1 /**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for mbed TLS
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
8 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
9 * SPDX-License-Identifier: Apache-2.0
10 *
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
22 *
23 * This file is part of mbed TLS (https://tls.mbed.org)
24 */
25
26 #if !defined(MBEDTLS_CONFIG_FILE)
27 #include "mbedtls/config.h"
28 #else
29 #include MBEDTLS_CONFIG_FILE
30 #endif
31
32 #if defined(MBEDTLS_CIPHER_C)
33
34 #include "mbedtls/cipher.h"
35 #include "mbedtls/cipher_internal.h"
36 #include "mbedtls/platform_util.h"
37
38 #include <stdlib.h>
39 #include <string.h>
40
41 #if defined(MBEDTLS_CHACHAPOLY_C)
42 #include "mbedtls/chachapoly.h"
43 #endif
44
45 #if defined(MBEDTLS_GCM_C)
46 #include "mbedtls/gcm.h"
47 #endif
48
49 #if defined(MBEDTLS_CCM_C)
50 #include "mbedtls/ccm.h"
51 #endif
52
53 #if defined(MBEDTLS_CHACHA20_C)
54 #include "mbedtls/chacha20.h"
55 #endif
56
57 #if defined(MBEDTLS_CMAC_C)
58 #include "mbedtls/cmac.h"
59 #endif
60
61 #if defined(MBEDTLS_PLATFORM_C)
62 #include "mbedtls/platform.h"
63 #else
64 #define mbedtls_calloc calloc
65 #define mbedtls_free free
66 #endif
67
68 #define CIPHER_VALIDATE_RET( cond ) \
69 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
70 #define CIPHER_VALIDATE( cond ) \
71 MBEDTLS_INTERNAL_VALIDATE( cond )
72
73 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
74 /* Compare the contents of two buffers in constant time.
75 * Returns 0 if the contents are bitwise identical, otherwise returns
76 * a non-zero value.
77 * This is currently only used by GCM and ChaCha20+Poly1305.
78 */
mbedtls_constant_time_memcmp(const void * v1,const void * v2,size_t len)79 static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, size_t len )
80 {
81 const unsigned char *p1 = (const unsigned char*) v1;
82 const unsigned char *p2 = (const unsigned char*) v2;
83 size_t i;
84 unsigned char diff;
85
86 for( diff = 0, i = 0; i < len; i++ )
87 diff |= p1[i] ^ p2[i];
88
89 return( (int)diff );
90 }
91 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
92
93 static int supported_init = 0;
94
mbedtls_cipher_list(void)95 const int *mbedtls_cipher_list( void )
96 {
97 const mbedtls_cipher_definition_t *def;
98 int *type;
99
100 if( ! supported_init )
101 {
102 def = mbedtls_cipher_definitions;
103 type = mbedtls_cipher_supported;
104
105 while( def->type != 0 )
106 *type++ = (*def++).type;
107
108 *type = 0;
109
110 supported_init = 1;
111 }
112
113 return( mbedtls_cipher_supported );
114 }
115
mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)116 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type )
117 {
118 const mbedtls_cipher_definition_t *def;
119
120 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
121 if( def->type == cipher_type )
122 return( def->info );
123
124 return( NULL );
125 }
126
mbedtls_cipher_info_from_string(const char * cipher_name)127 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name )
128 {
129 const mbedtls_cipher_definition_t *def;
130
131 if( NULL == cipher_name )
132 return( NULL );
133
134 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
135 if( ! strcmp( def->info->name, cipher_name ) )
136 return( def->info );
137
138 return( NULL );
139 }
140
mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,int key_bitlen,const mbedtls_cipher_mode_t mode)141 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
142 int key_bitlen,
143 const mbedtls_cipher_mode_t mode )
144 {
145 const mbedtls_cipher_definition_t *def;
146
147 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
148 if( def->info->base->cipher == cipher_id &&
149 def->info->key_bitlen == (unsigned) key_bitlen &&
150 def->info->mode == mode )
151 return( def->info );
152
153 return( NULL );
154 }
155
mbedtls_cipher_init(mbedtls_cipher_context_t * ctx)156 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
157 {
158 CIPHER_VALIDATE( ctx != NULL );
159 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
160 }
161
mbedtls_cipher_free(mbedtls_cipher_context_t * ctx)162 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
163 {
164 if( ctx == NULL )
165 return;
166
167 #if defined(MBEDTLS_CMAC_C)
168 if( ctx->cmac_ctx )
169 {
170 mbedtls_platform_zeroize( ctx->cmac_ctx,
171 sizeof( mbedtls_cmac_context_t ) );
172 mbedtls_free( ctx->cmac_ctx );
173 }
174 #endif
175
176 if( ctx->cipher_ctx )
177 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
178
179 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
180 }
181
mbedtls_cipher_setup(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info)182 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
183 {
184 CIPHER_VALIDATE_RET( ctx != NULL );
185 if( cipher_info == NULL )
186 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
187
188 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
189
190 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
191 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
192
193 ctx->cipher_info = cipher_info;
194
195 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
196 /*
197 * Ignore possible errors caused by a cipher mode that doesn't use padding
198 */
199 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
200 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
201 #else
202 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
203 #endif
204 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
205
206 return( 0 );
207 }
208
mbedtls_cipher_setkey(mbedtls_cipher_context_t * ctx,const unsigned char * key,int key_bitlen,const mbedtls_operation_t operation)209 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
210 const unsigned char *key,
211 int key_bitlen,
212 const mbedtls_operation_t operation )
213 {
214 CIPHER_VALIDATE_RET( ctx != NULL );
215 CIPHER_VALIDATE_RET( key != NULL );
216 CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
217 operation == MBEDTLS_DECRYPT );
218 if( ctx->cipher_info == NULL )
219 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
220
221 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
222 (int) ctx->cipher_info->key_bitlen != key_bitlen )
223 {
224 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
225 }
226
227 ctx->key_bitlen = key_bitlen;
228 ctx->operation = operation;
229
230 /*
231 * For OFB, CFB and CTR mode always use the encryption key schedule
232 */
233 if( MBEDTLS_ENCRYPT == operation ||
234 MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
235 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
236 MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
237 {
238 return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
239 ctx->key_bitlen ) );
240 }
241
242 if( MBEDTLS_DECRYPT == operation )
243 return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
244 ctx->key_bitlen ) );
245
246 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
247 }
248
mbedtls_cipher_set_iv(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len)249 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
250 const unsigned char *iv,
251 size_t iv_len )
252 {
253 size_t actual_iv_size;
254
255 CIPHER_VALIDATE_RET( ctx != NULL );
256 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
257 if( ctx->cipher_info == NULL )
258 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
259
260 /* avoid buffer overflow in ctx->iv */
261 if( iv_len > MBEDTLS_MAX_IV_LENGTH )
262 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
263
264 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
265 actual_iv_size = iv_len;
266 else
267 {
268 actual_iv_size = ctx->cipher_info->iv_size;
269
270 /* avoid reading past the end of input buffer */
271 if( actual_iv_size > iv_len )
272 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
273 }
274
275 #if defined(MBEDTLS_CHACHA20_C)
276 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
277 {
278 if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
279 iv,
280 0U ) ) /* Initial counter value */
281 {
282 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
283 }
284 }
285 #endif
286
287 if ( actual_iv_size != 0 )
288 {
289 memcpy( ctx->iv, iv, actual_iv_size );
290 ctx->iv_size = actual_iv_size;
291 }
292
293 return( 0 );
294 }
295
mbedtls_cipher_reset(mbedtls_cipher_context_t * ctx)296 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
297 {
298 CIPHER_VALIDATE_RET( ctx != NULL );
299 if( ctx->cipher_info == NULL )
300 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
301
302 ctx->unprocessed_len = 0;
303
304 return( 0 );
305 }
306
307 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_update_ad(mbedtls_cipher_context_t * ctx,const unsigned char * ad,size_t ad_len)308 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
309 const unsigned char *ad, size_t ad_len )
310 {
311 CIPHER_VALIDATE_RET( ctx != NULL );
312 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
313 if( ctx->cipher_info == NULL )
314 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
315
316 #if defined(MBEDTLS_GCM_C)
317 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
318 {
319 return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
320 ctx->iv, ctx->iv_size, ad, ad_len ) );
321 }
322 #endif
323
324 #if defined(MBEDTLS_CHACHAPOLY_C)
325 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
326 {
327 int result;
328 mbedtls_chachapoly_mode_t mode;
329
330 mode = ( ctx->operation == MBEDTLS_ENCRYPT )
331 ? MBEDTLS_CHACHAPOLY_ENCRYPT
332 : MBEDTLS_CHACHAPOLY_DECRYPT;
333
334 result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
335 ctx->iv,
336 mode );
337 if ( result != 0 )
338 return( result );
339
340 return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
341 ad, ad_len ) );
342 }
343 #endif
344
345 return( 0 );
346 }
347 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
348
mbedtls_cipher_update(mbedtls_cipher_context_t * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)349 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
350 size_t ilen, unsigned char *output, size_t *olen )
351 {
352 int ret;
353 size_t block_size;
354
355 CIPHER_VALIDATE_RET( ctx != NULL );
356 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
357 CIPHER_VALIDATE_RET( output != NULL );
358 CIPHER_VALIDATE_RET( olen != NULL );
359 if( ctx->cipher_info == NULL )
360 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
361
362 *olen = 0;
363 block_size = mbedtls_cipher_get_block_size( ctx );
364
365 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
366 {
367 if( ilen != block_size )
368 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
369
370 *olen = ilen;
371
372 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
373 ctx->operation, input, output ) ) )
374 {
375 return( ret );
376 }
377
378 return( 0 );
379 }
380
381 #if defined(MBEDTLS_GCM_C)
382 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
383 {
384 *olen = ilen;
385 return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
386 output ) );
387 }
388 #endif
389
390 #if defined(MBEDTLS_CHACHAPOLY_C)
391 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
392 {
393 *olen = ilen;
394 return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
395 ilen, input, output ) );
396 }
397 #endif
398
399 if ( 0 == block_size )
400 {
401 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
402 }
403
404 if( input == output &&
405 ( ctx->unprocessed_len != 0 || ilen % block_size ) )
406 {
407 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
408 }
409
410 #if defined(MBEDTLS_CIPHER_MODE_CBC)
411 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
412 {
413 size_t copy_len = 0;
414
415 /*
416 * If there is not enough data for a full block, cache it.
417 */
418 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
419 ilen <= block_size - ctx->unprocessed_len ) ||
420 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
421 ilen < block_size - ctx->unprocessed_len ) ||
422 ( ctx->operation == MBEDTLS_ENCRYPT &&
423 ilen < block_size - ctx->unprocessed_len ) )
424 {
425 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
426 ilen );
427
428 ctx->unprocessed_len += ilen;
429 return( 0 );
430 }
431
432 /*
433 * Process cached data first
434 */
435 if( 0 != ctx->unprocessed_len )
436 {
437 copy_len = block_size - ctx->unprocessed_len;
438
439 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
440 copy_len );
441
442 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
443 ctx->operation, block_size, ctx->iv,
444 ctx->unprocessed_data, output ) ) )
445 {
446 return( ret );
447 }
448
449 *olen += block_size;
450 output += block_size;
451 ctx->unprocessed_len = 0;
452
453 input += copy_len;
454 ilen -= copy_len;
455 }
456
457 /*
458 * Cache final, incomplete block
459 */
460 if( 0 != ilen )
461 {
462 if( 0 == block_size )
463 {
464 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
465 }
466
467 /* Encryption: only cache partial blocks
468 * Decryption w/ padding: always keep at least one whole block
469 * Decryption w/o padding: only cache partial blocks
470 */
471 copy_len = ilen % block_size;
472 if( copy_len == 0 &&
473 ctx->operation == MBEDTLS_DECRYPT &&
474 NULL != ctx->add_padding)
475 {
476 copy_len = block_size;
477 }
478
479 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
480 copy_len );
481
482 ctx->unprocessed_len += copy_len;
483 ilen -= copy_len;
484 }
485
486 /*
487 * Process remaining full blocks
488 */
489 if( ilen )
490 {
491 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
492 ctx->operation, ilen, ctx->iv, input, output ) ) )
493 {
494 return( ret );
495 }
496
497 *olen += ilen;
498 }
499
500 return( 0 );
501 }
502 #endif /* MBEDTLS_CIPHER_MODE_CBC */
503
504 #if defined(MBEDTLS_CIPHER_MODE_CFB)
505 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
506 {
507 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
508 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
509 input, output ) ) )
510 {
511 return( ret );
512 }
513
514 *olen = ilen;
515
516 return( 0 );
517 }
518 #endif /* MBEDTLS_CIPHER_MODE_CFB */
519
520 #if defined(MBEDTLS_CIPHER_MODE_OFB)
521 if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
522 {
523 if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
524 ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
525 {
526 return( ret );
527 }
528
529 *olen = ilen;
530
531 return( 0 );
532 }
533 #endif /* MBEDTLS_CIPHER_MODE_OFB */
534
535 #if defined(MBEDTLS_CIPHER_MODE_CTR)
536 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
537 {
538 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
539 ilen, &ctx->unprocessed_len, ctx->iv,
540 ctx->unprocessed_data, input, output ) ) )
541 {
542 return( ret );
543 }
544
545 *olen = ilen;
546
547 return( 0 );
548 }
549 #endif /* MBEDTLS_CIPHER_MODE_CTR */
550
551 #if defined(MBEDTLS_CIPHER_MODE_XTS)
552 if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
553 {
554 if( ctx->unprocessed_len > 0 ) {
555 /* We can only process an entire data unit at a time. */
556 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
557 }
558
559 ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
560 ctx->operation, ilen, ctx->iv, input, output );
561 if( ret != 0 )
562 {
563 return( ret );
564 }
565
566 *olen = ilen;
567
568 return( 0 );
569 }
570 #endif /* MBEDTLS_CIPHER_MODE_XTS */
571
572 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
573 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
574 {
575 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
576 ilen, input, output ) ) )
577 {
578 return( ret );
579 }
580
581 *olen = ilen;
582
583 return( 0 );
584 }
585 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
586
587 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
588 }
589
590 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
591 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
592 /*
593 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
594 */
add_pkcs_padding(unsigned char * output,size_t output_len,size_t data_len)595 static void add_pkcs_padding( unsigned char *output, size_t output_len,
596 size_t data_len )
597 {
598 size_t padding_len = output_len - data_len;
599 unsigned char i;
600
601 for( i = 0; i < padding_len; i++ )
602 output[data_len + i] = (unsigned char) padding_len;
603 }
604
get_pkcs_padding(unsigned char * input,size_t input_len,size_t * data_len)605 static int get_pkcs_padding( unsigned char *input, size_t input_len,
606 size_t *data_len )
607 {
608 size_t i, pad_idx;
609 unsigned char padding_len, bad = 0;
610
611 if( NULL == input || NULL == data_len )
612 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
613
614 padding_len = input[input_len - 1];
615 *data_len = input_len - padding_len;
616
617 /* Avoid logical || since it results in a branch */
618 bad |= padding_len > input_len;
619 bad |= padding_len == 0;
620
621 /* The number of bytes checked must be independent of padding_len,
622 * so pick input_len, which is usually 8 or 16 (one block) */
623 pad_idx = input_len - padding_len;
624 for( i = 0; i < input_len; i++ )
625 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
626
627 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
628 }
629 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
630
631 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
632 /*
633 * One and zeros padding: fill with 80 00 ... 00
634 */
add_one_and_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)635 static void add_one_and_zeros_padding( unsigned char *output,
636 size_t output_len, size_t data_len )
637 {
638 size_t padding_len = output_len - data_len;
639 unsigned char i = 0;
640
641 output[data_len] = 0x80;
642 for( i = 1; i < padding_len; i++ )
643 output[data_len + i] = 0x00;
644 }
645
get_one_and_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)646 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
647 size_t *data_len )
648 {
649 size_t i;
650 unsigned char done = 0, prev_done, bad;
651
652 if( NULL == input || NULL == data_len )
653 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
654
655 bad = 0x80;
656 *data_len = 0;
657 for( i = input_len; i > 0; i-- )
658 {
659 prev_done = done;
660 done |= ( input[i - 1] != 0 );
661 *data_len |= ( i - 1 ) * ( done != prev_done );
662 bad ^= input[i - 1] * ( done != prev_done );
663 }
664
665 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
666
667 }
668 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
669
670 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
671 /*
672 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
673 */
add_zeros_and_len_padding(unsigned char * output,size_t output_len,size_t data_len)674 static void add_zeros_and_len_padding( unsigned char *output,
675 size_t output_len, size_t data_len )
676 {
677 size_t padding_len = output_len - data_len;
678 unsigned char i = 0;
679
680 for( i = 1; i < padding_len; i++ )
681 output[data_len + i - 1] = 0x00;
682 output[output_len - 1] = (unsigned char) padding_len;
683 }
684
get_zeros_and_len_padding(unsigned char * input,size_t input_len,size_t * data_len)685 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
686 size_t *data_len )
687 {
688 size_t i, pad_idx;
689 unsigned char padding_len, bad = 0;
690
691 if( NULL == input || NULL == data_len )
692 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
693
694 padding_len = input[input_len - 1];
695 *data_len = input_len - padding_len;
696
697 /* Avoid logical || since it results in a branch */
698 bad |= padding_len > input_len;
