Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 1 | /** |
| 2 | * \file cipher.c |
Paul Bakker | 7dc4c44 | 2014-02-01 22:50:26 +0100 | [diff] [blame] | 3 | * |
Manuel Pégourié-Gonnard | b4fe3cb | 2015-01-22 16:11:05 +0000 | [diff] [blame] | 4 | * \brief Generic cipher wrapper for mbed TLS |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 5 | * |
| 6 | * \author Adriaan de Jong <dejong@fox-it.com> |
| 7 | * |
Bence Szépkúti | 1e14827 | 2020-08-07 13:07:28 +0200 | [diff] [blame] | 8 | * Copyright The Mbed TLS Contributors |
Manuel Pégourié-Gonnard | 37ff140 | 2015-09-04 14:21:07 +0200 | [diff] [blame] | 9 | * SPDX-License-Identifier: Apache-2.0 |
| 10 | * |
| 11 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 12 | * not use this file except in compliance with the License. |
| 13 | * You may obtain a copy of the License at |
| 14 | * |
| 15 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 16 | * |
| 17 | * Unless required by applicable law or agreed to in writing, software |
| 18 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 19 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 20 | * See the License for the specific language governing permissions and |
| 21 | * limitations under the License. |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 22 | */ |
| 23 | |
Gilles Peskine | db09ef6 | 2020-06-03 01:43:33 +0200 | [diff] [blame] | 24 | #include "common.h" |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 25 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 26 | #if defined(MBEDTLS_CIPHER_C) |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 27 | |
Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 28 | #include "mbedtls/cipher.h" |
Chris Jones | daacb59 | 2021-03-09 17:03:29 +0000 | [diff] [blame] | 29 | #include "cipher_wrap.h" |
Andres Amaya Garcia | 1f6301b | 2018-04-17 09:51:09 -0500 | [diff] [blame] | 30 | #include "mbedtls/platform_util.h" |
Janos Follath | 24eed8d | 2019-11-22 13:21:35 +0000 | [diff] [blame] | 31 | #include "mbedtls/error.h" |
Gabor Mezei | 765862c | 2021-10-19 12:22:25 +0200 | [diff] [blame] | 32 | #include "mbedtls/constant_time.h" |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 33 | |
Rich Evans | 00ab470 | 2015-02-06 13:43:58 +0000 | [diff] [blame] | 34 | #include <stdlib.h> |
| 35 | #include <string.h> |
| 36 | |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 37 | #if defined(MBEDTLS_CHACHAPOLY_C) |
| 38 | #include "mbedtls/chachapoly.h" |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 39 | #endif |
| 40 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 41 | #if defined(MBEDTLS_GCM_C) |
Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 42 | #include "mbedtls/gcm.h" |
Manuel Pégourié-Gonnard | 07f8fa5 | 2013-08-30 18:34:08 +0200 | [diff] [blame] | 43 | #endif |
| 44 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 45 | #if defined(MBEDTLS_CCM_C) |
Manuel Pégourié-Gonnard | 7f80997 | 2015-03-09 17:05:11 +0000 | [diff] [blame] | 46 | #include "mbedtls/ccm.h" |
Manuel Pégourié-Gonnard | 4193695 | 2014-05-13 13:18:17 +0200 | [diff] [blame] | 47 | #endif |
| 48 | |
Daniel King | bd92062 | 2016-05-15 19:56:20 -0300 | [diff] [blame] | 49 | #if defined(MBEDTLS_CHACHA20_C) |
| 50 | #include "mbedtls/chacha20.h" |
| 51 | #endif |
| 52 | |
Simon Butcher | 327398a | 2016-10-05 14:09:11 +0100 | [diff] [blame] | 53 | #if defined(MBEDTLS_CMAC_C) |
| 54 | #include "mbedtls/cmac.h" |
| 55 | #endif |
| 56 | |
Hanno Becker | 4ccfc40 | 2018-11-09 16:10:57 +0000 | [diff] [blame] | 57 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 58 | #include "psa/crypto.h" |
Manuel Pégourié-Gonnard | 2be8c63 | 2023-06-07 13:07:21 +0200 | [diff] [blame] | 59 | #include "psa_util_internal.h" |
Hanno Becker | 4ccfc40 | 2018-11-09 16:10:57 +0000 | [diff] [blame] | 60 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 61 | |
Jack Lloyd | ffdf288 | 2019-03-07 17:00:32 -0500 | [diff] [blame] | 62 | #if defined(MBEDTLS_NIST_KW_C) |
| 63 | #include "mbedtls/nist_kw.h" |
| 64 | #endif |
| 65 | |
Simon Butcher | 327398a | 2016-10-05 14:09:11 +0100 | [diff] [blame] | 66 | #include "mbedtls/platform.h" |
Simon Butcher | 327398a | 2016-10-05 14:09:11 +0100 | [diff] [blame] | 67 | |
Manuel Pégourié-Gonnard | dace82f | 2013-09-18 15:12:07 +0200 | [diff] [blame] | 68 | static int supported_init = 0; |
Paul Bakker | 72f6266 | 2011-01-16 21:27:44 +0000 | [diff] [blame] | 69 | |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 70 | static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base( |
| 71 | const mbedtls_cipher_info_t *info) |
| 72 | { |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 73 | return mbedtls_cipher_base_lookup_table[info->base_idx]; |
| 74 | } |
| 75 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 76 | const int *mbedtls_cipher_list(void) |
Paul Bakker | 72f6266 | 2011-01-16 21:27:44 +0000 | [diff] [blame] | 77 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 78 | const mbedtls_cipher_definition_t *def; |
Manuel Pégourié-Gonnard | dace82f | 2013-09-18 15:12:07 +0200 | [diff] [blame] | 79 | int *type; |
| 80 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 81 | if (!supported_init) { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 82 | def = mbedtls_cipher_definitions; |
| 83 | type = mbedtls_cipher_supported; |
Manuel Pégourié-Gonnard | dace82f | 2013-09-18 15:12:07 +0200 | [diff] [blame] | 84 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 85 | while (def->type != 0) { |
Manuel Pégourié-Gonnard | dace82f | 2013-09-18 15:12:07 +0200 | [diff] [blame] | 86 | *type++ = (*def++).type; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 87 | } |
Manuel Pégourié-Gonnard | dace82f | 2013-09-18 15:12:07 +0200 | [diff] [blame] | 88 | |
| 89 | *type = 0; |
| 90 | |
| 91 | supported_init = 1; |
| 92 | } |
| 93 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 94 | return mbedtls_cipher_supported; |
Paul Bakker | 72f6266 | 2011-01-16 21:27:44 +0000 | [diff] [blame] | 95 | } |
| 96 | |
Hanno Becker | 18597cd | 2018-11-09 16:36:33 +0000 | [diff] [blame] | 97 | const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 98 | const mbedtls_cipher_type_t cipher_type) |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 99 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 100 | const mbedtls_cipher_definition_t *def; |
Paul Bakker | 5e0efa7 | 2013-09-08 23:04:04 +0200 | [diff] [blame] | 101 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 102 | for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { |
| 103 | if (def->type == cipher_type) { |
| 104 | return def->info; |
| 105 | } |
| 106 | } |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 107 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 108 | return NULL; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 109 | } |
| 110 | |
Hanno Becker | 18597cd | 2018-11-09 16:36:33 +0000 | [diff] [blame] | 111 | const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 112 | const char *cipher_name) |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 113 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 114 | const mbedtls_cipher_definition_t *def; |
Manuel Pégourié-Gonnard | dace82f | 2013-09-18 15:12:07 +0200 | [diff] [blame] | 115 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 116 | if (NULL == cipher_name) { |
| 117 | return NULL; |
| 118 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 119 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 120 | for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { |
| 121 | if (!strcmp(def->info->name, cipher_name)) { |
| 122 | return def->info; |
| 123 | } |
| 124 | } |
Paul Bakker | fab5c82 | 2012-02-06 16:45:10 +0000 | [diff] [blame] | 125 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 126 | return NULL; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 127 | } |
| 128 | |
Hanno Becker | 18597cd | 2018-11-09 16:36:33 +0000 | [diff] [blame] | 129 | const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( |
| 130 | const mbedtls_cipher_id_t cipher_id, |
| 131 | int key_bitlen, |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 132 | const mbedtls_cipher_mode_t mode) |
Paul Bakker | f46b695 | 2013-09-09 00:08:26 +0200 | [diff] [blame] | 133 | { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 134 | const mbedtls_cipher_definition_t *def; |
Paul Bakker | f46b695 | 2013-09-09 00:08:26 +0200 | [diff] [blame] | 135 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 136 | for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 137 | if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id && |
Dave Rodgman | 9282d4f | 2023-06-24 11:03:04 +0100 | [diff] [blame] | 138 | mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen && |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 139 | def->info->mode == mode) { |
| 140 | return def->info; |
| 141 | } |
| 142 | } |
Paul Bakker | f46b695 | 2013-09-09 00:08:26 +0200 | [diff] [blame] | 143 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 144 | return NULL; |
Paul Bakker | f46b695 | 2013-09-09 00:08:26 +0200 | [diff] [blame] | 145 | } |
| 146 | |
Manuel Pégourié-Gonnard | efcc1f2 | 2023-06-07 13:20:24 +0200 | [diff] [blame^] | 147 | #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) |
| 148 | static inline psa_key_type_t mbedtls_psa_translate_cipher_type( |
| 149 | mbedtls_cipher_type_t cipher) |
| 150 | { |
| 151 | switch (cipher) { |
| 152 | case MBEDTLS_CIPHER_AES_128_CCM: |
| 153 | case MBEDTLS_CIPHER_AES_192_CCM: |
| 154 | case MBEDTLS_CIPHER_AES_256_CCM: |
| 155 | case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG: |
| 156 | case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG: |
| 157 | case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG: |
| 158 | case MBEDTLS_CIPHER_AES_128_GCM: |
| 159 | case MBEDTLS_CIPHER_AES_192_GCM: |
| 160 | case MBEDTLS_CIPHER_AES_256_GCM: |
| 161 | case MBEDTLS_CIPHER_AES_128_CBC: |
| 162 | case MBEDTLS_CIPHER_AES_192_CBC: |
| 163 | case MBEDTLS_CIPHER_AES_256_CBC: |
| 164 | case MBEDTLS_CIPHER_AES_128_ECB: |
| 165 | case MBEDTLS_CIPHER_AES_192_ECB: |
| 166 | case MBEDTLS_CIPHER_AES_256_ECB: |
| 167 | return PSA_KEY_TYPE_AES; |
| 168 | |
| 169 | /* ARIA not yet supported in PSA. */ |
| 170 | /* case MBEDTLS_CIPHER_ARIA_128_CCM: |
| 171 | case MBEDTLS_CIPHER_ARIA_192_CCM: |
| 172 | case MBEDTLS_CIPHER_ARIA_256_CCM: |
| 173 | case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG: |
| 174 | case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG: |
| 175 | case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG: |
| 176 | case MBEDTLS_CIPHER_ARIA_128_GCM: |
| 177 | case MBEDTLS_CIPHER_ARIA_192_GCM: |
| 178 | case MBEDTLS_CIPHER_ARIA_256_GCM: |
| 179 | case MBEDTLS_CIPHER_ARIA_128_CBC: |
| 180 | case MBEDTLS_CIPHER_ARIA_192_CBC: |
| 181 | case MBEDTLS_CIPHER_ARIA_256_CBC: |
| 182 | return( PSA_KEY_TYPE_ARIA ); */ |
| 183 | |
| 184 | default: |
| 185 | return 0; |
| 186 | } |
| 187 | } |
| 188 | |
| 189 | static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode( |
| 190 | mbedtls_cipher_mode_t mode, size_t taglen) |
| 191 | { |
| 192 | switch (mode) { |
| 193 | case MBEDTLS_MODE_ECB: |
| 194 | return PSA_ALG_ECB_NO_PADDING; |
| 195 | case MBEDTLS_MODE_GCM: |
| 196 | return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen); |
| 197 | case MBEDTLS_MODE_CCM: |
| 198 | return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen); |
| 199 | case MBEDTLS_MODE_CCM_STAR_NO_TAG: |
| 200 | return PSA_ALG_CCM_STAR_NO_TAG; |
| 201 | case MBEDTLS_MODE_CBC: |
| 202 | if (taglen == 0) { |
| 203 | return PSA_ALG_CBC_NO_PADDING; |
| 204 | } else { |
| 205 | return 0; |
| 206 | } |
| 207 | default: |
| 208 | return 0; |
| 209 | } |
| 210 | } |
| 211 | |
| 212 | static inline psa_key_usage_t mbedtls_psa_translate_cipher_operation( |
| 213 | mbedtls_operation_t op) |
| 214 | { |
| 215 | switch (op) { |
| 216 | case MBEDTLS_ENCRYPT: |
| 217 | return PSA_KEY_USAGE_ENCRYPT; |
| 218 | case MBEDTLS_DECRYPT: |
| 219 | return PSA_KEY_USAGE_DECRYPT; |
| 220 | default: |
| 221 | return 0; |
| 222 | } |
| 223 | } |
| 224 | #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ |
| 225 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 226 | void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx) |
Paul Bakker | 84bbeb5 | 2014-07-01 14:53:22 +0200 | [diff] [blame] | 227 | { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 228 | memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); |
Paul Bakker | 84bbeb5 | 2014-07-01 14:53:22 +0200 | [diff] [blame] | 229 | } |
| 230 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 231 | void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx) |
Paul Bakker | 84bbeb5 | 2014-07-01 14:53:22 +0200 | [diff] [blame] | 232 | { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 233 | if (ctx == NULL) { |
Paul Bakker | 84bbeb5 | 2014-07-01 14:53:22 +0200 | [diff] [blame] | 234 | return; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 235 | } |
Paul Bakker | 84bbeb5 | 2014-07-01 14:53:22 +0200 | [diff] [blame] | 236 | |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 237 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 238 | if (ctx->psa_enabled == 1) { |
| 239 | if (ctx->cipher_ctx != NULL) { |
Hanno Becker | 6118e43 | 2018-11-09 16:47:20 +0000 | [diff] [blame] | 240 | mbedtls_cipher_context_psa * const cipher_psa = |
| 241 | (mbedtls_cipher_context_psa *) ctx->cipher_ctx; |
| 242 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 243 | if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) { |
Hanno Becker | edda8b8 | 2018-11-12 11:59:30 +0000 | [diff] [blame] | 244 | /* xxx_free() doesn't allow to return failures. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 245 | (void) psa_destroy_key(cipher_psa->slot); |
Hanno Becker | 6118e43 | 2018-11-09 16:47:20 +0000 | [diff] [blame] | 246 | } |
| 247 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 248 | mbedtls_platform_zeroize(cipher_psa, sizeof(*cipher_psa)); |
| 249 | mbedtls_free(cipher_psa); |
Hanno Becker | 6118e43 | 2018-11-09 16:47:20 +0000 | [diff] [blame] | 250 | } |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 251 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 252 | mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 253 | return; |
| 254 | } |
| 255 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 256 | |
Simon Butcher | 327398a | 2016-10-05 14:09:11 +0100 | [diff] [blame] | 257 | #if defined(MBEDTLS_CMAC_C) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 258 | if (ctx->cmac_ctx) { |
| 259 | mbedtls_platform_zeroize(ctx->cmac_ctx, |
| 260 | sizeof(mbedtls_cmac_context_t)); |
| 261 | mbedtls_free(ctx->cmac_ctx); |
Simon Butcher | 327398a | 2016-10-05 14:09:11 +0100 | [diff] [blame] | 262 | } |
| 263 | #endif |
| 264 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 265 | if (ctx->cipher_ctx) { |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 266 | mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx); |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 267 | } |
Paul Bakker | 84bbeb5 | 2014-07-01 14:53:22 +0200 | [diff] [blame] | 268 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 269 | mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); |
Paul Bakker | 84bbeb5 | 2014-07-01 14:53:22 +0200 | [diff] [blame] | 270 | } |
| 271 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 272 | int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, |
| 273 | const mbedtls_cipher_info_t *cipher_info) |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 274 | { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 275 | if (cipher_info == NULL) { |
| 276 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 277 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 278 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 279 | memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 280 | |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 281 | if (NULL == (ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func())) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 282 | return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; |
| 283 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 284 | |
| 285 | ctx->cipher_info = cipher_info; |
| 286 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 287 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) |
Manuel Pégourié-Gonnard | ac56a1a | 2013-07-25 12:31:10 +0200 | [diff] [blame] | 288 | /* |
| 289 | * Ignore possible errors caused by a cipher mode that doesn't use padding |
| 290 | */ |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 291 | #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 292 | (void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_PKCS7); |
Paul Bakker | 48e93c8 | 2013-08-14 12:21:18 +0200 | [diff] [blame] | 293 | #else |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 294 | (void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_NONE); |
Paul Bakker | 48e93c8 | 2013-08-14 12:21:18 +0200 | [diff] [blame] | 295 | #endif |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 296 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ |
Manuel Pégourié-Gonnard | ac56a1a | 2013-07-25 12:31:10 +0200 | [diff] [blame] | 297 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 298 | return 0; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 299 | } |
| 300 | |
Hanno Becker | 4ccfc40 | 2018-11-09 16:10:57 +0000 | [diff] [blame] | 301 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Przemek Stekiel | ef1fb4a | 2022-05-06 10:55:10 +0200 | [diff] [blame] | 302 | #if !defined(MBEDTLS_DEPRECATED_REMOVED) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 303 | int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx, |
| 304 | const mbedtls_cipher_info_t *cipher_info, |
| 305 | size_t taglen) |
Hanno Becker | 4ccfc40 | 2018-11-09 16:10:57 +0000 | [diff] [blame] | 306 | { |
Hanno Becker | edda8b8 | 2018-11-12 11:59:30 +0000 | [diff] [blame] | 307 | psa_algorithm_t alg; |
| 308 | mbedtls_cipher_context_psa *cipher_psa; |
| 309 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 310 | if (NULL == cipher_info || NULL == ctx) { |
| 311 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 312 | } |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 313 | |
Hanno Becker | 4ee7e76 | 2018-11-17 22:00:38 +0000 | [diff] [blame] | 314 | /* Check that the underlying cipher mode and cipher type are |
| 315 | * supported by the underlying PSA Crypto implementation. */ |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 316 | alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen); |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 317 | if (alg == 0) { |
| 318 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
| 319 | } |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 320 | if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 321 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
| 322 | } |
Hanno Becker | 6118e43 | 2018-11-09 16:47:20 +0000 | [diff] [blame] | 323 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 324 | memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 325 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 326 | cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa)); |
| 327 | if (cipher_psa == NULL) { |
| 328 | return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; |
| 329 | } |
Hanno Becker | edda8b8 | 2018-11-12 11:59:30 +0000 | [diff] [blame] | 330 | cipher_psa->alg = alg; |
| 331 | ctx->cipher_ctx = cipher_psa; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 332 | ctx->cipher_info = cipher_info; |
| 333 | ctx->psa_enabled = 1; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 334 | return 0; |
Hanno Becker | 4ccfc40 | 2018-11-09 16:10:57 +0000 | [diff] [blame] | 335 | } |
Przemek Stekiel | ef1fb4a | 2022-05-06 10:55:10 +0200 | [diff] [blame] | 336 | #endif /* MBEDTLS_DEPRECATED_REMOVED */ |
Hanno Becker | 4ccfc40 | 2018-11-09 16:10:57 +0000 | [diff] [blame] | 337 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 338 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 339 | int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, |
| 340 | const unsigned char *key, |
| 341 | int key_bitlen, |
| 342 | const mbedtls_operation_t operation) |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 343 | { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 344 | if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) { |
Tuvshinzaya Erdenekhuu | 80a6af6 | 2022-08-05 15:31:57 +0100 | [diff] [blame] | 345 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 346 | } |
| 347 | if (ctx->cipher_info == NULL) { |
| 348 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 349 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 350 | |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 351 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 352 | if (ctx->psa_enabled == 1) { |
Hanno Becker | edda8b8 | 2018-11-12 11:59:30 +0000 | [diff] [blame] | 353 | mbedtls_cipher_context_psa * const cipher_psa = |
| 354 | (mbedtls_cipher_context_psa *) ctx->cipher_ctx; |
| 355 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 356 | size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8; |
Hanno Becker | edda8b8 | 2018-11-12 11:59:30 +0000 | [diff] [blame] | 357 | |
| 358 | psa_status_t status; |
| 359 | psa_key_type_t key_type; |
Gilles Peskine | d2d45c1 | 2019-05-27 14:53:13 +0200 | [diff] [blame] | 360 | psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; |
Hanno Becker | edda8b8 | 2018-11-12 11:59:30 +0000 | [diff] [blame] | 361 | |
| 362 | /* PSA Crypto API only accepts byte-aligned keys. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 363 | if (key_bitlen % 8 != 0) { |
| 364 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 365 | } |
Hanno Becker | edda8b8 | 2018-11-12 11:59:30 +0000 | [diff] [blame] | 366 | |
| 367 | /* Don't allow keys to be set multiple times. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 368 | if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) { |
| 369 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 370 | } |
Hanno Becker | edda8b8 | 2018-11-12 11:59:30 +0000 | [diff] [blame] | 371 | |
Andrzej Kurek | c750932 | 2019-01-08 09:36:01 -0500 | [diff] [blame] | 372 | key_type = mbedtls_psa_translate_cipher_type( |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 373 | ((mbedtls_cipher_type_t) ctx->cipher_info->type)); |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 374 | if (key_type == 0) { |
| 375 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
| 376 | } |
| 377 | psa_set_key_type(&attributes, key_type); |
Hanno Becker | a395d8f | 2018-11-12 13:33:16 +0000 | [diff] [blame] | 378 | |
| 379 | /* Mbed TLS' cipher layer doesn't enforce the mode of operation |
Andrzej Kurek | f410a5c | 2019-01-15 03:33:35 -0500 | [diff] [blame] | 380 | * (encrypt vs. decrypt): it is possible to setup a key for encryption |
| 381 | * and use it for AEAD decryption. Until tests relying on this |
| 382 | * are changed, allow any usage in PSA. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 383 | psa_set_key_usage_flags(&attributes, |
| 384 | /* mbedtls_psa_translate_cipher_operation( operation ); */ |
| 385 | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); |
| 386 | psa_set_key_algorithm(&attributes, cipher_psa->alg); |
Hanno Becker | edda8b8 | 2018-11-12 11:59:30 +0000 | [diff] [blame] | 387 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 388 | status = psa_import_key(&attributes, key, key_bytelen, |
| 389 | &cipher_psa->slot); |
| 390 | switch (status) { |
Gilles Peskine | d2d45c1 | 2019-05-27 14:53:13 +0200 | [diff] [blame] | 391 | case PSA_SUCCESS: |
| 392 | break; |
| 393 | case PSA_ERROR_INSUFFICIENT_MEMORY: |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 394 | return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; |
Gilles Peskine | d2d45c1 | 2019-05-27 14:53:13 +0200 | [diff] [blame] | 395 | case PSA_ERROR_NOT_SUPPORTED: |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 396 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Gilles Peskine | d2d45c1 | 2019-05-27 14:53:13 +0200 | [diff] [blame] | 397 | default: |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 398 | return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; |
Gilles Peskine | d2d45c1 | 2019-05-27 14:53:13 +0200 | [diff] [blame] | 399 | } |
| 400 | /* Indicate that we own the key slot and need to |
| 401 | * destroy it in mbedtls_cipher_free(). */ |
| 402 | cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED; |
Hanno Becker | edda8b8 | 2018-11-12 11:59:30 +0000 | [diff] [blame] | 403 | |
| 404 | ctx->key_bitlen = key_bitlen; |
| 405 | ctx->operation = operation; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 406 | return 0; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 407 | } |
| 408 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 409 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 410 | if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 && |
Dave Rodgman | 9282d4f | 2023-06-24 11:03:04 +0100 | [diff] [blame] | 411 | (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 412 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Manuel Pégourié-Gonnard | 398c57b | 2014-06-23 12:10:59 +0200 | [diff] [blame] | 413 | } |
Manuel Pégourié-Gonnard | dd0f57f | 2013-09-16 11:47:43 +0200 | [diff] [blame] | 414 | |
Manuel Pégourié-Gonnard | 898e0aa | 2015-06-18 15:28:12 +0200 | [diff] [blame] | 415 | ctx->key_bitlen = key_bitlen; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 416 | ctx->operation = operation; |
| 417 | |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 418 | /* |
Simon Butcher | 8c0fd1e | 2018-04-22 22:58:07 +0100 | [diff] [blame] | 419 | * For OFB, CFB and CTR mode always use the encryption key schedule |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 420 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 421 | if (MBEDTLS_ENCRYPT == operation || |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 422 | MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || |
| 423 | MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || |
| 424 | MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 425 | return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 426 | ctx->key_bitlen); |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 427 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 428 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 429 | if (MBEDTLS_DECRYPT == operation) { |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 430 | return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 431 | ctx->key_bitlen); |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 432 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 433 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 434 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 435 | } |
| 436 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 437 | int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx, |
| 438 | const unsigned char *iv, |
| 439 | size_t iv_len) |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 440 | { |
Manuel Pégourié-Gonnard | a235b5b | 2013-09-03 13:25:52 +0200 | [diff] [blame] | 441 | size_t actual_iv_size; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 442 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 443 | if (ctx->cipher_info == NULL) { |
| 444 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 445 | } |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 446 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 447 | if (ctx->psa_enabled == 1) { |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 448 | /* While PSA Crypto has an API for multipart |
| 449 | * operations, we currently don't make it |
| 450 | * accessible through the cipher layer. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 451 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 452 | } |
| 453 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 454 | |
Manuel Pégourié-Gonnard | e0dca4a | 2013-10-24 16:54:25 +0200 | [diff] [blame] | 455 | /* avoid buffer overflow in ctx->iv */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 456 | if (iv_len > MBEDTLS_MAX_IV_LENGTH) { |
| 457 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
| 458 | } |
Manuel Pégourié-Gonnard | e0dca4a | 2013-10-24 16:54:25 +0200 | [diff] [blame] | 459 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 460 | if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) { |
Manuel Pégourié-Gonnard | a235b5b | 2013-09-03 13:25:52 +0200 | [diff] [blame] | 461 | actual_iv_size = iv_len; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 462 | } else { |
Dave Rodgman | bb521fd | 2023-06-24 11:21:25 +0100 | [diff] [blame] | 463 | actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info); |
Manuel Pégourié-Gonnard | 9c853b9 | 2013-09-03 13:04:44 +0200 | [diff] [blame] | 464 | |
Manuel Pégourié-Gonnard | e0dca4a | 2013-10-24 16:54:25 +0200 | [diff] [blame] | 465 | /* avoid reading past the end of input buffer */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 466 | if (actual_iv_size > iv_len) { |
| 467 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 468 | } |
Manuel Pégourié-Gonnard | e0dca4a | 2013-10-24 16:54:25 +0200 | [diff] [blame] | 469 | } |
| 470 | |
Daniel King | bd92062 | 2016-05-15 19:56:20 -0300 | [diff] [blame] | 471 | #if defined(MBEDTLS_CHACHA20_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 472 | if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) { |
Andrzej Kurek | 33ca6af | 2021-12-01 21:58:05 +0100 | [diff] [blame] | 473 | /* Even though the actual_iv_size is overwritten with a correct value |
| 474 | * of 12 from the cipher info, return an error to indicate that |
| 475 | * the input iv_len is wrong. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 476 | if (iv_len != 12) { |
| 477 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 478 | } |
Andrzej Kurek | 33ca6af | 2021-12-01 21:58:05 +0100 | [diff] [blame] | 479 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 480 | if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx, |
| 481 | iv, |
| 482 | 0U)) { /* Initial counter value */ |
| 483 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Daniel King | bd92062 | 2016-05-15 19:56:20 -0300 | [diff] [blame] | 484 | } |
| 485 | } |
Andrzej Kurek | 63439ed | 2021-12-01 22:19:33 +0100 | [diff] [blame] | 486 | #if defined(MBEDTLS_CHACHAPOLY_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 487 | if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 && |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 488 | iv_len != 12) { |
| 489 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 490 | } |
Andrzej Kurek | 63439ed | 2021-12-01 22:19:33 +0100 | [diff] [blame] | 491 | #endif |
Daniel King | bd92062 | 2016-05-15 19:56:20 -0300 | [diff] [blame] | 492 | #endif |
| 493 | |
Gilles Peskine | 295fc13 | 2021-04-15 18:32:23 +0200 | [diff] [blame] | 494 | #if defined(MBEDTLS_GCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 495 | if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 496 | return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, |
| 497 | ctx->operation, |
| 498 | iv, iv_len); |
Gilles Peskine | 295fc13 | 2021-04-15 18:32:23 +0200 | [diff] [blame] | 499 | } |
| 500 | #endif |
| 501 | |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 502 | #if defined(MBEDTLS_CCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 503 | if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 504 | int set_lengths_result; |
| 505 | int ccm_star_mode; |
| 506 | |
| 507 | set_lengths_result = mbedtls_ccm_set_lengths( |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 508 | (mbedtls_ccm_context *) ctx->cipher_ctx, |
| 509 | 0, 0, 0); |
| 510 | if (set_lengths_result != 0) { |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 511 | return set_lengths_result; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 512 | } |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 513 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 514 | if (ctx->operation == MBEDTLS_DECRYPT) { |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 515 | ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 516 | } else if (ctx->operation == MBEDTLS_ENCRYPT) { |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 517 | ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 518 | } else { |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 519 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 520 | } |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 521 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 522 | return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx, |
| 523 | ccm_star_mode, |
| 524 | iv, iv_len); |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 525 | } |
| 526 | #endif |
| 527 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 528 | if (actual_iv_size != 0) { |
| 529 | memcpy(ctx->iv, iv, actual_iv_size); |
Ron Eldor | 4e64e0b | 2017-09-25 18:22:32 +0300 | [diff] [blame] | 530 | ctx->iv_size = actual_iv_size; |
| 531 | } |
Manuel Pégourié-Gonnard | 9c853b9 | 2013-09-03 13:04:44 +0200 | [diff] [blame] | 532 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 533 | return 0; |
Manuel Pégourié-Gonnard | 9c853b9 | 2013-09-03 13:04:44 +0200 | [diff] [blame] | 534 | } |
| 535 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 536 | int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx) |
Manuel Pégourié-Gonnard | 9c853b9 | 2013-09-03 13:04:44 +0200 | [diff] [blame] | 537 | { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 538 | if (ctx->cipher_info == NULL) { |
| 539 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 540 | } |
Manuel Pégourié-Gonnard | 2adc40c | 2013-09-03 13:54:12 +0200 | [diff] [blame] | 541 | |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 542 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 543 | if (ctx->psa_enabled == 1) { |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 544 | /* We don't support resetting PSA-based |
| 545 | * cipher contexts, yet. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 546 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 547 | } |
| 548 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 549 | |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 550 | ctx->unprocessed_len = 0; |
| 551 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 552 | return 0; |
Manuel Pégourié-Gonnard | 2adc40c | 2013-09-03 13:54:12 +0200 | [diff] [blame] | 553 | } |
| 554 | |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 555 | #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 556 | int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx, |
| 557 | const unsigned char *ad, size_t ad_len) |
Manuel Pégourié-Gonnard | 2adc40c | 2013-09-03 13:54:12 +0200 | [diff] [blame] | 558 | { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 559 | if (ctx->cipher_info == NULL) { |
| 560 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 561 | } |
Manuel Pégourié-Gonnard | 2adc40c | 2013-09-03 13:54:12 +0200 | [diff] [blame] | 562 | |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 563 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 564 | if (ctx->psa_enabled == 1) { |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 565 | /* While PSA Crypto has an API for multipart |
| 566 | * operations, we currently don't make it |
| 567 | * accessible through the cipher layer. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 568 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 569 | } |
| 570 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 571 | |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 572 | #if defined(MBEDTLS_GCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 573 | if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 574 | return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx, |
| 575 | ad, ad_len); |
Manuel Pégourié-Gonnard | 07f8fa5 | 2013-08-30 18:34:08 +0200 | [diff] [blame] | 576 | } |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 577 | #endif |
| 578 | |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 579 | #if defined(MBEDTLS_CHACHAPOLY_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 580 | if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 581 | int result; |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 582 | mbedtls_chachapoly_mode_t mode; |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 583 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 584 | mode = (ctx->operation == MBEDTLS_ENCRYPT) |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 585 | ? MBEDTLS_CHACHAPOLY_ENCRYPT |
| 586 | : MBEDTLS_CHACHAPOLY_DECRYPT; |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 587 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 588 | result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx, |
| 589 | ctx->iv, |
| 590 | mode); |
| 591 | if (result != 0) { |
| 592 | return result; |
| 593 | } |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 594 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 595 | return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx, |
| 596 | ad, ad_len); |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 597 | } |
| 598 | #endif |
Manuel Pégourié-Gonnard | 07f8fa5 | 2013-08-30 18:34:08 +0200 | [diff] [blame] | 599 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 600 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 601 | } |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 602 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 603 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 604 | int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, |
| 605 | size_t ilen, unsigned char *output, size_t *olen) |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 606 | { |
Janos Follath | 24eed8d | 2019-11-22 13:21:35 +0000 | [diff] [blame] | 607 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 608 | size_t block_size; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 609 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 610 | if (ctx->cipher_info == NULL) { |
| 611 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 612 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 613 | |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 614 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 615 | if (ctx->psa_enabled == 1) { |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 616 | /* While PSA Crypto has an API for multipart |
| 617 | * operations, we currently don't make it |
| 618 | * accessible through the cipher layer. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 619 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 620 | } |
| 621 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 622 | |
Paul Bakker | 6c21276 | 2013-12-16 15:24:50 +0100 | [diff] [blame] | 623 | *olen = 0; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 624 | block_size = mbedtls_cipher_get_block_size(ctx); |
| 625 | if (0 == block_size) { |
| 626 | return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; |
Gilles Peskine | a2bdcb9 | 2020-01-21 15:02:14 +0100 | [diff] [blame] | 627 | } |
Paul Bakker | 6c21276 | 2013-12-16 15:24:50 +0100 | [diff] [blame] | 628 | |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 629 | if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 630 | if (ilen != block_size) { |
| 631 | return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; |
| 632 | } |
Paul Bakker | 5e0efa7 | 2013-09-08 23:04:04 +0200 | [diff] [blame] | 633 | |
| 634 | *olen = ilen; |
| 635 | |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 636 | if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 637 | ctx->operation, input, |
| 638 | output))) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 639 | return ret; |
Paul Bakker | 5e0efa7 | 2013-09-08 23:04:04 +0200 | [diff] [blame] | 640 | } |
| 641 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 642 | return 0; |
Paul Bakker | 5e0efa7 | 2013-09-08 23:04:04 +0200 | [diff] [blame] | 643 | } |
| 644 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 645 | #if defined(MBEDTLS_GCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 646 | if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 647 | return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, |
| 648 | input, ilen, |
| 649 | output, ilen, olen); |
Manuel Pégourié-Gonnard | b8bd593 | 2013-09-05 13:38:15 +0200 | [diff] [blame] | 650 | } |
| 651 | #endif |
| 652 | |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 653 | #if defined(MBEDTLS_CCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 654 | if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 655 | return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx, |
| 656 | input, ilen, |
| 657 | output, ilen, olen); |
Mateusz Starzyk | 594215b | 2021-10-14 12:23:06 +0200 | [diff] [blame] | 658 | } |
| 659 | #endif |
| 660 | |
Manuel Pégourié-Gonnard | 32902e6 | 2018-05-10 12:30:19 +0200 | [diff] [blame] | 661 | #if defined(MBEDTLS_CHACHAPOLY_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 662 | if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) { |
Manuel Pégourié-Gonnard | 32902e6 | 2018-05-10 12:30:19 +0200 | [diff] [blame] | 663 | *olen = ilen; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 664 | return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx, |
| 665 | ilen, input, output); |
Manuel Pégourié-Gonnard | 32902e6 | 2018-05-10 12:30:19 +0200 | [diff] [blame] | 666 | } |
| 667 | #endif |
| 668 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 669 | if (input == output && |
| 670 | (ctx->unprocessed_len != 0 || ilen % block_size)) { |
| 671 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Paul Bakker | 68884e3 | 2013-01-07 18:20:04 +0100 | [diff] [blame] | 672 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 673 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 674 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 675 | if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) { |
Manuel Pégourié-Gonnard | 989ed38 | 2013-09-13 14:41:45 +0200 | [diff] [blame] | 676 | size_t copy_len = 0; |
| 677 | |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 678 | /* |
| 679 | * If there is not enough data for a full block, cache it. |
| 680 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 681 | if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && |
| 682 | ilen <= block_size - ctx->unprocessed_len) || |
| 683 | (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && |
| 684 | ilen < block_size - ctx->unprocessed_len) || |
| 685 | (ctx->operation == MBEDTLS_ENCRYPT && |
| 686 | ilen < block_size - ctx->unprocessed_len)) { |
| 687 | memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, |
| 688 | ilen); |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 689 | |
| 690 | ctx->unprocessed_len += ilen; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 691 | return 0; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 692 | } |
| 693 | |
| 694 | /* |
| 695 | * Process cached data first |
| 696 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 697 | if (0 != ctx->unprocessed_len) { |
Janos Follath | 98e28a7 | 2016-05-31 14:03:54 +0100 | [diff] [blame] | 698 | copy_len = block_size - ctx->unprocessed_len; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 699 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 700 | memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, |
| 701 | copy_len); |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 702 | |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 703 | if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 704 | ctx->operation, |
| 705 | block_size, ctx->iv, |
| 706 | ctx-> |
| 707 | unprocessed_data, |
| 708 | output))) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 709 | return ret; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 710 | } |
| 711 | |
Janos Follath | 98e28a7 | 2016-05-31 14:03:54 +0100 | [diff] [blame] | 712 | *olen += block_size; |
| 713 | output += block_size; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 714 | ctx->unprocessed_len = 0; |
| 715 | |
| 716 | input += copy_len; |
| 717 | ilen -= copy_len; |
| 718 | } |
| 719 | |
| 720 | /* |
| 721 | * Cache final, incomplete block |
| 722 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 723 | if (0 != ilen) { |
Andy Leiserson | 79e7789 | 2017-04-28 20:01:49 -0700 | [diff] [blame] | 724 | /* Encryption: only cache partial blocks |
| 725 | * Decryption w/ padding: always keep at least one whole block |
| 726 | * Decryption w/o padding: only cache partial blocks |
| 727 | */ |
Janos Follath | 98e28a7 | 2016-05-31 14:03:54 +0100 | [diff] [blame] | 728 | copy_len = ilen % block_size; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 729 | if (copy_len == 0 && |
Andy Leiserson | 79e7789 | 2017-04-28 20:01:49 -0700 | [diff] [blame] | 730 | ctx->operation == MBEDTLS_DECRYPT && |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 731 | NULL != ctx->add_padding) { |
Janos Follath | 98e28a7 | 2016-05-31 14:03:54 +0100 | [diff] [blame] | 732 | copy_len = block_size; |
Andy Leiserson | 79e7789 | 2017-04-28 20:01:49 -0700 | [diff] [blame] | 733 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 734 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 735 | memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]), |
| 736 | copy_len); |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 737 | |
| 738 | ctx->unprocessed_len += copy_len; |
| 739 | ilen -= copy_len; |
| 740 | } |
| 741 | |
| 742 | /* |
| 743 | * Process remaining full blocks |
| 744 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 745 | if (ilen) { |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 746 | if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 747 | ctx->operation, |
| 748 | ilen, ctx->iv, |
| 749 | input, |
| 750 | output))) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 751 | return ret; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 752 | } |
Manuel Pégourié-Gonnard | 07f8fa5 | 2013-08-30 18:34:08 +0200 | [diff] [blame] | 753 | |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 754 | *olen += ilen; |
| 755 | } |
| 756 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 757 | return 0; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 758 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 759 | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 760 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 761 | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 762 | if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) { |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 763 | if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 764 | ctx->operation, ilen, |
| 765 | &ctx->unprocessed_len, |
| 766 | ctx->iv, |
| 767 | input, output))) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 768 | return ret; |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 769 | } |
| 770 | |
| 771 | *olen = ilen; |
| 772 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 773 | return 0; |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 774 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 775 | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 776 | |
Simon Butcher | 8c0fd1e | 2018-04-22 22:58:07 +0100 | [diff] [blame] | 777 | #if defined(MBEDTLS_CIPHER_MODE_OFB) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 778 | if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) { |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 779 | if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 780 | ilen, |
| 781 | &ctx->unprocessed_len, |
| 782 | ctx->iv, |
| 783 | input, output))) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 784 | return ret; |
Simon Butcher | 8c0fd1e | 2018-04-22 22:58:07 +0100 | [diff] [blame] | 785 | } |
| 786 | |
| 787 | *olen = ilen; |
| 788 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 789 | return 0; |
Simon Butcher | 8c0fd1e | 2018-04-22 22:58:07 +0100 | [diff] [blame] | 790 | } |
| 791 | #endif /* MBEDTLS_CIPHER_MODE_OFB */ |
| 792 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 793 | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 794 | if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) { |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 795 | if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 796 | ilen, |
| 797 | &ctx->unprocessed_len, |
| 798 | ctx->iv, |
| 799 | ctx->unprocessed_data, |
| 800 | input, output))) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 801 | return ret; |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 802 | } |
| 803 | |
| 804 | *olen = ilen; |
| 805 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 806 | return 0; |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 807 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 808 | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 809 | |
Jaeden Amero | c653990 | 2018-04-30 17:17:41 +0100 | [diff] [blame] | 810 | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 811 | if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 812 | if (ctx->unprocessed_len > 0) { |
Jaeden Amero | c653990 | 2018-04-30 17:17:41 +0100 | [diff] [blame] | 813 | /* We can only process an entire data unit at a time. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 814 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Jaeden Amero | c653990 | 2018-04-30 17:17:41 +0100 | [diff] [blame] | 815 | } |
| 816 | |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 817 | ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 818 | ctx->operation, |
| 819 | ilen, |
| 820 | ctx->iv, |
| 821 | input, |
| 822 | output); |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 823 | if (ret != 0) { |
| 824 | return ret; |
Jaeden Amero | c653990 | 2018-04-30 17:17:41 +0100 | [diff] [blame] | 825 | } |
| 826 | |
| 827 | *olen = ilen; |
| 828 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 829 | return 0; |
Jaeden Amero | c653990 | 2018-04-30 17:17:41 +0100 | [diff] [blame] | 830 | } |
| 831 | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
| 832 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 833 | #if defined(MBEDTLS_CIPHER_MODE_STREAM) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 834 | if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) { |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 835 | if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 836 | ilen, input, |
| 837 | output))) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 838 | return ret; |
Manuel Pégourié-Gonnard | 37e230c | 2013-08-28 13:50:42 +0200 | [diff] [blame] | 839 | } |
| 840 | |
| 841 | *olen = ilen; |
| 842 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 843 | return 0; |
Manuel Pégourié-Gonnard | 37e230c | 2013-08-28 13:50:42 +0200 | [diff] [blame] | 844 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 845 | #endif /* MBEDTLS_CIPHER_MODE_STREAM */ |
Manuel Pégourié-Gonnard | 37e230c | 2013-08-28 13:50:42 +0200 | [diff] [blame] | 846 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 847 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 848 | } |
| 849 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 850 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) |
| 851 | #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 852 | /* |
| 853 | * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len |
| 854 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 855 | static void add_pkcs_padding(unsigned char *output, size_t output_len, |
| 856 | size_t data_len) |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 857 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 858 | size_t padding_len = output_len - data_len; |
Manuel Pégourié-Gonnard | f8ab069 | 2013-10-27 17:21:14 +0100 | [diff] [blame] | 859 | unsigned char i; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 860 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 861 | for (i = 0; i < padding_len; i++) { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 862 | output[data_len + i] = (unsigned char) padding_len; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 863 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 864 | } |
| 865 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 866 | static int get_pkcs_padding(unsigned char *input, size_t input_len, |
| 867 | size_t *data_len) |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 868 | { |
Manuel Pégourié-Gonnard | f8ab069 | 2013-10-27 17:21:14 +0100 | [diff] [blame] | 869 | size_t i, pad_idx; |
| 870 | unsigned char padding_len, bad = 0; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 871 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 872 | if (NULL == input || NULL == data_len) { |
| 873 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 874 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 875 | |
| 876 | padding_len = input[input_len - 1]; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 877 | *data_len = input_len - padding_len; |
| 878 | |
Manuel Pégourié-Gonnard | f8ab069 | 2013-10-27 17:21:14 +0100 | [diff] [blame] | 879 | /* Avoid logical || since it results in a branch */ |
| 880 | bad |= padding_len > input_len; |
| 881 | bad |= padding_len == 0; |
| 882 | |
| 883 | /* The number of bytes checked must be independent of padding_len, |
| 884 | * so pick input_len, which is usually 8 or 16 (one block) */ |
| 885 | pad_idx = input_len - padding_len; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 886 | for (i = 0; i < input_len; i++) { |
| 887 | bad |= (input[i] ^ padding_len) * (i >= pad_idx); |
| 888 | } |
Manuel Pégourié-Gonnard | f8ab069 | 2013-10-27 17:21:14 +0100 | [diff] [blame] | 889 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 890 | return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0); |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 891 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 892 | #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 893 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 894 | #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 895 | /* |
| 896 | * One and zeros padding: fill with 80 00 ... 00 |
| 897 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 898 | static void add_one_and_zeros_padding(unsigned char *output, |
| 899 | size_t output_len, size_t data_len) |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 900 | { |
| 901 | size_t padding_len = output_len - data_len; |
| 902 | unsigned char i = 0; |
| 903 | |
| 904 | output[data_len] = 0x80; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 905 | for (i = 1; i < padding_len; i++) { |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 906 | output[data_len + i] = 0x00; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 907 | } |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 908 | } |
| 909 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 910 | static int get_one_and_zeros_padding(unsigned char *input, size_t input_len, |
| 911 | size_t *data_len) |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 912 | { |
Manuel Pégourié-Gonnard | 6c32990 | 2013-10-27 18:25:03 +0100 | [diff] [blame] | 913 | size_t i; |
| 914 | unsigned char done = 0, prev_done, bad; |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 915 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 916 | if (NULL == input || NULL == data_len) { |
| 917 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 918 | } |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 919 | |
Micha Kraus | ba8316f | 2017-12-23 23:40:08 +0100 | [diff] [blame] | 920 | bad = 0x80; |
Manuel Pégourié-Gonnard | 6c32990 | 2013-10-27 18:25:03 +0100 | [diff] [blame] | 921 | *data_len = 0; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 922 | for (i = input_len; i > 0; i--) { |
Manuel Pégourié-Gonnard | 6c32990 | 2013-10-27 18:25:03 +0100 | [diff] [blame] | 923 | prev_done = done; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 924 | done |= (input[i - 1] != 0); |
| 925 | *data_len |= (i - 1) * (done != prev_done); |
| 926 | bad ^= input[i - 1] * (done != prev_done); |
Manuel Pégourié-Gonnard | 6c32990 | 2013-10-27 18:25:03 +0100 | [diff] [blame] | 927 | } |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 928 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 929 | return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0); |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 930 | |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 931 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 932 | #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ |
Manuel Pégourié-Gonnard | 679f9e9 | 2013-07-26 12:46:02 +0200 | [diff] [blame] | 933 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 934 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) |
Manuel Pégourié-Gonnard | 8d4291b | 2013-07-26 14:55:18 +0200 | [diff] [blame] | 935 | /* |
| 936 | * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length |
| 937 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 938 | static void add_zeros_and_len_padding(unsigned char *output, |
| 939 | size_t output_len, size_t data_len) |
Manuel Pégourié-Gonnard | 8d4291b | 2013-07-26 14:55:18 +0200 | [diff] [blame] | 940 | { |
| 941 | size_t padding_len = output_len - data_len; |
| 942 | unsigned char i = 0; |
| 943 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 944 | for (i = 1; i < padding_len; i++) { |
Manuel Pégourié-Gonnard | 8d4291b | 2013-07-26 14:55:18 +0200 | [diff] [blame] | 945 | output[data_len + i - 1] = 0x00; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 946 | } |
Manuel Pégourié-Gonnard | 8d4291b | 2013-07-26 14:55:18 +0200 | [diff] [blame] | 947 | output[output_len - 1] = (unsigned char) padding_len; |
| 948 | } |
| 949 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 950 | static int get_zeros_and_len_padding(unsigned char *input, size_t input_len, |
| 951 | size_t *data_len) |
Manuel Pégourié-Gonnard | 8d4291b | 2013-07-26 14:55:18 +0200 | [diff] [blame] | 952 | { |
Manuel Pégourié-Gonnard | d17df51 | 2013-10-27 17:32:43 +0100 | [diff] [blame] | 953 | size_t i, pad_idx; |
| 954 | unsigned char padding_len, bad = 0; |
Manuel Pégourié-Gonnard | 8d4291b | 2013-07-26 14:55:18 +0200 | [diff] [blame] | 955 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 956 | if (NULL == input || NULL == data_len) { |
| 957 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 958 | } |
Manuel Pégourié-Gonnard | 8d4291b | 2013-07-26 14:55:18 +0200 | [diff] [blame] | 959 | |
| 960 | padding_len = input[input_len - 1]; |
Manuel Pégourié-Gonnard | 8d4291b | 2013-07-26 14:55:18 +0200 | [diff] [blame] | 961 | *data_len = input_len - padding_len; |
| 962 | |
Manuel Pégourié-Gonnard | d17df51 | 2013-10-27 17:32:43 +0100 | [diff] [blame] | 963 | /* Avoid logical || since it results in a branch */ |
| 964 | bad |= padding_len > input_len; |
| 965 | bad |= padding_len == 0; |
| 966 | |
| 967 | /* The number of bytes checked must be independent of padding_len */ |
| 968 | pad_idx = input_len - padding_len; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 969 | for (i = 0; i < input_len - 1; i++) { |
| 970 | bad |= input[i] * (i >= pad_idx); |
| 971 | } |
Manuel Pégourié-Gonnard | d17df51 | 2013-10-27 17:32:43 +0100 | [diff] [blame] | 972 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 973 | return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0); |
Manuel Pégourié-Gonnard | 8d4291b | 2013-07-26 14:55:18 +0200 | [diff] [blame] | 974 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 975 | #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ |
Manuel Pégourié-Gonnard | 8d4291b | 2013-07-26 14:55:18 +0200 | [diff] [blame] | 976 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 977 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) |
Manuel Pégourié-Gonnard | 0e7d2c0 | 2013-07-26 16:05:14 +0200 | [diff] [blame] | 978 | /* |
| 979 | * Zero padding: fill with 00 ... 00 |
| 980 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 981 | static void add_zeros_padding(unsigned char *output, |
| 982 | size_t output_len, size_t data_len) |
Manuel Pégourié-Gonnard | 0e7d2c0 | 2013-07-26 16:05:14 +0200 | [diff] [blame] | 983 | { |
Paul Bakker | b9cfaa0 | 2013-10-11 18:58:55 +0200 | [diff] [blame] | 984 | size_t i; |
Manuel Pégourié-Gonnard | 0e7d2c0 | 2013-07-26 16:05:14 +0200 | [diff] [blame] | 985 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 986 | for (i = data_len; i < output_len; i++) { |
Manuel Pégourié-Gonnard | 0e7d2c0 | 2013-07-26 16:05:14 +0200 | [diff] [blame] | 987 | output[i] = 0x00; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 988 | } |
Manuel Pégourié-Gonnard | 0e7d2c0 | 2013-07-26 16:05:14 +0200 | [diff] [blame] | 989 | } |
| 990 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 991 | static int get_zeros_padding(unsigned char *input, size_t input_len, |
| 992 | size_t *data_len) |
Manuel Pégourié-Gonnard | 0e7d2c0 | 2013-07-26 16:05:14 +0200 | [diff] [blame] | 993 | { |
Manuel Pégourié-Gonnard | e68bf17 | 2013-10-27 18:26:39 +0100 | [diff] [blame] | 994 | size_t i; |
| 995 | unsigned char done = 0, prev_done; |
| 996 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 997 | if (NULL == input || NULL == data_len) { |
| 998 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Manuel Pégourié-Gonnard | e68bf17 | 2013-10-27 18:26:39 +0100 | [diff] [blame] | 999 | } |
Manuel Pégourié-Gonnard | 0e7d2c0 | 2013-07-26 16:05:14 +0200 | [diff] [blame] | 1000 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1001 | *data_len = 0; |
| 1002 | for (i = input_len; i > 0; i--) { |
| 1003 | prev_done = done; |
| 1004 | done |= (input[i-1] != 0); |
| 1005 | *data_len |= i * (done != prev_done); |
| 1006 | } |
| 1007 | |
| 1008 | return 0; |
Manuel Pégourié-Gonnard | 0e7d2c0 | 2013-07-26 16:05:14 +0200 | [diff] [blame] | 1009 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1010 | #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ |
Manuel Pégourié-Gonnard | 0e7d2c0 | 2013-07-26 16:05:14 +0200 | [diff] [blame] | 1011 | |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1012 | /* |
| 1013 | * No padding: don't pad :) |
| 1014 | * |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1015 | * There is no add_padding function (check for NULL in mbedtls_cipher_finish) |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1016 | * but a trivial get_padding function |
| 1017 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1018 | static int get_no_padding(unsigned char *input, size_t input_len, |
| 1019 | size_t *data_len) |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1020 | { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1021 | if (NULL == input || NULL == data_len) { |
| 1022 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1023 | } |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1024 | |
| 1025 | *data_len = input_len; |
| 1026 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1027 | return 0; |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1028 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1029 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1030 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1031 | int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx, |
| 1032 | unsigned char *output, size_t *olen) |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 1033 | { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1034 | if (ctx->cipher_info == NULL) { |
| 1035 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1036 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 1037 | |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1038 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1039 | if (ctx->psa_enabled == 1) { |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1040 | /* While PSA Crypto has an API for multipart |
| 1041 | * operations, we currently don't make it |
| 1042 | * accessible through the cipher layer. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1043 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1044 | } |
| 1045 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1046 | |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 1047 | *olen = 0; |
| 1048 | |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1049 | if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || |
| 1050 | MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || |
| 1051 | MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || |
| 1052 | MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || |
| 1053 | MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || |
| 1054 | MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || |
| 1055 | MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1056 | return 0; |
Paul Bakker | 343a870 | 2011-06-09 14:27:58 +0000 | [diff] [blame] | 1057 | } |
| 1058 | |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1059 | if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) || |
| 1060 | (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1061 | return 0; |
Daniel King | bd92062 | 2016-05-15 19:56:20 -0300 | [diff] [blame] | 1062 | } |
| 1063 | |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1064 | if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1065 | if (ctx->unprocessed_len != 0) { |
| 1066 | return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; |
| 1067 | } |
Paul Bakker | 5e0efa7 | 2013-09-08 23:04:04 +0200 | [diff] [blame] | 1068 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1069 | return 0; |
Paul Bakker | 5e0efa7 | 2013-09-08 23:04:04 +0200 | [diff] [blame] | 1070 | } |
| 1071 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1072 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1073 | if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Manuel Pégourié-Gonnard | 989ed38 | 2013-09-13 14:41:45 +0200 | [diff] [blame] | 1074 | int ret = 0; |
| 1075 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1076 | if (MBEDTLS_ENCRYPT == ctx->operation) { |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1077 | /* check for 'no padding' mode */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1078 | if (NULL == ctx->add_padding) { |
| 1079 | if (0 != ctx->unprocessed_len) { |
| 1080 | return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; |
| 1081 | } |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1082 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1083 | return 0; |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1084 | } |
| 1085 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1086 | ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx), |
| 1087 | ctx->unprocessed_len); |
| 1088 | } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) { |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1089 | /* |
| 1090 | * For decrypt operations, expect a full block, |
| 1091 | * or an empty block if no padding |
| 1092 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1093 | if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) { |
| 1094 | return 0; |
| 1095 | } |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1096 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1097 | return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 1098 | } |
| 1099 | |
| 1100 | /* cipher block */ |
Dave Rodgman | de3de77 | 2023-06-24 12:51:06 +0100 | [diff] [blame] | 1101 | if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, |
Dave Rodgman | 3b46b77 | 2023-06-24 13:25:06 +0100 | [diff] [blame] | 1102 | ctx->operation, |
| 1103 | mbedtls_cipher_get_block_size( |
| 1104 | ctx), |
| 1105 | ctx->iv, |
| 1106 | ctx->unprocessed_data, |
| 1107 | output))) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1108 | return ret; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 1109 | } |
| 1110 | |
| 1111 | /* Set output size for decryption */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1112 | if (MBEDTLS_DECRYPT == ctx->operation) { |
| 1113 | return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx), |
| 1114 | olen); |
| 1115 | } |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 1116 | |
| 1117 | /* Set output size for encryption */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1118 | *olen = mbedtls_cipher_get_block_size(ctx); |
| 1119 | return 0; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 1120 | } |
Manuel Pégourié-Gonnard | 989ed38 | 2013-09-13 14:41:45 +0200 | [diff] [blame] | 1121 | #else |
| 1122 | ((void) output); |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1123 | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 1124 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1125 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Paul Bakker | 8123e9d | 2011-01-06 15:37:30 +0000 | [diff] [blame] | 1126 | } |
| 1127 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1128 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1129 | int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, |
| 1130 | mbedtls_cipher_padding_t mode) |
Manuel Pégourié-Gonnard | ac56a1a | 2013-07-25 12:31:10 +0200 | [diff] [blame] | 1131 | { |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1132 | if (NULL == ctx->cipher_info || |
| 1133 | MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1134 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Manuel Pégourié-Gonnard | ac56a1a | 2013-07-25 12:31:10 +0200 | [diff] [blame] | 1135 | } |
| 1136 | |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1137 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1138 | if (ctx->psa_enabled == 1) { |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1139 | /* While PSA Crypto knows about CBC padding |
| 1140 | * schemes, we currently don't make them |
| 1141 | * accessible through the cipher layer. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1142 | if (mode != MBEDTLS_PADDING_NONE) { |
| 1143 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
| 1144 | } |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1145 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1146 | return 0; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1147 | } |
| 1148 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1149 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1150 | switch (mode) { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1151 | #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1152 | case MBEDTLS_PADDING_PKCS7: |
| 1153 | ctx->add_padding = add_pkcs_padding; |
| 1154 | ctx->get_padding = get_pkcs_padding; |
| 1155 | break; |
Paul Bakker | 48e93c8 | 2013-08-14 12:21:18 +0200 | [diff] [blame] | 1156 | #endif |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1157 | #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1158 | case MBEDTLS_PADDING_ONE_AND_ZEROS: |
| 1159 | ctx->add_padding = add_one_and_zeros_padding; |
| 1160 | ctx->get_padding = get_one_and_zeros_padding; |
| 1161 | break; |
Paul Bakker | 48e93c8 | 2013-08-14 12:21:18 +0200 | [diff] [blame] | 1162 | #endif |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1163 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1164 | case MBEDTLS_PADDING_ZEROS_AND_LEN: |
| 1165 | ctx->add_padding = add_zeros_and_len_padding; |
| 1166 | ctx->get_padding = get_zeros_and_len_padding; |
| 1167 | break; |
Paul Bakker | 48e93c8 | 2013-08-14 12:21:18 +0200 | [diff] [blame] | 1168 | #endif |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1169 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1170 | case MBEDTLS_PADDING_ZEROS: |
| 1171 | ctx->add_padding = add_zeros_padding; |
| 1172 | ctx->get_padding = get_zeros_padding; |
| 1173 | break; |
Paul Bakker | 48e93c8 | 2013-08-14 12:21:18 +0200 | [diff] [blame] | 1174 | #endif |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1175 | case MBEDTLS_PADDING_NONE: |
| 1176 | ctx->add_padding = NULL; |
| 1177 | ctx->get_padding = get_no_padding; |
| 1178 | break; |
Paul Bakker | 1a45d91 | 2013-08-14 12:04:26 +0200 | [diff] [blame] | 1179 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1180 | default: |
| 1181 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Manuel Pégourié-Gonnard | ebdc413 | 2013-07-26 16:50:44 +0200 | [diff] [blame] | 1182 | } |
| 1183 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1184 | return 0; |
Manuel Pégourié-Gonnard | ac56a1a | 2013-07-25 12:31:10 +0200 | [diff] [blame] | 1185 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1186 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ |
Manuel Pégourié-Gonnard | ac56a1a | 2013-07-25 12:31:10 +0200 | [diff] [blame] | 1187 | |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 1188 | #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1189 | int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx, |
| 1190 | unsigned char *tag, size_t tag_len) |
Manuel Pégourié-Gonnard | aa9ffc5 | 2013-09-03 16:19:22 +0200 | [diff] [blame] | 1191 | { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1192 | if (ctx->cipher_info == NULL) { |
| 1193 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1194 | } |
Manuel Pégourié-Gonnard | aa9ffc5 | 2013-09-03 16:19:22 +0200 | [diff] [blame] | 1195 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1196 | if (MBEDTLS_ENCRYPT != ctx->operation) { |
| 1197 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1198 | } |
Manuel Pégourié-Gonnard | aa9ffc5 | 2013-09-03 16:19:22 +0200 | [diff] [blame] | 1199 | |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1200 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1201 | if (ctx->psa_enabled == 1) { |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1202 | /* While PSA Crypto has an API for multipart |
| 1203 | * operations, we currently don't make it |
| 1204 | * accessible through the cipher layer. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1205 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1206 | } |
| 1207 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1208 | |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1209 | #if defined(MBEDTLS_GCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1210 | if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Gilles Peskine | 5a7be10 | 2021-06-23 21:51:32 +0200 | [diff] [blame] | 1211 | size_t output_length; |
| 1212 | /* The code here doesn't yet support alternative implementations |
| 1213 | * that can delay up to a block of output. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1214 | return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx, |
| 1215 | NULL, 0, &output_length, |
| 1216 | tag, tag_len); |
Gilles Peskine | 5a7be10 | 2021-06-23 21:51:32 +0200 | [diff] [blame] | 1217 | } |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1218 | #endif |
| 1219 | |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 1220 | #if defined(MBEDTLS_CHACHAPOLY_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1221 | if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1222 | /* Don't allow truncated MAC for Poly1305 */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1223 | if (tag_len != 16U) { |
| 1224 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1225 | } |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1226 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1227 | return mbedtls_chachapoly_finish( |
| 1228 | (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag); |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1229 | } |
| 1230 | #endif |
Manuel Pégourié-Gonnard | 43a4780 | 2013-09-03 16:35:53 +0200 | [diff] [blame] | 1231 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1232 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Manuel Pégourié-Gonnard | aa9ffc5 | 2013-09-03 16:19:22 +0200 | [diff] [blame] | 1233 | } |
Paul Bakker | 9af723c | 2014-05-01 13:03:14 +0200 | [diff] [blame] | 1234 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1235 | int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx, |
| 1236 | const unsigned char *tag, size_t tag_len) |
Manuel Pégourié-Gonnard | aa9ffc5 | 2013-09-03 16:19:22 +0200 | [diff] [blame] | 1237 | { |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1238 | unsigned char check_tag[16]; |
Janos Follath | 24eed8d | 2019-11-22 13:21:35 +0000 | [diff] [blame] | 1239 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | aa9ffc5 | 2013-09-03 16:19:22 +0200 | [diff] [blame] | 1240 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1241 | if (ctx->cipher_info == NULL) { |
| 1242 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1243 | } |
Andrzej Kurek | c470b6b | 2019-01-31 08:20:20 -0500 | [diff] [blame] | 1244 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1245 | if (MBEDTLS_DECRYPT != ctx->operation) { |
| 1246 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Manuel Pégourié-Gonnard | 43a4780 | 2013-09-03 16:35:53 +0200 | [diff] [blame] | 1247 | } |
Manuel Pégourié-Gonnard | aa9ffc5 | 2013-09-03 16:19:22 +0200 | [diff] [blame] | 1248 | |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1249 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1250 | if (ctx->psa_enabled == 1) { |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1251 | /* While PSA Crypto has an API for multipart |
| 1252 | * operations, we currently don't make it |
| 1253 | * accessible through the cipher layer. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1254 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1255 | } |
| 1256 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1257 | |
Denis V. Lunev | 2df73ae | 2018-11-01 12:22:27 +0300 | [diff] [blame] | 1258 | /* Status to return on a non-authenticated algorithm. */ |
| 1259 | ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Gilles Peskine | e7835d9 | 2021-12-13 12:32:43 +0100 | [diff] [blame] | 1260 | |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1261 | #if defined(MBEDTLS_GCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1262 | if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Gilles Peskine | 5a7be10 | 2021-06-23 21:51:32 +0200 | [diff] [blame] | 1263 | size_t output_length; |
| 1264 | /* The code here doesn't yet support alternative implementations |
| 1265 | * that can delay up to a block of output. */ |
| 1266 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1267 | if (tag_len > sizeof(check_tag)) { |
| 1268 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1269 | } |
Manuel Pégourié-Gonnard | 43a4780 | 2013-09-03 16:35:53 +0200 | [diff] [blame] | 1270 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1271 | if (0 != (ret = mbedtls_gcm_finish( |
| 1272 | (mbedtls_gcm_context *) ctx->cipher_ctx, |
| 1273 | NULL, 0, &output_length, |
| 1274 | check_tag, tag_len))) { |
| 1275 | return ret; |
Paul Bakker | b9cfaa0 | 2013-10-11 18:58:55 +0200 | [diff] [blame] | 1276 | } |
Manuel Pégourié-Gonnard | 43a4780 | 2013-09-03 16:35:53 +0200 | [diff] [blame] | 1277 | |
| 1278 | /* Check the tag in "constant-time" */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1279 | if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { |
Gilles Peskine | e7835d9 | 2021-12-13 12:32:43 +0100 | [diff] [blame] | 1280 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; |
Gilles Peskine | cd74298 | 2021-12-13 16:57:47 +0100 | [diff] [blame] | 1281 | goto exit; |
| 1282 | } |
Manuel Pégourié-Gonnard | 43a4780 | 2013-09-03 16:35:53 +0200 | [diff] [blame] | 1283 | } |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1284 | #endif /* MBEDTLS_GCM_C */ |
| 1285 | |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 1286 | #if defined(MBEDTLS_CHACHAPOLY_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1287 | if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1288 | /* Don't allow truncated MAC for Poly1305 */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1289 | if (tag_len != sizeof(check_tag)) { |
| 1290 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1291 | } |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1292 | |
Hanno Becker | 18597cd | 2018-11-09 16:36:33 +0000 | [diff] [blame] | 1293 | ret = mbedtls_chachapoly_finish( |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1294 | (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag); |
| 1295 | if (ret != 0) { |
| 1296 | return ret; |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1297 | } |
| 1298 | |
| 1299 | /* Check the tag in "constant-time" */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1300 | if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { |
Gilles Peskine | e7835d9 | 2021-12-13 12:32:43 +0100 | [diff] [blame] | 1301 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; |
Gilles Peskine | cd74298 | 2021-12-13 16:57:47 +0100 | [diff] [blame] | 1302 | goto exit; |
| 1303 | } |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1304 | } |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 1305 | #endif /* MBEDTLS_CHACHAPOLY_C */ |
Manuel Pégourié-Gonnard | aa9ffc5 | 2013-09-03 16:19:22 +0200 | [diff] [blame] | 1306 | |
Gilles Peskine | cd74298 | 2021-12-13 16:57:47 +0100 | [diff] [blame] | 1307 | exit: |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1308 | mbedtls_platform_zeroize(check_tag, tag_len); |
| 1309 | return ret; |
Manuel Pégourié-Gonnard | aa9ffc5 | 2013-09-03 16:19:22 +0200 | [diff] [blame] | 1310 | } |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 1311 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ |
Manuel Pégourié-Gonnard | aa9ffc5 | 2013-09-03 16:19:22 +0200 | [diff] [blame] | 1312 | |
Manuel Pégourié-Gonnard | 3c1d150 | 2014-05-12 13:46:08 +0200 | [diff] [blame] | 1313 | /* |
| 1314 | * Packet-oriented wrapper for non-AEAD modes |
| 1315 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1316 | int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, |
| 1317 | const unsigned char *iv, size_t iv_len, |
| 1318 | const unsigned char *input, size_t ilen, |
| 1319 | unsigned char *output, size_t *olen) |
Manuel Pégourié-Gonnard | 3c1d150 | 2014-05-12 13:46:08 +0200 | [diff] [blame] | 1320 | { |
Janos Follath | 24eed8d | 2019-11-22 13:21:35 +0000 | [diff] [blame] | 1321 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 3c1d150 | 2014-05-12 13:46:08 +0200 | [diff] [blame] | 1322 | size_t finish_olen; |
| 1323 | |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1324 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1325 | if (ctx->psa_enabled == 1) { |
Hanno Becker | 55e2e3d | 2018-11-12 12:36:17 +0000 | [diff] [blame] | 1326 | /* As in the non-PSA case, we don't check that |
| 1327 | * a key has been set. If not, the key slot will |
| 1328 | * still be in its default state of 0, which is |
| 1329 | * guaranteed to be invalid, hence the PSA-call |
| 1330 | * below will gracefully fail. */ |
| 1331 | mbedtls_cipher_context_psa * const cipher_psa = |
| 1332 | (mbedtls_cipher_context_psa *) ctx->cipher_ctx; |
| 1333 | |
| 1334 | psa_status_t status; |
Jaeden Amero | fe96fbe | 2019-02-20 10:32:28 +0000 | [diff] [blame] | 1335 | psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; |
Hanno Becker | 55e2e3d | 2018-11-12 12:36:17 +0000 | [diff] [blame] | 1336 | size_t part_len; |
| 1337 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1338 | if (ctx->operation == MBEDTLS_DECRYPT) { |
| 1339 | status = psa_cipher_decrypt_setup(&cipher_op, |
| 1340 | cipher_psa->slot, |
| 1341 | cipher_psa->alg); |
| 1342 | } else if (ctx->operation == MBEDTLS_ENCRYPT) { |
| 1343 | status = psa_cipher_encrypt_setup(&cipher_op, |
| 1344 | cipher_psa->slot, |
| 1345 | cipher_psa->alg); |
| 1346 | } else { |
| 1347 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Hanno Becker | 55e2e3d | 2018-11-12 12:36:17 +0000 | [diff] [blame] | 1348 | } |
Hanno Becker | 55e2e3d | 2018-11-12 12:36:17 +0000 | [diff] [blame] | 1349 | |
| 1350 | /* In the following, we can immediately return on an error, |
| 1351 | * because the PSA Crypto API guarantees that cipher operations |
| 1352 | * are terminated by unsuccessful calls to psa_cipher_update(), |
| 1353 | * and by any call to psa_cipher_finish(). */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1354 | if (status != PSA_SUCCESS) { |
| 1355 | return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; |
Przemyslaw Stekiel | 80c6a8e | 2021-09-29 12:13:11 +0200 | [diff] [blame] | 1356 | } |
Hanno Becker | 55e2e3d | 2018-11-12 12:36:17 +0000 | [diff] [blame] | 1357 | |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1358 | if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) { |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1359 | status = psa_cipher_set_iv(&cipher_op, iv, iv_len); |
| 1360 | if (status != PSA_SUCCESS) { |
| 1361 | return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; |
| 1362 | } |
| 1363 | } |
Hanno Becker | 55e2e3d | 2018-11-12 12:36:17 +0000 | [diff] [blame] | 1364 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1365 | status = psa_cipher_update(&cipher_op, |
| 1366 | input, ilen, |
| 1367 | output, ilen, olen); |
| 1368 | if (status != PSA_SUCCESS) { |
| 1369 | return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; |
| 1370 | } |
| 1371 | |
| 1372 | status = psa_cipher_finish(&cipher_op, |
| 1373 | output + *olen, ilen - *olen, |
| 1374 | &part_len); |
| 1375 | if (status != PSA_SUCCESS) { |
| 1376 | return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; |
| 1377 | } |
Hanno Becker | 55e2e3d | 2018-11-12 12:36:17 +0000 | [diff] [blame] | 1378 | |
| 1379 | *olen += part_len; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1380 | return 0; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1381 | } |
| 1382 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1383 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1384 | if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) { |
| 1385 | return ret; |
| 1386 | } |
Manuel Pégourié-Gonnard | 3c1d150 | 2014-05-12 13:46:08 +0200 | [diff] [blame] | 1387 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1388 | if ((ret = mbedtls_cipher_reset(ctx)) != 0) { |
| 1389 | return ret; |
| 1390 | } |
Manuel Pégourié-Gonnard | 3c1d150 | 2014-05-12 13:46:08 +0200 | [diff] [blame] | 1391 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1392 | if ((ret = mbedtls_cipher_update(ctx, input, ilen, |
| 1393 | output, olen)) != 0) { |
| 1394 | return ret; |
| 1395 | } |
Manuel Pégourié-Gonnard | 3c1d150 | 2014-05-12 13:46:08 +0200 | [diff] [blame] | 1396 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1397 | if ((ret = mbedtls_cipher_finish(ctx, output + *olen, |
| 1398 | &finish_olen)) != 0) { |
| 1399 | return ret; |
| 1400 | } |
Manuel Pégourié-Gonnard | 3c1d150 | 2014-05-12 13:46:08 +0200 | [diff] [blame] | 1401 | |
| 1402 | *olen += finish_olen; |
| 1403 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1404 | return 0; |
Manuel Pégourié-Gonnard | 3c1d150 | 2014-05-12 13:46:08 +0200 | [diff] [blame] | 1405 | } |
| 1406 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1407 | #if defined(MBEDTLS_CIPHER_MODE_AEAD) |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1408 | /* |
TRodziewicz | 18efb73 | 2021-04-29 23:12:19 +0200 | [diff] [blame] | 1409 | * Packet-oriented encryption for AEAD modes: internal function used by |
| 1410 | * mbedtls_cipher_auth_encrypt_ext(). |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1411 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1412 | static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx, |
| 1413 | const unsigned char *iv, size_t iv_len, |
| 1414 | const unsigned char *ad, size_t ad_len, |
| 1415 | const unsigned char *input, size_t ilen, |
| 1416 | unsigned char *output, size_t *olen, |
| 1417 | unsigned char *tag, size_t tag_len) |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1418 | { |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1419 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1420 | if (ctx->psa_enabled == 1) { |
Hanno Becker | fe73ade | 2018-11-12 16:26:46 +0000 | [diff] [blame] | 1421 | /* As in the non-PSA case, we don't check that |
| 1422 | * a key has been set. If not, the key slot will |
| 1423 | * still be in its default state of 0, which is |
| 1424 | * guaranteed to be invalid, hence the PSA-call |
| 1425 | * below will gracefully fail. */ |
| 1426 | mbedtls_cipher_context_psa * const cipher_psa = |
| 1427 | (mbedtls_cipher_context_psa *) ctx->cipher_ctx; |
| 1428 | |
| 1429 | psa_status_t status; |
| 1430 | |
| 1431 | /* PSA Crypto API always writes the authentication tag |
| 1432 | * at the end of the encrypted message. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1433 | if (output == NULL || tag != output + ilen) { |
| 1434 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
| 1435 | } |
Hanno Becker | fe73ade | 2018-11-12 16:26:46 +0000 | [diff] [blame] | 1436 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1437 | status = psa_aead_encrypt(cipher_psa->slot, |
| 1438 | cipher_psa->alg, |
| 1439 | iv, iv_len, |
| 1440 | ad, ad_len, |
| 1441 | input, ilen, |
| 1442 | output, ilen + tag_len, olen); |
| 1443 | if (status != PSA_SUCCESS) { |
| 1444 | return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; |
| 1445 | } |
Hanno Becker | fe73ade | 2018-11-12 16:26:46 +0000 | [diff] [blame] | 1446 | |
| 1447 | *olen -= tag_len; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1448 | return 0; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1449 | } |
| 1450 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1451 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1452 | #if defined(MBEDTLS_GCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1453 | if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1454 | *olen = ilen; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1455 | return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, |
| 1456 | ilen, iv, iv_len, ad, ad_len, |
| 1457 | input, output, tag_len, tag); |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1458 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1459 | #endif /* MBEDTLS_GCM_C */ |
| 1460 | #if defined(MBEDTLS_CCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1461 | if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Manuel Pégourié-Gonnard | 4193695 | 2014-05-13 13:18:17 +0200 | [diff] [blame] | 1462 | *olen = ilen; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1463 | return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen, |
| 1464 | iv, iv_len, ad, ad_len, input, output, |
| 1465 | tag, tag_len); |
Manuel Pégourié-Gonnard | 4193695 | 2014-05-13 13:18:17 +0200 | [diff] [blame] | 1466 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1467 | #endif /* MBEDTLS_CCM_C */ |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 1468 | #if defined(MBEDTLS_CHACHAPOLY_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1469 | if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { |
Manuel Pégourié-Gonnard | fe725de | 2018-05-08 09:38:09 +0200 | [diff] [blame] | 1470 | /* ChachaPoly has fixed length nonce and MAC (tag) */ |
Dave Rodgman | bb521fd | 2023-06-24 11:21:25 +0100 | [diff] [blame] | 1471 | if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1472 | (tag_len != 16U)) { |
| 1473 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1474 | } |
| 1475 | |
| 1476 | *olen = ilen; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1477 | return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx, |
| 1478 | ilen, iv, ad, ad_len, input, output, tag); |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1479 | } |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 1480 | #endif /* MBEDTLS_CHACHAPOLY_C */ |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1481 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1482 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1483 | } |
| 1484 | |
| 1485 | /* |
TRodziewicz | 18efb73 | 2021-04-29 23:12:19 +0200 | [diff] [blame] | 1486 | * Packet-oriented encryption for AEAD modes: internal function used by |
| 1487 | * mbedtls_cipher_auth_encrypt_ext(). |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1488 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1489 | static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx, |
| 1490 | const unsigned char *iv, size_t iv_len, |
| 1491 | const unsigned char *ad, size_t ad_len, |
| 1492 | const unsigned char *input, size_t ilen, |
| 1493 | unsigned char *output, size_t *olen, |
| 1494 | const unsigned char *tag, size_t tag_len) |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1495 | { |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1496 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1497 | if (ctx->psa_enabled == 1) { |
Hanno Becker | fe73ade | 2018-11-12 16:26:46 +0000 | [diff] [blame] | 1498 | /* As in the non-PSA case, we don't check that |
| 1499 | * a key has been set. If not, the key slot will |
| 1500 | * still be in its default state of 0, which is |
| 1501 | * guaranteed to be invalid, hence the PSA-call |
| 1502 | * below will gracefully fail. */ |
| 1503 | mbedtls_cipher_context_psa * const cipher_psa = |
| 1504 | (mbedtls_cipher_context_psa *) ctx->cipher_ctx; |
| 1505 | |
| 1506 | psa_status_t status; |
| 1507 | |
| 1508 | /* PSA Crypto API always writes the authentication tag |
| 1509 | * at the end of the encrypted message. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1510 | if (input == NULL || tag != input + ilen) { |
| 1511 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
| 1512 | } |
Hanno Becker | fe73ade | 2018-11-12 16:26:46 +0000 | [diff] [blame] | 1513 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1514 | status = psa_aead_decrypt(cipher_psa->slot, |
| 1515 | cipher_psa->alg, |
| 1516 | iv, iv_len, |
| 1517 | ad, ad_len, |
| 1518 | input, ilen + tag_len, |
| 1519 | output, ilen, olen); |
| 1520 | if (status == PSA_ERROR_INVALID_SIGNATURE) { |
| 1521 | return MBEDTLS_ERR_CIPHER_AUTH_FAILED; |
| 1522 | } else if (status != PSA_SUCCESS) { |
| 1523 | return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; |
| 1524 | } |
Hanno Becker | fe73ade | 2018-11-12 16:26:46 +0000 | [diff] [blame] | 1525 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1526 | return 0; |
Hanno Becker | ce1ddee | 2018-11-09 16:20:29 +0000 | [diff] [blame] | 1527 | } |
| 1528 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1529 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1530 | #if defined(MBEDTLS_GCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1531 | if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Janos Follath | 24eed8d | 2019-11-22 13:21:35 +0000 | [diff] [blame] | 1532 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1533 | |
| 1534 | *olen = ilen; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1535 | ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen, |
| 1536 | iv, iv_len, ad, ad_len, |
| 1537 | tag, tag_len, input, output); |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1538 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1539 | if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1540 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1541 | } |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1542 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1543 | return ret; |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1544 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1545 | #endif /* MBEDTLS_GCM_C */ |
| 1546 | #if defined(MBEDTLS_CCM_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1547 | if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { |
Janos Follath | 24eed8d | 2019-11-22 13:21:35 +0000 | [diff] [blame] | 1548 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Manuel Pégourié-Gonnard | 4193695 | 2014-05-13 13:18:17 +0200 | [diff] [blame] | 1549 | |
| 1550 | *olen = ilen; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1551 | ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen, |
| 1552 | iv, iv_len, ad, ad_len, |
| 1553 | input, output, tag, tag_len); |
Manuel Pégourié-Gonnard | 4193695 | 2014-05-13 13:18:17 +0200 | [diff] [blame] | 1554 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1555 | if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) { |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1556 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1557 | } |
Manuel Pégourié-Gonnard | 4193695 | 2014-05-13 13:18:17 +0200 | [diff] [blame] | 1558 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1559 | return ret; |
Manuel Pégourié-Gonnard | 4193695 | 2014-05-13 13:18:17 +0200 | [diff] [blame] | 1560 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1561 | #endif /* MBEDTLS_CCM_C */ |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 1562 | #if defined(MBEDTLS_CHACHAPOLY_C) |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1563 | if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { |
Janos Follath | 24eed8d | 2019-11-22 13:21:35 +0000 | [diff] [blame] | 1564 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1565 | |
Manuel Pégourié-Gonnard | fe725de | 2018-05-08 09:38:09 +0200 | [diff] [blame] | 1566 | /* ChachaPoly has fixed length nonce and MAC (tag) */ |
Dave Rodgman | bb521fd | 2023-06-24 11:21:25 +0100 | [diff] [blame] | 1567 | if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1568 | (tag_len != 16U)) { |
| 1569 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1570 | } |
| 1571 | |
| 1572 | *olen = ilen; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1573 | ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen, |
| 1574 | iv, ad, ad_len, tag, input, output); |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1575 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1576 | if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) { |
Manuel Pégourié-Gonnard | fe725de | 2018-05-08 09:38:09 +0200 | [diff] [blame] | 1577 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1578 | } |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1579 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1580 | return ret; |
Daniel King | 8fe4701 | 2016-05-17 20:33:28 -0300 | [diff] [blame] | 1581 | } |
Manuel Pégourié-Gonnard | dca3a5d | 2018-05-07 10:43:27 +0200 | [diff] [blame] | 1582 | #endif /* MBEDTLS_CHACHAPOLY_C */ |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1583 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1584 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1585 | } |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1586 | #endif /* MBEDTLS_CIPHER_MODE_AEAD */ |
Manuel Pégourié-Gonnard | 4562ffe | 2014-05-13 12:19:29 +0200 | [diff] [blame] | 1587 | |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1588 | #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) |
| 1589 | /* |
| 1590 | * Packet-oriented encryption for AEAD/NIST_KW: public function. |
| 1591 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1592 | int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx, |
| 1593 | const unsigned char *iv, size_t iv_len, |
| 1594 | const unsigned char *ad, size_t ad_len, |
| 1595 | const unsigned char *input, size_t ilen, |
| 1596 | unsigned char *output, size_t output_len, |
| 1597 | size_t *olen, size_t tag_len) |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1598 | { |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1599 | #if defined(MBEDTLS_NIST_KW_C) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1600 | if ( |
Gilles Peskine | a56d3d9 | 2020-12-04 00:47:07 +0100 | [diff] [blame] | 1601 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 1602 | ctx->psa_enabled == 0 && |
| 1603 | #endif |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1604 | (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || |
| 1605 | MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { |
| 1606 | mbedtls_nist_kw_mode_t mode = |
| 1607 | (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? |
| 1608 | MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1609 | |
| 1610 | /* There is no iv, tag or ad associated with KW and KWP, |
| 1611 | * so these length should be 0 as documented. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1612 | if (iv_len != 0 || tag_len != 0 || ad_len != 0) { |
| 1613 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1614 | } |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1615 | |
Manuel Pégourié-Gonnard | 841b6fa | 2020-12-07 10:42:21 +0100 | [diff] [blame] | 1616 | (void) iv; |
| 1617 | (void) ad; |
| 1618 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1619 | return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen, |
| 1620 | output, olen, output_len); |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1621 | } |
| 1622 | #endif /* MBEDTLS_NIST_KW_C */ |
| 1623 | |
| 1624 | #if defined(MBEDTLS_CIPHER_MODE_AEAD) |
| 1625 | /* AEAD case: check length before passing on to shared function */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1626 | if (output_len < ilen + tag_len) { |
| 1627 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1628 | } |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1629 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1630 | int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len, |
| 1631 | input, ilen, output, olen, |
| 1632 | output + ilen, tag_len); |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1633 | *olen += tag_len; |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1634 | return ret; |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1635 | #else |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1636 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1637 | #endif /* MBEDTLS_CIPHER_MODE_AEAD */ |
| 1638 | } |
| 1639 | |
| 1640 | /* |
| 1641 | * Packet-oriented decryption for AEAD/NIST_KW: public function. |
| 1642 | */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1643 | int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx, |
| 1644 | const unsigned char *iv, size_t iv_len, |
| 1645 | const unsigned char *ad, size_t ad_len, |
| 1646 | const unsigned char *input, size_t ilen, |
| 1647 | unsigned char *output, size_t output_len, |
| 1648 | size_t *olen, size_t tag_len) |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1649 | { |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1650 | #if defined(MBEDTLS_NIST_KW_C) |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1651 | if ( |
Gilles Peskine | a56d3d9 | 2020-12-04 00:47:07 +0100 | [diff] [blame] | 1652 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 1653 | ctx->psa_enabled == 0 && |
| 1654 | #endif |
Dave Rodgman | 1b8a3b1 | 2023-06-24 17:32:43 +0100 | [diff] [blame] | 1655 | (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || |
| 1656 | MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { |
| 1657 | mbedtls_nist_kw_mode_t mode = |
| 1658 | (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? |
| 1659 | MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1660 | |
| 1661 | /* There is no iv, tag or ad associated with KW and KWP, |
| 1662 | * so these length should be 0 as documented. */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1663 | if (iv_len != 0 || tag_len != 0 || ad_len != 0) { |
| 1664 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1665 | } |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1666 | |
Manuel Pégourié-Gonnard | 841b6fa | 2020-12-07 10:42:21 +0100 | [diff] [blame] | 1667 | (void) iv; |
| 1668 | (void) ad; |
| 1669 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1670 | return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen, |
| 1671 | output, olen, output_len); |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1672 | } |
| 1673 | #endif /* MBEDTLS_NIST_KW_C */ |
| 1674 | |
| 1675 | #if defined(MBEDTLS_CIPHER_MODE_AEAD) |
| 1676 | /* AEAD case: check length before passing on to shared function */ |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1677 | if (ilen < tag_len || output_len < ilen - tag_len) { |
| 1678 | return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; |
| 1679 | } |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1680 | |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1681 | return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len, |
| 1682 | input, ilen - tag_len, output, olen, |
| 1683 | input + ilen - tag_len, tag_len); |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1684 | #else |
Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1685 | return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; |
Manuel Pégourié-Gonnard | faddf98 | 2020-11-25 13:39:47 +0100 | [diff] [blame] | 1686 | #endif /* MBEDTLS_CIPHER_MODE_AEAD */ |
| 1687 | } |
| 1688 | #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ |
| 1689 | |
Manuel Pégourié-Gonnard | 2cf5a7c | 2015-04-08 12:49:31 +0200 | [diff] [blame] | 1690 | #endif /* MBEDTLS_CIPHER_C */ |