4 * \brief Generic cipher wrapper for mbed TLS
6 * \author Adriaan de Jong <dejong@fox-it.com>
8 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
9 * SPDX-License-Identifier: GPL-2.0
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 * This file is part of mbed TLS (https://tls.mbed.org)
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
31 #include MBEDTLS_CONFIG_FILE
34 #if defined(MBEDTLS_CIPHER_C)
36 #include "mbedtls/cipher.h"
37 #include "mbedtls/cipher_internal.h"
42 #if defined(MBEDTLS_GCM_C)
43 #include "mbedtls/gcm.h"
46 #if defined(MBEDTLS_CCM_C)
47 #include "mbedtls/ccm.h"
50 #if defined(MBEDTLS_CMAC_C)
51 #include "mbedtls/cmac.h"
54 #if defined(MBEDTLS_PLATFORM_C)
55 #include "mbedtls/platform.h"
57 #define mbedtls_calloc calloc
58 #define mbedtls_free free
61 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
62 #define MBEDTLS_CIPHER_MODE_STREAM
65 /* Implementation that should never be optimized out by the compiler */
66 static void mbedtls_zeroize( void *v
, size_t n
) {
67 volatile unsigned char *p
= (unsigned char*)v
; while( n
-- ) *p
++ = 0;
70 static int supported_init
= 0;
72 const int *mbedtls_cipher_list( void )
74 const mbedtls_cipher_definition_t
*def
;
77 if( ! supported_init
)
79 def
= mbedtls_cipher_definitions
;
80 type
= mbedtls_cipher_supported
;
82 while( def
->type
!= 0 )
83 *type
++ = (*def
++).type
;
90 return( mbedtls_cipher_supported
);
93 const mbedtls_cipher_info_t
*mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type
)
95 const mbedtls_cipher_definition_t
*def
;
97 for( def
= mbedtls_cipher_definitions
; def
->info
!= NULL
; def
++ )
98 if( def
->type
== cipher_type
)
104 const mbedtls_cipher_info_t
*mbedtls_cipher_info_from_string( const char *cipher_name
)
106 const mbedtls_cipher_definition_t
*def
;
108 if( NULL
== cipher_name
)
111 for( def
= mbedtls_cipher_definitions
; def
->info
!= NULL
; def
++ )
112 if( ! strcmp( def
->info
->name
, cipher_name
) )
118 const mbedtls_cipher_info_t
*mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id
,
120 const mbedtls_cipher_mode_t mode
)
122 const mbedtls_cipher_definition_t
*def
;
124 for( def
= mbedtls_cipher_definitions
; def
->info
!= NULL
; def
++ )
125 if( def
->info
->base
->cipher
== cipher_id
&&
126 def
->info
->key_bitlen
== (unsigned) key_bitlen
&&
127 def
->info
->mode
== mode
)
133 void mbedtls_cipher_init( mbedtls_cipher_context_t
*ctx
)
135 memset( ctx
, 0, sizeof( mbedtls_cipher_context_t
) );
138 void mbedtls_cipher_free( mbedtls_cipher_context_t
*ctx
)
143 #if defined(MBEDTLS_CMAC_C)
146 mbedtls_zeroize( ctx
->cmac_ctx
, sizeof( mbedtls_cmac_context_t
) );
147 mbedtls_free( ctx
->cmac_ctx
);
151 if( ctx
->cipher_ctx
)
152 ctx
->cipher_info
->base
->ctx_free_func( ctx
->cipher_ctx
);
154 mbedtls_zeroize( ctx
, sizeof(mbedtls_cipher_context_t
) );
157 int mbedtls_cipher_setup( mbedtls_cipher_context_t
*ctx
, const mbedtls_cipher_info_t
*cipher_info
)
159 if( NULL
== cipher_info
|| NULL
== ctx
)
160 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
162 memset( ctx
, 0, sizeof( mbedtls_cipher_context_t
) );
164 if( NULL
== ( ctx
->cipher_ctx
= cipher_info
->base
->ctx_alloc_func() ) )
165 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED
);
167 ctx
->cipher_info
= cipher_info
;
169 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
171 * Ignore possible errors caused by a cipher mode that doesn't use padding
173 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
174 (void) mbedtls_cipher_set_padding_mode( ctx
, MBEDTLS_PADDING_PKCS7
);
176 (void) mbedtls_cipher_set_padding_mode( ctx
, MBEDTLS_PADDING_NONE
);
178 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
183 int mbedtls_cipher_setkey( mbedtls_cipher_context_t
*ctx
, const unsigned char *key
,
184 int key_bitlen
, const mbedtls_operation_t operation
)
186 if( NULL
== ctx
|| NULL
== ctx
->cipher_info
)
187 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
189 if( ( ctx
->cipher_info
->flags
& MBEDTLS_CIPHER_VARIABLE_KEY_LEN
) == 0 &&
190 (int) ctx
->cipher_info
->key_bitlen
!= key_bitlen
)
192 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
195 ctx
->key_bitlen
= key_bitlen
;
196 ctx
->operation
= operation
;
199 * For CFB and CTR mode always use the encryption key schedule
201 if( MBEDTLS_ENCRYPT
== operation
||
202 MBEDTLS_MODE_CFB
== ctx
->cipher_info
->mode
||
203 MBEDTLS_MODE_CTR
== ctx
->cipher_info
->mode
)
205 return ctx
->cipher_info
->base
->setkey_enc_func( ctx
->cipher_ctx
, key
,
209 if( MBEDTLS_DECRYPT
== operation
)
210 return ctx
->cipher_info
->base
->setkey_dec_func( ctx
->cipher_ctx
, key
,
213 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
216 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t
*ctx
,
217 const unsigned char *iv
, size_t iv_len
)
219 size_t actual_iv_size
;
221 if( NULL
== ctx
|| NULL
== ctx
->cipher_info
|| NULL
== iv
)
222 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
224 /* avoid buffer overflow in ctx->iv */
225 if( iv_len
> MBEDTLS_MAX_IV_LENGTH
)
226 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
);
228 if( ( ctx
->cipher_info
->flags
& MBEDTLS_CIPHER_VARIABLE_IV_LEN
) != 0 )
229 actual_iv_size
= iv_len
;
232 actual_iv_size
= ctx
->cipher_info
->iv_size
;
234 /* avoid reading past the end of input buffer */
235 if( actual_iv_size
> iv_len
)
236 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
239 memcpy( ctx
->iv
, iv
, actual_iv_size
);
240 ctx
->iv_size
= actual_iv_size
;
245 int mbedtls_cipher_reset( mbedtls_cipher_context_t
*ctx
)
247 if( NULL
== ctx
|| NULL
== ctx
->cipher_info
)
248 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
250 ctx
->unprocessed_len
= 0;
255 #if defined(MBEDTLS_GCM_C)
256 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t
*ctx
,
257 const unsigned char *ad
, size_t ad_len
)
259 if( NULL
== ctx
|| NULL
== ctx
->cipher_info
)
260 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
262 if( MBEDTLS_MODE_GCM
== ctx
->cipher_info
->mode
)
264 return mbedtls_gcm_starts( (mbedtls_gcm_context
*) ctx
->cipher_ctx
, ctx
->operation
,
265 ctx
->iv
, ctx
->iv_size
, ad
, ad_len
);
270 #endif /* MBEDTLS_GCM_C */
272 int mbedtls_cipher_update( mbedtls_cipher_context_t
*ctx
, const unsigned char *input
,
273 size_t ilen
, unsigned char *output
, size_t *olen
)
276 size_t block_size
= 0;
278 if( NULL
== ctx
|| NULL
== ctx
->cipher_info
|| NULL
== olen
)
280 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
284 block_size
= mbedtls_cipher_get_block_size( ctx
);
286 if( ctx
->cipher_info
->mode
== MBEDTLS_MODE_ECB
)
288 if( ilen
!= block_size
)
289 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
);
293 if( 0 != ( ret
= ctx
->cipher_info
->base
->ecb_func( ctx
->cipher_ctx
,
294 ctx
->operation
, input
, output
) ) )
302 #if defined(MBEDTLS_GCM_C)
303 if( ctx
->cipher_info
->mode
== MBEDTLS_MODE_GCM
)
306 return mbedtls_gcm_update( (mbedtls_gcm_context
*) ctx
->cipher_ctx
, ilen
, input
,
311 if ( 0 == block_size
)
313 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT
;
316 if( input
== output
&&
317 ( ctx
->unprocessed_len
!= 0 || ilen
% block_size
) )
319 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
322 #if defined(MBEDTLS_CIPHER_MODE_CBC)
323 if( ctx
->cipher_info
->mode
== MBEDTLS_MODE_CBC
)
328 * If there is not enough data for a full block, cache it.
330 if( ( ctx
->operation
== MBEDTLS_DECRYPT
&&
331 ilen
<= block_size
- ctx
->unprocessed_len
) ||
332 ( ctx
->operation
== MBEDTLS_ENCRYPT
&&
333 ilen
< block_size
- ctx
->unprocessed_len
) )
335 memcpy( &( ctx
->unprocessed_data
[ctx
->unprocessed_len
] ), input
,
338 ctx
->unprocessed_len
+= ilen
;
343 * Process cached data first
345 if( 0 != ctx
->unprocessed_len
)
347 copy_len
= block_size
- ctx
->unprocessed_len
;
349 memcpy( &( ctx
->unprocessed_data
[ctx
->unprocessed_len
] ), input
,
352 if( 0 != ( ret
= ctx
->cipher_info
->base
->cbc_func( ctx
->cipher_ctx
,
353 ctx
->operation
, block_size
, ctx
->iv
,
354 ctx
->unprocessed_data
, output
) ) )
360 output
+= block_size
;
361 ctx
->unprocessed_len
= 0;
368 * Cache final, incomplete block
372 if( 0 == block_size
)
374 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT
;
377 copy_len
= ilen
% block_size
;
378 if( copy_len
== 0 && ctx
->operation
== MBEDTLS_DECRYPT
)
379 copy_len
= block_size
;
381 memcpy( ctx
->unprocessed_data
, &( input
[ilen
- copy_len
] ),
384 ctx
->unprocessed_len
+= copy_len
;
389 * Process remaining full blocks
393 if( 0 != ( ret
= ctx
->cipher_info
->base
->cbc_func( ctx
->cipher_ctx
,
394 ctx
->operation
, ilen
, ctx
->iv
, input
, output
) ) )
404 #endif /* MBEDTLS_CIPHER_MODE_CBC */
406 #if defined(MBEDTLS_CIPHER_MODE_CFB)
407 if( ctx
->cipher_info
->mode
== MBEDTLS_MODE_CFB
)
409 if( 0 != ( ret
= ctx
->cipher_info
->base
->cfb_func( ctx
->cipher_ctx
,
410 ctx
->operation
, ilen
, &ctx
->unprocessed_len
, ctx
->iv
,
420 #endif /* MBEDTLS_CIPHER_MODE_CFB */
422 #if defined(MBEDTLS_CIPHER_MODE_CTR)
423 if( ctx
->cipher_info
->mode
== MBEDTLS_MODE_CTR
)
425 if( 0 != ( ret
= ctx
->cipher_info
->base
->ctr_func( ctx
->cipher_ctx
,
426 ilen
, &ctx
->unprocessed_len
, ctx
->iv
,
427 ctx
->unprocessed_data
, input
, output
) ) )
436 #endif /* MBEDTLS_CIPHER_MODE_CTR */
438 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
439 if( ctx
->cipher_info
->mode
== MBEDTLS_MODE_STREAM
)
441 if( 0 != ( ret
= ctx
->cipher_info
->base
->stream_func( ctx
->cipher_ctx
,
442 ilen
, input
, output
) ) )
451 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
453 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
);
456 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
457 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
459 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
461 static void add_pkcs_padding( unsigned char *output
, size_t output_len
,
464 size_t padding_len
= output_len
- data_len
;
467 for( i
= 0; i
< padding_len
; i
++ )
468 output
[data_len
+ i
] = (unsigned char) padding_len
;
471 static int get_pkcs_padding( unsigned char *input
, size_t input_len
,
475 unsigned char padding_len
, bad
= 0;
477 if( NULL
== input
|| NULL
== data_len
)
478 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
480 padding_len
= input
[input_len
- 1];
481 *data_len
= input_len
- padding_len
;
483 /* Avoid logical || since it results in a branch */
484 bad
|= padding_len
> input_len
;
485 bad
|= padding_len
== 0;
487 /* The number of bytes checked must be independent of padding_len,
488 * so pick input_len, which is usually 8 or 16 (one block) */
489 pad_idx
= input_len
- padding_len
;
490 for( i
= 0; i
< input_len
; i
++ )
491 bad
|= ( input
[i
] ^ padding_len
) * ( i
>= pad_idx
);
493 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING
* ( bad
!= 0 ) );
495 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
497 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
499 * One and zeros padding: fill with 80 00 ... 00
501 static void add_one_and_zeros_padding( unsigned char *output
,
502 size_t output_len
, size_t data_len
)
504 size_t padding_len
= output_len
- data_len
;
507 output
[data_len
] = 0x80;
508 for( i
= 1; i
< padding_len
; i
++ )
509 output
[data_len
+ i
] = 0x00;
512 static int get_one_and_zeros_padding( unsigned char *input
, size_t input_len
,
516 unsigned char done
= 0, prev_done
, bad
;
518 if( NULL
== input
|| NULL
== data_len
)
519 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
523 for( i
= input_len
; i
> 0; i
-- )
526 done
|= ( input
[i
-1] != 0 );
527 *data_len
|= ( i
- 1 ) * ( done
!= prev_done
);
528 bad
&= ( input
[i
-1] ^ 0x80 ) | ( done
== prev_done
);
531 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING
* ( bad
!= 0 ) );
534 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
536 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
538 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
540 static void add_zeros_and_len_padding( unsigned char *output
,
541 size_t output_len
, size_t data_len
)
543 size_t padding_len
= output_len
- data_len
;
546 for( i
= 1; i
< padding_len
; i
++ )
547 output
[data_len
+ i
- 1] = 0x00;
548 output
[output_len
- 1] = (unsigned char) padding_len
;
551 static int get_zeros_and_len_padding( unsigned char *input
, size_t input_len
,
555 unsigned char padding_len
, bad
= 0;
557 if( NULL
== input
|| NULL
== data_len
)
558 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
560 padding_len
= input
[input_len
- 1];
561 *data_len
= input_len
- padding_len
;
563 /* Avoid logical || since it results in a branch */
564 bad
|= padding_len
> input_len
;
565 bad
|= padding_len
== 0;
567 /* The number of bytes checked must be independent of padding_len */
568 pad_idx
= input_len
- padding_len
;
569 for( i
= 0; i
< input_len
- 1; i
++ )
570 bad
|= input
[i
] * ( i
>= pad_idx
);
572 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING
* ( bad
!= 0 ) );
574 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
576 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
578 * Zero padding: fill with 00 ... 00
580 static void add_zeros_padding( unsigned char *output
,
581 size_t output_len
, size_t data_len
)
585 for( i
= data_len
; i
< output_len
; i
++ )
589 static int get_zeros_padding( unsigned char *input
, size_t input_len
,
593 unsigned char done
= 0, prev_done
;
595 if( NULL
== input
|| NULL
== data_len
)
596 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
599 for( i
= input_len
; i
> 0; i
-- )
602 done
|= ( input
[i
-1] != 0 );
603 *data_len
|= i
* ( done
!= prev_done
);
608 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
611 * No padding: don't pad :)
613 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
614 * but a trivial get_padding function
616 static int get_no_padding( unsigned char *input
, size_t input_len
,
619 if( NULL
== input
|| NULL
== data_len
)
620 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
622 *data_len
= input_len
;
626 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
628 int mbedtls_cipher_finish( mbedtls_cipher_context_t
*ctx
,
629 unsigned char *output
, size_t *olen
)
631 if( NULL
== ctx
|| NULL
== ctx
->cipher_info
|| NULL
== olen
)
632 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
636 if( MBEDTLS_MODE_CFB
== ctx
->cipher_info
->mode
||
637 MBEDTLS_MODE_CTR
== ctx
->cipher_info
->mode
||
638 MBEDTLS_MODE_GCM
== ctx
->cipher_info
->mode
||
639 MBEDTLS_MODE_STREAM
== ctx
->cipher_info
->mode
)
644 if( MBEDTLS_MODE_ECB
== ctx
->cipher_info
->mode
)
646 if( ctx
->unprocessed_len
!= 0 )
647 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
);
652 #if defined(MBEDTLS_CIPHER_MODE_CBC)
653 if( MBEDTLS_MODE_CBC
== ctx
->cipher_info
->mode
)
657 if( MBEDTLS_ENCRYPT
== ctx
->operation
)
659 /* check for 'no padding' mode */
660 if( NULL
== ctx
->add_padding
)
662 if( 0 != ctx
->unprocessed_len
)
663 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
);
668 ctx
->add_padding( ctx
->unprocessed_data
, mbedtls_cipher_get_iv_size( ctx
),
669 ctx
->unprocessed_len
);
671 else if( mbedtls_cipher_get_block_size( ctx
) != ctx
->unprocessed_len
)
674 * For decrypt operations, expect a full block,
675 * or an empty block if no padding
677 if( NULL
== ctx
->add_padding
&& 0 == ctx
->unprocessed_len
)
680 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
);
684 if( 0 != ( ret
= ctx
->cipher_info
->base
->cbc_func( ctx
->cipher_ctx
,
685 ctx
->operation
, mbedtls_cipher_get_block_size( ctx
), ctx
->iv
,
686 ctx
->unprocessed_data
, output
) ) )
691 /* Set output size for decryption */
692 if( MBEDTLS_DECRYPT
== ctx
->operation
)
693 return ctx
->get_padding( output
, mbedtls_cipher_get_block_size( ctx
),
696 /* Set output size for encryption */
697 *olen
= mbedtls_cipher_get_block_size( ctx
);
702 #endif /* MBEDTLS_CIPHER_MODE_CBC */
704 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
);
707 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
708 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t
*ctx
, mbedtls_cipher_padding_t mode
)
711 MBEDTLS_MODE_CBC
!= ctx
->cipher_info
->mode
)
713 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
718 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
719 case MBEDTLS_PADDING_PKCS7
:
720 ctx
->add_padding
= add_pkcs_padding
;
721 ctx
->get_padding
= get_pkcs_padding
;
724 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
725 case MBEDTLS_PADDING_ONE_AND_ZEROS
:
726 ctx
->add_padding
= add_one_and_zeros_padding
;
727 ctx
->get_padding
= get_one_and_zeros_padding
;
730 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
731 case MBEDTLS_PADDING_ZEROS_AND_LEN
:
732 ctx
->add_padding
= add_zeros_and_len_padding
;
733 ctx
->get_padding
= get_zeros_and_len_padding
;
736 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
737 case MBEDTLS_PADDING_ZEROS
:
738 ctx
->add_padding
= add_zeros_padding
;
739 ctx
->get_padding
= get_zeros_padding
;
742 case MBEDTLS_PADDING_NONE
:
743 ctx
->add_padding
= NULL
;
744 ctx
->get_padding
= get_no_padding
;
748 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
);
753 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
755 #if defined(MBEDTLS_GCM_C)
756 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t
*ctx
,
757 unsigned char *tag
, size_t tag_len
)
759 if( NULL
== ctx
|| NULL
== ctx
->cipher_info
|| NULL
== tag
)
760 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
762 if( MBEDTLS_ENCRYPT
!= ctx
->operation
)
763 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
765 if( MBEDTLS_MODE_GCM
== ctx
->cipher_info
->mode
)
766 return mbedtls_gcm_finish( (mbedtls_gcm_context
*) ctx
->cipher_ctx
, tag
, tag_len
);
771 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t
*ctx
,
772 const unsigned char *tag
, size_t tag_len
)
776 if( NULL
== ctx
|| NULL
== ctx
->cipher_info
||
777 MBEDTLS_DECRYPT
!= ctx
->operation
)
779 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
782 if( MBEDTLS_MODE_GCM
== ctx
->cipher_info
->mode
)
784 unsigned char check_tag
[16];
788 if( tag_len
> sizeof( check_tag
) )
789 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
);
791 if( 0 != ( ret
= mbedtls_gcm_finish( (mbedtls_gcm_context
*) ctx
->cipher_ctx
,
792 check_tag
, tag_len
) ) )
797 /* Check the tag in "constant-time" */
798 for( diff
= 0, i
= 0; i
< tag_len
; i
++ )
799 diff
|= tag
[i
] ^ check_tag
[i
];
802 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED
);
809 #endif /* MBEDTLS_GCM_C */
812 * Packet-oriented wrapper for non-AEAD modes
814 int mbedtls_cipher_crypt( mbedtls_cipher_context_t
*ctx
,
815 const unsigned char *iv
, size_t iv_len
,
816 const unsigned char *input
, size_t ilen
,
817 unsigned char *output
, size_t *olen
)
822 if( ( ret
= mbedtls_cipher_set_iv( ctx
, iv
, iv_len
) ) != 0 )
825 if( ( ret
= mbedtls_cipher_reset( ctx
) ) != 0 )
828 if( ( ret
= mbedtls_cipher_update( ctx
, input
, ilen
, output
, olen
) ) != 0 )
831 if( ( ret
= mbedtls_cipher_finish( ctx
, output
+ *olen
, &finish_olen
) ) != 0 )
834 *olen
+= finish_olen
;
839 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
841 * Packet-oriented encryption for AEAD modes
843 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t
*ctx
,
844 const unsigned char *iv
, size_t iv_len
,
845 const unsigned char *ad
, size_t ad_len
,
846 const unsigned char *input
, size_t ilen
,
847 unsigned char *output
, size_t *olen
,
848 unsigned char *tag
, size_t tag_len
)
850 #if defined(MBEDTLS_GCM_C)
851 if( MBEDTLS_MODE_GCM
== ctx
->cipher_info
->mode
)
854 return( mbedtls_gcm_crypt_and_tag( ctx
->cipher_ctx
, MBEDTLS_GCM_ENCRYPT
, ilen
,
855 iv
, iv_len
, ad
, ad_len
, input
, output
,
858 #endif /* MBEDTLS_GCM_C */
859 #if defined(MBEDTLS_CCM_C)
860 if( MBEDTLS_MODE_CCM
== ctx
->cipher_info
->mode
)
863 return( mbedtls_ccm_encrypt_and_tag( ctx
->cipher_ctx
, ilen
,
864 iv
, iv_len
, ad
, ad_len
, input
, output
,
867 #endif /* MBEDTLS_CCM_C */
869 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
);
873 * Packet-oriented decryption for AEAD modes
875 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t
*ctx
,
876 const unsigned char *iv
, size_t iv_len
,
877 const unsigned char *ad
, size_t ad_len
,
878 const unsigned char *input
, size_t ilen
,
879 unsigned char *output
, size_t *olen
,
880 const unsigned char *tag
, size_t tag_len
)
882 #if defined(MBEDTLS_GCM_C)
883 if( MBEDTLS_MODE_GCM
== ctx
->cipher_info
->mode
)
888 ret
= mbedtls_gcm_auth_decrypt( ctx
->cipher_ctx
, ilen
,
889 iv
, iv_len
, ad
, ad_len
,
890 tag
, tag_len
, input
, output
);
892 if( ret
== MBEDTLS_ERR_GCM_AUTH_FAILED
)
893 ret
= MBEDTLS_ERR_CIPHER_AUTH_FAILED
;
897 #endif /* MBEDTLS_GCM_C */
898 #if defined(MBEDTLS_CCM_C)
899 if( MBEDTLS_MODE_CCM
== ctx
->cipher_info
->mode
)
904 ret
= mbedtls_ccm_auth_decrypt( ctx
->cipher_ctx
, ilen
,
905 iv
, iv_len
, ad
, ad_len
,
906 input
, output
, tag
, tag_len
);
908 if( ret
== MBEDTLS_ERR_CCM_AUTH_FAILED
)
909 ret
= MBEDTLS_ERR_CIPHER_AUTH_FAILED
;
913 #endif /* MBEDTLS_CCM_C */
915 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
);
917 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
919 #endif /* MBEDTLS_CIPHER_C */