TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / d3aa2143a9aa349b52b93d918347a8db9d801748 / . / lib / libmbedtls / mbedtls / library / cipher.c
blob: e9e0b223e52a13bffc1150036747a67f8ec3fcfc [file] [log] [blame]
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1/**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
9 * SPDX-License-Identifier: Apache-2.0
10 *
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
22 *
23 * This file is part of mbed TLS (https://tls.mbed.org)
24 */
25
26#if !defined(MBEDTLS_CONFIG_FILE)
27#include "mbedtls/config.h"
28#else
29#include MBEDTLS_CONFIG_FILE
30#endif
31
32#if defined(MBEDTLS_CIPHER_C)
33
34#include "mbedtls/cipher.h"
35#include "mbedtls/cipher_internal.h"
36
37#include <stdlib.h>
38#include <string.h>
39
40#if defined(MBEDTLS_GCM_C)
41#include "mbedtls/gcm.h"
42#endif
43
44#if defined(MBEDTLS_CCM_C)
45#include "mbedtls/ccm.h"
46#endif
47
48#if defined(MBEDTLS_CMAC_C)
49#include "mbedtls/cmac.h"
50#endif
51
52#if defined(MBEDTLS_PLATFORM_C)
53#include "mbedtls/platform.h"
54#else
55#define mbedtls_calloc calloc
56#define mbedtls_free free
57#endif
58
59#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
60#define MBEDTLS_CIPHER_MODE_STREAM
61#endif
62
63/* Implementation that should never be optimized out by the compiler */
64static void mbedtls_zeroize( void *v, size_t n ) {
65 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
66}
67
68static int supported_init = 0;
69
70const int *mbedtls_cipher_list( void )
71{
72 const mbedtls_cipher_definition_t *def;
73 int *type;
74
75 if( ! supported_init )
76 {
77 def = mbedtls_cipher_definitions;
78 type = mbedtls_cipher_supported;
79
80 while( def->type != 0 )
81 *type++ = (*def++).type;
82
83 *type = 0;
84
85 supported_init = 1;
86 }
87
88 return( mbedtls_cipher_supported );
89}
90
91const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type )
92{
93 const mbedtls_cipher_definition_t *def;
94
95 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
96 if( def->type == cipher_type )
97 return( def->info );
98
99 return( NULL );
100}
101
102const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name )
103{
104 const mbedtls_cipher_definition_t *def;
105
106 if( NULL == cipher_name )
107 return( NULL );
108
109 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
110 if( ! strcmp( def->info->name, cipher_name ) )
111 return( def->info );
112
113 return( NULL );
114}
115
116const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
117 int key_bitlen,
118 const mbedtls_cipher_mode_t mode )
119{
120 const mbedtls_cipher_definition_t *def;
121
122 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
123 if( def->info->base->cipher == cipher_id &&
124 def->info->key_bitlen == (unsigned) key_bitlen &&
125 def->info->mode == mode )
126 return( def->info );
127
128 return( NULL );
129}
130
131void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
132{
133 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
134}
135
136void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
137{
138 if( ctx == NULL )
139 return;
140
141#if defined(MBEDTLS_CMAC_C)
142 if( ctx->cmac_ctx )
143 {
144 mbedtls_zeroize( ctx->cmac_ctx, sizeof( mbedtls_cmac_context_t ) );
145 mbedtls_free( ctx->cmac_ctx );
146 }
147#endif
148
149 if( ctx->cipher_ctx )
150 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
151
152 mbedtls_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
153}
154
155int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
156{
157 if( NULL == cipher_info || NULL == ctx )
158 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
159
160 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
161
162 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
163 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
164
165 ctx->cipher_info = cipher_info;
166
167#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
168 /*
169 * Ignore possible errors caused by a cipher mode that doesn't use padding
170 */
171#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
172 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
173#else
174 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
175#endif
176#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
177
178 return( 0 );
179}
180
181int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key,
182 int key_bitlen, const mbedtls_operation_t operation )
183{
184 if( NULL == ctx || NULL == ctx->cipher_info )
185 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
186
187 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
188 (int) ctx->cipher_info->key_bitlen != key_bitlen )
189 {
190 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
191 }
192
193 ctx->key_bitlen = key_bitlen;
194 ctx->operation = operation;
195
196 /*
197 * For CFB and CTR mode always use the encryption key schedule
198 */
199 if( MBEDTLS_ENCRYPT == operation ||
200 MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
201 MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
202 {
203 return ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
204 ctx->key_bitlen );
205 }
206
207 if( MBEDTLS_DECRYPT == operation )
208 return ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
209 ctx->key_bitlen );
210
211 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
212}
213
214int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
215 const unsigned char *iv, size_t iv_len )
216{
217 size_t actual_iv_size;
218
219 if( NULL == ctx || NULL == ctx->cipher_info || NULL == iv )
220 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
221
222 /* avoid buffer overflow in ctx->iv */
223 if( iv_len > MBEDTLS_MAX_IV_LENGTH )
224 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
225
226 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
227 actual_iv_size = iv_len;
228 else
229 {
230 actual_iv_size = ctx->cipher_info->iv_size;
231
232 /* avoid reading past the end of input buffer */
233 if( actual_iv_size > iv_len )
234 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
235 }
236
237 memcpy( ctx->iv, iv, actual_iv_size );
238 ctx->iv_size = actual_iv_size;
239
240 return( 0 );
241}
242
243int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
244{
245 if( NULL == ctx || NULL == ctx->cipher_info )
246 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
247
248 ctx->unprocessed_len = 0;
249
250 return( 0 );
251}
252
253#if defined(MBEDTLS_GCM_C)
254int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
255 const unsigned char *ad, size_t ad_len )
256{
257 if( NULL == ctx || NULL == ctx->cipher_info )
258 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
259
260 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
261 {
262 return mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
263 ctx->iv, ctx->iv_size, ad, ad_len );
264 }
265
266 return( 0 );
267}
268#endif /* MBEDTLS_GCM_C */
269
270int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
271 size_t ilen, unsigned char *output, size_t *olen )
272{
273 int ret;
274 size_t block_size = 0;
275
276 if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
277 {
278 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
279 }
280
281 *olen = 0;
282 block_size = mbedtls_cipher_get_block_size( ctx );
283
284 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
285 {
286 if( ilen != block_size )
287 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
288
289 *olen = ilen;
290
291 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
292 ctx->operation, input, output ) ) )
293 {
294 return( ret );
295 }
296
297 return( 0 );
298 }
299
300#if defined(MBEDTLS_GCM_C)
301 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
302 {
303 *olen = ilen;
304 return mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
305 output );
306 }
307#endif
308
309 if ( 0 == block_size )
310 {
311 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
312 }
313
314 if( input == output &&
315 ( ctx->unprocessed_len != 0 || ilen % block_size ) )
316 {
317 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
318 }
319
320#if defined(MBEDTLS_CIPHER_MODE_CBC)
321 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
322 {
323 size_t copy_len = 0;
324
325 /*
326 * If there is not enough data for a full block, cache it.
327 */
328 if( ( ctx->operation == MBEDTLS_DECRYPT &&
329 ilen <= block_size - ctx->unprocessed_len ) ||
330 ( ctx->operation == MBEDTLS_ENCRYPT &&
331 ilen < block_size - ctx->unprocessed_len ) )
332 {
333 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
334 ilen );
335
336 ctx->unprocessed_len += ilen;
337 return( 0 );
338 }
339
340 /*
341 * Process cached data first
342 */
343 if( 0 != ctx->unprocessed_len )
344 {
345 copy_len = block_size - ctx->unprocessed_len;
346
347 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
348 copy_len );
349
350 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
351 ctx->operation, block_size, ctx->iv,
352 ctx->unprocessed_data, output ) ) )
353 {
354 return( ret );
355 }
356
357 *olen += block_size;
358 output += block_size;
359 ctx->unprocessed_len = 0;
360
361 input += copy_len;
362 ilen -= copy_len;
363 }
364
365 /*
366 * Cache final, incomplete block
367 */
368 if( 0 != ilen )
369 {
370 if( 0 == block_size )
371 {
372 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
373 }
374
375 copy_len = ilen % block_size;
376 if( copy_len == 0 && ctx->operation == MBEDTLS_DECRYPT )
377 copy_len = block_size;
378
379 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
380 copy_len );
381
382 ctx->unprocessed_len += copy_len;
383 ilen -= copy_len;
384 }
385
386 /*
387 * Process remaining full blocks
388 */
389 if( ilen )
390 {
391 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
392 ctx->operation, ilen, ctx->iv, input, output ) ) )
393 {
394 return( ret );
395 }
396
397 *olen += ilen;
398 }
399
400 return( 0 );
401 }
402#endif /* MBEDTLS_CIPHER_MODE_CBC */
403
404#if defined(MBEDTLS_CIPHER_MODE_CFB)
405 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
406 {
407 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
408 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
409 input, output ) ) )
410 {
411 return( ret );
412 }
413
414 *olen = ilen;
415
416 return( 0 );
417 }
418#endif /* MBEDTLS_CIPHER_MODE_CFB */
419
420#if defined(MBEDTLS_CIPHER_MODE_CTR)
421 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
422 {
423 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
424 ilen, &ctx->unprocessed_len, ctx->iv,
425 ctx->unprocessed_data, input, output ) ) )
426 {
427 return( ret );
428 }
429
430 *olen = ilen;
431
432 return( 0 );
433 }
434#endif /* MBEDTLS_CIPHER_MODE_CTR */
435
436#if defined(MBEDTLS_CIPHER_MODE_STREAM)
437 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
438 {
439 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
440 ilen, input, output ) ) )
441 {
442 return( ret );
443 }
444
445 *olen = ilen;
446
447 return( 0 );
448 }
449#endif /* MBEDTLS_CIPHER_MODE_STREAM */
450
451 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
452}
453
454#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
455#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
456/*
457 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
458 */
459static void add_pkcs_padding( unsigned char *output, size_t output_len,
460 size_t data_len )
461{
462 size_t padding_len = output_len - data_len;
463 unsigned char i;
464
465 for( i = 0; i < padding_len; i++ )
466 output[data_len + i] = (unsigned char) padding_len;
467}
468
469static int get_pkcs_padding( unsigned char *input, size_t input_len,
470 size_t *data_len )
471{
472 size_t i, pad_idx;
473 unsigned char padding_len, bad = 0;
474
475 if( NULL == input || NULL == data_len )
476 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
477
478 padding_len = input[input_len - 1];
479 *data_len = input_len - padding_len;
480
481 /* Avoid logical || since it results in a branch */
482 bad |= padding_len > input_len;
483 bad |= padding_len == 0;
484
485 /* The number of bytes checked must be independent of padding_len,
486 * so pick input_len, which is usually 8 or 16 (one block) */
487 pad_idx = input_len - padding_len;
488 for( i = 0; i < input_len; i++ )
489 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
490
491 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
492}
493#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
494
495#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
496/*
497 * One and zeros padding: fill with 80 00 ... 00
498 */
499static void add_one_and_zeros_padding( unsigned char *output,
500 size_t output_len, size_t data_len )
501{
502 size_t padding_len = output_len - data_len;
503 unsigned char i = 0;
504
505 output[data_len] = 0x80;
506 for( i = 1; i < padding_len; i++ )
507 output[data_len + i] = 0x00;
508}
509
510static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
511 size_t *data_len )
512{
513 size_t i;
514 unsigned char done = 0, prev_done, bad;
515
516 if( NULL == input || NULL == data_len )
517 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
518
519 bad = 0xFF;
520 *data_len = 0;
521 for( i = input_len; i > 0; i-- )
522 {
523 prev_done = done;
524 done |= ( input[i-1] != 0 );
525 *data_len |= ( i - 1 ) * ( done != prev_done );
526 bad &= ( input[i-1] ^ 0x80 ) | ( done == prev_done );
527 }
528
529 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
530
531}
532#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
533
534#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
535/*
536 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
537 */
538static void add_zeros_and_len_padding( unsigned char *output,
539 size_t output_len, size_t data_len )
540{
541 size_t padding_len = output_len - data_len;
542 unsigned char i = 0;
543
544 for( i = 1; i < padding_len; i++ )
545 output[data_len + i - 1] = 0x00;
546 output[output_len - 1] = (unsigned char) padding_len;
547}
548
549static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
550 size_t *data_len )
551{
552 size_t i, pad_idx;
553 unsigned char padding_len, bad = 0;
554
555 if( NULL == input || NULL == data_len )
556 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
557
558 padding_len = input[input_len - 1];
559 *data_len = input_len - padding_len;
560
561 /* Avoid logical || since it results in a branch */
562 bad |= padding_len > input_len;
563 bad |= padding_len == 0;
564
565 /* The number of bytes checked must be independent of padding_len */
566 pad_idx = input_len - padding_len;
567 for( i = 0; i < input_len - 1; i++ )
568 bad |= input[i] * ( i >= pad_idx );
569
570 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
571}
572#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
573
574#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
575/*
576 * Zero padding: fill with 00 ... 00
577 */
578static void add_zeros_padding( unsigned char *output,
579 size_t output_len, size_t data_len )
580{
581 size_t i;
582
583 for( i = data_len; i < output_len; i++ )
584 output[i] = 0x00;
585}
586
587static int get_zeros_padding( unsigned char *input, size_t input_len,
588 size_t *data_len )
589{
590 size_t i;
591 unsigned char done = 0, prev_done;
592
593 if( NULL == input || NULL == data_len )
594 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
595
596 *data_len = 0;
597 for( i = input_len; i > 0; i-- )
598 {
599 prev_done = done;
600 done |= ( input[i-1] != 0 );
601 *data_len |= i * ( done != prev_done );
602 }
603
604 return( 0 );
605}
606#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
607
608/*
609 * No padding: don't pad :)
610 *
611 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
612 * but a trivial get_padding function
613 */
614static int get_no_padding( unsigned char *input, size_t input_len,
615 size_t *data_len )
616{
617 if( NULL == input || NULL == data_len )
618 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
619
620 *data_len = input_len;
621
622 return( 0 );
623}
624#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
625
626int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
627 unsigned char *output, size_t *olen )
628{
629 if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
630 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
631
632 *olen = 0;
633
634 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
635 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
636 MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
637 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
638 {
639 return( 0 );
640 }
641
642 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
643 {
644 if( ctx->unprocessed_len != 0 )
645 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
646
647 return( 0 );
648 }
649
650#if defined(MBEDTLS_CIPHER_MODE_CBC)
651 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
652 {
653 int ret = 0;
654
655 if( MBEDTLS_ENCRYPT == ctx->operation )
656 {
657 /* check for 'no padding' mode */
658 if( NULL == ctx->add_padding )
659 {
660 if( 0 != ctx->unprocessed_len )
661 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
662
663 return( 0 );
664 }
665
666 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
667 ctx->unprocessed_len );
668 }
669 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
670 {
671 /*
672 * For decrypt operations, expect a full block,
673 * or an empty block if no padding
674 */
675 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
676 return( 0 );
677
678 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
679 }
680
681 /* cipher block */
682 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
683 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
684 ctx->unprocessed_data, output ) ) )
685 {
686 return( ret );
687 }
688
689 /* Set output size for decryption */
690 if( MBEDTLS_DECRYPT == ctx->operation )
691 return ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
692 olen );
693
694 /* Set output size for encryption */
695 *olen = mbedtls_cipher_get_block_size( ctx );
696 return( 0 );
697 }
698#else
699 ((void) output);
700#endif /* MBEDTLS_CIPHER_MODE_CBC */
701
702 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
703}
704
705#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
706int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode )
707{
708 if( NULL == ctx ||
709 MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
710 {
711 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
712 }
713
714 switch( mode )
715 {
716#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
717 case MBEDTLS_PADDING_PKCS7:
718 ctx->add_padding = add_pkcs_padding;
719 ctx->get_padding = get_pkcs_padding;
720 break;
721#endif
722#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
723 case MBEDTLS_PADDING_ONE_AND_ZEROS:
724 ctx->add_padding = add_one_and_zeros_padding;
725 ctx->get_padding = get_one_and_zeros_padding;
726 break;
727#endif
728#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
729 case MBEDTLS_PADDING_ZEROS_AND_LEN:
730 ctx->add_padding = add_zeros_and_len_padding;
731 ctx->get_padding = get_zeros_and_len_padding;
732 break;
733#endif
734#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
735 case MBEDTLS_PADDING_ZEROS:
736 ctx->add_padding = add_zeros_padding;
737 ctx->get_padding = get_zeros_padding;
738 break;
739#endif
740 case MBEDTLS_PADDING_NONE:
741 ctx->add_padding = NULL;
742 ctx->get_padding = get_no_padding;
743 break;
744
745 default:
746 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
747 }
748
749 return( 0 );
750}
751#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
752
753#if defined(MBEDTLS_GCM_C)
754int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
755 unsigned char *tag, size_t tag_len )
756{
757 if( NULL == ctx || NULL == ctx->cipher_info || NULL == tag )
758 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
759
760 if( MBEDTLS_ENCRYPT != ctx->operation )
761 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
762
763 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
764 return mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, tag, tag_len );
765
766 return( 0 );
767}
768
769int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
770 const unsigned char *tag, size_t tag_len )
771{
772 int ret;
773
774 if( NULL == ctx || NULL == ctx->cipher_info ||
775 MBEDTLS_DECRYPT != ctx->operation )
776 {
777 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
778 }
779
780 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
781 {
782 unsigned char check_tag[16];
783 size_t i;
784 int diff;
785
786 if( tag_len > sizeof( check_tag ) )
787 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
788
789 if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
790 check_tag, tag_len ) ) )
791 {
792 return( ret );
793 }
794
795 /* Check the tag in "constant-time" */
796 for( diff = 0, i = 0; i < tag_len; i++ )
797 diff |= tag[i] ^ check_tag[i];
798
799 if( diff != 0 )
800 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
801
802 return( 0 );
803 }
804
805 return( 0 );
806}
807#endif /* MBEDTLS_GCM_C */
808
809/*
810 * Packet-oriented wrapper for non-AEAD modes
811 */
812int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
813 const unsigned char *iv, size_t iv_len,
814 const unsigned char *input, size_t ilen,
815 unsigned char *output, size_t *olen )
816{
817 int ret;
818 size_t finish_olen;
819
820 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
821 return( ret );
822
823 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
824 return( ret );
825
826 if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
827 return( ret );
828
829 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
830 return( ret );
831
832 *olen += finish_olen;
833
834 return( 0 );
835}
836
837#if defined(MBEDTLS_CIPHER_MODE_AEAD)
838/*
839 * Packet-oriented encryption for AEAD modes
840 */
841int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
842 const unsigned char *iv, size_t iv_len,
843 const unsigned char *ad, size_t ad_len,
844 const unsigned char *input, size_t ilen,
845 unsigned char *output, size_t *olen,
846 unsigned char *tag, size_t tag_len )
847{
848#if defined(MBEDTLS_GCM_C)
849 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
850 {
851 *olen = ilen;
852 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
853 iv, iv_len, ad, ad_len, input, output,
854 tag_len, tag ) );
855 }
856#endif /* MBEDTLS_GCM_C */
857#if defined(MBEDTLS_CCM_C)
858 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
859 {
860 *olen = ilen;
861 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
862 iv, iv_len, ad, ad_len, input, output,
863 tag, tag_len ) );
864 }
865#endif /* MBEDTLS_CCM_C */
866
867 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
868}
869
870/*
871 * Packet-oriented decryption for AEAD modes
872 */
873int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
874 const unsigned char *iv, size_t iv_len,
875 const unsigned char *ad, size_t ad_len,
876 const unsigned char *input, size_t ilen,
877 unsigned char *output, size_t *olen,
878 const unsigned char *tag, size_t tag_len )
879{
880#if defined(MBEDTLS_GCM_C)
881 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
882 {
883 int ret;
884
885 *olen = ilen;
886 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
887 iv, iv_len, ad, ad_len,
888 tag, tag_len, input, output );
889
890 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
891 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
892
893 return( ret );
894 }
895#endif /* MBEDTLS_GCM_C */
896#if defined(MBEDTLS_CCM_C)
897 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
898 {
899 int ret;
900
901 *olen = ilen;
902 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
903 iv, iv_len, ad, ad_len,
904 input, output, tag, tag_len );
905
906 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
907 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
908
909 return( ret );
910 }
911#endif /* MBEDTLS_CCM_C */
912
913 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
914}
915#endif /* MBEDTLS_CIPHER_MODE_AEAD */
916
917#endif /* MBEDTLS_CIPHER_C */