blob: fcc2f8415f5f12974d5840c0508ee1b44783a8ab [file] [log] [blame]
Ronald Cron7ceee8d2021-03-17 16:55:43 +01001/*
2 * PSA AEAD entry points
3 */
4/*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21#include "common.h"
22
23#if defined(MBEDTLS_PSA_CRYPTO_C)
24
25#include "psa_crypto_aead.h"
Ronald Cron46f91782021-03-17 08:16:34 +010026#include "psa_crypto_core.h"
27
Paul Elliottadb8b162021-04-20 16:06:57 +010028#include <string.h>
29#include "mbedtls/platform.h"
30#if !defined(MBEDTLS_PLATFORM_C)
31#define mbedtls_calloc calloc
32#define mbedtls_free free
33#endif
34
Ronald Cron46f91782021-03-17 08:16:34 +010035#include "mbedtls/ccm.h"
36#include "mbedtls/chachapoly.h"
37#include "mbedtls/cipher.h"
38#include "mbedtls/gcm.h"
Paul Elliottadb8b162021-04-20 16:06:57 +010039#include "mbedtls/error.h"
Ronald Cron46f91782021-03-17 08:16:34 +010040
Ronald Cron46f91782021-03-17 08:16:34 +010041static psa_status_t psa_aead_setup(
Paul Elliottcbbde5f2021-05-10 18:19:46 +010042 mbedtls_psa_aead_operation_t *operation,
Ronald Cron46f91782021-03-17 08:16:34 +010043 const psa_key_attributes_t *attributes,
44 const uint8_t *key_buffer,
Paul Elliottcc358592021-05-12 12:22:28 +010045 size_t key_buffer_size,
Ronald Cron46f91782021-03-17 08:16:34 +010046 psa_algorithm_t alg )
47{
48 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
49 size_t key_bits;
Ronald Cronecbc0682021-03-26 13:25:17 +010050 const mbedtls_cipher_info_t *cipher_info;
Ronald Cron46f91782021-03-17 08:16:34 +010051 mbedtls_cipher_id_t cipher_id;
52
Paul Elliottcc358592021-05-12 12:22:28 +010053 ( void ) key_buffer_size;
54
Ronald Cron46f91782021-03-17 08:16:34 +010055 key_bits = attributes->core.bits;
56
Ronald Cronecbc0682021-03-26 13:25:17 +010057 cipher_info = mbedtls_cipher_info_from_psa( alg,
58 attributes->core.type, key_bits,
59 &cipher_id );
60 if( cipher_info == NULL )
Ronald Cron46f91782021-03-17 08:16:34 +010061 return( PSA_ERROR_NOT_SUPPORTED );
62
63 switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) )
64 {
65#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
66 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +010067 operation->alg = PSA_ALG_CCM;
Ronald Cron46f91782021-03-17 08:16:34 +010068 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
69 * The call to mbedtls_ccm_encrypt_and_tag or
70 * mbedtls_ccm_auth_decrypt will validate the tag length. */
71 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
72 return( PSA_ERROR_INVALID_ARGUMENT );
73
74 mbedtls_ccm_init( &operation->ctx.ccm );
75 status = mbedtls_to_psa_error(
76 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
77 key_buffer, (unsigned int) key_bits ) );
78 if( status != PSA_SUCCESS )
79 return( status );
80 break;
81#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
82
83#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
84 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +010085 operation->alg = PSA_ALG_GCM;
Ronald Cron46f91782021-03-17 08:16:34 +010086 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
87 * The call to mbedtls_gcm_crypt_and_tag or
88 * mbedtls_gcm_auth_decrypt will validate the tag length. */
89 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
90 return( PSA_ERROR_INVALID_ARGUMENT );
91
92 mbedtls_gcm_init( &operation->ctx.gcm );
93 status = mbedtls_to_psa_error(
94 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
95 key_buffer, (unsigned int) key_bits ) );
96 if( status != PSA_SUCCESS )
97 return( status );
98 break;
99#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
100
101#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
102 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100103 operation->alg = PSA_ALG_CHACHA20_POLY1305;
Ronald Cron46f91782021-03-17 08:16:34 +0100104 /* We only support the default tag length. */
105 if( alg != PSA_ALG_CHACHA20_POLY1305 )
106 return( PSA_ERROR_NOT_SUPPORTED );
107
108 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
109 status = mbedtls_to_psa_error(
110 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
111 key_buffer ) );
112 if( status != PSA_SUCCESS )
113 return( status );
114 break;
115#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
116
117 default:
Ronald Cron7a55deb2021-04-28 14:29:00 +0200118 (void) status;
119 (void) key_buffer;
Ronald Cron46f91782021-03-17 08:16:34 +0100120 return( PSA_ERROR_NOT_SUPPORTED );
121 }
122
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100123 operation->key_type = psa_get_key_type( attributes );
124
Przemek Stekiel88ade842022-10-08 17:56:18 +0200125 operation->tag_length = PSA_ALG_AEAD_GET_TAG_LENGTH( alg );
Ronald Cron46f91782021-03-17 08:16:34 +0100126
127 return( PSA_SUCCESS );
128}
129
130psa_status_t mbedtls_psa_aead_encrypt(
131 const psa_key_attributes_t *attributes,
132 const uint8_t *key_buffer, size_t key_buffer_size,
133 psa_algorithm_t alg,
134 const uint8_t *nonce, size_t nonce_length,
135 const uint8_t *additional_data, size_t additional_data_length,
136 const uint8_t *plaintext, size_t plaintext_length,
137 uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length )
138{
139 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100140 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100141 uint8_t *tag;
Ronald Cron46f91782021-03-17 08:16:34 +0100142
Paul Elliottcc358592021-05-12 12:22:28 +0100143 status = psa_aead_setup( &operation, attributes, key_buffer,
144 key_buffer_size, alg );
145
Ronald Cron46f91782021-03-17 08:16:34 +0100146 if( status != PSA_SUCCESS )
147 goto exit;
148
149 /* For all currently supported modes, the tag is at the end of the
150 * ciphertext. */
151 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
152 {
153 status = PSA_ERROR_BUFFER_TOO_SMALL;
154 goto exit;
155 }
156 tag = ciphertext + plaintext_length;
157
Ronald Cron46f91782021-03-17 08:16:34 +0100158#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100159 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100160 {
161 status = mbedtls_to_psa_error(
162 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
163 plaintext_length,
164 nonce, nonce_length,
165 additional_data,
166 additional_data_length,
167 plaintext, ciphertext,
168 tag, operation.tag_length ) );
169 }
170 else
171#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200172#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100173 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200174 {
175 status = mbedtls_to_psa_error(
176 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
177 MBEDTLS_GCM_ENCRYPT,
178 plaintext_length,
179 nonce, nonce_length,
180 additional_data, additional_data_length,
181 plaintext, ciphertext,
182 operation.tag_length, tag ) );
183 }
184 else
185#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100186#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100187 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100188 {
Paul Elliott96b01732021-07-16 17:00:26 +0100189 if( operation.tag_length != 16 )
Ronald Cron46f91782021-03-17 08:16:34 +0100190 {
191 status = PSA_ERROR_NOT_SUPPORTED;
192 goto exit;
193 }
194 status = mbedtls_to_psa_error(
195 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
196 plaintext_length,
197 nonce,
198 additional_data,
199 additional_data_length,
200 plaintext,
201 ciphertext,
202 tag ) );
203 }
204 else
205#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
206 {
207 (void) tag;
Ronald Cron7a55deb2021-04-28 14:29:00 +0200208 (void) nonce;
209 (void) nonce_length;
210 (void) additional_data;
211 (void) additional_data_length;
212 (void) plaintext;
Ronald Cron46f91782021-03-17 08:16:34 +0100213 return( PSA_ERROR_NOT_SUPPORTED );
214 }
215
216 if( status == PSA_SUCCESS )
217 *ciphertext_length = plaintext_length + operation.tag_length;
218
219exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100220 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100221
222 return( status );
223}
224
225/* Locate the tag in a ciphertext buffer containing the encrypted data
226 * followed by the tag. Return the length of the part preceding the tag in
227 * *plaintext_length. This is the size of the plaintext in modes where
228 * the encrypted data has the same size as the plaintext, such as
229 * CCM and GCM. */
230static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
231 const uint8_t *ciphertext,
232 size_t ciphertext_length,
233 size_t plaintext_size,
234 const uint8_t **p_tag )
235{
236 size_t payload_length;
237 if( tag_length > ciphertext_length )
238 return( PSA_ERROR_INVALID_ARGUMENT );
239 payload_length = ciphertext_length - tag_length;
240 if( payload_length > plaintext_size )
241 return( PSA_ERROR_BUFFER_TOO_SMALL );
242 *p_tag = ciphertext + payload_length;
243 return( PSA_SUCCESS );
244}
245
246psa_status_t mbedtls_psa_aead_decrypt(
247 const psa_key_attributes_t *attributes,
248 const uint8_t *key_buffer, size_t key_buffer_size,
249 psa_algorithm_t alg,
250 const uint8_t *nonce, size_t nonce_length,
251 const uint8_t *additional_data, size_t additional_data_length,
252 const uint8_t *ciphertext, size_t ciphertext_length,
253 uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length )
254{
255 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100256 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100257 const uint8_t *tag = NULL;
Ronald Cron46f91782021-03-17 08:16:34 +0100258
Paul Elliottcc358592021-05-12 12:22:28 +0100259 status = psa_aead_setup( &operation, attributes, key_buffer,
260 key_buffer_size, alg );
261
Ronald Cron46f91782021-03-17 08:16:34 +0100262 if( status != PSA_SUCCESS )
263 goto exit;
264
265 status = psa_aead_unpadded_locate_tag( operation.tag_length,
266 ciphertext, ciphertext_length,
267 plaintext_size, &tag );
268 if( status != PSA_SUCCESS )
269 goto exit;
270
