1 /**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for Mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 */
11
12 #include "common.h"
13
14 #if defined(MBEDTLS_CIPHER_C)
15
16 #include "mbedtls/cipher.h"
17 #include "cipher_wrap.h"
18 #include "mbedtls/platform_util.h"
19 #include "mbedtls/error.h"
20 #include "mbedtls/constant_time.h"
21 #include "constant_time_internal.h"
22
23 #include <stdlib.h>
24 #include <string.h>
25
26 #if defined(MBEDTLS_CHACHAPOLY_C)
27 #include "mbedtls/chachapoly.h"
28 #endif
29
30 #if defined(MBEDTLS_GCM_C)
31 #include "mbedtls/gcm.h"
32 #endif
33
34 #if defined(MBEDTLS_CCM_C)
35 #include "mbedtls/ccm.h"
36 #endif
37
38 #if defined(MBEDTLS_CHACHA20_C)
39 #include "mbedtls/chacha20.h"
40 #endif
41
42 #if defined(MBEDTLS_CMAC_C)
43 #include "mbedtls/cmac.h"
44 #endif
45
46 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
47 #include "psa/crypto.h"
48 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
49
50 #if defined(MBEDTLS_NIST_KW_C)
51 #include "mbedtls/nist_kw.h"
52 #endif
53
54 #include "mbedtls/platform.h"
55
56 static int supported_init = 0;
57
mbedtls_cipher_get_base(const mbedtls_cipher_info_t * info)58 static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base(
59 const mbedtls_cipher_info_t *info)
60 {
61 return mbedtls_cipher_base_lookup_table[info->base_idx];
62 }
63
mbedtls_cipher_list(void)64 const int *mbedtls_cipher_list(void)
65 {
66 const mbedtls_cipher_definition_t *def;
67 int *type;
68
69 if (!supported_init) {
70 def = mbedtls_cipher_definitions;
71 type = mbedtls_cipher_supported;
72
73 while (def->type != 0) {
74 *type++ = (*def++).type;
75 }
76
77 *type = 0;
78
79 supported_init = 1;
80 }
81
82 return mbedtls_cipher_supported;
83 }
84
mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)85 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
86 const mbedtls_cipher_type_t cipher_type)
87 {
88 const mbedtls_cipher_definition_t *def;
89
90 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
91 if (def->type == cipher_type) {
92 return def->info;
93 }
94 }
95
96 return NULL;
97 }
98
mbedtls_cipher_info_from_string(const char * cipher_name)99 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
100 const char *cipher_name)
101 {
102 const mbedtls_cipher_definition_t *def;
103
104 if (NULL == cipher_name) {
105 return NULL;
106 }
107
108 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
109 if (!strcmp(def->info->name, cipher_name)) {
110 return def->info;
111 }
112 }
113
114 return NULL;
115 }
116
mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,int key_bitlen,const mbedtls_cipher_mode_t mode)117 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
118 const mbedtls_cipher_id_t cipher_id,
119 int key_bitlen,
120 const mbedtls_cipher_mode_t mode)
121 {
122 const mbedtls_cipher_definition_t *def;
123
124 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
125 if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id &&
126 mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen &&
127 def->info->mode == mode) {
128 return def->info;
129 }
130 }
131
132 return NULL;
133 }
134
135 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_psa_translate_cipher_type(mbedtls_cipher_type_t cipher)136 static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
137 mbedtls_cipher_type_t cipher)
138 {
139 switch (cipher) {
140 case MBEDTLS_CIPHER_AES_128_CCM:
141 case MBEDTLS_CIPHER_AES_192_CCM:
142 case MBEDTLS_CIPHER_AES_256_CCM:
143 case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:
144 case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:
145 case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:
146 case MBEDTLS_CIPHER_AES_128_GCM:
147 case MBEDTLS_CIPHER_AES_192_GCM:
148 case MBEDTLS_CIPHER_AES_256_GCM:
149 case MBEDTLS_CIPHER_AES_128_CBC:
150 case MBEDTLS_CIPHER_AES_192_CBC:
151 case MBEDTLS_CIPHER_AES_256_CBC:
152 case MBEDTLS_CIPHER_AES_128_ECB:
153 case MBEDTLS_CIPHER_AES_192_ECB:
154 case MBEDTLS_CIPHER_AES_256_ECB:
155 return PSA_KEY_TYPE_AES;
156
157 /* ARIA not yet supported in PSA. */
158 /* case MBEDTLS_CIPHER_ARIA_128_CCM:
159 case MBEDTLS_CIPHER_ARIA_192_CCM:
160 case MBEDTLS_CIPHER_ARIA_256_CCM:
161 case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:
162 case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:
163 case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:
164 case MBEDTLS_CIPHER_ARIA_128_GCM:
165 case MBEDTLS_CIPHER_ARIA_192_GCM:
166 case MBEDTLS_CIPHER_ARIA_256_GCM:
167 case MBEDTLS_CIPHER_ARIA_128_CBC:
168 case MBEDTLS_CIPHER_ARIA_192_CBC:
169 case MBEDTLS_CIPHER_ARIA_256_CBC:
170 return( PSA_KEY_TYPE_ARIA ); */
171
172 default:
173 return 0;
174 }
175 }
176
mbedtls_psa_translate_cipher_mode(mbedtls_cipher_mode_t mode,size_t taglen)177 static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
178 mbedtls_cipher_mode_t mode, size_t taglen)
179 {
180 switch (mode) {
181 case MBEDTLS_MODE_ECB:
182 return PSA_ALG_ECB_NO_PADDING;
183 case MBEDTLS_MODE_GCM:
184 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen);
185 case MBEDTLS_MODE_CCM:
186 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen);
187 case MBEDTLS_MODE_CCM_STAR_NO_TAG:
188 return PSA_ALG_CCM_STAR_NO_TAG;
189 case MBEDTLS_MODE_CBC:
190 if (taglen == 0) {
191 return PSA_ALG_CBC_NO_PADDING;
192 } else {
193 return 0;
194 }
195 default:
196 return 0;
197 }
198 }
199 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
200
mbedtls_cipher_init(mbedtls_cipher_context_t * ctx)201 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
202 {
203 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
204 }
205
mbedtls_cipher_free(mbedtls_cipher_context_t * ctx)206 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
207 {
208 if (ctx == NULL) {
209 return;
210 }
211
212 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
213 if (ctx->psa_enabled == 1) {
214 if (ctx->cipher_ctx != NULL) {
215 mbedtls_cipher_context_psa * const cipher_psa =
216 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
217
218 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
219 /* xxx_free() doesn't allow to return failures. */
220 (void) psa_destroy_key(cipher_psa->slot);
221 }
222
223 mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa));
224 }
225
226 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
227 return;
228 }
229 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
230
231 #if defined(MBEDTLS_CMAC_C)
232 if (ctx->cmac_ctx) {
233 mbedtls_zeroize_and_free(ctx->cmac_ctx,
234 sizeof(mbedtls_cmac_context_t));
235 }
236 #endif
237
238 if (ctx->cipher_ctx) {
239 mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx);
240 }
241
242 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
243 }
244
mbedtls_cipher_setup(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)245 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
246 const mbedtls_cipher_info_t *cipher_info)
247 {
248 if (cipher_info == NULL) {
249 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
250 }
251
252 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
253
254 if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) {
255 ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func();
256 if (ctx->cipher_ctx == NULL) {
257 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
258 }
259 }
260
261 ctx->cipher_info = cipher_info;
262
263 return 0;
264 }
265
266 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_cipher_setup_psa(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info,size_t taglen)267 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
268 const mbedtls_cipher_info_t *cipher_info,
269 size_t taglen)
270 {
271 psa_algorithm_t alg;
272 mbedtls_cipher_context_psa *cipher_psa;
273
274 if (NULL == cipher_info || NULL == ctx) {
275 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
276 }
277
278 /* Check that the underlying cipher mode and cipher type are
279 * supported by the underlying PSA Crypto implementation. */
280 alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen);
281 if (alg == 0) {
282 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
283 }
284 if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) {
285 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
286 }
287
288 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
289
290 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
291 if (cipher_psa == NULL) {
292 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
293 }
294 cipher_psa->alg = alg;
295 ctx->cipher_ctx = cipher_psa;
296 ctx->cipher_info = cipher_info;
297 ctx->psa_enabled = 1;
298 return 0;
299 }
300 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
301
mbedtls_cipher_setkey(mbedtls_cipher_context_t * ctx,const unsigned char * key,int key_bitlen,const mbedtls_operation_t operation)302 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
303 const unsigned char *key,
304 int key_bitlen,
305 const mbedtls_operation_t operation)
306 {
307 if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) {
308 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
309 }
310 if (ctx->cipher_info == NULL) {
311 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
312 }
313 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
314 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) &&
315 MBEDTLS_DECRYPT == operation) {
316 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
317 }
318 #endif
319
320 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
321 if (ctx->psa_enabled == 1) {
322 mbedtls_cipher_context_psa * const cipher_psa =
323 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
324
325 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
326
327 psa_status_t status;
328 psa_key_type_t key_type;
329 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
330
331 /* PSA Crypto API only accepts byte-aligned keys. */
332 if (key_bitlen % 8 != 0) {
333 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
334 }
335
336 /* Don't allow keys to be set multiple times. */
337 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {
338 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
339 }
340
341 key_type = mbedtls_psa_translate_cipher_type(
342 ((mbedtls_cipher_type_t) ctx->cipher_info->type));
343 if (key_type == 0) {
344 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
345 }
346 psa_set_key_type(&attributes, key_type);
347
348 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
349 * (encrypt vs. decrypt): it is possible to setup a key for encryption
350 * and use it for AEAD decryption. Until tests relying on this
351 * are changed, allow any usage in PSA. */
352 psa_set_key_usage_flags(&attributes,
353 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
354 psa_set_key_algorithm(&attributes, cipher_psa->alg);
355
356 status = psa_import_key(&attributes, key, key_bytelen,
357 &cipher_psa->slot);
358 switch (status) {
359 case PSA_SUCCESS:
360 break;
361 case PSA_ERROR_INSUFFICIENT_MEMORY:
362 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
363 case PSA_ERROR_NOT_SUPPORTED:
364 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
365 default:
366 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
367 }
368 /* Indicate that we own the key slot and need to
369 * destroy it in mbedtls_cipher_free(). */
370 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
371
372 ctx->key_bitlen = key_bitlen;
373 ctx->operation = operation;
374 return 0;
375 }
376 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
377
378 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
379 (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) {
380 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
381 }
382
383 ctx->key_bitlen = key_bitlen;
384 ctx->operation = operation;
385
386 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
387 /*
388 * For OFB, CFB and CTR mode always use the encryption key schedule
389 */
390 if (MBEDTLS_ENCRYPT == operation ||
391 MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
392 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
393 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
394 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
395 ctx->key_bitlen);
396 }
397
398 if (MBEDTLS_DECRYPT == operation) {
399 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,
400 ctx->key_bitlen);
401 }
402 #else
403 if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) {
404 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
405 ctx->key_bitlen);
406 }
407 #endif
408
409 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
410 }
411
mbedtls_cipher_set_iv(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len)412 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
413 const unsigned char *iv,
414 size_t iv_len)
415 {
416 size_t actual_iv_size;
417
418 if (ctx->cipher_info == NULL) {
419 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
420 }
421 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
422 if (ctx->psa_enabled == 1) {
423 /* While PSA Crypto has an API for multipart
424 * operations, we currently don't make it
425 * accessible through the cipher layer. */
426 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
427 }
428 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
429
430 /* avoid buffer overflow in ctx->iv */
431 if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
432 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
433 }
434
435 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
436 actual_iv_size = iv_len;
437 } else {
438 actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info);
439
440 /* avoid reading past the end of input buffer */
441 if (actual_iv_size > iv_len) {
442 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
443 }
444 }
445
446 #if defined(MBEDTLS_CHACHA20_C)
447 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) {
448 /* Even though the actual_iv_size is overwritten with a correct value
449 * of 12 from the cipher info, return an error to indicate that
450 * the input iv_len is wrong. */
451 if (iv_len != 12) {
452 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
453 }
454
455 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,
456 iv,
457 0U)) { /* Initial counter value */
458 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
459 }
460 }
461 #if defined(MBEDTLS_CHACHAPOLY_C)
462 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
463 iv_len != 12) {
464 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
465 }
466 #endif
467 #endif
468
469 #if defined(MBEDTLS_GCM_C)
470 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
471 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx,
472 ctx->operation,
473 iv, iv_len);
474 }
475 #endif
476
477 #if defined(MBEDTLS_CCM_C)
478 if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
479 int set_lengths_result;
480 int ccm_star_mode;
481
482 set_lengths_result = mbedtls_ccm_set_lengths(
483 (mbedtls_ccm_context *) ctx->cipher_ctx,
484 0, 0, 0);
485 if (set_lengths_result != 0) {
486 return set_lengths_result;
487 }
488
489 if (ctx->operation == MBEDTLS_DECRYPT) {
490 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;
491 } else if (ctx->operation == MBEDTLS_ENCRYPT) {
492 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;
493 } else {
494 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
495 }
496
497 return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx,
498 ccm_star_mode,
499 iv, iv_len);
500 }
501 #endif
502
503 if (actual_iv_size != 0) {
504 memcpy(ctx->iv, iv, actual_iv_size);
505 ctx->iv_size = actual_iv_size;
506 }
507
508 return 0;
509 }
510
mbedtls_cipher_reset(mbedtls_cipher_context_t * ctx)511 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
512 {
513 if (ctx->cipher_info == NULL) {
514 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
515 }
516
517 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
518 if (ctx->psa_enabled == 1) {
519 /* We don't support resetting PSA-based
520 * cipher contexts, yet. */
521 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
522 }
523 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
524
525 ctx->unprocessed_len = 0;
526
527 return 0;
528 }
529
530 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_update_ad(mbedtls_cipher_context_t * ctx,const unsigned char * ad,size_t ad_len)531 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
532 const unsigned char *ad, size_t ad_len)
533 {
534 if (ctx->cipher_info == NULL) {
535 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
536 }
537
538 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
539 if (ctx->psa_enabled == 1) {
540 /* While PSA Crypto has an API for multipart
541 * operations, we currently don't make it
542 * accessible through the cipher layer. */
543 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
544 }
545 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
546
547 #if defined(MBEDTLS_GCM_C)
548 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
549 return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx,
550 ad, ad_len);
551 }
552 #endif
553
554 #if defined(MBEDTLS_CHACHAPOLY_C)
555 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
556 int result;
557 mbedtls_chachapoly_mode_t mode;
558
559 mode = (ctx->operation == MBEDTLS_ENCRYPT)
560 ? MBEDTLS_CHACHAPOLY_ENCRYPT
561 : MBEDTLS_CHACHAPOLY_DECRYPT;
562
563 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx,
564 ctx->iv,
565 mode);
566 if (result != 0) {
567 return result;
568 }
569
570 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
571 ad, ad_len);
572 }
573 #endif
574
575 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
576 }
577 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
578
mbedtls_cipher_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)579 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
580 size_t ilen, unsigned char *output, size_t *olen)
581 {
582 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
583 size_t block_size;
584
585 if (ctx->cipher_info == NULL) {
586 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
587 }
588
589 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
590 if (ctx->psa_enabled == 1) {
591 /* While PSA Crypto has an API for multipart
592 * operations, we currently don't make it
593 * accessible through the cipher layer. */
594 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
595 }
596 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
597
598 *olen = 0;
599 block_size = mbedtls_cipher_get_block_size(ctx);
600 if (0 == block_size) {
601 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
602 }
603
604 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) {
605 if (ilen != block_size) {
606 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
607 }
608
609 *olen = ilen;
610
611 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx,
612 ctx->operation, input,
613 output))) {
614 return ret;
615 }
616
617 return 0;
618 }
619
620 #if defined(MBEDTLS_GCM_C)
621 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) {
622 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx,
623 input, ilen,
624 output, ilen, olen);
625 }
626 #endif
627
628 #if defined(MBEDTLS_CCM_C)
629 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) {
630 return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx,
631 input, ilen,
632 output, ilen, olen);
633 }
634 #endif
635
636 #if defined(MBEDTLS_CHACHAPOLY_C)
637 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
638 *olen = ilen;
639 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
640 ilen, input, output);
641 }
642 #endif
643
644 if (input == output &&
645 (ctx->unprocessed_len != 0 || ilen % block_size)) {
646 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
647 }
648
649 #if defined(MBEDTLS_CIPHER_MODE_CBC)
650 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) {
651 size_t copy_len = 0;
652
653 /*
654 * If there is not enough data for a full block, cache it.
655 */
656 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
657 ilen <= block_size - ctx->unprocessed_len) ||
658 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
659 ilen < block_size - ctx->unprocessed_len) ||
660 (ctx->operation == MBEDTLS_ENCRYPT &&
661 ilen < block_size - ctx->unprocessed_len)) {
662 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
663 ilen);
664
665 ctx->unprocessed_len += ilen;
666 return 0;
667 }
668
669 /*
670 * Process cached data first
671 */
672 if (0 != ctx->unprocessed_len) {
673 copy_len = block_size - ctx->unprocessed_len;
674
675 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
676 copy_len);
677
678 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
679 ctx->operation,
680 block_size, ctx->iv,
681 ctx->
682 unprocessed_data,
683 output))) {
684 return ret;
685 }
686
687 *olen += block_size;
688 output += block_size;
689 ctx->unprocessed_len = 0;
690
691 input += copy_len;
692 ilen -= copy_len;
693 }
694
695 /*
696 * Cache final, incomplete block
697 */
698 if (0 != ilen) {
699 /* Encryption: only cache partial blocks
700 * Decryption w/ padding: always keep at least one whole block
701 * Decryption w/o padding: only cache partial blocks
702 */
703 copy_len = ilen % block_size;
704 if (copy_len == 0 &&
705 ctx->operation == MBEDTLS_DECRYPT &&
706 NULL != ctx->add_padding) {
707 copy_len = block_size;
708 }
709
710 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),
711 copy_len);
712
713 ctx->unprocessed_len += copy_len;
714 ilen -= copy_len;
715 }
716
717 /*
718 * Process remaining full blocks
719 */
720 if (ilen) {
721 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
722 ctx->operation,
723 ilen, ctx->iv,
724 input,
725 output))) {
726 return ret;
727 }
728
729 *olen += ilen;
730 }
731
732 return 0;
733 }
734 #endif /* MBEDTLS_CIPHER_MODE_CBC */
735
736 #if defined(MBEDTLS_CIPHER_MODE_CFB)
737 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) {
738 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx,
739 ctx->operation, ilen,
740 &ctx->unprocessed_len,
741 ctx->iv,
742 input, output))) {
743 return ret;
744 }
745
746 *olen = ilen;
747
748 return 0;
749 }
750 #endif /* MBEDTLS_CIPHER_MODE_CFB */
751
752 #if defined(MBEDTLS_CIPHER_MODE_OFB)
753 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) {
754 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx,
755 ilen,
756 &ctx->unprocessed_len,
757 ctx->iv,
758 input, output))) {
759 return ret;
760 }
761
762 *olen = ilen;
763
764 return 0;
765 }
766 #endif /* MBEDTLS_CIPHER_MODE_OFB */
767
768 #if defined(MBEDTLS_CIPHER_MODE_CTR)
769 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) {
770 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx,
771 ilen,
772 &ctx->unprocessed_len,
773 ctx->iv,
774 ctx->unprocessed_data,
775 input, output))) {
776 return ret;
777 }
778
779 *olen = ilen;
780
781 return 0;
782 }
783 #endif /* MBEDTLS_CIPHER_MODE_CTR */
784
785 #if defined(MBEDTLS_CIPHER_MODE_XTS)
786 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) {
787 if (ctx->unprocessed_len > 0) {
788 /* We can only process an entire data unit at a time. */
789 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
790 }
791
792 ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx,
793 ctx->operation,
794 ilen,
795 ctx->iv,
796 input,
797 output);
798 if (ret != 0) {
799 return ret;
800 }
801
802 *olen = ilen;
803
804 return 0;
805 }
806 #endif /* MBEDTLS_CIPHER_MODE_XTS */
807
808 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
809 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) {
810 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx,
811 ilen, input,
812 output))) {
813 return ret;
814 }
815
816 *olen = ilen;
817
818 return 0;
819 }
820 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
821
822 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
823 }
824
825 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
826 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
827 /*
828 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
829 */
add_pkcs_padding(unsigned char * output,size_t output_len,size_t data_len)830 static void add_pkcs_padding(unsigned char *output, size_t output_len,
831 size_t data_len)
832 {
833 size_t padding_len = output_len - data_len;
834 unsigned char i;
835
836 for (i = 0; i < padding_len; i++) {
837 output[data_len + i] = (unsigned char) padding_len;
838 }
839 }
840
get_pkcs_padding(unsigned char * input,size_t input_len,size_t * data_len)841 static int get_pkcs_padding(unsigned char *input, size_t input_len,
842 size_t *data_len)
843 {
844 size_t i, pad_idx;
845 unsigned char padding_len;
846
847 if (NULL == input || NULL == data_len) {
848 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
849 }
850
851 padding_len = input[input_len - 1];
852 *data_len = input_len - padding_len;
853
854 mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
855 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
856
857 /* The number of bytes checked must be independent of padding_len,
858 * so pick input_len, which is usually 8 or 16 (one block) */
859 pad_idx = input_len - padding_len;
860 for (i = 0; i < input_len; i++) {
861 mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
862 mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
863 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
864 }
865
866 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
867 }
868 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
869
870 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
871 /*
872 * One and zeros padding: fill with 80 00 ... 00
873 */
add_one_and_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)874 static void add_one_and_zeros_padding(unsigned char *output,
875 size_t output_len, size_t data_len)
876 {
877 size_t padding_len = output_len - data_len;
878 unsigned char i = 0;
879
880 output[data_len] = 0x80;
881 for (i = 1; i < padding_len; i++) {
882 output[data_len + i] = 0x00;
883 }
884 }
885
get_one_and_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)886 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
887 size_t *data_len)
888 {
889 if (NULL == input || NULL == data_len) {
890 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
891 }
892
893 mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;
894 mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;
895
896 *data_len = 0;
897
898 for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
899 mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);
900
901 mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
902
903 *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
904
905 bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
906
907 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
908 }
909
910 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
911 }
912 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
913
914 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
915 /*
916 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
917 */
add_zeros_and_len_padding(unsigned char * output,size_t output_len,size_t data_len)918 static void add_zeros_and_len_padding(unsigned char *output,
919 size_t output_len, size_t data_len)
920 {
921 size_t padding_len = output_len - data_len;
922 unsigned char i = 0;
923
924 for (i = 1; i < padding_len; i++) {
925 output[data_len + i - 1] = 0x00;
926 }
927 output[output_len - 1] = (unsigned char) padding_len;
928 }
929
get_zeros_and_len_padding(unsigned char * input,size_t input_len,size_t * data_len)930 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
931 size_t *data_len)
932 {
933 size_t i, pad_idx;
934 unsigned char padding_len;
935 mbedtls_ct_condition_t bad;
936
937 if (NULL == input || NULL == data_len) {
938 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
939 }
940
941 padding_len = input[input_len - 1];
942 *data_len = input_len - padding_len;
943
944 /* Avoid logical || since it results in a branch */
945 bad = mbedtls_ct_uint_gt(padding_len, input_len);
946 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
947
948 /* The number of bytes checked must be independent of padding_len */
949 pad_idx = input_len - padding_len;
950 for (i = 0; i < input_len - 1; i++) {
951 mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
952 mbedtls_ct_condition_t nonzero_pad_byte;
953 nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
954 bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
955 }
956
957 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
958 }
959 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
960
961 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
962 /*
963 * Zero padding: fill with 00 ... 00
964 */
add_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)965 static void add_zeros_padding(unsigned char *output,
966 size_t output_len, size_t data_len)
967 {
968 memset(output + data_len, 0, output_len - data_len);
969 }
970
get_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)971 static int get_zeros_padding(unsigned char *input, size_t input_len,
972 size_t *data_len)
973 {
974 size_t i;
975 mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;
976
977 if (NULL == input || NULL == data_len) {
978 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
979 }
980
981 *data_len = 0;
982 for (i = input_len; i > 0; i--) {
983 prev_done = done;
984 done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));
985 *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
986 }
987
988 return 0;
989 }
990 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
991
992 /*
993 * No padding: don't pad :)
994 *
995 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
996 * but a trivial get_padding function
997 */
get_no_padding(unsigned char * input,size_t input_len,size_t * data_len)998 static int get_no_padding(unsigned char *input, size_t input_len,
999 size_t *data_len)
1000 {
1001 if (NULL == input || NULL == data_len) {
1002 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1003 }
1004
1005 *data_len = input_len;
1006
1007 return 0;
1008 }
1009 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1010
mbedtls_cipher_finish(mbedtls_cipher_context_t * ctx,unsigned char * output,size_t * olen)1011 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
1012 unsigned char *output, size_t *olen)
1013 {
1014 if (ctx->cipher_info == NULL) {
1015 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1016 }
1017
1018 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1019 if (ctx->psa_enabled == 1) {
1020 /* While PSA Crypto has an API for multipart
1021 * operations, we currently don't make it
1022 * accessible through the cipher layer. */
1023 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1024 }
1025 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1026
1027 *olen = 0;
1028
1029 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
1030 /* CBC mode requires padding so we make sure a call to
1031 * mbedtls_cipher_set_padding_mode has been done successfully. */
1032 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1033 if (ctx->get_padding == NULL) {
1034 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1035 }
1036 }
1037 #endif
1038
1039 if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1040 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1041 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1042 MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1043 MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1044 MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1045 MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1046 return 0;
1047 }
1048
1049 if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) ||
1050 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) {
1051 return 0;
1052 }
1053
1054 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1055 if (ctx->unprocessed_len != 0) {
1056 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1057 }
1058
1059 return 0;
1060 }
1061
1062 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1063 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1064 int ret = 0;
1065
1066 if (MBEDTLS_ENCRYPT == ctx->operation) {
1067 /* check for 'no padding' mode */
1068 if (NULL == ctx->add_padding) {
1069 if (0 != ctx->unprocessed_len) {
1070 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1071 }
1072
1073 return 0;
1074 }
1075
1076 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),
1077 ctx->unprocessed_len);
1078 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {
1079 /*
1080 * For decrypt operations, expect a full block,
1081 * or an empty block if no padding
1082 */
1083 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {
1084 return 0;
1085 }
1086
1087 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
1088 }
1089
1090 /* cipher block */
1091 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
1092 ctx->operation,
1093 mbedtls_cipher_get_block_size(
1094 ctx),
1095 ctx->iv,
1096 ctx->unprocessed_data,
1097 output))) {
1098 return ret;
1099 }
1100
1101 /* Set output size for decryption */
1102 if (MBEDTLS_DECRYPT == ctx->operation) {
1103 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
1104 olen);
1105 }
1106
1107 /* Set output size for encryption */
1108 *olen = mbedtls_cipher_get_block_size(ctx);
1109 return 0;
1110 }
1111 #else
1112 ((void) output);
1113 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1114
1115 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1116 }
1117
1118 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t * ctx,mbedtls_cipher_padding_t mode)1119 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
1120 mbedtls_cipher_padding_t mode)
1121 {
1122 if (NULL == ctx->cipher_info ||
1123 MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1124 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1125 }
1126
1127 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1128 if (ctx->psa_enabled == 1) {
1129 /* While PSA Crypto knows about CBC padding
1130 * schemes, we currently don't make them
1131 * accessible through the cipher layer. */
1132 if (mode != MBEDTLS_PADDING_NONE) {
1133 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1134 }
1135
1136 return 0;
1137 }
1138 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1139
1140 switch (mode) {
1141 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1142 case MBEDTLS_PADDING_PKCS7:
1143 ctx->add_padding = add_pkcs_padding;
1144 ctx->get_padding = get_pkcs_padding;
1145 break;
1146 #endif
1147 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1148 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1149 ctx->add_padding = add_one_and_zeros_padding;
1150 ctx->get_padding = get_one_and_zeros_padding;
1151 break;
1152 #endif
1153 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1154 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1155 ctx->add_padding = add_zeros_and_len_padding;
1156 ctx->get_padding = get_zeros_and_len_padding;
1157 break;
1158 #endif
1159 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1160 case MBEDTLS_PADDING_ZEROS:
1161 ctx->add_padding = add_zeros_padding;
1162 ctx->get_padding = get_zeros_padding;
1163 break;
1164 #endif
1165 case MBEDTLS_PADDING_NONE:
1166 ctx->add_padding = NULL;
1167 ctx->get_padding = get_no_padding;
1168 break;
1169
1170 default:
1171 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1172 }
1173
1174 return 0;
1175 }
1176 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1177
1178 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_write_tag(mbedtls_cipher_context_t * ctx,unsigned char * tag,size_t tag_len)1179 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
1180 unsigned char *tag, size_t tag_len)
1181 {
1182 if (ctx->cipher_info == NULL) {
1183 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1184 }
1185
1186 if (MBEDTLS_ENCRYPT != ctx->operation) {
1187 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1188 }
1189
1190 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1191 if (ctx->psa_enabled == 1) {
1192 /* While PSA Crypto has an API for multipart
1193 * operations, we currently don't make it
1194 * accessible through the cipher layer. */
1195 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1196 }
1197 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1198
1199 #if defined(MBEDTLS_GCM_C)
1200 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1201 size_t output_length;
1202 /* The code here doesn't yet support alternative implementations
1203 * that can delay up to a block of output. */
1204 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
1205 NULL, 0, &output_length,
1206 tag, tag_len);
1207 }
1208 #endif
1209
1210 #if defined(MBEDTLS_CHACHAPOLY_C)
1211 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1212 /* Don't allow truncated MAC for Poly1305 */
1213 if (tag_len != 16U) {
1214 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1215 }
1216
1217 return mbedtls_chachapoly_finish(
1218 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);
1219 }
1220 #endif
1221
1222 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1223 }
1224
mbedtls_cipher_check_tag(mbedtls_cipher_context_t * ctx,const unsigned char * tag,size_t tag_len)1225 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
1226 const unsigned char *tag, size_t tag_len)
1227 {
1228 unsigned char check_tag[16];
1229 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1230
1231 if (ctx->cipher_info == NULL) {
1232 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1233 }
1234
1235 if (MBEDTLS_DECRYPT != ctx->operation) {
1236 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1237 }
1238
1239 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1240 if (ctx->psa_enabled == 1) {
1241 /* While PSA Crypto has an API for multipart
1242 * operations, we currently don't make it
1243 * accessible through the cipher layer. */
1244 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1245 }
1246 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1247
1248 /* Status to return on a non-authenticated algorithm. */
1249 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1250
1251 #if defined(MBEDTLS_GCM_C)
1252 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1253 size_t output_length;
1254 /* The code here doesn't yet support alternative implementations
1255 * that can delay up to a block of output. */
1256
1257 if (tag_len > sizeof(check_tag)) {
1258 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1259 }
1260
1261 if (0 != (ret = mbedtls_gcm_finish(
1262 (mbedtls_gcm_context *) ctx->cipher_ctx,
1263 NULL, 0, &output_length,
1264 check_tag, tag_len))) {
1265 return ret;
1266 }
1267
1268 /* Check the tag in "constant-time" */
1269 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1270 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1271 goto exit;
1272 }
1273 }
1274 #endif /* MBEDTLS_GCM_C */
1275
1276 #if defined(MBEDTLS_CHACHAPOLY_C)
1277 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1278 /* Don't allow truncated MAC for Poly1305 */
1279 if (tag_len != sizeof(check_tag)) {
