From 4ee7e76378a7ee3e62f1bde1cdf868589926de17 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 17 Nov 2018 22:00:38 +0000 Subject: [PATCH] Check support for cipher in mbedtls_cipher_setup_psa() mbedtls_cipher_setup_psa() should return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE when the requested cipher is not supported by PSA, so that the caller can try the original mbedtls_cipher_setup() instead. The previous version of mbedtls_cipher_setup_psa(), however, only attempted to translate the cipher mode (GCM, CCM, CBC, ChaChaPoly, Stream), but didn't consider the underlying cipher primitive. Hence, it wouldn't fail when attempting to setup a cipher context for, say, 3DES-CBC, where CBC is currently supported by PSA but 3DES isn't. This commit adds a check to mbedtls_cipher_setup_psa() for whether the requested cipher primitive is available in the underlying PSA Crypto implementation, and fails cleanly with MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE if it is isn't. --- library/cipher.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/library/cipher.c b/library/cipher.c index c03b0528c..e9a1a07a0 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -243,8 +243,12 @@ int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx, if( NULL == cipher_info || NULL == ctx ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); + /* Check that the underlying cipher mode and cipher type are + * supported by the underlying PSA Crypto implementation. */ alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen ); - if( alg == 0) + if( alg == 0 ) + return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); + if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 ) return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );