• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  PSA cipher driver entry points
3  */
4 /*
5  *  Copyright The Mbed TLS Contributors
6  *  SPDX-License-Identifier: Apache-2.0
7  *
8  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
9  *  not use this file except in compliance with the License.
10  *  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  *  Unless required by applicable law or agreed to in writing, software
15  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17  *  See the License for the specific language governing permissions and
18  *  limitations under the License.
19  */
20 
21 #include "common.h"
22 
23 #if defined(MBEDTLS_PSA_CRYPTO_C)
24 
25 #include "psa_crypto_cipher.h"
26 #include "psa_crypto_core.h"
27 #include "psa_crypto_random_impl.h"
28 
29 #include "mbedtls/cipher.h"
30 #include "mbedtls/error.h"
31 
32 #include <string.h>
33 
mbedtls_cipher_info_from_psa(psa_algorithm_t alg,psa_key_type_t key_type,size_t key_bits,mbedtls_cipher_id_t * cipher_id)34 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
35     psa_algorithm_t alg,
36     psa_key_type_t key_type,
37     size_t key_bits,
38     mbedtls_cipher_id_t *cipher_id)
39 {
40     mbedtls_cipher_mode_t mode;
41     mbedtls_cipher_id_t cipher_id_tmp;
42 
43     if (PSA_ALG_IS_AEAD(alg)) {
44         alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0);
45     }
46 
47     if (PSA_ALG_IS_CIPHER(alg) || PSA_ALG_IS_AEAD(alg)) {
48         switch (alg) {
49 #if defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER)
50             case PSA_ALG_STREAM_CIPHER:
51                 mode = MBEDTLS_MODE_STREAM;
52                 break;
53 #endif
54 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CTR)
55             case PSA_ALG_CTR:
56                 mode = MBEDTLS_MODE_CTR;
57                 break;
58 #endif
59 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CFB)
60             case PSA_ALG_CFB:
61                 mode = MBEDTLS_MODE_CFB;
62                 break;
63 #endif
64 #if defined(MBEDTLS_PSA_BUILTIN_ALG_OFB)
65             case PSA_ALG_OFB:
66                 mode = MBEDTLS_MODE_OFB;
67                 break;
68 #endif
69 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
70             case PSA_ALG_ECB_NO_PADDING:
71                 mode = MBEDTLS_MODE_ECB;
72                 break;
73 #endif
74 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING)
75             case PSA_ALG_CBC_NO_PADDING:
76                 mode = MBEDTLS_MODE_CBC;
77                 break;
78 #endif
79 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7)
80             case PSA_ALG_CBC_PKCS7:
81                 mode = MBEDTLS_MODE_CBC;
82                 break;
83 #endif
84 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG)
85             case PSA_ALG_CCM_STAR_NO_TAG:
86                 mode = MBEDTLS_MODE_CCM_STAR_NO_TAG;
87                 break;
88 #endif
89 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
90             case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
91                 mode = MBEDTLS_MODE_CCM;
92                 break;
93 #endif
94 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
95             case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
96                 mode = MBEDTLS_MODE_GCM;
97                 break;
98 #endif
99 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
100             case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
101                 mode = MBEDTLS_MODE_CHACHAPOLY;
102                 break;
103 #endif
104             default:
105                 return NULL;
106         }
107     } else if (alg == PSA_ALG_CMAC) {
108         mode = MBEDTLS_MODE_ECB;
109     } else {
110         return NULL;
111     }
112 
113     switch (key_type) {
114 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES)
115         case PSA_KEY_TYPE_AES:
116             cipher_id_tmp = MBEDTLS_CIPHER_ID_AES;
117             break;
118 #endif
119 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA)
120         case PSA_KEY_TYPE_ARIA:
121             cipher_id_tmp = MBEDTLS_CIPHER_ID_ARIA;
122             break;
123 #endif
124 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
125         case PSA_KEY_TYPE_DES:
126             /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES,
127              * and 192 for three-key Triple-DES. */
128             if (key_bits == 64) {
129                 cipher_id_tmp = MBEDTLS_CIPHER_ID_DES;
130             } else {
131                 cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES;
132             }
133             /* mbedtls doesn't recognize two-key Triple-DES as an algorithm,
134              * but two-key Triple-DES is functionally three-key Triple-DES
135              * with K1=K3, so that's how we present it to mbedtls. */
136             if (key_bits == 128) {
137                 key_bits = 192;
138             }
139             break;
140 #endif
141 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA)
142         case PSA_KEY_TYPE_CAMELLIA:
143             cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA;
144             break;
145 #endif
146 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20)
