Coverage Report

Created: 2025-03-01 06:26

/src/mbedtls/library/psa_crypto.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  PSA crypto layer on top of Mbed TLS crypto
3
 */
4
/*
5
 *  Copyright The Mbed TLS Contributors
6
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7
 */
8
9
#include "common.h"
10
#include "psa_crypto_core_common.h"
11
12
#if defined(MBEDTLS_PSA_CRYPTO_C)
13
14
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
15
#include "check_crypto_config.h"
16
#endif
17
18
#include "psa/crypto.h"
19
#include "psa/crypto_values.h"
20
21
#include "psa_crypto_cipher.h"
22
#include "psa_crypto_core.h"
23
#include "psa_crypto_invasive.h"
24
#include "psa_crypto_driver_wrappers.h"
25
#include "psa_crypto_driver_wrappers_no_static.h"
26
#include "psa_crypto_ecp.h"
27
#include "psa_crypto_ffdh.h"
28
#include "psa_crypto_hash.h"
29
#include "psa_crypto_mac.h"
30
#include "psa_crypto_rsa.h"
31
#include "psa_crypto_ecp.h"
32
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
33
#include "psa_crypto_se.h"
34
#endif
35
#include "psa_crypto_slot_management.h"
36
/* Include internal declarations that are useful for implementing persistently
37
 * stored keys. */
38
#include "psa_crypto_storage.h"
39
40
#include "psa_crypto_random_impl.h"
41
42
#include <stdlib.h>
43
#include <string.h>
44
#include "mbedtls/platform.h"
45
46
#include "mbedtls/aes.h"
47
#include "mbedtls/asn1.h"
48
#include "mbedtls/asn1write.h"
49
#include "mbedtls/bignum.h"
50
#include "mbedtls/camellia.h"
51
#include "mbedtls/chacha20.h"
52
#include "mbedtls/chachapoly.h"
53
#include "mbedtls/cipher.h"
54
#include "mbedtls/ccm.h"
55
#include "mbedtls/cmac.h"
56
#include "mbedtls/constant_time.h"
57
#include "mbedtls/des.h"
58
#include "mbedtls/ecdh.h"
59
#include "mbedtls/ecp.h"
60
#include "mbedtls/entropy.h"
61
#include "mbedtls/error.h"
62
#include "mbedtls/gcm.h"
63
#include "mbedtls/md5.h"
64
#include "mbedtls/pk.h"
65
#include "pk_wrap.h"
66
#include "mbedtls/platform_util.h"
67
#include "mbedtls/error.h"
68
#include "mbedtls/ripemd160.h"
69
#include "mbedtls/rsa.h"
70
#include "mbedtls/sha1.h"
71
#include "mbedtls/sha256.h"
72
#include "mbedtls/sha512.h"
73
#include "mbedtls/psa_util.h"
74
#include "mbedtls/threading.h"
75
76
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) ||          \
77
    defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) ||  \
78
    defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
79
#define BUILTIN_ALG_ANY_HKDF 1
80
#endif
81
82
/****************************************************************/
83
/* Global data, support functions and library management */
84
/****************************************************************/
85
86
static int key_type_is_raw_bytes(psa_key_type_t type)
87
0
{
88
0
    return PSA_KEY_TYPE_IS_UNSTRUCTURED(type);
89
0
}
90
91
/* Values for psa_global_data_t::rng_state */
92
12
#define RNG_NOT_INITIALIZED 0
93
2
#define RNG_INITIALIZED 1
94
2
#define RNG_SEEDED 2
95
96
/* IDs for PSA crypto subsystems. Starts at 1 to catch potential uninitialized
97
 * variables as arguments. */
98
typedef enum {
99
    PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS = 1,
100
    PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS,
101
    PSA_CRYPTO_SUBSYSTEM_RNG,
102
    PSA_CRYPTO_SUBSYSTEM_TRANSACTION,
103
} mbedtls_psa_crypto_subsystem;
104
105
/* Initialization flags for global_data::initialized */
106
12
#define PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED    0x01
107
10
#define PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED          0x02
108
4
#define PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED        0x04
109
110
0
#define PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED                ( \
111
0
        PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED | \
112
0
        PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED | \
113
0
        PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)
114
115
typedef struct {
116
    uint8_t initialized;
117
    uint8_t rng_state;
118
    mbedtls_psa_random_context_t rng;
119
} psa_global_data_t;
120
121
static psa_global_data_t global_data;
122
123
static uint8_t psa_get_initialized(void)
124
2
{
125
2
    uint8_t initialized;
126
127
2
#if defined(MBEDTLS_THREADING_C)
128
2
    mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
129
2
#endif /* defined(MBEDTLS_THREADING_C) */
130
131
2
    initialized = global_data.rng_state == RNG_SEEDED;
132
133
2
#if defined(MBEDTLS_THREADING_C)
134
2
    mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
135
2
#endif /* defined(MBEDTLS_THREADING_C) */
136
137
2
#if defined(MBEDTLS_THREADING_C)
138
2
    mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
139
2
#endif /* defined(MBEDTLS_THREADING_C) */
140
141
2
    initialized =
142
2
        (initialized && (global_data.initialized == PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED));
143
144
2
#if defined(MBEDTLS_THREADING_C)
145
2
    mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
146
2
#endif /* defined(MBEDTLS_THREADING_C) */
147
148
2
    return initialized;
149
2
}
150
151
static uint8_t psa_get_drivers_initialized(void)
152
0
{
153
0
    uint8_t initialized;
154
155
0
#if defined(MBEDTLS_THREADING_C)
156
0
    mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
157
0
#endif /* defined(MBEDTLS_THREADING_C) */
158
159
0
    initialized = (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) != 0;
160
161
0
#if defined(MBEDTLS_THREADING_C)
162
0
    mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
163
0
#endif /* defined(MBEDTLS_THREADING_C) */
164
165
0
    return initialized;
166
0
}
167
168
#define GUARD_MODULE_INITIALIZED        \
169
0
    if (psa_get_initialized() == 0)     \
170
0
    return PSA_ERROR_BAD_STATE;
171
172
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
173
174
/* Declare a local copy of an input buffer and a variable that will be used
175
 * to store a pointer to the start of the buffer.
176
 *
177
 * Note: This macro must be called before any operations which may jump to
178
 * the exit label, so that the local input copy object is safe to be freed.
179
 *
180
 * Assumptions:
181
 * - input is the name of a pointer to the buffer to be copied
182
 * - The name LOCAL_INPUT_COPY_OF_input is unused in the current scope
183
 * - input_copy_name is a name that is unused in the current scope
184
 */
185
#define LOCAL_INPUT_DECLARE(input, input_copy_name) \
186
0
    psa_crypto_local_input_t LOCAL_INPUT_COPY_OF_##input = PSA_CRYPTO_LOCAL_INPUT_INIT; \
187
0
    const uint8_t *input_copy_name = NULL;
188
189
/* Allocate a copy of the buffer input and set the pointer input_copy to
190
 * point to the start of the copy.
191
 *
192
 * Assumptions:
193
 * - psa_status_t status exists
194
 * - An exit label is declared
195
 * - input is the name of a pointer to the buffer to be copied
196
 * - LOCAL_INPUT_DECLARE(input, input_copy) has previously been called
197
 */
198
#define LOCAL_INPUT_ALLOC(input, length, input_copy) \
199
0
    status = psa_crypto_local_input_alloc(input, length, \
200
0
                                          &LOCAL_INPUT_COPY_OF_##input); \
201
0
    if (status != PSA_SUCCESS) { \
202
0
        goto exit; \
203
0
    } \
204
0
    input_copy = LOCAL_INPUT_COPY_OF_##input.buffer;
205
206
/* Free the local input copy allocated previously by LOCAL_INPUT_ALLOC()
207
 *
208
 * Assumptions:
209
 * - input_copy is the name of the input copy pointer set by LOCAL_INPUT_ALLOC()
210
 * - input is the name of the original buffer that was copied
211
 */
212
#define LOCAL_INPUT_FREE(input, input_copy) \
213
0
    input_copy = NULL; \
214
0
    psa_crypto_local_input_free(&LOCAL_INPUT_COPY_OF_##input);
215
216
/* Declare a local copy of an output buffer and a variable that will be used
217
 * to store a pointer to the start of the buffer.
218
 *
219
 * Note: This macro must be called before any operations which may jump to
220
 * the exit label, so that the local output copy object is safe to be freed.
221
 *
222
 * Assumptions:
223
 * - output is the name of a pointer to the buffer to be copied
224
 * - The name LOCAL_OUTPUT_COPY_OF_output is unused in the current scope
225
 * - output_copy_name is a name that is unused in the current scope
226
 */
227
#define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \
228
0
    psa_crypto_local_output_t LOCAL_OUTPUT_COPY_OF_##output = PSA_CRYPTO_LOCAL_OUTPUT_INIT; \
229
0
    uint8_t *output_copy_name = NULL;
230
231
/* Allocate a copy of the buffer output and set the pointer output_copy to
232
 * point to the start of the copy.
233
 *
234
 * Assumptions:
235
 * - psa_status_t status exists
236
 * - An exit label is declared
237
 * - output is the name of a pointer to the buffer to be copied
238
 * - LOCAL_OUTPUT_DECLARE(output, output_copy) has previously been called
239
 */
240
#define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \
241
0
    status = psa_crypto_local_output_alloc(output, length, \
242
0
                                           &LOCAL_OUTPUT_COPY_OF_##output); \
243
0
    if (status != PSA_SUCCESS) { \
244
0
        goto exit; \
245
0
    } \
246
0
    output_copy = LOCAL_OUTPUT_COPY_OF_##output.buffer;
247
248
/* Free the local output copy allocated previously by LOCAL_OUTPUT_ALLOC()
249
 * after first copying back its contents to the original buffer.
250
 *
251
 * Assumptions:
252
 * - psa_status_t status exists
253
 * - output_copy is the name of the output copy pointer set by LOCAL_OUTPUT_ALLOC()
254
 * - output is the name of the original buffer that was copied
255
 */
256
#define LOCAL_OUTPUT_FREE(output, output_copy) \
257
0
    output_copy = NULL; \
258
0
    do { \
259
0
        psa_status_t local_output_status; \
260
0
        local_output_status = psa_crypto_local_output_free(&LOCAL_OUTPUT_COPY_OF_##output); \
261
0
        if (local_output_status != PSA_SUCCESS) { \
262
0
            /* Since this error case is an internal error, it's more serious than \
263
0
             * any existing error code and so it's fine to overwrite the existing \
264
0
             * status. */ \
265
0
            status = local_output_status; \
266
0
        } \
267
0
    } while (0)
268
#else /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
269
#define LOCAL_INPUT_DECLARE(input, input_copy_name) \
270
    const uint8_t *input_copy_name = NULL;
271
#define LOCAL_INPUT_ALLOC(input, length, input_copy) \
272
    input_copy = input;
273
#define LOCAL_INPUT_FREE(input, input_copy) \
274
    input_copy = NULL;
275
#define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \
276
    uint8_t *output_copy_name = NULL;
277
#define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \
278
    output_copy = output;
279
#define LOCAL_OUTPUT_FREE(output, output_copy) \
280
    output_copy = NULL;
281
#endif /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
282
283
284
int psa_can_do_hash(psa_algorithm_t hash_alg)
285
0
{
286
0
    (void) hash_alg;
287
0
    return psa_get_drivers_initialized();
288
0
}
289
290
int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg)
291
0
{
292
0
    (void) key_type;
293
0
    (void) cipher_alg;
294
0
    return psa_get_drivers_initialized();
295
0
}
296
297
298
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) ||       \
299
    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) ||     \
300
    defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
301
static int psa_is_dh_key_size_valid(size_t bits)
302
0
{
303
0
    switch (bits) {
304
0
#if defined(PSA_WANT_DH_RFC7919_2048)
305
0
        case 2048:
306
0
            return 1;
307
0
#endif /* PSA_WANT_DH_RFC7919_2048 */
308
0
#if defined(PSA_WANT_DH_RFC7919_3072)
309
0
        case 3072:
310
0
            return 1;
311
0
#endif /* PSA_WANT_DH_RFC7919_3072 */
312
0
#if defined(PSA_WANT_DH_RFC7919_4096)
313
0
        case 4096:
314
0
            return 1;
315
0
#endif /* PSA_WANT_DH_RFC7919_4096 */
316
0
#if defined(PSA_WANT_DH_RFC7919_6144)
317
0
        case 6144:
318
0
            return 1;
319
0
#endif /* PSA_WANT_DH_RFC7919_6144 */
320
0
#if defined(PSA_WANT_DH_RFC7919_8192)
321
0
        case 8192:
322
0
            return 1;
323
0
#endif /* PSA_WANT_DH_RFC7919_8192 */
324
0
        default:
325
0
            return 0;
326
0
    }
327
0
}
328
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT ||
329
          MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
330
          PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
331
332
psa_status_t mbedtls_to_psa_error(int ret)
333
2
{
334
    /* Mbed TLS error codes can combine a high-level error code and a
335
     * low-level error code. The low-level error usually reflects the
336
     * root cause better, so dispatch on that preferably. */
337
2
    int low_level_ret = -(-ret & 0x007f);
338
2
    switch (low_level_ret != 0 ? low_level_ret : ret) {
339
0
        case 0:
340
0
            return PSA_SUCCESS;
341
342
0
#if defined(MBEDTLS_AES_C)
343
0
        case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
344
0
        case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
345
0
            return PSA_ERROR_NOT_SUPPORTED;
346
0
        case MBEDTLS_ERR_AES_BAD_INPUT_DATA:
347
0
            return PSA_ERROR_INVALID_ARGUMENT;
348
0
#endif
349
350
0
#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_ASN1_WRITE_C)
351
0
        case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
352
0
        case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
353
0
        case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
354
0
        case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH:
355
0
        case MBEDTLS_ERR_ASN1_INVALID_DATA:
356
0
            return PSA_ERROR_INVALID_ARGUMENT;
357
0
        case MBEDTLS_ERR_ASN1_ALLOC_FAILED:
358
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
359
0
        case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
360
0
            return PSA_ERROR_BUFFER_TOO_SMALL;
361
0
#endif
362
363
0
#if defined(MBEDTLS_CAMELLIA_C)
364
0
        case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
365
0
        case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
366
0
            return PSA_ERROR_NOT_SUPPORTED;
367
0
#endif
368
369
0
#if defined(MBEDTLS_CCM_C)
370
0
        case MBEDTLS_ERR_CCM_BAD_INPUT:
371
0
            return PSA_ERROR_INVALID_ARGUMENT;
372
0
        case MBEDTLS_ERR_CCM_AUTH_FAILED:
373
0
            return PSA_ERROR_INVALID_SIGNATURE;
374
0
#endif
375
376
0
#if defined(MBEDTLS_CHACHA20_C)
377
0
        case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
378
0
            return PSA_ERROR_INVALID_ARGUMENT;
379
0
#endif
380
381
0
#if defined(MBEDTLS_CHACHAPOLY_C)
382
0
        case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
383
0
            return PSA_ERROR_BAD_STATE;
384
0
        case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
385
0
            return PSA_ERROR_INVALID_SIGNATURE;
386
0
#endif
387
388
0
#if defined(MBEDTLS_CIPHER_C)
389
0
        case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
390
0
            return PSA_ERROR_NOT_SUPPORTED;
391
0
        case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
392
0
            return PSA_ERROR_INVALID_ARGUMENT;
393
0
        case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
394
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
395
0
        case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
396
0
            return PSA_ERROR_INVALID_PADDING;
397
0
        case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
398
0
            return PSA_ERROR_INVALID_ARGUMENT;
399
0
        case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
400
0
            return PSA_ERROR_INVALID_SIGNATURE;
401
0
        case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
402
0
            return PSA_ERROR_CORRUPTION_DETECTED;
403
0
#endif
404
405
0
#if !(defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) ||      \
406
0
            defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE))
407
        /* Only check CTR_DRBG error codes if underlying mbedtls_xxx
408
         * functions are passed a CTR_DRBG instance. */
409
2
        case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
410
2
            return PSA_ERROR_INSUFFICIENT_ENTROPY;
411
0
        case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
412
0
        case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
413
0
            return PSA_ERROR_NOT_SUPPORTED;
414
0
        case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
415
0
            return PSA_ERROR_INSUFFICIENT_ENTROPY;
416
0
#endif
417
418
0
#if defined(MBEDTLS_DES_C)
419
0
        case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
420
0
            return PSA_ERROR_NOT_SUPPORTED;
421
0
#endif
422
423
0
        case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
424
0
        case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
425
0
        case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
426
0
            return PSA_ERROR_INSUFFICIENT_ENTROPY;
427
428
0
#if defined(MBEDTLS_GCM_C)
429
0
        case MBEDTLS_ERR_GCM_AUTH_FAILED:
430
0
            return PSA_ERROR_INVALID_SIGNATURE;
431
0
        case MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL:
432
0
            return PSA_ERROR_BUFFER_TOO_SMALL;
433
0
        case MBEDTLS_ERR_GCM_BAD_INPUT:
434
0
            return PSA_ERROR_INVALID_ARGUMENT;
435
0
#endif
436
437
#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) &&        \
438
            defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
439
        /* Only check HMAC_DRBG error codes if underlying mbedtls_xxx
440
         * functions are passed a HMAC_DRBG instance. */
441
        case MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED:
442
            return PSA_ERROR_INSUFFICIENT_ENTROPY;
443
        case MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG:
444
        case MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG:
445
            return PSA_ERROR_NOT_SUPPORTED;
446
        case MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR:
447
            return PSA_ERROR_INSUFFICIENT_ENTROPY;
448
#endif
449
450
0
#if defined(MBEDTLS_MD_LIGHT)
451
0
        case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
452
0
            return PSA_ERROR_NOT_SUPPORTED;
453
0
        case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
454
0
            return PSA_ERROR_INVALID_ARGUMENT;
455
0
        case MBEDTLS_ERR_MD_ALLOC_FAILED:
456
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
457
0
#if defined(MBEDTLS_FS_IO)
458
0
        case MBEDTLS_ERR_MD_FILE_IO_ERROR:
459
0
            return PSA_ERROR_STORAGE_FAILURE;
460
0
#endif
461
0
#endif
462
463
0
#if defined(MBEDTLS_BIGNUM_C)
464
0
#if defined(MBEDTLS_FS_IO)
465
0
        case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
466
0
            return PSA_ERROR_STORAGE_FAILURE;
467
0
#endif
468
0
        case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
469
0
            return PSA_ERROR_INVALID_ARGUMENT;
470
0
        case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
471
0
            return PSA_ERROR_INVALID_ARGUMENT;
472
0
        case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
473
0
            return PSA_ERROR_BUFFER_TOO_SMALL;
474
0
        case MBEDTLS_ERR_MPI_NEGATIVE_VALUE:
475
0
            return PSA_ERROR_INVALID_ARGUMENT;
476
0
        case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO:
477
0
            return PSA_ERROR_INVALID_ARGUMENT;
478
0
        case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
479
0
            return PSA_ERROR_INVALID_ARGUMENT;
480
0
        case MBEDTLS_ERR_MPI_ALLOC_FAILED:
481
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
482
0
#endif
483
484
0
#if defined(MBEDTLS_PK_C)
485
0
        case MBEDTLS_ERR_PK_ALLOC_FAILED:
486
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
487
0
        case MBEDTLS_ERR_PK_TYPE_MISMATCH:
488
0
        case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
489
0
            return PSA_ERROR_INVALID_ARGUMENT;
490
0
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || defined(MBEDTLS_FS_IO) || \
491
0
            defined(MBEDTLS_PSA_ITS_FILE_C)
492
0
        case MBEDTLS_ERR_PK_FILE_IO_ERROR:
493
0
            return PSA_ERROR_STORAGE_FAILURE;
494
0
#endif
495
0
        case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
496
0
        case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
497
0
            return PSA_ERROR_INVALID_ARGUMENT;
498
0
        case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
499
0
            return PSA_ERROR_NOT_SUPPORTED;
500
0
        case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
501
0
        case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
502
0
            return PSA_ERROR_NOT_PERMITTED;
503
0
        case MBEDTLS_ERR_PK_INVALID_PUBKEY:
504
0
            return PSA_ERROR_INVALID_ARGUMENT;
505
0
        case MBEDTLS_ERR_PK_INVALID_ALG:
506
0
        case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
507
0
        case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
508
0
            return PSA_ERROR_NOT_SUPPORTED;
509
0
        case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
510
0
            return PSA_ERROR_INVALID_SIGNATURE;
511
0
        case MBEDTLS_ERR_PK_BUFFER_TOO_SMALL:
512
0
            return PSA_ERROR_BUFFER_TOO_SMALL;
513
0
#endif
514
515
0
        case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED:
516
0
            return PSA_ERROR_HARDWARE_FAILURE;
517
0
        case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
518
0
            return PSA_ERROR_NOT_SUPPORTED;
519
520
0
#if defined(MBEDTLS_RSA_C)
521
0
        case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
522
0
            return PSA_ERROR_INVALID_ARGUMENT;
523
0
        case MBEDTLS_ERR_RSA_INVALID_PADDING:
524
0
            return PSA_ERROR_INVALID_PADDING;
525
0
        case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
526
0
            return PSA_ERROR_HARDWARE_FAILURE;
527
0
        case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
528
0
            return PSA_ERROR_INVALID_ARGUMENT;
529
0
        case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
530
0
        case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
531
0
            return PSA_ERROR_CORRUPTION_DETECTED;
532
0
        case MBEDTLS_ERR_RSA_VERIFY_FAILED:
533
0
            return PSA_ERROR_INVALID_SIGNATURE;
534
0
        case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
535
0
            return PSA_ERROR_BUFFER_TOO_SMALL;
536
0
        case MBEDTLS_ERR_RSA_RNG_FAILED:
537
0
            return PSA_ERROR_INSUFFICIENT_ENTROPY;
538
0
#endif
539
540
0
#if defined(MBEDTLS_ECP_LIGHT)
541
0
        case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
542
0
        case MBEDTLS_ERR_ECP_INVALID_KEY:
543
0
            return PSA_ERROR_INVALID_ARGUMENT;
544
0
        case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
545
0
            return PSA_ERROR_BUFFER_TOO_SMALL;
546
0
        case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
547
0
            return PSA_ERROR_NOT_SUPPORTED;
548
0
        case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
549
0
        case MBEDTLS_ERR_ECP_VERIFY_FAILED:
550
0
            return PSA_ERROR_INVALID_SIGNATURE;
551
0
        case MBEDTLS_ERR_ECP_ALLOC_FAILED:
552
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
553
0
        case MBEDTLS_ERR_ECP_RANDOM_FAILED:
554
0
            return PSA_ERROR_INSUFFICIENT_ENTROPY;
555
556
0
#if defined(MBEDTLS_ECP_RESTARTABLE)
557
0
        case MBEDTLS_ERR_ECP_IN_PROGRESS:
558
0
            return PSA_OPERATION_INCOMPLETE;
559
0
#endif
560
0
#endif
561
562
0
        case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
563
0
            return PSA_ERROR_CORRUPTION_DETECTED;
564
565
0
        default:
566
0
            return PSA_ERROR_GENERIC_ERROR;
567
2
    }
568
2
}
569
570
/**
571
 * \brief                       For output buffers which contain "tags"
572
 *                              (outputs that may be checked for validity like
573
 *                              hashes, MACs and signatures), fill the unused
574
 *                              part of the output buffer (the whole buffer on
575
 *                              error, the trailing part on success) with
576
 *                              something that isn't a valid tag (barring an
577
 *                              attack on the tag and deliberately-crafted
578
 *                              input), in case the caller doesn't check the
579
 *                              return status properly.
580
 *
581
 * \param output_buffer         Pointer to buffer to wipe. May not be NULL
582
 *                              unless \p output_buffer_size is zero.
583
 * \param status                Status of function called to generate
584
 *                              output_buffer originally
585
 * \param output_buffer_size    Size of output buffer. If zero, \p output_buffer
586
 *                              could be NULL.
587
 * \param output_buffer_length  Length of data written to output_buffer, must be
588
 *                              less than \p output_buffer_size
589
 */
590
static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status,
591
                                       size_t output_buffer_size, size_t output_buffer_length)
592
0
{
593
0
    size_t offset = 0;
594
595
0
    if (output_buffer_size == 0) {
596
        /* If output_buffer_size is 0 then we have nothing to do. We must not
597
           call memset because output_buffer may be NULL in this case */
598
0
        return;
599
0
    }
600
601
0
    if (status == PSA_SUCCESS) {
602
0
        offset = output_buffer_length;
603
0
    }
604
605
0
    memset(output_buffer + offset, '!', output_buffer_size - offset);
606
0
}
607
608
609
psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
610
                                                    size_t bits)
611
0
{
612
    /* Check that the bit size is acceptable for the key type */
613
0
    switch (type) {
614
0
        case PSA_KEY_TYPE_RAW_DATA:
615
0
        case PSA_KEY_TYPE_HMAC:
616
0
        case PSA_KEY_TYPE_DERIVE:
617
0
        case PSA_KEY_TYPE_PASSWORD:
618
0
        case PSA_KEY_TYPE_PASSWORD_HASH:
619
0
            break;
620
0
#if defined(PSA_WANT_KEY_TYPE_AES)
621
0
        case PSA_KEY_TYPE_AES:
622
0
            if (bits != 128 && bits != 192 && bits != 256) {
623
0
                return PSA_ERROR_INVALID_ARGUMENT;
624
0
            }
625
0
            break;
626
0
#endif
627
0
#if defined(PSA_WANT_KEY_TYPE_ARIA)
628
0
        case PSA_KEY_TYPE_ARIA:
629
0
            if (bits != 128 && bits != 192 && bits != 256) {
630
0
                return PSA_ERROR_INVALID_ARGUMENT;
631
0
            }
632
0
            break;
633
0
#endif
634
0
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
635
0
        case PSA_KEY_TYPE_CAMELLIA:
636
0
            if (bits != 128 && bits != 192 && bits != 256) {
637
0
                return PSA_ERROR_INVALID_ARGUMENT;
638
0
            }
639
0
            break;
640
0
#endif
641
0
#if defined(PSA_WANT_KEY_TYPE_DES)
642
0
        case PSA_KEY_TYPE_DES:
643
0
            if (bits != 64 && bits != 128 && bits != 192) {
644
0
                return PSA_ERROR_INVALID_ARGUMENT;
645
0
            }
646
0
            break;
647
0
#endif
648
0
#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
649
0
        case PSA_KEY_TYPE_CHACHA20:
650
0
            if (bits != 256) {
651
0
                return PSA_ERROR_INVALID_ARGUMENT;
652
0
            }
653
0
            break;
654
0
#endif
655
0
        default:
656
0
            return PSA_ERROR_NOT_SUPPORTED;
657
0
    }
658
0
    if (bits % 8 != 0) {
659
0
        return PSA_ERROR_INVALID_ARGUMENT;
660
0
    }
661
662
0
    return PSA_SUCCESS;
663
0
}
664
665
/** Check whether a given key type is valid for use with a given MAC algorithm
666
 *
667
 * Upon successful return of this function, the behavior of #PSA_MAC_LENGTH
668
 * when called with the validated \p algorithm and \p key_type is well-defined.
669
 *
670
 * \param[in] algorithm     The specific MAC algorithm (can be wildcard).
671
 * \param[in] key_type      The key type of the key to be used with the
672
 *                          \p algorithm.
673
 *
674
 * \retval #PSA_SUCCESS
675
 *         The \p key_type is valid for use with the \p algorithm
676
 * \retval #PSA_ERROR_INVALID_ARGUMENT
677
 *         The \p key_type is not valid for use with the \p algorithm
678
 */
679
MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do(
680
    psa_algorithm_t algorithm,
681
    psa_key_type_t key_type)
682
0
{
683
0
    if (PSA_ALG_IS_HMAC(algorithm)) {
684
0
        if (key_type == PSA_KEY_TYPE_HMAC) {
685
0
            return PSA_SUCCESS;
686
0
        }
687
0
    }
688
689
0
    if (PSA_ALG_IS_BLOCK_CIPHER_MAC(algorithm)) {
690
        /* Check that we're calling PSA_BLOCK_CIPHER_BLOCK_LENGTH with a cipher
691
         * key. */
692
0
        if ((key_type & PSA_KEY_TYPE_CATEGORY_MASK) ==
693
0
            PSA_KEY_TYPE_CATEGORY_SYMMETRIC) {
694
            /* PSA_BLOCK_CIPHER_BLOCK_LENGTH returns 1 for stream ciphers and
695
             * the block length (larger than 1) for block ciphers. */
696
0
            if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1) {
697
0
                return PSA_SUCCESS;
698
0
            }
699
0
        }
700
0
    }
701
702
0
    return PSA_ERROR_INVALID_ARGUMENT;
703
0
}
704
705
psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
706
                                         size_t buffer_length)
707
0
{
708
#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
709
    if (buffer_length > ((size_t) MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE)) {
710
        return PSA_ERROR_NOT_SUPPORTED;
711
    }
712
#else
713
0
    if (slot->key.data != NULL) {
714
0
        return PSA_ERROR_ALREADY_EXISTS;
715
0
    }
716
717
0
    slot->key.data = mbedtls_calloc(1, buffer_length);
718
0
    if (slot->key.data == NULL) {
719
0
        return PSA_ERROR_INSUFFICIENT_MEMORY;
720
0
    }
721
0
#endif
722
723
0
    slot->key.bytes = buffer_length;
724
0
    return PSA_SUCCESS;
725
0
}
726
727
psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
728
                                             const uint8_t *data,
729
                                             size_t data_length)
730
0
{
731
0
    psa_status_t status = psa_allocate_buffer_to_slot(slot,
732
0
                                                      data_length);
733
0
    if (status != PSA_SUCCESS) {
734
0
        return status;
735
0
    }
736
737
0
    memcpy(slot->key.data, data, data_length);
738
0
    return PSA_SUCCESS;
739
0
}
740
741
psa_status_t psa_import_key_into_slot(
742
    const psa_key_attributes_t *attributes,
743
    const uint8_t *data, size_t data_length,
744
    uint8_t *key_buffer, size_t key_buffer_size,
745
    size_t *key_buffer_length, size_t *bits)
746
0
{
747
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
748
0
    psa_key_type_t type = attributes->type;
749
750
    /* zero-length keys are never supported. */
751
0
    if (data_length == 0) {
752
0
        return PSA_ERROR_NOT_SUPPORTED;
753
0
    }
754
755
0
    if (key_type_is_raw_bytes(type)) {
756
0
        *bits = PSA_BYTES_TO_BITS(data_length);
757
758
0
        status = psa_validate_unstructured_key_bit_size(attributes->type,
759
0
                                                        *bits);
760
0
        if (status != PSA_SUCCESS) {
761
0
            return status;
762
0
        }
763
764
        /* Copy the key material. */
765
0
        memcpy(key_buffer, data, data_length);
766
0
        *key_buffer_length = data_length;
767
0
        (void) key_buffer_size;
768
769
0
        return PSA_SUCCESS;
770
0
    } else if (PSA_KEY_TYPE_IS_ASYMMETRIC(type)) {
771
0
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
772
0
        defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
773
0
        if (PSA_KEY_TYPE_IS_DH(type)) {
774
0
            if (psa_is_dh_key_size_valid(PSA_BYTES_TO_BITS(data_length)) == 0) {
775
0
                return PSA_ERROR_NOT_SUPPORTED;
776
0
            }
777
0
            return mbedtls_psa_ffdh_import_key(attributes,
778
0
                                               data, data_length,
779
0
                                               key_buffer, key_buffer_size,
780
0
                                               key_buffer_length,
781
0
                                               bits);
782
0
        }
783
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) ||
784
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
785
0
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
786
0
        defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
787
0
        if (PSA_KEY_TYPE_IS_ECC(type)) {
788
0
            return mbedtls_psa_ecp_import_key(attributes,
789
0
                                              data, data_length,
790
0
                                              key_buffer, key_buffer_size,
791
0
                                              key_buffer_length,
792
0
                                              bits);
793
0
        }
794
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
795
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
796
0
#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
797
0
        defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
798
0
        defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
799
0
        if (PSA_KEY_TYPE_IS_RSA(type)) {
800
0
            return mbedtls_psa_rsa_import_key(attributes,
801
0
                                              data, data_length,
802
0
                                              key_buffer, key_buffer_size,
803
0
                                              key_buffer_length,
804
0
                                              bits);
805
0
        }
806
0
#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
807
           defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
808
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
809
0
    }
810
811
0
    return PSA_ERROR_NOT_SUPPORTED;
812
0
}
813
814
/** Calculate the intersection of two algorithm usage policies.
815
 *
816
 * Return 0 (which allows no operation) on incompatibility.
817
 */
818
static psa_algorithm_t psa_key_policy_algorithm_intersection(
819
    psa_key_type_t key_type,
820
    psa_algorithm_t alg1,
821
    psa_algorithm_t alg2)
822
0
{
823
    /* Common case: both sides actually specify the same policy. */
824
0
    if (alg1 == alg2) {
825
0
        return alg1;
826
0
    }
827
    /* If the policies are from the same hash-and-sign family, check
828
     * if one is a wildcard. If so the other has the specific algorithm. */
829
0
    if (PSA_ALG_IS_SIGN_HASH(alg1) &&
830
0
        PSA_ALG_IS_SIGN_HASH(alg2) &&
831
0
        (alg1 & ~PSA_ALG_HASH_MASK) == (alg2 & ~PSA_ALG_HASH_MASK)) {
832
0
        if (PSA_ALG_SIGN_GET_HASH(alg1) == PSA_ALG_ANY_HASH) {
833
0
            return alg2;
834
0
        }
835
0
        if (PSA_ALG_SIGN_GET_HASH(alg2) == PSA_ALG_ANY_HASH) {
836
0
            return alg1;
837
0
        }
838
0
    }
839
    /* If the policies are from the same AEAD family, check whether
840
     * one of them is a minimum-tag-length wildcard. Calculate the most
841
     * restrictive tag length. */
842
0
    if (PSA_ALG_IS_AEAD(alg1) && PSA_ALG_IS_AEAD(alg2) &&
843
0
        (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg1, 0) ==
844
0
         PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg2, 0))) {
845
0
        size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg1);
846
0
        size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg2);
847
0
        size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
848
849
        /* If both are wildcards, return most restrictive wildcard */
850
0
        if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
851
0
            ((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
852
0
            return PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(
853
0
                alg1, restricted_len);
854
0
        }
855
        /* If only one is a wildcard, return specific algorithm if compatible. */
856
0
        if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
857
0
            (alg1_len <= alg2_len)) {
858
0
            return alg2;
859
0
        }
860
0
        if (((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
861
0
            (alg2_len <= alg1_len)) {
862
0
            return alg1;
863
0
        }
864
0
    }
865
    /* If the policies are from the same MAC family, check whether one
866
     * of them is a minimum-MAC-length policy. Calculate the most
867
     * restrictive tag length. */
868
0
    if (PSA_ALG_IS_MAC(alg1) && PSA_ALG_IS_MAC(alg2) &&
869
0
        (PSA_ALG_FULL_LENGTH_MAC(alg1) ==
870
0
         PSA_ALG_FULL_LENGTH_MAC(alg2))) {
871
        /* Validate the combination of key type and algorithm. Since the base
872
         * algorithm of alg1 and alg2 are the same, we only need this once. */
873
0
        if (PSA_SUCCESS != psa_mac_key_can_do(alg1, key_type)) {
874
0
            return 0;
875
0
        }
876
877
        /* Get the (exact or at-least) output lengths for both sides of the
878
         * requested intersection. None of the currently supported algorithms
879
         * have an output length dependent on the actual key size, so setting it
880
         * to a bogus value of 0 is currently OK.
881
         *
882
         * Note that for at-least-this-length wildcard algorithms, the output
883
         * length is set to the shortest allowed length, which allows us to
884
         * calculate the most restrictive tag length for the intersection. */
885
0
        size_t alg1_len = PSA_MAC_LENGTH(key_type, 0, alg1);
886
0
        size_t alg2_len = PSA_MAC_LENGTH(key_type, 0, alg2);
887
0
        size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
888
889
        /* If both are wildcards, return most restrictive wildcard */
890
0
        if (((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
891
0
            ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
892
0
            return PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(alg1, restricted_len);
893
0
        }
894
895
        /* If only one is an at-least-this-length policy, the intersection would
896
         * be the other (fixed-length) policy as long as said fixed length is
897
         * equal to or larger than the shortest allowed length. */
898
0
        if ((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
899
0
            return (alg1_len <= alg2_len) ? alg2 : 0;
900
0
        }
901
0
        if ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
902
0
            return (alg2_len <= alg1_len) ? alg1 : 0;
903
0
        }
904
905
        /* If none of them are wildcards, check whether they define the same tag
906
         * length. This is still possible here when one is default-length and
907
         * the other specific-length. Ensure to always return the
908
         * specific-length version for the intersection. */
909
0
        if (alg1_len == alg2_len) {
910
0
            return PSA_ALG_TRUNCATED_MAC(alg1, alg1_len);
911
0
        }
912
0
    }
913
    /* If the policies are incompatible, allow nothing. */
914
0
    return 0;
915
0
}
916
917
static int psa_key_algorithm_permits(psa_key_type_t key_type,
918
                                     psa_algorithm_t policy_alg,
919
                                     psa_algorithm_t requested_alg)
920
0
{
921
    /* Common case: the policy only allows requested_alg. */
922
0
    if (requested_alg == policy_alg) {
923
0
        return 1;
924
0
    }
925
    /* If policy_alg is a hash-and-sign with a wildcard for the hash,
926
     * and requested_alg is the same hash-and-sign family with any hash,
927
     * then requested_alg is compliant with policy_alg. */
928
0
    if (PSA_ALG_IS_SIGN_HASH(requested_alg) &&
929
0
        PSA_ALG_SIGN_GET_HASH(policy_alg) == PSA_ALG_ANY_HASH) {
930
0
        return (policy_alg & ~PSA_ALG_HASH_MASK) ==
931
0
               (requested_alg & ~PSA_ALG_HASH_MASK);
932
0
    }
933
    /* If policy_alg is a wildcard AEAD algorithm of the same base as
934
     * the requested algorithm, check the requested tag length to be
935
     * equal-length or longer than the wildcard-specified length. */
936
0
    if (PSA_ALG_IS_AEAD(policy_alg) &&
937
0
        PSA_ALG_IS_AEAD(requested_alg) &&
938
0
        (PSA_ALG_AEAD_WITH_SHORTENED_TAG(policy_alg, 0) ==
939
0
         PSA_ALG_AEAD_WITH_SHORTENED_TAG(requested_alg, 0)) &&
940
0
        ((policy_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
941
0
        return PSA_ALG_AEAD_GET_TAG_LENGTH(policy_alg) <=
942
0
               PSA_ALG_AEAD_GET_TAG_LENGTH(requested_alg);
943
0
    }
944
    /* If policy_alg is a MAC algorithm of the same base as the requested
945
     * algorithm, check whether their MAC lengths are compatible. */
946
0
    if (PSA_ALG_IS_MAC(policy_alg) &&
947
0
        PSA_ALG_IS_MAC(requested_alg) &&
948
0
        (PSA_ALG_FULL_LENGTH_MAC(policy_alg) ==
949
0
         PSA_ALG_FULL_LENGTH_MAC(requested_alg))) {
950
        /* Validate the combination of key type and algorithm. Since the policy
951
         * and requested algorithms are the same, we only need this once. */
952
0
        if (PSA_SUCCESS != psa_mac_key_can_do(policy_alg, key_type)) {
953
0
            return 0;
954
0
        }
955
956
        /* Get both the requested output length for the algorithm which is to be
957
         * verified, and the default output length for the base algorithm.
958
         * Note that none of the currently supported algorithms have an output
959
         * length dependent on actual key size, so setting it to a bogus value
960
         * of 0 is currently OK. */
961
0
        size_t requested_output_length = PSA_MAC_LENGTH(
962
0
            key_type, 0, requested_alg);
963
0
        size_t default_output_length = PSA_MAC_LENGTH(
964
0
            key_type, 0,
965
0
            PSA_ALG_FULL_LENGTH_MAC(requested_alg));
966
967
        /* If the policy is default-length, only allow an algorithm with
968
         * a declared exact-length matching the default. */
969
0
        if (PSA_MAC_TRUNCATED_LENGTH(policy_alg) == 0) {
970
0
            return requested_output_length == default_output_length;
971
0
        }
972
973
        /* If the requested algorithm is default-length, allow it if the policy
974
         * length exactly matches the default length. */
975
0
        if (PSA_MAC_TRUNCATED_LENGTH(requested_alg) == 0 &&
976
0
            PSA_MAC_TRUNCATED_LENGTH(policy_alg) == default_output_length) {
977
0
            return 1;
978
0
        }
979
980
        /* If policy_alg is an at-least-this-length wildcard MAC algorithm,
981
         * check for the requested MAC length to be equal to or longer than the
982
         * minimum allowed length. */
983
0
        if ((policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
984
0
            return PSA_MAC_TRUNCATED_LENGTH(policy_alg) <=
985
0
                   requested_output_length;
986
0
        }
987
0
    }
988
    /* If policy_alg is a generic key agreement operation, then using it for
989
     * a key derivation with that key agreement should also be allowed. This
990
     * behaviour is expected to be defined in a future specification version. */
991
0
    if (PSA_ALG_IS_RAW_KEY_AGREEMENT(policy_alg) &&
992
0
        PSA_ALG_IS_KEY_AGREEMENT(requested_alg)) {
993
0
        return PSA_ALG_KEY_AGREEMENT_GET_BASE(requested_alg) ==
994
0
               policy_alg;
995
0
    }
996
    /* If it isn't explicitly permitted, it's forbidden. */
997
0
    return 0;
998
0
}
999
1000
/** Test whether a policy permits an algorithm.
1001
 *
1002
 * The caller must test usage flags separately.
1003
 *
1004
 * \note This function requires providing the key type for which the policy is
1005
 *       being validated, since some algorithm policy definitions (e.g. MAC)
1006
 *       have different properties depending on what kind of cipher it is
1007
 *       combined with.
1008
 *
1009
 * \retval PSA_SUCCESS                  When \p alg is a specific algorithm
1010
 *                                      allowed by the \p policy.
1011
 * \retval PSA_ERROR_INVALID_ARGUMENT   When \p alg is not a specific algorithm
1012
 * \retval PSA_ERROR_NOT_PERMITTED      When \p alg is a specific algorithm, but
1013
 *                                      the \p policy does not allow it.
1014
 */
1015
static psa_status_t psa_key_policy_permits(const psa_key_policy_t *policy,
1016
                                           psa_key_type_t key_type,
1017
                                           psa_algorithm_t alg)
1018
0
{
1019
    /* '0' is not a valid algorithm */
1020
0
    if (alg == 0) {
1021
0
        return PSA_ERROR_INVALID_ARGUMENT;
1022
0
    }
1023
1024
    /* A requested algorithm cannot be a wildcard. */
1025
0
    if (PSA_ALG_IS_WILDCARD(alg)) {
1026
0
        return PSA_ERROR_INVALID_ARGUMENT;
1027
0
    }
1028
1029
0
    if (psa_key_algorithm_permits(key_type, policy->alg, alg) ||
1030
0
        psa_key_algorithm_permits(key_type, policy->alg2, alg)) {
1031
0
        return PSA_SUCCESS;
1032
0
    } else {
1033
0
        return PSA_ERROR_NOT_PERMITTED;
1034
0
    }
1035
0
}
1036
1037
/** Restrict a key policy based on a constraint.
1038
 *
1039
 * \note This function requires providing the key type for which the policy is
1040
 *       being restricted, since some algorithm policy definitions (e.g. MAC)
1041
 *       have different properties depending on what kind of cipher it is
1042
 *       combined with.
1043
 *
1044
 * \param[in] key_type      The key type for which to restrict the policy
1045
 * \param[in,out] policy    The policy to restrict.
1046
 * \param[in] constraint    The policy constraint to apply.
1047
 *
1048
 * \retval #PSA_SUCCESS
1049
 *         \c *policy contains the intersection of the original value of
1050
 *         \c *policy and \c *constraint.
1051
 * \retval #PSA_ERROR_INVALID_ARGUMENT
1052
 *         \c key_type, \c *policy and \c *constraint are incompatible.
1053
 *         \c *policy is unchanged.
1054
 */
1055
static psa_status_t psa_restrict_key_policy(
1056
    psa_key_type_t key_type,
1057
    psa_key_policy_t *policy,
1058
    const psa_key_policy_t *constraint)
1059
0
{
1060
0
    psa_algorithm_t intersection_alg =
1061
0
        psa_key_policy_algorithm_intersection(key_type, policy->alg,
1062
0
                                              constraint->alg);
1063
0
    psa_algorithm_t intersection_alg2 =
1064
0
        psa_key_policy_algorithm_intersection(key_type, policy->alg2,
1065
0
                                              constraint->alg2);
1066
0
    if (intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0) {
1067
0
        return PSA_ERROR_INVALID_ARGUMENT;
1068
0
    }
1069
0
    if (intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0) {
1070
0
        return PSA_ERROR_INVALID_ARGUMENT;
1071
0
    }
1072
0
    policy->usage &= constraint->usage;
1073
0
    policy->alg = intersection_alg;
1074
0
    policy->alg2 = intersection_alg2;
1075
0
    return PSA_SUCCESS;
1076
0
}
1077
1078
/** Get the description of a key given its identifier and policy constraints
1079
 *  and lock it.
1080
 *
1081
 * The key must have allow all the usage flags set in \p usage. If \p alg is
1082
 * nonzero, the key must allow operations with this algorithm. If \p alg is
1083
 * zero, the algorithm is not checked.
1084
 *
1085
 * In case of a persistent key, the function loads the description of the key
1086
 * into a key slot if not already done.
1087
 *
1088
 * On success, the returned key slot has been registered for reading.
1089
 * It is the responsibility of the caller to then unregister
1090
 * once they have finished reading the contents of the slot.
1091
 * The caller unregisters by calling psa_unregister_read() or
1092
 * psa_unregister_read_under_mutex(). psa_unregister_read() must be called
1093
 * if and only if the caller already holds the global key slot mutex
1094
 * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates
1095
 * the unregister with mutex lock and unlock operations.
1096
 */
1097
static psa_status_t psa_get_and_lock_key_slot_with_policy(
1098
    mbedtls_svc_key_id_t key,
1099
    psa_key_slot_t **p_slot,
1100
    psa_key_usage_t usage,
1101
    psa_algorithm_t alg)
1102
0
{
1103
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1104
0
    psa_key_slot_t *slot = NULL;
1105
1106
0
    status = psa_get_and_lock_key_slot(key, p_slot);
1107
0
    if (status != PSA_SUCCESS) {
1108
0
        return status;
1109
0
    }
1110
0
    slot = *p_slot;
1111
1112
    /* Enforce that usage policy for the key slot contains all the flags
1113
     * required by the usage parameter. There is one exception: public
1114
     * keys can always be exported, so we treat public key objects as
1115
     * if they had the export flag. */
1116
0
    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
1117
0
        usage &= ~PSA_KEY_USAGE_EXPORT;
1118
0
    }
1119
1120
0
    if ((slot->attr.policy.usage & usage) != usage) {
1121
0
        status = PSA_ERROR_NOT_PERMITTED;
1122
0
        goto error;
1123
0
    }
1124
1125
    /* Enforce that the usage policy permits the requested algorithm. */
1126
0
    if (alg != 0) {
1127
0
        status = psa_key_policy_permits(&slot->attr.policy,
1128
0
                                        slot->attr.type,
1129
0
                                        alg);
1130
0
        if (status != PSA_SUCCESS) {
1131
0
            goto error;
1132
0
        }
1133
0
    }
1134
1135
0
    return PSA_SUCCESS;
1136
1137
0
error:
1138
0
    *p_slot = NULL;
1139
0
    psa_unregister_read_under_mutex(slot);
1140
1141
0
    return status;
1142
0
}
1143
1144
/** Get a key slot containing a transparent key and lock it.
1145
 *
1146
 * A transparent key is a key for which the key material is directly
1147
 * available, as opposed to a key in a secure element and/or to be used
1148
 * by a secure element.
1149
 *
1150
 * This is a temporary function that may be used instead of
1151
 * psa_get_and_lock_key_slot_with_policy() when there is no opaque key support
1152
 * for a cryptographic operation.
1153
 *
1154
 * On success, the returned key slot has been registered for reading.
1155
 * It is the responsibility of the caller to then unregister
1156
 * once they have finished reading the contents of the slot.
1157
 * The caller unregisters by calling psa_unregister_read() or
1158
 * psa_unregister_read_under_mutex(). psa_unregister_read() must be called
1159
 * if and only if the caller already holds the global key slot mutex
1160
 * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates
1161
 * psa_unregister_read() with mutex lock and unlock operations.
1162
 */
1163
static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
1164
    mbedtls_svc_key_id_t key,
1165
    psa_key_slot_t **p_slot,
1166
    psa_key_usage_t usage,
1167
    psa_algorithm_t alg)
1168
0
{
1169
0
    psa_status_t status = psa_get_and_lock_key_slot_with_policy(key, p_slot,
1170
0
                                                                usage, alg);
1171
0
    if (status != PSA_SUCCESS) {
1172
0
        return status;
1173
0
    }
1174
1175
0
    if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) {
1176
0
        psa_unregister_read_under_mutex(*p_slot);
1177
0
        *p_slot = NULL;
1178
0
        return PSA_ERROR_NOT_SUPPORTED;
1179
0
    }
1180
1181
0
    return PSA_SUCCESS;
1182
0
}
1183
1184
psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot)
1185
0
{
1186
#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
1187
    if (slot->key.bytes > 0) {
1188
        mbedtls_platform_zeroize(slot->key.data, MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE);
1189
    }
1190
#else
1191
0
    if (slot->key.data != NULL) {
1192
0
        mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes);
1193
0
    }
1194
1195
0
    slot->key.data = NULL;
1196
0
#endif /* MBEDTLS_PSA_STATIC_KEY_SLOTS */
1197
1198
0
    slot->key.bytes = 0;
1199
1200
0
    return PSA_SUCCESS;
1201
0
}
1202
1203
/** Completely wipe a slot in memory, including its policy.
1204
 * Persistent storage is not affected. */
1205
psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot)
1206
0
{
1207
0
    psa_status_t status = psa_remove_key_data_from_memory(slot);
1208
1209
    /*
1210
     * As the return error code may not be handled in case of multiple errors,
1211
     * do our best to report an unexpected amount of registered readers or
1212
     * an unexpected state.
1213
     * Assert with MBEDTLS_TEST_HOOK_TEST_ASSERT that the slot is valid for
1214
     * wiping.
1215
     * if the MBEDTLS_TEST_HOOKS configuration option is enabled and the
1216
     * function is called as part of the execution of a test suite, the
1217
     * execution of the test suite is stopped in error if the assertion fails.
1218
     */
1219
0
    switch (slot->state) {
1220
0
        case PSA_SLOT_FULL:
1221
        /* In this state psa_wipe_key_slot() must only be called if the
1222
         * caller is the last reader. */
1223
0
        case PSA_SLOT_PENDING_DELETION:
1224
            /* In this state psa_wipe_key_slot() must only be called if the
1225
             * caller is the last reader. */
1226
0
            if (slot->var.occupied.registered_readers != 1) {
1227
0
                MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 1);
1228
0
                status = PSA_ERROR_CORRUPTION_DETECTED;
1229
0
            }
1230
0
            break;
1231
0
        case PSA_SLOT_FILLING:
1232
            /* In this state registered_readers must be 0. */
1233
0
            if (slot->var.occupied.registered_readers != 0) {
1234
0
                MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 0);
1235
0
                status = PSA_ERROR_CORRUPTION_DETECTED;
1236
0
            }
1237
0
            break;
1238
0
        case PSA_SLOT_EMPTY:
1239
            /* The slot is already empty, it cannot be wiped. */
1240
0
            MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->state != PSA_SLOT_EMPTY);
1241
0
            status = PSA_ERROR_CORRUPTION_DETECTED;
1242
0
            break;
1243
0
        default:
1244
            /* The slot's state is invalid. */
1245
0
            status = PSA_ERROR_CORRUPTION_DETECTED;
1246
0
    }
1247
1248
0
#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
1249
0
    size_t slice_index = slot->slice_index;
1250
0
#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
1251
1252
1253
    /* Multipart operations may still be using the key. This is safe
1254
     * because all multipart operation objects are independent from
1255
     * the key slot: if they need to access the key after the setup
1256
     * phase, they have a copy of the key. Note that this means that
1257
     * key material can linger until all operations are completed. */
1258
    /* At this point, key material and other type-specific content has
1259
     * been wiped. Clear remaining metadata. We can call memset and not
1260
     * zeroize because the metadata is not particularly sensitive.
