1 /**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for Mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 */
11
12 #include "common.h"
13
14 #if defined(MBEDTLS_CIPHER_C)
15
16 #include "mbedtls/cipher.h"
17 #include "cipher_invasive.h"
18 #include "cipher_wrap.h"
19 #include "mbedtls/platform_util.h"
20 #include "mbedtls/error.h"
21 #include "mbedtls/constant_time.h"
22 #include "constant_time_internal.h"
23
24 #include <stdlib.h>
25 #include <string.h>
26
27 #if defined(MBEDTLS_CHACHAPOLY_C)
28 #include "mbedtls/chachapoly.h"
29 #endif
30
31 #if defined(MBEDTLS_GCM_C)
32 #include "mbedtls/gcm.h"
33 #endif
34
35 #if defined(MBEDTLS_CCM_C)
36 #include "mbedtls/ccm.h"
37 #endif
38
39 #if defined(MBEDTLS_CHACHA20_C)
40 #include "mbedtls/chacha20.h"
41 #endif
42
43 #if defined(MBEDTLS_CMAC_C)
44 #include "mbedtls/cmac.h"
45 #endif
46
47 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
48 #include "psa/crypto.h"
49 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
50
51 #if defined(MBEDTLS_NIST_KW_C)
52 #include "mbedtls/nist_kw.h"
53 #endif
54
55 #include "mbedtls/platform.h"
56
57 static int supported_init = 0;
58
mbedtls_cipher_get_base(const mbedtls_cipher_info_t * info)59 static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base(
60 const mbedtls_cipher_info_t *info)
61 {
62 return mbedtls_cipher_base_lookup_table[info->base_idx];
63 }
64
mbedtls_cipher_list(void)65 const int *mbedtls_cipher_list(void)
66 {
67 const mbedtls_cipher_definition_t *def;
68 int *type;
69
70 if (!supported_init) {
71 def = mbedtls_cipher_definitions;
72 type = mbedtls_cipher_supported;
73
74 while (def->type != 0) {
75 *type++ = (*def++).type;
76 }
77
78 *type = 0;
79
80 supported_init = 1;
81 }
82
83 return mbedtls_cipher_supported;
84 }
85
mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)86 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
87 const mbedtls_cipher_type_t cipher_type)
88 {
89 const mbedtls_cipher_definition_t *def;
90
91 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
92 if (def->type == cipher_type) {
93 return def->info;
94 }
95 }
96
97 return NULL;
98 }
99
mbedtls_cipher_info_from_string(const char * cipher_name)100 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
101 const char *cipher_name)
102 {
103 const mbedtls_cipher_definition_t *def;
104
105 if (NULL == cipher_name) {
106 return NULL;
107 }
108
109 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
110 if (!strcmp(def->info->name, cipher_name)) {
111 return def->info;
112 }
113 }
114
115 return NULL;
116 }
117
mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,int key_bitlen,const mbedtls_cipher_mode_t mode)118 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
119 const mbedtls_cipher_id_t cipher_id,
120 int key_bitlen,
121 const mbedtls_cipher_mode_t mode)
122 {
123 const mbedtls_cipher_definition_t *def;
124
125 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
126 if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id &&
127 mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen &&
128 def->info->mode == mode) {
129 return def->info;
130 }
131 }
132
133 return NULL;
134 }
135
136 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_psa_translate_cipher_type(mbedtls_cipher_type_t cipher)137 static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
138 mbedtls_cipher_type_t cipher)
139 {
140 switch (cipher) {
141 case MBEDTLS_CIPHER_AES_128_CCM:
142 case MBEDTLS_CIPHER_AES_192_CCM:
143 case MBEDTLS_CIPHER_AES_256_CCM:
144 case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:
145 case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:
146 case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:
147 case MBEDTLS_CIPHER_AES_128_GCM:
148 case MBEDTLS_CIPHER_AES_192_GCM:
149 case MBEDTLS_CIPHER_AES_256_GCM:
150 case MBEDTLS_CIPHER_AES_128_CBC:
151 case MBEDTLS_CIPHER_AES_192_CBC:
152 case MBEDTLS_CIPHER_AES_256_CBC:
153 case MBEDTLS_CIPHER_AES_128_ECB:
154 case MBEDTLS_CIPHER_AES_192_ECB:
155 case MBEDTLS_CIPHER_AES_256_ECB:
156 return PSA_KEY_TYPE_AES;
157
158 /* ARIA not yet supported in PSA. */
159 /* case MBEDTLS_CIPHER_ARIA_128_CCM:
160 case MBEDTLS_CIPHER_ARIA_192_CCM:
161 case MBEDTLS_CIPHER_ARIA_256_CCM:
162 case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:
163 case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:
164 case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:
165 case MBEDTLS_CIPHER_ARIA_128_GCM:
166 case MBEDTLS_CIPHER_ARIA_192_GCM:
167 case MBEDTLS_CIPHER_ARIA_256_GCM:
168 case MBEDTLS_CIPHER_ARIA_128_CBC:
169 case MBEDTLS_CIPHER_ARIA_192_CBC:
170 case MBEDTLS_CIPHER_ARIA_256_CBC:
171 return( PSA_KEY_TYPE_ARIA ); */
172
173 default:
174 return 0;
175 }
176 }
177
mbedtls_psa_translate_cipher_mode(mbedtls_cipher_mode_t mode,size_t taglen)178 static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
179 mbedtls_cipher_mode_t mode, size_t taglen)
180 {
181 switch (mode) {
182 case MBEDTLS_MODE_ECB:
183 return PSA_ALG_ECB_NO_PADDING;
184 case MBEDTLS_MODE_GCM:
185 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen);
186 case MBEDTLS_MODE_CCM:
187 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen);
188 case MBEDTLS_MODE_CCM_STAR_NO_TAG:
189 return PSA_ALG_CCM_STAR_NO_TAG;
190 case MBEDTLS_MODE_CBC:
191 if (taglen == 0) {
192 return PSA_ALG_CBC_NO_PADDING;
193 } else {
194 return 0;
195 }
196 default:
197 return 0;
198 }
199 }
200 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
201
mbedtls_cipher_init(mbedtls_cipher_context_t * ctx)202 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
203 {
204 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
205 }
206
mbedtls_cipher_free(mbedtls_cipher_context_t * ctx)207 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
208 {
209 if (ctx == NULL) {
210 return;
211 }
212
213 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
214 if (ctx->psa_enabled == 1) {
215 if (ctx->cipher_ctx != NULL) {
216 mbedtls_cipher_context_psa * const cipher_psa =
217 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
218
219 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
220 /* xxx_free() doesn't allow to return failures. */
221 (void) psa_destroy_key(cipher_psa->slot);
222 }
223
224 mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa));
225 }
226
227 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
228 return;
229 }
230 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
231
232 #if defined(MBEDTLS_CMAC_C)
233 if (ctx->cmac_ctx) {
234 mbedtls_zeroize_and_free(ctx->cmac_ctx,
235 sizeof(mbedtls_cmac_context_t));
236 }
237 #endif
238
239 if (ctx->cipher_ctx) {
240 mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx);
241 }
242
243 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
244 }
245
mbedtls_cipher_clone(mbedtls_cipher_context_t * dst,const mbedtls_cipher_context_t * src)246 int mbedtls_cipher_clone(mbedtls_cipher_context_t *dst,
247 const mbedtls_cipher_context_t *src)
248 {
249 if (dst == NULL || dst->cipher_info == NULL ||
250 src == NULL || src->cipher_info == NULL) {
251 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
252 }
253
254 dst->cipher_info = src->cipher_info;
255 dst->key_bitlen = src->key_bitlen;
256 dst->operation = src->operation;
257 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
258 dst->add_padding = src->add_padding;
259 dst->get_padding = src->get_padding;
260 #endif
261 memcpy(dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH);
262 dst->unprocessed_len = src->unprocessed_len;
263 memcpy(dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH);
264 dst->iv_size = src->iv_size;
265 if (mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func)
266 mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func(dst->cipher_ctx, src->cipher_ctx);
267
268 #if defined(MBEDTLS_CMAC_C)
269 if (dst->cmac_ctx != NULL && src->cmac_ctx != NULL)
270 memcpy(dst->cmac_ctx, src->cmac_ctx, sizeof(mbedtls_cmac_context_t));
271 #endif
272 return 0;
273 }
274
mbedtls_cipher_setup(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)275 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
276 const mbedtls_cipher_info_t *cipher_info)
277 {
278 if (cipher_info == NULL) {
279 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
280 }
281
282 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
283
284 if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) {
285 ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func();
286 if (ctx->cipher_ctx == NULL) {
287 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
288 }
289 }
290
291 ctx->cipher_info = cipher_info;
292
293 return 0;
294 }
295
296 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_cipher_setup_psa(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info,size_t taglen)297 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
298 const mbedtls_cipher_info_t *cipher_info,
299 size_t taglen)
300 {
301 psa_algorithm_t alg;
302 mbedtls_cipher_context_psa *cipher_psa;
303
304 if (NULL == cipher_info || NULL == ctx) {
305 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
306 }
307
308 /* Check that the underlying cipher mode and cipher type are
309 * supported by the underlying PSA Crypto implementation. */
310 alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen);
311 if (alg == 0) {
312 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
313 }
314 if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) {
315 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
316 }
317
318 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
319
320 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
321 if (cipher_psa == NULL) {
322 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
323 }
324 cipher_psa->alg = alg;
325 ctx->cipher_ctx = cipher_psa;
326 ctx->cipher_info = cipher_info;
327 ctx->psa_enabled = 1;
328 return 0;
329 }
330 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
331
mbedtls_cipher_setup_info(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)332 int mbedtls_cipher_setup_info(mbedtls_cipher_context_t *ctx,
333 const mbedtls_cipher_info_t *cipher_info )
334 {
335 if (NULL == cipher_info || NULL == ctx)
336 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
337
338 ctx->cipher_info = cipher_info;
339 return 0;
340 }
341
mbedtls_cipher_setkey(mbedtls_cipher_context_t * ctx,const unsigned char * key,int key_bitlen,const mbedtls_operation_t operation)342 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
343 const unsigned char *key,
344 int key_bitlen,
345 const mbedtls_operation_t operation)
346 {
347 if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) {
348 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
349 }
350 if (ctx->cipher_info == NULL) {
351 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
352 }
353 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
354 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) &&
355 MBEDTLS_DECRYPT == operation) {
356 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
357 }
358 #endif
359
360 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
361 if (ctx->psa_enabled == 1) {
362 mbedtls_cipher_context_psa * const cipher_psa =
363 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
364
365 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
366
367 psa_status_t status;
368 psa_key_type_t key_type;
369 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
370
371 /* PSA Crypto API only accepts byte-aligned keys. */
372 if (key_bitlen % 8 != 0) {
373 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
374 }
375
376 /* Don't allow keys to be set multiple times. */
377 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {
378 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
379 }
380
381 key_type = mbedtls_psa_translate_cipher_type(
382 ((mbedtls_cipher_type_t) ctx->cipher_info->type));
383 if (key_type == 0) {
384 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
385 }
386 psa_set_key_type(&attributes, key_type);
387
388 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
389 * (encrypt vs. decrypt): it is possible to setup a key for encryption
390 * and use it for AEAD decryption. Until tests relying on this
391 * are changed, allow any usage in PSA. */
392 psa_set_key_usage_flags(&attributes,
393 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
394 psa_set_key_algorithm(&attributes, cipher_psa->alg);
395
396 status = psa_import_key(&attributes, key, key_bytelen,
397 &cipher_psa->slot);
398 switch (status) {
399 case PSA_SUCCESS:
400 break;
401 case PSA_ERROR_INSUFFICIENT_MEMORY:
402 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
403 case PSA_ERROR_NOT_SUPPORTED:
404 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
405 default:
406 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
407 }
408 /* Indicate that we own the key slot and need to
409 * destroy it in mbedtls_cipher_free(). */
410 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
411
412 ctx->key_bitlen = key_bitlen;
413 ctx->operation = operation;
414 return 0;
415 }
416 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
417
418 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
419 (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) {
420 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
421 }
422
423 ctx->key_bitlen = key_bitlen;
424 ctx->operation = operation;
425
426 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
427 /*
428 * For OFB, CFB and CTR mode always use the encryption key schedule
429 */
430 if (MBEDTLS_ENCRYPT == operation ||
431 MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
432 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
433 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
434 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
435 ctx->key_bitlen);
436 }
437
438 if (MBEDTLS_DECRYPT == operation) {
439 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,
440 ctx->key_bitlen);
441 }
442 #else
443 if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) {
444 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
445 ctx->key_bitlen);
446 }
447 #endif
448
449 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
450 }
451
mbedtls_cipher_set_iv(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len)452 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
453 const unsigned char *iv,
454 size_t iv_len)
455 {
456 size_t actual_iv_size;
457
458 if (ctx->cipher_info == NULL) {
459 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
460 }
461 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
462 if (ctx->psa_enabled == 1) {
463 /* While PSA Crypto has an API for multipart
464 * operations, we currently don't make it
465 * accessible through the cipher layer. */
466 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
467 }
468 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
469
470 /* avoid buffer overflow in ctx->iv */
471 if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
472 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
473 }
474
475 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
476 actual_iv_size = iv_len;
477 } else {
478 actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info);
479
480 /* avoid reading past the end of input buffer */
481 if (actual_iv_size > iv_len) {
482 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
483 }
484 }
485
486 #if defined(MBEDTLS_CHACHA20_C)
487 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) {
488 /* Even though the actual_iv_size is overwritten with a correct value
489 * of 12 from the cipher info, return an error to indicate that
490 * the input iv_len is wrong. */
491 if (iv_len != 12) {
492 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
493 }
494
495 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,
496 iv,
497 0U)) { /* Initial counter value */
498 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
499 }
500 }
501 #if defined(MBEDTLS_CHACHAPOLY_C)
502 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
503 iv_len != 12) {
504 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
505 }
506 #endif
507 #endif
508
509 #if defined(MBEDTLS_GCM_C)
510 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
511 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx,
512 ctx->operation,
513 iv, iv_len);
514 }
515 #endif
516
517 #if defined(MBEDTLS_CCM_C)
518 if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
519 int set_lengths_result;
520 int ccm_star_mode;
521
522 set_lengths_result = mbedtls_ccm_set_lengths(
523 (mbedtls_ccm_context *) ctx->cipher_ctx,
524 0, 0, 0);
525 if (set_lengths_result != 0) {
526 return set_lengths_result;
527 }
528
529 if (ctx->operation == MBEDTLS_DECRYPT) {
530 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;
531 } else if (ctx->operation == MBEDTLS_ENCRYPT) {
532 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;
533 } else {
534 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
535 }
536
537 return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx,
538 ccm_star_mode,
539 iv, iv_len);
540 }
541 #endif
542
543 if (actual_iv_size != 0) {
544 memcpy(ctx->iv, iv, actual_iv_size);
545 ctx->iv_size = actual_iv_size;
546 }
547
548 return 0;
549 }
550
mbedtls_cipher_reset(mbedtls_cipher_context_t * ctx)551 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
552 {
553 if (ctx->cipher_info == NULL) {
554 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
555 }
556
557 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
558 if (ctx->psa_enabled == 1) {
559 /* We don't support resetting PSA-based
560 * cipher contexts, yet. */
561 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
562 }
563 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
564
565 ctx->unprocessed_len = 0;
566
567 return 0;
568 }
569
570 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_update_ad(mbedtls_cipher_context_t * ctx,const unsigned char * ad,size_t ad_len)571 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
572 const unsigned char *ad, size_t ad_len)
573 {
574 if (ctx->cipher_info == NULL) {
575 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
576 }
577
578 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
579 if (ctx->psa_enabled == 1) {
580 /* While PSA Crypto has an API for multipart
581 * operations, we currently don't make it
582 * accessible through the cipher layer. */
583 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
584 }
585 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
586
587 #if defined(MBEDTLS_GCM_C)
588 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
589 return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx,
590 ad, ad_len);
591 }
592 #endif
593
594 #if defined(MBEDTLS_CHACHAPOLY_C)
595 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
596 int result;
597 mbedtls_chachapoly_mode_t mode;
598
599 mode = (ctx->operation == MBEDTLS_ENCRYPT)
600 ? MBEDTLS_CHACHAPOLY_ENCRYPT
601 : MBEDTLS_CHACHAPOLY_DECRYPT;
602
603 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx,
604 ctx->iv,
605 mode);
606 if (result != 0) {
607 return result;
608 }
609
610 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
611 ad, ad_len);
612 }
613 #endif
614
615 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
616 }
617 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
618
mbedtls_cipher_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)619 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
620 size_t ilen, unsigned char *output, size_t *olen)
621 {
622 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
623 size_t block_size;
624
625 if (ctx->cipher_info == NULL) {
626 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
627 }
628
629 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
630 if (ctx->psa_enabled == 1) {
631 /* While PSA Crypto has an API for multipart
632 * operations, we currently don't make it
633 * accessible through the cipher layer. */
634 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
635 }
636 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
637
638 *olen = 0;
639 block_size = mbedtls_cipher_get_block_size(ctx);
640 if (0 == block_size) {
641 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
642 }
643
644 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) {
645 if (ilen != block_size) {
646 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
647 }
648
649 *olen = ilen;
650
651 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx,
652 ctx->operation, input,
653 output))) {
654 return ret;
655 }
656
657 return 0;
658 }
659
660 #if defined(MBEDTLS_GCM_C)
661 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) {
662 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx,
663 input, ilen,
664 output, ilen, olen);
665 }
666 #endif
667
668 #if defined(MBEDTLS_CCM_C)
669 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) {
670 return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx,
671 input, ilen,
672 output, ilen, olen);
673 }
674 #endif
675
676 #if defined(MBEDTLS_CHACHAPOLY_C)
677 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
678 *olen = ilen;
679 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
680 ilen, input, output);
681 }
682 #endif
683
684 if (input == output &&
685 (ctx->unprocessed_len != 0 || ilen % block_size)) {
686 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
687 }
688
689 #if defined(MBEDTLS_CIPHER_MODE_CBC)
690 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) {
691 size_t copy_len = 0;
692
693 /*
694 * If there is not enough data for a full block, cache it.
695 */
696 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
697 ilen <= block_size - ctx->unprocessed_len) ||
698 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
699 ilen < block_size - ctx->unprocessed_len) ||
700 (ctx->operation == MBEDTLS_ENCRYPT &&
701 ilen < block_size - ctx->unprocessed_len)) {
702 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
703 ilen);
704
705 ctx->unprocessed_len += ilen;
706 return 0;
707 }
708
709 /*
710 * Process cached data first
711 */
712 if (0 != ctx->unprocessed_len) {
713 copy_len = block_size - ctx->unprocessed_len;
714
715 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
716 copy_len);
717
718 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
719 ctx->operation,
720 block_size, ctx->iv,
721 ctx->
722 unprocessed_data,
723 output))) {
724 return ret;
725 }
726
727 *olen += block_size;
728 output += block_size;
729 ctx->unprocessed_len = 0;
730
731 input += copy_len;
732 ilen -= copy_len;
733 }
734
735 /*
736 * Cache final, incomplete block
737 */
738 if (0 != ilen) {
739 /* Encryption: only cache partial blocks
740 * Decryption w/ padding: always keep at least one whole block
741 * Decryption w/o padding: only cache partial blocks
742 */
743 copy_len = ilen % block_size;
744 if (copy_len == 0 &&
745 ctx->operation == MBEDTLS_DECRYPT &&
746 NULL != ctx->add_padding) {
747 copy_len = block_size;
748 }
749
750 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),
751 copy_len);
752
753 ctx->unprocessed_len += copy_len;
754 ilen -= copy_len;
755 }
756
757 /*
758 * Process remaining full blocks
759 */
760 if (ilen) {
761 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
762 ctx->operation,
763 ilen, ctx->iv,
764 input,
765 output))) {
766 return ret;
767 }
768
769 *olen += ilen;
770 }
771
772 return 0;
773 }
774 #endif /* MBEDTLS_CIPHER_MODE_CBC */
775
776 #if defined(MBEDTLS_CIPHER_MODE_CFB)
777 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) {
778 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx,
779 ctx->operation, ilen,
780 &ctx->unprocessed_len,
781 ctx->iv,
782 input, output))) {
783 return ret;
784 }
785
786 *olen = ilen;
787
788 return 0;
789 }
790 #endif /* MBEDTLS_CIPHER_MODE_CFB */
791
792 #if defined(MBEDTLS_CIPHER_MODE_OFB)
793 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) {
794 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx,
795 ilen,
796 &ctx->unprocessed_len,
797 ctx->iv,
798 input, output))) {
799 return ret;
800 }
801
802 *olen = ilen;
803
804 return 0;
805 }
806 #endif /* MBEDTLS_CIPHER_MODE_OFB */
807
808 #if defined(MBEDTLS_CIPHER_MODE_CTR)
809 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) {
810 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx,
811 ilen,
812 &ctx->unprocessed_len,
813 ctx->iv,
814 ctx->unprocessed_data,
815 input, output))) {
816 return ret;
817 }
818
819 *olen = ilen;
820
821 return 0;
822 }
823 #endif /* MBEDTLS_CIPHER_MODE_CTR */
824
825 #if defined(MBEDTLS_CIPHER_MODE_XTS)
826 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) {
827 if (ctx->unprocessed_len > 0) {
828 /* We can only process an entire data unit at a time. */
829 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
830 }
831
832 ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx,
833 ctx->operation,
834 ilen,
835 ctx->iv,
836 input,
837 output);
838 if (ret != 0) {
839 return ret;
840 }
841
842 *olen = ilen;
843
844 return 0;
845 }
846 #endif /* MBEDTLS_CIPHER_MODE_XTS */
847
848 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
849 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) {
850 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx,
851 ilen, input,
852 output))) {
853 return ret;
854 }
855
856 *olen = ilen;
857
858 return 0;
859 }
860 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
861
862 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
863 }
864
865 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
866 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
867 /*
868 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
869 */
add_pkcs_padding(unsigned char * output,size_t output_len,size_t data_len)870 static void add_pkcs_padding(unsigned char *output, size_t output_len,
871 size_t data_len)
872 {
873 size_t padding_len = output_len - data_len;
874 unsigned char i;
875
876 for (i = 0; i < padding_len; i++) {
877 output[data_len + i] = (unsigned char) padding_len;
878 }
879 }
880
881 /*
882 * Get the length of the PKCS7 padding.
883 *
884 * Note: input_len must be the block size of the cipher.
885 */
mbedtls_get_pkcs_padding(unsigned char * input,size_t input_len,size_t * data_len)886 MBEDTLS_STATIC_TESTABLE int mbedtls_get_pkcs_padding(unsigned char *input,
887 size_t input_len,
888 size_t *data_len)
889 {
890 size_t i, pad_idx;
891 unsigned char padding_len;
892
893 if (NULL == input || NULL == data_len) {
894 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
895 }
896
897 padding_len = input[input_len - 1];
898
899 mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
900 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
901
902 /* The number of bytes checked must be independent of padding_len,
903 * so pick input_len, which is usually 8 or 16 (one block) */
904 pad_idx = input_len - padding_len;
905 for (i = 0; i < input_len; i++) {
906 mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
907 mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
908 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
909 }
910
911 /* If the padding is invalid, set the output length to 0 */
912 *data_len = mbedtls_ct_if(bad, 0, input_len - padding_len);
913
914 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
915 }
916 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
917
918 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
919 /*
920 * One and zeros padding: fill with 80 00 ... 00
921 */
add_one_and_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)922 static void add_one_and_zeros_padding(unsigned char *output,
923 size_t output_len, size_t data_len)
924 {
925 size_t padding_len = output_len - data_len;
926 unsigned char i = 0;
927
928 output[data_len] = 0x80;
929 for (i = 1; i < padding_len; i++) {
930 output[data_len + i] = 0x00;
931 }
932 }
933
get_one_and_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)934 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
935 size_t *data_len)
936 {
937 if (NULL == input || NULL == data_len) {
938 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
939 }
940
941 mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;
942 mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;
943
944 *data_len = 0;
945
946 for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
947 mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);
948
949 mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
950
951 *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
952
953 bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
954
955 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
956 }
957
958 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
959 }
960 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
961
962 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
963 /*
964 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
965 */
add_zeros_and_len_padding(unsigned char * output,size_t output_len,size_t data_len)966 static void add_zeros_and_len_padding(unsigned char *output,
967 size_t output_len, size_t data_len)
968 {
969 size_t padding_len = output_len - data_len;
970 unsigned char i = 0;
971
972 for (i = 1; i < padding_len; i++) {
973 output[data_len + i - 1] = 0x00;
974 }
975 output[output_len - 1] = (unsigned char) padding_len;
976 }
977
get_zeros_and_len_padding(unsigned char * input,size_t input_len,size_t * data_len)978 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
979 size_t *data_len)
980 {
981 size_t i, pad_idx;
982 unsigned char padding_len;
983 mbedtls_ct_condition_t bad;
984
985 if (NULL == input || NULL == data_len) {
986 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
987 }
988
989 padding_len = input[input_len - 1];
990 *data_len = input_len - padding_len;
991
992 /* Avoid logical || since it results in a branch */
993 bad = mbedtls_ct_uint_gt(padding_len, input_len);
994 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
995
996 /* The number of bytes checked must be independent of padding_len */
997 pad_idx = input_len - padding_len;
998 for (i = 0; i < input_len - 1; i++) {
999 mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
1000 mbedtls_ct_condition_t nonzero_pad_byte;
1001 nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
1002 bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
1003 }
1004
1005 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
1006 }
1007 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
1008
1009 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1010 /*
1011 * Zero padding: fill with 00 ... 00
1012 */
add_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)1013 static void add_zeros_padding(unsigned char *output,
1014 size_t output_len, size_t data_len)
1015 {
1016 memset(output + data_len, 0, output_len - data_len);
1017 }
1018
get_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)1019 static int get_zeros_padding(unsigned char *input, size_t input_len,
1020 size_t *data_len)
1021 {
1022 size_t i;
1023 mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;
1024
1025 if (NULL == input || NULL == data_len) {
1026 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1027 }
1028
1029 *data_len = 0;
1030 for (i = input_len; i > 0; i--) {
1031 prev_done = done;
1032 done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));
1033 *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
1034 }
1035
1036 return 0;
1037 }
1038 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
1039
1040 /*
1041 * No padding: don't pad :)
1042 *
1043 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
1044 * but a trivial get_padding function
1045 */
get_no_padding(unsigned char * input,size_t input_len,size_t * data_len)1046 static int get_no_padding(unsigned char *input, size_t input_len,
1047 size_t *data_len)
1048 {
1049 if (NULL == input || NULL == data_len) {
1050 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1051 }
1052
1053 *data_len = input_len;
1054
1055 return 0;
1056 }
1057 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1058
mbedtls_cipher_finish(mbedtls_cipher_context_t * ctx,unsigned char * output,size_t * olen)1059 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
1060 unsigned char *output, size_t *olen)
1061 {
1062 if (ctx->cipher_info == NULL) {
1063 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1064 }
1065
1066 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1067 if (ctx->psa_enabled == 1) {
1068 /* While PSA Crypto has an API for multipart
1069 * operations, we currently don't make it
1070 * accessible through the cipher layer. */
1071 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1072 }
1073 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1074
1075 *olen = 0;
1076
1077 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
1078 /* CBC mode requires padding so we make sure a call to
1079 * mbedtls_cipher_set_padding_mode has been done successfully. */
1080 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1081 if (ctx->get_padding == NULL) {
1082 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1083 }
1084 }
1085 #endif
1086
1087 if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1088 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1089 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1090 MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1091 MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1092 MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1093 MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1094 return 0;
1095 }
1096
1097 if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) ||
1098 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) {
1099 return 0;
1100 }
1101
1102 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1103 if (ctx->unprocessed_len != 0) {
1104 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1105 }
1106
1107 return 0;
1108 }
1109
1110 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1111 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1112 int ret = 0;
1113
1114 if (MBEDTLS_ENCRYPT == ctx->operation) {
1115 /* check for 'no padding' mode */
1116 if (NULL == ctx->add_padding) {
1117 if (0 != ctx->unprocessed_len) {
1118 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1119 }
1120
1121 return 0;
1122 }
1123
1124 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),
1125 ctx->unprocessed_len);
1126 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {
1127 /*
1128 * For decrypt operations, expect a full block,
1129 * or an empty block if no padding
1130 */
1131 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {
1132 return 0;
1133 }
1134
1135 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1136 }
1137
1138 /* cipher block */
1139 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
1140 ctx->operation,
1141 mbedtls_cipher_get_block_size(
1142 ctx),
1143 ctx->iv,
1144 ctx->unprocessed_data,
1145 output))) {
1146 return ret;
1147 }
1148
1149 /* Set output size for decryption */
1150 if (MBEDTLS_DECRYPT == ctx->operation) {
1151 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
1152 olen);
1153 }
1154
1155 /* Set output size for encryption */
1156 *olen = mbedtls_cipher_get_block_size(ctx);
1157 return 0;
1158 }
1159 #else
1160 ((void) output);
1161 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1162
1163 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1164 }
1165
1166 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t * ctx,mbedtls_cipher_padding_t mode)1167 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
1168 mbedtls_cipher_padding_t mode)
1169 {
1170 if (NULL == ctx->cipher_info ||
1171 MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1172 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1173 }
1174
1175 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1176 if (ctx->psa_enabled == 1) {
1177 /* While PSA Crypto knows about CBC padding
1178 * schemes, we currently don't make them
1179 * accessible through the cipher layer. */
1180 if (mode != MBEDTLS_PADDING_NONE) {
1181 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1182 }
1183
1184 return 0;
1185 }
1186 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1187
1188 switch (mode) {
1189 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1190 case MBEDTLS_PADDING_PKCS7:
1191 ctx->add_padding = add_pkcs_padding;
1192 ctx->get_padding = mbedtls_get_pkcs_padding;
1193 break;
1194 #endif
1195 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1196 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1197 ctx->add_padding = add_one_and_zeros_padding;
1198 ctx->get_padding = get_one_and_zeros_padding;
1199 break;
1200 #endif
1201 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1202 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1203 ctx->add_padding = add_zeros_and_len_padding;
1204 ctx->get_padding = get_zeros_and_len_padding;
1205 break;
1206 #endif
1207 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1208 case MBEDTLS_PADDING_ZEROS:
1209 ctx->add_padding = add_zeros_padding;
1210 ctx->get_padding = get_zeros_padding;
1211 break;
1212 #endif
1213 case MBEDTLS_PADDING_NONE:
1214 ctx->add_padding = NULL;
1215 ctx->get_padding = get_no_padding;
1216 break;
1217
1218 default:
1219 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1220 }
1221
1222 return 0;
1223 }
1224 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1225
1226 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_write_tag(mbedtls_cipher_context_t * ctx,unsigned char * tag,size_t tag_len)1227 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
1228 unsigned char *tag, size_t tag_len)
1229 {
1230 if (ctx->cipher_info == NULL) {
1231 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1232 }
1233
1234 if (MBEDTLS_ENCRYPT != ctx->operation) {
1235 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1236 }
1237
1238 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1239 if (ctx->psa_enabled == 1) {
1240 /* While PSA Crypto has an API for multipart
1241 * operations, we currently don't make it
1242 * accessible through the cipher layer. */
1243 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1244 }
1245 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1246
1247 #if defined(MBEDTLS_GCM_C)
1248 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1249 size_t output_length;
1250 /* The code here doesn't yet support alternative implementations
1251 * that can delay up to a block of output. */
1252 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
1253 NULL, 0, &output_length,
1254 tag, tag_len);
1255 }
1256 #endif
1257
1258 #if defined(MBEDTLS_CHACHAPOLY_C)
1259 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1260 /* Don't allow truncated MAC for Poly1305 */
1261 if (tag_len != 16U) {
1262 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1263 }
1264
1265 return mbedtls_chachapoly_finish(
1266 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);
1267 }
1268 #endif
1269
1270 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1271 }
1272
mbedtls_cipher_check_tag(mbedtls_cipher_context_t * ctx,const unsigned char * tag,size_t tag_len)1273 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
1274 const unsigned char *tag, size_t tag_len)
1275 {
1276 unsigned char check_tag[16];
1277 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1278
1279 if (ctx->cipher_info == NULL) {
1280 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1281 }
1282
1283 if (MBEDTLS_DECRYPT != ctx->operation) {
1284 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1285 }
1286
1287 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1288 if (ctx->psa_enabled == 1) {
1289 /* While PSA Crypto has an API for multipart
1290 * operations, we currently don't make it
1291 * accessible through the cipher layer. */
1292 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1293 }
1294 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1295
1296 /* Status to return on a non-authenticated algorithm. */
1297 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1298
1299 #if defined(MBEDTLS_GCM_C)
1300 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1301 size_t output_length;
1302 /* The code here doesn't yet support alternative implementations
1303 * that can delay up to a block of output. */
1304
1305 if (tag_len > sizeof(check_tag)) {
1306 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1307 }
1308
1309 if (0 != (ret = mbedtls_gcm_finish(
1310 (mbedtls_gcm_context *) ctx->cipher_ctx,
1311 NULL, 0, &output_length,
1312 check_tag, tag_len))) {
1313 return ret;
1314 }
1315
1316 /* Check the tag in "constant-time" */
1317 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1318 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1319 goto exit;
1320 }
1321 }
1322 #endif /* MBEDTLS_GCM_C */
1323
1324 #if defined(MBEDTLS_CHACHAPOLY_C)
1325 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1326 /* Don't allow truncated MAC for Poly1305 */
1327 if (tag_len != sizeof(check_tag)) {
1328 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1329 }
1330
1331 ret = mbedtls_chachapoly_finish(
1332 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
1333 if (ret != 0) {
1334 return ret;
1335 }
1336
1337 /* Check the tag in "constant-time" */
1338 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1339 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1340 goto exit;
1341 }
1342 }
1343 #endif /* MBEDTLS_CHACHAPOLY_C */
1344
1345 exit:
1346 mbedtls_platform_zeroize(check_tag, tag_len);
1347 return ret;
1348 }
1349 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1350
1351 /*
1352 * Packet-oriented wrapper for non-AEAD modes
1353 */
mbedtls_cipher_crypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)1354 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
1355 const unsigned char *iv, size_t iv_len,
1356 const unsigned char *input, size_t ilen,
1357 unsigned char *output, size_t *olen)
1358 {
1359 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1360 size_t finish_olen;
1361
1362 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1363 if (ctx->psa_enabled == 1) {
1364 /* As in the non-PSA case, we don't check that
1365 * a key has been set. If not, the key slot will
1366 * still be in its default state of 0, which is
1367 * guaranteed to be invalid, hence the PSA-call
1368 * below will gracefully fail. */
1369 mbedtls_cipher_context_psa * const cipher_psa =
1370 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1371
1372 psa_status_t status;
1373 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1374 size_t part_len;
1375
1376 if (ctx->operation == MBEDTLS_DECRYPT) {
1377 status = psa_cipher_decrypt_setup(&cipher_op,
1378 cipher_psa->slot,
1379 cipher_psa->alg);
1380 } else if (ctx->operation == MBEDTLS_ENCRYPT) {
1381 status = psa_cipher_encrypt_setup(&cipher_op,
1382 cipher_psa->slot,
1383 cipher_psa->alg);
1384 } else {
1385 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1386 }
1387
1388 /* In the following, we can immediately return on an error,
1389 * because the PSA Crypto API guarantees that cipher operations
1390 * are terminated by unsuccessful calls to psa_cipher_update(),
1391 * and by any call to psa_cipher_finish(). */
1392 if (status != PSA_SUCCESS) {
1393 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1394 }
1395
1396 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) {
1397 status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
1398 if (status != PSA_SUCCESS) {
1399 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1400 }
1401 }
1402
1403 status = psa_cipher_update(&cipher_op,
1404 input, ilen,
1405 output, ilen, olen);
1406 if (status != PSA_SUCCESS) {
1407 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1408 }
1409
1410 status = psa_cipher_finish(&cipher_op,
1411 output + *olen, ilen - *olen,
1412 &part_len);
1413 if (status != PSA_SUCCESS) {
1414 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1415 }
1416
1417 *olen += part_len;
1418 return 0;
1419 }
1420 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1421
1422 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
1423 return ret;
1424 }
1425
1426 if ((ret = mbedtls_cipher_reset(ctx)) != 0) {
1427 return ret;
1428 }
1429
1430 if ((ret = mbedtls_cipher_update(ctx, input, ilen,
1431 output, olen)) != 0) {
1432 return ret;
1433 }
1434
1435 if ((ret = mbedtls_cipher_finish(ctx, output + *olen,
1436 &finish_olen)) != 0) {
1437 return ret;
1438 }
1439
1440 *olen += finish_olen;
1441
1442 return 0;
1443 }
1444
1445 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1446 /*
1447 * Packet-oriented encryption for AEAD modes: internal function used by
1448 * mbedtls_cipher_auth_encrypt_ext().
1449 */
mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1450 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
1451 const unsigned char *iv, size_t iv_len,
1452 const unsigned char *ad, size_t ad_len,
1453 const unsigned char *input, size_t ilen,
1454 unsigned char *output, size_t *olen,
1455 unsigned char *tag, size_t tag_len)
1456 {
1457 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1458 if (ctx->psa_enabled == 1) {
1459 /* As in the non-PSA case, we don't check that
1460 * a key has been set. If not, the key slot will
1461 * still be in its default state of 0, which is
1462 * guaranteed to be invalid, hence the PSA-call
1463 * below will gracefully fail. */
1464 mbedtls_cipher_context_psa * const cipher_psa =
1465 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1466
1467 psa_status_t status;
1468
1469 /* PSA Crypto API always writes the authentication tag
1470 * at the end of the encrypted message. */
1471 if (output == NULL || tag != output + ilen) {
1472 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1473 }
1474
1475 status = psa_aead_encrypt(cipher_psa->slot,
1476 cipher_psa->alg,
1477 iv, iv_len,
1478 ad, ad_len,
1479 input, ilen,
1480 output, ilen + tag_len, olen);
1481 if (status != PSA_SUCCESS) {
1482 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1483 }
1484
1485 *olen -= tag_len;
1486 return 0;
1487 }
1488 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1489
1490 #if defined(MBEDTLS_GCM_C)
1491 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1492 *olen = ilen;
1493 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1494 ilen, iv, iv_len, ad, ad_len,
1495 input, output, tag_len, tag);
1496 }
1497 #endif /* MBEDTLS_GCM_C */
1498 #if defined(MBEDTLS_CCM_C)
1499 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1500 *olen = ilen;
1501 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
1502 iv, iv_len, ad, ad_len, input, output,
1503 tag, tag_len);
1504 }
1505 #endif /* MBEDTLS_CCM_C */
1506 #if defined(MBEDTLS_CHACHAPOLY_C)
1507 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1508 /* ChachaPoly has fixed length nonce and MAC (tag) */
1509 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
1510 (tag_len != 16U)) {
1511 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1512 }
1513
1514 *olen = ilen;
1515 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,
1516 ilen, iv, ad, ad_len, input, output, tag);
1517 }
1518 #endif /* MBEDTLS_CHACHAPOLY_C */
1519
1520 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1521 }
1522
1523 /*
1524 * Packet-oriented encryption for AEAD modes: internal function used by
1525 * mbedtls_cipher_auth_encrypt_ext().
1526 */
mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1527 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
1528 const unsigned char *iv, size_t iv_len,
1529 const unsigned char *ad, size_t ad_len,
1530 const unsigned char *input, size_t ilen,
1531 unsigned char *output, size_t *olen,
1532 const unsigned char *tag, size_t tag_len)
1533 {
1534 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1535 if (ctx->psa_enabled == 1) {
1536 /* As in the non-PSA case, we don't check that
1537 * a key has been set. If not, the key slot will
1538 * still be in its default state of 0, which is
1539 * guaranteed to be invalid, hence the PSA-call
1540 * below will gracefully fail. */
1541 mbedtls_cipher_context_psa * const cipher_psa =
1542 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1543
1544 psa_status_t status;
1545
1546 /* PSA Crypto API always writes the authentication tag
1547 * at the end of the encrypted message. */
1548 if (input == NULL || tag != input + ilen) {
1549 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1550 }
1551
1552 status = psa_aead_decrypt(cipher_psa->slot,
1553 cipher_psa->alg,
1554 iv, iv_len,
1555 ad, ad_len,
1556 input, ilen + tag_len,
1557 output, ilen, olen);
1558 if (status == PSA_ERROR_INVALID_SIGNATURE) {
1559 return MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1560 } else if (status != PSA_SUCCESS) {
1561 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1562 }
1563
1564 return 0;
1565 }
1566 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1567
1568 #if defined(MBEDTLS_GCM_C)
1569 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1570 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1571
1572 *olen = ilen;
1573 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
1574 iv, iv_len, ad, ad_len,
1575 tag, tag_len, input, output);
1576
1577 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
1578 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1579 }
1580
1581 return ret;
1582 }
1583 #endif /* MBEDTLS_GCM_C */
1584 #if defined(MBEDTLS_CCM_C)
1585 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1586 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1587
1588 *olen = ilen;
1589 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
1590 iv, iv_len, ad, ad_len,
1591 input, output, tag, tag_len);
1592
1593 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
1594 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1595 }
1596
1597 return ret;
1598 }
1599 #endif /* MBEDTLS_CCM_C */
1600 #if defined(MBEDTLS_CHACHAPOLY_C)
1601 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1602 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1603
1604 /* ChachaPoly has fixed length nonce and MAC (tag) */
1605 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
1606 (tag_len != 16U)) {
1607 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1608 }
1609
1610 *olen = ilen;
1611 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,
1612 iv, ad, ad_len, tag, input, output);
1613
1614 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {
1615 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1616 }
1617
1618 return ret;
1619 }
1620 #endif /* MBEDTLS_CHACHAPOLY_C */
1621
1622 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1623 }
1624 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1625
1626 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1627 /*
1628 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1629 */
mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1630 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
1631 const unsigned char *iv, size_t iv_len,
1632 const unsigned char *ad, size_t ad_len,
1633 const unsigned char *input, size_t ilen,
1634 unsigned char *output, size_t output_len,
1635 size_t *olen, size_t tag_len)
1636 {
1637 #if defined(MBEDTLS_NIST_KW_C)
1638 if (
1639 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1640 ctx->psa_enabled == 0 &&
1641 #endif
1642 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1643 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
1644 mbedtls_nist_kw_mode_t mode =
1645 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
1646 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1647
1648 /* There is no iv, tag or ad associated with KW and KWP,
1649 * so these length should be 0 as documented. */
1650 if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1651 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1652 }
1653
1654 (void) iv;
1655 (void) ad;
1656
1657 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
1658 output, olen, output_len);
1659 }
1660 #endif /* MBEDTLS_NIST_KW_C */
1661
1662 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1663 /* AEAD case: check length before passing on to shared function */
1664 if (output_len < ilen + tag_len) {
1665 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1666 }
1667
1668 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
1669 input, ilen, output, olen,
1670 output + ilen, tag_len);
1671 *olen += tag_len;
1672 return ret;
1673 #else
1674 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1675 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1676 }
1677
1678 /*
1679 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1680 */
mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1681 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
1682 const unsigned char *iv, size_t iv_len,
1683 const unsigned char *ad, size_t ad_len,
1684 const unsigned char *input, size_t ilen,
1685 unsigned char *output, size_t output_len,
1686 size_t *olen, size_t tag_len)
1687 {
1688 #if defined(MBEDTLS_NIST_KW_C)
1689 if (
1690 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1691 ctx->psa_enabled == 0 &&
1692 #endif
1693 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1694 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
1695 mbedtls_nist_kw_mode_t mode =
1696 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
1697 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1698
1699 /* There is no iv, tag or ad associated with KW and KWP,
1700 * so these length should be 0 as documented. */
1701 if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1702 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1703 }
1704
1705 (void) iv;
1706 (void) ad;
1707
1708 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
1709 output, olen, output_len);
1710 }
1711 #endif /* MBEDTLS_NIST_KW_C */
1712
1713 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1714 /* AEAD case: check length before passing on to shared function */
1715 if (ilen < tag_len || output_len < ilen - tag_len) {
1716 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1717 }
1718
1719 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
1720 input, ilen - tag_len, output, olen,
1721 input + ilen - tag_len, tag_len);
1722 #else
1723 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1724 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1725 }
1726 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1727
1728 #endif /* MBEDTLS_CIPHER_C */
1729