699 bad |= padding_len == 0;
700
701 /* The number of bytes checked must be independent of padding_len */
702 pad_idx = input_len - padding_len;
703 for( i = 0; i < input_len - 1; i++ )
704 bad |= input[i] * ( i >= pad_idx );
705
706 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
707 }
708 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
709
710 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
711 /*
712 * Zero padding: fill with 00 ... 00
713 */
add_zeros_padding(unsigned char * output,size_t output_len,size_t data_len)714 static void add_zeros_padding( unsigned char *output,
715 size_t output_len, size_t data_len )
716 {
717 size_t i;
718
719 for( i = data_len; i < output_len; i++ )
720 output[i] = 0x00;
721 }
722
get_zeros_padding(unsigned char * input,size_t input_len,size_t * data_len)723 static int get_zeros_padding( unsigned char *input, size_t input_len,
724 size_t *data_len )
725 {
726 size_t i;
727 unsigned char done = 0, prev_done;
728
729 if( NULL == input || NULL == data_len )
730 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
731
732 *data_len = 0;
733 for( i = input_len; i > 0; i-- )
734 {
735 prev_done = done;
736 done |= ( input[i-1] != 0 );
737 *data_len |= i * ( done != prev_done );
738 }
739
740 return( 0 );
741 }
742 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
743
744 /*
745 * No padding: don't pad :)
746 *
747 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
748 * but a trivial get_padding function
749 */
get_no_padding(unsigned char * input,size_t input_len,size_t * data_len)750 static int get_no_padding( unsigned char *input, size_t input_len,
751 size_t *data_len )
752 {
753 if( NULL == input || NULL == data_len )
754 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
755
756 *data_len = input_len;
757
758 return( 0 );
759 }
760 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
761
mbedtls_cipher_finish(mbedtls_cipher_context_t * ctx,unsigned char * output,size_t * olen)762 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
763 unsigned char *output, size_t *olen )
764 {
765 CIPHER_VALIDATE_RET( ctx != NULL );
766 CIPHER_VALIDATE_RET( output != NULL );
767 CIPHER_VALIDATE_RET( olen != NULL );
768 if( ctx->cipher_info == NULL )
769 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
770
771 *olen = 0;
772
773 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
774 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
775 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
776 MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
777 MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
778 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
779 {
780 return( 0 );
781 }
782
783 if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
784 ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
785 {
786 return( 0 );
787 }
788
789 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
790 {
791 if( ctx->unprocessed_len != 0 )
792 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
793
794 return( 0 );
795 }
796
797 #if defined(MBEDTLS_CIPHER_MODE_CBC)
798 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
799 {
800 int ret = 0;
801
802 if( MBEDTLS_ENCRYPT == ctx->operation )
803 {
804 /* check for 'no padding' mode */
805 if( NULL == ctx->add_padding )
806 {
807 if( 0 != ctx->unprocessed_len )
808 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
809
810 return( 0 );
811 }
812
813 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
814 ctx->unprocessed_len );
815 }
816 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
817 {
818 /*
819 * For decrypt operations, expect a full block,
820 * or an empty block if no padding
821 */
822 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
823 return( 0 );
824
825 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
826 }
827
828 /* cipher block */
829 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
830 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
831 ctx->unprocessed_data, output ) ) )
832 {
833 return( ret );
834 }
835
836 /* Set output size for decryption */
837 if( MBEDTLS_DECRYPT == ctx->operation )
838 return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
839 olen ) );
840
841 /* Set output size for encryption */
842 *olen = mbedtls_cipher_get_block_size( ctx );
843 return( 0 );
844 }
845 #else
846 ((void) output);
847 #endif /* MBEDTLS_CIPHER_MODE_CBC */
848
849 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
850 }
851
852 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t * ctx,mbedtls_cipher_padding_t mode)853 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
854 mbedtls_cipher_padding_t mode )
855 {
856 CIPHER_VALIDATE_RET( ctx != NULL );
857
858 if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
859 {
860 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
861 }
862
863 switch( mode )
864 {
