1 /** 2 * \file cipher.c 3 * 4 * \brief Generic cipher wrapper for Mbed TLS 5 * 6 * \author Adriaan de Jong <dejong@fox-it.com> 7 * 8 * Copyright The Mbed TLS Contributors 9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 10 */ 11 12 #include "common.h" 13 14 #if defined(MBEDTLS_CIPHER_C) 15 16 #include "mbedtls/cipher.h" 17 #include "cipher_invasive.h" 18 #include "cipher_wrap.h" 19 #include "mbedtls/platform_util.h" 20 #include "mbedtls/error.h" 21 #include "mbedtls/constant_time.h" 22 #include "constant_time_internal.h" 23 24 #include <stdlib.h> 25 #include <string.h> 26 27 #if defined(MBEDTLS_CHACHAPOLY_C) 28 #include "mbedtls/chachapoly.h" 29 #endif 30 31 #if defined(MBEDTLS_GCM_C) 32 #include "mbedtls/gcm.h" 33 #endif 34 35 #if defined(MBEDTLS_CCM_C) 36 #include "mbedtls/ccm.h" 37 #endif 38 39 #if defined(MBEDTLS_CHACHA20_C) 40 #include "mbedtls/chacha20.h" 41 #endif 42 43 #if defined(MBEDTLS_CMAC_C) 44 #include "mbedtls/cmac.h" 45 #endif 46 47 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 48 #include "psa/crypto.h" 49 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 50 51 #if defined(MBEDTLS_NIST_KW_C) 52 #include "mbedtls/nist_kw.h" 53 #endif 54 55 #include "mbedtls/platform.h" 56 57 static int supported_init = 0; 58 59 static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base( 60 const mbedtls_cipher_info_t *info) 61 { 62 return mbedtls_cipher_base_lookup_table[info->base_idx]; 63 } 64 65 const int *mbedtls_cipher_list(void) 66 { 67 const mbedtls_cipher_definition_t *def; 68 int *type; 69 70 if (!supported_init) { 71 def = mbedtls_cipher_definitions; 72 type = mbedtls_cipher_supported; 73 74 while (def->type != 0) { 75 *type++ = (*def++).type; 76 } 77 78 *type = 0; 79 80 supported_init = 1; 81 } 82 83 return mbedtls_cipher_supported; 84 } 85 86 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( 87 const mbedtls_cipher_type_t cipher_type) 88 { 89 const mbedtls_cipher_definition_t *def; 90 91 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 92 if (def->type == cipher_type) { 93 return def->info; 94 } 95 } 96 97 return NULL; 98 } 99 100 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( 101 const char *cipher_name) 102 { 103 const mbedtls_cipher_definition_t *def; 104 105 if (NULL == cipher_name) { 106 return NULL; 107 } 108 109 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 110 if (!strcmp(def->info->name, cipher_name)) { 111 return def->info; 112 } 113 } 114 115 return NULL; 116 } 117 118 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( 119 const mbedtls_cipher_id_t cipher_id, 120 int key_bitlen, 121 const mbedtls_cipher_mode_t mode) 122 { 123 const mbedtls_cipher_definition_t *def; 124 125 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 126 if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id && 127 mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen && 128 def->info->mode == mode) { 129 return def->info; 130 } 131 } 132 133 return NULL; 134 } 135 136 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 137 static inline psa_key_type_t mbedtls_psa_translate_cipher_type( 138 mbedtls_cipher_type_t cipher) 139 { 140 switch (cipher) { 141 case MBEDTLS_CIPHER_AES_128_CCM: 142 case MBEDTLS_CIPHER_AES_192_CCM: 143 case MBEDTLS_CIPHER_AES_256_CCM: 144 case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG: 145 case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG: 146 case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG: 147 case MBEDTLS_CIPHER_AES_128_GCM: 148 case MBEDTLS_CIPHER_AES_192_GCM: 149 case MBEDTLS_CIPHER_AES_256_GCM: 150 case MBEDTLS_CIPHER_AES_128_CBC: 151 case MBEDTLS_CIPHER_AES_192_CBC: 152 case MBEDTLS_CIPHER_AES_256_CBC: 153 case MBEDTLS_CIPHER_AES_128_ECB: 154 case MBEDTLS_CIPHER_AES_192_ECB: 155 case MBEDTLS_CIPHER_AES_256_ECB: 156 return PSA_KEY_TYPE_AES; 157 158 /* ARIA not yet supported in PSA. */ 159 /* case MBEDTLS_CIPHER_ARIA_128_CCM: 160 case MBEDTLS_CIPHER_ARIA_192_CCM: 161 case MBEDTLS_CIPHER_ARIA_256_CCM: 162 case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG: 163 case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG: 164 case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG: 165 case MBEDTLS_CIPHER_ARIA_128_GCM: 166 case MBEDTLS_CIPHER_ARIA_192_GCM: 167 case MBEDTLS_CIPHER_ARIA_256_GCM: 168 case MBEDTLS_CIPHER_ARIA_128_CBC: 169 case MBEDTLS_CIPHER_ARIA_192_CBC: 170 case MBEDTLS_CIPHER_ARIA_256_CBC: 171 return( PSA_KEY_TYPE_ARIA ); */ 172 173 default: 174 return 0; 175 } 176 } 177 178 static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode( 179 mbedtls_cipher_mode_t mode, size_t taglen) 180 { 181 switch (mode) { 182 case MBEDTLS_MODE_ECB: 183 return PSA_ALG_ECB_NO_PADDING; 184 case MBEDTLS_MODE_GCM: 185 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen); 186 case MBEDTLS_MODE_CCM: 187 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen); 188 case MBEDTLS_MODE_CCM_STAR_NO_TAG: 189 return PSA_ALG_CCM_STAR_NO_TAG; 190 case MBEDTLS_MODE_CBC: 191 if (taglen == 0) { 192 return PSA_ALG_CBC_NO_PADDING; 193 } else { 194 return 0; 195 } 196 default: 197 return 0; 198 } 199 } 200 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 201 202 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx) 203 { 204 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 205 } 206 207 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx) 208 { 209 if (ctx == NULL) { 210 return; 211 } 212 213 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 214 if (ctx->psa_enabled == 1) { 215 if (ctx->cipher_ctx != NULL) { 216 mbedtls_cipher_context_psa * const cipher_psa = 217 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 218 219 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) { 220 /* xxx_free() doesn't allow to return failures. */ 221 (void) psa_destroy_key(cipher_psa->slot); 222 } 223 224 mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa)); 225 } 226 227 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 228 return; 229 } 230 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 231 232 #if defined(MBEDTLS_CMAC_C) 233 if (ctx->cmac_ctx) { 234 mbedtls_zeroize_and_free(ctx->cmac_ctx, 235 sizeof(mbedtls_cmac_context_t)); 236 } 237 #endif 238 239 if (ctx->cipher_ctx) { 240 mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx); 241 } 242 243 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 244 } 245 246 int mbedtls_cipher_clone(mbedtls_cipher_context_t *dst, 247 const mbedtls_cipher_context_t *src) 248 { 249 if (dst == NULL || dst->cipher_info == NULL || 250 src == NULL || src->cipher_info == NULL) { 251 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 252 } 253 254 dst->cipher_info = src->cipher_info; 255 dst->key_bitlen = src->key_bitlen; 256 dst->operation = src->operation; 257 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 258 dst->add_padding = src->add_padding; 259 dst->get_padding = src->get_padding; 260 #endif 261 memcpy(dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH); 262 dst->unprocessed_len = src->unprocessed_len; 263 memcpy(dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH); 264 dst->iv_size = src->iv_size; 265 if (mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func) 266 mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func(dst->cipher_ctx, src->cipher_ctx); 267 268 #if defined(MBEDTLS_CMAC_C) 269 if (dst->cmac_ctx != NULL && src->cmac_ctx != NULL) 270 memcpy(dst->cmac_ctx, src->cmac_ctx, sizeof(mbedtls_cmac_context_t)); 271 #endif 272 return 0; 273 } 274 275 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, 276 const mbedtls_cipher_info_t *cipher_info) 277 { 278 if (cipher_info == NULL) { 279 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 280 } 281 282 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 283 284 if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) { 285 ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func(); 286 if (ctx->cipher_ctx == NULL) { 287 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 288 } 289 } 290 291 ctx->cipher_info = cipher_info; 292 293 return 0; 294 } 295 296 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 297 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx, 298 const mbedtls_cipher_info_t *cipher_info, 299 size_t taglen) 300 { 301 psa_algorithm_t alg; 302 mbedtls_cipher_context_psa *cipher_psa; 303 304 if (NULL == cipher_info || NULL == ctx) { 305 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 306 } 307 308 /* Check that the underlying cipher mode and cipher type are 309 * supported by the underlying PSA Crypto implementation. */ 310 alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen); 311 if (alg == 0) { 312 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 313 } 314 if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) { 315 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 316 } 317 318 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 319 320 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa)); 321 if (cipher_psa == NULL) { 322 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 323 } 324 cipher_psa->alg = alg; 325 ctx->cipher_ctx = cipher_psa; 326 ctx->cipher_info = cipher_info; 327 ctx->psa_enabled = 1; 328 return 0; 329 } 330 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 331 332 int mbedtls_cipher_setup_info(mbedtls_cipher_context_t *ctx, 333 const mbedtls_cipher_info_t *cipher_info ) 334 { 335 if (NULL == cipher_info || NULL == ctx) 336 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 337 338 ctx->cipher_info = cipher_info; 339 return 0; 340 } 341 342 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, 343 const unsigned char *key, 344 int key_bitlen, 345 const mbedtls_operation_t operation) 346 { 347 if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) { 348 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 349 } 350 if (ctx->cipher_info == NULL) { 351 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 352 } 353 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 354 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) && 355 MBEDTLS_DECRYPT == operation) { 356 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 357 } 358 #endif 359 360 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 361 if (ctx->psa_enabled == 1) { 362 mbedtls_cipher_context_psa * const cipher_psa = 363 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 364 365 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8; 366 367 psa_status_t status; 368 psa_key_type_t key_type; 369 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 370 371 /* PSA Crypto API only accepts byte-aligned keys. */ 372 if (key_bitlen % 8 != 0) { 373 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 374 } 375 376 /* Don't allow keys to be set multiple times. */ 377 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) { 378 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 379 } 380 381 key_type = mbedtls_psa_translate_cipher_type( 382 ((mbedtls_cipher_type_t) ctx->cipher_info->type)); 383 if (key_type == 0) { 384 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 385 } 386 psa_set_key_type(&attributes, key_type); 387 388 /* Mbed TLS' cipher layer doesn't enforce the mode of operation 389 * (encrypt vs. decrypt): it is possible to setup a key for encryption 390 * and use it for AEAD decryption. Until tests relying on this 391 * are changed, allow any usage in PSA. */ 392 psa_set_key_usage_flags(&attributes, 393 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 394 psa_set_key_algorithm(&attributes, cipher_psa->alg); 395 396 status = psa_import_key(&attributes, key, key_bytelen, 397 &cipher_psa->slot); 398 switch (status) { 399 case PSA_SUCCESS: 400 break; 401 case PSA_ERROR_INSUFFICIENT_MEMORY: 402 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 403 case PSA_ERROR_NOT_SUPPORTED: 404 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 405 default: 406 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 407 } 408 /* Indicate that we own the key slot and need to 409 * destroy it in mbedtls_cipher_free(). */ 410 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED; 411 412 ctx->key_bitlen = key_bitlen; 413 ctx->operation = operation; 414 return 0; 415 } 416 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 417 418 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 && 419 (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) { 420 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 421 } 422 423 ctx->key_bitlen = key_bitlen; 424 ctx->operation = operation; 425 426 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 427 /* 428 * For OFB, CFB and CTR mode always use the encryption key schedule 429 */ 430 if (MBEDTLS_ENCRYPT == operation || 431 MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 432 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 433 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 434 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, 435 ctx->key_bitlen); 436 } 437 438 if (MBEDTLS_DECRYPT == operation) { 439 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key, 440 ctx->key_bitlen); 441 } 442 #else 443 if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) { 444 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, 445 ctx->key_bitlen); 446 } 447 #endif 448 449 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 450 } 451 452 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx, 453 const unsigned char *iv, 454 size_t iv_len) 455 { 456 size_t actual_iv_size; 457 458 if (ctx->cipher_info == NULL) { 459 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 460 } 461 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 462 if (ctx->psa_enabled == 1) { 463 /* While PSA Crypto has an API for multipart 464 * operations, we currently don't make it 465 * accessible through the cipher layer. */ 466 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 467 } 468 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 469 470 /* avoid buffer overflow in ctx->iv */ 471 if (iv_len > MBEDTLS_MAX_IV_LENGTH) { 472 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 473 } 474 475 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) { 476 actual_iv_size = iv_len; 477 } else { 478 actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info); 479 480 /* avoid reading past the end of input buffer */ 481 if (actual_iv_size > iv_len) { 482 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 483 } 484 } 485 486 #if defined(MBEDTLS_CHACHA20_C) 487 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) { 488 /* Even though the actual_iv_size is overwritten with a correct value 489 * of 12 from the cipher info, return an error to indicate that 490 * the input iv_len is wrong. */ 491 if (iv_len != 12) { 492 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 493 } 494 495 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx, 496 iv, 497 0U)) { /* Initial counter value */ 498 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 499 } 500 } 501 #if defined(MBEDTLS_CHACHAPOLY_C) 502 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 && 503 iv_len != 12) { 504 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 505 } 506 #endif 507 #endif 508 509 #if defined(MBEDTLS_GCM_C) 510 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 511 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, 512 ctx->operation, 513 iv, iv_len); 514 } 515 #endif 516 517 #if defined(MBEDTLS_CCM_C) 518 if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 519 int set_lengths_result; 520 int ccm_star_mode; 521 522 set_lengths_result = mbedtls_ccm_set_lengths( 523 (mbedtls_ccm_context *) ctx->cipher_ctx, 524 0, 0, 0); 525 if (set_lengths_result != 0) { 526 return set_lengths_result; 527 } 528 529 if (ctx->operation == MBEDTLS_DECRYPT) { 530 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT; 531 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 532 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT; 533 } else { 534 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 535 } 536 537 return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx, 538 ccm_star_mode, 539 iv, iv_len); 540 } 541 #endif 542 543 if (actual_iv_size != 0) { 544 memcpy(ctx->iv, iv, actual_iv_size); 545 ctx->iv_size = actual_iv_size; 546 } 547 548 return 0; 549 } 550 551 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx) 552 { 553 if (ctx->cipher_info == NULL) { 554 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 555 } 556 557 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 558 if (ctx->psa_enabled == 1) { 559 /* We don't support resetting PSA-based 560 * cipher contexts, yet. */ 561 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 562 } 563 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 564 565 ctx->unprocessed_len = 0; 566 567 return 0; 568 } 569 570 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 571 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx, 572 const unsigned char *ad, size_t ad_len) 573 { 574 if (ctx->cipher_info == NULL) { 575 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 576 } 577 578 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 579 if (ctx->psa_enabled == 1) { 580 /* While PSA Crypto has an API for multipart 581 * operations, we currently don't make it 582 * accessible through the cipher layer. */ 583 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 584 } 585 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 586 587 #if defined(MBEDTLS_GCM_C) 588 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 589 return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx, 590 ad, ad_len); 591 } 592 #endif 593 594 #if defined(MBEDTLS_CHACHAPOLY_C) 595 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 596 int result; 597 mbedtls_chachapoly_mode_t mode; 598 599 mode = (ctx->operation == MBEDTLS_ENCRYPT) 600 ? MBEDTLS_CHACHAPOLY_ENCRYPT 601 : MBEDTLS_CHACHAPOLY_DECRYPT; 602 603 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx, 604 ctx->iv, 605 mode); 606 if (result != 0) { 607 return result; 608 } 609 610 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx, 611 ad, ad_len); 612 } 613 #endif 614 615 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 616 } 617 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 618 619 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, 620 size_t ilen, unsigned char *output, size_t *olen) 621 { 622 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 623 size_t block_size; 624 625 if (ctx->cipher_info == NULL) { 626 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 627 } 628 629 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 630 if (ctx->psa_enabled == 1) { 631 /* While PSA Crypto has an API for multipart 632 * operations, we currently don't make it 633 * accessible through the cipher layer. */ 634 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 635 } 636 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 637 638 *olen = 0; 639 block_size = mbedtls_cipher_get_block_size(ctx); 640 if (0 == block_size) { 641 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; 642 } 643 644 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) { 645 if (ilen != block_size) { 646 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 647 } 648 649 *olen = ilen; 650 651 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx, 652 ctx->operation, input, 653 output))) { 654 return ret; 655 } 656 657 return 0; 658 } 659 660 #if defined(MBEDTLS_GCM_C) 661 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) { 662 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, 663 input, ilen, 664 output, ilen, olen); 665 } 666 #endif 667 668 #if defined(MBEDTLS_CCM_C) 669 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) { 670 return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx, 671 input, ilen, 672 output, ilen, olen); 673 } 674 #endif 675 676 #if defined(MBEDTLS_CHACHAPOLY_C) 677 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) { 678 *olen = ilen; 679 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx, 680 ilen, input, output); 681 } 682 #endif 683 684 if (input == output && 685 (ctx->unprocessed_len != 0 || ilen % block_size)) { 686 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 687 } 688 689 #if defined(MBEDTLS_CIPHER_MODE_CBC) 690 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) { 691 size_t copy_len = 0; 692 693 /* 694 * If there is not enough data for a full block, cache it. 695 */ 696 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 697 ilen <= block_size - ctx->unprocessed_len) || 698 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 699 ilen < block_size - ctx->unprocessed_len) || 700 (ctx->operation == MBEDTLS_ENCRYPT && 701 ilen < block_size - ctx->unprocessed_len)) { 702 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 703 ilen); 704 705 ctx->unprocessed_len += ilen; 706 return 0; 707 } 708 709 /* 710 * Process cached data first 711 */ 712 if (0 != ctx->unprocessed_len) { 713 copy_len = block_size - ctx->unprocessed_len; 714 715 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 716 copy_len); 717 718 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 719 ctx->operation, 720 block_size, ctx->iv, 721 ctx-> 722 unprocessed_data, 723 output))) { 724 return ret; 725 } 726 727 *olen += block_size; 728 output += block_size; 729 ctx->unprocessed_len = 0; 730 731 input += copy_len; 732 ilen -= copy_len; 733 } 734 735 /* 736 * Cache final, incomplete block 737 */ 738 if (0 != ilen) { 739 /* Encryption: only cache partial blocks 740 * Decryption w/ padding: always keep at least one whole block 741 * Decryption w/o padding: only cache partial blocks 742 */ 743 copy_len = ilen % block_size; 744 if (copy_len == 0 && 745 ctx->operation == MBEDTLS_DECRYPT && 746 NULL != ctx->add_padding) { 747 copy_len = block_size; 748 } 749 750 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]), 751 copy_len); 752 753 ctx->unprocessed_len += copy_len; 754 ilen -= copy_len; 755 } 756 757 /* 758 * Process remaining full blocks 759 */ 760 if (ilen) { 761 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 762 ctx->operation, 763 ilen, ctx->iv, 764 input, 765 output))) { 766 return ret; 767 } 768 769 *olen += ilen; 770 } 771 772 return 0; 773 } 774 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 775 776 #if defined(MBEDTLS_CIPHER_MODE_CFB) 777 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) { 778 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx, 779 ctx->operation, ilen, 780 &ctx->unprocessed_len, 781 ctx->iv, 782 input, output))) { 783 return ret; 784 } 785 786 *olen = ilen; 787 788 return 0; 789 } 790 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 791 792 #if defined(MBEDTLS_CIPHER_MODE_OFB) 793 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) { 794 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx, 795 ilen, 796 &ctx->unprocessed_len, 797 ctx->iv, 798 input, output))) { 799 return ret; 800 } 801 802 *olen = ilen; 803 804 return 0; 805 } 806 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 807 808 #if defined(MBEDTLS_CIPHER_MODE_CTR) 809 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) { 810 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx, 811 ilen, 812 &ctx->unprocessed_len, 813 ctx->iv, 814 ctx->unprocessed_data, 815 input, output))) { 816 return ret; 817 } 818 819 *olen = ilen; 820 821 return 0; 822 } 823 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 824 825 #if defined(MBEDTLS_CIPHER_MODE_XTS) 826 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) { 827 if (ctx->unprocessed_len > 0) { 828 /* We can only process an entire data unit at a time. */ 829 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 830 } 831 832 ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx, 833 ctx->operation, 834 ilen, 835 ctx->iv, 836 input, 837 output); 838 if (ret != 0) { 839 return ret; 840 } 841 842 *olen = ilen; 843 844 return 0; 845 } 846 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 847 848 #if defined(MBEDTLS_CIPHER_MODE_STREAM) 849 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) { 850 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx, 851 ilen, input, 852 output))) { 853 return ret; 854 } 855 856 *olen = ilen; 857 858 return 0; 859 } 860 #endif /* MBEDTLS_CIPHER_MODE_STREAM */ 861 862 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 863 } 864 865 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 866 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 867 /* 868 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 869 */ 870 static void add_pkcs_padding(unsigned char *output, size_t output_len, 871 size_t data_len) 872 { 873 size_t padding_len = output_len - data_len; 874 unsigned char i; 875 876 for (i = 0; i < padding_len; i++) { 877 output[data_len + i] = (unsigned char) padding_len; 878 } 879 } 880 881 /* 882 * Get the length of the PKCS7 padding. 883 * 884 * Note: input_len must be the block size of the cipher. 885 */ 886 MBEDTLS_STATIC_TESTABLE int mbedtls_get_pkcs_padding(unsigned char *input, 887 size_t input_len, 888 size_t *data_len) 889 { 890 size_t i, pad_idx; 891 unsigned char padding_len; 892 893 if (NULL == input || NULL == data_len) { 894 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 895 } 896 897 padding_len = input[input_len - 1]; 898 899 mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len); 900 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); 901 902 /* The number of bytes checked must be independent of padding_len, 903 * so pick input_len, which is usually 8 or 16 (one block) */ 904 pad_idx = input_len - padding_len; 905 for (i = 0; i < input_len; i++) { 906 mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx); 907 mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len); 908 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different)); 909 } 910 911 /* If the padding is invalid, set the output length to 0 */ 912 *data_len = mbedtls_ct_if(bad, 0, input_len - padding_len); 913 914 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 915 } 916 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 917 918 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 919 /* 920 * One and zeros padding: fill with 80 00 ... 00 921 */ 922 static void add_one_and_zeros_padding(unsigned char *output, 923 size_t output_len, size_t data_len) 924 { 925 size_t padding_len = output_len - data_len; 926 unsigned char i = 0; 927 928 output[data_len] = 0x80; 929 for (i = 1; i < padding_len; i++) { 930 output[data_len + i] = 0x00; 931 } 932 } 933 934 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len, 935 size_t *data_len) 936 { 937 if (NULL == input || NULL == data_len) { 938 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 939 } 940 941 mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE; 942 mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE; 943 944 *data_len = 0; 945 946 for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) { 947 mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]); 948 949 mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding); 950 951 *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len); 952 953 bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad); 954 955 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero)); 956 } 957 958 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 959 } 960 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 961 962 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 963 /* 964 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 965 */ 966 static void add_zeros_and_len_padding(unsigned char *output, 967 size_t output_len, size_t data_len) 968 { 969 size_t padding_len = output_len - data_len; 970 unsigned char i = 0; 971 972 for (i = 1; i < padding_len; i++) { 973 output[data_len + i - 1] = 0x00; 974 } 975 output[output_len - 1] = (unsigned char) padding_len; 976 } 977 978 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len, 979 size_t *data_len) 980 { 981 size_t i, pad_idx; 982 unsigned char padding_len; 983 mbedtls_ct_condition_t bad; 984 985 if (NULL == input || NULL == data_len) { 986 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 987 } 988 989 padding_len = input[input_len - 1]; 990 *data_len = input_len - padding_len; 991 992 /* Avoid logical || since it results in a branch */ 993 bad = mbedtls_ct_uint_gt(padding_len, input_len); 994 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); 995 996 /* The number of bytes checked must be independent of padding_len */ 997 pad_idx = input_len - padding_len; 998 for (i = 0; i < input_len - 1; i++) { 999 mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx); 1000 mbedtls_ct_condition_t nonzero_pad_byte; 1001 nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i])); 1002 bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte); 1003 } 1004 1005 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 1006 } 1007 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 1008 1009 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1010 /* 1011 * Zero padding: fill with 00 ... 00 1012 */ 1013 static void add_zeros_padding(unsigned char *output, 1014 size_t output_len, size_t data_len) 1015 { 1016 memset(output + data_len, 0, output_len - data_len); 1017 } 1018 1019 static int get_zeros_padding(unsigned char *input, size_t input_len, 1020 size_t *data_len) 1021 { 1022 size_t i; 1023 mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done; 1024 1025 if (NULL == input || NULL == data_len) { 1026 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1027 } 1028 1029 *data_len = 0; 1030 for (i = input_len; i > 0; i--) { 1031 prev_done = done; 1032 done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0)); 1033 *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len); 1034 } 1035 1036 return 0; 1037 } 1038 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 1039 1040 /* 1041 * No padding: don't pad :) 1042 * 1043 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 1044 * but a trivial get_padding function 1045 */ 1046 static int get_no_padding(unsigned char *input, size_t input_len, 1047 size_t *data_len) 1048 { 1049 if (NULL == input || NULL == data_len) { 1050 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1051 } 1052 1053 *data_len = input_len; 1054 1055 return 0; 1056 } 1057 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1058 1059 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx, 1060 unsigned char *output, size_t *olen) 1061 { 1062 if (ctx->cipher_info == NULL) { 1063 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1064 } 1065 1066 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1067 if (ctx->psa_enabled == 1) { 1068 /* While PSA Crypto has an API for multipart 1069 * operations, we currently don't make it 1070 * accessible through the cipher layer. */ 1071 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1072 } 1073 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1074 1075 *olen = 0; 1076 1077 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1078 /* CBC mode requires padding so we make sure a call to 1079 * mbedtls_cipher_set_padding_mode has been done successfully. */ 1080 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1081 if (ctx->get_padding == NULL) { 1082 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1083 } 1084 } 1085 #endif 1086 1087 if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1088 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1089 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1090 MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1091 MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1092 MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1093 MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1094 return 0; 1095 } 1096 1097 if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) || 1098 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) { 1099 return 0; 1100 } 1101 1102 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1103 if (ctx->unprocessed_len != 0) { 1104 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1105 } 1106 1107 return 0; 1108 } 1109 1110 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1111 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1112 int ret = 0; 1113 1114 if (MBEDTLS_ENCRYPT == ctx->operation) { 1115 /* check for 'no padding' mode */ 1116 if (NULL == ctx->add_padding) { 1117 if (0 != ctx->unprocessed_len) { 1118 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1119 } 1120 1121 return 0; 1122 } 1123 1124 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx), 1125 ctx->unprocessed_len); 1126 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) { 1127 /* 1128 * For decrypt operations, expect a full block, 1129 * or an empty block if no padding 1130 */ 1131 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) { 1132 return 0; 1133 } 1134 1135 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1136 } 1137 1138 /* cipher block */ 1139 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 1140 ctx->operation, 1141 mbedtls_cipher_get_block_size( 1142 ctx), 1143 ctx->iv, 1144 ctx->unprocessed_data, 1145 output))) { 1146 return ret; 1147 } 1148 1149 /* Set output size for decryption */ 1150 if (MBEDTLS_DECRYPT == ctx->operation) { 1151 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx), 1152 olen); 1153 } 1154 1155 /* Set output size for encryption */ 1156 *olen = mbedtls_cipher_get_block_size(ctx); 1157 return 0; 1158 } 1159 #else 1160 ((void) output); 1161 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1162 1163 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1164 } 1165 1166 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1167 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, 1168 mbedtls_cipher_padding_t mode) 1169 { 1170 if (NULL == ctx->cipher_info || 1171 MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1172 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1173 } 1174 1175 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1176 if (ctx->psa_enabled == 1) { 1177 /* While PSA Crypto knows about CBC padding 1178 * schemes, we currently don't make them 1179 * accessible through the cipher layer. */ 1180 if (mode != MBEDTLS_PADDING_NONE) { 1181 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1182 } 1183 1184 return 0; 1185 } 1186 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1187 1188 switch (mode) { 1189 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 1190 case MBEDTLS_PADDING_PKCS7: 1191 ctx->add_padding = add_pkcs_padding; 1192 ctx->get_padding = mbedtls_get_pkcs_padding; 1193 break; 1194 #endif 1195 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 1196 case MBEDTLS_PADDING_ONE_AND_ZEROS: 1197 ctx->add_padding = add_one_and_zeros_padding; 1198 ctx->get_padding = get_one_and_zeros_padding; 1199 break; 1200 #endif 1201 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 1202 case MBEDTLS_PADDING_ZEROS_AND_LEN: 1203 ctx->add_padding = add_zeros_and_len_padding; 1204 ctx->get_padding = get_zeros_and_len_padding; 1205 break; 1206 #endif 1207 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1208 case MBEDTLS_PADDING_ZEROS: 1209 ctx->add_padding = add_zeros_padding; 1210 ctx->get_padding = get_zeros_padding; 1211 break; 1212 #endif 1213 case MBEDTLS_PADDING_NONE: 1214 ctx->add_padding = NULL; 1215 ctx->get_padding = get_no_padding; 1216 break; 1217 1218 default: 1219 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1220 } 1221 1222 return 0; 1223 } 1224 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1225 1226 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 1227 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx, 1228 unsigned char *tag, size_t tag_len) 1229 { 1230 if (ctx->cipher_info == NULL) { 1231 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1232 } 1233 1234 if (MBEDTLS_ENCRYPT != ctx->operation) { 1235 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1236 } 1237 1238 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1239 if (ctx->psa_enabled == 1) { 1240 /* While PSA Crypto has an API for multipart 1241 * operations, we currently don't make it 1242 * accessible through the cipher layer. */ 1243 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1244 } 1245 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1246 1247 #if defined(MBEDTLS_GCM_C) 1248 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1249 size_t output_length; 1250 /* The code here doesn't yet support alternative implementations 1251 * that can delay up to a block of output. */ 1252 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx, 1253 NULL, 0, &output_length, 1254 tag, tag_len); 1255 } 1256 #endif 1257 1258 #if defined(MBEDTLS_CHACHAPOLY_C) 1259 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1260 /* Don't allow truncated MAC for Poly1305 */ 1261 if (tag_len != 16U) { 1262 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1263 } 1264 1265 return mbedtls_chachapoly_finish( 1266 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag); 1267 } 1268 #endif 1269 1270 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1271 } 1272 1273 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx, 1274 const unsigned char *tag, size_t tag_len) 1275 { 1276 unsigned char check_tag[16]; 1277 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1278 1279 if (ctx->cipher_info == NULL) { 1280 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1281 } 1282 1283 if (MBEDTLS_DECRYPT != ctx->operation) { 1284 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1285 } 1286 1287 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1288 if (ctx->psa_enabled == 1) { 1289 /* While PSA Crypto has an API for multipart 1290 * operations, we currently don't make it 1291 * accessible through the cipher layer. */ 1292 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1293 } 1294 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1295 1296 /* Status to return on a non-authenticated algorithm. */ 1297 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1298 1299 #if defined(MBEDTLS_GCM_C) 1300 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1301 size_t output_length; 1302 /* The code here doesn't yet support alternative implementations 1303 * that can delay up to a block of output. */ 1304 1305 if (tag_len > sizeof(check_tag)) { 1306 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1307 } 1308 1309 if (0 != (ret = mbedtls_gcm_finish( 1310 (mbedtls_gcm_context *) ctx->cipher_ctx, 1311 NULL, 0, &output_length, 1312 check_tag, tag_len))) { 1313 return ret; 1314 } 1315 1316 /* Check the tag in "constant-time" */ 1317 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1318 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1319 goto exit; 1320 } 1321 } 1322 #endif /* MBEDTLS_GCM_C */ 1323 1324 #if defined(MBEDTLS_CHACHAPOLY_C) 1325 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1326 /* Don't allow truncated MAC for Poly1305 */ 1327 if (tag_len != sizeof(check_tag)) { 1328 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1329 } 1330 1331 ret = mbedtls_chachapoly_finish( 1332 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag); 1333 if (ret != 0) { 1334 return ret; 1335 } 1336 1337 /* Check the tag in "constant-time" */ 1338 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1339 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1340 goto exit; 1341 } 1342 } 1343 #endif /* MBEDTLS_CHACHAPOLY_C */ 1344 1345 exit: 1346 mbedtls_platform_zeroize(check_tag, tag_len); 1347 return ret; 1348 } 1349 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 1350 1351 /* 1352 * Packet-oriented wrapper for non-AEAD modes 1353 */ 1354 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, 1355 const unsigned char *iv, size_t iv_len, 1356 const unsigned char *input, size_t ilen, 1357 unsigned char *output, size_t *olen) 1358 { 1359 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1360 size_t finish_olen; 1361 1362 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1363 if (ctx->psa_enabled == 1) { 1364 /* As in the non-PSA case, we don't check that 1365 * a key has been set. If not, the key slot will 1366 * still be in its default state of 0, which is 1367 * guaranteed to be invalid, hence the PSA-call 1368 * below will gracefully fail. */ 1369 mbedtls_cipher_context_psa * const cipher_psa = 1370 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1371 1372 psa_status_t status; 1373 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; 1374 size_t part_len; 1375 1376 if (ctx->operation == MBEDTLS_DECRYPT) { 1377 status = psa_cipher_decrypt_setup(&cipher_op, 1378 cipher_psa->slot, 1379 cipher_psa->alg); 1380 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 1381 status = psa_cipher_encrypt_setup(&cipher_op, 1382 cipher_psa->slot, 1383 cipher_psa->alg); 1384 } else { 1385 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1386 } 1387 1388 /* In the following, we can immediately return on an error, 1389 * because the PSA Crypto API guarantees that cipher operations 1390 * are terminated by unsuccessful calls to psa_cipher_update(), 1391 * and by any call to psa_cipher_finish(). */ 1392 if (status != PSA_SUCCESS) { 1393 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1394 } 1395 1396 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) { 1397 status = psa_cipher_set_iv(&cipher_op, iv, iv_len); 1398 if (status != PSA_SUCCESS) { 1399 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1400 } 1401 } 1402 1403 status = psa_cipher_update(&cipher_op, 1404 input, ilen, 1405 output, ilen, olen); 1406 if (status != PSA_SUCCESS) { 1407 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1408 } 1409 1410 status = psa_cipher_finish(&cipher_op, 1411 output + *olen, ilen - *olen, 1412 &part_len); 1413 if (status != PSA_SUCCESS) { 1414 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1415 } 1416 1417 *olen += part_len; 1418 return 0; 1419 } 1420 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1421 1422 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) { 1423 return ret; 1424 } 1425 1426 if ((ret = mbedtls_cipher_reset(ctx)) != 0) { 1427 return ret; 1428 } 1429 1430 if ((ret = mbedtls_cipher_update(ctx, input, ilen, 1431 output, olen)) != 0) { 1432 return ret; 1433 } 1434 1435 if ((ret = mbedtls_cipher_finish(ctx, output + *olen, 1436 &finish_olen)) != 0) { 1437 return ret; 1438 } 1439 1440 *olen += finish_olen; 1441 1442 return 0; 1443 } 1444 1445 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1446 /* 1447 * Packet-oriented encryption for AEAD modes: internal function used by 1448 * mbedtls_cipher_auth_encrypt_ext(). 1449 */ 1450 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx, 1451 const unsigned char *iv, size_t iv_len, 1452 const unsigned char *ad, size_t ad_len, 1453 const unsigned char *input, size_t ilen, 1454 unsigned char *output, size_t *olen, 1455 unsigned char *tag, size_t tag_len) 1456 { 1457 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1458 if (ctx->psa_enabled == 1) { 1459 /* As in the non-PSA case, we don't check that 1460 * a key has been set. If not, the key slot will 1461 * still be in its default state of 0, which is 1462 * guaranteed to be invalid, hence the PSA-call 1463 * below will gracefully fail. */ 1464 mbedtls_cipher_context_psa * const cipher_psa = 1465 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1466 1467 psa_status_t status; 1468 1469 /* PSA Crypto API always writes the authentication tag 1470 * at the end of the encrypted message. */ 1471 if (output == NULL || tag != output + ilen) { 1472 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1473 } 1474 1475 status = psa_aead_encrypt(cipher_psa->slot, 1476 cipher_psa->alg, 1477 iv, iv_len, 1478 ad, ad_len, 1479 input, ilen, 1480 output, ilen + tag_len, olen); 1481 if (status != PSA_SUCCESS) { 1482 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1483 } 1484 1485 *olen -= tag_len; 1486 return 0; 1487 } 1488 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1489 1490 #if defined(MBEDTLS_GCM_C) 1491 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1492 *olen = ilen; 1493 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, 1494 ilen, iv, iv_len, ad, ad_len, 1495 input, output, tag_len, tag); 1496 } 1497 #endif /* MBEDTLS_GCM_C */ 1498 #if defined(MBEDTLS_CCM_C) 1499 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1500 *olen = ilen; 1501 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen, 1502 iv, iv_len, ad, ad_len, input, output, 1503 tag, tag_len); 1504 } 1505 #endif /* MBEDTLS_CCM_C */ 1506 #if defined(MBEDTLS_CHACHAPOLY_C) 1507 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1508 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1509 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || 1510 (tag_len != 16U)) { 1511 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1512 } 1513 1514 *olen = ilen; 1515 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx, 1516 ilen, iv, ad, ad_len, input, output, tag); 1517 } 1518 #endif /* MBEDTLS_CHACHAPOLY_C */ 1519 1520 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1521 } 1522 1523 /* 1524 * Packet-oriented encryption for AEAD modes: internal function used by 1525 * mbedtls_cipher_auth_encrypt_ext(). 