123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500 |
- /*
- * PSA MAC layer on top of Mbed TLS software crypto
- */
- /*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
- #include "common.h"
- #if defined(MBEDTLS_PSA_CRYPTO_C)
- #include <psa/crypto.h>
- #include "psa_crypto_core.h"
- #include "psa_crypto_mac.h"
- #include <mbedtls/md.h>
- #include <mbedtls/error.h>
- #include <string.h>
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- static psa_status_t psa_hmac_abort_internal(
- mbedtls_psa_hmac_operation_t *hmac )
- {
- mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) );
- return( psa_hash_abort( &hmac->hash_ctx ) );
- }
- static psa_status_t psa_hmac_setup_internal(
- mbedtls_psa_hmac_operation_t *hmac,
- const uint8_t *key,
- size_t key_length,
- psa_algorithm_t hash_alg )
- {
- uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
- size_t i;
- size_t hash_size = PSA_HASH_LENGTH( hash_alg );
- size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
- psa_status_t status;
- hmac->alg = hash_alg;
- /* Sanity checks on block_size, to guarantee that there won't be a buffer
- * overflow below. This should never trigger if the hash algorithm
- * is implemented correctly. */
- /* The size checks against the ipad and opad buffers cannot be written
- * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
- * because that triggers -Wlogical-op on GCC 7.3. */
- if( block_size > sizeof( ipad ) )
- return( PSA_ERROR_NOT_SUPPORTED );
- if( block_size > sizeof( hmac->opad ) )
- return( PSA_ERROR_NOT_SUPPORTED );
- if( block_size < hash_size )
- return( PSA_ERROR_NOT_SUPPORTED );
- if( key_length > block_size )
- {
- status = psa_hash_compute( hash_alg, key, key_length,
- ipad, sizeof( ipad ), &key_length );
- if( status != PSA_SUCCESS )
- goto cleanup;
- }
- /* A 0-length key is not commonly used in HMAC when used as a MAC,
- * but it is permitted. It is common when HMAC is used in HKDF, for
- * example. Don't call `memcpy` in the 0-length because `key` could be
- * an invalid pointer which would make the behavior undefined. */
- else if( key_length != 0 )
- memcpy( ipad, key, key_length );
- /* ipad contains the key followed by garbage. Xor and fill with 0x36
- * to create the ipad value. */
- for( i = 0; i < key_length; i++ )
- ipad[i] ^= 0x36;
- memset( ipad + key_length, 0x36, block_size - key_length );
- /* Copy the key material from ipad to opad, flipping the requisite bits,
- * and filling the rest of opad with the requisite constant. */
- for( i = 0; i < key_length; i++ )
- hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
- memset( hmac->opad + key_length, 0x5C, block_size - key_length );
- status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
- if( status != PSA_SUCCESS )
- goto cleanup;
- status = psa_hash_update( &hmac->hash_ctx, ipad, block_size );
- cleanup:
- mbedtls_platform_zeroize( ipad, sizeof( ipad ) );
- return( status );
- }
- static psa_status_t psa_hmac_update_internal(
- mbedtls_psa_hmac_operation_t *hmac,
- const uint8_t *data,
- size_t data_length )
- {
- return( psa_hash_update( &hmac->hash_ctx, data, data_length ) );
- }
- static psa_status_t psa_hmac_finish_internal(
- mbedtls_psa_hmac_operation_t *hmac,
- uint8_t *mac,
- size_t mac_size )
- {
- uint8_t tmp[PSA_HASH_MAX_SIZE];
- psa_algorithm_t hash_alg = hmac->alg;
- size_t hash_size = 0;
- size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
- psa_status_t status;
- status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
- if( status != PSA_SUCCESS )
- return( status );
- /* From here on, tmp needs to be wiped. */
- status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
- if( status != PSA_SUCCESS )
- goto exit;
- status = psa_hash_update( &hmac->hash_ctx, hmac->opad, block_size );
- if( status != PSA_SUCCESS )
- goto exit;
- status = psa_hash_update( &hmac->hash_ctx, tmp, hash_size );
- if( status != PSA_SUCCESS )
- goto exit;
- status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
- if( status != PSA_SUCCESS )
- goto exit;
- memcpy( mac, tmp, mac_size );
- exit:
- mbedtls_platform_zeroize( tmp, hash_size );
- return( status );
- }
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- static psa_status_t cmac_setup( mbedtls_psa_mac_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer )
- {
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- #if defined(PSA_WANT_KEY_TYPE_DES)
- /* Mbed TLS CMAC does not accept 3DES with only two keys, nor does it accept
- * to do CMAC with pure DES, so return NOT_SUPPORTED here. */
- if( psa_get_key_type( attributes ) == PSA_KEY_TYPE_DES &&
- ( psa_get_key_bits( attributes ) == 64 ||
- psa_get_key_bits( attributes ) == 128 ) )
- return( PSA_ERROR_NOT_SUPPORTED );
- #endif
- const mbedtls_cipher_info_t * cipher_info =
- mbedtls_cipher_info_from_psa(
- PSA_ALG_CMAC,
- psa_get_key_type( attributes ),
- psa_get_key_bits( attributes ),
- NULL );
- if( cipher_info == NULL )
- return( PSA_ERROR_NOT_SUPPORTED );
- ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info );
- if( ret != 0 )
- goto exit;
- ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
- key_buffer,
- psa_get_key_bits( attributes ) );
- exit:
- return( mbedtls_to_psa_error( ret ) );
- }
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \
- defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- /* Initialize this driver's MAC operation structure. Once this function has been
- * called, mbedtls_psa_mac_abort can run and will do the right thing. */
- static psa_status_t mac_init(
- mbedtls_psa_mac_operation_t *operation,
- psa_algorithm_t alg )
- {
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- operation->alg = alg;
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
- {
- mbedtls_cipher_init( &operation->ctx.cmac );
- status = PSA_SUCCESS;
- }
- else
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- if( PSA_ALG_IS_HMAC( operation->alg ) )
- {
- /* We'll set up the hash operation later in psa_hmac_setup_internal. */
- operation->ctx.hmac.alg = 0;
- status = PSA_SUCCESS;
- }
- else
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- {
- (void) operation;
- status = PSA_ERROR_NOT_SUPPORTED;
- }
- if( status != PSA_SUCCESS )
- memset( operation, 0, sizeof( *operation ) );
- return( status );
- }
- psa_status_t mbedtls_psa_mac_abort( mbedtls_psa_mac_operation_t *operation )
- {
- if( operation->alg == 0 )
- {
- /* The object has (apparently) been initialized but it is not
- * in use. It's ok to call abort on such an object, and there's
- * nothing to do. */
- return( PSA_SUCCESS );
- }
- else
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
- {
- mbedtls_cipher_free( &operation->ctx.cmac );
- }
- else
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- if( PSA_ALG_IS_HMAC( operation->alg ) )
- {
- psa_hmac_abort_internal( &operation->ctx.hmac );
- }
- else
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- {
- /* Sanity check (shouldn't happen: operation->alg should
- * always have been initialized to a valid value). */
- goto bad_state;
- }
- operation->alg = 0;
- return( PSA_SUCCESS );
- bad_state:
- /* If abort is called on an uninitialized object, we can't trust
- * anything. Wipe the object in case it contains confidential data.
- * This may result in a memory leak if a pointer gets overwritten,
- * but it's too late to do anything about this. */
- memset( operation, 0, sizeof( *operation ) );
- return( PSA_ERROR_BAD_STATE );
- }
- static psa_status_t psa_mac_setup( mbedtls_psa_mac_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg )
- {
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- /* A context must be freshly initialized before it can be set up. */
- if( operation->alg != 0 )
- return( PSA_ERROR_BAD_STATE );
- status = mac_init( operation, alg );
- if( status != PSA_SUCCESS )
- return( status );
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- if( PSA_ALG_FULL_LENGTH_MAC( alg ) == PSA_ALG_CMAC )
- {
- /* Key buffer size for CMAC is dictated by the key bits set on the
- * attributes, and previously validated by the core on key import. */
- (void) key_buffer_size;
- status = cmac_setup( operation, attributes, key_buffer );
- }
- else
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- if( PSA_ALG_IS_HMAC( alg ) )
- {
- status = psa_hmac_setup_internal( &operation->ctx.hmac,
- key_buffer,
- key_buffer_size,
- PSA_ALG_HMAC_GET_HASH( alg ) );
- }
- else
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- {
- (void) attributes;
- (void) key_buffer;
- (void) key_buffer_size;
- status = PSA_ERROR_NOT_SUPPORTED;
- }
- if( status != PSA_SUCCESS )
- mbedtls_psa_mac_abort( operation );
- return( status );
- }
- psa_status_t mbedtls_psa_mac_sign_setup(
- mbedtls_psa_mac_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg )
- {
- return( psa_mac_setup( operation, attributes,
- key_buffer, key_buffer_size, alg ) );
- }
- psa_status_t mbedtls_psa_mac_verify_setup(
- mbedtls_psa_mac_operation_t *operation,
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg )
- {
- return( psa_mac_setup( operation, attributes,
- key_buffer, key_buffer_size, alg ) );
- }
- psa_status_t mbedtls_psa_mac_update(
- mbedtls_psa_mac_operation_t *operation,
- const uint8_t *input,
- size_t input_length )
- {
- if( operation->alg == 0 )
- return( PSA_ERROR_BAD_STATE );
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
- {
- return( mbedtls_to_psa_error(
- mbedtls_cipher_cmac_update( &operation->ctx.cmac,
- input, input_length ) ) );
- }
- else
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- if( PSA_ALG_IS_HMAC( operation->alg ) )
- {
- return( psa_hmac_update_internal( &operation->ctx.hmac,
- input, input_length ) );
- }
- else
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- {
- /* This shouldn't happen if `operation` was initialized by
- * a setup function. */
- (void) input;
- (void) input_length;
- return( PSA_ERROR_BAD_STATE );
- }
- }
- static psa_status_t psa_mac_finish_internal(
- mbedtls_psa_mac_operation_t *operation,
- uint8_t *mac, size_t mac_size )
- {
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
- if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
- {
- uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE];
- int ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, tmp );
- if( ret == 0 )
- memcpy( mac, tmp, mac_size );
- mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
- return( mbedtls_to_psa_error( ret ) );
- }
- else
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
- #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
- if( PSA_ALG_IS_HMAC( operation->alg ) )
- {
- return( psa_hmac_finish_internal( &operation->ctx.hmac,
- mac, mac_size ) );
- }
- else
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
- {
- /* This shouldn't happen if `operation` was initialized by
- * a setup function. */
- (void) operation;
- (void) mac;
- (void) mac_size;
- return( PSA_ERROR_BAD_STATE );
- }
- }
- psa_status_t mbedtls_psa_mac_sign_finish(
- mbedtls_psa_mac_operation_t *operation,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length )
- {
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- if( operation->alg == 0 )
- return( PSA_ERROR_BAD_STATE );
- status = psa_mac_finish_internal( operation, mac, mac_size );
- if( status == PSA_SUCCESS )
- *mac_length = mac_size;
- return( status );
- }
- psa_status_t mbedtls_psa_mac_verify_finish(
- mbedtls_psa_mac_operation_t *operation,
- const uint8_t *mac,
- size_t mac_length )
- {
- uint8_t actual_mac[PSA_MAC_MAX_SIZE];
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- if( operation->alg == 0 )
- return( PSA_ERROR_BAD_STATE );
- /* Consistency check: requested MAC length fits our local buffer */
- if( mac_length > sizeof( actual_mac ) )
- return( PSA_ERROR_INVALID_ARGUMENT );
- status = psa_mac_finish_internal( operation, actual_mac, mac_length );
- if( status != PSA_SUCCESS )
- goto cleanup;
- if( mbedtls_psa_safer_memcmp( mac, actual_mac, mac_length ) != 0 )
- status = PSA_ERROR_INVALID_SIGNATURE;
- cleanup:
- mbedtls_platform_zeroize( actual_mac, sizeof( actual_mac ) );
- return( status );
- }
- psa_status_t mbedtls_psa_mac_compute(
- const psa_key_attributes_t *attributes,
- const uint8_t *key_buffer,
- size_t key_buffer_size,
- psa_algorithm_t alg,
- const uint8_t *input,
- size_t input_length,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length )
- {
- psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT;
- status = psa_mac_setup( &operation,
- attributes, key_buffer, key_buffer_size,
- alg );
- if( status != PSA_SUCCESS )
- goto exit;
- if( input_length > 0 )
- {
- status = mbedtls_psa_mac_update( &operation, input, input_length );
- if( status != PSA_SUCCESS )
- goto exit;
- }
- status = psa_mac_finish_internal( &operation, mac, mac_size );
- if( status == PSA_SUCCESS )
- *mac_length = mac_size;
- exit:
- mbedtls_psa_mac_abort( &operation );
- return( status );
- }
- #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_CMAC */
- #endif /* MBEDTLS_PSA_CRYPTO_C */
|