865 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
866 case MBEDTLS_PADDING_PKCS7:
867 ctx->add_padding = add_pkcs_padding;
868 ctx->get_padding = get_pkcs_padding;
869 break;
870 #endif
871 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
872 case MBEDTLS_PADDING_ONE_AND_ZEROS:
873 ctx->add_padding = add_one_and_zeros_padding;
874 ctx->get_padding = get_one_and_zeros_padding;
875 break;
876 #endif
877 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
878 case MBEDTLS_PADDING_ZEROS_AND_LEN:
879 ctx->add_padding = add_zeros_and_len_padding;
880 ctx->get_padding = get_zeros_and_len_padding;
881 break;
882 #endif
883 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
884 case MBEDTLS_PADDING_ZEROS:
885 ctx->add_padding = add_zeros_padding;
886 ctx->get_padding = get_zeros_padding;
887 break;
888 #endif
889 case MBEDTLS_PADDING_NONE:
890 ctx->add_padding = NULL;
891 ctx->get_padding = get_no_padding;
892 break;
893
894 default:
895 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
896 }
897
898 return( 0 );
899 }
900 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
901
902 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
mbedtls_cipher_write_tag(mbedtls_cipher_context_t * ctx,unsigned char * tag,size_t tag_len)903 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
904 unsigned char *tag, size_t tag_len )
905 {
906 CIPHER_VALIDATE_RET( ctx != NULL );
907 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
908 if( ctx->cipher_info == NULL )
909 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
910
911 if( MBEDTLS_ENCRYPT != ctx->operation )
912 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
913
914 #if defined(MBEDTLS_GCM_C)
915 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
916 return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
917 tag, tag_len ) );
918 #endif
919
920 #if defined(MBEDTLS_CHACHAPOLY_C)
921 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
922 {
923 /* Don't allow truncated MAC for Poly1305 */
924 if ( tag_len != 16U )
925 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
926
927 return( mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
928 tag ) );
929 }
930 #endif
931
932 return( 0 );
933 }
934
mbedtls_cipher_check_tag(mbedtls_cipher_context_t * ctx,const unsigned char * tag,size_t tag_len)935 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
936 const unsigned char *tag, size_t tag_len )
937 {
938 unsigned char check_tag[16];
939 int ret;
940
941 CIPHER_VALIDATE_RET( ctx != NULL );
942 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
943 if( ctx->cipher_info == NULL )
944 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
945
946 if( MBEDTLS_DECRYPT != ctx->operation )
947 {
948 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
949 }
950
951 #if defined(MBEDTLS_GCM_C)
952 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
953 {
954 if( tag_len > sizeof( check_tag ) )
955 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
956
957 if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
958 check_tag, tag_len ) ) )
959 {
960 return( ret );
961 }
962
963 /* Check the tag in "constant-time" */
964 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
965 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
966
967 return( 0 );
968 }
969 #endif /* MBEDTLS_GCM_C */
970
971 #if defined(MBEDTLS_CHACHAPOLY_C)
972 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
973 {
974 /* Don't allow truncated MAC for Poly1305 */
975 if ( tag_len != sizeof( check_tag ) )
976 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
977
978 ret = mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
979 check_tag );
980 if ( ret != 0 )
981 {
982 return( ret );
983 }
984
985 /* Check the tag in "constant-time" */
986 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
987 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
988
989 return( 0 );
990 }
991 #endif /* MBEDTLS_CHACHAPOLY_C */
992
993 return( 0 );
994 }
995 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
996
997 /*
998 * Packet-oriented wrapper for non-AEAD modes
999 */
mbedtls_cipher_crypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)1000 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
1001 const unsigned char *iv, size_t iv_len,
1002 const unsigned char *input, size_t ilen,
1003 unsigned char *output, size_t *olen )
1004 {
1005 int ret;
1006 size_t finish_olen;
1007
1008 CIPHER_VALIDATE_RET( ctx != NULL );
1009 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1010 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1011 CIPHER_VALIDATE_RET( output != NULL );
1012 CIPHER_VALIDATE_RET( olen != NULL );
1013
1014 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
1015 return( ret );
1016
1017 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
1018 return( ret );
1019
1020 if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
1021 return( ret );
1022
1023 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
1024 return( ret );
1025
1026 *olen += finish_olen;
1027
1028 return( 0 );
1029 }
1030
1031 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1032 /*
1033 * Packet-oriented encryption for AEAD modes
1034 */
mbedtls_cipher_auth_encrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,unsigned char * tag,size_t tag_len)1035 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
1036 const unsigned char *iv, size_t iv_len,
1037 const unsigned char *ad, size_t ad_len,
1038 const unsigned char *input, size_t ilen,
1039 unsigned char *output, size_t *olen,
1040 unsigned char *tag, size_t tag_len )
1041 {
1042 CIPHER_VALIDATE_RET( ctx != NULL );
1043 CIPHER_VALIDATE_RET( iv != NULL );
1044 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1045 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1046 CIPHER_VALIDATE_RET( output != NULL );
1047 CIPHER_VALIDATE_RET( olen != NULL );
1048 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1049
1050 #if defined(MBEDTLS_GCM_C)
1051 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1052 {
1053 *olen = ilen;
1054 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
1055 iv, iv_len, ad, ad_len, input, output,
1056 tag_len, tag ) );
1057 }
1058 #endif /* MBEDTLS_GCM_C */
1059 #if defined(MBEDTLS_CCM_C)
1060 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1061 {
1062 *olen = ilen;
1063 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
1064 iv, iv_len, ad, ad_len, input, output,
1065 tag, tag_len ) );
1066 }
1067 #endif /* MBEDTLS_CCM_C */
1068 #if defined(MBEDTLS_CHACHAPOLY_C)
1069 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1070 {
1071 /* ChachaPoly has fixed length nonce and MAC (tag) */
1072 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1073 ( tag_len != 16U ) )
1074 {
1075 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1076 }
1077
1078 *olen = ilen;
1079 return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
1080 ilen, iv, ad, ad_len, input, output, tag ) );
1081 }
1082 #endif /* MBEDTLS_CHACHAPOLY_C */
1083
1084 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1085 }
1086
1087 /*
1088 * Packet-oriented decryption for AEAD modes
1089 */
mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t * ctx,const unsigned char * iv,size_t iv_len,const unsigned char * ad,size_t ad_len,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,const unsigned char * tag,size_t tag_len)1090 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
1091 const unsigned char *iv, size_t iv_len,
1092 const unsigned char *ad, size_t ad_len,
1093 const unsigned char *input, size_t ilen,
1094 unsigned char *output, size_t *olen,
1095 const unsigned char *tag, size_t tag_len )
1096 {
1097 CIPHER_VALIDATE_RET( ctx != NULL );
1098 CIPHER_VALIDATE_RET( iv != NULL );
1099 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1100 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1101 CIPHER_VALIDATE_RET( output != NULL );
1102 CIPHER_VALIDATE_RET( olen != NULL );
1103 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1104
1105 #if defined(MBEDTLS_GCM_C)
1106 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1107 {
1108 int ret;
1109
1110 *olen = ilen;
1111 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
1112 iv, iv_len, ad, ad_len,
1113 tag, tag_len, input, output );
1114
1115 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
1116 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1117
1118 return( ret );
1119 }
1120 #endif /* MBEDTLS_GCM_C */
1121 #if defined(MBEDTLS_CCM_C)
1122 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1123 {
1124 int ret;
1125
1126 *olen = ilen;
1127 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
1128 iv, iv_len, ad, ad_len,
1129 input, output, tag, tag_len );
1130
1131 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
1132 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1133
1134 return( ret );
1135 }
1136 #endif /* MBEDTLS_CCM_C */
1137 #if defined(MBEDTLS_CHACHAPOLY_C)
1138 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1139 {
1140 int ret;
1141
1142 /* ChachaPoly has fixed length nonce and MAC (tag) */
1143 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1144 ( tag_len != 16U ) )
1145 {
1146 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1147 }
1148
1149 *olen = ilen;
1150 ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
1151 iv, ad, ad_len, tag, input, output );
1152
1153 if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
1154 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1155
1156 return( ret );
1157 }
1158 #endif /* MBEDTLS_CHACHAPOLY_C */
1159
1160 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1161 }
1162 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1163
1164 #endif /* MBEDTLS_CIPHER_C */
1165