• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  PSA AEAD entry points
3  */
4 /*
5  *  Copyright The Mbed TLS Contributors
6  *  SPDX-License-Identifier: Apache-2.0
7  *
8  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
9  *  not use this file except in compliance with the License.
10  *  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  *  Unless required by applicable law or agreed to in writing, software
15  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17  *  See the License for the specific language governing permissions and
18  *  limitations under the License.
19  */
20 
21 #include "common.h"
22 
23 #if defined(MBEDTLS_PSA_CRYPTO_C)
24 
25 #include "psa_crypto_aead.h"
26 #include "psa_crypto_core.h"
27 #include "psa_crypto_cipher.h"
28 
29 #include <string.h>
30 #include "mbedtls/platform.h"
31 
32 #include "mbedtls/ccm.h"
33 #include "mbedtls/chachapoly.h"
34 #include "mbedtls/cipher.h"
35 #include "mbedtls/gcm.h"
36 #include "mbedtls/error.h"
37 
psa_aead_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)38 static psa_status_t psa_aead_setup(
39     mbedtls_psa_aead_operation_t *operation,
40     const psa_key_attributes_t *attributes,
41     const uint8_t *key_buffer,
42     size_t key_buffer_size,
43     psa_algorithm_t alg)
44 {
45     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
46     size_t key_bits;
47     const mbedtls_cipher_info_t *cipher_info;
48     mbedtls_cipher_id_t cipher_id;
49 
50     (void) key_buffer_size;
51 
52     key_bits = attributes->core.bits;
53 
54     cipher_info = mbedtls_cipher_info_from_psa(alg,
55                                                attributes->core.type, key_bits,
56                                                &cipher_id);
57     if (cipher_info == NULL) {
58         return PSA_ERROR_NOT_SUPPORTED;
59     }
60 
61     switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
62 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
63         case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
64             operation->alg = PSA_ALG_CCM;
65             /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
66              * The call to mbedtls_ccm_encrypt_and_tag or
67              * mbedtls_ccm_auth_decrypt will validate the tag length. */
68             if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->core.type) != 16) {
69                 return PSA_ERROR_INVALID_ARGUMENT;
70             }
71 
72             mbedtls_ccm_init(&operation->ctx.ccm);
73             status = mbedtls_to_psa_error(
74                 mbedtls_ccm_setkey(&operation->ctx.ccm, cipher_id,
75                                    key_buffer, (unsigned int) key_bits));
76             if (status != PSA_SUCCESS) {
77                 return status;
78             }
79             break;
80 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
81 
82 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
83         case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
84             operation->alg = PSA_ALG_GCM;
85             /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
86              * The call to mbedtls_gcm_crypt_and_tag or
87              * mbedtls_gcm_auth_decrypt will validate the tag length. */
88             if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->core.type) != 16) {
89                 return PSA_ERROR_INVALID_ARGUMENT;
90             }
91 
92             mbedtls_gcm_init(&operation->ctx.gcm);
93             status = mbedtls_to_psa_error(
94                 mbedtls_gcm_setkey(&operation->ctx.gcm, cipher_id,
95                                    key_buffer, (unsigned int) key_bits));
96             if (status != PSA_SUCCESS) {
97                 return status;
98             }
99             break;
100 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
101 
102 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
103         case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
104             operation->alg = PSA_ALG_CHACHA20_POLY1305;
105             /* We only support the default tag length. */
106             if (alg != PSA_ALG_CHACHA20_POLY1305) {
107                 return PSA_ERROR_NOT_SUPPORTED;
108             }
109 
110             mbedtls_chachapoly_init(&operation->ctx.chachapoly);
111             status = mbedtls_to_psa_error(
112                 mbedtls_chachapoly_setkey(&operation->ctx.chachapoly,
113                                           key_buffer));
114             if (status != PSA_SUCCESS) {
115                 return status;
116             }
117             break;
118 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
119 
120         default:
121             (void) status;
122             (void) key_buffer;
123             return PSA_ERROR_NOT_SUPPORTED;
124     }
125 
126     operation->key_type = psa_get_key_type(attributes);
127 
128     operation->tag_length = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
129 
130     return PSA_SUCCESS;
131 }
132 
mbedtls_psa_aead_encrypt(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * nonce,size_t nonce_length,const uint8_t * additional_data,size_t additional_data_length,const uint8_t * plaintext,size_t plaintext_length,uint8_t * ciphertext,size_t ciphertext_size,size_t * ciphertext_length)133 psa_status_t mbedtls_psa_aead_encrypt(
134     const psa_key_attributes_t *attributes,
135     const uint8_t *key_buffer, size_t key_buffer_size,
136     psa_algorithm_t alg,
137     const uint8_t *nonce, size_t nonce_length,
138     const uint8_t *additional_data, size_t additional_data_length,
139     const uint8_t *plaintext, size_t plaintext_length,
140     uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length)
141 {
142     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
143     mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
144     uint8_t *tag;
145 
146     status = psa_aead_setup(&operation, attributes, key_buffer,
147                             key_buffer_size, alg);
148 
149     if (status != PSA_SUCCESS) {
150         goto exit;
151     }
152 
153     /* For all currently supported modes, the tag is at the end of the
154      * ciphertext. */
155     if (ciphertext_size < (plaintext_length + operation.tag_length)) {
156         status = PSA_ERROR_BUFFER_TOO_SMALL;
157         goto exit;
158     }
159     tag = ciphertext + plaintext_length;
160 
161 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
162     if (operation.alg == PSA_ALG_CCM) {
163         status = mbedtls_to_psa_error(
164             mbedtls_ccm_encrypt_and_tag(&operation.ctx.ccm,
165                                         plaintext_length,
166                                         nonce, nonce_length,
167                                         additional_data,
168                                         additional_data_length,
169                                         plaintext, ciphertext,
170                                         tag, operation.tag_length));
171     } else
172 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
173 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
174     if (operation.alg == PSA_ALG_GCM) {
175         status = mbedtls_to_psa_error(
176             mbedtls_gcm_crypt_and_tag(&operation.ctx.gcm,
177                                       MBEDTLS_GCM_ENCRYPT,
178                                       plaintext_length,
179                                       nonce, nonce_length,
180                                       additional_data, additional_data_length,
181                                       plaintext, ciphertext,
182                                       operation.tag_length, tag));
183     } else
184 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
185 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
186     if (operation.alg == PSA_ALG_CHACHA20_POLY1305) {
187         if (operation.tag_length != 16) {
188             status = PSA_ERROR_NOT_SUPPORTED;
189             goto exit;
190         }
191         status = mbedtls_to_psa_error(
192             mbedtls_chachapoly_encrypt_and_tag(&operation.ctx.chachapoly,
193                                                plaintext_length,
194                                                nonce,
195                                                additional_data,
196                                                additional_data_length,
197                                                plaintext,
198                                                ciphertext,
199                                                tag));
200     } else
201 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
202     {
203         (void) tag;
204         (void) nonce;
205         (void) nonce_length;
206         (void) additional_data;
207         (void) additional_data_length;
208         (void) plaintext;
209         return PSA_ERROR_NOT_SUPPORTED;
210     }
211 
212     if (status == PSA_SUCCESS) {
213         *ciphertext_length = plaintext_length + operation.tag_length;
214     }
215 
216 exit:
217     mbedtls_psa_aead_abort(&operation);
218 
219     return status;
220 }
221 
222 /* Locate the tag in a ciphertext buffer containing the encrypted data
223  * followed by the tag. Return the length of the part preceding the tag in
224  * *plaintext_length. This is the size of the plaintext in modes where
225  * the encrypted data has the same size as the plaintext, such as
226  * CCM and GCM. */
psa_aead_unpadded_locate_tag(size_t tag_length,const uint8_t * ciphertext,size_t ciphertext_length,size_t plaintext_size,const uint8_t ** p_tag)227 static psa_status_t psa_aead_unpadded_locate_tag(size_t tag_length,
228                                                  const uint8_t *ciphertext,
229                                                  size_t ciphertext_length,
230                                                  size_t plaintext_size,
231                                                  const uint8_t **p_tag)
232 {
233     size_t payload_length;
234     if (tag_length > ciphertext_length) {
235         return PSA_ERROR_INVALID_ARGUMENT;
236     }
237     payload_length = ciphertext_length - tag_length;
238     if (payload_length > plaintext_size) {
239         return PSA_ERROR_BUFFER_TOO_SMALL;
240     }
241     *p_tag = ciphertext + payload_length;
242     return PSA_SUCCESS;
243 }
244 
mbedtls_psa_aead_decrypt(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * nonce,size_t nonce_length,const uint8_t * additional_data,size_t additional_data_length,const uint8_t * ciphertext,size_t ciphertext_length,uint8_t * plaintext,size_t plaintext_size,size_t * plaintext_length)245 psa_status_t mbedtls_psa_aead_decrypt(
246     const psa_key_attributes_t *attributes,
247     const uint8_t *key_buffer, size_t key_buffer_size,
248     psa_algorithm_t alg,
249     const uint8_t *nonce, size_t nonce_length,
250     const uint8_t *additional_data, size_t additional_data_length,
251     const uint8_t *ciphertext, size_t ciphertext_length,
252     uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length)
253 {
254     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
255     mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
256     const uint8_t *tag = NULL;
257 
258     status = psa_aead_setup(&operation, attributes, key_buffer,
259                             key_buffer_size, alg);
260 
261     if (status != PSA_SUCCESS) {
262         goto exit;
263     }
264 
265     status = psa_aead_unpadded_locate_tag(operation.tag_length,
266                                           ciphertext, ciphertext_length,
267                                           plaintext_size, &tag);
268     if (status != PSA_SUCCESS) {
269         goto exit;
270     }
271 
272 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
273     if (operation.alg == PSA_ALG_CCM) {
274         status = mbedtls_to_psa_error(
275             mbedtls_ccm_auth_decrypt(&operation.ctx.ccm,
276                                      ciphertext_length - operation.tag_length,
277                                      nonce, nonce_length,
278                                      additional_data,
279                                      additional_data_length,
280                                      ciphertext, plaintext,
281                                      tag, operation.tag_length));
282     } else
283 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
284 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
285     if (operation.alg == PSA_ALG_GCM) {
286         status = mbedtls_to_psa_error(
287             mbedtls_gcm_auth_decrypt(&operation.ctx.gcm,
288                                      ciphertext_length - operation.tag_length,
289                                      nonce, nonce_length,
290                                      additional_data,
291                                      additional_data_length,
292                                      tag, operation.tag_length,
293                                      ciphertext, plaintext));
294     } else
295 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
296 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
297     if (operation.alg == PSA_ALG_CHACHA20_POLY1305) {
298         if (operation.tag_length != 16) {
299             status = PSA_ERROR_NOT_SUPPORTED;
300             goto exit;
301         }
302         status = mbedtls_to_psa_error(
303             mbedtls_chachapoly_auth_decrypt(&operation.ctx.chachapoly,
304                                             ciphertext_length - operation.tag_length,
305                                             nonce,
306                                             additional_data,
307                                             additional_data_length,
308                                             tag,
309                                             ciphertext,
310                                             plaintext));
311     } else
312 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
313     {
314         (void) nonce;
315         (void) nonce_length;
316         (void) additional_data;
317         (void) additional_data_length;
318         (void) plaintext;
319         return PSA_ERROR_NOT_SUPPORTED;
320     }
321 
322     if (status == PSA_SUCCESS) {
323         *plaintext_length = ciphertext_length - operation.tag_length;
324     }
325 
326 exit:
327     mbedtls_psa_aead_abort(&operation);
328 
329     if (status == PSA_SUCCESS) {
330         *plaintext_length = ciphertext_length - operation.tag_length;
331     }
332     return status;
333 }
334 
335 /* Set the key and algorithm for a multipart authenticated encryption
336  * operation. */
mbedtls_psa_aead_encrypt_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)337 psa_status_t mbedtls_psa_aead_encrypt_setup(
338     mbedtls_psa_aead_operation_t *operation,
339     const psa_key_attributes_t *attributes,
340     const uint8_t *key_buffer,
341     size_t key_buffer_size,
342     psa_algorithm_t alg)
343 {
344     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
345 
346     status = psa_aead_setup(operation, attributes, key_buffer,
347                             key_buffer_size, alg);
348 
349     if (status == PSA_SUCCESS) {
350         operation->is_encrypt = 1;
351     }
352 
353     return status;
354 }
355 
356 /* Set the key and algorithm for a multipart authenticated decryption
357  * operation. */
mbedtls_psa_aead_decrypt_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)358 psa_status_t mbedtls_psa_aead_decrypt_setup(
359     mbedtls_psa_aead_operation_t *operation,
360     const psa_key_attributes_t *attributes,
361     const uint8_t *key_buffer,
362     size_t key_buffer_size,
363     psa_algorithm_t alg)
364 {
365     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
366 
367     status = psa_aead_setup(operation, attributes, key_buffer,
368                             key_buffer_size, alg);
369 
370     if (status == PSA_SUCCESS) {
371         operation->is_encrypt = 0;
372     }
373 
374     return status;
375 }
376 
377 /* Set a nonce for the multipart AEAD operation*/
mbedtls_psa_aead_set_nonce(mbedtls_psa_aead_operation_t * operation,const uint8_t * nonce,size_t nonce_length)378 psa_status_t mbedtls_psa_aead_set_nonce(
379     mbedtls_psa_aead_operation_t *operation,
380     const uint8_t *nonce,
381     size_t nonce_length)
382 {
383     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
384 
385 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
386     if (operation->alg == PSA_ALG_GCM) {
387         status = mbedtls_to_psa_error(
388             mbedtls_gcm_starts(&operation->ctx.gcm,
389                                operation->is_encrypt ?
390                                MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
391                                nonce,
392                                nonce_length));
393     } else
394 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
395 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
396     if (operation->alg == PSA_ALG_CCM) {
397         status = mbedtls_to_psa_error(
398             mbedtls_ccm_starts(&operation->ctx.ccm,
399                                operation->is_encrypt ?
400                                MBEDTLS_CCM_ENCRYPT : MBEDTLS_CCM_DECRYPT,
401                                nonce,
402                                nonce_length));
403     } else
404 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
405 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
406     if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
407         /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
408          * allocate a buffer in the operation, copy the nonce to it and pad
409          * it, so for now check the nonce is 12 bytes, as
410          * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
411          * passed in buffer. */
412         if (nonce_length != 12) {
413             return PSA_ERROR_INVALID_ARGUMENT;
414         }
415 
416         status = mbedtls_to_psa_error(
417             mbedtls_chachapoly_starts(&operation->ctx.chachapoly,
418                                       nonce,
419                                       operation->is_encrypt ?
420                                       MBEDTLS_CHACHAPOLY_ENCRYPT :
421                                       MBEDTLS_CHACHAPOLY_DECRYPT));
422     } else
423 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
424     {
425         (void) operation;
426         (void) nonce;
427         (void) nonce_length;
428 
429         return PSA_ERROR_NOT_SUPPORTED;
430     }
431 
432     return status;
433 }
434 
435 /* Declare the lengths of the message and additional data for AEAD. */
mbedtls_psa_aead_set_lengths(mbedtls_psa_aead_operation_t * operation,size_t ad_length,size_t plaintext_length)436 psa_status_t mbedtls_psa_aead_set_lengths(
437     mbedtls_psa_aead_operation_t *operation,
438     size_t ad_length,
439     size_t plaintext_length)
440 {
441 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
442     if (operation->alg == PSA_ALG_CCM) {
443         return mbedtls_to_psa_error(
444             mbedtls_ccm_set_lengths(&operation->ctx.ccm,
445                                     ad_length,
446                                     plaintext_length,
447                                     operation->tag_length));
448 
449     }
450 #else /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
451     (void) operation;
452     (void) ad_length;
453     (void) plaintext_length;
454 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
455 
456     return PSA_SUCCESS;
457 }
458 
459 /* Pass additional data to an active multipart AEAD operation. */
mbedtls_psa_aead_update_ad(mbedtls_psa_aead_operation_t * operation,const uint8_t * input,size_t input_length)460 psa_status_t mbedtls_psa_aead_update_ad(
461     mbedtls_psa_aead_operation_t *operation,
462     const uint8_t *input,
463     size_t input_length)
464 {
465     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
466 
467 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
468     if (operation->alg == PSA_ALG_GCM) {
469         status = mbedtls_to_psa_error(
470             mbedtls_gcm_update_ad(&operation->ctx.gcm, input, input_length));
471     } else
472 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
473 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
474     if (operation->alg == PSA_ALG_CCM) {
475         status = mbedtls_to_psa_error(
476             mbedtls_ccm_update_ad(&operation->ctx.ccm, input, input_length));
477     } else
478 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
479 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
480     if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
481         status = mbedtls_to_psa_error(
482             mbedtls_chachapoly_update_aad(&operation->ctx.chachapoly,
483                                           input,
484                                           input_length));
485     } else
486 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
487     {
488         (void) operation;
489         (void) input;
490         (void) input_length;
491 
492         return PSA_ERROR_NOT_SUPPORTED;
493     }
494 
495     return status;
496 }
497 
498 /* Encrypt or decrypt a message fragment in an active multipart AEAD
499  * operation.*/
mbedtls_psa_aead_update(mbedtls_psa_aead_operation_t * operation,const uint8_t * input,size_t input_length,uint8_t * output,size_t output_size,size_t * output_length)500 psa_status_t mbedtls_psa_aead_update(
501     mbedtls_psa_aead_operation_t *operation,
502     const uint8_t *input,
503     size_t input_length,
504     uint8_t *output,
505     size_t output_size,
506     size_t *output_length)
507 {
508     size_t update_output_length;
509     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
510 
511     update_output_length = input_length;
512 
513 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
514     if (operation->alg == PSA_ALG_GCM) {
515         status =  mbedtls_to_psa_error(
516             mbedtls_gcm_update(&operation->ctx.gcm,
517                                input, input_length,
518                                output, output_size,
519                                &update_output_length));
520     } else
521 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
522 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
523     if (operation->alg == PSA_ALG_CCM) {
524         if (output_size < input_length) {
525             return PSA_ERROR_BUFFER_TOO_SMALL;
526         }
527 
528         status = mbedtls_to_psa_error(
529             mbedtls_ccm_update(&operation->ctx.ccm,
530                                input, input_length,
531                                output, output_size,
532                                &update_output_length));
533     } else
534 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
535 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
536     if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
537         if (output_size < input_length) {
538             return PSA_ERROR_BUFFER_TOO_SMALL;
539         }
540 
541         status = mbedtls_to_psa_error(
542             mbedtls_chachapoly_update(&operation->ctx.chachapoly,
543                                       input_length,
544                                       input,
545                                       output));
546     } else
547 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
548     {
549         (void) operation;
550         (void) input;
551         (void) output;
552         (void) output_size;
553 
554         return PSA_ERROR_NOT_SUPPORTED;
555     }
556 
557     if (status == PSA_SUCCESS) {
558         *output_length = update_output_length;
559     }
560 
561     return status;
562 }
563 
564 /* Finish encrypting a message in a multipart AEAD operation. */
mbedtls_psa_aead_finish(mbedtls_psa_aead_operation_t * operation,uint8_t * ciphertext,size_t ciphertext_size,size_t * ciphertext_length,uint8_t * tag,size_t tag_size,size_t * tag_length)565 psa_status_t mbedtls_psa_aead_finish(
566     mbedtls_psa_aead_operation_t *operation,
567     uint8_t *ciphertext,
568     size_t ciphertext_size,
569     size_t *ciphertext_length,
570     uint8_t *tag,
571     size_t tag_size,
572     size_t *tag_length)
573 {
574     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
575     size_t finish_output_size = 0;
576 
577     if (tag_size < operation->tag_length) {
578         return PSA_ERROR_BUFFER_TOO_SMALL;
579     }
580 
581 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
582     if (operation->alg == PSA_ALG_GCM) {
583         status =  mbedtls_to_psa_error(
584             mbedtls_gcm_finish(&operation->ctx.gcm,
585                                ciphertext, ciphertext_size, ciphertext_length,
586                                tag, operation->tag_length));
587     } else
588 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
589 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
590     if (operation->alg == PSA_ALG_CCM) {
591         /* tag must be big enough to store a tag of size passed into set
592          * lengths. */
593         if (tag_size < operation->tag_length) {
594             return PSA_ERROR_BUFFER_TOO_SMALL;
595         }
596 
597         status = mbedtls_to_psa_error(
598             mbedtls_ccm_finish(&operation->ctx.ccm,
599                                tag, operation->tag_length));
600     } else
601 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
602 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
603     if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
604         /* Belt and braces. Although the above tag_size check should have
605          * already done this, if we later start supporting smaller tag sizes
606          * for chachapoly, then passing a tag buffer smaller than 16 into here
607          * could cause a buffer overflow, so better safe than sorry. */
608         if (tag_size < 16) {
609             return PSA_ERROR_BUFFER_TOO_SMALL;
610         }
611 
612         status = mbedtls_to_psa_error(
613             mbedtls_chachapoly_finish(&operation->ctx.chachapoly,
614                                       tag));
615     } else
616 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
617     {
618         (void) ciphertext;
619         (void) ciphertext_size;
620         (void) ciphertext_length;
621         (void) tag;
622         (void) tag_size;
623         (void) tag_length;
624 
625         return PSA_ERROR_NOT_SUPPORTED;
626     }
627 
628     if (status == PSA_SUCCESS) {
629         /* This will be zero for all supported algorithms currently, but left
630          * here for future support. */
631         *ciphertext_length = finish_output_size;
632         *tag_length = operation->tag_length;
633     }
634 
635     return status;
636 }
637 
638 /* Abort an AEAD operation */
mbedtls_psa_aead_abort(mbedtls_psa_aead_operation_t * operation)639 psa_status_t mbedtls_psa_aead_abort(
640     mbedtls_psa_aead_operation_t *operation)
641 {
642     switch (operation->alg) {
643 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
644         case PSA_ALG_CCM:
645             mbedtls_ccm_free(&operation->ctx.ccm);
646             break;
647 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
648 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
649         case PSA_ALG_GCM:
650             mbedtls_gcm_free(&operation->ctx.gcm);
651             break;
652 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
653 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
654         case PSA_ALG_CHACHA20_POLY1305:
655             mbedtls_chachapoly_free(&operation->ctx.chachapoly);
656             break;
657 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
658     }
659 
660     operation->is_encrypt = 0;
661 
662     return PSA_SUCCESS;
663 }
664 
665 #endif /* MBEDTLS_PSA_CRYPTO_C */
666