1 /** 2 * \file cipher.c 3 * 4 * \brief Generic cipher wrapper for Mbed TLS 5 * 6 * \author Adriaan de Jong <dejong@fox-it.com> 7 * 8 * Copyright The Mbed TLS Contributors 9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 10 */ 11 12 #include "common.h" 13 14 #if defined(MBEDTLS_CIPHER_C) 15 16 #include "mbedtls/cipher.h" 17 #include "cipher_invasive.h" 18 #include "cipher_wrap.h" 19 #include "mbedtls/platform_util.h" 20 #include "mbedtls/error.h" 21 #include "mbedtls/constant_time.h" 22 #include "constant_time_internal.h" 23 24 #include <stdlib.h> 25 #include <string.h> 26 27 #if defined(MBEDTLS_CHACHAPOLY_C) 28 #include "mbedtls/chachapoly.h" 29 #endif 30 31 #if defined(MBEDTLS_GCM_C) 32 #include "mbedtls/gcm.h" 33 #endif 34 35 #if defined(MBEDTLS_CCM_C) 36 #include "mbedtls/ccm.h" 37 #endif 38 39 #if defined(MBEDTLS_CHACHA20_C) 40 #include "mbedtls/chacha20.h" 41 #endif 42 43 #if defined(MBEDTLS_CMAC_C) 44 #include "mbedtls/cmac.h" 45 #endif 46 47 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 48 #include "psa/crypto.h" 49 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 50 51 #if defined(MBEDTLS_NIST_KW_C) 52 #include "mbedtls/nist_kw.h" 53 #endif 54 55 #include "mbedtls/platform.h" 56 57 static int supported_init = 0; 58 59 static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base( 60 const mbedtls_cipher_info_t *info) 61 { 62 return mbedtls_cipher_base_lookup_table[info->base_idx]; 63 } 64 65 const int *mbedtls_cipher_list(void) 66 { 67 const mbedtls_cipher_definition_t *def; 68 int *type; 69 70 if (!supported_init) { 71 def = mbedtls_cipher_definitions; 72 type = mbedtls_cipher_supported; 73 74 while (def->type != 0) { 75 *type++ = (*def++).type; 76 } 77 78 *type = 0; 79 80 supported_init = 1; 81 } 82 83 return mbedtls_cipher_supported; 84 } 85 86 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( 87 const mbedtls_cipher_type_t cipher_type) 88 { 89 const mbedtls_cipher_definition_t *def; 90 91 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 92 if (def->type == cipher_type) { 93 return def->info; 94 } 95 } 96 97 return NULL; 98 } 99 100 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( 101 const char *cipher_name) 102 { 103 const mbedtls_cipher_definition_t *def; 104 105 if (NULL == cipher_name) { 106 return NULL; 107 } 108 109 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 110 if (!strcmp(def->info->name, cipher_name)) { 111 return def->info; 112 } 113 } 114 115 return NULL; 116 } 117 118 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( 119 const mbedtls_cipher_id_t cipher_id, 120 int key_bitlen, 121 const mbedtls_cipher_mode_t mode) 122 { 123 const mbedtls_cipher_definition_t *def; 124 125 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 126 if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id && 127 mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen && 128 def->info->mode == mode) { 129 return def->info; 130 } 131 } 132 133 return NULL; 134 } 135 136 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 137 static inline psa_key_type_t mbedtls_psa_translate_cipher_type( 138 mbedtls_cipher_type_t cipher) 139 { 140 switch (cipher) { 141 case MBEDTLS_CIPHER_AES_128_CCM: 142 case MBEDTLS_CIPHER_AES_192_CCM: 143 case MBEDTLS_CIPHER_AES_256_CCM: 144 case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG: 145 case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG: 146 case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG: 147 case MBEDTLS_CIPHER_AES_128_GCM: 148 case MBEDTLS_CIPHER_AES_192_GCM: 149 case MBEDTLS_CIPHER_AES_256_GCM: 150 case MBEDTLS_CIPHER_AES_128_CBC: 151 case MBEDTLS_CIPHER_AES_192_CBC: 152 case MBEDTLS_CIPHER_AES_256_CBC: 153 case MBEDTLS_CIPHER_AES_128_ECB: 154 case MBEDTLS_CIPHER_AES_192_ECB: 155 case MBEDTLS_CIPHER_AES_256_ECB: 156 return PSA_KEY_TYPE_AES; 157 158 /* ARIA not yet supported in PSA. */ 159 /* case MBEDTLS_CIPHER_ARIA_128_CCM: 160 case MBEDTLS_CIPHER_ARIA_192_CCM: 161 case MBEDTLS_CIPHER_ARIA_256_CCM: 162 case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG: 163 case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG: 164 case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG: 165 case MBEDTLS_CIPHER_ARIA_128_GCM: 166 case MBEDTLS_CIPHER_ARIA_192_GCM: 167 case MBEDTLS_CIPHER_ARIA_256_GCM: 168 case MBEDTLS_CIPHER_ARIA_128_CBC: 169 case MBEDTLS_CIPHER_ARIA_192_CBC: 170 case MBEDTLS_CIPHER_ARIA_256_CBC: 171 return( PSA_KEY_TYPE_ARIA ); */ 172 173 default: 174 return 0; 175 } 176 } 177 178 static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode( 179 mbedtls_cipher_mode_t mode, size_t taglen) 180 { 181 switch (mode) { 182 case MBEDTLS_MODE_ECB: 183 return PSA_ALG_ECB_NO_PADDING; 184 case MBEDTLS_MODE_GCM: 185 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen); 186 case MBEDTLS_MODE_CCM: 187 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen); 188 case MBEDTLS_MODE_CCM_STAR_NO_TAG: 189 return PSA_ALG_CCM_STAR_NO_TAG; 190 case MBEDTLS_MODE_CBC: 191 if (taglen == 0) { 192 return PSA_ALG_CBC_NO_PADDING; 193 } else { 194 return 0; 195 } 196 default: 197 return 0; 198 } 199 } 200 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 201 202 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx) 203 { 204 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 205 } 206 207 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx) 208 { 209 if (ctx == NULL) { 210 return; 211 } 212 213 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 214 if (ctx->psa_enabled == 1) { 215 if (ctx->cipher_ctx != NULL) { 216 mbedtls_cipher_context_psa * const cipher_psa = 217 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 218 219 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) { 220 /* xxx_free() doesn't allow to return failures. */ 221 (void) psa_destroy_key(cipher_psa->slot); 222 } 223 224 mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa)); 225 } 226 227 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 228 return; 229 } 230 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 231 232 #if defined(MBEDTLS_CMAC_C) 233 if (ctx->cmac_ctx) { 234 mbedtls_zeroize_and_free(ctx->cmac_ctx, 235 sizeof(mbedtls_cmac_context_t)); 236 } 237 #endif 238 239 if (ctx->cipher_ctx) { 240 mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx); 241 } 242 243 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 244 } 245 246 int mbedtls_cipher_clone(mbedtls_cipher_context_t *dst, 247 const mbedtls_cipher_context_t *src) 248 { 249 if (dst == NULL || dst->cipher_info == NULL || 250 src == NULL || src->cipher_info == NULL) { 251 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 252 } 253 254 dst->cipher_info = src->cipher_info; 255 dst->key_bitlen = src->key_bitlen; 256 dst->operation = src->operation; 257 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 258 dst->add_padding = src->add_padding; 259 dst->get_padding = src->get_padding; 260 #endif 261 memcpy(dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH); 262 dst->unprocessed_len = src->unprocessed_len; 263 memcpy(dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH); 264 dst->iv_size = src->iv_size; 265 if (mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func) 266 mbedtls_cipher_get_base(dst->cipher_info)->ctx_clone_func(dst->cipher_ctx, src->cipher_ctx); 267 268 #if defined(MBEDTLS_CMAC_C) 269 if (dst->cmac_ctx != NULL && src->cmac_ctx != NULL) 270 memcpy(dst->cmac_ctx, src->cmac_ctx, sizeof(mbedtls_cmac_context_t)); 271 #endif 272 return 0; 273 } 274 275 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, 276 const mbedtls_cipher_info_t *cipher_info) 277 { 278 if (cipher_info == NULL) { 279 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 280 } 281 282 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 283 284 if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) { 285 ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func(); 286 if (ctx->cipher_ctx == NULL) { 287 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 288 } 289 } 290 291 ctx->cipher_info = cipher_info; 292 293 return 0; 294 } 295 296 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 297 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx, 298 const mbedtls_cipher_info_t *cipher_info, 299 size_t taglen) 300 { 301 psa_algorithm_t alg; 302 mbedtls_cipher_context_psa *cipher_psa; 303 304 if (NULL == cipher_info || NULL == ctx) { 305 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 306 } 307 308 /* Check that the underlying cipher mode and cipher type are 309 * supported by the underlying PSA Crypto implementation. */ 310 alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen); 311 if (alg == 0) { 312 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 313 } 314 if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) { 315 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 316 } 317 318 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 319 320 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa)); 321 if (cipher_psa == NULL) { 322 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 323 } 324 cipher_psa->alg = alg; 325 ctx->cipher_ctx = cipher_psa; 326 ctx->cipher_info = cipher_info; 327 ctx->psa_enabled = 1; 328 return 0; 329 } 330 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 331 332 int mbedtls_cipher_setup_info(mbedtls_cipher_context_t *ctx, 333 const mbedtls_cipher_info_t *cipher_info) 334 { 335 if (NULL == cipher_info || NULL == ctx) 336 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 337 338 ctx->cipher_info = cipher_info; 339 return 0; 340 } 341 342 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, 343 const unsigned char *key, 344 int key_bitlen, 345 const mbedtls_operation_t operation) 346 { 347 if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) { 348 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 349 } 350 if (ctx->cipher_info == NULL) { 351 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 352 } 353 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 354 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) && 355 MBEDTLS_DECRYPT == operation) { 356 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 357 } 358 #endif 359 360 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 361 if (ctx->psa_enabled == 1) { 362 mbedtls_cipher_context_psa * const cipher_psa = 363 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 364 365 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8; 366 367 psa_status_t status; 368 psa_key_type_t key_type; 369 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 370 371 /* PSA Crypto API only accepts byte-aligned keys. */ 372 if (key_bitlen % 8 != 0) { 373 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 374 } 375 376 /* Don't allow keys to be set multiple times. */ 377 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) { 378 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 379 } 380 381 key_type = mbedtls_psa_translate_cipher_type( 382 ((mbedtls_cipher_type_t) ctx->cipher_info->type)); 383 if (key_type == 0) { 384 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 385 } 386 psa_set_key_type(&attributes, key_type); 387 388 /* Mbed TLS' cipher layer doesn't enforce the mode of operation 389 * (encrypt vs. decrypt): it is possible to setup a key for encryption 390 * and use it for AEAD decryption. Until tests relying on this 391 * are changed, allow any usage in PSA. */ 392 psa_set_key_usage_flags(&attributes, 393 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 394 psa_set_key_algorithm(&attributes, cipher_psa->alg); 395 396 status = psa_import_key(&attributes, key, key_bytelen, 397 &cipher_psa->slot); 398 switch (status) { 399 case PSA_SUCCESS: 400 break; 401 case PSA_ERROR_INSUFFICIENT_MEMORY: 402 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 403 case PSA_ERROR_NOT_SUPPORTED: 404 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 405 default: 406 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 407 } 408 /* Indicate that we own the key slot and need to 409 * destroy it in mbedtls_cipher_free(). */ 410 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED; 411 412 ctx->key_bitlen = key_bitlen; 413 ctx->operation = operation; 414 return 0; 415 } 416 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 417 418 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 && 419 (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) { 420 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 421 } 422 423 ctx->key_bitlen = key_bitlen; 424 ctx->operation = operation; 425 426 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 427 /* 428 * For OFB, CFB and CTR mode always use the encryption key schedule 429 */ 430 if (MBEDTLS_ENCRYPT == operation || 431 MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 432 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 433 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 434 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, 435 ctx->key_bitlen); 436 } 437 438 if (MBEDTLS_DECRYPT == operation) { 439 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key, 440 ctx->key_bitlen); 441 } 442 #else 443 if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) { 444 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, 445 ctx->key_bitlen); 446 } 447 #endif 448 449 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 450 } 451 452 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx, 453 const unsigned char *iv, 454 size_t iv_len) 455 { 456 size_t actual_iv_size; 457 458 if (ctx->cipher_info == NULL) { 459 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 460 } 461 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 462 if (ctx->psa_enabled == 1) { 463 /* While PSA Crypto has an API for multipart 464 * operations, we currently don't make it 465 * accessible through the cipher layer. */ 466 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 467 } 468 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 469 470 /* avoid buffer overflow in ctx->iv */ 471 if (iv_len > MBEDTLS_MAX_IV_LENGTH) { 472 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 473 } 474 475 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) { 476 actual_iv_size = iv_len; 477 } else { 478 actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info); 479 480 /* avoid reading past the end of input buffer */ 481 if (actual_iv_size > iv_len) { 482 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 483 } 484 } 485 486 #if defined(MBEDTLS_CHACHA20_C) 487 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) { 488 /* Even though the actual_iv_size is overwritten with a correct value 489 * of 12 from the cipher info, return an error to indicate that 490 * the input iv_len is wrong. */ 491 if (iv_len != 12) { 492 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 493 } 494 495 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx, 496 iv, 497 0U)) { /* Initial counter value */ 498 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 499 } 500 } 501 #if defined(MBEDTLS_CHACHAPOLY_C) 502 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 && 503 iv_len != 12) { 504 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 505 } 506 #endif 507 #endif 508 509 #if defined(MBEDTLS_GCM_C) 510 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 511 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, 512 ctx->operation, 513 iv, iv_len); 514 } 515 #endif 516 517 #if defined(MBEDTLS_CCM_C) 518 if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 519 int set_lengths_result; 520 int ccm_star_mode; 521 522 set_lengths_result = mbedtls_ccm_set_lengths( 523 (mbedtls_ccm_context *) ctx->cipher_ctx, 524 0, 0, 0); 525 if (set_lengths_result != 0) { 526 return set_lengths_result; 527 } 528 529 if (ctx->operation == MBEDTLS_DECRYPT) { 530 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT; 531 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 532 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT; 533 } else { 534 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 535 } 536 537 return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx, 538 ccm_star_mode, 539 iv, iv_len); 540 } 541 #endif 542 543 if (actual_iv_size != 0) { 544 memcpy(ctx->iv, iv, actual_iv_size); 545 ctx->iv_size = actual_iv_size; 546 } 547 548 return 0; 549 } 550 551 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx) 552 { 553 if (ctx->cipher_info == NULL) { 554 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 555 } 556 557 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 558 if (ctx->psa_enabled == 1) { 559 /* We don't support resetting PSA-based 560 * cipher contexts, yet. */ 561 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 562 } 563 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 564 565 ctx->unprocessed_len = 0; 566 567 return 0; 568 } 569 570 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 571 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx, 572 const unsigned char *ad, size_t ad_len) 573 { 574 if (ctx->cipher_info == NULL) { 575 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 576 } 577 578 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 579 if (ctx->psa_enabled == 1) { 580 /* While PSA Crypto has an API for multipart 581 * operations, we currently don't make it 582 * accessible through the cipher layer. */ 583 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 584 } 585 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 586 587 #if defined(MBEDTLS_GCM_C) 588 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 589 return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx, 590 ad, ad_len); 591 } 592 #endif 593 594 #if defined(MBEDTLS_CHACHAPOLY_C) 595 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 596 int result; 597 mbedtls_chachapoly_mode_t mode; 598 599 mode = (ctx->operation == MBEDTLS_ENCRYPT) 600 ? MBEDTLS_CHACHAPOLY_ENCRYPT 601 : MBEDTLS_CHACHAPOLY_DECRYPT; 602 603 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx, 604 ctx->iv, 605 mode); 606 if (result != 0) { 607 return result; 608 } 609 610 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx, 611 ad, ad_len); 612 } 613 #endif 614 615 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 616 } 617 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 618 619 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, 620 size_t ilen, unsigned char *output, size_t *olen) 621 { 622 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 623 size_t block_size; 624 625 if (ctx->cipher_info == NULL) { 626 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 627 } 628 629 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 630 if (ctx->psa_enabled == 1) { 631 /* While PSA Crypto has an API for multipart 632 * operations, we currently don't make it 633 * accessible through the cipher layer. */ 634 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 635 } 636 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 637 638 *olen = 0; 639 block_size = mbedtls_cipher_get_block_size(ctx); 640 if (0 == block_size) { 641 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; 642 } 643 644 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) { 645 if (ilen != block_size) { 646 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 647 } 648 649 *olen = ilen; 650 651 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx, 652 ctx->operation, input, 653 output))) { 654 return ret; 655 } 656 657 return 0; 658 } 659 660 #if defined(MBEDTLS_GCM_C) 661 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) { 662 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, 663 input, ilen, 664 output, ilen, olen); 665 } 666 #endif 667 668 #if defined(MBEDTLS_CCM_C) 669 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) { 670 return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx, 671 input, ilen, 672 output, ilen, olen); 673 } 674 #endif 675 676 #if defined(MBEDTLS_CHACHAPOLY_C) 677 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) { 678 *olen = ilen; 679 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx, 680 ilen, input, output); 681 } 682 #endif 683 684 if (input == output && 685 (ctx->unprocessed_len != 0 || ilen % block_size)) { 686 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 687 } 688 689 #if defined(MBEDTLS_CIPHER_MODE_CBC) 690 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) { 691 size_t copy_len = 0; 692 693 /* 694 * If there is not enough data for a full block, cache it. 695 */ 696 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 697 ilen <= block_size - ctx->unprocessed_len) || 698 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 699 ilen < block_size - ctx->unprocessed_len) || 700 (ctx->operation == MBEDTLS_ENCRYPT && 701 ilen < block_size - ctx->unprocessed_len)) { 702 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 703 ilen); 704 705 ctx->unprocessed_len += ilen; 706 return 0; 707 } 708 709 /* 710 * Process cached data first 711 */ 712 if (0 != ctx->unprocessed_len) { 713 copy_len = block_size - ctx->unprocessed_len; 714 715 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 716 copy_len); 717 718 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 719 ctx->operation, 720 block_size, ctx->iv, 721 ctx-> 722 unprocessed_data, 723 output))) { 724 return ret; 725 } 726 727 *olen += block_size; 728 output += block_size; 729 ctx->unprocessed_len = 0; 730 731 input += copy_len; 732 ilen -= copy_len; 733 } 734 735 /* 736 * Cache final, incomplete block 737 */ 738 if (0 != ilen) { 739 /* Encryption: only cache partial blocks 740 * Decryption w/ padding: always keep at least one whole block 741 * Decryption w/o padding: only cache partial blocks 742 */ 743 copy_len = ilen % block_size; 744 if (copy_len == 0 && 745 ctx->operation == MBEDTLS_DECRYPT && 746 NULL != ctx->add_padding) { 747 copy_len = block_size; 748 } 749 750 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]), 751 copy_len); 752 753 ctx->unprocessed_len += copy_len; 754 ilen -= copy_len; 755 } 756 757 /* 758 * Process remaining full blocks 759 */ 760 if (ilen) { 761 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 762 ctx->operation, 763 ilen, ctx->iv, 764 input, 765 output))) { 766 return ret; 767 } 768 769 *olen += ilen; 770 } 771 772 return 0; 773 } 774 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 775 776 #if defined(MBEDTLS_CIPHER_MODE_CFB) 777 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) { 778 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx, 779 ctx->operation, ilen, 780 &ctx->unprocessed_len, 781 ctx->iv, 782 input, output))) { 783 return ret; 784 } 785 786 *olen = ilen; 787 788 return 0; 789 } 790 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 791 792 #if defined(MBEDTLS_CIPHER_MODE_OFB) 793 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) { 794 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx, 795 ilen, 796 &ctx->unprocessed_len, 797 ctx->iv, 798 input, output))) { 799 return ret; 800 } 801 802 *olen = ilen; 803 804 return 0; 805 } 806 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 807 808 #if defined(MBEDTLS_CIPHER_MODE_CTR) 809 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) { 810 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx, 811 ilen, 812 &ctx->unprocessed_len, 813 ctx->iv, 814 ctx->unprocessed_data, 815 input, output))) { 816 return ret; 817 } 818 819 *olen = ilen; 820 821 return 0; 822 } 823 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 824 825 #if defined(MBEDTLS_CIPHER_MODE_XTS) 826 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) { 827 if (ctx->unprocessed_len > 0) { 828 /* We can only process an entire data unit at a time. */ 829 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 830 } 831 832 ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx, 833 ctx->operation, 834 ilen, 835 ctx->iv, 836 input, 837 output); 838 if (ret != 0) { 839 return ret; 840 } 841 842 *olen = ilen; 843 844 return 0; 845 } 846 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 847 848 #if defined(MBEDTLS_CIPHER_MODE_STREAM) 849 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) { 850 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx, 851 ilen, input, 852 output))) { 853 return ret; 854 } 855 856 *olen = ilen; 857 858 return 0; 859 } 860 #endif /* MBEDTLS_CIPHER_MODE_STREAM */ 861 862 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 863 } 864 865 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 866 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 867 /* 868 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 869 */ 870 static void add_pkcs_padding(unsigned char *output, size_t output_len, 871 size_t data_len) 872 { 873 size_t padding_len = output_len - data_len; 874 unsigned char i; 875 876 for (i = 0; i < padding_len; i++) { 877 output[data_len + i] = (unsigned char) padding_len; 878 } 879 } 880 881 /* 882 * Get the length of the PKCS7 padding. 883 * 884 * Note: input_len must be the block size of the cipher. 885 */ 886 MBEDTLS_STATIC_TESTABLE int mbedtls_get_pkcs_padding(unsigned char *input, 887 size_t input_len, 888 size_t *data_len, 889 size_t *invalid_padding) 890 { 891 size_t i, pad_idx; 892 unsigned char padding_len; 893 894 if (NULL == input || NULL == data_len) { 895 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 896 } 897 898 padding_len = input[input_len - 1]; 899 900 mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len); 901 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); 902 903 /* The number of bytes checked must be independent of padding_len, 904 * so pick input_len, which is usually 8 or 16 (one block) */ 905 pad_idx = input_len - padding_len; 906 for (i = 0; i < input_len; i++) { 907 mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx); 908 mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len); 909 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different)); 910 } 911 912 /* If the padding is invalid, set the output length to 0 */ 913 *data_len = mbedtls_ct_if(bad, 0, input_len - padding_len); 914 915 *invalid_padding = mbedtls_ct_size_if_else_0(bad, SIZE_MAX); 916 return 0; 917 } 918 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 919 920 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 921 /* 922 * One and zeros padding: fill with 80 00 ... 00 923 */ 924 static void add_one_and_zeros_padding(unsigned char *output, 925 size_t output_len, size_t data_len) 926 { 927 size_t padding_len = output_len - data_len; 928 unsigned char i = 0; 929 930 output[data_len] = 0x80; 931 for (i = 1; i < padding_len; i++) { 932 output[data_len + i] = 0x00; 933 } 934 } 935 936 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len, 937 size_t *data_len, size_t *invalid_padding) 938 { 939 if (NULL == input || NULL == data_len) { 940 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 941 } 942 943 mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE; 944 mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE; 945 946 *data_len = 0; 947 948 for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) { 949 mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]); 950 951 mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding); 952 953 *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len); 954 955 bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad); 956 957 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero)); 958 } 959 960 *invalid_padding = mbedtls_ct_size_if_else_0(bad, SIZE_MAX); 961 return 0; 962 } 963 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 964 965 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 966 /* 967 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 968 */ 969 static void add_zeros_and_len_padding(unsigned char *output, 970 size_t output_len, size_t data_len) 971 { 972 size_t padding_len = output_len - data_len; 973 unsigned char i = 0; 974 975 for (i = 1; i < padding_len; i++) { 976 output[data_len + i - 1] = 0x00; 977 } 978 output[output_len - 1] = (unsigned char) padding_len; 979 } 980 981 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len, 982 size_t *data_len, size_t *invalid_padding) 983 { 984 size_t i, pad_idx; 985 unsigned char padding_len; 986 mbedtls_ct_condition_t bad; 987 988 if (NULL == input || NULL == data_len) { 989 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 990 } 991 992 padding_len = input[input_len - 1]; 993 *data_len = input_len - padding_len; 994 995 /* Avoid logical || since it results in a branch */ 996 bad = mbedtls_ct_uint_gt(padding_len, input_len); 997 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); 998 999 /* The number of bytes checked must be independent of padding_len */ 1000 pad_idx = input_len - padding_len; 1001 for (i = 0; i < input_len - 1; i++) { 1002 mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx); 1003 mbedtls_ct_condition_t nonzero_pad_byte; 1004 nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i])); 1005 bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte); 1006 } 1007 1008 *invalid_padding = mbedtls_ct_size_if_else_0(bad, SIZE_MAX); 1009 return 0; 1010 } 1011 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 1012 1013 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1014 /* 1015 * Zero padding: fill with 00 ... 00 1016 */ 1017 static void add_zeros_padding(unsigned char *output, 1018 size_t output_len, size_t data_len) 1019 { 1020 memset(output + data_len, 0, output_len - data_len); 1021 } 1022 1023 static int get_zeros_padding(unsigned char *input, size_t input_len, 1024 size_t *data_len, size_t *invalid_padding) 1025 { 1026 size_t i; 1027 mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done; 1028 1029 if (NULL == input || NULL == data_len) { 1030 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1031 } 1032 1033 *data_len = 0; 1034 for (i = input_len; i > 0; i--) { 1035 prev_done = done; 1036 done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0)); 1037 *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len); 1038 } 1039 1040 *invalid_padding = 0; 1041 return 0; 1042 } 1043 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 1044 1045 /* 1046 * No padding: don't pad :) 1047 * 1048 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 1049 * but a trivial get_padding function 1050 */ 1051 static int get_no_padding(unsigned char *input, size_t input_len, 1052 size_t *data_len, size_t *invalid_padding) 1053 { 1054 if (NULL == input || NULL == data_len) { 1055 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1056 } 1057 1058 *data_len = input_len; 1059 *invalid_padding = 0; 1060 return 0; 1061 } 1062 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1063 1064 int mbedtls_cipher_finish_padded(mbedtls_cipher_context_t *ctx, 1065 unsigned char *output, size_t *olen, 1066 size_t *invalid_padding) 1067 { 1068 if (ctx->cipher_info == NULL) { 1069 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1070 } 1071 1072 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1073 if (ctx->psa_enabled == 1) { 1074 /* While PSA Crypto has an API for multipart 1075 * operations, we currently don't make it 1076 * accessible through the cipher layer. */ 1077 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1078 } 1079 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1080 1081 *olen = 0; 1082 *invalid_padding = 0; 1083 1084 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1085 /* CBC mode requires padding so we make sure a call to 1086 * mbedtls_cipher_set_padding_mode has been done successfully. */ 1087 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1088 if (ctx->get_padding == NULL) { 1089 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1090 } 1091 } 1092 #endif 1093 1094 if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1095 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1096 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1097 MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1098 MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1099 MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1100 MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1101 return 0; 1102 } 1103 1104 if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) || 1105 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) { 1106 return 0; 1107 } 1108 1109 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1110 if (ctx->unprocessed_len != 0) { 1111 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1112 } 1113 1114 return 0; 1115 } 1116 1117 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1118 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1119 int ret = 0; 1120 1121 if (MBEDTLS_ENCRYPT == ctx->operation) { 1122 /* check for 'no padding' mode */ 1123 if (NULL == ctx->add_padding) { 1124 if (0 != ctx->unprocessed_len) { 1125 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1126 } 1127 1128 return 0; 1129 } 1130 1131 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx), 1132 ctx->unprocessed_len); 1133 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) { 1134 /* 1135 * For decrypt operations, expect a full block, 1136 * or an empty block if no padding 1137 */ 1138 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) { 1139 return 0; 1140 } 1141 1142 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1143 } 1144 1145 /* cipher block */ 1146 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 1147 ctx->operation, 1148 mbedtls_cipher_get_block_size( 1149 ctx), 1150 ctx->iv, 1151 ctx->unprocessed_data, 1152 output))) { 1153 return ret; 1154 } 1155 1156 /* Set output size for decryption */ 1157 if (MBEDTLS_DECRYPT == ctx->operation) { 1158 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx), 1159 olen, invalid_padding); 1160 } 1161 1162 /* Set output size for encryption */ 1163 *olen = mbedtls_cipher_get_block_size(ctx); 1164 return 0; 1165 } 1166 #else 1167 ((void) output); 1168 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1169 1170 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1171 } 1172 1173 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx, 1174 unsigned char *output, size_t *olen) 1175 { 1176 size_t invalid_padding = 0; 1177 int ret = mbedtls_cipher_finish_padded(ctx, output, olen, 1178 &invalid_padding); 1179 if (ret == 0) { 1180 ret = mbedtls_ct_error_if_else_0(invalid_padding, 1181 MBEDTLS_ERR_CIPHER_INVALID_PADDING); 1182 } 1183 return ret; 1184 } 1185 1186 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1187 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, 1188 mbedtls_cipher_padding_t mode) 1189 { 1190 if (NULL == ctx->cipher_info || 1191 MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1192 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1193 } 1194 1195 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1196 if (ctx->psa_enabled == 1) { 1197 /* While PSA Crypto knows about CBC padding 1198 * schemes, we currently don't make them 1199 * accessible through the cipher layer. */ 1200 if (mode != MBEDTLS_PADDING_NONE) { 1201 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1202 } 1203 1204 return 0; 1205 } 1206 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1207 1208 switch (mode) { 1209 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 1210 case MBEDTLS_PADDING_PKCS7: 1211 ctx->add_padding = add_pkcs_padding; 1212 ctx->get_padding = mbedtls_get_pkcs_padding; 1213 break; 1214 #endif 1215 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 1216 case MBEDTLS_PADDING_ONE_AND_ZEROS: 1217 ctx->add_padding = add_one_and_zeros_padding; 1218 ctx->get_padding = get_one_and_zeros_padding; 1219 break; 1220 #endif 1221 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 1222 case MBEDTLS_PADDING_ZEROS_AND_LEN: 1223 ctx->add_padding = add_zeros_and_len_padding; 1224 ctx->get_padding = get_zeros_and_len_padding; 1225 break; 1226 #endif 1227 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1228 case MBEDTLS_PADDING_ZEROS: 1229 ctx->add_padding = add_zeros_padding; 1230 ctx->get_padding = get_zeros_padding; 1231 break; 1232 #endif 1233 case MBEDTLS_PADDING_NONE: 1234 ctx->add_padding = NULL; 1235 ctx->get_padding = get_no_padding; 1236 break; 1237 1238 default: 1239 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1240 } 1241 1242 return 0; 1243 } 1244 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1245 1246 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 1247 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx, 1248 unsigned char *tag, size_t tag_len) 1249 { 1250 if (ctx->cipher_info == NULL) { 1251 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1252 } 1253 1254 if (MBEDTLS_ENCRYPT != ctx->operation) { 1255 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1256 } 1257 1258 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1259 if (ctx->psa_enabled == 1) { 1260 /* While PSA Crypto has an API for multipart 1261 * operations, we currently don't make it 1262 * accessible through the cipher layer. */ 1263 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1264 } 1265 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1266 1267 #if defined(MBEDTLS_GCM_C) 1268 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1269 size_t output_length; 1270 /* The code here doesn't yet support alternative implementations 1271 * that can delay up to a block of output. */ 1272 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx, 1273 NULL, 0, &output_length, 1274 tag, tag_len); 1275 } 1276 #endif 1277 1278 #if defined(MBEDTLS_CHACHAPOLY_C) 1279 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1280 /* Don't allow truncated MAC for Poly1305 */ 1281 if (tag_len != 16U) { 1282 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1283 } 1284 1285 return mbedtls_chachapoly_finish( 1286 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag); 1287 } 1288 #endif 1289 1290 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1291 } 1292 1293 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx, 1294 const unsigned char *tag, size_t tag_len) 1295 { 1296 unsigned char check_tag[16]; 1297 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1298 1299 if (ctx->cipher_info == NULL) { 1300 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1301 } 1302 1303 if (MBEDTLS_DECRYPT != ctx->operation) { 1304 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1305 } 1306 1307 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1308 if (ctx->psa_enabled == 1) { 1309 /* While PSA Crypto has an API for multipart 1310 * operations, we currently don't make it 1311 * accessible through the cipher layer. */ 1312 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1313 } 1314 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1315 1316 /* Status to return on a non-authenticated algorithm. */ 1317 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1318 1319 #if defined(MBEDTLS_GCM_C) 1320 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1321 size_t output_length; 1322 /* The code here doesn't yet support alternative implementations 1323 * that can delay up to a block of output. */ 1324 1325 if (tag_len > sizeof(check_tag)) { 1326 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1327 } 1328 1329 if (0 != (ret = mbedtls_gcm_finish( 1330 (mbedtls_gcm_context *) ctx->cipher_ctx, 1331 NULL, 0, &output_length, 1332 check_tag, tag_len))) { 1333 return ret; 1334 } 1335 1336 /* Check the tag in "constant-time" */ 1337 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1338 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1339 goto exit; 1340 } 1341 } 1342 #endif /* MBEDTLS_GCM_C */ 1343 1344 #if defined(MBEDTLS_CHACHAPOLY_C) 1345 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1346 /* Don't allow truncated MAC for Poly1305 */ 1347 if (tag_len != sizeof(check_tag)) { 1348 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1349 } 1350 1351 ret = mbedtls_chachapoly_finish( 1352 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag); 1353 if (ret != 0) { 1354 return ret; 1355 } 1356 1357 /* Check the tag in "constant-time" */ 1358 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1359 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1360 goto exit; 1361 } 1362 } 1363 #endif /* MBEDTLS_CHACHAPOLY_C */ 1364 1365 exit: 1366 mbedtls_platform_zeroize(check_tag, tag_len); 1367 return ret; 1368 } 1369 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 1370 1371 /* 1372 * Packet-oriented wrapper for non-AEAD modes 1373 */ 1374 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, 1375 const unsigned char *iv, size_t iv_len, 1376 const unsigned char *input, size_t ilen, 1377 unsigned char *output, size_t *olen) 1378 { 1379 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1380 size_t finish_olen; 1381 1382 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1383 if (ctx->psa_enabled == 1) { 1384 /* As in the non-PSA case, we don't check that 1385 * a key has been set. If not, the key slot will 1386 * still be in its default state of 0, which is 1387 * guaranteed to be invalid, hence the PSA-call 1388 * below will gracefully fail. */ 1389 mbedtls_cipher_context_psa * const cipher_psa = 1390 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1391 1392 psa_status_t status; 1393 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; 1394 size_t part_len; 1395 1396 if (ctx->operation == MBEDTLS_DECRYPT) { 1397 status = psa_cipher_decrypt_setup(&cipher_op, 1398 cipher_psa->slot, 1399 cipher_psa->alg); 1400 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 1401 status = psa_cipher_encrypt_setup(&cipher_op, 1402 cipher_psa->slot, 1403 cipher_psa->alg); 1404 } else { 1405 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1406 } 1407 1408 /* In the following, we can immediately return on an error, 1409 * because the PSA Crypto API guarantees that cipher operations 1410 * are terminated by unsuccessful calls to psa_cipher_update(), 1411 * and by any call to psa_cipher_finish(). */ 1412 if (status != PSA_SUCCESS) { 1413 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1414 } 1415 1416 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) { 1417 status = psa_cipher_set_iv(&cipher_op, iv, iv_len); 1418 if (status != PSA_SUCCESS) { 1419 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1420 } 1421 } 1422 1423 status = psa_cipher_update(&cipher_op, 1424 input, ilen, 1425 output, ilen, olen); 1426 if (status != PSA_SUCCESS) { 1427 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1428 } 1429 1430 status = psa_cipher_finish(&cipher_op, 1431 output + *olen, ilen - *olen, 1432 &part_len); 1433 if (status != PSA_SUCCESS) { 1434 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1435 } 1436 1437 *olen += part_len; 1438 return 0; 1439 } 1440 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1441 1442 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) { 1443 return ret; 1444 } 1445 1446 if ((ret = mbedtls_cipher_reset(ctx)) != 0) { 1447 return ret; 1448 } 1449 1450 if ((ret = mbedtls_cipher_update(ctx, input, ilen, 1451 output, olen)) != 0) { 1452 return ret; 1453 } 1454 1455 size_t invalid_padding = 0; 1456 if ((ret = mbedtls_cipher_finish_padded(ctx, output + *olen, 1457 &finish_olen, 1458 &invalid_padding)) != 0) { 1459 return ret; 1460 } 1461 *olen += finish_olen; 1462 1463 ret = mbedtls_ct_error_if_else_0(invalid_padding, 1464 MBEDTLS_ERR_CIPHER_INVALID_PADDING); 1465 return ret; 1466 } 1467 1468 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1469 /* 1470 * Packet-oriented encryption for AEAD modes: internal function used by 1471 * mbedtls_cipher_auth_encrypt_ext(). 1472 */ 1473 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx, 1474 const unsigned char *iv, size_t iv_len, 1475 const unsigned char *ad, size_t ad_len, 1476 const unsigned char *input, size_t ilen, 1477 unsigned char *output, size_t *olen, 1478 unsigned char *tag, size_t tag_len) 1479 { 1480 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1481 if (ctx->psa_enabled == 1) { 1482 /* As in the non-PSA case, we don't check that 1483 * a key has been set. If not, the key slot will 1484 * still be in its default state of 0, which is 1485 * guaranteed to be invalid, hence the PSA-call 1486 * below will gracefully fail. */ 1487 mbedtls_cipher_context_psa * const cipher_psa = 1488 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1489 1490 psa_status_t status; 1491 1492 /* PSA Crypto API always writes the authentication tag 1493 * at the end of the encrypted message. */ 1494 if (output == NULL || tag != output + ilen) { 1495 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1496 } 1497 1498 status = psa_aead_encrypt(cipher_psa->slot, 1499 cipher_psa->alg, 1500 iv, iv_len, 1501 ad, ad_len, 1502 input, ilen, 1503 output, ilen + tag_len, olen); 1504 if (status != PSA_SUCCESS) { 1505 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1506 } 1507 1508 *olen -= tag_len; 1509 return 0; 1510 } 1511 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1512 1513 #if defined(MBEDTLS_GCM_C) 1514 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1515 *olen = ilen; 1516 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, 1517 ilen, iv, iv_len, ad, ad_len, 1518 input, output, tag_len, tag); 1519 } 1520 #endif /* MBEDTLS_GCM_C */ 1521 #if defined(MBEDTLS_CCM_C) 1522 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1523 *olen = ilen; 1524 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen, 1525 iv, iv_len, ad, ad_len, input, output, 1526 tag, tag_len); 1527 } 1528 #endif /* MBEDTLS_CCM_C */ 1529 #if defined(MBEDTLS_CHACHAPOLY_C) 1530 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1531 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1532 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || 1533 (tag_len != 16U)) { 1534 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1535 } 1536 1537 *olen = ilen; 1538 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx, 1539 ilen, iv, ad, ad_len, input, output, tag); 1540 } 1541 #endif /* MBEDTLS_CHACHAPOLY_C */ 1542 1543 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1544 } 1545 1546 /* 1547 * Packet-oriented encryption for AEAD modes: internal function used by 1548 * mbedtls_cipher_auth_encrypt_ext(). 1549 */ 1550 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx, 1551 const unsigned char *iv, size_t iv_len, 1552 const unsigned char *ad, size_t ad_len, 1553 const unsigned char *input, size_t ilen, 1554 unsigned char *output, size_t *olen, 1555 const unsigned char *tag, size_t tag_len) 1556 { 1557 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1558 if (ctx->psa_enabled == 1) { 1559 /* As in the non-PSA case, we don't check that 1560 * a key has been set. If not, the key slot will 1561 * still be in its default state of 0, which is 1562 * guaranteed to be invalid, hence the PSA-call 1563 * below will gracefully fail. */ 1564 mbedtls_cipher_context_psa * const cipher_psa = 1565 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1566 1567 psa_status_t status; 1568 1569 /* PSA Crypto API always writes the authentication tag 1570 * at the end of the encrypted message. */ 1571 if (input == NULL || tag != input + ilen) { 1572 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1573 } 1574 1575 status = psa_aead_decrypt(cipher_psa->slot, 1576 cipher_psa->alg, 1577 iv, iv_len, 1578 ad, ad_len, 1579 input, ilen + tag_len, 1580 output, ilen, olen); 1581 if (status == PSA_ERROR_INVALID_SIGNATURE) { 1582 return MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1583 } else if (status != PSA_SUCCESS) { 1584 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1585 } 1586 1587 return 0; 1588 } 1589 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1590 1591 #if defined(MBEDTLS_GCM_C) 1592 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1593 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1594 1595 *olen = ilen; 1596 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen, 1597 iv, iv_len, ad, ad_len, 1598 tag, tag_len, input, output); 1599 1600 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) { 1601 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1602 } 1603 1604 return ret; 1605 } 1606 #endif /* MBEDTLS_GCM_C */ 1607 #if defined(MBEDTLS_CCM_C) 1608 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1609 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1610 1611 *olen = ilen; 1612 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen, 1613 iv, iv_len, ad, ad_len, 1614 input, output, tag, tag_len); 1615 1616 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) { 1617 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1618 } 1619 1620 return ret; 1621 } 1622 #endif /* MBEDTLS_CCM_C */ 1623 #if defined(MBEDTLS_CHACHAPOLY_C) 1624 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1625 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1626 1627 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1628 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || 1629 (tag_len != 16U)) { 1630 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1631 } 1632 1633 *olen = ilen; 1634 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen, 1635 iv, ad, ad_len, tag, input, output); 1636 1637 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) { 1638 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1639 } 1640 1641 return ret; 1642 } 1643 #endif /* MBEDTLS_CHACHAPOLY_C */ 1644 1645 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1646 } 1647 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1648 1649 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) 1650 /* 1651 * Packet-oriented encryption for AEAD/NIST_KW: public function. 1652 */ 1653 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx, 1654 const unsigned char *iv, size_t iv_len, 1655 const unsigned char *ad, size_t ad_len, 1656 const unsigned char *input, size_t ilen, 1657 unsigned char *output, size_t output_len, 1658 size_t *olen, size_t tag_len) 1659 { 1660 #if defined(MBEDTLS_NIST_KW_C) 1661 if ( 1662 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1663 ctx->psa_enabled == 0 && 1664 #endif 1665 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1666 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { 1667 mbedtls_nist_kw_mode_t mode = 1668 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? 1669 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1670 1671 /* There is no iv, tag or ad associated with KW and KWP, 1672 * so these length should be 0 as documented. */ 1673 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1674 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1675 } 1676 1677 (void) iv; 1678 (void) ad; 1679 1680 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen, 1681 output, olen, output_len); 1682 } 1683 #endif /* MBEDTLS_NIST_KW_C */ 1684 1685 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1686 /* AEAD case: check length before passing on to shared function */ 1687 if (output_len < ilen + tag_len) { 1688 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1689 } 1690 1691 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len, 1692 input, ilen, output, olen, 1693 output + ilen, tag_len); 1694 *olen += tag_len; 1695 return ret; 1696 #else 1697 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1698 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1699 } 1700 1701 /* 1702 * Packet-oriented decryption for AEAD/NIST_KW: public function. 1703 */ 1704 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx, 1705 const unsigned char *iv, size_t iv_len, 1706 const unsigned char *ad, size_t ad_len, 1707 const unsigned char *input, size_t ilen, 1708 unsigned char *output, size_t output_len, 1709 size_t *olen, size_t tag_len) 1710 { 1711 #if defined(MBEDTLS_NIST_KW_C) 1712 if ( 1713 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1714 ctx->psa_enabled == 0 && 1715 #endif 1716 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1717 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { 1718 mbedtls_nist_kw_mode_t mode = 1719 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? 1720 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1721 1722 /* There is no iv, tag or ad associated with KW and KWP, 1723 * so these length should be 0 as documented. */ 1724 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1725 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1726 } 1727 1728 (void) iv; 1729 (void) ad; 1730 1731 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen, 1732 output, olen, output_len); 1733 } 1734 #endif /* MBEDTLS_NIST_KW_C */ 1735 1736 #if defined(MBEDTLS_CIPHER_MODE_AEAD) 1737 /* AEAD case: check length before passing on to shared function */ 1738 if (ilen < tag_len || output_len < ilen - tag_len) { 1739 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1740 } 1741 1742 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len, 1743 input, ilen - tag_len, output, olen, 1744 input + ilen - tag_len, tag_len); 1745 #else 1746 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1747 #endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1748 } 1749 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ 1750 1751 #endif /* MBEDTLS_CIPHER_C */ 1752