| /* |
| * PSA cipher driver entry points |
| */ |
| /* |
| * Copyright The Mbed TLS Contributors |
| * SPDX-License-Identifier: Apache-2.0 |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| * not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include "common.h" |
| |
| #if defined(MBEDTLS_PSA_CRYPTO_C) |
| |
| #include <psa_crypto_cipher.h> |
| #include "psa_crypto_core.h" |
| #include "psa_crypto_random_impl.h" |
| |
| #include "mbedtls/cipher.h" |
| #include "mbedtls/error.h" |
| |
| #include <string.h> |
| |
| const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( |
| psa_algorithm_t alg, |
| psa_key_type_t key_type, |
| size_t key_bits, |
| mbedtls_cipher_id_t* cipher_id ) |
| { |
| mbedtls_cipher_mode_t mode; |
| mbedtls_cipher_id_t cipher_id_tmp; |
| |
| if( PSA_ALG_IS_AEAD( alg ) ) |
| alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ); |
| |
| if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) ) |
| { |
| switch( alg ) |
| { |
| case PSA_ALG_STREAM_CIPHER: |
| mode = MBEDTLS_MODE_STREAM; |
| break; |
| case PSA_ALG_CTR: |
| mode = MBEDTLS_MODE_CTR; |
| break; |
| case PSA_ALG_CFB: |
| mode = MBEDTLS_MODE_CFB; |
| break; |
| case PSA_ALG_OFB: |
| mode = MBEDTLS_MODE_OFB; |
| break; |
| case PSA_ALG_ECB_NO_PADDING: |
| mode = MBEDTLS_MODE_ECB; |
| break; |
| case PSA_ALG_CBC_NO_PADDING: |
| mode = MBEDTLS_MODE_CBC; |
| break; |
| case PSA_ALG_CBC_PKCS7: |
| mode = MBEDTLS_MODE_CBC; |
| break; |
| case PSA_ALG_CCM_STAR_NO_TAG: |
| mode = MBEDTLS_MODE_CCM_STAR_NO_TAG; |
| break; |
| case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ): |
| mode = MBEDTLS_MODE_CCM; |
| break; |
| case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ): |
| mode = MBEDTLS_MODE_GCM; |
| break; |
| case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ): |
| mode = MBEDTLS_MODE_CHACHAPOLY; |
| break; |
| default: |
| return( NULL ); |
| } |
| } |
| else if( alg == PSA_ALG_CMAC ) |
| mode = MBEDTLS_MODE_ECB; |
| else |
| return( NULL ); |
| |
| switch( key_type ) |
| { |
| case PSA_KEY_TYPE_AES: |
| cipher_id_tmp = MBEDTLS_CIPHER_ID_AES; |
| break; |
| case PSA_KEY_TYPE_ARIA: |
| cipher_id_tmp = MBEDTLS_CIPHER_ID_ARIA; |
| break; |
| case PSA_KEY_TYPE_DES: |
| /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES, |
| * and 192 for three-key Triple-DES. */ |
| if( key_bits == 64 ) |
| cipher_id_tmp = MBEDTLS_CIPHER_ID_DES; |
| else |
| cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES; |
| /* mbedtls doesn't recognize two-key Triple-DES as an algorithm, |
| * but two-key Triple-DES is functionally three-key Triple-DES |
| * with K1=K3, so that's how we present it to mbedtls. */ |
| if( key_bits == 128 ) |
| key_bits = 192; |
| break; |
| case PSA_KEY_TYPE_CAMELLIA: |
| cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA; |
| break; |
| case PSA_KEY_TYPE_CHACHA20: |
| cipher_id_tmp = MBEDTLS_CIPHER_ID_CHACHA20; |
| break; |
| default: |
| return( NULL ); |
| } |
| if( cipher_id != NULL ) |
| *cipher_id = cipher_id_tmp; |
| |
| return( mbedtls_cipher_info_from_values( cipher_id_tmp, |
| (int) key_bits, mode ) ); |
| } |
| |
| #if defined(MBEDTLS_PSA_BUILTIN_CIPHER) |
| |
| static psa_status_t psa_cipher_setup( |
| mbedtls_psa_cipher_operation_t *operation, |
| const psa_key_attributes_t *attributes, |
| const uint8_t *key_buffer, size_t key_buffer_size, |
| psa_algorithm_t alg, |
| mbedtls_operation_t cipher_operation ) |
| { |
| int ret = 0; |
| size_t key_bits; |
| const mbedtls_cipher_info_t *cipher_info = NULL; |
| psa_key_type_t key_type = attributes->core.type; |
| |
| (void)key_buffer_size; |
| |
| mbedtls_cipher_init( &operation->ctx.cipher ); |
| |
| operation->alg = alg; |
| key_bits = attributes->core.bits; |
| cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, |
| key_bits, NULL ); |
| if( cipher_info == NULL ) |
| return( PSA_ERROR_NOT_SUPPORTED ); |
| |
| ret = mbedtls_cipher_setup( &operation->ctx.cipher, cipher_info ); |
| if( ret != 0 ) |
| goto exit; |
| |
| #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) |
| if( key_type == PSA_KEY_TYPE_DES && key_bits == 128 ) |
| { |
| /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */ |
| uint8_t keys[24]; |
| memcpy( keys, key_buffer, 16 ); |
| memcpy( keys + 16, key_buffer, 8 ); |
| ret = mbedtls_cipher_setkey( &operation->ctx.cipher, |
| keys, |
| 192, cipher_operation ); |
| } |
| else |
| #endif |
| { |
| ret = mbedtls_cipher_setkey( &operation->ctx.cipher, key_buffer, |
| (int) key_bits, cipher_operation ); |
| } |
| if( ret != 0 ) |
| goto exit; |
| |
| #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ |
| defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) |
| switch( alg ) |
| { |
| case PSA_ALG_CBC_NO_PADDING: |
| ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher, |
| MBEDTLS_PADDING_NONE ); |
| break; |
| case PSA_ALG_CBC_PKCS7: |
| ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher, |
| MBEDTLS_PADDING_PKCS7 ); |
| break; |
| default: |
| /* The algorithm doesn't involve padding. */ |
| ret = 0; |
| break; |
| } |
| if( ret != 0 ) |
| goto exit; |
| #endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING || |
| MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 */ |
| |
| operation->block_length = ( PSA_ALG_IS_STREAM_CIPHER( alg ) ? 1 : |
| PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type ) ); |
| operation->iv_length = PSA_CIPHER_IV_LENGTH( key_type, alg ); |
| |
| exit: |
| return( mbedtls_to_psa_error( ret ) ); |
| } |
| |
| psa_status_t mbedtls_psa_cipher_encrypt_setup( |
| mbedtls_psa_cipher_operation_t *operation, |
| const psa_key_attributes_t *attributes, |
| const uint8_t *key_buffer, size_t key_buffer_size, |
| psa_algorithm_t alg ) |
| { |
| return( psa_cipher_setup( operation, attributes, |
| key_buffer, key_buffer_size, |
| alg, MBEDTLS_ENCRYPT ) ); |
| } |
| |
| psa_status_t mbedtls_psa_cipher_decrypt_setup( |
| mbedtls_psa_cipher_operation_t *operation, |
| const psa_key_attributes_t *attributes, |
| const uint8_t *key_buffer, size_t key_buffer_size, |
| psa_algorithm_t alg ) |
| { |
| return( psa_cipher_setup( operation, attributes, |
| key_buffer, key_buffer_size, |
| alg, MBEDTLS_DECRYPT ) ); |
| } |
| |
| psa_status_t mbedtls_psa_cipher_set_iv( |
| mbedtls_psa_cipher_operation_t *operation, |
| const uint8_t *iv, size_t iv_length ) |
| { |
| if( iv_length != operation->iv_length ) |
| return( PSA_ERROR_INVALID_ARGUMENT ); |
| |
| return( mbedtls_to_psa_error( |
| mbedtls_cipher_set_iv( &operation->ctx.cipher, |
| iv, iv_length ) ) ); |
| } |
| |
| /** Process input for which the algorithm is set to ECB mode. |
| * |
| * This requires manual processing, since the PSA API is defined as being |
| * able to process arbitrary-length calls to psa_cipher_update() with ECB mode, |
| * but the underlying mbedtls_cipher_update only takes full blocks. |
| * |
| * \param ctx The mbedtls cipher context to use. It must have been |
| * set up for ECB. |
| * \param[in] input The input plaintext or ciphertext to process. |
| * \param input_length The number of bytes to process from \p input. |
| * This does not need to be aligned to a block boundary. |
| * If there is a partial block at the end of the input, |
| * it is stored in \p ctx for future processing. |
| * \param output The buffer where the output is written. It must be |
| * at least `BS * floor((p + input_length) / BS)` bytes |
| * long, where `p` is the number of bytes in the |
| * unprocessed partial block in \p ctx (with |
| * `0 <= p <= BS - 1`) and `BS` is the block size. |
| * \param output_length On success, the number of bytes written to \p output. |
| * \c 0 on error. |
| * |
| * \return #PSA_SUCCESS or an error from a hardware accelerator |
| */ |
| static psa_status_t psa_cipher_update_ecb( |
| mbedtls_cipher_context_t *ctx, |
| const uint8_t *input, |
| size_t input_length, |
| uint8_t *output, |
| size_t *output_length ) |
| { |
| psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| size_t block_size = ctx->cipher_info->block_size; |
| size_t internal_output_length = 0; |
| *output_length = 0; |
| |
| if( input_length == 0 ) |
| { |
| status = PSA_SUCCESS; |
| goto exit; |
| } |
| |
| if( ctx->unprocessed_len > 0 ) |
| { |
| /* Fill up to block size, and run the block if there's a full one. */ |
| size_t bytes_to_copy = block_size - ctx->unprocessed_len; |
| |
| if( input_length < bytes_to_copy ) |
| bytes_to_copy = input_length; |
| |
| memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), |
| input, bytes_to_copy ); |
| input_length -= bytes_to_copy; |
| input += bytes_to_copy; |
| ctx->unprocessed_len += bytes_to_copy; |
| |
| if( ctx->unprocessed_len == block_size ) |
| { |
| status = mbedtls_to_psa_error( |
| mbedtls_cipher_update( ctx, |
| ctx->unprocessed_data, |
| block_size, |
| output, &internal_output_length ) ); |
| |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| |
| output += internal_output_length; |
| *output_length += internal_output_length; |
| ctx->unprocessed_len = 0; |
| } |
| } |
| |
| while( input_length >= block_size ) |
| { |
| /* Run all full blocks we have, one by one */ |
| status = mbedtls_to_psa_error( |
| mbedtls_cipher_update( ctx, input, |
| block_size, |
| output, &internal_output_length ) ); |
| |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| |
| input_length -= block_size; |
| input += block_size; |
| |
| output += internal_output_length; |
| *output_length += internal_output_length; |
| } |
| |
| if( input_length > 0 ) |
| { |
| /* Save unprocessed bytes for later processing */ |
| memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), |
| input, input_length ); |
| ctx->unprocessed_len += input_length; |
| } |
| |
| status = PSA_SUCCESS; |
| |
| exit: |
| return( status ); |
| } |
| |
| psa_status_t mbedtls_psa_cipher_update( |
| mbedtls_psa_cipher_operation_t *operation, |
| const uint8_t *input, size_t input_length, |
| uint8_t *output, size_t output_size, size_t *output_length ) |
| { |
| psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| size_t expected_output_size; |
| |
| if( ! PSA_ALG_IS_STREAM_CIPHER( operation->alg ) ) |
| { |
| /* Take the unprocessed partial block left over from previous |
| * update calls, if any, plus the input to this call. Remove |
| * the last partial block, if any. You get the data that will be |
| * output in this call. */ |
| expected_output_size = |
| ( operation->ctx.cipher.unprocessed_len + input_length ) |
| / operation->block_length * operation->block_length; |
| } |
| else |
| { |
| expected_output_size = input_length; |
| } |
| |
| if( output_size < expected_output_size ) |
| return( PSA_ERROR_BUFFER_TOO_SMALL ); |
| |
| if( operation->alg == PSA_ALG_ECB_NO_PADDING ) |
| { |
| /* mbedtls_cipher_update has an API inconsistency: it will only |
| * process a single block at a time in ECB mode. Abstract away that |
| * inconsistency here to match the PSA API behaviour. */ |
| status = psa_cipher_update_ecb( &operation->ctx.cipher, |
| input, |
| input_length, |
| output, |
| output_length ); |
| } |
| else |
| { |
| status = mbedtls_to_psa_error( |
| mbedtls_cipher_update( &operation->ctx.cipher, input, |
| input_length, output, output_length ) ); |
| |
| if( *output_length > output_size ) |
| return( PSA_ERROR_CORRUPTION_DETECTED ); |
| } |
| |
| return( status ); |
| } |
| |
| psa_status_t mbedtls_psa_cipher_finish( |
| mbedtls_psa_cipher_operation_t *operation, |
| uint8_t *output, size_t output_size, size_t *output_length ) |
| { |
| psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
| uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH]; |
| |
| if( operation->ctx.cipher.unprocessed_len != 0 ) |
| { |
| if( operation->alg == PSA_ALG_ECB_NO_PADDING || |
| operation->alg == PSA_ALG_CBC_NO_PADDING ) |
| { |
| status = PSA_ERROR_INVALID_ARGUMENT; |
| goto exit; |
| } |
| } |
| |
| status = mbedtls_to_psa_error( |
| mbedtls_cipher_finish( &operation->ctx.cipher, |
| temp_output_buffer, |
| output_length ) ); |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| |
| if( *output_length == 0 ) |
| ; /* Nothing to copy. Note that output may be NULL in this case. */ |
| else if( output_size >= *output_length ) |
| memcpy( output, temp_output_buffer, *output_length ); |
| else |
| status = PSA_ERROR_BUFFER_TOO_SMALL; |
| |
| exit: |
| mbedtls_platform_zeroize( temp_output_buffer, |
| sizeof( temp_output_buffer ) ); |
| |
| return( status ); |
| } |
| |
| psa_status_t mbedtls_psa_cipher_abort( |
| mbedtls_psa_cipher_operation_t *operation ) |
| { |
| /* Sanity check (shouldn't happen: operation->alg should |
| * always have been initialized to a valid value). */ |
| if( ! PSA_ALG_IS_CIPHER( operation->alg ) ) |
| return( PSA_ERROR_BAD_STATE ); |
| |
| mbedtls_cipher_free( &operation->ctx.cipher ); |
| |
| return( PSA_SUCCESS ); |
| } |
| |
| psa_status_t mbedtls_psa_cipher_encrypt( |
| const psa_key_attributes_t *attributes, |
| const uint8_t *key_buffer, |
| size_t key_buffer_size, |
| psa_algorithm_t alg, |
| const uint8_t *input, |
| size_t input_length, |
| uint8_t *output, |
| size_t output_size, |
| size_t *output_length ) |
| { |
| psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT; |
| size_t olength, accumulated_length; |
| |
| status = mbedtls_psa_cipher_encrypt_setup( &operation, attributes, |
| key_buffer, key_buffer_size, |
| alg ); |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| |
| accumulated_length = 0; |
| if( operation.iv_length > 0 ) |
| { |
| status = mbedtls_psa_cipher_set_iv( &operation, |
| output, operation.iv_length ); |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| |
| accumulated_length = operation.iv_length; |
| } |
| |
| status = mbedtls_psa_cipher_update( &operation, input, input_length, |
| output + operation.iv_length, |
| output_size - operation.iv_length, |
| &olength ); |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| |
| accumulated_length += olength; |
| |
| status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length, |
| output_size - accumulated_length, |
| &olength ); |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| |
| *output_length = accumulated_length + olength; |
| |
| exit: |
| if( status == PSA_SUCCESS ) |
| status = mbedtls_psa_cipher_abort( &operation ); |
| else |
| mbedtls_psa_cipher_abort( &operation ); |
| |
| return( status ); |
| } |
| |
| psa_status_t mbedtls_psa_cipher_decrypt( |
| const psa_key_attributes_t *attributes, |
| const uint8_t *key_buffer, |
| size_t key_buffer_size, |
| psa_algorithm_t alg, |
| const uint8_t *input, |
| size_t input_length, |
| uint8_t *output, |
| size_t output_size, |
| size_t *output_length ) |
| { |
| psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT; |
| size_t olength, accumulated_length; |
| |
| status = mbedtls_psa_cipher_decrypt_setup( &operation, attributes, |
| key_buffer, key_buffer_size, |
| alg ); |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| |
| if( operation.iv_length > 0 ) |
| { |
| status = mbedtls_psa_cipher_set_iv( &operation, |
| input, operation.iv_length ); |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| } |
| |
| status = mbedtls_psa_cipher_update( &operation, input + operation.iv_length, |
| input_length - operation.iv_length, |
| output, output_size, &olength ); |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| |
| accumulated_length = olength; |
| |
| status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length, |
| output_size - accumulated_length, |
| &olength ); |
| if( status != PSA_SUCCESS ) |
| goto exit; |
| |
| *output_length = accumulated_length + olength; |
| |
| exit: |
| if ( status == PSA_SUCCESS ) |
| status = mbedtls_psa_cipher_abort( &operation ); |
| else |
| mbedtls_psa_cipher_abort( &operation ); |
| |
| return( status ); |
| } |
| #endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ |
| |
| #endif /* MBEDTLS_PSA_CRYPTO_C */ |