1 | /**
|
---|
2 | * \file cipher.c
|
---|
3 | *
|
---|
4 | * \brief Generic cipher wrapper for mbed TLS
|
---|
5 | *
|
---|
6 | * \author Adriaan de Jong <dejong@fox-it.com>
|
---|
7 | *
|
---|
8 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
---|
9 | * SPDX-License-Identifier: Apache-2.0
|
---|
10 | *
|
---|
11 | * Licensed under the Apache License, Version 2.0 (the "License"); you may
|
---|
12 | * not use this file except in compliance with the License.
|
---|
13 | * You may obtain a copy of the License at
|
---|
14 | *
|
---|
15 | * http://www.apache.org/licenses/LICENSE-2.0
|
---|
16 | *
|
---|
17 | * Unless required by applicable law or agreed to in writing, software
|
---|
18 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
---|
19 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
---|
20 | * See the License for the specific language governing permissions and
|
---|
21 | * limitations under the License.
|
---|
22 | *
|
---|
23 | * This file is part of mbed TLS (https://tls.mbed.org)
|
---|
24 | */
|
---|
25 |
|
---|
26 | #if !defined(MBEDTLS_CONFIG_FILE)
|
---|
27 | #include "mbedtls/config.h"
|
---|
28 | #else
|
---|
29 | #include MBEDTLS_CONFIG_FILE
|
---|
30 | #endif
|
---|
31 |
|
---|
32 | #if defined(MBEDTLS_CIPHER_C)
|
---|
33 |
|
---|
34 | #include "mbedtls/cipher.h"
|
---|
35 | #include "mbedtls/cipher_internal.h"
|
---|
36 | #include "mbedtls/platform_util.h"
|
---|
37 |
|
---|
38 | #include <stdlib.h>
|
---|
39 | #include <string.h>
|
---|
40 |
|
---|
41 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
42 | #include "mbedtls/chachapoly.h"
|
---|
43 | #endif
|
---|
44 |
|
---|
45 | #if defined(MBEDTLS_GCM_C)
|
---|
46 | #include "mbedtls/gcm.h"
|
---|
47 | #endif
|
---|
48 |
|
---|
49 | #if defined(MBEDTLS_CCM_C)
|
---|
50 | #include "mbedtls/ccm.h"
|
---|
51 | #endif
|
---|
52 |
|
---|
53 | #if defined(MBEDTLS_CHACHA20_C)
|
---|
54 | #include "mbedtls/chacha20.h"
|
---|
55 | #endif
|
---|
56 |
|
---|
57 | #if defined(MBEDTLS_CMAC_C)
|
---|
58 | #include "mbedtls/cmac.h"
|
---|
59 | #endif
|
---|
60 |
|
---|
61 | #if defined(MBEDTLS_PLATFORM_C)
|
---|
62 | #include "mbedtls/platform.h"
|
---|
63 | #else
|
---|
64 | #define mbedtls_calloc calloc
|
---|
65 | #define mbedtls_free free
|
---|
66 | #endif
|
---|
67 |
|
---|
68 | #define CIPHER_VALIDATE_RET( cond ) \
|
---|
69 | MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
|
---|
70 | #define CIPHER_VALIDATE( cond ) \
|
---|
71 | MBEDTLS_INTERNAL_VALIDATE( cond )
|
---|
72 |
|
---|
73 | #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
---|
74 | /* Compare the contents of two buffers in constant time.
|
---|
75 | * Returns 0 if the contents are bitwise identical, otherwise returns
|
---|
76 | * a non-zero value.
|
---|
77 | * This is currently only used by GCM and ChaCha20+Poly1305.
|
---|
78 | */
|
---|
79 | static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, size_t len )
|
---|
80 | {
|
---|
81 | const unsigned char *p1 = (const unsigned char*) v1;
|
---|
82 | const unsigned char *p2 = (const unsigned char*) v2;
|
---|
83 | size_t i;
|
---|
84 | unsigned char diff;
|
---|
85 |
|
---|
86 | for( diff = 0, i = 0; i < len; i++ )
|
---|
87 | diff |= p1[i] ^ p2[i];
|
---|
88 |
|
---|
89 | return( (int)diff );
|
---|
90 | }
|
---|
91 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
|
---|
92 |
|
---|
93 | static int supported_init = 0;
|
---|
94 |
|
---|
95 | const int *mbedtls_cipher_list( void )
|
---|
96 | {
|
---|
97 | const mbedtls_cipher_definition_t *def;
|
---|
98 | int *type;
|
---|
99 |
|
---|
100 | if( ! supported_init )
|
---|
101 | {
|
---|
102 | def = mbedtls_cipher_definitions;
|
---|
103 | type = mbedtls_cipher_supported;
|
---|
104 |
|
---|
105 | while( def->type != 0 )
|
---|
106 | *type++ = (*def++).type;
|
---|
107 |
|
---|
108 | *type = 0;
|
---|
109 |
|
---|
110 | supported_init = 1;
|
---|
111 | }
|
---|
112 |
|
---|
113 | return( mbedtls_cipher_supported );
|
---|
114 | }
|
---|
115 |
|
---|
116 | const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type )
|
---|
117 | {
|
---|
118 | const mbedtls_cipher_definition_t *def;
|
---|
119 |
|
---|
120 | for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
|
---|
121 | if( def->type == cipher_type )
|
---|
122 | return( def->info );
|
---|
123 |
|
---|
124 | return( NULL );
|
---|
125 | }
|
---|
126 |
|
---|
127 | const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name )
|
---|
128 | {
|
---|
129 | const mbedtls_cipher_definition_t *def;
|
---|
130 |
|
---|
131 | if( NULL == cipher_name )
|
---|
132 | return( NULL );
|
---|
133 |
|
---|
134 | for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
|
---|
135 | if( ! strcmp( def->info->name, cipher_name ) )
|
---|
136 | return( def->info );
|
---|
137 |
|
---|
138 | return( NULL );
|
---|
139 | }
|
---|
140 |
|
---|
141 | const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
|
---|
142 | int key_bitlen,
|
---|
143 | const mbedtls_cipher_mode_t mode )
|
---|
144 | {
|
---|
145 | const mbedtls_cipher_definition_t *def;
|
---|
146 |
|
---|
147 | for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
|
---|
148 | if( def->info->base->cipher == cipher_id &&
|
---|
149 | def->info->key_bitlen == (unsigned) key_bitlen &&
|
---|
150 | def->info->mode == mode )
|
---|
151 | return( def->info );
|
---|
152 |
|
---|
153 | return( NULL );
|
---|
154 | }
|
---|
155 |
|
---|
156 | void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
|
---|
157 | {
|
---|
158 | CIPHER_VALIDATE( ctx != NULL );
|
---|
159 | memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
|
---|
160 | }
|
---|
161 |
|
---|
162 | void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
|
---|
163 | {
|
---|
164 | if( ctx == NULL )
|
---|
165 | return;
|
---|
166 |
|
---|
167 | #if defined(MBEDTLS_CMAC_C)
|
---|
168 | if( ctx->cmac_ctx )
|
---|
169 | {
|
---|
170 | mbedtls_platform_zeroize( ctx->cmac_ctx,
|
---|
171 | sizeof( mbedtls_cmac_context_t ) );
|
---|
172 | mbedtls_free( ctx->cmac_ctx );
|
---|
173 | }
|
---|
174 | #endif
|
---|
175 |
|
---|
176 | if( ctx->cipher_ctx )
|
---|
177 | ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
|
---|
178 |
|
---|
179 | mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
|
---|
180 | }
|
---|
181 |
|
---|
182 | int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
|
---|
183 | {
|
---|
184 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
185 | if( cipher_info == NULL )
|
---|
186 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
187 |
|
---|
188 | memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
|
---|
189 |
|
---|
190 | if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
|
---|
191 | return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
|
---|
192 |
|
---|
193 | ctx->cipher_info = cipher_info;
|
---|
194 |
|
---|
195 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
---|
196 | /*
|
---|
197 | * Ignore possible errors caused by a cipher mode that doesn't use padding
|
---|
198 | */
|
---|
199 | #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
---|
200 | (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
|
---|
201 | #else
|
---|
202 | (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
|
---|
203 | #endif
|
---|
204 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
---|
205 |
|
---|
206 | return( 0 );
|
---|
207 | }
|
---|
208 |
|
---|
209 | int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
|
---|
210 | const unsigned char *key,
|
---|
211 | int key_bitlen,
|
---|
212 | const mbedtls_operation_t operation )
|
---|
213 | {
|
---|
214 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
215 | CIPHER_VALIDATE_RET( key != NULL );
|
---|
216 | CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
|
---|
217 | operation == MBEDTLS_DECRYPT );
|
---|
218 | if( ctx->cipher_info == NULL )
|
---|
219 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
220 |
|
---|
221 | if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
|
---|
222 | (int) ctx->cipher_info->key_bitlen != key_bitlen )
|
---|
223 | {
|
---|
224 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
225 | }
|
---|
226 |
|
---|
227 | ctx->key_bitlen = key_bitlen;
|
---|
228 | ctx->operation = operation;
|
---|
229 |
|
---|
230 | /*
|
---|
231 | * For OFB, CFB and CTR mode always use the encryption key schedule
|
---|
232 | */
|
---|
233 | if( MBEDTLS_ENCRYPT == operation ||
|
---|
234 | MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
|
---|
235 | MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
|
---|
236 | MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
|
---|
237 | {
|
---|
238 | return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
|
---|
239 | ctx->key_bitlen ) );
|
---|
240 | }
|
---|
241 |
|
---|
242 | if( MBEDTLS_DECRYPT == operation )
|
---|
243 | return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
|
---|
244 | ctx->key_bitlen ) );
|
---|
245 |
|
---|
246 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
247 | }
|
---|
248 |
|
---|
249 | int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
|
---|
250 | const unsigned char *iv,
|
---|
251 | size_t iv_len )
|
---|
252 | {
|
---|
253 | size_t actual_iv_size;
|
---|
254 |
|
---|
255 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
256 | CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
|
---|
257 | if( ctx->cipher_info == NULL )
|
---|
258 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
259 |
|
---|
260 | /* avoid buffer overflow in ctx->iv */
|
---|
261 | if( iv_len > MBEDTLS_MAX_IV_LENGTH )
|
---|
262 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
263 |
|
---|
264 | if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
|
---|
265 | actual_iv_size = iv_len;
|
---|
266 | else
|
---|
267 | {
|
---|
268 | actual_iv_size = ctx->cipher_info->iv_size;
|
---|
269 |
|
---|
270 | /* avoid reading past the end of input buffer */
|
---|
271 | if( actual_iv_size > iv_len )
|
---|
272 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
273 | }
|
---|
274 |
|
---|
275 | #if defined(MBEDTLS_CHACHA20_C)
|
---|
276 | if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
|
---|
277 | {
|
---|
278 | if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
|
---|
279 | iv,
|
---|
280 | 0U ) ) /* Initial counter value */
|
---|
281 | {
|
---|
282 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
283 | }
|
---|
284 | }
|
---|
285 | #endif
|
---|
286 |
|
---|
287 | if ( actual_iv_size != 0 )
|
---|
288 | {
|
---|
289 | memcpy( ctx->iv, iv, actual_iv_size );
|
---|
290 | ctx->iv_size = actual_iv_size;
|
---|
291 | }
|
---|
292 |
|
---|
293 | return( 0 );
|
---|
294 | }
|
---|
295 |
|
---|
296 | int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
|
---|
297 | {
|
---|
298 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
299 | if( ctx->cipher_info == NULL )
|
---|
300 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
301 |
|
---|
302 | ctx->unprocessed_len = 0;
|
---|
303 |
|
---|
304 | return( 0 );
|
---|
305 | }
|
---|
306 |
|
---|
307 | #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
---|
308 | int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
|
---|
309 | const unsigned char *ad, size_t ad_len )
|
---|
310 | {
|
---|
311 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
312 | CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
|
---|
313 | if( ctx->cipher_info == NULL )
|
---|
314 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
315 |
|
---|
316 | #if defined(MBEDTLS_GCM_C)
|
---|
317 | if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
|
---|
318 | {
|
---|
319 | return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
|
---|
320 | ctx->iv, ctx->iv_size, ad, ad_len ) );
|
---|
321 | }
|
---|
322 | #endif
|
---|
323 |
|
---|
324 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
325 | if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
|
---|
326 | {
|
---|
327 | int result;
|
---|
328 | mbedtls_chachapoly_mode_t mode;
|
---|
329 |
|
---|
330 | mode = ( ctx->operation == MBEDTLS_ENCRYPT )
|
---|
331 | ? MBEDTLS_CHACHAPOLY_ENCRYPT
|
---|
332 | : MBEDTLS_CHACHAPOLY_DECRYPT;
|
---|
333 |
|
---|
334 | result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
|
---|
335 | ctx->iv,
|
---|
336 | mode );
|
---|
337 | if ( result != 0 )
|
---|
338 | return( result );
|
---|
339 |
|
---|
340 | return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
|
---|
341 | ad, ad_len ) );
|
---|
342 | }
|
---|
343 | #endif
|
---|
344 |
|
---|
345 | return( 0 );
|
---|
346 | }
|
---|
347 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
|
---|
348 |
|
---|
349 | int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
|
---|
350 | size_t ilen, unsigned char *output, size_t *olen )
|
---|
351 | {
|
---|
352 | int ret;
|
---|
353 | size_t block_size;
|
---|
354 |
|
---|
355 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
356 | CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
|
---|
357 | CIPHER_VALIDATE_RET( output != NULL );
|
---|
358 | CIPHER_VALIDATE_RET( olen != NULL );
|
---|
359 | if( ctx->cipher_info == NULL )
|
---|
360 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
361 |
|
---|
362 | *olen = 0;
|
---|
363 | block_size = mbedtls_cipher_get_block_size( ctx );
|
---|
364 |
|
---|
365 | if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
|
---|
366 | {
|
---|
367 | if( ilen != block_size )
|
---|
368 | return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
|
---|
369 |
|
---|
370 | *olen = ilen;
|
---|
371 |
|
---|
372 | if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
|
---|
373 | ctx->operation, input, output ) ) )
|
---|
374 | {
|
---|
375 | return( ret );
|
---|
376 | }
|
---|
377 |
|
---|
378 | return( 0 );
|
---|
379 | }
|
---|
380 |
|
---|
381 | #if defined(MBEDTLS_GCM_C)
|
---|
382 | if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
|
---|
383 | {
|
---|
384 | *olen = ilen;
|
---|
385 | return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
|
---|
386 | output ) );
|
---|
387 | }
|
---|
388 | #endif
|
---|
389 |
|
---|
390 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
391 | if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
|
---|
392 | {
|
---|
393 | *olen = ilen;
|
---|
394 | return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
|
---|
395 | ilen, input, output ) );
|
---|
396 | }
|
---|
397 | #endif
|
---|
398 |
|
---|
399 | if ( 0 == block_size )
|
---|
400 | {
|
---|
401 | return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
|
---|
402 | }
|
---|
403 |
|
---|
404 | if( input == output &&
|
---|
405 | ( ctx->unprocessed_len != 0 || ilen % block_size ) )
|
---|
406 | {
|
---|
407 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
408 | }
|
---|
409 |
|
---|
410 | #if defined(MBEDTLS_CIPHER_MODE_CBC)
|
---|
411 | if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
|
---|
412 | {
|
---|
413 | size_t copy_len = 0;
|
---|
414 |
|
---|
415 | /*
|
---|
416 | * If there is not enough data for a full block, cache it.
|
---|
417 | */
|
---|
418 | if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
|
---|
419 | ilen <= block_size - ctx->unprocessed_len ) ||
|
---|
420 | ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
|
---|
421 | ilen < block_size - ctx->unprocessed_len ) ||
|
---|
422 | ( ctx->operation == MBEDTLS_ENCRYPT &&
|
---|
423 | ilen < block_size - ctx->unprocessed_len ) )
|
---|
424 | {
|
---|
425 | memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
|
---|
426 | ilen );
|
---|
427 |
|
---|
428 | ctx->unprocessed_len += ilen;
|
---|
429 | return( 0 );
|
---|
430 | }
|
---|
431 |
|
---|
432 | /*
|
---|
433 | * Process cached data first
|
---|
434 | */
|
---|
435 | if( 0 != ctx->unprocessed_len )
|
---|
436 | {
|
---|
437 | copy_len = block_size - ctx->unprocessed_len;
|
---|
438 |
|
---|
439 | memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
|
---|
440 | copy_len );
|
---|
441 |
|
---|
442 | if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
|
---|
443 | ctx->operation, block_size, ctx->iv,
|
---|
444 | ctx->unprocessed_data, output ) ) )
|
---|
445 | {
|
---|
446 | return( ret );
|
---|
447 | }
|
---|
448 |
|
---|
449 | *olen += block_size;
|
---|
450 | output += block_size;
|
---|
451 | ctx->unprocessed_len = 0;
|
---|
452 |
|
---|
453 | input += copy_len;
|
---|
454 | ilen -= copy_len;
|
---|
455 | }
|
---|
456 |
|
---|
457 | /*
|
---|
458 | * Cache final, incomplete block
|
---|
459 | */
|
---|
460 | if( 0 != ilen )
|
---|
461 | {
|
---|
462 | if( 0 == block_size )
|
---|
463 | {
|
---|
464 | return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
|
---|
465 | }
|
---|
466 |
|
---|
467 | /* Encryption: only cache partial blocks
|
---|
468 | * Decryption w/ padding: always keep at least one whole block
|
---|
469 | * Decryption w/o padding: only cache partial blocks
|
---|
470 | */
|
---|
471 | copy_len = ilen % block_size;
|
---|
472 | if( copy_len == 0 &&
|
---|
473 | ctx->operation == MBEDTLS_DECRYPT &&
|
---|
474 | NULL != ctx->add_padding)
|
---|
475 | {
|
---|
476 | copy_len = block_size;
|
---|
477 | }
|
---|
478 |
|
---|
479 | memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
|
---|
480 | copy_len );
|
---|
481 |
|
---|
482 | ctx->unprocessed_len += copy_len;
|
---|
483 | ilen -= copy_len;
|
---|
484 | }
|
---|
485 |
|
---|
486 | /*
|
---|
487 | * Process remaining full blocks
|
---|
488 | */
|
---|
489 | if( ilen )
|
---|
490 | {
|
---|
491 | if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
|
---|
492 | ctx->operation, ilen, ctx->iv, input, output ) ) )
|
---|
493 | {
|
---|
494 | return( ret );
|
---|
495 | }
|
---|
496 |
|
---|
497 | *olen += ilen;
|
---|
498 | }
|
---|
499 |
|
---|
500 | return( 0 );
|
---|
501 | }
|
---|
502 | #endif /* MBEDTLS_CIPHER_MODE_CBC */
|
---|
503 |
|
---|
504 | #if defined(MBEDTLS_CIPHER_MODE_CFB)
|
---|
505 | if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
|
---|
506 | {
|
---|
507 | if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
|
---|
508 | ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
|
---|
509 | input, output ) ) )
|
---|
510 | {
|
---|
511 | return( ret );
|
---|
512 | }
|
---|
513 |
|
---|
514 | *olen = ilen;
|
---|
515 |
|
---|
516 | return( 0 );
|
---|
517 | }
|
---|
518 | #endif /* MBEDTLS_CIPHER_MODE_CFB */
|
---|
519 |
|
---|
520 | #if defined(MBEDTLS_CIPHER_MODE_OFB)
|
---|
521 | if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
|
---|
522 | {
|
---|
523 | if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
|
---|
524 | ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
|
---|
525 | {
|
---|
526 | return( ret );
|
---|
527 | }
|
---|
528 |
|
---|
529 | *olen = ilen;
|
---|
530 |
|
---|
531 | return( 0 );
|
---|
532 | }
|
---|
533 | #endif /* MBEDTLS_CIPHER_MODE_OFB */
|
---|
534 |
|
---|
535 | #if defined(MBEDTLS_CIPHER_MODE_CTR)
|
---|
536 | if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
|
---|
537 | {
|
---|
538 | if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
|
---|
539 | ilen, &ctx->unprocessed_len, ctx->iv,
|
---|
540 | ctx->unprocessed_data, input, output ) ) )
|
---|
541 | {
|
---|
542 | return( ret );
|
---|
543 | }
|
---|
544 |
|
---|
545 | *olen = ilen;
|
---|
546 |
|
---|
547 | return( 0 );
|
---|
548 | }
|
---|
549 | #endif /* MBEDTLS_CIPHER_MODE_CTR */
|
---|
550 |
|
---|
551 | #if defined(MBEDTLS_CIPHER_MODE_XTS)
|
---|
552 | if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
|
---|
553 | {
|
---|
554 | if( ctx->unprocessed_len > 0 ) {
|
---|
555 | /* We can only process an entire data unit at a time. */
|
---|
556 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
557 | }
|
---|
558 |
|
---|
559 | ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
|
---|
560 | ctx->operation, ilen, ctx->iv, input, output );
|
---|
561 | if( ret != 0 )
|
---|
562 | {
|
---|
563 | return( ret );
|
---|
564 | }
|
---|
565 |
|
---|
566 | *olen = ilen;
|
---|
567 |
|
---|
568 | return( 0 );
|
---|
569 | }
|
---|
570 | #endif /* MBEDTLS_CIPHER_MODE_XTS */
|
---|
571 |
|
---|
572 | #if defined(MBEDTLS_CIPHER_MODE_STREAM)
|
---|
573 | if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
|
---|
574 | {
|
---|
575 | if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
|
---|
576 | ilen, input, output ) ) )
|
---|
577 | {
|
---|
578 | return( ret );
|
---|
579 | }
|
---|
580 |
|
---|
581 | *olen = ilen;
|
---|
582 |
|
---|
583 | return( 0 );
|
---|
584 | }
|
---|
585 | #endif /* MBEDTLS_CIPHER_MODE_STREAM */
|
---|
586 |
|
---|
587 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
588 | }
|
---|
589 |
|
---|
590 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
---|
591 | #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
---|
592 | /*
|
---|
593 | * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
|
---|
594 | */
|
---|
595 | static void add_pkcs_padding( unsigned char *output, size_t output_len,
|
---|
596 | size_t data_len )
|
---|
597 | {
|
---|
598 | size_t padding_len = output_len - data_len;
|
---|
599 | unsigned char i;
|
---|
600 |
|
---|
601 | for( i = 0; i < padding_len; i++ )
|
---|
602 | output[data_len + i] = (unsigned char) padding_len;
|
---|
603 | }
|
---|
604 |
|
---|
605 | static int get_pkcs_padding( unsigned char *input, size_t input_len,
|
---|
606 | size_t *data_len )
|
---|
607 | {
|
---|
608 | size_t i, pad_idx;
|
---|
609 | unsigned char padding_len, bad = 0;
|
---|
610 |
|
---|
611 | if( NULL == input || NULL == data_len )
|
---|
612 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
613 |
|
---|
614 | padding_len = input[input_len - 1];
|
---|
615 | *data_len = input_len - padding_len;
|
---|
616 |
|
---|
617 | /* Avoid logical || since it results in a branch */
|
---|
618 | bad |= padding_len > input_len;
|
---|
619 | bad |= padding_len == 0;
|
---|
620 |
|
---|
621 | /* The number of bytes checked must be independent of padding_len,
|
---|
622 | * so pick input_len, which is usually 8 or 16 (one block) */
|
---|
623 | pad_idx = input_len - padding_len;
|
---|
624 | for( i = 0; i < input_len; i++ )
|
---|
625 | bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
|
---|
626 |
|
---|
627 | return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
|
---|
628 | }
|
---|
629 | #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
|
---|
630 |
|
---|
631 | #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
|
---|
632 | /*
|
---|
633 | * One and zeros padding: fill with 80 00 ... 00
|
---|
634 | */
|
---|
635 | static void add_one_and_zeros_padding( unsigned char *output,
|
---|
636 | size_t output_len, size_t data_len )
|
---|
637 | {
|
---|
638 | size_t padding_len = output_len - data_len;
|
---|
639 | unsigned char i = 0;
|
---|
640 |
|
---|
641 | output[data_len] = 0x80;
|
---|
642 | for( i = 1; i < padding_len; i++ )
|
---|
643 | output[data_len + i] = 0x00;
|
---|
644 | }
|
---|
645 |
|
---|
646 | static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
|
---|
647 | size_t *data_len )
|
---|
648 | {
|
---|
649 | size_t i;
|
---|
650 | unsigned char done = 0, prev_done, bad;
|
---|
651 |
|
---|
652 | if( NULL == input || NULL == data_len )
|
---|
653 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
654 |
|
---|
655 | bad = 0x80;
|
---|
656 | *data_len = 0;
|
---|
657 | for( i = input_len; i > 0; i-- )
|
---|
658 | {
|
---|
659 | prev_done = done;
|
---|
660 | done |= ( input[i - 1] != 0 );
|
---|
661 | *data_len |= ( i - 1 ) * ( done != prev_done );
|
---|
662 | bad ^= input[i - 1] * ( done != prev_done );
|
---|
663 | }
|
---|
664 |
|
---|
665 | return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
|
---|
666 |
|
---|
667 | }
|
---|
668 | #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
|
---|
669 |
|
---|
670 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
|
---|
671 | /*
|
---|
672 | * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
|
---|
673 | */
|
---|
674 | static void add_zeros_and_len_padding( unsigned char *output,
|
---|
675 | size_t output_len, size_t data_len )
|
---|
676 | {
|
---|
677 | size_t padding_len = output_len - data_len;
|
---|
678 | unsigned char i = 0;
|
---|
679 |
|
---|
680 | for( i = 1; i < padding_len; i++ )
|
---|
681 | output[data_len + i - 1] = 0x00;
|
---|
682 | output[output_len - 1] = (unsigned char) padding_len;
|
---|
683 | }
|
---|
684 |
|
---|
685 | static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
|
---|
686 | size_t *data_len )
|
---|
687 | {
|
---|
688 | size_t i, pad_idx;
|
---|
689 | unsigned char padding_len, bad = 0;
|
---|
690 |
|
---|
691 | if( NULL == input || NULL == data_len )
|
---|
692 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
693 |
|
---|
694 | padding_len = input[input_len - 1];
|
---|
695 | *data_len = input_len - padding_len;
|
---|
696 |
|
---|
697 | /* Avoid logical || since it results in a branch */
|
---|
698 | bad |= padding_len > input_len;
|
---|
699 | bad |= padding_len == 0;
|
---|
700 |
|
---|
701 | /* The number of bytes checked must be independent of padding_len */
|
---|
702 | pad_idx = input_len - padding_len;
|
---|
703 | for( i = 0; i < input_len - 1; i++ )
|
---|
704 | bad |= input[i] * ( i >= pad_idx );
|
---|
705 |
|
---|
706 | return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
|
---|
707 | }
|
---|
708 | #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
|
---|
709 |
|
---|
710 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
|
---|
711 | /*
|
---|
712 | * Zero padding: fill with 00 ... 00
|
---|
713 | */
|
---|
714 | static void add_zeros_padding( unsigned char *output,
|
---|
715 | size_t output_len, size_t data_len )
|
---|
716 | {
|
---|
717 | size_t i;
|
---|
718 |
|
---|
719 | for( i = data_len; i < output_len; i++ )
|
---|
720 | output[i] = 0x00;
|
---|
721 | }
|
---|
722 |
|
---|
723 | static int get_zeros_padding( unsigned char *input, size_t input_len,
|
---|
724 | size_t *data_len )
|
---|
725 | {
|
---|
726 | size_t i;
|
---|
727 | unsigned char done = 0, prev_done;
|
---|
728 |
|
---|
729 | if( NULL == input || NULL == data_len )
|
---|
730 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
731 |
|
---|
732 | *data_len = 0;
|
---|
733 | for( i = input_len; i > 0; i-- )
|
---|
734 | {
|
---|
735 | prev_done = done;
|
---|
736 | done |= ( input[i-1] != 0 );
|
---|
737 | *data_len |= i * ( done != prev_done );
|
---|
738 | }
|
---|
739 |
|
---|
740 | return( 0 );
|
---|
741 | }
|
---|
742 | #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
|
---|
743 |
|
---|
744 | /*
|
---|
745 | * No padding: don't pad :)
|
---|
746 | *
|
---|
747 | * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
|
---|
748 | * but a trivial get_padding function
|
---|
749 | */
|
---|
750 | static int get_no_padding( unsigned char *input, size_t input_len,
|
---|
751 | size_t *data_len )
|
---|
752 | {
|
---|
753 | if( NULL == input || NULL == data_len )
|
---|
754 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
755 |
|
---|
756 | *data_len = input_len;
|
---|
757 |
|
---|
758 | return( 0 );
|
---|
759 | }
|
---|
760 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
---|
761 |
|
---|
762 | int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
|
---|
763 | unsigned char *output, size_t *olen )
|
---|
764 | {
|
---|
765 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
766 | CIPHER_VALIDATE_RET( output != NULL );
|
---|
767 | CIPHER_VALIDATE_RET( olen != NULL );
|
---|
768 | if( ctx->cipher_info == NULL )
|
---|
769 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
770 |
|
---|
771 | *olen = 0;
|
---|
772 |
|
---|
773 | if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
|
---|
774 | MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
|
---|
775 | MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
|
---|
776 | MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
|
---|
777 | MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
|
---|
778 | MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
|
---|
779 | {
|
---|
780 | return( 0 );
|
---|
781 | }
|
---|
782 |
|
---|
783 | if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
|
---|
784 | ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
|
---|
785 | {
|
---|
786 | return( 0 );
|
---|
787 | }
|
---|
788 |
|
---|
789 | if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
|
---|
790 | {
|
---|
791 | if( ctx->unprocessed_len != 0 )
|
---|
792 | return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
|
---|
793 |
|
---|
794 | return( 0 );
|
---|
795 | }
|
---|
796 |
|
---|
797 | #if defined(MBEDTLS_CIPHER_MODE_CBC)
|
---|
798 | if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
|
---|
799 | {
|
---|
800 | int ret = 0;
|
---|
801 |
|
---|
802 | if( MBEDTLS_ENCRYPT == ctx->operation )
|
---|
803 | {
|
---|
804 | /* check for 'no padding' mode */
|
---|
805 | if( NULL == ctx->add_padding )
|
---|
806 | {
|
---|
807 | if( 0 != ctx->unprocessed_len )
|
---|
808 | return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
|
---|
809 |
|
---|
810 | return( 0 );
|
---|
811 | }
|
---|
812 |
|
---|
813 | ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
|
---|
814 | ctx->unprocessed_len );
|
---|
815 | }
|
---|
816 | else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
|
---|
817 | {
|
---|
818 | /*
|
---|
819 | * For decrypt operations, expect a full block,
|
---|
820 | * or an empty block if no padding
|
---|
821 | */
|
---|
822 | if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
|
---|
823 | return( 0 );
|
---|
824 |
|
---|
825 | return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
|
---|
826 | }
|
---|
827 |
|
---|
828 | /* cipher block */
|
---|
829 | if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
|
---|
830 | ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
|
---|
831 | ctx->unprocessed_data, output ) ) )
|
---|
832 | {
|
---|
833 | return( ret );
|
---|
834 | }
|
---|
835 |
|
---|
836 | /* Set output size for decryption */
|
---|
837 | if( MBEDTLS_DECRYPT == ctx->operation )
|
---|
838 | return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
|
---|
839 | olen ) );
|
---|
840 |
|
---|
841 | /* Set output size for encryption */
|
---|
842 | *olen = mbedtls_cipher_get_block_size( ctx );
|
---|
843 | return( 0 );
|
---|
844 | }
|
---|
845 | #else
|
---|
846 | ((void) output);
|
---|
847 | #endif /* MBEDTLS_CIPHER_MODE_CBC */
|
---|
848 |
|
---|
849 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
850 | }
|
---|
851 |
|
---|
852 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
---|
853 | int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
|
---|
854 | mbedtls_cipher_padding_t mode )
|
---|
855 | {
|
---|
856 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
857 |
|
---|
858 | if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
|
---|
859 | {
|
---|
860 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
861 | }
|
---|
862 |
|
---|
863 | switch( mode )
|
---|
864 | {
|
---|
865 | #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
---|
866 | case MBEDTLS_PADDING_PKCS7:
|
---|
867 | ctx->add_padding = add_pkcs_padding;
|
---|
868 | ctx->get_padding = get_pkcs_padding;
|
---|
869 | break;
|
---|
870 | #endif
|
---|
871 | #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
|
---|
872 | case MBEDTLS_PADDING_ONE_AND_ZEROS:
|
---|
873 | ctx->add_padding = add_one_and_zeros_padding;
|
---|
874 | ctx->get_padding = get_one_and_zeros_padding;
|
---|
875 | break;
|
---|
876 | #endif
|
---|
877 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
|
---|
878 | case MBEDTLS_PADDING_ZEROS_AND_LEN:
|
---|
879 | ctx->add_padding = add_zeros_and_len_padding;
|
---|
880 | ctx->get_padding = get_zeros_and_len_padding;
|
---|
881 | break;
|
---|
882 | #endif
|
---|
883 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
|
---|
884 | case MBEDTLS_PADDING_ZEROS:
|
---|
885 | ctx->add_padding = add_zeros_padding;
|
---|
886 | ctx->get_padding = get_zeros_padding;
|
---|
887 | break;
|
---|
888 | #endif
|
---|
889 | case MBEDTLS_PADDING_NONE:
|
---|
890 | ctx->add_padding = NULL;
|
---|
891 | ctx->get_padding = get_no_padding;
|
---|
892 | break;
|
---|
893 |
|
---|
894 | default:
|
---|
895 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
896 | }
|
---|
897 |
|
---|
898 | return( 0 );
|
---|
899 | }
|
---|
900 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
---|
901 |
|
---|
902 | #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
---|
903 | int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
|
---|
904 | unsigned char *tag, size_t tag_len )
|
---|
905 | {
|
---|
906 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
907 | CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
|
---|
908 | if( ctx->cipher_info == NULL )
|
---|
909 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
910 |
|
---|
911 | if( MBEDTLS_ENCRYPT != ctx->operation )
|
---|
912 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
913 |
|
---|
914 | #if defined(MBEDTLS_GCM_C)
|
---|
915 | if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
|
---|
916 | return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
|
---|
917 | tag, tag_len ) );
|
---|
918 | #endif
|
---|
919 |
|
---|
920 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
921 | if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
|
---|
922 | {
|
---|
923 | /* Don't allow truncated MAC for Poly1305 */
|
---|
924 | if ( tag_len != 16U )
|
---|
925 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
926 |
|
---|
927 | return( mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
|
---|
928 | tag ) );
|
---|
929 | }
|
---|
930 | #endif
|
---|
931 |
|
---|
932 | return( 0 );
|
---|
933 | }
|
---|
934 |
|
---|
935 | int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
|
---|
936 | const unsigned char *tag, size_t tag_len )
|
---|
937 | {
|
---|
938 | unsigned char check_tag[16];
|
---|
939 | int ret;
|
---|
940 |
|
---|
941 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
942 | CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
|
---|
943 | if( ctx->cipher_info == NULL )
|
---|
944 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
945 |
|
---|
946 | if( MBEDTLS_DECRYPT != ctx->operation )
|
---|
947 | {
|
---|
948 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
949 | }
|
---|
950 |
|
---|
951 | #if defined(MBEDTLS_GCM_C)
|
---|
952 | if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
|
---|
953 | {
|
---|
954 | if( tag_len > sizeof( check_tag ) )
|
---|
955 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
956 |
|
---|
957 | if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
|
---|
958 | check_tag, tag_len ) ) )
|
---|
959 | {
|
---|
960 | return( ret );
|
---|
961 | }
|
---|
962 |
|
---|
963 | /* Check the tag in "constant-time" */
|
---|
964 | if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
|
---|
965 | return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
|
---|
966 |
|
---|
967 | return( 0 );
|
---|
968 | }
|
---|
969 | #endif /* MBEDTLS_GCM_C */
|
---|
970 |
|
---|
971 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
972 | if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
|
---|
973 | {
|
---|
974 | /* Don't allow truncated MAC for Poly1305 */
|
---|
975 | if ( tag_len != sizeof( check_tag ) )
|
---|
976 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
977 |
|
---|
978 | ret = mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
|
---|
979 | check_tag );
|
---|
980 | if ( ret != 0 )
|
---|
981 | {
|
---|
982 | return( ret );
|
---|
983 | }
|
---|
984 |
|
---|
985 | /* Check the tag in "constant-time" */
|
---|
986 | if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
|
---|
987 | return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
|
---|
988 |
|
---|
989 | return( 0 );
|
---|
990 | }
|
---|
991 | #endif /* MBEDTLS_CHACHAPOLY_C */
|
---|
992 |
|
---|
993 | return( 0 );
|
---|
994 | }
|
---|
995 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
|
---|
996 |
|
---|
997 | /*
|
---|
998 | * Packet-oriented wrapper for non-AEAD modes
|
---|
999 | */
|
---|
1000 | int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
|
---|
1001 | const unsigned char *iv, size_t iv_len,
|
---|
1002 | const unsigned char *input, size_t ilen,
|
---|
1003 | unsigned char *output, size_t *olen )
|
---|
1004 | {
|
---|
1005 | int ret;
|
---|
1006 | size_t finish_olen;
|
---|
1007 |
|
---|
1008 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
1009 | CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
|
---|
1010 | CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
|
---|
1011 | CIPHER_VALIDATE_RET( output != NULL );
|
---|
1012 | CIPHER_VALIDATE_RET( olen != NULL );
|
---|
1013 |
|
---|
1014 | if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
|
---|
1015 | return( ret );
|
---|
1016 |
|
---|
1017 | if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
|
---|
1018 | return( ret );
|
---|
1019 |
|
---|
1020 | if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
|
---|
1021 | return( ret );
|
---|
1022 |
|
---|
1023 | if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
|
---|
1024 | return( ret );
|
---|
1025 |
|
---|
1026 | *olen += finish_olen;
|
---|
1027 |
|
---|
1028 | return( 0 );
|
---|
1029 | }
|
---|
1030 |
|
---|
1031 | #if defined(MBEDTLS_CIPHER_MODE_AEAD)
|
---|
1032 | /*
|
---|
1033 | * Packet-oriented encryption for AEAD modes
|
---|
1034 | */
|
---|
1035 | int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
|
---|
1036 | const unsigned char *iv, size_t iv_len,
|
---|
1037 | const unsigned char *ad, size_t ad_len,
|
---|
1038 | const unsigned char *input, size_t ilen,
|
---|
1039 | unsigned char *output, size_t *olen,
|
---|
1040 | unsigned char *tag, size_t tag_len )
|
---|
1041 | {
|
---|
1042 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
1043 | CIPHER_VALIDATE_RET( iv != NULL );
|
---|
1044 | CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
|
---|
1045 | CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
|
---|
1046 | CIPHER_VALIDATE_RET( output != NULL );
|
---|
1047 | CIPHER_VALIDATE_RET( olen != NULL );
|
---|
1048 | CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
|
---|
1049 |
|
---|
1050 | #if defined(MBEDTLS_GCM_C)
|
---|
1051 | if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
|
---|
1052 | {
|
---|
1053 | *olen = ilen;
|
---|
1054 | return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
|
---|
1055 | iv, iv_len, ad, ad_len, input, output,
|
---|
1056 | tag_len, tag ) );
|
---|
1057 | }
|
---|
1058 | #endif /* MBEDTLS_GCM_C */
|
---|
1059 | #if defined(MBEDTLS_CCM_C)
|
---|
1060 | if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
|
---|
1061 | {
|
---|
1062 | *olen = ilen;
|
---|
1063 | return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
|
---|
1064 | iv, iv_len, ad, ad_len, input, output,
|
---|
1065 | tag, tag_len ) );
|
---|
1066 | }
|
---|
1067 | #endif /* MBEDTLS_CCM_C */
|
---|
1068 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
1069 | if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
|
---|
1070 | {
|
---|
1071 | /* ChachaPoly has fixed length nonce and MAC (tag) */
|
---|
1072 | if ( ( iv_len != ctx->cipher_info->iv_size ) ||
|
---|
1073 | ( tag_len != 16U ) )
|
---|
1074 | {
|
---|
1075 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
1076 | }
|
---|
1077 |
|
---|
1078 | *olen = ilen;
|
---|
1079 | return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
|
---|
1080 | ilen, iv, ad, ad_len, input, output, tag ) );
|
---|
1081 | }
|
---|
1082 | #endif /* MBEDTLS_CHACHAPOLY_C */
|
---|
1083 |
|
---|
1084 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
1085 | }
|
---|
1086 |
|
---|
1087 | /*
|
---|
1088 | * Packet-oriented decryption for AEAD modes
|
---|
1089 | */
|
---|
1090 | int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
|
---|
1091 | const unsigned char *iv, size_t iv_len,
|
---|
1092 | const unsigned char *ad, size_t ad_len,
|
---|
1093 | const unsigned char *input, size_t ilen,
|
---|
1094 | unsigned char *output, size_t *olen,
|
---|
1095 | const unsigned char *tag, size_t tag_len )
|
---|
1096 | {
|
---|
1097 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
1098 | CIPHER_VALIDATE_RET( iv != NULL );
|
---|
1099 | CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
|
---|
1100 | CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
|
---|
1101 | CIPHER_VALIDATE_RET( output != NULL );
|
---|
1102 | CIPHER_VALIDATE_RET( olen != NULL );
|
---|
1103 | CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
|
---|
1104 |
|
---|
1105 | #if defined(MBEDTLS_GCM_C)
|
---|
1106 | if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
|
---|
1107 | {
|
---|
1108 | int ret;
|
---|
1109 |
|
---|
1110 | *olen = ilen;
|
---|
1111 | ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
|
---|
1112 | iv, iv_len, ad, ad_len,
|
---|
1113 | tag, tag_len, input, output );
|
---|
1114 |
|
---|
1115 | if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
|
---|
1116 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
---|
1117 |
|
---|
1118 | return( ret );
|
---|
1119 | }
|
---|
1120 | #endif /* MBEDTLS_GCM_C */
|
---|
1121 | #if defined(MBEDTLS_CCM_C)
|
---|
1122 | if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
|
---|
1123 | {
|
---|
1124 | int ret;
|
---|
1125 |
|
---|
1126 | *olen = ilen;
|
---|
1127 | ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
|
---|
1128 | iv, iv_len, ad, ad_len,
|
---|
1129 | input, output, tag, tag_len );
|
---|
1130 |
|
---|
1131 | if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
|
---|
1132 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
---|
1133 |
|
---|
1134 | return( ret );
|
---|
1135 | }
|
---|
1136 | #endif /* MBEDTLS_CCM_C */
|
---|
1137 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
1138 | if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
|
---|
1139 | {
|
---|
1140 | int ret;
|
---|
1141 |
|
---|
1142 | /* ChachaPoly has fixed length nonce and MAC (tag) */
|
---|
1143 | if ( ( iv_len != ctx->cipher_info->iv_size ) ||
|
---|
1144 | ( tag_len != 16U ) )
|
---|
1145 | {
|
---|
1146 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
1147 | }
|
---|
1148 |
|
---|
1149 | *olen = ilen;
|
---|
1150 | ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
|
---|
1151 | iv, ad, ad_len, tag, input, output );
|
---|
1152 |
|
---|
1153 | if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
|
---|
1154 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
---|
1155 |
|
---|
1156 | return( ret );
|
---|
1157 | }
|
---|
1158 | #endif /* MBEDTLS_CHACHAPOLY_C */
|
---|
1159 |
|
---|
1160 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
1161 | }
|
---|
1162 | #endif /* MBEDTLS_CIPHER_MODE_AEAD */
|
---|
1163 |
|
---|
1164 | #endif /* MBEDTLS_CIPHER_C */
|
---|