TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 40225ba70961d8e2e6260a563c1bc7c2290566be / . / library / psa_crypto.c
blob: c205e12f617f14595878bbd68ab94c9683c9df87 [file] [log] [blame]
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1/*
2 * PSA crypto layer on top of Mbed TLS crypto
3 */
4/* Copyright (C) 2018, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_PSA_CRYPTO_C)
Mohammad Abo Mokha5c7b7d2018-07-04 15:57:00 +0300[diff] [blame]29/*
30 * In case MBEDTLS_PSA_CRYPTO_SPM is defined the code is built for SPM (Secure
31 * Partition Manager) integration which separate the code into two parts
32 * NSPE (Non-Secure Process Environment) and SPE (Secure Process Environment).
33 * In this mode an additional header file should be included.
34 */
mohammad160327010052018-07-03 13:16:15 +0300[diff] [blame]35#if defined(MBEDTLS_PSA_CRYPTO_SPM)
Mohammad Abo Mokha5c7b7d2018-07-04 15:57:00 +0300[diff] [blame]36/*
37 * PSA_CRYPTO_SECURE means that this file is compiled to the SPE side.
38 * some headers will be affected by this flag.
39 */
mohammad160327010052018-07-03 13:16:15 +0300[diff] [blame]40#define PSA_CRYPTO_SECURE 1
41#include "crypto_spe.h"
42#endif
43
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]44#include "psa/crypto.h"
45
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]46#include <stdlib.h>
47#include <string.h>
48#if defined(MBEDTLS_PLATFORM_C)
49#include "mbedtls/platform.h"
50#else
51#define mbedtls_calloc calloc
52#define mbedtls_free free
53#endif
54
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]55#include "mbedtls/arc4.h"
Gilles Peskine9a944802018-06-21 09:35:35 +0200[diff] [blame]56#include "mbedtls/asn1.h"
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]57#include "mbedtls/bignum.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]58#include "mbedtls/blowfish.h"
59#include "mbedtls/camellia.h"
60#include "mbedtls/cipher.h"
61#include "mbedtls/ccm.h"
62#include "mbedtls/cmac.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]63#include "mbedtls/ctr_drbg.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]64#include "mbedtls/des.h"
Gilles Peskineb7ecdf02018-09-18 12:11:27 +0200[diff] [blame]65#include "mbedtls/ecdh.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]66#include "mbedtls/ecp.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]67#include "mbedtls/entropy.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]68#include "mbedtls/error.h"
69#include "mbedtls/gcm.h"
70#include "mbedtls/md2.h"
71#include "mbedtls/md4.h"
72#include "mbedtls/md5.h"
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]73#include "mbedtls/md.h"
74#include "mbedtls/md_internal.h"
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]75#include "mbedtls/pk.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]76#include "mbedtls/pk_internal.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]77#include "mbedtls/ripemd160.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]78#include "mbedtls/rsa.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]79#include "mbedtls/sha1.h"
80#include "mbedtls/sha256.h"
81#include "mbedtls/sha512.h"
82#include "mbedtls/xtea.h"
83
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]84
85
Gilles Peskine996deb12018-08-01 15:45:45 +0200[diff] [blame]86#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
87
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]88/* Implementation that should never be optimized out by the compiler */
89static void mbedtls_zeroize( void *v, size_t n )
90{
91 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
92}
93
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]94/* constant-time buffer comparison */
95static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n )
96{
97 size_t i;
98 unsigned char diff = 0;
99
100 for( i = 0; i < n; i++ )
101 diff |= a[i] ^ b[i];
102
103 return( diff );
104}
105
106
107
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]108/****************************************************************/
109/* Global data, support functions and library management */
110/****************************************************************/
111
112/* Number of key slots (plus one because 0 is not used).
113 * The value is a compile-time constant for now, for simplicity. */
Gilles Peskine828ed142018-06-18 23:25:51 +0200[diff] [blame]114#define PSA_KEY_SLOT_COUNT 32
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]115
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]116typedef struct
117{
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]118 psa_key_type_t type;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]119 psa_key_policy_t policy;
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]120 psa_key_lifetime_t lifetime;
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]121 union
122 {
123 struct raw_data
124 {
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]125 uint8_t *data;
126 size_t bytes;
127 } raw;
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]128#if defined(MBEDTLS_RSA_C)
129 mbedtls_rsa_context *rsa;
130#endif /* MBEDTLS_RSA_C */
131#if defined(MBEDTLS_ECP_C)
132 mbedtls_ecp_keypair *ecp;
133#endif /* MBEDTLS_ECP_C */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]134 } data;
135} key_slot_t;
136
Gilles Peskine48c0ea12018-06-21 14:15:31 +0200[diff] [blame]137static int key_type_is_raw_bytes( psa_key_type_t type )
138{
Gilles Peskine78b3bb62018-08-10 16:03:41 +0200[diff] [blame]139 return( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) );
Gilles Peskine48c0ea12018-06-21 14:15:31 +0200[diff] [blame]140}
141
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]142typedef struct
143{
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]144 int initialized;
145 mbedtls_entropy_context entropy;
146 mbedtls_ctr_drbg_context ctr_drbg;
Gilles Peskine828ed142018-06-18 23:25:51 +0200[diff] [blame]147 key_slot_t key_slots[PSA_KEY_SLOT_COUNT];
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]148} psa_global_data_t;
149
150static psa_global_data_t global_data;
151
itayzafrir0adf0fc2018-09-06 16:24:41 +0300[diff] [blame]152#define GUARD_MODULE_INITIALIZED \
153 if( global_data.initialized == 0 ) \
154 return( PSA_ERROR_BAD_STATE );
155
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]156static psa_status_t mbedtls_to_psa_error( int ret )
157{
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]158 /* If there's both a high-level code and low-level code, dispatch on
159 * the high-level code. */
160 switch( ret < -0x7f ? - ( -ret & 0x7f80 ) : ret )
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]161 {
162 case 0:
163 return( PSA_SUCCESS );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]164
165 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
166 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
167 case MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE:
168 return( PSA_ERROR_NOT_SUPPORTED );
169 case MBEDTLS_ERR_AES_HW_ACCEL_FAILED:
170 return( PSA_ERROR_HARDWARE_FAILURE );
171
172 case MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED:
173 return( PSA_ERROR_HARDWARE_FAILURE );
174
Gilles Peskine9a944802018-06-21 09:35:35 +0200[diff] [blame]175 case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
176 case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
177 case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
178 case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH:
179 case MBEDTLS_ERR_ASN1_INVALID_DATA:
180 return( PSA_ERROR_INVALID_ARGUMENT );
181 case MBEDTLS_ERR_ASN1_ALLOC_FAILED:
182 return( PSA_ERROR_INSUFFICIENT_MEMORY );
183 case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
184 return( PSA_ERROR_BUFFER_TOO_SMALL );
185
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]186 case MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH:
187 case MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH:
188 return( PSA_ERROR_NOT_SUPPORTED );
189 case MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED:
190 return( PSA_ERROR_HARDWARE_FAILURE );
191
192 case MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH:
193 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
194 return( PSA_ERROR_NOT_SUPPORTED );
195 case MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED:
196 return( PSA_ERROR_HARDWARE_FAILURE );
197
198 case MBEDTLS_ERR_CCM_BAD_INPUT:
199 return( PSA_ERROR_INVALID_ARGUMENT );
200 case MBEDTLS_ERR_CCM_AUTH_FAILED:
201 return( PSA_ERROR_INVALID_SIGNATURE );
202 case MBEDTLS_ERR_CCM_HW_ACCEL_FAILED:
203 return( PSA_ERROR_HARDWARE_FAILURE );
204
205 case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
206 return( PSA_ERROR_NOT_SUPPORTED );
207 case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
208 return( PSA_ERROR_INVALID_ARGUMENT );
209 case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
210 return( PSA_ERROR_INSUFFICIENT_MEMORY );
211 case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
212 return( PSA_ERROR_INVALID_PADDING );
213 case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
214 return( PSA_ERROR_BAD_STATE );
215 case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
216 return( PSA_ERROR_INVALID_SIGNATURE );
217 case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
218 return( PSA_ERROR_TAMPERING_DETECTED );
219 case MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED:
220 return( PSA_ERROR_HARDWARE_FAILURE );
221
222 case MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED:
223 return( PSA_ERROR_HARDWARE_FAILURE );
224
225 case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
226 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
227 case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
228 case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
229 return( PSA_ERROR_NOT_SUPPORTED );
230 case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
231 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
232
233 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
234 return( PSA_ERROR_NOT_SUPPORTED );
235 case MBEDTLS_ERR_DES_HW_ACCEL_FAILED:
236 return( PSA_ERROR_HARDWARE_FAILURE );
237
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]238 case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
239 case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
240 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
241 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]242
243 case MBEDTLS_ERR_GCM_AUTH_FAILED:
244 return( PSA_ERROR_INVALID_SIGNATURE );
245 case MBEDTLS_ERR_GCM_BAD_INPUT:
Gilles Peskine8cac2e62018-08-21 15:07:38 +0200[diff] [blame]246 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]247 case MBEDTLS_ERR_GCM_HW_ACCEL_FAILED:
248 return( PSA_ERROR_HARDWARE_FAILURE );
249
250 case MBEDTLS_ERR_MD2_HW_ACCEL_FAILED:
251 case MBEDTLS_ERR_MD4_HW_ACCEL_FAILED:
252 case MBEDTLS_ERR_MD5_HW_ACCEL_FAILED:
253 return( PSA_ERROR_HARDWARE_FAILURE );
254
255 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
256 return( PSA_ERROR_NOT_SUPPORTED );
257 case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
258 return( PSA_ERROR_INVALID_ARGUMENT );
259 case MBEDTLS_ERR_MD_ALLOC_FAILED:
260 return( PSA_ERROR_INSUFFICIENT_MEMORY );
261 case MBEDTLS_ERR_MD_FILE_IO_ERROR:
262 return( PSA_ERROR_STORAGE_FAILURE );
263 case MBEDTLS_ERR_MD_HW_ACCEL_FAILED:
264 return( PSA_ERROR_HARDWARE_FAILURE );
265
Gilles Peskinef76aa772018-10-29 19:24:33 +0100[diff] [blame]266 case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
267 return( PSA_ERROR_STORAGE_FAILURE );
268 case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
269 return( PSA_ERROR_INVALID_ARGUMENT );
270 case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
271 return( PSA_ERROR_INVALID_ARGUMENT );
272 case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
273 return( PSA_ERROR_BUFFER_TOO_SMALL );
274 case MBEDTLS_ERR_MPI_NEGATIVE_VALUE:
275 return( PSA_ERROR_INVALID_ARGUMENT );
276 case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO:
277 return( PSA_ERROR_INVALID_ARGUMENT );
278 case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
279 return( PSA_ERROR_INVALID_ARGUMENT );
280 case MBEDTLS_ERR_MPI_ALLOC_FAILED:
281 return( PSA_ERROR_INSUFFICIENT_MEMORY );
282
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]283 case MBEDTLS_ERR_PK_ALLOC_FAILED:
284 return( PSA_ERROR_INSUFFICIENT_MEMORY );
285 case MBEDTLS_ERR_PK_TYPE_MISMATCH:
286 case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
287 return( PSA_ERROR_INVALID_ARGUMENT );
288 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]289 return( PSA_ERROR_STORAGE_FAILURE );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]290 case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
291 case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
292 return( PSA_ERROR_INVALID_ARGUMENT );
293 case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
294 return( PSA_ERROR_NOT_SUPPORTED );
295 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
296 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
297 return( PSA_ERROR_NOT_PERMITTED );
298 case MBEDTLS_ERR_PK_INVALID_PUBKEY:
299 return( PSA_ERROR_INVALID_ARGUMENT );
300 case MBEDTLS_ERR_PK_INVALID_ALG:
301 case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
302 case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
303 return( PSA_ERROR_NOT_SUPPORTED );
304 case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
305 return( PSA_ERROR_INVALID_SIGNATURE );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]306 case MBEDTLS_ERR_PK_HW_ACCEL_FAILED:
307 return( PSA_ERROR_HARDWARE_FAILURE );
308
309 case MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED:
310 return( PSA_ERROR_HARDWARE_FAILURE );
311
312 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
313 return( PSA_ERROR_INVALID_ARGUMENT );
314 case MBEDTLS_ERR_RSA_INVALID_PADDING:
315 return( PSA_ERROR_INVALID_PADDING );
316 case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
317 return( PSA_ERROR_HARDWARE_FAILURE );
318 case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
319 return( PSA_ERROR_INVALID_ARGUMENT );
320 case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
321 case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
322 return( PSA_ERROR_TAMPERING_DETECTED );
323 case MBEDTLS_ERR_RSA_VERIFY_FAILED:
324 return( PSA_ERROR_INVALID_SIGNATURE );
325 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
326 return( PSA_ERROR_BUFFER_TOO_SMALL );
327 case MBEDTLS_ERR_RSA_RNG_FAILED:
328 return( PSA_ERROR_INSUFFICIENT_MEMORY );
329 case MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:
330 return( PSA_ERROR_NOT_SUPPORTED );
331 case MBEDTLS_ERR_RSA_HW_ACCEL_FAILED:
332 return( PSA_ERROR_HARDWARE_FAILURE );
333
334 case MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED:
335 case MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED:
336 case MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED:
337 return( PSA_ERROR_HARDWARE_FAILURE );
338
339 case MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH:
340 return( PSA_ERROR_INVALID_ARGUMENT );
341 case MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED:
342 return( PSA_ERROR_HARDWARE_FAILURE );
343
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]344 case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
itayzafrir7b30f8b2018-05-09 16:07:36 +0300[diff] [blame]345 case MBEDTLS_ERR_ECP_INVALID_KEY:
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]346 return( PSA_ERROR_INVALID_ARGUMENT );
itayzafrir7b30f8b2018-05-09 16:07:36 +0300[diff] [blame]347 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
348 return( PSA_ERROR_BUFFER_TOO_SMALL );
349 case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
350 return( PSA_ERROR_NOT_SUPPORTED );
351 case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
352 case MBEDTLS_ERR_ECP_VERIFY_FAILED:
353 return( PSA_ERROR_INVALID_SIGNATURE );
354 case MBEDTLS_ERR_ECP_ALLOC_FAILED:
355 return( PSA_ERROR_INSUFFICIENT_MEMORY );
356 case MBEDTLS_ERR_ECP_HW_ACCEL_FAILED:
357 return( PSA_ERROR_HARDWARE_FAILURE );
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]358
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]359 default:
360 return( PSA_ERROR_UNKNOWN_ERROR );
361 }
362}
363
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]364
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +0200[diff] [blame]365
366
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]367/****************************************************************/
368/* Key management */
369/****************************************************************/
370
Darryl Green8f8aa8f2018-07-24 15:44:51 +0100[diff] [blame]371#if defined(MBEDTLS_ECP_C)
Gilles Peskine34ef7f52018-06-18 20:47:51 +0200[diff] [blame]372static psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid )
373{
374 switch( grpid )
375 {
376 case MBEDTLS_ECP_DP_SECP192R1:
377 return( PSA_ECC_CURVE_SECP192R1 );
378 case MBEDTLS_ECP_DP_SECP224R1:
379 return( PSA_ECC_CURVE_SECP224R1 );
380 case MBEDTLS_ECP_DP_SECP256R1:
381 return( PSA_ECC_CURVE_SECP256R1 );
382 case MBEDTLS_ECP_DP_SECP384R1:
383 return( PSA_ECC_CURVE_SECP384R1 );
384 case MBEDTLS_ECP_DP_SECP521R1:
385 return( PSA_ECC_CURVE_SECP521R1 );
386 case MBEDTLS_ECP_DP_BP256R1:
387 return( PSA_ECC_CURVE_BRAINPOOL_P256R1 );
388 case MBEDTLS_ECP_DP_BP384R1:
389 return( PSA_ECC_CURVE_BRAINPOOL_P384R1 );
390 case MBEDTLS_ECP_DP_BP512R1:
391 return( PSA_ECC_CURVE_BRAINPOOL_P512R1 );
392 case MBEDTLS_ECP_DP_CURVE25519:
393 return( PSA_ECC_CURVE_CURVE25519 );
394 case MBEDTLS_ECP_DP_SECP192K1:
395 return( PSA_ECC_CURVE_SECP192K1 );
396 case MBEDTLS_ECP_DP_SECP224K1:
397 return( PSA_ECC_CURVE_SECP224K1 );
398 case MBEDTLS_ECP_DP_SECP256K1:
399 return( PSA_ECC_CURVE_SECP256K1 );
400 case MBEDTLS_ECP_DP_CURVE448:
401 return( PSA_ECC_CURVE_CURVE448 );
402 default:
403 return( 0 );
404 }
405}
406
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]407static mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_curve_t curve )
408{
409 switch( curve )
410 {
411 case PSA_ECC_CURVE_SECP192R1:
412 return( MBEDTLS_ECP_DP_SECP192R1 );
413 case PSA_ECC_CURVE_SECP224R1:
414 return( MBEDTLS_ECP_DP_SECP224R1 );
415 case PSA_ECC_CURVE_SECP256R1:
416 return( MBEDTLS_ECP_DP_SECP256R1 );
417 case PSA_ECC_CURVE_SECP384R1:
418 return( MBEDTLS_ECP_DP_SECP384R1 );
419 case PSA_ECC_CURVE_SECP521R1:
420 return( MBEDTLS_ECP_DP_SECP521R1 );
421 case PSA_ECC_CURVE_BRAINPOOL_P256R1:
422 return( MBEDTLS_ECP_DP_BP256R1 );
423 case PSA_ECC_CURVE_BRAINPOOL_P384R1:
424 return( MBEDTLS_ECP_DP_BP384R1 );
425 case PSA_ECC_CURVE_BRAINPOOL_P512R1:
426 return( MBEDTLS_ECP_DP_BP512R1 );
427 case PSA_ECC_CURVE_CURVE25519:
428 return( MBEDTLS_ECP_DP_CURVE25519 );
429 case PSA_ECC_CURVE_SECP192K1:
430 return( MBEDTLS_ECP_DP_SECP192K1 );
431 case PSA_ECC_CURVE_SECP224K1:
432 return( MBEDTLS_ECP_DP_SECP224K1 );
433 case PSA_ECC_CURVE_SECP256K1:
434 return( MBEDTLS_ECP_DP_SECP256K1 );
435 case PSA_ECC_CURVE_CURVE448:
436 return( MBEDTLS_ECP_DP_CURVE448 );
437 default:
438 return( MBEDTLS_ECP_DP_NONE );
439 }
440}
Darryl Green8f8aa8f2018-07-24 15:44:51 +0100[diff] [blame]441#endif /* defined(MBEDTLS_ECP_C) */
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]442
Gilles Peskine0ff4b0f2018-06-19 21:31:50 +0200[diff] [blame]443static psa_status_t prepare_raw_data_slot( psa_key_type_t type,
444 size_t bits,
445 struct raw_data *raw )
446{
447 /* Check that the bit size is acceptable for the key type */
448 switch( type )
449 {
450 case PSA_KEY_TYPE_RAW_DATA:
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200[diff] [blame]451 if( bits == 0 )
452 {
453 raw->bytes = 0;
454 raw->data = NULL;
455 return( PSA_SUCCESS );
456 }
457 break;
Gilles Peskine0ff4b0f2018-06-19 21:31:50 +0200[diff] [blame]458#if defined(MBEDTLS_MD_C)
459 case PSA_KEY_TYPE_HMAC:
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200[diff] [blame]460#endif
Gilles Peskineea0fb492018-07-12 17:17:20 +0200[diff] [blame]461 case PSA_KEY_TYPE_DERIVE:
462 break;
Gilles Peskine0ff4b0f2018-06-19 21:31:50 +0200[diff] [blame]463#if defined(MBEDTLS_AES_C)
464 case PSA_KEY_TYPE_AES:
465 if( bits != 128 && bits != 192 && bits != 256 )
466 return( PSA_ERROR_INVALID_ARGUMENT );
467 break;
468#endif
469#if defined(MBEDTLS_CAMELLIA_C)
470 case PSA_KEY_TYPE_CAMELLIA:
471 if( bits != 128 && bits != 192 && bits != 256 )
472 return( PSA_ERROR_INVALID_ARGUMENT );
473 break;
474#endif
475#if defined(MBEDTLS_DES_C)
476 case PSA_KEY_TYPE_DES:
477 if( bits != 64 && bits != 128 && bits != 192 )
478 return( PSA_ERROR_INVALID_ARGUMENT );
479 break;
480#endif
481#if defined(MBEDTLS_ARC4_C)
482 case PSA_KEY_TYPE_ARC4:
483 if( bits < 8 || bits > 2048 )
484 return( PSA_ERROR_INVALID_ARGUMENT );
485 break;
486#endif
487 default:
488 return( PSA_ERROR_NOT_SUPPORTED );
489 }
Gilles Peskineb54979a2018-06-21 09:32:47 +0200[diff] [blame]490 if( bits % 8 != 0 )
491 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine0ff4b0f2018-06-19 21:31:50 +0200[diff] [blame]492
493 /* Allocate memory for the key */
494 raw->bytes = PSA_BITS_TO_BYTES( bits );
495 raw->data = mbedtls_calloc( 1, raw->bytes );
496 if( raw->data == NULL )
497 {
498 raw->bytes = 0;
499 return( PSA_ERROR_INSUFFICIENT_MEMORY );
500 }
501 return( PSA_SUCCESS );
502}
503
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]504#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C)
Gilles Peskine86a440b2018-11-12 18:39:40 +0100[diff] [blame]505/* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
506 * that are not a multiple of 8) well. For example, there is only
507 * mbedtls_rsa_get_len(), which returns a number of bytes, and no
508 * way to return the exact bit size of a key.
509 * To keep things simple, reject non-byte-aligned key sizes. */
510static psa_status_t psa_check_rsa_key_byte_aligned(
511 const mbedtls_rsa_context *rsa )
512{
513 mbedtls_mpi n;
514 psa_status_t status;
515 mbedtls_mpi_init( &n );
516 status = mbedtls_to_psa_error(
517 mbedtls_rsa_export( rsa, &n, NULL, NULL, NULL, NULL ) );
518 if( status == PSA_SUCCESS )
519 {
520 if( mbedtls_mpi_bitlen( &n ) % 8 != 0 )
521 status = PSA_ERROR_NOT_SUPPORTED;
522 }
523 mbedtls_mpi_free( &n );
524 return( status );
525}
526
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]527static psa_status_t psa_import_rsa_key( mbedtls_pk_context *pk,
528 mbedtls_rsa_context **p_rsa )
529{
530 if( mbedtls_pk_get_type( pk ) != MBEDTLS_PK_RSA )
531 return( PSA_ERROR_INVALID_ARGUMENT );
532 else
533 {
534 mbedtls_rsa_context *rsa = mbedtls_pk_rsa( *pk );
Gilles Peskineaac64a22018-11-12 18:37:42 +0100[diff] [blame]535 /* The size of an RSA key doesn't have to be a multiple of 8.
536 * Mbed TLS supports non-byte-aligned key sizes, but not well.
537 * For example, mbedtls_rsa_get_len() returns the key size in
538 * bytes, not in bits. */
539 size_t bits = PSA_BYTES_TO_BITS( mbedtls_rsa_get_len( rsa ) );
Gilles Peskine86a440b2018-11-12 18:39:40 +0100[diff] [blame]540 psa_status_t status;
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]541 if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS )
542 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine86a440b2018-11-12 18:39:40 +0100[diff] [blame]543 status = psa_check_rsa_key_byte_aligned( rsa );
544 if( status != PSA_SUCCESS )
545 return( status );
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]546 *p_rsa = rsa;
547 return( PSA_SUCCESS );
548 }
549}
550#endif /* defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C) */
551
552#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_PK_PARSE_C)
Gilles Peskinef76aa772018-10-29 19:24:33 +0100[diff] [blame]553/* Import an elliptic curve parsed by the mbedtls pk module. */
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]554static psa_status_t psa_import_ecp_key( psa_ecc_curve_t expected_curve,
555 mbedtls_pk_context *pk,
556 mbedtls_ecp_keypair **p_ecp )
557{
558 if( mbedtls_pk_get_type( pk ) != MBEDTLS_PK_ECKEY )
559 return( PSA_ERROR_INVALID_ARGUMENT );
560 else
561 {
562 mbedtls_ecp_keypair *ecp = mbedtls_pk_ec( *pk );
563 psa_ecc_curve_t actual_curve = mbedtls_ecc_group_to_psa( ecp->grp.id );
564 if( actual_curve != expected_curve )
565 return( PSA_ERROR_INVALID_ARGUMENT );
566 *p_ecp = ecp;
567 return( PSA_SUCCESS );
568 }
569}
570#endif /* defined(MBEDTLS_ECP_C) && defined(MBEDTLS_PK_PARSE_C) */
571
Gilles Peskinef76aa772018-10-29 19:24:33 +0100[diff] [blame]572#if defined(MBEDTLS_ECP_C)
573/* Import a private key given as a byte string which is the private value
574 * in big-endian order. */
575static psa_status_t psa_import_ec_private_key( psa_ecc_curve_t curve,
576 const uint8_t *data,
577 size_t data_length,
578 mbedtls_ecp_keypair **p_ecp )
579{
580 psa_status_t status = PSA_ERROR_TAMPERING_DETECTED;
581 mbedtls_ecp_keypair *ecp = NULL;
582 mbedtls_ecp_group_id grp_id = mbedtls_ecc_group_of_psa( curve );
583
584 *p_ecp = NULL;
585 ecp = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
586 if( ecp == NULL )
587 return( PSA_ERROR_INSUFFICIENT_MEMORY );
588
589 /* Load the group. */
590 status = mbedtls_to_psa_error(
591 mbedtls_ecp_group_load( &ecp->grp, grp_id ) );
592 if( status != PSA_SUCCESS )
593 goto exit;
594 /* Load the secret value. */
595 status = mbedtls_to_psa_error(
596 mbedtls_mpi_read_binary( &ecp->d, data, data_length ) );
597 if( status != PSA_SUCCESS )
598 goto exit;
599 /* Validate the private key. */
600 status = mbedtls_to_psa_error(
601 mbedtls_ecp_check_privkey( &ecp->grp, &ecp->d ) );
602 if( status != PSA_SUCCESS )
603 goto exit;
604 /* Calculate the public key from the private key. */
605 status = mbedtls_to_psa_error(
606 mbedtls_ecp_mul( &ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
607 mbedtls_ctr_drbg_random, &global_data.ctr_drbg ) );
608 if( status != PSA_SUCCESS )
609 goto exit;
610
611 *p_ecp = ecp;
612 return( PSA_SUCCESS );
613
614exit:
615 if( ecp != NULL )
616 {
617 mbedtls_ecp_keypair_free( ecp );
618 mbedtls_free( ecp );
619 }
620 return( status );
621}
622#endif /* defined(MBEDTLS_ECP_C) */
623
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]624static psa_status_t psa_import_key_into_slot( key_slot_t *slot,
625 const uint8_t *data,
626 size_t data_length )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]627{
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]628 psa_status_t status = PSA_SUCCESS;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]629
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]630 if( key_type_is_raw_bytes( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]631 {
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]632 /* Ensure that a bytes-to-bit conversion won't overflow. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]633 if( data_length > SIZE_MAX / 8 )
634 return( PSA_ERROR_NOT_SUPPORTED );
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]635 status = prepare_raw_data_slot( slot->type,
Gilles Peskine0ff4b0f2018-06-19 21:31:50 +0200[diff] [blame]636 PSA_BYTES_TO_BITS( data_length ),
637 &slot->data.raw );
638 if( status != PSA_SUCCESS )
639 return( status );
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200[diff] [blame]640 if( data_length != 0 )
641 memcpy( slot->data.raw.data, data, data_length );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]642 }
643 else
Gilles Peskinef76aa772018-10-29 19:24:33 +0100[diff] [blame]644#if defined(MBEDTLS_ECP_C)
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]645 if( PSA_KEY_TYPE_IS_ECC_KEYPAIR( slot->type ) )
Gilles Peskinef76aa772018-10-29 19:24:33 +0100[diff] [blame]646 {
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]647 status = psa_import_ec_private_key( PSA_KEY_TYPE_GET_CURVE( slot->type ),
Gilles Peskinef76aa772018-10-29 19:24:33 +0100[diff] [blame]648 data, data_length,
649 &slot->data.ecp );
650 if( status != PSA_SUCCESS )
651 return( status );
652 }
653 else
654#endif /* MBEDTLS_ECP_C */
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]655#if defined(MBEDTLS_PK_PARSE_C)
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]656 if( PSA_KEY_TYPE_IS_RSA( slot->type ) ||
657 PSA_KEY_TYPE_IS_ECC( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]658 {
659 int ret;
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]660 mbedtls_pk_context pk;
661 mbedtls_pk_init( &pk );
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]662
663 /* Parse the data. */
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]664 if( PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]665 ret = mbedtls_pk_parse_key( &pk, data, data_length, NULL, 0 );
666 else
667 ret = mbedtls_pk_parse_public_key( &pk, data, data_length );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]668 if( ret != 0 )
669 return( mbedtls_to_psa_error( ret ) );
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]670
671 /* We have something that the pkparse module recognizes.
672 * If it has the expected type and passes any type-specific
673 * checks, store it. */
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]674#if defined(MBEDTLS_RSA_C)
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]675 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]676 status = psa_import_rsa_key( &pk, &slot->data.rsa );
677 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]678#endif /* MBEDTLS_RSA_C */
679#if defined(MBEDTLS_ECP_C)
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]680 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
681 status = psa_import_ecp_key( PSA_KEY_TYPE_GET_CURVE( slot->type ),
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]682 &pk, &slot->data.ecp );
683 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]684#endif /* MBEDTLS_ECP_C */
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]685 {
686 status = PSA_ERROR_NOT_SUPPORTED;
Gilles Peskinec648d692018-06-28 08:46:13 +0200[diff] [blame]687 }
Gilles Peskineaf89fd72018-06-29 19:52:37 +0200[diff] [blame]688
Gilles Peskinec648d692018-06-28 08:46:13 +0200[diff] [blame]689 /* Free the content of the pk object only on error. On success,
690 * the content of the object has been stored in the slot. */
691 if( status != PSA_SUCCESS )
692 {
693 mbedtls_pk_free( &pk );
694 return( status );
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]695 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]696 }
697 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]698#endif /* defined(MBEDTLS_PK_PARSE_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]699 {
700 return( PSA_ERROR_NOT_SUPPORTED );
701 }
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]702 return( PSA_SUCCESS );
703}
704
Darryl Green06fd18d2018-07-16 11:21:11 +0100[diff] [blame]705/* Retrieve a key slot, occupied or not. */
706static psa_status_t psa_get_key_slot( psa_key_slot_t key,
707 key_slot_t **p_slot )
708{
709 GUARD_MODULE_INITIALIZED;
710
711 /* 0 is not a valid slot number under any circumstance. This
712 * implementation provides slots number 1 to N where N is the
713 * number of available slots. */
714 if( key == 0 || key > ARRAY_LENGTH( global_data.key_slots ) )
715 return( PSA_ERROR_INVALID_ARGUMENT );
716
717 *p_slot = &global_data.key_slots[key - 1];
718 return( PSA_SUCCESS );
719}
720
721/* Retrieve an empty key slot (slot with no key data, but possibly
722 * with some metadata such as a policy). */
723static psa_status_t psa_get_empty_key_slot( psa_key_slot_t key,
724 key_slot_t **p_slot )
725{
726 psa_status_t status;
727 key_slot_t *slot = NULL;
728
729 *p_slot = NULL;
730
731 status = psa_get_key_slot( key, &slot );
732 if( status != PSA_SUCCESS )
733 return( status );
734
735 if( slot->type != PSA_KEY_TYPE_NONE )
736 return( PSA_ERROR_OCCUPIED_SLOT );
737
738 *p_slot = slot;
739 return( status );
740}
741
742/** Retrieve a slot which must contain a key. The key must have allow all the
743 * usage flags set in \p usage. If \p alg is nonzero, the key must allow
744 * operations with this algorithm. */
745static psa_status_t psa_get_key_from_slot( psa_key_slot_t key,
746 key_slot_t **p_slot,
747 psa_key_usage_t usage,
748 psa_algorithm_t alg )
749{
750 psa_status_t status;
751 key_slot_t *slot = NULL;
752
753 *p_slot = NULL;
754
755 status = psa_get_key_slot( key, &slot );
756 if( status != PSA_SUCCESS )
757 return( status );
758 if( slot->type == PSA_KEY_TYPE_NONE )
759 return( PSA_ERROR_EMPTY_SLOT );
760
761 /* Enforce that usage policy for the key slot contains all the flags
762 * required by the usage parameter. There is one exception: public
763 * keys can always be exported, so we treat public key objects as
764 * if they had the export flag. */
765 if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) )
766 usage &= ~PSA_KEY_USAGE_EXPORT;
767 if( ( slot->policy.usage & usage ) != usage )
768 return( PSA_ERROR_NOT_PERMITTED );
769 if( alg != 0 && ( alg != slot->policy.alg ) )
770 return( PSA_ERROR_NOT_PERMITTED );
771
772 *p_slot = slot;
773 return( PSA_SUCCESS );
774}
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]775
Darryl Green40225ba2018-11-15 14:48:15 +0000[diff] [blame^]776static psa_status_t psa_remove_key_data_from_memory( key_slot_t *slot )
777{
778 if( slot->type == PSA_KEY_TYPE_NONE )
779 {
780 /* No key material to clean. */
781 }
782 else if( key_type_is_raw_bytes( slot->type ) )
783 {
784 mbedtls_free( slot->data.raw.data );
785 }
786 else
787#if defined(MBEDTLS_RSA_C)
788 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
789 {
790 mbedtls_rsa_free( slot->data.rsa );
791 mbedtls_free( slot->data.rsa );
792 }
793 else
794#endif /* defined(MBEDTLS_RSA_C) */
795#if defined(MBEDTLS_ECP_C)
796 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
797 {
798 mbedtls_ecp_keypair_free( slot->data.ecp );
799 mbedtls_free( slot->data.ecp );
800 }
801 else
802#endif /* defined(MBEDTLS_ECP_C) */
803 {
804 /* Shouldn't happen: the key type is not any type that we
805 * put in. */
806 return( PSA_ERROR_TAMPERING_DETECTED );
807 }
808
809 return( PSA_SUCCESS );
810}
811
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]812psa_status_t psa_import_key( psa_key_slot_t key,
813 psa_key_type_t type,
814 const uint8_t *data,
815 size_t data_length )
816{
817 key_slot_t *slot;
818 psa_status_t status;
819
820 status = psa_get_empty_key_slot( key, &slot );
821 if( status != PSA_SUCCESS )
822 return( status );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]823
824 slot->type = type;
Darryl Green940d72c2018-07-13 13:18:51 +0100[diff] [blame]825
826 status = psa_import_key_into_slot( slot, data, data_length );
827 if( status != PSA_SUCCESS )
828 {
829 slot->type = PSA_KEY_TYPE_NONE;
830 return( status );
831 }
832
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]833 return( PSA_SUCCESS );
834}
835
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]836psa_status_t psa_destroy_key( psa_key_slot_t key )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]837{
838 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]839 psa_status_t status;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]840
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]841 status = psa_get_key_slot( key, &slot );
842 if( status != PSA_SUCCESS )
843 return( status );
Darryl Green40225ba2018-11-15 14:48:15 +0000[diff] [blame^]844 return( psa_remove_key_from_memory( slot ) );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]845}
846
Gilles Peskineb870b182018-07-06 16:02:09 +0200[diff] [blame]847/* Return the size of the key in the given slot, in bits. */
848static size_t psa_get_key_bits( const key_slot_t *slot )
849{
850 if( key_type_is_raw_bytes( slot->type ) )
851 return( slot->data.raw.bytes * 8 );
852#if defined(MBEDTLS_RSA_C)
Gilles Peskined8008d62018-06-29 19:51:51 +0200[diff] [blame]853 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
Gilles Peskineaac64a22018-11-12 18:37:42 +0100[diff] [blame]854 return( PSA_BYTES_TO_BITS( mbedtls_rsa_get_len( slot->data.rsa ) ) );
Gilles Peskineb870b182018-07-06 16:02:09 +0200[diff] [blame]855#endif /* defined(MBEDTLS_RSA_C) */
856#if defined(MBEDTLS_ECP_C)
857 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
858 return( slot->data.ecp->grp.pbits );
859#endif /* defined(MBEDTLS_ECP_C) */
860 /* Shouldn't happen except on an empty slot. */
861 return( 0 );
862}
863
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]864psa_status_t psa_get_key_information( psa_key_slot_t key,
865 psa_key_type_t *type,
866 size_t *bits )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]867{
868 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]869 psa_status_t status;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]870
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]871 if( type != NULL )
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]872 *type = 0;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]873 if( bits != NULL )
874 *bits = 0;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]875 status = psa_get_key_slot( key, &slot );
876 if( status != PSA_SUCCESS )
877 return( status );
Gilles Peskineb870b182018-07-06 16:02:09 +0200[diff] [blame]878
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]879 if( slot->type == PSA_KEY_TYPE_NONE )
880 return( PSA_ERROR_EMPTY_SLOT );
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]881 if( type != NULL )
882 *type = slot->type;
Gilles Peskineb870b182018-07-06 16:02:09 +0200[diff] [blame]883 if( bits != NULL )
884 *bits = psa_get_key_bits( slot );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]885 return( PSA_SUCCESS );
886}
887
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]888static psa_status_t psa_internal_export_key( psa_key_slot_t key,
889 uint8_t *data,
890 size_t data_size,
891 size_t *data_length,
892 int export_public_key )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]893{
894 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]895 psa_status_t status;
896 /* Exporting a public key doesn't require a usage flag. If we're
897 * called by psa_export_public_key(), don't require the EXPORT flag.
898 * If we're called by psa_export_key(), do require the EXPORT flag;
899 * if the key turns out to be public key object, psa_get_key_from_slot()
900 * will ignore this flag. */
901 psa_key_usage_t usage = export_public_key ? 0 : PSA_KEY_USAGE_EXPORT;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]902
Jaeden Amerof24c7f82018-06-27 17:20:43 +0100[diff] [blame]903 /* Set the key to empty now, so that even when there are errors, we always
904 * set data_length to a value between 0 and data_size. On error, setting
905 * the key to empty is a good choice because an empty key representation is
906 * unlikely to be accepted anywhere. */
907 *data_length = 0;
908
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]909 status = psa_get_key_from_slot( key, &slot, usage, 0 );
910 if( status != PSA_SUCCESS )
911 return( status );
Gilles Peskinec1bb6c82018-06-18 16:04:39 +0200[diff] [blame]912 if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->type ) )
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]913 return( PSA_ERROR_INVALID_ARGUMENT );
mohammad160306e79202018-03-28 13:17:44 +0300[diff] [blame]914
Gilles Peskine48c0ea12018-06-21 14:15:31 +0200[diff] [blame]915 if( key_type_is_raw_bytes( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]916 {
917 if( slot->data.raw.bytes > data_size )
918 return( PSA_ERROR_BUFFER_TOO_SMALL );
Gilles Peskine52b90182018-10-29 19:26:27 +0100[diff] [blame]919 if( data_size != 0 )
920 {
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200[diff] [blame]921 memcpy( data, slot->data.raw.data, slot->data.raw.bytes );
Gilles Peskine52b90182018-10-29 19:26:27 +0100[diff] [blame]922 memset( data + slot->data.raw.bytes, 0,
923 data_size - slot->data.raw.bytes );
924 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]925 *data_length = slot->data.raw.bytes;
926 return( PSA_SUCCESS );
927 }
Gilles Peskine188c71e2018-10-29 19:26:02 +0100[diff] [blame]928#if defined(MBEDTLS_ECP_C)
929 if( PSA_KEY_TYPE_IS_ECC_KEYPAIR( slot->type ) && !export_public_key )
930 {
931 size_t bytes = PSA_BITS_TO_BYTES( psa_get_key_bits( slot ) );
932 if( bytes > data_size )
933 return( PSA_ERROR_BUFFER_TOO_SMALL );
934 status = mbedtls_to_psa_error(
935 mbedtls_mpi_write_binary( &slot->data.ecp->d, data, bytes ) );
936 if( status != PSA_SUCCESS )
937 return( status );
938 memset( data + bytes, 0, data_size - bytes );
939 *data_length = bytes;
940 return( PSA_SUCCESS );
941 }
942#endif
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]943 else
Moran Peker17e36e12018-05-02 12:55:20 +0300[diff] [blame]944 {
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]945#if defined(MBEDTLS_PK_WRITE_C)
Gilles Peskined8008d62018-06-29 19:51:51 +0200[diff] [blame]946 if( PSA_KEY_TYPE_IS_RSA( slot->type ) ||
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]947 PSA_KEY_TYPE_IS_ECC( slot->type ) )
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]948 {
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]949 mbedtls_pk_context pk;
950 int ret;
Gilles Peskined8008d62018-06-29 19:51:51 +0200[diff] [blame]951 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]952 {
Darryl Green9e2d7a02018-07-24 16:33:30 +0100[diff] [blame]953#if defined(MBEDTLS_RSA_C)
954 mbedtls_pk_init( &pk );
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]955 pk.pk_info = &mbedtls_rsa_info;
956 pk.pk_ctx = slot->data.rsa;
Darryl Green9e2d7a02018-07-24 16:33:30 +0100[diff] [blame]957#else
958 return( PSA_ERROR_NOT_SUPPORTED );
959#endif
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]960 }
961 else
962 {
Darryl Green9e2d7a02018-07-24 16:33:30 +0100[diff] [blame]963#if defined(MBEDTLS_ECP_C)
964 mbedtls_pk_init( &pk );
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]965 pk.pk_info = &mbedtls_eckey_info;
966 pk.pk_ctx = slot->data.ecp;
Darryl Green9e2d7a02018-07-24 16:33:30 +0100[diff] [blame]967#else
968 return( PSA_ERROR_NOT_SUPPORTED );
969#endif
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]970 }
Moran Pekerd7326592018-05-29 16:56:39 +0300[diff] [blame]971 if( export_public_key || PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) )
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]972 ret = mbedtls_pk_write_pubkey_der( &pk, data, data_size );
Moran Peker17e36e12018-05-02 12:55:20 +0300[diff] [blame]973 else
974 ret = mbedtls_pk_write_key_der( &pk, data, data_size );
Moran Peker60364322018-04-29 11:34:58 +0300[diff] [blame]975 if( ret < 0 )
Gilles Peskinee66ca3b2018-06-20 00:11:45 +0200[diff] [blame]976 {
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200[diff] [blame]977 /* If data_size is 0 then data may be NULL and then the
978 * call to memset would have undefined behavior. */
979 if( data_size != 0 )
980 memset( data, 0, data_size );
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]981 return( mbedtls_to_psa_error( ret ) );
Gilles Peskinee66ca3b2018-06-20 00:11:45 +0200[diff] [blame]982 }
Gilles Peskine0e231582018-06-20 00:11:07 +0200[diff] [blame]983 /* The mbedtls_pk_xxx functions write to the end of the buffer.
