4 * \brief Generic cipher wrapper for mbed TLS
6 * \author Adriaan de Jong <dejong@fox-it.com>
8 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
9 * SPDX-License-Identifier: Apache-2.0
11 * Licensed under the Apache License, Version 2.0 (the "License"); you may
12 * not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
15 * http://www.apache.org/licenses/LICENSE-2.0
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
23 * This file is part of mbed TLS (https://tls.mbed.org)
26 #if !defined(MBEDTLS_CONFIG_FILE)
27 #include "mbedtls/config.h"
29 #include MBEDTLS_CONFIG_FILE
32 #if defined(MBEDTLS_CIPHER_C)
34 #include "mbedtls/cipher.h"
35 #include "mbedtls/cipher_internal.h"
36 #include "mbedtls/platform_util.h"
41 #if defined(MBEDTLS_CHACHAPOLY_C)
42 #include "mbedtls/chachapoly.h"
45 #if defined(MBEDTLS_GCM_C)
46 #include "mbedtls/gcm.h"
49 #if defined(MBEDTLS_CCM_C)
50 #include "mbedtls/ccm.h"
53 #if defined(MBEDTLS_CHACHA20_C)
54 #include "mbedtls/chacha20.h"
57 #if defined(MBEDTLS_CMAC_C)
58 #include "mbedtls/cmac.h"
61 #if defined(MBEDTLS_USE_PSA_CRYPTO)
62 #include "psa/crypto.h"
63 #include "mbedtls/psa_util.h"
64 #endif /* MBEDTLS_USE_PSA_CRYPTO */
66 #if defined(MBEDTLS_NIST_KW_C)
67 #include "mbedtls/nist_kw.h"
70 #if defined(MBEDTLS_PLATFORM_C)
71 #include "mbedtls/platform.h"
73 #define mbedtls_calloc calloc
74 #define mbedtls_free free
77 #define CIPHER_VALIDATE_RET( cond ) \
78 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
79 #define CIPHER_VALIDATE( cond ) \
80 MBEDTLS_INTERNAL_VALIDATE( cond )
82 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
83 /* Compare the contents of two buffers in constant time.
84 * Returns 0 if the contents are bitwise identical, otherwise returns
86 * This is currently only used by GCM and ChaCha20+Poly1305.
88 static int mbedtls_constant_time_memcmp( const void *v1, const void *v2,
91 const unsigned char *p1 = (const unsigned char*) v1;
92 const unsigned char *p2 = (const unsigned char*) v2;
96 for( diff = 0, i = 0; i < len; i++ )
97 diff |= p1[i] ^ p2[i];
101 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
103 static int supported_init = 0;
105 const int *mbedtls_cipher_list( void )
107 const mbedtls_cipher_definition_t *def;
110 if( ! supported_init )
112 def = mbedtls_cipher_definitions;
113 type = mbedtls_cipher_supported;
115 while( def->type != 0 )
116 *type++ = (*def++).type;
123 return( mbedtls_cipher_supported );
126 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
127 const mbedtls_cipher_type_t cipher_type )
129 const mbedtls_cipher_definition_t *def;
131 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
132 if( def->type == cipher_type )
138 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
139 const char *cipher_name )
141 const mbedtls_cipher_definition_t *def;
143 if( NULL == cipher_name )
146 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
147 if( ! strcmp( def->info->name, cipher_name ) )
153 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
154 const mbedtls_cipher_id_t cipher_id,
156 const mbedtls_cipher_mode_t mode )
158 const mbedtls_cipher_definition_t *def;
160 for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
161 if( def->info->base->cipher == cipher_id &&
162 def->info->key_bitlen == (unsigned) key_bitlen &&
163 def->info->mode == mode )
169 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
171 CIPHER_VALIDATE( ctx != NULL );
172 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
175 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
180 #if defined(MBEDTLS_USE_PSA_CRYPTO)
181 if( ctx->psa_enabled == 1 )
183 if( ctx->cipher_ctx != NULL )
185 mbedtls_cipher_context_psa * const cipher_psa =
186 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
188 if( cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED )
190 /* xxx_free() doesn't allow to return failures. */
191 (void) psa_destroy_key( cipher_psa->slot );
194 mbedtls_platform_zeroize( cipher_psa, sizeof( *cipher_psa ) );
195 mbedtls_free( cipher_psa );
198 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
201 #endif /* MBEDTLS_USE_PSA_CRYPTO */
203 #if defined(MBEDTLS_CMAC_C)
206 mbedtls_platform_zeroize( ctx->cmac_ctx,
207 sizeof( mbedtls_cmac_context_t ) );
208 mbedtls_free( ctx->cmac_ctx );
212 if( ctx->cipher_ctx )
213 ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
215 mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
218 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
219 const mbedtls_cipher_info_t *cipher_info )
221 CIPHER_VALIDATE_RET( ctx != NULL );
222 if( cipher_info == NULL )
223 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
225 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
227 if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
228 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
230 ctx->cipher_info = cipher_info;
232 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
234 * Ignore possible errors caused by a cipher mode that doesn't use padding
236 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
237 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
239 (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
241 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
246 #if defined(MBEDTLS_USE_PSA_CRYPTO)
247 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
248 const mbedtls_cipher_info_t *cipher_info,
252 mbedtls_cipher_context_psa *cipher_psa;
254 if( NULL == cipher_info || NULL == ctx )
255 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
257 /* Check that the underlying cipher mode and cipher type are
258 * supported by the underlying PSA Crypto implementation. */
259 alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen );
261 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
262 if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 )
263 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
265 memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
267 cipher_psa = mbedtls_calloc( 1, sizeof(mbedtls_cipher_context_psa ) );
268 if( cipher_psa == NULL )
269 return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
270 cipher_psa->alg = alg;
271 ctx->cipher_ctx = cipher_psa;
272 ctx->cipher_info = cipher_info;
273 ctx->psa_enabled = 1;
276 #endif /* MBEDTLS_USE_PSA_CRYPTO */
278 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
279 const unsigned char *key,
281 const mbedtls_operation_t operation )
283 CIPHER_VALIDATE_RET( ctx != NULL );
284 CIPHER_VALIDATE_RET( key != NULL );
285 CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
286 operation == MBEDTLS_DECRYPT );
287 if( ctx->cipher_info == NULL )
288 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
290 #if defined(MBEDTLS_USE_PSA_CRYPTO)
291 if( ctx->psa_enabled == 1 )
293 mbedtls_cipher_context_psa * const cipher_psa =
294 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
296 size_t const key_bytelen = ( (size_t) key_bitlen + 7 ) / 8;
299 psa_key_type_t key_type;
300 psa_key_usage_t key_usage;
301 psa_key_policy_t key_policy;
303 /* PSA Crypto API only accepts byte-aligned keys. */
304 if( key_bitlen % 8 != 0 )
305 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
307 /* Don't allow keys to be set multiple times. */
308 if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET )
309 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
311 key_type = mbedtls_psa_translate_cipher_type(
312 ctx->cipher_info->type );
314 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
316 /* Allocate a key slot to use. */
317 status = psa_allocate_key( &cipher_psa->slot );
318 if( status != PSA_SUCCESS )
319 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
321 /* Indicate that we own the key slot and need to
322 * destroy it in mbedtls_cipher_free(). */
323 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
325 /* From that point on, the responsibility for destroying the
326 * key slot is on mbedtls_cipher_free(). This includes the case
327 * where the policy setup or key import below fail, as
328 * mbedtls_cipher_free() needs to be called in any case. */
330 /* Setup policy for the new key slot. */
331 key_policy = psa_key_policy_init();
333 /* Mbed TLS' cipher layer doesn't enforce the mode of operation
334 * (encrypt vs. decrypt): it is possible to setup a key for encryption
335 * and use it for AEAD decryption. Until tests relying on this
336 * are changed, allow any usage in PSA. */
337 /* key_usage = mbedtls_psa_translate_cipher_operation( operation ); */
338 key_usage = PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT;
339 psa_key_policy_set_usage( &key_policy, key_usage, cipher_psa->alg );
340 status = psa_set_key_policy( cipher_psa->slot, &key_policy );
341 if( status != PSA_SUCCESS )
342 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
344 /* Populate new key slot. */
345 status = psa_import_key( cipher_psa->slot,
346 key_type, key, key_bytelen );
347 if( status != PSA_SUCCESS )
348 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
350 ctx->key_bitlen = key_bitlen;
351 ctx->operation = operation;
354 #endif /* MBEDTLS_USE_PSA_CRYPTO */
356 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
357 (int) ctx->cipher_info->key_bitlen != key_bitlen )
359 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
362 ctx->key_bitlen = key_bitlen;
363 ctx->operation = operation;
366 * For OFB, CFB and CTR mode always use the encryption key schedule
368 if( MBEDTLS_ENCRYPT == operation ||
369 MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
370 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
371 MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
373 return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
377 if( MBEDTLS_DECRYPT == operation )
378 return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
381 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
384 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
385 const unsigned char *iv,
388 size_t actual_iv_size;
390 CIPHER_VALIDATE_RET( ctx != NULL );
391 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
392 if( ctx->cipher_info == NULL )
393 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
394 #if defined(MBEDTLS_USE_PSA_CRYPTO)
395 if( ctx->psa_enabled == 1 )
397 /* While PSA Crypto has an API for multipart
398 * operations, we currently don't make it
399 * accessible through the cipher layer. */
400 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
402 #endif /* MBEDTLS_USE_PSA_CRYPTO */
404 /* avoid buffer overflow in ctx->iv */
405 if( iv_len > MBEDTLS_MAX_IV_LENGTH )
406 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
408 if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
409 actual_iv_size = iv_len;
412 actual_iv_size = ctx->cipher_info->iv_size;
414 /* avoid reading past the end of input buffer */
415 if( actual_iv_size > iv_len )
416 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
419 #if defined(MBEDTLS_CHACHA20_C)
420 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
422 if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
424 0U ) ) /* Initial counter value */
426 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
431 if ( actual_iv_size != 0 )
433 memcpy( ctx->iv, iv, actual_iv_size );
434 ctx->iv_size = actual_iv_size;
440 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
442 CIPHER_VALIDATE_RET( ctx != NULL );
443 if( ctx->cipher_info == NULL )
444 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
446 #if defined(MBEDTLS_USE_PSA_CRYPTO)
447 if( ctx->psa_enabled == 1 )
449 /* We don't support resetting PSA-based
450 * cipher contexts, yet. */
451 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
453 #endif /* MBEDTLS_USE_PSA_CRYPTO */
455 ctx->unprocessed_len = 0;
460 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
461 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
462 const unsigned char *ad, size_t ad_len )
464 CIPHER_VALIDATE_RET( ctx != NULL );
465 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
466 if( ctx->cipher_info == NULL )
467 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
469 #if defined(MBEDTLS_USE_PSA_CRYPTO)
470 if( ctx->psa_enabled == 1 )
472 /* While PSA Crypto has an API for multipart
473 * operations, we currently don't make it
474 * accessible through the cipher layer. */
475 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
477 #endif /* MBEDTLS_USE_PSA_CRYPTO */
479 #if defined(MBEDTLS_GCM_C)
480 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
482 return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
483 ctx->iv, ctx->iv_size, ad, ad_len ) );
487 #if defined(MBEDTLS_CHACHAPOLY_C)
488 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
491 mbedtls_chachapoly_mode_t mode;
493 mode = ( ctx->operation == MBEDTLS_ENCRYPT )
494 ? MBEDTLS_CHACHAPOLY_ENCRYPT
495 : MBEDTLS_CHACHAPOLY_DECRYPT;
497 result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
503 return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
510 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
512 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
513 size_t ilen, unsigned char *output, size_t *olen )
518 CIPHER_VALIDATE_RET( ctx != NULL );
519 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
520 CIPHER_VALIDATE_RET( output != NULL );
521 CIPHER_VALIDATE_RET( olen != NULL );
522 if( ctx->cipher_info == NULL )
523 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
525 #if defined(MBEDTLS_USE_PSA_CRYPTO)
526 if( ctx->psa_enabled == 1 )
528 /* While PSA Crypto has an API for multipart
529 * operations, we currently don't make it
530 * accessible through the cipher layer. */
531 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
533 #endif /* MBEDTLS_USE_PSA_CRYPTO */
536 block_size = mbedtls_cipher_get_block_size( ctx );
538 if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
540 if( ilen != block_size )
541 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
545 if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
546 ctx->operation, input, output ) ) )
554 #if defined(MBEDTLS_GCM_C)
555 if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
558 return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
563 #if defined(MBEDTLS_CHACHAPOLY_C)
564 if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
567 return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
568 ilen, input, output ) );
572 if ( 0 == block_size )
574 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
577 if( input == output &&
578 ( ctx->unprocessed_len != 0 || ilen % block_size ) )
580 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
583 #if defined(MBEDTLS_CIPHER_MODE_CBC)
584 if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
589 * If there is not enough data for a full block, cache it.
