diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h index 75801a178..8701eb7a5 100644 --- a/include/psa/crypto_builtin_primitives.h +++ b/include/psa/crypto_builtin_primitives.h @@ -113,7 +113,10 @@ typedef struct { psa_algorithm_t alg; uint8_t iv_length; uint8_t block_length; - mbedtls_cipher_context_t cipher; + union { + unsigned int initialised; + mbedtls_cipher_context_t cipher; + } ctx; } mbedtls_psa_cipher_operation_t; #define MBEDTLS_PSA_CIPHER_OPERATION_INIT {0, 0, 0, {0}} diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index 84ec57daa..4f52b955e 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -165,7 +165,7 @@ static psa_status_t cipher_setup( /* Proceed with initializing an mbed TLS cipher context if no driver is * available for the given algorithm & key. */ - mbedtls_cipher_init( &operation->cipher ); + mbedtls_cipher_init( &operation->ctx.cipher ); operation->alg = alg; key_bits = attributes->core.bits; @@ -174,7 +174,7 @@ static psa_status_t cipher_setup( if( cipher_info == NULL ) return( PSA_ERROR_NOT_SUPPORTED ); - ret = mbedtls_cipher_setup( &operation->cipher, cipher_info ); + ret = mbedtls_cipher_setup( &operation->ctx.cipher, cipher_info ); if( ret != 0 ) goto exit; @@ -185,14 +185,14 @@ static psa_status_t cipher_setup( uint8_t keys[24]; memcpy( keys, key_buffer, 16 ); memcpy( keys + 16, key_buffer, 8 ); - ret = mbedtls_cipher_setkey( &operation->cipher, + ret = mbedtls_cipher_setkey( &operation->ctx.cipher, keys, 192, cipher_operation ); } else #endif { - ret = mbedtls_cipher_setkey( &operation->cipher, key_buffer, + ret = mbedtls_cipher_setkey( &operation->ctx.cipher, key_buffer, (int) key_bits, cipher_operation ); } if( ret != 0 ) @@ -203,11 +203,11 @@ static psa_status_t cipher_setup( switch( alg ) { case PSA_ALG_CBC_NO_PADDING: - ret = mbedtls_cipher_set_padding_mode( &operation->cipher, + ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher, MBEDTLS_PADDING_NONE ); break; case PSA_ALG_CBC_PKCS7: - ret = mbedtls_cipher_set_padding_mode( &operation->cipher, + ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher, MBEDTLS_PADDING_PKCS7 ); break; default: @@ -256,7 +256,7 @@ static psa_status_t cipher_set_iv( mbedtls_psa_cipher_operation_t *operation, return( PSA_ERROR_INVALID_ARGUMENT ); return( mbedtls_to_psa_error( - mbedtls_cipher_set_iv( &operation->cipher, + mbedtls_cipher_set_iv( &operation->ctx.cipher, iv, iv_length ) ) ); } @@ -365,7 +365,7 @@ static psa_status_t cipher_update( mbedtls_psa_cipher_operation_t *operation, * the last partial block, if any. You get the data that will be * output in this call. */ expected_output_size = - ( operation->cipher.unprocessed_len + input_length ) + ( operation->ctx.cipher.unprocessed_len + input_length ) / operation->block_length * operation->block_length; } else @@ -381,7 +381,7 @@ static psa_status_t cipher_update( mbedtls_psa_cipher_operation_t *operation, /* mbedtls_cipher_update has an API inconsistency: it will only * process a single block at a time in ECB mode. Abstract away that * inconsistency here to match the PSA API behaviour. */ - status = psa_cipher_update_ecb( &operation->cipher, + status = psa_cipher_update_ecb( &operation->ctx.cipher, input, input_length, output, @@ -391,7 +391,7 @@ static psa_status_t cipher_update( mbedtls_psa_cipher_operation_t *operation, else { status = mbedtls_to_psa_error( - mbedtls_cipher_update( &operation->cipher, input, + mbedtls_cipher_update( &operation->ctx.cipher, input, input_length, output, output_length ) ); } @@ -406,7 +406,7 @@ static psa_status_t cipher_finish( mbedtls_psa_cipher_operation_t *operation, psa_status_t status = PSA_ERROR_GENERIC_ERROR; uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH]; - if( operation->cipher.unprocessed_len != 0 ) + if( operation->ctx.cipher.unprocessed_len != 0 ) { if( operation->alg == PSA_ALG_ECB_NO_PADDING || operation->alg == PSA_ALG_CBC_NO_PADDING ) @@ -417,7 +417,7 @@ static psa_status_t cipher_finish( mbedtls_psa_cipher_operation_t *operation, } status = mbedtls_to_psa_error( - mbedtls_cipher_finish( &operation->cipher, + mbedtls_cipher_finish( &operation->ctx.cipher, temp_output_buffer, output_length ) ); if( status != PSA_SUCCESS ) @@ -444,7 +444,7 @@ static psa_status_t cipher_abort( mbedtls_psa_cipher_operation_t *operation ) if( ! PSA_ALG_IS_CIPHER( operation->alg ) ) return( PSA_ERROR_BAD_STATE ); - mbedtls_cipher_free( &operation->cipher ); + mbedtls_cipher_free( &operation->ctx.cipher ); return( PSA_SUCCESS ); }