1 /** 2 * \file cipher.c 3 * 4 * \brief Generic cipher wrapper for mbed TLS 5 * 6 * \author Adriaan de Jong <dejong@fox-it.com> 7 * 8 * Copyright The Mbed TLS Contributors 9 * SPDX-License-Identifier: Apache-2.0 10 * 11 * Licensed under the Apache License, Version 2.0 (the "License"); you may 12 * not use this file except in compliance with the License. 13 * You may obtain a copy of the License at 14 * 15 * http://www.apache.org/licenses/LICENSE-2.0 16 * 17 * Unless required by applicable law or agreed to in writing, software 18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 * See the License for the specific language governing permissions and 21 * limitations under the License. 22 */ 23 24 #include "common.h" 25 26 #if defined(MBEDTLS_CIPHER_C) 27 28 #include "mbedtls/cipher.h" 29 #include "mbedtls/cipher_internal.h" 30 #include "mbedtls/platform_util.h" 31 #include "mbedtls/error.h" 32 33 #include <stdlib.h> 34 #include <string.h> 35 36 #if defined(MBEDTLS_CHACHAPOLY_C) 37 #include "mbedtls/chachapoly.h" 38 #endif 39 40 #if defined(MBEDTLS_GCM_C) 41 #include "mbedtls/gcm.h" 42 #endif 43 44 #if defined(MBEDTLS_CCM_C) 45 #include "mbedtls/ccm.h" 46 #endif 47 48 #if defined(MBEDTLS_CHACHA20_C) 49 #include "mbedtls/chacha20.h" 50 #endif 51 52 #if defined(MBEDTLS_CMAC_C) 53 #include "mbedtls/cmac.h" 54 #endif 55 56 #if defined(MBEDTLS_USE_PSA_CRYPTO) 57 #include "psa/crypto.h" 58 #include "mbedtls/psa_util.h" 59 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 60 61 #if defined(MBEDTLS_NIST_KW_C) 62 #include "mbedtls/nist_kw.h" 63 #endif 64 65 #if defined(MBEDTLS_PLATFORM_C) 66 #include "mbedtls/platform.h" 67 #else 68 #define mbedtls_calloc calloc 69 #define mbedtls_free free 70 #endif 71 72 #define CIPHER_VALIDATE_RET( cond ) \ 73 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) 74 #define CIPHER_VALIDATE( cond ) \ 75 MBEDTLS_INTERNAL_VALIDATE( cond ) 76 77 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 78 /* Compare the contents of two buffers in constant time. 79 * Returns 0 if the contents are bitwise identical, otherwise returns 80 * a non-zero value. 81 * This is currently only used by GCM and ChaCha20+Poly1305. 82 */ 83 static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, 84 size_t len ) 85 { 86 const unsigned char *p1 = (const unsigned char*) v1; 87 const unsigned char *p2 = (const unsigned char*) v2; 88 size_t i; 89 unsigned char diff; 90 91 for( diff = 0, i = 0; i < len; i++ ) 92 diff |= p1[i] ^ p2[i]; 93 94 return( (int)diff ); 95 } 96 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 97 98 static int supported_init = 0; 99 100 const int *mbedtls_cipher_list( void ) 101 { 102 const mbedtls_cipher_definition_t *def; 103 int *type; 104 105 if( ! supported_init ) 106 { 107 def = mbedtls_cipher_definitions; 108 type = mbedtls_cipher_supported; 109 110 while( def->type != 0 ) 111 *type++ = (*def++).type; 112 113 *type = 0; 114 115 supported_init = 1; 116 } 117 118 return( mbedtls_cipher_supported ); 119 } 120 121 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( 122 const mbedtls_cipher_type_t cipher_type ) 123 { 124 const mbedtls_cipher_definition_t *def; 125 126 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 127 if( def->type == cipher_type ) 128 return( def->info ); 129 130 return( NULL ); 131 } 132 133 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( 134 const char *cipher_name ) 135 { 136 const mbedtls_cipher_definition_t *def; 137 138 if( NULL == cipher_name ) 139 return( NULL ); 140 141 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 142 if( ! strcmp( def->info->name, cipher_name ) ) 143 return( def->info ); 144 145 return( NULL ); 146 } 147 148 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( 149 const mbedtls_cipher_id_t cipher_id, 150 int key_bitlen, 151 const mbedtls_cipher_mode_t mode ) 152 { 153 const mbedtls_cipher_definition_t *def; 154 155 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 156 if( def->info->base->cipher == cipher_id && 157 def->info->key_bitlen == (unsigned) key_bitlen && 158 def->info->mode == mode ) 159 return( def->info ); 160 161 return( NULL ); 162 } 163 164 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx ) 165 { 166 CIPHER_VALIDATE( ctx != NULL ); 167 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 168 } 169 170 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx ) 171 { 172 if( ctx == NULL ) 173 return; 174 175 #if defined(MBEDTLS_USE_PSA_CRYPTO) 176 if( ctx->psa_enabled == 1 ) 177 { 178 if( ctx->cipher_ctx != NULL ) 179 { 180 mbedtls_cipher_context_psa * const cipher_psa = 181 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 182 183 if( cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED ) 184 { 185 /* xxx_free() doesn't allow to return failures. */ 186 (void) psa_destroy_key( cipher_psa->slot ); 187 } 188 189 mbedtls_platform_zeroize( cipher_psa, sizeof( *cipher_psa ) ); 190 mbedtls_free( cipher_psa ); 191 } 192 193 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) ); 194 return; 195 } 196 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 197 198 #if defined(MBEDTLS_CMAC_C) 199 if( ctx->cmac_ctx ) 200 { 201 mbedtls_platform_zeroize( ctx->cmac_ctx, 202 sizeof( mbedtls_cmac_context_t ) ); 203 mbedtls_free( ctx->cmac_ctx ); 204 } 205 #endif 206 207 if( ctx->cipher_ctx ) 208 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx ); 209 210 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) ); 211 } 212 213 int mbedtls_cipher_clone( mbedtls_cipher_context_t *dst, 214 const mbedtls_cipher_context_t *src ) 215 { 216 if( dst == NULL || dst->cipher_info == NULL || 217 src == NULL || src->cipher_info == NULL) 218 { 219 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 220 } 221 222 dst->cipher_info = src->cipher_info; 223 dst->key_bitlen = src->key_bitlen; 224 dst->operation = src->operation; 225 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 226 dst->add_padding = src->add_padding; 227 dst->get_padding = src->get_padding; 228 #endif 229 memcpy( dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH ); 230 dst->unprocessed_len = src->unprocessed_len; 231 memcpy( dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH ); 232 dst->iv_size = src->iv_size; 233 if( dst->cipher_info->base->ctx_clone_func ) 234 dst->cipher_info->base->ctx_clone_func( dst->cipher_ctx, src->cipher_ctx ); 235 236 #if defined(MBEDTLS_CMAC_C) 237 if( dst->cmac_ctx != NULL && src->cmac_ctx != NULL ) 238 memcpy( dst->cmac_ctx, src->cmac_ctx, sizeof( mbedtls_cmac_context_t ) ); 239 #endif 240 return( 0 ); 241 } 242 243 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, 244 const mbedtls_cipher_info_t *cipher_info ) 245 { 246 CIPHER_VALIDATE_RET( ctx != NULL ); 247 if( cipher_info == NULL ) 248 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 249 250 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 251 252 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) ) 253 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 254 255 ctx->cipher_info = cipher_info; 256 257 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 258 /* 259 * Ignore possible errors caused by a cipher mode that doesn't use padding 260 */ 261 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 262 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 ); 263 #else 264 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE ); 265 #endif 266 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 267 268 return( 0 ); 269 } 270 271 #if defined(MBEDTLS_USE_PSA_CRYPTO) 272 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx, 273 const mbedtls_cipher_info_t *cipher_info, 274 size_t taglen ) 275 { 276 psa_algorithm_t alg; 277 mbedtls_cipher_context_psa *cipher_psa; 278 279 if( NULL == cipher_info || NULL == ctx ) 280 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 281 282 /* Check that the underlying cipher mode and cipher type are 283 * supported by the underlying PSA Crypto implementation. */ 284 alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen ); 285 if( alg == 0 ) 286 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 287 if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 ) 288 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 289 290 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 291 292 cipher_psa = mbedtls_calloc( 1, sizeof(mbedtls_cipher_context_psa ) ); 293 if( cipher_psa == NULL ) 294 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 295 cipher_psa->alg = alg; 296 ctx->cipher_ctx = cipher_psa; 297 ctx->cipher_info = cipher_info; 298 ctx->psa_enabled = 1; 299 return( 0 ); 300 } 301 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 302 303 int mbedtls_cipher_setup_info( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info ) 304 { 305 if( NULL == cipher_info || NULL == ctx ) 306 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 307 308 ctx->cipher_info = cipher_info; 309 return( 0 ); 310 } 311 312 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, 313 const unsigned char *key, 314 int key_bitlen, 315 const mbedtls_operation_t operation ) 316 { 317 CIPHER_VALIDATE_RET( ctx != NULL ); 318 CIPHER_VALIDATE_RET( key != NULL ); 319 CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT || 320 operation == MBEDTLS_DECRYPT ); 321 if( ctx->cipher_info == NULL ) 322 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 323 324 #if defined(MBEDTLS_USE_PSA_CRYPTO) 325 if( ctx->psa_enabled == 1 ) 326 { 327 mbedtls_cipher_context_psa * const cipher_psa = 328 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 329 330 size_t const key_bytelen = ( (size_t) key_bitlen + 7 ) / 8; 331 332 psa_status_t status; 333 psa_key_type_t key_type; 334 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 335 336 /* PSA Crypto API only accepts byte-aligned keys. */ 337 if( key_bitlen % 8 != 0 ) 338 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 339 340 /* Don't allow keys to be set multiple times. */ 341 if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET ) 342 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 343 344 key_type = mbedtls_psa_translate_cipher_type( 345 ctx->cipher_info->type ); 346 if( key_type == 0 ) 347 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 348 psa_set_key_type( &attributes, key_type ); 349 350 /* Mbed TLS' cipher layer doesn't enforce the mode of operation 351 * (encrypt vs. decrypt): it is possible to setup a key for encryption 352 * and use it for AEAD decryption. Until tests relying on this 353 * are changed, allow any usage in PSA. */ 354 psa_set_key_usage_flags( &attributes, 355 /* mbedtls_psa_translate_cipher_operation( operation ); */ 356 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT ); 357 psa_set_key_algorithm( &attributes, cipher_psa->alg ); 358 359 status = psa_import_key( &attributes, key, key_bytelen, 360 &cipher_psa->slot ); 361 switch( status ) 362 { 363 case PSA_SUCCESS: 364 break; 365 case PSA_ERROR_INSUFFICIENT_MEMORY: 366 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 367 case PSA_ERROR_NOT_SUPPORTED: 368 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 369 default: 370 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 371 } 372 /* Indicate that we own the key slot and need to 373 * destroy it in mbedtls_cipher_free(). */ 374 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED; 375 376 ctx->key_bitlen = key_bitlen; 377 ctx->operation = operation; 378 return( 0 ); 379 } 380 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 381 382 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 && 383 (int) ctx->cipher_info->key_bitlen != key_bitlen ) 384 { 385 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 386 } 387 388 ctx->key_bitlen = key_bitlen; 389 ctx->operation = operation; 390 391 /* 392 * For OFB, CFB and CTR mode always use the encryption key schedule 393 */ 394 if( MBEDTLS_ENCRYPT == operation || 395 MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 396 MBEDTLS_MODE_OFB == ctx->cipher_info->mode || 397 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ) 398 { 399 return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key, 400 ctx->key_bitlen ) ); 401 } 402 403 if( MBEDTLS_DECRYPT == operation ) 404 return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key, 405 ctx->key_bitlen ) ); 406 407 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 408 } 409 410 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, 411 const unsigned char *iv, 412 size_t iv_len ) 413 { 414 size_t actual_iv_size; 415 416 CIPHER_VALIDATE_RET( ctx != NULL ); 417 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 418 if( ctx->cipher_info == NULL ) 419 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 420 #if defined(MBEDTLS_USE_PSA_CRYPTO) 421 if( ctx->psa_enabled == 1 ) 422 { 423 /* While PSA Crypto has an API for multipart 424 * operations, we currently don't make it 425 * accessible through the cipher layer. */ 426 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 427 } 428 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 429 430 /* avoid buffer overflow in ctx->iv */ 431 if( iv_len > MBEDTLS_MAX_IV_LENGTH ) 432 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 433 434 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 ) 435 actual_iv_size = iv_len; 436 else 437 { 438 actual_iv_size = ctx->cipher_info->iv_size; 439 440 /* avoid reading past the end of input buffer */ 441 if( actual_iv_size > iv_len ) 442 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 443 } 444 445 #if defined(MBEDTLS_CHACHA20_C) 446 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 ) 447 { 448 if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx, 449 iv, 450 0U ) ) /* Initial counter value */ 451 { 452 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 453 } 454 } 455 #endif 456 457 if ( actual_iv_size != 0 ) 458 { 459 memcpy( ctx->iv, iv, actual_iv_size ); 460 ctx->iv_size = actual_iv_size; 461 } 462 463 return( 0 ); 464 } 465 466 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ) 467 { 468 CIPHER_VALIDATE_RET( ctx != NULL ); 469 if( ctx->cipher_info == NULL ) 470 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 471 472 #if defined(MBEDTLS_USE_PSA_CRYPTO) 473 if( ctx->psa_enabled == 1 ) 474 { 475 /* We don't support resetting PSA-based 476 * cipher contexts, yet. */ 477 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 478 } 479 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 480 481 ctx->unprocessed_len = 0; 482 483 return( 0 ); 484 } 485 486 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 487 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx, 488 const unsigned char *ad, size_t ad_len ) 489 { 490 CIPHER_VALIDATE_RET( ctx != NULL ); 491 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); 492 if( ctx->cipher_info == NULL ) 493 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 494 495 #if defined(MBEDTLS_USE_PSA_CRYPTO) 496 if( ctx->psa_enabled == 1 ) 497 { 498 /* While PSA Crypto has an API for multipart 499 * operations, we currently don't make it 500 * accessible through the cipher layer. */ 501 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 502 } 503 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 504 505 #if defined(MBEDTLS_GCM_C) 506 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 507 { 508 return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation, 509 ctx->iv, ctx->iv_size, ad, ad_len ) ); 510 } 511 #endif 512 513 #if defined(MBEDTLS_CHACHAPOLY_C) 514 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) 515 { 516 int result; 517 mbedtls_chachapoly_mode_t mode; 518 519 mode = ( ctx->operation == MBEDTLS_ENCRYPT ) 520 ? MBEDTLS_CHACHAPOLY_ENCRYPT 521 : MBEDTLS_CHACHAPOLY_DECRYPT; 522 523 result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx, 524 ctx->iv, 525 mode ); 526 if ( result != 0 ) 527 return( result ); 528 529 return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx, 530 ad, ad_len ) ); 531 } 532 #endif 533 534 return( 0 ); 535 } 536 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 537 538 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input, 539 size_t ilen, unsigned char *output, size_t *olen ) 540 { 541 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 542 size_t block_size; 543 544 CIPHER_VALIDATE_RET( ctx != NULL ); 545 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 546 CIPHER_VALIDATE_RET( output != NULL ); 547 CIPHER_VALIDATE_RET( olen != NULL ); 548 if( ctx->cipher_info == NULL ) 549 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 550 551 #if defined(MBEDTLS_USE_PSA_CRYPTO) 552 if( ctx->psa_enabled == 1 ) 553 { 554 /* While PSA Crypto has an API for multipart 555 * operations, we currently don't make it 556 * accessible through the cipher layer. */ 557 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 558 } 559 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 560 561 *olen = 0; 562 block_size = mbedtls_cipher_get_block_size( ctx ); 563 if ( 0 == block_size ) 564 { 565 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT ); 566 } 567 568 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB ) 569 { 570 if( ilen != block_size ) 571 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 572 573 *olen = ilen; 574 575 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx, 576 ctx->operation, input, output ) ) ) 577 { 578 return( ret ); 579 } 580 581 return( 0 ); 582 } 583 584 #if defined(MBEDTLS_GCM_C) 585 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM ) 586 { 587 *olen = ilen; 588 return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input, 589 output ) ); 590 } 591 #endif 592 593 #if defined(MBEDTLS_CHACHAPOLY_C) 594 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) 595 { 596 *olen = ilen; 597 return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx, 598 ilen, input, output ) ); 599 } 600 #endif 601 602 if( input == output && 603 ( ctx->unprocessed_len != 0 || ilen % block_size ) ) 604 { 605 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 606 } 607 608 #if defined(MBEDTLS_CIPHER_MODE_CBC) 609 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC ) 610 { 611 size_t copy_len = 0; 612 613 /* 614 * If there is not enough data for a full block, cache it. 615 */ 616 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 617 ilen <= block_size - ctx->unprocessed_len ) || 618 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 619 ilen < block_size - ctx->unprocessed_len ) || 620 ( ctx->operation == MBEDTLS_ENCRYPT && 621 ilen < block_size - ctx->unprocessed_len ) ) 622 { 623 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 624 ilen ); 625 626 ctx->unprocessed_len += ilen; 627 return( 0 ); 628 } 629 630 /* 631 * Process cached data first 632 */ 633 if( 0 != ctx->unprocessed_len ) 634 { 635 copy_len = block_size - ctx->unprocessed_len; 636 637 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 638 copy_len ); 639 640 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 641 ctx->operation, block_size, ctx->iv, 642 ctx->unprocessed_data, output ) ) ) 643 { 644 return( ret ); 645 } 646 647 *olen += block_size; 648 output += block_size; 649 ctx->unprocessed_len = 0; 650 651 input += copy_len; 652 ilen -= copy_len; 653 } 654 655 /* 656 * Cache final, incomplete block 657 */ 658 if( 0 != ilen ) 659 { 660 /* Encryption: only cache partial blocks 661 * Decryption w/ padding: always keep at least one whole block 662 * Decryption w/o padding: only cache partial blocks 663 */ 664 copy_len = ilen % block_size; 665 if( copy_len == 0 && 666 ctx->operation == MBEDTLS_DECRYPT && 667 NULL != ctx->add_padding) 668 { 669 copy_len = block_size; 670 } 671 672 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ), 673 copy_len ); 674 675 ctx->unprocessed_len += copy_len; 676 ilen -= copy_len; 677 } 678 679 /* 680 * Process remaining full blocks 681 */ 682 if( ilen ) 683 { 684 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 685 ctx->operation, ilen, ctx->iv, input, output ) ) ) 686 { 687 return( ret ); 688 } 689 690 *olen += ilen; 691 } 692 693 return( 0 ); 694 } 695 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 696 697 #if defined(MBEDTLS_CIPHER_MODE_CFB) 698 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB ) 699 { 700 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx, 701 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv, 702 input, output ) ) ) 703 { 704 return( ret ); 705 } 706 707 *olen = ilen; 708 709 return( 0 ); 710 } 711 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 712 713 #if defined(MBEDTLS_CIPHER_MODE_OFB) 714 if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB ) 715 { 716 if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx, 717 ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) ) 718 { 719 return( ret ); 720 } 721 722 *olen = ilen; 723 724 return( 0 ); 725 } 726 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 727 728 #if defined(MBEDTLS_CIPHER_MODE_CTR) 729 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR ) 730 { 731 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx, 732 ilen, &ctx->unprocessed_len, ctx->iv, 733 ctx->unprocessed_data, input, output ) ) ) 734 { 735 return( ret ); 736 } 737 738 *olen = ilen; 739 740 return( 0 ); 741 } 742 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 743 744 #if defined(MBEDTLS_CIPHER_MODE_XTS) 745 if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS ) 746 { 747 if( ctx->unprocessed_len > 0 ) { 748 /* We can only process an entire data unit at a time. */ 749 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 750 } 751 752 ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx, 753 ctx->operation, ilen, ctx->iv, input, output ); 754 if( ret != 0 ) 755 { 756 return( ret ); 757 } 758 759 *olen = ilen; 760 761 return( 0 ); 762 } 763 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 764 765 #if defined(MBEDTLS_CIPHER_MODE_STREAM) 766 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM ) 767 { 768 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx, 769 ilen, input, output ) ) ) 770 { 771 return( ret ); 772 } 773 774 *olen = ilen; 775 776 return( 0 ); 777 } 778 #endif /* MBEDTLS_CIPHER_MODE_STREAM */ 779 780 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 781 } 782 783 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 784 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 785 /* 786 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 787 */ 788 static void add_pkcs_padding( unsigned char *output, size_t output_len, 789 size_t data_len ) 790 { 791 size_t padding_len = output_len - data_len; 792 unsigned char i; 793 794 for( i = 0; i < padding_len; i++ ) 795 output[data_len + i] = (unsigned char) padding_len; 796 } 797 798 static int get_pkcs_padding( unsigned char *input, size_t input_len, 799 size_t *data_len ) 800 { 801 size_t i, pad_idx; 802 unsigned char padding_len, bad = 0; 803 804 if( NULL == input || NULL == data_len ) 805 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 806 807 padding_len = input[input_len - 1]; 808 *data_len = input_len - padding_len; 809 810 /* Avoid logical || since it results in a branch */ 811 bad |= padding_len > input_len; 812 bad |= padding_len == 0; 813 814 /* The number of bytes checked must be independent of padding_len, 815 * so pick input_len, which is usually 8 or 16 (one block) */ 816 pad_idx = input_len - padding_len; 817 for( i = 0; i < input_len; i++ ) 818 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx ); 819 820 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 821 } 822 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 823 824 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 825 /* 826 * One and zeros padding: fill with 80 00 ... 00 827 */ 828 static void add_one_and_zeros_padding( unsigned char *output, 829 size_t output_len, size_t data_len ) 830 { 831 size_t padding_len = output_len - data_len; 832 unsigned char i = 0; 833 834 output[data_len] = 0x80; 835 for( i = 1; i < padding_len; i++ ) 836 output[data_len + i] = 0x00; 837 } 838 839 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len, 840 size_t *data_len ) 841 { 842 size_t i; 843 unsigned char done = 0, prev_done, bad; 844 845 if( NULL == input || NULL == data_len ) 846 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 847 848 bad = 0x80; 849 *data_len = 0; 850 for( i = input_len; i > 0; i-- ) 851 { 852 prev_done = done; 853 done |= ( input[i - 1] != 0 ); 854 *data_len |= ( i - 1 ) * ( done != prev_done ); 855 bad ^= input[i - 1] * ( done != prev_done ); 856 } 857 858 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 859 860 } 861 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 862 863 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 864 /* 865 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 866 */ 867 static void add_zeros_and_len_padding( unsigned char *output, 868 size_t output_len, size_t data_len ) 869 { 870 size_t padding_len = output_len - data_len; 871 unsigned char i = 0; 872 873 for( i = 1; i < padding_len; i++ ) 874 output[data_len + i - 1] = 0x00; 875 output[output_len - 1] = (unsigned char) padding_len; 876 } 877 878 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len, 879 size_t *data_len ) 880 { 881 size_t i, pad_idx; 882 unsigned char padding_len, bad = 0; 883 884 if( NULL == input || NULL == data_len ) 885 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 886 887 padding_len = input[input_len - 1]; 888 *data_len = input_len - padding_len; 889 890 /* Avoid logical || since it results in a branch */ 891 bad |= padding_len > input_len; 892 bad |= padding_len == 0; 893 894 /* The number of bytes checked must be independent of padding_len */ 895 pad_idx = input_len - padding_len; 896 for( i = 0; i < input_len - 1; i++ ) 897 bad |= input[i] * ( i >= pad_idx ); 898 899 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 900 } 901 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 902 903 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 904 /* 905 * Zero padding: fill with 00 ... 00 906 */ 907 static void add_zeros_padding( unsigned char *output, 908 size_t output_len, size_t data_len ) 909 { 910 size_t i; 911 912 for( i = data_len; i < output_len; i++ ) 913 output[i] = 0x00; 914 } 915 916 static int get_zeros_padding( unsigned char *input, size_t input_len, 917 size_t *data_len ) 918 { 919 size_t i; 920 unsigned char done = 0, prev_done; 921 922 if( NULL == input || NULL == data_len ) 923 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 924 925 *data_len = 0; 926 for( i = input_len; i > 0; i-- ) 927 { 928 prev_done = done; 929 done |= ( input[i-1] != 0 ); 930 *data_len |= i * ( done != prev_done ); 931 } 932 933 return( 0 ); 934 } 935 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 936 937 /* 938 * No padding: don't pad :) 939 * 940 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 941 * but a trivial get_padding function 942 */ 943 static int get_no_padding( unsigned char *input, size_t input_len, 944 size_t *data_len ) 945 { 946 if( NULL == input || NULL == data_len ) 947 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 948 949 *data_len = input_len; 950 951 return( 0 ); 952 } 953 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 954 955 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx, 956 unsigned char *output, size_t *olen ) 957 { 958 CIPHER_VALIDATE_RET( ctx != NULL ); 959 CIPHER_VALIDATE_RET( output != NULL ); 960 CIPHER_VALIDATE_RET( olen != NULL ); 961 if( ctx->cipher_info == NULL ) 962 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 963 964 #if defined(MBEDTLS_USE_PSA_CRYPTO) 965 if( ctx->psa_enabled == 1 ) 966 { 967 /* While PSA Crypto has an API for multipart 968 * operations, we currently don't make it 969 * accessible through the cipher layer. */ 970 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 971 } 972 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 973 974 *olen = 0; 975 976 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 977 MBEDTLS_MODE_OFB == ctx->cipher_info->mode || 978 MBEDTLS_MODE_CTR == ctx->cipher_info->mode || 979 MBEDTLS_MODE_GCM == ctx->cipher_info->mode || 980 MBEDTLS_MODE_XTS == ctx->cipher_info->mode || 981 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode ) 982 { 983 return( 0 ); 984 } 985 986 if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) || 987 ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) ) 988 { 989 return( 0 ); 990 } 991 992 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode ) 993 { 994 if( ctx->unprocessed_len != 0 ) 995 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 996 997 return( 0 ); 998 } 999 1000 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1001 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode ) 1002 { 1003 int ret = 0; 1004 1005 if( MBEDTLS_ENCRYPT == ctx->operation ) 1006 { 1007 /* check for 'no padding' mode */ 1008 if( NULL == ctx->add_padding ) 1009 { 1010 if( 0 != ctx->unprocessed_len ) 1011 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 1012 1013 return( 0 ); 1014 } 1015 1016 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ), 1017 ctx->unprocessed_len ); 1018 } 1019 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len ) 1020 { 1021 /* 1022 * For decrypt operations, expect a full block, 1023 * or an empty block if no padding 1024 */ 1025 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len ) 1026 return( 0 ); 1027 1028 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 1029 } 1030 1031 /* cipher block */ 1032 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 1033 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv, 1034 ctx->unprocessed_data, output ) ) ) 1035 { 1036 return( ret ); 1037 } 1038 1039 /* Set output size for decryption */ 1040 if( MBEDTLS_DECRYPT == ctx->operation ) 1041 return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ), 1042 olen ) ); 1043 1044 /* Set output size for encryption */ 1045 *olen = mbedtls_cipher_get_block_size( ctx ); 1046 return( 0 ); 1047 } 1048 #else 1049 ((void) output); 1050 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1051 1052 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1053 } 1054 1055 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1056 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, 1057 mbedtls_cipher_padding_t mode ) 1058 { 1059 CIPHER_VALIDATE_RET( ctx != NULL ); 1060 1061 if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode ) 1062 { 1063 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1064 } 1065 1066 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1067 if( ctx->psa_enabled == 1 ) 1068 { 1069 /* While PSA Crypto knows about CBC padding 1070 * schemes, we currently don't make them 1071 * accessible through the cipher layer. */ 1072 if( mode != MBEDTLS_PADDING_NONE ) 1073 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1074 1075 return( 0 ); 1076 } 1077 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1078 1079 switch( mode ) 1080 { 1081 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 1082 case MBEDTLS_PADDING_PKCS7: 1083 ctx->add_padding = add_pkcs_padding; 1084 ctx->get_padding = get_pkcs_padding; 1085 break; 1086 #endif 1087 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 1088 case MBEDTLS_PADDING_ONE_AND_ZEROS: 1089 ctx->add_padding = add_one_and_zeros_padding; 1090 ctx->get_padding = get_one_and_zeros_padding; 1091 break; 1092 #endif 1093 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 1094 case MBEDTLS_PADDING_ZEROS_AND_LEN: 1095 ctx->add_padding = add_zeros_and_len_padding; 1096 ctx->get_padding = get_zeros_and_len_padding; 1097 break; 1098 #endif 1099 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1100 case MBEDTLS_PADDING_ZEROS: 1101 ctx->add_padding = add_zeros_padding; 1102 ctx->get_padding = get_zeros_padding; 1103 break; 1104 #endif 1105 case MBEDTLS_PADDING_NONE: 1106 ctx->add_padding = NULL; 1107 ctx->get_padding = get_no_padding; 1108 break; 1109 1110 default: 1111 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1112 } 1113 1114 return( 0 ); 1115 } 1116 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1117 1118 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 1119 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx, 1120 unsigned char *tag, size_t tag_len ) 1121 { 1122 CIPHER_VALIDATE_RET( ctx != NULL ); 1123 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); 1124 if( ctx->cipher_info == NULL ) 1125 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1126 1127 if( MBEDTLS_ENCRYPT != ctx->operation ) 1128 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1129 1130 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1131 if( ctx->psa_enabled == 1 ) 1132 { 1133 /* While PSA Crypto has an API for multipart 1134 * operations, we currently don't make it 1135 * accessible through the cipher layer. */ 1136 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1137 } 1138 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1139 1140 #if defined(MBEDTLS_GCM_C) 1141 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 1142 return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, 1143 tag, tag_len ) ); 1144 #endif 1145 1146 #if defined(MBEDTLS_CHACHAPOLY_C) 1147 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) 1148 { 1149 /* Don't allow truncated MAC for Poly1305 */ 1150 if ( tag_len != 16U ) 1151 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1152 1153 return( mbedtls_chachapoly_finish( 1154 (mbedtls_chachapoly_context*) ctx->cipher_ctx, tag ) ); 1155 } 1156 #endif 1157 1158 return( 0 ); 1159 } 1160 1161 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, 1162 const unsigned char *tag, size_t tag_len ) 1163 { 1164 unsigned char check_tag[16]; 1165 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1166 1167 CIPHER_VALIDATE_RET( ctx != NULL ); 1168 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); 1169 if( ctx->cipher_info == NULL ) 1170 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1171 1172 if( MBEDTLS_DECRYPT != ctx->operation ) 1173 { 1174 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1175 } 1176 1177 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1178 if( ctx->psa_enabled == 1 ) 1179 { 1180 /* While PSA Crypto has an API for multipart 1181 * operations, we currently don't make it 1182 * accessible through the cipher layer. */ 1183 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1184 } 1185 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1186 1187 #if defined(MBEDTLS_GCM_C) 1188 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 1189 { 1190 if( tag_len > sizeof( check_tag ) ) 1191 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1192 1193 if( 0 != ( ret = mbedtls_gcm_finish( 1194 (mbedtls_gcm_context *) ctx->cipher_ctx, 1195 check_tag, tag_len ) ) ) 1196 { 1197 return( ret ); 1198 } 1199 1200 /* Check the tag in "constant-time" */ 1201 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 ) 1202 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); 1203 1204 return( 0 ); 1205 } 1206 #endif /* MBEDTLS_GCM_C */ 1207 1208 #if defined(MBEDTLS_CHACHAPOLY_C) 1209 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) 1210 { 1211 /* Don't allow truncated MAC for Poly1305 */ 1212 if ( tag_len != sizeof( check_tag ) ) 1213 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1214 1215 ret = mbedtls_chachapoly_finish( 1216 (mbedtls_chachapoly_context*) ctx->cipher_ctx, check_tag ); 1217 if ( ret != 0 ) 1218 { 1219 return( ret ); 1220 } 1221 1222 /* Check the tag in "constant-time" */ 1223 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 ) 1224 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); 1225 1226 return( 0 ); 1227 } 1228 #endif /* MBEDTLS_CHACHAPOLY_C */ 1229 1230 return( 0 ); 1231 } 1232 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 1233 1234 /* 1235 * Packet-oriented wrapper for non-AEAD modes 1236 */ 1237 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, 1238 const unsigned char *iv, size_t iv_len, 1239 const unsigned char *input, size_t ilen, 1240 unsigned char *output, size_t *olen ) 1241 { 1242 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1243 size_t finish_olen; 1244 1245 CIPHER_VALIDATE_RET( ctx != NULL ); 1246 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 1247 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 1248 CIPHER_VALIDATE_RET( output != NULL ); 1249 CIPHER_VALIDATE_RET( olen != NULL ); 1250 1251 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1252 if( ctx->psa_enabled == 1 ) 1253 { 1254 /* As in the non-PSA case, we don't check that 1255 * a key has been set. If not, the key slot will 1256 * still be in its default state of 0, which is 1257 * guaranteed to be invalid, hence the PSA-call 1258 * below will gracefully fail. */ 1259 mbedtls_cipher_context_psa * const cipher_psa = 1260 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1261 1262 psa_status_t status; 1263 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; 1264 size_t part_len; 1265 1266 if( ctx->operation == MBEDTLS_DECRYPT ) 1267 { 1268 status = psa_cipher_decrypt_setup( &cipher_op, 1269 cipher_psa->slot, 1270 cipher_psa->alg ); 1271 } 1272 else if( ctx->operation == MBEDTLS_ENCRYPT ) 1273 { 1274 status = psa_cipher_encrypt_setup( &cipher_op, 1275 cipher_psa->slot, 1276 cipher_psa->alg ); 1277 } 1278 else 1279 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1280 1281 /* In the following, we can immediately return on an error, 1282 * because the PSA Crypto API guarantees that cipher operations 1283 * are terminated by unsuccessful calls to psa_cipher_update(), 1284 * and by any call to psa_cipher_finish(). */ 1285 if( status != PSA_SUCCESS ) 1286 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1287 1288 status = psa_cipher_set_iv( &cipher_op, iv, iv_len ); 1289 if( status != PSA_SUCCESS ) 1290 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1291 1292 status = psa_cipher_update( &cipher_op, 1293 input, ilen, 1294 output, ilen, olen ); 1295 if( status != PSA_SUCCESS ) 1296 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1297 1298 status = psa_cipher_finish( &cipher_op, 1299 output + *olen, ilen - *olen, 1300 &part_len ); 1301 if( status != PSA_SUCCESS ) 1302 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1303 1304 *olen += part_len; 1305 return( 0 ); 1306 } 1307 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1308 1309 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 ) 1310 return( ret ); 1311 1312 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 ) 1313 return( ret ); 1314 1315 if( ( ret = mbedtls_cipher_update( ctx, input, ilen, 1316 output, olen ) ) != 0 ) 1317 return( ret ); 1318 1319 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, 1320 &finish_olen ) ) != 0 ) 1321 return( ret ); 1322 1323 *olen += finish_olen; 1324 1325 return( 0 ); 1326 } 1327 1328 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1329 /* 1330 * Packet-oriented encryption for AEAD modes: internal function shared by 1331 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext(). 1332 */ 1333 static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx, 1334 const unsigned char *iv, size_t iv_len, 1335 const unsigned char *ad, size_t ad_len, 1336 const unsigned char *input, size_t ilen, 1337 unsigned char *output, size_t *olen, 1338 unsigned char *tag, size_t tag_len ) 1339 { 1340 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1341 if( ctx->psa_enabled == 1 ) 1342 { 1343 /* As in the non-PSA case, we don't check that 1344 * a key has been set. If not, the key slot will 1345 * still be in its default state of 0, which is 1346 * guaranteed to be invalid, hence the PSA-call 1347 * below will gracefully fail. */ 1348 mbedtls_cipher_context_psa * const cipher_psa = 1349 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1350 1351 psa_status_t status; 1352 1353 /* PSA Crypto API always writes the authentication tag 1354 * at the end of the encrypted message. */ 1355 if( output == NULL || tag != output + ilen ) 1356 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1357 1358 status = psa_aead_encrypt( cipher_psa->slot, 1359 cipher_psa->alg, 1360 iv, iv_len, 1361 ad, ad_len, 1362 input, ilen, 1363 output, ilen + tag_len, olen ); 1364 if( status != PSA_SUCCESS ) 1365 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1366 1367 *olen -= tag_len; 1368 return( 0 ); 1369 } 1370 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1371 1372 #if defined(MBEDTLS_GCM_C) 1373 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 1374 { 1375 *olen = ilen; 1376 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, 1377 ilen, iv, iv_len, ad, ad_len, 1378 input, output, tag_len, tag ) ); 1379 } 1380 #endif /* MBEDTLS_GCM_C */ 1381 #if defined(MBEDTLS_CCM_C) 1382 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode ) 1383 { 1384 *olen = ilen; 1385 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen, 1386 iv, iv_len, ad, ad_len, input, output, 1387 tag, tag_len ) ); 1388 } 1389 #endif /* MBEDTLS_CCM_C */ 1390 #if defined(MBEDTLS_CHACHAPOLY_C) 1391 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) 1392 { 1393 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1394 if ( ( iv_len != ctx->cipher_info->iv_size ) || 1395 ( tag_len != 16U ) ) 1396 { 1397 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1398 } 1399 1400 *olen = ilen; 1401 return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx, 1402 ilen, iv, ad, ad_len, input, output, tag ) ); 1403 } 1404 #endif /* MBEDTLS_CHACHAPOLY_C */ 1405 1406 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1407 } 1408 1409 /* 1410 * Packet-oriented encryption for AEAD modes: internal function shared by 1411 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext(). 1412 */ 1413 static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx, 1414 const unsigned char *iv, size_t iv_len, 1415 const unsigned char *ad, size_t ad_len, 1416 const unsigned char *input, size_t ilen, 1417 unsigned char *output, size_t *olen, 1418 const unsigned char *tag, size_t tag_len ) 1419 { 1420 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1421 if( ctx->psa_enabled == 1 ) 1422 { 1423 /* As in the non-PSA case, we don't check that 1424 * a key has been set. If not, the key slot will 1425 * still be in its default state of 0, which is 1426 * guaranteed to be invalid, hence the PSA-call 1427 * below will gracefully fail. */ 1428 mbedtls_cipher_context_psa * const cipher_psa = 1429 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1430 1431 psa_status_t status; 1432 1433 /* PSA Crypto API always writes the authentication tag 1434 * at the end of the encrypted message. */ 1435 if( input == NULL || tag != input + ilen ) 1436 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1437 1438 status = psa_aead_decrypt( cipher_psa->slot, 1439 cipher_psa->alg, 1440 iv, iv_len, 1441 ad, ad_len, 1442 input, ilen + tag_len, 1443 output, ilen, olen ); 1444 if( status == PSA_ERROR_INVALID_SIGNATURE ) 1445 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); 1446 else if( status != PSA_SUCCESS ) 1447 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED ); 1448 1449 return( 0 ); 1450 } 1451 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1452 1453 #if defined(MBEDTLS_GCM_C) 1454 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 1455 { 1456 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1457 1458 *olen = ilen; 1459 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen, 1460 iv, iv_len, ad, ad_len, 1461 tag, tag_len, input, output ); 1462 1463 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED ) 1464 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1465 1466 return( ret ); 1467 } 1468 #endif /* MBEDTLS_GCM_C */ 1469 #if defined(MBEDTLS_CCM_C) 1470 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode ) 1471 { 1472 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1473 1474 *olen = ilen; 1475 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen, 1476 iv, iv_len, ad, ad_len, 1477 input, output, tag, tag_len ); 1478 1479 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED ) 1480 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1481 1482 return( ret ); 1483 } 1484 #endif /* MBEDTLS_CCM_C */ 1485 #if defined(MBEDTLS_CHACHAPOLY_C) 1486 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) 1487 { 1488 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1489 1490 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1491 if ( ( iv_len != ctx->cipher_info->iv_size ) || 1492 ( tag_len != 16U ) ) 1493 { 1494 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1495 } 1496 1497 *olen = ilen; 1498 ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen, 1499 iv, ad, ad_len, tag, input, output ); 1500 1501 if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED ) 1502 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1503 1504 return( ret ); 1505 } 1506 #endif /* MBEDTLS_CHACHAPOLY_C */ 1507 1508 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1509 } 1510 1511 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1512 /* 1513 * Packet-oriented encryption for AEAD modes: public legacy function. 1514 */ 1515 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, 1516 const unsigned char *iv, size_t iv_len, 1517 const unsigned char *ad, size_t ad_len, 1518 const unsigned char *input, size_t ilen, 1519 unsigned char *output, size_t *olen, 1520 unsigned char *tag, size_t tag_len ) 1521 { 1522 CIPHER_VALIDATE_RET( ctx != NULL ); 1523 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 1524 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); 1525 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 1526 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL ); 1527 CIPHER_VALIDATE_RET( olen != NULL ); 1528 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); 1529 1530 return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len, 1531 input, ilen, output, olen, 1532 tag, tag_len ) ); 1533 } 1534 1535 /* 1536 * Packet-oriented decryption for AEAD modes: public legacy function. 1537 */ 1538 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, 1539 const unsigned char *iv, size_t iv_len, 1540 const unsigned char *ad, size_t ad_len, 1541 const unsigned char *input, size_t ilen, 1542 unsigned char *output, size_t *olen, 1543 const unsigned char *tag, size_t tag_len ) 1544 { 1545 CIPHER_VALIDATE_RET( ctx != NULL ); 1546 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 1547 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); 1548 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 1549 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL ); 1550 CIPHER_VALIDATE_RET( olen != NULL ); 1551 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL ); 1552 1553 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len, 1554 input, ilen, output, olen, 1555 tag, tag_len ) ); 1556 } 1557 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 1558 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1559 1560 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) 1561 /* 1562 * Packet-oriented encryption for AEAD/NIST_KW: public function. 1563 */ 1564 int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx, 1565 const unsigned char *iv, size_t iv_len, 1566 const unsigned char *ad, size_t ad_len, 1567 const unsigned char *input, size_t ilen, 1568 unsigned char *output, size_t output_len, 1569 size_t *olen, size_t tag_len ) 1570 { 1571 CIPHER_VALIDATE_RET( ctx != NULL ); 1572 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 1573 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); 1574 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 1575 CIPHER_VALIDATE_RET( output != NULL ); 1576 CIPHER_VALIDATE_RET( olen != NULL ); 1577 1578 #if defined(MBEDTLS_NIST_KW_C) 1579 if( 1580 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1581 ctx->psa_enabled == 0 && 1582 #endif 1583 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode || 1584 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) ) 1585 { 1586 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? 1587 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1588 1589 /* There is no iv, tag or ad associated with KW and KWP, 1590 * so these length should be 0 as documented. */ 1591 if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) 1592 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1593 1594 (void) iv; 1595 (void) ad; 1596 1597 return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, 1598 output, olen, output_len ) ); 1599 } 1600 #endif /* MBEDTLS_NIST_KW_C */ 1601 1602 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1603 /* AEAD case: check length before passing on to shared function */ 1604 if( output_len < ilen + tag_len ) 1605 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1606 1607 int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len, 1608 input, ilen, output, olen, 1609 output + ilen, tag_len ); 1610 *olen += tag_len; 1611 return( ret ); 1612 #else 1613 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1614 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1615 } 1616 1617 /* 1618 * Packet-oriented decryption for AEAD/NIST_KW: public function. 1619 */ 1620 int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx, 1621 const unsigned char *iv, size_t iv_len, 1622 const unsigned char *ad, size_t ad_len, 1623 const unsigned char *input, size_t ilen, 1624 unsigned char *output, size_t output_len, 1625 size_t *olen, size_t tag_len ) 1626 { 1627 CIPHER_VALIDATE_RET( ctx != NULL ); 1628 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL ); 1629 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL ); 1630 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); 1631 CIPHER_VALIDATE_RET( output_len == 0 || output != NULL ); 1632 CIPHER_VALIDATE_RET( olen != NULL ); 1633 1634 #if defined(MBEDTLS_NIST_KW_C) 1635 if( 1636 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1637 ctx->psa_enabled == 0 && 1638 #endif 1639 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode || 1640 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) ) 1641 { 1642 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? 1643 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1644 1645 /* There is no iv, tag or ad associated with KW and KWP, 1646 * so these length should be 0 as documented. */ 1647 if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) 1648 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1649 1650 (void) iv; 1651 (void) ad; 1652 1653 return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen, 1654 output, olen, output_len ) ); 1655 } 1656 #endif /* MBEDTLS_NIST_KW_C */ 1657 1658 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1659 /* AEAD case: check length before passing on to shared function */ 1660 if( ilen < tag_len || output_len < ilen - tag_len ) 1661 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 1662 1663 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len, 1664 input, ilen - tag_len, output, olen, 1665 input + ilen - tag_len, tag_len ) ); 1666 #else 1667 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 1668 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1669 } 1670 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ 1671 1672 #endif /* MBEDTLS_CIPHER_C */ 1673