1 /*
2 * PSA AEAD entry points
3 */
4 /*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_PSA_CRYPTO_C)
24
25 #include "psa_crypto_aead.h"
26 #include "psa_crypto_core.h"
27
28 #include <string.h>
29 #include "mbedtls/platform.h"
30 #if !defined(MBEDTLS_PLATFORM_C)
31 #define mbedtls_calloc calloc
32 #define mbedtls_free free
33 #endif
34
35 #include "mbedtls/ccm.h"
36 #include "mbedtls/chachapoly.h"
37 #include "mbedtls/cipher.h"
38 #include "mbedtls/gcm.h"
39 #include "mbedtls/error.h"
40
psa_aead_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)41 static psa_status_t psa_aead_setup(
42 mbedtls_psa_aead_operation_t *operation,
43 const psa_key_attributes_t *attributes,
44 const uint8_t *key_buffer,
45 size_t key_buffer_size,
46 psa_algorithm_t alg )
47 {
48 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
49 size_t key_bits;
50 const mbedtls_cipher_info_t *cipher_info;
51 mbedtls_cipher_id_t cipher_id;
52 size_t full_tag_length = 0;
53
54 ( void ) key_buffer_size;
55
56 key_bits = attributes->core.bits;
57
58 cipher_info = mbedtls_cipher_info_from_psa( alg,
59 attributes->core.type, key_bits,
60 &cipher_id );
61 if( cipher_info == NULL )
62 return( PSA_ERROR_NOT_SUPPORTED );
63
64 switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) )
65 {
66 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
67 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
68 operation->alg = PSA_ALG_CCM;
69 full_tag_length = 16;
70 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
71 * The call to mbedtls_ccm_encrypt_and_tag or
72 * mbedtls_ccm_auth_decrypt will validate the tag length. */
73 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
74 return( PSA_ERROR_INVALID_ARGUMENT );
75
76 mbedtls_ccm_init( &operation->ctx.ccm );
77 status = mbedtls_to_psa_error(
78 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
79 key_buffer, (unsigned int) key_bits ) );
80 if( status != PSA_SUCCESS )
81 return( status );
82 break;
83 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
84
85 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
86 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
87 operation->alg = PSA_ALG_GCM;
88 full_tag_length = 16;
89 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
90 * The call to mbedtls_gcm_crypt_and_tag or
91 * mbedtls_gcm_auth_decrypt will validate the tag length. */
92 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
93 return( PSA_ERROR_INVALID_ARGUMENT );
94
95 mbedtls_gcm_init( &operation->ctx.gcm );
96 status = mbedtls_to_psa_error(
97 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
98 key_buffer, (unsigned int) key_bits ) );
99 if( status != PSA_SUCCESS )
100 return( status );
101 break;
102 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
103
104 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
105 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
106 operation->alg = PSA_ALG_CHACHA20_POLY1305;
107 full_tag_length = 16;
108 /* We only support the default tag length. */
109 if( alg != PSA_ALG_CHACHA20_POLY1305 )
110 return( PSA_ERROR_NOT_SUPPORTED );
111
112 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
113 status = mbedtls_to_psa_error(
114 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
115 key_buffer ) );
116 if( status != PSA_SUCCESS )
117 return( status );
118 break;
119 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
120
121 default:
122 return( PSA_ERROR_NOT_SUPPORTED );
123 }
124
125 if( PSA_AEAD_TAG_LENGTH( attributes->core.type,
126 key_bits, alg )
127 > full_tag_length )
128 return( PSA_ERROR_INVALID_ARGUMENT );
129
130 operation->key_type = psa_get_key_type( attributes );
131
132 operation->tag_length = PSA_AEAD_TAG_LENGTH( operation->key_type,
133 key_bits,
134 alg );
135
136 return( PSA_SUCCESS );
137 }
138
mbedtls_psa_aead_encrypt(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * nonce,size_t nonce_length,const uint8_t * additional_data,size_t additional_data_length,const uint8_t * plaintext,size_t plaintext_length,uint8_t * ciphertext,size_t ciphertext_size,size_t * ciphertext_length)139 psa_status_t mbedtls_psa_aead_encrypt(
140 const psa_key_attributes_t *attributes,
141 const uint8_t *key_buffer, size_t key_buffer_size,
142 psa_algorithm_t alg,
143 const uint8_t *nonce, size_t nonce_length,
144 const uint8_t *additional_data, size_t additional_data_length,
145 const uint8_t *plaintext, size_t plaintext_length,
146 uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length )
147 {
148 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
149 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
150 uint8_t *tag;
151
152 status = psa_aead_setup( &operation, attributes, key_buffer,
153 key_buffer_size, alg );
154
155 if( status != PSA_SUCCESS )
156 goto exit;
157
158 /* For all currently supported modes, the tag is at the end of the
159 * ciphertext. */
160 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
161 {
162 status = PSA_ERROR_BUFFER_TOO_SMALL;
163 goto exit;
164 }
165 tag = ciphertext + plaintext_length;
166
167 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
168 if( operation.alg == PSA_ALG_CCM )
169 {
170 status = mbedtls_to_psa_error(
171 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
172 plaintext_length,
173 nonce, nonce_length,
174 additional_data,
175 additional_data_length,
176 plaintext, ciphertext,
177 tag, operation.tag_length ) );
178 }
179 else
180 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
181 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
182 if( operation.alg == PSA_ALG_GCM )
183 {
184 status = mbedtls_to_psa_error(
185 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
186 MBEDTLS_GCM_ENCRYPT,
187 plaintext_length,
188 nonce, nonce_length,
189 additional_data, additional_data_length,
190 plaintext, ciphertext,
191 operation.tag_length, tag ) );
192 }
193 else
194 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
195 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
196 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
197 {
198 if( operation.tag_length != 16 )
199 {
200 status = PSA_ERROR_NOT_SUPPORTED;
201 goto exit;
202 }
203 status = mbedtls_to_psa_error(
204 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
205 plaintext_length,
206 nonce,
207 additional_data,
208 additional_data_length,
209 plaintext,
210 ciphertext,
211 tag ) );
212 }
213 else
214 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
215 {
216 (void) tag;
217 return( PSA_ERROR_NOT_SUPPORTED );
218 }
219
220 if( status == PSA_SUCCESS )
221 *ciphertext_length = plaintext_length + operation.tag_length;
222
223 exit:
224 mbedtls_psa_aead_abort( &operation );
225
226 return( status );
227 }
228
229 /* Locate the tag in a ciphertext buffer containing the encrypted data
230 * followed by the tag. Return the length of the part preceding the tag in
231 * *plaintext_length. This is the size of the plaintext in modes where
232 * the encrypted data has the same size as the plaintext, such as
233 * CCM and GCM. */
psa_aead_unpadded_locate_tag(size_t tag_length,const uint8_t * ciphertext,size_t ciphertext_length,size_t plaintext_size,const uint8_t ** p_tag)234 static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
235 const uint8_t *ciphertext,
236 size_t ciphertext_length,
237 size_t plaintext_size,
238 const uint8_t **p_tag )
239 {
240 size_t payload_length;
241 if( tag_length > ciphertext_length )
242 return( PSA_ERROR_INVALID_ARGUMENT );
243 payload_length = ciphertext_length - tag_length;
244 if( payload_length > plaintext_size )
245 return( PSA_ERROR_BUFFER_TOO_SMALL );
246 *p_tag = ciphertext + payload_length;
247 return( PSA_SUCCESS );
248 }
249
mbedtls_psa_aead_decrypt(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * nonce,size_t nonce_length,const uint8_t * additional_data,size_t additional_data_length,const uint8_t * ciphertext,size_t ciphertext_length,uint8_t * plaintext,size_t plaintext_size,size_t * plaintext_length)250 psa_status_t mbedtls_psa_aead_decrypt(
251 const psa_key_attributes_t *attributes,
252 const uint8_t *key_buffer, size_t key_buffer_size,
253 psa_algorithm_t alg,
254 const uint8_t *nonce, size_t nonce_length,
255 const uint8_t *additional_data, size_t additional_data_length,
256 const uint8_t *ciphertext, size_t ciphertext_length,
257 uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length )
258 {
259 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
260 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
261 const uint8_t *tag = NULL;
262
263 status = psa_aead_setup( &operation, attributes, key_buffer,
264 key_buffer_size, alg );
265
266 if( status != PSA_SUCCESS )
267 goto exit;
268
269 status = psa_aead_unpadded_locate_tag( operation.tag_length,
270 ciphertext, ciphertext_length,
271 plaintext_size, &tag );
272 if( status != PSA_SUCCESS )
273 goto exit;
274
275 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
276 if( operation.alg == PSA_ALG_CCM )
277 {
278 status = mbedtls_to_psa_error(
279 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
280 ciphertext_length - operation.tag_length,
281 nonce, nonce_length,
282 additional_data,
283 additional_data_length,
284 ciphertext, plaintext,
285 tag, operation.tag_length ) );
286 }
287 else
288 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
289 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
290 if( operation.alg == PSA_ALG_GCM )
291 {
292 status = mbedtls_to_psa_error(
293 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
294 ciphertext_length - operation.tag_length,
295 nonce, nonce_length,
296 additional_data,
297 additional_data_length,
298 tag, operation.tag_length,
299 ciphertext, plaintext ) );
300 }
301 else
302 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
303 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
304 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
305 {
306 if( operation.tag_length != 16 )
307 {
308 status = PSA_ERROR_NOT_SUPPORTED;
309 goto exit;
310 }
311 status = mbedtls_to_psa_error(
312 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
313 ciphertext_length - operation.tag_length,
314 nonce,
315 additional_data,
316 additional_data_length,
317 tag,
318 ciphertext,
319 plaintext ) );
320 }
321 else
322 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
323 {
324 return( PSA_ERROR_NOT_SUPPORTED );
325 }
326
327 if( status == PSA_SUCCESS )
328 *plaintext_length = ciphertext_length - operation.tag_length;
329
330 exit:
331 mbedtls_psa_aead_abort( &operation );
332
333 if( status == PSA_SUCCESS )
334 *plaintext_length = ciphertext_length - operation.tag_length;
335 return( status );
336 }
337
338 /* Set the key and algorithm for a multipart authenticated encryption
339 * operation. */
mbedtls_psa_aead_encrypt_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)340 psa_status_t mbedtls_psa_aead_encrypt_setup(
341 mbedtls_psa_aead_operation_t *operation,
342 const psa_key_attributes_t *attributes,
343 const uint8_t *key_buffer,
344 size_t key_buffer_size,
345 psa_algorithm_t alg )
346 {
347 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
348
349 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
350 if( operation->alg == PSA_ALG_CCM )
351 {
352 return( PSA_ERROR_NOT_SUPPORTED );
353 }
354 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
355
356 status = psa_aead_setup( operation, attributes, key_buffer,
357 key_buffer_size, alg );
358
359 if( status == PSA_SUCCESS )
360 operation->is_encrypt = 1;
361
362 return ( status );
363 }
364
365 /* Set the key and algorithm for a multipart authenticated decryption
366 * operation. */
mbedtls_psa_aead_decrypt_setup(mbedtls_psa_aead_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)367 psa_status_t mbedtls_psa_aead_decrypt_setup(
368 mbedtls_psa_aead_operation_t *operation,
369 const psa_key_attributes_t *attributes,
370 const uint8_t *key_buffer,
371 size_t key_buffer_size,
372 psa_algorithm_t alg )
373 {
374 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
375
376 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
377 if( operation->alg == PSA_ALG_CCM )
378 {
379 return( PSA_ERROR_NOT_SUPPORTED );
380 }
381 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
382
383 status = psa_aead_setup( operation, attributes, key_buffer,
384 key_buffer_size, alg );
385
386 if( status == PSA_SUCCESS )
387 operation->is_encrypt = 0;
388
389 return ( status );
390 }
391
392 /* Set a nonce for the multipart AEAD operation*/
mbedtls_psa_aead_set_nonce(mbedtls_psa_aead_operation_t * operation,const uint8_t * nonce,size_t nonce_length)393 psa_status_t mbedtls_psa_aead_set_nonce(
394 mbedtls_psa_aead_operation_t *operation,
395 const uint8_t *nonce,
396 size_t nonce_length )
397 {
398 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
399
400 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
401 if( operation->alg == PSA_ALG_GCM )
402 {
403 status = mbedtls_to_psa_error(
404 mbedtls_gcm_starts( &operation->ctx.gcm,
405 operation->is_encrypt ?
406 MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
407 nonce,
408 nonce_length ) );
409 }
410 else
411 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
412 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
413 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
414 {
415 /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
416 * allocate a buffer in the operation, copy the nonce to it and pad
417 * it, so for now check the nonce is 12 bytes, as
418 * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
419 * passed in buffer. */
420 if( nonce_length != 12 )
421 {
422 return( PSA_ERROR_INVALID_ARGUMENT );
423 }
424
425 status = mbedtls_to_psa_error(
426 mbedtls_chachapoly_starts( &operation->ctx.chachapoly,
427 nonce,
428 operation->is_encrypt ?
429 MBEDTLS_CHACHAPOLY_ENCRYPT :
430 MBEDTLS_CHACHAPOLY_DECRYPT ) );
431 }
432 else
433 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
434 {
435 ( void ) nonce;
436
437 return ( PSA_ERROR_NOT_SUPPORTED );
438 }
439
440 return( status );
441 }
442
443 /* Declare the lengths of the message and additional data for AEAD. */
mbedtls_psa_aead_set_lengths(mbedtls_psa_aead_operation_t * operation,size_t ad_length,size_t plaintext_length)444 psa_status_t mbedtls_psa_aead_set_lengths(
445 mbedtls_psa_aead_operation_t *operation,
446 size_t ad_length,
447 size_t plaintext_length )
448 {
449 /* Nothing here yet, work is currently done in PSA Core, however support
450 * for CCM will require this function. */
451 ( void ) operation;
452 ( void ) ad_length;
453 ( void ) plaintext_length;
454
455 return ( PSA_SUCCESS );
456 }
457
458 /* Pass additional data to an active multipart AEAD operation. */
mbedtls_psa_aead_update_ad(mbedtls_psa_aead_operation_t * operation,const uint8_t * input,size_t input_length)459 psa_status_t mbedtls_psa_aead_update_ad(
460 mbedtls_psa_aead_operation_t *operation,
461 const uint8_t *input,
462 size_t input_length )
463 {
464 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
465
466 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
467 if( operation->alg == PSA_ALG_GCM )
468 {
469 status = mbedtls_to_psa_error(
470 mbedtls_gcm_update_ad( &operation->ctx.gcm, input, input_length ) );
471 }
472 else
473 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
474 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
475 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
476 {
477 status = mbedtls_to_psa_error(
478 mbedtls_chachapoly_update_aad( &operation->ctx.chachapoly,
479 input,
480 input_length ) );
481 }
482 else
483 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
484 {
485 ( void ) operation;
486 ( void ) input;
487 ( void ) input_length;
488
489 return ( PSA_ERROR_NOT_SUPPORTED );
490 }
491
492 return ( status );
493 }
494
495 /* Encrypt or decrypt a message fragment in an active multipart AEAD
496 * operation.*/
mbedtls_psa_aead_update(mbedtls_psa_aead_operation_t * operation,const uint8_t * input,size_t input_length,uint8_t * output,size_t output_size,size_t * output_length)497 psa_status_t mbedtls_psa_aead_update(
498 mbedtls_psa_aead_operation_t *operation,
499 const uint8_t *input,
500 size_t input_length,
501 uint8_t *output,
502 size_t output_size,
503 size_t *output_length )
504 {
505 size_t update_output_length;
506 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
507
508 update_output_length = input_length;
509
510 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
511 if( operation->alg == PSA_ALG_GCM )
512 {
513 status = mbedtls_to_psa_error(
514 mbedtls_gcm_update( &operation->ctx.gcm,
515 input, input_length,
516 output, output_size,
517 &update_output_length ) );
518 }
519 else
520 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
521 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
522 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
523 {
524 if( output_size < input_length )
525 return( PSA_ERROR_BUFFER_TOO_SMALL );
526
527 status = mbedtls_to_psa_error(
528 mbedtls_chachapoly_update( &operation->ctx.chachapoly,
529 input_length,
530 input,
531 output ) );
532 }
533 else
534 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
535 {
536 ( void ) input;
537 ( void ) input_length;
538
539 return ( PSA_ERROR_NOT_SUPPORTED );
540 }
541
542 if( status == PSA_SUCCESS )
543 *output_length = update_output_length;
544
545 return( status );
546 }
547
548 /* Finish encrypting a message in a multipart AEAD operation. */
mbedtls_psa_aead_finish(mbedtls_psa_aead_operation_t * operation,uint8_t * ciphertext,size_t ciphertext_size,size_t * ciphertext_length,uint8_t * tag,size_t tag_size,size_t * tag_length)549 psa_status_t mbedtls_psa_aead_finish(
550 mbedtls_psa_aead_operation_t *operation,
551 uint8_t *ciphertext,
552 size_t ciphertext_size,
553 size_t *ciphertext_length,
554 uint8_t *tag,
555 size_t tag_size,
556 size_t *tag_length )
557 {
558 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
559 size_t finish_output_size = 0;
560
561 if( tag_size < operation->tag_length )
562 return( PSA_ERROR_BUFFER_TOO_SMALL );
563
564 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
565 if( operation->alg == PSA_ALG_GCM )
566 {
567 status = mbedtls_to_psa_error(
568 mbedtls_gcm_finish( &operation->ctx.gcm,
569 ciphertext, ciphertext_size, ciphertext_length,
570 tag, operation->tag_length ) );
571 }
572 else
573 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
574 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
575 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
576 {
577 /* Belt and braces. Although the above tag_size check should have
578 * already done this, if we later start supporting smaller tag sizes
579 * for chachapoly, then passing a tag buffer smaller than 16 into here
580 * could cause a buffer overflow, so better safe than sorry. */
581 if( tag_size < 16 )
582 return( PSA_ERROR_BUFFER_TOO_SMALL );
583
584 status = mbedtls_to_psa_error(
585 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
586 tag ) );
587 }
588 else
589 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
590 {
591 ( void ) ciphertext;
592 ( void ) ciphertext_size;
593 ( void ) ciphertext_length;
594 ( void ) tag;
595 ( void ) tag_size;
596 ( void ) tag_length;
597
598 return ( PSA_ERROR_NOT_SUPPORTED );
599 }
600
601 if( status == PSA_SUCCESS )
602 {
603 /* This will be zero for all supported algorithms currently, but left
604 * here for future support. */
605 *ciphertext_length = finish_output_size;
606 *tag_length = operation->tag_length;
607 }
608
609 return ( status );
610 }
611
612 /* Abort an AEAD operation */
mbedtls_psa_aead_abort(mbedtls_psa_aead_operation_t * operation)613 psa_status_t mbedtls_psa_aead_abort(
614 mbedtls_psa_aead_operation_t *operation )
615 {
616 switch( operation->alg )
617 {
618 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
619 case PSA_ALG_CCM:
620 mbedtls_ccm_free( &operation->ctx.ccm );
621 break;
622 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
623 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
624 case PSA_ALG_GCM:
625 mbedtls_gcm_free( &operation->ctx.gcm );
626 break;
627 #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
628 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
629 case PSA_ALG_CHACHA20_POLY1305:
630 mbedtls_chachapoly_free( &operation->ctx.chachapoly );
631 break;
632 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
633 }
634
635 operation->is_encrypt = 0;
636
637 return( PSA_SUCCESS );
638 }
639
640 #endif /* MBEDTLS_PSA_CRYPTO_C */
641
642