/src/mbedtls/library/psa_crypto.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * PSA crypto layer on top of Mbed TLS crypto |
3 | | */ |
4 | | /* |
5 | | * Copyright The Mbed TLS Contributors |
6 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
7 | | */ |
8 | | |
9 | | #include "common.h" |
10 | | #include "psa_crypto_core_common.h" |
11 | | |
12 | | #if defined(MBEDTLS_PSA_CRYPTO_C) |
13 | | |
14 | | #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) |
15 | | #include "check_crypto_config.h" |
16 | | #endif |
17 | | |
18 | | #include "psa/crypto.h" |
19 | | #include "psa/crypto_values.h" |
20 | | |
21 | | #include "psa_crypto_cipher.h" |
22 | | #include "psa_crypto_core.h" |
23 | | #include "psa_crypto_invasive.h" |
24 | | #include "psa_crypto_driver_wrappers.h" |
25 | | #include "psa_crypto_driver_wrappers_no_static.h" |
26 | | #include "psa_crypto_ecp.h" |
27 | | #include "psa_crypto_ffdh.h" |
28 | | #include "psa_crypto_hash.h" |
29 | | #include "psa_crypto_mac.h" |
30 | | #include "psa_crypto_rsa.h" |
31 | | #include "psa_crypto_ecp.h" |
32 | | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
33 | | #include "psa_crypto_se.h" |
34 | | #endif |
35 | | #include "psa_crypto_slot_management.h" |
36 | | /* Include internal declarations that are useful for implementing persistently |
37 | | * stored keys. */ |
38 | | #include "psa_crypto_storage.h" |
39 | | |
40 | | #include "psa_crypto_random_impl.h" |
41 | | |
42 | | #include <stdlib.h> |
43 | | #include <string.h> |
44 | | #include "mbedtls/platform.h" |
45 | | |
46 | | #include "mbedtls/aes.h" |
47 | | #include "mbedtls/asn1.h" |
48 | | #include "mbedtls/asn1write.h" |
49 | | #include "mbedtls/bignum.h" |
50 | | #include "mbedtls/camellia.h" |
51 | | #include "mbedtls/chacha20.h" |
52 | | #include "mbedtls/chachapoly.h" |
53 | | #include "mbedtls/cipher.h" |
54 | | #include "mbedtls/ccm.h" |
55 | | #include "mbedtls/cmac.h" |
56 | | #include "mbedtls/constant_time.h" |
57 | | #include "mbedtls/des.h" |
58 | | #include "mbedtls/ecdh.h" |
59 | | #include "mbedtls/ecp.h" |
60 | | #include "mbedtls/entropy.h" |
61 | | #include "mbedtls/error.h" |
62 | | #include "mbedtls/gcm.h" |
63 | | #include "mbedtls/md5.h" |
64 | | #include "mbedtls/pk.h" |
65 | | #include "pk_wrap.h" |
66 | | #include "mbedtls/platform_util.h" |
67 | | #include "mbedtls/error.h" |
68 | | #include "mbedtls/ripemd160.h" |
69 | | #include "mbedtls/rsa.h" |
70 | | #include "mbedtls/sha1.h" |
71 | | #include "mbedtls/sha256.h" |
72 | | #include "mbedtls/sha512.h" |
73 | | #include "mbedtls/psa_util.h" |
74 | | #include "mbedtls/threading.h" |
75 | | |
76 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \ |
77 | | defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \ |
78 | | defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) |
79 | | #define BUILTIN_ALG_ANY_HKDF 1 |
80 | | #endif |
81 | | |
82 | | /****************************************************************/ |
83 | | /* Global data, support functions and library management */ |
84 | | /****************************************************************/ |
85 | | |
86 | | static int key_type_is_raw_bytes(psa_key_type_t type) |
87 | 0 | { |
88 | 0 | return PSA_KEY_TYPE_IS_UNSTRUCTURED(type); |
89 | 0 | } |
90 | | |
91 | | /* Values for psa_global_data_t::rng_state */ |
92 | 12 | #define RNG_NOT_INITIALIZED 0 |
93 | 2 | #define RNG_INITIALIZED 1 |
94 | 2 | #define RNG_SEEDED 2 |
95 | | |
96 | | /* IDs for PSA crypto subsystems. Starts at 1 to catch potential uninitialized |
97 | | * variables as arguments. */ |
98 | | typedef enum { |
99 | | PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS = 1, |
100 | | PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS, |
101 | | PSA_CRYPTO_SUBSYSTEM_RNG, |
102 | | PSA_CRYPTO_SUBSYSTEM_TRANSACTION, |
103 | | } mbedtls_psa_crypto_subsystem; |
104 | | |
105 | | /* Initialization flags for global_data::initialized */ |
106 | 12 | #define PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED 0x01 |
107 | 10 | #define PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED 0x02 |
108 | 4 | #define PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED 0x04 |
109 | | |
110 | 0 | #define PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED ( \ |
111 | 0 | PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED | \ |
112 | 0 | PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED | \ |
113 | 0 | PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED) |
114 | | |
115 | | typedef struct { |
116 | | uint8_t initialized; |
117 | | uint8_t rng_state; |
118 | | mbedtls_psa_random_context_t rng; |
119 | | } psa_global_data_t; |
120 | | |
121 | | static psa_global_data_t global_data; |
122 | | |
123 | | static uint8_t psa_get_initialized(void) |
124 | 2 | { |
125 | 2 | uint8_t initialized; |
126 | | |
127 | 2 | #if defined(MBEDTLS_THREADING_C) |
128 | 2 | mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex); |
129 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
130 | | |
131 | 2 | initialized = global_data.rng_state == RNG_SEEDED; |
132 | | |
133 | 2 | #if defined(MBEDTLS_THREADING_C) |
134 | 2 | mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex); |
135 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
136 | | |
137 | 2 | #if defined(MBEDTLS_THREADING_C) |
138 | 2 | mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex); |
139 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
140 | | |
141 | 2 | initialized = |
142 | 2 | (initialized && (global_data.initialized == PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED)); |
143 | | |
144 | 2 | #if defined(MBEDTLS_THREADING_C) |
145 | 2 | mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex); |
146 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
147 | | |
148 | 2 | return initialized; |
149 | 2 | } |
150 | | |
151 | | static uint8_t psa_get_drivers_initialized(void) |
152 | 0 | { |
153 | 0 | uint8_t initialized; |
154 | |
|
155 | 0 | #if defined(MBEDTLS_THREADING_C) |
156 | 0 | mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex); |
157 | 0 | #endif /* defined(MBEDTLS_THREADING_C) */ |
158 | |
|
159 | 0 | initialized = (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) != 0; |
160 | |
|
161 | 0 | #if defined(MBEDTLS_THREADING_C) |
162 | 0 | mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex); |
163 | 0 | #endif /* defined(MBEDTLS_THREADING_C) */ |
164 | |
|
165 | 0 | return initialized; |
166 | 0 | } |
167 | | |
168 | | #define GUARD_MODULE_INITIALIZED \ |
169 | 0 | if (psa_get_initialized() == 0) \ |
170 | 0 | return PSA_ERROR_BAD_STATE; |
171 | | |
172 | | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
173 | | |
174 | | /* Declare a local copy of an input buffer and a variable that will be used |
175 | | * to store a pointer to the start of the buffer. |
176 | | * |
177 | | * Note: This macro must be called before any operations which may jump to |
178 | | * the exit label, so that the local input copy object is safe to be freed. |
179 | | * |
180 | | * Assumptions: |
181 | | * - input is the name of a pointer to the buffer to be copied |
182 | | * - The name LOCAL_INPUT_COPY_OF_input is unused in the current scope |
183 | | * - input_copy_name is a name that is unused in the current scope |
184 | | */ |
185 | | #define LOCAL_INPUT_DECLARE(input, input_copy_name) \ |
186 | 0 | psa_crypto_local_input_t LOCAL_INPUT_COPY_OF_##input = PSA_CRYPTO_LOCAL_INPUT_INIT; \ |
187 | 0 | const uint8_t *input_copy_name = NULL; |
188 | | |
189 | | /* Allocate a copy of the buffer input and set the pointer input_copy to |
190 | | * point to the start of the copy. |
191 | | * |
192 | | * Assumptions: |
193 | | * - psa_status_t status exists |
194 | | * - An exit label is declared |
195 | | * - input is the name of a pointer to the buffer to be copied |
196 | | * - LOCAL_INPUT_DECLARE(input, input_copy) has previously been called |
197 | | */ |
198 | | #define LOCAL_INPUT_ALLOC(input, length, input_copy) \ |
199 | 0 | status = psa_crypto_local_input_alloc(input, length, \ |
200 | 0 | &LOCAL_INPUT_COPY_OF_##input); \ |
201 | 0 | if (status != PSA_SUCCESS) { \ |
202 | 0 | goto exit; \ |
203 | 0 | } \ |
204 | 0 | input_copy = LOCAL_INPUT_COPY_OF_##input.buffer; |
205 | | |
206 | | /* Free the local input copy allocated previously by LOCAL_INPUT_ALLOC() |
207 | | * |
208 | | * Assumptions: |
209 | | * - input_copy is the name of the input copy pointer set by LOCAL_INPUT_ALLOC() |
210 | | * - input is the name of the original buffer that was copied |
211 | | */ |
212 | | #define LOCAL_INPUT_FREE(input, input_copy) \ |
213 | 0 | input_copy = NULL; \ |
214 | 0 | psa_crypto_local_input_free(&LOCAL_INPUT_COPY_OF_##input); |
215 | | |
216 | | /* Declare a local copy of an output buffer and a variable that will be used |
217 | | * to store a pointer to the start of the buffer. |
218 | | * |
219 | | * Note: This macro must be called before any operations which may jump to |
220 | | * the exit label, so that the local output copy object is safe to be freed. |
221 | | * |
222 | | * Assumptions: |
223 | | * - output is the name of a pointer to the buffer to be copied |
224 | | * - The name LOCAL_OUTPUT_COPY_OF_output is unused in the current scope |
225 | | * - output_copy_name is a name that is unused in the current scope |
226 | | */ |
227 | | #define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \ |
228 | 0 | psa_crypto_local_output_t LOCAL_OUTPUT_COPY_OF_##output = PSA_CRYPTO_LOCAL_OUTPUT_INIT; \ |
229 | 0 | uint8_t *output_copy_name = NULL; |
230 | | |
231 | | /* Allocate a copy of the buffer output and set the pointer output_copy to |
232 | | * point to the start of the copy. |
233 | | * |
234 | | * Assumptions: |
235 | | * - psa_status_t status exists |
236 | | * - An exit label is declared |
237 | | * - output is the name of a pointer to the buffer to be copied |
238 | | * - LOCAL_OUTPUT_DECLARE(output, output_copy) has previously been called |
239 | | */ |
240 | | #define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \ |
241 | 0 | status = psa_crypto_local_output_alloc(output, length, \ |
242 | 0 | &LOCAL_OUTPUT_COPY_OF_##output); \ |
243 | 0 | if (status != PSA_SUCCESS) { \ |
244 | 0 | goto exit; \ |
245 | 0 | } \ |
246 | 0 | output_copy = LOCAL_OUTPUT_COPY_OF_##output.buffer; |
247 | | |
248 | | /* Free the local output copy allocated previously by LOCAL_OUTPUT_ALLOC() |
249 | | * after first copying back its contents to the original buffer. |
250 | | * |
251 | | * Assumptions: |
252 | | * - psa_status_t status exists |
253 | | * - output_copy is the name of the output copy pointer set by LOCAL_OUTPUT_ALLOC() |
254 | | * - output is the name of the original buffer that was copied |
255 | | */ |
256 | | #define LOCAL_OUTPUT_FREE(output, output_copy) \ |
257 | 0 | output_copy = NULL; \ |
258 | 0 | do { \ |
259 | 0 | psa_status_t local_output_status; \ |
260 | 0 | local_output_status = psa_crypto_local_output_free(&LOCAL_OUTPUT_COPY_OF_##output); \ |
261 | 0 | if (local_output_status != PSA_SUCCESS) { \ |
262 | 0 | /* Since this error case is an internal error, it's more serious than \ |
263 | 0 | * any existing error code and so it's fine to overwrite the existing \ |
264 | 0 | * status. */ \ |
265 | 0 | status = local_output_status; \ |
266 | 0 | } \ |
267 | 0 | } while (0) |
268 | | #else /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */ |
269 | | #define LOCAL_INPUT_DECLARE(input, input_copy_name) \ |
270 | | const uint8_t *input_copy_name = NULL; |
271 | | #define LOCAL_INPUT_ALLOC(input, length, input_copy) \ |
272 | | input_copy = input; |
273 | | #define LOCAL_INPUT_FREE(input, input_copy) \ |
274 | | input_copy = NULL; |
275 | | #define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \ |
276 | | uint8_t *output_copy_name = NULL; |
277 | | #define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \ |
278 | | output_copy = output; |
279 | | #define LOCAL_OUTPUT_FREE(output, output_copy) \ |
280 | | output_copy = NULL; |
281 | | #endif /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */ |
282 | | |
283 | | |
284 | | int psa_can_do_hash(psa_algorithm_t hash_alg) |
285 | 0 | { |
286 | 0 | (void) hash_alg; |
287 | 0 | return psa_get_drivers_initialized(); |
288 | 0 | } |
289 | | |
290 | | int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg) |
291 | 0 | { |
292 | 0 | (void) key_type; |
293 | 0 | (void) cipher_alg; |
294 | 0 | return psa_get_drivers_initialized(); |
295 | 0 | } |
296 | | |
297 | | |
298 | | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \ |
299 | | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \ |
300 | | defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) |
301 | | static int psa_is_dh_key_size_valid(size_t bits) |
302 | 0 | { |
303 | 0 | switch (bits) { |
304 | 0 | #if defined(PSA_WANT_DH_RFC7919_2048) |
305 | 0 | case 2048: |
306 | 0 | return 1; |
307 | 0 | #endif /* PSA_WANT_DH_RFC7919_2048 */ |
308 | 0 | #if defined(PSA_WANT_DH_RFC7919_3072) |
309 | 0 | case 3072: |
310 | 0 | return 1; |
311 | 0 | #endif /* PSA_WANT_DH_RFC7919_3072 */ |
312 | 0 | #if defined(PSA_WANT_DH_RFC7919_4096) |
313 | 0 | case 4096: |
314 | 0 | return 1; |
315 | 0 | #endif /* PSA_WANT_DH_RFC7919_4096 */ |
316 | 0 | #if defined(PSA_WANT_DH_RFC7919_6144) |
317 | 0 | case 6144: |
318 | 0 | return 1; |
319 | 0 | #endif /* PSA_WANT_DH_RFC7919_6144 */ |
320 | 0 | #if defined(PSA_WANT_DH_RFC7919_8192) |
321 | 0 | case 8192: |
322 | 0 | return 1; |
323 | 0 | #endif /* PSA_WANT_DH_RFC7919_8192 */ |
324 | 0 | default: |
325 | 0 | return 0; |
326 | 0 | } |
327 | 0 | } |
328 | | #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT || |
329 | | MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY || |
330 | | PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */ |
331 | | |
332 | | psa_status_t mbedtls_to_psa_error(int ret) |
333 | 2 | { |
334 | | /* Mbed TLS error codes can combine a high-level error code and a |
335 | | * low-level error code. The low-level error usually reflects the |
336 | | * root cause better, so dispatch on that preferably. */ |
337 | 2 | int low_level_ret = -(-ret & 0x007f); |
338 | 2 | switch (low_level_ret != 0 ? low_level_ret : ret) { |
339 | 0 | case 0: |
340 | 0 | return PSA_SUCCESS; |
341 | | |
342 | 0 | #if defined(MBEDTLS_AES_C) |
343 | 0 | case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH: |
344 | 0 | case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH: |
345 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
346 | 0 | case MBEDTLS_ERR_AES_BAD_INPUT_DATA: |
347 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
348 | 0 | #endif |
349 | | |
350 | 0 | #if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_ASN1_WRITE_C) |
351 | 0 | case MBEDTLS_ERR_ASN1_OUT_OF_DATA: |
352 | 0 | case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG: |
353 | 0 | case MBEDTLS_ERR_ASN1_INVALID_LENGTH: |
354 | 0 | case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH: |
355 | 0 | case MBEDTLS_ERR_ASN1_INVALID_DATA: |
356 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
357 | 0 | case MBEDTLS_ERR_ASN1_ALLOC_FAILED: |
358 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
359 | 0 | case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL: |
360 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
361 | 0 | #endif |
362 | | |
363 | 0 | #if defined(MBEDTLS_CAMELLIA_C) |
364 | 0 | case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA: |
365 | 0 | case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH: |
366 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
367 | 0 | #endif |
368 | | |
369 | 0 | #if defined(MBEDTLS_CCM_C) |
370 | 0 | case MBEDTLS_ERR_CCM_BAD_INPUT: |
371 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
372 | 0 | case MBEDTLS_ERR_CCM_AUTH_FAILED: |
373 | 0 | return PSA_ERROR_INVALID_SIGNATURE; |
374 | 0 | #endif |
375 | | |
376 | 0 | #if defined(MBEDTLS_CHACHA20_C) |
377 | 0 | case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA: |
378 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
379 | 0 | #endif |
380 | | |
381 | 0 | #if defined(MBEDTLS_CHACHAPOLY_C) |
382 | 0 | case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE: |
383 | 0 | return PSA_ERROR_BAD_STATE; |
384 | 0 | case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED: |
385 | 0 | return PSA_ERROR_INVALID_SIGNATURE; |
386 | 0 | #endif |
387 | | |
388 | 0 | #if defined(MBEDTLS_CIPHER_C) |
389 | 0 | case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE: |
390 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
391 | 0 | case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA: |
392 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
393 | 0 | case MBEDTLS_ERR_CIPHER_ALLOC_FAILED: |
394 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
395 | 0 | case MBEDTLS_ERR_CIPHER_INVALID_PADDING: |
396 | 0 | return PSA_ERROR_INVALID_PADDING; |
397 | 0 | case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED: |
398 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
399 | 0 | case MBEDTLS_ERR_CIPHER_AUTH_FAILED: |
400 | 0 | return PSA_ERROR_INVALID_SIGNATURE; |
401 | 0 | case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT: |
402 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
403 | 0 | #endif |
404 | | |
405 | 0 | #if !(defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \ |
406 | 0 | defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)) |
407 | | /* Only check CTR_DRBG error codes if underlying mbedtls_xxx |
408 | | * functions are passed a CTR_DRBG instance. */ |
409 | 2 | case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED: |
410 | 2 | return PSA_ERROR_INSUFFICIENT_ENTROPY; |
411 | 0 | case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG: |
412 | 0 | case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG: |
413 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
414 | 0 | case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR: |
415 | 0 | return PSA_ERROR_INSUFFICIENT_ENTROPY; |
416 | 0 | #endif |
417 | | |
418 | 0 | #if defined(MBEDTLS_DES_C) |
419 | 0 | case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH: |
420 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
421 | 0 | #endif |
422 | | |
423 | 0 | case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: |
424 | 0 | case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: |
425 | 0 | case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: |
426 | 0 | return PSA_ERROR_INSUFFICIENT_ENTROPY; |
427 | | |
428 | 0 | #if defined(MBEDTLS_GCM_C) |
429 | 0 | case MBEDTLS_ERR_GCM_AUTH_FAILED: |
430 | 0 | return PSA_ERROR_INVALID_SIGNATURE; |
431 | 0 | case MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: |
432 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
433 | 0 | case MBEDTLS_ERR_GCM_BAD_INPUT: |
434 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
435 | 0 | #endif |
436 | | |
437 | | #if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \ |
438 | | defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE) |
439 | | /* Only check HMAC_DRBG error codes if underlying mbedtls_xxx |
440 | | * functions are passed a HMAC_DRBG instance. */ |
441 | | case MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED: |
442 | | return PSA_ERROR_INSUFFICIENT_ENTROPY; |
443 | | case MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG: |
444 | | case MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG: |
445 | | return PSA_ERROR_NOT_SUPPORTED; |
446 | | case MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR: |
447 | | return PSA_ERROR_INSUFFICIENT_ENTROPY; |
448 | | #endif |
449 | | |
450 | 0 | #if defined(MBEDTLS_MD_LIGHT) |
451 | 0 | case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: |
452 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
453 | 0 | case MBEDTLS_ERR_MD_BAD_INPUT_DATA: |
454 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
455 | 0 | case MBEDTLS_ERR_MD_ALLOC_FAILED: |
456 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
457 | 0 | #if defined(MBEDTLS_FS_IO) |
458 | 0 | case MBEDTLS_ERR_MD_FILE_IO_ERROR: |
459 | 0 | return PSA_ERROR_STORAGE_FAILURE; |
460 | 0 | #endif |
461 | 0 | #endif |
462 | | |
463 | 0 | #if defined(MBEDTLS_BIGNUM_C) |
464 | 0 | #if defined(MBEDTLS_FS_IO) |
465 | 0 | case MBEDTLS_ERR_MPI_FILE_IO_ERROR: |
466 | 0 | return PSA_ERROR_STORAGE_FAILURE; |
467 | 0 | #endif |
468 | 0 | case MBEDTLS_ERR_MPI_BAD_INPUT_DATA: |
469 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
470 | 0 | case MBEDTLS_ERR_MPI_INVALID_CHARACTER: |
471 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
472 | 0 | case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL: |
473 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
474 | 0 | case MBEDTLS_ERR_MPI_NEGATIVE_VALUE: |
475 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
476 | 0 | case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO: |
477 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
478 | 0 | case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: |
479 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
480 | 0 | case MBEDTLS_ERR_MPI_ALLOC_FAILED: |
481 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
482 | 0 | #endif |
483 | | |
484 | 0 | #if defined(MBEDTLS_PK_C) |
485 | 0 | case MBEDTLS_ERR_PK_ALLOC_FAILED: |
486 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
487 | 0 | case MBEDTLS_ERR_PK_TYPE_MISMATCH: |
488 | 0 | case MBEDTLS_ERR_PK_BAD_INPUT_DATA: |
489 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
490 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || defined(MBEDTLS_FS_IO) || \ |
491 | 0 | defined(MBEDTLS_PSA_ITS_FILE_C) |
492 | 0 | case MBEDTLS_ERR_PK_FILE_IO_ERROR: |
493 | 0 | return PSA_ERROR_STORAGE_FAILURE; |
494 | 0 | #endif |
495 | 0 | case MBEDTLS_ERR_PK_KEY_INVALID_VERSION: |
496 | 0 | case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT: |
497 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
498 | 0 | case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG: |
499 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
500 | 0 | case MBEDTLS_ERR_PK_PASSWORD_REQUIRED: |
501 | 0 | case MBEDTLS_ERR_PK_PASSWORD_MISMATCH: |
502 | 0 | return PSA_ERROR_NOT_PERMITTED; |
503 | 0 | case MBEDTLS_ERR_PK_INVALID_PUBKEY: |
504 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
505 | 0 | case MBEDTLS_ERR_PK_INVALID_ALG: |
506 | 0 | case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE: |
507 | 0 | case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE: |
508 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
509 | 0 | case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH: |
510 | 0 | return PSA_ERROR_INVALID_SIGNATURE; |
511 | 0 | case MBEDTLS_ERR_PK_BUFFER_TOO_SMALL: |
512 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
513 | 0 | #endif |
514 | | |
515 | 0 | case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED: |
516 | 0 | return PSA_ERROR_HARDWARE_FAILURE; |
517 | 0 | case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED: |
518 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
519 | | |
520 | 0 | #if defined(MBEDTLS_RSA_C) |
521 | 0 | case MBEDTLS_ERR_RSA_BAD_INPUT_DATA: |
522 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
523 | 0 | case MBEDTLS_ERR_RSA_INVALID_PADDING: |
524 | 0 | return PSA_ERROR_INVALID_PADDING; |
525 | 0 | case MBEDTLS_ERR_RSA_KEY_GEN_FAILED: |
526 | 0 | return PSA_ERROR_HARDWARE_FAILURE; |
527 | 0 | case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED: |
528 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
529 | 0 | case MBEDTLS_ERR_RSA_PUBLIC_FAILED: |
530 | 0 | case MBEDTLS_ERR_RSA_PRIVATE_FAILED: |
531 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
532 | 0 | case MBEDTLS_ERR_RSA_VERIFY_FAILED: |
533 | 0 | return PSA_ERROR_INVALID_SIGNATURE; |
534 | 0 | case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE: |
535 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
536 | 0 | case MBEDTLS_ERR_RSA_RNG_FAILED: |
537 | 0 | return PSA_ERROR_INSUFFICIENT_ENTROPY; |
538 | 0 | #endif |
539 | | |
540 | 0 | #if defined(MBEDTLS_ECP_LIGHT) |
541 | 0 | case MBEDTLS_ERR_ECP_BAD_INPUT_DATA: |
542 | 0 | case MBEDTLS_ERR_ECP_INVALID_KEY: |
543 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
544 | 0 | case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL: |
545 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
546 | 0 | case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE: |
547 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
548 | 0 | case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH: |
549 | 0 | case MBEDTLS_ERR_ECP_VERIFY_FAILED: |
550 | 0 | return PSA_ERROR_INVALID_SIGNATURE; |
551 | 0 | case MBEDTLS_ERR_ECP_ALLOC_FAILED: |
552 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
553 | 0 | case MBEDTLS_ERR_ECP_RANDOM_FAILED: |
554 | 0 | return PSA_ERROR_INSUFFICIENT_ENTROPY; |
555 | | |
556 | 0 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
557 | 0 | case MBEDTLS_ERR_ECP_IN_PROGRESS: |
558 | 0 | return PSA_OPERATION_INCOMPLETE; |
559 | 0 | #endif |
560 | 0 | #endif |
561 | | |
562 | 0 | case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED: |
563 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
564 | | |
565 | 0 | default: |
566 | 0 | return PSA_ERROR_GENERIC_ERROR; |
567 | 2 | } |
568 | 2 | } |
569 | | |
570 | | /** |
571 | | * \brief For output buffers which contain "tags" |
572 | | * (outputs that may be checked for validity like |
573 | | * hashes, MACs and signatures), fill the unused |
574 | | * part of the output buffer (the whole buffer on |
575 | | * error, the trailing part on success) with |
576 | | * something that isn't a valid tag (barring an |
577 | | * attack on the tag and deliberately-crafted |
578 | | * input), in case the caller doesn't check the |
579 | | * return status properly. |
580 | | * |
581 | | * \param output_buffer Pointer to buffer to wipe. May not be NULL |
582 | | * unless \p output_buffer_size is zero. |
583 | | * \param status Status of function called to generate |
584 | | * output_buffer originally |
585 | | * \param output_buffer_size Size of output buffer. If zero, \p output_buffer |
586 | | * could be NULL. |
587 | | * \param output_buffer_length Length of data written to output_buffer, must be |
588 | | * less than \p output_buffer_size |
589 | | */ |
590 | | static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status, |
591 | | size_t output_buffer_size, size_t output_buffer_length) |
592 | 0 | { |
593 | 0 | size_t offset = 0; |
594 | |
|
595 | 0 | if (output_buffer_size == 0) { |
596 | | /* If output_buffer_size is 0 then we have nothing to do. We must not |
597 | | call memset because output_buffer may be NULL in this case */ |
598 | 0 | return; |
599 | 0 | } |
600 | | |
601 | 0 | if (status == PSA_SUCCESS) { |
602 | 0 | offset = output_buffer_length; |
603 | 0 | } |
604 | |
|
605 | 0 | memset(output_buffer + offset, '!', output_buffer_size - offset); |
606 | 0 | } |
607 | | |
608 | | |
609 | | psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type, |
610 | | size_t bits) |
611 | 0 | { |
612 | | /* Check that the bit size is acceptable for the key type */ |
613 | 0 | switch (type) { |
614 | 0 | case PSA_KEY_TYPE_RAW_DATA: |
615 | 0 | case PSA_KEY_TYPE_HMAC: |
616 | 0 | case PSA_KEY_TYPE_DERIVE: |
617 | 0 | case PSA_KEY_TYPE_PASSWORD: |
618 | 0 | case PSA_KEY_TYPE_PASSWORD_HASH: |
619 | 0 | break; |
620 | 0 | #if defined(PSA_WANT_KEY_TYPE_AES) |
621 | 0 | case PSA_KEY_TYPE_AES: |
622 | 0 | if (bits != 128 && bits != 192 && bits != 256) { |
623 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
624 | 0 | } |
625 | 0 | break; |
626 | 0 | #endif |
627 | 0 | #if defined(PSA_WANT_KEY_TYPE_ARIA) |
628 | 0 | case PSA_KEY_TYPE_ARIA: |
629 | 0 | if (bits != 128 && bits != 192 && bits != 256) { |
630 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
631 | 0 | } |
632 | 0 | break; |
633 | 0 | #endif |
634 | 0 | #if defined(PSA_WANT_KEY_TYPE_CAMELLIA) |
635 | 0 | case PSA_KEY_TYPE_CAMELLIA: |
636 | 0 | if (bits != 128 && bits != 192 && bits != 256) { |
637 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
638 | 0 | } |
639 | 0 | break; |
640 | 0 | #endif |
641 | 0 | #if defined(PSA_WANT_KEY_TYPE_DES) |
642 | 0 | case PSA_KEY_TYPE_DES: |
643 | 0 | if (bits != 64 && bits != 128 && bits != 192) { |
644 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
645 | 0 | } |
646 | 0 | break; |
647 | 0 | #endif |
648 | 0 | #if defined(PSA_WANT_KEY_TYPE_CHACHA20) |
649 | 0 | case PSA_KEY_TYPE_CHACHA20: |
650 | 0 | if (bits != 256) { |
651 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
652 | 0 | } |
653 | 0 | break; |
654 | 0 | #endif |
655 | 0 | default: |
656 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
657 | 0 | } |
658 | 0 | if (bits % 8 != 0) { |
659 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
660 | 0 | } |
661 | | |
662 | 0 | return PSA_SUCCESS; |
663 | 0 | } |
664 | | |
665 | | /** Check whether a given key type is valid for use with a given MAC algorithm |
666 | | * |
667 | | * Upon successful return of this function, the behavior of #PSA_MAC_LENGTH |
668 | | * when called with the validated \p algorithm and \p key_type is well-defined. |
669 | | * |
670 | | * \param[in] algorithm The specific MAC algorithm (can be wildcard). |
671 | | * \param[in] key_type The key type of the key to be used with the |
672 | | * \p algorithm. |
673 | | * |
674 | | * \retval #PSA_SUCCESS |
675 | | * The \p key_type is valid for use with the \p algorithm |
676 | | * \retval #PSA_ERROR_INVALID_ARGUMENT |
677 | | * The \p key_type is not valid for use with the \p algorithm |
678 | | */ |
679 | | MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do( |
680 | | psa_algorithm_t algorithm, |
681 | | psa_key_type_t key_type) |
682 | 0 | { |
683 | 0 | if (PSA_ALG_IS_HMAC(algorithm)) { |
684 | 0 | if (key_type == PSA_KEY_TYPE_HMAC) { |
685 | 0 | return PSA_SUCCESS; |
686 | 0 | } |
687 | 0 | } |
688 | | |
689 | 0 | if (PSA_ALG_IS_BLOCK_CIPHER_MAC(algorithm)) { |
690 | | /* Check that we're calling PSA_BLOCK_CIPHER_BLOCK_LENGTH with a cipher |
691 | | * key. */ |
692 | 0 | if ((key_type & PSA_KEY_TYPE_CATEGORY_MASK) == |
693 | 0 | PSA_KEY_TYPE_CATEGORY_SYMMETRIC) { |
694 | | /* PSA_BLOCK_CIPHER_BLOCK_LENGTH returns 1 for stream ciphers and |
695 | | * the block length (larger than 1) for block ciphers. */ |
696 | 0 | if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1) { |
697 | 0 | return PSA_SUCCESS; |
698 | 0 | } |
699 | 0 | } |
700 | 0 | } |
701 | | |
702 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
703 | 0 | } |
704 | | |
705 | | psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot, |
706 | | size_t buffer_length) |
707 | 0 | { |
708 | | #if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS) |
709 | | if (buffer_length > ((size_t) MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE)) { |
710 | | return PSA_ERROR_NOT_SUPPORTED; |
711 | | } |
712 | | #else |
713 | 0 | if (slot->key.data != NULL) { |
714 | 0 | return PSA_ERROR_ALREADY_EXISTS; |
715 | 0 | } |
716 | | |
717 | 0 | slot->key.data = mbedtls_calloc(1, buffer_length); |
718 | 0 | if (slot->key.data == NULL) { |
719 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
720 | 0 | } |
721 | 0 | #endif |
722 | | |
723 | 0 | slot->key.bytes = buffer_length; |
724 | 0 | return PSA_SUCCESS; |
725 | 0 | } |
726 | | |
727 | | psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot, |
728 | | const uint8_t *data, |
729 | | size_t data_length) |
730 | 0 | { |
731 | 0 | psa_status_t status = psa_allocate_buffer_to_slot(slot, |
732 | 0 | data_length); |
733 | 0 | if (status != PSA_SUCCESS) { |
734 | 0 | return status; |
735 | 0 | } |
736 | | |
737 | 0 | memcpy(slot->key.data, data, data_length); |
738 | 0 | return PSA_SUCCESS; |
739 | 0 | } |
740 | | |
741 | | psa_status_t psa_import_key_into_slot( |
742 | | const psa_key_attributes_t *attributes, |
743 | | const uint8_t *data, size_t data_length, |
744 | | uint8_t *key_buffer, size_t key_buffer_size, |
745 | | size_t *key_buffer_length, size_t *bits) |
746 | 0 | { |
747 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
748 | 0 | psa_key_type_t type = attributes->type; |
749 | | |
750 | | /* zero-length keys are never supported. */ |
751 | 0 | if (data_length == 0) { |
752 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
753 | 0 | } |
754 | | |
755 | 0 | if (key_type_is_raw_bytes(type)) { |
756 | 0 | *bits = PSA_BYTES_TO_BITS(data_length); |
757 | |
|
758 | 0 | status = psa_validate_unstructured_key_bit_size(attributes->type, |
759 | 0 | *bits); |
760 | 0 | if (status != PSA_SUCCESS) { |
761 | 0 | return status; |
762 | 0 | } |
763 | | |
764 | | /* Copy the key material. */ |
765 | 0 | memcpy(key_buffer, data, data_length); |
766 | 0 | *key_buffer_length = data_length; |
767 | 0 | (void) key_buffer_size; |
768 | |
|
769 | 0 | return PSA_SUCCESS; |
770 | 0 | } else if (PSA_KEY_TYPE_IS_ASYMMETRIC(type)) { |
771 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \ |
772 | 0 | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) |
773 | 0 | if (PSA_KEY_TYPE_IS_DH(type)) { |
774 | 0 | if (psa_is_dh_key_size_valid(PSA_BYTES_TO_BITS(data_length)) == 0) { |
775 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
776 | 0 | } |
777 | 0 | return mbedtls_psa_ffdh_import_key(attributes, |
778 | 0 | data, data_length, |
779 | 0 | key_buffer, key_buffer_size, |
780 | 0 | key_buffer_length, |
781 | 0 | bits); |
782 | 0 | } |
783 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || |
784 | | * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */ |
785 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \ |
786 | 0 | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) |
787 | 0 | if (PSA_KEY_TYPE_IS_ECC(type)) { |
788 | 0 | return mbedtls_psa_ecp_import_key(attributes, |
789 | 0 | data, data_length, |
790 | 0 | key_buffer, key_buffer_size, |
791 | 0 | key_buffer_length, |
792 | 0 | bits); |
793 | 0 | } |
794 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || |
795 | | * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ |
796 | 0 | #if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \ |
797 | 0 | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \ |
798 | 0 | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) |
799 | 0 | if (PSA_KEY_TYPE_IS_RSA(type)) { |
800 | 0 | return mbedtls_psa_rsa_import_key(attributes, |
801 | 0 | data, data_length, |
802 | 0 | key_buffer, key_buffer_size, |
803 | 0 | key_buffer_length, |
804 | 0 | bits); |
805 | 0 | } |
806 | 0 | #endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && |
807 | | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || |
808 | | * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ |
809 | 0 | } |
810 | | |
811 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
812 | 0 | } |
813 | | |
814 | | /** Calculate the intersection of two algorithm usage policies. |
815 | | * |
816 | | * Return 0 (which allows no operation) on incompatibility. |
817 | | */ |
818 | | static psa_algorithm_t psa_key_policy_algorithm_intersection( |
819 | | psa_key_type_t key_type, |
820 | | psa_algorithm_t alg1, |
821 | | psa_algorithm_t alg2) |
822 | 0 | { |
823 | | /* Common case: both sides actually specify the same policy. */ |
824 | 0 | if (alg1 == alg2) { |
825 | 0 | return alg1; |
826 | 0 | } |
827 | | /* If the policies are from the same hash-and-sign family, check |
828 | | * if one is a wildcard. If so the other has the specific algorithm. */ |
829 | 0 | if (PSA_ALG_IS_SIGN_HASH(alg1) && |
830 | 0 | PSA_ALG_IS_SIGN_HASH(alg2) && |
831 | 0 | (alg1 & ~PSA_ALG_HASH_MASK) == (alg2 & ~PSA_ALG_HASH_MASK)) { |
832 | 0 | if (PSA_ALG_SIGN_GET_HASH(alg1) == PSA_ALG_ANY_HASH) { |
833 | 0 | return alg2; |
834 | 0 | } |
835 | 0 | if (PSA_ALG_SIGN_GET_HASH(alg2) == PSA_ALG_ANY_HASH) { |
836 | 0 | return alg1; |
837 | 0 | } |
838 | 0 | } |
839 | | /* If the policies are from the same AEAD family, check whether |
840 | | * one of them is a minimum-tag-length wildcard. Calculate the most |
841 | | * restrictive tag length. */ |
842 | 0 | if (PSA_ALG_IS_AEAD(alg1) && PSA_ALG_IS_AEAD(alg2) && |
843 | 0 | (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg1, 0) == |
844 | 0 | PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg2, 0))) { |
845 | 0 | size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg1); |
846 | 0 | size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg2); |
847 | 0 | size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len; |
848 | | |
849 | | /* If both are wildcards, return most restrictive wildcard */ |
850 | 0 | if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) && |
851 | 0 | ((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) { |
852 | 0 | return PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( |
853 | 0 | alg1, restricted_len); |
854 | 0 | } |
855 | | /* If only one is a wildcard, return specific algorithm if compatible. */ |
856 | 0 | if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) && |
857 | 0 | (alg1_len <= alg2_len)) { |
858 | 0 | return alg2; |
859 | 0 | } |
860 | 0 | if (((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) && |
861 | 0 | (alg2_len <= alg1_len)) { |
862 | 0 | return alg1; |
863 | 0 | } |
864 | 0 | } |
865 | | /* If the policies are from the same MAC family, check whether one |
866 | | * of them is a minimum-MAC-length policy. Calculate the most |
867 | | * restrictive tag length. */ |
868 | 0 | if (PSA_ALG_IS_MAC(alg1) && PSA_ALG_IS_MAC(alg2) && |
869 | 0 | (PSA_ALG_FULL_LENGTH_MAC(alg1) == |
870 | 0 | PSA_ALG_FULL_LENGTH_MAC(alg2))) { |
871 | | /* Validate the combination of key type and algorithm. Since the base |
872 | | * algorithm of alg1 and alg2 are the same, we only need this once. */ |
873 | 0 | if (PSA_SUCCESS != psa_mac_key_can_do(alg1, key_type)) { |
874 | 0 | return 0; |
875 | 0 | } |
876 | | |
877 | | /* Get the (exact or at-least) output lengths for both sides of the |
878 | | * requested intersection. None of the currently supported algorithms |
879 | | * have an output length dependent on the actual key size, so setting it |
880 | | * to a bogus value of 0 is currently OK. |
881 | | * |
882 | | * Note that for at-least-this-length wildcard algorithms, the output |
883 | | * length is set to the shortest allowed length, which allows us to |
884 | | * calculate the most restrictive tag length for the intersection. */ |
885 | 0 | size_t alg1_len = PSA_MAC_LENGTH(key_type, 0, alg1); |
886 | 0 | size_t alg2_len = PSA_MAC_LENGTH(key_type, 0, alg2); |
887 | 0 | size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len; |
888 | | |
889 | | /* If both are wildcards, return most restrictive wildcard */ |
890 | 0 | if (((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) && |
891 | 0 | ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0)) { |
892 | 0 | return PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(alg1, restricted_len); |
893 | 0 | } |
894 | | |
895 | | /* If only one is an at-least-this-length policy, the intersection would |
896 | | * be the other (fixed-length) policy as long as said fixed length is |
897 | | * equal to or larger than the shortest allowed length. */ |
898 | 0 | if ((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) { |
899 | 0 | return (alg1_len <= alg2_len) ? alg2 : 0; |
900 | 0 | } |
901 | 0 | if ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) { |
902 | 0 | return (alg2_len <= alg1_len) ? alg1 : 0; |
903 | 0 | } |
904 | | |
905 | | /* If none of them are wildcards, check whether they define the same tag |
906 | | * length. This is still possible here when one is default-length and |
907 | | * the other specific-length. Ensure to always return the |
908 | | * specific-length version for the intersection. */ |
909 | 0 | if (alg1_len == alg2_len) { |
910 | 0 | return PSA_ALG_TRUNCATED_MAC(alg1, alg1_len); |
911 | 0 | } |
912 | 0 | } |
913 | | /* If the policies are incompatible, allow nothing. */ |
914 | 0 | return 0; |
915 | 0 | } |
916 | | |
917 | | static int psa_key_algorithm_permits(psa_key_type_t key_type, |
918 | | psa_algorithm_t policy_alg, |
919 | | psa_algorithm_t requested_alg) |
920 | 0 | { |
921 | | /* Common case: the policy only allows requested_alg. */ |
922 | 0 | if (requested_alg == policy_alg) { |
923 | 0 | return 1; |
924 | 0 | } |
925 | | /* If policy_alg is a hash-and-sign with a wildcard for the hash, |
926 | | * and requested_alg is the same hash-and-sign family with any hash, |
927 | | * then requested_alg is compliant with policy_alg. */ |
928 | 0 | if (PSA_ALG_IS_SIGN_HASH(requested_alg) && |
929 | 0 | PSA_ALG_SIGN_GET_HASH(policy_alg) == PSA_ALG_ANY_HASH) { |
930 | 0 | return (policy_alg & ~PSA_ALG_HASH_MASK) == |
931 | 0 | (requested_alg & ~PSA_ALG_HASH_MASK); |
932 | 0 | } |
933 | | /* If policy_alg is a wildcard AEAD algorithm of the same base as |
934 | | * the requested algorithm, check the requested tag length to be |
935 | | * equal-length or longer than the wildcard-specified length. */ |
936 | 0 | if (PSA_ALG_IS_AEAD(policy_alg) && |
937 | 0 | PSA_ALG_IS_AEAD(requested_alg) && |
938 | 0 | (PSA_ALG_AEAD_WITH_SHORTENED_TAG(policy_alg, 0) == |
939 | 0 | PSA_ALG_AEAD_WITH_SHORTENED_TAG(requested_alg, 0)) && |
940 | 0 | ((policy_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) { |
941 | 0 | return PSA_ALG_AEAD_GET_TAG_LENGTH(policy_alg) <= |
942 | 0 | PSA_ALG_AEAD_GET_TAG_LENGTH(requested_alg); |
943 | 0 | } |
944 | | /* If policy_alg is a MAC algorithm of the same base as the requested |
945 | | * algorithm, check whether their MAC lengths are compatible. */ |
946 | 0 | if (PSA_ALG_IS_MAC(policy_alg) && |
947 | 0 | PSA_ALG_IS_MAC(requested_alg) && |
948 | 0 | (PSA_ALG_FULL_LENGTH_MAC(policy_alg) == |
949 | 0 | PSA_ALG_FULL_LENGTH_MAC(requested_alg))) { |
950 | | /* Validate the combination of key type and algorithm. Since the policy |
951 | | * and requested algorithms are the same, we only need this once. */ |
952 | 0 | if (PSA_SUCCESS != psa_mac_key_can_do(policy_alg, key_type)) { |
953 | 0 | return 0; |
954 | 0 | } |
955 | | |
956 | | /* Get both the requested output length for the algorithm which is to be |
957 | | * verified, and the default output length for the base algorithm. |
958 | | * Note that none of the currently supported algorithms have an output |
959 | | * length dependent on actual key size, so setting it to a bogus value |
960 | | * of 0 is currently OK. */ |
961 | 0 | size_t requested_output_length = PSA_MAC_LENGTH( |
962 | 0 | key_type, 0, requested_alg); |
963 | 0 | size_t default_output_length = PSA_MAC_LENGTH( |
964 | 0 | key_type, 0, |
965 | 0 | PSA_ALG_FULL_LENGTH_MAC(requested_alg)); |
966 | | |
967 | | /* If the policy is default-length, only allow an algorithm with |
968 | | * a declared exact-length matching the default. */ |
969 | 0 | if (PSA_MAC_TRUNCATED_LENGTH(policy_alg) == 0) { |
970 | 0 | return requested_output_length == default_output_length; |
971 | 0 | } |
972 | | |
973 | | /* If the requested algorithm is default-length, allow it if the policy |
974 | | * length exactly matches the default length. */ |
975 | 0 | if (PSA_MAC_TRUNCATED_LENGTH(requested_alg) == 0 && |
976 | 0 | PSA_MAC_TRUNCATED_LENGTH(policy_alg) == default_output_length) { |
977 | 0 | return 1; |
978 | 0 | } |
979 | | |
980 | | /* If policy_alg is an at-least-this-length wildcard MAC algorithm, |
981 | | * check for the requested MAC length to be equal to or longer than the |
982 | | * minimum allowed length. */ |
983 | 0 | if ((policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) { |
984 | 0 | return PSA_MAC_TRUNCATED_LENGTH(policy_alg) <= |
985 | 0 | requested_output_length; |
986 | 0 | } |
987 | 0 | } |
988 | | /* If policy_alg is a generic key agreement operation, then using it for |
989 | | * a key derivation with that key agreement should also be allowed. This |
990 | | * behaviour is expected to be defined in a future specification version. */ |
991 | 0 | if (PSA_ALG_IS_RAW_KEY_AGREEMENT(policy_alg) && |
992 | 0 | PSA_ALG_IS_KEY_AGREEMENT(requested_alg)) { |
993 | 0 | return PSA_ALG_KEY_AGREEMENT_GET_BASE(requested_alg) == |
994 | 0 | policy_alg; |
995 | 0 | } |
996 | | /* If it isn't explicitly permitted, it's forbidden. */ |
997 | 0 | return 0; |
998 | 0 | } |
999 | | |
1000 | | /** Test whether a policy permits an algorithm. |
1001 | | * |
1002 | | * The caller must test usage flags separately. |
1003 | | * |
1004 | | * \note This function requires providing the key type for which the policy is |
1005 | | * being validated, since some algorithm policy definitions (e.g. MAC) |
1006 | | * have different properties depending on what kind of cipher it is |
1007 | | * combined with. |
1008 | | * |
1009 | | * \retval PSA_SUCCESS When \p alg is a specific algorithm |
1010 | | * allowed by the \p policy. |
1011 | | * \retval PSA_ERROR_INVALID_ARGUMENT When \p alg is not a specific algorithm |
1012 | | * \retval PSA_ERROR_NOT_PERMITTED When \p alg is a specific algorithm, but |
1013 | | * the \p policy does not allow it. |
1014 | | */ |
1015 | | static psa_status_t psa_key_policy_permits(const psa_key_policy_t *policy, |
1016 | | psa_key_type_t key_type, |
1017 | | psa_algorithm_t alg) |
1018 | 0 | { |
1019 | | /* '0' is not a valid algorithm */ |
1020 | 0 | if (alg == 0) { |
1021 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
1022 | 0 | } |
1023 | | |
1024 | | /* A requested algorithm cannot be a wildcard. */ |
1025 | 0 | if (PSA_ALG_IS_WILDCARD(alg)) { |
1026 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
1027 | 0 | } |
1028 | | |
1029 | 0 | if (psa_key_algorithm_permits(key_type, policy->alg, alg) || |
1030 | 0 | psa_key_algorithm_permits(key_type, policy->alg2, alg)) { |
1031 | 0 | return PSA_SUCCESS; |
1032 | 0 | } else { |
1033 | 0 | return PSA_ERROR_NOT_PERMITTED; |
1034 | 0 | } |
1035 | 0 | } |
1036 | | |
1037 | | /** Restrict a key policy based on a constraint. |
1038 | | * |
1039 | | * \note This function requires providing the key type for which the policy is |
1040 | | * being restricted, since some algorithm policy definitions (e.g. MAC) |
1041 | | * have different properties depending on what kind of cipher it is |
1042 | | * combined with. |
1043 | | * |
1044 | | * \param[in] key_type The key type for which to restrict the policy |
1045 | | * \param[in,out] policy The policy to restrict. |
1046 | | * \param[in] constraint The policy constraint to apply. |
1047 | | * |
1048 | | * \retval #PSA_SUCCESS |
1049 | | * \c *policy contains the intersection of the original value of |
1050 | | * \c *policy and \c *constraint. |
1051 | | * \retval #PSA_ERROR_INVALID_ARGUMENT |
1052 | | * \c key_type, \c *policy and \c *constraint are incompatible. |
1053 | | * \c *policy is unchanged. |
1054 | | */ |
1055 | | static psa_status_t psa_restrict_key_policy( |
1056 | | psa_key_type_t key_type, |
1057 | | psa_key_policy_t *policy, |
1058 | | const psa_key_policy_t *constraint) |
1059 | 0 | { |
1060 | 0 | psa_algorithm_t intersection_alg = |
1061 | 0 | psa_key_policy_algorithm_intersection(key_type, policy->alg, |
1062 | 0 | constraint->alg); |
1063 | 0 | psa_algorithm_t intersection_alg2 = |
1064 | 0 | psa_key_policy_algorithm_intersection(key_type, policy->alg2, |
1065 | 0 | constraint->alg2); |
1066 | 0 | if (intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0) { |
1067 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
1068 | 0 | } |
1069 | 0 | if (intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0) { |
1070 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
1071 | 0 | } |
1072 | 0 | policy->usage &= constraint->usage; |
1073 | 0 | policy->alg = intersection_alg; |
1074 | 0 | policy->alg2 = intersection_alg2; |
1075 | 0 | return PSA_SUCCESS; |
1076 | 0 | } |
1077 | | |
1078 | | /** Get the description of a key given its identifier and policy constraints |
1079 | | * and lock it. |
1080 | | * |
1081 | | * The key must have allow all the usage flags set in \p usage. If \p alg is |
1082 | | * nonzero, the key must allow operations with this algorithm. If \p alg is |
1083 | | * zero, the algorithm is not checked. |
1084 | | * |
1085 | | * In case of a persistent key, the function loads the description of the key |
1086 | | * into a key slot if not already done. |
1087 | | * |
1088 | | * On success, the returned key slot has been registered for reading. |
1089 | | * It is the responsibility of the caller to then unregister |
1090 | | * once they have finished reading the contents of the slot. |
1091 | | * The caller unregisters by calling psa_unregister_read() or |
1092 | | * psa_unregister_read_under_mutex(). psa_unregister_read() must be called |
1093 | | * if and only if the caller already holds the global key slot mutex |
1094 | | * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates |
1095 | | * the unregister with mutex lock and unlock operations. |
1096 | | */ |
1097 | | static psa_status_t psa_get_and_lock_key_slot_with_policy( |
1098 | | mbedtls_svc_key_id_t key, |
1099 | | psa_key_slot_t **p_slot, |
1100 | | psa_key_usage_t usage, |
1101 | | psa_algorithm_t alg) |
1102 | 0 | { |
1103 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
1104 | 0 | psa_key_slot_t *slot = NULL; |
1105 | |
|
1106 | 0 | status = psa_get_and_lock_key_slot(key, p_slot); |
1107 | 0 | if (status != PSA_SUCCESS) { |
1108 | 0 | return status; |
1109 | 0 | } |
1110 | 0 | slot = *p_slot; |
1111 | | |
1112 | | /* Enforce that usage policy for the key slot contains all the flags |
1113 | | * required by the usage parameter. There is one exception: public |
1114 | | * keys can always be exported, so we treat public key objects as |
1115 | | * if they had the export flag. */ |
1116 | 0 | if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) { |
1117 | 0 | usage &= ~PSA_KEY_USAGE_EXPORT; |
1118 | 0 | } |
1119 | |
|
1120 | 0 | if ((slot->attr.policy.usage & usage) != usage) { |
1121 | 0 | status = PSA_ERROR_NOT_PERMITTED; |
1122 | 0 | goto error; |
1123 | 0 | } |
1124 | | |
1125 | | /* Enforce that the usage policy permits the requested algorithm. */ |
1126 | 0 | if (alg != 0) { |
1127 | 0 | status = psa_key_policy_permits(&slot->attr.policy, |
1128 | 0 | slot->attr.type, |
1129 | 0 | alg); |
1130 | 0 | if (status != PSA_SUCCESS) { |
1131 | 0 | goto error; |
1132 | 0 | } |
1133 | 0 | } |
1134 | | |
1135 | 0 | return PSA_SUCCESS; |
1136 | | |
1137 | 0 | error: |
1138 | 0 | *p_slot = NULL; |
1139 | 0 | psa_unregister_read_under_mutex(slot); |
1140 | |
|
1141 | 0 | return status; |
1142 | 0 | } |
1143 | | |
1144 | | /** Get a key slot containing a transparent key and lock it. |
1145 | | * |
1146 | | * A transparent key is a key for which the key material is directly |
1147 | | * available, as opposed to a key in a secure element and/or to be used |
1148 | | * by a secure element. |
1149 | | * |
1150 | | * This is a temporary function that may be used instead of |
1151 | | * psa_get_and_lock_key_slot_with_policy() when there is no opaque key support |
1152 | | * for a cryptographic operation. |
1153 | | * |
1154 | | * On success, the returned key slot has been registered for reading. |
1155 | | * It is the responsibility of the caller to then unregister |
1156 | | * once they have finished reading the contents of the slot. |
1157 | | * The caller unregisters by calling psa_unregister_read() or |
1158 | | * psa_unregister_read_under_mutex(). psa_unregister_read() must be called |
1159 | | * if and only if the caller already holds the global key slot mutex |
1160 | | * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates |
1161 | | * psa_unregister_read() with mutex lock and unlock operations. |
1162 | | */ |
1163 | | static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( |
1164 | | mbedtls_svc_key_id_t key, |
1165 | | psa_key_slot_t **p_slot, |
1166 | | psa_key_usage_t usage, |
1167 | | psa_algorithm_t alg) |
1168 | 0 | { |
1169 | 0 | psa_status_t status = psa_get_and_lock_key_slot_with_policy(key, p_slot, |
1170 | 0 | usage, alg); |
1171 | 0 | if (status != PSA_SUCCESS) { |
1172 | 0 | return status; |
1173 | 0 | } |
1174 | | |
1175 | 0 | if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) { |
1176 | 0 | psa_unregister_read_under_mutex(*p_slot); |
1177 | 0 | *p_slot = NULL; |
1178 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
1179 | 0 | } |
1180 | | |
1181 | 0 | return PSA_SUCCESS; |
1182 | 0 | } |
1183 | | |
1184 | | psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot) |
1185 | 0 | { |
1186 | | #if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS) |
1187 | | if (slot->key.bytes > 0) { |
1188 | | mbedtls_platform_zeroize(slot->key.data, MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE); |
1189 | | } |
1190 | | #else |
1191 | 0 | if (slot->key.data != NULL) { |
1192 | 0 | mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes); |
1193 | 0 | } |
1194 | |
|
1195 | 0 | slot->key.data = NULL; |
1196 | 0 | #endif /* MBEDTLS_PSA_STATIC_KEY_SLOTS */ |
1197 | |
|
1198 | 0 | slot->key.bytes = 0; |
1199 | |
|
1200 | 0 | return PSA_SUCCESS; |
1201 | 0 | } |
1202 | | |
1203 | | /** Completely wipe a slot in memory, including its policy. |
1204 | | * Persistent storage is not affected. */ |
1205 | | psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot) |
1206 | 0 | { |
1207 | 0 | psa_status_t status = psa_remove_key_data_from_memory(slot); |
1208 | | |
1209 | | /* |
1210 | | * As the return error code may not be handled in case of multiple errors, |
1211 | | * do our best to report an unexpected amount of registered readers or |
1212 | | * an unexpected state. |
1213 | | * Assert with MBEDTLS_TEST_HOOK_TEST_ASSERT that the slot is valid for |
1214 | | * wiping. |
1215 | | * if the MBEDTLS_TEST_HOOKS configuration option is enabled and the |
1216 | | * function is called as part of the execution of a test suite, the |
1217 | | * execution of the test suite is stopped in error if the assertion fails. |
1218 | | */ |
1219 | 0 | switch (slot->state) { |
1220 | 0 | case PSA_SLOT_FULL: |
1221 | | /* In this state psa_wipe_key_slot() must only be called if the |
1222 | | * caller is the last reader. */ |
1223 | 0 | case PSA_SLOT_PENDING_DELETION: |
1224 | | /* In this state psa_wipe_key_slot() must only be called if the |
1225 | | * caller is the last reader. */ |
1226 | 0 | if (slot->var.occupied.registered_readers != 1) { |
1227 | 0 | MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 1); |
1228 | 0 | status = PSA_ERROR_CORRUPTION_DETECTED; |
1229 | 0 | } |
1230 | 0 | break; |
1231 | 0 | case PSA_SLOT_FILLING: |
1232 | | /* In this state registered_readers must be 0. */ |
1233 | 0 | if (slot->var.occupied.registered_readers != 0) { |
1234 | 0 | MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 0); |
1235 | 0 | status = PSA_ERROR_CORRUPTION_DETECTED; |
1236 | 0 | } |
1237 | 0 | break; |
1238 | 0 | case PSA_SLOT_EMPTY: |
1239 | | /* The slot is already empty, it cannot be wiped. */ |
1240 | 0 | MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->state != PSA_SLOT_EMPTY); |
1241 | 0 | status = PSA_ERROR_CORRUPTION_DETECTED; |
1242 | 0 | break; |
1243 | 0 | default: |
1244 | | /* The slot's state is invalid. */ |
1245 | 0 | status = PSA_ERROR_CORRUPTION_DETECTED; |
1246 | 0 | } |
1247 | | |
1248 | 0 | #if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) |
1249 | 0 | size_t slice_index = slot->slice_index; |
1250 | 0 | #endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ |
1251 | | |
1252 | | |
1253 | | /* Multipart operations may still be using the key. This is safe |
1254 | | * because all multipart operation objects are independent from |
1255 | | * the key slot: if they need to access the key after the setup |
1256 | | * phase, they have a copy of the key. Note that this means that |
1257 | | * key material can linger until all operations are completed. */ |
1258 | | /* At this point, key material and other type-specific content has |
1259 | | * been wiped. Clear remaining metadata. We can call memset and not |
1260 | | * zeroize because the metadata is not particularly sensitive. |
1261 | | * This memset also sets the slot's state to PSA_SLOT_EMPTY. */ |
1262 | 0 | memset(slot, 0, sizeof(*slot)); |
1263 | |
|
1264 | 0 | #if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) |
1265 | | /* If the slot is already corrupted, something went deeply wrong, |
1266 | | * like a thread still using the slot or a stray pointer leading |
1267 | | * to the slot's memory being used for another object. Let the slot |
1268 | | * leak rather than make the corruption worse. */ |
1269 | 0 | if (status == PSA_SUCCESS) { |
1270 | 0 | status = psa_free_key_slot(slice_index, slot); |
1271 | 0 | } |
1272 | 0 | #endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ |
1273 | |
|
1274 | 0 | return status; |
1275 | 0 | } |
1276 | | |
1277 | | psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key) |
1278 | 0 | { |
1279 | 0 | psa_key_slot_t *slot; |
1280 | 0 | psa_status_t status; /* status of the last operation */ |
1281 | 0 | psa_status_t overall_status = PSA_SUCCESS; |
1282 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
1283 | 0 | psa_se_drv_table_entry_t *driver; |
1284 | 0 | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
1285 | |
|
1286 | 0 | if (mbedtls_svc_key_id_is_null(key)) { |
1287 | 0 | return PSA_SUCCESS; |
1288 | 0 | } |
1289 | | |
1290 | | /* |
1291 | | * Get the description of the key in a key slot, and register to read it. |
1292 | | * In the case of a persistent key, this will load the key description |
1293 | | * from persistent memory if not done yet. |
1294 | | * We cannot avoid this loading as without it we don't know if |
1295 | | * the key is operated by an SE or not and this information is needed by |
1296 | | * the current implementation. */ |
1297 | 0 | status = psa_get_and_lock_key_slot(key, &slot); |
1298 | 0 | if (status != PSA_SUCCESS) { |
1299 | 0 | return status; |
1300 | 0 | } |
1301 | | |
1302 | 0 | #if defined(MBEDTLS_THREADING_C) |
1303 | | /* We cannot unlock between setting the state to PENDING_DELETION |
1304 | | * and destroying the key in storage, as otherwise another thread |
1305 | | * could load the key into a new slot and the key will not be |
1306 | | * fully destroyed. */ |
1307 | 0 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock( |
1308 | 0 | &mbedtls_threading_key_slot_mutex)); |
1309 | |
|
1310 | 0 | if (slot->state == PSA_SLOT_PENDING_DELETION) { |
1311 | | /* Another thread has destroyed the key between us locking the slot |
1312 | | * and us gaining the mutex. Unregister from the slot, |
1313 | | * and report that the key does not exist. */ |
1314 | 0 | status = psa_unregister_read(slot); |
1315 | |
|
1316 | 0 | PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( |
1317 | 0 | &mbedtls_threading_key_slot_mutex)); |
1318 | 0 | return (status == PSA_SUCCESS) ? PSA_ERROR_INVALID_HANDLE : status; |
1319 | 0 | } |
1320 | 0 | #endif |
1321 | | /* Set the key slot containing the key description's state to |
1322 | | * PENDING_DELETION. This stops new operations from registering |
1323 | | * to read the slot. Current readers can safely continue to access |
1324 | | * the key within the slot; the last registered reader will |
1325 | | * automatically wipe the slot when they call psa_unregister_read(). |
1326 | | * If the key is persistent, we can now delete the copy of the key |
1327 | | * from memory. If the key is opaque, we require the driver to |
1328 | | * deal with the deletion. */ |
1329 | 0 | overall_status = psa_key_slot_state_transition(slot, PSA_SLOT_FULL, |
1330 | 0 | PSA_SLOT_PENDING_DELETION); |
1331 | |
|
1332 | 0 | if (overall_status != PSA_SUCCESS) { |
1333 | 0 | goto exit; |
1334 | 0 | } |
1335 | | |
1336 | 0 | if (PSA_KEY_LIFETIME_IS_READ_ONLY(slot->attr.lifetime)) { |
1337 | | /* Refuse the destruction of a read-only key (which may or may not work |
1338 | | * if we attempt it, depending on whether the key is merely read-only |
1339 | | * by policy or actually physically read-only). |
1340 | | * Just do the best we can, which is to wipe the copy in memory |
1341 | | * (done in this function's cleanup code). */ |
1342 | 0 | overall_status = PSA_ERROR_NOT_PERMITTED; |
1343 | 0 | goto exit; |
1344 | 0 | } |
1345 | | |
1346 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
1347 | 0 | driver = psa_get_se_driver_entry(slot->attr.lifetime); |
1348 | 0 | if (driver != NULL) { |
1349 | | /* For a key in a secure element, we need to do three things: |
1350 | | * remove the key file in internal storage, destroy the |
1351 | | * key inside the secure element, and update the driver's |
1352 | | * persistent data. Start a transaction that will encompass these |
1353 | | * three actions. */ |
1354 | 0 | psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_DESTROY_KEY); |
1355 | 0 | psa_crypto_transaction.key.lifetime = slot->attr.lifetime; |
1356 | 0 | psa_crypto_transaction.key.slot = psa_key_slot_get_slot_number(slot); |
1357 | 0 | psa_crypto_transaction.key.id = slot->attr.id; |
1358 | 0 | status = psa_crypto_save_transaction(); |
1359 | 0 | if (status != PSA_SUCCESS) { |
1360 | 0 | (void) psa_crypto_stop_transaction(); |
1361 | | /* We should still try to destroy the key in the secure |
1362 | | * element and the key metadata in storage. This is especially |
1363 | | * important if the error is that the storage is full. |
1364 | | * But how to do it exactly without risking an inconsistent |
1365 | | * state after a reset? |
1366 | | * https://github.com/ARMmbed/mbed-crypto/issues/215 |
1367 | | */ |
1368 | 0 | overall_status = status; |
1369 | 0 | goto exit; |
1370 | 0 | } |
1371 | | |
1372 | 0 | status = psa_destroy_se_key(driver, |
1373 | 0 | psa_key_slot_get_slot_number(slot)); |
1374 | 0 | if (overall_status == PSA_SUCCESS) { |
1375 | 0 | overall_status = status; |
1376 | 0 | } |
1377 | 0 | } |
1378 | 0 | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
1379 | | |
1380 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) |
1381 | 0 | if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) { |
1382 | | /* Destroy the copy of the persistent key from storage. |
1383 | | * The slot will still hold a copy of the key until the last reader |
1384 | | * unregisters. */ |
1385 | 0 | status = psa_destroy_persistent_key(slot->attr.id); |
1386 | 0 | if (overall_status == PSA_SUCCESS) { |
1387 | 0 | overall_status = status; |
1388 | 0 | } |
1389 | 0 | } |
1390 | 0 | #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ |
1391 | |
|
1392 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
1393 | 0 | if (driver != NULL) { |
1394 | 0 | status = psa_save_se_persistent_data(driver); |
1395 | 0 | if (overall_status == PSA_SUCCESS) { |
1396 | 0 | overall_status = status; |
1397 | 0 | } |
1398 | 0 | status = psa_crypto_stop_transaction(); |
1399 | 0 | if (overall_status == PSA_SUCCESS) { |
1400 | 0 | overall_status = status; |
1401 | 0 | } |
1402 | 0 | } |
1403 | 0 | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
1404 | |
|
1405 | 0 | exit: |
1406 | | /* Unregister from reading the slot. If we are the last active reader |
1407 | | * then this will wipe the slot. */ |
1408 | 0 | status = psa_unregister_read(slot); |
1409 | | /* Prioritize CORRUPTION_DETECTED from unregistering over |
1410 | | * a storage error. */ |
1411 | 0 | if (status != PSA_SUCCESS) { |
1412 | 0 | overall_status = status; |
1413 | 0 | } |
1414 | |
|
1415 | 0 | #if defined(MBEDTLS_THREADING_C) |
1416 | | /* Don't overwrite existing errors if the unlock fails. */ |
1417 | 0 | status = overall_status; |
1418 | 0 | PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( |
1419 | 0 | &mbedtls_threading_key_slot_mutex)); |
1420 | 0 | #endif |
1421 | |
|
1422 | 0 | return overall_status; |
1423 | 0 | } |
1424 | | |
1425 | | /** Retrieve all the publicly-accessible attributes of a key. |
1426 | | */ |
1427 | | psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key, |
1428 | | psa_key_attributes_t *attributes) |
1429 | 0 | { |
1430 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
1431 | 0 | psa_key_slot_t *slot; |
1432 | |
|
1433 | 0 | psa_reset_key_attributes(attributes); |
1434 | |
|
1435 | 0 | status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0); |
1436 | 0 | if (status != PSA_SUCCESS) { |
1437 | 0 | return status; |
1438 | 0 | } |
1439 | | |
1440 | 0 | *attributes = slot->attr; |
1441 | |
|
1442 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
1443 | 0 | if (psa_get_se_driver_entry(slot->attr.lifetime) != NULL) { |
1444 | 0 | psa_set_key_slot_number(attributes, |
1445 | 0 | psa_key_slot_get_slot_number(slot)); |
1446 | 0 | } |
1447 | 0 | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
1448 | |
|
1449 | 0 | return psa_unregister_read_under_mutex(slot); |
1450 | 0 | } |
1451 | | |
1452 | | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
1453 | | psa_status_t psa_get_key_slot_number( |
1454 | | const psa_key_attributes_t *attributes, |
1455 | | psa_key_slot_number_t *slot_number) |
1456 | 0 | { |
1457 | 0 | if (attributes->has_slot_number) { |
1458 | 0 | *slot_number = attributes->slot_number; |
1459 | 0 | return PSA_SUCCESS; |
1460 | 0 | } else { |
1461 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
1462 | 0 | } |
1463 | 0 | } |
1464 | | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
1465 | | |
1466 | | static psa_status_t psa_export_key_buffer_internal(const uint8_t *key_buffer, |
1467 | | size_t key_buffer_size, |
1468 | | uint8_t *data, |
1469 | | size_t data_size, |
1470 | | size_t *data_length) |
1471 | 0 | { |
1472 | 0 | if (key_buffer_size > data_size) { |
1473 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
1474 | 0 | } |
1475 | 0 | memcpy(data, key_buffer, key_buffer_size); |
1476 | 0 | memset(data + key_buffer_size, 0, |
1477 | 0 | data_size - key_buffer_size); |
1478 | 0 | *data_length = key_buffer_size; |
1479 | 0 | return PSA_SUCCESS; |
1480 | 0 | } |
1481 | | |
1482 | | psa_status_t psa_export_key_internal( |
1483 | | const psa_key_attributes_t *attributes, |
1484 | | const uint8_t *key_buffer, size_t key_buffer_size, |
1485 | | uint8_t *data, size_t data_size, size_t *data_length) |
1486 | 0 | { |
1487 | 0 | psa_key_type_t type = attributes->type; |
1488 | |
|
1489 | 0 | if (key_type_is_raw_bytes(type) || |
1490 | 0 | PSA_KEY_TYPE_IS_RSA(type) || |
1491 | 0 | PSA_KEY_TYPE_IS_ECC(type) || |
1492 | 0 | PSA_KEY_TYPE_IS_DH(type)) { |
1493 | 0 | return psa_export_key_buffer_internal( |
1494 | 0 | key_buffer, key_buffer_size, |
1495 | 0 | data, data_size, data_length); |
1496 | 0 | } else { |
1497 | | /* This shouldn't happen in the reference implementation, but |
1498 | | it is valid for a special-purpose implementation to omit |
1499 | | support for exporting certain key types. */ |
1500 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
1501 | 0 | } |
1502 | 0 | } |
1503 | | |
1504 | | psa_status_t psa_export_key(mbedtls_svc_key_id_t key, |
1505 | | uint8_t *data_external, |
1506 | | size_t data_size, |
1507 | | size_t *data_length) |
1508 | 0 | { |
1509 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
1510 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
1511 | 0 | psa_key_slot_t *slot; |
1512 | 0 | LOCAL_OUTPUT_DECLARE(data_external, data); |
1513 | | |
1514 | | /* Reject a zero-length output buffer now, since this can never be a |
1515 | | * valid key representation. This way we know that data must be a valid |
1516 | | * pointer and we can do things like memset(data, ..., data_size). */ |
1517 | 0 | if (data_size == 0) { |
1518 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
1519 | 0 | } |
1520 | | |
1521 | | /* Set the key to empty now, so that even when there are errors, we always |
1522 | | * set data_length to a value between 0 and data_size. On error, setting |
1523 | | * the key to empty is a good choice because an empty key representation is |
1524 | | * unlikely to be accepted anywhere. */ |
1525 | 0 | *data_length = 0; |
1526 | | |
1527 | | /* Export requires the EXPORT flag. There is an exception for public keys, |
1528 | | * which don't require any flag, but |
1529 | | * psa_get_and_lock_key_slot_with_policy() takes care of this. |
1530 | | */ |
1531 | 0 | status = psa_get_and_lock_key_slot_with_policy(key, &slot, |
1532 | 0 | PSA_KEY_USAGE_EXPORT, 0); |
1533 | 0 | if (status != PSA_SUCCESS) { |
1534 | 0 | return status; |
1535 | 0 | } |
1536 | | |
1537 | 0 | LOCAL_OUTPUT_ALLOC(data_external, data_size, data); |
1538 | |
|
1539 | 0 | status = psa_driver_wrapper_export_key(&slot->attr, |
1540 | 0 | slot->key.data, slot->key.bytes, |
1541 | 0 | data, data_size, data_length); |
1542 | |
|
1543 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
1544 | 0 | exit: |
1545 | 0 | #endif |
1546 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
1547 | |
|
1548 | 0 | LOCAL_OUTPUT_FREE(data_external, data); |
1549 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
1550 | 0 | } |
1551 | | |
1552 | | psa_status_t psa_export_public_key_internal( |
1553 | | const psa_key_attributes_t *attributes, |
1554 | | const uint8_t *key_buffer, |
1555 | | size_t key_buffer_size, |
1556 | | uint8_t *data, |
1557 | | size_t data_size, |
1558 | | size_t *data_length) |
1559 | 0 | { |
1560 | 0 | psa_key_type_t type = attributes->type; |
1561 | |
|
1562 | 0 | if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) && |
1563 | 0 | (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type) || |
1564 | 0 | PSA_KEY_TYPE_IS_DH(type))) { |
1565 | | /* Exporting public -> public */ |
1566 | 0 | return psa_export_key_buffer_internal( |
1567 | 0 | key_buffer, key_buffer_size, |
1568 | 0 | data, data_size, data_length); |
1569 | 0 | } else if (PSA_KEY_TYPE_IS_RSA(type)) { |
1570 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \ |
1571 | 0 | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) |
1572 | 0 | return mbedtls_psa_rsa_export_public_key(attributes, |
1573 | 0 | key_buffer, |
1574 | 0 | key_buffer_size, |
1575 | 0 | data, |
1576 | 0 | data_size, |
1577 | 0 | data_length); |
1578 | | #else |
1579 | | /* We don't know how to convert a private RSA key to public. */ |
1580 | | return PSA_ERROR_NOT_SUPPORTED; |
1581 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || |
1582 | | * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ |
1583 | 0 | } else if (PSA_KEY_TYPE_IS_ECC(type)) { |
1584 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \ |
1585 | 0 | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) |
1586 | 0 | return mbedtls_psa_ecp_export_public_key(attributes, |
1587 | 0 | key_buffer, |
1588 | 0 | key_buffer_size, |
1589 | 0 | data, |
1590 | 0 | data_size, |
1591 | 0 | data_length); |
1592 | | #else |
1593 | | /* We don't know how to convert a private ECC key to public */ |
1594 | | return PSA_ERROR_NOT_SUPPORTED; |
1595 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || |
1596 | | * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ |
1597 | 0 | } else if (PSA_KEY_TYPE_IS_DH(type)) { |
1598 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \ |
1599 | 0 | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) |
1600 | 0 | return mbedtls_psa_ffdh_export_public_key(attributes, |
1601 | 0 | key_buffer, |
1602 | 0 | key_buffer_size, |
1603 | 0 | data, data_size, |
1604 | 0 | data_length); |
1605 | | #else |
1606 | | return PSA_ERROR_NOT_SUPPORTED; |
1607 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || |
1608 | | * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */ |
1609 | 0 | } else { |
1610 | 0 | (void) key_buffer; |
1611 | 0 | (void) key_buffer_size; |
1612 | 0 | (void) data; |
1613 | 0 | (void) data_size; |
1614 | 0 | (void) data_length; |
1615 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
1616 | 0 | } |
1617 | 0 | } |
1618 | | |
1619 | | psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key, |
1620 | | uint8_t *data_external, |
1621 | | size_t data_size, |
1622 | | size_t *data_length) |
1623 | 0 | { |
1624 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
1625 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
1626 | 0 | psa_key_slot_t *slot; |
1627 | |
|
1628 | 0 | LOCAL_OUTPUT_DECLARE(data_external, data); |
1629 | | |
1630 | | /* Reject a zero-length output buffer now, since this can never be a |
1631 | | * valid key representation. This way we know that data must be a valid |
1632 | | * pointer and we can do things like memset(data, ..., data_size). */ |
1633 | 0 | if (data_size == 0) { |
1634 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
1635 | 0 | } |
1636 | | |
1637 | | /* Set the key to empty now, so that even when there are errors, we always |
1638 | | * set data_length to a value between 0 and data_size. On error, setting |
1639 | | * the key to empty is a good choice because an empty key representation is |
1640 | | * unlikely to be accepted anywhere. */ |
1641 | 0 | *data_length = 0; |
1642 | | |
1643 | | /* Exporting a public key doesn't require a usage flag. */ |
1644 | 0 | status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0); |
1645 | 0 | if (status != PSA_SUCCESS) { |
1646 | 0 | return status; |
1647 | 0 | } |
1648 | | |
1649 | 0 | LOCAL_OUTPUT_ALLOC(data_external, data_size, data); |
1650 | |
|
1651 | 0 | if (!PSA_KEY_TYPE_IS_ASYMMETRIC(slot->attr.type)) { |
1652 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
1653 | 0 | goto exit; |
1654 | 0 | } |
1655 | | |
1656 | 0 | status = psa_driver_wrapper_export_public_key( |
1657 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
1658 | 0 | data, data_size, data_length); |
1659 | |
|
1660 | 0 | exit: |
1661 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
1662 | |
|
1663 | 0 | LOCAL_OUTPUT_FREE(data_external, data); |
1664 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
1665 | 0 | } |
1666 | | |
1667 | | /** Validate that a key policy is internally well-formed. |
1668 | | * |
1669 | | * This function only rejects invalid policies. It does not validate the |
1670 | | * consistency of the policy with respect to other attributes of the key |
1671 | | * such as the key type. |
1672 | | */ |
1673 | | static psa_status_t psa_validate_key_policy(const psa_key_policy_t *policy) |
1674 | 0 | { |
1675 | 0 | if ((policy->usage & ~(PSA_KEY_USAGE_EXPORT | |
1676 | 0 | PSA_KEY_USAGE_COPY | |
1677 | 0 | PSA_KEY_USAGE_ENCRYPT | |
1678 | 0 | PSA_KEY_USAGE_DECRYPT | |
1679 | 0 | PSA_KEY_USAGE_SIGN_MESSAGE | |
1680 | 0 | PSA_KEY_USAGE_VERIFY_MESSAGE | |
1681 | 0 | PSA_KEY_USAGE_SIGN_HASH | |
1682 | 0 | PSA_KEY_USAGE_VERIFY_HASH | |
1683 | 0 | PSA_KEY_USAGE_VERIFY_DERIVATION | |
1684 | 0 | PSA_KEY_USAGE_DERIVE)) != 0) { |
1685 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
1686 | 0 | } |
1687 | | |
1688 | 0 | return PSA_SUCCESS; |
1689 | 0 | } |
1690 | | |
1691 | | /** Validate the internal consistency of key attributes. |
1692 | | * |
1693 | | * This function only rejects invalid attribute values. If does not |
1694 | | * validate the consistency of the attributes with any key data that may |
1695 | | * be involved in the creation of the key. |
1696 | | * |
1697 | | * Call this function early in the key creation process. |
1698 | | * |
1699 | | * \param[in] attributes Key attributes for the new key. |
1700 | | * \param[out] p_drv On any return, the driver for the key, if any. |
1701 | | * NULL for a transparent key. |
1702 | | * |
1703 | | */ |
1704 | | static psa_status_t psa_validate_key_attributes( |
1705 | | const psa_key_attributes_t *attributes, |
1706 | | psa_se_drv_table_entry_t **p_drv) |
1707 | 0 | { |
1708 | 0 | psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; |
1709 | 0 | psa_key_lifetime_t lifetime = psa_get_key_lifetime(attributes); |
1710 | 0 | mbedtls_svc_key_id_t key = psa_get_key_id(attributes); |
1711 | |
|
1712 | 0 | status = psa_validate_key_location(lifetime, p_drv); |
1713 | 0 | if (status != PSA_SUCCESS) { |
1714 | 0 | return status; |
1715 | 0 | } |
1716 | | |
1717 | 0 | status = psa_validate_key_persistence(lifetime); |
1718 | 0 | if (status != PSA_SUCCESS) { |
1719 | 0 | return status; |
1720 | 0 | } |
1721 | | |
1722 | 0 | if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) { |
1723 | 0 | if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key) != 0) { |
1724 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
1725 | 0 | } |
1726 | 0 | } else { |
1727 | 0 | if (!psa_is_valid_key_id(psa_get_key_id(attributes), 0)) { |
1728 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
1729 | 0 | } |
1730 | 0 | } |
1731 | | |
1732 | 0 | status = psa_validate_key_policy(&attributes->policy); |
1733 | 0 | if (status != PSA_SUCCESS) { |
1734 | 0 | return status; |
1735 | 0 | } |
1736 | | |
1737 | | /* Refuse to create overly large keys. |
1738 | | * Note that this doesn't trigger on import if the attributes don't |
1739 | | * explicitly specify a size (so psa_get_key_bits returns 0), so |
1740 | | * psa_import_key() needs its own checks. */ |
1741 | 0 | if (psa_get_key_bits(attributes) > PSA_MAX_KEY_BITS) { |
1742 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
1743 | 0 | } |
1744 | | |
1745 | 0 | return PSA_SUCCESS; |
1746 | 0 | } |
1747 | | |
1748 | | /** Prepare a key slot to receive key material. |
1749 | | * |
1750 | | * This function allocates a key slot and sets its metadata. |
1751 | | * |
1752 | | * If this function fails, call psa_fail_key_creation(). |
1753 | | * |
1754 | | * This function is intended to be used as follows: |
1755 | | * -# Call psa_start_key_creation() to allocate a key slot, prepare |
1756 | | * it with the specified attributes, and in case of a volatile key assign it |
1757 | | * a volatile key identifier. |
1758 | | * -# Populate the slot with the key material. |
1759 | | * -# Call psa_finish_key_creation() to finalize the creation of the slot. |
1760 | | * In case of failure at any step, stop the sequence and call |
1761 | | * psa_fail_key_creation(). |
1762 | | * |
1763 | | * On success, the key slot's state is PSA_SLOT_FILLING. |
1764 | | * It is the responsibility of the caller to change the slot's state to |
1765 | | * PSA_SLOT_EMPTY/FULL once key creation has finished. |
1766 | | * |
1767 | | * \param method An identification of the calling function. |
1768 | | * \param[in] attributes Key attributes for the new key. |
1769 | | * \param[out] p_slot On success, a pointer to the prepared slot. |
1770 | | * \param[out] p_drv On any return, the driver for the key, if any. |
1771 | | * NULL for a transparent key. |
1772 | | * |
1773 | | * \retval #PSA_SUCCESS |
1774 | | * The key slot is ready to receive key material. |
1775 | | * \return If this function fails, the key slot is an invalid state. |
1776 | | * You must call psa_fail_key_creation() to wipe and free the slot. |
1777 | | */ |
1778 | | static psa_status_t psa_start_key_creation( |
1779 | | psa_key_creation_method_t method, |
1780 | | const psa_key_attributes_t *attributes, |
1781 | | psa_key_slot_t **p_slot, |
1782 | | psa_se_drv_table_entry_t **p_drv) |
1783 | 0 | { |
1784 | 0 | psa_status_t status; |
1785 | |
|
1786 | 0 | (void) method; |
1787 | 0 | *p_drv = NULL; |
1788 | |
|
1789 | 0 | status = psa_validate_key_attributes(attributes, p_drv); |
1790 | 0 | if (status != PSA_SUCCESS) { |
1791 | 0 | return status; |
1792 | 0 | } |
1793 | | |
1794 | 0 | int key_is_volatile = PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime); |
1795 | 0 | psa_key_id_t volatile_key_id; |
1796 | |
|
1797 | 0 | #if defined(MBEDTLS_THREADING_C) |
1798 | 0 | PSA_THREADING_CHK_RET(mbedtls_mutex_lock( |
1799 | 0 | &mbedtls_threading_key_slot_mutex)); |
1800 | 0 | #endif |
1801 | 0 | status = psa_reserve_free_key_slot( |
1802 | 0 | key_is_volatile ? &volatile_key_id : NULL, |
1803 | 0 | p_slot); |
1804 | 0 | #if defined(MBEDTLS_THREADING_C) |
1805 | 0 | PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( |
1806 | 0 | &mbedtls_threading_key_slot_mutex)); |
1807 | 0 | #endif |
1808 | 0 | if (status != PSA_SUCCESS) { |
1809 | 0 | return status; |
1810 | 0 | } |
1811 | 0 | psa_key_slot_t *slot = *p_slot; |
1812 | | |
1813 | | /* We're storing the declared bit-size of the key. It's up to each |
1814 | | * creation mechanism to verify that this information is correct. |
1815 | | * It's automatically correct for mechanisms that use the bit-size as |
1816 | | * an input (generate, device) but not for those where the bit-size |
1817 | | * is optional (import, copy). In case of a volatile key, assign it the |
1818 | | * volatile key identifier associated to the slot returned to contain its |
1819 | | * definition. */ |
1820 | |
|
1821 | 0 | slot->attr = *attributes; |
1822 | 0 | if (key_is_volatile) { |
1823 | 0 | #if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) |
1824 | 0 | slot->attr.id = volatile_key_id; |
1825 | | #else |
1826 | | slot->attr.id.key_id = volatile_key_id; |
1827 | | #endif |
1828 | 0 | } |
1829 | |
|
1830 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
1831 | | /* For a key in a secure element, we need to do three things |
1832 | | * when creating or registering a persistent key: |
1833 | | * create the key file in internal storage, create the |
1834 | | * key inside the secure element, and update the driver's |
1835 | | * persistent data. This is done by starting a transaction that will |
1836 | | * encompass these three actions. |
1837 | | * For registering a volatile key, we just need to find an appropriate |
1838 | | * slot number inside the SE. Since the key is designated volatile, creating |
1839 | | * a transaction is not required. */ |
1840 | | /* The first thing to do is to find a slot number for the new key. |
1841 | | * We save the slot number in persistent storage as part of the |
1842 | | * transaction data. It will be needed to recover if the power |
1843 | | * fails during the key creation process, to clean up on the secure |
1844 | | * element side after restarting. Obtaining a slot number from the |
1845 | | * secure element driver updates its persistent state, but we do not yet |
1846 | | * save the driver's persistent state, so that if the power fails, |
1847 | | * we can roll back to a state where the key doesn't exist. */ |
1848 | 0 | if (*p_drv != NULL) { |
1849 | 0 | psa_key_slot_number_t slot_number; |
1850 | 0 | status = psa_find_se_slot_for_key(attributes, method, *p_drv, |
1851 | 0 | &slot_number); |
1852 | 0 | if (status != PSA_SUCCESS) { |
1853 | 0 | return status; |
1854 | 0 | } |
1855 | | |
1856 | 0 | if (!PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime)) { |
1857 | 0 | psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_CREATE_KEY); |
1858 | 0 | psa_crypto_transaction.key.lifetime = slot->attr.lifetime; |
1859 | 0 | psa_crypto_transaction.key.slot = slot_number; |
1860 | 0 | psa_crypto_transaction.key.id = slot->attr.id; |
1861 | 0 | status = psa_crypto_save_transaction(); |
1862 | 0 | if (status != PSA_SUCCESS) { |
1863 | 0 | (void) psa_crypto_stop_transaction(); |
1864 | 0 | return status; |
1865 | 0 | } |
1866 | 0 | } |
1867 | | |
1868 | 0 | status = psa_copy_key_material_into_slot( |
1869 | 0 | slot, (uint8_t *) (&slot_number), sizeof(slot_number)); |
1870 | 0 | if (status != PSA_SUCCESS) { |
1871 | 0 | return status; |
1872 | 0 | } |
1873 | 0 | } |
1874 | | |
1875 | 0 | if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) { |
1876 | | /* Key registration only makes sense with a secure element. */ |
1877 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
1878 | 0 | } |
1879 | 0 | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
1880 | | |
1881 | 0 | return PSA_SUCCESS; |
1882 | 0 | } |
1883 | | |
1884 | | /** Finalize the creation of a key once its key material has been set. |
1885 | | * |
1886 | | * This entails writing the key to persistent storage. |
1887 | | * |
1888 | | * If this function fails, call psa_fail_key_creation(). |
1889 | | * See the documentation of psa_start_key_creation() for the intended use |
1890 | | * of this function. |
1891 | | * |
1892 | | * If the finalization succeeds, the function sets the key slot's state to |
1893 | | * PSA_SLOT_FULL, and the key slot can no longer be accessed as part of the |
1894 | | * key creation process. |
1895 | | * |
1896 | | * \param[in,out] slot Pointer to the slot with key material. |
1897 | | * \param[in] driver The secure element driver for the key, |
1898 | | * or NULL for a transparent key. |
1899 | | * \param[out] key On success, identifier of the key. Note that the |
1900 | | * key identifier is also stored in the key slot. |
1901 | | * |
1902 | | * \retval #PSA_SUCCESS |
1903 | | * The key was successfully created. |
1904 | | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription |
1905 | | * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription |
1906 | | * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription |
1907 | | * \retval #PSA_ERROR_DATA_INVALID \emptydescription |
1908 | | * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription |
1909 | | * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription |
1910 | | * |
1911 | | * \return If this function fails, the key slot is an invalid state. |
1912 | | * You must call psa_fail_key_creation() to wipe and free the slot. |
1913 | | */ |
1914 | | static psa_status_t psa_finish_key_creation( |
1915 | | psa_key_slot_t *slot, |
1916 | | psa_se_drv_table_entry_t *driver, |
1917 | | mbedtls_svc_key_id_t *key) |
1918 | 0 | { |
1919 | 0 | psa_status_t status = PSA_SUCCESS; |
1920 | 0 | (void) slot; |
1921 | 0 | (void) driver; |
1922 | |
|
1923 | 0 | #if defined(MBEDTLS_THREADING_C) |
1924 | 0 | PSA_THREADING_CHK_RET(mbedtls_mutex_lock( |
1925 | 0 | &mbedtls_threading_key_slot_mutex)); |
1926 | 0 | #endif |
1927 | |
|
1928 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) |
1929 | 0 | if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) { |
1930 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
1931 | 0 | if (driver != NULL) { |
1932 | 0 | psa_se_key_data_storage_t data; |
1933 | 0 | psa_key_slot_number_t slot_number = |
1934 | 0 | psa_key_slot_get_slot_number(slot); |
1935 | |
|
1936 | 0 | MBEDTLS_STATIC_ASSERT(sizeof(slot_number) == |
1937 | 0 | sizeof(data.slot_number), |
1938 | 0 | "Slot number size does not match psa_se_key_data_storage_t"); |
1939 | |
|
1940 | 0 | memcpy(&data.slot_number, &slot_number, sizeof(slot_number)); |
1941 | 0 | status = psa_save_persistent_key(&slot->attr, |
1942 | 0 | (uint8_t *) &data, |
1943 | 0 | sizeof(data)); |
1944 | 0 | } else |
1945 | 0 | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
1946 | 0 | { |
1947 | | /* Key material is saved in export representation in the slot, so |
1948 | | * just pass the slot buffer for storage. */ |
1949 | 0 | status = psa_save_persistent_key(&slot->attr, |
1950 | 0 | slot->key.data, |
1951 | 0 | slot->key.bytes); |
1952 | 0 | } |
1953 | 0 | } |
1954 | 0 | #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ |
1955 | |
|
1956 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
1957 | | /* Finish the transaction for a key creation. This does not |
1958 | | * happen when registering an existing key. Detect this case |
1959 | | * by checking whether a transaction is in progress (actual |
1960 | | * creation of a persistent key in a secure element requires a transaction, |
1961 | | * but registration or volatile key creation doesn't use one). */ |
1962 | 0 | if (driver != NULL && |
1963 | 0 | psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY) { |
1964 | 0 | status = psa_save_se_persistent_data(driver); |
1965 | 0 | if (status != PSA_SUCCESS) { |
1966 | 0 | psa_destroy_persistent_key(slot->attr.id); |
1967 | |
|
1968 | 0 | #if defined(MBEDTLS_THREADING_C) |
1969 | 0 | PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( |
1970 | 0 | &mbedtls_threading_key_slot_mutex)); |
1971 | 0 | #endif |
1972 | 0 | return status; |
1973 | 0 | } |
1974 | 0 | status = psa_crypto_stop_transaction(); |
1975 | 0 | } |
1976 | 0 | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
1977 | | |
1978 | 0 | if (status == PSA_SUCCESS) { |
1979 | 0 | *key = slot->attr.id; |
1980 | 0 | status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING, |
1981 | 0 | PSA_SLOT_FULL); |
1982 | 0 | if (status != PSA_SUCCESS) { |
1983 | 0 | *key = MBEDTLS_SVC_KEY_ID_INIT; |
1984 | 0 | } |
1985 | 0 | } |
1986 | |
|
1987 | 0 | #if defined(MBEDTLS_THREADING_C) |
1988 | 0 | PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( |
1989 | 0 | &mbedtls_threading_key_slot_mutex)); |
1990 | 0 | #endif |
1991 | 0 | return status; |
1992 | 0 | } |
1993 | | |
1994 | | /** Abort the creation of a key. |
1995 | | * |
1996 | | * You may call this function after calling psa_start_key_creation(), |
1997 | | * or after psa_finish_key_creation() fails. In other circumstances, this |
1998 | | * function may not clean up persistent storage. |
1999 | | * See the documentation of psa_start_key_creation() for the intended use |
2000 | | * of this function. Sets the slot's state to PSA_SLOT_EMPTY. |
2001 | | * |
2002 | | * \param[in,out] slot Pointer to the slot with key material. |
2003 | | * \param[in] driver The secure element driver for the key, |
2004 | | * or NULL for a transparent key. |
2005 | | */ |
2006 | | static void psa_fail_key_creation(psa_key_slot_t *slot, |
2007 | | psa_se_drv_table_entry_t *driver) |
2008 | 0 | { |
2009 | 0 | (void) driver; |
2010 | |
|
2011 | 0 | if (slot == NULL) { |
2012 | 0 | return; |
2013 | 0 | } |
2014 | | |
2015 | 0 | #if defined(MBEDTLS_THREADING_C) |
2016 | | /* If the lock operation fails we still wipe the slot. |
2017 | | * Operations will no longer work after a failed lock, |
2018 | | * but we still need to wipe the slot of confidential data. */ |
2019 | 0 | mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex); |
2020 | 0 | #endif |
2021 | |
|
2022 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
2023 | | /* TODO: If the key has already been created in the secure |
2024 | | * element, and the failure happened later (when saving metadata |
2025 | | * to internal storage), we need to destroy the key in the secure |
2026 | | * element. |
2027 | | * https://github.com/ARMmbed/mbed-crypto/issues/217 |
2028 | | */ |
2029 | | |
2030 | | /* Abort the ongoing transaction if any (there may not be one if |
2031 | | * the creation process failed before starting one, or if the |
2032 | | * key creation is a registration of a key in a secure element). |
2033 | | * Earlier functions must already have done what it takes to undo any |
2034 | | * partial creation. All that's left is to update the transaction data |
2035 | | * itself. */ |
2036 | 0 | (void) psa_crypto_stop_transaction(); |
2037 | 0 | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
2038 | |
|
2039 | 0 | psa_wipe_key_slot(slot); |
2040 | |
|
2041 | 0 | #if defined(MBEDTLS_THREADING_C) |
2042 | 0 | mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex); |
2043 | 0 | #endif |
2044 | 0 | } |
2045 | | |
2046 | | /** Validate optional attributes during key creation. |
2047 | | * |
2048 | | * Some key attributes are optional during key creation. If they are |
2049 | | * specified in the attributes structure, check that they are consistent |
2050 | | * with the data in the slot. |
2051 | | * |
2052 | | * This function should be called near the end of key creation, after |
2053 | | * the slot in memory is fully populated but before saving persistent data. |
2054 | | */ |
2055 | | static psa_status_t psa_validate_optional_attributes( |
2056 | | const psa_key_slot_t *slot, |
2057 | | const psa_key_attributes_t *attributes) |
2058 | 0 | { |
2059 | 0 | if (attributes->type != 0) { |
2060 | 0 | if (attributes->type != slot->attr.type) { |
2061 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
2062 | 0 | } |
2063 | 0 | } |
2064 | | |
2065 | 0 | if (attributes->bits != 0) { |
2066 | 0 | if (attributes->bits != slot->attr.bits) { |
2067 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
2068 | 0 | } |
2069 | 0 | } |
2070 | | |
2071 | 0 | return PSA_SUCCESS; |
2072 | 0 | } |
2073 | | |
2074 | | psa_status_t psa_import_key(const psa_key_attributes_t *attributes, |
2075 | | const uint8_t *data_external, |
2076 | | size_t data_length, |
2077 | | mbedtls_svc_key_id_t *key) |
2078 | 0 | { |
2079 | 0 | psa_status_t status; |
2080 | 0 | LOCAL_INPUT_DECLARE(data_external, data); |
2081 | 0 | psa_key_slot_t *slot = NULL; |
2082 | 0 | psa_se_drv_table_entry_t *driver = NULL; |
2083 | 0 | size_t bits; |
2084 | 0 | size_t storage_size = data_length; |
2085 | |
|
2086 | 0 | *key = MBEDTLS_SVC_KEY_ID_INIT; |
2087 | | |
2088 | | /* Reject zero-length symmetric keys (including raw data key objects). |
2089 | | * This also rejects any key which might be encoded as an empty string, |
2090 | | * which is never valid. */ |
2091 | 0 | if (data_length == 0) { |
2092 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
2093 | 0 | } |
2094 | | |
2095 | | /* Ensure that the bytes-to-bits conversion cannot overflow. */ |
