1 /** 2 * \file cipher.c 3 * 4 * \brief Generic cipher wrapper for mbed TLS 5 * 6 * \author Adriaan de Jong <dejong@fox-it.com> 7 * 8 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 9 * SPDX-License-Identifier: GPL-2.0 10 * 11 * This program is free software; you can redistribute it and/or modify 12 * it under the terms of the GNU General Public License as published by 13 * the Free Software Foundation; either version 2 of the License, or 14 * (at your option) any later version. 15 * 16 * This program is distributed in the hope that it will be useful, 17 * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 * GNU General Public License for more details. 20 * 21 * You should have received a copy of the GNU General Public License along 22 * with this program; if not, write to the Free Software Foundation, Inc., 23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 24 * 25 * This file is part of mbed TLS (https://tls.mbed.org) 26 */ 27 28 #if !defined(MBEDTLS_CONFIG_FILE) 29 #include "mbedtls/config.h" 30 #else 31 #include MBEDTLS_CONFIG_FILE 32 #endif 33 34 #if defined(MBEDTLS_CIPHER_C) 35 36 #include "mbedtls/cipher.h" 37 #include "mbedtls/cipher_internal.h" 38 39 #include <stdlib.h> 40 #include <string.h> 41 42 #if defined(MBEDTLS_GCM_C) 43 #include "mbedtls/gcm.h" 44 #endif 45 46 #if defined(MBEDTLS_CCM_C) 47 #include "mbedtls/ccm.h" 48 #endif 49 50 #if defined(MBEDTLS_CMAC_C) 51 #include "mbedtls/cmac.h" 52 #endif 53 54 #if defined(MBEDTLS_PLATFORM_C) 55 #include "mbedtls/platform.h" 56 #else 57 #define mbedtls_calloc calloc 58 #define mbedtls_free free 59 #endif 60 61 /* Implementation that should never be optimized out by the compiler */ 62 static void mbedtls_zeroize( void *v, size_t n ) { 63 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 64 } 65 66 static int supported_init = 0; 67 68 const int *mbedtls_cipher_list( void ) 69 { 70 const mbedtls_cipher_definition_t *def; 71 int *type; 72 73 if( ! supported_init ) 74 { 75 def = mbedtls_cipher_definitions; 76 type = mbedtls_cipher_supported; 77 78 while( def->type != 0 ) 79 *type++ = (*def++).type; 80 81 *type = 0; 82 83 supported_init = 1; 84 } 85 86 return( mbedtls_cipher_supported ); 87 } 88 89 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type ) 90 { 91 const mbedtls_cipher_definition_t *def; 92 93 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 94 if( def->type == cipher_type ) 95 return( def->info ); 96 97 return( NULL ); 98 } 99 100 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name ) 101 { 102 const mbedtls_cipher_definition_t *def; 103 104 if( NULL == cipher_name ) 105 return( NULL ); 106 107 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 108 if( ! strcmp( def->info->name, cipher_name ) ) 109 return( def->info ); 110 111 return( NULL ); 112 } 113 114 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id, 115 int key_bitlen, 116 const mbedtls_cipher_mode_t mode ) 117 { 118 const mbedtls_cipher_definition_t *def; 119 120 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 121 if( def->info->base->cipher == cipher_id && 122 def->info->key_bitlen == (unsigned) key_bitlen && 123 def->info->mode == mode ) 124 return( def->info ); 125 126 return( NULL ); 127 } 128 129 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx ) 130 { 131 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 132 } 133 134 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx ) 135 { 136 if( ctx == NULL ) 137 return; 138 139 #if defined(MBEDTLS_CMAC_C) 140 if( ctx->cmac_ctx ) 141 { 142 mbedtls_zeroize( ctx->cmac_ctx, sizeof( mbedtls_cmac_context_t ) ); 143 mbedtls_free( ctx->cmac_ctx ); 144 } 145 #endif 146 147 if( ctx->cipher_ctx ) 148 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx ); 149 150 mbedtls_zeroize( ctx, sizeof(mbedtls_cipher_context_t) ); 151 } 152 153 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info ) 154 { 155 if( NULL == cipher_info || NULL == ctx ) 156 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 157 158 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 159 160 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) ) 161 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 162 163 ctx->cipher_info = cipher_info; 164 165 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 166 /* 167 * Ignore possible errors caused by a cipher mode that doesn't use padding 168 */ 169 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 170 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 ); 171 #else 172 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE ); 173 #endif 174 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 175 176 return( 0 ); 177 } 178 179 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key, 180 int key_bitlen, const mbedtls_operation_t operation ) 181 { 182 if( NULL == ctx || NULL == ctx->cipher_info ) 183 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 184 185 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 && 186 (int) ctx->cipher_info->key_bitlen != key_bitlen ) 187 { 188 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 189 } 190 191 ctx->key_bitlen = key_bitlen; 192 ctx->operation = operation; 193 194 /* 195 * For CFB and CTR mode always use the encryption key schedule 196 */ 197 if( MBEDTLS_ENCRYPT == operation || 198 MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 199 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ) 200 { 201 return ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key, 202 ctx->key_bitlen ); 203 } 204 205 if( MBEDTLS_DECRYPT == operation ) 206 return ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key, 207 ctx->key_bitlen ); 208 209 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 210 } 211 212 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, 213 const unsigned char *iv, size_t iv_len ) 214 { 215 size_t actual_iv_size; 216 if( NULL == ctx || NULL == ctx->cipher_info ) 217 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 218 else if( NULL == iv && iv_len != 0 ) 219 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 220 221 if( NULL == iv && iv_len == 0 ) 222 ctx->iv_size = 0; 223 224 /* avoid buffer overflow in ctx->iv */ 225 if( iv_len > MBEDTLS_MAX_IV_LENGTH ) 226 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 227 228 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 ) 229 actual_iv_size = iv_len; 230 else 231 { 232 actual_iv_size = ctx->cipher_info->iv_size; 233 234 /* avoid reading past the end of input buffer */ 235 if( actual_iv_size > iv_len ) 236 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 237 } 238 if ( actual_iv_size != 0 ) 239 { 240 memcpy( ctx->iv, iv, actual_iv_size ); 241 ctx->iv_size = actual_iv_size; 242 } 243 244 return( 0 ); 245 } 246 247 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ) 248 { 249 if( NULL == ctx || NULL == ctx->cipher_info ) 250 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 251 252 ctx->unprocessed_len = 0; 253 254 return( 0 ); 255 } 256 257 #if defined(MBEDTLS_GCM_C) 258 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx, 259 const unsigned char *ad, size_t ad_len ) 260 { 261 if( NULL == ctx || NULL == ctx->cipher_info ) 262 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 263 264 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 265 { 266 return mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation, 267 ctx->iv, ctx->iv_size, ad, ad_len ); 268 } 269 270 return( 0 ); 271 } 272 #endif /* MBEDTLS_GCM_C */ 273 274 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input, 275 size_t ilen, unsigned char *output, size_t *olen ) 276 { 277 int ret; 278 size_t block_size = 0; 279 280 if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen ) 281 { 282 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 283 } 284 285 *olen = 0; 286 block_size = mbedtls_cipher_get_block_size( ctx ); 287 if ( 0 == block_size ) 288 { 289 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT ); 290 } 291 292 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB ) 293 { 294 if( ilen != block_size ) 295 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 296 297 *olen = ilen; 298 299 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx, 300 ctx->operation, input, output ) ) ) 301 { 302 return( ret ); 303 } 304 305 return( 0 ); 306 } 307 308 #if defined(MBEDTLS_GCM_C) 309 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM ) 310 { 311 *olen = ilen; 312 return mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input, 313 output ); 314 } 315 #endif 316 317 if( input == output && 318 ( ctx->unprocessed_len != 0 || ilen % block_size ) ) 319 { 320 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 321 } 322 323 #if defined(MBEDTLS_CIPHER_MODE_CBC) 324 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC ) 325 { 326 size_t copy_len = 0; 327 328 /* 329 * If there is not enough data for a full block, cache it. 330 */ 331 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 332 ilen <= block_size - ctx->unprocessed_len ) || 333 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 334 ilen < block_size - ctx->unprocessed_len ) || 335 ( ctx->operation == MBEDTLS_ENCRYPT && 336 ilen < block_size - ctx->unprocessed_len ) ) 337 { 338 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 339 ilen ); 340 341 ctx->unprocessed_len += ilen; 342 return( 0 ); 343 } 344 345 /* 346 * Process cached data first 347 */ 348 if( 0 != ctx->unprocessed_len ) 349 { 350 copy_len = block_size - ctx->unprocessed_len; 351 352 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 353 copy_len ); 354 355 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 356 ctx->operation, block_size, ctx->iv, 357 ctx->unprocessed_data, output ) ) ) 358 { 359 return( ret ); 360 } 361 362 *olen += block_size; 363 output += block_size; 364 ctx->unprocessed_len = 0; 365 366 input += copy_len; 367 ilen -= copy_len; 368 } 369 370 /* 371 * Cache final, incomplete block 372 */ 373 if( 0 != ilen ) 374 { 375 /* Encryption: only cache partial blocks 376 * Decryption w/ padding: always keep at least one whole block 377 * Decryption w/o padding: only cache partial blocks 378 */ 379 copy_len = ilen % block_size; 380 if( copy_len == 0 && 381 ctx->operation == MBEDTLS_DECRYPT && 382 NULL != ctx->add_padding) 383 { 384 copy_len = block_size; 385 } 386 387 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ), 388 copy_len ); 389 390 ctx->unprocessed_len += copy_len; 391 ilen -= copy_len; 392 } 393 394 /* 395 * Process remaining full blocks 396 */ 397 if( ilen ) 398 { 399 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 400 ctx->operation, ilen, ctx->iv, input, output ) ) ) 401 { 402 return( ret ); 403 } 404 405 *olen += ilen; 406 } 407 408 return( 0 ); 409 } 410 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 411 412 #if defined(MBEDTLS_CIPHER_MODE_CFB) 413 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB ) 414 { 415 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx, 416 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv, 417 input, output ) ) ) 418 { 419 return( ret ); 420 } 421 422 *olen = ilen; 423 424 return( 0 ); 425 } 426 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 427 428 #if defined(MBEDTLS_CIPHER_MODE_CTR) 429 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR ) 430 { 431 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx, 432 ilen, &ctx->unprocessed_len, ctx->iv, 433 ctx->unprocessed_data, input, output ) ) ) 434 { 435 return( ret ); 436 } 437 438 *olen = ilen; 439 440 return( 0 ); 441 } 442 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 443 444 #if defined(MBEDTLS_CIPHER_MODE_STREAM) 445 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM ) 446 { 447 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx, 448 ilen, input, output ) ) ) 449 { 450 return( ret ); 451 } 452 453 *olen = ilen; 454 455 return( 0 ); 456 } 457 #endif /* MBEDTLS_CIPHER_MODE_STREAM */ 458 459 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 460 } 461 462 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 463 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 464 /* 465 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 466 */ 467 static void add_pkcs_padding( unsigned char *output, size_t output_len, 468 size_t data_len ) 469 { 470 size_t padding_len = output_len - data_len; 471 unsigned char i; 472 473 for( i = 0; i < padding_len; i++ ) 474 output[data_len + i] = (unsigned char) padding_len; 475 } 476 477 static int get_pkcs_padding( unsigned char *input, size_t input_len, 478 size_t *data_len ) 479 { 480 size_t i, pad_idx; 481 unsigned char padding_len, bad = 0; 482 483 if( NULL == input || NULL == data_len ) 484 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 485 486 padding_len = input[input_len - 1]; 487 *data_len = input_len - padding_len; 488 489 /* Avoid logical || since it results in a branch */ 490 bad |= padding_len > input_len; 491 bad |= padding_len == 0; 492 493 /* The number of bytes checked must be independent of padding_len, 494 * so pick input_len, which is usually 8 or 16 (one block) */ 495 pad_idx = input_len - padding_len; 496 for( i = 0; i < input_len; i++ ) 497 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx ); 498 499 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 500 } 501 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 502 503 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 504 /* 505 * One and zeros padding: fill with 80 00 ... 00 506 */ 507 static void add_one_and_zeros_padding( unsigned char *output, 508 size_t output_len, size_t data_len ) 509 { 510 size_t padding_len = output_len - data_len; 511 unsigned char i = 0; 512 513 output[data_len] = 0x80; 514 for( i = 1; i < padding_len; i++ ) 515 output[data_len + i] = 0x00; 516 } 517 518 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len, 519 size_t *data_len ) 520 { 521 size_t i; 522 unsigned char done = 0, prev_done, bad; 523 524 if( NULL == input || NULL == data_len ) 525 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 526 527 bad = 0x80; 528 *data_len = 0; 529 for( i = input_len; i > 0; i-- ) 530 { 531 prev_done = done; 532 done |= ( input[i - 1] != 0 ); 533 *data_len |= ( i - 1 ) * ( done != prev_done ); 534 bad ^= input[i - 1] * ( done != prev_done ); 535 } 536 537 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 538 539 } 540 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 541 542 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 543 /* 544 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 545 */ 546 static void add_zeros_and_len_padding( unsigned char *output, 547 size_t output_len, size_t data_len ) 548 { 549 size_t padding_len = output_len - data_len; 550 unsigned char i = 0; 551 552 for( i = 1; i < padding_len; i++ ) 553 output[data_len + i - 1] = 0x00; 554 output[output_len - 1] = (unsigned char) padding_len; 555 } 556 557 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len, 558 size_t *data_len ) 559 { 560 size_t i, pad_idx; 561 unsigned char padding_len, bad = 0; 562 563 if( NULL == input || NULL == data_len ) 564 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 565 566 padding_len = input[input_len - 1]; 567 *data_len = input_len - padding_len; 568 569 /* Avoid logical || since it results in a branch */ 570 bad |= padding_len > input_len; 571 bad |= padding_len == 0; 572 573 /* The number of bytes checked must be independent of padding_len */ 574 pad_idx = input_len - padding_len; 575 for( i = 0; i < input_len - 1; i++ ) 576 bad |= input[i] * ( i >= pad_idx ); 577 578 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 579 } 580 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 581 582 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 583 /* 584 * Zero padding: fill with 00 ... 00 585 */ 586 static void add_zeros_padding( unsigned char *output, 587 size_t output_len, size_t data_len ) 588 { 589 size_t i; 590 591 for( i = data_len; i < output_len; i++ ) 592 output[i] = 0x00; 593 } 594 595 static int get_zeros_padding( unsigned char *input, size_t input_len, 596 size_t *data_len ) 597 { 598 size_t i; 599 unsigned char done = 0, prev_done; 600 601 if( NULL == input || NULL == data_len ) 602 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 603 604 *data_len = 0; 605 for( i = input_len; i > 0; i-- ) 606 { 607 prev_done = done; 608 done |= ( input[i-1] != 0 ); 609 *data_len |= i * ( done != prev_done ); 610 } 611 612 return( 0 ); 613 } 614 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 615 616 /* 617 * No padding: don't pad :) 618 * 619 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 620 * but a trivial get_padding function 621 */ 622 static int get_no_padding( unsigned char *input, size_t input_len, 623 size_t *data_len ) 624 { 625 if( NULL == input || NULL == data_len ) 626 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 627 628 *data_len = input_len; 629 630 return( 0 ); 631 } 632 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 633 634 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx, 635 unsigned char *output, size_t *olen ) 636 { 637 if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen ) 638 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 639 640 *olen = 0; 641 642 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 643 MBEDTLS_MODE_CTR == ctx->cipher_info->mode || 644 MBEDTLS_MODE_GCM == ctx->cipher_info->mode || 645 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode ) 646 { 647 return( 0 ); 648 } 649 650 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode ) 651 { 652 if( ctx->unprocessed_len != 0 ) 653 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 654 655 return( 0 ); 656 } 657 658 #if defined(MBEDTLS_CIPHER_MODE_CBC) 659 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode ) 660 { 661 int ret = 0; 662 663 if( MBEDTLS_ENCRYPT == ctx->operation ) 664 { 665 /* check for 'no padding' mode */ 666 if( NULL == ctx->add_padding ) 667 { 668 if( 0 != ctx->unprocessed_len ) 669 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 670 671 return( 0 ); 672 } 673 674 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ), 675 ctx->unprocessed_len ); 676 } 677 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len ) 678 { 679 /* 680 * For decrypt operations, expect a full block, 681 * or an empty block if no padding 682 */ 683 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len ) 684 return( 0 ); 685 686 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 687 } 688 689 /* cipher block */ 690 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 691 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv, 692 ctx->unprocessed_data, output ) ) ) 693 { 694 return( ret ); 695 } 696 697 /* Set output size for decryption */ 698 if( MBEDTLS_DECRYPT == ctx->operation ) 699 return ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ), 700 olen ); 701 702 /* Set output size for encryption */ 703 *olen = mbedtls_cipher_get_block_size( ctx ); 704 return( 0 ); 705 } 706 #else 707 ((void) output); 708 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 709 710 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 711 } 712 713 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 714 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode ) 715 { 716 if( NULL == ctx || 717 MBEDTLS_MODE_CBC != ctx->cipher_info->mode ) 718 { 719 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 720 } 721 722 switch( mode ) 723 { 724 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 725 case MBEDTLS_PADDING_PKCS7: 726 ctx->add_padding = add_pkcs_padding; 727 ctx->get_padding = get_pkcs_padding; 728 break; 729 #endif 730 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 731 case MBEDTLS_PADDING_ONE_AND_ZEROS: 732 ctx->add_padding = add_one_and_zeros_padding; 733 ctx->get_padding = get_one_and_zeros_padding; 734 break; 735 #endif 736 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 737 case MBEDTLS_PADDING_ZEROS_AND_LEN: 738 ctx->add_padding = add_zeros_and_len_padding; 739 ctx->get_padding = get_zeros_and_len_padding; 740 break; 741 #endif 742 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 743 case MBEDTLS_PADDING_ZEROS: 744 ctx->add_padding = add_zeros_padding; 745 ctx->get_padding = get_zeros_padding; 746 break; 747 #endif 748 case MBEDTLS_PADDING_NONE: 749 ctx->add_padding = NULL; 750 ctx->get_padding = get_no_padding; 751 break; 752 753 default: 754 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 755 } 756 757 return( 0 ); 758 } 759 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 760 761 #if defined(MBEDTLS_GCM_C) 762 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx, 763 unsigned char *tag, size_t tag_len ) 764 { 765 if( NULL == ctx || NULL == ctx->cipher_info || NULL == tag ) 766 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 767 768 if( MBEDTLS_ENCRYPT != ctx->operation ) 769 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 770 771 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 772 return mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, tag, tag_len ); 773 774 return( 0 ); 775 } 776 777 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, 778 const unsigned char *tag, size_t tag_len ) 779 { 780 int ret; 781 782 if( NULL == ctx || NULL == ctx->cipher_info || 783 MBEDTLS_DECRYPT != ctx->operation ) 784 { 785 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 786 } 787 788 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 789 { 790 unsigned char check_tag[16]; 791 size_t i; 792 int diff; 793 794 if( tag_len > sizeof( check_tag ) ) 795 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 796 797 if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, 798 check_tag, tag_len ) ) ) 799 { 800 return( ret ); 801 } 802 803 /* Check the tag in "constant-time" */ 804 for( diff = 0, i = 0; i < tag_len; i++ ) 805 diff |= tag[i] ^ check_tag[i]; 806 807 if( diff != 0 ) 808 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); 809 810 return( 0 ); 811 } 812 813 return( 0 ); 814 } 815 #endif /* MBEDTLS_GCM_C */ 816 817 /* 818 * Packet-oriented wrapper for non-AEAD modes 819 */ 820 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, 821 const unsigned char *iv, size_t iv_len, 822 const unsigned char *input, size_t ilen, 823 unsigned char *output, size_t *olen ) 824 { 825 int ret; 826 size_t finish_olen; 827 828 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 ) 829 return( ret ); 830 831 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 ) 832 return( ret ); 833 834 if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 ) 835 return( ret ); 836 837 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 ) 838 return( ret ); 839 840 *olen += finish_olen; 841 842 return( 0 ); 843 } 844 845 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 846 /* 847 * Packet-oriented encryption for AEAD modes 848 */ 849 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, 850 const unsigned char *iv, size_t iv_len, 851 const unsigned char *ad, size_t ad_len, 852 const unsigned char *input, size_t ilen, 853 unsigned char *output, size_t *olen, 854 unsigned char *tag, size_t tag_len ) 855 { 856 #if defined(MBEDTLS_GCM_C) 857 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 858 { 859 *olen = ilen; 860 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen, 861 iv, iv_len, ad, ad_len, input, output, 862 tag_len, tag ) ); 863 } 864 #endif /* MBEDTLS_GCM_C */ 865 #if defined(MBEDTLS_CCM_C) 866 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode ) 867 { 868 *olen = ilen; 869 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen, 870 iv, iv_len, ad, ad_len, input, output, 871 tag, tag_len ) ); 872 } 873 #endif /* MBEDTLS_CCM_C */ 874 875 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 876 } 877 878 /* 879 * Packet-oriented decryption for AEAD modes 880 */ 881 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, 882 const unsigned char *iv, size_t iv_len, 883 const unsigned char *ad, size_t ad_len, 884 const unsigned char *input, size_t ilen, 885 unsigned char *output, size_t *olen, 886 const unsigned char *tag, size_t tag_len ) 887 { 888 #if defined(MBEDTLS_GCM_C) 889 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 890 { 891 int ret; 892 893 *olen = ilen; 894 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen, 895 iv, iv_len, ad, ad_len, 896 tag, tag_len, input, output ); 897 898 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED ) 899 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 900 901 return( ret ); 902 } 903 #endif /* MBEDTLS_GCM_C */ 904 #if defined(MBEDTLS_CCM_C) 905 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode ) 906 { 907 int ret; 908 909 *olen = ilen; 910 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen, 911 iv, iv_len, ad, ad_len, 912 input, output, tag, tag_len ); 913 914 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED ) 915 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 916 917 return( ret ); 918 } 919 #endif /* MBEDTLS_CCM_C */ 920 921 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 922 } 923 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 924 925 #endif /* MBEDTLS_CIPHER_C */ 926