NCBI C++ ToolKit
cipher.c
Go to the documentation of this file.

Go to the SVN repository for this file.

1 /**
2  * \file cipher.c
3  *
4  * \brief Generic cipher wrapper for Mbed TLS
5  *
6  * \author Adriaan de Jong <dejong@fox-it.com>
7  *
8  * Copyright The Mbed TLS Contributors
9  * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10  */
11 
12 #include "common.h"
13 
14 #if defined(MBEDTLS_CIPHER_C)
15 
16 #include "mbedtls/cipher.h"
17 #include "cipher_wrap.h"
18 #include "mbedtls/platform_util.h"
19 #include "mbedtls/error.h"
20 #include "mbedtls/constant_time.h"
21 #include "constant_time_internal.h"
22 
23 #include <stdlib.h>
24 #include <string.h>
25 
26 #if defined(MBEDTLS_CHACHAPOLY_C)
27 #include "mbedtls/chachapoly.h"
28 #endif
29 
30 #if defined(MBEDTLS_GCM_C)
31 #include "mbedtls/gcm.h"
32 #endif
33 
34 #if defined(MBEDTLS_CCM_C)
35 #include "mbedtls/ccm.h"
36 #endif
37 
38 #if defined(MBEDTLS_CHACHA20_C)
39 #include "mbedtls/chacha20.h"
40 #endif
41 
42 #if defined(MBEDTLS_CMAC_C)
43 #include "mbedtls/cmac.h"
44 #endif
45 
46 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
47 #include "psa/crypto.h"
48 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
49 
50 #if defined(MBEDTLS_NIST_KW_C)
51 #include "mbedtls/nist_kw.h"
52 #endif
53 
54 #include "mbedtls/platform.h"
55 
56 static int supported_init = 0;
57 
58 static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base(
60 {
61  return mbedtls_cipher_base_lookup_table[info->base_idx];
62 }
63 
64 const int *mbedtls_cipher_list(void)
65 {
66  const mbedtls_cipher_definition_t *def;
67  int *type;
68 
69  if (!supported_init) {
72 
73  while (def->type != 0) {
74  *type++ = (*def++).type;
75  }
76 
77  *type = 0;
78 
79  supported_init = 1;
80  }
81 
83 }
84 
86  const mbedtls_cipher_type_t cipher_type)
87 {
88  const mbedtls_cipher_definition_t *def;
89 
90  for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
91  if (def->type == cipher_type) {
92  return def->info;
93  }
94  }
95 
96  return NULL;
97 }
98 
100  const char *cipher_name)
101 {
102  const mbedtls_cipher_definition_t *def;
103 
104  if (NULL == cipher_name) {
105  return NULL;
106  }
107 
108  for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
109  if (!strcmp(def->info->name, cipher_name)) {
110  return def->info;
111  }
112  }
113 
114  return NULL;
115 }
116 
118  const mbedtls_cipher_id_t cipher_id,
119  int key_bitlen,
121 {
122  const mbedtls_cipher_definition_t *def;
123 
124  for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
125  if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id &&
126  mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen &&
127  def->info->mode == mode) {
128  return def->info;
129  }
130  }
131 
132  return NULL;
133 }
134 
135 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
136 static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
137  mbedtls_cipher_type_t cipher)
138 {
139  switch (cipher) {
155  return PSA_KEY_TYPE_AES;
156 
157  /* ARIA not yet supported in PSA. */
158  /* case MBEDTLS_CIPHER_ARIA_128_CCM:
159  case MBEDTLS_CIPHER_ARIA_192_CCM:
160  case MBEDTLS_CIPHER_ARIA_256_CCM:
161  case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:
162  case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:
163  case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:
164  case MBEDTLS_CIPHER_ARIA_128_GCM:
165  case MBEDTLS_CIPHER_ARIA_192_GCM:
166  case MBEDTLS_CIPHER_ARIA_256_GCM:
167  case MBEDTLS_CIPHER_ARIA_128_CBC:
168  case MBEDTLS_CIPHER_ARIA_192_CBC:
169  case MBEDTLS_CIPHER_ARIA_256_CBC:
170  return( PSA_KEY_TYPE_ARIA ); */
171 
172  default:
173  return 0;
174  }
175 }
176 
177 static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
178  mbedtls_cipher_mode_t mode, size_t taglen)
179 {
180  switch (mode) {
181  case MBEDTLS_MODE_ECB:
182  return PSA_ALG_ECB_NO_PADDING;
183  case MBEDTLS_MODE_GCM:
185  case MBEDTLS_MODE_CCM:
189  case MBEDTLS_MODE_CBC:
190  if (taglen == 0) {
191  return PSA_ALG_CBC_NO_PADDING;
192  } else {
193  return 0;
194  }
195  default:
196  return 0;
197  }
198 }
199 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
200 
202 {
203  memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
204 }
205 
207 {
208  if (ctx == NULL) {
209  return;
210  }
211 
212 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
213  if (ctx->psa_enabled == 1) {
214  if (ctx->cipher_ctx != NULL) {
215  mbedtls_cipher_context_psa * const cipher_psa =
216  (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
217 
218  if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
219  /* xxx_free() doesn't allow to return failures. */
220  (void) psa_destroy_key(cipher_psa->slot);
221  }
222 
223  mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa));
224  }
225 
227  return;
228  }
229 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
230 
231 #if defined(MBEDTLS_CMAC_C)
232  if (ctx->cmac_ctx) {
233  mbedtls_zeroize_and_free(ctx->cmac_ctx,
234  sizeof(mbedtls_cmac_context_t));
235  }
236 #endif
237 
238  if (ctx->cipher_ctx) {
239  mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx);
240  }
241 
243 }
244 
246  const mbedtls_cipher_info_t *cipher_info)
247 {
248  if (cipher_info == NULL) {
250  }
251 
252  memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
253 
254  if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) {
255  ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func();
256  if (ctx->cipher_ctx == NULL) {
258  }
259  }
260 
261  ctx->cipher_info = cipher_info;
262 
263  return 0;
264 }
265 
266 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
267 int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
268  const mbedtls_cipher_info_t *cipher_info,
269  size_t taglen)
270 {
271  psa_algorithm_t alg;
272  mbedtls_cipher_context_psa *cipher_psa;
273 
274  if (NULL == cipher_info || NULL == ctx) {
276  }
277 
278  /* Check that the underlying cipher mode and cipher type are
279  * supported by the underlying PSA Crypto implementation. */
280  alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen);
281  if (alg == 0) {
283  }
284  if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) {
286  }
287 
288  memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
289 
290  cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
291  if (cipher_psa == NULL) {
293  }
294  cipher_psa->alg = alg;
295  ctx->cipher_ctx = cipher_psa;
296  ctx->cipher_info = cipher_info;
297  ctx->psa_enabled = 1;
298  return 0;
299 }
300 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
301 
303  const unsigned char *key,
304  int key_bitlen,
306 {
309  }
310  if (ctx->cipher_info == NULL) {
312  }
313 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
314  if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) &&
317  }
318 #endif
319 
320 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
321  if (ctx->psa_enabled == 1) {
322  mbedtls_cipher_context_psa * const cipher_psa =
323  (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
324 
325  size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
326 
327  psa_status_t status;
328  psa_key_type_t key_type;
330 
331  /* PSA Crypto API only accepts byte-aligned keys. */
332  if (key_bitlen % 8 != 0) {
334  }
335 
336  /* Don't allow keys to be set multiple times. */
337  if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {
339  }
340 
341  key_type = mbedtls_psa_translate_cipher_type(
342  ((mbedtls_cipher_type_t) ctx->cipher_info->type));
343  if (key_type == 0) {
345  }
