1 // SPDX-License-Identifier: Apache-2.0 2 /** 3 * \file cipher.c 4 * 5 * \brief Generic cipher wrapper for mbed TLS 6 * 7 * \author Adriaan de Jong <dejong@fox-it.com> 8 * 9 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 10 * 11 * Licensed under the Apache License, Version 2.0 (the "License"); you may 12 * not use this file except in compliance with the License. 13 * You may obtain a copy of the License at 14 * 15 * http://www.apache.org/licenses/LICENSE-2.0 16 * 17 * Unless required by applicable law or agreed to in writing, software 18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 * See the License for the specific language governing permissions and 21 * limitations under the License. 22 * 23 * This file is part of mbed TLS (https://tls.mbed.org) 24 */ 25 26 #if !defined(MBEDTLS_CONFIG_FILE) 27 #include "mbedtls/config.h" 28 #else 29 #include MBEDTLS_CONFIG_FILE 30 #endif 31 32 #if defined(MBEDTLS_CIPHER_C) 33 34 #include "mbedtls/cipher.h" 35 #include "mbedtls/cipher_internal.h" 36 37 #include <stdlib.h> 38 #include <string.h> 39 40 #if defined(MBEDTLS_GCM_C) 41 #include "mbedtls/gcm.h" 42 #endif 43 44 #if defined(MBEDTLS_CCM_C) 45 #include "mbedtls/ccm.h" 46 #endif 47 48 #if defined(MBEDTLS_CMAC_C) 49 #include "mbedtls/cmac.h" 50 #endif 51 52 #if defined(MBEDTLS_PLATFORM_C) 53 #include "mbedtls/platform.h" 54 #else 55 #define mbedtls_calloc calloc 56 #define mbedtls_free free 57 #endif 58 59 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 60 #define MBEDTLS_CIPHER_MODE_STREAM 61 #endif 62 63 /* Implementation that should never be optimized out by the compiler */ 64 static void mbedtls_zeroize( void *v, size_t n ) { 65 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 66 } 67 68 static int supported_init = 0; 69 70 const int *mbedtls_cipher_list( void ) 71 { 72 const mbedtls_cipher_definition_t *def; 73 int *type; 74 75 if( ! supported_init ) 76 { 77 def = mbedtls_cipher_definitions; 78 type = mbedtls_cipher_supported; 79 80 while( def->type != 0 ) 81 *type++ = (*def++).type; 82 83 *type = 0; 84 85 supported_init = 1; 86 } 87 88 return( mbedtls_cipher_supported ); 89 } 90 91 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type ) 92 { 93 const mbedtls_cipher_definition_t *def; 94 95 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 96 if( def->type == cipher_type ) 97 return( def->info ); 98 99 return( NULL ); 100 } 101 102 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name ) 103 { 104 const mbedtls_cipher_definition_t *def; 105 106 if( NULL == cipher_name ) 107 return( NULL ); 108 109 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 110 if( ! strcmp( def->info->name, cipher_name ) ) 111 return( def->info ); 112 113 return( NULL ); 114 } 115 116 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id, 117 int key_bitlen, 118 const mbedtls_cipher_mode_t mode ) 119 { 120 const mbedtls_cipher_definition_t *def; 121 122 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) 123 if( def->info->base->cipher == cipher_id && 124 def->info->key_bitlen == (unsigned) key_bitlen && 125 def->info->mode == mode ) 126 return( def->info ); 127 128 return( NULL ); 129 } 130 131 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx ) 132 { 133 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 134 } 135 136 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx ) 137 { 138 if( ctx == NULL ) 139 return; 140 141 #if defined(MBEDTLS_CMAC_C) 142 if( ctx->cmac_ctx ) 143 { 144 mbedtls_zeroize( ctx->cmac_ctx, sizeof( mbedtls_cmac_context_t ) ); 145 mbedtls_free( ctx->cmac_ctx ); 146 } 147 #endif 148 149 if( ctx->cipher_ctx ) 150 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx ); 151 152 mbedtls_zeroize( ctx, sizeof(mbedtls_cipher_context_t) ); 153 } 154 155 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info ) 156 { 157 if( NULL == cipher_info || NULL == ctx ) 158 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 159 160 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) ); 161 162 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) ) 163 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED ); 164 165 ctx->cipher_info = cipher_info; 166 167 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 168 /* 169 * Ignore possible errors caused by a cipher mode that doesn't use padding 170 */ 171 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 172 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 ); 173 #else 174 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE ); 175 #endif 176 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 177 178 return( 0 ); 179 } 180 181 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key, 182 int key_bitlen, const mbedtls_operation_t operation ) 183 { 184 if( NULL == ctx || NULL == ctx->cipher_info ) 185 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 186 187 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 && 188 (int) ctx->cipher_info->key_bitlen != key_bitlen ) 189 { 190 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 191 } 192 193 ctx->key_bitlen = key_bitlen; 194 ctx->operation = operation; 195 196 /* 197 * For CFB and CTR mode always use the encryption key schedule 198 */ 199 if( MBEDTLS_ENCRYPT == operation || 200 MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 201 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ) 202 { 203 return ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key, 204 ctx->key_bitlen ); 205 } 206 207 if( MBEDTLS_DECRYPT == operation ) 208 return ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key, 209 ctx->key_bitlen ); 210 211 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 212 } 213 214 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, 215 const unsigned char *iv, size_t iv_len ) 216 { 217 size_t actual_iv_size; 218 219 if( NULL == ctx || NULL == ctx->cipher_info || NULL == iv ) 220 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 221 222 /* avoid buffer overflow in ctx->iv */ 223 if( iv_len > MBEDTLS_MAX_IV_LENGTH ) 224 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 225 226 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 ) 227 actual_iv_size = iv_len; 228 else 229 { 230 actual_iv_size = ctx->cipher_info->iv_size; 231 232 /* avoid reading past the end of input buffer */ 233 if( actual_iv_size > iv_len ) 234 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 235 } 236 237 memcpy( ctx->iv, iv, actual_iv_size ); 238 ctx->iv_size = actual_iv_size; 239 240 return( 0 ); 241 } 242 243 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ) 244 { 245 if( NULL == ctx || NULL == ctx->cipher_info ) 246 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 247 248 ctx->unprocessed_len = 0; 249 250 return( 0 ); 251 } 252 253 #if defined(MBEDTLS_GCM_C) 254 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx, 255 const unsigned char *ad, size_t ad_len ) 256 { 257 if( NULL == ctx || NULL == ctx->cipher_info ) 258 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 259 260 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 261 { 262 return mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation, 263 ctx->iv, ctx->iv_size, ad, ad_len ); 264 } 265 266 return( 0 ); 267 } 268 #endif /* MBEDTLS_GCM_C */ 269 270 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input, 271 size_t ilen, unsigned char *output, size_t *olen ) 272 { 273 int ret; 274 size_t block_size = 0; 275 276 if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen ) 277 { 278 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 279 } 280 281 *olen = 0; 282 block_size = mbedtls_cipher_get_block_size( ctx ); 283 284 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB ) 285 { 286 if( ilen != block_size ) 287 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 288 289 *olen = ilen; 290 291 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx, 292 ctx->operation, input, output ) ) ) 293 { 294 return( ret ); 295 } 296 297 return( 0 ); 298 } 299 300 #if defined(MBEDTLS_GCM_C) 301 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM ) 302 { 303 *olen = ilen; 304 return mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input, 305 output ); 306 } 307 #endif 308 309 if ( 0 == block_size ) 310 { 311 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; 312 } 313 314 if( input == output && 315 ( ctx->unprocessed_len != 0 || ilen % block_size ) ) 316 { 317 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 318 } 319 320 #if defined(MBEDTLS_CIPHER_MODE_CBC) 321 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC ) 322 { 323 size_t copy_len = 0; 324 325 /* 326 * If there is not enough data for a full block, cache it. 327 */ 328 if( ( ctx->operation == MBEDTLS_DECRYPT && 329 ilen <= block_size - ctx->unprocessed_len ) || 330 ( ctx->operation == MBEDTLS_ENCRYPT && 331 ilen < block_size - ctx->unprocessed_len ) ) 332 { 333 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 334 ilen ); 335 336 ctx->unprocessed_len += ilen; 337 return( 0 ); 338 } 339 340 /* 341 * Process cached data first 342 */ 343 if( 0 != ctx->unprocessed_len ) 344 { 345 copy_len = block_size - ctx->unprocessed_len; 346 347 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 348 copy_len ); 349 350 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 351 ctx->operation, block_size, ctx->iv, 352 ctx->unprocessed_data, output ) ) ) 353 { 354 return( ret ); 355 } 356 357 *olen += block_size; 358 output += block_size; 359 ctx->unprocessed_len = 0; 360 361 input += copy_len; 362 ilen -= copy_len; 363 } 364 365 /* 366 * Cache final, incomplete block 367 */ 368 if( 0 != ilen ) 369 { 370 if( 0 == block_size ) 371 { 372 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; 373 } 374 375 copy_len = ilen % block_size; 376 if( copy_len == 0 && ctx->operation == MBEDTLS_DECRYPT ) 377 copy_len = block_size; 378 379 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ), 380 copy_len ); 381 382 ctx->unprocessed_len += copy_len; 383 ilen -= copy_len; 384 } 385 386 /* 387 * Process remaining full blocks 388 */ 389 if( ilen ) 390 { 391 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 392 ctx->operation, ilen, ctx->iv, input, output ) ) ) 393 { 394 return( ret ); 395 } 396 397 *olen += ilen; 398 } 399 400 return( 0 ); 401 } 402 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 403 404 #if defined(MBEDTLS_CIPHER_MODE_CFB) 405 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB ) 406 { 407 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx, 408 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv, 409 input, output ) ) ) 410 { 411 return( ret ); 412 } 413 414 *olen = ilen; 415 416 return( 0 ); 417 } 418 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 419 420 #if defined(MBEDTLS_CIPHER_MODE_CTR) 421 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR ) 422 { 423 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx, 424 ilen, &ctx->unprocessed_len, ctx->iv, 425 ctx->unprocessed_data, input, output ) ) ) 426 { 427 return( ret ); 428 } 429 430 *olen = ilen; 431 432 return( 0 ); 433 } 434 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 435 436 #if defined(MBEDTLS_CIPHER_MODE_STREAM) 437 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM ) 438 { 439 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx, 440 ilen, input, output ) ) ) 441 { 442 return( ret ); 443 } 444 445 *olen = ilen; 446 447 return( 0 ); 448 } 449 #endif /* MBEDTLS_CIPHER_MODE_STREAM */ 450 451 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 452 } 453 454 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 455 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 456 /* 457 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 458 */ 459 static void add_pkcs_padding( unsigned char *output, size_t output_len, 460 size_t data_len ) 461 { 462 size_t padding_len = output_len - data_len; 463 unsigned char i; 464 465 for( i = 0; i < padding_len; i++ ) 466 output[data_len + i] = (unsigned char) padding_len; 467 } 468 469 static int get_pkcs_padding( unsigned char *input, size_t input_len, 470 size_t *data_len ) 471 { 472 size_t i, pad_idx; 473 unsigned char padding_len, bad = 0; 474 475 if( NULL == input || NULL == data_len ) 476 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 477 478 padding_len = input[input_len - 1]; 479 *data_len = input_len - padding_len; 480 481 /* Avoid logical || since it results in a branch */ 482 bad |= padding_len > input_len; 483 bad |= padding_len == 0; 484 485 /* The number of bytes checked must be independent of padding_len, 486 * so pick input_len, which is usually 8 or 16 (one block) */ 487 pad_idx = input_len - padding_len; 488 for( i = 0; i < input_len; i++ ) 489 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx ); 490 491 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 492 } 493 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 494 495 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 496 /* 497 * One and zeros padding: fill with 80 00 ... 00 498 */ 499 static void add_one_and_zeros_padding( unsigned char *output, 500 size_t output_len, size_t data_len ) 501 { 502 size_t padding_len = output_len - data_len; 503 unsigned char i = 0; 504 505 output[data_len] = 0x80; 506 for( i = 1; i < padding_len; i++ ) 507 output[data_len + i] = 0x00; 508 } 509 510 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len, 511 size_t *data_len ) 512 { 513 size_t i; 514 unsigned char done = 0, prev_done, bad; 515 516 if( NULL == input || NULL == data_len ) 517 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 518 519 bad = 0xFF; 520 *data_len = 0; 521 for( i = input_len; i > 0; i-- ) 522 { 523 prev_done = done; 524 done |= ( input[i-1] != 0 ); 525 *data_len |= ( i - 1 ) * ( done != prev_done ); 526 bad &= ( input[i-1] ^ 0x80 ) | ( done == prev_done ); 527 } 528 529 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 530 531 } 532 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 533 534 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 535 /* 536 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 537 */ 538 static void add_zeros_and_len_padding( unsigned char *output, 539 size_t output_len, size_t data_len ) 540 { 541 size_t padding_len = output_len - data_len; 542 unsigned char i = 0; 543 544 for( i = 1; i < padding_len; i++ ) 545 output[data_len + i - 1] = 0x00; 546 output[output_len - 1] = (unsigned char) padding_len; 547 } 548 549 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len, 550 size_t *data_len ) 551 { 552 size_t i, pad_idx; 553 unsigned char padding_len, bad = 0; 554 555 if( NULL == input || NULL == data_len ) 556 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 557 558 padding_len = input[input_len - 1]; 559 *data_len = input_len - padding_len; 560 561 /* Avoid logical || since it results in a branch */ 562 bad |= padding_len > input_len; 563 bad |= padding_len == 0; 564 565 /* The number of bytes checked must be independent of padding_len */ 566 pad_idx = input_len - padding_len; 567 for( i = 0; i < input_len - 1; i++ ) 568 bad |= input[i] * ( i >= pad_idx ); 569 570 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); 571 } 572 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 573 574 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 575 /* 576 * Zero padding: fill with 00 ... 