TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / d2d2912d8950b80a567e90fc8c4b62e5d9355542 / . / lib / libmbedtls / mbedtls / library / cipher.c
blob: 31147df3ed5758fc531d0a7c1f8200cd52564a34 [file] [log] [blame]
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1/**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]10 *
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]22 */
23
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]24#include "common.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]25
26#if defined(MBEDTLS_CIPHER_C)
27
28#include "mbedtls/cipher.h"
29#include "mbedtls/cipher_internal.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]30#include "mbedtls/platform_util.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]31#include "mbedtls/error.h"
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]32#include "mbedtls/constant_time.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]33
34#include <stdlib.h>
35#include <string.h>
36
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]37#if defined(MBEDTLS_CHACHAPOLY_C)
38#include "mbedtls/chachapoly.h"
39#endif
40
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_GCM_C)
42#include "mbedtls/gcm.h"
43#endif
44
45#if defined(MBEDTLS_CCM_C)
46#include "mbedtls/ccm.h"
47#endif
48
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]49#if defined(MBEDTLS_CHACHA20_C)
50#include "mbedtls/chacha20.h"
51#endif
52
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]53#if defined(MBEDTLS_CMAC_C)
54#include "mbedtls/cmac.h"
55#endif
56
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]57#if defined(MBEDTLS_USE_PSA_CRYPTO)
58#include "psa/crypto.h"
59#include "mbedtls/psa_util.h"
60#endif /* MBEDTLS_USE_PSA_CRYPTO */
61
62#if defined(MBEDTLS_NIST_KW_C)
63#include "mbedtls/nist_kw.h"
64#endif
65
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]66#if defined(MBEDTLS_PLATFORM_C)
67#include "mbedtls/platform.h"
68#else
69#define mbedtls_calloc calloc
70#define mbedtls_free free
71#endif
72
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]73#define CIPHER_VALIDATE_RET( cond ) \
74 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
75#define CIPHER_VALIDATE( cond ) \
76 MBEDTLS_INTERNAL_VALIDATE( cond )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]77
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]78static int supported_init = 0;
79
80const int *mbedtls_cipher_list( void )
81{
82 const mbedtls_cipher_definition_t *def;
83 int *type;
84
85 if( ! supported_init )
86 {
87 def = mbedtls_cipher_definitions;
88 type = mbedtls_cipher_supported;
89
90 while( def->type != 0 )
91 *type++ = (*def++).type;
92
93 *type = 0;
94
95 supported_init = 1;
96 }
97
98 return( mbedtls_cipher_supported );
99}
100
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]101const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
102 const mbedtls_cipher_type_t cipher_type )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]103{
104 const mbedtls_cipher_definition_t *def;
105
106 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
107 if( def->type == cipher_type )
108 return( def->info );
109
110 return( NULL );
111}
112
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]113const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
114 const char *cipher_name )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]115{
116 const mbedtls_cipher_definition_t *def;
117
118 if( NULL == cipher_name )
119 return( NULL );
120
121 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
122 if( ! strcmp( def->info->name, cipher_name ) )
123 return( def->info );
124
125 return( NULL );
126}
127
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]128const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
129 const mbedtls_cipher_id_t cipher_id,
130 int key_bitlen,
131 const mbedtls_cipher_mode_t mode )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]132{
133 const mbedtls_cipher_definition_t *def;
134
135 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
136 if( def->info->base->cipher == cipher_id &&
137 def->info->key_bitlen == (unsigned) key_bitlen &&
138 def->info->mode == mode )
139 return( def->info );
140
141 return( NULL );
142}
143
144void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
145{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]146 CIPHER_VALIDATE( ctx != NULL );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]147 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
148}
149
150void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
151{
152 if( ctx == NULL )
153 return;
154
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]155#if defined(MBEDTLS_USE_PSA_CRYPTO)
156 if( ctx->psa_enabled == 1 )
157 {
158 if( ctx->cipher_ctx != NULL )
159 {
160 mbedtls_cipher_context_psa * const cipher_psa =
161 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
162
163 if( cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED )
164 {
165 /* xxx_free() doesn't allow to return failures. */
166 (void) psa_destroy_key( cipher_psa->slot );
167 }
168
169 mbedtls_platform_zeroize( cipher_psa, sizeof( *cipher_psa ) );
170 mbedtls_free( cipher_psa );
171 }
172
173 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
174 return;
175 }
176#endif /* MBEDTLS_USE_PSA_CRYPTO */
177
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]178#if defined(MBEDTLS_CMAC_C)
179 if( ctx->cmac_ctx )
180 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]181 mbedtls_platform_zeroize( ctx->cmac_ctx,
182 sizeof( mbedtls_cmac_context_t ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]183 mbedtls_free( ctx->cmac_ctx );
184 }
185#endif
186
187 if( ctx->cipher_ctx )
188 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
189
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]190 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]191}
192
Edison Ai12484fc2018-12-19 15:36:28 +0800[diff] [blame]193int mbedtls_cipher_clone( mbedtls_cipher_context_t *dst,
194 const mbedtls_cipher_context_t *src )
195{
196 if( dst == NULL || dst->cipher_info == NULL ||
197 src == NULL || src->cipher_info == NULL)
198 {
199 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
200 }
201
202 dst->cipher_info = src->cipher_info;
203 dst->key_bitlen = src->key_bitlen;
204 dst->operation = src->operation;
205#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
206 dst->add_padding = src->add_padding;
207 dst->get_padding = src->get_padding;
208#endif
209 memcpy( dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH );
210 dst->unprocessed_len = src->unprocessed_len;
211 memcpy( dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH );
212 dst->iv_size = src->iv_size;
213 if( dst->cipher_info->base->ctx_clone_func )
214 dst->cipher_info->base->ctx_clone_func( dst->cipher_ctx, src->cipher_ctx );
215
216#if defined(MBEDTLS_CMAC_C)
217 if( dst->cmac_ctx != NULL && src->cmac_ctx != NULL )
218 memcpy( dst->cmac_ctx, src->cmac_ctx, sizeof( mbedtls_cmac_context_t ) );
219#endif
220 return( 0 );
221}
222
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]223int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
224 const mbedtls_cipher_info_t *cipher_info )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]225{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]226 CIPHER_VALIDATE_RET( ctx != NULL );
227 if( cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]228 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
229
230 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
231
232 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
233 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
234
235 ctx->cipher_info = cipher_info;
236
237#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
238 /*
239 * Ignore possible errors caused by a cipher mode that doesn't use padding
240 */
241#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
242 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
243#else
244 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
245#endif
246#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
247
248 return( 0 );
249}
250
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]251#if defined(MBEDTLS_USE_PSA_CRYPTO)
252int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
253 const mbedtls_cipher_info_t *cipher_info,
254 size_t taglen )
255{
256 psa_algorithm_t alg;
257 mbedtls_cipher_context_psa *cipher_psa;
258
259 if( NULL == cipher_info || NULL == ctx )
260 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
261
262 /* Check that the underlying cipher mode and cipher type are
263 * supported by the underlying PSA Crypto implementation. */
264 alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen );
265 if( alg == 0 )
266 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
267 if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 )
268 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
269
270 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
271
272 cipher_psa = mbedtls_calloc( 1, sizeof(mbedtls_cipher_context_psa ) );
273 if( cipher_psa == NULL )
274 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
275 cipher_psa->alg = alg;
276 ctx->cipher_ctx = cipher_psa;
277 ctx->cipher_info = cipher_info;
278 ctx->psa_enabled = 1;
279 return( 0 );
280}
281#endif /* MBEDTLS_USE_PSA_CRYPTO */
282
Edison Ai12484fc2018-12-19 15:36:28 +0800[diff] [blame]283int mbedtls_cipher_setup_info( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
284{
285 if( NULL == cipher_info || NULL == ctx )
286 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
287
288 ctx->cipher_info = cipher_info;
289 return( 0 );
290}
291
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]292int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
293 const unsigned char *key,
294 int key_bitlen,
295 const mbedtls_operation_t operation )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]296{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]297 CIPHER_VALIDATE_RET( ctx != NULL );
298 CIPHER_VALIDATE_RET( key != NULL );
299 CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
300 operation == MBEDTLS_DECRYPT );
301 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]302 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
303
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]304#if defined(MBEDTLS_USE_PSA_CRYPTO)
305 if( ctx->psa_enabled == 1 )
306 {
307 mbedtls_cipher_context_psa * const cipher_psa =
308 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
309
310 size_t const key_bytelen = ( (size_t) key_bitlen + 7 ) / 8;
311
312 psa_status_t status;
313 psa_key_type_t key_type;
314 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
315
316 /* PSA Crypto API only accepts byte-aligned keys. */
317 if( key_bitlen % 8 != 0 )
318 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
319
320 /* Don't allow keys to be set multiple times. */
321 if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET )
322 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
323
324 key_type = mbedtls_psa_translate_cipher_type(
325 ctx->cipher_info->type );
326 if( key_type == 0 )
327 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
328 psa_set_key_type( &attributes, key_type );
329
330 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
331 * (encrypt vs. decrypt): it is possible to setup a key for encryption
332 * and use it for AEAD decryption. Until tests relying on this
333 * are changed, allow any usage in PSA. */
334 psa_set_key_usage_flags( &attributes,
335 /* mbedtls_psa_translate_cipher_operation( operation ); */
336 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
337 psa_set_key_algorithm( &attributes, cipher_psa->alg );
338
339 status = psa_import_key( &attributes, key, key_bytelen,
340 &cipher_psa->slot );
341 switch( status )
342 {
343 case PSA_SUCCESS:
344 break;
345 case PSA_ERROR_INSUFFICIENT_MEMORY:
346 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
347 case PSA_ERROR_NOT_SUPPORTED:
348 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
349 default:
350 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
351 }
352 /* Indicate that we own the key slot and need to
353 * destroy it in mbedtls_cipher_free(). */
354 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
355
356 ctx->key_bitlen = key_bitlen;
357 ctx->operation = operation;
358 return( 0 );
359 }
360#endif /* MBEDTLS_USE_PSA_CRYPTO */
361
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]362 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
363 (int) ctx->cipher_info->key_bitlen != key_bitlen )
364 {
365 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
366 }
367
368 ctx->key_bitlen = key_bitlen;
369 ctx->operation = operation;
370
371 /*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]372 * For OFB, CFB and CTR mode always use the encryption key schedule
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]373 */
374 if( MBEDTLS_ENCRYPT == operation ||
375 MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]376 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]377 MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
378 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]379 return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
380 ctx->key_bitlen ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]381 }
382
383 if( MBEDTLS_DECRYPT == operation )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]384 return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
385 ctx->key_bitlen ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]386
387 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
388}
389
390int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]391 const unsigned char *iv,
392 size_t iv_len )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]393{
394 size_t actual_iv_size;
395
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]396 CIPHER_VALIDATE_RET( ctx != NULL );
397 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
398 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]399 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]400#if defined(MBEDTLS_USE_PSA_CRYPTO)
401 if( ctx->psa_enabled == 1 )
402 {
403 /* While PSA Crypto has an API for multipart
404 * operations, we currently don't make it
405 * accessible through the cipher layer. */
406 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