Ronald Cron46f91782021-03-17 08:16:34 +0100271#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100272 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100273 {
274 status = mbedtls_to_psa_error(
275 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
276 ciphertext_length - operation.tag_length,
277 nonce, nonce_length,
278 additional_data,
279 additional_data_length,
280 ciphertext, plaintext,
281 tag, operation.tag_length ) );
282 }
283 else
284#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200285#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100286 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200287 {
288 status = mbedtls_to_psa_error(
289 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
290 ciphertext_length - operation.tag_length,
291 nonce, nonce_length,
292 additional_data,
293 additional_data_length,
294 tag, operation.tag_length,
295 ciphertext, plaintext ) );
296 }
297 else
298#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100299#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100300 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100301 {
Paul Elliottcf2d66e2021-06-23 18:49:56 +0100302 if( operation.tag_length != 16 )
Ronald Cron46f91782021-03-17 08:16:34 +0100303 {
304 status = PSA_ERROR_NOT_SUPPORTED;
305 goto exit;
306 }
307 status = mbedtls_to_psa_error(
308 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
309 ciphertext_length - operation.tag_length,
310 nonce,
311 additional_data,
312 additional_data_length,
313 tag,
314 ciphertext,
315 plaintext ) );
316 }
317 else
318#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
319 {
Ronald Cron7a55deb2021-04-28 14:29:00 +0200320 (void) nonce;
321 (void) nonce_length;
322 (void) additional_data;
323 (void) additional_data_length;
324 (void) plaintext;
Ronald Cron46f91782021-03-17 08:16:34 +0100325 return( PSA_ERROR_NOT_SUPPORTED );
326 }
327
328 if( status == PSA_SUCCESS )
329 *plaintext_length = ciphertext_length - operation.tag_length;
330
331exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100332 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100333
334 if( status == PSA_SUCCESS )
335 *plaintext_length = ciphertext_length - operation.tag_length;
336 return( status );
337}
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100338
Paul Elliottadb8b162021-04-20 16:06:57 +0100339/* Set the key and algorithm for a multipart authenticated encryption
340 * operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100341psa_status_t mbedtls_psa_aead_encrypt_setup(
342 mbedtls_psa_aead_operation_t *operation,
343 const psa_key_attributes_t *attributes,
344 const uint8_t *key_buffer,
345 size_t key_buffer_size,
346 psa_algorithm_t alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100347{
Paul Elliott9e8ccd72021-05-13 14:30:53 +0100348 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100349
Paul Elliottcc358592021-05-12 12:22:28 +0100350 status = psa_aead_setup( operation, attributes, key_buffer,
351 key_buffer_size, alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100352
353 if( status == PSA_SUCCESS )
Paul Elliottadb8b162021-04-20 16:06:57 +0100354 operation->is_encrypt = 1;
Paul Elliottadb8b162021-04-20 16:06:57 +0100355
356 return ( status );
357}
358
359/* Set the key and algorithm for a multipart authenticated decryption
360 * operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100361psa_status_t mbedtls_psa_aead_decrypt_setup(
362 mbedtls_psa_aead_operation_t *operation,
363 const psa_key_attributes_t *attributes,
364 const uint8_t *key_buffer,
365 size_t key_buffer_size,
366 psa_algorithm_t alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100367{
Paul Elliott9e8ccd72021-05-13 14:30:53 +0100368 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100369
Paul Elliottcc358592021-05-12 12:22:28 +0100370 status = psa_aead_setup( operation, attributes, key_buffer,
371 key_buffer_size, alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100372
373 if( status == PSA_SUCCESS )
Paul Elliottadb8b162021-04-20 16:06:57 +0100374 operation->is_encrypt = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100375
376 return ( status );
377}
378
Paul Elliottadb8b162021-04-20 16:06:57 +0100379/* Set a nonce for the multipart AEAD operation*/
Paul Elliottbb8bf662021-05-19 17:29:42 +0100380psa_status_t mbedtls_psa_aead_set_nonce(
381 mbedtls_psa_aead_operation_t *operation,
382 const uint8_t *nonce,
383 size_t nonce_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100384{
Paul Elliott9e8ccd72021-05-13 14:30:53 +0100385 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100386
Paul Elliottbc949782021-06-03 15:29:00 +0100387#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliottadb8b162021-04-20 16:06:57 +0100388 if( operation->alg == PSA_ALG_GCM )
389 {
Paul Elliott83f09ef2021-05-21 19:28:26 +0100390 status = mbedtls_to_psa_error(
391 mbedtls_gcm_starts( &operation->ctx.gcm,
392 operation->is_encrypt ?
393 MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
394 nonce,
395 nonce_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100396 }
397 else
398#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliotte193ea82021-10-01 13:00:16 +0100399#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
400 if( operation->alg == PSA_ALG_CCM )
401 {
402 status = mbedtls_to_psa_error(
403 mbedtls_ccm_starts( &operation->ctx.ccm,
404 operation->is_encrypt ?
405 MBEDTLS_CCM_ENCRYPT : MBEDTLS_CCM_DECRYPT,
406 nonce,
407 nonce_length ) );
408 }
409 else
410#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100411#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
412 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
413 {
Paul Elliott946c9202021-09-28 14:32:55 +0100414 /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
415 * allocate a buffer in the operation, copy the nonce to it and pad
416 * it, so for now check the nonce is 12 bytes, as
417 * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
418 * passed in buffer. */
419 if( nonce_length != 12 )
420 {
421 return( PSA_ERROR_INVALID_ARGUMENT );
422 }
423
Paul Elliott2df40052021-05-07 17:52:18 +0100424 status = mbedtls_to_psa_error(
425 mbedtls_chachapoly_starts( &operation->ctx.chachapoly,
426 nonce,
427 operation->is_encrypt ?
428 MBEDTLS_CHACHAPOLY_ENCRYPT :
429 MBEDTLS_CHACHAPOLY_DECRYPT ) );
Paul Elliottefda3402021-08-25 17:16:52 +0100430 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100431 else
432#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
433 {
Ronald Cron17006702021-12-03 15:25:24 +0100434 ( void ) operation;
Paul Elliottadb8b162021-04-20 16:06:57 +0100435 ( void ) nonce;
Ronald Cron17006702021-12-03 15:25:24 +0100436 ( void ) nonce_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100437
438 return ( PSA_ERROR_NOT_SUPPORTED );
439 }
440
Paul Elliottadb8b162021-04-20 16:06:57 +0100441 return( status );
442}
Paul Elliottefda3402021-08-25 17:16:52 +0100443
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100444 /* Declare the lengths of the message and additional data for AEAD. */
445psa_status_t mbedtls_psa_aead_set_lengths(
446 mbedtls_psa_aead_operation_t *operation,
447 size_t ad_length,
448 size_t plaintext_length )
449{
Paul Elliotte193ea82021-10-01 13:00:16 +0100450#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
451 if( operation->alg == PSA_ALG_CCM )
452 {
453 return( mbedtls_to_psa_error(
454 mbedtls_ccm_set_lengths( &operation->ctx.ccm,
455 ad_length,
456 plaintext_length,
457 operation->tag_length ) ) );
458
459 }
460#else /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100461 ( void ) operation;
462 ( void ) ad_length;
463 ( void ) plaintext_length;
Paul Elliotte193ea82021-10-01 13:00:16 +0100464#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100465
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100466 return ( PSA_SUCCESS );
467}
468
Paul Elliottadb8b162021-04-20 16:06:57 +0100469/* Pass additional data to an active multipart AEAD operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100470psa_status_t mbedtls_psa_aead_update_ad(
471 mbedtls_psa_aead_operation_t *operation,
472 const uint8_t *input,
473 size_t input_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100474{
475 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
476
Paul Elliottadb8b162021-04-20 16:06:57 +0100477#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
478 if( operation->alg == PSA_ALG_GCM )
479 {
Paul Elliott2df40052021-05-07 17:52:18 +0100480 status = mbedtls_to_psa_error(
Paul Elliott83f09ef2021-05-21 19:28:26 +0100481 mbedtls_gcm_update_ad( &operation->ctx.gcm, input, input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100482 }
483 else
484#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliotte193ea82021-10-01 13:00:16 +0100485#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
486 if( operation->alg == PSA_ALG_CCM )
487 {
488 status = mbedtls_to_psa_error(
489 mbedtls_ccm_update_ad( &operation->ctx.ccm, input, input_length ) );
490 }
491 else
492#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100493#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
