1 /**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0
10 *
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
22 */
23
24 #include "common.h"
25
26 #if defined(MBEDTLS_CIPHER_C)
27
28 #include "mbedtls/cipher.h"
29 #include "mbedtls/cipher_internal.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32
33 #include <stdlib.h>
34 #include <string.h>
35
36 #if defined(MBEDTLS_CHACHAPOLY_C)
37 #include "mbedtls/chachapoly.h"
38 #endif
39
40 #if defined(MBEDTLS_GCM_C)
41 #include "mbedtls/gcm.h"
42 #endif
43
44 #if defined(MBEDTLS_CCM_C)
45 #include "mbedtls/ccm.h"
46 #endif
47
48 #if defined(MBEDTLS_CHACHA20_C)
49 #include "mbedtls/chacha20.h"
50 #endif
51
52 #if defined(MBEDTLS_CMAC_C)
53 #include "mbedtls/cmac.h"
54 #endif
55
56 #if defined(MBEDTLS_USE_PSA_CRYPTO)
57 #include "psa/crypto.h"
chachapoly_pad_aad(mbedtls_chachapoly_context * ctx)58 #include "mbedtls/psa_util.h"
59 #endif /* MBEDTLS_USE_PSA_CRYPTO */
60
61 #if defined(MBEDTLS_NIST_KW_C)
62 #include "mbedtls/nist_kw.h"
63 #endif
64
65 #if defined(MBEDTLS_PLATFORM_C)
66 #include "mbedtls/platform.h"
67 #else
68 #define mbedtls_calloc calloc
69 #define mbedtls_free free
70 #endif
71
72 #define CIPHER_VALIDATE_RET( cond ) \
73 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
74 #define CIPHER_VALIDATE( cond ) \
75 MBEDTLS_INTERNAL_VALIDATE( cond )
76
77 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
78 /* Compare the contents of two buffers in constant time.
79 * Returns 0 if the contents are bitwise identical, otherwise returns
80 * a non-zero value.
81 * This is currently only used by GCM and ChaCha20+Poly1305.
82 */
83 static int mbedtls_constant_time_memcmp( const void *v1, const void *v2,
84 size_t len )
85 {
86 const unsigned char *p1 = (const unsigned char*) v1;
87 const unsigned char *p2 = (const unsigned char*) v2;
88 size_t i;
89 unsigned char diff;
90
91 for( diff = 0, i = 0; i < len; i++ )
92 diff |= p1[i] ^ p2[i];
93
94 return( (int)diff );
95 }
96 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
97
98 static int supported_init = 0;
99
100 const int *mbedtls_cipher_list( void )
101 {
102 const mbedtls_cipher_definition_t *def;
103 int *type;
mbedtls_chachapoly_free(mbedtls_chachapoly_context * ctx)104
105 if( ! supported_init )
106 {
107 def = mbedtls_cipher_definitions;
108 type = mbedtls_cipher_supported;
109
110 while( def->type != 0 )
111 *type++ = (*def++).type;
112
113 *type = 0;
114
115 supported_init = 1;
116 }
mbedtls_chachapoly_setkey(mbedtls_chachapoly_context * ctx,const unsigned char key[32])117
118 return( mbedtls_cipher_supported );
119 }
120
121 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
122 const mbedtls_cipher_type_t cipher_type )
123 {
124 const mbedtls_cipher_definition_t *def;
125
126 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
127 if( def->type == cipher_type )
128 return( def->info );
mbedtls_chachapoly_starts(mbedtls_chachapoly_context * ctx,const unsigned char nonce[12],mbedtls_chachapoly_mode_t mode)129
130 return( NULL );
131 }
132
133 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
134 const char *cipher_name )
135 {
136 const mbedtls_cipher_definition_t *def;
137
138 if( NULL == cipher_name )
139 return( NULL );
140
141 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
142 if( ! strcmp( def->info->name, cipher_name ) )
143 return( def->info );
144
145 return( NULL );
146 }
147
148 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
149 const mbedtls_cipher_id_t cipher_id,
150 int key_bitlen,
151 const mbedtls_cipher_mode_t mode )
152 {
153 const mbedtls_cipher_definition_t *def;
154
155 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
156 if( def->info->base->cipher == cipher_id &&
157 def->info->key_bitlen == (unsigned) key_bitlen &&
158 def->info->mode == mode )
159 return( def->info );
160
161 return( NULL );
162 }
163
164 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
165 {
166 CIPHER_VALIDATE( ctx != NULL );
167 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
168 }
mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context * ctx,const unsigned char * aad,size_t aad_len)169
170 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
171 {
172 if( ctx == NULL )
173 return;
174
175 #if defined(MBEDTLS_USE_PSA_CRYPTO)
176 if( ctx->psa_enabled == 1 )
177 {
178 if( ctx->cipher_ctx != NULL )
179 {
180 mbedtls_cipher_context_psa * const cipher_psa =
181 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
182
183 if( cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED )
184 {
185 /* xxx_free() doesn't allow to return failures. */
186 (void) psa_destroy_key( cipher_psa->slot );
187 }
188
189 mbedtls_platform_zeroize( cipher_psa, sizeof( *cipher_psa ) );
190 mbedtls_free( cipher_psa );
191 }
192
193 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
194 return;
195 }
196 #endif /* MBEDTLS_USE_PSA_CRYPTO */
197
198 #if defined(MBEDTLS_CMAC_C)
199 if( ctx->cmac_ctx )
200 {
201 mbedtls_platform_zeroize( ctx->cmac_ctx,
202 sizeof( mbedtls_cmac_context_t ) );
203 mbedtls_free( ctx->cmac_ctx );
204 }
205 #endif
206
207 if( ctx->cipher_ctx )
208 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
209
210 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
211 }
212
213 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
214 const mbedtls_cipher_info_t *cipher_info )
215 {
216 CIPHER_VALIDATE_RET( ctx != NULL );
217 if( cipher_info == NULL )
218 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
219
220 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
221
222 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
223 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
224
225 ctx->cipher_info = cipher_info;
226
227 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
228 /*
229 * Ignore possible errors caused by a cipher mode that doesn't use padding
230 */
231 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
232 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
233 #else
234 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
mbedtls_chachapoly_finish(mbedtls_chachapoly_context * ctx,unsigned char mac[16])235 #endif
236 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
237
238 return( 0 );
239 }
240
241 #if defined(MBEDTLS_USE_PSA_CRYPTO)
242 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
243 const mbedtls_cipher_info_t *cipher_info,
244 size_t taglen )
245 {
246 psa_algorithm_t alg;
247 mbedtls_cipher_context_psa *cipher_psa;
248
249 if( NULL == cipher_info || NULL == ctx )
250 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
251
252 /* Check that the underlying cipher mode and cipher type are
253 * supported by the underlying PSA Crypto implementation. */
254 alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen );
255 if( alg == 0 )
256 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
257 if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 )
258 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
259
260 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
261
262 cipher_psa = mbedtls_calloc( 1, sizeof(mbedtls_cipher_context_psa ) );
263 if( cipher_psa == NULL )
264 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
265 cipher_psa->alg = alg;
266 ctx->cipher_ctx = cipher_psa;
267 ctx->cipher_info = cipher_info;
268 ctx->psa_enabled = 1;
269 return( 0 );
270 }
271 #endif /* MBEDTLS_USE_PSA_CRYPTO */
272
273 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
274 const unsigned char *key,
275 int key_bitlen,
276 const mbedtls_operation_t operation )
277 {
278 CIPHER_VALIDATE_RET( ctx != NULL );
279 CIPHER_VALIDATE_RET( key != NULL );
280 CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
281 operation == MBEDTLS_DECRYPT );
282 if( ctx->cipher_info == NULL )
283 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
284
285 #if defined(MBEDTLS_USE_PSA_CRYPTO)
286 if( ctx->psa_enabled == 1 )
287 {
288 mbedtls_cipher_context_psa * const cipher_psa =
289 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
290
291 size_t const key_bytelen = ( (size_t) key_bitlen + 7 ) / 8;
chachapoly_crypt_and_tag(mbedtls_chachapoly_context * ctx,mbedtls_chachapoly_mode_t mode,size_t length,const unsigned char nonce[12],const unsigned char * aad,size_t aad_len,const unsigned char * input,unsigned char * output,unsigned char tag[16])292
293 psa_status_t status;
294 psa_key_type_t key_type;
295 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
296
297 /* PSA Crypto API only accepts byte-aligned keys. */
298 if( key_bitlen % 8 != 0 )
299 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
300
301 /* Don't allow keys to be set multiple times. */
302 if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET )
303 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
304
305 key_type = mbedtls_psa_translate_cipher_type(
306 ctx->cipher_info->type );
307 if( key_type == 0 )
308 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
309 psa_set_key_type( &attributes, key_type );
310
311 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
312 * (encrypt vs. decrypt): it is possible to setup a key for encryption
313 * and use it for AEAD decryption. Until tests relying on this
314 * are changed, allow any usage in PSA. */
315 psa_set_key_usage_flags( &attributes,
316 /* mbedtls_psa_translate_cipher_operation( operation ); */
317 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
318 psa_set_key_algorithm( &attributes, cipher_psa->alg );
319
320 status = psa_import_key( &attributes, key, key_bytelen,
321 &cipher_psa->slot );
mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context * ctx,size_t length,const unsigned char nonce[12],const unsigned char * aad,size_t aad_len,const unsigned char * input,unsigned char * output,unsigned char tag[16])322 switch( status )
323 {
324 case PSA_SUCCESS:
325 break;
326 case PSA_ERROR_INSUFFICIENT_MEMORY:
327 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
328 case PSA_ERROR_NOT_SUPPORTED:
329 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
330 default:
331 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
332 }
333 /* Indicate that we own the key slot and need to
334 * destroy it in mbedtls_cipher_free(). */
335 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
336
337 ctx->key_bitlen = key_bitlen;
338 ctx->operation = operation;
339 return( 0 );
340 }
341 #endif /* MBEDTLS_USE_PSA_CRYPTO */
342
mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context * ctx,size_t length,const unsigned char nonce[12],const unsigned char * aad,size_t aad_len,const unsigned char tag[16],const unsigned char * input,unsigned char * output)343 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
344 (int) ctx->cipher_info->key_bitlen != key_bitlen )
345 {
346 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
347 }
348
349 ctx->key_bitlen = key_bitlen;
350 ctx->operation = operation;
351
352 /*
353 * For OFB, CFB and CTR mode always use the encryption key schedule
354 */
355 if( MBEDTLS_ENCRYPT == operation ||
356 MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
357 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
358 MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
359 {
360 return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
361 ctx->key_bitlen ) );
362 }
363
364 if( MBEDTLS_DECRYPT == operation )
365 return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
366 ctx->key_bitlen ) );
367
368 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
369 }
370