1526 */ 1527 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx, 1528 const unsigned char *iv, size_t iv_len, 1529 const unsigned char *ad, size_t ad_len, 1530 const unsigned char *input, size_t ilen, 1531 unsigned char *output, size_t *olen, 1532 const unsigned char *tag, size_t tag_len) 1533 { 1534 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1535 if (ctx->psa_enabled == 1) { 1536 /* As in the non-PSA case, we don't check that 1537 * a key has been set. If not, the key slot will 1538 * still be in its default state of 0, which is 1539 * guaranteed to be invalid, hence the PSA-call 1540 * below will gracefully fail. */ 1541 mbedtls_cipher_context_psa * const cipher_psa = 1542 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1543 1544 psa_status_t status; 1545 1546 /* PSA Crypto API always writes the authentication tag 1547 * at the end of the encrypted message. */ 1548 if (input == NULL || tag != input + ilen) { 1549 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1550 } 1551 1552 status = psa_aead_decrypt(cipher_psa->slot, 1553 cipher_psa->alg, 1554 iv, iv_len, 1555 ad, ad_len, 1556 input, ilen + tag_len, 1557 output, ilen, olen); 1558 if (status == PSA_ERROR_INVALID_SIGNATURE) { 1559 return MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1560 } else if (status != PSA_SUCCESS) { 1561 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1562 } 1563 1564 return 0; 1565 } 1566 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1567 1568 #if defined(MBEDTLS_GCM_C) 1569 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1570 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1571 1572 *olen = ilen; 1573 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen, 1574 iv, iv_len, ad, ad_len, 1575 tag, tag_len, input, output); 1576 1577 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) { 1578 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1579 } 1580 1581 return ret; 1582 } 1583 #endif /* MBEDTLS_GCM_C */ 1584 #if defined(MBEDTLS_CCM_C) 1585 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1586 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1587 1588 *olen = ilen; 1589 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen, 1590 iv, iv_len, ad, ad_len, 1591 input, output, tag, tag_len); 1592 1593 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) { 1594 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1595 } 1596 1597 return ret; 1598 } 1599 #endif /* MBEDTLS_CCM_C */ 1600 #if defined(MBEDTLS_CHACHAPOLY_C) 1601 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1602 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1603 1604 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1605 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || 1606 (tag_len != 16U)) { 1607 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1608 } 1609 1610 *olen = ilen; 1611 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen, 1612 iv, ad, ad_len, tag, input, output); 1613 1614 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) { 1615 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1616 } 1617 1618 return ret; 1619 } 1620 #endif /* MBEDTLS_CHACHAPOLY_C */ 1621 1622 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1623 } 1624 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1625 1626 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) 1627 /* 1628 * Packet-oriented encryption for AEAD/NIST_KW: public function. 1629 */ 1630 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx, 1631 const unsigned char *iv, size_t iv_len, 1632 const unsigned char *ad, size_t ad_len, 1633 const unsigned char *input, size_t ilen, 1634 unsigned char *output, size_t output_len, 1635 size_t *olen, size_t tag_len) 1636 { 1637 #if defined(MBEDTLS_NIST_KW_C) 1638 if ( 1639 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1640 ctx->psa_enabled == 0 && 1641 #endif 1642 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1643 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { 1644 mbedtls_nist_kw_mode_t mode = 1645 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? 1646 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1647 1648 /* There is no iv, tag or ad associated with KW and KWP, 1649 * so these length should be 0 as documented. */ 1650 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1651 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1652 } 1653 1654 (void) iv; 1655 (void) ad; 1656 1657 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen, 1658 output, olen, output_len); 1659 } 1660 #endif /* MBEDTLS_NIST_KW_C */ 1661 1662 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1663 /* AEAD case: check length before passing on to shared function */ 1664 if (output_len < ilen + tag_len) { 1665 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1666 } 1667 1668 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len, 1669 input, ilen, output, olen, 1670 output + ilen, tag_len); 1671 *olen += tag_len; 1672 return ret; 1673 #else 1674 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1675 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1676 } 1677 1678 /* 1679 * Packet-oriented decryption for AEAD/NIST_KW: public function. 1680 */ 1681 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx, 1682 const unsigned char *iv, size_t iv_len, 1683 const unsigned char *ad, size_t ad_len, 1684 const unsigned char *input, size_t ilen, 1685 unsigned char *output, size_t output_len, 1686 size_t *olen, size_t tag_len) 1687 { 1688 #if defined(MBEDTLS_NIST_KW_C) 1689 if ( 1690 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1691 ctx->psa_enabled == 0 && 1692 #endif 1693 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1694 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { 1695 mbedtls_nist_kw_mode_t mode = 1696 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? 1697 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1698 1699 /* There is no iv, tag or ad associated with KW and KWP, 1700 * so these length should be 0 as documented. */ 1701 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1702 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1703 } 1704 1705 (void) iv; 1706 (void) ad; 1707 1708 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen, 1709 output, olen, output_len); 1710 } 1711 #endif /* MBEDTLS_NIST_KW_C */ 1712 1713 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1714 /* AEAD case: check length before passing on to shared function */ 1715 if (ilen < tag_len || output_len < ilen - tag_len) { 1716 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1717 } 1718 1719 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len, 1720 input, ilen - tag_len, output, olen, 1721 input + ilen - tag_len, tag_len); 1722 #else 1723 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1724 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1725 } 1726 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ 1727 1728 #endif /* MBEDTLS_CIPHER_C */ 1729