1 /**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright The Mbed TLS Contributors
9 * SPDX-License-Identifier: Apache-2.0
10 *
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
22 */
23
24 #include "common.h"
25
26 #if defined(MBEDTLS_CIPHER_C)
27
28 #include "mbedtls/cipher.h"
29 #include "mbedtls/cipher_internal.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32 #include "mbedtls/constant_time.h"
33
34 #include <stdlib.h>
35 #include <string.h>
36
37 #if defined(MBEDTLS_CHACHAPOLY_C)
38 #include "mbedtls/chachapoly.h"
39 #endif
40
41 #if defined(MBEDTLS_GCM_C)
42 #include "mbedtls/gcm.h"
43 #endif
44
45 #if defined(MBEDTLS_CCM_C)
46 #include "mbedtls/ccm.h"
47 #endif
48
49 #if defined(MBEDTLS_CHACHA20_C)
50 #include "mbedtls/chacha20.h"
51 #endif
52
53 #if defined(MBEDTLS_CMAC_C)
54 #include "mbedtls/cmac.h"
55 #endif
56
57 #if defined(MBEDTLS_USE_PSA_CRYPTO)
58 #include "psa/crypto.h"
59 #include "mbedtls/psa_util.h"
60 #endif /* MBEDTLS_USE_PSA_CRYPTO */
61
62 #if defined(MBEDTLS_NIST_KW_C)
63 #include "mbedtls/nist_kw.h"
64 #endif
65
66 #if defined(MBEDTLS_PLATFORM_C)
67 #include "mbedtls/platform.h"
68 #else
69 #define mbedtls_calloc calloc
70 #define mbedtls_free free
71 #endif
72
73 #define CIPHER_VALIDATE_RET( cond ) \
74 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
75 #define CIPHER_VALIDATE( cond ) \
76 MBEDTLS_INTERNAL_VALIDATE( cond )
77
78 static int supported_init = 0;
79
mbedtls_cipher_list(void)80 const int *mbedtls_cipher_list( void )
81 {
82 const mbedtls_cipher_definition_t *def;
83 int *type;
84
85 if( ! supported_init )
86 {
87 def = mbedtls_cipher_definitions;
88 type = mbedtls_cipher_supported;
89
90 while( def->type != 0 )
91 *type++ = (*def++).type;
92
93 *type = 0;
94
95 supported_init = 1;
96 }
97
98 return( mbedtls_cipher_supported );
99 }
100
mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)101 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
102 const mbedtls_cipher_type_t cipher_type )
103 {
104 const mbedtls_cipher_definition_t *def;
105
106 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
107 if( def->type == cipher_type )
108 return( def->info );
109
110 return( NULL );
111 }
112
mbedtls_cipher_info_from_string(const char * cipher_name)113 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
114 const char *cipher_name )
115 {
116 const mbedtls_cipher_definition_t *def;
117
118 if( NULL == cipher_name )
119 return( NULL );
120
121 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
122 if( ! strcmp( def->info->name, cipher_name ) )
123 return( def->info );
124
125 return( NULL );
126 }
127
mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,int key_bitlen,const mbedtls_cipher_mode_t mode)128 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
129 const mbedtls_cipher_id_t cipher_id,
130 int key_bitlen,
131 const mbedtls_cipher_mode_t mode )
132 {
133 const mbedtls_cipher_definition_t *def;
134
135 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
136 if( def->info->base->cipher == cipher_id &&
137 def->info->key_bitlen == (unsigned) key_bitlen &&
138 def->info->mode == mode )
139 return( def->info );
140
141 return( NULL );
142 }
143
mbedtls_cipher_init(mbedtls_cipher_context_t * ctx)144 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
145 {
146 CIPHER_VALIDATE( ctx != NULL );
147 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
148 }
149
mbedtls_cipher_free(mbedtls_cipher_context_t * ctx)150 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
151 {
152 if( ctx == NULL )
153 return;
154
155 #if defined(MBEDTLS_USE_PSA_CRYPTO)
156 if( ctx->psa_enabled == 1 )
157 {
158 if( ctx->cipher_ctx != NULL )
159 {
160 mbedtls_cipher_context_psa * const cipher_psa =
161 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
162
163 if( cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED )
164 {
165 /* xxx_free() doesn't allow to return failures. */
166 (void) psa_destroy_key( cipher_psa->slot );
167 }
168
169 mbedtls_platform_zeroize( cipher_psa, sizeof( *cipher_psa ) );
170 mbedtls_free( cipher_psa );
171 }
172
173 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
174 return;
175 }
176 #endif /* MBEDTLS_USE_PSA_CRYPTO */
177
178 #if defined(MBEDTLS_CMAC_C)
179 if( ctx->cmac_ctx )
180 {
181 mbedtls_platform_zeroize( ctx->cmac_ctx,
182 sizeof( mbedtls_cmac_context_t ) );
183 mbedtls_free( ctx->cmac_ctx );
184 }
185 #endif
186
187 if( ctx->cipher_ctx )
188 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
189
190 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
191 }
192
mbedtls_cipher_clone(mbedtls_cipher_context_t * dst,const mbedtls_cipher_context_t * src)193 int mbedtls_cipher_clone( mbedtls_cipher_context_t *dst,
194 const mbedtls_cipher_context_t *src )
195 {
196 if( dst == NULL || dst->cipher_info == NULL ||
197 src == NULL || src->cipher_info == NULL)
198 {
199 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
200 }
201
202 dst->cipher_info = src->cipher_info;
203 dst->key_bitlen = src->key_bitlen;
204 dst->operation = src->operation;
205 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
206 dst->add_padding = src->add_padding;
207 dst->get_padding = src->get_padding;
208 #endif
209 memcpy( dst->unprocessed_data, src->unprocessed_data, MBEDTLS_MAX_BLOCK_LENGTH );
210 dst->unprocessed_len = src->unprocessed_len;
211 memcpy( dst->iv, src->iv, MBEDTLS_MAX_IV_LENGTH );
212 dst->iv_size = src->iv_size;
213 if( dst->cipher_info->base->ctx_clone_func )
214 dst->cipher_info->base->ctx_clone_func( dst->cipher_ctx, src->cipher_ctx );
215
216 #if defined(MBEDTLS_CMAC_C)
217 if( dst->cmac_ctx != NULL && src->cmac_ctx != NULL )
218 memcpy( dst->cmac_ctx, src->cmac_ctx, sizeof( mbedtls_cmac_context_t ) );
219 #endif
220 return( 0 );
221 }
222
mbedtls_cipher_setup(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)223 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
224 const mbedtls_cipher_info_t *cipher_info )
225 {
226 CIPHER_VALIDATE_RET( ctx != NULL );
227 if( cipher_info == NULL )
228 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
229
230 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
231
232 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
233 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
234
235 ctx->cipher_info = cipher_info;
236
237 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
238 /*
239 * Ignore possible errors caused by a cipher mode that doesn't use padding
240 */
241 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
242 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
243 #else
244 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
245 #endif
246 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
247
248 return( 0 );
249 }
250
251 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_cipher_setup_psa(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info,size_t taglen)252 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
253 const mbedtls_cipher_info_t *cipher_info,
254 size_t taglen )
255 {
256 psa_algorithm_t alg;
257 mbedtls_cipher_context_psa *cipher_psa;
258
259 if( NULL == cipher_info || NULL == ctx )
260 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
261
262 /* Check that the underlying cipher mode and cipher type are
263 * supported by the underlying PSA Crypto implementation. */
264 alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen );
265 if( alg == 0 )
266 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
267 if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 )
268 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
269
270 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
271
272 cipher_psa = mbedtls_calloc( 1, sizeof(mbedtls_cipher_context_psa ) );
273 if( cipher_psa == NULL )
274 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
275 cipher_psa->alg = alg;
276 ctx->cipher_ctx = cipher_psa;
277 ctx->cipher_info = cipher_info;
278 ctx->psa_enabled = 1;
279 return( 0 );
280 }
281 #endif /* MBEDTLS_USE_PSA_CRYPTO */
282
mbedtls_cipher_setup_info(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)283 int mbedtls_cipher_setup_info( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
284 {
285 if( NULL == cipher_info || NULL == ctx )
286 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
287
288 ctx->cipher_info = cipher_info;
289 return( 0 );
290 }
291
mbedtls_cipher_setkey(mbedtls_cipher_context_t * ctx,const unsigned char * key,int key_bitlen,const mbedtls_operation_t operation)292 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
293 const unsigned char *key,
294 int key_bitlen,
295 const mbedtls_operation_t operation )
296 {
297 CIPHER_VALIDATE_RET( ctx != NULL );
298 CIPHER_VALIDATE_RET( key != NULL );
299 CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
300 operation == MBEDTLS_DECRYPT );
301 if( ctx->cipher_info == NULL )
302 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
303
304 #if defined(MBEDTLS_USE_PSA_CRYPTO)
305 if( ctx->psa_enabled == 1 )
306 {
307 mbedtls_cipher_context_psa * const cipher_psa =
308 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
309
310 size_t const key_bytelen = ( (size_t) key_bitlen + 7 ) / 8;
311
312 psa_status_t status;
313 psa_key_type_t key_type;
314 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
315
316 /* PSA Crypto API only accepts byte-aligned keys. */
317 if( key_bitlen % 8 != 0 )
318 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
319
320 /* Don't allow keys to be set multiple times. */
321 if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET )
322 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
323
324 key_type = mbedtls_psa_translate_cipher_type(
325 ctx->cipher_info->type );
326 if( key_type == 0 )
327 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
328 psa_set_key_type( &attributes, key_type );
329
330 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
331 * (encrypt vs. decrypt): it is possible to setup a key for encryption
332 * and use it for AEAD decryption. Until tests relying on this
333 * are changed, allow any usage in PSA. */
334 psa_set_key_usage_flags( &attributes,
335 /* mbedtls_psa_translate_cipher_operation( operation ); */
336 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT );
337 psa_set_key_algorithm( &attributes, cipher_psa->alg );
338
339 status = psa_import_key( &attributes, key, key_bytelen,
340 &cipher_psa->slot );
341 switch( status )
342 {
343 case PSA_SUCCESS:
344 break;
345 case PSA_ERROR_INSUFFICIENT_MEMORY:
346 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
347 case PSA_ERROR_NOT_SUPPORTED:
348 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
349 default:
350 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
351 }
352 /* Indicate that we own the key slot and need to
353 * destroy it in mbedtls_cipher_free(). */
354 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
355
356 ctx->key_bitlen = key_bitlen;
357 ctx->operation = operation;
358 return( 0 );
359 }
360 #endif /* MBEDTLS_USE_PSA_CRYPTO */
361
362 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
363 (int) ctx->cipher_info->key_bitlen != key_bitlen )
364 {
365 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
366 }
367
368 ctx->key_bitlen = key_bitlen;
369 ctx->operation = operation;
370
371 /*
372 * For OFB, CFB and CTR mode always use the encryption key schedule
373 */
374 if( MBEDTLS_ENCRYPT == operation ||
375 MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
376 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
377 MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
378 {
379 return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
380 ctx->key_bitlen ) );
381 }
382
383 if( MBEDTLS_DECRYPT == operation )
384 return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
385 ctx->key_bitlen ) );
386
387 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
388 }
389
mbedtls_cipher_set_iv(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len)390 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
391 const unsigned char *iv,
392 size_t iv_len )
393 {
394 size_t actual_iv_size;
395
396 CIPHER_VALIDATE_RET( ctx != NULL );
397 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
398 if( ctx->cipher_info == NULL )
399 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
400 #if defined(MBEDTLS_USE_PSA_CRYPTO)
401 if( ctx->psa_enabled == 1 )
402 {
403 /* While PSA Crypto has an API for multipart
404 * operations, we currently don't make it
405 * accessible through the cipher layer. */
406 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
407 }
408 #endif /* MBEDTLS_USE_PSA_CRYPTO */
409
410 /* avoid buffer overflow in ctx->iv */
411 if( iv_len > MBEDTLS_MAX_IV_LENGTH )
412 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
413
414 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
415 actual_iv_size = iv_len;
416 else
417 {
418 actual_iv_size = ctx->cipher_info->iv_size;
419
420 /* avoid reading past the end of input buffer */
421 if( actual_iv_size > iv_len )
422 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
423 }
424
425 #if defined(MBEDTLS_CHACHA20_C)
426 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
427 {
428 /* Even though the actual_iv_size is overwritten with a correct value
429 * of 12 from the cipher info, return an error to indicate that
430 * the input iv_len is wrong. */
431 if( iv_len != 12 )
432 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
433
434 if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
435 iv,
436 0U ) ) /* Initial counter value */
437 {
438 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
439 }
440 }
441 #if defined(MBEDTLS_CHACHAPOLY_C)
442 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
443 iv_len != 12 )
444 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
445 #endif
446 #endif
447
448 if ( actual_iv_size != 0 )
449 {
450 memcpy( ctx->iv, iv, actual_iv_size );
451 ctx->iv_size = actual_iv_size;
452 }
453
454 return( 0 );
455 }
456
mbedtls_cipher_reset(mbedtls_cipher_context_t * ctx)457 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
458 {
459 CIPHER_VALIDATE_RET( ctx != NULL );
460 if( ctx->cipher_info == NULL )
461 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
462
463 #if defined(MBEDTLS_USE_PSA_CRYPTO)
464 if( ctx->psa_enabled == 1 )
465 {
466 /* We don't support resetting PSA-based
467 * cipher contexts, yet. */
468 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
469 }
470 #endif /* MBEDTLS_USE_PSA_CRYPTO */
471
472 ctx->unprocessed_len = 0;
473
474 return( 0 );
475 }
476
477 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_update_ad(mbedtls_cipher_context_t * ctx,const unsigned char * ad,size_t ad_len)478 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
479 const unsigned char *ad, size_t ad_len )
480 {
481 CIPHER_VALIDATE_RET( ctx != NULL );
482 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
483 if( ctx->cipher_info == NULL )
484 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
485
486 #if defined(MBEDTLS_USE_PSA_CRYPTO)
487 if( ctx->psa_enabled == 1 )
488 {
489 /* While PSA Crypto has an API for multipart
490 * operations, we currently don't make it
491 * accessible through the cipher layer. */
492 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
493 }
494 #endif /* MBEDTLS_USE_PSA_CRYPTO */
495
496 #if defined(MBEDTLS_GCM_C)
497 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
498 {
499 return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
500 ctx->iv, ctx->iv_size, ad, ad_len ) );
501 }
502 #endif
503
504 #if defined(MBEDTLS_CHACHAPOLY_C)
505 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
506 {
507 int result;
508 mbedtls_chachapoly_mode_t mode;
509
510 mode = ( ctx->operation == MBEDTLS_ENCRYPT )
511 ? MBEDTLS_CHACHAPOLY_ENCRYPT
512 : MBEDTLS_CHACHAPOLY_DECRYPT;
513
514 result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
515 ctx->iv,
516 mode );
517 if ( result != 0 )
518 return( result );
519
520 return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
521 ad, ad_len ) );
522 }
523 #endif
524
525 return( 0 );
526 }
527 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
528
mbedtls_cipher_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)529 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
530 size_t ilen, unsigned char *output, size_t *olen )
531 {
532 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
533 size_t block_size;
534
535 CIPHER_VALIDATE_RET( ctx != NULL );
536 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
537 CIPHER_VALIDATE_RET( output != NULL );
538 CIPHER_VALIDATE_RET( olen != NULL );
539 if( ctx->cipher_info == NULL )
540 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
541
542 #if defined(MBEDTLS_USE_PSA_CRYPTO)
543 if( ctx->psa_enabled == 1 )
544 {
545 /* While PSA Crypto has an API for multipart
546 * operations, we currently don't make it
547 * accessible through the cipher layer. */
548 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
549 }
550 #endif /* MBEDTLS_USE_PSA_CRYPTO */
551
552 *olen = 0;
553 block_size = mbedtls_cipher_get_block_size( ctx );
554 if ( 0 == block_size )
555 {
556 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
557 }
558
559 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
560 {
561 if( ilen != block_size )
562 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
563
564 *olen = ilen;
565
566 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
567 ctx->operation, input, output ) ) )
568 {
569 return( ret );
570 }
571
572 return( 0 );
573 }
574
575 #if defined(MBEDTLS_GCM_C)
576 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
577 {
578 *olen = ilen;
579 return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
580 output ) );
581 }
582 #endif
583
584 #if defined(MBEDTLS_CHACHAPOLY_C)
585 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
586 {
587 *olen = ilen;
588 return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
589 ilen, input, output ) );
590 }
591 #endif
592
593 if( input == output &&
594 ( ctx->unprocessed_len != 0 || ilen % block_size ) )
595 {
596 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
597 }
598
599 #if defined(MBEDTLS_CIPHER_MODE_CBC)
600 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
601 {
602 size_t copy_len = 0;
603
604 /*
605 * If there is not enough data for a full block, cache it.
606 */
607 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
608 ilen <= block_size - ctx->unprocessed_len ) ||
609 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
610 ilen < block_size - ctx->unprocessed_len ) ||
611 ( ctx->operation == MBEDTLS_ENCRYPT &&
612 ilen < block_size - ctx->unprocessed_len ) )
613 {
614 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
615 ilen );
616
617 ctx->unprocessed_len += ilen;
618 return( 0 );
619 }
620
621 /*
622 * Process cached data first
623 */
624 if( 0 != ctx->unprocessed_len )
625 {
626 copy_len = block_size - ctx->unprocessed_len;
627
628 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
629 copy_len );
630
631 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
632 ctx->operation, block_size, ctx->iv,
633 ctx->unprocessed_data, output ) ) )
634 {
635 return( ret );
636 }
637
638 *olen += block_size;
639 output += block_size;
640 ctx->unprocessed_len = 0;
641
642 input += copy_len;
643 ilen -= copy_len;
644 }
645
646 /*
647 * Cache final, incomplete block
648 */
649 if( 0 != ilen )
650 {
651 /* Encryption: only cache partial blocks
652 * Decryption w/ padding: always keep at least one whole block
653 * Decryption w/o padding: only cache partial blocks
654 */
655 copy_len = ilen % block_size;
656 if( copy_len == 0 &&
657 ctx->operation == MBEDTLS_DECRYPT &&
658 NULL != ctx->add_padding)
659 {
660 copy_len = block_size;
661 }
662
663 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
664 copy_len );
665
666 ctx->unprocessed_len += copy_len;
667 ilen -= copy_len;
668 }
669
670 /*
671 * Process remaining full blocks
672 */
673 if( ilen )
674 {
675 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
676 ctx->operation, ilen, ctx->iv, input, output ) ) )
677 {
678 return( ret );
679 }
680
681 *olen += ilen;
682 }
683
684 return( 0 );
685 }
686 #endif /* MBEDTLS_CIPHER_MODE_CBC */
687
688 #if defined(MBEDTLS_CIPHER_MODE_CFB)
689 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
690 {
691 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
692 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
693 input, output ) ) )
694 {
695 return( ret );
696 }
697
698 *olen = ilen;
699
700 return( 0 );
701 }
702 #endif /* MBEDTLS_CIPHER_MODE_CFB */
703
704 #if defined(MBEDTLS_CIPHER_MODE_OFB)
705 if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
706 {
707 if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
708 ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
709 {
710 return( ret );
711 }
712
713 *olen = ilen;
714
715 return( 0 );
716 }
717 #endif /* MBEDTLS_CIPHER_MODE_OFB */
718
719 #if defined(MBEDTLS_CIPHER_MODE_CTR)
720 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
721 {
722 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
723 ilen, &ctx->unprocessed_len, ctx->iv,
724 ctx->unprocessed_data, input, output ) ) )
725 {
726 return( ret );
727 }
728
729 *olen = ilen;
730
731 return( 0 );
732 }
733 #endif /* MBEDTLS_CIPHER_MODE_CTR */
734
735 #if defined(MBEDTLS_CIPHER_MODE_XTS)
736 if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
737 {
738 if( ctx->unprocessed_len > 0 ) {
739 /* We can only process an entire data unit at a time. */
740 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
741 }
742
743 ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
744 ctx->operation, ilen, ctx->iv, input, output );
745 if( ret != 0 )
746 {
747 return( ret );
748 }
749
750 *olen = ilen;
751
752 return( 0 );
753 }
754 #endif /* MBEDTLS_CIPHER_MODE_XTS */
755
756 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
757 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
758 {
759 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
760 ilen, input, output ) ) )
761 {
762 return( ret );
763 }
764
765 *olen = ilen;
766
767 return( 0 );
768 }
769 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
770
771 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
772 }
773
774 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
775 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
776 /*
777 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
778 */
add_pkcs_padding(unsigned char * output,size_t output_len,size_t data_len)779 static void add_pkcs_padding( unsigned char *output, size_t output_len,
780 size_t data_len )
781 {
782 size_t padding_len = output_len - data_len;
783 unsigned char i;
784
785 for( i = 0; i < padding_len; i++ )
786 output[data_len + i] = (unsigned char) padding_len;
787 }
788
get_pkcs_padding(unsigned char * input,size_t input_len,size_t * data_len)789 static int get_pkcs_padding( unsigned char *input, size_t input_len,
790 size_t *data_len )
791 {
792 size_t i, pad_idx;
793 unsigned char padding_len, bad = 0;
794
795 if( NULL == input || NULL == data_len )
796 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
797
798 padding_len = input[input_len - 1];
799 *data_len = input_len - padding_len;
800
801 /* Avoid logical || since it results in a branch */
802 bad |= padding_len > input_len;
803 bad |= padding_len == 0;
804
805 /* The number of bytes checked must be independent of padding_len,
806 * so pick input_len, which is usually 8 or 16 (one block) */
807 pad_idx = input_len - padding_len;
808 for( i = 0; i < input_len; i++ )
809 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
810
811 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
812 }
813 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
814
815 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
816 /*
817 * One and zeros padding: fill with 80 00 ... 00
818 */
add_one_and_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)819 static void add_one_and_zeros_padding( unsigned char *output,
820 size_t output_len, size_t data_len )
821 {
822 size_t padding_len = output_len - data_len;
823 unsigned char i = 0;
824
825 output[data_len] = 0x80;
826 for( i = 1; i < padding_len; i++ )
827 output[data_len + i] = 0x00;
828 }
829
get_one_and_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)830 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
831 size_t *data_len )
832 {
833 size_t i;
834 unsigned char done = 0, prev_done, bad;
835
836 if( NULL == input || NULL == data_len )
837 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
838
839 bad = 0x80;
840 *data_len = 0;
841 for( i = input_len; i > 0; i-- )
842 {
843 prev_done = done;
844 done |= ( input[i - 1] != 0 );
845 *data_len |= ( i - 1 ) * ( done != prev_done );
846 bad ^= input[i - 1] * ( done != prev_done );
847 }
848
849 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
850
851 }
852 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
853
854 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
855 /*
856 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
857 */
add_zeros_and_len_padding(unsigned char * output,size_t output_len,size_t data_len)858 static void add_zeros_and_len_padding( unsigned char *output,
859 size_t output_len, size_t data_len )
860 {
861 size_t padding_len = output_len - data_len;
862 unsigned char i = 0;
863
864 for( i = 1; i < padding_len; i++ )
865 output[data_len + i - 1] = 0x00;
866 output[output_len - 1] = (unsigned char) padding_len;
867 }
868
get_zeros_and_len_padding(unsigned char * input,size_t input_len,size_t * data_len)869 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
870 size_t *data_len )
871 {
872 size_t i, pad_idx;
873 unsigned char padding_len, bad = 0;
874
875 if( NULL == input || NULL == data_len )
876 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
877
878 padding_len = input[input_len - 1];
879 *data_len = input_len - padding_len;
880
881 /* Avoid logical || since it results in a branch */
882 bad |= padding_len > input_len;
883 bad |= padding_len == 0;
884
885 /* The number of bytes checked must be independent of padding_len */
886 pad_idx = input_len - padding_len;
887 for( i = 0; i < input_len - 1; i++ )
888 bad |= input[i] * ( i >= pad_idx );
889
890 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
891 }
892 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
893
894 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
895 /*
896 * Zero padding: fill with 00 ... 00
897 */
add_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)898 static void add_zeros_padding( unsigned char *output,
899 size_t output_len, size_t data_len )
900 {
901 size_t i;
902
903 for( i = data_len; i < output_len; i++ )
904 output[i] = 0x00;
905 }
906
get_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)907 static int get_zeros_padding( unsigned char *input, size_t input_len,
908 size_t *data_len )
909 {
910 size_t i;
911 unsigned char done = 0, prev_done;
912
913 if( NULL == input || NULL == data_len )
914 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
915
916 *data_len = 0;
917 for( i = input_len; i > 0; i-- )
918 {
919 prev_done = done;
920 done |= ( input[i-1] != 0 );
921 *data_len |= i * ( done != prev_done );
922 }
923
924 return( 0 );
925 }
926 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
927
928 /*
929 * No padding: don't pad :)
930 *
931 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
932 * but a trivial get_padding function
933 */
get_no_padding(unsigned char * input,size_t input_len,size_t * data_len)934 static int get_no_padding( unsigned char *input, size_t input_len,
935 size_t *data_len )
936 {
937 if( NULL == input || NULL == data_len )
938 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
939
940 *data_len = input_len;
941
942 return( 0 );
943 }
944 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
945
mbedtls_cipher_finish(mbedtls_cipher_context_t * ctx,unsigned char * output,size_t * olen)946 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
947 unsigned char *output, size_t *olen )
948 {
949 CIPHER_VALIDATE_RET( ctx != NULL );
950 CIPHER_VALIDATE_RET( output != NULL );
951 CIPHER_VALIDATE_RET( olen != NULL );
952 if( ctx->cipher_info == NULL )
953 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
954
955 #if defined(MBEDTLS_USE_PSA_CRYPTO)
956 if( ctx->psa_enabled == 1 )
957 {
958 /* While PSA Crypto has an API for multipart
959 * operations, we currently don't make it
960 * accessible through the cipher layer. */
961 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
962 }
963 #endif /* MBEDTLS_USE_PSA_CRYPTO */
964
965 *olen = 0;
966
967 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
968 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
969 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
970 MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
971 MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
972 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
973 {
974 return( 0 );
975 }
976
977 if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
978 ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
979 {
980 return( 0 );
981 }
982
983 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
984 {
985 if( ctx->unprocessed_len != 0 )
986 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
987
988 return( 0 );
989 }
990
991 #if defined(MBEDTLS_CIPHER_MODE_CBC)
992 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
993 {
994 int ret = 0;
995
996 if( MBEDTLS_ENCRYPT == ctx->operation )
997 {
998 /* check for 'no padding' mode */
999 if( NULL == ctx->add_padding )
1000 {
1001 if( 0 != ctx->unprocessed_len )
1002 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
1003
1004 return( 0 );
1005 }
1006
1007 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
1008 ctx->unprocessed_len );
1009 }
1010 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
1011 {
1012 /*
1013 * For decrypt operations, expect a full block,
1014 * or an empty block if no padding
1015 */
1016 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
1017 return( 0 );
1018
1019 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
1020 }
1021
1022 /* cipher block */
1023 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
1024 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
1025 ctx->unprocessed_data, output ) ) )
1026 {
1027 return( ret );
1028 }
1029
1030 /* Set output size for decryption */
1031 if( MBEDTLS_DECRYPT == ctx->operation )
1032 return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
1033 olen ) );
1034
1035 /* Set output size for encryption */
1036 *olen = mbedtls_cipher_get_block_size( ctx );
1037 return( 0 );
1038 }
1039 #else
1040 ((void) output);
1041 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1042
1043 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1044 }
1045
1046 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t * ctx,mbedtls_cipher_padding_t mode)1047 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
1048 mbedtls_cipher_padding_t mode )
1049 {
1050 CIPHER_VALIDATE_RET( ctx != NULL );
1051
1052 if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
1053 {
1054 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1055 }
1056
1057 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1058 if( ctx->psa_enabled == 1 )
1059 {
1060 /* While PSA Crypto knows about CBC padding
1061 * schemes, we currently don't make them
1062 * accessible through the cipher layer. */
1063 if( mode != MBEDTLS_PADDING_NONE )
1064 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1065
1066 return( 0 );
1067 }
1068 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1069
1070 switch( mode )
1071 {
1072 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1073 case MBEDTLS_PADDING_PKCS7:
1074 ctx->add_padding = add_pkcs_padding;
1075 ctx->get_padding = get_pkcs_padding;
1076 break;
1077 #endif
1078 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1079 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1080 ctx->add_padding = add_one_and_zeros_padding;
1081 ctx->get_padding = get_one_and_zeros_padding;
1082 break;
1083 #endif
1084 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1085 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1086 ctx->add_padding = add_zeros_and_len_padding;
1087 ctx->get_padding = get_zeros_and_len_padding;
1088 break;
1089 #endif
1090 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1091 case MBEDTLS_PADDING_ZEROS:
1092 ctx->add_padding = add_zeros_padding;
1093 ctx->get_padding = get_zeros_padding;
1094 break;
1095 #endif
1096 case MBEDTLS_PADDING_NONE:
1097 ctx->add_padding = NULL;
1098 ctx->get_padding = get_no_padding;
1099 break;
1100
1101 default:
1102 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1103 }
1104
1105 return( 0 );
1106 }
1107 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1108
1109 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_write_tag(mbedtls_cipher_context_t * ctx,unsigned char * tag,size_t tag_len)1110 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
1111 unsigned char *tag, size_t tag_len )
1112 {
1113 CIPHER_VALIDATE_RET( ctx != NULL );
1114 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1115 if( ctx->cipher_info == NULL )
1116 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1117
1118 if( MBEDTLS_ENCRYPT != ctx->operation )
1119 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1120
1121 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1122 if( ctx->psa_enabled == 1 )
1123 {
1124 /* While PSA Crypto has an API for multipart
1125 * operations, we currently don't make it
1126 * accessible through the cipher layer. */
1127 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1128 }
1129 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1130
1131 #if defined(MBEDTLS_GCM_C)
1132 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1133 return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
1134 tag, tag_len ) );
1135 #endif
1136
1137 #if defined(MBEDTLS_CHACHAPOLY_C)
1138 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1139 {
1140 /* Don't allow truncated MAC for Poly1305 */
1141 if ( tag_len != 16U )
1142 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1143
1144 return( mbedtls_chachapoly_finish(
1145 (mbedtls_chachapoly_context*) ctx->cipher_ctx, tag ) );
1146 }
1147 #endif
1148
1149 return( 0 );
1150 }
1151
mbedtls_cipher_check_tag(mbedtls_cipher_context_t * ctx,const unsigned char * tag,size_t tag_len)1152 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
1153 const unsigned char *tag, size_t tag_len )
1154 {
1155 unsigned char check_tag[16];
1156 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1157
1158 CIPHER_VALIDATE_RET( ctx != NULL );
1159 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1160 if( ctx->cipher_info == NULL )
1161 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1162
1163 if( MBEDTLS_DECRYPT != ctx->operation )
1164 {
1165 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1166 }
1167
1168 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1169 if( ctx->psa_enabled == 1 )
1170 {
1171 /* While PSA Crypto has an API for multipart
1172 * operations, we currently don't make it
1173 * accessible through the cipher layer. */
1174 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1175 }
1176 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1177
1178 /* Status to return on a non-authenticated algorithm. It would make sense
1179 * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps
1180 * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our
1181 * unit tests assume 0. */
1182 ret = 0;
1183
1184 #if defined(MBEDTLS_GCM_C)
1185 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1186 {
1187 if( tag_len > sizeof( check_tag ) )
1188 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1189
1190 if( 0 != ( ret = mbedtls_gcm_finish(
1191 (mbedtls_gcm_context *) ctx->cipher_ctx,
1192 check_tag, tag_len ) ) )
1193 {
1194 return( ret );
1195 }
1196
1197 /* Check the tag in "constant-time" */
1198 if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
1199 {
1200 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1201 goto exit;
1202 }
1203 }
1204 #endif /* MBEDTLS_GCM_C */
1205
1206 #if defined(MBEDTLS_CHACHAPOLY_C)
1207 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1208 {
1209 /* Don't allow truncated MAC for Poly1305 */
1210 if ( tag_len != sizeof( check_tag ) )
1211 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1212
1213 ret = mbedtls_chachapoly_finish(
1214 (mbedtls_chachapoly_context*) ctx->cipher_ctx, check_tag );
1215 if ( ret != 0 )
1216 {
1217 return( ret );
1218 }
1219
1220 /* Check the tag in "constant-time" */
1221 if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
1222 {
1223 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1224 goto exit;
1225 }
1226 }
1227 #endif /* MBEDTLS_CHACHAPOLY_C */
1228
1229 exit:
1230 mbedtls_platform_zeroize( check_tag, tag_len );
1231 return( ret );
1232 }
1233 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1234
1235 /*
1236 * Packet-oriented wrapper for non-AEAD modes
1237 */
mbedtls_cipher_crypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)1238 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
1239 const unsigned char *iv, size_t iv_len,
1240 const unsigned char *input, size_t ilen,
1241 unsigned char *output, size_t *olen )
1242 {
1243 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1244 size_t finish_olen;
1245
1246 CIPHER_VALIDATE_RET( ctx != NULL );
1247 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1248 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1249 CIPHER_VALIDATE_RET( output != NULL );
1250 CIPHER_VALIDATE_RET( olen != NULL );
1251
1252 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1253 if( ctx->psa_enabled == 1 )
1254 {
1255 /* As in the non-PSA case, we don't check that
1256 * a key has been set. If not, the key slot will
1257 * still be in its default state of 0, which is
1258 * guaranteed to be invalid, hence the PSA-call
1259 * below will gracefully fail. */
1260 mbedtls_cipher_context_psa * const cipher_psa =
1261 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1262
1263 psa_status_t status;
1264 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1265 size_t part_len;
1266
1267 if( ctx->operation == MBEDTLS_DECRYPT )
1268 {
1269 status = psa_cipher_decrypt_setup( &cipher_op,
1270 cipher_psa->slot,
1271 cipher_psa->alg );
1272 }
1273 else if( ctx->operation == MBEDTLS_ENCRYPT )
1274 {
1275 status = psa_cipher_encrypt_setup( &cipher_op,
1276 cipher_psa->slot,
1277 cipher_psa->alg );
1278 }
1279 else
1280 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1281
1282 /* In the following, we can immediately return on an error,
1283 * because the PSA Crypto API guarantees that cipher operations
1284 * are terminated by unsuccessful calls to psa_cipher_update(),
1285 * and by any call to psa_cipher_finish(). */
1286 if( status != PSA_SUCCESS )
1287 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1288
1289 if( ctx->cipher_info->mode != MBEDTLS_MODE_ECB )
1290 {
1291 status = psa_cipher_set_iv( &cipher_op, iv, iv_len );
1292 if( status != PSA_SUCCESS )
1293 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1294 }
1295
1296 status = psa_cipher_update( &cipher_op,
1297 input, ilen,
1298 output, ilen, olen );
1299 if( status != PSA_SUCCESS )
1300 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1301
1302 status = psa_cipher_finish( &cipher_op,
1303 output + *olen, ilen - *olen,
1304 &part_len );
1305 if( status != PSA_SUCCESS )
1306 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1307
1308 *olen += part_len;
1309 return( 0 );
1310 }
1311 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1312
1313 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
1314 return( ret );
1315
1316 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
1317 return( ret );
1318
1319 if( ( ret = mbedtls_cipher_update( ctx, input, ilen,
1320 output, olen ) ) != 0 )
1321 return( ret );
1322
1323 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen,
1324 &finish_olen ) ) != 0 )
1325 return( ret );
1326
1327 *olen += finish_olen;
1328
1329 return( 0 );
1330 }
1331
1332 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1333 /*
1334 * Packet-oriented encryption for AEAD modes: internal function shared by
1335 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
1336 */
mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1337 static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx,
1338 const unsigned char *iv, size_t iv_len,
1339 const unsigned char *ad, size_t ad_len,
1340 const unsigned char *input, size_t ilen,
1341 unsigned char *output, size_t *olen,
1342 unsigned char *tag, size_t tag_len )
1343 {
1344 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1345 if( ctx->psa_enabled == 1 )
1346 {
1347 /* As in the non-PSA case, we don't check that
1348 * a key has been set. If not, the key slot will
1349 * still be in its default state of 0, which is
1350 * guaranteed to be invalid, hence the PSA-call
1351 * below will gracefully fail. */
1352 mbedtls_cipher_context_psa * const cipher_psa =
1353 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1354
1355 psa_status_t status;
1356
1357 /* PSA Crypto API always writes the authentication tag
1358 * at the end of the encrypted message. */
1359 if( output == NULL || tag != output + ilen )
1360 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1361
1362 status = psa_aead_encrypt( cipher_psa->slot,
1363 cipher_psa->alg,
1364 iv, iv_len,
1365 ad, ad_len,
1366 input, ilen,
1367 output, ilen + tag_len, olen );
1368 if( status != PSA_SUCCESS )
1369 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1370
1371 *olen -= tag_len;
1372 return( 0 );
1373 }
1374 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1375
1376 #if defined(MBEDTLS_GCM_C)
1377 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1378 {
1379 *olen = ilen;
1380 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1381 ilen, iv, iv_len, ad, ad_len,
1382 input, output, tag_len, tag ) );
1383 }
1384 #endif /* MBEDTLS_GCM_C */
1385 #if defined(MBEDTLS_CCM_C)
1386 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1387 {
1388 *olen = ilen;
1389 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
1390 iv, iv_len, ad, ad_len, input, output,
1391 tag, tag_len ) );
1392 }
1393 #endif /* MBEDTLS_CCM_C */
1394 #if defined(MBEDTLS_CHACHAPOLY_C)
1395 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1396 {
1397 /* ChachaPoly has fixed length nonce and MAC (tag) */
1398 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1399 ( tag_len != 16U ) )
1400 {
1401 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1402 }
1403
1404 *olen = ilen;
1405 return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
1406 ilen, iv, ad, ad_len, input, output, tag ) );
1407 }
1408 #endif /* MBEDTLS_CHACHAPOLY_C */
1409
1410 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1411 }
1412
1413 /*
1414 * Packet-oriented encryption for AEAD modes: internal function shared by
1415 * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
1416 */
mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1417 static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx,
1418 const unsigned char *iv, size_t iv_len,
1419 const unsigned char *ad, size_t ad_len,
1420 const unsigned char *input, size_t ilen,
1421 unsigned char *output, size_t *olen,
1422 const unsigned char *tag, size_t tag_len )
1423 {
1424 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1425 if( ctx->psa_enabled == 1 )
1426 {
1427 /* As in the non-PSA case, we don't check that
1428 * a key has been set. If not, the key slot will
1429 * still be in its default state of 0, which is
1430 * guaranteed to be invalid, hence the PSA-call
1431 * below will gracefully fail. */
1432 mbedtls_cipher_context_psa * const cipher_psa =
1433 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1434
1435 psa_status_t status;
1436
1437 /* PSA Crypto API always writes the authentication tag
1438 * at the end of the encrypted message. */
1439 if( input == NULL || tag != input + ilen )
1440 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1441
1442 status = psa_aead_decrypt( cipher_psa->slot,
1443 cipher_psa->alg,
1444 iv, iv_len,
1445 ad, ad_len,
1446 input, ilen + tag_len,
1447 output, ilen, olen );
1448 if( status == PSA_ERROR_INVALID_SIGNATURE )
1449 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1450 else if( status != PSA_SUCCESS )
1451 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1452
1453 return( 0 );
1454 }
1455 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1456
1457 #if defined(MBEDTLS_GCM_C)
1458 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1459 {
1460 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1461
1462 *olen = ilen;
1463 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
1464 iv, iv_len, ad, ad_len,
1465 tag, tag_len, input, output );
1466
1467 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
1468 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1469
1470 return( ret );
1471 }
1472 #endif /* MBEDTLS_GCM_C */
1473 #if defined(MBEDTLS_CCM_C)
1474 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1475 {
1476 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1477
1478 *olen = ilen;
1479 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
1480 iv, iv_len, ad, ad_len,
1481 input, output, tag, tag_len );
1482
1483 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
1484 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1485
1486 return( ret );
1487 }
1488 #endif /* MBEDTLS_CCM_C */
1489 #if defined(MBEDTLS_CHACHAPOLY_C)
1490 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1491 {
1492 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1493
1494 /* ChachaPoly has fixed length nonce and MAC (tag) */
1495 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1496 ( tag_len != 16U ) )
1497 {
1498 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1499 }
1500
1501 *olen = ilen;
1502 ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
1503 iv, ad, ad_len, tag, input, output );
1504
1505 if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
1506 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1507
1508 return( ret );
1509 }
1510 #endif /* MBEDTLS_CHACHAPOLY_C */
1511
1512 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1513 }
1514
1515 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1516 /*
1517 * Packet-oriented encryption for AEAD modes: public legacy function.
1518 */
mbedtls_cipher_auth_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1519 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
1520 const unsigned char *iv, size_t iv_len,
1521 const unsigned char *ad, size_t ad_len,
1522 const unsigned char *input, size_t ilen,
1523 unsigned char *output, size_t *olen,
1524 unsigned char *tag, size_t tag_len )
1525 {
1526 CIPHER_VALIDATE_RET( ctx != NULL );
1527 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1528 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1529 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1530 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
1531 CIPHER_VALIDATE_RET( olen != NULL );
1532 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1533
1534 return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
1535 input, ilen, output, olen,
1536 tag, tag_len ) );
1537 }
1538
1539 /*
1540 * Packet-oriented decryption for AEAD modes: public legacy function.
1541 */
mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1542 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
1543 const unsigned char *iv, size_t iv_len,
1544 const unsigned char *ad, size_t ad_len,
1545 const unsigned char *input, size_t ilen,
1546 unsigned char *output, size_t *olen,
1547 const unsigned char *tag, size_t tag_len )
1548 {
1549 CIPHER_VALIDATE_RET( ctx != NULL );
1550 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1551 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1552 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1553 CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
1554 CIPHER_VALIDATE_RET( olen != NULL );
1555 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1556
1557 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
1558 input, ilen, output, olen,
1559 tag, tag_len ) );
1560 }
1561 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1562 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1563
1564 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1565 /*
1566 * Packet-oriented encryption for AEAD/NIST_KW: public function.
1567 */
mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1568 int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
1569 const unsigned char *iv, size_t iv_len,
1570 const unsigned char *ad, size_t ad_len,
1571 const unsigned char *input, size_t ilen,
1572 unsigned char *output, size_t output_len,
1573 size_t *olen, size_t tag_len )
1574 {
1575 CIPHER_VALIDATE_RET( ctx != NULL );
1576 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1577 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1578 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1579 CIPHER_VALIDATE_RET( output != NULL );
1580 CIPHER_VALIDATE_RET( olen != NULL );
1581
1582 #if defined(MBEDTLS_NIST_KW_C)
1583 if(
1584 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1585 ctx->psa_enabled == 0 &&
1586 #endif
1587 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1588 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
1589 {
1590 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1591 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1592
1593 /* There is no iv, tag or ad associated with KW and KWP,
1594 * so these length should be 0 as documented. */
1595 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1596 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1597
1598 (void) iv;
1599 (void) ad;
1600
1601 return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen,
1602 output, olen, output_len ) );
1603 }
1604 #endif /* MBEDTLS_NIST_KW_C */
1605
1606 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1607 /* AEAD case: check length before passing on to shared function */
1608 if( output_len < ilen + tag_len )
1609 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1610
1611 int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
1612 input, ilen, output, olen,
1613 output + ilen, tag_len );
1614 *olen += tag_len;
1615 return( ret );
1616 #else
1617 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1618 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1619 }
1620
1621 /*
1622 * Packet-oriented decryption for AEAD/NIST_KW: public function.
1623 */
mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t output_len,size_t * olen,size_t tag_len)1624 int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
1625 const unsigned char *iv, size_t iv_len,
1626 const unsigned char *ad, size_t ad_len,
1627 const unsigned char *input, size_t ilen,
1628 unsigned char *output, size_t output_len,
1629 size_t *olen, size_t tag_len )
1630 {
1631 CIPHER_VALIDATE_RET( ctx != NULL );
1632 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1633 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1634 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1635 CIPHER_VALIDATE_RET( output_len == 0 || output != NULL );
1636 CIPHER_VALIDATE_RET( olen != NULL );
1637
1638 #if defined(MBEDTLS_NIST_KW_C)
1639 if(
1640 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1641 ctx->psa_enabled == 0 &&
1642 #endif
1643 ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1644 MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
1645 {
1646 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1647 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1648
1649 /* There is no iv, tag or ad associated with KW and KWP,
1650 * so these length should be 0 as documented. */
1651 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1652 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1653
1654 (void) iv;
1655 (void) ad;
1656
1657 return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen,
1658 output, olen, output_len ) );
1659 }
1660 #endif /* MBEDTLS_NIST_KW_C */
1661
1662 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1663 /* AEAD case: check length before passing on to shared function */
1664 if( ilen < tag_len || output_len < ilen - tag_len )
1665 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1666
1667 return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
1668 input, ilen - tag_len, output, olen,
1669 input + ilen - tag_len, tag_len ) );
1670 #else
1671 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1672 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1673 }
1674 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1675
1676 #endif /* MBEDTLS_CIPHER_C */
1677