Check support for cipher in mbedtls_cipher_setup_psa()
mbedtls_cipher_setup_psa() should return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE when the requested cipher is not supported by PSA, so that the caller can try the original mbedtls_cipher_setup() instead. The previous version of mbedtls_cipher_setup_psa(), however, only attempted to translate the cipher mode (GCM, CCM, CBC, ChaChaPoly, Stream), but didn't consider the underlying cipher primitive. Hence, it wouldn't fail when attempting to setup a cipher context for, say, 3DES-CBC, where CBC is currently supported by PSA but 3DES isn't. This commit adds a check to mbedtls_cipher_setup_psa() for whether the requested cipher primitive is available in the underlying PSA Crypto implementation, and fails cleanly with MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE if it is isn't.
This commit is contained in:
parent
b0c05e242c
commit
8d88a6e20d
1 changed files with 5 additions and 1 deletions
|
@ -243,9 +243,13 @@ int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
|
|||
if( NULL == cipher_info || NULL == ctx )
|
||||
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
||||
|
||||
/* Check that the underlying cipher mode and cipher type are
|
||||
* supported by the underlying PSA Crypto implementation. */
|
||||
alg = mbedtls_psa_translate_cipher_mode( cipher_info->mode, taglen );
|
||||
if( alg == 0 )
|
||||
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
||||
if( mbedtls_psa_translate_cipher_type( cipher_info->type ) == 0 )
|
||||
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
||||
|
||||
memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
|
||||
|
||||
|
|
Loading…
Reference in a new issue