[398] | 1 | /**
|
---|
| 2 | * \file cipher.c
|
---|
| 3 | *
|
---|
| 4 | * \brief Generic cipher wrapper for mbed TLS
|
---|
| 5 | *
|
---|
| 6 | * \author Adriaan de Jong <dejong@fox-it.com>
|
---|
| 7 | *
|
---|
| 8 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
---|
| 9 | * SPDX-License-Identifier: Apache-2.0
|
---|
| 10 | *
|
---|
| 11 | * Licensed under the Apache License, Version 2.0 (the "License"); you may
|
---|
| 12 | * not use this file except in compliance with the License.
|
---|
| 13 | * You may obtain a copy of the License at
|
---|
| 14 | *
|
---|
| 15 | * http://www.apache.org/licenses/LICENSE-2.0
|
---|
| 16 | *
|
---|
| 17 | * Unless required by applicable law or agreed to in writing, software
|
---|
| 18 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
---|
| 19 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
---|
| 20 | * See the License for the specific language governing permissions and
|
---|
| 21 | * limitations under the License.
|
---|
| 22 | *
|
---|
| 23 | * This file is part of mbed TLS (https://tls.mbed.org)
|
---|
| 24 | */
|
---|
| 25 |
|
---|
| 26 | #if !defined(MBEDTLS_CONFIG_FILE)
|
---|
| 27 | #include "mbedtls/config.h"
|
---|
| 28 | #else
|
---|
| 29 | #include MBEDTLS_CONFIG_FILE
|
---|
| 30 | #endif
|
---|
| 31 |
|
---|
| 32 | #if defined(MBEDTLS_CIPHER_C)
|
---|
| 33 |
|
---|
| 34 | #include "mbedtls/cipher.h"
|
---|
| 35 | #include "mbedtls/cipher_internal.h"
|
---|
| 36 | #include "mbedtls/platform_util.h"
|
---|
| 37 |
|
---|
| 38 | #include <stdlib.h>
|
---|
| 39 | #include <string.h>
|
---|
| 40 |
|
---|
| 41 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
| 42 | #include "mbedtls/chachapoly.h"
|
---|
| 43 | #endif
|
---|
| 44 |
|
---|
| 45 | #if defined(MBEDTLS_GCM_C)
|
---|
| 46 | #include "mbedtls/gcm.h"
|
---|
| 47 | #endif
|
---|
| 48 |
|
---|
| 49 | #if defined(MBEDTLS_CCM_C)
|
---|
| 50 | #include "mbedtls/ccm.h"
|
---|
| 51 | #endif
|
---|
| 52 |
|
---|
| 53 | #if defined(MBEDTLS_CHACHA20_C)
|
---|
| 54 | #include "mbedtls/chacha20.h"
|
---|
| 55 | #endif
|
---|
| 56 |
|
---|
| 57 | #if defined(MBEDTLS_CMAC_C)
|
---|
| 58 | #include "mbedtls/cmac.h"
|
---|
| 59 | #endif
|
---|
| 60 |
|
---|
| 61 | #if defined(MBEDTLS_PLATFORM_C)
|
---|
| 62 | #include "mbedtls/platform.h"
|
---|
| 63 | #else
|
---|
| 64 | #define mbedtls_calloc calloc
|
---|
| 65 | #define mbedtls_free free
|
---|
| 66 | #endif
|
---|
| 67 |
|
---|
| 68 | #define CIPHER_VALIDATE_RET( cond ) \
|
---|
| 69 | MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
|
---|
| 70 | #define CIPHER_VALIDATE( cond ) \
|
---|
| 71 | MBEDTLS_INTERNAL_VALIDATE( cond )
|
---|
| 72 |
|
---|
| 73 | #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
---|
| 74 | /* Compare the contents of two buffers in constant time.
|
---|
| 75 | * Returns 0 if the contents are bitwise identical, otherwise returns
|
---|
| 76 | * a non-zero value.
|
---|
| 77 | * This is currently only used by GCM and ChaCha20+Poly1305.
|
---|
| 78 | */
|
---|
| 79 | static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, size_t len )
|
---|
| 80 | {
|
---|
| 81 | const unsigned char *p1 = (const unsigned char*) v1;
|
---|
| 82 | const unsigned char *p2 = (const unsigned char*) v2;
|
---|
| 83 | size_t i;
|
---|
| 84 | unsigned char diff;
|
---|
| 85 |
|
---|
| 86 | for( diff = 0, i = 0; i < len; i++ )
|
---|
| 87 | diff |= p1[i] ^ p2[i];
|
---|
| 88 |
|
---|
| 89 | return( (int)diff );
|
---|
| 90 | }
|
---|
| 91 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
|
---|
| 92 |
|
---|
| 93 | static int supported_init = 0;
|
---|
| 94 |
|
---|
| 95 | const int *mbedtls_cipher_list( void )
|
---|
| 96 | {
|
---|
| 97 | const mbedtls_cipher_definition_t *def;
|
---|
| 98 | int *type;
|
---|
| 99 |
|
---|
| 100 | if( ! supported_init )
|
---|
| 101 | {
|
---|
| 102 | def = mbedtls_cipher_definitions;
|
---|
| 103 | type = mbedtls_cipher_supported;
|
---|
| 104 |
|
---|
| 105 | while( def->type != 0 )
|
---|
| 106 | *type++ = (*def++).type;
|
---|
| 107 |
|
---|
| 108 | *type = 0;
|
---|
| 109 |
|
---|
| 110 | supported_init = 1;
|
---|
| 111 | }
|
---|
| 112 |
|
---|
| 113 | return( mbedtls_cipher_supported );
|
---|
| 114 | }
|
---|
| 115 |
|
---|
| 116 | const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type )
|
---|
| 117 | {
|
---|
| 118 | const mbedtls_cipher_definition_t *def;
|
---|
| 119 |
|
---|
| 120 | for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
|
---|
| 121 | if( def->type == cipher_type )
|
---|
| 122 | return( def->info );
|
---|
| 123 |
|
---|
| 124 | return( NULL );
|
---|
| 125 | }
|
---|
| 126 |
|
---|
| 127 | const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name )
|
---|
| 128 | {
|
---|
| 129 | const mbedtls_cipher_definition_t *def;
|
---|
| 130 |
|
---|
| 131 | if( NULL == cipher_name )
|
---|
| 132 | return( NULL );
|
---|
| 133 |
|
---|
| 134 | for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
|
---|
| 135 | if( ! strcmp( def->info->name, cipher_name ) )
|
---|
| 136 | return( def->info );
|
---|
| 137 |
|
---|
| 138 | return( NULL );
|
---|
| 139 | }
|
---|
| 140 |
|
---|
| 141 | const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
|
---|
| 142 | int key_bitlen,
|
---|
| 143 | const mbedtls_cipher_mode_t mode )
