1 /**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0
10 *
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
22 */
23
24 #include "common.h"
25
26 #if defined(MBEDTLS_CIPHER_C)
27
28 #include "mbedtls/cipher.h"
29 #include "cipher_wrap.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32
33 #include <stdlib.h>
34 #include <string.h>
35
36 #if defined(MBEDTLS_CHACHAPOLY_C)
37 #include "mbedtls/chachapoly.h"
38 #endif
39
40 #if defined(MBEDTLS_GCM_C)
41 #include "mbedtls/gcm.h"
42 #endif
43
44 #if defined(MBEDTLS_CCM_C)
45 #include "mbedtls/ccm.h"
46 #endif
47
48 #if defined(MBEDTLS_CHACHA20_C)
49 #include "mbedtls/chacha20.h"
50 #endif
51
52 #if defined(MBEDTLS_CMAC_C)
53 #include "mbedtls/cmac.h"
54 #endif
55
56 #if defined(MBEDTLS_USE_PSA_CRYPTO)
57 #include "psa/crypto.h"
58 #include "mbedtls/psa_util.h"
59 #endif /* MBEDTLS_USE_PSA_CRYPTO */
60
61 #if defined(MBEDTLS_NIST_KW_C)
62 #include "mbedtls/nist_kw.h"
63 #endif
64
65 #if defined(MBEDTLS_PLATFORM_C)
66 #include "mbedtls/platform.h"
67 #else
68 #define mbedtls_calloc calloc
69 #define mbedtls_free free
70 #endif
71
72 #define CIPHER_VALIDATE_RET( cond ) \
73 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
74 #define CIPHER_VALIDATE( cond ) \
75 MBEDTLS_INTERNAL_VALIDATE( cond )
76
77 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
78 /* Compare the contents of two buffers in constant time.
79 * Returns 0 if the contents are bitwise identical, otherwise returns
80 * a non-zero value.
81 * This is currently only used by GCM and ChaCha20+Poly1305.
82 */
mbedtls_constant_time_memcmp(const void * v1,const void * v2,size_t len)83 static int mbedtls_constant_time_memcmp( const void *v1, const void *v2,
84 size_t len )
85 {
86 const unsigned char *p1 = (const unsigned char*) v1;
87 const unsigned char *p2 = (const unsigned char*) v2;
88 size_t i;
89 unsigned char diff;
90
91 for( diff = 0, i = 0; i < len; i++ )
92 diff |= p1[i] ^ p2[i];
93
94 return( (int)diff );
95 }
96 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
97
98 static int supported_init = 0;
99
mbedtls_cipher_list(void)100 const int *mbedtls_cipher_list( void )
101 {
102 const mbedtls_cipher_definition_t *def;
103 int *type;
104
105 if( ! supported_init )
106 {
107 def = mbedtls_cipher_definitions;
108 type = mbedtls_cipher_supported;
109
110 while( def->type != 0 )
111 *type++ = (*def++).type;
112
113 *type = 0;
114
115 supported_init = 1;
116 }
117
118 return( mbedtls_cipher_supported );
119 }
120
mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)121 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
122 const mbedtls_cipher_type_t cipher_type )
123 {
124 const mbedtls_cipher_definition_t *def;
125
126 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
127 if( def->type == cipher_type )
128 return( def->info );
129
130 return( NULL );
131 }
132
mbedtls_cipher_info_from_string(const char * cipher_name)133 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
134 const char *cipher_name )
135 {
136 const mbedtls_cipher_definition_t *def;
137
138 if( NULL == cipher_name )
139 return( NULL );
140
141 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
142 if( ! strcmp( def->info->name, cipher_name ) )
143 return( def->info );
144
145 return( NULL );
146 }
147
mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,int key_bitlen,const mbedtls_cipher_mode_t mode)148 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
149 const mbedtls_cipher_id_t cipher_id,
150 int key_bitlen,
151 const mbedtls_cipher_mode_t mode )
152 {
153 const mbedtls_cipher_definition_t *def;
154
155 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
156 if( def->info->base->cipher == cipher_id &&
157 def->info->key_bitlen == (unsigned) key_bitlen &&
158 def->info->mode == mode )
159 return( def->info );
160
161 return( NULL );
162 }
163
mbedtls_cipher_init(mbedtls_cipher_context_t * ctx)164 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
165 {
166 CIPHER_VALIDATE( ctx != NULL );
167 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
168 }
169
mbedtls_cipher_free(mbedtls_cipher_context_t * ctx)170 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
171 {
172 if( ctx == NULL )
173 return;
174
175 #if defined(MBEDTLS_USE_PSA_CRYPTO)
176 if( ctx->psa_enabled == 1 )
177 {
178 if( ctx->cipher_ctx != NULL )
179 {
180 mbedtls_cipher_context_psa * const cipher_psa =
181 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
182
183 if( cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED )
184 {
185 /* xxx_free() doesn't allow to return failures. */
186 (void) psa_destroy_key( cipher_psa->slot );
187 }
188
189 mbedtls_platform_zeroize( cipher_psa, sizeof( *cipher_psa ) );
190 mbedtls_free( cipher_psa );
191 }
192
193 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
194 return;
195 }
196 #endif /* MBEDTLS_USE_PSA_CRYPTO */
197
198 #if defined(MBEDTLS_CMAC_C)
199 if( ctx->cmac_ctx )
200 {
201 mbedtls_platform_zeroize( ctx->cmac_ctx,
202 sizeof( mbedtls_cmac_context_t ) );
203 mbedtls_free( ctx->cmac_ctx );
204 }
205 #endif
206
207 if( ctx->cipher_ctx )
208 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
209
210 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
211 }
212
mbedtls_cipher_setup(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)213 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
214 const mbedtls_cipher_info_t *cipher_info )
215 {
216 CIPHER_VALIDATE_RET( ctx != NULL );
217 if( cipher_info == NULL )
218 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
219
220 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
221
222 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
223 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
224
225 ctx->cipher_info = cipher_info;
226
227 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
228 /*
229 * Ignore possible errors caused by a cipher mode that doesn't use padding
230 */
231 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
232 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
233 #else
234 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
235 #endif
236 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
237
238 return( 0 );
239 }
240
241 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_cipher_setup_psa(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info,size_t taglen)242 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
243 const mbedtls_cipher_info_t *cipher_info,
244 size_t taglen )
245 {
246 psa_algorithm_t alg;
247 mbedtls_cipher_context_psa *cipher_psa;
248
249 if( NULL == cipher_info || NULL == ctx )
250 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
251
252 /* Check that the underlying cipher mode and cipher type are
253 * supported by the underlying PSA Crypto implementation. */
254 alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen );
255 if( alg == 0 )
256 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
257 if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 )
258 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
259
260 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
261
262 cipher_psa = mbedtls_calloc( 1, sizeof(mbedtls_cipher_context_psa ) );
263 if( cipher_psa == NULL )
264 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
265 cipher_psa->alg = alg;
266 ctx->cipher_ctx = cipher_psa;
267 ctx->cipher_info = cipher_info;
268 ctx->psa_enabled = 1;
269 return( 0 );
270 }
271 #endif /* MBEDTLS_USE_PSA_CRYPTO */
272
mbedtls_cipher_setkey(mbedtls_cipher_context_t * ctx,const unsigned char * key,int key_bitlen,const mbedtls_operation_t operation)273 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
274 const unsigned char *key,
275 int key_bitlen,
276 const mbedtls_operation_t operation )
277 {
278 CIPHER_VALIDATE_RET( ctx != NULL );
279 CIPHER_VALIDATE_RET( key != NULL );
280 CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
281 operation == MBEDTLS_DECRYPT );
282 if( ctx->cipher_info == NULL )
283 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
284
285 #if defined(MBEDTLS_USE_PSA_CRYPTO)
286 if( ctx->psa_enabled == 1 )
287 {
288 mbedtls_cipher_context_psa * const cipher_psa =
289 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
290
291 size_t const key_bytelen = ( (size_t) key_bitlen + 7 ) / 8;
292
293 psa_status_t status;
294 psa_key_type_t key_type;
295 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
296
297 /* PSA Crypto API only accepts byte-aligned keys. */
298 if( key_bitlen % 8 != 0 )
299 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
300
301 /* Don't allow keys to be set multiple times. */
302 if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET )
303 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
304
305 key_type = mbedtls_psa_translate_cipher_type(
306 ctx->cipher_info->type );
307 if( key_type == 0 )
308 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
309 psa_set_key_type( &attributes, key_type );
310
311 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
312 * (encrypt vs. decrypt): it is possible to setup a key for encryption
313 * and use it for AEAD decryption. Until tests relying on this
314 * are changed, allow any usage in PSA. */
315 psa_set_key_usage_flags( &attributes,
316 /* mbedtls_psa_translate_cipher_operation( operation ); */
317 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
318 psa_set_key_algorithm( &attributes, cipher_psa->alg );
319
320 status = psa_import_key( &attributes, key, key_bytelen,
321 &cipher_psa->slot );
322 switch( status )
323 {
324 case PSA_SUCCESS:
325 break;
326 case PSA_ERROR_INSUFFICIENT_MEMORY:
327 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
328 case PSA_ERROR_NOT_SUPPORTED:
329 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
330 default:
331 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
332 }
333 /* Indicate that we own the key slot and need to
334 * destroy it in mbedtls_cipher_free(). */
335 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
336
337 ctx->key_bitlen = key_bitlen;
338 ctx->operation = operation;
339 return( 0 );
340 }
341 #endif /* MBEDTLS_USE_PSA_CRYPTO */
342
343 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
344 (int) ctx->cipher_info->key_bitlen != key_bitlen )
345 {
346 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
347 }
348
349 ctx->key_bitlen = key_bitlen;
350 ctx->operation = operation;
351
352 /*
353 * For OFB, CFB and CTR mode always use the encryption key schedule
354 */
355 if( MBEDTLS_ENCRYPT == operation ||
356 MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
357 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
358 MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
359 {
360 return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
361 ctx->key_bitlen ) );
362 }
363
364 if( MBEDTLS_DECRYPT == operation )
365 return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
366 ctx->key_bitlen ) );
367
368 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
369 }
370
mbedtls_cipher_set_iv(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len)371 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
372 const unsigned char *iv,
373 size_t iv_len )
374 {
375 size_t actual_iv_size;
376
377 CIPHER_VALIDATE_RET( ctx != NULL );
378 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
379 if( ctx->cipher_info == NULL )
380 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
381 #if defined(MBEDTLS_USE_PSA_CRYPTO)
382 if( ctx->psa_enabled == 1 )
383 {
384 /* While PSA Crypto has an API for multipart
385 * operations, we currently don't make it
386 * accessible through the cipher layer. */
387 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
388 }
389 #endif /* MBEDTLS_USE_PSA_CRYPTO */
390
391 /* avoid buffer overflow in ctx->iv */
392 if( iv_len > MBEDTLS_MAX_IV_LENGTH )
393 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
394
395 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
396 actual_iv_size = iv_len;
397 else
398 {
399 actual_iv_size = ctx->cipher_info->iv_size;
400
401 /* avoid reading past the end of input buffer */
402 if( actual_iv_size > iv_len )
403 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
404 }
405
406 #if defined(MBEDTLS_CHACHA20_C)
407 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
408 {
409 if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
410 iv,
411 0U ) ) /* Initial counter value */
412 {
413 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
414 }
415 }
416 #endif
417
418 #if defined(MBEDTLS_GCM_C)
419 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
420 {
421 return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx,
422 ctx->operation,
423 iv, iv_len ) );
424 }
425 #endif
426
427 #if defined(MBEDTLS_CCM_C)
428 if( MBEDTLS_MODE_CCM_STAR_NO_TAG == ctx->cipher_info->mode )
429 {
430 int set_lengths_result;
431 int ccm_star_mode;
432
433 set_lengths_result = mbedtls_ccm_set_lengths(
434 (mbedtls_ccm_context *) ctx->cipher_ctx,
435 0, 0, 0 );
436 if( set_lengths_result != 0 )
437 return set_lengths_result;
438
439 if( ctx->operation == MBEDTLS_DECRYPT )
440 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;
441 else if( ctx->operation == MBEDTLS_ENCRYPT )
442 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;
443 else
444 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
445
446 return( mbedtls_ccm_starts( (mbedtls_ccm_context *) ctx->cipher_ctx,
447 ccm_star_mode,
448 iv, iv_len ) );
449 }
450 #endif
451
452 if ( actual_iv_size != 0 )
453 {
454 memcpy( ctx->iv, iv, actual_iv_size );
455 ctx->iv_size = actual_iv_size;
456 }
457
458 return( 0 );
459 }
460
mbedtls_cipher_reset(mbedtls_cipher_context_t * ctx)461 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
462 {
463 CIPHER_VALIDATE_RET( ctx != NULL );
464 if( ctx->cipher_info == NULL )
465 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
466
467 #if defined(MBEDTLS_USE_PSA_CRYPTO)
468 if( ctx->psa_enabled == 1 )
469 {
470 /* We don't support resetting PSA-based
471 * cipher contexts, yet. */
472 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
473 }
474 #endif /* MBEDTLS_USE_PSA_CRYPTO */
475
476 ctx->unprocessed_len = 0;
477
478 return( 0 );
479 }
480
481 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_update_ad(mbedtls_cipher_context_t * ctx,const unsigned char * ad,size_t ad_len)482 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
483 const unsigned char *ad, size_t ad_len )
484 {
485 CIPHER_VALIDATE_RET( ctx != NULL );
486 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
487 if( ctx->cipher_info == NULL )
488 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
489
490 #if defined(MBEDTLS_USE_PSA_CRYPTO)
491 if( ctx->psa_enabled == 1 )
492 {
493 /* While PSA Crypto has an API for multipart
494 * operations, we currently don't make it
495 * accessible through the cipher layer. */
496 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
497 }
498 #endif /* MBEDTLS_USE_PSA_CRYPTO */
499
500 #if defined(MBEDTLS_GCM_C)
501 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
502 {
503 return( mbedtls_gcm_update_ad( (mbedtls_gcm_context *) ctx->cipher_ctx,
504 ad, ad_len ) );
505 }
506 #endif
507
508 #if defined(MBEDTLS_CHACHAPOLY_C)
509 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
510 {
511 int result;
512 mbedtls_chachapoly_mode_t mode;
513
514 mode = ( ctx->operation == MBEDTLS_ENCRYPT )
515 ? MBEDTLS_CHACHAPOLY_ENCRYPT
516 : MBEDTLS_CHACHAPOLY_DECRYPT;
517
518 result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
519 ctx->iv,
520 mode );
521 if ( result != 0 )
522 return( result );
523
524 return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
525 ad, ad_len ) );
526 }
527 #endif
528
529 return( 0 );
530 }
531 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
532
mbedtls_cipher_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)533 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
534 size_t ilen, unsigned char *output, size_t *olen )
535 {
536 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
537 size_t block_size;
538
539 CIPHER_VALIDATE_RET( ctx != NULL );
540 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
541 CIPHER_VALIDATE_RET( output != NULL );
542 CIPHER_VALIDATE_RET( olen != NULL );
543 if( ctx->cipher_info == NULL )
544 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
545
546 #if defined(MBEDTLS_USE_PSA_CRYPTO)
547 if( ctx->psa_enabled == 1 )
548 {
549 /* While PSA Crypto has an API for multipart
550 * operations, we currently don't make it
551 * accessible through the cipher layer. */
552 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
553 }
554 #endif /* MBEDTLS_USE_PSA_CRYPTO */
555
556 *olen = 0;
557 block_size = mbedtls_cipher_get_block_size( ctx );
558 if ( 0 == block_size )
559 {
560 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
561 }
562
563 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
564 {
565 if( ilen != block_size )
566 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
567
568 *olen = ilen;
569
570 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
571 ctx->operation, input, output ) ) )
572 {
573 return( ret );
574 }
575
576 return( 0 );
577 }
578
579 #if defined(MBEDTLS_GCM_C)
580 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
581 {
582 return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx,
583 input, ilen,
584 output, ilen, olen ) );
585 }
586 #endif
587
588 #if defined(MBEDTLS_CCM_C)
589 if( ctx->cipher_info->mode == MBEDTLS_MODE_CCM_STAR_NO_TAG )
590 {
591 return( mbedtls_ccm_update( (mbedtls_ccm_context *) ctx->cipher_ctx,
592 input, ilen,
593 output, ilen, olen ) );
594 }
595 #endif
596
597 #if defined(MBEDTLS_CHACHAPOLY_C)
598 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
599 {
600 *olen = ilen;
601 return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
602 ilen, input, output ) );
603 }
604 #endif
605
606 if( input == output &&
607 ( ctx->unprocessed_len != 0 || ilen % block_size ) )
608 {
609 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
610 }
611
612 #if defined(MBEDTLS_CIPHER_MODE_CBC)
613 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
614 {
615 size_t copy_len = 0;
616
617 /*
618 * If there is not enough data for a full block, cache it.
619 */
620 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
621 ilen <= block_size - ctx->unprocessed_len ) ||
622 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
623 ilen < block_size - ctx->unprocessed_len ) ||
624 ( ctx->operation == MBEDTLS_ENCRYPT &&
625 ilen < block_size - ctx->unprocessed_len ) )
626 {
627 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
628 ilen );
629
630 ctx->unprocessed_len += ilen;
631 return( 0 );
632 }
633
634 /*
635 * Process cached data first
636 */
637 if( 0 != ctx->unprocessed_len )
638 {
639 copy_len = block_size - ctx->unprocessed_len;
640
641 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
642 copy_len );
643
644 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
645 ctx->operation, block_size, ctx->iv,
646 ctx->unprocessed_data, output ) ) )
647 {
648 return( ret );
649 }
650
651 *olen += block_size;
652 output += block_size;
653 ctx->unprocessed_len = 0;
654
655 input += copy_len;
656 ilen -= copy_len;
657 }
658
659 /*
660 * Cache final, incomplete block
661 */
662 if( 0 != ilen )
663 {
664 /* Encryption: only cache partial blocks
665 * Decryption w/ padding: always keep at least one whole block
666 * Decryption w/o padding: only cache partial blocks
667 */
668 copy_len = ilen % block_size;
669 if( copy_len == 0 &&
670 ctx->operation == MBEDTLS_DECRYPT &&
671 NULL != ctx->add_padding)
672 {
673 copy_len = block_size;
674 }
675
676 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
677 copy_len );
678
679 ctx->unprocessed_len += copy_len;
680 ilen -= copy_len;
681 }
682
683 /*
684 * Process remaining full blocks
685 */
686 if( ilen )
687 {
688 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
689 ctx->operation, ilen, ctx->iv, input, output ) ) )
690 {
691 return( ret );
692 }
693
694 *olen += ilen;
695 }
696
697 return( 0 );
698 }
699 #endif /* MBEDTLS_CIPHER_MODE_CBC */
700
701 #if defined(MBEDTLS_CIPHER_MODE_CFB)
702 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
703 {
704 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
705 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
706 input, output ) ) )
707 {
708 return( ret );
709 }
710
711 *olen = ilen;
712
713 return( 0 );
714 }
715 #endif /* MBEDTLS_CIPHER_MODE_CFB */
716
717 #if defined(MBEDTLS_CIPHER_MODE_OFB)
718 if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
719 {
720 if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
721 ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
722 {
723 return( ret );
724 }
725
726 *olen = ilen;
727
728 return( 0 );
729 }
730 #endif /* MBEDTLS_CIPHER_MODE_OFB */
731
732 #if defined(MBEDTLS_CIPHER_MODE_CTR)
733 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
734 {
735 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
736 ilen, &ctx->unprocessed_len, ctx->iv,
737 ctx->unprocessed_data, input, output ) ) )
738 {
739 return( ret );
740 }
741
742 *olen = ilen;
743
744 return( 0 );
745 }
746 #endif /* MBEDTLS_CIPHER_MODE_CTR */
747
748 #if defined(MBEDTLS_CIPHER_MODE_XTS)
749 if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
750 {
751 if( ctx->unprocessed_len > 0 ) {
752 /* We can only process an entire data unit at a time. */
753 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
754 }
755
756 ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
757 ctx->operation, ilen, ctx->iv, input, output );
758 if( ret != 0 )
759 {
760 return( ret );
761 }
762
763 *olen = ilen;
764
765 return( 0 );
766 }
767 #endif /* MBEDTLS_CIPHER_MODE_XTS */
768
769 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
770 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
771 {
772 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
773 ilen, input, output ) ) )
774 {
775 return( ret );
776 }
777
778 *olen = ilen;
779
780 return( 0 );
781 }
782 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
783
784 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
785 }
786
787 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
788 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
789 /*
790 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
791 */
add_pkcs_padding(unsigned char * output,size_t output_len,size_t data_len)792 static void add_pkcs_padding( unsigned char *output, size_t output_len,
793 size_t data_len )
794 {
795 size_t padding_len = output_len - data_len;
796 unsigned char i;
797
798 for( i = 0; i < padding_len; i++ )
799 output[data_len + i] = (unsigned char) padding_len;
800 }
801
get_pkcs_padding(unsigned char * input,size_t input_len,size_t * data_len)802 static int get_pkcs_padding( unsigned char *input, size_t input_len,
803 size_t *data_len )
804 {
805 size_t i, pad_idx;
806 unsigned char padding_len, bad = 0;
807
808 if( NULL == input || NULL == data_len )
809 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
810
811 padding_len = input[input_len - 1];
812 *data_len = input_len - padding_len;
813
814 /* Avoid logical || since it results in a branch */
815 bad |= padding_len > input_len;
816 bad |= padding_len == 0;
817
818 /* The number of bytes checked must be independent of padding_len,
819 * so pick input_len, which is usually 8 or 16 (one block) */
820 pad_idx = input_len - padding_len;
821 for( i = 0; i < input_len; i++ )
822 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
823
824 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
825 }
826 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
827
828 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
829 /*
830 * One and zeros padding: fill with 80 00 ... 00
831 */
add_one_and_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)832 static void add_one_and_zeros_padding( unsigned char *output,
833 size_t output_len, size_t data_len )
834 {
835 size_t padding_len = output_len - data_len;
836 unsigned char i = 0;
837
838 output[data_len] = 0x80;
839 for( i = 1; i < padding_len; i++ )
840 output[data_len + i] = 0x00;
841 }
842
get_one_and_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)843 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
844 size_t *data_len )
845 {
846 size_t i;
847 unsigned char done = 0, prev_done, bad;
848
849 if( NULL == input || NULL == data_len )
850 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
851
852 bad = 0x80;
853 *data_len = 0;
854 for( i = input_len; i > 0; i-- )
855 {
856 prev_done = done;
857 done |= ( input[i - 1] != 0 );
858 *data_len |= ( i - 1 ) * ( done != prev_done );
859 bad ^= input[i - 1] * ( done != prev_done );
860 }
861
862 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
863
864 }
865 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
866
867 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
868 /*
869 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
870 */
add_zeros_and_len_padding(unsigned char * output,size_t output_len,size_t data_len)871 static void add_zeros_and_len_padding( unsigned char *output,
872 size_t output_len, size_t data_len )
873 {
874 size_t padding_len = output_len - data_len;
875 unsigned char i = 0;
876
877 for( i = 1; i < padding_len; i++ )
878 output[data_len + i - 1] = 0x00;
879 output[output_len - 1] = (unsigned char) padding_len;
880 }
881
get_zeros_and_len_padding(unsigned char * input,size_t input_len,size_t * data_len)882 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
883 size_t *data_len )
884 {
885 size_t i, pad_idx;
886 unsigned char padding_len, bad = 0;
887
888 if( NULL == input || NULL == data_len )
889 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
890
891 padding_len = input[input_len - 1];
892 *data_len = input_len - padding_len;
893
894 /* Avoid logical || since it results in a branch */
895 bad |= padding_len > input_len;
896 bad |= padding_len == 0;
897
898 /* The number of bytes checked must be independent of padding_len */
899 pad_idx = input_len - padding_len;
900 for( i = 0; i < input_len - 1; i++ )
901 bad |= input[i] * ( i >= pad_idx );
902
903 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
904 }
905 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
906
907 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
908 /*
909 * Zero padding: fill with 00 ... 00
910 */
add_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)911 static void add_zeros_padding( unsigned char *output,
912 size_t output_len, size_t data_len )
913 {
914 size_t i;
915
916 for( i = data_len; i < output_len; i++ )
917 output[i] = 0x00;
918 }
919
get_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)920 static int get_zeros_padding( unsigned char *input, size_t input_len,
921 size_t *data_len )
922 {
923 size_t i;
924 unsigned char done = 0, prev_done;
925
926 if( NULL == input || NULL == data_len )
927 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
928
929 *data_len = 0;
930 for( i = input_len; i > 0; i-- )
931 {
932 prev_done = done;
933 done |= ( input[i-1] != 0 );
934 *data_len |= i * ( done != prev_done );
935 }
936
937 return( 0 );
938 }
939 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
940
941 /*
942 * No padding: don't pad :)
943 *
944 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
945 * but a trivial get_padding function
946 */
get_no_padding(unsigned char * input,size_t input_len,size_t * data_len)947 static int get_no_padding( unsigned char *input, size_t input_len,
948 size_t *data_len )
949 {
950 if( NULL == input || NULL == data_len )
951 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
952
953 *data_len = input_len;
954
955 return( 0 );
956 }
957 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
958
mbedtls_cipher_finish(mbedtls_cipher_context_t * ctx,unsigned char * output,size_t * olen)959 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
960 unsigned char *output, size_t *olen )
961 {
962 CIPHER_VALIDATE_RET( ctx != NULL );
963 CIPHER_VALIDATE_RET( output != NULL );
964 CIPHER_VALIDATE_RET( olen != NULL );
965 if( ctx->cipher_info == NULL )
966 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
967
968 #if defined(MBEDTLS_USE_PSA_CRYPTO)
969 if( ctx->psa_enabled == 1 )
970 {
971 /* While PSA Crypto has an API for multipart
972 * operations, we currently don't make it
973 * accessible through the cipher layer. */
974 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
975 }
976 #endif /* MBEDTLS_USE_PSA_CRYPTO */
977
978 *olen = 0;
979
980 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
981 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
982 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
983 MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
984 MBEDTLS_MODE_CCM_STAR_NO_TAG == ctx->cipher_info->mode ||
985 MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
986 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
987 {
988 return( 0 );
989 }
990
991 if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
992 ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
993 {
994 return( 0 );
995 }
996
997 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
998 {
999 if( ctx->unprocessed_len != 0 )
1000 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
1001
1002 return( 0 );
1003 }
1004
1005 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1006 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
1007 {
1008 int ret = 0;
1009
1010 if( MBEDTLS_ENCRYPT == ctx->operation )
1011 {
1012 /* check for 'no padding' mode */
1013 if( NULL == ctx->add_padding )
1014 {
1015 if( 0 != ctx->unprocessed_len )
1016 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
1017
1018 return( 0 );
1019 }
1020
1021 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
1022 ctx->unprocessed_len );
1023 }
1024 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
1025 {
1026 /*
1027 * For decrypt operations, expect a full block,
1028 * or an empty block if no padding
1029 */
1030 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
1031 return( 0 );
1032
1033 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
1034 }
1035
1036 /* cipher block */
1037 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
1038 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
1039 ctx->unprocessed_data, output ) ) )
1040 {
1041 return( ret );
1042 }
1043
1044 /* Set output size for decryption */
1045 if( MBEDTLS_DECRYPT == ctx->operation )
1046 return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
1047 olen ) );
1048
1049 /* Set output size for encryption */
1050 *olen = mbedtls_cipher_get_block_size( ctx );
1051 return( 0 );
1052 }
1053 #else
