1 /**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for Mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 */
11
12 #include "common.h"
13
14 #if defined(MBEDTLS_CIPHER_C)
15
16 #include "mbedtls/cipher.h"
17 #include "cipher_invasive.h"
18 #include "cipher_wrap.h"
19 #include "mbedtls/platform_util.h"
20 #include "mbedtls/error.h"
21 #include "mbedtls/constant_time.h"
22 #include "constant_time_internal.h"
23
24 #include <stdlib.h>
25 #include <string.h>
26
27 #if defined(MBEDTLS_CHACHAPOLY_C)
28 #include "mbedtls/chachapoly.h"
29 #endif
30
31 #if defined(MBEDTLS_GCM_C)
32 #include "mbedtls/gcm.h"
33 #endif
34
35 #if defined(MBEDTLS_CCM_C)
36 #include "mbedtls/ccm.h"
37 #endif
38
39 #if defined(MBEDTLS_CHACHA20_C)
40 #include "mbedtls/chacha20.h"
41 #endif
42
43 #if defined(MBEDTLS_CMAC_C)
44 #include "mbedtls/cmac.h"
45 #endif
46
47 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
48 #include "psa/crypto.h"
49 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
50
51 #if defined(MBEDTLS_NIST_KW_C)
52 #include "mbedtls/nist_kw.h"
53 #endif
54
55 #include "mbedtls/platform.h"
56
57 static int supported_init = 0;
58
mbedtls_cipher_get_base(const mbedtls_cipher_info_t * info)59 static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base(
60 const mbedtls_cipher_info_t *info)
61 {
62 return mbedtls_cipher_base_lookup_table[info->base_idx];
63 }
64
mbedtls_cipher_list(void)65 const int *mbedtls_cipher_list(void)
66 {
67 const mbedtls_cipher_definition_t *def;
68 int *type;
69
70 if (!supported_init) {
71 def = mbedtls_cipher_definitions;
72 type = mbedtls_cipher_supported;
73
74 while (def->type != 0) {
75 *type++ = (*def++).type;
76 }
77
78 *type = 0;
79
80 supported_init = 1;
81 }
82
83 return mbedtls_cipher_supported;
84 }
85
mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)86 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
87 const mbedtls_cipher_type_t cipher_type)
88 {
89 const mbedtls_cipher_definition_t *def;
90
91 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
92 if (def->type == cipher_type) {
93 return def->info;
94 }
95 }
96
97 return NULL;
98 }
99
mbedtls_cipher_info_from_string(const char * cipher_name)100 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
101 const char *cipher_name)
102 {
103 const mbedtls_cipher_definition_t *def;
104
105 if (NULL == cipher_name) {
106 return NULL;
107 }
108
109 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
110 if (!strcmp(def->info->name, cipher_name)) {
111 return def->info;
112 }
113 }
114
115 return NULL;
116 }
117
mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,int key_bitlen,const mbedtls_cipher_mode_t mode)118 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
119 const mbedtls_cipher_id_t cipher_id,
120 int key_bitlen,
121 const mbedtls_cipher_mode_t mode)
122 {
123 const mbedtls_cipher_definition_t *def;
124
125 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
126 if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id &&
127 mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen &&
128 def->info->mode == mode) {
129 return def->info;
130 }
131 }
132
133 return NULL;
134 }
135
136 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_psa_translate_cipher_type(mbedtls_cipher_type_t cipher)137 static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
138 mbedtls_cipher_type_t cipher)
139 {
140 switch (cipher) {
141 case MBEDTLS_CIPHER_AES_128_CCM:
142 case MBEDTLS_CIPHER_AES_192_CCM:
143 case MBEDTLS_CIPHER_AES_256_CCM:
144 case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:
145 case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:
146 case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:
147 case MBEDTLS_CIPHER_AES_128_GCM:
148 case MBEDTLS_CIPHER_AES_192_GCM:
149 case MBEDTLS_CIPHER_AES_256_GCM:
150 case MBEDTLS_CIPHER_AES_128_CBC:
151 case MBEDTLS_CIPHER_AES_192_CBC:
152 case MBEDTLS_CIPHER_AES_256_CBC:
153 case MBEDTLS_CIPHER_AES_128_ECB:
154 case MBEDTLS_CIPHER_AES_192_ECB:
155 case MBEDTLS_CIPHER_AES_256_ECB:
156 return PSA_KEY_TYPE_AES;
157
158 /* ARIA not yet supported in PSA. */
159 /* case MBEDTLS_CIPHER_ARIA_128_CCM:
160 case MBEDTLS_CIPHER_ARIA_192_CCM:
161 case MBEDTLS_CIPHER_ARIA_256_CCM:
162 case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:
163 case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:
164 case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:
165 case MBEDTLS_CIPHER_ARIA_128_GCM:
166 case MBEDTLS_CIPHER_ARIA_192_GCM:
167 case MBEDTLS_CIPHER_ARIA_256_GCM:
168 case MBEDTLS_CIPHER_ARIA_128_CBC:
169 case MBEDTLS_CIPHER_ARIA_192_CBC:
170 case MBEDTLS_CIPHER_ARIA_256_CBC:
171 return( PSA_KEY_TYPE_ARIA ); */
172
173 default:
174 return 0;
175 }
176 }
177
mbedtls_psa_translate_cipher_mode(mbedtls_cipher_mode_t mode,size_t taglen)178 static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
179 mbedtls_cipher_mode_t mode, size_t taglen)
180 {
181 switch (mode) {
182 case MBEDTLS_MODE_ECB:
183 return PSA_ALG_ECB_NO_PADDING;
184 case MBEDTLS_MODE_GCM:
185 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen);
186 case MBEDTLS_MODE_CCM:
187 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen);
188 case MBEDTLS_MODE_CCM_STAR_NO_TAG:
189 return PSA_ALG_CCM_STAR_NO_TAG;
190 case MBEDTLS_MODE_CBC:
191 if (taglen == 0) {
192 return PSA_ALG_CBC_NO_PADDING;
193 } else {
194 return 0;
195 }
196 default:
197 return 0;
198 }
199 }
200 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
201
mbedtls_cipher_init(mbedtls_cipher_context_t * ctx)202 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
203 {
204 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
205 }
206
mbedtls_cipher_free(mbedtls_cipher_context_t * ctx)207 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
208 {
209 if (ctx == NULL) {
210 return;
211 }
212
213 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
214 if (ctx->psa_enabled == 1) {
215 if (ctx->cipher_ctx != NULL) {
216 mbedtls_cipher_context_psa * const cipher_psa =
217 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
218
219 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
220 /* xxx_free() doesn't allow to return failures. */
221 (void) psa_destroy_key(cipher_psa->slot);
222 }
223
224 mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa));
225 }
226
227 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
228 return;
229 }
230 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
231
232 #if defined(MBEDTLS_CMAC_C)
233 if (ctx->cmac_ctx) {
234 mbedtls_zeroize_and_free(ctx->cmac_ctx,
235 sizeof(mbedtls_cmac_context_t));
236 }
237 #endif
238
239 if (ctx->cipher_ctx) {
240 mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx);
241 }
242
243 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
244 }
245
mbedtls_cipher_clone(mbedtls_cipher_context_t * dst,const mbedtls_cipher_context_t * src)246 int mbedtls_cipher_clone(mbedtls_cipher_context_t *dst,
247 const mbedtls_cipher_context_t *src)
248 {
249 if (dst == NULL || dst->cipher_info == NULL ||
250 src == NULL || src->cipher_info == NULL) {
251 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
252 }
253
254 dst->cipher_info = src->cipher_info;
255 dst->key_bitlen = src->key_bitlen;
256 dst->operation = src->operation;
257 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
258 dst->add_padding = src->add_padding;
259 dst->get_padding = src->get_padding;
260 #endif
261 memcpy(dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH);
262 dst->unprocessed_len = src->unprocessed_len;
263 memcpy(dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH);
264 dst->iv_size = src->iv_size;
265 if (mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func)
266 mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func(dst->cipher_ctx, src->cipher_ctx);
267
268 #if defined(MBEDTLS_CMAC_C)
269 if (dst->cmac_ctx != NULL && src->cmac_ctx != NULL)
270 memcpy(dst->cmac_ctx, src->cmac_ctx, sizeof(mbedtls_cmac_context_t));
271 #endif
272 return 0;
273 }
274
mbedtls_cipher_setup(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)275 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
276 const mbedtls_cipher_info_t *cipher_info)
277 {
278 if (cipher_info == NULL) {
279 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
280 }
281
282 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
283
284 if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) {
285 ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func();
286 if (ctx->cipher_ctx == NULL) {
287 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
288 }
289 }
290
291 ctx->cipher_info = cipher_info;
292
293 return 0;
294 }
295
296 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_cipher_setup_psa(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info,size_t taglen)297 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
298 const mbedtls_cipher_info_t *cipher_info,
299 size_t taglen)
300 {
301 psa_algorithm_t alg;
302 mbedtls_cipher_context_psa *cipher_psa;
303
304 if (NULL == cipher_info || NULL == ctx) {
305 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
306 }
307
308 /* Check that the underlying cipher mode and cipher type are
309 * supported by the underlying PSA Crypto implementation. */
310 alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen);
311 if (alg == 0) {
312 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
313 }
314 if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) {
315 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
316 }
317
318 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
319
320 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
321 if (cipher_psa == NULL) {
322 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
323 }
324 cipher_psa->alg = alg;
325 ctx->cipher_ctx = cipher_psa;
326 ctx->cipher_info = cipher_info;
327 ctx->psa_enabled = 1;
328 return 0;
329 }
330 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
331
mbedtls_cipher_setup_info(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)332 int mbedtls_cipher_setup_info(mbedtls_cipher_context_t *ctx,
333 const mbedtls_cipher_info_t *cipher_info)
334 {
335 if (NULL == cipher_info || NULL == ctx)
336 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
337
338 ctx->cipher_info = cipher_info;
339 return 0;
340 }
341
mbedtls_cipher_setkey(mbedtls_cipher_context_t * ctx,const unsigned char * key,int key_bitlen,const mbedtls_operation_t operation)342 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
343 const unsigned char *key,
344 int key_bitlen,
345 const mbedtls_operation_t operation)
346 {
347 if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) {
348 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
349 }
350 if (ctx->cipher_info == NULL) {
351 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
352 }
353 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
354 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) &&
355 MBEDTLS_DECRYPT == operation) {
356 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
357 }
358 #endif
359
360 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
361 if (ctx->psa_enabled == 1) {
362 mbedtls_cipher_context_psa * const cipher_psa =
363 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
364
365 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
366
367 psa_status_t status;
368 psa_key_type_t key_type;
369 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
370
371 /* PSA Crypto API only accepts byte-aligned keys. */
372 if (key_bitlen % 8 != 0) {
373 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
374 }
375
376 /* Don't allow keys to be set multiple times. */
377 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {
378 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
379 }
380
381 key_type = mbedtls_psa_translate_cipher_type(
382 ((mbedtls_cipher_type_t) ctx->cipher_info->type));
383 if (key_type == 0) {
384 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
385 }
386 psa_set_key_type(&attributes, key_type);
387
388 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
389 * (encrypt vs. decrypt): it is possible to setup a key for encryption
390 * and use it for AEAD decryption. Until tests relying on this
391 * are changed, allow any usage in PSA. */
392 psa_set_key_usage_flags(&attributes,
393 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
394 psa_set_key_algorithm(&attributes, cipher_psa->alg);
395
396 status = psa_import_key(&attributes, key, key_bytelen,
397 &cipher_psa->slot);
398 switch (status) {
399 case PSA_SUCCESS:
400 break;
401 case PSA_ERROR_INSUFFICIENT_MEMORY:
402 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
403 case PSA_ERROR_NOT_SUPPORTED:
404 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
405 default:
406 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
407 }
408 /* Indicate that we own the key slot and need to
409 * destroy it in mbedtls_cipher_free(). */
410 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
411
412 ctx->key_bitlen = key_bitlen;
413 ctx->operation = operation;
414 return 0;
415 }
416 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
417
418 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
419 (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) {
420 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
421 }
422
423 ctx->key_bitlen = key_bitlen;
424 ctx->operation = operation;
425
426 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
427 /*
428 * For OFB, CFB and CTR mode always use the encryption key schedule
429 */
430 if (MBEDTLS_ENCRYPT == operation ||
431 MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
432 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
433 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
434 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
435 ctx->key_bitlen);
436 }
437
438 if (MBEDTLS_DECRYPT == operation) {
439 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,
440 ctx->key_bitlen);
441 }
442 #else
443 if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) {
444 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
445 ctx->key_bitlen);
446 }
447 #endif
448
449 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
450 }
451
mbedtls_cipher_set_iv(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len)452 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
453 const unsigned char *iv,
454 size_t iv_len)
455 {
456 size_t actual_iv_size;
457
458 if (ctx->cipher_info == NULL) {
459 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
460 }
461 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
462 if (ctx->psa_enabled == 1) {
463 /* While PSA Crypto has an API for multipart
464 * operations, we currently don't make it
465 * accessible through the cipher layer. */
466 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
467 }
468 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
469
470 /* avoid buffer overflow in ctx->iv */
471 if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
472 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
473 }
474
475 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
476 actual_iv_size = iv_len;
477 } else {
478 actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info);
479
480 /* avoid reading past the end of input buffer */
481 if (actual_iv_size > iv_len) {
482 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
483 }
484 }
485
486 #if defined(MBEDTLS_CHACHA20_C)
487 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) {
488 /* Even though the actual_iv_size is overwritten with a correct value
489 * of 12 from the cipher info, return an error to indicate that
490 * the input iv_len is wrong. */
491 if (iv_len != 12) {
492 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
493 }
494
495 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,
496 iv,
497 0U)) { /* Initial counter value */
498 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
499 }
500 }
501 #if defined(MBEDTLS_CHACHAPOLY_C)
502 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
503 iv_len != 12) {
504 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
505 }
506 #endif
507 #endif
508
509 #if defined(MBEDTLS_GCM_C)
510 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
511 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx,
512 ctx->operation,
513 iv, iv_len);
514 }
515 #endif
516
517 #if defined(MBEDTLS_CCM_C)
518 if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
519 int set_lengths_result;
520 int ccm_star_mode;
521
522 set_lengths_result = mbedtls_ccm_set_lengths(
523 (mbedtls_ccm_context *) ctx->cipher_ctx,
524 0, 0, 0);
525 if (set_lengths_result != 0) {
526 return set_lengths_result;
527 }
528
529 if (ctx->operation == MBEDTLS_DECRYPT) {
530 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;
531 } else if (ctx->operation == MBEDTLS_ENCRYPT) {
532 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;
533 } else {
534 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
535 }
536
537 return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx,
538 ccm_star_mode,
539 iv, iv_len);
540 }
541 #endif
542
543 if (actual_iv_size != 0) {
544 memcpy(ctx->iv, iv, actual_iv_size);
545 ctx->iv_size = actual_iv_size;
546 }
547
548 return 0;
549 }
550
mbedtls_cipher_reset(mbedtls_cipher_context_t * ctx)551 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
552 {
553 if (ctx->cipher_info == NULL) {
554 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
555 }
556
557 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
558 if (ctx->psa_enabled == 1) {
559 /* We don't support resetting PSA-based
560 * cipher contexts, yet. */
561 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
562 }
563 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
564
565 ctx->unprocessed_len = 0;
566
567 return 0;
568 }
569
570 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_update_ad(mbedtls_cipher_context_t * ctx,const unsigned char * ad,size_t ad_len)571 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
572 const unsigned char *ad, size_t ad_len)
573 {
574 if (ctx->cipher_info == NULL) {
575 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
576 }
577
578 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
579 if (ctx->psa_enabled == 1) {
580 /* While PSA Crypto has an API for multipart
581 * operations, we currently don't make it
582 * accessible through the cipher layer. */
583 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
584 }
585 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
586
587 #if defined(MBEDTLS_GCM_C)
588 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
589 return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx,
590 ad, ad_len);
591 }
592 #endif
593
594 #if defined(MBEDTLS_CHACHAPOLY_C)
595 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
596 int result;
597 mbedtls_chachapoly_mode_t mode;
598
599 mode = (ctx->operation == MBEDTLS_ENCRYPT)
600 ? MBEDTLS_CHACHAPOLY_ENCRYPT
601 : MBEDTLS_CHACHAPOLY_DECRYPT;
602
603 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx,
604 ctx->iv,
605 mode);
606 if (result != 0) {
607 return result;
608 }
609
610 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
611 ad, ad_len);
612 }
613 #endif
614
615 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
616 }
617 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
618
mbedtls_cipher_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)619 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
620 size_t ilen, unsigned char *output, size_t *olen)
621 {
622 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
623 size_t block_size;
624
625 if (ctx->cipher_info == NULL) {
626 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
627 }
628
629 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
630 if (ctx->psa_enabled == 1) {
631 /* While PSA Crypto has an API for multipart
632 * operations, we currently don't make it
633 * accessible through the cipher layer. */
634 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
635 }
636 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
637
638 *olen = 0;
639 block_size = mbedtls_cipher_get_block_size(ctx);
640 if (0 == block_size) {
641 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
642 }
643
644 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) {
645 if (ilen != block_size) {
646 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
647 }
648
649 *olen = ilen;
650
651 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx,
652 ctx->operation, input,
653 output))) {
654 return ret;
655 }
656
657 return 0;
658 }
659
660 #if defined(MBEDTLS_GCM_C)
661 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) {
662 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx,
663 input, ilen,
664 output, ilen, olen);
665 }
666 #endif
667
668 #if defined(MBEDTLS_CCM_C)
669 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) {
670 return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx,
671 input, ilen,
672 output, ilen, olen);
673 }
674 #endif
675
676 #if defined(MBEDTLS_CHACHAPOLY_C)
677 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
678 *olen = ilen;
679 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
680 ilen, input, output);
681 }
682 #endif
683
684 if (input == output &&
685 (ctx->unprocessed_len != 0 || ilen % block_size)) {
686 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
687 }
688
689 #if defined(MBEDTLS_CIPHER_MODE_CBC)
690 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) {
691 size_t copy_len = 0;
692
693 /*
694 * If there is not enough data for a full block, cache it.
695 */
696 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
697 ilen <= block_size - ctx->unprocessed_len) ||
698 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
699 ilen < block_size - ctx->unprocessed_len) ||
700 (ctx->operation == MBEDTLS_ENCRYPT &&
701 ilen < block_size - ctx->unprocessed_len)) {
702 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
703 ilen);
704
705 ctx->unprocessed_len += ilen;
706 return 0;
707 }
708
709 /*
710 * Process cached data first
711 */
712 if (0 != ctx->unprocessed_len) {
713 copy_len = block_size - ctx->unprocessed_len;
714
715 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
716 copy_len);
717
718 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
719 ctx->operation,
720 block_size, ctx->iv,
721 ctx->
722 unprocessed_data,
723 output))) {
724 return ret;
725 }
726
727 *olen += block_size;
728 output += block_size;
729 ctx->unprocessed_len = 0;
730
731 input += copy_len;
732 ilen -= copy_len;
733 }
734
735 /*
736 * Cache final, incomplete block
737 */
738 if (0 != ilen) {
739 /* Encryption: only cache partial blocks
740 * Decryption w/ padding: always keep at least one whole block
741 * Decryption w/o padding: only cache partial blocks
742 */
743 copy_len = ilen % block_size;
744 if (copy_len == 0 &&
745 ctx->operation == MBEDTLS_DECRYPT &&
746 NULL != ctx->add_padding) {
747 copy_len = block_size;
748 }
749
750 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),
751 copy_len);
752
753 ctx->unprocessed_len += copy_len;
754 ilen -= copy_len;
755 }
756
757 /*
758 * Process remaining full blocks
759 */
760 if (ilen) {
761 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
762 ctx->operation,
763 ilen, ctx->iv,
764 input,
765 output))) {
766 return ret;
767 }
768
769 *olen += ilen;
770 }
771
772 return 0;
773 }
774 #endif /* MBEDTLS_CIPHER_MODE_CBC */
775
776 #if defined(MBEDTLS_CIPHER_MODE_CFB)
777 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) {
778 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx,
779 ctx->operation, ilen,
780 &ctx->unprocessed_len,
781 ctx->iv,
782 input, output))) {
783 return ret;
784 }
785
786 *olen = ilen;
787
788 return 0;
789 }
790 #endif /* MBEDTLS_CIPHER_MODE_CFB */
791
792 #if defined(MBEDTLS_CIPHER_MODE_OFB)
793 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) {
794 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx,
795 ilen,
796 &ctx->unprocessed_len,
797 ctx->iv,
798 input, output))) {
799 return ret;
800 }
801
802 *olen = ilen;
803
804 return 0;
805 }
806 #endif /* MBEDTLS_CIPHER_MODE_OFB */
807
808 #if defined(MBEDTLS_CIPHER_MODE_CTR)
809 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) {
810 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx,
811 ilen,
812 &ctx->unprocessed_len,
813 ctx->iv,
814 ctx->unprocessed_data,
815 input, output))) {
816 return ret;
817 }
818
819 *olen = ilen;
820
821 return 0;
822 }
823 #endif /* MBEDTLS_CIPHER_MODE_CTR */
824
825 #if defined(MBEDTLS_CIPHER_MODE_XTS)
826 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) {
827 if (ctx->unprocessed_len > 0) {
828 /* We can only process an entire data unit at a time. */
829 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
830 }
831
832 ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx,
833 ctx->operation,
834 ilen,
835 ctx->iv,
836 input,
837 output);
838 if (ret != 0) {
839 return ret;
840 }
841
842 *olen = ilen;
843
844 return 0;
845 }
846 #endif /* MBEDTLS_CIPHER_MODE_XTS */
847
848 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
849 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) {
850 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx,
851 ilen, input,
852 output))) {
853 return ret;
854 }
855
856 *olen = ilen;
857
858 return 0;
859 }
860 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
861
862 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
863 }
864
865 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
866 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
867 /*
868 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
869 */
add_pkcs_padding(unsigned char * output,size_t output_len,size_t data_len)870 static void add_pkcs_padding(unsigned char *output, size_t output_len,
871 size_t data_len)
872 {
873 size_t padding_len = output_len - data_len;
874 unsigned char i;
875
876 for (i = 0; i < padding_len; i++) {
877 output[data_len + i] = (unsigned char) padding_len;
878 }
879 }
880
881 /*
882 * Get the length of the PKCS7 padding.
883 *
884 * Note: input_len must be the block size of the cipher.
