1 /** 2 * \file cipher.c 3 * 4 * \brief Generic cipher wrapper for Mbed TLS 5 * 6 * \author Adriaan de Jong <dejong@fox-it.com> 7 * 8 * Copyright The Mbed TLS Contributors 9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 10 */ 11 12 #include "common.h" 13 14 #if defined(MBEDTLS_CIPHER_C) 15 16 #include "mbedtls/cipher.h" 17 #include "cipher_wrap.h" 18 #include "mbedtls/platform_util.h" 19 #include "mbedtls/error.h" 20 #include "mbedtls/constant_time.h" 21 #include "constant_time_internal.h" 22 23 #include <stdlib.h> 24 #include <string.h> 25 26 #if defined(MBEDTLS_CHACHAPOLY_C) 27 #include "mbedtls/chachapoly.h" 28 #endif 29 30 #if defined(MBEDTLS_GCM_C) 31 #include "mbedtls/gcm.h" 32 #endif 33 34 #if defined(MBEDTLS_CCM_C) 35 #include "mbedtls/ccm.h" 36 #endif 37 38 #if defined(MBEDTLS_CHACHA20_C) 39 #include "mbedtls/chacha20.h" 40 #endif 41 42 #if defined(MBEDTLS_CMAC_C) 43 #include "mbedtls/cmac.h" 44 #endif 45 46 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 47 #include "psa/crypto.h" 48 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 49 50 #if defined(MBEDTLS_NIST_KW_C) 51 #include "mbedtls/nist_kw.h" 52 #endif 53 54 #include "mbedtls/platform.h" 55 56 static int supported_init = 0; 57 58 static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base( 59 const mbedtls_cipher_info_t *info) 60 { 61 return mbedtls_cipher_base_lookup_table[info->base_idx]; 62 } 63 64 const int *mbedtls_cipher_list(void) 65 { 66 const mbedtls_cipher_definition_t *def; 67 int *type; 68 69 if (!supported_init) { 70 def = mbedtls_cipher_definitions; 71 type = mbedtls_cipher_supported; 72 73 while (def->type != 0) { 74 *type++ = (*def++).type; 75 } 76 77 *type = 0; 78 79 supported_init = 1; 80 } 81 82 return mbedtls_cipher_supported; 83 } 84 85 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( 86 const mbedtls_cipher_type_t cipher_type) 87 { 88 const mbedtls_cipher_definition_t *def; 89 90 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 91 if (def->type == cipher_type) { 92 return def->info; 93 } 94 } 95 96 return NULL; 97 } 98 99 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( 100 const char *cipher_name) 101 { 102 const mbedtls_cipher_definition_t *def; 103 104 if (NULL == cipher_name) { 105 return NULL; 106 } 107 108 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 109 if (!strcmp(def->info->name, cipher_name)) { 110 return def->info; 111 } 112 } 113 114 return NULL; 115 } 116 117 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( 118 const mbedtls_cipher_id_t cipher_id, 119 int key_bitlen, 120 const mbedtls_cipher_mode_t mode) 121 { 122 const mbedtls_cipher_definition_t *def; 123 124 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 125 if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id && 126 mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen && 127 def->info->mode == mode) { 128 return def->info; 129 } 130 } 131 132 return NULL; 133 } 134 135 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 136 static inline psa_key_type_t mbedtls_psa_translate_cipher_type( 137 mbedtls_cipher_type_t cipher) 138 { 139 switch (cipher) { 140 case MBEDTLS_CIPHER_AES_128_CCM: 141 case MBEDTLS_CIPHER_AES_192_CCM: 142 case MBEDTLS_CIPHER_AES_256_CCM: 143 case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG: 144 case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG: 145 case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG: 146 case MBEDTLS_CIPHER_AES_128_GCM: 147 case MBEDTLS_CIPHER_AES_192_GCM: 148 case MBEDTLS_CIPHER_AES_256_GCM: 149 case MBEDTLS_CIPHER_AES_128_CBC: 150 case MBEDTLS_CIPHER_AES_192_CBC: 151 case MBEDTLS_CIPHER_AES_256_CBC: 152 case MBEDTLS_CIPHER_AES_128_ECB: 153 case MBEDTLS_CIPHER_AES_192_ECB: 154 case MBEDTLS_CIPHER_AES_256_ECB: 155 return PSA_KEY_TYPE_AES; 156 157 /* ARIA not yet supported in PSA. */ 158 /* case MBEDTLS_CIPHER_ARIA_128_CCM: 159 case MBEDTLS_CIPHER_ARIA_192_CCM: 160 case MBEDTLS_CIPHER_ARIA_256_CCM: 161 case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG: 162 case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG: 163 case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG: 164 case MBEDTLS_CIPHER_ARIA_128_GCM: 165 case MBEDTLS_CIPHER_ARIA_192_GCM: 166 case MBEDTLS_CIPHER_ARIA_256_GCM: 167 case MBEDTLS_CIPHER_ARIA_128_CBC: 168 case MBEDTLS_CIPHER_ARIA_192_CBC: 169 case MBEDTLS_CIPHER_ARIA_256_CBC: 170 return( PSA_KEY_TYPE_ARIA ); */ 171 172 default: 173 return 0; 174 } 175 } 176 177 static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode( 178 mbedtls_cipher_mode_t mode, size_t taglen) 179 { 180 switch (mode) { 181 case MBEDTLS_MODE_ECB: 182 return PSA_ALG_ECB_NO_PADDING; 183 case MBEDTLS_MODE_GCM: 184 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen); 185 case MBEDTLS_MODE_CCM: 186 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen); 187 case MBEDTLS_MODE_CCM_STAR_NO_TAG: 188 return PSA_ALG_CCM_STAR_NO_TAG; 189 case MBEDTLS_MODE_CBC: 190 if (taglen == 0) { 191 return PSA_ALG_CBC_NO_PADDING; 192 } else { 193 return 0; 194 } 195 default: 196 return 0; 197 } 198 } 199 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 200 201 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx) 202 { 203 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 204 } 205 206 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx) 207 { 208 if (ctx == NULL) { 209 return; 210 } 211 212 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 213 if (ctx->psa_enabled == 1) { 214 if (ctx->cipher_ctx != NULL) { 215 mbedtls_cipher_context_psa * const cipher_psa = 216 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 217 218 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) { 219 /* xxx_free() doesn't allow to return failures. */ 220 (void) psa_destroy_key(cipher_psa->slot); 221 } 222 223 mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa)); 224 } 225 226 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 227 return; 228 } 229 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 230 231 #if defined(MBEDTLS_CMAC_C) 232 if (ctx->cmac_ctx) { 233 mbedtls_zeroize_and_free(ctx->cmac_ctx, 234 sizeof(mbedtls_cmac_context_t)); 235 } 236 #endif 237 238 if (ctx->cipher_ctx) { 239 mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx); 240 } 241 242 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 243 } 244 245 int mbedtls_cipher_clone(mbedtls_cipher_context_t *dst, 246 const mbedtls_cipher_context_t *src) 247 { 248 if (dst == NULL || dst->cipher_info == NULL || 249 src == NULL || src->cipher_info == NULL) { 250 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 251 } 252 253 dst->cipher_info = src->cipher_info; 254 dst->key_bitlen = src->key_bitlen; 255 dst->operation = src->operation; 256 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 257 dst->add_padding = src->add_padding; 258 dst->get_padding = src->get_padding; 259 #endif 260 memcpy(dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH); 261 dst->unprocessed_len = src->unprocessed_len; 262 memcpy(dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH); 263 dst->iv_size = src->iv_size; 264 if (mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func) 265 mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func(dst->cipher_ctx, src->cipher_ctx); 266 267 #if defined(MBEDTLS_CMAC_C) 268 if (dst->cmac_ctx != NULL && src->cmac_ctx != NULL) 269 memcpy(dst->cmac_ctx, src->cmac_ctx, sizeof(mbedtls_cmac_context_t)); 270 #endif 271 return 0; 272 } 273 274 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, 275 const mbedtls_cipher_info_t *cipher_info) 276 { 277 if (cipher_info == NULL) { 278 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 279 } 280 281 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 282 283 if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) { 284 ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func(); 285 if (ctx->cipher_ctx == NULL) { 286 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 287 } 288 } 289 290 ctx->cipher_info = cipher_info; 291 292 return 0; 293 } 294 295 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 296 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx, 297 const mbedtls_cipher_info_t *cipher_info, 298 size_t taglen) 299 { 300 psa_algorithm_t alg; 301 mbedtls_cipher_context_psa *cipher_psa; 302 303 if (NULL == cipher_info || NULL == ctx) { 304 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 305 } 306 307 /* Check that the underlying cipher mode and cipher type are 308 * supported by the underlying PSA Crypto implementation. */ 309 alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen); 310 if (alg == 0) { 311 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 312 } 313 if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) { 314 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 315 } 316 317 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 318 319 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa)); 320 if (cipher_psa == NULL) { 321 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 322 } 323 cipher_psa->alg = alg; 324 ctx->cipher_ctx = cipher_psa; 325 ctx->cipher_info = cipher_info; 326 ctx->psa_enabled = 1; 327 return 0; 328 } 329 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 330 331 int mbedtls_cipher_setup_info(mbedtls_cipher_context_t *ctx, 332 const mbedtls_cipher_info_t *cipher_info ) 333 { 334 if (NULL == cipher_info || NULL == ctx) 335 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 336 337 ctx->cipher_info = cipher_info; 338 return 0; 339 } 340 341 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, 342 const unsigned char *key, 343 int key_bitlen, 344 const mbedtls_operation_t operation) 345 { 346 if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) { 347 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 348 } 349 if (ctx->cipher_info == NULL) { 350 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 351 } 352 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 353 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) && 354 MBEDTLS_DECRYPT == operation) { 355 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 356 } 357 #endif 358 359 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 360 if (ctx->psa_enabled == 1) { 361 mbedtls_cipher_context_psa * const cipher_psa = 362 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 363 364 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8; 365 366 psa_status_t status; 367 psa_key_type_t key_type; 368 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 369 370 /* PSA Crypto API only accepts byte-aligned keys. */ 371 if (key_bitlen % 8 != 0) { 372 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 373 } 374 375 /* Don't allow keys to be set multiple times. */ 376 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) { 377 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 378 } 379 380 key_type = mbedtls_psa_translate_cipher_type( 381 ((mbedtls_cipher_type_t) ctx->cipher_info->type)); 382 if (key_type == 0) { 383 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 384 } 385 psa_set_key_type(&attributes, key_type); 386 387 /* Mbed TLS' cipher layer doesn't enforce the mode of operation 388 * (encrypt vs. decrypt): it is possible to setup a key for encryption 389 * and use it for AEAD decryption. Until tests relying on this 390 * are changed, allow any usage in PSA. */ 391 psa_set_key_usage_flags(&attributes, 392 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 393 psa_set_key_algorithm(&attributes, cipher_psa->alg); 394 395 status = psa_import_key(&attributes, key, key_bytelen, 396 &cipher_psa->slot); 397 switch (status) { 398 case PSA_SUCCESS: 399 break; 400 case PSA_ERROR_INSUFFICIENT_MEMORY: 401 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 402 case PSA_ERROR_NOT_SUPPORTED: 403 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 404 default: 405 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 406 } 407 /* Indicate that we own the key slot and need to 408 * destroy it in mbedtls_cipher_free(). */ 409 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED; 410 411 ctx->key_bitlen = key_bitlen; 412 ctx->operation = operation; 413 return 0; 414 } 415 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 416 417 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 && 418 (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) { 419 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 420 } 421 422 ctx->key_bitlen = key_bitlen; 423 ctx->operation = operation; 424 425 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 426 /* 427 * For OFB, CFB and CTR mode always use the encryption key schedule 428 */ 429 if (MBEDTLS_ENCRYPT == operation || 430 MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 431 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 432 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 433 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, 434 ctx->key_bitlen); 435 } 436 437 if (MBEDTLS_DECRYPT == operation) { 438 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key, 439 ctx->key_bitlen); 440 } 441 #else 442 if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) { 443 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, 444 ctx->key_bitlen); 445 } 446 #endif 447 448 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 449 } 450 451 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx, 452 const unsigned char *iv, 453 size_t iv_len) 454 { 455 size_t actual_iv_size; 456 457 if (ctx->cipher_info == NULL) { 458 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 459 } 460 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 461 if (ctx->psa_enabled == 1) { 462 /* While PSA Crypto has an API for multipart 463 * operations, we currently don't make it 464 * accessible through the cipher layer. */ 465 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 466 } 467 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 468 469 /* avoid buffer overflow in ctx->iv */ 470 if (iv_len > MBEDTLS_MAX_IV_LENGTH) { 471 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 472 } 473 474 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) { 475 actual_iv_size = iv_len; 476 } else { 477 actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info); 478 479 /* avoid reading past the end of input buffer */ 480 if (actual_iv_size > iv_len) { 481 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 482 } 483 } 484 485 #if defined(MBEDTLS_CHACHA20_C) 486 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) { 487 /* Even though the actual_iv_size is overwritten with a correct value 488 * of 12 from the cipher info, return an error to indicate that 489 * the input iv_len is wrong. */ 490 if (iv_len != 12) { 491 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 492 } 493 494 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx, 495 iv, 496 0U)) { /* Initial counter value */ 497 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 498 } 499 } 500 #if defined(MBEDTLS_CHACHAPOLY_C) 501 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 && 502 iv_len != 12) { 503 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 504 } 505 #endif 506 #endif 507 508 #if defined(MBEDTLS_GCM_C) 509 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 510 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, 511 ctx->operation, 512 iv, iv_len); 513 } 514 #endif 515 516 #if defined(MBEDTLS_CCM_C) 517 if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 518 int set_lengths_result; 519 int ccm_star_mode; 520 521 set_lengths_result = mbedtls_ccm_set_lengths( 522 (mbedtls_ccm_context *) ctx->cipher_ctx, 523 0, 0, 0); 524 if (set_lengths_result != 0) { 525 return set_lengths_result; 526 } 527 528 if (ctx->operation == MBEDTLS_DECRYPT) { 529 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT; 530 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 531 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT; 532 } else { 533 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 534 } 535 536 return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx, 537 ccm_star_mode, 538 iv, iv_len); 539 } 540 #endif 541 542 if (actual_iv_size != 0) { 543 memcpy(ctx->iv, iv, actual_iv_size); 544 ctx->iv_size = actual_iv_size; 545 } 546 547 return 0; 548 } 549 550 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx) 551 { 552 if (ctx->cipher_info == NULL) { 553 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 554 } 555 556 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 557 if (ctx->psa_enabled == 1) { 558 /* We don't support resetting PSA-based 559 * cipher contexts, yet. */ 560 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 561 } 562 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 563 564 ctx->unprocessed_len = 0; 565 566 return 0; 567 } 568 569 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 570 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx, 571 const unsigned char *ad, size_t ad_len) 572 { 573 if (ctx->cipher_info == NULL) { 574 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 575 } 576 577 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 578 if (ctx->psa_enabled == 1) { 579 /* While PSA Crypto has an API for multipart 580 * operations, we currently don't make it 581 * accessible through the cipher layer. */ 582 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 583 } 584 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 585 586 #if defined(MBEDTLS_GCM_C) 587 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 588 return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx, 589 ad, ad_len); 590 } 591 #endif 592 593 #if defined(MBEDTLS_CHACHAPOLY_C) 594 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 595 int result; 596 mbedtls_chachapoly_mode_t mode; 597 598 mode = (ctx->operation == MBEDTLS_ENCRYPT) 599 ? MBEDTLS_CHACHAPOLY_ENCRYPT 600 : MBEDTLS_CHACHAPOLY_DECRYPT; 601 602 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx, 603 ctx->iv, 604 mode); 605 if (result != 0) { 606 return result; 607 } 608 609 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx, 610 ad, ad_len); 611 } 612 #endif 613 614 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 615 } 616 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 617 618 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, 619 size_t ilen, unsigned char *output, size_t *olen) 620 { 621 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 622 size_t block_size; 623 624 if (ctx->cipher_info == NULL) { 625 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 626 } 627 628 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 629 if (ctx->psa_enabled == 1) { 630 /* While PSA Crypto has an API for multipart 631 * operations, we currently don't make it 632 * accessible through the cipher layer. */ 633 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 634 } 635 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 636 637 *olen = 0; 638 block_size = mbedtls_cipher_get_block_size(ctx); 639 if (0 == block_size) { 640 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; 641 } 642 643 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) { 644 if (ilen != block_size) { 645 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 646 } 647 648 *olen = ilen; 649 650 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx, 651 ctx->operation, input, 652 output))) { 653 return ret; 654 } 655 656 return 0; 657 } 658 659 #if defined(MBEDTLS_GCM_C) 660 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) { 