TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e193ea8cb9df86586d1b90f88a8c1c97851de1cd / . / library / psa_crypto_aead.c
blob: 9dd40dd543df9106bdaaad95ce663f99c4fbf0e3 [file] [log] [blame]
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]1/*
2 * PSA AEAD entry points
3 */
4/*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21#include "common.h"
22
23#if defined(MBEDTLS_PSA_CRYPTO_C)
24
25#include "psa_crypto_aead.h"
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]26#include "psa_crypto_core.h"
27
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]28#include <string.h>
29#include "mbedtls/platform.h"
30#if !defined(MBEDTLS_PLATFORM_C)
31#define mbedtls_calloc calloc
32#define mbedtls_free free
33#endif
34
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]35#include "mbedtls/ccm.h"
36#include "mbedtls/chachapoly.h"
37#include "mbedtls/cipher.h"
38#include "mbedtls/gcm.h"
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]39#include "mbedtls/error.h"
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]40
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]41static psa_status_t psa_aead_setup(
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]42 mbedtls_psa_aead_operation_t *operation,
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]43 const psa_key_attributes_t *attributes,
44 const uint8_t *key_buffer,
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]45 size_t key_buffer_size,
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]46 psa_algorithm_t alg )
47{
48 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
49 size_t key_bits;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]50 const mbedtls_cipher_info_t *cipher_info;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]51 mbedtls_cipher_id_t cipher_id;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]52 size_t full_tag_length = 0;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]53
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]54 ( void ) key_buffer_size;
55
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]56 key_bits = attributes->core.bits;
57
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]58 cipher_info = mbedtls_cipher_info_from_psa( alg,
59 attributes->core.type, key_bits,
60 &cipher_id );
61 if( cipher_info == NULL )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]62 return( PSA_ERROR_NOT_SUPPORTED );
63
64 switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) )
65 {
66#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
67 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]68 operation->alg = PSA_ALG_CCM;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]69 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]70 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
71 * The call to mbedtls_ccm_encrypt_and_tag or
72 * mbedtls_ccm_auth_decrypt will validate the tag length. */
73 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
74 return( PSA_ERROR_INVALID_ARGUMENT );
75
76 mbedtls_ccm_init( &operation->ctx.ccm );
77 status = mbedtls_to_psa_error(
78 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
79 key_buffer, (unsigned int) key_bits ) );
80 if( status != PSA_SUCCESS )
81 return( status );
82 break;
83#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
84
85#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
86 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]87 operation->alg = PSA_ALG_GCM;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]88 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]89 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
90 * The call to mbedtls_gcm_crypt_and_tag or
91 * mbedtls_gcm_auth_decrypt will validate the tag length. */
92 if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 )
93 return( PSA_ERROR_INVALID_ARGUMENT );
94
95 mbedtls_gcm_init( &operation->ctx.gcm );
96 status = mbedtls_to_psa_error(
97 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
98 key_buffer, (unsigned int) key_bits ) );
99 if( status != PSA_SUCCESS )
100 return( status );
101 break;
102#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
103
104#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
105 case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ):
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]106 operation->alg = PSA_ALG_CHACHA20_POLY1305;
Ronald Cronecbc0682021-03-26 13:25:17 +0100[diff] [blame]107 full_tag_length = 16;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]108 /* We only support the default tag length. */
109 if( alg != PSA_ALG_CHACHA20_POLY1305 )
110 return( PSA_ERROR_NOT_SUPPORTED );
111
112 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
113 status = mbedtls_to_psa_error(
114 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
115 key_buffer ) );
116 if( status != PSA_SUCCESS )
117 return( status );
118 break;
119#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
120
121 default:
122 return( PSA_ERROR_NOT_SUPPORTED );
123 }
124
Bence Szépkútiec174e22021-03-19 18:46:15 +0100[diff] [blame]125 if( PSA_AEAD_TAG_LENGTH( attributes->core.type,
126 key_bits, alg )
127 > full_tag_length )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]128 return( PSA_ERROR_INVALID_ARGUMENT );
129
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]130 operation->key_type = psa_get_key_type( attributes );
131
132 operation->tag_length = PSA_AEAD_TAG_LENGTH( operation->key_type,
Bence Szépkútiec174e22021-03-19 18:46:15 +0100[diff] [blame]133 key_bits,
134 alg );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]135
136 return( PSA_SUCCESS );
137}
138
139psa_status_t mbedtls_psa_aead_encrypt(
140 const psa_key_attributes_t *attributes,
141 const uint8_t *key_buffer, size_t key_buffer_size,
142 psa_algorithm_t alg,
143 const uint8_t *nonce, size_t nonce_length,
144 const uint8_t *additional_data, size_t additional_data_length,
145 const uint8_t *plaintext, size_t plaintext_length,
146 uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length )
147{
148 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]149 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]150 uint8_t *tag;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]151
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]152 status = psa_aead_setup( &operation, attributes, key_buffer,
153 key_buffer_size, alg );
154
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]155 if( status != PSA_SUCCESS )
156 goto exit;
157
158 /* For all currently supported modes, the tag is at the end of the
159 * ciphertext. */
160 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
161 {
162 status = PSA_ERROR_BUFFER_TOO_SMALL;
163 goto exit;
164 }
165 tag = ciphertext + plaintext_length;
166
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]167#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]168 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]169 {
170 status = mbedtls_to_psa_error(
171 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
172 plaintext_length,
173 nonce, nonce_length,
174 additional_data,
175 additional_data_length,
176 plaintext, ciphertext,
177 tag, operation.tag_length ) );
178 }
179 else
180#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]181#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]182 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]183 {
184 status = mbedtls_to_psa_error(
185 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
186 MBEDTLS_GCM_ENCRYPT,
187 plaintext_length,
188 nonce, nonce_length,
189 additional_data, additional_data_length,
190 plaintext, ciphertext,
191 operation.tag_length, tag ) );
192 }
193 else
194#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]195#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]196 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]197 {
Paul Elliott96b01732021-07-16 17:00:26 +0100[diff] [blame]198 if( operation.tag_length != 16 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]199 {
200 status = PSA_ERROR_NOT_SUPPORTED;
201 goto exit;
202 }
203 status = mbedtls_to_psa_error(
204 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
205 plaintext_length,
206 nonce,
207 additional_data,
208 additional_data_length,
209 plaintext,
210 ciphertext,
211 tag ) );
212 }
213 else
214#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
215 {
216 (void) tag;
217 return( PSA_ERROR_NOT_SUPPORTED );
218 }
219
220 if( status == PSA_SUCCESS )
221 *ciphertext_length = plaintext_length + operation.tag_length;
222
223exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]224 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]225
226 return( status );
227}
228
229/* Locate the tag in a ciphertext buffer containing the encrypted data
230 * followed by the tag. Return the length of the part preceding the tag in
231 * *plaintext_length. This is the size of the plaintext in modes where
232 * the encrypted data has the same size as the plaintext, such as
233 * CCM and GCM. */
234static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
235 const uint8_t *ciphertext,
236 size_t ciphertext_length,
237 size_t plaintext_size,
238 const uint8_t **p_tag )
239{
240 size_t payload_length;
241 if( tag_length > ciphertext_length )
242 return( PSA_ERROR_INVALID_ARGUMENT );
243 payload_length = ciphertext_length - tag_length;
244 if( payload_length > plaintext_size )
245 return( PSA_ERROR_BUFFER_TOO_SMALL );
246 *p_tag = ciphertext + payload_length;
247 return( PSA_SUCCESS );
248}
249
250psa_status_t mbedtls_psa_aead_decrypt(
251 const psa_key_attributes_t *attributes,
252 const uint8_t *key_buffer, size_t key_buffer_size,
253 psa_algorithm_t alg,
254 const uint8_t *nonce, size_t nonce_length,
255 const uint8_t *additional_data, size_t additional_data_length,
256 const uint8_t *ciphertext, size_t ciphertext_length,
257 uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length )
258{
259 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]260 mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]261 const uint8_t *tag = NULL;
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]262
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]263 status = psa_aead_setup( &operation, attributes, key_buffer,
264 key_buffer_size, alg );
265
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]266 if( status != PSA_SUCCESS )
267 goto exit;
268
269 status = psa_aead_unpadded_locate_tag( operation.tag_length,
270 ciphertext, ciphertext_length,
271 plaintext_size, &tag );
272 if( status != PSA_SUCCESS )
273 goto exit;
274
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]275#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]276 if( operation.alg == PSA_ALG_CCM )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]277 {
278 status = mbedtls_to_psa_error(
279 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
280 ciphertext_length - operation.tag_length,
281 nonce, nonce_length,
282 additional_data,
283 additional_data_length,
284 ciphertext, plaintext,
285 tag, operation.tag_length ) );
286 }
287 else
288#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]289#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]290 if( operation.alg == PSA_ALG_GCM )
Ronald Cron810eb162021-04-06 09:01:39 +0200[diff] [blame]291 {
292 status = mbedtls_to_psa_error(
293 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
294 ciphertext_length - operation.tag_length,
295 nonce, nonce_length,
296 additional_data,
297 additional_data_length,
298 tag, operation.tag_length,
299 ciphertext, plaintext ) );
300 }
301 else
302#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]303#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott07a30c42021-04-20 14:13:23 +0100[diff] [blame]304 if( operation.alg == PSA_ALG_CHACHA20_POLY1305 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]305 {
Paul Elliottcf2d66e2021-06-23 18:49:56 +0100[diff] [blame]306 if( operation.tag_length != 16 )
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]307 {
308 status = PSA_ERROR_NOT_SUPPORTED;
309 goto exit;
310 }
311 status = mbedtls_to_psa_error(
312 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
313 ciphertext_length - operation.tag_length,
314 nonce,
315 additional_data,
316 additional_data_length,
317 tag,
318 ciphertext,
319 plaintext ) );
320 }
321 else
322#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
323 {
324 return( PSA_ERROR_NOT_SUPPORTED );
325 }
326
327 if( status == PSA_SUCCESS )
328 *plaintext_length = ciphertext_length - operation.tag_length;
329
330exit:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]331 mbedtls_psa_aead_abort( &operation );
Ronald Cron46f91782021-03-17 08:16:34 +0100[diff] [blame]332
333 if( status == PSA_SUCCESS )
334 *plaintext_length = ciphertext_length - operation.tag_length;
335 return( status );
336}
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]337
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]338/* Set the key and algorithm for a multipart authenticated encryption
339 * operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]340psa_status_t mbedtls_psa_aead_encrypt_setup(
341 mbedtls_psa_aead_operation_t *operation,
342 const psa_key_attributes_t *attributes,
343 const uint8_t *key_buffer,
344 size_t key_buffer_size,
345 psa_algorithm_t alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]346{
Paul Elliott9e8ccd72021-05-13 14:30:53 +0100[diff] [blame]347 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]348
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]349 status = psa_aead_setup( operation, attributes, key_buffer,
350 key_buffer_size, alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]351
352 if( status == PSA_SUCCESS )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]353 operation->is_encrypt = 1;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]354
355 return ( status );
356}
357
358/* Set the key and algorithm for a multipart authenticated decryption
359 * operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]360psa_status_t mbedtls_psa_aead_decrypt_setup(
361 mbedtls_psa_aead_operation_t *operation,
362 const psa_key_attributes_t *attributes,
363 const uint8_t *key_buffer,
364 size_t key_buffer_size,
365 psa_algorithm_t alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]366{
Paul Elliott9e8ccd72021-05-13 14:30:53 +0100[diff] [blame]367 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]368
Paul Elliottcc358592021-05-12 12:22:28 +0100[diff] [blame]369 status = psa_aead_setup( operation, attributes, key_buffer,
370 key_buffer_size, alg );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]371
372 if( status == PSA_SUCCESS )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]373 operation->is_encrypt = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]374
375 return ( status );
376}
377
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]378/* Set a nonce for the multipart AEAD operation*/
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]379psa_status_t mbedtls_psa_aead_set_nonce(
380 mbedtls_psa_aead_operation_t *operation,
381 const uint8_t *nonce,
382 size_t nonce_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]383{
Paul Elliott9e8ccd72021-05-13 14:30:53 +0100[diff] [blame]384 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]385
Paul Elliottbc949782021-06-03 15:29:00 +0100[diff] [blame]386#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]387 if( operation->alg == PSA_ALG_GCM )
388 {
Paul Elliott83f09ef2021-05-21 19:28:26 +0100[diff] [blame]389 status = mbedtls_to_psa_error(
390 mbedtls_gcm_starts( &operation->ctx.gcm,
391 operation->is_encrypt ?
392 MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
393 nonce,
394 nonce_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]395 }
396 else
397#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliotte193ea82021-10-01 13:00:16 +0100[diff] [blame^]398#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
399 if( operation->alg == PSA_ALG_CCM )
400 {
401 status = mbedtls_to_psa_error(
402 mbedtls_ccm_starts( &operation->ctx.ccm,
403 operation->is_encrypt ?
404 MBEDTLS_CCM_ENCRYPT : MBEDTLS_CCM_DECRYPT,
405 nonce,
406 nonce_length ) );
407 }
408 else
409#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]410#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
411 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
412 {
Paul Elliott946c9202021-09-28 14:32:55 +0100[diff] [blame]413 /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
414 * allocate a buffer in the operation, copy the nonce to it and pad
415 * it, so for now check the nonce is 12 bytes, as
416 * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
417 * passed in buffer. */
418 if( nonce_length != 12 )
419 {
420 return( PSA_ERROR_INVALID_ARGUMENT );
421 }
422
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]423 status = mbedtls_to_psa_error(
424 mbedtls_chachapoly_starts( &operation->ctx.chachapoly,
425 nonce,
426 operation->is_encrypt ?
427 MBEDTLS_CHACHAPOLY_ENCRYPT :
428 MBEDTLS_CHACHAPOLY_DECRYPT ) );
Paul Elliottefda3402021-08-25 17:16:52 +0100[diff] [blame]429 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]430 else
431#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
432 {
433 ( void ) nonce;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]434
435 return ( PSA_ERROR_NOT_SUPPORTED );
436 }
437
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]438 return( status );
439}
Paul Elliottefda3402021-08-25 17:16:52 +0100[diff] [blame]440
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100[diff] [blame]441 /* Declare the lengths of the message and additional data for AEAD. */
442psa_status_t mbedtls_psa_aead_set_lengths(
443 mbedtls_psa_aead_operation_t *operation,
444 size_t ad_length,
445 size_t plaintext_length )
446{
Paul Elliotte193ea82021-10-01 13:00:16 +0100[diff] [blame^]447
448#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
449 if( operation->alg == PSA_ALG_CCM )
450 {
451 return( mbedtls_to_psa_error(
452 mbedtls_ccm_set_lengths( &operation->ctx.ccm,
453 ad_length,
454 plaintext_length,
455 operation->tag_length ) ) );
456
457 }
458#else /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100[diff] [blame]459 ( void ) operation;
460 ( void ) ad_length;
461 ( void ) plaintext_length;
Paul Elliotte193ea82021-10-01 13:00:16 +0100[diff] [blame^]462#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100[diff] [blame]463
Paul Elliottdff6c5d2021-09-28 11:00:20 +0100[diff] [blame]464 return ( PSA_SUCCESS );
465}
466
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]467/* Pass additional data to an active multipart AEAD operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]468psa_status_t mbedtls_psa_aead_update_ad(
469 mbedtls_psa_aead_operation_t *operation,
470 const uint8_t *input,
471 size_t input_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]472{
473 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
474
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]475#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
476 if( operation->alg == PSA_ALG_GCM )
477 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]478 status = mbedtls_to_psa_error(
Paul Elliott83f09ef2021-05-21 19:28:26 +0100[diff] [blame]479 mbedtls_gcm_update_ad( &operation->ctx.gcm, input, input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]480 }
481 else
482#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliotte193ea82021-10-01 13:00:16 +0100[diff] [blame^]483#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
484 if( operation->alg == PSA_ALG_CCM )
485 {
486 status = mbedtls_to_psa_error(
487 mbedtls_ccm_update_ad( &operation->ctx.ccm, input, input_length ) );
488 }
489 else
490#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]491#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
492 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
493 {
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]494 status = mbedtls_to_psa_error(
495 mbedtls_chachapoly_update_aad( &operation->ctx.chachapoly,
496 input,
497 input_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]498 }
499 else
500#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
501 {
Paul Elliottbc949782021-06-03 15:29:00 +0100[diff] [blame]502 ( void ) operation;
503 ( void ) input;
504 ( void ) input_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]505
506 return ( PSA_ERROR_NOT_SUPPORTED );
507 }
508
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]509 return ( status );
510}
511
512/* Encrypt or decrypt a message fragment in an active multipart AEAD
513 * operation.*/
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]514psa_status_t mbedtls_psa_aead_update(
515 mbedtls_psa_aead_operation_t *operation,
516 const uint8_t *input,
517 size_t input_length,
518 uint8_t *output,
519 size_t output_size,
520 size_t *output_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]521{
Paul Elliotte2c788d2021-05-13 17:16:01 +0100[diff] [blame]522 size_t update_output_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]523 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
524
Paul Elliotte2c788d2021-05-13 17:16:01 +0100[diff] [blame]525 update_output_length = input_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]526
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]527#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
528 if( operation->alg == PSA_ALG_GCM )
529 {
Paul Elliottecce9012021-07-23 15:44:11 +0100[diff] [blame]530 if( output_size < input_length )
531 return( PSA_ERROR_BUFFER_TOO_SMALL );
532
Paul Elliott83f09ef2021-05-21 19:28:26 +0100[diff] [blame]533 status = mbedtls_to_psa_error(
534 mbedtls_gcm_update( &operation->ctx.gcm,
535 input, input_length,
536 output, output_size,
537 &update_output_length ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]538 }
539 else
540#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliotte193ea82021-10-01 13:00:16 +0100[diff] [blame^]541#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
542 if( operation->alg == PSA_ALG_CCM )
543 {
544 if( output_size < input_length )
545 return( PSA_ERROR_BUFFER_TOO_SMALL );
546
547 status = mbedtls_to_psa_error(
548 mbedtls_ccm_update( &operation->ctx.ccm,
549 input, input_length,
550 output, output_size,
551 &update_output_length ) );
552 }
553 else
554#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]555#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
556 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
557 {
Paul Elliottecce9012021-07-23 15:44:11 +0100[diff] [blame]558 if( output_size < input_length )
559 return( PSA_ERROR_BUFFER_TOO_SMALL );
560
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]561 status = mbedtls_to_psa_error(
562 mbedtls_chachapoly_update( &operation->ctx.chachapoly,
563 input_length,
564 input,
565 output ) );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]566 }
567 else
568#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
569 {
Paul Elliottbc949782021-06-03 15:29:00 +0100[diff] [blame]570 ( void ) input;
571 ( void ) input_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]572
573 return ( PSA_ERROR_NOT_SUPPORTED );
574 }
575
576 if( status == PSA_SUCCESS )
Paul Elliotte2c788d2021-05-13 17:16:01 +0100[diff] [blame]577 *output_length = update_output_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]578
579 return( status );
580}
581
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]582/* Finish encrypting a message in a multipart AEAD operation. */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]583psa_status_t mbedtls_psa_aead_finish(
584 mbedtls_psa_aead_operation_t *operation,
585 uint8_t *ciphertext,
586 size_t ciphertext_size,
587 size_t *ciphertext_length,
588 uint8_t *tag,
589 size_t tag_size,
590 size_t *tag_length )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]591{
592 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]593 size_t finish_output_size = 0;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]594
Paul Elliott315628d2021-07-20 18:25:54 +0100[diff] [blame]595 if( tag_size < operation->tag_length )
596 return( PSA_ERROR_BUFFER_TOO_SMALL );
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]597
598#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
599 if( operation->alg == PSA_ALG_GCM )
Paul Elliottecce9012021-07-23 15:44:11 +0100[diff] [blame]600 {
601 if( ciphertext_size < 15 )
602 return( PSA_ERROR_BUFFER_TOO_SMALL );
603
Paul Elliott83f09ef2021-05-21 19:28:26 +0100[diff] [blame]604 status = mbedtls_to_psa_error(
605 mbedtls_gcm_finish( &operation->ctx.gcm,
Paul Elliott71b05672021-09-24 11:18:13 +0100[diff] [blame]606 ciphertext, ciphertext_size, ciphertext_length,
Paul Elliott2fe5db82021-07-22 18:10:43 +0100[diff] [blame]607 tag, operation->tag_length ) );
Paul Elliottecce9012021-07-23 15:44:11 +0100[diff] [blame]608 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]609 else
610#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
Paul Elliotte193ea82021-10-01 13:00:16 +0100[diff] [blame^]611#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
612 if( operation->alg == PSA_ALG_CCM )
613 {
614 /* tag must be big enough to store a tag of size passed into set
615 * lengths. */
616 if( tag_size < operation->tag_length )
617 return( PSA_ERROR_BUFFER_TOO_SMALL );
618
619 status = mbedtls_to_psa_error(
620 mbedtls_ccm_finish( &operation->ctx.ccm,
621 tag, operation->tag_length ) );
622 }
623 else
624#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]625#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
626 if( operation->alg == PSA_ALG_CHACHA20_POLY1305 )
Paul Elliotted08cf82021-07-22 18:48:24 +0100[diff] [blame]627 {
628 /* Belt and braces. Although the above tag_size check should have
629 * already done this, if we later start supporting smaller tag sizes
630 * for chachapoly, then passing a tag buffer smaller than 16 into here
631 * could cause a buffer overflow, so better safe than sorry. */
632 if( tag_size < 16 )
633 return( PSA_ERROR_BUFFER_TOO_SMALL );
634
Paul Elliott2df40052021-05-07 17:52:18 +0100[diff] [blame]635 status = mbedtls_to_psa_error(
Paul Elliott83f09ef2021-05-21 19:28:26 +0100[diff] [blame]636 mbedtls_chachapoly_finish( &operation->ctx.chachapoly,
637 tag ) );
Paul Elliotted08cf82021-07-22 18:48:24 +0100[diff] [blame]638 }
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]639 else
640#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
641 {
642 ( void ) ciphertext;
643 ( void ) ciphertext_size;
644 ( void ) ciphertext_length;
645 ( void ) tag;
646 ( void ) tag_size;
647 ( void ) tag_length;
648
649 return ( PSA_ERROR_NOT_SUPPORTED );
650 }
651
652 if( status == PSA_SUCCESS )
653 {
Paul Elliott8ff74212021-09-19 18:39:23 +0100[diff] [blame]654 /* This will be zero for all supported algorithms currently, but left
655 * here for future support. */
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]656 *ciphertext_length = finish_output_size;
Paul Elliottfd3ca242021-04-25 18:10:42 +0100[diff] [blame]657 *tag_length = operation->tag_length;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]658 }
659
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]660 return ( status );
661}
662
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]663/* Abort an AEAD operation */
Paul Elliottbb8bf662021-05-19 17:29:42 +0100[diff] [blame]664psa_status_t mbedtls_psa_aead_abort(
665 mbedtls_psa_aead_operation_t *operation )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]666{
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]667 switch( operation->alg )
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]668 {
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]669#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
670 case PSA_ALG_CCM:
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]671 mbedtls_ccm_free( &operation->ctx.ccm );
672 break;
673#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
674#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
675 case PSA_ALG_GCM:
676 mbedtls_gcm_free( &operation->ctx.gcm );
677 break;
678#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
679#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
Paul Elliott811d8d42021-04-22 11:31:14 +0100[diff] [blame]680 case PSA_ALG_CHACHA20_POLY1305:
681 mbedtls_chachapoly_free( &operation->ctx.chachapoly );
682 break;
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]683#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
684 }
685
Paul Elliottcbbde5f2021-05-10 18:19:46 +0100[diff] [blame]686 operation->is_encrypt = 0;
Paul Elliott1a98aca2021-05-20 18:24:07 +0100[diff] [blame]687
Paul Elliottadb8b162021-04-20 16:06:57 +0100[diff] [blame]688 return( PSA_SUCCESS );
689}
690
Ronald Cron7ceee8d2021-03-17 16:55:43 +0100[diff] [blame]691#endif /* MBEDTLS_PSA_CRYPTO_C */
692