984 * Move the data to the beginning and erase remaining data
985 * at the original location. */
986 if( 2 * (size_t) ret <= data_size )
987 {
988 memcpy( data, data + data_size - ret, ret );
Gilles Peskinee66ca3b2018-06-20 00:11:45 +0200[diff] [blame]989 memset( data + data_size - ret, 0, ret );
Gilles Peskine0e231582018-06-20 00:11:07 +0200[diff] [blame]990 }
991 else if( (size_t) ret < data_size )
992 {
993 memmove( data, data + data_size - ret, ret );
Gilles Peskinee66ca3b2018-06-20 00:11:45 +0200[diff] [blame]994 memset( data + ret, 0, data_size - ret );
Gilles Peskine0e231582018-06-20 00:11:07 +0200[diff] [blame]995 }
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]996 *data_length = ret;
997 return( PSA_SUCCESS );
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]998 }
999 else
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]1000#endif /* defined(MBEDTLS_PK_WRITE_C) */
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]1001 {
1002 /* This shouldn't happen in the reference implementation, but
Gilles Peskine785fd552018-06-04 15:08:56 +0200[diff] [blame]1003 it is valid for a special-purpose implementation to omit
1004 support for exporting certain key types. */
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]1005 return( PSA_ERROR_NOT_SUPPORTED );
1006 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]1007 }
1008}
1009
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]1010psa_status_t psa_export_key( psa_key_slot_t key,
1011 uint8_t *data,
1012 size_t data_size,
1013 size_t *data_length )
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]1014{
Gilles Peskinec1bb6c82018-06-18 16:04:39 +0200[diff] [blame]1015 return( psa_internal_export_key( key, data, data_size,
1016 data_length, 0 ) );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]1017}
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]1018
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]1019psa_status_t psa_export_public_key( psa_key_slot_t key,
1020 uint8_t *data,
1021 size_t data_size,
1022 size_t *data_length )
Moran Pekerdd4ea382018-04-03 15:30:03 +0300[diff] [blame]1023{
Gilles Peskinec1bb6c82018-06-18 16:04:39 +0200[diff] [blame]1024 return( psa_internal_export_key( key, data, data_size,
1025 data_length, 1 ) );
Moran Pekerdd4ea382018-04-03 15:30:03 +0300[diff] [blame]1026}
1027
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +0200[diff] [blame]1028
1029
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]1030/****************************************************************/
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1031/* Message digests */
1032/****************************************************************/
1033
Gilles Peskinedc2fc842018-03-07 16:42:59 +0100[diff] [blame]1034static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1035{
1036 switch( alg )
1037 {
1038#if defined(MBEDTLS_MD2_C)
1039 case PSA_ALG_MD2:
1040 return( &mbedtls_md2_info );
1041#endif
1042#if defined(MBEDTLS_MD4_C)
1043 case PSA_ALG_MD4:
1044 return( &mbedtls_md4_info );
1045#endif
1046#if defined(MBEDTLS_MD5_C)
1047 case PSA_ALG_MD5:
1048 return( &mbedtls_md5_info );
1049#endif
1050#if defined(MBEDTLS_RIPEMD160_C)
1051 case PSA_ALG_RIPEMD160:
1052 return( &mbedtls_ripemd160_info );
1053#endif
1054#if defined(MBEDTLS_SHA1_C)
1055 case PSA_ALG_SHA_1:
1056 return( &mbedtls_sha1_info );
1057#endif
1058#if defined(MBEDTLS_SHA256_C)
1059 case PSA_ALG_SHA_224:
1060 return( &mbedtls_sha224_info );
1061 case PSA_ALG_SHA_256:
1062 return( &mbedtls_sha256_info );
1063#endif
1064#if defined(MBEDTLS_SHA512_C)
1065 case PSA_ALG_SHA_384:
1066 return( &mbedtls_sha384_info );
1067 case PSA_ALG_SHA_512:
1068 return( &mbedtls_sha512_info );
1069#endif
1070 default:
1071 return( NULL );
1072 }
1073}
1074
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1075psa_status_t psa_hash_abort( psa_hash_operation_t *operation )
1076{
1077 switch( operation->alg )
1078 {
Gilles Peskine81736312018-06-26 15:04:31 +0200[diff] [blame]1079 case 0:
1080 /* The object has (apparently) been initialized but it is not
1081 * in use. It's ok to call abort on such an object, and there's
1082 * nothing to do. */
1083 break;
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1084#if defined(MBEDTLS_MD2_C)
1085 case PSA_ALG_MD2:
1086 mbedtls_md2_free( &operation->ctx.md2 );
1087 break;
1088#endif
1089#if defined(MBEDTLS_MD4_C)
1090 case PSA_ALG_MD4:
1091 mbedtls_md4_free( &operation->ctx.md4 );
1092 break;
1093#endif
1094#if defined(MBEDTLS_MD5_C)
1095 case PSA_ALG_MD5:
1096 mbedtls_md5_free( &operation->ctx.md5 );
1097 break;
1098#endif
1099#if defined(MBEDTLS_RIPEMD160_C)
1100 case PSA_ALG_RIPEMD160:
1101 mbedtls_ripemd160_free( &operation->ctx.ripemd160 );
1102 break;
1103#endif
1104#if defined(MBEDTLS_SHA1_C)
1105 case PSA_ALG_SHA_1:
1106 mbedtls_sha1_free( &operation->ctx.sha1 );
1107 break;
1108#endif
1109#if defined(MBEDTLS_SHA256_C)
1110 case PSA_ALG_SHA_224:
1111 case PSA_ALG_SHA_256:
1112 mbedtls_sha256_free( &operation->ctx.sha256 );
1113 break;
1114#endif
1115#if defined(MBEDTLS_SHA512_C)
1116 case PSA_ALG_SHA_384:
1117 case PSA_ALG_SHA_512:
1118 mbedtls_sha512_free( &operation->ctx.sha512 );
1119 break;
1120#endif
1121 default:
Gilles Peskinef9c2c092018-06-21 16:57:07 +0200[diff] [blame]1122 return( PSA_ERROR_BAD_STATE );
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1123 }
1124 operation->alg = 0;
1125 return( PSA_SUCCESS );
1126}
1127
Gilles Peskineda8191d1c2018-07-08 19:46:38 +0200[diff] [blame]1128psa_status_t psa_hash_setup( psa_hash_operation_t *operation,
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1129 psa_algorithm_t alg )
1130{
1131 int ret;
1132 operation->alg = 0;
1133 switch( alg )
1134 {
1135#if defined(MBEDTLS_MD2_C)
1136 case PSA_ALG_MD2:
1137 mbedtls_md2_init( &operation->ctx.md2 );
1138 ret = mbedtls_md2_starts_ret( &operation->ctx.md2 );
1139 break;
1140#endif
1141#if defined(MBEDTLS_MD4_C)
1142 case PSA_ALG_MD4:
1143 mbedtls_md4_init( &operation->ctx.md4 );
1144 ret = mbedtls_md4_starts_ret( &operation->ctx.md4 );
1145 break;
1146#endif
1147#if defined(MBEDTLS_MD5_C)
1148 case PSA_ALG_MD5:
1149 mbedtls_md5_init( &operation->ctx.md5 );
1150 ret = mbedtls_md5_starts_ret( &operation->ctx.md5 );
1151 break;
1152#endif
1153#if defined(MBEDTLS_RIPEMD160_C)
1154 case PSA_ALG_RIPEMD160:
1155 mbedtls_ripemd160_init( &operation->ctx.ripemd160 );
1156 ret = mbedtls_ripemd160_starts_ret( &operation->ctx.ripemd160 );
1157 break;
1158#endif
1159#if defined(MBEDTLS_SHA1_C)
1160 case PSA_ALG_SHA_1:
1161 mbedtls_sha1_init( &operation->ctx.sha1 );
1162 ret = mbedtls_sha1_starts_ret( &operation->ctx.sha1 );
1163 break;
1164#endif
1165#if defined(MBEDTLS_SHA256_C)
1166 case PSA_ALG_SHA_224:
1167 mbedtls_sha256_init( &operation->ctx.sha256 );
1168 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 1 );
1169 break;
1170 case PSA_ALG_SHA_256:
1171 mbedtls_sha256_init( &operation->ctx.sha256 );
1172 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 0 );
1173 break;
1174#endif
1175#if defined(MBEDTLS_SHA512_C)
1176 case PSA_ALG_SHA_384:
1177 mbedtls_sha512_init( &operation->ctx.sha512 );
1178 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 1 );
1179 break;
1180 case PSA_ALG_SHA_512:
1181 mbedtls_sha512_init( &operation->ctx.sha512 );
1182 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 0 );
1183 break;
1184#endif
1185 default:
Gilles Peskinec06e0712018-06-20 16:21:04 +0200[diff] [blame]1186 return( PSA_ALG_IS_HASH( alg ) ?
1187 PSA_ERROR_NOT_SUPPORTED :
1188 PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1189 }
1190 if( ret == 0 )
1191 operation->alg = alg;
1192 else
1193 psa_hash_abort( operation );
1194 return( mbedtls_to_psa_error( ret ) );
1195}
1196
1197psa_status_t psa_hash_update( psa_hash_operation_t *operation,
1198 const uint8_t *input,
1199 size_t input_length )
1200{
1201 int ret;
Gilles Peskine94e44542018-07-12 16:58:43 +0200[diff] [blame]1202
1203 /* Don't require hash implementations to behave correctly on a
1204 * zero-length input, which may have an invalid pointer. */
1205 if( input_length == 0 )
1206 return( PSA_SUCCESS );
1207
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1208 switch( operation->alg )
1209 {
1210#if defined(MBEDTLS_MD2_C)
1211 case PSA_ALG_MD2:
1212 ret = mbedtls_md2_update_ret( &operation->ctx.md2,
1213 input, input_length );
1214 break;
1215#endif
1216#if defined(MBEDTLS_MD4_C)
1217 case PSA_ALG_MD4:
1218 ret = mbedtls_md4_update_ret( &operation->ctx.md4,
1219 input, input_length );
1220 break;
1221#endif
1222#if defined(MBEDTLS_MD5_C)
1223 case PSA_ALG_MD5:
1224 ret = mbedtls_md5_update_ret( &operation->ctx.md5,
1225 input, input_length );
1226 break;
1227#endif
1228#if defined(MBEDTLS_RIPEMD160_C)
1229 case PSA_ALG_RIPEMD160:
1230 ret = mbedtls_ripemd160_update_ret( &operation->ctx.ripemd160,
1231 input, input_length );
1232 break;
1233#endif
1234#if defined(MBEDTLS_SHA1_C)
1235 case PSA_ALG_SHA_1:
1236 ret = mbedtls_sha1_update_ret( &operation->ctx.sha1,
1237 input, input_length );
1238 break;
1239#endif
1240#if defined(MBEDTLS_SHA256_C)
1241 case PSA_ALG_SHA_224:
1242 case PSA_ALG_SHA_256:
1243 ret = mbedtls_sha256_update_ret( &operation->ctx.sha256,
1244 input, input_length );
1245 break;
1246#endif
1247#if defined(MBEDTLS_SHA512_C)
1248 case PSA_ALG_SHA_384:
1249 case PSA_ALG_SHA_512:
1250 ret = mbedtls_sha512_update_ret( &operation->ctx.sha512,
1251 input, input_length );
1252 break;
1253#endif
1254 default:
1255 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
1256 break;
1257 }
Gilles Peskine94e44542018-07-12 16:58:43 +0200[diff] [blame]1258
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1259 if( ret != 0 )
1260 psa_hash_abort( operation );
1261 return( mbedtls_to_psa_error( ret ) );
1262}
1263
1264psa_status_t psa_hash_finish( psa_hash_operation_t *operation,
1265 uint8_t *hash,
1266 size_t hash_size,
1267 size_t *hash_length )
1268{
itayzafrir40835d42018-08-02 13:14:17 +0300[diff] [blame]1269 psa_status_t status;
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1270 int ret;
Gilles Peskine71bb7b72018-04-19 08:29:59 +0200[diff] [blame]1271 size_t actual_hash_length = PSA_HASH_SIZE( operation->alg );
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1272
1273 /* Fill the output buffer with something that isn't a valid hash
1274 * (barring an attack on the hash and deliberately-crafted input),
1275 * in case the caller doesn't check the return status properly. */
Gilles Peskineaee13332018-07-02 12:15:28 +0200[diff] [blame]1276 *hash_length = hash_size;
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200[diff] [blame]1277 /* If hash_size is 0 then hash may be NULL and then the
1278 * call to memset would have undefined behavior. */
1279 if( hash_size != 0 )
1280 memset( hash, '!', hash_size );
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1281
1282 if( hash_size < actual_hash_length )
itayzafrir40835d42018-08-02 13:14:17 +0300[diff] [blame]1283 {
1284 status = PSA_ERROR_BUFFER_TOO_SMALL;
1285 goto exit;
1286 }
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1287
1288 switch( operation->alg )
1289 {
1290#if defined(MBEDTLS_MD2_C)
1291 case PSA_ALG_MD2:
1292 ret = mbedtls_md2_finish_ret( &operation->ctx.md2, hash );
1293 break;
1294#endif
1295#if defined(MBEDTLS_MD4_C)
1296 case PSA_ALG_MD4:
1297 ret = mbedtls_md4_finish_ret( &operation->ctx.md4, hash );
1298 break;
1299#endif
1300#if defined(MBEDTLS_MD5_C)
1301 case PSA_ALG_MD5:
1302 ret = mbedtls_md5_finish_ret( &operation->ctx.md5, hash );
1303 break;
1304#endif
1305#if defined(MBEDTLS_RIPEMD160_C)
1306 case PSA_ALG_RIPEMD160:
1307 ret = mbedtls_ripemd160_finish_ret( &operation->ctx.ripemd160, hash );
1308 break;
1309#endif
1310#if defined(MBEDTLS_SHA1_C)
1311 case PSA_ALG_SHA_1:
1312 ret = mbedtls_sha1_finish_ret( &operation->ctx.sha1, hash );
1313 break;
1314#endif
1315#if defined(MBEDTLS_SHA256_C)
1316 case PSA_ALG_SHA_224:
1317 case PSA_ALG_SHA_256:
1318 ret = mbedtls_sha256_finish_ret( &operation->ctx.sha256, hash );
1319 break;
1320#endif
1321#if defined(MBEDTLS_SHA512_C)
1322 case PSA_ALG_SHA_384:
1323 case PSA_ALG_SHA_512:
1324 ret = mbedtls_sha512_finish_ret( &operation->ctx.sha512, hash );
1325 break;
1326#endif
1327 default:
1328 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
1329 break;
1330 }
itayzafrir40835d42018-08-02 13:14:17 +0300[diff] [blame]1331 status = mbedtls_to_psa_error( ret );
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1332
itayzafrir40835d42018-08-02 13:14:17 +0300[diff] [blame]1333exit:
1334 if( status == PSA_SUCCESS )
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1335 {
Gilles Peskineaee13332018-07-02 12:15:28 +0200[diff] [blame]1336 *hash_length = actual_hash_length;
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1337 return( psa_hash_abort( operation ) );
1338 }
1339 else
1340 {
1341 psa_hash_abort( operation );
itayzafrir40835d42018-08-02 13:14:17 +0300[diff] [blame]1342 return( status );
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1343 }
1344}
1345
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]1346psa_status_t psa_hash_verify( psa_hash_operation_t *operation,
1347 const uint8_t *hash,
1348 size_t hash_length )
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1349{
1350 uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE];
1351 size_t actual_hash_length;
1352 psa_status_t status = psa_hash_finish( operation,
1353 actual_hash, sizeof( actual_hash ),
1354 &actual_hash_length );
1355 if( status != PSA_SUCCESS )
1356 return( status );
1357 if( actual_hash_length != hash_length )
1358 return( PSA_ERROR_INVALID_SIGNATURE );
1359 if( safer_memcmp( hash, actual_hash, actual_hash_length ) != 0 )
1360 return( PSA_ERROR_INVALID_SIGNATURE );
1361 return( PSA_SUCCESS );
1362}
1363
1364
1365
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]1366/****************************************************************/
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1367/* MAC */
1368/****************************************************************/
1369
Gilles Peskinedc2fc842018-03-07 16:42:59 +0100[diff] [blame]1370static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1371 psa_algorithm_t alg,
1372 psa_key_type_t key_type,
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]1373 size_t key_bits,
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]1374 mbedtls_cipher_id_t* cipher_id )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1375{
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1376 mbedtls_cipher_mode_t mode;
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]1377 mbedtls_cipher_id_t cipher_id_tmp;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1378
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]1379 if( PSA_ALG_IS_AEAD( alg ) )
Gilles Peskine57fbdb12018-10-17 18:29:17 +0200[diff] [blame]1380 alg = PSA_ALG_AEAD_WITH_TAG_LENGTH( alg, 0 );
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]1381
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1382 if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) )
1383 {
Nir Sonnenscheine9664c32018-06-17 14:41:30 +0300[diff] [blame]1384 switch( alg )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1385 {
Gilles Peskinedaea26f2018-08-21 14:02:45 +0200[diff] [blame]1386 case PSA_ALG_ARC4:
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1387 mode = MBEDTLS_MODE_STREAM;
1388 break;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1389 case PSA_ALG_CTR:
1390 mode = MBEDTLS_MODE_CTR;
1391 break;
Gilles Peskinedaea26f2018-08-21 14:02:45 +0200[diff] [blame]1392 case PSA_ALG_CFB:
1393 mode = MBEDTLS_MODE_CFB;
1394 break;
1395 case PSA_ALG_OFB:
1396 mode = MBEDTLS_MODE_OFB;
1397 break;
1398 case PSA_ALG_CBC_NO_PADDING:
1399 mode = MBEDTLS_MODE_CBC;
1400 break;
1401 case PSA_ALG_CBC_PKCS7:
1402 mode = MBEDTLS_MODE_CBC;
1403 break;
Gilles Peskine57fbdb12018-10-17 18:29:17 +0200[diff] [blame]1404 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CCM, 0 ):
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1405 mode = MBEDTLS_MODE_CCM;
1406 break;
Gilles Peskine57fbdb12018-10-17 18:29:17 +0200[diff] [blame]1407 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_GCM, 0 ):
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1408 mode = MBEDTLS_MODE_GCM;
1409 break;
1410 default:
1411 return( NULL );
1412 }
1413 }
1414 else if( alg == PSA_ALG_CMAC )
1415 mode = MBEDTLS_MODE_ECB;
1416 else if( alg == PSA_ALG_GMAC )
1417 mode = MBEDTLS_MODE_GCM;
1418 else
1419 return( NULL );
1420
1421 switch( key_type )
1422 {
1423 case PSA_KEY_TYPE_AES:
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]1424 cipher_id_tmp = MBEDTLS_CIPHER_ID_AES;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1425 break;
1426 case PSA_KEY_TYPE_DES:
Gilles Peskine9ad29e22018-06-21 09:40:04 +0200[diff] [blame]1427 /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES,
1428 * and 192 for three-key Triple-DES. */
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1429 if( key_bits == 64 )
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]1430 cipher_id_tmp = MBEDTLS_CIPHER_ID_DES;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1431 else
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]1432 cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES;
Gilles Peskine9ad29e22018-06-21 09:40:04 +0200[diff] [blame]1433 /* mbedtls doesn't recognize two-key Triple-DES as an algorithm,
1434 * but two-key Triple-DES is functionally three-key Triple-DES
1435 * with K1=K3, so that's how we present it to mbedtls. */
1436 if( key_bits == 128 )
1437 key_bits = 192;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1438 break;
1439 case PSA_KEY_TYPE_CAMELLIA:
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]1440 cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1441 break;
1442 case PSA_KEY_TYPE_ARC4:
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]1443 cipher_id_tmp = MBEDTLS_CIPHER_ID_ARC4;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1444 break;
1445 default:
1446 return( NULL );
1447 }
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]1448 if( cipher_id != NULL )
mohammad160360a64d02018-06-03 17:20:42 +0300[diff] [blame]1449 *cipher_id = cipher_id_tmp;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1450
Jaeden Amero23bbb752018-06-26 14:16:54 +0100[diff] [blame]1451 return( mbedtls_cipher_info_from_values( cipher_id_tmp,
1452 (int) key_bits, mode ) );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1453}
1454
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]1455#if defined(MBEDTLS_MD_C)
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1456static size_t psa_get_hash_block_size( psa_algorithm_t alg )
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1457{
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]1458 switch( alg )
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1459 {
1460 case PSA_ALG_MD2:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1461 return( 16 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1462 case PSA_ALG_MD4:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1463 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1464 case PSA_ALG_MD5:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1465 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1466 case PSA_ALG_RIPEMD160:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1467 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1468 case PSA_ALG_SHA_1:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1469 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1470 case PSA_ALG_SHA_224:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1471 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1472 case PSA_ALG_SHA_256:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1473 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1474 case PSA_ALG_SHA_384:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1475 return( 128 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1476 case PSA_ALG_SHA_512:
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]1477 return( 128 );
1478 default:
1479 return( 0 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1480 }
1481}
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]1482#endif /* MBEDTLS_MD_C */
Nir Sonnenschein0c9ec532018-06-07 13:27:47 +0300[diff] [blame]1483
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]1484/* Initialize the MAC operation structure. Once this function has been
1485 * called, psa_mac_abort can run and will do the right thing. */
1486static psa_status_t psa_mac_init( psa_mac_operation_t *operation,
1487 psa_algorithm_t alg )
1488{
1489 psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
1490
1491 operation->alg = alg;
1492 operation->key_set = 0;
1493 operation->iv_set = 0;
1494 operation->iv_required = 0;
1495 operation->has_input = 0;
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1496 operation->is_sign = 0;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]1497
1498#if defined(MBEDTLS_CMAC_C)
1499 if( alg == PSA_ALG_CMAC )
1500 {
1501 operation->iv_required = 0;
1502 mbedtls_cipher_init( &operation->ctx.cmac );
1503 status = PSA_SUCCESS;
1504 }
1505 else
1506#endif /* MBEDTLS_CMAC_C */
1507#if defined(MBEDTLS_MD_C)
1508 if( PSA_ALG_IS_HMAC( operation->alg ) )
1509 {
Gilles Peskineff94abd2018-07-12 17:07:52 +0200[diff] [blame]1510 /* We'll set up the hash operation later in psa_hmac_setup_internal. */
1511 operation->ctx.hmac.hash_ctx.alg = 0;
1512 status = PSA_SUCCESS;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]1513 }
1514 else
1515#endif /* MBEDTLS_MD_C */
1516 {
Gilles Peskinec06e0712018-06-20 16:21:04 +0200[diff] [blame]1517 if( ! PSA_ALG_IS_MAC( alg ) )
1518 status = PSA_ERROR_INVALID_ARGUMENT;
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]1519 }
1520
1521 if( status != PSA_SUCCESS )
1522 memset( operation, 0, sizeof( *operation ) );
1523 return( status );
1524}
1525
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1526#if defined(MBEDTLS_MD_C)
1527static psa_status_t psa_hmac_abort_internal( psa_hmac_internal_data *hmac )
1528{
1529 mbedtls_zeroize( hmac->opad, sizeof( hmac->opad ) );
1530 return( psa_hash_abort( &hmac->hash_ctx ) );
1531}
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]1532
1533static void psa_hmac_init_internal( psa_hmac_internal_data *hmac )
1534{
1535 /* Instances of psa_hash_operation_s can be initialized by zeroization. */
1536 memset( hmac, 0, sizeof( *hmac ) );
1537}
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1538#endif /* MBEDTLS_MD_C */
1539
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1540psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
1541{
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1542 if( operation->alg == 0 )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1543 {
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1544 /* The object has (apparently) been initialized but it is not
1545 * in use. It's ok to call abort on such an object, and there's
1546 * nothing to do. */
1547 return( PSA_SUCCESS );
1548 }
1549 else
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1550#if defined(MBEDTLS_CMAC_C)
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1551 if( operation->alg == PSA_ALG_CMAC )
1552 {
1553 mbedtls_cipher_free( &operation->ctx.cmac );
1554 }
1555 else
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1556#endif /* MBEDTLS_CMAC_C */
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1557#if defined(MBEDTLS_MD_C)
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1558 if( PSA_ALG_IS_HMAC( operation->alg ) )
1559 {
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1560 psa_hmac_abort_internal( &operation->ctx.hmac );
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1561 }
1562 else
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1563#endif /* MBEDTLS_MD_C */
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1564 {
1565 /* Sanity check (shouldn't happen: operation->alg should
1566 * always have been initialized to a valid value). */
1567 goto bad_state;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1568 }
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1569
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1570 operation->alg = 0;
1571 operation->key_set = 0;
1572 operation->iv_set = 0;
1573 operation->iv_required = 0;
1574 operation->has_input = 0;
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1575 operation->is_sign = 0;
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1576
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1577 return( PSA_SUCCESS );
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1578
1579bad_state:
1580 /* If abort is called on an uninitialized object, we can't trust
1581 * anything. Wipe the object in case it contains confidential data.
1582 * This may result in a memory leak if a pointer gets overwritten,
1583 * but it's too late to do anything about this. */
1584 memset( operation, 0, sizeof( *operation ) );
1585 return( PSA_ERROR_BAD_STATE );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1586}
1587
Gilles Peskinee3b07d82018-06-19 11:57:35 +0200[diff] [blame]1588#if defined(MBEDTLS_CMAC_C)
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1589static int psa_cmac_setup( psa_mac_operation_t *operation,
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1590 size_t key_bits,
1591 key_slot_t *slot,
1592 const mbedtls_cipher_info_t *cipher_info )
1593{
1594 int ret;
1595
1596 operation->mac_size = cipher_info->block_size;
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1597
1598 ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info );
1599 if( ret != 0 )
1600 return( ret );
1601
1602 ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
1603 slot->data.raw.data,
1604 key_bits );
1605 return( ret );
1606}
Gilles Peskinee3b07d82018-06-19 11:57:35 +0200[diff] [blame]1607#endif /* MBEDTLS_CMAC_C */
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1608
Gilles Peskine248051a2018-06-20 16:09:38 +0200[diff] [blame]1609#if defined(MBEDTLS_MD_C)
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1610static psa_status_t psa_hmac_setup_internal( psa_hmac_internal_data *hmac,
1611 const uint8_t *key,
1612 size_t key_length,
1613 psa_algorithm_t hash_alg )
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1614{
Gilles Peskineb3e6e5d2018-06-18 22:16:43 +0200[diff] [blame]1615 unsigned char ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1616 size_t i;
Gilles Peskine9aa369e2018-07-16 00:36:29 +0200[diff] [blame]1617 size_t hash_size = PSA_HASH_SIZE( hash_alg );
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1618 size_t block_size = psa_get_hash_block_size( hash_alg );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1619 psa_status_t status;
1620
Gilles Peskine9aa369e2018-07-16 00:36:29 +0200[diff] [blame]1621 /* Sanity checks on block_size, to guarantee that there won't be a buffer
1622 * overflow below. This should never trigger if the hash algorithm
1623 * is implemented correctly. */
1624 /* The size checks against the ipad and opad buffers cannot be written
1625 * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
1626 * because that triggers -Wlogical-op on GCC 7.3. */
1627 if( block_size > sizeof( ipad ) )
1628 return( PSA_ERROR_NOT_SUPPORTED );
1629 if( block_size > sizeof( hmac->opad ) )
1630 return( PSA_ERROR_NOT_SUPPORTED );
1631 if( block_size < hash_size )
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1632 return( PSA_ERROR_NOT_SUPPORTED );
1633
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1634 if( key_length > block_size )
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1635 {
Gilles Peskine1e6bfdf2018-07-17 16:22:47 +0200[diff] [blame]1636 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1637 if( status != PSA_SUCCESS )
Gilles Peskine1e6bfdf2018-07-17 16:22:47 +0200[diff] [blame]1638 goto cleanup;
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1639 status = psa_hash_update( &hmac->hash_ctx, key, key_length );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1640 if( status != PSA_SUCCESS )
Gilles Peskineb8be2882018-07-17 16:24:34 +0200[diff] [blame]1641 goto cleanup;
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1642 status = psa_hash_finish( &hmac->hash_ctx,
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1643 ipad, sizeof( ipad ), &key_length );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1644 if( status != PSA_SUCCESS )
Gilles Peskineb8be2882018-07-17 16:24:34 +0200[diff] [blame]1645 goto cleanup;
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1646 }
Gilles Peskine96889972018-07-12 17:07:03 +0200[diff] [blame]1647 /* A 0-length key is not commonly used in HMAC when used as a MAC,
1648 * but it is permitted. It is common when HMAC is used in HKDF, for
1649 * example. Don't call `memcpy` in the 0-length because `key` could be
1650 * an invalid pointer which would make the behavior undefined. */
1651 else if( key_length != 0 )
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1652 memcpy( ipad, key, key_length );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1653
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1654 /* ipad contains the key followed by garbage. Xor and fill with 0x36
1655 * to create the ipad value. */
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1656 for( i = 0; i < key_length; i++ )
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1657 ipad[i] ^= 0x36;
1658 memset( ipad + key_length, 0x36, block_size - key_length );
1659
1660 /* Copy the key material from ipad to opad, flipping the requisite bits,
1661 * and filling the rest of opad with the requisite constant. */
1662 for( i = 0; i < key_length; i++ )
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1663 hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
1664 memset( hmac->opad + key_length, 0x5C, block_size - key_length );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1665
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1666 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1667 if( status != PSA_SUCCESS )
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1668 goto cleanup;
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1669
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1670 status = psa_hash_update( &hmac->hash_ctx, ipad, block_size );
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1671
1672cleanup:
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1673 mbedtls_zeroize( ipad, key_length );
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1674
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1675 return( status );
1676}
Gilles Peskine248051a2018-06-20 16:09:38 +0200[diff] [blame]1677#endif /* MBEDTLS_MD_C */
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1678
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1679static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
1680 psa_key_slot_t key,
1681 psa_algorithm_t alg,
1682 int is_sign )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1683{
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1684 psa_status_t status;
1685 key_slot_t *slot;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1686 size_t key_bits;
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1687 psa_key_usage_t usage =
1688 is_sign ? PSA_KEY_USAGE_SIGN : PSA_KEY_USAGE_VERIFY;
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1689 unsigned char truncated = PSA_MAC_TRUNCATED_LENGTH( alg );
Gilles Peskinee0e9c7c2018-10-17 18:28:05 +0200[diff] [blame]1690 psa_algorithm_t full_length_alg = PSA_ALG_FULL_LENGTH_MAC( alg );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1691
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1692 status = psa_mac_init( operation, full_length_alg );
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]1693 if( status != PSA_SUCCESS )
1694 return( status );
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1695 if( is_sign )
1696 operation->is_sign = 1;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1697
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1698 status = psa_get_key_from_slot( key, &slot, usage, alg );
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]1699 if( status != PSA_SUCCESS )
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1700 goto exit;
Gilles Peskineab1d7ab2018-07-06 16:07:47 +0200[diff] [blame]1701 key_bits = psa_get_key_bits( slot );
1702
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1703#if defined(MBEDTLS_CMAC_C)
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1704 if( full_length_alg == PSA_ALG_CMAC )
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1705 {
1706 const mbedtls_cipher_info_t *cipher_info =
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1707 mbedtls_cipher_info_from_psa( full_length_alg,
1708 slot->type, key_bits, NULL );
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1709 int ret;
1710 if( cipher_info == NULL )
1711 {
1712 status = PSA_ERROR_NOT_SUPPORTED;
1713 goto exit;
1714 }
1715 operation->mac_size = cipher_info->block_size;
1716 ret = psa_cmac_setup( operation, key_bits, slot, cipher_info );
1717 status = mbedtls_to_psa_error( ret );
1718 }
1719 else
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1720#endif /* MBEDTLS_CMAC_C */
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1721#if defined(MBEDTLS_MD_C)
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1722 if( PSA_ALG_IS_HMAC( full_length_alg ) )
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1723 {
Gilles Peskine00709fa2018-08-22 18:25:41 +0200[diff] [blame]1724 psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH( alg );
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1725 if( hash_alg == 0 )
1726 {
1727 status = PSA_ERROR_NOT_SUPPORTED;
1728 goto exit;
1729 }
Gilles Peskine9aa369e2018-07-16 00:36:29 +0200[diff] [blame]1730
1731 operation->mac_size = PSA_HASH_SIZE( hash_alg );
1732 /* Sanity check. This shouldn't fail on a valid configuration. */
1733 if( operation->mac_size == 0 ||
1734 operation->mac_size > sizeof( operation->ctx.hmac.opad ) )
1735 {
1736 status = PSA_ERROR_NOT_SUPPORTED;
1737 goto exit;
1738 }
1739
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1740 if( slot->type != PSA_KEY_TYPE_HMAC )
1741 {
1742 status = PSA_ERROR_INVALID_ARGUMENT;
1743 goto exit;
1744 }
Gilles Peskine9aa369e2018-07-16 00:36:29 +0200[diff] [blame]1745
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1746 status = psa_hmac_setup_internal( &operation->ctx.hmac,
1747 slot->data.raw.data,
1748 slot->data.raw.bytes,
1749 hash_alg );
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1750 }
1751 else
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1752#endif /* MBEDTLS_MD_C */
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1753 {
1754 status = PSA_ERROR_NOT_SUPPORTED;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1755 }
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1756
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1757 if( truncated == 0 )
1758 {
1759 /* The "normal" case: untruncated algorithm. Nothing to do. */
1760 }
1761 else if( truncated < 4 )
1762 {
Gilles Peskine6d72ff92018-08-21 14:55:08 +0200[diff] [blame]1763 /* A very short MAC is too short for security since it can be
1764 * brute-forced. Ancient protocols with 32-bit MACs do exist,
1765 * so we make this our minimum, even though 32 bits is still
1766 * too small for security. */
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1767 status = PSA_ERROR_NOT_SUPPORTED;
1768 }
1769 else if( truncated > operation->mac_size )
1770 {
1771 /* It's impossible to "truncate" to a larger length. */
1772 status = PSA_ERROR_INVALID_ARGUMENT;
1773 }
1774 else
1775 operation->mac_size = truncated;
1776
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1777exit:
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1778 if( status != PSA_SUCCESS )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1779 {
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1780 psa_mac_abort( operation );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1781 }
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1782 else
1783 {
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1784 operation->key_set = 1;
1785 }
1786 return( status );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1787}
1788
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1789psa_status_t psa_mac_sign_setup( psa_mac_operation_t *operation,
1790 psa_key_slot_t key,
1791 psa_algorithm_t alg )
1792{
1793 return( psa_mac_setup( operation, key, alg, 1 ) );
1794}
1795
1796psa_status_t psa_mac_verify_setup( psa_mac_operation_t *operation,
1797 psa_key_slot_t key,
1798 psa_algorithm_t alg )
1799{
1800 return( psa_mac_setup( operation, key, alg, 0 ) );
1801}
1802
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1803psa_status_t psa_mac_update( psa_mac_operation_t *operation,
1804 const uint8_t *input,
1805 size_t input_length )
1806{
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1807 psa_status_t status = PSA_ERROR_BAD_STATE;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1808 if( ! operation->key_set )
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1809 goto cleanup;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1810 if( operation->iv_required && ! operation->iv_set )
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1811 goto cleanup;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1812 operation->has_input = 1;
1813
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1814#if defined(MBEDTLS_CMAC_C)
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1815 if( operation->alg == PSA_ALG_CMAC )
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1816 {
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1817 int ret = mbedtls_cipher_cmac_update( &operation->ctx.cmac,
1818 input, input_length );
1819 status = mbedtls_to_psa_error( ret );
1820 }
1821 else
1822#endif /* MBEDTLS_CMAC_C */
1823#if defined(MBEDTLS_MD_C)
1824 if( PSA_ALG_IS_HMAC( operation->alg ) )
1825 {
1826 status = psa_hash_update( &operation->ctx.hmac.hash_ctx, input,
1827 input_length );
1828 }
1829 else
1830#endif /* MBEDTLS_MD_C */
1831 {
1832 /* This shouldn't happen if `operation` was initialized by
1833 * a setup function. */
1834 status = PSA_ERROR_BAD_STATE;
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1835 }
1836
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1837cleanup:
1838 if( status != PSA_SUCCESS )
1839 psa_mac_abort( operation );
Gilles Peskinec1bb6c82018-06-18 16:04:39 +0200[diff] [blame]1840 return( status );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1841}
1842
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1843#if defined(MBEDTLS_MD_C)
1844static psa_status_t psa_hmac_finish_internal( psa_hmac_internal_data *hmac,
1845 uint8_t *mac,
1846 size_t mac_size )
1847{
1848 unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
1849 psa_algorithm_t hash_alg = hmac->hash_ctx.alg;
1850 size_t hash_size = 0;
1851 size_t block_size = psa_get_hash_block_size( hash_alg );
1852 psa_status_t status;
1853
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1854 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
1855 if( status != PSA_SUCCESS )
1856 return( status );
1857 /* From here on, tmp needs to be wiped. */
1858
1859 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
1860 if( status != PSA_SUCCESS )
1861 goto exit;
1862
1863 status = psa_hash_update( &hmac->hash_ctx, hmac->opad, block_size );
1864 if( status != PSA_SUCCESS )
1865 goto exit;
1866
1867 status = psa_hash_update( &hmac->hash_ctx, tmp, hash_size );
1868 if( status != PSA_SUCCESS )
1869 goto exit;
1870
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1871 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
1872 if( status != PSA_SUCCESS )
1873 goto exit;
1874
1875 memcpy( mac, tmp, mac_size );
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1876
1877exit:
1878 mbedtls_zeroize( tmp, hash_size );
1879 return( status );
1880}
1881#endif /* MBEDTLS_MD_C */
1882
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1883static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]1884 uint8_t *mac,
Gilles Peskine5d0b8642018-07-08 20:35:02 +0200[diff] [blame]1885 size_t mac_size )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1886{
Gilles Peskine1d96fff2018-07-02 12:15:39 +0200[diff] [blame]1887 if( ! operation->key_set )
1888 return( PSA_ERROR_BAD_STATE );
1889 if( operation->iv_required && ! operation->iv_set )
1890 return( PSA_ERROR_BAD_STATE );
1891
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1892 if( mac_size < operation->mac_size )
1893 return( PSA_ERROR_BUFFER_TOO_SMALL );
1894
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1895#if defined(MBEDTLS_CMAC_C)
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1896 if( operation->alg == PSA_ALG_CMAC )
1897 {
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1898 uint8_t tmp[PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE];
1899 int ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, tmp );
1900 if( ret == 0 )
Gilles Peskine87b0ac42018-08-21 14:55:49 +0200[diff] [blame]1901 memcpy( mac, tmp, operation->mac_size );
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1902 mbedtls_zeroize( tmp, sizeof( tmp ) );
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1903 return( mbedtls_to_psa_error( ret ) );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1904 }
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1905 else
1906#endif /* MBEDTLS_CMAC_C */
1907#if defined(MBEDTLS_MD_C)
1908 if( PSA_ALG_IS_HMAC( operation->alg ) )
1909 {
Gilles Peskine01126fa2018-07-12 17:04:55 +0200[diff] [blame]1910 return( psa_hmac_finish_internal( &operation->ctx.hmac,
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1911 mac, operation->mac_size ) );
Gilles Peskinefbfac682018-07-08 20:51:54 +0200[diff] [blame]1912 }
1913 else
1914#endif /* MBEDTLS_MD_C */
1915 {
1916 /* This shouldn't happen if `operation` was initialized by
1917 * a setup function. */
1918 return( PSA_ERROR_BAD_STATE );
1919 }
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1920}
1921
Gilles Peskineacd4be32018-07-08 19:56:25 +0200[diff] [blame]1922psa_status_t psa_mac_sign_finish( psa_mac_operation_t *operation,
1923 uint8_t *mac,
1924 size_t mac_size,
1925 size_t *mac_length )
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1926{
Gilles Peskine5d0b8642018-07-08 20:35:02 +0200[diff] [blame]1927 psa_status_t status;
1928
1929 /* Fill the output buffer with something that isn't a valid mac
1930 * (barring an attack on the mac and deliberately-crafted input),
1931 * in case the caller doesn't check the return status properly. */
1932 *mac_length = mac_size;
1933 /* If mac_size is 0 then mac may be NULL and then the
1934 * call to memset would have undefined behavior. */
1935 if( mac_size != 0 )
1936 memset( mac, '!', mac_size );
1937
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1938 if( ! operation->is_sign )
1939 {
Gilles Peskine5d0b8642018-07-08 20:35:02 +0200[diff] [blame]1940 status = PSA_ERROR_BAD_STATE;
1941 goto cleanup;
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1942 }
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1943
Gilles Peskine5d0b8642018-07-08 20:35:02 +0200[diff] [blame]1944 status = psa_mac_finish_internal( operation, mac, mac_size );
1945
1946cleanup:
1947 if( status == PSA_SUCCESS )
1948 {
1949 status = psa_mac_abort( operation );
1950 if( status == PSA_SUCCESS )
1951 *mac_length = operation->mac_size;
1952 else
1953 memset( mac, '!', mac_size );
1954 }
1955 else
1956 psa_mac_abort( operation );
1957 return( status );
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1958}
1959
Gilles Peskineacd4be32018-07-08 19:56:25 +0200[diff] [blame]1960psa_status_t psa_mac_verify_finish( psa_mac_operation_t *operation,
1961 const uint8_t *mac,
1962 size_t mac_length )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1963{
Gilles Peskine828ed142018-06-18 23:25:51 +0200[diff] [blame]1964 uint8_t actual_mac[PSA_MAC_MAX_SIZE];
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1965 psa_status_t status;
1966
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1967 if( operation->is_sign )
1968 {
Gilles Peskine5d0b8642018-07-08 20:35:02 +0200[diff] [blame]1969 status = PSA_ERROR_BAD_STATE;
1970 goto cleanup;
1971 }
1972 if( operation->mac_size != mac_length )
1973 {
1974 status = PSA_ERROR_INVALID_SIGNATURE;
1975 goto cleanup;
Gilles Peskine89167cb2018-07-08 20:12:23 +0200[diff] [blame]1976 }
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1977
1978 status = psa_mac_finish_internal( operation,
Gilles Peskine5d0b8642018-07-08 20:35:02 +0200[diff] [blame]1979 actual_mac, sizeof( actual_mac ) );
1980
1981 if( safer_memcmp( mac, actual_mac, mac_length ) != 0 )
1982 status = PSA_ERROR_INVALID_SIGNATURE;
1983
1984cleanup:
1985 if( status == PSA_SUCCESS )
1986 status = psa_mac_abort( operation );
1987 else
1988 psa_mac_abort( operation );
1989
Gilles Peskine99b7d6b2018-08-21 14:56:19 +0200[diff] [blame]1990 mbedtls_zeroize( actual_mac, sizeof( actual_mac ) );
Gilles Peskined911eb72018-08-14 15:18:45 +0200[diff] [blame]1991
Gilles Peskine5d0b8642018-07-08 20:35:02 +0200[diff] [blame]1992 return( status );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1993}
1994
1995
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1996
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1997/****************************************************************/
1998/* Asymmetric cryptography */
1999/****************************************************************/
2000
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2001#if defined(MBEDTLS_RSA_C)
Gilles Peskine8b18a4f2018-06-08 16:34:46 +0200[diff] [blame]2002/* Decode the hash algorithm from alg and store the mbedtls encoding in
Gilles Peskine71ac7b12018-06-29 23:36:35 +0200[diff] [blame]2003 * md_alg. Verify that the hash length is acceptable. */
Gilles Peskine8b18a4f2018-06-08 16:34:46 +0200[diff] [blame]2004static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg,
2005 size_t hash_length,
2006 mbedtls_md_type_t *md_alg )
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]2007{
Gilles Peskine7ed29c52018-06-26 15:50:08 +0200[diff] [blame]2008 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2009 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
Gilles Peskine71ac7b12018-06-29 23:36:35 +0200[diff] [blame]2010 *md_alg = mbedtls_md_get_type( md_info );
2011
2012 /* The Mbed TLS RSA module uses an unsigned int for hash length
2013 * parameters. Validate that it fits so that we don't risk an
2014 * overflow later. */
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]2015#if SIZE_MAX > UINT_MAX
Gilles Peskine71ac7b12018-06-29 23:36:35 +0200[diff] [blame]2016 if( hash_length > UINT_MAX )
2017 return( PSA_ERROR_INVALID_ARGUMENT );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]2018#endif
Gilles Peskine71ac7b12018-06-29 23:36:35 +0200[diff] [blame]2019
2020#if defined(MBEDTLS_PKCS1_V15)
2021 /* For PKCS#1 v1.5 signature, if using a hash, the hash length
2022 * must be correct. */
2023 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) &&
2024 alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW )
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]2025 {
Gilles Peskine71ac7b12018-06-29 23:36:35 +0200[diff] [blame]2026 if( md_info == NULL )
2027 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2028 if( mbedtls_md_get_size( md_info ) != hash_length )
2029 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine71ac7b12018-06-29 23:36:35 +0200[diff] [blame]2030 }
2031#endif /* MBEDTLS_PKCS1_V15 */
2032
2033#if defined(MBEDTLS_PKCS1_V21)
2034 /* PSS requires a hash internally. */
2035 if( PSA_ALG_IS_RSA_PSS( alg ) )
2036 {
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2037 if( md_info == NULL )
2038 return( PSA_ERROR_NOT_SUPPORTED );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]2039 }
Gilles Peskine71ac7b12018-06-29 23:36:35 +0200[diff] [blame]2040#endif /* MBEDTLS_PKCS1_V21 */
2041
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2042 return( PSA_SUCCESS );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]2043}
2044
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2045static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa,
2046 psa_algorithm_t alg,
2047 const uint8_t *hash,
2048 size_t hash_length,
2049 uint8_t *signature,
2050 size_t signature_size,
2051 size_t *signature_length )
2052{
2053 psa_status_t status;
2054 int ret;
2055 mbedtls_md_type_t md_alg;
2056
2057 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
2058 if( status != PSA_SUCCESS )
2059 return( status );
2060
Gilles Peskine630a18a2018-06-29 17:49:35 +0200[diff] [blame]2061 if( signature_size < mbedtls_rsa_get_len( rsa ) )
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2062 return( PSA_ERROR_BUFFER_TOO_SMALL );
2063
2064#if defined(MBEDTLS_PKCS1_V15)
2065 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
2066 {
2067 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
2068 MBEDTLS_MD_NONE );
2069 ret = mbedtls_rsa_pkcs1_sign( rsa,
2070 mbedtls_ctr_drbg_random,
2071 &global_data.ctr_drbg,
2072 MBEDTLS_RSA_PRIVATE,
Jaeden Amerobbf97e32018-06-26 14:20:51 +0100[diff] [blame]2073 md_alg,
2074 (unsigned int) hash_length,
2075 hash,
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2076 signature );
2077 }
2078 else
2079#endif /* MBEDTLS_PKCS1_V15 */
2080#if defined(MBEDTLS_PKCS1_V21)
2081 if( PSA_ALG_IS_RSA_PSS( alg ) )
2082 {
2083 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
2084 ret = mbedtls_rsa_rsassa_pss_sign( rsa,
2085 mbedtls_ctr_drbg_random,
2086 &global_data.ctr_drbg,
2087 MBEDTLS_RSA_PRIVATE,
Gilles Peskine71ac7b12018-06-29 23:36:35 +0200[diff] [blame]2088 MBEDTLS_MD_NONE,
Jaeden Amerobbf97e32018-06-26 14:20:51 +0100[diff] [blame]2089 (unsigned int) hash_length,
2090 hash,
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2091 signature );
2092 }
2093 else
2094#endif /* MBEDTLS_PKCS1_V21 */
2095 {
2096 return( PSA_ERROR_INVALID_ARGUMENT );
2097 }
2098
2099 if( ret == 0 )
Gilles Peskine630a18a2018-06-29 17:49:35 +0200[diff] [blame]2100 *signature_length = mbedtls_rsa_get_len( rsa );
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2101 return( mbedtls_to_psa_error( ret ) );
2102}
2103
2104static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa,
2105 psa_algorithm_t alg,
2106 const uint8_t *hash,
2107 size_t hash_length,
2108 const uint8_t *signature,
2109 size_t signature_length )
2110{
2111 psa_status_t status;
2112 int ret;
