NCBI C++ ToolKit
cipher.c
Go to the documentation of this file.

Go to the SVN repository for this file.

1 /**
2  * \file cipher.c
3  *
4  * \brief Generic cipher wrapper for mbed TLS
5  *
6  * \author Adriaan de Jong <dejong@fox-it.com>
7  *
8  * Copyright The Mbed TLS Contributors
9  * SPDX-License-Identifier: Apache-2.0
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License"); you may
12  * not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 
24 #include "common.h"
25 
26 #if defined(MBEDTLS_CIPHER_C)
27 
28 #include "mbedtls/cipher.h"
29 #include "mbedtls/cipher_internal.h"
30 #include "mbedtls/platform_util.h"
31 #include "mbedtls/error.h"
32 #include "mbedtls/constant_time.h"
33 
34 #include <stdlib.h>
35 #include <string.h>
36 
37 #if defined(MBEDTLS_CHACHAPOLY_C)
38 #include "mbedtls/chachapoly.h"
39 #endif
40 
41 #if defined(MBEDTLS_GCM_C)
42 #include "mbedtls/gcm.h"
43 #endif
44 
45 #if defined(MBEDTLS_CCM_C)
46 #include "mbedtls/ccm.h"
47 #endif
48 
49 #if defined(MBEDTLS_CHACHA20_C)
50 #include "mbedtls/chacha20.h"
51 #endif
52 
53 #if defined(MBEDTLS_CMAC_C)
54 #include "mbedtls/cmac.h"
55 #endif
56 
57 #if defined(MBEDTLS_USE_PSA_CRYPTO)
58 #include "psa/crypto.h"
59 #include "mbedtls/psa_util.h"
60 #endif /* MBEDTLS_USE_PSA_CRYPTO */
61 
62 #if defined(MBEDTLS_NIST_KW_C)
63 #include "mbedtls/nist_kw.h"
64 #endif
65 
66 #include "mbedtls/platform.h"
67 
68 #define CIPHER_VALIDATE_RET(cond) \
69  MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA)
70 #define CIPHER_VALIDATE(cond) \
71  MBEDTLS_INTERNAL_VALIDATE(cond)
72 
73 static int supported_init = 0;
74 
75 const int *mbedtls_cipher_list(void)
76 {
77  const mbedtls_cipher_definition_t *def;
78  int *type;
79 
80  if (!supported_init) {
81  def = mbedtls_cipher_definitions;
82  type = mbedtls_cipher_supported;
83 
84  while (def->type != 0) {
85  *type++ = (*def++).type;
86  }
87 
88  *type = 0;
89 
90  supported_init = 1;
91  }
92 
93  return mbedtls_cipher_supported;
94 }
95 
96 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
97  const mbedtls_cipher_type_t cipher_type)
98 {
99  const mbedtls_cipher_definition_t *def;
100 
101  for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
102  if (def->type == cipher_type) {
103  return def->info;
104  }
105  }
106 
107  return NULL;
108 }
109 
110 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
111  const char *cipher_name)
112 {
113  const mbedtls_cipher_definition_t *def;
114 
115  if (NULL == cipher_name) {
116  return NULL;
117  }
118 
119  for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
120  if (!strcmp(def->info->name, cipher_name)) {
121  return def->info;
122  }
123  }
124 
125  return NULL;
126 }
127 
128 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
129  const mbedtls_cipher_id_t cipher_id,
130  int key_bitlen,
131  const mbedtls_cipher_mode_t mode)
132 {
133  const mbedtls_cipher_definition_t *def;
134 
135  for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
136  if (def->info->base->cipher == cipher_id &&
137  def->info->key_bitlen == (unsigned) key_bitlen &&
138  def->info->mode == mode) {
139  return def->info;
140  }
141  }
142 
143  return NULL;
144 }
145 
146 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
147 {
148  CIPHER_VALIDATE(ctx != NULL);
149  memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
150 }
151 
152 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
153 {
154  if (ctx == NULL) {
155  return;
156  }
157 
158 #if defined(MBEDTLS_USE_PSA_CRYPTO)
159  if (ctx->psa_enabled == 1) {
160  if (ctx->cipher_ctx != NULL) {
161  mbedtls_cipher_context_psa * const cipher_psa =
162  (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
163 
164  if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
165  /* xxx_free() doesn't allow to return failures. */
166  (void) psa_destroy_key(cipher_psa->slot);
167  }
168 
169  mbedtls_platform_zeroize(cipher_psa, sizeof(*cipher_psa));
170  mbedtls_free(cipher_psa);
171  }
172 
173  mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
174  return;
175  }
176 #endif /* MBEDTLS_USE_PSA_CRYPTO */
177 
178 #if defined(MBEDTLS_CMAC_C)
179  if (ctx->cmac_ctx) {
180  mbedtls_platform_zeroize(ctx->cmac_ctx,
181  sizeof(mbedtls_cmac_context_t));
182  mbedtls_free(ctx->cmac_ctx);
183  }
184 #endif
185 
186  if (ctx->cipher_ctx) {
187  ctx->cipher_info->base->ctx_free_func(ctx->cipher_ctx);
188  }
189 
190  mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
191 }
192 
193 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
194  const mbedtls_cipher_info_t *cipher_info)
195 {
196  CIPHER_VALIDATE_RET(ctx != NULL);
197  if (cipher_info == NULL) {
198  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
199  }
200 
201  memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
202 
203  if (NULL == (ctx->cipher_ctx = cipher_info->base->ctx_alloc_func())) {
204  return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
205  }
206 
207  ctx->cipher_info = cipher_info;
208 
209 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
210  /*
211  * Ignore possible errors caused by a cipher mode that doesn't use padding
212  */
213 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
214  (void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_PKCS7);
215 #else
216  (void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_NONE);
217 #endif
218 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
219 
220  return 0;
221 }
222 
223 #if defined(MBEDTLS_USE_PSA_CRYPTO)
224 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
225  const mbedtls_cipher_info_t *cipher_info,
226  size_t taglen)
227 {
228  psa_algorithm_t alg;
229  mbedtls_cipher_context_psa *cipher_psa;
230 
231  if (NULL == cipher_info || NULL == ctx) {
232  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
233  }
234 
235  /* Check that the underlying cipher mode and cipher type are
236  * supported by the underlying PSA Crypto implementation. */
237  alg = mbedtls_psa_translate_cipher_mode(cipher_info->mode, taglen);
238  if (alg == 0) {
239  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
240  }
241  if (mbedtls_psa_translate_cipher_type(cipher_info->type) == 0) {
242  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
243  }
244 
245  memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
246 
247  cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
248  if (cipher_psa == NULL) {
249  return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
250  }
251  cipher_psa->alg = alg;
252  ctx->cipher_ctx = cipher_psa;
253  ctx->cipher_info = cipher_info;
254  ctx->psa_enabled = 1;
255  return 0;
256 }
257 #endif /* MBEDTLS_USE_PSA_CRYPTO */
258 
259 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
260  const unsigned char *key,
261  int key_bitlen,
262  const mbedtls_operation_t operation)
263 {
264  CIPHER_VALIDATE_RET(ctx != NULL);
265  CIPHER_VALIDATE_RET(key != NULL);
266  CIPHER_VALIDATE_RET(operation == MBEDTLS_ENCRYPT ||
267  operation == MBEDTLS_DECRYPT);
268  if (ctx->cipher_info == NULL) {
269  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
270  }
271 
272 #if defined(MBEDTLS_USE_PSA_CRYPTO)
273  if (ctx->psa_enabled == 1) {
274  mbedtls_cipher_context_psa * const cipher_psa =
275  (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
276 
277  size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
278 
279  psa_status_t status;
280  psa_key_type_t key_type;
281  psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
282 
283  /* PSA Crypto API only accepts byte-aligned keys. */
284  if (key_bitlen % 8 != 0) {
285  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
286  }
287 
288  /* Don't allow keys to be set multiple times. */
289  if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {
290  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
291  }
292 
293  key_type = mbedtls_psa_translate_cipher_type(
294  ctx->cipher_info->type);
295  if (key_type == 0) {
296  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
297  }
298  psa_set_key_type(&attributes, key_type);
299 
300  /* Mbed TLS' cipher layer doesn't enforce the mode of operation
301  * (encrypt vs. decrypt): it is possible to setup a key for encryption
302  * and use it for AEAD decryption. Until tests relying on this
303  * are changed, allow any usage in PSA. */
304  psa_set_key_usage_flags(&attributes,
305  /* mbedtls_psa_translate_cipher_operation( operation ); */
306  PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
307  psa_set_key_algorithm(&attributes, cipher_psa->alg);
308 
309  status = psa_import_key(&attributes, key, key_bytelen,
310  &cipher_psa->slot);
311  switch (status) {
312  case PSA_SUCCESS:
313  break;
314  case PSA_ERROR_INSUFFICIENT_MEMORY:
315  return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
316  case PSA_ERROR_NOT_SUPPORTED:
317  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
318  default:
319  return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
320  }
321  /* Indicate that we own the key slot and need to
322  * destroy it in mbedtls_cipher_free(). */
323  cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
324 
325  ctx->key_bitlen = key_bitlen;
326  ctx->operation = operation;
327  return 0;
328  }
329 #endif /* MBEDTLS_USE_PSA_CRYPTO */
330 
331  if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
332  (int) ctx->cipher_info->key_bitlen != key_bitlen) {
333  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
334  }
335 
336  ctx->key_bitlen = key_bitlen;
337  ctx->operation = operation;
338 
339  /*
340  * For OFB, CFB and CTR mode always use the encryption key schedule
341  */
342  if (MBEDTLS_ENCRYPT == operation ||
343  MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
344  MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
345  MBEDTLS_MODE_CTR == ctx->cipher_info->mode) {
346  return ctx->cipher_info->base->setkey_enc_func(ctx->cipher_ctx, key,
347  ctx->key_bitlen);
348  }
349 
350  if (MBEDTLS_DECRYPT == operation) {
351  return ctx->cipher_info->base->setkey_dec_func(ctx->cipher_ctx, key,
352  ctx->key_bitlen);
353  }
354 
355  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
356 }
357 
358 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
359  const unsigned char *iv,
360  size_t iv_len)
361 {
362  size_t actual_iv_size;
363 
364  CIPHER_VALIDATE_RET(ctx != NULL);
365  CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
366  if (ctx->cipher_info == NULL) {
367  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
368  }
369 #if defined(MBEDTLS_USE_PSA_CRYPTO)
370  if (ctx->psa_enabled == 1) {
371  /* While PSA Crypto has an API for multipart
372  * operations, we currently don't make it
373  * accessible through the cipher layer. */
374  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
375  }
376 #endif /* MBEDTLS_USE_PSA_CRYPTO */
377 
378  /* avoid buffer overflow in ctx->iv */
379  if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
380  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
381  }
382 
383  if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
384  actual_iv_size = iv_len;
385  } else {
386  actual_iv_size = ctx->cipher_info->iv_size;
387 
388  /* avoid reading past the end of input buffer */
389  if (actual_iv_size > iv_len) {
390  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
391  }
392  }
393 
394 #if defined(MBEDTLS_CHACHA20_C)
395  if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20) {
396  /* Even though the actual_iv_size is overwritten with a correct value
397  * of 12 from the cipher info, return an error to indicate that
398  * the input iv_len is wrong. */
399  if (iv_len != 12) {
400  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
401  }
402 
403  if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,
404  iv,
405  0U)) { /* Initial counter value */
406  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
407  }
408  }
409 #if defined(MBEDTLS_CHACHAPOLY_C)
410  if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
411  iv_len != 12) {
412  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
413  }
414 #endif
415 #endif
416 
417  if (actual_iv_size != 0) {
418  memcpy(ctx->iv, iv, actual_iv_size);
419  ctx->iv_size = actual_iv_size;
420  }
421 
422  return 0;
423 }
424 
425 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
426 {
427  CIPHER_VALIDATE_RET(ctx != NULL);
428  if (ctx->cipher_info == NULL) {
429  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
430  }
431 
432 #if defined(MBEDTLS_USE_PSA_CRYPTO)
433  if (ctx->psa_enabled == 1) {
434  /* We don't support resetting PSA-based
435  * cipher contexts, yet. */
436  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
437  }
438 #endif /* MBEDTLS_USE_PSA_CRYPTO */
439 
440  ctx->unprocessed_len = 0;
441 
442  return 0;
443 }
444 
445 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
446 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
447  const unsigned char *ad, size_t ad_len)
448 {
449  CIPHER_VALIDATE_RET(ctx != NULL);
450  CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
451  if (ctx->cipher_info == NULL) {
452  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
453  }
454 
455 #if defined(MBEDTLS_USE_PSA_CRYPTO)
456  if (ctx->psa_enabled == 1) {
457  /* While PSA Crypto has an API for multipart
458  * operations, we currently don't make it
459  * accessible through the cipher layer. */
460  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
461  }
462 #endif /* MBEDTLS_USE_PSA_CRYPTO */
463 
464 #if defined(MBEDTLS_GCM_C)
465  if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
466  return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
467  ctx->iv, ctx->iv_size, ad, ad_len);
468  }
469 #endif
470 
471 #if defined(MBEDTLS_CHACHAPOLY_C)
472  if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
473  int result;
474  mbedtls_chachapoly_mode_t mode;
475 
476  mode = (ctx->operation == MBEDTLS_ENCRYPT)
477  ? MBEDTLS_CHACHAPOLY_ENCRYPT
478  : MBEDTLS_CHACHAPOLY_DECRYPT;
479 
480  result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx,
481  ctx->iv,
482  mode);
483  if (result != 0) {
484  return result;
485  }
486 
487  return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
488  ad, ad_len);
489  }
490 #endif
491 
492  return 0;
493 }
494 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
495 
496 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
497  size_t ilen, unsigned char *output, size_t *olen)
498 {
499  int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
500  size_t block_size;
501 
502  CIPHER_VALIDATE_RET(ctx != NULL);
503  CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
504  CIPHER_VALIDATE_RET(output != NULL);
505  CIPHER_VALIDATE_RET(olen != NULL);
506  if (ctx->cipher_info == NULL) {
507  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
508  }
509 
510 #if defined(MBEDTLS_USE_PSA_CRYPTO)
511  if (ctx->psa_enabled == 1) {
512  /* While PSA Crypto has an API for multipart
513  * operations, we currently don't make it
514  * accessible through the cipher layer. */
515  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
516  }
517 #endif /* MBEDTLS_USE_PSA_CRYPTO */
518 
519  *olen = 0;
520  block_size = mbedtls_cipher_get_block_size(ctx);
521  if (0 == block_size) {
522  return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
523  }
524 
525  if (ctx->cipher_info->mode == MBEDTLS_MODE_ECB) {
526  if (ilen != block_size) {
527  return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
528  }
529 
530  *olen = ilen;
531 
532  if (0 != (ret = ctx->cipher_info->base->ecb_func(ctx->cipher_ctx,
533  ctx->operation, input, output))) {
534  return ret;
535  }
536 
537  return 0;
538  }
539 
540 #if defined(MBEDTLS_GCM_C)
541  if (ctx->cipher_info->mode == MBEDTLS_MODE_GCM) {
542  *olen = ilen;
543  return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
544  output);
545  }
546 #endif
547 
548 #if defined(MBEDTLS_CHACHAPOLY_C)
549  if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
550  *olen = ilen;
551  return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
552  ilen, input, output);
553  }
554 #endif
555 
556  if (input == output &&
557  (ctx->unprocessed_len != 0 || ilen % block_size)) {
558  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
559  }
560 
561 #if defined(MBEDTLS_CIPHER_MODE_CBC)
562  if (ctx->cipher_info->mode == MBEDTLS_MODE_CBC) {
563  size_t copy_len = 0;
564 
565  /*
566  * If there is not enough data for a full block, cache it.
567  */
568  if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
569  ilen <= block_size - ctx->unprocessed_len) ||
570  (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
571  ilen < block_size - ctx->unprocessed_len) ||
572  (ctx->operation == MBEDTLS_ENCRYPT &&
573  ilen < block_size - ctx->unprocessed_len)) {
574  memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
575  ilen);
576 
577  ctx->unprocessed_len += ilen;
578  return 0;
579  }
580 
581  /*
582  * Process cached data first
583  */
584  if (0 != ctx->unprocessed_len) {
585  copy_len = block_size - ctx->unprocessed_len;
586 
587  memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
588  copy_len);
589 
590  if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx,
591  ctx->operation, block_size, ctx->iv,
592  ctx->unprocessed_data, output))) {
593  return ret;
594  }
595 
596  *olen += block_size;
597  output += block_size;
598  ctx->unprocessed_len = 0;
599 
600  input += copy_len;
601  ilen -= copy_len;
602  }
603 
604  /*
605  * Cache final, incomplete block
606  */
607  if (0 != ilen) {
608  /* Encryption: only cache partial blocks
609  * Decryption w/ padding: always keep at least one whole block
610  * Decryption w/o padding: only cache partial blocks
611  */
612  copy_len = ilen % block_size;
613  if (copy_len == 0 &&
614  ctx->operation == MBEDTLS_DECRYPT &&
615  NULL != ctx->add_padding) {
616  copy_len = block_size;
617  }
618 
619  memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),
620  copy_len);
621 
622  ctx->unprocessed_len += copy_len;
623  ilen -= copy_len;
624  }
625 
626  /*
627  * Process remaining full blocks
628  */
629  if (ilen) {
630  if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx,
631  ctx->operation, ilen, ctx->iv, input,
632  output))) {
633  return ret;
634  }
635 
636  *olen += ilen;
637  }
638 
639  return 0;
640  }
641 #endif /* MBEDTLS_CIPHER_MODE_CBC */
642 
643 #if defined(MBEDTLS_CIPHER_MODE_CFB)
644  if (ctx->cipher_info->mode == MBEDTLS_MODE_CFB) {
645  if (0 != (ret = ctx->cipher_info->base->cfb_func(ctx->cipher_ctx,
646  ctx->operation, ilen,
647  &ctx->unprocessed_len, ctx->iv,
648  input, output))) {
649  return ret;
650  }
651 
652  *olen = ilen;
653 
654  return 0;
655  }
656 #endif /* MBEDTLS_CIPHER_MODE_CFB */
657 
658 #if defined(MBEDTLS_CIPHER_MODE_OFB)
659  if (ctx->cipher_info->mode == MBEDTLS_MODE_OFB) {
660  if (0 != (ret = ctx->cipher_info->base->ofb_func(ctx->cipher_ctx,
661  ilen, &ctx->unprocessed_len, ctx->iv,
662  input, output))) {
663  return ret;
664  }
665 
666  *olen = ilen;
667 
668  return 0;
669  }
670 #endif /* MBEDTLS_CIPHER_MODE_OFB */
671 
672 #if defined(MBEDTLS_CIPHER_MODE_CTR)
673  if (ctx->cipher_info->mode == MBEDTLS_MODE_CTR) {
674  if (0 != (ret = ctx->cipher_info->base->ctr_func(ctx->cipher_ctx,
675  ilen, &ctx->unprocessed_len, ctx->iv,
676  ctx->unprocessed_data, input, output))) {
677  return ret;
678  }
679 
680  *olen = ilen;
681 
682  return 0;
683  }
684 #endif /* MBEDTLS_CIPHER_MODE_CTR */
685 
686 #if defined(MBEDTLS_CIPHER_MODE_XTS)
687  if (ctx->cipher_info->mode == MBEDTLS_MODE_XTS) {
688  if (ctx->unprocessed_len > 0) {
689  /* We can only process an entire data unit at a time. */
690  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
691  }
692 
693  ret = ctx->cipher_info->base->xts_func(ctx->cipher_ctx,
694  ctx->operation, ilen, ctx->iv, input, output);
695  if (ret != 0) {
696  return ret;
697  }
698 
699  *olen = ilen;
700 
701  return 0;
702  }
703 #endif /* MBEDTLS_CIPHER_MODE_XTS */
704 
705 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
706  if (ctx->cipher_info->mode == MBEDTLS_MODE_STREAM) {
707  if (0 != (ret = ctx->cipher_info->base->stream_func(ctx->cipher_ctx,
708  ilen, input, output))) {
709  return ret;
710  }
711 
712  *olen = ilen;
713 
714  return 0;
715  }
716 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
717 
718  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
719 }
720 
721 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
722 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
723 /*
724  * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
725  */
726 static void add_pkcs_padding(unsigned char *output, size_t output_len,
727  size_t data_len)
728 {
729  size_t padding_len = output_len - data_len;
730  unsigned char i;
731 
732  for (i = 0; i < padding_len; i++) {
733  output[data_len + i] = (unsigned char) padding_len;
734  }
735 }
736 
737 static int get_pkcs_padding(unsigned char *input, size_t input_len,
738  size_t *data_len)
739 {
740  size_t i, pad_idx;
741  unsigned char padding_len, bad = 0;
742 
743  if (NULL == input || NULL == data_len) {
744  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
745  }
746 
747  padding_len = input[input_len - 1];
748  *data_len = input_len - padding_len;
749 
750  /* Avoid logical || since it results in a branch */
751  bad |= padding_len > input_len;
752  bad |= padding_len == 0;
753 
754  /* The number of bytes checked must be independent of padding_len,
755  * so pick input_len, which is usually 8 or 16 (one block) */
756  pad_idx = input_len - padding_len;
757  for (i = 0; i < input_len; i++) {
758  bad |= (input[i] ^ padding_len) * (i >= pad_idx);
759  }
760 
761  return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0);
762 }
763 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
764 
765 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
766 /*
767  * One and zeros padding: fill with 80 00 ... 00
768  */
769 static void add_one_and_zeros_padding(unsigned char *output,
770  size_t output_len, size_t data_len)
771 {
772  size_t padding_len = output_len - data_len;
773  unsigned char i = 0;
774 
775  output[data_len] = 0x80;
776  for (i = 1; i < padding_len; i++) {
777  output[data_len + i] = 0x00;
778  }
779 }
780 
781 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
782  size_t *data_len)
783 {
784  size_t i;
785  unsigned char done = 0, prev_done, bad;
786 
787  if (NULL == input || NULL == data_len) {
788  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
789  }
790 
791  bad = 0x80;
792  *data_len = 0;
793  for (i = input_len; i > 0; i--) {
794  prev_done = done;
795  done |= (input[i - 1] != 0);
796  *data_len |= (i - 1) * (done != prev_done);
797  bad ^= input[i - 1] * (done != prev_done);
798  }
799 
800  return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0);
801 
802 }
803 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
804 
805 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
806 /*
807  * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
808  */
809 static void add_zeros_and_len_padding(unsigned char *output,
810  size_t output_len, size_t data_len)
811 {
812  size_t padding_len = output_len - data_len;
813  unsigned char i = 0;
814 
815  for (i = 1; i < padding_len; i++) {
816  output[data_len + i - 1] = 0x00;
817  }
818  output[output_len - 1] = (unsigned char) padding_len;
819 }
820 
821 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
822  size_t *data_len)
823 {
824  size_t i, pad_idx;
825  unsigned char padding_len, bad = 0;
826 
827  if (NULL == input || NULL == data_len) {
828  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
829  }
830 
831  padding_len = input[input_len - 1];
832  *data_len = input_len - padding_len;
833 
834  /* Avoid logical || since it results in a branch */
835  bad |= padding_len > input_len;
836  bad |= padding_len == 0;
837 
838  /* The number of bytes checked must be independent of padding_len */
839  pad_idx = input_len - padding_len;
840  for (i = 0; i < input_len - 1; i++) {
841  bad |= input[i] * (i >= pad_idx);
842  }
843 
844  return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0);
845 }
846 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
847 
848 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
849 /*
850  * Zero padding: fill with 00 ... 00
851  */
852 static void add_zeros_padding(unsigned char *output,
853  size_t output_len, size_t data_len)
854 {
855  size_t i;
856 
857  for (i = data_len; i < output_len; i++) {
858  output[i] = 0x00;
859  }
860 }
861 
862 static int get_zeros_padding(unsigned char *input, size_t input_len,
863  size_t *data_len)
864 {
865  size_t i;
866  unsigned char done = 0, prev_done;
867 
868  if (NULL == input || NULL == data_len) {
869  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
870  }
871 
872  *data_len = 0;
873  for (i = input_len; i > 0; i--) {
874  prev_done = done;
875  done |= (input[i-1] != 0);
876  *data_len |= i * (done != prev_done);
877  }
878 
879  return 0;
880 }
881 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
882 
883 /*
884  * No padding: don't pad :)
885  *
886  * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
887  * but a trivial get_padding function
888  */
889 static int get_no_padding(unsigned char *input, size_t input_len,
890  size_t *data_len)
891 {
892  if (NULL == input || NULL == data_len) {
893  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
894  }
895 
896  *data_len = input_len;
897 
898  return 0;
899 }
900 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
901 
902 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
903  unsigned char *output, size_t *olen)
904 {
905  CIPHER_VALIDATE_RET(ctx != NULL);
906  CIPHER_VALIDATE_RET(output != NULL);
907  CIPHER_VALIDATE_RET(olen != NULL);
908  if (ctx->cipher_info == NULL) {
909  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
910  }
911 
912 #if defined(MBEDTLS_USE_PSA_CRYPTO)
913  if (ctx->psa_enabled == 1) {
914  /* While PSA Crypto has an API for multipart
915  * operations, we currently don't make it
916  * accessible through the cipher layer. */
917  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
918  }
919 #endif /* MBEDTLS_USE_PSA_CRYPTO */
920 
921  *olen = 0;
922 
923  if (MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
924  MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
925  MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
926  MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
927  MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
928  MBEDTLS_MODE_STREAM == ctx->cipher_info->mode) {
929  return 0;
930  }
931 
932  if ((MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type) ||
933  (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type)) {
934  return 0;
935  }
936 
937  if (MBEDTLS_MODE_ECB == ctx->cipher_info->mode) {
938  if (ctx->unprocessed_len != 0) {
939  return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
940  }
941 
942  return 0;
943  }
944 
945 #if defined(MBEDTLS_CIPHER_MODE_CBC)
946  if (MBEDTLS_MODE_CBC == ctx->cipher_info->mode) {
947  int ret = 0;
948 
949  if (MBEDTLS_ENCRYPT == ctx->operation) {
950  /* check for 'no padding' mode */
951  if (NULL == ctx->add_padding) {
952  if (0 != ctx->unprocessed_len) {
953  return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
954  }
955 
956  return 0;
957  }
958 
959  ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),
960  ctx->unprocessed_len);
961  } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {
962  /*
963  * For decrypt operations, expect a full block,
964  * or an empty block if no padding
965  */
966  if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {
967  return 0;
968  }
969 
970  return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
971  }
972 
973  /* cipher block */
974  if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx,
975  ctx->operation,
976  mbedtls_cipher_get_block_size(ctx),
977  ctx->iv,
978  ctx->unprocessed_data, output))) {
979  return ret;
980  }
981 
982  /* Set output size for decryption */
983  if (MBEDTLS_DECRYPT == ctx->operation) {
984  return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
985  olen);
986  }
987 
988  /* Set output size for encryption */
989  *olen = mbedtls_cipher_get_block_size(ctx);
990  return 0;
991  }
992 #else
993  ((void) output);
994 #endif /* MBEDTLS_CIPHER_MODE_CBC */
995 
996  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
997 }
998 
999 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
1000 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
1001  mbedtls_cipher_padding_t mode)
1002 {
1003  CIPHER_VALIDATE_RET(ctx != NULL);
1004 
1005  if (NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode) {
1006  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1007  }
1008 
1009 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1010  if (ctx->psa_enabled == 1) {
1011  /* While PSA Crypto knows about CBC padding
1012  * schemes, we currently don't make them
1013  * accessible through the cipher layer. */
1014  if (mode != MBEDTLS_PADDING_NONE) {
1015  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1016  }
1017 
1018  return 0;
1019  }
1020 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1021 
1022  switch (mode) {
1023 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1024  case MBEDTLS_PADDING_PKCS7:
1025  ctx->add_padding = add_pkcs_padding;
1026  ctx->get_padding = get_pkcs_padding;
1027  break;
1028 #endif
1029 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1030  case MBEDTLS_PADDING_ONE_AND_ZEROS:
1031  ctx->add_padding = add_one_and_zeros_padding;
1032  ctx->get_padding = get_one_and_zeros_padding;
1033  break;
1034 #endif
1035 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1036  case MBEDTLS_PADDING_ZEROS_AND_LEN:
1037  ctx->add_padding = add_zeros_and_len_padding;
1038  ctx->get_padding = get_zeros_and_len_padding;
1039  break;
1040 #endif
1041 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1042  case MBEDTLS_PADDING_ZEROS:
1043  ctx->add_padding = add_zeros_padding;
1044  ctx->get_padding = get_zeros_padding;
1045  break;
1046 #endif
1047  case MBEDTLS_PADDING_NONE:
1048  ctx->add_padding = NULL;
1049  ctx->get_padding = get_no_padding;
1050  break;
1051 
1052  default:
1053  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1054  }
1055 
1056  return 0;
1057 }
1058 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1059 
1060 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
1061 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
1062  unsigned char *tag, size_t tag_len)
1063 {
1064  CIPHER_VALIDATE_RET(ctx != NULL);
1065  CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
1066  if (ctx->cipher_info == NULL) {
1067  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1068  }
1069 
1070  if (MBEDTLS_ENCRYPT != ctx->operation) {
1071  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1072  }
1073 
1074 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1075  if (ctx->psa_enabled == 1) {
1076  /* While PSA Crypto has an API for multipart
1077  * operations, we currently don't make it
1078  * accessible through the cipher layer. */
1079  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1080  }
1081 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1082 
1083 #if defined(MBEDTLS_GCM_C)
1084  if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
1085  return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
1086  tag, tag_len);
1087  }
1088 #endif
1089 
1090 #if defined(MBEDTLS_CHACHAPOLY_C)
1091  if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
1092  /* Don't allow truncated MAC for Poly1305 */
1093  if (tag_len != 16U) {
1094  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1095  }
1096 
1097  return mbedtls_chachapoly_finish(
1098  (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);
1099  }
1100 #endif
1101 
1102  return 0;
1103 }
1104 
1105 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
1106  const unsigned char *tag, size_t tag_len)
1107 {
1108  unsigned char check_tag[16];
1109  int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1110 
1111  CIPHER_VALIDATE_RET(ctx != NULL);
1112  CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
1113  if (ctx->cipher_info == NULL) {
1114  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1115  }
1116 
1117  if (MBEDTLS_DECRYPT != ctx->operation) {
1118  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1119  }
1120 
1121 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1122  if (ctx->psa_enabled == 1) {
1123  /* While PSA Crypto has an API for multipart
1124  * operations, we currently don't make it
1125  * accessible through the cipher layer. */
1126  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1127  }
1128 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1129 
1130  /* Status to return on a non-authenticated algorithm. It would make sense
1131  * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps
1132  * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our
1133  * unit tests assume 0. */
1134  ret = 0;
1135 
1136 #if defined(MBEDTLS_GCM_C)
1137  if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
1138  if (tag_len > sizeof(check_tag)) {
1139  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1140  }
1141 
1142  if (0 != (ret = mbedtls_gcm_finish(
1143  (mbedtls_gcm_context *) ctx->cipher_ctx,
1144  check_tag, tag_len))) {
1145  return ret;
1146  }
1147 
1148  /* Check the tag in "constant-time" */
1149  if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1150  ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1151  goto exit;
1152  }
1153  }
1154 #endif /* MBEDTLS_GCM_C */
1155 
1156 #if defined(MBEDTLS_CHACHAPOLY_C)
1157  if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
1158  /* Don't allow truncated MAC for Poly1305 */
1159  if (tag_len != sizeof(check_tag)) {
1160  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1161  }
1162 
1163  ret = mbedtls_chachapoly_finish(
1164  (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
1165  if (ret != 0) {
1166  return ret;
1167  }
1168 
1169  /* Check the tag in "constant-time" */
1170  if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1171  ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1172  goto exit;
1173  }
1174  }
1175 #endif /* MBEDTLS_CHACHAPOLY_C */
1176 
1177 exit:
1178  mbedtls_platform_zeroize(check_tag, tag_len);
1179  return ret;
1180 }
1181 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1182 
1183 /*
1184  * Packet-oriented wrapper for non-AEAD modes
1185  */
1186 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
1187  const unsigned char *iv, size_t iv_len,
1188  const unsigned char *input, size_t ilen,
1189  unsigned char *output, size_t *olen)
1190 {
1191  int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1192  size_t finish_olen;
1193 
1194  CIPHER_VALIDATE_RET(ctx != NULL);
1195  CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
1196  CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
1197  CIPHER_VALIDATE_RET(output != NULL);
1198  CIPHER_VALIDATE_RET(olen != NULL);
1199 
1200 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1201  if (ctx->psa_enabled == 1) {
1202  /* As in the non-PSA case, we don't check that
1203  * a key has been set. If not, the key slot will
1204  * still be in its default state of 0, which is
1205  * guaranteed to be invalid, hence the PSA-call
1206  * below will gracefully fail. */
1207  mbedtls_cipher_context_psa * const cipher_psa =
1208  (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1209 
1210  psa_status_t status;
1211  psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1212  size_t part_len;
1213 
1214  if (ctx->operation == MBEDTLS_DECRYPT) {
1215  status = psa_cipher_decrypt_setup(&cipher_op,
1216  cipher_psa->slot,
1217  cipher_psa->alg);
1218  } else if (ctx->operation == MBEDTLS_ENCRYPT) {
1219  status = psa_cipher_encrypt_setup(&cipher_op,
1220  cipher_psa->slot,
1221  cipher_psa->alg);
1222  } else {
1223  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1224  }
1225 
1226  /* In the following, we can immediately return on an error,
1227  * because the PSA Crypto API guarantees that cipher operations
1228  * are terminated by unsuccessful calls to psa_cipher_update(),
1229  * and by any call to psa_cipher_finish(). */
1230  if (status != PSA_SUCCESS) {
1231  return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1232  }
1233 
1234  if (ctx->cipher_info->mode != MBEDTLS_MODE_ECB) {
1235  status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
1236  if (status != PSA_SUCCESS) {
1237  return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1238  }
1239  }
1240 
1241  status = psa_cipher_update(&cipher_op,
1242  input, ilen,
1243  output, ilen, olen);
1244  if (status != PSA_SUCCESS) {
1245  return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1246  }
1247 
1248  status = psa_cipher_finish(&cipher_op,
1249  output + *olen, ilen - *olen,
1250  &part_len);
1251  if (status != PSA_SUCCESS) {
1252  return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1253  }
1254 
1255  *olen += part_len;
1256  return 0;
1257  }
1258 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1259 
1260  if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
1261  return ret;
1262  }
1263 
1264  if ((ret = mbedtls_cipher_reset(ctx)) != 0) {
1265  return ret;
1266  }
1267 
1268  if ((ret = mbedtls_cipher_update(ctx, input, ilen,
1269  output, olen)) != 0) {
1270  return ret;
1271  }
1272 
1273  if ((ret = mbedtls_cipher_finish(ctx, output + *olen,
1274  &finish_olen)) != 0) {
1275  return ret;
1276  }
1277 
1278  *olen += finish_olen;
1279 
1280  return 0;
1281 }
1282 
1283 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1284 /*
1285  * Packet-oriented encryption for AEAD modes: internal function shared by
1286  * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
1287  */
1288 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
1289  const unsigned char *iv, size_t iv_len,
1290  const unsigned char *ad, size_t ad_len,
1291  const unsigned char *input, size_t ilen,
1292  unsigned char *output, size_t *olen,
1293  unsigned char *tag, size_t tag_len)
1294 {
1295 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1296  if (ctx->psa_enabled == 1) {
1297  /* As in the non-PSA case, we don't check that
1298  * a key has been set. If not, the key slot will
1299  * still be in its default state of 0, which is
1300  * guaranteed to be invalid, hence the PSA-call
1301  * below will gracefully fail. */
1302  mbedtls_cipher_context_psa * const cipher_psa =
1303  (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1304 
1305  psa_status_t status;
1306 
1307  /* PSA Crypto API always writes the authentication tag
1308  * at the end of the encrypted message. */
1309  if (output == NULL || tag != output + ilen) {
1310  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1311  }
1312 
1313  status = psa_aead_encrypt(cipher_psa->slot,
1314  cipher_psa->alg,
1315  iv, iv_len,
1316  ad, ad_len,
1317  input, ilen,
1318  output, ilen + tag_len, olen);
1319  if (status != PSA_SUCCESS) {
1320  return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1321  }
1322 
1323  *olen -= tag_len;
1324  return 0;
1325  }
1326 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1327 
1328 #if defined(MBEDTLS_GCM_C)
1329  if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
1330  *olen = ilen;
1331  return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1332  ilen, iv, iv_len, ad, ad_len,
1333  input, output, tag_len, tag);
1334  }
1335 #endif /* MBEDTLS_GCM_C */
1336 #if defined(MBEDTLS_CCM_C)
1337  if (MBEDTLS_MODE_CCM == ctx->cipher_info->mode) {
1338  *olen = ilen;
1339  return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
1340  iv, iv_len, ad, ad_len, input, output,
1341  tag, tag_len);
1342  }
1343 #endif /* MBEDTLS_CCM_C */
1344 #if defined(MBEDTLS_CHACHAPOLY_C)
1345  if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
1346  /* ChachaPoly has fixed length nonce and MAC (tag) */
1347  if ((iv_len != ctx->cipher_info->iv_size) ||
1348  (tag_len != 16U)) {
1349  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1350  }
1351 
1352  *olen = ilen;
1353  return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,
1354  ilen, iv, ad, ad_len, input, output, tag);
1355  }
1356 #endif /* MBEDTLS_CHACHAPOLY_C */
1357 
1358  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1359 }
1360 
1361 /*
1362  * Packet-oriented encryption for AEAD modes: internal function shared by
1363  * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
1364  */
1365 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
1366  const unsigned char *iv, size_t iv_len,
1367  const unsigned char *ad, size_t ad_len,
1368  const unsigned char *input, size_t ilen,
1369  unsigned char *output, size_t *olen,
1370  const unsigned char *tag, size_t tag_len)
1371 {
1372 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1373  if (ctx->psa_enabled == 1) {
1374  /* As in the non-PSA case, we don't check that
1375  * a key has been set. If not, the key slot will
1376  * still be in its default state of 0, which is
1377  * guaranteed to be invalid, hence the PSA-call
1378  * below will gracefully fail. */
1379  mbedtls_cipher_context_psa * const cipher_psa =
1380  (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1381 
1382  psa_status_t status;
1383 
1384  /* PSA Crypto API always writes the authentication tag
1385  * at the end of the encrypted message. */
1386  if (input == NULL || tag != input + ilen) {
1387  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1388  }
1389 
1390  status = psa_aead_decrypt(cipher_psa->slot,
1391  cipher_psa->alg,
1392  iv, iv_len,
1393  ad, ad_len,
1394  input, ilen + tag_len,
1395  output, ilen, olen);
1396  if (status == PSA_ERROR_INVALID_SIGNATURE) {
1397  return MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1398  } else if (status != PSA_SUCCESS) {
1399  return MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED;
1400  }
1401 
1402  return 0;
1403  }
1404 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1405 
1406 #if defined(MBEDTLS_GCM_C)
1407  if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
1408  int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1409 
1410  *olen = ilen;
1411  ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
1412  iv, iv_len, ad, ad_len,
1413  tag, tag_len, input, output);
1414 
1415  if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
1416  ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1417  }
1418 
1419  return ret;
1420  }
1421 #endif /* MBEDTLS_GCM_C */
1422 #if defined(MBEDTLS_CCM_C)
1423  if (MBEDTLS_MODE_CCM == ctx->cipher_info->mode) {
1424  int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1425 
1426  *olen = ilen;
1427  ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
1428  iv, iv_len, ad, ad_len,
1429  input, output, tag, tag_len);
1430 
1431  if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
1432  ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1433  }
1434 
1435  return ret;
1436  }
1437 #endif /* MBEDTLS_CCM_C */
1438 #if defined(MBEDTLS_CHACHAPOLY_C)
1439  if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
1440  int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1441 
1442  /* ChachaPoly has fixed length nonce and MAC (tag) */
1443  if ((iv_len != ctx->cipher_info->iv_size) ||
1444  (tag_len != 16U)) {
1445  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1446  }
1447 
1448  *olen = ilen;
1449  ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,
1450  iv, ad, ad_len, tag, input, output);
1451 
1452  if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {
1453  ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1454  }
1455 
1456  return ret;
1457  }
1458 #endif /* MBEDTLS_CHACHAPOLY_C */
1459 
1460  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1461 }
1462 
1463 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1464 /*
1465  * Packet-oriented encryption for AEAD modes: public legacy function.
1466  */
1467 int mbedtls_cipher_auth_encrypt(mbedtls_cipher_context_t *ctx,
1468  const unsigned char *iv, size_t iv_len,
1469  const unsigned char *ad, size_t ad_len,
1470  const unsigned char *input, size_t ilen,
1471  unsigned char *output, size_t *olen,
1472  unsigned char *tag, size_t tag_len)
1473 {
1474  CIPHER_VALIDATE_RET(ctx != NULL);
1475  CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
1476  CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
1477  CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
1478  CIPHER_VALIDATE_RET(ilen == 0 || output != NULL);
1479  CIPHER_VALIDATE_RET(olen != NULL);
1480  CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
1481 
1482  return mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
1483  input, ilen, output, olen,
1484  tag, tag_len);
1485 }
1486 
1487 /*
1488  * Packet-oriented decryption for AEAD modes: public legacy function.
1489  */
1490 int mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t *ctx,
1491  const unsigned char *iv, size_t iv_len,
1492  const unsigned char *ad, size_t ad_len,
1493  const unsigned char *input, size_t ilen,
1494  unsigned char *output, size_t *olen,
1495  const unsigned char *tag, size_t tag_len)
1496 {
1497  CIPHER_VALIDATE_RET(ctx != NULL);
1498  CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
1499  CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
1500  CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
1501  CIPHER_VALIDATE_RET(ilen == 0 || output != NULL);
1502  CIPHER_VALIDATE_RET(olen != NULL);
1503  CIPHER_VALIDATE_RET(tag_len == 0 || tag != NULL);
1504 
1505  return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
1506  input, ilen, output, olen,
1507  tag, tag_len);
1508 }
1509 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1510 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1511 
1512 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1513 /*
1514  * Packet-oriented encryption for AEAD/NIST_KW: public function.
1515  */
1516 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
1517  const unsigned char *iv, size_t iv_len,
1518  const unsigned char *ad, size_t ad_len,
1519  const unsigned char *input, size_t ilen,
1520  unsigned char *output, size_t output_len,
1521  size_t *olen, size_t tag_len)
1522 {
1523  CIPHER_VALIDATE_RET(ctx != NULL);
1524  CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
1525  CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
1526  CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
1527  CIPHER_VALIDATE_RET(output != NULL);
1528  CIPHER_VALIDATE_RET(olen != NULL);
1529 
1530 #if defined(MBEDTLS_NIST_KW_C)
1531  if (
1532 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1533  ctx->psa_enabled == 0 &&
1534 #endif
1535  (MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1536  MBEDTLS_MODE_KWP == ctx->cipher_info->mode)) {
1537  mbedtls_nist_kw_mode_t mode = (MBEDTLS_MODE_KW == ctx->cipher_info->mode) ?
1538  MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1539 
1540  /* There is no iv, tag or ad associated with KW and KWP,
1541  * so these length should be 0 as documented. */
1542  if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1543  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1544  }
1545 
1546  (void) iv;
1547  (void) ad;
1548 
1549  return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
1550  output, olen, output_len);
1551  }
1552 #endif /* MBEDTLS_NIST_KW_C */
1553 
1554 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1555  /* AEAD case: check length before passing on to shared function */
1556  if (output_len < ilen + tag_len) {
1557  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1558  }
1559 
1560  int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
1561  input, ilen, output, olen,
1562  output + ilen, tag_len);
1563  *olen += tag_len;
1564  return ret;
1565 #else
1566  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1567 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1568 }
1569 
1570 /*
1571  * Packet-oriented decryption for AEAD/NIST_KW: public function.
1572  */
1573 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
1574  const unsigned char *iv, size_t iv_len,
1575  const unsigned char *ad, size_t ad_len,
1576  const unsigned char *input, size_t ilen,
1577  unsigned char *output, size_t output_len,
1578  size_t *olen, size_t tag_len)
1579 {
1580  CIPHER_VALIDATE_RET(ctx != NULL);
1581  CIPHER_VALIDATE_RET(iv_len == 0 || iv != NULL);
1582  CIPHER_VALIDATE_RET(ad_len == 0 || ad != NULL);
1583  CIPHER_VALIDATE_RET(ilen == 0 || input != NULL);
1584  CIPHER_VALIDATE_RET(output_len == 0 || output != NULL);
1585  CIPHER_VALIDATE_RET(olen != NULL);
1586 
1587 #if defined(MBEDTLS_NIST_KW_C)
1588  if (
1589 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1590  ctx->psa_enabled == 0 &&
1591 #endif
1592  (MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1593  MBEDTLS_MODE_KWP == ctx->cipher_info->mode)) {
1594  mbedtls_nist_kw_mode_t mode = (MBEDTLS_MODE_KW == ctx->cipher_info->mode) ?
1595  MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1596 
1597  /* There is no iv, tag or ad associated with KW and KWP,
1598  * so these length should be 0 as documented. */
1599  if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1600  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1601  }
1602 
1603  (void) iv;
1604  (void) ad;
1605 
1606  return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
1607  output, olen, output_len);
1608  }
1609 #endif /* MBEDTLS_NIST_KW_C */
1610 
1611 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1612  /* AEAD case: check length before passing on to shared function */
1613  if (ilen < tag_len || output_len < ilen - tag_len) {
1614  return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
1615  }
1616 
1617  return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
1618  input, ilen - tag_len, output, olen,
1619  input + ilen - tag_len, tag_len);
1620 #else
1621  return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1622 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1623 }
1624 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1625 
1626 #endif /* MBEDTLS_CIPHER_C */
attributes
static const struct attribute attributes[]
Definition: attributes.c:165
ccm.h
This file provides an API for the CCM authenticated encryption mode for block ciphers.
mbedtls_ccm_encrypt_and_tag
int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *input, unsigned char *output, unsigned char *tag, size_t tag_len)
This function encrypts a buffer using CCM.
mbedtls_ccm_auth_decrypt
int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *input, unsigned char *output, const unsigned char *tag, size_t tag_len)
This function performs a CCM authenticated decryption of a buffer.
MBEDTLS_ERR_CCM_AUTH_FAILED
#define MBEDTLS_ERR_CCM_AUTH_FAILED
Authenticated decryption failed.
Definition: ccm.h:61
chacha20.h
This file contains ChaCha20 definitions and functions.
mbedtls_chacha20_starts
int mbedtls_chacha20_starts(mbedtls_chacha20_context *ctx, const unsigned char nonce[12], uint32_t counter)
This function sets the nonce and initial counter value.
chachapoly.h
This file contains the AEAD-ChaCha20-Poly1305 definitions and functions.
mbedtls_chachapoly_finish
int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx, unsigned char mac[16])
This function finished the ChaCha20-Poly1305 operation and generates the MAC (authentication tag).
mbedtls_chachapoly_starts
int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx, const unsigned char nonce[12], mbedtls_chachapoly_mode_t mode)
This function starts a ChaCha20-Poly1305 encryption or decryption operation.
mbedtls_chachapoly_update
int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx, size_t len, const unsigned char *input, unsigned char *output)
Thus function feeds data to be encrypted or decrypted into an on-going ChaCha20-Poly1305 operation.
mbedtls_chachapoly_encrypt_and_tag
int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx, size_t length, const unsigned char nonce[12], const unsigned char *aad, size_t aad_len, const unsigned char *input, unsigned char *output, unsigned char tag[16])
This function performs a complete ChaCha20-Poly1305 authenticated encryption with the previously-set ...
MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
Authenticated decryption failed: data was not authentic.
Definition: chachapoly.h:47
mbedtls_chachapoly_mode_t
mbedtls_chachapoly_mode_t
Definition: chachapoly.h:53
MBEDTLS_CHACHAPOLY_ENCRYPT
@ MBEDTLS_CHACHAPOLY_ENCRYPT
The mode value for performing encryption.
Definition: chachapoly.h:54
MBEDTLS_CHACHAPOLY_DECRYPT
@ MBEDTLS_CHACHAPOLY_DECRYPT
The mode value for performing decryption.
Definition: chachapoly.h:55
mbedtls_chachapoly_auth_decrypt
int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx, size_t length, const unsigned char nonce[12], const unsigned char *aad, size_t aad_len, const unsigned char tag[16], const unsigned char *input, unsigned char *output)
This function performs a complete ChaCha20-Poly1305 authenticated decryption with the previously-set ...
mbedtls_chachapoly_update_aad
int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx, const unsigned char *aad, size_t aad_len)
This function feeds additional data to be authenticated into an ongoing ChaCha20-Poly1305 operation.
add_one_and_zeros_padding
static void add_one_and_zeros_padding(unsigned char *output, size_t output_len, size_t data_len)
Definition: cipher.c:769
supported_init
static int supported_init
Definition: cipher.c:73
get_zeros_and_len_padding
static int get_zeros_and_len_padding(unsigned char *input, size_t input_len, size_t *data_len)
Definition: cipher.c:821
get_no_padding
static int get_no_padding(unsigned char *input, size_t input_len, size_t *data_len)
Definition: cipher.c:889
add_zeros_padding
static void add_zeros_padding(unsigned char *output, size_t output_len, size_t data_len)
Definition: cipher.c:852
CIPHER_VALIDATE_RET
#define CIPHER_VALIDATE_RET(cond)
Definition: cipher.c:68
add_zeros_and_len_padding
static void add_zeros_and_len_padding(unsigned char *output, size_t output_len, size_t data_len)
Definition: cipher.c:809
mbedtls_cipher_aead_decrypt
static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, const unsigned char *tag, size_t tag_len)
Definition: cipher.c:1365
get_pkcs_padding
static int get_pkcs_padding(unsigned char *input, size_t input_len, size_t *data_len)
Definition: cipher.c:737
add_pkcs_padding
static void add_pkcs_padding(unsigned char *output, size_t output_len, size_t data_len)
Definition: cipher.c:726
get_one_and_zeros_padding
static int get_one_and_zeros_padding(unsigned char *input, size_t input_len, size_t *data_len)
Definition: cipher.c:781
get_zeros_padding
static int get_zeros_padding(unsigned char *input, size_t input_len, size_t *data_len)
Definition: cipher.c:862
mbedtls_cipher_aead_encrypt
static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, unsigned char *tag, size_t tag_len)
Definition: cipher.c:1288
CIPHER_VALIDATE
#define CIPHER_VALIDATE(cond)
Definition: cipher.c:70
cipher.h
This file contains an abstraction interface for use with the cipher primitives provided by the librar...
mbedtls_cipher_setup
int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info)
This function initializes a cipher context for use with the given cipher primitive.
mbedtls_cipher_type_t
mbedtls_cipher_type_t
Supported {cipher type, cipher mode} pairs.
Definition: cipher.h:110
MBEDTLS_CIPHER_CHACHA20
@ MBEDTLS_CIPHER_CHACHA20
ChaCha20 stream cipher.
Definition: cipher.h:183
MBEDTLS_CIPHER_CHACHA20_POLY1305
@ MBEDTLS_CIPHER_CHACHA20_POLY1305
ChaCha20-Poly1305 AEAD cipher.
Definition: cipher.h:184
mbedtls_cipher_setkey
int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, const unsigned char *key, int key_bitlen, const mbedtls_operation_t operation)
This function sets the key to use with the given context.
MBEDTLS_ERR_CIPHER_INVALID_PADDING
#define MBEDTLS_ERR_CIPHER_INVALID_PADDING
Input data contains invalid padding and is rejected.
Definition: cipher.h:64
mbedtls_cipher_crypt
int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
The generic all-in-one encryption/decryption function, for all ciphers except AEAD constructs.
mbedtls_cipher_reset
int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
This function resets the cipher state.
MBEDTLS_CIPHER_VARIABLE_IV_LEN
#define MBEDTLS_CIPHER_VARIABLE_IV_LEN
Cipher accepts IVs of variable length.
Definition: cipher.h:76
MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED
#define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED
Cipher hardware accelerator failed.
Definition: cipher.h:74
MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
The selected feature is not available.
Definition: cipher.h:58
mbedtls_cipher_set_iv
int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len)
This function sets the initialization vector (IV) or nonce.
mbedtls_cipher_padding_t
mbedtls_cipher_padding_t
Supported cipher padding types.
Definition: cipher.h:211
MBEDTLS_PADDING_ZEROS
@ MBEDTLS_PADDING_ZEROS
Zero padding (not reversible).
Definition: cipher.h:215
MBEDTLS_PADDING_ONE_AND_ZEROS
@ MBEDTLS_PADDING_ONE_AND_ZEROS
ISO/IEC 7816-4 padding.
Definition: cipher.h:213
MBEDTLS_PADDING_PKCS7
@ MBEDTLS_PADDING_PKCS7
PKCS7 padding (default).
Definition: cipher.h:212
MBEDTLS_PADDING_ZEROS_AND_LEN
@ MBEDTLS_PADDING_ZEROS_AND_LEN
ANSI X.923 padding.
Definition: cipher.h:214
MBEDTLS_PADDING_NONE
@ MBEDTLS_PADDING_NONE
Never pad (full blocks only).
Definition: cipher.h:216
mbedtls_cipher_finish
int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx, unsigned char *output, size_t *olen)
The generic cipher finalization function.
MBEDTLS_ERR_CIPHER_AUTH_FAILED
#define MBEDTLS_ERR_CIPHER_AUTH_FAILED
Authentication failed (for AEAD modes).
Definition: cipher.h:68
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
Bad input parameters.
Definition: cipher.h:60
mbedtls_cipher_list
const int * mbedtls_cipher_list(void)
This function retrieves the list of ciphers supported by the generic cipher module.
mbedtls_cipher_init
void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
This function initializes a cipher_context as NONE.
MBEDTLS_CIPHER_VARIABLE_KEY_LEN
#define MBEDTLS_CIPHER_VARIABLE_KEY_LEN
Cipher accepts keys of variable length.
Definition: cipher.h:77
mbedtls_cipher_info_from_type
const mbedtls_cipher_info_t * mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)
This function retrieves the cipher-information structure associated with the given cipher type.
mbedtls_cipher_free
void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
This function frees and clears the cipher-specific context of ctx.
mbedtls_cipher_get_iv_size
static int mbedtls_cipher_get_iv_size(const mbedtls_cipher_context_t *ctx)
This function returns the size of the IV or nonce of the cipher, in Bytes.
Definition: cipher.h:544
mbedtls_cipher_update
int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
The generic cipher update function.
mbedtls_cipher_info_from_values
const mbedtls_cipher_info_t * mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id, int key_bitlen, const mbedtls_cipher_mode_t mode)
This function retrieves the cipher-information structure associated with the given cipher ID,...
mbedtls_cipher_info_from_string
const mbedtls_cipher_info_t * mbedtls_cipher_info_from_string(const char *cipher_name)
This function retrieves the cipher-information structure associated with the given cipher name.
mbedtls_cipher_get_block_size
static unsigned int mbedtls_cipher_get_block_size(const mbedtls_cipher_context_t *ctx)
This function returns the block size of the given cipher.
Definition: cipher.h:503
mbedtls_operation_t
mbedtls_operation_t
Type of operation.
Definition: cipher.h:220
MBEDTLS_DECRYPT
@ MBEDTLS_DECRYPT
Definition: cipher.h:222
MBEDTLS_ENCRYPT
@ MBEDTLS_ENCRYPT
Definition: cipher.h:223
MBEDTLS_ERR_CIPHER_ALLOC_FAILED
#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED
Failed to allocate memory.
Definition: cipher.h:62
MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
Decryption of block requires a full block.
Definition: cipher.h:66
mbedtls_cipher_mode_t
mbedtls_cipher_mode_t
Supported cipher modes.
Definition: cipher.h:194
MBEDTLS_MODE_ECB
@ MBEDTLS_MODE_ECB
The ECB cipher mode.
Definition: cipher.h:196
MBEDTLS_MODE_CCM
@ MBEDTLS_MODE_CCM
The CCM cipher mode.
Definition: cipher.h:203
MBEDTLS_MODE_STREAM
@ MBEDTLS_MODE_STREAM
The stream cipher mode.
Definition: cipher.h:202
MBEDTLS_MODE_CFB
@ MBEDTLS_MODE_CFB
The CFB cipher mode.
Definition: cipher.h:198
MBEDTLS_MODE_CTR
@ MBEDTLS_MODE_CTR
The CTR cipher mode.
Definition: cipher.h:200
MBEDTLS_MODE_GCM
@ MBEDTLS_MODE_GCM
The GCM cipher mode.
Definition: cipher.h:201
MBEDTLS_MODE_KW
@ MBEDTLS_MODE_KW
The SP800-38F KW mode.
Definition: cipher.h:206
MBEDTLS_MODE_CBC
@ MBEDTLS_MODE_CBC
The CBC cipher mode.
Definition: cipher.h:197
MBEDTLS_MODE_OFB
@ MBEDTLS_MODE_OFB
The OFB cipher mode.
Definition: cipher.h:199
MBEDTLS_MODE_KWP
@ MBEDTLS_MODE_KWP
The SP800-38F KWP mode.
Definition: cipher.h:207
MBEDTLS_MODE_XTS
@ MBEDTLS_MODE_XTS
The XTS cipher mode.
Definition: cipher.h:204
MBEDTLS_MAX_IV_LENGTH
#define MBEDTLS_MAX_IV_LENGTH
Maximum length of any IV, in Bytes.
Definition: cipher.h:241
MBEDTLS_ERR_CIPHER_INVALID_CONTEXT
#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT
The context is invalid.
Definition: cipher.h:70
mbedtls_cipher_id_t
mbedtls_cipher_id_t
Supported cipher types.
Definition: cipher.h:90
cipher_internal.h
Cipher wrappers.
mbedtls_cipher_definitions
const mbedtls_cipher_definition_t mbedtls_cipher_definitions[]
mbedtls_cipher_supported
int mbedtls_cipher_supported[]
cmac.h
This file contains CMAC definitions and functions.
constant_time.h
mbedtls_ct_memcmp
int mbedtls_ct_memcmp(const void *a, const void *b, size_t n)
Constant-time functions.
crypto.h
Platform Security Architecture cryptography module.
ctx
CS_CONTEXT * ctx
Definition: t0006.c:12
gcm.h
This file contains GCM definitions and functions.
MBEDTLS_GCM_ENCRYPT
#define MBEDTLS_GCM_ENCRYPT
Definition: gcm.h:44
mbedtls_gcm_starts
int mbedtls_gcm_starts(mbedtls_gcm_context *ctx, int mode, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len)
This function starts a GCM encryption or decryption operation.
mbedtls_gcm_crypt_and_tag
int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx, int mode, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *input, unsigned char *output, size_t tag_len, unsigned char *tag)
This function performs GCM encryption or decryption of a buffer.
mbedtls_gcm_finish
int mbedtls_gcm_finish(mbedtls_gcm_context *ctx, unsigned char *tag, size_t tag_len)
This function finishes the GCM operation and generates the authentication tag.
MBEDTLS_ERR_GCM_AUTH_FAILED
#define MBEDTLS_ERR_GCM_AUTH_FAILED
Authenticated decryption failed.
Definition: gcm.h:48
mbedtls_gcm_update
int mbedtls_gcm_update(mbedtls_gcm_context *ctx, size_t length, const unsigned char *input, unsigned char *output)
This function feeds an input buffer into an ongoing GCM encryption or decryption operation.
mbedtls_gcm_auth_decrypt
int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *tag, size_t tag_len, const unsigned char *input, unsigned char *output)
This function performs a GCM authenticated decryption of a buffer.
type
static int type
Definition: getdata.c:31
NULL
#define NULL
Definition: ncbistd.hpp:225
psa_aead_encrypt
psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key, psa_algorithm_t alg, const uint8_t *nonce, size_t nonce_length, const uint8_t *additional_data, size_t additional_data_length, const uint8_t *plaintext, size_t plaintext_length, uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length)
Process an authenticated encryption operation.
psa_aead_decrypt
psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key, psa_algorithm_t alg, const uint8_t *nonce, size_t nonce_length, const uint8_t *additional_data, size_t additional_data_length, const uint8_t *ciphertext, size_t ciphertext_length, uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length)
Process an authenticated decryption operation.
psa_set_key_usage_flags
static void psa_set_key_usage_flags(psa_key_attributes_t *attributes, psa_key_usage_t usage_flags)
Declare usage flags for a key.
psa_set_key_type
static void psa_set_key_type(psa_key_attributes_t *attributes, psa_key_type_t type)
Declare the type of a key.
PSA_KEY_ATTRIBUTES_INIT
#define PSA_KEY_ATTRIBUTES_INIT
This macro returns a suitable initializer for a key attribute structure of type psa_key_attributes_t.
Definition: crypto_struct.h:323
psa_set_key_algorithm
static void psa_set_key_algorithm(psa_key_attributes_t *attributes, psa_algorithm_t alg)
Declare the permitted algorithm policy for a key.
bm::operation
operation
Bit operations.
Definition: bmconst.h:191
psa_cipher_finish
psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation, uint8_t *output, size_t output_size, size_t *output_length)
Finish encrypting or decrypting a message in a cipher operation.
PSA_CIPHER_OPERATION_INIT
#define PSA_CIPHER_OPERATION_INIT
This macro returns a suitable initializer for a cipher operation object of type psa_cipher_operation_...
Definition: crypto_struct.h:118
psa_cipher_encrypt_setup
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation, mbedtls_svc_key_id_t key, psa_algorithm_t alg)
Set the key for a multipart symmetric encryption operation.
psa_cipher_set_iv
psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation, const uint8_t *iv, size_t iv_length)
Set the IV for a symmetric encryption or decryption operation.
psa_cipher_decrypt_setup
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation, mbedtls_svc_key_id_t key, psa_algorithm_t alg)
Set the key for a multipart symmetric decryption operation.
psa_cipher_update
psa_status_t psa_cipher_update(psa_cipher_operation_t *operation, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length)
Encrypt or decrypt a message fragment in an active cipher operation.
psa_key_type_t
uint16_t psa_key_type_t
Encoding of a key type.
Definition: crypto_types.h:81
psa_algorithm_t
uint32_t psa_algorithm_t
Encoding of a cryptographic algorithm.
Definition: crypto_types.h:137
psa_status_t
int32_t psa_status_t
Function return status.
Definition: crypto_types.h:62
PSA_ERROR_NOT_SUPPORTED
#define PSA_ERROR_NOT_SUPPORTED
The requested operation or a parameter is not supported by this implementation.
Definition: crypto_values.h:84
PSA_ERROR_INVALID_SIGNATURE
#define PSA_ERROR_INVALID_SIGNATURE
The signature, MAC or hash is incorrect.
Definition: crypto_values.h:271
PSA_SUCCESS
#define PSA_SUCCESS
The action was completed successfully.
Definition: crypto_values.h:68
PSA_ERROR_INSUFFICIENT_MEMORY
#define PSA_ERROR_INSUFFICIENT_MEMORY
There is not enough runtime memory.
Definition: crypto_values.h:154
psa_import_key
psa_status_t psa_import_key(const psa_key_attributes_t *attributes, const uint8_t *data, size_t data_length, mbedtls_svc_key_id_t *key)
Import a key in binary format.
psa_destroy_key
psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key)
Destroy a key.
PSA_KEY_USAGE_ENCRYPT
#define PSA_KEY_USAGE_ENCRYPT
Whether the key may be used to encrypt a message.
Definition: crypto_values.h:2253
PSA_KEY_USAGE_DECRYPT
#define PSA_KEY_USAGE_DECRYPT
Whether the key may be used to decrypt a message.
Definition: crypto_values.h:2264
exit
exit(2)
input
static int input()
Definition: lex.newick.cpp:1147
i
int i
Definition: lex.newick.cpp:1456
if
if(yy_accept[yy_current_state])
Definition: lex.newick.cpp:1081
lmdb::mode
mdb_mode_t mode
Definition: lmdb++.h:38
ncbi::grid::netcache::search::fields::key
const struct ncbi::grid::netcache::search::fields::KEY key
util::strcmp
int strcmp(const char *str1, const char *str2)
Definition: odbc_utils.hpp:160
tag
const char * tag
Definition: ncbi_server_info.c:103
mbedtls_cipher_write_tag
#define mbedtls_cipher_write_tag
Definition: ncbicxx_rename_mbedtls.h:619
mbedtls_cipher_auth_decrypt
#define mbedtls_cipher_auth_decrypt
Definition: ncbicxx_rename_mbedtls.h:579
mbedtls_cipher_update_ad
#define mbedtls_cipher_update_ad
Definition: ncbicxx_rename_mbedtls.h:617
mbedtls_cipher_auth_decrypt_ext
#define mbedtls_cipher_auth_decrypt_ext
Definition: ncbicxx_rename_mbedtls.h:581
mbedtls_cipher_auth_encrypt
#define mbedtls_cipher_auth_encrypt
Definition: ncbicxx_rename_mbedtls.h:583
mbedtls_cipher_check_tag
#define mbedtls_cipher_check_tag
Definition: ncbicxx_rename_mbedtls.h:587
mbedtls_cipher_set_padding_mode
#define mbedtls_cipher_set_padding_mode
Definition: ncbicxx_rename_mbedtls.h:609
mbedtls_cipher_auth_encrypt_ext
#define mbedtls_cipher_auth_encrypt_ext
Definition: ncbicxx_rename_mbedtls.h:585
nist_kw.h
This file provides an API for key wrapping (KW) and key wrapping with padding (KWP) as defined in NIS...
mbedtls_nist_kw_wrap
int mbedtls_nist_kw_wrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode, const unsigned char *input, size_t in_len, unsigned char *output, size_t *out_len, size_t out_size)
This function encrypts a buffer using key wrapping.
mbedtls_nist_kw_unwrap
int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode, const unsigned char *input, size_t in_len, unsigned char *output, size_t *out_len, size_t out_size)
This function decrypts a buffer using key wrapping.
mbedtls_nist_kw_mode_t
mbedtls_nist_kw_mode_t
Definition: nist_kw.h:50
MBEDTLS_KW_MODE_KW
@ MBEDTLS_KW_MODE_KW
Definition: nist_kw.h:51
MBEDTLS_KW_MODE_KWP
@ MBEDTLS_KW_MODE_KWP
Definition: nist_kw.h:52
platform.h
This file contains the definitions and functions of the Mbed TLS platform abstraction layer.
mbedtls_free
#define mbedtls_free
Definition: platform.h:168
mbedtls_calloc
#define mbedtls_calloc
Definition: platform.h:169
platform_util.h
Common and shared functions used by multiple modules in the Mbed TLS library.
mbedtls_platform_zeroize
void mbedtls_platform_zeroize(void *buf, size_t len)
Securely zeroize a buffer.
output
static SQLCHAR output[256]
Definition: print.c:5
psa_util.h
Utility functions for the use of the PSA Crypto library.
error.h
Error to string translation.
MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED
#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED
This is a bug in the library.
Definition: error.h:122
mbedtls_chacha20_context
Definition: chacha20.h:63
mbedtls_chachapoly_context
Definition: chachapoly.h:63
mbedtls_cipher_base_t::cipher
mbedtls_cipher_id_t cipher
Base Cipher type (e.g.
Definition: cipher_internal.h:48
mbedtls_cipher_base_t::ctx_alloc_func
void *(* ctx_alloc_func)(void)
Allocate a new context.
Definition: cipher_internal.h:105
mbedtls_cipher_context_t
Generic cipher context.
Definition: cipher.h:317
mbedtls_cipher_definition_t
Definition: cipher_internal.h:112
mbedtls_cipher_definition_t::type
mbedtls_cipher_type_t type
Definition: cipher_internal.h:113
mbedtls_cipher_definition_t::info
const mbedtls_cipher_info_t * info
Definition: cipher_internal.h:114
mbedtls_cipher_info_t
Cipher information.
Definition: cipher.h:276
mbedtls_cipher_info_t::key_bitlen
unsigned int key_bitlen
The cipher key length, in bits.
Definition: cipher.h:289
mbedtls_cipher_info_t::type
mbedtls_cipher_type_t type
Full cipher identifier.
Definition: cipher.h:280
mbedtls_cipher_info_t::mode
mbedtls_cipher_mode_t mode
The cipher mode.
Definition: cipher.h:283
mbedtls_cipher_info_t::name
const char * name
Name of the cipher.
Definition: cipher.h:292
mbedtls_cipher_info_t::base
const mbedtls_cipher_base_t * base
Struct for base cipher information and functions.
Definition: cipher.h:310
mbedtls_cmac_context_t
The CMAC context structure.
Definition: cmac.h:59
mbedtls_gcm_context
The GCM context structure.
Definition: gcm.h:66
psa_cipher_operation_s
Definition: crypto_struct.h:101
psa_key_attributes_s
Definition: crypto_struct.h:311
type
Definition: type.c:6
done
done
Definition: token1.c:1
result
else result
Definition: token2.c:20
Generated by doxygen 1.9.0
Modified on Sat Dec 09 04:48:48 2023 by modify_doxy.py rev. 669887