From f13364047577569d5ee2906216fae5cf0c137a1a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 12 Nov 2018 16:26:27 +0000 Subject: [PATCH] Add AEAD tag length to new mbedtls_cipher_setup_psa() For AEAD ciphers, the information contained in mbedtls_cipher_info is not enough to deduce a PSA algorithm value of type psa_algorithm_t. This is because mbedtls_cipher_info doesn't contain the AEAD tag length, while values of type psa_algorithm_t do. This commit adds the AEAD tag length as a separate parameter to mbedtls_cipher_setup_psa(). For Non-AEAD ciphers, the value must be 0. This approach is preferred over passing psa_algorithm_t directly in order to keep the changes in existing code using the cipher layer small. --- include/mbedtls/cipher.h | 9 ++++++++- library/cipher.c | 5 +++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index c2745e82ff..eff12f687d 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -434,6 +434,12 @@ int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, * * \param ctx The context to initialize. May not be \c NULL. * \param cipher_info The cipher to use. + * \param taglen For AEAD ciphers, the length in bytes of the + * authentication tag to use. Subsequent uses of + * mbedtls_cipher_auth_encrypt() or + * mbedtls_cipher_auth_decrypt() must provide + * the same tag length. + * For non-AEAD ciphers, the value must be \c 0. * * \return \c 0 on success. * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on @@ -442,7 +448,8 @@ int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, * cipher-specific context fails. */ int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx, - const mbedtls_cipher_info_t *cipher_info ); + const mbedtls_cipher_info_t *cipher_info, + size_t taglen ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ /** diff --git a/library/cipher.c b/library/cipher.c index 243c73918e..0b7c887f03 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -234,7 +234,8 @@ int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, #if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx, - const mbedtls_cipher_info_t *cipher_info ) + const mbedtls_cipher_info_t *cipher_info, + size_t taglen ) { psa_algorithm_t alg; mbedtls_cipher_context_psa *cipher_psa; @@ -242,7 +243,7 @@ int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx, if( NULL == cipher_info || NULL == ctx ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); - alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode ); + alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen ); if( alg == 0) return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );