sys/psa_crypto: implement ChaCha20Poly1305 oneshot operation

cpu/nrf52/Makefile.features

@@ -22,6 +22,7 @@ ifneq (,$(filter nrf52840xxaa,$(CPU_MODEL)))
   FEATURES_PROVIDED += periph_cipher_aes_128_cbc
   FEATURES_PROVIDED += periph_cipher_chacha20
   FEATURES_PROVIDED += periph_aead_aes_128_ccm
+  FEATURES_PROVIDED += periph_aead_chacha20_poly1305
   FEATURES_PROVIDED += periph_ecc_p192r1
   FEATURES_PROVIDED += periph_ecc_p256r1
   FEATURES_PROVIDED += periph_ecc_ed25519

cpu/nrf52/periph/Makefile.dep

@@ -48,6 +48,11 @@ ifneq (,$(filter periph_aead_aes_128_ccm,$(USEMODULE)))
   USEMODULE += psa_cryptocell_310_aes_ccm
 endif
 
+ifneq (,$(filter periph_aead_chacha20_poly1305,$(USEMODULE)))
+  USEPKG += driver_cryptocell_310
+  USEMODULE += psa_cryptocell_310_aead_chacha20_poly1305
+endif
+
 ifneq (,$(filter periph_hmac_sha_256,$(USEMODULE)))
   USEPKG += driver_cryptocell_310
   USEMODULE += psa_cryptocell_310_hmac

features.yaml

@@ -870,6 +870,8 @@ groups:
       help: ChaCha20 hardware acceleration present
     - name: periph_aead_aes_128_ccm
       help: AES 128 CCM hardware acceleration present
+    - name: periph_aead_chacha20_poly1305
+      help: ChaCha20-Poly1305 hardware acceleration present
     - name: periph_ecc_p192r1
       help: ECC P192R1 hardware acceleration peripheral present.
     - name: periph_ecc_p256r1

makefiles/features_existing.inc.mk

@@ -142,6 +142,7 @@ FEATURES_EXISTING := \
     periph_adc \
     periph_adc_continuous \
     periph_aead_aes_128_ccm \
+    periph_aead_chacha20_poly1305 \
     periph_can \
     periph_cipher_aes_128_cbc \
     periph_cipher_chacha20 \

makefiles/features_modules.inc.mk

@@ -14,6 +14,7 @@ PERIPH_IGNORE_MODULES := \
   periph_cipher_aes_128_cbc \
   periph_cipher_chacha20 \
   periph_aead_aes_128_ccm \
+  periph_aead_chacha20_poly1305 \
   periph_clic \
   periph_common \
   periph_coretimer \

makefiles/pseudomodules.inc.mk

@@ -333,6 +333,7 @@ PSEUDOMODULES += printf_float
 PSEUDOMODULES += printf_long_long
 PSEUDOMODULES += prng
 PSEUDOMODULES += prng_%
+PSEUDOMODULES += psa_riot_aead_chacha20_poly1305
 PSEUDOMODULES += psa_riot_cipher_aes_common
 PSEUDOMODULES += psa_riot_cipher_aes_128_ecb
 PSEUDOMODULES += psa_riot_cipher_aes_128_cbc

pkg/driver_cryptocell_310/Makefile.include

@@ -12,6 +12,7 @@ endif
 
 CFLAGS += -Wno-cast-align
 
+PSEUDOMODULES += psa_cryptocell_310_aead_chacha20_poly1305
 PSEUDOMODULES += psa_cryptocell_310_aes_cbc
 PSEUDOMODULES += psa_cryptocell_310_aes_ccm
 PSEUDOMODULES += psa_cryptocell_310_aes_common

pkg/driver_cryptocell_310/psa_cryptocell_310/aead_chacha20_poly1305.c

@@ -0,0 +1,149 @@
+/*
+ * SPDX-FileCopyrightText: 2025 TU Dresden
+ * SPDX-License-Identifier: LGPL-2.1-only
+ */
+
+/**
+ * @ingroup     pkg_driver_cryptocell_310
+ * @{
+ *
+ * @file
+ * @brief       PSA Crypto wrapper for the CryptoCell 310 ChachaPoly API.
+ *
+ * @author      Oliver Fritz <[email protected]>
+ * @author      Sergey Kreis <[email protected]>
+ *
+ * @}
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "psa_error.h"
+#include "crys_chacha_poly.h"
+#include "crys_chacha_poly_error.h"
+#include "cryptocell_310_util.h"
+
+#define ENABLE_DEBUG 0
+#include "debug.h"
+
+/* This is defined to double check the PSA_AEAD_TAG_LENGTH
+ * macro call in psa_crypto_algorithm_dispatch.c */
+#define CHACHA20POLY1305_TAG_BYTES (16)
+
+psa_status_t psa_aead_chacha20_poly1305_encrypt(const psa_key_attributes_t *attributes,
+                                                uint8_t *key_buffer, size_t key_buffer_length,
+                                                uint8_t tag_length, const uint8_t *nonce,
+                                                size_t nonce_length, const uint8_t *additional_data,
+                                                size_t additional_data_length, const uint8_t *plaintext,
+                                                size_t plaintext_length, uint8_t *ciphertext,
+                                                size_t ciphertext_size, size_t *ciphertext_length)
+{
+    (void)attributes;
+
+    DEBUG("Peripheral ChaCha20-Poly1305 AEAD encryption\n");
+
+    if (nonce_length != CRYS_CHACHA_NONCE_MAX_SIZE_IN_BYTES ||
+        tag_length != CHACHA20POLY1305_TAG_BYTES ||
+        key_buffer_length != CRYS_CHACHA_KEY_MAX_SIZE_IN_BYTES) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
+    /* Cryptocell310 ChachaPoly specifically requires the inputs to be not 0.
+     * This is in contrast to the definition of ChachaPoly in RFC 7539. */
+    if (additional_data_length == 0 ||
+        plaintext_length == 0) {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+    if (ciphertext_size < plaintext_length + CHACHA20POLY1305_TAG_BYTES) {
+        return PSA_ERROR_BUFFER_TOO_SMALL;
+    }
+    if (!cryptocell_310_data_within_ram(nonce) ||
+        !cryptocell_310_data_within_ram(key_buffer) ||
+        !cryptocell_310_data_within_ram(additional_data) ||
+        !cryptocell_310_data_within_ram(plaintext)) {
+        DEBUG("%s : cryptocell_310 data required to be in RAM.\n", __FILE__);
+        return PSA_ERROR_DATA_INVALID;
+    }
+
+    cryptocell_310_enable();
+    CRYSError_t ret = CRYS_CHACHA_POLY((uint8_t *)nonce,
+                                       key_buffer,
+                                       CRYS_CHACHA_Encrypt,
+                                       (uint8_t *)additional_data,
+                                       additional_data_length,
+                                       (uint8_t *)plaintext,
+                                       plaintext_length,
+                                       ciphertext,
+                                       (uint32_t *)&ciphertext[plaintext_length]);
+    cryptocell_310_disable();
+
+    if (ret != CRYS_OK) {
+        DEBUG("%s : cryptocell_310 failed to encrypt with %s.\n", __FILE__,
+              cryptocell310_status_to_humanly_readable(ret));
+        return CRYS_to_psa_error(ret);
+    }
+
+    *ciphertext_length = plaintext_length + tag_length;
+
+    return PSA_SUCCESS;
+}
+
+psa_status_t psa_aead_chacha20_poly1305_decrypt(const psa_key_attributes_t *attributes,
+                                                uint8_t *key_buffer, size_t key_buffer_length,
+                                                uint8_t tag_length, const uint8_t *nonce,
+                                                size_t nonce_length, const uint8_t *additional_data,
+                                                size_t additional_data_length, const uint8_t *ciphertext,
+                                                size_t ciphertext_length, uint8_t *plaintext,
+                                                size_t plaintext_size, size_t *plaintext_length)
+{
+    (void)attributes;
+
+    DEBUG("Peripheral ChaCha20-Poly1305 AEAD decryption\n");
+
+    if (nonce_length != CRYS_CHACHA_NONCE_MAX_SIZE_IN_BYTES ||
+        tag_length != CHACHA20POLY1305_TAG_BYTES ||
+        key_buffer_length != CRYS_CHACHA_KEY_MAX_SIZE_IN_BYTES) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
+    if (additional_data_length == 0 ||
+        (ciphertext_length - tag_length) == 0) {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+    if (plaintext_size < ciphertext_length - tag_length) {
+        return PSA_ERROR_BUFFER_TOO_SMALL;
+    }
+    if (!cryptocell_310_data_within_ram(nonce) ||
+        !cryptocell_310_data_within_ram(key_buffer) ||
+        !cryptocell_310_data_within_ram(additional_data) ||
+        !cryptocell_310_data_within_ram(ciphertext)) {
+        DEBUG("%s : cryptocell_310 data required to be in RAM.\n", __FILE__);
+        return PSA_ERROR_DATA_INVALID;
+    }
+
+    cryptocell_310_enable();
+    CRYSError_t ret = CRYS_CHACHA_POLY((uint8_t *)nonce,
+                                       key_buffer,
+                                       CRYS_CHACHA_Decrypt,
+                                       (uint8_t *)additional_data,
+                                       additional_data_length,
+                                       (uint8_t *)ciphertext,
+                                       ciphertext_length - tag_length,
+                                       plaintext,
+                                       (uint32_t *)&ciphertext[ciphertext_length - tag_length]);
+    cryptocell_310_disable();
+
+    if (ret != CRYS_OK) {
+        DEBUG("%s : cryptocell_310 failed to decrypt with %s.\n", __FILE__,
+              cryptocell310_status_to_humanly_readable(ret));
+        return CRYS_to_psa_error(ret);
+    }
+
+    *plaintext_length = ciphertext_length - tag_length;
+
+    return PSA_SUCCESS;
+}
+
+#ifdef __cplusplus
+}
+#endif