1 /** 2 * \file cipher.c 3 * 4 * \brief Generic cipher wrapper for mbed TLS 5 * 6 * \author Adriaan de Jong <dejong@fox-it.com> 7 * 8 * Copyright The Mbed TLS Contributors 9 * SPDX-License-Identifier: Apache-2.0 10 * 11 * Licensed under the Apache License, Version 2.0 (the "License"); you may 12 * not use this file except in compliance with the License. 13 * You may obtain a copy of the License at 14 * 15 * http://www.apache.org/licenses/LICENSE-2.0 16 * 17 * Unless required by applicable law or agreed to in writing, software 18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 * See the License for the specific language governing permissions and 21 * limitations under the License. 22 */ 23 24 #include "common.h" 25 26 #if defined(MBEDTLS_CIPHER_C) 27 28 #include "mbedtls/cipher.h" 29 #include "cipher_wrap.h" 30 #include "mbedtls/platform_util.h" 31 #include "mbedtls/error.h" 32 #include "mbedtls/constant_time.h" 33 34 #include <stdlib.h> 35 #include <string.h> 36 37 #if defined(MBEDTLS_CHACHAPOLY_C) 38 #include "mbedtls/chachapoly.h" 39 #endif 40 41 #if defined(MBEDTLS_GCM_C) 42 #include "mbedtls/gcm.h" 43 #endif 44 45 #if defined(MBEDTLS_CCM_C) 46 #include "mbedtls/ccm.h" 47 #endif 48 49 #if defined(MBEDTLS_CHACHA20_C) 50 #include "mbedtls/chacha20.h" 51 #endif 52 53 #if defined(MBEDTLS_CMAC_C) 54 #include "mbedtls/cmac.h" 55 #endif 56 57 #if defined(MBEDTLS_USE_PSA_CRYPTO) 58 #include "psa/crypto.h" 59 #include "mbedtls/psa_util.h" 60 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 61 62 #if defined(MBEDTLS_NIST_KW_C) 63 #include "mbedtls/nist_kw.h" 64 #endif 65 66 #include "mbedtls/platform.h" 67 68 static int supported_init = 0; 69 70 const int *mbedtls_cipher_list(void) 71 { 72 const mbedtls_cipher_definition_t *def; 73 int *type; 74 75 if (!supported_init) { 76 def = mbedtls_cipher_definitions; 77 type = mbedtls_cipher_supported; 78 79 while (def->type != 0) { 80 *type++ = (*def++).type; 81 } 82 83 *type = 0; 84 85 supported_init = 1; 86 } 87 88 return mbedtls_cipher_supported; 89 } 90 91 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( 92 const mbedtls_cipher_type_t cipher_type) 93 { 94 const mbedtls_cipher_definition_t *def; 95 96 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 97 if (def->type == cipher_type) { 98 return def->info; 99 } 100 } 101 102 return NULL; 103 } 104 105 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( 106 const char *cipher_name) 107 { 108 const mbedtls_cipher_definition_t *def; 109 110 if (NULL == cipher_name) { 111 return NULL; 112 } 113 114 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 115 if (!strcmp(def->info->name, cipher_name)) { 116 return def->info; 117 } 118 } 119 120 return NULL; 121 } 122 123 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( 124 const mbedtls_cipher_id_t cipher_id, 125 int key_bitlen, 126 const mbedtls_cipher_mode_t mode) 127 { 128 const mbedtls_cipher_definition_t *def; 129 130 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 131 if (def->info->base->cipher == cipher_id && 132 def->info->key_bitlen == (unsigned) key_bitlen && 133 def->info->mode == mode) { 134 return def->info; 135 } 136 } 137 138 return NULL; 139 } 140 141 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx) 142 { 143 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 144 } 145 146 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx) 147 { 148 if (ctx == NULL) { 149 return; 150 } 151 152 #if defined(MBEDTLS_USE_PSA_CRYPTO) 153 if (ctx->psa_enabled == 1) { 154 if (ctx->cipher_ctx != NULL) { 155 mbedtls_cipher_context_psa * const cipher_psa = 156 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 157 158 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) { 159 /* xxx_free() doesn't allow to return failures. */ 160 (void) psa_destroy_key(cipher_psa->slot); 161 } 162 163 mbedtls_platform_zeroize(cipher_psa, sizeof(*cipher_psa)); 164 mbedtls_free(cipher_psa); 165 } 166 167 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 168 return; 169 } 170 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 171 172 #if defined(MBEDTLS_CMAC_C) 173 if (ctx->cmac_ctx) { 174 mbedtls_platform_zeroize(ctx->cmac_ctx, 175 sizeof(mbedtls_cmac_context_t)); 176 mbedtls_free(ctx->cmac_ctx); 177 } 178 #endif 179 180 if (ctx->cipher_ctx) { 181 ctx->cipher_info->base->ctx_free_func(ctx->cipher_ctx); 182 } 183 184 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 185 } 186 187 int mbedtls_cipher_clone(mbedtls_cipher_context_t *dst, 188 const mbedtls_cipher_context_t *src) 189 { 190 if (dst == NULL || dst->cipher_info == NULL || 191 src == NULL || src->cipher_info == NULL) { 192 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 193 } 194 195 dst->cipher_info = src->cipher_info; 196 dst->key_bitlen = src->key_bitlen; 197 dst->operation = src->operation; 198 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 199 dst->add_padding = src->add_padding; 200 dst->get_padding = src->get_padding; 201 #endif 202 memcpy(dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH); 203 dst->unprocessed_len = src->unprocessed_len; 204 memcpy(dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH); 205 dst->iv_size = src->iv_size; 206 if (dst->cipher_info->base->ctx_clone_func) 207 dst->cipher_info->base->ctx_clone_func(dst->cipher_ctx, src->cipher_ctx); 208 209 #if defined(MBEDTLS_CMAC_C) 210 if (dst->cmac_ctx != NULL && src->cmac_ctx != NULL) 211 memcpy(dst->cmac_ctx, src->cmac_ctx, sizeof(mbedtls_cmac_context_t)); 212 #endif 213 return 0; 214 } 215 216 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, 217 const mbedtls_cipher_info_t *cipher_info) 218 { 219 if (cipher_info == NULL) { 220 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 221 } 222 223 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 224 225 if (NULL == (ctx->cipher_ctx = cipher_info->base->ctx_alloc_func())) { 226 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 227 } 228 229 ctx->cipher_info = cipher_info; 230 231 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 232 /* 233 * Ignore possible errors caused by a cipher mode that doesn't use padding 234 */ 235 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 236 (void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_PKCS7); 237 #else 238 (void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_NONE); 239 #endif 240 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 241 242 return 0; 243 } 244 245 #if defined(MBEDTLS_USE_PSA_CRYPTO) 246 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 247 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx, 248 const mbedtls_cipher_info_t *cipher_info, 249 size_t taglen) 250 { 251 psa_algorithm_t alg; 252 mbedtls_cipher_context_psa *cipher_psa; 253 254 if (NULL == cipher_info || NULL == ctx) { 255 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 256 } 257 258 /* Check that the underlying cipher mode and cipher type are 259 * supported by the underlying PSA Crypto implementation. */ 260 alg = mbedtls_psa_translate_cipher_mode(cipher_info->mode, taglen); 261 if (alg == 0) { 262 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 263 } 264 if (mbedtls_psa_translate_cipher_type(cipher_info->type) == 0) { 265 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 266 } 267 268 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 269 270 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa)); 271 if (cipher_psa == NULL) { 272 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 273 } 274 cipher_psa->alg = alg; 275 ctx->cipher_ctx = cipher_psa; 276 ctx->cipher_info = cipher_info; 277 ctx->psa_enabled = 1; 278 return 0; 279 } 280 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 281 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 282 283 int mbedtls_cipher_setup_info(mbedtls_cipher_context_t *ctx, 284 const mbedtls_cipher_info_t *cipher_info ) 285 { 286 if (NULL == cipher_info || NULL == ctx) 287 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 288 289 ctx->cipher_info = cipher_info; 290 return 0; 291 } 292 293 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, 294 const unsigned char *key, 295 int key_bitlen, 296 const mbedtls_operation_t operation) 297 { 298 if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) { 299 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 300 } 301 if (ctx->cipher_info == NULL) { 302 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 303 } 304 305 #if defined(MBEDTLS_USE_PSA_CRYPTO) 306 if (ctx->psa_enabled == 1) { 307 mbedtls_cipher_context_psa * const cipher_psa = 308 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 309 310 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8; 311 312 psa_status_t status; 313 psa_key_type_t key_type; 314 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 315 316 /* PSA Crypto API only accepts byte-aligned keys. */ 317 if (key_bitlen % 8 != 0) { 318 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 319 } 320 321 /* Don't allow keys to be set multiple times. */ 322 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) { 323 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 324 } 325 326 key_type = mbedtls_psa_translate_cipher_type( 327 ctx->cipher_info->type); 328 if (key_type == 0) { 329 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 330 } 331 psa_set_key_type(&attributes, key_type); 332 333 /* Mbed TLS' cipher layer doesn't enforce the mode of operation 334 * (encrypt vs. decrypt): it is possible to setup a key for encryption 335 * and use it for AEAD decryption. Until tests relying on this 336 * are changed, allow any usage in PSA. */ 337 psa_set_key_usage_flags(&attributes, 338 /* mbedtls_psa_translate_cipher_operation( operation ); */ 339 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 340 psa_set_key_algorithm(&attributes, cipher_psa->alg); 341 342 status = psa_import_key(&attributes, key, key_bytelen, 343 &cipher_psa->slot); 344 switch (status) { 345 case PSA_SUCCESS: 346 break; 347 case PSA_ERROR_INSUFFICIENT_MEMORY: 348 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 349 case PSA_ERROR_NOT_SUPPORTED: 350 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 351 default: 352 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 353 } 354 /* Indicate that we own the key slot and need to 355 * destroy it in mbedtls_cipher_free(). */ 356 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED; 357 358 ctx->key_bitlen = key_bitlen; 359 ctx->operation = operation; 360 return 0; 361 } 362 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 363 364 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 && 365 (int) ctx->cipher_info->key_bitlen != key_bitlen) { 366 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 367 } 368 369 ctx->key_bitlen = key_bitlen; 370 ctx->operation = operation; 371 372 /* 373 * For OFB, CFB and CTR mode always use the encryption key schedule 374 */ 375 if (MBEDTLS_ENCRYPT == operation || 376 MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 377 MBEDTLS_MODE_OFB == ctx->cipher_info->mode || 378 MBEDTLS_MODE_CTR == ctx->cipher_info->mode) { 379 return ctx->cipher_info->base->setkey_enc_func(ctx->cipher_ctx, key, 380 ctx->key_bitlen); 381 } 382 383 if (MBEDTLS_DECRYPT == operation) { 384 return ctx->cipher_info->base->setkey_dec_func(ctx->cipher_ctx, key, 385 ctx->key_bitlen); 386 } 387 388 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 389 } 390 391 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx, 392 const unsigned char *iv, 393 size_t iv_len) 394 { 395 size_t actual_iv_size; 396 397 if (ctx->cipher_info == NULL) { 398 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 399 } 400 #if defined(MBEDTLS_USE_PSA_CRYPTO) 401 if (ctx->psa_enabled == 1) { 402 /* While PSA Crypto has an API for multipart 403 * operations, we currently don't make it 404 * accessible through the cipher layer. */ 405 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 406 } 407 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 408 409 /* avoid buffer overflow in ctx->iv */ 410 if (iv_len > MBEDTLS_MAX_IV_LENGTH) { 411 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 412 } 413 414 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) { 415 actual_iv_size = iv_len; 416 } else { 417 actual_iv_size = ctx->cipher_info->iv_size; 418 419 /* avoid reading past the end of input buffer */ 420 if (actual_iv_size > iv_len) { 421 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 422 } 423 } 424 425 #if defined(MBEDTLS_CHACHA20_C) 426 if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20) { 427 /* Even though the actual_iv_size is overwritten with a correct value 428 * of 12 from the cipher info, return an error to indicate that 429 * the input iv_len is wrong. */ 430 if (iv_len != 12) { 431 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 432 } 433 434 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx, 435 iv, 436 0U)) { /* Initial counter value */ 437 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 438 } 439 } 440 #if defined(MBEDTLS_CHACHAPOLY_C) 441 if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 && 442 iv_len != 12) { 443 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 444 } 445 #endif 446 #endif 447 448 #if defined(MBEDTLS_GCM_C) 449 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) { 450 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, 451 ctx->operation, 452 iv, iv_len); 453 } 454 #endif 455 456 #if defined(MBEDTLS_CCM_C) 457 if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ctx->cipher_info->mode) { 458 int set_lengths_result; 459 int ccm_star_mode; 460 461 set_lengths_result = mbedtls_ccm_set_lengths( 462 (mbedtls_ccm_context *) ctx->cipher_ctx, 463 0, 0, 0); 464 if (set_lengths_result != 0) { 465 return set_lengths_result; 466 } 467 468 if (ctx->operation == MBEDTLS_DECRYPT) { 469 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT; 470 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 471 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT; 472 } else { 473 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 474 } 475 476 return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx, 477 ccm_star_mode, 478 iv, iv_len); 479 } 480 #endif 481 482 if (actual_iv_size != 0) { 483 memcpy(ctx->iv, iv, actual_iv_size); 484 ctx->iv_size = actual_iv_size; 485 } 486 487 return 0; 488 } 489 490 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx) 491 { 492 if (ctx->cipher_info == NULL) { 493 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 494 } 495 496 #if defined(MBEDTLS_USE_PSA_CRYPTO) 497 if (ctx->psa_enabled == 1) { 498 /* We don't support resetting PSA-based 499 * cipher contexts, yet. */ 500 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 501 } 502 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 503 504 ctx->unprocessed_len = 0; 505 506 return 0; 507 } 508 509 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 510 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx, 511 const unsigned char *ad, size_t ad_len) 512 { 513 if (ctx->cipher_info == NULL) { 514 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 515 } 516 517 #if defined(MBEDTLS_USE_PSA_CRYPTO) 518 if (ctx->psa_enabled == 1) { 519 /* While PSA Crypto has an API for multipart 520 * operations, we currently don't make it 521 * accessible through the cipher layer. */ 522 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 523 } 524 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 525 526 #if defined(MBEDTLS_GCM_C) 527 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) { 528 return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx, 529 ad, ad_len); 530 } 531 #endif 532 533 #if defined(MBEDTLS_CHACHAPOLY_C) 534 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) { 535 int result; 536 mbedtls_chachapoly_mode_t mode; 537 538 mode = (ctx->operation == MBEDTLS_ENCRYPT) 539 ? MBEDTLS_CHACHAPOLY_ENCRYPT 540 : MBEDTLS_CHACHAPOLY_DECRYPT; 541 542 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx, 543 ctx->iv, 544 mode); 545 if (result != 0) { 546 return result; 547 } 548 549 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx, 550 ad, ad_len); 551 } 552 #endif 553 554 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 555 } 556 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 557 558 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, 559 size_t ilen, unsigned char *output, size_t *olen) 560 { 561 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 562 size_t block_size; 563 564 if (ctx->cipher_info == NULL) { 565 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 566 } 567 568 #if defined(MBEDTLS_USE_PSA_CRYPTO) 569 if (ctx->psa_enabled == 1) { 570 /* While PSA Crypto has an API for multipart 571 * operations, we currently don't make it 572 * accessible through the cipher layer. */ 573 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 574 } 575 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 576 577 *olen = 0; 578 block_size = mbedtls_cipher_get_block_size(ctx); 579 if (0 == block_size) { 580 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; 581 } 582 583 if (ctx->cipher_info->mode == MBEDTLS_MODE_ECB) { 584 if (ilen != block_size) { 585 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 586 } 587 588 *olen = ilen; 589 590 if (0 != (ret = ctx->cipher_info->base->ecb_func(ctx->cipher_ctx, 591 ctx->operation, input, output))) { 592 return ret; 593 } 594 595 return 0; 596 } 597 598 #if defined(MBEDTLS_GCM_C) 599 if (ctx->cipher_info->mode == MBEDTLS_MODE_GCM) { 600 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, 601 input, ilen, 602 output, ilen, olen); 603 } 604 #endif 605 606 #if defined(MBEDTLS_CCM_C) 607 if (ctx->cipher_info->mode == MBEDTLS_MODE_CCM_STAR_NO_TAG) { 608 return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx, 609 input, ilen, 610 output, ilen, olen); 611 } 612 #endif 613 614 #if defined(MBEDTLS_CHACHAPOLY_C) 615 if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) { 616 *olen = ilen; 617 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx, 618 ilen, input, output); 619 } 620 #endif 621 622 if (input == output && 623 (ctx->unprocessed_len != 0 || ilen % block_size)) { 624 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 625 } 626 627 #if