TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2df40057b3ce3682a4ca36a4bff4c5bd3088091c / . / library / psa_crypto_aead.c
blob: f5b4dc512fc5c6fd8d6832ca66916ba8d215f365 [file] [log] [blame]
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]1/*
2 * PSA AEAD entry points
3 */
4/*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21#include "common.h"
22
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]23
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]24#if defined(MBEDTLS_PSA_CRYPTO_C)
25
26#include "psa_crypto_aead.h"
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]27#include "psa_crypto_core.h"
28
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]29#include <string.h>
30#include "mbedtls/platform.h"
31#if !defined(MBEDTLS_PLATFORM_C)
32#define mbedtls_calloc calloc
33#define mbedtls_free free
34#endif
35
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]36#include "mbedtls/ccm.h"
37#include "mbedtls/chachapoly.h"
38#include "mbedtls/cipher.h"
39#include "mbedtls/gcm.h"
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]40#include "mbedtls/error.h"
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]41
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]42/* Constant-time buffer comparison. This is duplication of code from
43 * psa_crypto.c, but has nowhere private I can put it for the minute. Really
44 belongs in the constant time module, when that gets implemented */
45static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]46{
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]47 size_t i;
48 unsigned char diff = 0;
49
50 for( i = 0; i < n; i++ )
51 diff |= a[i] ^ b[i];
52
53 return( diff );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]54}
55
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]56
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]57static psa_status_t psa_aead_setup(
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]58 psa_aead_operation_t *operation,
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]59 const psa_key_attributes_t *attributes,
60 const uint8_t *key_buffer,
61 psa_algorithm_t alg )
62{
63 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
64 size_t key_bits;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]65 const mbedtls_cipher_info_t *cipher_info;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]66 mbedtls_cipher_id_t cipher_id;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]67 size_t full_tag_length = 0;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]68
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]69 if( operation->key_set || operation->nonce_set ||
70 operation->ad_started || operation->body_started )
71 {
72 return( PSA_ERROR_BAD_STATE );
73 }
74
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]75 key_bits = attributes->core.bits;
76
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]77 cipher_info = mbedtls_cipher_info_from_psa( alg,
78 attributes->core.type, key_bits,
79 &cipher_id );
80 if( cipher_info == NULL )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]81 return( PSA_ERROR_NOT_SUPPORTED );
82
83 switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) )
84 {
85#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
86 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]87 operation->alg = PSA_ALG_CCM;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]88 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]89 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
90 * The call to mbedtls_ccm_encrypt_and_tag or
91 * mbedtls_ccm_auth_decrypt will validate the tag length. */
92 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
93 return( PSA_ERROR_INVALID_ARGUMENT );
94
95 mbedtls_ccm_init( &operation->ctx.ccm );
96 status = mbedtls_to_psa_error(
97 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
98 key_buffer, (unsigned int) key_bits ) );
99 if( status != PSA_SUCCESS )
100 return( status );
101 break;
102#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
103
104#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
105 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]106 operation->alg = PSA_ALG_GCM;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]107 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]108 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
109 * The call to mbedtls_gcm_crypt_and_tag or
110 * mbedtls_gcm_auth_decrypt will validate the tag length. */
111 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
112 return( PSA_ERROR_INVALID_ARGUMENT );
113
114 mbedtls_gcm_init( &operation->ctx.gcm );
115 status = mbedtls_to_psa_error(
116 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
