commit 20120b373e27f423ade5cb185c4815d1e5685852
author Hanno Becker <hanno.becker@arm.com> Mon Nov 12 16:26:27 2018 +0000
committer Hanno Becker <hanno.becker@arm.com> Thu Nov 22 16:33:01 2018 +0000
tree 9431180c35eb0cdd8adc0554cea510536c6baca5
parent a395d8f1e998e7b472973f1cf9df3279fc3f622b

Add AEAD tag length to new mbedtls_cipher_setup_psa()

For AEAD ciphers, the information contained in mbedtls_cipher_info
is not enough to deduce a PSA algorithm value of type psa_algorithm_t.
This is because mbedtls_cipher_info doesn't contain the AEAD tag
length, while values of type psa_algorithm_t do.

This commit adds the AEAD tag length as a separate parameter
to mbedtls_cipher_setup_psa(). For Non-AEAD ciphers, the value
must be 0.

This approach is preferred over passing psa_algorithm_t directly
in order to keep the changes in existing code using the cipher layer
small.

include/mbedtls/cipher.h

diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index c2745e8..eff12f6 100644
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -434,6 +434,12 @@
  *
  * \param ctx           The context to initialize. May not be \c NULL.
  * \param cipher_info   The cipher to use.
+ * \param taglen        For AEAD ciphers, the length in bytes of the
+ *                      authentication tag to use. Subsequent uses of
+ *                      mbedtls_cipher_auth_encrypt() or
+ *                      mbedtls_cipher_auth_decrypt() must provide
+ *                      the same tag length.
+ *                      For non-AEAD ciphers, the value must be \c 0.
  *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -442,7 +448,8 @@
  *                      cipher-specific context fails.
  */
 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
-                              const mbedtls_cipher_info_t *cipher_info );
+                              const mbedtls_cipher_info_t *cipher_info,
+                              size_t taglen );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 /**

library/cipher.c

diff --git a/library/cipher.c b/library/cipher.c
index 243c739..0b7c887 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -234,7 +234,8 @@
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
-                              const mbedtls_cipher_info_t *cipher_info )
+                              const mbedtls_cipher_info_t *cipher_info,
+                              size_t taglen )
 {
     psa_algorithm_t alg;
     mbedtls_cipher_context_psa *cipher_psa;
@@ -242,7 +243,7 @@
     if( NULL == cipher_info || NULL == ctx )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
-    alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode );
+    alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen );
     if( alg == 0)
         return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );