1 /** 2 * \file cipher.c 3 * 4 * \brief Generic cipher wrapper for Mbed TLS 5 * 6 * \author Adriaan de Jong <dejong@fox-it.com> 7 * 8 * Copyright The Mbed TLS Contributors 9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 10 */ 11 12 #include "common.h" 13 14 #if defined(MBEDTLS_CIPHER_C) 15 16 #include "mbedtls/cipher.h" 17 #include "cipher_wrap.h" 18 #include "mbedtls/platform_util.h" 19 #include "mbedtls/error.h" 20 #include "mbedtls/constant_time.h" 21 #include "constant_time_internal.h" 22 23 #include <stdlib.h> 24 #include <string.h> 25 26 #if defined(MBEDTLS_CHACHAPOLY_C) 27 #include "mbedtls/chachapoly.h" 28 #endif 29 30 #if defined(MBEDTLS_GCM_C) 31 #include "mbedtls/gcm.h" 32 #endif 33 34 #if defined(MBEDTLS_CCM_C) 35 #include "mbedtls/ccm.h" 36 #endif 37 38 #if defined(MBEDTLS_CHACHA20_C) 39 #include "mbedtls/chacha20.h" 40 #endif 41 42 #if defined(MBEDTLS_CMAC_C) 43 #include "mbedtls/cmac.h" 44 #endif 45 46 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 47 #include "psa/crypto.h" 48 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 49 50 #if defined(MBEDTLS_NIST_KW_C) 51 #include "mbedtls/nist_kw.h" 52 #endif 53 54 #include "mbedtls/platform.h" 55 56 static int supported_init = 0; 57 58 static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base( 59 const mbedtls_cipher_info_t *info) 60 { 61 return mbedtls_cipher_base_lookup_table[info->base_idx]; 62 } 63 64 const int *mbedtls_cipher_list(void) 65 { 66 const mbedtls_cipher_definition_t *def; 67 int *type; 68 69 if (!supported_init) { 70 def = mbedtls_cipher_definitions; 71 type = mbedtls_cipher_supported; 72 73 while (def->type != 0) { 74 *type++ = (*def++).type; 75 } 76 77 *type = 0; 78 79 supported_init = 1; 80 } 81 82 return mbedtls_cipher_supported; 83 } 84 85 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( 86 const mbedtls_cipher_type_t cipher_type) 87 { 88 const mbedtls_cipher_definition_t *def; 89 90 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 91 if (def->type == cipher_type) { 92 return def->info; 93 } 94 } 95 96 return NULL; 97 } 98 99 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( 100 const char *cipher_name) 101 { 102 const mbedtls_cipher_definition_t *def; 103 104 if (NULL == cipher_name) { 105 return NULL; 106 } 107 108 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 109 if (!strcmp(def->info->name, cipher_name)) { 110 return def->info; 111 } 112 } 113 114 return NULL; 115 } 116 117 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( 118 const mbedtls_cipher_id_t cipher_id, 119 int key_bitlen, 120 const mbedtls_cipher_mode_t mode) 121 { 122 const mbedtls_cipher_definition_t *def; 123 124 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 125 if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id && 126 mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen && 127 def->info->mode == mode) { 128 return def->info; 129 } 130 } 131 132 return NULL; 133 } 134 135 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 136 static inline psa_key_type_t mbedtls_psa_translate_cipher_type( 137 mbedtls_cipher_type_t cipher) 138 { 139 switch (cipher) { 140 case MBEDTLS_CIPHER_AES_128_CCM: 141 case MBEDTLS_CIPHER_AES_192_CCM: 142 case MBEDTLS_CIPHER_AES_256_CCM: 143 case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG: 144 case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG: 145 case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG: 146 case MBEDTLS_CIPHER_AES_128_GCM: 147 case MBEDTLS_CIPHER_AES_192_GCM: 148 case MBEDTLS_CIPHER_AES_256_GCM: 149 case MBEDTLS_CIPHER_AES_128_CBC: 150 case MBEDTLS_CIPHER_AES_192_CBC: 151 case MBEDTLS_CIPHER_AES_256_CBC: 152 case MBEDTLS_CIPHER_AES_128_ECB: 153 case MBEDTLS_CIPHER_AES_192_ECB: 154 case MBEDTLS_CIPHER_AES_256_ECB: 155 return PSA_KEY_TYPE_AES; 156 157 /* ARIA not yet supported in PSA. */ 158 /* case MBEDTLS_CIPHER_ARIA_128_CCM: 159 case MBEDTLS_CIPHER_ARIA_192_CCM: 160 case MBEDTLS_CIPHER_ARIA_256_CCM: 161 case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG: 162 case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG: 163 case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG: 164 case MBEDTLS_CIPHER_ARIA_128_GCM: 165 case MBEDTLS_CIPHER_ARIA_192_GCM: 166 case MBEDTLS_CIPHER_ARIA_256_GCM: 167 case MBEDTLS_CIPHER_ARIA_128_CBC: 168 case MBEDTLS_CIPHER_ARIA_192_CBC: 169 case MBEDTLS_CIPHER_ARIA_256_CBC: 170 return( PSA_KEY_TYPE_ARIA ); */ 171 172 default: 173 return 0; 174 } 175 } 176 177 static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode( 178 mbedtls_cipher_mode_t mode, size_t taglen) 179 { 180 switch (mode) { 181 case MBEDTLS_MODE_ECB: 182 return PSA_ALG_ECB_NO_PADDING; 183 case MBEDTLS_MODE_GCM: 184 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen); 185 case MBEDTLS_MODE_CCM: 186 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen); 187 case MBEDTLS_MODE_CCM_STAR_NO_TAG: 188 return PSA_ALG_CCM_STAR_NO_TAG; 189 case MBEDTLS_MODE_CBC: 190 if (taglen == 0) { 191 return PSA_ALG_CBC_NO_PADDING; 192 } else { 193 return 0; 194 } 195 default: 196 return 0; 197 } 198 } 199 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 200 201 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx) 202 { 203 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 204 } 205 206 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx) 207 { 208 if (ctx == NULL) { 209 return; 210 } 211 212 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 213 if (ctx->psa_enabled == 1) { 214 if (ctx->cipher_ctx != NULL) { 215 mbedtls_cipher_context_psa * const cipher_psa = 216 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 217 218 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) { 219 /* xxx_free() doesn't allow to return failures. */ 220 (void) psa_destroy_key(cipher_psa->slot); 221 } 222 223 mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa)); 224 } 225 226 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 227 return; 228 } 229 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 230 231 #if defined(MBEDTLS_CMAC_C) 232 if (ctx->cmac_ctx) { 233 mbedtls_zeroize_and_free(ctx->cmac_ctx, 234 sizeof(mbedtls_cmac_context_t)); 235 } 236 #endif 237 238 if (ctx->cipher_ctx) { 239 mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx); 240 } 241 242 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 243 } 244 245 int mbedtls_cipher_clone(mbedtls_cipher_context_t *dst, 246 const mbedtls_cipher_context_t *src) 247 { 248 if (dst == NULL || dst->cipher_info == NULL || 249 src == NULL || src->cipher_info == NULL) { 250 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 251 } 252 253 dst->cipher_info = src->cipher_info; 254 dst->key_bitlen = src->key_bitlen; 255 dst->operation = src->operation; 256 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 257 dst->add_padding = src->add_padding; 258 dst->get_padding = src->get_padding; 259 #endif 260 memcpy(dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH); 261 dst->unprocessed_len = src->unprocessed_len; 262 memcpy(dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH); 263 dst->iv_size = src->iv_size; 264 if (mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func) 265 mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func(dst->cipher_ctx, src->cipher_ctx); 266 267 #if defined(MBEDTLS_CMAC_C) 268 if (dst->cmac_ctx != NULL && src->cmac_ctx != NULL) 269 memcpy(dst->cmac_ctx, src->cmac_ctx, sizeof(mbedtls_cmac_context_t)); 270 #endif 271 return 0; 272 } 273 274 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, 275 const mbedtls_cipher_info_t *cipher_info) 276 { 277 if (cipher_info == NULL) { 278 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 279 } 280 281 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 282 283 if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) { 284 ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func(); 285 if (ctx->cipher_ctx == NULL) { 286 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 287 } 288 } 289 290 ctx->cipher_info = cipher_info; 291 292 return 0; 293 } 294 295 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 296 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx, 297 const mbedtls_cipher_info_t *cipher_info, 298 size_t taglen) 299 { 300 psa_algorithm_t alg; 301 mbedtls_cipher_context_psa *cipher_psa; 302 303 if (NULL == cipher_info || NULL == ctx) { 304 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 305 } 306 307 /* Check that the underlying cipher mode and cipher type are 308 * supported by the underlying PSA Crypto implementation. */ 309 alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen); 310 if (alg == 0) { 311 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 312 } 313 if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) { 314 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 315 } 316 317 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 318 319 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa)); 320 if (cipher_psa == NULL) { 321 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 322 } 323 cipher_psa->alg = alg; 324 ctx->cipher_ctx = cipher_psa; 325 ctx->cipher_info = cipher_info; 326 ctx->psa_enabled = 1; 327 return 0; 328 } 329 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 330 331 int mbedtls_cipher_setup_info(mbedtls_cipher_context_t *ctx, 332 const mbedtls_cipher_info_t *cipher_info ) 333 { 334 if (NULL == cipher_info || NULL == ctx) 335 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 336 337 ctx->cipher_info = cipher_info; 338 return 0; 339 } 340 341 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, 342 const unsigned char *key, 343 int key_bitlen, 344 const mbedtls_operation_t operation) 345 { 346 if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) { 347 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 348 } 349 if (ctx->cipher_info == NULL) { 350 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 351 } 352 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 353 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) && 354 MBEDTLS_DECRYPT == operation) { 355 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 356 } 357 #endif 358 359 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 360 if (ctx->psa_enabled == 1) { 361 mbedtls_cipher_context_psa * const cipher_psa = 362 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 363 364 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8; 365 366 psa_status_t status; 367 psa_key_type_t key_type; 368 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 369 370 /* PSA Crypto API only accepts byte-aligned keys. */ 371 if (key_bitlen % 8 != 0) { 372 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 373 } 374 375 /* Don't allow keys to be set multiple times. */ 376 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) { 377 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 378 } 379 380 key_type = mbedtls_psa_translate_cipher_type( 381 ((mbedtls_cipher_type_t) ctx->cipher_info->type)); 382 if (key_type == 0) { 383 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 384 } 385 psa_set_key_type(&attributes, key_type); 386 387 /* Mbed TLS' cipher layer doesn't enforce the mode of operation 388 * (encrypt vs. decrypt): it is possible to setup a key for encryption 389 * and use it for AEAD decryption. Until tests relying on this 390 * are changed, allow any usage in PSA. */ 391 psa_set_key_usage_flags(&attributes, 392 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 393 psa_set_key_algorithm(&attributes, cipher_psa->alg); 394 395 status = psa_import_key(&attributes, key, key_bytelen, 396 &cipher_psa->slot); 397 switch (status) { 398 case PSA_SUCCESS: 399 break; 400 case PSA_ERROR_INSUFFICIENT_MEMORY: 401 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 402 case PSA_ERROR_NOT_SUPPORTED: 403 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 404 default: 405 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 406 } 407 /* Indicate that we own the key slot and need to 408 * destroy it in mbedtls_cipher_free(). */ 409 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED; 410 411 ctx->key_bitlen = key_bitlen; 412 ctx->operation = operation; 413 return 0; 414 } 415 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 416 417 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 && 418 (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) { 419 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 420 } 421 422 ctx->key_bitlen = key_bitlen; 423 ctx->operation = operation; 424 425 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 426 /* 427 * For OFB, CFB and CTR mode always use the encryption key schedule 428 */ 429 if (MBEDTLS_ENCRYPT == operation || 430 MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 431 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 432 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 433 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, 434 ctx->key_bitlen); 435 } 436 437 if (MBEDTLS_DECRYPT == operation) { 438 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key, 439 ctx->key_bitlen); 440 } 441 #else 442 if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) { 443 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, 444 ctx->key_bitlen); 445 } 446 #endif 447 448 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 449 } 450 451 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx, 452 const unsigned char *iv, 453 size_t iv_len) 454 { 455 size_t actual_iv_size; 456 457 if (ctx->cipher_info == NULL) { 458 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 459 } 460 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 461 if (ctx->psa_enabled == 1) { 462 /* While PSA Crypto has an API for multipart 463 * operations, we currently don't make it 464 * accessible through the cipher layer. */ 465 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 466 } 467 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 468 469 /* avoid buffer overflow in ctx->iv */ 470 if (iv_len > MBEDTLS_MAX_IV_LENGTH) { 471 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 472 } 473 474 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) { 475 actual_iv_size = iv_len; 476 } else { 477 actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info); 478 479 /* avoid reading past the end of input buffer */ 480 if (actual_iv_size > iv_len) { 481 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 482 } 483 } 484 485 #if defined(MBEDTLS_CHACHA20_C) 486 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) { 487 /* Even though the actual_iv_size is overwritten with a correct value 488 * of 12 from the cipher info, return an error to indicate that 489 * the input iv_len is wrong. */ 490 if (iv_len != 12) { 491 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 492 } 493 494 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx, 495 iv, 496 0U)) { /* Initial counter value */ 497 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 498 } 499 } 500 #if defined(MBEDTLS_CHACHAPOLY_C) 501 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 && 502 iv_len != 12) { 503 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 504 } 505 #endif 506 #endif 507 508 #if defined(MBEDTLS_GCM_C) 509 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 510 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, 511 ctx->operation, 512 iv, iv_len); 513 } 514 #endif 515 516 #if defined(MBEDTLS_CCM_C) 517 if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 518 int set_lengths_result; 519 int ccm_star_mode; 520 521 set_lengths_result = mbedtls_ccm_set_lengths( 522 (mbedtls_ccm_context *) ctx->cipher_ctx, 523 0, 0, 0); 524 if (set_lengths_result != 0) { 525 return set_lengths_result; 526 } 527 528 if (ctx->operation == MBEDTLS_DECRYPT) { 529 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT; 530 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 531 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT; 532 } else { 533 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 534 } 535 536 return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx, 537 ccm_star_mode, 538 iv, iv_len); 539 } 540 #endif 541 542 if (actual_iv_size != 0) { 543 memcpy(ctx->iv, iv, actual_iv_size); 544 ctx->iv_size = actual_iv_size; 545 } 546 547 return 0; 548 } 549 550 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx) 551 { 552 if (ctx->cipher_info == NULL) { 553 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 554 } 555 556 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 557 if (ctx->psa_enabled == 1) { 558 /* We don't support resetting PSA-based 559 * cipher contexts, yet. */ 560 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 561 } 562 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 563 564 ctx->unprocessed_len = 0; 565 566 return 0; 567 } 568 569 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 570 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx, 571 const unsigned char *ad, size_t ad_len) 572 { 573 if (ctx->cipher_info == NULL) { 574 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 575 } 576 577 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 578 if (ctx->psa_enabled == 1) { 579 /* While PSA Crypto has an API for multipart 580 * operations, we currently don't make it 581 * accessible through the cipher layer. */ 582 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 583 } 584 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 585 586 #if defined(MBEDTLS_GCM_C) 587 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 588 return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx, 589 ad, ad_len); 590 } 591 #endif 592 593 #if defined(MBEDTLS_CHACHAPOLY_C) 594 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 595 int result; 596 mbedtls_chachapoly_mode_t mode; 597 598 mode = (ctx->operation == MBEDTLS_ENCRYPT) 599 ? MBEDTLS_CHACHAPOLY_ENCRYPT 600 : MBEDTLS_CHACHAPOLY_DECRYPT; 601 602 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx, 603 ctx->iv, 604 mode); 605 if (result != 0) { 606 return result; 607 } 608 609 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx, 610 ad, ad_len); 611 } 612 #endif 613 614 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 615 } 616 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 617 618 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, 619 size_t ilen, unsigned char *output, size_t *olen) 620 { 621 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 622 size_t block_size; 623 624 if (ctx->cipher_info == NULL) { 625 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 626 } 627 628 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 629 if (ctx->psa_enabled == 1) { 630 /* While PSA Crypto has an API for multipart 631 * operations, we currently don't make it 632 * accessible through the cipher layer. */ 633 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 634 } 635 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 636 637 *olen = 0; 638 block_size = mbedtls_cipher_get_block_size(ctx); 639 if (0 == block_size) { 640 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; 641 } 642 643 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) { 644 if (ilen != block_size) { 645 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 646 } 647 648 *olen = ilen; 649 650 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx, 651 ctx->operation, input, 652 output))) { 653 return ret; 654 } 655 656 return 0; 657 } 658 659 #if defined(MBEDTLS_GCM_C) 660 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) { 661 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, 662 input, ilen, 663 output, ilen, olen); 664 } 665 #endif 666 667 #if defined(MBEDTLS_CCM_C) 668 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) { 669 return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx, 670 input, ilen, 671 output, ilen, olen); 672 } 673 #endif 674 675 #if defined(MBEDTLS_CHACHAPOLY_C) 676 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) { 677 *olen = ilen; 678 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx, 679 ilen, input, output); 680 } 681 #endif 682 683 if (input == output && 684 (ctx->unprocessed_len != 0 || ilen % block_size)) { 685 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 686 } 687 688 #if defined(MBEDTLS_CIPHER_MODE_CBC) 689 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) { 690 size_t copy_len = 0; 691 692 /* 693 * If there is not enough data for a full block, cache it. 694 */ 695 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 696 ilen <= block_size - ctx->unprocessed_len) || 697 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 698 ilen < block_size - ctx->unprocessed_len) || 699 (ctx->operation == MBEDTLS_ENCRYPT && 700 ilen < block_size - ctx->unprocessed_len)) { 701 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 702 ilen); 703 704 ctx->unprocessed_len += ilen; 705 return 0; 706 } 707 708 /* 709 * Process cached data first 710 */ 711 if (0 != ctx->unprocessed_len) { 712 copy_len = block_size - ctx->unprocessed_len; 713 714 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 715 copy_len); 716 717 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 718 ctx->operation, 719 block_size, ctx->iv, 720 ctx-> 721 unprocessed_data, 722 output))) { 723 return ret; 724 } 725 726 *olen += block_size; 727 output += block_size; 728 ctx->unprocessed_len = 0; 729 730 input += copy_len; 731 ilen -= copy_len; 732 } 733 734 /* 735 * Cache final, incomplete block 736 */ 737 if (0 != ilen) { 738 /* Encryption: only cache partial blocks 739 * Decryption w/ padding: always keep at least one whole block 740 * Decryption w/o padding: only cache partial blocks 741 */ 742 copy_len = ilen % block_size; 743 if (copy_len == 0 && 744 ctx->operation == MBEDTLS_DECRYPT && 745 NULL != ctx->add_padding) { 746 copy_len = block_size; 747 } 748 749 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]), 750 copy_len); 751 752 ctx->unprocessed_len += copy_len; 753 ilen -= copy_len; 754 } 755 756 /* 757 * Process remaining full blocks 758 */ 759 if (ilen) { 760 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 761 ctx->operation, 762 ilen, ctx->iv, 763 input, 764 output))) { 765 return ret; 766 } 767 768 *olen += ilen; 769 } 770 771 return 0; 772 } 773 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 774 775 #if defined(MBEDTLS_CIPHER_MODE_CFB) 776 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) { 777 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx, 778 ctx->operation, ilen, 779 &ctx->unprocessed_len, 780 ctx->iv, 781 input, output))) { 782 return ret; 783 } 784 785 *olen = ilen; 786 787 return 0; 788 } 789 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 790 791 #if defined(MBEDTLS_CIPHER_MODE_OFB) 792 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) { 793 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx, 794 ilen, 795 &ctx->unprocessed_len, 796 ctx->iv, 797 input, output))) { 798 return ret; 799 } 800 801 *olen = ilen; 802 803 return 0; 804 } 805 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 806 807 #if defined(MBEDTLS_CIPHER_MODE_CTR) 808 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) { 809 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx, 810 ilen, 811 &ctx->unprocessed_len, 812 ctx->iv, 813 ctx->unprocessed_data, 814 input, output))) { 815 return ret; 816 } 817 818 *olen = ilen; 819 820 return 0; 821 } 822 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 823 824 #if defined(MBEDTLS_CIPHER_MODE_XTS) 825 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) { 826 if (ctx->unprocessed_len > 0) { 827 /* We can only process an entire data unit at a time. */ 828 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 829 } 830 831 ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx, 832 ctx->operation, 833 ilen, 834 ctx->iv, 835 input, 836 output); 837 if (ret != 0) { 838 return ret; 839 } 840 841 *olen = ilen; 842 843 return 0; 844 } 845 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 846 847 #if defined(MBEDTLS_CIPHER_MODE_STREAM) 848 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) { 849 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx, 850 ilen, input, 851 output))) { 852 return ret; 853 } 854 855 *olen = ilen; 856 857 return 0; 858 } 859 #endif /* MBEDTLS_CIPHER_MODE_STREAM */ 860 861 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 862 } 863 864 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 865 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 866 /* 867 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 868 */ 869 static void add_pkcs_padding(unsigned char *output, size_t output_len, 870 size_t data_len) 871 { 872 size_t padding_len = output_len - data_len; 873 unsigned char i; 874 875 for (i = 0; i < padding_len; i++) { 876 output[data_len + i] = (unsigned char) padding_len; 877 } 878 } 879 880 static int get_pkcs_padding(unsigned char *input, size_t input_len, 881 size_t *data_len) 882 { 883 size_t i, pad_idx; 884 unsigned char padding_len; 885 886 if (NULL == input || NULL == data_len) { 887 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 888 } 889 890 padding_len = input[input_len - 1]; 891 if (padding_len == 0 || padding_len > input_len) { 892 return MBEDTLS_ERR_CIPHER_INVALID_PADDING; 893 } 894 *data_len = input_len - padding_len; 895 896 mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len); 897 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); 898 899 /* The number of bytes checked must be independent of padding_len, 900 * so pick input_len, which is usually 8 or 16 (one block) */ 901 pad_idx = input_len - padding_len; 902 for (i = 0; i < input_len; i++) { 903 mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx); 904 mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len); 905 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different)); 906 } 907 908 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 909 } 910 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 911 912 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 913 /* 914 * One and zeros padding: fill with 80 00 ... 00 915 */ 916 static void add_one_and_zeros_padding(unsigned char *output, 917 size_t output_len, size_t data_len) 918 { 919 size_t padding_len = output_len - data_len; 920 unsigned char i = 0; 921 922 output[data_len] = 0x80; 923 for (i = 1; i < padding_len; i++) { 924 output[data_len + i] = 0x00; 925 } 926 } 927 928 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len, 929 size_t *data_len) 930 { 931 if (NULL == input || NULL == data_len) { 932 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 933 } 934 935 mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE; 936 mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE; 937 938 *data_len = 0; 939 940 for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) { 941 mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]); 942 943 mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding); 944 945 *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len); 946 947 bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad); 948 949 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero)); 950 } 951 952 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 953 } 954 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 955 956 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 957 /* 958 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 959 */ 960 static void add_zeros_and_len_padding(unsigned char *output, 961 size_t output_len, size_t data_len) 962 { 963 size_t padding_len = output_len - data_len; 964 unsigned char i = 0; 965 966 for (i = 1; i < padding_len; i++) { 967 output[data_len + i - 1] = 0x00; 968 } 969 output[output_len - 1] = (unsigned char) padding_len; 970 } 971 972 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len, 973 size_t *data_len) 974 { 975 size_t i, pad_idx; 976 unsigned char padding_len; 977 mbedtls_ct_condition_t bad; 978 979 if (NULL == input || NULL == data_len) { 980 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 981 } 982 983 padding_len = input[input_len - 1]; 984 *data_len = input_len - padding_len; 985 986 /* Avoid logical || since it results in a branch */ 987 bad = mbedtls_ct_uint_gt(padding_len, input_len); 988 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); 989 990 /* The number of bytes checked must be independent of padding_len */ 991 pad_idx = input_len - padding_len; 992 for (i = 0; i < input_len - 1; i++) { 993 mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx); 994 mbedtls_ct_condition_t nonzero_pad_byte; 995 nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i])); 996 bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte); 997 } 998 999 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 1000 } 1001 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 1002 1003 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1004 /* 1005 * Zero padding: fill with 00 ... 00 1006 */ 1007 static void add_zeros_padding(unsigned char *output, 1008 size_t output_len, size_t data_len) 1009 { 1010 memset(output + data_len, 0, output_len - data_len); 1011 } 1012 1013 static int get_zeros_padding(unsigned char *input, size_t input_len, 1014 size_t *data_len) 1015 { 1016 size_t i; 1017 mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done; 1018 1019 if (NULL == input || NULL == data_len) { 1020 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1021 } 1022 1023 *data_len = 0; 1024 for (i = input_len; i > 0; i--) { 1025 prev_done = done; 1026 done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0)); 1027 *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len); 1028 } 1029 1030 return 0; 1031 } 1032 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 1033 1034 /* 1035 * No padding: don't pad :) 1036 * 1037 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 1038 * but a trivial get_padding function 1039 */ 1040 static int get_no_padding(unsigned char *input, size_t input_len, 1041 size_t *data_len) 1042 { 1043 if (NULL == input || NULL == data_len) { 1044 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1045 } 1046 1047 *data_len = input_len; 1048 1049 return 0; 1050 } 1051 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1052 1053 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx, 1054 unsigned char *output, size_t *olen) 1055 { 1056 if (ctx->cipher_info == NULL) { 1057 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1058 } 1059 1060 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1061 if (ctx->psa_enabled == 1) { 1062 /* While PSA Crypto has an API for multipart 1063 * operations, we currently don't make it 1064 * accessible through the cipher layer. */ 1065 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1066 } 1067 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1068 1069 *olen = 0; 1070 1071 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1072 /* CBC mode requires padding so we make sure a call to 1073 * mbedtls_cipher_set_padding_mode has been done successfully. */ 1074 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1075 if (ctx->get_padding == NULL) { 1076 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1077 } 1078 } 1079 #endif 1080 1081 if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1082 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1083 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1084 MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1085 MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1086 MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1087 MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1088 return 0; 1089 } 1090 1091 if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) || 1092 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) { 1093 return 0; 1094 } 1095 1096 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1097 if (ctx->unprocessed_len != 0) { 1098 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1099 } 1100 1101 return 0; 1102 } 1103 1104 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1105 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1106 int ret = 0; 1107 1108 if (MBEDTLS_ENCRYPT == ctx->operation) { 1109 /* check for 'no padding' mode */ 1110 if (NULL == ctx->add_padding) { 1111 if (0 != ctx->unprocessed_len) { 1112 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1113 } 1114 1115 return 0; 1116 } 1117 1118 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx), 1119 ctx->unprocessed_len); 1120 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) { 1121 /* 1122 * For decrypt operations, expect a full block, 1123 * or an empty block if no padding 1124 */ 1125 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) { 1126 return 0; 1127 } 1128 1129 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1130 } 1131 1132 /* cipher block */ 1133 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 1134 ctx->operation, 1135 mbedtls_cipher_get_block_size( 1136 ctx), 1137 ctx->iv, 1138 ctx->unprocessed_data, 1139 output))) { 1140 return ret; 1141 } 1142 1143 /* Set output size for decryption */ 1144 if (MBEDTLS_DECRYPT == ctx->operation) { 1145 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx), 1146 olen); 1147 } 1148 1149 /* Set output size for encryption */ 1150 *olen = mbedtls_cipher_get_block_size(ctx); 1151 return 0; 1152 } 1153 #else 1154 ((void) output); 1155 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1156 1157 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1158 } 1159 1160 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1161 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, 1162 mbedtls_cipher_padding_t mode) 1163 { 1164 if (NULL == ctx->cipher_info || 1165 MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1166 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1167 } 1168 1169 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1170 if (ctx->psa_enabled == 1) { 1171 /* While PSA Crypto knows about CBC padding 1172 * schemes, we currently don't make them 1173 * accessible through the cipher layer. */ 1174 if (mode != MBEDTLS_PADDING_NONE) { 1175 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1176 } 1177 1178 return 0; 1179 } 1180 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1181 1182 switch (mode) { 1183 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 1184 case MBEDTLS_PADDING_PKCS7: 1185 ctx->add_padding = add_pkcs_padding; 1186 ctx->get_padding = get_pkcs_padding; 1187 break; 1188 #endif 1189 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 1190 case MBEDTLS_PADDING_ONE_AND_ZEROS: 1191 ctx->add_padding = add_one_and_zeros_padding; 1192 ctx->get_padding = get_one_and_zeros_padding; 1193 break; 1194 #endif 1195 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 1196 case MBEDTLS_PADDING_ZEROS_AND_LEN: 1197 ctx->add_padding = add_zeros_and_len_padding; 1198 ctx->get_padding = get_zeros_and_len_padding; 1199 break; 1200 #endif 1201 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1202 case MBEDTLS_PADDING_ZEROS: 1203 ctx->add_padding = add_zeros_padding; 1204 ctx->get_padding = get_zeros_padding; 1205 break; 1206 #endif 1207 case MBEDTLS_PADDING_NONE: 1208 ctx->add_padding = NULL; 1209 ctx->get_padding = get_no_padding; 1210 break; 1211 1212 default: 1213 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1214 } 1215 1216 return 0; 1217 } 1218 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1219 1220 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 1221 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx, 1222 unsigned char *tag, size_t tag_len) 1223 { 1224 if (ctx->cipher_info == NULL) { 1225 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1226 } 1227 1228 if (MBEDTLS_ENCRYPT != ctx->operation) { 1229 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1230 } 1231 1232 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1233 if (ctx->psa_enabled == 1) { 1234 /* While PSA Crypto has an API for multipart 1235 * operations, we currently don't make it 1236 * accessible through the cipher layer. */ 1237 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1238 } 1239 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1240 1241 #if defined(MBEDTLS_GCM_C) 1242 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1243 size_t output_length; 1244 /* The code here doesn't yet support alternative implementations 1245 * that can delay up to a block of output. */ 1246 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx, 1247 NULL, 0, &output_length, 1248 tag, tag_len); 1249 } 1250 #endif 1251 1252 #if defined(MBEDTLS_CHACHAPOLY_C) 1253 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1254 /* Don't allow truncated MAC for Poly1305 */ 1255 if (tag_len != 16U) { 1256 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1257 } 1258 1259 return mbedtls_chachapoly_finish( 1260 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag); 1261 } 1262 #endif 1263 1264 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1265 } 1266 1267 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx, 1268 const unsigned char *tag, size_t tag_len) 1269 { 1270 unsigned char check_tag[16]; 1271 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1272 1273 if (ctx->cipher_info == NULL) { 1274 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1275 } 1276 1277 if (MBEDTLS_DECRYPT != ctx->operation) { 1278 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1279 } 1280 1281 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1282 if (ctx->psa_enabled == 1) { 1283 /* While PSA Crypto has an API for multipart 1284 * operations, we currently don't make it 1285 * accessible through the cipher layer. */ 1286 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1287 } 1288 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1289 1290 /* Status to return on a non-authenticated algorithm. */ 1291 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1292 1293 #if defined(MBEDTLS_GCM_C) 1294 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1295 size_t output_length; 1296 /* The code here doesn't yet support alternative implementations 1297 * that can delay up to a block of output. */ 1298 1299 if (tag_len > sizeof(check_tag)) { 1300 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1301 } 1302 1303 if (0 != (ret = mbedtls_gcm_finish( 1304 (mbedtls_gcm_context *) ctx->cipher_ctx, 1305 NULL, 0, &output_length, 1306 check_tag, tag_len))) { 1307 return ret; 1308 } 1309 1310 /* Check the tag in "constant-time" */ 1311 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1312 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1313 goto exit; 1314 } 1315 } 1316 #endif /* MBEDTLS_GCM_C */ 1317 1318 #if defined(MBEDTLS_CHACHAPOLY_C) 1319 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1320 /* Don't allow truncated MAC for Poly1305 */ 1321 if (tag_len != sizeof(check_tag)) { 1322 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1323 } 1324 1325 ret = mbedtls_chachapoly_finish( 1326 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag); 1327 if (ret != 0) { 1328 return ret; 1329 } 1330 1331 /* Check the tag in "constant-time" */ 1332 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1333 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1334 goto exit; 1335 } 1336 } 1337 #endif /* MBEDTLS_CHACHAPOLY_C */ 1338 1339 exit: 1340 mbedtls_platform_zeroize(check_tag, tag_len); 1341 return ret; 1342 } 1343 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 1344 1345 /* 1346 * Packet-oriented wrapper for non-AEAD modes 1347 */ 1348 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, 1349 const unsigned char *iv, size_t iv_len, 1350 const unsigned char *input, size_t ilen, 1351 unsigned char *output, size_t *olen) 1352 { 1353 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1354 size_t finish_olen; 1355 1356 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1357 if (ctx->psa_enabled == 1) { 1358 /* As in the non-PSA case, we don't check that 1359 * a key has been set. If not, the key slot will 1360 * still be in its default state of 0, which is 1361 * guaranteed to be invalid, hence the PSA-call 1362 * below will gracefully fail. */ 1363 mbedtls_cipher_context_psa * const cipher_psa = 1364 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1365 1366 psa_status_t status; 1367 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; 1368 size_t part_len; 1369 1370 if (ctx->operation == MBEDTLS_DECRYPT) { 1371 status = psa_cipher_decrypt_setup(&cipher_op, 1372 cipher_psa->slot, 1373 cipher_psa->alg); 1374 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 1375 status = psa_cipher_encrypt_setup(&cipher_op, 1376 cipher_psa->slot, 1377 cipher_psa->alg); 1378 } else { 1379 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1380 } 1381 1382 /* In the following, we can immediately return on an error, 1383 * because the PSA Crypto API guarantees that cipher operations 1384 * are terminated by unsuccessful calls to psa_cipher_update(), 1385 * and by any call to psa_cipher_finish(). */ 1386 if (status != PSA_SUCCESS) { 1387 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1388 } 1389 1390 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) { 1391 status = psa_cipher_set_iv(&cipher_op, iv, iv_len); 1392 if (status != PSA_SUCCESS) { 1393 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1394 } 1395 } 1396 1397 status = psa_cipher_update(&cipher_op, 1398 input, ilen, 1399 output, ilen, olen); 1400 if (status != PSA_SUCCESS) { 1401 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1402 } 1403 1404 status = psa_cipher_finish(&cipher_op, 1405 output + *olen, ilen - *olen, 1406 &part_len); 1407 if (status != PSA_SUCCESS) { 1408 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1409 } 1410 1411 *olen += part_len; 1412 return 0; 1413 } 1414 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1415 1416 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) { 1417 return ret; 1418 } 1419 1420 if ((ret = mbedtls_cipher_reset(ctx)) != 0) { 1421 return ret; 1422 } 1423 1424 if ((ret = mbedtls_cipher_update(ctx, input, ilen, 1425 output, olen)) != 0) { 1426 return ret; 1427 } 1428 1429 if ((ret = mbedtls_cipher_finish(ctx, output + *olen, 1430 &finish_olen)) != 0) { 1431 return ret; 1432 } 1433 1434 *olen += finish_olen; 1435 1436 return 0; 1437 } 1438 1439 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1440 /* 1441 * Packet-oriented encryption for AEAD modes: internal function used by 1442 * mbedtls_cipher_auth_encrypt_ext(). 1443 */ 1444 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx, 1445 const unsigned char *iv, size_t iv_len, 1446 const unsigned char *ad, size_t ad_len, 1447 const unsigned char *input, size_t ilen, 1448 unsigned char *output, size_t *olen, 1449 unsigned char *tag, size_t tag_len) 1450 { 1451 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1452 if (ctx->psa_enabled == 1) { 1453 /* As in the non-PSA case, we don't check that 1454 * a key has been set. If not, the key slot will 1455 * still be in its default state of 0, which is 1456 * guaranteed to be invalid, hence the PSA-call 1457 * below will gracefully fail. */ 1458 mbedtls_cipher_context_psa * const cipher_psa = 1459 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1460 1461 psa_status_t status; 1462 1463 /* PSA Crypto API always writes the authentication tag 1464 * at the end of the encrypted message. */ 1465 if (output == NULL || tag != output + ilen) { 1466 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1467 } 1468 1469 status = psa_aead_encrypt(cipher_psa->slot, 1470 cipher_psa->alg, 1471 iv, iv_len, 1472 ad, ad_len, 1473 input, ilen, 1474 output, ilen + tag_len, olen); 1475 if (status != PSA_SUCCESS) { 1476 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1477 } 1478 1479 *olen -= tag_len; 1480 return 0; 1481 } 1482 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1483 1484 #if defined(MBEDTLS_GCM_C) 1485 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1486 *olen = ilen; 1487 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, 1488 ilen, iv, iv_len, ad, ad_len, 1489 input, output, tag_len, tag); 1490 } 1491 #endif /* MBEDTLS_GCM_C */ 1492 #if defined(MBEDTLS_CCM_C) 1493 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1494 *olen = ilen; 1495 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen, 1496 iv, iv_len, ad, ad_len, input, output, 1497 tag, tag_len); 1498 } 1499 #endif /* MBEDTLS_CCM_C */ 1500 #if defined(MBEDTLS_CHACHAPOLY_C) 1501 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1502 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1503 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || 1504 (tag_len != 16U)) { 1505 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1506 } 1507 1508 *olen = ilen; 1509 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx, 1510 ilen, iv, ad, ad_len, input, output, tag); 1511 } 1512 #endif /* MBEDTLS_CHACHAPOLY_C */ 1513 1514 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1515 } 1516 1517 /* 1518 * Packet-oriented encryption for AEAD modes: internal function used by 1519 * mbedtls_cipher_auth_encrypt_ext(). 1520 */ 1521 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx, 1522 const unsigned char *iv, size_t iv_len, 1523 const unsigned char *ad, size_t ad_len, 1524 const unsigned char *input, size_t ilen, 1525 unsigned char *output, size_t *olen, 1526 const unsigned char *tag, size_t tag_len) 1527 { 1528 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1529 if (ctx->psa_enabled == 1) { 1530 /* As in the non-PSA case, we don't check that 1531 * a key has been set. If not, the key slot will 1532 * still be in its default state of 0, which is 1533 * guaranteed to be invalid, hence the PSA-call 1534 * below will gracefully fail. */ 1535 mbedtls_cipher_context_psa * const cipher_psa = 1536 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1537 1538 psa_status_t status; 1539 1540 /* PSA Crypto API always writes the authentication tag 1541 * at the end of the encrypted message. */ 1542 if (input == NULL || tag != input + ilen) { 1543 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1544 } 1545 1546 status = psa_aead_decrypt(cipher_psa->slot, 1547 cipher_psa->alg, 1548 iv, iv_len, 1549 ad, ad_len, 1550 input, ilen + tag_len, 1551 output, ilen, olen); 1552 if (status == PSA_ERROR_INVALID_SIGNATURE) { 1553 return MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1554 } else if (status != PSA_SUCCESS) { 1555 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1556 } 1557 1558 return 0; 1559 } 1560 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1561 1562 #if defined(MBEDTLS_GCM_C) 1563 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1564 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1565 1566 *olen = ilen; 1567 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen, 1568 iv, iv_len, ad, ad_len, 1569 tag, tag_len, input, output); 1570 1571 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) { 1572 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1573 } 1574 1575 return ret; 1576 } 1577 #endif /* MBEDTLS_GCM_C */ 1578 #if defined(MBEDTLS_CCM_C) 1579 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1580 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1581 1582 *olen = ilen; 1583 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen, 1584 iv, iv_len, ad, ad_len, 1585 input, output, tag, tag_len); 1586 1587 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) { 1588 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1589 } 1590 1591 return ret; 1592 } 1593 #endif /* MBEDTLS_CCM_C */ 1594 #if defined(MBEDTLS_CHACHAPOLY_C) 1595 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1596 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1597 1598 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1599 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || 1600 (tag_len != 16U)) { 1601 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1602 } 1603 1604 *olen = ilen; 1605 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen, 1606 iv, ad, ad_len, tag, input, output); 1607 1608 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) { 1609 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1610 } 1611 1612 return ret; 1613 } 1614 #endif /* MBEDTLS_CHACHAPOLY_C */ 1615 1616 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1617 } 1618 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1619 1620 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) 1621 /* 1622 * Packet-oriented encryption for AEAD/NIST_KW: public function. 1623 */ 1624 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx, 1625 const unsigned char *iv, size_t iv_len, 1626 const unsigned char *ad, size_t ad_len, 1627 const unsigned char *input, size_t ilen, 1628 unsigned char *output, size_t output_len, 1629 size_t *olen, size_t tag_len) 1630 { 1631 #if defined(MBEDTLS_NIST_KW_C) 1632 if ( 1633 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1634 ctx->psa_enabled == 0 && 1635 #endif 1636 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1637 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { 1638 mbedtls_nist_kw_mode_t mode = 1639 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? 1640 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1641 1642 /* There is no iv, tag or ad associated with KW and KWP, 1643 * so these length should be 0 as documented. */ 1644 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1645 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1646 } 1647 1648 (void) iv; 1649 (void) ad; 1650 1651 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen, 1652 output, olen, output_len); 1653 } 1654 #endif /* MBEDTLS_NIST_KW_C */ 1655 1656 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1657 /* AEAD case: check length before passing on to shared function */ 1658 if (output_len < ilen + tag_len) { 1659 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1660 } 1661 1662 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len, 1663 input, ilen, output, olen, 1664 output + ilen, tag_len); 1665 *olen += tag_len; 1666 return ret; 1667 #else 1668 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1669 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1670 } 1671 1672 /* 1673 * Packet-oriented decryption for AEAD/NIST_KW: public function. 1674 */ 1675 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx, 1676 const unsigned char *iv, size_t iv_len, 1677 const unsigned char *ad, size_t ad_len, 1678 const unsigned char *input, size_t ilen, 1679 unsigned char *output, size_t output_len, 1680 size_t *olen, size_t tag_len) 1681 { 1682 #if defined(MBEDTLS_NIST_KW_C) 1683 if ( 1684 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1685 ctx->psa_enabled == 0 && 1686 #endif 1687 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1688 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { 1689 mbedtls_nist_kw_mode_t mode = 1690 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? 1691 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1692 1693 /* There is no iv, tag or ad associated with KW and KWP, 1694 * so these length should be 0 as documented. */ 1695 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1696 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1697 } 1698 1699 (void) iv; 1700 (void) ad; 1701 1702 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen, 1703 output, olen, output_len); 1704 } 1705 #endif /* MBEDTLS_NIST_KW_C */ 1706 1707 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1708 /* AEAD case: check length before passing on to shared function */ 1709 if (ilen < tag_len || output_len < ilen - tag_len) { 1710 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1711 } 1712 1713 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len, 1714 input, ilen - tag_len, output, olen, 1715 input + ilen - tag_len, tag_len); 1716 #else 1717 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1718 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1719 } 1720 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ 1721 1722 #endif /* MBEDTLS_CIPHER_C */ 1723