1 /**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for Mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 */
11
12 #include "common.h"
13
14 #if defined(MBEDTLS_CIPHER_C)
15
16 #include "mbedtls/cipher.h"
17 #include "cipher_wrap.h"
18 #include "mbedtls/platform_util.h"
19 #include "mbedtls/error.h"
20 #include "mbedtls/constant_time.h"
21 #include "constant_time_internal.h"
22
23 #include <stdlib.h>
24 #include <string.h>
25
26 #if defined(MBEDTLS_CHACHAPOLY_C)
27 #include "mbedtls/chachapoly.h"
28 #endif
29
30 #if defined(MBEDTLS_GCM_C)
31 #include "mbedtls/gcm.h"
32 #endif
33
34 #if defined(MBEDTLS_CCM_C)
35 #include "mbedtls/ccm.h"
36 #endif
37
38 #if defined(MBEDTLS_CHACHA20_C)
39 #include "mbedtls/chacha20.h"
40 #endif
41
42 #if defined(MBEDTLS_CMAC_C)
43 #include "mbedtls/cmac.h"
44 #endif
45
46 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
47 #include "psa/crypto.h"
48 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
49
50 #if defined(MBEDTLS_NIST_KW_C)
51 #include "mbedtls/nist_kw.h"
52 #endif
53
54 #include "mbedtls/platform.h"
55
56 static int supported_init = 0;
57
mbedtls_cipher_get_base(const mbedtls_cipher_info_t * info)58 static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base(
59 const mbedtls_cipher_info_t *info)
60 {
61 return mbedtls_cipher_base_lookup_table[info->base_idx];
62 }
63
mbedtls_cipher_list(void)64 const int *mbedtls_cipher_list(void)
65 {
66 const mbedtls_cipher_definition_t *def;
67 int *type;
68
69 if (!supported_init) {
70 def = mbedtls_cipher_definitions;
71 type = mbedtls_cipher_supported;
72
73 while (def->type != 0) {
74 *type++ = (*def++).type;
75 }
76
77 *type = 0;
78
79 supported_init = 1;
80 }
81
82 return mbedtls_cipher_supported;
83 }
84
mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)85 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
86 const mbedtls_cipher_type_t cipher_type)
87 {
88 const mbedtls_cipher_definition_t *def;
89
90 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
91 if (def->type == cipher_type) {
92 return def->info;
93 }
94 }
95
96 return NULL;
97 }
98
mbedtls_cipher_info_from_string(const char * cipher_name)99 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
100 const char *cipher_name)
101 {
102 const mbedtls_cipher_definition_t *def;
103
104 if (NULL == cipher_name) {
105 return NULL;
106 }
107
108 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
109 if (!strcmp(def->info->name, cipher_name)) {
110 return def->info;
111 }
112 }
113
114 return NULL;
115 }
116
mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,int key_bitlen,const mbedtls_cipher_mode_t mode)117 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
118 const mbedtls_cipher_id_t cipher_id,
119 int key_bitlen,
120 const mbedtls_cipher_mode_t mode)
121 {
122 const mbedtls_cipher_definition_t *def;
123
124 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
125 if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id &&
126 mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen &&
127 def->info->mode == mode) {
128 return def->info;
129 }
130 }
131
132 return NULL;
133 }
134
135 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_psa_translate_cipher_type(mbedtls_cipher_type_t cipher)136 static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
137 mbedtls_cipher_type_t cipher)
138 {
139 switch (cipher) {
140 case MBEDTLS_CIPHER_AES_128_CCM:
141 case MBEDTLS_CIPHER_AES_192_CCM:
142 case MBEDTLS_CIPHER_AES_256_CCM:
143 case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:
144 case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:
145 case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:
146 case MBEDTLS_CIPHER_AES_128_GCM:
147 case MBEDTLS_CIPHER_AES_192_GCM:
148 case MBEDTLS_CIPHER_AES_256_GCM:
149 case MBEDTLS_CIPHER_AES_128_CBC:
150 case MBEDTLS_CIPHER_AES_192_CBC:
151 case MBEDTLS_CIPHER_AES_256_CBC:
152 case MBEDTLS_CIPHER_AES_128_ECB:
153 case MBEDTLS_CIPHER_AES_192_ECB:
154 case MBEDTLS_CIPHER_AES_256_ECB:
155 return PSA_KEY_TYPE_AES;
156
157 /* ARIA not yet supported in PSA. */
158 /* case MBEDTLS_CIPHER_ARIA_128_CCM:
159 case MBEDTLS_CIPHER_ARIA_192_CCM:
160 case MBEDTLS_CIPHER_ARIA_256_CCM:
161 case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:
162 case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:
163 case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:
164 case MBEDTLS_CIPHER_ARIA_128_GCM:
165 case MBEDTLS_CIPHER_ARIA_192_GCM:
166 case MBEDTLS_CIPHER_ARIA_256_GCM:
167 case MBEDTLS_CIPHER_ARIA_128_CBC:
168 case MBEDTLS_CIPHER_ARIA_192_CBC:
169 case MBEDTLS_CIPHER_ARIA_256_CBC:
170 return( PSA_KEY_TYPE_ARIA ); */
171
172 default:
173 return 0;
174 }
175 }
176
mbedtls_psa_translate_cipher_mode(mbedtls_cipher_mode_t mode,size_t taglen)177 static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
178 mbedtls_cipher_mode_t mode, size_t taglen)
179 {
180 switch (mode) {
181 case MBEDTLS_MODE_ECB:
182 return PSA_ALG_ECB_NO_PADDING;
183 case MBEDTLS_MODE_GCM:
184 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen);
185 case MBEDTLS_MODE_CCM:
186 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen);
187 case MBEDTLS_MODE_CCM_STAR_NO_TAG:
188 return PSA_ALG_CCM_STAR_NO_TAG;
189 case MBEDTLS_MODE_CBC:
190 if (taglen == 0) {
191 return PSA_ALG_CBC_NO_PADDING;
192 } else {
193 return 0;
194 }
195 default:
196 return 0;
197 }
198 }
199 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
200
mbedtls_cipher_init(mbedtls_cipher_context_t * ctx)201 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
202 {
203 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
204 }
205
mbedtls_cipher_free(mbedtls_cipher_context_t * ctx)206 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
207 {
208 if (ctx == NULL) {
209 return;
210 }
211
212 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
213 if (ctx->psa_enabled == 1) {
214 if (ctx->cipher_ctx != NULL) {
215 mbedtls_cipher_context_psa * const cipher_psa =
216 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
217
218 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
219 /* xxx_free() doesn't allow to return failures. */
220 (void) psa_destroy_key(cipher_psa->slot);
221 }
222
223 mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa));
224 }
225
226 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
227 return;
228 }
229 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
230
231 #if defined(MBEDTLS_CMAC_C)
232 if (ctx->cmac_ctx) {
233 mbedtls_zeroize_and_free(ctx->cmac_ctx,
234 sizeof(mbedtls_cmac_context_t));
235 }
236 #endif
237
238 if (ctx->cipher_ctx) {
239 mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx);
240 }
241
242 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
243 }
244
mbedtls_cipher_setup(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)245 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
246 const mbedtls_cipher_info_t *cipher_info)
247 {
248 if (cipher_info == NULL) {
249 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
250 }
251
252 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
253
254 if (NULL == (ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func())) {
255 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
256 }
257
258 ctx->cipher_info = cipher_info;
259
260 return 0;
261 }
262
263 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_cipher_setup_psa(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info,size_t taglen)264 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
265 const mbedtls_cipher_info_t *cipher_info,
266 size_t taglen)
267 {
268 psa_algorithm_t alg;
269 mbedtls_cipher_context_psa *cipher_psa;
270
271 if (NULL == cipher_info || NULL == ctx) {
272 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
273 }
274
275 /* Check that the underlying cipher mode and cipher type are
276 * supported by the underlying PSA Crypto implementation. */
277 alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen);
278 if (alg == 0) {
279 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
280 }
281 if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) {
282 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
283 }
284
285 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
286
287 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
288 if (cipher_psa == NULL) {
289 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
290 }
291 cipher_psa->alg = alg;
292 ctx->cipher_ctx = cipher_psa;
293 ctx->cipher_info = cipher_info;
294 ctx->psa_enabled = 1;
295 return 0;
296 }
297 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
298
mbedtls_cipher_setkey(mbedtls_cipher_context_t * ctx,const unsigned char * key,int key_bitlen,const mbedtls_operation_t operation)299 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
300 const unsigned char *key,
301 int key_bitlen,
302 const mbedtls_operation_t operation)
303 {
304 if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) {
305 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
306 }
307 if (ctx->cipher_info == NULL) {
308 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
309 }
310
311 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
312 if (ctx->psa_enabled == 1) {
313 mbedtls_cipher_context_psa * const cipher_psa =
314 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
315
316 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
317
318 psa_status_t status;
319 psa_key_type_t key_type;
320 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
321
322 /* PSA Crypto API only accepts byte-aligned keys. */
323 if (key_bitlen % 8 != 0) {
324 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
325 }
326
327 /* Don't allow keys to be set multiple times. */
328 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {
329 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
330 }
331
332 key_type = mbedtls_psa_translate_cipher_type(
333 ((mbedtls_cipher_type_t) ctx->cipher_info->type));
334 if (key_type == 0) {
335 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
336 }
337 psa_set_key_type(&attributes, key_type);
338
339 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
340 * (encrypt vs. decrypt): it is possible to setup a key for encryption
341 * and use it for AEAD decryption. Until tests relying on this
342 * are changed, allow any usage in PSA. */
343 psa_set_key_usage_flags(&attributes,
344 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
345 psa_set_key_algorithm(&attributes, cipher_psa->alg);
346
347 status = psa_import_key(&attributes, key, key_bytelen,
348 &cipher_psa->slot);
349 switch (status) {
350 case PSA_SUCCESS:
351 break;
352 case PSA_ERROR_INSUFFICIENT_MEMORY:
353 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
354 case PSA_ERROR_NOT_SUPPORTED:
355 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
356 default:
357 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
358 }
359 /* Indicate that we own the key slot and need to
360 * destroy it in mbedtls_cipher_free(). */
361 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
362
363 ctx->key_bitlen = key_bitlen;
364 ctx->operation = operation;
365 return 0;
366 }
367 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
368
369 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
370 (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) {
371 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
372 }
373
374 ctx->key_bitlen = key_bitlen;
375 ctx->operation = operation;
376
377 /*
378 * For OFB, CFB and CTR mode always use the encryption key schedule
379 */
380 if (MBEDTLS_ENCRYPT == operation ||
381 MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
382 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
383 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
384 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
385 ctx->key_bitlen);
386 }
387
388 if (MBEDTLS_DECRYPT == operation) {
389 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,
390 ctx->key_bitlen);
391 }
392
393 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
394 }
395
mbedtls_cipher_set_iv(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len)396 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
397 const unsigned char *iv,
398 size_t iv_len)
399 {
400 size_t actual_iv_size;
401
402 if (ctx->cipher_info == NULL) {
403 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
404 }
405 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
406 if (ctx->psa_enabled == 1) {
407 /* While PSA Crypto has an API for multipart
408 * operations, we currently don't make it
409 * accessible through the cipher layer. */
410 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
411 }
412 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
413
414 /* avoid buffer overflow in ctx->iv */
415 if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
416 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
417 }
418
419 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
420 actual_iv_size = iv_len;
421 } else {
422 actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info);
423
424 /* avoid reading past the end of input buffer */
425 if (actual_iv_size > iv_len) {
426 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
427 }
428 }
429
430 #if defined(MBEDTLS_CHACHA20_C)
431 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) {
432 /* Even though the actual_iv_size is overwritten with a correct value
433 * of 12 from the cipher info, return an error to indicate that
434 * the input iv_len is wrong. */
435 if (iv_len != 12) {
436 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
437 }
438
439 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,
440 iv,
441 0U)) { /* Initial counter value */
442 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
443 }
444 }
445 #if defined(MBEDTLS_CHACHAPOLY_C)
446 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
447 iv_len != 12) {
448 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
449 }
450 #endif
451 #endif
452
453 #if defined(MBEDTLS_GCM_C)
454 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
455 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx,
456 ctx->operation,
457 iv, iv_len);
458 }
459 #endif
460
461 #if defined(MBEDTLS_CCM_C)
462 if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
463 int set_lengths_result;
464 int ccm_star_mode;
465
466 set_lengths_result = mbedtls_ccm_set_lengths(
467 (mbedtls_ccm_context *) ctx->cipher_ctx,
468 0, 0, 0);
469 if (set_lengths_result != 0) {
470 return set_lengths_result;
471 }
472
473 if (ctx->operation == MBEDTLS_DECRYPT) {
474 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;
475 } else if (ctx->operation == MBEDTLS_ENCRYPT) {
476 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;
477 } else {
478 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
479 }
480
481 return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx,
482 ccm_star_mode,
483 iv, iv_len);
484 }
485 #endif
486
487 if (actual_iv_size != 0) {
488 memcpy(ctx->iv, iv, actual_iv_size);
489 ctx->iv_size = actual_iv_size;
490 }
491
492 return 0;
493 }
494
mbedtls_cipher_reset(mbedtls_cipher_context_t * ctx)495 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
496 {
497 if (ctx->cipher_info == NULL) {
498 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
499 }
500
501 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
502 if (ctx->psa_enabled == 1) {
503 /* We don't support resetting PSA-based
504 * cipher contexts, yet. */
505 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
506 }
507 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
508
509 ctx->unprocessed_len = 0;
510
511 return 0;
512 }
513
514 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_update_ad(mbedtls_cipher_context_t * ctx,const unsigned char * ad,size_t ad_len)515 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
516 const unsigned char *ad, size_t ad_len)
517 {
518 if (ctx->cipher_info == NULL) {
519 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
520 }
521
522 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
523 if (ctx->psa_enabled == 1) {
524 /* While PSA Crypto has an API for multipart
525 * operations, we currently don't make it
526 * accessible through the cipher layer. */
527 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
528 }
529 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
530
531 #if defined(MBEDTLS_GCM_C)
532 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
533 return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx,
534 ad, ad_len);
535 }
536 #endif
537
538 #if defined(MBEDTLS_CHACHAPOLY_C)
539 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
540 int result;
541 mbedtls_chachapoly_mode_t mode;
542
543 mode = (ctx->operation == MBEDTLS_ENCRYPT)
544 ? MBEDTLS_CHACHAPOLY_ENCRYPT
545 : MBEDTLS_CHACHAPOLY_DECRYPT;
546
547 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx,
548 ctx->iv,
549 mode);
550 if (result != 0) {
551 return result;
552 }
553
554 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
555 ad, ad_len);
556 }
557 #endif
558
559 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
560 }
561 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
562
mbedtls_cipher_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)563 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
564 size_t ilen, unsigned char *output, size_t *olen)
565 {
566 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
567 size_t block_size;
568
569 if (ctx->cipher_info == NULL) {
570 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
571 }
572
573 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
574 if (ctx->psa_enabled == 1) {
575 /* While PSA Crypto has an API for multipart
576 * operations, we currently don't make it
577 * accessible through the cipher layer. */
578 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
579 }
580 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
581
582 *olen = 0;
583 block_size = mbedtls_cipher_get_block_size(ctx);
584 if (0 == block_size) {
585 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
586 }
587
588 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) {
589 if (ilen != block_size) {
590 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
591 }
592
593 *olen = ilen;
594
595 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx,
596 ctx->operation, input,
597 output))) {
598 return ret;
599 }
600
601 return 0;
602 }
603
604 #if defined(MBEDTLS_GCM_C)
605 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) {
606 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx,
607 input, ilen,
608 output, ilen, olen);
609 }
610 #endif
611
612 #if defined(MBEDTLS_CCM_C)
613 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) {
614 return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx,
615 input, ilen,
616 output, ilen, olen);
617 }
618 #endif
619
620 #if defined(MBEDTLS_CHACHAPOLY_C)
621 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
622 *olen = ilen;
623 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
624 ilen, input, output);
625 }
626 #endif
627
628 if (input == output &&
629 (ctx->unprocessed_len != 0 || ilen % block_size)) {
630 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
631 }
632
633 #if defined(MBEDTLS_CIPHER_MODE_CBC)
634 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) {
635 size_t copy_len = 0;
636
637 /*
638 * If there is not enough data for a full block, cache it.
639 */
640 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
641 ilen <= block_size - ctx->unprocessed_len) ||
642 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
643 ilen < block_size - ctx->unprocessed_len) ||
644 (ctx->operation == MBEDTLS_ENCRYPT &&
645 ilen < block_size - ctx->unprocessed_len)) {
646 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
647 ilen);
648
649 ctx->unprocessed_len += ilen;
650 return 0;
651 }
652
653 /*
654 * Process cached data first
655 */
656 if (0 != ctx->unprocessed_len) {
657 copy_len = block_size - ctx->unprocessed_len;
658
659 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
660 copy_len);
661
662 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
663 ctx->operation,
664 block_size, ctx->iv,
665 ctx->
666 unprocessed_data,
667 output))) {
668 return ret;
669 }
670
671 *olen += block_size;
672 output += block_size;
673 ctx->unprocessed_len = 0;
674
675 input += copy_len;
676 ilen -= copy_len;
677 }
678
679 /*
680 * Cache final, incomplete block
681 */
682 if (0 != ilen) {
683 /* Encryption: only cache partial blocks
684 * Decryption w/ padding: always keep at least one whole block
685 * Decryption w/o padding: only cache partial blocks
686 */
687 copy_len = ilen % block_size;
688 if (copy_len == 0 &&
689 ctx->operation == MBEDTLS_DECRYPT &&
690 NULL != ctx->add_padding) {
691 copy_len = block_size;
692 }
693
694 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),
695 copy_len);
696
697 ctx->unprocessed_len += copy_len;
698 ilen -= copy_len;
699 }
700
701 /*
702 * Process remaining full blocks
703 */
704 if (ilen) {
705 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
706 ctx->operation,
707 ilen, ctx->iv,
708 input,
709 output))) {
710 return ret;
711 }
712
713 *olen += ilen;
714 }
715
716 return 0;
717 }
718 #endif /* MBEDTLS_CIPHER_MODE_CBC */
719
720 #if defined(MBEDTLS_CIPHER_MODE_CFB)
721 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) {
722 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx,
723 ctx->operation, ilen,
724 &ctx->unprocessed_len,
725 ctx->iv,
726 input, output))) {
727 return ret;
728 }
729
730 *olen = ilen;
731
732 return 0;
733 }
734 #endif /* MBEDTLS_CIPHER_MODE_CFB */
735
736 #if defined(MBEDTLS_CIPHER_MODE_OFB)
737 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) {
738 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx,
739 ilen,
740 &ctx->unprocessed_len,
741 ctx->iv,
742 input, output))) {
743 return ret;
744 }
745
746 *olen = ilen;
747
748 return 0;
749 }
750 #endif /* MBEDTLS_CIPHER_MODE_OFB */
751
752 #if defined(MBEDTLS_CIPHER_MODE_CTR)
753 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) {
754 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx,
755 ilen,
756 &ctx->unprocessed_len,
757 ctx->iv,
758 ctx->unprocessed_data,
759 input, output))) {
760 return ret;
761 }
762
763 *olen = ilen;
764
765 return 0;
766 }
767 #endif /* MBEDTLS_CIPHER_MODE_CTR */
768
769 #if defined(MBEDTLS_CIPHER_MODE_XTS)
770 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) {
771 if (ctx->unprocessed_len > 0) {
772 /* We can only process an entire data unit at a time. */
773 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
774 }
775
776 ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx,
777 ctx->operation,
778 ilen,
779 ctx->iv,
780 input,
781 output);
782 if (ret != 0) {
783 return ret;
784 }
785
786 *olen = ilen;
787
788 return 0;
789 }
790 #endif /* MBEDTLS_CIPHER_MODE_XTS */
791
792 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
793 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) {
794 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx,
795 ilen, input,
796 output))) {
797 return ret;
798 }
799
800 *olen = ilen;
801
802 return 0;
803 }
804 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
805
806 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
807 }
808
809 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
810 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
811 /*
812 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
813 */
add_pkcs_padding(unsigned char * output,size_t output_len,size_t data_len)814 static void add_pkcs_padding(unsigned char *output, size_t output_len,
815 size_t data_len)
816 {
817 size_t padding_len = output_len - data_len;
818 unsigned char i;
819
820 for (i = 0; i < padding_len; i++) {
821 output[data_len + i] = (unsigned char) padding_len;
822 }
823 }
824
get_pkcs_padding(unsigned char * input,size_t input_len,size_t * data_len)825 static int get_pkcs_padding(unsigned char *input, size_t input_len,
826 size_t *data_len)
827 {
828 size_t i, pad_idx;
829 unsigned char padding_len;
830
831 if (NULL == input || NULL == data_len) {
832 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
833 }
834
835 padding_len = input[input_len - 1];
836 *data_len = input_len - padding_len;
837
838 mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
839 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
840
841 /* The number of bytes checked must be independent of padding_len,
842 * so pick input_len, which is usually 8 or 16 (one block) */
843 pad_idx = input_len - padding_len;
844 for (i = 0; i < input_len; i++) {
845 mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
846 mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
847 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
848 }
849
850 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
851 }
852 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
853
854 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
855 /*
856 * One and zeros padding: fill with 80 00 ... 00
857 */
add_one_and_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)858 static void add_one_and_zeros_padding(unsigned char *output,
859 size_t output_len, size_t data_len)
860 {
861 size_t padding_len = output_len - data_len;
862 unsigned char i = 0;
863
864 output[data_len] = 0x80;
865 for (i = 1; i < padding_len; i++) {
866 output[data_len + i] = 0x00;
867 }
868 }
869
get_one_and_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)870 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
871 size_t *data_len)
872 {
873 if (NULL == input || NULL == data_len) {
874 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
875 }
876
877 mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;
878 mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;
879
880 *data_len = 0;
881
882 for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
883 mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);
884
885 mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
886
887 *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
888
889 bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
890
891 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
892 }
893
894 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
895 }
896 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
897
898 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
899 /*
900 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
901 */
add_zeros_and_len_padding(unsigned char * output,size_t output_len,size_t data_len)902 static void add_zeros_and_len_padding(unsigned char *output,
903 size_t output_len, size_t data_len)
904 {
905 size_t padding_len = output_len - data_len;
906 unsigned char i = 0;
907
908 for (i = 1; i < padding_len; i++) {
909 output[data_len + i - 1] = 0x00;
910 }
911 output[output_len - 1] = (unsigned char) padding_len;
912 }
913
get_zeros_and_len_padding(unsigned char * input,size_t input_len,size_t * data_len)914 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
915 size_t *data_len)
916 {
917 size_t i, pad_idx;
918 unsigned char padding_len;
919 mbedtls_ct_condition_t bad;
920
921 if (NULL == input || NULL == data_len) {
922 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
923 }
924
925 padding_len = input[input_len - 1];
926 *data_len = input_len - padding_len;
927
928 /* Avoid logical || since it results in a branch */
929 bad = mbedtls_ct_uint_gt(padding_len, input_len);
930 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
931
932 /* The number of bytes checked must be independent of padding_len */
933 pad_idx = input_len - padding_len;
934 for (i = 0; i < input_len - 1; i++) {
935 mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
936 mbedtls_ct_condition_t nonzero_pad_byte;
937 nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
938 bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
939 }
940
941 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
942 }
943 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
944
945 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
946 /*
947 * Zero padding: fill with 00 ... 00
948 */
add_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)949 static void add_zeros_padding(unsigned char *output,
950 size_t output_len, size_t data_len)
951 {
952 memset(output + data_len, 0, output_len - data_len);
953 }
954
get_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)955 static int get_zeros_padding(unsigned char *input, size_t input_len,
956 size_t *data_len)
957 {
958 size_t i;
959 mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;
960
961 if (NULL == input || NULL == data_len) {
962 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
963 }
964
965 *data_len = 0;
966 for (i = input_len; i > 0; i--) {
967 prev_done = done;
968 done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));
969 *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
970 }
971
972 return 0;
973 }
974 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
975
976 /*
977 * No padding: don't pad :)
978 *
979 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
980 * but a trivial get_padding function
981 */
get_no_padding(unsigned char * input,size_t input_len,size_t * data_len)982 static int get_no_padding(unsigned char *input, size_t input_len,
983 size_t *data_len)
984 {
985 if (NULL == input || NULL == data_len) {
986 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
987 }
988
989 *data_len = input_len;
990
991 return 0;
992 }
993 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
994
mbedtls_cipher_finish(mbedtls_cipher_context_t * ctx,unsigned char * output,size_t * olen)995 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
996 unsigned char *output, size_t *olen)
997 {
998 if (ctx->cipher_info == NULL) {
999 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1000 }
1001
1002 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1003 if (ctx->psa_enabled == 1) {
1004 /* While PSA Crypto has an API for multipart
1005 * operations, we currently don't make it
1006 * accessible through the cipher layer. */
1007 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1008 }
1009 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1010
1011 *olen = 0;
1012
1013 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
1014 /* CBC mode requires padding so we make sure a call to
1015 * mbedtls_cipher_set_padding_mode has been done successfully. */
1016 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1017 if (ctx->get_padding == NULL) {
1018 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1019 }
1020 }
1021 #endif
1022
1023 if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1024 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1025 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1026 MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1027 MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1028 MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1029 MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1030 return 0;
1031 }
1032
1033 if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) ||
1034 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) {
1035 return 0;
1036 }
1037
1038 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1039 if (ctx->unprocessed_len != 0) {
1040 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1041 }
1042
1043 return 0;
1044 }
1045
1046 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1047 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1048 int ret = 0;
1049
1050 if (MBEDTLS_ENCRYPT == ctx->operation) {
1051 /* check for 'no padding' mode */
1052 if (NULL == ctx->add_padding) {
1053 if (0 != ctx->unprocessed_len) {
1054 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1055 }
1056
1057 return 0;
1058 }
1059
1060 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),
1061 ctx->unprocessed_len);
1062 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {
1063 /*
1064 * For decrypt operations, expect a full block,
1065 * or an empty block if no padding
1066 */
1067 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {
1068 return 0;
1069 }
1070
1071 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1072 }
1073
1074 /* cipher block */
1075 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
1076 ctx->operation,
1077 mbedtls_cipher_get_block_size(
1078 ctx),
1079 ctx->iv,
1080 ctx->unprocessed_data,
1081 output))) {
1082 return ret;
1083 }
1084
1085 /* Set output size for decryption */
1086 if (MBEDTLS_DECRYPT == ctx->operation) {
1087 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
1088 olen);
1089 }
1090
1091 /* Set output size for encryption */
1092 *olen = mbedtls_cipher_get_block_size(ctx);
1093 return 0;
1094 }
1095 #else
1096 ((void) output);
1097 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1098
1099 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1100 }
1101
1102 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t * ctx,mbedtls_cipher_padding_t mode)1103 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
1104 mbedtls_cipher_padding_t mode)
1105 {
1106 if (NULL == ctx->cipher_info ||
1107 MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1108 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1109 }
1110
1111 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1112 if (ctx->psa_enabled == 1) {
1113 /* While PSA Crypto knows about CBC padding
1114 * schemes, we currently don't make them
1115 * accessible through the cipher layer. */
1116 if (mode != MBEDTLS_PADDING_NONE) {
1117 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1118 }
1119
1120 return 0;
1121 }
1122 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1123
1124 switch (mode) {
1125 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1126 case MBEDTLS_PADDING_PKCS7:
1127 ctx->add_padding = add_pkcs_padding;
1128 ctx->get_padding = get_pkcs_padding;
1129 break;
1130 #endif
1131 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1132 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1133 ctx->add_padding = add_one_and_zeros_padding;
1134 ctx->get_padding = get_one_and_zeros_padding;
1135 break;
1136 #endif
1137 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1138 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1139 ctx->add_padding = add_zeros_and_len_padding;
1140 ctx->get_padding = get_zeros_and_len_padding;
1141 break;
1142 #endif
1143 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1144 case MBEDTLS_PADDING_ZEROS:
1145 ctx->add_padding = add_zeros_padding;
1146 ctx->get_padding = get_zeros_padding;
1147 break;
1148 #endif
1149 case MBEDTLS_PADDING_NONE:
1150 ctx->add_padding = NULL;
1151 ctx->get_padding = get_no_padding;
1152 break;
1153
1154 default:
1155 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1156 }
1157
1158 return 0;
1159 }
1160 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1161
1162 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_write_tag(mbedtls_cipher_context_t * ctx,unsigned char * tag,size_t tag_len)1163 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
1164 unsigned char *tag, size_t tag_len)
1165 {
1166 if (ctx->cipher_info == NULL) {
1167 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1168 }
1169
1170 if (MBEDTLS_ENCRYPT != ctx->operation) {
1171 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1172 }
1173
1174 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1175 if (ctx->psa_enabled == 1) {
1176 /* While PSA Crypto has an API for multipart
1177 * operations, we currently don't make it
1178 * accessible through the cipher layer. */
1179 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1180 }
1181 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1182
1183 #if defined(MBEDTLS_GCM_C)
1184 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1185 size_t output_length;
1186 /* The code here doesn't yet support alternative implementations
1187 * that can delay up to a block of output. */
1188 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
1189 NULL, 0, &output_length,
1190 tag, tag_len);
1191 }
1192 #endif
1193
1194 #if defined(MBEDTLS_CHACHAPOLY_C)
1195 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1196 /* Don't allow truncated MAC for Poly1305 */
1197 if (tag_len != 16U) {
1198 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1199 }
1200
1201 return mbedtls_chachapoly_finish(
1202 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);
1203 }
1204 #endif
1205
1206 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1207 }
1208
mbedtls_cipher_check_tag(mbedtls_cipher_context_t * ctx,const unsigned char * tag,size_t tag_len)1209 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
1210 const unsigned char *tag, size_t tag_len)
1211 {
1212 unsigned char check_tag[16];
1213 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1214
1215 if (ctx->cipher_info == NULL) {
1216 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1217 }
1218
1219 if (MBEDTLS_DECRYPT != ctx->operation) {
1220 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1221 }
1222
1223 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1224 if (ctx->psa_enabled == 1) {
1225 /* While PSA Crypto has an API for multipart
1226 * operations, we currently don't make it
1227 * accessible through the cipher layer. */
1228 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1229 }
1230 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1231
1232 /* Status to return on a non-authenticated algorithm. */
1233 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1234
1235 #if defined(MBEDTLS_GCM_C)
1236 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1237 size_t output_length;
1238 /* The code here doesn't yet support alternative implementations
1239 * that can delay up to a block of output. */
1240
1241 if (tag_len > sizeof(check_tag)) {
1242 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1243 }
1244
1245 if (0 != (ret = mbedtls_gcm_finish(
1246 (mbedtls_gcm_context *) ctx->cipher_ctx,
1247 NULL, 0, &output_length,
1248 check_tag, tag_len))) {
1249 return ret;
1250 }
1251
1252 /* Check the tag in "constant-time" */
1253 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1254 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1255 goto exit;
1256 }
1257 }
1258 #endif /* MBEDTLS_GCM_C */
1259
1260 #if defined(MBEDTLS_CHACHAPOLY_C)
1261 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1262 /* Don't allow truncated MAC for Poly1305 */
1263 if (tag_len != sizeof(check_tag)) {
1264 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1265 }
1266
1267 ret = mbedtls_chachapoly_finish(
1268 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
1269 if (ret != 0) {
1270 return ret;
1271 }
1272
1273 /* Check the tag in "constant-time" */
1274 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1275 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1276 goto exit;
1277 }
1278 }
1279 #endif /* MBEDTLS_CHACHAPOLY_C */
1280
1281 exit:
1282 mbedtls_platform_zeroize(check_tag, tag_len);
1283 return ret;
1284 }
1285 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1286
1287 /*
1288 * Packet-oriented wrapper for non-AEAD modes
1289 */
mbedtls_cipher_crypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)1290 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
1291 const unsigned char *iv, size_t iv_len,
1292 const unsigned char *input, size_t ilen,
1293 unsigned char *output, size_t *olen)
1294 {
1295 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1296 size_t finish_olen;
1297
1298 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1299 if (ctx->psa_enabled == 1) {
1300 /* As in the non-PSA case, we don't check that
1301 * a key has been set. If not, the key slot will
1302 * still be in its default state of 0, which is
1303 * guaranteed to be invalid, hence the PSA-call
1304 * below will gracefully fail. */
1305 mbedtls_cipher_context_psa * const cipher_psa =
1306 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1307
1308 psa_status_t status;
1309 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1310 size_t part_len;
1311
1312 if (ctx->operation == MBEDTLS_DECRYPT) {
1313 status = psa_cipher_decrypt_setup(&cipher_op,
1314 cipher_psa->slot,
1315 cipher_psa->alg);
1316 } else if (ctx->operation == MBEDTLS_ENCRYPT) {
1317 status = psa_cipher_encrypt_setup(&cipher_op,
1318 cipher_psa->slot,
1319 cipher_psa->alg);
1320 } else {
1321 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1322 }
1323
1324 /* In the following, we can immediately return on an error,
1325 * because the PSA Crypto API guarantees that cipher operations
1326 * are terminated by unsuccessful calls to psa_cipher_update(),
1327 * and by any call to psa_cipher_finish(). */
1328 if (status != PSA_SUCCESS) {
1329 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1330 }
1331
1332 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) {
1333 status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
1334 if (status != PSA_SUCCESS) {
1335 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1336 }
1337 }
1338
1339 status = psa_cipher_update(&cipher_op,
1340 input, ilen,
1341 output, ilen, olen);
1342 if (status != PSA_SUCCESS) {
1343 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1344 }
1345
1346 status = psa_cipher_finish(&cipher_op,
1347 output + *olen, ilen - *olen,
1348 &part_len);
1349 if (status != PSA_SUCCESS) {
1350 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1351 }
1352
1353 *olen += part_len;
1354 return 0;
1355 }
1356 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1357
1358 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
1359 return ret;
1360 }
1361
1362 if ((ret = mbedtls_cipher_reset(ctx)) != 0) {
1363 return ret;
1364 }
1365
1366 if ((ret = mbedtls_cipher_update(ctx, input, ilen,
1367 output, olen)) != 0) {
1368 return ret;
1369 }
1370
1371 if ((ret = mbedtls_cipher_finish(ctx, output + *olen,
1372 &finish_olen)) != 0) {
1373 return ret;
1374 }
1375
1376 *olen += finish_olen;
1377
1378 return 0;
1379 }
1380
1381 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1382 /*
1383 * Packet-oriented encryption for AEAD modes: internal function used by
1384 * mbedtls_cipher_auth_encrypt_ext().
1385 */
mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1386 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
1387 const unsigned char *iv, size_t iv_len,
1388 const unsigned char *ad, size_t ad_len,
1389 const unsigned char *input, size_t ilen,
1390 unsigned char *output, size_t *olen,
1391 unsigned char *tag, size_t tag_len)
1392 {
1393 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1394 if (ctx->psa_enabled == 1) {
1395 /* As in the non-PSA case, we don't check that
1396 * a key has been set. If not, the key slot will
1397 * still be in its default state of 0, which is
1398 * guaranteed to be invalid, hence the PSA-call
1399 * below will gracefully fail. */
1400 mbedtls_cipher_context_psa * const cipher_psa =
1401 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1402
1403 psa_status_t status;
1404
1405 /* PSA Crypto API always writes the authentication tag
1406 * at the end of the encrypted message. */
1407 if (output == NULL || tag != output + ilen) {
1408 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1409 }
1410
1411 status = psa_aead_encrypt(cipher_psa->slot,
1412 cipher_psa->alg,
1413 iv, iv_len,
1414 ad, ad_len,
1415 input, ilen,
1416 output, ilen + tag_len, olen);
1417 if (status != PSA_SUCCESS) {
1418 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1419 }
1420
1421 *olen -= tag_len;
1422 return 0;
1423 }
1424 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1425
1426 #if defined(MBEDTLS_GCM_C)
1427 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1428 *olen = ilen;
1429 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1430 ilen, iv, iv_len, ad, ad_len,
1431 input, output, tag_len, tag);
1432 }
1433 #endif /* MBEDTLS_GCM_C */
1434 #if defined(MBEDTLS_CCM_C)
1435 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1436 *olen = ilen;
1437 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
1438 iv, iv_len, ad, ad_len, input, output,
1439 tag, tag_len);
1440 }
1441 #endif /* MBEDTLS_CCM_C */
1442 #if defined(MBEDTLS_CHACHAPOLY_C)
1443 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1444 /* ChachaPoly has fixed length nonce and MAC (tag) */
1445 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
1446 (tag_len != 16U)) {
1447 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1448 }
1449
1450 *olen = ilen;
1451 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,
1452 ilen, iv, ad, ad_len, input, output, tag);
1453 }
1454 #endif /* MBEDTLS_CHACHAPOLY_C */
1455
1456 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1457 }
1458
1459 /*
1460 * Packet-oriented encryption for AEAD modes: internal function used by
1461 * mbedtls_cipher_auth_encrypt_ext().
1462 */
mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1463 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
1464 const unsigned char *iv, size_t iv_len,
1465 const unsigned char *ad, size_t ad_len,
1466 const unsigned char *input, size_t ilen,
1467 unsigned char *output, size_t *olen,
1468 const unsigned char *tag, size_t tag_len)
1469 {
1470 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1471 if (ctx->psa_enabled == 1) {
1472 /* As in the non-PSA case, we don't check that
1473 * a key has been set. If not, the key slot will
1474 * still be in its default state of 0, which is
1475 * guaranteed to be invalid, hence the PSA-call
1476 * below will gracefully fail. */
1477 mbedtls_cipher_context_psa * const cipher_psa =
1478 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1479
1480 psa_status_t status;
1481
1482 /* PSA Crypto API always writes the authentication tag
1483 * at the end of the encrypted message. */
1484 if (input == NULL || tag != input + ilen) {
1485 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1486 }
1487
1488 status = psa_aead_decrypt(cipher_psa->slot,
1489 cipher_psa->alg,
1490 iv, iv_len,
1491 ad, ad_len,
1492 input, ilen + tag_len,
1493 output, ilen, olen);
1494 if (status == PSA_ERROR_INVALID_SIGNATURE) {
1495 return MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1496 } else if (status != PSA_SUCCESS) {
1497 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1498 }
1499
1500 return 0;
1501 }
1502 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1503
1504 #if defined(MBEDTLS_GCM_C)
1505 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1506 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1507
1508 *olen = ilen;
1509 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
1510 iv, iv_len, ad, ad_len,
1511 tag, tag_len, input, output);
1512
1513 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
1514 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1515 }
1516
1517 return ret;
1518 }
1519 #endif /* MBEDTLS_GCM_C */
1520 #if defined(MBEDTLS_CCM_C)
1521 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1523
1524 *olen = ilen;
1525 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
1526 iv, iv_len, ad, ad_len,
1527 input, output, tag, tag_len);
1528
1529 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
1530 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1531 }
1532
1533 return ret;
1534 }
1535 #endif /* MBEDTLS_CCM_C */
1536 #if defined(MBEDTLS_CHACHAPOLY_C)
1537 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1538 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1539
1540 /* ChachaPoly has fixed length nonce and MAC (tag) */
1541 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
1542 (tag_len != 16U)) {
1543 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1544 }
1545
1546 *olen = ilen;
1547 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,
1548 iv, ad, ad_len, tag, input, output);
1549
1550 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {
1551 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1552 }
1553
1554 return ret;
1555 }
1556 #endif /* MBEDTLS_CHACHAPOLY_C */
1557
1558 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1559 }
1560 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1561
1562 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1563 /*
1564 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1565 */
mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1566 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
1567 const unsigned char *iv, size_t iv_len,
1568 const unsigned char *ad, size_t ad_len,
1569 const unsigned char *input, size_t ilen,
1570 unsigned char *output, size_t output_len,
1571 size_t *olen, size_t tag_len)
1572 {
1573 #if defined(MBEDTLS_NIST_KW_C)
1574 if (
1575 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1576 ctx->psa_enabled == 0 &&
1577 #endif
1578 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1579 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
1580 mbedtls_nist_kw_mode_t mode =
1581 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
1582 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1583
1584 /* There is no iv, tag or ad associated with KW and KWP,
1585 * so these length should be 0 as documented. */
1586 if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1587 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1588 }
1589
1590 (void) iv;
1591 (void) ad;
1592
1593 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
1594 output, olen, output_len);
1595 }
1596 #endif /* MBEDTLS_NIST_KW_C */
1597
1598 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1599 /* AEAD case: check length before passing on to shared function */
1600 if (output_len < ilen + tag_len) {
1601 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1602 }
1603
1604 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
1605 input, ilen, output, olen,
1606 output + ilen, tag_len);
1607 *olen += tag_len;
1608 return ret;
1609 #else
1610 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1611 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1612 }
1613
1614 /*
1615 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1616 */
mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1617 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
1618 const unsigned char *iv, size_t iv_len,
1619 const unsigned char *ad, size_t ad_len,
1620 const unsigned char *input, size_t ilen,
1621 unsigned char *output, size_t output_len,
1622 size_t *olen, size_t tag_len)
1623 {
1624 #if defined(MBEDTLS_NIST_KW_C)
1625 if (
1626 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1627 ctx->psa_enabled == 0 &&
1628 #endif
1629 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1630 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
1631 mbedtls_nist_kw_mode_t mode =
1632 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
1633 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1634
1635 /* There is no iv, tag or ad associated with KW and KWP,
1636 * so these length should be 0 as documented. */
1637 if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1638 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1639 }
1640
1641 (void) iv;
1642 (void) ad;
1643
1644 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
1645 output, olen, output_len);
1646 }
1647 #endif /* MBEDTLS_NIST_KW_C */
1648
1649 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1650 /* AEAD case: check length before passing on to shared function */
1651 if (ilen < tag_len || output_len < ilen - tag_len) {
1652 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1653 }
1654
1655 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
1656 input, ilen - tag_len, output, olen,
1657 input + ilen - tag_len, tag_len);
1658 #else
1659 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1660 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1661 }
1662 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1663
1664 #endif /* MBEDTLS_CIPHER_C */
1665