346  psa_set_key_type(&attributes, key_type);
347 
348  /* Mbed TLS' cipher layer doesn't enforce the mode of operation
349  * (encrypt vs. decrypt): it is possible to setup a key for encryption
350  * and use it for AEAD decryption. Until tests relying on this
351  * are changed, allow any usage in PSA. */
354  psa_set_key_algorithm(&attributes, cipher_psa->alg);
355 
356  status = psa_import_key(&attributes, key, key_bytelen,
357  &cipher_psa->slot);
358  switch (status) {
359  case PSA_SUCCESS:
360  break;
365  default:
367  }
368  /* Indicate that we own the key slot and need to
369  * destroy it in mbedtls_cipher_free(). */
370  cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
371 
372  ctx->key_bitlen = key_bitlen;
373  ctx->operation = operation;
374  return 0;
375  }
376 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
377 
378  if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
379  (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) {
381  }
382 
383  ctx->key_bitlen = key_bitlen;
384  ctx->operation = operation;
385 
386 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
387  /*
388  * For OFB, CFB and CTR mode always use the encryption key schedule
389  */
390  if (MBEDTLS_ENCRYPT == operation ||
391  MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
392  MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
393  MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
394  return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
395  ctx->key_bitlen);
396  }
397 
398  if (MBEDTLS_DECRYPT == operation) {
399  return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,
400  ctx->key_bitlen);
401  }
402 #else
404  return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
405  ctx->key_bitlen);
406  }
407 #endif
408 
410 }
411 
413  const unsigned char *iv,
414  size_t iv_len)
415 {
416  size_t actual_iv_size;
417 
418  if (ctx->cipher_info == NULL) {
420  }
421 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
422  if (ctx->psa_enabled == 1) {
423  /* While PSA Crypto has an API for multipart
424  * operations, we currently don't make it
425  * accessible through the cipher layer. */
427  }
428 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
429 
430  /* avoid buffer overflow in ctx->iv */
431  if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
433  }
434 
435  if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
436  actual_iv_size = iv_len;
437  } else {
438  actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info);
439 
440  /* avoid reading past the end of input buffer */
441  if (actual_iv_size > iv_len) {
443  }
444  }
445 
446 #if defined(MBEDTLS_CHACHA20_C)
447  if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) {
448  /* Even though the actual_iv_size is overwritten with a correct value
449  * of 12 from the cipher info, return an error to indicate that
450  * the input iv_len is wrong. */
451  if (iv_len != 12) {
453  }
454 
455  if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,
456  iv,
457  0U)) { /* Initial counter value */
459  }
460  }
461 #if defined(MBEDTLS_CHACHAPOLY_C)
462  if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
463  iv_len != 12) {
465  }
466 #endif
467 #endif
468 
469 #if defined(MBEDTLS_GCM_C)
470  if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
471  return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx,
472  ctx->operation,
473  iv, iv_len);
474  }
475 #endif
476 
477 #if defined(MBEDTLS_CCM_C)
478  if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
479  int set_lengths_result;
480  int ccm_star_mode;
481 
482  set_lengths_result = mbedtls_ccm_set_lengths(
483  (mbedtls_ccm_context *) ctx->cipher_ctx,
484  0, 0, 0);
485  if (set_lengths_result != 0) {
486  return set_lengths_result;
487  }
488 
489  if (ctx->operation == MBEDTLS_DECRYPT) {
490  ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;
491  } else if (ctx->operation == MBEDTLS_ENCRYPT) {
492  ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;
493  } else {
495  }
496 
497  return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx,
498  ccm_star_mode,
499  iv, iv_len);
500  }
501 #endif
502 
503  if (actual_iv_size != 0) {
504  memcpy(ctx->iv, iv, actual_iv_size);
505  ctx->iv_size = actual_iv_size;
506  }
507 
508  return 0;
509 }
510 
512 {
513  if (ctx->cipher_info == NULL) {
515  }
516 
517 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
518  if (ctx->psa_enabled == 1) {
519  /* We don't support resetting PSA-based
520  * cipher contexts, yet. */
522  }
523 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
524 
525  ctx->unprocessed_len = 0;
526 
527  return 0;
528 }
529 
530 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
532  const unsigned char *ad, size_t ad_len)
533 {
534  if (ctx->cipher_info == NULL) {
536  }
537 
538 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
539  if (ctx->psa_enabled == 1) {
540  /* While PSA Crypto has an API for multipart
541  * operations, we currently don't make it
542  * accessible through the cipher layer. */
544  }
545 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
546 
547 #if defined(MBEDTLS_GCM_C)
548  if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
549  return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx,
550  ad, ad_len);
551  }
552 #endif
553 
554 #if defined(MBEDTLS_CHACHAPOLY_C)
555  if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
556  int result;
558 
559  mode = (ctx->operation == MBEDTLS_ENCRYPT)
562 
564  ctx->iv,
565  mode);
566  if (result != 0) {
567  return result;
568  }
569 
571  ad, ad_len);
572  }
573 #endif
574 
576 }
577 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
578 
579 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
580  size_t ilen, unsigned char *output, size_t *olen)
581 {
583  size_t block_size;
584 
585  if (ctx->cipher_info == NULL) {
587  }
588 
589 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
590  if (ctx->psa_enabled == 1) {
591  /* While PSA Crypto has an API for multipart
592  * operations, we currently don't make it
593  * accessible through the cipher layer. */
595  }
596 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
597 
598  *olen = 0;
599  block_size = mbedtls_cipher_get_block_size(ctx);
600  if (0 == block_size) {
602  }
603 
604  if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) {
605  if (ilen != block_size) {
607  }
608 
609  *olen = ilen;
610 
611  if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx,
612  ctx->operation, input,
613  output))) {
614  return ret;
615  }
616 
617  return 0;
618  }
619 
620 #if defined(MBEDTLS_GCM_C)
621  if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) {
622  return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx,
623  input, ilen,
624  output, ilen, olen);
625  }
626 #endif
627 
628 #if defined(MBEDTLS_CCM_C)
629  if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) {
630  return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx,
631  input, ilen,
632  output, ilen, olen);
633  }
634 #endif
635 
636 #if defined(MBEDTLS_CHACHAPOLY_C)
637  if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
638  *olen = ilen;
640  ilen, input, output);
641  }
642 #endif
643 
644  if (input == output &&
645  (ctx->unprocessed_len != 0 || ilen % block_size)) {
647  }
648 
649 #if defined(MBEDTLS_CIPHER_MODE_CBC)
650  if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) {
651  size_t copy_len = 0;
652 
653  /*
654  * If there is not enough data for a full block, cache it.
655  */
656  if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
657  ilen <= block_size - ctx->unprocessed_len) ||
658  (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
659  ilen < block_size - ctx->unprocessed_len) ||
660  (ctx->operation == MBEDTLS_ENCRYPT &&
661  ilen < block_size - ctx->unprocessed_len)) {
662  memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
663  ilen);
664 
665  ctx->unprocessed_len += ilen;
666  return 0;
667  }
668 
669  /*
670  * Process cached data first
671  */
672  if (0 != ctx->unprocessed_len) {
673  copy_len = block_size - ctx->unprocessed_len;
674 
675  memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
676  copy_len);
677 
678  if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
679  ctx->operation,
680  block_size, ctx->iv,
681  ctx->
682  unprocessed_data,
683  output))) {
684  return ret;
685  }
686 
687  *olen += block_size;
688  output += block_size;
689  ctx->unprocessed_len = 0;
690 
691  input += copy_len;
692  ilen -= copy_len;
693  }
694 
695  /*
696  * Cache final, incomplete block
697  */
698  if (0 != ilen) {
699  /* Encryption: only cache partial blocks
700  * Decryption w/ padding: always keep at least one whole block
701  * Decryption w/o padding: only cache partial blocks
702  */
703  copy_len = ilen % block_size;
704  if (copy_len == 0 &&
705  ctx->operation == MBEDTLS_DECRYPT &&
706  NULL != ctx->add_padding) {
707  copy_len = block_size;
708  }
709 
710  memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),
711  copy_len);
712 
713  ctx->unprocessed_len += copy_len;
714  ilen -= copy_len;
715  }
716 
717  /*
718  * Process remaining full blocks
719  */
720  if (ilen) {
721  if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
722  ctx->operation,
723  ilen, ctx->iv,
724  input,
725  output))) {
726  return ret;
727  }
728 
729  *olen += ilen;
730  }
731 
732  return 0;
733  }
734 #endif /* MBEDTLS_CIPHER_MODE_CBC */
735 
736 #if defined(MBEDTLS_CIPHER_MODE_CFB)
737  if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) {
738  if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx,
739  ctx->operation, ilen,
740  &ctx->unprocessed_len,
741  ctx->iv,
742  input, output))) {
743  return ret;
744  }
745 
746  *olen = ilen;
747 
748  return 0;
749  }
750 #endif /* MBEDTLS_CIPHER_MODE_CFB */
751 
752 #if defined(MBEDTLS_CIPHER_MODE_OFB)
753  if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) {
754  if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx,
755  ilen,
756  &ctx->unprocessed_len,
757  ctx->iv,
758  input, output))) {
759  return ret;
760  }
761 
762  *olen = ilen;
763 
764  return 0;
765  }
766 #endif /* MBEDTLS_CIPHER_MODE_OFB */
767 
768 #if defined(MBEDTLS_CIPHER_MODE_CTR)
769  if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) {
770  if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx,
771  ilen,
772  &ctx->unprocessed_len,
773  ctx->iv,
774  ctx->unprocessed_data,
775  input, output))) {
776  return ret;
777  }
778 
779  *olen = ilen;
780 
781  return 0;
782  }
783 #endif /* MBEDTLS_CIPHER_MODE_CTR */
784 
785 #if defined(MBEDTLS_CIPHER_MODE_XTS)
786  if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) {
787  if (ctx->unprocessed_len > 0) {
788  /* We can only process an entire data unit at a time. */
790  }
791 
792  ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx,
793  ctx->operation,
794  ilen,
795  ctx->iv,
796  input,
797  output);
798  if (ret != 0) {
799  return ret;
800  }
801 
802  *olen = ilen;
803 
804  return 0;
805  }
806 #endif /* MBEDTLS_CIPHER_MODE_XTS */
807 
808 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
809  if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) {
810  if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx,
811  ilen, input,
812  output))) {
813  return ret;
814  }
815 
816  *olen = ilen;
817 
818  return 0;
819  }
820 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
821 
823 }
824 
825 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
826 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
827 /*
828  * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
829  */
830 static void add_pkcs_padding(unsigned char *output, size_t output_len,
831  size_t data_len)
832 {
833  size_t padding_len = output_len - data_len;
834  unsigned char i;
835 
836  for (i = 0; i < padding_len; i++) {
837  output[data_len + i] = (unsigned char) padding_len;
838  }
839 }
840 
841 static int get_pkcs_padding(unsigned char *input, size_t input_len,
842  size_t *data_len)
843 {
844  size_t i, pad_idx;
845  unsigned char padding_len;
846 
847  if (NULL == input || NULL == data_len) {
849  }
850 
851  padding_len = input[input_len - 1];
852  *data_len = input_len - padding_len;
853 
854  mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
855  bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
856 
857  /* The number of bytes checked must be independent of padding_len,
858  * so pick input_len, which is usually 8 or 16 (one block) */
859  pad_idx = input_len - padding_len;
860  for (i = 0; i < input_len; i++) {
861  mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
862  mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
863  bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
864  }
865 
867 }
868 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
869 
870 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
871 /*
872  * One and zeros padding: fill with 80 00 ... 00
873  */
874 static void add_one_and_zeros_padding(unsigned char *output,
875  size_t output_len, size_t data_len)
876 {
877  size_t padding_len = output_len - data_len;
878  unsigned char i = 0;
879 
880  output[data_len] = 0x80;
881  for (i = 1; i < padding_len; i++) {
882  output[data_len + i] = 0x00;
883  }
884 }
885 
886 static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
887  size_t *data_len)
888 {
889  if (NULL == input || NULL == data_len) {
891  }
892 
895 
896  *data_len = 0;
897 
898  for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
900 
901  mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
902 
903  *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
904 
905  bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
906 
907  in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
908  }
909 
911 }
912 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
913 
914 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
915 /*
916  * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
917  */
918 static void add_zeros_and_len_padding(unsigned char *output,
919  size_t output_len, size_t data_len)
920 {
921  size_t padding_len = output_len - data_len;
922  unsigned char i = 0;
923 
924  for (i = 1; i < padding_len; i++) {
925  output[data_len + i - 1] = 0x00;
926  }
927  output[output_len - 1] = (unsigned char) padding_len;
928 }
929 
930 static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
931  size_t *data_len)
932 {
933  size_t i, pad_idx;
934  unsigned char padding_len;
936 
937  if (NULL == input || NULL == data_len) {
939  }
940 
941  padding_len = input[input_len - 1];
942  *data_len = input_len - padding_len;
943 
944  /* Avoid logical || since it results in a branch */
945  bad = mbedtls_ct_uint_gt(padding_len, input_len);
946  bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
947 
948  /* The number of bytes checked must be independent of padding_len */
949  pad_idx = input_len - padding_len;
950  for (i = 0; i < input_len - 1; i++) {
951  mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
952  mbedtls_ct_condition_t nonzero_pad_byte;
953  nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
954  bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
955  }
956 
958 }
959 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
960 
961 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
962 /*
963  * Zero padding: fill with 00 ... 00
964  */
965 static void add_zeros_padding(unsigned char *output,
966  size_t output_len, size_t data_len)
967 {
968  memset(output + data_len, 0, output_len - data_len);
969 }
970 
971 static int get_zeros_padding(unsigned char *input, size_t input_len,
972  size_t *data_len)
973 {
974  size_t i;
976 
977  if (NULL == input || NULL == data_len) {
979  }
980 
981  *data_len = 0;
982  for (i = input_len; i > 0; i--) {
983  prev_done = done;
985  *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
986  }
987 
988  return 0;
989 }
990 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
991 
992 /*
993  * No padding: don't pad :)
994  *
995  * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
996  * but a trivial get_padding function
997  */
998 static int get_no_padding(unsigned char *input, size_t input_len,
999  size_t *data_len)
1000 {
1001  if (NULL == input || NULL == data_len) {
1003  }
1004 
1005  *data_len = input_len;
1006 
1007  return 0;
1008 }
1009 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1010 
1012  unsigned char *output, size_t *olen)
1013 {
1014  if (ctx->cipher_info == NULL) {
1016  }
1017 
1018 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1019  if (ctx->psa_enabled == 1) {
1020  /* While PSA Crypto has an API for multipart
1021  * operations, we currently don't make it
1022  * accessible through the cipher layer. */
1024  }
1025 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1026 
1027  *olen = 0;
1028 
1029 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
1030  /* CBC mode requires padding so we make sure a call to
1031  * mbedtls_cipher_set_padding_mode has been done successfully. */