defined(MBEDTLS_CIPHER_MODE_CBC) 628 if (ctx->cipher_info->mode == MBEDTLS_MODE_CBC) { 629 size_t copy_len = 0; 630 631 /* 632 * If there is not enough data for a full block, cache it. 633 */ 634 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 635 ilen <= block_size - ctx->unprocessed_len) || 636 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 637 ilen < block_size - ctx->unprocessed_len) || 638 (ctx->operation == MBEDTLS_ENCRYPT && 639 ilen < block_size - ctx->unprocessed_len)) { 640 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 641 ilen); 642 643 ctx->unprocessed_len += ilen; 644 return 0; 645 } 646 647 /* 648 * Process cached data first 649 */ 650 if (0 != ctx->unprocessed_len) { 651 copy_len = block_size - ctx->unprocessed_len; 652 653 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 654 copy_len); 655 656 if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx, 657 ctx->operation, block_size, ctx->iv, 658 ctx->unprocessed_data, output))) { 659 return ret; 660 } 661 662 *olen += block_size; 663 output += block_size; 664 ctx->unprocessed_len = 0; 665 666 input += copy_len; 667 ilen -= copy_len; 668 } 669 670 /* 671 * Cache final, incomplete block 672 */ 673 if (0 != ilen) { 674 /* Encryption: only cache partial blocks 675 * Decryption w/ padding: always keep at least one whole block 676 * Decryption w/o padding: only cache partial blocks 677 */ 678 copy_len = ilen % block_size; 679 if (copy_len == 0 && 680 ctx->operation == MBEDTLS_DECRYPT && 681 NULL != ctx->add_padding) { 682 copy_len = block_size; 683 } 684 685 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]), 686 copy_len); 687 688 ctx->unprocessed_len += copy_len; 689 ilen -= copy_len; 690 } 691 692 /* 693 * Process remaining full blocks 694 */ 695 if (ilen) { 696 if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx, 697 ctx->operation, ilen, ctx->iv, input, 698 output))) { 699 return ret; 700 } 701 702 *olen += ilen; 703 } 704 705 return 0; 706 } 707 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 708 709 #if defined(MBEDTLS_CIPHER_MODE_CFB) 710 if (ctx->cipher_info->mode == MBEDTLS_MODE_CFB) { 711 if (0 != (ret = ctx->cipher_info->base->cfb_func(ctx->cipher_ctx, 712 ctx->operation, ilen, 713 &ctx->unprocessed_len, ctx->iv, 714 input, output))) { 715 return ret; 716 } 717 718 *olen = ilen; 719 720 return 0; 721 } 722 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 723 724 #if defined(MBEDTLS_CIPHER_MODE_OFB) 725 if (ctx->cipher_info->mode == MBEDTLS_MODE_OFB) { 726 if (0 != (ret = ctx->cipher_info->base->ofb_func(ctx->cipher_ctx, 727 ilen, &ctx->unprocessed_len, ctx->iv, 728 input, output))) { 729 return ret; 730 } 731 732 *olen = ilen; 733 734 return 0; 735 } 736 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 737 738 #if defined(MBEDTLS_CIPHER_MODE_CTR) 739 if (ctx->cipher_info->mode == MBEDTLS_MODE_CTR) { 740 if (0 != (ret = ctx->cipher_info->base->ctr_func(ctx->cipher_ctx, 741 ilen, &ctx->unprocessed_len, ctx->iv, 742 ctx->unprocessed_data, input, output))) { 743 return ret; 744 } 745 746 *olen = ilen; 747 748 return 0; 749 } 750 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 751 752 #if defined(MBEDTLS_CIPHER_MODE_XTS) 753 if (ctx->cipher_info->mode == MBEDTLS_MODE_XTS) { 754 if (ctx->unprocessed_len > 0) { 755 /* We can only process an entire data unit at a time. */ 756 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 757 } 758 759 ret = ctx->cipher_info->base->xts_func(ctx->cipher_ctx, 760 ctx->operation, ilen, ctx->iv, input, output); 761 if (ret != 0) { 762 return ret; 763 } 764 765 *olen = ilen; 766 767 return 0; 768 } 769 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 770 771 #if defined(MBEDTLS_CIPHER_MODE_STREAM) 772 if (ctx->cipher_info->mode == MBEDTLS_MODE_STREAM) { 773 if (0 != (ret = ctx->cipher_info->base->stream_func(ctx->cipher_ctx, 774 ilen, input, output))) { 775 return ret; 776 } 777 778 *olen = ilen; 779 780 return 0; 781 } 782 #endif /* MBEDTLS_CIPHER_MODE_STREAM */ 783 784 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 785 } 786 787 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 788 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 789 /* 790 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 791 */ 792 static void add_pkcs_padding(unsigned char *output, size_t output_len, 793 size_t data_len) 794 { 795 size_t padding_len = output_len - data_len; 796 unsigned char i; 797 798 for (i = 0; i < padding_len; i++) { 799 output[data_len + i] = (unsigned char) padding_len; 800 } 801 } 802 803 static int get_pkcs_padding(unsigned char *input, size_t input_len, 804 size_t *data_len) 805 { 806 size_t i, pad_idx; 807 unsigned char padding_len, bad = 0; 808 809 if (NULL == input || NULL == data_len) { 810 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 811 } 812 813 padding_len = input[input_len - 1]; 814 *data_len = input_len - padding_len; 815 816 /* Avoid logical || since it results in a branch */ 817 bad |= padding_len > input_len; 818 bad |= padding_len == 0; 819 820 /* The number of bytes checked must be independent of padding_len, 821 * so pick input_len, which is usually 8 or 16 (one block) */ 822 pad_idx = input_len - padding_len; 823 for (i = 0; i < input_len; i++) { 824 bad |= (input[i] ^ padding_len) * (i >= pad_idx); 825 } 826 827 return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0); 828 } 829 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 830 831 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 832 /* 833 * One and zeros padding: fill with 80 00 ... 00 834 */ 835 static void add_one_and_zeros_padding(unsigned char *output, 836 size_t output_len, size_t data_len) 837 { 838 size_t padding_len = output_len - data_len; 839 unsigned char i = 0; 840 841 output[data_len] = 0x80; 842 for (i = 1; i < padding_len; i++) { 843 output[data_len + i] = 0x00; 844 } 845 } 846 847 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len, 848 size_t *data_len) 849 { 850 size_t i; 851 unsigned char done = 0, prev_done, bad; 852 853 if (NULL == input || NULL == data_len) { 854 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 855 } 856 857 bad = 0x80; 858 *data_len = 0; 859 for (i = input_len; i > 0; i--) { 860 prev_done = done; 861 done |= (input[i - 1] != 0); 862 *data_len |= (i - 1) * (done != prev_done); 863 bad ^= input[i - 1] * (done != prev_done); 864 } 865 866 return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0); 867 868 } 869 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 870 871 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 872 /* 873 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 874 */ 875 static void add_zeros_and_len_padding(unsigned char *output, 876 size_t output_len, size_t data_len) 877 { 878 size_t padding_len = output_len - data_len; 879 unsigned char i = 0; 880 881 for (i = 1; i < padding_len; i++) { 882 output[data_len + i - 1] = 0x00; 883 } 884 output[output_len - 1] = (unsigned char) padding_len; 885 } 886 887 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len, 888 size_t *data_len) 889 { 890 size_t i, pad_idx; 891 unsigned char padding_len, bad = 0; 892 893 if (NULL == input || NULL == data_len) { 894 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 895 } 896 897 padding_len = input[input_len - 1]; 898 *data_len = input_len - padding_len; 899 900 /* Avoid logical || since it results in a branch */ 901 bad |= padding_len > input_len; 902 bad |= padding_len == 0; 903 904 /* The number of bytes checked must be independent of padding_len */ 905 pad_idx = input_len - padding_len; 906 for (i = 0; i < input_len - 1; i++) { 907 bad |= input[i] * (i >= pad_idx); 908 } 909 910 return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0); 911 } 912 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 913 914 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 915 /* 916 * Zero padding: fill with 00 ... 00 917 */ 918 static void add_zeros_padding(unsigned char *output, 919 size_t output_len, size_t data_len) 920 { 921 size_t i; 922 923 for (i = data_len; i < output_len; i++) { 924 output[i] = 0x00; 925 } 926 } 927 928 static int get_zeros_padding(unsigned char *input, size_t input_len, 929 size_t *data_len) 930 { 931 size_t i; 932 unsigned char done = 0, prev_done; 933 934 if (NULL == input || NULL == data_len) { 935 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 936 } 937 938 *data_len = 0; 939 for (i = input_len; i > 0; i--) { 940 prev_done = done; 941 done |= (input[i-1] != 0); 942 *data_len |= i * (done != prev_done); 943 } 944 945 return 0; 946 } 947 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 948 949 /* 950 * No padding: don't pad :) 951 * 952 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 953 * but a trivial get_padding function 954 */ 955 static int get_no_padding(unsigned char *input, size_t input_len, 956 size_t *data_len) 957 { 958 if (NULL == input || NULL == data_len) { 959 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 960 } 961 962 *data_len = input_len; 963 964 return 0; 965 } 966 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 967 968 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx, 969 unsigned char *output, size_t *olen) 970 { 971 if (ctx->cipher_info == NULL) { 972 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 973 } 974 975 #if defined(MBEDTLS_USE_PSA_CRYPTO) 976 if (ctx->psa_enabled == 1) { 977 /* While PSA Crypto has an API for multipart 978 * operations, we currently don't make it 979 * accessible through the cipher layer. */ 980 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 981 } 982 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 983 984 *olen = 0; 985 986 if (MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 987 MBEDTLS_MODE_OFB == ctx->cipher_info->mode || 988 MBEDTLS_MODE_CTR == ctx->cipher_info->mode || 989 MBEDTLS_MODE_GCM == ctx->cipher_info->mode || 990 MBEDTLS_MODE_CCM_STAR_NO_TAG == ctx->cipher_info->mode || 991 MBEDTLS_MODE_XTS == ctx->cipher_info->mode || 992 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode) { 993 return 0; 994 } 995 996 if ((MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type) || 997 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type)) { 998 return 0; 999 } 1000 1001 if (MBEDTLS_MODE_ECB == ctx->cipher_info->mode) { 1002 if (ctx->unprocessed_len != 0) { 1003 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1004 } 1005 1006 return 0; 1007 } 1008 1009 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1010 if (MBEDTLS_MODE_CBC == ctx->cipher_info->mode) { 1011 int ret = 0; 1012 1013 if (MBEDTLS_ENCRYPT == ctx->operation) { 1014 /* check for 'no padding' mode */ 1015 if (NULL == ctx->add_padding) { 1016 if (0 != ctx->unprocessed_len) { 1017 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1018 } 1019 1020 return 0; 1021 } 1022 1023 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx), 1024 ctx->unprocessed_len); 1025 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) { 1026 /* 1027 * For decrypt operations, expect a full block, 1028 * or an empty block if no padding 1029 */ 1030 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) { 1031 return 0; 1032 } 1033 1034 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1035 } 1036 1037 /* cipher block */ 1038 if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx, 1039 ctx->operation, 1040 mbedtls_cipher_get_block_size(ctx), 1041 ctx->iv, 1042 ctx->unprocessed_data, output))) { 1043 return ret; 1044 } 1045 1046 /* Set output size for decryption */ 1047 if (MBEDTLS_DECRYPT == ctx->operation) { 1048 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx), 1049 olen); 1050 } 1051 1052 /* Set output size for encryption */ 1053 *olen = mbedtls_cipher_get_block_size(ctx); 1054 return 0; 1055 } 1056 #else 1057 ((void) output); 1058 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1059 1060 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1061 } 1062 1063 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1064 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, 1065 mbedtls_cipher_padding_t mode) 1066 { 1067 if (NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode) { 1068 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1069 } 1070 1071 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1072 if (ctx->psa_enabled == 1) { 1073 /* While PSA Crypto knows about CBC padding 1074 * schemes, we currently don't make them 1075 * accessible through the cipher layer. */ 1076 if (mode != MBEDTLS_PADDING_NONE) { 1077 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1078 } 1079 1080 return 0; 1081 } 1082 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1083 1084 switch (mode) { 1085 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 1086 case MBEDTLS_PADDING_PKCS7: 1087 ctx->add_padding = add_pkcs_padding; 1088 ctx->get_padding = get_pkcs_padding; 1089 break; 1090 #endif 1091 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 1092 case MBEDTLS_PADDING_ONE_AND_ZEROS: 1093 ctx->add_padding = add_one_and_zeros_padding; 1094 ctx->get_padding = get_one_and_zeros_padding; 1095 break; 1096 #endif 1097 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 1098 case MBEDTLS_PADDING_ZEROS_AND_LEN: 1099 ctx->add_padding = add_zeros_and_len_padding; 1100 ctx->get_padding = get_zeros_and_len_padding; 1101 break; 1102 #endif 1103 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1104 case MBEDTLS_PADDING_ZEROS: 1105 ctx->add_padding = add_zeros_padding; 1106 ctx->get_padding = get_zeros_padding; 1107 break; 1108 #endif 1109 case MBEDTLS_PADDING_NONE: 1110 ctx->add_padding = NULL; 1111 ctx->get_padding = get_no_padding; 1112 break; 1113 1114 default: 1115 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1116 } 1117 1118 return 0; 1119 } 1120 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1121 1122 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 1123 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx, 1124 unsigned char *tag, size_t tag_len) 1125 { 1126 if (ctx->cipher_info == NULL) { 1127 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1128 } 1129 1130 if (MBEDTLS_ENCRYPT != ctx->operation) { 1131 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1132 } 1133 1134 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1135 if (ctx->psa_enabled == 1) { 1136 /* While PSA Crypto has an API for multipart 1137 * operations, we currently don't make it 1138 * accessible through the cipher layer. */ 1139 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1140 } 1141 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1142 1143 #if defined(MBEDTLS_GCM_C) 1144 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) { 1145 size_t output_length; 1146 /* The code here doesn't yet support alternative implementations 1147 * that can delay up to a block of output. */ 1148 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx, 1149 NULL, 0, &output_length, 1150 tag, tag_len); 1151 } 1152 #endif 1153 1154 #if defined(MBEDTLS_CHACHAPOLY_C) 1155 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) { 1156 /* Don't allow truncated MAC for Poly1305 */ 1157 if (tag_len != 16U) { 1158 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1159 } 1160 1161 return mbedtls_chachapoly_finish( 1162 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag); 1163 } 1164 #endif 1165 1166 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1167 } 1168 1169 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx, 1170 const unsigned char *tag, size_t tag_len) 1171 { 1172 unsigned char check_tag[16]; 1173 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1174 1175 if (ctx->cipher_info == NULL) { 1176 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1177 } 1178 1179 if (MBEDTLS_DECRYPT != ctx->operation) { 1180 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1181 } 1182 1183 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1184 if (ctx->psa_enabled == 1) { 1185 /* While PSA Crypto has an API for multipart 1186 * operations, we currently don't make it 1187 * accessible through the cipher layer. */ 1188 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1189 } 1190 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1191 1192 /* Status to return on a non-authenticated algorithm. */ 1193 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1194 1195 #if defined(MBEDTLS_GCM_C) 1196 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) { 1197 size_t output_length; 1198 /* The code here doesn't yet support alternative implementations 1199 * that can delay up to a block of output. */ 1200 1201 if (tag_len > sizeof(check_tag)) { 1202 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1203 } 1204 1205 if (0 != (ret = mbedtls_gcm_finish( 1206 (mbedtls_gcm_context *) ctx->cipher_ctx, 1207 NULL, 0, &output_length, 1208 check_tag, tag_len))) { 1209 return ret; 1210 } 1211 1212 /* Check the tag in "constant-time" */ 1213 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1214 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1215 goto exit; 1216 } 1217 } 1218 #endif /* MBEDTLS_GCM_C */ 1219 1220 #if defined(MBEDTLS_CHACHAPOLY_C) 1221 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) { 1222 /* Don't allow truncated MAC for Poly1305 */ 1223 if (tag_len != sizeof(check_tag)) { 1224 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1225 } 1226 1227 ret = mbedtls_chachapoly_finish( 1228 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag); 1229 if (ret != 0) { 1230 return ret; 1231 } 1232 1233 /* Check the tag in "constant-time" */ 1234 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1235 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1236 goto exit; 1237 } 1238 } 1239 #endif /* MBEDTLS_CHACHAPOLY_C */ 1240 1241 exit: 1242 mbedtls_platform_zeroize(check_tag, tag_len); 1243 return ret; 1244 } 1245 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 1246 1247 /* 1248 * Packet-oriented wrapper for non-AEAD modes 1249 */ 1250 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, 1251 const unsigned char *iv, size_t iv_len, 1252 const unsigned char *input, size_t ilen, 1253 unsigned char *output, size_t *olen) 1254 { 1255 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1256 size_t finish_olen; 1257 1258 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1259 if (ctx->psa_enabled == 1) { 1260 /* As in the non-PSA case, we don't check that 1261 * a key has been set. If not, the key slot will 1262 * still be in its default state of 0, which is 1263 * guaranteed to be invalid, hence the PSA-call 1264 * below will gracefully fail. */ 1265 mbedtls_cipher_context_psa * const cipher_psa = 1266 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1267 1268 psa_status_t status; 1269 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; 1270 size_t part_len; 1271 1272 if (ctx->operation == MBEDTLS_DECRYPT) { 1273 status = psa_cipher_decrypt_setup(&cipher_op, 1274 cipher_psa->slot, 1275 cipher_psa->alg); 1276 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 1277 status = psa_cipher_encrypt_setup(&cipher_op, 1278 cipher_psa->slot, 1279 cipher_psa->alg); 1280 } else { 1281 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1282 } 1283 1284 /* In the following, we can immediately return on an error, 1285 * because the PSA Crypto API guarantees that cipher operations 1286 * are terminated by unsuccessful calls to psa_cipher_update(), 1287 * and by any call to psa_cipher_finish(). */ 1288 if (status != PSA_SUCCESS) { 1289 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1290 } 1291 1292 if (ctx->cipher_info->mode != MBEDTLS_MODE_ECB) { 1293 status = psa_cipher_set_iv(&cipher_op, iv, iv_len); 1294 if (status != PSA_SUCCESS) { 1295 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1296 } 1297 } 1298 1299 status = psa_cipher_update(&cipher_op, 1300 input, ilen, 1301 output, ilen, olen); 1302 if (status != PSA_SUCCESS) { 1303 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1304 } 1305 1306 status = psa_cipher_finish(&cipher_op, 1307 output + *olen, ilen - *olen, 1308 &part_len); 1309 if (status != PSA_SUCCESS) { 1310 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1311 } 1312 1313 *olen += part_len; 1314 return 0; 1315 } 1316 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1317 1318 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) { 1319 return ret; 1320 } 1321 1322 if ((ret = mbedtls_cipher_reset(ctx)) != 0) { 1323 return ret; 1324 } 1325 1326 if ((ret = mbedtls_cipher_update(ctx, input, ilen, 1327 output, olen)) != 0) { 1328 return ret; 1329 } 1330 1331 if ((ret = mbedtls_cipher_finish(ctx, output + *olen, 1332 &finish_olen)) != 0) { 1333 return ret; 1334 } 1335 1336 *olen += finish_olen; 1337 1338 return 0; 1339 } 1340 1341 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1342 /* 1343 * Packet-oriented encryption for AEAD modes: internal function used by 1344 * mbedtls_cipher_auth_encrypt_ext(). 1345 */ 1346 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx, 1347 const unsigned char *iv, size_t iv_len, 1348 const unsigned char *ad, size_t ad_len, 1349 const unsigned char *input, size_t ilen, 1350 unsigned char *output, size_t *olen, 1351 unsigned char *tag, size_t tag_len) 1352 { 1353 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1354 if (ctx->psa_enabled == 1) { 1355 /* As in the non-PSA case, we don't check that 1356 * a key has been set. If not, the key slot will 1357 * still be in its default state of 0, which is 1358 * guaranteed to be invalid, hence the PSA-call 1359 * below will gracefully fail. */ 1360 mbedtls_cipher_context_psa * const cipher_psa = 1361 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1362 1363 psa_status_t status; 1364 1365 /* PSA Crypto API always writes the authentication tag 1366 * at the end of the encrypted message. */ 1367 if (output == NULL || tag != output + ilen) { 1368 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1369 } 1370 1371 status = psa_aead_encrypt(cipher_psa->slot, 1372 cipher_psa->alg, 1373 iv, iv_len, 1374 ad, ad_len, 1375 input, ilen, 1376 output, ilen + tag_len, olen); 1377 if (status != PSA_SUCCESS) { 1378 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1379 } 1380 1381 *olen -= tag_len; 1382 return 0; 1383 } 1384 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1385 1386 #if defined(MBEDTLS_GCM_C) 1387 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) { 1388 *olen = ilen; 1389 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, 1390 ilen, iv, iv_len, ad, ad_len, 1391 input, output, tag_len, tag); 1392 } 1393 #endif /* MBEDTLS_GCM_C */ 1394 #if defined(MBEDTLS_CCM_C) 1395 if (MBEDTLS_MODE_CCM == ctx->cipher_info->mode) { 1396 *olen = ilen; 1397 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen, 1398 iv, iv_len, ad, ad_len, input, output, 1399 tag, tag_len); 1400 } 1401 #endif /* MBEDTLS_CCM_C */ 1402 #if defined(MBEDTLS_CHACHAPOLY_C) 1403 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) { 1404 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1405 if ((iv_len != ctx->cipher_info->iv_size) || 1406 (tag_len != 16U)) { 1407 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1408 } 1409 1410 *olen = ilen; 1411 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx, 1412 ilen, iv, ad, ad_len, input, output, tag); 1413 } 1414 #endif /* MBEDTLS_CHACHAPOLY_C */ 1415 1416 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1417 } 1418 1419 /* 1420 * Packet-oriented encryption for AEAD modes: internal function used by 1421 * mbedtls_cipher_auth_encrypt_ext(). 1422 */ 1423 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx, 1424 const unsigned char *iv, size_t iv_len, 1425 const unsigned char *ad, size_t ad_len, 1426 const unsigned char *input, size_t ilen, 1427 unsigned char *output, size_t *olen, 1428 const unsigned char *tag, size_t tag_len) 1429 { 1430 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1431 if (ctx->psa_enabled == 1) { 1432 /* As in the non-PSA case, we don't check that 1433 * a key has been set. If not, the key slot will 1434 * still be in its default state of 0, which is 1435 * guaranteed to be invalid, hence the PSA-call 1436 * below will gracefully fail. */ 1437 mbedtls_cipher_context_psa * const cipher_psa = 1438 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1439 1440 psa_status_t status; 1441 1442 /* PSA Crypto API always writes the authentication tag 1443 * at the end of the encrypted message. */ 1444 if (input == NULL || tag != input + ilen) { 1445 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1446 } 1447 1448 status = psa_aead_decrypt(cipher_psa->slot, 1449 cipher_psa->alg, 1450 iv, iv_len, 1451 ad, ad_len, 1452 input, ilen + tag_len, 1453 output, ilen, olen); 1454 if (status == PSA_ERROR_INVALID_SIGNATURE) { 1455 return MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1456 } else if (status != PSA_SUCCESS) { 1457 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1458 } 1459 1460 return 0; 1461 } 1462 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1463 1464 #if defined(MBEDTLS_GCM_C) 1465 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) { 1466 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1467 1468 *olen = ilen; 1469 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen, 1470 iv, iv_len, ad, ad_len, 1471 tag, tag_len, input, output); 1472 1473 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) { 1474 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1475 } 1476 1477 return ret; 1478 } 1479 #endif /* MBEDTLS_GCM_C */ 1480 #if defined(MBEDTLS_CCM_C) 1481 if (MBEDTLS_MODE_CCM == ctx->cipher_info->mode) { 1482 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1483 1484 *olen = ilen; 1485 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen, 1486 iv, iv_len, ad, ad_len, 1487 input, output, tag, tag_len); 1488 1489 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) { 1490 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1491 } 1492 1493 return ret; 1494 } 1495 #endif /* MBEDTLS_CCM_C */ 1496 #if defined(MBEDTLS_CHACHAPOLY_C) 1497 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) { 1498 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1499 1500 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1501 if ((iv_len != ctx->cipher_info->iv_size) || 1502 (tag_len != 16U)) { 1503 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1504 } 1505 1506 *olen = ilen; 1507 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen, 1508 iv, ad, ad_len, tag, input, output); 1509 1510 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) { 1511 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1512 } 1513 1514 return ret; 1515 } 1516 #endif /* MBEDTLS_CHACHAPOLY_C */ 1517 1518 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1519 } 1520 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1521 1522 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) 1523 /* 1524 * Packet-oriented encryption for AEAD/NIST_KW: public function. 1525 */ 1526 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx, 1527 const unsigned char *iv, size_t iv_len, 1528 const unsigned char *ad, size_t ad_len, 1529 const unsigned char *input, size_t ilen, 1530 unsigned char *output, size_t output_len, 1531 size_t *olen, size_t tag_len) 1532 { 1533 #if defined(MBEDTLS_NIST_KW_C) 1534 if ( 1535 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1536 ctx->psa_enabled == 0 && 1537 #endif 1538 (MBEDTLS_MODE_KW == ctx->cipher_info->mode || 1539 MBEDTLS_MODE_KWP == ctx->cipher_info->mode)) { 1540 mbedtls_nist_kw_mode_t mode = (MBEDTLS_MODE_KW == ctx->cipher_info->mode) ? 1541 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1542 1543 /* There is no iv, tag or ad associated with KW and KWP, 1544 * so these length should be 0 as documented. */ 1545 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1546 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1547 } 1548 1549 (void) iv; 1550 (void) ad; 1551 1552 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen, 1553 output, olen, output_len); 1554 } 1555 #endif /* MBEDTLS_NIST_KW_C */ 1556 1557 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1558 /* AEAD case: check length before passing on to shared function */ 1559 if (output_len < ilen + tag_len) { 1560 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1561 } 1562 1563 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len, 1564 input, ilen, output, olen, 1565 output + ilen, tag_len); 1566 *olen += tag_len; 1567 return ret; 1568 #else 1569 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1570 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1571 } 1572 1573 /* 1574 * Packet-oriented decryption for AEAD/NIST_KW: public function. 1575 */ 1576 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx, 1577 const unsigned char *iv, size_t iv_len, 1578 const unsigned char *ad, size_t ad_len, 1579 const unsigned char *input, size_t ilen, 1580 unsigned char *output, size_t output_len, 1581 size_t *olen, size_t tag_len) 1582 { 1583 #if defined(MBEDTLS_NIST_KW_C) 1584 if ( 1585 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1586 ctx->psa_enabled == 0 && 1587 #endif 1588 (MBEDTLS_MODE_KW == ctx->cipher_info->mode || 1589 MBEDTLS_MODE_KWP == ctx->cipher_info->mode)) { 1590 mbedtls_nist_kw_mode_t mode = (MBEDTLS_MODE_KW == ctx->cipher_info->mode) ? 1591 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1592 1593 /* There is no iv, tag or ad associated with KW and KWP, 1594 * so these length should be 0 as documented. */ 1595 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1596 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1597 } 1598 1599 (void) iv; 1600 (void) ad; 1601 1602 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen, 1603 output, olen, output_len); 1604 } 1605 #endif /* MBEDTLS_NIST_KW_C */ 1606 1607 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1608 /* AEAD case: check length before passing on to shared function */ 1609 if (ilen < tag_len || output_len < ilen - tag_len) { 1610 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1611 } 1612 1613 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len, 1614 input, ilen - tag_len, output, olen, 1615 input + ilen - tag_len, tag_len); 1616 #else 1617 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1618 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1619 } 1620 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ 1621 1622 #endif /* MBEDTLS_CIPHER_C */ 1623