147         case PSA_KEY_TYPE_CHACHA20:
148             cipher_id_tmp = MBEDTLS_CIPHER_ID_CHACHA20;
149             break;
150 #endif
151         default:
152             return NULL;
153     }
154     if (cipher_id != NULL) {
155         *cipher_id = cipher_id_tmp;
156     }
157 
158     return mbedtls_cipher_info_from_values(cipher_id_tmp,
159                                            (int) key_bits, mode);
160 }
161 
162 #if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
163 
psa_cipher_setup(mbedtls_psa_cipher_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,mbedtls_operation_t cipher_operation)164 static psa_status_t psa_cipher_setup(
165     mbedtls_psa_cipher_operation_t *operation,
166     const psa_key_attributes_t *attributes,
167     const uint8_t *key_buffer, size_t key_buffer_size,
168     psa_algorithm_t alg,
169     mbedtls_operation_t cipher_operation)
170 {
171     int ret = 0;
172     size_t key_bits;
173     const mbedtls_cipher_info_t *cipher_info = NULL;
174     psa_key_type_t key_type = attributes->core.type;
175 
176     (void) key_buffer_size;
177 
178     mbedtls_cipher_init(&operation->ctx.cipher);
179 
180     operation->alg = alg;
181     key_bits = attributes->core.bits;
182     cipher_info = mbedtls_cipher_info_from_psa(alg, key_type,
183                                                key_bits, NULL);
184     if (cipher_info == NULL) {
185         return PSA_ERROR_NOT_SUPPORTED;
186     }
187 
188     ret = mbedtls_cipher_setup(&operation->ctx.cipher, cipher_info);
189     if (ret != 0) {
190         goto exit;
191     }
192 
193 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
194     if (key_type == PSA_KEY_TYPE_DES && key_bits == 128) {
195         /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
196         uint8_t keys[24];
197         memcpy(keys, key_buffer, 16);
198         memcpy(keys + 16, key_buffer, 8);
199         ret = mbedtls_cipher_setkey(&operation->ctx.cipher,
200                                     keys,
201                                     192, cipher_operation);
202     } else
203 #endif
204     {
205         ret = mbedtls_cipher_setkey(&operation->ctx.cipher, key_buffer,
206                                     (int) key_bits, cipher_operation);
207     }
208     if (ret != 0) {
209         goto exit;
210     }
211 
212 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
213     defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7)
214     switch (alg) {
215         case PSA_ALG_CBC_NO_PADDING:
216             ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher,
217                                                   MBEDTLS_PADDING_NONE);
218             break;
219         case PSA_ALG_CBC_PKCS7:
220             ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher,
221                                                   MBEDTLS_PADDING_PKCS7);
222             break;
223         default:
224             /* The algorithm doesn't involve padding. */
225             ret = 0;
226             break;
227     }
228     if (ret != 0) {
229         goto exit;
230     }
231 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING ||
232           MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 */
233 
234     operation->block_length = (PSA_ALG_IS_STREAM_CIPHER(alg) ? 1 :
235                                PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type));
236     operation->iv_length = PSA_CIPHER_IV_LENGTH(key_type, alg);
237 
238 exit:
239     return mbedtls_to_psa_error(ret);
240 }
241 
mbedtls_psa_cipher_encrypt_setup(mbedtls_psa_cipher_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)242 psa_status_t mbedtls_psa_cipher_encrypt_setup(
243     mbedtls_psa_cipher_operation_t *operation,
244     const psa_key_attributes_t *attributes,
245     const uint8_t *key_buffer, size_t key_buffer_size,
246     psa_algorithm_t alg)
247 {
248     return psa_cipher_setup(operation, attributes,
249                             key_buffer, key_buffer_size,
250                             alg, MBEDTLS_ENCRYPT);
251 }
252 
mbedtls_psa_cipher_decrypt_setup(mbedtls_psa_cipher_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)253 psa_status_t mbedtls_psa_cipher_decrypt_setup(
254     mbedtls_psa_cipher_operation_t *operation,
255     const psa_key_attributes_t *attributes,
256     const uint8_t *key_buffer, size_t key_buffer_size,
257     psa_algorithm_t alg)
258 {
259     return psa_cipher_setup(operation, attributes,
260                             key_buffer, key_buffer_size,
261                             alg, MBEDTLS_DECRYPT);
262 }
263 
mbedtls_psa_cipher_set_iv(mbedtls_psa_cipher_operation_t * operation,const uint8_t * iv,size_t iv_length)264 psa_status_t mbedtls_psa_cipher_set_iv(
265     mbedtls_psa_cipher_operation_t *operation,
266     const uint8_t *iv, size_t iv_length)
267 {
268     if (iv_length != operation->iv_length) {
269         return PSA_ERROR_INVALID_ARGUMENT;
270     }
271 
272     return mbedtls_to_psa_error(
273         mbedtls_cipher_set_iv(&operation->ctx.cipher,
274                               iv, iv_length));
275 }
276 
277 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
278 /** Process input for which the algorithm is set to ECB mode.
279  *
280  * This requires manual processing, since the PSA API is defined as being
281  * able to process arbitrary-length calls to psa_cipher_update() with ECB mode,
282  * but the underlying mbedtls_cipher_update only takes full blocks.
283  *
284  * \param ctx           The mbedtls cipher context to use. It must have been
285  *                      set up for ECB.
286  * \param[in] input     The input plaintext or ciphertext to process.
287  * \param input_length  The number of bytes to process from \p input.
288  *                      This does not need to be aligned to a block boundary.
289  *                      If there is a partial block at the end of the input,
290  *                      it is stored in \p ctx for future processing.
291  * \param output        The buffer where the output is written. It must be
292  *                      at least `BS * floor((p + input_length) / BS)` bytes
293  *                      long, where `p` is the number of bytes in the
294  *                      unprocessed partial block in \p ctx (with
295  *                      `0 <= p <= BS - 1`) and `BS` is the block size.
296  * \param output_length On success, the number of bytes written to \p output.
297  *                      \c 0 on error.
298  *
299  * \return #PSA_SUCCESS or an error from a hardware accelerator
300  */
psa_cipher_update_ecb(mbedtls_cipher_context_t * ctx,const uint8_t * input,size_t input_length,uint8_t * output,size_t * output_length)301 static psa_status_t psa_cipher_update_ecb(
302     mbedtls_cipher_context_t *ctx,
303     const uint8_t *input,
304     size_t input_length,
305     uint8_t *output,
306     size_t *output_length)
307 {
308     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
309     size_t block_size = ctx->cipher_info->block_size;
310     size_t internal_output_length = 0;
311     *output_length = 0;
312 
313     if (input_length == 0) {
314         status = PSA_SUCCESS;
315         goto exit;
316     }
317 
318     if (ctx->unprocessed_len > 0) {
319         /* Fill up to block size, and run the block if there's a full one. */
320         size_t bytes_to_copy = block_size - ctx->unprocessed_len;
321 
322         if (input_length < bytes_to_copy) {
323             bytes_to_copy = input_length;
324         }
325 
326         memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]),
327                input, bytes_to_copy);
328         input_length -= bytes_to_copy;
329         input += bytes_to_copy;
330         ctx->unprocessed_len += bytes_to_copy;
331 
332         if (ctx->unprocessed_len == block_size) {
333             status = mbedtls_to_psa_error(
334                 mbedtls_cipher_update(ctx,
335                                       ctx->unprocessed_data,
336                                       block_size,
337                                       output, &internal_output_length));
338 
339             if (status != PSA_SUCCESS) {
340                 goto exit;
341             }
342 
343             output += internal_output_length;
344             *output_length += internal_output_length;
345             ctx->unprocessed_len = 0;
346         }
347     }
348 
349     while (input_length >= block_size) {
350         /* Run all full blocks we have, one by one */
351         status = mbedtls_to_psa_error(
352             mbedtls_cipher_update(ctx, input,
353                                   block_size,
354                                   output, &internal_output_length));
355 
356         if (status != PSA_SUCCESS) {
357             goto exit;
358         }
359 
360         input_length -= block_size;
361         input += block_size;
362 
363         output += internal_output_length;
364         *output_length += internal_output_length;
365     }
366 
367     if (input_length > 0) {
368         /* Save unprocessed bytes for later processing */
369         memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]),
370                input, input_length);
371         ctx->unprocessed_len += input_length;
372     }
373 
374     status = PSA_SUCCESS;
375 
376 exit:
377     return status;
378 }
379 #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING */
380 
mbedtls_psa_cipher_update(mbedtls_psa_cipher_operation_t * operation,const uint8_t * input,size_t input_length,uint8_t * output,size_t output_size,size_t * output_length)381 psa_status_t mbedtls_psa_cipher_update(
382     mbedtls_psa_cipher_operation_t *operation,
383     const uint8_t *input, size_t input_length,
384     uint8_t *output, size_t output_size, size_t *output_length)
385 {
386     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
387     size_t expected_output_size;
388 
389     if (!PSA_ALG_IS_STREAM_CIPHER(operation->alg)) {
390         /* Take the unprocessed partial block left over from previous
391          * update calls, if any, plus the input to this call. Remove
392          * the last partial block, if any. You get the data that will be
393          * output in this call. */
394         expected_output_size =
395             (operation->ctx.cipher.unprocessed_len + input_length)
396             / operation->block_length * operation->block_length;
397     } else {
398         expected_output_size = input_length;
399     }
400 
401     if (output_size < expected_output_size) {
402         return PSA_ERROR_BUFFER_TOO_SMALL;
403     }
404 
405 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
406     if (operation->alg == PSA_ALG_ECB_NO_PADDING) {
407         /* mbedtls_cipher_update has an API inconsistency: it will only
408          * process a single block at a time in ECB mode. Abstract away that
409          * inconsistency here to match the PSA API behaviour. */
410         status = psa_cipher_update_ecb(&operation->ctx.cipher,
411                                        input,
412                                        input_length,
413                                        output,
414                                        output_length);
415     } else
416 #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING */
417     {
418         status = mbedtls_to_psa_error(
419             mbedtls_cipher_update(&operation->ctx.cipher, input,
420                                   input_length, output, output_length));
421 
422         if (*output_length > output_size) {
423             return PSA_ERROR_CORRUPTION_DETECTED;
424         }
425     }
426 
427     return status;
428 }
429 
mbedtls_psa_cipher_finish(mbedtls_psa_cipher_operation_t * operation,uint8_t * output,size_t output_size,size_t * output_length)430 psa_status_t mbedtls_psa_cipher_finish(
431     mbedtls_psa_cipher_operation_t *operation,
432     uint8_t *output, size_t output_size, size_t *output_length)
433 {
434     psa_status_t status = PSA_ERROR_GENERIC_ERROR;
435     uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH];
436 
437     if (operation->ctx.cipher.unprocessed_len != 0) {
438         if (operation->alg == PSA_ALG_ECB_NO_PADDING ||
439             operation->alg == PSA_ALG_CBC_NO_PADDING) {
440             status = PSA_ERROR_INVALID_ARGUMENT;
441             goto exit;
442         }
443     }
444 
445     status = mbedtls_to_psa_error(
446         mbedtls_cipher_finish(&operation->ctx.cipher,
447                               temp_output_buffer,
448                               output_length));
449     if (status != PSA_SUCCESS) {
450         goto exit;
451     }
452 
453     if (*output_length == 0) {
454         ; /* Nothing to copy. Note that output may be NULL in this case. */
455     } else if (output_size >= *output_length) {
456         memcpy(output, temp_output_buffer, *output_length);
457     } else {
458         status = PSA_ERROR_BUFFER_TOO_SMALL;
459     }
460 
461 exit:
462     mbedtls_platform_zeroize(temp_output_buffer,
463                              sizeof(temp_output_buffer));
464 
465     return status;
466 }
467 
mbedtls_psa_cipher_abort(mbedtls_psa_cipher_operation_t * operation)468 psa_status_t mbedtls_psa_cipher_abort(
469     mbedtls_psa_cipher_operation_t *operation)
470 {
471     /* Sanity check (shouldn't happen: operation->alg should
472      * always have been initialized to a valid value). */
473     if (!PSA_ALG_IS_CIPHER(operation->alg)) {
474         return PSA_ERROR_BAD_STATE;
475     }
476 
477     mbedtls_cipher_free(&operation->ctx.cipher);
478 
479     return PSA_SUCCESS;
480 }
481 
mbedtls_psa_cipher_encrypt(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * iv,size_t iv_length,const uint8_t * input,size_t input_length,uint8_t * output,size_t output_size,size_t * output_length)482 psa_status_t mbedtls_psa_cipher_encrypt(
483     const psa_key_attributes_t *attributes,
484     const uint8_t *key_buffer,
485     size_t key_buffer_size,
486     psa_algorithm_t alg,
487     const uint8_t *iv,
488     size_t iv_length,
489     const uint8_t *input,
490     size_t input_length,
491     uint8_t *output,
492     size_t output_size,
493     size_t *output_length)
494 {
495     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
496     mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT;
497     size_t update_output_length, finish_output_length;
498 
499     status = mbedtls_psa_cipher_encrypt_setup(&operation, attributes,
500                                               key_buffer, key_buffer_size,
501                                               alg);
502     if (status != PSA_SUCCESS) {
503         goto exit;
504     }
505 
506     if (iv_length > 0) {
507         status = mbedtls_psa_cipher_set_iv(&operation, iv, iv_length);
508         if (status != PSA_SUCCESS) {
509             goto exit;
510         }
511     }
512 
513     status = mbedtls_psa_cipher_update(&operation, input, input_length,
514                                        output, output_size,
515                                        &update_output_length);
516     if (status != PSA_SUCCESS) {
517         goto exit;
518     }
519 
520     status = mbedtls_psa_cipher_finish(
521         &operation,
522         mbedtls_buffer_offset(output, update_output_length),
523         output_size - update_output_length, &finish_output_length);
524     if (status != PSA_SUCCESS) {
525         goto exit;
526     }
527 
528     *output_length = update_output_length + finish_output_length;
529 
530 exit:
531     if (status == PSA_SUCCESS) {
532         status = mbedtls_psa_cipher_abort(&operation);
533     } else {
534         mbedtls_psa_cipher_abort(&operation);
535     }
536 
537     return status;
538 }
539 
mbedtls_psa_cipher_decrypt(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * input,size_t input_length,uint8_t * output,size_t output_size,size_t * output_length)540 psa_status_t mbedtls_psa_cipher_decrypt(
541     const psa_key_attributes_t *attributes,
542     const uint8_t *key_buffer,
543     size_t key_buffer_size,
544     psa_algorithm_t alg,
545     const uint8_t *input,
546     size_t input_length,
547     uint8_t *output,
548     size_t output_size,
549     size_t *output_length)
550 {
551     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
552     mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT;
553     size_t olength, accumulated_length;
554 
555     status = mbedtls_psa_cipher_decrypt_setup(&operation, attributes,
556                                               key_buffer, key_buffer_size,
557                                               alg);
558     if (status != PSA_SUCCESS) {
559         goto exit;
560     }
561 
562     if (operation.iv_length > 0) {
563         status = mbedtls_psa_cipher_set_iv(&operation,
564                                            input, operation.iv_length);
565         if (status != PSA_SUCCESS) {
566             goto exit;
567         }
568     }
569 
570     status = mbedtls_psa_cipher_update(
571         &operation,
572         mbedtls_buffer_offset_const(input, operation.iv_length),
573         input_length - operation.iv_length,
574         output, output_size, &olength);
575     if (status != PSA_SUCCESS) {
576         goto exit;
577     }
578 
579     accumulated_length = olength;
580 
581     status = mbedtls_psa_cipher_finish(
582         &operation,
583         mbedtls_buffer_offset(output, accumulated_length),
584         output_size - accumulated_length, &olength);
585     if (status != PSA_SUCCESS) {
586         goto exit;
587     }
588 
589     *output_length = accumulated_length + olength;
590 
591 exit:
592     if (status == PSA_SUCCESS) {
593         status = mbedtls_psa_cipher_abort(&operation);
594     } else {
595         mbedtls_psa_cipher_abort(&operation);
596     }
597 
598     return status;
599 }
600 #endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
601 
602 #endif /* MBEDTLS_PSA_CRYPTO_C */
603