494 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
495 {
Paul Elliott2df40052021-05-07 17:52:18 +0100496 status = mbedtls_to_psa_error(
497 mbedtls_chachapoly_update_aad( &operation->ctx.chachapoly,
498 input,
499 input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100500 }
501 else
502#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
503 {
Paul Elliottbc949782021-06-03 15:29:00 +0100504 ( void ) operation;
505 ( void ) input;
506 ( void ) input_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100507
508 return ( PSA_ERROR_NOT_SUPPORTED );
509 }
510
Paul Elliottadb8b162021-04-20 16:06:57 +0100511 return ( status );
512}
513
514/* Encrypt or decrypt a message fragment in an active multipart AEAD
515 * operation.*/
Paul Elliottbb8bf662021-05-19 17:29:42 +0100516psa_status_t mbedtls_psa_aead_update(
517 mbedtls_psa_aead_operation_t *operation,
518 const uint8_t *input,
519 size_t input_length,
520 uint8_t *output,
521 size_t output_size,
522 size_t *output_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100523{
Paul Elliotte2c788d2021-05-13 17:16:01 +0100524 size_t update_output_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100525 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
526
Paul Elliotte2c788d2021-05-13 17:16:01 +0100527 update_output_length = input_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100528
Paul Elliottadb8b162021-04-20 16:06:57 +0100529#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
530 if( operation->alg == PSA_ALG_GCM )
531 {
Paul Elliott83f09ef2021-05-21 19:28:26 +0100532 status = mbedtls_to_psa_error(
533 mbedtls_gcm_update( &operation->ctx.gcm,
534 input, input_length,
535 output, output_size,
536 &update_output_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100537 }
538 else
539#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliotte193ea82021-10-01 13:00:16 +0100540#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
541 if( operation->alg == PSA_ALG_CCM )
542 {
543 if( output_size < input_length )
544 return( PSA_ERROR_BUFFER_TOO_SMALL );
545
546 status = mbedtls_to_psa_error(
547 mbedtls_ccm_update( &operation->ctx.ccm,
548 input, input_length,
549 output, output_size,
550 &update_output_length ) );
551 }
552 else
553#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100554#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
555 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
556 {
Paul Elliottecce9012021-07-23 15:44:11 +0100557 if( output_size < input_length )
558 return( PSA_ERROR_BUFFER_TOO_SMALL );
559
Paul Elliott2df40052021-05-07 17:52:18 +0100560 status = mbedtls_to_psa_error(
561 mbedtls_chachapoly_update( &operation->ctx.chachapoly,
562 input_length,
563 input,
564 output ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100565 }
566 else
567#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
568 {
Ronald Cron17006702021-12-03 15:25:24 +0100569 ( void ) operation;
Paul Elliottbc949782021-06-03 15:29:00 +0100570 ( void ) input;
Ronald Cron17006702021-12-03 15:25:24 +0100571 ( void ) output;
572 ( void ) output_size;
Paul Elliottadb8b162021-04-20 16:06:57 +0100573
574 return ( PSA_ERROR_NOT_SUPPORTED );
575 }
576
577 if( status == PSA_SUCCESS )
Paul Elliotte2c788d2021-05-13 17:16:01 +0100578 *output_length = update_output_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100579
580 return( status );
581}
582
Paul Elliottadb8b162021-04-20 16:06:57 +0100583/* Finish encrypting a message in a multipart AEAD operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100584psa_status_t mbedtls_psa_aead_finish(
585 mbedtls_psa_aead_operation_t *operation,
586 uint8_t *ciphertext,
587 size_t ciphertext_size,
588 size_t *ciphertext_length,
589 uint8_t *tag,
590 size_t tag_size,
591 size_t *tag_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100592{
593 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100594 size_t finish_output_size = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100595
Paul Elliott315628d2021-07-20 18:25:54 +0100596 if( tag_size < operation->tag_length )
597 return( PSA_ERROR_BUFFER_TOO_SMALL );
Paul Elliottadb8b162021-04-20 16:06:57 +0100598
599#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