|
---|
| 144 | {
|
---|
| 145 | const mbedtls_cipher_definition_t *def;
|
---|
| 146 |
|
---|
| 147 | for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
|
---|
| 148 | if( def->info->base->cipher == cipher_id &&
|
---|
| 149 | def->info->key_bitlen == (unsigned) key_bitlen &&
|
---|
| 150 | def->info->mode == mode )
|
---|
| 151 | return( def->info );
|
---|
| 152 |
|
---|
| 153 | return( NULL );
|
---|
| 154 | }
|
---|
| 155 |
|
---|
| 156 | void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
|
---|
| 157 | {
|
---|
| 158 | CIPHER_VALIDATE( ctx != NULL );
|
---|
| 159 | memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
|
---|
| 160 | }
|
---|
| 161 |
|
---|
| 162 | void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
|
---|
| 163 | {
|
---|
| 164 | if( ctx == NULL )
|
---|
| 165 | return;
|
---|
| 166 |
|
---|
| 167 | #if defined(MBEDTLS_CMAC_C)
|
---|
| 168 | if( ctx->cmac_ctx )
|
---|
| 169 | {
|
---|
| 170 | mbedtls_platform_zeroize( ctx->cmac_ctx,
|
---|
| 171 | sizeof( mbedtls_cmac_context_t ) );
|
---|
| 172 | mbedtls_free( ctx->cmac_ctx );
|
---|
| 173 | }
|
---|
| 174 | #endif
|
---|
| 175 |
|
---|
| 176 | if( ctx->cipher_ctx )
|
---|
| 177 | ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
|
---|
| 178 |
|
---|
| 179 | mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
|
---|
| 180 | }
|
---|
| 181 |
|
---|
| 182 | int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
|
---|
| 183 | {
|
---|
| 184 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 185 | if( cipher_info == NULL )
|
---|
| 186 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 187 |
|
---|
| 188 | memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
|
---|
| 189 |
|
---|
| 190 | if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
|
---|
| 191 | return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
|
---|
| 192 |
|
---|
| 193 | ctx->cipher_info = cipher_info;
|
---|
| 194 |
|
---|
| 195 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
---|
| 196 | /*
|
---|
| 197 | * Ignore possible errors caused by a cipher mode that doesn't use padding
|
---|
| 198 | */
|
---|
| 199 | #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
---|
| 200 | (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
|
---|
| 201 | #else
|
---|
| 202 | (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
|
---|
| 203 | #endif
|
---|
| 204 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
---|
| 205 |
|
---|
| 206 | return( 0 );
|
---|
| 207 | }
|
---|
| 208 |
|
---|
| 209 | int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
|
---|
| 210 | const unsigned char *key,
|
---|
| 211 | int key_bitlen,
|
---|
| 212 | const mbedtls_operation_t operation )
|
---|
| 213 | {
|
---|
| 214 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 215 | CIPHER_VALIDATE_RET( key != NULL );
|
---|
| 216 | CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
|
---|
| 217 | operation == MBEDTLS_DECRYPT );
|
---|
| 218 | if( ctx->cipher_info == NULL )
|
---|
| 219 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 220 |
|
---|
| 221 | if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
|
---|
| 222 | (int) ctx->cipher_info->key_bitlen != key_bitlen )
|
---|
| 223 | {
|
---|
| 224 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 225 | }
|
---|
| 226 |
|
---|
| 227 | ctx->key_bitlen = key_bitlen;
|
---|
| 228 | ctx->operation = operation;
|
---|
| 229 |
|
---|
| 230 | /*
|
---|
| 231 | * For OFB, CFB and CTR mode always use the encryption key schedule
|
---|
| 232 | */
|
---|
| 233 | if( MBEDTLS_ENCRYPT == operation ||
|
---|
| 234 | MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
|
---|
| 235 | MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
|
---|
| 236 | MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
|
---|
| 237 | {
|
---|
| 238 | return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
|
---|
| 239 | ctx->key_bitlen ) );
|
---|
| 240 | }
|
---|
| 241 |
|
---|
| 242 | if( MBEDTLS_DECRYPT == operation )
|
---|
| 243 | return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
|
---|
| 244 | ctx->key_bitlen ) );
|
---|
| 245 |
|
---|
| 246 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 247 | }
|
---|
| 248 |
|
---|
| 249 | int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
|
---|
| 250 | const unsigned char *iv,
|
---|
| 251 | size_t iv_len )
|
---|
| 252 | {
|
---|
| 253 | size_t actual_iv_size;
|
---|
| 254 |
|
---|
| 255 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 256 | CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
|
---|
| 257 | if( ctx->cipher_info == NULL )
|
---|
| 258 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 259 |
|
---|
| 260 | /* avoid buffer overflow in ctx->iv */
|
---|
| 261 | if( iv_len > MBEDTLS_MAX_IV_LENGTH )
|
---|
| 262 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
| 263 |
|
---|
| 264 | if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
|
---|
| 265 | actual_iv_size = iv_len;
|
---|
| 266 | else
|
---|
| 267 | {
|
---|
| 268 | actual_iv_size = ctx->cipher_info->iv_size;
|
---|
| 269 |
|
---|
| 270 | /* avoid reading past the end of input buffer */
|
---|
| 271 | if( actual_iv_size > iv_len )
|
---|
| 272 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 273 | }
|
---|
| 274 |
|
---|
| 275 | #if defined(MBEDTLS_CHACHA20_C)
|
---|
| 276 | if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
|
---|
| 277 | {
|
---|
| 278 | if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
|
---|
| 279 | iv,
|
---|
| 280 | 0U ) ) /* Initial counter value */
|
---|
| 281 | {
|
---|
| 282 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 283 | }
|
---|
| 284 | }
|
---|
| 285 | #endif
|
---|
| 286 |
|
---|
| 287 | if ( actual_iv_size != 0 )
|
---|
| 288 | {
|
---|
| 289 | memcpy( ctx->iv, iv, actual_iv_size );
|
---|
| 290 | ctx->iv_size = actual_iv_size;
|
---|
| 291 | }
|
---|
| 292 |
|
---|
| 293 | return( 0 );
|
---|
| 294 | }
|
---|
| 295 |
|
---|
| 296 | int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
|
---|
| 297 | {
|
---|
| 298 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 299 | if( ctx->cipher_info == NULL )
|
---|
| 300 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 301 |
|
---|
| 302 | ctx->unprocessed_len = 0;
|
---|
| 303 |
|
---|
| 304 | return( 0 );
|
---|
| 305 | }
|
---|
| 306 |
|
---|
| 307 | #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
---|
| 308 | int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
|
---|
| 309 | const unsigned char *ad, size_t ad_len )
|
---|
| 310 | {
|
---|
| 311 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 312 | CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
|
---|
| 313 | if( ctx->cipher_info == NULL )
|
---|
| 314 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 315 |
|
---|
| 316 | #if defined(MBEDTLS_GCM_C)
|
---|
| 317 | if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
|
---|
| 318 | {
|
---|
| 319 | return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
|
---|
| 320 | ctx->iv, ctx->iv_size, ad, ad_len ) );
|
---|
| 321 | }
|
---|
| 322 | #endif
|
---|
| 323 |
|
---|
| 324 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
| 325 | if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
|
---|
| 326 | {
|
---|
| 327 | int result;
|
---|
| 328 | mbedtls_chachapoly_mode_t mode;
|
---|
| 329 |
|
---|
| 330 | mode = ( ctx->operation == MBEDTLS_ENCRYPT )
|
---|
| 331 | ? MBEDTLS_CHACHAPOLY_ENCRYPT
|
---|
| 332 | : MBEDTLS_CHACHAPOLY_DECRYPT;
|
---|
| 333 |
|
---|
| 334 | result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
|
---|
| 335 | ctx->iv,
|
---|
| 336 | mode );
|
---|
| 337 | if ( result != 0 )
|
---|
| 338 | return( result );
|
---|
| 339 |
|
---|
| 340 | return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
|
---|
| 341 | ad, ad_len ) );
|
---|
| 342 | }
|
---|
| 343 | #endif
|
---|
| 344 |
|
---|
| 345 | return( 0 );
|
---|
| 346 | }
|
---|
| 347 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
|
---|
| 348 |
|
---|
| 349 | int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
|
---|
| 350 | size_t ilen, unsigned char *output, size_t *olen )
|
---|
| 351 | {
|
---|
| 352 | int ret;
|
---|
| 353 | size_t block_size;
|
---|
| 354 |
|
---|
| 355 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 356 | CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
|
---|
| 357 | CIPHER_VALIDATE_RET( output != NULL );
|
---|
| 358 | CIPHER_VALIDATE_RET( olen != NULL );
|
---|
| 359 | if( ctx->cipher_info == NULL )
|
---|
| 360 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 361 |
|
---|
| 362 | *olen = 0;
|
---|
| 363 | block_size = mbedtls_cipher_get_block_size( ctx );
|
---|
| 364 |
|
---|
| 365 | if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
|
---|
| 366 | {
|
---|
| 367 | if( ilen != block_size )
|
---|
| 368 | return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
|
---|
| 369 |
|
---|
| 370 | *olen = ilen;
|
---|
| 371 |
|
---|
| 372 | if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
|
---|
| 373 | ctx->operation, input, output ) ) )
|
---|
| 374 | {
|
---|
| 375 | return( ret );
|
---|
| 376 | }
|
---|
| 377 |
|
---|
| 378 | return( 0 );
|
---|
| 379 | }
|
---|
| 380 |
|
---|
| 381 | #if defined(MBEDTLS_GCM_C)
|
---|
| 382 | if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
|
---|
| 383 | {
|
---|
| 384 | *olen = ilen;
|
---|
| 385 | return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
|
---|
| 386 | output ) );
|
---|
| 387 | }
|
---|
| 388 | #endif
|
---|
| 389 |
|
---|
| 390 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
| 391 | if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
|
---|
| 392 | {
|
---|
| 393 | *olen = ilen;
|
---|
| 394 | return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
|
---|
| 395 | ilen, input, output ) );
|
---|
| 396 | }
|
---|
| 397 | #endif
|
---|
| 398 |
|
---|
| 399 | if ( 0 == block_size )
|
---|
| 400 | {
|
---|
| 401 | return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
|
---|
| 402 | }
|
---|
| 403 |
|
---|
| 404 | if( input == output &&
|
---|
| 405 | ( ctx->unprocessed_len != 0 || ilen % block_size ) )
|
---|
| 406 | {
|
---|
| 407 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 408 | }
|
---|
| 409 |
|
---|
| 410 | #if defined(MBEDTLS_CIPHER_MODE_CBC)
|
---|
| 411 | if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
|
---|
| 412 | {
|
---|
| 413 | size_t copy_len = 0;
|
---|
| 414 |
|
---|
| 415 | /*
|
---|
| 416 | * If there is not enough data for a full block, cache it.
|
---|
| 417 | */
|
---|
| 418 | if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
|
---|
| 419 | ilen <= block_size - ctx->unprocessed_len ) ||
|
---|
| 420 | ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
|
---|
| 421 | ilen < block_size - ctx->unprocessed_len ) ||
|
---|
| 422 | ( ctx->operation == MBEDTLS_ENCRYPT &&
|
---|
| 423 | ilen < block_size - ctx->unprocessed_len ) )
|
---|
| 424 | {
|
---|
| 425 | memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
|
---|
| 426 | ilen );
|
---|
| 427 |
|
---|
| 428 | ctx->unprocessed_len += ilen;
|
---|
| 429 | return( 0 );
|
---|
| 430 | }
|
---|
| 431 |
|
---|
| 432 | /*
|
---|
| 433 | * Process cached data first
|
---|
| 434 | */
|
---|
| 435 | if( 0 != ctx->unprocessed_len )
|
---|
| 436 | {
|
---|
| 437 | copy_len = block_size - ctx->unprocessed_len;
|
---|
| 438 |
|
---|
| 439 | memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
|
---|
| 440 | copy_len );
|
---|
| 441 |
|
---|
| 442 | if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
|
---|
| 443 | ctx->operation, block_size, ctx->iv,
|
---|
| 444 | ctx->unprocessed_data, output ) ) )
|
---|
| 445 | {
|
---|
| 446 | return( ret );
|
---|
| 447 | }
|
---|
| 448 |
|
---|
| 449 | *olen += block_size;
|
---|
| 450 | output += block_size;
|
---|
| 451 | ctx->unprocessed_len = 0;
|
---|
| 452 |
|
---|
| 453 | input += copy_len;
|
---|
| 454 | ilen -= copy_len;
|
---|
| 455 | }
|
---|
| 456 |
|
---|
| 457 | /*
|
---|
| 458 | * Cache final, incomplete block
|
---|
| 459 | */
|
---|
| 460 | if( 0 != ilen )
|
---|
| 461 | {
|
---|
| 462 | if( 0 == block_size )
|
---|
| 463 | {
|
---|
| 464 | return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
|
---|
| 465 | }
|
---|
| 466 |
|
---|
| 467 | /* Encryption: only cache partial blocks
|
---|
| 468 | * Decryption w/ padding: always keep at least one whole block
|
---|
| 469 | * Decryption w/o padding: only cache partial blocks
|
---|
| 470 | */
|
---|
| 471 | copy_len = ilen % block_size;
|
---|
| 472 | if( copy_len == 0 &&
|
---|
| 473 | ctx->operation == MBEDTLS_DECRYPT &&
|
---|
| 474 | NULL != ctx->add_padding)
|
---|
| 475 | {
|
---|
| 476 | copy_len = block_size;
|
---|
| 477 | }
|
---|
| 478 |
|
---|
| 479 | memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
|
---|
| 480 | copy_len );
|
---|
| 481 |
|
---|
| 482 | ctx->unprocessed_len += copy_len;
|
---|
| 483 | ilen -= copy_len;
|
---|
| 484 | }
|
---|
| 485 |
|
---|
| 486 | /*
|
---|
| 487 | * Process remaining full blocks
|
---|
| 488 | */
|
---|
| 489 | if( ilen )
|
---|
| 490 | {
|
---|
| 491 | if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
|
---|
| 492 | ctx->operation, ilen, ctx->iv, input, output ) ) )
|
---|
| 493 | {
|
---|
| 494 | return( ret );
|
---|
| 495 | }
|
---|
| 496 |
|
---|
| 497 | *olen += ilen;
|
---|
| 498 | }
|
---|
| 499 |
|
---|
| 500 | return( 0 );
|
---|
| 501 | }
|
---|
| 502 | #endif /* MBEDTLS_CIPHER_MODE_CBC */
|
---|
| 503 |
|
---|
| 504 | #if defined(MBEDTLS_CIPHER_MODE_CFB)
|
---|
| 505 | if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
|
---|
| 506 | {
|
---|
| 507 | if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
|
---|
| 508 | ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
|
---|
| 509 | input, output ) ) )
|
---|
| 510 | {
|
---|
| 511 | return( ret );
|
---|
| 512 | }
|
---|
| 513 |
|
---|
| 514 | *olen = ilen;
|
---|
| 515 |
|
---|
| 516 | return( 0 );
|
---|
| 517 | }
|
---|
| 518 | #endif /* MBEDTLS_CIPHER_MODE_CFB */
|
---|
| 519 |
|
---|
| 520 | #if defined(MBEDTLS_CIPHER_MODE_OFB)
|
---|
| 521 | if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
|
---|
| 522 | {
|
---|
| 523 | if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
|
---|
| 524 | ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
|
---|
| 525 | {
|
---|
| 526 | return( ret );
|
---|
| 527 | }
|
---|
| 528 |
|
---|
| 529 | *olen = ilen;
|
---|
| 530 |
|
---|
| 531 | return( 0 );
|
---|
| 532 | }
|
---|
| 533 | #endif /* MBEDTLS_CIPHER_MODE_OFB */
|
---|
| 534 |
|
---|
| 535 | #if defined(MBEDTLS_CIPHER_MODE_CTR)
|
---|
| 536 | if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
|
---|
| 537 | {
|
---|
| 538 | if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
|
---|
| 539 | ilen, &ctx->unprocessed_len, ctx->iv,
|
---|
| 540 | ctx->unprocessed_data, input, output ) ) )
|
---|
| 541 | {
|
---|
| 542 | return( ret );
|
---|
| 543 | }
|
---|
| 544 |
|
---|
| 545 | *olen = ilen;
|
---|
| 546 |
|
---|
| 547 | return( 0 );
|
---|
| 548 | }
|
---|
| 549 | #endif /* MBEDTLS_CIPHER_MODE_CTR */
|
---|
| 550 |
|
---|
| 551 | #if defined(MBEDTLS_CIPHER_MODE_XTS)
|
---|
| 552 | if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
|
---|
| 553 | {
|
---|
| 554 | if( ctx->unprocessed_len > 0 ) {
|
---|
| 555 | /* We can only process an entire data unit at a time. */
|
---|
| 556 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
| 557 | }
|
---|
| 558 |
|
---|
| 559 | ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
|
---|
| 560 | ctx->operation, ilen, ctx->iv, input, output );
|
---|
| 561 | if( ret != 0 )
|
---|
| 562 | {
|
---|
| 563 | return( ret );
|
---|
| 564 | }
|
---|
| 565 |
|
---|
| 566 | *olen = ilen;
|
---|
| 567 |
|
---|
| 568 | return( 0 );
|
---|
| 569 | }
|
---|
| 570 | #endif /* MBEDTLS_CIPHER_MODE_XTS */
|
---|
| 571 |
|
---|
| 572 | #if defined(MBEDTLS_CIPHER_MODE_STREAM)
|
---|
| 573 | if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
|
---|
| 574 | {
|
---|
| 575 | if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
|
---|
| 576 | ilen, input, output ) ) )
|
---|
| 577 | {
|
---|
| 578 | return( ret );
|
---|
| 579 | }
|
---|
| 580 |
|
---|
| 581 | *olen = ilen;
|
---|
| 582 |
|
---|
| 583 | return( 0 );
|
---|
| 584 | }
|
---|
| 585 | #endif /* MBEDTLS_CIPHER_MODE_STREAM */
|
---|
| 586 |
|
---|
| 587 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
| 588 | }
|
---|
| 589 |
|
---|
| 590 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
---|
| 591 | #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
---|
| 592 | /*
|
---|
| 593 | * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
|
---|
| 594 | */
|
---|
| 595 | static void add_pkcs_padding( unsigned char *output, size_t output_len,
|
---|
| 596 | size_t data_len )
|
---|
| 597 | {
|
---|
| 598 | size_t padding_len = output_len - data_len;
|
---|
| 599 | unsigned char i;
|
---|
| 600 |
|
---|
| 601 | for( i = 0; i < padding_len; i++ )
|
---|
| 602 | output[data_len + i] = (unsigned char) padding_len;
|
---|
| 603 | }
|
---|
| 604 |
|
---|
| 605 | static int get_pkcs_padding( unsigned char *input, size_t input_len,
|
---|
| 606 | size_t *data_len )
|
---|
| 607 | {
|
---|
| 608 | size_t i, pad_idx;
|
---|
| 609 | unsigned char padding_len, bad = 0;
|
---|
| 610 |
|
---|
| 611 | if( NULL == input || NULL == data_len )
|
---|
| 612 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 613 |
|
---|
| 614 | padding_len = input[input_len - 1];
|
---|
| 615 | *data_len = input_len - padding_len;
|
---|
| 616 |
|
---|
| 617 | /* Avoid logical || since it results in a branch */
|
---|
| 618 | bad |= padding_len > input_len;
|
---|
| 619 | bad |= padding_len == 0;
|
---|
| 620 |
|
---|
| 621 | /* The number of bytes checked must be independent of padding_len,
|
---|
| 622 | * so pick input_len, which is usually 8 or 16 (one block) */
|
---|
| 623 | pad_idx = input_len - padding_len;
|
---|
| 624 | for( i = 0; i < input_len; i++ )
|
---|
| 625 | bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
|
---|
| 626 |
|
---|
| 627 | return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
|
---|
| 628 | }
|
---|
| 629 | #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
|
---|
| 630 |
|
---|
| 631 | #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
|
---|
| 632 | /*
|
---|
| 633 | * One and zeros padding: fill with 80 00 ... 00
|
---|
| 634 | */
|
---|
| 635 | static void add_one_and_zeros_padding( unsigned char *output,
|
---|
| 636 | size_t output_len, size_t data_len )
|
---|
| 637 | {
|
---|
| 638 | size_t padding_len = output_len - data_len;
|
---|
| 639 | unsigned char i = 0;
|
---|
| 640 |
|
---|
| 641 | output[data_len] = 0x80;
|
---|
| 642 | for( i = 1; i < padding_len; i++ )
|
---|
| 643 | output[data_len + i] = 0x00;
|
---|
| 644 | }
|
---|
| 645 |
|
---|
| 646 | static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
|
---|
| 647 | size_t *data_len )
|
---|
| 648 | {
|
---|
| 649 | size_t i;
|
---|
| 650 | unsigned char done = 0, prev_done, bad;
|
---|
| 651 |
|
---|
| 652 | if( NULL == input || NULL == data_len )
|
---|
| 653 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 654 |
|
---|
| 655 | bad = 0x80;
|
---|
| 656 | *data_len = 0;
|
---|
| 657 | for( i = input_len; i > 0; i-- )
|
---|
| 658 | {
|
---|
| 659 | prev_done = done;
|
---|
| 660 | done |= ( input[i - 1] != 0 );
|
---|
| 661 | *data_len |= ( i - 1 ) * ( done != prev_done );
|
---|
| 662 | bad ^= input[i - 1] * ( done != prev_done );
|
---|
| 663 | }
|
---|
| 664 |
|
---|
| 665 | return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
|
---|
| 666 |
|
---|
| 667 | }
|
---|
| 668 | #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
|
---|
| 669 |
|
---|
| 670 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
|
---|
| 671 | /*
|
---|
| 672 | * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
|
---|
| 673 | */
|
---|
| 674 | static void add_zeros_and_len_padding( unsigned char *output,
|
---|
| 675 | size_t output_len, size_t data_len )
|
---|
| 676 | {
|
---|
| 677 | size_t padding_len = output_len - data_len;
|
---|
| 678 | unsigned char i = 0;
|
---|
| 679 |
|
---|
| 680 | for( i = 1; i < padding_len; i++ )
|
---|
| 681 | output[data_len + i - 1] = 0x00;
|
---|
| 682 | output[output_len - 1] = (unsigned char) padding_len;
|
---|
| 683 | }
|
---|
| 684 |
|
---|
| 685 | static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
|
---|
| 686 | size_t *data_len )
|
---|
| 687 | {
|
---|
| 688 | size_t i, pad_idx;
|
---|
| 689 | unsigned char padding_len, bad = 0;
|
---|
| 690 |
|
---|
| 691 | if( NULL == input || NULL == data_len )
|
---|
| 692 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 693 |
|
---|
| 694 | padding_len = input[input_len - 1];
|
---|
| 695 | *data_len = input_len - padding_len;
|
---|
| 696 |
|
---|
| 697 | /* Avoid logical || since it results in a branch */
|
---|
| 698 | bad |= padding_len > input_len;
|
---|
| 699 | bad |= padding_len == 0;
|
---|
| 700 |
|
---|
| 701 | /* The number of bytes checked must be independent of padding_len */
|
---|
| 702 | pad_idx = input_len - padding_len;
|
---|
| 703 | for( i = 0; i < input_len - 1; i++ )
|
---|
| 704 | bad |= input[i] * ( i >= pad_idx );
|
---|
| 705 |
|
---|
| 706 | return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
|
---|
| 707 | }
|
---|
| 708 | #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
|
---|
| 709 |
|
---|
| 710 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
|
---|
| 711 | /*
|
---|
| 712 | * Zero padding: fill with 00 ... 00
|
---|
| 713 | */
|
---|
| 714 | static void add_zeros_padding( unsigned char *output,
|
---|
| 715 | size_t output_len, size_t data_len )
|
---|
| 716 | {
|
---|
| 717 | size_t i;
|
---|
| 718 |
|
---|
| 719 | for( i = data_len; i < output_len; i++ )
|
---|
| 720 | output[i] = 0x00;
|
---|
| 721 | }
|
---|
| 722 |
|
---|
| 723 | static int get_zeros_padding( unsigned char *input, size_t input_len,
|
---|
| 724 | size_t *data_len )
|
---|
| 725 | {
|
---|
| 726 | size_t i;
|
---|
| 727 | unsigned char done = 0, prev_done;
|
---|
| 728 |
|
---|
| 729 | if( NULL == input || NULL == data_len )
|
---|
| 730 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 731 |
|
---|
| 732 | *data_len = 0;
|
---|
| 733 | for( i = input_len; i > 0; i-- )
|
---|
| 734 | {
|
---|
| 735 | prev_done = done;
|
---|
| 736 | done |= ( input[i-1] != 0 );
|
---|
| 737 | *data_len |= i * ( done != prev_done );
|
---|
| 738 | }
|
---|
| 739 |
|
---|
| 740 | return( 0 );
|
---|
| 741 | }
|
---|
| 742 | #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
|
---|
| 743 |
|
---|
| 744 | /*
|
---|
| 745 | * No padding: don't pad :)
|
---|
| 746 | *
|
---|
| 747 | * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
|
---|
| 748 | * but a trivial get_padding function
|
---|
| 749 | */
|
---|
| 750 | static int get_no_padding( unsigned char *input, size_t input_len,
|
---|
| 751 | size_t *data_len )
|
---|
| 752 | {
|
---|
| 753 | if( NULL == input || NULL == data_len )
|
---|
| 754 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 755 |
|
---|
| 756 | *data_len = input_len;
|
---|
| 757 |
|
---|
| 758 | return( 0 );
|
---|
| 759 | }
|
---|
| 760 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
---|
| 761 |
|
---|
| 762 | int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
|
---|
| 763 | unsigned char *output, size_t *olen )
|
---|
| 764 | {
|
---|
| 765 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 766 | CIPHER_VALIDATE_RET( output != NULL );
|
---|
| 767 | CIPHER_VALIDATE_RET( olen != NULL );
|
---|
| 768 | if( ctx->cipher_info == NULL )
|
---|
| 769 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 770 |
|
---|
| 771 | *olen = 0;
|
---|
| 772 |
|
---|
| 773 | if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
|
---|
| 774 | MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
|
---|
| 775 | MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
|
---|
| 776 | MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
|
---|
| 777 | MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
|
---|
| 778 | MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
|
---|
| 779 | {
|
---|
| 780 | return( 0 );
|
---|
| 781 | }
|
---|
| 782 |
|
---|
| 783 | if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
|
---|
| 784 | ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
|
---|
| 785 | {
|
---|
| 786 | return( 0 );
|
---|
| 787 | }
|
---|
| 788 |
|
---|
| 789 | if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
|
---|
| 790 | {
|
---|
| 791 | if( ctx->unprocessed_len != 0 )
|
---|
| 792 | return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
|
---|
| 793 |
|
---|
| 794 | return( 0 );
|
---|
| 795 | }
|
---|
| 796 |
|
---|
| 797 | #if defined(MBEDTLS_CIPHER_MODE_CBC)
|
---|
| 798 | if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
|
---|
| 799 | {
|
---|
| 800 | int ret = 0;
|
---|
| 801 |
|
---|
| 802 | if( MBEDTLS_ENCRYPT == ctx->operation )
|
---|
| 803 | {
|
---|
| 804 | /* check for 'no padding' mode */
|
---|
| 805 | if( NULL == ctx->add_padding )
|
---|
| 806 | {
|
---|
| 807 | if( 0 != ctx->unprocessed_len )
|
---|
| 808 | return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
|
---|
| 809 |
|
---|
| 810 | return( 0 );
|
---|
| 811 | }
|
---|
| 812 |
|
---|
| 813 | ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
|
---|
| 814 | ctx->unprocessed_len );
|
---|
| 815 | }
|
---|
| 816 | else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
|
---|
| 817 | {
|
---|
| 818 | /*
|
---|
| 819 | * For decrypt operations, expect a full block,
|
---|
| 820 | * or an empty block if no padding
|
---|
| 821 | */
|
---|
| 822 | if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
|
---|
| 823 | return( 0 );
|
---|
| 824 |
|
---|
| 825 | return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
|
---|
| 826 | }
|
---|
| 827 |
|
---|
| 828 | /* cipher block */
|
---|
| 829 | if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
|
---|
| 830 | ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
|
---|
| 831 | ctx->unprocessed_data, output ) ) )
|
---|
| 832 | {
|
---|
| 833 | return( ret );
|
---|
| 834 | }
|
---|
| 835 |
|
---|
| 836 | /* Set output size for decryption */
|
---|
| 837 | if( MBEDTLS_DECRYPT == ctx->operation )
|
---|
| 838 | return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
|
---|
| 839 | olen ) );
|
---|
| 840 |
|
---|
| 841 | /* Set output size for encryption */
|
---|
| 842 | *olen = mbedtls_cipher_get_block_size( ctx );
|
---|
| 843 | return( 0 );
|
---|
| 844 | }
|
---|
| 845 | #else
|
---|
| 846 | ((void) output);
|
---|
| 847 | #endif /* MBEDTLS_CIPHER_MODE_CBC */
|
---|
| 848 |
|
---|
| 849 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
| 850 | }
|
---|
| 851 |
|
---|
| 852 | #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
---|
| 853 | int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
|
---|
| 854 | mbedtls_cipher_padding_t mode )
|
---|
| 855 | {
|
---|
| 856 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 857 |
|
---|
| 858 | if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
|
---|
| 859 | {
|
---|
| 860 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 861 | }
|
---|
| 862 |
|
---|
| 863 | switch( mode )
|
---|
| 864 | {
|
---|
| 865 | #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
---|
| 866 | case MBEDTLS_PADDING_PKCS7:
|
---|
| 867 | ctx->add_padding = add_pkcs_padding;
|
---|
| 868 | ctx->get_padding = get_pkcs_padding;
|
---|
| 869 | break;
|
---|
| 870 | #endif
|
---|
| 871 | #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
|
---|
| 872 | case MBEDTLS_PADDING_ONE_AND_ZEROS:
|
---|
| 873 | ctx->add_padding = add_one_and_zeros_padding;
|
---|
| 874 | ctx->get_padding = get_one_and_zeros_padding;
|
---|
| 875 | break;
|
---|
| 876 | #endif
|
---|
| 877 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
|
---|
| 878 | case MBEDTLS_PADDING_ZEROS_AND_LEN:
|
---|
| 879 | ctx->add_padding = add_zeros_and_len_padding;
|
---|
| 880 | ctx->get_padding = get_zeros_and_len_padding;
|
---|
| 881 | break;
|
---|
| 882 | #endif
|
---|
| 883 | #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
|
---|
| 884 | case MBEDTLS_PADDING_ZEROS:
|
---|
| 885 | ctx->add_padding = add_zeros_padding;
|
---|
| 886 | ctx->get_padding = get_zeros_padding;
|
---|
| 887 | break;
|
---|
| 888 | #endif
|
---|
| 889 | case MBEDTLS_PADDING_NONE:
|
---|
| 890 | ctx->add_padding = NULL;
|
---|
| 891 | ctx->get_padding = get_no_padding;
|
---|
| 892 | break;
|
---|
| 893 |
|
---|
| 894 | default:
|
---|
| 895 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
| 896 | }
|
---|
| 897 |
|
---|
| 898 | return( 0 );
|
---|
| 899 | }
|
---|
| 900 | #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
---|
| 901 |
|
---|
| 902 | #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
|
---|
| 903 | int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
|
---|
| 904 | unsigned char *tag, size_t tag_len )
|
---|
| 905 | {
|
---|
| 906 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 907 | CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
|
---|
| 908 | if( ctx->cipher_info == NULL )
|
---|
| 909 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 910 |
|
---|
| 911 | if( MBEDTLS_ENCRYPT != ctx->operation )
|
---|
| 912 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 913 |
|
---|
| 914 | #if defined(MBEDTLS_GCM_C)
|
---|
| 915 | if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
|
---|
| 916 | return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
|
---|
| 917 | tag, tag_len ) );
|
---|
| 918 | #endif
|
---|
| 919 |
|
---|
| 920 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
| 921 | if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
|
---|
| 922 | {
|
---|
| 923 | /* Don't allow truncated MAC for Poly1305 */
|
---|
| 924 | if ( tag_len != 16U )
|
---|
| 925 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 926 |
|
---|
| 927 | return( mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
|
---|
| 928 | tag ) );
|
---|
| 929 | }
|
---|
| 930 | #endif
|
---|
| 931 |
|
---|
| 932 | return( 0 );
|
---|
| 933 | }
|
---|
| 934 |
|
---|
| 935 | int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
|
---|
| 936 | const unsigned char *tag, size_t tag_len )
|
---|
| 937 | {
|
---|
| 938 | unsigned char check_tag[16];
|
---|
| 939 | int ret;
|
---|
| 940 |
|
---|
| 941 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 942 | CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
|
---|
| 943 | if( ctx->cipher_info == NULL )
|
---|
| 944 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 945 |
|
---|
| 946 | if( MBEDTLS_DECRYPT != ctx->operation )
|
---|
| 947 | {
|
---|
| 948 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 949 | }
|
---|
| 950 |
|
---|
| 951 | #if defined(MBEDTLS_GCM_C)
|
---|
| 952 | if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
|
---|
| 953 | {
|
---|
| 954 | if( tag_len > sizeof( check_tag ) )
|
---|
| 955 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 956 |
|
---|
| 957 | if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
|
---|
| 958 | check_tag, tag_len ) ) )
|
---|
| 959 | {
|
---|
| 960 | return( ret );
|
---|
| 961 | }
|
---|
| 962 |
|
---|
| 963 | /* Check the tag in "constant-time" */
|
---|
| 964 | if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
|
---|
| 965 | return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
|
---|
| 966 |
|
---|
| 967 | return( 0 );
|
---|
| 968 | }
|
---|
| 969 | #endif /* MBEDTLS_GCM_C */
|
---|
| 970 |
|
---|
| 971 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
| 972 | if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
|
---|
| 973 | {
|
---|
| 974 | /* Don't allow truncated MAC for Poly1305 */
|
---|
| 975 | if ( tag_len != sizeof( check_tag ) )
|
---|
| 976 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 977 |
|
---|
| 978 | ret = mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
|
---|
| 979 | check_tag );
|
---|
| 980 | if ( ret != 0 )
|
---|
| 981 | {
|
---|
| 982 | return( ret );
|
---|
| 983 | }
|
---|
| 984 |
|
---|
| 985 | /* Check the tag in "constant-time" */
|
---|
| 986 | if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
|
---|
| 987 | return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
|
---|
| 988 |
|
---|
| 989 | return( 0 );
|
---|
| 990 | }
|
---|
| 991 | #endif /* MBEDTLS_CHACHAPOLY_C */
|
---|
| 992 |
|
---|
| 993 | return( 0 );
|
---|
| 994 | }
|
---|
| 995 | #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
|
---|
| 996 |
|
---|
| 997 | /*
|
---|
| 998 | * Packet-oriented wrapper for non-AEAD modes
|
---|
| 999 | */
|
---|
| 1000 | int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
|
---|
| 1001 | const unsigned char *iv, size_t iv_len,
|
---|
| 1002 | const unsigned char *input, size_t ilen,
|
---|
| 1003 | unsigned char *output, size_t *olen )
|
---|
| 1004 | {
|
---|
| 1005 | int ret;
|
---|
| 1006 | size_t finish_olen;
|
---|
| 1007 |
|
---|
| 1008 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 1009 | CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
|
---|
| 1010 | CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
|
---|
| 1011 | CIPHER_VALIDATE_RET( output != NULL );
|
---|
| 1012 | CIPHER_VALIDATE_RET( olen != NULL );
|
---|
| 1013 |
|
---|
| 1014 | if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
|
---|
| 1015 | return( ret );
|
---|
| 1016 |
|
---|
| 1017 | if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
|
---|
| 1018 | return( ret );
|
---|
| 1019 |
|
---|
| 1020 | if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
|
---|
| 1021 | return( ret );
|
---|
| 1022 |
|
---|
| 1023 | if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
|
---|
| 1024 | return( ret );
|
---|
| 1025 |
|
---|
| 1026 | *olen += finish_olen;
|
---|
| 1027 |
|
---|
| 1028 | return( 0 );
|
---|
| 1029 | }
|
---|
| 1030 |
|
---|
| 1031 | #if defined(MBEDTLS_CIPHER_MODE_AEAD)
|
---|
| 1032 | /*
|
---|
| 1033 | * Packet-oriented encryption for AEAD modes
|
---|
| 1034 | */
|
---|
| 1035 | int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
|
---|
| 1036 | const unsigned char *iv, size_t iv_len,
|
---|
| 1037 | const unsigned char *ad, size_t ad_len,
|
---|
| 1038 | const unsigned char *input, size_t ilen,
|
---|
| 1039 | unsigned char *output, size_t *olen,
|
---|
| 1040 | unsigned char *tag, size_t tag_len )
|
---|
| 1041 | {
|
---|
| 1042 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 1043 | CIPHER_VALIDATE_RET( iv != NULL );
|
---|
| 1044 | CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
|
---|
| 1045 | CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
|
---|
| 1046 | CIPHER_VALIDATE_RET( output != NULL );
|
---|
| 1047 | CIPHER_VALIDATE_RET( olen != NULL );
|
---|
| 1048 | CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
|
---|
| 1049 |
|
---|
| 1050 | #if defined(MBEDTLS_GCM_C)
|
---|
| 1051 | if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
|
---|
| 1052 | {
|
---|
| 1053 | *olen = ilen;
|
---|
| 1054 | return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
|
---|
| 1055 | iv, iv_len, ad, ad_len, input, output,
|
---|
| 1056 | tag_len, tag ) );
|
---|
| 1057 | }
|
---|
| 1058 | #endif /* MBEDTLS_GCM_C */
|
---|
| 1059 | #if defined(MBEDTLS_CCM_C)
|
---|
| 1060 | if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
|
---|
| 1061 | {
|
---|
| 1062 | *olen = ilen;
|
---|
| 1063 | return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
|
---|
| 1064 | iv, iv_len, ad, ad_len, input, output,
|
---|
| 1065 | tag, tag_len ) );
|
---|
| 1066 | }
|
---|
| 1067 | #endif /* MBEDTLS_CCM_C */
|
---|
| 1068 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
| 1069 | if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
|
---|
| 1070 | {
|
---|
| 1071 | /* ChachaPoly has fixed length nonce and MAC (tag) */
|
---|
| 1072 | if ( ( iv_len != ctx->cipher_info->iv_size ) ||
|
---|
| 1073 | ( tag_len != 16U ) )
|
---|
| 1074 | {
|
---|
| 1075 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 1076 | }
|
---|
| 1077 |
|
---|
| 1078 | *olen = ilen;
|
---|
| 1079 | return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
|
---|
| 1080 | ilen, iv, ad, ad_len, input, output, tag ) );
|
---|
| 1081 | }
|
---|
| 1082 | #endif /* MBEDTLS_CHACHAPOLY_C */
|
---|
| 1083 |
|
---|
| 1084 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
| 1085 | }
|
---|
| 1086 |
|
---|
| 1087 | /*
|
---|
| 1088 | * Packet-oriented decryption for AEAD modes
|
---|
| 1089 | */
|
---|
| 1090 | int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
|
---|
| 1091 | const unsigned char *iv, size_t iv_len,
|
---|
| 1092 | const unsigned char *ad, size_t ad_len,
|
---|
| 1093 | const unsigned char *input, size_t ilen,
|
---|
| 1094 | unsigned char *output, size_t *olen,
|
---|
| 1095 | const unsigned char *tag, size_t tag_len )
|
---|
| 1096 | {
|
---|
| 1097 | CIPHER_VALIDATE_RET( ctx != NULL );
|
---|
| 1098 | CIPHER_VALIDATE_RET( iv != NULL );
|
---|
| 1099 | CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
|
---|
| 1100 | CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
|
---|
| 1101 | CIPHER_VALIDATE_RET( output != NULL );
|
---|
| 1102 | CIPHER_VALIDATE_RET( olen != NULL );
|
---|
| 1103 | CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
|
---|
| 1104 |
|
---|
| 1105 | #if defined(MBEDTLS_GCM_C)
|
---|
| 1106 | if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
|
---|
| 1107 | {
|
---|
| 1108 | int ret;
|
---|
| 1109 |
|
---|
| 1110 | *olen = ilen;
|
---|
| 1111 | ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
|
---|
| 1112 | iv, iv_len, ad, ad_len,
|
---|
| 1113 | tag, tag_len, input, output );
|
---|
| 1114 |
|
---|
| 1115 | if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
|
---|
| 1116 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
---|
| 1117 |
|
---|
| 1118 | return( ret );
|
---|
| 1119 | }
|
---|
| 1120 | #endif /* MBEDTLS_GCM_C */
|
---|
| 1121 | #if defined(MBEDTLS_CCM_C)
|
---|
| 1122 | if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
|
---|
| 1123 | {
|
---|
| 1124 | int ret;
|
---|
| 1125 |
|
---|
| 1126 | *olen = ilen;
|
---|
| 1127 | ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
|
---|
| 1128 | iv, iv_len, ad, ad_len,
|
---|
| 1129 | input, output, tag, tag_len );
|
---|
| 1130 |
|
---|
| 1131 | if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
|
---|
| 1132 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
---|
| 1133 |
|
---|
| 1134 | return( ret );
|
---|
| 1135 | }
|
---|
| 1136 | #endif /* MBEDTLS_CCM_C */
|
---|
| 1137 | #if defined(MBEDTLS_CHACHAPOLY_C)
|
---|
| 1138 | if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
|
---|
| 1139 | {
|
---|
| 1140 | int ret;
|
---|
| 1141 |
|
---|
| 1142 | /* ChachaPoly has fixed length nonce and MAC (tag) */
|
---|
| 1143 | if ( ( iv_len != ctx->cipher_info->iv_size ) ||
|
---|
| 1144 | ( tag_len != 16U ) )
|
---|
| 1145 | {
|
---|
| 1146 | return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
---|
| 1147 | }
|
---|
| 1148 |
|
---|
| 1149 | *olen = ilen;
|
---|
| 1150 | ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
|
---|
| 1151 | iv, ad, ad_len, tag, input, output );
|
---|
| 1152 |
|
---|
| 1153 | if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
|
---|
| 1154 | ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
---|
| 1155 |
|
---|
| 1156 | return( ret );
|
---|
| 1157 | }
|
---|
| 1158 | #endif /* MBEDTLS_CHACHAPOLY_C */
|
---|
| 1159 |
|
---|
| 1160 | return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
---|
| 1161 | }
|
---|
| 1162 | #endif /* MBEDTLS_CIPHER_MODE_AEAD */
|
---|
| 1163 |
|
---|
| 1164 | #endif /* MBEDTLS_CIPHER_C */
|
---|