Add AEAD tag length to new mbedtls_cipher_setup_psa()

For AEAD ciphers, the information contained in mbedtls_cipher_info is not enough to deduce a PSA algorithm value of type psa_algorithm_t. This is because mbedtls_cipher_info doesn't contain the AEAD tag length, while values of type psa_algorithm_t do. This commit adds the AEAD tag length as a separate parameter to mbedtls_cipher_setup_psa(). For Non-AEAD ciphers, the value must be 0. This approach is preferred over passing psa_algorithm_t directly in order to keep the changes in existing code using the cipher layer small.
2024-11-23 00:35:50 +01:00 · 2018-11-12 16:26:27 +00:00 · 2018-11-12 16:26:27 +00:00 · f133640475
commit f133640475
parent 884f6af590
2 changed files with 11 additions and 3 deletions
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@ -434,6 +434,12 @@ int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
 *
 * \param ctx           The context to initialize. May not be \c NULL.
 * \param cipher_info   The cipher to use.
+ * \param taglen        For AEAD ciphers, the length in bytes of the
+ *                      authentication tag to use. Subsequent uses of
+ *                      mbedtls_cipher_auth_encrypt() or
+ *                      mbedtls_cipher_auth_decrypt() must provide
+ *                      the same tag length.
+ *                      For non-AEAD ciphers, the value must be \c 0.
 *
 * \return              \c 0 on success.
 * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@ -442,7 +448,8 @@ int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
 *                      cipher-specific context fails.
 */
 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
-                              const mbedtls_cipher_info_t *cipher_info );
+                              const mbedtls_cipher_info_t *cipher_info,
+                              size_t taglen );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */

 /**
--- a/library/cipher.c
+++ b/library/cipher.c
@ -234,7 +234,8 @@ int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,

 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
-                              const mbedtls_cipher_info_t *cipher_info )
+                              const mbedtls_cipher_info_t *cipher_info,
+                              size_t taglen )
 {
    psa_algorithm_t alg;
    mbedtls_cipher_context_psa *cipher_psa;
@ -242,7 +243,7 @@ int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
    if( NULL == cipher_info || NULL == ctx )
        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );

-    alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode );
+    alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen );
    if( alg == 0)
        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );