diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c index 9ac26467f..9f673596f 100644 --- a/library/psa_crypto_aead.c +++ b/library/psa_crypto_aead.c @@ -607,18 +607,6 @@ psa_status_t mbedtls_psa_aead_update( return( status ); } -/* Common checks for both mbedtls_psa_aead_finish() and - mbedtls_psa_aead_verify() */ -static psa_status_t mbedtls_psa_aead_finish_checks( - mbedtls_psa_aead_operation_t *operation, - size_t tag_size ) -{ - if( tag_size < operation->tag_length ) - return ( PSA_ERROR_BUFFER_TOO_SMALL ); - - return ( PSA_SUCCESS ); -} - /* Finish encrypting a message in a multipart AEAD operation. */ psa_status_t mbedtls_psa_aead_finish( mbedtls_psa_aead_operation_t *operation, @@ -632,10 +620,8 @@ psa_status_t mbedtls_psa_aead_finish( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t finish_output_size = 0; - status = mbedtls_psa_aead_finish_checks( operation, tag_size ); - - if( status != PSA_SUCCESS ) - return status; + if( tag_size < operation->tag_length ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) if( operation->alg == PSA_ALG_GCM ) @@ -672,66 +658,6 @@ psa_status_t mbedtls_psa_aead_finish( return ( status ); } -/* Finish authenticating and decrypting a message in a multipart AEAD - * operation.*/ -psa_status_t mbedtls_psa_aead_verify( - mbedtls_psa_aead_operation_t *operation, - uint8_t *plaintext, - size_t plaintext_size, - size_t *plaintext_length, - const uint8_t *tag, - size_t tag_length ) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - size_t finish_output_size = 0; - int do_tag_check = 1; - uint8_t check_tag[PSA_AEAD_TAG_MAX_SIZE]; - - status = mbedtls_psa_aead_finish_checks( operation, tag_length ); - - if( status != PSA_SUCCESS ) - return status; - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) - if( operation->alg == PSA_ALG_GCM ) - /* Call finish to get the tag for comparison */ - status = mbedtls_to_psa_error( - mbedtls_gcm_finish( &operation->ctx.gcm, - plaintext, plaintext_size, - check_tag, operation->tag_length ) ); - else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) - if( operation->alg == PSA_ALG_CHACHA20_POLY1305 ) - // call finish to get the tag for comparison. - status = mbedtls_to_psa_error( - mbedtls_chachapoly_finish( &operation->ctx.chachapoly, - check_tag ) ); - - else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ - { - ( void ) plaintext; - ( void ) plaintext_size; - ( void ) plaintext_length; - ( void ) tag; - ( void ) tag_length; - - return ( PSA_ERROR_NOT_SUPPORTED ); - } - - if( status == PSA_SUCCESS ) - { - *plaintext_length = finish_output_size; - - if( do_tag_check && ( tag_length != operation->tag_length || - mbedtls_psa_safer_memcmp(tag, check_tag, tag_length) != 0 ) ) - status = PSA_ERROR_INVALID_SIGNATURE; - } - - return ( status ); -} - /* Abort an AEAD operation */ psa_status_t mbedtls_psa_aead_abort( mbedtls_psa_aead_operation_t *operation ) diff --git a/library/psa_crypto_aead.h b/library/psa_crypto_aead.h index c664f9f2b..38202b6fb 100644 --- a/library/psa_crypto_aead.h +++ b/library/psa_crypto_aead.h @@ -491,77 +491,6 @@ psa_status_t mbedtls_psa_aead_finish( size_t tag_size, size_t *tag_length ); -/** Finish authenticating and decrypting a message in an AEAD operation. - * - * \note The signature of this function is that of a PSA driver - * aead_verify entry point. This function behaves as an aead_verify entry - * point as defined in the PSA driver interface specification for - * transparent drivers. - * - * The operation must have been set up by the PSA core with - * mbedtls_psa_aead_decrypt_setup(). - * - * This function finishes the authenticated decryption of the message - * components: - * - * - The additional data consisting of the concatenation of the inputs - * passed to preceding calls to mbedtls_psa_aead_update_ad(). - * - The ciphertext consisting of the concatenation of the inputs passed to - * preceding calls to mbedtls_psa_aead_update(). - * - The tag passed to this function call. - * - * If the authentication tag is correct, this function outputs any remaining - * plaintext and reports success. If the authentication tag is not correct, - * this function returns #PSA_ERROR_INVALID_SIGNATURE. - * - * Whether or not this function returns successfully, the PSA core subsequently - * calls mbedtls_psa_aead_abort() to deactivate the operation. - * - * \note Implementations shall make the best effort to ensure that the - * comparison between the actual tag and the expected tag is performed - * in constant time. - * - * \param[in,out] operation Active AEAD operation. - * \param[out] plaintext Buffer where the last part of the plaintext - * is to be written. This is the remaining data - * from previous calls to mbedtls_psa_aead_update() - * that could not be processed until the end - * of the input. - * \param plaintext_size Size of the \p plaintext buffer in bytes. - * This must be appropriate for the selected - * algorithm and key: - * - A sufficient output size is - * #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, - * \c alg) where \c key_type is the type of key - * and \c alg is the algorithm that were used to - * set up the operation. - * - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to - * the maximum output size of any supported AEAD - * algorithm. - * \param[out] plaintext_length On success, the number of bytes of - * returned plaintext. - * \param[in] tag Buffer containing the authentication tag. - * \param tag_length Size of the \p tag buffer in bytes. - * - * \retval #PSA_SUCCESS - * Success. - * \retval #PSA_ERROR_INVALID_SIGNATURE - * The calculations were successful, but the authentication tag is - * not correct. - * \retval #PSA_ERROR_BUFFER_TOO_SMALL - * The size of the \p tag buffer is too small. - * #PSA_AEAD_TAG_LENGTH(\c key_type, key_bits, \c alg) or - * #PSA_AEAD_TAG_MAX_SIZE can be used to determine the required \p tag - * buffer size. - */ -psa_status_t mbedtls_psa_aead_verify( - mbedtls_psa_aead_operation_t *operation, - uint8_t *plaintext, - size_t plaintext_size, - size_t *plaintext_length, - const uint8_t *tag, - size_t tag_length ); - /** Abort an AEAD operation. * * \note The signature of this function is that of a PSA driver diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index 48410c0e1..09fff0c6b 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -1739,11 +1739,29 @@ psa_status_t psa_driver_wrapper_aead_verify( { #if defined(MBEDTLS_PSA_BUILTIN_AEAD) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: - return( mbedtls_psa_aead_verify( &operation->ctx.mbedtls_ctx, - plaintext, - plaintext_size, - plaintext_length, - tag, tag_length ) ); + { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + uint8_t check_tag[PSA_AEAD_TAG_MAX_SIZE]; + size_t check_tag_length; + + status = mbedtls_psa_aead_finish( &operation->ctx.mbedtls_ctx, + plaintext, + plaintext_size, + plaintext_length, + check_tag, + tag_length, + &check_tag_length ); + + if( status == PSA_SUCCESS ) + { + if( tag_length != check_tag_length || + mbedtls_psa_safer_memcmp( tag, check_tag, tag_length ) + != 0 ) + status = PSA_ERROR_INVALID_SIGNATURE; + } + + return( status ); + } #endif /* MBEDTLS_PSA_BUILTIN_AEAD */