TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / e5b6c167f80955ce0f4b32101dafc719ba2d205a / . / lib / libmbedtls / mbedtls / library / cipher.c
blob: 457f8f66012510d9054f8e869fc19c67b4fb2ee9 [file] [log] [blame]
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1/**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]10 *
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]22 */
23
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]24#include "common.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]25
26#if defined(MBEDTLS_CIPHER_C)
27
28#include "mbedtls/cipher.h"
29#include "mbedtls/cipher_internal.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]30#include "mbedtls/platform_util.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]31#include "mbedtls/error.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]32
33#include <stdlib.h>
34#include <string.h>
35
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]36#if defined(MBEDTLS_CHACHAPOLY_C)
37#include "mbedtls/chachapoly.h"
38#endif
39
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_GCM_C)
41#include "mbedtls/gcm.h"
42#endif
43
44#if defined(MBEDTLS_CCM_C)
45#include "mbedtls/ccm.h"
46#endif
47
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]48#if defined(MBEDTLS_CHACHA20_C)
49#include "mbedtls/chacha20.h"
50#endif
51
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]52#if defined(MBEDTLS_CMAC_C)
53#include "mbedtls/cmac.h"
54#endif
55
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]56#if defined(MBEDTLS_USE_PSA_CRYPTO)
57#include "psa/crypto.h"
58#include "mbedtls/psa_util.h"
59#endif /* MBEDTLS_USE_PSA_CRYPTO */
60
61#if defined(MBEDTLS_NIST_KW_C)
62#include "mbedtls/nist_kw.h"
63#endif
64
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]65#if defined(MBEDTLS_PLATFORM_C)
66#include "mbedtls/platform.h"
67#else
68#define mbedtls_calloc calloc
69#define mbedtls_free free
70#endif
71
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]72#define CIPHER_VALIDATE_RET( cond ) \
73 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
74#define CIPHER_VALIDATE( cond ) \
75 MBEDTLS_INTERNAL_VALIDATE( cond )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]76
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]77#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
78/* Compare the contents of two buffers in constant time.
79 * Returns 0 if the contents are bitwise identical, otherwise returns
80 * a non-zero value.
81 * This is currently only used by GCM and ChaCha20+Poly1305.
82 */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]83static int mbedtls_constant_time_memcmp( const void *v1, const void *v2,
84 size_t len )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]85{
86 const unsigned char *p1 = (const unsigned char*) v1;
87 const unsigned char *p2 = (const unsigned char*) v2;
88 size_t i;
89 unsigned char diff;
90
91 for( diff = 0, i = 0; i < len; i++ )
92 diff |= p1[i] ^ p2[i];
93
94 return( (int)diff );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]95}
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]96#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]97
98static int supported_init = 0;
99
100const int *mbedtls_cipher_list( void )
101{
102 const mbedtls_cipher_definition_t *def;
103 int *type;
104
105 if( ! supported_init )
106 {
107 def = mbedtls_cipher_definitions;
108 type = mbedtls_cipher_supported;
109
110 while( def->type != 0 )
111 *type++ = (*def++).type;
112
113 *type = 0;
114
115 supported_init = 1;
116 }
117
118 return( mbedtls_cipher_supported );
119}
120
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]121const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
122 const mbedtls_cipher_type_t cipher_type )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]123{
124 const mbedtls_cipher_definition_t *def;
125
126 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
127 if( def->type == cipher_type )
128 return( def->info );
129
130 return( NULL );
131}
132
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]133const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
134 const char *cipher_name )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]135{
136 const mbedtls_cipher_definition_t *def;
137
138 if( NULL == cipher_name )
139 return( NULL );
140
141 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
142 if( ! strcmp( def->info->name, cipher_name ) )
143 return( def->info );
144
145 return( NULL );
146}
147
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]148const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
149 const mbedtls_cipher_id_t cipher_id,
150 int key_bitlen,
151 const mbedtls_cipher_mode_t mode )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]152{
153 const mbedtls_cipher_definition_t *def;
154
155 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
156 if( def->info->base->cipher == cipher_id &&
157 def->info->key_bitlen == (unsigned) key_bitlen &&
158 def->info->mode == mode )
159 return( def->info );
160
161 return( NULL );
162}
163
164void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
165{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]166 CIPHER_VALIDATE( ctx != NULL );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]167 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
168}
169
170void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
171{
172 if( ctx == NULL )
173 return;
174
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]175#if defined(MBEDTLS_USE_PSA_CRYPTO)
176 if( ctx->psa_enabled == 1 )
177 {
178 if( ctx->cipher_ctx != NULL )
179 {
180 mbedtls_cipher_context_psa * const cipher_psa =
181 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
182
183 if( cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED )
184 {
185 /* xxx_free() doesn't allow to return failures. */
186 (void) psa_destroy_key( cipher_psa->slot );
187 }
188
189 mbedtls_platform_zeroize( cipher_psa, sizeof( *cipher_psa ) );
190 mbedtls_free( cipher_psa );
191 }
192
193 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
194 return;
195 }
196#endif /* MBEDTLS_USE_PSA_CRYPTO */
197
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]198#if defined(MBEDTLS_CMAC_C)
199 if( ctx->cmac_ctx )
200 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]201 mbedtls_platform_zeroize( ctx->cmac_ctx,
202 sizeof( mbedtls_cmac_context_t ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]203 mbedtls_free( ctx->cmac_ctx );
204 }
205#endif
206
207 if( ctx->cipher_ctx )
208 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
209
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]210 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]211}
212
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]213int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
214 const mbedtls_cipher_info_t *cipher_info )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]215{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]216 CIPHER_VALIDATE_RET( ctx != NULL );
217 if( cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]218 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
219
220 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
221
222 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
223 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
224
225 ctx->cipher_info = cipher_info;
226
227#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
228 /*
229 * Ignore possible errors caused by a cipher mode that doesn't use padding
230 */
231#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
232 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
233#else
234 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
235#endif
236#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
237
238 return( 0 );
239}
240
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]241#if defined(MBEDTLS_USE_PSA_CRYPTO)
242int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
243 const mbedtls_cipher_info_t *cipher_info,
244 size_t taglen )
245{
246 psa_algorithm_t alg;
247 mbedtls_cipher_context_psa *cipher_psa;
248
249 if( NULL == cipher_info || NULL == ctx )
250 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
251
252 /* Check that the underlying cipher mode and cipher type are
253 * supported by the underlying PSA Crypto implementation. */
254 alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen );
255 if( alg == 0 )
256 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
257 if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 )
258 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
259
260 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
261
262 cipher_psa = mbedtls_calloc( 1, sizeof(mbedtls_cipher_context_psa ) );
263 if( cipher_psa == NULL )
264 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
265 cipher_psa->alg = alg;
266 ctx->cipher_ctx = cipher_psa;
267 ctx->cipher_info = cipher_info;
268 ctx->psa_enabled = 1;
269 return( 0 );
270}
271#endif /* MBEDTLS_USE_PSA_CRYPTO */
272
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]273int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
274 const unsigned char *key,
275 int key_bitlen,
276 const mbedtls_operation_t operation )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]277{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]278 CIPHER_VALIDATE_RET( ctx != NULL );
279 CIPHER_VALIDATE_RET( key != NULL );
280 CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
281 operation == MBEDTLS_DECRYPT );
282 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]283 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
284
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]285#if defined(MBEDTLS_USE_PSA_CRYPTO)
286 if( ctx->psa_enabled == 1 )
287 {
288 mbedtls_cipher_context_psa * const cipher_psa =
289 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
290
291 size_t const key_bytelen = ( (size_t) key_bitlen + 7 ) / 8;
292
293 psa_status_t status;
294 psa_key_type_t key_type;
295 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
296
297 /* PSA Crypto API only accepts byte-aligned keys. */
298 if( key_bitlen % 8 != 0 )
299 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
300
301 /* Don't allow keys to be set multiple times. */
302 if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET )
303 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
304
305 key_type = mbedtls_psa_translate_cipher_type(
306 ctx->cipher_info->type );
307 if( key_type == 0 )
308 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
309 psa_set_key_type( &attributes, key_type );
310
311 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
312 * (encrypt vs. decrypt): it is possible to setup a key for encryption
313 * and use it for AEAD decryption. Until tests relying on this
314 * are changed, allow any usage in PSA. */
315 psa_set_key_usage_flags( &attributes,
316 /* mbedtls_psa_translate_cipher_operation( operation ); */
317 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
318 psa_set_key_algorithm( &attributes, cipher_psa->alg );
319
320 status = psa_import_key( &attributes, key, key_bytelen,
321 &cipher_psa->slot );
322 switch( status )
323 {
324 case PSA_SUCCESS:
325 break;
326 case PSA_ERROR_INSUFFICIENT_MEMORY:
327 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
328 case PSA_ERROR_NOT_SUPPORTED:
329 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
330 default:
331 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
332 }
333 /* Indicate that we own the key slot and need to
334 * destroy it in mbedtls_cipher_free(). */
335 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
336
337 ctx->key_bitlen = key_bitlen;
338 ctx->operation = operation;
339 return( 0 );
340 }
341#endif /* MBEDTLS_USE_PSA_CRYPTO */
342
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]343 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
344 (int) ctx->cipher_info->key_bitlen != key_bitlen )
345 {
346 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
347 }
348
349 ctx->key_bitlen = key_bitlen;
350 ctx->operation = operation;
351
352 /*
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]353 * For OFB, CFB and CTR mode always use the encryption key schedule
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]354 */
355 if( MBEDTLS_ENCRYPT == operation ||
356 MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]357 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]358 MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
359 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]360 return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
361 ctx->key_bitlen ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]362 }
363
364 if( MBEDTLS_DECRYPT == operation )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]365 return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
366 ctx->key_bitlen ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]367
368 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
369}
370
371int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]372 const unsigned char *iv,
373 size_t iv_len )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]374{
375 size_t actual_iv_size;
376
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]377 CIPHER_VALIDATE_RET( ctx != NULL );
378 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
379 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]380 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]381#if defined(MBEDTLS_USE_PSA_CRYPTO)
382 if( ctx->psa_enabled == 1 )
383 {
384 /* While PSA Crypto has an API for multipart
385 * operations, we currently don't make it
386 * accessible through the cipher layer. */
387 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
388 }
389#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]390
391 /* avoid buffer overflow in ctx->iv */
392 if( iv_len > MBEDTLS_MAX_IV_LENGTH )
393 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
394
395 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
396 actual_iv_size = iv_len;
397 else
398 {
399 actual_iv_size = ctx->cipher_info->iv_size;
400
401 /* avoid reading past the end of input buffer */
402 if( actual_iv_size > iv_len )
403 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
404 }
405
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]406#if defined(MBEDTLS_CHACHA20_C)
407 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
408 {
409 if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
410 iv,
411 0U ) ) /* Initial counter value */
412 {
413 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
414 }
415 }
416#endif
417
418 if ( actual_iv_size != 0 )
419 {
420 memcpy( ctx->iv, iv, actual_iv_size );
421 ctx->iv_size = actual_iv_size;
422 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]423
424 return( 0 );
425}
426
427int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
428{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]429 CIPHER_VALIDATE_RET( ctx != NULL );
430 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]431 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
432
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]433#if defined(MBEDTLS_USE_PSA_CRYPTO)
434 if( ctx->psa_enabled == 1 )
435 {
436 /* We don't support resetting PSA-based
437 * cipher contexts, yet. */
438 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
439 }
440#endif /* MBEDTLS_USE_PSA_CRYPTO */
441
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]442 ctx->unprocessed_len = 0;
443
444 return( 0 );
445}
446
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]447#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]448int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
449 const unsigned char *ad, size_t ad_len )
450{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]451 CIPHER_VALIDATE_RET( ctx != NULL );
452 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
453 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]454 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
455
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]456#if defined(MBEDTLS_USE_PSA_CRYPTO)
457 if( ctx->psa_enabled == 1 )
458 {
459 /* While PSA Crypto has an API for multipart
460 * operations, we currently don't make it
461 * accessible through the cipher layer. */
462 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
463 }
464#endif /* MBEDTLS_USE_PSA_CRYPTO */
465
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]466#if defined(MBEDTLS_GCM_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]467 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
468 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]469 return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
470 ctx->iv, ctx->iv_size, ad, ad_len ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]471 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]472#endif
473
474#if defined(MBEDTLS_CHACHAPOLY_C)
475 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
476 {
477 int result;
478 mbedtls_chachapoly_mode_t mode;
479
480 mode = ( ctx->operation == MBEDTLS_ENCRYPT )
481 ? MBEDTLS_CHACHAPOLY_ENCRYPT
482 : MBEDTLS_CHACHAPOLY_DECRYPT;
483
484 result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
485 ctx->iv,
486 mode );
487 if ( result != 0 )
488 return( result );
489
490 return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
491 ad, ad_len ) );
492 }
493#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]494
495 return( 0 );
496}
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]497#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]498
499int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
500 size_t ilen, unsigned char *output, size_t *olen )
501{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]502 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]503 size_t block_size;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]504
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]505 CIPHER_VALIDATE_RET( ctx != NULL );
506 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
507 CIPHER_VALIDATE_RET( output != NULL );
508 CIPHER_VALIDATE_RET( olen != NULL );
509 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]510 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]511
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]512#if defined(MBEDTLS_USE_PSA_CRYPTO)
513 if( ctx->psa_enabled == 1 )
514 {
515 /* While PSA Crypto has an API for multipart
516 * operations, we currently don't make it
517 * accessible through the cipher layer. */
518 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
519 }
520#endif /* MBEDTLS_USE_PSA_CRYPTO */
521
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]522 *olen = 0;
523 block_size = mbedtls_cipher_get_block_size( ctx );
Jerome Forissier5b25c762020-04-07 11:18:49 +0200[diff] [blame]524 if ( 0 == block_size )
525 {
526 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
527 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]528
529 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
530 {
531 if( ilen != block_size )
532 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
533
534 *olen = ilen;
535
536 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
537 ctx->operation, input, output ) ) )
538 {
539 return( ret );
540 }
541
542 return( 0 );
543 }
544
545#if defined(MBEDTLS_GCM_C)
546 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
547 {
548 *olen = ilen;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]549 return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
550 output ) );
551 }
552#endif
553
554#if defined(MBEDTLS_CHACHAPOLY_C)
555 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
556 {
557 *olen = ilen;
558 return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
559 ilen, input, output ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]560 }
561#endif
562
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]563 if( input == output &&
564 ( ctx->unprocessed_len != 0 || ilen % block_size ) )
565 {
566 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
567 }
568
569#if defined(MBEDTLS_CIPHER_MODE_CBC)
570 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
571 {
572 size_t copy_len = 0;
573
574 /*
575 * If there is not enough data for a full block, cache it.
576 */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]577 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]578 ilen <= block_size - ctx->unprocessed_len ) ||
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]579 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
580 ilen < block_size - ctx->unprocessed_len ) ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]581 ( ctx->operation == MBEDTLS_ENCRYPT &&
582 ilen < block_size - ctx->unprocessed_len ) )
583 {
584 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
585 ilen );
586
587 ctx->unprocessed_len += ilen;
588 return( 0 );
589 }
590
591 /*
592 * Process cached data first
593 */
594 if( 0 != ctx->unprocessed_len )
595 {
596 copy_len = block_size - ctx->unprocessed_len;
597
598 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
599 copy_len );
600
601 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
602 ctx->operation, block_size, ctx->iv,
603 ctx->unprocessed_data, output ) ) )
604 {
605 return( ret );
606 }
607
608 *olen += block_size;
609 output += block_size;
610 ctx->unprocessed_len = 0;
611
612 input += copy_len;
613 ilen -= copy_len;
614 }
615
616 /*
617 * Cache final, incomplete block
618 */
619 if( 0 != ilen )
620 {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]621 /* Encryption: only cache partial blocks
622 * Decryption w/ padding: always keep at least one whole block
623 * Decryption w/o padding: only cache partial blocks
624 */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]625 copy_len = ilen % block_size;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]626 if( copy_len == 0 &&
627 ctx->operation == MBEDTLS_DECRYPT &&
628 NULL != ctx->add_padding)
629 {
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]630 copy_len = block_size;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]631 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]632
633 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
634 copy_len );
635
636 ctx->unprocessed_len += copy_len;
637 ilen -= copy_len;
638 }
639
640 /*
641 * Process remaining full blocks
642 */
643 if( ilen )
644 {
645 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
646 ctx->operation, ilen, ctx->iv, input, output ) ) )
647 {
648 return( ret );
649 }
650
651 *olen += ilen;
652 }
653
654 return( 0 );
655 }
656#endif /* MBEDTLS_CIPHER_MODE_CBC */
657
658#if defined(MBEDTLS_CIPHER_MODE_CFB)
659 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
660 {
661 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
662 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
663 input, output ) ) )
664 {
665 return( ret );
666 }
667
668 *olen = ilen;
669
670 return( 0 );
671 }
672#endif /* MBEDTLS_CIPHER_MODE_CFB */
673
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]674#if defined(MBEDTLS_CIPHER_MODE_OFB)
675 if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
676 {
677 if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
678 ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
679 {
680 return( ret );
681 }
682
683 *olen = ilen;
684
685 return( 0 );
686 }
687#endif /* MBEDTLS_CIPHER_MODE_OFB */
688
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]689#if defined(MBEDTLS_CIPHER_MODE_CTR)
690 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
691 {
692 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
693 ilen, &ctx->unprocessed_len, ctx->iv,
694 ctx->unprocessed_data, input, output ) ) )
695 {
696 return( ret );
697 }
698
699 *olen = ilen;
700
701 return( 0 );
702 }
703#endif /* MBEDTLS_CIPHER_MODE_CTR */
704
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]705#if defined(MBEDTLS_CIPHER_MODE_XTS)
706 if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
707 {
708 if( ctx->unprocessed_len > 0 ) {
709 /* We can only process an entire data unit at a time. */
710 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
711 }
712
713 ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
714 ctx->operation, ilen, ctx->iv, input, output );
715 if( ret != 0 )
716 {
717 return( ret );
718 }
719
720 *olen = ilen;
721
722 return( 0 );
723 }
724#endif /* MBEDTLS_CIPHER_MODE_XTS */
725
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]726#if defined(MBEDTLS_CIPHER_MODE_STREAM)
727 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
728 {
729 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
730 ilen, input, output ) ) )
731 {
732 return( ret );
733 }
734
735 *olen = ilen;
736
737 return( 0 );
738 }
739#endif /* MBEDTLS_CIPHER_MODE_STREAM */
740
741 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
742}
743
744#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
745#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
746/*
747 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
748 */
749static void add_pkcs_padding( unsigned char *output, size_t output_len,
750 size_t data_len )
751{
752 size_t padding_len = output_len - data_len;
753 unsigned char i;
754
755 for( i = 0; i < padding_len; i++ )
756 output[data_len + i] = (unsigned char) padding_len;
757}
758
759static int get_pkcs_padding( unsigned char *input, size_t input_len,
760 size_t *data_len )
761{
762 size_t i, pad_idx;
763 unsigned char padding_len, bad = 0;
764
765 if( NULL == input || NULL == data_len )
766 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
767
768 padding_len = input[input_len - 1];
769 *data_len = input_len - padding_len;
770
771 /* Avoid logical || since it results in a branch */
772 bad |= padding_len > input_len;
773 bad |= padding_len == 0;
774
775 /* The number of bytes checked must be independent of padding_len,
776 * so pick input_len, which is usually 8 or 16 (one block) */
777 pad_idx = input_len - padding_len;
778 for( i = 0; i < input_len; i++ )
779 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
780
781 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
782}
783#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
784
785#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
786/*
787 * One and zeros padding: fill with 80 00 ... 00
788 */
789static void add_one_and_zeros_padding( unsigned char *output,
790 size_t output_len, size_t data_len )
791{
792 size_t padding_len = output_len - data_len;
793 unsigned char i = 0;
794
795 output[data_len] = 0x80;
796 for( i = 1; i < padding_len; i++ )
797 output[data_len + i] = 0x00;
798}
799
800static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
801 size_t *data_len )
802{
803 size_t i;
804 unsigned char done = 0, prev_done, bad;
805
806 if( NULL == input || NULL == data_len )
807 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
808
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]809 bad = 0x80;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]810 *data_len = 0;
811 for( i = input_len; i > 0; i-- )
812 {
813 prev_done = done;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]814 done |= ( input[i - 1] != 0 );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]815 *data_len |= ( i - 1 ) * ( done != prev_done );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]816 bad ^= input[i - 1] * ( done != prev_done );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]817 }
818
819 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
820
821}
822#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
823
824#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
825/*
826 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
827 */
828static void add_zeros_and_len_padding( unsigned char *output,
829 size_t output_len, size_t data_len )
830{
831 size_t padding_len = output_len - data_len;
832 unsigned char i = 0;
833
834 for( i = 1; i < padding_len; i++ )
835 output[data_len + i - 1] = 0x00;
836 output[output_len - 1] = (unsigned char) padding_len;
837}
838
839static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
840 size_t *data_len )
841{
842 size_t i, pad_idx;
843 unsigned char padding_len, bad = 0;
844
845 if( NULL == input || NULL == data_len )
846 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
847
848 padding_len = input[input_len - 1];
849 *data_len = input_len - padding_len;
850
851 /* Avoid logical || since it results in a branch */
852 bad |= padding_len > input_len;
853 bad |= padding_len == 0;
854
855 /* The number of bytes checked must be independent of padding_len */
856 pad_idx = input_len - padding_len;
857 for( i = 0; i < input_len - 1; i++ )
858 bad |= input[i] * ( i >= pad_idx );
859
860 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
861}
862#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
863
864#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
865/*
866 * Zero padding: fill with 00 ... 00
867 */
868static void add_zeros_padding( unsigned char *output,
869 size_t output_len, size_t data_len )
870{
871 size_t i;
872
873 for( i = data_len; i < output_len; i++ )
874 output[i] = 0x00;
875}
876
877static int get_zeros_padding( unsigned char *input, size_t input_len,
878 size_t *data_len )
879{
880 size_t i;
881 unsigned char done = 0, prev_done;
882
883 if( NULL == input || NULL == data_len )
884 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
885
886 *data_len = 0;
887 for( i = input_len; i > 0; i-- )
888 {
889 prev_done = done;
890 done |= ( input[i-1] != 0 );
891 *data_len |= i * ( done != prev_done );
892 }
893
894 return( 0 );
895}
896#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
897
898/*
899 * No padding: don't pad :)
900 *
901 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
902 * but a trivial get_padding function
903 */
904static int get_no_padding( unsigned char *input, size_t input_len,
905 size_t *data_len )
906{
907 if( NULL == input || NULL == data_len )
908 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
909
910 *data_len = input_len;
911
912 return( 0 );
913}
914#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
915
916int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
917 unsigned char *output, size_t *olen )
918{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]919 CIPHER_VALIDATE_RET( ctx != NULL );
920 CIPHER_VALIDATE_RET( output != NULL );
921 CIPHER_VALIDATE_RET( olen != NULL );
922 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]923 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
924
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]925#if defined(MBEDTLS_USE_PSA_CRYPTO)
926 if( ctx->psa_enabled == 1 )
927 {
928 /* While PSA Crypto has an API for multipart
929 * operations, we currently don't make it
930 * accessible through the cipher layer. */
931 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
932 }
933#endif /* MBEDTLS_USE_PSA_CRYPTO */
934
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]935 *olen = 0;
936
937 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]938 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]939 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
940 MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]941 MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]942 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
943 {
944 return( 0 );
945 }
946
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]947 if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
948 ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
949 {
950 return( 0 );
951 }
952
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]953 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
954 {
955 if( ctx->unprocessed_len != 0 )
956 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
957
958 return( 0 );
959 }
960
961#if defined(MBEDTLS_CIPHER_MODE_CBC)
962 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
963 {
964 int ret = 0;
965
966 if( MBEDTLS_ENCRYPT == ctx->operation )
967 {
968 /* check for 'no padding' mode */
969 if( NULL == ctx->add_padding )
970 {
971 if( 0 != ctx->unprocessed_len )
972 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
973
974 return( 0 );
975 }
976
977 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
978 ctx->unprocessed_len );
979 }
980 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
981 {
982 /*
983 * For decrypt operations, expect a full block,
984 * or an empty block if no padding
985 */
986 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
987 return( 0 );
988
989 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
990 }
991
992 /* cipher block */
993 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
994 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
995 ctx->unprocessed_data, output ) ) )
996 {
997 return( ret );
998 }
999
1000 /* Set output size for decryption */
1001 if( MBEDTLS_DECRYPT == ctx->operation )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1002 return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
1003 olen ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1004
1005 /* Set output size for encryption */
1006 *olen = mbedtls_cipher_get_block_size( ctx );
1007 return( 0 );
1008 }
1009#else
1010 ((void) output);
1011#endif /* MBEDTLS_CIPHER_MODE_CBC */
1012
1013 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1014}
1015
1016#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1017int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
1018 mbedtls_cipher_padding_t mode )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1019{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1020 CIPHER_VALIDATE_RET( ctx != NULL );
1021
1022 if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1023 {
1024 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1025 }
1026
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1027#if defined(MBEDTLS_USE_PSA_CRYPTO)
1028 if( ctx->psa_enabled == 1 )
1029 {
1030 /* While PSA Crypto knows about CBC padding
1031 * schemes, we currently don't make them
1032 * accessible through the cipher layer. */
1033 if( mode != MBEDTLS_PADDING_NONE )
1034 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1035
1036 return( 0 );
1037 }
1038#endif /* MBEDTLS_USE_PSA_CRYPTO */
1039
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1040 switch( mode )
1041 {
1042#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1043 case MBEDTLS_PADDING_PKCS7:
1044 ctx->add_padding = add_pkcs_padding;
1045 ctx->get_padding = get_pkcs_padding;
1046 break;
1047#endif
1048#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1049 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1050 ctx->add_padding = add_one_and_zeros_padding;
1051 ctx->get_padding = get_one_and_zeros_padding;
1052 break;
1053#endif
1054#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1055 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1056 ctx->add_padding = add_zeros_and_len_padding;
1057 ctx->get_padding = get_zeros_and_len_padding;
1058 break;
1059#endif
1060#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1061 case MBEDTLS_PADDING_ZEROS:
1062 ctx->add_padding = add_zeros_padding;
1063 ctx->get_padding = get_zeros_padding;
1064 break;
1065#endif
1066 case MBEDTLS_PADDING_NONE:
1067 ctx->add_padding = NULL;
1068 ctx->get_padding = get_no_padding;
1069 break;
1070
1071 default:
1072 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1073 }
1074
1075 return( 0 );
1076}
1077#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1078
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1079#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1080int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
1081 unsigned char *tag, size_t tag_len )
1082{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1083 CIPHER_VALIDATE_RET( ctx != NULL );
1084 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1085 if( ctx->cipher_info == NULL )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1086 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1087
1088 if( MBEDTLS_ENCRYPT != ctx->operation )
1089 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1090
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1091#if defined(MBEDTLS_USE_PSA_CRYPTO)
1092 if( ctx->psa_enabled == 1 )
1093 {
1094 /* While PSA Crypto has an API for multipart
1095 * operations, we currently don't make it
1096 * accessible through the cipher layer. */
1097 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1098 }
1099#endif /* MBEDTLS_USE_PSA_CRYPTO */
1100
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1101#if defined(MBEDTLS_GCM_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1102 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1103 return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
1104 tag, tag_len ) );
1105#endif
1106
1107#if defined(MBEDTLS_CHACHAPOLY_C)
1108 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1109 {
1110 /* Don't allow truncated MAC for Poly1305 */
1111 if ( tag_len != 16U )
1112 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1113
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1114 return( mbedtls_chachapoly_finish(
1115 (mbedtls_chachapoly_context*) ctx->cipher_ctx, tag ) );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1116 }
1117#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1118
1119 return( 0 );
1120}
1121
1122int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
1123 const unsigned char *tag, size_t tag_len )
1124{
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1125 unsigned char check_tag[16];
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1126 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1127
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1128 CIPHER_VALIDATE_RET( ctx != NULL );
1129 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1130 if( ctx->cipher_info == NULL )
1131 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1132
1133 if( MBEDTLS_DECRYPT != ctx->operation )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1134 {
1135 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1136 }
1137
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1138#if defined(MBEDTLS_USE_PSA_CRYPTO)
1139 if( ctx->psa_enabled == 1 )
1140 {
1141 /* While PSA Crypto has an API for multipart
1142 * operations, we currently don't make it
1143 * accessible through the cipher layer. */
1144 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1145 }
1146#endif /* MBEDTLS_USE_PSA_CRYPTO */
1147
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1148#if defined(MBEDTLS_GCM_C)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1149 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1150 {
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1151 if( tag_len > sizeof( check_tag ) )
1152 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1153
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1154 if( 0 != ( ret = mbedtls_gcm_finish(
1155 (mbedtls_gcm_context *) ctx->cipher_ctx,
1156 check_tag, tag_len ) ) )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1157 {
1158 return( ret );
1159 }
1160
1161 /* Check the tag in "constant-time" */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1162 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1163 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1164
1165 return( 0 );
1166 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1167#endif /* MBEDTLS_GCM_C */
1168
1169#if defined(MBEDTLS_CHACHAPOLY_C)
1170 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1171 {
1172 /* Don't allow truncated MAC for Poly1305 */
1173 if ( tag_len != sizeof( check_tag ) )
1174 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1175
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1176 ret = mbedtls_chachapoly_finish(
1177 (mbedtls_chachapoly_context*) ctx->cipher_ctx, check_tag );
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1178 if ( ret != 0 )
1179 {
1180 return( ret );
1181 }
1182
1183 /* Check the tag in "constant-time" */
1184 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
1185 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1186
1187 return( 0 );
1188 }
1189#endif /* MBEDTLS_CHACHAPOLY_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1190
1191 return( 0 );
1192}
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1193#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1194
1195/*
1196 * Packet-oriented wrapper for non-AEAD modes
1197 */
1198int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
1199 const unsigned char *iv, size_t iv_len,
1200 const unsigned char *input, size_t ilen,
1201 unsigned char *output, size_t *olen )
1202{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1203 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1204 size_t finish_olen;
1205
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1206 CIPHER_VALIDATE_RET( ctx != NULL );
1207 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1208 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1209 CIPHER_VALIDATE_RET( output != NULL );
1210 CIPHER_VALIDATE_RET( olen != NULL );
1211
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1212#if defined(MBEDTLS_USE_PSA_CRYPTO)
1213 if( ctx->psa_enabled == 1 )
1214 {
1215 /* As in the non-PSA case, we don't check that
1216 * a key has been set. If not, the key slot will
1217 * still be in its default state of 0, which is
1218 * guaranteed to be invalid, hence the PSA-call
1219 * below will gracefully fail. */
1220 mbedtls_cipher_context_psa * const cipher_psa =
1221 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1222
1223 psa_status_t status;
1224 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1225 size_t part_len;
1226
1227 if( ctx->operation == MBEDTLS_DECRYPT )
1228 {
1229 status = psa_cipher_decrypt_setup( &cipher_op,
1230 cipher_psa->slot,
1231 cipher_psa->alg );
1232 }
1233 else if( ctx->operation == MBEDTLS_ENCRYPT )
1234 {
1235 status = psa_cipher_encrypt_setup( &cipher_op,
1236 cipher_psa->slot,
1237 cipher_psa->alg );
1238 }
1239 else
1240 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1241
1242 /* In the following, we can immediately return on an error,
1243 * because the PSA Crypto API guarantees that cipher operations
1244 * are terminated by unsuccessful calls to psa_cipher_update(),
1245 * and by any call to psa_cipher_finish(). */
1246 if( status != PSA_SUCCESS )
1247 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1248
1249 status = psa_cipher_set_iv( &cipher_op, iv, iv_len );
1250 if( status != PSA_SUCCESS )
1251 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1252
1253 status = psa_cipher_update( &cipher_op,
1254 input, ilen,
1255 output, ilen, olen );
1256 if( status != PSA_SUCCESS )
1257 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1258
1259 status = psa_cipher_finish( &cipher_op,
1260 output + *olen, ilen - *olen,
1261 &part_len );
1262 if( status != PSA_SUCCESS )
1263 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1264
1265 *olen += part_len;
1266 return( 0 );
1267 }
1268#endif /* MBEDTLS_USE_PSA_CRYPTO */
1269
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1270 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
1271 return( ret );
1272
1273 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
1274 return( ret );
1275
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1276 if( ( ret = mbedtls_cipher_update( ctx, input, ilen,
1277 output, olen ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1278 return( ret );
1279
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1280 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen,
1281 &finish_olen ) ) != 0 )
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1282 return( ret );
1283
1284 *olen += finish_olen;
1285
1286 return( 0 );
1287}
1288
1289#if defined(MBEDTLS_CIPHER_MODE_AEAD)
1290/*
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1291 * Packet-oriented encryption for AEAD modes: internal function shared by
1292 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1293 */
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1294static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1295 const unsigned char *iv, size_t iv_len,
1296 const unsigned char *ad, size_t ad_len,
1297 const unsigned char *input, size_t ilen,
1298 unsigned char *output, size_t *olen,
1299 unsigned char *tag, size_t tag_len )
1300{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1301#if defined(MBEDTLS_USE_PSA_CRYPTO)
1302 if( ctx->psa_enabled == 1 )
1303 {
1304 /* As in the non-PSA case, we don't check that
1305 * a key has been set. If not, the key slot will
1306 * still be in its default state of 0, which is
1307 * guaranteed to be invalid, hence the PSA-call
1308 * below will gracefully fail. */
1309 mbedtls_cipher_context_psa * const cipher_psa =
1310 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1311
1312 psa_status_t status;
1313
1314 /* PSA Crypto API always writes the authentication tag
1315 * at the end of the encrypted message. */
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1316 if( output == NULL || tag != output + ilen )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1317 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1318
1319 status = psa_aead_encrypt( cipher_psa->slot,
1320 cipher_psa->alg,
1321 iv, iv_len,
1322 ad, ad_len,
1323 input, ilen,
1324 output, ilen + tag_len, olen );
1325 if( status != PSA_SUCCESS )
1326 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1327
1328 *olen -= tag_len;
1329 return( 0 );
1330 }
1331#endif /* MBEDTLS_USE_PSA_CRYPTO */
1332
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1333#if defined(MBEDTLS_GCM_C)
1334 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1335 {
1336 *olen = ilen;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1337 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1338 ilen, iv, iv_len, ad, ad_len,
1339 input, output, tag_len, tag ) );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1340 }
1341#endif /* MBEDTLS_GCM_C */
1342#if defined(MBEDTLS_CCM_C)
1343 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1344 {
1345 *olen = ilen;
1346 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
1347 iv, iv_len, ad, ad_len, input, output,
1348 tag, tag_len ) );
1349 }
1350#endif /* MBEDTLS_CCM_C */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1351#if defined(MBEDTLS_CHACHAPOLY_C)
1352 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1353 {
1354 /* ChachaPoly has fixed length nonce and MAC (tag) */
1355 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1356 ( tag_len != 16U ) )
1357 {
1358 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1359 }
1360
1361 *olen = ilen;
1362 return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
1363 ilen, iv, ad, ad_len, input, output, tag ) );
1364 }
1365#endif /* MBEDTLS_CHACHAPOLY_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1366
1367 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1368}
1369
1370/*
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1371 * Packet-oriented encryption for AEAD modes: internal function shared by
1372 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1373 */
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1374static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1375 const unsigned char *iv, size_t iv_len,
1376 const unsigned char *ad, size_t ad_len,
1377 const unsigned char *input, size_t ilen,
1378 unsigned char *output, size_t *olen,
1379 const unsigned char *tag, size_t tag_len )
1380{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1381#if defined(MBEDTLS_USE_PSA_CRYPTO)
1382 if( ctx->psa_enabled == 1 )
1383 {
1384 /* As in the non-PSA case, we don't check that
1385 * a key has been set. If not, the key slot will
1386 * still be in its default state of 0, which is
1387 * guaranteed to be invalid, hence the PSA-call
1388 * below will gracefully fail. */
1389 mbedtls_cipher_context_psa * const cipher_psa =
1390 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1391
1392 psa_status_t status;
1393
1394 /* PSA Crypto API always writes the authentication tag
1395 * at the end of the encrypted message. */
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1396 if( input == NULL || tag != input + ilen )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1397 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1398
1399 status = psa_aead_decrypt( cipher_psa->slot,
1400 cipher_psa->alg,
1401 iv, iv_len,
1402 ad, ad_len,
1403 input, ilen + tag_len,
1404 output, ilen, olen );
1405 if( status == PSA_ERROR_INVALID_SIGNATURE )
1406 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1407 else if( status != PSA_SUCCESS )
1408 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1409
1410 return( 0 );
1411 }
1412#endif /* MBEDTLS_USE_PSA_CRYPTO */
1413
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1414#if defined(MBEDTLS_GCM_C)
1415 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1416 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1417 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1418
1419 *olen = ilen;
1420 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
1421 iv, iv_len, ad, ad_len,
1422 tag, tag_len, input, output );
1423
1424 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
1425 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1426
1427 return( ret );
1428 }
1429#endif /* MBEDTLS_GCM_C */
1430#if defined(MBEDTLS_CCM_C)
1431 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1432 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1433 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1434
1435 *olen = ilen;
1436 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
1437 iv, iv_len, ad, ad_len,
1438 input, output, tag, tag_len );
1439
1440 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
1441 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1442
1443 return( ret );
1444 }
1445#endif /* MBEDTLS_CCM_C */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1446#if defined(MBEDTLS_CHACHAPOLY_C)
1447 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1448 {
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1449 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1450
1451 /* ChachaPoly has fixed length nonce and MAC (tag) */
1452 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1453 ( tag_len != 16U ) )
1454 {
1455 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1456 }
1457
1458 *olen = ilen;
1459 ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
1460 iv, ad, ad_len, tag, input, output );
1461
1462 if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
1463 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1464
1465 return( ret );
1466 }
1467#endif /* MBEDTLS_CHACHAPOLY_C */
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1468
1469 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1470}
1471
1472#if !defined(MBEDTLS_DEPRECATED_REMOVED)
1473/*
1474 * Packet-oriented encryption for AEAD modes: public legacy function.
1475 */
1476int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
1477 const unsigned char *iv, size_t iv_len,
1478 const unsigned char *ad, size_t ad_len,
1479 const unsigned char *input, size_t ilen,
1480 unsigned char *output, size_t *olen,
1481 unsigned char *tag, size_t tag_len )
1482{
1483 CIPHER_VALIDATE_RET( ctx != NULL );
1484 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1485 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1486 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1487 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
1488 CIPHER_VALIDATE_RET( olen != NULL );
1489 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1490
1491 return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
1492 input, ilen, output, olen,
1493 tag, tag_len ) );
1494}
1495
1496/*
1497 * Packet-oriented decryption for AEAD modes: public legacy function.
1498 */
1499int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
1500 const unsigned char *iv, size_t iv_len,
1501 const unsigned char *ad, size_t ad_len,
1502 const unsigned char *input, size_t ilen,
1503 unsigned char *output, size_t *olen,
1504 const unsigned char *tag, size_t tag_len )
1505{
1506 CIPHER_VALIDATE_RET( ctx != NULL );
1507 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1508 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1509 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1510 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
1511 CIPHER_VALIDATE_RET( olen != NULL );
1512 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1513
1514 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
1515 input, ilen, output, olen,
1516 tag, tag_len ) );
1517}
1518#endif /* !MBEDTLS_DEPRECATED_REMOVED */
1519#endif /* MBEDTLS_CIPHER_MODE_AEAD */
1520
1521#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1522/*
1523 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1524 */
1525int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
1526 const unsigned char *iv, size_t iv_len,
1527 const unsigned char *ad, size_t ad_len,
1528 const unsigned char *input, size_t ilen,
1529 unsigned char *output, size_t output_len,
1530 size_t *olen, size_t tag_len )
1531{
1532 CIPHER_VALIDATE_RET( ctx != NULL );
1533 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1534 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1535 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1536 CIPHER_VALIDATE_RET( output != NULL );
1537 CIPHER_VALIDATE_RET( olen != NULL );
1538
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1539#if defined(MBEDTLS_NIST_KW_C)
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1540 if(
1541#if defined(MBEDTLS_USE_PSA_CRYPTO)
1542 ctx->psa_enabled == 0 &&
1543#endif
1544 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1545 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1546 {
1547 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1548 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1549
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1550 /* There is no iv, tag or ad associated with KW and KWP,
1551 * so these length should be 0 as documented. */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1552 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1553 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1554
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1555 (void) iv;
1556 (void) ad;
1557
1558 return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen,
1559 output, olen, output_len ) );
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1560 }
1561#endif /* MBEDTLS_NIST_KW_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1562
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1563#if defined(MBEDTLS_CIPHER_MODE_AEAD)
1564 /* AEAD case: check length before passing on to shared function */
1565 if( output_len < ilen + tag_len )
1566 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1567
1568 int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
1569 input, ilen, output, olen,
1570 output + ilen, tag_len );
1571 *olen += tag_len;
1572 return( ret );
1573#else
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1574 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1575#endif /* MBEDTLS_CIPHER_MODE_AEAD */
Jerome Forissier3602df82021-07-28 10:24:04 +0200[diff] [blame]1576}
1577
1578/*
1579 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1580 */
1581int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
1582 const unsigned char *iv, size_t iv_len,
1583 const unsigned char *ad, size_t ad_len,
1584 const unsigned char *input, size_t ilen,
1585 unsigned char *output, size_t output_len,
1586 size_t *olen, size_t tag_len )
1587{
1588 CIPHER_VALIDATE_RET( ctx != NULL );
1589 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1590 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1591 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1592 CIPHER_VALIDATE_RET( output_len == 0 || output != NULL );
1593 CIPHER_VALIDATE_RET( olen != NULL );
1594
1595#if defined(MBEDTLS_NIST_KW_C)
1596 if(
1597#if defined(MBEDTLS_USE_PSA_CRYPTO)
1598 ctx->psa_enabled == 0 &&
1599#endif
1600 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1601 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
1602 {
1603 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1604 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1605
1606 /* There is no iv, tag or ad associated with KW and KWP,
1607 * so these length should be 0 as documented. */
1608 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1609 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1610
1611 (void) iv;
1612 (void) ad;
1613
1614 return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen,
1615 output, olen, output_len ) );
1616 }
1617#endif /* MBEDTLS_NIST_KW_C */
1618
1619#if defined(MBEDTLS_CIPHER_MODE_AEAD)
1620 /* AEAD case: check length before passing on to shared function */
1621 if( ilen < tag_len || output_len < ilen - tag_len )
1622 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1623
1624 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
1625 input, ilen - tag_len, output, olen,
1626 input + ilen - tag_len, tag_len ) );
1627#else
1628 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1629#endif /* MBEDTLS_CIPHER_MODE_AEAD */
1630}
1631#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1632
1633#endif /* MBEDTLS_CIPHER_C */