Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / f8ab069d6aed6fd25bf1c1ee06e4f2dd0d93076d / . / library / cipher.c
blob: 0f545adf218be4470beaaec93bfcbe0b70dc457e [file] [log] [blame]
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]1/**
2 * \file cipher.c
3 *
4 * \brief Generic cipher wrapper for PolarSSL
5 *
6 * \author Adriaan de Jong <dejong@fox-it.com>
7 *
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]8 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]9 *
10 * This file is part of PolarSSL (http://www.polarssl.org)
11 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
12 *
13 * All rights reserved.
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License along
26 * with this program; if not, write to the Free Software Foundation, Inc.,
27 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 */
29
30#include "polarssl/config.h"
31
32#if defined(POLARSSL_CIPHER_C)
33
34#include "polarssl/cipher.h"
35#include "polarssl/cipher_wrap.h"
36
Manuel Pégourié-Gonnard07f8fa52013-08-30 18:34:08 +0200[diff] [blame]37#if defined(POLARSSL_GCM_C)
38#include "polarssl/gcm.h"
39#endif
40
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]41#include <stdlib.h>
42
Manuel Pégourié-Gonnardb5e85882013-08-28 16:36:14 +0200[diff] [blame]43#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
Manuel Pégourié-Gonnard37e230c2013-08-28 13:50:42 +0200[diff] [blame]44#define POLARSSL_CIPHER_MODE_STREAM
45#endif
46
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]47#if defined _MSC_VER && !defined strcasecmp
48#define strcasecmp _stricmp
49#endif
50
Manuel Pégourié-Gonnarddace82f2013-09-18 15:12:07 +0200[diff] [blame]51static int supported_init = 0;
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]52
53const int *cipher_list( void )
54{
Manuel Pégourié-Gonnarddace82f2013-09-18 15:12:07 +0200[diff] [blame]55 const cipher_definition_t *def;
56 int *type;
57
58 if( ! supported_init )
59 {
60 def = cipher_definitions;
61 type = supported_ciphers;
62
63 while( def->type != 0 )
64 *type++ = (*def++).type;
65
66 *type = 0;
67
68 supported_init = 1;
69 }
70
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]71 return supported_ciphers;
72}
73
Paul Bakkerec1b9842012-01-14 18:24:43 +0000[diff] [blame]74const cipher_info_t *cipher_info_from_type( const cipher_type_t cipher_type )
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]75{
Manuel Pégourié-Gonnarddace82f2013-09-18 15:12:07 +0200[diff] [blame]76 const cipher_definition_t *def;
Paul Bakker5e0efa72013-09-08 23:04:04 +0200[diff] [blame]77
Manuel Pégourié-Gonnarddace82f2013-09-18 15:12:07 +0200[diff] [blame]78 for( def = cipher_definitions; def->info != NULL; def++ )
79 if( def->type == cipher_type )
80 return( def->info );
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]81
Manuel Pégourié-Gonnarddace82f2013-09-18 15:12:07 +0200[diff] [blame]82 return NULL;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]83}
84
85const cipher_info_t *cipher_info_from_string( const char *cipher_name )
86{
Manuel Pégourié-Gonnarddace82f2013-09-18 15:12:07 +0200[diff] [blame]87 const cipher_definition_t *def;
88
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]89 if( NULL == cipher_name )
90 return NULL;
91
Manuel Pégourié-Gonnarddace82f2013-09-18 15:12:07 +0200[diff] [blame]92 for( def = cipher_definitions; def->info != NULL; def++ )
93 if( ! strcasecmp( def->info->name, cipher_name ) )
94 return( def->info );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]95
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]96 return NULL;
97}
98
Paul Bakkerf46b6952013-09-09 00:08:26 +0200[diff] [blame]99const cipher_info_t *cipher_info_from_values( const cipher_id_t cipher_id,
100 int key_length,
101 const cipher_mode_t mode )
102{
Manuel Pégourié-Gonnarddace82f2013-09-18 15:12:07 +0200[diff] [blame]103 const cipher_definition_t *def;
Paul Bakkerf46b6952013-09-09 00:08:26 +0200[diff] [blame]104
Manuel Pégourié-Gonnarddace82f2013-09-18 15:12:07 +0200[diff] [blame]105 for( def = cipher_definitions; def->info != NULL; def++ )
106 if( def->info->base->cipher == cipher_id &&
107 def->info->key_length == (unsigned) key_length &&
108 def->info->mode == mode )
109 return( def->info );
Paul Bakkerf46b6952013-09-09 00:08:26 +0200[diff] [blame]110
111 return NULL;
112}
113
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]114int cipher_init_ctx( cipher_context_t *ctx, const cipher_info_t *cipher_info )
