Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

cipher.c@ 398

Last change on this file since 398 was 398, checked in by coas-nagasima, 5 years ago
mbedTLS版Azure IoT Hub接続サンプルのソースコードを追加
Property svn:eol-style set to `native` Property svn:mime-type set to `text/x-csrc;charset=UTF-8`
File size: 34.1 KB

Line
1	/**
2	* \file cipher.c
3	*
4	* \brief Generic cipher wrapper for mbed TLS
5	*
6	* \author Adriaan de Jong <dejong@fox-it.com>
7	*
8	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
9	* SPDX-License-Identifier: Apache-2.0
10	*
11	* Licensed under the Apache License, Version 2.0 (the "License"); you may
12	* not use this file except in compliance with the License.
13	* You may obtain a copy of the License at
14	*
15	* http://www.apache.org/licenses/LICENSE-2.0
16	*
17	* Unless required by applicable law or agreed to in writing, software
18	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20	* See the License for the specific language governing permissions and
21	* limitations under the License.
22	*
23	* This file is part of mbed TLS (https://tls.mbed.org)
24	*/
25
26	#if !defined(MBEDTLS_CONFIG_FILE)
27	#include "mbedtls/config.h"
28	#else
29	#include MBEDTLS_CONFIG_FILE
30	#endif
31
32	#if defined(MBEDTLS_CIPHER_C)
33
34	#include "mbedtls/cipher.h"
35	#include "mbedtls/cipher_internal.h"
36	#include "mbedtls/platform_util.h"
37
38	#include <stdlib.h>
39	#include <string.h>
40
41	#if defined(MBEDTLS_CHACHAPOLY_C)
42	#include "mbedtls/chachapoly.h"
43	#endif
44
45	#if defined(MBEDTLS_GCM_C)
46	#include "mbedtls/gcm.h"
47	#endif
48
49	#if defined(MBEDTLS_CCM_C)
50	#include "mbedtls/ccm.h"
51	#endif
52
53	#if defined(MBEDTLS_CHACHA20_C)
54	#include "mbedtls/chacha20.h"
55	#endif
56
57	#if defined(MBEDTLS_CMAC_C)
58	#include "mbedtls/cmac.h"
59	#endif
60
61	#if defined(MBEDTLS_PLATFORM_C)
62	#include "mbedtls/platform.h"
63	#else
64	#define mbedtls_calloc calloc
65	#define mbedtls_free free
66	#endif
67
68	#define CIPHER_VALIDATE_RET( cond ) \
69	MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
70	#define CIPHER_VALIDATE( cond ) \
71	MBEDTLS_INTERNAL_VALIDATE( cond )
72
73	#if defined(MBEDTLS_GCM_C) \|\| defined(MBEDTLS_CHACHAPOLY_C)
74	/* Compare the contents of two buffers in constant time.
75	* Returns 0 if the contents are bitwise identical, otherwise returns
76	* a non-zero value.
77	* This is currently only used by GCM and ChaCha20+Poly1305.
78	*/
79	static int mbedtls_constant_time_memcmp( const void v1, const void v2, size_t len )
80	{
81	const unsigned char p1 = (const unsigned char) v1;
82	const unsigned char p2 = (const unsigned char) v2;
83	size_t i;
84	unsigned char diff;
85
86	for( diff = 0, i = 0; i < len; i++ )
87	diff \|= p1[i] ^ p2[i];
88
89	return( (int)diff );
90	}
91	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CHACHAPOLY_C */
92
93	static int supported_init = 0;
94
95	const int *mbedtls_cipher_list( void )
96	{
97	const mbedtls_cipher_definition_t *def;
98	int *type;
99
100	if( ! supported_init )
101	{
102	def = mbedtls_cipher_definitions;
103	type = mbedtls_cipher_supported;
104
105	while( def->type != 0 )
106	type++ = (def++).type;
107
108	*type = 0;
109
110	supported_init = 1;
111	}
112
113	return( mbedtls_cipher_supported );
114	}
115
116	const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type )
117	{
118	const mbedtls_cipher_definition_t *def;
119
120	for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
121	if( def->type == cipher_type )
122	return( def->info );
123
124	return( NULL );
125	}
126
127	const mbedtls_cipher_info_t mbedtls_cipher_info_from_string( const char cipher_name )
128	{
129	const mbedtls_cipher_definition_t *def;
130
131	if( NULL == cipher_name )
132	return( NULL );
133
134	for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
135	if( ! strcmp( def->info->name, cipher_name ) )
136	return( def->info );
137
138	return( NULL );
139	}
140
141	const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
142	int key_bitlen,
143	const mbedtls_cipher_mode_t mode )
144	{
145	const mbedtls_cipher_definition_t *def;
146
147	for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
148	if( def->info->base->cipher == cipher_id &&
149	def->info->key_bitlen == (unsigned) key_bitlen &&
150	def->info->mode == mode )
151	return( def->info );
152
153	return( NULL );
154	}
155
156	void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
157	{
158	CIPHER_VALIDATE( ctx != NULL );
159	memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
160	}
161
162	void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
163	{
164	if( ctx == NULL )
165	return;
166
167	#if defined(MBEDTLS_CMAC_C)
168	if( ctx->cmac_ctx )
169	{
170	mbedtls_platform_zeroize( ctx->cmac_ctx,
171	sizeof( mbedtls_cmac_context_t ) );
172	mbedtls_free( ctx->cmac_ctx );
173	}
174	#endif
175
176	if( ctx->cipher_ctx )
177	ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
178
179	mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
180	}
181
182	int mbedtls_cipher_setup( mbedtls_cipher_context_t ctx, const mbedtls_cipher_info_t cipher_info )
183	{
184	CIPHER_VALIDATE_RET( ctx != NULL );
185	if( cipher_info == NULL )
186	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
187
188	memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
189
190	if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
191	return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
192
193	ctx->cipher_info = cipher_info;
194
195	#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
196	/*
197	* Ignore possible errors caused by a cipher mode that doesn't use padding
198	*/
199	#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
200	(void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
201	#else
202	(void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
203	#endif
204	#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
205
206	return( 0 );
207	}
208
209	int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
210	const unsigned char *key,
211	int key_bitlen,
212	const mbedtls_operation_t operation )
213	{
214	CIPHER_VALIDATE_RET( ctx != NULL );
215	CIPHER_VALIDATE_RET( key != NULL );
216	CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT \|\|
217	operation == MBEDTLS_DECRYPT );
218	if( ctx->cipher_info == NULL )
219	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
220
221	if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
222	(int) ctx->cipher_info->key_bitlen != key_bitlen )
223	{
224	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
225	}
226
227	ctx->key_bitlen = key_bitlen;
228	ctx->operation = operation;
229
230	/*
231	* For OFB, CFB and CTR mode always use the encryption key schedule
232	*/
233	if( MBEDTLS_ENCRYPT == operation \|\|
234	MBEDTLS_MODE_CFB == ctx->cipher_info->mode \|\|
235	MBEDTLS_MODE_OFB == ctx->cipher_info->mode \|\|
236	MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
237	{
238	return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
239	ctx->key_bitlen ) );
240	}
241
242	if( MBEDTLS_DECRYPT == operation )
243	return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
244	ctx->key_bitlen ) );
245
246	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
247	}
248
249	int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
250	const unsigned char *iv,
251	size_t iv_len )
252	{
253	size_t actual_iv_size;
254
255	CIPHER_VALIDATE_RET( ctx != NULL );
256	CIPHER_VALIDATE_RET( iv_len == 0 \|\| iv != NULL );
257	if( ctx->cipher_info == NULL )
258	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
259
260	/* avoid buffer overflow in ctx->iv */
261	if( iv_len > MBEDTLS_MAX_IV_LENGTH )
262	return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
263
264	if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
265	actual_iv_size = iv_len;
266	else
267	{
268	actual_iv_size = ctx->cipher_info->iv_size;
269
270	/* avoid reading past the end of input buffer */
271	if( actual_iv_size > iv_len )
272	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
273	}
274
275	#if defined(MBEDTLS_CHACHA20_C)
276	if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
277	{
278	if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
279	iv,
280	0U ) ) /* Initial counter value */
281	{
282	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
283	}
284	}
285	#endif
286
287	if ( actual_iv_size != 0 )
288	{
289	memcpy( ctx->iv, iv, actual_iv_size );
290	ctx->iv_size = actual_iv_size;
291	}
292
293	return( 0 );
294	}
295
296	int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
297	{
298	CIPHER_VALIDATE_RET( ctx != NULL );
299	if( ctx->cipher_info == NULL )
300	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
301
302	ctx->unprocessed_len = 0;
303
304	return( 0 );
305	}
306
307	#if defined(MBEDTLS_GCM_C) \|\| defined(MBEDTLS_CHACHAPOLY_C)
308	int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
309	const unsigned char *ad, size_t ad_len )
310	{
311	CIPHER_VALIDATE_RET( ctx != NULL );
312	CIPHER_VALIDATE_RET( ad_len == 0 \|\| ad != NULL );
313	if( ctx->cipher_info == NULL )
314	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
315
316	#if defined(MBEDTLS_GCM_C)
317	if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
318	{
319	return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
320	ctx->iv, ctx->iv_size, ad, ad_len ) );
321	}
322	#endif
323
324	#if defined(MBEDTLS_CHACHAPOLY_C)
325	if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
326	{
327	int result;
328	mbedtls_chachapoly_mode_t mode;
329
330	mode = ( ctx->operation == MBEDTLS_ENCRYPT )
331	? MBEDTLS_CHACHAPOLY_ENCRYPT
332	: MBEDTLS_CHACHAPOLY_DECRYPT;
333
334	result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
335	ctx->iv,
336	mode );
337	if ( result != 0 )
338	return( result );
339
340	return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
341	ad, ad_len ) );
342	}
343	#endif
344
345	return( 0 );
346	}
347	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CHACHAPOLY_C */
348
349	int mbedtls_cipher_update( mbedtls_cipher_context_t ctx, const unsigned char input,
350	size_t ilen, unsigned char output, size_t olen )
351	{
352	int ret;
353	size_t block_size;
354
355	CIPHER_VALIDATE_RET( ctx != NULL );
356	CIPHER_VALIDATE_RET( ilen == 0 \|\| input != NULL );
357	CIPHER_VALIDATE_RET( output != NULL );
358	CIPHER_VALIDATE_RET( olen != NULL );
359	if( ctx->cipher_info == NULL )
360	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
361
362	*olen = 0;
363	block_size = mbedtls_cipher_get_block_size( ctx );
364
365	if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
366	{
367	if( ilen != block_size )
368	return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
369
370	*olen = ilen;
371
372	if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
373	ctx->operation, input, output ) ) )
374	{
375	return( ret );
376	}
377
378	return( 0 );
379	}
380
381	#if defined(MBEDTLS_GCM_C)
382	if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
383	{
384	*olen = ilen;
385	return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
386	output ) );
387	}
388	#endif
389
390	#if defined(MBEDTLS_CHACHAPOLY_C)
391	if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
392	{
393	*olen = ilen;
394	return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
395	ilen, input, output ) );
396	}
397	#endif
398
399	if ( 0 == block_size )
400	{
401	return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
402	}
403
404	if( input == output &&
405	( ctx->unprocessed_len != 0 \|\| ilen % block_size ) )
406	{
407	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
408	}
409
410	#if defined(MBEDTLS_CIPHER_MODE_CBC)
411	if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
412	{
413	size_t copy_len = 0;
414
415	/*
416	* If there is not enough data for a full block, cache it.
417	*/
418	if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
419	ilen <= block_size - ctx->unprocessed_len ) \|\|
420	( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
421	ilen < block_size - ctx->unprocessed_len ) \|\|
422	( ctx->operation == MBEDTLS_ENCRYPT &&
423	ilen < block_size - ctx->unprocessed_len ) )
424	{
425	memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
426	ilen );
427
428	ctx->unprocessed_len += ilen;
429	return( 0 );
430	}
431
432	/*
433	* Process cached data first
434	*/
435	if( 0 != ctx->unprocessed_len )
436	{
437	copy_len = block_size - ctx->unprocessed_len;
438
439	memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
440	copy_len );
441
442	if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
443	ctx->operation, block_size, ctx->iv,
444	ctx->unprocessed_data, output ) ) )
445	{
446	return( ret );
447	}
448
449	*olen += block_size;
450	output += block_size;
451	ctx->unprocessed_len = 0;
452
453	input += copy_len;
454	ilen -= copy_len;
455	}
456
457	/*
458	* Cache final, incomplete block
459	*/
460	if( 0 != ilen )
461	{
462	if( 0 == block_size )
463	{
464	return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
465	}
466
467	/* Encryption: only cache partial blocks
468	* Decryption w/ padding: always keep at least one whole block
469	* Decryption w/o padding: only cache partial blocks
470	*/
471	copy_len = ilen % block_size;
472	if( copy_len == 0 &&
473	ctx->operation == MBEDTLS_DECRYPT &&
474	NULL != ctx->add_padding)
475	{
476	copy_len = block_size;
477	}
478
479	memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
480	copy_len );
481
482	ctx->unprocessed_len += copy_len;
483	ilen -= copy_len;
484	}
485
486	/*
487	* Process remaining full blocks
488	*/
489	if( ilen )
490	{
491	if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
492	ctx->operation, ilen, ctx->iv, input, output ) ) )
493	{
494	return( ret );
495	}
496
497	*olen += ilen;
498	}
499
500	return( 0 );
501	}
502	#endif /* MBEDTLS_CIPHER_MODE_CBC */
503
504	#if defined(MBEDTLS_CIPHER_MODE_CFB)
505	if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
506	{
507	if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
508	ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
509	input, output ) ) )
510	{
511	return( ret );
512	}
513
514	*olen = ilen;
515
516	return( 0 );
517	}
518	#endif /* MBEDTLS_CIPHER_MODE_CFB */
519
520	#if defined(MBEDTLS_CIPHER_MODE_OFB)
521	if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
522	{
523	if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
524	ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
525	{
526	return( ret );
527	}
528
529	*olen = ilen;
530
531	return( 0 );
532	}
533	#endif /* MBEDTLS_CIPHER_MODE_OFB */
534
535	#if defined(MBEDTLS_CIPHER_MODE_CTR)
536	if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
537	{
538	if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
539	ilen, &ctx->unprocessed_len, ctx->iv,
540	ctx->unprocessed_data, input, output ) ) )
541	{
542	return( ret );
543	}
544
545	*olen = ilen;
546
547	return( 0 );
548	}
549	#endif /* MBEDTLS_CIPHER_MODE_CTR */
550
551	#if defined(MBEDTLS_CIPHER_MODE_XTS)
552	if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
553	{
554	if( ctx->unprocessed_len > 0 ) {
555	/* We can only process an entire data unit at a time. */
556	return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
557	}
558
559	ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
560	ctx->operation, ilen, ctx->iv, input, output );
561	if( ret != 0 )
562	{
563	return( ret );
564	}
565
566	*olen = ilen;
567
568	return( 0 );
569	}
570	#endif /* MBEDTLS_CIPHER_MODE_XTS */
571
572	#if defined(MBEDTLS_CIPHER_MODE_STREAM)
573	if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
574	{
575	if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
576	ilen, input, output ) ) )
577	{
578	return( ret );
579	}
580
581	*olen = ilen;
582
583	return( 0 );
584	}
585	#endif /* MBEDTLS_CIPHER_MODE_STREAM */
586
587	return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
588	}
589
590	#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
591	#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
592	/*
593	* PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
594	*/
595	static void add_pkcs_padding( unsigned char *output, size_t output_len,
596	size_t data_len )
597	{
598	size_t padding_len = output_len - data_len;
599	unsigned char i;
600
601	for( i = 0; i < padding_len; i++ )
602	output[data_len + i] = (unsigned char) padding_len;
603	}
604
605	static int get_pkcs_padding( unsigned char *input, size_t input_len,
606	size_t *data_len )
607	{
608	size_t i, pad_idx;
609	unsigned char padding_len, bad = 0;
610
611	if( NULL == input \|\| NULL == data_len )
612	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
613
614	padding_len = input[input_len - 1];
615	*data_len = input_len - padding_len;
616
617	/* Avoid logical \|\| since it results in a branch */
618	bad \|= padding_len > input_len;
619	bad \|= padding_len == 0;
620
621	/* The number of bytes checked must be independent of padding_len,
622	* so pick input_len, which is usually 8 or 16 (one block) */
623	pad_idx = input_len - padding_len;
624	for( i = 0; i < input_len; i++ )
625	bad \|= ( input[i] ^ padding_len ) * ( i >= pad_idx );
626
627	return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
628	}
629	#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
630
631	#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
632	/*
633	* One and zeros padding: fill with 80 00 ... 00
634	*/
635	static void add_one_and_zeros_padding( unsigned char *output,
636	size_t output_len, size_t data_len )
637	{
638	size_t padding_len = output_len - data_len;
639	unsigned char i = 0;
640
641	output[data_len] = 0x80;
642	for( i = 1; i < padding_len; i++ )
643	output[data_len + i] = 0x00;
644	}
645
646	static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
647	size_t *data_len )
648	{
649	size_t i;
650	unsigned char done = 0, prev_done, bad;
651
652	if( NULL == input \|\| NULL == data_len )
653	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
654
655	bad = 0x80;
656	*data_len = 0;
657	for( i = input_len; i > 0; i-- )
658	{
659	prev_done = done;
660	done \|= ( input[i - 1] != 0 );
661	data_len \|= ( i - 1 ) ( done != prev_done );
662	bad ^= input[i - 1] * ( done != prev_done );
663	}
664
665	return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
666
667	}
668	#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
669
670	#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
671	/*
672	* Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
673	*/
674	static void add_zeros_and_len_padding( unsigned char *output,
675	size_t output_len, size_t data_len )
676	{
677	size_t padding_len = output_len - data_len;
678	unsigned char i = 0;
679
680	for( i = 1; i < padding_len; i++ )
681	output[data_len + i - 1] = 0x00;
682	output[output_len - 1] = (unsigned char) padding_len;
683	}
684
685	static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
686	size_t *data_len )
687	{
688	size_t i, pad_idx;
689	unsigned char padding_len, bad = 0;
690
691	if( NULL == input \|\| NULL == data_len )
692	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
693
694	padding_len = input[input_len - 1];
695	*data_len = input_len - padding_len;
696
697	/* Avoid logical \|\| since it results in a branch */
698	bad \|= padding_len > input_len;
699	bad \|= padding_len == 0;
700
701	/* The number of bytes checked must be independent of padding_len */
702	pad_idx = input_len - padding_len;
703	for( i = 0; i < input_len - 1; i++ )
704	bad \|= input[i] * ( i >= pad_idx );
705
706	return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
707	}
708	#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
709
710	#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
711	/*
712	* Zero padding: fill with 00 ... 00
713	*/
714	static void add_zeros_padding( unsigned char *output,
715	size_t output_len, size_t data_len )
716	{
717	size_t i;
718
719	for( i = data_len; i < output_len; i++ )
720	output[i] = 0x00;
721	}
722
723	static int get_zeros_padding( unsigned char *input, size_t input_len,
724	size_t *data_len )
725	{
726	size_t i;
727	unsigned char done = 0, prev_done;
728
729	if( NULL == input \|\| NULL == data_len )
730	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
731
732	*data_len = 0;
733	for( i = input_len; i > 0; i-- )
734	{
735	prev_done = done;
736	done \|= ( input[i-1] != 0 );
737	data_len \|= i ( done != prev_done );
738	}
739
740	return( 0 );
741	}
742	#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
743
744	/*
745	* No padding: don't pad :)
746	*
747	* There is no add_padding function (check for NULL in mbedtls_cipher_finish)
748	* but a trivial get_padding function
749	*/
750	static int get_no_padding( unsigned char *input, size_t input_len,
751	size_t *data_len )
752	{
753	if( NULL == input \|\| NULL == data_len )
754	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
755
756	*data_len = input_len;
757
758	return( 0 );
759	}
760	#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
761
762	int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
763	unsigned char output, size_t olen )
764	{
765	CIPHER_VALIDATE_RET( ctx != NULL );
766	CIPHER_VALIDATE_RET( output != NULL );
767	CIPHER_VALIDATE_RET( olen != NULL );
768	if( ctx->cipher_info == NULL )
769	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
770
771	*olen = 0;
772
773	if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode \|\|
774	MBEDTLS_MODE_OFB == ctx->cipher_info->mode \|\|
775	MBEDTLS_MODE_CTR == ctx->cipher_info->mode \|\|
776	MBEDTLS_MODE_GCM == ctx->cipher_info->mode \|\|
777	MBEDTLS_MODE_XTS == ctx->cipher_info->mode \|\|
778	MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
779	{
780	return( 0 );
781	}
782
783	if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) \|\|
784	( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
785	{
786	return( 0 );
787	}
788
789	if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
790	{
791	if( ctx->unprocessed_len != 0 )
792	return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
793
794	return( 0 );
795	}
796
797	#if defined(MBEDTLS_CIPHER_MODE_CBC)
798	if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
799	{
800	int ret = 0;
801
802	if( MBEDTLS_ENCRYPT == ctx->operation )
803	{
804	/* check for 'no padding' mode */
805	if( NULL == ctx->add_padding )
806	{
807	if( 0 != ctx->unprocessed_len )
808	return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
809
810	return( 0 );
811	}
812
813	ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
814	ctx->unprocessed_len );
815	}
816	else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
817	{
818	/*
819	* For decrypt operations, expect a full block,
820	* or an empty block if no padding
821	*/
822	if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
823	return( 0 );
824
825	return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
826	}
827
828	/* cipher block */
829	if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
830	ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
831	ctx->unprocessed_data, output ) ) )
832	{
833	return( ret );
834	}
835
836	/* Set output size for decryption */
837	if( MBEDTLS_DECRYPT == ctx->operation )
838	return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
839	olen ) );
840
841	/* Set output size for encryption */
842	*olen = mbedtls_cipher_get_block_size( ctx );
843	return( 0 );
844	}
845	#else
846	((void) output);
847	#endif /* MBEDTLS_CIPHER_MODE_CBC */
848
849	return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
850	}
851
852	#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
853	int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
854	mbedtls_cipher_padding_t mode )
855	{
856	CIPHER_VALIDATE_RET( ctx != NULL );
857
858	if( NULL == ctx->cipher_info \|\| MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
859	{
860	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
861	}
862
863	switch( mode )
864	{
865	#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
866	case MBEDTLS_PADDING_PKCS7:
867	ctx->add_padding = add_pkcs_padding;
868	ctx->get_padding = get_pkcs_padding;
869	break;
870	#endif
871	#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
872	case MBEDTLS_PADDING_ONE_AND_ZEROS:
873	ctx->add_padding = add_one_and_zeros_padding;
874	ctx->get_padding = get_one_and_zeros_padding;
875	break;
876	#endif
877	#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
878	case MBEDTLS_PADDING_ZEROS_AND_LEN:
879	ctx->add_padding = add_zeros_and_len_padding;
880	ctx->get_padding = get_zeros_and_len_padding;
881	break;
882	#endif
883	#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
884	case MBEDTLS_PADDING_ZEROS:
885	ctx->add_padding = add_zeros_padding;
886	ctx->get_padding = get_zeros_padding;
887	break;
888	#endif
889	case MBEDTLS_PADDING_NONE:
890	ctx->add_padding = NULL;
891	ctx->get_padding = get_no_padding;
892	break;
893
894	default:
895	return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
896	}
897
898	return( 0 );
899	}
900	#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
901
902	#if defined(MBEDTLS_GCM_C) \|\| defined(MBEDTLS_CHACHAPOLY_C)
903	int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
904	unsigned char *tag, size_t tag_len )
905	{
906	CIPHER_VALIDATE_RET( ctx != NULL );
907	CIPHER_VALIDATE_RET( tag_len == 0 \|\| tag != NULL );
908	if( ctx->cipher_info == NULL )
909	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
910
911	if( MBEDTLS_ENCRYPT != ctx->operation )
912	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
913
914	#if defined(MBEDTLS_GCM_C)
915	if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
916	return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
917	tag, tag_len ) );
918	#endif
919
920	#if defined(MBEDTLS_CHACHAPOLY_C)
921	if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
922	{
923	/* Don't allow truncated MAC for Poly1305 */
924	if ( tag_len != 16U )
925	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
926
927	return( mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
928	tag ) );
929	}
930	#endif
931
932	return( 0 );
933	}
934
935	int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
936	const unsigned char *tag, size_t tag_len )
937	{
938	unsigned char check_tag[16];
939	int ret;
940
941	CIPHER_VALIDATE_RET( ctx != NULL );
942	CIPHER_VALIDATE_RET( tag_len == 0 \|\| tag != NULL );
943	if( ctx->cipher_info == NULL )
944	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
945
946	if( MBEDTLS_DECRYPT != ctx->operation )
947	{
948	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
949	}
950
951	#if defined(MBEDTLS_GCM_C)
952	if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
953	{
954	if( tag_len > sizeof( check_tag ) )
955	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
956
957	if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
958	check_tag, tag_len ) ) )
959	{
960	return( ret );
961	}
962
963	/* Check the tag in "constant-time" */
964	if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
965	return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
966
967	return( 0 );
968	}
969	#endif /* MBEDTLS_GCM_C */
970
971	#if defined(MBEDTLS_CHACHAPOLY_C)
972	if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
973	{
974	/* Don't allow truncated MAC for Poly1305 */
975	if ( tag_len != sizeof( check_tag ) )
976	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
977
978	ret = mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
979	check_tag );
980	if ( ret != 0 )
981	{
982	return( ret );
983	}
984
985	/* Check the tag in "constant-time" */
986	if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
987	return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
988
989	return( 0 );
990	}
991	#endif /* MBEDTLS_CHACHAPOLY_C */
992
993	return( 0 );
994	}
995	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CHACHAPOLY_C */
996
997	/*
998	* Packet-oriented wrapper for non-AEAD modes
999	*/
1000	int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
1001	const unsigned char *iv, size_t iv_len,
1002	const unsigned char *input, size_t ilen,
1003	unsigned char output, size_t olen )
1004	{
1005	int ret;
1006	size_t finish_olen;
1007
1008	CIPHER_VALIDATE_RET( ctx != NULL );
1009	CIPHER_VALIDATE_RET( iv_len == 0 \|\| iv != NULL );
1010	CIPHER_VALIDATE_RET( ilen == 0 \|\| input != NULL );
1011	CIPHER_VALIDATE_RET( output != NULL );
1012	CIPHER_VALIDATE_RET( olen != NULL );
1013
1014	if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
1015	return( ret );
1016
1017	if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
1018	return( ret );
1019
1020	if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
1021	return( ret );
1022
1023	if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
1024	return( ret );
1025
1026	*olen += finish_olen;
1027
1028	return( 0 );
1029	}
1030
1031	#if defined(MBEDTLS_CIPHER_MODE_AEAD)
1032	/*
1033	* Packet-oriented encryption for AEAD modes
1034	*/
1035	int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
1036	const unsigned char *iv, size_t iv_len,
1037	const unsigned char *ad, size_t ad_len,
1038	const unsigned char *input, size_t ilen,
1039	unsigned char output, size_t olen,
1040	unsigned char *tag, size_t tag_len )
1041	{
1042	CIPHER_VALIDATE_RET( ctx != NULL );
1043	CIPHER_VALIDATE_RET( iv != NULL );
1044	CIPHER_VALIDATE_RET( ad_len == 0 \|\| ad != NULL );
1045	CIPHER_VALIDATE_RET( ilen == 0 \|\| input != NULL );
1046	CIPHER_VALIDATE_RET( output != NULL );
1047	CIPHER_VALIDATE_RET( olen != NULL );
1048	CIPHER_VALIDATE_RET( tag_len == 0 \|\| tag != NULL );
1049
1050	#if defined(MBEDTLS_GCM_C)
1051	if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1052	{
1053	*olen = ilen;
1054	return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
1055	iv, iv_len, ad, ad_len, input, output,
1056	tag_len, tag ) );
1057	}
1058	#endif /* MBEDTLS_GCM_C */
1059	#if defined(MBEDTLS_CCM_C)
1060	if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1061	{
1062	*olen = ilen;
1063	return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
1064	iv, iv_len, ad, ad_len, input, output,
1065	tag, tag_len ) );
1066	}
1067	#endif /* MBEDTLS_CCM_C */
1068	#if defined(MBEDTLS_CHACHAPOLY_C)
1069	if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1070	{
1071	/* ChachaPoly has fixed length nonce and MAC (tag) */
1072	if ( ( iv_len != ctx->cipher_info->iv_size ) \|\|
1073	( tag_len != 16U ) )
1074	{
1075	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1076	}
1077
1078	*olen = ilen;
1079	return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
1080	ilen, iv, ad, ad_len, input, output, tag ) );
1081	}
1082	#endif /* MBEDTLS_CHACHAPOLY_C */
1083
1084	return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1085	}
1086
1087	/*
1088	* Packet-oriented decryption for AEAD modes
1089	*/
1090	int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
1091	const unsigned char *iv, size_t iv_len,
1092	const unsigned char *ad, size_t ad_len,
1093	const unsigned char *input, size_t ilen,
1094	unsigned char output, size_t olen,
1095	const unsigned char *tag, size_t tag_len )
1096	{
1097	CIPHER_VALIDATE_RET( ctx != NULL );
1098	CIPHER_VALIDATE_RET( iv != NULL );
1099	CIPHER_VALIDATE_RET( ad_len == 0 \|\| ad != NULL );
1100	CIPHER_VALIDATE_RET( ilen == 0 \|\| input != NULL );
1101	CIPHER_VALIDATE_RET( output != NULL );
1102	CIPHER_VALIDATE_RET( olen != NULL );
1103	CIPHER_VALIDATE_RET( tag_len == 0 \|\| tag != NULL );
1104
1105	#if defined(MBEDTLS_GCM_C)
1106	if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1107	{
1108	int ret;
1109
1110	*olen = ilen;
1111	ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
1112	iv, iv_len, ad, ad_len,
1113	tag, tag_len, input, output );
1114
1115	if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
1116	ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1117
1118	return( ret );
1119	}
1120	#endif /* MBEDTLS_GCM_C */
1121	#if defined(MBEDTLS_CCM_C)
1122	if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1123	{
1124	int ret;
1125
1126	*olen = ilen;
1127	ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
1128	iv, iv_len, ad, ad_len,
1129	input, output, tag, tag_len );
1130
1131	if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
1132	ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1133
1134	return( ret );
1135	}
1136	#endif /* MBEDTLS_CCM_C */
1137	#if defined(MBEDTLS_CHACHAPOLY_C)
1138	if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1139	{
1140	int ret;
1141
1142	/* ChachaPoly has fixed length nonce and MAC (tag) */
1143	if ( ( iv_len != ctx->cipher_info->iv_size ) \|\|
1144	( tag_len != 16U ) )
1145	{
1146	return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1147	}
1148
1149	*olen = ilen;
1150	ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
1151	iv, ad, ad_len, tag, input, output );
1152
1153	if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
1154	ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1155
1156	return( ret );
1157	}
1158	#endif /* MBEDTLS_CHACHAPOLY_C */
1159
1160	return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1161	}
1162	#endif /* MBEDTLS_CIPHER_MODE_AEAD */
1163
1164	#endif /* MBEDTLS_CIPHER_C */

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: azure_iot_hub_mbedtls/trunk/mbedtls-2.16.1/library/cipher.c@ 398

Download in other formats: