diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index c53f817c1f..c43134d456 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@@ -60,6 +60,8 @@
 /* Error codes in range 0x0021-0x0025 */
 /** Invalid input data. */
 #define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021
+/** The requested feature is not available. */
+#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023
 #ifdef __cplusplus
 extern "C" {
diff --git a/library/aes.c b/library/aes.c
index 940ea0296e..29a193e70c 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -1061,15 +1061,16 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
 #endif
 #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
-#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 if (mode == MBEDTLS_AES_ENCRYPT) {
 return mbedtls_internal_aes_encrypt(ctx, input, output);
 } else {
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 return mbedtls_internal_aes_decrypt(ctx, input, output);
- }
 #else
- return mbedtls_internal_aes_encrypt(ctx, input, output);
+ return MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE;
 #endif
+ }
+ return mbedtls_internal_aes_encrypt(ctx, input, output);
 #endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
 }
diff --git a/library/aesce.c b/library/aesce.c
index 79c02e367a..5883e6a83b 100644
--- a/library/aesce.c
+++ b/library/aesce.c
@@ -244,16 +244,15 @@ int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx,
 uint8x16_t block = vld1q_u8(&input[0]);
 unsigned char *keys = (unsigned char *) (ctx->buf + ctx->rk_offset);
-#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 if (mode == MBEDTLS_AES_ENCRYPT) {
 block = aesce_encrypt_block(block, keys, ctx->nr);
 } else {
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 block = aesce_decrypt_block(block, keys, ctx->nr);
- }
 #else
- (void) mode;
- block = aesce_encrypt_block(block, keys, ctx->nr);
-#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+ return MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE;
+#endif
+ }
 vst1q_u8(&output[0], block);
 return 0;
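Review bot: The doc comment on `MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE` in include/mbedtls/aes.h does not say when the code is returned. In this commit the AES functions return it only for a decrypt request in a build with MBEDTLS_BLOCK_CIPHER_NO_DECRYPT, so a comment such as `/** The requested operation is not available in this build, e.g. decryption when MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is set. */` would tell callers what to expect. The `\return` lists of the ECB functions are outside this hunk and may need the same addition.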
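Review bot: In library/aes.c, `mbedtls_aes_crypt_ecb`, the `return mbedtls_internal_aes_encrypt(ctx, input, output);` added after the closing brace of the `else` looks unreachable, since the `if` branch and both preprocessor variants of the `else` branch already return. Dead code on the cipher dispatch path makes it easy for a later edit to fall through into encryption when decryption was requested, which is the behaviour this commit is removing; I would drop the line. The function starts outside the hunk, so any earlier validation of `mode` is not visible here.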
diff --git a/library/aesni.c b/library/aesni.c
index 0c509acc08..6c917daec8 100644
--- a/library/aesni.c
+++ b/library/aesni.c
@@ -93,7 +93,6 @@ int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
 ++rk;
 --nr;
-#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 if (mode == MBEDTLS_AES_ENCRYPT) {
 while (nr != 0) {
 state = _mm_aesenc_si128(state, *rk);
@@ -102,23 +101,17 @@ int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
 }
 state = _mm_aesenclast_si128(state, *rk);
 } else {
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 while (nr != 0) {
 state = _mm_aesdec_si128(state, *rk);
 ++rk;
 --nr;
 }
 state = _mm_aesdeclast_si128(state, *rk);
- }
 #else
- (void) mode;
- while (nr != 0) {
-
- state = _mm_aesenc_si128(state, *rk);
- ++rk;
- --nr;
+ return MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE;
+#endif
 }
- state = _mm_aesenclast_si128(state, *rk);
-#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
 memcpy(output, &state, 16);
 return 0;
@@ -452,6 +445,12 @@ int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
 const unsigned char input[16],
 unsigned char output[16])
 {
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE;
+ }
+#endif
+
 asm ("movdqu (%3), %%xmm0 \n\t" // load input
 "movdqu (%1), %%xmm1 \n\t" // load round key 0
 "pxor %%xmm1, %%xmm0 \n\t" // round 0
diff --git a/library/cipher.c b/library/cipher.c
index 60c13a9f76..de55efa78d 100644
--- a/library/cipher.c
+++ b/library/cipher.c
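Review bot: In library/aesni.c the two `mbedtls_aesni_crypt_ecb` variants do not reject the same set of `mode` values under MBEDTLS_BLOCK_CIPHER_NO_DECRYPT. The intrinsics version (first and second hunks) returns MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE for anything other than MBEDTLS_AES_ENCRYPT, while the assembly version (third hunk) rejects only `mode == MBEDTLS_AES_DECRYPT` and lets any other value reach the asm block. Whether every caller passes an already validated mode is not visible from these hunks, so I would make the guard fail closed in the same way: `if (mode != MBEDTLS_AES_ENCRYPT) {`. Both function bodies continue outside the hunks.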
@@ -319,6 +319,17 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
 if (ctx->cipher_info == NULL) {
 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
 }
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ /* CBC, XTS, KW and KWP mode always need decryption, return an error to
+ * indicate those modes are not available under
+ * MBEDTLS_BLOCK_CIPHER_NO_DECRYPT. */
+ if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif
 #if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
 if (ctx->psa_enabled == 1) {
@@ -402,12 +413,14 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,
 ctx->key_bitlen);
 }
+#else
+ if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) {
+ return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
+ ctx->key_bitlen);
+ }
+#endif
 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
-#else
- return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
- ctx->key_bitlen);
-#endif
 }
 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 1faf1dd6ca..2ada2eb720 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -157,6 +157,7 @@ psa_status_t mbedtls_to_psa_error(int ret)
 #if defined(MBEDTLS_AES_C)
 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
+ case MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE:
 return PSA_ERROR_NOT_SUPPORTED;
 case MBEDTLS_ERR_AES_BAD_INPUT_DATA:
 return PSA_ERROR_INVALID_ARGUMENT;
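Review bot: In `mbedtls_cipher_setkey` (library/cipher.c, second hunk) the new `#else` branch accepts `operation == MBEDTLS_DECRYPT` and installs the encryption key schedule, and ECB is not among the modes rejected by the check added in the first hunk. An ECB context set up for decryption therefore passes setkey and is stopped only later, if the cipher's ECB routine refuses decrypt mode; this commit adds that refusal for AES, and the other block ciphers are not visible here. Rejecting the combination at setkey keeps the failure early and independent of the backend: `if (operation == MBEDTLS_DECRYPT && MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; }`. The branch would also benefit from a comment such as `/* Without block decryption only modes that use the forward cipher in both directions remain, so decrypt uses the encryption key schedule. */`.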