117 key_buffer, (unsigned int) key_bits ) );
118 if( status != PSA_SUCCESS )
119 return( status );
120 break;
121#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
122
123#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
124 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]125 operation->alg = PSA_ALG_CHACHA20_POLY1305;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]126 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]127 /* We only support the default tag length. */
128 if( alg != PSA_ALG_CHACHA20_POLY1305 )
129 return( PSA_ERROR_NOT_SUPPORTED );
130
131 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
132 status = mbedtls_to_psa_error(
133 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
134 key_buffer ) );
135 if( status != PSA_SUCCESS )
136 return( status );
137 break;
138#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
139
140 default:
141 return( PSA_ERROR_NOT_SUPPORTED );
142 }
143
Bence Szépkútiec174e22021-03-19 18:46:15 +0100[diff] [blame]144 if( PSA_AEAD_TAG_LENGTH( attributes->core.type,
145 key_bits, alg )
146 > full_tag_length )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]147 return( PSA_ERROR_INVALID_ARGUMENT );
148
Bence Szépkútiec174e22021-03-19 18:46:15 +0100[diff] [blame]149 operation->tag_length = PSA_AEAD_TAG_LENGTH( attributes->core.type,
150 key_bits,
151 alg );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]152
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]153 operation->key_set = 1;
154
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]155 return( PSA_SUCCESS );
156}
157
158psa_status_t mbedtls_psa_aead_encrypt(
159 const psa_key_attributes_t *attributes,
160 const uint8_t *key_buffer, size_t key_buffer_size,
161 psa_algorithm_t alg,
162 const uint8_t *nonce, size_t nonce_length,
163 const uint8_t *additional_data, size_t additional_data_length,
164 const uint8_t *plaintext, size_t plaintext_length,
165 uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length )
166{
167 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]168 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]169 uint8_t *tag;
170 (void) key_buffer_size;
171
172 status = psa_aead_setup( &operation, attributes, key_buffer, alg );
173 if( status != PSA_SUCCESS )
174 goto exit;
175
176 /* For all currently supported modes, the tag is at the end of the
177 * ciphertext. */
178 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
179 {
180 status = PSA_ERROR_BUFFER_TOO_SMALL;
181 goto exit;
182 }
183 tag = ciphertext + plaintext_length;
184
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]185#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]186 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]187 {
188 status = mbedtls_to_psa_error(
189 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
190 plaintext_length,
191 nonce, nonce_length,
192 additional_data,
193 additional_data_length,
194 plaintext, ciphertext,
195 tag, operation.tag_length ) );
196 }
197 else
198#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]199#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]200 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]201 {
202 status = mbedtls_to_psa_error(
203 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
204 MBEDTLS_GCM_ENCRYPT,
205 plaintext_length,
206 nonce, nonce_length,
207 additional_data, additional_data_length,
208 plaintext, ciphertext,
209 operation.tag_length, tag ) );
210 }
211 else
212#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]213#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]214 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]215 {
216 if( nonce_length != 12 || operation.tag_length != 16 )
217 {
218 status = PSA_ERROR_NOT_SUPPORTED;
219 goto exit;
220 }
221 status = mbedtls_to_psa_error(
222 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
223 plaintext_length,
224 nonce,
225 additional_data,
226 additional_data_length,
227 plaintext,
228 ciphertext,
229 tag ) );
230 }
231 else
232#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
233 {
234 (void) tag;
235 return( PSA_ERROR_NOT_SUPPORTED );
236 }
237
238 if( status == PSA_SUCCESS )
239 *ciphertext_length = plaintext_length + operation.tag_length;
240
241exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]242 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]243
244 return( status );
245}
246
247/* Locate the tag in a ciphertext buffer containing the encrypted data
248 * followed by the tag. Return the length of the part preceding the tag in
249 * *plaintext_length. This is the size of the plaintext in modes where
250 * the encrypted data has the same size as the plaintext, such as
251 * CCM and GCM. */
252static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
253 const uint8_t *ciphertext,
254 size_t ciphertext_length,
255 size_t plaintext_size,
256 const uint8_t **p_tag )
257{
258 size_t payload_length;
259 if( tag_length > ciphertext_length )
260 return( PSA_ERROR_INVALID_ARGUMENT );
261 payload_length = ciphertext_length - tag_length;
262 if( payload_length > plaintext_size )
263 return( PSA_ERROR_BUFFER_TOO_SMALL );
264 *p_tag = ciphertext + payload_length;
265 return( PSA_SUCCESS );
266}
267
268psa_status_t mbedtls_psa_aead_decrypt(
269 const psa_key_attributes_t *attributes,
270 const uint8_t *key_buffer, size_t key_buffer_size,
271 psa_algorithm_t alg,
272 const uint8_t *nonce, size_t nonce_length,
273 const uint8_t *additional_data, size_t additional_data_length,
274 const uint8_t *ciphertext, size_t ciphertext_length,
275 uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length )
276{
277 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]278 psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]279 const uint8_t *tag = NULL;
280 (void) key_buffer_size;
281
282 status = psa_aead_setup( &operation, attributes, key_buffer, alg );
283 if( status != PSA_SUCCESS )
284 goto exit;
285
286 status = psa_aead_unpadded_locate_tag( operation.tag_length,
287 ciphertext, ciphertext_length,
288 plaintext_size, &tag );
289 if( status != PSA_SUCCESS )
290 goto exit;
291
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]292#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]293 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]294 {
295 status = mbedtls_to_psa_error(
296 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
297 ciphertext_length - operation.tag_length,
298 nonce, nonce_length,
299 additional_data,
300 additional_data_length,
301 ciphertext, plaintext,
302 tag, operation.tag_length ) );
303 }
304 else
305#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]306#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]307 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]308 {
309 status = mbedtls_to_psa_error(
310 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
311 ciphertext_length - operation.tag_length,
312 nonce, nonce_length,
313 additional_data,
314 additional_data_length,
315 tag, operation.tag_length,
316 ciphertext, plaintext ) );
317 }
318 else
319#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]320#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]321 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]322 {
323 if( nonce_length != 12 || operation.tag_length != 16 )
324 {
325 status = PSA_ERROR_NOT_SUPPORTED;
326 goto exit;
327 }
328 status = mbedtls_to_psa_error(
329 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
330 ciphertext_length - operation.tag_length,
331 nonce,
332 additional_data,
333 additional_data_length,
334 tag,
335 ciphertext,
336 plaintext ) );
337 }
338 else
339#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
340 {
341 return( PSA_ERROR_NOT_SUPPORTED );
342 }
343
344 if( status == PSA_SUCCESS )
345 *plaintext_length = ciphertext_length - operation.tag_length;
346
347exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]348 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]349
350 if( status == PSA_SUCCESS )
351 *plaintext_length = ciphertext_length - operation.tag_length;
352 return( status );
353}
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]354
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]355/* Set the key and algorithm for a multipart authenticated encryption
356 * operation. */
357psa_status_t mbedtls_psa_aead_encrypt_setup( psa_aead_operation_t *operation,
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]358 const psa_key_attributes_t
359 *attributes,
360 const uint8_t *key_buffer,
361 size_t key_buffer_size,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]362 psa_algorithm_t alg )
363{
364 psa_status_t status;
365
366 (void) key_buffer_size;
367
368 status = psa_aead_setup( operation, attributes, key_buffer, alg );
369
370 if( status == PSA_SUCCESS )
371 {
372 operation->is_encrypt = 1;
373 }
374
375 return ( status );
376}
377
378/* Set the key and algorithm for a multipart authenticated decryption
379 * operation. */
380psa_status_t mbedtls_psa_aead_decrypt_setup( psa_aead_operation_t *operation,
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]381 const psa_key_attributes_t
382 *attributes,
383 const uint8_t *key_buffer,
384 size_t key_buffer_size,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]385 psa_algorithm_t alg )
386{
387 psa_status_t status;
388
389 (void) key_buffer_size;
390
391 status = psa_aead_setup( operation, attributes, key_buffer, alg );
392
393 if( status == PSA_SUCCESS )
394 {
395 operation->is_encrypt = 0;
396 }
397
398 return ( status );
399}
400
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]401/* Set a nonce for the multipart AEAD operation*/
402psa_status_t mbedtls_psa_aead_set_nonce( psa_aead_operation_t *operation,
403 const uint8_t *nonce,
404 size_t nonce_length )
405{
406 psa_status_t status;
407
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]408 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
409 if( operation->alg == PSA_ALG_GCM )
410 {
411 /* GCM sets nonce once additional data has been supplied */
412 memcpy(operation->nonce, nonce, nonce_length);
413
414 /* We know that nonce size cannot exceed the uint8_t size */
415 operation->nonce_length = ( uint8_t ) nonce_length;
416 status = PSA_SUCCESS;
417 }
418 else
419#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
420#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
421 if( operation->alg == PSA_ALG_CCM )
422 {
423 /* Multipart CCM not supported as yet, so CCM is basically operating
424 in oneshot mode. Store the nonce as we need this later */
425 memcpy(operation->nonce, nonce, nonce_length);
426
427 /* We know that nonce size cannot exceed the uint8_t size */
428 operation->nonce_length = ( uint8_t ) nonce_length;
429 status = PSA_SUCCESS;
430 }
431 else
432#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
433#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
434 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
435 {
436 if( nonce_length != 12 && nonce_length != 8)
437 {
438 return( PSA_ERROR_INVALID_ARGUMENT );
439 }
440
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]441 status = mbedtls_to_psa_error(
442 mbedtls_chachapoly_starts( &operation->ctx.chachapoly,
443 nonce,
444 operation->is_encrypt ?
445 MBEDTLS_CHACHAPOLY_ENCRYPT :
446 MBEDTLS_CHACHAPOLY_DECRYPT ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]447 }
448 else
449#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
450 {
451 ( void ) nonce;
452 ( void ) nonce_length;
453
454 return ( PSA_ERROR_NOT_SUPPORTED );
455 }
456
457 if( status == PSA_SUCCESS )
458 {
459 operation->nonce_set = 1;
460 }
461
462 return( status );
463}
464 /* Declare the lengths of the message and additional data for AEAD. */
465psa_status_t mbedtls_psa_aead_set_lengths( psa_aead_operation_t *operation,
466 size_t ad_length,
467 size_t plaintext_length )
468{
469
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]470#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
471 if( operation->alg == PSA_ALG_GCM )
472 {
473#if SIZE_MAX > UINT32_MAX
474 if( ( (uint64_t) ad_length ) >> 61 != 0 ||
475 ( (uint64_t) plaintext_length ) > 0xFFFFFFFE0ull )
476 {
477 return ( PSA_ERROR_INVALID_ARGUMENT );
478 }
479#endif
480 }
481 else
482#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
483#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
484 if( operation->alg == PSA_ALG_CCM )
485 {
486 if( ad_length > 0xFF00 )
487 {
488 return ( PSA_ERROR_INVALID_ARGUMENT );
489 }
490 }
491 else
492#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
493#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
494 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
495 {
496 /* No length restrictions for ChaChaPoly. */
497 }
498 else
499#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
500 {
501 ( void ) ad_length;
502 ( void ) plaintext_length;
503
504 return ( PSA_ERROR_NOT_SUPPORTED );
505 }
506
507 operation->ad_remaining = ad_length;
508 operation->body_remaining = plaintext_length;
509 operation->lengths_set = 1;
510
511 return ( PSA_SUCCESS );
512}
513
514/* Pass additional data to an active multipart AEAD operation. */
515psa_status_t mbedtls_psa_aead_update_ad( psa_aead_operation_t *operation,
516 const uint8_t *input,
517 size_t input_length )
518{
519 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
520
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]521 if( operation->lengths_set )
522 {
523 if ( operation->ad_remaining < input_length )
524 {
525 return( PSA_ERROR_INVALID_ARGUMENT );
526 }
527
528 operation->ad_remaining -= input_length;
529 }
530
531#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
532 if( operation->alg == PSA_ALG_GCM )
533 {
534 if( !operation->lengths_set || operation->ad_started )
535 {
536 return( PSA_ERROR_BAD_STATE );
537 }
538
539 /* GCM currently requires all the additional data to be passed in in
540 * one contigious buffer, so until that is re-done, we have to enforce
541 * this, as we cannot allocate a buffer to collate multiple calls into.
542 */
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]543 if( operation->ad_remaining != 0 )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]544 {
545 return ( PSA_ERROR_INVALID_ARGUMENT );
546 }
547
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]548 status = mbedtls_to_psa_error(
549 mbedtls_gcm_starts( &operation->ctx.gcm,
550 operation->is_encrypt ?
551 MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
552 operation->nonce,
553 operation->nonce_length,
554 input,
555 input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]556
557 }
558 else
559#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
560#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
561 if( operation->alg == PSA_ALG_CCM )
562 {
563 /* CCM requires all additional data to be passed in in one go at the
564 minute, as we are basically operating in oneshot mode. */
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]565 if( operation->ad_started )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]566 {
567 return( PSA_ERROR_BAD_STATE );
568 }
569
570 /* Save the additional data for later, this will be passed in
571 when we have the body. */
572 operation->ad_buffer = ( uint8_t * ) mbedtls_calloc(1, input_length );
573
574 if( operation->ad_buffer )
575 {
576 memcpy( operation->ad_buffer, input, input_length );
577 operation->ad_length = input_length;
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]578 status = PSA_SUCCESS;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]579 }
580 else
581 {
582 return ( PSA_ERROR_INSUFFICIENT_MEMORY );
583 }
584 }
585 else
586#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
587#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
588 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
589 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]590 status = mbedtls_to_psa_error(
591 mbedtls_chachapoly_update_aad( &operation->ctx.chachapoly,
592 input,
593 input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]594 }
595 else
596#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
597 {
598 (void) input;
599 (void) input_length;
600
601 return ( PSA_ERROR_NOT_SUPPORTED );
602 }
603
604 if( status == PSA_SUCCESS )
605 {
606 operation->ad_started = 1;
607 }
608
609 return ( status );
610}
611
612/* Encrypt or decrypt a message fragment in an active multipart AEAD
613 * operation.*/
614psa_status_t mbedtls_psa_aead_update( psa_aead_operation_t *operation,
615 const uint8_t *input,
616 size_t input_length,
617 uint8_t *output,
618 size_t output_size,
619 size_t *output_length )
620{
621 size_t update_output_size;
622 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]623 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]624
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]625 update_output_size = input_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]626
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]627 if( PSA_AEAD_UPDATE_OUTPUT_SIZE( operation->key_type, operation->alg,
628 input_length ) > output_size )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]629 {
630 return ( PSA_ERROR_BUFFER_TOO_SMALL );
631 }
632
633 if( operation->lengths_set)
634 {
635 /* Additional data length was supplied, but not all the additional
636 data was supplied.*/
637 if( operation->ad_remaining != 0 )
638 {
639 return ( PSA_ERROR_INVALID_ARGUMENT );
640 }
641
642 /* Too much data provided. */
643 if( operation->body_remaining < input_length )
644 {
645 return ( PSA_ERROR_INVALID_ARGUMENT );
646 }
647
648 operation->body_remaining -= input_length;
649 }
650
651#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
652 if( operation->alg == PSA_ALG_GCM )
653 {
654 /* For the time being set the requirement that all of the body data
655 * must be passed in in one update, rather than deal with the complexity
656 * of non block size aligned updates. This will be fixed in 3.0 when
657 we can change the signature of the GCM multipart functions */
658 if( !operation->lengths_set || operation->body_remaining != 0 )
659 {
660 return( PSA_ERROR_BAD_STATE );
661 }
662
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]663 if( !operation->ad_started )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]664 {
665 return( PSA_ERROR_BAD_STATE );
666 }
667
668 status = mbedtls_to_psa_error( mbedtls_gcm_update( &operation->ctx.gcm,
669 input_length,
670 input,
671 output ) );
672 }
673 else
674#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
675#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
676 if( operation->alg == PSA_ALG_CCM )
677 {
678 /* CCM dooes not support multipart yet, so all the input has to be
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]679 passed in in one go. */
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]680 if( operation->body_started )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]681 {
682 return( PSA_ERROR_BAD_STATE );
683 }
684
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]685 /* Need to store tag for Finish() / Verify() */
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]686 operation->tag_buffer =
687 ( uint8_t * ) mbedtls_calloc(1, operation->tag_length );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]688
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]689 if( operation->tag_buffer )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]690 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]691
692 if( operation->is_encrypt )
693 {
694 /* Perform oneshot CCM encryption with additional data already
695 stored, as CCM does not support multipart yet.*/
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]696 status = mbedtls_to_psa_error(
697 mbedtls_ccm_encrypt_and_tag( &operation->ctx.ccm,
698 input_length,
699 operation->nonce,
700 operation->nonce_length,
701 operation->ad_buffer,
702 operation->ad_length,
703 input,
704 output,
705 operation->tag_buffer,
706 operation->tag_length ) );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]707
708 /* Even if the above operation fails, we no longer need the
709 additional data.*/
710 mbedtls_free(operation->ad_buffer);
711 operation->ad_buffer = NULL;
712 operation->ad_length = 0;
713 }
714 else
715 {
716 /* Need to back up the body data so we can do this again
717 later.*/
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]718 operation->body_buffer =
719 ( uint8_t * ) mbedtls_calloc(1, input_length );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]720
721 if( operation->body_buffer )
722 {
723 memcpy( operation->body_buffer, input, input_length );
724 operation->body_length = input_length;
725
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]726 /* this will fail, as the tag is clearly false, but will
727 write the decrypted data to the output buffer.*/
728 ret = mbedtls_ccm_auth_decrypt( &operation->ctx.ccm,
729 input_length,
730 operation->nonce,
731 operation->nonce_length,
732 operation->ad_buffer,
733 operation->ad_length,
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]734 input, output,
735 operation->tag_buffer,
736 operation->tag_length );
737
738 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
739 {
740 status = PSA_SUCCESS;
741 }
742 else
743 {
744 status = mbedtls_to_psa_error( ret );
745 }
746 }
747 else
748 {
749 status = PSA_ERROR_INSUFFICIENT_MEMORY;
750 }
751 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]752 }
753 else
754 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]755 status = PSA_ERROR_INSUFFICIENT_MEMORY;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]756 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]757 }
758 else
759#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
760#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
761 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
762 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]763 status = mbedtls_to_psa_error(
764 mbedtls_chachapoly_update( &operation->ctx.chachapoly,
765 input_length,
766 input,
767 output ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]768 }
769 else
770#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
771 {
772 (void) input;
773 (void) input_length;
774
775 return ( PSA_ERROR_NOT_SUPPORTED );
776 }
777
778 if( status == PSA_SUCCESS )
779 {
780 *output_length = update_output_size;
781 operation->body_started = 1;
782 }
783
784 return( status );
785}
786
787/* Common checks for both mbedtls_psa_aead_finish() and
788 mbedtls_psa_aead_verify() */
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]789static psa_status_t mbedtls_psa_aead_finish_checks( psa_aead_operation_t
790 *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]791 size_t output_size,
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]792 size_t tag_size )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]793{
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]794 size_t finish_output_size;
795
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]796 if( operation->lengths_set )
797 {
798 if( operation->ad_remaining != 0 || operation->body_remaining != 0 )
799 {
800 return( PSA_ERROR_BAD_STATE );
801 }
802 }
803
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]804 if( tag_size < operation->tag_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]805 {
806 return ( PSA_ERROR_BUFFER_TOO_SMALL );
807 }
808
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]809 if( operation->is_encrypt )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]810 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]811 finish_output_size =
812 PSA_AEAD_FINISH_OUTPUT_SIZE( operation->key_type,
813 operation->alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]814 }
815 else
816 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]817 finish_output_size =
818 PSA_AEAD_VERIFY_OUTPUT_SIZE( operation->key_type,
819 operation->alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]820 }
821
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]822 if( output_size < finish_output_size )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]823 {
824 return ( PSA_ERROR_BUFFER_TOO_SMALL );
825 }
826
827 return ( PSA_SUCCESS );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]828}
829
830/* Finish encrypting a message in a multipart AEAD operation. */
831psa_status_t mbedtls_psa_aead_finish( psa_aead_operation_t *operation,
832 uint8_t *ciphertext,
833 size_t ciphertext_size,
834 size_t *ciphertext_length,
835 uint8_t *tag,
836 size_t tag_size,
837 size_t *tag_length )
838{
839 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]840 size_t finish_output_size = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]841
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]842 status = mbedtls_psa_aead_finish_checks( operation, ciphertext_size,
843 tag_size );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]844
845 if( status != PSA_SUCCESS )
846 {
847 return status;
848 }
849
850#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
851 if( operation->alg == PSA_ALG_GCM )
852 {
853 /* We will need to do final GCM pass in here when multipart is done. */
854 status = mbedtls_to_psa_error( mbedtls_gcm_finish( &operation->ctx.gcm,
855 tag,
856 tag_size ) );
857 }
858 else
859#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
860#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
861 if( operation->alg == PSA_ALG_CCM )
862 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]863 /* Copy the previously generated tag into place */
864 memcpy( tag, operation->tag_buffer, operation->tag_length );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]865
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]866 mbedtls_free(operation->tag_buffer);
867 operation->tag_buffer = NULL;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]868
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]869 status = PSA_SUCCESS;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]870 }
871 else
872#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
873#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
874 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
875 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]876 status = mbedtls_to_psa_error(
877 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
878 tag ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]879 }
880 else
881#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
882 {
883 ( void ) ciphertext;
884 ( void ) ciphertext_size;
885 ( void ) ciphertext_length;
886 ( void ) tag;
887 ( void ) tag_size;
888 ( void ) tag_length;
889
890 return ( PSA_ERROR_NOT_SUPPORTED );
891 }
892
893 if( status == PSA_SUCCESS )
894 {
895 *ciphertext_length = finish_output_size;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]896 *tag_length = operation->tag_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]897 }
898
899 mbedtls_psa_aead_abort(operation);
900
901 return ( status );
902}
903
904/* Finish authenticating and decrypting a message in a multipart AEAD
905 * operation.*/
906psa_status_t mbedtls_psa_aead_verify( psa_aead_operation_t *operation,
907 uint8_t *plaintext,
908 size_t plaintext_size,
909 size_t *plaintext_length,
910 const uint8_t *tag,
911 size_t tag_length )
912{
913 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
914 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
915
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]916 uint8_t * temp_buffer;
917 size_t temp_buffer_size;
918
919 size_t finish_output_size = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]920
921 int do_tag_check = 1;
922 uint8_t check_tag[16];
923
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]924 status = mbedtls_psa_aead_finish_checks( operation, plaintext_size,
925 tag_length );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]926
927 if( status != PSA_SUCCESS )
928 {
929 return status;
930 }
931
932#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
933 if( operation->alg == PSA_ALG_GCM )
934 {
935 /* Call finish to get the tag for comparison */
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]936 status = mbedtls_to_psa_error(
937 mbedtls_gcm_finish( &operation->ctx.gcm,
938 check_tag,
939 operation->tag_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]940 }
941 else
942#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
943#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
944 if( operation->alg == PSA_ALG_CCM )
945 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]946 if( !operation->ad_buffer || !operation->body_buffer )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]947 {
948 return( PSA_ERROR_BAD_STATE );
949 }
950
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]951 /* Perform oneshot CCM decryption *again*, as its the