2096 | 0 | if (data_length > SIZE_MAX / 8) { |
2097 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
2098 | 0 | } |
2099 | | |
2100 | 0 | LOCAL_INPUT_ALLOC(data_external, data_length, data); |
2101 | |
|
2102 | 0 | status = psa_start_key_creation(PSA_KEY_CREATION_IMPORT, attributes, |
2103 | 0 | &slot, &driver); |
2104 | 0 | if (status != PSA_SUCCESS) { |
2105 | 0 | goto exit; |
2106 | 0 | } |
2107 | | |
2108 | | /* In the case of a transparent key or an opaque key stored in local |
2109 | | * storage ( thus not in the case of importing a key in a secure element |
2110 | | * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a |
2111 | | * buffer to hold the imported key material. */ |
2112 | 0 | if (slot->key.bytes == 0) { |
2113 | 0 | if (psa_key_lifetime_is_external(attributes->lifetime)) { |
2114 | 0 | status = psa_driver_wrapper_get_key_buffer_size_from_key_data( |
2115 | 0 | attributes, data, data_length, &storage_size); |
2116 | 0 | if (status != PSA_SUCCESS) { |
2117 | 0 | goto exit; |
2118 | 0 | } |
2119 | 0 | } |
2120 | 0 | status = psa_allocate_buffer_to_slot(slot, storage_size); |
2121 | 0 | if (status != PSA_SUCCESS) { |
2122 | 0 | goto exit; |
2123 | 0 | } |
2124 | 0 | } |
2125 | | |
2126 | 0 | bits = slot->attr.bits; |
2127 | 0 | status = psa_driver_wrapper_import_key(attributes, |
2128 | 0 | data, data_length, |
2129 | 0 | slot->key.data, |
2130 | 0 | slot->key.bytes, |
2131 | 0 | &slot->key.bytes, &bits); |
2132 | 0 | if (status != PSA_SUCCESS) { |
2133 | 0 | goto exit; |
2134 | 0 | } |
2135 | | |
2136 | 0 | if (slot->attr.bits == 0) { |
2137 | 0 | slot->attr.bits = (psa_key_bits_t) bits; |
2138 | 0 | } else if (bits != slot->attr.bits) { |
2139 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
2140 | 0 | goto exit; |
2141 | 0 | } |
2142 | | |
2143 | | /* Enforce a size limit, and in particular ensure that the bit |
2144 | | * size fits in its representation type.*/ |
2145 | 0 | if (bits > PSA_MAX_KEY_BITS) { |
2146 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
2147 | 0 | goto exit; |
2148 | 0 | } |
2149 | 0 | status = psa_validate_optional_attributes(slot, attributes); |
2150 | 0 | if (status != PSA_SUCCESS) { |
2151 | 0 | goto exit; |
2152 | 0 | } |
2153 | | |
2154 | 0 | status = psa_finish_key_creation(slot, driver, key); |
2155 | 0 | exit: |
2156 | 0 | LOCAL_INPUT_FREE(data_external, data); |
2157 | 0 | if (status != PSA_SUCCESS) { |
2158 | 0 | psa_fail_key_creation(slot, driver); |
2159 | 0 | } |
2160 | |
|
2161 | 0 | return status; |
2162 | 0 | } |
2163 | | |
2164 | | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
2165 | | psa_status_t mbedtls_psa_register_se_key( |
2166 | | const psa_key_attributes_t *attributes) |
2167 | 0 | { |
2168 | 0 | psa_status_t status; |
2169 | 0 | psa_key_slot_t *slot = NULL; |
2170 | 0 | psa_se_drv_table_entry_t *driver = NULL; |
2171 | 0 | mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; |
2172 | | |
2173 | | /* Leaving attributes unspecified is not currently supported. |
2174 | | * It could make sense to query the key type and size from the |
2175 | | * secure element, but not all secure elements support this |
2176 | | * and the driver HAL doesn't currently support it. */ |
2177 | 0 | if (psa_get_key_type(attributes) == PSA_KEY_TYPE_NONE) { |
2178 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
2179 | 0 | } |
2180 | 0 | if (psa_get_key_bits(attributes) == 0) { |
2181 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
2182 | 0 | } |
2183 | | |
2184 | | /* Not usable with volatile keys, even with an appropriate location, |
2185 | | * due to the API design. |
2186 | | * https://github.com/Mbed-TLS/mbedtls/issues/9253 |
2187 | | */ |
2188 | 0 | if (PSA_KEY_LIFETIME_IS_VOLATILE(psa_get_key_lifetime(attributes))) { |
2189 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
2190 | 0 | } |
2191 | | |
2192 | 0 | status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes, |
2193 | 0 | &slot, &driver); |
2194 | 0 | if (status != PSA_SUCCESS) { |
2195 | 0 | goto exit; |
2196 | 0 | } |
2197 | | |
2198 | 0 | status = psa_finish_key_creation(slot, driver, &key); |
2199 | |
|
2200 | 0 | exit: |
2201 | 0 | if (status != PSA_SUCCESS) { |
2202 | 0 | psa_fail_key_creation(slot, driver); |
2203 | 0 | } |
2204 | | |
2205 | | /* Registration doesn't keep the key in RAM. */ |
2206 | 0 | psa_close_key(key); |
2207 | 0 | return status; |
2208 | 0 | } |
2209 | | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
2210 | | |
2211 | | psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key, |
2212 | | const psa_key_attributes_t *specified_attributes, |
2213 | | mbedtls_svc_key_id_t *target_key) |
2214 | 0 | { |
2215 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2216 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
2217 | 0 | psa_key_slot_t *source_slot = NULL; |
2218 | 0 | psa_key_slot_t *target_slot = NULL; |
2219 | 0 | psa_key_attributes_t actual_attributes = *specified_attributes; |
2220 | 0 | psa_se_drv_table_entry_t *driver = NULL; |
2221 | 0 | size_t storage_size = 0; |
2222 | |
|
2223 | 0 | *target_key = MBEDTLS_SVC_KEY_ID_INIT; |
2224 | |
|
2225 | 0 | status = psa_get_and_lock_key_slot_with_policy( |
2226 | 0 | source_key, &source_slot, PSA_KEY_USAGE_COPY, 0); |
2227 | 0 | if (status != PSA_SUCCESS) { |
2228 | 0 | goto exit; |
2229 | 0 | } |
2230 | | |
2231 | 0 | status = psa_validate_optional_attributes(source_slot, |
2232 | 0 | specified_attributes); |
2233 | 0 | if (status != PSA_SUCCESS) { |
2234 | 0 | goto exit; |
2235 | 0 | } |
2236 | | |
2237 | | /* The target key type and number of bits have been validated by |
2238 | | * psa_validate_optional_attributes() to be either equal to zero or |
2239 | | * equal to the ones of the source key. So it is safe to inherit |
2240 | | * them from the source key now." |
2241 | | * */ |
2242 | 0 | actual_attributes.bits = source_slot->attr.bits; |
2243 | 0 | actual_attributes.type = source_slot->attr.type; |
2244 | | |
2245 | |
|
2246 | 0 | status = psa_restrict_key_policy(source_slot->attr.type, |
2247 | 0 | &actual_attributes.policy, |
2248 | 0 | &source_slot->attr.policy); |
2249 | 0 | if (status != PSA_SUCCESS) { |
2250 | 0 | goto exit; |
2251 | 0 | } |
2252 | | |
2253 | 0 | status = psa_start_key_creation(PSA_KEY_CREATION_COPY, &actual_attributes, |
2254 | 0 | &target_slot, &driver); |
2255 | 0 | if (status != PSA_SUCCESS) { |
2256 | 0 | goto exit; |
2257 | 0 | } |
2258 | 0 | if (PSA_KEY_LIFETIME_GET_LOCATION(target_slot->attr.lifetime) != |
2259 | 0 | PSA_KEY_LIFETIME_GET_LOCATION(source_slot->attr.lifetime)) { |
2260 | | /* |
2261 | | * If the source and target keys are stored in different locations, |
2262 | | * the source key would need to be exported as plaintext and re-imported |
2263 | | * in the other location. This has security implications which have not |
2264 | | * been fully mapped. For now, this can be achieved through |
2265 | | * appropriate API invocations from the application, if needed. |
2266 | | * */ |
2267 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
2268 | 0 | goto exit; |
2269 | 0 | } |
2270 | | /* |
2271 | | * When the source and target keys are within the same location, |
2272 | | * - For transparent keys it is a blind copy without any driver invocation, |
2273 | | * - For opaque keys this translates to an invocation of the drivers' |
2274 | | * copy_key entry point through the dispatch layer. |
2275 | | * */ |
2276 | 0 | if (psa_key_lifetime_is_external(actual_attributes.lifetime)) { |
2277 | 0 | status = psa_driver_wrapper_get_key_buffer_size(&actual_attributes, |
2278 | 0 | &storage_size); |
2279 | 0 | if (status != PSA_SUCCESS) { |
2280 | 0 | goto exit; |
2281 | 0 | } |
2282 | | |
2283 | 0 | status = psa_allocate_buffer_to_slot(target_slot, storage_size); |
2284 | 0 | if (status != PSA_SUCCESS) { |
2285 | 0 | goto exit; |
2286 | 0 | } |
2287 | | |
2288 | 0 | status = psa_driver_wrapper_copy_key(&actual_attributes, |
2289 | 0 | source_slot->key.data, |
2290 | 0 | source_slot->key.bytes, |
2291 | 0 | target_slot->key.data, |
2292 | 0 | target_slot->key.bytes, |
2293 | 0 | &target_slot->key.bytes); |
2294 | 0 | if (status != PSA_SUCCESS) { |
2295 | 0 | goto exit; |
2296 | 0 | } |
2297 | 0 | } else { |
2298 | 0 | status = psa_copy_key_material_into_slot(target_slot, |
2299 | 0 | source_slot->key.data, |
2300 | 0 | source_slot->key.bytes); |
2301 | 0 | if (status != PSA_SUCCESS) { |
2302 | 0 | goto exit; |
2303 | 0 | } |
2304 | 0 | } |
2305 | 0 | status = psa_finish_key_creation(target_slot, driver, target_key); |
2306 | 0 | exit: |
2307 | 0 | if (status != PSA_SUCCESS) { |
2308 | 0 | psa_fail_key_creation(target_slot, driver); |
2309 | 0 | } |
2310 | |
|
2311 | 0 | unlock_status = psa_unregister_read_under_mutex(source_slot); |
2312 | |
|
2313 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
2314 | 0 | } |
2315 | | |
2316 | | |
2317 | | |
2318 | | /****************************************************************/ |
2319 | | /* Message digests */ |
2320 | | /****************************************************************/ |
2321 | | |
2322 | | static int is_hash_supported(psa_algorithm_t alg) |
2323 | 0 | { |
2324 | 0 | switch (alg) { |
2325 | 0 | #if defined(PSA_WANT_ALG_MD5) |
2326 | 0 | case PSA_ALG_MD5: |
2327 | 0 | return 1; |
2328 | 0 | #endif |
2329 | 0 | #if defined(PSA_WANT_ALG_RIPEMD160) |
2330 | 0 | case PSA_ALG_RIPEMD160: |
2331 | 0 | return 1; |
2332 | 0 | #endif |
2333 | 0 | #if defined(PSA_WANT_ALG_SHA_1) |
2334 | 0 | case PSA_ALG_SHA_1: |
2335 | 0 | return 1; |
2336 | 0 | #endif |
2337 | 0 | #if defined(PSA_WANT_ALG_SHA_224) |
2338 | 0 | case PSA_ALG_SHA_224: |
2339 | 0 | return 1; |
2340 | 0 | #endif |
2341 | 0 | #if defined(PSA_WANT_ALG_SHA_256) |
2342 | 0 | case PSA_ALG_SHA_256: |
2343 | 0 | return 1; |
2344 | 0 | #endif |
2345 | 0 | #if defined(PSA_WANT_ALG_SHA_384) |
2346 | 0 | case PSA_ALG_SHA_384: |
2347 | 0 | return 1; |
2348 | 0 | #endif |
2349 | 0 | #if defined(PSA_WANT_ALG_SHA_512) |
2350 | 0 | case PSA_ALG_SHA_512: |
2351 | 0 | return 1; |
2352 | 0 | #endif |
2353 | 0 | #if defined(PSA_WANT_ALG_SHA3_224) |
2354 | 0 | case PSA_ALG_SHA3_224: |
2355 | 0 | return 1; |
2356 | 0 | #endif |
2357 | 0 | #if defined(PSA_WANT_ALG_SHA3_256) |
2358 | 0 | case PSA_ALG_SHA3_256: |
2359 | 0 | return 1; |
2360 | 0 | #endif |
2361 | 0 | #if defined(PSA_WANT_ALG_SHA3_384) |
2362 | 0 | case PSA_ALG_SHA3_384: |
2363 | 0 | return 1; |
2364 | 0 | #endif |
2365 | 0 | #if defined(PSA_WANT_ALG_SHA3_512) |
2366 | 0 | case PSA_ALG_SHA3_512: |
2367 | 0 | return 1; |
2368 | 0 | #endif |
2369 | 0 | default: |
2370 | 0 | return 0; |
2371 | 0 | } |
2372 | 0 | } |
2373 | | |
2374 | | psa_status_t psa_hash_abort(psa_hash_operation_t *operation) |
2375 | 0 | { |
2376 | | /* Aborting a non-active operation is allowed */ |
2377 | 0 | if (operation->id == 0) { |
2378 | 0 | return PSA_SUCCESS; |
2379 | 0 | } |
2380 | | |
2381 | 0 | psa_status_t status = psa_driver_wrapper_hash_abort(operation); |
2382 | 0 | operation->id = 0; |
2383 | |
|
2384 | 0 | return status; |
2385 | 0 | } |
2386 | | |
2387 | | psa_status_t psa_hash_setup(psa_hash_operation_t *operation, |
2388 | | psa_algorithm_t alg) |
2389 | 0 | { |
2390 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2391 | | |
2392 | | /* A context must be freshly initialized before it can be set up. */ |
2393 | 0 | if (operation->id != 0) { |
2394 | 0 | status = PSA_ERROR_BAD_STATE; |
2395 | 0 | goto exit; |
2396 | 0 | } |
2397 | | |
2398 | 0 | if (!PSA_ALG_IS_HASH(alg)) { |
2399 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
2400 | 0 | goto exit; |
2401 | 0 | } |
2402 | | |
2403 | | /* Ensure all of the context is zeroized, since PSA_HASH_OPERATION_INIT only |
2404 | | * directly zeroes the int-sized dummy member of the context union. */ |
2405 | 0 | memset(&operation->ctx, 0, sizeof(operation->ctx)); |
2406 | |
|
2407 | 0 | status = psa_driver_wrapper_hash_setup(operation, alg); |
2408 | |
|
2409 | 0 | exit: |
2410 | 0 | if (status != PSA_SUCCESS) { |
2411 | 0 | psa_hash_abort(operation); |
2412 | 0 | } |
2413 | |
|
2414 | 0 | return status; |
2415 | 0 | } |
2416 | | |
2417 | | psa_status_t psa_hash_update(psa_hash_operation_t *operation, |
2418 | | const uint8_t *input_external, |
2419 | | size_t input_length) |
2420 | 0 | { |
2421 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2422 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
2423 | |
|
2424 | 0 | if (operation->id == 0) { |
2425 | 0 | status = PSA_ERROR_BAD_STATE; |
2426 | 0 | goto exit; |
2427 | 0 | } |
2428 | | |
2429 | | /* Don't require hash implementations to behave correctly on a |
2430 | | * zero-length input, which may have an invalid pointer. */ |
2431 | 0 | if (input_length == 0) { |
2432 | 0 | return PSA_SUCCESS; |
2433 | 0 | } |
2434 | | |
2435 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
2436 | 0 | status = psa_driver_wrapper_hash_update(operation, input, input_length); |
2437 | |
|
2438 | 0 | exit: |
2439 | 0 | if (status != PSA_SUCCESS) { |
2440 | 0 | psa_hash_abort(operation); |
2441 | 0 | } |
2442 | |
|
2443 | 0 | LOCAL_INPUT_FREE(input_external, input); |
2444 | 0 | return status; |
2445 | 0 | } |
2446 | | |
2447 | | static psa_status_t psa_hash_finish_internal(psa_hash_operation_t *operation, |
2448 | | uint8_t *hash, |
2449 | | size_t hash_size, |
2450 | | size_t *hash_length) |
2451 | 0 | { |
2452 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2453 | |
|
2454 | 0 | *hash_length = 0; |
2455 | 0 | if (operation->id == 0) { |
2456 | 0 | return PSA_ERROR_BAD_STATE; |
2457 | 0 | } |
2458 | | |
2459 | 0 | status = psa_driver_wrapper_hash_finish( |
2460 | 0 | operation, hash, hash_size, hash_length); |
2461 | 0 | psa_hash_abort(operation); |
2462 | |
|
2463 | 0 | return status; |
2464 | 0 | } |
2465 | | |
2466 | | psa_status_t psa_hash_finish(psa_hash_operation_t *operation, |
2467 | | uint8_t *hash_external, |
2468 | | size_t hash_size, |
2469 | | size_t *hash_length) |
2470 | 0 | { |
2471 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2472 | 0 | LOCAL_OUTPUT_DECLARE(hash_external, hash); |
2473 | |
|
2474 | 0 | LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash); |
2475 | 0 | status = psa_hash_finish_internal(operation, hash, hash_size, hash_length); |
2476 | |
|
2477 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
2478 | 0 | exit: |
2479 | 0 | #endif |
2480 | 0 | LOCAL_OUTPUT_FREE(hash_external, hash); |
2481 | 0 | return status; |
2482 | 0 | } |
2483 | | |
2484 | | psa_status_t psa_hash_verify(psa_hash_operation_t *operation, |
2485 | | const uint8_t *hash_external, |
2486 | | size_t hash_length) |
2487 | 0 | { |
2488 | 0 | uint8_t actual_hash[PSA_HASH_MAX_SIZE]; |
2489 | 0 | size_t actual_hash_length; |
2490 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2491 | 0 | LOCAL_INPUT_DECLARE(hash_external, hash); |
2492 | |
|
2493 | 0 | status = psa_hash_finish_internal( |
2494 | 0 | operation, |
2495 | 0 | actual_hash, sizeof(actual_hash), |
2496 | 0 | &actual_hash_length); |
2497 | |
|
2498 | 0 | if (status != PSA_SUCCESS) { |
2499 | 0 | goto exit; |
2500 | 0 | } |
2501 | | |
2502 | 0 | if (actual_hash_length != hash_length) { |
2503 | 0 | status = PSA_ERROR_INVALID_SIGNATURE; |
2504 | 0 | goto exit; |
2505 | 0 | } |
2506 | | |
2507 | 0 | LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); |
2508 | 0 | if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) { |
2509 | 0 | status = PSA_ERROR_INVALID_SIGNATURE; |
2510 | 0 | } |
2511 | |
|
2512 | 0 | exit: |
2513 | 0 | mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash)); |
2514 | 0 | if (status != PSA_SUCCESS) { |
2515 | 0 | psa_hash_abort(operation); |
2516 | 0 | } |
2517 | 0 | LOCAL_INPUT_FREE(hash_external, hash); |
2518 | 0 | return status; |
2519 | 0 | } |
2520 | | |
2521 | | psa_status_t psa_hash_compute(psa_algorithm_t alg, |
2522 | | const uint8_t *input_external, size_t input_length, |
2523 | | uint8_t *hash_external, size_t hash_size, |
2524 | | size_t *hash_length) |
2525 | 0 | { |
2526 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2527 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
2528 | 0 | LOCAL_OUTPUT_DECLARE(hash_external, hash); |
2529 | |
|
2530 | 0 | *hash_length = 0; |
2531 | 0 | if (!PSA_ALG_IS_HASH(alg)) { |
2532 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
2533 | 0 | } |
2534 | | |
2535 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
2536 | 0 | LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash); |
2537 | 0 | status = psa_driver_wrapper_hash_compute(alg, input, input_length, |
2538 | 0 | hash, hash_size, hash_length); |
2539 | |
|
2540 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
2541 | 0 | exit: |
2542 | 0 | #endif |
2543 | 0 | LOCAL_INPUT_FREE(input_external, input); |
2544 | 0 | LOCAL_OUTPUT_FREE(hash_external, hash); |
2545 | 0 | return status; |
2546 | 0 | } |
2547 | | |
2548 | | psa_status_t psa_hash_compare(psa_algorithm_t alg, |
2549 | | const uint8_t *input_external, size_t input_length, |
2550 | | const uint8_t *hash_external, size_t hash_length) |
2551 | 0 | { |
2552 | 0 | uint8_t actual_hash[PSA_HASH_MAX_SIZE]; |
2553 | 0 | size_t actual_hash_length; |
2554 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2555 | |
|
2556 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
2557 | 0 | LOCAL_INPUT_DECLARE(hash_external, hash); |
2558 | |
|
2559 | 0 | if (!PSA_ALG_IS_HASH(alg)) { |
2560 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
2561 | 0 | return status; |
2562 | 0 | } |
2563 | | |
2564 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
2565 | 0 | status = psa_driver_wrapper_hash_compute( |
2566 | 0 | alg, input, input_length, |
2567 | 0 | actual_hash, sizeof(actual_hash), |
2568 | 0 | &actual_hash_length); |
2569 | 0 | if (status != PSA_SUCCESS) { |
2570 | 0 | goto exit; |
2571 | 0 | } |
2572 | 0 | if (actual_hash_length != hash_length) { |
2573 | 0 | status = PSA_ERROR_INVALID_SIGNATURE; |
2574 | 0 | goto exit; |
2575 | 0 | } |
2576 | | |
2577 | 0 | LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); |
2578 | 0 | if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) { |
2579 | 0 | status = PSA_ERROR_INVALID_SIGNATURE; |
2580 | 0 | } |
2581 | |
|
2582 | 0 | exit: |
2583 | 0 | mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash)); |
2584 | |
|
2585 | 0 | LOCAL_INPUT_FREE(input_external, input); |
2586 | 0 | LOCAL_INPUT_FREE(hash_external, hash); |
2587 | |
|
2588 | 0 | return status; |
2589 | 0 | } |
2590 | | |
2591 | | psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation, |
2592 | | psa_hash_operation_t *target_operation) |
2593 | 0 | { |
2594 | 0 | if (source_operation->id == 0 || |
2595 | 0 | target_operation->id != 0) { |
2596 | 0 | return PSA_ERROR_BAD_STATE; |
2597 | 0 | } |
2598 | | |
2599 | 0 | psa_status_t status = psa_driver_wrapper_hash_clone(source_operation, |
2600 | 0 | target_operation); |
2601 | 0 | if (status != PSA_SUCCESS) { |
2602 | 0 | psa_hash_abort(target_operation); |
2603 | 0 | } |
2604 | |
|
2605 | 0 | return status; |
2606 | 0 | } |
2607 | | |
2608 | | |
2609 | | /****************************************************************/ |
2610 | | /* MAC */ |
2611 | | /****************************************************************/ |
2612 | | |
2613 | | psa_status_t psa_mac_abort(psa_mac_operation_t *operation) |
2614 | 0 | { |
2615 | | /* Aborting a non-active operation is allowed */ |
2616 | 0 | if (operation->id == 0) { |
2617 | 0 | return PSA_SUCCESS; |
2618 | 0 | } |
2619 | | |
2620 | 0 | psa_status_t status = psa_driver_wrapper_mac_abort(operation); |
2621 | 0 | operation->mac_size = 0; |
2622 | 0 | operation->is_sign = 0; |
2623 | 0 | operation->id = 0; |
2624 | |
|
2625 | 0 | return status; |
2626 | 0 | } |
2627 | | |
2628 | | static psa_status_t psa_mac_finalize_alg_and_key_validation( |
2629 | | psa_algorithm_t alg, |
2630 | | const psa_key_attributes_t *attributes, |
2631 | | uint8_t *mac_size) |
2632 | 0 | { |
2633 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2634 | 0 | psa_key_type_t key_type = psa_get_key_type(attributes); |
2635 | 0 | size_t key_bits = psa_get_key_bits(attributes); |
2636 | |
|
2637 | 0 | if (!PSA_ALG_IS_MAC(alg)) { |
2638 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
2639 | 0 | } |
2640 | | |
2641 | | /* Validate the combination of key type and algorithm */ |
2642 | 0 | status = psa_mac_key_can_do(alg, key_type); |
2643 | 0 | if (status != PSA_SUCCESS) { |
2644 | 0 | return status; |
2645 | 0 | } |
2646 | | |
2647 | | /* Get the output length for the algorithm and key combination */ |
2648 | 0 | *mac_size = PSA_MAC_LENGTH(key_type, key_bits, alg); |
2649 | |
|
2650 | 0 | if (*mac_size < 4) { |
2651 | | /* A very short MAC is too short for security since it can be |
2652 | | * brute-forced. Ancient protocols with 32-bit MACs do exist, |
2653 | | * so we make this our minimum, even though 32 bits is still |
2654 | | * too small for security. */ |
2655 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
2656 | 0 | } |
2657 | | |
2658 | 0 | if (*mac_size > PSA_MAC_LENGTH(key_type, key_bits, |
2659 | 0 | PSA_ALG_FULL_LENGTH_MAC(alg))) { |
2660 | | /* It's impossible to "truncate" to a larger length than the full length |
2661 | | * of the algorithm. */ |
2662 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
2663 | 0 | } |
2664 | | |
2665 | 0 | if (*mac_size > PSA_MAC_MAX_SIZE) { |
2666 | | /* PSA_MAC_LENGTH returns the correct length even for a MAC algorithm |
2667 | | * that is disabled in the compile-time configuration. The result can |
2668 | | * therefore be larger than PSA_MAC_MAX_SIZE, which does take the |
2669 | | * configuration into account. In this case, force a return of |
2670 | | * PSA_ERROR_NOT_SUPPORTED here. Otherwise psa_mac_verify(), or |
2671 | | * psa_mac_compute(mac_size=PSA_MAC_MAX_SIZE), would return |
2672 | | * PSA_ERROR_BUFFER_TOO_SMALL for an unsupported algorithm whose MAC size |
2673 | | * is larger than PSA_MAC_MAX_SIZE, which is misleading and which breaks |
2674 | | * systematically generated tests. */ |
2675 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
2676 | 0 | } |
2677 | | |
2678 | 0 | return PSA_SUCCESS; |
2679 | 0 | } |
2680 | | |
2681 | | static psa_status_t psa_mac_setup(psa_mac_operation_t *operation, |
2682 | | mbedtls_svc_key_id_t key, |
2683 | | psa_algorithm_t alg, |
2684 | | int is_sign) |
2685 | 0 | { |
2686 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2687 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
2688 | 0 | psa_key_slot_t *slot = NULL; |
2689 | | |
2690 | | /* A context must be freshly initialized before it can be set up. */ |
2691 | 0 | if (operation->id != 0) { |
2692 | 0 | status = PSA_ERROR_BAD_STATE; |
2693 | 0 | goto exit; |
2694 | 0 | } |
2695 | | |
2696 | 0 | status = psa_get_and_lock_key_slot_with_policy( |
2697 | 0 | key, |
2698 | 0 | &slot, |
2699 | 0 | is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE, |
2700 | 0 | alg); |
2701 | 0 | if (status != PSA_SUCCESS) { |
2702 | 0 | goto exit; |
2703 | 0 | } |
2704 | | |
2705 | 0 | status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr, |
2706 | 0 | &operation->mac_size); |
2707 | 0 | if (status != PSA_SUCCESS) { |
2708 | 0 | goto exit; |
2709 | 0 | } |
2710 | | |
2711 | 0 | operation->is_sign = is_sign; |
2712 | | /* Dispatch the MAC setup call with validated input */ |
2713 | 0 | if (is_sign) { |
2714 | 0 | status = psa_driver_wrapper_mac_sign_setup(operation, |
2715 | 0 | &slot->attr, |
2716 | 0 | slot->key.data, |
2717 | 0 | slot->key.bytes, |
2718 | 0 | alg); |
2719 | 0 | } else { |
2720 | 0 | status = psa_driver_wrapper_mac_verify_setup(operation, |
2721 | 0 | &slot->attr, |
2722 | 0 | slot->key.data, |
2723 | 0 | slot->key.bytes, |
2724 | 0 | alg); |
2725 | 0 | } |
2726 | |
|
2727 | 0 | exit: |
2728 | 0 | if (status != PSA_SUCCESS) { |
2729 | 0 | psa_mac_abort(operation); |
2730 | 0 | } |
2731 | |
|
2732 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
2733 | |
|
2734 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
2735 | 0 | } |
2736 | | |
2737 | | psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation, |
2738 | | mbedtls_svc_key_id_t key, |
2739 | | psa_algorithm_t alg) |
2740 | 0 | { |
2741 | 0 | return psa_mac_setup(operation, key, alg, 1); |
2742 | 0 | } |
2743 | | |
2744 | | psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation, |
2745 | | mbedtls_svc_key_id_t key, |
2746 | | psa_algorithm_t alg) |
2747 | 0 | { |
2748 | 0 | return psa_mac_setup(operation, key, alg, 0); |
2749 | 0 | } |
2750 | | |
2751 | | psa_status_t psa_mac_update(psa_mac_operation_t *operation, |
2752 | | const uint8_t *input_external, |
2753 | | size_t input_length) |
2754 | 0 | { |
2755 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2756 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
2757 | |
|
2758 | 0 | if (operation->id == 0) { |
2759 | 0 | status = PSA_ERROR_BAD_STATE; |
2760 | 0 | return status; |
2761 | 0 | } |
2762 | | |
2763 | | /* Don't require hash implementations to behave correctly on a |
2764 | | * zero-length input, which may have an invalid pointer. */ |
2765 | 0 | if (input_length == 0) { |
2766 | 0 | status = PSA_SUCCESS; |
2767 | 0 | return status; |
2768 | 0 | } |
2769 | | |
2770 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
2771 | 0 | status = psa_driver_wrapper_mac_update(operation, input, input_length); |
2772 | |
|
2773 | 0 | if (status != PSA_SUCCESS) { |
2774 | 0 | psa_mac_abort(operation); |
2775 | 0 | } |
2776 | |
|
2777 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
2778 | 0 | exit: |
2779 | 0 | #endif |
2780 | 0 | LOCAL_INPUT_FREE(input_external, input); |
2781 | |
|
2782 | 0 | return status; |
2783 | 0 | } |
2784 | | |
2785 | | psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation, |
2786 | | uint8_t *mac_external, |
2787 | | size_t mac_size, |
2788 | | size_t *mac_length) |
2789 | 0 | { |
2790 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2791 | 0 | psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; |
2792 | 0 | LOCAL_OUTPUT_DECLARE(mac_external, mac); |
2793 | 0 | LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac); |
2794 | |
|
2795 | 0 | if (operation->id == 0) { |
2796 | 0 | status = PSA_ERROR_BAD_STATE; |
2797 | 0 | goto exit; |
2798 | 0 | } |
2799 | | |
2800 | 0 | if (!operation->is_sign) { |
2801 | 0 | status = PSA_ERROR_BAD_STATE; |
2802 | 0 | goto exit; |
2803 | 0 | } |
2804 | | |
2805 | | /* Sanity check. This will guarantee that mac_size != 0 (and so mac != NULL) |
2806 | | * once all the error checks are done. */ |
2807 | 0 | if (operation->mac_size == 0) { |
2808 | 0 | status = PSA_ERROR_BAD_STATE; |
2809 | 0 | goto exit; |
2810 | 0 | } |
2811 | | |
2812 | 0 | if (mac_size < operation->mac_size) { |
2813 | 0 | status = PSA_ERROR_BUFFER_TOO_SMALL; |
2814 | 0 | goto exit; |
2815 | 0 | } |
2816 | | |
2817 | | |
2818 | 0 | status = psa_driver_wrapper_mac_sign_finish(operation, |
2819 | 0 | mac, operation->mac_size, |
2820 | 0 | mac_length); |
2821 | |
|
2822 | 0 | exit: |
2823 | | /* In case of success, set the potential excess room in the output buffer |
2824 | | * to an invalid value, to avoid potentially leaking a longer MAC. |
2825 | | * In case of error, set the output length and content to a safe default, |
2826 | | * such that in case the caller misses an error check, the output would be |
2827 | | * an unachievable MAC. |
2828 | | */ |
2829 | 0 | if (status != PSA_SUCCESS) { |
2830 | 0 | *mac_length = mac_size; |
2831 | 0 | operation->mac_size = 0; |
2832 | 0 | } |
2833 | |
|
2834 | 0 | if (mac != NULL) { |
2835 | 0 | psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length); |
2836 | 0 | } |
2837 | |
|
2838 | 0 | abort_status = psa_mac_abort(operation); |
2839 | 0 | LOCAL_OUTPUT_FREE(mac_external, mac); |
2840 | |
|
2841 | 0 | return status == PSA_SUCCESS ? abort_status : status; |
2842 | 0 | } |
2843 | | |
2844 | | psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation, |
2845 | | const uint8_t *mac_external, |
2846 | | size_t mac_length) |
2847 | 0 | { |
2848 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2849 | 0 | psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; |
2850 | 0 | LOCAL_INPUT_DECLARE(mac_external, mac); |
2851 | |
|
2852 | 0 | if (operation->id == 0) { |
2853 | 0 | status = PSA_ERROR_BAD_STATE; |
2854 | 0 | goto exit; |
2855 | 0 | } |
2856 | | |
2857 | 0 | if (operation->is_sign) { |
2858 | 0 | status = PSA_ERROR_BAD_STATE; |
2859 | 0 | goto exit; |
2860 | 0 | } |
2861 | | |
2862 | 0 | if (operation->mac_size != mac_length) { |
2863 | 0 | status = PSA_ERROR_INVALID_SIGNATURE; |
2864 | 0 | goto exit; |
2865 | 0 | } |
2866 | | |
2867 | 0 | LOCAL_INPUT_ALLOC(mac_external, mac_length, mac); |
2868 | 0 | status = psa_driver_wrapper_mac_verify_finish(operation, |
2869 | 0 | mac, mac_length); |
2870 | |
|
2871 | 0 | exit: |
2872 | 0 | abort_status = psa_mac_abort(operation); |
2873 | 0 | LOCAL_INPUT_FREE(mac_external, mac); |
2874 | |
|
2875 | 0 | return status == PSA_SUCCESS ? abort_status : status; |
2876 | 0 | } |
2877 | | |
2878 | | static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key, |
2879 | | psa_algorithm_t alg, |
2880 | | const uint8_t *input, |
2881 | | size_t input_length, |
2882 | | uint8_t *mac, |
2883 | | size_t mac_size, |
2884 | | size_t *mac_length, |
2885 | | int is_sign) |
2886 | 0 | { |
2887 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2888 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
2889 | 0 | psa_key_slot_t *slot; |
2890 | 0 | uint8_t operation_mac_size = 0; |
2891 | |
|
2892 | 0 | status = psa_get_and_lock_key_slot_with_policy( |
2893 | 0 | key, |
2894 | 0 | &slot, |
2895 | 0 | is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE, |
2896 | 0 | alg); |
2897 | 0 | if (status != PSA_SUCCESS) { |
2898 | 0 | goto exit; |
2899 | 0 | } |
2900 | | |
2901 | 0 | status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr, |
2902 | 0 | &operation_mac_size); |
2903 | 0 | if (status != PSA_SUCCESS) { |
2904 | 0 | goto exit; |
2905 | 0 | } |
2906 | | |
2907 | 0 | if (mac_size < operation_mac_size) { |
2908 | 0 | status = PSA_ERROR_BUFFER_TOO_SMALL; |
2909 | 0 | goto exit; |
2910 | 0 | } |
2911 | | |
2912 | 0 | status = psa_driver_wrapper_mac_compute( |
2913 | 0 | &slot->attr, |
2914 | 0 | slot->key.data, slot->key.bytes, |
2915 | 0 | alg, |
2916 | 0 | input, input_length, |
2917 | 0 | mac, operation_mac_size, mac_length); |
2918 | |
|
2919 | 0 | exit: |
2920 | | /* In case of success, set the potential excess room in the output buffer |
2921 | | * to an invalid value, to avoid potentially leaking a longer MAC. |
2922 | | * In case of error, set the output length and content to a safe default, |
2923 | | * such that in case the caller misses an error check, the output would be |
2924 | | * an unachievable MAC. |
2925 | | */ |
2926 | 0 | if (status != PSA_SUCCESS) { |
2927 | 0 | *mac_length = mac_size; |
2928 | 0 | operation_mac_size = 0; |
2929 | 0 | } |
2930 | |
|
2931 | 0 | psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length); |
2932 | |
|
2933 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
2934 | |
|
2935 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
2936 | 0 | } |
2937 | | |
2938 | | psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key, |
2939 | | psa_algorithm_t alg, |
2940 | | const uint8_t *input_external, |
2941 | | size_t input_length, |
2942 | | uint8_t *mac_external, |
2943 | | size_t mac_size, |
2944 | | size_t *mac_length) |
2945 | 0 | { |
2946 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2947 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
2948 | 0 | LOCAL_OUTPUT_DECLARE(mac_external, mac); |
2949 | |
|
2950 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
2951 | 0 | LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac); |
2952 | 0 | status = psa_mac_compute_internal(key, alg, |
2953 | 0 | input, input_length, |
2954 | 0 | mac, mac_size, mac_length, 1); |
2955 | |
|
2956 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
2957 | 0 | exit: |
2958 | 0 | #endif |
2959 | 0 | LOCAL_INPUT_FREE(input_external, input); |
2960 | 0 | LOCAL_OUTPUT_FREE(mac_external, mac); |
2961 | |
|
2962 | 0 | return status; |
2963 | 0 | } |
2964 | | |
2965 | | psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key, |
2966 | | psa_algorithm_t alg, |
2967 | | const uint8_t *input_external, |
2968 | | size_t input_length, |
2969 | | const uint8_t *mac_external, |
2970 | | size_t mac_length) |
2971 | 0 | { |
2972 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
2973 | 0 | uint8_t actual_mac[PSA_MAC_MAX_SIZE]; |
2974 | 0 | size_t actual_mac_length; |
2975 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
2976 | 0 | LOCAL_INPUT_DECLARE(mac_external, mac); |
2977 | |
|
2978 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
2979 | 0 | status = psa_mac_compute_internal(key, alg, |
2980 | 0 | input, input_length, |
2981 | 0 | actual_mac, sizeof(actual_mac), |
2982 | 0 | &actual_mac_length, 0); |
2983 | 0 | if (status != PSA_SUCCESS) { |
2984 | 0 | goto exit; |
2985 | 0 | } |
2986 | | |
2987 | 0 | if (mac_length != actual_mac_length) { |
2988 | 0 | status = PSA_ERROR_INVALID_SIGNATURE; |
2989 | 0 | goto exit; |
2990 | 0 | } |
2991 | | |
2992 | 0 | LOCAL_INPUT_ALLOC(mac_external, mac_length, mac); |
2993 | 0 | if (mbedtls_ct_memcmp(mac, actual_mac, actual_mac_length) != 0) { |
2994 | 0 | status = PSA_ERROR_INVALID_SIGNATURE; |
2995 | 0 | goto exit; |
2996 | 0 | } |
2997 | | |
2998 | 0 | exit: |
2999 | 0 | mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac)); |
3000 | 0 | LOCAL_INPUT_FREE(input_external, input); |
3001 | 0 | LOCAL_INPUT_FREE(mac_external, mac); |
3002 | |
|
3003 | 0 | return status; |
3004 | 0 | } |
3005 | | |
3006 | | /****************************************************************/ |
3007 | | /* Asymmetric cryptography */ |
3008 | | /****************************************************************/ |
3009 | | |
3010 | | static psa_status_t psa_sign_verify_check_alg(int input_is_message, |
3011 | | psa_algorithm_t alg) |
3012 | 0 | { |
3013 | 0 | if (input_is_message) { |
3014 | 0 | if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) { |
3015 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
3016 | 0 | } |
3017 | 0 | } |
3018 | | |
3019 | 0 | psa_algorithm_t hash_alg = 0; |
3020 | 0 | if (PSA_ALG_IS_SIGN_HASH(alg)) { |
3021 | 0 | hash_alg = PSA_ALG_SIGN_GET_HASH(alg); |
3022 | 0 | } |
3023 | | |
3024 | | /* Now hash_alg==0 if alg by itself doesn't need a hash. |
3025 | | * This is good enough for sign-hash, but a guaranteed failure for |
3026 | | * sign-message which needs to hash first for all algorithms |
3027 | | * supported at the moment. */ |
3028 | |
|
3029 | 0 | if (hash_alg == 0 && input_is_message) { |
3030 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
3031 | 0 | } |
3032 | 0 | if (hash_alg == PSA_ALG_ANY_HASH) { |
3033 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
3034 | 0 | } |
3035 | | /* Give up immediately if the hash is not supported. This has |
3036 | | * several advantages: |
3037 | | * - For mechanisms that don't use the hash at all (e.g. |
3038 | | * ECDSA verification, randomized ECDSA signature), without |
3039 | | * this check, the operation would succeed even though it has |
3040 | | * been given an invalid argument. This would not be insecure |
3041 | | * since the hash was not necessary, but it would be weird. |
3042 | | * - For mechanisms that do use the hash, we avoid an error |
3043 | | * deep inside the execution. In principle this doesn't matter, |
3044 | | * but there is a little more risk of a bug in error handling |
3045 | | * deep inside than in this preliminary check. |
3046 | | * - When calling a driver, the driver might be capable of using |
3047 | | * a hash that the core doesn't support. This could potentially |
3048 | | * result in a buffer overflow if the hash is larger than the |
3049 | | * maximum hash size assumed by the core. |
3050 | | * - Returning a consistent error makes it possible to test |
3051 | | * not-supported hashes in a consistent way. |
3052 | | */ |
3053 | 0 | if (hash_alg != 0 && !is_hash_supported(hash_alg)) { |
3054 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
3055 | 0 | } |
3056 | | |
3057 | 0 | return PSA_SUCCESS; |
3058 | 0 | } |
3059 | | |
3060 | | static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key, |
3061 | | int input_is_message, |
3062 | | psa_algorithm_t alg, |
3063 | | const uint8_t *input, |
3064 | | size_t input_length, |
3065 | | uint8_t *signature, |
3066 | | size_t signature_size, |
3067 | | size_t *signature_length) |
3068 | 0 | { |
3069 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3070 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
3071 | 0 | psa_key_slot_t *slot; |
3072 | |
|
3073 | 0 | *signature_length = 0; |
3074 | |
|
3075 | 0 | status = psa_sign_verify_check_alg(input_is_message, alg); |
3076 | 0 | if (status != PSA_SUCCESS) { |
3077 | 0 | return status; |
3078 | 0 | } |
3079 | | |
3080 | | /* Immediately reject a zero-length signature buffer. This guarantees |
3081 | | * that signature must be a valid pointer. (On the other hand, the input |
3082 | | * buffer can in principle be empty since it doesn't actually have |
3083 | | * to be a hash.) */ |
3084 | 0 | if (signature_size == 0) { |
3085 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
3086 | 0 | } |
3087 | | |
3088 | 0 | status = psa_get_and_lock_key_slot_with_policy( |
3089 | 0 | key, &slot, |
3090 | 0 | input_is_message ? PSA_KEY_USAGE_SIGN_MESSAGE : |
3091 | 0 | PSA_KEY_USAGE_SIGN_HASH, |
3092 | 0 | alg); |
3093 | |
|
3094 | 0 | if (status != PSA_SUCCESS) { |
3095 | 0 | goto exit; |
3096 | 0 | } |
3097 | | |
3098 | 0 | if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) { |
3099 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
3100 | 0 | goto exit; |
3101 | 0 | } |
3102 | | |
3103 | 0 | if (input_is_message) { |
3104 | 0 | status = psa_driver_wrapper_sign_message( |
3105 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
3106 | 0 | alg, input, input_length, |
3107 | 0 | signature, signature_size, signature_length); |
3108 | 0 | } else { |
3109 | |
|
3110 | 0 | status = psa_driver_wrapper_sign_hash( |
3111 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
3112 | 0 | alg, input, input_length, |
3113 | 0 | signature, signature_size, signature_length); |
3114 | 0 | } |
3115 | | |
3116 | |
|
3117 | 0 | exit: |
3118 | 0 | psa_wipe_tag_output_buffer(signature, status, signature_size, |
3119 | 0 | *signature_length); |
3120 | |
|
3121 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
3122 | |
|
3123 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
3124 | 0 | } |
3125 | | |
3126 | | static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key, |
3127 | | int input_is_message, |
3128 | | psa_algorithm_t alg, |
3129 | | const uint8_t *input, |
3130 | | size_t input_length, |
3131 | | const uint8_t *signature, |
3132 | | size_t signature_length) |
3133 | 0 | { |
3134 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3135 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
3136 | 0 | psa_key_slot_t *slot; |
3137 | |
|
3138 | 0 | status = psa_sign_verify_check_alg(input_is_message, alg); |
3139 | 0 | if (status != PSA_SUCCESS) { |
3140 | 0 | return status; |
3141 | 0 | } |
3142 | | |
3143 | 0 | status = psa_get_and_lock_key_slot_with_policy( |
3144 | 0 | key, &slot, |
3145 | 0 | input_is_message ? PSA_KEY_USAGE_VERIFY_MESSAGE : |
3146 | 0 | PSA_KEY_USAGE_VERIFY_HASH, |
3147 | 0 | alg); |
3148 | |
|
3149 | 0 | if (status != PSA_SUCCESS) { |
3150 | 0 | return status; |
3151 | 0 | } |
3152 | | |
3153 | 0 | if (input_is_message) { |
3154 | 0 | status = psa_driver_wrapper_verify_message( |
3155 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
3156 | 0 | alg, input, input_length, |
3157 | 0 | signature, signature_length); |
3158 | 0 | } else { |
3159 | 0 | status = psa_driver_wrapper_verify_hash( |
3160 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
3161 | 0 | alg, input, input_length, |
3162 | 0 | signature, signature_length); |
3163 | 0 | } |
3164 | |
|
3165 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
3166 | |
|
3167 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
3168 | |
|
3169 | 0 | } |
3170 | | |
3171 | | psa_status_t psa_sign_message_builtin( |
3172 | | const psa_key_attributes_t *attributes, |
3173 | | const uint8_t *key_buffer, |
3174 | | size_t key_buffer_size, |
3175 | | psa_algorithm_t alg, |
3176 | | const uint8_t *input, |
3177 | | size_t input_length, |
3178 | | uint8_t *signature, |
3179 | | size_t signature_size, |
3180 | | size_t *signature_length) |
3181 | 0 | { |
3182 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3183 | |
|
3184 | 0 | if (PSA_ALG_IS_SIGN_HASH(alg)) { |
3185 | 0 | size_t hash_length; |
3186 | 0 | uint8_t hash[PSA_HASH_MAX_SIZE]; |
3187 | |
|
3188 | 0 | status = psa_driver_wrapper_hash_compute( |
3189 | 0 | PSA_ALG_SIGN_GET_HASH(alg), |
3190 | 0 | input, input_length, |
3191 | 0 | hash, sizeof(hash), &hash_length); |
3192 | |
|
3193 | 0 | if (status != PSA_SUCCESS) { |
3194 | 0 | return status; |
3195 | 0 | } |
3196 | | |
3197 | 0 | return psa_driver_wrapper_sign_hash( |
3198 | 0 | attributes, key_buffer, key_buffer_size, |
3199 | 0 | alg, hash, hash_length, |
3200 | 0 | signature, signature_size, signature_length); |
3201 | 0 | } |
3202 | | |
3203 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
3204 | 0 | } |
3205 | | |
3206 | | psa_status_t psa_sign_message(mbedtls_svc_key_id_t key, |
3207 | | psa_algorithm_t alg, |
3208 | | const uint8_t *input_external, |
3209 | | size_t input_length, |
3210 | | uint8_t *signature_external, |
3211 | | size_t signature_size, |
3212 | | size_t *signature_length) |
3213 | 0 | { |
3214 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3215 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
3216 | 0 | LOCAL_OUTPUT_DECLARE(signature_external, signature); |
3217 | |
|
3218 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
3219 | 0 | LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature); |
3220 | 0 | status = psa_sign_internal(key, 1, alg, input, input_length, signature, |
3221 | 0 | signature_size, signature_length); |
3222 | |
|
3223 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
3224 | 0 | exit: |
3225 | 0 | #endif |
3226 | 0 | LOCAL_INPUT_FREE(input_external, input); |
3227 | 0 | LOCAL_OUTPUT_FREE(signature_external, signature); |
3228 | 0 | return status; |
3229 | 0 | } |
3230 | | |
3231 | | psa_status_t psa_verify_message_builtin( |
3232 | | const psa_key_attributes_t *attributes, |
3233 | | const uint8_t *key_buffer, |
3234 | | size_t key_buffer_size, |
3235 | | psa_algorithm_t alg, |
3236 | | const uint8_t *input, |
3237 | | size_t input_length, |
3238 | | const uint8_t *signature, |
3239 | | size_t signature_length) |
3240 | 0 | { |
3241 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3242 | |
|
3243 | 0 | if (PSA_ALG_IS_SIGN_HASH(alg)) { |
3244 | 0 | size_t hash_length; |
3245 | 0 | uint8_t hash[PSA_HASH_MAX_SIZE]; |
3246 | |
|
3247 | 0 | status = psa_driver_wrapper_hash_compute( |
3248 | 0 | PSA_ALG_SIGN_GET_HASH(alg), |
3249 | 0 | input, input_length, |
3250 | 0 | hash, sizeof(hash), &hash_length); |
3251 | |
|
3252 | 0 | if (status != PSA_SUCCESS) { |
3253 | 0 | return status; |
3254 | 0 | } |
3255 | | |
3256 | 0 | return psa_driver_wrapper_verify_hash( |
3257 | 0 | attributes, key_buffer, key_buffer_size, |
3258 | 0 | alg, hash, hash_length, |
3259 | 0 | signature, signature_length); |
3260 | 0 | } |
3261 | | |
3262 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
3263 | 0 | } |
3264 | | |
3265 | | psa_status_t psa_verify_message(mbedtls_svc_key_id_t key, |
3266 | | psa_algorithm_t alg, |
3267 | | const uint8_t *input_external, |
3268 | | size_t input_length, |
3269 | | const uint8_t *signature_external, |
3270 | | size_t signature_length) |
3271 | 0 | { |
3272 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3273 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
3274 | 0 | LOCAL_INPUT_DECLARE(signature_external, signature); |
3275 | |
|
3276 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
3277 | 0 | LOCAL_INPUT_ALLOC(signature_external, signature_length, signature); |
3278 | 0 | status = psa_verify_internal(key, 1, alg, input, input_length, signature, |
3279 | 0 | signature_length); |
3280 | |
|
3281 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
3282 | 0 | exit: |
3283 | 0 | #endif |
3284 | 0 | LOCAL_INPUT_FREE(input_external, input); |
3285 | 0 | LOCAL_INPUT_FREE(signature_external, signature); |
3286 | |
|
3287 | 0 | return status; |
3288 | 0 | } |
3289 | | |
3290 | | psa_status_t psa_sign_hash_builtin( |
3291 | | const psa_key_attributes_t *attributes, |
3292 | | const uint8_t *key_buffer, size_t key_buffer_size, |
3293 | | psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, |
3294 | | uint8_t *signature, size_t signature_size, size_t *signature_length) |
3295 | 0 | { |
3296 | 0 | if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) { |
3297 | 0 | if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || |
3298 | 0 | PSA_ALG_IS_RSA_PSS(alg)) { |
3299 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ |
3300 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) |
3301 | 0 | return mbedtls_psa_rsa_sign_hash( |
3302 | 0 | attributes, |
3303 | 0 | key_buffer, key_buffer_size, |
3304 | 0 | alg, hash, hash_length, |
3305 | 0 | signature, signature_size, signature_length); |
3306 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || |
3307 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ |
3308 | 0 | } else { |
3309 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
3310 | 0 | } |
3311 | 0 | } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) { |
3312 | 0 | if (PSA_ALG_IS_ECDSA(alg)) { |
3313 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
3314 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) |
3315 | 0 | return mbedtls_psa_ecdsa_sign_hash( |
3316 | 0 | attributes, |
3317 | 0 | key_buffer, key_buffer_size, |
3318 | 0 | alg, hash, hash_length, |
3319 | 0 | signature, signature_size, signature_length); |
3320 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
3321 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ |
3322 | 0 | } else { |
3323 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
3324 | 0 | } |
3325 | 0 | } |
3326 | | |
3327 | 0 | (void) key_buffer; |
3328 | 0 | (void) key_buffer_size; |
3329 | 0 | (void) hash; |
3330 | 0 | (void) hash_length; |
3331 | 0 | (void) signature; |
3332 | 0 | (void) signature_size; |
3333 | 0 | (void) signature_length; |
3334 | |
|
3335 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
3336 | 0 | } |
3337 | | |
3338 | | psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key, |
3339 | | psa_algorithm_t alg, |
3340 | | const uint8_t *hash_external, |
3341 | | size_t hash_length, |
3342 | | uint8_t *signature_external, |
3343 | | size_t signature_size, |
3344 | | size_t *signature_length) |
3345 | 0 | { |
3346 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3347 | 0 | LOCAL_INPUT_DECLARE(hash_external, hash); |
3348 | 0 | LOCAL_OUTPUT_DECLARE(signature_external, signature); |
3349 | |
|
3350 | 0 | LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); |
3351 | 0 | LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature); |
3352 | 0 | status = psa_sign_internal(key, 0, alg, hash, hash_length, signature, |
3353 | 0 | signature_size, signature_length); |
3354 | |
|
3355 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
3356 | 0 | exit: |
3357 | 0 | #endif |
3358 | 0 | LOCAL_INPUT_FREE(hash_external, hash); |
3359 | 0 | LOCAL_OUTPUT_FREE(signature_external, signature); |
3360 | |
|
3361 | 0 | return status; |
3362 | 0 | } |
3363 | | |
3364 | | psa_status_t psa_verify_hash_builtin( |
3365 | | const psa_key_attributes_t *attributes, |
3366 | | const uint8_t *key_buffer, size_t key_buffer_size, |
3367 | | psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, |
3368 | | const uint8_t *signature, size_t signature_length) |
3369 | 0 | { |
3370 | 0 | if (PSA_KEY_TYPE_IS_RSA(attributes->type)) { |
3371 | 0 | if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || |
3372 | 0 | PSA_ALG_IS_RSA_PSS(alg)) { |
3373 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ |
3374 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) |
3375 | 0 | return mbedtls_psa_rsa_verify_hash( |
3376 | 0 | attributes, |
3377 | 0 | key_buffer, key_buffer_size, |
3378 | 0 | alg, hash, hash_length, |
3379 | 0 | signature, signature_length); |
3380 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || |
3381 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ |
3382 | 0 | } else { |
3383 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
3384 | 0 | } |
3385 | 0 | } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) { |
3386 | 0 | if (PSA_ALG_IS_ECDSA(alg)) { |
3387 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
3388 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) |
3389 | 0 | return mbedtls_psa_ecdsa_verify_hash( |
3390 | 0 | attributes, |
3391 | 0 | key_buffer, key_buffer_size, |
3392 | 0 | alg, hash, hash_length, |
3393 | 0 | signature, signature_length); |
3394 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
3395 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ |
3396 | 0 | } else { |
3397 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
3398 | 0 | } |
3399 | 0 | } |
3400 | | |
3401 | 0 | (void) key_buffer; |
3402 | 0 | (void) key_buffer_size; |
3403 | 0 | (void) hash; |
3404 | 0 | (void) hash_length; |
3405 | 0 | (void) signature; |
3406 | 0 | (void) signature_length; |
3407 | |
|
3408 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
3409 | 0 | } |
3410 | | |
3411 | | psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key, |
3412 | | psa_algorithm_t alg, |
3413 | | const uint8_t *hash_external, |
3414 | | size_t hash_length, |
3415 | | const uint8_t *signature_external, |
3416 | | size_t signature_length) |
3417 | 0 | { |
3418 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3419 | 0 | LOCAL_INPUT_DECLARE(hash_external, hash); |
3420 | 0 | LOCAL_INPUT_DECLARE(signature_external, signature); |
3421 | |
|
3422 | 0 | LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); |
3423 | 0 | LOCAL_INPUT_ALLOC(signature_external, signature_length, signature); |
3424 | 0 | status = psa_verify_internal(key, 0, alg, hash, hash_length, signature, |
3425 | 0 | signature_length); |
3426 | |
|
3427 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
3428 | 0 | exit: |
3429 | 0 | #endif |
3430 | 0 | LOCAL_INPUT_FREE(hash_external, hash); |
3431 | 0 | LOCAL_INPUT_FREE(signature_external, signature); |
3432 | |
|
3433 | 0 | return status; |
3434 | 0 | } |
3435 | | |
3436 | | psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key, |
3437 | | psa_algorithm_t alg, |
3438 | | const uint8_t *input_external, |
3439 | | size_t input_length, |
3440 | | const uint8_t *salt_external, |
3441 | | size_t salt_length, |
3442 | | uint8_t *output_external, |
3443 | | size_t output_size, |
3444 | | size_t *output_length) |
3445 | 0 | { |
3446 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3447 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
3448 | 0 | psa_key_slot_t *slot; |
3449 | |
|
3450 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
3451 | 0 | LOCAL_INPUT_DECLARE(salt_external, salt); |
3452 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
3453 | |
|
3454 | 0 | (void) input; |
3455 | 0 | (void) input_length; |
3456 | 0 | (void) salt; |
3457 | 0 | (void) output; |
3458 | 0 | (void) output_size; |
3459 | |
|
3460 | 0 | *output_length = 0; |
3461 | |
|
3462 | 0 | if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) { |
3463 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
3464 | 0 | } |
3465 | | |
3466 | 0 | status = psa_get_and_lock_key_slot_with_policy( |
3467 | 0 | key, &slot, PSA_KEY_USAGE_ENCRYPT, alg); |
3468 | 0 | if (status != PSA_SUCCESS) { |
3469 | 0 | return status; |
3470 | 0 | } |
3471 | 0 | if (!(PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type) || |
3472 | 0 | PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type))) { |
3473 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
3474 | 0 | goto exit; |
3475 | 0 | } |
3476 | | |
3477 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
3478 | 0 | LOCAL_INPUT_ALLOC(salt_external, salt_length, salt); |
3479 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_size, output); |
3480 | |
|
3481 | 0 | status = psa_driver_wrapper_asymmetric_encrypt( |
3482 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
3483 | 0 | alg, input, input_length, salt, salt_length, |
3484 | 0 | output, output_size, output_length); |
3485 | 0 | exit: |
3486 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
3487 | |
|
3488 | 0 | LOCAL_INPUT_FREE(input_external, input); |
3489 | 0 | LOCAL_INPUT_FREE(salt_external, salt); |
3490 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
3491 | |
|
3492 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
3493 | 0 | } |
3494 | | |
3495 | | psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key, |
3496 | | psa_algorithm_t alg, |
3497 | | const uint8_t *input_external, |
3498 | | size_t input_length, |
3499 | | const uint8_t *salt_external, |
3500 | | size_t salt_length, |
3501 | | uint8_t *output_external, |
3502 | | size_t output_size, |
3503 | | size_t *output_length) |
3504 | 0 | { |
3505 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3506 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
3507 | 0 | psa_key_slot_t *slot; |
3508 | |
|
3509 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
3510 | 0 | LOCAL_INPUT_DECLARE(salt_external, salt); |
3511 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
3512 | |
|
3513 | 0 | (void) input; |
3514 | 0 | (void) input_length; |
3515 | 0 | (void) salt; |
3516 | 0 | (void) output; |
3517 | 0 | (void) output_size; |
3518 | |
|
3519 | 0 | *output_length = 0; |
3520 | |
|
3521 | 0 | if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) { |
3522 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
3523 | 0 | } |
3524 | | |
3525 | 0 | status = psa_get_and_lock_key_slot_with_policy( |
3526 | 0 | key, &slot, PSA_KEY_USAGE_DECRYPT, alg); |
3527 | 0 | if (status != PSA_SUCCESS) { |
3528 | 0 | return status; |
3529 | 0 | } |
3530 | 0 | if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) { |
3531 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
3532 | 0 | goto exit; |
3533 | 0 | } |
3534 | | |
3535 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
3536 | 0 | LOCAL_INPUT_ALLOC(salt_external, salt_length, salt); |
3537 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_size, output); |
3538 | |
|
3539 | 0 | status = psa_driver_wrapper_asymmetric_decrypt( |
3540 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
3541 | 0 | alg, input, input_length, salt, salt_length, |
3542 | 0 | output, output_size, output_length); |
3543 | |
|
3544 | 0 | exit: |
3545 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
3546 | |
|
3547 | 0 | LOCAL_INPUT_FREE(input_external, input); |
3548 | 0 | LOCAL_INPUT_FREE(salt_external, salt); |
3549 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
3550 | |
|
3551 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
3552 | 0 | } |
3553 | | |
3554 | | /****************************************************************/ |
3555 | | /* Asymmetric interruptible cryptography */ |
3556 | | /****************************************************************/ |
3557 | | |
3558 | | static uint32_t psa_interruptible_max_ops = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; |
3559 | | |
3560 | | void psa_interruptible_set_max_ops(uint32_t max_ops) |
3561 | 0 | { |
3562 | 0 | psa_interruptible_max_ops = max_ops; |
3563 | 0 | } |
3564 | | |
3565 | | uint32_t psa_interruptible_get_max_ops(void) |
3566 | 0 | { |
3567 | 0 | return psa_interruptible_max_ops; |
3568 | 0 | } |
3569 | | |
3570 | | uint32_t psa_sign_hash_get_num_ops( |
3571 | | const psa_sign_hash_interruptible_operation_t *operation) |
3572 | 0 | { |
3573 | 0 | return operation->num_ops; |
3574 | 0 | } |
3575 | | |
3576 | | uint32_t psa_verify_hash_get_num_ops( |
3577 | | const psa_verify_hash_interruptible_operation_t *operation) |
3578 | 0 | { |
3579 | 0 | return operation->num_ops; |
3580 | 0 | } |
3581 | | |
3582 | | static psa_status_t psa_sign_hash_abort_internal( |
3583 | | psa_sign_hash_interruptible_operation_t *operation) |
3584 | 0 | { |
3585 | 0 | if (operation->id == 0) { |
3586 | | /* The object has (apparently) been initialized but it is not (yet) |
3587 | | * in use. It's ok to call abort on such an object, and there's |
3588 | | * nothing to do. */ |
3589 | 0 | return PSA_SUCCESS; |
3590 | 0 | } |
3591 | | |
3592 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3593 | |
|
3594 | 0 | status = psa_driver_wrapper_sign_hash_abort(operation); |
3595 | |
|
3596 | 0 | operation->id = 0; |
3597 | | |
3598 | | /* Do not clear either the error_occurred or num_ops elements here as they |
3599 | | * only want to be cleared by the application calling abort, not by abort |
3600 | | * being called at completion of an operation. */ |
3601 | |
|
3602 | 0 | return status; |
3603 | 0 | } |
3604 | | |
3605 | | psa_status_t psa_sign_hash_start( |
3606 | | psa_sign_hash_interruptible_operation_t *operation, |
3607 | | mbedtls_svc_key_id_t key, psa_algorithm_t alg, |
3608 | | const uint8_t *hash_external, size_t hash_length) |
3609 | 0 | { |
3610 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3611 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
3612 | 0 | psa_key_slot_t *slot; |
3613 | |
|
3614 | 0 | LOCAL_INPUT_DECLARE(hash_external, hash); |
3615 | | |
3616 | | /* Check that start has not been previously called, or operation has not |
3617 | | * previously errored. */ |
3618 | 0 | if (operation->id != 0 || operation->error_occurred) { |
3619 | 0 | return PSA_ERROR_BAD_STATE; |
3620 | 0 | } |
3621 | | |
3622 | 0 | status = psa_sign_verify_check_alg(0, alg); |
3623 | 0 | if (status != PSA_SUCCESS) { |
3624 | 0 | operation->error_occurred = 1; |
3625 | 0 | return status; |
3626 | 0 | } |
3627 | | |
3628 | 0 | status = psa_get_and_lock_key_slot_with_policy(key, &slot, |
3629 | 0 | PSA_KEY_USAGE_SIGN_HASH, |
3630 | 0 | alg); |
3631 | |
|
3632 | 0 | if (status != PSA_SUCCESS) { |
3633 | 0 | goto exit; |
3634 | 0 | } |
3635 | | |
3636 | 0 | if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) { |
3637 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
3638 | 0 | goto exit; |
3639 | 0 | } |
3640 | | |
3641 | 0 | LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); |
3642 | | |
3643 | | /* Ensure ops count gets reset, in case of operation re-use. */ |
3644 | 0 | operation->num_ops = 0; |
3645 | |
|
3646 | 0 | status = psa_driver_wrapper_sign_hash_start(operation, &slot->attr, |
3647 | 0 | slot->key.data, |
3648 | 0 | slot->key.bytes, alg, |
3649 | 0 | hash, hash_length); |
3650 | 0 | exit: |
3651 | |
|
3652 | 0 | if (status != PSA_SUCCESS) { |
3653 | 0 | operation->error_occurred = 1; |
3654 | 0 | psa_sign_hash_abort_internal(operation); |
3655 | 0 | } |
3656 | |
|
3657 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
3658 | |
|
3659 | 0 | if (unlock_status != PSA_SUCCESS) { |
3660 | 0 | operation->error_occurred = 1; |
3661 | 0 | } |
3662 | |
|
3663 | 0 | LOCAL_INPUT_FREE(hash_external, hash); |
3664 | |
|
3665 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
3666 | 0 | } |
3667 | | |
3668 | | |
3669 | | psa_status_t psa_sign_hash_complete( |
3670 | | psa_sign_hash_interruptible_operation_t *operation, |
3671 | | uint8_t *signature_external, size_t signature_size, |
3672 | | size_t *signature_length) |
3673 | 0 | { |
3674 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3675 | |
|
3676 | 0 | LOCAL_OUTPUT_DECLARE(signature_external, signature); |
3677 | |
|
3678 | 0 | *signature_length = 0; |
3679 | | |
3680 | | /* Check that start has been called first, and that operation has not |
3681 | | * previously errored. */ |
3682 | 0 | if (operation->id == 0 || operation->error_occurred) { |
3683 | 0 | status = PSA_ERROR_BAD_STATE; |
3684 | 0 | goto exit; |
3685 | 0 | } |
3686 | | |
3687 | | /* Immediately reject a zero-length signature buffer. This guarantees that |
3688 | | * signature must be a valid pointer. */ |
3689 | 0 | if (signature_size == 0) { |
3690 | 0 | status = PSA_ERROR_BUFFER_TOO_SMALL; |
3691 | 0 | goto exit; |
3692 | 0 | } |
3693 | | |
3694 | 0 | LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature); |
3695 | |
|
3696 | 0 | status = psa_driver_wrapper_sign_hash_complete(operation, signature, |
3697 | 0 | signature_size, |
3698 | 0 | signature_length); |
3699 | | |
3700 | | /* Update ops count with work done. */ |
3701 | 0 | operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation); |
3702 | |
|
3703 | 0 | exit: |
3704 | |
|
3705 | 0 | if (signature != NULL) { |
3706 | 0 | psa_wipe_tag_output_buffer(signature, status, signature_size, |
3707 | 0 | *signature_length); |
3708 | 0 | } |
3709 | |
|
3710 | 0 | if (status != PSA_OPERATION_INCOMPLETE) { |
3711 | 0 | if (status != PSA_SUCCESS) { |
3712 | 0 | operation->error_occurred = 1; |
3713 | 0 | } |
3714 | |
|
3715 | 0 | psa_sign_hash_abort_internal(operation); |
3716 | 0 | } |
3717 | |
|
3718 | 0 | LOCAL_OUTPUT_FREE(signature_external, signature); |
3719 | |
|
3720 | 0 | return status; |
3721 | 0 | } |
3722 | | |
3723 | | psa_status_t psa_sign_hash_abort( |
3724 | | psa_sign_hash_interruptible_operation_t *operation) |
3725 | 0 | { |
3726 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3727 | |
|
3728 | 0 | status = psa_sign_hash_abort_internal(operation); |
3729 | | |
3730 | | /* We clear the number of ops done here, so that it is not cleared when |
3731 | | * the operation fails or succeeds, only on manual abort. */ |
3732 | 0 | operation->num_ops = 0; |
3733 | | |
3734 | | /* Likewise, failure state. */ |
3735 | 0 | operation->error_occurred = 0; |
3736 | |
|
3737 | 0 | return status; |
3738 | 0 | } |
3739 | | |
3740 | | static psa_status_t psa_verify_hash_abort_internal( |
3741 | | psa_verify_hash_interruptible_operation_t *operation) |
3742 | 0 | { |
3743 | 0 | if (operation->id == 0) { |
3744 | | /* The object has (apparently) been initialized but it is not (yet) |
3745 | | * in use. It's ok to call abort on such an object, and there's |
3746 | | * nothing to do. */ |
3747 | 0 | return PSA_SUCCESS; |
3748 | 0 | } |
3749 | | |
3750 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3751 | |
|
3752 | 0 | status = psa_driver_wrapper_verify_hash_abort(operation); |
3753 | |
|
3754 | 0 | operation->id = 0; |
3755 | | |
3756 | | /* Do not clear either the error_occurred or num_ops elements here as they |
3757 | | * only want to be cleared by the application calling abort, not by abort |
3758 | | * being called at completion of an operation. */ |
3759 | |
|
3760 | 0 | return status; |
3761 | 0 | } |
3762 | | |
3763 | | psa_status_t psa_verify_hash_start( |
3764 | | psa_verify_hash_interruptible_operation_t *operation, |
3765 | | mbedtls_svc_key_id_t key, psa_algorithm_t alg, |
3766 | | const uint8_t *hash_external, size_t hash_length, |
3767 | | const uint8_t *signature_external, size_t signature_length) |
3768 | 0 | { |
3769 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3770 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
3771 | 0 | psa_key_slot_t *slot; |
3772 | |
|
3773 | 0 | LOCAL_INPUT_DECLARE(hash_external, hash); |
3774 | 0 | LOCAL_INPUT_DECLARE(signature_external, signature); |
3775 | | |
3776 | | /* Check that start has not been previously called, or operation has not |
3777 | | * previously errored. */ |
3778 | 0 | if (operation->id != 0 || operation->error_occurred) { |
3779 | 0 | return PSA_ERROR_BAD_STATE; |
3780 | 0 | } |
3781 | | |
3782 | 0 | status = psa_sign_verify_check_alg(0, alg); |
3783 | 0 | if (status != PSA_SUCCESS) { |
3784 | 0 | operation->error_occurred = 1; |
3785 | 0 | return status; |
3786 | 0 | } |
3787 | | |
3788 | 0 | status = psa_get_and_lock_key_slot_with_policy(key, &slot, |
3789 | 0 | PSA_KEY_USAGE_VERIFY_HASH, |
3790 | 0 | alg); |
3791 | |
|
3792 | 0 | if (status != PSA_SUCCESS) { |
3793 | 0 | operation->error_occurred = 1; |
3794 | 0 | return status; |
3795 | 0 | } |
3796 | | |
3797 | 0 | LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); |
3798 | 0 | LOCAL_INPUT_ALLOC(signature_external, signature_length, signature); |
3799 | | |
3800 | | /* Ensure ops count gets reset, in case of operation re-use. */ |
3801 | 0 | operation->num_ops = 0; |
3802 | |
|
3803 | 0 | status = psa_driver_wrapper_verify_hash_start(operation, &slot->attr, |
3804 | 0 | slot->key.data, |
3805 | 0 | slot->key.bytes, |
3806 | 0 | alg, hash, hash_length, |
3807 | 0 | signature, signature_length); |
3808 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
3809 | 0 | exit: |
3810 | 0 | #endif |
3811 | |
|
3812 | 0 | if (status != PSA_SUCCESS) { |
3813 | 0 | operation->error_occurred = 1; |
3814 | 0 | psa_verify_hash_abort_internal(operation); |
3815 | 0 | } |
3816 | |
|
3817 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
3818 | |
|
3819 | 0 | if (unlock_status != PSA_SUCCESS) { |
3820 | 0 | operation->error_occurred = 1; |
3821 | 0 | } |
3822 | |
|
3823 | 0 | LOCAL_INPUT_FREE(hash_external, hash); |
3824 | 0 | LOCAL_INPUT_FREE(signature_external, signature); |
3825 | |
|
3826 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
3827 | 0 | } |
3828 | | |
3829 | | psa_status_t psa_verify_hash_complete( |
3830 | | psa_verify_hash_interruptible_operation_t *operation) |
3831 | 0 | { |
3832 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3833 | | |
3834 | | /* Check that start has been called first, and that operation has not |
3835 | | * previously errored. */ |
3836 | 0 | if (operation->id == 0 || operation->error_occurred) { |
3837 | 0 | status = PSA_ERROR_BAD_STATE; |
3838 | 0 | goto exit; |
3839 | 0 | } |
3840 | | |
3841 | 0 | status = psa_driver_wrapper_verify_hash_complete(operation); |
3842 | | |
3843 | | /* Update ops count with work done. */ |
3844 | 0 | operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops( |
3845 | 0 | operation); |
3846 | |
|
3847 | 0 | exit: |
3848 | |
|
3849 | 0 | if (status != PSA_OPERATION_INCOMPLETE) { |
3850 | 0 | if (status != PSA_SUCCESS) { |
3851 | 0 | operation->error_occurred = 1; |
3852 | 0 | } |
3853 | |
|
3854 | 0 | psa_verify_hash_abort_internal(operation); |
3855 | 0 | } |
3856 | |
|
3857 | 0 | return status; |
3858 | 0 | } |
3859 | | |
3860 | | psa_status_t psa_verify_hash_abort( |
3861 | | psa_verify_hash_interruptible_operation_t *operation) |
3862 | 0 | { |
3863 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3864 | |
|
3865 | 0 | status = psa_verify_hash_abort_internal(operation); |
3866 | | |
3867 | | /* We clear the number of ops done here, so that it is not cleared when |
3868 | | * the operation fails or succeeds, only on manual abort. */ |
3869 | 0 | operation->num_ops = 0; |
3870 | | |
3871 | | /* Likewise, failure state. */ |
3872 | 0 | operation->error_occurred = 0; |
3873 | |
|
3874 | 0 | return status; |
3875 | 0 | } |
3876 | | |
3877 | | /****************************************************************/ |
3878 | | /* Asymmetric interruptible cryptography internal */ |
3879 | | /* implementations */ |
3880 | | /****************************************************************/ |
3881 | | |
3882 | | void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops) |
3883 | 0 | { |
3884 | |
|
3885 | 0 | #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
3886 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ |
3887 | 0 | defined(MBEDTLS_ECP_RESTARTABLE) |
3888 | | |
3889 | | /* Internal implementation uses zero to indicate infinite number max ops, |
3890 | | * therefore avoid this value, and set to minimum possible. */ |
3891 | 0 | if (max_ops == 0) { |
3892 | 0 | max_ops = 1; |
3893 | 0 | } |
3894 | |
|
3895 | 0 | mbedtls_ecp_set_max_ops(max_ops); |
3896 | | #else |
3897 | | (void) max_ops; |
3898 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
3899 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && |
3900 | | * defined( MBEDTLS_ECP_RESTARTABLE ) */ |
3901 | 0 | } |
3902 | | |
3903 | | uint32_t mbedtls_psa_sign_hash_get_num_ops( |
3904 | | const mbedtls_psa_sign_hash_interruptible_operation_t *operation) |
3905 | 0 | { |
3906 | 0 | #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
3907 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ |
3908 | 0 | defined(MBEDTLS_ECP_RESTARTABLE) |
3909 | |
|
3910 | 0 | return operation->num_ops; |
3911 | | #else |
3912 | | (void) operation; |
3913 | | return 0; |
3914 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
3915 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && |
3916 | | * defined( MBEDTLS_ECP_RESTARTABLE ) */ |
3917 | 0 | } |
3918 | | |
3919 | | uint32_t mbedtls_psa_verify_hash_get_num_ops( |
3920 | | const mbedtls_psa_verify_hash_interruptible_operation_t *operation) |
3921 | 0 | { |
3922 | 0 | #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
3923 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ |
3924 | 0 | defined(MBEDTLS_ECP_RESTARTABLE) |
3925 | |
|
3926 | 0 | return operation->num_ops; |
3927 | | #else |
3928 | | (void) operation; |
3929 | | return 0; |
3930 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
3931 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && |
3932 | | * defined( MBEDTLS_ECP_RESTARTABLE ) */ |
3933 | 0 | } |
3934 | | |
3935 | | /* Detect supported interruptible sign/verify mechanisms precisely. |
3936 | | * This is not strictly needed: we could accept everything, and let the |
3937 | | * code fail later during complete() if the mechanism is unsupported |
3938 | | * (e.g. attempting deterministic ECDSA when only the randomized variant |
3939 | | * is available). But it's easier for applications and especially for our |
3940 | | * test code to detect all not-supported errors during start(). |
3941 | | * |
3942 | | * Note that this function ignores the hash component. The core code |
3943 | | * is supposed to check the hash part by calling is_hash_supported(). |
3944 | | */ |
3945 | | static inline int can_do_interruptible_sign_verify(psa_algorithm_t alg) |
3946 | 0 | { |
3947 | 0 | #if defined(MBEDTLS_ECP_RESTARTABLE) |
3948 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) |
3949 | 0 | if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) { |
3950 | 0 | return 1; |
3951 | 0 | } |
3952 | 0 | #endif |
3953 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) |
3954 | 0 | if (PSA_ALG_IS_RANDOMIZED_ECDSA(alg)) { |
3955 | 0 | return 1; |
3956 | 0 | } |
3957 | 0 | #endif |
3958 | 0 | #endif /* defined(MBEDTLS_ECP_RESTARTABLE) */ |
3959 | 0 | (void) alg; |
3960 | 0 | return 0; |
3961 | 0 | } |
3962 | | |
3963 | | psa_status_t mbedtls_psa_sign_hash_start( |
3964 | | mbedtls_psa_sign_hash_interruptible_operation_t *operation, |
3965 | | const psa_key_attributes_t *attributes, const uint8_t *key_buffer, |
3966 | | size_t key_buffer_size, psa_algorithm_t alg, |
3967 | | const uint8_t *hash, size_t hash_length) |
3968 | 0 | { |
3969 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3970 | 0 | size_t required_hash_length; |
3971 | |
|
3972 | 0 | if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type)) { |
3973 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
3974 | 0 | } |
3975 | 0 | psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type); |
3976 | 0 | if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) { |
3977 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
3978 | 0 | } |
3979 | | |
3980 | 0 | if (!can_do_interruptible_sign_verify(alg)) { |
3981 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
3982 | 0 | } |
3983 | | |
3984 | 0 | #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
3985 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ |
3986 | 0 | defined(MBEDTLS_ECP_RESTARTABLE) |
3987 | | |
3988 | 0 | mbedtls_ecdsa_restart_init(&operation->restart_ctx); |
3989 | | |
3990 | | /* Ensure num_ops is zero'ed in case of context re-use. */ |
3991 | 0 | operation->num_ops = 0; |
3992 | |
|
3993 | 0 | status = mbedtls_psa_ecp_load_representation(attributes->type, |
3994 | 0 | attributes->bits, |
3995 | 0 | key_buffer, |
3996 | 0 | key_buffer_size, |
3997 | 0 | &operation->ctx); |
3998 | |
|
3999 | 0 | if (status != PSA_SUCCESS) { |
4000 | 0 | return status; |
4001 | 0 | } |
4002 | | |
4003 | 0 | operation->coordinate_bytes = PSA_BITS_TO_BYTES( |
4004 | 0 | operation->ctx->grp.nbits); |
4005 | |
|
4006 | 0 | psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg); |
4007 | 0 | operation->md_alg = mbedtls_md_type_from_psa_alg(hash_alg); |
4008 | 0 | operation->alg = alg; |
4009 | | |
4010 | | /* We only need to store the same length of hash as the private key size |
4011 | | * here, it would be truncated by the internal implementation anyway. */ |
4012 | 0 | required_hash_length = (hash_length < operation->coordinate_bytes ? |
4013 | 0 | hash_length : operation->coordinate_bytes); |
4014 | |
|
4015 | 0 | if (required_hash_length > sizeof(operation->hash)) { |
4016 | | /* Shouldn't happen, but better safe than sorry. */ |
4017 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
4018 | 0 | } |
4019 | | |
4020 | 0 | memcpy(operation->hash, hash, required_hash_length); |
4021 | 0 | operation->hash_length = required_hash_length; |
4022 | |
|
4023 | 0 | return PSA_SUCCESS; |
4024 | |
|
4025 | | #else |
4026 | | (void) operation; |
4027 | | (void) key_buffer; |
4028 | | (void) key_buffer_size; |
4029 | | (void) alg; |
4030 | | (void) hash; |
4031 | | (void) hash_length; |
4032 | | (void) status; |
4033 | | (void) required_hash_length; |
4034 | | |
4035 | | return PSA_ERROR_NOT_SUPPORTED; |
4036 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
4037 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && |
4038 | | * defined( MBEDTLS_ECP_RESTARTABLE ) */ |
4039 | 0 | } |
4040 | | |
4041 | | psa_status_t mbedtls_psa_sign_hash_complete( |
4042 | | mbedtls_psa_sign_hash_interruptible_operation_t *operation, |
4043 | | uint8_t *signature, size_t signature_size, |
4044 | | size_t *signature_length) |
4045 | 0 | { |
4046 | 0 | #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
4047 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ |
4048 | 0 | defined(MBEDTLS_ECP_RESTARTABLE) |
4049 | |
|
4050 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4051 | 0 | mbedtls_mpi r; |
4052 | 0 | mbedtls_mpi s; |
4053 | |
|
4054 | 0 | mbedtls_mpi_init(&r); |
4055 | 0 | mbedtls_mpi_init(&s); |
4056 | | |
4057 | | /* Ensure max_ops is set to the current value (or default). */ |
4058 | 0 | mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops()); |
4059 | |
|
4060 | 0 | if (signature_size < 2 * operation->coordinate_bytes) { |
4061 | 0 | status = PSA_ERROR_BUFFER_TOO_SMALL; |
4062 | 0 | goto exit; |
4063 | 0 | } |
4064 | | |
4065 | 0 | if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) { |
4066 | |
|
4067 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) |
4068 | 0 | status = mbedtls_to_psa_error( |
4069 | 0 | mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp, |
4070 | 0 | &r, |
4071 | 0 | &s, |
4072 | 0 | &operation->ctx->d, |
4073 | 0 | operation->hash, |
4074 | 0 | operation->hash_length, |
4075 | 0 | operation->md_alg, |
4076 | 0 | mbedtls_psa_get_random, |
4077 | 0 | MBEDTLS_PSA_RANDOM_STATE, |
4078 | 0 | &operation->restart_ctx)); |
4079 | | #else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ |
4080 | | status = PSA_ERROR_NOT_SUPPORTED; |
4081 | | goto exit; |
4082 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ |
4083 | 0 | } else { |
4084 | 0 | status = mbedtls_to_psa_error( |
4085 | 0 | mbedtls_ecdsa_sign_restartable(&operation->ctx->grp, |
4086 | 0 | &r, |
4087 | 0 | &s, |
4088 | 0 | &operation->ctx->d, |
4089 | 0 | operation->hash, |
4090 | 0 | operation->hash_length, |
4091 | 0 | mbedtls_psa_get_random, |
4092 | 0 | MBEDTLS_PSA_RANDOM_STATE, |
4093 | 0 | mbedtls_psa_get_random, |
4094 | 0 | MBEDTLS_PSA_RANDOM_STATE, |
4095 | 0 | &operation->restart_ctx)); |
4096 | 0 | } |
4097 | | |
4098 | | /* Hide the fact that the restart context only holds a delta of number of |
4099 | | * ops done during the last operation, not an absolute value. */ |
4100 | 0 | operation->num_ops += operation->restart_ctx.ecp.ops_done; |
4101 | |
|
4102 | 0 | if (status == PSA_SUCCESS) { |
4103 | 0 | status = mbedtls_to_psa_error( |
4104 | 0 | mbedtls_mpi_write_binary(&r, |
4105 | 0 | signature, |
4106 | 0 | operation->coordinate_bytes) |
4107 | 0 | ); |
4108 | |
|
4109 | 0 | if (status != PSA_SUCCESS) { |
4110 | 0 | goto exit; |
4111 | 0 | } |
4112 | | |
4113 | 0 | status = mbedtls_to_psa_error( |
4114 | 0 | mbedtls_mpi_write_binary(&s, |
4115 | 0 | signature + |
4116 | 0 | operation->coordinate_bytes, |
4117 | 0 | operation->coordinate_bytes) |
4118 | 0 | ); |
4119 | |
|
4120 | 0 | if (status != PSA_SUCCESS) { |
4121 | 0 | goto exit; |
4122 | 0 | } |
4123 | | |
4124 | 0 | *signature_length = operation->coordinate_bytes * 2; |
4125 | |
|
4126 | 0 | status = PSA_SUCCESS; |
4127 | 0 | } |
4128 | | |
4129 | 0 | exit: |
4130 | |
|
4131 | 0 | mbedtls_mpi_free(&r); |
4132 | 0 | mbedtls_mpi_free(&s); |
4133 | 0 | return status; |
4134 | |
|
4135 | | #else |
4136 | | |
4137 | | (void) operation; |
4138 | | (void) signature; |
4139 | | (void) signature_size; |
4140 | | (void) signature_length; |
4141 | | |
4142 | | return PSA_ERROR_NOT_SUPPORTED; |
4143 | | |
4144 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
4145 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && |
4146 | | * defined( MBEDTLS_ECP_RESTARTABLE ) */ |
4147 | 0 | } |
4148 | | |
4149 | | psa_status_t mbedtls_psa_sign_hash_abort( |
4150 | | mbedtls_psa_sign_hash_interruptible_operation_t *operation) |
4151 | 0 | { |
4152 | |
|
4153 | 0 | #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
4154 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ |
4155 | 0 | defined(MBEDTLS_ECP_RESTARTABLE) |
4156 | |
|
4157 | 0 | if (operation->ctx) { |
4158 | 0 | mbedtls_ecdsa_free(operation->ctx); |
4159 | 0 | mbedtls_free(operation->ctx); |
4160 | 0 | operation->ctx = NULL; |
4161 | 0 | } |
4162 | |
|
4163 | 0 | mbedtls_ecdsa_restart_free(&operation->restart_ctx); |
4164 | |
|
4165 | 0 | operation->num_ops = 0; |
4166 | |
|
4167 | 0 | return PSA_SUCCESS; |
4168 | |
|
4169 | | #else |
4170 | | |
4171 | | (void) operation; |
4172 | | |
4173 | | return PSA_ERROR_NOT_SUPPORTED; |
4174 | | |
4175 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
4176 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && |
4177 | | * defined( MBEDTLS_ECP_RESTARTABLE ) */ |
4178 | 0 | } |
4179 | | |
4180 | | psa_status_t mbedtls_psa_verify_hash_start( |
4181 | | mbedtls_psa_verify_hash_interruptible_operation_t *operation, |
4182 | | const psa_key_attributes_t *attributes, |
4183 | | const uint8_t *key_buffer, size_t key_buffer_size, |
4184 | | psa_algorithm_t alg, |
4185 | | const uint8_t *hash, size_t hash_length, |
4186 | | const uint8_t *signature, size_t signature_length) |
4187 | 0 | { |
4188 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4189 | 0 | size_t coordinate_bytes = 0; |
4190 | 0 | size_t required_hash_length = 0; |
4191 | |
|
4192 | 0 | if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) { |
4193 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
4194 | 0 | } |
4195 | 0 | psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type); |
4196 | 0 | if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) { |
4197 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
4198 | 0 | } |
4199 | | |
4200 | 0 | if (!can_do_interruptible_sign_verify(alg)) { |
4201 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
4202 | 0 | } |
4203 | | |
4204 | 0 | #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
4205 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ |
4206 | 0 | defined(MBEDTLS_ECP_RESTARTABLE) |
4207 | | |
4208 | 0 | mbedtls_ecdsa_restart_init(&operation->restart_ctx); |
4209 | 0 | mbedtls_mpi_init(&operation->r); |
4210 | 0 | mbedtls_mpi_init(&operation->s); |
4211 | | |
4212 | | /* Ensure num_ops is zero'ed in case of context re-use. */ |
4213 | 0 | operation->num_ops = 0; |
4214 | |
|
4215 | 0 | status = mbedtls_psa_ecp_load_representation(attributes->type, |
4216 | 0 | attributes->bits, |
4217 | 0 | key_buffer, |
4218 | 0 | key_buffer_size, |
4219 | 0 | &operation->ctx); |
4220 | |
|
4221 | 0 | if (status != PSA_SUCCESS) { |
4222 | 0 | return status; |
4223 | 0 | } |
4224 | | |
4225 | 0 | coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits); |
4226 | |
|
4227 | 0 | if (signature_length != 2 * coordinate_bytes) { |
4228 | 0 | return PSA_ERROR_INVALID_SIGNATURE; |
4229 | 0 | } |
4230 | | |
4231 | 0 | status = mbedtls_to_psa_error( |
4232 | 0 | mbedtls_mpi_read_binary(&operation->r, |
4233 | 0 | signature, |
4234 | 0 | coordinate_bytes)); |
4235 | |
|
4236 | 0 | if (status != PSA_SUCCESS) { |
4237 | 0 | return status; |
4238 | 0 | } |
4239 | | |
4240 | 0 | status = mbedtls_to_psa_error( |
4241 | 0 | mbedtls_mpi_read_binary(&operation->s, |
4242 | 0 | signature + |
4243 | 0 | coordinate_bytes, |
4244 | 0 | coordinate_bytes)); |
4245 | |
|
4246 | 0 | if (status != PSA_SUCCESS) { |
4247 | 0 | return status; |
4248 | 0 | } |
4249 | | |
4250 | 0 | status = mbedtls_psa_ecp_load_public_part(operation->ctx); |
4251 | |
|
4252 | 0 | if (status != PSA_SUCCESS) { |
4253 | 0 | return status; |
4254 | 0 | } |
4255 | | |
4256 | | /* We only need to store the same length of hash as the private key size |
4257 | | * here, it would be truncated by the internal implementation anyway. */ |
4258 | 0 | required_hash_length = (hash_length < coordinate_bytes ? hash_length : |
4259 | 0 | coordinate_bytes); |
4260 | |
|
4261 | 0 | if (required_hash_length > sizeof(operation->hash)) { |
4262 | | /* Shouldn't happen, but better safe than sorry. */ |
4263 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
4264 | 0 | } |
4265 | | |
4266 | 0 | memcpy(operation->hash, hash, required_hash_length); |
4267 | 0 | operation->hash_length = required_hash_length; |
4268 | |
|
4269 | 0 | return PSA_SUCCESS; |
4270 | | #else |
4271 | | (void) operation; |
4272 | | (void) key_buffer; |
4273 | | (void) key_buffer_size; |
4274 | | (void) alg; |
4275 | | (void) hash; |
4276 | | (void) hash_length; |
4277 | | (void) signature; |
4278 | | (void) signature_length; |
4279 | | (void) status; |
4280 | | (void) coordinate_bytes; |
4281 | | (void) required_hash_length; |
4282 | | |
4283 | | return PSA_ERROR_NOT_SUPPORTED; |
4284 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
4285 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && |
4286 | | * defined( MBEDTLS_ECP_RESTARTABLE ) */ |
4287 | 0 | } |
4288 | | |
4289 | | psa_status_t mbedtls_psa_verify_hash_complete( |
4290 | | mbedtls_psa_verify_hash_interruptible_operation_t *operation) |
4291 | 0 | { |
4292 | |
|
4293 | 0 | #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
4294 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ |
4295 | 0 | defined(MBEDTLS_ECP_RESTARTABLE) |
4296 | |
|
4297 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4298 | | |
4299 | | /* Ensure max_ops is set to the current value (or default). */ |
4300 | 0 | mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops()); |
4301 | |
|
4302 | 0 | status = mbedtls_to_psa_error( |
4303 | 0 | mbedtls_ecdsa_verify_restartable(&operation->ctx->grp, |
4304 | 0 | operation->hash, |
4305 | 0 | operation->hash_length, |
4306 | 0 | &operation->ctx->Q, |
4307 | 0 | &operation->r, |
4308 | 0 | &operation->s, |
4309 | 0 | &operation->restart_ctx)); |
4310 | | |
4311 | | /* Hide the fact that the restart context only holds a delta of number of |
4312 | | * ops done during the last operation, not an absolute value. */ |
4313 | 0 | operation->num_ops += operation->restart_ctx.ecp.ops_done; |
4314 | |
|
4315 | 0 | return status; |
4316 | | #else |
4317 | | (void) operation; |
4318 | | |
4319 | | return PSA_ERROR_NOT_SUPPORTED; |
4320 | | |
4321 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
4322 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && |
4323 | | * defined( MBEDTLS_ECP_RESTARTABLE ) */ |
4324 | 0 | } |
4325 | | |
4326 | | psa_status_t mbedtls_psa_verify_hash_abort( |
4327 | | mbedtls_psa_verify_hash_interruptible_operation_t *operation) |
4328 | 0 | { |
4329 | |
|
4330 | 0 | #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ |
4331 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ |
4332 | 0 | defined(MBEDTLS_ECP_RESTARTABLE) |
4333 | |
|
4334 | 0 | if (operation->ctx) { |
4335 | 0 | mbedtls_ecdsa_free(operation->ctx); |
4336 | 0 | mbedtls_free(operation->ctx); |
4337 | 0 | operation->ctx = NULL; |
4338 | 0 | } |
4339 | |
|
4340 | 0 | mbedtls_ecdsa_restart_free(&operation->restart_ctx); |
4341 | |
|
4342 | 0 | operation->num_ops = 0; |
4343 | |
|
4344 | 0 | mbedtls_mpi_free(&operation->r); |
4345 | 0 | mbedtls_mpi_free(&operation->s); |
4346 | |
|
4347 | 0 | return PSA_SUCCESS; |
4348 | |
|
4349 | | #else |
4350 | | (void) operation; |
4351 | | |
4352 | | return PSA_ERROR_NOT_SUPPORTED; |
4353 | | |
4354 | | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || |
4355 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && |
4356 | | * defined( MBEDTLS_ECP_RESTARTABLE ) */ |
4357 | 0 | } |
4358 | | |
4359 | | static psa_status_t psa_generate_random_internal(uint8_t *output, |
4360 | | size_t output_size) |
4361 | 0 | { |
4362 | 0 | GUARD_MODULE_INITIALIZED; |
4363 | |
|
4364 | | #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) |
4365 | | |
4366 | | psa_status_t status; |
4367 | | size_t output_length = 0; |
4368 | | status = mbedtls_psa_external_get_random(&global_data.rng, |
4369 | | output, output_size, |
4370 | | &output_length); |
4371 | | if (status != PSA_SUCCESS) { |
4372 | | return status; |
4373 | | } |
4374 | | /* Breaking up a request into smaller chunks is currently not supported |
4375 | | * for the external RNG interface. */ |
4376 | | if (output_length != output_size) { |
4377 | | return PSA_ERROR_INSUFFICIENT_ENTROPY; |
4378 | | } |
4379 | | return PSA_SUCCESS; |
4380 | | |
4381 | | #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ |
4382 | |
|
4383 | 0 | while (output_size > 0) { |
4384 | 0 | int ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; |
4385 | 0 | size_t request_size = |
4386 | 0 | (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ? |
4387 | 0 | MBEDTLS_PSA_RANDOM_MAX_REQUEST : |
4388 | 0 | output_size); |
4389 | 0 | #if defined(MBEDTLS_CTR_DRBG_C) |
4390 | 0 | ret = mbedtls_ctr_drbg_random(&global_data.rng.drbg, output, request_size); |
4391 | | #elif defined(MBEDTLS_HMAC_DRBG_C) |
4392 | | ret = mbedtls_hmac_drbg_random(&global_data.rng.drbg, output, request_size); |
4393 | | #endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */ |
4394 | 0 | if (ret != 0) { |
4395 | 0 | return mbedtls_to_psa_error(ret); |
4396 | 0 | } |
4397 | 0 | output_size -= request_size; |
4398 | 0 | output += request_size; |
4399 | 0 | } |
4400 | 0 | return PSA_SUCCESS; |
4401 | 0 | #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ |
4402 | 0 | } |
4403 | | |
4404 | | |
4405 | | /****************************************************************/ |
4406 | | /* Symmetric cryptography */ |
4407 | | /****************************************************************/ |
4408 | | |
4409 | | static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation, |
4410 | | mbedtls_svc_key_id_t key, |
4411 | | psa_algorithm_t alg, |
4412 | | mbedtls_operation_t cipher_operation) |
4413 | 0 | { |
4414 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4415 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
4416 | 0 | psa_key_slot_t *slot = NULL; |
4417 | 0 | psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ? |
4418 | 0 | PSA_KEY_USAGE_ENCRYPT : |
4419 | 0 | PSA_KEY_USAGE_DECRYPT); |
4420 | | |
4421 | | /* A context must be freshly initialized before it can be set up. */ |
4422 | 0 | if (operation->id != 0) { |
4423 | 0 | status = PSA_ERROR_BAD_STATE; |
4424 | 0 | goto exit; |
4425 | 0 | } |
4426 | | |
4427 | 0 | if (!PSA_ALG_IS_CIPHER(alg)) { |
4428 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
4429 | 0 | goto exit; |
4430 | 0 | } |
4431 | | |
4432 | 0 | status = psa_get_and_lock_key_slot_with_policy(key, &slot, usage, alg); |
4433 | 0 | if (status != PSA_SUCCESS) { |
4434 | 0 | goto exit; |
4435 | 0 | } |
4436 | | |
4437 | | /* Initialize the operation struct members, except for id. The id member |
4438 | | * is used to indicate to psa_cipher_abort that there are resources to free, |
4439 | | * so we only set it (in the driver wrapper) after resources have been |
4440 | | * allocated/initialized. */ |
4441 | 0 | operation->iv_set = 0; |
4442 | 0 | if (alg == PSA_ALG_ECB_NO_PADDING) { |
4443 | 0 | operation->iv_required = 0; |
4444 | 0 | } else { |
4445 | 0 | operation->iv_required = 1; |
4446 | 0 | } |
4447 | 0 | operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg); |
4448 | | |
4449 | | /* Try doing the operation through a driver before using software fallback. */ |
4450 | 0 | if (cipher_operation == MBEDTLS_ENCRYPT) { |
4451 | 0 | status = psa_driver_wrapper_cipher_encrypt_setup(operation, |
4452 | 0 | &slot->attr, |
4453 | 0 | slot->key.data, |
4454 | 0 | slot->key.bytes, |
4455 | 0 | alg); |
4456 | 0 | } else { |
4457 | 0 | status = psa_driver_wrapper_cipher_decrypt_setup(operation, |
4458 | 0 | &slot->attr, |
4459 | 0 | slot->key.data, |
4460 | 0 | slot->key.bytes, |
4461 | 0 | alg); |
4462 | 0 | } |
4463 | |
|
4464 | 0 | exit: |
4465 | 0 | if (status != PSA_SUCCESS) { |
4466 | 0 | psa_cipher_abort(operation); |
4467 | 0 | } |
4468 | |
|
4469 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
4470 | |
|
4471 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
4472 | 0 | } |
4473 | | |
4474 | | psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation, |
4475 | | mbedtls_svc_key_id_t key, |
4476 | | psa_algorithm_t alg) |
4477 | 0 | { |
4478 | 0 | return psa_cipher_setup(operation, key, alg, MBEDTLS_ENCRYPT); |
4479 | 0 | } |
4480 | | |
4481 | | psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation, |
4482 | | mbedtls_svc_key_id_t key, |
4483 | | psa_algorithm_t alg) |
4484 | 0 | { |
4485 | 0 | return psa_cipher_setup(operation, key, alg, MBEDTLS_DECRYPT); |
4486 | 0 | } |
4487 | | |
4488 | | psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation, |
4489 | | uint8_t *iv_external, |
4490 | | size_t iv_size, |
4491 | | size_t *iv_length) |
4492 | 0 | { |
4493 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4494 | 0 | size_t default_iv_length = 0; |
4495 | |
|
4496 | 0 | LOCAL_OUTPUT_DECLARE(iv_external, iv); |
4497 | |
|
4498 | 0 | if (operation->id == 0) { |
4499 | 0 | status = PSA_ERROR_BAD_STATE; |
4500 | 0 | goto exit; |
4501 | 0 | } |
4502 | | |
4503 | 0 | if (operation->iv_set || !operation->iv_required) { |
4504 | 0 | status = PSA_ERROR_BAD_STATE; |
4505 | 0 | goto exit; |
4506 | 0 | } |
4507 | | |
4508 | 0 | default_iv_length = operation->default_iv_length; |
4509 | 0 | if (iv_size < default_iv_length) { |
4510 | 0 | status = PSA_ERROR_BUFFER_TOO_SMALL; |
4511 | 0 | goto exit; |
4512 | 0 | } |
4513 | | |
4514 | 0 | if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) { |
4515 | 0 | status = PSA_ERROR_GENERIC_ERROR; |
4516 | 0 | goto exit; |
4517 | 0 | } |
4518 | | |
4519 | 0 | LOCAL_OUTPUT_ALLOC(iv_external, default_iv_length, iv); |
4520 | |
|
4521 | 0 | status = psa_generate_random_internal(iv, default_iv_length); |
4522 | 0 | if (status != PSA_SUCCESS) { |
4523 | 0 | goto exit; |
4524 | 0 | } |
4525 | | |
4526 | 0 | status = psa_driver_wrapper_cipher_set_iv(operation, |
4527 | 0 | iv, default_iv_length); |
4528 | |
|
4529 | 0 | exit: |
4530 | 0 | if (status == PSA_SUCCESS) { |
4531 | 0 | *iv_length = default_iv_length; |
4532 | 0 | operation->iv_set = 1; |
4533 | 0 | } else { |
4534 | 0 | *iv_length = 0; |
4535 | 0 | psa_cipher_abort(operation); |
4536 | 0 | if (iv != NULL) { |
4537 | 0 | mbedtls_platform_zeroize(iv, default_iv_length); |
4538 | 0 | } |
4539 | 0 | } |
4540 | |
|
4541 | 0 | LOCAL_OUTPUT_FREE(iv_external, iv); |
4542 | 0 | return status; |
4543 | 0 | } |
4544 | | |
4545 | | psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation, |
4546 | | const uint8_t *iv_external, |
4547 | | size_t iv_length) |
4548 | 0 | { |
4549 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4550 | |
|
4551 | 0 | LOCAL_INPUT_DECLARE(iv_external, iv); |
4552 | |
|
4553 | 0 | if (operation->id == 0) { |
4554 | 0 | status = PSA_ERROR_BAD_STATE; |
4555 | 0 | goto exit; |
4556 | 0 | } |
4557 | | |
4558 | 0 | if (operation->iv_set || !operation->iv_required) { |
4559 | 0 | status = PSA_ERROR_BAD_STATE; |
4560 | 0 | goto exit; |
4561 | 0 | } |
4562 | | |
4563 | 0 | if (iv_length > PSA_CIPHER_IV_MAX_SIZE) { |
4564 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
4565 | 0 | goto exit; |
4566 | 0 | } |
4567 | | |
4568 | 0 | LOCAL_INPUT_ALLOC(iv_external, iv_length, iv); |
4569 | |
|
4570 | 0 | status = psa_driver_wrapper_cipher_set_iv(operation, |
4571 | 0 | iv, |
4572 | 0 | iv_length); |
4573 | |
|
4574 | 0 | exit: |
4575 | 0 | if (status == PSA_SUCCESS) { |
4576 | 0 | operation->iv_set = 1; |
4577 | 0 | } else { |
4578 | 0 | psa_cipher_abort(operation); |
4579 | 0 | } |
4580 | |
|
4581 | 0 | LOCAL_INPUT_FREE(iv_external, iv); |
4582 | |
|
4583 | 0 | return status; |
4584 | 0 | } |
4585 | | |
4586 | | psa_status_t psa_cipher_update(psa_cipher_operation_t *operation, |
4587 | | const uint8_t *input_external, |
4588 | | size_t input_length, |
4589 | | uint8_t *output_external, |
4590 | | size_t output_size, |
4591 | | size_t *output_length) |
4592 | 0 | { |
4593 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4594 | |
|
4595 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
4596 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
4597 | |
|
4598 | 0 | if (operation->id == 0) { |
4599 | 0 | status = PSA_ERROR_BAD_STATE; |
4600 | 0 | goto exit; |
4601 | 0 | } |
4602 | | |
4603 | 0 | if (operation->iv_required && !operation->iv_set) { |
4604 | 0 | status = PSA_ERROR_BAD_STATE; |
4605 | 0 | goto exit; |
4606 | 0 | } |
4607 | | |
4608 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
4609 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_size, output); |
4610 | |
|
4611 | 0 | status = psa_driver_wrapper_cipher_update(operation, |
4612 | 0 | input, |
4613 | 0 | input_length, |
4614 | 0 | output, |
4615 | 0 | output_size, |
4616 | 0 | output_length); |
4617 | |
|
4618 | 0 | exit: |
4619 | 0 | if (status != PSA_SUCCESS) { |
4620 | 0 | psa_cipher_abort(operation); |
4621 | 0 | } |
4622 | |
|
4623 | 0 | LOCAL_INPUT_FREE(input_external, input); |
4624 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
4625 | |
|
4626 | 0 | return status; |
4627 | 0 | } |
4628 | | |
4629 | | psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation, |
4630 | | uint8_t *output_external, |
4631 | | size_t output_size, |
4632 | | size_t *output_length) |
4633 | 0 | { |
4634 | 0 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
4635 | |
|
4636 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
4637 | |
|
4638 | 0 | if (operation->id == 0) { |
4639 | 0 | status = PSA_ERROR_BAD_STATE; |
4640 | 0 | goto exit; |
4641 | 0 | } |
4642 | | |
4643 | 0 | if (operation->iv_required && !operation->iv_set) { |
4644 | 0 | status = PSA_ERROR_BAD_STATE; |
4645 | 0 | goto exit; |
4646 | 0 | } |
4647 | | |
4648 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_size, output); |
4649 | |
|
4650 | 0 | status = psa_driver_wrapper_cipher_finish(operation, |
4651 | 0 | output, |
4652 | 0 | output_size, |
4653 | 0 | output_length); |
4654 | |
|
4655 | 0 | exit: |
4656 | 0 | if (status == PSA_SUCCESS) { |
4657 | 0 | status = psa_cipher_abort(operation); |
4658 | 0 | } else { |
4659 | 0 | *output_length = 0; |
4660 | 0 | (void) psa_cipher_abort(operation); |
4661 | 0 | } |
4662 | |
|
4663 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
4664 | |
|
4665 | 0 | return status; |
4666 | 0 | } |
4667 | | |
4668 | | psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation) |
4669 | 0 | { |
4670 | 0 | if (operation->id == 0) { |
4671 | | /* The object has (apparently) been initialized but it is not (yet) |
4672 | | * in use. It's ok to call abort on such an object, and there's |
4673 | | * nothing to do. */ |
4674 | 0 | return PSA_SUCCESS; |
4675 | 0 | } |
4676 | | |
4677 | 0 | psa_driver_wrapper_cipher_abort(operation); |
4678 | |
|
4679 | 0 | operation->id = 0; |
4680 | 0 | operation->iv_set = 0; |
4681 | 0 | operation->iv_required = 0; |
4682 | |
|
4683 | 0 | return PSA_SUCCESS; |
4684 | 0 | } |
4685 | | |
4686 | | psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, |
4687 | | psa_algorithm_t alg, |
4688 | | const uint8_t *input_external, |
4689 | | size_t input_length, |
4690 | | uint8_t *output_external, |
4691 | | size_t output_size, |
4692 | | size_t *output_length) |
4693 | 0 | { |
4694 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4695 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
4696 | 0 | psa_key_slot_t *slot = NULL; |
4697 | 0 | uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; |
4698 | 0 | size_t default_iv_length = 0; |
4699 | |
|
4700 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
4701 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
4702 | |
|
4703 | 0 | if (!PSA_ALG_IS_CIPHER(alg)) { |
4704 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
4705 | 0 | goto exit; |
4706 | 0 | } |
4707 | | |
4708 | 0 | status = psa_get_and_lock_key_slot_with_policy(key, &slot, |
4709 | 0 | PSA_KEY_USAGE_ENCRYPT, |
4710 | 0 | alg); |
4711 | 0 | if (status != PSA_SUCCESS) { |
4712 | 0 | goto exit; |
4713 | 0 | } |
4714 | | |
4715 | 0 | default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg); |
4716 | 0 | if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) { |
4717 | 0 | status = PSA_ERROR_GENERIC_ERROR; |
4718 | 0 | goto exit; |
4719 | 0 | } |
4720 | | |
4721 | 0 | if (default_iv_length > 0) { |
4722 | 0 | if (output_size < default_iv_length) { |
4723 | 0 | status = PSA_ERROR_BUFFER_TOO_SMALL; |
4724 | 0 | goto exit; |
4725 | 0 | } |
4726 | | |
4727 | 0 | status = psa_generate_random_internal(local_iv, default_iv_length); |
4728 | 0 | if (status != PSA_SUCCESS) { |
4729 | 0 | goto exit; |
4730 | 0 | } |
4731 | 0 | } |
4732 | | |
4733 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
4734 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_size, output); |
4735 | |
|
4736 | 0 | status = psa_driver_wrapper_cipher_encrypt( |
4737 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
4738 | 0 | alg, local_iv, default_iv_length, input, input_length, |
4739 | 0 | psa_crypto_buffer_offset(output, default_iv_length), |
4740 | 0 | output_size - default_iv_length, output_length); |
4741 | |
|
4742 | 0 | exit: |
4743 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
4744 | 0 | if (status == PSA_SUCCESS) { |
4745 | 0 | status = unlock_status; |
4746 | 0 | } |
4747 | |
|
4748 | 0 | if (status == PSA_SUCCESS) { |
4749 | 0 | if (default_iv_length > 0) { |
4750 | 0 | memcpy(output, local_iv, default_iv_length); |
4751 | 0 | } |
4752 | 0 | *output_length += default_iv_length; |
4753 | 0 | } else { |
4754 | 0 | *output_length = 0; |
4755 | 0 | } |
4756 | |
|
4757 | 0 | LOCAL_INPUT_FREE(input_external, input); |
4758 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
4759 | |
|
4760 | 0 | return status; |
4761 | 0 | } |
4762 | | |
4763 | | psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, |
4764 | | psa_algorithm_t alg, |
4765 | | const uint8_t *input_external, |
4766 | | size_t input_length, |
4767 | | uint8_t *output_external, |
4768 | | size_t output_size, |
4769 | | size_t *output_length) |
4770 | 0 | { |
4771 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4772 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
4773 | 0 | psa_key_slot_t *slot = NULL; |
4774 | |
|
4775 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
4776 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
4777 | |
|
4778 | 0 | if (!PSA_ALG_IS_CIPHER(alg)) { |
4779 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
4780 | 0 | goto exit; |
4781 | 0 | } |
4782 | | |
4783 | 0 | status = psa_get_and_lock_key_slot_with_policy(key, &slot, |
4784 | 0 | PSA_KEY_USAGE_DECRYPT, |
4785 | 0 | alg); |
4786 | 0 | if (status != PSA_SUCCESS) { |
4787 | 0 | goto exit; |
4788 | 0 | } |
4789 | | |
4790 | 0 | if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) { |
4791 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
4792 | 0 | goto exit; |
4793 | 0 | } |
4794 | | |
4795 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
4796 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_size, output); |
4797 | |
|
4798 | 0 | status = psa_driver_wrapper_cipher_decrypt( |
4799 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
4800 | 0 | alg, input, input_length, |
4801 | 0 | output, output_size, output_length); |
4802 | |
|
4803 | 0 | exit: |
4804 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
4805 | 0 | if (status == PSA_SUCCESS) { |
4806 | 0 | status = unlock_status; |
4807 | 0 | } |
4808 | |
|
4809 | 0 | if (status != PSA_SUCCESS) { |
4810 | 0 | *output_length = 0; |
4811 | 0 | } |
4812 | |
|
4813 | 0 | LOCAL_INPUT_FREE(input_external, input); |
4814 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
4815 | |
|
4816 | 0 | return status; |
4817 | 0 | } |
4818 | | |
4819 | | |
4820 | | /****************************************************************/ |
4821 | | /* AEAD */ |
4822 | | /****************************************************************/ |
4823 | | |
4824 | | /* Helper function to get the base algorithm from its variants. */ |
4825 | | static psa_algorithm_t psa_aead_get_base_algorithm(psa_algorithm_t alg) |
4826 | 0 | { |
4827 | 0 | return PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg); |
4828 | 0 | } |
4829 | | |
4830 | | /* Helper function to perform common nonce length checks. */ |
4831 | | static psa_status_t psa_aead_check_nonce_length(psa_algorithm_t alg, |
4832 | | size_t nonce_length) |
4833 | 0 | { |
4834 | 0 | psa_algorithm_t base_alg = psa_aead_get_base_algorithm(alg); |
4835 | |
|
4836 | 0 | switch (base_alg) { |
4837 | 0 | #if defined(PSA_WANT_ALG_GCM) |
4838 | 0 | case PSA_ALG_GCM: |
4839 | | /* Not checking max nonce size here as GCM spec allows almost |
4840 | | * arbitrarily large nonces. Please note that we do not generally |
4841 | | * recommend the usage of nonces of greater length than |
4842 | | * PSA_AEAD_NONCE_MAX_SIZE, as large nonces are hashed to a shorter |
4843 | | * size, which can then lead to collisions if you encrypt a very |
4844 | | * large number of messages.*/ |
4845 | 0 | if (nonce_length != 0) { |
4846 | 0 | return PSA_SUCCESS; |
4847 | 0 | } |
4848 | 0 | break; |
4849 | 0 | #endif /* PSA_WANT_ALG_GCM */ |
4850 | 0 | #if defined(PSA_WANT_ALG_CCM) |
4851 | 0 | case PSA_ALG_CCM: |
4852 | 0 | if (nonce_length >= 7 && nonce_length <= 13) { |
4853 | 0 | return PSA_SUCCESS; |
4854 | 0 | } |
4855 | 0 | break; |
4856 | 0 | #endif /* PSA_WANT_ALG_CCM */ |
4857 | 0 | #if defined(PSA_WANT_ALG_CHACHA20_POLY1305) |
4858 | 0 | case PSA_ALG_CHACHA20_POLY1305: |
4859 | 0 | if (nonce_length == 12) { |
4860 | 0 | return PSA_SUCCESS; |
4861 | 0 | } else if (nonce_length == 8) { |
4862 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
4863 | 0 | } |
4864 | 0 | break; |
4865 | 0 | #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ |
4866 | 0 | default: |
4867 | 0 | (void) nonce_length; |
4868 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
4869 | 0 | } |
4870 | | |
4871 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
4872 | 0 | } |
4873 | | |
4874 | | static psa_status_t psa_aead_check_algorithm(psa_algorithm_t alg) |
4875 | 0 | { |
4876 | 0 | if (!PSA_ALG_IS_AEAD(alg) || PSA_ALG_IS_WILDCARD(alg)) { |
4877 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
4878 | 0 | } |
4879 | | |
4880 | 0 | return PSA_SUCCESS; |
4881 | 0 | } |
4882 | | |
4883 | | psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key, |
4884 | | psa_algorithm_t alg, |
4885 | | const uint8_t *nonce_external, |
4886 | | size_t nonce_length, |
4887 | | const uint8_t *additional_data_external, |
4888 | | size_t additional_data_length, |
4889 | | const uint8_t *plaintext_external, |
4890 | | size_t plaintext_length, |
4891 | | uint8_t *ciphertext_external, |
4892 | | size_t ciphertext_size, |
4893 | | size_t *ciphertext_length) |
4894 | 0 | { |
4895 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4896 | 0 | psa_key_slot_t *slot; |
4897 | |
|
4898 | 0 | LOCAL_INPUT_DECLARE(nonce_external, nonce); |
4899 | 0 | LOCAL_INPUT_DECLARE(additional_data_external, additional_data); |
4900 | 0 | LOCAL_INPUT_DECLARE(plaintext_external, plaintext); |
4901 | 0 | LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext); |
4902 | |
|
4903 | 0 | *ciphertext_length = 0; |
4904 | |
|
4905 | 0 | status = psa_aead_check_algorithm(alg); |
4906 | 0 | if (status != PSA_SUCCESS) { |
4907 | 0 | return status; |
4908 | 0 | } |
4909 | | |
4910 | 0 | status = psa_get_and_lock_key_slot_with_policy( |
4911 | 0 | key, &slot, PSA_KEY_USAGE_ENCRYPT, alg); |
4912 | 0 | if (status != PSA_SUCCESS) { |
4913 | 0 | return status; |
4914 | 0 | } |
4915 | | |
4916 | 0 | LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce); |
4917 | 0 | LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length, additional_data); |
4918 | 0 | LOCAL_INPUT_ALLOC(plaintext_external, plaintext_length, plaintext); |
4919 | 0 | LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext); |
4920 | |
|
4921 | 0 | status = psa_aead_check_nonce_length(alg, nonce_length); |
4922 | 0 | if (status != PSA_SUCCESS) { |
4923 | 0 | goto exit; |
4924 | 0 | } |
4925 | | |
4926 | 0 | status = psa_driver_wrapper_aead_encrypt( |
4927 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
4928 | 0 | alg, |
4929 | 0 | nonce, nonce_length, |
4930 | 0 | additional_data, additional_data_length, |
4931 | 0 | plaintext, plaintext_length, |
4932 | 0 | ciphertext, ciphertext_size, ciphertext_length); |
4933 | |
|
4934 | 0 | if (status != PSA_SUCCESS && ciphertext_size != 0) { |
4935 | 0 | memset(ciphertext, 0, ciphertext_size); |
4936 | 0 | } |
4937 | |
|
4938 | 0 | exit: |
4939 | 0 | LOCAL_INPUT_FREE(nonce_external, nonce); |
4940 | 0 | LOCAL_INPUT_FREE(additional_data_external, additional_data); |
4941 | 0 | LOCAL_INPUT_FREE(plaintext_external, plaintext); |
4942 | 0 | LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext); |
4943 | |
|
4944 | 0 | psa_unregister_read_under_mutex(slot); |
4945 | |
|
4946 | 0 | return status; |
4947 | 0 | } |
4948 | | |
4949 | | psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key, |
4950 | | psa_algorithm_t alg, |
4951 | | const uint8_t *nonce_external, |
4952 | | size_t nonce_length, |
4953 | | const uint8_t *additional_data_external, |
4954 | | size_t additional_data_length, |
4955 | | const uint8_t *ciphertext_external, |
4956 | | size_t ciphertext_length, |
4957 | | uint8_t *plaintext_external, |
4958 | | size_t plaintext_size, |
4959 | | size_t *plaintext_length) |
4960 | 0 | { |
4961 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
4962 | 0 | psa_key_slot_t *slot; |
4963 | |
|
4964 | 0 | LOCAL_INPUT_DECLARE(nonce_external, nonce); |
4965 | 0 | LOCAL_INPUT_DECLARE(additional_data_external, additional_data); |
4966 | 0 | LOCAL_INPUT_DECLARE(ciphertext_external, ciphertext); |
4967 | 0 | LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext); |
4968 | |
|
4969 | 0 | *plaintext_length = 0; |
4970 | |
|
4971 | 0 | status = psa_aead_check_algorithm(alg); |
4972 | 0 | if (status != PSA_SUCCESS) { |
4973 | 0 | return status; |
4974 | 0 | } |
4975 | | |
4976 | 0 | status = psa_get_and_lock_key_slot_with_policy( |
4977 | 0 | key, &slot, PSA_KEY_USAGE_DECRYPT, alg); |
4978 | 0 | if (status != PSA_SUCCESS) { |
4979 | 0 | return status; |
4980 | 0 | } |
4981 | | |
4982 | 0 | LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce); |
4983 | 0 | LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length, |
4984 | 0 | additional_data); |
4985 | 0 | LOCAL_INPUT_ALLOC(ciphertext_external, ciphertext_length, ciphertext); |
4986 | 0 | LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext); |
4987 | |
|
4988 | 0 | status = psa_aead_check_nonce_length(alg, nonce_length); |
4989 | 0 | if (status != PSA_SUCCESS) { |
4990 | 0 | goto exit; |
4991 | 0 | } |
4992 | | |
4993 | 0 | status = psa_driver_wrapper_aead_decrypt( |
4994 | 0 | &slot->attr, slot->key.data, slot->key.bytes, |
4995 | 0 | alg, |
4996 | 0 | nonce, nonce_length, |
4997 | 0 | additional_data, additional_data_length, |
4998 | 0 | ciphertext, ciphertext_length, |
4999 | 0 | plaintext, plaintext_size, plaintext_length); |
5000 | |
|
5001 | 0 | if (status != PSA_SUCCESS && plaintext_size != 0) { |
5002 | 0 | memset(plaintext, 0, plaintext_size); |
5003 | 0 | } |
5004 | |
|
5005 | 0 | exit: |
5006 | 0 | LOCAL_INPUT_FREE(nonce_external, nonce); |
5007 | 0 | LOCAL_INPUT_FREE(additional_data_external, additional_data); |
5008 | 0 | LOCAL_INPUT_FREE(ciphertext_external, ciphertext); |
5009 | 0 | LOCAL_OUTPUT_FREE(plaintext_external, plaintext); |
5010 | |
|
5011 | 0 | psa_unregister_read_under_mutex(slot); |
5012 | |
|
5013 | 0 | return status; |
5014 | 0 | } |
5015 | | |
5016 | | static psa_status_t psa_validate_tag_length(psa_algorithm_t alg) |
5017 | 0 | { |
5018 | 0 | const uint8_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg); |
5019 | |
|
5020 | 0 | switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) { |
5021 | 0 | #if defined(PSA_WANT_ALG_CCM) |
5022 | 0 | case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0): |
5023 | | /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.*/ |
5024 | 0 | if (tag_len < 4 || tag_len > 16 || tag_len % 2) { |
5025 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
5026 | 0 | } |
5027 | 0 | break; |
5028 | 0 | #endif /* PSA_WANT_ALG_CCM */ |
5029 | | |
5030 | 0 | #if defined(PSA_WANT_ALG_GCM) |
5031 | 0 | case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0): |
5032 | | /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. */ |
5033 | 0 | if (tag_len != 4 && tag_len != 8 && (tag_len < 12 || tag_len > 16)) { |
5034 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
5035 | 0 | } |
5036 | 0 | break; |
5037 | 0 | #endif /* PSA_WANT_ALG_GCM */ |
5038 | | |
5039 | 0 | #if defined(PSA_WANT_ALG_CHACHA20_POLY1305) |
5040 | 0 | case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0): |
5041 | | /* We only support the default tag length. */ |
5042 | 0 | if (tag_len != 16) { |
5043 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
5044 | 0 | } |
5045 | 0 | break; |
5046 | 0 | #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ |
5047 | | |
5048 | 0 | default: |
5049 | 0 | (void) tag_len; |
5050 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
5051 | 0 | } |
5052 | 0 | return PSA_SUCCESS; |
5053 | 0 | } |
5054 | | |
5055 | | /* Set the key for a multipart authenticated operation. */ |
5056 | | static psa_status_t psa_aead_setup(psa_aead_operation_t *operation, |
5057 | | int is_encrypt, |
5058 | | mbedtls_svc_key_id_t key, |
5059 | | psa_algorithm_t alg) |
5060 | 0 | { |
5061 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
5062 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
5063 | 0 | psa_key_slot_t *slot = NULL; |
5064 | 0 | psa_key_usage_t key_usage = 0; |
5065 | |
|
5066 | 0 | status = psa_aead_check_algorithm(alg); |
5067 | 0 | if (status != PSA_SUCCESS) { |
5068 | 0 | goto exit; |
5069 | 0 | } |
5070 | | |
5071 | 0 | if (operation->id != 0) { |
5072 | 0 | status = PSA_ERROR_BAD_STATE; |
5073 | 0 | goto exit; |
5074 | 0 | } |
5075 | | |
5076 | 0 | if (operation->nonce_set || operation->lengths_set || |
5077 | 0 | operation->ad_started || operation->body_started) { |
5078 | 0 | status = PSA_ERROR_BAD_STATE; |
5079 | 0 | goto exit; |
5080 | 0 | } |
5081 | | |
5082 | 0 | if (is_encrypt) { |
5083 | 0 | key_usage = PSA_KEY_USAGE_ENCRYPT; |
5084 | 0 | } else { |
5085 | 0 | key_usage = PSA_KEY_USAGE_DECRYPT; |
5086 | 0 | } |
5087 | |
|
5088 | 0 | status = psa_get_and_lock_key_slot_with_policy(key, &slot, key_usage, |
5089 | 0 | alg); |
5090 | 0 | if (status != PSA_SUCCESS) { |
5091 | 0 | goto exit; |
5092 | 0 | } |
5093 | | |
5094 | 0 | if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) { |
5095 | 0 | goto exit; |
5096 | 0 | } |
5097 | | |
5098 | 0 | if (is_encrypt) { |
5099 | 0 | status = psa_driver_wrapper_aead_encrypt_setup(operation, |
5100 | 0 | &slot->attr, |
5101 | 0 | slot->key.data, |
5102 | 0 | slot->key.bytes, |
5103 | 0 | alg); |
5104 | 0 | } else { |
5105 | 0 | status = psa_driver_wrapper_aead_decrypt_setup(operation, |
5106 | 0 | &slot->attr, |
5107 | 0 | slot->key.data, |
5108 | 0 | slot->key.bytes, |
5109 | 0 | alg); |
5110 | 0 | } |
5111 | 0 | if (status != PSA_SUCCESS) { |
5112 | 0 | goto exit; |
5113 | 0 | } |
5114 | | |
5115 | 0 | operation->key_type = psa_get_key_type(&slot->attr); |
5116 | |
|
5117 | 0 | exit: |
5118 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
5119 | |
|
5120 | 0 | if (status == PSA_SUCCESS) { |
5121 | 0 | status = unlock_status; |
5122 | 0 | operation->alg = psa_aead_get_base_algorithm(alg); |
5123 | 0 | operation->is_encrypt = is_encrypt; |
5124 | 0 | } else { |
5125 | 0 | psa_aead_abort(operation); |
5126 | 0 | } |
5127 | |
|
5128 | 0 | return status; |
5129 | 0 | } |
5130 | | |
5131 | | /* Set the key for a multipart authenticated encryption operation. */ |
5132 | | psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation, |
5133 | | mbedtls_svc_key_id_t key, |
5134 | | psa_algorithm_t alg) |
5135 | 0 | { |
5136 | 0 | return psa_aead_setup(operation, 1, key, alg); |
5137 | 0 | } |
5138 | | |
5139 | | /* Set the key for a multipart authenticated decryption operation. */ |
5140 | | psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation, |
5141 | | mbedtls_svc_key_id_t key, |
5142 | | psa_algorithm_t alg) |
5143 | 0 | { |
5144 | 0 | return psa_aead_setup(operation, 0, key, alg); |
5145 | 0 | } |
5146 | | |
5147 | | static psa_status_t psa_aead_set_nonce_internal(psa_aead_operation_t *operation, |
5148 | | const uint8_t *nonce, |
5149 | | size_t nonce_length) |
5150 | 0 | { |
5151 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
5152 | |
|
5153 | 0 | if (operation->id == 0) { |
5154 | 0 | status = PSA_ERROR_BAD_STATE; |
5155 | 0 | goto exit; |
5156 | 0 | } |
5157 | | |
5158 | 0 | if (operation->nonce_set) { |
5159 | 0 | status = PSA_ERROR_BAD_STATE; |
5160 | 0 | goto exit; |
5161 | 0 | } |
5162 | | |
5163 | 0 | status = psa_aead_check_nonce_length(operation->alg, nonce_length); |
5164 | 0 | if (status != PSA_SUCCESS) { |
5165 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
5166 | 0 | goto exit; |
5167 | 0 | } |
5168 | | |
5169 | 0 | status = psa_driver_wrapper_aead_set_nonce(operation, nonce, |
5170 | 0 | nonce_length); |
5171 | |
|
5172 | 0 | exit: |
5173 | 0 | if (status == PSA_SUCCESS) { |
5174 | 0 | operation->nonce_set = 1; |
5175 | 0 | } else { |
5176 | 0 | psa_aead_abort(operation); |
5177 | 0 | } |
5178 | |
|
5179 | 0 | return status; |
5180 | 0 | } |
5181 | | |
5182 | | /* Generate a random nonce / IV for multipart AEAD operation */ |
5183 | | psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation, |
5184 | | uint8_t *nonce_external, |
5185 | | size_t nonce_size, |
5186 | | size_t *nonce_length) |
5187 | 0 | { |
5188 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
5189 | 0 | uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE]; |
5190 | 0 | size_t required_nonce_size = 0; |
5191 | |
|
5192 | 0 | LOCAL_OUTPUT_DECLARE(nonce_external, nonce); |
5193 | 0 | LOCAL_OUTPUT_ALLOC(nonce_external, nonce_size, nonce); |
5194 | |
|
5195 | 0 | *nonce_length = 0; |
5196 | |
|
5197 | 0 | if (operation->id == 0) { |
5198 | 0 | status = PSA_ERROR_BAD_STATE; |
5199 | 0 | goto exit; |
5200 | 0 | } |
5201 | | |
5202 | 0 | if (operation->nonce_set || !operation->is_encrypt) { |
5203 | 0 | status = PSA_ERROR_BAD_STATE; |
5204 | 0 | goto exit; |
5205 | 0 | } |
5206 | | |
5207 | | /* For CCM, this size may not be correct according to the PSA |
5208 | | * specification. The PSA Crypto 1.0.1 specification states: |
5209 | | * |
5210 | | * CCM encodes the plaintext length pLen in L octets, with L the smallest |
5211 | | * integer >= 2 where pLen < 2^(8L). The nonce length is then 15 - L bytes. |
5212 | | * |
5213 | | * However this restriction that L has to be the smallest integer is not |
5214 | | * applied in practice, and it is not implementable here since the |
5215 | | * plaintext length may or may not be known at this time. */ |
5216 | 0 | required_nonce_size = PSA_AEAD_NONCE_LENGTH(operation->key_type, |
5217 | 0 | operation->alg); |
5218 | 0 | if (nonce_size < required_nonce_size) { |
5219 | 0 | status = PSA_ERROR_BUFFER_TOO_SMALL; |
5220 | 0 | goto exit; |
5221 | 0 | } |
5222 | | |
5223 | 0 | status = psa_generate_random_internal(local_nonce, required_nonce_size); |
5224 | 0 | if (status != PSA_SUCCESS) { |
5225 | 0 | goto exit; |
5226 | 0 | } |
5227 | | |
5228 | 0 | status = psa_aead_set_nonce_internal(operation, local_nonce, |
5229 | 0 | required_nonce_size); |
5230 | |
|
5231 | 0 | exit: |
5232 | 0 | if (status == PSA_SUCCESS) { |
5233 | 0 | memcpy(nonce, local_nonce, required_nonce_size); |
5234 | 0 | *nonce_length = required_nonce_size; |
5235 | 0 | } else { |
5236 | 0 | psa_aead_abort(operation); |
5237 | 0 | } |
5238 | |
|
5239 | 0 | LOCAL_OUTPUT_FREE(nonce_external, nonce); |
5240 | |
|
5241 | 0 | return status; |
5242 | 0 | } |
5243 | | |
5244 | | /* Set the nonce for a multipart authenticated encryption or decryption |
5245 | | operation.*/ |
5246 | | psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation, |
5247 | | const uint8_t *nonce_external, |
5248 | | size_t nonce_length) |
5249 | 0 | { |
5250 | 0 | psa_status_t status; |
5251 | |
|
5252 | 0 | LOCAL_INPUT_DECLARE(nonce_external, nonce); |
5253 | 0 | LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce); |
5254 | |
|
5255 | 0 | status = psa_aead_set_nonce_internal(operation, nonce, nonce_length); |
5256 | | |
5257 | | /* Exit label is only needed for buffer copying, prevent unused warnings. */ |
5258 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
5259 | 0 | exit: |
5260 | 0 | #endif |
5261 | |
|
5262 | 0 | LOCAL_INPUT_FREE(nonce_external, nonce); |
5263 | |
|
5264 | 0 | return status; |
5265 | 0 | } |
5266 | | |
5267 | | /* Declare the lengths of the message and additional data for multipart AEAD. */ |
5268 | | psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation, |
5269 | | size_t ad_length, |
5270 | | size_t plaintext_length) |
5271 | 0 | { |
5272 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
5273 | |
|
5274 | 0 | if (operation->id == 0) { |
5275 | 0 | status = PSA_ERROR_BAD_STATE; |
5276 | 0 | goto exit; |
5277 | 0 | } |
5278 | | |
5279 | 0 | if (operation->lengths_set || operation->ad_started || |
5280 | 0 | operation->body_started) { |
5281 | 0 | status = PSA_ERROR_BAD_STATE; |
5282 | 0 | goto exit; |
5283 | 0 | } |
5284 | | |
5285 | 0 | switch (operation->alg) { |
5286 | 0 | #if defined(PSA_WANT_ALG_GCM) |
5287 | 0 | case PSA_ALG_GCM: |
5288 | | /* Lengths can only be too large for GCM if size_t is bigger than 32 |
5289 | | * bits. Without the guard this code will generate warnings on 32bit |
5290 | | * builds. */ |
5291 | 0 | #if SIZE_MAX > UINT32_MAX |
5292 | 0 | if (((uint64_t) ad_length) >> 61 != 0 || |
5293 | 0 | ((uint64_t) plaintext_length) > 0xFFFFFFFE0ull) { |
5294 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
5295 | 0 | goto exit; |
5296 | 0 | } |
5297 | 0 | #endif |
5298 | 0 | break; |
5299 | 0 | #endif /* PSA_WANT_ALG_GCM */ |
5300 | 0 | #if defined(PSA_WANT_ALG_CCM) |
5301 | 0 | case PSA_ALG_CCM: |
5302 | 0 | if (ad_length > 0xFF00) { |
5303 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
5304 | 0 | goto exit; |
5305 | 0 | } |
5306 | 0 | break; |
5307 | 0 | #endif /* PSA_WANT_ALG_CCM */ |
5308 | 0 | #if defined(PSA_WANT_ALG_CHACHA20_POLY1305) |
5309 | 0 | case PSA_ALG_CHACHA20_POLY1305: |
5310 | | /* No length restrictions for ChaChaPoly. */ |
5311 | 0 | break; |
5312 | 0 | #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ |
5313 | 0 | default: |
5314 | 0 | break; |
5315 | 0 | } |
5316 | | |
5317 | 0 | status = psa_driver_wrapper_aead_set_lengths(operation, ad_length, |
5318 | 0 | plaintext_length); |
5319 | |
|
5320 | 0 | exit: |
5321 | 0 | if (status == PSA_SUCCESS) { |
5322 | 0 | operation->ad_remaining = ad_length; |
5323 | 0 | operation->body_remaining = plaintext_length; |
5324 | 0 | operation->lengths_set = 1; |
5325 | 0 | } else { |
5326 | 0 | psa_aead_abort(operation); |
5327 | 0 | } |
5328 | |
|
5329 | 0 | return status; |
5330 | 0 | } |
5331 | | |
5332 | | /* Pass additional data to an active multipart AEAD operation. */ |
5333 | | psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation, |
5334 | | const uint8_t *input_external, |
5335 | | size_t input_length) |
5336 | 0 | { |
5337 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
5338 | |
|
5339 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
5340 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
5341 | |
|
5342 | 0 | if (operation->id == 0) { |
5343 | 0 | status = PSA_ERROR_BAD_STATE; |
5344 | 0 | goto exit; |
5345 | 0 | } |
5346 | | |
5347 | 0 | if (!operation->nonce_set || operation->body_started) { |
5348 | 0 | status = PSA_ERROR_BAD_STATE; |
5349 | 0 | goto exit; |
5350 | 0 | } |
5351 | | |
5352 | | /* No input to add (zero length), nothing to do. */ |
5353 | 0 | if (input_length == 0) { |
5354 | 0 | status = PSA_SUCCESS; |
5355 | 0 | goto exit; |
5356 | 0 | } |
5357 | | |
5358 | 0 | if (operation->lengths_set) { |
5359 | 0 | if (operation->ad_remaining < input_length) { |
5360 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
5361 | 0 | goto exit; |
5362 | 0 | } |
5363 | | |
5364 | 0 | operation->ad_remaining -= input_length; |
5365 | 0 | } |
5366 | 0 | #if defined(PSA_WANT_ALG_CCM) |
5367 | 0 | else if (operation->alg == PSA_ALG_CCM) { |
5368 | 0 | status = PSA_ERROR_BAD_STATE; |
5369 | 0 | goto exit; |
5370 | 0 | } |
5371 | 0 | #endif /* PSA_WANT_ALG_CCM */ |
5372 | | |
5373 | 0 | status = psa_driver_wrapper_aead_update_ad(operation, input, |
5374 | 0 | input_length); |
5375 | |
|
5376 | 0 | exit: |
5377 | 0 | if (status == PSA_SUCCESS) { |
5378 | 0 | operation->ad_started = 1; |
5379 | 0 | } else { |
5380 | 0 | psa_aead_abort(operation); |
5381 | 0 | } |
5382 | |
|
5383 | 0 | LOCAL_INPUT_FREE(input_external, input); |
5384 | |
|
5385 | 0 | return status; |
5386 | 0 | } |
5387 | | |
5388 | | /* Encrypt or decrypt a message fragment in an active multipart AEAD |
5389 | | operation.*/ |
5390 | | psa_status_t psa_aead_update(psa_aead_operation_t *operation, |
5391 | | const uint8_t *input_external, |
5392 | | size_t input_length, |
5393 | | uint8_t *output_external, |
5394 | | size_t output_size, |
5395 | | size_t *output_length) |
5396 | 0 | { |
5397 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
5398 | | |
5399 | |
|
5400 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
5401 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
5402 | |
|
5403 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
5404 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_size, output); |
5405 | |
|
5406 | 0 | *output_length = 0; |
5407 | |
|
5408 | 0 | if (operation->id == 0) { |
5409 | 0 | status = PSA_ERROR_BAD_STATE; |
5410 | 0 | goto exit; |
5411 | 0 | } |
5412 | | |
5413 | 0 | if (!operation->nonce_set) { |
5414 | 0 | status = PSA_ERROR_BAD_STATE; |
5415 | 0 | goto exit; |
5416 | 0 | } |
5417 | | |
5418 | 0 | if (operation->lengths_set) { |
5419 | | /* Additional data length was supplied, but not all the additional |
5420 | | data was supplied.*/ |
5421 | 0 | if (operation->ad_remaining != 0) { |
5422 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
5423 | 0 | goto exit; |
5424 | 0 | } |
5425 | | |
5426 | | /* Too much data provided. */ |
5427 | 0 | if (operation->body_remaining < input_length) { |
5428 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
5429 | 0 | goto exit; |
5430 | 0 | } |
5431 | | |
5432 | 0 | operation->body_remaining -= input_length; |
5433 | 0 | } |
5434 | 0 | #if defined(PSA_WANT_ALG_CCM) |
5435 | 0 | else if (operation->alg == PSA_ALG_CCM) { |
5436 | 0 | status = PSA_ERROR_BAD_STATE; |
5437 | 0 | goto exit; |
5438 | 0 | } |
5439 | 0 | #endif /* PSA_WANT_ALG_CCM */ |
5440 | | |
5441 | 0 | status = psa_driver_wrapper_aead_update(operation, input, input_length, |
5442 | 0 | output, output_size, |
5443 | 0 | output_length); |
5444 | |
|
5445 | 0 | exit: |
5446 | 0 | if (status == PSA_SUCCESS) { |
5447 | 0 | operation->body_started = 1; |
5448 | 0 | } else { |
5449 | 0 | psa_aead_abort(operation); |
5450 | 0 | } |
5451 | |
|
5452 | 0 | LOCAL_INPUT_FREE(input_external, input); |
5453 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
5454 | |
|
5455 | 0 | return status; |
5456 | 0 | } |
5457 | | |
5458 | | static psa_status_t psa_aead_final_checks(const psa_aead_operation_t *operation) |
5459 | 0 | { |
5460 | 0 | if (operation->id == 0 || !operation->nonce_set) { |
5461 | 0 | return PSA_ERROR_BAD_STATE; |
5462 | 0 | } |
5463 | | |
5464 | 0 | if (operation->lengths_set && (operation->ad_remaining != 0 || |
5465 | 0 | operation->body_remaining != 0)) { |
5466 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
5467 | 0 | } |
5468 | | |
5469 | 0 | return PSA_SUCCESS; |
5470 | 0 | } |
5471 | | |
5472 | | /* Finish encrypting a message in a multipart AEAD operation. */ |
5473 | | psa_status_t psa_aead_finish(psa_aead_operation_t *operation, |
5474 | | uint8_t *ciphertext_external, |
5475 | | size_t ciphertext_size, |
5476 | | size_t *ciphertext_length, |
5477 | | uint8_t *tag_external, |
5478 | | size_t tag_size, |
5479 | | size_t *tag_length) |
5480 | 0 | { |
5481 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
5482 | |
|
5483 | 0 | LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext); |
5484 | 0 | LOCAL_OUTPUT_DECLARE(tag_external, tag); |
5485 | |
|
5486 | 0 | LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext); |
5487 | 0 | LOCAL_OUTPUT_ALLOC(tag_external, tag_size, tag); |
5488 | |
|
5489 | 0 | *ciphertext_length = 0; |
5490 | 0 | *tag_length = tag_size; |
5491 | |
|
5492 | 0 | status = psa_aead_final_checks(operation); |
5493 | 0 | if (status != PSA_SUCCESS) { |
5494 | 0 | goto exit; |
5495 | 0 | } |
5496 | | |
5497 | 0 | if (!operation->is_encrypt) { |
5498 | 0 | status = PSA_ERROR_BAD_STATE; |
5499 | 0 | goto exit; |
5500 | 0 | } |
5501 | | |
5502 | 0 | status = psa_driver_wrapper_aead_finish(operation, ciphertext, |
5503 | 0 | ciphertext_size, |
5504 | 0 | ciphertext_length, |
5505 | 0 | tag, tag_size, tag_length); |
5506 | |
|
5507 | 0 | exit: |
5508 | | |
5509 | | |
5510 | | /* In case the operation fails and the user fails to check for failure or |
5511 | | * the zero tag size, make sure the tag is set to something implausible. |
5512 | | * Even if the operation succeeds, make sure we clear the rest of the |
5513 | | * buffer to prevent potential leakage of anything previously placed in |
5514 | | * the same buffer.*/ |
5515 | 0 | psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length); |
5516 | |
|
5517 | 0 | psa_aead_abort(operation); |
5518 | |
|
5519 | 0 | LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext); |
5520 | 0 | LOCAL_OUTPUT_FREE(tag_external, tag); |
5521 | |
|
5522 | 0 | return status; |
5523 | 0 | } |
5524 | | |
5525 | | /* Finish authenticating and decrypting a message in a multipart AEAD |
5526 | | operation.*/ |
5527 | | psa_status_t psa_aead_verify(psa_aead_operation_t *operation, |
5528 | | uint8_t *plaintext_external, |
5529 | | size_t plaintext_size, |
5530 | | size_t *plaintext_length, |
5531 | | const uint8_t *tag_external, |
5532 | | size_t tag_length) |
5533 | 0 | { |
5534 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
5535 | |
|
5536 | 0 | LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext); |
5537 | 0 | LOCAL_INPUT_DECLARE(tag_external, tag); |
5538 | |
|
5539 | 0 | LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext); |
5540 | 0 | LOCAL_INPUT_ALLOC(tag_external, tag_length, tag); |
5541 | |
|
5542 | 0 | *plaintext_length = 0; |
5543 | |
|
5544 | 0 | status = psa_aead_final_checks(operation); |
5545 | 0 | if (status != PSA_SUCCESS) { |
5546 | 0 | goto exit; |
5547 | 0 | } |
5548 | | |
5549 | 0 | if (operation->is_encrypt) { |
5550 | 0 | status = PSA_ERROR_BAD_STATE; |
5551 | 0 | goto exit; |
5552 | 0 | } |
5553 | | |
5554 | 0 | status = psa_driver_wrapper_aead_verify(operation, plaintext, |
5555 | 0 | plaintext_size, |
5556 | 0 | plaintext_length, |
5557 | 0 | tag, tag_length); |
5558 | |
|
5559 | 0 | exit: |
5560 | 0 | psa_aead_abort(operation); |
5561 | |
|
5562 | 0 | LOCAL_OUTPUT_FREE(plaintext_external, plaintext); |
5563 | 0 | LOCAL_INPUT_FREE(tag_external, tag); |
5564 | |
|
5565 | 0 | return status; |
5566 | 0 | } |
5567 | | |
5568 | | /* Abort an AEAD operation. */ |
5569 | | psa_status_t psa_aead_abort(psa_aead_operation_t *operation) |
5570 | 0 | { |
5571 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
5572 | |
|
5573 | 0 | if (operation->id == 0) { |
5574 | | /* The object has (apparently) been initialized but it is not (yet) |
5575 | | * in use. It's ok to call abort on such an object, and there's |
5576 | | * nothing to do. */ |
5577 | 0 | return PSA_SUCCESS; |
5578 | 0 | } |
5579 | | |
5580 | 0 | status = psa_driver_wrapper_aead_abort(operation); |
5581 | |
|
5582 | 0 | memset(operation, 0, sizeof(*operation)); |
5583 | |
|
5584 | 0 | return status; |
5585 | 0 | } |
5586 | | |
5587 | | /****************************************************************/ |
5588 | | /* Generators */ |
5589 | | /****************************************************************/ |
5590 | | |
5591 | | #if defined(BUILTIN_ALG_ANY_HKDF) || \ |
5592 | | defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ |
5593 | | defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \ |
5594 | | defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \ |
5595 | | defined(PSA_HAVE_SOFT_PBKDF2) |
5596 | | #define AT_LEAST_ONE_BUILTIN_KDF |
5597 | | #endif /* At least one builtin KDF */ |
5598 | | |
5599 | | #if defined(BUILTIN_ALG_ANY_HKDF) || \ |
5600 | | defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ |
5601 | | defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) |
5602 | | static psa_status_t psa_key_derivation_start_hmac( |
5603 | | psa_mac_operation_t *operation, |
5604 | | psa_algorithm_t hash_alg, |
5605 | | const uint8_t *hmac_key, |
5606 | | size_t hmac_key_length) |
5607 | 0 | { |
5608 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
5609 | 0 | psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; |
5610 | 0 | psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); |
5611 | 0 | psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(hmac_key_length)); |
5612 | 0 | psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); |
5613 | |
|
5614 | 0 | operation->is_sign = 1; |
5615 | 0 | operation->mac_size = PSA_HASH_LENGTH(hash_alg); |
5616 | |
|
5617 | 0 | status = psa_driver_wrapper_mac_sign_setup(operation, |
5618 | 0 | &attributes, |
5619 | 0 | hmac_key, hmac_key_length, |
5620 | 0 | PSA_ALG_HMAC(hash_alg)); |
5621 | |
|
5622 | 0 | psa_reset_key_attributes(&attributes); |
5623 | 0 | return status; |
5624 | 0 | } |
5625 | | #endif /* KDF algorithms reliant on HMAC */ |
5626 | | |
5627 | 0 | #define HKDF_STATE_INIT 0 /* no input yet */ |
5628 | 0 | #define HKDF_STATE_STARTED 1 /* got salt */ |
5629 | 0 | #define HKDF_STATE_KEYED 2 /* got key */ |
5630 | 0 | #define HKDF_STATE_OUTPUT 3 /* output started */ |
5631 | | |
5632 | | static psa_algorithm_t psa_key_derivation_get_kdf_alg( |
5633 | | const psa_key_derivation_operation_t *operation) |
5634 | 0 | { |
5635 | 0 | if (PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) { |
5636 | 0 | return PSA_ALG_KEY_AGREEMENT_GET_KDF(operation->alg); |
5637 | 0 | } else { |
5638 | 0 | return operation->alg; |
5639 | 0 | } |
5640 | 0 | } |
5641 | | |
5642 | | psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation) |
5643 | 0 | { |
5644 | 0 | psa_status_t status = PSA_SUCCESS; |
5645 | 0 | psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation); |
5646 | 0 | if (kdf_alg == 0) { |
5647 | | /* The object has (apparently) been initialized but it is not |
5648 | | * in use. It's ok to call abort on such an object, and there's |
5649 | | * nothing to do. */ |
5650 | 0 | } else |
5651 | 0 | #if defined(BUILTIN_ALG_ANY_HKDF) |
5652 | 0 | if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) { |
5653 | 0 | mbedtls_free(operation->ctx.hkdf.info); |
5654 | 0 | status = psa_mac_abort(&operation->ctx.hkdf.hmac); |
5655 | 0 | } else |
5656 | 0 | #endif /* BUILTIN_ALG_ANY_HKDF */ |
5657 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ |
5658 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) |
5659 | 0 | if (PSA_ALG_IS_TLS12_PRF(kdf_alg) || |
5660 | | /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */ |
5661 | 0 | PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { |
5662 | 0 | if (operation->ctx.tls12_prf.secret != NULL) { |
5663 | 0 | mbedtls_zeroize_and_free(operation->ctx.tls12_prf.secret, |
5664 | 0 | operation->ctx.tls12_prf.secret_length); |
5665 | 0 | } |
5666 | |
|
5667 | 0 | if (operation->ctx.tls12_prf.seed != NULL) { |
5668 | 0 | mbedtls_zeroize_and_free(operation->ctx.tls12_prf.seed, |
5669 | 0 | operation->ctx.tls12_prf.seed_length); |
5670 | 0 | } |
5671 | |
|
5672 | 0 | if (operation->ctx.tls12_prf.label != NULL) { |
5673 | 0 | mbedtls_zeroize_and_free(operation->ctx.tls12_prf.label, |
5674 | 0 | operation->ctx.tls12_prf.label_length); |
5675 | 0 | } |
5676 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) |
5677 | 0 | if (operation->ctx.tls12_prf.other_secret != NULL) { |
5678 | 0 | mbedtls_zeroize_and_free(operation->ctx.tls12_prf.other_secret, |
5679 | 0 | operation->ctx.tls12_prf.other_secret_length); |
5680 | 0 | } |
5681 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ |
5682 | 0 | status = PSA_SUCCESS; |
5683 | | |
5684 | | /* We leave the fields Ai and output_block to be erased safely by the |
5685 | | * mbedtls_platform_zeroize() in the end of this function. */ |
5686 | 0 | } else |
5687 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || |
5688 | | * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */ |
5689 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) |
5690 | 0 | if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { |
5691 | 0 | mbedtls_platform_zeroize(operation->ctx.tls12_ecjpake_to_pms.data, |
5692 | 0 | sizeof(operation->ctx.tls12_ecjpake_to_pms.data)); |
5693 | 0 | } else |
5694 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */ |
5695 | 0 | #if defined(PSA_HAVE_SOFT_PBKDF2) |
5696 | 0 | if (PSA_ALG_IS_PBKDF2(kdf_alg)) { |
5697 | 0 | if (operation->ctx.pbkdf2.salt != NULL) { |
5698 | 0 | mbedtls_zeroize_and_free(operation->ctx.pbkdf2.salt, |
5699 | 0 | operation->ctx.pbkdf2.salt_length); |
5700 | 0 | } |
5701 | |
|
5702 | 0 | status = PSA_SUCCESS; |
5703 | 0 | } else |
5704 | 0 | #endif /* defined(PSA_HAVE_SOFT_PBKDF2) */ |
5705 | 0 | { |
5706 | 0 | status = PSA_ERROR_BAD_STATE; |
5707 | 0 | } |
5708 | 0 | mbedtls_platform_zeroize(operation, sizeof(*operation)); |
5709 | 0 | return status; |
5710 | 0 | } |
5711 | | |
5712 | | psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation, |
5713 | | size_t *capacity) |
5714 | 0 | { |
5715 | 0 | if (operation->alg == 0) { |
5716 | | /* This is a blank key derivation operation. */ |
5717 | 0 | return PSA_ERROR_BAD_STATE; |
5718 | 0 | } |
5719 | | |
5720 | 0 | *capacity = operation->capacity; |
5721 | 0 | return PSA_SUCCESS; |
5722 | 0 | } |
5723 | | |
5724 | | psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t *operation, |
5725 | | size_t capacity) |
5726 | 0 | { |
5727 | 0 | if (operation->alg == 0) { |
5728 | 0 | return PSA_ERROR_BAD_STATE; |
5729 | 0 | } |
5730 | 0 | if (capacity > operation->capacity) { |
5731 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
5732 | 0 | } |
5733 | 0 | operation->capacity = capacity; |
5734 | 0 | return PSA_SUCCESS; |
5735 | 0 | } |
5736 | | |
5737 | | #if defined(BUILTIN_ALG_ANY_HKDF) |
5738 | | /* Read some bytes from an HKDF-based operation. */ |
5739 | | static psa_status_t psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t *hkdf, |
5740 | | psa_algorithm_t kdf_alg, |
5741 | | uint8_t *output, |
5742 | | size_t output_length) |
5743 | 0 | { |
5744 | 0 | psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg); |
5745 | 0 | uint8_t hash_length = PSA_HASH_LENGTH(hash_alg); |
5746 | 0 | size_t hmac_output_length; |
5747 | 0 | psa_status_t status; |
5748 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) |
5749 | 0 | const uint8_t last_block = PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) ? 0 : 0xff; |
5750 | | #else |
5751 | | const uint8_t last_block = 0xff; |
5752 | | #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ |
5753 | |
|
5754 | 0 | if (hkdf->state < HKDF_STATE_KEYED || |
5755 | 0 | (!hkdf->info_set |
5756 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) |
5757 | 0 | && !PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) |
5758 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ |
5759 | 0 | )) { |
5760 | 0 | return PSA_ERROR_BAD_STATE; |
5761 | 0 | } |
5762 | 0 | hkdf->state = HKDF_STATE_OUTPUT; |
5763 | |
|
5764 | 0 | while (output_length != 0) { |
5765 | | /* Copy what remains of the current block */ |
5766 | 0 | uint8_t n = hash_length - hkdf->offset_in_block; |
5767 | 0 | if (n > output_length) { |
5768 | 0 | n = (uint8_t) output_length; |
5769 | 0 | } |
5770 | 0 | memcpy(output, hkdf->output_block + hkdf->offset_in_block, n); |
5771 | 0 | output += n; |
5772 | 0 | output_length -= n; |
5773 | 0 | hkdf->offset_in_block += n; |
5774 | 0 | if (output_length == 0) { |
5775 | 0 | break; |
5776 | 0 | } |
5777 | | /* We can't be wanting more output after the last block, otherwise |
5778 | | * the capacity check in psa_key_derivation_output_bytes() would have |
5779 | | * prevented this call. It could happen only if the operation |
5780 | | * object was corrupted or if this function is called directly |
5781 | | * inside the library. */ |
5782 | 0 | if (hkdf->block_number == last_block) { |
5783 | 0 | return PSA_ERROR_BAD_STATE; |
5784 | 0 | } |
5785 | | |
5786 | | /* We need a new block */ |
5787 | 0 | ++hkdf->block_number; |
5788 | 0 | hkdf->offset_in_block = 0; |
5789 | |
|
5790 | 0 | status = psa_key_derivation_start_hmac(&hkdf->hmac, |
5791 | 0 | hash_alg, |
5792 | 0 | hkdf->prk, |
5793 | 0 | hash_length); |
5794 | 0 | if (status != PSA_SUCCESS) { |
5795 | 0 | return status; |
5796 | 0 | } |
5797 | | |
5798 | 0 | if (hkdf->block_number != 1) { |
5799 | 0 | status = psa_mac_update(&hkdf->hmac, |
5800 | 0 | hkdf->output_block, |
5801 | 0 | hash_length); |
5802 | 0 | if (status != PSA_SUCCESS) { |
5803 | 0 | return status; |
5804 | 0 | } |
5805 | 0 | } |
5806 | 0 | status = psa_mac_update(&hkdf->hmac, |
5807 | 0 | hkdf->info, |
5808 | 0 | hkdf->info_length); |
5809 | 0 | if (status != PSA_SUCCESS) { |
5810 | 0 | return status; |
5811 | 0 | } |
5812 | 0 | status = psa_mac_update(&hkdf->hmac, |
5813 | 0 | &hkdf->block_number, 1); |
5814 | 0 | if (status != PSA_SUCCESS) { |
5815 | 0 | return status; |
5816 | 0 | } |
5817 | 0 | status = psa_mac_sign_finish(&hkdf->hmac, |
5818 | 0 | hkdf->output_block, |
5819 | 0 | sizeof(hkdf->output_block), |
5820 | 0 | &hmac_output_length); |
5821 | 0 | if (status != PSA_SUCCESS) { |
5822 | 0 | return status; |
5823 | 0 | } |
5824 | 0 | } |
5825 | | |
5826 | 0 | return PSA_SUCCESS; |
5827 | 0 | } |
5828 | | #endif /* BUILTIN_ALG_ANY_HKDF */ |
5829 | | |
5830 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ |
5831 | | defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) |
5832 | | static psa_status_t psa_key_derivation_tls12_prf_generate_next_block( |
5833 | | psa_tls12_prf_key_derivation_t *tls12_prf, |
5834 | | psa_algorithm_t alg) |
5835 | 0 | { |
5836 | 0 | psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(alg); |
5837 | 0 | uint8_t hash_length = PSA_HASH_LENGTH(hash_alg); |
5838 | 0 | psa_mac_operation_t hmac = PSA_MAC_OPERATION_INIT; |
5839 | 0 | size_t hmac_output_length; |
5840 | 0 | psa_status_t status, cleanup_status; |
5841 | | |
5842 | | /* We can't be wanting more output after block 0xff, otherwise |
5843 | | * the capacity check in psa_key_derivation_output_bytes() would have |
5844 | | * prevented this call. It could happen only if the operation |
5845 | | * object was corrupted or if this function is called directly |
5846 | | * inside the library. */ |
5847 | 0 | if (tls12_prf->block_number == 0xff) { |
5848 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
5849 | 0 | } |
5850 | | |
5851 | | /* We need a new block */ |
5852 | 0 | ++tls12_prf->block_number; |
5853 | 0 | tls12_prf->left_in_block = hash_length; |
5854 | | |
5855 | | /* Recall the definition of the TLS-1.2-PRF from RFC 5246: |
5856 | | * |
5857 | | * PRF(secret, label, seed) = P_<hash>(secret, label + seed) |
5858 | | * |
5859 | | * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + |
5860 | | * HMAC_hash(secret, A(2) + seed) + |
5861 | | * HMAC_hash(secret, A(3) + seed) + ... |
5862 | | * |
5863 | | * A(0) = seed |
5864 | | * A(i) = HMAC_hash(secret, A(i-1)) |
5865 | | * |
5866 | | * The `psa_tls12_prf_key_derivation` structure saves the block |
5867 | | * `HMAC_hash(secret, A(i) + seed)` from which the output |
5868 | | * is currently extracted as `output_block` and where i is |
5869 | | * `block_number`. |
5870 | | */ |
5871 | |
|
5872 | 0 | status = psa_key_derivation_start_hmac(&hmac, |
5873 | 0 | hash_alg, |
5874 | 0 | tls12_prf->secret, |
5875 | 0 | tls12_prf->secret_length); |
5876 | 0 | if (status != PSA_SUCCESS) { |
5877 | 0 | goto cleanup; |
5878 | 0 | } |
5879 | | |
5880 | | /* Calculate A(i) where i = tls12_prf->block_number. */ |
5881 | 0 | if (tls12_prf->block_number == 1) { |
5882 | | /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads |
5883 | | * the variable seed and in this instance means it in the context of the |
5884 | | * P_hash function, where seed = label + seed.) */ |
5885 | 0 | status = psa_mac_update(&hmac, |
5886 | 0 | tls12_prf->label, |
5887 | 0 | tls12_prf->label_length); |
5888 | 0 | if (status != PSA_SUCCESS) { |
5889 | 0 | goto cleanup; |
5890 | 0 | } |
5891 | 0 | status = psa_mac_update(&hmac, |
5892 | 0 | tls12_prf->seed, |
5893 | 0 | tls12_prf->seed_length); |
5894 | 0 | if (status != PSA_SUCCESS) { |
5895 | 0 | goto cleanup; |
5896 | 0 | } |
5897 | 0 | } else { |
5898 | | /* A(i) = HMAC_hash(secret, A(i-1)) */ |
5899 | 0 | status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length); |
5900 | 0 | if (status != PSA_SUCCESS) { |
5901 | 0 | goto cleanup; |
5902 | 0 | } |
5903 | 0 | } |
5904 | | |
5905 | 0 | status = psa_mac_sign_finish(&hmac, |
5906 | 0 | tls12_prf->Ai, hash_length, |
5907 | 0 | &hmac_output_length); |
5908 | 0 | if (hmac_output_length != hash_length) { |
5909 | 0 | status = PSA_ERROR_CORRUPTION_DETECTED; |
5910 | 0 | } |
5911 | 0 | if (status != PSA_SUCCESS) { |
5912 | 0 | goto cleanup; |
5913 | 0 | } |
5914 | | |
5915 | | /* Calculate HMAC_hash(secret, A(i) + label + seed). */ |
5916 | 0 | status = psa_key_derivation_start_hmac(&hmac, |
5917 | 0 | hash_alg, |
5918 | 0 | tls12_prf->secret, |
5919 | 0 | tls12_prf->secret_length); |
5920 | 0 | if (status != PSA_SUCCESS) { |
5921 | 0 | goto cleanup; |
5922 | 0 | } |
5923 | 0 | status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length); |
5924 | 0 | if (status != PSA_SUCCESS) { |
5925 | 0 | goto cleanup; |
5926 | 0 | } |
5927 | 0 | status = psa_mac_update(&hmac, tls12_prf->label, tls12_prf->label_length); |
5928 | 0 | if (status != PSA_SUCCESS) { |
5929 | 0 | goto cleanup; |
5930 | 0 | } |
5931 | 0 | status = psa_mac_update(&hmac, tls12_prf->seed, tls12_prf->seed_length); |
5932 | 0 | if (status != PSA_SUCCESS) { |
5933 | 0 | goto cleanup; |
5934 | 0 | } |
5935 | 0 | status = psa_mac_sign_finish(&hmac, |
5936 | 0 | tls12_prf->output_block, hash_length, |
5937 | 0 | &hmac_output_length); |
5938 | 0 | if (status != PSA_SUCCESS) { |
5939 | 0 | goto cleanup; |
5940 | 0 | } |
5941 | | |
5942 | | |
5943 | 0 | cleanup: |
5944 | 0 | cleanup_status = psa_mac_abort(&hmac); |
5945 | 0 | if (status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS) { |
5946 | 0 | status = cleanup_status; |
5947 | 0 | } |
5948 | |
|
5949 | 0 | return status; |
5950 | 0 | } |
5951 | | |
5952 | | static psa_status_t psa_key_derivation_tls12_prf_read( |
5953 | | psa_tls12_prf_key_derivation_t *tls12_prf, |
5954 | | psa_algorithm_t alg, |
5955 | | uint8_t *output, |
5956 | | size_t output_length) |
5957 | 0 | { |
5958 | 0 | psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH(alg); |
5959 | 0 | uint8_t hash_length = PSA_HASH_LENGTH(hash_alg); |
5960 | 0 | psa_status_t status; |
5961 | 0 | uint8_t offset, length; |
5962 | |
|
5963 | 0 | switch (tls12_prf->state) { |
5964 | 0 | case PSA_TLS12_PRF_STATE_LABEL_SET: |
5965 | 0 | tls12_prf->state = PSA_TLS12_PRF_STATE_OUTPUT; |
5966 | 0 | break; |
5967 | 0 | case PSA_TLS12_PRF_STATE_OUTPUT: |
5968 | 0 | break; |
5969 | 0 | default: |
5970 | 0 | return PSA_ERROR_BAD_STATE; |
5971 | 0 | } |
5972 | | |
5973 | 0 | while (output_length != 0) { |
5974 | | /* Check if we have fully processed the current block. */ |
5975 | 0 | if (tls12_prf->left_in_block == 0) { |
5976 | 0 | status = psa_key_derivation_tls12_prf_generate_next_block(tls12_prf, |
5977 | 0 | alg); |
5978 | 0 | if (status != PSA_SUCCESS) { |
5979 | 0 | return status; |
5980 | 0 | } |
5981 | | |
5982 | 0 | continue; |
5983 | 0 | } |
5984 | | |
5985 | 0 | if (tls12_prf->left_in_block > output_length) { |
5986 | 0 | length = (uint8_t) output_length; |
5987 | 0 | } else { |
5988 | 0 | length = tls12_prf->left_in_block; |
5989 | 0 | } |
5990 | |
|
5991 | 0 | offset = hash_length - tls12_prf->left_in_block; |
5992 | 0 | memcpy(output, tls12_prf->output_block + offset, length); |
5993 | 0 | output += length; |
5994 | 0 | output_length -= length; |
5995 | 0 | tls12_prf->left_in_block -= length; |
5996 | 0 | } |
5997 | | |
5998 | 0 | return PSA_SUCCESS; |
5999 | 0 | } |
6000 | | #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF || |
6001 | | * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ |
6002 | | |
6003 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) |
6004 | | static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read( |
6005 | | psa_tls12_ecjpake_to_pms_t *ecjpake, |
6006 | | uint8_t *output, |
6007 | | size_t output_length) |
6008 | 0 | { |
6009 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
6010 | 0 | size_t output_size = 0; |
6011 | |
|
6012 | 0 | if (output_length != 32) { |
6013 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6014 | 0 | } |
6015 | | |
6016 | 0 | status = psa_hash_compute(PSA_ALG_SHA_256, ecjpake->data, |
6017 | 0 | PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length, |
6018 | 0 | &output_size); |
6019 | 0 | if (status != PSA_SUCCESS) { |
6020 | 0 | return status; |
6021 | 0 | } |
6022 | | |
6023 | 0 | if (output_size != output_length) { |
6024 | 0 | return PSA_ERROR_GENERIC_ERROR; |
6025 | 0 | } |
6026 | | |
6027 | 0 | return PSA_SUCCESS; |
6028 | 0 | } |
6029 | | #endif |
6030 | | |
6031 | | #if defined(PSA_HAVE_SOFT_PBKDF2) |
6032 | | static psa_status_t psa_key_derivation_pbkdf2_generate_block( |
6033 | | psa_pbkdf2_key_derivation_t *pbkdf2, |
6034 | | psa_algorithm_t prf_alg, |
6035 | | uint8_t prf_output_length, |
6036 | | psa_key_attributes_t *attributes) |
6037 | 0 | { |
6038 | 0 | psa_status_t status; |
6039 | 0 | psa_mac_operation_t mac_operation = PSA_MAC_OPERATION_INIT; |
6040 | 0 | size_t mac_output_length; |
6041 | 0 | uint8_t U_i[PSA_MAC_MAX_SIZE]; |
6042 | 0 | uint8_t *U_accumulator = pbkdf2->output_block; |
6043 | 0 | uint64_t i; |
6044 | 0 | uint8_t block_counter[4]; |
6045 | |
|
6046 | 0 | mac_operation.is_sign = 1; |
6047 | 0 | mac_operation.mac_size = prf_output_length; |
6048 | 0 | MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, block_counter, 0); |
6049 | |
|
6050 | 0 | status = psa_driver_wrapper_mac_sign_setup(&mac_operation, |
6051 | 0 | attributes, |
6052 | 0 | pbkdf2->password, |
6053 | 0 | pbkdf2->password_length, |
6054 | 0 | prf_alg); |
6055 | 0 | if (status != PSA_SUCCESS) { |
6056 | 0 | goto cleanup; |
6057 | 0 | } |
6058 | 0 | status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length); |
6059 | 0 | if (status != PSA_SUCCESS) { |
6060 | 0 | goto cleanup; |
6061 | 0 | } |
6062 | 0 | status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter)); |
6063 | 0 | if (status != PSA_SUCCESS) { |
6064 | 0 | goto cleanup; |
6065 | 0 | } |
6066 | 0 | status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i), |
6067 | 0 | &mac_output_length); |
6068 | 0 | if (status != PSA_SUCCESS) { |
6069 | 0 | goto cleanup; |
6070 | 0 | } |
6071 | | |
6072 | 0 | if (mac_output_length != prf_output_length) { |
6073 | 0 | status = PSA_ERROR_CORRUPTION_DETECTED; |
6074 | 0 | goto cleanup; |
6075 | 0 | } |
6076 | | |
6077 | 0 | memcpy(U_accumulator, U_i, prf_output_length); |
6078 | |
|
6079 | 0 | for (i = 1; i < pbkdf2->input_cost; i++) { |
6080 | | /* We are passing prf_output_length as mac_size because the driver |
6081 | | * function directly sets mac_output_length as mac_size upon success. |
6082 | | * See https://github.com/Mbed-TLS/mbedtls/issues/7801 */ |
6083 | 0 | status = psa_driver_wrapper_mac_compute(attributes, |
6084 | 0 | pbkdf2->password, |
6085 | 0 | pbkdf2->password_length, |
6086 | 0 | prf_alg, U_i, prf_output_length, |
6087 | 0 | U_i, prf_output_length, |
6088 | 0 | &mac_output_length); |
6089 | 0 | if (status != PSA_SUCCESS) { |
6090 | 0 | goto cleanup; |
6091 | 0 | } |
6092 | | |
6093 | 0 | mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length); |
6094 | 0 | } |
6095 | | |
6096 | 0 | cleanup: |
6097 | | /* Zeroise buffers to clear sensitive data from memory. */ |
6098 | 0 | mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE); |
6099 | 0 | return status; |
6100 | 0 | } |
6101 | | |
6102 | | static psa_status_t psa_key_derivation_pbkdf2_read( |
6103 | | psa_pbkdf2_key_derivation_t *pbkdf2, |
6104 | | psa_algorithm_t kdf_alg, |
6105 | | uint8_t *output, |
6106 | | size_t output_length) |
6107 | 0 | { |
6108 | 0 | psa_status_t status; |
6109 | 0 | psa_algorithm_t prf_alg; |
6110 | 0 | uint8_t prf_output_length; |
6111 | 0 | psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; |
6112 | 0 | psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(pbkdf2->password_length)); |
6113 | 0 | psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); |
6114 | |
|
6115 | 0 | if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { |
6116 | 0 | prf_alg = PSA_ALG_HMAC(PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg)); |
6117 | 0 | prf_output_length = PSA_HASH_LENGTH(prf_alg); |
6118 | 0 | psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); |
6119 | 0 | } else if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { |
6120 | 0 | prf_alg = PSA_ALG_CMAC; |
6121 | 0 | prf_output_length = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC); |
6122 | 0 | psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); |
6123 | 0 | } else { |
6124 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6125 | 0 | } |
6126 | | |
6127 | 0 | switch (pbkdf2->state) { |
6128 | 0 | case PSA_PBKDF2_STATE_PASSWORD_SET: |
6129 | | /* Initially we need a new block so bytes_used is equal to block size*/ |
6130 | 0 | pbkdf2->bytes_used = prf_output_length; |
6131 | 0 | pbkdf2->state = PSA_PBKDF2_STATE_OUTPUT; |
6132 | 0 | break; |
6133 | 0 | case PSA_PBKDF2_STATE_OUTPUT: |
6134 | 0 | break; |
6135 | 0 | default: |
6136 | 0 | return PSA_ERROR_BAD_STATE; |
6137 | 0 | } |
6138 | | |
6139 | 0 | while (output_length != 0) { |
6140 | 0 | uint8_t n = prf_output_length - pbkdf2->bytes_used; |
6141 | 0 | if (n > output_length) { |
6142 | 0 | n = (uint8_t) output_length; |
6143 | 0 | } |
6144 | 0 | memcpy(output, pbkdf2->output_block + pbkdf2->bytes_used, n); |
6145 | 0 | output += n; |
6146 | 0 | output_length -= n; |
6147 | 0 | pbkdf2->bytes_used += n; |
6148 | |
|
6149 | 0 | if (output_length == 0) { |
6150 | 0 | break; |
6151 | 0 | } |
6152 | | |
6153 | | /* We need a new block */ |
6154 | 0 | pbkdf2->bytes_used = 0; |
6155 | 0 | pbkdf2->block_number++; |
6156 | |
|
6157 | 0 | status = psa_key_derivation_pbkdf2_generate_block(pbkdf2, prf_alg, |
6158 | 0 | prf_output_length, |
6159 | 0 | &attributes); |
6160 | 0 | if (status != PSA_SUCCESS) { |
6161 | 0 | return status; |
6162 | 0 | } |
6163 | 0 | } |
6164 | | |
6165 | 0 | return PSA_SUCCESS; |
6166 | 0 | } |
6167 | | #endif /* PSA_HAVE_SOFT_PBKDF2 */ |
6168 | | |
6169 | | psa_status_t psa_key_derivation_output_bytes( |
6170 | | psa_key_derivation_operation_t *operation, |
6171 | | uint8_t *output_external, |
6172 | | size_t output_length) |
6173 | 0 | { |
6174 | 0 | psa_status_t status; |
6175 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
6176 | |
|
6177 | 0 | psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation); |
6178 | |
|
6179 | 0 | if (operation->alg == 0) { |
6180 | | /* This is a blank operation. */ |
6181 | 0 | return PSA_ERROR_BAD_STATE; |
6182 | 0 | } |
6183 | | |
6184 | 0 | if (output_length == 0 && operation->capacity == 0) { |
6185 | | /* Edge case: this is a finished operation, and 0 bytes |
6186 | | * were requested. The right error in this case could |
6187 | | * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return |
6188 | | * INSUFFICIENT_CAPACITY, which is right for a finished |
6189 | | * operation, for consistency with the case when |
6190 | | * output_length > 0. */ |
6191 | 0 | return PSA_ERROR_INSUFFICIENT_DATA; |
6192 | 0 | } |
6193 | | |
6194 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_length, output); |
6195 | 0 | if (output_length > operation->capacity) { |
6196 | 0 | operation->capacity = 0; |
6197 | | /* Go through the error path to wipe all confidential data now |
6198 | | * that the operation object is useless. */ |
6199 | 0 | status = PSA_ERROR_INSUFFICIENT_DATA; |
6200 | 0 | goto exit; |
6201 | 0 | } |
6202 | | |
6203 | 0 | operation->capacity -= output_length; |
6204 | |
|
6205 | 0 | #if defined(BUILTIN_ALG_ANY_HKDF) |
6206 | 0 | if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) { |
6207 | 0 | status = psa_key_derivation_hkdf_read(&operation->ctx.hkdf, kdf_alg, |
6208 | 0 | output, output_length); |
6209 | 0 | } else |
6210 | 0 | #endif /* BUILTIN_ALG_ANY_HKDF */ |
6211 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ |
6212 | 0 | defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) |
6213 | 0 | if (PSA_ALG_IS_TLS12_PRF(kdf_alg) || |
6214 | 0 | PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { |
6215 | 0 | status = psa_key_derivation_tls12_prf_read(&operation->ctx.tls12_prf, |
6216 | 0 | kdf_alg, output, |
6217 | 0 | output_length); |
6218 | 0 | } else |
6219 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF || |
6220 | | * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ |
6221 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) |
6222 | 0 | if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { |
6223 | 0 | status = psa_key_derivation_tls12_ecjpake_to_pms_read( |
6224 | 0 | &operation->ctx.tls12_ecjpake_to_pms, output, output_length); |
6225 | 0 | } else |
6226 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ |
6227 | 0 | #if defined(PSA_HAVE_SOFT_PBKDF2) |
6228 | 0 | if (PSA_ALG_IS_PBKDF2(kdf_alg)) { |
6229 | 0 | status = psa_key_derivation_pbkdf2_read(&operation->ctx.pbkdf2, kdf_alg, |
6230 | 0 | output, output_length); |
6231 | 0 | } else |
6232 | 0 | #endif /* PSA_HAVE_SOFT_PBKDF2 */ |
6233 | | |
6234 | 0 | { |
6235 | 0 | (void) kdf_alg; |
6236 | 0 | status = PSA_ERROR_BAD_STATE; |
6237 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
6238 | |
|
6239 | 0 | return status; |
6240 | 0 | } |
6241 | | |
6242 | 0 | exit: |
6243 | 0 | if (status != PSA_SUCCESS) { |
6244 | | /* Preserve the algorithm upon errors, but clear all sensitive state. |
6245 | | * This allows us to differentiate between exhausted operations and |
6246 | | * blank operations, so we can return PSA_ERROR_BAD_STATE on blank |
6247 | | * operations. */ |
6248 | 0 | psa_algorithm_t alg = operation->alg; |
6249 | 0 | psa_key_derivation_abort(operation); |
6250 | 0 | operation->alg = alg; |
6251 | 0 | if (output != NULL) { |
6252 | 0 | memset(output, '!', output_length); |
6253 | 0 | } |
6254 | 0 | } |
6255 | |
|
6256 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
6257 | 0 | return status; |
6258 | 0 | } |
6259 | | |
6260 | | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) |
6261 | | static void psa_des_set_key_parity(uint8_t *data, size_t data_size) |
6262 | 0 | { |
6263 | 0 | if (data_size >= 8) { |
6264 | 0 | mbedtls_des_key_set_parity(data); |
6265 | 0 | } |
6266 | 0 | if (data_size >= 16) { |
6267 | 0 | mbedtls_des_key_set_parity(data + 8); |
6268 | 0 | } |
6269 | 0 | if (data_size >= 24) { |
6270 | 0 | mbedtls_des_key_set_parity(data + 16); |
6271 | 0 | } |
6272 | 0 | } |
6273 | | #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ |
6274 | | |
6275 | | /* |
6276 | | * ECC keys on a Weierstrass elliptic curve require the generation |
6277 | | * of a private key which is an integer |
6278 | | * in the range [1, N - 1], where N is the boundary of the private key domain: |
6279 | | * N is the prime p for Diffie-Hellman, or the order of the |
6280 | | * curve’s base point for ECC. |
6281 | | * |
6282 | | * Let m be the bit size of N, such that 2^m > N >= 2^(m-1). |
6283 | | * This function generates the private key using the following process: |
6284 | | * |
6285 | | * 1. Draw a byte string of length ceiling(m/8) bytes. |
6286 | | * 2. If m is not a multiple of 8, set the most significant |
6287 | | * (8 * ceiling(m/8) - m) bits of the first byte in the string to zero. |
6288 | | * 3. Convert the string to integer k by decoding it as a big-endian byte string. |
6289 | | * 4. If k > N - 2, discard the result and return to step 1. |
6290 | | * 5. Output k + 1 as the private key. |
6291 | | * |
6292 | | * This method allows compliance to NIST standards, specifically the methods titled |
6293 | | * Key-Pair Generation by Testing Candidates in the following publications: |
6294 | | * - NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment |
6295 | | * Schemes Using Discrete Logarithm Cryptography [SP800-56A] §5.6.1.1.4 for |
6296 | | * Diffie-Hellman keys. |
6297 | | * |
6298 | | * - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature |
6299 | | * Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys. |
6300 | | * |
6301 | | * Note: Function allocates memory for *data buffer, so given *data should be |
6302 | | * always NULL. |
6303 | | */ |
6304 | | #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) |
6305 | | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) |
6306 | | static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( |
6307 | | psa_key_slot_t *slot, |
6308 | | size_t bits, |
6309 | | psa_key_derivation_operation_t *operation, |
6310 | | uint8_t **data |
6311 | | ) |
6312 | 0 | { |
6313 | 0 | unsigned key_out_of_range = 1; |
6314 | 0 | mbedtls_mpi k; |
6315 | 0 | mbedtls_mpi diff_N_2; |
6316 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
6317 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
6318 | 0 | size_t m; |
6319 | 0 | size_t m_bytes; |
6320 | |
|
6321 | 0 | mbedtls_mpi_init(&k); |
6322 | 0 | mbedtls_mpi_init(&diff_N_2); |
6323 | |
|
6324 | 0 | psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( |
6325 | 0 | slot->attr.type); |
6326 | 0 | mbedtls_ecp_group_id grp_id = |
6327 | 0 | mbedtls_ecc_group_from_psa(curve, bits); |
6328 | |
|
6329 | 0 | if (grp_id == MBEDTLS_ECP_DP_NONE) { |
6330 | 0 | ret = MBEDTLS_ERR_ASN1_INVALID_DATA; |
6331 | 0 | goto cleanup; |
6332 | 0 | } |
6333 | | |
6334 | 0 | mbedtls_ecp_group ecp_group; |
6335 | 0 | mbedtls_ecp_group_init(&ecp_group); |
6336 | |
|
6337 | 0 | MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ecp_group, grp_id)); |
6338 | | |
6339 | | /* N is the boundary of the private key domain (ecp_group.N). */ |
6340 | | /* Let m be the bit size of N. */ |
6341 | 0 | m = ecp_group.nbits; |
6342 | |
|
6343 | 0 | m_bytes = PSA_BITS_TO_BYTES(m); |
6344 | | |
6345 | | /* Calculate N - 2 - it will be needed later. */ |
6346 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&diff_N_2, &ecp_group.N, 2)); |
6347 | | |
6348 | | /* Note: This function is always called with *data == NULL and it |
6349 | | * allocates memory for the data buffer. */ |
6350 | 0 | *data = mbedtls_calloc(1, m_bytes); |
6351 | 0 | if (*data == NULL) { |
6352 | 0 | ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED; |
6353 | 0 | goto cleanup; |
6354 | 0 | } |
6355 | | |
6356 | 0 | while (key_out_of_range) { |
6357 | | /* 1. Draw a byte string of length ceiling(m/8) bytes. */ |
6358 | 0 | if ((status = psa_key_derivation_output_bytes(operation, *data, m_bytes)) != 0) { |
6359 | 0 | goto cleanup; |
6360 | 0 | } |
6361 | | |
6362 | | /* 2. If m is not a multiple of 8 */ |
6363 | 0 | if (m % 8 != 0) { |
6364 | | /* Set the most significant |
6365 | | * (8 * ceiling(m/8) - m) bits of the first byte in |
6366 | | * the string to zero. |
6367 | | */ |
6368 | 0 | uint8_t clear_bit_mask = (1 << (m % 8)) - 1; |
6369 | 0 | (*data)[0] &= clear_bit_mask; |
6370 | 0 | } |
6371 | | |
6372 | | /* 3. Convert the string to integer k by decoding it as a |
6373 | | * big-endian byte string. |
6374 | | */ |
6375 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&k, *data, m_bytes)); |
6376 | | |
6377 | | /* 4. If k > N - 2, discard the result and return to step 1. |
6378 | | * Result of comparison is returned. When it indicates error |
6379 | | * then this function is called again. |
6380 | | */ |
6381 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_lt_mpi_ct(&diff_N_2, &k, &key_out_of_range)); |
6382 | 0 | } |
6383 | | |
6384 | | /* 5. Output k + 1 as the private key. */ |
6385 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&k, &k, 1)); |
6386 | 0 | MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&k, *data, m_bytes)); |
6387 | 0 | cleanup: |
6388 | 0 | if (ret != 0) { |
6389 | 0 | status = mbedtls_to_psa_error(ret); |
6390 | 0 | } |
6391 | 0 | if (status != PSA_SUCCESS) { |
6392 | 0 | mbedtls_free(*data); |
6393 | 0 | *data = NULL; |
6394 | 0 | } |
6395 | 0 | mbedtls_mpi_free(&k); |
6396 | 0 | mbedtls_mpi_free(&diff_N_2); |
6397 | 0 | return status; |
6398 | 0 | } |
6399 | | |
6400 | | /* ECC keys on a Montgomery elliptic curve draws a byte string whose length |
6401 | | * is determined by the curve, and sets the mandatory bits accordingly. That is: |
6402 | | * |
6403 | | * - Curve25519 (PSA_ECC_FAMILY_MONTGOMERY, 255 bits): |
6404 | | * draw a 32-byte string and process it as specified in |
6405 | | * Elliptic Curves for Security [RFC7748] §5. |
6406 | | * |
6407 | | * - Curve448 (PSA_ECC_FAMILY_MONTGOMERY, 448 bits): |
6408 | | * draw a 56-byte string and process it as specified in [RFC7748] §5. |
6409 | | * |
6410 | | * Note: Function allocates memory for *data buffer, so given *data should be |
6411 | | * always NULL. |
6412 | | */ |
6413 | | |
6414 | | static psa_status_t psa_generate_derived_ecc_key_montgomery_helper( |
6415 | | size_t bits, |
6416 | | psa_key_derivation_operation_t *operation, |
6417 | | uint8_t **data |
6418 | | ) |
6419 | 0 | { |
6420 | 0 | size_t output_length; |
6421 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
6422 | |
|
6423 | 0 | switch (bits) { |
6424 | 0 | case 255: |
6425 | 0 | output_length = 32; |
6426 | 0 | break; |
6427 | 0 | case 448: |
6428 | 0 | output_length = 56; |
6429 | 0 | break; |
6430 | 0 | default: |
6431 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6432 | 0 | break; |
6433 | 0 | } |
6434 | | |
6435 | 0 | *data = mbedtls_calloc(1, output_length); |
6436 | |
|
6437 | 0 | if (*data == NULL) { |
6438 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
6439 | 0 | } |
6440 | | |
6441 | 0 | status = psa_key_derivation_output_bytes(operation, *data, output_length); |
6442 | |
|
6443 | 0 | if (status != PSA_SUCCESS) { |
6444 | 0 | return status; |
6445 | 0 | } |
6446 | | |
6447 | 0 | switch (bits) { |
6448 | 0 | case 255: |
6449 | 0 | (*data)[0] &= 248; |
6450 | 0 | (*data)[31] &= 127; |
6451 | 0 | (*data)[31] |= 64; |
6452 | 0 | break; |
6453 | 0 | case 448: |
6454 | 0 | (*data)[0] &= 252; |
6455 | 0 | (*data)[55] |= 128; |
6456 | 0 | break; |
6457 | 0 | default: |
6458 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
6459 | 0 | break; |
6460 | 0 | } |
6461 | | |
6462 | 0 | return status; |
6463 | 0 | } |
6464 | | #else /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */ |
6465 | | static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( |
6466 | | psa_key_slot_t *slot, size_t bits, |
6467 | | psa_key_derivation_operation_t *operation, uint8_t **data) |
6468 | | { |
6469 | | (void) slot; |
6470 | | (void) bits; |
6471 | | (void) operation; |
6472 | | (void) data; |
6473 | | return PSA_ERROR_NOT_SUPPORTED; |
6474 | | } |
6475 | | |
6476 | | static psa_status_t psa_generate_derived_ecc_key_montgomery_helper( |
6477 | | size_t bits, psa_key_derivation_operation_t *operation, uint8_t **data) |
6478 | | { |
6479 | | (void) bits; |
6480 | | (void) operation; |
6481 | | (void) data; |
6482 | | return PSA_ERROR_NOT_SUPPORTED; |
6483 | | } |
6484 | | #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */ |
6485 | | #endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE */ |
6486 | | |
6487 | | static psa_status_t psa_generate_derived_key_internal( |
6488 | | psa_key_slot_t *slot, |
6489 | | size_t bits, |
6490 | | psa_key_derivation_operation_t *operation) |
6491 | 0 | { |
6492 | 0 | uint8_t *data = NULL; |
6493 | 0 | size_t bytes = PSA_BITS_TO_BYTES(bits); |
6494 | 0 | size_t storage_size = bytes; |
6495 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
6496 | |
|
6497 | 0 | if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) { |
6498 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6499 | 0 | } |
6500 | | |
6501 | 0 | #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \ |
6502 | 0 | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) |
6503 | 0 | if (PSA_KEY_TYPE_IS_ECC(slot->attr.type)) { |
6504 | 0 | psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(slot->attr.type); |
6505 | 0 | if (PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) { |
6506 | | /* Weierstrass elliptic curve */ |
6507 | 0 | status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data); |
6508 | 0 | if (status != PSA_SUCCESS) { |
6509 | 0 | goto exit; |
6510 | 0 | } |
6511 | 0 | } else { |
6512 | | /* Montgomery elliptic curve */ |
6513 | 0 | status = psa_generate_derived_ecc_key_montgomery_helper(bits, operation, &data); |
6514 | 0 | if (status != PSA_SUCCESS) { |
6515 | 0 | goto exit; |
6516 | 0 | } |
6517 | 0 | } |
6518 | 0 | } else |
6519 | 0 | #endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || |
6520 | | defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) */ |
6521 | 0 | if (key_type_is_raw_bytes(slot->attr.type)) { |
6522 | 0 | if (bits % 8 != 0) { |
6523 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6524 | 0 | } |
6525 | 0 | data = mbedtls_calloc(1, bytes); |
6526 | 0 | if (data == NULL) { |
6527 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
6528 | 0 | } |
6529 | | |
6530 | 0 | status = psa_key_derivation_output_bytes(operation, data, bytes); |
6531 | 0 | if (status != PSA_SUCCESS) { |
6532 | 0 | goto exit; |
6533 | 0 | } |
6534 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) |
6535 | 0 | if (slot->attr.type == PSA_KEY_TYPE_DES) { |
6536 | 0 | psa_des_set_key_parity(data, bytes); |
6537 | 0 | } |
6538 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) */ |
6539 | 0 | } else { |
6540 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
6541 | 0 | } |
6542 | | |
6543 | 0 | slot->attr.bits = (psa_key_bits_t) bits; |
6544 | |
|
6545 | 0 | if (psa_key_lifetime_is_external(slot->attr.lifetime)) { |
6546 | 0 | status = psa_driver_wrapper_get_key_buffer_size(&slot->attr, |
6547 | 0 | &storage_size); |
6548 | 0 | if (status != PSA_SUCCESS) { |
6549 | 0 | goto exit; |
6550 | 0 | } |
6551 | 0 | } |
6552 | 0 | status = psa_allocate_buffer_to_slot(slot, storage_size); |
6553 | 0 | if (status != PSA_SUCCESS) { |
6554 | 0 | goto exit; |
6555 | 0 | } |
6556 | | |
6557 | 0 | status = psa_driver_wrapper_import_key(&slot->attr, |
6558 | 0 | data, bytes, |
6559 | 0 | slot->key.data, |
6560 | 0 | slot->key.bytes, |
6561 | 0 | &slot->key.bytes, &bits); |
6562 | 0 | if (bits != slot->attr.bits) { |
6563 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
6564 | 0 | } |
6565 | |
|
6566 | 0 | exit: |
6567 | 0 | mbedtls_free(data); |
6568 | 0 | return status; |
6569 | 0 | } |
6570 | | |
6571 | | static const psa_custom_key_parameters_t default_custom_production = |
6572 | | PSA_CUSTOM_KEY_PARAMETERS_INIT; |
6573 | | |
6574 | | int psa_custom_key_parameters_are_default( |
6575 | | const psa_custom_key_parameters_t *custom, |
6576 | | size_t custom_data_length) |
6577 | 0 | { |
6578 | 0 | if (custom->flags != 0) { |
6579 | 0 | return 0; |
6580 | 0 | } |
6581 | 0 | if (custom_data_length != 0) { |
6582 | 0 | return 0; |
6583 | 0 | } |
6584 | 0 | return 1; |
6585 | 0 | } |
6586 | | |
6587 | | psa_status_t psa_key_derivation_output_key_custom( |
6588 | | const psa_key_attributes_t *attributes, |
6589 | | psa_key_derivation_operation_t *operation, |
6590 | | const psa_custom_key_parameters_t *custom, |
6591 | | const uint8_t *custom_data, |
6592 | | size_t custom_data_length, |
6593 | | mbedtls_svc_key_id_t *key) |
6594 | 0 | { |
6595 | 0 | psa_status_t status; |
6596 | 0 | psa_key_slot_t *slot = NULL; |
6597 | 0 | psa_se_drv_table_entry_t *driver = NULL; |
6598 | |
|
6599 | 0 | *key = MBEDTLS_SVC_KEY_ID_INIT; |
6600 | | |
6601 | | /* Reject any attempt to create a zero-length key so that we don't |
6602 | | * risk tripping up later, e.g. on a malloc(0) that returns NULL. */ |
6603 | 0 | if (psa_get_key_bits(attributes) == 0) { |
6604 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6605 | 0 | } |
6606 | | |
6607 | 0 | (void) custom_data; /* We only accept 0-length data */ |
6608 | 0 | if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) { |
6609 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6610 | 0 | } |
6611 | | |
6612 | 0 | if (operation->alg == PSA_ALG_NONE) { |
6613 | 0 | return PSA_ERROR_BAD_STATE; |
6614 | 0 | } |
6615 | | |
6616 | 0 | if (!operation->can_output_key) { |
6617 | 0 | return PSA_ERROR_NOT_PERMITTED; |
6618 | 0 | } |
6619 | | |
6620 | 0 | status = psa_start_key_creation(PSA_KEY_CREATION_DERIVE, attributes, |
6621 | 0 | &slot, &driver); |
6622 | 0 | #if defined(MBEDTLS_PSA_CRYPTO_SE_C) |
6623 | 0 | if (driver != NULL) { |
6624 | | /* Deriving a key in a secure element is not implemented yet. */ |
6625 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
6626 | 0 | } |
6627 | 0 | #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ |
6628 | 0 | if (status == PSA_SUCCESS) { |
6629 | 0 | status = psa_generate_derived_key_internal(slot, |
6630 | 0 | attributes->bits, |
6631 | 0 | operation); |
6632 | 0 | } |
6633 | 0 | if (status == PSA_SUCCESS) { |
6634 | 0 | status = psa_finish_key_creation(slot, driver, key); |
6635 | 0 | } |
6636 | 0 | if (status != PSA_SUCCESS) { |
6637 | 0 | psa_fail_key_creation(slot, driver); |
6638 | 0 | } |
6639 | |
|
6640 | 0 | return status; |
6641 | 0 | } |
6642 | | |
6643 | | psa_status_t psa_key_derivation_output_key_ext( |
6644 | | const psa_key_attributes_t *attributes, |
6645 | | psa_key_derivation_operation_t *operation, |
6646 | | const psa_key_production_parameters_t *params, |
6647 | | size_t params_data_length, |
6648 | | mbedtls_svc_key_id_t *key) |
6649 | 0 | { |
6650 | 0 | return psa_key_derivation_output_key_custom( |
6651 | 0 | attributes, operation, |
6652 | 0 | (const psa_custom_key_parameters_t *) params, |
6653 | 0 | params->data, params_data_length, |
6654 | 0 | key); |
6655 | 0 | } |
6656 | | |
6657 | | psa_status_t psa_key_derivation_output_key( |
6658 | | const psa_key_attributes_t *attributes, |
6659 | | psa_key_derivation_operation_t *operation, |
6660 | | mbedtls_svc_key_id_t *key) |
6661 | 0 | { |
6662 | 0 | return psa_key_derivation_output_key_custom(attributes, operation, |
6663 | 0 | &default_custom_production, |
6664 | 0 | NULL, 0, |
6665 | 0 | key); |
6666 | 0 | } |
6667 | | |
6668 | | |
6669 | | /****************************************************************/ |
6670 | | /* Key derivation */ |
6671 | | /****************************************************************/ |
6672 | | |
6673 | | #if defined(AT_LEAST_ONE_BUILTIN_KDF) |
6674 | | static int is_kdf_alg_supported(psa_algorithm_t kdf_alg) |
6675 | 0 | { |
6676 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) |
6677 | 0 | if (PSA_ALG_IS_HKDF(kdf_alg)) { |
6678 | 0 | return 1; |
6679 | 0 | } |
6680 | 0 | #endif |
6681 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) |
6682 | 0 | if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { |
6683 | 0 | return 1; |
6684 | 0 | } |
6685 | 0 | #endif |
6686 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) |
6687 | 0 | if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) { |
6688 | 0 | return 1; |
6689 | 0 | } |
6690 | 0 | #endif |
6691 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) |
6692 | 0 | if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) { |
6693 | 0 | return 1; |
6694 | 0 | } |
6695 | 0 | #endif |
6696 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) |
6697 | 0 | if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { |
6698 | 0 | return 1; |
6699 | 0 | } |
6700 | 0 | #endif |
6701 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) |
6702 | 0 | if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { |
6703 | 0 | return 1; |
6704 | 0 | } |
6705 | 0 | #endif |
6706 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC) |
6707 | 0 | if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { |
6708 | 0 | return 1; |
6709 | 0 | } |
6710 | 0 | #endif |
6711 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128) |
6712 | 0 | if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { |
6713 | 0 | return 1; |
6714 | 0 | } |
6715 | 0 | #endif |
6716 | 0 | return 0; |
6717 | 0 | } |
6718 | | |
6719 | | static psa_status_t psa_hash_try_support(psa_algorithm_t alg) |
6720 | 0 | { |
6721 | 0 | psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; |
6722 | 0 | psa_status_t status = psa_hash_setup(&operation, alg); |
6723 | 0 | psa_hash_abort(&operation); |
6724 | 0 | return status; |
6725 | 0 | } |
6726 | | |
6727 | | static psa_status_t psa_key_derivation_set_maximum_capacity( |
6728 | | psa_key_derivation_operation_t *operation, |
6729 | | psa_algorithm_t kdf_alg) |
6730 | 0 | { |
6731 | 0 | #if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) |
6732 | 0 | if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { |
6733 | 0 | operation->capacity = PSA_HASH_LENGTH(PSA_ALG_SHA_256); |
6734 | 0 | return PSA_SUCCESS; |
6735 | 0 | } |
6736 | 0 | #endif |
6737 | 0 | #if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) |
6738 | 0 | if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { |
6739 | 0 | #if (SIZE_MAX > UINT32_MAX) |
6740 | 0 | operation->capacity = UINT32_MAX * (size_t) PSA_MAC_LENGTH( |
6741 | 0 | PSA_KEY_TYPE_AES, |
6742 | 0 | 128U, |
6743 | 0 | PSA_ALG_CMAC); |
6744 | | #else |
6745 | | operation->capacity = SIZE_MAX; |
6746 | | #endif |
6747 | 0 | return PSA_SUCCESS; |
6748 | 0 | } |
6749 | 0 | #endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */ |
6750 | | |
6751 | | /* After this point, if kdf_alg is not valid then value of hash_alg may be |
6752 | | * invalid or meaningless but it does not affect this function */ |
6753 | 0 | psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(kdf_alg); |
6754 | 0 | size_t hash_size = PSA_HASH_LENGTH(hash_alg); |
6755 | 0 | if (hash_size == 0) { |
6756 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
6757 | 0 | } |
6758 | | |
6759 | | /* Make sure that hash_alg is a supported hash algorithm. Otherwise |
6760 | | * we might fail later, which is somewhat unfriendly and potentially |
6761 | | * risk-prone. */ |
6762 | 0 | psa_status_t status = psa_hash_try_support(hash_alg); |
6763 | 0 | if (status != PSA_SUCCESS) { |
6764 | 0 | return status; |
6765 | 0 | } |
6766 | | |
6767 | 0 | #if defined(PSA_WANT_ALG_HKDF) |
6768 | 0 | if (PSA_ALG_IS_HKDF(kdf_alg)) { |
6769 | 0 | operation->capacity = 255 * hash_size; |
6770 | 0 | } else |
6771 | 0 | #endif |
6772 | 0 | #if defined(PSA_WANT_ALG_HKDF_EXTRACT) |
6773 | 0 | if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { |
6774 | 0 | operation->capacity = hash_size; |
6775 | 0 | } else |
6776 | 0 | #endif |
6777 | 0 | #if defined(PSA_WANT_ALG_HKDF_EXPAND) |
6778 | 0 | if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) { |
6779 | 0 | operation->capacity = 255 * hash_size; |
6780 | 0 | } else |
6781 | 0 | #endif |
6782 | 0 | #if defined(PSA_WANT_ALG_TLS12_PRF) |
6783 | 0 | if (PSA_ALG_IS_TLS12_PRF(kdf_alg) && |
6784 | 0 | (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) { |
6785 | 0 | operation->capacity = SIZE_MAX; |
6786 | 0 | } else |
6787 | 0 | #endif |
6788 | 0 | #if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) |
6789 | 0 | if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg) && |
6790 | 0 | (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) { |
6791 | | /* Master Secret is always 48 bytes |
6792 | | * https://datatracker.ietf.org/doc/html/rfc5246.html#section-8.1 */ |
6793 | 0 | operation->capacity = 48U; |
6794 | 0 | } else |
6795 | 0 | #endif |
6796 | 0 | #if defined(PSA_WANT_ALG_PBKDF2_HMAC) |
6797 | 0 | if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { |
6798 | 0 | #if (SIZE_MAX > UINT32_MAX) |
6799 | 0 | operation->capacity = UINT32_MAX * hash_size; |
6800 | | #else |
6801 | | operation->capacity = SIZE_MAX; |
6802 | | #endif |
6803 | 0 | } else |
6804 | 0 | #endif /* PSA_WANT_ALG_PBKDF2_HMAC */ |
6805 | 0 | { |
6806 | 0 | (void) hash_size; |
6807 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
6808 | 0 | } |
6809 | 0 | return status; |
6810 | 0 | } |
6811 | | |
6812 | | static psa_status_t psa_key_derivation_setup_kdf( |
6813 | | psa_key_derivation_operation_t *operation, |
6814 | | psa_algorithm_t kdf_alg) |
6815 | 0 | { |
6816 | | /* Make sure that operation->ctx is properly zero-initialised. (Macro |
6817 | | * initialisers for this union leave some bytes unspecified.) */ |
6818 | 0 | memset(&operation->ctx, 0, sizeof(operation->ctx)); |
6819 | | |
6820 | | /* Make sure that kdf_alg is a supported key derivation algorithm. */ |
6821 | 0 | if (!is_kdf_alg_supported(kdf_alg)) { |
6822 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
6823 | 0 | } |
6824 | | |
6825 | 0 | psa_status_t status = psa_key_derivation_set_maximum_capacity(operation, |
6826 | 0 | kdf_alg); |
6827 | 0 | return status; |
6828 | 0 | } |
6829 | | |
6830 | | static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg) |
6831 | 0 | { |
6832 | 0 | #if defined(PSA_WANT_ALG_ECDH) |
6833 | 0 | if (alg == PSA_ALG_ECDH) { |
6834 | 0 | return PSA_SUCCESS; |
6835 | 0 | } |
6836 | 0 | #endif |
6837 | 0 | #if defined(PSA_WANT_ALG_FFDH) |
6838 | 0 | if (alg == PSA_ALG_FFDH) { |
6839 | 0 | return PSA_SUCCESS; |
6840 | 0 | } |
6841 | 0 | #endif |
6842 | 0 | (void) alg; |
6843 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
6844 | 0 | } |
6845 | | |
6846 | | static int psa_key_derivation_allows_free_form_secret_input( |
6847 | | psa_algorithm_t kdf_alg) |
6848 | 0 | { |
6849 | 0 | #if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) |
6850 | 0 | if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { |
6851 | 0 | return 0; |
6852 | 0 | } |
6853 | 0 | #endif |
6854 | 0 | (void) kdf_alg; |
6855 | 0 | return 1; |
6856 | 0 | } |
6857 | | #endif /* AT_LEAST_ONE_BUILTIN_KDF */ |
6858 | | |
6859 | | psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation, |
6860 | | psa_algorithm_t alg) |
6861 | 0 | { |
6862 | 0 | psa_status_t status; |
6863 | |
|
6864 | 0 | if (operation->alg != 0) { |
6865 | 0 | return PSA_ERROR_BAD_STATE; |
6866 | 0 | } |
6867 | | |
6868 | 0 | if (PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) { |
6869 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6870 | 0 | } else if (PSA_ALG_IS_KEY_AGREEMENT(alg)) { |
6871 | 0 | #if defined(AT_LEAST_ONE_BUILTIN_KDF) |
6872 | 0 | psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF(alg); |
6873 | 0 | psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(alg); |
6874 | 0 | status = psa_key_agreement_try_support(ka_alg); |
6875 | 0 | if (status != PSA_SUCCESS) { |
6876 | 0 | return status; |
6877 | 0 | } |
6878 | 0 | if (!psa_key_derivation_allows_free_form_secret_input(kdf_alg)) { |
6879 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6880 | 0 | } |
6881 | 0 | status = psa_key_derivation_setup_kdf(operation, kdf_alg); |
6882 | | #else |
6883 | | return PSA_ERROR_NOT_SUPPORTED; |
6884 | | #endif /* AT_LEAST_ONE_BUILTIN_KDF */ |
6885 | 0 | } else if (PSA_ALG_IS_KEY_DERIVATION(alg)) { |
6886 | 0 | #if defined(AT_LEAST_ONE_BUILTIN_KDF) |
6887 | 0 | status = psa_key_derivation_setup_kdf(operation, alg); |
6888 | | #else |
6889 | | return PSA_ERROR_NOT_SUPPORTED; |
6890 | | #endif /* AT_LEAST_ONE_BUILTIN_KDF */ |
6891 | 0 | } else { |
6892 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6893 | 0 | } |
6894 | | |
6895 | 0 | if (status == PSA_SUCCESS) { |
6896 | 0 | operation->alg = alg; |
6897 | 0 | } |
6898 | 0 | return status; |
6899 | 0 | } |
6900 | | |
6901 | | #if defined(BUILTIN_ALG_ANY_HKDF) |
6902 | | static psa_status_t psa_hkdf_input(psa_hkdf_key_derivation_t *hkdf, |
6903 | | psa_algorithm_t kdf_alg, |
6904 | | psa_key_derivation_step_t step, |
6905 | | const uint8_t *data, |
6906 | | size_t data_length) |
6907 | 0 | { |
6908 | 0 | psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg); |
6909 | 0 | psa_status_t status; |
6910 | 0 | switch (step) { |
6911 | 0 | case PSA_KEY_DERIVATION_INPUT_SALT: |
6912 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) |
6913 | 0 | if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) { |
6914 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6915 | 0 | } |
6916 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */ |
6917 | 0 | if (hkdf->state != HKDF_STATE_INIT) { |
6918 | 0 | return PSA_ERROR_BAD_STATE; |
6919 | 0 | } else { |
6920 | 0 | status = psa_key_derivation_start_hmac(&hkdf->hmac, |
6921 | 0 | hash_alg, |
6922 | 0 | data, data_length); |
6923 | 0 | if (status != PSA_SUCCESS) { |
6924 | 0 | return status; |
6925 | 0 | } |
6926 | 0 | hkdf->state = HKDF_STATE_STARTED; |
6927 | 0 | return PSA_SUCCESS; |
6928 | 0 | } |
6929 | 0 | case PSA_KEY_DERIVATION_INPUT_SECRET: |
6930 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) |
6931 | 0 | if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) { |
6932 | | /* We shouldn't be in different state as HKDF_EXPAND only allows |
6933 | | * two inputs: SECRET (this case) and INFO which does not modify |
6934 | | * the state. It could happen only if the hkdf |
6935 | | * object was corrupted. */ |
6936 | 0 | if (hkdf->state != HKDF_STATE_INIT) { |
6937 | 0 | return PSA_ERROR_BAD_STATE; |
6938 | 0 | } |
6939 | | |
6940 | | /* Allow only input that fits expected prk size */ |
6941 | 0 | if (data_length != PSA_HASH_LENGTH(hash_alg)) { |
6942 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
6943 | 0 | } |
6944 | | |
6945 | 0 | memcpy(hkdf->prk, data, data_length); |
6946 | 0 | } else |
6947 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */ |
6948 | 0 | { |
6949 | | /* HKDF: If no salt was provided, use an empty salt. |
6950 | | * HKDF-EXTRACT: salt is mandatory. */ |
6951 | 0 | if (hkdf->state == HKDF_STATE_INIT) { |
6952 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) |
6953 | 0 | if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { |
6954 | 0 | return PSA_ERROR_BAD_STATE; |
6955 | 0 | } |
6956 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ |
6957 | 0 | status = psa_key_derivation_start_hmac(&hkdf->hmac, |
6958 | 0 | hash_alg, |
6959 | 0 | NULL, 0); |
6960 | 0 | if (status != PSA_SUCCESS) { |
6961 | 0 | return status; |
6962 | 0 | } |
6963 | 0 | hkdf->state = HKDF_STATE_STARTED; |
6964 | 0 | } |
6965 | 0 | if (hkdf->state != HKDF_STATE_STARTED) { |
6966 | 0 | return PSA_ERROR_BAD_STATE; |
6967 | 0 | } |
6968 | 0 | status = psa_mac_update(&hkdf->hmac, |
6969 | 0 | data, data_length); |
6970 | 0 | if (status != PSA_SUCCESS) { |
6971 | 0 | return status; |
6972 | 0 | } |
6973 | 0 | status = psa_mac_sign_finish(&hkdf->hmac, |
6974 | 0 | hkdf->prk, |
6975 | 0 | sizeof(hkdf->prk), |
6976 | 0 | &data_length); |
6977 | 0 | if (status != PSA_SUCCESS) { |
6978 | 0 | return status; |
6979 | 0 | } |
6980 | 0 | } |
6981 | | |
6982 | 0 | hkdf->state = HKDF_STATE_KEYED; |
6983 | 0 | hkdf->block_number = 0; |
6984 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) |
6985 | 0 | if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { |
6986 | | /* The only block of output is the PRK. */ |
6987 | 0 | memcpy(hkdf->output_block, hkdf->prk, PSA_HASH_LENGTH(hash_alg)); |
6988 | 0 | hkdf->offset_in_block = 0; |
6989 | 0 | } else |
6990 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ |
6991 | 0 | { |
6992 | | /* Block 0 is empty, and the next block will be |
6993 | | * generated by psa_key_derivation_hkdf_read(). */ |
6994 | 0 | hkdf->offset_in_block = PSA_HASH_LENGTH(hash_alg); |
6995 | 0 | } |
6996 | |
|
6997 | 0 | return PSA_SUCCESS; |
6998 | 0 | case PSA_KEY_DERIVATION_INPUT_INFO: |
6999 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) |
7000 | 0 | if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { |
7001 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7002 | 0 | } |
7003 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ |
7004 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) |
7005 | 0 | if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg) && |
7006 | 0 | hkdf->state == HKDF_STATE_INIT) { |
7007 | 0 | return PSA_ERROR_BAD_STATE; |
7008 | 0 | } |
7009 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ |
7010 | 0 | if (hkdf->state == HKDF_STATE_OUTPUT) { |
7011 | 0 | return PSA_ERROR_BAD_STATE; |
7012 | 0 | } |
7013 | 0 | if (hkdf->info_set) { |
7014 | 0 | return PSA_ERROR_BAD_STATE; |
7015 | 0 | } |
7016 | 0 | hkdf->info_length = data_length; |
7017 | 0 | if (data_length != 0) { |
7018 | 0 | hkdf->info = mbedtls_calloc(1, data_length); |
7019 | 0 | if (hkdf->info == NULL) { |
7020 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
7021 | 0 | } |
7022 | 0 | memcpy(hkdf->info, data, data_length); |
7023 | 0 | } |
7024 | 0 | hkdf->info_set = 1; |
7025 | 0 | return PSA_SUCCESS; |
7026 | 0 | default: |
7027 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7028 | 0 | } |
7029 | 0 | } |
7030 | | #endif /* BUILTIN_ALG_ANY_HKDF */ |
7031 | | |
7032 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ |
7033 | | defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) |
7034 | | static psa_status_t psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t *prf, |
7035 | | const uint8_t *data, |
7036 | | size_t data_length) |
7037 | 0 | { |
7038 | 0 | if (prf->state != PSA_TLS12_PRF_STATE_INIT) { |
7039 | 0 | return PSA_ERROR_BAD_STATE; |
7040 | 0 | } |
7041 | | |
7042 | 0 | if (data_length != 0) { |
7043 | 0 | prf->seed = mbedtls_calloc(1, data_length); |
7044 | 0 | if (prf->seed == NULL) { |
7045 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
7046 | 0 | } |
7047 | | |
7048 | 0 | memcpy(prf->seed, data, data_length); |
7049 | 0 | prf->seed_length = data_length; |
7050 | 0 | } |
7051 | | |
7052 | 0 | prf->state = PSA_TLS12_PRF_STATE_SEED_SET; |
7053 | |
|
7054 | 0 | return PSA_SUCCESS; |
7055 | 0 | } |
7056 | | |
7057 | | static psa_status_t psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t *prf, |
7058 | | const uint8_t *data, |
7059 | | size_t data_length) |
7060 | 0 | { |
7061 | 0 | if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET && |
7062 | 0 | prf->state != PSA_TLS12_PRF_STATE_OTHER_KEY_SET) { |
7063 | 0 | return PSA_ERROR_BAD_STATE; |
7064 | 0 | } |
7065 | | |
7066 | 0 | if (data_length != 0) { |
7067 | 0 | prf->secret = mbedtls_calloc(1, data_length); |
7068 | 0 | if (prf->secret == NULL) { |
7069 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
7070 | 0 | } |
7071 | | |
7072 | 0 | memcpy(prf->secret, data, data_length); |
7073 | 0 | prf->secret_length = data_length; |
7074 | 0 | } |
7075 | | |
7076 | 0 | prf->state = PSA_TLS12_PRF_STATE_KEY_SET; |
7077 | |
|
7078 | 0 | return PSA_SUCCESS; |
7079 | 0 | } |
7080 | | |
7081 | | static psa_status_t psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t *prf, |
7082 | | const uint8_t *data, |
7083 | | size_t data_length) |
7084 | 0 | { |
7085 | 0 | if (prf->state != PSA_TLS12_PRF_STATE_KEY_SET) { |
7086 | 0 | return PSA_ERROR_BAD_STATE; |
7087 | 0 | } |
7088 | | |
7089 | 0 | if (data_length != 0) { |
7090 | 0 | prf->label = mbedtls_calloc(1, data_length); |
7091 | 0 | if (prf->label == NULL) { |
7092 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
7093 | 0 | } |
7094 | | |
7095 | 0 | memcpy(prf->label, data, data_length); |
7096 | 0 | prf->label_length = data_length; |
7097 | 0 | } |
7098 | | |
7099 | 0 | prf->state = PSA_TLS12_PRF_STATE_LABEL_SET; |
7100 | |
|
7101 | 0 | return PSA_SUCCESS; |
7102 | 0 | } |
7103 | | |
7104 | | static psa_status_t psa_tls12_prf_input(psa_tls12_prf_key_derivation_t *prf, |
7105 | | psa_key_derivation_step_t step, |
7106 | | const uint8_t *data, |
7107 | | size_t data_length) |
7108 | 0 | { |
7109 | 0 | switch (step) { |
7110 | 0 | case PSA_KEY_DERIVATION_INPUT_SEED: |
7111 | 0 | return psa_tls12_prf_set_seed(prf, data, data_length); |
7112 | 0 | case PSA_KEY_DERIVATION_INPUT_SECRET: |
7113 | 0 | return psa_tls12_prf_set_key(prf, data, data_length); |
7114 | 0 | case PSA_KEY_DERIVATION_INPUT_LABEL: |
7115 | 0 | return psa_tls12_prf_set_label(prf, data, data_length); |
7116 | 0 | default: |
7117 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7118 | 0 | } |
7119 | 0 | } |
7120 | | #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || |
7121 | | * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ |
7122 | | |
7123 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) |
7124 | | static psa_status_t psa_tls12_prf_psk_to_ms_set_key( |
7125 | | psa_tls12_prf_key_derivation_t *prf, |
7126 | | const uint8_t *data, |
7127 | | size_t data_length) |
7128 | 0 | { |
7129 | 0 | psa_status_t status; |
7130 | 0 | const size_t pms_len = (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET ? |
7131 | 0 | 4 + data_length + prf->other_secret_length : |
7132 | 0 | 4 + 2 * data_length); |
7133 | |
|
7134 | 0 | if (data_length > PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE) { |
7135 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7136 | 0 | } |
7137 | | |
7138 | 0 | uint8_t *pms = mbedtls_calloc(1, pms_len); |
7139 | 0 | if (pms == NULL) { |
7140 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
7141 | 0 | } |
7142 | 0 | uint8_t *cur = pms; |
7143 | | |
7144 | | /* pure-PSK: |
7145 | | * Quoting RFC 4279, Section 2: |
7146 | | * |
7147 | | * The premaster secret is formed as follows: if the PSK is N octets |
7148 | | * long, concatenate a uint16 with the value N, N zero octets, a second |
7149 | | * uint16 with the value N, and the PSK itself. |
7150 | | * |
7151 | | * mixed-PSK: |
7152 | | * In a DHE-PSK, RSA-PSK, ECDHE-PSK the premaster secret is formed as |
7153 | | * follows: concatenate a uint16 with the length of the other secret, |
7154 | | * the other secret itself, uint16 with the length of PSK, and the |
7155 | | * PSK itself. |
7156 | | * For details please check: |
7157 | | * - RFC 4279, Section 4 for the definition of RSA-PSK, |
7158 | | * - RFC 4279, Section 3 for the definition of DHE-PSK, |
7159 | | * - RFC 5489 for the definition of ECDHE-PSK. |
7160 | | */ |
7161 | |
|
7162 | 0 | if (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET) { |
7163 | 0 | *cur++ = MBEDTLS_BYTE_1(prf->other_secret_length); |
7164 | 0 | *cur++ = MBEDTLS_BYTE_0(prf->other_secret_length); |
7165 | 0 | if (prf->other_secret_length != 0) { |
7166 | 0 | memcpy(cur, prf->other_secret, prf->other_secret_length); |
7167 | 0 | mbedtls_platform_zeroize(prf->other_secret, prf->other_secret_length); |
7168 | 0 | cur += prf->other_secret_length; |
7169 | 0 | } |
7170 | 0 | } else { |
7171 | 0 | *cur++ = MBEDTLS_BYTE_1(data_length); |
7172 | 0 | *cur++ = MBEDTLS_BYTE_0(data_length); |
7173 | 0 | memset(cur, 0, data_length); |
7174 | 0 | cur += data_length; |
7175 | 0 | } |
7176 | |
|
7177 | 0 | *cur++ = MBEDTLS_BYTE_1(data_length); |
7178 | 0 | *cur++ = MBEDTLS_BYTE_0(data_length); |
7179 | 0 | memcpy(cur, data, data_length); |
7180 | 0 | cur += data_length; |
7181 | |
|
7182 | 0 | status = psa_tls12_prf_set_key(prf, pms, (size_t) (cur - pms)); |
7183 | |
|
7184 | 0 | mbedtls_zeroize_and_free(pms, pms_len); |
7185 | 0 | return status; |
7186 | 0 | } |
7187 | | |
7188 | | static psa_status_t psa_tls12_prf_psk_to_ms_set_other_key( |
7189 | | psa_tls12_prf_key_derivation_t *prf, |
7190 | | const uint8_t *data, |
7191 | | size_t data_length) |
7192 | 0 | { |
7193 | 0 | if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET) { |
7194 | 0 | return PSA_ERROR_BAD_STATE; |
7195 | 0 | } |
7196 | | |
7197 | 0 | if (data_length != 0) { |
7198 | 0 | prf->other_secret = mbedtls_calloc(1, data_length); |
7199 | 0 | if (prf->other_secret == NULL) { |
7200 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
7201 | 0 | } |
7202 | | |
7203 | 0 | memcpy(prf->other_secret, data, data_length); |
7204 | 0 | prf->other_secret_length = data_length; |
7205 | 0 | } else { |
7206 | 0 | prf->other_secret_length = 0; |
7207 | 0 | } |
7208 | | |
7209 | 0 | prf->state = PSA_TLS12_PRF_STATE_OTHER_KEY_SET; |
7210 | |
|
7211 | 0 | return PSA_SUCCESS; |
7212 | 0 | } |
7213 | | |
7214 | | static psa_status_t psa_tls12_prf_psk_to_ms_input( |
7215 | | psa_tls12_prf_key_derivation_t *prf, |
7216 | | psa_key_derivation_step_t step, |
7217 | | const uint8_t *data, |
7218 | | size_t data_length) |
7219 | 0 | { |
7220 | 0 | switch (step) { |
7221 | 0 | case PSA_KEY_DERIVATION_INPUT_SECRET: |
7222 | 0 | return psa_tls12_prf_psk_to_ms_set_key(prf, |
7223 | 0 | data, data_length); |
7224 | 0 | break; |
7225 | 0 | case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET: |
7226 | 0 | return psa_tls12_prf_psk_to_ms_set_other_key(prf, |
7227 | 0 | data, |
7228 | 0 | data_length); |
7229 | 0 | break; |
7230 | 0 | default: |
7231 | 0 | return psa_tls12_prf_input(prf, step, data, data_length); |
7232 | 0 | break; |
7233 | |
|
7234 | 0 | } |
7235 | 0 | } |
7236 | | #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ |
7237 | | |
7238 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) |
7239 | | static psa_status_t psa_tls12_ecjpake_to_pms_input( |
7240 | | psa_tls12_ecjpake_to_pms_t *ecjpake, |
7241 | | psa_key_derivation_step_t step, |
7242 | | const uint8_t *data, |
7243 | | size_t data_length) |
7244 | 0 | { |
7245 | 0 | if (data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE || |
7246 | 0 | step != PSA_KEY_DERIVATION_INPUT_SECRET) { |
7247 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7248 | 0 | } |
7249 | | |
7250 | | /* Check if the passed point is in an uncompressed form */ |
7251 | 0 | if (data[0] != 0x04) { |
7252 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7253 | 0 | } |
7254 | | |
7255 | | /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */ |
7256 | 0 | memcpy(ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE); |
7257 | |
|
7258 | 0 | return PSA_SUCCESS; |
7259 | 0 | } |
7260 | | #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ |
7261 | | |
7262 | | #if defined(PSA_HAVE_SOFT_PBKDF2) |
7263 | | static psa_status_t psa_pbkdf2_set_input_cost( |
7264 | | psa_pbkdf2_key_derivation_t *pbkdf2, |
7265 | | psa_key_derivation_step_t step, |
7266 | | uint64_t data) |
7267 | 0 | { |
7268 | 0 | if (step != PSA_KEY_DERIVATION_INPUT_COST) { |
7269 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7270 | 0 | } |
7271 | | |
7272 | 0 | if (pbkdf2->state != PSA_PBKDF2_STATE_INIT) { |
7273 | 0 | return PSA_ERROR_BAD_STATE; |
7274 | 0 | } |
7275 | | |
7276 | 0 | if (data > PSA_VENDOR_PBKDF2_MAX_ITERATIONS) { |
7277 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
7278 | 0 | } |
7279 | | |
7280 | 0 | if (data == 0) { |
7281 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7282 | 0 | } |
7283 | | |
7284 | 0 | pbkdf2->input_cost = data; |
7285 | 0 | pbkdf2->state = PSA_PBKDF2_STATE_INPUT_COST_SET; |
7286 | |
|
7287 | 0 | return PSA_SUCCESS; |
7288 | 0 | } |
7289 | | |
7290 | | static psa_status_t psa_pbkdf2_set_salt(psa_pbkdf2_key_derivation_t *pbkdf2, |
7291 | | const uint8_t *data, |
7292 | | size_t data_length) |
7293 | 0 | { |
7294 | 0 | if (pbkdf2->state == PSA_PBKDF2_STATE_INPUT_COST_SET) { |
7295 | 0 | pbkdf2->state = PSA_PBKDF2_STATE_SALT_SET; |
7296 | 0 | } else if (pbkdf2->state == PSA_PBKDF2_STATE_SALT_SET) { |
7297 | | /* Appending to existing salt. No state change. */ |
7298 | 0 | } else { |
7299 | 0 | return PSA_ERROR_BAD_STATE; |
7300 | 0 | } |
7301 | | |
7302 | 0 | if (data_length == 0) { |
7303 | | /* Appending an empty string, nothing to do. */ |
7304 | 0 | } else { |
7305 | 0 | uint8_t *next_salt; |
7306 | |
|
7307 | 0 | next_salt = mbedtls_calloc(1, data_length + pbkdf2->salt_length); |
7308 | 0 | if (next_salt == NULL) { |
7309 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
7310 | 0 | } |
7311 | | |
7312 | 0 | if (pbkdf2->salt_length != 0) { |
7313 | 0 | memcpy(next_salt, pbkdf2->salt, pbkdf2->salt_length); |
7314 | 0 | } |
7315 | 0 | memcpy(next_salt + pbkdf2->salt_length, data, data_length); |
7316 | 0 | pbkdf2->salt_length += data_length; |
7317 | 0 | mbedtls_free(pbkdf2->salt); |
7318 | 0 | pbkdf2->salt = next_salt; |
7319 | 0 | } |
7320 | 0 | return PSA_SUCCESS; |
7321 | 0 | } |
7322 | | |
7323 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC) |
7324 | | static psa_status_t psa_pbkdf2_hmac_set_password(psa_algorithm_t hash_alg, |
7325 | | const uint8_t *input, |
7326 | | size_t input_len, |
7327 | | uint8_t *output, |
7328 | | size_t *output_len) |
7329 | 0 | { |
7330 | 0 | psa_status_t status = PSA_SUCCESS; |
7331 | 0 | if (input_len > PSA_HASH_BLOCK_LENGTH(hash_alg)) { |
7332 | 0 | return psa_hash_compute(hash_alg, input, input_len, output, |
7333 | 0 | PSA_HMAC_MAX_HASH_BLOCK_SIZE, output_len); |
7334 | 0 | } else if (input_len > 0) { |
7335 | 0 | memcpy(output, input, input_len); |
7336 | 0 | } |
7337 | 0 | *output_len = PSA_HASH_BLOCK_LENGTH(hash_alg); |
7338 | 0 | return status; |
7339 | 0 | } |
7340 | | #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */ |
7341 | | |
7342 | | #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128) |
7343 | | static psa_status_t psa_pbkdf2_cmac_set_password(const uint8_t *input, |
7344 | | size_t input_len, |
7345 | | uint8_t *output, |
7346 | | size_t *output_len) |
7347 | 0 | { |
7348 | 0 | psa_status_t status = PSA_SUCCESS; |
7349 | 0 | if (input_len != PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC)) { |
7350 | 0 | psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; |
7351 | 0 | uint8_t zeros[16] = { 0 }; |
7352 | 0 | psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); |
7353 | 0 | psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(sizeof(zeros))); |
7354 | 0 | psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); |
7355 | | /* Passing PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC) as |
7356 | | * mac_size as the driver function sets mac_output_length = mac_size |
7357 | | * on success. See https://github.com/Mbed-TLS/mbedtls/issues/7801 */ |
7358 | 0 | status = psa_driver_wrapper_mac_compute(&attributes, |
7359 | 0 | zeros, sizeof(zeros), |
7360 | 0 | PSA_ALG_CMAC, input, input_len, |
7361 | 0 | output, |
7362 | 0 | PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, |
7363 | 0 | 128U, |
7364 | 0 | PSA_ALG_CMAC), |
7365 | 0 | output_len); |
7366 | 0 | } else { |
7367 | 0 | memcpy(output, input, input_len); |
7368 | 0 | *output_len = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC); |
7369 | 0 | } |
7370 | 0 | return status; |
7371 | 0 | } |
7372 | | #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */ |
7373 | | |
7374 | | static psa_status_t psa_pbkdf2_set_password(psa_pbkdf2_key_derivation_t *pbkdf2, |
7375 | | psa_algorithm_t kdf_alg, |
7376 | | const uint8_t *data, |
7377 | | size_t data_length) |
7378 | 0 | { |
7379 | 0 | psa_status_t status = PSA_SUCCESS; |
7380 | 0 | if (pbkdf2->state != PSA_PBKDF2_STATE_SALT_SET) { |
7381 | 0 | return PSA_ERROR_BAD_STATE; |
7382 | 0 | } |
7383 | | |
7384 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC) |
7385 | 0 | if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { |
7386 | 0 | psa_algorithm_t hash_alg = PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg); |
7387 | 0 | status = psa_pbkdf2_hmac_set_password(hash_alg, data, data_length, |
7388 | 0 | pbkdf2->password, |
7389 | 0 | &pbkdf2->password_length); |
7390 | 0 | } else |
7391 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */ |
7392 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128) |
7393 | 0 | if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { |
7394 | 0 | status = psa_pbkdf2_cmac_set_password(data, data_length, |
7395 | 0 | pbkdf2->password, |
7396 | 0 | &pbkdf2->password_length); |
7397 | 0 | } else |
7398 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */ |
7399 | 0 | { |
7400 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7401 | 0 | } |
7402 | | |
7403 | 0 | pbkdf2->state = PSA_PBKDF2_STATE_PASSWORD_SET; |
7404 | |
|
7405 | 0 | return status; |
7406 | 0 | } |
7407 | | |
7408 | | static psa_status_t psa_pbkdf2_input(psa_pbkdf2_key_derivation_t *pbkdf2, |
7409 | | psa_algorithm_t kdf_alg, |
7410 | | psa_key_derivation_step_t step, |
7411 | | const uint8_t *data, |
7412 | | size_t data_length) |
7413 | 0 | { |
7414 | 0 | switch (step) { |
7415 | 0 | case PSA_KEY_DERIVATION_INPUT_SALT: |
7416 | 0 | return psa_pbkdf2_set_salt(pbkdf2, data, data_length); |
7417 | 0 | case PSA_KEY_DERIVATION_INPUT_PASSWORD: |
7418 | 0 | return psa_pbkdf2_set_password(pbkdf2, kdf_alg, data, data_length); |
7419 | 0 | default: |
7420 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7421 | 0 | } |
7422 | 0 | } |
7423 | | #endif /* PSA_HAVE_SOFT_PBKDF2 */ |
7424 | | |
7425 | | /** Check whether the given key type is acceptable for the given |
7426 | | * input step of a key derivation. |
7427 | | * |
7428 | | * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE. |
7429 | | * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA. |
7430 | | * Both secret and non-secret inputs can alternatively have the type |
7431 | | * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning |
7432 | | * that the input was passed as a buffer rather than via a key object. |
7433 | | */ |
7434 | | static int psa_key_derivation_check_input_type( |
7435 | | psa_key_derivation_step_t step, |
7436 | | psa_key_type_t key_type) |
7437 | 0 | { |
7438 | 0 | switch (step) { |
7439 | 0 | case PSA_KEY_DERIVATION_INPUT_SECRET: |
7440 | 0 | if (key_type == PSA_KEY_TYPE_DERIVE) { |
7441 | 0 | return PSA_SUCCESS; |
7442 | 0 | } |
7443 | 0 | if (key_type == PSA_KEY_TYPE_NONE) { |
7444 | 0 | return PSA_SUCCESS; |
7445 | 0 | } |
7446 | 0 | break; |
7447 | 0 | case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET: |
7448 | 0 | if (key_type == PSA_KEY_TYPE_DERIVE) { |
7449 | 0 | return PSA_SUCCESS; |
7450 | 0 | } |
7451 | 0 | if (key_type == PSA_KEY_TYPE_NONE) { |
7452 | 0 | return PSA_SUCCESS; |
7453 | 0 | } |
7454 | 0 | break; |
7455 | 0 | case PSA_KEY_DERIVATION_INPUT_LABEL: |
7456 | 0 | case PSA_KEY_DERIVATION_INPUT_SALT: |
7457 | 0 | case PSA_KEY_DERIVATION_INPUT_INFO: |
7458 | 0 | case PSA_KEY_DERIVATION_INPUT_SEED: |
7459 | 0 | if (key_type == PSA_KEY_TYPE_RAW_DATA) { |
7460 | 0 | return PSA_SUCCESS; |
7461 | 0 | } |
7462 | 0 | if (key_type == PSA_KEY_TYPE_NONE) { |
7463 | 0 | return PSA_SUCCESS; |
7464 | 0 | } |
7465 | 0 | break; |
7466 | 0 | case PSA_KEY_DERIVATION_INPUT_PASSWORD: |
7467 | 0 | if (key_type == PSA_KEY_TYPE_PASSWORD) { |
7468 | 0 | return PSA_SUCCESS; |
7469 | 0 | } |
7470 | 0 | if (key_type == PSA_KEY_TYPE_DERIVE) { |
7471 | 0 | return PSA_SUCCESS; |
7472 | 0 | } |
7473 | 0 | if (key_type == PSA_KEY_TYPE_NONE) { |
7474 | 0 | return PSA_SUCCESS; |
7475 | 0 | } |
7476 | 0 | break; |
7477 | 0 | } |
7478 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7479 | 0 | } |
7480 | | |
7481 | | static psa_status_t psa_key_derivation_input_internal( |
7482 | | psa_key_derivation_operation_t *operation, |
7483 | | psa_key_derivation_step_t step, |
7484 | | psa_key_type_t key_type, |
7485 | | const uint8_t *data, |
7486 | | size_t data_length) |
7487 | 0 | { |
7488 | 0 | psa_status_t status; |
7489 | 0 | psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation); |
7490 | |
|
7491 | 0 | status = psa_key_derivation_check_input_type(step, key_type); |
7492 | 0 | if (status != PSA_SUCCESS) { |
7493 | 0 | goto exit; |
7494 | 0 | } |
7495 | | |
7496 | 0 | #if defined(BUILTIN_ALG_ANY_HKDF) |
7497 | 0 | if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) { |
7498 | 0 | status = psa_hkdf_input(&operation->ctx.hkdf, kdf_alg, |
7499 | 0 | step, data, data_length); |
7500 | 0 | } else |
7501 | 0 | #endif /* BUILTIN_ALG_ANY_HKDF */ |
7502 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) |
7503 | 0 | if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) { |
7504 | 0 | status = psa_tls12_prf_input(&operation->ctx.tls12_prf, |
7505 | 0 | step, data, data_length); |
7506 | 0 | } else |
7507 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */ |
7508 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) |
7509 | 0 | if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { |
7510 | 0 | status = psa_tls12_prf_psk_to_ms_input(&operation->ctx.tls12_prf, |
7511 | 0 | step, data, data_length); |
7512 | 0 | } else |
7513 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ |
7514 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) |
7515 | 0 | if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { |
7516 | 0 | status = psa_tls12_ecjpake_to_pms_input( |
7517 | 0 | &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length); |
7518 | 0 | } else |
7519 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ |
7520 | 0 | #if defined(PSA_HAVE_SOFT_PBKDF2) |
7521 | 0 | if (PSA_ALG_IS_PBKDF2(kdf_alg)) { |
7522 | 0 | status = psa_pbkdf2_input(&operation->ctx.pbkdf2, kdf_alg, |
7523 | 0 | step, data, data_length); |
7524 | 0 | } else |
7525 | 0 | #endif /* PSA_HAVE_SOFT_PBKDF2 */ |
7526 | 0 | { |
7527 | | /* This can't happen unless the operation object was not initialized */ |
7528 | 0 | (void) data; |
7529 | 0 | (void) data_length; |
7530 | 0 | (void) kdf_alg; |
7531 | 0 | return PSA_ERROR_BAD_STATE; |
7532 | 0 | } |
7533 | | |
7534 | 0 | exit: |
7535 | 0 | if (status != PSA_SUCCESS) { |
7536 | 0 | psa_key_derivation_abort(operation); |
7537 | 0 | } |
7538 | 0 | return status; |
7539 | 0 | } |
7540 | | |
7541 | | static psa_status_t psa_key_derivation_input_integer_internal( |
7542 | | psa_key_derivation_operation_t *operation, |
7543 | | psa_key_derivation_step_t step, |
7544 | | uint64_t value) |
7545 | 0 | { |
7546 | 0 | psa_status_t status; |
7547 | 0 | psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation); |
7548 | |
|
7549 | 0 | #if defined(PSA_HAVE_SOFT_PBKDF2) |
7550 | 0 | if (PSA_ALG_IS_PBKDF2(kdf_alg)) { |
7551 | 0 | status = psa_pbkdf2_set_input_cost( |
7552 | 0 | &operation->ctx.pbkdf2, step, value); |
7553 | 0 | } else |
7554 | 0 | #endif /* PSA_HAVE_SOFT_PBKDF2 */ |
7555 | 0 | { |
7556 | 0 | (void) step; |
7557 | 0 | (void) value; |
7558 | 0 | (void) kdf_alg; |
7559 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
7560 | 0 | } |
7561 | |
|
7562 | 0 | if (status != PSA_SUCCESS) { |
7563 | 0 | psa_key_derivation_abort(operation); |
7564 | 0 | } |
7565 | 0 | return status; |
7566 | 0 | } |
7567 | | |
7568 | | psa_status_t psa_key_derivation_input_bytes( |
7569 | | psa_key_derivation_operation_t *operation, |
7570 | | psa_key_derivation_step_t step, |
7571 | | const uint8_t *data_external, |
7572 | | size_t data_length) |
7573 | 0 | { |
7574 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
7575 | 0 | LOCAL_INPUT_DECLARE(data_external, data); |
7576 | |
|
7577 | 0 | LOCAL_INPUT_ALLOC(data_external, data_length, data); |
7578 | |
|
7579 | 0 | status = psa_key_derivation_input_internal(operation, step, |
7580 | 0 | PSA_KEY_TYPE_NONE, |
7581 | 0 | data, data_length); |
7582 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
7583 | 0 | exit: |
7584 | 0 | #endif |
7585 | 0 | LOCAL_INPUT_FREE(data_external, data); |
7586 | 0 | return status; |
7587 | 0 | } |
7588 | | |
7589 | | psa_status_t psa_key_derivation_input_integer( |
7590 | | psa_key_derivation_operation_t *operation, |
7591 | | psa_key_derivation_step_t step, |
7592 | | uint64_t value) |
7593 | 0 | { |
7594 | 0 | return psa_key_derivation_input_integer_internal(operation, step, value); |
7595 | 0 | } |
7596 | | |
7597 | | psa_status_t psa_key_derivation_input_key( |
7598 | | psa_key_derivation_operation_t *operation, |
7599 | | psa_key_derivation_step_t step, |
7600 | | mbedtls_svc_key_id_t key) |
7601 | 0 | { |
7602 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
7603 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
7604 | 0 | psa_key_slot_t *slot; |
7605 | |
|
7606 | 0 | status = psa_get_and_lock_transparent_key_slot_with_policy( |
7607 | 0 | key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg); |
7608 | 0 | if (status != PSA_SUCCESS) { |
7609 | 0 | psa_key_derivation_abort(operation); |
7610 | 0 | return status; |
7611 | 0 | } |
7612 | | |
7613 | | /* Passing a key object as a SECRET or PASSWORD input unlocks the |
7614 | | * permission to output to a key object. */ |
7615 | 0 | if (step == PSA_KEY_DERIVATION_INPUT_SECRET || |
7616 | 0 | step == PSA_KEY_DERIVATION_INPUT_PASSWORD) { |
7617 | 0 | operation->can_output_key = 1; |
7618 | 0 | } |
7619 | |
|
7620 | 0 | status = psa_key_derivation_input_internal(operation, |
7621 | 0 | step, slot->attr.type, |
7622 | 0 | slot->key.data, |
7623 | 0 | slot->key.bytes); |
7624 | |
|
7625 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
7626 | |
|
7627 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
7628 | 0 | } |
7629 | | |
7630 | | |
7631 | | |
7632 | | /****************************************************************/ |
7633 | | /* Key agreement */ |
7634 | | /****************************************************************/ |
7635 | | |
7636 | | psa_status_t psa_key_agreement_raw_builtin(const psa_key_attributes_t *attributes, |
7637 | | const uint8_t *key_buffer, |
7638 | | size_t key_buffer_size, |
7639 | | psa_algorithm_t alg, |
7640 | | const uint8_t *peer_key, |
7641 | | size_t peer_key_length, |
7642 | | uint8_t *shared_secret, |
7643 | | size_t shared_secret_size, |
7644 | | size_t *shared_secret_length) |
7645 | 0 | { |
7646 | 0 | switch (alg) { |
7647 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) |
7648 | 0 | case PSA_ALG_ECDH: |
7649 | 0 | return mbedtls_psa_key_agreement_ecdh(attributes, key_buffer, |
7650 | 0 | key_buffer_size, alg, |
7651 | 0 | peer_key, peer_key_length, |
7652 | 0 | shared_secret, |
7653 | 0 | shared_secret_size, |
7654 | 0 | shared_secret_length); |
7655 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ |
7656 | | |
7657 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH) |
7658 | 0 | case PSA_ALG_FFDH: |
7659 | 0 | return mbedtls_psa_ffdh_key_agreement(attributes, |
7660 | 0 | peer_key, |
7661 | 0 | peer_key_length, |
7662 | 0 | key_buffer, |
7663 | 0 | key_buffer_size, |
7664 | 0 | shared_secret, |
7665 | 0 | shared_secret_size, |
7666 | 0 | shared_secret_length); |
7667 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */ |
7668 | | |
7669 | 0 | default: |
7670 | 0 | (void) attributes; |
7671 | 0 | (void) key_buffer; |
7672 | 0 | (void) key_buffer_size; |
7673 | 0 | (void) peer_key; |
7674 | 0 | (void) peer_key_length; |
7675 | 0 | (void) shared_secret; |
7676 | 0 | (void) shared_secret_size; |
7677 | 0 | (void) shared_secret_length; |
7678 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
7679 | 0 | } |
7680 | 0 | } |
7681 | | |
7682 | | /** Internal function for raw key agreement |
7683 | | * Calls the driver wrapper which will hand off key agreement task |
7684 | | * to the driver's implementation if a driver is present. |
7685 | | * Fallback specified in the driver wrapper is built-in raw key agreement |
7686 | | * (psa_key_agreement_raw_builtin). |
7687 | | */ |
7688 | | static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg, |
7689 | | psa_key_slot_t *private_key, |
7690 | | const uint8_t *peer_key, |
7691 | | size_t peer_key_length, |
7692 | | uint8_t *shared_secret, |
7693 | | size_t shared_secret_size, |
7694 | | size_t *shared_secret_length) |
7695 | 0 | { |
7696 | 0 | if (!PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) { |
7697 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
7698 | 0 | } |
7699 | | |
7700 | 0 | return psa_driver_wrapper_key_agreement(&private_key->attr, |
7701 | 0 | private_key->key.data, |
7702 | 0 | private_key->key.bytes, alg, |
7703 | 0 | peer_key, peer_key_length, |
7704 | 0 | shared_secret, |
7705 | 0 | shared_secret_size, |
7706 | 0 | shared_secret_length); |
7707 | 0 | } |
7708 | | |
7709 | | /* Note that if this function fails, you must call psa_key_derivation_abort() |
7710 | | * to potentially free embedded data structures and wipe confidential data. |
7711 | | */ |
7712 | | static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *operation, |
7713 | | psa_key_derivation_step_t step, |
7714 | | psa_key_slot_t *private_key, |
7715 | | const uint8_t *peer_key, |
7716 | | size_t peer_key_length) |
7717 | 0 | { |
7718 | 0 | psa_status_t status; |
7719 | 0 | uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE] = { 0 }; |
7720 | 0 | size_t shared_secret_length = 0; |
7721 | 0 | psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg); |
7722 | | |
7723 | | /* Step 1: run the secret agreement algorithm to generate the shared |
7724 | | * secret. */ |
7725 | 0 | status = psa_key_agreement_raw_internal(ka_alg, |
7726 | 0 | private_key, |
7727 | 0 | peer_key, peer_key_length, |
7728 | 0 | shared_secret, |
7729 | 0 | sizeof(shared_secret), |
7730 | 0 | &shared_secret_length); |
7731 | 0 | if (status != PSA_SUCCESS) { |
7732 | 0 | goto exit; |
7733 | 0 | } |
7734 | | |
7735 | | /* Step 2: set up the key derivation to generate key material from |
7736 | | * the shared secret. A shared secret is permitted wherever a key |
7737 | | * of type DERIVE is permitted. */ |
7738 | 0 | status = psa_key_derivation_input_internal(operation, step, |
7739 | 0 | PSA_KEY_TYPE_DERIVE, |
7740 | 0 | shared_secret, |
7741 | 0 | shared_secret_length); |
7742 | 0 | exit: |
7743 | 0 | mbedtls_platform_zeroize(shared_secret, shared_secret_length); |
7744 | 0 | return status; |
7745 | 0 | } |
7746 | | |
7747 | | psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *operation, |
7748 | | psa_key_derivation_step_t step, |
7749 | | mbedtls_svc_key_id_t private_key, |
7750 | | const uint8_t *peer_key_external, |
7751 | | size_t peer_key_length) |
7752 | 0 | { |
7753 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
7754 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
7755 | 0 | psa_key_slot_t *slot; |
7756 | 0 | LOCAL_INPUT_DECLARE(peer_key_external, peer_key); |
7757 | |
|
7758 | 0 | if (!PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) { |
7759 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
7760 | 0 | } |
7761 | 0 | status = psa_get_and_lock_transparent_key_slot_with_policy( |
7762 | 0 | private_key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg); |
7763 | 0 | if (status != PSA_SUCCESS) { |
7764 | 0 | return status; |
7765 | 0 | } |
7766 | | |
7767 | 0 | LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key); |
7768 | 0 | status = psa_key_agreement_internal(operation, step, |
7769 | 0 | slot, |
7770 | 0 | peer_key, peer_key_length); |
7771 | |
|
7772 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
7773 | 0 | exit: |
7774 | 0 | #endif |
7775 | 0 | if (status != PSA_SUCCESS) { |
7776 | 0 | psa_key_derivation_abort(operation); |
7777 | 0 | } else { |
7778 | | /* If a private key has been added as SECRET, we allow the derived |
7779 | | * key material to be used as a key in PSA Crypto. */ |
7780 | 0 | if (step == PSA_KEY_DERIVATION_INPUT_SECRET) { |
7781 | 0 | operation->can_output_key = 1; |
7782 | 0 | } |
7783 | 0 | } |
7784 | |
|
7785 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
7786 | 0 | LOCAL_INPUT_FREE(peer_key_external, peer_key); |
7787 | |
|
7788 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
7789 | 0 | } |
7790 | | |
7791 | | psa_status_t psa_raw_key_agreement(psa_algorithm_t alg, |
7792 | | mbedtls_svc_key_id_t private_key, |
7793 | | const uint8_t *peer_key_external, |
7794 | | size_t peer_key_length, |
7795 | | uint8_t *output_external, |
7796 | | size_t output_size, |
7797 | | size_t *output_length) |
7798 | 0 | { |
7799 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
7800 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
7801 | 0 | psa_key_slot_t *slot = NULL; |
7802 | 0 | size_t expected_length; |
7803 | 0 | LOCAL_INPUT_DECLARE(peer_key_external, peer_key); |
7804 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
7805 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_size, output); |
7806 | |
|
7807 | 0 | if (!PSA_ALG_IS_KEY_AGREEMENT(alg)) { |
7808 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
7809 | 0 | goto exit; |
7810 | 0 | } |
7811 | 0 | status = psa_get_and_lock_transparent_key_slot_with_policy( |
7812 | 0 | private_key, &slot, PSA_KEY_USAGE_DERIVE, alg); |
7813 | 0 | if (status != PSA_SUCCESS) { |
7814 | 0 | goto exit; |
7815 | 0 | } |
7816 | | |
7817 | | /* PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is in general an upper bound |
7818 | | * for the output size. The PSA specification only guarantees that this |
7819 | | * function works if output_size >= PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(...), |
7820 | | * but it might be nice to allow smaller buffers if the output fits. |
7821 | | * At the time of writing this comment, with only ECDH implemented, |
7822 | | * PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is exact so the point is moot. |
7823 | | * If FFDH is implemented, PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() can easily |
7824 | | * be exact for it as well. */ |
7825 | 0 | expected_length = |
7826 | 0 | PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(slot->attr.type, slot->attr.bits); |
7827 | 0 | if (output_size < expected_length) { |
7828 | 0 | status = PSA_ERROR_BUFFER_TOO_SMALL; |
7829 | 0 | goto exit; |
7830 | 0 | } |
7831 | | |
7832 | 0 | LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key); |
7833 | 0 | status = psa_key_agreement_raw_internal(alg, slot, |
7834 | 0 | peer_key, peer_key_length, |
7835 | 0 | output, output_size, |
7836 | 0 | output_length); |
7837 | |
|
7838 | 0 | exit: |
7839 | | /* Check for successful allocation of output, |
7840 | | * with an unsuccessful status. */ |
7841 | 0 | if (output != NULL && status != PSA_SUCCESS) { |
7842 | | /* If an error happens and is not handled properly, the output |
7843 | | * may be used as a key to protect sensitive data. Arrange for such |
7844 | | * a key to be random, which is likely to result in decryption or |
7845 | | * verification errors. This is better than filling the buffer with |
7846 | | * some constant data such as zeros, which would result in the data |
7847 | | * being protected with a reproducible, easily knowable key. |
7848 | | */ |
7849 | 0 | psa_generate_random_internal(output, output_size); |
7850 | 0 | *output_length = output_size; |
7851 | 0 | } |
7852 | |
|
7853 | 0 | if (output == NULL) { |
7854 | | /* output allocation failed. */ |
7855 | 0 | *output_length = 0; |
7856 | 0 | } |
7857 | |
|
7858 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
7859 | |
|
7860 | 0 | LOCAL_INPUT_FREE(peer_key_external, peer_key); |
7861 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
7862 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
7863 | 0 | } |
7864 | | |
7865 | | |
7866 | | /****************************************************************/ |
7867 | | /* Random generation */ |
7868 | | /****************************************************************/ |
7869 | | |
7870 | | #if defined(MBEDTLS_PSA_INJECT_ENTROPY) |
7871 | | #include "entropy_poll.h" |
7872 | | #endif |
7873 | | |
7874 | | /** Initialize the PSA random generator. |
7875 | | * |
7876 | | * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling |
7877 | | * this function if mutexes are enabled. |
7878 | | */ |
7879 | | static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng) |
7880 | 2 | { |
7881 | | #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) |
7882 | | memset(rng, 0, sizeof(*rng)); |
7883 | | #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ |
7884 | | |
7885 | | /* Set default configuration if |
7886 | | * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */ |
7887 | 2 | if (rng->entropy_init == NULL) { |
7888 | 2 | rng->entropy_init = mbedtls_entropy_init; |
7889 | 2 | } |
7890 | 2 | if (rng->entropy_free == NULL) { |
7891 | 2 | rng->entropy_free = mbedtls_entropy_free; |
7892 | 2 | } |
7893 | | |
7894 | 2 | rng->entropy_init(&rng->entropy); |
7895 | | #if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \ |
7896 | | defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) |
7897 | | /* The PSA entropy injection feature depends on using NV seed as an entropy |
7898 | | * source. Add NV seed as an entropy source for PSA entropy injection. */ |
7899 | | mbedtls_entropy_add_source(&rng->entropy, |
7900 | | mbedtls_nv_seed_poll, NULL, |
7901 | | MBEDTLS_ENTROPY_BLOCK_SIZE, |
7902 | | MBEDTLS_ENTROPY_SOURCE_STRONG); |
7903 | | #endif |
7904 | | |
7905 | 2 | mbedtls_psa_drbg_init(&rng->drbg); |
7906 | 2 | #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ |
7907 | 2 | } |
7908 | | |
7909 | | /** Deinitialize the PSA random generator. |
7910 | | * |
7911 | | * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling |
7912 | | * this function if mutexes are enabled. |
7913 | | */ |
7914 | | static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng) |
7915 | 2 | { |
7916 | | #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) |
7917 | | memset(rng, 0, sizeof(*rng)); |
7918 | | #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ |
7919 | 2 | mbedtls_psa_drbg_free(&rng->drbg); |
7920 | 2 | rng->entropy_free(&rng->entropy); |
7921 | 2 | #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ |
7922 | 2 | } |
7923 | | |
7924 | | /** Seed the PSA random generator. |
7925 | | */ |
7926 | | static psa_status_t mbedtls_psa_random_seed(mbedtls_psa_random_context_t *rng) |
7927 | 2 | { |
7928 | | #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) |
7929 | | /* Do nothing: the external RNG seeds itself. */ |
7930 | | (void) rng; |
7931 | | return PSA_SUCCESS; |
7932 | | #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ |
7933 | 2 | const unsigned char drbg_seed[] = "PSA"; |
7934 | 2 | int ret = mbedtls_psa_drbg_seed(&rng->drbg, &rng->entropy, |
7935 | 2 | drbg_seed, sizeof(drbg_seed) - 1); |
7936 | 2 | return mbedtls_to_psa_error(ret); |
7937 | 2 | #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ |
7938 | 2 | } |
7939 | | |
7940 | | psa_status_t psa_generate_random(uint8_t *output_external, |
7941 | | size_t output_size) |
7942 | 0 | { |
7943 | 0 | psa_status_t status; |
7944 | |
|
7945 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
7946 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_size, output); |
7947 | |
|
7948 | 0 | status = psa_generate_random_internal(output, output_size); |
7949 | |
|
7950 | 0 | #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) |
7951 | 0 | exit: |
7952 | 0 | #endif |
7953 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
7954 | 0 | return status; |
7955 | 0 | } |
7956 | | |
7957 | | #if defined(MBEDTLS_PSA_INJECT_ENTROPY) |
7958 | | psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed, |
7959 | | size_t seed_size) |
7960 | | { |
7961 | | if (psa_get_initialized()) { |
7962 | | return PSA_ERROR_NOT_PERMITTED; |
7963 | | } |
7964 | | |
7965 | | if (((seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM) || |
7966 | | (seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE)) || |
7967 | | (seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE)) { |
7968 | | return PSA_ERROR_INVALID_ARGUMENT; |
7969 | | } |
7970 | | |
7971 | | return mbedtls_psa_storage_inject_entropy(seed, seed_size); |
7972 | | } |
7973 | | #endif /* MBEDTLS_PSA_INJECT_ENTROPY */ |
7974 | | |
7975 | | /** Validate the key type and size for key generation |
7976 | | * |
7977 | | * \param type The key type |
7978 | | * \param bits The number of bits of the key |
7979 | | * |
7980 | | * \retval #PSA_SUCCESS |
7981 | | * The key type and size are valid. |
7982 | | * \retval #PSA_ERROR_INVALID_ARGUMENT |
7983 | | * The size in bits of the key is not valid. |
7984 | | * \retval #PSA_ERROR_NOT_SUPPORTED |
7985 | | * The type and/or the size in bits of the key or the combination of |
7986 | | * the two is not supported. |
7987 | | */ |
7988 | | static psa_status_t psa_validate_key_type_and_size_for_key_generation( |
7989 | | psa_key_type_t type, size_t bits) |
7990 | 0 | { |
7991 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
7992 | |
|
7993 | 0 | if (key_type_is_raw_bytes(type)) { |
7994 | 0 | status = psa_validate_unstructured_key_bit_size(type, bits); |
7995 | 0 | if (status != PSA_SUCCESS) { |
7996 | 0 | return status; |
7997 | 0 | } |
7998 | 0 | } else |
7999 | 0 | #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) |
8000 | 0 | if (PSA_KEY_TYPE_IS_RSA(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) { |
8001 | 0 | if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) { |
8002 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
8003 | 0 | } |
8004 | 0 | if (bits < PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS) { |
8005 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
8006 | 0 | } |
8007 | | |
8008 | | /* Accept only byte-aligned keys, for the same reasons as |
8009 | | * in psa_import_rsa_key(). */ |
8010 | 0 | if (bits % 8 != 0) { |
8011 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
8012 | 0 | } |
8013 | 0 | } else |
8014 | 0 | #endif /* defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */ |
8015 | | |
8016 | 0 | #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) |
8017 | 0 | if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) { |
8018 | | /* To avoid empty block, return successfully here. */ |
8019 | 0 | return PSA_SUCCESS; |
8020 | 0 | } else |
8021 | 0 | #endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */ |
8022 | | |
8023 | 0 | #if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) |
8024 | 0 | if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) { |
8025 | 0 | if (psa_is_dh_key_size_valid(bits) == 0) { |
8026 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
8027 | 0 | } |
8028 | 0 | } else |
8029 | 0 | #endif /* defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) */ |
8030 | 0 | { |
8031 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
8032 | 0 | } |
8033 | | |
8034 | 0 | return PSA_SUCCESS; |
8035 | 0 | } |
8036 | | |
8037 | | psa_status_t psa_generate_key_internal( |
8038 | | const psa_key_attributes_t *attributes, |
8039 | | const psa_custom_key_parameters_t *custom, |
8040 | | const uint8_t *custom_data, |
8041 | | size_t custom_data_length, |
8042 | | uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) |
8043 | 0 | { |
8044 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
8045 | 0 | psa_key_type_t type = attributes->type; |
8046 | | |
8047 | | /* Only used for RSA */ |
8048 | 0 | (void) custom; |
8049 | 0 | (void) custom_data; |
8050 | 0 | (void) custom_data_length; |
8051 | |
|
8052 | 0 | if (key_type_is_raw_bytes(type)) { |
8053 | 0 | status = psa_generate_random_internal(key_buffer, key_buffer_size); |
8054 | 0 | if (status != PSA_SUCCESS) { |
8055 | 0 | return status; |
8056 | 0 | } |
8057 | | |
8058 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) |
8059 | 0 | if (type == PSA_KEY_TYPE_DES) { |
8060 | 0 | psa_des_set_key_parity(key_buffer, key_buffer_size); |
8061 | 0 | } |
8062 | 0 | #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ |
8063 | 0 | } else |
8064 | | |
8065 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) |
8066 | 0 | if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { |
8067 | 0 | return mbedtls_psa_rsa_generate_key(attributes, |
8068 | 0 | custom_data, custom_data_length, |
8069 | 0 | key_buffer, |
8070 | 0 | key_buffer_size, |
8071 | 0 | key_buffer_length); |
8072 | 0 | } else |
8073 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */ |
8074 | | |
8075 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) |
8076 | 0 | if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) { |
8077 | 0 | return mbedtls_psa_ecp_generate_key(attributes, |
8078 | 0 | key_buffer, |
8079 | 0 | key_buffer_size, |
8080 | 0 | key_buffer_length); |
8081 | 0 | } else |
8082 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */ |
8083 | | |
8084 | 0 | #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) |
8085 | 0 | if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) { |
8086 | 0 | return mbedtls_psa_ffdh_generate_key(attributes, |
8087 | 0 | key_buffer, |
8088 | 0 | key_buffer_size, |
8089 | 0 | key_buffer_length); |
8090 | 0 | } else |
8091 | 0 | #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) */ |
8092 | 0 | { |
8093 | 0 | (void) key_buffer_length; |
8094 | 0 | return PSA_ERROR_NOT_SUPPORTED; |
8095 | 0 | } |
8096 | | |
8097 | 0 | return PSA_SUCCESS; |
8098 | 0 | } |
8099 | | |
8100 | | psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes, |
8101 | | const psa_custom_key_parameters_t *custom, |
8102 | | const uint8_t *custom_data, |
8103 | | size_t custom_data_length, |
8104 | | mbedtls_svc_key_id_t *key) |
8105 | 0 | { |
8106 | 0 | psa_status_t status; |
8107 | 0 | psa_key_slot_t *slot = NULL; |
8108 | 0 | psa_se_drv_table_entry_t *driver = NULL; |
8109 | 0 | size_t key_buffer_size; |
8110 | |
|
8111 | 0 | *key = MBEDTLS_SVC_KEY_ID_INIT; |
8112 | | |
8113 | | /* Reject any attempt to create a zero-length key so that we don't |
8114 | | * risk tripping up later, e.g. on a malloc(0) that returns NULL. */ |
8115 | 0 | if (psa_get_key_bits(attributes) == 0) { |
8116 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
8117 | 0 | } |
8118 | | |
8119 | | /* Reject any attempt to create a public key. */ |
8120 | 0 | if (PSA_KEY_TYPE_IS_PUBLIC_KEY(attributes->type)) { |
8121 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
8122 | 0 | } |
8123 | | |
8124 | 0 | #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) |
8125 | 0 | if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) { |
8126 | 0 | if (custom->flags != 0) { |
8127 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
8128 | 0 | } |
8129 | 0 | } else |
8130 | 0 | #endif |
8131 | 0 | if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) { |
8132 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
8133 | 0 | } |
8134 | | |
8135 | 0 | status = psa_start_key_creation(PSA_KEY_CREATION_GENERATE, attributes, |
8136 | 0 | &slot, &driver); |
8137 | 0 | if (status != PSA_SUCCESS) { |
8138 | 0 | goto exit; |
8139 | 0 | } |
8140 | | |
8141 | | /* In the case of a transparent key or an opaque key stored in local |
8142 | | * storage ( thus not in the case of generating a key in a secure element |
8143 | | * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a |
8144 | | * buffer to hold the generated key material. */ |
8145 | 0 | if (slot->key.bytes == 0) { |
8146 | 0 | if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) == |
8147 | 0 | PSA_KEY_LOCATION_LOCAL_STORAGE) { |
8148 | 0 | status = psa_validate_key_type_and_size_for_key_generation( |
8149 | 0 | attributes->type, attributes->bits); |
8150 | 0 | if (status != PSA_SUCCESS) { |
8151 | 0 | goto exit; |
8152 | 0 | } |
8153 | | |
8154 | 0 | key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE( |
8155 | 0 | attributes->type, |
8156 | 0 | attributes->bits); |
8157 | 0 | } else { |
8158 | 0 | status = psa_driver_wrapper_get_key_buffer_size( |
8159 | 0 | attributes, &key_buffer_size); |
8160 | 0 | if (status != PSA_SUCCESS) { |
8161 | 0 | goto exit; |
8162 | 0 | } |
8163 | 0 | } |
8164 | | |
8165 | 0 | status = psa_allocate_buffer_to_slot(slot, key_buffer_size); |
8166 | 0 | if (status != PSA_SUCCESS) { |
8167 | 0 | goto exit; |
8168 | 0 | } |
8169 | 0 | } |
8170 | | |
8171 | 0 | status = psa_driver_wrapper_generate_key(attributes, |
8172 | 0 | custom, |
8173 | 0 | custom_data, custom_data_length, |
8174 | 0 | slot->key.data, slot->key.bytes, |
8175 | 0 | &slot->key.bytes); |
8176 | 0 | if (status != PSA_SUCCESS) { |
8177 | 0 | psa_remove_key_data_from_memory(slot); |
8178 | 0 | } |
8179 | |
|
8180 | 0 | exit: |
8181 | 0 | if (status == PSA_SUCCESS) { |
8182 | 0 | status = psa_finish_key_creation(slot, driver, key); |
8183 | 0 | } |
8184 | 0 | if (status != PSA_SUCCESS) { |
8185 | 0 | psa_fail_key_creation(slot, driver); |
8186 | 0 | } |
8187 | |
|
8188 | 0 | return status; |
8189 | 0 | } |
8190 | | |
8191 | | psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, |
8192 | | const psa_key_production_parameters_t *params, |
8193 | | size_t params_data_length, |
8194 | | mbedtls_svc_key_id_t *key) |
8195 | 0 | { |
8196 | 0 | return psa_generate_key_custom( |
8197 | 0 | attributes, |
8198 | 0 | (const psa_custom_key_parameters_t *) params, |
8199 | 0 | params->data, params_data_length, |
8200 | 0 | key); |
8201 | 0 | } |
8202 | | |
8203 | | psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, |
8204 | | mbedtls_svc_key_id_t *key) |
8205 | 0 | { |
8206 | 0 | return psa_generate_key_custom(attributes, |
8207 | 0 | &default_custom_production, |
8208 | 0 | NULL, 0, |
8209 | 0 | key); |
8210 | 0 | } |
8211 | | |
8212 | | /****************************************************************/ |
8213 | | /* Module setup */ |
8214 | | /****************************************************************/ |
8215 | | |
8216 | | #if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) |
8217 | | psa_status_t mbedtls_psa_crypto_configure_entropy_sources( |
8218 | | void (* entropy_init)(mbedtls_entropy_context *ctx), |
8219 | | void (* entropy_free)(mbedtls_entropy_context *ctx)) |
8220 | 0 | { |
8221 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
8222 | |
|
8223 | 0 | #if defined(MBEDTLS_THREADING_C) |
8224 | 0 | mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex); |
8225 | 0 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8226 | |
|
8227 | 0 | if (global_data.rng_state != RNG_NOT_INITIALIZED) { |
8228 | 0 | status = PSA_ERROR_BAD_STATE; |
8229 | 0 | } else { |
8230 | 0 | global_data.rng.entropy_init = entropy_init; |
8231 | 0 | global_data.rng.entropy_free = entropy_free; |
8232 | 0 | status = PSA_SUCCESS; |
8233 | 0 | } |
8234 | |
|
8235 | 0 | #if defined(MBEDTLS_THREADING_C) |
8236 | 0 | mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex); |
8237 | 0 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8238 | |
|
8239 | 0 | return status; |
8240 | 0 | } |
8241 | | #endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */ |
8242 | | |
8243 | | void mbedtls_psa_crypto_free(void) |
8244 | 4 | { |
8245 | | |
8246 | 4 | #if defined(MBEDTLS_THREADING_C) |
8247 | 4 | mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex); |
8248 | 4 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8249 | | |
8250 | | /* Nothing to do to free transaction. */ |
8251 | 4 | if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED) { |
8252 | 0 | global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED; |
8253 | 0 | } |
8254 | | |
8255 | 4 | if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED) { |
8256 | 2 | psa_wipe_all_key_slots(); |
8257 | 2 | global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED; |
8258 | 2 | } |
8259 | | |
8260 | 4 | #if defined(MBEDTLS_THREADING_C) |
8261 | 4 | mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex); |
8262 | 4 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8263 | | |
8264 | 4 | #if defined(MBEDTLS_THREADING_C) |
8265 | 4 | mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex); |
8266 | 4 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8267 | | |
8268 | 4 | if (global_data.rng_state != RNG_NOT_INITIALIZED) { |
8269 | 2 | mbedtls_psa_random_free(&global_data.rng); |
8270 | 2 | } |
8271 | 4 | global_data.rng_state = RNG_NOT_INITIALIZED; |
8272 | 4 | mbedtls_platform_zeroize(&global_data.rng, sizeof(global_data.rng)); |
8273 | | |
8274 | 4 | #if defined(MBEDTLS_THREADING_C) |
8275 | 4 | mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex); |
8276 | 4 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8277 | | |
8278 | 4 | #if defined(MBEDTLS_THREADING_C) |
8279 | 4 | mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex); |
8280 | 4 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8281 | | |
8282 | | /* Terminate drivers */ |
8283 | 4 | if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) { |
8284 | 2 | psa_driver_wrapper_free(); |
8285 | 2 | global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED; |
8286 | 2 | } |
8287 | | |
8288 | 4 | #if defined(MBEDTLS_THREADING_C) |
8289 | 4 | mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex); |
8290 | 4 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8291 | | |
8292 | 4 | } |
8293 | | |
8294 | | #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) |
8295 | | /** Recover a transaction that was interrupted by a power failure. |
8296 | | * |
8297 | | * This function is called during initialization, before psa_crypto_init() |
8298 | | * returns. If this function returns a failure status, the initialization |
8299 | | * fails. |
8300 | | */ |
8301 | | static psa_status_t psa_crypto_recover_transaction( |
8302 | | const psa_crypto_transaction_t *transaction) |
8303 | 0 | { |
8304 | 0 | switch (transaction->unknown.type) { |
8305 | 0 | case PSA_CRYPTO_TRANSACTION_CREATE_KEY: |
8306 | 0 | case PSA_CRYPTO_TRANSACTION_DESTROY_KEY: |
8307 | | /* TODO - fall through to the failure case until this |
8308 | | * is implemented. |
8309 | | * https://github.com/ARMmbed/mbed-crypto/issues/218 |
8310 | | */ |
8311 | 0 | default: |
8312 | | /* We found an unsupported transaction in the storage. |
8313 | | * We don't know what state the storage is in. Give up. */ |
8314 | 0 | return PSA_ERROR_DATA_INVALID; |
8315 | 0 | } |
8316 | 0 | } |
8317 | | #endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */ |
8318 | | |
8319 | | static psa_status_t mbedtls_psa_crypto_init_subsystem(mbedtls_psa_crypto_subsystem subsystem) |
8320 | 6 | { |
8321 | 6 | psa_status_t status = PSA_SUCCESS; |
8322 | 6 | uint8_t driver_wrappers_initialized = 0; |
8323 | | |
8324 | 6 | switch (subsystem) { |
8325 | 2 | case PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS: |
8326 | | |
8327 | 2 | #if defined(MBEDTLS_THREADING_C) |
8328 | 2 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex)); |
8329 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8330 | | |
8331 | 2 | if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED)) { |
8332 | | /* Init drivers */ |
8333 | 2 | status = psa_driver_wrapper_init(); |
8334 | | |
8335 | | /* Drivers need shutdown regardless of startup errors. */ |
8336 | 2 | global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED; |
8337 | | |
8338 | | |
8339 | 2 | } |
8340 | 2 | #if defined(MBEDTLS_THREADING_C) |
8341 | 2 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock( |
8342 | 2 | &mbedtls_threading_psa_globaldata_mutex)); |
8343 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8344 | | |
8345 | 2 | break; |
8346 | | |
8347 | 2 | case PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS: |
8348 | | |
8349 | 2 | #if defined(MBEDTLS_THREADING_C) |
8350 | 2 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex)); |
8351 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8352 | | |
8353 | 2 | if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED)) { |
8354 | 2 | status = psa_initialize_key_slots(); |
8355 | | |
8356 | | /* Need to wipe keys even if initialization fails. */ |
8357 | 2 | global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED; |
8358 | | |
8359 | 2 | } |
8360 | 2 | #if defined(MBEDTLS_THREADING_C) |
8361 | 2 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock( |
8362 | 2 | &mbedtls_threading_psa_globaldata_mutex)); |
8363 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8364 | | |
8365 | 2 | break; |
8366 | | |
8367 | 2 | case PSA_CRYPTO_SUBSYSTEM_RNG: |
8368 | | |
8369 | 2 | #if defined(MBEDTLS_THREADING_C) |
8370 | 2 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex)); |
8371 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8372 | | |
8373 | 2 | driver_wrappers_initialized = |
8374 | 2 | (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED); |
8375 | | |
8376 | 2 | #if defined(MBEDTLS_THREADING_C) |
8377 | 2 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock( |
8378 | 2 | &mbedtls_threading_psa_globaldata_mutex)); |
8379 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8380 | | |
8381 | | /* Need to use separate mutex here, as initialisation can require |
8382 | | * testing of init flags, which requires locking the global data |
8383 | | * mutex. */ |
8384 | 2 | #if defined(MBEDTLS_THREADING_C) |
8385 | 2 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex)); |
8386 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8387 | | |
8388 | | /* Initialize and seed the random generator. */ |
8389 | 2 | if (global_data.rng_state == RNG_NOT_INITIALIZED && driver_wrappers_initialized) { |
8390 | 2 | mbedtls_psa_random_init(&global_data.rng); |
8391 | 2 | global_data.rng_state = RNG_INITIALIZED; |
8392 | | |
8393 | 2 | status = mbedtls_psa_random_seed(&global_data.rng); |
8394 | 2 | if (status == PSA_SUCCESS) { |
8395 | 0 | global_data.rng_state = RNG_SEEDED; |
8396 | 0 | } |
8397 | 2 | } |
8398 | | |
8399 | 2 | #if defined(MBEDTLS_THREADING_C) |
8400 | 2 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock( |
8401 | 2 | &mbedtls_threading_psa_rngdata_mutex)); |
8402 | 2 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8403 | | |
8404 | 2 | break; |
8405 | | |
8406 | 0 | case PSA_CRYPTO_SUBSYSTEM_TRANSACTION: |
8407 | |
|
8408 | 0 | #if defined(MBEDTLS_THREADING_C) |
8409 | 0 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex)); |
8410 | 0 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8411 | |
|
8412 | 0 | if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)) { |
8413 | 0 | #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) |
8414 | 0 | status = psa_crypto_load_transaction(); |
8415 | 0 | if (status == PSA_SUCCESS) { |
8416 | 0 | status = psa_crypto_recover_transaction(&psa_crypto_transaction); |
8417 | 0 | if (status == PSA_SUCCESS) { |
8418 | 0 | global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED; |
8419 | 0 | } |
8420 | 0 | status = psa_crypto_stop_transaction(); |
8421 | 0 | } else if (status == PSA_ERROR_DOES_NOT_EXIST) { |
8422 | | /* There's no transaction to complete. It's all good. */ |
8423 | 0 | global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED; |
8424 | 0 | status = PSA_SUCCESS; |
8425 | 0 | } |
8426 | | #else /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */ |
8427 | | global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED; |
8428 | | status = PSA_SUCCESS; |
8429 | | #endif /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */ |
8430 | 0 | } |
8431 | |
|
8432 | 0 | #if defined(MBEDTLS_THREADING_C) |
8433 | 0 | PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock( |
8434 | 0 | &mbedtls_threading_psa_globaldata_mutex)); |
8435 | 0 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8436 | |
|
8437 | 0 | break; |
8438 | | |
8439 | 0 | default: |
8440 | 0 | status = PSA_ERROR_CORRUPTION_DETECTED; |
8441 | 6 | } |
8442 | | |
8443 | | /* Exit label only required when using threading macros. */ |
8444 | 6 | #if defined(MBEDTLS_THREADING_C) |
8445 | 6 | exit: |
8446 | 6 | #endif /* defined(MBEDTLS_THREADING_C) */ |
8447 | | |
8448 | 6 | return status; |
8449 | 6 | } |
8450 | | |
8451 | | psa_status_t psa_crypto_init(void) |
8452 | 2 | { |
8453 | 2 | psa_status_t status; |
8454 | | |
8455 | | /* Double initialization is explicitly allowed. Early out if everything is |
8456 | | * done. */ |
8457 | 2 | if (psa_get_initialized()) { |
8458 | 0 | return PSA_SUCCESS; |
8459 | 0 | } |
8460 | | |
8461 | 2 | status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS); |
8462 | 2 | if (status != PSA_SUCCESS) { |
8463 | 0 | goto exit; |
8464 | 0 | } |
8465 | | |
8466 | 2 | status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS); |
8467 | 2 | if (status != PSA_SUCCESS) { |
8468 | 0 | goto exit; |
8469 | 0 | } |
8470 | | |
8471 | 2 | status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_RNG); |
8472 | 2 | if (status != PSA_SUCCESS) { |
8473 | 2 | goto exit; |
8474 | 2 | } |
8475 | | |
8476 | 0 | status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_TRANSACTION); |
8477 | |
|
8478 | 2 | exit: |
8479 | | |
8480 | 2 | if (status != PSA_SUCCESS) { |
8481 | 2 | mbedtls_psa_crypto_free(); |
8482 | 2 | } |
8483 | | |
8484 | 2 | return status; |
8485 | 0 | } |
8486 | | |
8487 | | #if defined(PSA_WANT_ALG_SOME_PAKE) |
8488 | | psa_status_t psa_crypto_driver_pake_get_password_len( |
8489 | | const psa_crypto_driver_pake_inputs_t *inputs, |
8490 | | size_t *password_len) |
8491 | 0 | { |
8492 | 0 | if (inputs->password_len == 0) { |
8493 | 0 | return PSA_ERROR_BAD_STATE; |
8494 | 0 | } |
8495 | | |
8496 | 0 | *password_len = inputs->password_len; |
8497 | |
|
8498 | 0 | return PSA_SUCCESS; |
8499 | 0 | } |
8500 | | |
8501 | | psa_status_t psa_crypto_driver_pake_get_password( |
8502 | | const psa_crypto_driver_pake_inputs_t *inputs, |
8503 | | uint8_t *buffer, size_t buffer_size, size_t *buffer_length) |
8504 | 0 | { |
8505 | 0 | if (inputs->password_len == 0) { |
8506 | 0 | return PSA_ERROR_BAD_STATE; |
8507 | 0 | } |
8508 | | |
8509 | 0 | if (buffer_size < inputs->password_len) { |
8510 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
8511 | 0 | } |
8512 | | |
8513 | 0 | memcpy(buffer, inputs->password, inputs->password_len); |
8514 | 0 | *buffer_length = inputs->password_len; |
8515 | |
|
8516 | 0 | return PSA_SUCCESS; |
8517 | 0 | } |
8518 | | |
8519 | | psa_status_t psa_crypto_driver_pake_get_user_len( |
8520 | | const psa_crypto_driver_pake_inputs_t *inputs, |
8521 | | size_t *user_len) |
8522 | 0 | { |
8523 | 0 | if (inputs->user_len == 0) { |
8524 | 0 | return PSA_ERROR_BAD_STATE; |
8525 | 0 | } |
8526 | | |
8527 | 0 | *user_len = inputs->user_len; |
8528 | |
|
8529 | 0 | return PSA_SUCCESS; |
8530 | 0 | } |
8531 | | |
8532 | | psa_status_t psa_crypto_driver_pake_get_user( |
8533 | | const psa_crypto_driver_pake_inputs_t *inputs, |
8534 | | uint8_t *user_id, size_t user_id_size, size_t *user_id_len) |
8535 | 0 | { |
8536 | 0 | if (inputs->user_len == 0) { |
8537 | 0 | return PSA_ERROR_BAD_STATE; |
8538 | 0 | } |
8539 | | |
8540 | 0 | if (user_id_size < inputs->user_len) { |
8541 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
8542 | 0 | } |
8543 | | |
8544 | 0 | memcpy(user_id, inputs->user, inputs->user_len); |
8545 | 0 | *user_id_len = inputs->user_len; |
8546 | |
|
8547 | 0 | return PSA_SUCCESS; |
8548 | 0 | } |
8549 | | |
8550 | | psa_status_t psa_crypto_driver_pake_get_peer_len( |
8551 | | const psa_crypto_driver_pake_inputs_t *inputs, |
8552 | | size_t *peer_len) |
8553 | 0 | { |
8554 | 0 | if (inputs->peer_len == 0) { |
8555 | 0 | return PSA_ERROR_BAD_STATE; |
8556 | 0 | } |
8557 | | |
8558 | 0 | *peer_len = inputs->peer_len; |
8559 | |
|
8560 | 0 | return PSA_SUCCESS; |
8561 | 0 | } |
8562 | | |
8563 | | psa_status_t psa_crypto_driver_pake_get_peer( |
8564 | | const psa_crypto_driver_pake_inputs_t *inputs, |
8565 | | uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length) |
8566 | 0 | { |
8567 | 0 | if (inputs->peer_len == 0) { |
8568 | 0 | return PSA_ERROR_BAD_STATE; |
8569 | 0 | } |
8570 | | |
8571 | 0 | if (peer_id_size < inputs->peer_len) { |
8572 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
8573 | 0 | } |
8574 | | |
8575 | 0 | memcpy(peer_id, inputs->peer, inputs->peer_len); |
8576 | 0 | *peer_id_length = inputs->peer_len; |
8577 | |
|
8578 | 0 | return PSA_SUCCESS; |
8579 | 0 | } |
8580 | | |
8581 | | psa_status_t psa_crypto_driver_pake_get_cipher_suite( |
8582 | | const psa_crypto_driver_pake_inputs_t *inputs, |
8583 | | psa_pake_cipher_suite_t *cipher_suite) |
8584 | 0 | { |
8585 | 0 | if (inputs->cipher_suite.algorithm == PSA_ALG_NONE) { |
8586 | 0 | return PSA_ERROR_BAD_STATE; |
8587 | 0 | } |
8588 | | |
8589 | 0 | *cipher_suite = inputs->cipher_suite; |
8590 | |
|
8591 | 0 | return PSA_SUCCESS; |
8592 | 0 | } |
8593 | | |
8594 | | psa_status_t psa_pake_setup( |
8595 | | psa_pake_operation_t *operation, |
8596 | | const psa_pake_cipher_suite_t *cipher_suite) |
8597 | 0 | { |
8598 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
8599 | |
|
8600 | 0 | if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) { |
8601 | 0 | status = PSA_ERROR_BAD_STATE; |
8602 | 0 | goto exit; |
8603 | 0 | } |
8604 | | |
8605 | 0 | if (PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || |
8606 | 0 | PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { |
8607 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
8608 | 0 | goto exit; |
8609 | 0 | } |
8610 | | |
8611 | 0 | memset(&operation->data.inputs, 0, sizeof(operation->data.inputs)); |
8612 | |
|
8613 | 0 | operation->alg = cipher_suite->algorithm; |
8614 | 0 | operation->primitive = PSA_PAKE_PRIMITIVE(cipher_suite->type, |
8615 | 0 | cipher_suite->family, cipher_suite->bits); |
8616 | 0 | operation->data.inputs.cipher_suite = *cipher_suite; |
8617 | |
|
8618 | 0 | #if defined(PSA_WANT_ALG_JPAKE) |
8619 | 0 | if (operation->alg == PSA_ALG_JPAKE) { |
8620 | 0 | psa_jpake_computation_stage_t *computation_stage = |
8621 | 0 | &operation->computation_stage.jpake; |
8622 | |
|
8623 | 0 | memset(computation_stage, 0, sizeof(*computation_stage)); |
8624 | 0 | computation_stage->step = PSA_PAKE_STEP_KEY_SHARE; |
8625 | 0 | } else |
8626 | 0 | #endif /* PSA_WANT_ALG_JPAKE */ |
8627 | 0 | { |
8628 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
8629 | 0 | goto exit; |
8630 | 0 | } |
8631 | | |
8632 | 0 | operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS; |
8633 | |
|
8634 | 0 | return PSA_SUCCESS; |
8635 | 0 | exit: |
8636 | 0 | psa_pake_abort(operation); |
8637 | 0 | return status; |
8638 | 0 | } |
8639 | | |
8640 | | psa_status_t psa_pake_set_password_key( |
8641 | | psa_pake_operation_t *operation, |
8642 | | mbedtls_svc_key_id_t password) |
8643 | 0 | { |
8644 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
8645 | 0 | psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; |
8646 | 0 | psa_key_slot_t *slot = NULL; |
8647 | 0 | psa_key_type_t type; |
8648 | |
|
8649 | 0 | if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { |
8650 | 0 | status = PSA_ERROR_BAD_STATE; |
8651 | 0 | goto exit; |
8652 | 0 | } |
8653 | | |
8654 | 0 | status = psa_get_and_lock_key_slot_with_policy(password, &slot, |
8655 | 0 | PSA_KEY_USAGE_DERIVE, |
8656 | 0 | operation->alg); |
8657 | 0 | if (status != PSA_SUCCESS) { |
8658 | 0 | goto exit; |
8659 | 0 | } |
8660 | | |
8661 | 0 | type = psa_get_key_type(&slot->attr); |
8662 | |
|
8663 | 0 | if (type != PSA_KEY_TYPE_PASSWORD && |
8664 | 0 | type != PSA_KEY_TYPE_PASSWORD_HASH) { |
8665 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
8666 | 0 | goto exit; |
8667 | 0 | } |
8668 | | |
8669 | 0 | operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes); |
8670 | 0 | if (operation->data.inputs.password == NULL) { |
8671 | 0 | status = PSA_ERROR_INSUFFICIENT_MEMORY; |
8672 | 0 | goto exit; |
8673 | 0 | } |
8674 | | |
8675 | 0 | memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes); |
8676 | 0 | operation->data.inputs.password_len = slot->key.bytes; |
8677 | 0 | operation->data.inputs.attributes = slot->attr; |
8678 | |
|
8679 | 0 | exit: |
8680 | 0 | if (status != PSA_SUCCESS) { |
8681 | 0 | psa_pake_abort(operation); |
8682 | 0 | } |
8683 | 0 | unlock_status = psa_unregister_read_under_mutex(slot); |
8684 | 0 | return (status == PSA_SUCCESS) ? unlock_status : status; |
8685 | 0 | } |
8686 | | |
8687 | | psa_status_t psa_pake_set_user( |
8688 | | psa_pake_operation_t *operation, |
8689 | | const uint8_t *user_id_external, |
8690 | | size_t user_id_len) |
8691 | 0 | { |
8692 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
8693 | 0 | LOCAL_INPUT_DECLARE(user_id_external, user_id); |
8694 | |
|
8695 | 0 | if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { |
8696 | 0 | status = PSA_ERROR_BAD_STATE; |
8697 | 0 | goto exit; |
8698 | 0 | } |
8699 | | |
8700 | 0 | if (user_id_len == 0) { |
8701 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
8702 | 0 | goto exit; |
8703 | 0 | } |
8704 | | |
8705 | 0 | if (operation->data.inputs.user_len != 0) { |
8706 | 0 | status = PSA_ERROR_BAD_STATE; |
8707 | 0 | goto exit; |
8708 | 0 | } |
8709 | | |
8710 | 0 | operation->data.inputs.user = mbedtls_calloc(1, user_id_len); |
8711 | 0 | if (operation->data.inputs.user == NULL) { |
8712 | 0 | status = PSA_ERROR_INSUFFICIENT_MEMORY; |
8713 | 0 | goto exit; |
8714 | 0 | } |
8715 | | |
8716 | 0 | LOCAL_INPUT_ALLOC(user_id_external, user_id_len, user_id); |
8717 | |
|
8718 | 0 | memcpy(operation->data.inputs.user, user_id, user_id_len); |
8719 | 0 | operation->data.inputs.user_len = user_id_len; |
8720 | |
|
8721 | 0 | status = PSA_SUCCESS; |
8722 | |
|
8723 | 0 | exit: |
8724 | 0 | LOCAL_INPUT_FREE(user_id_external, user_id); |
8725 | 0 | if (status != PSA_SUCCESS) { |
8726 | 0 | psa_pake_abort(operation); |
8727 | 0 | } |
8728 | 0 | return status; |
8729 | 0 | } |
8730 | | |
8731 | | psa_status_t psa_pake_set_peer( |
8732 | | psa_pake_operation_t *operation, |
8733 | | const uint8_t *peer_id_external, |
8734 | | size_t peer_id_len) |
8735 | 0 | { |
8736 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
8737 | 0 | LOCAL_INPUT_DECLARE(peer_id_external, peer_id); |
8738 | |
|
8739 | 0 | if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { |
8740 | 0 | status = PSA_ERROR_BAD_STATE; |
8741 | 0 | goto exit; |
8742 | 0 | } |
8743 | | |
8744 | 0 | if (peer_id_len == 0) { |
8745 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
8746 | 0 | goto exit; |
8747 | 0 | } |
8748 | | |
8749 | 0 | if (operation->data.inputs.peer_len != 0) { |
8750 | 0 | status = PSA_ERROR_BAD_STATE; |
8751 | 0 | goto exit; |
8752 | 0 | } |
8753 | | |
8754 | 0 | operation->data.inputs.peer = mbedtls_calloc(1, peer_id_len); |
8755 | 0 | if (operation->data.inputs.peer == NULL) { |
8756 | 0 | status = PSA_ERROR_INSUFFICIENT_MEMORY; |
8757 | 0 | goto exit; |
8758 | 0 | } |
8759 | | |
8760 | 0 | LOCAL_INPUT_ALLOC(peer_id_external, peer_id_len, peer_id); |
8761 | |
|
8762 | 0 | memcpy(operation->data.inputs.peer, peer_id, peer_id_len); |
8763 | 0 | operation->data.inputs.peer_len = peer_id_len; |
8764 | |
|
8765 | 0 | status = PSA_SUCCESS; |
8766 | |
|
8767 | 0 | exit: |
8768 | 0 | LOCAL_INPUT_FREE(peer_id_external, peer_id); |
8769 | 0 | if (status != PSA_SUCCESS) { |
8770 | 0 | psa_pake_abort(operation); |
8771 | 0 | } |
8772 | 0 | return status; |
8773 | 0 | } |
8774 | | |
8775 | | psa_status_t psa_pake_set_role( |
8776 | | psa_pake_operation_t *operation, |
8777 | | psa_pake_role_t role) |
8778 | 0 | { |
8779 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
8780 | |
|
8781 | 0 | if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { |
8782 | 0 | status = PSA_ERROR_BAD_STATE; |
8783 | 0 | goto exit; |
8784 | 0 | } |
8785 | | |
8786 | 0 | switch (operation->alg) { |
8787 | 0 | #if defined(PSA_WANT_ALG_JPAKE) |
8788 | 0 | case PSA_ALG_JPAKE: |
8789 | 0 | if (role == PSA_PAKE_ROLE_NONE) { |
8790 | 0 | return PSA_SUCCESS; |
8791 | 0 | } |
8792 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
8793 | 0 | break; |
8794 | 0 | #endif |
8795 | 0 | default: |
8796 | 0 | (void) role; |
8797 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
8798 | 0 | goto exit; |
8799 | 0 | } |
8800 | 0 | exit: |
8801 | 0 | psa_pake_abort(operation); |
8802 | 0 | return status; |
8803 | 0 | } |
8804 | | |
8805 | | /* Auxiliary function to convert core computation stage to single driver step. */ |
8806 | | #if defined(PSA_WANT_ALG_JPAKE) |
8807 | | static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step( |
8808 | | psa_jpake_computation_stage_t *stage) |
8809 | 0 | { |
8810 | 0 | psa_crypto_driver_pake_step_t key_share_step; |
8811 | 0 | if (stage->round == PSA_JPAKE_FIRST) { |
8812 | 0 | int is_x1; |
8813 | |
|
8814 | 0 | if (stage->io_mode == PSA_JPAKE_OUTPUT) { |
8815 | 0 | is_x1 = (stage->outputs < 1); |
8816 | 0 | } else { |
8817 | 0 | is_x1 = (stage->inputs < 1); |
8818 | 0 | } |
8819 | |
|
8820 | 0 | key_share_step = is_x1 ? |
8821 | 0 | PSA_JPAKE_X1_STEP_KEY_SHARE : |
8822 | 0 | PSA_JPAKE_X2_STEP_KEY_SHARE; |
8823 | 0 | } else if (stage->round == PSA_JPAKE_SECOND) { |
8824 | 0 | key_share_step = (stage->io_mode == PSA_JPAKE_OUTPUT) ? |
8825 | 0 | PSA_JPAKE_X2S_STEP_KEY_SHARE : |
8826 | 0 | PSA_JPAKE_X4S_STEP_KEY_SHARE; |
8827 | 0 | } else { |
8828 | 0 | return PSA_JPAKE_STEP_INVALID; |
8829 | 0 | } |
8830 | 0 | return (psa_crypto_driver_pake_step_t) (key_share_step + stage->step - PSA_PAKE_STEP_KEY_SHARE); |
8831 | 0 | } |
8832 | | #endif /* PSA_WANT_ALG_JPAKE */ |
8833 | | |
8834 | | static psa_status_t psa_pake_complete_inputs( |
8835 | | psa_pake_operation_t *operation) |
8836 | 0 | { |
8837 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
8838 | | /* Create copy of the inputs on stack as inputs share memory |
8839 | | with the driver context which will be setup by the driver. */ |
8840 | 0 | psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs; |
8841 | |
|
8842 | 0 | if (inputs.password_len == 0) { |
8843 | 0 | return PSA_ERROR_BAD_STATE; |
8844 | 0 | } |
8845 | | |
8846 | 0 | if (operation->alg == PSA_ALG_JPAKE) { |
8847 | 0 | if (inputs.user_len == 0 || inputs.peer_len == 0) { |
8848 | 0 | return PSA_ERROR_BAD_STATE; |
8849 | 0 | } |
8850 | 0 | } |
8851 | | |
8852 | | /* Clear driver context */ |
8853 | 0 | mbedtls_platform_zeroize(&operation->data, sizeof(operation->data)); |
8854 | |
|
8855 | 0 | status = psa_driver_wrapper_pake_setup(operation, &inputs); |
8856 | | |
8857 | | /* Driver is responsible for creating its own copy of the password. */ |
8858 | 0 | mbedtls_zeroize_and_free(inputs.password, inputs.password_len); |
8859 | | |
8860 | | /* User and peer are translated to role. */ |
8861 | 0 | mbedtls_free(inputs.user); |
8862 | 0 | mbedtls_free(inputs.peer); |
8863 | |
|
8864 | 0 | if (status == PSA_SUCCESS) { |
8865 | 0 | #if defined(PSA_WANT_ALG_JPAKE) |
8866 | 0 | if (operation->alg == PSA_ALG_JPAKE) { |
8867 | 0 | operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; |
8868 | 0 | } else |
8869 | 0 | #endif /* PSA_WANT_ALG_JPAKE */ |
8870 | 0 | { |
8871 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
8872 | 0 | } |
8873 | 0 | } |
8874 | 0 | return status; |
8875 | 0 | } |
8876 | | |
8877 | | #if defined(PSA_WANT_ALG_JPAKE) |
8878 | | static psa_status_t psa_jpake_prologue( |
8879 | | psa_pake_operation_t *operation, |
8880 | | psa_pake_step_t step, |
8881 | | psa_jpake_io_mode_t io_mode) |
8882 | 0 | { |
8883 | 0 | if (step != PSA_PAKE_STEP_KEY_SHARE && |
8884 | 0 | step != PSA_PAKE_STEP_ZK_PUBLIC && |
8885 | 0 | step != PSA_PAKE_STEP_ZK_PROOF) { |
8886 | 0 | return PSA_ERROR_INVALID_ARGUMENT; |
8887 | 0 | } |
8888 | | |
8889 | 0 | psa_jpake_computation_stage_t *computation_stage = |
8890 | 0 | &operation->computation_stage.jpake; |
8891 | |
|
8892 | 0 | if (computation_stage->round != PSA_JPAKE_FIRST && |
8893 | 0 | computation_stage->round != PSA_JPAKE_SECOND) { |
8894 | 0 | return PSA_ERROR_BAD_STATE; |
8895 | 0 | } |
8896 | | |
8897 | | /* Check that the step we are given is the one we were expecting */ |
8898 | 0 | if (step != computation_stage->step) { |
8899 | 0 | return PSA_ERROR_BAD_STATE; |
8900 | 0 | } |
8901 | | |
8902 | 0 | if (step == PSA_PAKE_STEP_KEY_SHARE && |
8903 | 0 | computation_stage->inputs == 0 && |
8904 | 0 | computation_stage->outputs == 0) { |
8905 | | /* Start of the round, so function decides whether we are inputting |
8906 | | * or outputting */ |
8907 | 0 | computation_stage->io_mode = io_mode; |
8908 | 0 | } else if (computation_stage->io_mode != io_mode) { |
8909 | | /* Middle of the round so the mode we are in must match the function |
8910 | | * called by the user */ |
8911 | 0 | return PSA_ERROR_BAD_STATE; |
8912 | 0 | } |
8913 | | |
8914 | 0 | return PSA_SUCCESS; |
8915 | 0 | } |
8916 | | |
8917 | | static psa_status_t psa_jpake_epilogue( |
8918 | | psa_pake_operation_t *operation, |
8919 | | psa_jpake_io_mode_t io_mode) |
8920 | 0 | { |
8921 | 0 | psa_jpake_computation_stage_t *stage = |
8922 | 0 | &operation->computation_stage.jpake; |
8923 | |
|
8924 | 0 | if (stage->step == PSA_PAKE_STEP_ZK_PROOF) { |
8925 | | /* End of an input/output */ |
8926 | 0 | if (io_mode == PSA_JPAKE_INPUT) { |
8927 | 0 | stage->inputs++; |
8928 | 0 | if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round)) { |
8929 | 0 | stage->io_mode = PSA_JPAKE_OUTPUT; |
8930 | 0 | } |
8931 | 0 | } |
8932 | 0 | if (io_mode == PSA_JPAKE_OUTPUT) { |
8933 | 0 | stage->outputs++; |
8934 | 0 | if (stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) { |
8935 | 0 | stage->io_mode = PSA_JPAKE_INPUT; |
8936 | 0 | } |
8937 | 0 | } |
8938 | 0 | if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round) && |
8939 | 0 | stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) { |
8940 | | /* End of a round, move to the next round */ |
8941 | 0 | stage->inputs = 0; |
8942 | 0 | stage->outputs = 0; |
8943 | 0 | stage->round++; |
8944 | 0 | } |
8945 | 0 | stage->step = PSA_PAKE_STEP_KEY_SHARE; |
8946 | 0 | } else { |
8947 | 0 | stage->step++; |
8948 | 0 | } |
8949 | 0 | return PSA_SUCCESS; |
8950 | 0 | } |
8951 | | |
8952 | | #endif /* PSA_WANT_ALG_JPAKE */ |
8953 | | |
8954 | | psa_status_t psa_pake_output( |
8955 | | psa_pake_operation_t *operation, |
8956 | | psa_pake_step_t step, |
8957 | | uint8_t *output_external, |
8958 | | size_t output_size, |
8959 | | size_t *output_length) |
8960 | 0 | { |
8961 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
8962 | 0 | psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID; |
8963 | 0 | LOCAL_OUTPUT_DECLARE(output_external, output); |
8964 | 0 | *output_length = 0; |
8965 | |
|
8966 | 0 | if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { |
8967 | 0 | status = psa_pake_complete_inputs(operation); |
8968 | 0 | if (status != PSA_SUCCESS) { |
8969 | 0 | goto exit; |
8970 | 0 | } |
8971 | 0 | } |
8972 | | |
8973 | 0 | if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { |
8974 | 0 | status = PSA_ERROR_BAD_STATE; |
8975 | 0 | goto exit; |
8976 | 0 | } |
8977 | | |
8978 | 0 | if (output_size == 0) { |
8979 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
8980 | 0 | goto exit; |
8981 | 0 | } |
8982 | | |
8983 | 0 | switch (operation->alg) { |
8984 | 0 | #if defined(PSA_WANT_ALG_JPAKE) |
8985 | 0 | case PSA_ALG_JPAKE: |
8986 | 0 | status = psa_jpake_prologue(operation, step, PSA_JPAKE_OUTPUT); |
8987 | 0 | if (status != PSA_SUCCESS) { |
8988 | 0 | goto exit; |
8989 | 0 | } |
8990 | 0 | driver_step = convert_jpake_computation_stage_to_driver_step( |
8991 | 0 | &operation->computation_stage.jpake); |
8992 | 0 | break; |
8993 | 0 | #endif /* PSA_WANT_ALG_JPAKE */ |
8994 | 0 | default: |
8995 | 0 | (void) step; |
8996 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
8997 | 0 | goto exit; |
8998 | 0 | } |
8999 | | |
9000 | 0 | LOCAL_OUTPUT_ALLOC(output_external, output_size, output); |
9001 | |
|
9002 | 0 | status = psa_driver_wrapper_pake_output(operation, driver_step, |
9003 | 0 | output, output_size, output_length); |
9004 | |
|
9005 | 0 | if (status != PSA_SUCCESS) { |
9006 | 0 | goto exit; |
9007 | 0 | } |
9008 | | |
9009 | 0 | switch (operation->alg) { |
9010 | 0 | #if defined(PSA_WANT_ALG_JPAKE) |
9011 | 0 | case PSA_ALG_JPAKE: |
9012 | 0 | status = psa_jpake_epilogue(operation, PSA_JPAKE_OUTPUT); |
9013 | 0 | if (status != PSA_SUCCESS) { |
9014 | 0 | goto exit; |
9015 | 0 | } |
9016 | 0 | break; |
9017 | 0 | #endif /* PSA_WANT_ALG_JPAKE */ |
9018 | 0 | default: |
9019 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
9020 | 0 | goto exit; |
9021 | 0 | } |
9022 | | |
9023 | 0 | exit: |
9024 | 0 | LOCAL_OUTPUT_FREE(output_external, output); |
9025 | 0 | if (status != PSA_SUCCESS) { |
9026 | 0 | psa_pake_abort(operation); |
9027 | 0 | } |
9028 | 0 | return status; |
9029 | 0 | } |
9030 | | |
9031 | | psa_status_t psa_pake_input( |
9032 | | psa_pake_operation_t *operation, |
9033 | | psa_pake_step_t step, |
9034 | | const uint8_t *input_external, |
9035 | | size_t input_length) |
9036 | 0 | { |
9037 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
9038 | 0 | psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID; |
9039 | 0 | const size_t max_input_length = (size_t) PSA_PAKE_INPUT_SIZE(operation->alg, |
9040 | 0 | operation->primitive, |
9041 | 0 | step); |
9042 | 0 | LOCAL_INPUT_DECLARE(input_external, input); |
9043 | |
|
9044 | 0 | if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { |
9045 | 0 | status = psa_pake_complete_inputs(operation); |
9046 | 0 | if (status != PSA_SUCCESS) { |
9047 | 0 | goto exit; |
9048 | 0 | } |
9049 | 0 | } |
9050 | | |
9051 | 0 | if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { |
9052 | 0 | status = PSA_ERROR_BAD_STATE; |
9053 | 0 | goto exit; |
9054 | 0 | } |
9055 | | |
9056 | 0 | if (input_length == 0 || input_length > max_input_length) { |
9057 | 0 | status = PSA_ERROR_INVALID_ARGUMENT; |
9058 | 0 | goto exit; |
9059 | 0 | } |
9060 | | |
9061 | 0 | switch (operation->alg) { |
9062 | 0 | #if defined(PSA_WANT_ALG_JPAKE) |
9063 | 0 | case PSA_ALG_JPAKE: |
9064 | 0 | status = psa_jpake_prologue(operation, step, PSA_JPAKE_INPUT); |
9065 | 0 | if (status != PSA_SUCCESS) { |
9066 | 0 | goto exit; |
9067 | 0 | } |
9068 | 0 | driver_step = convert_jpake_computation_stage_to_driver_step( |
9069 | 0 | &operation->computation_stage.jpake); |
9070 | 0 | break; |
9071 | 0 | #endif /* PSA_WANT_ALG_JPAKE */ |
9072 | 0 | default: |
9073 | 0 | (void) step; |
9074 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
9075 | 0 | goto exit; |
9076 | 0 | } |
9077 | | |
9078 | 0 | LOCAL_INPUT_ALLOC(input_external, input_length, input); |
9079 | 0 | status = psa_driver_wrapper_pake_input(operation, driver_step, |
9080 | 0 | input, input_length); |
9081 | |
|
9082 | 0 | if (status != PSA_SUCCESS) { |
9083 | 0 | goto exit; |
9084 | 0 | } |
9085 | | |
9086 | 0 | switch (operation->alg) { |
9087 | 0 | #if defined(PSA_WANT_ALG_JPAKE) |
9088 | 0 | case PSA_ALG_JPAKE: |
9089 | 0 | status = psa_jpake_epilogue(operation, PSA_JPAKE_INPUT); |
9090 | 0 | if (status != PSA_SUCCESS) { |
9091 | 0 | goto exit; |
9092 | 0 | } |
9093 | 0 | break; |
9094 | 0 | #endif /* PSA_WANT_ALG_JPAKE */ |
9095 | 0 | default: |
9096 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
9097 | 0 | goto exit; |
9098 | 0 | } |
9099 | | |
9100 | 0 | exit: |
9101 | 0 | LOCAL_INPUT_FREE(input_external, input); |
9102 | 0 | if (status != PSA_SUCCESS) { |
9103 | 0 | psa_pake_abort(operation); |
9104 | 0 | } |
9105 | 0 | return status; |
9106 | 0 | } |
9107 | | |
9108 | | psa_status_t psa_pake_get_implicit_key( |
9109 | | psa_pake_operation_t *operation, |
9110 | | psa_key_derivation_operation_t *output) |
9111 | 0 | { |
9112 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
9113 | 0 | psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; |
9114 | 0 | uint8_t shared_key[MBEDTLS_PSA_JPAKE_BUFFER_SIZE]; |
9115 | 0 | size_t shared_key_len = 0; |
9116 | |
|
9117 | 0 | if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { |
9118 | 0 | status = PSA_ERROR_BAD_STATE; |
9119 | 0 | goto exit; |
9120 | 0 | } |
9121 | | |
9122 | 0 | #if defined(PSA_WANT_ALG_JPAKE) |
9123 | 0 | if (operation->alg == PSA_ALG_JPAKE) { |
9124 | 0 | psa_jpake_computation_stage_t *computation_stage = |
9125 | 0 | &operation->computation_stage.jpake; |
9126 | 0 | if (computation_stage->round != PSA_JPAKE_FINISHED) { |
9127 | 0 | status = PSA_ERROR_BAD_STATE; |
9128 | 0 | goto exit; |
9129 | 0 | } |
9130 | 0 | } else |
9131 | 0 | #endif /* PSA_WANT_ALG_JPAKE */ |
9132 | 0 | { |
9133 | 0 | status = PSA_ERROR_NOT_SUPPORTED; |
9134 | 0 | goto exit; |
9135 | 0 | } |
9136 | | |
9137 | 0 | status = psa_driver_wrapper_pake_get_implicit_key(operation, |
9138 | 0 | shared_key, |
9139 | 0 | sizeof(shared_key), |
9140 | 0 | &shared_key_len); |
9141 | |
|
9142 | 0 | if (status != PSA_SUCCESS) { |
9143 | 0 | goto exit; |
9144 | 0 | } |
9145 | | |
9146 | 0 | status = psa_key_derivation_input_bytes(output, |
9147 | 0 | PSA_KEY_DERIVATION_INPUT_SECRET, |
9148 | 0 | shared_key, |
9149 | 0 | shared_key_len); |
9150 | |
|
9151 | 0 | mbedtls_platform_zeroize(shared_key, sizeof(shared_key)); |
9152 | 0 | exit: |
9153 | 0 | abort_status = psa_pake_abort(operation); |
9154 | 0 | return status == PSA_SUCCESS ? abort_status : status; |
9155 | 0 | } |
9156 | | |
9157 | | psa_status_t psa_pake_abort( |
9158 | | psa_pake_operation_t *operation) |
9159 | 0 | { |
9160 | 0 | psa_status_t status = PSA_SUCCESS; |
9161 | |
|
9162 | 0 | if (operation->stage == PSA_PAKE_OPERATION_STAGE_COMPUTATION) { |
9163 | 0 | status = psa_driver_wrapper_pake_abort(operation); |
9164 | 0 | } |
9165 | |
|
9166 | 0 | if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { |
9167 | 0 | if (operation->data.inputs.password != NULL) { |
9168 | 0 | mbedtls_zeroize_and_free(operation->data.inputs.password, |
9169 | 0 | operation->data.inputs.password_len); |
9170 | 0 | } |
9171 | 0 | if (operation->data.inputs.user != NULL) { |
9172 | 0 | mbedtls_free(operation->data.inputs.user); |
9173 | 0 | } |
9174 | 0 | if (operation->data.inputs.peer != NULL) { |
9175 | 0 | mbedtls_free(operation->data.inputs.peer); |
9176 | 0 | } |
9177 | 0 | } |
9178 | 0 | memset(operation, 0, sizeof(psa_pake_operation_t)); |
9179 | |
|
9180 | 0 | return status; |
9181 | 0 | } |
9182 | | #endif /* PSA_WANT_ALG_SOME_PAKE */ |
9183 | | |
9184 | | /* Memory copying test hooks. These are called before input copy, after input |
9185 | | * copy, before output copy and after output copy, respectively. |
9186 | | * They are used by memory-poisoning tests to temporarily unpoison buffers |
9187 | | * while they are copied. */ |
9188 | | #if defined(MBEDTLS_TEST_HOOKS) |
9189 | | void (*psa_input_pre_copy_hook)(const uint8_t *input, size_t input_len) = NULL; |
9190 | | void (*psa_input_post_copy_hook)(const uint8_t *input, size_t input_len) = NULL; |
9191 | | void (*psa_output_pre_copy_hook)(const uint8_t *output, size_t output_len) = NULL; |
9192 | | void (*psa_output_post_copy_hook)(const uint8_t *output, size_t output_len) = NULL; |
9193 | | #endif |
9194 | | |
9195 | | /** Copy from an input buffer to a local copy. |
9196 | | * |
9197 | | * \param[in] input Pointer to input buffer. |
9198 | | * \param[in] input_len Length of the input buffer. |
9199 | | * \param[out] input_copy Pointer to a local copy in which to store the input data. |
9200 | | * \param[out] input_copy_len Length of the local copy buffer. |
9201 | | * \return #PSA_SUCCESS, if the buffer was successfully |
9202 | | * copied. |
9203 | | * \return #PSA_ERROR_CORRUPTION_DETECTED, if the local |
9204 | | * copy is too small to hold contents of the |
9205 | | * input buffer. |
9206 | | */ |
9207 | | MBEDTLS_STATIC_TESTABLE |
9208 | | psa_status_t psa_crypto_copy_input(const uint8_t *input, size_t input_len, |
9209 | | uint8_t *input_copy, size_t input_copy_len) |
9210 | 0 | { |
9211 | 0 | if (input_len > input_copy_len) { |
9212 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
9213 | 0 | } |
9214 | | |
9215 | 0 | #if defined(MBEDTLS_TEST_HOOKS) |
9216 | 0 | if (psa_input_pre_copy_hook != NULL) { |
9217 | 0 | psa_input_pre_copy_hook(input, input_len); |
9218 | 0 | } |
9219 | 0 | #endif |
9220 | |
|
9221 | 0 | if (input_len > 0) { |
9222 | 0 | memcpy(input_copy, input, input_len); |
9223 | 0 | } |
9224 | |
|
9225 | 0 | #if defined(MBEDTLS_TEST_HOOKS) |
9226 | 0 | if (psa_input_post_copy_hook != NULL) { |
9227 | 0 | psa_input_post_copy_hook(input, input_len); |
9228 | 0 | } |
9229 | 0 | #endif |
9230 | |
|
9231 | 0 | return PSA_SUCCESS; |
9232 | 0 | } |
9233 | | |
9234 | | /** Copy from a local output buffer into a user-supplied one. |
9235 | | * |
9236 | | * \param[in] output_copy Pointer to a local buffer containing the output. |
9237 | | * \param[in] output_copy_len Length of the local buffer. |
9238 | | * \param[out] output Pointer to user-supplied output buffer. |
9239 | | * \param[out] output_len Length of the user-supplied output buffer. |
9240 | | * \return #PSA_SUCCESS, if the buffer was successfully |
9241 | | * copied. |
9242 | | * \return #PSA_ERROR_BUFFER_TOO_SMALL, if the |
9243 | | * user-supplied output buffer is too small to |
9244 | | * hold the contents of the local buffer. |
9245 | | */ |
9246 | | MBEDTLS_STATIC_TESTABLE |
9247 | | psa_status_t psa_crypto_copy_output(const uint8_t *output_copy, size_t output_copy_len, |
9248 | | uint8_t *output, size_t output_len) |
9249 | 0 | { |
9250 | 0 | if (output_len < output_copy_len) { |
9251 | 0 | return PSA_ERROR_BUFFER_TOO_SMALL; |
9252 | 0 | } |
9253 | | |
9254 | 0 | #if defined(MBEDTLS_TEST_HOOKS) |
9255 | 0 | if (psa_output_pre_copy_hook != NULL) { |
9256 | 0 | psa_output_pre_copy_hook(output, output_len); |
9257 | 0 | } |
9258 | 0 | #endif |
9259 | |
|
9260 | 0 | if (output_copy_len > 0) { |
9261 | 0 | memcpy(output, output_copy, output_copy_len); |
9262 | 0 | } |
9263 | |
|
9264 | 0 | #if defined(MBEDTLS_TEST_HOOKS) |
9265 | 0 | if (psa_output_post_copy_hook != NULL) { |
9266 | 0 | psa_output_post_copy_hook(output, output_len); |
9267 | 0 | } |
9268 | 0 | #endif |
9269 | |
|
9270 | 0 | return PSA_SUCCESS; |
9271 | 0 | } |
9272 | | |
9273 | | psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len, |
9274 | | psa_crypto_local_input_t *local_input) |
9275 | 0 | { |
9276 | 0 | psa_status_t status; |
9277 | |
|
9278 | 0 | *local_input = PSA_CRYPTO_LOCAL_INPUT_INIT; |
9279 | |
|
9280 | 0 | if (input_len == 0) { |
9281 | 0 | return PSA_SUCCESS; |
9282 | 0 | } |
9283 | | |
9284 | 0 | local_input->buffer = mbedtls_calloc(input_len, 1); |
9285 | 0 | if (local_input->buffer == NULL) { |
9286 | | /* Since we dealt with the zero-length case above, we know that |
9287 | | * a NULL return value means a failure of allocation. */ |
9288 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
9289 | 0 | } |
9290 | | /* From now on, we must free local_input->buffer on error. */ |
9291 | | |
9292 | 0 | local_input->length = input_len; |
9293 | |
|
9294 | 0 | status = psa_crypto_copy_input(input, input_len, |
9295 | 0 | local_input->buffer, local_input->length); |
9296 | 0 | if (status != PSA_SUCCESS) { |
9297 | 0 | goto error; |
9298 | 0 | } |
9299 | | |
9300 | 0 | return PSA_SUCCESS; |
9301 | | |
9302 | 0 | error: |
9303 | 0 | mbedtls_free(local_input->buffer); |
9304 | 0 | local_input->buffer = NULL; |
9305 | 0 | local_input->length = 0; |
9306 | 0 | return status; |
9307 | 0 | } |
9308 | | |
9309 | | void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input) |
9310 | 0 | { |
9311 | 0 | mbedtls_free(local_input->buffer); |
9312 | 0 | local_input->buffer = NULL; |
9313 | 0 | local_input->length = 0; |
9314 | 0 | } |
9315 | | |
9316 | | psa_status_t psa_crypto_local_output_alloc(uint8_t *output, size_t output_len, |
9317 | | psa_crypto_local_output_t *local_output) |
9318 | 0 | { |
9319 | 0 | *local_output = PSA_CRYPTO_LOCAL_OUTPUT_INIT; |
9320 | |
|
9321 | 0 | if (output_len == 0) { |
9322 | 0 | return PSA_SUCCESS; |
9323 | 0 | } |
9324 | 0 | local_output->buffer = mbedtls_calloc(output_len, 1); |
9325 | 0 | if (local_output->buffer == NULL) { |
9326 | | /* Since we dealt with the zero-length case above, we know that |
9327 | | * a NULL return value means a failure of allocation. */ |
9328 | 0 | return PSA_ERROR_INSUFFICIENT_MEMORY; |
9329 | 0 | } |
9330 | 0 | local_output->length = output_len; |
9331 | 0 | local_output->original = output; |
9332 | |
|
9333 | 0 | return PSA_SUCCESS; |
9334 | 0 | } |
9335 | | |
9336 | | psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_output) |
9337 | 0 | { |
9338 | 0 | psa_status_t status; |
9339 | |
|
9340 | 0 | if (local_output->buffer == NULL) { |
9341 | 0 | local_output->length = 0; |
9342 | 0 | return PSA_SUCCESS; |
9343 | 0 | } |
9344 | 0 | if (local_output->original == NULL) { |
9345 | | /* We have an internal copy but nothing to copy back to. */ |
9346 | 0 | return PSA_ERROR_CORRUPTION_DETECTED; |
9347 | 0 | } |
9348 | | |
9349 | 0 | status = psa_crypto_copy_output(local_output->buffer, local_output->length, |
9350 | 0 | local_output->original, local_output->length); |
9351 | 0 | if (status != PSA_SUCCESS) { |
9352 | 0 | return status; |
9353 | 0 | } |
9354 | | |
9355 | 0 | mbedtls_free(local_output->buffer); |
9356 | 0 | local_output->buffer = NULL; |
9357 | 0 | local_output->length = 0; |
9358 | |
|
9359 | 0 | return PSA_SUCCESS; |
9360 | 0 | } |
9361 | | |
9362 | | #endif /* MBEDTLS_PSA_CRYPTO_C */ |