Path: blob/master/thirdparty/mbedtls/library/cipher.c
9903 views
/**1* \file cipher.c2*3* \brief Generic cipher wrapper for Mbed TLS4*5* \author Adriaan de Jong <[email protected]>6*7* Copyright The Mbed TLS Contributors8* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later9*/1011#include "common.h"1213#if defined(MBEDTLS_CIPHER_C)1415#include "mbedtls/cipher.h"16#include "cipher_invasive.h"17#include "cipher_wrap.h"18#include "mbedtls/platform_util.h"19#include "mbedtls/error.h"20#include "mbedtls/constant_time.h"21#include "constant_time_internal.h"2223#include <stdlib.h>24#include <string.h>2526#if defined(MBEDTLS_CHACHAPOLY_C)27#include "mbedtls/chachapoly.h"28#endif2930#if defined(MBEDTLS_GCM_C)31#include "mbedtls/gcm.h"32#endif3334#if defined(MBEDTLS_CCM_C)35#include "mbedtls/ccm.h"36#endif3738#if defined(MBEDTLS_CHACHA20_C)39#include "mbedtls/chacha20.h"40#endif4142#if defined(MBEDTLS_CMAC_C)43#include "mbedtls/cmac.h"44#endif4546#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)47#include "psa/crypto.h"48#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */4950#if defined(MBEDTLS_NIST_KW_C)51#include "mbedtls/nist_kw.h"52#endif5354#include "mbedtls/platform.h"5556static int supported_init = 0;5758static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base(59const mbedtls_cipher_info_t *info)60{61return mbedtls_cipher_base_lookup_table[info->base_idx];62}6364const int *mbedtls_cipher_list(void)65{66const mbedtls_cipher_definition_t *def;67int *type;6869if (!supported_init) {70def = mbedtls_cipher_definitions;71type = mbedtls_cipher_supported;7273while (def->type != 0) {74*type++ = (*def++).type;75}7677*type = 0;7879supported_init = 1;80}8182return mbedtls_cipher_supported;83}8485const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(86const mbedtls_cipher_type_t cipher_type)87{88const mbedtls_cipher_definition_t *def;8990for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {91if (def->type == cipher_type) {92return def->info;93}94}9596return NULL;97}9899const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(100const char *cipher_name)101{102const mbedtls_cipher_definition_t *def;103104if (NULL == cipher_name) {105return NULL;106}107108for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {109if (!strcmp(def->info->name, cipher_name)) {110return def->info;111}112}113114return NULL;115}116117const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(118const mbedtls_cipher_id_t cipher_id,119int key_bitlen,120const mbedtls_cipher_mode_t mode)121{122const mbedtls_cipher_definition_t *def;123124for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {125if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id &&126mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen &&127def->info->mode == mode) {128return def->info;129}130}131132return NULL;133}134135#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)136static inline psa_key_type_t mbedtls_psa_translate_cipher_type(137mbedtls_cipher_type_t cipher)138{139switch (cipher) {140case MBEDTLS_CIPHER_AES_128_CCM:141case MBEDTLS_CIPHER_AES_192_CCM:142case MBEDTLS_CIPHER_AES_256_CCM:143case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:144case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:145case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:146case MBEDTLS_CIPHER_AES_128_GCM:147case MBEDTLS_CIPHER_AES_192_GCM:148case MBEDTLS_CIPHER_AES_256_GCM:149case MBEDTLS_CIPHER_AES_128_CBC:150case MBEDTLS_CIPHER_AES_192_CBC:151case MBEDTLS_CIPHER_AES_256_CBC:152case MBEDTLS_CIPHER_AES_128_ECB:153case MBEDTLS_CIPHER_AES_192_ECB:154case MBEDTLS_CIPHER_AES_256_ECB:155return PSA_KEY_TYPE_AES;156157/* ARIA not yet supported in PSA. */158/* case MBEDTLS_CIPHER_ARIA_128_CCM:159case MBEDTLS_CIPHER_ARIA_192_CCM:160case MBEDTLS_CIPHER_ARIA_256_CCM:161case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:162case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:163case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:164case MBEDTLS_CIPHER_ARIA_128_GCM:165case MBEDTLS_CIPHER_ARIA_192_GCM:166case MBEDTLS_CIPHER_ARIA_256_GCM:167case MBEDTLS_CIPHER_ARIA_128_CBC:168case MBEDTLS_CIPHER_ARIA_192_CBC:169case MBEDTLS_CIPHER_ARIA_256_CBC:170return( PSA_KEY_TYPE_ARIA ); */171172default:173return 0;174}175}176177static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(178mbedtls_cipher_mode_t mode, size_t taglen)179{180switch (mode) {181case MBEDTLS_MODE_ECB:182return PSA_ALG_ECB_NO_PADDING;183case MBEDTLS_MODE_GCM:184return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen);185case MBEDTLS_MODE_CCM:186return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen);187case MBEDTLS_MODE_CCM_STAR_NO_TAG:188return PSA_ALG_CCM_STAR_NO_TAG;189case MBEDTLS_MODE_CBC:190if (taglen == 0) {191return PSA_ALG_CBC_NO_PADDING;192} else {193return 0;194}195default:196return 0;197}198}199#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */200201void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)202{203memset(ctx, 0, sizeof(mbedtls_cipher_context_t));204}205206void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)207{208if (ctx == NULL) {209return;210}211212#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)213if (ctx->psa_enabled == 1) {214if (ctx->cipher_ctx != NULL) {215mbedtls_cipher_context_psa * const cipher_psa =216(mbedtls_cipher_context_psa *) ctx->cipher_ctx;217218if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {219/* xxx_free() doesn't allow to return failures. */220(void) psa_destroy_key(cipher_psa->slot);221}222223mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa));224}225226mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));227return;228}229#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */230231#if defined(MBEDTLS_CMAC_C)232if (ctx->cmac_ctx) {233mbedtls_zeroize_and_free(ctx->cmac_ctx,234sizeof(mbedtls_cmac_context_t));235}236#endif237238if (ctx->cipher_ctx) {239mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx);240}241242mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));243}244245int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,246const mbedtls_cipher_info_t *cipher_info)247{248if (cipher_info == NULL) {249return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;250}251252memset(ctx, 0, sizeof(mbedtls_cipher_context_t));253254if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) {255ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func();256if (ctx->cipher_ctx == NULL) {257return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;258}259}260261ctx->cipher_info = cipher_info;262263return 0;264}265266#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)267int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,268const mbedtls_cipher_info_t *cipher_info,269size_t taglen)270{271psa_algorithm_t alg;272mbedtls_cipher_context_psa *cipher_psa;273274if (NULL == cipher_info || NULL == ctx) {275return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;276}277278/* Check that the underlying cipher mode and cipher type are279* supported by the underlying PSA Crypto implementation. */280alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen);281if (alg == 0) {282return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;283}284if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) {285return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;286}287288memset(ctx, 0, sizeof(mbedtls_cipher_context_t));289290cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));291if (cipher_psa == NULL) {292return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;293}294cipher_psa->alg = alg;295ctx->cipher_ctx = cipher_psa;296ctx->cipher_info = cipher_info;297ctx->psa_enabled = 1;298return 0;299}300#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */301302int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,303const unsigned char *key,304int key_bitlen,305const mbedtls_operation_t operation)306{307if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) {308return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;309}310if (ctx->cipher_info == NULL) {311return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;312}313#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)314if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) &&315MBEDTLS_DECRYPT == operation) {316return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;317}318#endif319320#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)321if (ctx->psa_enabled == 1) {322mbedtls_cipher_context_psa * const cipher_psa =323(mbedtls_cipher_context_psa *) ctx->cipher_ctx;324325size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;326327psa_status_t status;328psa_key_type_t key_type;329psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;330331/* PSA Crypto API only accepts byte-aligned keys. */332if (key_bitlen % 8 != 0) {333return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;334}335336/* Don't allow keys to be set multiple times. */337if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {338return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;339}340341key_type = mbedtls_psa_translate_cipher_type(342((mbedtls_cipher_type_t) ctx->cipher_info->type));343if (key_type == 0) {344return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;345}346psa_set_key_type(&attributes, key_type);347348/* Mbed TLS' cipher layer doesn't enforce the mode of operation349* (encrypt vs. decrypt): it is possible to setup a key for encryption350* and use it for AEAD decryption. Until tests relying on this351* are changed, allow any usage in PSA. */352psa_set_key_usage_flags(&attributes,353PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);354psa_set_key_algorithm(&attributes, cipher_psa->alg);355356status = psa_import_key(&attributes, key, key_bytelen,357&cipher_psa->slot);358switch (status) {359case PSA_SUCCESS:360break;361case PSA_ERROR_INSUFFICIENT_MEMORY:362return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;363case PSA_ERROR_NOT_SUPPORTED:364return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;365default:366return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;367}368/* Indicate that we own the key slot and need to369* destroy it in mbedtls_cipher_free(). */370cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;371372ctx->key_bitlen = key_bitlen;373ctx->operation = operation;374return 0;375}376#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */377378if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&379(int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) {380return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;381}382383ctx->key_bitlen = key_bitlen;384ctx->operation = operation;385386#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)387/*388* For OFB, CFB and CTR mode always use the encryption key schedule389*/390if (MBEDTLS_ENCRYPT == operation ||391MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||392MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||393MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {394return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,395ctx->key_bitlen);396}397398if (MBEDTLS_DECRYPT == operation) {399return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,400ctx->key_bitlen);401}402#else403if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) {404return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,405ctx->key_bitlen);406}407#endif408409return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;410}411412int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,413const unsigned char *iv,414size_t iv_len)415{416size_t actual_iv_size;417418if (ctx->cipher_info == NULL) {419return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;420}421#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)422if (ctx->psa_enabled == 1) {423/* While PSA Crypto has an API for multipart424* operations, we currently don't make it425* accessible through the cipher layer. */426return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;427}428#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */429430/* avoid buffer overflow in ctx->iv */431if (iv_len > MBEDTLS_MAX_IV_LENGTH) {432return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;433}434435if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {436actual_iv_size = iv_len;437} else {438actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info);439440/* avoid reading past the end of input buffer */441if (actual_iv_size > iv_len) {442return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;443}444}445446#if defined(MBEDTLS_CHACHA20_C)447if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) {448/* Even though the actual_iv_size is overwritten with a correct value449* of 12 from the cipher info, return an error to indicate that450* the input iv_len is wrong. */451if (iv_len != 12) {452return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;453}454455if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,456iv,4570U)) { /* Initial counter value */458return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;459}460}461#if defined(MBEDTLS_CHACHAPOLY_C)462if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&463iv_len != 12) {464return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;465}466#endif467#endif468469#if defined(MBEDTLS_GCM_C)470if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {471return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx,472ctx->operation,473iv, iv_len);474}475#endif476477#if defined(MBEDTLS_CCM_C)478if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {479int set_lengths_result;480int ccm_star_mode;481482set_lengths_result = mbedtls_ccm_set_lengths(483(mbedtls_ccm_context *) ctx->cipher_ctx,4840, 0, 0);485if (set_lengths_result != 0) {486return set_lengths_result;487}488489if (ctx->operation == MBEDTLS_DECRYPT) {490ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;491} else if (ctx->operation == MBEDTLS_ENCRYPT) {492ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;493} else {494return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;495}496497return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx,498ccm_star_mode,499iv, iv_len);500}501#endif502503if (actual_iv_size != 0) {504memcpy(ctx->iv, iv, actual_iv_size);505ctx->iv_size = actual_iv_size;506}507508return 0;509}510511int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)512{513if (ctx->cipher_info == NULL) {514return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;515}516517#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)518if (ctx->psa_enabled == 1) {519/* We don't support resetting PSA-based520* cipher contexts, yet. */521return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;522}523#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */524525ctx->unprocessed_len = 0;526527return 0;528}529530#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)531int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,532const unsigned char *ad, size_t ad_len)533{534if (ctx->cipher_info == NULL) {535return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;536}537538#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)539if (ctx->psa_enabled == 1) {540/* While PSA Crypto has an API for multipart541* operations, we currently don't make it542* accessible through the cipher layer. */543return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;544}545#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */546547#if defined(MBEDTLS_GCM_C)548if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {549return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx,550ad, ad_len);551}552#endif553554#if defined(MBEDTLS_CHACHAPOLY_C)555if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {556int result;557mbedtls_chachapoly_mode_t mode;558559mode = (ctx->operation == MBEDTLS_ENCRYPT)560? MBEDTLS_CHACHAPOLY_ENCRYPT561: MBEDTLS_CHACHAPOLY_DECRYPT;562563result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx,564ctx->iv,565mode);566if (result != 0) {567return result;568}569570return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,571ad, ad_len);572}573#endif574575return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;576}577#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */578579int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,580size_t ilen, unsigned char *output, size_t *olen)581{582int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;583size_t block_size;584585if (ctx->cipher_info == NULL) {586return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;587}588589#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)590if (ctx->psa_enabled == 1) {591/* While PSA Crypto has an API for multipart592* operations, we currently don't make it593* accessible through the cipher layer. */594return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;595}596#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */597598*olen = 0;599block_size = mbedtls_cipher_get_block_size(ctx);600if (0 == block_size) {601return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;602}603604if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) {605if (ilen != block_size) {606return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;607}608609*olen = ilen;610611if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx,612ctx->operation, input,613output))) {614return ret;615}616617return 0;618}619620#if defined(MBEDTLS_GCM_C)621if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) {622return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx,623input, ilen,624output, ilen, olen);625}626#endif627628#if defined(MBEDTLS_CCM_C)629if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) {630return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx,631input, ilen,632output, ilen, olen);633}634#endif635636#if defined(MBEDTLS_CHACHAPOLY_C)637if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) {638*olen = ilen;639return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,640ilen, input, output);641}642#endif643644if (input == output &&645(ctx->unprocessed_len != 0 || ilen % block_size)) {646return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;647}648649#if defined(MBEDTLS_CIPHER_MODE_CBC)650if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) {651size_t copy_len = 0;652653/*654* If there is not enough data for a full block, cache it.655*/656if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&657ilen <= block_size - ctx->unprocessed_len) ||658(ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&659ilen < block_size - ctx->unprocessed_len) ||660(ctx->operation == MBEDTLS_ENCRYPT &&661ilen < block_size - ctx->unprocessed_len)) {662memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,663ilen);664665ctx->unprocessed_len += ilen;666return 0;667}668669/*670* Process cached data first671*/672if (0 != ctx->unprocessed_len) {673copy_len = block_size - ctx->unprocessed_len;674675memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,676copy_len);677678if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,679ctx->operation,680block_size, ctx->iv,681ctx->682unprocessed_data,683output))) {684return ret;685}686687*olen += block_size;688output += block_size;689ctx->unprocessed_len = 0;690691input += copy_len;692ilen -= copy_len;693}694695/*696* Cache final, incomplete block697*/698if (0 != ilen) {699/* Encryption: only cache partial blocks700* Decryption w/ padding: always keep at least one whole block701* Decryption w/o padding: only cache partial blocks702*/703copy_len = ilen % block_size;704if (copy_len == 0 &&705ctx->operation == MBEDTLS_DECRYPT &&706NULL != ctx->add_padding) {707copy_len = block_size;708}709710memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),711copy_len);712713ctx->unprocessed_len += copy_len;714ilen -= copy_len;715}716717/*718* Process remaining full blocks719*/720if (ilen) {721if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,722ctx->operation,723ilen, ctx->iv,724input,725output))) {726return ret;727}728729*olen += ilen;730}731732return 0;733}734#endif /* MBEDTLS_CIPHER_MODE_CBC */735736#if defined(MBEDTLS_CIPHER_MODE_CFB)737if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) {738if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx,739ctx->operation, ilen,740&ctx->unprocessed_len,741ctx->iv,742input, output))) {743return ret;744}745746*olen = ilen;747748return 0;749}750#endif /* MBEDTLS_CIPHER_MODE_CFB */751752#if defined(MBEDTLS_CIPHER_MODE_OFB)753if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) {754if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx,755ilen,756&ctx->unprocessed_len,757ctx->iv,758input, output))) {759return ret;760}761762*olen = ilen;763764return 0;765}766#endif /* MBEDTLS_CIPHER_MODE_OFB */767768#if defined(MBEDTLS_CIPHER_MODE_CTR)769if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) {770if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx,771ilen,772&ctx->unprocessed_len,773ctx->iv,774ctx->unprocessed_data,775input, output))) {776return ret;777}778779*olen = ilen;780781return 0;782}783#endif /* MBEDTLS_CIPHER_MODE_CTR */784785#if defined(MBEDTLS_CIPHER_MODE_XTS)786if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) {787if (ctx->unprocessed_len > 0) {788/* We can only process an entire data unit at a time. */789return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;790}791792ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx,793ctx->operation,794ilen,795ctx->iv,796input,797output);798if (ret != 0) {799return ret;800}801802*olen = ilen;803804return 0;805}806#endif /* MBEDTLS_CIPHER_MODE_XTS */807808#if defined(MBEDTLS_CIPHER_MODE_STREAM)809if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) {810if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx,811ilen, input,812output))) {813return ret;814}815816*olen = ilen;817818return 0;819}820#endif /* MBEDTLS_CIPHER_MODE_STREAM */821822return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;823}824825#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)826#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)827/*828* PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len829*/830static void add_pkcs_padding(unsigned char *output, size_t output_len,831size_t data_len)832{833size_t padding_len = output_len - data_len;834unsigned char i;835836for (i = 0; i < padding_len; i++) {837output[data_len + i] = (unsigned char) padding_len;838}839}840841/*842* Get the length of the PKCS7 padding.843*844* Note: input_len must be the block size of the cipher.845*/846MBEDTLS_STATIC_TESTABLE int mbedtls_get_pkcs_padding(unsigned char *input,847size_t input_len,848size_t *data_len)849{850size_t i, pad_idx;851unsigned char padding_len;852853if (NULL == input || NULL == data_len) {854return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;855}856857padding_len = input[input_len - 1];858859mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);860bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));861862/* The number of bytes checked must be independent of padding_len,863* so pick input_len, which is usually 8 or 16 (one block) */864pad_idx = input_len - padding_len;865for (i = 0; i < input_len; i++) {866mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);867mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);868bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));869}870871/* If the padding is invalid, set the output length to 0 */872*data_len = mbedtls_ct_if(bad, 0, input_len - padding_len);873874return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);875}876#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */877878#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)879/*880* One and zeros padding: fill with 80 00 ... 00881*/882static void add_one_and_zeros_padding(unsigned char *output,883size_t output_len, size_t data_len)884{885size_t padding_len = output_len - data_len;886unsigned char i = 0;887888output[data_len] = 0x80;889for (i = 1; i < padding_len; i++) {890output[data_len + i] = 0x00;891}892}893894static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,895size_t *data_len)896{897if (NULL == input || NULL == data_len) {898return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;899}900901mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;902mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;903904*data_len = 0;905906for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {907mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);908909mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);910911*data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);912913bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);914915in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));916}917918return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);919}920#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */921922#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)923/*924* Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length925*/926static void add_zeros_and_len_padding(unsigned char *output,927size_t output_len, size_t data_len)928{929size_t padding_len = output_len - data_len;930unsigned char i = 0;931932for (i = 1; i < padding_len; i++) {933output[data_len + i - 1] = 0x00;934}935output[output_len - 1] = (unsigned char) padding_len;936}937938static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,939size_t *data_len)940{941size_t i, pad_idx;942unsigned char padding_len;943mbedtls_ct_condition_t bad;944945if (NULL == input || NULL == data_len) {946return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;947}948949padding_len = input[input_len - 1];950*data_len = input_len - padding_len;951952/* Avoid logical || since it results in a branch */953bad = mbedtls_ct_uint_gt(padding_len, input_len);954bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));955956/* The number of bytes checked must be independent of padding_len */957pad_idx = input_len - padding_len;958for (i = 0; i < input_len - 1; i++) {959mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);960mbedtls_ct_condition_t nonzero_pad_byte;961nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));962bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);963}964965return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);966}967#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */968969#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)970/*971* Zero padding: fill with 00 ... 00972*/973static void add_zeros_padding(unsigned char *output,974size_t output_len, size_t data_len)975{976memset(output + data_len, 0, output_len - data_len);977}978979static int get_zeros_padding(unsigned char *input, size_t input_len,980size_t *data_len)981{982size_t i;983mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;984985if (NULL == input || NULL == data_len) {986return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;987}988989*data_len = 0;990for (i = input_len; i > 0; i--) {991prev_done = done;992done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));993*data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);994}995996return 0;997}998#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */9991000/*1001* No padding: don't pad :)1002*1003* There is no add_padding function (check for NULL in mbedtls_cipher_finish)1004* but a trivial get_padding function1005*/1006static int get_no_padding(unsigned char *input, size_t input_len,1007size_t *data_len)1008{1009if (NULL == input || NULL == data_len) {1010return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1011}10121013*data_len = input_len;10141015return 0;1016}1017#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */10181019int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,1020unsigned char *output, size_t *olen)1021{1022if (ctx->cipher_info == NULL) {1023return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1024}10251026#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)1027if (ctx->psa_enabled == 1) {1028/* While PSA Crypto has an API for multipart1029* operations, we currently don't make it1030* accessible through the cipher layer. */1031return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1032}1033#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */10341035*olen = 0;10361037#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)1038/* CBC mode requires padding so we make sure a call to1039* mbedtls_cipher_set_padding_mode has been done successfully. */1040if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1041if (ctx->get_padding == NULL) {1042return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1043}1044}1045#endif10461047if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||1048MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||1049MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||1050MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||1051MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||1052MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||1053MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1054return 0;1055}10561057if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) ||1058(MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) {1059return 0;1060}10611062if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1063if (ctx->unprocessed_len != 0) {1064return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;1065}10661067return 0;1068}10691070#if defined(MBEDTLS_CIPHER_MODE_CBC)1071if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1072int ret = 0;10731074if (MBEDTLS_ENCRYPT == ctx->operation) {1075/* check for 'no padding' mode */1076if (NULL == ctx->add_padding) {1077if (0 != ctx->unprocessed_len) {1078return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;1079}10801081return 0;1082}10831084ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),1085ctx->unprocessed_len);1086} else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {1087/*1088* For decrypt operations, expect a full block,1089* or an empty block if no padding1090*/1091if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {1092return 0;1093}10941095return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;1096}10971098/* cipher block */1099if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,1100ctx->operation,1101mbedtls_cipher_get_block_size(1102ctx),1103ctx->iv,1104ctx->unprocessed_data,1105output))) {1106return ret;1107}11081109/* Set output size for decryption */1110if (MBEDTLS_DECRYPT == ctx->operation) {1111return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),1112olen);1113}11141115/* Set output size for encryption */1116*olen = mbedtls_cipher_get_block_size(ctx);1117return 0;1118}1119#else1120((void) output);1121#endif /* MBEDTLS_CIPHER_MODE_CBC */11221123return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1124}11251126#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)1127int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,1128mbedtls_cipher_padding_t mode)1129{1130if (NULL == ctx->cipher_info ||1131MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1132return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1133}11341135#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)1136if (ctx->psa_enabled == 1) {1137/* While PSA Crypto knows about CBC padding1138* schemes, we currently don't make them1139* accessible through the cipher layer. */1140if (mode != MBEDTLS_PADDING_NONE) {1141return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1142}11431144return 0;1145}1146#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */11471148switch (mode) {1149#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)1150case MBEDTLS_PADDING_PKCS7:1151ctx->add_padding = add_pkcs_padding;1152ctx->get_padding = mbedtls_get_pkcs_padding;1153break;1154#endif1155#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)1156case MBEDTLS_PADDING_ONE_AND_ZEROS:1157ctx->add_padding = add_one_and_zeros_padding;1158ctx->get_padding = get_one_and_zeros_padding;1159break;1160#endif1161#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)1162case MBEDTLS_PADDING_ZEROS_AND_LEN:1163ctx->add_padding = add_zeros_and_len_padding;1164ctx->get_padding = get_zeros_and_len_padding;1165break;1166#endif1167#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)1168case MBEDTLS_PADDING_ZEROS:1169ctx->add_padding = add_zeros_padding;1170ctx->get_padding = get_zeros_padding;1171break;1172#endif1173case MBEDTLS_PADDING_NONE:1174ctx->add_padding = NULL;1175ctx->get_padding = get_no_padding;1176break;11771178default:1179return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1180}11811182return 0;1183}1184#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */11851186#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)1187int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,1188unsigned char *tag, size_t tag_len)1189{1190if (ctx->cipher_info == NULL) {1191return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1192}11931194if (MBEDTLS_ENCRYPT != ctx->operation) {1195return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1196}11971198#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)1199if (ctx->psa_enabled == 1) {1200/* While PSA Crypto has an API for multipart1201* operations, we currently don't make it1202* accessible through the cipher layer. */1203return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1204}1205#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */12061207#if defined(MBEDTLS_GCM_C)1208if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1209size_t output_length;1210/* The code here doesn't yet support alternative implementations1211* that can delay up to a block of output. */1212return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,1213NULL, 0, &output_length,1214tag, tag_len);1215}1216#endif12171218#if defined(MBEDTLS_CHACHAPOLY_C)1219if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {1220/* Don't allow truncated MAC for Poly1305 */1221if (tag_len != 16U) {1222return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1223}12241225return mbedtls_chachapoly_finish(1226(mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);1227}1228#endif12291230return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1231}12321233int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,1234const unsigned char *tag, size_t tag_len)1235{1236unsigned char check_tag[16];1237int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;12381239if (ctx->cipher_info == NULL) {1240return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1241}12421243if (MBEDTLS_DECRYPT != ctx->operation) {1244return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1245}12461247#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)1248if (ctx->psa_enabled == 1) {1249/* While PSA Crypto has an API for multipart1250* operations, we currently don't make it1251* accessible through the cipher layer. */1252return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1253}1254#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */12551256/* Status to return on a non-authenticated algorithm. */1257ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;12581259#if defined(MBEDTLS_GCM_C)1260if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1261size_t output_length;1262/* The code here doesn't yet support alternative implementations1263* that can delay up to a block of output. */12641265if (tag_len > sizeof(check_tag)) {1266return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1267}12681269if (0 != (ret = mbedtls_gcm_finish(1270(mbedtls_gcm_context *) ctx->cipher_ctx,1271NULL, 0, &output_length,1272check_tag, tag_len))) {1273return ret;1274}12751276/* Check the tag in "constant-time" */1277if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {1278ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;1279goto exit;1280}1281}1282#endif /* MBEDTLS_GCM_C */12831284#if defined(MBEDTLS_CHACHAPOLY_C)1285if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {1286/* Don't allow truncated MAC for Poly1305 */1287if (tag_len != sizeof(check_tag)) {1288return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1289}12901291ret = mbedtls_chachapoly_finish(1292(mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);1293if (ret != 0) {1294return ret;1295}12961297/* Check the tag in "constant-time" */1298if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {1299ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;1300goto exit;1301}1302}1303#endif /* MBEDTLS_CHACHAPOLY_C */13041305exit:1306mbedtls_platform_zeroize(check_tag, tag_len);1307return ret;1308}1309#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */13101311/*1312* Packet-oriented wrapper for non-AEAD modes1313*/1314int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,1315const unsigned char *iv, size_t iv_len,1316const unsigned char *input, size_t ilen,1317unsigned char *output, size_t *olen)1318{1319int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;1320size_t finish_olen;13211322#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)1323if (ctx->psa_enabled == 1) {1324/* As in the non-PSA case, we don't check that1325* a key has been set. If not, the key slot will1326* still be in its default state of 0, which is1327* guaranteed to be invalid, hence the PSA-call1328* below will gracefully fail. */1329mbedtls_cipher_context_psa * const cipher_psa =1330(mbedtls_cipher_context_psa *) ctx->cipher_ctx;13311332psa_status_t status;1333psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;1334size_t part_len;13351336if (ctx->operation == MBEDTLS_DECRYPT) {1337status = psa_cipher_decrypt_setup(&cipher_op,1338cipher_psa->slot,1339cipher_psa->alg);1340} else if (ctx->operation == MBEDTLS_ENCRYPT) {1341status = psa_cipher_encrypt_setup(&cipher_op,1342cipher_psa->slot,1343cipher_psa->alg);1344} else {1345return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1346}13471348/* In the following, we can immediately return on an error,1349* because the PSA Crypto API guarantees that cipher operations1350* are terminated by unsuccessful calls to psa_cipher_update(),1351* and by any call to psa_cipher_finish(). */1352if (status != PSA_SUCCESS) {1353return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;1354}13551356if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) {1357status = psa_cipher_set_iv(&cipher_op, iv, iv_len);1358if (status != PSA_SUCCESS) {1359return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;1360}1361}13621363status = psa_cipher_update(&cipher_op,1364input, ilen,1365output, ilen, olen);1366if (status != PSA_SUCCESS) {1367return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;1368}13691370status = psa_cipher_finish(&cipher_op,1371output + *olen, ilen - *olen,1372&part_len);1373if (status != PSA_SUCCESS) {1374return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;1375}13761377*olen += part_len;1378return 0;1379}1380#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */13811382if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {1383return ret;1384}13851386if ((ret = mbedtls_cipher_reset(ctx)) != 0) {1387return ret;1388}13891390if ((ret = mbedtls_cipher_update(ctx, input, ilen,1391output, olen)) != 0) {1392return ret;1393}13941395if ((ret = mbedtls_cipher_finish(ctx, output + *olen,1396&finish_olen)) != 0) {1397return ret;1398}13991400*olen += finish_olen;14011402return 0;1403}14041405#if defined(MBEDTLS_CIPHER_MODE_AEAD)1406/*1407* Packet-oriented encryption for AEAD modes: internal function used by1408* mbedtls_cipher_auth_encrypt_ext().1409*/1410static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,1411const unsigned char *iv, size_t iv_len,1412const unsigned char *ad, size_t ad_len,1413const unsigned char *input, size_t ilen,1414unsigned char *output, size_t *olen,1415unsigned char *tag, size_t tag_len)1416{1417#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)1418if (ctx->psa_enabled == 1) {1419/* As in the non-PSA case, we don't check that1420* a key has been set. If not, the key slot will1421* still be in its default state of 0, which is1422* guaranteed to be invalid, hence the PSA-call1423* below will gracefully fail. */1424mbedtls_cipher_context_psa * const cipher_psa =1425(mbedtls_cipher_context_psa *) ctx->cipher_ctx;14261427psa_status_t status;14281429/* PSA Crypto API always writes the authentication tag1430* at the end of the encrypted message. */1431if (output == NULL || tag != output + ilen) {1432return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1433}14341435status = psa_aead_encrypt(cipher_psa->slot,1436cipher_psa->alg,1437iv, iv_len,1438ad, ad_len,1439input, ilen,1440output, ilen + tag_len, olen);1441if (status != PSA_SUCCESS) {1442return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;1443}14441445*olen -= tag_len;1446return 0;1447}1448#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */14491450#if defined(MBEDTLS_GCM_C)1451if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1452*olen = ilen;1453return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,1454ilen, iv, iv_len, ad, ad_len,1455input, output, tag_len, tag);1456}1457#endif /* MBEDTLS_GCM_C */1458#if defined(MBEDTLS_CCM_C)1459if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1460*olen = ilen;1461return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,1462iv, iv_len, ad, ad_len, input, output,1463tag, tag_len);1464}1465#endif /* MBEDTLS_CCM_C */1466#if defined(MBEDTLS_CHACHAPOLY_C)1467if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {1468/* ChachaPoly has fixed length nonce and MAC (tag) */1469if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||1470(tag_len != 16U)) {1471return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1472}14731474*olen = ilen;1475return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,1476ilen, iv, ad, ad_len, input, output, tag);1477}1478#endif /* MBEDTLS_CHACHAPOLY_C */14791480return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1481}14821483/*1484* Packet-oriented encryption for AEAD modes: internal function used by1485* mbedtls_cipher_auth_encrypt_ext().1486*/1487static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,1488const unsigned char *iv, size_t iv_len,1489const unsigned char *ad, size_t ad_len,1490const unsigned char *input, size_t ilen,1491unsigned char *output, size_t *olen,1492const unsigned char *tag, size_t tag_len)1493{1494#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)1495if (ctx->psa_enabled == 1) {1496/* As in the non-PSA case, we don't check that1497* a key has been set. If not, the key slot will1498* still be in its default state of 0, which is1499* guaranteed to be invalid, hence the PSA-call1500* below will gracefully fail. */1501mbedtls_cipher_context_psa * const cipher_psa =1502(mbedtls_cipher_context_psa *) ctx->cipher_ctx;15031504psa_status_t status;15051506/* PSA Crypto API always writes the authentication tag1507* at the end of the encrypted message. */1508if (input == NULL || tag != input + ilen) {1509return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1510}15111512status = psa_aead_decrypt(cipher_psa->slot,1513cipher_psa->alg,1514iv, iv_len,1515ad, ad_len,1516input, ilen + tag_len,1517output, ilen, olen);1518if (status == PSA_ERROR_INVALID_SIGNATURE) {1519return MBEDTLS_ERR_CIPHER_AUTH_FAILED;1520} else if (status != PSA_SUCCESS) {1521return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;1522}15231524return 0;1525}1526#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */15271528#if defined(MBEDTLS_GCM_C)1529if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1530int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;15311532*olen = ilen;1533ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,1534iv, iv_len, ad, ad_len,1535tag, tag_len, input, output);15361537if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {1538ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;1539}15401541return ret;1542}1543#endif /* MBEDTLS_GCM_C */1544#if defined(MBEDTLS_CCM_C)1545if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {1546int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;15471548*olen = ilen;1549ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,1550iv, iv_len, ad, ad_len,1551input, output, tag, tag_len);15521553if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {1554ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;1555}15561557return ret;1558}1559#endif /* MBEDTLS_CCM_C */1560#if defined(MBEDTLS_CHACHAPOLY_C)1561if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {1562int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;15631564/* ChachaPoly has fixed length nonce and MAC (tag) */1565if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||1566(tag_len != 16U)) {1567return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1568}15691570*olen = ilen;1571ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,1572iv, ad, ad_len, tag, input, output);15731574if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {1575ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;1576}15771578return ret;1579}1580#endif /* MBEDTLS_CHACHAPOLY_C */15811582return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1583}1584#endif /* MBEDTLS_CIPHER_MODE_AEAD */15851586#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)1587/*1588* Packet-oriented encryption for AEAD/NIST_KW: public function.1589*/1590int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,1591const unsigned char *iv, size_t iv_len,1592const unsigned char *ad, size_t ad_len,1593const unsigned char *input, size_t ilen,1594unsigned char *output, size_t output_len,1595size_t *olen, size_t tag_len)1596{1597#if defined(MBEDTLS_NIST_KW_C)1598if (1599#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)1600ctx->psa_enabled == 0 &&1601#endif1602(MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||1603MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {1604mbedtls_nist_kw_mode_t mode =1605(MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?1606MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;16071608/* There is no iv, tag or ad associated with KW and KWP,1609* so these length should be 0 as documented. */1610if (iv_len != 0 || tag_len != 0 || ad_len != 0) {1611return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1612}16131614(void) iv;1615(void) ad;16161617return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,1618output, olen, output_len);1619}1620#endif /* MBEDTLS_NIST_KW_C */16211622#if defined(MBEDTLS_CIPHER_MODE_AEAD)1623/* AEAD case: check length before passing on to shared function */1624if (output_len < ilen + tag_len) {1625return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1626}16271628int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,1629input, ilen, output, olen,1630output + ilen, tag_len);1631*olen += tag_len;1632return ret;1633#else1634return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1635#endif /* MBEDTLS_CIPHER_MODE_AEAD */1636}16371638/*1639* Packet-oriented decryption for AEAD/NIST_KW: public function.1640*/1641int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,1642const unsigned char *iv, size_t iv_len,1643const unsigned char *ad, size_t ad_len,1644const unsigned char *input, size_t ilen,1645unsigned char *output, size_t output_len,1646size_t *olen, size_t tag_len)1647{1648#if defined(MBEDTLS_NIST_KW_C)1649if (1650#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)1651ctx->psa_enabled == 0 &&1652#endif1653(MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||1654MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {1655mbedtls_nist_kw_mode_t mode =1656(MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?1657MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;16581659/* There is no iv, tag or ad associated with KW and KWP,1660* so these length should be 0 as documented. */1661if (iv_len != 0 || tag_len != 0 || ad_len != 0) {1662return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1663}16641665(void) iv;1666(void) ad;16671668return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,1669output, olen, output_len);1670}1671#endif /* MBEDTLS_NIST_KW_C */16721673#if defined(MBEDTLS_CIPHER_MODE_AEAD)1674/* AEAD case: check length before passing on to shared function */1675if (ilen < tag_len || output_len < ilen - tag_len) {1676return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;1677}16781679return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,1680input, ilen - tag_len, output, olen,1681input + ilen - tag_len, tag_len);1682#else1683return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;1684#endif /* MBEDTLS_CIPHER_MODE_AEAD */1685}1686#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */16871688#endif /* MBEDTLS_CIPHER_C */168916901691