1 /**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0
10 *
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
22 */
23
24 #include "common.h"
25
26 #if defined(MBEDTLS_CIPHER_C)
27
28 #include "mbedtls/cipher.h"
29 #include "cipher_wrap.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32 #include "mbedtls/constant_time.h"
33
34 #include <stdlib.h>
35 #include <string.h>
36
37 #if defined(VENDOR_REDEFINE_TEE_API_C)
38 #include "mbedtls/hw_redefine_tee_api.h"
39 #endif
40 #include "mbedtls/hw_tee_tag.h"
41
42 #if defined(MBEDTLS_CHACHAPOLY_C)
43 #include "mbedtls/chachapoly.h"
44 #endif
45
46 #if defined(MBEDTLS_GCM_C)
47 #include "mbedtls/gcm.h"
48 #endif
49
50 #if defined(MBEDTLS_CCM_C)
51 #include "mbedtls/ccm.h"
52 #endif
53
54 #if defined(MBEDTLS_CHACHA20_C)
55 #include "mbedtls/chacha20.h"
56 #endif
57
58 #if defined(MBEDTLS_CMAC_C)
59 #include "mbedtls/cmac.h"
60 #endif
61
62 #if defined(MBEDTLS_USE_PSA_CRYPTO)
63 #include "psa/crypto.h"
64 #include "mbedtls/psa_util.h"
65 #endif /* MBEDTLS_USE_PSA_CRYPTO */
66
67 #if defined(MBEDTLS_NIST_KW_C)
68 #include "mbedtls/nist_kw.h"
69 #endif
70
71 #if defined(MBEDTLS_PLATFORM_C)
72 #include "mbedtls/platform.h"
73 #else
74 #define mbedtls_calloc calloc
75 #define mbedtls_free free
76 #endif
77
78 #define CIPHER_VALIDATE_RET( cond ) \
79 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
80 #define CIPHER_VALIDATE( cond ) \
81 MBEDTLS_INTERNAL_VALIDATE( cond )
82
83 static int supported_init = 0;
84
mbedtls_cipher_list(void)85 const int *mbedtls_cipher_list( void )
86 {
87 const mbedtls_cipher_definition_t *def;
88 int *type;
89
90 if( ! supported_init )
91 {
92 def = mbedtls_cipher_definitions;
93 type = mbedtls_cipher_supported;
94
95 while( def->type != 0 )
96 *type++ = (*def++).type;
97
98 *type = 0;
99
100 supported_init = 1;
101 }
102
103 return( mbedtls_cipher_supported );
104 }
105
mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)106 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
107 const mbedtls_cipher_type_t cipher_type )
108 {
109 const mbedtls_cipher_definition_t *def;
110
111 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
112 if( def->type == cipher_type )
113 return( def->info );
114
115 return( NULL );
116 }
117
mbedtls_cipher_info_from_string(const char * cipher_name)118 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
119 const char *cipher_name )
120 {
121 const mbedtls_cipher_definition_t *def;
122
123 if( NULL == cipher_name )
124 return( NULL );
125
126 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
127 if( ! strcmp( def->info->name, cipher_name ) )
128 return( def->info );
129
130 return( NULL );
131 }
132
mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,int key_bitlen,const mbedtls_cipher_mode_t mode)133 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
134 const mbedtls_cipher_id_t cipher_id,
135 int key_bitlen,
136 const mbedtls_cipher_mode_t mode )
137 {
138 const mbedtls_cipher_definition_t *def;
139
140 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
141 if( def->info->base->cipher == cipher_id &&
142 def->info->key_bitlen == (unsigned) key_bitlen &&
143 def->info->mode == mode )
144 return( def->info );
145
146 return( NULL );
147 }
148
mbedtls_cipher_init(mbedtls_cipher_context_t * ctx)149 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
150 {
151 CIPHER_VALIDATE( ctx != NULL );
152 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
153 }
154
mbedtls_cipher_free(mbedtls_cipher_context_t * ctx)155 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
156 {
157 if( ctx == NULL )
158 return;
159
160 #if defined(MBEDTLS_USE_PSA_CRYPTO)
161 if( ctx->psa_enabled == 1 )
162 {
163 if( ctx->cipher_ctx != NULL )
164 {
165 mbedtls_cipher_context_psa * const cipher_psa =
166 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
167
168 if( cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED )
169 {
170 /* xxx_free() doesn't allow to return failures. */
171 (void) psa_destroy_key( cipher_psa->slot );
172 }
173
174 mbedtls_platform_zeroize( cipher_psa, sizeof( *cipher_psa ) );
175 mbedtls_free( cipher_psa );
176 }
177
178 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
179 return;
180 }
181 #endif /* MBEDTLS_USE_PSA_CRYPTO */
182
183 #if defined(MBEDTLS_CMAC_C)
184 if( ctx->cmac_ctx )
185 {
186 mbedtls_platform_zeroize( ctx->cmac_ctx,
187 sizeof( mbedtls_cmac_context_t ) );
188 mbedtls_free( ctx->cmac_ctx );
189 }
190 #endif
191
192 if( ctx->cipher_ctx )
193 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
194
195 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
196 }
197
mbedtls_cipher_setup(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)198 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
199 const mbedtls_cipher_info_t *cipher_info )
200 {
201 CIPHER_VALIDATE_RET( ctx != NULL );
202 if( cipher_info == NULL )
203 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
204
205 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
206
207 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
208 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
209
210 ctx->cipher_info = cipher_info;
211
212 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
213 /*
214 * Ignore possible errors caused by a cipher mode that doesn't use padding
215 */
216 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
217 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
218 #else
219 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
220 #endif
221 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
222
223 return( 0 );
224 }
225
226 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_cipher_setup_psa(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info,size_t taglen)227 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
228 const mbedtls_cipher_info_t *cipher_info,
229 size_t taglen )
230 {
231 psa_algorithm_t alg;
232 mbedtls_cipher_context_psa *cipher_psa;
233
234 if( NULL == cipher_info || NULL == ctx )
235 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
236
237 /* Check that the underlying cipher mode and cipher type are
238 * supported by the underlying PSA Crypto implementation. */
239 alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen );
240 if( alg == 0 )
241 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
242 if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 )
243 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
244
245 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
246
247 cipher_psa = mbedtls_calloc( 1, sizeof(mbedtls_cipher_context_psa ) );
248 if( cipher_psa == NULL )
249 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
250 cipher_psa->alg = alg;
251 ctx->cipher_ctx = cipher_psa;
252 ctx->cipher_info = cipher_info;
253 ctx->psa_enabled = 1;
254 return( 0 );
255 }
256 #endif /* MBEDTLS_USE_PSA_CRYPTO */
257
258 VMP_TAG
mbedtls_cipher_setkey(mbedtls_cipher_context_t * ctx,const unsigned char * key,int key_bitlen,const mbedtls_operation_t operation)259 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
260 const unsigned char *key,
261 int key_bitlen,
262 const mbedtls_operation_t operation )
263 {
264 CIPHER_VALIDATE_RET( ctx != NULL );
265 CIPHER_VALIDATE_RET( key != NULL );
266 CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
267 operation == MBEDTLS_DECRYPT );
268 if( ctx->cipher_info == NULL )
269 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
270
271 #if defined(MBEDTLS_USE_PSA_CRYPTO)
272 if( ctx->psa_enabled == 1 )
273 {
274 mbedtls_cipher_context_psa * const cipher_psa =
275 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
276
277 size_t const key_bytelen = ( (size_t) key_bitlen + 7 ) / 8;
278
279 psa_status_t status;
280 psa_key_type_t key_type;
281 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
282
283 /* PSA Crypto API only accepts byte-aligned keys. */
284 if( key_bitlen % 8 != 0 )
285 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
286
287 /* Don't allow keys to be set multiple times. */
288 if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET )
289 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
290
291 key_type = mbedtls_psa_translate_cipher_type(
292 ctx->cipher_info->type );
293 if( key_type == 0 )
294 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
295 psa_set_key_type( &attributes, key_type );
296
297 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
298 * (encrypt vs. decrypt): it is possible to setup a key for encryption
299 * and use it for AEAD decryption. Until tests relying on this
300 * are changed, allow any usage in PSA. */
301 psa_set_key_usage_flags( &attributes,
302 /* mbedtls_psa_translate_cipher_operation( operation ); */
303 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
304 psa_set_key_algorithm( &attributes, cipher_psa->alg );
305
306 status = psa_import_key( &attributes, key, key_bytelen,
307 &cipher_psa->slot );
308 switch( status )
309 {
310 case PSA_SUCCESS:
311 break;
312 case PSA_ERROR_INSUFFICIENT_MEMORY:
313 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
314 case PSA_ERROR_NOT_SUPPORTED:
315 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
316 default:
317 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
318 }
319 /* Indicate that we own the key slot and need to
320 * destroy it in mbedtls_cipher_free(). */
321 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
322
323 ctx->key_bitlen = key_bitlen;
324 ctx->operation = operation;
325 return( 0 );
326 }
327 #endif /* MBEDTLS_USE_PSA_CRYPTO */
328
329 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
330 (int) ctx->cipher_info->key_bitlen != key_bitlen )
331 {
332 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
333 }
334
335 ctx->key_bitlen = key_bitlen;
336 ctx->operation = operation;
337
338 /*
339 * For OFB, CFB and CTR mode always use the encryption key schedule
340 */
341 if( MBEDTLS_ENCRYPT == operation ||
342 MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
343 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
344 MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
345 {
346 return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
347 ctx->key_bitlen ) );
348 }
349
350 if( MBEDTLS_DECRYPT == operation )
351 return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
352 ctx->key_bitlen ) );
353
354 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
355 }
356
mbedtls_cipher_set_iv(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len)357 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
358 const unsigned char *iv,
359 size_t iv_len )
360 {
361 size_t actual_iv_size;
362
363 CIPHER_VALIDATE_RET( ctx != NULL );
364 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
365 if( ctx->cipher_info == NULL )
366 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
367 #if defined(MBEDTLS_USE_PSA_CRYPTO)
368 if( ctx->psa_enabled == 1 )
369 {
370 /* While PSA Crypto has an API for multipart
371 * operations, we currently don't make it
372 * accessible through the cipher layer. */
373 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
374 }
375 #endif /* MBEDTLS_USE_PSA_CRYPTO */
376
377 /* avoid buffer overflow in ctx->iv */
378 if( iv_len > MBEDTLS_MAX_IV_LENGTH )
379 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
380
381 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
382 actual_iv_size = iv_len;
383 else
384 {
385 actual_iv_size = ctx->cipher_info->iv_size;
386
387 /* avoid reading past the end of input buffer */
388 if( actual_iv_size > iv_len )
389 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
390 }
391
392 #if defined(MBEDTLS_CHACHA20_C)
393 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
394 {
395 if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
396 iv,
397 0U ) ) /* Initial counter value */
398 {
399 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
400 }
401 }
402 #endif
403
404 #if defined(MBEDTLS_GCM_C)
405 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
406 {
407 return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx,
408 ctx->operation,
409 iv, iv_len ) );
410 }
411 #endif
412
413 #if defined(MBEDTLS_CCM_C)
414 if( MBEDTLS_MODE_CCM_STAR_NO_TAG == ctx->cipher_info->mode )
415 {
416 int set_lengths_result;
417 int ccm_star_mode;
418
419 set_lengths_result = mbedtls_ccm_set_lengths(
420 (mbedtls_ccm_context *) ctx->cipher_ctx,
421 0, 0, 0 );
422 if( set_lengths_result != 0 )
423 return set_lengths_result;
424
425 if( ctx->operation == MBEDTLS_DECRYPT )
426 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;
427 else if( ctx->operation == MBEDTLS_ENCRYPT )
428 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;
429 else
430 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
431
432 return( mbedtls_ccm_starts( (mbedtls_ccm_context *) ctx->cipher_ctx,
433 ccm_star_mode,
434 iv, iv_len ) );
435 }
436 #endif
437
438 if ( actual_iv_size != 0 )
439 {
440 memcpy( ctx->iv, iv, actual_iv_size );
441 ctx->iv_size = actual_iv_size;
442 }
443
444 return( 0 );
445 }
446
mbedtls_cipher_reset(mbedtls_cipher_context_t * ctx)447 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
448 {
449 CIPHER_VALIDATE_RET( ctx != NULL );
450 if( ctx->cipher_info == NULL )
451 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
452
453 #if defined(MBEDTLS_USE_PSA_CRYPTO)
454 if( ctx->psa_enabled == 1 )
455 {
456 /* We don't support resetting PSA-based
457 * cipher contexts, yet. */
458 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
459 }
460 #endif /* MBEDTLS_USE_PSA_CRYPTO */
461
462 ctx->unprocessed_len = 0;
463
464 return( 0 );
465 }
466
467 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_update_ad(mbedtls_cipher_context_t * ctx,const unsigned char * ad,size_t ad_len)468 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
469 const unsigned char *ad, size_t ad_len )
470 {
471 CIPHER_VALIDATE_RET( ctx != NULL );
472 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
473 if( ctx->cipher_info == NULL )
474 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
475
476 #if defined(MBEDTLS_USE_PSA_CRYPTO)
477 if( ctx->psa_enabled == 1 )
478 {
479 /* While PSA Crypto has an API for multipart
480 * operations, we currently don't make it
481 * accessible through the cipher layer. */
482 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
483 }
484 #endif /* MBEDTLS_USE_PSA_CRYPTO */
485
486 #if defined(MBEDTLS_GCM_C)
487 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
488 {
489 return( mbedtls_gcm_update_ad( (mbedtls_gcm_context *) ctx->cipher_ctx,
490 ad, ad_len ) );
491 }
492 #endif
493
494 #if defined(MBEDTLS_CHACHAPOLY_C)
495 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
496 {
497 int result;
498 mbedtls_chachapoly_mode_t mode;
499
500 mode = ( ctx->operation == MBEDTLS_ENCRYPT )
501 ? MBEDTLS_CHACHAPOLY_ENCRYPT
502 : MBEDTLS_CHACHAPOLY_DECRYPT;
503
504 result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
505 ctx->iv,
506 mode );
507 if ( result != 0 )
508 return( result );
509
510 return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
511 ad, ad_len ) );
512 }
513 #endif
514
515 return( 0 );
516 }
517 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
518
mbedtls_cipher_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)519 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
520 size_t ilen, unsigned char *output, size_t *olen )
521 {
522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
523 size_t block_size;
524
525 CIPHER_VALIDATE_RET( ctx != NULL );
526 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
527 CIPHER_VALIDATE_RET( output != NULL );
528 CIPHER_VALIDATE_RET( olen != NULL );
529 if( ctx->cipher_info == NULL )
530 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
531
532 #if defined(MBEDTLS_USE_PSA_CRYPTO)
533 if( ctx->psa_enabled == 1 )
534 {
535 /* While PSA Crypto has an API for multipart
536 * operations, we currently don't make it
537 * accessible through the cipher layer. */
538 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
539 }
540 #endif /* MBEDTLS_USE_PSA_CRYPTO */
541
542 *olen = 0;
543 block_size = mbedtls_cipher_get_block_size( ctx );
544 if ( 0 == block_size )
545 {
546 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
547 }
548
549 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
550 {
551 if( ilen != block_size )
552 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
553
554 *olen = ilen;
555
556 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
557 ctx->operation, input, output ) ) )
558 {
559 return( ret );
560 }
561
562 return( 0 );
563 }
564
565 #if defined(MBEDTLS_GCM_C)
566 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
567 {
568 return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx,
569 input, ilen,
570 output, ilen, olen ) );
571 }
572 #endif
573
574 #if defined(MBEDTLS_CCM_C)
575 if( ctx->cipher_info->mode == MBEDTLS_MODE_CCM_STAR_NO_TAG )
576 {
577 return( mbedtls_ccm_update( (mbedtls_ccm_context *) ctx->cipher_ctx,
578 input, ilen,
579 output, ilen, olen ) );
580 }
581 #endif
582
583 #if defined(MBEDTLS_CHACHAPOLY_C)
584 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
585 {
586 *olen = ilen;
587 return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
588 ilen, input, output ) );
589 }
590 #endif
591
592 if( input == output &&
593 ( ctx->unprocessed_len != 0 || ilen % block_size ) )
594 {
595 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
596 }
597
598 #if defined(MBEDTLS_CIPHER_MODE_CBC)
599 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
600 {
601 size_t copy_len = 0;
602
603 /*
604 * If there is not enough data for a full block, cache it.
