Stop supporting NIST_KW in cipher_auth_xxcrypt()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index 49b8b5e..24524c5 100644
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -858,10 +858,14 @@
#if defined(MBEDTLS_CIPHER_MODE_AEAD)
/**
- * \brief The generic autenticated encryption (AEAD) function.
+ * \brief The generic authenticated encryption (AEAD) function.
+ *
+ * \note This function only supports AEAD algorithms, not key
+ * wrapping algorithms such as NIST_KW; for this, see
+ * mbedtls_cipher_auth_encrypt_ext().
*
* \param ctx The generic cipher context. This must be initialized and
- * bound to a key.
+ * bound to a key associated with an AEAD algorithm.
* \param iv The nonce to use. This must be a readable buffer of
* at least \p iv_len Bytes and must not be \c NULL.
* \param iv_len The length of the nonce. This must satisfy the
@@ -885,7 +889,7 @@
* below regarding restrictions with PSA-based contexts.
* \param tag_len The desired length of the authentication tag. This
* must match the constraints imposed by the AEAD cipher
- * used, and in particuler must not be \c 0.
+ * used, and in particular must not be \c 0.
*
* \note If the context is based on PSA (that is, it was set up
* with mbedtls_cipher_setup_psa()), then it is required
@@ -905,14 +909,18 @@
unsigned char *tag, size_t tag_len );
/**
- * \brief The generic autenticated decryption (AEAD) function.
+ * \brief The generic authenticated decryption (AEAD) function.
+ *
+ * \note This function only supports AEAD algorithms, not key
+ * wrapping algorithms such as NIST_KW; for this, see
+ * mbedtls_cipher_auth_encrypt_ext().
*
* \note If the data is not authentic, then the output buffer
* is zeroed out to prevent the unauthentic plaintext being
* used, making this interface safer.
*
* \param ctx The generic cipher context. This must be initialized and
- * and bound to a key.
+ * bound to a key associated with an AEAD algorithm.
* \param iv The nonce to use. This must be a readable buffer of
* at least \p iv_len Bytes and must not be \c NULL.
* \param iv_len The length of the nonce. This must satisfy the
@@ -959,14 +967,14 @@
#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
/**
- * \brief The autenticated encryption (AEAD/NIST_KW) function.
+ * \brief The authenticated encryption (AEAD/NIST_KW) function.
*
* \note For AEAD modes, the tag will be appended to the
* ciphertext, as recommended by RFC 5116.
* (NIST_KW doesn't have a separate tag.)
*
* \param ctx The generic cipher context. This must be initialized and
- * bound to a key.
+ * bound to a key, with an AEAD algorithm or NIST_KW.
* \param iv The nonce to use. This must be a readable buffer of
* at least \p iv_len Bytes and may be \c NULL if \p
* iv_len is \c 0.
@@ -994,7 +1002,7 @@
* writable object of type \c size_t.
* \param tag_len The desired length of the authentication tag. For AEAD
* ciphers, this must match the constraints imposed by
- * the cipher used, and in particuler must not be \c 0.
+ * the cipher used, and in particular must not be \c 0.
* For NIST_KW, this must be \c 0.
*
* \return \c 0 on success.
@@ -1010,7 +1018,7 @@
size_t *olen, size_t tag_len );
/**
- * \brief The autenticated encryption (AEAD/NIST_KW) function.
+ * \brief The authenticated encryption (AEAD/NIST_KW) function.
*
* \note If the data is not authentic, then the output buffer
* is zeroed out to prevent the unauthentic plaintext being
@@ -1021,7 +1029,7 @@
* (NIST_KW doesn't have a separate tag.)
*
* \param ctx The generic cipher context. This must be initialized and
- * and bound to a key.
+ * bound to a key, with an AEAD algorithm or NIST_KW.
* \param iv The nonce to use. This must be a readable buffer of
* at least \p iv_len Bytes and may be \c NULL if \p
* iv_len is \c 0.
@@ -1049,7 +1057,7 @@
* writable object of type \c size_t.
* \param tag_len The actual length of the authentication tag. For AEAD
* ciphers, this must match the constraints imposed by
- * the cipher used, and in particuler must not be \c 0.
+ * the cipher used, and in particular must not be \c 0.
* For NIST_KW, this must be \c 0.
*
* \return \c 0 on success.
diff --git a/library/cipher.c b/library/cipher.c
index 20e1e7b..47dafa4 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -1491,16 +1491,10 @@
if( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
MBEDTLS_MODE_KWP == ctx->cipher_info->mode )
{
- mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
- MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
-
- /* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */
- if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
- {
- return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
- }
-
- return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) );
+ /* NIST_KW is not supported because we used to document the wrong size
+ * of the output buffer, so people should move to the _ext API,
+ * which has an explicit argument for buffer size. */
+ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
#endif /* MBEDTLS_NIST_KW_C */
@@ -1531,16 +1525,10 @@
if( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
MBEDTLS_MODE_KWP == ctx->cipher_info->mode )
{
- mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
- MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
-
- /* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */
- if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
- {
- return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
- }
-
- return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) );
+ /* NIST_KW is not supported because we used to document the wrong size
+ * of the output buffer, so people should move to the _ext API,
+ * which has an explicit argument for buffer size. */
+ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
#endif /* MBEDTLS_NIST_KW_C */
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index 7ea1a14..543ccf6 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -1222,22 +1222,31 @@
tmp_cipher, cipher->len, output, &outlen,
tmp_tag, tag->len );
- /* make sure the message is rejected if it should be */
- if( strcmp( result, "FAIL" ) == 0 )
+ if( using_nist_kw )
{
+ /* NIST_KW with legacy API */
+ TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+ }
+ else if( strcmp( result, "FAIL" ) == 0 )
+ {
+ /* unauthentic message */
TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED );
}
else
{
- /* otherwise, make sure it was decrypted properly */
+ /* authentic message: is the plaintext correct? */
TEST_ASSERT( ret == 0 );
TEST_ASSERT( outlen == clear->len );
TEST_ASSERT( memcmp( output, clear->x, clear->len ) == 0 );
+ }
- /*
- * Prepare context for encryption
- */
+ /*
+ * Encrypt back if test data was authentic
+ */
+ if( strcmp( result, "FAIL" ) != 0 )
+ {
+ /* prepare context for encryption */
cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key,
MBEDTLS_ENCRYPT );
@@ -1254,11 +1263,19 @@
ret = mbedtls_cipher_auth_encrypt( &ctx, iv->x, iv->len, ad->x, ad->len,
clear->x, clear->len, output, &outlen,
output_tag, tag->len );
- TEST_ASSERT( ret == 0 );
- TEST_ASSERT( outlen == cipher->len );
- TEST_ASSERT( memcmp( output, cipher->x, cipher->len ) == 0 );
- TEST_ASSERT( memcmp( output_tag, tag->x, tag->len ) == 0 );
+ if( using_nist_kw )
+ {
+ TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+ }
+ else
+ {
+ TEST_ASSERT( ret == 0 );
+
+ TEST_ASSERT( outlen == cipher->len );
+ TEST_ASSERT( memcmp( output, cipher->x, cipher->len ) == 0 );
+ TEST_ASSERT( memcmp( output_tag, tag->x, tag->len ) == 0 );
+ }
}
exit: