diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 0863901f1..eb6fae0c6 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3509,222 +3509,6 @@ psa_status_t psa_cipher_abort( psa_cipher_operation_t *operation ) /* AEAD */ /****************************************************************/ -typedef struct -{ - const mbedtls_cipher_info_t *cipher_info; - union - { - unsigned dummy; /* Make the union non-empty even with no supported algorithms. */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) - mbedtls_ccm_context ccm; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) - mbedtls_gcm_context gcm; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) - mbedtls_chachapoly_context chachapoly; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ - } ctx; - psa_algorithm_t core_alg; - uint8_t full_tag_length; - uint8_t tag_length; -} aead_operation_t; - -#define AEAD_OPERATION_INIT {0, {0}, 0, 0, 0} - -static void psa_aead_abort_internal( aead_operation_t *operation ) -{ - switch( operation->core_alg ) - { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) - case PSA_ALG_CCM: - mbedtls_ccm_free( &operation->ctx.ccm ); - break; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) - case PSA_ALG_GCM: - mbedtls_gcm_free( &operation->ctx.gcm ); - break; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ - } -} - -static psa_status_t psa_aead_setup( - aead_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - psa_algorithm_t alg ) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - size_t key_bits; - mbedtls_cipher_id_t cipher_id; - - key_bits = attributes->core.bits; - - operation->cipher_info = - mbedtls_cipher_info_from_psa( alg, attributes->core.type, key_bits, - &cipher_id ); - if( operation->cipher_info == NULL ) - return( PSA_ERROR_NOT_SUPPORTED ); - - switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) ) - { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) - case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ): - operation->core_alg = PSA_ALG_CCM; - operation->full_tag_length = 16; - /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16. - * The call to mbedtls_ccm_encrypt_and_tag or - * mbedtls_ccm_auth_decrypt will validate the tag length. */ - if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 ) - return( PSA_ERROR_INVALID_ARGUMENT ); - - mbedtls_ccm_init( &operation->ctx.ccm ); - status = mbedtls_to_psa_error( - mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id, - key_buffer, (unsigned int) key_bits ) ); - if( status != PSA_SUCCESS ) - return( status ); - break; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) - case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ): - operation->core_alg = PSA_ALG_GCM; - operation->full_tag_length = 16; - /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. - * The call to mbedtls_gcm_crypt_and_tag or - * mbedtls_gcm_auth_decrypt will validate the tag length. */ - if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 ) - return( PSA_ERROR_INVALID_ARGUMENT ); - - mbedtls_gcm_init( &operation->ctx.gcm ); - status = mbedtls_to_psa_error( - mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id, - key_buffer, (unsigned int) key_bits ) ); - if( status != PSA_SUCCESS ) - return( status ); - break; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) - case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ): - operation->core_alg = PSA_ALG_CHACHA20_POLY1305; - operation->full_tag_length = 16; - /* We only support the default tag length. */ - if( alg != PSA_ALG_CHACHA20_POLY1305 ) - return( PSA_ERROR_NOT_SUPPORTED ); - - mbedtls_chachapoly_init( &operation->ctx.chachapoly ); - status = mbedtls_to_psa_error( - mbedtls_chachapoly_setkey( &operation->ctx.chachapoly, - key_buffer ) ); - if( status != PSA_SUCCESS ) - return( status ); - break; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ - - default: - return( PSA_ERROR_NOT_SUPPORTED ); - } - - if( PSA_AEAD_TAG_LENGTH( alg ) > operation->full_tag_length ) - return( PSA_ERROR_INVALID_ARGUMENT ); - - operation->tag_length = PSA_AEAD_TAG_LENGTH( alg ); - - return( PSA_SUCCESS ); -} - -static psa_status_t psa_aead_encrypt_internal( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *nonce, size_t nonce_length, - const uint8_t *additional_data, size_t additional_data_length, - const uint8_t *plaintext, size_t plaintext_length, - uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length ) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - aead_operation_t operation = AEAD_OPERATION_INIT; - uint8_t *tag; - (void) key_buffer_size; - - status = psa_aead_setup( &operation, attributes, key_buffer, alg ); - if( status != PSA_SUCCESS ) - goto exit; - - /* For all currently supported modes, the tag is at the end of the - * ciphertext. */ - if( ciphertext_size < ( plaintext_length + operation.tag_length ) ) - { - status = PSA_ERROR_BUFFER_TOO_SMALL; - goto exit; - } - tag = ciphertext + plaintext_length; - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) - if( operation.core_alg == PSA_ALG_GCM ) - { - status = mbedtls_to_psa_error( - mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm, - MBEDTLS_GCM_ENCRYPT, - plaintext_length, - nonce, nonce_length, - additional_data, additional_data_length, - plaintext, ciphertext, - operation.tag_length, tag ) ); - } - else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) - if( operation.core_alg == PSA_ALG_CCM ) - { - status = mbedtls_to_psa_error( - mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm, - plaintext_length, - nonce, nonce_length, - additional_data, - additional_data_length, - plaintext, ciphertext, - tag, operation.tag_length ) ); - } - else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) - if( operation.core_alg == PSA_ALG_CHACHA20_POLY1305 ) - { - if( nonce_length != 12 || operation.tag_length != 16 ) - { - status = PSA_ERROR_NOT_SUPPORTED; - goto exit; - } - status = mbedtls_to_psa_error( - mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly, - plaintext_length, - nonce, - additional_data, - additional_data_length, - plaintext, - ciphertext, - tag ) ); - } - else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ - { - (void) tag; - return( PSA_ERROR_NOT_SUPPORTED ); - } - - if( status == PSA_SUCCESS ) - *ciphertext_length = plaintext_length + operation.tag_length; - -exit: - psa_aead_abort_internal( &operation ); - - return( status ); -} - psa_status_t psa_aead_encrypt( mbedtls_svc_key_id_t key, psa_algorithm_t alg, const uint8_t *nonce, @@ -3751,7 +3535,7 @@ psa_status_t psa_aead_encrypt( mbedtls_svc_key_id_t key, .core = slot->attr }; - status = psa_aead_encrypt_internal( + status = mbedtls_psa_aead_encrypt( &attributes, slot->key.data, slot->key.bytes, alg, nonce, nonce_length, @@ -3767,114 +3551,6 @@ psa_status_t psa_aead_encrypt( mbedtls_svc_key_id_t key, return( status ); } -/* Locate the tag in a ciphertext buffer containing the encrypted data - * followed by the tag. Return the length of the part preceding the tag in - * *plaintext_length. This is the size of the plaintext in modes where - * the encrypted data has the same size as the plaintext, such as - * CCM and GCM. */ -static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length, - const uint8_t *ciphertext, - size_t ciphertext_length, - size_t plaintext_size, - const uint8_t **p_tag ) -{ - size_t payload_length; - if( tag_length > ciphertext_length ) - return( PSA_ERROR_INVALID_ARGUMENT ); - payload_length = ciphertext_length - tag_length; - if( payload_length > plaintext_size ) - return( PSA_ERROR_BUFFER_TOO_SMALL ); - *p_tag = ciphertext + payload_length; - return( PSA_SUCCESS ); -} - -static psa_status_t psa_aead_decrypt_internal( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *nonce, size_t nonce_length, - const uint8_t *additional_data, size_t additional_data_length, - const uint8_t *ciphertext, size_t ciphertext_length, - uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length ) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - aead_operation_t operation = AEAD_OPERATION_INIT; - const uint8_t *tag = NULL; - (void) key_buffer_size; - - status = psa_aead_setup( &operation, attributes, key_buffer, alg ); - if( status != PSA_SUCCESS ) - goto exit; - - status = psa_aead_unpadded_locate_tag( operation.tag_length, - ciphertext, ciphertext_length, - plaintext_size, &tag ); - if( status != PSA_SUCCESS ) - goto exit; - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) - if( operation.core_alg == PSA_ALG_GCM ) - { - status = mbedtls_to_psa_error( - mbedtls_gcm_auth_decrypt( &operation.ctx.gcm, - ciphertext_length - operation.tag_length, - nonce, nonce_length, - additional_data, - additional_data_length, - tag, operation.tag_length, - ciphertext, plaintext ) ); - } - else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) - if( operation.core_alg == PSA_ALG_CCM ) - { - status = mbedtls_to_psa_error( - mbedtls_ccm_auth_decrypt( &operation.ctx.ccm, - ciphertext_length - operation.tag_length, - nonce, nonce_length, - additional_data, - additional_data_length, - ciphertext, plaintext, - tag, operation.tag_length ) ); - } - else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) - if( operation.core_alg == PSA_ALG_CHACHA20_POLY1305 ) - { - if( nonce_length != 12 || operation.tag_length != 16 ) - { - status = PSA_ERROR_NOT_SUPPORTED; - goto exit; - } - status = mbedtls_to_psa_error( - mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly, - ciphertext_length - operation.tag_length, - nonce, - additional_data, - additional_data_length, - tag, - ciphertext, - plaintext ) ); - } - else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ - { - return( PSA_ERROR_NOT_SUPPORTED ); - } - - if( status == PSA_SUCCESS ) - *plaintext_length = ciphertext_length - operation.tag_length; - -exit: - psa_aead_abort_internal( &operation ); - - if( status == PSA_SUCCESS ) - *plaintext_length = ciphertext_length - operation.tag_length; - return( status ); -} - psa_status_t psa_aead_decrypt( mbedtls_svc_key_id_t key, psa_algorithm_t alg, const uint8_t *nonce, @@ -3901,7 +3577,7 @@ psa_status_t psa_aead_decrypt( mbedtls_svc_key_id_t key, .core = slot->attr }; - status = psa_aead_decrypt_internal( + status = mbedtls_psa_aead_decrypt( &attributes, slot->key.data, slot->key.bytes, alg, nonce, nonce_length, @@ -3917,8 +3593,6 @@ psa_status_t psa_aead_decrypt( mbedtls_svc_key_id_t key, return( status ); } - - /****************************************************************/ /* Generators */ /****************************************************************/ diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c index f45353344..18ea17667 100644 --- a/library/psa_crypto_aead.c +++ b/library/psa_crypto_aead.c @@ -23,6 +23,336 @@ #if defined(MBEDTLS_PSA_CRYPTO_C) #include "psa_crypto_aead.h" +#include "psa_crypto_core.h" + +#include "mbedtls/ccm.h" +#include "mbedtls/chachapoly.h" +#include "mbedtls/cipher.h" +#include "mbedtls/gcm.h" + +typedef struct +{ + const mbedtls_cipher_info_t *cipher_info; + union + { + unsigned dummy; /* Make the union non-empty even with no supported algorithms. */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) + mbedtls_ccm_context ccm; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) + mbedtls_gcm_context gcm; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) + mbedtls_chachapoly_context chachapoly; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ + } ctx; + psa_algorithm_t core_alg; + uint8_t full_tag_length; + uint8_t tag_length; +} aead_operation_t; + +#define AEAD_OPERATION_INIT {0, {0}, 0, 0, 0} + +static void psa_aead_abort_internal( aead_operation_t *operation ) +{ + switch( operation->core_alg ) + { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) + case PSA_ALG_CCM: + mbedtls_ccm_free( &operation->ctx.ccm ); + break; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) + case PSA_ALG_GCM: + mbedtls_gcm_free( &operation->ctx.gcm ); + break; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ + } +} + +static psa_status_t psa_aead_setup( + aead_operation_t *operation, + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + psa_algorithm_t alg ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t key_bits; + mbedtls_cipher_id_t cipher_id; + + key_bits = attributes->core.bits; + + operation->cipher_info = + mbedtls_cipher_info_from_psa( alg, attributes->core.type, key_bits, + &cipher_id ); + if( operation->cipher_info == NULL ) + return( PSA_ERROR_NOT_SUPPORTED ); + + switch( PSA_ALG_AEAD_WITH_SHORTENED_TAG( alg, 0 ) ) + { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) + case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ): + operation->core_alg = PSA_ALG_CCM; + operation->full_tag_length = 16; + /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16. + * The call to mbedtls_ccm_encrypt_and_tag or + * mbedtls_ccm_auth_decrypt will validate the tag length. */ + if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + mbedtls_ccm_init( &operation->ctx.ccm ); + status = mbedtls_to_psa_error( + mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id, + key_buffer, (unsigned int) key_bits ) ); + if( status != PSA_SUCCESS ) + return( status ); + break; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) + case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 0 ): + operation->core_alg = PSA_ALG_GCM; + operation->full_tag_length = 16; + /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. + * The call to mbedtls_gcm_crypt_and_tag or + * mbedtls_gcm_auth_decrypt will validate the tag length. */ + if( PSA_BLOCK_CIPHER_BLOCK_LENGTH( attributes->core.type ) != 16 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + mbedtls_gcm_init( &operation->ctx.gcm ); + status = mbedtls_to_psa_error( + mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id, + key_buffer, (unsigned int) key_bits ) ); + if( status != PSA_SUCCESS ) + return( status ); + break; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) + case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CHACHA20_POLY1305, 0 ): + operation->core_alg = PSA_ALG_CHACHA20_POLY1305; + operation->full_tag_length = 16; + /* We only support the default tag length. */ + if( alg != PSA_ALG_CHACHA20_POLY1305 ) + return( PSA_ERROR_NOT_SUPPORTED ); + + mbedtls_chachapoly_init( &operation->ctx.chachapoly ); + status = mbedtls_to_psa_error( + mbedtls_chachapoly_setkey( &operation->ctx.chachapoly, + key_buffer ) ); + if( status != PSA_SUCCESS ) + return( status ); + break; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ + + default: + return( PSA_ERROR_NOT_SUPPORTED ); + } + + if( PSA_AEAD_TAG_LENGTH( alg ) > operation->full_tag_length ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + operation->tag_length = PSA_AEAD_TAG_LENGTH( alg ); + + return( PSA_SUCCESS ); +} + +psa_status_t mbedtls_psa_aead_encrypt( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *nonce, size_t nonce_length, + const uint8_t *additional_data, size_t additional_data_length, + const uint8_t *plaintext, size_t plaintext_length, + uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + aead_operation_t operation = AEAD_OPERATION_INIT; + uint8_t *tag; + (void) key_buffer_size; + + status = psa_aead_setup( &operation, attributes, key_buffer, alg ); + if( status != PSA_SUCCESS ) + goto exit; + + /* For all currently supported modes, the tag is at the end of the + * ciphertext. */ + if( ciphertext_size < ( plaintext_length + operation.tag_length ) ) + { + status = PSA_ERROR_BUFFER_TOO_SMALL; + goto exit; + } + tag = ciphertext + plaintext_length; + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) + if( operation.core_alg == PSA_ALG_GCM ) + { + status = mbedtls_to_psa_error( + mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm, + MBEDTLS_GCM_ENCRYPT, + plaintext_length, + nonce, nonce_length, + additional_data, additional_data_length, + plaintext, ciphertext, + operation.tag_length, tag ) ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) + if( operation.core_alg == PSA_ALG_CCM ) + { + status = mbedtls_to_psa_error( + mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm, + plaintext_length, + nonce, nonce_length, + additional_data, + additional_data_length, + plaintext, ciphertext, + tag, operation.tag_length ) ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) + if( operation.core_alg == PSA_ALG_CHACHA20_POLY1305 ) + { + if( nonce_length != 12 || operation.tag_length != 16 ) + { + status = PSA_ERROR_NOT_SUPPORTED; + goto exit; + } + status = mbedtls_to_psa_error( + mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly, + plaintext_length, + nonce, + additional_data, + additional_data_length, + plaintext, + ciphertext, + tag ) ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ + { + (void) tag; + return( PSA_ERROR_NOT_SUPPORTED ); + } + + if( status == PSA_SUCCESS ) + *ciphertext_length = plaintext_length + operation.tag_length; + +exit: + psa_aead_abort_internal( &operation ); + + return( status ); +} + +/* Locate the tag in a ciphertext buffer containing the encrypted data + * followed by the tag. Return the length of the part preceding the tag in + * *plaintext_length. This is the size of the plaintext in modes where + * the encrypted data has the same size as the plaintext, such as + * CCM and GCM. */ +static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length, + const uint8_t *ciphertext, + size_t ciphertext_length, + size_t plaintext_size, + const uint8_t **p_tag ) +{ + size_t payload_length; + if( tag_length > ciphertext_length ) + return( PSA_ERROR_INVALID_ARGUMENT ); + payload_length = ciphertext_length - tag_length; + if( payload_length > plaintext_size ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + *p_tag = ciphertext + payload_length; + return( PSA_SUCCESS ); +} + +psa_status_t mbedtls_psa_aead_decrypt( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *nonce, size_t nonce_length, + const uint8_t *additional_data, size_t additional_data_length, + const uint8_t *ciphertext, size_t ciphertext_length, + uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + aead_operation_t operation = AEAD_OPERATION_INIT; + const uint8_t *tag = NULL; + (void) key_buffer_size; + + status = psa_aead_setup( &operation, attributes, key_buffer, alg ); + if( status != PSA_SUCCESS ) + goto exit; + + status = psa_aead_unpadded_locate_tag( operation.tag_length, + ciphertext, ciphertext_length, + plaintext_size, &tag ); + if( status != PSA_SUCCESS ) + goto exit; + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) + if( operation.core_alg == PSA_ALG_GCM ) + { + status = mbedtls_to_psa_error( + mbedtls_gcm_auth_decrypt( &operation.ctx.gcm, + ciphertext_length - operation.tag_length, + nonce, nonce_length, + additional_data, + additional_data_length, + tag, operation.tag_length, + ciphertext, plaintext ) ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) + if( operation.core_alg == PSA_ALG_CCM ) + { + status = mbedtls_to_psa_error( + mbedtls_ccm_auth_decrypt( &operation.ctx.ccm, + ciphertext_length - operation.tag_length, + nonce, nonce_length, + additional_data, + additional_data_length, + ciphertext, plaintext, + tag, operation.tag_length ) ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) + if( operation.core_alg == PSA_ALG_CHACHA20_POLY1305 ) + { + if( nonce_length != 12 || operation.tag_length != 16 ) + { + status = PSA_ERROR_NOT_SUPPORTED; + goto exit; + } + status = mbedtls_to_psa_error( + mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly, + ciphertext_length - operation.tag_length, + nonce, + additional_data, + additional_data_length, + tag, + ciphertext, + plaintext ) ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ + { + return( PSA_ERROR_NOT_SUPPORTED ); + } + + if( status == PSA_SUCCESS ) + *plaintext_length = ciphertext_length - operation.tag_length; + +exit: + psa_aead_abort_internal( &operation ); + + if( status == PSA_SUCCESS ) + *plaintext_length = ciphertext_length - operation.tag_length; + return( status ); +} #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_crypto_aead.h b/library/psa_crypto_aead.h index 1219e7c88..aab0f835c 100644 --- a/library/psa_crypto_aead.h +++ b/library/psa_crypto_aead.h @@ -23,4 +23,129 @@ #include +/** + * \brief Process an authenticated encryption operation. + * + * \note The signature of this function is that of a PSA driver + * aead_encrypt entry point. This function behaves as an aead_encrypt + * entry point as defined in the PSA driver interface specification for + * transparent drivers. + * + * \param[in] attributes The attributes of the key to use for the + * operation. + * \param[in] key_buffer The buffer containing the key context. + * \param key_buffer_size Size of the \p key_buffer buffer in bytes. + * \param alg The AEAD algorithm to compute. + * \param[in] nonce Nonce or IV to use. + * \param nonce_length Size of the nonce buffer in bytes. This must + * be appropriate for the selected algorithm. + * The default nonce size is + * PSA_AEAD_NONCE_LENGTH(key_type, alg) where + * key_type is the type of key. + * \param[in] additional_data Additional data that will be authenticated + * but not encrypted. + * \param additional_data_length Size of additional_data in bytes. + * \param[in] plaintext Data that will be authenticated and encrypted. + * \param plaintext_length Size of plaintext in bytes. + * \param[out] ciphertext Output buffer for the authenticated and + * encrypted data. The additional data is not + * part of this output. For algorithms where the + * encrypted data and the authentication tag are + * defined as separate outputs, the + * authentication tag is appended to the + * encrypted data. + * \param ciphertext_size Size of the ciphertext buffer in bytes. This + * must be appropriate for the selected algorithm + * and key: + * - A sufficient output size is + * PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, + * plaintext_length) where key_type is the type + * of key. + * - PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE( + * plaintext_length) evaluates to the maximum + * ciphertext size of any supported AEAD + * encryption. + * \param[out] ciphertext_length On success, the size of the output in the + * ciphertext buffer. + * + * \retval #PSA_SUCCESS Success. + * \retval #PSA_ERROR_NOT_SUPPORTED + * \p alg is not supported. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * ciphertext_size is too small. + * \retval #PSA_ERROR_CORRUPTION_DETECTED + */ +psa_status_t mbedtls_psa_aead_encrypt( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *nonce, size_t nonce_length, + const uint8_t *additional_data, size_t additional_data_length, + const uint8_t *plaintext, size_t plaintext_length, + uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length ); + +/** + * \brief Process an authenticated decryption operation. + * + * \note The signature of this function is that of a PSA driver + * aead_decrypt entry point. This function behaves as an aead_decrypt + * entry point as defined in the PSA driver interface specification for + * transparent drivers. + * + * \param[in] attributes The attributes of the key to use for the + * operation. + * \param[in] key_buffer The buffer containing the key context. + * \param key_buffer_size Size of the \p key_buffer buffer in bytes. + * \param alg The AEAD algorithm to compute. + * \param[in] nonce Nonce or IV to use. + * \param nonce_length Size of the nonce buffer in bytes. This must + * be appropriate for the selected algorithm. + * The default nonce size is + * PSA_AEAD_NONCE_LENGTH(key_type, alg) where + * key_type is the type of key. + * \param[in] additional_data Additional data that has been authenticated + * but not encrypted. + * \param additional_data_length Size of additional_data in bytes. + * \param[in] ciphertext Data that has been authenticated and + * encrypted. For algorithms where the encrypted + * data and the authentication tag are defined + * as separate inputs, the buffer contains + * encrypted data followed by the authentication + * tag. + * \param ciphertext_length Size of ciphertext in bytes. + * \param[out] plaintext Output buffer for the decrypted data. + * \param plaintext_size Size of the plaintext buffer in bytes. This + * must be appropriate for the selected algorithm + * and key: + * - A sufficient output size is + * PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, + * ciphertext_length) where key_type is the + * type of key. + * - PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE( + * ciphertext_length) evaluates to the maximum + * plaintext size of any supported AEAD + * decryption. + * \param[out] plaintext_length On success, the size of the output in the + * plaintext buffer. + * + * \retval #PSA_SUCCESS Success. + * \retval #PSA_ERROR_INVALID_SIGNATURE + * The cipher is not authentic. + * \retval #PSA_ERROR_NOT_SUPPORTED + * \p alg is not supported. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * plaintext_size is too small. + * \retval #PSA_ERROR_CORRUPTION_DETECTED + */ +psa_status_t mbedtls_psa_aead_decrypt( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *nonce, size_t nonce_length, + const uint8_t *additional_data, size_t additional_data_length, + const uint8_t *ciphertext, size_t ciphertext_length, + uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length ); + #endif /* PSA_CRYPTO_AEAD */