xref: /reactos/dll/3rdparty/mbedtls/cipher.c (revision cc7cf826)
1 /**
2  * \file cipher.c
3  *
4  * \brief Generic cipher wrapper for mbed TLS
5  *
6  * \author Adriaan de Jong <dejong@fox-it.com>
7  *
8  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
9  *  SPDX-License-Identifier: GPL-2.0
10  *
11  *  This program is free software; you can redistribute it and/or modify
12  *  it under the terms of the GNU General Public License as published by
13  *  the Free Software Foundation; either version 2 of the License, or
14  *  (at your option) any later version.
15  *
16  *  This program is distributed in the hope that it will be useful,
17  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
18  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19  *  GNU General Public License for more details.
20  *
21  *  You should have received a copy of the GNU General Public License along
22  *  with this program; if not, write to the Free Software Foundation, Inc.,
23  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  *
25  *  This file is part of mbed TLS (https://tls.mbed.org)
26  */
27 
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
30 #else
31 #include MBEDTLS_CONFIG_FILE
32 #endif
33 
34 #if defined(MBEDTLS_CIPHER_C)
35 
36 #include "mbedtls/cipher.h"
37 #include "mbedtls/cipher_internal.h"
38 
39 #include <stdlib.h>
40 #include <string.h>
41 
42 #if defined(MBEDTLS_GCM_C)
43 #include "mbedtls/gcm.h"
44 #endif
45 
46 #if defined(MBEDTLS_CCM_C)
47 #include "mbedtls/ccm.h"
48 #endif
49 
50 #if defined(MBEDTLS_CMAC_C)
51 #include "mbedtls/cmac.h"
52 #endif
53 
54 #if defined(MBEDTLS_PLATFORM_C)
55 #include "mbedtls/platform.h"
56 #else
57 #define mbedtls_calloc calloc
58 #define mbedtls_free   free
59 #endif
60 
61 /* Implementation that should never be optimized out by the compiler */
62 static void mbedtls_zeroize( void *v, size_t n ) {
63     volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
64 }
65 
66 static int supported_init = 0;
67 
68 const int *mbedtls_cipher_list( void )
69 {
70     const mbedtls_cipher_definition_t *def;
71     int *type;
72 
73     if( ! supported_init )
74     {
75         def = mbedtls_cipher_definitions;
76         type = mbedtls_cipher_supported;
77 
78         while( def->type != 0 )
79             *type++ = (*def++).type;
80 
81         *type = 0;
82 
83         supported_init = 1;
84     }
85 
86     return( mbedtls_cipher_supported );
87 }
88 
89 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type )
90 {
91     const mbedtls_cipher_definition_t *def;
92 
93     for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
94         if( def->type == cipher_type )
95             return( def->info );
96 
97     return( NULL );
98 }
99 
100 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name )
101 {
102     const mbedtls_cipher_definition_t *def;
103 
104     if( NULL == cipher_name )
105         return( NULL );
106 
107     for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
108         if( !  strcmp( def->info->name, cipher_name ) )
109             return( def->info );
110 
111     return( NULL );
112 }
113 
114 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
115                                               int key_bitlen,
116                                               const mbedtls_cipher_mode_t mode )
117 {
118     const mbedtls_cipher_definition_t *def;
119 
120     for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
121         if( def->info->base->cipher == cipher_id &&
122             def->info->key_bitlen == (unsigned) key_bitlen &&
123             def->info->mode == mode )
124             return( def->info );
125 
126     return( NULL );
127 }
128 
129 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
130 {
131     memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
132 }
133 
134 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
135 {
136     if( ctx == NULL )
137         return;
138 
139 #if defined(MBEDTLS_CMAC_C)
140     if( ctx->cmac_ctx )
141     {
142        mbedtls_zeroize( ctx->cmac_ctx, sizeof( mbedtls_cmac_context_t ) );
143        mbedtls_free( ctx->cmac_ctx );
144     }
145 #endif
146 
147     if( ctx->cipher_ctx )
148         ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
149 
150     mbedtls_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
151 }
152 
153 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
154 {
155     if( NULL == cipher_info || NULL == ctx )
156         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
157 
158     memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
159 
160     if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
161         return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
162 
163     ctx->cipher_info = cipher_info;
164 
165 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
166     /*
167      * Ignore possible errors caused by a cipher mode that doesn't use padding
168      */
169 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
170     (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
171 #else
172     (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
173 #endif
174 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
175 
176     return( 0 );
177 }
178 
179 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key,
180         int key_bitlen, const mbedtls_operation_t operation )
181 {
182     if( NULL == ctx || NULL == ctx->cipher_info )
183         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
184 
185     if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
186         (int) ctx->cipher_info->key_bitlen != key_bitlen )
187     {
188         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
189     }
190 
191     ctx->key_bitlen = key_bitlen;
192     ctx->operation = operation;
193 
194     /*
195      * For CFB and CTR mode always use the encryption key schedule
196      */
197     if( MBEDTLS_ENCRYPT == operation ||
198         MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
199         MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
200     {
201         return ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
202                 ctx->key_bitlen );
203     }
204 
205     if( MBEDTLS_DECRYPT == operation )
206         return ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
207                 ctx->key_bitlen );
208 
209     return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
210 }
211 
212 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
213                    const unsigned char *iv, size_t iv_len )
214 {
215     size_t actual_iv_size;
216     if( NULL == ctx || NULL == ctx->cipher_info )
217         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
218     else if( NULL == iv && iv_len != 0  )
219         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
220 
221     if( NULL == iv && iv_len == 0 )
222         ctx->iv_size = 0;
223 
224     /* avoid buffer overflow in ctx->iv */
225     if( iv_len > MBEDTLS_MAX_IV_LENGTH )
226         return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
227 
228     if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
229         actual_iv_size = iv_len;
230     else
231     {
232         actual_iv_size = ctx->cipher_info->iv_size;
233 
234         /* avoid reading past the end of input buffer */
235         if( actual_iv_size > iv_len )
236             return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
237     }
238     if ( actual_iv_size != 0 )
239     {
240         memcpy( ctx->iv, iv, actual_iv_size );
241         ctx->iv_size = actual_iv_size;
242     }
243 
244     return( 0 );
245 }
246 
247 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
248 {
249     if( NULL == ctx || NULL == ctx->cipher_info )
250         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
251 
252     ctx->unprocessed_len = 0;
253 
254     return( 0 );
255 }
256 
257 #if defined(MBEDTLS_GCM_C)
258 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
259                       const unsigned char *ad, size_t ad_len )
260 {
261     if( NULL == ctx || NULL == ctx->cipher_info )
262         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
263 
264     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
265     {
266         return mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
267                            ctx->iv, ctx->iv_size, ad, ad_len );
268     }
269 
270     return( 0 );
271 }
272 #endif /* MBEDTLS_GCM_C */
273 
274 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
275                    size_t ilen, unsigned char *output, size_t *olen )
276 {
277     int ret;
278     size_t block_size = 0;
279 
280     if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
281     {
282         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
283     }
284 
285     *olen = 0;
286     block_size = mbedtls_cipher_get_block_size( ctx );
287     if ( 0 == block_size )
288     {
289         return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
290     }
291 
292     if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
293     {
294         if( ilen != block_size )
295             return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
296 
297         *olen = ilen;
298 
299         if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
300                     ctx->operation, input, output ) ) )
301         {
302             return( ret );
303         }
304 
305         return( 0 );
306     }
307 
308 #if defined(MBEDTLS_GCM_C)
309     if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
310     {
311         *olen = ilen;
312         return mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
313                            output );
314     }
315 #endif
316 
317     if( input == output &&
318        ( ctx->unprocessed_len != 0 || ilen % block_size ) )
319     {
320         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
321     }
322 
323 #if defined(MBEDTLS_CIPHER_MODE_CBC)
324     if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
325     {
326         size_t copy_len = 0;
327 
328         /*
329          * If there is not enough data for a full block, cache it.
330          */
331         if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
332                 ilen <= block_size - ctx->unprocessed_len ) ||
333             ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
334                 ilen < block_size - ctx->unprocessed_len ) ||
335              ( ctx->operation == MBEDTLS_ENCRYPT &&
336                 ilen < block_size - ctx->unprocessed_len ) )
337         {
338             memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
339                     ilen );
340 
341             ctx->unprocessed_len += ilen;
342             return( 0 );
343         }
344 
345         /*
346          * Process cached data first
347          */
348         if( 0 != ctx->unprocessed_len )
349         {
350             copy_len = block_size - ctx->unprocessed_len;
351 
352             memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
353                     copy_len );
354 
355             if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
356                     ctx->operation, block_size, ctx->iv,
357                     ctx->unprocessed_data, output ) ) )
358             {
359                 return( ret );
360             }
361 
362             *olen += block_size;
363             output += block_size;
364             ctx->unprocessed_len = 0;
365 
366             input += copy_len;
367             ilen -= copy_len;
368         }
369 
370         /*
371          * Cache final, incomplete block
372          */
373         if( 0 != ilen )
374         {
375             /* Encryption: only cache partial blocks
376              * Decryption w/ padding: always keep at least one whole block
377              * Decryption w/o padding: only cache partial blocks
378              */
379             copy_len = ilen % block_size;
380             if( copy_len == 0 &&
381                 ctx->operation == MBEDTLS_DECRYPT &&
382                 NULL != ctx->add_padding)
383             {
384                 copy_len = block_size;
385             }
386 
387             memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
388                     copy_len );
389 
390             ctx->unprocessed_len += copy_len;
391             ilen -= copy_len;
392         }
393 
394         /*
395          * Process remaining full blocks
396          */
397         if( ilen )
398         {
399             if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
400                     ctx->operation, ilen, ctx->iv, input, output ) ) )
401             {
402                 return( ret );
403             }
404 
405             *olen += ilen;
406         }
407 
408         return( 0 );
409     }
410 #endif /* MBEDTLS_CIPHER_MODE_CBC */
411 
412 #if defined(MBEDTLS_CIPHER_MODE_CFB)
413     if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
414     {
415         if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
416                 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
417                 input, output ) ) )
418         {
419             return( ret );
420         }
421 
422         *olen = ilen;
423 
424         return( 0 );
425     }
426 #endif /* MBEDTLS_CIPHER_MODE_CFB */
427 
428 #if defined(MBEDTLS_CIPHER_MODE_CTR)
429     if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
430     {
431         if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
432                 ilen, &ctx->unprocessed_len, ctx->iv,
433                 ctx->unprocessed_data, input, output ) ) )
434         {
435             return( ret );
436         }
437 
438         *olen = ilen;
439 
440         return( 0 );
441     }
442 #endif /* MBEDTLS_CIPHER_MODE_CTR */
443 
444 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
445     if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
446     {
447         if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
448                                                     ilen, input, output ) ) )
449         {
450             return( ret );
451         }
452 
453         *olen = ilen;
454 
455         return( 0 );
456     }
457 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
458 
459     return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
460 }
461 
462 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
463 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
464 /*
465  * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
466  */
467 static void add_pkcs_padding( unsigned char *output, size_t output_len,
468         size_t data_len )
469 {
470     size_t padding_len = output_len - data_len;
471     unsigned char i;
472 
473     for( i = 0; i < padding_len; i++ )
474         output[data_len + i] = (unsigned char) padding_len;
475 }
476 
477 static int get_pkcs_padding( unsigned char *input, size_t input_len,
478         size_t *data_len )
479 {
480     size_t i, pad_idx;
481     unsigned char padding_len, bad = 0;
482 
483     if( NULL == input || NULL == data_len )
484         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
485 
486     padding_len = input[input_len - 1];
487     *data_len = input_len - padding_len;
488 
489     /* Avoid logical || since it results in a branch */
490     bad |= padding_len > input_len;
491     bad |= padding_len == 0;
492 
493     /* The number of bytes checked must be independent of padding_len,
494      * so pick input_len, which is usually 8 or 16 (one block) */
495     pad_idx = input_len - padding_len;
496     for( i = 0; i < input_len; i++ )
497         bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
498 
499     return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
500 }
501 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
502 
503 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
504 /*
505  * One and zeros padding: fill with 80 00 ... 00
506  */
507 static void add_one_and_zeros_padding( unsigned char *output,
508                                        size_t output_len, size_t data_len )
509 {
510     size_t padding_len = output_len - data_len;
511     unsigned char i = 0;
512 
513     output[data_len] = 0x80;
514     for( i = 1; i < padding_len; i++ )
515         output[data_len + i] = 0x00;
516 }
517 
518 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
519                                       size_t *data_len )
520 {
521     size_t i;
522     unsigned char done = 0, prev_done, bad;
523 
524     if( NULL == input || NULL == data_len )
525         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
526 
527     bad = 0x80;
528     *data_len = 0;
529     for( i = input_len; i > 0; i-- )
530     {
531         prev_done = done;
532         done |= ( input[i - 1] != 0 );
533         *data_len |= ( i - 1 ) * ( done != prev_done );
534         bad ^= input[i - 1] * ( done != prev_done );
535     }
536 
537     return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
538 
539 }
540 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
541 
542 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
543 /*
544  * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
545  */
546 static void add_zeros_and_len_padding( unsigned char *output,
547                                        size_t output_len, size_t data_len )
548 {
549     size_t padding_len = output_len - data_len;
550     unsigned char i = 0;
551 
552     for( i = 1; i < padding_len; i++ )
553         output[data_len + i - 1] = 0x00;
554     output[output_len - 1] = (unsigned char) padding_len;
555 }
556 
557 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
558                                       size_t *data_len )
559 {
560     size_t i, pad_idx;
561     unsigned char padding_len, bad = 0;
562 
563     if( NULL == input || NULL == data_len )
564         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
565 
566     padding_len = input[input_len - 1];
567     *data_len = input_len - padding_len;
568 
569     /* Avoid logical || since it results in a branch */
570     bad |= padding_len > input_len;
571     bad |= padding_len == 0;
572 
573     /* The number of bytes checked must be independent of padding_len */
574     pad_idx = input_len - padding_len;
575     for( i = 0; i < input_len - 1; i++ )
576         bad |= input[i] * ( i >= pad_idx );
577 
578     return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
579 }
580 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
581 
582 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
583 /*
584  * Zero padding: fill with 00 ... 00
585  */
586 static void add_zeros_padding( unsigned char *output,
587                                size_t output_len, size_t data_len )
588 {
589     size_t i;
590 
591     for( i = data_len; i < output_len; i++ )
592         output[i] = 0x00;
593 }
594 
595 static int get_zeros_padding( unsigned char *input, size_t input_len,
596                               size_t *data_len )
597 {
598     size_t i;
599     unsigned char done = 0, prev_done;
600 
601     if( NULL == input || NULL == data_len )
602         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
603 
604     *data_len = 0;
605     for( i = input_len; i > 0; i-- )
606     {
607         prev_done = done;
608         done |= ( input[i-1] != 0 );
609         *data_len |= i * ( done != prev_done );
610     }
611 
612     return( 0 );
613 }
614 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
615 
616 /*
617  * No padding: don't pad :)
618  *
619  * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
620  * but a trivial get_padding function
621  */
622 static int get_no_padding( unsigned char *input, size_t input_len,
623                               size_t *data_len )
624 {
625     if( NULL == input || NULL == data_len )
626         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
627 
628     *data_len = input_len;
629 
630     return( 0 );
631 }
632 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
633 
634 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
635                    unsigned char *output, size_t *olen )
636 {
637     if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
638         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
639 
640     *olen = 0;
641 
642     if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
643         MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
644         MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
645         MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
646     {
647         return( 0 );
648     }
649 
650     if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
651     {
652         if( ctx->unprocessed_len != 0 )
653             return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
654 
655         return( 0 );
656     }
657 
658 #if defined(MBEDTLS_CIPHER_MODE_CBC)
659     if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
660     {
661         int ret = 0;
662 
663         if( MBEDTLS_ENCRYPT == ctx->operation )
664         {
665             /* check for 'no padding' mode */
666             if( NULL == ctx->add_padding )
667             {
668                 if( 0 != ctx->unprocessed_len )
669                     return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
670 
671                 return( 0 );
672             }
673 
674             ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
675                     ctx->unprocessed_len );
676         }
677         else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
678         {
679             /*
680              * For decrypt operations, expect a full block,
681              * or an empty block if no padding
682              */
683             if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
684                 return( 0 );
685 
686             return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
687         }
688 
689         /* cipher block */
690         if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
691                 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
692                 ctx->unprocessed_data, output ) ) )
693         {
694             return( ret );
695         }
696 
697         /* Set output size for decryption */
698         if( MBEDTLS_DECRYPT == ctx->operation )
699             return ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
700                                      olen );
701 
702         /* Set output size for encryption */
703         *olen = mbedtls_cipher_get_block_size( ctx );
704         return( 0 );
705     }
706 #else
707     ((void) output);
708 #endif /* MBEDTLS_CIPHER_MODE_CBC */
709 
710     return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
711 }
712 
713 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
714 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode )
715 {
716     if( NULL == ctx ||
717         MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
718     {
719         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
720     }
721 
722     switch( mode )
723     {
724 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
725     case MBEDTLS_PADDING_PKCS7:
726         ctx->add_padding = add_pkcs_padding;
727         ctx->get_padding = get_pkcs_padding;
728         break;
729 #endif
730 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
731     case MBEDTLS_PADDING_ONE_AND_ZEROS:
732         ctx->add_padding = add_one_and_zeros_padding;
733         ctx->get_padding = get_one_and_zeros_padding;
734         break;
735 #endif
736 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
737     case MBEDTLS_PADDING_ZEROS_AND_LEN:
738         ctx->add_padding = add_zeros_and_len_padding;
739         ctx->get_padding = get_zeros_and_len_padding;
740         break;
741 #endif
742 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
743     case MBEDTLS_PADDING_ZEROS:
744         ctx->add_padding = add_zeros_padding;
745         ctx->get_padding = get_zeros_padding;
746         break;
747 #endif
748     case MBEDTLS_PADDING_NONE:
749         ctx->add_padding = NULL;
750         ctx->get_padding = get_no_padding;
751         break;
752 
753     default:
754         return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
755     }
756 
757     return( 0 );
758 }
759 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
760 
761 #if defined(MBEDTLS_GCM_C)
762 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
763                       unsigned char *tag, size_t tag_len )
764 {
765     if( NULL == ctx || NULL == ctx->cipher_info || NULL == tag )
766         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
767 
768     if( MBEDTLS_ENCRYPT != ctx->operation )
769         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
770 
771     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
772         return mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, tag, tag_len );
773 
774     return( 0 );
775 }
776 
777 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
778                       const unsigned char *tag, size_t tag_len )
779 {
780     int ret;
781 
782     if( NULL == ctx || NULL == ctx->cipher_info ||
783         MBEDTLS_DECRYPT != ctx->operation )
784     {
785         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
786     }
787 
788     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
789     {
790         unsigned char check_tag[16];
791         size_t i;
792         int diff;
793 
794         if( tag_len > sizeof( check_tag ) )
795             return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
796 
797         if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
798                                      check_tag, tag_len ) ) )
799         {
800             return( ret );
801         }
802 
803         /* Check the tag in "constant-time" */
804         for( diff = 0, i = 0; i < tag_len; i++ )
805             diff |= tag[i] ^ check_tag[i];
806 
807         if( diff != 0 )
808             return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
809 
810         return( 0 );
811     }
812 
813     return( 0 );
814 }
815 #endif /* MBEDTLS_GCM_C */
816 
817 /*
818  * Packet-oriented wrapper for non-AEAD modes
819  */
820 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
821                   const unsigned char *iv, size_t iv_len,
822                   const unsigned char *input, size_t ilen,
823                   unsigned char *output, size_t *olen )
824 {
825     int ret;
826     size_t finish_olen;
827 
828     if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
829         return( ret );
830 
831     if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
832         return( ret );
833 
834     if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
835         return( ret );
836 
837     if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
838         return( ret );
839 
840     *olen += finish_olen;
841 
842     return( 0 );
843 }
844 
845 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
846 /*
847  * Packet-oriented encryption for AEAD modes
848  */
849 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
850                          const unsigned char *iv, size_t iv_len,
851                          const unsigned char *ad, size_t ad_len,
852                          const unsigned char *input, size_t ilen,
853                          unsigned char *output, size_t *olen,
854                          unsigned char *tag, size_t tag_len )
855 {
856 #if defined(MBEDTLS_GCM_C)
857     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
858     {
859         *olen = ilen;
860         return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
861                                    iv, iv_len, ad, ad_len, input, output,
862                                    tag_len, tag ) );
863     }
864 #endif /* MBEDTLS_GCM_C */
865 #if defined(MBEDTLS_CCM_C)
866     if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
867     {
868         *olen = ilen;
869         return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
870                                      iv, iv_len, ad, ad_len, input, output,
871                                      tag, tag_len ) );
872     }
873 #endif /* MBEDTLS_CCM_C */
874 
875     return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
876 }
877 
878 /*
879  * Packet-oriented decryption for AEAD modes
880  */
881 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
882                          const unsigned char *iv, size_t iv_len,
883                          const unsigned char *ad, size_t ad_len,
884                          const unsigned char *input, size_t ilen,
885                          unsigned char *output, size_t *olen,
886                          const unsigned char *tag, size_t tag_len )
887 {
888 #if defined(MBEDTLS_GCM_C)
889     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
890     {
891         int ret;
892 
893         *olen = ilen;
894         ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
895                                 iv, iv_len, ad, ad_len,
896                                 tag, tag_len, input, output );
897 
898         if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
899             ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
900 
901         return( ret );
902     }
903 #endif /* MBEDTLS_GCM_C */
904 #if defined(MBEDTLS_CCM_C)
905     if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
906     {
907         int ret;
908 
909         *olen = ilen;
910         ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
911                                 iv, iv_len, ad, ad_len,
912                                 input, output, tag, tag_len );
913 
914         if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
915             ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
916 
917         return( ret );
918     }
919 #endif /* MBEDTLS_CCM_C */
920 
921     return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
922 }
923 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
924 
925 #endif /* MBEDTLS_CIPHER_C */
926