1 /*
2 * PSA AEAD entry points
3 */
4 /*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_PSA_CRYPTO_C)
24
25 #include "psa_crypto_aead.h"
26 #include "psa_crypto_core.h"
27
28 #include <string.h>
29 #include "mbedtls/platform.h"
30 #if !defined(MBEDTLS_PLATFORM_C)
31 #define mbedtls_calloc calloc
32 #define mbedtls_free free
33 #endif
34
35 #include "mbedtls/ccm.h"
36 #include "mbedtls/chachapoly.h"
37 #include "mbedtls/cipher.h"
38 #include "mbedtls/gcm.h"
39 #include "mbedtls/error.h"
40
psa_aead_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)41 static psa_status_t psa_aead_setup(
42 mbedtls_psa_aead_operation_t *operation,
43 const psa_key_attributes_t *attributes,
44 const uint8_t *key_buffer,
45 size_t key_buffer_size,
46 psa_algorithm_t alg )
47 {
48 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
49 size_t key_bits;
50 const mbedtls_cipher_info_t *cipher_info;
51 mbedtls_cipher_id_t cipher_id;
52 size_t full_tag_length = 0;
53
54 ( void ) key_buffer_size;
55
56 key_bits = attributes->core.bits;
57
58 cipher_info = mbedtls_cipher_info_from_psa( alg,
59 attributes->core.type, key_bits,
60 &cipher_id );
61 if( cipher_info == NULL )
62 return( PSA_ERROR_NOT_SUPPORTED );
63
64 switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) )
65 {
66 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
67 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
68 operation->alg = PSA_ALG_CCM;
69 full_tag_length = 16;
70 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
71 * The call to mbedtls_ccm_encrypt_and_tag or
72 * mbedtls_ccm_auth_decrypt will validate the tag length. */
73 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
74 return( PSA_ERROR_INVALID_ARGUMENT );
75
76 mbedtls_ccm_init( &operation->ctx.ccm );
77 status = mbedtls_to_psa_error(
78 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
79 key_buffer, (unsigned int) key_bits ) );
80 if( status != PSA_SUCCESS )
81 return( status );
82 break;
83 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
84
85 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
86 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
87 operation->alg = PSA_ALG_GCM;
88 full_tag_length = 16;
89 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
90 * The call to mbedtls_gcm_crypt_and_tag or
91 * mbedtls_gcm_auth_decrypt will validate the tag length. */
92 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
93 return( PSA_ERROR_INVALID_ARGUMENT );
94
95 mbedtls_gcm_init( &operation->ctx.gcm );
96 status = mbedtls_to_psa_error(
97 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
98 key_buffer, (unsigned int) key_bits ) );
99 if( status != PSA_SUCCESS )
100 return( status );
101 break;
102 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
103
104 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
105 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
106 operation->alg = PSA_ALG_CHACHA20_POLY1305;
107 full_tag_length = 16;
108 /* We only support the default tag length. */
109 if( alg != PSA_ALG_CHACHA20_POLY1305 )
110 return( PSA_ERROR_NOT_SUPPORTED );
111
112 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
113 status = mbedtls_to_psa_error(
114 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
115 key_buffer ) );
116 if( status != PSA_SUCCESS )
117 return( status );
118 break;
119 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
120
121 default:
122 (void) status;
123 (void) key_buffer;
124 return( PSA_ERROR_NOT_SUPPORTED );
125 }
126
127 if( PSA_AEAD_TAG_LENGTH( attributes->core.type,
128 key_bits, alg )
129 > full_tag_length )
130 return( PSA_ERROR_INVALID_ARGUMENT );
131
132 operation->key_type = psa_get_key_type( attributes );
133
134 operation->tag_length = PSA_AEAD_TAG_LENGTH( operation->key_type,
135 key_bits,
136 alg );
137
138 return( PSA_SUCCESS );
139 }
140
mbedtls_psa_aead_encrypt(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * nonce,size_t nonce_length,const uint8_t * additional_data,size_t additional_data_length,const uint8_t * plaintext,size_t plaintext_length,uint8_t * ciphertext,size_t ciphertext_size,size_t * ciphertext_length)141 psa_status_t mbedtls_psa_aead_encrypt(
142 const psa_key_attributes_t *attributes,
143 const uint8_t *key_buffer, size_t key_buffer_size,
144 psa_algorithm_t alg,
145 const uint8_t *nonce, size_t nonce_length,
146 const uint8_t *additional_data, size_t additional_data_length,
147 const uint8_t *plaintext, size_t plaintext_length,
148 uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length )
149 {
150 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
151 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
152 uint8_t *tag;
153
154 status = psa_aead_setup( &operation, attributes, key_buffer,
155 key_buffer_size, alg );
156
157 if( status != PSA_SUCCESS )
158 goto exit;
159
160 /* For all currently supported modes, the tag is at the end of the
161 * ciphertext. */
162 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
163 {
164 status = PSA_ERROR_BUFFER_TOO_SMALL;
165 goto exit;
166 }
167 tag = ciphertext + plaintext_length;
168
169 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
170 if( operation.alg == PSA_ALG_CCM )
171 {
172 status = mbedtls_to_psa_error(
173 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
174 plaintext_length,
175 nonce, nonce_length,
176 additional_data,
177 additional_data_length,
178 plaintext, ciphertext,
179 tag, operation.tag_length ) );
180 }
181 else
182 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
183 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
184 if( operation.alg == PSA_ALG_GCM )
185 {
186 status = mbedtls_to_psa_error(
187 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
188 MBEDTLS_GCM_ENCRYPT,
189 plaintext_length,
190 nonce, nonce_length,
191 additional_data, additional_data_length,
192 plaintext, ciphertext,
193 operation.tag_length, tag ) );
194 }
195 else
196 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
197 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
198 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
199 {
200 if( operation.tag_length != 16 )
201 {
202 status = PSA_ERROR_NOT_SUPPORTED;
203 goto exit;
204 }
205 status = mbedtls_to_psa_error(
206 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
207 plaintext_length,
208 nonce,
209 additional_data,
210 additional_data_length,
211 plaintext,
212 ciphertext,
213 tag ) );
214 }
215 else
216 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
217 {
218 (void) tag;
219 (void) nonce;
220 (void) nonce_length;
221 (void) additional_data;
222 (void) additional_data_length;
223 (void) plaintext;
224 return( PSA_ERROR_NOT_SUPPORTED );
225 }
226
227 if( status == PSA_SUCCESS )
228 *ciphertext_length = plaintext_length + operation.tag_length;
229
230 exit:
231 mbedtls_psa_aead_abort( &operation );
232
233 return( status );
234 }
235
236 /* Locate the tag in a ciphertext buffer containing the encrypted data
237 * followed by the tag. Return the length of the part preceding the tag in
238 * *plaintext_length. This is the size of the plaintext in modes where
239 * the encrypted data has the same size as the plaintext, such as
240 * CCM and GCM. */
psa_aead_unpadded_locate_tag(size_t tag_length,const uint8_t * ciphertext,size_t ciphertext_length,size_t plaintext_size,const uint8_t ** p_tag)241 static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
242 const uint8_t *ciphertext,
243 size_t ciphertext_length,
244 size_t plaintext_size,
245 const uint8_t **p_tag )
246 {
247 size_t payload_length;
248 if( tag_length > ciphertext_length )
249 return( PSA_ERROR_INVALID_ARGUMENT );
250 payload_length = ciphertext_length - tag_length;
251 if( payload_length > plaintext_size )
252 return( PSA_ERROR_BUFFER_TOO_SMALL );
253 *p_tag = ciphertext + payload_length;
254 return( PSA_SUCCESS );
255 }
256
mbedtls_psa_aead_decrypt(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * nonce,size_t nonce_length,const uint8_t * additional_data,size_t additional_data_length,const uint8_t * ciphertext,size_t ciphertext_length,uint8_t * plaintext,size_t plaintext_size,size_t * plaintext_length)257 psa_status_t mbedtls_psa_aead_decrypt(
258 const psa_key_attributes_t *attributes,
259 const uint8_t *key_buffer, size_t key_buffer_size,
260 psa_algorithm_t alg,
261 const uint8_t *nonce, size_t nonce_length,
262 const uint8_t *additional_data, size_t additional_data_length,
263 const uint8_t *ciphertext, size_t ciphertext_length,
264 uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length )
265 {
266 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
267 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
268 const uint8_t *tag = NULL;
269
270 status = psa_aead_setup( &operation, attributes, key_buffer,
271 key_buffer_size, alg );
272
273 if( status != PSA_SUCCESS )
274 goto exit;
275
276 status = psa_aead_unpadded_locate_tag( operation.tag_length,
277 ciphertext, ciphertext_length,
278 plaintext_size, &tag );
279 if( status != PSA_SUCCESS )
280 goto exit;
281
282 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
283 if( operation.alg == PSA_ALG_CCM )
284 {
285 status = mbedtls_to_psa_error(
286 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
287 ciphertext_length - operation.tag_length,
288 nonce, nonce_length,
289 additional_data,
290 additional_data_length,
291 ciphertext, plaintext,
292 tag, operation.tag_length ) );
293 }
294 else
295 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
296 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
297 if( operation.alg == PSA_ALG_GCM )
298 {
299 status = mbedtls_to_psa_error(
300 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
301 ciphertext_length - operation.tag_length,
302 nonce, nonce_length,
303 additional_data,
304 additional_data_length,
305 tag, operation.tag_length,
306 ciphertext, plaintext ) );
307 }
308 else
309 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
310 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
311 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
312 {
313 if( operation.tag_length != 16 )
314 {
315 status = PSA_ERROR_NOT_SUPPORTED;
316 goto exit;
317 }
318 status = mbedtls_to_psa_error(
319 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
320 ciphertext_length - operation.tag_length,
321 nonce,
322 additional_data,
323 additional_data_length,
324 tag,
325 ciphertext,
326 plaintext ) );
327 }
328 else
329 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
330 {
331 (void) nonce;
332 (void) nonce_length;
333 (void) additional_data;
334 (void) additional_data_length;
335 (void) plaintext;
336 return( PSA_ERROR_NOT_SUPPORTED );
337 }
338
339 if( status == PSA_SUCCESS )
340 *plaintext_length = ciphertext_length - operation.tag_length;
341
342 exit:
343 mbedtls_psa_aead_abort( &operation );
344
345 if( status == PSA_SUCCESS )
346 *plaintext_length = ciphertext_length - operation.tag_length;
347 return( status );
348 }
349
350 /* Set the key and algorithm for a multipart authenticated encryption
351 * operation. */
mbedtls_psa_aead_encrypt_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)352 psa_status_t mbedtls_psa_aead_encrypt_setup(
353 mbedtls_psa_aead_operation_t *operation,
354 const psa_key_attributes_t *attributes,
355 const uint8_t *key_buffer,
356 size_t key_buffer_size,
357 psa_algorithm_t alg )
358 {
359 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
360
361 status = psa_aead_setup( operation, attributes, key_buffer,
362 key_buffer_size, alg );
363
364 if( status == PSA_SUCCESS )
365 operation->is_encrypt = 1;
366
367 return ( status );
368 }
369
370 /* Set the key and algorithm for a multipart authenticated decryption
371 * operation. */
mbedtls_psa_aead_decrypt_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)372 psa_status_t mbedtls_psa_aead_decrypt_setup(
373 mbedtls_psa_aead_operation_t *operation,
374 const psa_key_attributes_t *attributes,
375 const uint8_t *key_buffer,
376 size_t key_buffer_size,
377 psa_algorithm_t alg )
378 {
379 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
380
381 status = psa_aead_setup( operation, attributes, key_buffer,
382 key_buffer_size, alg );
383
384 if( status == PSA_SUCCESS )
385 operation->is_encrypt = 0;
386
387 return ( status );
388 }
389
390 /* Set a nonce for the multipart AEAD operation*/
mbedtls_psa_aead_set_nonce(mbedtls_psa_aead_operation_t * operation,const uint8_t * nonce,size_t nonce_length)391 psa_status_t mbedtls_psa_aead_set_nonce(
392 mbedtls_psa_aead_operation_t *operation,
393 const uint8_t *nonce,
394 size_t nonce_length )
395 {
396 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
397
398 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
399 if( operation->alg == PSA_ALG_GCM )
400 {
401 status = mbedtls_to_psa_error(
402 mbedtls_gcm_starts( &operation->ctx.gcm,
403 operation->is_encrypt ?
404 MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
405 nonce,
406 nonce_length ) );
407 }
408 else
409 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
410 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
411 if( operation->alg == PSA_ALG_CCM )
412 {
413 status = mbedtls_to_psa_error(
414 mbedtls_ccm_starts( &operation->ctx.ccm,
415 operation->is_encrypt ?
416 MBEDTLS_CCM_ENCRYPT : MBEDTLS_CCM_DECRYPT,
417 nonce,
418 nonce_length ) );
419 }
420 else
421 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
422 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
423 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
424 {
425 /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
426 * allocate a buffer in the operation, copy the nonce to it and pad
427 * it, so for now check the nonce is 12 bytes, as
428 * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
429 * passed in buffer. */
430 if( nonce_length != 12 )
431 {
432 return( PSA_ERROR_INVALID_ARGUMENT );
433 }
434
435 status = mbedtls_to_psa_error(
436 mbedtls_chachapoly_starts( &operation->ctx.chachapoly,
437 nonce,
438 operation->is_encrypt ?
439 MBEDTLS_CHACHAPOLY_ENCRYPT :
440 MBEDTLS_CHACHAPOLY_DECRYPT ) );
441 }
442 else
443 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
444 {
445 ( void ) operation;
446 ( void ) nonce;
447 ( void ) nonce_length;
448
449 return ( PSA_ERROR_NOT_SUPPORTED );
450 }
451
452 return( status );
453 }
454
455 /* Declare the lengths of the message and additional data for AEAD. */
mbedtls_psa_aead_set_lengths(mbedtls_psa_aead_operation_t * operation,size_t ad_length,size_t plaintext_length)456 psa_status_t mbedtls_psa_aead_set_lengths(
457 mbedtls_psa_aead_operation_t *operation,
458 size_t ad_length,
459 size_t plaintext_length )
460 {
461 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
462 if( operation->alg == PSA_ALG_CCM )
463 {
464 return( mbedtls_to_psa_error(
465 mbedtls_ccm_set_lengths( &operation->ctx.ccm,
466 ad_length,
467 plaintext_length,
468 operation->tag_length ) ) );
469
470 }
471 #else /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
472 ( void ) operation;
473 ( void ) ad_length;
474 ( void ) plaintext_length;
475 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
476
477 return ( PSA_SUCCESS );
478 }
479
480 /* Pass additional data to an active multipart AEAD operation. */
mbedtls_psa_aead_update_ad(mbedtls_psa_aead_operation_t * operation,const uint8_t * input,size_t input_length)481 psa_status_t mbedtls_psa_aead_update_ad(
482 mbedtls_psa_aead_operation_t *operation,
483 const uint8_t *input,
484 size_t input_length )
485 {
486 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
487
488 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
489 if( operation->alg == PSA_ALG_GCM )
490 {
491 status = mbedtls_to_psa_error(
492 mbedtls_gcm_update_ad( &operation->ctx.gcm, input, input_length ) );
493 }
494 else
495 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
496 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
497 if( operation->alg == PSA_ALG_CCM )
498 {
499 status = mbedtls_to_psa_error(
500 mbedtls_ccm_update_ad( &operation->ctx.ccm, input, input_length ) );
501 }
502 else
503 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
504 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
505 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
506 {
507 status = mbedtls_to_psa_error(
508 mbedtls_chachapoly_update_aad( &operation->ctx.chachapoly,
509 input,
510 input_length ) );
511 }
512 else
513 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
514 {
515 ( void ) operation;
516 ( void ) input;
517 ( void ) input_length;
518
519 return ( PSA_ERROR_NOT_SUPPORTED );
520 }
521
522 return ( status );
523 }
524
525 /* Encrypt or decrypt a message fragment in an active multipart AEAD
526 * operation.*/
mbedtls_psa_aead_update(mbedtls_psa_aead_operation_t * operation,const uint8_t * input,size_t input_length,uint8_t * output,size_t output_size,size_t * output_length)527 psa_status_t mbedtls_psa_aead_update(
528 mbedtls_psa_aead_operation_t *operation,
529 const uint8_t *input,
530 size_t input_length,
531 uint8_t *output,
532 size_t output_size,
533 size_t *output_length )
534 {
535 size_t update_output_length;
536 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
537
538 update_output_length = input_length;
539
540 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
541 if( operation->alg == PSA_ALG_GCM )
542 {
543 status = mbedtls_to_psa_error(
544 mbedtls_gcm_update( &operation->ctx.gcm,
545 input, input_length,
546 output, output_size,
547 &update_output_length ) );
548 }
549 else
550 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
551 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
552 if( operation->alg == PSA_ALG_CCM )
553 {
554 if( output_size < input_length )
555 return( PSA_ERROR_BUFFER_TOO_SMALL );
556
557 status = mbedtls_to_psa_error(
558 mbedtls_ccm_update( &operation->ctx.ccm,
559 input, input_length,
560 output, output_size,
561 &update_output_length ) );
562 }
563 else
564 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
565 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
566 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
567 {
568 if( output_size < input_length )
569 return( PSA_ERROR_BUFFER_TOO_SMALL );
570
571 status = mbedtls_to_psa_error(
572 mbedtls_chachapoly_update( &operation->ctx.chachapoly,
573 input_length,
574 input,
575 output ) );
576 }
577 else
578 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
579 {
580 ( void ) operation;
581 ( void ) input;
582 ( void ) output;
583 ( void ) output_size;
584
585 return ( PSA_ERROR_NOT_SUPPORTED );
586 }
587
588 if( status == PSA_SUCCESS )
589 *output_length = update_output_length;
590
591 return( status );
592 }
593
594 /* Finish encrypting a message in a multipart AEAD operation. */
mbedtls_psa_aead_finish(mbedtls_psa_aead_operation_t * operation,uint8_t * ciphertext,size_t ciphertext_size,size_t * ciphertext_length,uint8_t * tag,size_t tag_size,size_t * tag_length)595 psa_status_t mbedtls_psa_aead_finish(
596 mbedtls_psa_aead_operation_t *operation,
597 uint8_t *ciphertext,
598 size_t ciphertext_size,
599 size_t *ciphertext_length,
600 uint8_t *tag,
601 size_t tag_size,
602 size_t *tag_length )
603 {
604 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
605 size_t finish_output_size = 0;
606
607 if( tag_size < operation->tag_length )
608 return( PSA_ERROR_BUFFER_TOO_SMALL );
609
610 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
611 if( operation->alg == PSA_ALG_GCM )
612 {
613 status = mbedtls_to_psa_error(
614 mbedtls_gcm_finish( &operation->ctx.gcm,
615 ciphertext, ciphertext_size, ciphertext_length,
616 tag, operation->tag_length ) );
617 }
618 else
619 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
620 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
621 if( operation->alg == PSA_ALG_CCM )
622 {
623 /* tag must be big enough to store a tag of size passed into set
624 * lengths. */
625 if( tag_size < operation->tag_length )
626 return( PSA_ERROR_BUFFER_TOO_SMALL );
627
628 status = mbedtls_to_psa_error(
629 mbedtls_ccm_finish( &operation->ctx.ccm,
630 tag, operation->tag_length ) );
631 }
632 else
633 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
634 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
635 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
636 {
637 /* Belt and braces. Although the above tag_size check should have
638 * already done this, if we later start supporting smaller tag sizes
639 * for chachapoly, then passing a tag buffer smaller than 16 into here
640 * could cause a buffer overflow, so better safe than sorry. */
641 if( tag_size < 16 )
642 return( PSA_ERROR_BUFFER_TOO_SMALL );
643
644 status = mbedtls_to_psa_error(
645 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
646 tag ) );
647 }
648 else
649 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
650 {
651 ( void ) ciphertext;
652 ( void ) ciphertext_size;
653 ( void ) ciphertext_length;
654 ( void ) tag;
655 ( void ) tag_size;
656 ( void ) tag_length;
657
658 return ( PSA_ERROR_NOT_SUPPORTED );
659 }
660
661 if( status == PSA_SUCCESS )
662 {
663 /* This will be zero for all supported algorithms currently, but left
664 * here for future support. */
665 *ciphertext_length = finish_output_size;
666 *tag_length = operation->tag_length;
667 }
668
669 return ( status );
670 }
671
672 /* Abort an AEAD operation */
mbedtls_psa_aead_abort(mbedtls_psa_aead_operation_t * operation)673 psa_status_t mbedtls_psa_aead_abort(
674 mbedtls_psa_aead_operation_t *operation )
675 {
676 switch( operation->alg )
677 {
678 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
679 case PSA_ALG_CCM:
680 mbedtls_ccm_free( &operation->ctx.ccm );
681 break;
682 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
683 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
684 case PSA_ALG_GCM:
685 mbedtls_gcm_free( &operation->ctx.gcm );
686 break;
687 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
688 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
689 case PSA_ALG_CHACHA20_POLY1305:
690 mbedtls_chachapoly_free( &operation->ctx.chachapoly );
691 break;
692 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
693 }
694
695 operation->is_encrypt = 0;
696
697 return( PSA_SUCCESS );
698 }
699
700 #endif /* MBEDTLS_PSA_CRYPTO_C */
701
702