1280 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1281 }
1282
1283 ret = mbedtls_chachapoly_finish(
1284 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
1285 if (ret != 0) {
1286 return ret;
1287 }
1288
1289 /* Check the tag in "constant-time" */
1290 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1291 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1292 goto exit;
1293 }
1294 }
1295 #endif /* MBEDTLS_CHACHAPOLY_C */
1296
1297 exit:
1298 mbedtls_platform_zeroize(check_tag, tag_len);
1299 return ret;
1300 }
1301 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1302
1303 /*
1304 * Packet-oriented wrapper for non-AEAD modes
1305 */
mbedtls_cipher_crypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)1306 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
1307 const unsigned char *iv, size_t iv_len,
1308 const unsigned char *input, size_t ilen,
1309 unsigned char *output, size_t *olen)
1310 {
1311 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1312 size_t finish_olen;
1313
1314 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1315 if (ctx->psa_enabled == 1) {
1316 /* As in the non-PSA case, we don't check that
1317 * a key has been set. If not, the key slot will
1318 * still be in its default state of 0, which is
1319 * guaranteed to be invalid, hence the PSA-call
1320 * below will gracefully fail. */
1321 mbedtls_cipher_context_psa * const cipher_psa =
1322 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1323
1324 psa_status_t status;
1325 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1326 size_t part_len;
1327
1328 if (ctx->operation == MBEDTLS_DECRYPT) {
1329 status = psa_cipher_decrypt_setup(&cipher_op,
1330 cipher_psa->slot,
1331 cipher_psa->alg);
1332 } else if (ctx->operation == MBEDTLS_ENCRYPT) {
1333 status = psa_cipher_encrypt_setup(&cipher_op,
1334 cipher_psa->slot,
1335 cipher_psa->alg);
1336 } else {
1337 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1338 }
1339
1340 /* In the following, we can immediately return on an error,
1341 * because the PSA Crypto API guarantees that cipher operations
1342 * are terminated by unsuccessful calls to psa_cipher_update(),
1343 * and by any call to psa_cipher_finish(). */
1344 if (status != PSA_SUCCESS) {
1345 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1346 }
1347
1348 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) {
1349 status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
1350 if (status != PSA_SUCCESS) {
1351 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1352 }
1353 }
1354
1355 status = psa_cipher_update(&cipher_op,
1356 input, ilen,
1357 output, ilen, olen);
1358 if (status != PSA_SUCCESS) {
1359 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1360 }
1361
1362 status = psa_cipher_finish(&cipher_op,
1363 output + *olen, ilen - *olen,
1364 &part_len);
1365 if (status != PSA_SUCCESS) {
1366 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1367 }
1368
1369 *olen += part_len;
1370 return 0;
1371 }
1372 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1373
1374 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
1375 return ret;
1376 }
1377
1378 if ((ret = mbedtls_cipher_reset(ctx)) != 0) {
1379 return ret;
1380 }
1381
1382 if ((ret = mbedtls_cipher_update(ctx, input, ilen,
1383 output, olen)) != 0) {
1384 return ret;
1385 }
1386
1387 if ((ret = mbedtls_cipher_finish(ctx, output + *olen,
1388 &finish_olen)) != 0) {
1389 return ret;
1390 }
1391
1392 *olen += finish_olen;
1393
1394 return 0;
1395 }
1396
1397 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1398 /*
1399 * Packet-oriented encryption for AEAD modes: internal function used by
1400 * mbedtls_cipher_auth_encrypt_ext().
1401 */
mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1402 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
1403 const unsigned char *iv, size_t iv_len,
1404 const unsigned char *ad, size_t ad_len,
1405 const unsigned char *input, size_t ilen,
1406 unsigned char *output, size_t *olen,
1407 unsigned char *tag, size_t tag_len)
1408 {
1409 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1410 if (ctx->psa_enabled == 1) {
1411 /* As in the non-PSA case, we don't check that
1412 * a key has been set. If not, the key slot will
1413 * still be in its default state of 0, which is
1414 * guaranteed to be invalid, hence the PSA-call
1415 * below will gracefully fail. */
1416 mbedtls_cipher_context_psa * const cipher_psa =
1417 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1418
1419 psa_status_t status;
1420
1421 /* PSA Crypto API always writes the authentication tag
1422 * at the end of the encrypted message. */
1423 if (output == NULL || tag != output + ilen) {
1424 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1425 }
1426
1427 status = psa_aead_encrypt(cipher_psa->slot,
1428 cipher_psa->alg,
1429 iv, iv_len,
1430 ad, ad_len,
1431 input, ilen,
1432 output, ilen + tag_len, olen);
1433 if (status != PSA_SUCCESS) {
1434 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1435 }
1436
1437 *olen -= tag_len;
1438 return 0;
1439 }
1440 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1441
1442 #if defined(MBEDTLS_GCM_C)
1443 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1444 *olen = ilen;
1445 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1446 ilen, iv, iv_len, ad, ad_len,
1447 input, output, tag_len, tag);
1448 }
1449 #endif /* MBEDTLS_GCM_C */
1450 #if defined(MBEDTLS_CCM_C)
1451 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1452 *olen = ilen;
1453 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
1454 iv, iv_len, ad, ad_len, input, output,
1455 tag, tag_len);
1456 }
1457 #endif /* MBEDTLS_CCM_C */
1458 #if defined(MBEDTLS_CHACHAPOLY_C)
1459 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1460 /* ChachaPoly has fixed length nonce and MAC (tag) */
1461 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
1462 (tag_len != 16U)) {
1463 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1464 }
1465
1466 *olen = ilen;
1467 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,
1468 ilen, iv, ad, ad_len, input, output, tag);
1469 }
1470 #endif /* MBEDTLS_CHACHAPOLY_C */
1471
1472 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1473 }
1474
1475 /*
1476 * Packet-oriented encryption for AEAD modes: internal function used by
1477 * mbedtls_cipher_auth_encrypt_ext().
1478 */
mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1479 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
1480 const unsigned char *iv, size_t iv_len,
1481 const unsigned char *ad, size_t ad_len,
1482 const unsigned char *input, size_t ilen,
1483 unsigned char *output, size_t *olen,
1484 const unsigned char *tag, size_t tag_len)
1485 {
1486 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1487 if (ctx->psa_enabled == 1) {
1488 /* As in the non-PSA case, we don't check that
1489 * a key has been set. If not, the key slot will
1490 * still be in its default state of 0, which is
1491 * guaranteed to be invalid, hence the PSA-call
1492 * below will gracefully fail. */
1493 mbedtls_cipher_context_psa * const cipher_psa =
1494 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1495
1496 psa_status_t status;
1497
1498 /* PSA Crypto API always writes the authentication tag
1499 * at the end of the encrypted message. */
1500 if (input == NULL || tag != input + ilen) {
1501 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1502 }
1503
1504 status = psa_aead_decrypt(cipher_psa->slot,
1505 cipher_psa->alg,
1506 iv, iv_len,
1507 ad, ad_len,
1508 input, ilen + tag_len,
1509 output, ilen, olen);
1510 if (status == PSA_ERROR_INVALID_SIGNATURE) {
1511 return MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1512 } else if (status != PSA_SUCCESS) {
1513 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
1514 }
1515
1516 return 0;
1517 }
1518 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1519
1520 #if defined(MBEDTLS_GCM_C)
1521 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1523
1524 *olen = ilen;
1525 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
1526 iv, iv_len, ad, ad_len,
1527 tag, tag_len, input, output);
1528
1529 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
1530 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1531 }
1532
1533 return ret;
1534 }
1535 #endif /* MBEDTLS_GCM_C */
1536 #if defined(MBEDTLS_CCM_C)
1537 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1538 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1539
1540 *olen = ilen;
1541 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
1542 iv, iv_len, ad, ad_len,
1543 input, output, tag, tag_len);
1544
1545 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
1546 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1547 }
1548
1549 return ret;
1550 }
1551 #endif /* MBEDTLS_CCM_C */
1552 #if defined(MBEDTLS_CHACHAPOLY_C)
1553 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1554 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1555
1556 /* ChachaPoly has fixed length nonce and MAC (tag) */
1557 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
1558 (tag_len != 16U)) {
1559 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1560 }
1561
1562 *olen = ilen;
1563 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,
1564 iv, ad, ad_len, tag, input, output);
1565
1566 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {
1567 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1568 }
1569
1570 return ret;
1571 }
1572 #endif /* MBEDTLS_CHACHAPOLY_C */
1573
1574 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1575 }
1576 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1577
1578 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1579 /*
1580 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1581 */
mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1582 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
1583 const unsigned char *iv, size_t iv_len,
1584 const unsigned char *ad, size_t ad_len,
1585 const unsigned char *input, size_t ilen,
1586 unsigned char *output, size_t output_len,
1587 size_t *olen, size_t tag_len)
1588 {
1589 #if defined(MBEDTLS_NIST_KW_C)
1590 if (
1591 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1592 ctx->psa_enabled == 0 &&
1593 #endif
1594 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1595 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
1596 mbedtls_nist_kw_mode_t mode =
1597 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
1598 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1599
1600 /* There is no iv, tag or ad associated with KW and KWP,
1601 * so these length should be 0 as documented. */
1602 if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1603 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1604 }
1605
1606 (void) iv;
1607 (void) ad;
1608
1609 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
1610 output, olen, output_len);
1611 }
1612 #endif /* MBEDTLS_NIST_KW_C */
1613
1614 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1615 /* AEAD case: check length before passing on to shared function */
1616 if (output_len < ilen + tag_len) {
1617 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1618 }
1619
1620 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
1621 input, ilen, output, olen,
1622 output + ilen, tag_len);
1623 *olen += tag_len;
1624 return ret;
1625 #else
1626 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1627 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1628 }
1629
1630 /*
1631 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1632 */
mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1633 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
1634 const unsigned char *iv, size_t iv_len,
1635 const unsigned char *ad, size_t ad_len,
1636 const unsigned char *input, size_t ilen,
1637 unsigned char *output, size_t output_len,
1638 size_t *olen, size_t tag_len)
1639 {
1640 #if defined(MBEDTLS_NIST_KW_C)
1641 if (
1642 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1643 ctx->psa_enabled == 0 &&
1644 #endif
1645 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1646 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
1647 mbedtls_nist_kw_mode_t mode =
1648 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
1649 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1650
1651 /* There is no iv, tag or ad associated with KW and KWP,
1652 * so these length should be 0 as documented. */
1653 if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1654 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1655 }
1656
1657 (void) iv;
1658 (void) ad;
1659
1660 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
1661 output, olen, output_len);
1662 }
1663 #endif /* MBEDTLS_NIST_KW_C */
1664
1665 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1666 /* AEAD case: check length before passing on to shared function */
1667 if (ilen < tag_len || output_len < ilen - tag_len) {
1668 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1669 }
1670
1671 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
1672 input, ilen - tag_len, output, olen,
1673 input + ilen - tag_len, tag_len);
1674 #else
1675 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1676 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1677 }
1678 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1679
1680 #endif /* MBEDTLS_CIPHER_C */
1681