2113 mbedtls_md_type_t md_alg;
2114
2115 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
2116 if( status != PSA_SUCCESS )
2117 return( status );
2118
Gilles Peskine630a18a2018-06-29 17:49:35 +0200[diff] [blame]2119 if( signature_length < mbedtls_rsa_get_len( rsa ) )
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2120 return( PSA_ERROR_BUFFER_TOO_SMALL );
2121
2122#if defined(MBEDTLS_PKCS1_V15)
2123 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
2124 {
2125 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
2126 MBEDTLS_MD_NONE );
2127 ret = mbedtls_rsa_pkcs1_verify( rsa,
2128 mbedtls_ctr_drbg_random,
2129 &global_data.ctr_drbg,
2130 MBEDTLS_RSA_PUBLIC,
2131 md_alg,
Jaeden Amerobbf97e32018-06-26 14:20:51 +0100[diff] [blame]2132 (unsigned int) hash_length,
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2133 hash,
2134 signature );
2135 }
2136 else
2137#endif /* MBEDTLS_PKCS1_V15 */
2138#if defined(MBEDTLS_PKCS1_V21)
2139 if( PSA_ALG_IS_RSA_PSS( alg ) )
2140 {
2141 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
2142 ret = mbedtls_rsa_rsassa_pss_verify( rsa,
2143 mbedtls_ctr_drbg_random,
2144 &global_data.ctr_drbg,
2145 MBEDTLS_RSA_PUBLIC,
Gilles Peskine71ac7b12018-06-29 23:36:35 +0200[diff] [blame]2146 MBEDTLS_MD_NONE,
Jaeden Amerobbf97e32018-06-26 14:20:51 +0100[diff] [blame]2147 (unsigned int) hash_length,
2148 hash,
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2149 signature );
2150 }
2151 else
2152#endif /* MBEDTLS_PKCS1_V21 */
2153 {
2154 return( PSA_ERROR_INVALID_ARGUMENT );
2155 }
Gilles Peskineef12c632018-09-13 20:37:48 +0200[diff] [blame]2156
2157 /* Mbed TLS distinguishes "invalid padding" from "valid padding but
2158 * the rest of the signature is invalid". This has little use in
2159 * practice and PSA doesn't report this distinction. */
2160 if( ret == MBEDTLS_ERR_RSA_INVALID_PADDING )
2161 return( PSA_ERROR_INVALID_SIGNATURE );
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2162 return( mbedtls_to_psa_error( ret ) );
2163}
2164#endif /* MBEDTLS_RSA_C */
2165
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2166#if defined(MBEDTLS_ECDSA_C)
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2167/* `ecp` cannot be const because `ecp->grp` needs to be non-const
2168 * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det()
2169 * (even though these functions don't modify it). */
2170static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp,
2171 psa_algorithm_t alg,
2172 const uint8_t *hash,
2173 size_t hash_length,
2174 uint8_t *signature,
2175 size_t signature_size,
2176 size_t *signature_length )
2177{
2178 int ret;
2179 mbedtls_mpi r, s;
Gilles Peskineeae6eee2018-06-28 13:56:01 +0200[diff] [blame]2180 size_t curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2181 mbedtls_mpi_init( &r );
2182 mbedtls_mpi_init( &s );
2183
Gilles Peskineeae6eee2018-06-28 13:56:01 +0200[diff] [blame]2184 if( signature_size < 2 * curve_bytes )
2185 {
2186 ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
2187 goto cleanup;
2188 }
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2189
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]2190#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2191 if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) )
2192 {
2193 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
2194 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
2195 mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info );
2196 MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det( &ecp->grp, &r, &s, &ecp->d,
2197 hash, hash_length,
2198 md_alg ) );
2199 }
2200 else
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]2201#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2202 {
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]2203 (void) alg;
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2204 MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d,
2205 hash, hash_length,
2206 mbedtls_ctr_drbg_random,
2207 &global_data.ctr_drbg ) );
2208 }
Gilles Peskineeae6eee2018-06-28 13:56:01 +0200[diff] [blame]2209
2210 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &r,
2211 signature,
2212 curve_bytes ) );
2213 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &s,
2214 signature + curve_bytes,
2215 curve_bytes ) );
2216
2217cleanup:
2218 mbedtls_mpi_free( &r );
2219 mbedtls_mpi_free( &s );
2220 if( ret == 0 )
2221 *signature_length = 2 * curve_bytes;
Gilles Peskineeae6eee2018-06-28 13:56:01 +0200[diff] [blame]2222 return( mbedtls_to_psa_error( ret ) );
2223}
2224
2225static psa_status_t psa_ecdsa_verify( mbedtls_ecp_keypair *ecp,
2226 const uint8_t *hash,
2227 size_t hash_length,
2228 const uint8_t *signature,
2229 size_t signature_length )
2230{
2231 int ret;
2232 mbedtls_mpi r, s;
2233 size_t curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
2234 mbedtls_mpi_init( &r );
2235 mbedtls_mpi_init( &s );
2236
2237 if( signature_length != 2 * curve_bytes )
2238 return( PSA_ERROR_INVALID_SIGNATURE );
2239
2240 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &r,
2241 signature,
2242 curve_bytes ) );
2243 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &s,
2244 signature + curve_bytes,
2245 curve_bytes ) );
2246
2247 ret = mbedtls_ecdsa_verify( &ecp->grp, hash, hash_length,
2248 &ecp->Q, &r, &s );
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2249
2250cleanup:
2251 mbedtls_mpi_free( &r );
2252 mbedtls_mpi_free( &s );
2253 return( mbedtls_to_psa_error( ret ) );
2254}
2255#endif /* MBEDTLS_ECDSA_C */
2256
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2257psa_status_t psa_asymmetric_sign( psa_key_slot_t key,
2258 psa_algorithm_t alg,
2259 const uint8_t *hash,
2260 size_t hash_length,
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2261 uint8_t *signature,
2262 size_t signature_size,
2263 size_t *signature_length )
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2264{
2265 key_slot_t *slot;
Gilles Peskinea26ff6a2018-06-28 12:21:19 +0200[diff] [blame]2266 psa_status_t status;
2267
2268 *signature_length = signature_size;
2269
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2270 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_SIGN, alg );
2271 if( status != PSA_SUCCESS )
Gilles Peskinea26ff6a2018-06-28 12:21:19 +0200[diff] [blame]2272 goto exit;
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2273 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
Gilles Peskinea26ff6a2018-06-28 12:21:19 +0200[diff] [blame]2274 {
2275 status = PSA_ERROR_INVALID_ARGUMENT;
2276 goto exit;
2277 }
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2278
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2279#if defined(MBEDTLS_RSA_C)
2280 if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
2281 {
Gilles Peskinea26ff6a2018-06-28 12:21:19 +0200[diff] [blame]2282 status = psa_rsa_sign( slot->data.rsa,
2283 alg,
2284 hash, hash_length,
2285 signature, signature_size,
2286 signature_length );
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2287 }
2288 else
2289#endif /* defined(MBEDTLS_RSA_C) */
2290#if defined(MBEDTLS_ECP_C)
2291 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
2292 {
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2293#if defined(MBEDTLS_ECDSA_C)
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]2294 if(
2295#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
2296 PSA_ALG_IS_ECDSA( alg )
2297#else
2298 PSA_ALG_IS_RANDOMIZED_ECDSA( alg )
2299#endif
2300 )
Gilles Peskinea26ff6a2018-06-28 12:21:19 +0200[diff] [blame]2301 status = psa_ecdsa_sign( slot->data.ecp,
2302 alg,
2303 hash, hash_length,
2304 signature, signature_size,
2305 signature_length );
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2306 else
2307#endif /* defined(MBEDTLS_ECDSA_C) */
2308 {
Gilles Peskinea26ff6a2018-06-28 12:21:19 +0200[diff] [blame]2309 status = PSA_ERROR_INVALID_ARGUMENT;
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2310 }
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]2311 }
2312 else
2313#endif /* defined(MBEDTLS_ECP_C) */
2314 {
Gilles Peskinea26ff6a2018-06-28 12:21:19 +0200[diff] [blame]2315 status = PSA_ERROR_NOT_SUPPORTED;
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2316 }
Gilles Peskinea26ff6a2018-06-28 12:21:19 +0200[diff] [blame]2317
2318exit:
2319 /* Fill the unused part of the output buffer (the whole buffer on error,
2320 * the trailing part on success) with something that isn't a valid mac
2321 * (barring an attack on the mac and deliberately-crafted input),
2322 * in case the caller doesn't check the return status properly. */
2323 if( status == PSA_SUCCESS )
2324 memset( signature + *signature_length, '!',
2325 signature_size - *signature_length );
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200[diff] [blame]2326 else if( signature_size != 0 )
Gilles Peskinea26ff6a2018-06-28 12:21:19 +0200[diff] [blame]2327 memset( signature, '!', signature_size );
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200[diff] [blame]2328 /* If signature_size is 0 then we have nothing to do. We must not call
2329 * memset because signature may be NULL in this case. */
Gilles Peskinea26ff6a2018-06-28 12:21:19 +0200[diff] [blame]2330 return( status );
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]2331}
2332
2333psa_status_t psa_asymmetric_verify( psa_key_slot_t key,
2334 psa_algorithm_t alg,
2335 const uint8_t *hash,
2336 size_t hash_length,
Gilles Peskinee9191ff2018-06-27 14:58:41 +0200[diff] [blame]2337 const uint8_t *signature,
Gilles Peskine526fab02018-06-27 18:19:40 +0200[diff] [blame]2338 size_t signature_length )
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]2339{
2340 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2341 psa_status_t status;
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2342
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2343 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_VERIFY, alg );
2344 if( status != PSA_SUCCESS )
2345 return( status );
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]2346
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2347#if defined(MBEDTLS_RSA_C)
Gilles Peskined8008d62018-06-29 19:51:51 +0200[diff] [blame]2348 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2349 {
Gilles Peskine2b450e32018-06-27 15:42:46 +0200[diff] [blame]2350 return( psa_rsa_verify( slot->data.rsa,
2351 alg,
2352 hash, hash_length,
2353 signature, signature_length ) );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2354 }
2355 else
2356#endif /* defined(MBEDTLS_RSA_C) */
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]2357#if defined(MBEDTLS_ECP_C)
2358 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
2359 {
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2360#if defined(MBEDTLS_ECDSA_C)
2361 if( PSA_ALG_IS_ECDSA( alg ) )
Gilles Peskineeae6eee2018-06-28 13:56:01 +0200[diff] [blame]2362 return( psa_ecdsa_verify( slot->data.ecp,
2363 hash, hash_length,
2364 signature, signature_length ) );
Gilles Peskinea81d85b2018-06-26 16:10:23 +0200[diff] [blame]2365 else
2366#endif /* defined(MBEDTLS_ECDSA_C) */
2367 {
2368 return( PSA_ERROR_INVALID_ARGUMENT );
2369 }
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]2370 }
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2371 else
2372#endif /* defined(MBEDTLS_ECP_C) */
2373 {
2374 return( PSA_ERROR_NOT_SUPPORTED );
2375 }
2376}
2377
Gilles Peskine072ac562018-06-30 00:21:29 +0200[diff] [blame]2378#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
2379static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg,
2380 mbedtls_rsa_context *rsa )
2381{
2382 psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH( alg );
2383 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
2384 mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info );
2385 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
2386}
2387#endif /* defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) */
2388
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2389psa_status_t psa_asymmetric_encrypt( psa_key_slot_t key,
2390 psa_algorithm_t alg,
2391 const uint8_t *input,
2392 size_t input_length,
2393 const uint8_t *salt,
2394 size_t salt_length,
2395 uint8_t *output,
2396 size_t output_size,
2397 size_t *output_length )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2398{
2399 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2400 psa_status_t status;
2401
Darryl Green5cc689a2018-07-24 15:34:10 +0100[diff] [blame]2402 (void) input;
2403 (void) input_length;
2404 (void) salt;
2405 (void) output;
2406 (void) output_size;
2407
Nir Sonnenscheinca466c82018-06-04 16:43:12 +0300[diff] [blame]2408 *output_length = 0;
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2409
Gilles Peskineb3fc05d2018-06-30 19:04:35 +0200[diff] [blame]2410 if( ! PSA_ALG_IS_RSA_OAEP( alg ) && salt_length != 0 )
2411 return( PSA_ERROR_INVALID_ARGUMENT );
2412
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2413 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_ENCRYPT, alg );
2414 if( status != PSA_SUCCESS )
2415 return( status );
Gilles Peskine35da9a22018-06-29 19:17:49 +0200[diff] [blame]2416 if( ! ( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) ||
2417 PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2418 return( PSA_ERROR_INVALID_ARGUMENT );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2419
2420#if defined(MBEDTLS_RSA_C)
Gilles Peskined8008d62018-06-29 19:51:51 +0200[diff] [blame]2421 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2422 {
2423 mbedtls_rsa_context *rsa = slot->data.rsa;
2424 int ret;
Gilles Peskine630a18a2018-06-29 17:49:35 +0200[diff] [blame]2425 if( output_size < mbedtls_rsa_get_len( rsa ) )
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2426 return( PSA_ERROR_INVALID_ARGUMENT );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2427#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskine6afe7892018-05-31 13:16:08 +0200[diff] [blame]2428 if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2429 {
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2430 ret = mbedtls_rsa_pkcs1_encrypt( rsa,
2431 mbedtls_ctr_drbg_random,
2432 &global_data.ctr_drbg,
2433 MBEDTLS_RSA_PUBLIC,
2434 input_length,
2435 input,
2436 output );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2437 }
2438 else
2439#endif /* MBEDTLS_PKCS1_V15 */
2440#if defined(MBEDTLS_PKCS1_V21)
Gilles Peskine55bf3d12018-06-26 15:53:48 +0200[diff] [blame]2441 if( PSA_ALG_IS_RSA_OAEP( alg ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2442 {
Gilles Peskine072ac562018-06-30 00:21:29 +0200[diff] [blame]2443 psa_rsa_oaep_set_padding_mode( alg, rsa );
2444 ret = mbedtls_rsa_rsaes_oaep_encrypt( rsa,
2445 mbedtls_ctr_drbg_random,
2446 &global_data.ctr_drbg,
2447 MBEDTLS_RSA_PUBLIC,
2448 salt, salt_length,
2449 input_length,
2450 input,
2451 output );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2452 }
2453 else
2454#endif /* MBEDTLS_PKCS1_V21 */
2455 {
2456 return( PSA_ERROR_INVALID_ARGUMENT );
2457 }
2458 if( ret == 0 )
Gilles Peskine630a18a2018-06-29 17:49:35 +0200[diff] [blame]2459 *output_length = mbedtls_rsa_get_len( rsa );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2460 return( mbedtls_to_psa_error( ret ) );
2461 }
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2462 else
Gilles Peskineb75e4f12018-06-08 17:44:47 +0200[diff] [blame]2463#endif /* defined(MBEDTLS_RSA_C) */
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2464 {
2465 return( PSA_ERROR_NOT_SUPPORTED );
2466 }
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2467}
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2468
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2469psa_status_t psa_asymmetric_decrypt( psa_key_slot_t key,
2470 psa_algorithm_t alg,
2471 const uint8_t *input,
2472 size_t input_length,
2473 const uint8_t *salt,
2474 size_t salt_length,
2475 uint8_t *output,
2476 size_t output_size,
2477 size_t *output_length )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2478{
2479 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2480 psa_status_t status;
2481
Darryl Green5cc689a2018-07-24 15:34:10 +0100[diff] [blame]2482 (void) input;
2483 (void) input_length;
2484 (void) salt;
2485 (void) output;
2486 (void) output_size;
2487
Nir Sonnenscheinca466c82018-06-04 16:43:12 +0300[diff] [blame]2488 *output_length = 0;
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2489
Gilles Peskineb3fc05d2018-06-30 19:04:35 +0200[diff] [blame]2490 if( ! PSA_ALG_IS_RSA_OAEP( alg ) && salt_length != 0 )
2491 return( PSA_ERROR_INVALID_ARGUMENT );
2492
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2493 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_DECRYPT, alg );
2494 if( status != PSA_SUCCESS )
2495 return( status );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2496 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
2497 return( PSA_ERROR_INVALID_ARGUMENT );
2498
2499#if defined(MBEDTLS_RSA_C)
2500 if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
2501 {
2502 mbedtls_rsa_context *rsa = slot->data.rsa;
2503 int ret;
2504
Gilles Peskine630a18a2018-06-29 17:49:35 +0200[diff] [blame]2505 if( input_length != mbedtls_rsa_get_len( rsa ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2506 return( PSA_ERROR_INVALID_ARGUMENT );
2507
2508#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskine6afe7892018-05-31 13:16:08 +0200[diff] [blame]2509 if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2510 {
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]2511 ret = mbedtls_rsa_pkcs1_decrypt( rsa,
2512 mbedtls_ctr_drbg_random,
2513 &global_data.ctr_drbg,
2514 MBEDTLS_RSA_PRIVATE,
2515 output_length,
2516 input,
2517 output,
2518 output_size );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2519 }
2520 else
2521#endif /* MBEDTLS_PKCS1_V15 */
2522#if defined(MBEDTLS_PKCS1_V21)
Gilles Peskine55bf3d12018-06-26 15:53:48 +0200[diff] [blame]2523 if( PSA_ALG_IS_RSA_OAEP( alg ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2524 {
Gilles Peskine072ac562018-06-30 00:21:29 +0200[diff] [blame]2525 psa_rsa_oaep_set_padding_mode( alg, rsa );
2526 ret = mbedtls_rsa_rsaes_oaep_decrypt( rsa,
2527 mbedtls_ctr_drbg_random,
2528 &global_data.ctr_drbg,
2529 MBEDTLS_RSA_PRIVATE,
2530 salt, salt_length,
2531 output_length,
2532 input,
2533 output,
2534 output_size );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2535 }
2536 else
2537#endif /* MBEDTLS_PKCS1_V21 */
2538 {
2539 return( PSA_ERROR_INVALID_ARGUMENT );
2540 }
Nir Sonnenschein717a0402018-06-04 16:36:15 +0300[diff] [blame]2541
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2542 return( mbedtls_to_psa_error( ret ) );
2543 }
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2544 else
Gilles Peskineb75e4f12018-06-08 17:44:47 +0200[diff] [blame]2545#endif /* defined(MBEDTLS_RSA_C) */
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]2546 {
2547 return( PSA_ERROR_NOT_SUPPORTED );
2548 }
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2549}
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2550
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +0200[diff] [blame]2551
2552
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2553/****************************************************************/
2554/* Symmetric cryptography */
2555/****************************************************************/
2556
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]2557/* Initialize the cipher operation structure. Once this function has been
2558 * called, psa_cipher_abort can run and will do the right thing. */
2559static psa_status_t psa_cipher_init( psa_cipher_operation_t *operation,
2560 psa_algorithm_t alg )
2561{
Gilles Peskinec06e0712018-06-20 16:21:04 +0200[diff] [blame]2562 if( ! PSA_ALG_IS_CIPHER( alg ) )
2563 {
2564 memset( operation, 0, sizeof( *operation ) );
2565 return( PSA_ERROR_INVALID_ARGUMENT );
2566 }
2567
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]2568 operation->alg = alg;
2569 operation->key_set = 0;
2570 operation->iv_set = 0;
2571 operation->iv_required = 1;
2572 operation->iv_size = 0;
2573 operation->block_size = 0;
2574 mbedtls_cipher_init( &operation->ctx.cipher );
2575 return( PSA_SUCCESS );
2576}
2577
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2578static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
2579 psa_key_slot_t key,
Gilles Peskine7e928852018-06-04 16:23:10 +0200[diff] [blame]2580 psa_algorithm_t alg,
2581 mbedtls_operation_t cipher_operation )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2582{
2583 int ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
2584 psa_status_t status;
2585 key_slot_t *slot;
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2586 size_t key_bits;
2587 const mbedtls_cipher_info_t *cipher_info = NULL;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2588 psa_key_usage_t usage = ( cipher_operation == MBEDTLS_ENCRYPT ?
2589 PSA_KEY_USAGE_ENCRYPT :
2590 PSA_KEY_USAGE_DECRYPT );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2591
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]2592 status = psa_cipher_init( operation, alg );
2593 if( status != PSA_SUCCESS )
2594 return( status );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2595
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2596 status = psa_get_key_from_slot( key, &slot, usage, alg);
2597 if( status != PSA_SUCCESS )
2598 return( status );
Gilles Peskineab1d7ab2018-07-06 16:07:47 +0200[diff] [blame]2599 key_bits = psa_get_key_bits( slot );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2600
Gilles Peskineab1d7ab2018-07-06 16:07:47 +0200[diff] [blame]2601 cipher_info = mbedtls_cipher_info_from_psa( alg, slot->type, key_bits, NULL );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2602 if( cipher_info == NULL )
2603 return( PSA_ERROR_NOT_SUPPORTED );
2604
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2605 ret = mbedtls_cipher_setup( &operation->ctx.cipher, cipher_info );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2606 if( ret != 0 )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2607 {
2608 psa_cipher_abort( operation );
2609 return( mbedtls_to_psa_error( ret ) );
2610 }
2611
Gilles Peskine9ad29e22018-06-21 09:40:04 +0200[diff] [blame]2612#if defined(MBEDTLS_DES_C)
Gilles Peskineab1d7ab2018-07-06 16:07:47 +0200[diff] [blame]2613 if( slot->type == PSA_KEY_TYPE_DES && key_bits == 128 )
Gilles Peskine9ad29e22018-06-21 09:40:04 +0200[diff] [blame]2614 {
2615 /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
2616 unsigned char keys[24];
2617 memcpy( keys, slot->data.raw.data, 16 );
2618 memcpy( keys + 16, slot->data.raw.data, 8 );
2619 ret = mbedtls_cipher_setkey( &operation->ctx.cipher,
2620 keys,
2621 192, cipher_operation );
2622 }
2623 else
2624#endif
2625 {
2626 ret = mbedtls_cipher_setkey( &operation->ctx.cipher,
2627 slot->data.raw.data,
Jaeden Amero23bbb752018-06-26 14:16:54 +0100[diff] [blame]2628 (int) key_bits, cipher_operation );
Gilles Peskine9ad29e22018-06-21 09:40:04 +0200[diff] [blame]2629 }
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2630 if( ret != 0 )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2631 {
2632 psa_cipher_abort( operation );
2633 return( mbedtls_to_psa_error( ret ) );
2634 }
2635
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]2636#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
Gilles Peskinedaea26f2018-08-21 14:02:45 +0200[diff] [blame]2637 switch( alg )
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]2638 {
Gilles Peskinedaea26f2018-08-21 14:02:45 +0200[diff] [blame]2639 case PSA_ALG_CBC_NO_PADDING:
2640 ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher,
2641 MBEDTLS_PADDING_NONE );
2642 break;
2643 case PSA_ALG_CBC_PKCS7:
2644 ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher,
2645 MBEDTLS_PADDING_PKCS7 );
2646 break;
2647 default:
2648 /* The algorithm doesn't involve padding. */
2649 ret = 0;
2650 break;
2651 }
2652 if( ret != 0 )
2653 {
2654 psa_cipher_abort( operation );
2655 return( mbedtls_to_psa_error( ret ) );
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]2656 }
2657#endif //MBEDTLS_CIPHER_MODE_WITH_PADDING
2658
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2659 operation->key_set = 1;
Gilles Peskinedaea26f2018-08-21 14:02:45 +0200[diff] [blame]2660 operation->block_size = ( PSA_ALG_IS_STREAM_CIPHER( alg ) ? 1 :
2661 PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type ) );
2662 if( alg & PSA_ALG_CIPHER_FROM_BLOCK_FLAG )
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]2663 {
Gilles Peskineab1d7ab2018-07-06 16:07:47 +0200[diff] [blame]2664 operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type );
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]2665 }
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2666
Moran Peker395db872018-05-31 14:07:14 +0300[diff] [blame]2667 return( PSA_SUCCESS );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2668}
2669
Gilles Peskinefe119512018-07-08 21:39:34 +0200[diff] [blame]2670psa_status_t psa_cipher_encrypt_setup( psa_cipher_operation_t *operation,
2671 psa_key_slot_t key,
2672 psa_algorithm_t alg )
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]2673{
Gilles Peskinec1bb6c82018-06-18 16:04:39 +0200[diff] [blame]2674 return( psa_cipher_setup( operation, key, alg, MBEDTLS_ENCRYPT ) );
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]2675}
2676
Gilles Peskinefe119512018-07-08 21:39:34 +0200[diff] [blame]2677psa_status_t psa_cipher_decrypt_setup( psa_cipher_operation_t *operation,
2678 psa_key_slot_t key,
2679 psa_algorithm_t alg )
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]2680{
Gilles Peskinec1bb6c82018-06-18 16:04:39 +0200[diff] [blame]2681 return( psa_cipher_setup( operation, key, alg, MBEDTLS_DECRYPT ) );
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]2682}
2683
Gilles Peskinefe119512018-07-08 21:39:34 +0200[diff] [blame]2684psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation,
2685 unsigned char *iv,
2686 size_t iv_size,
2687 size_t *iv_length )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2688{
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2689 psa_status_t status;
2690 int ret;
Gilles Peskinec1bb6c82018-06-18 16:04:39 +0200[diff] [blame]2691 if( operation->iv_set || ! operation->iv_required )
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2692 {
2693 status = PSA_ERROR_BAD_STATE;
2694 goto exit;
2695 }
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2696 if( iv_size < operation->iv_size )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2697 {
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2698 status = PSA_ERROR_BUFFER_TOO_SMALL;
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2699 goto exit;
2700 }
Gilles Peskine7e928852018-06-04 16:23:10 +0200[diff] [blame]2701 ret = mbedtls_ctr_drbg_random( &global_data.ctr_drbg,
2702 iv, operation->iv_size );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2703 if( ret != 0 )
2704 {
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2705 status = mbedtls_to_psa_error( ret );
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2706 goto exit;
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2707 }
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2708
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]2709 *iv_length = operation->iv_size;
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2710 status = psa_cipher_set_iv( operation, iv, *iv_length );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2711
Moran Peker395db872018-05-31 14:07:14 +0300[diff] [blame]2712exit:
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2713 if( status != PSA_SUCCESS )
Moran Peker395db872018-05-31 14:07:14 +0300[diff] [blame]2714 psa_cipher_abort( operation );
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2715 return( status );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2716}
2717
Gilles Peskinefe119512018-07-08 21:39:34 +0200[diff] [blame]2718psa_status_t psa_cipher_set_iv( psa_cipher_operation_t *operation,
2719 const unsigned char *iv,
2720 size_t iv_length )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2721{
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2722 psa_status_t status;
2723 int ret;
Gilles Peskinec1bb6c82018-06-18 16:04:39 +0200[diff] [blame]2724 if( operation->iv_set || ! operation->iv_required )
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2725 {
2726 status = PSA_ERROR_BAD_STATE;
2727 goto exit;
2728 }
Moran Pekera28258c2018-05-29 16:25:04 +0300[diff] [blame]2729 if( iv_length != operation->iv_size )
Moran Peker71f19ae2018-04-22 20:23:16 +0300[diff] [blame]2730 {
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2731 status = PSA_ERROR_INVALID_ARGUMENT;
2732 goto exit;
Moran Peker71f19ae2018-04-22 20:23:16 +0300[diff] [blame]2733 }
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2734 ret = mbedtls_cipher_set_iv( &operation->ctx.cipher, iv, iv_length );
2735 status = mbedtls_to_psa_error( ret );
2736exit:
2737 if( status == PSA_SUCCESS )
2738 operation->iv_set = 1;
2739 else
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2740 psa_cipher_abort( operation );
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2741 return( status );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2742}
2743
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2744psa_status_t psa_cipher_update( psa_cipher_operation_t *operation,
2745 const uint8_t *input,
2746 size_t input_length,
2747 unsigned char *output,
2748 size_t output_size,
2749 size_t *output_length )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2750{
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2751 psa_status_t status;
2752 int ret;
Gilles Peskine89d789c2018-06-04 17:17:16 +0200[diff] [blame]2753 size_t expected_output_size;
Gilles Peskinedaea26f2018-08-21 14:02:45 +0200[diff] [blame]2754 if( ! PSA_ALG_IS_STREAM_CIPHER( operation->alg ) )
Gilles Peskine89d789c2018-06-04 17:17:16 +0200[diff] [blame]2755 {
2756 /* Take the unprocessed partial block left over from previous
2757 * update calls, if any, plus the input to this call. Remove
2758 * the last partial block, if any. You get the data that will be
2759 * output in this call. */
2760 expected_output_size =
2761 ( operation->ctx.cipher.unprocessed_len + input_length )
2762 / operation->block_size * operation->block_size;
2763 }
2764 else
2765 {
2766 expected_output_size = input_length;
2767 }
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2768
Gilles Peskine89d789c2018-06-04 17:17:16 +0200[diff] [blame]2769 if( output_size < expected_output_size )
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2770 {
2771 status = PSA_ERROR_BUFFER_TOO_SMALL;
2772 goto exit;
2773 }
mohammad160382759612018-03-12 18:16:40 +0200[diff] [blame]2774
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2775 ret = mbedtls_cipher_update( &operation->ctx.cipher, input,
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2776 input_length, output, output_length );
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2777 status = mbedtls_to_psa_error( ret );
2778exit:
2779 if( status != PSA_SUCCESS )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2780 psa_cipher_abort( operation );
itayzafrir534bd7c2018-08-02 13:56:32 +0300[diff] [blame]2781 return( status );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2782}
2783
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2784psa_status_t psa_cipher_finish( psa_cipher_operation_t *operation,
2785 uint8_t *output,
2786 size_t output_size,
2787 size_t *output_length )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2788{
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2789 psa_status_t status = PSA_ERROR_UNKNOWN_ERROR;
2790 int cipher_ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2791 uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH];
Moran Pekerbed71a22018-04-22 20:19:20 +0300[diff] [blame]2792
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2793 if( ! operation->key_set )
Moran Pekerdc38ebc2018-04-30 15:45:34 +0300[diff] [blame]2794 {
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2795 status = PSA_ERROR_BAD_STATE;
2796 goto error;
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]2797 }
2798 if( operation->iv_required && ! operation->iv_set )
2799 {
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2800 status = PSA_ERROR_BAD_STATE;
2801 goto error;
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]2802 }
Gilles Peskinedaea26f2018-08-21 14:02:45 +0200[diff] [blame]2803
Gilles Peskine2c5219a2018-06-06 15:12:32 +0200[diff] [blame]2804 if( operation->ctx.cipher.operation == MBEDTLS_ENCRYPT &&
Gilles Peskinedaea26f2018-08-21 14:02:45 +0200[diff] [blame]2805 operation->alg == PSA_ALG_CBC_NO_PADDING &&
2806 operation->ctx.cipher.unprocessed_len != 0 )
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]2807 {
Gilles Peskinedaea26f2018-08-21 14:02:45 +0200[diff] [blame]2808 status = PSA_ERROR_INVALID_ARGUMENT;
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2809 goto error;
Moran Pekerdc38ebc2018-04-30 15:45:34 +0300[diff] [blame]2810 }
2811
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2812 cipher_ret = mbedtls_cipher_finish( &operation->ctx.cipher,
2813 temp_output_buffer,
2814 output_length );
2815 if( cipher_ret != 0 )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2816 {
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2817 status = mbedtls_to_psa_error( cipher_ret );
2818 goto error;
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2819 }
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2820
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200[diff] [blame]2821 if( *output_length == 0 )
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2822 ; /* Nothing to copy. Note that output may be NULL in this case. */
Gilles Peskine46f1fd72018-06-28 19:31:31 +0200[diff] [blame]2823 else if( output_size >= *output_length )
Moran Pekerdc38ebc2018-04-30 15:45:34 +0300[diff] [blame]2824 memcpy( output, temp_output_buffer, *output_length );
2825 else
2826 {
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2827 status = PSA_ERROR_BUFFER_TOO_SMALL;
2828 goto error;
Moran Pekerdc38ebc2018-04-30 15:45:34 +0300[diff] [blame]2829 }
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2830
Janos Follath279ab8e2018-07-09 16:13:21 +0100[diff] [blame]2831 mbedtls_zeroize( temp_output_buffer, sizeof( temp_output_buffer ) );
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2832 status = psa_cipher_abort( operation );
2833
2834 return( status );
2835
2836error:
2837
2838 *output_length = 0;
2839
Janos Follath279ab8e2018-07-09 16:13:21 +0100[diff] [blame]2840 mbedtls_zeroize( temp_output_buffer, sizeof( temp_output_buffer ) );
Janos Follath315b51c2018-07-09 16:04:51 +0100[diff] [blame]2841 (void) psa_cipher_abort( operation );
2842
2843 return( status );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2844}
2845
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2846psa_status_t psa_cipher_abort( psa_cipher_operation_t *operation )
2847{
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]2848 if( operation->alg == 0 )
Gilles Peskine81736312018-06-26 15:04:31 +0200[diff] [blame]2849 {
2850 /* The object has (apparently) been initialized but it is not
2851 * in use. It's ok to call abort on such an object, and there's
2852 * nothing to do. */
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]2853 return( PSA_SUCCESS );
Gilles Peskine81736312018-06-26 15:04:31 +0200[diff] [blame]2854 }
Gilles Peskine16c0f4f2018-06-20 16:05:20 +0200[diff] [blame]2855
Gilles Peskinef9c2c092018-06-21 16:57:07 +0200[diff] [blame]2856 /* Sanity check (shouldn't happen: operation->alg should
2857 * always have been initialized to a valid value). */
2858 if( ! PSA_ALG_IS_CIPHER( operation->alg ) )
2859 return( PSA_ERROR_BAD_STATE );
2860
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2861 mbedtls_cipher_free( &operation->ctx.cipher );
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2862
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2863 operation->alg = 0;
Moran Pekerad9d82c2018-04-30 12:31:04 +0300[diff] [blame]2864 operation->key_set = 0;
2865 operation->iv_set = 0;
2866 operation->iv_size = 0;
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2867 operation->block_size = 0;
Moran Pekerad9d82c2018-04-30 12:31:04 +0300[diff] [blame]2868 operation->iv_required = 0;
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2869
Moran Peker395db872018-05-31 14:07:14 +0300[diff] [blame]2870 return( PSA_SUCCESS );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2871}
2872
Gilles Peskinea0655c32018-04-30 17:06:50 +0200[diff] [blame]2873
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +0200[diff] [blame]2874
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2875/****************************************************************/
2876/* Key Policy */
2877/****************************************************************/
Mohammad Abo Mokha5c7b7d2018-07-04 15:57:00 +0300[diff] [blame]2878
mohammad160327010052018-07-03 13:16:15 +0300[diff] [blame]2879#if !defined(MBEDTLS_PSA_CRYPTO_SPM)
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]2880void psa_key_policy_init( psa_key_policy_t *policy )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2881{
Gilles Peskine803ce742018-06-18 16:07:14 +0200[diff] [blame]2882 memset( policy, 0, sizeof( *policy ) );
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2883}
2884
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]2885void psa_key_policy_set_usage( psa_key_policy_t *policy,
2886 psa_key_usage_t usage,
2887 psa_algorithm_t alg )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2888{
mohammad16034eed7572018-03-28 05:14:59 -0700[diff] [blame]2889 policy->usage = usage;
2890 policy->alg = alg;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2891}
2892
Gilles Peskineaa7bc472018-07-12 00:54:56 +0200[diff] [blame]2893psa_key_usage_t psa_key_policy_get_usage( const psa_key_policy_t *policy )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2894{
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]2895 return( policy->usage );
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2896}
2897
Gilles Peskineaa7bc472018-07-12 00:54:56 +0200[diff] [blame]2898psa_algorithm_t psa_key_policy_get_algorithm( const psa_key_policy_t *policy )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2899{
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]2900 return( policy->alg );
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2901}
mohammad160327010052018-07-03 13:16:15 +0300[diff] [blame]2902#endif /* !defined(MBEDTLS_PSA_CRYPTO_SPM) */
Mohammad Abo Mokha5c7b7d2018-07-04 15:57:00 +0300[diff] [blame]2903
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]2904psa_status_t psa_set_key_policy( psa_key_slot_t key,
2905 const psa_key_policy_t *policy )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2906{
2907 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2908 psa_status_t status;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2909
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2910 if( policy == NULL )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2911 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2912
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2913 status = psa_get_empty_key_slot( key, &slot );
2914 if( status != PSA_SUCCESS )
2915 return( status );
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2916
Gilles Peskinec1bb6c82018-06-18 16:04:39 +0200[diff] [blame]2917 if( ( policy->usage & ~( PSA_KEY_USAGE_EXPORT |
2918 PSA_KEY_USAGE_ENCRYPT |
2919 PSA_KEY_USAGE_DECRYPT |
2920 PSA_KEY_USAGE_SIGN |
Gilles Peskineea0fb492018-07-12 17:17:20 +0200[diff] [blame]2921 PSA_KEY_USAGE_VERIFY |
2922 PSA_KEY_USAGE_DERIVE ) ) != 0 )
mohammad16035feda722018-04-16 04:38:57 -0700[diff] [blame]2923 return( PSA_ERROR_INVALID_ARGUMENT );
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2924
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]2925 slot->policy = *policy;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2926
2927 return( PSA_SUCCESS );
2928}
2929
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]2930psa_status_t psa_get_key_policy( psa_key_slot_t key,
2931 psa_key_policy_t *policy )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2932{
2933 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2934 psa_status_t status;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2935
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2936 if( policy == NULL )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2937 return( PSA_ERROR_INVALID_ARGUMENT );
2938
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2939 status = psa_get_key_slot( key, &slot );
2940 if( status != PSA_SUCCESS )
2941 return( status );
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2942
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]2943 *policy = slot->policy;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2944
2945 return( PSA_SUCCESS );
2946}
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2947
Gilles Peskinea0655c32018-04-30 17:06:50 +0200[diff] [blame]2948
2949
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2950/****************************************************************/
2951/* Key Lifetime */
2952/****************************************************************/
2953
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]2954psa_status_t psa_get_key_lifetime( psa_key_slot_t key,
2955 psa_key_lifetime_t *lifetime )
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2956{
2957 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2958 psa_status_t status;
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2959
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2960 status = psa_get_key_slot( key, &slot );
2961 if( status != PSA_SUCCESS )
2962 return( status );
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2963
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2964 *lifetime = slot->lifetime;
2965
2966 return( PSA_SUCCESS );
2967}
2968
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]2969psa_status_t psa_set_key_lifetime( psa_key_slot_t key,
Jaeden Amero65fb2362018-06-26 13:55:30 +0100[diff] [blame]2970 psa_key_lifetime_t lifetime )
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2971{
2972 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2973 psa_status_t status;
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2974
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2975 if( lifetime != PSA_KEY_LIFETIME_VOLATILE &&
2976 lifetime != PSA_KEY_LIFETIME_PERSISTENT &&
mohammad1603ba178512018-03-21 04:35:20 -0700[diff] [blame]2977 lifetime != PSA_KEY_LIFETIME_WRITE_ONCE)
2978 return( PSA_ERROR_INVALID_ARGUMENT );
2979
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]2980 status = psa_get_empty_key_slot( key, &slot );
2981 if( status != PSA_SUCCESS )
2982 return( status );
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2983
Moran Pekerd7326592018-05-29 16:56:39 +0300[diff] [blame]2984 if( lifetime != PSA_KEY_LIFETIME_VOLATILE )
mohammad1603ba178512018-03-21 04:35:20 -0700[diff] [blame]2985 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2986
mohammad1603060ad8a2018-03-20 14:28:38 -0700[diff] [blame]2987 slot->lifetime = lifetime;
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2988
2989 return( PSA_SUCCESS );
2990}
2991
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2992
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +0200[diff] [blame]2993
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2994/****************************************************************/
2995/* AEAD */
2996/****************************************************************/
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +0200[diff] [blame]2997
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]2998typedef struct
2999{
3000 key_slot_t *slot;
3001 const mbedtls_cipher_info_t *cipher_info;
3002 union
3003 {
3004#if defined(MBEDTLS_CCM_C)
3005 mbedtls_ccm_context ccm;
3006#endif /* MBEDTLS_CCM_C */
3007#if defined(MBEDTLS_GCM_C)
3008 mbedtls_gcm_context gcm;
3009#endif /* MBEDTLS_GCM_C */
3010 } ctx;
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]3011 psa_algorithm_t core_alg;
3012 uint8_t full_tag_length;
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3013 uint8_t tag_length;
3014} aead_operation_t;
3015
Gilles Peskinef8a8fe62018-08-21 16:38:05 +0200[diff] [blame]3016static void psa_aead_abort( aead_operation_t *operation )
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3017{
Gilles Peskinef8a8fe62018-08-21 16:38:05 +0200[diff] [blame]3018 switch( operation->core_alg )
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3019 {
3020#if defined(MBEDTLS_CCM_C)
3021 case PSA_ALG_CCM:
3022 mbedtls_ccm_free( &operation->ctx.ccm );
3023 break;
3024#endif /* MBEDTLS_CCM_C */
3025#if defined(MBEDTLS_CCM_C)
3026 case PSA_ALG_GCM:
3027 mbedtls_gcm_free( &operation->ctx.gcm );
3028 break;
3029#endif /* MBEDTLS_GCM_C */
3030 }
3031}
3032
3033static psa_status_t psa_aead_setup( aead_operation_t *operation,
3034 psa_key_slot_t key,
3035 psa_key_usage_t usage,
3036 psa_algorithm_t alg )
3037{
3038 psa_status_t status;
3039 size_t key_bits;
3040 mbedtls_cipher_id_t cipher_id;
3041
3042 status = psa_get_key_from_slot( key, &operation->slot, usage, alg );
3043 if( status != PSA_SUCCESS )
3044 return( status );
3045
3046 key_bits = psa_get_key_bits( operation->slot );
3047
3048 operation->cipher_info =
3049 mbedtls_cipher_info_from_psa( alg, operation->slot->type, key_bits,
3050 &cipher_id );
3051 if( operation->cipher_info == NULL )
3052 return( PSA_ERROR_NOT_SUPPORTED );
3053
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]3054 switch( PSA_ALG_AEAD_WITH_TAG_LENGTH( alg, 0 ) )
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3055 {
3056#if defined(MBEDTLS_CCM_C)
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]3057 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CCM, 0 ):
3058 operation->core_alg = PSA_ALG_CCM;
3059 operation->full_tag_length = 16;
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3060 if( PSA_BLOCK_CIPHER_BLOCK_SIZE( operation->slot->type ) != 16 )
3061 return( PSA_ERROR_INVALID_ARGUMENT );
3062 mbedtls_ccm_init( &operation->ctx.ccm );
3063 status = mbedtls_to_psa_error(
3064 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
3065 operation->slot->data.raw.data,
3066 (unsigned int) key_bits ) );
3067 if( status != 0 )
3068 goto cleanup;
3069 break;
3070#endif /* MBEDTLS_CCM_C */
3071
3072#if defined(MBEDTLS_GCM_C)
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]3073 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_GCM, 0 ):
3074 operation->core_alg = PSA_ALG_GCM;
3075 operation->full_tag_length = 16;
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3076 if( PSA_BLOCK_CIPHER_BLOCK_SIZE( operation->slot->type ) != 16 )
3077 return( PSA_ERROR_INVALID_ARGUMENT );
3078 mbedtls_gcm_init( &operation->ctx.gcm );
3079 status = mbedtls_to_psa_error(
3080 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
3081 operation->slot->data.raw.data,
3082 (unsigned int) key_bits ) );
3083 break;
3084#endif /* MBEDTLS_GCM_C */
3085
3086 default:
3087 return( PSA_ERROR_NOT_SUPPORTED );
3088 }
3089
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]3090 if( PSA_AEAD_TAG_LENGTH( alg ) > operation->full_tag_length )
3091 {
3092 status = PSA_ERROR_INVALID_ARGUMENT;
3093 goto cleanup;
3094 }
3095 operation->tag_length = PSA_AEAD_TAG_LENGTH( alg );
3096 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
3097 * GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
3098 * In both cases, mbedtls_xxx will validate the tag length below. */
3099
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3100 return( PSA_SUCCESS );
3101
3102cleanup:
Gilles Peskinef8a8fe62018-08-21 16:38:05 +0200[diff] [blame]3103 psa_aead_abort( operation );
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3104 return( status );
3105}
3106
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3107psa_status_t psa_aead_encrypt( psa_key_slot_t key,
3108 psa_algorithm_t alg,
3109 const uint8_t *nonce,
3110 size_t nonce_length,
3111 const uint8_t *additional_data,
3112 size_t additional_data_length,
3113 const uint8_t *plaintext,
3114 size_t plaintext_length,
3115 uint8_t *ciphertext,
3116 size_t ciphertext_size,
3117 size_t *ciphertext_length )
3118{
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3119 psa_status_t status;
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3120 aead_operation_t operation;
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]3121 uint8_t *tag;
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]3122
mohammad1603f08a5502018-06-03 15:05:47 +0300[diff] [blame]3123 *ciphertext_length = 0;
mohammad1603e58e6842018-05-09 04:58:32 -0700[diff] [blame]3124
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3125 status = psa_aead_setup( &operation, key, PSA_KEY_USAGE_ENCRYPT, alg );
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]3126 if( status != PSA_SUCCESS )
3127 return( status );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3128
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3129 /* For all currently supported modes, the tag is at the end of the
3130 * ciphertext. */
3131 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
3132 {
3133 status = PSA_ERROR_BUFFER_TOO_SMALL;
3134 goto exit;
3135 }
3136 tag = ciphertext + plaintext_length;
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3137
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]3138 if( operation.core_alg == PSA_ALG_GCM )
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3139 {
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3140 status = mbedtls_to_psa_error(
3141 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
3142 MBEDTLS_GCM_ENCRYPT,
3143 plaintext_length,
3144 nonce, nonce_length,
3145 additional_data, additional_data_length,
3146 plaintext, ciphertext,
3147 operation.tag_length, tag ) );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3148 }
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]3149 else if( operation.core_alg == PSA_ALG_CCM )
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3150 {
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3151 status = mbedtls_to_psa_error(
3152 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
3153 plaintext_length,
3154 nonce, nonce_length,
3155 additional_data,
3156 additional_data_length,
3157 plaintext, ciphertext,
3158 tag, operation.tag_length ) );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3159 }
mohammad16035c8845f2018-05-09 05:40:09 -0700[diff] [blame]3160 else
3161 {
mohammad1603554faad2018-06-03 15:07:38 +0300[diff] [blame]3162 return( PSA_ERROR_NOT_SUPPORTED );
mohammad16035c8845f2018-05-09 05:40:09 -0700[diff] [blame]3163 }
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]3164
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3165 if( status != PSA_SUCCESS && ciphertext_size != 0 )
3166 memset( ciphertext, 0, ciphertext_size );
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]3167
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3168exit:
Gilles Peskinef8a8fe62018-08-21 16:38:05 +0200[diff] [blame]3169 psa_aead_abort( &operation );
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3170 if( status == PSA_SUCCESS )
3171 *ciphertext_length = plaintext_length + operation.tag_length;
3172 return( status );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3173}
3174
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]3175/* Locate the tag in a ciphertext buffer containing the encrypted data
3176 * followed by the tag. Return the length of the part preceding the tag in
3177 * *plaintext_length. This is the size of the plaintext in modes where
3178 * the encrypted data has the same size as the plaintext, such as
3179 * CCM and GCM. */
3180static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
3181 const uint8_t *ciphertext,
3182 size_t ciphertext_length,
3183 size_t plaintext_size,
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]3184 const uint8_t **p_tag )
3185{
3186 size_t payload_length;
3187 if( tag_length > ciphertext_length )
3188 return( PSA_ERROR_INVALID_ARGUMENT );
3189 payload_length = ciphertext_length - tag_length;
3190 if( payload_length > plaintext_size )
3191 return( PSA_ERROR_BUFFER_TOO_SMALL );
3192 *p_tag = ciphertext + payload_length;
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]3193 return( PSA_SUCCESS );
3194}
3195
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3196psa_status_t psa_aead_decrypt( psa_key_slot_t key,
3197 psa_algorithm_t alg,
3198 const uint8_t *nonce,
3199 size_t nonce_length,
3200 const uint8_t *additional_data,
3201 size_t additional_data_length,
3202 const uint8_t *ciphertext,
3203 size_t ciphertext_length,
3204 uint8_t *plaintext,
3205 size_t plaintext_size,
3206 size_t *plaintext_length )
3207{
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3208 psa_status_t status;
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3209 aead_operation_t operation;
3210 const uint8_t *tag = NULL;
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame]3211
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]3212 *plaintext_length = 0;
mohammad16039e5a5152018-04-26 12:07:35 +0300[diff] [blame]3213
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3214 status = psa_aead_setup( &operation, key, PSA_KEY_USAGE_DECRYPT, alg );
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]3215 if( status != PSA_SUCCESS )
3216 return( status );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3217
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]3218 if( operation.core_alg == PSA_ALG_GCM )
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3219 {
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3220 status = psa_aead_unpadded_locate_tag( operation.tag_length,
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]3221 ciphertext, ciphertext_length,
mohammad160360a64d02018-06-03 17:20:42 +0300[diff] [blame]3222 plaintext_size, &tag );
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]3223 if( status != PSA_SUCCESS )
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3224 goto exit;
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]3225
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3226 status = mbedtls_to_psa_error(
3227 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
3228 ciphertext_length - operation.tag_length,
3229 nonce, nonce_length,
3230 additional_data,
3231 additional_data_length,
3232 tag, operation.tag_length,
3233 ciphertext, plaintext ) );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3234 }
Gilles Peskine23cc2ff2018-08-17 19:47:52 +0200[diff] [blame]3235 else if( operation.core_alg == PSA_ALG_CCM )
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3236 {
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3237 status = psa_aead_unpadded_locate_tag( operation.tag_length,
mohammad16039375f842018-06-03 14:28:24 +0300[diff] [blame]3238 ciphertext, ciphertext_length,
mohammad160360a64d02018-06-03 17:20:42 +0300[diff] [blame]3239 plaintext_size, &tag );
mohammad16039375f842018-06-03 14:28:24 +0300[diff] [blame]3240 if( status != PSA_SUCCESS )
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3241 goto exit;
mohammad16039375f842018-06-03 14:28:24 +0300[diff] [blame]3242
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3243 status = mbedtls_to_psa_error(
3244 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
3245 ciphertext_length - operation.tag_length,
3246 nonce, nonce_length,
3247 additional_data,
3248 additional_data_length,
3249 ciphertext, plaintext,
3250 tag, operation.tag_length ) );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3251 }
mohammad160339574652018-06-01 04:39:53 -0700[diff] [blame]3252 else
3253 {
mohammad1603554faad2018-06-03 15:07:38 +0300[diff] [blame]3254 return( PSA_ERROR_NOT_SUPPORTED );
mohammad160339574652018-06-01 04:39:53 -0700[diff] [blame]3255 }
Gilles Peskinea40d7742018-06-01 16:28:30 +0200[diff] [blame]3256
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3257 if( status != PSA_SUCCESS && plaintext_size != 0 )
3258 memset( plaintext, 0, plaintext_size );
mohammad160360a64d02018-06-03 17:20:42 +0300[diff] [blame]3259
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3260exit:
Gilles Peskinef8a8fe62018-08-21 16:38:05 +0200[diff] [blame]3261 psa_aead_abort( &operation );
Gilles Peskineedf9a652018-08-17 18:11:56 +0200[diff] [blame]3262 if( status == PSA_SUCCESS )
3263 *plaintext_length = ciphertext_length - operation.tag_length;
3264 return( status );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]3265}
3266
Gilles Peskinea0655c32018-04-30 17:06:50 +0200[diff] [blame]3267
Gilles Peskine7bcfc0a2018-06-18 21:49:39 +0200[diff] [blame]3268
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]3269/****************************************************************/
Gilles Peskineeab56e42018-07-12 17:12:33 +0200[diff] [blame]3270/* Generators */
3271/****************************************************************/
3272
3273psa_status_t psa_generator_abort( psa_crypto_generator_t *generator )
3274{
3275 psa_status_t status = PSA_SUCCESS;
3276 if( generator->alg == 0 )
3277 {
3278 /* The object has (apparently) been initialized but it is not
3279 * in use. It's ok to call abort on such an object, and there's
3280 * nothing to do. */
3281 }
3282 else
Gilles Peskine751d9652018-09-18 12:05:44 +0200[diff] [blame]3283 if( generator->alg == PSA_ALG_SELECT_RAW )
3284 {
3285 if( generator->ctx.buffer.data != NULL )
3286 {
3287 mbedtls_zeroize( generator->ctx.buffer.data,
3288 generator->ctx.buffer.size );
3289 mbedtls_free( generator->ctx.buffer.data );
3290 }
3291 }
3292 else
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3293#if defined(MBEDTLS_MD_C)
3294 if( PSA_ALG_IS_HKDF( generator->alg ) )
3295 {
3296 mbedtls_free( generator->ctx.hkdf.info );
3297 status = psa_hmac_abort_internal( &generator->ctx.hkdf.hmac );
3298 }
Hanno Becker1aaedc02018-11-16 11:35:34 +0000[diff] [blame]3299 else if( PSA_ALG_IS_TLS12_PRF( generator->alg ) ||
3300 /* TLS-1.2 PSK-to-MS KDF uses the same generator as TLS-1.2 PRF */
3301 PSA_ALG_IS_TLS12_PSK_TO_MS( generator->alg ) )
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3302 {
3303 if( generator->ctx.tls12_prf.key != NULL )
3304 {
3305 mbedtls_zeroize( generator->ctx.tls12_prf.key,
3306 generator->ctx.tls12_prf.key_len );
3307 mbedtls_free( generator->ctx.tls12_prf.key );
3308 }
Hanno Becker580fba12018-11-13 20:50:45 +0000[diff] [blame]3309
3310 if( generator->ctx.tls12_prf.Ai_with_seed != NULL )
3311 {
3312 mbedtls_zeroize( generator->ctx.tls12_prf.Ai_with_seed,
3313 generator->ctx.tls12_prf.Ai_with_seed_len );
3314 mbedtls_free( generator->ctx.tls12_prf.Ai_with_seed );
3315 }
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3316 }
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3317 else
3318#endif /* MBEDTLS_MD_C */
Gilles Peskineeab56e42018-07-12 17:12:33 +0200[diff] [blame]3319 {
3320 status = PSA_ERROR_BAD_STATE;
3321 }
3322 memset( generator, 0, sizeof( *generator ) );
3323 return( status );
3324}
3325
3326
3327psa_status_t psa_get_generator_capacity(const psa_crypto_generator_t *generator,
3328 size_t *capacity)
3329{
3330 *capacity = generator->capacity;
3331 return( PSA_SUCCESS );
3332}
3333
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3334#if defined(MBEDTLS_MD_C)
3335/* Read some bytes from an HKDF-based generator. This performs a chunk
3336 * of the expand phase of the HKDF algorithm. */
3337static psa_status_t psa_generator_hkdf_read( psa_hkdf_generator_t *hkdf,
3338 psa_algorithm_t hash_alg,
3339 uint8_t *output,
3340 size_t output_length )
3341{
3342 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
3343 psa_status_t status;
3344
3345 while( output_length != 0 )
3346 {
3347 /* Copy what remains of the current block */
3348 uint8_t n = hash_length - hkdf->offset_in_block;
3349 if( n > output_length )
3350 n = (uint8_t) output_length;
3351 memcpy( output, hkdf->output_block + hkdf->offset_in_block, n );
3352 output += n;
3353 output_length -= n;
3354 hkdf->offset_in_block += n;
Gilles Peskined54931c2018-07-17 21:06:59 +0200[diff] [blame]3355 if( output_length == 0 )
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3356 break;
Gilles Peskined54931c2018-07-17 21:06:59 +0200[diff] [blame]3357 /* We can't be wanting more output after block 0xff, otherwise
3358 * the capacity check in psa_generator_read() would have
3359 * prevented this call. It could happen only if the generator
3360 * object was corrupted or if this function is called directly
3361 * inside the library. */
3362 if( hkdf->block_number == 0xff )
3363 return( PSA_ERROR_BAD_STATE );
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3364
3365 /* We need a new block */
3366 ++hkdf->block_number;
3367 hkdf->offset_in_block = 0;
3368 status = psa_hmac_setup_internal( &hkdf->hmac,
3369 hkdf->prk, hash_length,
3370 hash_alg );
3371 if( status != PSA_SUCCESS )
3372 return( status );
3373 if( hkdf->block_number != 1 )
3374 {
3375 status = psa_hash_update( &hkdf->hmac.hash_ctx,
3376 hkdf->output_block,
3377 hash_length );
3378 if( status != PSA_SUCCESS )
3379 return( status );
3380 }
3381 status = psa_hash_update( &hkdf->hmac.hash_ctx,
3382 hkdf->info,
3383 hkdf->info_length );
3384 if( status != PSA_SUCCESS )
3385 return( status );
3386 status = psa_hash_update( &hkdf->hmac.hash_ctx,
3387 &hkdf->block_number, 1 );
3388 if( status != PSA_SUCCESS )
3389 return( status );
3390 status = psa_hmac_finish_internal( &hkdf->hmac,
3391 hkdf->output_block,
3392 sizeof( hkdf->output_block ) );
3393 if( status != PSA_SUCCESS )
3394 return( status );
3395 }
3396
3397 return( PSA_SUCCESS );
3398}
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3399
3400static psa_status_t psa_generator_tls12_prf_generate_next_block(
3401 psa_tls12_prf_generator_t *tls12_prf,
3402 psa_algorithm_t alg )
3403{
3404 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg );
3405 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
3406 psa_hmac_internal_data hmac;
3407 psa_status_t status, cleanup_status;
3408
Hanno Becker3b339e22018-11-13 20:56:14 +0000[diff] [blame]3409 unsigned char *Ai;
3410 size_t Ai_len;
3411
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3412 /* We can't be wanting more output after block 0xff, otherwise
3413 * the capacity check in psa_generator_read() would have
3414 * prevented this call. It could happen only if the generator
3415 * object was corrupted or if this function is called directly
3416 * inside the library. */
3417 if( tls12_prf->block_number == 0xff )
3418 return( PSA_ERROR_BAD_STATE );
3419
3420 /* We need a new block */
3421 ++tls12_prf->block_number;
3422 tls12_prf->offset_in_block = 0;
3423
3424 /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
3425 *
3426 * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
3427 *
3428 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
3429 * HMAC_hash(secret, A(2) + seed) +
3430 * HMAC_hash(secret, A(3) + seed) + ...
3431 *
3432 * A(0) = seed
3433 * A(i) = HMAC_hash( secret, A(i-1) )
3434 *
3435 * The `psa_tls12_prf_generator` structures saves the block
3436 * `HMAC_hash(secret, A(i) + seed)` from which the output
3437 * is currently extracted as `output_block`, while
3438 * `A(i) + seed` is stored in `Ai_with_seed`.
3439 *
3440 * Generating a new block means recalculating `Ai_with_seed`
3441 * from the A(i)-part of it, and afterwards recalculating
3442 * `output_block`.
3443 *
3444 * A(0) is computed at setup time.
3445 *
3446 */
3447
3448 psa_hmac_init_internal( &hmac );
3449
3450 /* We must distinguish the calculation of A(1) from those
3451 * of A(2) and higher, because A(0)=seed has a different
3452 * length than the other A(i). */
3453 if( tls12_prf->block_number == 1 )
3454 {
Hanno Becker3b339e22018-11-13 20:56:14 +0000[diff] [blame]3455 Ai = tls12_prf->Ai_with_seed + hash_length;
3456 Ai_len = tls12_prf->Ai_with_seed_len - hash_length;
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3457 }
3458 else
3459 {
Hanno Becker3b339e22018-11-13 20:56:14 +0000[diff] [blame]3460 Ai = tls12_prf->Ai_with_seed;
3461 Ai_len = hash_length;
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3462 }
3463
Hanno Becker3b339e22018-11-13 20:56:14 +0000[diff] [blame]3464 /* Compute A(i+1) = HMAC_hash(secret, A(i)) */
3465 status = psa_hmac_setup_internal( &hmac,
3466 tls12_prf->key,
3467 tls12_prf->key_len,
3468 hash_alg );
3469 if( status != PSA_SUCCESS )
3470 goto cleanup;
3471
3472 status = psa_hash_update( &hmac.hash_ctx,
3473 Ai, Ai_len );
3474 if( status != PSA_SUCCESS )
3475 goto cleanup;
3476
3477 status = psa_hmac_finish_internal( &hmac,
3478 tls12_prf->Ai_with_seed,
3479 hash_length );
3480 if( status != PSA_SUCCESS )
3481 goto cleanup;
3482
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3483 /* Compute the next block `HMAC_hash(secret, A(i+1) + seed)`. */
3484 status = psa_hmac_setup_internal( &hmac,
3485 tls12_prf->key,
3486 tls12_prf->key_len,
3487 hash_alg );
3488 if( status != PSA_SUCCESS )
3489 goto cleanup;
3490
3491 status = psa_hash_update( &hmac.hash_ctx,
3492 tls12_prf->Ai_with_seed,
Hanno Becker580fba12018-11-13 20:50:45 +0000[diff] [blame]3493 tls12_prf->Ai_with_seed_len );
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3494 if( status != PSA_SUCCESS )
3495 goto cleanup;
3496
3497 status = psa_hmac_finish_internal( &hmac,
3498 tls12_prf->output_block,
3499 hash_length );
3500 if( status != PSA_SUCCESS )
3501 goto cleanup;
3502
3503cleanup:
3504
3505 cleanup_status = psa_hmac_abort_internal( &hmac );
3506 if( status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS )
3507 status = cleanup_status;
3508
3509 return( status );
3510}
3511
3512/* Read some bytes from an TLS-1.2-PRF-based generator.
3513 * See Section 5 of RFC 5246. */
3514static psa_status_t psa_generator_tls12_prf_read(
3515 psa_tls12_prf_generator_t *tls12_prf,
3516 psa_algorithm_t alg,
3517 uint8_t *output,
3518 size_t output_length )
3519{
3520 psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg );
3521 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
3522 psa_status_t status;
3523
3524 while( output_length != 0 )
3525 {
3526 /* Copy what remains of the current block */
3527 uint8_t n = hash_length - tls12_prf->offset_in_block;
3528
3529 /* Check if we have fully processed the current block. */
3530 if( n == 0 )
3531 {
3532 status = psa_generator_tls12_prf_generate_next_block( tls12_prf,
3533 alg );
3534 if( status != PSA_SUCCESS )
3535 return( status );
3536
3537 continue;
3538 }
3539
3540 if( n > output_length )
3541 n = (uint8_t) output_length;
3542 memcpy( output, tls12_prf->output_block + tls12_prf->offset_in_block,
3543 n );
3544 output += n;
3545 output_length -= n;
3546 tls12_prf->offset_in_block += n;
3547 }
3548
3549 return( PSA_SUCCESS );
3550}
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3551#endif /* MBEDTLS_MD_C */
3552
Gilles Peskineeab56e42018-07-12 17:12:33 +0200[diff] [blame]3553psa_status_t psa_generator_read( psa_crypto_generator_t *generator,
3554 uint8_t *output,
3555 size_t output_length )
3556{
3557 psa_status_t status;
3558
3559 if( output_length > generator->capacity )
3560 {
3561 generator->capacity = 0;
3562 /* Go through the error path to wipe all confidential data now
3563 * that the generator object is useless. */
3564 status = PSA_ERROR_INSUFFICIENT_CAPACITY;
3565 goto exit;
3566 }
3567 if( output_length == 0 &&
3568 generator->capacity == 0 && generator->alg == 0 )
3569 {
3570 /* Edge case: this is a blank or finished generator, and 0
3571 * bytes were requested. The right error in this case could
3572 * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
3573 * INSUFFICIENT_CAPACITY, which is right for a finished
3574 * generator, for consistency with the case when
3575 * output_length > 0. */
3576 return( PSA_ERROR_INSUFFICIENT_CAPACITY );
3577 }
3578 generator->capacity -= output_length;
3579
Gilles Peskine751d9652018-09-18 12:05:44 +0200[diff] [blame]3580 if( generator->alg == PSA_ALG_SELECT_RAW )
3581 {
Gilles Peskine211a4362018-10-25 22:22:31 +0200[diff] [blame]3582 /* Initially, the capacity of a selection generator is always
3583 * the size of the buffer, i.e. `generator->ctx.buffer.size`,
3584 * abbreviated in this comment as `size`. When the remaining
3585 * capacity is `c`, the next bytes to serve start `c` bytes
3586 * from the end of the buffer, i.e. `size - c` from the
3587 * beginning of the buffer. Since `generator->capacity` was just
3588 * decremented above, we need to serve the bytes from
3589 * `size - generator->capacity - output_length` to
3590 * `size - generator->capacity`. */
Gilles Peskine751d9652018-09-18 12:05:44 +0200[diff] [blame]3591 size_t offset =
3592 generator->ctx.buffer.size - generator->capacity - output_length;
3593 memcpy( output, generator->ctx.buffer.data + offset, output_length );
3594 status = PSA_SUCCESS;
3595 }
3596 else
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3597#if defined(MBEDTLS_MD_C)
3598 if( PSA_ALG_IS_HKDF( generator->alg ) )
3599 {
3600 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( generator->alg );
3601 status = psa_generator_hkdf_read( &generator->ctx.hkdf, hash_alg,
3602 output, output_length );
3603 }
Hanno Becker1aaedc02018-11-16 11:35:34 +0000[diff] [blame]3604 else if( PSA_ALG_IS_TLS12_PRF( generator->alg ) ||
3605 PSA_ALG_IS_TLS12_PSK_TO_MS( generator->alg ) )
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3606 {
3607 status = psa_generator_tls12_prf_read( &generator->ctx.tls12_prf,
3608 generator->alg, output,
3609 output_length );
3610 }
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3611 else
3612#endif /* MBEDTLS_MD_C */
Gilles Peskineeab56e42018-07-12 17:12:33 +0200[diff] [blame]3613 {
3614 return( PSA_ERROR_BAD_STATE );
3615 }
3616
3617exit:
3618 if( status != PSA_SUCCESS )
3619 {
3620 psa_generator_abort( generator );
3621 memset( output, '!', output_length );
3622 }
3623 return( status );
3624}
3625
Gilles Peskine08542d82018-07-19 17:05:42 +0200[diff] [blame]3626#if defined(MBEDTLS_DES_C)
3627static void psa_des_set_key_parity( uint8_t *data, size_t data_size )
3628{
3629 if( data_size >= 8 )
3630 mbedtls_des_key_set_parity( data );
3631 if( data_size >= 16 )
3632 mbedtls_des_key_set_parity( data + 8 );
3633 if( data_size >= 24 )
3634 mbedtls_des_key_set_parity( data + 16 );
3635}
3636#endif /* MBEDTLS_DES_C */
3637
Gilles Peskineeab56e42018-07-12 17:12:33 +0200[diff] [blame]3638psa_status_t psa_generator_import_key( psa_key_slot_t key,
3639 psa_key_type_t type,
3640 size_t bits,
3641 psa_crypto_generator_t *generator )
3642{
3643 uint8_t *data = NULL;
3644 size_t bytes = PSA_BITS_TO_BYTES( bits );
3645 psa_status_t status;
3646
3647 if( ! key_type_is_raw_bytes( type ) )
3648 return( PSA_ERROR_INVALID_ARGUMENT );
3649 if( bits % 8 != 0 )
3650 return( PSA_ERROR_INVALID_ARGUMENT );
3651 data = mbedtls_calloc( 1, bytes );
3652 if( data == NULL )
3653 return( PSA_ERROR_INSUFFICIENT_MEMORY );
3654
3655 status = psa_generator_read( generator, data, bytes );
3656 if( status != PSA_SUCCESS )
3657 goto exit;
Gilles Peskine08542d82018-07-19 17:05:42 +0200[diff] [blame]3658#if defined(MBEDTLS_DES_C)
3659 if( type == PSA_KEY_TYPE_DES )
3660 psa_des_set_key_parity( data, bytes );
3661#endif /* MBEDTLS_DES_C */
Gilles Peskineeab56e42018-07-12 17:12:33 +0200[diff] [blame]3662 status = psa_import_key( key, type, data, bytes );
3663
3664exit:
3665 mbedtls_free( data );
3666 return( status );
3667}
3668
3669
3670
3671/****************************************************************/
Gilles Peskineea0fb492018-07-12 17:17:20 +0200[diff] [blame]3672/* Key derivation */
3673/****************************************************************/
3674
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]3675#if defined(MBEDTLS_MD_C)
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3676/* Set up an HKDF-based generator. This is exactly the extract phase
Gilles Peskine346797d2018-11-16 16:05:06 +0100[diff] [blame]3677 * of the HKDF algorithm.
3678 *
3679 * Note that if this function fails, you must call psa_generator_abort()
3680 * to potentially free embedded data structures and wipe confidential data.
3681 */
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3682static psa_status_t psa_generator_hkdf_setup( psa_hkdf_generator_t *hkdf,
Gilles Peskinecce18ae2018-09-18 12:03:52 +0200[diff] [blame]3683 const uint8_t *secret,
3684 size_t secret_length,
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3685 psa_algorithm_t hash_alg,
3686 const uint8_t *salt,
3687 size_t salt_length,
3688 const uint8_t *label,
3689 size_t label_length )
3690{
3691 psa_status_t status;
3692 status = psa_hmac_setup_internal( &hkdf->hmac,
3693 salt, salt_length,
Gilles Peskine00709fa2018-08-22 18:25:41 +0200[diff] [blame]3694 PSA_ALG_HMAC_GET_HASH( hash_alg ) );
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3695 if( status != PSA_SUCCESS )
3696 return( status );
Gilles Peskinecce18ae2018-09-18 12:03:52 +0200[diff] [blame]3697 status = psa_hash_update( &hkdf->hmac.hash_ctx, secret, secret_length );
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3698 if( status != PSA_SUCCESS )
3699 return( status );
3700 status = psa_hmac_finish_internal( &hkdf->hmac,
3701 hkdf->prk,
3702 sizeof( hkdf->prk ) );
3703 if( status != PSA_SUCCESS )
3704 return( status );
3705 hkdf->offset_in_block = PSA_HASH_SIZE( hash_alg );
3706 hkdf->block_number = 0;
3707 hkdf->info_length = label_length;
3708 if( label_length != 0 )
3709 {
3710 hkdf->info = mbedtls_calloc( 1, label_length );
3711 if( hkdf->info == NULL )
3712 return( PSA_ERROR_INSUFFICIENT_MEMORY );
3713 memcpy( hkdf->info, label, label_length );
3714 }
3715 return( PSA_SUCCESS );
3716}
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]3717#endif /* MBEDTLS_MD_C */
Gilles Peskinebef7f142018-07-12 17:22:21 +0200[diff] [blame]3718
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]3719#if defined(MBEDTLS_MD_C)
Gilles Peskine346797d2018-11-16 16:05:06 +0100[diff] [blame]3720/* Set up a TLS-1.2-prf-based generator (see RFC 5246, Section 5).
3721 *
3722 * Note that if this function fails, you must call psa_generator_abort()
3723 * to potentially free embedded data structures and wipe confidential data.
3724 */
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3725static psa_status_t psa_generator_tls12_prf_setup(
3726 psa_tls12_prf_generator_t *tls12_prf,
3727 const unsigned char *key,
3728 size_t key_len,
3729 psa_algorithm_t hash_alg,
3730 const uint8_t *salt,
3731 size_t salt_length,
3732 const uint8_t *label,
3733 size_t label_length )
3734{
3735 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
Hanno Becker580fba12018-11-13 20:50:45 +0000[diff] [blame]3736 size_t Ai_with_seed_len = hash_length + salt_length + label_length;
3737 int overflow;
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3738
3739 tls12_prf->key = mbedtls_calloc( 1, key_len );
3740 if( tls12_prf->key == NULL )
3741 return( PSA_ERROR_INSUFFICIENT_MEMORY );
3742 tls12_prf->key_len = key_len;
3743 memcpy( tls12_prf->key, key, key_len );
3744
Hanno Becker580fba12018-11-13 20:50:45 +0000[diff] [blame]3745 overflow = ( salt_length + label_length < salt_length ) ||
3746 ( salt_length + label_length + hash_length < hash_length );
3747 if( overflow )
3748 return( PSA_ERROR_INVALID_ARGUMENT );
3749
3750 tls12_prf->Ai_with_seed = mbedtls_calloc( 1, Ai_with_seed_len );
3751 if( tls12_prf->Ai_with_seed == NULL )
3752 return( PSA_ERROR_INSUFFICIENT_MEMORY );
3753 tls12_prf->Ai_with_seed_len = Ai_with_seed_len;
3754
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3755 /* Write `label + seed' at the end of the `A(i) + seed` buffer,
3756 * leaving the initial `hash_length` bytes unspecified for now. */
Hanno Becker353e4532018-11-15 09:53:57 +0000[diff] [blame]3757 if( label_length != 0 )
3758 {
3759 memcpy( tls12_prf->Ai_with_seed + hash_length,
3760 label, label_length );
3761 }
3762
3763 if( salt_length != 0 )
3764 {
3765 memcpy( tls12_prf->Ai_with_seed + hash_length + label_length,
3766 salt, salt_length );
3767 }
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3768
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3769 /* The first block gets generated when
3770 * psa_generator_read() is called. */
3771 tls12_prf->block_number = 0;
3772 tls12_prf->offset_in_block = hash_length;
3773
3774 return( PSA_SUCCESS );
3775}
Hanno Becker1aaedc02018-11-16 11:35:34 +0000[diff] [blame]3776
3777/* Set up a TLS-1.2-PSK-to-MS-based generator. */
3778static psa_status_t psa_generator_tls12_psk_to_ms_setup(
3779 psa_tls12_prf_generator_t *tls12_prf,
3780 const unsigned char *psk,
3781 size_t psk_len,
3782 psa_algorithm_t hash_alg,
3783 const uint8_t *salt,
3784 size_t salt_length,
3785 const uint8_t *label,
3786 size_t label_length )
3787{
3788 psa_status_t status;
3789 unsigned char pms[ 4 + 2 * PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ];
3790
3791 if( psk_len > PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN )
3792 return( PSA_ERROR_INVALID_ARGUMENT );
3793
3794 /* Quoting RFC 4279, Section 2:
3795 *
3796 * The premaster secret is formed as follows: if the PSK is N octets
3797 * long, concatenate a uint16 with the value N, N zero octets, a second
3798 * uint16 with the value N, and the PSK itself.
3799 */
3800
3801 pms[0] = ( psk_len >> 8 ) & 0xff;
3802 pms[1] = ( psk_len >> 0 ) & 0xff;
3803 memset( pms + 2, 0, psk_len );
3804 pms[2 + psk_len + 0] = pms[0];
3805 pms[2 + psk_len + 1] = pms[1];
3806 memcpy( pms + 4 + psk_len, psk, psk_len );
3807
3808 status = psa_generator_tls12_prf_setup( tls12_prf,
3809 pms, 4 + 2 * psk_len,
3810 hash_alg,
3811 salt, salt_length,
3812 label, label_length );
3813
3814 mbedtls_zeroize( pms, sizeof( pms ) );
3815 return( status );
3816}
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]3817#endif /* MBEDTLS_MD_C */
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3818
Gilles Peskine346797d2018-11-16 16:05:06 +0100[diff] [blame]3819/* Note that if this function fails, you must call psa_generator_abort()
3820 * to potentially free embedded data structures and wipe confidential data.
3821 */
Gilles Peskinecce18ae2018-09-18 12:03:52 +0200[diff] [blame]3822static psa_status_t psa_key_derivation_internal(
3823 psa_crypto_generator_t *generator,
3824 const uint8_t *secret, size_t secret_length,
3825 psa_algorithm_t alg,
3826 const uint8_t *salt, size_t salt_length,
3827 const uint8_t *label, size_t label_length,
3828 size_t capacity )
3829{
3830 psa_status_t status;
3831 size_t max_capacity;
3832
3833 /* Set generator->alg even on failure so that abort knows what to do. */
3834 generator->alg = alg;
3835
Gilles Peskine751d9652018-09-18 12:05:44 +0200[diff] [blame]3836 if( alg == PSA_ALG_SELECT_RAW )
3837 {
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]3838 (void) salt;
Gilles Peskine751d9652018-09-18 12:05:44 +0200[diff] [blame]3839 if( salt_length != 0 )
3840 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]3841 (void) label;
Gilles Peskine751d9652018-09-18 12:05:44 +0200[diff] [blame]3842 if( label_length != 0 )
3843 return( PSA_ERROR_INVALID_ARGUMENT );
3844 generator->ctx.buffer.data = mbedtls_calloc( 1, secret_length );
3845 if( generator->ctx.buffer.data == NULL )
3846 return( PSA_ERROR_INSUFFICIENT_MEMORY );
3847 memcpy( generator->ctx.buffer.data, secret, secret_length );
3848 generator->ctx.buffer.size = secret_length;
3849 max_capacity = secret_length;
3850 status = PSA_SUCCESS;
3851 }
3852 else
Gilles Peskinecce18ae2018-09-18 12:03:52 +0200[diff] [blame]3853#if defined(MBEDTLS_MD_C)
3854 if( PSA_ALG_IS_HKDF( alg ) )
3855 {
3856 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg );
3857 size_t hash_size = PSA_HASH_SIZE( hash_alg );
3858 if( hash_size == 0 )
3859 return( PSA_ERROR_NOT_SUPPORTED );
3860 max_capacity = 255 * hash_size;
3861 status = psa_generator_hkdf_setup( &generator->ctx.hkdf,
3862 secret, secret_length,
3863 hash_alg,
3864 salt, salt_length,
3865 label, label_length );
3866 }
Hanno Becker1aaedc02018-11-16 11:35:34 +0000[diff] [blame]3867 /* TLS-1.2 PRF and TLS-1.2 PSK-to-MS are very similar, so share code. */
3868 else if( PSA_ALG_IS_TLS12_PRF( alg ) ||
3869 PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3870 {
3871 psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg );
3872 size_t hash_size = PSA_HASH_SIZE( hash_alg );
3873
3874 /* TLS-1.2 PRF supports only SHA-256 and SHA-384. */
3875 if( hash_alg != PSA_ALG_SHA_256 &&
3876 hash_alg != PSA_ALG_SHA_384 )
3877 {
3878 return( PSA_ERROR_NOT_SUPPORTED );
3879 }
3880
3881 max_capacity = 255 * hash_size;
Hanno Becker1aaedc02018-11-16 11:35:34 +0000[diff] [blame]3882
3883 if( PSA_ALG_IS_TLS12_PRF( alg ) )
3884 {
3885 status = psa_generator_tls12_prf_setup( &generator->ctx.tls12_prf,
3886 secret, secret_length,
3887 hash_alg, salt, salt_length,
3888 label, label_length );
3889 }
3890 else
3891 {
3892 status = psa_generator_tls12_psk_to_ms_setup(
3893 &generator->ctx.tls12_prf,
3894 secret, secret_length,
3895 hash_alg, salt, salt_length,
3896 label, label_length );
3897 }
Hanno Beckerc8a41d72018-10-09 17:33:01 +0100[diff] [blame]3898 }
Gilles Peskinecce18ae2018-09-18 12:03:52 +0200[diff] [blame]3899 else
3900#endif
3901 {
3902 return( PSA_ERROR_NOT_SUPPORTED );
3903 }
3904
3905 if( status != PSA_SUCCESS )
3906 return( status );
3907
3908 if( capacity <= max_capacity )
3909 generator->capacity = capacity;
Gilles Peskine8feb3a82018-09-18 12:06:11 +0200[diff] [blame]3910 else if( capacity == PSA_GENERATOR_UNBRIDLED_CAPACITY )
3911 generator->capacity = max_capacity;
Gilles Peskinecce18ae2018-09-18 12:03:52 +0200[diff] [blame]3912 else
3913 return( PSA_ERROR_INVALID_ARGUMENT );
3914
3915 return( PSA_SUCCESS );
3916}
3917
Gilles Peskineea0fb492018-07-12 17:17:20 +0200[diff] [blame]3918psa_status_t psa_key_derivation( psa_crypto_generator_t *generator,
Darryl Green88001362018-07-26 13:59:04 +0100[diff] [blame]3919 psa_key_slot_t key,
Gilles Peskineea0fb492018-07-12 17:17:20 +0200[diff] [blame]3920 psa_algorithm_t alg,
3921 const uint8_t *salt,
3922 size_t salt_length,
3923 const uint8_t *label,
3924 size_t label_length,
3925 size_t capacity )
3926{
3927 key_slot_t *slot;
3928 psa_status_t status;
3929
3930 if( generator->alg != 0 )
3931 return( PSA_ERROR_BAD_STATE );
3932
Gilles Peskinecce18ae2018-09-18 12:03:52 +0200[diff] [blame]3933 /* Make sure that alg is a key derivation algorithm. This prevents
3934 * key selection algorithms, which psa_key_derivation_internal
3935 * accepts for the sake of key agreement. */
Gilles Peskineea0fb492018-07-12 17:17:20 +0200[diff] [blame]3936 if( ! PSA_ALG_IS_KEY_DERIVATION( alg ) )
3937 return( PSA_ERROR_INVALID_ARGUMENT );
3938
Gilles Peskinecce18ae2018-09-18 12:03:52 +0200[diff] [blame]3939 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_DERIVE, alg );
3940 if( status != PSA_SUCCESS )
3941 return( status );
Gilles Peskineea0fb492018-07-12 17:17:20 +0200[diff] [blame]3942
Gilles Peskinecce18ae2018-09-18 12:03:52 +0200[diff] [blame]3943 if( slot->type != PSA_KEY_TYPE_DERIVE )
3944 return( PSA_ERROR_INVALID_ARGUMENT );
3945
3946 status = psa_key_derivation_internal( generator,
3947 slot->data.raw.data,
3948 slot->data.raw.bytes,
3949 alg,
3950 salt, salt_length,
3951 label, label_length,
3952 capacity );
3953 if( status != PSA_SUCCESS )
Gilles Peskineea0fb492018-07-12 17:17:20 +0200[diff] [blame]3954 psa_generator_abort( generator );
3955 return( status );
3956}
3957
3958
3959
3960/****************************************************************/
Gilles Peskine01d718c2018-09-18 12:01:02 +0200[diff] [blame]3961/* Key agreement */
3962/****************************************************************/
3963
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]3964#if defined(MBEDTLS_ECDH_C)
Gilles Peskineb7ecdf02018-09-18 12:11:27 +0200[diff] [blame]3965static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key,
3966 size_t peer_key_length,
3967 const mbedtls_ecp_keypair *our_key,
3968 uint8_t *shared_secret,
3969 size_t shared_secret_size,
3970 size_t *shared_secret_length )
3971{
3972 mbedtls_pk_context pk;
3973 mbedtls_ecp_keypair *their_key = NULL;
3974 mbedtls_ecdh_context ecdh;
3975 int ret;
3976 mbedtls_ecdh_init( &ecdh );
3977 mbedtls_pk_init( &pk );
3978
3979 ret = mbedtls_pk_parse_public_key( &pk, peer_key, peer_key_length );
3980 if( ret != 0 )
3981 goto exit;
Gilles Peskine88714d72018-10-25 23:07:25 +0200[diff] [blame]3982 switch( mbedtls_pk_get_type( &pk ) )
Gilles Peskineb7ecdf02018-09-18 12:11:27 +0200[diff] [blame]3983 {
Gilles Peskine88714d72018-10-25 23:07:25 +0200[diff] [blame]3984 case MBEDTLS_PK_ECKEY:
3985 case MBEDTLS_PK_ECKEY_DH:
3986 break;
3987 default:
3988 ret = MBEDTLS_ERR_ECP_INVALID_KEY;
3989 goto exit;
Gilles Peskineb7ecdf02018-09-18 12:11:27 +0200[diff] [blame]3990 }
3991 their_key = mbedtls_pk_ec( pk );
Gilles Peskineb4086612018-11-14 20:51:23 +0100[diff] [blame]3992 if( their_key->grp.id != our_key->grp.id )
3993 {
3994 ret = MBEDTLS_ERR_ECP_INVALID_KEY;
3995 goto exit;
3996 }
3997
Gilles Peskineb7ecdf02018-09-18 12:11:27 +0200[diff] [blame]3998 ret = mbedtls_ecdh_get_params( &ecdh, their_key, MBEDTLS_ECDH_THEIRS );
3999 if( ret != 0 )
4000 goto exit;
4001 ret = mbedtls_ecdh_get_params( &ecdh, our_key, MBEDTLS_ECDH_OURS );
4002 if( ret != 0 )
4003 goto exit;
4004
4005 ret = mbedtls_ecdh_calc_secret( &ecdh,
4006 shared_secret_length,
4007 shared_secret, shared_secret_size,
4008 mbedtls_ctr_drbg_random,
4009 &global_data.ctr_drbg );
4010
4011exit:
4012 mbedtls_pk_free( &pk );
4013 mbedtls_ecdh_free( &ecdh );
4014 return( mbedtls_to_psa_error( ret ) );
4015}
Gilles Peskinea05219c2018-11-16 16:02:56 +0100[diff] [blame]4016#endif /* MBEDTLS_ECDH_C */
Gilles Peskineb7ecdf02018-09-18 12:11:27 +0200[diff] [blame]4017
Gilles Peskine01d718c2018-09-18 12:01:02 +0200[diff] [blame]4018#define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES
4019
Gilles Peskine346797d2018-11-16 16:05:06 +0100[diff] [blame]4020/* Note that if this function fails, you must call psa_generator_abort()
4021 * to potentially free embedded data structures and wipe confidential data.
4022 */
Gilles Peskine01d718c2018-09-18 12:01:02 +0200[diff] [blame]4023static psa_status_t psa_key_agreement_internal( psa_crypto_generator_t *generator,
4024 key_slot_t *private_key,
4025 const uint8_t *peer_key,
4026 size_t peer_key_length,
4027 psa_algorithm_t alg )
4028{
4029 psa_status_t status;
4030 uint8_t shared_secret[PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE];
4031 size_t shared_secret_length = 0;
4032
4033 /* Step 1: run the secret agreement algorithm to generate the shared
4034 * secret. */
4035 switch( PSA_ALG_KEY_AGREEMENT_GET_BASE( alg ) )
4036 {
Gilles Peskineb7ecdf02018-09-18 12:11:27 +0200[diff] [blame]4037#if defined(MBEDTLS_ECDH_C)
4038 case PSA_ALG_ECDH_BASE:
4039 if( ! PSA_KEY_TYPE_IS_ECC_KEYPAIR( private_key->type ) )
4040 return( PSA_ERROR_INVALID_ARGUMENT );
4041 status = psa_key_agreement_ecdh( peer_key, peer_key_length,
4042 private_key->data.ecp,
4043 shared_secret,
4044 sizeof( shared_secret ),
4045 &shared_secret_length );
4046 break;
4047#endif /* MBEDTLS_ECDH_C */
Gilles Peskine01d718c2018-09-18 12:01:02 +0200[diff] [blame]4048 default:
Gilles Peskine93f85002018-11-16 16:43:31 +0100[diff] [blame]4049 (void) private_key;
4050 (void) peer_key;
4051 (void) peer_key_length;
Gilles Peskine01d718c2018-09-18 12:01:02 +0200[diff] [blame]4052 return( PSA_ERROR_NOT_SUPPORTED );
4053 }
4054 if( status != PSA_SUCCESS )
4055 goto exit;
4056
4057 /* Step 2: set up the key derivation to generate key material from
4058 * the shared secret. */
4059 status = psa_key_derivation_internal( generator,
4060 shared_secret, shared_secret_length,
4061 PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ),
4062 NULL, 0, NULL, 0,
4063 PSA_GENERATOR_UNBRIDLED_CAPACITY );
4064exit:
4065 mbedtls_zeroize( shared_secret, shared_secret_length );
4066 return( status );
4067}
4068
4069psa_status_t psa_key_agreement( psa_crypto_generator_t *generator,
4070 psa_key_slot_t private_key,
4071 const uint8_t *peer_key,
4072 size_t peer_key_length,
4073 psa_algorithm_t alg )
4074{
4075 key_slot_t *slot;
4076 psa_status_t status;
4077 if( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) )
4078 return( PSA_ERROR_INVALID_ARGUMENT );
4079 status = psa_get_key_from_slot( private_key, &slot,
4080 PSA_KEY_USAGE_DERIVE, alg );
4081 if( status != PSA_SUCCESS )
4082 return( status );
Gilles Peskine346797d2018-11-16 16:05:06 +0100[diff] [blame]4083 status = psa_key_agreement_internal( generator,
4084 slot,
4085 peer_key, peer_key_length,
4086 alg );
4087 if( status != PSA_SUCCESS )
4088 psa_generator_abort( generator );
4089 return( status );
Gilles Peskine01d718c2018-09-18 12:01:02 +0200[diff] [blame]4090}
4091
4092
4093
4094/****************************************************************/
Gilles Peskineeab56e42018-07-12 17:12:33 +0200[diff] [blame]4095/* Random generation */
Gilles Peskine05d69892018-06-19 22:00:52 +0200[diff] [blame]4096/****************************************************************/
4097
4098psa_status_t psa_generate_random( uint8_t *output,
4099 size_t output_size )
4100{
itayzafrir0adf0fc2018-09-06 16:24:41 +0300[diff] [blame]4101 int ret;
4102 GUARD_MODULE_INITIALIZED;
4103
4104 ret = mbedtls_ctr_drbg_random( &global_data.ctr_drbg, output, output_size );
Gilles Peskine05d69892018-06-19 22:00:52 +0200[diff] [blame]4105 return( mbedtls_to_psa_error( ret ) );
4106}
4107
4108psa_status_t psa_generate_key( psa_key_slot_t key,
4109 psa_key_type_t type,
4110 size_t bits,
Gilles Peskine53d991e2018-07-12 01:14:59 +0200[diff] [blame]4111 const void *extra,
4112 size_t extra_size )
Gilles Peskine05d69892018-06-19 22:00:52 +0200[diff] [blame]4113{
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4114 key_slot_t *slot;
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]4115 psa_status_t status;
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4116
Gilles Peskine53d991e2018-07-12 01:14:59 +0200[diff] [blame]4117 if( extra == NULL && extra_size != 0 )
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4118 return( PSA_ERROR_INVALID_ARGUMENT );
4119
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]4120 status = psa_get_empty_key_slot( key, &slot );
4121 if( status != PSA_SUCCESS )
4122 return( status );
4123
Gilles Peskine48c0ea12018-06-21 14:15:31 +0200[diff] [blame]4124 if( key_type_is_raw_bytes( type ) )
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4125 {
Gilles Peskineb0b255c2018-07-06 17:01:38 +0200[diff] [blame]4126 status = prepare_raw_data_slot( type, bits, &slot->data.raw );
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4127 if( status != PSA_SUCCESS )
4128 return( status );
4129 status = psa_generate_random( slot->data.raw.data,
4130 slot->data.raw.bytes );
4131 if( status != PSA_SUCCESS )
4132 {
4133 mbedtls_free( slot->data.raw.data );
4134 return( status );
4135 }
4136#if defined(MBEDTLS_DES_C)
4137 if( type == PSA_KEY_TYPE_DES )
Gilles Peskine08542d82018-07-19 17:05:42 +0200[diff] [blame]4138 psa_des_set_key_parity( slot->data.raw.data,
4139 slot->data.raw.bytes );
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4140#endif /* MBEDTLS_DES_C */
4141 }
4142 else
4143
4144#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
4145 if ( type == PSA_KEY_TYPE_RSA_KEYPAIR )
4146 {
4147 mbedtls_rsa_context *rsa;
4148 int ret;
4149 int exponent = 65537;
Gilles Peskineaf3baab2018-06-27 22:55:52 +0200[diff] [blame]4150 if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS )
4151 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine86a440b2018-11-12 18:39:40 +0100[diff] [blame]4152 /* Accept only byte-aligned keys, for the same reasons as
4153 * in psa_import_rsa_key(). */
4154 if( bits % 8 != 0 )
4155 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine53d991e2018-07-12 01:14:59 +0200[diff] [blame]4156 if( extra != NULL )
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4157 {
Gilles Peskine4c317f42018-07-12 01:24:09 +0200[diff] [blame]4158 const psa_generate_key_extra_rsa *p = extra;
Gilles Peskine53d991e2018-07-12 01:14:59 +0200[diff] [blame]4159 if( extra_size != sizeof( *p ) )
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4160 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine4c317f42018-07-12 01:24:09 +0200[diff] [blame]4161#if INT_MAX < 0xffffffff
4162 /* Check that the uint32_t value passed by the caller fits
4163 * in the range supported by this implementation. */
4164 if( p->e > INT_MAX )
4165 return( PSA_ERROR_NOT_SUPPORTED );
4166#endif
4167 exponent = p->e;
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4168 }
4169 rsa = mbedtls_calloc( 1, sizeof( *rsa ) );
4170 if( rsa == NULL )
4171 return( PSA_ERROR_INSUFFICIENT_MEMORY );
4172 mbedtls_rsa_init( rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE );
4173 ret = mbedtls_rsa_gen_key( rsa,
4174 mbedtls_ctr_drbg_random,
4175 &global_data.ctr_drbg,
Jaeden Amero23bbb752018-06-26 14:16:54 +0100[diff] [blame]4176 (unsigned int) bits,
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4177 exponent );
4178 if( ret != 0 )
4179 {
4180 mbedtls_rsa_free( rsa );
4181 mbedtls_free( rsa );
4182 return( mbedtls_to_psa_error( ret ) );
4183 }
4184 slot->data.rsa = rsa;
4185 }
4186 else
4187#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
4188
4189#if defined(MBEDTLS_ECP_C)
4190 if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEYPAIR( type ) )
4191 {
4192 psa_ecc_curve_t curve = PSA_KEY_TYPE_GET_CURVE( type );
4193 mbedtls_ecp_group_id grp_id = mbedtls_ecc_group_of_psa( curve );
4194 const mbedtls_ecp_curve_info *curve_info =
4195 mbedtls_ecp_curve_info_from_grp_id( grp_id );
4196 mbedtls_ecp_keypair *ecp;
4197 int ret;
Gilles Peskine53d991e2018-07-12 01:14:59 +0200[diff] [blame]4198 if( extra != NULL )
Gilles Peskine12313cd2018-06-20 00:20:32 +0200[diff] [blame]4199 return( PSA_ERROR_NOT_SUPPORTED );
4200 if( grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL )
4201 return( PSA_ERROR_NOT_SUPPORTED );
4202 if( curve_info->bit_size != bits )
4203 return( PSA_ERROR_INVALID_ARGUMENT );
4204 ecp = mbedtls_calloc( 1, sizeof( *ecp ) );
4205 if( ecp == NULL )
4206 return( PSA_ERROR_INSUFFICIENT_MEMORY );
4207 mbedtls_ecp_keypair_init( ecp );
4208 ret = mbedtls_ecp_gen_key( grp_id, ecp,
4209 mbedtls_ctr_drbg_random,
4210 &global_data.ctr_drbg );
4211 if( ret != 0 )
4212 {
4213 mbedtls_ecp_keypair_free( ecp );
4214 mbedtls_free( ecp );
4215 return( mbedtls_to_psa_error( ret ) );
4216 }
4217 slot->data.ecp = ecp;
4218 }
4219 else
4220#endif /* MBEDTLS_ECP_C */
4221
4222 return( PSA_ERROR_NOT_SUPPORTED );
4223
4224 slot->type = type;
4225 return( PSA_SUCCESS );
Gilles Peskine05d69892018-06-19 22:00:52 +0200[diff] [blame]4226}
4227
4228
4229/****************************************************************/
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]4230/* Module setup */
4231/****************************************************************/
4232
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]4233void mbedtls_psa_crypto_free( void )
4234{
Jaeden Amero045bd502018-06-26 14:00:08 +0100[diff] [blame]4235 psa_key_slot_t key;
Darryl Green40225ba2018-11-15 14:48:15 +0000[diff] [blame^]4236 key_slot_t *slot;
4237 psa_status_t status;
4238
Gilles Peskine9a056342018-08-01 15:46:54 +0200[diff] [blame]4239 for( key = 1; key <= PSA_KEY_SLOT_COUNT; key++ )
Darryl Green40225ba2018-11-15 14:48:15 +0000[diff] [blame^]4240 {
4241 status = psa_get_key_slot( key, &slot );
4242 if( status != PSA_SUCCESS )
4243 continue;
4244 psa_remove_key_data_from_memory( slot );
4245 /* Zeroize the slot to wipe metadata such as policies. */
4246 mbedtls_zeroize( slot, sizeof( *slot ) );
4247 }
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]4248 mbedtls_ctr_drbg_free( &global_data.ctr_drbg );
4249 mbedtls_entropy_free( &global_data.entropy );
4250 mbedtls_zeroize( &global_data, sizeof( global_data ) );
4251}
4252
4253psa_status_t psa_crypto_init( void )
4254{
4255 int ret;
4256 const unsigned char drbg_seed[] = "PSA";
4257
4258 if( global_data.initialized != 0 )
4259 return( PSA_SUCCESS );
4260
4261 mbedtls_zeroize( &global_data, sizeof( global_data ) );
4262 mbedtls_entropy_init( &global_data.entropy );
4263 mbedtls_ctr_drbg_init( &global_data.ctr_drbg );
4264
4265 ret = mbedtls_ctr_drbg_seed( &global_data.ctr_drbg,
4266 mbedtls_entropy_func,
4267 &global_data.entropy,
4268 drbg_seed, sizeof( drbg_seed ) - 1 );
4269 if( ret != 0 )
4270 goto exit;
4271
Gilles Peskinee4ebc122018-03-07 14:16:44 +0100[diff] [blame]4272 global_data.initialized = 1;
4273
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]4274exit:
4275 if( ret != 0 )
4276 mbedtls_psa_crypto_free( );
4277 return( mbedtls_to_psa_error( ret ) );
4278}
4279
4280#endif /* MBEDTLS_PSA_CRYPTO_C */