Commit graph

4 Commits

Author SHA1 Message Date
Mitch Lindgren 🦎 9531d00a19 Merged PR 10935012: Add support for multi-line KATs, reformat existing KATs
Since the KATs for some of the PQC algorithms have very long data values, it's convenient to be able to split the data across multiple lines to avoid having excessively long lines. This change adds support for that in the KAT parser (via escaping the newline with `\`), and adds a Python script that automatically reformats existing KATs with lines that are too long.

Tested: unit tests
2024-06-14 22:17:15 +00:00
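The commit above describes two things: a KAT parser that joins a line ending in `\` with the next physical line, and a script that re-wraps over-long KAT lines using that rule. The following is an added example, not SymCrypt's parser or its reformat script, showing how the two halves fit together and round-trip. It assumes a simple `name = value` record format with `#` comments (the backslash rule comes from the commit; the rest of the file shape, the 80-column limit and the sample data are constructed assumptions for this example).

```python
"""Backslash line continuation for KAT files (added example; not SymCrypt code).

Assumed file shape: one "name = value" record per logical line, blank lines
and '#' comments ignored, and a trailing backslash continuing the value on
the next physical line.  Only the backslash rule is taken from the commit;
the record format and width limit are assumptions for this example.
"""

MAX_LINE = 80  # assumed width limit used when reflowing long values


def logical_lines(text: str) -> list[tuple[int, str]]:
    """Join physical lines ending in '\\' with their successors.

    Returns (first_physical_lineno, logical_line) pairs so that error messages
    can point at where a record started.  Leading indentation on continuation
    lines is dropped, trailing whitespace after the backslash is tolerated, and
    a continuation at end of file is rejected rather than silently truncated.
    """
    out: list[tuple[int, str]] = []
    buf, start = None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if buf is None:
            start = lineno
        else:
            line = buf + line.lstrip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        out.append((start, line))
        buf = None
    if buf is not None:
        raise ValueError(f"line {start}: continuation at end of file")
    return out


def parse_kat(text: str) -> dict[str, str]:
    """Parse records into a dict, rejecting malformed lines and duplicate names."""
    records: dict[str, str] = {}
    for lineno, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'name = value'")
        name, value = name.strip(), value.strip()
        if name in records:
            raise ValueError(f"line {lineno}: duplicate field {name!r}")
        records[name] = value
    return records


def reflow(text: str, width: int = MAX_LINE) -> str:
    """Re-wrap records longer than `width`, splitting the value with backslash continuations.

    Continuation lines are indented to the start of the value; each emitted
    physical line (including the trailing backslash) fits within `width`.
    """
    out: list[str] = []
    for _, line in logical_lines(text):
        if len(line) <= width or line.startswith("#") or "=" not in line:
            out.append(line)
            continue
        name, _, value = line.partition("=")
        head = f"{name.strip()} = "
        value = value.strip()
        chunk = width - len(head) - 1  # leave room for the trailing backslash
        if chunk <= 0:
            raise ValueError(f"field {name.strip()!r}: name too long for width {width}")
        out.append(head + value[:chunk] + "\\")
        rest, indent = value[chunk:], " " * len(head)
        while len(rest) > chunk:
            out.append(indent + rest[:chunk] + "\\")
            rest = rest[chunk:]
        out.append(indent + rest)
    return "\n".join(out) + "\n"


# Constructed sample; the values are not taken from any real KAT file.
SAMPLE = "\n".join([
    "# constructed sample, not from the SymCrypt KAT files",
    "Key = 000102030405060708090a0b0c0d0e0f",
    "Plaintext = 00112233445566778899aabbccddeeff\\",
    "           0123456789abcdef0123456789abcdef",
    "Ciphertext = " + "ab" * 120,
]) + "\n"


def max_physical_width(text: str) -> int:
    """Longest physical line in `text`, used to check the reflow result."""
    return max(len(line) for line in text.splitlines())


if __name__ == "__main__":
    wrapped = reflow(SAMPLE)
    print(wrapped)
    print("round-trips:", parse_kat(wrapped) == parse_kat(SAMPLE))
```

Note that `reflow` rebuilds every record from its logical line, so a value that was split by hand but fits in the width (the `Plaintext` record in the sample) comes back as a single line; the parsed contents are unchanged either way, which is the property a reformatting script should be checked against.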
Mitch Lindgren 🦎 d6933e03f6 Merged PR 9746161: Support cbNonce != 12 for AES-GCM
This change adds support for nonces larger or smaller than 12 bytes for AES-GCM (and GCM generally, if it's ever used with other block ciphers). It adds 32-bit CTR functions, as required in the GCM spec. Previously we used a 64-bit CTR function, which worked for 12-byte nonces because the counter block always started at 1 and the message length limit for GCM is 2^36 - 32 bytes, so the 32-bit counter would never overflow. Using a 64-bit counter does not work for non-12-byte nonces because the counter block starts at an arbitrary value computed by GHASHing the nonce.

It also updates the "stitched" implementations of AES-GCM to use 32-bit addition intrinsics instead of 64-bit addition.

Tested with unit tests:
- AMD64 with all features enabled
- AMD64 without aesni
- AMD64 without pclmulqdq
- AMD64 with everything disabled except for rdrand, rdseed, savexmmnofail
- ARM64 hardware (Galaxy Book 2) + qemu (via pipeline)

Related work items: #33824154
2023-10-31 22:21:18 +00:00
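The reasoning in the commit above (a 64-bit increment is indistinguishable from the spec's 32-bit increment as long as the low 32 bits of the counter block never carry out, which holds for 12-byte nonces but not for a GHASH-derived starting block) can be checked directly. The following is an added example, not SymCrypt code: it implements `inc32` from NIST SP 800-38D next to the 64-bit increment the commit replaces, and shows where they diverge. GHASH is not implemented here; a constructed counter block stands in for a `J0` derived from a non-12-byte nonce.

```python
"""Why GCM needs a 32-bit counter increment (added example; not SymCrypt code).

NIST SP 800-38D defines inc32: only the low 32 bits of the 128-bit counter
block advance, modulo 2^32.  A 64-bit increment agrees with it only while the
low 32 bits never carry out.  For 12-byte IVs J0 = IV || 0x00000001 and at
most 2^32 - 2 blocks are encrypted, so the carry cannot happen; for other IV
lengths J0 = GHASH_H(IV padded || len(IV)) starts the counter at an arbitrary
value and the two increments produce different keystreams.  GHASH itself is
not implemented here; ARBITRARY_J0 below is a constructed stand-in.
"""

GCM_MAX_PLAINTEXT_BYTES = 2**36 - 32            # SP 800-38D limit per (key, IV)
GCM_MAX_BLOCKS = GCM_MAX_PLAINTEXT_BYTES // 16   # 2**32 - 2 counter blocks


def inc32(block: bytes) -> bytes:
    """SP 800-38D inc_32: add 1 to the low 32 bits mod 2^32; upper 96 bits untouched."""
    if len(block) != 16:
        raise ValueError("counter block must be 16 bytes")
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")


def inc64(block: bytes) -> bytes:
    """64-bit increment (the behaviour the commit replaces).

    A carry out of bit 31 spills into bytes 8..11 instead of wrapping, so the
    resulting counter block differs from inc32 from that point on.
    """
    if len(block) != 16:
        raise ValueError("counter block must be 16 bytes")
    ctr = (int.from_bytes(block[8:], "big") + 1) & 0xFFFFFFFFFFFFFFFF
    return block[:8] + ctr.to_bytes(8, "big")


def j0_from_96bit_iv(iv: bytes) -> bytes:
    """J0 for the 12-byte IV case: IV || 0x00000001 (no GHASH involved)."""
    if len(iv) != 12:
        raise ValueError("this helper only covers 12-byte IVs")
    return iv + b"\x00\x00\x00\x01"


def low32_carries_out(j0: bytes, n_blocks: int) -> bool:
    """True if producing n_blocks counter blocks from J0 pushes the low 32 bits past 2^32 - 1.

    inc32 wraps to 0 at that point; inc64 would instead carry into bits 32..63.
    """
    start = int.from_bytes(j0[12:], "big")
    return start + n_blocks > 0xFFFFFFFF


def first_divergence(j0: bytes, n_blocks: int):
    """Walk n_blocks counter blocks with both increments; index of first mismatch or None."""
    a = b = j0
    for i in range(n_blocks):
        a, b = inc32(a), inc64(b)
        if a != b:
            return i
    return None


# Constructed stand-in for a GHASH-derived J0: low 32 bits two steps from wrapping.
ARBITRARY_J0 = b"\xa5" * 8 + b"\x00\x00\x00\x07" + b"\xff\xff\xff\xfe"


if __name__ == "__main__":
    j0 = j0_from_96bit_iv(b"\x11" * 12)
    print("12-byte IV, max-length message carries out:", low32_carries_out(j0, GCM_MAX_BLOCKS))
    print("arbitrary J0, 2 blocks carries out:", low32_carries_out(ARBITRARY_J0, 2))
    print("first differing block for arbitrary J0:", first_divergence(ARBITRARY_J0, 4))
```

The closed-form check in `low32_carries_out` is what matters for the 12-byte case, since walking 2^32 blocks is not practical: starting from 1, the largest counter value reached for a maximum-length message is 1 + (2^32 - 2) = 2^32 - 1, exactly the last value that fits in 32 bits.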
Justin Burke dca99e7141 Merged PR 4512991: Implemented CHACHA20_POLY1305 authenticated encryption algorithm
Product code:

- Added SymCryptChaCha20Poly1305Encrypt function declaration to symcrypt.h.
- Added SymCryptChaCha20Poly1305Decrypt function declaration to symcrypt.h.
- Added new file chacha20_poly1305.c.
- Created function definition SymCryptChaCha20Poly1305Encrypt.
- Created function definition SymCryptChaCha20Poly1305Decrypt.
- Created function definition SymCryptChaCha20Poly1305ComputeTag.
- Created CHACHA20_POLY1305_MAX_DATA_SIZE define.

Test code:

- Added unit tests for CHACHA20_POLY1305 authenticated encryption algorithm.
- Added the one (and only) test case for CHACHA20_POLY1305 from RFC 8439 to kat_authenc.dat.
- Added "partial" field to kat_authenc.dat to determine if algorithm supports partial encryption/decryption.
- Modified testAuthEncRandom to handle algorithms that do not support partial encryption/decryption.
- Added mode type: ModeNone for authenticated encryption algorithms without a mode.
- Fixed typo in testdsa.cpp that resulted in a buffer overread which prevented unit tests from running successfully with app verifier enabled.

Testing:

- Built all flavors using scbuild.
- Ran symcryptunittest.exe on x86 (fre|chk) and amd64 (fre|chk) with page heap and app verifier enabled.

Related work items: #25803596
2020-04-08 16:59:18 +00:00
Niels Ferguson f020f6aa44 First draft of Symcrypt build system on Git
2018-11-16 16:28:12 -08:00