600 if( operation->alg == PSA_ALG_GCM )
Paul Elliottecce9012021-07-23 15:44:11 +0100601 {
Paul Elliott83f09ef2021-05-21 19:28:26 +0100602 status = mbedtls_to_psa_error(
603 mbedtls_gcm_finish( &operation->ctx.gcm,
Paul Elliott71b05672021-09-24 11:18:13 +0100604 ciphertext, ciphertext_size, ciphertext_length,
Paul Elliott2fe5db82021-07-22 18:10:43 +0100605 tag, operation->tag_length ) );
Paul Elliottecce9012021-07-23 15:44:11 +0100606 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100607 else
608#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliotte193ea82021-10-01 13:00:16 +0100609#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
610 if( operation->alg == PSA_ALG_CCM )
611 {
612 /* tag must be big enough to store a tag of size passed into set
613 * lengths. */
614 if( tag_size < operation->tag_length )
615 return( PSA_ERROR_BUFFER_TOO_SMALL );
616
617 status = mbedtls_to_psa_error(
618 mbedtls_ccm_finish( &operation->ctx.ccm,
619 tag, operation->tag_length ) );
620 }
621 else
622#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100623#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
624 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
Paul Elliotted08cf82021-07-22 18:48:24 +0100625 {
626 /* Belt and braces. Although the above tag_size check should have
627 * already done this, if we later start supporting smaller tag sizes
628 * for chachapoly, then passing a tag buffer smaller than 16 into here
629 * could cause a buffer overflow, so better safe than sorry. */
630 if( tag_size < 16 )
631 return( PSA_ERROR_BUFFER_TOO_SMALL );
632
Paul Elliott2df40052021-05-07 17:52:18 +0100633 status = mbedtls_to_psa_error(
Paul Elliott83f09ef2021-05-21 19:28:26 +0100634 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
635 tag ) );
Paul Elliotted08cf82021-07-22 18:48:24 +0100636 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100637 else
638#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
639 {
640 ( void ) ciphertext;
641 ( void ) ciphertext_size;
642 ( void ) ciphertext_length;
643 ( void ) tag;
644 ( void ) tag_size;
645 ( void ) tag_length;
646
647 return ( PSA_ERROR_NOT_SUPPORTED );
648 }
649
650 if( status == PSA_SUCCESS )
651 {
Paul Elliott8ff74212021-09-19 18:39:23 +0100652 /* This will be zero for all supported algorithms currently, but left
653 * here for future support. */
Paul Elliottadb8b162021-04-20 16:06:57 +0100654 *ciphertext_length = finish_output_size;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100655 *tag_length = operation->tag_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100656 }
657
Paul Elliottadb8b162021-04-20 16:06:57 +0100658 return ( status );
659}
660
Paul Elliottadb8b162021-04-20 16:06:57 +0100661/* Abort an AEAD operation */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100662psa_status_t mbedtls_psa_aead_abort(
663 mbedtls_psa_aead_operation_t *operation )
Paul Elliottadb8b162021-04-20 16:06:57 +0100664{
Paul Elliott811d8d42021-04-22 11:31:14 +0100665 switch( operation->alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100666 {
Paul Elliott811d8d42021-04-22 11:31:14 +0100667#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
668 case PSA_ALG_CCM:
Paul Elliottadb8b162021-04-20 16:06:57 +0100669 mbedtls_ccm_free( &operation->ctx.ccm );
670 break;
671#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
672#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
673 case PSA_ALG_GCM:
674 mbedtls_gcm_free( &operation->ctx.gcm );
675 break;
676#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
677#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott811d8d42021-04-22 11:31:14 +0100678 case PSA_ALG_CHACHA20_POLY1305:
679 mbedtls_chachapoly_free( &operation->ctx.chachapoly );
680 break;
Paul Elliottadb8b162021-04-20 16:06:57 +0100681#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
682 }
683
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100684 operation->is_encrypt = 0;
Paul Elliott1a98aca2021-05-20 18:24:07 +0100685
Paul Elliottadb8b162021-04-20 16:06:57 +0100686 return( PSA_SUCCESS );
687}
688
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100689#endif /* MBEDTLS_PSA_CRYPTO_C */
690