00 577 */ 578 static void add_zeros_padding( unsigned char *output, 579 size_t output_len, size_t data_len ) 580 { 581 size_t i; 582 583 for( i = data_len; i < output_len; i++ ) 584 output[i] = 0x00; 585 } 586 587 static int get_zeros_padding( unsigned char *input, size_t input_len, 588 size_t *data_len ) 589 { 590 size_t i; 591 unsigned char done = 0, prev_done; 592 593 if( NULL == input || NULL == data_len ) 594 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 595 596 *data_len = 0; 597 for( i = input_len; i > 0; i-- ) 598 { 599 prev_done = done; 600 done |= ( input[i-1] != 0 ); 601 *data_len |= i * ( done != prev_done ); 602 } 603 604 return( 0 ); 605 } 606 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 607 608 /* 609 * No padding: don't pad :) 610 * 611 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 612 * but a trivial get_padding function 613 */ 614 static int get_no_padding( unsigned char *input, size_t input_len, 615 size_t *data_len ) 616 { 617 if( NULL == input || NULL == data_len ) 618 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 619 620 *data_len = input_len; 621 622 return( 0 ); 623 } 624 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 625 626 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx, 627 unsigned char *output, size_t *olen ) 628 { 629 if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen ) 630 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 631 632 *olen = 0; 633 634 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode || 635 MBEDTLS_MODE_CTR == ctx->cipher_info->mode || 636 MBEDTLS_MODE_GCM == ctx->cipher_info->mode || 637 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode ) 638 { 639 return( 0 ); 640 } 641 642 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode ) 643 { 644 if( ctx->unprocessed_len != 0 ) 645 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 646 647 return( 0 ); 648 } 649 650 #if defined(MBEDTLS_CIPHER_MODE_CBC) 651 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode ) 652 { 653 int ret = 0; 654 655 if( MBEDTLS_ENCRYPT == ctx->operation ) 656 { 657 /* check for 'no padding' mode */ 658 if( NULL == ctx->add_padding ) 659 { 660 if( 0 != ctx->unprocessed_len ) 661 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 662 663 return( 0 ); 664 } 665 666 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ), 667 ctx->unprocessed_len ); 668 } 669 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len ) 670 { 671 /* 672 * For decrypt operations, expect a full block, 673 * or an empty block if no padding 674 */ 675 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len ) 676 return( 0 ); 677 678 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); 679 } 680 681 /* cipher block */ 682 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 683 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv, 684 ctx->unprocessed_data, output ) ) ) 685 { 686 return( ret ); 687 } 688 689 /* Set output size for decryption */ 690 if( MBEDTLS_DECRYPT == ctx->operation ) 691 return ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ), 692 olen ); 693 694 /* Set output size for encryption */ 695 *olen = mbedtls_cipher_get_block_size( ctx ); 696 return( 0 ); 697 } 698 #else 699 ((void) output); 700 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 701 702 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 703 } 704 705 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 706 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode ) 707 { 708 if( NULL == ctx || 709 MBEDTLS_MODE_CBC != ctx->cipher_info->mode ) 710 { 711 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 712 } 713 714 switch( mode ) 715 { 716 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 717 case MBEDTLS_PADDING_PKCS7: 718 ctx->add_padding = add_pkcs_padding; 719 ctx->get_padding = get_pkcs_padding; 720 break; 721 #endif 722 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 723 case MBEDTLS_PADDING_ONE_AND_ZEROS: 724 ctx->add_padding = add_one_and_zeros_padding; 725 ctx->get_padding = get_one_and_zeros_padding; 726 break; 727 #endif 728 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 729 case MBEDTLS_PADDING_ZEROS_AND_LEN: 730 ctx->add_padding = add_zeros_and_len_padding; 731 ctx->get_padding = get_zeros_and_len_padding; 732 break; 733 #endif 734 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 735 case MBEDTLS_PADDING_ZEROS: 736 ctx->add_padding = add_zeros_padding; 737 ctx->get_padding = get_zeros_padding; 738 break; 739 #endif 740 case MBEDTLS_PADDING_NONE: 741 ctx->add_padding = NULL; 742 ctx->get_padding = get_no_padding; 743 break; 744 745 default: 746 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 747 } 748 749 return( 0 ); 750 } 751 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 752 753 #if defined(MBEDTLS_GCM_C) 754 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx, 755 unsigned char *tag, size_t tag_len ) 756 { 757 if( NULL == ctx || NULL == ctx->cipher_info || NULL == tag ) 758 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 759 760 if( MBEDTLS_ENCRYPT != ctx->operation ) 761 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 762 763 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 764 return mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, tag, tag_len ); 765 766 return( 0 ); 767 } 768 769 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, 770 const unsigned char *tag, size_t tag_len ) 771 { 772 int ret; 773 774 if( NULL == ctx || NULL == ctx->cipher_info || 775 MBEDTLS_DECRYPT != ctx->operation ) 776 { 777 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 778 } 779 780 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 781 { 782 unsigned char check_tag[16]; 783 size_t i; 784 int diff; 785 786 if( tag_len > sizeof( check_tag ) ) 787 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); 788 789 if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, 790 check_tag, tag_len ) ) ) 791 { 792 return( ret ); 793 } 794 795 /* Check the tag in "constant-time" */ 796 for( diff = 0, i = 0; i < tag_len; i++ ) 797 diff |= tag[i] ^ check_tag[i]; 798 799 if( diff != 0 ) 800 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); 801 802 return( 0 ); 803 } 804 805 return( 0 ); 806 } 807 #endif /* MBEDTLS_GCM_C */ 808 809 /* 810 * Packet-oriented wrapper for non-AEAD modes 811 */ 812 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, 813 const unsigned char *iv, size_t iv_len, 814 const unsigned char *input, size_t ilen, 815 unsigned char *output, size_t *olen ) 816 { 817 int ret; 818 size_t finish_olen; 819 820 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 ) 821 return( ret ); 822 823 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 ) 824 return( ret ); 825 826 if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 ) 827 return( ret ); 828 829 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 ) 830 return( ret ); 831 832 *olen += finish_olen; 833 834 return( 0 ); 835 } 836 837 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 838 /* 839 * Packet-oriented encryption for AEAD modes 840 */ 841 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, 842 const unsigned char *iv, size_t iv_len, 843 const unsigned char *ad, size_t ad_len, 844 const unsigned char *input, size_t ilen, 845 unsigned char *output, size_t *olen, 846 unsigned char *tag, size_t tag_len ) 847 { 848 #if defined(MBEDTLS_GCM_C) 849 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 850 { 851 *olen = ilen; 852 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen, 853 iv, iv_len, ad, ad_len, input, output, 854 tag_len, tag ) ); 855 } 856 #endif /* MBEDTLS_GCM_C */ 857 #if defined(MBEDTLS_CCM_C) 858 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode ) 859 { 860 *olen = ilen; 861 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen, 862 iv, iv_len, ad, ad_len, input, output, 863 tag, tag_len ) ); 864 } 865 #endif /* MBEDTLS_CCM_C */ 866 867 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 868 } 869 870 /* 871 * Packet-oriented decryption for AEAD modes 872 */ 873 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, 874 const unsigned char *iv, size_t iv_len, 875 const unsigned char *ad, size_t ad_len, 876 const unsigned char *input, size_t ilen, 877 unsigned char *output, size_t *olen, 878 const unsigned char *tag, size_t tag_len ) 879 { 880 #if defined(MBEDTLS_GCM_C) 881 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) 882 { 883 int ret; 884 885 *olen = ilen; 886 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen, 887 iv, iv_len, ad, ad_len, 888 tag, tag_len, input, output ); 889 890 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED ) 891 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 892 893 return( ret ); 894 } 895 #endif /* MBEDTLS_GCM_C */ 896 #if defined(MBEDTLS_CCM_C) 897 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode ) 898 { 899 int ret; 900 901 *olen = ilen; 902 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen, 903 iv, iv_len, ad, ad_len, 904 input, output, tag, tag_len ); 905 906 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED ) 907 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 908 909 return( ret ); 910 } 911 #endif /* MBEDTLS_CCM_C */ 912 913 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); 914 } 915 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 916 917 #endif /* MBEDTLS_CIPHER_C */ 918