psa_crypto_mac.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500
  1. /*
  2. * PSA MAC layer on top of Mbed TLS software crypto
  3. */
  4. /*
  5. * Copyright The Mbed TLS Contributors
  6. * SPDX-License-Identifier: Apache-2.0
  7. *
  8. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  9. * not use this file except in compliance with the License.
  10. * You may obtain a copy of the License at
  11. *
  12. * http://www.apache.org/licenses/LICENSE-2.0
  13. *
  14. * Unless required by applicable law or agreed to in writing, software
  15. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  16. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  17. * See the License for the specific language governing permissions and
  18. * limitations under the License.
  19. */
  20. #include "common.h"
  21. #if defined(MBEDTLS_PSA_CRYPTO_C)
  22. #include <psa/crypto.h>
  23. #include "psa_crypto_core.h"
  24. #include "psa_crypto_mac.h"
  25. #include <mbedtls/md.h>
  26. #include <mbedtls/error.h>
  27. #include <string.h>
  28. #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
  29. static psa_status_t psa_hmac_abort_internal(
  30. mbedtls_psa_hmac_operation_t *hmac )
  31. {
  32. mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) );
  33. return( psa_hash_abort( &hmac->hash_ctx ) );
  34. }
  35. static psa_status_t psa_hmac_setup_internal(
  36. mbedtls_psa_hmac_operation_t *hmac,
  37. const uint8_t *key,
  38. size_t key_length,
  39. psa_algorithm_t hash_alg )
  40. {
  41. uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
  42. size_t i;
  43. size_t hash_size = PSA_HASH_LENGTH( hash_alg );
  44. size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
  45. psa_status_t status;
  46. hmac->alg = hash_alg;
  47. /* Sanity checks on block_size, to guarantee that there won't be a buffer
  48. * overflow below. This should never trigger if the hash algorithm
  49. * is implemented correctly. */
  50. /* The size checks against the ipad and opad buffers cannot be written
  51. * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
  52. * because that triggers -Wlogical-op on GCC 7.3. */
  53. if( block_size > sizeof( ipad ) )
  54. return( PSA_ERROR_NOT_SUPPORTED );
  55. if( block_size > sizeof( hmac->opad ) )
  56. return( PSA_ERROR_NOT_SUPPORTED );
  57. if( block_size < hash_size )
  58. return( PSA_ERROR_NOT_SUPPORTED );
  59. if( key_length > block_size )
  60. {
  61. status = psa_hash_compute( hash_alg, key, key_length,
  62. ipad, sizeof( ipad ), &key_length );
  63. if( status != PSA_SUCCESS )
  64. goto cleanup;
  65. }
  66. /* A 0-length key is not commonly used in HMAC when used as a MAC,
  67. * but it is permitted. It is common when HMAC is used in HKDF, for
  68. * example. Don't call `memcpy` in the 0-length because `key` could be
  69. * an invalid pointer which would make the behavior undefined. */
  70. else if( key_length != 0 )
  71. memcpy( ipad, key, key_length );
  72. /* ipad contains the key followed by garbage. Xor and fill with 0x36
  73. * to create the ipad value. */
  74. for( i = 0; i < key_length; i++ )
  75. ipad[i] ^= 0x36;
  76. memset( ipad + key_length, 0x36, block_size - key_length );
  77. /* Copy the key material from ipad to opad, flipping the requisite bits,
  78. * and filling the rest of opad with the requisite constant. */
  79. for( i = 0; i < key_length; i++ )
  80. hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
  81. memset( hmac->opad + key_length, 0x5C, block_size - key_length );
  82. status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
  83. if( status != PSA_SUCCESS )
  84. goto cleanup;
  85. status = psa_hash_update( &hmac->hash_ctx, ipad, block_size );
  86. cleanup:
  87. mbedtls_platform_zeroize( ipad, sizeof( ipad ) );
  88. return( status );
  89. }
  90. static psa_status_t psa_hmac_update_internal(
  91. mbedtls_psa_hmac_operation_t *hmac,
  92. const uint8_t *data,
  93. size_t data_length )
  94. {
  95. return( psa_hash_update( &hmac->hash_ctx, data, data_length ) );
  96. }
  97. static psa_status_t psa_hmac_finish_internal(
  98. mbedtls_psa_hmac_operation_t *hmac,
  99. uint8_t *mac,
  100. size_t mac_size )
  101. {
  102. uint8_t tmp[PSA_HASH_MAX_SIZE];
  103. psa_algorithm_t hash_alg = hmac->alg;
  104. size_t hash_size = 0;
  105. size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
  106. psa_status_t status;
  107. status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
  108. if( status != PSA_SUCCESS )
  109. return( status );
  110. /* From here on, tmp needs to be wiped. */
  111. status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
  112. if( status != PSA_SUCCESS )
  113. goto exit;
  114. status = psa_hash_update( &hmac->hash_ctx, hmac->opad, block_size );
  115. if( status != PSA_SUCCESS )
  116. goto exit;
  117. status = psa_hash_update( &hmac->hash_ctx, tmp, hash_size );
  118. if( status != PSA_SUCCESS )
  119. goto exit;
  120. status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
  121. if( status != PSA_SUCCESS )
  122. goto exit;
  123. memcpy( mac, tmp, mac_size );
  124. exit:
  125. mbedtls_platform_zeroize( tmp, hash_size );
  126. return( status );
  127. }
  128. #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
  129. #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
  130. static psa_status_t cmac_setup( mbedtls_psa_mac_operation_t *operation,
  131. const psa_key_attributes_t *attributes,
  132. const uint8_t *key_buffer )
  133. {
  134. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  135. #if defined(PSA_WANT_KEY_TYPE_DES)
  136. /* Mbed TLS CMAC does not accept 3DES with only two keys, nor does it accept
  137. * to do CMAC with pure DES, so return NOT_SUPPORTED here. */
  138. if( psa_get_key_type( attributes ) == PSA_KEY_TYPE_DES &&
  139. ( psa_get_key_bits( attributes ) == 64 ||
  140. psa_get_key_bits( attributes ) == 128 ) )
  141. return( PSA_ERROR_NOT_SUPPORTED );
  142. #endif
  143. const mbedtls_cipher_info_t * cipher_info =
  144. mbedtls_cipher_info_from_psa(
  145. PSA_ALG_CMAC,
  146. psa_get_key_type( attributes ),
  147. psa_get_key_bits( attributes ),
  148. NULL );
  149. if( cipher_info == NULL )
  150. return( PSA_ERROR_NOT_SUPPORTED );
  151. ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info );
  152. if( ret != 0 )
  153. goto exit;
  154. ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
  155. key_buffer,
  156. psa_get_key_bits( attributes ) );
  157. exit:
  158. return( mbedtls_to_psa_error( ret ) );
  159. }
  160. #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
  161. #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \
  162. defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
  163. /* Initialize this driver's MAC operation structure. Once this function has been
  164. * called, mbedtls_psa_mac_abort can run and will do the right thing. */
  165. static psa_status_t mac_init(
  166. mbedtls_psa_mac_operation_t *operation,
  167. psa_algorithm_t alg )
  168. {
  169. psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
  170. operation->alg = alg;
  171. #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
  172. if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
  173. {
  174. mbedtls_cipher_init( &operation->ctx.cmac );
  175. status = PSA_SUCCESS;
  176. }
  177. else
  178. #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
  179. #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
  180. if( PSA_ALG_IS_HMAC( operation->alg ) )
  181. {
  182. /* We'll set up the hash operation later in psa_hmac_setup_internal. */
  183. operation->ctx.hmac.alg = 0;
  184. status = PSA_SUCCESS;
  185. }
  186. else
  187. #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
  188. {
  189. (void) operation;
  190. status = PSA_ERROR_NOT_SUPPORTED;
  191. }
  192. if( status != PSA_SUCCESS )
  193. memset( operation, 0, sizeof( *operation ) );
  194. return( status );
  195. }
  196. psa_status_t mbedtls_psa_mac_abort( mbedtls_psa_mac_operation_t *operation )
  197. {
  198. if( operation->alg == 0 )
  199. {
  200. /* The object has (apparently) been initialized but it is not
  201. * in use. It's ok to call abort on such an object, and there's
  202. * nothing to do. */
  203. return( PSA_SUCCESS );
  204. }
  205. else
  206. #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
  207. if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
  208. {
  209. mbedtls_cipher_free( &operation->ctx.cmac );
  210. }
  211. else
  212. #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
  213. #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
  214. if( PSA_ALG_IS_HMAC( operation->alg ) )
  215. {
  216. psa_hmac_abort_internal( &operation->ctx.hmac );
  217. }
  218. else
  219. #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
  220. {
  221. /* Sanity check (shouldn't happen: operation->alg should
  222. * always have been initialized to a valid value). */
  223. goto bad_state;
  224. }
  225. operation->alg = 0;
  226. return( PSA_SUCCESS );
  227. bad_state:
  228. /* If abort is called on an uninitialized object, we can't trust
  229. * anything. Wipe the object in case it contains confidential data.
  230. * This may result in a memory leak if a pointer gets overwritten,
  231. * but it's too late to do anything about this. */
  232. memset( operation, 0, sizeof( *operation ) );
  233. return( PSA_ERROR_BAD_STATE );
  234. }
  235. static psa_status_t psa_mac_setup( mbedtls_psa_mac_operation_t *operation,
  236. const psa_key_attributes_t *attributes,
  237. const uint8_t *key_buffer,
  238. size_t key_buffer_size,
  239. psa_algorithm_t alg )
  240. {
  241. psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
  242. /* A context must be freshly initialized before it can be set up. */
  243. if( operation->alg != 0 )
  244. return( PSA_ERROR_BAD_STATE );
  245. status = mac_init( operation, alg );
  246. if( status != PSA_SUCCESS )
  247. return( status );
  248. #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
  249. if( PSA_ALG_FULL_LENGTH_MAC( alg ) == PSA_ALG_CMAC )
  250. {
  251. /* Key buffer size for CMAC is dictated by the key bits set on the
  252. * attributes, and previously validated by the core on key import. */
  253. (void) key_buffer_size;
  254. status = cmac_setup( operation, attributes, key_buffer );
  255. }
  256. else
  257. #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
  258. #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
  259. if( PSA_ALG_IS_HMAC( alg ) )
  260. {
  261. status = psa_hmac_setup_internal( &operation->ctx.hmac,
  262. key_buffer,
  263. key_buffer_size,
  264. PSA_ALG_HMAC_GET_HASH( alg ) );
  265. }
  266. else
  267. #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
  268. {
  269. (void) attributes;
  270. (void) key_buffer;
  271. (void) key_buffer_size;
  272. status = PSA_ERROR_NOT_SUPPORTED;
  273. }
  274. if( status != PSA_SUCCESS )
  275. mbedtls_psa_mac_abort( operation );
  276. return( status );
  277. }
  278. psa_status_t mbedtls_psa_mac_sign_setup(
  279. mbedtls_psa_mac_operation_t *operation,
  280. const psa_key_attributes_t *attributes,
  281. const uint8_t *key_buffer,
  282. size_t key_buffer_size,
  283. psa_algorithm_t alg )
  284. {
  285. return( psa_mac_setup( operation, attributes,
  286. key_buffer, key_buffer_size, alg ) );
  287. }
  288. psa_status_t mbedtls_psa_mac_verify_setup(
  289. mbedtls_psa_mac_operation_t *operation,
  290. const psa_key_attributes_t *attributes,
  291. const uint8_t *key_buffer,
  292. size_t key_buffer_size,
  293. psa_algorithm_t alg )
  294. {
  295. return( psa_mac_setup( operation, attributes,
  296. key_buffer, key_buffer_size, alg ) );
  297. }
  298. psa_status_t mbedtls_psa_mac_update(
  299. mbedtls_psa_mac_operation_t *operation,
  300. const uint8_t *input,
  301. size_t input_length )
  302. {
  303. if( operation->alg == 0 )
  304. return( PSA_ERROR_BAD_STATE );
  305. #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
  306. if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
  307. {
  308. return( mbedtls_to_psa_error(
  309. mbedtls_cipher_cmac_update( &operation->ctx.cmac,
  310. input, input_length ) ) );
  311. }
  312. else
  313. #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
  314. #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
  315. if( PSA_ALG_IS_HMAC( operation->alg ) )
  316. {
  317. return( psa_hmac_update_internal( &operation->ctx.hmac,
  318. input, input_length ) );
  319. }
  320. else
  321. #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
  322. {
  323. /* This shouldn't happen if `operation` was initialized by
  324. * a setup function. */
  325. (void) input;
  326. (void) input_length;
  327. return( PSA_ERROR_BAD_STATE );
  328. }
  329. }
  330. static psa_status_t psa_mac_finish_internal(
  331. mbedtls_psa_mac_operation_t *operation,
  332. uint8_t *mac, size_t mac_size )
  333. {
  334. #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
  335. if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
  336. {
  337. uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE];
  338. int ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, tmp );
  339. if( ret == 0 )
  340. memcpy( mac, tmp, mac_size );
  341. mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
  342. return( mbedtls_to_psa_error( ret ) );
  343. }
  344. else
  345. #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
  346. #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
  347. if( PSA_ALG_IS_HMAC( operation->alg ) )
  348. {
  349. return( psa_hmac_finish_internal( &operation->ctx.hmac,
  350. mac, mac_size ) );
  351. }
  352. else
  353. #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
  354. {
  355. /* This shouldn't happen if `operation` was initialized by
  356. * a setup function. */
  357. (void) operation;
  358. (void) mac;
  359. (void) mac_size;
  360. return( PSA_ERROR_BAD_STATE );
  361. }
  362. }
  363. psa_status_t mbedtls_psa_mac_sign_finish(
  364. mbedtls_psa_mac_operation_t *operation,
  365. uint8_t *mac,
  366. size_t mac_size,
  367. size_t *mac_length )
  368. {
  369. psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
  370. if( operation->alg == 0 )
  371. return( PSA_ERROR_BAD_STATE );
  372. status = psa_mac_finish_internal( operation, mac, mac_size );
  373. if( status == PSA_SUCCESS )
  374. *mac_length = mac_size;
  375. return( status );
  376. }
  377. psa_status_t mbedtls_psa_mac_verify_finish(
  378. mbedtls_psa_mac_operation_t *operation,
  379. const uint8_t *mac,
  380. size_t mac_length )
  381. {
  382. uint8_t actual_mac[PSA_MAC_MAX_SIZE];
  383. psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
  384. if( operation->alg == 0 )
  385. return( PSA_ERROR_BAD_STATE );
  386. /* Consistency check: requested MAC length fits our local buffer */
  387. if( mac_length > sizeof( actual_mac ) )
  388. return( PSA_ERROR_INVALID_ARGUMENT );
  389. status = psa_mac_finish_internal( operation, actual_mac, mac_length );
  390. if( status != PSA_SUCCESS )
  391. goto cleanup;
  392. if( mbedtls_psa_safer_memcmp( mac, actual_mac, mac_length ) != 0 )
  393. status = PSA_ERROR_INVALID_SIGNATURE;
  394. cleanup:
  395. mbedtls_platform_zeroize( actual_mac, sizeof( actual_mac ) );
  396. return( status );
  397. }
  398. psa_status_t mbedtls_psa_mac_compute(
  399. const psa_key_attributes_t *attributes,
  400. const uint8_t *key_buffer,
  401. size_t key_buffer_size,
  402. psa_algorithm_t alg,
  403. const uint8_t *input,
  404. size_t input_length,
  405. uint8_t *mac,
  406. size_t mac_size,
  407. size_t *mac_length )
  408. {
  409. psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
  410. mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT;
  411. status = psa_mac_setup( &operation,
  412. attributes, key_buffer, key_buffer_size,
  413. alg );
  414. if( status != PSA_SUCCESS )
  415. goto exit;
  416. if( input_length > 0 )
  417. {
  418. status = mbedtls_psa_mac_update( &operation, input, input_length );
  419. if( status != PSA_SUCCESS )
  420. goto exit;
  421. }
  422. status = psa_mac_finish_internal( &operation, mac, mac_size );
  423. if( status == PSA_SUCCESS )
  424. *mac_length = mac_size;
  425. exit:
  426. mbedtls_psa_mac_abort( &operation );
  427. return( status );
  428. }
  429. #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_CMAC */
  430. #endif /* MBEDTLS_PSA_CRYPTO_C */