cipher.c 34 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164
  1. /**
  2. * \file cipher.c
  3. *
  4. * \brief Generic cipher wrapper for mbed TLS
  5. *
  6. * \author Adriaan de Jong <dejong@fox-it.com>
  7. *
  8. * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  9. * SPDX-License-Identifier: Apache-2.0
  10. *
  11. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  12. * not use this file except in compliance with the License.
  13. * You may obtain a copy of the License at
  14. *
  15. * http://www.apache.org/licenses/LICENSE-2.0
  16. *
  17. * Unless required by applicable law or agreed to in writing, software
  18. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  19. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  20. * See the License for the specific language governing permissions and
  21. * limitations under the License.
  22. *
  23. * This file is part of mbed TLS (https://tls.mbed.org)
  24. */
  25. #if !defined(MBEDTLS_CONFIG_FILE)
  26. #include "mbedtls/config.h"
  27. #else
  28. #include MBEDTLS_CONFIG_FILE
  29. #endif
  30. #if defined(MBEDTLS_CIPHER_C)
  31. #include "mbedtls/cipher.h"
  32. #include "mbedtls/cipher_internal.h"
  33. #include "mbedtls/platform_util.h"
  34. #include <stdlib.h>
  35. #include <string.h>
  36. #if defined(MBEDTLS_CHACHAPOLY_C)
  37. #include "mbedtls/chachapoly.h"
  38. #endif
  39. #if defined(MBEDTLS_GCM_C)
  40. #include "mbedtls/gcm.h"
  41. #endif
  42. #if defined(MBEDTLS_CCM_C)
  43. #include "mbedtls/ccm.h"
  44. #endif
  45. #if defined(MBEDTLS_CHACHA20_C)
  46. #include "mbedtls/chacha20.h"
  47. #endif
  48. #if defined(MBEDTLS_CMAC_C)
  49. #include "mbedtls/cmac.h"
  50. #endif
  51. #if defined(MBEDTLS_PLATFORM_C)
  52. #include "mbedtls/platform.h"
  53. #else
  54. #define mbedtls_calloc calloc
  55. #define mbedtls_free free
  56. #endif
  57. #define CIPHER_VALIDATE_RET( cond ) \
  58. MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
  59. #define CIPHER_VALIDATE( cond ) \
  60. MBEDTLS_INTERNAL_VALIDATE( cond )
  61. #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
  62. /* Compare the contents of two buffers in constant time.
  63. * Returns 0 if the contents are bitwise identical, otherwise returns
  64. * a non-zero value.
  65. * This is currently only used by GCM and ChaCha20+Poly1305.
  66. */
  67. static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, size_t len )
  68. {
  69. const unsigned char *p1 = (const unsigned char*) v1;
  70. const unsigned char *p2 = (const unsigned char*) v2;
  71. size_t i;
  72. unsigned char diff;
  73. for( diff = 0, i = 0; i < len; i++ )
  74. diff |= p1[i] ^ p2[i];
  75. return( (int)diff );
  76. }
  77. #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
  78. static int supported_init = 0;
  79. const int *mbedtls_cipher_list( void )
  80. {
  81. const mbedtls_cipher_definition_t *def;
  82. int *type;
  83. if( ! supported_init )
  84. {
  85. def = mbedtls_cipher_definitions;
  86. type = mbedtls_cipher_supported;
  87. while( def->type != 0 )
  88. *type++ = (*def++).type;
  89. *type = 0;
  90. supported_init = 1;
  91. }
  92. return( mbedtls_cipher_supported );
  93. }
  94. const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type )
  95. {
  96. const mbedtls_cipher_definition_t *def;
  97. for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
  98. if( def->type == cipher_type )
  99. return( def->info );
  100. return( NULL );
  101. }
  102. const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name )
  103. {
  104. const mbedtls_cipher_definition_t *def;
  105. if( NULL == cipher_name )
  106. return( NULL );
  107. for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
  108. if( ! strcmp( def->info->name, cipher_name ) )
  109. return( def->info );
  110. return( NULL );
  111. }
  112. const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
  113. int key_bitlen,
  114. const mbedtls_cipher_mode_t mode )
  115. {
  116. const mbedtls_cipher_definition_t *def;
  117. for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
  118. if( def->info->base->cipher == cipher_id &&
  119. def->info->key_bitlen == (unsigned) key_bitlen &&
  120. def->info->mode == mode )
  121. return( def->info );
  122. return( NULL );
  123. }
  124. void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
  125. {
  126. CIPHER_VALIDATE( ctx != NULL );
  127. memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
  128. }
  129. void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
  130. {
  131. if( ctx == NULL )
  132. return;
  133. #if defined(MBEDTLS_CMAC_C)
  134. if( ctx->cmac_ctx )
  135. {
  136. mbedtls_platform_zeroize( ctx->cmac_ctx,
  137. sizeof( mbedtls_cmac_context_t ) );
  138. mbedtls_free( ctx->cmac_ctx );
  139. }
  140. #endif
  141. if( ctx->cipher_ctx )
  142. ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
  143. mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
  144. }
  145. int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
  146. {
  147. CIPHER_VALIDATE_RET( ctx != NULL );
  148. if( cipher_info == NULL )
  149. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  150. memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
  151. if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
  152. return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
  153. ctx->cipher_info = cipher_info;
  154. #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
  155. /*
  156. * Ignore possible errors caused by a cipher mode that doesn't use padding
  157. */
  158. #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
  159. (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
  160. #else
  161. (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
  162. #endif
  163. #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
  164. return( 0 );
  165. }
  166. int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
  167. const unsigned char *key,
  168. int key_bitlen,
  169. const mbedtls_operation_t operation )
  170. {
  171. CIPHER_VALIDATE_RET( ctx != NULL );
  172. CIPHER_VALIDATE_RET( key != NULL );
  173. CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
  174. operation == MBEDTLS_DECRYPT );
  175. if( ctx->cipher_info == NULL )
  176. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  177. if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
  178. (int) ctx->cipher_info->key_bitlen != key_bitlen )
  179. {
  180. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  181. }
  182. ctx->key_bitlen = key_bitlen;
  183. ctx->operation = operation;
  184. /*
  185. * For OFB, CFB and CTR mode always use the encryption key schedule
  186. */
  187. if( MBEDTLS_ENCRYPT == operation ||
  188. MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
  189. MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
  190. MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
  191. {
  192. return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
  193. ctx->key_bitlen ) );
  194. }
  195. if( MBEDTLS_DECRYPT == operation )
  196. return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
  197. ctx->key_bitlen ) );
  198. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  199. }
  200. int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
  201. const unsigned char *iv,
  202. size_t iv_len )
  203. {
  204. size_t actual_iv_size;
  205. CIPHER_VALIDATE_RET( ctx != NULL );
  206. CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
  207. if( ctx->cipher_info == NULL )
  208. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  209. /* avoid buffer overflow in ctx->iv */
  210. if( iv_len > MBEDTLS_MAX_IV_LENGTH )
  211. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  212. if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
  213. actual_iv_size = iv_len;
  214. else
  215. {
  216. actual_iv_size = ctx->cipher_info->iv_size;
  217. /* avoid reading past the end of input buffer */
  218. if( actual_iv_size > iv_len )
  219. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  220. }
  221. #if defined(MBEDTLS_CHACHA20_C)
  222. if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
  223. {
  224. if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
  225. iv,
  226. 0U ) ) /* Initial counter value */
  227. {
  228. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  229. }
  230. }
  231. #endif
  232. if ( actual_iv_size != 0 )
  233. {
  234. memcpy( ctx->iv, iv, actual_iv_size );
  235. ctx->iv_size = actual_iv_size;
  236. }
  237. return( 0 );
  238. }
  239. int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
  240. {
  241. CIPHER_VALIDATE_RET( ctx != NULL );
  242. if( ctx->cipher_info == NULL )
  243. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  244. ctx->unprocessed_len = 0;
  245. return( 0 );
  246. }
  247. #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
  248. int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
  249. const unsigned char *ad, size_t ad_len )
  250. {
  251. CIPHER_VALIDATE_RET( ctx != NULL );
  252. CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
  253. if( ctx->cipher_info == NULL )
  254. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  255. #if defined(MBEDTLS_GCM_C)
  256. if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
  257. {
  258. return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
  259. ctx->iv, ctx->iv_size, ad, ad_len ) );
  260. }
  261. #endif
  262. #if defined(MBEDTLS_CHACHAPOLY_C)
  263. if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
  264. {
  265. int result;
  266. mbedtls_chachapoly_mode_t mode;
  267. mode = ( ctx->operation == MBEDTLS_ENCRYPT )
  268. ? MBEDTLS_CHACHAPOLY_ENCRYPT
  269. : MBEDTLS_CHACHAPOLY_DECRYPT;
  270. result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
  271. ctx->iv,
  272. mode );
  273. if ( result != 0 )
  274. return( result );
  275. return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
  276. ad, ad_len ) );
  277. }
  278. #endif
  279. return( 0 );
  280. }
  281. #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
  282. int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
  283. size_t ilen, unsigned char *output, size_t *olen )
  284. {
  285. int ret;
  286. size_t block_size;
  287. CIPHER_VALIDATE_RET( ctx != NULL );
  288. CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
  289. CIPHER_VALIDATE_RET( output != NULL );
  290. CIPHER_VALIDATE_RET( olen != NULL );
  291. if( ctx->cipher_info == NULL )
  292. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  293. *olen = 0;
  294. block_size = mbedtls_cipher_get_block_size( ctx );
  295. if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
  296. {
  297. if( ilen != block_size )
  298. return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
  299. *olen = ilen;
  300. if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
  301. ctx->operation, input, output ) ) )
  302. {
  303. return( ret );
  304. }
  305. return( 0 );
  306. }
  307. #if defined(MBEDTLS_GCM_C)
  308. if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
  309. {
  310. *olen = ilen;
  311. return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
  312. output ) );
  313. }
  314. #endif
  315. #if defined(MBEDTLS_CHACHAPOLY_C)
  316. if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
  317. {
  318. *olen = ilen;
  319. return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
  320. ilen, input, output ) );
  321. }
  322. #endif
  323. if ( 0 == block_size )
  324. {
  325. return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
  326. }
  327. if( input == output &&
  328. ( ctx->unprocessed_len != 0 || ilen % block_size ) )
  329. {
  330. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  331. }
  332. #if defined(MBEDTLS_CIPHER_MODE_CBC)
  333. if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
  334. {
  335. size_t copy_len = 0;
  336. /*
  337. * If there is not enough data for a full block, cache it.
  338. */
  339. if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
  340. ilen <= block_size - ctx->unprocessed_len ) ||
  341. ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
  342. ilen < block_size - ctx->unprocessed_len ) ||
  343. ( ctx->operation == MBEDTLS_ENCRYPT &&
  344. ilen < block_size - ctx->unprocessed_len ) )
  345. {
  346. memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
  347. ilen );
  348. ctx->unprocessed_len += ilen;
  349. return( 0 );
  350. }
  351. /*
  352. * Process cached data first
  353. */
  354. if( 0 != ctx->unprocessed_len )
  355. {
  356. copy_len = block_size - ctx->unprocessed_len;
  357. memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
  358. copy_len );
  359. if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
  360. ctx->operation, block_size, ctx->iv,
  361. ctx->unprocessed_data, output ) ) )
  362. {
  363. return( ret );
  364. }
  365. *olen += block_size;
  366. output += block_size;
  367. ctx->unprocessed_len = 0;
  368. input += copy_len;
  369. ilen -= copy_len;
  370. }
  371. /*
  372. * Cache final, incomplete block
  373. */
  374. if( 0 != ilen )
  375. {
  376. if( 0 == block_size )
  377. {
  378. return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
  379. }
  380. /* Encryption: only cache partial blocks
  381. * Decryption w/ padding: always keep at least one whole block
  382. * Decryption w/o padding: only cache partial blocks
  383. */
  384. copy_len = ilen % block_size;
  385. if( copy_len == 0 &&
  386. ctx->operation == MBEDTLS_DECRYPT &&
  387. NULL != ctx->add_padding)
  388. {
  389. copy_len = block_size;
  390. }
  391. memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
  392. copy_len );
  393. ctx->unprocessed_len += copy_len;
  394. ilen -= copy_len;
  395. }
  396. /*
  397. * Process remaining full blocks
  398. */
  399. if( ilen )
  400. {
  401. if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
  402. ctx->operation, ilen, ctx->iv, input, output ) ) )
  403. {
  404. return( ret );
  405. }
  406. *olen += ilen;
  407. }
  408. return( 0 );
  409. }
  410. #endif /* MBEDTLS_CIPHER_MODE_CBC */
  411. #if defined(MBEDTLS_CIPHER_MODE_CFB)
  412. if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
  413. {
  414. if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
  415. ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
  416. input, output ) ) )
  417. {
  418. return( ret );
  419. }
  420. *olen = ilen;
  421. return( 0 );
  422. }
  423. #endif /* MBEDTLS_CIPHER_MODE_CFB */
  424. #if defined(MBEDTLS_CIPHER_MODE_OFB)
  425. if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
  426. {
  427. if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
  428. ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
  429. {
  430. return( ret );
  431. }
  432. *olen = ilen;
  433. return( 0 );
  434. }
  435. #endif /* MBEDTLS_CIPHER_MODE_OFB */
  436. #if defined(MBEDTLS_CIPHER_MODE_CTR)
  437. if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
  438. {
  439. if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
  440. ilen, &ctx->unprocessed_len, ctx->iv,
  441. ctx->unprocessed_data, input, output ) ) )
  442. {
  443. return( ret );
  444. }
  445. *olen = ilen;
  446. return( 0 );
  447. }
  448. #endif /* MBEDTLS_CIPHER_MODE_CTR */
  449. #if defined(MBEDTLS_CIPHER_MODE_XTS)
  450. if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
  451. {
  452. if( ctx->unprocessed_len > 0 ) {
  453. /* We can only process an entire data unit at a time. */
  454. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  455. }
  456. ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
  457. ctx->operation, ilen, ctx->iv, input, output );
  458. if( ret != 0 )
  459. {
  460. return( ret );
  461. }
  462. *olen = ilen;
  463. return( 0 );
  464. }
  465. #endif /* MBEDTLS_CIPHER_MODE_XTS */
  466. #if defined(MBEDTLS_CIPHER_MODE_STREAM)
  467. if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
  468. {
  469. if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
  470. ilen, input, output ) ) )
  471. {
  472. return( ret );
  473. }
  474. *olen = ilen;
  475. return( 0 );
  476. }
  477. #endif /* MBEDTLS_CIPHER_MODE_STREAM */
  478. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  479. }
  480. #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
  481. #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
  482. /*
  483. * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
  484. */
  485. static void add_pkcs_padding( unsigned char *output, size_t output_len,
  486. size_t data_len )
  487. {
  488. size_t padding_len = output_len - data_len;
  489. unsigned char i;
  490. for( i = 0; i < padding_len; i++ )
  491. output[data_len + i] = (unsigned char) padding_len;
  492. }
  493. static int get_pkcs_padding( unsigned char *input, size_t input_len,
  494. size_t *data_len )
  495. {
  496. size_t i, pad_idx;
  497. unsigned char padding_len, bad = 0;
  498. if( NULL == input || NULL == data_len )
  499. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  500. padding_len = input[input_len - 1];
  501. *data_len = input_len - padding_len;
  502. /* Avoid logical || since it results in a branch */
  503. bad |= padding_len > input_len;
  504. bad |= padding_len == 0;
  505. /* The number of bytes checked must be independent of padding_len,
  506. * so pick input_len, which is usually 8 or 16 (one block) */
  507. pad_idx = input_len - padding_len;
  508. for( i = 0; i < input_len; i++ )
  509. bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
  510. return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
  511. }
  512. #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
  513. #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
  514. /*
  515. * One and zeros padding: fill with 80 00 ... 00
  516. */
  517. static void add_one_and_zeros_padding( unsigned char *output,
  518. size_t output_len, size_t data_len )
  519. {
  520. size_t padding_len = output_len - data_len;
  521. unsigned char i = 0;
  522. output[data_len] = 0x80;
  523. for( i = 1; i < padding_len; i++ )
  524. output[data_len + i] = 0x00;
  525. }
  526. static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
  527. size_t *data_len )
  528. {
  529. size_t i;
  530. unsigned char done = 0, prev_done, bad;
  531. if( NULL == input || NULL == data_len )
  532. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  533. bad = 0x80;
  534. *data_len = 0;
  535. for( i = input_len; i > 0; i-- )
  536. {
  537. prev_done = done;
  538. done |= ( input[i - 1] != 0 );
  539. *data_len |= ( i - 1 ) * ( done != prev_done );
  540. bad ^= input[i - 1] * ( done != prev_done );
  541. }
  542. return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
  543. }
  544. #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
  545. #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
  546. /*
  547. * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
  548. */
  549. static void add_zeros_and_len_padding( unsigned char *output,
  550. size_t output_len, size_t data_len )
  551. {
  552. size_t padding_len = output_len - data_len;
  553. unsigned char i = 0;
  554. for( i = 1; i < padding_len; i++ )
  555. output[data_len + i - 1] = 0x00;
  556. output[output_len - 1] = (unsigned char) padding_len;
  557. }
  558. static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
  559. size_t *data_len )
  560. {
  561. size_t i, pad_idx;
  562. unsigned char padding_len, bad = 0;
  563. if( NULL == input || NULL == data_len )
  564. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  565. padding_len = input[input_len - 1];
  566. *data_len = input_len - padding_len;
  567. /* Avoid logical || since it results in a branch */
  568. bad |= padding_len > input_len;
  569. bad |= padding_len == 0;
  570. /* The number of bytes checked must be independent of padding_len */
  571. pad_idx = input_len - padding_len;
  572. for( i = 0; i < input_len - 1; i++ )
  573. bad |= input[i] * ( i >= pad_idx );
  574. return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
  575. }
  576. #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
  577. #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
  578. /*
  579. * Zero padding: fill with 00 ... 00
  580. */
  581. static void add_zeros_padding( unsigned char *output,
  582. size_t output_len, size_t data_len )
  583. {
  584. size_t i;
  585. for( i = data_len; i < output_len; i++ )
  586. output[i] = 0x00;
  587. }
  588. static int get_zeros_padding( unsigned char *input, size_t input_len,
  589. size_t *data_len )
  590. {
  591. size_t i;
  592. unsigned char done = 0, prev_done;
  593. if( NULL == input || NULL == data_len )
  594. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  595. *data_len = 0;
  596. for( i = input_len; i > 0; i-- )
  597. {
  598. prev_done = done;
  599. done |= ( input[i-1] != 0 );
  600. *data_len |= i * ( done != prev_done );
  601. }
  602. return( 0 );
  603. }
  604. #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
  605. /*
  606. * No padding: don't pad :)
  607. *
  608. * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
  609. * but a trivial get_padding function
  610. */
  611. static int get_no_padding( unsigned char *input, size_t input_len,
  612. size_t *data_len )
  613. {
  614. if( NULL == input || NULL == data_len )
  615. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  616. *data_len = input_len;
  617. return( 0 );
  618. }
  619. #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
  620. int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
  621. unsigned char *output, size_t *olen )
  622. {
  623. CIPHER_VALIDATE_RET( ctx != NULL );
  624. CIPHER_VALIDATE_RET( output != NULL );
  625. CIPHER_VALIDATE_RET( olen != NULL );
  626. if( ctx->cipher_info == NULL )
  627. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  628. *olen = 0;
  629. if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
  630. MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
  631. MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
  632. MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
  633. MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
  634. MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
  635. {
  636. return( 0 );
  637. }
  638. if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
  639. ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
  640. {
  641. return( 0 );
  642. }
  643. if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
  644. {
  645. if( ctx->unprocessed_len != 0 )
  646. return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
  647. return( 0 );
  648. }
  649. #if defined(MBEDTLS_CIPHER_MODE_CBC)
  650. if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
  651. {
  652. int ret = 0;
  653. if( MBEDTLS_ENCRYPT == ctx->operation )
  654. {
  655. /* check for 'no padding' mode */
  656. if( NULL == ctx->add_padding )
  657. {
  658. if( 0 != ctx->unprocessed_len )
  659. return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
  660. return( 0 );
  661. }
  662. ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
  663. ctx->unprocessed_len );
  664. }
  665. else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
  666. {
  667. /*
  668. * For decrypt operations, expect a full block,
  669. * or an empty block if no padding
  670. */
  671. if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
  672. return( 0 );
  673. return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
  674. }
  675. /* cipher block */
  676. if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
  677. ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
  678. ctx->unprocessed_data, output ) ) )
  679. {
  680. return( ret );
  681. }
  682. /* Set output size for decryption */
  683. if( MBEDTLS_DECRYPT == ctx->operation )
  684. return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
  685. olen ) );
  686. /* Set output size for encryption */
  687. *olen = mbedtls_cipher_get_block_size( ctx );
  688. return( 0 );
  689. }
  690. #else
  691. ((void) output);
  692. #endif /* MBEDTLS_CIPHER_MODE_CBC */
  693. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  694. }
  695. #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
  696. int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
  697. mbedtls_cipher_padding_t mode )
  698. {
  699. CIPHER_VALIDATE_RET( ctx != NULL );
  700. if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
  701. {
  702. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  703. }
  704. switch( mode )
  705. {
  706. #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
  707. case MBEDTLS_PADDING_PKCS7:
  708. ctx->add_padding = add_pkcs_padding;
  709. ctx->get_padding = get_pkcs_padding;
  710. break;
  711. #endif
  712. #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
  713. case MBEDTLS_PADDING_ONE_AND_ZEROS:
  714. ctx->add_padding = add_one_and_zeros_padding;
  715. ctx->get_padding = get_one_and_zeros_padding;
  716. break;
  717. #endif
  718. #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
  719. case MBEDTLS_PADDING_ZEROS_AND_LEN:
  720. ctx->add_padding = add_zeros_and_len_padding;
  721. ctx->get_padding = get_zeros_and_len_padding;
  722. break;
  723. #endif
  724. #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
  725. case MBEDTLS_PADDING_ZEROS:
  726. ctx->add_padding = add_zeros_padding;
  727. ctx->get_padding = get_zeros_padding;
  728. break;
  729. #endif
  730. case MBEDTLS_PADDING_NONE:
  731. ctx->add_padding = NULL;
  732. ctx->get_padding = get_no_padding;
  733. break;
  734. default:
  735. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  736. }
  737. return( 0 );
  738. }
  739. #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
  740. #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
  741. int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
  742. unsigned char *tag, size_t tag_len )
  743. {
  744. CIPHER_VALIDATE_RET( ctx != NULL );
  745. CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
  746. if( ctx->cipher_info == NULL )
  747. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  748. if( MBEDTLS_ENCRYPT != ctx->operation )
  749. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  750. #if defined(MBEDTLS_GCM_C)
  751. if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
  752. return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
  753. tag, tag_len ) );
  754. #endif
  755. #if defined(MBEDTLS_CHACHAPOLY_C)
  756. if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
  757. {
  758. /* Don't allow truncated MAC for Poly1305 */
  759. if ( tag_len != 16U )
  760. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  761. return( mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
  762. tag ) );
  763. }
  764. #endif
  765. return( 0 );
  766. }
  767. int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
  768. const unsigned char *tag, size_t tag_len )
  769. {
  770. unsigned char check_tag[16];
  771. int ret;
  772. CIPHER_VALIDATE_RET( ctx != NULL );
  773. CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
  774. if( ctx->cipher_info == NULL )
  775. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  776. if( MBEDTLS_DECRYPT != ctx->operation )
  777. {
  778. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  779. }
  780. #if defined(MBEDTLS_GCM_C)
  781. if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
  782. {
  783. if( tag_len > sizeof( check_tag ) )
  784. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  785. if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
  786. check_tag, tag_len ) ) )
  787. {
  788. return( ret );
  789. }
  790. /* Check the tag in "constant-time" */
  791. if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
  792. return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
  793. return( 0 );
  794. }
  795. #endif /* MBEDTLS_GCM_C */
  796. #if defined(MBEDTLS_CHACHAPOLY_C)
  797. if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
  798. {
  799. /* Don't allow truncated MAC for Poly1305 */
  800. if ( tag_len != sizeof( check_tag ) )
  801. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  802. ret = mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
  803. check_tag );
  804. if ( ret != 0 )
  805. {
  806. return( ret );
  807. }
  808. /* Check the tag in "constant-time" */
  809. if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
  810. return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
  811. return( 0 );
  812. }
  813. #endif /* MBEDTLS_CHACHAPOLY_C */
  814. return( 0 );
  815. }
  816. #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
  817. /*
  818. * Packet-oriented wrapper for non-AEAD modes
  819. */
  820. int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
  821. const unsigned char *iv, size_t iv_len,
  822. const unsigned char *input, size_t ilen,
  823. unsigned char *output, size_t *olen )
  824. {
  825. int ret;
  826. size_t finish_olen;
  827. CIPHER_VALIDATE_RET( ctx != NULL );
  828. CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
  829. CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
  830. CIPHER_VALIDATE_RET( output != NULL );
  831. CIPHER_VALIDATE_RET( olen != NULL );
  832. if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
  833. return( ret );
  834. if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
  835. return( ret );
  836. if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
  837. return( ret );
  838. if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
  839. return( ret );
  840. *olen += finish_olen;
  841. return( 0 );
  842. }
  843. #if defined(MBEDTLS_CIPHER_MODE_AEAD)
  844. /*
  845. * Packet-oriented encryption for AEAD modes
  846. */
  847. int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
  848. const unsigned char *iv, size_t iv_len,
  849. const unsigned char *ad, size_t ad_len,
  850. const unsigned char *input, size_t ilen,
  851. unsigned char *output, size_t *olen,
  852. unsigned char *tag, size_t tag_len )
  853. {
  854. CIPHER_VALIDATE_RET( ctx != NULL );
  855. CIPHER_VALIDATE_RET( iv != NULL );
  856. CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
  857. CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
  858. CIPHER_VALIDATE_RET( output != NULL );
  859. CIPHER_VALIDATE_RET( olen != NULL );
  860. CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
  861. #if defined(MBEDTLS_GCM_C)
  862. if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
  863. {
  864. *olen = ilen;
  865. return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
  866. iv, iv_len, ad, ad_len, input, output,
  867. tag_len, tag ) );
  868. }
  869. #endif /* MBEDTLS_GCM_C */
  870. #if defined(MBEDTLS_CCM_C)
  871. if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
  872. {
  873. *olen = ilen;
  874. return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
  875. iv, iv_len, ad, ad_len, input, output,
  876. tag, tag_len ) );
  877. }
  878. #endif /* MBEDTLS_CCM_C */
  879. #if defined(MBEDTLS_CHACHAPOLY_C)
  880. if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
  881. {
  882. /* ChachaPoly has fixed length nonce and MAC (tag) */
  883. if ( ( iv_len != ctx->cipher_info->iv_size ) ||
  884. ( tag_len != 16U ) )
  885. {
  886. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  887. }
  888. *olen = ilen;
  889. return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
  890. ilen, iv, ad, ad_len, input, output, tag ) );
  891. }
  892. #endif /* MBEDTLS_CHACHAPOLY_C */
  893. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  894. }
  895. /*
  896. * Packet-oriented decryption for AEAD modes
  897. */
  898. int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
  899. const unsigned char *iv, size_t iv_len,
  900. const unsigned char *ad, size_t ad_len,
  901. const unsigned char *input, size_t ilen,
  902. unsigned char *output, size_t *olen,
  903. const unsigned char *tag, size_t tag_len )
  904. {
  905. CIPHER_VALIDATE_RET( ctx != NULL );
  906. CIPHER_VALIDATE_RET( iv != NULL );
  907. CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
  908. CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
  909. CIPHER_VALIDATE_RET( output != NULL );
  910. CIPHER_VALIDATE_RET( olen != NULL );
  911. CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
  912. #if defined(MBEDTLS_GCM_C)
  913. if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
  914. {
  915. int ret;
  916. *olen = ilen;
  917. ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
  918. iv, iv_len, ad, ad_len,
  919. tag, tag_len, input, output );
  920. if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
  921. ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
  922. return( ret );
  923. }
  924. #endif /* MBEDTLS_GCM_C */
  925. #if defined(MBEDTLS_CCM_C)
  926. if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
  927. {
  928. int ret;
  929. *olen = ilen;
  930. ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
  931. iv, iv_len, ad, ad_len,
  932. input, output, tag, tag_len );
  933. if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
  934. ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
  935. return( ret );
  936. }
  937. #endif /* MBEDTLS_CCM_C */
  938. #if defined(MBEDTLS_CHACHAPOLY_C)
  939. if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
  940. {
  941. int ret;
  942. /* ChachaPoly has fixed length nonce and MAC (tag) */
  943. if ( ( iv_len != ctx->cipher_info->iv_size ) ||
  944. ( tag_len != 16U ) )
  945. {
  946. return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
  947. }
  948. *olen = ilen;
  949. ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
  950. iv, ad, ad_len, tag, input, output );
  951. if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
  952. ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
  953. return( ret );
  954. }
  955. #endif /* MBEDTLS_CHACHAPOLY_C */
  956. return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
  957. }
  958. #endif /* MBEDTLS_CIPHER_MODE_AEAD */
  959. #endif /* MBEDTLS_CIPHER_C */