1 /**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for Mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 */
11
12 #include "common.h"
13
14 #if defined(MBEDTLS_CIPHER_C)
15
16 #include "mbedtls/cipher.h"
17 #include "mbedtls/cipher_internal.h"
18 #include "mbedtls/platform_util.h"
19 #include "mbedtls/error.h"
20 #include "mbedtls/constant_time.h"
21 #include "constant_time_internal.h"
22
23 #include <stdlib.h>
24 #include <string.h>
25
26 #if defined(MBEDTLS_CHACHAPOLY_C)
27 #include "mbedtls/chachapoly.h"
28 #endif
29
30 #if defined(MBEDTLS_GCM_C)
31 #include "mbedtls/gcm.h"
32 #endif
33
34 #if defined(MBEDTLS_CCM_C)
35 #include "mbedtls/ccm.h"
36 #endif
37
38 #if defined(MBEDTLS_CHACHA20_C)
39 #include "mbedtls/chacha20.h"
40 #endif
41
42 #if defined(MBEDTLS_CMAC_C)
43 #include "mbedtls/cmac.h"
44 #endif
45
46 #if defined(MBEDTLS_USE_PSA_CRYPTO)
47 #include "psa/crypto.h"
48 #include "mbedtls/psa_util.h"
49 #endif /* MBEDTLS_USE_PSA_CRYPTO */
50
51 #if defined(MBEDTLS_NIST_KW_C)
52 #include "mbedtls/nist_kw.h"
53 #endif
54
55 #include "mbedtls/platform.h"
56
57 #define CIPHER_VALIDATE_RET(cond) \
58 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA)
59 #define CIPHER_VALIDATE(cond) \
60 MBEDTLS_INTERNAL_VALIDATE(cond)
61
62 static int supported_init = 0;
63
mbedtls_cipher_list(void)64 const int *mbedtls_cipher_list(void)
65 {
66 const mbedtls_cipher_definition_t *def;
67 int *type;
68
69 if (!supported_init) {
70 def = mbedtls_cipher_definitions;
71 type = mbedtls_cipher_supported;
72
73 while (def->type != 0) {
74 *type++ = (*def++).type;
75 }
76
77 *type = 0;
78
79 supported_init = 1;
80 }
81
82 return mbedtls_cipher_supported;
83 }
84
mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)85 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
86 const mbedtls_cipher_type_t cipher_type)
87 {
88 const mbedtls_cipher_definition_t *def;
89
90 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
91 if (def->type == cipher_type) {
92 return def->info;
93 }
94 }
95
96 return NULL;
97 }
98
mbedtls_cipher_info_from_string(const char * cipher_name)99 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
100 const char *cipher_name)
101 {
102 const mbedtls_cipher_definition_t *def;
103
104 if (NULL == cipher_name) {
105 return NULL;
106 }
107
108 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
109 if (!strcmp(def->info->name, cipher_name)) {
110 return def->info;
111 }
112 }
113
114 return NULL;
115 }
116
mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,int key_bitlen,const mbedtls_cipher_mode_t mode)117 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
118 const mbedtls_cipher_id_t cipher_id,
119 int key_bitlen,
120 const mbedtls_cipher_mode_t mode)
121 {
122 const mbedtls_cipher_definition_t *def;
123
124 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
125 if (def->info->base->cipher == cipher_id &&
126 def->info->key_bitlen == (unsigned) key_bitlen &&
127 def->info->mode == mode) {
128 return def->info;
129 }
130 }
131
132 return NULL;
133 }
134
mbedtls_cipher_init(mbedtls_cipher_context_t * ctx)135 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
136 {
137 CIPHER_VALIDATE(ctx != NULL);
138 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
139 }
140
mbedtls_cipher_free(mbedtls_cipher_context_t * ctx)141 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
142 {
143 if (ctx == NULL) {
144 return;
145 }
146
147 #if defined(MBEDTLS_USE_PSA_CRYPTO)
148 if (ctx->psa_enabled == 1) {
149 if (ctx->cipher_ctx != NULL) {
150 mbedtls_cipher_context_psa * const cipher_psa =
151 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
152
153 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
154 /* xxx_free() doesn't allow to return failures. */
155 (void) psa_destroy_key(cipher_psa->slot);
156 }
157
158 mbedtls_platform_zeroize(cipher_psa, sizeof(*cipher_psa));
159 mbedtls_free(cipher_psa);
160 }
161
162 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
163 return;
164 }
165 #endif /* MBEDTLS_USE_PSA_CRYPTO */
166
167 #if defined(MBEDTLS_CMAC_C)
168 if (ctx->cmac_ctx) {
169 mbedtls_platform_zeroize(ctx->cmac_ctx,
170 sizeof(mbedtls_cmac_context_t));
171 mbedtls_free(ctx->cmac_ctx);
172 }
173 #endif
174
175 if (ctx->cipher_ctx) {
176 ctx->cipher_info->base->ctx_free_func(ctx->cipher_ctx);
177 }
178
179 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
180 }
181
mbedtls_cipher_setup(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)182 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
183 const mbedtls_cipher_info_t *cipher_info)
184 {
185 CIPHER_VALIDATE_RET(ctx != NULL);
186 if (cipher_info == NULL) {
187 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
188 }
189
190 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
191
192 if (NULL == (ctx->cipher_ctx = cipher_info->base->ctx_alloc_func())) {
193 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
194 }
195
196 ctx->cipher_info = cipher_info;
197
198 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
199 /*
200 * Ignore possible errors caused by a cipher mode that doesn't use padding
201 */
202 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
203 (void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_PKCS7);
204 #else
205 (void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_NONE);
206 #endif
207 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
208
209 return 0;
210 }
211
212 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_cipher_setup_psa(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info,size_t taglen)213 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
214 const mbedtls_cipher_info_t *cipher_info,
215 size_t taglen)
216 {
217 psa_algorithm_t alg;
218 mbedtls_cipher_context_psa *cipher_psa;
219
220 if (NULL == cipher_info || NULL == ctx) {
221 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
222 }
223
224 /* Check that the underlying cipher mode and cipher type are
225 * supported by the underlying PSA Crypto implementation. */
226 alg = mbedtls_psa_translate_cipher_mode(cipher_info->mode, taglen);
227 if (alg == 0) {
228 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
229 }
230 if (mbedtls_psa_translate_cipher_type(cipher_info->type) == 0) {
231 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
232 }
233
234 memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
235
236 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
237 if (cipher_psa == NULL) {
238 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
239 }
240 cipher_psa->alg = alg;
241 ctx->cipher_ctx = cipher_psa;
242 ctx->cipher_info = cipher_info;
243 ctx->psa_enabled = 1;
244 return 0;
245 }
246 #endif /* MBEDTLS_USE_PSA_CRYPTO */
247
mbedtls_cipher_setkey(mbedtls_cipher_context_t * ctx,const unsigned char * key,int key_bitlen,const mbedtls_operation_t operation)248 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
249 const unsigned char *key,
250 int key_bitlen,
251 const mbedtls_operation_t operation)
252 {
253 CIPHER_VALIDATE_RET(ctx != NULL);
254 CIPHER_VALIDATE_RET(key != NULL);
255 CIPHER_VALIDATE_RET(operation == MBEDTLS_ENCRYPT ||
256 operation == MBEDTLS_DECRYPT);
257 if (ctx->cipher_info == NULL) {
258 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
259 }
260
261 #if defined(MBEDTLS_USE_PSA_CRYPTO)
262 if (ctx->psa_enabled == 1) {
263 mbedtls_cipher_context_psa * const cipher_psa =
264 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
265
266 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
267
268 psa_status_t status;
269 psa_key_type_t key_type;
270 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
271
272 /* PSA Crypto API only accepts byte-aligned keys. */
273 if (key_bitlen % 8 != 0) {
274 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
275 }
276
277 /* Don't allow keys to be set multiple times. */
278 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {
279 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
280 }
281
282 key_type = mbedtls_psa_translate_cipher_type(
283 ctx->cipher_info->type);
284 if (key_type == 0) {
285 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
286 }
287 psa_set_key_type(&attributes, key_type);
288
289 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
290 * (encrypt vs. decrypt): it is possible to setup a key for encryption
291 * and use it for AEAD decryption. Until tests relying on this
292 * are changed, allow any usage in PSA. */
293 psa_set_key_usage_flags(&attributes,
294 /* mbedtls_psa_translate_cipher_operation( operation ); */
295 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
296 psa_set_key_algorithm(&attributes, cipher_psa->alg);
297
298 status = psa_import_key(&attributes, key, key_bytelen,
299 &cipher_psa->slot);
300 switch (status) {
301 case PSA_SUCCESS:
302 break;
303 case PSA_ERROR_INSUFFICIENT_MEMORY:
304 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
305 case PSA_ERROR_NOT_SUPPORTED:
306 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
307 default:
308 return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
309 }
310 /* Indicate that we own the key slot and need to
311 * destroy it in mbedtls_cipher_free(). */
312 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
313
314 ctx->key_bitlen = key_bitlen;
315 ctx->operation = operation;
316 return 0;
317 }
318 #endif /* MBEDTLS_USE_PSA_CRYPTO */
319
320 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
321 (int) ctx->cipher_info->key_bitlen != key_bitlen) {
322 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
323 }
324
325 ctx->key_bitlen = key_bitlen;
326 ctx->operation = operation;
327
328 /*
329 * For OFB, CFB and CTR mode always use the encryption key schedule
330 */
331 if (MBEDTLS_ENCRYPT == operation ||
332 MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
333 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
334 MBEDTLS_MODE_CTR == ctx->cipher_info->mode) {
335 return ctx->cipher_info->base->setkey_enc_func(ctx->cipher_ctx, key,
336 ctx->key_bitlen);
337 }
338
339 if (MBEDTLS_DECRYPT == operation) {
340 return ctx->cipher_info->base->setkey_dec_func(ctx->cipher_ctx, key,
341 ctx->key_bitlen);
342 }
343
344 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
345 }
346
mbedtls_cipher_set_iv(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len)347 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
348 const unsigned char *iv,
349 size_t iv_len)
350 {
351 size_t actual_iv_size;
352
353 CIPHER_VALIDATE_RET(ctx != NULL);
354 CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
355 if (ctx->cipher_info == NULL) {
356 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
357 }
358 #if defined(MBEDTLS_USE_PSA_CRYPTO)
359 if (ctx->psa_enabled == 1) {
360 /* While PSA Crypto has an API for multipart
361 * operations, we currently don't make it
362 * accessible through the cipher layer. */
363 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
364 }
365 #endif /* MBEDTLS_USE_PSA_CRYPTO */
366
367 /* avoid buffer overflow in ctx->iv */
368 if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
369 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
370 }
371
372 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
373 actual_iv_size = iv_len;
374 } else {
375 actual_iv_size = ctx->cipher_info->iv_size;
376
377 /* avoid reading past the end of input buffer */
378 if (actual_iv_size > iv_len) {
379 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
380 }
381 }
382
383 #if defined(MBEDTLS_CHACHA20_C)
384 if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20) {
385 /* Even though the actual_iv_size is overwritten with a correct value
386 * of 12 from the cipher info, return an error to indicate that
387 * the input iv_len is wrong. */
388 if (iv_len != 12) {
389 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
390 }
391
392 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,
393 iv,
394 0U)) { /* Initial counter value */
395 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
396 }
397 }
398 #if defined(MBEDTLS_CHACHAPOLY_C)
399 if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
400 iv_len != 12) {
401 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
402 }
403 #endif
404 #endif
405
406 if (actual_iv_size != 0) {
407 memcpy(ctx->iv, iv, actual_iv_size);
408 ctx->iv_size = actual_iv_size;
409 }
410
411 return 0;
412 }
413
mbedtls_cipher_reset(mbedtls_cipher_context_t * ctx)414 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
415 {
416 CIPHER_VALIDATE_RET(ctx != NULL);
417 if (ctx->cipher_info == NULL) {
418 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
419 }
420
421 #if defined(MBEDTLS_USE_PSA_CRYPTO)
422 if (ctx->psa_enabled == 1) {
423 /* We don't support resetting PSA-based
424 * cipher contexts, yet. */
425 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
426 }
427 #endif /* MBEDTLS_USE_PSA_CRYPTO */
428
429 ctx->unprocessed_len = 0;
430
431 return 0;
432 }
433
434 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_update_ad(mbedtls_cipher_context_t * ctx,const unsigned char * ad,size_t ad_len)435 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
436 const unsigned char *ad, size_t ad_len)
437 {
438 CIPHER_VALIDATE_RET(ctx != NULL);
439 CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
440 if (ctx->cipher_info == NULL) {
441 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
442 }
443
444 #if defined(MBEDTLS_USE_PSA_CRYPTO)
445 if (ctx->psa_enabled == 1) {
446 /* While PSA Crypto has an API for multipart
447 * operations, we currently don't make it
448 * accessible through the cipher layer. */
449 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
450 }
451 #endif /* MBEDTLS_USE_PSA_CRYPTO */
452
453 #if defined(MBEDTLS_GCM_C)
454 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
455 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
456 ctx->iv, ctx->iv_size, ad, ad_len);
457 }
458 #endif
459
460 #if defined(MBEDTLS_CHACHAPOLY_C)
461 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
462 int result;
463 mbedtls_chachapoly_mode_t mode;
464
465 mode = (ctx->operation == MBEDTLS_ENCRYPT)
466 ? MBEDTLS_CHACHAPOLY_ENCRYPT
467 : MBEDTLS_CHACHAPOLY_DECRYPT;
468
469 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx,
470 ctx->iv,
471 mode);
472 if (result != 0) {
473 return result;
474 }
475
476 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
477 ad, ad_len);
478 }
479 #endif
480
481 return 0;
482 }
483 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
484
mbedtls_cipher_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)485 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
486 size_t ilen, unsigned char *output, size_t *olen)
487 {
488 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
489 size_t block_size;
490
491 CIPHER_VALIDATE_RET(ctx != NULL);
492 CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
493 CIPHER_VALIDATE_RET(output != NULL);
494 CIPHER_VALIDATE_RET(olen != NULL);
495 if (ctx->cipher_info == NULL) {
496 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
497 }
498
499 #if defined(MBEDTLS_USE_PSA_CRYPTO)
500 if (ctx->psa_enabled == 1) {
501 /* While PSA Crypto has an API for multipart
502 * operations, we currently don't make it
503 * accessible through the cipher layer. */
504 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
505 }
506 #endif /* MBEDTLS_USE_PSA_CRYPTO */
507
508 *olen = 0;
509 block_size = mbedtls_cipher_get_block_size(ctx);
510 if (0 == block_size) {
511 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
512 }
513
514 if (ctx->cipher_info->mode == MBEDTLS_MODE_ECB) {
515 if (ilen != block_size) {
516 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
517 }
518
519 *olen = ilen;
520
521 if (0 != (ret = ctx->cipher_info->base->ecb_func(ctx->cipher_ctx,
522 ctx->operation, input, output))) {
523 return ret;
524 }
525
526 return 0;
527 }
528
529 #if defined(MBEDTLS_GCM_C)
530 if (ctx->cipher_info->mode == MBEDTLS_MODE_GCM) {
531 *olen = ilen;
532 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
533 output);
534 }
535 #endif
536
537 #if defined(MBEDTLS_CHACHAPOLY_C)
538 if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
539 *olen = ilen;
540 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
541 ilen, input, output);
542 }
543 #endif
544
545 if (input == output &&
546 (ctx->unprocessed_len != 0 || ilen % block_size)) {
547 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
548 }
549
550 #if defined(MBEDTLS_CIPHER_MODE_CBC)
551 if (ctx->cipher_info->mode == MBEDTLS_MODE_CBC) {
552 size_t copy_len = 0;
553
554 /*
555 * If there is not enough data for a full block, cache it.
556 */
557 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
558 ilen <= block_size - ctx->unprocessed_len) ||
559 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
560 ilen < block_size - ctx->unprocessed_len) ||
561 (ctx->operation == MBEDTLS_ENCRYPT &&
562 ilen < block_size - ctx->unprocessed_len)) {
563 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
564 ilen);
565
566 ctx->unprocessed_len += ilen;
567 return 0;
568 }
569
570 /*
571 * Process cached data first
572 */
573 if (0 != ctx->unprocessed_len) {
574 copy_len = block_size - ctx->unprocessed_len;
575
576 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
577 copy_len);
578
579 if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx,
580 ctx->operation, block_size, ctx->iv,
581 ctx->unprocessed_data, output))) {
582 return ret;
583 }
584
585 *olen += block_size;
586 output += block_size;
587 ctx->unprocessed_len = 0;
588
589 input += copy_len;
590 ilen -= copy_len;
591 }
592
593 /*
594 * Cache final, incomplete block
595 */
596 if (0 != ilen) {
597 /* Encryption: only cache partial blocks
598 * Decryption w/ padding: always keep at least one whole block
599 * Decryption w/o padding: only cache partial blocks
600 */
601 copy_len = ilen % block_size;
602 if (copy_len == 0 &&
603 ctx->operation == MBEDTLS_DECRYPT &&
604 NULL != ctx->add_padding) {
605 copy_len = block_size;
606 }
607
608 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),
609 copy_len);
610
611 ctx->unprocessed_len += copy_len;
612 ilen -= copy_len;
613 }
614
615 /*
616 * Process remaining full blocks
617 */
618 if (ilen) {
619 if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx,
620 ctx->operation, ilen, ctx->iv, input,
621 output))) {
622 return ret;
623 }
624
625 *olen += ilen;
626 }
627
628 return 0;
629 }
630 #endif /* MBEDTLS_CIPHER_MODE_CBC */
631
632 #if defined(MBEDTLS_CIPHER_MODE_CFB)
633 if (ctx->cipher_info->mode == MBEDTLS_MODE_CFB) {
634 if (0 != (ret = ctx->cipher_info->base->cfb_func(ctx->cipher_ctx,
635 ctx->operation, ilen,
636 &ctx->unprocessed_len, ctx->iv,
637 input, output))) {
638 return ret;
639 }
640
641 *olen = ilen;
642
643 return 0;
644 }
645 #endif /* MBEDTLS_CIPHER_MODE_CFB */
646
647 #if defined(MBEDTLS_CIPHER_MODE_OFB)
648 if (ctx->cipher_info->mode == MBEDTLS_MODE_OFB) {
649 if (0 != (ret = ctx->cipher_info->base->ofb_func(ctx->cipher_ctx,
650 ilen, &ctx->unprocessed_len, ctx->iv,
651 input, output))) {
652 return ret;
653 }
654
655 *olen = ilen;
656
657 return 0;
658 }
659 #endif /* MBEDTLS_CIPHER_MODE_OFB */
660
661 #if defined(MBEDTLS_CIPHER_MODE_CTR)
662 if (ctx->cipher_info->mode == MBEDTLS_MODE_CTR) {
663 if (0 != (ret = ctx->cipher_info->base->ctr_func(ctx->cipher_ctx,
664 ilen, &ctx->unprocessed_len, ctx->iv,
665 ctx->unprocessed_data, input, output))) {
666 return ret;
667 }
668
669 *olen = ilen;
670
671 return 0;
672 }
673 #endif /* MBEDTLS_CIPHER_MODE_CTR */
674
675 #if defined(MBEDTLS_CIPHER_MODE_XTS)
676 if (ctx->cipher_info->mode == MBEDTLS_MODE_XTS) {
677 if (ctx->unprocessed_len > 0) {
678 /* We can only process an entire data unit at a time. */
679 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
680 }
681
682 ret = ctx->cipher_info->base->xts_func(ctx->cipher_ctx,
683 ctx->operation, ilen, ctx->iv, input, output);
684 if (ret != 0) {
685 return ret;
686 }
687
688 *olen = ilen;
689
690 return 0;
691 }
692 #endif /* MBEDTLS_CIPHER_MODE_XTS */
693
694 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
695 if (ctx->cipher_info->mode == MBEDTLS_MODE_STREAM) {
696 if (0 != (ret = ctx->cipher_info->base->stream_func(ctx->cipher_ctx,
697 ilen, input, output))) {
698 return ret;
699 }
700
701 *olen = ilen;
702
703 return 0;
704 }
705 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
706
707 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
708 }
709
710 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
711 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
712 /*
713 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
714 */
add_pkcs_padding(unsigned char * output,size_t output_len,size_t data_len)715 static void add_pkcs_padding(unsigned char *output, size_t output_len,
716 size_t data_len)
717 {
718 size_t padding_len = output_len - data_len;
719 unsigned char i;
720
721 for (i = 0; i < padding_len; i++) {
722 output[data_len + i] = (unsigned char) padding_len;
723 }
724 }
725
get_pkcs_padding(unsigned char * input,size_t input_len,size_t * data_len)726 static int get_pkcs_padding(unsigned char *input, size_t input_len,
727 size_t *data_len)
728 {
729 size_t i, pad_idx;
730 unsigned char padding_len, bad = 0;
731
732 if (NULL == input || NULL == data_len) {
733 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
734 }
735
736 padding_len = input[input_len - 1];
737 *data_len = input_len - padding_len;
738
739 /* Avoid logical || since it results in a branch */
740 bad |= ~mbedtls_ct_size_mask_ge(input_len, padding_len);
741 bad |= mbedtls_ct_size_bool_eq(padding_len, 0);
742
743 /* The number of bytes checked must be independent of padding_len,
744 * so pick input_len, which is usually 8 or 16 (one block) */
745 pad_idx = input_len - padding_len;
746 for (i = 0; i < input_len; i++) {
747 size_t mask = mbedtls_ct_size_mask_ge(i, pad_idx);
748 bad |= (input[i] ^ padding_len) & mask;
749 }
750 return -(int) mbedtls_ct_uint_if(bad, -MBEDTLS_ERR_CIPHER_INVALID_PADDING, 0);
751 }
752 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
753
754 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
755 /*
756 * One and zeros padding: fill with 80 00 ... 00
757 */
add_one_and_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)758 static void add_one_and_zeros_padding(unsigned char *output,
759 size_t output_len, size_t data_len)
760 {
761 size_t padding_len = output_len - data_len;
762 unsigned char i = 0;
763
764 output[data_len] = 0x80;
765 for (i = 1; i < padding_len; i++) {
766 output[data_len + i] = 0x00;
767 }
768 }
769
get_one_and_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)770 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
771 size_t *data_len)
772 {
773 unsigned int bad = 1;
774
775 if (NULL == input || NULL == data_len) {
776 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
777 }
778
779 *data_len = 0;
780 size_t in_padding = ~0;
781
782 for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
783 size_t is_nonzero = mbedtls_ct_uint_mask(input[i]);
784
785 size_t hit_first_nonzero = is_nonzero & in_padding;
786
787 *data_len = (*data_len & ~hit_first_nonzero) | ((size_t) i & hit_first_nonzero);
788
789 bad = mbedtls_ct_uint_if((unsigned int) hit_first_nonzero,
790 !mbedtls_ct_size_bool_eq(input[i], 0x80), bad);
791
792 in_padding = in_padding & ~is_nonzero;
793 }
794
795 return -(int) mbedtls_ct_uint_if(bad, -MBEDTLS_ERR_CIPHER_INVALID_PADDING, 0);
796 }
797 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
798
799 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
800 /*
801 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
802 */
add_zeros_and_len_padding(unsigned char * output,size_t output_len,size_t data_len)803 static void add_zeros_and_len_padding(unsigned char *output,
804 size_t output_len, size_t data_len)
805 {
806 size_t padding_len = output_len - data_len;
807 unsigned char i = 0;
808
809 for (i = 1; i < padding_len; i++) {
810 output[data_len + i - 1] = 0x00;
811 }
812 output[output_len - 1] = (unsigned char) padding_len;
813 }
814
get_zeros_and_len_padding(unsigned char * input,size_t input_len,size_t * data_len)815 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
816 size_t *data_len)
817 {
818 size_t i, pad_idx;
819 unsigned char padding_len, bad = 0;
820
821 if (NULL == input || NULL == data_len) {
822 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
823 }
824
825 padding_len = input[input_len - 1];
826 *data_len = input_len - padding_len;
827
828 /* Avoid logical || since it results in a branch */
829 bad |= mbedtls_ct_size_mask_ge(padding_len, input_len + 1);
830 bad |= mbedtls_ct_size_bool_eq(padding_len, 0);
831
832 /* The number of bytes checked must be independent of padding_len */
833 pad_idx = input_len - padding_len;
834 for (i = 0; i < input_len - 1; i++) {
835 size_t mask = mbedtls_ct_size_mask_ge(i, pad_idx);
836 bad |= input[i] & mask;
837 }
838
839 return -(int) mbedtls_ct_uint_if(bad, -MBEDTLS_ERR_CIPHER_INVALID_PADDING, 0);
840 }
841 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
842
843 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
844 /*
845 * Zero padding: fill with 00 ... 00
846 */
add_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)847 static void add_zeros_padding(unsigned char *output,
848 size_t output_len, size_t data_len)
849 {
850 size_t i;
851
852 for (i = data_len; i < output_len; i++) {
853 output[i] = 0x00;
854 }
855 }
856
get_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)857 static int get_zeros_padding(unsigned char *input, size_t input_len,
858 size_t *data_len)
859 {
860 size_t i;
861 unsigned char done = 0, prev_done;
862
863 if (NULL == input || NULL == data_len) {
864 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
865 }
866
867 *data_len = 0;
868 for (i = input_len; i > 0; i--) {
869 prev_done = done;
870 done |= !mbedtls_ct_size_bool_eq(input[i-1], 0);
871 size_t mask = mbedtls_ct_size_mask(done ^ prev_done);
872 *data_len |= i & mask;
873 }
874
875 return 0;
876 }
877 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
878
879 /*
880 * No padding: don't pad :)
881 *
882 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
883 * but a trivial get_padding function
884 */
get_no_padding(unsigned char * input,size_t input_len,size_t * data_len)885 static int get_no_padding(unsigned char *input, size_t input_len,
886 size_t *data_len)
887 {
888 if (NULL == input || NULL == data_len) {
889 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
890 }
891
892 *data_len = input_len;
893
894 return 0;
895 }
896 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
897
mbedtls_cipher_finish(mbedtls_cipher_context_t * ctx,unsigned char * output,size_t * olen)898 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
899 unsigned char *output, size_t *olen)
900 {
901 CIPHER_VALIDATE_RET(ctx != NULL);
902 CIPHER_VALIDATE_RET(output != NULL);
903 CIPHER_VALIDATE_RET(olen != NULL);
904 if (ctx->cipher_info == NULL) {
905 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
906 }
907
908 #if defined(MBEDTLS_USE_PSA_CRYPTO)
909 if (ctx->psa_enabled == 1) {
910 /* While PSA Crypto has an API for multipart
911 * operations, we currently don't make it
912 * accessible through the cipher layer. */
913 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
914 }
915 #endif /* MBEDTLS_USE_PSA_CRYPTO */
916
917 *olen = 0;
918
919 if (MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
920 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
921 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
922 MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
923 MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
924 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode) {
925 return 0;
926 }
927
928 if ((MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type) ||
929 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type)) {
930 return 0;
931 }
932
933 if (MBEDTLS_MODE_ECB == ctx->cipher_info->mode) {
934 if (ctx->unprocessed_len != 0) {
935 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
936 }
937
938 return 0;
939 }
940
941 #if defined(MBEDTLS_CIPHER_MODE_CBC)
942 if (MBEDTLS_MODE_CBC == ctx->cipher_info->mode) {
943 int ret = 0;
944
945 if (MBEDTLS_ENCRYPT == ctx->operation) {
946 /* check for 'no padding' mode */
947 if (NULL == ctx->add_padding) {
948 if (0 != ctx->unprocessed_len) {
949 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
950 }
951
952 return 0;
953 }
954
955 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),
956 ctx->unprocessed_len);
957 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {
958 /*
959 * For decrypt operations, expect a full block,
960 * or an empty block if no padding
961 */
962 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {
963 return 0;
964 }
965
966 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
967 }
968
969 /* cipher block */
970 if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx,
971 ctx->operation,
972 mbedtls_cipher_get_block_size(ctx),
973 ctx->iv,
974 ctx->unprocessed_data, output))) {
975 return ret;
976 }
977
978 /* Set output size for decryption */
979 if (MBEDTLS_DECRYPT == ctx->operation) {
980 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
981 olen);
982 }
983
984 /* Set output size for encryption */
985 *olen = mbedtls_cipher_get_block_size(ctx);
986 return 0;
987 }
988 #else
989 ((void) output);
990 #endif /* MBEDTLS_CIPHER_MODE_CBC */
991
992 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
993 }
994
995 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t * ctx,mbedtls_cipher_padding_t mode)996 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
997 mbedtls_cipher_padding_t mode)
998 {
999 CIPHER_VALIDATE_RET(ctx != NULL);
1000
1001 if (NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode) {
1002 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1003 }
1004
1005 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1006 if (ctx->psa_enabled == 1) {
1007 /* While PSA Crypto knows about CBC padding
1008 * schemes, we currently don't make them
1009 * accessible through the cipher layer. */
1010 if (mode != MBEDTLS_PADDING_NONE) {
1011 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1012 }
1013
1014 return 0;
1015 }
1016 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1017
1018 switch (mode) {
1019 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1020 case MBEDTLS_PADDING_PKCS7:
1021 ctx->add_padding = add_pkcs_padding;
1022 ctx->get_padding = get_pkcs_padding;
1023 break;
1024 #endif
1025 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1026 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1027 ctx->add_padding = add_one_and_zeros_padding;
1028 ctx->get_padding = get_one_and_zeros_padding;
1029 break;
1030 #endif
1031 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1032 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1033 ctx->add_padding = add_zeros_and_len_padding;
1034 ctx->get_padding = get_zeros_and_len_padding;
1035 break;
1036 #endif
1037 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1038 case MBEDTLS_PADDING_ZEROS:
1039 ctx->add_padding = add_zeros_padding;
1040 ctx->get_padding = get_zeros_padding;
1041 break;
1042 #endif
1043 case MBEDTLS_PADDING_NONE:
1044 ctx->add_padding = NULL;
1045 ctx->get_padding = get_no_padding;
1046 break;
1047
1048 default:
1049 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1050 }
1051
1052 return 0;
1053 }
1054 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1055
1056 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_write_tag(mbedtls_cipher_context_t * ctx,unsigned char * tag,size_t tag_len)1057 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
1058 unsigned char *tag, size_t tag_len)
1059 {
1060 CIPHER_VALIDATE_RET(ctx != NULL);
1061 CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
1062 if (ctx->cipher_info == NULL) {
1063 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1064 }
1065
1066 if (MBEDTLS_ENCRYPT != ctx->operation) {
1067 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1068 }
1069
1070 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1071 if (ctx->psa_enabled == 1) {
1072 /* While PSA Crypto has an API for multipart
1073 * operations, we currently don't make it
1074 * accessible through the cipher layer. */
1075 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1076 }
1077 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1078
1079 #if defined(MBEDTLS_GCM_C)
1080 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
1081 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
1082 tag, tag_len);
1083 }
1084 #endif
1085
1086 #if defined(MBEDTLS_CHACHAPOLY_C)
1087 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
1088 /* Don't allow truncated MAC for Poly1305 */
1089 if (tag_len != 16U) {
1090 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1091 }
1092
1093 return mbedtls_chachapoly_finish(
1094 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);
1095 }
1096 #endif
1097
1098 return 0;
1099 }
1100
mbedtls_cipher_check_tag(mbedtls_cipher_context_t * ctx,const unsigned char * tag,size_t tag_len)1101 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
1102 const unsigned char *tag, size_t tag_len)
1103 {
1104 unsigned char check_tag[16];
1105 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1106
1107 CIPHER_VALIDATE_RET(ctx != NULL);
1108 CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
1109 if (ctx->cipher_info == NULL) {
1110 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1111 }
1112
1113 if (MBEDTLS_DECRYPT != ctx->operation) {
1114 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1115 }
1116
1117 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1118 if (ctx->psa_enabled == 1) {
1119 /* While PSA Crypto has an API for multipart
1120 * operations, we currently don't make it
1121 * accessible through the cipher layer. */
1122 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1123 }
1124 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1125
1126 /* Status to return on a non-authenticated algorithm. It would make sense
1127 * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps
1128 * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our
1129 * unit tests assume 0. */
1130 ret = 0;
1131
1132 #if defined(MBEDTLS_GCM_C)
1133 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
1134 if (tag_len > sizeof(check_tag)) {
1135 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1136 }
1137
1138 if (0 != (ret = mbedtls_gcm_finish(
1139 (mbedtls_gcm_context *) ctx->cipher_ctx,
1140 check_tag, tag_len))) {
1141 return ret;
1142 }
1143
1144 /* Check the tag in "constant-time" */
1145 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1146 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1147 goto exit;
1148 }
1149 }
1150 #endif /* MBEDTLS_GCM_C */
1151
1152 #if defined(MBEDTLS_CHACHAPOLY_C)
1153 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
1154 /* Don't allow truncated MAC for Poly1305 */
1155 if (tag_len != sizeof(check_tag)) {
1156 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1157 }
1158
1159 ret = mbedtls_chachapoly_finish(
1160 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
1161 if (ret != 0) {
1162 return ret;
1163 }
1164
1165 /* Check the tag in "constant-time" */
1166 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1167 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1168 goto exit;
1169 }
1170 }
1171 #endif /* MBEDTLS_CHACHAPOLY_C */
1172
1173 exit:
1174 mbedtls_platform_zeroize(check_tag, tag_len);
1175 return ret;
1176 }
1177 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1178
1179 /*
1180 * Packet-oriented wrapper for non-AEAD modes
1181 */
mbedtls_cipher_crypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)1182 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
1183 const unsigned char *iv, size_t iv_len,
1184 const unsigned char *input, size_t ilen,
1185 unsigned char *output, size_t *olen)
1186 {
1187 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1188 size_t finish_olen;
1189
1190 CIPHER_VALIDATE_RET(ctx != NULL);
1191 CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
1192 CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
1193 CIPHER_VALIDATE_RET(output != NULL);
1194 CIPHER_VALIDATE_RET(olen != NULL);
1195
1196 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1197 if (ctx->psa_enabled == 1) {
1198 /* As in the non-PSA case, we don't check that
1199 * a key has been set. If not, the key slot will
1200 * still be in its default state of 0, which is
1201 * guaranteed to be invalid, hence the PSA-call
1202 * below will gracefully fail. */
1203 mbedtls_cipher_context_psa * const cipher_psa =
1204 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1205
1206 psa_status_t status;
1207 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1208 size_t part_len;
1209
1210 if (ctx->operation == MBEDTLS_DECRYPT) {
1211 status = psa_cipher_decrypt_setup(&cipher_op,
1212 cipher_psa->slot,
1213 cipher_psa->alg);
1214 } else if (ctx->operation == MBEDTLS_ENCRYPT) {
1215 status = psa_cipher_encrypt_setup(&cipher_op,
1216 cipher_psa->slot,
1217 cipher_psa->alg);
1218 } else {
1219 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1220 }
1221
1222 /* In the following, we can immediately return on an error,
1223 * because the PSA Crypto API guarantees that cipher operations
1224 * are terminated by unsuccessful calls to psa_cipher_update(),
1225 * and by any call to psa_cipher_finish(). */
1226 if (status != PSA_SUCCESS) {
1227 return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1228 }
1229
1230 if (ctx->cipher_info->mode != MBEDTLS_MODE_ECB) {
1231 status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
1232 if (status != PSA_SUCCESS) {
1233 return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1234 }
1235 }
1236
1237 status = psa_cipher_update(&cipher_op,
1238 input, ilen,
1239 output, ilen, olen);
1240 if (status != PSA_SUCCESS) {
1241 return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1242 }
1243
1244 status = psa_cipher_finish(&cipher_op,
1245 output + *olen, ilen - *olen,
1246 &part_len);
1247 if (status != PSA_SUCCESS) {
1248 return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1249 }
1250
1251 *olen += part_len;
1252 return 0;
1253 }
1254 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1255
1256 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
1257 return ret;
1258 }
1259
1260 if ((ret = mbedtls_cipher_reset(ctx)) != 0) {
1261 return ret;
1262 }
1263
1264 if ((ret = mbedtls_cipher_update(ctx, input, ilen,
1265 output, olen)) != 0) {
1266 return ret;
1267 }
1268
1269 if ((ret = mbedtls_cipher_finish(ctx, output + *olen,
1270 &finish_olen)) != 0) {
1271 return ret;
1272 }
1273
1274 *olen += finish_olen;
1275
1276 return 0;
1277 }
1278
1279 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1280 /*
1281 * Packet-oriented encryption for AEAD modes: internal function shared by
1282 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
1283 */
mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1284 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
1285 const unsigned char *iv, size_t iv_len,
1286 const unsigned char *ad, size_t ad_len,
1287 const unsigned char *input, size_t ilen,
1288 unsigned char *output, size_t *olen,
1289 unsigned char *tag, size_t tag_len)
1290 {
1291 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1292 if (ctx->psa_enabled == 1) {
1293 /* As in the non-PSA case, we don't check that
1294 * a key has been set. If not, the key slot will
1295 * still be in its default state of 0, which is
1296 * guaranteed to be invalid, hence the PSA-call
1297 * below will gracefully fail. */
1298 mbedtls_cipher_context_psa * const cipher_psa =
1299 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1300
1301 psa_status_t status;
1302
1303 /* PSA Crypto API always writes the authentication tag
1304 * at the end of the encrypted message. */
1305 if (output == NULL || tag != output + ilen) {
1306 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1307 }
1308
1309 status = psa_aead_encrypt(cipher_psa->slot,
1310 cipher_psa->alg,
1311 iv, iv_len,
1312 ad, ad_len,
1313 input, ilen,
1314 output, ilen + tag_len, olen);
1315 if (status != PSA_SUCCESS) {
1316 return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1317 }
1318
1319 *olen -= tag_len;
1320 return 0;
1321 }
1322 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1323
1324 #if defined(MBEDTLS_GCM_C)
1325 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
1326 *olen = ilen;
1327 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1328 ilen, iv, iv_len, ad, ad_len,
1329 input, output, tag_len, tag);
1330 }
1331 #endif /* MBEDTLS_GCM_C */
1332 #if defined(MBEDTLS_CCM_C)
1333 if (MBEDTLS_MODE_CCM == ctx->cipher_info->mode) {
1334 *olen = ilen;
1335 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
1336 iv, iv_len, ad, ad_len, input, output,
1337 tag, tag_len);
1338 }
1339 #endif /* MBEDTLS_CCM_C */
1340 #if defined(MBEDTLS_CHACHAPOLY_C)
1341 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
1342 /* ChachaPoly has fixed length nonce and MAC (tag) */
1343 if ((iv_len != ctx->cipher_info->iv_size) ||
1344 (tag_len != 16U)) {
1345 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1346 }
1347
1348 *olen = ilen;
1349 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,
1350 ilen, iv, ad, ad_len, input, output, tag);
1351 }
1352 #endif /* MBEDTLS_CHACHAPOLY_C */
1353
1354 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1355 }
1356
1357 /*
1358 * Packet-oriented encryption for AEAD modes: internal function shared by
1359 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
1360 */
mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1361 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
1362 const unsigned char *iv, size_t iv_len,
1363 const unsigned char *ad, size_t ad_len,
1364 const unsigned char *input, size_t ilen,
1365 unsigned char *output, size_t *olen,
1366 const unsigned char *tag, size_t tag_len)
1367 {
1368 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1369 if (ctx->psa_enabled == 1) {
1370 /* As in the non-PSA case, we don't check that
1371 * a key has been set. If not, the key slot will
1372 * still be in its default state of 0, which is
1373 * guaranteed to be invalid, hence the PSA-call
1374 * below will gracefully fail. */
1375 mbedtls_cipher_context_psa * const cipher_psa =
1376 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1377
1378 psa_status_t status;
1379
1380 /* PSA Crypto API always writes the authentication tag
1381 * at the end of the encrypted message. */
1382 if (input == NULL || tag != input + ilen) {
1383 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1384 }
1385
1386 status = psa_aead_decrypt(cipher_psa->slot,
1387 cipher_psa->alg,
1388 iv, iv_len,
1389 ad, ad_len,
1390 input, ilen + tag_len,
1391 output, ilen, olen);
1392 if (status == PSA_ERROR_INVALID_SIGNATURE) {
1393 return MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1394 } else if (status != PSA_SUCCESS) {
1395 return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1396 }
1397
1398 return 0;
1399 }
1400 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1401
1402 #if defined(MBEDTLS_GCM_C)
1403 if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
1404 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1405
1406 *olen = ilen;
1407 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
1408 iv, iv_len, ad, ad_len,
1409 tag, tag_len, input, output);
1410
1411 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
1412 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1413 }
1414
1415 return ret;
1416 }
1417 #endif /* MBEDTLS_GCM_C */
1418 #if defined(MBEDTLS_CCM_C)
1419 if (MBEDTLS_MODE_CCM == ctx->cipher_info->mode) {
1420 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1421
1422 *olen = ilen;
1423 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
1424 iv, iv_len, ad, ad_len,
1425 input, output, tag, tag_len);
1426
1427 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
1428 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1429 }
1430
1431 return ret;
1432 }
1433 #endif /* MBEDTLS_CCM_C */
1434 #if defined(MBEDTLS_CHACHAPOLY_C)
1435 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
1436 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1437
1438 /* ChachaPoly has fixed length nonce and MAC (tag) */
1439 if ((iv_len != ctx->cipher_info->iv_size) ||
1440 (tag_len != 16U)) {
1441 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1442 }
1443
1444 *olen = ilen;
1445 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,
1446 iv, ad, ad_len, tag, input, output);
1447
1448 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {
1449 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1450 }
1451
1452 return ret;
1453 }
1454 #endif /* MBEDTLS_CHACHAPOLY_C */
1455
1456 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1457 }
1458
1459 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1460 /*
1461 * Packet-oriented encryption for AEAD modes: public legacy function.
1462 */
mbedtls_cipher_auth_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1463 int mbedtls_cipher_auth_encrypt(mbedtls_cipher_context_t *ctx,
1464 const unsigned char *iv, size_t iv_len,
1465 const unsigned char *ad, size_t ad_len,
1466 const unsigned char *input, size_t ilen,
1467 unsigned char *output, size_t *olen,
1468 unsigned char *tag, size_t tag_len)
1469 {
1470 CIPHER_VALIDATE_RET(ctx != NULL);
1471 CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
1472 CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
1473 CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
1474 CIPHER_VALIDATE_RET(ilen == 0 || output != NULL);
1475 CIPHER_VALIDATE_RET(olen != NULL);
1476 CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
1477
1478 return mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
1479 input, ilen, output, olen,
1480 tag, tag_len);
1481 }
1482
1483 /*
1484 * Packet-oriented decryption for AEAD modes: public legacy function.
1485 */
mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1486 int mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t *ctx,
1487 const unsigned char *iv, size_t iv_len,
1488 const unsigned char *ad, size_t ad_len,
1489 const unsigned char *input, size_t ilen,
1490 unsigned char *output, size_t *olen,
1491 const unsigned char *tag, size_t tag_len)
1492 {
1493 CIPHER_VALIDATE_RET(ctx != NULL);
1494 CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
1495 CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
1496 CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
1497 CIPHER_VALIDATE_RET(ilen == 0 || output != NULL);
1498 CIPHER_VALIDATE_RET(olen != NULL);
1499 CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
1500
1501 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
1502 input, ilen, output, olen,
1503 tag, tag_len);
1504 }
1505 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1506 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1507
1508 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1509 /*
1510 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1511 */
mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1512 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
1513 const unsigned char *iv, size_t iv_len,
1514 const unsigned char *ad, size_t ad_len,
1515 const unsigned char *input, size_t ilen,
1516 unsigned char *output, size_t output_len,
1517 size_t *olen, size_t tag_len)
1518 {
1519 CIPHER_VALIDATE_RET(ctx != NULL);
1520 CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
1521 CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
1522 CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
1523 CIPHER_VALIDATE_RET(output != NULL);
1524 CIPHER_VALIDATE_RET(olen != NULL);
1525
1526 #if defined(MBEDTLS_NIST_KW_C)
1527 if (
1528 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1529 ctx->psa_enabled == 0 &&
1530 #endif
1531 (MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1532 MBEDTLS_MODE_KWP == ctx->cipher_info->mode)) {
1533 mbedtls_nist_kw_mode_t mode = (MBEDTLS_MODE_KW == ctx->cipher_info->mode) ?
1534 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1535
1536 /* There is no iv, tag or ad associated with KW and KWP,
1537 * so these length should be 0 as documented. */
1538 if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1539 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1540 }
1541
1542 (void) iv;
1543 (void) ad;
1544
1545 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
1546 output, olen, output_len);
1547 }
1548 #endif /* MBEDTLS_NIST_KW_C */
1549
1550 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1551 /* AEAD case: check length before passing on to shared function */
1552 if (output_len < ilen + tag_len) {
1553 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1554 }
1555
1556 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
1557 input, ilen, output, olen,
1558 output + ilen, tag_len);
1559 *olen += tag_len;
1560 return ret;
1561 #else
1562 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1563 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1564 }
1565
1566 /*
1567 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1568 */
mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1569 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
1570 const unsigned char *iv, size_t iv_len,
1571 const unsigned char *ad, size_t ad_len,
1572 const unsigned char *input, size_t ilen,
1573 unsigned char *output, size_t output_len,
1574 size_t *olen, size_t tag_len)
1575 {
1576 CIPHER_VALIDATE_RET(ctx != NULL);
1577 CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
1578 CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
1579 CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
1580 CIPHER_VALIDATE_RET(output_len == 0 || output != NULL);
1581 CIPHER_VALIDATE_RET(olen != NULL);
1582
1583 #if defined(MBEDTLS_NIST_KW_C)
1584 if (
1585 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1586 ctx->psa_enabled == 0 &&
1587 #endif
1588 (MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1589 MBEDTLS_MODE_KWP == ctx->cipher_info->mode)) {
1590 mbedtls_nist_kw_mode_t mode = (MBEDTLS_MODE_KW == ctx->cipher_info->mode) ?
1591 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1592
1593 /* There is no iv, tag or ad associated with KW and KWP,
1594 * so these length should be 0 as documented. */
1595 if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1596 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1597 }
1598
1599 (void) iv;
1600 (void) ad;
1601
1602 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
1603 output, olen, output_len);
1604 }
1605 #endif /* MBEDTLS_NIST_KW_C */
1606
1607 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1608 /* AEAD case: check length before passing on to shared function */
1609 if (ilen < tag_len || output_len < ilen - tag_len) {
1610 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1611 }
1612
1613 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
1614 input, ilen - tag_len, output, olen,
1615 input + ilen - tag_len, tag_len);
1616 #else
1617 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1618 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1619 }
1620 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1621
1622 #endif /* MBEDTLS_CIPHER_C */
1623