952 * only way to get the tag, but this time throw away the
953 results, as verify cannot write that much data. */
954 temp_buffer_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( operation->key_type,
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]955 operation->alg,
956 operation->body_length
957 );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]958
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]959 temp_buffer = ( uint8_t * ) mbedtls_calloc(1, temp_buffer_size );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]960
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]961 if( temp_buffer )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]962 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]963 ret = mbedtls_ccm_auth_decrypt( &operation->ctx.ccm,
964 operation->body_length,
965 operation->nonce,
966 operation->nonce_length,
967 operation->ad_buffer,
968 operation->ad_length,
969 operation->body_buffer,
970 temp_buffer, tag, tag_length );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]971
972 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
973 {
974 status = PSA_ERROR_INVALID_SIGNATURE;
975 }
976 else
977 {
978 status = mbedtls_to_psa_error( ret );
979 do_tag_check = 0;
980 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]981 }
982 else
983 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]984 status = PSA_ERROR_INSUFFICIENT_MEMORY;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]985 }
986
987 /* Even if the above operation fails, we no longer need the data */
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]988 mbedtls_free(temp_buffer);
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]989
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]990 mbedtls_free(operation->body_buffer);
991 operation->body_buffer = NULL;
992 operation->body_length = 0;
993
994 mbedtls_free(operation->tag_buffer);
995 operation->tag_buffer = NULL;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]996 }
997 else
998#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
999#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
1000 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
1001 {
1002 // call finish to get the tag for comparison.
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame^]1003 status = mbedtls_to_psa_error(
1004 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
1005 check_tag ) );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]1006
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1007 }
1008 else
1009#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
1010 {
1011 ( void ) plaintext;
1012 ( void ) plaintext_size;
1013 ( void ) plaintext_length;
1014 ( void ) tag;
1015 ( void ) tag_length;
1016
1017 return ( PSA_ERROR_NOT_SUPPORTED );
1018 }
1019
1020 if( status == PSA_SUCCESS )
1021 {
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]1022 *plaintext_length = finish_output_size;
1023
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1024 if( do_tag_check && safer_memcmp(tag, check_tag, tag_length) != 0 )
1025 {
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1026 status = PSA_ERROR_INVALID_SIGNATURE;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1027 }
1028 }
1029
1030 mbedtls_psa_aead_abort(operation);
1031
1032 return ( status );
1033}
1034
1035/* Abort an AEAD operation */
1036psa_status_t mbedtls_psa_aead_abort( psa_aead_operation_t *operation )
1037{
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1038 switch( operation->alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1039 {
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1040#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
1041 case PSA_ALG_CCM:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1042 mbedtls_ccm_free( &operation->ctx.ccm );
1043 break;
1044#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
1045#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
1046 case PSA_ALG_GCM:
1047 mbedtls_gcm_free( &operation->ctx.gcm );
1048 break;
1049#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
1050#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1051 case PSA_ALG_CHACHA20_POLY1305:
1052 mbedtls_chachapoly_free( &operation->ctx.chachapoly );
1053 break;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1054#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
1055 }
1056
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]1057 mbedtls_free(operation->ad_buffer);
1058 operation->ad_buffer = NULL;
1059 operation->ad_length = 0;
1060
1061 mbedtls_free(operation->body_buffer);
1062 operation->body_buffer = NULL;
1063 operation->body_length = 0;
1064
1065 mbedtls_free(operation->tag_buffer);
1066 operation->tag_buffer = NULL;
1067
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1068 return( PSA_SUCCESS );
1069}
1070
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]1071#endif /* MBEDTLS_PSA_CRYPTO_C */
1072