591 if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
592 ilen <= block_size - ctx->unprocessed_len ) ||
593 ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
594 ilen < block_size - ctx->unprocessed_len ) ||
595 ( ctx->operation == MBEDTLS_ENCRYPT &&
596 ilen < block_size - ctx->unprocessed_len ) )
598 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
601 ctx->unprocessed_len += ilen;
606 * Process cached data first
608 if( 0 != ctx->unprocessed_len )
610 copy_len = block_size - ctx->unprocessed_len;
612 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
615 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
616 ctx->operation, block_size, ctx->iv,
617 ctx->unprocessed_data, output ) ) )
623 output += block_size;
624 ctx->unprocessed_len = 0;
631 * Cache final, incomplete block
635 if( 0 == block_size )
637 return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
640 /* Encryption: only cache partial blocks
641 * Decryption w/ padding: always keep at least one whole block
642 * Decryption w/o padding: only cache partial blocks
644 copy_len = ilen % block_size;
646 ctx->operation == MBEDTLS_DECRYPT &&
647 NULL != ctx->add_padding)
649 copy_len = block_size;
652 memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
655 ctx->unprocessed_len += copy_len;
660 * Process remaining full blocks
664 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
665 ctx->operation, ilen, ctx->iv, input, output ) ) )
675 #endif /* MBEDTLS_CIPHER_MODE_CBC */
677 #if defined(MBEDTLS_CIPHER_MODE_CFB)
678 if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
680 if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
681 ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
691 #endif /* MBEDTLS_CIPHER_MODE_CFB */
693 #if defined(MBEDTLS_CIPHER_MODE_OFB)
694 if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
696 if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
697 ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
706 #endif /* MBEDTLS_CIPHER_MODE_OFB */
708 #if defined(MBEDTLS_CIPHER_MODE_CTR)
709 if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
711 if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
712 ilen, &ctx->unprocessed_len, ctx->iv,
713 ctx->unprocessed_data, input, output ) ) )
722 #endif /* MBEDTLS_CIPHER_MODE_CTR */
724 #if defined(MBEDTLS_CIPHER_MODE_XTS)
725 if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
727 if( ctx->unprocessed_len > 0 ) {
728 /* We can only process an entire data unit at a time. */
729 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
732 ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
733 ctx->operation, ilen, ctx->iv, input, output );
743 #endif /* MBEDTLS_CIPHER_MODE_XTS */
745 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
746 if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
748 if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
749 ilen, input, output ) ) )
758 #endif /* MBEDTLS_CIPHER_MODE_STREAM */
760 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
763 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
764 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
766 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
768 static void add_pkcs_padding( unsigned char *output, size_t output_len,
771 size_t padding_len = output_len - data_len;
774 for( i = 0; i < padding_len; i++ )
775 output[data_len + i] = (unsigned char) padding_len;
778 static int get_pkcs_padding( unsigned char *input, size_t input_len,
782 unsigned char padding_len, bad = 0;
784 if( NULL == input || NULL == data_len )
785 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
787 padding_len = input[input_len - 1];
788 *data_len = input_len - padding_len;
790 /* Avoid logical || since it results in a branch */
791 bad |= padding_len > input_len;
792 bad |= padding_len == 0;
794 /* The number of bytes checked must be independent of padding_len,
795 * so pick input_len, which is usually 8 or 16 (one block) */
796 pad_idx = input_len - padding_len;
797 for( i = 0; i < input_len; i++ )
798 bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
800 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
802 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
804 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
806 * One and zeros padding: fill with 80 00 ... 00
808 static void add_one_and_zeros_padding( unsigned char *output,
809 size_t output_len, size_t data_len )
811 size_t padding_len = output_len - data_len;
814 output[data_len] = 0x80;
815 for( i = 1; i < padding_len; i++ )
816 output[data_len + i] = 0x00;
819 static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
823 unsigned char done = 0, prev_done, bad;
825 if( NULL == input || NULL == data_len )
826 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
830 for( i = input_len; i > 0; i-- )
833 done |= ( input[i - 1] != 0 );
834 *data_len |= ( i - 1 ) * ( done != prev_done );
835 bad ^= input[i - 1] * ( done != prev_done );
838 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
841 #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
843 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
845 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
847 static void add_zeros_and_len_padding( unsigned char *output,
848 size_t output_len, size_t data_len )
850 size_t padding_len = output_len - data_len;
853 for( i = 1; i < padding_len; i++ )
854 output[data_len + i - 1] = 0x00;
855 output[output_len - 1] = (unsigned char) padding_len;
858 static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
862 unsigned char padding_len, bad = 0;
864 if( NULL == input || NULL == data_len )
865 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
867 padding_len = input[input_len - 1];
868 *data_len = input_len - padding_len;
870 /* Avoid logical || since it results in a branch */
871 bad |= padding_len > input_len;
872 bad |= padding_len == 0;
874 /* The number of bytes checked must be independent of padding_len */
875 pad_idx = input_len - padding_len;
876 for( i = 0; i < input_len - 1; i++ )
877 bad |= input[i] * ( i >= pad_idx );
879 return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
881 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
883 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
885 * Zero padding: fill with 00 ... 00
887 static void add_zeros_padding( unsigned char *output,
888 size_t output_len, size_t data_len )
892 for( i = data_len; i < output_len; i++ )
896 static int get_zeros_padding( unsigned char *input, size_t input_len,
900 unsigned char done = 0, prev_done;
902 if( NULL == input || NULL == data_len )
903 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
906 for( i = input_len; i > 0; i-- )
909 done |= ( input[i-1] != 0 );
910 *data_len |= i * ( done != prev_done );
915 #endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
918 * No padding: don't pad :)
920 * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
921 * but a trivial get_padding function
923 static int get_no_padding( unsigned char *input, size_t input_len,
926 if( NULL == input || NULL == data_len )
927 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
929 *data_len = input_len;
933 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
935 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
936 unsigned char *output, size_t *olen )
938 CIPHER_VALIDATE_RET( ctx != NULL );
939 CIPHER_VALIDATE_RET( output != NULL );
940 CIPHER_VALIDATE_RET( olen != NULL );
941 if( ctx->cipher_info == NULL )
942 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
944 #if defined(MBEDTLS_USE_PSA_CRYPTO)
945 if( ctx->psa_enabled == 1 )
947 /* While PSA Crypto has an API for multipart
948 * operations, we currently don't make it
949 * accessible through the cipher layer. */
950 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
952 #endif /* MBEDTLS_USE_PSA_CRYPTO */
956 if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
957 MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
958 MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
959 MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
960 MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
961 MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
966 if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
967 ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
972 if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
974 if( ctx->unprocessed_len != 0 )
975 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
980 #if defined(MBEDTLS_CIPHER_MODE_CBC)
981 if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
985 if( MBEDTLS_ENCRYPT == ctx->operation )
987 /* check for 'no padding' mode */
988 if( NULL == ctx->add_padding )
990 if( 0 != ctx->unprocessed_len )
991 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
996 ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
997 ctx->unprocessed_len );
999 else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
1002 * For decrypt operations, expect a full block,
1003 * or an empty block if no padding
1005 if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
1008 return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
1012 if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
1013 ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
1014 ctx->unprocessed_data, output ) ) )
1019 /* Set output size for decryption */
1020 if( MBEDTLS_DECRYPT == ctx->operation )
1021 return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
1024 /* Set output size for encryption */
1025 *olen = mbedtls_cipher_get_block_size( ctx );
1030 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1032 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1035 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
1036 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
1037 mbedtls_cipher_padding_t mode )
1039 CIPHER_VALIDATE_RET( ctx != NULL );
1041 if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
1043 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1046 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1047 if( ctx->psa_enabled == 1 )
1049 /* While PSA Crypto knows about CBC padding
1050 * schemes, we currently don't make them
1051 * accessible through the cipher layer. */
1052 if( mode != MBEDTLS_PADDING_NONE )
1053 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1057 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1061 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
1062 case MBEDTLS_PADDING_PKCS7:
1063 ctx->add_padding = add_pkcs_padding;
1064 ctx->get_padding = get_pkcs_padding;
1067 #if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
1068 case MBEDTLS_PADDING_ONE_AND_ZEROS:
1069 ctx->add_padding = add_one_and_zeros_padding;
1070 ctx->get_padding = get_one_and_zeros_padding;
1073 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
1074 case MBEDTLS_PADDING_ZEROS_AND_LEN:
1075 ctx->add_padding = add_zeros_and_len_padding;
1076 ctx->get_padding = get_zeros_and_len_padding;
1079 #if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
1080 case MBEDTLS_PADDING_ZEROS:
1081 ctx->add_padding = add_zeros_padding;
1082 ctx->get_padding = get_zeros_padding;
1085 case MBEDTLS_PADDING_NONE:
1086 ctx->add_padding = NULL;
1087 ctx->get_padding = get_no_padding;
1091 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1096 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
1098 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
1099 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
1100 unsigned char *tag, size_t tag_len )
1102 CIPHER_VALIDATE_RET( ctx != NULL );
1103 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1104 if( ctx->cipher_info == NULL )
1105 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1107 if( MBEDTLS_ENCRYPT != ctx->operation )
1108 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1110 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1111 if( ctx->psa_enabled == 1 )
1113 /* While PSA Crypto has an API for multipart
1114 * operations, we currently don't make it
1115 * accessible through the cipher layer. */
1116 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1120 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1122 #if defined(MBEDTLS_GCM_C)
1123 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1124 return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
1128 #if defined(MBEDTLS_CHACHAPOLY_C)
1129 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1131 /* Don't allow truncated MAC for Poly1305 */
1132 if ( tag_len != 16U )
1133 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1135 return( mbedtls_chachapoly_finish(
1136 (mbedtls_chachapoly_context*) ctx->cipher_ctx, tag ) );
1143 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
1144 const unsigned char *tag, size_t tag_len )
1146 unsigned char check_tag[16];
1149 CIPHER_VALIDATE_RET( ctx != NULL );
1150 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1151 if( ctx->cipher_info == NULL )
1152 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1154 if( MBEDTLS_DECRYPT != ctx->operation )
1156 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1159 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1160 if( ctx->psa_enabled == 1 )
1162 /* While PSA Crypto has an API for multipart
1163 * operations, we currently don't make it
1164 * accessible through the cipher layer. */
1165 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1167 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1169 #if defined(MBEDTLS_GCM_C)
1170 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1172 if( tag_len > sizeof( check_tag ) )
1173 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1175 if( 0 != ( ret = mbedtls_gcm_finish(
1176 (mbedtls_gcm_context *) ctx->cipher_ctx,
1177 check_tag, tag_len ) ) )
1182 /* Check the tag in "constant-time" */
1183 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
1184 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1188 #endif /* MBEDTLS_GCM_C */
1190 #if defined(MBEDTLS_CHACHAPOLY_C)
1191 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1193 /* Don't allow truncated MAC for Poly1305 */
1194 if ( tag_len != sizeof( check_tag ) )
1195 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1197 ret = mbedtls_chachapoly_finish(
1198 (mbedtls_chachapoly_context*) ctx->cipher_ctx, check_tag );
1204 /* Check the tag in "constant-time" */
1205 if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
1206 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1210 #endif /* MBEDTLS_CHACHAPOLY_C */
1214 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1217 * Packet-oriented wrapper for non-AEAD modes
1219 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
1220 const unsigned char *iv, size_t iv_len,
1221 const unsigned char *input, size_t ilen,
1222 unsigned char *output, size_t *olen )
1227 CIPHER_VALIDATE_RET( ctx != NULL );
1228 CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
1229 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1230 CIPHER_VALIDATE_RET( output != NULL );
1231 CIPHER_VALIDATE_RET( olen != NULL );
1233 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1234 if( ctx->psa_enabled == 1 )
1236 /* As in the non-PSA case, we don't check that
1237 * a key has been set. If not, the key slot will
1238 * still be in its default state of 0, which is
1239 * guaranteed to be invalid, hence the PSA-call
1240 * below will gracefully fail. */
1241 mbedtls_cipher_context_psa * const cipher_psa =
1242 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1244 psa_status_t status;
1245 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1248 if( ctx->operation == MBEDTLS_DECRYPT )
1250 status = psa_cipher_decrypt_setup( &cipher_op,
1254 else if( ctx->operation == MBEDTLS_ENCRYPT )
1256 status = psa_cipher_encrypt_setup( &cipher_op,
1261 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1263 /* In the following, we can immediately return on an error,
1264 * because the PSA Crypto API guarantees that cipher operations
1265 * are terminated by unsuccessful calls to psa_cipher_update(),
1266 * and by any call to psa_cipher_finish(). */
1267 if( status != PSA_SUCCESS )
1268 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1270 status = psa_cipher_set_iv( &cipher_op, iv, iv_len );
1271 if( status != PSA_SUCCESS )
1272 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1274 status = psa_cipher_update( &cipher_op,
1276 output, ilen, olen );
1277 if( status != PSA_SUCCESS )
1278 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1280 status = psa_cipher_finish( &cipher_op,
1281 output + *olen, ilen - *olen,
1283 if( status != PSA_SUCCESS )
1284 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1289 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1291 if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
1294 if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
1297 if( ( ret = mbedtls_cipher_update( ctx, input, ilen,
1298 output, olen ) ) != 0 )
1301 if( ( ret = mbedtls_cipher_finish( ctx, output + *olen,
1302 &finish_olen ) ) != 0 )
1305 *olen += finish_olen;
1310 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
1312 * Packet-oriented encryption for AEAD modes
1314 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
1315 const unsigned char *iv, size_t iv_len,
1316 const unsigned char *ad, size_t ad_len,
1317 const unsigned char *input, size_t ilen,
1318 unsigned char *output, size_t *olen,
1319 unsigned char *tag, size_t tag_len )
1321 CIPHER_VALIDATE_RET( ctx != NULL );
1322 CIPHER_VALIDATE_RET( iv != NULL );
1323 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1324 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1325 CIPHER_VALIDATE_RET( output != NULL );
1326 CIPHER_VALIDATE_RET( olen != NULL );
1327 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1329 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1330 if( ctx->psa_enabled == 1 )
1332 /* As in the non-PSA case, we don't check that
1333 * a key has been set. If not, the key slot will
1334 * still be in its default state of 0, which is
1335 * guaranteed to be invalid, hence the PSA-call
1336 * below will gracefully fail. */
1337 mbedtls_cipher_context_psa * const cipher_psa =
1338 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1340 psa_status_t status;
1342 /* PSA Crypto API always writes the authentication tag
1343 * at the end of the encrypted message. */
1344 if( tag != output + ilen )
1345 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1347 status = psa_aead_encrypt( cipher_psa->slot,
1352 output, ilen + tag_len, olen );
1353 if( status != PSA_SUCCESS )
1354 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1359 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1361 #if defined(MBEDTLS_GCM_C)
1362 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1365 return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
1366 ilen, iv, iv_len, ad, ad_len,
1367 input, output, tag_len, tag ) );
1369 #endif /* MBEDTLS_GCM_C */
1370 #if defined(MBEDTLS_CCM_C)
1371 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1374 return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
1375 iv, iv_len, ad, ad_len, input, output,
1378 #endif /* MBEDTLS_CCM_C */
1379 #if defined(MBEDTLS_CHACHAPOLY_C)
1380 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1382 /* ChachaPoly has fixed length nonce and MAC (tag) */
1383 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1384 ( tag_len != 16U ) )
1386 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1390 return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
1391 ilen, iv, ad, ad_len, input, output, tag ) );
1393 #endif /* MBEDTLS_CHACHAPOLY_C */
1394 #if defined(MBEDTLS_NIST_KW_C)
1395 if( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1396 MBEDTLS_MODE_KWP == ctx->cipher_info->mode )
1398 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1399 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1401 /* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */
1402 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1404 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1407 return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) );
1409 #endif /* MBEDTLS_NIST_KW_C */
1411 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1415 * Packet-oriented decryption for AEAD modes
1417 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
1418 const unsigned char *iv, size_t iv_len,
1419 const unsigned char *ad, size_t ad_len,
1420 const unsigned char *input, size_t ilen,
1421 unsigned char *output, size_t *olen,
1422 const unsigned char *tag, size_t tag_len )
1424 CIPHER_VALIDATE_RET( ctx != NULL );
1425 CIPHER_VALIDATE_RET( iv != NULL );
1426 CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
1427 CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
1428 CIPHER_VALIDATE_RET( output != NULL );
1429 CIPHER_VALIDATE_RET( olen != NULL );
1430 CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
1432 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1433 if( ctx->psa_enabled == 1 )
1435 /* As in the non-PSA case, we don't check that
1436 * a key has been set. If not, the key slot will
1437 * still be in its default state of 0, which is
1438 * guaranteed to be invalid, hence the PSA-call
1439 * below will gracefully fail. */
1440 mbedtls_cipher_context_psa * const cipher_psa =
1441 (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
1443 psa_status_t status;
1445 /* PSA Crypto API always writes the authentication tag
1446 * at the end of the encrypted message. */
1447 if( tag != input + ilen )
1448 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1450 status = psa_aead_decrypt( cipher_psa->slot,
1454 input, ilen + tag_len,
1455 output, ilen, olen );
1456 if( status == PSA_ERROR_INVALID_SIGNATURE )
1457 return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
1458 else if( status != PSA_SUCCESS )
1459 return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
1463 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1465 #if defined(MBEDTLS_GCM_C)
1466 if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
1471 ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
1472 iv, iv_len, ad, ad_len,
1473 tag, tag_len, input, output );
1475 if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
1476 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1480 #endif /* MBEDTLS_GCM_C */
1481 #if defined(MBEDTLS_CCM_C)
1482 if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
1487 ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
1488 iv, iv_len, ad, ad_len,
1489 input, output, tag, tag_len );
1491 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
1492 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1496 #endif /* MBEDTLS_CCM_C */
1497 #if defined(MBEDTLS_CHACHAPOLY_C)
1498 if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
1502 /* ChachaPoly has fixed length nonce and MAC (tag) */
1503 if ( ( iv_len != ctx->cipher_info->iv_size ) ||
1504 ( tag_len != 16U ) )
1506 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1510 ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
1511 iv, ad, ad_len, tag, input, output );
1513 if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
1514 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
1518 #endif /* MBEDTLS_CHACHAPOLY_C */
1519 #if defined(MBEDTLS_NIST_KW_C)
1520 if( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
1521 MBEDTLS_MODE_KWP == ctx->cipher_info->mode )
1523 mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
1524 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
1526 /* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */
1527 if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
1529 return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
1532 return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) );
1534 #endif /* MBEDTLS_NIST_KW_C */
1536 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
1538 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
1540 #endif /* MBEDTLS_CIPHER_C */