1054 ((void) output);
1055 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1056
1057 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1058 }
1059
1060 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t * ctx,mbedtls_cipher_padding_t mode)1061 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
1062 mbedtls_cipher_padding_t mode )
1063 {
1064 CIPHER_VALIDATE_RET( ctx != NULL );
1065
1066 if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
1067 {
1068 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1069 }
1070
1071 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1072 if( ctx->psa_enabled == 1 )
1073 {
1074 /* While PSA Crypto knows about CBC padding
1075 * schemes, we currently don't make them
1076 * accessible through the cipher layer. */
1077 if( mode != MBEDTLS_PADDING_NONE )
1078 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1079
1080 return( 0 );
1081 }
1082 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1083
1084 switch( mode )
1085 {
1086 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1087 case MBEDTLS_PADDING_PKCS7:
1088 ctx->add_padding = add_pkcs_padding;
1089 ctx->get_padding = get_pkcs_padding;
1090 break;
1091 #endif
1092 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1093 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1094 ctx->add_padding = add_one_and_zeros_padding;
1095 ctx->get_padding = get_one_and_zeros_padding;
1096 break;
1097 #endif
1098 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1099 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1100 ctx->add_padding = add_zeros_and_len_padding;
1101 ctx->get_padding = get_zeros_and_len_padding;
1102 break;
1103 #endif
1104 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1105 case MBEDTLS_PADDING_ZEROS:
1106 ctx->add_padding = add_zeros_padding;
1107 ctx->get_padding = get_zeros_padding;
1108 break;
1109 #endif
1110 case MBEDTLS_PADDING_NONE:
1111 ctx->add_padding = NULL;
1112 ctx->get_padding = get_no_padding;
1113 break;
1114
1115 default:
1116 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1117 }
1118
1119 return( 0 );
1120 }
1121 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1122
1123 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_write_tag(mbedtls_cipher_context_t * ctx,unsigned char * tag,size_t tag_len)1124 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
1125 unsigned char *tag, size_t tag_len )
1126 {
1127 CIPHER_VALIDATE_RET( ctx != NULL );
1128 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1129 if( ctx->cipher_info == NULL )
1130 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1131
1132 if( MBEDTLS_ENCRYPT != ctx->operation )
1133 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1134
1135 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1136 if( ctx->psa_enabled == 1 )
1137 {
1138 /* While PSA Crypto has an API for multipart
1139 * operations, we currently don't make it
1140 * accessible through the cipher layer. */
1141 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1142 }
1143 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1144
1145 #if defined(MBEDTLS_GCM_C)
1146 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1147 {
1148 size_t output_length;
1149 /* The code here doesn't yet support alternative implementations
1150 * that can delay up to a block of output. */
1151 return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
1152 NULL, 0, &output_length,
1153 tag, tag_len ) );
1154 }
1155 #endif
1156
1157 #if defined(MBEDTLS_CHACHAPOLY_C)
1158 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1159 {
1160 /* Don't allow truncated MAC for Poly1305 */
1161 if ( tag_len != 16U )
1162 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1163
1164 return( mbedtls_chachapoly_finish(
1165 (mbedtls_chachapoly_context*) ctx->cipher_ctx, tag ) );
1166 }
1167 #endif
1168
1169 return( 0 );
1170 }
1171
mbedtls_cipher_check_tag(mbedtls_cipher_context_t * ctx,const unsigned char * tag,size_t tag_len)1172 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
1173 const unsigned char *tag, size_t tag_len )
1174 {
1175 unsigned char check_tag[16];
1176 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1177
1178 CIPHER_VALIDATE_RET( ctx != NULL );
1179 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1180 if( ctx->cipher_info == NULL )
1181 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1182
1183 if( MBEDTLS_DECRYPT != ctx->operation )
1184 {
1185 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1186 }
1187
1188 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1189 if( ctx->psa_enabled == 1 )
1190 {
1191 /* While PSA Crypto has an API for multipart
1192 * operations, we currently don't make it
1193 * accessible through the cipher layer. */
1194 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1195 }
1196 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1197
1198 #if defined(MBEDTLS_GCM_C)
1199 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1200 {
1201 size_t output_length;
1202 /* The code here doesn't yet support alternative implementations
1203 * that can delay up to a block of output. */
1204
1205 if( tag_len > sizeof( check_tag ) )
1206 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1207
1208 if( 0 != ( ret = mbedtls_gcm_finish(
1209 (mbedtls_gcm_context *) ctx->cipher_ctx,
1210 NULL, 0, &output_length,
1211 check_tag, tag_len ) ) )
1212 {
1213 return( ret );
1214 }
1215
1216 /* Check the tag in "constant-time" */
1217 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
1218 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1219
1220 return( 0 );
1221 }
1222 #endif /* MBEDTLS_GCM_C */
1223
1224 #if defined(MBEDTLS_CHACHAPOLY_C)
1225 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1226 {
1227 /* Don't allow truncated MAC for Poly1305 */
1228 if ( tag_len != sizeof( check_tag ) )
1229 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1230
1231 ret = mbedtls_chachapoly_finish(
1232 (mbedtls_chachapoly_context*) ctx->cipher_ctx, check_tag );
1233 if ( ret != 0 )
1234 {
1235 return( ret );
1236 }
1237
1238 /* Check the tag in "constant-time" */
1239 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
1240 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1241
1242 return( 0 );
1243 }
1244 #endif /* MBEDTLS_CHACHAPOLY_C */
1245
1246 return( 0 );
1247 }
1248 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1249
1250 /*
1251 * Packet-oriented wrapper for non-AEAD modes
1252 */
mbedtls_cipher_crypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)1253 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
1254 const unsigned char *iv, size_t iv_len,
1255 const unsigned char *input, size_t ilen,
1256 unsigned char *output, size_t *olen )
1257 {
1258 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1259 size_t finish_olen;
1260
1261 CIPHER_VALIDATE_RET( ctx != NULL );
1262 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1263 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1264 CIPHER_VALIDATE_RET( output != NULL );
1265 CIPHER_VALIDATE_RET( olen != NULL );
1266
1267 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1268 if( ctx->psa_enabled == 1 )
1269 {
1270 /* As in the non-PSA case, we don't check that
1271 * a key has been set. If not, the key slot will
1272 * still be in its default state of 0, which is
1273 * guaranteed to be invalid, hence the PSA-call
1274 * below will gracefully fail. */
1275 mbedtls_cipher_context_psa * const cipher_psa =
1276 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1277
1278 psa_status_t status;
1279 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1280 size_t part_len;
1281
1282 if( ctx->operation == MBEDTLS_DECRYPT )
1283 {
1284 status = psa_cipher_decrypt_setup( &cipher_op,
1285 cipher_psa->slot,
1286 cipher_psa->alg );
1287 }
1288 else if( ctx->operation == MBEDTLS_ENCRYPT )
1289 {
1290 status = psa_cipher_encrypt_setup( &cipher_op,
1291 cipher_psa->slot,
1292 cipher_psa->alg );
1293 }
1294 else
1295 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1296
1297 /* In the following, we can immediately return on an error,
1298 * because the PSA Crypto API guarantees that cipher operations
1299 * are terminated by unsuccessful calls to psa_cipher_update(),
1300 * and by any call to psa_cipher_finish(). */
1301 if( status != PSA_SUCCESS )
1302 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1303
1304 if( ctx->cipher_info->mode != MBEDTLS_MODE_ECB )
1305 {
1306 status = psa_cipher_set_iv( &cipher_op, iv, iv_len );
1307 if( status != PSA_SUCCESS )
1308 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1309 }
1310
1311 status = psa_cipher_update( &cipher_op,
1312 input, ilen,
1313 output, ilen, olen );
1314 if( status != PSA_SUCCESS )
1315 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1316
1317 status = psa_cipher_finish( &cipher_op,
1318 output + *olen, ilen - *olen,
1319 &part_len );
1320 if( status != PSA_SUCCESS )
1321 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1322
1323 *olen += part_len;
1324 return( 0 );
1325 }
1326 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1327
1328 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
1329 return( ret );
1330
1331 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
1332 return( ret );
1333
1334 if( ( ret = mbedtls_cipher_update( ctx, input, ilen,
1335 output, olen ) ) != 0 )
1336 return( ret );
1337
1338 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen,
1339 &finish_olen ) ) != 0 )
1340 return( ret );
1341
1342 *olen += finish_olen;
1343
1344 return( 0 );
1345 }
1346
1347 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1348 /*
1349 * Packet-oriented encryption for AEAD modes: internal function used by
1350 * mbedtls_cipher_auth_encrypt_ext().
1351 */
mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1352 static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx,
1353 const unsigned char *iv, size_t iv_len,
1354 const unsigned char *ad, size_t ad_len,
1355 const unsigned char *input, size_t ilen,
1356 unsigned char *output, size_t *olen,
1357 unsigned char *tag, size_t tag_len )
1358 {
1359 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1360 if( ctx->psa_enabled == 1 )
1361 {
1362 /* As in the non-PSA case, we don't check that
1363 * a key has been set. If not, the key slot will
1364 * still be in its default state of 0, which is
1365 * guaranteed to be invalid, hence the PSA-call
1366 * below will gracefully fail. */
1367 mbedtls_cipher_context_psa * const cipher_psa =
1368 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1369
1370 psa_status_t status;
1371
1372 /* PSA Crypto API always writes the authentication tag
1373 * at the end of the encrypted message. */
1374 if( output == NULL || tag != output + ilen )
1375 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1376
1377 status = psa_aead_encrypt( cipher_psa->slot,
1378 cipher_psa->alg,
1379 iv, iv_len,
1380 ad, ad_len,
1381 input, ilen,
1382 output, ilen + tag_len, olen );
1383 if( status != PSA_SUCCESS )
1384 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1385
1386 *olen -= tag_len;
1387 return( 0 );
1388 }
1389 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1390
1391 #if defined(MBEDTLS_GCM_C)
1392 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1393 {
1394 *olen = ilen;
1395 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1396 ilen, iv, iv_len, ad, ad_len,
1397 input, output, tag_len, tag ) );
1398 }
1399 #endif /* MBEDTLS_GCM_C */
1400 #if defined(MBEDTLS_CCM_C)
1401 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1402 {
1403 *olen = ilen;
1404 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
1405 iv, iv_len, ad, ad_len, input, output,
1406 tag, tag_len ) );
1407 }
1408 #endif /* MBEDTLS_CCM_C */
1409 #if defined(MBEDTLS_CHACHAPOLY_C)
1410 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1411 {
1412 /* ChachaPoly has fixed length nonce and MAC (tag) */
1413 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1414 ( tag_len != 16U ) )
1415 {
1416 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1417 }
1418
1419 *olen = ilen;
1420 return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
1421 ilen, iv, ad, ad_len, input, output, tag ) );
1422 }
1423 #endif /* MBEDTLS_CHACHAPOLY_C */
1424
1425 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1426 }
1427
1428 /*
1429 * Packet-oriented encryption for AEAD modes: internal function used by
1430 * mbedtls_cipher_auth_encrypt_ext().
1431 */
mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1432 static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx,
1433 const unsigned char *iv, size_t iv_len,
1434 const unsigned char *ad, size_t ad_len,
1435 const unsigned char *input, size_t ilen,
1436 unsigned char *output, size_t *olen,
1437 const unsigned char *tag, size_t tag_len )
1438 {
1439 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1440 if( ctx->psa_enabled == 1 )
1441 {
1442 /* As in the non-PSA case, we don't check that
1443 * a key has been set. If not, the key slot will
1444 * still be in its default state of 0, which is
1445 * guaranteed to be invalid, hence the PSA-call
1446 * below will gracefully fail. */
1447 mbedtls_cipher_context_psa * const cipher_psa =
1448 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1449
1450 psa_status_t status;
1451
1452 /* PSA Crypto API always writes the authentication tag
1453 * at the end of the encrypted message. */
1454 if( input == NULL || tag != input + ilen )
1455 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1456
1457 status = psa_aead_decrypt( cipher_psa->slot,
1458 cipher_psa->alg,
1459 iv, iv_len,
1460 ad, ad_len,
1461 input, ilen + tag_len,
1462 output, ilen, olen );
1463 if( status == PSA_ERROR_INVALID_SIGNATURE )
1464 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1465 else if( status != PSA_SUCCESS )
1466 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
1467
1468 return( 0 );
1469 }
1470 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1471
1472 #if defined(MBEDTLS_GCM_C)
1473 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1474 {
1475 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1476
1477 *olen = ilen;
1478 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
1479 iv, iv_len, ad, ad_len,
1480 tag, tag_len, input, output );
1481
1482 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
1483 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1484
1485 return( ret );
1486 }
1487 #endif /* MBEDTLS_GCM_C */
1488 #if defined(MBEDTLS_CCM_C)
1489 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1490 {
1491 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1492
1493 *olen = ilen;
1494 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
1495 iv, iv_len, ad, ad_len,
1496 input, output, tag, tag_len );
1497
1498 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
1499 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1500
1501 return( ret );
1502 }
1503 #endif /* MBEDTLS_CCM_C */
1504 #if defined(MBEDTLS_CHACHAPOLY_C)
1505 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1506 {
1507 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1508
1509 /* ChachaPoly has fixed length nonce and MAC (tag) */
1510 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1511 ( tag_len != 16U ) )
1512 {
1513 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1514 }
1515
1516 *olen = ilen;
1517 ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
1518 iv, ad, ad_len, tag, input, output );
1519
1520 if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
1521 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1522
1523 return( ret );
1524 }
1525 #endif /* MBEDTLS_CHACHAPOLY_C */
1526
1527 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1528 }
1529 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1530
1531 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1532 /*
1533 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1534 */
mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1535 int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
1536 const unsigned char *iv, size_t iv_len,
1537 const unsigned char *ad, size_t ad_len,
1538 const unsigned char *input, size_t ilen,
1539 unsigned char *output, size_t output_len,
1540 size_t *olen, size_t tag_len )
1541 {
1542 CIPHER_VALIDATE_RET( ctx != NULL );
1543 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1544 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1545 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1546 CIPHER_VALIDATE_RET( output != NULL );
1547 CIPHER_VALIDATE_RET( olen != NULL );
1548
1549 #if defined(MBEDTLS_NIST_KW_C)
1550 if(
1551 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1552 ctx->psa_enabled == 0 &&
1553 #endif
1554 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1555 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
1556 {
1557 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1558 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1559
1560 /* There is no iv, tag or ad associated with KW and KWP,
1561 * so these length should be 0 as documented. */
1562 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1563 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1564
1565 (void) iv;
1566 (void) ad;
1567
1568 return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen,
1569 output, olen, output_len ) );
1570 }
1571 #endif /* MBEDTLS_NIST_KW_C */
1572
1573 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1574 /* AEAD case: check length before passing on to shared function */
1575 if( output_len < ilen + tag_len )
1576 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1577
1578 int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
1579 input, ilen, output, olen,
1580 output + ilen, tag_len );
1581 *olen += tag_len;
1582 return( ret );
1583 #else
1584 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1585 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1586 }
1587
1588 /*
1589 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1590 */
mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1591 int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
1592 const unsigned char *iv, size_t iv_len,
1593 const unsigned char *ad, size_t ad_len,
1594 const unsigned char *input, size_t ilen,
1595 unsigned char *output, size_t output_len,
1596 size_t *olen, size_t tag_len )
1597 {
1598 CIPHER_VALIDATE_RET( ctx != NULL );
1599 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1600 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1601 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1602 CIPHER_VALIDATE_RET( output_len == 0 || output != NULL );
1603 CIPHER_VALIDATE_RET( olen != NULL );
1604
1605 #if defined(MBEDTLS_NIST_KW_C)
1606 if(
1607 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1608 ctx->psa_enabled == 0 &&
1609 #endif
1610 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1611 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
1612 {
1613 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1614 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1615
1616 /* There is no iv, tag or ad associated with KW and KWP,
1617 * so these length should be 0 as documented. */
1618 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1619 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1620
1621 (void) iv;
1622 (void) ad;
1623
1624 return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen,
1625 output, olen, output_len ) );
1626 }
1627 #endif /* MBEDTLS_NIST_KW_C */
1628
1629 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1630 /* AEAD case: check length before passing on to shared function */
1631 if( ilen < tag_len || output_len < ilen - tag_len )
1632 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1633
1634 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
1635 input, ilen - tag_len, output, olen,
1636 input + ilen - tag_len, tag_len ) );
1637 #else
1638 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1639 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1640 }
1641 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1642
1643 #endif /* MBEDTLS_CIPHER_C */
1644