TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 6edb7473db1e4c1ee9a8da405c25ea0c3841e06c / . / library / psa_crypto_aead.c
blob: ac4297ed40aeb119230b69fd1df4104ba47ea062 [file] [log] [blame]
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]1/*
2 * PSA AEAD entry points
3 */
4/*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21#include "common.h"
22
23#if defined(MBEDTLS_PSA_CRYPTO_C)
24
25#include "psa_crypto_aead.h"
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]26#include "psa_crypto_core.h"
27
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]28#include <string.h>
29#include "mbedtls/platform.h"
30#if !defined(MBEDTLS_PLATFORM_C)
31#define mbedtls_calloc calloc
32#define mbedtls_free free
33#endif
34
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]35#include "mbedtls/ccm.h"
36#include "mbedtls/chachapoly.h"
37#include "mbedtls/cipher.h"
38#include "mbedtls/gcm.h"
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]39#include "mbedtls/error.h"
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]40
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]41static psa_status_t psa_aead_setup(
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]42 mbedtls_psa_aead_operation_t *operation,
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]43 const psa_key_attributes_t *attributes,
44 const uint8_t *key_buffer,
45 psa_algorithm_t alg )
46{
47 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
48 size_t key_bits;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]49 const mbedtls_cipher_info_t *cipher_info;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]50 mbedtls_cipher_id_t cipher_id;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]51 size_t full_tag_length = 0;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]52
53 key_bits = attributes->core.bits;
54
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]55 cipher_info = mbedtls_cipher_info_from_psa( alg,
56 attributes->core.type, key_bits,
57 &cipher_id );
58 if( cipher_info == NULL )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]59 return( PSA_ERROR_NOT_SUPPORTED );
60
61 switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) )
62 {
63#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
64 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]65 operation->alg = PSA_ALG_CCM;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]66 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]67 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
68 * The call to mbedtls_ccm_encrypt_and_tag or
69 * mbedtls_ccm_auth_decrypt will validate the tag length. */
70 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
71 return( PSA_ERROR_INVALID_ARGUMENT );
72
73 mbedtls_ccm_init( &operation->ctx.ccm );
74 status = mbedtls_to_psa_error(
75 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
76 key_buffer, (unsigned int) key_bits ) );
77 if( status != PSA_SUCCESS )
78 return( status );
79 break;
80#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
81
82#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
83 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]84 operation->alg = PSA_ALG_GCM;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]85 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]86 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
87 * The call to mbedtls_gcm_crypt_and_tag or
88 * mbedtls_gcm_auth_decrypt will validate the tag length. */
89 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
90 return( PSA_ERROR_INVALID_ARGUMENT );
91
92 mbedtls_gcm_init( &operation->ctx.gcm );
93 status = mbedtls_to_psa_error(
94 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
95 key_buffer, (unsigned int) key_bits ) );
96 if( status != PSA_SUCCESS )
97 return( status );
98 break;
99#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
100
101#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
102 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]103 operation->alg = PSA_ALG_CHACHA20_POLY1305;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]104 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]105 /* We only support the default tag length. */
106 if( alg != PSA_ALG_CHACHA20_POLY1305 )
107 return( PSA_ERROR_NOT_SUPPORTED );
108
109 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
110 status = mbedtls_to_psa_error(
111 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
112 key_buffer ) );
113 if( status != PSA_SUCCESS )
114 return( status );
115 break;
116#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
117
118 default:
119 return( PSA_ERROR_NOT_SUPPORTED );
120 }
121
Bence Szépkútiec174e22021-03-19 18:46:15 +0100[diff] [blame]122 if( PSA_AEAD_TAG_LENGTH( attributes->core.type,
123 key_bits, alg )
124 > full_tag_length )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]125 return( PSA_ERROR_INVALID_ARGUMENT );
126
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]127 operation->key_type = psa_get_key_type( attributes );
128
129 operation->tag_length = PSA_AEAD_TAG_LENGTH( operation->key_type,
Bence Szépkútiec174e22021-03-19 18:46:15 +0100[diff] [blame]130 key_bits,
131 alg );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]132
133 return( PSA_SUCCESS );
134}
135
136psa_status_t mbedtls_psa_aead_encrypt(
137 const psa_key_attributes_t *attributes,
138 const uint8_t *key_buffer, size_t key_buffer_size,
139 psa_algorithm_t alg,
140 const uint8_t *nonce, size_t nonce_length,
141 const uint8_t *additional_data, size_t additional_data_length,
142 const uint8_t *plaintext, size_t plaintext_length,
143 uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length )
144{
145 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]146 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]147 uint8_t *tag;
148 (void) key_buffer_size;
149
150 status = psa_aead_setup( &operation, attributes, key_buffer, alg );
151 if( status != PSA_SUCCESS )
152 goto exit;
153
154 /* For all currently supported modes, the tag is at the end of the
155 * ciphertext. */
156 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
157 {
158 status = PSA_ERROR_BUFFER_TOO_SMALL;
159 goto exit;
160 }
161 tag = ciphertext + plaintext_length;
162
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]163#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]164 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]165 {
166 status = mbedtls_to_psa_error(
167 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
168 plaintext_length,
169 nonce, nonce_length,
170 additional_data,
171 additional_data_length,
172 plaintext, ciphertext,
173 tag, operation.tag_length ) );
174 }
175 else
176#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]177#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]178 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]179 {
180 status = mbedtls_to_psa_error(
181 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
182 MBEDTLS_GCM_ENCRYPT,
183 plaintext_length,
184 nonce, nonce_length,
185 additional_data, additional_data_length,
186 plaintext, ciphertext,
187 operation.tag_length, tag ) );
188 }
189 else
190#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]191#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]192 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]193 {
194 if( nonce_length != 12 || operation.tag_length != 16 )
195 {
196 status = PSA_ERROR_NOT_SUPPORTED;
197 goto exit;
198 }
199 status = mbedtls_to_psa_error(
200 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
201 plaintext_length,
202 nonce,
203 additional_data,
204 additional_data_length,
205 plaintext,
206 ciphertext,
207 tag ) );
208 }
209 else
210#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
211 {
212 (void) tag;
213 return( PSA_ERROR_NOT_SUPPORTED );
214 }
215
216 if( status == PSA_SUCCESS )
217 *ciphertext_length = plaintext_length + operation.tag_length;
218
219exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]220 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]221
222 return( status );
223}
224
225/* Locate the tag in a ciphertext buffer containing the encrypted data
226 * followed by the tag. Return the length of the part preceding the tag in
227 * *plaintext_length. This is the size of the plaintext in modes where
228 * the encrypted data has the same size as the plaintext, such as
229 * CCM and GCM. */
230static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
231 const uint8_t *ciphertext,
232 size_t ciphertext_length,
233 size_t plaintext_size,
234 const uint8_t **p_tag )
235{
236 size_t payload_length;
237 if( tag_length > ciphertext_length )
238 return( PSA_ERROR_INVALID_ARGUMENT );
239 payload_length = ciphertext_length - tag_length;
240 if( payload_length > plaintext_size )
241 return( PSA_ERROR_BUFFER_TOO_SMALL );
242 *p_tag = ciphertext + payload_length;
243 return( PSA_SUCCESS );
244}
245
246psa_status_t mbedtls_psa_aead_decrypt(
247 const psa_key_attributes_t *attributes,
248 const uint8_t *key_buffer, size_t key_buffer_size,
249 psa_algorithm_t alg,
250 const uint8_t *nonce, size_t nonce_length,
251 const uint8_t *additional_data, size_t additional_data_length,
252 const uint8_t *ciphertext, size_t ciphertext_length,
253 uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length )
254{
255 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]256 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]257 const uint8_t *tag = NULL;
258 (void) key_buffer_size;
259
260 status = psa_aead_setup( &operation, attributes, key_buffer, alg );
261 if( status != PSA_SUCCESS )
262 goto exit;
263
264 status = psa_aead_unpadded_locate_tag( operation.tag_length,
265 ciphertext, ciphertext_length,
266 plaintext_size, &tag );
267 if( status != PSA_SUCCESS )
268 goto exit;
269
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]270#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]271 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]272 {
273 status = mbedtls_to_psa_error(
274 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
275 ciphertext_length - operation.tag_length,
276 nonce, nonce_length,
277 additional_data,
278 additional_data_length,
279 ciphertext, plaintext,
280 tag, operation.tag_length ) );
281 }
282 else
283#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]284#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]285 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]286 {
287 status = mbedtls_to_psa_error(
288 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
289 ciphertext_length - operation.tag_length,
290 nonce, nonce_length,
291 additional_data,
292 additional_data_length,
293 tag, operation.tag_length,
294 ciphertext, plaintext ) );
295 }
296 else
297#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]298#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]299 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]300 {
301 if( nonce_length != 12 || operation.tag_length != 16 )
302 {
303 status = PSA_ERROR_NOT_SUPPORTED;
304 goto exit;
305 }
306 status = mbedtls_to_psa_error(
307 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
308 ciphertext_length - operation.tag_length,
309 nonce,
310 additional_data,
311 additional_data_length,
312 tag,
313 ciphertext,
314 plaintext ) );
315 }
316 else
317#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
318 {
319 return( PSA_ERROR_NOT_SUPPORTED );
320 }
321
322 if( status == PSA_SUCCESS )
323 *plaintext_length = ciphertext_length - operation.tag_length;
324
325exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]326 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]327
328 if( status == PSA_SUCCESS )
329 *plaintext_length = ciphertext_length - operation.tag_length;
330 return( status );
331}
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]332
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]333/* Set the key and algorithm for a multipart authenticated encryption
334 * operation. */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]335psa_status_t mbedtls_psa_aead_encrypt_setup( mbedtls_psa_aead_operation_t
336 *operation,
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]337 const psa_key_attributes_t
338 *attributes,
339 const uint8_t *key_buffer,
340 size_t key_buffer_size,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]341 psa_algorithm_t alg )
342{
343 psa_status_t status;
344
345 (void) key_buffer_size;
346
347 status = psa_aead_setup( operation, attributes, key_buffer, alg );
348
349 if( status == PSA_SUCCESS )
350 {
351 operation->is_encrypt = 1;
352 }
353
354 return ( status );
355}
356
357/* Set the key and algorithm for a multipart authenticated decryption
358 * operation. */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]359psa_status_t mbedtls_psa_aead_decrypt_setup( mbedtls_psa_aead_operation_t
360 *operation,
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]361 const psa_key_attributes_t
362 *attributes,
363 const uint8_t *key_buffer,
364 size_t key_buffer_size,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]365 psa_algorithm_t alg )
366{
367 psa_status_t status;
368
369 (void) key_buffer_size;
370
371 status = psa_aead_setup( operation, attributes, key_buffer, alg );
372
373 if( status == PSA_SUCCESS )
374 {
375 operation->is_encrypt = 0;
376 }
377
378 return ( status );
379}
380
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]381/* Set a nonce for the multipart AEAD operation*/
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]382psa_status_t mbedtls_psa_aead_set_nonce( mbedtls_psa_aead_operation_t
383 *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]384 const uint8_t *nonce,
385 size_t nonce_length )
386{
387 psa_status_t status;
388
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]389 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
390 if( operation->alg == PSA_ALG_GCM )
391 {
392 /* GCM sets nonce once additional data has been supplied */
393 memcpy(operation->nonce, nonce, nonce_length);
394
395 /* We know that nonce size cannot exceed the uint8_t size */
396 operation->nonce_length = ( uint8_t ) nonce_length;
397 status = PSA_SUCCESS;
398 }
399 else
400#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
401#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
402 if( operation->alg == PSA_ALG_CCM )
403 {
404 /* Multipart CCM not supported as yet, so CCM is basically operating
405 in oneshot mode. Store the nonce as we need this later */
406 memcpy(operation->nonce, nonce, nonce_length);
407
408 /* We know that nonce size cannot exceed the uint8_t size */
409 operation->nonce_length = ( uint8_t ) nonce_length;
410 status = PSA_SUCCESS;
411 }
412 else
413#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
414#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
415 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
416 {
417 if( nonce_length != 12 && nonce_length != 8)
418 {
419 return( PSA_ERROR_INVALID_ARGUMENT );
420 }
421
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]422 status = mbedtls_to_psa_error(
423 mbedtls_chachapoly_starts( &operation->ctx.chachapoly,
424 nonce,
425 operation->is_encrypt ?
426 MBEDTLS_CHACHAPOLY_ENCRYPT :
427 MBEDTLS_CHACHAPOLY_DECRYPT ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]428 }
429 else
430#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
431 {
432 ( void ) nonce;
433 ( void ) nonce_length;
434
435 return ( PSA_ERROR_NOT_SUPPORTED );
436 }
437
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]438 return( status );
439}
440 /* Declare the lengths of the message and additional data for AEAD. */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]441psa_status_t mbedtls_psa_aead_set_lengths( mbedtls_psa_aead_operation_t
442 *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]443 size_t ad_length,
444 size_t plaintext_length )
445{
446
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]447#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
448 if( operation->alg == PSA_ALG_GCM )
449 {
450#if SIZE_MAX > UINT32_MAX
451 if( ( (uint64_t) ad_length ) >> 61 != 0 ||
452 ( (uint64_t) plaintext_length ) > 0xFFFFFFFE0ull )
453 {
454 return ( PSA_ERROR_INVALID_ARGUMENT );
455 }
456#endif
457 }
458 else
459#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
460#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
461 if( operation->alg == PSA_ALG_CCM )
462 {
463 if( ad_length > 0xFF00 )
464 {
465 return ( PSA_ERROR_INVALID_ARGUMENT );
466 }
467 }
468 else
469#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
470#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
471 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
472 {
473 /* No length restrictions for ChaChaPoly. */
474 }
475 else
476#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
477 {
478 ( void ) ad_length;
479 ( void ) plaintext_length;
480
481 return ( PSA_ERROR_NOT_SUPPORTED );
482 }
483
484 operation->ad_remaining = ad_length;
485 operation->body_remaining = plaintext_length;
486 operation->lengths_set = 1;
487
488 return ( PSA_SUCCESS );
489}
490
491/* Pass additional data to an active multipart AEAD operation. */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]492psa_status_t mbedtls_psa_aead_update_ad( mbedtls_psa_aead_operation_t
493 *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]494 const uint8_t *input,
495 size_t input_length )
496{
497 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
498
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]499 if( operation->lengths_set )
500 {
501 if ( operation->ad_remaining < input_length )
502 {
503 return( PSA_ERROR_INVALID_ARGUMENT );
504 }
505
506 operation->ad_remaining -= input_length;
507 }
508
509#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
510 if( operation->alg == PSA_ALG_GCM )
511 {
512 if( !operation->lengths_set || operation->ad_started )
513 {
514 return( PSA_ERROR_BAD_STATE );
515 }
516
517 /* GCM currently requires all the additional data to be passed in in
518 * one contigious buffer, so until that is re-done, we have to enforce
519 * this, as we cannot allocate a buffer to collate multiple calls into.
520 */
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]521 if( operation->ad_remaining != 0 )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]522 {
523 return ( PSA_ERROR_INVALID_ARGUMENT );
524 }
525
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]526 status = mbedtls_to_psa_error(
527 mbedtls_gcm_starts( &operation->ctx.gcm,
528 operation->is_encrypt ?
529 MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
530 operation->nonce,
531 operation->nonce_length,
532 input,
533 input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]534
535 }
536 else
537#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
538#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
539 if( operation->alg == PSA_ALG_CCM )
540 {
541 /* CCM requires all additional data to be passed in in one go at the
542 minute, as we are basically operating in oneshot mode. */
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]543 if( operation->ad_started )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]544 {
545 return( PSA_ERROR_BAD_STATE );
546 }
547
548 /* Save the additional data for later, this will be passed in
549 when we have the body. */
550 operation->ad_buffer = ( uint8_t * ) mbedtls_calloc(1, input_length );
551
552 if( operation->ad_buffer )
553 {
554 memcpy( operation->ad_buffer, input, input_length );
555 operation->ad_length = input_length;
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]556 status = PSA_SUCCESS;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]557 }
558 else
559 {
560 return ( PSA_ERROR_INSUFFICIENT_MEMORY );
561 }
562 }
563 else
564#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
565#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
566 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
567 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]568 status = mbedtls_to_psa_error(
569 mbedtls_chachapoly_update_aad( &operation->ctx.chachapoly,
570 input,
571 input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]572 }
573 else
574#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
575 {
576 (void) input;
577 (void) input_length;
578
579 return ( PSA_ERROR_NOT_SUPPORTED );
580 }
581
582 if( status == PSA_SUCCESS )
583 {
584 operation->ad_started = 1;
585 }
586
587 return ( status );
588}
589
590/* Encrypt or decrypt a message fragment in an active multipart AEAD
591 * operation.*/
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]592psa_status_t mbedtls_psa_aead_update( mbedtls_psa_aead_operation_t *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]593 const uint8_t *input,
594 size_t input_length,
595 uint8_t *output,
596 size_t output_size,
597 size_t *output_length )
598{
599 size_t update_output_size;
600 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]601 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]602
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]603 update_output_size = input_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]604
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]605 if( PSA_AEAD_UPDATE_OUTPUT_SIZE( operation->key_type, operation->alg,
606 input_length ) > output_size )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]607 {
608 return ( PSA_ERROR_BUFFER_TOO_SMALL );
609 }
610
611 if( operation->lengths_set)
612 {
613 /* Additional data length was supplied, but not all the additional
614 data was supplied.*/
615 if( operation->ad_remaining != 0 )
616 {
617 return ( PSA_ERROR_INVALID_ARGUMENT );
618 }
619
620 /* Too much data provided. */
621 if( operation->body_remaining < input_length )
622 {
623 return ( PSA_ERROR_INVALID_ARGUMENT );
624 }
625
626 operation->body_remaining -= input_length;
627 }
628
629#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
630 if( operation->alg == PSA_ALG_GCM )
631 {
632 /* For the time being set the requirement that all of the body data
633 * must be passed in in one update, rather than deal with the complexity
634 * of non block size aligned updates. This will be fixed in 3.0 when
635 we can change the signature of the GCM multipart functions */
636 if( !operation->lengths_set || operation->body_remaining != 0 )
637 {
638 return( PSA_ERROR_BAD_STATE );
639 }
640
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]641 if( !operation->ad_started )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]642 {
643 return( PSA_ERROR_BAD_STATE );
644 }
645
646 status = mbedtls_to_psa_error( mbedtls_gcm_update( &operation->ctx.gcm,
647 input_length,
648 input,
649 output ) );
650 }
651 else
652#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
653#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
654 if( operation->alg == PSA_ALG_CCM )
655 {
656 /* CCM dooes not support multipart yet, so all the input has to be
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]657 passed in in one go. */
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]658 if( operation->body_started )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]659 {
660 return( PSA_ERROR_BAD_STATE );
661 }
662
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]663 /* Need to store tag for Finish() / Verify() */
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]664 operation->tag_buffer =
665 ( uint8_t * ) mbedtls_calloc(1, operation->tag_length );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]666
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]667 if( operation->tag_buffer )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]668 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]669
670 if( operation->is_encrypt )
671 {
672 /* Perform oneshot CCM encryption with additional data already
673 stored, as CCM does not support multipart yet.*/
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]674 status = mbedtls_to_psa_error(
675 mbedtls_ccm_encrypt_and_tag( &operation->ctx.ccm,
676 input_length,
677 operation->nonce,
678 operation->nonce_length,
679 operation->ad_buffer,
680 operation->ad_length,
681 input,
682 output,
683 operation->tag_buffer,
684 operation->tag_length ) );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]685
686 /* Even if the above operation fails, we no longer need the
687 additional data.*/
688 mbedtls_free(operation->ad_buffer);
689 operation->ad_buffer = NULL;
690 operation->ad_length = 0;
691 }
692 else
693 {
694 /* Need to back up the body data so we can do this again
695 later.*/
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]696 operation->body_buffer =
697 ( uint8_t * ) mbedtls_calloc(1, input_length );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]698
699 if( operation->body_buffer )
700 {
701 memcpy( operation->body_buffer, input, input_length );
702 operation->body_length = input_length;
703
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]704 /* this will fail, as the tag is clearly false, but will
705 write the decrypted data to the output buffer.*/
706 ret = mbedtls_ccm_auth_decrypt( &operation->ctx.ccm,
707 input_length,
708 operation->nonce,
709 operation->nonce_length,
710 operation->ad_buffer,
711 operation->ad_length,
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]712 input, output,
713 operation->tag_buffer,
714 operation->tag_length );
715
716 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
717 {
718 status = PSA_SUCCESS;
719 }
720 else
721 {
722 status = mbedtls_to_psa_error( ret );
723 }
724 }
725 else
726 {
727 status = PSA_ERROR_INSUFFICIENT_MEMORY;
728 }
729 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]730 }
731 else
732 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]733 status = PSA_ERROR_INSUFFICIENT_MEMORY;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]734 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]735 }
736 else
737#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
738#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
739 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
740 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]741 status = mbedtls_to_psa_error(
742 mbedtls_chachapoly_update( &operation->ctx.chachapoly,
743 input_length,
744 input,
745 output ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]746 }
747 else
748#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
749 {
750 (void) input;
751 (void) input_length;
752
753 return ( PSA_ERROR_NOT_SUPPORTED );
754 }
755
756 if( status == PSA_SUCCESS )
757 {
758 *output_length = update_output_size;
759 operation->body_started = 1;
760 }
761
762 return( status );
763}
764
765/* Common checks for both mbedtls_psa_aead_finish() and
766 mbedtls_psa_aead_verify() */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]767static psa_status_t mbedtls_psa_aead_finish_checks( mbedtls_psa_aead_operation_t
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]768 *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]769 size_t output_size,
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]770 size_t tag_size )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]771{
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]772 size_t finish_output_size;
773
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]774 if( operation->lengths_set )
775 {
776 if( operation->ad_remaining != 0 || operation->body_remaining != 0 )
777 {
778 return( PSA_ERROR_BAD_STATE );
779 }
780 }
781
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]782 if( tag_size < operation->tag_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]783 {
784 return ( PSA_ERROR_BUFFER_TOO_SMALL );
785 }
786
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]787 if( operation->is_encrypt )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]788 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]789 finish_output_size =
790 PSA_AEAD_FINISH_OUTPUT_SIZE( operation->key_type,
791 operation->alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]792 }
793 else
794 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]795 finish_output_size =
796 PSA_AEAD_VERIFY_OUTPUT_SIZE( operation->key_type,
797 operation->alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]798 }
799
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]800 if( output_size < finish_output_size )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]801 {
802 return ( PSA_ERROR_BUFFER_TOO_SMALL );
803 }
804
805 return ( PSA_SUCCESS );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]806}
807
808/* Finish encrypting a message in a multipart AEAD operation. */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]809psa_status_t mbedtls_psa_aead_finish( mbedtls_psa_aead_operation_t *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]810 uint8_t *ciphertext,
811 size_t ciphertext_size,
812 size_t *ciphertext_length,
813 uint8_t *tag,
814 size_t tag_size,
815 size_t *tag_length )
816{
817 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]818 size_t finish_output_size = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]819
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]820 status = mbedtls_psa_aead_finish_checks( operation, ciphertext_size,
821 tag_size );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]822
823 if( status != PSA_SUCCESS )
824 {
825 return status;
826 }
827
828#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
829 if( operation->alg == PSA_ALG_GCM )
830 {
831 /* We will need to do final GCM pass in here when multipart is done. */
832 status = mbedtls_to_psa_error( mbedtls_gcm_finish( &operation->ctx.gcm,
833 tag,
834 tag_size ) );
835 }
836 else
837#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
838#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
839 if( operation->alg == PSA_ALG_CCM )
840 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]841 /* Copy the previously generated tag into place */
842 memcpy( tag, operation->tag_buffer, operation->tag_length );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]843
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]844 mbedtls_free(operation->tag_buffer);
845 operation->tag_buffer = NULL;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]846
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]847 status = PSA_SUCCESS;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]848 }
849 else
850#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
851#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
852 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
853 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]854 status = mbedtls_to_psa_error(
855 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
856 tag ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]857 }
858 else
859#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
860 {
861 ( void ) ciphertext;
862 ( void ) ciphertext_size;
863 ( void ) ciphertext_length;
864 ( void ) tag;
865 ( void ) tag_size;
866 ( void ) tag_length;
867
868 return ( PSA_ERROR_NOT_SUPPORTED );
869 }
870
871 if( status == PSA_SUCCESS )
872 {
873 *ciphertext_length = finish_output_size;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]874 *tag_length = operation->tag_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]875 }
876
877 mbedtls_psa_aead_abort(operation);
878
879 return ( status );
880}
881
882/* Finish authenticating and decrypting a message in a multipart AEAD
883 * operation.*/
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]884psa_status_t mbedtls_psa_aead_verify( mbedtls_psa_aead_operation_t *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]885 uint8_t *plaintext,
886 size_t plaintext_size,
887 size_t *plaintext_length,
888 const uint8_t *tag,
889 size_t tag_length )
890{
891 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
892 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
893
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]894 uint8_t * temp_buffer;
895 size_t temp_buffer_size;
896
897 size_t finish_output_size = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]898
899 int do_tag_check = 1;
900 uint8_t check_tag[16];
901
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]902 status = mbedtls_psa_aead_finish_checks( operation, plaintext_size,
903 tag_length );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]904
905 if( status != PSA_SUCCESS )
906 {
907 return status;
908 }
909
910#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
911 if( operation->alg == PSA_ALG_GCM )
912 {
913 /* Call finish to get the tag for comparison */
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]914 status = mbedtls_to_psa_error(
915 mbedtls_gcm_finish( &operation->ctx.gcm,
916 check_tag,