1032  if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1033  if (ctx->get_padding == NULL) {
1035  }
1036  }
1037 #endif
1038 
1039  if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1040  MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1041  MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1042  MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1043  MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1044  MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1045  MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1046  return 0;
1047  }
1048 
1049  if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) ||
1050  (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) {
1051  return 0;
1052  }
1053 
1054  if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1055  if (ctx->unprocessed_len != 0) {
1057  }
1058 
1059  return 0;
1060  }
1061 
1062 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1063  if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1064  int ret = 0;
1065 
1066  if (MBEDTLS_ENCRYPT == ctx->operation) {
1067  /* check for 'no padding' mode */
1068  if (NULL == ctx->add_padding) {
1069  if (0 != ctx->unprocessed_len) {
1071  }
1072 
1073  return 0;
1074  }
1075 
1076  ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),
1077  ctx->unprocessed_len);
1078  } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {
1079  /*
1080  * For decrypt operations, expect a full block,
1081  * or an empty block if no padding
1082  */
1083  if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {
1084  return 0;
1085  }
1086 
1088  }
1089 
1090  /* cipher block */
1091  if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
1092  ctx->operation,
1094  ctx),
1095  ctx->iv,
1096  ctx->unprocessed_data,
1097  output))) {
1098  return ret;
1099  }
1100 
1101  /* Set output size for decryption */
1102  if (MBEDTLS_DECRYPT == ctx->operation) {
1103  return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
1104  olen);
1105  }
1106 
1107  /* Set output size for encryption */
1109  return 0;
1110  }
1111 #else
1112  ((void) output);
1113 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1114 
1116 }
1117 
1118 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
1121 {
1122  if (NULL == ctx->cipher_info ||
1123  MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1125  }
1126 
1127 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1128  if (ctx->psa_enabled == 1) {
1129  /* While PSA Crypto knows about CBC padding
1130  * schemes, we currently don't make them
1131  * accessible through the cipher layer. */
1132  if (mode != MBEDTLS_PADDING_NONE) {
1134  }
1135 
1136  return 0;
1137  }
1138 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1139 
1140  switch (mode) {
1141 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1142  case MBEDTLS_PADDING_PKCS7:
1143  ctx->add_padding = add_pkcs_padding;
1144  ctx->get_padding = get_pkcs_padding;
1145  break;
1146 #endif
1147 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1149  ctx->add_padding = add_one_and_zeros_padding;
1150  ctx->get_padding = get_one_and_zeros_padding;
1151  break;
1152 #endif
1153 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1155  ctx->add_padding = add_zeros_and_len_padding;
1156  ctx->get_padding = get_zeros_and_len_padding;
1157  break;
1158 #endif
1159 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1160  case MBEDTLS_PADDING_ZEROS:
1161  ctx->add_padding = add_zeros_padding;
1162  ctx->get_padding = get_zeros_padding;
1163  break;
1164 #endif
1165  case MBEDTLS_PADDING_NONE:
1166  ctx->add_padding = NULL;
1167  ctx->get_padding = get_no_padding;
1168  break;
1169 
1170  default:
1172  }
1173 
1174  return 0;
1175 }
1176 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1177 
1178 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
1180  unsigned char *tag, size_t tag_len)
1181 {
1182  if (ctx->cipher_info == NULL) {
1184  }
1185 
1186  if (MBEDTLS_ENCRYPT != ctx->operation) {
1188  }
1189 
1190 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1191  if (ctx->psa_enabled == 1) {
1192  /* While PSA Crypto has an API for multipart
1193  * operations, we currently don't make it
1194  * accessible through the cipher layer. */
1196  }
1197 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1198 
1199 #if defined(MBEDTLS_GCM_C)
1200  if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1201  size_t output_length;
1202  /* The code here doesn't yet support alternative implementations
1203  * that can delay up to a block of output. */
1204  return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
1205  NULL, 0, &output_length,
1206  tag, tag_len);
1207  }
1208 #endif
1209 
1210 #if defined(MBEDTLS_CHACHAPOLY_C)
1211  if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1212  /* Don't allow truncated MAC for Poly1305 */
1213  if (tag_len != 16U) {
1215  }
1216 
1218  (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);
1219  }
1220 #endif
1221 
1223 }
1224 
1226  const unsigned char *tag, size_t tag_len)
1227 {
1228  unsigned char check_tag[16];
1230 
1231  if (ctx->cipher_info == NULL) {
1233  }
1234 
1235  if (MBEDTLS_DECRYPT != ctx->operation) {
1237  }
1238 
1239 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1240  if (ctx->psa_enabled == 1) {
1241  /* While PSA Crypto has an API for multipart
1242  * operations, we currently don't make it
1243  * accessible through the cipher layer. */
1245  }
1246 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1247 
1248  /* Status to return on a non-authenticated algorithm. */
1250 
1251 #if defined(MBEDTLS_GCM_C)
1252  if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1253  size_t output_length;
1254  /* The code here doesn't yet support alternative implementations
1255  * that can delay up to a block of output. */
1256 
1257  if (tag_len > sizeof(check_tag)) {
1259  }
1260 
1261  if (0 != (ret = mbedtls_gcm_finish(
1262  (mbedtls_gcm_context *) ctx->cipher_ctx,
1263  NULL, 0, &output_length,
1264  check_tag, tag_len))) {
1265  return ret;
1266  }
1267 
1268  /* Check the tag in "constant-time" */
1269  if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1271  goto exit;
1272  }
1273  }
1274 #endif /* MBEDTLS_GCM_C */
1275 
1276 #if defined(MBEDTLS_CHACHAPOLY_C)
1277  if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1278  /* Don't allow truncated MAC for Poly1305 */
1279  if (tag_len != sizeof(check_tag)) {
1281  }
1282 
1284  (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
1285  if (ret != 0) {
1286  return ret;
1287  }
1288 
1289  /* Check the tag in "constant-time" */
1290  if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
1292  goto exit;
1293  }
1294  }
1295 #endif /* MBEDTLS_CHACHAPOLY_C */
1296 
1297 exit:
1298  mbedtls_platform_zeroize(check_tag, tag_len);
1299  return ret;
1300 }
1301 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1302 
1303 /*
1304  * Packet-oriented wrapper for non-AEAD modes
1305  */
1307  const unsigned char *iv, size_t iv_len,
1308  const unsigned char *input, size_t ilen,
1309  unsigned char *output, size_t *olen)
1310 {
1312  size_t finish_olen;
1313 
1314 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1315  if (ctx->psa_enabled == 1) {
1316  /* As in the non-PSA case, we don't check that
1317  * a key has been set. If not, the key slot will
1318  * still be in its default state of 0, which is
1319  * guaranteed to be invalid, hence the PSA-call
1320  * below will gracefully fail. */
1321  mbedtls_cipher_context_psa * const cipher_psa =
1322  (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1323 
1324  psa_status_t status;
1326  size_t part_len;
1327 
1328  if (ctx->operation == MBEDTLS_DECRYPT) {
1329  status = psa_cipher_decrypt_setup(&cipher_op,
1330  cipher_psa->slot,
1331  cipher_psa->alg);
1332  } else if (ctx->operation == MBEDTLS_ENCRYPT) {
1333  status = psa_cipher_encrypt_setup(&cipher_op,
1334  cipher_psa->slot,
1335  cipher_psa->alg);
1336  } else {
1338  }
1339 
1340  /* In the following, we can immediately return on an error,
1341  * because the PSA Crypto API guarantees that cipher operations
1342  * are terminated by unsuccessful calls to psa_cipher_update(),
1343  * and by any call to psa_cipher_finish(). */
1344  if (status != PSA_SUCCESS) {
1346  }
1347 
1348  if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) {
1349  status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
1350  if (status != PSA_SUCCESS) {
1352  }
1353  }
1354 
1355  status = psa_cipher_update(&cipher_op,
1356  input, ilen,
1357  output, ilen, olen);
1358  if (status != PSA_SUCCESS) {
1360  }
1361 
1362  status = psa_cipher_finish(&cipher_op,
1363  output + *olen, ilen - *olen,
1364  &part_len);
1365  if (status != PSA_SUCCESS) {
1367  }
1368 
1369  *olen += part_len;
1370  return 0;
1371  }
1372 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1373 
1374  if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
1375  return ret;
1376  }
1377 
1378  if ((ret = mbedtls_cipher_reset(ctx)) != 0) {
1379  return ret;
1380  }
1381 
1382  if ((ret = mbedtls_cipher_update(ctx, input, ilen,
1383  output, olen)) != 0) {
1384  return ret;
1385  }
1386 
1387  if ((ret = mbedtls_cipher_finish(ctx, output + *olen,
1388  &finish_olen)) != 0) {
1389  return ret;
1390  }
1391 
1392  *olen += finish_olen;
1393 
1394  return 0;
1395 }
1396 
1397 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1398 /*
1399  * Packet-oriented encryption for AEAD modes: internal function used by
1400  * mbedtls_cipher_auth_encrypt_ext().
1401  */
1402 static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
1403  const unsigned char *iv, size_t iv_len,
1404  const unsigned char *ad, size_t ad_len,
1405  const unsigned char *input, size_t ilen,
1406  unsigned char *output, size_t *olen,
1407  unsigned char *tag, size_t tag_len)
1408 {
1409 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1410  if (ctx->psa_enabled == 1) {
1411  /* As in the non-PSA case, we don't check that
1412  * a key has been set. If not, the key slot will
1413  * still be in its default state of 0, which is
1414  * guaranteed to be invalid, hence the PSA-call
1415  * below will gracefully fail. */
1416  mbedtls_cipher_context_psa * const cipher_psa =
1417  (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1418 
1419  psa_status_t status;
1420 
1421  /* PSA Crypto API always writes the authentication tag
1422  * at the end of the encrypted message. */
1423  if (output == NULL || tag != output + ilen) {
1425  }
1426 
1427  status = psa_aead_encrypt(cipher_psa->slot,
1428  cipher_psa->alg,
1429  iv, iv_len,
1430  ad, ad_len,
1431  input, ilen,
1432  output, ilen + tag_len, olen);
1433  if (status != PSA_SUCCESS) {
1435  }
1436 
1437  *olen -= tag_len;
1438  return 0;
1439  }
1440 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1441 
1442 #if defined(MBEDTLS_GCM_C)
1443  if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1444  *olen = ilen;
1446  ilen, iv, iv_len, ad, ad_len,
1447  input, output, tag_len, tag);
1448  }
1449 #endif /* MBEDTLS_GCM_C */
1450 #if defined(MBEDTLS_CCM_C)
1451  if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1452  *olen = ilen;
1453  return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
1454  iv, iv_len, ad, ad_len, input, output,
1455  tag, tag_len);
1456  }
1457 #endif /* MBEDTLS_CCM_C */
1458 #if defined(MBEDTLS_CHACHAPOLY_C)
1459  if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1460  /* ChachaPoly has fixed length nonce and MAC (tag) */
1461  if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
1462  (tag_len != 16U)) {
1464  }
1465 
1466  *olen = ilen;
1467  return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,
1468  ilen, iv, ad, ad_len, input, output, tag);
1469  }
1470 #endif /* MBEDTLS_CHACHAPOLY_C */
1471 
1473 }
1474 
1475 /*
1476  * Packet-oriented encryption for AEAD modes: internal function used by
1477  * mbedtls_cipher_auth_encrypt_ext().
1478  */
1479 static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
1480  const unsigned char *iv, size_t iv_len,
1481  const unsigned char *ad, size_t ad_len,
1482  const unsigned char *input, size_t ilen,
1483  unsigned char *output, size_t *olen,
1484  const unsigned char *tag, size_t tag_len)
1485 {
1486 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1487  if (ctx->psa_enabled == 1) {
1488  /* As in the non-PSA case, we don't check that
1489  * a key has been set. If not, the key slot will
1490  * still be in its default state of 0, which is
1491  * guaranteed to be invalid, hence the PSA-call
1492  * below will gracefully fail. */
1493  mbedtls_cipher_context_psa * const cipher_psa =
1494  (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1495 
1496  psa_status_t status;
1497 
1498  /* PSA Crypto API always writes the authentication tag
1499  * at the end of the encrypted message. */
1500  if (input == NULL || tag != input + ilen) {
1502  }
1503 
1504  status = psa_aead_decrypt(cipher_psa->slot,
1505  cipher_psa->alg,
1506  iv, iv_len,
1507  ad, ad_len,
1508  input, ilen + tag_len,
1509  output, ilen, olen);
1510  if (status == PSA_ERROR_INVALID_SIGNATURE) {
1512  } else if (status != PSA_SUCCESS) {
1514  }
1515 
1516  return 0;
1517  }
1518 #endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
1519 
1520 #if defined(MBEDTLS_GCM_C)
1521  if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1523 
1524  *olen = ilen;
1525  ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
1526  iv, iv_len, ad, ad_len,
1527  tag, tag_len, input, output);
1528 
1529  if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
1531  }
1532 
1533  return ret;
1534  }
1535 #endif /* MBEDTLS_GCM_C */
1536 #if defined(MBEDTLS_CCM_C)
1537  if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
1539 
1540  *olen = ilen;
1541  ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
1542  iv, iv_len, ad, ad_len,
1543  input, output, tag, tag_len);
1544 
1545  if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
1547  }
1548 
1549  return ret;
1550  }
1551 #endif /* MBEDTLS_CCM_C */
1552 #if defined(MBEDTLS_CHACHAPOLY_C)
1553  if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
1555 
1556  /* ChachaPoly has fixed length nonce and MAC (tag) */
1557  if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
1558  (tag_len != 16U)) {
1560  }
1561 
1562  *olen = ilen;
1563  ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,
1564  iv, ad, ad_len, tag, input, output);
1565 
1568  }
1569 
1570  return ret;
1571  }
1572 #endif /* MBEDTLS_CHACHAPOLY_C */
1573 
1575 }
1576 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1577 
1578 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1579 /*
1580  * Packet-oriented encryption for AEAD/NIST_KW: public function.
1581  */
1583  const unsigned char *iv, size_t iv_len,
1584  const unsigned char *ad, size_t ad_len,
1585  const unsigned char *input, size_t ilen,
1586  unsigned char *output, size_t output_len,
1587  size_t *olen, size_t tag_len)
1588 {
1589 #if defined(MBEDTLS_NIST_KW_C)
1590  if (
1591 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1592  ctx->psa_enabled == 0 &&
1593 #endif
1594  (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1595  MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
1597  (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
1599 
1600  /* There is no iv, tag or ad associated with KW and KWP,
1601  * so these length should be 0 as documented. */
1602  if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1604  }
1605 
1606  (void) iv;
1607  (void) ad;
1608 
1609  return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
1610  output, olen, output_len);
1611  }
1612 #endif /* MBEDTLS_NIST_KW_C */
1613 
1614 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1615  /* AEAD case: check length before passing on to shared function */
1616  if (output_len < ilen + tag_len) {
1618  }
1619 
1620  int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
1621  input, ilen, output, olen,
1622  output + ilen, tag_len);
1623  *olen += tag_len;
1624  return ret;
1625 #else
1627 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1628 }
1629 
1630 /*
1631  * Packet-oriented decryption for AEAD/NIST_KW: public function.
1632  */
1634  const unsigned char *iv, size_t iv_len,
1635  const unsigned char *ad, size_t ad_len,
1636  const unsigned char *input, size_t ilen,
1637  unsigned char *output, size_t output_len,
1638  size_t *olen, size_t tag_len)
1639 {
1640 #if defined(MBEDTLS_NIST_KW_C)
1641  if (
1642 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
1643  ctx->psa_enabled == 0 &&
1644 #endif
1645  (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
1646  MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
1648  (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
1650 
1651  /* There is no iv, tag or ad associated with KW and KWP,
1652  * so these length should be 0 as documented. */
1653  if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
1655  }
1656 
1657  (void) iv;
1658  (void) ad;
1659 
1660  return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
1661  output, olen, output_len);
1662  }
1663 #endif /* MBEDTLS_NIST_KW_C */
1664 
1665 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1666  /* AEAD case: check length before passing on to shared function */
1667  if (ilen < tag_len || output_len < ilen - tag_len) {
1669  }
1670 
1671  return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
1672  input, ilen - tag_len, output, olen,
1673  input + ilen - tag_len, tag_len);
1674 #else
1676 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1677 }
1678 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1679 
1680 #endif /* MBEDTLS_CIPHER_C */
This file provides an API for the CCM authenticated encryption mode for block ciphers.
int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, unsigned char *output, unsigned char *tag, size_t tag_len)
This function encrypts a buffer using CCM.
#define MBEDTLS_CCM_STAR_DECRYPT
Definition: ccm.h:49
#define MBEDTLS_CCM_STAR_ENCRYPT
Definition: ccm.h:50
int mbedtls_ccm_starts(mbedtls_ccm_context *ctx, int mode, const unsigned char *iv, size_t iv_len)
This function starts a CCM encryption or decryption operation.
int mbedtls_ccm_set_lengths(mbedtls_ccm_context *ctx, size_t total_ad_len, size_t plaintext_len, size_t tag_len)
This function declares the lengths of the message and additional data for a CCM encryption or decrypt...
int mbedtls_ccm_update(mbedtls_ccm_context *ctx, const unsigned char *input, size_t input_len, unsigned char *output, size_t output_size, size_t *output_len)
This function feeds an input buffer into an ongoing CCM encryption or decryption operation.
int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, unsigned char *output, const unsigned char *tag, size_t tag_len)
This function performs a CCM authenticated decryption of a buffer.
#define MBEDTLS_ERR_CCM_AUTH_FAILED
Authenticated decryption failed.
Definition: ccm.h:55
This file contains ChaCha20 definitions and functions.
int mbedtls_chacha20_starts(mbedtls_chacha20_context *ctx, const unsigned char nonce[12], uint32_t counter)
This function sets the nonce and initial counter value.
This file contains the AEAD-ChaCha20-Poly1305 definitions and functions.
int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx, unsigned char mac[16])
This function finished the ChaCha20-Poly1305 operation and generates the MAC (authentication tag).
int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx, const unsigned char nonce[12], mbedtls_chachapoly_mode_t mode)
This function starts a ChaCha20-Poly1305 encryption or decryption operation.
int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx, size_t len, const unsigned char *input, unsigned char *output)
Thus function feeds data to be encrypted or decrypted into an on-going ChaCha20-Poly1305 operation.
int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx, size_t length, const unsigned char nonce[12], const unsigned char *aad, size_t aad_len, const unsigned char *input, unsigned char *output, unsigned char tag[16])
This function performs a complete ChaCha20-Poly1305 authenticated encryption with the previously-set ...
#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
Authenticated decryption failed: data was not authentic.
Definition: chachapoly.h:32
mbedtls_chachapoly_mode_t
Definition: chachapoly.h:38
@ MBEDTLS_CHACHAPOLY_ENCRYPT
The mode value for performing encryption.
Definition: chachapoly.h:39
@ MBEDTLS_CHACHAPOLY_DECRYPT
The mode value for performing decryption.
Definition: chachapoly.h:40
int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx, size_t length, const unsigned char nonce[12], const unsigned char *aad, size_t aad_len, const unsigned char tag[16], const unsigned char *input, unsigned char *output)
This function performs a complete ChaCha20-Poly1305 authenticated decryption with the previously-set ...
int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx, const unsigned char *aad, size_t aad_len)
This function feeds additional data to be authenticated into an ongoing ChaCha20-Poly1305 operation.
This file contains an abstraction interface for use with the cipher primitives provided by the librar...
int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info)
This function prepares a cipher context for use with the given cipher primitive.
mbedtls_cipher_type_t
Supported {cipher type, cipher mode} pairs.
Definition: cipher.h:84
@ MBEDTLS_CIPHER_AES_128_ECB
AES cipher with 128-bit ECB mode.
Definition: cipher.h:87
@ MBEDTLS_CIPHER_CHACHA20
ChaCha20 stream cipher.
Definition: cipher.h:161
@ MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG
AES cipher with 128-bit CCM_STAR_NO_TAG mode.
Definition: cipher.h:126
@ MBEDTLS_CIPHER_AES_128_CBC
AES cipher with 128-bit CBC mode.
Definition: cipher.h:90
@ MBEDTLS_CIPHER_AES_192_GCM
AES cipher with 192-bit GCM mode.
Definition: cipher.h:100
@ MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG
AES cipher with 192-bit CCM_STAR_NO_TAG mode.
Definition: cipher.h:127
@ MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG
AES cipher with 256-bit CCM_STAR_NO_TAG mode.
Definition: cipher.h:128
@ MBEDTLS_CIPHER_AES_256_ECB
AES cipher with 256-bit ECB mode.
Definition: cipher.h:89
@ MBEDTLS_CIPHER_AES_192_CCM
AES cipher with 192-bit CCM mode.
Definition: cipher.h:124
@ MBEDTLS_CIPHER_AES_256_GCM
AES cipher with 256-bit GCM mode.
Definition: cipher.h:101
@ MBEDTLS_CIPHER_AES_256_CCM
AES cipher with 256-bit CCM mode.
Definition: cipher.h:125
@ MBEDTLS_CIPHER_AES_128_GCM
AES cipher with 128-bit GCM mode.
Definition: cipher.h:99
@ MBEDTLS_CIPHER_CHACHA20_POLY1305
ChaCha20-Poly1305 AEAD cipher.
Definition: cipher.h:162
@ MBEDTLS_CIPHER_AES_192_CBC
AES cipher with 192-bit CBC mode.
Definition: cipher.h:91
@ MBEDTLS_CIPHER_AES_128_CCM
AES cipher with 128-bit CCM mode.
Definition: cipher.h:123
@ MBEDTLS_CIPHER_AES_256_CBC
AES cipher with 256-bit CBC mode.
Definition: cipher.h:92
@ MBEDTLS_CIPHER_AES_192_ECB
AES cipher with 192-bit ECB mode.
Definition: cipher.h:88
int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, const unsigned char *key, int key_bitlen, const mbedtls_operation_t operation)
This function sets the key to use with the given context.
#define MBEDTLS_ERR_CIPHER_INVALID_PADDING
Input data contains invalid padding and is rejected.
Definition: cipher.h:44
static size_t mbedtls_cipher_info_get_iv_size(const mbedtls_cipher_info_t *info)
This function returns the size of the IV or nonce for the cipher info structure, in bytes.
Definition: cipher.h:518
int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
The generic all-in-one encryption/decryption function, for all ciphers except AEAD constructs.
int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
This function resets the cipher state.
#define MBEDTLS_CIPHER_VARIABLE_IV_LEN
Cipher accepts IVs of variable length.
Definition: cipher.h:52
#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
The selected feature is not available.
Definition: cipher.h:38
int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len)
This function sets the initialization vector (IV) or nonce.
mbedtls_cipher_padding_t
Supported cipher padding types.
Definition: cipher.h:190
@ MBEDTLS_PADDING_ZEROS
Zero padding (not reversible).
Definition: cipher.h:194
@ MBEDTLS_PADDING_ONE_AND_ZEROS
ISO/IEC 7816-4 padding.
Definition: cipher.h:192
@ MBEDTLS_PADDING_PKCS7
PKCS7 padding (default).
Definition: cipher.h:191
@ MBEDTLS_PADDING_ZEROS_AND_LEN
ANSI X.923 padding.
Definition: cipher.h:193
@ MBEDTLS_PADDING_NONE
Never pad (full blocks only).
Definition: cipher.h:195
int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx, unsigned char *output, size_t *olen)
The generic cipher finalization function.
#define MBEDTLS_ERR_CIPHER_AUTH_FAILED
Authentication failed (for AEAD modes).
Definition: cipher.h:48
#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
Bad input parameters.
Definition: cipher.h:40
const int * mbedtls_cipher_list(void)
This function retrieves the list of ciphers supported by the generic cipher module.
void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
This function initializes a ctx as NONE.
#define MBEDTLS_CIPHER_VARIABLE_KEY_LEN
Cipher accepts keys of variable length.
Definition: cipher.h:53
const mbedtls_cipher_info_t * mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)
This function retrieves the cipher-information structure associated with the given cipher type.
void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
This function frees and clears the cipher-specific context of ctx.
static int mbedtls_cipher_get_iv_size(const mbedtls_cipher_context_t *ctx)
This function returns the size of the IV or nonce of the cipher, in Bytes.
Definition: cipher.h:717
int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
The generic cipher update function.
const mbedtls_cipher_info_t * mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id, int key_bitlen, const mbedtls_cipher_mode_t mode)
This function retrieves the cipher-information structure associated with the given cipher ID,...
const mbedtls_cipher_info_t * mbedtls_cipher_info_from_string(const char *cipher_name)
This function retrieves the cipher-information structure associated with the given cipher name.
static unsigned int mbedtls_cipher_get_block_size(const mbedtls_cipher_context_t *ctx)
This function returns the block size of the given cipher in bytes.
Definition: cipher.h:678
mbedtls_operation_t
Type of operation.
Definition: cipher.h:199
@ MBEDTLS_DECRYPT
Definition: cipher.h:201
@ MBEDTLS_ENCRYPT
Definition: cipher.h:202
#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED
Failed to allocate memory.
Definition: cipher.h:42
#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
Decryption of block requires a full block.
Definition: cipher.h:46
mbedtls_cipher_mode_t
Supported cipher modes.
Definition: cipher.h:172
@ MBEDTLS_MODE_ECB
The ECB cipher mode.
Definition: cipher.h:174
@ MBEDTLS_MODE_CCM
The CCM cipher mode.
Definition: cipher.h:181
@ MBEDTLS_MODE_STREAM
The stream cipher mode.
Definition: cipher.h:180
@ MBEDTLS_MODE_CFB
The CFB cipher mode.
Definition: cipher.h:176
@ MBEDTLS_MODE_CTR
The CTR cipher mode.
Definition: cipher.h:178
@ MBEDTLS_MODE_GCM
The GCM cipher mode.
Definition: cipher.h:179
@ MBEDTLS_MODE_CCM_STAR_NO_TAG
The CCM*-no-tag cipher mode.
Definition: cipher.h:182
@ MBEDTLS_MODE_KW
The SP800-38F KW mode.
Definition: cipher.h:185
@ MBEDTLS_MODE_CBC
The CBC cipher mode.
Definition: cipher.h:175
@ MBEDTLS_MODE_OFB
The OFB cipher mode.
Definition: cipher.h:177
@ MBEDTLS_MODE_KWP
The SP800-38F KWP mode.
Definition: cipher.h:186
@ MBEDTLS_MODE_XTS
The XTS cipher mode.
Definition: cipher.h:183
#define MBEDTLS_MAX_IV_LENGTH
Maximum length of any IV, in Bytes.
Definition: cipher.h:220
#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT
The context is invalid.
Definition: cipher.h:50
mbedtls_cipher_id_t
Supported cipher types.
Definition: cipher.h:66
static size_t mbedtls_cipher_info_get_key_bitlen(const mbedtls_cipher_info_t *info)
Retrieve the key size for a cipher info structure.
Definition: cipher.h:477
Cipher wrappers.
const mbedtls_cipher_base_t * mbedtls_cipher_base_lookup_table[]
const mbedtls_cipher_definition_t mbedtls_cipher_definitions[]
int mbedtls_cipher_supported[]
This file contains CMAC definitions and functions.
static mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
static mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
static mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
static mbedtls_ct_condition_t mbedtls_ct_bool_or(mbedtls_ct_condition_t x, mbedtls_ct_condition_t y)
static mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition, mbedtls_ct_condition_t if1, mbedtls_ct_condition_t if0)
static size_t mbedtls_ct_size_if(mbedtls_ct_condition_t condition, size_t if1, size_t if0)
static mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t x)
static mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition, mbedtls_ct_condition_t if1)
static mbedtls_ct_condition_t mbedtls_ct_bool_and(mbedtls_ct_condition_t x, mbedtls_ct_condition_t y)
static mbedtls_ct_condition_t mbedtls_ct_uint_gt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
static int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1)
static mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
static mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x, mbedtls_ct_condition_t y)
size_t mbedtls_ct_condition_t
Constant-time functions.
#define MBEDTLS_CT_TRUE
#define MBEDTLS_CT_FALSE
Platform Security Architecture cryptography module.
CS_CONTEXT * ctx
Definition: t0006.c:12
static const struct attribute attributes[]
Definition: attributes.c:165
static int type
Definition: getdata.c:31
static SQLCHAR output[256]
Definition: print.c:5
This file contains GCM definitions and functions.
