diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index 24524c5c3..9ae2f0609 100644
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -857,9 +857,17 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
 unsigned char *output, size_t *olen );
 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_WARNING */
 /**
 * \brief The generic authenticated encryption (AEAD) function.
 *
+ * \deprecated Superseded by mbedtls_cipher_auth_encrypt_ext().
+ *
 * \note This function only supports AEAD algorithms, not key
 * wrapping algorithms such as NIST_KW; for this, see
 * mbedtls_cipher_auth_encrypt_ext().
@@ -906,14 +914,17 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
 const unsigned char *ad, size_t ad_len,
 const unsigned char *input, size_t ilen,
 unsigned char *output, size_t *olen,
- unsigned char *tag, size_t tag_len );
+ unsigned char *tag, size_t tag_len )
+ MBEDTLS_DEPRECATED;
 /**
 * \brief The generic authenticated decryption (AEAD) function.
 *
+ * \deprecated Superseded by mbedtls_cipher_auth_decrypt_ext().
+ *
 * \note This function only supports AEAD algorithms, not key
 * wrapping algorithms such as NIST_KW; for this, see
- * mbedtls_cipher_auth_encrypt_ext().
+ * mbedtls_cipher_auth_decrypt_ext().
 *
 * \note If the data is not authentic, then the output buffer
 * is zeroed out to prevent the unauthentic plaintext being
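Review bot: The `\deprecated` lines added to mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_decrypt() in cipher.h name the replacement but not what a caller has to change. Judging by the `cipher_plus_tag` buffer the test suite keeps for the non-deprecated path, the `_ext` functions appear to handle ciphertext and tag as one buffer rather than through a separate `tag` pointer, so they are not drop-in. I would extend each note along the lines of `\deprecated Superseded by mbedtls_cipher_auth_encrypt_ext(), which handles the tag in the same buffer as the ciphertext instead of a separate \p tag.`, with the wording checked against the `_ext` declarations, which are outside these hunks. A one-line comment above `#define MBEDTLS_DEPRECATED __attribute__((deprecated))` saying that MBEDTLS_DEPRECATED_WARNING relies on a GCC-style attribute would also help anyone building with another compiler.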
@@ -962,7 +973,10 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
 const unsigned char *ad, size_t ad_len,
 const unsigned char *input, size_t ilen,
 unsigned char *output, size_t *olen,
- const unsigned char *tag, size_t tag_len );
+ const unsigned char *tag, size_t tag_len )
+ MBEDTLS_DEPRECATED;
+#undef MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
diff --git a/library/cipher.c b/library/cipher.c
index 47dafa4aa..44cba34bc 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -1469,6 +1469,7 @@ static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx,
 return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
 }
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /*
 * Packet-oriented encryption for AEAD modes: public function.
 */
@@ -1536,6 +1537,7 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
 input, ilen, output, olen, tag, tag_len ) );
 }
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index 543ccf6fd..3b6d1e307 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -1022,17 +1022,10 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
 int ret;
 int using_nist_kw, using_nist_kw_padding;
- unsigned char output[300]; /* Temporary buffer for results of
- * encryption and decryption. */
- unsigned char *output_tag = NULL; /* Temporary buffer for tag in the
- * encryption step. */
 mbedtls_cipher_context_t ctx;
 size_t outlen;
- unsigned char *tmp_tag = NULL;
- unsigned char *tmp_cipher = NULL;
-
 unsigned char *cipher_plus_tag = NULL;
 size_t cipher_plus_tag_len;
 unsigned char *decrypt_buf = NULL;
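Review bot: Nothing in this diff moves an in-library caller off mbedtls_cipher_auth_encrypt() or mbedtls_cipher_auth_decrypt(), yet the new `#if !defined(MBEDTLS_DEPRECATED_REMOVED)` guard in library/cipher.c compiles both definitions out in that configuration and the header marks them deprecated under MBEDTLS_DEPRECATED_WARNING. If any other library file still calls them (not visible here), the first configuration no longer builds and the second fails wherever warnings are treated as errors, so those callers should move to the `_ext` functions before or together with this change. The guard opens above the comment for the encrypt function and closes after mbedtls_cipher_auth_decrypt(); both function bodies lie outside the two hunks. A short comment at the opening guard, such as `/* Deprecated wrappers, superseded by mbedtls_cipher_auth_xxcrypt_ext() */`, would tell a reader why the block is conditional.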
@@ -1040,8 +1033,19 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
 unsigned char *encrypt_buf = NULL;
 size_t encrypt_buf_len = 0;
- mbedtls_cipher_init( &ctx );
+#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
+ !defined(MBEDTLS_DEPRECATED_REMOVED)
+ unsigned char output[300]; /* Temporary buffer for results of
+ * encryption and decryption. */
+ unsigned char *output_tag = NULL; /* Temporary buffer for tag in the
+ * encryption step. */
+ unsigned char *tmp_tag = NULL;
+ unsigned char *tmp_cipher = NULL;
+
 memset( output, 0xFF, sizeof( output ) );
+#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */
+
+ mbedtls_cipher_init( &ctx );
 /* Initialize PSA Crypto */
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -1062,6 +1066,12 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
 cipher_id == MBEDTLS_CIPHER_AES_256_KW || using_nist_kw_padding;
+ /****************************************************************
+ * *
+ * Part 1: non-deprecated API *
+ * *
+ ****************************************************************/
+
 /*
 * Prepare context for decryption
 */
@@ -1126,7 +1136,7 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
 TEST_ASSERT( memcmp( decrypt_buf, clear->x, clear->len ) == 0 );
 }
- /* Free this, but keep cipher_plus_tag for legacy function with PSA */
+ /* Free this, but keep cipher_plus_tag for deprecated function with PSA */
 mbedtls_free( decrypt_buf );
 decrypt_buf = NULL;
@@ -1187,6 +1197,15 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
 encrypt_buf = NULL;
 }
+ /****************************************************************
+ * *
+ * Part 2: deprecated API *
+ * *
+ ****************************************************************/
+
+#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
+ !defined(MBEDTLS_DEPRECATED_REMOVED)
+
 /*
 * Prepare context for decryption
 */
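Review bot: The test guard `#if !defined(MBEDTLS_DEPRECATED_WARNING) && !defined(MBEDTLS_DEPRECATED_REMOVED)` also skips Part 2 when only MBEDTLS_DEPRECATED_WARNING is set, a configuration in which cipher.h still declares the deprecated functions, and no comment says why. If the reason is that calling them would raise the deprecation warning in the test build, state it at the first guard, e.g. `/* Deprecated API is not exercised under MBEDTLS_DEPRECATED_WARNING: the calls would trigger the warning. */`. The same condition is written out again at the Part 2 guard and at its `#endif`, and the declarations of `output`, `output_tag`, `tmp_tag` and `tmp_cipher` only compile if the Part 2 code stays under exactly that condition, so the comment should say the two guards must be kept in step. auth_crypt_tv() begins and ends outside these hunks.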
@@ -1278,6 +1297,8 @@ void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
 }
 }
+#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */
+
 exit:
 mbedtls_cipher_free( &ctx );