TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7a55deb5a8346e4662bcdabab57fa5b3c83b2fdb / . / library / psa_crypto_aead.c
blob: c181415461a070e925da9a419fa18fe01ced5ff3 [file] [log] [blame]
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]1/*
2 * PSA AEAD entry points
3 */
4/*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21#include "common.h"
22
23#if defined(MBEDTLS_PSA_CRYPTO_C)
24
25#include "psa_crypto_aead.h"
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]26#include "psa_crypto_core.h"
27
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]28#include <string.h>
29#include "mbedtls/platform.h"
30#if !defined(MBEDTLS_PLATFORM_C)
31#define mbedtls_calloc calloc
32#define mbedtls_free free
33#endif
34
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]35#include "mbedtls/ccm.h"
36#include "mbedtls/chachapoly.h"
37#include "mbedtls/cipher.h"
38#include "mbedtls/gcm.h"
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]39#include "mbedtls/error.h"
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]40
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]41static psa_status_t psa_aead_setup(
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]42 mbedtls_psa_aead_operation_t *operation,
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]43 const psa_key_attributes_t *attributes,
44 const uint8_t *key_buffer,
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]45 size_t key_buffer_size,
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]46 psa_algorithm_t alg )
47{
48 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
49 size_t key_bits;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]50 const mbedtls_cipher_info_t *cipher_info;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]51 mbedtls_cipher_id_t cipher_id;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]52 size_t full_tag_length = 0;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]53
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]54 ( void ) key_buffer_size;
55
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]56 key_bits = attributes->core.bits;
57
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]58 cipher_info = mbedtls_cipher_info_from_psa( alg,
59 attributes->core.type, key_bits,
60 &cipher_id );
61 if( cipher_info == NULL )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]62 return( PSA_ERROR_NOT_SUPPORTED );
63
64 switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) )
65 {
66#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
67 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]68 operation->alg = PSA_ALG_CCM;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]69 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]70 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
71 * The call to mbedtls_ccm_encrypt_and_tag or
72 * mbedtls_ccm_auth_decrypt will validate the tag length. */
73 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
74 return( PSA_ERROR_INVALID_ARGUMENT );
75
76 mbedtls_ccm_init( &operation->ctx.ccm );
77 status = mbedtls_to_psa_error(
78 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
79 key_buffer, (unsigned int) key_bits ) );
80 if( status != PSA_SUCCESS )
81 return( status );
82 break;
83#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
84
85#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
86 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]87 operation->alg = PSA_ALG_GCM;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]88 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]89 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
90 * The call to mbedtls_gcm_crypt_and_tag or
91 * mbedtls_gcm_auth_decrypt will validate the tag length. */
92 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
93 return( PSA_ERROR_INVALID_ARGUMENT );
94
95 mbedtls_gcm_init( &operation->ctx.gcm );
96 status = mbedtls_to_psa_error(
97 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
98 key_buffer, (unsigned int) key_bits ) );
99 if( status != PSA_SUCCESS )
100 return( status );
101 break;
102#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
103
104#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
105 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]106 operation->alg = PSA_ALG_CHACHA20_POLY1305;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]107 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]108 /* We only support the default tag length. */
109 if( alg != PSA_ALG_CHACHA20_POLY1305 )
110 return( PSA_ERROR_NOT_SUPPORTED );
111
112 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
113 status = mbedtls_to_psa_error(
114 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
115 key_buffer ) );
116 if( status != PSA_SUCCESS )
117 return( status );
118 break;
119#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
120
121 default:
Ronald Cron7a55deb2021-04-28 14:29:00 +0200[diff] [blame^]122 (void) status;
123 (void) key_buffer;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]124 return( PSA_ERROR_NOT_SUPPORTED );
125 }
126
Bence Szépkútiec174e22021-03-19 18:46:15 +0100[diff] [blame]127 if( PSA_AEAD_TAG_LENGTH( attributes->core.type,
128 key_bits, alg )
129 > full_tag_length )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]130 return( PSA_ERROR_INVALID_ARGUMENT );
131
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]132 operation->key_type = psa_get_key_type( attributes );
133
134 operation->tag_length = PSA_AEAD_TAG_LENGTH( operation->key_type,
Bence Szépkútiec174e22021-03-19 18:46:15 +0100[diff] [blame]135 key_bits,
136 alg );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]137
138 return( PSA_SUCCESS );
139}
140
141psa_status_t mbedtls_psa_aead_encrypt(
142 const psa_key_attributes_t *attributes,
143 const uint8_t *key_buffer, size_t key_buffer_size,
144 psa_algorithm_t alg,
145 const uint8_t *nonce, size_t nonce_length,
146 const uint8_t *additional_data, size_t additional_data_length,
147 const uint8_t *plaintext, size_t plaintext_length,
148 uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length )
149{
150 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]151 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]152 uint8_t *tag;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]153
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]154 status = psa_aead_setup( &operation, attributes, key_buffer,
155 key_buffer_size, alg );
156
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]157 if( status != PSA_SUCCESS )
158 goto exit;
159
160 /* For all currently supported modes, the tag is at the end of the
161 * ciphertext. */
162 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
163 {
164 status = PSA_ERROR_BUFFER_TOO_SMALL;
165 goto exit;
166 }
167 tag = ciphertext + plaintext_length;
168
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]169#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]170 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]171 {
172 status = mbedtls_to_psa_error(
173 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
174 plaintext_length,
175 nonce, nonce_length,
176 additional_data,
177 additional_data_length,
178 plaintext, ciphertext,
179 tag, operation.tag_length ) );
180 }
181 else
182#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]183#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]184 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]185 {
186 status = mbedtls_to_psa_error(
187 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
188 MBEDTLS_GCM_ENCRYPT,
189 plaintext_length,
190 nonce, nonce_length,
191 additional_data, additional_data_length,
192 plaintext, ciphertext,
193 operation.tag_length, tag ) );
194 }
195 else
196#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]197#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]198 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]199 {
Paul Elliott96b01732021-07-16 17:00:26 +0100[diff] [blame]200 if( operation.tag_length != 16 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]201 {
202 status = PSA_ERROR_NOT_SUPPORTED;
203 goto exit;
204 }
205 status = mbedtls_to_psa_error(
206 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
207 plaintext_length,
208 nonce,
209 additional_data,
210 additional_data_length,
211 plaintext,
212 ciphertext,
213 tag ) );
214 }
215 else
216#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
217 {
218 (void) tag;
Ronald Cron7a55deb2021-04-28 14:29:00 +0200[diff] [blame^]219 (void) nonce;
220 (void) nonce_length;
221 (void) additional_data;
222 (void) additional_data_length;
223 (void) plaintext;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]224 return( PSA_ERROR_NOT_SUPPORTED );
225 }
226
227 if( status == PSA_SUCCESS )
228 *ciphertext_length = plaintext_length + operation.tag_length;
229
230exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]231 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]232
233 return( status );
234}
235
236/* Locate the tag in a ciphertext buffer containing the encrypted data
237 * followed by the tag. Return the length of the part preceding the tag in
238 * *plaintext_length. This is the size of the plaintext in modes where
239 * the encrypted data has the same size as the plaintext, such as
240 * CCM and GCM. */
241static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
242 const uint8_t *ciphertext,
243 size_t ciphertext_length,
244 size_t plaintext_size,
245 const uint8_t **p_tag )
246{
247 size_t payload_length;
248 if( tag_length > ciphertext_length )
249 return( PSA_ERROR_INVALID_ARGUMENT );
250 payload_length = ciphertext_length - tag_length;
251 if( payload_length > plaintext_size )
252 return( PSA_ERROR_BUFFER_TOO_SMALL );
253 *p_tag = ciphertext + payload_length;
254 return( PSA_SUCCESS );
255}
256
257psa_status_t mbedtls_psa_aead_decrypt(
258 const psa_key_attributes_t *attributes,
259 const uint8_t *key_buffer, size_t key_buffer_size,
260 psa_algorithm_t alg,
261 const uint8_t *nonce, size_t nonce_length,
262 const uint8_t *additional_data, size_t additional_data_length,
263 const uint8_t *ciphertext, size_t ciphertext_length,
264 uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length )
265{
266 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]267 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]268 const uint8_t *tag = NULL;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]269
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]270 status = psa_aead_setup( &operation, attributes, key_buffer,
271 key_buffer_size, alg );
272
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]273 if( status != PSA_SUCCESS )
274 goto exit;
275
276 status = psa_aead_unpadded_locate_tag( operation.tag_length,
277 ciphertext, ciphertext_length,
278 plaintext_size, &tag );
279 if( status != PSA_SUCCESS )
280 goto exit;
281
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]282#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]283 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]284 {
285 status = mbedtls_to_psa_error(
286 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
287 ciphertext_length - operation.tag_length,
288 nonce, nonce_length,
289 additional_data,
290 additional_data_length,
291 ciphertext, plaintext,
292 tag, operation.tag_length ) );
293 }
294 else
295#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]296#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]297 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]298 {
299 status = mbedtls_to_psa_error(
300 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
301 ciphertext_length - operation.tag_length,
302 nonce, nonce_length,
303 additional_data,
304 additional_data_length,
305 tag, operation.tag_length,
306 ciphertext, plaintext ) );
307 }
308 else
309#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]310#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]311 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]312 {
Paul Elliottcf2d66e2021-06-23 18:49:56 +0100[diff] [blame]313 if( operation.tag_length != 16 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]314 {
315 status = PSA_ERROR_NOT_SUPPORTED;
316 goto exit;
317 }
318 status = mbedtls_to_psa_error(
319 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
320 ciphertext_length - operation.tag_length,
321 nonce,
322 additional_data,
323 additional_data_length,
324 tag,
325 ciphertext,
326 plaintext ) );
327 }
328 else
329#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
330 {
Ronald Cron7a55deb2021-04-28 14:29:00 +0200[diff] [blame^]331 (void) nonce;
332 (void) nonce_length;
333 (void) additional_data;
334 (void) additional_data_length;
335 (void) plaintext;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]336 return( PSA_ERROR_NOT_SUPPORTED );
337 }
338
339 if( status == PSA_SUCCESS )
340 *plaintext_length = ciphertext_length - operation.tag_length;
341
342exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]343 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]344
345 if( status == PSA_SUCCESS )
346 *plaintext_length = ciphertext_length - operation.tag_length;
347 return( status );
348}
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]349
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]350/* Set the key and algorithm for a multipart authenticated encryption
351 * operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]352psa_status_t mbedtls_psa_aead_encrypt_setup(
353 mbedtls_psa_aead_operation_t *operation,
354 const psa_key_attributes_t *attributes,
355 const uint8_t *key_buffer,
356 size_t key_buffer_size,
357 psa_algorithm_t alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]358{
Paul Elliott9e8ccd72021-05-13 14:30:53 +0100[diff] [blame]359 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]360
Paul Elliott60aa2032021-05-20 18:57:02 +0100[diff] [blame]361#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
362 if( operation->alg == PSA_ALG_CCM )
363 {
Paul Elliotte95259f2021-05-21 17:09:21 +0100[diff] [blame]364 return( PSA_ERROR_NOT_SUPPORTED );
Paul Elliott60aa2032021-05-20 18:57:02 +0100[diff] [blame]365 }
366#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
367
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]368 status = psa_aead_setup( operation, attributes, key_buffer,
369 key_buffer_size, alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]370
371 if( status == PSA_SUCCESS )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]372 operation->is_encrypt = 1;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]373
374 return ( status );
375}
376
377/* Set the key and algorithm for a multipart authenticated decryption
378 * operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]379psa_status_t mbedtls_psa_aead_decrypt_setup(
380 mbedtls_psa_aead_operation_t *operation,
381 const psa_key_attributes_t *attributes,
382 const uint8_t *key_buffer,
383 size_t key_buffer_size,
384 psa_algorithm_t alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]385{
Paul Elliott9e8ccd72021-05-13 14:30:53 +0100[diff] [blame]386 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]387
Paul Elliotte95259f2021-05-21 17:09:21 +0100[diff] [blame]388#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott60aa2032021-05-20 18:57:02 +0100[diff] [blame]389 if( operation->alg == PSA_ALG_CCM )
390 {
Paul Elliotte95259f2021-05-21 17:09:21 +0100[diff] [blame]391 return( PSA_ERROR_NOT_SUPPORTED );
Paul Elliott60aa2032021-05-20 18:57:02 +0100[diff] [blame]392 }
393#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]394
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]395 status = psa_aead_setup( operation, attributes, key_buffer,
396 key_buffer_size, alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]397
398 if( status == PSA_SUCCESS )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]399 operation->is_encrypt = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]400
401 return ( status );
402}
403
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]404/* Set a nonce for the multipart AEAD operation*/
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]405psa_status_t mbedtls_psa_aead_set_nonce(
406 mbedtls_psa_aead_operation_t *operation,
407 const uint8_t *nonce,
408 size_t nonce_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]409{
Paul Elliott9e8ccd72021-05-13 14:30:53 +0100[diff] [blame]410 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]411
Paul Elliottbc949782021-06-03 15:29:00 +0100[diff] [blame]412#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]413 if( operation->alg == PSA_ALG_GCM )
414 {
Paul Elliott83f09ef2021-05-21 19:28:26 +0100[diff] [blame]415 status = mbedtls_to_psa_error(
416 mbedtls_gcm_starts( &operation->ctx.gcm,
417 operation->is_encrypt ?
418 MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
419 nonce,
420 nonce_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]421 }
422 else
423#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]424#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
425 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
426 {
Paul Elliott946c9202021-09-28 14:32:55 +0100[diff] [blame]427 /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
428 * allocate a buffer in the operation, copy the nonce to it and pad
429 * it, so for now check the nonce is 12 bytes, as
430 * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
431 * passed in buffer. */
432 if( nonce_length != 12 )
433 {
434 return( PSA_ERROR_INVALID_ARGUMENT );
435 }
436
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]437 status = mbedtls_to_psa_error(
438 mbedtls_chachapoly_starts( &operation->ctx.chachapoly,
439 nonce,
440 operation->is_encrypt ?
441 MBEDTLS_CHACHAPOLY_ENCRYPT :
442 MBEDTLS_CHACHAPOLY_DECRYPT ) );
Paul Elliottefda3402021-08-25 17:16:52 +0100[diff] [blame]443 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]444 else
445#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
446 {
Ronald Cron17006702021-12-03 15:25:24 +0100[diff] [blame]447 ( void ) operation;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]448 ( void ) nonce;
Ronald Cron17006702021-12-03 15:25:24 +0100[diff] [blame]449 ( void ) nonce_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]450
451 return ( PSA_ERROR_NOT_SUPPORTED );
452 }
453
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]454 return( status );
455}
Paul Elliottefda3402021-08-25 17:16:52 +0100[diff] [blame]456
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100[diff] [blame]457 /* Declare the lengths of the message and additional data for AEAD. */
458psa_status_t mbedtls_psa_aead_set_lengths(
459 mbedtls_psa_aead_operation_t *operation,
460 size_t ad_length,
461 size_t plaintext_length )
462{
Paul Elliott814f0c52021-09-28 14:41:22 +0100[diff] [blame]463 /* Nothing here yet, work is currently done in PSA Core, however support
464 * for CCM will require this function. */
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100[diff] [blame]465 ( void ) operation;
466 ( void ) ad_length;
467 ( void ) plaintext_length;
468
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100[diff] [blame]469 return ( PSA_SUCCESS );
470}
471
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]472/* Pass additional data to an active multipart AEAD operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]473psa_status_t mbedtls_psa_aead_update_ad(
474 mbedtls_psa_aead_operation_t *operation,
475 const uint8_t *input,
476 size_t input_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]477{
478 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
479
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]480#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
481 if( operation->alg == PSA_ALG_GCM )
482 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]483 status = mbedtls_to_psa_error(
Paul Elliott83f09ef2021-05-21 19:28:26 +0100[diff] [blame]484 mbedtls_gcm_update_ad( &operation->ctx.gcm, input, input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]485 }
486 else
487#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]488#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
489 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
490 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]491 status = mbedtls_to_psa_error(
492 mbedtls_chachapoly_update_aad( &operation->ctx.chachapoly,
493 input,
494 input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]495 }
496 else
497#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
498 {
Paul Elliottbc949782021-06-03 15:29:00 +0100[diff] [blame]499 ( void ) operation;
500 ( void ) input;
501 ( void ) input_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]502
503 return ( PSA_ERROR_NOT_SUPPORTED );
504 }
505
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]506 return ( status );
507}
508
509/* Encrypt or decrypt a message fragment in an active multipart AEAD
510 * operation.*/
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]511psa_status_t mbedtls_psa_aead_update(
512 mbedtls_psa_aead_operation_t *operation,
513 const uint8_t *input,
514 size_t input_length,
515 uint8_t *output,
516 size_t output_size,
517 size_t *output_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]518{
Paul Elliotte2c788d2021-05-13 17:16:01 +0100[diff] [blame]519 size_t update_output_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]520 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
521
Paul Elliotte2c788d2021-05-13 17:16:01 +0100[diff] [blame]522 update_output_length = input_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]523
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]524#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
525 if( operation->alg == PSA_ALG_GCM )
526 {
Paul Elliott83f09ef2021-05-21 19:28:26 +0100[diff] [blame]527 status = mbedtls_to_psa_error(
528 mbedtls_gcm_update( &operation->ctx.gcm,
529 input, input_length,
530 output, output_size,
531 &update_output_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]532 }
533 else
534#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]535#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
536 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
537 {
Paul Elliottecce9012021-07-23 15:44:11 +0100[diff] [blame]538 if( output_size < input_length )
539 return( PSA_ERROR_BUFFER_TOO_SMALL );
540
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]541 status = mbedtls_to_psa_error(
542 mbedtls_chachapoly_update( &operation->ctx.chachapoly,
543 input_length,
544 input,
545 output ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]546 }
547 else
548#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
549 {
Ronald Cron17006702021-12-03 15:25:24 +0100[diff] [blame]550 ( void ) operation;
Paul Elliottbc949782021-06-03 15:29:00 +0100[diff] [blame]551 ( void ) input;
Ronald Cron17006702021-12-03 15:25:24 +0100[diff] [blame]552 ( void ) output;
553 ( void ) output_size;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]554
555 return ( PSA_ERROR_NOT_SUPPORTED );
556 }
557
558 if( status == PSA_SUCCESS )
Paul Elliotte2c788d2021-05-13 17:16:01 +0100[diff] [blame]559 *output_length = update_output_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]560
561 return( status );
562}
563
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]564/* Finish encrypting a message in a multipart AEAD operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]565psa_status_t mbedtls_psa_aead_finish(
566 mbedtls_psa_aead_operation_t *operation,
567 uint8_t *ciphertext,
568 size_t ciphertext_size,
569 size_t *ciphertext_length,
570 uint8_t *tag,
571 size_t tag_size,
572 size_t *tag_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]573{
574 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]575 size_t finish_output_size = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]576
Paul Elliott315628d2021-07-20 18:25:54 +0100[diff] [blame]577 if( tag_size < operation->tag_length )
578 return( PSA_ERROR_BUFFER_TOO_SMALL );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]579
580#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
581 if( operation->alg == PSA_ALG_GCM )
Paul Elliottecce9012021-07-23 15:44:11 +0100[diff] [blame]582 {
Paul Elliott83f09ef2021-05-21 19:28:26 +0100[diff] [blame]583 status = mbedtls_to_psa_error(
584 mbedtls_gcm_finish( &operation->ctx.gcm,
Paul Elliott71b05672021-09-24 11:18:13 +0100[diff] [blame]585 ciphertext, ciphertext_size, ciphertext_length,
Paul Elliott2fe5db82021-07-22 18:10:43 +0100[diff] [blame]586 tag, operation->tag_length ) );
Paul Elliottecce9012021-07-23 15:44:11 +0100[diff] [blame]587 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]588 else
589#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]590#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
591 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
Paul Elliotted08cf82021-07-22 18:48:24 +0100[diff] [blame]592 {
593 /* Belt and braces. Although the above tag_size check should have
594 * already done this, if we later start supporting smaller tag sizes
595 * for chachapoly, then passing a tag buffer smaller than 16 into here
596 * could cause a buffer overflow, so better safe than sorry. */
597 if( tag_size < 16 )
598 return( PSA_ERROR_BUFFER_TOO_SMALL );
599
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]600 status = mbedtls_to_psa_error(
Paul Elliott83f09ef2021-05-21 19:28:26 +0100[diff] [blame]601 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
602 tag ) );
Paul Elliotted08cf82021-07-22 18:48:24 +0100[diff] [blame]603 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]604 else
605#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
606 {
607 ( void ) ciphertext;
608 ( void ) ciphertext_size;
609 ( void ) ciphertext_length;
610 ( void ) tag;
611 ( void ) tag_size;
612 ( void ) tag_length;
613
614 return ( PSA_ERROR_NOT_SUPPORTED );
615 }
616
617 if( status == PSA_SUCCESS )
618 {
Paul Elliott8ff74212021-09-19 18:39:23 +0100[diff] [blame]619 /* This will be zero for all supported algorithms currently, but left
620 * here for future support. */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]621 *ciphertext_length = finish_output_size;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]622 *tag_length = operation->tag_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]623 }
624
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]625 return ( status );
626}
627
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]628/* Abort an AEAD operation */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]629psa_status_t mbedtls_psa_aead_abort(
630 mbedtls_psa_aead_operation_t *operation )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]631{
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]632 switch( operation->alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]633 {
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]634#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
635 case PSA_ALG_CCM:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]636 mbedtls_ccm_free( &operation->ctx.ccm );
637 break;
638#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
639#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
640 case PSA_ALG_GCM:
641 mbedtls_gcm_free( &operation->ctx.gcm );
642 break;
643#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
644#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]645 case PSA_ALG_CHACHA20_POLY1305:
646 mbedtls_chachapoly_free( &operation->ctx.chachapoly );
647 break;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]648#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
649 }
650
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]651 operation->is_encrypt = 0;
Paul Elliott1a98aca2021-05-20 18:24:07 +0100[diff] [blame]652
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]653 return( PSA_SUCCESS );
654}
655
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]656#endif /* MBEDTLS_PSA_CRYPTO_C */
657