407 }
408#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]409
410 /* avoid buffer overflow in ctx->iv */
411 if( iv_len > MBEDTLS_MAX_IV_LENGTH )
412 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
413
414 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
415 actual_iv_size = iv_len;
416 else
417 {
418 actual_iv_size = ctx->cipher_info->iv_size;
419
420 /* avoid reading past the end of input buffer */
421 if( actual_iv_size > iv_len )
422 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
423 }
424
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]425#if defined(MBEDTLS_CHACHA20_C)
426 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
427 {
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]428 /* Even though the actual_iv_size is overwritten with a correct value
429 * of 12 from the cipher info, return an error to indicate that
430 * the input iv_len is wrong. */
431 if( iv_len != 12 )
432 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
433
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]434 if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
435 iv,
436 0U ) ) /* Initial counter value */
437 {
438 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
439 }
440 }
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]441#if defined(MBEDTLS_CHACHAPOLY_C)
442 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
443 iv_len != 12 )
444 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
445#endif
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]446#endif
447
448 if ( actual_iv_size != 0 )
449 {
450 memcpy( ctx->iv, iv, actual_iv_size );
451 ctx->iv_size = actual_iv_size;
452 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]453
454 return( 0 );
455}
456
457int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
458{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]459 CIPHER_VALIDATE_RET( ctx != NULL );
460 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]461 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
462
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]463#if defined(MBEDTLS_USE_PSA_CRYPTO)
464 if( ctx->psa_enabled == 1 )
465 {
466 /* We don't support resetting PSA-based
467 * cipher contexts, yet. */
468 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
469 }
470#endif /* MBEDTLS_USE_PSA_CRYPTO */
471
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]472 ctx->unprocessed_len = 0;
473
474 return( 0 );
475}
476
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]477#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]478int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
479 const unsigned char *ad, size_t ad_len )
480{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]481 CIPHER_VALIDATE_RET( ctx != NULL );
482 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
483 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]484 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
485
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]486#if defined(MBEDTLS_USE_PSA_CRYPTO)
487 if( ctx->psa_enabled == 1 )
488 {
489 /* While PSA Crypto has an API for multipart
490 * operations, we currently don't make it
491 * accessible through the cipher layer. */
492 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
493 }
494#endif /* MBEDTLS_USE_PSA_CRYPTO */
495
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]496#if defined(MBEDTLS_GCM_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]497 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
498 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]499 return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
500 ctx->iv, ctx->iv_size, ad, ad_len ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]501 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]502#endif
503
504#if defined(MBEDTLS_CHACHAPOLY_C)
505 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
506 {
507 int result;
508 mbedtls_chachapoly_mode_t mode;
509
510 mode = ( ctx->operation == MBEDTLS_ENCRYPT )
511 ? MBEDTLS_CHACHAPOLY_ENCRYPT
512 : MBEDTLS_CHACHAPOLY_DECRYPT;
513
514 result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
515 ctx->iv,
516 mode );
517 if ( result != 0 )
518 return( result );
519
520 return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
521 ad, ad_len ) );
522 }
523#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]524
525 return( 0 );
526}
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]527#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]528
529int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
530 size_t ilen, unsigned char *output, size_t *olen )
531{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]532 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]533 size_t block_size;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]534
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]535 CIPHER_VALIDATE_RET( ctx != NULL );
536 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
537 CIPHER_VALIDATE_RET( output != NULL );
538 CIPHER_VALIDATE_RET( olen != NULL );
539 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]540 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]541
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]542#if defined(MBEDTLS_USE_PSA_CRYPTO)
543 if( ctx->psa_enabled == 1 )
544 {
545 /* While PSA Crypto has an API for multipart
546 * operations, we currently don't make it
547 * accessible through the cipher layer. */
548 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
549 }
550#endif /* MBEDTLS_USE_PSA_CRYPTO */
551
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]552 *olen = 0;
553 block_size = mbedtls_cipher_get_block_size( ctx );
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]554 if ( 0 == block_size )
555 {
556 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
557 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]558
559 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
560 {
561 if( ilen != block_size )
562 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
563
564 *olen = ilen;
565
566 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
567 ctx->operation, input, output ) ) )
568 {
569 return( ret );
570 }
571
572 return( 0 );
573 }
574
575#if defined(MBEDTLS_GCM_C)
576 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
577 {
578 *olen = ilen;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]579 return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
580 output ) );
581 }
582#endif
583
584#if defined(MBEDTLS_CHACHAPOLY_C)
585 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
586 {
587 *olen = ilen;
588 return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
589 ilen, input, output ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]590 }
591#endif
592
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]593 if( input == output &&
594 ( ctx->unprocessed_len != 0 || ilen % block_size ) )
595 {
596 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
597 }
598
599#if defined(MBEDTLS_CIPHER_MODE_CBC)
600 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
601 {
602 size_t copy_len = 0;
603
604 /*
605 * If there is not enough data for a full block, cache it.
606 */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]607 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]608 ilen <= block_size - ctx->unprocessed_len ) ||
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]609 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
610 ilen < block_size - ctx->unprocessed_len ) ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]611 ( ctx->operation == MBEDTLS_ENCRYPT &&
612 ilen < block_size - ctx->unprocessed_len ) )
613 {
614 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
615 ilen );
616
617 ctx->unprocessed_len += ilen;
618 return( 0 );
619 }
620
621 /*
622 * Process cached data first
623 */
624 if( 0 != ctx->unprocessed_len )
625 {
626 copy_len = block_size - ctx->unprocessed_len;
627
628 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
629 copy_len );
630
631 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
632 ctx->operation, block_size, ctx->iv,
633 ctx->unprocessed_data, output ) ) )
634 {
635 return( ret );
636 }
637
638 *olen += block_size;
639 output += block_size;
640 ctx->unprocessed_len = 0;
641
642 input += copy_len;
643 ilen -= copy_len;
644 }
645
646 /*
647 * Cache final, incomplete block
648 */
649 if( 0 != ilen )
650 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]651 /* Encryption: only cache partial blocks
652 * Decryption w/ padding: always keep at least one whole block
653 * Decryption w/o padding: only cache partial blocks
654 */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]655 copy_len = ilen % block_size;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]656 if( copy_len == 0 &&
657 ctx->operation == MBEDTLS_DECRYPT &&
658 NULL != ctx->add_padding)
659 {
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]660 copy_len = block_size;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]661 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]662
663 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
664 copy_len );
665
666 ctx->unprocessed_len += copy_len;
667 ilen -= copy_len;
668 }
669
670 /*
671 * Process remaining full blocks
672 */
673 if( ilen )
674 {
675 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
676 ctx->operation, ilen, ctx->iv, input, output ) ) )
677 {
678 return( ret );
679 }
680
681 *olen += ilen;
682 }
683
684 return( 0 );
685 }
686#endif /* MBEDTLS_CIPHER_MODE_CBC */
687
688#if defined(MBEDTLS_CIPHER_MODE_CFB)
689 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
690 {
691 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
692 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
693 input, output ) ) )
694 {
695 return( ret );
696 }
697
698 *olen = ilen;
699
700 return( 0 );
701 }
702#endif /* MBEDTLS_CIPHER_MODE_CFB */
703
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]704#if defined(MBEDTLS_CIPHER_MODE_OFB)
705 if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
706 {
707 if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
708 ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
709 {
710 return( ret );
711 }
712
713 *olen = ilen;
714
715 return( 0 );
716 }
717#endif /* MBEDTLS_CIPHER_MODE_OFB */
718
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]719#if defined(MBEDTLS_CIPHER_MODE_CTR)
720 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
721 {
722 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
723 ilen, &ctx->unprocessed_len, ctx->iv,
724 ctx->unprocessed_data, input, output ) ) )
725 {
726 return( ret );
727 }
728
729 *olen = ilen;
730
731 return( 0 );
732 }
733#endif /* MBEDTLS_CIPHER_MODE_CTR */
734
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]735#if defined(MBEDTLS_CIPHER_MODE_XTS)
736 if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
737 {
738 if( ctx->unprocessed_len > 0 ) {
739 /* We can only process an entire data unit at a time. */
740 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
741 }
742
743 ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
744 ctx->operation, ilen, ctx->iv, input, output );
745 if( ret != 0 )
746 {
747 return( ret );
748 }
749
750 *olen = ilen;
751
752 return( 0 );
753 }
754#endif /* MBEDTLS_CIPHER_MODE_XTS */
755
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]756#if defined(MBEDTLS_CIPHER_MODE_STREAM)
757 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
758 {
759 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
760 ilen, input, output ) ) )
761 {
762 return( ret );
763 }
764
765 *olen = ilen;
766
767 return( 0 );
768 }
769#endif /* MBEDTLS_CIPHER_MODE_STREAM */
770
771 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
772}
773
774#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
775#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
776/*
777 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
778 */
779static void add_pkcs_padding( unsigned char *output, size_t output_len,
780 size_t data_len )
781{
782 size_t padding_len = output_len - data_len;
783 unsigned char i;
784
785 for( i = 0; i < padding_len; i++ )
786 output[data_len + i] = (unsigned char) padding_len;
787}
788
789static int get_pkcs_padding( unsigned char *input, size_t input_len,
790 size_t *data_len )
791{
792 size_t i, pad_idx;
793 unsigned char padding_len, bad = 0;
794
795 if( NULL == input || NULL == data_len )
796 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
797
798 padding_len = input[input_len - 1];
799 *data_len = input_len - padding_len;
800
801 /* Avoid logical || since it results in a branch */
802 bad |= padding_len > input_len;
803 bad |= padding_len == 0;
804
805 /* The number of bytes checked must be independent of padding_len,
806 * so pick input_len, which is usually 8 or 16 (one block) */
807 pad_idx = input_len - padding_len;
808 for( i = 0; i < input_len; i++ )
809 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
810
811 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
812}
813#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
814
815#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
816/*
817 * One and zeros padding: fill with 80 00 ... 00
818 */
819static void add_one_and_zeros_padding( unsigned char *output,
820 size_t output_len, size_t data_len )
821{
822 size_t padding_len = output_len - data_len;
823 unsigned char i = 0;
824
825 output[data_len] = 0x80;
826 for( i = 1; i < padding_len; i++ )
827 output[data_len + i] = 0x00;
828}
829
830static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
831 size_t *data_len )
832{
833 size_t i;
834 unsigned char done = 0, prev_done, bad;
835
836 if( NULL == input || NULL == data_len )
837 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
838
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]839 bad = 0x80;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]840 *data_len = 0;
841 for( i = input_len; i > 0; i-- )
842 {
843 prev_done = done;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]844 done |= ( input[i - 1] != 0 );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]845 *data_len |= ( i - 1 ) * ( done != prev_done );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]846 bad ^= input[i - 1] * ( done != prev_done );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]847 }
848
849 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
850
851}
852#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
853
854#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
855/*
856 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
857 */
858static void add_zeros_and_len_padding( unsigned char *output,
859 size_t output_len, size_t data_len )
860{
861 size_t padding_len = output_len - data_len;
862 unsigned char i = 0;
863
864 for( i = 1; i < padding_len; i++ )
865 output[data_len + i - 1] = 0x00;
866 output[output_len - 1] = (unsigned char) padding_len;
867}
868
869static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
870 size_t *data_len )
871{
872 size_t i, pad_idx;
873 unsigned char padding_len, bad = 0;
874
875 if( NULL == input || NULL == data_len )
876 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
877
878 padding_len = input[input_len - 1];
879 *data_len = input_len - padding_len;
880
881 /* Avoid logical || since it results in a branch */
882 bad |= padding_len > input_len;
883 bad |= padding_len == 0;
884
885 /* The number of bytes checked must be independent of padding_len */
886 pad_idx = input_len - padding_len;
887 for( i = 0; i < input_len - 1; i++ )
888 bad |= input[i] * ( i >= pad_idx );
889
890 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
891}
892#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
893
894#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
895/*
896 * Zero padding: fill with 00 ... 00
897 */
898static void add_zeros_padding( unsigned char *output,
899 size_t output_len, size_t data_len )
900{
901 size_t i;
902
903 for( i = data_len; i < output_len; i++ )
904 output[i] = 0x00;
905}
906
907static int get_zeros_padding( unsigned char *input, size_t input_len,
908 size_t *data_len )
909{
910 size_t i;
911 unsigned char done = 0, prev_done;
912
913 if( NULL == input || NULL == data_len )
914 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
915
916 *data_len = 0;
917 for( i = input_len; i > 0; i-- )
918 {
919 prev_done = done;
920 done |= ( input[i-1] != 0 );
921 *data_len |= i * ( done != prev_done );
922 }
923
924 return( 0 );
925}
926#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
927
928/*
929 * No padding: don't pad :)
930 *
931 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
932 * but a trivial get_padding function
933 */
934static int get_no_padding( unsigned char *input, size_t input_len,
935 size_t *data_len )
936{
937 if( NULL == input || NULL == data_len )
938 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
939
940 *data_len = input_len;
941
942 return( 0 );
943}
944#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
945
946int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
947 unsigned char *output, size_t *olen )
948{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]949 CIPHER_VALIDATE_RET( ctx != NULL );
950 CIPHER_VALIDATE_RET( output != NULL );
951 CIPHER_VALIDATE_RET( olen != NULL );
952 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]953 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
954
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]955#if defined(MBEDTLS_USE_PSA_CRYPTO)
956 if( ctx->psa_enabled == 1 )
957 {
958 /* While PSA Crypto has an API for multipart
959 * operations, we currently don't make it
960 * accessible through the cipher layer. */
961 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
962 }
963#endif /* MBEDTLS_USE_PSA_CRYPTO */
964
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]965 *olen = 0;
966
967 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]968 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]969 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
970 MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]971 MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]972 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
973 {
974 return( 0 );
975 }
976
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]977 if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
978 ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
979 {
980 return( 0 );
981 }
982
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]983 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
984 {
985 if( ctx->unprocessed_len != 0 )
986 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
987
988 return( 0 );
989 }
990
991#if defined(MBEDTLS_CIPHER_MODE_CBC)
992 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
993 {
994 int ret = 0;
995
996 if( MBEDTLS_ENCRYPT == ctx->operation )
997 {
998 /* check for 'no padding' mode */
999 if( NULL == ctx->add_padding )
1000 {
1001 if( 0 != ctx->unprocessed_len )
1002 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
1003
1004 return( 0 );
1005 }
1006
1007 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
1008 ctx->unprocessed_len );
1009 }
1010 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
1011 {
1012 /*
1013 * For decrypt operations, expect a full block,
1014 * or an empty block if no padding
1015 */
1016 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
1017 return( 0 );
1018
1019 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
1020 }
1021
1022 /* cipher block */
1023 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
1024 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
1025 ctx->unprocessed_data, output ) ) )
1026 {
1027 return( ret );
1028 }
1029
1030 /* Set output size for decryption */
1031 if( MBEDTLS_DECRYPT == ctx->operation )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1032 return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
1033 olen ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1034
1035 /* Set output size for encryption */
1036 *olen = mbedtls_cipher_get_block_size( ctx );
1037 return( 0 );
1038 }
1039#else
1040 ((void) output);
1041#endif /* MBEDTLS_CIPHER_MODE_CBC */
1042
1043 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1044}
1045
1046#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1047int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
1048 mbedtls_cipher_padding_t mode )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1049{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1050 CIPHER_VALIDATE_RET( ctx != NULL );
1051
1052 if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1053 {
1054 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1055 }
1056
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1057#if defined(MBEDTLS_USE_PSA_CRYPTO)
1058 if( ctx->psa_enabled == 1 )
1059 {
1060 /* While PSA Crypto knows about CBC padding
1061 * schemes, we currently don't make them
1062 * accessible through the cipher layer. */
1063 if( mode != MBEDTLS_PADDING_NONE )
1064 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1065
1066 return( 0 );
1067 }
1068#endif /* MBEDTLS_USE_PSA_CRYPTO */
1069
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1070 switch( mode )
1071 {
1072#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1073 case MBEDTLS_PADDING_PKCS7:
1074 ctx->add_padding = add_pkcs_padding;
1075 ctx->get_padding = get_pkcs_padding;
1076 break;
1077#endif
1078#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1079 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1080 ctx->add_padding = add_one_and_zeros_padding;
1081 ctx->get_padding = get_one_and_zeros_padding;
1082 break;
1083#endif
1084#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1085 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1086 ctx->add_padding = add_zeros_and_len_padding;
1087 ctx->get_padding = get_zeros_and_len_padding;
1088 break;
1089#endif
1090#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1091 case MBEDTLS_PADDING_ZEROS:
1092 ctx->add_padding = add_zeros_padding;
1093 ctx->get_padding = get_zeros_padding;
1094 break;
1095#endif
1096 case MBEDTLS_PADDING_NONE:
1097 ctx->add_padding = NULL;
1098 ctx->get_padding = get_no_padding;
1099 break;
1100
1101 default:
1102 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1103 }
1104
1105 return( 0 );
1106}
1107#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1108
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1109#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1110int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
1111 unsigned char *tag, size_t tag_len )
1112{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1113 CIPHER_VALIDATE_RET( ctx != NULL );
1114 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1115 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1116 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1117
1118 if( MBEDTLS_ENCRYPT != ctx->operation )
1119 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1120
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1121#if defined(MBEDTLS_USE_PSA_CRYPTO)
1122 if( ctx->psa_enabled == 1 )
1123 {
1124 /* While PSA Crypto has an API for multipart
1125 * operations, we currently don't make it
1126 * accessible through the cipher layer. */
1127 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1128 }
1129#endif /* MBEDTLS_USE_PSA_CRYPTO */
1130
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1131#if defined(MBEDTLS_GCM_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1132 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1133 return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
1134 tag, tag_len ) );
1135#endif
1136
1137#if defined(MBEDTLS_CHACHAPOLY_C)
1138 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1139 {
1140 /* Don't allow truncated MAC for Poly1305 */
1141 if ( tag_len != 16U )
1142 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1143
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1144 return( mbedtls_chachapoly_finish(
1145 (mbedtls_chachapoly_context*) ctx->cipher_ctx, tag ) );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1146 }
1147#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1148
1149 return( 0 );
1150}
1151
1152int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
1153 const unsigned char *tag, size_t tag_len )
1154{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1155 unsigned char check_tag[16];
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1156 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1157
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1158 CIPHER_VALIDATE_RET( ctx != NULL );
1159 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1160 if( ctx->cipher_info == NULL )
1161 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1162
1163 if( MBEDTLS_DECRYPT != ctx->operation )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1164 {
1165 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1166 }
1167
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1168#if defined(MBEDTLS_USE_PSA_CRYPTO)
1169 if( ctx->psa_enabled == 1 )
1170 {
1171 /* While PSA Crypto has an API for multipart
1172 * operations, we currently don't make it
1173 * accessible through the cipher layer. */
1174 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1175 }
1176#endif /* MBEDTLS_USE_PSA_CRYPTO */
1177
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]1178 /* Status to return on a non-authenticated algorithm. It would make sense
1179 * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps
1180 * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our
1181 * unit tests assume 0. */
1182 ret = 0;
1183
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1184#if defined(MBEDTLS_GCM_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1185 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1186 {
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1187 if( tag_len > sizeof( check_tag ) )
1188 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1189
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1190 if( 0 != ( ret = mbedtls_gcm_finish(
1191 (mbedtls_gcm_context *) ctx->cipher_ctx,
1192 check_tag, tag_len ) ) )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1193 {
1194 return( ret );
1195 }
1196
1197 /* Check the tag in "constant-time" */
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]1198 if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
1199 {
1200 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1201 goto exit;
1202 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1203 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1204#endif /* MBEDTLS_GCM_C */
1205
1206#if defined(MBEDTLS_CHACHAPOLY_C)
1207 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1208 {
1209 /* Don't allow truncated MAC for Poly1305 */
1210 if ( tag_len != sizeof( check_tag ) )
1211 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1212
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1213 ret = mbedtls_chachapoly_finish(
1214 (mbedtls_chachapoly_context*) ctx->cipher_ctx, check_tag );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1215 if ( ret != 0 )
1216 {
1217 return( ret );
1218 }
1219
1220 /* Check the tag in "constant-time" */
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]1221 if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
1222 {
1223 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1224 goto exit;
1225 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1226 }
1227#endif /* MBEDTLS_CHACHAPOLY_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1228
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]1229exit:
1230 mbedtls_platform_zeroize( check_tag, tag_len );
1231 return( ret );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1232}
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1233#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1234
1235/*
1236 * Packet-oriented wrapper for non-AEAD modes
1237 */
1238int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
1239 const unsigned char *iv, size_t iv_len,
1240 const unsigned char *input, size_t ilen,
1241 unsigned char *output, size_t *olen )
1242{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1243 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1244 size_t finish_olen;
1245
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1246 CIPHER_VALIDATE_RET( ctx != NULL );
1247 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1248 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1249 CIPHER_VALIDATE_RET( output != NULL );
1250 CIPHER_VALIDATE_RET( olen != NULL );
1251
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1252#if defined(MBEDTLS_USE_PSA_CRYPTO)
1253 if( ctx->psa_enabled == 1 )
1254 {
1255 /* As in the non-PSA case, we don't check that
1256 * a key has been set. If not, the key slot will
1257 * still be in its default state of 0, which is
1258 * guaranteed to be invalid, hence the PSA-call
1259 * below will gracefully fail. */
1260 mbedtls_cipher_context_psa * const cipher_psa =
1261 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1262
1263 psa_status_t status;
1264 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1265 size_t part_len;
1266
1267 if( ctx->operation == MBEDTLS_DECRYPT )
1268 {
1269 status = psa_cipher_decrypt_setup( &cipher_op,
1270 cipher_psa->slot,
1271 cipher_psa->alg );
1272 }
1273 else if( ctx->operation == MBEDTLS_ENCRYPT )
1274 {
1275 status = psa_cipher_encrypt_setup( &cipher_op,
1276 cipher_psa->slot,
1277 cipher_psa->alg );
1278 }
1279 else
1280 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1281
1282 /* In the following, we can immediately return on an error,
1283 * because the PSA Crypto API guarantees that cipher operations
1284 * are terminated by unsuccessful calls to psa_cipher_update(),
1285 * and by any call to psa_cipher_finish(). */
1286 if( status != PSA_SUCCESS )
1287 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1288
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]1289 if( ctx->cipher_info->mode != MBEDTLS_MODE_ECB )
1290 {
1291 status = psa_cipher_set_iv( &cipher_op, iv, iv_len );
1292 if( status != PSA_SUCCESS )
1293 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1294 }
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1295
1296 status = psa_cipher_update( &cipher_op,
1297 input, ilen,
1298 output, ilen, olen );
1299 if( status != PSA_SUCCESS )
1300 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1301
1302 status = psa_cipher_finish( &cipher_op,
1303 output + *olen, ilen - *olen,
1304 &part_len );
1305 if( status != PSA_SUCCESS )
1306 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1307
1308 *olen += part_len;
1309 return( 0 );
1310 }
1311#endif /* MBEDTLS_USE_PSA_CRYPTO */
1312
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1313 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
1314 return( ret );
1315
1316 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
1317 return( ret );
1318
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1319 if( ( ret = mbedtls_cipher_update( ctx, input, ilen,
1320 output, olen ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1321 return( ret );
1322
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1323 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen,
1324 &finish_olen ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1325 return( ret );
1326
1327 *olen += finish_olen;
1328
1329 return( 0 );
1330}
1331
1332#if defined(MBEDTLS_CIPHER_MODE_AEAD)
1333/*
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1334 * Packet-oriented encryption for AEAD modes: internal function shared by
1335 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1336 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1337static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1338 const unsigned char *iv, size_t iv_len,
1339 const unsigned char *ad, size_t ad_len,
1340 const unsigned char *input, size_t ilen,
1341 unsigned char *output, size_t *olen,
1342 unsigned char *tag, size_t tag_len )
1343{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1344#if defined(MBEDTLS_USE_PSA_CRYPTO)
1345 if( ctx->psa_enabled == 1 )
1346 {
1347 /* As in the non-PSA case, we don't check that
1348 * a key has been set. If not, the key slot will
1349 * still be in its default state of 0, which is
1350 * guaranteed to be invalid, hence the PSA-call
1351 * below will gracefully fail. */
1352 mbedtls_cipher_context_psa * const cipher_psa =
1353 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1354
1355 psa_status_t status;
1356
1357 /* PSA Crypto API always writes the authentication tag
1358 * at the end of the encrypted message. */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1359 if( output == NULL || tag != output + ilen )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1360 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1361
1362 status = psa_aead_encrypt( cipher_psa->slot,
1363 cipher_psa->alg,
1364 iv, iv_len,
1365 ad, ad_len,
1366 input, ilen,
1367 output, ilen + tag_len, olen );
1368 if( status != PSA_SUCCESS )
1369 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1370
1371 *olen -= tag_len;
1372 return( 0 );
1373 }
1374#endif /* MBEDTLS_USE_PSA_CRYPTO */
1375
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1376#if defined(MBEDTLS_GCM_C)
1377 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1378 {
1379 *olen = ilen;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1380 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1381 ilen, iv, iv_len, ad, ad_len,
1382 input, output, tag_len, tag ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1383 }
1384#endif /* MBEDTLS_GCM_C */
1385#if defined(MBEDTLS_CCM_C)
1386 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1387 {
1388 *olen = ilen;
1389 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
1390 iv, iv_len, ad, ad_len, input, output,
1391 tag, tag_len ) );
1392 }
1393#endif /* MBEDTLS_CCM_C */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1394#if defined(MBEDTLS_CHACHAPOLY_C)
1395 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1396 {
1397 /* ChachaPoly has fixed length nonce and MAC (tag) */
1398 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1399 ( tag_len != 16U ) )
1400 {
1401 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1402 }
1403
1404 *olen = ilen;
1405 return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
1406 ilen, iv, ad, ad_len, input, output, tag ) );
1407 }
1408#endif /* MBEDTLS_CHACHAPOLY_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1409
1410 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1411}
1412
1413/*
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1414 * Packet-oriented encryption for AEAD modes: internal function shared by
1415 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1416 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1417static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1418 const unsigned char *iv, size_t iv_len,
1419 const unsigned char *ad, size_t ad_len,
1420 const unsigned char *input, size_t ilen,
1421 unsigned char *output, size_t *olen,
1422 const unsigned char *tag, size_t tag_len )
1423{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1424#if defined(MBEDTLS_USE_PSA_CRYPTO)
1425 if( ctx->psa_enabled == 1 )
1426 {
1427 /* As in the non-PSA case, we don't check that
1428 * a key has been set. If not, the key slot will
1429 * still be in its default state of 0, which is
1430 * guaranteed to be invalid, hence the PSA-call
1431 * below will gracefully fail. */
1432 mbedtls_cipher_context_psa * const cipher_psa =
1433 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1434
1435 psa_status_t status;
1436
1437 /* PSA Crypto API always writes the authentication tag
1438 * at the end of the encrypted message. */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1439 if( input == NULL || tag != input + ilen )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1440 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1441
1442 status = psa_aead_decrypt( cipher_psa->slot,
1443 cipher_psa->alg,
1444 iv, iv_len,
1445 ad, ad_len,
1446 input, ilen + tag_len,
1447 output, ilen, olen );
1448 if( status == PSA_ERROR_INVALID_SIGNATURE )
1449 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1450 else if( status != PSA_SUCCESS )
1451 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1452
1453 return( 0 );
1454 }
1455#endif /* MBEDTLS_USE_PSA_CRYPTO */
1456
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1457#if defined(MBEDTLS_GCM_C)
1458 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1459 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1460 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1461
1462 *olen = ilen;
1463 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
1464 iv, iv_len, ad, ad_len,
1465 tag, tag_len, input, output );
1466
1467 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
1468 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1469
1470 return( ret );
1471 }
1472#endif /* MBEDTLS_GCM_C */
1473#if defined(MBEDTLS_CCM_C)
1474 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1475 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1476 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1477
1478 *olen = ilen;
1479 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
1480 iv, iv_len, ad, ad_len,
1481 input, output, tag, tag_len );
1482
1483 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
1484 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1485
1486 return( ret );
1487 }
1488#endif /* MBEDTLS_CCM_C */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1489#if defined(MBEDTLS_CHACHAPOLY_C)
1490 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1491 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1492 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1493
1494 /* ChachaPoly has fixed length nonce and MAC (tag) */
1495 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1496 ( tag_len != 16U ) )
1497 {
1498 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1499 }
1500
1501 *olen = ilen;
1502 ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
1503 iv, ad, ad_len, tag, input, output );
1504
1505 if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
1506 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1507
1508 return( ret );
1509 }
1510#endif /* MBEDTLS_CHACHAPOLY_C */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1511
1512 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1513}
1514
1515#if !defined(MBEDTLS_DEPRECATED_REMOVED)
1516/*
1517 * Packet-oriented encryption for AEAD modes: public legacy function.
1518 */
1519int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
1520 const unsigned char *iv, size_t iv_len,
1521 const unsigned char *ad, size_t ad_len,
1522 const unsigned char *input, size_t ilen,
1523 unsigned char *output, size_t *olen,
1524 unsigned char *tag, size_t tag_len )
1525{
1526 CIPHER_VALIDATE_RET( ctx != NULL );
1527 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1528 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1529 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1530 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
1531 CIPHER_VALIDATE_RET( olen != NULL );
1532 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1533
1534 return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
1535 input, ilen, output, olen,
1536 tag, tag_len ) );
1537}
1538
1539/*
1540 * Packet-oriented decryption for AEAD modes: public legacy function.
1541 */
1542int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
1543 const unsigned char *iv, size_t iv_len,
1544 const unsigned char *ad, size_t ad_len,
1545 const unsigned char *input, size_t ilen,
1546 unsigned char *output, size_t *olen,
1547 const unsigned char *tag, size_t tag_len )
1548{
1549 CIPHER_VALIDATE_RET( ctx != NULL );
1550 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1551 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1552 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1553 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
1554 CIPHER_VALIDATE_RET( olen != NULL );
1555 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1556
1557 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
1558 input, ilen, output, olen,
1559 tag, tag_len ) );
1560}
1561#endif /* !MBEDTLS_DEPRECATED_REMOVED */
1562#endif /* MBEDTLS_CIPHER_MODE_AEAD */
1563
1564#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1565/*
1566 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1567 */
1568int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
1569 const unsigned char *iv, size_t iv_len,
1570 const unsigned char *ad, size_t ad_len,
1571 const unsigned char *input, size_t ilen,
1572 unsigned char *output, size_t output_len,
1573 size_t *olen, size_t tag_len )
1574{
1575 CIPHER_VALIDATE_RET( ctx != NULL );
1576 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1577 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1578 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1579 CIPHER_VALIDATE_RET( output != NULL );
1580 CIPHER_VALIDATE_RET( olen != NULL );
1581
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1582#if defined(MBEDTLS_NIST_KW_C)
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1583 if(
1584#if defined(MBEDTLS_USE_PSA_CRYPTO)
1585 ctx->psa_enabled == 0 &&
1586#endif
1587 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1588 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1589 {
1590 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1591 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1592
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1593 /* There is no iv, tag or ad associated with KW and KWP,
1594 * so these length should be 0 as documented. */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1595 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1596 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1597
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1598 (void) iv;
1599 (void) ad;
1600
1601 return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen,
1602 output, olen, output_len ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1603 }
1604#endif /* MBEDTLS_NIST_KW_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1605
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1606#if defined(MBEDTLS_CIPHER_MODE_AEAD)
1607 /* AEAD case: check length before passing on to shared function */
1608 if( output_len < ilen + tag_len )
1609 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1610
1611 int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
1612 input, ilen, output, olen,
1613 output + ilen, tag_len );
1614 *olen += tag_len;
1615 return( ret );
1616#else
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1617 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1618#endif /* MBEDTLS_CIPHER_MODE_AEAD */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]1619}
1620
1621/*
1622 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1623 */
1624int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
1625 const unsigned char *iv, size_t iv_len,
1626 const unsigned char *ad, size_t ad_len,
1627 const unsigned char *input, size_t ilen,
1628 unsigned char *output, size_t output_len,
1629 size_t *olen, size_t tag_len )
1630{
1631 CIPHER_VALIDATE_RET( ctx != NULL );
1632 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1633 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1634 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1635 CIPHER_VALIDATE_RET( output_len == 0 || output != NULL );
1636 CIPHER_VALIDATE_RET( olen != NULL );
1637
1638#if defined(MBEDTLS_NIST_KW_C)
1639 if(
1640#if defined(MBEDTLS_USE_PSA_CRYPTO)
1641 ctx->psa_enabled == 0 &&
1642#endif
1643 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1644 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
1645 {
1646 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1647 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1648
1649 /* There is no iv, tag or ad associated with KW and KWP,
1650 * so these length should be 0 as documented. */
1651 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1652 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1653
1654 (void) iv;
1655 (void) ad;
1656
1657 return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen,
1658 output, olen, output_len ) );
1659 }
1660#endif /* MBEDTLS_NIST_KW_C */
1661
1662#if defined(MBEDTLS_CIPHER_MODE_AEAD)
1663 /* AEAD case: check length before passing on to shared function */
1664 if( ilen < tag_len || output_len < ilen - tag_len )
1665 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1666
1667 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
1668 input, ilen - tag_len, output, olen,
1669 input + ilen - tag_len, tag_len ) );
1670#else
1671 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1672#endif /* MBEDTLS_CIPHER_MODE_AEAD */
1673}
1674#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1675
1676#endif /* MBEDTLS_CIPHER_C */