blob: d64a9dd9e3ead4251c25951066b89e2464cdc929 [file] [log] [blame]
Gilles Peskinee59236f2018-01-27 23:32:46 +01001/*
2 * PSA crypto layer on top of Mbed TLS crypto
3 */
Bence Szépkúti86974652020-06-15 11:59:37 +02004/*
5 * Copyright (C) 2018, ARM Limited, All Rights Reserved
Gilles Peskinee59236f2018-01-27 23:32:46 +01006 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 *
20 * This file is part of mbed TLS (https://tls.mbed.org)
21 */
22
Gilles Peskinedb09ef62020-06-03 01:43:33 +020023#include "common.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +010024
25#if defined(MBEDTLS_PSA_CRYPTO_C)
mohammad160327010052018-07-03 13:16:15 +030026
itayzafrir7723ab12019-02-14 10:28:02 +020027#include "psa_crypto_service_integration.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +010028#include "psa/crypto.h"
29
Gilles Peskine039b90c2018-12-07 18:24:41 +010030#include "psa_crypto_core.h"
Gilles Peskine5e769522018-11-20 21:59:56 +010031#include "psa_crypto_invasive.h"
Gilles Peskinea8ade162019-06-26 11:24:49 +020032#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Gilles Peskined0890212019-06-24 14:34:43 +020033#include "psa_crypto_se.h"
Gilles Peskinea8ade162019-06-26 11:24:49 +020034#endif
Gilles Peskine961849f2018-11-30 18:54:54 +010035#include "psa_crypto_slot_management.h"
Darryl Greend49a4992018-06-18 17:27:26 +010036/* Include internal declarations that are useful for implementing persistently
37 * stored keys. */
38#include "psa_crypto_storage.h"
39
Gilles Peskineb46bef22019-07-30 21:32:04 +020040#include <assert.h>
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +010041#include <stdlib.h>
42#include <string.h>
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +010043#include "mbedtls/platform.h"
Gilles Peskineff2d2002019-05-06 15:26:23 +020044#if !defined(MBEDTLS_PLATFORM_C)
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +010045#define mbedtls_calloc calloc
46#define mbedtls_free free
47#endif
48
Gilles Peskinea5905292018-02-07 20:59:33 +010049#include "mbedtls/arc4.h"
Gilles Peskine9a944802018-06-21 09:35:35 +020050#include "mbedtls/asn1.h"
Jaeden Amero25384a22019-01-10 10:23:21 +000051#include "mbedtls/asn1write.h"
Gilles Peskinea81d85b2018-06-26 16:10:23 +020052#include "mbedtls/bignum.h"
Gilles Peskinea5905292018-02-07 20:59:33 +010053#include "mbedtls/blowfish.h"
54#include "mbedtls/camellia.h"
Gilles Peskine26869f22019-05-06 15:25:00 +020055#include "mbedtls/chacha20.h"
56#include "mbedtls/chachapoly.h"
Gilles Peskinea5905292018-02-07 20:59:33 +010057#include "mbedtls/cipher.h"
58#include "mbedtls/ccm.h"
59#include "mbedtls/cmac.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +010060#include "mbedtls/ctr_drbg.h"
Gilles Peskinea5905292018-02-07 20:59:33 +010061#include "mbedtls/des.h"
Gilles Peskineb7ecdf02018-09-18 12:11:27 +020062#include "mbedtls/ecdh.h"
Gilles Peskine969ac722018-01-28 18:16:59 +010063#include "mbedtls/ecp.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +010064#include "mbedtls/entropy.h"
Gilles Peskinea5905292018-02-07 20:59:33 +010065#include "mbedtls/error.h"
66#include "mbedtls/gcm.h"
67#include "mbedtls/md2.h"
68#include "mbedtls/md4.h"
69#include "mbedtls/md5.h"
Gilles Peskine20035e32018-02-03 22:44:14 +010070#include "mbedtls/md.h"
71#include "mbedtls/md_internal.h"
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +010072#include "mbedtls/pk.h"
Gilles Peskine969ac722018-01-28 18:16:59 +010073#include "mbedtls/pk_internal.h"
Gilles Peskine3f108122018-12-07 18:14:53 +010074#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +000075#include "mbedtls/error.h"
Gilles Peskinea5905292018-02-07 20:59:33 +010076#include "mbedtls/ripemd160.h"
Gilles Peskine969ac722018-01-28 18:16:59 +010077#include "mbedtls/rsa.h"
Gilles Peskinea5905292018-02-07 20:59:33 +010078#include "mbedtls/sha1.h"
79#include "mbedtls/sha256.h"
80#include "mbedtls/sha512.h"
81#include "mbedtls/xtea.h"
82
Gilles Peskine996deb12018-08-01 15:45:45 +020083#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
84
Gilles Peskine9ef733f2018-02-07 21:05:37 +010085/* constant-time buffer comparison */
86static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n )
87{
88 size_t i;
89 unsigned char diff = 0;
90
91 for( i = 0; i < n; i++ )
92 diff |= a[i] ^ b[i];
93
94 return( diff );
95}
96
97
98
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +010099/****************************************************************/
100/* Global data, support functions and library management */
101/****************************************************************/
102
Gilles Peskine48c0ea12018-06-21 14:15:31 +0200103static int key_type_is_raw_bytes( psa_key_type_t type )
104{
Gilles Peskine78b3bb62018-08-10 16:03:41 +0200105 return( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) );
Gilles Peskine48c0ea12018-06-21 14:15:31 +0200106}
107
Gilles Peskine5a3c50e2018-12-04 12:27:09 +0100108/* Values for psa_global_data_t::rng_state */
109#define RNG_NOT_INITIALIZED 0
110#define RNG_INITIALIZED 1
111#define RNG_SEEDED 2
Gilles Peskinec6b69072018-11-20 21:42:52 +0100112
Gilles Peskine2d277862018-06-18 15:41:12 +0200113typedef struct
114{
Gilles Peskine5e769522018-11-20 21:59:56 +0100115 void (* entropy_init )( mbedtls_entropy_context *ctx );
116 void (* entropy_free )( mbedtls_entropy_context *ctx );
Gilles Peskinee59236f2018-01-27 23:32:46 +0100117 mbedtls_entropy_context entropy;
118 mbedtls_ctr_drbg_context ctr_drbg;
Gilles Peskinec6b69072018-11-20 21:42:52 +0100119 unsigned initialized : 1;
Gilles Peskine5a3c50e2018-12-04 12:27:09 +0100120 unsigned rng_state : 2;
Gilles Peskinee59236f2018-01-27 23:32:46 +0100121} psa_global_data_t;
122
123static psa_global_data_t global_data;
124
itayzafrir0adf0fc2018-09-06 16:24:41 +0300125#define GUARD_MODULE_INITIALIZED \
126 if( global_data.initialized == 0 ) \
127 return( PSA_ERROR_BAD_STATE );
128
Gilles Peskinee59236f2018-01-27 23:32:46 +0100129static psa_status_t mbedtls_to_psa_error( int ret )
130{
Gilles Peskinea5905292018-02-07 20:59:33 +0100131 /* If there's both a high-level code and low-level code, dispatch on
132 * the high-level code. */
133 switch( ret < -0x7f ? - ( -ret & 0x7f80 ) : ret )
Gilles Peskinee59236f2018-01-27 23:32:46 +0100134 {
135 case 0:
136 return( PSA_SUCCESS );
Gilles Peskinea5905292018-02-07 20:59:33 +0100137
138 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
139 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
140 case MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE:
141 return( PSA_ERROR_NOT_SUPPORTED );
142 case MBEDTLS_ERR_AES_HW_ACCEL_FAILED:
143 return( PSA_ERROR_HARDWARE_FAILURE );
144
145 case MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED:
146 return( PSA_ERROR_HARDWARE_FAILURE );
147
Gilles Peskine9a944802018-06-21 09:35:35 +0200148 case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
149 case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
150 case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
151 case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH:
152 case MBEDTLS_ERR_ASN1_INVALID_DATA:
153 return( PSA_ERROR_INVALID_ARGUMENT );
154 case MBEDTLS_ERR_ASN1_ALLOC_FAILED:
155 return( PSA_ERROR_INSUFFICIENT_MEMORY );
156 case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
157 return( PSA_ERROR_BUFFER_TOO_SMALL );
158
Jaeden Amero93e21112019-02-20 13:57:28 +0000159#if defined(MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA)
Jaeden Amero892cd6d2019-02-11 12:21:12 +0000160 case MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA:
Jaeden Amero93e21112019-02-20 13:57:28 +0000161#elif defined(MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH)
162 case MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH:
163#endif
Gilles Peskinea5905292018-02-07 20:59:33 +0100164 case MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH:
165 return( PSA_ERROR_NOT_SUPPORTED );
166 case MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED:
167 return( PSA_ERROR_HARDWARE_FAILURE );
168
Jaeden Amero93e21112019-02-20 13:57:28 +0000169#if defined(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA)
Jaeden Amero892cd6d2019-02-11 12:21:12 +0000170 case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
Jaeden Amero93e21112019-02-20 13:57:28 +0000171#elif defined(MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH)
172 case MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH:
173#endif
Gilles Peskinea5905292018-02-07 20:59:33 +0100174 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
175 return( PSA_ERROR_NOT_SUPPORTED );
176 case MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED:
177 return( PSA_ERROR_HARDWARE_FAILURE );
178
179 case MBEDTLS_ERR_CCM_BAD_INPUT:
180 return( PSA_ERROR_INVALID_ARGUMENT );
181 case MBEDTLS_ERR_CCM_AUTH_FAILED:
182 return( PSA_ERROR_INVALID_SIGNATURE );
183 case MBEDTLS_ERR_CCM_HW_ACCEL_FAILED:
184 return( PSA_ERROR_HARDWARE_FAILURE );
185
Gilles Peskine26869f22019-05-06 15:25:00 +0200186 case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
187 return( PSA_ERROR_INVALID_ARGUMENT );
188
189 case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
190 return( PSA_ERROR_BAD_STATE );
191 case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
192 return( PSA_ERROR_INVALID_SIGNATURE );
193
Gilles Peskinea5905292018-02-07 20:59:33 +0100194 case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
195 return( PSA_ERROR_NOT_SUPPORTED );
196 case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
197 return( PSA_ERROR_INVALID_ARGUMENT );
198 case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
199 return( PSA_ERROR_INSUFFICIENT_MEMORY );
200 case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
201 return( PSA_ERROR_INVALID_PADDING );
202 case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
203 return( PSA_ERROR_BAD_STATE );
204 case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
205 return( PSA_ERROR_INVALID_SIGNATURE );
206 case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
Gilles Peskine4b3eb692019-05-16 21:35:18 +0200207 return( PSA_ERROR_CORRUPTION_DETECTED );
Gilles Peskinea5905292018-02-07 20:59:33 +0100208 case MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED:
209 return( PSA_ERROR_HARDWARE_FAILURE );
210
211 case MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED:
212 return( PSA_ERROR_HARDWARE_FAILURE );
213
214 case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
215 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
216 case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
217 case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
218 return( PSA_ERROR_NOT_SUPPORTED );
219 case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
220 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
221
222 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
223 return( PSA_ERROR_NOT_SUPPORTED );
224 case MBEDTLS_ERR_DES_HW_ACCEL_FAILED:
225 return( PSA_ERROR_HARDWARE_FAILURE );
226
Gilles Peskinee59236f2018-01-27 23:32:46 +0100227 case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
228 case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
229 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
230 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
Gilles Peskinea5905292018-02-07 20:59:33 +0100231
232 case MBEDTLS_ERR_GCM_AUTH_FAILED:
233 return( PSA_ERROR_INVALID_SIGNATURE );
234 case MBEDTLS_ERR_GCM_BAD_INPUT:
Gilles Peskine8cac2e62018-08-21 15:07:38 +0200235 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskinea5905292018-02-07 20:59:33 +0100236 case MBEDTLS_ERR_GCM_HW_ACCEL_FAILED:
237 return( PSA_ERROR_HARDWARE_FAILURE );
238
239 case MBEDTLS_ERR_MD2_HW_ACCEL_FAILED:
240 case MBEDTLS_ERR_MD4_HW_ACCEL_FAILED:
241 case MBEDTLS_ERR_MD5_HW_ACCEL_FAILED:
242 return( PSA_ERROR_HARDWARE_FAILURE );
243
244 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
245 return( PSA_ERROR_NOT_SUPPORTED );
246 case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
247 return( PSA_ERROR_INVALID_ARGUMENT );
248 case MBEDTLS_ERR_MD_ALLOC_FAILED:
249 return( PSA_ERROR_INSUFFICIENT_MEMORY );
250 case MBEDTLS_ERR_MD_FILE_IO_ERROR:
251 return( PSA_ERROR_STORAGE_FAILURE );
252 case MBEDTLS_ERR_MD_HW_ACCEL_FAILED:
253 return( PSA_ERROR_HARDWARE_FAILURE );
254
Gilles Peskinef76aa772018-10-29 19:24:33 +0100255 case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
256 return( PSA_ERROR_STORAGE_FAILURE );
257 case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
258 return( PSA_ERROR_INVALID_ARGUMENT );
259 case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
260 return( PSA_ERROR_INVALID_ARGUMENT );
261 case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
262 return( PSA_ERROR_BUFFER_TOO_SMALL );
263 case MBEDTLS_ERR_MPI_NEGATIVE_VALUE:
264 return( PSA_ERROR_INVALID_ARGUMENT );
265 case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO:
266 return( PSA_ERROR_INVALID_ARGUMENT );
267 case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
268 return( PSA_ERROR_INVALID_ARGUMENT );
269 case MBEDTLS_ERR_MPI_ALLOC_FAILED:
270 return( PSA_ERROR_INSUFFICIENT_MEMORY );
271
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100272 case MBEDTLS_ERR_PK_ALLOC_FAILED:
273 return( PSA_ERROR_INSUFFICIENT_MEMORY );
274 case MBEDTLS_ERR_PK_TYPE_MISMATCH:
275 case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
276 return( PSA_ERROR_INVALID_ARGUMENT );
277 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
Gilles Peskinea5905292018-02-07 20:59:33 +0100278 return( PSA_ERROR_STORAGE_FAILURE );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100279 case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
280 case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
281 return( PSA_ERROR_INVALID_ARGUMENT );
282 case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
283 return( PSA_ERROR_NOT_SUPPORTED );
284 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
285 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
286 return( PSA_ERROR_NOT_PERMITTED );
287 case MBEDTLS_ERR_PK_INVALID_PUBKEY:
288 return( PSA_ERROR_INVALID_ARGUMENT );
289 case MBEDTLS_ERR_PK_INVALID_ALG:
290 case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
291 case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
292 return( PSA_ERROR_NOT_SUPPORTED );
293 case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
294 return( PSA_ERROR_INVALID_SIGNATURE );
Gilles Peskinea5905292018-02-07 20:59:33 +0100295 case MBEDTLS_ERR_PK_HW_ACCEL_FAILED:
296 return( PSA_ERROR_HARDWARE_FAILURE );
297
Gilles Peskineff2d2002019-05-06 15:26:23 +0200298 case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED:
299 return( PSA_ERROR_HARDWARE_FAILURE );
300 case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
301 return( PSA_ERROR_NOT_SUPPORTED );
302
Gilles Peskinea5905292018-02-07 20:59:33 +0100303 case MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED:
304 return( PSA_ERROR_HARDWARE_FAILURE );
305
306 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
307 return( PSA_ERROR_INVALID_ARGUMENT );
308 case MBEDTLS_ERR_RSA_INVALID_PADDING:
309 return( PSA_ERROR_INVALID_PADDING );
310 case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
311 return( PSA_ERROR_HARDWARE_FAILURE );
312 case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
313 return( PSA_ERROR_INVALID_ARGUMENT );
314 case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
315 case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
Gilles Peskine4b3eb692019-05-16 21:35:18 +0200316 return( PSA_ERROR_CORRUPTION_DETECTED );
Gilles Peskinea5905292018-02-07 20:59:33 +0100317 case MBEDTLS_ERR_RSA_VERIFY_FAILED:
318 return( PSA_ERROR_INVALID_SIGNATURE );
319 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
320 return( PSA_ERROR_BUFFER_TOO_SMALL );
321 case MBEDTLS_ERR_RSA_RNG_FAILED:
322 return( PSA_ERROR_INSUFFICIENT_MEMORY );
323 case MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:
324 return( PSA_ERROR_NOT_SUPPORTED );
325 case MBEDTLS_ERR_RSA_HW_ACCEL_FAILED:
326 return( PSA_ERROR_HARDWARE_FAILURE );
327
328 case MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED:
329 case MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED:
330 case MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED:
331 return( PSA_ERROR_HARDWARE_FAILURE );
332
333 case MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH:
334 return( PSA_ERROR_INVALID_ARGUMENT );
335 case MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED:
336 return( PSA_ERROR_HARDWARE_FAILURE );
337
itayzafrir5c753392018-05-08 11:18:38 +0300338 case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
itayzafrir7b30f8b2018-05-09 16:07:36 +0300339 case MBEDTLS_ERR_ECP_INVALID_KEY:
itayzafrir5c753392018-05-08 11:18:38 +0300340 return( PSA_ERROR_INVALID_ARGUMENT );
itayzafrir7b30f8b2018-05-09 16:07:36 +0300341 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
342 return( PSA_ERROR_BUFFER_TOO_SMALL );
343 case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
344 return( PSA_ERROR_NOT_SUPPORTED );
345 case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
346 case MBEDTLS_ERR_ECP_VERIFY_FAILED:
347 return( PSA_ERROR_INVALID_SIGNATURE );
348 case MBEDTLS_ERR_ECP_ALLOC_FAILED:
349 return( PSA_ERROR_INSUFFICIENT_MEMORY );
350 case MBEDTLS_ERR_ECP_HW_ACCEL_FAILED:
351 return( PSA_ERROR_HARDWARE_FAILURE );
Janos Follatha13b9052019-11-22 12:48:59 +0000352 case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
353 return( PSA_ERROR_CORRUPTION_DETECTED );
itayzafrir5c753392018-05-08 11:18:38 +0300354
Gilles Peskinee59236f2018-01-27 23:32:46 +0100355 default:
David Saadab4ecc272019-02-14 13:48:10 +0200356 return( PSA_ERROR_GENERIC_ERROR );
Gilles Peskinee59236f2018-01-27 23:32:46 +0100357 }
358}
359
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200360
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +0200361
362
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100363/****************************************************************/
364/* Key management */
365/****************************************************************/
366
Gilles Peskine73167e12019-07-12 23:44:37 +0200367#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
368static inline int psa_key_slot_is_external( const psa_key_slot_t *slot )
369{
Gilles Peskine8e338702019-07-30 20:06:31 +0200370 return( psa_key_lifetime_is_external( slot->attr.lifetime ) );
Gilles Peskine73167e12019-07-12 23:44:37 +0200371}
372#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
373
Darryl Green8f8aa8f2018-07-24 15:44:51 +0100374#if defined(MBEDTLS_ECP_C)
Gilles Peskine5055b232019-12-12 17:49:31 +0100375mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_curve_t curve,
376 size_t byte_length )
Gilles Peskine12313cd2018-06-20 00:20:32 +0200377{
378 switch( curve )
379 {
Gilles Peskine228abc52019-12-03 17:24:19 +0100380 case PSA_ECC_CURVE_SECP_R1:
381 switch( byte_length )
382 {
383 case PSA_BITS_TO_BYTES( 192 ):
384 return( MBEDTLS_ECP_DP_SECP192R1 );
385 case PSA_BITS_TO_BYTES( 224 ):
386 return( MBEDTLS_ECP_DP_SECP224R1 );
387 case PSA_BITS_TO_BYTES( 256 ):
388 return( MBEDTLS_ECP_DP_SECP256R1 );
389 case PSA_BITS_TO_BYTES( 384 ):
390 return( MBEDTLS_ECP_DP_SECP384R1 );
391 case PSA_BITS_TO_BYTES( 521 ):
392 return( MBEDTLS_ECP_DP_SECP521R1 );
393 default:
394 return( MBEDTLS_ECP_DP_NONE );
395 }
396 break;
Gilles Peskine228abc52019-12-03 17:24:19 +0100397
398 case PSA_ECC_CURVE_BRAINPOOL_P_R1:
399 switch( byte_length )
400 {
401 case PSA_BITS_TO_BYTES( 256 ):
402 return( MBEDTLS_ECP_DP_BP256R1 );
403 case PSA_BITS_TO_BYTES( 384 ):
404 return( MBEDTLS_ECP_DP_BP384R1 );
405 case PSA_BITS_TO_BYTES( 512 ):
406 return( MBEDTLS_ECP_DP_BP512R1 );
407 default:
408 return( MBEDTLS_ECP_DP_NONE );
409 }
410 break;
Gilles Peskine228abc52019-12-03 17:24:19 +0100411
412 case PSA_ECC_CURVE_MONTGOMERY:
413 switch( byte_length )
414 {
415 case PSA_BITS_TO_BYTES( 255 ):
416 return( MBEDTLS_ECP_DP_CURVE25519 );
417 case PSA_BITS_TO_BYTES( 448 ):
418 return( MBEDTLS_ECP_DP_CURVE448 );
419 default:
420 return( MBEDTLS_ECP_DP_NONE );
421 }
422 break;
Gilles Peskine228abc52019-12-03 17:24:19 +0100423
424 case PSA_ECC_CURVE_SECP_K1:
425 switch( byte_length )
426 {
427 case PSA_BITS_TO_BYTES( 192 ):
428 return( MBEDTLS_ECP_DP_SECP192K1 );
429 case PSA_BITS_TO_BYTES( 224 ):
430 return( MBEDTLS_ECP_DP_SECP224K1 );
431 case PSA_BITS_TO_BYTES( 256 ):
432 return( MBEDTLS_ECP_DP_SECP256K1 );
433 default:
434 return( MBEDTLS_ECP_DP_NONE );
435 }
436 break;
Gilles Peskine228abc52019-12-03 17:24:19 +0100437
Gilles Peskine12313cd2018-06-20 00:20:32 +0200438 default:
439 return( MBEDTLS_ECP_DP_NONE );
440 }
441}
Darryl Green8f8aa8f2018-07-24 15:44:51 +0100442#endif /* defined(MBEDTLS_ECP_C) */
Gilles Peskine12313cd2018-06-20 00:20:32 +0200443
Gilles Peskine0ff4b0f2018-06-19 21:31:50 +0200444static psa_status_t prepare_raw_data_slot( psa_key_type_t type,
445 size_t bits,
446 struct raw_data *raw )
447{
448 /* Check that the bit size is acceptable for the key type */
449 switch( type )
450 {
451 case PSA_KEY_TYPE_RAW_DATA:
452#if defined(MBEDTLS_MD_C)
453 case PSA_KEY_TYPE_HMAC:
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200454#endif
Gilles Peskineea0fb492018-07-12 17:17:20 +0200455 case PSA_KEY_TYPE_DERIVE:
456 break;
Gilles Peskine0ff4b0f2018-06-19 21:31:50 +0200457#if defined(MBEDTLS_AES_C)
458 case PSA_KEY_TYPE_AES:
459 if( bits != 128 && bits != 192 && bits != 256 )
460 return( PSA_ERROR_INVALID_ARGUMENT );
461 break;
462#endif
463#if defined(MBEDTLS_CAMELLIA_C)
464 case PSA_KEY_TYPE_CAMELLIA:
465 if( bits != 128 && bits != 192 && bits != 256 )
466 return( PSA_ERROR_INVALID_ARGUMENT );
467 break;
468#endif
469#if defined(MBEDTLS_DES_C)
470 case PSA_KEY_TYPE_DES:
471 if( bits != 64 && bits != 128 && bits != 192 )
472 return( PSA_ERROR_INVALID_ARGUMENT );
473 break;
474#endif
475#if defined(MBEDTLS_ARC4_C)
476 case PSA_KEY_TYPE_ARC4:
477 if( bits < 8 || bits > 2048 )
478 return( PSA_ERROR_INVALID_ARGUMENT );
479 break;
480#endif
Gilles Peskine26869f22019-05-06 15:25:00 +0200481#if defined(MBEDTLS_CHACHA20_C)
482 case PSA_KEY_TYPE_CHACHA20:
483 if( bits != 256 )
484 return( PSA_ERROR_INVALID_ARGUMENT );
485 break;
486#endif
Gilles Peskine0ff4b0f2018-06-19 21:31:50 +0200487 default:
488 return( PSA_ERROR_NOT_SUPPORTED );
489 }
Gilles Peskineb54979a2018-06-21 09:32:47 +0200490 if( bits % 8 != 0 )
491 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine0ff4b0f2018-06-19 21:31:50 +0200492
493 /* Allocate memory for the key */
494 raw->bytes = PSA_BITS_TO_BYTES( bits );
495 raw->data = mbedtls_calloc( 1, raw->bytes );
496 if( raw->data == NULL )
497 {
498 raw->bytes = 0;
499 return( PSA_ERROR_INSUFFICIENT_MEMORY );
500 }
501 return( PSA_SUCCESS );
502}
503
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200504#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C)
Gilles Peskine86a440b2018-11-12 18:39:40 +0100505/* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
506 * that are not a multiple of 8) well. For example, there is only
507 * mbedtls_rsa_get_len(), which returns a number of bytes, and no
508 * way to return the exact bit size of a key.
509 * To keep things simple, reject non-byte-aligned key sizes. */
510static psa_status_t psa_check_rsa_key_byte_aligned(
511 const mbedtls_rsa_context *rsa )
512{
513 mbedtls_mpi n;
514 psa_status_t status;
515 mbedtls_mpi_init( &n );
516 status = mbedtls_to_psa_error(
517 mbedtls_rsa_export( rsa, &n, NULL, NULL, NULL, NULL ) );
518 if( status == PSA_SUCCESS )
519 {
520 if( mbedtls_mpi_bitlen( &n ) % 8 != 0 )
521 status = PSA_ERROR_NOT_SUPPORTED;
522 }
523 mbedtls_mpi_free( &n );
524 return( status );
525}
526
Jaeden Amerocd09d8c2019-01-11 17:53:05 +0000527static psa_status_t psa_import_rsa_key( psa_key_type_t type,
528 const uint8_t *data,
529 size_t data_length,
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200530 mbedtls_rsa_context **p_rsa )
531{
Jaeden Amerocd09d8c2019-01-11 17:53:05 +0000532 psa_status_t status;
533 mbedtls_pk_context pk;
534 mbedtls_rsa_context *rsa;
535 size_t bits;
536
537 mbedtls_pk_init( &pk );
538
539 /* Parse the data. */
Gilles Peskinec93b80c2019-05-16 19:39:54 +0200540 if( PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
Jaeden Amerocd09d8c2019-01-11 17:53:05 +0000541 status = mbedtls_to_psa_error(
542 mbedtls_pk_parse_key( &pk, data, data_length, NULL, 0 ) );
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200543 else
Jaeden Amerocd09d8c2019-01-11 17:53:05 +0000544 status = mbedtls_to_psa_error(
545 mbedtls_pk_parse_public_key( &pk, data, data_length ) );
546 if( status != PSA_SUCCESS )
547 goto exit;
548
549 /* We have something that the pkparse module recognizes. If it is a
550 * valid RSA key, store it. */
551 if( mbedtls_pk_get_type( &pk ) != MBEDTLS_PK_RSA )
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200552 {
Jaeden Amerocd09d8c2019-01-11 17:53:05 +0000553 status = PSA_ERROR_INVALID_ARGUMENT;
554 goto exit;
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200555 }
Jaeden Amerocd09d8c2019-01-11 17:53:05 +0000556
557 rsa = mbedtls_pk_rsa( pk );
558 /* The size of an RSA key doesn't have to be a multiple of 8. Mbed TLS
559 * supports non-byte-aligned key sizes, but not well. For example,
560 * mbedtls_rsa_get_len() returns the key size in bytes, not in bits. */
561 bits = PSA_BYTES_TO_BITS( mbedtls_rsa_get_len( rsa ) );
562 if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS )
563 {
564 status = PSA_ERROR_NOT_SUPPORTED;
565 goto exit;
566 }
567 status = psa_check_rsa_key_byte_aligned( rsa );
568
569exit:
570 /* Free the content of the pk object only on error. */
571 if( status != PSA_SUCCESS )
572 {
573 mbedtls_pk_free( &pk );
574 return( status );
575 }
576
577 /* On success, store the content of the object in the RSA context. */
578 *p_rsa = rsa;
579
580 return( PSA_SUCCESS );
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200581}
582#endif /* defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C) */
583
Jaeden Ameroccdce902019-01-10 11:42:27 +0000584#if defined(MBEDTLS_ECP_C)
Gilles Peskine4cd32772019-12-02 20:49:42 +0100585static psa_status_t psa_prepare_import_ec_key( psa_ecc_curve_t curve,
Gilles Peskine4295e8b2019-12-02 21:39:10 +0100586 size_t data_length,
587 int is_public,
Gilles Peskine4cd32772019-12-02 20:49:42 +0100588 mbedtls_ecp_keypair **p_ecp )
589{
590 mbedtls_ecp_group_id grp_id = MBEDTLS_ECP_DP_NONE;
591 *p_ecp = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
592 if( *p_ecp == NULL )
593 return( PSA_ERROR_INSUFFICIENT_MEMORY );
594 mbedtls_ecp_keypair_init( *p_ecp );
595
Gilles Peskine4295e8b2019-12-02 21:39:10 +0100596 if( is_public )
597 {
598 /* A public key is represented as:
599 * - The byte 0x04;
600 * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
601 * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
602 * So its data length is 2m+1 where n is the key size in bits.
603 */
604 if( ( data_length & 1 ) == 0 )
605 return( PSA_ERROR_INVALID_ARGUMENT );
606 data_length = data_length / 2;
607 }
608
Gilles Peskine4cd32772019-12-02 20:49:42 +0100609 /* Load the group. */
Gilles Peskine4295e8b2019-12-02 21:39:10 +0100610 grp_id = mbedtls_ecc_group_of_psa( curve, data_length );
611 if( grp_id == MBEDTLS_ECP_DP_NONE )
612 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine4cd32772019-12-02 20:49:42 +0100613 return( mbedtls_to_psa_error(
614 mbedtls_ecp_group_load( &( *p_ecp )->grp, grp_id ) ) );
615}
Jaeden Ameroccdce902019-01-10 11:42:27 +0000616
617/* Import a public key given as the uncompressed representation defined by SEC1
618 * 2.3.3 as the content of an ECPoint. */
619static psa_status_t psa_import_ec_public_key( psa_ecc_curve_t curve,
620 const uint8_t *data,
621 size_t data_length,
622 mbedtls_ecp_keypair **p_ecp )
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200623{
Gilles Peskine4b3eb692019-05-16 21:35:18 +0200624 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Jaeden Ameroccdce902019-01-10 11:42:27 +0000625 mbedtls_ecp_keypair *ecp = NULL;
Jaeden Ameroccdce902019-01-10 11:42:27 +0000626
Gilles Peskine4295e8b2019-12-02 21:39:10 +0100627 status = psa_prepare_import_ec_key( curve, data_length, 1, &ecp );
Jaeden Ameroccdce902019-01-10 11:42:27 +0000628 if( status != PSA_SUCCESS )
629 goto exit;
Gilles Peskine4cd32772019-12-02 20:49:42 +0100630
Jaeden Ameroccdce902019-01-10 11:42:27 +0000631 /* Load the public value. */
632 status = mbedtls_to_psa_error(
633 mbedtls_ecp_point_read_binary( &ecp->grp, &ecp->Q,
634 data, data_length ) );
635 if( status != PSA_SUCCESS )
636 goto exit;
637
638 /* Check that the point is on the curve. */
639 status = mbedtls_to_psa_error(
640 mbedtls_ecp_check_pubkey( &ecp->grp, &ecp->Q ) );
641 if( status != PSA_SUCCESS )
642 goto exit;
643
644 *p_ecp = ecp;
645 return( PSA_SUCCESS );
646
647exit:
648 if( ecp != NULL )
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200649 {
Jaeden Ameroccdce902019-01-10 11:42:27 +0000650 mbedtls_ecp_keypair_free( ecp );
651 mbedtls_free( ecp );
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200652 }
Jaeden Ameroccdce902019-01-10 11:42:27 +0000653 return( status );
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200654}
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200655
Gilles Peskinef76aa772018-10-29 19:24:33 +0100656/* Import a private key given as a byte string which is the private value
657 * in big-endian order. */
658static psa_status_t psa_import_ec_private_key( psa_ecc_curve_t curve,
659 const uint8_t *data,
660 size_t data_length,
661 mbedtls_ecp_keypair **p_ecp )
662{
Gilles Peskine4b3eb692019-05-16 21:35:18 +0200663 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Gilles Peskinef76aa772018-10-29 19:24:33 +0100664 mbedtls_ecp_keypair *ecp = NULL;
Gilles Peskinef76aa772018-10-29 19:24:33 +0100665
Gilles Peskine4295e8b2019-12-02 21:39:10 +0100666 status = psa_prepare_import_ec_key( curve, data_length, 0, &ecp );
Gilles Peskinef76aa772018-10-29 19:24:33 +0100667 if( status != PSA_SUCCESS )
668 goto exit;
Gilles Peskine4cd32772019-12-02 20:49:42 +0100669
Gilles Peskinef76aa772018-10-29 19:24:33 +0100670 /* Load the secret value. */
671 status = mbedtls_to_psa_error(
672 mbedtls_mpi_read_binary( &ecp->d, data, data_length ) );
673 if( status != PSA_SUCCESS )
674 goto exit;
675 /* Validate the private key. */
676 status = mbedtls_to_psa_error(
677 mbedtls_ecp_check_privkey( &ecp->grp, &ecp->d ) );
678 if( status != PSA_SUCCESS )
679 goto exit;
680 /* Calculate the public key from the private key. */
681 status = mbedtls_to_psa_error(
682 mbedtls_ecp_mul( &ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
683 mbedtls_ctr_drbg_random, &global_data.ctr_drbg ) );
684 if( status != PSA_SUCCESS )
685 goto exit;
686
687 *p_ecp = ecp;
688 return( PSA_SUCCESS );
689
690exit:
691 if( ecp != NULL )
692 {
693 mbedtls_ecp_keypair_free( ecp );
694 mbedtls_free( ecp );
695 }
696 return( status );
697}
698#endif /* defined(MBEDTLS_ECP_C) */
699
Gilles Peskineb46bef22019-07-30 21:32:04 +0200700
701/** Return the size of the key in the given slot, in bits.
702 *
703 * \param[in] slot A key slot.
704 *
705 * \return The key size in bits, read from the metadata in the slot.
706 */
707static inline size_t psa_get_key_slot_bits( const psa_key_slot_t *slot )
708{
709 return( slot->attr.bits );
710}
711
712/** Calculate the size of the key in the given slot, in bits.
713 *
714 * \param[in] slot A key slot containing a transparent key.
715 *
716 * \return The key size in bits, calculated from the key data.
717 */
Gilles Peskine8908c5e2019-07-31 18:55:00 +0200718static psa_key_bits_t psa_calculate_key_bits( const psa_key_slot_t *slot )
Gilles Peskineb46bef22019-07-30 21:32:04 +0200719{
Gilles Peskine8908c5e2019-07-31 18:55:00 +0200720 size_t bits = 0; /* return 0 on an empty slot */
721
Gilles Peskineb46bef22019-07-30 21:32:04 +0200722 if( key_type_is_raw_bytes( slot->attr.type ) )
Gilles Peskine8908c5e2019-07-31 18:55:00 +0200723 bits = PSA_BYTES_TO_BITS( slot->data.raw.bytes );
Gilles Peskineb46bef22019-07-30 21:32:04 +0200724#if defined(MBEDTLS_RSA_C)
Gilles Peskine8908c5e2019-07-31 18:55:00 +0200725 else if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
726 bits = PSA_BYTES_TO_BITS( mbedtls_rsa_get_len( slot->data.rsa ) );
Gilles Peskineb46bef22019-07-30 21:32:04 +0200727#endif /* defined(MBEDTLS_RSA_C) */
728#if defined(MBEDTLS_ECP_C)
Gilles Peskine8908c5e2019-07-31 18:55:00 +0200729 else if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
730 bits = slot->data.ecp->grp.pbits;
Gilles Peskineb46bef22019-07-30 21:32:04 +0200731#endif /* defined(MBEDTLS_ECP_C) */
Gilles Peskine8908c5e2019-07-31 18:55:00 +0200732
733 /* We know that the size fits in psa_key_bits_t thanks to checks
734 * when the key was created. */
735 return( (psa_key_bits_t) bits );
Gilles Peskineb46bef22019-07-30 21:32:04 +0200736}
737
Gilles Peskine8e338702019-07-30 20:06:31 +0200738/** Import key data into a slot. `slot->attr.type` must have been set
Gilles Peskinef77ed1f2018-12-03 11:58:46 +0100739 * previously. This function assumes that the slot does not contain
740 * any key material yet. On failure, the slot content is unchanged. */
Gilles Peskinefa4135b2018-12-10 16:48:53 +0100741psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
742 const uint8_t *data,
743 size_t data_length )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100744{
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200745 psa_status_t status = PSA_SUCCESS;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100746
Gilles Peskine8e338702019-07-30 20:06:31 +0200747 if( key_type_is_raw_bytes( slot->attr.type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100748 {
Gilles Peskinec744d992019-07-30 17:26:54 +0200749 size_t bit_size = PSA_BYTES_TO_BITS( data_length );
Gilles Peskine1b9505c2019-08-07 10:59:45 +0200750 /* Ensure that the bytes-to-bit conversion didn't overflow. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100751 if( data_length > SIZE_MAX / 8 )
752 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine1b9505c2019-08-07 10:59:45 +0200753 /* Enforce a size limit, and in particular ensure that the bit
754 * size fits in its representation type. */
Gilles Peskinec744d992019-07-30 17:26:54 +0200755 if( bit_size > PSA_MAX_KEY_BITS )
756 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine8e338702019-07-30 20:06:31 +0200757 status = prepare_raw_data_slot( slot->attr.type, bit_size,
Gilles Peskine0ff4b0f2018-06-19 21:31:50 +0200758 &slot->data.raw );
759 if( status != PSA_SUCCESS )
760 return( status );
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200761 if( data_length != 0 )
762 memcpy( slot->data.raw.data, data, data_length );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100763 }
764 else
Gilles Peskinef76aa772018-10-29 19:24:33 +0100765#if defined(MBEDTLS_ECP_C)
Gilles Peskine8e338702019-07-30 20:06:31 +0200766 if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( slot->attr.type ) )
Gilles Peskinef76aa772018-10-29 19:24:33 +0100767 {
Gilles Peskine8e338702019-07-30 20:06:31 +0200768 status = psa_import_ec_private_key( PSA_KEY_TYPE_GET_CURVE( slot->attr.type ),
Gilles Peskinef76aa772018-10-29 19:24:33 +0100769 data, data_length,
770 &slot->data.ecp );
Gilles Peskinef76aa772018-10-29 19:24:33 +0100771 }
Gilles Peskine8e338702019-07-30 20:06:31 +0200772 else if( PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY( slot->attr.type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100773 {
Jaeden Ameroccdce902019-01-10 11:42:27 +0000774 status = psa_import_ec_public_key(
Gilles Peskine8e338702019-07-30 20:06:31 +0200775 PSA_KEY_TYPE_GET_CURVE( slot->attr.type ),
Jaeden Ameroccdce902019-01-10 11:42:27 +0000776 data, data_length,
777 &slot->data.ecp );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100778 }
779 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100780#endif /* MBEDTLS_ECP_C */
Jaeden Ameroccdce902019-01-10 11:42:27 +0000781#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C)
Gilles Peskine8e338702019-07-30 20:06:31 +0200782 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100783 {
Gilles Peskine8e338702019-07-30 20:06:31 +0200784 status = psa_import_rsa_key( slot->attr.type,
Jaeden Amerocd09d8c2019-01-11 17:53:05 +0000785 data, data_length,
786 &slot->data.rsa );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100787 }
788 else
Jaeden Ameroccdce902019-01-10 11:42:27 +0000789#endif /* defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100790 {
791 return( PSA_ERROR_NOT_SUPPORTED );
792 }
Darryl Green940d72c2018-07-13 13:18:51 +0100793
Gilles Peskineb46bef22019-07-30 21:32:04 +0200794 if( status == PSA_SUCCESS )
795 {
796 /* Write the actual key size to the slot.
797 * psa_start_key_creation() wrote the size declared by the
798 * caller, which may be 0 (meaning unspecified) or wrong. */
799 slot->attr.bits = psa_calculate_key_bits( slot );
800 }
Darryl Green06fd18d2018-07-16 11:21:11 +0100801 return( status );
802}
803
Gilles Peskinef603c712019-01-19 13:40:11 +0100804/** Calculate the intersection of two algorithm usage policies.
805 *
806 * Return 0 (which allows no operation) on incompatibility.
807 */
808static psa_algorithm_t psa_key_policy_algorithm_intersection(
809 psa_algorithm_t alg1,
810 psa_algorithm_t alg2 )
811{
Gilles Peskine549ea862019-05-22 11:45:59 +0200812 /* Common case: both sides actually specify the same policy. */
Gilles Peskinef603c712019-01-19 13:40:11 +0100813 if( alg1 == alg2 )
814 return( alg1 );
815 /* If the policies are from the same hash-and-sign family, check
816 * if one is a wildcard. If so the other has the specific algorithm. */
817 if( PSA_ALG_IS_HASH_AND_SIGN( alg1 ) &&
818 PSA_ALG_IS_HASH_AND_SIGN( alg2 ) &&
819 ( alg1 & ~PSA_ALG_HASH_MASK ) == ( alg2 & ~PSA_ALG_HASH_MASK ) )
820 {
821 if( PSA_ALG_SIGN_GET_HASH( alg1 ) == PSA_ALG_ANY_HASH )
822 return( alg2 );
823 if( PSA_ALG_SIGN_GET_HASH( alg2 ) == PSA_ALG_ANY_HASH )
824 return( alg1 );
825 }
826 /* If the policies are incompatible, allow nothing. */
827 return( 0 );
828}
829
Gilles Peskined6f371b2019-05-10 19:33:38 +0200830static int psa_key_algorithm_permits( psa_algorithm_t policy_alg,
831 psa_algorithm_t requested_alg )
832{
Gilles Peskine549ea862019-05-22 11:45:59 +0200833 /* Common case: the policy only allows requested_alg. */
Gilles Peskined6f371b2019-05-10 19:33:38 +0200834 if( requested_alg == policy_alg )
835 return( 1 );
836 /* If policy_alg is a hash-and-sign with a wildcard for the hash,
Gilles Peskine549ea862019-05-22 11:45:59 +0200837 * and requested_alg is the same hash-and-sign family with any hash,
838 * then requested_alg is compliant with policy_alg. */
Gilles Peskined6f371b2019-05-10 19:33:38 +0200839 if( PSA_ALG_IS_HASH_AND_SIGN( requested_alg ) &&
840 PSA_ALG_SIGN_GET_HASH( policy_alg ) == PSA_ALG_ANY_HASH )
841 {
842 return( ( policy_alg & ~PSA_ALG_HASH_MASK ) ==
843 ( requested_alg & ~PSA_ALG_HASH_MASK ) );
844 }
845 /* If it isn't permitted, it's forbidden. */
846 return( 0 );
847}
848
Gilles Peskine30f77cd2019-01-14 16:06:39 +0100849/** Test whether a policy permits an algorithm.
850 *
851 * The caller must test usage flags separately.
852 */
853static int psa_key_policy_permits( const psa_key_policy_t *policy,
854 psa_algorithm_t alg )
855{
Gilles Peskined6f371b2019-05-10 19:33:38 +0200856 return( psa_key_algorithm_permits( policy->alg, alg ) ||
857 psa_key_algorithm_permits( policy->alg2, alg ) );
Gilles Peskine30f77cd2019-01-14 16:06:39 +0100858}
859
Gilles Peskinef603c712019-01-19 13:40:11 +0100860/** Restrict a key policy based on a constraint.
861 *
862 * \param[in,out] policy The policy to restrict.
863 * \param[in] constraint The policy constraint to apply.
864 *
865 * \retval #PSA_SUCCESS
866 * \c *policy contains the intersection of the original value of
867 * \c *policy and \c *constraint.
868 * \retval #PSA_ERROR_INVALID_ARGUMENT
869 * \c *policy and \c *constraint are incompatible.
870 * \c *policy is unchanged.
871 */
872static psa_status_t psa_restrict_key_policy(
873 psa_key_policy_t *policy,
874 const psa_key_policy_t *constraint )
875{
876 psa_algorithm_t intersection_alg =
877 psa_key_policy_algorithm_intersection( policy->alg, constraint->alg );
Gilles Peskined6f371b2019-05-10 19:33:38 +0200878 psa_algorithm_t intersection_alg2 =
879 psa_key_policy_algorithm_intersection( policy->alg2, constraint->alg2 );
Gilles Peskinef603c712019-01-19 13:40:11 +0100880 if( intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0 )
881 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskined6f371b2019-05-10 19:33:38 +0200882 if( intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0 )
883 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskinef603c712019-01-19 13:40:11 +0100884 policy->usage &= constraint->usage;
885 policy->alg = intersection_alg;
Gilles Peskined6f371b2019-05-10 19:33:38 +0200886 policy->alg2 = intersection_alg2;
Gilles Peskinef603c712019-01-19 13:40:11 +0100887 return( PSA_SUCCESS );
888}
889
Darryl Green06fd18d2018-07-16 11:21:11 +0100890/** Retrieve a slot which must contain a key. The key must have allow all the
891 * usage flags set in \p usage. If \p alg is nonzero, the key must allow
892 * operations with this algorithm. */
Gilles Peskinec5487a82018-12-03 18:08:14 +0100893static psa_status_t psa_get_key_from_slot( psa_key_handle_t handle,
Gilles Peskine2f060a82018-12-04 17:12:32 +0100894 psa_key_slot_t **p_slot,
Darryl Green06fd18d2018-07-16 11:21:11 +0100895 psa_key_usage_t usage,
896 psa_algorithm_t alg )
897{
898 psa_status_t status;
Gilles Peskine2f060a82018-12-04 17:12:32 +0100899 psa_key_slot_t *slot = NULL;
Darryl Green06fd18d2018-07-16 11:21:11 +0100900
901 *p_slot = NULL;
902
Gilles Peskinec5487a82018-12-03 18:08:14 +0100903 status = psa_get_key_slot( handle, &slot );
Darryl Green06fd18d2018-07-16 11:21:11 +0100904 if( status != PSA_SUCCESS )
905 return( status );
Darryl Green06fd18d2018-07-16 11:21:11 +0100906
907 /* Enforce that usage policy for the key slot contains all the flags
908 * required by the usage parameter. There is one exception: public
909 * keys can always be exported, so we treat public key objects as
910 * if they had the export flag. */
Gilles Peskine8e338702019-07-30 20:06:31 +0200911 if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) )
Darryl Green06fd18d2018-07-16 11:21:11 +0100912 usage &= ~PSA_KEY_USAGE_EXPORT;
Gilles Peskine8e338702019-07-30 20:06:31 +0200913 if( ( slot->attr.policy.usage & usage ) != usage )
Darryl Green06fd18d2018-07-16 11:21:11 +0100914 return( PSA_ERROR_NOT_PERMITTED );
Gilles Peskine30f77cd2019-01-14 16:06:39 +0100915
916 /* Enforce that the usage policy permits the requested algortihm. */
Gilles Peskine8e338702019-07-30 20:06:31 +0200917 if( alg != 0 && ! psa_key_policy_permits( &slot->attr.policy, alg ) )
Darryl Green06fd18d2018-07-16 11:21:11 +0100918 return( PSA_ERROR_NOT_PERMITTED );
919
920 *p_slot = slot;
921 return( PSA_SUCCESS );
922}
Darryl Green940d72c2018-07-13 13:18:51 +0100923
Gilles Peskine28f8f302019-07-24 13:30:31 +0200924/** Retrieve a slot which must contain a transparent key.
925 *
926 * A transparent key is a key for which the key material is directly
927 * available, as opposed to a key in a secure element.
928 *
Gilles Peskine60450a42019-07-25 11:32:45 +0200929 * This is a temporary function to use instead of psa_get_key_from_slot()
930 * until secure element support is fully implemented.
Gilles Peskine28f8f302019-07-24 13:30:31 +0200931 */
932#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
933static psa_status_t psa_get_transparent_key( psa_key_handle_t handle,
934 psa_key_slot_t **p_slot,
935 psa_key_usage_t usage,
936 psa_algorithm_t alg )
937{
938 psa_status_t status = psa_get_key_from_slot( handle, p_slot, usage, alg );
939 if( status != PSA_SUCCESS )
940 return( status );
Gilles Peskineadad8132019-07-25 11:31:23 +0200941 if( psa_key_slot_is_external( *p_slot ) )
Gilles Peskine28f8f302019-07-24 13:30:31 +0200942 {
943 *p_slot = NULL;
944 return( PSA_ERROR_NOT_SUPPORTED );
945 }
946 return( PSA_SUCCESS );
947}
948#else /* MBEDTLS_PSA_CRYPTO_SE_C */
949/* With no secure element support, all keys are transparent. */
950#define psa_get_transparent_key( handle, p_slot, usage, alg ) \
951 psa_get_key_from_slot( handle, p_slot, usage, alg )
952#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
953
Gilles Peskinef77ed1f2018-12-03 11:58:46 +0100954/** Wipe key data from a slot. Preserve metadata such as the policy. */
Gilles Peskine2f060a82018-12-04 17:12:32 +0100955static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
Darryl Green40225ba2018-11-15 14:48:15 +0000956{
Gilles Peskine73167e12019-07-12 23:44:37 +0200957#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
958 if( psa_key_slot_is_external( slot ) )
Darryl Green40225ba2018-11-15 14:48:15 +0000959 {
960 /* No key material to clean. */
961 }
Gilles Peskine73167e12019-07-12 23:44:37 +0200962 else
963#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskine8e338702019-07-30 20:06:31 +0200964 if( slot->attr.type == PSA_KEY_TYPE_NONE )
Darryl Green40225ba2018-11-15 14:48:15 +0000965 {
966 /* No key material to clean. */
967 }
Gilles Peskine8e338702019-07-30 20:06:31 +0200968 else if( key_type_is_raw_bytes( slot->attr.type ) )
Darryl Green40225ba2018-11-15 14:48:15 +0000969 {
970 mbedtls_free( slot->data.raw.data );
971 }
972 else
973#if defined(MBEDTLS_RSA_C)
Gilles Peskine8e338702019-07-30 20:06:31 +0200974 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
Darryl Green40225ba2018-11-15 14:48:15 +0000975 {
976 mbedtls_rsa_free( slot->data.rsa );
977 mbedtls_free( slot->data.rsa );
978 }
979 else
980#endif /* defined(MBEDTLS_RSA_C) */
981#if defined(MBEDTLS_ECP_C)
Gilles Peskine8e338702019-07-30 20:06:31 +0200982 if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
Darryl Green40225ba2018-11-15 14:48:15 +0000983 {
984 mbedtls_ecp_keypair_free( slot->data.ecp );
985 mbedtls_free( slot->data.ecp );
986 }
987 else
988#endif /* defined(MBEDTLS_ECP_C) */
989 {
990 /* Shouldn't happen: the key type is not any type that we
991 * put in. */
Gilles Peskine4b3eb692019-05-16 21:35:18 +0200992 return( PSA_ERROR_CORRUPTION_DETECTED );
Darryl Green40225ba2018-11-15 14:48:15 +0000993 }
994
995 return( PSA_SUCCESS );
996}
997
Gilles Peskinef77ed1f2018-12-03 11:58:46 +0100998/** Completely wipe a slot in memory, including its policy.
999 * Persistent storage is not affected. */
Gilles Peskine66fb1262018-12-10 16:29:04 +01001000psa_status_t psa_wipe_key_slot( psa_key_slot_t *slot )
Gilles Peskinef77ed1f2018-12-03 11:58:46 +01001001{
1002 psa_status_t status = psa_remove_key_data_from_memory( slot );
Gilles Peskine3f7cd622019-08-13 15:01:08 +02001003 /* Multipart operations may still be using the key. This is safe
1004 * because all multipart operation objects are independent from
1005 * the key slot: if they need to access the key after the setup
1006 * phase, they have a copy of the key. Note that this means that
1007 * key material can linger until all operations are completed. */
Gilles Peskinef77ed1f2018-12-03 11:58:46 +01001008 /* At this point, key material and other type-specific content has
1009 * been wiped. Clear remaining metadata. We can call memset and not
1010 * zeroize because the metadata is not particularly sensitive. */
1011 memset( slot, 0, sizeof( *slot ) );
1012 return( status );
1013}
1014
Gilles Peskinec5487a82018-12-03 18:08:14 +01001015psa_status_t psa_destroy_key( psa_key_handle_t handle )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001016{
Gilles Peskine2f060a82018-12-04 17:12:32 +01001017 psa_key_slot_t *slot;
Gilles Peskine4b7f3402019-08-13 15:58:36 +02001018 psa_status_t status; /* status of the last operation */
1019 psa_status_t overall_status = PSA_SUCCESS;
Gilles Peskine354f7672019-07-12 23:46:38 +02001020#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1021 psa_se_drv_table_entry_t *driver;
1022#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001023
Gilles Peskine1841cf42019-10-08 15:48:25 +02001024 if( handle == 0 )
1025 return( PSA_SUCCESS );
1026
Gilles Peskinec5487a82018-12-03 18:08:14 +01001027 status = psa_get_key_slot( handle, &slot );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001028 if( status != PSA_SUCCESS )
1029 return( status );
Gilles Peskine354f7672019-07-12 23:46:38 +02001030
1031#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02001032 driver = psa_get_se_driver_entry( slot->attr.lifetime );
Gilles Peskine354f7672019-07-12 23:46:38 +02001033 if( driver != NULL )
Gilles Peskinefc762652019-07-22 19:30:34 +02001034 {
Gilles Peskine60450a42019-07-25 11:32:45 +02001035 /* For a key in a secure element, we need to do three things:
1036 * remove the key file in internal storage, destroy the
1037 * key inside the secure element, and update the driver's
1038 * persistent data. Start a transaction that will encompass these
1039 * three actions. */
Gilles Peskinefc762652019-07-22 19:30:34 +02001040 psa_crypto_prepare_transaction( PSA_CRYPTO_TRANSACTION_DESTROY_KEY );
Gilles Peskine8e338702019-07-30 20:06:31 +02001041 psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
Gilles Peskinefc762652019-07-22 19:30:34 +02001042 psa_crypto_transaction.key.slot = slot->data.se.slot_number;
Gilles Peskine8e338702019-07-30 20:06:31 +02001043 psa_crypto_transaction.key.id = slot->attr.id;
Gilles Peskinefc762652019-07-22 19:30:34 +02001044 status = psa_crypto_save_transaction( );
1045 if( status != PSA_SUCCESS )
1046 {
Gilles Peskine66be51c2019-07-25 18:02:52 +02001047 (void) psa_crypto_stop_transaction( );
Gilles Peskine4b7f3402019-08-13 15:58:36 +02001048 /* We should still try to destroy the key in the secure
1049 * element and the key metadata in storage. This is especially
1050 * important if the error is that the storage is full.
1051 * But how to do it exactly without risking an inconsistent
1052 * state after a reset?
1053 * https://github.com/ARMmbed/mbed-crypto/issues/215
1054 */
1055 overall_status = status;
1056 goto exit;
Gilles Peskinefc762652019-07-22 19:30:34 +02001057 }
1058
Gilles Peskine354f7672019-07-12 23:46:38 +02001059 status = psa_destroy_se_key( driver, slot->data.se.slot_number );
Gilles Peskine4b7f3402019-08-13 15:58:36 +02001060 if( overall_status == PSA_SUCCESS )
1061 overall_status = status;
Gilles Peskinefc762652019-07-22 19:30:34 +02001062 }
Gilles Peskine354f7672019-07-12 23:46:38 +02001063#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1064
Darryl Greend49a4992018-06-18 17:27:26 +01001065#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
Gilles Peskinecaec2782019-08-13 15:11:49 +02001066 if( slot->attr.lifetime != PSA_KEY_LIFETIME_VOLATILE )
Darryl Greend49a4992018-06-18 17:27:26 +01001067 {
Gilles Peskine4b7f3402019-08-13 15:58:36 +02001068 status = psa_destroy_persistent_key( slot->attr.id );
1069 if( overall_status == PSA_SUCCESS )
1070 overall_status = status;
1071
Gilles Peskine9ce31c42019-08-13 15:14:20 +02001072 /* TODO: other slots may have a copy of the same key. We should
1073 * invalidate them.
1074 * https://github.com/ARMmbed/mbed-crypto/issues/214
1075 */
Darryl Greend49a4992018-06-18 17:27:26 +01001076 }
1077#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
Gilles Peskine354f7672019-07-12 23:46:38 +02001078
Gilles Peskinefc762652019-07-22 19:30:34 +02001079#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1080 if( driver != NULL )
1081 {
Gilles Peskine725f22a2019-07-25 11:31:48 +02001082 status = psa_save_se_persistent_data( driver );
Gilles Peskine4b7f3402019-08-13 15:58:36 +02001083 if( overall_status == PSA_SUCCESS )
1084 overall_status = status;
1085 status = psa_crypto_stop_transaction( );
1086 if( overall_status == PSA_SUCCESS )
1087 overall_status = status;
Gilles Peskinefc762652019-07-22 19:30:34 +02001088 }
1089#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1090
Gilles Peskine4b7f3402019-08-13 15:58:36 +02001091#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1092exit:
1093#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskinef77ed1f2018-12-03 11:58:46 +01001094 status = psa_wipe_key_slot( slot );
Gilles Peskine4b7f3402019-08-13 15:58:36 +02001095 /* Prioritize CORRUPTION_DETECTED from wiping over a storage error */
1096 if( overall_status == PSA_SUCCESS )
1097 overall_status = status;
1098 return( overall_status );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001099}
1100
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001101void psa_reset_key_attributes( psa_key_attributes_t *attributes )
Gilles Peskineb870b182018-07-06 16:02:09 +02001102{
Gilles Peskineb699f072019-04-26 16:06:02 +02001103 mbedtls_free( attributes->domain_parameters );
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001104 memset( attributes, 0, sizeof( *attributes ) );
Gilles Peskineb870b182018-07-06 16:02:09 +02001105}
1106
Gilles Peskineb699f072019-04-26 16:06:02 +02001107psa_status_t psa_set_key_domain_parameters( psa_key_attributes_t *attributes,
1108 psa_key_type_t type,
1109 const uint8_t *data,
1110 size_t data_length )
1111{
1112 uint8_t *copy = NULL;
1113
1114 if( data_length != 0 )
1115 {
1116 copy = mbedtls_calloc( 1, data_length );
1117 if( copy == NULL )
1118 return( PSA_ERROR_INSUFFICIENT_MEMORY );
1119 memcpy( copy, data, data_length );
1120 }
1121 /* After this point, this function is guaranteed to succeed, so it
1122 * can start modifying `*attributes`. */
1123
1124 if( attributes->domain_parameters != NULL )
1125 {
1126 mbedtls_free( attributes->domain_parameters );
1127 attributes->domain_parameters = NULL;
1128 attributes->domain_parameters_size = 0;
1129 }
1130
1131 attributes->domain_parameters = copy;
1132 attributes->domain_parameters_size = data_length;
Gilles Peskine7e0cff92019-07-30 13:48:52 +02001133 attributes->core.type = type;
Gilles Peskineb699f072019-04-26 16:06:02 +02001134 return( PSA_SUCCESS );
1135}
1136
1137psa_status_t psa_get_key_domain_parameters(
1138 const psa_key_attributes_t *attributes,
1139 uint8_t *data, size_t data_size, size_t *data_length )
1140{
1141 if( attributes->domain_parameters_size > data_size )
1142 return( PSA_ERROR_BUFFER_TOO_SMALL );
1143 *data_length = attributes->domain_parameters_size;
1144 if( attributes->domain_parameters_size != 0 )
1145 memcpy( data, attributes->domain_parameters,
1146 attributes->domain_parameters_size );
1147 return( PSA_SUCCESS );
1148}
1149
1150#if defined(MBEDTLS_RSA_C)
1151static psa_status_t psa_get_rsa_public_exponent(
1152 const mbedtls_rsa_context *rsa,
1153 psa_key_attributes_t *attributes )
1154{
1155 mbedtls_mpi mpi;
Janos Follath24eed8d2019-11-22 13:21:35 +00001156 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskineb699f072019-04-26 16:06:02 +02001157 uint8_t *buffer = NULL;
1158 size_t buflen;
1159 mbedtls_mpi_init( &mpi );
1160
1161 ret = mbedtls_rsa_export( rsa, NULL, NULL, NULL, NULL, &mpi );
1162 if( ret != 0 )
1163 goto exit;
Gilles Peskine772c8b12019-04-26 17:37:21 +02001164 if( mbedtls_mpi_cmp_int( &mpi, 65537 ) == 0 )
1165 {
1166 /* It's the default value, which is reported as an empty string,
1167 * so there's nothing to do. */
1168 goto exit;
1169 }
Gilles Peskineb699f072019-04-26 16:06:02 +02001170
1171 buflen = mbedtls_mpi_size( &mpi );
1172 buffer = mbedtls_calloc( 1, buflen );
1173 if( buffer == NULL )
1174 {
1175 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
1176 goto exit;
1177 }
1178 ret = mbedtls_mpi_write_binary( &mpi, buffer, buflen );
1179 if( ret != 0 )
1180 goto exit;
1181 attributes->domain_parameters = buffer;
1182 attributes->domain_parameters_size = buflen;
1183
1184exit:
1185 mbedtls_mpi_free( &mpi );
1186 if( ret != 0 )
1187 mbedtls_free( buffer );
1188 return( mbedtls_to_psa_error( ret ) );
1189}
1190#endif /* MBEDTLS_RSA_C */
1191
Gilles Peskinebfd322f2019-07-23 11:58:03 +02001192/** Retrieve all the publicly-accessible attributes of a key.
1193 */
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001194psa_status_t psa_get_key_attributes( psa_key_handle_t handle,
1195 psa_key_attributes_t *attributes )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001196{
Gilles Peskine2f060a82018-12-04 17:12:32 +01001197 psa_key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +02001198 psa_status_t status;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001199
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001200 psa_reset_key_attributes( attributes );
1201
Gilles Peskinedc5bfe92019-07-24 19:09:30 +02001202 status = psa_get_key_from_slot( handle, &slot, 0, 0 );
Gilles Peskineb0b255c2018-07-06 17:01:38 +02001203 if( status != PSA_SUCCESS )
1204 return( status );
Gilles Peskineb870b182018-07-06 16:02:09 +02001205
Gilles Peskine76aa09c2019-07-31 14:15:34 +02001206 attributes->core = slot->attr;
Gilles Peskinec8000c02019-08-02 20:15:51 +02001207 attributes->core.flags &= ( MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY |
1208 MBEDTLS_PSA_KA_MASK_DUAL_USE );
1209
1210#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1211 if( psa_key_slot_is_external( slot ) )
1212 psa_set_key_slot_number( attributes, slot->data.se.slot_number );
1213#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskineb699f072019-04-26 16:06:02 +02001214
Gilles Peskine8e338702019-07-30 20:06:31 +02001215 switch( slot->attr.type )
Gilles Peskineb699f072019-04-26 16:06:02 +02001216 {
1217#if defined(MBEDTLS_RSA_C)
Gilles Peskinec93b80c2019-05-16 19:39:54 +02001218 case PSA_KEY_TYPE_RSA_KEY_PAIR:
Gilles Peskineb699f072019-04-26 16:06:02 +02001219 case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
Gilles Peskinedc5bfe92019-07-24 19:09:30 +02001220#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Janos Follath1d57a202019-08-13 12:15:34 +01001221 /* TODO: reporting the public exponent for opaque keys
Gilles Peskinec9d7f942019-08-13 16:17:16 +02001222 * is not yet implemented.
1223 * https://github.com/ARMmbed/mbed-crypto/issues/216
1224 */
Gilles Peskinec8000c02019-08-02 20:15:51 +02001225 if( psa_key_slot_is_external( slot ) )
Gilles Peskinedc5bfe92019-07-24 19:09:30 +02001226 break;
1227#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskineb699f072019-04-26 16:06:02 +02001228 status = psa_get_rsa_public_exponent( slot->data.rsa, attributes );
1229 break;
Gilles Peskinedc5bfe92019-07-24 19:09:30 +02001230#endif /* MBEDTLS_RSA_C */
Gilles Peskineb699f072019-04-26 16:06:02 +02001231 default:
1232 /* Nothing else to do. */
1233 break;
1234 }
1235
1236 if( status != PSA_SUCCESS )
1237 psa_reset_key_attributes( attributes );
1238 return( status );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001239}
1240
Gilles Peskinec8000c02019-08-02 20:15:51 +02001241#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1242psa_status_t psa_get_key_slot_number(
1243 const psa_key_attributes_t *attributes,
1244 psa_key_slot_number_t *slot_number )
1245{
1246 if( attributes->core.flags & MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER )
1247 {
1248 *slot_number = attributes->slot_number;
1249 return( PSA_SUCCESS );
1250 }
1251 else
1252 return( PSA_ERROR_INVALID_ARGUMENT );
1253}
1254#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1255
Jaeden Ameroccdce902019-01-10 11:42:27 +00001256#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C)
Jaeden Amero25384a22019-01-10 10:23:21 +00001257static int pk_write_pubkey_simple( mbedtls_pk_context *key,
1258 unsigned char *buf, size_t size )
1259{
Janos Follath24eed8d2019-11-22 13:21:35 +00001260 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero25384a22019-01-10 10:23:21 +00001261 unsigned char *c;
1262 size_t len = 0;
1263
1264 c = buf + size;
1265
1266 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, key ) );
1267
1268 return( (int) len );
1269}
Jaeden Ameroccdce902019-01-10 11:42:27 +00001270#endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C) */
Jaeden Amero25384a22019-01-10 10:23:21 +00001271
Gilles Peskinef603c712019-01-19 13:40:11 +01001272static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
1273 uint8_t *data,
1274 size_t data_size,
1275 size_t *data_length,
1276 int export_public_key )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001277{
Gilles Peskine5d309672019-07-12 23:47:28 +02001278#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1279 const psa_drv_se_t *drv;
1280 psa_drv_se_context_t *drv_context;
1281#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1282
Jaeden Amerof24c7f82018-06-27 17:20:43 +01001283 *data_length = 0;
1284
Gilles Peskine8e338702019-07-30 20:06:31 +02001285 if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) )
Moran Pekera998bc62018-04-16 18:16:20 +03001286 return( PSA_ERROR_INVALID_ARGUMENT );
mohammad160306e79202018-03-28 13:17:44 +03001287
Gilles Peskinef9168942019-09-12 19:20:29 +02001288 /* Reject a zero-length output buffer now, since this can never be a
1289 * valid key representation. This way we know that data must be a valid
1290 * pointer and we can do things like memset(data, ..., data_size). */
1291 if( data_size == 0 )
1292 return( PSA_ERROR_BUFFER_TOO_SMALL );
1293
Gilles Peskine5d309672019-07-12 23:47:28 +02001294#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02001295 if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
Gilles Peskine5d309672019-07-12 23:47:28 +02001296 {
1297 psa_drv_se_export_key_t method;
1298 if( drv->key_management == NULL )
1299 return( PSA_ERROR_NOT_SUPPORTED );
1300 method = ( export_public_key ?
1301 drv->key_management->p_export_public :
1302 drv->key_management->p_export );
1303 if( method == NULL )
1304 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine2e0f3882019-07-25 11:34:33 +02001305 return( method( drv_context,
1306 slot->data.se.slot_number,
1307 data, data_size, data_length ) );
Gilles Peskine5d309672019-07-12 23:47:28 +02001308 }
1309#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1310
Gilles Peskine8e338702019-07-30 20:06:31 +02001311 if( key_type_is_raw_bytes( slot->attr.type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001312 {
1313 if( slot->data.raw.bytes > data_size )
1314 return( PSA_ERROR_BUFFER_TOO_SMALL );
Gilles Peskinef9168942019-09-12 19:20:29 +02001315 memcpy( data, slot->data.raw.data, slot->data.raw.bytes );
1316 memset( data + slot->data.raw.bytes, 0,
1317 data_size - slot->data.raw.bytes );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001318 *data_length = slot->data.raw.bytes;
1319 return( PSA_SUCCESS );
1320 }
Gilles Peskine188c71e2018-10-29 19:26:02 +01001321#if defined(MBEDTLS_ECP_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02001322 if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( slot->attr.type ) && !export_public_key )
Gilles Peskine188c71e2018-10-29 19:26:02 +01001323 {
Darryl Greendd8fb772018-11-07 16:00:44 +00001324 psa_status_t status;
1325
Gilles Peskineb46bef22019-07-30 21:32:04 +02001326 size_t bytes = PSA_BITS_TO_BYTES( slot->attr.bits );
Gilles Peskine188c71e2018-10-29 19:26:02 +01001327 if( bytes > data_size )
1328 return( PSA_ERROR_BUFFER_TOO_SMALL );
1329 status = mbedtls_to_psa_error(
1330 mbedtls_mpi_write_binary( &slot->data.ecp->d, data, bytes ) );
1331 if( status != PSA_SUCCESS )
1332 return( status );
1333 memset( data + bytes, 0, data_size - bytes );
1334 *data_length = bytes;
1335 return( PSA_SUCCESS );
1336 }
1337#endif
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001338 else
Moran Peker17e36e12018-05-02 12:55:20 +03001339 {
Gilles Peskine969ac722018-01-28 18:16:59 +01001340#if defined(MBEDTLS_PK_WRITE_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02001341 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ||
1342 PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
Gilles Peskine969ac722018-01-28 18:16:59 +01001343 {
Moran Pekera998bc62018-04-16 18:16:20 +03001344 mbedtls_pk_context pk;
Janos Follath24eed8d2019-11-22 13:21:35 +00001345 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine8e338702019-07-30 20:06:31 +02001346 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
Moran Pekera998bc62018-04-16 18:16:20 +03001347 {
Darryl Green9e2d7a02018-07-24 16:33:30 +01001348#if defined(MBEDTLS_RSA_C)
1349 mbedtls_pk_init( &pk );
Moran Pekera998bc62018-04-16 18:16:20 +03001350 pk.pk_info = &mbedtls_rsa_info;
1351 pk.pk_ctx = slot->data.rsa;
Darryl Green9e2d7a02018-07-24 16:33:30 +01001352#else
1353 return( PSA_ERROR_NOT_SUPPORTED );
1354#endif
Moran Pekera998bc62018-04-16 18:16:20 +03001355 }
1356 else
1357 {
Darryl Green9e2d7a02018-07-24 16:33:30 +01001358#if defined(MBEDTLS_ECP_C)
1359 mbedtls_pk_init( &pk );
Moran Pekera998bc62018-04-16 18:16:20 +03001360 pk.pk_info = &mbedtls_eckey_info;
1361 pk.pk_ctx = slot->data.ecp;
Darryl Green9e2d7a02018-07-24 16:33:30 +01001362#else
1363 return( PSA_ERROR_NOT_SUPPORTED );
1364#endif
Moran Pekera998bc62018-04-16 18:16:20 +03001365 }
Gilles Peskine8e338702019-07-30 20:06:31 +02001366 if( export_public_key || PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) )
Jaeden Amero25384a22019-01-10 10:23:21 +00001367 {
Jaeden Ameroccdce902019-01-10 11:42:27 +00001368 ret = pk_write_pubkey_simple( &pk, data, data_size );
Jaeden Amero25384a22019-01-10 10:23:21 +00001369 }
Moran Peker17e36e12018-05-02 12:55:20 +03001370 else
Jaeden Amero25384a22019-01-10 10:23:21 +00001371 {
Moran Peker17e36e12018-05-02 12:55:20 +03001372 ret = mbedtls_pk_write_key_der( &pk, data, data_size );
Jaeden Amero25384a22019-01-10 10:23:21 +00001373 }
Moran Peker60364322018-04-29 11:34:58 +03001374 if( ret < 0 )
Gilles Peskinee66ca3b2018-06-20 00:11:45 +02001375 {
Gilles Peskinef9168942019-09-12 19:20:29 +02001376 memset( data, 0, data_size );
Moran Pekera998bc62018-04-16 18:16:20 +03001377 return( mbedtls_to_psa_error( ret ) );
Gilles Peskinee66ca3b2018-06-20 00:11:45 +02001378 }
Gilles Peskine0e231582018-06-20 00:11:07 +02001379 /* The mbedtls_pk_xxx functions write to the end of the buffer.
1380 * Move the data to the beginning and erase remaining data
1381 * at the original location. */
1382 if( 2 * (size_t) ret <= data_size )
1383 {
1384 memcpy( data, data + data_size - ret, ret );
Gilles Peskinee66ca3b2018-06-20 00:11:45 +02001385 memset( data + data_size - ret, 0, ret );
Gilles Peskine0e231582018-06-20 00:11:07 +02001386 }
1387 else if( (size_t) ret < data_size )
1388 {
1389 memmove( data, data + data_size - ret, ret );
Gilles Peskinee66ca3b2018-06-20 00:11:45 +02001390 memset( data + ret, 0, data_size - ret );
Gilles Peskine0e231582018-06-20 00:11:07 +02001391 }
Moran Pekera998bc62018-04-16 18:16:20 +03001392 *data_length = ret;
1393 return( PSA_SUCCESS );
Gilles Peskine969ac722018-01-28 18:16:59 +01001394 }
1395 else
Gilles Peskine6d912132018-03-07 16:41:37 +01001396#endif /* defined(MBEDTLS_PK_WRITE_C) */
Moran Pekera998bc62018-04-16 18:16:20 +03001397 {
1398 /* This shouldn't happen in the reference implementation, but
Gilles Peskine785fd552018-06-04 15:08:56 +02001399 it is valid for a special-purpose implementation to omit
1400 support for exporting certain key types. */
Moran Pekera998bc62018-04-16 18:16:20 +03001401 return( PSA_ERROR_NOT_SUPPORTED );
1402 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001403 }
1404}
1405
Gilles Peskinec5487a82018-12-03 18:08:14 +01001406psa_status_t psa_export_key( psa_key_handle_t handle,
Gilles Peskine2d277862018-06-18 15:41:12 +02001407 uint8_t *data,
1408 size_t data_size,
1409 size_t *data_length )
Moran Pekera998bc62018-04-16 18:16:20 +03001410{
Gilles Peskine2f060a82018-12-04 17:12:32 +01001411 psa_key_slot_t *slot;
Darryl Greendd8fb772018-11-07 16:00:44 +00001412 psa_status_t status;
1413
1414 /* Set the key to empty now, so that even when there are errors, we always
1415 * set data_length to a value between 0 and data_size. On error, setting
1416 * the key to empty is a good choice because an empty key representation is
1417 * unlikely to be accepted anywhere. */
1418 *data_length = 0;
1419
1420 /* Export requires the EXPORT flag. There is an exception for public keys,
1421 * which don't require any flag, but psa_get_key_from_slot takes
1422 * care of this. */
Gilles Peskinec5487a82018-12-03 18:08:14 +01001423 status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_EXPORT, 0 );
Darryl Greendd8fb772018-11-07 16:00:44 +00001424 if( status != PSA_SUCCESS )
1425 return( status );
1426 return( psa_internal_export_key( slot, data, data_size,
Gilles Peskinec1bb6c82018-06-18 16:04:39 +02001427 data_length, 0 ) );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001428}
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01001429
Gilles Peskinec5487a82018-12-03 18:08:14 +01001430psa_status_t psa_export_public_key( psa_key_handle_t handle,
Gilles Peskine2d277862018-06-18 15:41:12 +02001431 uint8_t *data,
1432 size_t data_size,
1433 size_t *data_length )
Moran Pekerdd4ea382018-04-03 15:30:03 +03001434{
Gilles Peskine2f060a82018-12-04 17:12:32 +01001435 psa_key_slot_t *slot;
Darryl Greendd8fb772018-11-07 16:00:44 +00001436 psa_status_t status;
1437
1438 /* Set the key to empty now, so that even when there are errors, we always
1439 * set data_length to a value between 0 and data_size. On error, setting
1440 * the key to empty is a good choice because an empty key representation is
1441 * unlikely to be accepted anywhere. */
1442 *data_length = 0;
1443
1444 /* Exporting a public key doesn't require a usage flag. */
Gilles Peskinec5487a82018-12-03 18:08:14 +01001445 status = psa_get_key_from_slot( handle, &slot, 0, 0 );
Darryl Greendd8fb772018-11-07 16:00:44 +00001446 if( status != PSA_SUCCESS )
1447 return( status );
1448 return( psa_internal_export_key( slot, data, data_size,
Gilles Peskinec1bb6c82018-06-18 16:04:39 +02001449 data_length, 1 ) );
Moran Pekerdd4ea382018-04-03 15:30:03 +03001450}
1451
Gilles Peskine91e8c332019-08-02 19:19:39 +02001452#if defined(static_assert)
1453static_assert( ( MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_DUAL_USE ) == 0,
1454 "One or more key attribute flag is listed as both external-only and dual-use" );
Gilles Peskine5a680562019-08-05 17:32:13 +02001455static_assert( ( PSA_KA_MASK_INTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_DUAL_USE ) == 0,
Gilles Peskine094dac12019-08-07 18:19:46 +02001456 "One or more key attribute flag is listed as both internal-only and dual-use" );
Gilles Peskine5a680562019-08-05 17:32:13 +02001457static_assert( ( PSA_KA_MASK_INTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY ) == 0,
Gilles Peskine91e8c332019-08-02 19:19:39 +02001458 "One or more key attribute flag is listed as both internal-only and external-only" );
1459#endif
1460
Gilles Peskine1b8594a2019-07-31 17:21:46 +02001461/** Validate that a key policy is internally well-formed.
1462 *
1463 * This function only rejects invalid policies. It does not validate the
1464 * consistency of the policy with respect to other attributes of the key
1465 * such as the key type.
1466 */
1467static psa_status_t psa_validate_key_policy( const psa_key_policy_t *policy )
Gilles Peskine4747d192019-04-17 15:05:45 +02001468{
1469 if( ( policy->usage & ~( PSA_KEY_USAGE_EXPORT |
Gilles Peskine8e0206a2019-05-14 14:24:28 +02001470 PSA_KEY_USAGE_COPY |
Gilles Peskine4747d192019-04-17 15:05:45 +02001471 PSA_KEY_USAGE_ENCRYPT |
1472 PSA_KEY_USAGE_DECRYPT |
Gilles Peskine89d8c5c2019-11-26 17:01:59 +01001473 PSA_KEY_USAGE_SIGN_HASH |
1474 PSA_KEY_USAGE_VERIFY_HASH |
Gilles Peskine4747d192019-04-17 15:05:45 +02001475 PSA_KEY_USAGE_DERIVE ) ) != 0 )
1476 return( PSA_ERROR_INVALID_ARGUMENT );
1477
Gilles Peskine4747d192019-04-17 15:05:45 +02001478 return( PSA_SUCCESS );
1479}
1480
Gilles Peskine1b8594a2019-07-31 17:21:46 +02001481/** Validate the internal consistency of key attributes.
1482 *
1483 * This function only rejects invalid attribute values. If does not
1484 * validate the consistency of the attributes with any key data that may
1485 * be involved in the creation of the key.
1486 *
1487 * Call this function early in the key creation process.
1488 *
1489 * \param[in] attributes Key attributes for the new key.
1490 * \param[out] p_drv On any return, the driver for the key, if any.
1491 * NULL for a transparent key.
1492 *
1493 */
1494static psa_status_t psa_validate_key_attributes(
1495 const psa_key_attributes_t *attributes,
1496 psa_se_drv_table_entry_t **p_drv )
Darryl Green0c6575a2018-11-07 16:05:30 +00001497{
Steven Cooreman81fe7c32020-06-08 18:37:19 +02001498 psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
Gilles Peskine1b8594a2019-07-31 17:21:46 +02001499
Steven Cooreman8c1e7592020-06-17 14:52:05 +02001500 status = psa_validate_key_location( psa_get_key_lifetime( attributes ),
1501 p_drv );
Steven Cooreman81fe7c32020-06-08 18:37:19 +02001502 if( status != PSA_SUCCESS )
1503 return( status );
1504
Steven Cooreman8c1e7592020-06-17 14:52:05 +02001505 status = psa_validate_key_persistence( psa_get_key_lifetime( attributes ),
1506 psa_get_key_id( attributes ) );
Steven Cooreman81fe7c32020-06-08 18:37:19 +02001507 if( status != PSA_SUCCESS )
1508 return( status );
Gilles Peskine1b8594a2019-07-31 17:21:46 +02001509
1510 status = psa_validate_key_policy( &attributes->core.policy );
Darryl Green0c6575a2018-11-07 16:05:30 +00001511 if( status != PSA_SUCCESS )
Gilles Peskine1b8594a2019-07-31 17:21:46 +02001512 return( status );
1513
1514 /* Refuse to create overly large keys.
1515 * Note that this doesn't trigger on import if the attributes don't
1516 * explicitly specify a size (so psa_get_key_bits returns 0), so
1517 * psa_import_key() needs its own checks. */
1518 if( psa_get_key_bits( attributes ) > PSA_MAX_KEY_BITS )
1519 return( PSA_ERROR_NOT_SUPPORTED );
1520
Gilles Peskine91e8c332019-08-02 19:19:39 +02001521 /* Reject invalid flags. These should not be reachable through the API. */
1522 if( attributes->core.flags & ~ ( MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY |
1523 MBEDTLS_PSA_KA_MASK_DUAL_USE ) )
1524 return( PSA_ERROR_INVALID_ARGUMENT );
1525
Gilles Peskine1b8594a2019-07-31 17:21:46 +02001526 return( PSA_SUCCESS );
1527}
1528
Gilles Peskine4747d192019-04-17 15:05:45 +02001529/** Prepare a key slot to receive key material.
1530 *
1531 * This function allocates a key slot and sets its metadata.
1532 *
1533 * If this function fails, call psa_fail_key_creation().
1534 *
Gilles Peskine9bc88c62019-04-28 11:37:03 +02001535 * This function is intended to be used as follows:
1536 * -# Call psa_start_key_creation() to allocate a key slot, prepare
1537 * it with the specified attributes, and assign it a handle.
1538 * -# Populate the slot with the key material.
1539 * -# Call psa_finish_key_creation() to finalize the creation of the slot.
1540 * In case of failure at any step, stop the sequence and call
1541 * psa_fail_key_creation().
1542 *
Gilles Peskinedf179142019-07-15 22:02:14 +02001543 * \param method An identification of the calling function.
Gilles Peskine011e4282019-06-26 18:34:38 +02001544 * \param[in] attributes Key attributes for the new key.
1545 * \param[out] handle On success, a handle for the allocated slot.
1546 * \param[out] p_slot On success, a pointer to the prepared slot.
1547 * \param[out] p_drv On any return, the driver for the key, if any.
1548 * NULL for a transparent key.
Gilles Peskine9bc88c62019-04-28 11:37:03 +02001549 *
1550 * \retval #PSA_SUCCESS
1551 * The key slot is ready to receive key material.
1552 * \return If this function fails, the key slot is an invalid state.
1553 * You must call psa_fail_key_creation() to wipe and free the slot.
Gilles Peskine4747d192019-04-17 15:05:45 +02001554 */
1555static psa_status_t psa_start_key_creation(
Gilles Peskinedf179142019-07-15 22:02:14 +02001556 psa_key_creation_method_t method,
Gilles Peskine4747d192019-04-17 15:05:45 +02001557 const psa_key_attributes_t *attributes,
1558 psa_key_handle_t *handle,
Gilles Peskine011e4282019-06-26 18:34:38 +02001559 psa_key_slot_t **p_slot,
Gilles Peskine8abe6a22019-07-12 23:40:35 +02001560 psa_se_drv_table_entry_t **p_drv )
Gilles Peskine4747d192019-04-17 15:05:45 +02001561{
1562 psa_status_t status;
1563 psa_key_slot_t *slot;
1564
Gilles Peskinedf179142019-07-15 22:02:14 +02001565 (void) method;
Gilles Peskine011e4282019-06-26 18:34:38 +02001566 *p_drv = NULL;
1567
Gilles Peskine1b8594a2019-07-31 17:21:46 +02001568 status = psa_validate_key_attributes( attributes, p_drv );
1569 if( status != PSA_SUCCESS )
1570 return( status );
1571
Gilles Peskineedbed562019-08-07 18:19:59 +02001572 status = psa_get_empty_key_slot( handle, p_slot );
Gilles Peskine4747d192019-04-17 15:05:45 +02001573 if( status != PSA_SUCCESS )
1574 return( status );
1575 slot = *p_slot;
1576
Gilles Peskine76aa09c2019-07-31 14:15:34 +02001577 /* We're storing the declared bit-size of the key. It's up to each
1578 * creation mechanism to verify that this information is correct.
1579 * It's automatically correct for mechanisms that use the bit-size as
Gilles Peskineb46bef22019-07-30 21:32:04 +02001580 * an input (generate, device) but not for those where the bit-size
1581 * is optional (import, copy). */
Gilles Peskine76aa09c2019-07-31 14:15:34 +02001582
1583 slot->attr = attributes->core;
Gilles Peskinec744d992019-07-30 17:26:54 +02001584
Gilles Peskine91e8c332019-08-02 19:19:39 +02001585 /* Erase external-only flags from the internal copy. To access
Gilles Peskine013f5472019-08-07 15:42:14 +02001586 * external-only flags, query `attributes`. Thanks to the check
1587 * in psa_validate_key_attributes(), this leaves the dual-use
Gilles Peskineedbed562019-08-07 18:19:59 +02001588 * flags and any internal flag that psa_get_empty_key_slot()
Gilles Peskine013f5472019-08-07 15:42:14 +02001589 * may have set. */
1590 slot->attr.flags &= ~MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY;
Gilles Peskine91e8c332019-08-02 19:19:39 +02001591
Gilles Peskinecbaff462019-07-12 23:46:04 +02001592#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Gilles Peskined7729582019-08-05 15:55:54 +02001593 /* For a key in a secure element, we need to do three things
Steven Cooremanbbeaf182020-06-08 18:29:44 +02001594 * when creating or registering a persistent key:
Gilles Peskine60450a42019-07-25 11:32:45 +02001595 * create the key file in internal storage, create the
1596 * key inside the secure element, and update the driver's
Steven Cooremanbbeaf182020-06-08 18:29:44 +02001597 * persistent data. This is done by starting a transaction that will
1598 * encompass these three actions.
1599 * For registering a volatile key, we just need to find an appropriate
1600 * slot number inside the SE. Since the key is designated volatile, creating
1601 * a transaction is not required. */
Gilles Peskine60450a42019-07-25 11:32:45 +02001602 /* The first thing to do is to find a slot number for the new key.
1603 * We save the slot number in persistent storage as part of the
1604 * transaction data. It will be needed to recover if the power
1605 * fails during the key creation process, to clean up on the secure
1606 * element side after restarting. Obtaining a slot number from the
1607 * secure element driver updates its persistent state, but we do not yet
1608 * save the driver's persistent state, so that if the power fails,
Gilles Peskinefc762652019-07-22 19:30:34 +02001609 * we can roll back to a state where the key doesn't exist. */
Gilles Peskine3efcebb2019-10-01 14:18:35 +02001610 if( *p_drv != NULL )
Darryl Green0c6575a2018-11-07 16:05:30 +00001611 {
Gilles Peskinee88c2c12019-08-05 16:44:14 +02001612 status = psa_find_se_slot_for_key( attributes, method, *p_drv,
Gilles Peskinecbaff462019-07-12 23:46:04 +02001613 &slot->data.se.slot_number );
1614 if( status != PSA_SUCCESS )
1615 return( status );
Steven Cooremanbbeaf182020-06-08 18:29:44 +02001616
1617 if( ! PSA_KEY_LIFETIME_IS_VOLATILE( attributes->core.lifetime ) )
Gilles Peskine66be51c2019-07-25 18:02:52 +02001618 {
Steven Cooremanbbeaf182020-06-08 18:29:44 +02001619 psa_crypto_prepare_transaction( PSA_CRYPTO_TRANSACTION_CREATE_KEY );
1620 psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
1621 psa_crypto_transaction.key.slot = slot->data.se.slot_number;
1622 psa_crypto_transaction.key.id = slot->attr.id;
1623 status = psa_crypto_save_transaction( );
1624 if( status != PSA_SUCCESS )
1625 {
1626 (void) psa_crypto_stop_transaction( );
1627 return( status );
1628 }
Gilles Peskine66be51c2019-07-25 18:02:52 +02001629 }
Darryl Green0c6575a2018-11-07 16:05:30 +00001630 }
Gilles Peskine3efcebb2019-10-01 14:18:35 +02001631
1632 if( *p_drv == NULL && method == PSA_KEY_CREATION_REGISTER )
1633 {
1634 /* Key registration only makes sense with a secure element. */
1635 return( PSA_ERROR_INVALID_ARGUMENT );
1636 }
Gilles Peskinecbaff462019-07-12 23:46:04 +02001637#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1638
Darryl Green0c6575a2018-11-07 16:05:30 +00001639 return( status );
1640}
Gilles Peskine4747d192019-04-17 15:05:45 +02001641
1642/** Finalize the creation of a key once its key material has been set.
1643 *
1644 * This entails writing the key to persistent storage.
1645 *
1646 * If this function fails, call psa_fail_key_creation().
Gilles Peskine9bc88c62019-04-28 11:37:03 +02001647 * See the documentation of psa_start_key_creation() for the intended use
1648 * of this function.
Gilles Peskine4747d192019-04-17 15:05:45 +02001649 *
Gilles Peskine011e4282019-06-26 18:34:38 +02001650 * \param[in,out] slot Pointer to the slot with key material.
1651 * \param[in] driver The secure element driver for the key,
1652 * or NULL for a transparent key.
Gilles Peskine9bc88c62019-04-28 11:37:03 +02001653 *
1654 * \retval #PSA_SUCCESS
1655 * The key was successfully created. The handle is now valid.
1656 * \return If this function fails, the key slot is an invalid state.
1657 * You must call psa_fail_key_creation() to wipe and free the slot.
Gilles Peskine4747d192019-04-17 15:05:45 +02001658 */
Gilles Peskine011e4282019-06-26 18:34:38 +02001659static psa_status_t psa_finish_key_creation(
1660 psa_key_slot_t *slot,
Gilles Peskine8abe6a22019-07-12 23:40:35 +02001661 psa_se_drv_table_entry_t *driver )
Gilles Peskine4747d192019-04-17 15:05:45 +02001662{
1663 psa_status_t status = PSA_SUCCESS;
Gilles Peskine30afafd2019-04-25 13:47:40 +02001664 (void) slot;
Gilles Peskine011e4282019-06-26 18:34:38 +02001665 (void) driver;
Gilles Peskine4747d192019-04-17 15:05:45 +02001666
1667#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
Steven Cooremanc59de6a2020-06-08 18:28:25 +02001668 if( ! PSA_KEY_LIFETIME_IS_VOLATILE( slot->attr.lifetime ) )
Gilles Peskine4747d192019-04-17 15:05:45 +02001669 {
Gilles Peskine1df83d42019-07-23 16:13:14 +02001670#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1671 if( driver != NULL )
1672 {
Gilles Peskineb46bef22019-07-30 21:32:04 +02001673 psa_se_key_data_storage_t data;
1674#if defined(static_assert)
1675 static_assert( sizeof( slot->data.se.slot_number ) ==
1676 sizeof( data.slot_number ),
1677 "Slot number size does not match psa_se_key_data_storage_t" );
1678 static_assert( sizeof( slot->attr.bits ) == sizeof( data.bits ),
1679 "Bit-size size does not match psa_se_key_data_storage_t" );
1680#endif
1681 memcpy( &data.slot_number, &slot->data.se.slot_number,
1682 sizeof( slot->data.se.slot_number ) );
1683 memcpy( &data.bits, &slot->attr.bits,
1684 sizeof( slot->attr.bits ) );
Gilles Peskine76aa09c2019-07-31 14:15:34 +02001685 status = psa_save_persistent_key( &slot->attr,
Gilles Peskineb46bef22019-07-30 21:32:04 +02001686 (uint8_t*) &data,
1687 sizeof( data ) );
Gilles Peskine1df83d42019-07-23 16:13:14 +02001688 }
1689 else
1690#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1691 {
Gilles Peskinee60d1d02019-07-24 20:27:59 +02001692 size_t buffer_size =
Gilles Peskine8e338702019-07-30 20:06:31 +02001693 PSA_KEY_EXPORT_MAX_SIZE( slot->attr.type,
Gilles Peskine76aa09c2019-07-31 14:15:34 +02001694 slot->attr.bits );
Gilles Peskinee60d1d02019-07-24 20:27:59 +02001695 uint8_t *buffer = mbedtls_calloc( 1, buffer_size );
1696 size_t length = 0;
Gilles Peskinef9168942019-09-12 19:20:29 +02001697 if( buffer == NULL )
Gilles Peskine1df83d42019-07-23 16:13:14 +02001698 return( PSA_ERROR_INSUFFICIENT_MEMORY );
1699 status = psa_internal_export_key( slot,
1700 buffer, buffer_size, &length,
1701 0 );
Gilles Peskinee60d1d02019-07-24 20:27:59 +02001702 if( status == PSA_SUCCESS )
Gilles Peskine76aa09c2019-07-31 14:15:34 +02001703 status = psa_save_persistent_key( &slot->attr,
Gilles Peskine4ed0e6f2019-07-30 20:22:33 +02001704 buffer, length );
Gilles Peskine4747d192019-04-17 15:05:45 +02001705
Gilles Peskinef9168942019-09-12 19:20:29 +02001706 mbedtls_platform_zeroize( buffer, buffer_size );
Gilles Peskine1df83d42019-07-23 16:13:14 +02001707 mbedtls_free( buffer );
1708 }
Gilles Peskine4747d192019-04-17 15:05:45 +02001709 }
Darryl Green0c6575a2018-11-07 16:05:30 +00001710#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
1711
Gilles Peskinecbaff462019-07-12 23:46:04 +02001712#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Gilles Peskined7729582019-08-05 15:55:54 +02001713 /* Finish the transaction for a key creation. This does not
1714 * happen when registering an existing key. Detect this case
1715 * by checking whether a transaction is in progress (actual
Steven Cooremanbbeaf182020-06-08 18:29:44 +02001716 * creation of a persistent key in a secure element requires a transaction,
1717 * but registration or volatile key creation doesn't use one). */
Gilles Peskined7729582019-08-05 15:55:54 +02001718 if( driver != NULL &&
1719 psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY )
Gilles Peskinecbaff462019-07-12 23:46:04 +02001720 {
1721 status = psa_save_se_persistent_data( driver );
1722 if( status != PSA_SUCCESS )
1723 {
Gilles Peskine8e338702019-07-30 20:06:31 +02001724 psa_destroy_persistent_key( slot->attr.id );
Gilles Peskinecbaff462019-07-12 23:46:04 +02001725 return( status );
1726 }
Gilles Peskinefc762652019-07-22 19:30:34 +02001727 status = psa_crypto_stop_transaction( );
1728 if( status != PSA_SUCCESS )
1729 return( status );
Gilles Peskinecbaff462019-07-12 23:46:04 +02001730 }
1731#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1732
Gilles Peskine4747d192019-04-17 15:05:45 +02001733 return( status );
1734}
1735
1736/** Abort the creation of a key.
1737 *
1738 * You may call this function after calling psa_start_key_creation(),
1739 * or after psa_finish_key_creation() fails. In other circumstances, this
1740 * function may not clean up persistent storage.
Gilles Peskine9bc88c62019-04-28 11:37:03 +02001741 * See the documentation of psa_start_key_creation() for the intended use
1742 * of this function.
Gilles Peskine4747d192019-04-17 15:05:45 +02001743 *
Gilles Peskine011e4282019-06-26 18:34:38 +02001744 * \param[in,out] slot Pointer to the slot with key material.
1745 * \param[in] driver The secure element driver for the key,
1746 * or NULL for a transparent key.
Gilles Peskine4747d192019-04-17 15:05:45 +02001747 */
Gilles Peskine011e4282019-06-26 18:34:38 +02001748static void psa_fail_key_creation( psa_key_slot_t *slot,
Gilles Peskine8abe6a22019-07-12 23:40:35 +02001749 psa_se_drv_table_entry_t *driver )
Gilles Peskine4747d192019-04-17 15:05:45 +02001750{
Gilles Peskine011e4282019-06-26 18:34:38 +02001751 (void) driver;
1752
Gilles Peskine4747d192019-04-17 15:05:45 +02001753 if( slot == NULL )
1754 return;
Gilles Peskine011e4282019-06-26 18:34:38 +02001755
1756#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Janos Follath1d57a202019-08-13 12:15:34 +01001757 /* TODO: If the key has already been created in the secure
Gilles Peskine011e4282019-06-26 18:34:38 +02001758 * element, and the failure happened later (when saving metadata
1759 * to internal storage), we need to destroy the key in the secure
Gilles Peskinec9d7f942019-08-13 16:17:16 +02001760 * element.
1761 * https://github.com/ARMmbed/mbed-crypto/issues/217
1762 */
Gilles Peskinefc762652019-07-22 19:30:34 +02001763
Gilles Peskined7729582019-08-05 15:55:54 +02001764 /* Abort the ongoing transaction if any (there may not be one if
1765 * the creation process failed before starting one, or if the
1766 * key creation is a registration of a key in a secure element).
1767 * Earlier functions must already have done what it takes to undo any
1768 * partial creation. All that's left is to update the transaction data
1769 * itself. */
Gilles Peskinefc762652019-07-22 19:30:34 +02001770 (void) psa_crypto_stop_transaction( );
Gilles Peskine011e4282019-06-26 18:34:38 +02001771#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1772
Gilles Peskine4747d192019-04-17 15:05:45 +02001773 psa_wipe_key_slot( slot );
1774}
1775
Gilles Peskine1b8594a2019-07-31 17:21:46 +02001776/** Validate optional attributes during key creation.
1777 *
1778 * Some key attributes are optional during key creation. If they are
1779 * specified in the attributes structure, check that they are consistent
1780 * with the data in the slot.
1781 *
1782 * This function should be called near the end of key creation, after
1783 * the slot in memory is fully populated but before saving persistent data.
1784 */
1785static psa_status_t psa_validate_optional_attributes(
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001786 const psa_key_slot_t *slot,
1787 const psa_key_attributes_t *attributes )
1788{
Gilles Peskine7e0cff92019-07-30 13:48:52 +02001789 if( attributes->core.type != 0 )
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001790 {
Gilles Peskine8e338702019-07-30 20:06:31 +02001791 if( attributes->core.type != slot->attr.type )
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001792 return( PSA_ERROR_INVALID_ARGUMENT );
1793 }
1794
1795 if( attributes->domain_parameters_size != 0 )
1796 {
1797#if defined(MBEDTLS_RSA_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02001798 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001799 {
1800 mbedtls_mpi actual, required;
Janos Follath24eed8d2019-11-22 13:21:35 +00001801 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001802 mbedtls_mpi_init( &actual );
1803 mbedtls_mpi_init( &required );
1804 ret = mbedtls_rsa_export( slot->data.rsa,
1805 NULL, NULL, NULL, NULL, &actual );
1806 if( ret != 0 )
1807 goto rsa_exit;
1808 ret = mbedtls_mpi_read_binary( &required,
1809 attributes->domain_parameters,
1810 attributes->domain_parameters_size );
1811 if( ret != 0 )
1812 goto rsa_exit;
1813 if( mbedtls_mpi_cmp_mpi( &actual, &required ) != 0 )
1814 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1815 rsa_exit:
1816 mbedtls_mpi_free( &actual );
1817 mbedtls_mpi_free( &required );
1818 if( ret != 0)
1819 return( mbedtls_to_psa_error( ret ) );
1820 }
1821 else
1822#endif
1823 {
1824 return( PSA_ERROR_INVALID_ARGUMENT );
1825 }
1826 }
1827
Gilles Peskine7e0cff92019-07-30 13:48:52 +02001828 if( attributes->core.bits != 0 )
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001829 {
Gilles Peskineb46bef22019-07-30 21:32:04 +02001830 if( attributes->core.bits != slot->attr.bits )
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001831 return( PSA_ERROR_INVALID_ARGUMENT );
1832 }
1833
1834 return( PSA_SUCCESS );
1835}
1836
Gilles Peskine4747d192019-04-17 15:05:45 +02001837psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
Gilles Peskine4747d192019-04-17 15:05:45 +02001838 const uint8_t *data,
Gilles Peskine73676cb2019-05-15 20:15:10 +02001839 size_t data_length,
1840 psa_key_handle_t *handle )
Gilles Peskine4747d192019-04-17 15:05:45 +02001841{
1842 psa_status_t status;
1843 psa_key_slot_t *slot = NULL;
Gilles Peskine8abe6a22019-07-12 23:40:35 +02001844 psa_se_drv_table_entry_t *driver = NULL;
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001845
Gilles Peskine0f84d622019-09-12 19:03:13 +02001846 /* Reject zero-length symmetric keys (including raw data key objects).
1847 * This also rejects any key which might be encoded as an empty string,
1848 * which is never valid. */
1849 if( data_length == 0 )
1850 return( PSA_ERROR_INVALID_ARGUMENT );
1851
Gilles Peskinedf179142019-07-15 22:02:14 +02001852 status = psa_start_key_creation( PSA_KEY_CREATION_IMPORT, attributes,
1853 handle, &slot, &driver );
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001854 if( status != PSA_SUCCESS )
1855 goto exit;
1856
Gilles Peskine5d309672019-07-12 23:47:28 +02001857#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1858 if( driver != NULL )
1859 {
1860 const psa_drv_se_t *drv = psa_get_se_driver_methods( driver );
Darryl Green0892d0f2019-08-20 09:50:14 +01001861 /* The driver should set the number of key bits, however in
1862 * case it doesn't, we initialize bits to an invalid value. */
1863 size_t bits = PSA_MAX_KEY_BITS + 1;
Gilles Peskine5d309672019-07-12 23:47:28 +02001864 if( drv->key_management == NULL ||
1865 drv->key_management->p_import == NULL )
1866 {
1867 status = PSA_ERROR_NOT_SUPPORTED;
1868 goto exit;
1869 }
1870 status = drv->key_management->p_import(
1871 psa_get_se_driver_context( driver ),
Gilles Peskinef3801ff2019-08-06 17:32:04 +02001872 slot->data.se.slot_number, attributes, data, data_length,
Gilles Peskineb46bef22019-07-30 21:32:04 +02001873 &bits );
1874 if( status != PSA_SUCCESS )
1875 goto exit;
1876 if( bits > PSA_MAX_KEY_BITS )
1877 {
1878 status = PSA_ERROR_NOT_SUPPORTED;
1879 goto exit;
1880 }
1881 slot->attr.bits = (psa_key_bits_t) bits;
Gilles Peskine5d309672019-07-12 23:47:28 +02001882 }
1883 else
1884#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1885 {
1886 status = psa_import_key_into_slot( slot, data, data_length );
1887 if( status != PSA_SUCCESS )
1888 goto exit;
Gilles Peskine5d309672019-07-12 23:47:28 +02001889 }
Gilles Peskine1b8594a2019-07-31 17:21:46 +02001890 status = psa_validate_optional_attributes( slot, attributes );
Gilles Peskine18017402019-07-24 20:25:59 +02001891 if( status != PSA_SUCCESS )
1892 goto exit;
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001893
Gilles Peskine011e4282019-06-26 18:34:38 +02001894 status = psa_finish_key_creation( slot, driver );
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001895exit:
Gilles Peskine4747d192019-04-17 15:05:45 +02001896 if( status != PSA_SUCCESS )
1897 {
Gilles Peskine011e4282019-06-26 18:34:38 +02001898 psa_fail_key_creation( slot, driver );
Gilles Peskine4747d192019-04-17 15:05:45 +02001899 *handle = 0;
1900 }
1901 return( status );
1902}
1903
Gilles Peskined7729582019-08-05 15:55:54 +02001904#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1905psa_status_t mbedtls_psa_register_se_key(
1906 const psa_key_attributes_t *attributes )
1907{
1908 psa_status_t status;
1909 psa_key_slot_t *slot = NULL;
1910 psa_se_drv_table_entry_t *driver = NULL;
Gilles Peskined7729582019-08-05 15:55:54 +02001911 psa_key_handle_t handle = 0;
1912
1913 /* Leaving attributes unspecified is not currently supported.
1914 * It could make sense to query the key type and size from the
1915 * secure element, but not all secure elements support this
1916 * and the driver HAL doesn't currently support it. */
1917 if( psa_get_key_type( attributes ) == PSA_KEY_TYPE_NONE )
1918 return( PSA_ERROR_NOT_SUPPORTED );
1919 if( psa_get_key_bits( attributes ) == 0 )
1920 return( PSA_ERROR_NOT_SUPPORTED );
1921
1922 status = psa_start_key_creation( PSA_KEY_CREATION_REGISTER, attributes,
1923 &handle, &slot, &driver );
1924 if( status != PSA_SUCCESS )
1925 goto exit;
1926
Gilles Peskined7729582019-08-05 15:55:54 +02001927 status = psa_finish_key_creation( slot, driver );
1928
1929exit:
1930 if( status != PSA_SUCCESS )
1931 {
1932 psa_fail_key_creation( slot, driver );
1933 }
1934 /* Registration doesn't keep the key in RAM. */
1935 psa_close_key( handle );
1936 return( status );
1937}
1938#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1939
Gilles Peskinef603c712019-01-19 13:40:11 +01001940static psa_status_t psa_copy_key_material( const psa_key_slot_t *source,
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001941 psa_key_slot_t *target )
Gilles Peskinef603c712019-01-19 13:40:11 +01001942{
1943 psa_status_t status;
1944 uint8_t *buffer = NULL;
1945 size_t buffer_size = 0;
1946 size_t length;
1947
Gilles Peskine8e338702019-07-30 20:06:31 +02001948 buffer_size = PSA_KEY_EXPORT_MAX_SIZE( source->attr.type,
Gilles Peskinedb4b3ab2019-04-18 12:53:01 +02001949 psa_get_key_slot_bits( source ) );
Gilles Peskinef603c712019-01-19 13:40:11 +01001950 buffer = mbedtls_calloc( 1, buffer_size );
Gilles Peskinef9168942019-09-12 19:20:29 +02001951 if( buffer == NULL )
Gilles Peskine122d0022019-01-23 10:55:43 +01001952 return( PSA_ERROR_INSUFFICIENT_MEMORY );
Gilles Peskinef603c712019-01-19 13:40:11 +01001953 status = psa_internal_export_key( source, buffer, buffer_size, &length, 0 );
1954 if( status != PSA_SUCCESS )
1955 goto exit;
Gilles Peskine8e338702019-07-30 20:06:31 +02001956 target->attr.type = source->attr.type;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001957 status = psa_import_key_into_slot( target, buffer, length );
Gilles Peskinef603c712019-01-19 13:40:11 +01001958
1959exit:
Gilles Peskinef9168942019-09-12 19:20:29 +02001960 mbedtls_platform_zeroize( buffer, buffer_size );
Gilles Peskine122d0022019-01-23 10:55:43 +01001961 mbedtls_free( buffer );
Gilles Peskinef603c712019-01-19 13:40:11 +01001962 return( status );
1963}
1964
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001965psa_status_t psa_copy_key( psa_key_handle_t source_handle,
1966 const psa_key_attributes_t *specified_attributes,
1967 psa_key_handle_t *target_handle )
Gilles Peskinef603c712019-01-19 13:40:11 +01001968{
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001969 psa_status_t status;
Gilles Peskinef603c712019-01-19 13:40:11 +01001970 psa_key_slot_t *source_slot = NULL;
1971 psa_key_slot_t *target_slot = NULL;
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001972 psa_key_attributes_t actual_attributes = *specified_attributes;
Gilles Peskine8abe6a22019-07-12 23:40:35 +02001973 psa_se_drv_table_entry_t *driver = NULL;
Gilles Peskinef603c712019-01-19 13:40:11 +01001974
Gilles Peskine28f8f302019-07-24 13:30:31 +02001975 status = psa_get_transparent_key( source_handle, &source_slot,
Gilles Peskinef77a6ac2019-07-25 10:51:03 +02001976 PSA_KEY_USAGE_COPY, 0 );
Gilles Peskinef603c712019-01-19 13:40:11 +01001977 if( status != PSA_SUCCESS )
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001978 goto exit;
1979
Gilles Peskine1b8594a2019-07-31 17:21:46 +02001980 status = psa_validate_optional_attributes( source_slot,
1981 specified_attributes );
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02001982 if( status != PSA_SUCCESS )
1983 goto exit;
1984
Gilles Peskine7e0cff92019-07-30 13:48:52 +02001985 status = psa_restrict_key_policy( &actual_attributes.core.policy,
Gilles Peskine8e338702019-07-30 20:06:31 +02001986 &source_slot->attr.policy );
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001987 if( status != PSA_SUCCESS )
1988 goto exit;
1989
Gilles Peskinedf179142019-07-15 22:02:14 +02001990 status = psa_start_key_creation( PSA_KEY_CREATION_COPY,
1991 &actual_attributes,
Gilles Peskine011e4282019-06-26 18:34:38 +02001992 target_handle, &target_slot, &driver );
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02001993 if( status != PSA_SUCCESS )
1994 goto exit;
1995
Gilles Peskinef4ee6622019-07-24 13:44:30 +02001996#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1997 if( driver != NULL )
Gilles Peskinef603c712019-01-19 13:40:11 +01001998 {
Gilles Peskinef4ee6622019-07-24 13:44:30 +02001999 /* Copying to a secure element is not implemented yet. */
2000 status = PSA_ERROR_NOT_SUPPORTED;
2001 goto exit;
Gilles Peskinef603c712019-01-19 13:40:11 +01002002 }
Gilles Peskinef4ee6622019-07-24 13:44:30 +02002003#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskinef603c712019-01-19 13:40:11 +01002004
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02002005 status = psa_copy_key_material( source_slot, target_slot );
Gilles Peskinef603c712019-01-19 13:40:11 +01002006 if( status != PSA_SUCCESS )
Gilles Peskine4ce2a9d2019-05-03 16:57:15 +02002007 goto exit;
Gilles Peskinef603c712019-01-19 13:40:11 +01002008
Gilles Peskine011e4282019-06-26 18:34:38 +02002009 status = psa_finish_key_creation( target_slot, driver );
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02002010exit:
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02002011 if( status != PSA_SUCCESS )
2012 {
Gilles Peskine011e4282019-06-26 18:34:38 +02002013 psa_fail_key_creation( target_slot, driver );
Gilles Peskine8c8f2ab2019-04-18 21:44:46 +02002014 *target_handle = 0;
2015 }
2016 return( status );
Gilles Peskinef603c712019-01-19 13:40:11 +01002017}
2018
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +02002019
2020
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +01002021/****************************************************************/
Gilles Peskine20035e32018-02-03 22:44:14 +01002022/* Message digests */
2023/****************************************************************/
2024
Gilles Peskineb16841e2019-10-10 20:36:12 +02002025#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_DETERMINISTIC)
Gilles Peskinedc2fc842018-03-07 16:42:59 +01002026static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
Gilles Peskine20035e32018-02-03 22:44:14 +01002027{
2028 switch( alg )
2029 {
2030#if defined(MBEDTLS_MD2_C)
2031 case PSA_ALG_MD2:
2032 return( &mbedtls_md2_info );
2033#endif
2034#if defined(MBEDTLS_MD4_C)
2035 case PSA_ALG_MD4:
2036 return( &mbedtls_md4_info );
2037#endif
2038#if defined(MBEDTLS_MD5_C)
2039 case PSA_ALG_MD5:
2040 return( &mbedtls_md5_info );
2041#endif
2042#if defined(MBEDTLS_RIPEMD160_C)
2043 case PSA_ALG_RIPEMD160:
2044 return( &mbedtls_ripemd160_info );
2045#endif
2046#if defined(MBEDTLS_SHA1_C)
2047 case PSA_ALG_SHA_1:
2048 return( &mbedtls_sha1_info );
2049#endif
2050#if defined(MBEDTLS_SHA256_C)
2051 case PSA_ALG_SHA_224:
2052 return( &mbedtls_sha224_info );
2053 case PSA_ALG_SHA_256:
2054 return( &mbedtls_sha256_info );
2055#endif
2056#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnardd6020842019-07-17 16:28:21 +02002057#if !defined(MBEDTLS_SHA512_NO_SHA384)
Gilles Peskine20035e32018-02-03 22:44:14 +01002058 case PSA_ALG_SHA_384:
2059 return( &mbedtls_sha384_info );
Manuel Pégourié-Gonnardd6020842019-07-17 16:28:21 +02002060#endif
Gilles Peskine20035e32018-02-03 22:44:14 +01002061 case PSA_ALG_SHA_512:
2062 return( &mbedtls_sha512_info );
2063#endif
2064 default:
2065 return( NULL );
2066 }
2067}
Gilles Peskineb16841e2019-10-10 20:36:12 +02002068#endif
Gilles Peskine20035e32018-02-03 22:44:14 +01002069
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002070psa_status_t psa_hash_abort( psa_hash_operation_t *operation )
2071{
2072 switch( operation->alg )
2073 {
Gilles Peskine81736312018-06-26 15:04:31 +02002074 case 0:
2075 /* The object has (apparently) been initialized but it is not
2076 * in use. It's ok to call abort on such an object, and there's
2077 * nothing to do. */
2078 break;
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002079#if defined(MBEDTLS_MD2_C)
2080 case PSA_ALG_MD2:
2081 mbedtls_md2_free( &operation->ctx.md2 );
2082 break;
2083#endif
2084#if defined(MBEDTLS_MD4_C)
2085 case PSA_ALG_MD4:
2086 mbedtls_md4_free( &operation->ctx.md4 );
2087 break;
2088#endif
2089#if defined(MBEDTLS_MD5_C)
2090 case PSA_ALG_MD5:
2091 mbedtls_md5_free( &operation->ctx.md5 );
2092 break;
2093#endif
2094#if defined(MBEDTLS_RIPEMD160_C)
2095 case PSA_ALG_RIPEMD160:
2096 mbedtls_ripemd160_free( &operation->ctx.ripemd160 );
2097 break;
2098#endif
2099#if defined(MBEDTLS_SHA1_C)
2100 case PSA_ALG_SHA_1:
2101 mbedtls_sha1_free( &operation->ctx.sha1 );
2102 break;
2103#endif
2104#if defined(MBEDTLS_SHA256_C)
2105 case PSA_ALG_SHA_224:
2106 case PSA_ALG_SHA_256:
2107 mbedtls_sha256_free( &operation->ctx.sha256 );
2108 break;
2109#endif
2110#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard792b16d2020-01-07 10:13:18 +01002111#if !defined(MBEDTLS_SHA512_NO_SHA384)
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002112 case PSA_ALG_SHA_384:
Manuel Pégourié-Gonnard792b16d2020-01-07 10:13:18 +01002113#endif
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002114 case PSA_ALG_SHA_512:
2115 mbedtls_sha512_free( &operation->ctx.sha512 );
2116 break;
2117#endif
2118 default:
Gilles Peskinef9c2c092018-06-21 16:57:07 +02002119 return( PSA_ERROR_BAD_STATE );
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002120 }
2121 operation->alg = 0;
2122 return( PSA_SUCCESS );
2123}
2124
Gilles Peskineda8191d1c2018-07-08 19:46:38 +02002125psa_status_t psa_hash_setup( psa_hash_operation_t *operation,
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002126 psa_algorithm_t alg )
2127{
Janos Follath24eed8d2019-11-22 13:21:35 +00002128 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero36ee5d02019-02-19 09:25:10 +00002129
2130 /* A context must be freshly initialized before it can be set up. */
2131 if( operation->alg != 0 )
2132 {
2133 return( PSA_ERROR_BAD_STATE );
2134 }
2135
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002136 switch( alg )
2137 {
2138#if defined(MBEDTLS_MD2_C)
2139 case PSA_ALG_MD2:
2140 mbedtls_md2_init( &operation->ctx.md2 );
2141 ret = mbedtls_md2_starts_ret( &operation->ctx.md2 );
2142 break;
2143#endif
2144#if defined(MBEDTLS_MD4_C)
2145 case PSA_ALG_MD4:
2146 mbedtls_md4_init( &operation->ctx.md4 );
2147 ret = mbedtls_md4_starts_ret( &operation->ctx.md4 );
2148 break;
2149#endif
2150#if defined(MBEDTLS_MD5_C)
2151 case PSA_ALG_MD5:
2152 mbedtls_md5_init( &operation->ctx.md5 );
2153 ret = mbedtls_md5_starts_ret( &operation->ctx.md5 );
2154 break;
2155#endif
2156#if defined(MBEDTLS_RIPEMD160_C)
2157 case PSA_ALG_RIPEMD160:
2158 mbedtls_ripemd160_init( &operation->ctx.ripemd160 );
2159 ret = mbedtls_ripemd160_starts_ret( &operation->ctx.ripemd160 );
2160 break;
2161#endif
2162#if defined(MBEDTLS_SHA1_C)
2163 case PSA_ALG_SHA_1:
2164 mbedtls_sha1_init( &operation->ctx.sha1 );
2165 ret = mbedtls_sha1_starts_ret( &operation->ctx.sha1 );
2166 break;
2167#endif
2168#if defined(MBEDTLS_SHA256_C)
2169 case PSA_ALG_SHA_224:
2170 mbedtls_sha256_init( &operation->ctx.sha256 );
2171 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 1 );
2172 break;
2173 case PSA_ALG_SHA_256:
2174 mbedtls_sha256_init( &operation->ctx.sha256 );
2175 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 0 );
2176 break;
2177#endif
2178#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard792b16d2020-01-07 10:13:18 +01002179#if !defined(MBEDTLS_SHA512_NO_SHA384)
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002180 case PSA_ALG_SHA_384:
2181 mbedtls_sha512_init( &operation->ctx.sha512 );
2182 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 1 );
2183 break;
Manuel Pégourié-Gonnard792b16d2020-01-07 10:13:18 +01002184#endif
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002185 case PSA_ALG_SHA_512:
2186 mbedtls_sha512_init( &operation->ctx.sha512 );
2187 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 0 );
2188 break;
2189#endif
2190 default:
Gilles Peskinec06e0712018-06-20 16:21:04 +02002191 return( PSA_ALG_IS_HASH( alg ) ?
2192 PSA_ERROR_NOT_SUPPORTED :
2193 PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002194 }
2195 if( ret == 0 )
2196 operation->alg = alg;
2197 else
2198 psa_hash_abort( operation );
2199 return( mbedtls_to_psa_error( ret ) );
2200}
2201
2202psa_status_t psa_hash_update( psa_hash_operation_t *operation,
2203 const uint8_t *input,
2204 size_t input_length )
2205{
Janos Follath24eed8d2019-11-22 13:21:35 +00002206 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine94e44542018-07-12 16:58:43 +02002207
2208 /* Don't require hash implementations to behave correctly on a
2209 * zero-length input, which may have an invalid pointer. */
2210 if( input_length == 0 )
2211 return( PSA_SUCCESS );
2212
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002213 switch( operation->alg )
2214 {
2215#if defined(MBEDTLS_MD2_C)
2216 case PSA_ALG_MD2:
2217 ret = mbedtls_md2_update_ret( &operation->ctx.md2,
2218 input, input_length );
2219 break;
2220#endif
2221#if defined(MBEDTLS_MD4_C)
2222 case PSA_ALG_MD4:
2223 ret = mbedtls_md4_update_ret( &operation->ctx.md4,
2224 input, input_length );
2225 break;
2226#endif
2227#if defined(MBEDTLS_MD5_C)
2228 case PSA_ALG_MD5:
2229 ret = mbedtls_md5_update_ret( &operation->ctx.md5,
2230 input, input_length );
2231 break;
2232#endif
2233#if defined(MBEDTLS_RIPEMD160_C)
2234 case PSA_ALG_RIPEMD160:
2235 ret = mbedtls_ripemd160_update_ret( &operation->ctx.ripemd160,
2236 input, input_length );
2237 break;
2238#endif
2239#if defined(MBEDTLS_SHA1_C)
2240 case PSA_ALG_SHA_1:
2241 ret = mbedtls_sha1_update_ret( &operation->ctx.sha1,
2242 input, input_length );
2243 break;
2244#endif
2245#if defined(MBEDTLS_SHA256_C)
2246 case PSA_ALG_SHA_224:
2247 case PSA_ALG_SHA_256:
2248 ret = mbedtls_sha256_update_ret( &operation->ctx.sha256,
2249 input, input_length );
2250 break;
2251#endif
2252#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard792b16d2020-01-07 10:13:18 +01002253#if !defined(MBEDTLS_SHA512_NO_SHA384)
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002254 case PSA_ALG_SHA_384:
Manuel Pégourié-Gonnard792b16d2020-01-07 10:13:18 +01002255#endif
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002256 case PSA_ALG_SHA_512:
2257 ret = mbedtls_sha512_update_ret( &operation->ctx.sha512,
2258 input, input_length );
2259 break;
2260#endif
2261 default:
Jaeden Ameroa0f625a2019-02-15 13:52:25 +00002262 return( PSA_ERROR_BAD_STATE );
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002263 }
Gilles Peskine94e44542018-07-12 16:58:43 +02002264
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002265 if( ret != 0 )
2266 psa_hash_abort( operation );
2267 return( mbedtls_to_psa_error( ret ) );
2268}
2269
2270psa_status_t psa_hash_finish( psa_hash_operation_t *operation,
2271 uint8_t *hash,
2272 size_t hash_size,
2273 size_t *hash_length )
2274{
itayzafrir40835d42018-08-02 13:14:17 +03002275 psa_status_t status;
Janos Follath24eed8d2019-11-22 13:21:35 +00002276 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine71bb7b72018-04-19 08:29:59 +02002277 size_t actual_hash_length = PSA_HASH_SIZE( operation->alg );
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002278
2279 /* Fill the output buffer with something that isn't a valid hash
2280 * (barring an attack on the hash and deliberately-crafted input),
2281 * in case the caller doesn't check the return status properly. */
Gilles Peskineaee13332018-07-02 12:15:28 +02002282 *hash_length = hash_size;
Gilles Peskine46f1fd72018-06-28 19:31:31 +02002283 /* If hash_size is 0 then hash may be NULL and then the
2284 * call to memset would have undefined behavior. */
2285 if( hash_size != 0 )
2286 memset( hash, '!', hash_size );
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002287
2288 if( hash_size < actual_hash_length )
itayzafrir40835d42018-08-02 13:14:17 +03002289 {
2290 status = PSA_ERROR_BUFFER_TOO_SMALL;
2291 goto exit;
2292 }
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002293
2294 switch( operation->alg )
2295 {
2296#if defined(MBEDTLS_MD2_C)
2297 case PSA_ALG_MD2:
2298 ret = mbedtls_md2_finish_ret( &operation->ctx.md2, hash );
2299 break;
2300#endif
2301#if defined(MBEDTLS_MD4_C)
2302 case PSA_ALG_MD4:
2303 ret = mbedtls_md4_finish_ret( &operation->ctx.md4, hash );
2304 break;
2305#endif
2306#if defined(MBEDTLS_MD5_C)
2307 case PSA_ALG_MD5:
2308 ret = mbedtls_md5_finish_ret( &operation->ctx.md5, hash );
2309 break;
2310#endif
2311#if defined(MBEDTLS_RIPEMD160_C)
2312 case PSA_ALG_RIPEMD160:
2313 ret = mbedtls_ripemd160_finish_ret( &operation->ctx.ripemd160, hash );
2314 break;
2315#endif
2316#if defined(MBEDTLS_SHA1_C)
2317 case PSA_ALG_SHA_1:
2318 ret = mbedtls_sha1_finish_ret( &operation->ctx.sha1, hash );
2319 break;
2320#endif
2321#if defined(MBEDTLS_SHA256_C)
2322 case PSA_ALG_SHA_224:
2323 case PSA_ALG_SHA_256:
2324 ret = mbedtls_sha256_finish_ret( &operation->ctx.sha256, hash );
2325 break;
2326#endif
2327#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard792b16d2020-01-07 10:13:18 +01002328#if !defined(MBEDTLS_SHA512_NO_SHA384)
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002329 case PSA_ALG_SHA_384:
Manuel Pégourié-Gonnard792b16d2020-01-07 10:13:18 +01002330#endif
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002331 case PSA_ALG_SHA_512:
2332 ret = mbedtls_sha512_finish_ret( &operation->ctx.sha512, hash );
2333 break;
2334#endif
2335 default:
Jaeden Ameroa0f625a2019-02-15 13:52:25 +00002336 return( PSA_ERROR_BAD_STATE );
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002337 }
itayzafrir40835d42018-08-02 13:14:17 +03002338 status = mbedtls_to_psa_error( ret );
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002339
itayzafrir40835d42018-08-02 13:14:17 +03002340exit:
2341 if( status == PSA_SUCCESS )
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002342 {
Gilles Peskineaee13332018-07-02 12:15:28 +02002343 *hash_length = actual_hash_length;
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002344 return( psa_hash_abort( operation ) );
2345 }
2346 else
2347 {
2348 psa_hash_abort( operation );
itayzafrir40835d42018-08-02 13:14:17 +03002349 return( status );
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002350 }
2351}
2352
Gilles Peskine2d277862018-06-18 15:41:12 +02002353psa_status_t psa_hash_verify( psa_hash_operation_t *operation,
2354 const uint8_t *hash,
2355 size_t hash_length )
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002356{
2357 uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE];
2358 size_t actual_hash_length;
2359 psa_status_t status = psa_hash_finish( operation,
2360 actual_hash, sizeof( actual_hash ),
2361 &actual_hash_length );
2362 if( status != PSA_SUCCESS )
2363 return( status );
2364 if( actual_hash_length != hash_length )
2365 return( PSA_ERROR_INVALID_SIGNATURE );
2366 if( safer_memcmp( hash, actual_hash, actual_hash_length ) != 0 )
2367 return( PSA_ERROR_INVALID_SIGNATURE );
2368 return( PSA_SUCCESS );
2369}
2370
Gilles Peskine0a749c82019-11-28 19:33:58 +01002371psa_status_t psa_hash_compute( psa_algorithm_t alg,
2372 const uint8_t *input, size_t input_length,
2373 uint8_t *hash, size_t hash_size,
2374 size_t *hash_length )
2375{
2376 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
2377 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2378
2379 *hash_length = hash_size;
2380 status = psa_hash_setup( &operation, alg );
2381 if( status != PSA_SUCCESS )
2382 goto exit;
2383 status = psa_hash_update( &operation, input, input_length );
2384 if( status != PSA_SUCCESS )
2385 goto exit;
2386 status = psa_hash_finish( &operation, hash, hash_size, hash_length );
2387 if( status != PSA_SUCCESS )
2388 goto exit;
2389
2390exit:
2391 if( status == PSA_SUCCESS )
2392 status = psa_hash_abort( &operation );
2393 else
2394 psa_hash_abort( &operation );
2395 return( status );
2396}
2397
2398psa_status_t psa_hash_compare( psa_algorithm_t alg,
2399 const uint8_t *input, size_t input_length,
2400 const uint8_t *hash, size_t hash_length )
2401{
2402 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
2403 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2404
2405 status = psa_hash_setup( &operation, alg );
2406 if( status != PSA_SUCCESS )
2407 goto exit;
2408 status = psa_hash_update( &operation, input, input_length );
2409 if( status != PSA_SUCCESS )
2410 goto exit;
2411 status = psa_hash_verify( &operation, hash, hash_length );
2412 if( status != PSA_SUCCESS )
2413 goto exit;
2414
2415exit:
2416 if( status == PSA_SUCCESS )
2417 status = psa_hash_abort( &operation );
2418 else
2419 psa_hash_abort( &operation );
2420 return( status );
2421}
2422
Gilles Peskineeb35d782019-01-22 17:56:16 +01002423psa_status_t psa_hash_clone( const psa_hash_operation_t *source_operation,
2424 psa_hash_operation_t *target_operation )
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01002425{
2426 if( target_operation->alg != 0 )
2427 return( PSA_ERROR_BAD_STATE );
2428
2429 switch( source_operation->alg )
2430 {
2431 case 0:
2432 return( PSA_ERROR_BAD_STATE );
2433#if defined(MBEDTLS_MD2_C)
2434 case PSA_ALG_MD2:
2435 mbedtls_md2_clone( &target_operation->ctx.md2,
2436 &source_operation->ctx.md2 );
2437 break;
2438#endif
2439#if defined(MBEDTLS_MD4_C)
2440 case PSA_ALG_MD4:
2441 mbedtls_md4_clone( &target_operation->ctx.md4,
2442 &source_operation->ctx.md4 );
2443 break;
2444#endif
2445#if defined(MBEDTLS_MD5_C)
2446 case PSA_ALG_MD5:
2447 mbedtls_md5_clone( &target_operation->ctx.md5,
2448 &source_operation->ctx.md5 );
2449 break;
2450#endif
2451#if defined(MBEDTLS_RIPEMD160_C)
2452 case PSA_ALG_RIPEMD160:
2453 mbedtls_ripemd160_clone( &target_operation->ctx.ripemd160,
2454 &source_operation->ctx.ripemd160 );
2455 break;
2456#endif
2457#if defined(MBEDTLS_SHA1_C)
2458 case PSA_ALG_SHA_1:
2459 mbedtls_sha1_clone( &target_operation->ctx.sha1,
2460 &source_operation->ctx.sha1 );
2461 break;
2462#endif
2463#if defined(MBEDTLS_SHA256_C)
2464 case PSA_ALG_SHA_224:
2465 case PSA_ALG_SHA_256:
2466 mbedtls_sha256_clone( &target_operation->ctx.sha256,
2467 &source_operation->ctx.sha256 );
2468 break;
2469#endif
2470#if defined(MBEDTLS_SHA512_C)
Manuel Pégourié-Gonnard792b16d2020-01-07 10:13:18 +01002471#if !defined(MBEDTLS_SHA512_NO_SHA384)
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01002472 case PSA_ALG_SHA_384:
Manuel Pégourié-Gonnard792b16d2020-01-07 10:13:18 +01002473#endif
Gilles Peskineebb2c3e2019-01-19 12:03:41 +01002474 case PSA_ALG_SHA_512:
2475 mbedtls_sha512_clone( &target_operation->ctx.sha512,
2476 &source_operation->ctx.sha512 );
2477 break;
2478#endif
2479 default:
2480 return( PSA_ERROR_NOT_SUPPORTED );
2481 }
2482
2483 target_operation->alg = source_operation->alg;
2484 return( PSA_SUCCESS );
2485}
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002486
2487
Gilles Peskine9ef733f2018-02-07 21:05:37 +01002488/****************************************************************/
Gilles Peskine8c9def32018-02-08 10:02:12 +01002489/* MAC */
2490/****************************************************************/
2491
Gilles Peskinedc2fc842018-03-07 16:42:59 +01002492static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
Gilles Peskine8c9def32018-02-08 10:02:12 +01002493 psa_algorithm_t alg,
2494 psa_key_type_t key_type,
Gilles Peskine2d277862018-06-18 15:41:12 +02002495 size_t key_bits,
mohammad1603f4f0d612018-06-03 15:04:51 +03002496 mbedtls_cipher_id_t* cipher_id )
Gilles Peskine8c9def32018-02-08 10:02:12 +01002497{
Gilles Peskine8c9def32018-02-08 10:02:12 +01002498 mbedtls_cipher_mode_t mode;
mohammad1603f4f0d612018-06-03 15:04:51 +03002499 mbedtls_cipher_id_t cipher_id_tmp;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002500
Gilles Peskine23cc2ff2018-08-17 19:47:52 +02002501 if( PSA_ALG_IS_AEAD( alg ) )
Gilles Peskine57fbdb12018-10-17 18:29:17 +02002502 alg = PSA_ALG_AEAD_WITH_TAG_LENGTH( alg, 0 );
Gilles Peskine23cc2ff2018-08-17 19:47:52 +02002503
Gilles Peskine8c9def32018-02-08 10:02:12 +01002504 if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) )
2505 {
Nir Sonnenscheine9664c32018-06-17 14:41:30 +03002506 switch( alg )
Gilles Peskine8c9def32018-02-08 10:02:12 +01002507 {
Gilles Peskinedaea26f2018-08-21 14:02:45 +02002508 case PSA_ALG_ARC4:
Gilles Peskine26869f22019-05-06 15:25:00 +02002509 case PSA_ALG_CHACHA20:
Gilles Peskine8c9def32018-02-08 10:02:12 +01002510 mode = MBEDTLS_MODE_STREAM;
2511 break;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002512 case PSA_ALG_CTR:
2513 mode = MBEDTLS_MODE_CTR;
2514 break;
Gilles Peskinedaea26f2018-08-21 14:02:45 +02002515 case PSA_ALG_CFB:
2516 mode = MBEDTLS_MODE_CFB;
2517 break;
2518 case PSA_ALG_OFB:
2519 mode = MBEDTLS_MODE_OFB;
2520 break;
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02002521 case PSA_ALG_ECB_NO_PADDING:
2522 mode = MBEDTLS_MODE_ECB;
2523 break;
Gilles Peskinedaea26f2018-08-21 14:02:45 +02002524 case PSA_ALG_CBC_NO_PADDING:
2525 mode = MBEDTLS_MODE_CBC;
2526 break;
2527 case PSA_ALG_CBC_PKCS7:
2528 mode = MBEDTLS_MODE_CBC;
2529 break;
Gilles Peskine57fbdb12018-10-17 18:29:17 +02002530 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CCM, 0 ):
Gilles Peskine8c9def32018-02-08 10:02:12 +01002531 mode = MBEDTLS_MODE_CCM;
2532 break;
Gilles Peskine57fbdb12018-10-17 18:29:17 +02002533 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_GCM, 0 ):
Gilles Peskine8c9def32018-02-08 10:02:12 +01002534 mode = MBEDTLS_MODE_GCM;
2535 break;
Gilles Peskine26869f22019-05-06 15:25:00 +02002536 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CHACHA20_POLY1305, 0 ):
2537 mode = MBEDTLS_MODE_CHACHAPOLY;
2538 break;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002539 default:
2540 return( NULL );
2541 }
2542 }
2543 else if( alg == PSA_ALG_CMAC )
2544 mode = MBEDTLS_MODE_ECB;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002545 else
2546 return( NULL );
2547
2548 switch( key_type )
2549 {
2550 case PSA_KEY_TYPE_AES:
mohammad1603f4f0d612018-06-03 15:04:51 +03002551 cipher_id_tmp = MBEDTLS_CIPHER_ID_AES;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002552 break;
2553 case PSA_KEY_TYPE_DES:
Gilles Peskine9ad29e22018-06-21 09:40:04 +02002554 /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES,
2555 * and 192 for three-key Triple-DES. */
Gilles Peskine8c9def32018-02-08 10:02:12 +01002556 if( key_bits == 64 )
mohammad1603f4f0d612018-06-03 15:04:51 +03002557 cipher_id_tmp = MBEDTLS_CIPHER_ID_DES;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002558 else
mohammad1603f4f0d612018-06-03 15:04:51 +03002559 cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES;
Gilles Peskine9ad29e22018-06-21 09:40:04 +02002560 /* mbedtls doesn't recognize two-key Triple-DES as an algorithm,
2561 * but two-key Triple-DES is functionally three-key Triple-DES
2562 * with K1=K3, so that's how we present it to mbedtls. */
2563 if( key_bits == 128 )
2564 key_bits = 192;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002565 break;
2566 case PSA_KEY_TYPE_CAMELLIA:
mohammad1603f4f0d612018-06-03 15:04:51 +03002567 cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002568 break;
2569 case PSA_KEY_TYPE_ARC4:
mohammad1603f4f0d612018-06-03 15:04:51 +03002570 cipher_id_tmp = MBEDTLS_CIPHER_ID_ARC4;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002571 break;
Gilles Peskine26869f22019-05-06 15:25:00 +02002572 case PSA_KEY_TYPE_CHACHA20:
2573 cipher_id_tmp = MBEDTLS_CIPHER_ID_CHACHA20;
2574 break;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002575 default:
2576 return( NULL );
2577 }
mohammad1603f4f0d612018-06-03 15:04:51 +03002578 if( cipher_id != NULL )
mohammad160360a64d02018-06-03 17:20:42 +03002579 *cipher_id = cipher_id_tmp;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002580
Jaeden Amero23bbb752018-06-26 14:16:54 +01002581 return( mbedtls_cipher_info_from_values( cipher_id_tmp,
2582 (int) key_bits, mode ) );
Gilles Peskine8c9def32018-02-08 10:02:12 +01002583}
2584
Gilles Peskinea05219c2018-11-16 16:02:56 +01002585#if defined(MBEDTLS_MD_C)
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +03002586static size_t psa_get_hash_block_size( psa_algorithm_t alg )
Nir Sonnenschein96272412018-06-17 14:41:10 +03002587{
Gilles Peskine2d277862018-06-18 15:41:12 +02002588 switch( alg )
Nir Sonnenschein96272412018-06-17 14:41:10 +03002589 {
2590 case PSA_ALG_MD2:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +03002591 return( 16 );
Nir Sonnenschein96272412018-06-17 14:41:10 +03002592 case PSA_ALG_MD4:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +03002593 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +03002594 case PSA_ALG_MD5:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +03002595 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +03002596 case PSA_ALG_RIPEMD160:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +03002597 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +03002598 case PSA_ALG_SHA_1:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +03002599 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +03002600 case PSA_ALG_SHA_224:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +03002601 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +03002602 case PSA_ALG_SHA_256:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +03002603 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +03002604 case PSA_ALG_SHA_384:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +03002605 return( 128 );
Nir Sonnenschein96272412018-06-17 14:41:10 +03002606 case PSA_ALG_SHA_512:
Gilles Peskine2d277862018-06-18 15:41:12 +02002607 return( 128 );
2608 default:
2609 return( 0 );
Nir Sonnenschein96272412018-06-17 14:41:10 +03002610 }
2611}
Gilles Peskinea05219c2018-11-16 16:02:56 +01002612#endif /* MBEDTLS_MD_C */
Nir Sonnenschein0c9ec532018-06-07 13:27:47 +03002613
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002614/* Initialize the MAC operation structure. Once this function has been
2615 * called, psa_mac_abort can run and will do the right thing. */
2616static psa_status_t psa_mac_init( psa_mac_operation_t *operation,
2617 psa_algorithm_t alg )
2618{
2619 psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
2620
2621 operation->alg = alg;
2622 operation->key_set = 0;
2623 operation->iv_set = 0;
2624 operation->iv_required = 0;
2625 operation->has_input = 0;
Gilles Peskine89167cb2018-07-08 20:12:23 +02002626 operation->is_sign = 0;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002627
2628#if defined(MBEDTLS_CMAC_C)
2629 if( alg == PSA_ALG_CMAC )
2630 {
2631 operation->iv_required = 0;
2632 mbedtls_cipher_init( &operation->ctx.cmac );
2633 status = PSA_SUCCESS;
2634 }
2635 else
2636#endif /* MBEDTLS_CMAC_C */
2637#if defined(MBEDTLS_MD_C)
2638 if( PSA_ALG_IS_HMAC( operation->alg ) )
2639 {
Gilles Peskineff94abd2018-07-12 17:07:52 +02002640 /* We'll set up the hash operation later in psa_hmac_setup_internal. */
2641 operation->ctx.hmac.hash_ctx.alg = 0;
2642 status = PSA_SUCCESS;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002643 }
2644 else
2645#endif /* MBEDTLS_MD_C */
2646 {
Gilles Peskinec06e0712018-06-20 16:21:04 +02002647 if( ! PSA_ALG_IS_MAC( alg ) )
2648 status = PSA_ERROR_INVALID_ARGUMENT;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002649 }
2650
2651 if( status != PSA_SUCCESS )
2652 memset( operation, 0, sizeof( *operation ) );
2653 return( status );
2654}
2655
Gilles Peskine01126fa2018-07-12 17:04:55 +02002656#if defined(MBEDTLS_MD_C)
2657static psa_status_t psa_hmac_abort_internal( psa_hmac_internal_data *hmac )
2658{
Gilles Peskine3f108122018-12-07 18:14:53 +01002659 mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) );
Gilles Peskine01126fa2018-07-12 17:04:55 +02002660 return( psa_hash_abort( &hmac->hash_ctx ) );
2661}
2662#endif /* MBEDTLS_MD_C */
2663
Gilles Peskine8c9def32018-02-08 10:02:12 +01002664psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
2665{
Gilles Peskinefbfac682018-07-08 20:51:54 +02002666 if( operation->alg == 0 )
Gilles Peskine8c9def32018-02-08 10:02:12 +01002667 {
Gilles Peskinefbfac682018-07-08 20:51:54 +02002668 /* The object has (apparently) been initialized but it is not
2669 * in use. It's ok to call abort on such an object, and there's
2670 * nothing to do. */
2671 return( PSA_SUCCESS );
2672 }
2673 else
Gilles Peskine8c9def32018-02-08 10:02:12 +01002674#if defined(MBEDTLS_CMAC_C)
Gilles Peskinefbfac682018-07-08 20:51:54 +02002675 if( operation->alg == PSA_ALG_CMAC )
2676 {
2677 mbedtls_cipher_free( &operation->ctx.cmac );
2678 }
2679 else
Gilles Peskine8c9def32018-02-08 10:02:12 +01002680#endif /* MBEDTLS_CMAC_C */
Gilles Peskine8c9def32018-02-08 10:02:12 +01002681#if defined(MBEDTLS_MD_C)
Gilles Peskinefbfac682018-07-08 20:51:54 +02002682 if( PSA_ALG_IS_HMAC( operation->alg ) )
2683 {
Gilles Peskine01126fa2018-07-12 17:04:55 +02002684 psa_hmac_abort_internal( &operation->ctx.hmac );
Gilles Peskinefbfac682018-07-08 20:51:54 +02002685 }
2686 else
Gilles Peskine8c9def32018-02-08 10:02:12 +01002687#endif /* MBEDTLS_MD_C */
Gilles Peskinefbfac682018-07-08 20:51:54 +02002688 {
2689 /* Sanity check (shouldn't happen: operation->alg should
2690 * always have been initialized to a valid value). */
2691 goto bad_state;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002692 }
Moran Peker41deec42018-04-04 15:43:05 +03002693
Gilles Peskine8c9def32018-02-08 10:02:12 +01002694 operation->alg = 0;
2695 operation->key_set = 0;
2696 operation->iv_set = 0;
2697 operation->iv_required = 0;
2698 operation->has_input = 0;
Gilles Peskine89167cb2018-07-08 20:12:23 +02002699 operation->is_sign = 0;
Moran Peker41deec42018-04-04 15:43:05 +03002700
Gilles Peskine8c9def32018-02-08 10:02:12 +01002701 return( PSA_SUCCESS );
Gilles Peskinefbfac682018-07-08 20:51:54 +02002702
2703bad_state:
2704 /* If abort is called on an uninitialized object, we can't trust
2705 * anything. Wipe the object in case it contains confidential data.
2706 * This may result in a memory leak if a pointer gets overwritten,
2707 * but it's too late to do anything about this. */
2708 memset( operation, 0, sizeof( *operation ) );
2709 return( PSA_ERROR_BAD_STATE );
Gilles Peskine8c9def32018-02-08 10:02:12 +01002710}
2711
Gilles Peskinee3b07d82018-06-19 11:57:35 +02002712#if defined(MBEDTLS_CMAC_C)
Gilles Peskine89167cb2018-07-08 20:12:23 +02002713static int psa_cmac_setup( psa_mac_operation_t *operation,
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002714 size_t key_bits,
Gilles Peskine2f060a82018-12-04 17:12:32 +01002715 psa_key_slot_t *slot,
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002716 const mbedtls_cipher_info_t *cipher_info )
2717{
Janos Follath24eed8d2019-11-22 13:21:35 +00002718 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002719
2720 operation->mac_size = cipher_info->block_size;
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002721
2722 ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info );
2723 if( ret != 0 )
2724 return( ret );
2725
2726 ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
2727 slot->data.raw.data,
2728 key_bits );
2729 return( ret );
2730}
Gilles Peskinee3b07d82018-06-19 11:57:35 +02002731#endif /* MBEDTLS_CMAC_C */
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002732
Gilles Peskine248051a2018-06-20 16:09:38 +02002733#if defined(MBEDTLS_MD_C)
Gilles Peskine01126fa2018-07-12 17:04:55 +02002734static psa_status_t psa_hmac_setup_internal( psa_hmac_internal_data *hmac,
2735 const uint8_t *key,
2736 size_t key_length,
2737 psa_algorithm_t hash_alg )
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002738{
Gilles Peskinec11c4dc2019-07-15 11:06:38 +02002739 uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002740 size_t i;
Gilles Peskine9aa369e2018-07-16 00:36:29 +02002741 size_t hash_size = PSA_HASH_SIZE( hash_alg );
Gilles Peskine01126fa2018-07-12 17:04:55 +02002742 size_t block_size = psa_get_hash_block_size( hash_alg );
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002743 psa_status_t status;
2744
Gilles Peskine9aa369e2018-07-16 00:36:29 +02002745 /* Sanity checks on block_size, to guarantee that there won't be a buffer
2746 * overflow below. This should never trigger if the hash algorithm
2747 * is implemented correctly. */
2748 /* The size checks against the ipad and opad buffers cannot be written
2749 * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
2750 * because that triggers -Wlogical-op on GCC 7.3. */
2751 if( block_size > sizeof( ipad ) )
2752 return( PSA_ERROR_NOT_SUPPORTED );
2753 if( block_size > sizeof( hmac->opad ) )
2754 return( PSA_ERROR_NOT_SUPPORTED );
2755 if( block_size < hash_size )
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002756 return( PSA_ERROR_NOT_SUPPORTED );
2757
Gilles Peskined223b522018-06-11 18:12:58 +02002758 if( key_length > block_size )
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002759 {
Gilles Peskine84b8fc82019-11-28 20:07:20 +01002760 status = psa_hash_compute( hash_alg, key, key_length,
2761 ipad, sizeof( ipad ), &key_length );
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002762 if( status != PSA_SUCCESS )
Gilles Peskineb8be2882018-07-17 16:24:34 +02002763 goto cleanup;
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002764 }
Gilles Peskine96889972018-07-12 17:07:03 +02002765 /* A 0-length key is not commonly used in HMAC when used as a MAC,
2766 * but it is permitted. It is common when HMAC is used in HKDF, for
2767 * example. Don't call `memcpy` in the 0-length because `key` could be
2768 * an invalid pointer which would make the behavior undefined. */
2769 else if( key_length != 0 )
Gilles Peskine01126fa2018-07-12 17:04:55 +02002770 memcpy( ipad, key, key_length );
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002771
Gilles Peskined223b522018-06-11 18:12:58 +02002772 /* ipad contains the key followed by garbage. Xor and fill with 0x36
2773 * to create the ipad value. */
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002774 for( i = 0; i < key_length; i++ )
Gilles Peskined223b522018-06-11 18:12:58 +02002775 ipad[i] ^= 0x36;
2776 memset( ipad + key_length, 0x36, block_size - key_length );
2777
2778 /* Copy the key material from ipad to opad, flipping the requisite bits,
2779 * and filling the rest of opad with the requisite constant. */
2780 for( i = 0; i < key_length; i++ )
Gilles Peskine01126fa2018-07-12 17:04:55 +02002781 hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
2782 memset( hmac->opad + key_length, 0x5C, block_size - key_length );
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002783
Gilles Peskine01126fa2018-07-12 17:04:55 +02002784 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002785 if( status != PSA_SUCCESS )
Gilles Peskine6a0a44e2018-06-11 17:42:48 +02002786 goto cleanup;
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002787
Gilles Peskine01126fa2018-07-12 17:04:55 +02002788 status = psa_hash_update( &hmac->hash_ctx, ipad, block_size );
Gilles Peskine6a0a44e2018-06-11 17:42:48 +02002789
2790cleanup:
Ron Eldor296eca62019-09-10 15:21:37 +03002791 mbedtls_platform_zeroize( ipad, sizeof(ipad) );
Gilles Peskine6a0a44e2018-06-11 17:42:48 +02002792
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002793 return( status );
2794}
Gilles Peskine248051a2018-06-20 16:09:38 +02002795#endif /* MBEDTLS_MD_C */
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002796
Gilles Peskine89167cb2018-07-08 20:12:23 +02002797static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
Gilles Peskinec5487a82018-12-03 18:08:14 +01002798 psa_key_handle_t handle,
Gilles Peskine89167cb2018-07-08 20:12:23 +02002799 psa_algorithm_t alg,
2800 int is_sign )
Gilles Peskine8c9def32018-02-08 10:02:12 +01002801{
Gilles Peskine8c9def32018-02-08 10:02:12 +01002802 psa_status_t status;
Gilles Peskine2f060a82018-12-04 17:12:32 +01002803 psa_key_slot_t *slot;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002804 size_t key_bits;
Gilles Peskine89167cb2018-07-08 20:12:23 +02002805 psa_key_usage_t usage =
Gilles Peskine89d8c5c2019-11-26 17:01:59 +01002806 is_sign ? PSA_KEY_USAGE_SIGN_HASH : PSA_KEY_USAGE_VERIFY_HASH;
Gilles Peskinec11c4dc2019-07-15 11:06:38 +02002807 uint8_t truncated = PSA_MAC_TRUNCATED_LENGTH( alg );
Gilles Peskinee0e9c7c2018-10-17 18:28:05 +02002808 psa_algorithm_t full_length_alg = PSA_ALG_FULL_LENGTH_MAC( alg );
Gilles Peskine8c9def32018-02-08 10:02:12 +01002809
Jaeden Amero36ee5d02019-02-19 09:25:10 +00002810 /* A context must be freshly initialized before it can be set up. */
2811 if( operation->alg != 0 )
2812 {
2813 return( PSA_ERROR_BAD_STATE );
2814 }
2815
Gilles Peskined911eb72018-08-14 15:18:45 +02002816 status = psa_mac_init( operation, full_length_alg );
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02002817 if( status != PSA_SUCCESS )
2818 return( status );
Gilles Peskine89167cb2018-07-08 20:12:23 +02002819 if( is_sign )
2820 operation->is_sign = 1;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002821
Gilles Peskine28f8f302019-07-24 13:30:31 +02002822 status = psa_get_transparent_key( handle, &slot, usage, alg );
Gilles Peskineb0b255c2018-07-06 17:01:38 +02002823 if( status != PSA_SUCCESS )
Gilles Peskinefbfac682018-07-08 20:51:54 +02002824 goto exit;
Gilles Peskinedb4b3ab2019-04-18 12:53:01 +02002825 key_bits = psa_get_key_slot_bits( slot );
Gilles Peskineab1d7ab2018-07-06 16:07:47 +02002826
Gilles Peskine8c9def32018-02-08 10:02:12 +01002827#if defined(MBEDTLS_CMAC_C)
Gilles Peskined911eb72018-08-14 15:18:45 +02002828 if( full_length_alg == PSA_ALG_CMAC )
Gilles Peskinefbfac682018-07-08 20:51:54 +02002829 {
2830 const mbedtls_cipher_info_t *cipher_info =
Gilles Peskined911eb72018-08-14 15:18:45 +02002831 mbedtls_cipher_info_from_psa( full_length_alg,
Gilles Peskine8e338702019-07-30 20:06:31 +02002832 slot->attr.type, key_bits, NULL );
Janos Follath24eed8d2019-11-22 13:21:35 +00002833 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinefbfac682018-07-08 20:51:54 +02002834 if( cipher_info == NULL )
2835 {
2836 status = PSA_ERROR_NOT_SUPPORTED;
2837 goto exit;
2838 }
2839 operation->mac_size = cipher_info->block_size;
2840 ret = psa_cmac_setup( operation, key_bits, slot, cipher_info );
2841 status = mbedtls_to_psa_error( ret );
2842 }
2843 else
Gilles Peskine8c9def32018-02-08 10:02:12 +01002844#endif /* MBEDTLS_CMAC_C */
Gilles Peskine8c9def32018-02-08 10:02:12 +01002845#if defined(MBEDTLS_MD_C)
Gilles Peskined911eb72018-08-14 15:18:45 +02002846 if( PSA_ALG_IS_HMAC( full_length_alg ) )
Gilles Peskinefbfac682018-07-08 20:51:54 +02002847 {
Gilles Peskine00709fa2018-08-22 18:25:41 +02002848 psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH( alg );
Gilles Peskine01126fa2018-07-12 17:04:55 +02002849 if( hash_alg == 0 )
2850 {
2851 status = PSA_ERROR_NOT_SUPPORTED;
2852 goto exit;
2853 }
Gilles Peskine9aa369e2018-07-16 00:36:29 +02002854
2855 operation->mac_size = PSA_HASH_SIZE( hash_alg );
2856 /* Sanity check. This shouldn't fail on a valid configuration. */
2857 if( operation->mac_size == 0 ||
2858 operation->mac_size > sizeof( operation->ctx.hmac.opad ) )
2859 {
2860 status = PSA_ERROR_NOT_SUPPORTED;
2861 goto exit;
2862 }
2863
Gilles Peskine8e338702019-07-30 20:06:31 +02002864 if( slot->attr.type != PSA_KEY_TYPE_HMAC )
Gilles Peskine01126fa2018-07-12 17:04:55 +02002865 {
2866 status = PSA_ERROR_INVALID_ARGUMENT;
2867 goto exit;
2868 }
Gilles Peskine9aa369e2018-07-16 00:36:29 +02002869
Gilles Peskine01126fa2018-07-12 17:04:55 +02002870 status = psa_hmac_setup_internal( &operation->ctx.hmac,
2871 slot->data.raw.data,
2872 slot->data.raw.bytes,
2873 hash_alg );
Gilles Peskinefbfac682018-07-08 20:51:54 +02002874 }
2875 else
Gilles Peskine8c9def32018-02-08 10:02:12 +01002876#endif /* MBEDTLS_MD_C */
Gilles Peskinefbfac682018-07-08 20:51:54 +02002877 {
Jaeden Amero82df32e2018-11-23 15:11:20 +00002878 (void) key_bits;
Gilles Peskinefbfac682018-07-08 20:51:54 +02002879 status = PSA_ERROR_NOT_SUPPORTED;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002880 }
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002881
Gilles Peskined911eb72018-08-14 15:18:45 +02002882 if( truncated == 0 )
2883 {
2884 /* The "normal" case: untruncated algorithm. Nothing to do. */
2885 }
2886 else if( truncated < 4 )
2887 {
Gilles Peskine6d72ff92018-08-21 14:55:08 +02002888 /* A very short MAC is too short for security since it can be
2889 * brute-forced. Ancient protocols with 32-bit MACs do exist,
2890 * so we make this our minimum, even though 32 bits is still
2891 * too small for security. */
Gilles Peskined911eb72018-08-14 15:18:45 +02002892 status = PSA_ERROR_NOT_SUPPORTED;
2893 }
2894 else if( truncated > operation->mac_size )
2895 {
2896 /* It's impossible to "truncate" to a larger length. */
2897 status = PSA_ERROR_INVALID_ARGUMENT;
2898 }
2899 else
2900 operation->mac_size = truncated;
2901
Gilles Peskinefbfac682018-07-08 20:51:54 +02002902exit:
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002903 if( status != PSA_SUCCESS )
Gilles Peskine8c9def32018-02-08 10:02:12 +01002904 {
Gilles Peskine6a0a44e2018-06-11 17:42:48 +02002905 psa_mac_abort( operation );
Gilles Peskine8c9def32018-02-08 10:02:12 +01002906 }
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002907 else
2908 {
Gilles Peskine7e454bc2018-06-11 17:26:17 +02002909 operation->key_set = 1;
2910 }
2911 return( status );
Gilles Peskine8c9def32018-02-08 10:02:12 +01002912}
2913
Gilles Peskine89167cb2018-07-08 20:12:23 +02002914psa_status_t psa_mac_sign_setup( psa_mac_operation_t *operation,
Gilles Peskinec5487a82018-12-03 18:08:14 +01002915 psa_key_handle_t handle,
Gilles Peskine89167cb2018-07-08 20:12:23 +02002916 psa_algorithm_t alg )
2917{
Gilles Peskinec5487a82018-12-03 18:08:14 +01002918 return( psa_mac_setup( operation, handle, alg, 1 ) );
Gilles Peskine89167cb2018-07-08 20:12:23 +02002919}
2920
2921psa_status_t psa_mac_verify_setup( psa_mac_operation_t *operation,
Gilles Peskinec5487a82018-12-03 18:08:14 +01002922 psa_key_handle_t handle,
Gilles Peskine89167cb2018-07-08 20:12:23 +02002923 psa_algorithm_t alg )
2924{
Gilles Peskinec5487a82018-12-03 18:08:14 +01002925 return( psa_mac_setup( operation, handle, alg, 0 ) );
Gilles Peskine89167cb2018-07-08 20:12:23 +02002926}
2927
Gilles Peskine8c9def32018-02-08 10:02:12 +01002928psa_status_t psa_mac_update( psa_mac_operation_t *operation,
2929 const uint8_t *input,
2930 size_t input_length )
2931{
Gilles Peskinefbfac682018-07-08 20:51:54 +02002932 psa_status_t status = PSA_ERROR_BAD_STATE;
Gilles Peskine8c9def32018-02-08 10:02:12 +01002933 if( ! operation->key_set )
Jaeden Ameroe236c2a2019-02-20 15:37:15 +00002934 return( PSA_ERROR_BAD_STATE );
Gilles Peskine8c9def32018-02-08 10:02:12 +01002935 if( operation->iv_required && ! operation->iv_set )
Jaeden Ameroe236c2a2019-02-20 15:37:15 +00002936 return( PSA_ERROR_BAD_STATE );
Gilles Peskine8c9def32018-02-08 10:02:12 +01002937 operation->has_input = 1;
2938
Gilles Peskine8c9def32018-02-08 10:02:12 +01002939#if defined(MBEDTLS_CMAC_C)
Gilles Peskinefbfac682018-07-08 20:51:54 +02002940 if( operation->alg == PSA_ALG_CMAC )
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +03002941 {
Gilles Peskinefbfac682018-07-08 20:51:54 +02002942 int ret = mbedtls_cipher_cmac_update( &operation->ctx.cmac,
2943 input, input_length );
2944 status = mbedtls_to_psa_error( ret );
2945 }
2946 else
2947#endif /* MBEDTLS_CMAC_C */
2948#if defined(MBEDTLS_MD_C)
2949 if( PSA_ALG_IS_HMAC( operation->alg ) )
2950 {
2951 status = psa_hash_update( &operation->ctx.hmac.hash_ctx, input,
2952 input_length );
2953 }
2954 else
2955#endif /* MBEDTLS_MD_C */
2956 {
2957 /* This shouldn't happen if `operation` was initialized by
2958 * a setup function. */
Jaeden Ameroe236c2a2019-02-20 15:37:15 +00002959 return( PSA_ERROR_BAD_STATE );
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +03002960 }
2961
Gilles Peskinefbfac682018-07-08 20:51:54 +02002962 if( status != PSA_SUCCESS )
2963 psa_mac_abort( operation );
Gilles Peskinec1bb6c82018-06-18 16:04:39 +02002964 return( status );
Gilles Peskine8c9def32018-02-08 10:02:12 +01002965}
2966
Gilles Peskine01126fa2018-07-12 17:04:55 +02002967#if defined(MBEDTLS_MD_C)
2968static psa_status_t psa_hmac_finish_internal( psa_hmac_internal_data *hmac,
2969 uint8_t *mac,
2970 size_t mac_size )
2971{
Gilles Peskinec11c4dc2019-07-15 11:06:38 +02002972 uint8_t tmp[MBEDTLS_MD_MAX_SIZE];
Gilles Peskine01126fa2018-07-12 17:04:55 +02002973 psa_algorithm_t hash_alg = hmac->hash_ctx.alg;
2974 size_t hash_size = 0;
2975 size_t block_size = psa_get_hash_block_size( hash_alg );
2976 psa_status_t status;
2977
Gilles Peskine01126fa2018-07-12 17:04:55 +02002978 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
2979 if( status != PSA_SUCCESS )
2980 return( status );
2981 /* From here on, tmp needs to be wiped. */
2982
2983 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
2984 if( status != PSA_SUCCESS )
2985 goto exit;
2986
2987 status = psa_hash_update( &hmac->hash_ctx, hmac->opad, block_size );
2988 if( status != PSA_SUCCESS )
2989 goto exit;
2990
2991 status = psa_hash_update( &hmac->hash_ctx, tmp, hash_size );
2992 if( status != PSA_SUCCESS )
2993 goto exit;
2994
Gilles Peskined911eb72018-08-14 15:18:45 +02002995 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
2996 if( status != PSA_SUCCESS )
2997 goto exit;
2998
2999 memcpy( mac, tmp, mac_size );
Gilles Peskine01126fa2018-07-12 17:04:55 +02003000
3001exit:
Gilles Peskine3f108122018-12-07 18:14:53 +01003002 mbedtls_platform_zeroize( tmp, hash_size );
Gilles Peskine01126fa2018-07-12 17:04:55 +02003003 return( status );
3004}
3005#endif /* MBEDTLS_MD_C */
3006
mohammad16036df908f2018-04-02 08:34:15 -07003007static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
Gilles Peskine2d277862018-06-18 15:41:12 +02003008 uint8_t *mac,
Gilles Peskine5d0b8642018-07-08 20:35:02 +02003009 size_t mac_size )
Gilles Peskine8c9def32018-02-08 10:02:12 +01003010{
Gilles Peskine1d96fff2018-07-02 12:15:39 +02003011 if( ! operation->key_set )
3012 return( PSA_ERROR_BAD_STATE );
3013 if( operation->iv_required && ! operation->iv_set )
3014 return( PSA_ERROR_BAD_STATE );
3015
Gilles Peskine8c9def32018-02-08 10:02:12 +01003016 if( mac_size < operation->mac_size )
3017 return( PSA_ERROR_BUFFER_TOO_SMALL );
3018
Gilles Peskine8c9def32018-02-08 10:02:12 +01003019#if defined(MBEDTLS_CMAC_C)
Gilles Peskinefbfac682018-07-08 20:51:54 +02003020 if( operation->alg == PSA_ALG_CMAC )
3021 {
Gilles Peskined911eb72018-08-14 15:18:45 +02003022 uint8_t tmp[PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE];
3023 int ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, tmp );
3024 if( ret == 0 )
Gilles Peskine87b0ac42018-08-21 14:55:49 +02003025 memcpy( mac, tmp, operation->mac_size );
Gilles Peskine3f108122018-12-07 18:14:53 +01003026 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
Gilles Peskinefbfac682018-07-08 20:51:54 +02003027 return( mbedtls_to_psa_error( ret ) );
Gilles Peskine8c9def32018-02-08 10:02:12 +01003028 }
Gilles Peskinefbfac682018-07-08 20:51:54 +02003029 else
3030#endif /* MBEDTLS_CMAC_C */
3031#if defined(MBEDTLS_MD_C)
3032 if( PSA_ALG_IS_HMAC( operation->alg ) )
3033 {
Gilles Peskine01126fa2018-07-12 17:04:55 +02003034 return( psa_hmac_finish_internal( &operation->ctx.hmac,
Gilles Peskined911eb72018-08-14 15:18:45 +02003035 mac, operation->mac_size ) );
Gilles Peskinefbfac682018-07-08 20:51:54 +02003036 }
3037 else
3038#endif /* MBEDTLS_MD_C */
3039 {
3040 /* This shouldn't happen if `operation` was initialized by
3041 * a setup function. */
3042 return( PSA_ERROR_BAD_STATE );
3043 }
Gilles Peskine8c9def32018-02-08 10:02:12 +01003044}
3045
Gilles Peskineacd4be32018-07-08 19:56:25 +02003046psa_status_t psa_mac_sign_finish( psa_mac_operation_t *operation,
3047 uint8_t *mac,
3048 size_t mac_size,
3049 size_t *mac_length )
mohammad16036df908f2018-04-02 08:34:15 -07003050{
Gilles Peskine5d0b8642018-07-08 20:35:02 +02003051 psa_status_t status;
3052
Jaeden Amero252ef282019-02-15 14:05:35 +00003053 if( operation->alg == 0 )
3054 {
3055 return( PSA_ERROR_BAD_STATE );
3056 }
3057
Gilles Peskine5d0b8642018-07-08 20:35:02 +02003058 /* Fill the output buffer with something that isn't a valid mac
3059 * (barring an attack on the mac and deliberately-crafted input),
3060 * in case the caller doesn't check the return status properly. */
3061 *mac_length = mac_size;
3062 /* If mac_size is 0 then mac may be NULL and then the
3063 * call to memset would have undefined behavior. */
3064 if( mac_size != 0 )
3065 memset( mac, '!', mac_size );
3066
Gilles Peskine89167cb2018-07-08 20:12:23 +02003067 if( ! operation->is_sign )
3068 {
Jaeden Ameroe236c2a2019-02-20 15:37:15 +00003069 return( PSA_ERROR_BAD_STATE );
Gilles Peskine89167cb2018-07-08 20:12:23 +02003070 }
mohammad16036df908f2018-04-02 08:34:15 -07003071
Gilles Peskine5d0b8642018-07-08 20:35:02 +02003072 status = psa_mac_finish_internal( operation, mac, mac_size );
3073
Gilles Peskine5d0b8642018-07-08 20:35:02 +02003074 if( status == PSA_SUCCESS )
3075 {
3076 status = psa_mac_abort( operation );
3077 if( status == PSA_SUCCESS )
3078 *mac_length = operation->mac_size;
3079 else
3080 memset( mac, '!', mac_size );
3081 }
3082 else
3083 psa_mac_abort( operation );
3084 return( status );
mohammad16036df908f2018-04-02 08:34:15 -07003085}
3086
Gilles Peskineacd4be32018-07-08 19:56:25 +02003087psa_status_t psa_mac_verify_finish( psa_mac_operation_t *operation,
3088 const uint8_t *mac,
3089 size_t mac_length )
Gilles Peskine8c9def32018-02-08 10:02:12 +01003090{
Gilles Peskine828ed142018-06-18 23:25:51 +02003091 uint8_t actual_mac[PSA_MAC_MAX_SIZE];
mohammad16036df908f2018-04-02 08:34:15 -07003092 psa_status_t status;
3093
Jaeden Amero252ef282019-02-15 14:05:35 +00003094 if( operation->alg == 0 )
3095 {
3096 return( PSA_ERROR_BAD_STATE );
3097 }
3098
Gilles Peskine89167cb2018-07-08 20:12:23 +02003099 if( operation->is_sign )
3100 {
Jaeden Ameroe236c2a2019-02-20 15:37:15 +00003101 return( PSA_ERROR_BAD_STATE );
Gilles Peskine5d0b8642018-07-08 20:35:02 +02003102 }
3103 if( operation->mac_size != mac_length )
3104 {
3105 status = PSA_ERROR_INVALID_SIGNATURE;
3106 goto cleanup;
Gilles Peskine89167cb2018-07-08 20:12:23 +02003107 }
mohammad16036df908f2018-04-02 08:34:15 -07003108
3109 status = psa_mac_finish_internal( operation,
Gilles Peskine5d0b8642018-07-08 20:35:02 +02003110 actual_mac, sizeof( actual_mac ) );
Gilles Peskine28cd4162020-01-20 16:31:06 +01003111 if( status != PSA_SUCCESS )
3112 goto cleanup;
Gilles Peskine5d0b8642018-07-08 20:35:02 +02003113
3114 if( safer_memcmp( mac, actual_mac, mac_length ) != 0 )
3115 status = PSA_ERROR_INVALID_SIGNATURE;
3116
3117cleanup:
3118 if( status == PSA_SUCCESS )
3119 status = psa_mac_abort( operation );
3120 else
3121 psa_mac_abort( operation );
3122
Gilles Peskine3f108122018-12-07 18:14:53 +01003123 mbedtls_platform_zeroize( actual_mac, sizeof( actual_mac ) );
Gilles Peskined911eb72018-08-14 15:18:45 +02003124
Gilles Peskine5d0b8642018-07-08 20:35:02 +02003125 return( status );
Gilles Peskine8c9def32018-02-08 10:02:12 +01003126}
3127
3128
Gilles Peskine20035e32018-02-03 22:44:14 +01003129
Gilles Peskine20035e32018-02-03 22:44:14 +01003130/****************************************************************/
3131/* Asymmetric cryptography */
3132/****************************************************************/
3133
Gilles Peskine2b450e32018-06-27 15:42:46 +02003134#if defined(MBEDTLS_RSA_C)
Gilles Peskine8b18a4f2018-06-08 16:34:46 +02003135/* Decode the hash algorithm from alg and store the mbedtls encoding in
Gilles Peskine71ac7b12018-06-29 23:36:35 +02003136 * md_alg. Verify that the hash length is acceptable. */
Gilles Peskine8b18a4f2018-06-08 16:34:46 +02003137static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg,
3138 size_t hash_length,
3139 mbedtls_md_type_t *md_alg )
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +03003140{
Gilles Peskine7ed29c52018-06-26 15:50:08 +02003141 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
Gilles Peskine61b91d42018-06-08 16:09:36 +02003142 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
Gilles Peskine71ac7b12018-06-29 23:36:35 +02003143 *md_alg = mbedtls_md_get_type( md_info );
3144
3145 /* The Mbed TLS RSA module uses an unsigned int for hash length
3146 * parameters. Validate that it fits so that we don't risk an
3147 * overflow later. */
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +03003148#if SIZE_MAX > UINT_MAX
Gilles Peskine71ac7b12018-06-29 23:36:35 +02003149 if( hash_length > UINT_MAX )
3150 return( PSA_ERROR_INVALID_ARGUMENT );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +03003151#endif
Gilles Peskine71ac7b12018-06-29 23:36:35 +02003152
3153#if defined(MBEDTLS_PKCS1_V15)
3154 /* For PKCS#1 v1.5 signature, if using a hash, the hash length
3155 * must be correct. */
3156 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) &&
3157 alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW )
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +03003158 {
Gilles Peskine71ac7b12018-06-29 23:36:35 +02003159 if( md_info == NULL )
3160 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine61b91d42018-06-08 16:09:36 +02003161 if( mbedtls_md_get_size( md_info ) != hash_length )
3162 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine71ac7b12018-06-29 23:36:35 +02003163 }
3164#endif /* MBEDTLS_PKCS1_V15 */
3165
3166#if defined(MBEDTLS_PKCS1_V21)
3167 /* PSS requires a hash internally. */
3168 if( PSA_ALG_IS_RSA_PSS( alg ) )
3169 {
Gilles Peskine61b91d42018-06-08 16:09:36 +02003170 if( md_info == NULL )
3171 return( PSA_ERROR_NOT_SUPPORTED );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +03003172 }
Gilles Peskine71ac7b12018-06-29 23:36:35 +02003173#endif /* MBEDTLS_PKCS1_V21 */
3174
Gilles Peskine61b91d42018-06-08 16:09:36 +02003175 return( PSA_SUCCESS );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +03003176}
3177
Gilles Peskine2b450e32018-06-27 15:42:46 +02003178static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa,
3179 psa_algorithm_t alg,
3180 const uint8_t *hash,
3181 size_t hash_length,
3182 uint8_t *signature,
3183 size_t signature_size,
3184 size_t *signature_length )
3185{
3186 psa_status_t status;
Janos Follath24eed8d2019-11-22 13:21:35 +00003187 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine2b450e32018-06-27 15:42:46 +02003188 mbedtls_md_type_t md_alg;
3189
3190 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
3191 if( status != PSA_SUCCESS )
3192 return( status );
3193
Gilles Peskine630a18a2018-06-29 17:49:35 +02003194 if( signature_size < mbedtls_rsa_get_len( rsa ) )
Gilles Peskine2b450e32018-06-27 15:42:46 +02003195 return( PSA_ERROR_BUFFER_TOO_SMALL );
3196
3197#if defined(MBEDTLS_PKCS1_V15)
3198 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
3199 {
3200 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
3201 MBEDTLS_MD_NONE );
3202 ret = mbedtls_rsa_pkcs1_sign( rsa,
3203 mbedtls_ctr_drbg_random,
3204 &global_data.ctr_drbg,
3205 MBEDTLS_RSA_PRIVATE,
Jaeden Amerobbf97e32018-06-26 14:20:51 +01003206 md_alg,
3207 (unsigned int) hash_length,
3208 hash,
Gilles Peskine2b450e32018-06-27 15:42:46 +02003209 signature );
3210 }
3211 else
3212#endif /* MBEDTLS_PKCS1_V15 */
3213#if defined(MBEDTLS_PKCS1_V21)
3214 if( PSA_ALG_IS_RSA_PSS( alg ) )
3215 {
3216 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
3217 ret = mbedtls_rsa_rsassa_pss_sign( rsa,
3218 mbedtls_ctr_drbg_random,
3219 &global_data.ctr_drbg,
3220 MBEDTLS_RSA_PRIVATE,
Gilles Peskine71ac7b12018-06-29 23:36:35 +02003221 MBEDTLS_MD_NONE,
Jaeden Amerobbf97e32018-06-26 14:20:51 +01003222 (unsigned int) hash_length,
3223 hash,
Gilles Peskine2b450e32018-06-27 15:42:46 +02003224 signature );
3225 }
3226 else
3227#endif /* MBEDTLS_PKCS1_V21 */
3228 {
3229 return( PSA_ERROR_INVALID_ARGUMENT );
3230 }
3231
3232 if( ret == 0 )
Gilles Peskine630a18a2018-06-29 17:49:35 +02003233 *signature_length = mbedtls_rsa_get_len( rsa );
Gilles Peskine2b450e32018-06-27 15:42:46 +02003234 return( mbedtls_to_psa_error( ret ) );
3235}
3236
3237static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa,
3238 psa_algorithm_t alg,
3239 const uint8_t *hash,
3240 size_t hash_length,
3241 const uint8_t *signature,
3242 size_t signature_length )
3243{
3244 psa_status_t status;
Janos Follath24eed8d2019-11-22 13:21:35 +00003245 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine2b450e32018-06-27 15:42:46 +02003246 mbedtls_md_type_t md_alg;
3247
3248 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
3249 if( status != PSA_SUCCESS )
3250 return( status );
3251
Gilles Peskine89cc74f2019-09-12 22:08:23 +02003252 if( signature_length != mbedtls_rsa_get_len( rsa ) )
3253 return( PSA_ERROR_INVALID_SIGNATURE );
Gilles Peskine2b450e32018-06-27 15:42:46 +02003254
3255#if defined(MBEDTLS_PKCS1_V15)
3256 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
3257 {
3258 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
3259 MBEDTLS_MD_NONE );
3260 ret = mbedtls_rsa_pkcs1_verify( rsa,
3261 mbedtls_ctr_drbg_random,
3262 &global_data.ctr_drbg,
3263 MBEDTLS_RSA_PUBLIC,
3264 md_alg,
Jaeden Amerobbf97e32018-06-26 14:20:51 +01003265 (unsigned int) hash_length,
Gilles Peskine2b450e32018-06-27 15:42:46 +02003266 hash,
3267 signature );
3268 }
3269 else
3270#endif /* MBEDTLS_PKCS1_V15 */
3271#if defined(MBEDTLS_PKCS1_V21)
3272 if( PSA_ALG_IS_RSA_PSS( alg ) )
3273 {
3274 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
3275 ret = mbedtls_rsa_rsassa_pss_verify( rsa,
3276 mbedtls_ctr_drbg_random,
3277 &global_data.ctr_drbg,
3278 MBEDTLS_RSA_PUBLIC,
Gilles Peskine71ac7b12018-06-29 23:36:35 +02003279 MBEDTLS_MD_NONE,
Jaeden Amerobbf97e32018-06-26 14:20:51 +01003280 (unsigned int) hash_length,
3281 hash,
Gilles Peskine2b450e32018-06-27 15:42:46 +02003282 signature );
3283 }
3284 else
3285#endif /* MBEDTLS_PKCS1_V21 */
3286 {
3287 return( PSA_ERROR_INVALID_ARGUMENT );
3288 }
Gilles Peskineef12c632018-09-13 20:37:48 +02003289
3290 /* Mbed TLS distinguishes "invalid padding" from "valid padding but
3291 * the rest of the signature is invalid". This has little use in
3292 * practice and PSA doesn't report this distinction. */
3293 if( ret == MBEDTLS_ERR_RSA_INVALID_PADDING )
3294 return( PSA_ERROR_INVALID_SIGNATURE );
Gilles Peskine2b450e32018-06-27 15:42:46 +02003295 return( mbedtls_to_psa_error( ret ) );
3296}
3297#endif /* MBEDTLS_RSA_C */
3298
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003299#if defined(MBEDTLS_ECDSA_C)
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003300/* `ecp` cannot be const because `ecp->grp` needs to be non-const
3301 * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det()
3302 * (even though these functions don't modify it). */
3303static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp,
3304 psa_algorithm_t alg,
3305 const uint8_t *hash,
3306 size_t hash_length,
3307 uint8_t *signature,
3308 size_t signature_size,
3309 size_t *signature_length )
3310{
Janos Follath24eed8d2019-11-22 13:21:35 +00003311 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003312 mbedtls_mpi r, s;
Gilles Peskineeae6eee2018-06-28 13:56:01 +02003313 size_t curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003314 mbedtls_mpi_init( &r );
3315 mbedtls_mpi_init( &s );
3316
Gilles Peskineeae6eee2018-06-28 13:56:01 +02003317 if( signature_size < 2 * curve_bytes )
3318 {
3319 ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
3320 goto cleanup;
3321 }
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003322
Gilles Peskinea05219c2018-11-16 16:02:56 +01003323#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003324 if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) )
3325 {
3326 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
3327 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
3328 mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info );
Darryl Green5e843fa2019-09-05 14:06:34 +01003329 MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det_ext( &ecp->grp, &r, &s,
3330 &ecp->d, hash,
3331 hash_length, md_alg,
3332 mbedtls_ctr_drbg_random,
3333 &global_data.ctr_drbg ) );
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003334 }
3335 else
Gilles Peskinea05219c2018-11-16 16:02:56 +01003336#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003337 {
Gilles Peskinea05219c2018-11-16 16:02:56 +01003338 (void) alg;
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003339 MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d,
3340 hash, hash_length,
3341 mbedtls_ctr_drbg_random,
3342 &global_data.ctr_drbg ) );
3343 }
Gilles Peskineeae6eee2018-06-28 13:56:01 +02003344
3345 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &r,
3346 signature,
3347 curve_bytes ) );
3348 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &s,
3349 signature + curve_bytes,
3350 curve_bytes ) );
3351
3352cleanup:
3353 mbedtls_mpi_free( &r );
3354 mbedtls_mpi_free( &s );
3355 if( ret == 0 )
3356 *signature_length = 2 * curve_bytes;
Gilles Peskineeae6eee2018-06-28 13:56:01 +02003357 return( mbedtls_to_psa_error( ret ) );
3358}
3359
3360static psa_status_t psa_ecdsa_verify( mbedtls_ecp_keypair *ecp,
3361 const uint8_t *hash,
3362 size_t hash_length,
3363 const uint8_t *signature,
3364 size_t signature_length )
3365{
Janos Follath24eed8d2019-11-22 13:21:35 +00003366 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskineeae6eee2018-06-28 13:56:01 +02003367 mbedtls_mpi r, s;
3368 size_t curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
3369 mbedtls_mpi_init( &r );
3370 mbedtls_mpi_init( &s );
3371
3372 if( signature_length != 2 * curve_bytes )
3373 return( PSA_ERROR_INVALID_SIGNATURE );
3374
3375 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &r,
3376 signature,
3377 curve_bytes ) );
3378 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &s,
3379 signature + curve_bytes,
3380 curve_bytes ) );
3381
3382 ret = mbedtls_ecdsa_verify( &ecp->grp, hash, hash_length,
3383 &ecp->Q, &r, &s );
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003384
3385cleanup:
3386 mbedtls_mpi_free( &r );
3387 mbedtls_mpi_free( &s );
3388 return( mbedtls_to_psa_error( ret ) );
3389}
3390#endif /* MBEDTLS_ECDSA_C */
3391
Gilles Peskine89d8c5c2019-11-26 17:01:59 +01003392psa_status_t psa_sign_hash( psa_key_handle_t handle,
3393 psa_algorithm_t alg,
3394 const uint8_t *hash,
3395 size_t hash_length,
3396 uint8_t *signature,
3397 size_t signature_size,
3398 size_t *signature_length )
Gilles Peskine20035e32018-02-03 22:44:14 +01003399{
Gilles Peskine2f060a82018-12-04 17:12:32 +01003400 psa_key_slot_t *slot;
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003401 psa_status_t status;
Gilles Peskineedc64242019-08-07 21:05:07 +02003402#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
3403 const psa_drv_se_t *drv;
3404 psa_drv_se_context_t *drv_context;
3405#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003406
3407 *signature_length = signature_size;
Gilles Peskine4019f0e2019-09-12 22:05:59 +02003408 /* Immediately reject a zero-length signature buffer. This guarantees
3409 * that signature must be a valid pointer. (On the other hand, the hash
3410 * buffer can in principle be empty since it doesn't actually have
3411 * to be a hash.) */
3412 if( signature_size == 0 )
3413 return( PSA_ERROR_BUFFER_TOO_SMALL );
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003414
Gilles Peskine89d8c5c2019-11-26 17:01:59 +01003415 status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_SIGN_HASH, alg );
Gilles Peskineb0b255c2018-07-06 17:01:38 +02003416 if( status != PSA_SUCCESS )
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003417 goto exit;
Gilles Peskine8e338702019-07-30 20:06:31 +02003418 if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) )
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003419 {
3420 status = PSA_ERROR_INVALID_ARGUMENT;
3421 goto exit;
3422 }
Gilles Peskine20035e32018-02-03 22:44:14 +01003423
Gilles Peskineedc64242019-08-07 21:05:07 +02003424#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
3425 if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
3426 {
3427 if( drv->asymmetric == NULL ||
3428 drv->asymmetric->p_sign == NULL )
3429 {
3430 status = PSA_ERROR_NOT_SUPPORTED;
3431 goto exit;
3432 }
3433 status = drv->asymmetric->p_sign( drv_context,
3434 slot->data.se.slot_number,
3435 alg,
3436 hash, hash_length,
3437 signature, signature_size,
3438 signature_length );
3439 }
3440 else
3441#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskine20035e32018-02-03 22:44:14 +01003442#if defined(MBEDTLS_RSA_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02003443 if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
Gilles Peskine20035e32018-02-03 22:44:14 +01003444 {
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003445 status = psa_rsa_sign( slot->data.rsa,
3446 alg,
3447 hash, hash_length,
3448 signature, signature_size,
3449 signature_length );
Gilles Peskine20035e32018-02-03 22:44:14 +01003450 }
3451 else
3452#endif /* defined(MBEDTLS_RSA_C) */
3453#if defined(MBEDTLS_ECP_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02003454 if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
Gilles Peskine20035e32018-02-03 22:44:14 +01003455 {
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003456#if defined(MBEDTLS_ECDSA_C)
Gilles Peskinea05219c2018-11-16 16:02:56 +01003457 if(
3458#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
3459 PSA_ALG_IS_ECDSA( alg )
3460#else
3461 PSA_ALG_IS_RANDOMIZED_ECDSA( alg )
3462#endif
3463 )
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003464 status = psa_ecdsa_sign( slot->data.ecp,
3465 alg,
3466 hash, hash_length,
3467 signature, signature_size,
3468 signature_length );
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003469 else
3470#endif /* defined(MBEDTLS_ECDSA_C) */
3471 {
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003472 status = PSA_ERROR_INVALID_ARGUMENT;
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003473 }
itayzafrir5c753392018-05-08 11:18:38 +03003474 }
3475 else
3476#endif /* defined(MBEDTLS_ECP_C) */
3477 {
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003478 status = PSA_ERROR_NOT_SUPPORTED;
Gilles Peskine20035e32018-02-03 22:44:14 +01003479 }
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003480
3481exit:
3482 /* Fill the unused part of the output buffer (the whole buffer on error,
3483 * the trailing part on success) with something that isn't a valid mac
3484 * (barring an attack on the mac and deliberately-crafted input),
3485 * in case the caller doesn't check the return status properly. */
3486 if( status == PSA_SUCCESS )
3487 memset( signature + *signature_length, '!',
3488 signature_size - *signature_length );
Gilles Peskine4019f0e2019-09-12 22:05:59 +02003489 else
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003490 memset( signature, '!', signature_size );
Gilles Peskine46f1fd72018-06-28 19:31:31 +02003491 /* If signature_size is 0 then we have nothing to do. We must not call
3492 * memset because signature may be NULL in this case. */
Gilles Peskinea26ff6a2018-06-28 12:21:19 +02003493 return( status );
itayzafrir5c753392018-05-08 11:18:38 +03003494}
3495
Gilles Peskine89d8c5c2019-11-26 17:01:59 +01003496psa_status_t psa_verify_hash( psa_key_handle_t handle,
3497 psa_algorithm_t alg,
3498 const uint8_t *hash,
3499 size_t hash_length,
3500 const uint8_t *signature,
3501 size_t signature_length )
itayzafrir5c753392018-05-08 11:18:38 +03003502{
Gilles Peskine2f060a82018-12-04 17:12:32 +01003503 psa_key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +02003504 psa_status_t status;
Gilles Peskineedc64242019-08-07 21:05:07 +02003505#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
3506 const psa_drv_se_t *drv;
3507 psa_drv_se_context_t *drv_context;
3508#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskine2b450e32018-06-27 15:42:46 +02003509
Gilles Peskine89d8c5c2019-11-26 17:01:59 +01003510 status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_VERIFY_HASH, alg );
Gilles Peskineb0b255c2018-07-06 17:01:38 +02003511 if( status != PSA_SUCCESS )
3512 return( status );
itayzafrir5c753392018-05-08 11:18:38 +03003513
Gilles Peskineedc64242019-08-07 21:05:07 +02003514#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
3515 if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
3516 {
3517 if( drv->asymmetric == NULL ||
3518 drv->asymmetric->p_verify == NULL )
3519 return( PSA_ERROR_NOT_SUPPORTED );
3520 return( drv->asymmetric->p_verify( drv_context,
3521 slot->data.se.slot_number,
3522 alg,
3523 hash, hash_length,
3524 signature, signature_length ) );
3525 }
3526 else
3527#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskine61b91d42018-06-08 16:09:36 +02003528#if defined(MBEDTLS_RSA_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02003529 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003530 {
Gilles Peskine2b450e32018-06-27 15:42:46 +02003531 return( psa_rsa_verify( slot->data.rsa,
3532 alg,
3533 hash, hash_length,
3534 signature, signature_length ) );
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003535 }
3536 else
3537#endif /* defined(MBEDTLS_RSA_C) */
itayzafrir5c753392018-05-08 11:18:38 +03003538#if defined(MBEDTLS_ECP_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02003539 if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
itayzafrir5c753392018-05-08 11:18:38 +03003540 {
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003541#if defined(MBEDTLS_ECDSA_C)
3542 if( PSA_ALG_IS_ECDSA( alg ) )
Gilles Peskineeae6eee2018-06-28 13:56:01 +02003543 return( psa_ecdsa_verify( slot->data.ecp,
3544 hash, hash_length,
3545 signature, signature_length ) );
Gilles Peskinea81d85b2018-06-26 16:10:23 +02003546 else
3547#endif /* defined(MBEDTLS_ECDSA_C) */
3548 {
3549 return( PSA_ERROR_INVALID_ARGUMENT );
3550 }
itayzafrir5c753392018-05-08 11:18:38 +03003551 }
Gilles Peskine20035e32018-02-03 22:44:14 +01003552 else
3553#endif /* defined(MBEDTLS_ECP_C) */
3554 {
3555 return( PSA_ERROR_NOT_SUPPORTED );
3556 }
3557}
3558
Gilles Peskine072ac562018-06-30 00:21:29 +02003559#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
3560static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg,
3561 mbedtls_rsa_context *rsa )
3562{
3563 psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH( alg );
3564 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
3565 mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info );
3566 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
3567}
3568#endif /* defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) */
3569
Gilles Peskinec5487a82018-12-03 18:08:14 +01003570psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle,
Gilles Peskine61b91d42018-06-08 16:09:36 +02003571 psa_algorithm_t alg,
3572 const uint8_t *input,
3573 size_t input_length,
3574 const uint8_t *salt,
3575 size_t salt_length,
3576 uint8_t *output,
3577 size_t output_size,
3578 size_t *output_length )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003579{
Gilles Peskine2f060a82018-12-04 17:12:32 +01003580 psa_key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +02003581 psa_status_t status;
3582
Darryl Green5cc689a2018-07-24 15:34:10 +01003583 (void) input;
3584 (void) input_length;
3585 (void) salt;
3586 (void) output;
3587 (void) output_size;
3588
Nir Sonnenscheinca466c82018-06-04 16:43:12 +03003589 *output_length = 0;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003590
Gilles Peskineb3fc05d2018-06-30 19:04:35 +02003591 if( ! PSA_ALG_IS_RSA_OAEP( alg ) && salt_length != 0 )
3592 return( PSA_ERROR_INVALID_ARGUMENT );
3593
Gilles Peskine28f8f302019-07-24 13:30:31 +02003594 status = psa_get_transparent_key( handle, &slot, PSA_KEY_USAGE_ENCRYPT, alg );
Gilles Peskineb0b255c2018-07-06 17:01:38 +02003595 if( status != PSA_SUCCESS )
3596 return( status );
Gilles Peskine8e338702019-07-30 20:06:31 +02003597 if( ! ( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) ||
3598 PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003599 return( PSA_ERROR_INVALID_ARGUMENT );
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003600
3601#if defined(MBEDTLS_RSA_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02003602 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003603 {
3604 mbedtls_rsa_context *rsa = slot->data.rsa;
Janos Follath24eed8d2019-11-22 13:21:35 +00003605 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine630a18a2018-06-29 17:49:35 +02003606 if( output_size < mbedtls_rsa_get_len( rsa ) )
Vikas Katariya21599b62019-08-02 12:26:29 +01003607 return( PSA_ERROR_BUFFER_TOO_SMALL );
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003608#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskine6afe7892018-05-31 13:16:08 +02003609 if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003610 {
Gilles Peskine61b91d42018-06-08 16:09:36 +02003611 ret = mbedtls_rsa_pkcs1_encrypt( rsa,
3612 mbedtls_ctr_drbg_random,
3613 &global_data.ctr_drbg,
3614 MBEDTLS_RSA_PUBLIC,
3615 input_length,
3616 input,
3617 output );
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003618 }
3619 else
3620#endif /* MBEDTLS_PKCS1_V15 */
3621#if defined(MBEDTLS_PKCS1_V21)
Gilles Peskine55bf3d12018-06-26 15:53:48 +02003622 if( PSA_ALG_IS_RSA_OAEP( alg ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003623 {
Gilles Peskine072ac562018-06-30 00:21:29 +02003624 psa_rsa_oaep_set_padding_mode( alg, rsa );
3625 ret = mbedtls_rsa_rsaes_oaep_encrypt( rsa,
3626 mbedtls_ctr_drbg_random,
3627 &global_data.ctr_drbg,
3628 MBEDTLS_RSA_PUBLIC,
3629 salt, salt_length,
3630 input_length,
3631 input,
3632 output );
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003633 }
3634 else
3635#endif /* MBEDTLS_PKCS1_V21 */
3636 {
3637 return( PSA_ERROR_INVALID_ARGUMENT );
3638 }
3639 if( ret == 0 )
Gilles Peskine630a18a2018-06-29 17:49:35 +02003640 *output_length = mbedtls_rsa_get_len( rsa );
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003641 return( mbedtls_to_psa_error( ret ) );
3642 }
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003643 else
Gilles Peskineb75e4f12018-06-08 17:44:47 +02003644#endif /* defined(MBEDTLS_RSA_C) */
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003645 {
3646 return( PSA_ERROR_NOT_SUPPORTED );
3647 }
Gilles Peskine5b051bc2018-05-31 13:25:48 +02003648}
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003649
Gilles Peskinec5487a82018-12-03 18:08:14 +01003650psa_status_t psa_asymmetric_decrypt( psa_key_handle_t handle,
Gilles Peskine61b91d42018-06-08 16:09:36 +02003651 psa_algorithm_t alg,
3652 const uint8_t *input,
3653 size_t input_length,
3654 const uint8_t *salt,
3655 size_t salt_length,
3656 uint8_t *output,
3657 size_t output_size,
3658 size_t *output_length )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003659{
Gilles Peskine2f060a82018-12-04 17:12:32 +01003660 psa_key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +02003661 psa_status_t status;
3662
Darryl Green5cc689a2018-07-24 15:34:10 +01003663 (void) input;
3664 (void) input_length;
3665 (void) salt;
3666 (void) output;
3667 (void) output_size;
3668
Nir Sonnenscheinca466c82018-06-04 16:43:12 +03003669 *output_length = 0;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003670
Gilles Peskineb3fc05d2018-06-30 19:04:35 +02003671 if( ! PSA_ALG_IS_RSA_OAEP( alg ) && salt_length != 0 )
3672 return( PSA_ERROR_INVALID_ARGUMENT );
3673
Gilles Peskine28f8f302019-07-24 13:30:31 +02003674 status = psa_get_transparent_key( handle, &slot, PSA_KEY_USAGE_DECRYPT, alg );
Gilles Peskineb0b255c2018-07-06 17:01:38 +02003675 if( status != PSA_SUCCESS )
3676 return( status );
Gilles Peskine8e338702019-07-30 20:06:31 +02003677 if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003678 return( PSA_ERROR_INVALID_ARGUMENT );
3679
3680#if defined(MBEDTLS_RSA_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02003681 if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003682 {
3683 mbedtls_rsa_context *rsa = slot->data.rsa;
Janos Follath24eed8d2019-11-22 13:21:35 +00003684 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003685
Gilles Peskine630a18a2018-06-29 17:49:35 +02003686 if( input_length != mbedtls_rsa_get_len( rsa ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003687 return( PSA_ERROR_INVALID_ARGUMENT );
3688
3689#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskine6afe7892018-05-31 13:16:08 +02003690 if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003691 {
Gilles Peskine61b91d42018-06-08 16:09:36 +02003692 ret = mbedtls_rsa_pkcs1_decrypt( rsa,
3693 mbedtls_ctr_drbg_random,
3694 &global_data.ctr_drbg,
3695 MBEDTLS_RSA_PRIVATE,
3696 output_length,
3697 input,
3698 output,
3699 output_size );
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003700 }
3701 else
3702#endif /* MBEDTLS_PKCS1_V15 */
3703#if defined(MBEDTLS_PKCS1_V21)
Gilles Peskine55bf3d12018-06-26 15:53:48 +02003704 if( PSA_ALG_IS_RSA_OAEP( alg ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003705 {
Gilles Peskine072ac562018-06-30 00:21:29 +02003706 psa_rsa_oaep_set_padding_mode( alg, rsa );
3707 ret = mbedtls_rsa_rsaes_oaep_decrypt( rsa,
3708 mbedtls_ctr_drbg_random,
3709 &global_data.ctr_drbg,
3710 MBEDTLS_RSA_PRIVATE,
3711 salt, salt_length,
3712 output_length,
3713 input,
3714 output,
3715 output_size );
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003716 }
3717 else
3718#endif /* MBEDTLS_PKCS1_V21 */
3719 {
3720 return( PSA_ERROR_INVALID_ARGUMENT );
3721 }
Nir Sonnenschein717a0402018-06-04 16:36:15 +03003722
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003723 return( mbedtls_to_psa_error( ret ) );
3724 }
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003725 else
Gilles Peskineb75e4f12018-06-08 17:44:47 +02003726#endif /* defined(MBEDTLS_RSA_C) */
Nir Sonnenschein39e59142018-05-02 23:16:26 +03003727 {
3728 return( PSA_ERROR_NOT_SUPPORTED );
3729 }
Gilles Peskine5b051bc2018-05-31 13:25:48 +02003730}
Gilles Peskine20035e32018-02-03 22:44:14 +01003731
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +02003732
3733
mohammad1603503973b2018-03-12 15:59:30 +02003734/****************************************************************/
3735/* Symmetric cryptography */
3736/****************************************************************/
3737
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003738/* Initialize the cipher operation structure. Once this function has been
3739 * called, psa_cipher_abort can run and will do the right thing. */
3740static psa_status_t psa_cipher_init( psa_cipher_operation_t *operation,
3741 psa_algorithm_t alg )
3742{
Gilles Peskinec06e0712018-06-20 16:21:04 +02003743 if( ! PSA_ALG_IS_CIPHER( alg ) )
3744 {
3745 memset( operation, 0, sizeof( *operation ) );
3746 return( PSA_ERROR_INVALID_ARGUMENT );
3747 }
3748
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003749 operation->alg = alg;
3750 operation->key_set = 0;
3751 operation->iv_set = 0;
Steven Cooremana6033e92020-08-25 11:47:50 +02003752 if( alg == PSA_ALG_ECB_NO_PADDING )
3753 {
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02003754 operation->iv_required = 0;
Steven Cooremana6033e92020-08-25 11:47:50 +02003755 }
3756 else
3757 {
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02003758 operation->iv_required = 1;
3759 }
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003760 operation->iv_size = 0;
3761 operation->block_size = 0;
3762 mbedtls_cipher_init( &operation->ctx.cipher );
3763 return( PSA_SUCCESS );
3764}
3765
Gilles Peskinee553c652018-06-04 16:22:46 +02003766static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
Gilles Peskinec5487a82018-12-03 18:08:14 +01003767 psa_key_handle_t handle,
Gilles Peskine7e928852018-06-04 16:23:10 +02003768 psa_algorithm_t alg,
3769 mbedtls_operation_t cipher_operation )
mohammad1603503973b2018-03-12 15:59:30 +02003770{
Gilles Peskine9ab61b62019-02-25 17:43:14 +01003771 int ret = 0;
3772 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Gilles Peskine2f060a82018-12-04 17:12:32 +01003773 psa_key_slot_t *slot;
mohammad1603503973b2018-03-12 15:59:30 +02003774 size_t key_bits;
3775 const mbedtls_cipher_info_t *cipher_info = NULL;
Gilles Peskineb0b255c2018-07-06 17:01:38 +02003776 psa_key_usage_t usage = ( cipher_operation == MBEDTLS_ENCRYPT ?
3777 PSA_KEY_USAGE_ENCRYPT :
3778 PSA_KEY_USAGE_DECRYPT );
mohammad1603503973b2018-03-12 15:59:30 +02003779
Jaeden Amero36ee5d02019-02-19 09:25:10 +00003780 /* A context must be freshly initialized before it can be set up. */
3781 if( operation->alg != 0 )
3782 {
3783 return( PSA_ERROR_BAD_STATE );
3784 }
3785
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02003786 status = psa_cipher_init( operation, alg );
3787 if( status != PSA_SUCCESS )
3788 return( status );
mohammad1603503973b2018-03-12 15:59:30 +02003789
Gilles Peskine28f8f302019-07-24 13:30:31 +02003790 status = psa_get_transparent_key( handle, &slot, usage, alg);
Gilles Peskineb0b255c2018-07-06 17:01:38 +02003791 if( status != PSA_SUCCESS )
Gilles Peskine9ab61b62019-02-25 17:43:14 +01003792 goto exit;
Gilles Peskinedb4b3ab2019-04-18 12:53:01 +02003793 key_bits = psa_get_key_slot_bits( slot );
mohammad1603503973b2018-03-12 15:59:30 +02003794
Gilles Peskine8e338702019-07-30 20:06:31 +02003795 cipher_info = mbedtls_cipher_info_from_psa( alg, slot->attr.type, key_bits, NULL );
mohammad1603503973b2018-03-12 15:59:30 +02003796 if( cipher_info == NULL )
Gilles Peskine9ab61b62019-02-25 17:43:14 +01003797 {
3798 status = PSA_ERROR_NOT_SUPPORTED;
3799 goto exit;
3800 }
mohammad1603503973b2018-03-12 15:59:30 +02003801
mohammad1603503973b2018-03-12 15:59:30 +02003802 ret = mbedtls_cipher_setup( &operation->ctx.cipher, cipher_info );
Moran Peker41deec42018-04-04 15:43:05 +03003803 if( ret != 0 )
Gilles Peskine9ab61b62019-02-25 17:43:14 +01003804 goto exit;
mohammad1603503973b2018-03-12 15:59:30 +02003805
Gilles Peskine9ad29e22018-06-21 09:40:04 +02003806#if defined(MBEDTLS_DES_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02003807 if( slot->attr.type == PSA_KEY_TYPE_DES && key_bits == 128 )
Gilles Peskine9ad29e22018-06-21 09:40:04 +02003808 {
3809 /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
Gilles Peskinec11c4dc2019-07-15 11:06:38 +02003810 uint8_t keys[24];
Gilles Peskine9ad29e22018-06-21 09:40:04 +02003811 memcpy( keys, slot->data.raw.data, 16 );
3812 memcpy( keys + 16, slot->data.raw.data, 8 );
3813 ret = mbedtls_cipher_setkey( &operation->ctx.cipher,
3814 keys,
3815 192, cipher_operation );
3816 }
3817 else
3818#endif
3819 {
3820 ret = mbedtls_cipher_setkey( &operation->ctx.cipher,
3821 slot->data.raw.data,
Jaeden Amero23bbb752018-06-26 14:16:54 +01003822 (int) key_bits, cipher_operation );
Gilles Peskine9ad29e22018-06-21 09:40:04 +02003823 }
Moran Peker41deec42018-04-04 15:43:05 +03003824 if( ret != 0 )
Gilles Peskine9ab61b62019-02-25 17:43:14 +01003825 goto exit;
mohammad1603503973b2018-03-12 15:59:30 +02003826
mohammad16038481e742018-03-18 13:57:31 +02003827#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
Gilles Peskinedaea26f2018-08-21 14:02:45 +02003828 switch( alg )
mohammad16038481e742018-03-18 13:57:31 +02003829 {
Gilles Peskinedaea26f2018-08-21 14:02:45 +02003830 case PSA_ALG_CBC_NO_PADDING:
3831 ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher,
3832 MBEDTLS_PADDING_NONE );
3833 break;
3834 case PSA_ALG_CBC_PKCS7:
3835 ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher,
3836 MBEDTLS_PADDING_PKCS7 );
3837 break;
3838 default:
3839 /* The algorithm doesn't involve padding. */
3840 ret = 0;
3841 break;
3842 }
3843 if( ret != 0 )
Gilles Peskine9ab61b62019-02-25 17:43:14 +01003844 goto exit;
mohammad16038481e742018-03-18 13:57:31 +02003845#endif //MBEDTLS_CIPHER_MODE_WITH_PADDING
3846
mohammad1603503973b2018-03-12 15:59:30 +02003847 operation->key_set = 1;
Gilles Peskinedaea26f2018-08-21 14:02:45 +02003848 operation->block_size = ( PSA_ALG_IS_STREAM_CIPHER( alg ) ? 1 :
Gilles Peskine8e338702019-07-30 20:06:31 +02003849 PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->attr.type ) );
Steven Cooremana6033e92020-08-25 11:47:50 +02003850 if( ( alg & PSA_ALG_CIPHER_FROM_BLOCK_FLAG ) != 0 &&
3851 alg != PSA_ALG_ECB_NO_PADDING )
mohammad16038481e742018-03-18 13:57:31 +02003852 {
Gilles Peskine8e338702019-07-30 20:06:31 +02003853 operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->attr.type );
mohammad16038481e742018-03-18 13:57:31 +02003854 }
Gilles Peskine26869f22019-05-06 15:25:00 +02003855#if defined(MBEDTLS_CHACHA20_C)
3856 else
3857 if( alg == PSA_ALG_CHACHA20 )
3858 operation->iv_size = 12;
3859#endif
mohammad1603503973b2018-03-12 15:59:30 +02003860
Gilles Peskine9ab61b62019-02-25 17:43:14 +01003861exit:
3862 if( status == 0 )
3863 status = mbedtls_to_psa_error( ret );
3864 if( status != 0 )
3865 psa_cipher_abort( operation );
3866 return( status );
mohammad1603503973b2018-03-12 15:59:30 +02003867}
3868
Gilles Peskinefe119512018-07-08 21:39:34 +02003869psa_status_t psa_cipher_encrypt_setup( psa_cipher_operation_t *operation,
Gilles Peskinec5487a82018-12-03 18:08:14 +01003870 psa_key_handle_t handle,
Gilles Peskinefe119512018-07-08 21:39:34 +02003871 psa_algorithm_t alg )
mohammad16038481e742018-03-18 13:57:31 +02003872{
Gilles Peskinec5487a82018-12-03 18:08:14 +01003873 return( psa_cipher_setup( operation, handle, alg, MBEDTLS_ENCRYPT ) );
mohammad16038481e742018-03-18 13:57:31 +02003874}
3875
Gilles Peskinefe119512018-07-08 21:39:34 +02003876psa_status_t psa_cipher_decrypt_setup( psa_cipher_operation_t *operation,
Gilles Peskinec5487a82018-12-03 18:08:14 +01003877 psa_key_handle_t handle,
Gilles Peskinefe119512018-07-08 21:39:34 +02003878 psa_algorithm_t alg )
mohammad16038481e742018-03-18 13:57:31 +02003879{
Gilles Peskinec5487a82018-12-03 18:08:14 +01003880 return( psa_cipher_setup( operation, handle, alg, MBEDTLS_DECRYPT ) );
mohammad16038481e742018-03-18 13:57:31 +02003881}
3882
Gilles Peskinefe119512018-07-08 21:39:34 +02003883psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation,
Andrew Thoelke163639b2019-05-15 12:33:23 +01003884 uint8_t *iv,
Gilles Peskinefe119512018-07-08 21:39:34 +02003885 size_t iv_size,
3886 size_t *iv_length )
mohammad1603503973b2018-03-12 15:59:30 +02003887{
itayzafrir534bd7c2018-08-02 13:56:32 +03003888 psa_status_t status;
Janos Follath24eed8d2019-11-22 13:21:35 +00003889 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinec1bb6c82018-06-18 16:04:39 +02003890 if( operation->iv_set || ! operation->iv_required )
itayzafrir534bd7c2018-08-02 13:56:32 +03003891 {
Jaeden Ameroe236c2a2019-02-20 15:37:15 +00003892 return( PSA_ERROR_BAD_STATE );
itayzafrir534bd7c2018-08-02 13:56:32 +03003893 }
Moran Peker41deec42018-04-04 15:43:05 +03003894 if( iv_size < operation->iv_size )
mohammad1603503973b2018-03-12 15:59:30 +02003895 {
itayzafrir534bd7c2018-08-02 13:56:32 +03003896 status = PSA_ERROR_BUFFER_TOO_SMALL;
Moran Peker41deec42018-04-04 15:43:05 +03003897 goto exit;
3898 }
Gilles Peskine7e928852018-06-04 16:23:10 +02003899 ret = mbedtls_ctr_drbg_random( &global_data.ctr_drbg,
3900 iv, operation->iv_size );
Moran Peker41deec42018-04-04 15:43:05 +03003901 if( ret != 0 )
3902 {
itayzafrir534bd7c2018-08-02 13:56:32 +03003903 status = mbedtls_to_psa_error( ret );
Gilles Peskinee553c652018-06-04 16:22:46 +02003904 goto exit;
mohammad1603503973b2018-03-12 15:59:30 +02003905 }
Gilles Peskinee553c652018-06-04 16:22:46 +02003906
mohammad16038481e742018-03-18 13:57:31 +02003907 *iv_length = operation->iv_size;
itayzafrir534bd7c2018-08-02 13:56:32 +03003908 status = psa_cipher_set_iv( operation, iv, *iv_length );
Moran Peker41deec42018-04-04 15:43:05 +03003909
Moran Peker395db872018-05-31 14:07:14 +03003910exit:
itayzafrir534bd7c2018-08-02 13:56:32 +03003911 if( status != PSA_SUCCESS )
Moran Peker395db872018-05-31 14:07:14 +03003912 psa_cipher_abort( operation );
itayzafrir534bd7c2018-08-02 13:56:32 +03003913 return( status );
mohammad1603503973b2018-03-12 15:59:30 +02003914}
3915
Gilles Peskinefe119512018-07-08 21:39:34 +02003916psa_status_t psa_cipher_set_iv( psa_cipher_operation_t *operation,
Andrew Thoelke163639b2019-05-15 12:33:23 +01003917 const uint8_t *iv,
Gilles Peskinefe119512018-07-08 21:39:34 +02003918 size_t iv_length )
mohammad1603503973b2018-03-12 15:59:30 +02003919{
itayzafrir534bd7c2018-08-02 13:56:32 +03003920 psa_status_t status;
Janos Follath24eed8d2019-11-22 13:21:35 +00003921 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinec1bb6c82018-06-18 16:04:39 +02003922 if( operation->iv_set || ! operation->iv_required )
itayzafrir534bd7c2018-08-02 13:56:32 +03003923 {
Jaeden Ameroe236c2a2019-02-20 15:37:15 +00003924 return( PSA_ERROR_BAD_STATE );
itayzafrir534bd7c2018-08-02 13:56:32 +03003925 }
Moran Pekera28258c2018-05-29 16:25:04 +03003926 if( iv_length != operation->iv_size )
Moran Peker71f19ae2018-04-22 20:23:16 +03003927 {
itayzafrir534bd7c2018-08-02 13:56:32 +03003928 status = PSA_ERROR_INVALID_ARGUMENT;
3929 goto exit;
Moran Peker71f19ae2018-04-22 20:23:16 +03003930 }
itayzafrir534bd7c2018-08-02 13:56:32 +03003931 ret = mbedtls_cipher_set_iv( &operation->ctx.cipher, iv, iv_length );
3932 status = mbedtls_to_psa_error( ret );
3933exit:
3934 if( status == PSA_SUCCESS )
3935 operation->iv_set = 1;
3936 else
mohammad1603503973b2018-03-12 15:59:30 +02003937 psa_cipher_abort( operation );
itayzafrir534bd7c2018-08-02 13:56:32 +03003938 return( status );
mohammad1603503973b2018-03-12 15:59:30 +02003939}
3940
Steven Cooreman177deba2020-09-07 17:14:14 +02003941/* Process input for which the algorithm is set to ECB mode. This requires
3942 * manual processing, since the PSA API is defined as being able to process
3943 * arbitrary-length calls to psa_cipher_update() with ECB mode, but the
3944 * underlying mbedtls_cipher_update only takes full blocks. */
3945static psa_status_t psa_cipher_update_ecb_internal(
3946 mbedtls_cipher_context_t *ctx,
3947 const uint8_t *input,
3948 size_t input_length,
3949 uint8_t *output,
3950 size_t output_size,
3951 size_t *output_length )
3952{
3953 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3954 size_t block_size = ctx->cipher_info->block_size;
3955 size_t internal_output_length = 0;
3956 *output_length = 0;
3957
3958 if( input_length == 0 )
3959 {
3960 status = PSA_SUCCESS;
3961 goto exit;
3962 }
3963
3964 if( ctx->unprocessed_len > 0 )
3965 {
3966 /* Fill up to block size, and run the block if there's a full one. */
3967 size_t bytes_to_copy = block_size - ctx->unprocessed_len;
3968
3969 if( input_length < bytes_to_copy )
3970 bytes_to_copy = input_length;
3971
3972 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ),
3973 input, bytes_to_copy );
3974 input_length -= bytes_to_copy;
3975 input += bytes_to_copy;
3976 ctx->unprocessed_len += bytes_to_copy;
3977
3978 if( ctx->unprocessed_len == block_size )
3979 {
3980 status = mbedtls_to_psa_error(
3981 mbedtls_cipher_update( ctx,
3982 ctx->unprocessed_data,
3983 block_size,
3984 output, &internal_output_length ) );
3985
3986 if( status != PSA_SUCCESS )
3987 goto exit;
3988
3989 output += internal_output_length;
3990 output_size -= internal_output_length;
3991 *output_length += internal_output_length;
3992 ctx->unprocessed_len = 0;
3993 }
3994 }
3995
3996 while( input_length >= block_size )
3997 {
3998 /* Run all full blocks we have, one by one */
3999 status = mbedtls_to_psa_error(
4000 mbedtls_cipher_update( ctx, input,
4001 block_size,
4002 output, &internal_output_length ) );
4003
4004 if( status != PSA_SUCCESS )
4005 goto exit;
4006
4007 input_length -= block_size;
4008 input += block_size;
4009
4010 output += internal_output_length;
4011 output_size -= internal_output_length;
4012 *output_length += internal_output_length;
4013 }
4014
4015 if( input_length > 0 )
4016 {
4017 /* Save unprocessed bytes for later processing */
4018 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ),
4019 input, input_length );
4020 ctx->unprocessed_len += input_length;
4021 }
4022
4023 status = PSA_SUCCESS;
4024
4025exit:
4026 return( status );
4027}
4028
Gilles Peskinee553c652018-06-04 16:22:46 +02004029psa_status_t psa_cipher_update( psa_cipher_operation_t *operation,
4030 const uint8_t *input,
4031 size_t input_length,
Andrew Thoelke163639b2019-05-15 12:33:23 +01004032 uint8_t *output,
Gilles Peskinee553c652018-06-04 16:22:46 +02004033 size_t output_size,
4034 size_t *output_length )
mohammad1603503973b2018-03-12 15:59:30 +02004035{
Steven Cooremanffecb7b2020-08-25 15:13:13 +02004036 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
Gilles Peskine89d789c2018-06-04 17:17:16 +02004037 size_t expected_output_size;
Jaeden Ameroab439972019-02-15 14:12:05 +00004038
4039 if( operation->alg == 0 )
4040 {
4041 return( PSA_ERROR_BAD_STATE );
4042 }
4043
Gilles Peskinedaea26f2018-08-21 14:02:45 +02004044 if( ! PSA_ALG_IS_STREAM_CIPHER( operation->alg ) )
Gilles Peskine89d789c2018-06-04 17:17:16 +02004045 {
4046 /* Take the unprocessed partial block left over from previous
4047 * update calls, if any, plus the input to this call. Remove
4048 * the last partial block, if any. You get the data that will be
4049 * output in this call. */
4050 expected_output_size =
4051 ( operation->ctx.cipher.unprocessed_len + input_length )
4052 / operation->block_size * operation->block_size;
4053 }
4054 else
4055 {
4056 expected_output_size = input_length;
4057 }
itayzafrir534bd7c2018-08-02 13:56:32 +03004058
Gilles Peskine89d789c2018-06-04 17:17:16 +02004059 if( output_size < expected_output_size )
itayzafrir534bd7c2018-08-02 13:56:32 +03004060 {
4061 status = PSA_ERROR_BUFFER_TOO_SMALL;
4062 goto exit;
4063 }
mohammad160382759612018-03-12 18:16:40 +02004064
Steven Cooremanffecb7b2020-08-25 15:13:13 +02004065 if( operation->alg == PSA_ALG_ECB_NO_PADDING )
4066 {
4067 /* mbedtls_cipher_update has an API inconsistency: it will only
4068 * process a single block at a time in ECB mode. Abstract away that
4069 * inconsistency here to match the PSA API behaviour. */
Steven Cooreman177deba2020-09-07 17:14:14 +02004070 status = psa_cipher_update_ecb_internal( &operation->ctx.cipher,
4071 input,
4072 input_length,
4073 output,
4074 output_size,
4075 output_length );
Steven Cooremanffecb7b2020-08-25 15:13:13 +02004076 }
4077 else
4078 {
4079 status = mbedtls_to_psa_error(
4080 mbedtls_cipher_update( &operation->ctx.cipher, input,
4081 input_length, output, output_length ) );
4082 }
itayzafrir534bd7c2018-08-02 13:56:32 +03004083exit:
4084 if( status != PSA_SUCCESS )
mohammad1603503973b2018-03-12 15:59:30 +02004085 psa_cipher_abort( operation );
itayzafrir534bd7c2018-08-02 13:56:32 +03004086 return( status );
mohammad1603503973b2018-03-12 15:59:30 +02004087}
4088
Gilles Peskinee553c652018-06-04 16:22:46 +02004089psa_status_t psa_cipher_finish( psa_cipher_operation_t *operation,
4090 uint8_t *output,
4091 size_t output_size,
4092 size_t *output_length )
mohammad1603503973b2018-03-12 15:59:30 +02004093{
David Saadab4ecc272019-02-14 13:48:10 +02004094 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
Janos Follath315b51c2018-07-09 16:04:51 +01004095 int cipher_ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
Gilles Peskinee553c652018-06-04 16:22:46 +02004096 uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH];
Moran Pekerbed71a22018-04-22 20:19:20 +03004097
mohammad1603503973b2018-03-12 15:59:30 +02004098 if( ! operation->key_set )
Moran Pekerdc38ebc2018-04-30 15:45:34 +03004099 {
Jaeden Ameroe236c2a2019-02-20 15:37:15 +00004100 return( PSA_ERROR_BAD_STATE );
Moran Peker7cb22b82018-06-05 11:40:02 +03004101 }
4102 if( operation->iv_required && ! operation->iv_set )
4103 {
Jaeden Ameroe236c2a2019-02-20 15:37:15 +00004104 return( PSA_ERROR_BAD_STATE );
Moran Peker7cb22b82018-06-05 11:40:02 +03004105 }
Gilles Peskinedaea26f2018-08-21 14:02:45 +02004106
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004107 if( operation->ctx.cipher.unprocessed_len != 0 )
Moran Peker7cb22b82018-06-05 11:40:02 +03004108 {
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004109 if( operation->alg == PSA_ALG_ECB_NO_PADDING ||
4110 ( operation->alg == PSA_ALG_CBC_NO_PADDING &&
Steven Cooremana6033e92020-08-25 11:47:50 +02004111 operation->ctx.cipher.operation == MBEDTLS_ENCRYPT ) )
4112 {
Gilles Peskinedaea26f2018-08-21 14:02:45 +02004113 status = PSA_ERROR_INVALID_ARGUMENT;
Janos Follath315b51c2018-07-09 16:04:51 +01004114 goto error;
Steven Cooremaned3c9ec2020-07-06 14:08:59 +02004115 }
Moran Pekerdc38ebc2018-04-30 15:45:34 +03004116 }
4117
Janos Follath315b51c2018-07-09 16:04:51 +01004118 cipher_ret = mbedtls_cipher_finish( &operation->ctx.cipher,
4119 temp_output_buffer,
4120 output_length );
4121 if( cipher_ret != 0 )
mohammad1603503973b2018-03-12 15:59:30 +02004122 {
Janos Follath315b51c2018-07-09 16:04:51 +01004123 status = mbedtls_to_psa_error( cipher_ret );
4124 goto error;
mohammad1603503973b2018-03-12 15:59:30 +02004125 }
Janos Follath315b51c2018-07-09 16:04:51 +01004126
Gilles Peskine46f1fd72018-06-28 19:31:31 +02004127 if( *output_length == 0 )
Janos Follath315b51c2018-07-09 16:04:51 +01004128 ; /* Nothing to copy. Note that output may be NULL in this case. */
Gilles Peskine46f1fd72018-06-28 19:31:31 +02004129 else if( output_size >= *output_length )
Moran Pekerdc38ebc2018-04-30 15:45:34 +03004130 memcpy( output, temp_output_buffer, *output_length );
4131 else
4132 {
Janos Follath315b51c2018-07-09 16:04:51 +01004133 status = PSA_ERROR_BUFFER_TOO_SMALL;
4134 goto error;
Moran Pekerdc38ebc2018-04-30 15:45:34 +03004135 }
mohammad1603503973b2018-03-12 15:59:30 +02004136
Gilles Peskine3f108122018-12-07 18:14:53 +01004137 mbedtls_platform_zeroize( temp_output_buffer, sizeof( temp_output_buffer ) );
Janos Follath315b51c2018-07-09 16:04:51 +01004138 status = psa_cipher_abort( operation );
4139
4140 return( status );
4141
4142error:
4143
4144 *output_length = 0;
4145
Gilles Peskine3f108122018-12-07 18:14:53 +01004146 mbedtls_platform_zeroize( temp_output_buffer, sizeof( temp_output_buffer ) );
Janos Follath315b51c2018-07-09 16:04:51 +01004147 (void) psa_cipher_abort( operation );
4148
4149 return( status );
mohammad1603503973b2018-03-12 15:59:30 +02004150}
4151
Gilles Peskinee553c652018-06-04 16:22:46 +02004152psa_status_t psa_cipher_abort( psa_cipher_operation_t *operation )
4153{
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02004154 if( operation->alg == 0 )
Gilles Peskine81736312018-06-26 15:04:31 +02004155 {
4156 /* The object has (apparently) been initialized but it is not
4157 * in use. It's ok to call abort on such an object, and there's
4158 * nothing to do. */
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02004159 return( PSA_SUCCESS );
Gilles Peskine81736312018-06-26 15:04:31 +02004160 }
Gilles Peskine16c0f4f2018-06-20 16:05:20 +02004161
Gilles Peskinef9c2c092018-06-21 16:57:07 +02004162 /* Sanity check (shouldn't happen: operation->alg should
4163 * always have been initialized to a valid value). */
4164 if( ! PSA_ALG_IS_CIPHER( operation->alg ) )
4165 return( PSA_ERROR_BAD_STATE );
4166
mohammad1603503973b2018-03-12 15:59:30 +02004167 mbedtls_cipher_free( &operation->ctx.cipher );
Gilles Peskinee553c652018-06-04 16:22:46 +02004168
Moran Peker41deec42018-04-04 15:43:05 +03004169 operation->alg = 0;
Moran Pekerad9d82c2018-04-30 12:31:04 +03004170 operation->key_set = 0;
4171 operation->iv_set = 0;
4172 operation->iv_size = 0;
Moran Peker41deec42018-04-04 15:43:05 +03004173 operation->block_size = 0;
Moran Pekerad9d82c2018-04-30 12:31:04 +03004174 operation->iv_required = 0;
Moran Peker41deec42018-04-04 15:43:05 +03004175
Moran Peker395db872018-05-31 14:07:14 +03004176 return( PSA_SUCCESS );
mohammad1603503973b2018-03-12 15:59:30 +02004177}
4178
Gilles Peskinea0655c32018-04-30 17:06:50 +02004179
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +02004180
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +02004181
mohammad16035955c982018-04-26 00:53:03 +03004182/****************************************************************/
4183/* AEAD */
4184/****************************************************************/
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +02004185
Gilles Peskineedf9a652018-08-17 18:11:56 +02004186typedef struct
4187{
Gilles Peskine2f060a82018-12-04 17:12:32 +01004188 psa_key_slot_t *slot;
Gilles Peskineedf9a652018-08-17 18:11:56 +02004189 const mbedtls_cipher_info_t *cipher_info;
4190 union
4191 {
4192#if defined(MBEDTLS_CCM_C)
4193 mbedtls_ccm_context ccm;
4194#endif /* MBEDTLS_CCM_C */
4195#if defined(MBEDTLS_GCM_C)
4196 mbedtls_gcm_context gcm;
4197#endif /* MBEDTLS_GCM_C */
Gilles Peskine26869f22019-05-06 15:25:00 +02004198#if defined(MBEDTLS_CHACHAPOLY_C)
4199 mbedtls_chachapoly_context chachapoly;
4200#endif /* MBEDTLS_CHACHAPOLY_C */
Gilles Peskineedf9a652018-08-17 18:11:56 +02004201 } ctx;
Gilles Peskine23cc2ff2018-08-17 19:47:52 +02004202 psa_algorithm_t core_alg;
4203 uint8_t full_tag_length;
Gilles Peskineedf9a652018-08-17 18:11:56 +02004204 uint8_t tag_length;
4205} aead_operation_t;
4206
Gilles Peskine30a9e412019-01-14 18:36:12 +01004207static void psa_aead_abort_internal( aead_operation_t *operation )
Gilles Peskineedf9a652018-08-17 18:11:56 +02004208{
Gilles Peskinef8a8fe62018-08-21 16:38:05 +02004209 switch( operation->core_alg )
Gilles Peskineedf9a652018-08-17 18:11:56 +02004210 {
4211#if defined(MBEDTLS_CCM_C)
4212 case PSA_ALG_CCM:
4213 mbedtls_ccm_free( &operation->ctx.ccm );
4214 break;
4215#endif /* MBEDTLS_CCM_C */
Gilles Peskineb0b189f2018-11-28 17:30:58 +01004216#if defined(MBEDTLS_GCM_C)
Gilles Peskineedf9a652018-08-17 18:11:56 +02004217 case PSA_ALG_GCM:
4218 mbedtls_gcm_free( &operation->ctx.gcm );
4219 break;
4220#endif /* MBEDTLS_GCM_C */
4221 }
4222}
4223
4224static psa_status_t psa_aead_setup( aead_operation_t *operation,
Gilles Peskinec5487a82018-12-03 18:08:14 +01004225 psa_key_handle_t handle,
Gilles Peskineedf9a652018-08-17 18:11:56 +02004226 psa_key_usage_t usage,
4227 psa_algorithm_t alg )
4228{
4229 psa_status_t status;
4230 size_t key_bits;
4231 mbedtls_cipher_id_t cipher_id;
4232
Gilles Peskine28f8f302019-07-24 13:30:31 +02004233 status = psa_get_transparent_key( handle, &operation->slot, usage, alg );
Gilles Peskineedf9a652018-08-17 18:11:56 +02004234 if( status != PSA_SUCCESS )
4235 return( status );
4236
Gilles Peskinedb4b3ab2019-04-18 12:53:01 +02004237 key_bits = psa_get_key_slot_bits( operation->slot );
Gilles Peskineedf9a652018-08-17 18:11:56 +02004238
4239 operation->cipher_info =
Gilles Peskine8e338702019-07-30 20:06:31 +02004240 mbedtls_cipher_info_from_psa( alg, operation->slot->attr.type, key_bits,
Gilles Peskineedf9a652018-08-17 18:11:56 +02004241 &cipher_id );
4242 if( operation->cipher_info == NULL )
4243 return( PSA_ERROR_NOT_SUPPORTED );
4244
Gilles Peskine23cc2ff2018-08-17 19:47:52 +02004245 switch( PSA_ALG_AEAD_WITH_TAG_LENGTH( alg, 0 ) )
Gilles Peskineedf9a652018-08-17 18:11:56 +02004246 {
4247#if defined(MBEDTLS_CCM_C)
Gilles Peskine23cc2ff2018-08-17 19:47:52 +02004248 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CCM, 0 ):
4249 operation->core_alg = PSA_ALG_CCM;
4250 operation->full_tag_length = 16;
Gilles Peskinef7e7b012019-05-06 15:27:16 +02004251 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
4252 * The call to mbedtls_ccm_encrypt_and_tag or
4253 * mbedtls_ccm_auth_decrypt will validate the tag length. */
Gilles Peskine8e338702019-07-30 20:06:31 +02004254 if( PSA_BLOCK_CIPHER_BLOCK_SIZE( operation->slot->attr.type ) != 16 )
Gilles Peskineedf9a652018-08-17 18:11:56 +02004255 return( PSA_ERROR_INVALID_ARGUMENT );
4256 mbedtls_ccm_init( &operation->ctx.ccm );
4257 status = mbedtls_to_psa_error(
4258 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
4259 operation->slot->data.raw.data,
4260 (unsigned int) key_bits ) );
4261 if( status != 0 )
4262 goto cleanup;
4263 break;
4264#endif /* MBEDTLS_CCM_C */
4265
4266#if defined(MBEDTLS_GCM_C)
Gilles Peskine23cc2ff2018-08-17 19:47:52 +02004267 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_GCM, 0 ):
4268 operation->core_alg = PSA_ALG_GCM;
4269 operation->full_tag_length = 16;
Gilles Peskinef7e7b012019-05-06 15:27:16 +02004270 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
4271 * The call to mbedtls_gcm_crypt_and_tag or
4272 * mbedtls_gcm_auth_decrypt will validate the tag length. */
Gilles Peskine8e338702019-07-30 20:06:31 +02004273 if( PSA_BLOCK_CIPHER_BLOCK_SIZE( operation->slot->attr.type ) != 16 )
Gilles Peskineedf9a652018-08-17 18:11:56 +02004274 return( PSA_ERROR_INVALID_ARGUMENT );
4275 mbedtls_gcm_init( &operation->ctx.gcm );
4276 status = mbedtls_to_psa_error(
4277 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
4278 operation->slot->data.raw.data,
4279 (unsigned int) key_bits ) );
Gilles Peskinef7e7b012019-05-06 15:27:16 +02004280 if( status != 0 )
4281 goto cleanup;
Gilles Peskineedf9a652018-08-17 18:11:56 +02004282 break;
4283#endif /* MBEDTLS_GCM_C */
4284
Gilles Peskine26869f22019-05-06 15:25:00 +02004285#if defined(MBEDTLS_CHACHAPOLY_C)
4286 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CHACHA20_POLY1305, 0 ):
4287 operation->core_alg = PSA_ALG_CHACHA20_POLY1305;
4288 operation->full_tag_length = 16;
4289 /* We only support the default tag length. */
4290 if( alg != PSA_ALG_CHACHA20_POLY1305 )
4291 return( PSA_ERROR_NOT_SUPPORTED );
4292 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
4293 status = mbedtls_to_psa_error(
4294 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
4295 operation->slot->data.raw.data ) );
4296 if( status != 0 )
4297 goto cleanup;
4298 break;
4299#endif /* MBEDTLS_CHACHAPOLY_C */
4300
Gilles Peskineedf9a652018-08-17 18:11:56 +02004301 default:
4302 return( PSA_ERROR_NOT_SUPPORTED );
4303 }
4304
Gilles Peskine23cc2ff2018-08-17 19:47:52 +02004305 if( PSA_AEAD_TAG_LENGTH( alg ) > operation->full_tag_length )
4306 {
4307 status = PSA_ERROR_INVALID_ARGUMENT;
4308 goto cleanup;
4309 }
4310 operation->tag_length = PSA_AEAD_TAG_LENGTH( alg );
Gilles Peskine23cc2ff2018-08-17 19:47:52 +02004311
Gilles Peskineedf9a652018-08-17 18:11:56 +02004312 return( PSA_SUCCESS );
4313
4314cleanup:
Gilles Peskine30a9e412019-01-14 18:36:12 +01004315 psa_aead_abort_internal( operation );
Gilles Peskineedf9a652018-08-17 18:11:56 +02004316 return( status );
4317}
4318
Gilles Peskinec5487a82018-12-03 18:08:14 +01004319psa_status_t psa_aead_encrypt( psa_key_handle_t handle,
mohammad16035955c982018-04-26 00:53:03 +03004320 psa_algorithm_t alg,
4321 const uint8_t *nonce,
4322 size_t nonce_length,
4323 const uint8_t *additional_data,
4324 size_t additional_data_length,
4325 const uint8_t *plaintext,
4326 size_t plaintext_length,
4327 uint8_t *ciphertext,
4328 size_t ciphertext_size,
4329 size_t *ciphertext_length )
4330{
mohammad16035955c982018-04-26 00:53:03 +03004331 psa_status_t status;
Gilles Peskineedf9a652018-08-17 18:11:56 +02004332 aead_operation_t operation;
mohammad160315223a82018-06-03 17:19:55 +03004333 uint8_t *tag;
Gilles Peskine2d277862018-06-18 15:41:12 +02004334
mohammad1603f08a5502018-06-03 15:05:47 +03004335 *ciphertext_length = 0;
mohammad1603e58e6842018-05-09 04:58:32 -07004336
Gilles Peskinec5487a82018-12-03 18:08:14 +01004337 status = psa_aead_setup( &operation, handle, PSA_KEY_USAGE_ENCRYPT, alg );
Gilles Peskineb0b255c2018-07-06 17:01:38 +02004338 if( status != PSA_SUCCESS )
4339 return( status );
mohammad16035955c982018-04-26 00:53:03 +03004340
Gilles Peskineedf9a652018-08-17 18:11:56 +02004341 /* For all currently supported modes, the tag is at the end of the
4342 * ciphertext. */
4343 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
4344 {
4345 status = PSA_ERROR_BUFFER_TOO_SMALL;
4346 goto exit;
4347 }
4348 tag = ciphertext + plaintext_length;
mohammad16035955c982018-04-26 00:53:03 +03004349
Gilles Peskineb0b189f2018-11-28 17:30:58 +01004350#if defined(MBEDTLS_GCM_C)
Gilles Peskine23cc2ff2018-08-17 19:47:52 +02004351 if( operation.core_alg == PSA_ALG_GCM )
mohammad16035955c982018-04-26 00:53:03 +03004352 {
Gilles Peskineedf9a652018-08-17 18:11:56 +02004353 status = mbedtls_to_psa_error(
4354 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
4355 MBEDTLS_GCM_ENCRYPT,
4356 plaintext_length,
4357 nonce, nonce_length,
4358 additional_data, additional_data_length,
4359 plaintext, ciphertext,
4360 operation.tag_length, tag ) );
mohammad16035955c982018-04-26 00:53:03 +03004361 }
Gilles Peskineb0b189f2018-11-28 17:30:58 +01004362 else
4363#endif /* MBEDTLS_GCM_C */
4364#if defined(MBEDTLS_CCM_C)
4365 if( operation.core_alg == PSA_ALG_CCM )
mohammad16035955c982018-04-26 00:53:03 +03004366 {
Gilles Peskineedf9a652018-08-17 18:11:56 +02004367 status = mbedtls_to_psa_error(
4368 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
4369 plaintext_length,
4370 nonce, nonce_length,
4371 additional_data,
4372 additional_data_length,
4373 plaintext, ciphertext,
4374 tag, operation.tag_length ) );
mohammad16035955c982018-04-26 00:53:03 +03004375 }
mohammad16035c8845f2018-05-09 05:40:09 -07004376 else
Gilles Peskineb0b189f2018-11-28 17:30:58 +01004377#endif /* MBEDTLS_CCM_C */
Gilles Peskine26869f22019-05-06 15:25:00 +02004378#if defined(MBEDTLS_CHACHAPOLY_C)
4379 if( operation.core_alg == PSA_ALG_CHACHA20_POLY1305 )
4380 {
4381 if( nonce_length != 12 || operation.tag_length != 16 )
4382 {
4383 status = PSA_ERROR_NOT_SUPPORTED;
4384 goto exit;
4385 }
4386 status = mbedtls_to_psa_error(
4387 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
4388 plaintext_length,
4389 nonce,
4390 additional_data,
4391 additional_data_length,
4392 plaintext,
4393 ciphertext,
4394 tag ) );
4395 }
4396 else
4397#endif /* MBEDTLS_CHACHAPOLY_C */
mohammad16035c8845f2018-05-09 05:40:09 -07004398 {
mohammad1603554faad2018-06-03 15:07:38 +03004399 return( PSA_ERROR_NOT_SUPPORTED );
mohammad16035c8845f2018-05-09 05:40:09 -07004400 }
Gilles Peskine2d277862018-06-18 15:41:12 +02004401
Gilles Peskineedf9a652018-08-17 18:11:56 +02004402 if( status != PSA_SUCCESS && ciphertext_size != 0 )
4403 memset( ciphertext, 0, ciphertext_size );
Gilles Peskine2d277862018-06-18 15:41:12 +02004404
Gilles Peskineedf9a652018-08-17 18:11:56 +02004405exit:
Gilles Peskine30a9e412019-01-14 18:36:12 +01004406 psa_aead_abort_internal( &operation );
Gilles Peskineedf9a652018-08-17 18:11:56 +02004407 if( status == PSA_SUCCESS )
4408 *ciphertext_length = plaintext_length + operation.tag_length;
4409 return( status );
mohammad16035955c982018-04-26 00:53:03 +03004410}
4411
Gilles Peskineee652a32018-06-01 19:23:52 +02004412/* Locate the tag in a ciphertext buffer containing the encrypted data
4413 * followed by the tag. Return the length of the part preceding the tag in
4414 * *plaintext_length. This is the size of the plaintext in modes where
4415 * the encrypted data has the same size as the plaintext, such as
4416 * CCM and GCM. */
4417static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
4418 const uint8_t *ciphertext,
4419 size_t ciphertext_length,
4420 size_t plaintext_size,
Gilles Peskineee652a32018-06-01 19:23:52 +02004421 const uint8_t **p_tag )
4422{
4423 size_t payload_length;
4424 if( tag_length > ciphertext_length )
4425 return( PSA_ERROR_INVALID_ARGUMENT );
4426 payload_length = ciphertext_length - tag_length;
4427 if( payload_length > plaintext_size )
4428 return( PSA_ERROR_BUFFER_TOO_SMALL );
4429 *p_tag = ciphertext + payload_length;
Gilles Peskineee652a32018-06-01 19:23:52 +02004430 return( PSA_SUCCESS );
4431}
4432
Gilles Peskinec5487a82018-12-03 18:08:14 +01004433psa_status_t psa_aead_decrypt( psa_key_handle_t handle,
mohammad16035955c982018-04-26 00:53:03 +03004434 psa_algorithm_t alg,
4435 const uint8_t *nonce,
4436 size_t nonce_length,
4437 const uint8_t *additional_data,
4438 size_t additional_data_length,
4439 const uint8_t *ciphertext,
4440 size_t ciphertext_length,
4441 uint8_t *plaintext,
4442 size_t plaintext_size,
4443 size_t *plaintext_length )
4444{
mohammad16035955c982018-04-26 00:53:03 +03004445 psa_status_t status;
Gilles Peskineedf9a652018-08-17 18:11:56 +02004446 aead_operation_t operation;
4447 const uint8_t *tag = NULL;
Gilles Peskine2d277862018-06-18 15:41:12 +02004448
Gilles Peskineee652a32018-06-01 19:23:52 +02004449 *plaintext_length = 0;
mohammad16039e5a5152018-04-26 12:07:35 +03004450
Gilles Peskinec5487a82018-12-03 18:08:14 +01004451 status = psa_aead_setup( &operation, handle, PSA_KEY_USAGE_DECRYPT, alg );
Gilles Peskineb0b255c2018-07-06 17:01:38 +02004452 if( status != PSA_SUCCESS )
4453 return( status );
mohammad16035955c982018-04-26 00:53:03 +03004454
Gilles Peskinef7e7b012019-05-06 15:27:16 +02004455 status = psa_aead_unpadded_locate_tag( operation.tag_length,
4456 ciphertext, ciphertext_length,
4457 plaintext_size, &tag );
4458 if( status != PSA_SUCCESS )
4459 goto exit;
4460
Gilles Peskineb0b189f2018-11-28 17:30:58 +01004461#if defined(MBEDTLS_GCM_C)
Gilles Peskine23cc2ff2018-08-17 19:47:52 +02004462 if( operation.core_alg == PSA_ALG_GCM )
mohammad16035955c982018-04-26 00:53:03 +03004463 {
Gilles Peskineedf9a652018-08-17 18:11:56 +02004464 status = mbedtls_to_psa_error(
4465 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
4466 ciphertext_length - operation.tag_length,
4467 nonce, nonce_length,
4468 additional_data,
4469 additional_data_length,
4470 tag, operation.tag_length,
4471 ciphertext, plaintext ) );
mohammad16035955c982018-04-26 00:53:03 +03004472 }
Gilles Peskineb0b189f2018-11-28 17:30:58 +01004473 else
4474#endif /* MBEDTLS_GCM_C */
4475#if defined(MBEDTLS_CCM_C)
4476 if( operation.core_alg == PSA_ALG_CCM )
mohammad16035955c982018-04-26 00:53:03 +03004477 {
Gilles Peskineedf9a652018-08-17 18:11:56 +02004478 status = mbedtls_to_psa_error(
4479 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
4480 ciphertext_length - operation.tag_length,
4481 nonce, nonce_length,
4482 additional_data,
4483 additional_data_length,
4484 ciphertext, plaintext,
4485 tag, operation.tag_length ) );
mohammad16035955c982018-04-26 00:53:03 +03004486 }
mohammad160339574652018-06-01 04:39:53 -07004487 else
Gilles Peskineb0b189f2018-11-28 17:30:58 +01004488#endif /* MBEDTLS_CCM_C */
Gilles Peskine26869f22019-05-06 15:25:00 +02004489#if defined(MBEDTLS_CHACHAPOLY_C)
4490 if( operation.core_alg == PSA_ALG_CHACHA20_POLY1305 )
4491 {
4492 if( nonce_length != 12 || operation.tag_length != 16 )
4493 {
4494 status = PSA_ERROR_NOT_SUPPORTED;
4495 goto exit;
4496 }
4497 status = mbedtls_to_psa_error(
4498 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
4499 ciphertext_length - operation.tag_length,
4500 nonce,
4501 additional_data,
4502 additional_data_length,
4503 tag,
4504 ciphertext,
4505 plaintext ) );
4506 }
4507 else
4508#endif /* MBEDTLS_CHACHAPOLY_C */
mohammad160339574652018-06-01 04:39:53 -07004509 {
mohammad1603554faad2018-06-03 15:07:38 +03004510 return( PSA_ERROR_NOT_SUPPORTED );
mohammad160339574652018-06-01 04:39:53 -07004511 }
Gilles Peskinea40d7742018-06-01 16:28:30 +02004512
Gilles Peskineedf9a652018-08-17 18:11:56 +02004513 if( status != PSA_SUCCESS && plaintext_size != 0 )
4514 memset( plaintext, 0, plaintext_size );
mohammad160360a64d02018-06-03 17:20:42 +03004515
Gilles Peskineedf9a652018-08-17 18:11:56 +02004516exit:
Gilles Peskine30a9e412019-01-14 18:36:12 +01004517 psa_aead_abort_internal( &operation );
Gilles Peskineedf9a652018-08-17 18:11:56 +02004518 if( status == PSA_SUCCESS )
4519 *plaintext_length = ciphertext_length - operation.tag_length;
4520 return( status );
mohammad16035955c982018-04-26 00:53:03 +03004521}
4522
Gilles Peskinea0655c32018-04-30 17:06:50 +02004523
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +02004524
Gilles Peskine20035e32018-02-03 22:44:14 +01004525/****************************************************************/
Gilles Peskineeab56e42018-07-12 17:12:33 +02004526/* Generators */
4527/****************************************************************/
4528
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01004529#define HKDF_STATE_INIT 0 /* no input yet */
4530#define HKDF_STATE_STARTED 1 /* got salt */
4531#define HKDF_STATE_KEYED 2 /* got key */
4532#define HKDF_STATE_OUTPUT 3 /* output started */
4533
Gilles Peskinecbe66502019-05-16 16:59:18 +02004534static psa_algorithm_t psa_key_derivation_get_kdf_alg(
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004535 const psa_key_derivation_operation_t *operation )
Gilles Peskine969c5d62019-01-16 15:53:06 +01004536{
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004537 if ( PSA_ALG_IS_KEY_AGREEMENT( operation->alg ) )
4538 return( PSA_ALG_KEY_AGREEMENT_GET_KDF( operation->alg ) );
Gilles Peskine969c5d62019-01-16 15:53:06 +01004539 else
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004540 return( operation->alg );
Gilles Peskine969c5d62019-01-16 15:53:06 +01004541}
4542
4543
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004544psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation )
Gilles Peskineeab56e42018-07-12 17:12:33 +02004545{
4546 psa_status_t status = PSA_SUCCESS;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004547 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
Gilles Peskine969c5d62019-01-16 15:53:06 +01004548 if( kdf_alg == 0 )
Gilles Peskineeab56e42018-07-12 17:12:33 +02004549 {
4550 /* The object has (apparently) been initialized but it is not
4551 * in use. It's ok to call abort on such an object, and there's
4552 * nothing to do. */
4553 }
4554 else
Gilles Peskinebef7f142018-07-12 17:22:21 +02004555#if defined(MBEDTLS_MD_C)
Gilles Peskine969c5d62019-01-16 15:53:06 +01004556 if( PSA_ALG_IS_HKDF( kdf_alg ) )
Gilles Peskinebef7f142018-07-12 17:22:21 +02004557 {
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004558 mbedtls_free( operation->ctx.hkdf.info );
4559 status = psa_hmac_abort_internal( &operation->ctx.hkdf.hmac );
Gilles Peskinebef7f142018-07-12 17:22:21 +02004560 }
Gilles Peskine969c5d62019-01-16 15:53:06 +01004561 else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004562 /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
Gilles Peskine969c5d62019-01-16 15:53:06 +01004563 PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
Hanno Beckerc8a41d72018-10-09 17:33:01 +01004564 {
Janos Follath6a1d2622019-06-11 10:37:28 +01004565 if( operation->ctx.tls12_prf.seed != NULL )
4566 {
4567 mbedtls_platform_zeroize( operation->ctx.tls12_prf.seed,
4568 operation->ctx.tls12_prf.seed_length );
4569 mbedtls_free( operation->ctx.tls12_prf.seed );
4570 }
4571
4572 if( operation->ctx.tls12_prf.label != NULL )
4573 {
4574 mbedtls_platform_zeroize( operation->ctx.tls12_prf.label,
4575 operation->ctx.tls12_prf.label_length );
4576 mbedtls_free( operation->ctx.tls12_prf.label );
4577 }
4578
4579 status = psa_hmac_abort_internal( &operation->ctx.tls12_prf.hmac );
4580
4581 /* We leave the fields Ai and output_block to be erased safely by the
4582 * mbedtls_platform_zeroize() in the end of this function. */
Hanno Beckerc8a41d72018-10-09 17:33:01 +01004583 }
Gilles Peskinebef7f142018-07-12 17:22:21 +02004584 else
4585#endif /* MBEDTLS_MD_C */
Gilles Peskineeab56e42018-07-12 17:12:33 +02004586 {
4587 status = PSA_ERROR_BAD_STATE;
4588 }
Janos Follath083036a2019-06-11 10:22:26 +01004589 mbedtls_platform_zeroize( operation, sizeof( *operation ) );
Gilles Peskineeab56e42018-07-12 17:12:33 +02004590 return( status );
4591}
4592
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004593psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation,
Gilles Peskineeab56e42018-07-12 17:12:33 +02004594 size_t *capacity)
4595{
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004596 if( operation->alg == 0 )
Jaeden Amerocf2010c2019-02-15 13:05:49 +00004597 {
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004598 /* This is a blank key derivation operation. */
Jaeden Amerocf2010c2019-02-15 13:05:49 +00004599 return PSA_ERROR_BAD_STATE;
4600 }
4601
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004602 *capacity = operation->capacity;
Gilles Peskineeab56e42018-07-12 17:12:33 +02004603 return( PSA_SUCCESS );
4604}
4605
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004606psa_status_t psa_key_derivation_set_capacity( psa_key_derivation_operation_t *operation,
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01004607 size_t capacity )
4608{
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004609 if( operation->alg == 0 )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01004610 return( PSA_ERROR_BAD_STATE );
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004611 if( capacity > operation->capacity )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01004612 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004613 operation->capacity = capacity;
Gilles Peskineeab56e42018-07-12 17:12:33 +02004614 return( PSA_SUCCESS );
4615}
4616
Gilles Peskinebef7f142018-07-12 17:22:21 +02004617#if defined(MBEDTLS_MD_C)
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004618/* Read some bytes from an HKDF-based operation. This performs a chunk
Gilles Peskinebef7f142018-07-12 17:22:21 +02004619 * of the expand phase of the HKDF algorithm. */
Gilles Peskinecbe66502019-05-16 16:59:18 +02004620static psa_status_t psa_key_derivation_hkdf_read( psa_hkdf_key_derivation_t *hkdf,
Gilles Peskinebef7f142018-07-12 17:22:21 +02004621 psa_algorithm_t hash_alg,
4622 uint8_t *output,
4623 size_t output_length )
4624{
4625 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
4626 psa_status_t status;
4627
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01004628 if( hkdf->state < HKDF_STATE_KEYED || ! hkdf->info_set )
4629 return( PSA_ERROR_BAD_STATE );
4630 hkdf->state = HKDF_STATE_OUTPUT;
4631
Gilles Peskinebef7f142018-07-12 17:22:21 +02004632 while( output_length != 0 )
4633 {
4634 /* Copy what remains of the current block */
4635 uint8_t n = hash_length - hkdf->offset_in_block;
4636 if( n > output_length )
4637 n = (uint8_t) output_length;
4638 memcpy( output, hkdf->output_block + hkdf->offset_in_block, n );
4639 output += n;
4640 output_length -= n;
4641 hkdf->offset_in_block += n;
Gilles Peskined54931c2018-07-17 21:06:59 +02004642 if( output_length == 0 )
Gilles Peskinebef7f142018-07-12 17:22:21 +02004643 break;
Gilles Peskined54931c2018-07-17 21:06:59 +02004644 /* We can't be wanting more output after block 0xff, otherwise
Gilles Peskinea99d3fb2019-05-16 15:28:51 +02004645 * the capacity check in psa_key_derivation_output_bytes() would have
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004646 * prevented this call. It could happen only if the operation
Gilles Peskined54931c2018-07-17 21:06:59 +02004647 * object was corrupted or if this function is called directly
4648 * inside the library. */
4649 if( hkdf->block_number == 0xff )
4650 return( PSA_ERROR_BAD_STATE );
Gilles Peskinebef7f142018-07-12 17:22:21 +02004651
4652 /* We need a new block */
4653 ++hkdf->block_number;
4654 hkdf->offset_in_block = 0;
4655 status = psa_hmac_setup_internal( &hkdf->hmac,
4656 hkdf->prk, hash_length,
4657 hash_alg );
4658 if( status != PSA_SUCCESS )
4659 return( status );
4660 if( hkdf->block_number != 1 )
4661 {
4662 status = psa_hash_update( &hkdf->hmac.hash_ctx,
4663 hkdf->output_block,
4664 hash_length );
4665 if( status != PSA_SUCCESS )
4666 return( status );
4667 }
4668 status = psa_hash_update( &hkdf->hmac.hash_ctx,
4669 hkdf->info,
4670 hkdf->info_length );
4671 if( status != PSA_SUCCESS )
4672 return( status );
4673 status = psa_hash_update( &hkdf->hmac.hash_ctx,
4674 &hkdf->block_number, 1 );
4675 if( status != PSA_SUCCESS )
4676 return( status );
4677 status = psa_hmac_finish_internal( &hkdf->hmac,
4678 hkdf->output_block,
4679 sizeof( hkdf->output_block ) );
4680 if( status != PSA_SUCCESS )
4681 return( status );
4682 }
4683
4684 return( PSA_SUCCESS );
4685}
Hanno Beckerc8a41d72018-10-09 17:33:01 +01004686
Janos Follath7742fee2019-06-17 12:58:10 +01004687static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
4688 psa_tls12_prf_key_derivation_t *tls12_prf,
4689 psa_algorithm_t alg )
4690{
4691 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg );
4692 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
Janos Follathea29bfb2019-06-19 12:21:20 +01004693 psa_hash_operation_t backup = PSA_HASH_OPERATION_INIT;
4694 psa_status_t status, cleanup_status;
Hanno Beckerc8a41d72018-10-09 17:33:01 +01004695
Janos Follath7742fee2019-06-17 12:58:10 +01004696 /* We can't be wanting more output after block 0xff, otherwise
4697 * the capacity check in psa_key_derivation_output_bytes() would have
4698 * prevented this call. It could happen only if the operation
4699 * object was corrupted or if this function is called directly
4700 * inside the library. */
4701 if( tls12_prf->block_number == 0xff )
Janos Follath30090bc2019-06-25 10:15:04 +01004702 return( PSA_ERROR_CORRUPTION_DETECTED );
Janos Follath7742fee2019-06-17 12:58:10 +01004703
4704 /* We need a new block */
4705 ++tls12_prf->block_number;
Janos Follath844eb0e2019-06-19 12:10:49 +01004706 tls12_prf->left_in_block = hash_length;
Janos Follath7742fee2019-06-17 12:58:10 +01004707
4708 /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
4709 *
4710 * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
4711 *
4712 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4713 * HMAC_hash(secret, A(2) + seed) +
4714 * HMAC_hash(secret, A(3) + seed) + ...
4715 *
4716 * A(0) = seed
Janos Follathea29bfb2019-06-19 12:21:20 +01004717 * A(i) = HMAC_hash(secret, A(i-1))
Janos Follath7742fee2019-06-17 12:58:10 +01004718 *
Janos Follathea29bfb2019-06-19 12:21:20 +01004719 * The `psa_tls12_prf_key_derivation` structure saves the block
Janos Follath7742fee2019-06-17 12:58:10 +01004720 * `HMAC_hash(secret, A(i) + seed)` from which the output
Janos Follath76c39842019-06-26 12:50:36 +01004721 * is currently extracted as `output_block` and where i is
4722 * `block_number`.
Janos Follath7742fee2019-06-17 12:58:10 +01004723 */
4724
Janos Follathea29bfb2019-06-19 12:21:20 +01004725 /* Save the hash context before using it, to preserve the hash state with
4726 * only the inner padding in it. We need this, because inner padding depends
4727 * on the key (secret in the RFC's terminology). */
4728 status = psa_hash_clone( &tls12_prf->hmac.hash_ctx, &backup );
4729 if( status != PSA_SUCCESS )
4730 goto cleanup;
4731
4732 /* Calculate A(i) where i = tls12_prf->block_number. */
4733 if( tls12_prf->block_number == 1 )
4734 {
4735 /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads
4736 * the variable seed and in this instance means it in the context of the
4737 * P_hash function, where seed = label + seed.) */
4738 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
4739 tls12_prf->label, tls12_prf->label_length );
4740 if( status != PSA_SUCCESS )
4741 goto cleanup;
4742 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
4743 tls12_prf->seed, tls12_prf->seed_length );
4744 if( status != PSA_SUCCESS )
4745 goto cleanup;
4746 }
4747 else
4748 {
4749 /* A(i) = HMAC_hash(secret, A(i-1)) */
4750 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
4751 tls12_prf->Ai, hash_length );
4752 if( status != PSA_SUCCESS )
4753 goto cleanup;
4754 }
4755
4756 status = psa_hmac_finish_internal( &tls12_prf->hmac,
4757 tls12_prf->Ai, hash_length );
4758 if( status != PSA_SUCCESS )
4759 goto cleanup;
4760 status = psa_hash_clone( &backup, &tls12_prf->hmac.hash_ctx );
4761 if( status != PSA_SUCCESS )
4762 goto cleanup;
4763
4764 /* Calculate HMAC_hash(secret, A(i) + label + seed). */
4765 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
4766 tls12_prf->Ai, hash_length );
4767 if( status != PSA_SUCCESS )
4768 goto cleanup;
4769 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
4770 tls12_prf->label, tls12_prf->label_length );
4771 if( status != PSA_SUCCESS )
4772 goto cleanup;
4773 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
4774 tls12_prf->seed, tls12_prf->seed_length );
4775 if( status != PSA_SUCCESS )
4776 goto cleanup;
4777 status = psa_hmac_finish_internal( &tls12_prf->hmac,
4778 tls12_prf->output_block, hash_length );
4779 if( status != PSA_SUCCESS )
4780 goto cleanup;
4781 status = psa_hash_clone( &backup, &tls12_prf->hmac.hash_ctx );
4782 if( status != PSA_SUCCESS )
4783 goto cleanup;
4784
Janos Follath7742fee2019-06-17 12:58:10 +01004785
4786cleanup:
4787
Janos Follathea29bfb2019-06-19 12:21:20 +01004788 cleanup_status = psa_hash_abort( &backup );
4789 if( status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS )
4790 status = cleanup_status;
4791
4792 return( status );
Janos Follath7742fee2019-06-17 12:58:10 +01004793}
Hanno Beckerc8a41d72018-10-09 17:33:01 +01004794
Janos Follath844eb0e2019-06-19 12:10:49 +01004795static psa_status_t psa_key_derivation_tls12_prf_read(
4796 psa_tls12_prf_key_derivation_t *tls12_prf,
4797 psa_algorithm_t alg,
4798 uint8_t *output,
4799 size_t output_length )
4800{
4801 psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg );
4802 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
4803 psa_status_t status;
4804 uint8_t offset, length;
4805
4806 while( output_length != 0 )
4807 {
4808 /* Check if we have fully processed the current block. */
4809 if( tls12_prf->left_in_block == 0 )
4810 {
4811 status = psa_key_derivation_tls12_prf_generate_next_block( tls12_prf,
4812 alg );
4813 if( status != PSA_SUCCESS )
4814 return( status );
4815
4816 continue;
4817 }
4818
4819 if( tls12_prf->left_in_block > output_length )
4820 length = (uint8_t) output_length;
4821 else
4822 length = tls12_prf->left_in_block;
4823
4824 offset = hash_length - tls12_prf->left_in_block;
4825 memcpy( output, tls12_prf->output_block + offset, length );
4826 output += length;
4827 output_length -= length;
4828 tls12_prf->left_in_block -= length;
4829 }
4830
4831 return( PSA_SUCCESS );
4832}
Gilles Peskinebef7f142018-07-12 17:22:21 +02004833#endif /* MBEDTLS_MD_C */
4834
Janos Follath6c6c8fc2019-06-17 12:38:20 +01004835psa_status_t psa_key_derivation_output_bytes(
4836 psa_key_derivation_operation_t *operation,
4837 uint8_t *output,
4838 size_t output_length )
Gilles Peskineeab56e42018-07-12 17:12:33 +02004839{
4840 psa_status_t status;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004841 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
Gilles Peskineeab56e42018-07-12 17:12:33 +02004842
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004843 if( operation->alg == 0 )
Jaeden Amerocf2010c2019-02-15 13:05:49 +00004844 {
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004845 /* This is a blank operation. */
Jaeden Amerocf2010c2019-02-15 13:05:49 +00004846 return PSA_ERROR_BAD_STATE;
4847 }
4848
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004849 if( output_length > operation->capacity )
Gilles Peskineeab56e42018-07-12 17:12:33 +02004850 {
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004851 operation->capacity = 0;
Gilles Peskineeab56e42018-07-12 17:12:33 +02004852 /* Go through the error path to wipe all confidential data now
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004853 * that the operation object is useless. */
David Saadab4ecc272019-02-14 13:48:10 +02004854 status = PSA_ERROR_INSUFFICIENT_DATA;
Gilles Peskineeab56e42018-07-12 17:12:33 +02004855 goto exit;
4856 }
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004857 if( output_length == 0 && operation->capacity == 0 )
Gilles Peskineeab56e42018-07-12 17:12:33 +02004858 {
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004859 /* Edge case: this is a finished operation, and 0 bytes
Jaeden Amerocf2010c2019-02-15 13:05:49 +00004860 * were requested. The right error in this case could
Gilles Peskineeab56e42018-07-12 17:12:33 +02004861 * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
4862 * INSUFFICIENT_CAPACITY, which is right for a finished
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004863 * operation, for consistency with the case when
Gilles Peskineeab56e42018-07-12 17:12:33 +02004864 * output_length > 0. */
David Saadab4ecc272019-02-14 13:48:10 +02004865 return( PSA_ERROR_INSUFFICIENT_DATA );
Gilles Peskineeab56e42018-07-12 17:12:33 +02004866 }
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004867 operation->capacity -= output_length;
Gilles Peskineeab56e42018-07-12 17:12:33 +02004868
Gilles Peskinebef7f142018-07-12 17:22:21 +02004869#if defined(MBEDTLS_MD_C)
Gilles Peskine969c5d62019-01-16 15:53:06 +01004870 if( PSA_ALG_IS_HKDF( kdf_alg ) )
Gilles Peskinebef7f142018-07-12 17:22:21 +02004871 {
Gilles Peskine969c5d62019-01-16 15:53:06 +01004872 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004873 status = psa_key_derivation_hkdf_read( &operation->ctx.hkdf, hash_alg,
Gilles Peskinebef7f142018-07-12 17:22:21 +02004874 output, output_length );
4875 }
Janos Follathadbec812019-06-14 11:05:39 +01004876 else
Janos Follathadbec812019-06-14 11:05:39 +01004877 if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
Gilles Peskine969c5d62019-01-16 15:53:06 +01004878 PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
Hanno Beckerc8a41d72018-10-09 17:33:01 +01004879 {
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004880 status = psa_key_derivation_tls12_prf_read( &operation->ctx.tls12_prf,
Gilles Peskine969c5d62019-01-16 15:53:06 +01004881 kdf_alg, output,
Hanno Beckerc8a41d72018-10-09 17:33:01 +01004882 output_length );
4883 }
Gilles Peskinebef7f142018-07-12 17:22:21 +02004884 else
4885#endif /* MBEDTLS_MD_C */
Gilles Peskineeab56e42018-07-12 17:12:33 +02004886 {
4887 return( PSA_ERROR_BAD_STATE );
4888 }
4889
4890exit:
4891 if( status != PSA_SUCCESS )
4892 {
Jaeden Amerocf2010c2019-02-15 13:05:49 +00004893 /* Preserve the algorithm upon errors, but clear all sensitive state.
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004894 * This allows us to differentiate between exhausted operations and
4895 * blank operations, so we can return PSA_ERROR_BAD_STATE on blank
4896 * operations. */
4897 psa_algorithm_t alg = operation->alg;
4898 psa_key_derivation_abort( operation );
4899 operation->alg = alg;
Gilles Peskineeab56e42018-07-12 17:12:33 +02004900 memset( output, '!', output_length );
4901 }
4902 return( status );
4903}
4904
Gilles Peskine08542d82018-07-19 17:05:42 +02004905#if defined(MBEDTLS_DES_C)
4906static void psa_des_set_key_parity( uint8_t *data, size_t data_size )
4907{
4908 if( data_size >= 8 )
4909 mbedtls_des_key_set_parity( data );
4910 if( data_size >= 16 )
4911 mbedtls_des_key_set_parity( data + 8 );
4912 if( data_size >= 24 )
4913 mbedtls_des_key_set_parity( data + 16 );
4914}
4915#endif /* MBEDTLS_DES_C */
4916
Adrian L. Shaw5a5a79a2019-05-03 15:44:28 +01004917static psa_status_t psa_generate_derived_key_internal(
Gilles Peskineff5f0e72019-04-18 12:53:30 +02004918 psa_key_slot_t *slot,
4919 size_t bits,
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004920 psa_key_derivation_operation_t *operation )
Gilles Peskineeab56e42018-07-12 17:12:33 +02004921{
4922 uint8_t *data = NULL;
4923 size_t bytes = PSA_BITS_TO_BYTES( bits );
4924 psa_status_t status;
4925
Gilles Peskine8e338702019-07-30 20:06:31 +02004926 if( ! key_type_is_raw_bytes( slot->attr.type ) )
Gilles Peskineeab56e42018-07-12 17:12:33 +02004927 return( PSA_ERROR_INVALID_ARGUMENT );
4928 if( bits % 8 != 0 )
4929 return( PSA_ERROR_INVALID_ARGUMENT );
4930 data = mbedtls_calloc( 1, bytes );
4931 if( data == NULL )
4932 return( PSA_ERROR_INSUFFICIENT_MEMORY );
4933
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004934 status = psa_key_derivation_output_bytes( operation, data, bytes );
Gilles Peskineeab56e42018-07-12 17:12:33 +02004935 if( status != PSA_SUCCESS )
4936 goto exit;
Gilles Peskine08542d82018-07-19 17:05:42 +02004937#if defined(MBEDTLS_DES_C)
Gilles Peskine8e338702019-07-30 20:06:31 +02004938 if( slot->attr.type == PSA_KEY_TYPE_DES )
Gilles Peskine08542d82018-07-19 17:05:42 +02004939 psa_des_set_key_parity( data, bytes );
4940#endif /* MBEDTLS_DES_C */
Gilles Peskineff5f0e72019-04-18 12:53:30 +02004941 status = psa_import_key_into_slot( slot, data, bytes );
Gilles Peskineeab56e42018-07-12 17:12:33 +02004942
4943exit:
4944 mbedtls_free( data );
4945 return( status );
4946}
4947
Gilles Peskinea99d3fb2019-05-16 15:28:51 +02004948psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attributes,
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004949 psa_key_derivation_operation_t *operation,
Gilles Peskine98dd7792019-05-15 19:43:49 +02004950 psa_key_handle_t *handle )
Gilles Peskineff5f0e72019-04-18 12:53:30 +02004951{
4952 psa_status_t status;
4953 psa_key_slot_t *slot = NULL;
Gilles Peskine8abe6a22019-07-12 23:40:35 +02004954 psa_se_drv_table_entry_t *driver = NULL;
Gilles Peskine0f84d622019-09-12 19:03:13 +02004955
4956 /* Reject any attempt to create a zero-length key so that we don't
4957 * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
4958 if( psa_get_key_bits( attributes ) == 0 )
4959 return( PSA_ERROR_INVALID_ARGUMENT );
4960
Gilles Peskine178c9aa2019-09-24 18:21:06 +02004961 if( ! operation->can_output_key )
4962 return( PSA_ERROR_NOT_PERMITTED );
4963
Gilles Peskinedf179142019-07-15 22:02:14 +02004964 status = psa_start_key_creation( PSA_KEY_CREATION_DERIVE,
4965 attributes, handle, &slot, &driver );
Gilles Peskinef4ee6622019-07-24 13:44:30 +02004966#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
4967 if( driver != NULL )
4968 {
4969 /* Deriving a key in a secure element is not implemented yet. */
4970 status = PSA_ERROR_NOT_SUPPORTED;
4971 }
4972#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskineff5f0e72019-04-18 12:53:30 +02004973 if( status == PSA_SUCCESS )
4974 {
Adrian L. Shaw5a5a79a2019-05-03 15:44:28 +01004975 status = psa_generate_derived_key_internal( slot,
Gilles Peskine7e0cff92019-07-30 13:48:52 +02004976 attributes->core.bits,
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004977 operation );
Gilles Peskineff5f0e72019-04-18 12:53:30 +02004978 }
4979 if( status == PSA_SUCCESS )
Gilles Peskine011e4282019-06-26 18:34:38 +02004980 status = psa_finish_key_creation( slot, driver );
Gilles Peskineff5f0e72019-04-18 12:53:30 +02004981 if( status != PSA_SUCCESS )
4982 {
Gilles Peskine011e4282019-06-26 18:34:38 +02004983 psa_fail_key_creation( slot, driver );
Gilles Peskineff5f0e72019-04-18 12:53:30 +02004984 *handle = 0;
4985 }
4986 return( status );
4987}
4988
Gilles Peskineeab56e42018-07-12 17:12:33 +02004989
4990
4991/****************************************************************/
Gilles Peskineea0fb492018-07-12 17:17:20 +02004992/* Key derivation */
4993/****************************************************************/
4994
Gilles Peskine969c5d62019-01-16 15:53:06 +01004995static psa_status_t psa_key_derivation_setup_kdf(
Gilles Peskine51ae0e42019-05-16 17:31:03 +02004996 psa_key_derivation_operation_t *operation,
Gilles Peskine969c5d62019-01-16 15:53:06 +01004997 psa_algorithm_t kdf_alg )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01004998{
Janos Follath5fe19732019-06-20 15:09:30 +01004999 /* Make sure that operation->ctx is properly zero-initialised. (Macro
5000 * initialisers for this union leave some bytes unspecified.) */
5001 memset( &operation->ctx, 0, sizeof( operation->ctx ) );
5002
Gilles Peskine969c5d62019-01-16 15:53:06 +01005003 /* Make sure that kdf_alg is a supported key derivation algorithm. */
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005004#if defined(MBEDTLS_MD_C)
Gilles Peskine969c5d62019-01-16 15:53:06 +01005005 if( PSA_ALG_IS_HKDF( kdf_alg ) ||
5006 PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
5007 PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005008 {
Gilles Peskine969c5d62019-01-16 15:53:06 +01005009 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005010 size_t hash_size = PSA_HASH_SIZE( hash_alg );
5011 if( hash_size == 0 )
5012 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine969c5d62019-01-16 15:53:06 +01005013 if( ( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
5014 PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) &&
Gilles Peskineab4b2012019-04-12 15:06:27 +02005015 ! ( hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384 ) )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005016 {
5017 return( PSA_ERROR_NOT_SUPPORTED );
5018 }
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005019 operation->capacity = 255 * hash_size;
Gilles Peskine969c5d62019-01-16 15:53:06 +01005020 return( PSA_SUCCESS );
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005021 }
5022#endif /* MBEDTLS_MD_C */
Gilles Peskine969c5d62019-01-16 15:53:06 +01005023 else
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005024 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine969c5d62019-01-16 15:53:06 +01005025}
5026
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005027psa_status_t psa_key_derivation_setup( psa_key_derivation_operation_t *operation,
Gilles Peskine969c5d62019-01-16 15:53:06 +01005028 psa_algorithm_t alg )
5029{
5030 psa_status_t status;
5031
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005032 if( operation->alg != 0 )
Gilles Peskine969c5d62019-01-16 15:53:06 +01005033 return( PSA_ERROR_BAD_STATE );
5034
Gilles Peskine6843c292019-01-18 16:44:49 +01005035 if( PSA_ALG_IS_RAW_KEY_AGREEMENT( alg ) )
5036 return( PSA_ERROR_INVALID_ARGUMENT );
5037 else if( PSA_ALG_IS_KEY_AGREEMENT( alg ) )
Gilles Peskine969c5d62019-01-16 15:53:06 +01005038 {
5039 psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF( alg );
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005040 status = psa_key_derivation_setup_kdf( operation, kdf_alg );
Gilles Peskine969c5d62019-01-16 15:53:06 +01005041 }
5042 else if( PSA_ALG_IS_KEY_DERIVATION( alg ) )
5043 {
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005044 status = psa_key_derivation_setup_kdf( operation, alg );
Gilles Peskine969c5d62019-01-16 15:53:06 +01005045 }
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005046 else
5047 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine969c5d62019-01-16 15:53:06 +01005048
5049 if( status == PSA_SUCCESS )
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005050 operation->alg = alg;
Gilles Peskine969c5d62019-01-16 15:53:06 +01005051 return( status );
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005052}
5053
5054#if defined(MBEDTLS_MD_C)
Gilles Peskinecbe66502019-05-16 16:59:18 +02005055static psa_status_t psa_hkdf_input( psa_hkdf_key_derivation_t *hkdf,
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005056 psa_algorithm_t hash_alg,
5057 psa_key_derivation_step_t step,
5058 const uint8_t *data,
5059 size_t data_length )
5060{
5061 psa_status_t status;
5062 switch( step )
5063 {
Gilles Peskine03410b52019-05-16 16:05:19 +02005064 case PSA_KEY_DERIVATION_INPUT_SALT:
Gilles Peskine2b522db2019-04-12 15:11:49 +02005065 if( hkdf->state != HKDF_STATE_INIT )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005066 return( PSA_ERROR_BAD_STATE );
Gilles Peskine2b522db2019-04-12 15:11:49 +02005067 status = psa_hmac_setup_internal( &hkdf->hmac,
5068 data, data_length,
5069 hash_alg );
5070 if( status != PSA_SUCCESS )
5071 return( status );
5072 hkdf->state = HKDF_STATE_STARTED;
5073 return( PSA_SUCCESS );
Gilles Peskine03410b52019-05-16 16:05:19 +02005074 case PSA_KEY_DERIVATION_INPUT_SECRET:
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005075 /* If no salt was provided, use an empty salt. */
5076 if( hkdf->state == HKDF_STATE_INIT )
5077 {
5078 status = psa_hmac_setup_internal( &hkdf->hmac,
5079 NULL, 0,
Gilles Peskinef9ee6332019-04-11 21:22:52 +02005080 hash_alg );
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005081 if( status != PSA_SUCCESS )
5082 return( status );
5083 hkdf->state = HKDF_STATE_STARTED;
5084 }
Gilles Peskine2b522db2019-04-12 15:11:49 +02005085 if( hkdf->state != HKDF_STATE_STARTED )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005086 return( PSA_ERROR_BAD_STATE );
Gilles Peskine2b522db2019-04-12 15:11:49 +02005087 status = psa_hash_update( &hkdf->hmac.hash_ctx,
5088 data, data_length );
5089 if( status != PSA_SUCCESS )
5090 return( status );
5091 status = psa_hmac_finish_internal( &hkdf->hmac,
5092 hkdf->prk,
5093 sizeof( hkdf->prk ) );
5094 if( status != PSA_SUCCESS )
5095 return( status );
5096 hkdf->offset_in_block = PSA_HASH_SIZE( hash_alg );
5097 hkdf->block_number = 0;
5098 hkdf->state = HKDF_STATE_KEYED;
5099 return( PSA_SUCCESS );
Gilles Peskine03410b52019-05-16 16:05:19 +02005100 case PSA_KEY_DERIVATION_INPUT_INFO:
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005101 if( hkdf->state == HKDF_STATE_OUTPUT )
5102 return( PSA_ERROR_BAD_STATE );
5103 if( hkdf->info_set )
5104 return( PSA_ERROR_BAD_STATE );
5105 hkdf->info_length = data_length;
5106 if( data_length != 0 )
5107 {
5108 hkdf->info = mbedtls_calloc( 1, data_length );
5109 if( hkdf->info == NULL )
5110 return( PSA_ERROR_INSUFFICIENT_MEMORY );
5111 memcpy( hkdf->info, data, data_length );
5112 }
5113 hkdf->info_set = 1;
5114 return( PSA_SUCCESS );
5115 default:
5116 return( PSA_ERROR_INVALID_ARGUMENT );
5117 }
5118}
Janos Follathb03233e2019-06-11 15:30:30 +01005119
Janos Follathf08e2652019-06-13 09:05:41 +01005120static psa_status_t psa_tls12_prf_set_seed( psa_tls12_prf_key_derivation_t *prf,
5121 const uint8_t *data,
5122 size_t data_length )
5123{
5124 if( prf->state != TLS12_PRF_STATE_INIT )
5125 return( PSA_ERROR_BAD_STATE );
5126
Janos Follathd6dce9f2019-07-04 09:11:38 +01005127 if( data_length != 0 )
5128 {
5129 prf->seed = mbedtls_calloc( 1, data_length );
5130 if( prf->seed == NULL )
5131 return( PSA_ERROR_INSUFFICIENT_MEMORY );
Janos Follathf08e2652019-06-13 09:05:41 +01005132
Janos Follathd6dce9f2019-07-04 09:11:38 +01005133 memcpy( prf->seed, data, data_length );
5134 prf->seed_length = data_length;
5135 }
Janos Follathf08e2652019-06-13 09:05:41 +01005136
5137 prf->state = TLS12_PRF_STATE_SEED_SET;
5138
5139 return( PSA_SUCCESS );
5140}
5141
Janos Follath81550542019-06-13 14:26:34 +01005142static psa_status_t psa_tls12_prf_set_key( psa_tls12_prf_key_derivation_t *prf,
5143 psa_algorithm_t hash_alg,
5144 const uint8_t *data,
5145 size_t data_length )
5146{
5147 psa_status_t status;
5148 if( prf->state != TLS12_PRF_STATE_SEED_SET )
5149 return( PSA_ERROR_BAD_STATE );
5150
5151 status = psa_hmac_setup_internal( &prf->hmac, data, data_length, hash_alg );
5152 if( status != PSA_SUCCESS )
5153 return( status );
5154
5155 prf->state = TLS12_PRF_STATE_KEY_SET;
5156
5157 return( PSA_SUCCESS );
5158}
5159
Janos Follath6660f0e2019-06-17 08:44:03 +01005160static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
5161 psa_tls12_prf_key_derivation_t *prf,
5162 psa_algorithm_t hash_alg,
5163 const uint8_t *data,
5164 size_t data_length )
5165{
5166 psa_status_t status;
Gilles Peskinec11c4dc2019-07-15 11:06:38 +02005167 uint8_t pms[ 4 + 2 * PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ];
5168 uint8_t *cur = pms;
Janos Follath6660f0e2019-06-17 08:44:03 +01005169
5170 if( data_length > PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN )
5171 return( PSA_ERROR_INVALID_ARGUMENT );
5172
5173 /* Quoting RFC 4279, Section 2:
5174 *
5175 * The premaster secret is formed as follows: if the PSK is N octets
5176 * long, concatenate a uint16 with the value N, N zero octets, a second
5177 * uint16 with the value N, and the PSK itself.
5178 */
5179
Janos Follath40e13932019-06-26 13:22:29 +01005180 *cur++ = ( data_length >> 8 ) & 0xff;
5181 *cur++ = ( data_length >> 0 ) & 0xff;
5182 memset( cur, 0, data_length );
5183 cur += data_length;
5184 *cur++ = pms[0];
5185 *cur++ = pms[1];
5186 memcpy( cur, data, data_length );
5187 cur += data_length;
Janos Follath6660f0e2019-06-17 08:44:03 +01005188
Janos Follath40e13932019-06-26 13:22:29 +01005189 status = psa_tls12_prf_set_key( prf, hash_alg, pms, cur - pms );
Janos Follath6660f0e2019-06-17 08:44:03 +01005190
5191 mbedtls_platform_zeroize( pms, sizeof( pms ) );
5192 return( status );
5193}
5194
Janos Follath63028dd2019-06-13 09:15:47 +01005195static psa_status_t psa_tls12_prf_set_label( psa_tls12_prf_key_derivation_t *prf,
5196 const uint8_t *data,
5197 size_t data_length )
5198{
5199 if( prf->state != TLS12_PRF_STATE_KEY_SET )
5200 return( PSA_ERROR_BAD_STATE );
5201
Janos Follathd6dce9f2019-07-04 09:11:38 +01005202 if( data_length != 0 )
5203 {
5204 prf->label = mbedtls_calloc( 1, data_length );
5205 if( prf->label == NULL )
5206 return( PSA_ERROR_INSUFFICIENT_MEMORY );
Janos Follath63028dd2019-06-13 09:15:47 +01005207
Janos Follathd6dce9f2019-07-04 09:11:38 +01005208 memcpy( prf->label, data, data_length );
5209 prf->label_length = data_length;
5210 }
Janos Follath63028dd2019-06-13 09:15:47 +01005211
5212 prf->state = TLS12_PRF_STATE_LABEL_SET;
5213
5214 return( PSA_SUCCESS );
5215}
5216
Janos Follathb03233e2019-06-11 15:30:30 +01005217static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
5218 psa_algorithm_t hash_alg,
5219 psa_key_derivation_step_t step,
5220 const uint8_t *data,
5221 size_t data_length )
5222{
Janos Follathb03233e2019-06-11 15:30:30 +01005223 switch( step )
5224 {
Janos Follathf08e2652019-06-13 09:05:41 +01005225 case PSA_KEY_DERIVATION_INPUT_SEED:
5226 return( psa_tls12_prf_set_seed( prf, data, data_length ) );
Janos Follath81550542019-06-13 14:26:34 +01005227 case PSA_KEY_DERIVATION_INPUT_SECRET:
5228 return( psa_tls12_prf_set_key( prf, hash_alg, data, data_length ) );
Janos Follath63028dd2019-06-13 09:15:47 +01005229 case PSA_KEY_DERIVATION_INPUT_LABEL:
5230 return( psa_tls12_prf_set_label( prf, data, data_length ) );
Janos Follathb03233e2019-06-11 15:30:30 +01005231 default:
5232 return( PSA_ERROR_INVALID_ARGUMENT );
5233 }
5234}
Janos Follath6660f0e2019-06-17 08:44:03 +01005235
5236static psa_status_t psa_tls12_prf_psk_to_ms_input(
5237 psa_tls12_prf_key_derivation_t *prf,
5238 psa_algorithm_t hash_alg,
5239 psa_key_derivation_step_t step,
5240 const uint8_t *data,
5241 size_t data_length )
5242{
5243 if( step == PSA_KEY_DERIVATION_INPUT_SECRET )
Janos Follath0c1ed842019-06-28 13:35:36 +01005244 {
Janos Follath6660f0e2019-06-17 08:44:03 +01005245 return( psa_tls12_prf_psk_to_ms_set_key( prf, hash_alg,
5246 data, data_length ) );
Janos Follath0c1ed842019-06-28 13:35:36 +01005247 }
Janos Follath6660f0e2019-06-17 08:44:03 +01005248
5249 return( psa_tls12_prf_input( prf, hash_alg, step, data, data_length ) );
5250}
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005251#endif /* MBEDTLS_MD_C */
5252
Gilles Peskineb8965192019-09-24 16:21:10 +02005253/** Check whether the given key type is acceptable for the given
5254 * input step of a key derivation.
5255 *
5256 * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE.
5257 * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA.
5258 * Both secret and non-secret inputs can alternatively have the type
5259 * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning
5260 * that the input was passed as a buffer rather than via a key object.
5261 */
Gilles Peskine224b0d62019-09-23 18:13:17 +02005262static int psa_key_derivation_check_input_type(
5263 psa_key_derivation_step_t step,
5264 psa_key_type_t key_type )
5265{
5266 switch( step )
5267 {
5268 case PSA_KEY_DERIVATION_INPUT_SECRET:
Gilles Peskineb8965192019-09-24 16:21:10 +02005269 if( key_type == PSA_KEY_TYPE_DERIVE )
5270 return( PSA_SUCCESS );
5271 if( key_type == PSA_KEY_TYPE_NONE )
Gilles Peskine224b0d62019-09-23 18:13:17 +02005272 return( PSA_SUCCESS );
5273 break;
5274 case PSA_KEY_DERIVATION_INPUT_LABEL:
5275 case PSA_KEY_DERIVATION_INPUT_SALT:
5276 case PSA_KEY_DERIVATION_INPUT_INFO:
5277 case PSA_KEY_DERIVATION_INPUT_SEED:
Gilles Peskineb8965192019-09-24 16:21:10 +02005278 if( key_type == PSA_KEY_TYPE_RAW_DATA )
5279 return( PSA_SUCCESS );
5280 if( key_type == PSA_KEY_TYPE_NONE )
Gilles Peskine224b0d62019-09-23 18:13:17 +02005281 return( PSA_SUCCESS );
5282 break;
5283 }
5284 return( PSA_ERROR_INVALID_ARGUMENT );
5285}
5286
Janos Follathb80a94e2019-06-12 15:54:46 +01005287static psa_status_t psa_key_derivation_input_internal(
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005288 psa_key_derivation_operation_t *operation,
Gilles Peskine6cdfdb72019-01-08 10:31:27 +01005289 psa_key_derivation_step_t step,
Gilles Peskine224b0d62019-09-23 18:13:17 +02005290 psa_key_type_t key_type,
Gilles Peskine6cdfdb72019-01-08 10:31:27 +01005291 const uint8_t *data,
5292 size_t data_length )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005293{
Gilles Peskine46d7faf2019-09-23 19:22:55 +02005294 psa_status_t status;
5295 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
5296
5297 status = psa_key_derivation_check_input_type( step, key_type );
Gilles Peskine224b0d62019-09-23 18:13:17 +02005298 if( status != PSA_SUCCESS )
5299 goto exit;
5300
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005301#if defined(MBEDTLS_MD_C)
Gilles Peskine969c5d62019-01-16 15:53:06 +01005302 if( PSA_ALG_IS_HKDF( kdf_alg ) )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005303 {
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005304 status = psa_hkdf_input( &operation->ctx.hkdf,
Gilles Peskine969c5d62019-01-16 15:53:06 +01005305 PSA_ALG_HKDF_GET_HASH( kdf_alg ),
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005306 step, data, data_length );
5307 }
k-stachowiak012dcc42019-08-13 14:55:03 +02005308 else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005309 {
Janos Follathb03233e2019-06-11 15:30:30 +01005310 status = psa_tls12_prf_input( &operation->ctx.tls12_prf,
5311 PSA_ALG_HKDF_GET_HASH( kdf_alg ),
5312 step, data, data_length );
Janos Follath6660f0e2019-06-17 08:44:03 +01005313 }
5314 else if( PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
5315 {
5316 status = psa_tls12_prf_psk_to_ms_input( &operation->ctx.tls12_prf,
5317 PSA_ALG_HKDF_GET_HASH( kdf_alg ),
5318 step, data, data_length );
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005319 }
5320 else
5321#endif /* MBEDTLS_MD_C */
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005322 {
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005323 /* This can't happen unless the operation object was not initialized */
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005324 return( PSA_ERROR_BAD_STATE );
5325 }
5326
Gilles Peskine224b0d62019-09-23 18:13:17 +02005327exit:
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005328 if( status != PSA_SUCCESS )
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005329 psa_key_derivation_abort( operation );
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005330 return( status );
5331}
5332
Janos Follath51f4a0f2019-06-14 11:35:55 +01005333psa_status_t psa_key_derivation_input_bytes(
5334 psa_key_derivation_operation_t *operation,
5335 psa_key_derivation_step_t step,
5336 const uint8_t *data,
5337 size_t data_length )
Gilles Peskine6cdfdb72019-01-08 10:31:27 +01005338{
Gilles Peskineb8965192019-09-24 16:21:10 +02005339 return( psa_key_derivation_input_internal( operation, step,
5340 PSA_KEY_TYPE_NONE,
Janos Follathc5621512019-06-14 11:27:57 +01005341 data, data_length ) );
Gilles Peskine6cdfdb72019-01-08 10:31:27 +01005342}
5343
Janos Follath51f4a0f2019-06-14 11:35:55 +01005344psa_status_t psa_key_derivation_input_key(
5345 psa_key_derivation_operation_t *operation,
5346 psa_key_derivation_step_t step,
5347 psa_key_handle_t handle )
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005348{
5349 psa_key_slot_t *slot;
5350 psa_status_t status;
Gilles Peskine178c9aa2019-09-24 18:21:06 +02005351
Gilles Peskine28f8f302019-07-24 13:30:31 +02005352 status = psa_get_transparent_key( handle, &slot,
Gilles Peskinef77a6ac2019-07-25 10:51:03 +02005353 PSA_KEY_USAGE_DERIVE,
5354 operation->alg );
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005355 if( status != PSA_SUCCESS )
Gilles Peskine593773d2019-09-23 18:17:40 +02005356 {
5357 psa_key_derivation_abort( operation );
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005358 return( status );
Gilles Peskine593773d2019-09-23 18:17:40 +02005359 }
Gilles Peskine178c9aa2019-09-24 18:21:06 +02005360
5361 /* Passing a key object as a SECRET input unlocks the permission
5362 * to output to a key object. */
5363 if( step == PSA_KEY_DERIVATION_INPUT_SECRET )
5364 operation->can_output_key = 1;
5365
Janos Follathb80a94e2019-06-12 15:54:46 +01005366 return( psa_key_derivation_input_internal( operation,
Gilles Peskine224b0d62019-09-23 18:13:17 +02005367 step, slot->attr.type,
Janos Follathb80a94e2019-06-12 15:54:46 +01005368 slot->data.raw.data,
5369 slot->data.raw.bytes ) );
Gilles Peskineb70a0fd2019-01-07 22:59:38 +01005370}
Gilles Peskineea0fb492018-07-12 17:17:20 +02005371
5372
5373
5374/****************************************************************/
Gilles Peskine01d718c2018-09-18 12:01:02 +02005375/* Key agreement */
5376/****************************************************************/
5377
Gilles Peskinea05219c2018-11-16 16:02:56 +01005378#if defined(MBEDTLS_ECDH_C)
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005379static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key,
5380 size_t peer_key_length,
5381 const mbedtls_ecp_keypair *our_key,
5382 uint8_t *shared_secret,
5383 size_t shared_secret_size,
5384 size_t *shared_secret_length )
5385{
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005386 mbedtls_ecp_keypair *their_key = NULL;
5387 mbedtls_ecdh_context ecdh;
Jaeden Amero97271b32019-01-10 19:38:51 +00005388 psa_status_t status;
Gilles Peskinec7ef5b32019-12-12 16:58:00 +01005389 size_t bits = 0;
5390 psa_ecc_curve_t curve = mbedtls_ecc_group_to_psa( our_key->grp.id, &bits );
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005391 mbedtls_ecdh_init( &ecdh );
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005392
Gilles Peskinec7ef5b32019-12-12 16:58:00 +01005393 status = psa_import_ec_public_key( curve,
5394 peer_key, peer_key_length,
5395 &their_key );
Jaeden Amero97271b32019-01-10 19:38:51 +00005396 if( status != PSA_SUCCESS )
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005397 goto exit;
5398
Jaeden Amero97271b32019-01-10 19:38:51 +00005399 status = mbedtls_to_psa_error(
5400 mbedtls_ecdh_get_params( &ecdh, their_key, MBEDTLS_ECDH_THEIRS ) );
5401 if( status != PSA_SUCCESS )
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005402 goto exit;
Jaeden Amero97271b32019-01-10 19:38:51 +00005403 status = mbedtls_to_psa_error(
5404 mbedtls_ecdh_get_params( &ecdh, our_key, MBEDTLS_ECDH_OURS ) );
5405 if( status != PSA_SUCCESS )
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005406 goto exit;
5407
Jaeden Amero97271b32019-01-10 19:38:51 +00005408 status = mbedtls_to_psa_error(
5409 mbedtls_ecdh_calc_secret( &ecdh,
5410 shared_secret_length,
5411 shared_secret, shared_secret_size,
5412 mbedtls_ctr_drbg_random,
5413 &global_data.ctr_drbg ) );
Gilles Peskinec7ef5b32019-12-12 16:58:00 +01005414 if( status != PSA_SUCCESS )
5415 goto exit;
5416 if( PSA_BITS_TO_BYTES( bits ) != *shared_secret_length )
5417 status = PSA_ERROR_CORRUPTION_DETECTED;
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005418
5419exit:
Gilles Peskine3e819b72019-12-20 14:09:55 +01005420 if( status != PSA_SUCCESS )
5421 mbedtls_platform_zeroize( shared_secret, shared_secret_size );
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005422 mbedtls_ecdh_free( &ecdh );
Jaeden Ameroccdce902019-01-10 11:42:27 +00005423 mbedtls_ecp_keypair_free( their_key );
5424 mbedtls_free( their_key );
Jaeden Amero97271b32019-01-10 19:38:51 +00005425 return( status );
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005426}
Gilles Peskinea05219c2018-11-16 16:02:56 +01005427#endif /* MBEDTLS_ECDH_C */
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005428
Gilles Peskine01d718c2018-09-18 12:01:02 +02005429#define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES
5430
Gilles Peskine0216fe12019-04-11 21:23:21 +02005431static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg,
5432 psa_key_slot_t *private_key,
5433 const uint8_t *peer_key,
5434 size_t peer_key_length,
5435 uint8_t *shared_secret,
5436 size_t shared_secret_size,
5437 size_t *shared_secret_length )
Gilles Peskine01d718c2018-09-18 12:01:02 +02005438{
Gilles Peskine0216fe12019-04-11 21:23:21 +02005439 switch( alg )
Gilles Peskine01d718c2018-09-18 12:01:02 +02005440 {
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005441#if defined(MBEDTLS_ECDH_C)
Gilles Peskine0216fe12019-04-11 21:23:21 +02005442 case PSA_ALG_ECDH:
Gilles Peskine8e338702019-07-30 20:06:31 +02005443 if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) )
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005444 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine0216fe12019-04-11 21:23:21 +02005445 return( psa_key_agreement_ecdh( peer_key, peer_key_length,
5446 private_key->data.ecp,
5447 shared_secret, shared_secret_size,
5448 shared_secret_length ) );
Gilles Peskineb7ecdf02018-09-18 12:11:27 +02005449#endif /* MBEDTLS_ECDH_C */
Gilles Peskine01d718c2018-09-18 12:01:02 +02005450 default:
Gilles Peskine93f85002018-11-16 16:43:31 +01005451 (void) private_key;
5452 (void) peer_key;
5453 (void) peer_key_length;
Gilles Peskine0216fe12019-04-11 21:23:21 +02005454 (void) shared_secret;
5455 (void) shared_secret_size;
5456 (void) shared_secret_length;
Gilles Peskine01d718c2018-09-18 12:01:02 +02005457 return( PSA_ERROR_NOT_SUPPORTED );
5458 }
Gilles Peskine0216fe12019-04-11 21:23:21 +02005459}
5460
Gilles Peskinea99d3fb2019-05-16 15:28:51 +02005461/* Note that if this function fails, you must call psa_key_derivation_abort()
Gilles Peskine01d718c2018-09-18 12:01:02 +02005462 * to potentially free embedded data structures and wipe confidential data.
5463 */
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005464static psa_status_t psa_key_agreement_internal( psa_key_derivation_operation_t *operation,
Gilles Peskine969c5d62019-01-16 15:53:06 +01005465 psa_key_derivation_step_t step,
Gilles Peskine01d718c2018-09-18 12:01:02 +02005466 psa_key_slot_t *private_key,
5467 const uint8_t *peer_key,
Gilles Peskine969c5d62019-01-16 15:53:06 +01005468 size_t peer_key_length )
Gilles Peskine01d718c2018-09-18 12:01:02 +02005469{
5470 psa_status_t status;
5471 uint8_t shared_secret[PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE];
5472 size_t shared_secret_length = 0;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005473 psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE( operation->alg );
Gilles Peskine01d718c2018-09-18 12:01:02 +02005474
5475 /* Step 1: run the secret agreement algorithm to generate the shared
5476 * secret. */
Gilles Peskine0216fe12019-04-11 21:23:21 +02005477 status = psa_key_agreement_raw_internal( ka_alg,
5478 private_key,
5479 peer_key, peer_key_length,
itayzafrir0adf0fc2018-09-06 16:24:41 +03005480 shared_secret,
5481 sizeof( shared_secret ),
Gilles Peskine05d69892018-06-19 22:00:52 +02005482 &shared_secret_length );
Gilles Peskine53d991e2018-07-12 01:14:59 +02005483 if( status != PSA_SUCCESS )
Gilles Peskine12313cd2018-06-20 00:20:32 +02005484 goto exit;
5485
Gilles Peskineb0b255c2018-07-06 17:01:38 +02005486 /* Step 2: set up the key derivation to generate key material from
Gilles Peskine224b0d62019-09-23 18:13:17 +02005487 * the shared secret. A shared secret is permitted wherever a key
5488 * of type DERIVE is permitted. */
Janos Follathb80a94e2019-06-12 15:54:46 +01005489 status = psa_key_derivation_input_internal( operation, step,
Gilles Peskine224b0d62019-09-23 18:13:17 +02005490 PSA_KEY_TYPE_DERIVE,
Janos Follathb80a94e2019-06-12 15:54:46 +01005491 shared_secret,
5492 shared_secret_length );
Gilles Peskine969c5d62019-01-16 15:53:06 +01005493
Gilles Peskine12313cd2018-06-20 00:20:32 +02005494exit:
Gilles Peskine3f108122018-12-07 18:14:53 +01005495 mbedtls_platform_zeroize( shared_secret, shared_secret_length );
Gilles Peskine12313cd2018-06-20 00:20:32 +02005496 return( status );
5497}
5498
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005499psa_status_t psa_key_derivation_key_agreement( psa_key_derivation_operation_t *operation,
Gilles Peskinecf7292e2019-05-16 17:53:40 +02005500 psa_key_derivation_step_t step,
5501 psa_key_handle_t private_key,
5502 const uint8_t *peer_key,
5503 size_t peer_key_length )
Gilles Peskine12313cd2018-06-20 00:20:32 +02005504{
Gilles Peskine2f060a82018-12-04 17:12:32 +01005505 psa_key_slot_t *slot;
Gilles Peskine08542d82018-07-19 17:05:42 +02005506 psa_status_t status;
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005507 if( ! PSA_ALG_IS_KEY_AGREEMENT( operation->alg ) )
Gilles Peskine12313cd2018-06-20 00:20:32 +02005508 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine28f8f302019-07-24 13:30:31 +02005509 status = psa_get_transparent_key( private_key, &slot,
Gilles Peskinef77a6ac2019-07-25 10:51:03 +02005510 PSA_KEY_USAGE_DERIVE, operation->alg );
Gilles Peskine12313cd2018-06-20 00:20:32 +02005511 if( status != PSA_SUCCESS )
5512 return( status );
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005513 status = psa_key_agreement_internal( operation, step,
Gilles Peskine346797d2018-11-16 16:05:06 +01005514 slot,
Gilles Peskine969c5d62019-01-16 15:53:06 +01005515 peer_key, peer_key_length );
Gilles Peskine346797d2018-11-16 16:05:06 +01005516 if( status != PSA_SUCCESS )
Gilles Peskine51ae0e42019-05-16 17:31:03 +02005517 psa_key_derivation_abort( operation );
Gilles Peskine346797d2018-11-16 16:05:06 +01005518 return( status );
Gilles Peskineaf3baab2018-06-27 22:55:52 +02005519}
5520
Gilles Peskinebe697d82019-05-16 18:00:41 +02005521psa_status_t psa_raw_key_agreement( psa_algorithm_t alg,
5522 psa_key_handle_t private_key,
5523 const uint8_t *peer_key,
5524 size_t peer_key_length,
5525 uint8_t *output,
5526 size_t output_size,
5527 size_t *output_length )
Gilles Peskine0216fe12019-04-11 21:23:21 +02005528{
5529 psa_key_slot_t *slot;
5530 psa_status_t status;
5531
5532 if( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) )
5533 {
5534 status = PSA_ERROR_INVALID_ARGUMENT;
5535 goto exit;
5536 }
Gilles Peskine28f8f302019-07-24 13:30:31 +02005537 status = psa_get_transparent_key( private_key, &slot,
Gilles Peskinef77a6ac2019-07-25 10:51:03 +02005538 PSA_KEY_USAGE_DERIVE, alg );
Gilles Peskine0216fe12019-04-11 21:23:21 +02005539 if( status != PSA_SUCCESS )
5540 goto exit;
5541
5542 status = psa_key_agreement_raw_internal( alg, slot,
5543 peer_key, peer_key_length,
5544 output, output_size,
5545 output_length );
5546
5547exit:
5548 if( status != PSA_SUCCESS )
5549 {
5550 /* If an error happens and is not handled properly, the output
5551 * may be used as a key to protect sensitive data. Arrange for such
5552 * a key to be random, which is likely to result in decryption or
5553 * verification errors. This is better than filling the buffer with
5554 * some constant data such as zeros, which would result in the data
5555 * being protected with a reproducible, easily knowable key.
5556 */
5557 psa_generate_random( output, output_size );
5558 *output_length = output_size;
5559 }
5560 return( status );
5561}
Gilles Peskine86a440b2018-11-12 18:39:40 +01005562
5563
5564/****************************************************************/
5565/* Random generation */
Gilles Peskine53d991e2018-07-12 01:14:59 +02005566/****************************************************************/
Gilles Peskine12313cd2018-06-20 00:20:32 +02005567
Gilles Peskine4c317f42018-07-12 01:24:09 +02005568psa_status_t psa_generate_random( uint8_t *output,
Gilles Peskine53d991e2018-07-12 01:14:59 +02005569 size_t output_size )
Gilles Peskine12313cd2018-06-20 00:20:32 +02005570{
Janos Follath24eed8d2019-11-22 13:21:35 +00005571 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinee59236f2018-01-27 23:32:46 +01005572 GUARD_MODULE_INITIALIZED;
5573
Gilles Peskinef181eca2019-08-07 13:49:00 +02005574 while( output_size > MBEDTLS_CTR_DRBG_MAX_REQUEST )
5575 {
5576 ret = mbedtls_ctr_drbg_random( &global_data.ctr_drbg,
5577 output,
5578 MBEDTLS_CTR_DRBG_MAX_REQUEST );
5579 if( ret != 0 )
5580 return( mbedtls_to_psa_error( ret ) );
5581 output += MBEDTLS_CTR_DRBG_MAX_REQUEST;
5582 output_size -= MBEDTLS_CTR_DRBG_MAX_REQUEST;
5583 }
5584
Gilles Peskinee59236f2018-01-27 23:32:46 +01005585 ret = mbedtls_ctr_drbg_random( &global_data.ctr_drbg, output, output_size );
5586 return( mbedtls_to_psa_error( ret ) );
5587}
5588
Gilles Peskinee3dbdd82019-02-25 11:04:06 +01005589#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
5590#include "mbedtls/entropy_poll.h"
5591
Gilles Peskine7228da22019-07-15 11:06:15 +02005592psa_status_t mbedtls_psa_inject_entropy( const uint8_t *seed,
Netanel Gonen2bcd3122018-11-19 11:53:02 +02005593 size_t seed_size )
5594{
Netanel Gonen2bcd3122018-11-19 11:53:02 +02005595 if( global_data.initialized )
5596 return( PSA_ERROR_NOT_PERMITTED );
Netanel Gonen21f37cb2018-11-19 11:53:55 +02005597
5598 if( ( ( seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM ) ||
5599 ( seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE ) ) ||
5600 ( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) )
5601 return( PSA_ERROR_INVALID_ARGUMENT );
5602
Gilles Peskinee3dbdd82019-02-25 11:04:06 +01005603 return( mbedtls_psa_storage_inject_entropy( seed, seed_size ) );
Netanel Gonen2bcd3122018-11-19 11:53:02 +02005604}
Gilles Peskinee3dbdd82019-02-25 11:04:06 +01005605#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
Netanel Gonen2bcd3122018-11-19 11:53:02 +02005606
Gilles Peskinee56e8782019-04-26 17:34:02 +02005607#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
5608static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters,
5609 size_t domain_parameters_size,
5610 int *exponent )
Gilles Peskinee59236f2018-01-27 23:32:46 +01005611{
Gilles Peskinee56e8782019-04-26 17:34:02 +02005612 size_t i;
5613 uint32_t acc = 0;
Gilles Peskinee59236f2018-01-27 23:32:46 +01005614
Gilles Peskinee56e8782019-04-26 17:34:02 +02005615 if( domain_parameters_size == 0 )
5616 {
5617 *exponent = 65537;
5618 return( PSA_SUCCESS );
5619 }
5620
5621 /* Mbed TLS encodes the public exponent as an int. For simplicity, only
5622 * support values that fit in a 32-bit integer, which is larger than
5623 * int on just about every platform anyway. */
5624 if( domain_parameters_size > sizeof( acc ) )
5625 return( PSA_ERROR_NOT_SUPPORTED );
5626 for( i = 0; i < domain_parameters_size; i++ )
5627 acc = ( acc << 8 ) | domain_parameters[i];
5628 if( acc > INT_MAX )
5629 return( PSA_ERROR_NOT_SUPPORTED );
5630 *exponent = acc;
5631 return( PSA_SUCCESS );
5632}
5633#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
5634
Gilles Peskine35ef36b2019-05-16 19:42:05 +02005635static psa_status_t psa_generate_key_internal(
Gilles Peskinee56e8782019-04-26 17:34:02 +02005636 psa_key_slot_t *slot, size_t bits,
5637 const uint8_t *domain_parameters, size_t domain_parameters_size )
Gilles Peskinee59236f2018-01-27 23:32:46 +01005638{
Gilles Peskine8e338702019-07-30 20:06:31 +02005639 psa_key_type_t type = slot->attr.type;
Gilles Peskinee59236f2018-01-27 23:32:46 +01005640
Gilles Peskinee56e8782019-04-26 17:34:02 +02005641 if( domain_parameters == NULL && domain_parameters_size != 0 )
Gilles Peskinee59236f2018-01-27 23:32:46 +01005642 return( PSA_ERROR_INVALID_ARGUMENT );
5643
Gilles Peskinee59236f2018-01-27 23:32:46 +01005644 if( key_type_is_raw_bytes( type ) )
5645 {
Gilles Peskineff5f0e72019-04-18 12:53:30 +02005646 psa_status_t status;
Gilles Peskinee59236f2018-01-27 23:32:46 +01005647 status = prepare_raw_data_slot( type, bits, &slot->data.raw );
5648 if( status != PSA_SUCCESS )
5649 return( status );
5650 status = psa_generate_random( slot->data.raw.data,
5651 slot->data.raw.bytes );
5652 if( status != PSA_SUCCESS )
Gilles Peskinee59236f2018-01-27 23:32:46 +01005653 return( status );
Gilles Peskinee59236f2018-01-27 23:32:46 +01005654#if defined(MBEDTLS_DES_C)
5655 if( type == PSA_KEY_TYPE_DES )
5656 psa_des_set_key_parity( slot->data.raw.data,
5657 slot->data.raw.bytes );
5658#endif /* MBEDTLS_DES_C */
5659 }
5660 else
5661
5662#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
Gilles Peskinec93b80c2019-05-16 19:39:54 +02005663 if ( type == PSA_KEY_TYPE_RSA_KEY_PAIR )
Gilles Peskinee59236f2018-01-27 23:32:46 +01005664 {
5665 mbedtls_rsa_context *rsa;
Janos Follath24eed8d2019-11-22 13:21:35 +00005666 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinee56e8782019-04-26 17:34:02 +02005667 int exponent;
5668 psa_status_t status;
Gilles Peskinee59236f2018-01-27 23:32:46 +01005669 if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS )
5670 return( PSA_ERROR_NOT_SUPPORTED );
5671 /* Accept only byte-aligned keys, for the same reasons as
5672 * in psa_import_rsa_key(). */
5673 if( bits % 8 != 0 )
5674 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskinee56e8782019-04-26 17:34:02 +02005675 status = psa_read_rsa_exponent( domain_parameters,
5676 domain_parameters_size,
5677 &exponent );
5678 if( status != PSA_SUCCESS )
5679 return( status );
Gilles Peskinee59236f2018-01-27 23:32:46 +01005680 rsa = mbedtls_calloc( 1, sizeof( *rsa ) );
5681 if( rsa == NULL )
5682 return( PSA_ERROR_INSUFFICIENT_MEMORY );
5683 mbedtls_rsa_init( rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE );
5684 ret = mbedtls_rsa_gen_key( rsa,
5685 mbedtls_ctr_drbg_random,
5686 &global_data.ctr_drbg,
5687 (unsigned int) bits,
5688 exponent );
5689 if( ret != 0 )
5690 {
5691 mbedtls_rsa_free( rsa );
5692 mbedtls_free( rsa );
5693 return( mbedtls_to_psa_error( ret ) );
5694 }
5695 slot->data.rsa = rsa;
5696 }
5697 else
5698#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
5699
5700#if defined(MBEDTLS_ECP_C)
Gilles Peskinec93b80c2019-05-16 19:39:54 +02005701 if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
Gilles Peskinee59236f2018-01-27 23:32:46 +01005702 {
5703 psa_ecc_curve_t curve = PSA_KEY_TYPE_GET_CURVE( type );
Gilles Peskine4295e8b2019-12-02 21:39:10 +01005704 mbedtls_ecp_group_id grp_id =
5705 mbedtls_ecc_group_of_psa( curve, PSA_BITS_TO_BYTES( bits ) );
Gilles Peskinee59236f2018-01-27 23:32:46 +01005706 const mbedtls_ecp_curve_info *curve_info =
5707 mbedtls_ecp_curve_info_from_grp_id( grp_id );
5708 mbedtls_ecp_keypair *ecp;
Janos Follath24eed8d2019-11-22 13:21:35 +00005709 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskinee56e8782019-04-26 17:34:02 +02005710 if( domain_parameters_size != 0 )
Gilles Peskinee59236f2018-01-27 23:32:46 +01005711 return( PSA_ERROR_NOT_SUPPORTED );
5712 if( grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL )
5713 return( PSA_ERROR_NOT_SUPPORTED );
5714 if( curve_info->bit_size != bits )
5715 return( PSA_ERROR_INVALID_ARGUMENT );
5716 ecp = mbedtls_calloc( 1, sizeof( *ecp ) );
5717 if( ecp == NULL )
5718 return( PSA_ERROR_INSUFFICIENT_MEMORY );
5719 mbedtls_ecp_keypair_init( ecp );
5720 ret = mbedtls_ecp_gen_key( grp_id, ecp,
5721 mbedtls_ctr_drbg_random,
5722 &global_data.ctr_drbg );
5723 if( ret != 0 )
5724 {
5725 mbedtls_ecp_keypair_free( ecp );
5726 mbedtls_free( ecp );
5727 return( mbedtls_to_psa_error( ret ) );
5728 }
5729 slot->data.ecp = ecp;
5730 }
5731 else
5732#endif /* MBEDTLS_ECP_C */
5733
5734 return( PSA_ERROR_NOT_SUPPORTED );
5735
Gilles Peskineff5f0e72019-04-18 12:53:30 +02005736 return( PSA_SUCCESS );
5737}
Darryl Green0c6575a2018-11-07 16:05:30 +00005738
Gilles Peskine35ef36b2019-05-16 19:42:05 +02005739psa_status_t psa_generate_key( const psa_key_attributes_t *attributes,
Gilles Peskinee56e8782019-04-26 17:34:02 +02005740 psa_key_handle_t *handle )
Gilles Peskineff5f0e72019-04-18 12:53:30 +02005741{
5742 psa_status_t status;
5743 psa_key_slot_t *slot = NULL;
Gilles Peskine8abe6a22019-07-12 23:40:35 +02005744 psa_se_drv_table_entry_t *driver = NULL;
Gilles Peskine11792082019-08-06 18:36:36 +02005745
Gilles Peskine0f84d622019-09-12 19:03:13 +02005746 /* Reject any attempt to create a zero-length key so that we don't
5747 * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
5748 if( psa_get_key_bits( attributes ) == 0 )
5749 return( PSA_ERROR_INVALID_ARGUMENT );
5750
Gilles Peskinedf179142019-07-15 22:02:14 +02005751 status = psa_start_key_creation( PSA_KEY_CREATION_GENERATE,
5752 attributes, handle, &slot, &driver );
Gilles Peskine11792082019-08-06 18:36:36 +02005753 if( status != PSA_SUCCESS )
5754 goto exit;
5755
Gilles Peskinef4ee6622019-07-24 13:44:30 +02005756#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
5757 if( driver != NULL )
Darryl Green0c6575a2018-11-07 16:05:30 +00005758 {
Gilles Peskine11792082019-08-06 18:36:36 +02005759 const psa_drv_se_t *drv = psa_get_se_driver_methods( driver );
5760 size_t pubkey_length = 0; /* We don't support this feature yet */
5761 if( drv->key_management == NULL ||
5762 drv->key_management->p_generate == NULL )
5763 {
5764 status = PSA_ERROR_NOT_SUPPORTED;
5765 goto exit;
5766 }
5767 status = drv->key_management->p_generate(
5768 psa_get_se_driver_context( driver ),
5769 slot->data.se.slot_number, attributes,
5770 NULL, 0, &pubkey_length );
Darryl Green0c6575a2018-11-07 16:05:30 +00005771 }
Gilles Peskine11792082019-08-06 18:36:36 +02005772 else
Gilles Peskinef4ee6622019-07-24 13:44:30 +02005773#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskineff5f0e72019-04-18 12:53:30 +02005774 {
Gilles Peskine35ef36b2019-05-16 19:42:05 +02005775 status = psa_generate_key_internal(
Gilles Peskine7e0cff92019-07-30 13:48:52 +02005776 slot, attributes->core.bits,
Gilles Peskinee56e8782019-04-26 17:34:02 +02005777 attributes->domain_parameters, attributes->domain_parameters_size );
Gilles Peskineff5f0e72019-04-18 12:53:30 +02005778 }
Gilles Peskine11792082019-08-06 18:36:36 +02005779
5780exit:
Gilles Peskineff5f0e72019-04-18 12:53:30 +02005781 if( status == PSA_SUCCESS )
Gilles Peskine011e4282019-06-26 18:34:38 +02005782 status = psa_finish_key_creation( slot, driver );
Gilles Peskineff5f0e72019-04-18 12:53:30 +02005783 if( status != PSA_SUCCESS )
5784 {
Gilles Peskine011e4282019-06-26 18:34:38 +02005785 psa_fail_key_creation( slot, driver );
Gilles Peskineff5f0e72019-04-18 12:53:30 +02005786 *handle = 0;
5787 }
Darryl Green0c6575a2018-11-07 16:05:30 +00005788 return( status );
Gilles Peskinee59236f2018-01-27 23:32:46 +01005789}
5790
5791
Gilles Peskinee59236f2018-01-27 23:32:46 +01005792
5793/****************************************************************/
5794/* Module setup */
5795/****************************************************************/
5796
Gilles Peskine5e769522018-11-20 21:59:56 +01005797psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
5798 void (* entropy_init )( mbedtls_entropy_context *ctx ),
5799 void (* entropy_free )( mbedtls_entropy_context *ctx ) )
5800{
5801 if( global_data.rng_state != RNG_NOT_INITIALIZED )
5802 return( PSA_ERROR_BAD_STATE );
5803 global_data.entropy_init = entropy_init;
5804 global_data.entropy_free = entropy_free;
5805 return( PSA_SUCCESS );
5806}
5807
Gilles Peskinee59236f2018-01-27 23:32:46 +01005808void mbedtls_psa_crypto_free( void )
5809{
Gilles Peskine66fb1262018-12-10 16:29:04 +01005810 psa_wipe_all_key_slots( );
Gilles Peskinec6b69072018-11-20 21:42:52 +01005811 if( global_data.rng_state != RNG_NOT_INITIALIZED )
5812 {
5813 mbedtls_ctr_drbg_free( &global_data.ctr_drbg );
Gilles Peskine5e769522018-11-20 21:59:56 +01005814 global_data.entropy_free( &global_data.entropy );
Gilles Peskinec6b69072018-11-20 21:42:52 +01005815 }
5816 /* Wipe all remaining data, including configuration.
5817 * In particular, this sets all state indicator to the value
5818 * indicating "uninitialized". */
Gilles Peskine3f108122018-12-07 18:14:53 +01005819 mbedtls_platform_zeroize( &global_data, sizeof( global_data ) );
Gilles Peskinea8ade162019-06-26 11:24:49 +02005820#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
Gilles Peskined0890212019-06-24 14:34:43 +02005821 /* Unregister all secure element drivers, so that we restart from
5822 * a pristine state. */
5823 psa_unregister_all_se_drivers( );
Gilles Peskinea8ade162019-06-26 11:24:49 +02005824#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
Gilles Peskinee59236f2018-01-27 23:32:46 +01005825}
5826
Gilles Peskinef9bb29e2019-07-25 17:52:59 +02005827#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
5828/** Recover a transaction that was interrupted by a power failure.
5829 *
5830 * This function is called during initialization, before psa_crypto_init()
5831 * returns. If this function returns a failure status, the initialization
5832 * fails.
5833 */
5834static psa_status_t psa_crypto_recover_transaction(
5835 const psa_crypto_transaction_t *transaction )
5836{
5837 switch( transaction->unknown.type )
5838 {
5839 case PSA_CRYPTO_TRANSACTION_CREATE_KEY:
5840 case PSA_CRYPTO_TRANSACTION_DESTROY_KEY:
Janos Follath1d57a202019-08-13 12:15:34 +01005841 /* TODO - fall through to the failure case until this
Gilles Peskinec9d7f942019-08-13 16:17:16 +02005842 * is implemented.
5843 * https://github.com/ARMmbed/mbed-crypto/issues/218
5844 */
Gilles Peskinef9bb29e2019-07-25 17:52:59 +02005845 default:
5846 /* We found an unsupported transaction in the storage.
5847 * We don't know what state the storage is in. Give up. */
5848 return( PSA_ERROR_STORAGE_FAILURE );
5849 }
5850}
5851#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
5852
Gilles Peskinee59236f2018-01-27 23:32:46 +01005853psa_status_t psa_crypto_init( void )
5854{
Gilles Peskine66fb1262018-12-10 16:29:04 +01005855 psa_status_t status;
Gilles Peskinee59236f2018-01-27 23:32:46 +01005856 const unsigned char drbg_seed[] = "PSA";
5857
Gilles Peskinec6b69072018-11-20 21:42:52 +01005858 /* Double initialization is explicitly allowed. */
Gilles Peskinee59236f2018-01-27 23:32:46 +01005859 if( global_data.initialized != 0 )
5860 return( PSA_SUCCESS );
5861
Gilles Peskine5e769522018-11-20 21:59:56 +01005862 /* Set default configuration if
5863 * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */
5864 if( global_data.entropy_init == NULL )
5865 global_data.entropy_init = mbedtls_entropy_init;
5866 if( global_data.entropy_free == NULL )
5867 global_data.entropy_free = mbedtls_entropy_free;
Gilles Peskinee59236f2018-01-27 23:32:46 +01005868
Gilles Peskinec6b69072018-11-20 21:42:52 +01005869 /* Initialize the random generator. */
Gilles Peskine5e769522018-11-20 21:59:56 +01005870 global_data.entropy_init( &global_data.entropy );
Jaeden Amero76541612019-06-04 17:14:43 +01005871#if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \
5872 defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
5873 /* The PSA entropy injection feature depends on using NV seed as an entropy
5874 * source. Add NV seed as an entropy source for PSA entropy injection. */
5875 mbedtls_entropy_add_source( &global_data.entropy,
5876 mbedtls_nv_seed_poll, NULL,
5877 MBEDTLS_ENTROPY_BLOCK_SIZE,
5878 MBEDTLS_ENTROPY_SOURCE_STRONG );
5879#endif
Gilles Peskinee59236f2018-01-27 23:32:46 +01005880 mbedtls_ctr_drbg_init( &global_data.ctr_drbg );
Gilles Peskinec6b69072018-11-20 21:42:52 +01005881 global_data.rng_state = RNG_INITIALIZED;
Gilles Peskine66fb1262018-12-10 16:29:04 +01005882 status = mbedtls_to_psa_error(
5883 mbedtls_ctr_drbg_seed( &global_data.ctr_drbg,
5884 mbedtls_entropy_func,
5885 &global_data.entropy,
5886 drbg_seed, sizeof( drbg_seed ) - 1 ) );
5887 if( status != PSA_SUCCESS )
Gilles Peskinee59236f2018-01-27 23:32:46 +01005888 goto exit;
Gilles Peskinec6b69072018-11-20 21:42:52 +01005889 global_data.rng_state = RNG_SEEDED;
Gilles Peskinee59236f2018-01-27 23:32:46 +01005890
Gilles Peskine66fb1262018-12-10 16:29:04 +01005891 status = psa_initialize_key_slots( );
5892 if( status != PSA_SUCCESS )
5893 goto exit;
Gilles Peskinec6b69072018-11-20 21:42:52 +01005894
Gilles Peskined9348f22019-10-01 15:22:29 +02005895#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
5896 status = psa_init_all_se_drivers( );
5897 if( status != PSA_SUCCESS )
5898 goto exit;
5899#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
5900
Gilles Peskine4b734222019-07-24 15:56:31 +02005901#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
Gilles Peskinefc762652019-07-22 19:30:34 +02005902 status = psa_crypto_load_transaction( );
5903 if( status == PSA_SUCCESS )
5904 {
Gilles Peskinef9bb29e2019-07-25 17:52:59 +02005905 status = psa_crypto_recover_transaction( &psa_crypto_transaction );
5906 if( status != PSA_SUCCESS )
5907 goto exit;
5908 status = psa_crypto_stop_transaction( );
Gilles Peskinefc762652019-07-22 19:30:34 +02005909 }
5910 else if( status == PSA_ERROR_DOES_NOT_EXIST )
5911 {
5912 /* There's no transaction to complete. It's all good. */
5913 status = PSA_SUCCESS;
5914 }
Gilles Peskine4b734222019-07-24 15:56:31 +02005915#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
Gilles Peskinefc762652019-07-22 19:30:34 +02005916
Gilles Peskinec6b69072018-11-20 21:42:52 +01005917 /* All done. */
Gilles Peskinee59236f2018-01-27 23:32:46 +01005918 global_data.initialized = 1;
5919
5920exit:
Gilles Peskine66fb1262018-12-10 16:29:04 +01005921 if( status != PSA_SUCCESS )
Gilles Peskinee59236f2018-01-27 23:32:46 +01005922 mbedtls_psa_crypto_free( );
Gilles Peskine66fb1262018-12-10 16:29:04 +01005923 return( status );
Gilles Peskinee59236f2018-01-27 23:32:46 +01005924}
5925
5926#endif /* MBEDTLS_PSA_CRYPTO_C */