917 operation->tag_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]918 }
919 else
920#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
921#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
922 if( operation->alg == PSA_ALG_CCM )
923 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]924 if( !operation->ad_buffer || !operation->body_buffer )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]925 {
926 return( PSA_ERROR_BAD_STATE );
927 }
928
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]929 /* Perform oneshot CCM decryption *again*, as its the
930 * only way to get the tag, but this time throw away the
931 results, as verify cannot write that much data. */
932 temp_buffer_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( operation->key_type,
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]933 operation->alg,
934 operation->body_length
935 );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]936
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]937 temp_buffer = ( uint8_t * ) mbedtls_calloc(1, temp_buffer_size );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]938
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]939 if( temp_buffer )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]940 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]941 ret = mbedtls_ccm_auth_decrypt( &operation->ctx.ccm,
942 operation->body_length,
943 operation->nonce,
944 operation->nonce_length,
945 operation->ad_buffer,
946 operation->ad_length,
947 operation->body_buffer,
948 temp_buffer, tag, tag_length );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]949
950 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
951 {
952 status = PSA_ERROR_INVALID_SIGNATURE;
953 }
954 else
955 {
956 status = mbedtls_to_psa_error( ret );
957 do_tag_check = 0;
958 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]959 }
960 else
961 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]962 status = PSA_ERROR_INSUFFICIENT_MEMORY;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]963 }
964
965 /* Even if the above operation fails, we no longer need the data */
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]966 mbedtls_free(temp_buffer);
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]967
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]968 mbedtls_free(operation->body_buffer);
969 operation->body_buffer = NULL;
970 operation->body_length = 0;
971
972 mbedtls_free(operation->tag_buffer);
973 operation->tag_buffer = NULL;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]974 }
975 else
976#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
977#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
978 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
979 {
980 // call finish to get the tag for comparison.
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]981 status = mbedtls_to_psa_error(
982 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
983 check_tag ) );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]984
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]985 }
986 else
987#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
988 {
989 ( void ) plaintext;
990 ( void ) plaintext_size;
991 ( void ) plaintext_length;
992 ( void ) tag;
993 ( void ) tag_length;
994
995 return ( PSA_ERROR_NOT_SUPPORTED );
996 }
997
998 if( status == PSA_SUCCESS )
999 {
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]1000 *plaintext_length = finish_output_size;
1001
Paul Elliott6edb7472021-05-10 19:29:35 +0100[diff] [blame^]1002 if( do_tag_check &&
1003 mbedtls_psa_safer_memcmp(tag, check_tag, tag_length) != 0 )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1004 {
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1005 status = PSA_ERROR_INVALID_SIGNATURE;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1006 }
1007 }
1008
1009 mbedtls_psa_aead_abort(operation);
1010
1011 return ( status );
1012}
1013
1014/* Abort an AEAD operation */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]1015psa_status_t mbedtls_psa_aead_abort( mbedtls_psa_aead_operation_t *operation )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1016{
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1017 switch( operation->alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1018 {
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1019#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
1020 case PSA_ALG_CCM:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1021 mbedtls_ccm_free( &operation->ctx.ccm );
1022 break;
1023#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
1024#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
1025 case PSA_ALG_GCM:
1026 mbedtls_gcm_free( &operation->ctx.gcm );
1027 break;
1028#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
1029#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1030 case PSA_ALG_CHACHA20_POLY1305:
1031 mbedtls_chachapoly_free( &operation->ctx.chachapoly );
1032 break;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1033#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
1034 }
1035
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]1036 operation->lengths_set = 0;
1037 operation->is_encrypt = 0;
1038 operation->ad_started = 0;
1039 operation->body_started = 0;
1040
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]1041 mbedtls_free(operation->ad_buffer);
1042 operation->ad_buffer = NULL;
1043 operation->ad_length = 0;
1044
1045 mbedtls_free(operation->body_buffer);
1046 operation->body_buffer = NULL;
1047 operation->body_length = 0;
1048
1049 mbedtls_free(operation->tag_buffer);
1050 operation->tag_buffer = NULL;
1051
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1052 return( PSA_SUCCESS );
1053}
1054
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]1055#endif /* MBEDTLS_PSA_CRYPTO_C */
1056