1 /** 2 * \file cipher.c 3 * 4 * \brief Generic cipher wrapper for mbed TLS 5 * 6 * \author Adriaan de Jong <dejong@fox-it.com> 7 * 8 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 9 * SPDX-License-Identifier: GPL-2.0 10 * 11 * This program is free software; you can redistribute it and/or modify 12 * it under the terms of the GNU General Public License as published by 13 * the Free Software Foundation; either version 2 of the License, or 14 * (at your option) any later version. 15 * 16 * This program is distributed in the hope that it will be useful, 17 * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 * GNU General Public License for more details. 20 * 21 * You should have received a copy of the GNU General Public License along 22 * with this program; if not, write to the Free Software Foundation, Inc., 23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 24 * 25 * This file is part of mbed TLS (https://tls.mbed.org) 26 */ 27 28 #if !defined(MBEDTLS_CONFIG_FILE) 29 #include "mbedtls/config.h" 30 #else 31 #include MBEDTLS_CONFIG_FILE 32 #endif 33 34 #if defined(MBEDTLS_CIPHER_C) 35 36 #include "mbedtls/cipher.h" 37 #include "mbedtls/cipher_internal.h" 38 39 #include <stdlib.h> 40 #include <string.h> 41 42 #if defined(MBEDTLS_GCM_C) 43 #include "mbedtls/gcm.h" 44 #endif 45 46 #if defined(MBEDTLS_CCM_C) 47 #include "mbedtls/ccm.h" 48 #endif 49 50 #if defined(MBEDTLS_CMAC_C) 51 #include "mbedtls/cmac.h" 52 #endif 53 54 #if defined(MBEDTLS_PLATFORM_C) 55 #include "mbedtls/platform.h" 56 #else 57 #define mbedtls_calloc calloc 58 #define mbedtls_free free 59 #endif 60 61 /* Implementation that should never be optimized out by the compiler */ 62 static void mbedtls_zeroize( void *v, size_t n ) { 63 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 64 } 65 66 static int supported_init = 0; 67 68 const int *mbedtls_cipher_list( void ) 69 { 70 const mbedtls_cipher_definition_t *def; 71 int *type; 72 73 if( ! supported_init ) 74 { 75 def = mbedtls_cipher_definitions; 76 type = mbedtls_cipher_supported; 77 78 while( def->type != 0 ) 79 *type++ = (*def++).type; 80 81 *type = 0; 82 83 supported_init = 1; 84 } 85 86 return( mbedtls_cipher_supported ); 87 } 88 89 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type ) 90 { 91 const mbedtls_cipher_definition_t *def; 92 93 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 94 if( def->type == cipher_type ) 95 return( def->info ); 96 97 return( NULL ); 98 } 99 100 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name ) 101 { 102 const mbedtls_cipher_definition_t *def; 103 104 if( NULL == cipher_name ) 105 return( NULL ); 106 107 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 108 if( ! strcmp( def->info->name, cipher_name ) ) 109 return( def->info ); 110 111 return( NULL ); 112 } 113 114 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id, 115 int key_bitlen, 116 const mbedtls_cipher_mode_t mode ) 117 { 118 const mbedtls_cipher_definition_t *def; 119 120 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 121 if( def->info->base->cipher == cipher_id && 122 def->info->key_bitlen == (unsigned) key_bitlen && 123 def->info->mode == mode ) 124 return( def->info ); 125 126 return( NULL ); 127 } 128 129 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx ) 130 { 131 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 132 } 133 134 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx ) 135 { 136 if( ctx == NULL ) 137 return; 138 139 #if defined(MBEDTLS_CMAC_C) 140 if( ctx->cmac_ctx ) 141 { 142 mbedtls_zeroize( ctx->cmac_ctx, sizeof( mbedtls_cmac_context_t ) ); 143 mbedtls_free( ctx->cmac_ctx ); 144 } 145 #endif 146 147 if( ctx->cipher_ctx ) 148 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx ); 149 150 mbedtls_zeroize( ctx, sizeof(mbedtls_cipher_context_t) ); 151 } 152 153 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info ) 154 { 155 if( NULL == cipher_info || NULL == ctx ) 156 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 157 158 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 159 160 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) ) 161 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 162 163 ctx->cipher_info = cipher_info; 164 165 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 166 /* 167 * Ignore possible errors caused by a cipher mode that doesn't use padding 168 */ 169 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 170 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 ); 171 #else 172 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE ); 173 #endif 174 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 175 176 return( 0 ); 177 } 178 179 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key, 180 int key_bitlen, const mbedtls_operation_t operation ) 181 { 182 if( NULL == ctx || NULL == ctx->cipher_info ) 183 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 184 185 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 && 186 (int) ctx->cipher_info->key_bitlen != key_bitlen ) 187 { 188 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 189 } 190 191 ctx->key_bitlen = key_bitlen; 192 ctx->operation = operation; 193 194 /* 195 * For CFB and CTR mode always use the encryption key schedule 196 */ 197 if( MBEDTLS_ENCRYPT == operation || 198 MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 199 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ) 200 { 201 return ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key, 202 ctx->key_bitlen ); 203 } 204 205 if( MBEDTLS_DECRYPT == operation ) 206 return ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key, 207 ctx->key_bitlen ); 208 209 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 210 } 211 212 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, 213 const unsigned char *iv, size_t iv_len ) 214 { 215 size_t actual_iv_size; 216 if( NULL == ctx || NULL == ctx->cipher_info ) 217 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 218 else if( NULL == iv && iv_len != 0 ) 219 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 220 221 if( NULL == iv && iv_len == 0 ) 222 ctx->iv_size = 0; 223 224 /* avoid buffer overflow in ctx->iv */ 225 if( iv_len > MBEDTLS_MAX_IV_LENGTH ) 226 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 227 228 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 ) 229 actual_iv_size = iv_len; 230 else 231 { 232 actual_iv_size = ctx->cipher_info->iv_size; 233 234 /* avoid reading past the end of input buffer */ 235 if( actual_iv_size > iv_len ) 236 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 237 } 238 if ( actual_iv_size != 0 ) 239 { 240 memcpy( ctx->iv, iv, actual_iv_size ); 241 ctx->iv_size = actual_iv_size; 242 } 243 244 return( 0 ); 245 } 246 247 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ) 248 { 249 if( NULL == ctx || NULL == ctx->cipher_info ) 250 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 251 252 ctx->unprocessed_len = 0; 253 254 return( 0 ); 255 } 256 257 #if defined(MBEDTLS_GCM_C) 258 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx, 259 const unsigned char *ad, size_t ad_len ) 260 { 261 if( NULL == ctx || NULL == ctx->cipher_info ) 262 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 263 264 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 265 { 266 return mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation, 267 ctx->iv, ctx->iv_size, ad, ad_len ); 268 } 269 270 return( 0 ); 271 } 272 #endif /* MBEDTLS_GCM_C */ 273 274 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input, 275 size_t ilen, unsigned char *output, size_t *olen ) 276 { 277 int ret; 278 size_t block_size = 0; 279 280 if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen ) 281 { 282 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 283 } 284 285 *olen = 0; 286 block_size = mbedtls_cipher_get_block_size( ctx ); 287 288 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB ) 289 { 290 if( ilen != block_size ) 291 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 292 293 *olen = ilen; 294 295 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx, 296 ctx->operation, input, output ) ) ) 297 { 298 return( ret ); 299 } 300 301 return( 0 ); 302 } 303 304 #if defined(MBEDTLS_GCM_C) 305 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM ) 306 { 307 *olen = ilen; 308 return mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input, 309 output ); 310 } 311 #endif 312 313 if ( 0 == block_size ) 314 { 315 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; 316 } 317 318 if( input == output && 319 ( ctx->unprocessed_len != 0 || ilen % block_size ) ) 320 { 321 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 322 } 323 324 #if defined(MBEDTLS_CIPHER_MODE_CBC) 325 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC ) 326 { 327 size_t copy_len = 0; 328 329 /* 330 * If there is not enough data for a full block, cache it. 331 */ 332 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 333 ilen <= block_size - ctx->unprocessed_len ) || 334 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 335 ilen < block_size - ctx->unprocessed_len ) || 336 ( ctx->operation == MBEDTLS_ENCRYPT && 337 ilen < block_size - ctx->unprocessed_len ) ) 338 { 339 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 340 ilen ); 341 342 ctx->unprocessed_len += ilen; 343 return( 0 ); 344 } 345 346 /* 347 * Process cached data first 348 */ 349 if( 0 != ctx->unprocessed_len ) 350 { 351 copy_len = block_size - ctx->unprocessed_len; 352 353 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 354 copy_len ); 355 356 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 357 ctx->operation, block_size, ctx->iv, 358 ctx->unprocessed_data, output ) ) ) 359 { 360 return( ret ); 361 } 362 363 *olen += block_size; 364 output += block_size; 365 ctx->unprocessed_len = 0; 366 367 input += copy_len; 368 ilen -= copy_len; 369 } 370 371 /* 372 * Cache final, incomplete block 373 */ 374 if( 0 != ilen ) 375 { 376 if( 0 == block_size ) 377 { 378 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; 379 } 380 381 /* Encryption: only cache partial blocks 382 * Decryption w/ padding: always keep at least one whole block 383 * Decryption w/o padding: only cache partial blocks 384 */ 385 copy_len = ilen % block_size; 386 if( copy_len == 0 && 387 ctx->operation == MBEDTLS_DECRYPT && 388 NULL != ctx->add_padding) 389 { 390 copy_len = block_size; 391 } 392 393 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ), 394 copy_len ); 395 396 ctx->unprocessed_len += copy_len; 397 ilen -= copy_len; 398 } 399 400 /* 401 * Process remaining full blocks 402 */ 403 if( ilen ) 404 { 405 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 406 ctx->operation, ilen, ctx->iv, input, output ) ) ) 407 { 408 return( ret ); 409 } 410 411 *olen += ilen; 412 } 413 414 return( 0 ); 415 } 416 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 417 418 #if defined(MBEDTLS_CIPHER_MODE_CFB) 419 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB ) 420 { 421 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx, 422 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv, 423 input, output ) ) ) 424 { 425 return( ret ); 426 } 427 428 *olen = ilen; 429 430 return( 0 ); 431 } 432 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 433 434 #if defined(MBEDTLS_CIPHER_MODE_CTR) 435 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR ) 436 { 437 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx, 438 ilen, &ctx->unprocessed_len, ctx->iv, 439 ctx->unprocessed_data, input, output ) ) ) 440 { 441 return( ret ); 442 } 443 444 *olen = ilen; 445 446 return( 0 ); 447 } 448 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 449 450 #if defined(MBEDTLS_CIPHER_MODE_STREAM) 451 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM ) 452 { 453 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx, 454 ilen, input, output ) ) ) 455 { 456 return( ret ); 457 } 458 459 *olen = ilen; 460 461 return( 0 ); 462 } 463 #endif /* MBEDTLS_CIPHER_MODE_STREAM */ 464 465 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 466 } 467 468 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 469 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 470 /* 471 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 472 */ 473 static void add_pkcs_padding( unsigned char *output, size_t output_len, 474 size_t data_len ) 475 { 476 size_t padding_len = output_len - data_len; 477 unsigned char i; 478 479 for( i = 0; i < padding_len; i++ ) 480 output[data_len + i] = (unsigned char) padding_len; 481 } 482 483 static int get_pkcs_padding( unsigned char *input, size_t input_len, 484 size_t *data_len ) 485 { 486 size_t i, pad_idx; 487 unsigned char padding_len, bad = 0; 488 489 if( NULL == input || NULL == data_len ) 490 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 491 492 padding_len = input[input_len - 1]; 493 *data_len = input_len - padding_len; 494 495 /* Avoid logical || since it results in a branch */ 496 bad |= padding_len > input_len; 497 bad |= padding_len == 0; 498 499 /* The number of bytes checked must be independent of padding_len, 500 * so pick input_len, which is usually 8 or 16 (one block) */ 501 pad_idx = input_len - padding_len; 502 for( i = 0; i < input_len; i++ ) 503 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx ); 504 505 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 506 } 507 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 508 509 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 510 /* 511 * One and zeros padding: fill with 80 00 ... 00 512 */ 513 static void add_one_and_zeros_padding( unsigned char *output, 514 size_t output_len, size_t data_len ) 515 { 516 size_t padding_len = output_len - data_len; 517 unsigned char i = 0; 518 519 output[data_len] = 0x80; 520 for( i = 1; i < padding_len; i++ ) 521 output[data_len + i] = 0x00; 522 } 523 524 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len, 525 size_t *data_len ) 526 { 527 size_t i; 528 unsigned char done = 0, prev_done, bad; 529 530 if( NULL == input || NULL == data_len ) 531 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 532 533 bad = 0x80; 534 *data_len = 0; 535 for( i = input_len; i > 0; i-- ) 536 { 537 prev_done = done; 538 done |= ( input[i - 1] != 0 ); 539 *data_len |= ( i - 1 ) * ( done != prev_done ); 540 bad ^= input[i - 1] * ( done != prev_done ); 541 } 542 543 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 544 545 } 546 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 547 548 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 549 /* 550 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 551 */ 552 static void add_zeros_and_len_padding( unsigned char *output, 553 size_t output_len, size_t data_len ) 554 { 555 size_t padding_len = output_len - data_len; 556 unsigned char i = 0; 557 558 for( i = 1; i < padding_len; i++ ) 559 output[data_len + i - 1] = 0x00; 560 output[output_len - 1] = (unsigned char) padding_len; 561 } 562 563 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len, 564 size_t *data_len ) 565 { 566 size_t i, pad_idx; 567 unsigned char padding_len, bad = 0; 568 569 if( NULL == input || NULL == data_len ) 570 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 571 572 padding_len = input[input_len - 1]; 573 *data_len = input_len - padding_len; 574 575 /* Avoid logical || since it results in a branch */ 576 bad |= padding_len > input_len; 577 bad |= padding_len == 0; 578 579 /* The number of bytes checked must be independent of padding_len */ 580 pad_idx = input_len - padding_len; 581 for( i = 0; i < input_len - 1; i++ ) 582 bad |= input[i] * ( i >= pad_idx ); 583 584 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 585 } 586 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 587 588 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 589 /* 590 * Zero padding: fill with 00 ... 00 591 */ 592 static void add_zeros_padding( unsigned char *output, 593 size_t output_len, size_t data_len ) 594 { 595 size_t i; 596 597 for( i = data_len; i < output_len; i++ ) 598 output[i] = 0x00; 599 } 600 601 static int get_zeros_padding( unsigned char *input, size_t input_len, 602 size_t *data_len ) 603 { 604 size_t i; 605 unsigned char done = 0, prev_done; 606 607 if( NULL == input || NULL == data_len ) 608 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 609 610 *data_len = 0; 611 for( i = input_len; i > 0; i-- ) 612 { 613 prev_done = done; 614 done |= ( input[i-1] != 0 ); 615 *data_len |= i * ( done != prev_done ); 616 } 617 618 return( 0 ); 619 } 620 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 621 622 /* 623 * No padding: don't pad :) 624 * 625 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 626 * but a trivial get_padding function 627 */ 628 static int get_no_padding( unsigned char *input, size_t input_len, 629 size_t *data_len ) 630 { 631 if( NULL == input || NULL == data_len ) 632 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 633 634 *data_len = input_len; 635 636 return( 0 ); 637 } 638 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 639 640 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx, 641 unsigned char *output, size_t *olen ) 642 { 643 if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen ) 644 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 645 646 *olen = 0; 647 648 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 649 MBEDTLS_MODE_CTR == ctx->cipher_info->mode || 650 MBEDTLS_MODE_GCM == ctx->cipher_info->mode || 651 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode ) 652 { 653 return( 0 ); 654 } 655 656 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode ) 657 { 658 if( ctx->unprocessed_len != 0 ) 659 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 660 661 return( 0 ); 662 } 663 664 #if defined(MBEDTLS_CIPHER_MODE_CBC) 665 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode ) 666 { 667 int ret = 0; 668 669 if( MBEDTLS_ENCRYPT == ctx->operation ) 670 { 671 /* check for 'no padding' mode */ 672 if( NULL == ctx->add_padding ) 673 { 674 if( 0 != ctx->unprocessed_len ) 675 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 676 677 return( 0 ); 678 } 679 680 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ), 681 ctx->unprocessed_len ); 682 } 683 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len ) 684 { 685 /* 686 * For decrypt operations, expect a full block, 687 * or an empty block if no padding 688 */ 689 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len ) 690 return( 0 ); 691 692 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 693 } 694 695 /* cipher block */ 696 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 697 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv, 698 ctx->unprocessed_data, output ) ) ) 699 { 700 return( ret ); 701 } 702 703 /* Set output size for decryption */ 704 if( MBEDTLS_DECRYPT == ctx->operation ) 705 return ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ), 706 olen ); 707 708 /* Set output size for encryption */ 709 *olen = mbedtls_cipher_get_block_size( ctx ); 710 return( 0 ); 711 } 712 #else 713 ((void) output); 714 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 715 716 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 717 } 718 719 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 720 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode ) 721 { 722 if( NULL == ctx || 723 MBEDTLS_MODE_CBC != ctx->cipher_info->mode ) 724 { 725 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 726 } 727 728 switch( mode ) 729 { 730 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 731 case MBEDTLS_PADDING_PKCS7: 732 ctx->add_padding = add_pkcs_padding; 733 ctx->get_padding = get_pkcs_padding; 734 break; 735 #endif 736 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 737 case MBEDTLS_PADDING_ONE_AND_ZEROS: 738 ctx->add_padding = add_one_and_zeros_padding; 739 ctx->get_padding = get_one_and_zeros_padding; 740 break; 741 #endif 742 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 743 case MBEDTLS_PADDING_ZEROS_AND_LEN: 744 ctx->add_padding = add_zeros_and_len_padding; 745 ctx->get_padding = get_zeros_and_len_padding; 746 break; 747 #endif 748 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 749 case MBEDTLS_PADDING_ZEROS: 750 ctx->add_padding = add_zeros_padding; 751 ctx->get_padding = get_zeros_padding; 752 break; 753 #endif 754 case MBEDTLS_PADDING_NONE: 755 ctx->add_padding = NULL; 756 ctx->get_padding = get_no_padding; 757 break; 758 759 default: 760 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 761 } 762 763 return( 0 ); 764 } 765 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 766 767 #if defined(MBEDTLS_GCM_C) 768 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx, 769 unsigned char *tag, size_t tag_len ) 770 { 771 if( NULL == ctx || NULL == ctx->cipher_info || NULL == tag ) 772 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 773 774 if( MBEDTLS_ENCRYPT != ctx->operation ) 775 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 776 777 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 778 return mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, tag, tag_len ); 779 780 return( 0 ); 781 } 782 783 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, 784 const unsigned char *tag, size_t tag_len ) 785 { 786 int ret; 787 788 if( NULL == ctx || NULL == ctx->cipher_info || 789 MBEDTLS_DECRYPT != ctx->operation ) 790 { 791 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 792 } 793 794 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 795 { 796 unsigned char check_tag[16]; 797 size_t i; 798 int diff; 799 800 if( tag_len > sizeof( check_tag ) ) 801 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 802 803 if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, 804 check_tag, tag_len ) ) ) 805 { 806 return( ret ); 807 } 808 809 /* Check the tag in "constant-time" */ 810 for( diff = 0, i = 0; i < tag_len; i++ ) 811 diff |= tag[i] ^ check_tag[i]; 812 813 if( diff != 0 ) 814 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); 815 816 return( 0 ); 817 } 818 819 return( 0 ); 820 } 821 #endif /* MBEDTLS_GCM_C */ 822 823 /* 824 * Packet-oriented wrapper for non-AEAD modes 825 */ 826 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, 827 const unsigned char *iv, size_t iv_len, 828 const unsigned char *input, size_t ilen, 829 unsigned char *output, size_t *olen ) 830 { 831 int ret; 832 size_t finish_olen; 833 834 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 ) 835 return( ret ); 836 837 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 ) 838 return( ret ); 839 840 if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 ) 841 return( ret ); 842 843 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 ) 844 return( ret ); 845 846 *olen += finish_olen; 847 848 return( 0 ); 849 } 850 851 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 852 /* 853 * Packet-oriented encryption for AEAD modes 854 */ 855 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, 856 const unsigned char *iv, size_t iv_len, 857 const unsigned char *ad, size_t ad_len, 858 const unsigned char *input, size_t ilen, 859 unsigned char *output, size_t *olen, 860 unsigned char *tag, size_t tag_len ) 861 { 862 #if defined(MBEDTLS_GCM_C) 863 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 864 { 865 *olen = ilen; 866 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen, 867 iv, iv_len, ad, ad_len, input, output, 868 tag_len, tag ) ); 869 } 870 #endif /* MBEDTLS_GCM_C */ 871 #if defined(MBEDTLS_CCM_C) 872 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode ) 873 { 874 *olen = ilen; 875 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen, 876 iv, iv_len, ad, ad_len, input, output, 877 tag, tag_len ) ); 878 } 879 #endif /* MBEDTLS_CCM_C */ 880 881 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 882 } 883 884 /* 885 * Packet-oriented decryption for AEAD modes 886 */ 887 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, 888 const unsigned char *iv, size_t iv_len, 889 const unsigned char *ad, size_t ad_len, 890 const unsigned char *input, size_t ilen, 891 unsigned char *output, size_t *olen, 892 const unsigned char *tag, size_t tag_len ) 893 { 894 #if defined(MBEDTLS_GCM_C) 895 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 896 { 897 int ret; 898 899 *olen = ilen; 900 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen, 901 iv, iv_len, ad, ad_len, 902 tag, tag_len, input, output ); 903 904 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED ) 905 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 906 907 return( ret ); 908 } 909 #endif /* MBEDTLS_GCM_C */ 910 #if defined(MBEDTLS_CCM_C) 911 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode ) 912 { 913 int ret; 914 915 *olen = ilen; 916 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen, 917 iv, iv_len, ad, ad_len, 918 input, output, tag, tag_len ); 919 920 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED ) 921 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 922 923 return( ret ); 924 } 925 #endif /* MBEDTLS_CCM_C */ 926 927 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 928 } 929 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 930 931 #endif /* MBEDTLS_CIPHER_C */ 932