885 */
mbedtls_get_pkcs_padding(unsigned char * input,size_t input_len,size_t * data_len,size_t * invalid_padding)886 MBEDTLS_STATIC_TESTABLE int mbedtls_get_pkcs_padding(unsigned char *input,
887 size_t input_len,
888 size_t *data_len,
889 size_t *invalid_padding)
890 {
891 size_t i, pad_idx;
892 unsigned char padding_len;
893
894 if (NULL == input || NULL == data_len) {
895 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
896 }
897
898 padding_len = input[input_len - 1];
899
900 mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
901 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
902
903 /* The number of bytes checked must be independent of padding_len,
904 * so pick input_len, which is usually 8 or 16 (one block) */
905 pad_idx = input_len - padding_len;
906 for (i = 0; i < input_len; i++) {
907 mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
908 mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
909 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
910 }
911
912 /* If the padding is invalid, set the output length to 0 */
913 *data_len = mbedtls_ct_if(bad, 0, input_len - padding_len);
914
915 *invalid_padding = mbedtls_ct_size_if_else_0(bad, SIZE_MAX);
916 return 0;
917 }
918 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
919
920 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
921 /*
922 * One and zeros padding: fill with 80 00 ... 00
923 */
add_one_and_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)924 static void add_one_and_zeros_padding(unsigned char *output,
925 size_t output_len, size_t data_len)
926 {
927 size_t padding_len = output_len - data_len;
928 unsigned char i = 0;
929
930 output[data_len] = 0x80;
931 for (i = 1; i < padding_len; i++) {
932 output[data_len + i] = 0x00;
933 }
934 }
935
get_one_and_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len,size_t * invalid_padding)936 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
937 size_t *data_len, size_t *invalid_padding)
938 {
939 if (NULL == input || NULL == data_len) {
940 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
941 }
942
943 mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;
944 mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;
945
946 *data_len = 0;
947
948 for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
949 mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);
950
951 mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
952
953 *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
954
955 bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
956
957 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
958 }
959
960 *invalid_padding = mbedtls_ct_size_if_else_0(bad, SIZE_MAX);
961 return 0;
962 }
963 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
964
965 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
966 /*
967 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
968 */
add_zeros_and_len_padding(unsigned char * output,size_t output_len,size_t data_len)969 static void add_zeros_and_len_padding(unsigned char *output,
970 size_t output_len, size_t data_len)
971 {
972 size_t padding_len = output_len - data_len;
973 unsigned char i = 0;
974
975 for (i = 1; i < padding_len; i++) {
976 output[data_len + i - 1] = 0x00;
977 }
978 output[output_len - 1] = (unsigned char) padding_len;
979 }
980
get_zeros_and_len_padding(unsigned char * input,size_t input_len,size_t * data_len,size_t * invalid_padding)981 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
982 size_t *data_len, size_t *invalid_padding)
983 {
984 size_t i, pad_idx;
985 unsigned char padding_len;
986 mbedtls_ct_condition_t bad;
987
988 if (NULL == input || NULL == data_len) {
989 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
990 }
991
992 padding_len = input[input_len - 1];
993 *data_len = input_len - padding_len;
994
995 /* Avoid logical || since it results in a branch */
996 bad = mbedtls_ct_uint_gt(padding_len, input_len);
997 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
998
999 /* The number of bytes checked must be independent of padding_len */
1000 pad_idx = input_len - padding_len;
1001 for (i = 0; i < input_len - 1; i++) {
1002 mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
1003 mbedtls_ct_condition_t nonzero_pad_byte;
1004 nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
1005 bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
1006 }
1007
1008 *invalid_padding = mbedtls_ct_size_if_else_0(bad, SIZE_MAX);
1009 return 0;
1010 }
1011 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
1012
1013 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1014 /*
1015 * Zero padding: fill with 00 ... 00
1016 */
add_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)1017 static void add_zeros_padding(unsigned char *output,
1018 size_t output_len, size_t data_len)
1019 {
1020 memset(output + data_len, 0, output_len - data_len);
1021 }
1022
get_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len,size_t * invalid_padding)1023 static int get_zeros_padding(unsigned char *input, size_t input_len,
1024 size_t *data_len, size_t *invalid_padding)
1025 {
1026 size_t i;
1027 mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;
1028
1029 if (NULL == input || NULL == data_len) {
1030 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1031 }
1032
1033 *data_len = 0;
1034 for (i = input_len; i > 0; i--) {
1035 prev_done = done;
1036 done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));
1037 *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
1038 }
1039
1040 *invalid_padding = 0;
1041 return 0;
1042 }
1043 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
1044
1045 /*
1046 * No padding: don't pad :)
1047 *
1048 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
1049 * but a trivial get_padding function
1050 */
get_no_padding(unsigned char * input,size_t input_len,size_t * data_len,size_t * invalid_padding)1051 static int get_no_padding(unsigned char *input, size_t input_len,
1052 size_t *data_len, size_t *invalid_padding)
1053 {
1054 if (NULL == input || NULL == data_len) {
1055 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1056 }
1057
1058 *data_len = input_len;
1059 *invalid_padding = 0;
1060 return 0;
1061 }
1062 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1063
mbedtls_cipher_finish_padded(mbedtls_cipher_context_t * ctx,unsigned char * output,size_t * olen,size_t * invalid_padding)1064 int mbedtls_cipher_finish_padded(mbedtls_cipher_context_t *ctx,
1065 unsigned char *output, size_t *olen,
1066 size_t *invalid_padding)
1067 {
1068 if (ctx->cipher_info == NULL) {
1069 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1070 }
1071
1072 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1073 if (ctx->psa_enabled == 1) {
1074 /* While PSA Crypto has an API for multipart
1075 * operations, we currently don't make it
1076 * accessible through the cipher layer. */
1077 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1078 }
1079 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1080
1081 *olen = 0;
1082 *invalid_padding = 0;
1083
1084 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
1085 /* CBC mode requires padding so we make sure a call to
1086 * mbedtls_cipher_set_padding_mode has been done successfully. */
1087 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1088 if (ctx->get_padding == NULL) {
1089 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1090 }
1091 }
1092 #endif
1093
1094 if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1095 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1096 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1097 MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1098 MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1099 MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1100 MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1101 return 0;
1102 }
1103
1104 if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) ||
1105 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) {
1106 return 0;
1107 }
1108
1109 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1110 if (ctx->unprocessed_len != 0) {
1111 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1112 }
1113
1114 return 0;
1115 }
1116
1117 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1118 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1119 int ret = 0;
1120
1121 if (MBEDTLS_ENCRYPT == ctx->operation) {
1122 /* check for 'no padding' mode */
1123 if (NULL == ctx->add_padding) {
1124 if (0 != ctx->unprocessed_len) {
1125 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1126 }
1127
1128 return 0;
1129 }
1130
1131 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),
1132 ctx->unprocessed_len);
1133 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {
1134 /*
1135 * For decrypt operations, expect a full block,
1136 * or an empty block if no padding
1137 */
1138 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {
1139 return 0;
1140 }
1141
1142 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1143 }
1144
1145 /* cipher block */
1146 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
1147 ctx->operation,
1148 mbedtls_cipher_get_block_size(
1149 ctx),
1150 ctx->iv,
1151 ctx->unprocessed_data,
1152 output))) {
1153 return ret;
1154 }
1155
1156 /* Set output size for decryption */
1157 if (MBEDTLS_DECRYPT == ctx->operation) {
1158 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
1159 olen, invalid_padding);
1160 }
1161
1162 /* Set output size for encryption */
1163 *olen = mbedtls_cipher_get_block_size(ctx);
1164 return 0;
1165 }
1166 #else
1167 ((void) output);
1168 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1169
1170 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1171 }
1172
mbedtls_cipher_finish(mbedtls_cipher_context_t * ctx,unsigned char * output,size_t * olen)1173 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
1174 unsigned char *output, size_t *olen)
1175 {
1176 size_t invalid_padding = 0;
1177 int ret = mbedtls_cipher_finish_padded(ctx, output, olen,
1178 &invalid_padding);
1179 if (ret == 0) {
1180 ret = mbedtls_ct_error_if_else_0(invalid_padding,
1181 MBEDTLS_ERR_CIPHER_INVALID_PADDING);
1182 }
1183 return ret;
1184 }
1185
1186 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t * ctx,mbedtls_cipher_padding_t mode)1187 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
1188 mbedtls_cipher_padding_t mode)
1189 {
1190 if (NULL == ctx->cipher_info ||
1191 MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1192 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1193 }
1194
1195 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1196 if (ctx->psa_enabled == 1) {
1197 /* While PSA Crypto knows about CBC padding
1198 * schemes, we currently don't make them
1199 * accessible through the cipher layer. */
1200 if (mode != MBEDTLS_PADDING_NONE) {
1201 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1202 }
1203
1204 return 0;
1205 }
1206 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1207
1208 switch (mode) {
1209 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1210 case MBEDTLS_PADDING_PKCS7:
1211 ctx->add_padding = add_pkcs_padding;
1212 ctx->get_padding = mbedtls_get_pkcs_padding;
1213 break;
1214 #endif
1215 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1216 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1217 ctx->add_padding = add_one_and_zeros_padding;
1218 ctx->get_padding = get_one_and_zeros_padding;
1219 break;
1220 #endif
1221 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1222 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1223 ctx->add_padding = add_zeros_and_len_padding;
1224 ctx->get_padding = get_zeros_and_len_padding;
1225 break;
1226 #endif
1227 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1228 case MBEDTLS_PADDING_ZEROS:
1229 ctx->add_padding = add_zeros_padding;
1230 ctx->get_padding = get_zeros_padding;
1231 break;
1232 #endif
1233 case MBEDTLS_PADDING_NONE:
1234 ctx->add_padding = NULL;
1235 ctx->get_padding = get_no_padding;
1236 break;
1237
1238 default:
1239 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1240 }
1241
1242 return 0;
1243 }
1244 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1245
1246 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_write_tag(mbedtls_cipher_context_t * ctx,unsigned char * tag,size_t tag_len)1247 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
1248 unsigned char *tag, size_t tag_len)
1249 {
1250 if (ctx->cipher_info == NULL) {
1251 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1252 }
1253
1254 if (MBEDTLS_ENCRYPT != ctx->operation) {
1255 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1256 }
1257
1258 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1259 if (ctx->psa_enabled == 1) {
1260 /* While PSA Crypto has an API for multipart
1261 * operations, we currently don't make it
1262 * accessible through the cipher layer. */
1263 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1264 }
1265 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1266
1267 #if defined(MBEDTLS_GCM_C)
1268 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1269 size_t output_length;
1270 /* The code here doesn't yet support alternative implementations
1271 * that can delay up to a block of output. */
1272 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
1273 NULL, 0, &output_length,
1274 tag, tag_len);
1275 }
1276 #endif
1277
1278 #if defined(MBEDTLS_CHACHAPOLY_C)
1279 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1280 /* Don't allow truncated MAC for Poly1305 */
1281 if (tag_len != 16U) {
1282 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1283 }
1284
1285 return mbedtls_chachapoly_finish(
1286 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);
1287 }
1288 #endif
1289
1290 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1291 }
1292
mbedtls_cipher_check_tag(mbedtls_cipher_context_t * ctx,const unsigned char * tag,size_t tag_len)1293 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
1294 const unsigned char *tag, size_t tag_len)
1295 {
1296 unsigned char check_tag[16];
1297 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1298
1299 if (ctx->cipher_info == NULL) {
1300 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1301 }
1302
1303 if (MBEDTLS_DECRYPT != ctx->operation) {
1304 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1305 }
1306
1307 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1308 if (ctx->psa_enabled == 1) {
1309 /* While PSA Crypto has an API for multipart
1310 * operations, we currently don't make it
1311 * accessible through the cipher layer. */
1312 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1313 }
1314 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1315
1316 /* Status to return on a non-authenticated algorithm. */
1317 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1318
1319 #if defined(MBEDTLS_GCM_C)
1320 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1321 size_t output_length;
1322 /* The code here doesn't yet support alternative implementations
1323 * that can delay up to a block of output. */
1324
1325 if (tag_len > sizeof(check_tag)) {
1326 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1327 }
1328
1329 if (0 != (ret = mbedtls_gcm_finish(
1330 (mbedtls_gcm_context *) ctx->cipher_ctx,
1331 NULL, 0, &output_length,
1332 check_tag, tag_len))) {
1333 return ret;
1334 }
1335
1336 /* Check the tag in "constant-time" */
1337 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1338 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1339 goto exit;
1340 }
1341 }
1342 #endif /* MBEDTLS_GCM_C */
1343
1344 #if defined(MBEDTLS_CHACHAPOLY_C)
1345 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1346 /* Don't allow truncated MAC for Poly1305 */
1347 if (tag_len != sizeof(check_tag)) {
1348 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1349 }
1350
1351 ret = mbedtls_chachapoly_finish(
1352 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
1353 if (ret != 0) {
1354 return ret;
1355 }
1356
1357 /* Check the tag in "constant-time" */
1358 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1359 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1360 goto exit;
1361 }
1362 }
1363 #endif /* MBEDTLS_CHACHAPOLY_C */
1364
1365 exit:
1366 mbedtls_platform_zeroize(check_tag, tag_len);
1367 return ret;
1368 }
1369 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1370
1371 /*
1372 * Packet-oriented wrapper for non-AEAD modes
1373 */
mbedtls_cipher_crypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)1374 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
1375 const unsigned char *iv, size_t iv_len,
1376 const unsigned char *input, size_t ilen,
1377 unsigned char *output, size_t *olen)
1378 {
1379 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1380 size_t finish_olen;
1381
1382 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1383 if (ctx->psa_enabled == 1) {
1384 /* As in the non-PSA case, we don't check that
1385 * a key has been set. If not, the key slot will
1386 * still be in its default state of 0, which is
1387 * guaranteed to be invalid, hence the PSA-call
1388 * below will gracefully fail. */
1389 mbedtls_cipher_context_psa * const cipher_psa =
1390 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1391
1392 psa_status_t status;
1393 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1394 size_t part_len;
1395
1396 if (ctx->operation == MBEDTLS_DECRYPT) {
1397 status = psa_cipher_decrypt_setup(&cipher_op,
1398 cipher_psa->slot,
1399 cipher_psa->alg);
1400 } else if (ctx->operation == MBEDTLS_ENCRYPT) {
1401 status = psa_cipher_encrypt_setup(&cipher_op,
1402 cipher_psa->slot,
1403 cipher_psa->alg);
1404 } else {
1405 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1406 }
1407
1408 /* In the following, we can immediately return on an error,
1409 * because the PSA Crypto API guarantees that cipher operations
1410 * are terminated by unsuccessful calls to psa_cipher_update(),
1411 * and by any call to psa_cipher_finish(). */
1412 if (status != PSA_SUCCESS) {
1413 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1414 }
1415
1416 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) {
1417 status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
1418 if (status != PSA_SUCCESS) {
1419 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1420 }
1421 }
1422
1423 status = psa_cipher_update(&cipher_op,
1424 input, ilen,
1425 output, ilen, olen);
1426 if (status != PSA_SUCCESS) {
1427 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1428 }
1429
1430 status = psa_cipher_finish(&cipher_op,
1431 output + *olen, ilen - *olen,
1432 &part_len);
1433 if (status != PSA_SUCCESS) {
1434 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1435 }
1436
1437 *olen += part_len;
1438 return 0;
1439 }
1440 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1441
1442 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
1443 return ret;
1444 }
1445
1446 if ((ret = mbedtls_cipher_reset(ctx)) != 0) {
1447 return ret;
1448 }
1449
1450 if ((ret = mbedtls_cipher_update(ctx, input, ilen,
1451 output, olen)) != 0) {
1452 return ret;
1453 }
1454
1455 size_t invalid_padding = 0;
1456 if ((ret = mbedtls_cipher_finish_padded(ctx, output + *olen,
1457 &finish_olen,
1458 &invalid_padding)) != 0) {
1459 return ret;
1460 }
1461 *olen += finish_olen;
1462
1463 ret = mbedtls_ct_error_if_else_0(invalid_padding,
1464 MBEDTLS_ERR_CIPHER_INVALID_PADDING);
1465 return ret;
1466 }
1467
1468 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1469 /*
1470 * Packet-oriented encryption for AEAD modes: internal function used by
1471 * mbedtls_cipher_auth_encrypt_ext().
1472 */
mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1473 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
1474 const unsigned char *iv, size_t iv_len,
1475 const unsigned char *ad, size_t ad_len,
1476 const unsigned char *input, size_t ilen,
1477 unsigned char *output, size_t *olen,
1478 unsigned char *tag, size_t tag_len)
1479 {
1480 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1481 if (ctx->psa_enabled == 1) {
1482 /* As in the non-PSA case, we don't check that
1483 * a key has been set. If not, the key slot will
1484 * still be in its default state of 0, which is
1485 * guaranteed to be invalid, hence the PSA-call
1486 * below will gracefully fail. */
1487 mbedtls_cipher_context_psa * const cipher_psa =
1488 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1489
1490 psa_status_t status;
1491
1492 /* PSA Crypto API always writes the authentication tag
1493 * at the end of the encrypted message. */
1494 if (output == NULL || tag != output + ilen) {
1495 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1496 }
1497
1498 status = psa_aead_encrypt(cipher_psa->slot,
1499 cipher_psa->alg,
1500 iv, iv_len,
1501 ad, ad_len,
1502 input, ilen,
1503 output, ilen + tag_len, olen);
1504 if (status != PSA_SUCCESS) {
1505 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1506 }
1507
1508 *olen -= tag_len;
1509 return 0;
1510 }
1511 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1512
1513 #if defined(MBEDTLS_GCM_C)
1514 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1515 *olen = ilen;
1516 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1517 ilen, iv, iv_len, ad, ad_len,
1518 input, output, tag_len, tag);
1519 }
1520 #endif /* MBEDTLS_GCM_C */
1521 #if defined(MBEDTLS_CCM_C)
1522 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1523 *olen = ilen;
1524 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
1525 iv, iv_len, ad, ad_len, input, output,
1526 tag, tag_len);
1527 }
1528 #endif /* MBEDTLS_CCM_C */
1529 #if defined(MBEDTLS_CHACHAPOLY_C)
1530 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1531 /* ChachaPoly has fixed length nonce and MAC (tag) */
1532 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
1533 (tag_len != 16U)) {
1534 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1535 }
1536
1537 *olen = ilen;
1538 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,
1539 ilen, iv, ad, ad_len, input, output, tag);
1540 }
1541 #endif /* MBEDTLS_CHACHAPOLY_C */
1542
1543 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1544 }
1545
1546 /*
1547 * Packet-oriented encryption for AEAD modes: internal function used by
1548 * mbedtls_cipher_auth_encrypt_ext().
1549 */
mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1550 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
1551 const unsigned char *iv, size_t iv_len,
1552 const unsigned char *ad, size_t ad_len,
1553 const unsigned char *input, size_t ilen,
1554 unsigned char *output, size_t *olen,
1555 const unsigned char *tag, size_t tag_len)
1556 {
1557 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1558 if (ctx->psa_enabled == 1) {
1559 /* As in the non-PSA case, we don't check that
1560 * a key has been set. If not, the key slot will
1561 * still be in its default state of 0, which is
1562 * guaranteed to be invalid, hence the PSA-call
1563 * below will gracefully fail. */
1564 mbedtls_cipher_context_psa * const cipher_psa =
1565 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1566
1567 psa_status_t status;
1568
1569 /* PSA Crypto API always writes the authentication tag
1570 * at the end of the encrypted message. */
1571 if (input == NULL || tag != input + ilen) {
1572 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1573 }
1574
1575 status = psa_aead_decrypt(cipher_psa->slot,
1576 cipher_psa->alg,
1577 iv, iv_len,
1578 ad, ad_len,
1579 input, ilen + tag_len,
1580 output, ilen, olen);
1581 if (status == PSA_ERROR_INVALID_SIGNATURE) {
1582 return MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1583 } else if (status != PSA_SUCCESS) {
1584 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1585 }
1586
1587 return 0;
1588 }
1589 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1590
1591 #if defined(MBEDTLS_GCM_C)
1592 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1593 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1594
1595 *olen = ilen;
1596 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
1597 iv, iv_len, ad, ad_len,
1598 tag, tag_len, input, output);
1599
1600 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
1601 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1602 }
1603
1604 return ret;
1605 }
1606 #endif /* MBEDTLS_GCM_C */
1607 #if defined(MBEDTLS_CCM_C)
1608 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1609 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1610
1611 *olen = ilen;
1612 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
1613 iv, iv_len, ad, ad_len,
1614 input, output, tag, tag_len);
1615
1616 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
1617 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1618 }
1619
1620 return ret;
1621 }
1622 #endif /* MBEDTLS_CCM_C */
1623 #if defined(MBEDTLS_CHACHAPOLY_C)
1624 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1625 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1626
1627 /* ChachaPoly has fixed length nonce and MAC (tag) */
1628 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
1629 (tag_len != 16U)) {
1630 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1631 }
1632
1633 *olen = ilen;
1634 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,
1635 iv, ad, ad_len, tag, input, output);
1636
1637 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {
1638 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1639 }
1640
1641 return ret;
1642 }
1643 #endif /* MBEDTLS_CHACHAPOLY_C */
1644
1645 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1646 }
1647 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1648
1649 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1650 /*
1651 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1652 */
mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1653 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
1654 const unsigned char *iv, size_t iv_len,
1655 const unsigned char *ad, size_t ad_len,
1656 const unsigned char *input, size_t ilen,
1657 unsigned char *output, size_t output_len,
1658 size_t *olen, size_t tag_len)
1659 {
1660 #if defined(MBEDTLS_NIST_KW_C)
1661 if (
1662 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1663 ctx->psa_enabled == 0 &&
1664 #endif
1665 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1666 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
1667 mbedtls_nist_kw_mode_t mode =
1668 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
1669 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1670
1671 /* There is no iv, tag or ad associated with KW and KWP,
1672 * so these length should be 0 as documented. */
1673 if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1674 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1675 }
1676
1677 (void) iv;
1678 (void) ad;
1679
1680 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
1681 output, olen, output_len);
1682 }
1683 #endif /* MBEDTLS_NIST_KW_C */
1684
1685 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1686 /* AEAD case: check length before passing on to shared function */
1687 if (output_len < ilen + tag_len) {
1688 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1689 }
1690
1691 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
1692 input, ilen, output, olen,
1693 output + ilen, tag_len);
1694 *olen += tag_len;
1695 return ret;
1696 #else
1697 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1698 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1699 }
1700
1701 /*
1702 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1703 */
mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1704 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
1705 const unsigned char *iv, size_t iv_len,
1706 const unsigned char *ad, size_t ad_len,
1707 const unsigned char *input, size_t ilen,
1708 unsigned char *output, size_t output_len,
1709 size_t *olen, size_t tag_len)
1710 {
1711 #if defined(MBEDTLS_NIST_KW_C)
1712 if (
1713 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1714 ctx->psa_enabled == 0 &&
1715 #endif
1716 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1717 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
1718 mbedtls_nist_kw_mode_t mode =
1719 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
1720 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1721
1722 /* There is no iv, tag or ad associated with KW and KWP,
1723 * so these length should be 0 as documented. */
1724 if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1725 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1726 }
1727
1728 (void) iv;
1729 (void) ad;
1730
1731 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
1732 output, olen, output_len);
1733 }
1734 #endif /* MBEDTLS_NIST_KW_C */
1735
1736 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1737 /* AEAD case: check length before passing on to shared function */
1738 if (ilen < tag_len || output_len < ilen - tag_len) {
1739 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1740 }
1741
1742 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
1743 input, ilen - tag_len, output, olen,
1744 input + ilen - tag_len, tag_len);
1745 #else
1746 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1747 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1748 }
1749 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1750
1751 #endif /* MBEDTLS_CIPHER_C */
1752