#define MBEDTLS_GCM_ENCRYPT
Definition: gcm.h:33
int mbedtls_gcm_update(mbedtls_gcm_context *ctx, const unsigned char *input, size_t input_length, unsigned char *output, size_t output_size, size_t *output_length)
This function feeds an input buffer into an ongoing GCM encryption or decryption operation.
int mbedtls_gcm_finish(mbedtls_gcm_context *ctx, unsigned char *output, size_t output_size, size_t *output_length, unsigned char *tag, size_t tag_len)
This function finishes the GCM operation and generates the authentication tag.
int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx, int mode, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *input, unsigned char *output, size_t tag_len, unsigned char *tag)
This function performs GCM encryption or decryption of a buffer.
#define MBEDTLS_ERR_GCM_AUTH_FAILED
Authenticated decryption failed.
Definition: gcm.h:37
int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx, const unsigned char *add, size_t add_len)
This function feeds an input buffer as associated data (authenticated but not encrypted data) in a GC...
int mbedtls_gcm_starts(mbedtls_gcm_context *ctx, int mode, const unsigned char *iv, size_t iv_len)
This function starts a GCM encryption or decryption operation.
int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *tag, size_t tag_len, const unsigned char *input, unsigned char *output)
This function performs a GCM authenticated decryption of a buffer.
#define NULL
Definition: ncbistd.hpp:225
psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key, psa_algorithm_t alg, const uint8_t *nonce, size_t nonce_length, const uint8_t *additional_data, size_t additional_data_length, const uint8_t *plaintext, size_t plaintext_length, uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length)
Process an authenticated encryption operation.
psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key, psa_algorithm_t alg, const uint8_t *nonce, size_t nonce_length, const uint8_t *additional_data, size_t additional_data_length, const uint8_t *ciphertext, size_t ciphertext_length, uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length)
Process an authenticated decryption operation.
static void psa_set_key_usage_flags(psa_key_attributes_t *attributes, psa_key_usage_t usage_flags)
Declare usage flags for a key.
static void psa_set_key_type(psa_key_attributes_t *attributes, psa_key_type_t type)
Declare the type of a key.
#define PSA_KEY_ATTRIBUTES_INIT
This macro returns a suitable initializer for a key attribute structure of type psa_key_attributes_t.
static void psa_set_key_algorithm(psa_key_attributes_t *attributes, psa_algorithm_t alg)
Declare the permitted algorithm policy for a key.
operation
Bit operations.
Definition: bmconst.h:191
psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation, uint8_t *output, size_t output_size, size_t *output_length)
Finish encrypting or decrypting a message in a cipher operation.
#define PSA_CIPHER_OPERATION_INIT
This macro returns a suitable initializer for a cipher operation object of type psa_cipher_operation_...
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation, mbedtls_svc_key_id_t key, psa_algorithm_t alg)
Set the key for a multipart symmetric encryption operation.
psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation, const uint8_t *iv, size_t iv_length)
Set the IV for a symmetric encryption or decryption operation.
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation, mbedtls_svc_key_id_t key, psa_algorithm_t alg)
Set the key for a multipart symmetric decryption operation.
psa_status_t psa_cipher_update(psa_cipher_operation_t *operation, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length)
Encrypt or decrypt a message fragment in an active cipher operation.
#define PSA_ALG_GCM
The GCM authenticated encryption algorithm.
uint16_t psa_key_type_t
Encoding of a key type.
Definition: crypto_types.h:78
#define PSA_KEY_TYPE_AES
Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.
#define PSA_ALG_CCM_STAR_NO_TAG
The CCM* cipher mode without authentication.
#define PSA_ALG_ECB_NO_PADDING
The Electronic Code Book (ECB) mode of a block cipher, with no padding.
#define PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length)
Macro to build a shortened AEAD algorithm.
#define PSA_ALG_CCM
The CCM authenticated encryption algorithm.
uint32_t psa_algorithm_t
Encoding of a cryptographic algorithm.
Definition: crypto_types.h:134
#define PSA_ALG_CBC_NO_PADDING
The CBC block cipher chaining mode, with no padding.
int32_t psa_status_t
Function return status.
Definition: crypto_types.h:59
#define PSA_ERROR_NOT_SUPPORTED
The requested operation or a parameter is not supported by this implementation.
Definition: crypto_values.h:73
#define PSA_ERROR_INVALID_SIGNATURE
The signature, MAC or hash is incorrect.
#define PSA_SUCCESS
The action was completed successfully.
Definition: crypto_values.h:57
#define PSA_ERROR_INSUFFICIENT_MEMORY
There is not enough runtime memory.
psa_status_t psa_import_key(const psa_key_attributes_t *attributes, const uint8_t *data, size_t data_length, mbedtls_svc_key_id_t *key)
Import a key in binary format.
psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key)
Destroy a key.
#define PSA_KEY_USAGE_ENCRYPT
Whether the key may be used to encrypt a message.
#define PSA_KEY_USAGE_DECRYPT
Whether the key may be used to decrypt a message.
exit(2)
static int input()
int i
if(yy_accept[yy_current_state])
static MDB_envinfo info
Definition: mdb_load.c:37
mdb_mode_t mode
Definition: lmdb++.h:38
const struct ncbi::grid::netcache::search::fields::KEY key
int strcmp(const char *str1, const char *str2)
Definition: odbc_utils.hpp:160
const char * tag
#define mbedtls_cipher_write_tag
#define mbedtls_platform_zeroize
#define mbedtls_zeroize_and_free
#define mbedtls_cipher_update_ad
#define mbedtls_cipher_auth_decrypt_ext
#define mbedtls_cipher_check_tag
#define mbedtls_cipher_set_padding_mode
#define mbedtls_cipher_auth_encrypt_ext
#define mbedtls_ct_memcmp
This file provides an API for key wrapping (KW) and key wrapping with padding (KWP) as defined in NIS...
int mbedtls_nist_kw_wrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode, const unsigned char *input, size_t in_len, unsigned char *output, size_t *out_len, size_t out_size)
This function encrypts a buffer using key wrapping.
int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode, const unsigned char *input, size_t in_len, unsigned char *output, size_t *out_len, size_t out_size)
This function decrypts a buffer using key wrapping.
mbedtls_nist_kw_mode_t
Definition: nist_kw.h:35
@ MBEDTLS_KW_MODE_KW
Definition: nist_kw.h:36
@ MBEDTLS_KW_MODE_KWP
Definition: nist_kw.h:37
This file contains the definitions and functions of the Mbed TLS platform abstraction layer.
#define mbedtls_calloc
Definition: platform.h:167
Common and shared functions used by multiple modules in the Mbed TLS library.
Error to string translation.
#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED
This is a bug in the library.
Definition: error.h:100
#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
Hardware accelerator failed.
Definition: error.h:103
The CCM context-type definition.
Definition: ccm.h:69
Base cipher information.
Definition: cipher_wrap.h:74
Generic cipher context.
Definition: cipher.h:316
mbedtls_cipher_type_t type
Definition: cipher_wrap.h:143
const mbedtls_cipher_info_t * info
Definition: cipher_wrap.h:144
Cipher information.
Definition: cipher.h:266
The CMAC context structure.
Definition: cmac.h:59
The GCM context structure.
Definition: gcm.h:58
Definition: type.c:6
done
Definition: token1.c:1
else result
Definition: token2.c:20
Modified on Wed Apr 24 14:18:44 2024 by modify_doxy.py rev. 669887