1 /** 2 * \file cipher.c 3 * 4 * \brief Generic cipher wrapper for mbed TLS 5 * 6 * \author Adriaan de Jong <dejong@fox-it.com> 7 * 8 * Copyright The Mbed TLS Contributors 9 * SPDX-License-Identifier: Apache-2.0 10 * 11 * Licensed under the Apache License, Version 2.0 (the "License"); you may 12 * not use this file except in compliance with the License. 13 * You may obtain a copy of the License at 14 * 15 * http://www.apache.org/licenses/LICENSE-2.0 16 * 17 * Unless required by applicable law or agreed to in writing, software 18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 * See the License for the specific language governing permissions and 21 * limitations under the License. 22 */ 23 24 #include "common.h" 25 26 #if defined(MBEDTLS_CIPHER_C) 27 28 #include "mbedtls/cipher.h" 29 #include "mbedtls/cipher_internal.h" 30 #include "mbedtls/platform_util.h" 31 #include "mbedtls/error.h" 32 #include "mbedtls/constant_time.h" 33 34 #include <stdlib.h> 35 #include <string.h> 36 37 #if defined(MBEDTLS_CHACHAPOLY_C) 38 #include "mbedtls/chachapoly.h" 39 #endif 40 41 #if defined(MBEDTLS_GCM_C) 42 #include "mbedtls/gcm.h" 43 #endif 44 45 #if defined(MBEDTLS_CCM_C) 46 #include "mbedtls/ccm.h" 47 #endif 48 49 #if defined(MBEDTLS_CHACHA20_C) 50 #include "mbedtls/chacha20.h" 51 #endif 52 53 #if defined(MBEDTLS_CMAC_C) 54 #include "mbedtls/cmac.h" 55 #endif 56 57 #if defined(MBEDTLS_USE_PSA_CRYPTO) 58 #include "psa/crypto.h" 59 #include "mbedtls/psa_util.h" 60 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 61 62 #if defined(MBEDTLS_NIST_KW_C) 63 #include "mbedtls/nist_kw.h" 64 #endif 65 66 #if defined(MBEDTLS_PLATFORM_C) 67 #include "mbedtls/platform.h" 68 #else 69 #define mbedtls_calloc calloc 70 #define mbedtls_free free 71 #endif 72 73 #define CIPHER_VALIDATE_RET( cond ) \ 74 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) 75 #define CIPHER_VALIDATE( cond ) \ 76 MBEDTLS_INTERNAL_VALIDATE( cond ) 77 78 static int supported_init = 0; 79 80 const int *mbedtls_cipher_list( void ) 81 { 82 const mbedtls_cipher_definition_t *def; 83 int *type; 84 85 if( ! supported_init ) 86 { 87 def = mbedtls_cipher_definitions; 88 type = mbedtls_cipher_supported; 89 90 while( def->type != 0 ) 91 *type++ = (*def++).type; 92 93 *type = 0; 94 95 supported_init = 1; 96 } 97 98 return( mbedtls_cipher_supported ); 99 } 100 101 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( 102 const mbedtls_cipher_type_t cipher_type ) 103 { 104 const mbedtls_cipher_definition_t *def; 105 106 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 107 if( def->type == cipher_type ) 108 return( def->info ); 109 110 return( NULL ); 111 } 112 113 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( 114 const char *cipher_name ) 115 { 116 const mbedtls_cipher_definition_t *def; 117 118 if( NULL == cipher_name ) 119 return( NULL ); 120 121 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 122 if( ! strcmp( def->info->name, cipher_name ) ) 123 return( def->info ); 124 125 return( NULL ); 126 } 127 128 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( 129 const mbedtls_cipher_id_t cipher_id, 130 int key_bitlen, 131 const mbedtls_cipher_mode_t mode ) 132 { 133 const mbedtls_cipher_definition_t *def; 134 135 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 136 if( def->info->base->cipher == cipher_id && 137 def->info->key_bitlen == (unsigned) key_bitlen && 138 def->info->mode == mode ) 139 return( def->info ); 140 141 return( NULL ); 142 } 143 144 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx ) 145 { 146 CIPHER_VALIDATE( ctx != NULL ); 147 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 148 } 149 150 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx ) 151 { 152 if( ctx == NULL ) 153 return; 154 155 #if defined(MBEDTLS_USE_PSA_CRYPTO) 156 if( ctx->psa_enabled == 1 ) 157 { 158 if( ctx->cipher_ctx != NULL ) 159 { 160 mbedtls_cipher_context_psa * const cipher_psa = 161 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 162 163 if( cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED ) 164 { 165 /* xxx_free() doesn't allow to return failures. */ 166 (void) psa_destroy_key( cipher_psa->slot ); 167 } 168 169 mbedtls_platform_zeroize( cipher_psa, sizeof( *cipher_psa ) ); 170 mbedtls_free( cipher_psa ); 171 } 172 173 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) ); 174 return; 175 } 176 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 177 178 #if defined(MBEDTLS_CMAC_C) 179 if( ctx->cmac_ctx ) 180 { 181 mbedtls_platform_zeroize( ctx->cmac_ctx, 182 sizeof( mbedtls_cmac_context_t ) ); 183 mbedtls_free( ctx->cmac_ctx ); 184 } 185 #endif 186 187 if( ctx->cipher_ctx ) 188 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx ); 189 190 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) ); 191 } 192 193 int mbedtls_cipher_clone( mbedtls_cipher_context_t *dst, 194 const mbedtls_cipher_context_t *src ) 195 { 196 if( dst == NULL || dst->cipher_info == NULL || 197 src == NULL || src->cipher_info == NULL) 198 { 199 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 200 } 201 202 dst->cipher_info = src->cipher_info; 203 dst->key_bitlen = src->key_bitlen; 204 dst->operation = src->operation; 205 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 206 dst->add_padding = src->add_padding; 207 dst->get_padding = src->get_padding; 208 #endif 209 memcpy( dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH ); 210 dst->unprocessed_len = src->unprocessed_len; 211 memcpy( dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH ); 212 dst->iv_size = src->iv_size; 213 if( dst->cipher_info->base->ctx_clone_func ) 214 dst->cipher_info->base->ctx_clone_func( dst->cipher_ctx, src->cipher_ctx ); 215 216 #if defined(MBEDTLS_CMAC_C) 217 if( dst->cmac_ctx != NULL && src->cmac_ctx != NULL ) 218 memcpy( dst->cmac_ctx, src->cmac_ctx, sizeof( mbedtls_cmac_context_t ) ); 219 #endif 220 return( 0 ); 221 } 222 223 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, 224 const mbedtls_cipher_info_t *cipher_info ) 225 { 226 CIPHER_VALIDATE_RET( ctx != NULL ); 227 if( cipher_info == NULL ) 228 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 229 230 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 231 232 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) ) 233 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 234 235 ctx->cipher_info = cipher_info; 236 237 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 238 /* 239 * Ignore possible errors caused by a cipher mode that doesn't use padding 240 */ 241 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 242 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 ); 243 #else 244 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE ); 245 #endif 246 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 247 248 return( 0 ); 249 } 250 251 #if defined(MBEDTLS_USE_PSA_CRYPTO) 252 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx, 253 const mbedtls_cipher_info_t *cipher_info, 254 size_t taglen ) 255 { 256 psa_algorithm_t alg; 257 mbedtls_cipher_context_psa *cipher_psa; 258 259 if( NULL == cipher_info || NULL == ctx ) 260 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 261 262 /* Check that the underlying cipher mode and cipher type are 263 * supported by the underlying PSA Crypto implementation. */ 264 alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen ); 265 if( alg == 0 ) 266 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 267 if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 ) 268 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 269 270 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 271 272 cipher_psa = mbedtls_calloc( 1, sizeof(mbedtls_cipher_context_psa ) ); 273 if( cipher_psa == NULL ) 274 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 275 cipher_psa->alg = alg; 276 ctx->cipher_ctx = cipher_psa; 277 ctx->cipher_info = cipher_info; 278 ctx->psa_enabled = 1; 279 return( 0 ); 280 } 281 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 282 283 int mbedtls_cipher_setup_info( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info ) 284 { 285 if( NULL == cipher_info || NULL == ctx ) 286 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 287 288 ctx->cipher_info = cipher_info; 289 return( 0 ); 290 } 291 292 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, 293 const unsigned char *key, 294 int key_bitlen, 295 const mbedtls_operation_t operation ) 296 { 297 CIPHER_VALIDATE_RET( ctx != NULL ); 298 CIPHER_VALIDATE_RET( key != NULL ); 299 CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT || 300 operation == MBEDTLS_DECRYPT ); 301 if( ctx->cipher_info == NULL ) 302 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 303 304 #if defined(MBEDTLS_USE_PSA_CRYPTO) 305 if( ctx->psa_enabled == 1 ) 306 { 307 mbedtls_cipher_context_psa * const cipher_psa = 308 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 309 310 size_t const key_bytelen = ( (size_t) key_bitlen + 7 ) / 8; 311 312 psa_status_t status; 313 psa_key_type_t key_type; 314 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 315 316 /* PSA Crypto API only accepts byte-aligned keys. */ 317 if( key_bitlen % 8 != 0 ) 318 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 319 320 /* Don't allow keys to be set multiple times. */ 321 if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET ) 322 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 323 324 key_type = mbedtls_psa_translate_cipher_type( 325 ctx->cipher_info->type ); 326 if( key_type == 0 ) 327 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 328 psa_set_key_type( &attributes, key_type ); 329 330 /* Mbed TLS' cipher layer doesn't enforce the mode of operation 331 * (encrypt vs. decrypt): it is possible to setup a key for encryption 332 * and use it for AEAD decryption. Until tests relying on this 333 * are changed, allow any usage in PSA. */ 334 psa_set_key_usage_flags( &attributes, 335 /* mbedtls_psa_translate_cipher_operation( operation ); */ 336 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 337 psa_set_key_algorithm( &attributes, cipher_psa->alg ); 338 339 status = psa_import_key( &attributes, key, key_bytelen, 340 &cipher_psa->slot ); 341 switch( status ) 342 { 343 case PSA_SUCCESS: 344 break; 345 case PSA_ERROR_INSUFFICIENT_MEMORY: 346 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 347 case PSA_ERROR_NOT_SUPPORTED: 348 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 349 default: 350 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 351 } 352 /* Indicate that we own the key slot and need to 353 * destroy it in mbedtls_cipher_free(). */ 354 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED; 355 356 ctx->key_bitlen = key_bitlen; 357 ctx->operation = operation; 358 return( 0 ); 359 } 360 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 361 362 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 && 363 (int) ctx->cipher_info->key_bitlen != key_bitlen ) 364 { 365 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 366 } 367 368 ctx->key_bitlen = key_bitlen; 369 ctx->operation = operation; 370 371 /* 372 * For OFB, CFB and CTR mode always use the encryption key schedule 373 */ 374 if( MBEDTLS_ENCRYPT == operation || 375 MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 376 MBEDTLS_MODE_OFB == ctx->cipher_info->mode || 377 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ) 378 { 379 return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key, 380 ctx->key_bitlen ) ); 381 } 382 383 if( MBEDTLS_DECRYPT == operation ) 384 return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key, 385 ctx->key_bitlen ) ); 386 387 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 388 } 389 390 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, 391 const unsigned char *iv, 392 size_t iv_len ) 393 { 394 size_t actual_iv_size; 395 396 CIPHER_VALIDATE_RET( ctx != NULL ); 397 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 398 if( ctx->cipher_info == NULL ) 399 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 400 #if defined(MBEDTLS_USE_PSA_CRYPTO) 401 if( ctx->psa_enabled == 1 ) 402 { 403 /* While PSA Crypto has an API for multipart 404 * operations, we currently don't make it 405 * accessible through the cipher layer. */ 406 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 407 } 408 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 409 410 /* avoid buffer overflow in ctx->iv */ 411 if( iv_len > MBEDTLS_MAX_IV_LENGTH ) 412 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 413 414 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 ) 415 actual_iv_size = iv_len; 416 else 417 { 418 actual_iv_size = ctx->cipher_info->iv_size; 419 420 /* avoid reading past the end of input buffer */ 421 if( actual_iv_size > iv_len ) 422 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 423 } 424 425 #if defined(MBEDTLS_CHACHA20_C) 