396 lines
14 KiB
C
396 lines
14 KiB
C
|
/*
|
||
|
* PSA AEAD entry points
|
||
|
*/
|
||
|
/*
|
||
|
* Copyright The Mbed TLS Contributors
|
||
|
* SPDX-License-Identifier: Apache-2.0
|
||
|
*
|
||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||
|
* not use this file except in compliance with the License.
|
||
|
* You may obtain a copy of the License at
|
||
|
*
|
||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||
|
*
|
||
|
* Unless required by applicable law or agreed to in writing, software
|
||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
* See the License for the specific language governing permissions and
|
||
|
* limitations under the License.
|
||
|
*/
|
||
|
|
||
|
#include "common.h"
|
||
|
|
||
|
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||
|
|
||
|
#include "psa_crypto_aead.h"
|
||
|
#include "psa_crypto_core.h"
|
||
|
|
||
|
#include "mbedtls/ccm.h"
|
||
|
#include "mbedtls/chachapoly.h"
|
||
|
#include "mbedtls/cipher.h"
|
||
|
#include "mbedtls/gcm.h"
|
||
|
|
||
|
typedef struct
|
||
|
{
|
||
|
union {
|
||
|
unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
|
||
|
mbedtls_ccm_context ccm;
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
|
||
|
mbedtls_gcm_context gcm;
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
|
||
|
mbedtls_chachapoly_context chachapoly;
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
|
||
|
} ctx;
|
||
|
psa_algorithm_t core_alg;
|
||
|
uint8_t tag_length;
|
||
|
} aead_operation_t;
|
||
|
|
||
|
#define AEAD_OPERATION_INIT \
|
||
|
{ \
|
||
|
{ 0 }, 0, 0 \
|
||
|
}
|
||
|
|
||
|
static void psa_aead_abort_internal(aead_operation_t *operation)
|
||
|
{
|
||
|
switch (operation->core_alg) {
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
|
||
|
|
||
|
case PSA_ALG_CCM:
|
||
|
mbedtls_ccm_free(&operation->ctx.ccm);
|
||
|
break;
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
|
||
|
|
||
|
case PSA_ALG_GCM:
|
||
|
mbedtls_gcm_free(&operation->ctx.gcm);
|
||
|
break;
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
|
||
|
|
||
|
case PSA_ALG_CHACHA20_POLY1305:
|
||
|
mbedtls_chachapoly_free(&operation->ctx.chachapoly);
|
||
|
break;
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
|
||
|
}
|
||
|
}
|
||
|
|
||
|
static psa_status_t psa_aead_setup(
|
||
|
aead_operation_t *operation,
|
||
|
const psa_key_attributes_t *attributes,
|
||
|
const uint8_t *key_buffer,
|
||
|
psa_algorithm_t alg)
|
||
|
{
|
||
|
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||
|
size_t key_bits;
|
||
|
const mbedtls_cipher_info_t *cipher_info;
|
||
|
mbedtls_cipher_id_t cipher_id;
|
||
|
size_t full_tag_length = 0;
|
||
|
|
||
|
key_bits = attributes->core.bits;
|
||
|
|
||
|
cipher_info = mbedtls_cipher_info_from_psa(alg,
|
||
|
attributes->core.type, key_bits,
|
||
|
&cipher_id);
|
||
|
|
||
|
if (cipher_info == NULL) {
|
||
|
return (PSA_ERROR_NOT_SUPPORTED);
|
||
|
}
|
||
|
|
||
|
switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
|
||
|
|
||
|
case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
|
||
|
operation->core_alg = PSA_ALG_CCM;
|
||
|
full_tag_length = 16;
|
||
|
|
||
|
/* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
|
||
|
* The call to mbedtls_ccm_encrypt_and_tag or
|
||
|
* mbedtls_ccm_auth_decrypt will validate the tag length. */
|
||
|
if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->core.type) != 16) {
|
||
|
return (PSA_ERROR_INVALID_ARGUMENT);
|
||
|
}
|
||
|
|
||
|
mbedtls_ccm_init(&operation->ctx.ccm);
|
||
|
status = mbedtls_to_psa_error(
|
||
|
mbedtls_ccm_setkey(&operation->ctx.ccm, cipher_id,
|
||
|
key_buffer, (unsigned int)key_bits));
|
||
|
|
||
|
if (status != PSA_SUCCESS) {
|
||
|
return (status);
|
||
|
}
|
||
|
|
||
|
break;
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
|
||
|
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
|
||
|
|
||
|
case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
|
||
|
operation->core_alg = PSA_ALG_GCM;
|
||
|
full_tag_length = 16;
|
||
|
|
||
|
/* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
|
||
|
* The call to mbedtls_gcm_crypt_and_tag or
|
||
|
* mbedtls_gcm_auth_decrypt will validate the tag length. */
|
||
|
if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->core.type) != 16) {
|
||
|
return (PSA_ERROR_INVALID_ARGUMENT);
|
||
|
}
|
||
|
|
||
|
mbedtls_gcm_init(&operation->ctx.gcm);
|
||
|
status = mbedtls_to_psa_error(
|
||
|
mbedtls_gcm_setkey(&operation->ctx.gcm, cipher_id,
|
||
|
key_buffer, (unsigned int)key_bits));
|
||
|
|
||
|
if (status != PSA_SUCCESS) {
|
||
|
return (status);
|
||
|
}
|
||
|
|
||
|
break;
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
|
||
|
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
|
||
|
|
||
|
case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
|
||
|
operation->core_alg = PSA_ALG_CHACHA20_POLY1305;
|
||
|
full_tag_length = 16;
|
||
|
|
||
|
/* We only support the default tag length. */
|
||
|
if (alg != PSA_ALG_CHACHA20_POLY1305) {
|
||
|
return (PSA_ERROR_NOT_SUPPORTED);
|
||
|
}
|
||
|
|
||
|
mbedtls_chachapoly_init(&operation->ctx.chachapoly);
|
||
|
status = mbedtls_to_psa_error(
|
||
|
mbedtls_chachapoly_setkey(&operation->ctx.chachapoly,
|
||
|
key_buffer));
|
||
|
|
||
|
if (status != PSA_SUCCESS) {
|
||
|
return (status);
|
||
|
}
|
||
|
|
||
|
break;
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
|
||
|
|
||
|
default:
|
||
|
return (PSA_ERROR_NOT_SUPPORTED);
|
||
|
}
|
||
|
|
||
|
if (PSA_AEAD_TAG_LENGTH(attributes->core.type,
|
||
|
key_bits, alg) > full_tag_length) {
|
||
|
return (PSA_ERROR_INVALID_ARGUMENT);
|
||
|
}
|
||
|
|
||
|
operation->tag_length = PSA_AEAD_TAG_LENGTH(attributes->core.type,
|
||
|
key_bits,
|
||
|
alg);
|
||
|
|
||
|
return (PSA_SUCCESS);
|
||
|
}
|
||
|
|
||
|
psa_status_t mbedtls_psa_aead_encrypt(
|
||
|
const psa_key_attributes_t *attributes,
|
||
|
const uint8_t *key_buffer, size_t key_buffer_size,
|
||
|
psa_algorithm_t alg,
|
||
|
const uint8_t *nonce, size_t nonce_length,
|
||
|
const uint8_t *additional_data, size_t additional_data_length,
|
||
|
const uint8_t *plaintext, size_t plaintext_length,
|
||
|
uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length)
|
||
|
{
|
||
|
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||
|
aead_operation_t operation = AEAD_OPERATION_INIT;
|
||
|
uint8_t *tag;
|
||
|
(void)key_buffer_size;
|
||
|
|
||
|
status = psa_aead_setup(&operation, attributes, key_buffer, alg);
|
||
|
|
||
|
if (status != PSA_SUCCESS) {
|
||
|
goto exit;
|
||
|
}
|
||
|
|
||
|
/* For all currently supported modes, the tag is at the end of the
|
||
|
* ciphertext. */
|
||
|
if (ciphertext_size < (plaintext_length + operation.tag_length)) {
|
||
|
status = PSA_ERROR_BUFFER_TOO_SMALL;
|
||
|
goto exit;
|
||
|
}
|
||
|
|
||
|
tag = ciphertext + plaintext_length;
|
||
|
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
|
||
|
|
||
|
if (operation.core_alg == PSA_ALG_CCM) {
|
||
|
status = mbedtls_to_psa_error(
|
||
|
mbedtls_ccm_encrypt_and_tag(&operation.ctx.ccm,
|
||
|
plaintext_length,
|
||
|
nonce, nonce_length,
|
||
|
additional_data,
|
||
|
additional_data_length,
|
||
|
plaintext, ciphertext,
|
||
|
tag, operation.tag_length));
|
||
|
} else
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
|
||
|
if (operation.core_alg == PSA_ALG_GCM) {
|
||
|
status = mbedtls_to_psa_error(
|
||
|
mbedtls_gcm_crypt_and_tag(&operation.ctx.gcm,
|
||
|
MBEDTLS_GCM_ENCRYPT,
|
||
|
plaintext_length,
|
||
|
nonce, nonce_length,
|
||
|
additional_data, additional_data_length,
|
||
|
plaintext, ciphertext,
|
||
|
operation.tag_length, tag));
|
||
|
} else
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
|
||
|
if (operation.core_alg == PSA_ALG_CHACHA20_POLY1305) {
|
||
|
if (nonce_length != 12 || operation.tag_length != 16) {
|
||
|
status = PSA_ERROR_NOT_SUPPORTED;
|
||
|
goto exit;
|
||
|
}
|
||
|
|
||
|
status = mbedtls_to_psa_error(
|
||
|
mbedtls_chachapoly_encrypt_and_tag(&operation.ctx.chachapoly,
|
||
|
plaintext_length,
|
||
|
nonce,
|
||
|
additional_data,
|
||
|
additional_data_length,
|
||
|
plaintext,
|
||
|
ciphertext,
|
||
|
tag));
|
||
|
} else
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
|
||
|
{
|
||
|
(void)tag;
|
||
|
return (PSA_ERROR_NOT_SUPPORTED);
|
||
|
}
|
||
|
|
||
|
if (status == PSA_SUCCESS) {
|
||
|
*ciphertext_length = plaintext_length + operation.tag_length;
|
||
|
}
|
||
|
|
||
|
exit:
|
||
|
psa_aead_abort_internal(&operation);
|
||
|
|
||
|
return (status);
|
||
|
}
|
||
|
|
||
|
/* Locate the tag in a ciphertext buffer containing the encrypted data
|
||
|
* followed by the tag. Return the length of the part preceding the tag in
|
||
|
* *plaintext_length. This is the size of the plaintext in modes where
|
||
|
* the encrypted data has the same size as the plaintext, such as
|
||
|
* CCM and GCM. */
|
||
|
static psa_status_t psa_aead_unpadded_locate_tag(size_t tag_length,
|
||
|
const uint8_t *ciphertext,
|
||
|
size_t ciphertext_length,
|
||
|
size_t plaintext_size,
|
||
|
const uint8_t **p_tag)
|
||
|
{
|
||
|
size_t payload_length;
|
||
|
|
||
|
if (tag_length > ciphertext_length) {
|
||
|
return (PSA_ERROR_INVALID_ARGUMENT);
|
||
|
}
|
||
|
|
||
|
payload_length = ciphertext_length - tag_length;
|
||
|
|
||
|
if (payload_length > plaintext_size) {
|
||
|
return (PSA_ERROR_BUFFER_TOO_SMALL);
|
||
|
}
|
||
|
|
||
|
*p_tag = ciphertext + payload_length;
|
||
|
return (PSA_SUCCESS);
|
||
|
}
|
||
|
|
||
|
psa_status_t mbedtls_psa_aead_decrypt(
|
||
|
const psa_key_attributes_t *attributes,
|
||
|
const uint8_t *key_buffer, size_t key_buffer_size,
|
||
|
psa_algorithm_t alg,
|
||
|
const uint8_t *nonce, size_t nonce_length,
|
||
|
const uint8_t *additional_data, size_t additional_data_length,
|
||
|
const uint8_t *ciphertext, size_t ciphertext_length,
|
||
|
uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length)
|
||
|
{
|
||
|
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||
|
aead_operation_t operation = AEAD_OPERATION_INIT;
|
||
|
const uint8_t *tag = NULL;
|
||
|
(void)key_buffer_size;
|
||
|
|
||
|
status = psa_aead_setup(&operation, attributes, key_buffer, alg);
|
||
|
|
||
|
if (status != PSA_SUCCESS) {
|
||
|
goto exit;
|
||
|
}
|
||
|
|
||
|
status = psa_aead_unpadded_locate_tag(operation.tag_length,
|
||
|
ciphertext, ciphertext_length,
|
||
|
plaintext_size, &tag);
|
||
|
|
||
|
if (status != PSA_SUCCESS) {
|
||
|
goto exit;
|
||
|
}
|
||
|
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
|
||
|
|
||
|
if (operation.core_alg == PSA_ALG_CCM) {
|
||
|
status = mbedtls_to_psa_error(
|
||
|
mbedtls_ccm_auth_decrypt(&operation.ctx.ccm,
|
||
|
ciphertext_length - operation.tag_length,
|
||
|
nonce, nonce_length,
|
||
|
additional_data,
|
||
|
additional_data_length,
|
||
|
ciphertext, plaintext,
|
||
|
tag, operation.tag_length));
|
||
|
} else
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
|
||
|
if (operation.core_alg == PSA_ALG_GCM) {
|
||
|
status = mbedtls_to_psa_error(
|
||
|
mbedtls_gcm_auth_decrypt(&operation.ctx.gcm,
|
||
|
ciphertext_length - operation.tag_length,
|
||
|
nonce, nonce_length,
|
||
|
additional_data,
|
||
|
additional_data_length,
|
||
|
tag, operation.tag_length,
|
||
|
ciphertext, plaintext));
|
||
|
} else
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
|
||
|
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
|
||
|
if (operation.core_alg == PSA_ALG_CHACHA20_POLY1305) {
|
||
|
if (nonce_length != 12 || operation.tag_length != 16) {
|
||
|
status = PSA_ERROR_NOT_SUPPORTED;
|
||
|
goto exit;
|
||
|
}
|
||
|
|
||
|
status = mbedtls_to_psa_error(
|
||
|
mbedtls_chachapoly_auth_decrypt(&operation.ctx.chachapoly,
|
||
|
ciphertext_length - operation.tag_length,
|
||
|
nonce,
|
||
|
additional_data,
|
||
|
additional_data_length,
|
||
|
tag,
|
||
|
ciphertext,
|
||
|
plaintext));
|
||
|
} else
|
||
|
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
|
||
|
{
|
||
|
return (PSA_ERROR_NOT_SUPPORTED);
|
||
|
}
|
||
|
|
||
|
if (status == PSA_SUCCESS) {
|
||
|
*plaintext_length = ciphertext_length - operation.tag_length;
|
||
|
}
|
||
|
|
||
|
exit:
|
||
|
psa_aead_abort_internal(&operation);
|
||
|
|
||
|
if (status == PSA_SUCCESS) {
|
||
|
*plaintext_length = ciphertext_length - operation.tag_length;
|
||
|
}
|
||
|
|
||
|
return (status);
|
||
|
}
|
||
|
|
||
|
#endif /* MBEDTLS_PSA_CRYPTO_C */
|