/src/mbedtls/library/psa_crypto_cipher.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * PSA cipher driver entry points |
3 | | */ |
4 | | /* |
5 | | * Copyright The Mbed TLS Contributors |
6 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
7 | | */ |
8 | | |
9 | | #include "common.h" |
10 | | |
11 | | #if defined(MBEDTLS_PSA_CRYPTO_C) |
12 | | |
13 | | #include "psa_crypto_cipher.h" |
14 | | #include "psa_crypto_core.h" |
15 | | #include "psa_crypto_random_impl.h" |
16 | | |
17 | | #include "mbedtls/cipher.h" |
18 | | #include "mbedtls/error.h" |
19 | | |
20 | | #include <string.h> |
21 | | |
22 | | /* mbedtls_cipher_values_from_psa() below only checks if the proper build symbols |
23 | | * are enabled, but it does not provide any compatibility check between them |
24 | | * (i.e. if the specified key works with the specified algorithm). This helper |
25 | | * function is meant to provide this support. |
26 | | * mbedtls_cipher_info_from_psa() might be used for the same purpose, but it |
27 | | * requires CIPHER_C to be enabled. |
28 | | */ |
29 | | static psa_status_t mbedtls_cipher_validate_values( |
30 | | psa_algorithm_t alg, |
31 | | psa_key_type_t key_type) |
32 | 37 | { |
33 | | /* Reduce code size - hinting to the compiler about what it can assume allows the compiler to |
34 | | eliminate bits of the logic below. */ |
35 | | #if !defined(PSA_WANT_KEY_TYPE_AES) |
36 | | MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_AES); |
37 | | #endif |
38 | | #if !defined(PSA_WANT_KEY_TYPE_ARIA) |
39 | | MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_ARIA); |
40 | | #endif |
41 | | #if !defined(PSA_WANT_KEY_TYPE_CAMELLIA) |
42 | | MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_CAMELLIA); |
43 | | #endif |
44 | | #if !defined(PSA_WANT_KEY_TYPE_CHACHA20) |
45 | | MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_CHACHA20); |
46 | | #endif |
47 | | #if !defined(PSA_WANT_KEY_TYPE_DES) |
48 | | MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_DES); |
49 | | #endif |
50 | | #if !defined(PSA_WANT_ALG_CCM) |
51 | | MBEDTLS_ASSUME(alg != PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0)); |
52 | | #endif |
53 | | #if !defined(PSA_WANT_ALG_GCM) |
54 | | MBEDTLS_ASSUME(alg != PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0)); |
55 | | #endif |
56 | | #if !defined(PSA_WANT_ALG_STREAM_CIPHER) |
57 | | MBEDTLS_ASSUME(alg != PSA_ALG_STREAM_CIPHER); |
58 | | #endif |
59 | | #if !defined(PSA_WANT_ALG_CHACHA20_POLY1305) |
60 | | MBEDTLS_ASSUME(alg != PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0)); |
61 | | #endif |
62 | | #if !defined(PSA_WANT_ALG_CCM_STAR_NO_TAG) |
63 | | MBEDTLS_ASSUME(alg != PSA_ALG_CCM_STAR_NO_TAG); |
64 | | #endif |
65 | | #if !defined(PSA_WANT_ALG_CTR) |
66 | | MBEDTLS_ASSUME(alg != PSA_ALG_CTR); |
67 | | #endif |
68 | | #if !defined(PSA_WANT_ALG_CFB) |
69 | | MBEDTLS_ASSUME(alg != PSA_ALG_CFB); |
70 | | #endif |
71 | | #if !defined(PSA_WANT_ALG_OFB) |
72 | | MBEDTLS_ASSUME(alg != PSA_ALG_OFB); |
73 | | #endif |
74 | 37 | #if !defined(PSA_WANT_ALG_XTS) |
75 | 37 | MBEDTLS_ASSUME(alg != PSA_ALG_XTS); |
76 | 37 | #endif |
77 | | #if !defined(PSA_WANT_ALG_ECB_NO_PADDING) |
78 | | MBEDTLS_ASSUME(alg != PSA_ALG_ECB_NO_PADDING); |
79 | | #endif |
80 | | #if !defined(PSA_WANT_ALG_CBC_NO_PADDING) |
81 | | MBEDTLS_ASSUME(alg != PSA_ALG_CBC_NO_PADDING); |
82 | | #endif |
83 | | #if !defined(PSA_WANT_ALG_CBC_PKCS7) |
84 | | MBEDTLS_ASSUME(alg != PSA_ALG_CBC_PKCS7); |
85 | | #endif |
86 | | #if !defined(PSA_WANT_ALG_CMAC) |
87 | | MBEDTLS_ASSUME(alg != PSA_ALG_CMAC); |
88 | | #endif |
89 | | |
90 | 37 | if (alg == PSA_ALG_STREAM_CIPHER || |
91 | 37 | alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0)) { |
92 | 7 | if (key_type == PSA_KEY_TYPE_CHACHA20) { |
93 | 7 | return PSA_SUCCESS; |
94 | 7 | } |
95 | 7 | } |
96 | | |
97 | 30 | if (alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0) || |
98 | 30 | alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0) || |
99 | 30 | alg == PSA_ALG_CCM_STAR_NO_TAG) { |
100 | 5 | if (key_type == PSA_KEY_TYPE_AES || |
101 | 5 | key_type == PSA_KEY_TYPE_ARIA || |
102 | 5 | key_type == PSA_KEY_TYPE_CAMELLIA) { |
103 | 5 | return PSA_SUCCESS; |
104 | 5 | } |
105 | 5 | } |
106 | | |
107 | 25 | if (alg == PSA_ALG_CTR || |
108 | 25 | alg == PSA_ALG_CFB || |
109 | 25 | alg == PSA_ALG_OFB || |
110 | 25 | alg == PSA_ALG_XTS || |
111 | 25 | alg == PSA_ALG_ECB_NO_PADDING || |
112 | 25 | alg == PSA_ALG_CBC_NO_PADDING || |
113 | 25 | alg == PSA_ALG_CBC_PKCS7 || |
114 | 25 | alg == PSA_ALG_CMAC) { |
115 | 25 | if (key_type == PSA_KEY_TYPE_AES || |
116 | 25 | key_type == PSA_KEY_TYPE_ARIA || |
117 | 25 | key_type == PSA_KEY_TYPE_DES || |
118 | 25 | key_type == PSA_KEY_TYPE_CAMELLIA) { |
119 | 25 | return PSA_SUCCESS; |
120 | 25 | } |
121 | 25 | } |
122 | | |
123 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
124 | 25 | } |
125 | | |
126 | | psa_status_t mbedtls_cipher_values_from_psa( |
127 | | psa_algorithm_t alg, |
128 | | psa_key_type_t key_type, |
129 | | size_t *key_bits, |
130 | | mbedtls_cipher_mode_t *mode, |
131 | | mbedtls_cipher_id_t *cipher_id) |
132 | 37 | { |
133 | 37 | mbedtls_cipher_id_t cipher_id_tmp; |
134 | | /* Only DES modifies key_bits */ |
135 | | #if !defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) |
136 | | (void) key_bits; |
137 | | #endif |
138 | | |
139 | 37 | if (PSA_ALG_IS_AEAD(alg)) { |
140 | 10 | alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0); |
141 | 10 | } |
142 | | |
143 | 37 | if (PSA_ALG_IS_CIPHER(alg) || PSA_ALG_IS_AEAD(alg)) { |
144 | 35 | switch (alg) { |
145 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) |
146 | 0 | case PSA_ALG_STREAM_CIPHER: |
147 | 0 | *mode = MBEDTLS_MODE_STREAM; |
148 | 0 | break; |
149 | 0 | #endif |
150 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) |
151 | 6 | case PSA_ALG_CTR: |
152 | 6 | *mode = MBEDTLS_MODE_CTR; |
153 | 6 | break; |
154 | 0 | #endif |
155 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) |
156 | 1 | case PSA_ALG_CFB: |
157 | 1 | *mode = MBEDTLS_MODE_CFB; |
158 | 1 | break; |
159 | 0 | #endif |
160 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) |
161 | 9 | case PSA_ALG_OFB: |
162 | 9 | *mode = MBEDTLS_MODE_OFB; |
163 | 9 | break; |
164 | 0 | #endif |
165 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) |
166 | 2 | case PSA_ALG_ECB_NO_PADDING: |
167 | 2 | *mode = MBEDTLS_MODE_ECB; |
168 | 2 | break; |
169 | 0 | #endif |
170 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) |
171 | 0 | case PSA_ALG_CBC_NO_PADDING: |
172 | 0 | *mode = MBEDTLS_MODE_CBC; |
173 | 0 | break; |
174 | 0 | #endif |
175 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) |
176 | 5 | case PSA_ALG_CBC_PKCS7: |
177 | 5 | *mode = MBEDTLS_MODE_CBC; |
178 | 5 | break; |
179 | 0 | #endif |
180 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) |
181 | 2 | case PSA_ALG_CCM_STAR_NO_TAG: |
182 | 2 | *mode = MBEDTLS_MODE_CCM_STAR_NO_TAG; |
183 | 2 | break; |
184 | 0 | #endif |
185 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) |
186 | 0 | case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0): |
187 | 0 | *mode = MBEDTLS_MODE_CCM; |
188 | 0 | break; |
189 | 0 | #endif |
190 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) |
191 | 3 | case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0): |
192 | 3 | *mode = MBEDTLS_MODE_GCM; |
193 | 3 | break; |
194 | 0 | #endif |
195 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) |
196 | 7 | case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0): |
197 | 7 | *mode = MBEDTLS_MODE_CHACHAPOLY; |
198 | 7 | break; |
199 | 0 | #endif |
200 | 0 | default: |
201 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
202 | 35 | } |
203 | 35 | } else if (alg == PSA_ALG_CMAC) { |
204 | 2 | *mode = MBEDTLS_MODE_ECB; |
205 | 2 | } else { |
206 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
207 | 0 | } |
208 | | |
209 | 37 | switch (key_type) { |
210 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES) |
211 | 18 | case PSA_KEY_TYPE_AES: |
212 | 18 | cipher_id_tmp = MBEDTLS_CIPHER_ID_AES; |
213 | 18 | break; |
214 | 0 | #endif |
215 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA) |
216 | 5 | case PSA_KEY_TYPE_ARIA: |
217 | 5 | cipher_id_tmp = MBEDTLS_CIPHER_ID_ARIA; |
218 | 5 | break; |
219 | 0 | #endif |
220 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) |
221 | 6 | case PSA_KEY_TYPE_DES: |
222 | | /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES, |
223 | | * and 192 for three-key Triple-DES. */ |
224 | 6 | if (*key_bits == 64) { |
225 | 1 | cipher_id_tmp = MBEDTLS_CIPHER_ID_DES; |
226 | 5 | } else { |
227 | 5 | cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES; |
228 | 5 | } |
229 | | /* mbedtls doesn't recognize two-key Triple-DES as an algorithm, |
230 | | * but two-key Triple-DES is functionally three-key Triple-DES |
231 | | * with K1=K3, so that's how we present it to mbedtls. */ |
232 | 6 | if (*key_bits == 128) { |
233 | 3 | *key_bits = 192; |
234 | 3 | } |
235 | 6 | break; |
236 | 0 | #endif |
237 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA) |
238 | 1 | case PSA_KEY_TYPE_CAMELLIA: |
239 | 1 | cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA; |
240 | 1 | break; |
241 | 0 | #endif |
242 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20) |
243 | 7 | case PSA_KEY_TYPE_CHACHA20: |
244 | 7 | cipher_id_tmp = MBEDTLS_CIPHER_ID_CHACHA20; |
245 | 7 | break; |
246 | 0 | #endif |
247 | 0 | default: |
248 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
249 | 37 | } |
250 | 37 | if (cipher_id != NULL) { |
251 | 37 | *cipher_id = cipher_id_tmp; |
252 | 37 | } |
253 | | |
254 | 37 | return mbedtls_cipher_validate_values(alg, key_type); |
255 | 37 | } |
256 | | |
257 | | #if defined(MBEDTLS_CIPHER_C) |
258 | | const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( |
259 | | psa_algorithm_t alg, |
260 | | psa_key_type_t key_type, |
261 | | size_t key_bits, |
262 | | mbedtls_cipher_id_t *cipher_id) |
263 | 27 | { |
264 | 27 | mbedtls_cipher_mode_t mode; |
265 | 27 | psa_status_t status; |
266 | 27 | mbedtls_cipher_id_t cipher_id_tmp = MBEDTLS_CIPHER_ID_NONE; |
267 | | |
268 | 27 | status = mbedtls_cipher_values_from_psa(alg, key_type, &key_bits, &mode, &cipher_id_tmp); |
269 | 27 | if (status != PSA_SUCCESS) { |
270 | 0 | return NULL; |
271 | 0 | } |
272 | 27 | if (cipher_id != NULL) { |
273 | 0 | *cipher_id = cipher_id_tmp; |
274 | 0 | } |
275 | | |
276 | 27 | return mbedtls_cipher_info_from_values(cipher_id_tmp, (int) key_bits, mode); |
277 | 27 | } |
278 | | #endif /* MBEDTLS_CIPHER_C */ |
279 | | |
280 | | #if defined(MBEDTLS_PSA_BUILTIN_CIPHER) |
281 | | |
282 | | static psa_status_t psa_cipher_setup( |
283 | | mbedtls_psa_cipher_operation_t *operation, |
284 | | const psa_key_attributes_t *attributes, |
285 | | const uint8_t *key_buffer, size_t key_buffer_size, |
286 | | psa_algorithm_t alg, |
287 | | mbedtls_operation_t cipher_operation) |
288 | 25 | { |
289 | 25 | int ret = 0; |
290 | 25 | size_t key_bits; |
291 | 25 | const mbedtls_cipher_info_t *cipher_info = NULL; |
292 | 25 | psa_key_type_t key_type = attributes->type; |
293 | | |
294 | 25 | (void) key_buffer_size; |
295 | | |
296 | 25 | mbedtls_cipher_init(&operation->ctx.cipher); |
297 | | |
298 | 25 | operation->alg = alg; |
299 | 25 | key_bits = attributes->bits; |
300 | 25 | cipher_info = mbedtls_cipher_info_from_psa(alg, key_type, |
301 | 25 | key_bits, NULL); |
302 | 25 | if (cipher_info == NULL) { |
303 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
304 | 0 | } |
305 | | |
306 | 25 | ret = mbedtls_cipher_setup(&operation->ctx.cipher, cipher_info); |
307 | 25 | if (ret != 0) { |
308 | 0 | goto exit; |
309 | 0 | } |
310 | | |
311 | 25 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) |
312 | 25 | if (key_type == PSA_KEY_TYPE_DES && key_bits == 128) { |
313 | | /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */ |
314 | 3 | uint8_t keys[24]; |
315 | 3 | memcpy(keys, key_buffer, 16); |
316 | 3 | memcpy(keys + 16, key_buffer, 8); |
317 | 3 | ret = mbedtls_cipher_setkey(&operation->ctx.cipher, |
318 | 3 | keys, |
319 | 3 | 192, cipher_operation); |
320 | 3 | } else |
321 | 22 | #endif |
322 | 22 | { |
323 | 22 | ret = mbedtls_cipher_setkey(&operation->ctx.cipher, key_buffer, |
324 | 22 | (int) key_bits, cipher_operation); |
325 | 22 | } |
326 | 25 | if (ret != 0) { |
327 | 0 | goto exit; |
328 | 0 | } |
329 | | |
330 | 25 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ |
331 | 25 | defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) |
332 | 25 | switch (alg) { |
333 | 0 | case PSA_ALG_CBC_NO_PADDING: |
334 | 0 | ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher, |
335 | 0 | MBEDTLS_PADDING_NONE); |
336 | 0 | break; |
337 | 5 | case PSA_ALG_CBC_PKCS7: |
338 | 5 | ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher, |
339 | 5 | MBEDTLS_PADDING_PKCS7); |
340 | 5 | break; |
341 | 20 | default: |
342 | | /* The algorithm doesn't involve padding. */ |
343 | 20 | ret = 0; |
344 | 20 | break; |
345 | 25 | } |
346 | 25 | if (ret != 0) { |
347 | 0 | goto exit; |
348 | 0 | } |
349 | 25 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING || |
350 | | MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 */ |
351 | | |
352 | 25 | operation->block_length = (PSA_ALG_IS_STREAM_CIPHER(alg) ? 1 : |
353 | 25 | PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type)); |
354 | 25 | operation->iv_length = PSA_CIPHER_IV_LENGTH(key_type, alg); |
355 | | |
356 | 25 | exit: |
357 | 25 | return mbedtls_to_psa_error(ret); |
358 | 25 | } |
359 | | |
360 | | psa_status_t mbedtls_psa_cipher_encrypt_setup( |
361 | | mbedtls_psa_cipher_operation_t *operation, |
362 | | const psa_key_attributes_t *attributes, |
363 | | const uint8_t *key_buffer, size_t key_buffer_size, |
364 | | psa_algorithm_t alg) |
365 | 10 | { |
366 | 10 | return psa_cipher_setup(operation, attributes, |
367 | 10 | key_buffer, key_buffer_size, |
368 | 10 | alg, MBEDTLS_ENCRYPT); |
369 | 10 | } |
370 | | |
371 | | psa_status_t mbedtls_psa_cipher_decrypt_setup( |
372 | | mbedtls_psa_cipher_operation_t *operation, |
373 | | const psa_key_attributes_t *attributes, |
374 | | const uint8_t *key_buffer, size_t key_buffer_size, |
375 | | psa_algorithm_t alg) |
376 | 15 | { |
377 | 15 | return psa_cipher_setup(operation, attributes, |
378 | 15 | key_buffer, key_buffer_size, |
379 | 15 | alg, MBEDTLS_DECRYPT); |
380 | 15 | } |
381 | | |
382 | | psa_status_t mbedtls_psa_cipher_set_iv( |
383 | | mbedtls_psa_cipher_operation_t *operation, |
384 | | const uint8_t *iv, size_t iv_length) |
385 | 23 | { |
386 | 23 | if (iv_length != operation->iv_length) { |
387 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
388 | 0 | } |
389 | | |
390 | 23 | return mbedtls_to_psa_error( |
391 | 23 | mbedtls_cipher_set_iv(&operation->ctx.cipher, |
392 | 23 | iv, iv_length)); |
393 | 23 | } |
394 | | |
395 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) |
396 | | /** Process input for which the algorithm is set to ECB mode. |
397 | | * |
398 | | * This requires manual processing, since the PSA API is defined as being |
399 | | * able to process arbitrary-length calls to psa_cipher_update() with ECB mode, |
400 | | * but the underlying mbedtls_cipher_update only takes full blocks. |
401 | | * |
402 | | * \param ctx The mbedtls cipher context to use. It must have been |
403 | | * set up for ECB. |
404 | | * \param[in] input The input plaintext or ciphertext to process. |
405 | | * \param input_length The number of bytes to process from \p input. |
406 | | * This does not need to be aligned to a block boundary. |
407 | | * If there is a partial block at the end of the input, |
408 | | * it is stored in \p ctx for future processing. |
409 | | * \param output The buffer where the output is written. It must be |
410 | | * at least `BS * floor((p + input_length) / BS)` bytes |
411 | | * long, where `p` is the number of bytes in the |
412 | | * unprocessed partial block in \p ctx (with |
413 | | * `0 <= p <= BS - 1`) and `BS` is the block size. |
414 | | * \param output_length On success, the number of bytes written to \p output. |
415 | | * \c 0 on error. |
416 | | * |
417 | | * \return #PSA_SUCCESS or an error from a hardware accelerator |
418 | | */ |
419 | | static psa_status_t psa_cipher_update_ecb( |
420 | | mbedtls_cipher_context_t *ctx, |
421 | | const uint8_t *input, |
422 | | size_t input_length, |
423 | | uint8_t *output, |
424 | | size_t *output_length) |
425 | 225 | { |
426 | 225 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
427 | 225 | size_t block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info); |
428 | 225 | size_t internal_output_length = 0; |
429 | 225 | *output_length = 0; |
430 | | |
431 | 225 | if (input_length == 0) { |
432 | 218 | status = PSA_SUCCESS; |
433 | 218 | goto exit; |
434 | 218 | } |
435 | | |
436 | 7 | if (ctx->unprocessed_len > 0) { |
437 | | /* Fill up to block size, and run the block if there's a full one. */ |
438 | 5 | size_t bytes_to_copy = block_size - ctx->unprocessed_len; |
439 | | |
440 | 5 | if (input_length < bytes_to_copy) { |
441 | 3 | bytes_to_copy = input_length; |
442 | 3 | } |
443 | | |
444 | 5 | memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), |
445 | 5 | input, bytes_to_copy); |
446 | 5 | input_length -= bytes_to_copy; |
447 | 5 | input += bytes_to_copy; |
448 | 5 | ctx->unprocessed_len += bytes_to_copy; |
449 | | |
450 | 5 | if (ctx->unprocessed_len == block_size) { |
451 | 2 | status = mbedtls_to_psa_error( |
452 | 2 | mbedtls_cipher_update(ctx, |
453 | 2 | ctx->unprocessed_data, |
454 | 2 | block_size, |
455 | 2 | output, &internal_output_length)); |
456 | | |
457 | 2 | if (status != PSA_SUCCESS) { |
458 | 0 | goto exit; |
459 | 0 | } |
460 | | |
461 | 2 | output += internal_output_length; |
462 | 2 | *output_length += internal_output_length; |
463 | 2 | ctx->unprocessed_len = 0; |
464 | 2 | } |
465 | 5 | } |
466 | | |
467 | 9 | while (input_length >= block_size) { |
468 | | /* Run all full blocks we have, one by one */ |
469 | 2 | status = mbedtls_to_psa_error( |
470 | 2 | mbedtls_cipher_update(ctx, input, |
471 | 2 | block_size, |
472 | 2 | output, &internal_output_length)); |
473 | | |
474 | 2 | if (status != PSA_SUCCESS) { |
475 | 0 | goto exit; |
476 | 0 | } |
477 | | |
478 | 2 | input_length -= block_size; |
479 | 2 | input += block_size; |
480 | | |
481 | 2 | output += internal_output_length; |
482 | 2 | *output_length += internal_output_length; |
483 | 2 | } |
484 | | |
485 | 7 | if (input_length > 0) { |
486 | | /* Save unprocessed bytes for later processing */ |
487 | 2 | memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), |
488 | 2 | input, input_length); |
489 | 2 | ctx->unprocessed_len += input_length; |
490 | 2 | } |
491 | | |
492 | 7 | status = PSA_SUCCESS; |
493 | | |
494 | 225 | exit: |
495 | 225 | return status; |
496 | 7 | } |
497 | | #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING */ |
498 | | |
499 | | psa_status_t mbedtls_psa_cipher_update( |
500 | | mbedtls_psa_cipher_operation_t *operation, |
501 | | const uint8_t *input, size_t input_length, |
502 | | uint8_t *output, size_t output_size, size_t *output_length) |
503 | 1.42k | { |
504 | 1.42k | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
505 | 1.42k | size_t expected_output_size; |
506 | | |
507 | 1.42k | if (!PSA_ALG_IS_STREAM_CIPHER(operation->alg)) { |
508 | | /* Take the unprocessed partial block left over from previous |
509 | | * update calls, if any, plus the input to this call. Remove |
510 | | * the last partial block, if any. You get the data that will be |
511 | | * output in this call. */ |
512 | 334 | expected_output_size = |
513 | 334 | (operation->ctx.cipher.unprocessed_len + input_length) |
514 | 334 | / operation->block_length * operation->block_length; |
515 | 1.08k | } else { |
516 | 1.08k | expected_output_size = input_length; |
517 | 1.08k | } |
518 | | |
519 | 1.42k | if (output_size < expected_output_size) { |
520 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
521 | 0 | } |
522 | | |
523 | 1.42k | #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) |
524 | 1.42k | if (operation->alg == PSA_ALG_ECB_NO_PADDING) { |
525 | | /* mbedtls_cipher_update has an API inconsistency: it will only |
526 | | * process a single block at a time in ECB mode. Abstract away that |
527 | | * inconsistency here to match the PSA API behaviour. */ |
528 | 225 | status = psa_cipher_update_ecb(&operation->ctx.cipher, |
529 | 225 | input, |
530 | 225 | input_length, |
531 | 225 | output, |
532 | 225 | output_length); |
533 | 225 | } else |
534 | 1.19k | #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING */ |
535 | 1.19k | if (input_length == 0) { |
536 | | /* There is no input, nothing to be done */ |
537 | 1.13k | *output_length = 0; |
538 | 1.13k | status = PSA_SUCCESS; |
539 | 1.13k | } else { |
540 | 67 | status = mbedtls_to_psa_error( |
541 | 67 | mbedtls_cipher_update(&operation->ctx.cipher, input, |
542 | 67 | input_length, output, output_length)); |
543 | | |
544 | 67 | if (*output_length > output_size) { |
545 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
546 | 0 | } |
547 | 67 | } |
548 | | |
549 | 1.42k | return status; |
550 | 1.42k | } |
551 | | |
552 | | psa_status_t mbedtls_psa_cipher_finish( |
553 | | mbedtls_psa_cipher_operation_t *operation, |
554 | | uint8_t *output, size_t output_size, size_t *output_length) |
555 | 25 | { |
556 | 25 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
557 | 25 | uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH]; |
558 | | |
559 | 25 | if (operation->ctx.cipher.unprocessed_len != 0) { |
560 | 13 | if (operation->alg == PSA_ALG_ECB_NO_PADDING || |
561 | 13 | operation->alg == PSA_ALG_CBC_NO_PADDING) { |
562 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
563 | 0 | goto exit; |
564 | 0 | } |
565 | 13 | } |
566 | | |
567 | 25 | status = mbedtls_to_psa_error( |
568 | 25 | mbedtls_cipher_finish(&operation->ctx.cipher, |
569 | 25 | temp_output_buffer, |
570 | 25 | output_length)); |
571 | 25 | if (status != PSA_SUCCESS) { |
572 | 3 | goto exit; |
573 | 3 | } |
574 | | |
575 | 22 | if (*output_length == 0) { |
576 | 20 | ; /* Nothing to copy. Note that output may be NULL in this case. */ |
577 | 20 | } else if (output_size >= *output_length) { |
578 | 2 | memcpy(output, temp_output_buffer, *output_length); |
579 | 2 | } else { |
580 | 0 | status = PSA_ERROR_BUFFER_TOO_SMALL; |
581 | 0 | } |
582 | | |
583 | 25 | exit: |
584 | 25 | mbedtls_platform_zeroize(temp_output_buffer, |
585 | 25 | sizeof(temp_output_buffer)); |
586 | | |
587 | 25 | return status; |
588 | 22 | } |
589 | | |
590 | | psa_status_t mbedtls_psa_cipher_abort( |
591 | | mbedtls_psa_cipher_operation_t *operation) |
592 | 25 | { |
593 | | /* Sanity check (shouldn't happen: operation->alg should |
594 | | * always have been initialized to a valid value). */ |
595 | 25 | if (!PSA_ALG_IS_CIPHER(operation->alg)) { |
596 | 0 | return PSA_ERROR_BAD_STATE; |
597 | 0 | } |
598 | | |
599 | 25 | mbedtls_cipher_free(&operation->ctx.cipher); |
600 | | |
601 | 25 | return PSA_SUCCESS; |
602 | 25 | } |
603 | | |
604 | | psa_status_t mbedtls_psa_cipher_encrypt( |
605 | | const psa_key_attributes_t *attributes, |
606 | | const uint8_t *key_buffer, |
607 | | size_t key_buffer_size, |
608 | | psa_algorithm_t alg, |
609 | | const uint8_t *iv, |
610 | | size_t iv_length, |
611 | | const uint8_t *input, |
612 | | size_t input_length, |
613 | | uint8_t *output, |
614 | | size_t output_size, |
615 | | size_t *output_length) |
616 | 0 | { |
617 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
618 | 0 | mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT; |
619 | 0 | size_t update_output_length, finish_output_length; |
620 | |
|
621 | 0 | status = mbedtls_psa_cipher_encrypt_setup(&operation, attributes, |
622 | 0 | key_buffer, key_buffer_size, |
623 | 0 | alg); |
624 | 0 | if (status != PSA_SUCCESS) { |
625 | 0 | goto exit; |
626 | 0 | } |
627 | | |
628 | 0 | if (iv_length > 0) { |
629 | 0 | status = mbedtls_psa_cipher_set_iv(&operation, iv, iv_length); |
630 | 0 | if (status != PSA_SUCCESS) { |
631 | 0 | goto exit; |
632 | 0 | } |
633 | 0 | } |
634 | | |
635 | 0 | status = mbedtls_psa_cipher_update(&operation, input, input_length, |
636 | 0 | output, output_size, |
637 | 0 | &update_output_length); |
638 | 0 | if (status != PSA_SUCCESS) { |
639 | 0 | goto exit; |
640 | 0 | } |
641 | | |
642 | 0 | status = mbedtls_psa_cipher_finish( |
643 | 0 | &operation, |
644 | 0 | mbedtls_buffer_offset(output, update_output_length), |
645 | 0 | output_size - update_output_length, &finish_output_length); |
646 | 0 | if (status != PSA_SUCCESS) { |
647 | 0 | goto exit; |
648 | 0 | } |
649 | | |
650 | 0 | *output_length = update_output_length + finish_output_length; |
651 | |
|
652 | 0 | exit: |
653 | 0 | if (status == PSA_SUCCESS) { |
654 | 0 | status = mbedtls_psa_cipher_abort(&operation); |
655 | 0 | } else { |
656 | 0 | mbedtls_psa_cipher_abort(&operation); |
657 | 0 | } |
658 | |
|
659 | 0 | return status; |
660 | 0 | } |
661 | | |
662 | | psa_status_t mbedtls_psa_cipher_decrypt( |
663 | | const psa_key_attributes_t *attributes, |
664 | | const uint8_t *key_buffer, |
665 | | size_t key_buffer_size, |
666 | | psa_algorithm_t alg, |
667 | | const uint8_t *input, |
668 | | size_t input_length, |
669 | | uint8_t *output, |
670 | | size_t output_size, |
671 | | size_t *output_length) |
672 | 8 | { |
673 | 8 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
674 | 8 | mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT; |
675 | 8 | size_t olength, accumulated_length; |
676 | | |
677 | 8 | status = mbedtls_psa_cipher_decrypt_setup(&operation, attributes, |
678 | 8 | key_buffer, key_buffer_size, |
679 | 8 | alg); |
680 | 8 | if (status != PSA_SUCCESS) { |
681 | 0 | goto exit; |
682 | 0 | } |
683 | | |
684 | 8 | if (operation.iv_length > 0) { |
685 | 8 | status = mbedtls_psa_cipher_set_iv(&operation, |
686 | 8 | input, operation.iv_length); |
687 | 8 | if (status != PSA_SUCCESS) { |
688 | 0 | goto exit; |
689 | 0 | } |
690 | 8 | } |
691 | | |
692 | 8 | status = mbedtls_psa_cipher_update( |
693 | 8 | &operation, |
694 | 8 | mbedtls_buffer_offset_const(input, operation.iv_length), |
695 | 8 | input_length - operation.iv_length, |
696 | 8 | output, output_size, &olength); |
697 | 8 | if (status != PSA_SUCCESS) { |
698 | 0 | goto exit; |
699 | 0 | } |
700 | | |
701 | 8 | accumulated_length = olength; |
702 | | |
703 | 8 | status = mbedtls_psa_cipher_finish( |
704 | 8 | &operation, |
705 | 8 | mbedtls_buffer_offset(output, accumulated_length), |
706 | 8 | output_size - accumulated_length, &olength); |
707 | 8 | if (status != PSA_SUCCESS) { |
708 | 2 | goto exit; |
709 | 2 | } |
710 | | |
711 | 6 | *output_length = accumulated_length + olength; |
712 | | |
713 | 8 | exit: |
714 | 8 | if (status == PSA_SUCCESS) { |
715 | 6 | status = mbedtls_psa_cipher_abort(&operation); |
716 | 6 | } else { |
717 | 2 | mbedtls_psa_cipher_abort(&operation); |
718 | 2 | } |
719 | | |
720 | 8 | return status; |
721 | 6 | } |
722 | | #endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ |
723 | | |
724 | | #endif /* MBEDTLS_PSA_CRYPTO_C */ |