115{
116 if( NULL == cipher_info || NULL == ctx )
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]117 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]118
Paul Bakker279432a2012-04-26 10:09:35 +0000[diff] [blame]119 memset( ctx, 0, sizeof( cipher_context_t ) );
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]120
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]121 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]122 return POLARSSL_ERR_CIPHER_ALLOC_FAILED;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]123
124 ctx->cipher_info = cipher_info;
125
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]126#if defined(POLARSSL_CIPHER_MODE_WITH_PADDING)
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]127 /*
128 * Ignore possible errors caused by a cipher mode that doesn't use padding
129 */
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]130#if defined(POLARSSL_CIPHER_PADDING_PKCS7)
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]131 (void) cipher_set_padding_mode( ctx, POLARSSL_PADDING_PKCS7 );
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]132#else
133 (void) cipher_set_padding_mode( ctx, POLARSSL_PADDING_NONE );
134#endif
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]135#endif /* POLARSSL_CIPHER_MODE_WITH_PADDING */
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]136
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]137 return 0;
138}
139
140int cipher_free_ctx( cipher_context_t *ctx )
141{
142 if( ctx == NULL || ctx->cipher_info == NULL )
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]143 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]144
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]145 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]146
147 return 0;
148}
149
150int cipher_setkey( cipher_context_t *ctx, const unsigned char *key,
151 int key_length, const operation_t operation )
152{
153 if( NULL == ctx || NULL == ctx->cipher_info )
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]154 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]155
Manuel Pégourié-Gonnarddd0f57f2013-09-16 11:47:43 +0200[diff] [blame]156 if( (int) ctx->cipher_info->key_length != key_length )
157 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
158
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]159 ctx->key_length = key_length;
160 ctx->operation = operation;
161
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]162 /*
Paul Bakker6132d0a2012-07-04 17:10:40 +0000[diff] [blame]163 * For CFB and CTR mode always use the encryption key schedule
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]164 */
165 if( POLARSSL_ENCRYPT == operation ||
Paul Bakker6132d0a2012-07-04 17:10:40 +0000[diff] [blame]166 POLARSSL_MODE_CFB == ctx->cipher_info->mode ||
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]167 POLARSSL_MODE_CTR == ctx->cipher_info->mode )
168 {
169 return ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]170 ctx->key_length );
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]171 }
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]172
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]173 if( POLARSSL_DECRYPT == operation )
174 return ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]175 ctx->key_length );
176
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]177 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]178}
179
Manuel Pégourié-Gonnard9c853b92013-09-03 13:04:44 +0200[diff] [blame]180int cipher_set_iv( cipher_context_t *ctx,
181 const unsigned char *iv, size_t iv_len )
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]182{
Manuel Pégourié-Gonnarda235b5b2013-09-03 13:25:52 +0200[diff] [blame]183 size_t actual_iv_size;
Manuel Pégourié-Gonnard9c853b92013-09-03 13:04:44 +0200[diff] [blame]184
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]185 if( NULL == ctx || NULL == ctx->cipher_info || NULL == iv )
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]186 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]187
Manuel Pégourié-Gonnarda235b5b2013-09-03 13:25:52 +0200[diff] [blame]188 if( ctx->cipher_info->accepts_variable_iv_size )
189 actual_iv_size = iv_len;
190 else
191 actual_iv_size = ctx->cipher_info->iv_size;
Manuel Pégourié-Gonnard9c853b92013-09-03 13:04:44 +0200[diff] [blame]192
Manuel Pégourié-Gonnarda235b5b2013-09-03 13:25:52 +0200[diff] [blame]193 memcpy( ctx->iv, iv, actual_iv_size );
194 ctx->iv_size = actual_iv_size;
Manuel Pégourié-Gonnard9c853b92013-09-03 13:04:44 +0200[diff] [blame]195
196 return 0;
197}
198
Manuel Pégourié-Gonnard2adc40c2013-09-03 13:54:12 +0200[diff] [blame]199int cipher_reset( cipher_context_t *ctx )
Manuel Pégourié-Gonnard9c853b92013-09-03 13:04:44 +0200[diff] [blame]200{
Manuel Pégourié-Gonnard2adc40c2013-09-03 13:54:12 +0200[diff] [blame]201 if( NULL == ctx || NULL == ctx->cipher_info )
202 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
203
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]204 ctx->unprocessed_len = 0;
205
Manuel Pégourié-Gonnard2adc40c2013-09-03 13:54:12 +0200[diff] [blame]206 return 0;
207}
208
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]209#if defined(POLARSSL_CIPHER_MODE_AEAD)
Manuel Pégourié-Gonnard2adc40c2013-09-03 13:54:12 +0200[diff] [blame]210int cipher_update_ad( cipher_context_t *ctx,
211 const unsigned char *ad, size_t ad_len )
212{
213 if( NULL == ctx || NULL == ctx->cipher_info )
214 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
215
Manuel Pégourié-Gonnard07f8fa52013-08-30 18:34:08 +0200[diff] [blame]216#if defined(POLARSSL_GCM_C)
217 if( POLARSSL_MODE_GCM == ctx->cipher_info->mode )
218 {
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]219 return gcm_starts( (gcm_context *) ctx->cipher_ctx, ctx->operation,
Manuel Pégourié-Gonnard9c853b92013-09-03 13:04:44 +0200[diff] [blame]220 ctx->iv, ctx->iv_size, ad, ad_len );
Manuel Pégourié-Gonnard07f8fa52013-08-30 18:34:08 +0200[diff] [blame]221 }
222#endif
223
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]224 return 0;
225}
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]226#endif /* POLARSSL_CIPHER_MODE_AEAD */
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]227
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]228int cipher_update( cipher_context_t *ctx, const unsigned char *input, size_t ilen,
229 unsigned char *output, size_t *olen )
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]230{
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]231 int ret;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]232
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]233 *olen = 0;
234
235 if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
Paul Bakkera885d682011-01-20 16:35:05 +0000[diff] [blame]236 {
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]237 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
Paul Bakkera885d682011-01-20 16:35:05 +0000[diff] [blame]238 }
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]239
Paul Bakker5e0efa72013-09-08 23:04:04 +0200[diff] [blame]240 if( ctx->cipher_info->mode == POLARSSL_MODE_ECB )
241 {
242 if( ilen != cipher_get_block_size( ctx ) )
243 return POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED;
244
245 *olen = ilen;
246
247 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
248 ctx->operation, input, output ) ) )
249 {
250 return ret;
251 }
252
253 return 0;
254 }
255
Manuel Pégourié-Gonnardb8bd5932013-09-05 13:38:15 +0200[diff] [blame]256#if defined(POLARSSL_GCM_C)
Paul Bakker5e0efa72013-09-08 23:04:04 +0200[diff] [blame]257 if( ctx->cipher_info->mode == POLARSSL_MODE_GCM )
Manuel Pégourié-Gonnardb8bd5932013-09-05 13:38:15 +0200[diff] [blame]258 {
259 *olen = ilen;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]260 return gcm_update( (gcm_context *) ctx->cipher_ctx, ilen, input,
261 output );
Manuel Pégourié-Gonnardb8bd5932013-09-05 13:38:15 +0200[diff] [blame]262 }
263#endif
264
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]265 if( input == output &&
266 ( ctx->unprocessed_len != 0 || ilen % cipher_get_block_size( ctx ) ) )
267 {
268 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
269 }
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]270
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]271#if defined(POLARSSL_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardb8bd5932013-09-05 13:38:15 +0200[diff] [blame]272 if( ctx->cipher_info->mode == POLARSSL_MODE_CBC )
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]273 {
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]274 size_t copy_len = 0;
275
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]276 /*
277 * If there is not enough data for a full block, cache it.
278 */
279 if( ( ctx->operation == POLARSSL_DECRYPT &&
280 ilen + ctx->unprocessed_len <= cipher_get_block_size( ctx ) ) ||
281 ( ctx->operation == POLARSSL_ENCRYPT &&
282 ilen + ctx->unprocessed_len < cipher_get_block_size( ctx ) ) )
283 {
284 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
285 ilen );
286
287 ctx->unprocessed_len += ilen;
288 return 0;
289 }
290
291 /*
292 * Process cached data first
293 */
294 if( ctx->unprocessed_len != 0 )
295 {
296 copy_len = cipher_get_block_size( ctx ) - ctx->unprocessed_len;
297
298 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
299 copy_len );
300
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]301 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]302 ctx->operation, cipher_get_block_size( ctx ), ctx->iv,
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]303 ctx->unprocessed_data, output ) ) )
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]304 {
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]305 return ret;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]306 }
307
308 *olen += cipher_get_block_size( ctx );
309 output += cipher_get_block_size( ctx );
310 ctx->unprocessed_len = 0;
311
312 input += copy_len;
313 ilen -= copy_len;
314 }
315
316 /*
317 * Cache final, incomplete block
318 */
319 if( 0 != ilen )
320 {
321 copy_len = ilen % cipher_get_block_size( ctx );
322 if( copy_len == 0 && ctx->operation == POLARSSL_DECRYPT )
323 copy_len = cipher_get_block_size(ctx);
324
325 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
326 copy_len );
327
328 ctx->unprocessed_len += copy_len;
329 ilen -= copy_len;
330 }
331
332 /*
333 * Process remaining full blocks
334 */
335 if( ilen )
336 {
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]337 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
338 ctx->operation, ilen, ctx->iv, input, output ) ) )
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]339 {
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]340 return ret;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]341 }
Manuel Pégourié-Gonnard07f8fa52013-08-30 18:34:08 +0200[diff] [blame]342
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]343 *olen += ilen;
344 }
345
346 return 0;
347 }
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]348#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]349
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]350#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker6132d0a2012-07-04 17:10:40 +0000[diff] [blame]351 if( ctx->cipher_info->mode == POLARSSL_MODE_CFB )
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]352 {
Paul Bakker6132d0a2012-07-04 17:10:40 +0000[diff] [blame]353 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]354 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]355 input, output ) ) )
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]356 {
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]357 return ret;
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]358 }
359
360 *olen = ilen;
361
362 return 0;
363 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]364#endif
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]365
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]366#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]367 if( ctx->cipher_info->mode == POLARSSL_MODE_CTR )
368 {
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]369 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]370 ilen, &ctx->unprocessed_len, ctx->iv,
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]371 ctx->unprocessed_data, input, output ) ) )
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]372 {
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]373 return ret;
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]374 }
375
376 *olen = ilen;
377
378 return 0;
379 }
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]380#endif
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]381
Manuel Pégourié-Gonnard37e230c2013-08-28 13:50:42 +0200[diff] [blame]382#if defined(POLARSSL_CIPHER_MODE_STREAM)
383 if( ctx->cipher_info->mode == POLARSSL_MODE_STREAM )
384 {
385 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
386 ilen, input, output ) ) )
387 {
388 return ret;
389 }
390
391 *olen = ilen;
392
393 return 0;
394 }
395#endif
396
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]397 return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]398}
399
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]400#if defined(POLARSSL_CIPHER_MODE_WITH_PADDING)
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]401#if defined(POLARSSL_CIPHER_PADDING_PKCS7)
Manuel Pégourié-Gonnard679f9e92013-07-26 12:46:02 +0200[diff] [blame]402/*
403 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
404 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]405static void add_pkcs_padding( unsigned char *output, size_t output_len,
406 size_t data_len )
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]407{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]408 size_t padding_len = output_len - data_len;
Manuel Pégourié-Gonnardf8ab0692013-10-27 17:21:14 +0100[diff] [blame^]409 unsigned char i;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]410
411 for( i = 0; i < padding_len; i++ )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]412 output[data_len + i] = (unsigned char) padding_len;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]413}
414
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]415static int get_pkcs_padding( unsigned char *input, size_t input_len,
416 size_t *data_len )
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]417{
Manuel Pégourié-Gonnardf8ab0692013-10-27 17:21:14 +0100[diff] [blame^]418 size_t i, pad_idx;
419 unsigned char padding_len, bad = 0;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]420
Paul Bakkera885d682011-01-20 16:35:05 +0000[diff] [blame]421 if( NULL == input || NULL == data_len )
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]422 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]423
424 padding_len = input[input_len - 1];
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]425 *data_len = input_len - padding_len;
426
Manuel Pégourié-Gonnardf8ab0692013-10-27 17:21:14 +0100[diff] [blame^]427 /* Avoid logical || since it results in a branch */
428 bad |= padding_len > input_len;
429 bad |= padding_len == 0;
430
431 /* The number of bytes checked must be independent of padding_len,
432 * so pick input_len, which is usually 8 or 16 (one block) */
433 pad_idx = input_len - padding_len;
434 for( i = 0; i < input_len; i++ )
435 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
436
437 return POLARSSL_ERR_CIPHER_INVALID_PADDING * (bad != 0);
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]438}
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]439#endif /* POLARSSL_CIPHER_PADDING_PKCS7 */
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]440
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]441#if defined(POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS)
Manuel Pégourié-Gonnard679f9e92013-07-26 12:46:02 +0200[diff] [blame]442/*
443 * One and zeros padding: fill with 80 00 ... 00
444 */
445static void add_one_and_zeros_padding( unsigned char *output,
446 size_t output_len, size_t data_len )
447{
448 size_t padding_len = output_len - data_len;
449 unsigned char i = 0;
450
451 output[data_len] = 0x80;
452 for( i = 1; i < padding_len; i++ )
453 output[data_len + i] = 0x00;
454}
455
456static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
457 size_t *data_len )
458{
459 unsigned char *p = input + input_len - 1;
460
461 if( NULL == input || NULL == data_len )
462 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
463
464 while( *p == 0x00 && p > input )
465 --p;
466
467 if( *p != 0x80 )
468 return POLARSSL_ERR_CIPHER_INVALID_PADDING;
469
470 *data_len = p - input;
471
472 return 0;
473}
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]474#endif /* POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS */
Manuel Pégourié-Gonnard679f9e92013-07-26 12:46:02 +0200[diff] [blame]475
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]476#if defined(POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN)
Manuel Pégourié-Gonnard8d4291b2013-07-26 14:55:18 +0200[diff] [blame]477/*
478 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
479 */
480static void add_zeros_and_len_padding( unsigned char *output,
481 size_t output_len, size_t data_len )
482{
483 size_t padding_len = output_len - data_len;
484 unsigned char i = 0;
485
486 for( i = 1; i < padding_len; i++ )
487 output[data_len + i - 1] = 0x00;
488 output[output_len - 1] = (unsigned char) padding_len;
489}
490
491static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
492 size_t *data_len )
493{
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]494 size_t i, padding_len = 0;
Manuel Pégourié-Gonnard8d4291b2013-07-26 14:55:18 +0200[diff] [blame]495
496 if( NULL == input || NULL == data_len )
497 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
498
499 padding_len = input[input_len - 1];
500
501 if( padding_len > input_len || padding_len == 0 )
502 return POLARSSL_ERR_CIPHER_INVALID_PADDING;
503
504 for( i = input_len - padding_len; i < input_len - 1; i++ )
505 if( input[i] != 0x00 )
506 return POLARSSL_ERR_CIPHER_INVALID_PADDING;
507
508 *data_len = input_len - padding_len;
509
510 return 0;
511}
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]512#endif /* POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN */
Manuel Pégourié-Gonnard8d4291b2013-07-26 14:55:18 +0200[diff] [blame]513
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]514#if defined(POLARSSL_CIPHER_PADDING_ZEROS)
Manuel Pégourié-Gonnard0e7d2c02013-07-26 16:05:14 +0200[diff] [blame]515/*
516 * Zero padding: fill with 00 ... 00
517 */
518static void add_zeros_padding( unsigned char *output,
519 size_t output_len, size_t data_len )
520{
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]521 size_t i;
Manuel Pégourié-Gonnard0e7d2c02013-07-26 16:05:14 +0200[diff] [blame]522
523 for( i = data_len; i < output_len; i++ )
524 output[i] = 0x00;
525}
526
527static int get_zeros_padding( unsigned char *input, size_t input_len,
528 size_t *data_len )
529{
530 unsigned char *p = input + input_len - 1;
531 if( NULL == input || NULL == data_len )
532 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
533
534 while( *p == 0x00 && p > input )
535 --p;
536
537 *data_len = *p == 0x00 ? 0 : p - input + 1;
538
539 return 0;
540}
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]541#endif /* POLARSSL_CIPHER_PADDING_ZEROS */
Manuel Pégourié-Gonnard0e7d2c02013-07-26 16:05:14 +0200[diff] [blame]542
Manuel Pégourié-Gonnardebdc4132013-07-26 16:50:44 +0200[diff] [blame]543/*
544 * No padding: don't pad :)
545 *
546 * There is no add_padding function (check for NULL in cipher_finish)
547 * but a trivial get_padding function
548 */
549static int get_no_padding( unsigned char *input, size_t input_len,
550 size_t *data_len )
551{
552 if( NULL == input || NULL == data_len )
553 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
554
555 *data_len = input_len;
556
557 return 0;
558}
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]559#endif /* POLARSSL_CIPHER_MODE_WITH_PADDING */
Manuel Pégourié-Gonnardebdc4132013-07-26 16:50:44 +0200[diff] [blame]560
Manuel Pégourié-Gonnard9241be72013-08-31 17:31:03 +0200[diff] [blame]561int cipher_finish( cipher_context_t *ctx,
Manuel Pégourié-Gonnardaa9ffc52013-09-03 16:19:22 +0200[diff] [blame]562 unsigned char *output, size_t *olen )
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]563{
564 if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]565 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]566
567 *olen = 0;
568
Paul Bakker6132d0a2012-07-04 17:10:40 +0000[diff] [blame]569 if( POLARSSL_MODE_CFB == ctx->cipher_info->mode ||
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]570 POLARSSL_MODE_CTR == ctx->cipher_info->mode ||
Manuel Pégourié-Gonnardb8bd5932013-09-05 13:38:15 +0200[diff] [blame]571 POLARSSL_MODE_GCM == ctx->cipher_info->mode ||
Manuel Pégourié-Gonnardb5e85882013-08-28 16:36:14 +0200[diff] [blame]572 POLARSSL_MODE_STREAM == ctx->cipher_info->mode )
Paul Bakker343a8702011-06-09 14:27:58 +0000[diff] [blame]573 {
574 return 0;
575 }
576
Paul Bakker5e0efa72013-09-08 23:04:04 +0200[diff] [blame]577 if( POLARSSL_MODE_ECB == ctx->cipher_info->mode )
578 {
579 if( ctx->unprocessed_len != 0 )
580 return POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED;
581
582 return 0;
583 }
584
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]585#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]586 if( POLARSSL_MODE_CBC == ctx->cipher_info->mode )
587 {
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]588 int ret = 0;
589
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]590 if( POLARSSL_ENCRYPT == ctx->operation )
591 {
Manuel Pégourié-Gonnardebdc4132013-07-26 16:50:44 +0200[diff] [blame]592 /* check for 'no padding' mode */
593 if( NULL == ctx->add_padding )
594 {
595 if( 0 != ctx->unprocessed_len )
596 return POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED;
597
598 return 0;
599 }
600
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]601 ctx->add_padding( ctx->unprocessed_data, cipher_get_iv_size( ctx ),
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]602 ctx->unprocessed_len );
603 }
604 else if ( cipher_get_block_size( ctx ) != ctx->unprocessed_len )
605 {
Manuel Pégourié-Gonnardebdc4132013-07-26 16:50:44 +0200[diff] [blame]606 /*
607 * For decrypt operations, expect a full block,
608 * or an empty block if no padding
609 */
610 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
611 return 0;
612
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]613 return POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]614 }
615
616 /* cipher block */
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]617 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
618 ctx->operation, cipher_get_block_size( ctx ), ctx->iv,
619 ctx->unprocessed_data, output ) ) )
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]620 {
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]621 return ret;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]622 }
623
624 /* Set output size for decryption */
625 if( POLARSSL_DECRYPT == ctx->operation )
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]626 return ctx->get_padding( output, cipher_get_block_size( ctx ),
627 olen );
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]628
629 /* Set output size for encryption */
630 *olen = cipher_get_block_size( ctx );
631 return 0;
632 }
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]633#else
634 ((void) output);
635#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]636
Paul Bakkerff61a782011-06-09 15:42:02 +0000[diff] [blame]637 return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]638}
639
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]640#if defined(POLARSSL_CIPHER_MODE_WITH_PADDING)
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]641int cipher_set_padding_mode( cipher_context_t *ctx, cipher_padding_t mode )
642{
643 if( NULL == ctx ||
644 POLARSSL_MODE_CBC != ctx->cipher_info->mode )
645 {
646 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
647 }
648
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]649 switch( mode )
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]650 {
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]651#if defined(POLARSSL_CIPHER_PADDING_PKCS7)
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]652 case POLARSSL_PADDING_PKCS7:
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]653 ctx->add_padding = add_pkcs_padding;
654 ctx->get_padding = get_pkcs_padding;
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]655 break;
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]656#endif
657#if defined(POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS)
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]658 case POLARSSL_PADDING_ONE_AND_ZEROS:
Manuel Pégourié-Gonnard679f9e92013-07-26 12:46:02 +0200[diff] [blame]659 ctx->add_padding = add_one_and_zeros_padding;
660 ctx->get_padding = get_one_and_zeros_padding;
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]661 break;
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]662#endif
663#if defined(POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN)
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]664 case POLARSSL_PADDING_ZEROS_AND_LEN:
Manuel Pégourié-Gonnard8d4291b2013-07-26 14:55:18 +0200[diff] [blame]665 ctx->add_padding = add_zeros_and_len_padding;
666 ctx->get_padding = get_zeros_and_len_padding;
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]667 break;
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]668#endif
669#if defined(POLARSSL_CIPHER_PADDING_ZEROS)
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]670 case POLARSSL_PADDING_ZEROS:
Manuel Pégourié-Gonnard0e7d2c02013-07-26 16:05:14 +0200[diff] [blame]671 ctx->add_padding = add_zeros_padding;
672 ctx->get_padding = get_zeros_padding;
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]673 break;
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]674#endif
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]675 case POLARSSL_PADDING_NONE:
Manuel Pégourié-Gonnardebdc4132013-07-26 16:50:44 +0200[diff] [blame]676 ctx->add_padding = NULL;
677 ctx->get_padding = get_no_padding;
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]678 break;
679
680 default:
Paul Bakker48e93c82013-08-14 12:21:18 +0200[diff] [blame]681 return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnardebdc4132013-07-26 16:50:44 +0200[diff] [blame]682 }
683
Paul Bakker1a45d912013-08-14 12:04:26 +0200[diff] [blame]684 return 0;
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]685}
Manuel Pégourié-Gonnard989ed382013-09-13 14:41:45 +0200[diff] [blame]686#endif /* POLARSSL_CIPHER_MODE_WITH_PADDING */
Manuel Pégourié-Gonnardac56a1a2013-07-25 12:31:10 +0200[diff] [blame]687
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]688#if defined(POLARSSL_CIPHER_MODE_AEAD)
Manuel Pégourié-Gonnardaa9ffc52013-09-03 16:19:22 +0200[diff] [blame]689int cipher_write_tag( cipher_context_t *ctx,
690 unsigned char *tag, size_t tag_len )
691{
692 if( NULL == ctx || NULL == ctx->cipher_info || NULL == tag )
693 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
694
Manuel Pégourié-Gonnardaa9ffc52013-09-03 16:19:22 +0200[diff] [blame]695 if( POLARSSL_ENCRYPT != ctx->operation )
696 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
697
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]698#if defined(POLARSSL_GCM_C)
699 if( POLARSSL_MODE_GCM == ctx->cipher_info->mode )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]700 return gcm_finish( (gcm_context *) ctx->cipher_ctx, tag, tag_len );
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]701#endif
702
703 return 0;
Manuel Pégourié-Gonnardaa9ffc52013-09-03 16:19:22 +0200[diff] [blame]704}
705
706int cipher_check_tag( cipher_context_t *ctx,
707 const unsigned char *tag, size_t tag_len )
708{
709 int ret;
Manuel Pégourié-Gonnardaa9ffc52013-09-03 16:19:22 +0200[diff] [blame]710
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]711 if( NULL == ctx || NULL == ctx->cipher_info ||
712 POLARSSL_DECRYPT != ctx->operation )
713 {
Manuel Pégourié-Gonnardaa9ffc52013-09-03 16:19:22 +0200[diff] [blame]714 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]715 }
Manuel Pégourié-Gonnardaa9ffc52013-09-03 16:19:22 +0200[diff] [blame]716
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]717#if defined(POLARSSL_GCM_C)
718 if( POLARSSL_MODE_GCM == ctx->cipher_info->mode )
719 {
720 unsigned char check_tag[16];
721 size_t i;
722 int diff;
723
724 if( tag_len > sizeof( check_tag ) )
725 return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
726
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]727 if( 0 != ( ret = gcm_finish( (gcm_context *) ctx->cipher_ctx,
728 check_tag, tag_len ) ) )
729 {
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]730 return( ret );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200[diff] [blame]731 }
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]732
733 /* Check the tag in "constant-time" */
734 for( diff = 0, i = 0; i < tag_len; i++ )
735 diff |= tag[i] ^ check_tag[i];
736
737 if( diff != 0 )
Manuel Pégourié-Gonnard4fee79b2013-09-19 18:09:14 +0200[diff] [blame]738 return( POLARSSL_ERR_CIPHER_AUTH_FAILED );
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]739
Manuel Pégourié-Gonnardaa9ffc52013-09-03 16:19:22 +0200[diff] [blame]740 return( 0 );
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]741 }
742#endif
Manuel Pégourié-Gonnardaa9ffc52013-09-03 16:19:22 +0200[diff] [blame]743
744 return( 0 );
745}
Manuel Pégourié-Gonnard43a47802013-09-03 16:35:53 +0200[diff] [blame]746#endif /* POLARSSL_CIPHER_MODE_AEAD */
Manuel Pégourié-Gonnardaa9ffc52013-09-03 16:19:22 +0200[diff] [blame]747
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]748#if defined(POLARSSL_SELF_TEST)
749
750#include <stdio.h>
751
752#define ASSERT(x) if (!(x)) { \
753 printf( "failed with %i at %s\n", value, (#x) ); \
754 return( 1 ); \
755}
756/*
757 * Checkup routine
758 */
759
760int cipher_self_test( int verbose )
761{
Paul Bakkerd61e7d92011-01-18 16:17:47 +0000[diff] [blame]762 ((void) verbose);
763
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]764 return( 0 );
765}
766
767#endif
768
769#endif