605 */
606 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
607 ilen <= block_size - ctx->unprocessed_len ) ||
608 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
609 ilen < block_size - ctx->unprocessed_len ) ||
610 ( ctx->operation == MBEDTLS_ENCRYPT &&
611 ilen < block_size - ctx->unprocessed_len ) )
612 {
613 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
614 ilen );
615
616 ctx->unprocessed_len += ilen;
617 return( 0 );
618 }
619
620 /*
621 * Process cached data first
622 */
623 if( 0 != ctx->unprocessed_len )
624 {
625 copy_len = block_size - ctx->unprocessed_len;
626
627 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
628 copy_len );
629
630 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
631 ctx->operation, block_size, ctx->iv,
632 ctx->unprocessed_data, output ) ) )
633 {
634 return( ret );
635 }
636
637 *olen += block_size;
638 output += block_size;
639 ctx->unprocessed_len = 0;
640
641 input += copy_len;
642 ilen -= copy_len;
643 }
644
645 /*
646 * Cache final, incomplete block
647 */
648 if( 0 != ilen )
649 {
650 /* Encryption: only cache partial blocks
651 * Decryption w/ padding: always keep at least one whole block
652 * Decryption w/o padding: only cache partial blocks
653 */
654 copy_len = ilen % block_size;
655 if( copy_len == 0 &&
656 ctx->operation == MBEDTLS_DECRYPT &&
657 NULL != ctx->add_padding)
658 {
659 copy_len = block_size;
660 }
661
662 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
663 copy_len );
664
665 ctx->unprocessed_len += copy_len;
666 ilen -= copy_len;
667 }
668
669 /*
670 * Process remaining full blocks
671 */
672 if( ilen )
673 {
674 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
675 ctx->operation, ilen, ctx->iv, input, output ) ) )
676 {
677 return( ret );
678 }
679
680 *olen += ilen;
681 }
682
683 return( 0 );
684 }
685 #endif /* MBEDTLS_CIPHER_MODE_CBC */
686
687 #if defined(MBEDTLS_CIPHER_MODE_CFB)
688 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
689 {
690 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
691 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
692 input, output ) ) )
693 {
694 return( ret );
695 }
696
697 *olen = ilen;
698
699 return( 0 );
700 }
701 #endif /* MBEDTLS_CIPHER_MODE_CFB */
702
703 #if defined(MBEDTLS_CIPHER_MODE_OFB)
704 if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
705 {
706 if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
707 ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
708 {
709 return( ret );
710 }
711
712 *olen = ilen;
713
714 return( 0 );
715 }
716 #endif /* MBEDTLS_CIPHER_MODE_OFB */
717
718 #if defined(MBEDTLS_CIPHER_MODE_CTR)
719 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
720 {
721 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
722 ilen, &ctx->unprocessed_len, ctx->iv,
723 ctx->unprocessed_data, input, output ) ) )
724 {
725 return( ret );
726 }
727
728 *olen = ilen;
729
730 return( 0 );
731 }
732 #endif /* MBEDTLS_CIPHER_MODE_CTR */
733
734 #if defined(MBEDTLS_CIPHER_MODE_XTS)
735 if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
736 {
737 if( ctx->unprocessed_len > 0 ) {
738 /* We can only process an entire data unit at a time. */
739 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
740 }
741
742 ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
743 ctx->operation, ilen, ctx->iv, input, output );
744 if( ret != 0 )
745 {
746 return( ret );
747 }
748
749 *olen = ilen;
750
751 return( 0 );
752 }
753 #endif /* MBEDTLS_CIPHER_MODE_XTS */
754
755 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
756 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
757 {
758 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
759 ilen, input, output ) ) )
760 {
761 return( ret );
762 }
763
764 *olen = ilen;
765
766 return( 0 );
767 }
768 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
769
770 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
771 }
772
773 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
774 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
775 /*
776 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
777 */
add_pkcs_padding(unsigned char * output,size_t output_len,size_t data_len)778 static void add_pkcs_padding( unsigned char *output, size_t output_len,
779 size_t data_len )
780 {
781 size_t padding_len = output_len - data_len;
782 unsigned char i;
783
784 for( i = 0; i < padding_len; i++ )
785 output[data_len + i] = (unsigned char) padding_len;
786 }
787
get_pkcs_padding(unsigned char * input,size_t input_len,size_t * data_len)788 static int get_pkcs_padding( unsigned char *input, size_t input_len,
789 size_t *data_len )
790 {
791 size_t i, pad_idx;
792 unsigned char padding_len, bad = 0;
793
794 if( NULL == input || NULL == data_len )
795 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
796
797 padding_len = input[input_len - 1];
798 *data_len = input_len - padding_len;
799
800 /* Avoid logical || since it results in a branch */
801 bad |= padding_len > input_len;
802 bad |= padding_len == 0;
803
804 /* The number of bytes checked must be independent of padding_len,
805 * so pick input_len, which is usually 8 or 16 (one block) */
806 pad_idx = input_len - padding_len;
807 for( i = 0; i < input_len; i++ )
808 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
809
810 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
811 }
812 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
813
814 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
815 /*
816 * One and zeros padding: fill with 80 00 ... 00
817 */
add_one_and_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)818 static void add_one_and_zeros_padding( unsigned char *output,
819 size_t output_len, size_t data_len )
820 {
821 size_t padding_len = output_len - data_len;
822 unsigned char i = 0;
823
824 output[data_len] = 0x80;
825 for( i = 1; i < padding_len; i++ )
826 output[data_len + i] = 0x00;
827 }
828
get_one_and_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)829 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
830 size_t *data_len )
831 {
832 size_t i;
833 unsigned char done = 0, prev_done, bad;
834
835 if( NULL == input || NULL == data_len )
836 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
837
838 bad = 0x80;
839 *data_len = 0;
840 for( i = input_len; i > 0; i-- )
841 {
842 prev_done = done;
843 done |= ( input[i - 1] != 0 );
844 *data_len |= ( i - 1 ) * ( done != prev_done );
845 bad ^= input[i - 1] * ( done != prev_done );
846 }
847
848 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
849
850 }
851 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
852
853 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
854 /*
855 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
856 */
add_zeros_and_len_padding(unsigned char * output,size_t output_len,size_t data_len)857 static void add_zeros_and_len_padding( unsigned char *output,
858 size_t output_len, size_t data_len )
859 {
860 size_t padding_len = output_len - data_len;
861 unsigned char i = 0;
862
863 for( i = 1; i < padding_len; i++ )
864 output[data_len + i - 1] = 0x00;
865 output[output_len - 1] = (unsigned char) padding_len;
866 }
867
get_zeros_and_len_padding(unsigned char * input,size_t input_len,size_t * data_len)868 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
869 size_t *data_len )
870 {
871 size_t i, pad_idx;
872 unsigned char padding_len, bad = 0;
873
874 if( NULL == input || NULL == data_len )
875 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
876
877 padding_len = input[input_len - 1];
878 *data_len = input_len - padding_len;
879
880 /* Avoid logical || since it results in a branch */
881 bad |= padding_len > input_len;
882 bad |= padding_len == 0;
883
884 /* The number of bytes checked must be independent of padding_len */
885 pad_idx = input_len - padding_len;
886 for( i = 0; i < input_len - 1; i++ )
887 bad |= input[i] * ( i >= pad_idx );
888
889 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
890 }
891 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
892
893 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
894 /*
895 * Zero padding: fill with 00 ... 00
896 */
add_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)897 static void add_zeros_padding( unsigned char *output,
898 size_t output_len, size_t data_len )
899 {
900 size_t i;
901
902 for( i = data_len; i < output_len; i++ )
903 output[i] = 0x00;
904 }
905
get_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)906 static int get_zeros_padding( unsigned char *input, size_t input_len,
907 size_t *data_len )
908 {
909 size_t i;
910 unsigned char done = 0, prev_done;
911
912 if( NULL == input || NULL == data_len )
913 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
914
915 *data_len = 0;
916 for( i = input_len; i > 0; i-- )
917 {
918 prev_done = done;
919 done |= ( input[i-1] != 0 );
920 *data_len |= i * ( done != prev_done );
921 }
922
923 return( 0 );
924 }
925 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
926
927 /*
928 * No padding: don't pad :)
929 *
930 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
931 * but a trivial get_padding function
932 */
get_no_padding(unsigned char * input,size_t input_len,size_t * data_len)933 static int get_no_padding( unsigned char *input, size_t input_len,
934 size_t *data_len )
935 {
936 if( NULL == input || NULL == data_len )
937 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
938
939 *data_len = input_len;
940
941 return( 0 );
942 }
943 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
944
mbedtls_cipher_finish(mbedtls_cipher_context_t * ctx,unsigned char * output,size_t * olen)945 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
946 unsigned char *output, size_t *olen )
947 {
948 CIPHER_VALIDATE_RET( ctx != NULL );
949 CIPHER_VALIDATE_RET( output != NULL );
950 CIPHER_VALIDATE_RET( olen != NULL );
951 if( ctx->cipher_info == NULL )
952 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
953
954 #if defined(MBEDTLS_USE_PSA_CRYPTO)
955 if( ctx->psa_enabled == 1 )
956 {
957 /* While PSA Crypto has an API for multipart
958 * operations, we currently don't make it
959 * accessible through the cipher layer. */
960 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
961 }
962 #endif /* MBEDTLS_USE_PSA_CRYPTO */
963
964 *olen = 0;
965
966 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
967 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
968 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
969 MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
970 MBEDTLS_MODE_CCM_STAR_NO_TAG == ctx->cipher_info->mode ||
971 MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
972 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
973 {
974 return( 0 );
975 }
976
977 if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
978 ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
979 {
980 return( 0 );
981 }
982
983 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
984 {
985 if( ctx->unprocessed_len != 0 )
986 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
987
988 return( 0 );
989 }
990
991 #if defined(MBEDTLS_CIPHER_MODE_CBC)
992 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
993 {
994 int ret = 0;
995
996 if( MBEDTLS_ENCRYPT == ctx->operation )
997 {
998 /* check for 'no padding' mode */
999 if( NULL == ctx->add_padding )
1000 {
1001 if( 0 != ctx->unprocessed_len )
1002 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
1003
1004 return( 0 );
1005 }
1006
1007 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
1008 ctx->unprocessed_len );
1009 }
1010 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
1011 {
1012 /*
1013 * For decrypt operations, expect a full block,
1014 * or an empty block if no padding
1015 */
1016 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
1017 return( 0 );
1018
1019 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
1020 }
1021
1022 /* cipher block */
1023 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
1024 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
1025 ctx->unprocessed_data, output ) ) )
1026 {
1027 return( ret );
1028 }
1029
1030 /* Set output size for decryption */
1031 if( MBEDTLS_DECRYPT == ctx->operation )
1032 return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
1033 olen ) );
1034
1035 /* Set output size for encryption */
1036 *olen = mbedtls_cipher_get_block_size( ctx );
1037 return( 0 );
1038 }
1039 #else
1040 ((void) output);
1041 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1042
1043 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1044 }
1045
1046 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t * ctx,mbedtls_cipher_padding_t mode)1047 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
1048 mbedtls_cipher_padding_t mode )
1049 {
1050 CIPHER_VALIDATE_RET( ctx != NULL );
1051
1052 if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
1053 {
1054 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1055 }
1056
1057 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1058 if( ctx->psa_enabled == 1 )
1059 {
1060 /* While PSA Crypto knows about CBC padding
1061 * schemes, we currently don't make them
1062 * accessible through the cipher layer. */
1063 if( mode != MBEDTLS_PADDING_NONE )
1064 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1065
1066 return( 0 );
1067 }
1068 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1069
1070 switch( mode )
1071 {
1072 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1073 case MBEDTLS_PADDING_PKCS7:
1074 ctx->add_padding = add_pkcs_padding;
1075 ctx->get_padding = get_pkcs_padding;
1076 break;
1077 #endif
1078 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1079 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1080 ctx->add_padding = add_one_and_zeros_padding;
1081 ctx->get_padding = get_one_and_zeros_padding;
1082 break;
1083 #endif
1084 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1085 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1086 ctx->add_padding = add_zeros_and_len_padding;
1087 ctx->get_padding = get_zeros_and_len_padding;
1088 break;
1089 #endif
1090 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1091 case MBEDTLS_PADDING_ZEROS:
1092 ctx->add_padding = add_zeros_padding;
1093 ctx->get_padding = get_zeros_padding;
1094 break;
1095 #endif
1096 case MBEDTLS_PADDING_NONE:
1097 ctx->add_padding = NULL;
1098 ctx->get_padding = get_no_padding;
1099 break;
1100
1101 default:
1102 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1103 }
1104
1105 return( 0 );
1106 }
1107 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1108
1109 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_write_tag(mbedtls_cipher_context_t * ctx,unsigned char * tag,size_t tag_len)1110 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
1111 unsigned char *tag, size_t tag_len )
1112 {
1113 CIPHER_VALIDATE_RET( ctx != NULL );
1114 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1115 if( ctx->cipher_info == NULL )
1116 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1117
1118 if( MBEDTLS_ENCRYPT != ctx->operation )
1119 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1120
1121 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1122 if( ctx->psa_enabled == 1 )
1123 {
1124 /* While PSA Crypto has an API for multipart
1125 * operations, we currently don't make it
1126 * accessible through the cipher layer. */
1127 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1128 }
1129 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1130
1131 #if defined(MBEDTLS_GCM_C)
1132 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1133 {
1134 size_t output_length;
1135 /* The code here doesn't yet support alternative implementations
1136 * that can delay up to a block of output. */
1137 return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
1138 NULL, 0, &output_length,
1139 tag, tag_len ) );
1140 }
1141 #endif
1142
1143 #if defined(MBEDTLS_CHACHAPOLY_C)
1144 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1145 {
1146 /* Don't allow truncated MAC for Poly1305 */
1147 if ( tag_len != 16U )
1148 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1149
1150 return( mbedtls_chachapoly_finish(
1151 (mbedtls_chachapoly_context*) ctx->cipher_ctx, tag ) );
1152 }
1153 #endif
1154
1155 return( 0 );
1156 }
1157
mbedtls_cipher_check_tag(mbedtls_cipher_context_t * ctx,const unsigned char * tag,size_t tag_len)1158 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
1159 const unsigned char *tag, size_t tag_len )
1160 {
1161 unsigned char check_tag[16];
1162 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1163
1164 CIPHER_VALIDATE_RET( ctx != NULL );
1165 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1166 if( ctx->cipher_info == NULL )
1167 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1168
1169 if( MBEDTLS_DECRYPT != ctx->operation )
1170 {
1171 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1172 }
1173
1174 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1175 if( ctx->psa_enabled == 1 )
1176 {
1177 /* While PSA Crypto has an API for multipart
1178 * operations, we currently don't make it
1179 * accessible through the cipher layer. */
1180 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1181 }
1182 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1183
1184 /* Status to return on a non-authenticated algorithm. It would make sense
1185 * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps
1186 * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our
1187 * unit tests assume 0. */
1188 ret = 0;
1189
1190 #if defined(MBEDTLS_GCM_C)
1191 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1192 {
1193 size_t output_length;
1194 /* The code here doesn't yet support alternative implementations
1195 * that can delay up to a block of output. */
1196
1197 if( tag_len > sizeof( check_tag ) )
1198 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1199
1200 if( 0 != ( ret = mbedtls_gcm_finish(
1201 (mbedtls_gcm_context *) ctx->cipher_ctx,
1202 NULL, 0, &output_length,
1203 check_tag, tag_len ) ) )
1204 {
1205 return( ret );
1206 }
1207
1208 /* Check the tag in "constant-time" */
1209 if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
1210 {
1211 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1212 goto exit;
1213 }
1214 }
1215 #endif /* MBEDTLS_GCM_C */
1216
1217 #if defined(MBEDTLS_CHACHAPOLY_C)
1218 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1219 {
1220 /* Don't allow truncated MAC for Poly1305 */
1221 if ( tag_len != sizeof( check_tag ) )
1222 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1223
1224 ret = mbedtls_chachapoly_finish(
1225 (mbedtls_chachapoly_context*) ctx->cipher_ctx, check_tag );
1226 if ( ret != 0 )
1227 {
1228 return( ret );
1229 }
1230
1231 /* Check the tag in "constant-time" */
1232 if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
1233 {
1234 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1235 goto exit;
1236 }
1237 }
1238 #endif /* MBEDTLS_CHACHAPOLY_C */
1239
1240 exit:
1241 mbedtls_platform_zeroize( check_tag, tag_len );
1242 return( ret );
1243 }
1244 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1245
1246 /*
1247 * Packet-oriented wrapper for non-AEAD modes
1248 */
mbedtls_cipher_crypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)1249 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
1250 const unsigned char *iv, size_t iv_len,
1251 const unsigned char *input, size_t ilen,
1252 unsigned char *output, size_t *olen )
1253 {
1254 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1255 size_t finish_olen;
1256
1257 CIPHER_VALIDATE_RET( ctx != NULL );
1258 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1259 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1260 CIPHER_VALIDATE_RET( output != NULL );
1261 CIPHER_VALIDATE_RET( olen != NULL );
1262
1263 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1264 if( ctx->psa_enabled == 1 )
1265 {
1266 /* As in the non-PSA case, we don't check that
1267 * a key has been set. If not, the key slot will
1268 * still be in its default state of 0, which is
1269 * guaranteed to be invalid, hence the PSA-call
1270 * below will gracefully fail. */
1271 mbedtls_cipher_context_psa * const cipher_psa =
1272 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1273
1274 psa_status_t status;
1275 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1276 size_t part_len;
1277
1278 if( ctx->operation == MBEDTLS_DECRYPT )
1279 {
1280 status = psa_cipher_decrypt_setup( &cipher_op,
1281 cipher_psa->slot,
1282 cipher_psa->alg );
1283 }
1284 else if( ctx->operation == MBEDTLS_ENCRYPT )
1285 {
1286 status = psa_cipher_encrypt_setup( &cipher_op,
1287 cipher_psa->slot,
1288 cipher_psa->alg );
1289 }
1290 else
1291 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1292
1293 /* In the following, we can immediately return on an error,
1294 * because the PSA Crypto API guarantees that cipher operations
1295 * are terminated by unsuccessful calls to psa_cipher_update(),
1296 * and by any call to psa_cipher_finish(). */
1297 if( status != PSA_SUCCESS )
1298 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1299
1300 if( ctx->cipher_info->mode != MBEDTLS_MODE_ECB )
1301 {
1302 status = psa_cipher_set_iv( &cipher_op, iv, iv_len );
1303 if( status != PSA_SUCCESS )
1304 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1305 }
1306
1307 status = psa_cipher_update( &cipher_op,
1308 input, ilen,
1309 output, ilen, olen );
1310 if( status != PSA_SUCCESS )
1311 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1312
1313 status = psa_cipher_finish( &cipher_op,
1314 output + *olen, ilen - *olen,
1315 &part_len );
1316 if( status != PSA_SUCCESS )
1317 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1318
1319 *olen += part_len;
1320 return( 0 );
1321 }
1322 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1323
1324 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
1325 return( ret );
1326
1327 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
1328 return( ret );
1329
1330 if( ( ret = mbedtls_cipher_update( ctx, input, ilen,
1331 output, olen ) ) != 0 )
1332 return( ret );
1333
1334 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen,
1335 &finish_olen ) ) != 0 )
1336 return( ret );
1337
1338 *olen += finish_olen;
1339
1340 return( 0 );
1341 }
1342
1343 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1344 /*
1345 * Packet-oriented encryption for AEAD modes: internal function used by
1346 * mbedtls_cipher_auth_encrypt_ext().
1347 */
mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1348 static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx,
1349 const unsigned char *iv, size_t iv_len,
1350 const unsigned char *ad, size_t ad_len,
1351 const unsigned char *input, size_t ilen,
1352 unsigned char *output, size_t *olen,
1353 unsigned char *tag, size_t tag_len )
1354 {
1355 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1356 if( ctx->psa_enabled == 1 )
1357 {
1358 /* As in the non-PSA case, we don't check that
1359 * a key has been set. If not, the key slot will
1360 * still be in its default state of 0, which is
1361 * guaranteed to be invalid, hence the PSA-call
1362 * below will gracefully fail. */
1363 mbedtls_cipher_context_psa * const cipher_psa =
1364 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1365
1366 psa_status_t status;
1367
1368 /* PSA Crypto API always writes the authentication tag
1369 * at the end of the encrypted message. */
1370 if( output == NULL || tag != output + ilen )
1371 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1372
1373 status = psa_aead_encrypt( cipher_psa->slot,
1374 cipher_psa->alg,
1375 iv, iv_len,
1376 ad, ad_len,
1377 input, ilen,
1378 output, ilen + tag_len, olen );
1379 if( status != PSA_SUCCESS )
1380 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1381
1382 *olen -= tag_len;
1383 return( 0 );
1384 }
1385 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1386
1387 #if defined(MBEDTLS_GCM_C)
1388 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1389 {
1390 *olen = ilen;
1391 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1392 ilen, iv, iv_len, ad, ad_len,
1393 input, output, tag_len, tag ) );
1394 }
1395 #endif /* MBEDTLS_GCM_C */
1396 #if defined(MBEDTLS_CCM_C)
1397 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1398 {
1399 *olen = ilen;
1400 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
1401 iv, iv_len, ad, ad_len, input, output,
1402 tag, tag_len ) );
1403 }
1404 #endif /* MBEDTLS_CCM_C */
1405 #if defined(MBEDTLS_CHACHAPOLY_C)
1406 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1407 {
1408 /* ChachaPoly has fixed length nonce and MAC (tag) */
1409 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1410 ( tag_len != 16U ) )
1411 {
1412 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1413 }
1414
1415 *olen = ilen;
1416 return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
1417 ilen, iv, ad, ad_len, input, output, tag ) );
1418 }
1419 #endif /* MBEDTLS_CHACHAPOLY_C */
1420
1421 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1422 }
1423
1424 /*
1425 * Packet-oriented encryption for AEAD modes: internal function used by
1426 * mbedtls_cipher_auth_encrypt_ext().
1427 */
mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1428 static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx,
1429 const unsigned char *iv, size_t iv_len,
1430 const unsigned char *ad, size_t ad_len,
1431 const unsigned char *input, size_t ilen,
1432 unsigned char *output, size_t *olen,
1433 const unsigned char *tag, size_t tag_len )
1434 {
1435 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1436 if( ctx->psa_enabled == 1 )
1437 {
1438 /* As in the non-PSA case, we don't check that
1439 * a key has been set. If not, the key slot will
1440 * still be in its default state of 0, which is
1441 * guaranteed to be invalid, hence the PSA-call
1442 * below will gracefully fail. */
1443 mbedtls_cipher_context_psa * const cipher_psa =
1444 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1445
1446 psa_status_t status;
1447
1448 /* PSA Crypto API always writes the authentication tag
1449 * at the end of the encrypted message. */
1450 if( input == NULL || tag != input + ilen )
1451 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1452
1453 status = psa_aead_decrypt( cipher_psa->slot,
1454 cipher_psa->alg,
1455 iv, iv_len,
1456 ad, ad_len,
1457 input, ilen + tag_len,
1458 output, ilen, olen );
1459 if( status == PSA_ERROR_INVALID_SIGNATURE )
1460 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1461 else if( status != PSA_SUCCESS )
1462 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1463
1464 return( 0 );
1465 }
1466 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1467
1468 #if defined(MBEDTLS_GCM_C)
1469 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1470 {
1471 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1472
1473 *olen = ilen;
1474 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
1475 iv, iv_len, ad, ad_len,
1476 tag, tag_len, input, output );
1477
1478 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
1479 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1480
1481 return( ret );
1482 }
1483 #endif /* MBEDTLS_GCM_C */
1484 #if defined(MBEDTLS_CCM_C)
1485 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1486 {
1487 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1488
1489 *olen = ilen;
1490 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
1491 iv, iv_len, ad, ad_len,
1492 input, output, tag, tag_len );
1493
1494 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
1495 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1496
1497 return( ret );
1498 }
1499 #endif /* MBEDTLS_CCM_C */
1500 #if defined(MBEDTLS_CHACHAPOLY_C)
1501 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1502 {
1503 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1504
1505 /* ChachaPoly has fixed length nonce and MAC (tag) */
1506 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1507 ( tag_len != 16U ) )
1508 {
1509 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1510 }
1511
1512 *olen = ilen;
1513 ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
1514 iv, ad, ad_len, tag, input, output );
1515
1516 if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
1517 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1518
1519 return( ret );
1520 }
1521 #endif /* MBEDTLS_CHACHAPOLY_C */
1522
1523 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1524 }
1525 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1526
1527 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1528 /*
1529 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1530 */
mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1531 int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
1532 const unsigned char *iv, size_t iv_len,
1533 const unsigned char *ad, size_t ad_len,
1534 const unsigned char *input, size_t ilen,
1535 unsigned char *output, size_t output_len,
1536 size_t *olen, size_t tag_len )
1537 {
1538 CIPHER_VALIDATE_RET( ctx != NULL );
1539 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1540 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1541 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1542 CIPHER_VALIDATE_RET( output != NULL );
1543 CIPHER_VALIDATE_RET( olen != NULL );
1544
1545 #if defined(MBEDTLS_NIST_KW_C)
1546 if(
1547 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1548 ctx->psa_enabled == 0 &&
1549 #endif
1550 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1551 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
1552 {
1553 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1554 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1555
1556 /* There is no iv, tag or ad associated with KW and KWP,
1557 * so these length should be 0 as documented. */
1558 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1559 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1560
1561 (void) iv;
1562 (void) ad;
1563
1564 return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen,
1565 output, olen, output_len ) );
1566 }
1567 #endif /* MBEDTLS_NIST_KW_C */
1568
1569 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1570 /* AEAD case: check length before passing on to shared function */
1571 if( output_len < ilen + tag_len )
1572 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1573
1574 int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
1575 input, ilen, output, olen,
1576 output + ilen, tag_len );
1577 *olen += tag_len;
1578 return( ret );
1579 #else
1580 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1581 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1582 }
1583
1584 /*
1585 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1586 */
mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1587 int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
1588 const unsigned char *iv, size_t iv_len,
1589 const unsigned char *ad, size_t ad_len,
1590 const unsigned char *input, size_t ilen,
1591 unsigned char *output, size_t output_len,
1592 size_t *olen, size_t tag_len )
1593 {
1594 CIPHER_VALIDATE_RET( ctx != NULL );
1595 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1596 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1597 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1598 CIPHER_VALIDATE_RET( output_len == 0 || output != NULL );
1599 CIPHER_VALIDATE_RET( olen != NULL );
1600
1601 #if defined(MBEDTLS_NIST_KW_C)
1602 if(
1603 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1604 ctx->psa_enabled == 0 &&
1605 #endif
1606 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1607 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
1608 {
1609 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1610 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1611
1612 /* There is no iv, tag or ad associated with KW and KWP,
1613 * so these length should be 0 as documented. */
1614 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1615 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1616
1617 (void) iv;
1618 (void) ad;
1619
1620 return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen,
1621 output, olen, output_len ) );
1622 }
1623 #endif /* MBEDTLS_NIST_KW_C */
1624
1625 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1626 /* AEAD case: check length before passing on to shared function */
1627 if( ilen < tag_len || output_len < ilen - tag_len )
1628 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1629
1630 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
1631 input, ilen - tag_len, output, olen,
1632 input + ilen - tag_len, tag_len ) );
1633 #else
1634 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1635 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1636 }
1637 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1638
1639 #endif /* MBEDTLS_CIPHER_C */
1640