426 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 ) 427 { 428 /* Even though the actual_iv_size is overwritten with a correct value 429 * of 12 from the cipher info, return an error to indicate that 430 * the input iv_len is wrong. */ 431 if( iv_len != 12 ) 432 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 433 434 if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx, 435 iv, 436 0U ) ) /* Initial counter value */ 437 { 438 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 439 } 440 } 441 #if defined(MBEDTLS_CHACHAPOLY_C) 442 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 && 443 iv_len != 12 ) 444 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 445 #endif 446 #endif 447 448 if ( actual_iv_size != 0 ) 449 { 450 memcpy( ctx->iv, iv, actual_iv_size ); 451 ctx->iv_size = actual_iv_size; 452 } 453 454 return( 0 ); 455 } 456 457 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ) 458 { 459 CIPHER_VALIDATE_RET( ctx != NULL ); 460 if( ctx->cipher_info == NULL ) 461 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 462 463 #if defined(MBEDTLS_USE_PSA_CRYPTO) 464 if( ctx->psa_enabled == 1 ) 465 { 466 /* We don't support resetting PSA-based 467 * cipher contexts, yet. */ 468 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 469 } 470 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 471 472 ctx->unprocessed_len = 0; 473 474 return( 0 ); 475 } 476 477 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 478 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx, 479 const unsigned char *ad, size_t ad_len ) 480 { 481 CIPHER_VALIDATE_RET( ctx != NULL ); 482 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); 483 if( ctx->cipher_info == NULL ) 484 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 485 486 #if defined(MBEDTLS_USE_PSA_CRYPTO) 487 if( ctx->psa_enabled == 1 ) 488 { 489 /* While PSA Crypto has an API for multipart 490 * operations, we currently don't make it 491 * accessible through the cipher layer. */ 492 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 493 } 494 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 495 496 #if defined(MBEDTLS_GCM_C) 497 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 498 { 499 return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation, 500 ctx->iv, ctx->iv_size, ad, ad_len ) ); 501 } 502 #endif 503 504 #if defined(MBEDTLS_CHACHAPOLY_C) 505 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) 506 { 507 int result; 508 mbedtls_chachapoly_mode_t mode; 509 510 mode = ( ctx->operation == MBEDTLS_ENCRYPT ) 511 ? MBEDTLS_CHACHAPOLY_ENCRYPT 512 : MBEDTLS_CHACHAPOLY_DECRYPT; 513 514 result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx, 515 ctx->iv, 516 mode ); 517 if ( result != 0 ) 518 return( result ); 519 520 return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx, 521 ad, ad_len ) ); 522 } 523 #endif 524 525 return( 0 ); 526 } 527 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 528 529 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input, 530 size_t ilen, unsigned char *output, size_t *olen ) 531 { 532 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 533 size_t block_size; 534 535 CIPHER_VALIDATE_RET( ctx != NULL ); 536 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 537 CIPHER_VALIDATE_RET( output != NULL ); 538 CIPHER_VALIDATE_RET( olen != NULL ); 539 if( ctx->cipher_info == NULL ) 540 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 541 542 #if defined(MBEDTLS_USE_PSA_CRYPTO) 543 if( ctx->psa_enabled == 1 ) 544 { 545 /* While PSA Crypto has an API for multipart 546 * operations, we currently don't make it 547 * accessible through the cipher layer. */ 548 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 549 } 550 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 551 552 *olen = 0; 553 block_size = mbedtls_cipher_get_block_size( ctx ); 554 if ( 0 == block_size ) 555 { 556 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT ); 557 } 558 559 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB ) 560 { 561 if( ilen != block_size ) 562 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 563 564 *olen = ilen; 565 566 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx, 567 ctx->operation, input, output ) ) ) 568 { 569 return( ret ); 570 } 571 572 return( 0 ); 573 } 574 575 #if defined(MBEDTLS_GCM_C) 576 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM ) 577 { 578 *olen = ilen; 579 return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input, 580 output ) ); 581 } 582 #endif 583 584 #if defined(MBEDTLS_CHACHAPOLY_C) 585 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) 586 { 587 *olen = ilen; 588 return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx, 589 ilen, input, output ) ); 590 } 591 #endif 592 593 if( input == output && 594 ( ctx->unprocessed_len != 0 || ilen % block_size ) ) 595 { 596 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 597 } 598 599 #if defined(MBEDTLS_CIPHER_MODE_CBC) 600 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC ) 601 { 602 size_t copy_len = 0; 603 604 /* 605 * If there is not enough data for a full block, cache it. 606 */ 607 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 608 ilen <= block_size - ctx->unprocessed_len ) || 609 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 610 ilen < block_size - ctx->unprocessed_len ) || 611 ( ctx->operation == MBEDTLS_ENCRYPT && 612 ilen < block_size - ctx->unprocessed_len ) ) 613 { 614 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 615 ilen ); 616 617 ctx->unprocessed_len += ilen; 618 return( 0 ); 619 } 620 621 /* 622 * Process cached data first 623 */ 624 if( 0 != ctx->unprocessed_len ) 625 { 626 copy_len = block_size - ctx->unprocessed_len; 627 628 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 629 copy_len ); 630 631 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 632 ctx->operation, block_size, ctx->iv, 633 ctx->unprocessed_data, output ) ) ) 634 { 635 return( ret ); 636 } 637 638 *olen += block_size; 639 output += block_size; 640 ctx->unprocessed_len = 0; 641 642 input += copy_len; 643 ilen -= copy_len; 644 } 645 646 /* 647 * Cache final, incomplete block 648 */ 649 if( 0 != ilen ) 650 { 651 /* Encryption: only cache partial blocks 652 * Decryption w/ padding: always keep at least one whole block 653 * Decryption w/o padding: only cache partial blocks 654 */ 655 copy_len = ilen % block_size; 656 if( copy_len == 0 && 657 ctx->operation == MBEDTLS_DECRYPT && 658 NULL != ctx->add_padding) 659 { 660 copy_len = block_size; 661 } 662 663 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ), 664 copy_len ); 665 666 ctx->unprocessed_len += copy_len; 667 ilen -= copy_len; 668 } 669 670 /* 671 * Process remaining full blocks 672 */ 673 if( ilen ) 674 { 675 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 676 ctx->operation, ilen, ctx->iv, input, output ) ) ) 677 { 678 return( ret ); 679 } 680 681 *olen += ilen; 682 } 683 684 return( 0 ); 685 } 686 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 687 688 #if defined(MBEDTLS_CIPHER_MODE_CFB) 689 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB ) 690 { 691 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx, 692 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv, 693 input, output ) ) ) 694 { 695 return( ret ); 696 } 697 698 *olen = ilen; 699 700 return( 0 ); 701 } 702 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 703 704 #if defined(MBEDTLS_CIPHER_MODE_OFB) 705 if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB ) 706 { 707 if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx, 708 ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) ) 709 { 710 return( ret ); 711 } 712 713 *olen = ilen; 714 715 return( 0 ); 716 } 717 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 718 719 #if defined(MBEDTLS_CIPHER_MODE_CTR) 720 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR ) 721 { 722 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx, 723 ilen, &ctx->unprocessed_len, ctx->iv, 724 ctx->unprocessed_data, input, output ) ) ) 725 { 726 return( ret ); 727 } 728 729 *olen = ilen; 730 731 return( 0 ); 732 } 733 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 734 735 #if defined(MBEDTLS_CIPHER_MODE_XTS) 736 if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS ) 737 { 738 if( ctx->unprocessed_len > 0 ) { 739 /* We can only process an entire data unit at a time. */ 740 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 741 } 742 743 ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx, 744 ctx->operation, ilen, ctx->iv, input, output ); 745 if( ret != 0 ) 746 { 747 return( ret ); 748 } 749 750 *olen = ilen; 751 752 return( 0 ); 753 } 754 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 755 756 #if defined(MBEDTLS_CIPHER_MODE_STREAM) 757 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM ) 758 { 759 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx, 760 ilen, input, output ) ) ) 761 { 762 return( ret ); 763 } 764 765 *olen = ilen; 766 767 return( 0 ); 768 } 769 #endif /* MBEDTLS_CIPHER_MODE_STREAM */ 770 771 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 772 } 773 774 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 775 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 776 /* 777 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 778 */ 779 static void add_pkcs_padding( unsigned char *output, size_t output_len, 780 size_t data_len ) 781 { 782 size_t padding_len = output_len - data_len; 783 unsigned char i; 784 785 for( i = 0; i < padding_len; i++ ) 786 output[data_len + i] = (unsigned char) padding_len; 787 } 788 789 static int get_pkcs_padding( unsigned char *input, size_t input_len, 790 size_t *data_len ) 791 { 792 size_t i, pad_idx; 793 unsigned char padding_len, bad = 0; 794 795 if( NULL == input || NULL == data_len ) 796 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 797 798 padding_len = input[input_len - 1]; 799 *data_len = input_len - padding_len; 800 801 /* Avoid logical || since it results in a branch */ 802 bad |= padding_len > input_len; 803 bad |= padding_len == 0; 804 805 /* The number of bytes checked must be independent of padding_len, 806 * so pick input_len, which is usually 8 or 16 (one block) */ 807 pad_idx = input_len - padding_len; 808 for( i = 0; i < input_len; i++ ) 809 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx ); 810 811 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 812 } 813 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 814 815 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 816 /* 817 * One and zeros padding: fill with 80 00 ... 00 818 */ 819 static void add_one_and_zeros_padding( unsigned char *output, 820 size_t output_len, size_t data_len ) 821 { 822 size_t padding_len = output_len - data_len; 823 unsigned char i = 0; 824 825 output[data_len] = 0x80; 826 for( i = 1; i < padding_len; i++ ) 827 output[data_len + i] = 0x00; 828 } 829 830 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len, 831 size_t *data_len ) 832 { 833 size_t i; 834 unsigned char done = 0, prev_done, bad; 835 836 if( NULL == input || NULL == data_len ) 837 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 838 839 bad = 0x80; 840 *data_len = 0; 841 for( i = input_len; i > 0; i-- ) 842 { 843 prev_done = done; 844 done |= ( input[i - 1] != 0 ); 845 *data_len |= ( i - 1 ) * ( done != prev_done ); 846 bad ^= input[i - 1] * ( done != prev_done ); 847 } 848 849 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 850 851 } 852 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 853 854 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 855 /* 856 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 857 */ 858 static void add_zeros_and_len_padding( unsigned char *output, 859 size_t output_len, size_t data_len ) 860 { 861 size_t padding_len = output_len - data_len; 862 unsigned char i = 0; 863 864 for( i = 1; i < padding_len; i++ ) 865 output[data_len + i - 1] = 0x00; 866 output[output_len - 1] = (unsigned char) padding_len; 867 } 868 869 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len, 870 size_t *data_len ) 871 { 872 size_t i, pad_idx; 873 unsigned char padding_len, bad = 0; 874 875 if( NULL == input || NULL == data_len ) 876 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 877 878 padding_len = input[input_len - 1]; 879 *data_len = input_len - padding_len; 880 881 /* Avoid logical || since it results in a branch */ 882 bad |= padding_len > input_len; 883 bad |= padding_len == 0; 884 885 /* The number of bytes checked must be independent of padding_len */ 886 pad_idx = input_len - padding_len; 887 for( i = 0; i < input_len - 1; i++ ) 888 bad |= input[i] * ( i >= pad_idx ); 889 890 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 891 } 892 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 893 894 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 895 /* 896 * Zero padding: fill with 00 ... 00 897 */ 898 static void add_zeros_padding( unsigned char *output, 899 size_t output_len, size_t data_len ) 900 { 901 size_t i; 902 903 for( i = data_len; i < output_len; i++ ) 904 output[i] = 0x00; 905 } 906 907 static int get_zeros_padding( unsigned char *input, size_t input_len, 908 size_t *data_len ) 909 { 910 size_t i; 911 unsigned char done = 0, prev_done; 912 913 if( NULL == input || NULL == data_len ) 914 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 915 916 *data_len = 0; 917 for( i = input_len; i > 0; i-- ) 918 { 919 prev_done = done; 920 done |= ( input[i-1] != 0 ); 921 *data_len |= i * ( done != prev_done ); 922 } 923 924 return( 0 ); 925 } 926 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 927 928 /* 929 * No padding: don't pad :) 930 * 931 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 932 * but a trivial get_padding function 933 */ 934 static int get_no_padding( unsigned char *input, size_t input_len, 935 size_t *data_len ) 936 { 937 if( NULL == input || NULL == data_len ) 938 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 939 940 *data_len = input_len; 941 942 return( 0 ); 943 } 944 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 945 946 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx, 947 unsigned char *output, size_t *olen ) 948 { 949 CIPHER_VALIDATE_RET( ctx != NULL ); 950 CIPHER_VALIDATE_RET( output != NULL ); 951 CIPHER_VALIDATE_RET( olen != NULL ); 952 if( ctx->cipher_info == NULL ) 953 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 954 955 #if defined(MBEDTLS_USE_PSA_CRYPTO) 956 if( ctx->psa_enabled == 1 ) 957 { 958 /* While PSA Crypto has an API for multipart 959 * operations, we currently don't make it 960 * accessible through the cipher layer. */ 961 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 962 } 963 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 964 965 *olen = 0; 966 967 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 968 MBEDTLS_MODE_OFB == ctx->cipher_info->mode || 969 MBEDTLS_MODE_CTR == ctx->cipher_info->mode || 970 MBEDTLS_MODE_GCM == ctx->cipher_info->mode || 971 MBEDTLS_MODE_XTS == ctx->cipher_info->mode || 972 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode ) 973 { 974 return( 0 ); 975 } 976 977 if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) || 978 ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) ) 979 { 980 return( 0 ); 981 } 982 983 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode ) 984 { 985 if( ctx->unprocessed_len != 0 ) 986 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 987 988 return( 0 ); 989 } 990 991 #if defined(MBEDTLS_CIPHER_MODE_CBC) 992 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode ) 993 { 994 int ret = 0; 995 996 if( MBEDTLS_ENCRYPT == ctx->operation ) 997 { 998 /* check for 'no padding' mode */ 999 if( NULL == ctx->add_padding ) 1000 { 1001 if( 0 != ctx->unprocessed_len ) 1002 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 1003 1004 return( 0 ); 1005 } 1006 1007 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ), 1008 ctx->unprocessed_len ); 1009 } 1010 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len ) 1011 { 1012 /* 1013 * For decrypt operations, expect a full block, 1014 * or an empty block if no padding 1015 */ 1016 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len ) 1017 return( 0 ); 1018 1019 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 1020 } 1021 1022 /* cipher block */ 1023 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 1024 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv, 1025 ctx->unprocessed_data, output ) ) ) 1026 { 1027 return( ret ); 1028 } 1029 1030 /* Set output size for decryption */ 1031 if( MBEDTLS_DECRYPT == ctx->operation ) 1032 return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ), 1033 olen ) ); 1034 1035 /* Set output size for encryption */ 1036 *olen = mbedtls_cipher_get_block_size( ctx ); 1037 return( 0 ); 1038 } 1039 #else 1040 ((void) output); 1041 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1042 1043 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1044 } 1045 1046 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1047 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, 1048 mbedtls_cipher_padding_t mode ) 1049 { 1050 CIPHER_VALIDATE_RET( ctx != NULL ); 1051 1052 if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode ) 1053 { 1054 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1055 } 1056 1057 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1058 if( ctx->psa_enabled == 1 ) 1059 { 1060 /* While PSA Crypto knows about CBC padding 1061 * schemes, we currently don't make them 1062 * accessible through the cipher layer. */ 1063 if( mode != MBEDTLS_PADDING_NONE ) 1064 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1065 1066 return( 0 ); 1067 } 1068 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1069 1070 switch( mode ) 1071 { 1072 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 1073 case MBEDTLS_PADDING_PKCS7: 1074 ctx->add_padding = add_pkcs_padding; 1075 ctx->get_padding = get_pkcs_padding; 1076 break; 1077 #endif 1078 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 1079 case MBEDTLS_PADDING_ONE_AND_ZEROS: 1080 ctx->add_padding = add_one_and_zeros_padding; 1081 ctx->get_padding = get_one_and_zeros_padding; 1082 break; 1083 #endif 1084 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 1085 case MBEDTLS_PADDING_ZEROS_AND_LEN: 1086 ctx->add_padding = add_zeros_and_len_padding; 1087 ctx->get_padding = get_zeros_and_len_padding; 1088 break; 1089 #endif 1090 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1091 case MBEDTLS_PADDING_ZEROS: 1092 ctx->add_padding = add_zeros_padding; 1093 ctx->get_padding = get_zeros_padding; 1094 break; 1095 #endif 1096 case MBEDTLS_PADDING_NONE: 1097 ctx->add_padding = NULL; 1098 ctx->get_padding = get_no_padding; 1099 break; 1100 1101 default: 1102 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1103 } 1104 1105 return( 0 ); 1106 } 1107 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1108 1109 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 1110 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx, 1111 unsigned char *tag, size_t tag_len ) 1112 { 1113 CIPHER_VALIDATE_RET( ctx != NULL ); 1114 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); 1115 if( ctx->cipher_info == NULL ) 1116 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1117 1118 if( MBEDTLS_ENCRYPT != ctx->operation ) 1119 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1120 1121 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1122 if( ctx->psa_enabled == 1 ) 1123 { 1124 /* While PSA Crypto has an API for multipart 1125 * operations, we currently don't make it 1126 * accessible through the cipher layer. */ 1127 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1128 } 1129 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1130 1131 #if defined(MBEDTLS_GCM_C) 1132 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 1133 return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, 1134 tag, tag_len ) ); 1135 #endif 1136 1137 #if defined(MBEDTLS_CHACHAPOLY_C) 1138 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) 1139 { 1140 /* Don't allow truncated MAC for Poly1305 */ 1141 if ( tag_len != 16U ) 1142 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1143 1144 return( mbedtls_chachapoly_finish( 1145 (mbedtls_chachapoly_context*) ctx->cipher_ctx, tag ) ); 1146 } 1147 #endif 1148 1149 return( 0 ); 1150 } 1151 1152 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, 1153 const unsigned char *tag, size_t tag_len ) 1154 { 1155 unsigned char check_tag[16]; 1156 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1157 1158 CIPHER_VALIDATE_RET( ctx != NULL ); 1159 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); 1160 if( ctx->cipher_info == NULL ) 1161 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1162 1163 if( MBEDTLS_DECRYPT != ctx->operation ) 1164 { 1165 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1166 } 1167 1168 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1169 if( ctx->psa_enabled == 1 ) 1170 { 1171 /* While PSA Crypto has an API for multipart 1172 * operations, we currently don't make it 1173 * accessible through the cipher layer. */ 1174 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1175 } 1176 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1177 1178 /* Status to return on a non-authenticated algorithm. It would make sense 1179 * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps 1180 * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our 1181 * unit tests assume 0. */ 1182 ret = 0; 1183 1184 #if defined(MBEDTLS_GCM_C) 1185 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 1186 { 1187 if( tag_len > sizeof( check_tag ) ) 1188 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1189 1190 if( 0 != ( ret = mbedtls_gcm_finish( 1191 (mbedtls_gcm_context *) ctx->cipher_ctx, 1192 check_tag, tag_len ) ) ) 1193 { 1194 return( ret ); 1195 } 1196 1197 /* Check the tag in "constant-time" */ 1198 if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 ) 1199 { 1200 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1201 goto exit; 1202 } 1203 } 1204 #endif /* MBEDTLS_GCM_C */ 1205 1206 #if defined(MBEDTLS_CHACHAPOLY_C) 1207 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) 1208 { 1209 /* Don't allow truncated MAC for Poly1305 */ 1210 if ( tag_len != sizeof( check_tag ) ) 1211 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1212 1213 ret = mbedtls_chachapoly_finish( 1214 (mbedtls_chachapoly_context*) ctx->cipher_ctx, check_tag ); 1215 if ( ret != 0 ) 1216 { 1217 return( ret ); 1218 } 1219 1220 /* Check the tag in "constant-time" */ 1221 if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 ) 1222 { 1223 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1224 goto exit; 1225 } 1226 } 1227 #endif /* MBEDTLS_CHACHAPOLY_C */ 1228 1229 exit: 1230 mbedtls_platform_zeroize( check_tag, tag_len ); 1231 return( ret ); 1232 } 1233 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 1234 1235 /* 1236 * Packet-oriented wrapper for non-AEAD modes 1237 */ 1238 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, 1239 const unsigned char *iv, size_t iv_len, 1240 const unsigned char *input, size_t ilen, 1241 unsigned char *output, size_t *olen ) 1242 { 1243 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1244 size_t finish_olen; 1245 1246 CIPHER_VALIDATE_RET( ctx != NULL ); 1247 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 1248 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 1249 CIPHER_VALIDATE_RET( output != NULL ); 1250 CIPHER_VALIDATE_RET( olen != NULL ); 1251 1252 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1253 if( ctx->psa_enabled == 1 ) 1254 { 1255 /* As in the non-PSA case, we don't check that 1256 * a key has been set. If not, the key slot will 1257 * still be in its default state of 0, which is 1258 * guaranteed to be invalid, hence the PSA-call 1259 * below will gracefully fail. */ 1260 mbedtls_cipher_context_psa * const cipher_psa = 1261 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1262 1263 psa_status_t status; 1264 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; 1265 size_t part_len; 1266 1267 if( ctx->operation == MBEDTLS_DECRYPT ) 1268 { 1269 status = psa_cipher_decrypt_setup( &cipher_op, 1270 cipher_psa->slot, 1271 cipher_psa->alg ); 1272 } 1273 else if( ctx->operation == MBEDTLS_ENCRYPT ) 1274 { 1275 status = psa_cipher_encrypt_setup( &cipher_op, 1276 cipher_psa->slot, 1277 cipher_psa->alg ); 1278 } 1279 else 1280 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1281 1282 /* In the following, we can immediately return on an error, 1283 * because the PSA Crypto API guarantees that cipher operations 1284 * are terminated by unsuccessful calls to psa_cipher_update(), 1285 * and by any call to psa_cipher_finish(). */ 1286 if( status != PSA_SUCCESS ) 1287 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1288 1289 if( ctx->cipher_info->mode != MBEDTLS_MODE_ECB ) 1290 { 1291 status = psa_cipher_set_iv( &cipher_op, iv, iv_len ); 1292 if( status != PSA_SUCCESS ) 1293 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1294 } 1295 1296 status = psa_cipher_update( &cipher_op, 1297 input, ilen, 1298 output, ilen, olen ); 1299 if( status != PSA_SUCCESS ) 1300 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1301 1302 status = psa_cipher_finish( &cipher_op, 1303 output + *olen, ilen - *olen, 1304 &part_len ); 1305 if( status != PSA_SUCCESS ) 1306 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1307 1308 *olen += part_len; 1309 return( 0 ); 1310 } 1311 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1312 1313 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 ) 1314 return( ret ); 1315 1316 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 ) 1317 return( ret ); 1318 1319 if( ( ret = mbedtls_cipher_update( ctx, input, ilen, 1320 output, olen ) ) != 0 ) 1321 return( ret ); 1322 1323 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, 1324 &finish_olen ) ) != 0 ) 1325 return( ret ); 1326 1327 *olen += finish_olen; 1328 1329 return( 0 ); 1330 } 1331 1332 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1333 /* 1334 * Packet-oriented encryption for AEAD modes: internal function shared by 1335 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext(). 1336 */ 1337 static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx, 1338 const unsigned char *iv, size_t iv_len, 1339 const unsigned char *ad, size_t ad_len, 1340 const unsigned char *input, size_t ilen, 1341 unsigned char *output, size_t *olen, 1342 unsigned char *tag, size_t tag_len ) 1343 { 1344 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1345 if( ctx->psa_enabled == 1 ) 1346 { 1347 /* As in the non-PSA case, we don't check that 1348 * a key has been set. If not, the key slot will 1349 * still be in its default state of 0, which is 1350 * guaranteed to be invalid, hence the PSA-call 1351 * below will gracefully fail. */ 1352 mbedtls_cipher_context_psa * const cipher_psa = 1353 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1354 1355 psa_status_t status; 1356 1357 /* PSA Crypto API always writes the authentication tag 1358 * at the end of the encrypted message. */ 1359 if( output == NULL || tag != output + ilen ) 1360 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1361 1362 status = psa_aead_encrypt( cipher_psa->slot, 1363 cipher_psa->alg, 1364 iv, iv_len, 1365 ad, ad_len, 1366 input, ilen, 1367 output, ilen + tag_len, olen ); 1368 if( status != PSA_SUCCESS ) 1369 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1370 1371 *olen -= tag_len; 1372 return( 0 ); 1373 } 1374 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1375 1376 #if defined(MBEDTLS_GCM_C) 1377 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 1378 { 1379 *olen = ilen; 1380 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, 1381 ilen, iv, iv_len, ad, ad_len, 1382 input, output, tag_len, tag ) ); 1383 } 1384 #endif /* MBEDTLS_GCM_C */ 1385 #if defined(MBEDTLS_CCM_C) 1386 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode ) 1387 { 1388 *olen = ilen; 1389 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen, 1390 iv, iv_len, ad, ad_len, input, output, 1391 tag, tag_len ) ); 1392 } 1393 #endif /* MBEDTLS_CCM_C */ 1394 #if defined(MBEDTLS_CHACHAPOLY_C) 1395 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) 1396 { 1397 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1398 if ( ( iv_len != ctx->cipher_info->iv_size ) || 1399 ( tag_len != 16U ) ) 1400 { 1401 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1402 } 1403 1404 *olen = ilen; 1405 return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx, 1406 ilen, iv, ad, ad_len, input, output, tag ) ); 1407 } 1408 #endif /* MBEDTLS_CHACHAPOLY_C */ 1409 1410 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1411 } 1412 1413 /* 1414 * Packet-oriented encryption for AEAD modes: internal function shared by 1415 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext(). 1416 */ 1417 static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx, 1418 const unsigned char *iv, size_t iv_len, 1419 const unsigned char *ad, size_t ad_len, 1420 const unsigned char *input, size_t ilen, 1421 unsigned char *output, size_t *olen, 1422 const unsigned char *tag, size_t tag_len ) 1423 { 1424 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1425 if( ctx->psa_enabled == 1 ) 1426 { 1427 /* As in the non-PSA case, we don't check that 1428 * a key has been set. If not, the key slot will 1429 * still be in its default state of 0, which is 1430 * guaranteed to be invalid, hence the PSA-call 1431 * below will gracefully fail. */ 1432 mbedtls_cipher_context_psa * const cipher_psa = 1433 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1434 1435 psa_status_t status; 1436 1437 /* PSA Crypto API always writes the authentication tag 1438 * at the end of the encrypted message. */ 1439 if( input == NULL || tag != input + ilen ) 1440 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1441 1442 status = psa_aead_decrypt( cipher_psa->slot, 1443 cipher_psa->alg, 1444 iv, iv_len, 1445 ad, ad_len, 1446 input, ilen + tag_len, 1447 output, ilen, olen ); 1448 if( status == PSA_ERROR_INVALID_SIGNATURE ) 1449 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); 1450 else if( status != PSA_SUCCESS ) 1451 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1452 1453 return( 0 ); 1454 } 1455 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1456 1457 #if defined(MBEDTLS_GCM_C) 1458 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 1459 { 1460 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1461 1462 *olen = ilen; 1463 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen, 1464 iv, iv_len, ad, ad_len, 1465 tag, tag_len, input, output ); 1466 1467 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED ) 1468 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1469 1470 return( ret ); 1471 } 1472 #endif /* MBEDTLS_GCM_C */ 1473 #if defined(MBEDTLS_CCM_C) 1474 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode ) 1475 { 1476 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1477 1478 *olen = ilen; 1479 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen, 1480 iv, iv_len, ad, ad_len, 1481 input, output, tag, tag_len ); 1482 1483 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED ) 1484 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1485 1486 return( ret ); 1487 } 1488 #endif /* MBEDTLS_CCM_C */ 1489 #if defined(MBEDTLS_CHACHAPOLY_C) 1490 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) 1491 { 1492 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1493 1494 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1495 if ( ( iv_len != ctx->cipher_info->iv_size ) || 1496 ( tag_len != 16U ) ) 1497 { 1498 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1499 } 1500 1501 *olen = ilen; 1502 ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen, 1503 iv, ad, ad_len, tag, input, output ); 1504 1505 if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED ) 1506 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1507 1508 return( ret ); 1509 } 1510 #endif /* MBEDTLS_CHACHAPOLY_C */ 1511 1512 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1513 } 1514 1515 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1516 /* 1517 * Packet-oriented encryption for AEAD modes: public legacy function. 1518 */ 1519 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, 1520 const unsigned char *iv, size_t iv_len, 1521 const unsigned char *ad, size_t ad_len, 1522 const unsigned char *input, size_t ilen, 1523 unsigned char *output, size_t *olen, 1524 unsigned char *tag, size_t tag_len ) 1525 { 1526 CIPHER_VALIDATE_RET( ctx != NULL ); 1527 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 1528 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); 1529 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 1530 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL ); 1531 CIPHER_VALIDATE_RET( olen != NULL ); 1532 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); 1533 1534 return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len, 1535 input, ilen, output, olen, 1536 tag, tag_len ) ); 1537 } 1538 1539 /* 1540 * Packet-oriented decryption for AEAD modes: public legacy function. 1541 */ 1542 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, 1543 const unsigned char *iv, size_t iv_len, 1544 const unsigned char *ad, size_t ad_len, 1545 const unsigned char *input, size_t ilen, 1546 unsigned char *output, size_t *olen, 1547 const unsigned char *tag, size_t tag_len ) 1548 { 1549 CIPHER_VALIDATE_RET( ctx != NULL ); 1550 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 1551 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); 1552 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 1553 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL ); 1554 CIPHER_VALIDATE_RET( olen != NULL ); 1555 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); 1556 1557 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len, 1558 input, ilen, output, olen, 1559 tag, tag_len ) ); 1560 } 1561 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 1562 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1563 1564 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) 1565 /* 1566 * Packet-oriented encryption for AEAD/NIST_KW: public function. 1567 */ 1568 int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, 1569 const unsigned char *iv, size_t iv_len, 1570 const unsigned char *ad, size_t ad_len, 1571 const unsigned char *input, size_t ilen, 1572 unsigned char *output, size_t output_len, 1573 size_t *olen, size_t tag_len ) 1574 { 1575 CIPHER_VALIDATE_RET( ctx != NULL ); 1576 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 1577 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); 1578 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 1579 CIPHER_VALIDATE_RET( output != NULL ); 1580 CIPHER_VALIDATE_RET( olen != NULL ); 1581 1582 #if defined(MBEDTLS_NIST_KW_C) 1583 if( 1584 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1585 ctx->psa_enabled == 0 && 1586 #endif 1587 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode || 1588 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) ) 1589 { 1590 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? 1591 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1592 1593 /* There is no iv, tag or ad associated with KW and KWP, 1594 * so these length should be 0 as documented. */ 1595 if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) 1596 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1597 1598 (void) iv; 1599 (void) ad; 1600 1601 return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, 1602 output, olen, output_len ) ); 1603 } 1604 #endif /* MBEDTLS_NIST_KW_C */ 1605 1606 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1607 /* AEAD case: check length before passing on to shared function */ 1608 if( output_len < ilen + tag_len ) 1609 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1610 1611 int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len, 1612 input, ilen, output, olen, 1613 output + ilen, tag_len ); 1614 *olen += tag_len; 1615 return( ret ); 1616 #else 1617 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1618 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1619 } 1620 1621 /* 1622 * Packet-oriented decryption for AEAD/NIST_KW: public function. 1623 */ 1624 int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx, 1625 const unsigned char *iv, size_t iv_len, 1626 const unsigned char *ad, size_t ad_len, 1627 const unsigned char *input, size_t ilen, 1628 unsigned char *output, size_t output_len, 1629 size_t *olen, size_t tag_len ) 1630 { 1631 CIPHER_VALIDATE_RET( ctx != NULL ); 1632 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 1633 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); 1634 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 1635 CIPHER_VALIDATE_RET( output_len == 0 || output != NULL ); 1636 CIPHER_VALIDATE_RET( olen != NULL ); 1637 1638 #if defined(MBEDTLS_NIST_KW_C) 1639 if( 1640 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1641 ctx->psa_enabled == 0 && 1642 #endif 1643 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode || 1644 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) ) 1645 { 1646 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? 1647 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1648 1649 /* There is no iv, tag or ad associated with KW and KWP, 1650 * so these length should be 0 as documented. */ 1651 if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) 1652 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1653 1654 (void) iv; 1655 (void) ad; 1656 1657 return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen, 1658 output, olen, output_len ) ); 1659 } 1660 #endif /* MBEDTLS_NIST_KW_C */ 1661 1662 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1663 /* AEAD case: check length before passing on to shared function */ 1664 if( ilen < tag_len || output_len < ilen - tag_len ) 1665 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1666 1667 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len, 1668 input, ilen - tag_len, output, olen, 1669 input + ilen - tag_len, tag_len ) ); 1670 #else 1671 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1672 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1673 } 1674 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ 1675 1676 #endif /* MBEDTLS_CIPHER_C */ 1677