371 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
372 const unsigned char *iv,
373 size_t iv_len )
374 {
375 size_t actual_iv_size;
376
377 CIPHER_VALIDATE_RET( ctx != NULL );
378 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
379 if( ctx->cipher_info == NULL )
380 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
381 #if defined(MBEDTLS_USE_PSA_CRYPTO)
382 if( ctx->psa_enabled == 1 )
383 {
384 /* While PSA Crypto has an API for multipart
385 * operations, we currently don't make it
386 * accessible through the cipher layer. */
387 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
388 }
389 #endif /* MBEDTLS_USE_PSA_CRYPTO */
390
391 /* avoid buffer overflow in ctx->iv */
392 if( iv_len > MBEDTLS_MAX_IV_LENGTH )
393 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
394
395 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
396 actual_iv_size = iv_len;
397 else
398 {
399 actual_iv_size = ctx->cipher_info->iv_size;
400
401 /* avoid reading past the end of input buffer */
402 if( actual_iv_size > iv_len )
403 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
404 }
405
406 #if defined(MBEDTLS_CHACHA20_C)
407 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
408 {
409 if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
410 iv,
411 0U ) ) /* Initial counter value */
412 {
413 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
414 }
415 }
416 #endif
417
418 if ( actual_iv_size != 0 )
419 {
420 memcpy( ctx->iv, iv, actual_iv_size );
421 ctx->iv_size = actual_iv_size;
422 }
423
424 return( 0 );
425 }
426
427 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
428 {
429 CIPHER_VALIDATE_RET( ctx != NULL );
430 if( ctx->cipher_info == NULL )
431 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
432
433 #if defined(MBEDTLS_USE_PSA_CRYPTO)
434 if( ctx->psa_enabled == 1 )
435 {
436 /* We don't support resetting PSA-based
437 * cipher contexts, yet. */
438 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
439 }
440 #endif /* MBEDTLS_USE_PSA_CRYPTO */
441
442 ctx->unprocessed_len = 0;
443
444 return( 0 );
445 }
446
447 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
448 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
449 const unsigned char *ad, size_t ad_len )
450 {
451 CIPHER_VALIDATE_RET( ctx != NULL );
452 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
453 if( ctx->cipher_info == NULL )
454 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
455
456 #if defined(MBEDTLS_USE_PSA_CRYPTO)
457 if( ctx->psa_enabled == 1 )
458 {
459 /* While PSA Crypto has an API for multipart
460 * operations, we currently don't make it
461 * accessible through the cipher layer. */
462 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
463 }
464 #endif /* MBEDTLS_USE_PSA_CRYPTO */
465
466 #if defined(MBEDTLS_GCM_C)
467 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
468 {
469 return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
470 ctx->iv, ctx->iv_size, ad, ad_len ) );
471 }
472 #endif
473
474 #if defined(MBEDTLS_CHACHAPOLY_C)
475 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
476 {
477 int result;
478 mbedtls_chachapoly_mode_t mode;
479
480 mode = ( ctx->operation == MBEDTLS_ENCRYPT )
481 ? MBEDTLS_CHACHAPOLY_ENCRYPT
482 : MBEDTLS_CHACHAPOLY_DECRYPT;
483
484 result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
485 ctx->iv,
486 mode );
487 if ( result != 0 )
488 return( result );
mbedtls_chachapoly_self_test(int verbose)489
490 return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
491 ad, ad_len ) );
492 }
493 #endif
494
495 return( 0 );
496 }
497 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
498
499 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
500 size_t ilen, unsigned char *output, size_t *olen )
501 {
502 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
503 size_t block_size;
504
505 CIPHER_VALIDATE_RET( ctx != NULL );
506 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
507 CIPHER_VALIDATE_RET( output != NULL );
508 CIPHER_VALIDATE_RET( olen != NULL );
509 if( ctx->cipher_info == NULL )
510 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
511
512 #if defined(MBEDTLS_USE_PSA_CRYPTO)
513 if( ctx->psa_enabled == 1 )
514 {
515 /* While PSA Crypto has an API for multipart
516 * operations, we currently don't make it
517 * accessible through the cipher layer. */
518 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
519 }
520 #endif /* MBEDTLS_USE_PSA_CRYPTO */
521
522 *olen = 0;
523 block_size = mbedtls_cipher_get_block_size( ctx );
524 if ( 0 == block_size )
525 {
526 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
527 }
528
529 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
530 {
531 if( ilen != block_size )
532 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
533
534 *olen = ilen;
535
536 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
537 ctx->operation, input, output ) ) )
538 {
539 return( ret );
540 }
541
542 return( 0 );
543 }
544
545 #if defined(MBEDTLS_GCM_C)
546 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
547 {
548 *olen = ilen;
549 return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
550 output ) );
551 }
552 #endif
553
554 #if defined(MBEDTLS_CHACHAPOLY_C)
555 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
556 {
557 *olen = ilen;
558 return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
559 ilen, input, output ) );
560 }
561 #endif
562
563 if( input == output &&
564 ( ctx->unprocessed_len != 0 || ilen % block_size ) )
565 {
566 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
567 }
568
569 #if defined(MBEDTLS_CIPHER_MODE_CBC)
570 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
571 {
572 size_t copy_len = 0;
573
574 /*
575 * If there is not enough data for a full block, cache it.
576 */
577 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
578 ilen <= block_size - ctx->unprocessed_len ) ||
579 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
580 ilen < block_size - ctx->unprocessed_len ) ||
581 ( ctx->operation == MBEDTLS_ENCRYPT &&
582 ilen < block_size - ctx->unprocessed_len ) )
583 {
584 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
585 ilen );
586
587 ctx->unprocessed_len += ilen;
588 return( 0 );
589 }
590
591 /*
592 * Process cached data first
593 */
594 if( 0 != ctx->unprocessed_len )
595 {
596 copy_len = block_size - ctx->unprocessed_len;
597
598 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
599 copy_len );
600
601 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
602 ctx->operation, block_size, ctx->iv,
603 ctx->unprocessed_data, output ) ) )
604 {
605 return( ret );
606 }
607
608 *olen += block_size;
609 output += block_size;
610 ctx->unprocessed_len = 0;
611
612 input += copy_len;
613 ilen -= copy_len;
614 }
615
616 /*
617 * Cache final, incomplete block
618 */
619 if( 0 != ilen )
620 {
621 /* Encryption: only cache partial blocks
622 * Decryption w/ padding: always keep at least one whole block
623 * Decryption w/o padding: only cache partial blocks
624 */
625 copy_len = ilen % block_size;
626 if( copy_len == 0 &&
627 ctx->operation == MBEDTLS_DECRYPT &&
628 NULL != ctx->add_padding)
629 {
630 copy_len = block_size;
631 }
632
633 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
634 copy_len );
635
636 ctx->unprocessed_len += copy_len;
637 ilen -= copy_len;
638 }
639
640 /*
641 * Process remaining full blocks
642 */
643 if( ilen )
644 {
645 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
646 ctx->operation, ilen, ctx->iv, input, output ) ) )
647 {
648 return( ret );
649 }
650
651 *olen += ilen;
652 }
653
654 return( 0 );
655 }
656 #endif /* MBEDTLS_CIPHER_MODE_CBC */
657
658 #if defined(MBEDTLS_CIPHER_MODE_CFB)
659 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
660 {
661 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
662 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
663 input, output ) ) )
664 {
665 return( ret );
666 }
667
668 *olen = ilen;
669
670 return( 0 );
671 }
672 #endif /* MBEDTLS_CIPHER_MODE_CFB */
673
674 #if defined(MBEDTLS_CIPHER_MODE_OFB)
675 if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
676 {
677 if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
678 ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
679 {
680 return( ret );
681 }
682
683 *olen = ilen;
684
685 return( 0 );
686 }
687 #endif /* MBEDTLS_CIPHER_MODE_OFB */
688
689 #if defined(MBEDTLS_CIPHER_MODE_CTR)
690 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
691 {
692 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
693 ilen, &ctx->unprocessed_len, ctx->iv,
694 ctx->unprocessed_data, input, output ) ) )
695 {
696 return( ret );
697 }
698
699 *olen = ilen;
700
701 return( 0 );
702 }
703 #endif /* MBEDTLS_CIPHER_MODE_CTR */
704
705 #if defined(MBEDTLS_CIPHER_MODE_XTS)
706 if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
707 {
708 if( ctx->unprocessed_len > 0 ) {
709 /* We can only process an entire data unit at a time. */
710 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
711 }
712
713 ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
714 ctx->operation, ilen, ctx->iv, input, output );
715 if( ret != 0 )
716 {
717 return( ret );
718 }
719
720 *olen = ilen;
721
722 return( 0 );
723 }
724 #endif /* MBEDTLS_CIPHER_MODE_XTS */
725
726 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
727 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
728 {
729 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
730 ilen, input, output ) ) )
731 {
732 return( ret );
733 }
734
735 *olen = ilen;
736
737 return( 0 );
738 }
739 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
740
741 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
742 }
743
744 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
745 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
746 /*
747 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
748 */
749 static void add_pkcs_padding( unsigned char *output, size_t output_len,
750 size_t data_len )
751 {
752 size_t padding_len = output_len - data_len;
753 unsigned char i;
754
755 for( i = 0; i < padding_len; i++ )
756 output[data_len + i] = (unsigned char) padding_len;
757 }
758
759 static int get_pkcs_padding( unsigned char *input, size_t input_len,
760 size_t *data_len )
761 {
762 size_t i, pad_idx;
763 unsigned char padding_len, bad = 0;
764
765 if( NULL == input || NULL == data_len )
766 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
767
768 padding_len = input[input_len - 1];
769 *data_len = input_len - padding_len;
770
771 /* Avoid logical || since it results in a branch */
772 bad |= padding_len > input_len;
773 bad |= padding_len == 0;
774
775 /* The number of bytes checked must be independent of padding_len,
776 * so pick input_len, which is usually 8 or 16 (one block) */
777 pad_idx = input_len - padding_len;
778 for( i = 0; i < input_len; i++ )
779 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
780
781 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
782 }
783 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
784
785 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
786 /*
787 * One and zeros padding: fill with 80 00 ... 00
788 */
789 static void add_one_and_zeros_padding( unsigned char *output,
790 size_t output_len, size_t data_len )
791 {
792 size_t padding_len = output_len - data_len;
793 unsigned char i = 0;
794
795 output[data_len] = 0x80;
796 for( i = 1; i < padding_len; i++ )
797 output[data_len + i] = 0x00;
798 }
799
800 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
801 size_t *data_len )
802 {
803 size_t i;
804 unsigned char done = 0, prev_done, bad;
805
806 if( NULL == input || NULL == data_len )
807 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
808
809 bad = 0x80;
810 *data_len = 0;
811 for( i = input_len; i > 0; i-- )
812 {
813 prev_done = done;
814 done |= ( input[i - 1] != 0 );
815 *data_len |= ( i - 1 ) * ( done != prev_done );
816 bad ^= input[i - 1] * ( done != prev_done );
817 }
818
819 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
820
821 }
822 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
823
824 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
825 /*
826 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
827 */
828 static void add_zeros_and_len_padding( unsigned char *output,
829 size_t output_len, size_t data_len )
830 {
831 size_t padding_len = output_len - data_len;
832 unsigned char i = 0;
833
834 for( i = 1; i < padding_len; i++ )
835 output[data_len + i - 1] = 0x00;
836 output[output_len - 1] = (unsigned char) padding_len;
837 }
838
839 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
840 size_t *data_len )
841 {
842 size_t i, pad_idx;
843 unsigned char padding_len, bad = 0;
844
845 if( NULL == input || NULL == data_len )
846 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
847
848 padding_len = input[input_len - 1];
849 *data_len = input_len - padding_len;
850
851 /* Avoid logical || since it results in a branch */
852 bad |= padding_len > input_len;
853 bad |= padding_len == 0;
854
855 /* The number of bytes checked must be independent of padding_len */
856 pad_idx = input_len - padding_len;
857 for( i = 0; i < input_len - 1; i++ )
858 bad |= input[i] * ( i >= pad_idx );
859
860 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
861 }
862 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
863
864 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
865 /*
866 * Zero padding: fill with 00 ... 00
867 */
868 static void add_zeros_padding( unsigned char *output,
869 size_t output_len, size_t data_len )
870 {
871 size_t i;
872
873 for( i = data_len; i < output_len; i++ )
874 output[i] = 0x00;
875 }
876
877 static int get_zeros_padding( unsigned char *input, size_t input_len,
878 size_t *data_len )
879 {
880 size_t i;
881 unsigned char done = 0, prev_done;
882
883 if( NULL == input || NULL == data_len )
884 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
885
886 *data_len = 0;
887 for( i = input_len; i > 0; i-- )
888 {
889 prev_done = done;
890 done |= ( input[i-1] != 0 );
891 *data_len |= i * ( done != prev_done );
892 }
893
894 return( 0 );
895 }
896 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
897
898 /*
899 * No padding: don't pad :)
900 *
901 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
902 * but a trivial get_padding function
903 */
904 static int get_no_padding( unsigned char *input, size_t input_len,
905 size_t *data_len )
906 {
907 if( NULL == input || NULL == data_len )
908 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
909
910 *data_len = input_len;
911
912 return( 0 );
913 }
914 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
915
916 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
917 unsigned char *output, size_t *olen )
918 {
919 CIPHER_VALIDATE_RET( ctx != NULL );
920 CIPHER_VALIDATE_RET( output != NULL );
921 CIPHER_VALIDATE_RET( olen != NULL );
922 if( ctx->cipher_info == NULL )
923 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
924
925 #if defined(MBEDTLS_USE_PSA_CRYPTO)
926 if( ctx->psa_enabled == 1 )
927 {
928 /* While PSA Crypto has an API for multipart
929 * operations, we currently don't make it
930 * accessible through the cipher layer. */
931 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
932 }
933 #endif /* MBEDTLS_USE_PSA_CRYPTO */
934
935 *olen = 0;
936
937 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
938 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
939 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
940 MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
941 MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
942 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
943 {
944 return( 0 );
945 }
946
947 if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
948 ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
949 {
950 return( 0 );
951 }
952
953 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
954 {
955 if( ctx->unprocessed_len != 0 )
956 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
957
958 return( 0 );
959 }
960
961 #if defined(MBEDTLS_CIPHER_MODE_CBC)
962 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
963 {
964 int ret = 0;
965
966 if( MBEDTLS_ENCRYPT == ctx->operation )
967 {
968 /* check for 'no padding' mode */
969 if( NULL == ctx->add_padding )
970 {
971 if( 0 != ctx->unprocessed_len )
972 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
973
974 return( 0 );
975 }
976
977 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
978 ctx->unprocessed_len );
979 }
980 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
981 {
982 /*
983 * For decrypt operations, expect a full block,
984 * or an empty block if no padding
985 */
986 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
987 return( 0 );
988
989 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
990 }
991
992 /* cipher block */
993 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
994 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
995 ctx->unprocessed_data, output ) ) )
996 {
997 return( ret );
998 }
999
1000 /* Set output size for decryption */
1001 if( MBEDTLS_DECRYPT == ctx->operation )
1002 return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
1003 olen ) );
1004
1005 /* Set output size for encryption */
1006 *olen = mbedtls_cipher_get_block_size( ctx );
1007 return( 0 );
1008 }
1009 #else
1010 ((void) output);
1011 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1012
1013 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1014 }
1015
1016 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
1017 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
1018 mbedtls_cipher_padding_t mode )
1019 {
1020 CIPHER_VALIDATE_RET( ctx != NULL );
1021
1022 if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
1023 {
1024 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1025 }
1026
1027 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1028 if( ctx->psa_enabled == 1 )
1029 {
1030 /* While PSA Crypto knows about CBC padding
1031 * schemes, we currently don't make them
1032 * accessible through the cipher layer. */
1033 if( mode != MBEDTLS_PADDING_NONE )
1034 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1035
1036 return( 0 );
1037 }
1038 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1039
1040 switch( mode )
1041 {
1042 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1043 case MBEDTLS_PADDING_PKCS7:
1044 ctx->add_padding = add_pkcs_padding;
1045 ctx->get_padding = get_pkcs_padding;
1046 break;
1047 #endif
1048 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1049 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1050 ctx->add_padding = add_one_and_zeros_padding;
1051 ctx->get_padding = get_one_and_zeros_padding;
1052 break;
1053 #endif
1054 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1055 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1056 ctx->add_padding = add_zeros_and_len_padding;
1057 ctx->get_padding = get_zeros_and_len_padding;
1058 break;
1059 #endif
1060 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1061 case MBEDTLS_PADDING_ZEROS:
1062 ctx->add_padding = add_zeros_padding;
1063 ctx->get_padding = get_zeros_padding;
1064 break;
1065 #endif
1066 case MBEDTLS_PADDING_NONE:
1067 ctx->add_padding = NULL;
1068 ctx->get_padding = get_no_padding;
1069 break;
1070
1071 default:
1072 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1073 }
1074
1075 return( 0 );
1076 }
1077 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1078
1079 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
1080 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
1081 unsigned char *tag, size_t tag_len )
1082 {
1083 CIPHER_VALIDATE_RET( ctx != NULL );
1084 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1085 if( ctx->cipher_info == NULL )
1086 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1087
1088 if( MBEDTLS_ENCRYPT != ctx->operation )
1089 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1090
1091 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1092 if( ctx->psa_enabled == 1 )
1093 {
1094 /* While PSA Crypto has an API for multipart
1095 * operations, we currently don't make it
1096 * accessible through the cipher layer. */
1097 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1098 }
1099 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1100
1101 #if defined(MBEDTLS_GCM_C)
1102 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1103 return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
1104 tag, tag_len ) );
1105 #endif
1106
1107 #if defined(MBEDTLS_CHACHAPOLY_C)
1108 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1109 {
1110 /* Don't allow truncated MAC for Poly1305 */
1111 if ( tag_len != 16U )
1112 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1113
1114 return( mbedtls_chachapoly_finish(
1115 (mbedtls_chachapoly_context*) ctx->cipher_ctx, tag ) );
1116 }
1117 #endif
1118
1119 return( 0 );
1120 }
1121
1122 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
1123 const unsigned char *tag, size_t tag_len )
1124 {
1125 unsigned char check_tag[16];
1126 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1127
1128 CIPHER_VALIDATE_RET( ctx != NULL );
1129 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1130 if( ctx->cipher_info == NULL )
1131 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1132
1133 if( MBEDTLS_DECRYPT != ctx->operation )
1134 {
1135 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1136 }
1137
1138 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1139 if( ctx->psa_enabled == 1 )
1140 {
1141 /* While PSA Crypto has an API for multipart
1142 * operations, we currently don't make it
1143 * accessible through the cipher layer. */
1144 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1145 }
1146 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1147
1148 #if defined(MBEDTLS_GCM_C)
1149 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1150 {
1151 if( tag_len > sizeof( check_tag ) )
1152 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1153
1154 if( 0 != ( ret = mbedtls_gcm_finish(
1155 (mbedtls_gcm_context *) ctx->cipher_ctx,
1156 check_tag, tag_len ) ) )
1157 {
1158 return( ret );
1159 }
1160
1161 /* Check the tag in "constant-time" */
1162 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
1163 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1164
1165 return( 0 );
1166 }
1167 #endif /* MBEDTLS_GCM_C */
1168
1169 #if defined(MBEDTLS_CHACHAPOLY_C)
1170 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1171 {
1172 /* Don't allow truncated MAC for Poly1305 */
1173 if ( tag_len != sizeof( check_tag ) )
1174 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1175
1176 ret = mbedtls_chachapoly_finish(
1177 (mbedtls_chachapoly_context*) ctx->cipher_ctx, check_tag );
1178 if ( ret != 0 )
1179 {
1180 return( ret );
1181 }
1182
1183 /* Check the tag in "constant-time" */
1184 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
1185 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1186
1187 return( 0 );
1188 }
1189 #endif /* MBEDTLS_CHACHAPOLY_C */
1190
1191 return( 0 );
1192 }
1193 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1194
1195 /*
1196 * Packet-oriented wrapper for non-AEAD modes
1197 */
1198 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
1199 const unsigned char *iv, size_t iv_len,
1200 const unsigned char *input, size_t ilen,
1201 unsigned char *output, size_t *olen )
1202 {
1203 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1204 size_t finish_olen;
1205
1206 CIPHER_VALIDATE_RET( ctx != NULL );
1207 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1208 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1209 CIPHER_VALIDATE_RET( output != NULL );
1210 CIPHER_VALIDATE_RET( olen != NULL );
1211
1212 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1213 if( ctx->psa_enabled == 1 )
1214 {
1215 /* As in the non-PSA case, we don't check that
1216 * a key has been set. If not, the key slot will
1217 * still be in its default state of 0, which is
1218 * guaranteed to be invalid, hence the PSA-call
1219 * below will gracefully fail. */
1220 mbedtls_cipher_context_psa * const cipher_psa =
1221 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1222
1223 psa_status_t status;
1224 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1225 size_t part_len;
1226
1227 if( ctx->operation == MBEDTLS_DECRYPT )
1228 {
1229 status = psa_cipher_decrypt_setup( &cipher_op,
1230 cipher_psa->slot,
1231 cipher_psa->alg );
1232 }
1233 else if( ctx->operation == MBEDTLS_ENCRYPT )
1234 {
1235 status = psa_cipher_encrypt_setup( &cipher_op,
1236 cipher_psa->slot,
1237 cipher_psa->alg );
1238 }
1239 else
1240 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1241
1242 /* In the following, we can immediately return on an error,
1243 * because the PSA Crypto API guarantees that cipher operations
1244 * are terminated by unsuccessful calls to psa_cipher_update(),
1245 * and by any call to psa_cipher_finish(). */
1246 if( status != PSA_SUCCESS )
1247 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1248
1249 status = psa_cipher_set_iv( &cipher_op, iv, iv_len );
1250 if( status != PSA_SUCCESS )
1251 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1252
1253 status = psa_cipher_update( &cipher_op,
1254 input, ilen,
1255 output, ilen, olen );
1256 if( status != PSA_SUCCESS )
1257 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1258
1259 status = psa_cipher_finish( &cipher_op,
1260 output + *olen, ilen - *olen,
1261 &part_len );
1262 if( status != PSA_SUCCESS )
1263 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1264
1265 *olen += part_len;
1266 return( 0 );
1267 }
1268 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1269
1270 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
1271 return( ret );
1272
1273 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
1274 return( ret );
1275
1276 if( ( ret = mbedtls_cipher_update( ctx, input, ilen,
1277 output, olen ) ) != 0 )
1278 return( ret );
1279
1280 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen,
1281 &finish_olen ) ) != 0 )
1282 return( ret );
1283
1284 *olen += finish_olen;
1285
1286 return( 0 );
1287 }
1288
1289 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1290 /*
1291 * Packet-oriented encryption for AEAD modes: internal function shared by
1292 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
1293 */
1294 static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx,
1295 const unsigned char *iv, size_t iv_len,
1296 const unsigned char *ad, size_t ad_len,
1297 const unsigned char *input, size_t ilen,
1298 unsigned char *output, size_t *olen,
1299 unsigned char *tag, size_t tag_len )
1300 {
1301 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1302 if( ctx->psa_enabled == 1 )
1303 {
1304 /* As in the non-PSA case, we don't check that
1305 * a key has been set. If not, the key slot will
1306 * still be in its default state of 0, which is
1307 * guaranteed to be invalid, hence the PSA-call
1308 * below will gracefully fail. */
1309 mbedtls_cipher_context_psa * const cipher_psa =
1310 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1311
1312 psa_status_t status;
1313
1314 /* PSA Crypto API always writes the authentication tag
1315 * at the end of the encrypted message. */
1316 if( output == NULL || tag != output + ilen )
1317 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1318
1319 status = psa_aead_encrypt( cipher_psa->slot,
1320 cipher_psa->alg,
1321 iv, iv_len,
1322 ad, ad_len,
1323 input, ilen,
1324 output, ilen + tag_len, olen );
1325 if( status != PSA_SUCCESS )
1326 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1327
1328 *olen -= tag_len;
1329 return( 0 );
1330 }
1331 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1332
1333 #if defined(MBEDTLS_GCM_C)
1334 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1335 {
1336 *olen = ilen;
1337 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1338 ilen, iv, iv_len, ad, ad_len,
1339 input, output, tag_len, tag ) );
1340 }
1341 #endif /* MBEDTLS_GCM_C */
1342 #if defined(MBEDTLS_CCM_C)
1343 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1344 {
1345 *olen = ilen;
1346 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
1347 iv, iv_len, ad, ad_len, input, output,
1348 tag, tag_len ) );
1349 }
1350 #endif /* MBEDTLS_CCM_C */
1351 #if defined(MBEDTLS_CHACHAPOLY_C)
1352 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1353 {
1354 /* ChachaPoly has fixed length nonce and MAC (tag) */
1355 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1356 ( tag_len != 16U ) )
1357 {
1358 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1359 }
1360
1361 *olen = ilen;
1362 return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
1363 ilen, iv, ad, ad_len, input, output, tag ) );
1364 }
1365 #endif /* MBEDTLS_CHACHAPOLY_C */
1366
1367 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1368 }
1369
1370 /*
1371 * Packet-oriented encryption for AEAD modes: internal function shared by
1372 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
1373 */
1374 static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx,
1375 const unsigned char *iv, size_t iv_len,
1376 const unsigned char *ad, size_t ad_len,
1377 const unsigned char *input, size_t ilen,
1378 unsigned char *output, size_t *olen,
1379 const unsigned char *tag, size_t tag_len )
1380 {
1381 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1382 if( ctx->psa_enabled == 1 )
1383 {
1384 /* As in the non-PSA case, we don't check that
1385 * a key has been set. If not, the key slot will
1386 * still be in its default state of 0, which is
1387 * guaranteed to be invalid, hence the PSA-call
1388 * below will gracefully fail. */
1389 mbedtls_cipher_context_psa * const cipher_psa =
1390 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1391
1392 psa_status_t status;
1393
1394 /* PSA Crypto API always writes the authentication tag
1395 * at the end of the encrypted message. */
1396 if( input == NULL || tag != input + ilen )
1397 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1398
1399 status = psa_aead_decrypt( cipher_psa->slot,
1400 cipher_psa->alg,
1401 iv, iv_len,
1402 ad, ad_len,
1403 input, ilen + tag_len,
1404 output, ilen, olen );
1405 if( status == PSA_ERROR_INVALID_SIGNATURE )
1406 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1407 else if( status != PSA_SUCCESS )
1408 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1409
1410 return( 0 );
1411 }
1412 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1413
1414 #if defined(MBEDTLS_GCM_C)
1415 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1416 {
1417 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1418
1419 *olen = ilen;
1420 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
1421 iv, iv_len, ad, ad_len,
1422 tag, tag_len, input, output );
1423
1424 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
1425 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1426
1427 return( ret );
1428 }
1429 #endif /* MBEDTLS_GCM_C */
1430 #if defined(MBEDTLS_CCM_C)
1431 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1432 {
1433 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1434
1435 *olen = ilen;
1436 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
1437 iv, iv_len, ad, ad_len,
1438 input, output, tag, tag_len );
1439
1440 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
1441 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1442
1443 return( ret );
1444 }
1445 #endif /* MBEDTLS_CCM_C */
1446 #if defined(MBEDTLS_CHACHAPOLY_C)
1447 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1448 {
1449 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1450
1451 /* ChachaPoly has fixed length nonce and MAC (tag) */
1452 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1453 ( tag_len != 16U ) )
1454 {
1455 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1456 }
1457
1458 *olen = ilen;
1459 ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
1460 iv, ad, ad_len, tag, input, output );
1461
1462 if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
1463 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1464
1465 return( ret );
1466 }
1467 #endif /* MBEDTLS_CHACHAPOLY_C */
1468
1469 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1470 }
1471
1472 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1473 /*
1474 * Packet-oriented encryption for AEAD modes: public legacy function.
1475 */
1476 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
1477 const unsigned char *iv, size_t iv_len,
1478 const unsigned char *ad, size_t ad_len,
1479 const unsigned char *input, size_t ilen,
1480 unsigned char *output, size_t *olen,
1481 unsigned char *tag, size_t tag_len )
1482 {
1483 CIPHER_VALIDATE_RET( ctx != NULL );
1484 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1485 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1486 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1487 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
1488 CIPHER_VALIDATE_RET( olen != NULL );
1489 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1490
1491 return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
1492 input, ilen, output, olen,
1493 tag, tag_len ) );
1494 }
1495
1496 /*
1497 * Packet-oriented decryption for AEAD modes: public legacy function.
1498 */
1499 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
1500 const unsigned char *iv, size_t iv_len,
1501 const unsigned char *ad, size_t ad_len,
1502 const unsigned char *input, size_t ilen,
1503 unsigned char *output, size_t *olen,
1504 const unsigned char *tag, size_t tag_len )
1505 {
1506 CIPHER_VALIDATE_RET( ctx != NULL );
1507 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1508 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1509 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1510 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
1511 CIPHER_VALIDATE_RET( olen != NULL );
1512 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1513
1514 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
1515 input, ilen, output, olen,
1516 tag, tag_len ) );
1517 }
1518 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1519 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1520
1521 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1522 /*
1523 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1524 */
1525 int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
1526 const unsigned char *iv, size_t iv_len,
1527 const unsigned char *ad, size_t ad_len,
1528 const unsigned char *input, size_t ilen,
1529 unsigned char *output, size_t output_len,
1530 size_t *olen, size_t tag_len )
1531 {
1532 CIPHER_VALIDATE_RET( ctx != NULL );
1533 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1534 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1535 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1536 CIPHER_VALIDATE_RET( output != NULL );
1537 CIPHER_VALIDATE_RET( olen != NULL );
1538
1539 #if defined(MBEDTLS_NIST_KW_C)
1540 if(
1541 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1542 ctx->psa_enabled == 0 &&
1543 #endif
1544 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1545 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
1546 {
1547 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1548 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1549
1550 /* There is no iv, tag or ad associated with KW and KWP,
1551 * so these length should be 0 as documented. */
1552 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1553 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1554
1555 (void) iv;
1556 (void) ad;
1557
1558 return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen,
1559 output, olen, output_len ) );
1560 }
1561 #endif /* MBEDTLS_NIST_KW_C */
1562
1563 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1564 /* AEAD case: check length before passing on to shared function */
1565 if( output_len < ilen + tag_len )
1566 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1567
1568 int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
1569 input, ilen, output, olen,
1570 output + ilen, tag_len );
1571 *olen += tag_len;
1572 return( ret );
1573 #else
1574 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1575 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1576 }
1577
1578 /*
1579 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1580 */
1581 int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
1582 const unsigned char *iv, size_t iv_len,
1583 const unsigned char *ad, size_t ad_len,
1584 const unsigned char *input, size_t ilen,
1585 unsigned char *output, size_t output_len,
1586 size_t *olen, size_t tag_len )
1587 {
1588 CIPHER_VALIDATE_RET( ctx != NULL );
1589 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1590 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1591 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1592 CIPHER_VALIDATE_RET( output_len == 0 || output != NULL );
1593 CIPHER_VALIDATE_RET( olen != NULL );
1594
1595 #if defined(MBEDTLS_NIST_KW_C)
1596 if(
1597 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1598 ctx->psa_enabled == 0 &&
1599 #endif
1600 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1601 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
1602 {
1603 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1604 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1605
1606 /* There is no iv, tag or ad associated with KW and KWP,
1607 * so these length should be 0 as documented. */
1608 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1609 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1610
1611 (void) iv;
1612 (void) ad;
1613
1614 return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen,
1615 output, olen, output_len ) );
1616 }
1617 #endif /* MBEDTLS_NIST_KW_C */
1618
1619 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1620 /* AEAD case: check length before passing on to shared function */
1621 if( ilen < tag_len || output_len < ilen - tag_len )
1622 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1623
1624 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
1625 input, ilen - tag_len, output, olen,
1626 input + ilen - tag_len, tag_len ) );
1627 #else
1628 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1629 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1630 }
1631 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1632
1633 #endif /* MBEDTLS_CIPHER_C */
1634