1 /*
2 * PSA AEAD entry points
3 */
4 /*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_PSA_CRYPTO_C)
24
25 #include "psa_crypto_aead.h"
26 #include "psa_crypto_core.h"
27 #include "psa_crypto_cipher.h"
28
29 #include <string.h>
30 #include "mbedtls/platform.h"
31
32 #include "mbedtls/ccm.h"
33 #include "mbedtls/chachapoly.h"
34 #include "mbedtls/cipher.h"
35 #include "mbedtls/gcm.h"
36 #include "mbedtls/error.h"
37
psa_aead_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)38 static psa_status_t psa_aead_setup(
39 mbedtls_psa_aead_operation_t *operation,
40 const psa_key_attributes_t *attributes,
41 const uint8_t *key_buffer,
42 size_t key_buffer_size,
43 psa_algorithm_t alg )
44 {
45 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
46 size_t key_bits;
47 const mbedtls_cipher_info_t *cipher_info;
48 mbedtls_cipher_id_t cipher_id;
49
50 ( void ) key_buffer_size;
51
52 key_bits = attributes->core.bits;
53
54 cipher_info = mbedtls_cipher_info_from_psa( alg,
55 attributes->core.type, key_bits,
56 &cipher_id );
57 if( cipher_info == NULL )
58 return( PSA_ERROR_NOT_SUPPORTED );
59
60 switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) )
61 {
62 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
63 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
64 operation->alg = PSA_ALG_CCM;
65 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
66 * The call to mbedtls_ccm_encrypt_and_tag or
67 * mbedtls_ccm_auth_decrypt will validate the tag length. */
68 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
69 return( PSA_ERROR_INVALID_ARGUMENT );
70
71 mbedtls_ccm_init( &operation->ctx.ccm );
72 status = mbedtls_to_psa_error(
73 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
74 key_buffer, (unsigned int) key_bits ) );
75 if( status != PSA_SUCCESS )
76 return( status );
77 break;
78 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
79
80 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
81 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
82 operation->alg = PSA_ALG_GCM;
83 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
84 * The call to mbedtls_gcm_crypt_and_tag or
85 * mbedtls_gcm_auth_decrypt will validate the tag length. */
86 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
87 return( PSA_ERROR_INVALID_ARGUMENT );
88
89 mbedtls_gcm_init( &operation->ctx.gcm );
90 status = mbedtls_to_psa_error(
91 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
92 key_buffer, (unsigned int) key_bits ) );
93 if( status != PSA_SUCCESS )
94 return( status );
95 break;
96 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
97
98 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
99 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
100 operation->alg = PSA_ALG_CHACHA20_POLY1305;
101 /* We only support the default tag length. */
102 if( alg != PSA_ALG_CHACHA20_POLY1305 )
103 return( PSA_ERROR_NOT_SUPPORTED );
104
105 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
106 status = mbedtls_to_psa_error(
107 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
108 key_buffer ) );
109 if( status != PSA_SUCCESS )
110 return( status );
111 break;
112 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
113
114 default:
115 (void) status;
116 (void) key_buffer;
117 return( PSA_ERROR_NOT_SUPPORTED );
118 }
119
120 operation->key_type = psa_get_key_type( attributes );
121
122 operation->tag_length = PSA_ALG_AEAD_GET_TAG_LENGTH( alg );
123
124 return( PSA_SUCCESS );
125 }
126
mbedtls_psa_aead_encrypt(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * nonce,size_t nonce_length,const uint8_t * additional_data,size_t additional_data_length,const uint8_t * plaintext,size_t plaintext_length,uint8_t * ciphertext,size_t ciphertext_size,size_t * ciphertext_length)127 psa_status_t mbedtls_psa_aead_encrypt(
128 const psa_key_attributes_t *attributes,
129 const uint8_t *key_buffer, size_t key_buffer_size,
130 psa_algorithm_t alg,
131 const uint8_t *nonce, size_t nonce_length,
132 const uint8_t *additional_data, size_t additional_data_length,
133 const uint8_t *plaintext, size_t plaintext_length,
134 uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length )
135 {
136 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
137 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
138 uint8_t *tag;
139
140 status = psa_aead_setup( &operation, attributes, key_buffer,
141 key_buffer_size, alg );
142
143 if( status != PSA_SUCCESS )
144 goto exit;
145
146 /* For all currently supported modes, the tag is at the end of the
