TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / cc3585973910c4318b690f372fcd220823d41c73 / . / library / psa_crypto_aead.c
blob: 37a4545b6eb12ddc2749ac9970fca3707c133dfd [file] [log] [blame]
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]1/*
2 * PSA AEAD entry points
3 */
4/*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21#include "common.h"
22
23#if defined(MBEDTLS_PSA_CRYPTO_C)
24
25#include "psa_crypto_aead.h"
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]26#include "psa_crypto_core.h"
27
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]28#include <string.h>
29#include "mbedtls/platform.h"
30#if !defined(MBEDTLS_PLATFORM_C)
31#define mbedtls_calloc calloc
32#define mbedtls_free free
33#endif
34
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]35#include "mbedtls/ccm.h"
36#include "mbedtls/chachapoly.h"
37#include "mbedtls/cipher.h"
38#include "mbedtls/gcm.h"
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]39#include "mbedtls/error.h"
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]40
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]41static psa_status_t psa_aead_setup(
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]42 mbedtls_psa_aead_operation_t *operation,
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]43 const psa_key_attributes_t *attributes,
44 const uint8_t *key_buffer,
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame^]45 size_t key_buffer_size,
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]46 psa_algorithm_t alg )
47{
48 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
49 size_t key_bits;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]50 const mbedtls_cipher_info_t *cipher_info;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]51 mbedtls_cipher_id_t cipher_id;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]52 size_t full_tag_length = 0;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]53
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame^]54 ( void ) key_buffer_size;
55
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]56 key_bits = attributes->core.bits;
57
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]58 cipher_info = mbedtls_cipher_info_from_psa( alg,
59 attributes->core.type, key_bits,
60 &cipher_id );
61 if( cipher_info == NULL )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]62 return( PSA_ERROR_NOT_SUPPORTED );
63
64 switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) )
65 {
66#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
67 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]68 operation->alg = PSA_ALG_CCM;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]69 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]70 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
71 * The call to mbedtls_ccm_encrypt_and_tag or
72 * mbedtls_ccm_auth_decrypt will validate the tag length. */
73 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
74 return( PSA_ERROR_INVALID_ARGUMENT );
75
76 mbedtls_ccm_init( &operation->ctx.ccm );
77 status = mbedtls_to_psa_error(
78 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
79 key_buffer, (unsigned int) key_bits ) );
80 if( status != PSA_SUCCESS )
81 return( status );
82 break;
83#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
84
85#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
86 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]87 operation->alg = PSA_ALG_GCM;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]88 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]89 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
90 * The call to mbedtls_gcm_crypt_and_tag or
91 * mbedtls_gcm_auth_decrypt will validate the tag length. */
92 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
93 return( PSA_ERROR_INVALID_ARGUMENT );
94
95 mbedtls_gcm_init( &operation->ctx.gcm );
96 status = mbedtls_to_psa_error(
97 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
98 key_buffer, (unsigned int) key_bits ) );
99 if( status != PSA_SUCCESS )
100 return( status );
101 break;
102#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
103
104#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
105 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]106 operation->alg = PSA_ALG_CHACHA20_POLY1305;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]107 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]108 /* We only support the default tag length. */
109 if( alg != PSA_ALG_CHACHA20_POLY1305 )
110 return( PSA_ERROR_NOT_SUPPORTED );
111
112 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
113 status = mbedtls_to_psa_error(
114 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
115 key_buffer ) );
116 if( status != PSA_SUCCESS )
117 return( status );
118 break;
119#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
120
121 default:
122 return( PSA_ERROR_NOT_SUPPORTED );
123 }
124
Bence Szépkútiec174e22021-03-19 18:46:15 +0100[diff] [blame]125 if( PSA_AEAD_TAG_LENGTH( attributes->core.type,
126 key_bits, alg )
127 > full_tag_length )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]128 return( PSA_ERROR_INVALID_ARGUMENT );
129
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]130 operation->key_type = psa_get_key_type( attributes );
131
132 operation->tag_length = PSA_AEAD_TAG_LENGTH( operation->key_type,
Bence Szépkútiec174e22021-03-19 18:46:15 +0100[diff] [blame]133 key_bits,
134 alg );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]135
136 return( PSA_SUCCESS );
137}
138
139psa_status_t mbedtls_psa_aead_encrypt(
140 const psa_key_attributes_t *attributes,
141 const uint8_t *key_buffer, size_t key_buffer_size,
142 psa_algorithm_t alg,
143 const uint8_t *nonce, size_t nonce_length,
144 const uint8_t *additional_data, size_t additional_data_length,
145 const uint8_t *plaintext, size_t plaintext_length,
146 uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length )
147{
148 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]149 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]150 uint8_t *tag;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]151
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame^]152 status = psa_aead_setup( &operation, attributes, key_buffer,
153 key_buffer_size, alg );
154
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]155 if( status != PSA_SUCCESS )
156 goto exit;
157
158 /* For all currently supported modes, the tag is at the end of the
159 * ciphertext. */
160 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
161 {
162 status = PSA_ERROR_BUFFER_TOO_SMALL;
163 goto exit;
164 }
165 tag = ciphertext + plaintext_length;
166
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]167#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]168 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]169 {
170 status = mbedtls_to_psa_error(
171 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
172 plaintext_length,
173 nonce, nonce_length,
174 additional_data,
175 additional_data_length,
176 plaintext, ciphertext,
177 tag, operation.tag_length ) );
178 }
179 else
180#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]181#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]182 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]183 {
184 status = mbedtls_to_psa_error(
185 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
186 MBEDTLS_GCM_ENCRYPT,
187 plaintext_length,
188 nonce, nonce_length,
189 additional_data, additional_data_length,
190 plaintext, ciphertext,
191 operation.tag_length, tag ) );
192 }
193 else
194#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]195#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]196 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]197 {
198 if( nonce_length != 12 || operation.tag_length != 16 )
199 {
200 status = PSA_ERROR_NOT_SUPPORTED;
201 goto exit;
202 }
203 status = mbedtls_to_psa_error(
204 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
205 plaintext_length,
206 nonce,
207 additional_data,
208 additional_data_length,
209 plaintext,
210 ciphertext,
211 tag ) );
212 }
213 else
214#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
215 {
216 (void) tag;
217 return( PSA_ERROR_NOT_SUPPORTED );
218 }
219
220 if( status == PSA_SUCCESS )
221 *ciphertext_length = plaintext_length + operation.tag_length;
222
223exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]224 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]225
226 return( status );
227}
228
229/* Locate the tag in a ciphertext buffer containing the encrypted data
230 * followed by the tag. Return the length of the part preceding the tag in
231 * *plaintext_length. This is the size of the plaintext in modes where
232 * the encrypted data has the same size as the plaintext, such as
233 * CCM and GCM. */
234static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
235 const uint8_t *ciphertext,
236 size_t ciphertext_length,
237 size_t plaintext_size,
238 const uint8_t **p_tag )
239{
240 size_t payload_length;
241 if( tag_length > ciphertext_length )
242 return( PSA_ERROR_INVALID_ARGUMENT );
243 payload_length = ciphertext_length - tag_length;
244 if( payload_length > plaintext_size )
245 return( PSA_ERROR_BUFFER_TOO_SMALL );
246 *p_tag = ciphertext + payload_length;
247 return( PSA_SUCCESS );
248}
249
250psa_status_t mbedtls_psa_aead_decrypt(
251 const psa_key_attributes_t *attributes,
252 const uint8_t *key_buffer, size_t key_buffer_size,
253 psa_algorithm_t alg,
254 const uint8_t *nonce, size_t nonce_length,
255 const uint8_t *additional_data, size_t additional_data_length,
256 const uint8_t *ciphertext, size_t ciphertext_length,
257 uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length )
258{
259 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]260 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]261 const uint8_t *tag = NULL;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]262
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame^]263 status = psa_aead_setup( &operation, attributes, key_buffer,
264 key_buffer_size, alg );
265
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]266 if( status != PSA_SUCCESS )
267 goto exit;
268
269 status = psa_aead_unpadded_locate_tag( operation.tag_length,
270 ciphertext, ciphertext_length,
271 plaintext_size, &tag );
272 if( status != PSA_SUCCESS )
273 goto exit;
274
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]275#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]276 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]277 {
278 status = mbedtls_to_psa_error(
279 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
280 ciphertext_length - operation.tag_length,
281 nonce, nonce_length,
282 additional_data,
283 additional_data_length,
284 ciphertext, plaintext,
285 tag, operation.tag_length ) );
286 }
287 else
288#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]289#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]290 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]291 {
292 status = mbedtls_to_psa_error(
293 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
294 ciphertext_length - operation.tag_length,
295 nonce, nonce_length,
296 additional_data,
297 additional_data_length,
298 tag, operation.tag_length,
299 ciphertext, plaintext ) );
300 }
301 else
302#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]303#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]304 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]305 {
306 if( nonce_length != 12 || operation.tag_length != 16 )
307 {
308 status = PSA_ERROR_NOT_SUPPORTED;
309 goto exit;
310 }
311 status = mbedtls_to_psa_error(
312 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
313 ciphertext_length - operation.tag_length,
314 nonce,
315 additional_data,
316 additional_data_length,
317 tag,
318 ciphertext,
319 plaintext ) );
320 }
321 else
322#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
323 {
324 return( PSA_ERROR_NOT_SUPPORTED );
325 }
326
327 if( status == PSA_SUCCESS )
328 *plaintext_length = ciphertext_length - operation.tag_length;
329
330exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]331 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]332
333 if( status == PSA_SUCCESS )
334 *plaintext_length = ciphertext_length - operation.tag_length;
335 return( status );
336}
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]337
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]338/* Set the key and algorithm for a multipart authenticated encryption
339 * operation. */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]340psa_status_t mbedtls_psa_aead_encrypt_setup( mbedtls_psa_aead_operation_t
341 *operation,
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]342 const psa_key_attributes_t
343 *attributes,
344 const uint8_t *key_buffer,
345 size_t key_buffer_size,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]346 psa_algorithm_t alg )
347{
348 psa_status_t status;
349
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame^]350 status = psa_aead_setup( operation, attributes, key_buffer,
351 key_buffer_size, alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]352
353 if( status == PSA_SUCCESS )
354 {
355 operation->is_encrypt = 1;
356 }
357
358 return ( status );
359}
360
361/* Set the key and algorithm for a multipart authenticated decryption
362 * operation. */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]363psa_status_t mbedtls_psa_aead_decrypt_setup( mbedtls_psa_aead_operation_t
364 *operation,
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]365 const psa_key_attributes_t
366 *attributes,
367 const uint8_t *key_buffer,
368 size_t key_buffer_size,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]369 psa_algorithm_t alg )
370{
371 psa_status_t status;
372
373 (void) key_buffer_size;
374
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame^]375 status = psa_aead_setup( operation, attributes, key_buffer,
376 key_buffer_size, alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]377
378 if( status == PSA_SUCCESS )
379 {
380 operation->is_encrypt = 0;
381 }
382
383 return ( status );
384}
385
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]386/* Set a nonce for the multipart AEAD operation*/
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]387psa_status_t mbedtls_psa_aead_set_nonce( mbedtls_psa_aead_operation_t
388 *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]389 const uint8_t *nonce,
390 size_t nonce_length )
391{
392 psa_status_t status;
393
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]394 #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
395 if( operation->alg == PSA_ALG_GCM )
396 {
397 /* GCM sets nonce once additional data has been supplied */
398 memcpy(operation->nonce, nonce, nonce_length);
399
400 /* We know that nonce size cannot exceed the uint8_t size */
401 operation->nonce_length = ( uint8_t ) nonce_length;
402 status = PSA_SUCCESS;
403 }
404 else
405#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
406#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
407 if( operation->alg == PSA_ALG_CCM )
408 {
409 /* Multipart CCM not supported as yet, so CCM is basically operating
410 in oneshot mode. Store the nonce as we need this later */
411 memcpy(operation->nonce, nonce, nonce_length);
412
413 /* We know that nonce size cannot exceed the uint8_t size */
414 operation->nonce_length = ( uint8_t ) nonce_length;
415 status = PSA_SUCCESS;
416 }
417 else
418#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
419#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
420 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
421 {
422 if( nonce_length != 12 && nonce_length != 8)
423 {
424 return( PSA_ERROR_INVALID_ARGUMENT );
425 }
426
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]427 status = mbedtls_to_psa_error(
428 mbedtls_chachapoly_starts( &operation->ctx.chachapoly,
429 nonce,
430 operation->is_encrypt ?
431 MBEDTLS_CHACHAPOLY_ENCRYPT :
432 MBEDTLS_CHACHAPOLY_DECRYPT ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]433 }
434 else
435#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
436 {
437 ( void ) nonce;
438 ( void ) nonce_length;
439
440 return ( PSA_ERROR_NOT_SUPPORTED );
441 }
442
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]443 return( status );
444}
445 /* Declare the lengths of the message and additional data for AEAD. */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]446psa_status_t mbedtls_psa_aead_set_lengths( mbedtls_psa_aead_operation_t
447 *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]448 size_t ad_length,
449 size_t plaintext_length )
450{
451
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]452#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
453 if( operation->alg == PSA_ALG_GCM )
454 {
Paul Elliottef29e172021-05-10 19:33:03 +0100[diff] [blame]455 /* Lengths can only be too large for GCM if size_t is bigger than 32
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame^]456 * bits. Without th
457 e guard this code will generate warnings on 32bit builds*/
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]458#if SIZE_MAX > UINT32_MAX
459 if( ( (uint64_t) ad_length ) >> 61 != 0 ||
460 ( (uint64_t) plaintext_length ) > 0xFFFFFFFE0ull )
461 {
462 return ( PSA_ERROR_INVALID_ARGUMENT );
463 }
464#endif
465 }
466 else
467#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
468#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
469 if( operation->alg == PSA_ALG_CCM )
470 {
471 if( ad_length > 0xFF00 )
472 {
473 return ( PSA_ERROR_INVALID_ARGUMENT );
474 }
475 }
476 else
477#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
478#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
479 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
480 {
481 /* No length restrictions for ChaChaPoly. */
482 }
483 else
484#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
485 {
486 ( void ) ad_length;
487 ( void ) plaintext_length;
488
489 return ( PSA_ERROR_NOT_SUPPORTED );
490 }
491
492 operation->ad_remaining = ad_length;
493 operation->body_remaining = plaintext_length;
494 operation->lengths_set = 1;
495
496 return ( PSA_SUCCESS );
497}
498
499/* Pass additional data to an active multipart AEAD operation. */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]500psa_status_t mbedtls_psa_aead_update_ad( mbedtls_psa_aead_operation_t
501 *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]502 const uint8_t *input,
503 size_t input_length )
504{
505 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
506
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]507 if( operation->lengths_set )
508 {
509 if ( operation->ad_remaining < input_length )
510 {
511 return( PSA_ERROR_INVALID_ARGUMENT );
512 }
513
514 operation->ad_remaining -= input_length;
515 }
516
517#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
518 if( operation->alg == PSA_ALG_GCM )
519 {
520 if( !operation->lengths_set || operation->ad_started )
521 {
522 return( PSA_ERROR_BAD_STATE );
523 }
524
525 /* GCM currently requires all the additional data to be passed in in
526 * one contigious buffer, so until that is re-done, we have to enforce
527 * this, as we cannot allocate a buffer to collate multiple calls into.
528 */
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]529 if( operation->ad_remaining != 0 )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]530 {
531 return ( PSA_ERROR_INVALID_ARGUMENT );
532 }
533
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]534 status = mbedtls_to_psa_error(
535 mbedtls_gcm_starts( &operation->ctx.gcm,
536 operation->is_encrypt ?
537 MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
538 operation->nonce,
539 operation->nonce_length,
540 input,
541 input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]542
543 }
544 else
545#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
546#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
547 if( operation->alg == PSA_ALG_CCM )
548 {
549 /* CCM requires all additional data to be passed in in one go at the
550 minute, as we are basically operating in oneshot mode. */
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]551 if( operation->ad_started )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]552 {
553 return( PSA_ERROR_BAD_STATE );
554 }
555
556 /* Save the additional data for later, this will be passed in
557 when we have the body. */
558 operation->ad_buffer = ( uint8_t * ) mbedtls_calloc(1, input_length );
559
560 if( operation->ad_buffer )
561 {
562 memcpy( operation->ad_buffer, input, input_length );
563 operation->ad_length = input_length;
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]564 status = PSA_SUCCESS;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]565 }
566 else
567 {
568 return ( PSA_ERROR_INSUFFICIENT_MEMORY );
569 }
570 }
571 else
572#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
573#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
574 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
575 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]576 status = mbedtls_to_psa_error(
577 mbedtls_chachapoly_update_aad( &operation->ctx.chachapoly,
578 input,
579 input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]580 }
581 else
582#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
583 {
584 (void) input;
585 (void) input_length;
586
587 return ( PSA_ERROR_NOT_SUPPORTED );
588 }
589
590 if( status == PSA_SUCCESS )
591 {
592 operation->ad_started = 1;
593 }
594
595 return ( status );
596}
597
598/* Encrypt or decrypt a message fragment in an active multipart AEAD
599 * operation.*/
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]600psa_status_t mbedtls_psa_aead_update( mbedtls_psa_aead_operation_t *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]601 const uint8_t *input,
602 size_t input_length,
603 uint8_t *output,
604 size_t output_size,
605 size_t *output_length )
606{
607 size_t update_output_size;
608 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]609 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]610
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]611 update_output_size = input_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]612
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]613 if( PSA_AEAD_UPDATE_OUTPUT_SIZE( operation->key_type, operation->alg,
614 input_length ) > output_size )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]615 {
616 return ( PSA_ERROR_BUFFER_TOO_SMALL );
617 }
618
619 if( operation->lengths_set)
620 {
621 /* Additional data length was supplied, but not all the additional
622 data was supplied.*/
623 if( operation->ad_remaining != 0 )
624 {
625 return ( PSA_ERROR_INVALID_ARGUMENT );
626 }
627
628 /* Too much data provided. */
629 if( operation->body_remaining < input_length )
630 {
631 return ( PSA_ERROR_INVALID_ARGUMENT );
632 }
633
634 operation->body_remaining -= input_length;
635 }
636
637#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
638 if( operation->alg == PSA_ALG_GCM )
639 {
640 /* For the time being set the requirement that all of the body data
641 * must be passed in in one update, rather than deal with the complexity
642 * of non block size aligned updates. This will be fixed in 3.0 when
643 we can change the signature of the GCM multipart functions */
644 if( !operation->lengths_set || operation->body_remaining != 0 )
645 {
646 return( PSA_ERROR_BAD_STATE );
647 }
648
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]649 if( !operation->ad_started )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]650 {
651 return( PSA_ERROR_BAD_STATE );
652 }
653
654 status = mbedtls_to_psa_error( mbedtls_gcm_update( &operation->ctx.gcm,
655 input_length,
656 input,
657 output ) );
658 }
659 else
660#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
661#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
662 if( operation->alg == PSA_ALG_CCM )
663 {
664 /* CCM dooes not support multipart yet, so all the input has to be
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]665 passed in in one go. */
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]666 if( operation->body_started )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]667 {
668 return( PSA_ERROR_BAD_STATE );
669 }
670
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]671 /* Need to store tag for Finish() / Verify() */
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]672 operation->tag_buffer =
673 ( uint8_t * ) mbedtls_calloc(1, operation->tag_length );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]674
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]675 if( operation->tag_buffer )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]676 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]677
678 if( operation->is_encrypt )
679 {
680 /* Perform oneshot CCM encryption with additional data already
681 stored, as CCM does not support multipart yet.*/
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]682 status = mbedtls_to_psa_error(
683 mbedtls_ccm_encrypt_and_tag( &operation->ctx.ccm,
684 input_length,
685 operation->nonce,
686 operation->nonce_length,
687 operation->ad_buffer,
688 operation->ad_length,
689 input,
690 output,
691 operation->tag_buffer,
692 operation->tag_length ) );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]693
694 /* Even if the above operation fails, we no longer need the
695 additional data.*/
696 mbedtls_free(operation->ad_buffer);
697 operation->ad_buffer = NULL;
698 operation->ad_length = 0;
699 }
700 else
701 {
702 /* Need to back up the body data so we can do this again
703 later.*/
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]704 operation->body_buffer =
705 ( uint8_t * ) mbedtls_calloc(1, input_length );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]706
707 if( operation->body_buffer )
708 {
709 memcpy( operation->body_buffer, input, input_length );
710 operation->body_length = input_length;
711
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]712 /* this will fail, as the tag is clearly false, but will
713 write the decrypted data to the output buffer.*/
714 ret = mbedtls_ccm_auth_decrypt( &operation->ctx.ccm,
715 input_length,
716 operation->nonce,
717 operation->nonce_length,
718 operation->ad_buffer,
719 operation->ad_length,
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]720 input, output,
721 operation->tag_buffer,
722 operation->tag_length );
723
724 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
725 {
726 status = PSA_SUCCESS;
727 }
728 else
729 {
730 status = mbedtls_to_psa_error( ret );
731 }
732 }
733 else
734 {
735 status = PSA_ERROR_INSUFFICIENT_MEMORY;
736 }
737 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]738 }
739 else
740 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]741 status = PSA_ERROR_INSUFFICIENT_MEMORY;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]742 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]743 }
744 else
745#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
746#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
747 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
748 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]749 status = mbedtls_to_psa_error(
750 mbedtls_chachapoly_update( &operation->ctx.chachapoly,
751 input_length,
752 input,
753 output ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]754 }
755 else
756#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
757 {
758 (void) input;
759 (void) input_length;
760
761 return ( PSA_ERROR_NOT_SUPPORTED );
762 }
763
764 if( status == PSA_SUCCESS )
765 {
766 *output_length = update_output_size;
767 operation->body_started = 1;
768 }
769
770 return( status );
771}
772
773/* Common checks for both mbedtls_psa_aead_finish() and
774 mbedtls_psa_aead_verify() */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]775static psa_status_t mbedtls_psa_aead_finish_checks( mbedtls_psa_aead_operation_t
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]776 *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]777 size_t output_size,
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]778 size_t tag_size )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]779{
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]780 size_t finish_output_size;
781
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]782 if( operation->lengths_set )
783 {
784 if( operation->ad_remaining != 0 || operation->body_remaining != 0 )
785 {
786 return( PSA_ERROR_BAD_STATE );
787 }
788 }
789
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]790 if( tag_size < operation->tag_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]791 {
792 return ( PSA_ERROR_BUFFER_TOO_SMALL );
793 }
794
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]795 if( operation->is_encrypt )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]796 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]797 finish_output_size =
798 PSA_AEAD_FINISH_OUTPUT_SIZE( operation->key_type,
799 operation->alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]800 }
801 else
802 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]803 finish_output_size =
804 PSA_AEAD_VERIFY_OUTPUT_SIZE( operation->key_type,
805 operation->alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]806 }
807
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]808 if( output_size < finish_output_size )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]809 {
810 return ( PSA_ERROR_BUFFER_TOO_SMALL );
811 }
812
813 return ( PSA_SUCCESS );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]814}
815
816/* Finish encrypting a message in a multipart AEAD operation. */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]817psa_status_t mbedtls_psa_aead_finish( mbedtls_psa_aead_operation_t *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]818 uint8_t *ciphertext,
819 size_t ciphertext_size,
820 size_t *ciphertext_length,
821 uint8_t *tag,
822 size_t tag_size,
823 size_t *tag_length )
824{
825 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]826 size_t finish_output_size = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]827
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]828 status = mbedtls_psa_aead_finish_checks( operation, ciphertext_size,
829 tag_size );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]830
831 if( status != PSA_SUCCESS )
832 {
833 return status;
834 }
835
836#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
837 if( operation->alg == PSA_ALG_GCM )
838 {
839 /* We will need to do final GCM pass in here when multipart is done. */
840 status = mbedtls_to_psa_error( mbedtls_gcm_finish( &operation->ctx.gcm,
841 tag,
842 tag_size ) );
843 }
844 else
845#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
846#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
847 if( operation->alg == PSA_ALG_CCM )
848 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]849 /* Copy the previously generated tag into place */
850 memcpy( tag, operation->tag_buffer, operation->tag_length );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]851
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]852 mbedtls_free(operation->tag_buffer);
853 operation->tag_buffer = NULL;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]854
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]855 status = PSA_SUCCESS;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]856 }
857 else
858#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
859#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
860 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
861 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]862 status = mbedtls_to_psa_error(
863 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
864 tag ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]865 }
866 else
867#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
868 {
869 ( void ) ciphertext;
870 ( void ) ciphertext_size;
871 ( void ) ciphertext_length;
872 ( void ) tag;
873 ( void ) tag_size;
874 ( void ) tag_length;
875
876 return ( PSA_ERROR_NOT_SUPPORTED );
877 }
878
879 if( status == PSA_SUCCESS )
880 {
881 *ciphertext_length = finish_output_size;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]882 *tag_length = operation->tag_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]883 }
884
885 mbedtls_psa_aead_abort(operation);
886
887 return ( status );
888}
889
890/* Finish authenticating and decrypting a message in a multipart AEAD
891 * operation.*/
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]892psa_status_t mbedtls_psa_aead_verify( mbedtls_psa_aead_operation_t *operation,
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]893 uint8_t *plaintext,
894 size_t plaintext_size,
895 size_t *plaintext_length,
896 const uint8_t *tag,
897 size_t tag_length )
898{
899 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
900 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
901
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]902 uint8_t * temp_buffer;
903 size_t temp_buffer_size;
904
905 size_t finish_output_size = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]906
907 int do_tag_check = 1;
908 uint8_t check_tag[16];
909
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]910 status = mbedtls_psa_aead_finish_checks( operation, plaintext_size,
911 tag_length );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]912
913 if( status != PSA_SUCCESS )
914 {
915 return status;
916 }
917
918#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
919 if( operation->alg == PSA_ALG_GCM )
920 {
921 /* Call finish to get the tag for comparison */
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]922 status = mbedtls_to_psa_error(
923 mbedtls_gcm_finish( &operation->ctx.gcm,
924 check_tag,
925 operation->tag_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]926 }
927 else
928#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
929#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
930 if( operation->alg == PSA_ALG_CCM )
931 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]932 if( !operation->ad_buffer || !operation->body_buffer )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]933 {
934 return( PSA_ERROR_BAD_STATE );
935 }
936
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]937 /* Perform oneshot CCM decryption *again*, as its the
938 * only way to get the tag, but this time throw away the
939 results, as verify cannot write that much data. */
940 temp_buffer_size = PSA_AEAD_UPDATE_OUTPUT_SIZE( operation->key_type,
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]941 operation->alg,
942 operation->body_length
943 );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]944
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]945 temp_buffer = ( uint8_t * ) mbedtls_calloc(1, temp_buffer_size );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]946
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]947 if( temp_buffer )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]948 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]949 ret = mbedtls_ccm_auth_decrypt( &operation->ctx.ccm,
950 operation->body_length,
951 operation->nonce,
952 operation->nonce_length,
953 operation->ad_buffer,
954 operation->ad_length,
955 operation->body_buffer,
956 temp_buffer, tag, tag_length );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]957
958 if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
959 {
960 status = PSA_ERROR_INVALID_SIGNATURE;
961 }
962 else
963 {
964 status = mbedtls_to_psa_error( ret );
965 do_tag_check = 0;
966 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]967 }
968 else
969 {
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]970 status = PSA_ERROR_INSUFFICIENT_MEMORY;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]971 }
972
973 /* Even if the above operation fails, we no longer need the data */
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]974 mbedtls_free(temp_buffer);
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]975
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]976 mbedtls_free(operation->body_buffer);
977 operation->body_buffer = NULL;
978 operation->body_length = 0;
979
980 mbedtls_free(operation->tag_buffer);
981 operation->tag_buffer = NULL;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]982 }
983 else
984#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
985#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
986 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
987 {
988 // call finish to get the tag for comparison.
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]989 status = mbedtls_to_psa_error(
990 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
991 check_tag ) );
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]992
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]993 }
994 else
995#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
996 {
997 ( void ) plaintext;
998 ( void ) plaintext_size;
999 ( void ) plaintext_length;
1000 ( void ) tag;
1001 ( void ) tag_length;
1002
1003 return ( PSA_ERROR_NOT_SUPPORTED );
1004 }
1005
1006 if( status == PSA_SUCCESS )
1007 {
Paul Elliott72c10082021-04-23 19:02:16 +0100[diff] [blame]1008 *plaintext_length = finish_output_size;
1009
Paul Elliott6edb7472021-05-10 19:29:35 +0100[diff] [blame]1010 if( do_tag_check &&
1011 mbedtls_psa_safer_memcmp(tag, check_tag, tag_length) != 0 )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1012 {
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1013 status = PSA_ERROR_INVALID_SIGNATURE;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1014 }
1015 }
1016
1017 mbedtls_psa_aead_abort(operation);
1018
1019 return ( status );
1020}
1021
1022/* Abort an AEAD operation */
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]1023psa_status_t mbedtls_psa_aead_abort( mbedtls_psa_aead_operation_t *operation )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1024{
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1025 switch( operation->alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1026 {
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1027#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
1028 case PSA_ALG_CCM:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1029 mbedtls_ccm_free( &operation->ctx.ccm );
1030 break;
1031#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
1032#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
1033 case PSA_ALG_GCM:
1034 mbedtls_gcm_free( &operation->ctx.gcm );
1035 break;
1036#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
1037#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]1038 case PSA_ALG_CHACHA20_POLY1305:
1039 mbedtls_chachapoly_free( &operation->ctx.chachapoly );
1040 break;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1041#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
1042 }
1043
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]1044 operation->lengths_set = 0;
1045 operation->is_encrypt = 0;
1046 operation->ad_started = 0;
1047 operation->body_started = 0;
1048
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]1049 mbedtls_free(operation->ad_buffer);
1050 operation->ad_buffer = NULL;
1051 operation->ad_length = 0;
1052
1053 mbedtls_free(operation->body_buffer);
1054 operation->body_buffer = NULL;
1055 operation->body_length = 0;
1056
1057 mbedtls_free(operation->tag_buffer);
1058 operation->tag_buffer = NULL;
1059
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]1060 return( PSA_SUCCESS );
1061}
1062
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]1063#endif /* MBEDTLS_PSA_CRYPTO_C */
1064