661 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, 662 input, ilen, 663 output, ilen, olen); 664 } 665 #endif 666 667 #if defined(MBEDTLS_CCM_C) 668 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) { 669 return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx, 670 input, ilen, 671 output, ilen, olen); 672 } 673 #endif 674 675 #if defined(MBEDTLS_CHACHAPOLY_C) 676 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) { 677 *olen = ilen; 678 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx, 679 ilen, input, output); 680 } 681 #endif 682 683 if (input == output && 684 (ctx->unprocessed_len != 0 || ilen % block_size)) { 685 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 686 } 687 688 #if defined(MBEDTLS_CIPHER_MODE_CBC) 689 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) { 690 size_t copy_len = 0; 691 692 /* 693 * If there is not enough data for a full block, cache it. 694 */ 695 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 696 ilen <= block_size - ctx->unprocessed_len) || 697 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 698 ilen < block_size - ctx->unprocessed_len) || 699 (ctx->operation == MBEDTLS_ENCRYPT && 700 ilen < block_size - ctx->unprocessed_len)) { 701 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 702 ilen); 703 704 ctx->unprocessed_len += ilen; 705 return 0; 706 } 707 708 /* 709 * Process cached data first 710 */ 711 if (0 != ctx->unprocessed_len) { 712 copy_len = block_size - ctx->unprocessed_len; 713 714 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 715 copy_len); 716 717 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 718 ctx->operation, 719 block_size, ctx->iv, 720 ctx-> 721 unprocessed_data, 722 output))) { 723 return ret; 724 } 725 726 *olen += block_size; 727 output += block_size; 728 ctx->unprocessed_len = 0; 729 730 input += copy_len; 731 ilen -= copy_len; 732 } 733 734 /* 735 * Cache final, incomplete block 736 */ 737 if (0 != ilen) { 738 /* Encryption: only cache partial blocks 739 * Decryption w/ padding: always keep at least one whole block 740 * Decryption w/o padding: only cache partial blocks 741 */ 742 copy_len = ilen % block_size; 743 if (copy_len == 0 && 744 ctx->operation == MBEDTLS_DECRYPT && 745 NULL != ctx->add_padding) { 746 copy_len = block_size; 747 } 748 749 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]), 750 copy_len); 751 752 ctx->unprocessed_len += copy_len; 753 ilen -= copy_len; 754 } 755 756 /* 757 * Process remaining full blocks 758 */ 759 if (ilen) { 760 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 761 ctx->operation, 762 ilen, ctx->iv, 763 input, 764 output))) { 765 return ret; 766 } 767 768 *olen += ilen; 769 } 770 771 return 0; 772 } 773 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 774 775 #if defined(MBEDTLS_CIPHER_MODE_CFB) 776 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) { 777 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx, 778 ctx->operation, ilen, 779 &ctx->unprocessed_len, 780 ctx->iv, 781 input, output))) { 782 return ret; 783 } 784 785 *olen = ilen; 786 787 return 0; 788 } 789 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 790 791 #if defined(MBEDTLS_CIPHER_MODE_OFB) 792 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) { 793 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx, 794 ilen, 795 &ctx->unprocessed_len, 796 ctx->iv, 797 input, output))) { 798 return ret; 799 } 800 801 *olen = ilen; 802 803 return 0; 804 } 805 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 806 807 #if defined(MBEDTLS_CIPHER_MODE_CTR) 808 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) { 809 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx, 810 ilen, 811 &ctx->unprocessed_len, 812 ctx->iv, 813 ctx->unprocessed_data, 814 input, output))) { 815 return ret; 816 } 817 818 *olen = ilen; 819 820 return 0; 821 } 822 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 823 824 #if defined(MBEDTLS_CIPHER_MODE_XTS) 825 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) { 826 if (ctx->unprocessed_len > 0) { 827 /* We can only process an entire data unit at a time. */ 828 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 829 } 830 831 ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx, 832 ctx->operation, 833 ilen, 834 ctx->iv, 835 input, 836 output); 837 if (ret != 0) { 838 return ret; 839 } 840 841 *olen = ilen; 842 843 return 0; 844 } 845 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 846 847 #if defined(MBEDTLS_CIPHER_MODE_STREAM) 848 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) { 849 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx, 850 ilen, input, 851 output))) { 852 return ret; 853 } 854 855 *olen = ilen; 856 857 return 0; 858 } 859 #endif /* MBEDTLS_CIPHER_MODE_STREAM */ 860 861 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 862 } 863 864 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 865 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 866 /* 867 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 868 */ 869 static void add_pkcs_padding(unsigned char *output, size_t output_len, 870 size_t data_len) 871 { 872 size_t padding_len = output_len - data_len; 873 unsigned char i; 874 875 for (i = 0; i < padding_len; i++) { 876 output[data_len + i] = (unsigned char) padding_len; 877 } 878 } 879 880 static int get_pkcs_padding(unsigned char *input, size_t input_len, 881 size_t *data_len) 882 { 883 size_t i, pad_idx; 884 unsigned char padding_len; 885 886 if (NULL == input || NULL == data_len) { 887 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 888 } 889 890 padding_len = input[input_len - 1]; 891 *data_len = input_len - padding_len; 892 893 mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len); 894 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); 895 896 /* The number of bytes checked must be independent of padding_len, 897 * so pick input_len, which is usually 8 or 16 (one block) */ 898 pad_idx = input_len - padding_len; 899 for (i = 0; i < input_len; i++) { 900 mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx); 901 mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len); 902 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different)); 903 } 904 905 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 906 } 907 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 908 909 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 910 /* 911 * One and zeros padding: fill with 80 00 ... 00 912 */ 913 static void add_one_and_zeros_padding(unsigned char *output, 914 size_t output_len, size_t data_len) 915 { 916 size_t padding_len = output_len - data_len; 917 unsigned char i = 0; 918 919 output[data_len] = 0x80; 920 for (i = 1; i < padding_len; i++) { 921 output[data_len + i] = 0x00; 922 } 923 } 924 925 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len, 926 size_t *data_len) 927 { 928 if (NULL == input || NULL == data_len) { 929 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 930 } 931 932 mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE; 933 mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE; 934 935 *data_len = 0; 936 937 for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) { 938 mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]); 939 940 mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding); 941 942 *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len); 943 944 bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad); 945 946 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero)); 947 } 948 949 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 950 } 951 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 952 953 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 954 /* 955 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 956 */ 957 static void add_zeros_and_len_padding(unsigned char *output, 958 size_t output_len, size_t data_len) 959 { 960 size_t padding_len = output_len - data_len; 961 unsigned char i = 0; 962 963 for (i = 1; i < padding_len; i++) { 964 output[data_len + i - 1] = 0x00; 965 } 966 output[output_len - 1] = (unsigned char) padding_len; 967 } 968 969 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len, 970 size_t *data_len) 971 { 972 size_t i, pad_idx; 973 unsigned char padding_len; 974 mbedtls_ct_condition_t bad; 975 976 if (NULL == input || NULL == data_len) { 977 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 978 } 979 980 padding_len = input[input_len - 1]; 981 *data_len = input_len - padding_len; 982 983 /* Avoid logical || since it results in a branch */ 984 bad = mbedtls_ct_uint_gt(padding_len, input_len); 985 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); 986 987 /* The number of bytes checked must be independent of padding_len */ 988 pad_idx = input_len - padding_len; 989 for (i = 0; i < input_len - 1; i++) { 990 mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx); 991 mbedtls_ct_condition_t nonzero_pad_byte; 992 nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i])); 993 bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte); 994 } 995 996 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 997 } 998 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 999 1000 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1001 /* 1002 * Zero padding: fill with 00 ... 00 1003 */ 1004 static void add_zeros_padding(unsigned char *output, 1005 size_t output_len, size_t data_len) 1006 { 1007 memset(output + data_len, 0, output_len - data_len); 1008 } 1009 1010 static int get_zeros_padding(unsigned char *input, size_t input_len, 1011 size_t *data_len) 1012 { 1013 size_t i; 1014 mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done; 1015 1016 if (NULL == input || NULL == data_len) { 1017 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1018 } 1019 1020 *data_len = 0; 1021 for (i = input_len; i > 0; i--) { 1022 prev_done = done; 1023 done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0)); 1024 *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len); 1025 } 1026 1027 return 0; 1028 } 1029 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 1030 1031 /* 1032 * No padding: don't pad :) 1033 * 1034 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 1035 * but a trivial get_padding function 1036 */ 1037 static int get_no_padding(unsigned char *input, size_t input_len, 1038 size_t *data_len) 1039 { 1040 if (NULL == input || NULL == data_len) { 1041 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1042 } 1043 1044 *data_len = input_len; 1045 1046 return 0; 1047 } 1048 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1049 1050 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx, 1051 unsigned char *output, size_t *olen) 1052 { 1053 if (ctx->cipher_info == NULL) { 1054 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1055 } 1056 1057 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1058 if (ctx->psa_enabled == 1) { 1059 /* While PSA Crypto has an API for multipart 1060 * operations, we currently don't make it 1061 * accessible through the cipher layer. */ 1062 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1063 } 1064 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1065 1066 *olen = 0; 1067 1068 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1069 /* CBC mode requires padding so we make sure a call to 1070 * mbedtls_cipher_set_padding_mode has been done successfully. */ 1071 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1072 if (ctx->get_padding == NULL) { 1073 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1074 } 1075 } 1076 #endif 1077 1078 if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1079 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1080 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1081 MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1082 MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1083 MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1084 MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1085 return 0; 1086 } 1087 1088 if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) || 1089 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) { 1090 return 0; 1091 } 1092 1093 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1094 if (ctx->unprocessed_len != 0) { 1095 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1096 } 1097 1098 return 0; 1099 } 1100 1101 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1102 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1103 int ret = 0; 1104 1105 if (MBEDTLS_ENCRYPT == ctx->operation) { 1106 /* check for 'no padding' mode */ 1107 if (NULL == ctx->add_padding) { 1108 if (0 != ctx->unprocessed_len) { 1109 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1110 } 1111 1112 return 0; 1113 } 1114 1115 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx), 1116 ctx->unprocessed_len); 1117 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) { 1118 /* 1119 * For decrypt operations, expect a full block, 1120 * or an empty block if no padding 1121 */ 1122 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) { 1123 return 0; 1124 } 1125 1126 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1127 } 1128 1129 /* cipher block */ 1130 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 1131 ctx->operation, 1132 mbedtls_cipher_get_block_size( 1133 ctx), 1134 ctx->iv, 1135 ctx->unprocessed_data, 1136 output))) { 1137 return ret; 1138 } 1139 1140 /* Set output size for decryption */ 1141 if (MBEDTLS_DECRYPT == ctx->operation) { 1142 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx), 1143 olen); 1144 } 1145 1146 /* Set output size for encryption */ 1147 *olen = mbedtls_cipher_get_block_size(ctx); 1148 return 0; 1149 } 1150 #else 1151 ((void) output); 1152 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1153 1154 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1155 } 1156 1157 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1158 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, 1159 mbedtls_cipher_padding_t mode) 1160 { 1161 if (NULL == ctx->cipher_info || 1162 MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1163 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1164 } 1165 1166 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1167 if (ctx->psa_enabled == 1) { 1168 /* While PSA Crypto knows about CBC padding 1169 * schemes, we currently don't make them 1170 * accessible through the cipher layer. */ 1171 if (mode != MBEDTLS_PADDING_NONE) { 1172 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1173 } 1174 1175 return 0; 1176 } 1177 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1178 1179 switch (mode) { 1180 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 1181 case MBEDTLS_PADDING_PKCS7: 1182 ctx->add_padding = add_pkcs_padding; 1183 ctx->get_padding = get_pkcs_padding; 1184 break; 1185 #endif 1186 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 1187 case MBEDTLS_PADDING_ONE_AND_ZEROS: 1188 ctx->add_padding = add_one_and_zeros_padding; 1189 ctx->get_padding = get_one_and_zeros_padding; 1190 break; 1191 #endif 1192 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 1193 case MBEDTLS_PADDING_ZEROS_AND_LEN: 1194 ctx->add_padding = add_zeros_and_len_padding; 1195 ctx->get_padding = get_zeros_and_len_padding; 1196 break; 1197 #endif 1198 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1199 case MBEDTLS_PADDING_ZEROS: 1200 ctx->add_padding = add_zeros_padding; 1201 ctx->get_padding = get_zeros_padding; 1202 break; 1203 #endif 1204 case MBEDTLS_PADDING_NONE: 1205 ctx->add_padding = NULL; 1206 ctx->get_padding = get_no_padding; 1207 break; 1208 1209 default: 1210 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1211 } 1212 1213 return 0; 1214 } 1215 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1216 1217 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 1218 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx, 1219 unsigned char *tag, size_t tag_len) 1220 { 1221 if (ctx->cipher_info == NULL) { 1222 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1223 } 1224 1225 if (MBEDTLS_ENCRYPT != ctx->operation) { 1226 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1227 } 1228 1229 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1230 if (ctx->psa_enabled == 1) { 1231 /* While PSA Crypto has an API for multipart 1232 * operations, we currently don't make it 1233 * accessible through the cipher layer. */ 1234 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1235 } 1236 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1237 1238 #if defined(MBEDTLS_GCM_C) 1239 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1240 size_t output_length; 1241 /* The code here doesn't yet support alternative implementations 1242 * that can delay up to a block of output. */ 1243 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx, 1244 NULL, 0, &output_length, 1245 tag, tag_len); 1246 } 1247 #endif 1248 1249 #if defined(MBEDTLS_CHACHAPOLY_C) 1250 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1251 /* Don't allow truncated MAC for Poly1305 */ 1252 if (tag_len != 16U) { 1253 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1254 } 1255 1256 return mbedtls_chachapoly_finish( 1257 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag); 1258 } 1259 #endif 1260 1261 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1262 } 1263 1264 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx, 1265 const unsigned char *tag, size_t tag_len) 1266 { 1267 unsigned char check_tag[16]; 1268 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1269 1270 if (ctx->cipher_info == NULL) { 1271 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1272 } 1273 1274 if (MBEDTLS_DECRYPT != ctx->operation) { 1275 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1276 } 1277 1278 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1279 if (ctx->psa_enabled == 1) { 1280 /* While PSA Crypto has an API for multipart 1281 * operations, we currently don't make it 1282 * accessible through the cipher layer. */ 1283 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1284 } 1285 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1286 1287 /* Status to return on a non-authenticated algorithm. */ 1288 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1289 1290 #if defined(MBEDTLS_GCM_C) 1291 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1292 size_t output_length; 1293 /* The code here doesn't yet support alternative implementations 1294 * that can delay up to a block of output. */ 1295 1296 if (tag_len > sizeof(check_tag)) { 1297 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1298 } 1299 1300 if (0 != (ret = mbedtls_gcm_finish( 1301 (mbedtls_gcm_context *) ctx->cipher_ctx, 1302 NULL, 0, &output_length, 1303 check_tag, tag_len))) { 1304 return ret; 1305 } 1306 1307 /* Check the tag in "constant-time" */ 1308 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1309 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1310 goto exit; 1311 } 1312 } 1313 #endif /* MBEDTLS_GCM_C */ 1314 1315 #if defined(MBEDTLS_CHACHAPOLY_C) 1316 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1317 /* Don't allow truncated MAC for Poly1305 */ 1318 if (tag_len != sizeof(check_tag)) { 1319 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1320 } 1321 1322 ret = mbedtls_chachapoly_finish( 1323 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag); 1324 if (ret != 0) { 1325 return ret; 1326 } 1327 1328 /* Check the tag in "constant-time" */ 1329 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1330 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1331 goto exit; 1332 } 1333 } 1334 #endif /* MBEDTLS_CHACHAPOLY_C */ 1335 1336 exit: 1337 mbedtls_platform_zeroize(check_tag, tag_len); 1338 return ret; 1339 } 1340 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 1341 1342 /* 1343 * Packet-oriented wrapper for non-AEAD modes 1344 */ 1345 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, 1346 const unsigned char *iv, size_t iv_len, 1347 const unsigned char *input, size_t ilen, 1348 unsigned char *output, size_t *olen) 1349 { 1350 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1351 size_t finish_olen; 1352 1353 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1354 if (ctx->psa_enabled == 1) { 1355 /* As in the non-PSA case, we don't check that 1356 * a key has been set. If not, the key slot will 1357 * still be in its default state of 0, which is 1358 * guaranteed to be invalid, hence the PSA-call 1359 * below will gracefully fail. */ 1360 mbedtls_cipher_context_psa * const cipher_psa = 1361 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1362 1363 psa_status_t status; 1364 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; 1365 size_t part_len; 1366 1367 if (ctx->operation == MBEDTLS_DECRYPT) { 1368 status = psa_cipher_decrypt_setup(&cipher_op, 1369 cipher_psa->slot, 1370 cipher_psa->alg); 1371 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 1372 status = psa_cipher_encrypt_setup(&cipher_op, 1373 cipher_psa->slot, 1374 cipher_psa->alg); 1375 } else { 1376 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1377 } 1378 1379 /* In the following, we can immediately return on an error, 1380 * because the PSA Crypto API guarantees that cipher operations 1381 * are terminated by unsuccessful calls to psa_cipher_update(), 1382 * and by any call to psa_cipher_finish(). */ 1383 if (status != PSA_SUCCESS) { 1384 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1385 } 1386 1387 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) { 1388 status = psa_cipher_set_iv(&cipher_op, iv, iv_len); 1389 if (status != PSA_SUCCESS) { 1390 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1391 } 1392 } 1393 1394 status = psa_cipher_update(&cipher_op, 1395 input, ilen, 1396 output, ilen, olen); 1397 if (status != PSA_SUCCESS) { 1398 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1399 } 1400 1401 status = psa_cipher_finish(&cipher_op, 1402 output + *olen, ilen - *olen, 1403 &part_len); 1404 if (status != PSA_SUCCESS) { 1405 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1406 } 1407 1408 *olen += part_len; 1409 return 0; 1410 } 1411 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1412 1413 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) { 1414 return ret; 1415 } 1416 1417 if ((ret = mbedtls_cipher_reset(ctx)) != 0) { 1418 return ret; 1419 } 1420 1421 if ((ret = mbedtls_cipher_update(ctx, input, ilen, 1422 output, olen)) != 0) { 1423 return ret; 1424 } 1425 1426 if ((ret = mbedtls_cipher_finish(ctx, output + *olen, 1427 &finish_olen)) != 0) { 1428 return ret; 1429 } 1430 1431 *olen += finish_olen; 1432 1433 return 0; 1434 } 1435 1436 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1437 /* 1438 * Packet-oriented encryption for AEAD modes: internal function used by 1439 * mbedtls_cipher_auth_encrypt_ext(). 1440 */ 1441 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx, 1442 const unsigned char *iv, size_t iv_len, 1443 const unsigned char *ad, size_t ad_len, 1444 const unsigned char *input, size_t ilen, 1445 unsigned char *output, size_t *olen, 1446 unsigned char *tag, size_t tag_len) 1447 { 1448 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1449 if (ctx->psa_enabled == 1) { 1450 /* As in the non-PSA case, we don't check that 1451 * a key has been set. If not, the key slot will 1452 * still be in its default state of 0, which is 1453 * guaranteed to be invalid, hence the PSA-call 1454 * below will gracefully fail. */ 1455 mbedtls_cipher_context_psa * const cipher_psa = 1456 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1457 1458 psa_status_t status; 1459 1460 /* PSA Crypto API always writes the authentication tag 1461 * at the end of the encrypted message. */ 1462 if (output == NULL || tag != output + ilen) { 1463 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1464 } 1465 1466 status = psa_aead_encrypt(cipher_psa->slot, 1467 cipher_psa->alg, 1468 iv, iv_len, 1469 ad, ad_len, 1470 input, ilen, 1471 output, ilen + tag_len, olen); 1472 if (status != PSA_SUCCESS) { 1473 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1474 } 1475 1476 *olen -= tag_len; 1477 return 0; 1478 } 1479 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1480 1481 #if defined(MBEDTLS_GCM_C) 1482 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1483 *olen = ilen; 1484 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, 1485 ilen, iv, iv_len, ad, ad_len, 1486 input, output, tag_len, tag); 1487 } 1488 #endif /* MBEDTLS_GCM_C */ 1489 #if defined(MBEDTLS_CCM_C) 1490 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1491 *olen = ilen; 1492 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen, 1493 iv, iv_len, ad, ad_len, input, output, 1494 tag, tag_len); 1495 } 1496 #endif /* MBEDTLS_CCM_C */ 1497 #if defined(MBEDTLS_CHACHAPOLY_C) 1498 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1499 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1500 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || 1501 (tag_len != 16U)) { 1502 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1503 } 1504 1505 *olen = ilen; 1506 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx, 1507 ilen, iv, ad, ad_len, input, output, tag); 1508 } 1509 #endif /* MBEDTLS_CHACHAPOLY_C */ 1510 1511 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1512 } 1513 1514 /* 1515 * Packet-oriented encryption for AEAD modes: internal function used by 1516 * mbedtls_cipher_auth_encrypt_ext(). 1517 */ 1518 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx, 1519 const unsigned char *iv, size_t iv_len, 1520 const unsigned char *ad, size_t ad_len, 1521 const unsigned char *input, size_t ilen, 1522 unsigned char *output, size_t *olen, 1523 const unsigned char *tag, size_t tag_len) 1524 { 1525 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1526 if (ctx->psa_enabled == 1) { 1527 /* As in the non-PSA case, we don't check that 1528 * a key has been set. If not, the key slot will 1529 * still be in its default state of 0, which is 1530 * guaranteed to be invalid, hence the PSA-call 1531 * below will gracefully fail. */ 1532 mbedtls_cipher_context_psa * const cipher_psa = 1533 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1534 1535 psa_status_t status; 1536 1537 /* PSA Crypto API always writes the authentication tag 1538 * at the end of the encrypted message. */ 1539 if (input == NULL || tag != input + ilen) { 1540 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1541 } 1542 1543 status = psa_aead_decrypt(cipher_psa->slot, 1544 cipher_psa->alg, 1545 iv, iv_len, 1546 ad, ad_len, 1547 input, ilen + tag_len, 1548 output, ilen, olen); 1549 if (status == PSA_ERROR_INVALID_SIGNATURE) { 1550 return MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1551 } else if (status != PSA_SUCCESS) { 1552 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1553 } 1554 1555 return 0; 1556 } 1557 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1558 1559 #if defined(MBEDTLS_GCM_C) 1560 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1561 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1562 1563 *olen = ilen; 1564 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen, 1565 iv, iv_len, ad, ad_len, 1566 tag, tag_len, input, output); 1567 1568 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) { 1569 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1570 } 1571 1572 return ret; 1573 } 1574 #endif /* MBEDTLS_GCM_C */ 1575 #if defined(MBEDTLS_CCM_C) 1576 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1577 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1578 1579 *olen = ilen; 1580 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen, 1581 iv, iv_len, ad, ad_len, 1582 input, output, tag, tag_len); 1583 1584 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) { 1585 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1586 } 1587 1588 return ret; 1589 } 1590 #endif /* MBEDTLS_CCM_C */ 1591 #if defined(MBEDTLS_CHACHAPOLY_C) 1592 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1593 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1594 1595 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1596 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || 1597 (tag_len != 16U)) { 1598 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1599 } 1600 1601 *olen = ilen; 1602 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen, 1603 iv, ad, ad_len, tag, input, output); 1604 1605 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) { 1606 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1607 } 1608 1609 return ret; 1610 } 1611 #endif /* MBEDTLS_CHACHAPOLY_C */ 1612 1613 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1614 } 1615 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1616 1617 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) 1618 /* 1619 * Packet-oriented encryption for AEAD/NIST_KW: public function. 1620 */ 1621 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx, 1622 const unsigned char *iv, size_t iv_len, 1623 const unsigned char *ad, size_t ad_len, 1624 const unsigned char *input, size_t ilen, 1625 unsigned char *output, size_t output_len, 1626 size_t *olen, size_t tag_len) 1627 { 1628 #if defined(MBEDTLS_NIST_KW_C) 1629 if ( 1630 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1631 ctx->psa_enabled == 0 && 1632 #endif 1633 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1634 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { 1635 mbedtls_nist_kw_mode_t mode = 1636 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? 1637 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1638 1639 /* There is no iv, tag or ad associated with KW and KWP, 1640 * so these length should be 0 as documented. */ 1641 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1642 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1643 } 1644 1645 (void) iv; 1646 (void) ad; 1647 1648 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen, 1649 output, olen, output_len); 1650 } 1651 #endif /* MBEDTLS_NIST_KW_C */ 1652 1653 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1654 /* AEAD case: check length before passing on to shared function */ 1655 if (output_len < ilen + tag_len) { 1656 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1657 } 1658 1659 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len, 1660 input, ilen, output, olen, 1661 output + ilen, tag_len); 1662 *olen += tag_len; 1663 return ret; 1664 #else 1665 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1666 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1667 } 1668 1669 /* 1670 * Packet-oriented decryption for AEAD/NIST_KW: public function. 1671 */ 1672 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx, 1673 const unsigned char *iv, size_t iv_len, 1674 const unsigned char *ad, size_t ad_len, 1675 const unsigned char *input, size_t ilen, 1676 unsigned char *output, size_t output_len, 1677 size_t *olen, size_t tag_len) 1678 { 1679 #if defined(MBEDTLS_NIST_KW_C) 1680 if ( 1681 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1682 ctx->psa_enabled == 0 && 1683 #endif 1684 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1685 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { 1686 mbedtls_nist_kw_mode_t mode = 1687 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? 1688 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1689 1690 /* There is no iv, tag or ad associated with KW and KWP, 1691 * so these length should be 0 as documented. */ 1692 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1693 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1694 } 1695 1696 (void) iv; 1697 (void) ad; 1698 1699 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen, 1700 output, olen, output_len); 1701 } 1702 #endif /* MBEDTLS_NIST_KW_C */ 1703 1704 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1705 /* AEAD case: check length before passing on to shared function */ 1706 if (ilen < tag_len || output_len < ilen - tag_len) { 1707 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1708 } 1709 1710 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len, 1711 input, ilen - tag_len, output, olen, 1712 input + ilen - tag_len, tag_len); 1713 #else 1714 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1715 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1716 } 1717 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ 1718 1719 #endif /* MBEDTLS_CIPHER_C */ 1720