147 * ciphertext. */
148 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
149 {
150 status = PSA_ERROR_BUFFER_TOO_SMALL;
151 goto exit;
152 }
153 tag = ciphertext + plaintext_length;
154
155 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
156 if( operation.alg == PSA_ALG_CCM )
157 {
158 status = mbedtls_to_psa_error(
159 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
160 plaintext_length,
161 nonce, nonce_length,
162 additional_data,
163 additional_data_length,
164 plaintext, ciphertext,
165 tag, operation.tag_length ) );
166 }
167 else
168 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
169 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
170 if( operation.alg == PSA_ALG_GCM )
171 {
172 status = mbedtls_to_psa_error(
173 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
174 MBEDTLS_GCM_ENCRYPT,
175 plaintext_length,
176 nonce, nonce_length,
177 additional_data, additional_data_length,
178 plaintext, ciphertext,
179 operation.tag_length, tag ) );
180 }
181 else
182 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
183 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
184 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
185 {
186 if( operation.tag_length != 16 )
187 {
188 status = PSA_ERROR_NOT_SUPPORTED;
189 goto exit;
190 }
191 status = mbedtls_to_psa_error(
192 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
193 plaintext_length,
194 nonce,
195 additional_data,
196 additional_data_length,
197 plaintext,
198 ciphertext,
199 tag ) );
200 }
201 else
202 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
203 {
204 (void) tag;
205 (void) nonce;
206 (void) nonce_length;
207 (void) additional_data;
208 (void) additional_data_length;
209 (void) plaintext;
210 return( PSA_ERROR_NOT_SUPPORTED );
211 }
212
213 if( status == PSA_SUCCESS )
214 *ciphertext_length = plaintext_length + operation.tag_length;
215
216 exit:
217 mbedtls_psa_aead_abort( &operation );
218
219 return( status );
220 }
221
222 /* Locate the tag in a ciphertext buffer containing the encrypted data
223 * followed by the tag. Return the length of the part preceding the tag in
224 * *plaintext_length. This is the size of the plaintext in modes where
225 * the encrypted data has the same size as the plaintext, such as
226 * CCM and GCM. */
psa_aead_unpadded_locate_tag(size_t tag_length,const uint8_t * ciphertext,size_t ciphertext_length,size_t plaintext_size,const uint8_t ** p_tag)227 static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
228 const uint8_t *ciphertext,
229 size_t ciphertext_length,
230 size_t plaintext_size,
231 const uint8_t **p_tag )
232 {
233 size_t payload_length;
234 if( tag_length > ciphertext_length )
235 return( PSA_ERROR_INVALID_ARGUMENT );
236 payload_length = ciphertext_length - tag_length;
237 if( payload_length > plaintext_size )
238 return( PSA_ERROR_BUFFER_TOO_SMALL );
239 *p_tag = ciphertext + payload_length;
240 return( PSA_SUCCESS );
241 }
242
mbedtls_psa_aead_decrypt(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * nonce,size_t nonce_length,const uint8_t * additional_data,size_t additional_data_length,const uint8_t * ciphertext,size_t ciphertext_length,uint8_t * plaintext,size_t plaintext_size,size_t * plaintext_length)243 psa_status_t mbedtls_psa_aead_decrypt(
244 const psa_key_attributes_t *attributes,
245 const uint8_t *key_buffer, size_t key_buffer_size,
246 psa_algorithm_t alg,
247 const uint8_t *nonce, size_t nonce_length,
248 const uint8_t *additional_data, size_t additional_data_length,
249 const uint8_t *ciphertext, size_t ciphertext_length,
250 uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length )
251 {
252 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
253 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
254 const uint8_t *tag = NULL;
255
256 status = psa_aead_setup( &operation, attributes, key_buffer,
257 key_buffer_size, alg );
258
259 if( status != PSA_SUCCESS )
260 goto exit;
261
262 status = psa_aead_unpadded_locate_tag( operation.tag_length,
263 ciphertext, ciphertext_length,
264 plaintext_size, &tag );
265 if( status != PSA_SUCCESS )
266 goto exit;
267
268 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
269 if( operation.alg == PSA_ALG_CCM )
270 {
271 status = mbedtls_to_psa_error(
272 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
273 ciphertext_length - operation.tag_length,
274 nonce, nonce_length,
275 additional_data,
276 additional_data_length,
277 ciphertext, plaintext,
278 tag, operation.tag_length ) );
279 }
280 else
281 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
282 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
283 if( operation.alg == PSA_ALG_GCM )
284 {
285 status = mbedtls_to_psa_error(
286 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
287 ciphertext_length - operation.tag_length,
288 nonce, nonce_length,
289 additional_data,
290 additional_data_length,
291 tag, operation.tag_length,
292 ciphertext, plaintext ) );
293 }
294 else
295 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
296 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
297 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
298 {
299 if( operation.tag_length != 16 )
300 {
301 status = PSA_ERROR_NOT_SUPPORTED;
302 goto exit;
303 }
304 status = mbedtls_to_psa_error(
305 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
306 ciphertext_length - operation.tag_length,
307 nonce,
308 additional_data,
309 additional_data_length,
310 tag,
311 ciphertext,
312 plaintext ) );
313 }
314 else
315 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
316 {
317 (void) nonce;
318 (void) nonce_length;
319 (void) additional_data;
320 (void) additional_data_length;
321 (void) plaintext;
322 return( PSA_ERROR_NOT_SUPPORTED );
323 }
324
325 if( status == PSA_SUCCESS )
326 *plaintext_length = ciphertext_length - operation.tag_length;
327
328 exit:
329 mbedtls_psa_aead_abort( &operation );
330
331 if( status == PSA_SUCCESS )
332 *plaintext_length = ciphertext_length - operation.tag_length;
333 return( status );
334 }
335
336 /* Set the key and algorithm for a multipart authenticated encryption
337 * operation. */
mbedtls_psa_aead_encrypt_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)338 psa_status_t mbedtls_psa_aead_encrypt_setup(
339 mbedtls_psa_aead_operation_t *operation,
340 const psa_key_attributes_t *attributes,
341 const uint8_t *key_buffer,
342 size_t key_buffer_size,
343 psa_algorithm_t alg )
344 {
345 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
346
347 status = psa_aead_setup( operation, attributes, key_buffer,
348 key_buffer_size, alg );
349
350 if( status == PSA_SUCCESS )
351 operation->is_encrypt = 1;
352
353 return ( status );
354 }
355
356 /* Set the key and algorithm for a multipart authenticated decryption
357 * operation. */
mbedtls_psa_aead_decrypt_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)358 psa_status_t mbedtls_psa_aead_decrypt_setup(
359 mbedtls_psa_aead_operation_t *operation,
360 const psa_key_attributes_t *attributes,
361 const uint8_t *key_buffer,
362 size_t key_buffer_size,
363 psa_algorithm_t alg )
364 {
365 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
366
367 status = psa_aead_setup( operation, attributes, key_buffer,
368 key_buffer_size, alg );
369
370 if( status == PSA_SUCCESS )
371 operation->is_encrypt = 0;
372
373 return ( status );
374 }
375
376 /* Set a nonce for the multipart AEAD operation*/
mbedtls_psa_aead_set_nonce(mbedtls_psa_aead_operation_t * operation,const uint8_t * nonce,size_t nonce_length)377 psa_status_t mbedtls_psa_aead_set_nonce(
378 mbedtls_psa_aead_operation_t *operation,
379 const uint8_t *nonce,
380 size_t nonce_length )
381 {
382 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
383
384 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
385 if( operation->alg == PSA_ALG_GCM )
386 {
387 status = mbedtls_to_psa_error(
388 mbedtls_gcm_starts( &operation->ctx.gcm,
389 operation->is_encrypt ?
390 MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
391 nonce,
392 nonce_length ) );
393 }
394 else
395 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
396 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
397 if( operation->alg == PSA_ALG_CCM )
398 {
399 status = mbedtls_to_psa_error(
400 mbedtls_ccm_starts( &operation->ctx.ccm,
401 operation->is_encrypt ?
402 MBEDTLS_CCM_ENCRYPT : MBEDTLS_CCM_DECRYPT,
403 nonce,
404 nonce_length ) );
405 }
406 else
407 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
408 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
409 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
410 {
411 /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
412 * allocate a buffer in the operation, copy the nonce to it and pad
413 * it, so for now check the nonce is 12 bytes, as
414 * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
415 * passed in buffer. */
416 if( nonce_length != 12 )
417 {
418 return( PSA_ERROR_INVALID_ARGUMENT );
419 }
420
421 status = mbedtls_to_psa_error(
422 mbedtls_chachapoly_starts( &operation->ctx.chachapoly,
423 nonce,
424 operation->is_encrypt ?
425 MBEDTLS_CHACHAPOLY_ENCRYPT :
426 MBEDTLS_CHACHAPOLY_DECRYPT ) );
427 }
428 else
429 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
430 {
431 ( void ) operation;
432 ( void ) nonce;
433 ( void ) nonce_length;
434
435 return ( PSA_ERROR_NOT_SUPPORTED );
436 }
437
438 return( status );
439 }
440
441 /* Declare the lengths of the message and additional data for AEAD. */
mbedtls_psa_aead_set_lengths(mbedtls_psa_aead_operation_t * operation,size_t ad_length,size_t plaintext_length)442 psa_status_t mbedtls_psa_aead_set_lengths(
443 mbedtls_psa_aead_operation_t *operation,
444 size_t ad_length,
445 size_t plaintext_length )
446 {
447 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
448 if( operation->alg == PSA_ALG_CCM )
449 {
450 return( mbedtls_to_psa_error(
451 mbedtls_ccm_set_lengths( &operation->ctx.ccm,
452 ad_length,
453 plaintext_length,
454 operation->tag_length ) ) );
455
456 }
457 #else /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
458 ( void ) operation;
459 ( void ) ad_length;
460 ( void ) plaintext_length;
461 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
462
463 return ( PSA_SUCCESS );
464 }
465
466 /* Pass additional data to an active multipart AEAD operation. */
mbedtls_psa_aead_update_ad(mbedtls_psa_aead_operation_t * operation,const uint8_t * input,size_t input_length)467 psa_status_t mbedtls_psa_aead_update_ad(
468 mbedtls_psa_aead_operation_t *operation,
469 const uint8_t *input,
470 size_t input_length )
471 {
472 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
473
474 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
475 if( operation->alg == PSA_ALG_GCM )
476 {
477 status = mbedtls_to_psa_error(
478 mbedtls_gcm_update_ad( &operation->ctx.gcm, input, input_length ) );
479 }
480 else
481 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
482 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
483 if( operation->alg == PSA_ALG_CCM )
484 {
485 status = mbedtls_to_psa_error(
486 mbedtls_ccm_update_ad( &operation->ctx.ccm, input, input_length ) );
487 }
488 else
489 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
490 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
491 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
492 {
493 status = mbedtls_to_psa_error(
494 mbedtls_chachapoly_update_aad( &operation->ctx.chachapoly,
495 input,
496 input_length ) );
497 }
498 else
499 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
500 {
501 ( void ) operation;
502 ( void ) input;
503 ( void ) input_length;
504
505 return ( PSA_ERROR_NOT_SUPPORTED );
506 }
507
508 return ( status );
509 }
510
511 /* Encrypt or decrypt a message fragment in an active multipart AEAD
512 * operation.*/
mbedtls_psa_aead_update(mbedtls_psa_aead_operation_t * operation,const uint8_t * input,size_t input_length,uint8_t * output,size_t output_size,size_t * output_length)513 psa_status_t mbedtls_psa_aead_update(
514 mbedtls_psa_aead_operation_t *operation,
515 const uint8_t *input,
516 size_t input_length,
517 uint8_t *output,
518 size_t output_size,
519 size_t *output_length )
520 {
521 size_t update_output_length;
522 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
523
524 update_output_length = input_length;
525
526 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
527 if( operation->alg == PSA_ALG_GCM )
528 {
529 status = mbedtls_to_psa_error(
530 mbedtls_gcm_update( &operation->ctx.gcm,
531 input, input_length,
532 output, output_size,
533 &update_output_length ) );
534 }
535 else
536 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
537 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
538 if( operation->alg == PSA_ALG_CCM )
539 {
540 if( output_size < input_length )
541 return( PSA_ERROR_BUFFER_TOO_SMALL );
542
543 status = mbedtls_to_psa_error(
544 mbedtls_ccm_update( &operation->ctx.ccm,
545 input, input_length,
546 output, output_size,
547 &update_output_length ) );
548 }
549 else
550 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
551 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
552 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
553 {
554 if( output_size < input_length )
555 return( PSA_ERROR_BUFFER_TOO_SMALL );
556
557 status = mbedtls_to_psa_error(
558 mbedtls_chachapoly_update( &operation->ctx.chachapoly,
559 input_length,
560 input,
561 output ) );
562 }
563 else
564 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
565 {
566 ( void ) operation;
567 ( void ) input;
568 ( void ) output;
569 ( void ) output_size;
570
571 return ( PSA_ERROR_NOT_SUPPORTED );
572 }
573
574 if( status == PSA_SUCCESS )
575 *output_length = update_output_length;
576
577 return( status );
578 }
579
580 /* Finish encrypting a message in a multipart AEAD operation. */
mbedtls_psa_aead_finish(mbedtls_psa_aead_operation_t * operation,uint8_t * ciphertext,size_t ciphertext_size,size_t * ciphertext_length,uint8_t * tag,size_t tag_size,size_t * tag_length)581 psa_status_t mbedtls_psa_aead_finish(
582 mbedtls_psa_aead_operation_t *operation,
583 uint8_t *ciphertext,
584 size_t ciphertext_size,
585 size_t *ciphertext_length,
586 uint8_t *tag,
587 size_t tag_size,
588 size_t *tag_length )
589 {
590 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
591 size_t finish_output_size = 0;
592
593 if( tag_size < operation->tag_length )
594 return( PSA_ERROR_BUFFER_TOO_SMALL );
595
596 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
597 if( operation->alg == PSA_ALG_GCM )
598 {
599 status = mbedtls_to_psa_error(
600 mbedtls_gcm_finish( &operation->ctx.gcm,
601 ciphertext, ciphertext_size, ciphertext_length,
602 tag, operation->tag_length ) );
603 }
604 else
605 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
606 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
607 if( operation->alg == PSA_ALG_CCM )
608 {
609 /* tag must be big enough to store a tag of size passed into set
610 * lengths. */
611 if( tag_size < operation->tag_length )
612 return( PSA_ERROR_BUFFER_TOO_SMALL );
613
614 status = mbedtls_to_psa_error(
615 mbedtls_ccm_finish( &operation->ctx.ccm,
616 tag, operation->tag_length ) );
617 }
618 else
619 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
620 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
621 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
622 {
623 /* Belt and braces. Although the above tag_size check should have
624 * already done this, if we later start supporting smaller tag sizes
625 * for chachapoly, then passing a tag buffer smaller than 16 into here
626 * could cause a buffer overflow, so better safe than sorry. */
627 if( tag_size < 16 )
628 return( PSA_ERROR_BUFFER_TOO_SMALL );
629
630 status = mbedtls_to_psa_error(
631 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
632 tag ) );
633 }
634 else
635 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
636 {
637 ( void ) ciphertext;
638 ( void ) ciphertext_size;
639 ( void ) ciphertext_length;
640 ( void ) tag;
641 ( void ) tag_size;
642 ( void ) tag_length;
643
644 return ( PSA_ERROR_NOT_SUPPORTED );
645 }
646
647 if( status == PSA_SUCCESS )
648 {
649 /* This will be zero for all supported algorithms currently, but left
650 * here for future support. */
651 *ciphertext_length = finish_output_size;
652 *tag_length = operation->tag_length;
653 }
654
655 return ( status );
656 }
657
658 /* Abort an AEAD operation */
mbedtls_psa_aead_abort(mbedtls_psa_aead_operation_t * operation)659 psa_status_t mbedtls_psa_aead_abort(
660 mbedtls_psa_aead_operation_t *operation )
661 {
662 switch( operation->alg )
663 {
664 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
665 case PSA_ALG_CCM:
666 mbedtls_ccm_free( &operation->ctx.ccm );
667 break;
668 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
669 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
670 case PSA_ALG_GCM:
671 mbedtls_gcm_free( &operation->ctx.gcm );
672 break;
673 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
674 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
675 case PSA_ALG_CHACHA20_POLY1305:
676 mbedtls_chachapoly_free( &operation->ctx.chachapoly );
677 break;
678 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
679 }
680
681 operation->is_encrypt = 0;
682
683 return( PSA_SUCCESS );
684 }
685
686 #endif /* MBEDTLS_PSA_CRYPTO_C */
687
688