1261
     * This memset also sets the slot's state to PSA_SLOT_EMPTY. */
1262
0
    memset(slot, 0, sizeof(*slot));
1263
1264
0
#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
1265
    /* If the slot is already corrupted, something went deeply wrong,
1266
     * like a thread still using the slot or a stray pointer leading
1267
     * to the slot's memory being used for another object. Let the slot
1268
     * leak rather than make the corruption worse. */
1269
0
    if (status == PSA_SUCCESS) {
1270
0
        status = psa_free_key_slot(slice_index, slot);
1271
0
    }
1272
0
#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
1273
1274
0
    return status;
1275
0
}
1276
1277
psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key)
1278
0
{
1279
0
    psa_key_slot_t *slot;
1280
0
    psa_status_t status; /* status of the last operation */
1281
0
    psa_status_t overall_status = PSA_SUCCESS;
1282
0
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1283
0
    psa_se_drv_table_entry_t *driver;
1284
0
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1285
1286
0
    if (mbedtls_svc_key_id_is_null(key)) {
1287
0
        return PSA_SUCCESS;
1288
0
    }
1289
1290
    /*
1291
     * Get the description of the key in a key slot, and register to read it.
1292
     * In the case of a persistent key, this will load the key description
1293
     * from persistent memory if not done yet.
1294
     * We cannot avoid this loading as without it we don't know if
1295
     * the key is operated by an SE or not and this information is needed by
1296
     * the current implementation. */
1297
0
    status = psa_get_and_lock_key_slot(key, &slot);
1298
0
    if (status != PSA_SUCCESS) {
1299
0
        return status;
1300
0
    }
1301
1302
0
#if defined(MBEDTLS_THREADING_C)
1303
    /* We cannot unlock between setting the state to PENDING_DELETION
1304
     * and destroying the key in storage, as otherwise another thread
1305
     * could load the key into a new slot and the key will not be
1306
     * fully destroyed. */
1307
0
    PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(
1308
0
                                    &mbedtls_threading_key_slot_mutex));
1309
1310
0
    if (slot->state == PSA_SLOT_PENDING_DELETION) {
1311
        /* Another thread has destroyed the key between us locking the slot
1312
         * and us gaining the mutex. Unregister from the slot,
1313
         * and report that the key does not exist. */
1314
0
        status = psa_unregister_read(slot);
1315
1316
0
        PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1317
0
                                  &mbedtls_threading_key_slot_mutex));
1318
0
        return (status == PSA_SUCCESS) ? PSA_ERROR_INVALID_HANDLE : status;
1319
0
    }
1320
0
#endif
1321
    /* Set the key slot containing the key description's state to
1322
     * PENDING_DELETION. This stops new operations from registering
1323
     * to read the slot. Current readers can safely continue to access
1324
     * the key within the slot; the last registered reader will
1325
     * automatically wipe the slot when they call psa_unregister_read().
1326
     * If the key is persistent, we can now delete the copy of the key
1327
     * from memory. If the key is opaque, we require the driver to
1328
     * deal with the deletion. */
1329
0
    overall_status = psa_key_slot_state_transition(slot, PSA_SLOT_FULL,
1330
0
                                                   PSA_SLOT_PENDING_DELETION);
1331
1332
0
    if (overall_status != PSA_SUCCESS) {
1333
0
        goto exit;
1334
0
    }
1335
1336
0
    if (PSA_KEY_LIFETIME_IS_READ_ONLY(slot->attr.lifetime)) {
1337
        /* Refuse the destruction of a read-only key (which may or may not work
1338
         * if we attempt it, depending on whether the key is merely read-only
1339
         * by policy or actually physically read-only).
1340
         * Just do the best we can, which is to wipe the copy in memory
1341
         * (done in this function's cleanup code). */
1342
0
        overall_status = PSA_ERROR_NOT_PERMITTED;
1343
0
        goto exit;
1344
0
    }
1345
1346
0
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1347
0
    driver = psa_get_se_driver_entry(slot->attr.lifetime);
1348
0
    if (driver != NULL) {
1349
        /* For a key in a secure element, we need to do three things:
1350
         * remove the key file in internal storage, destroy the
1351
         * key inside the secure element, and update the driver's
1352
         * persistent data. Start a transaction that will encompass these
1353
         * three actions. */
1354
0
        psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_DESTROY_KEY);
1355
0
        psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
1356
0
        psa_crypto_transaction.key.slot = psa_key_slot_get_slot_number(slot);
1357
0
        psa_crypto_transaction.key.id = slot->attr.id;
1358
0
        status = psa_crypto_save_transaction();
1359
0
        if (status != PSA_SUCCESS) {
1360
0
            (void) psa_crypto_stop_transaction();
1361
            /* We should still try to destroy the key in the secure
1362
             * element and the key metadata in storage. This is especially
1363
             * important if the error is that the storage is full.
1364
             * But how to do it exactly without risking an inconsistent
1365
             * state after a reset?
1366
             * https://github.com/ARMmbed/mbed-crypto/issues/215
1367
             */
1368
0
            overall_status = status;
1369
0
            goto exit;
1370
0
        }
1371
1372
0
        status = psa_destroy_se_key(driver,
1373
0
                                    psa_key_slot_get_slot_number(slot));
1374
0
        if (overall_status == PSA_SUCCESS) {
1375
0
            overall_status = status;
1376
0
        }
1377
0
    }
1378
0
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1379
1380
0
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
1381
0
    if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
1382
        /* Destroy the copy of the persistent key from storage.
1383
         * The slot will still hold a copy of the key until the last reader
1384
         * unregisters. */
1385
0
        status = psa_destroy_persistent_key(slot->attr.id);
1386
0
        if (overall_status == PSA_SUCCESS) {
1387
0
            overall_status = status;
1388
0
        }
1389
0
    }
1390
0
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
1391
1392
0
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1393
0
    if (driver != NULL) {
1394
0
        status = psa_save_se_persistent_data(driver);
1395
0
        if (overall_status == PSA_SUCCESS) {
1396
0
            overall_status = status;
1397
0
        }
1398
0
        status = psa_crypto_stop_transaction();
1399
0
        if (overall_status == PSA_SUCCESS) {
1400
0
            overall_status = status;
1401
0
        }
1402
0
    }
1403
0
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1404
1405
0
exit:
1406
    /* Unregister from reading the slot. If we are the last active reader
1407
     * then this will wipe the slot. */
1408
0
    status = psa_unregister_read(slot);
1409
    /* Prioritize CORRUPTION_DETECTED from unregistering over
1410
     * a storage error. */
1411
0
    if (status != PSA_SUCCESS) {
1412
0
        overall_status = status;
1413
0
    }
1414
1415
0
#if defined(MBEDTLS_THREADING_C)
1416
    /* Don't overwrite existing errors if the unlock fails. */
1417
0
    status = overall_status;
1418
0
    PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1419
0
                              &mbedtls_threading_key_slot_mutex));
1420
0
#endif
1421
1422
0
    return overall_status;
1423
0
}
1424
1425
/** Retrieve all the publicly-accessible attributes of a key.
1426
 */
1427
psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
1428
                                    psa_key_attributes_t *attributes)
1429
0
{
1430
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1431
0
    psa_key_slot_t *slot;
1432
1433
0
    psa_reset_key_attributes(attributes);
1434
1435
0
    status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
1436
0
    if (status != PSA_SUCCESS) {
1437
0
        return status;
1438
0
    }
1439
1440
0
    *attributes = slot->attr;
1441
1442
0
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1443
0
    if (psa_get_se_driver_entry(slot->attr.lifetime) != NULL) {
1444
0
        psa_set_key_slot_number(attributes,
1445
0
                                psa_key_slot_get_slot_number(slot));
1446
0
    }
1447
0
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1448
1449
0
    return psa_unregister_read_under_mutex(slot);
1450
0
}
1451
1452
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1453
psa_status_t psa_get_key_slot_number(
1454
    const psa_key_attributes_t *attributes,
1455
    psa_key_slot_number_t *slot_number)
1456
0
{
1457
0
    if (attributes->has_slot_number) {
1458
0
        *slot_number = attributes->slot_number;
1459
0
        return PSA_SUCCESS;
1460
0
    } else {
1461
0
        return PSA_ERROR_INVALID_ARGUMENT;
1462
0
    }
1463
0
}
1464
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1465
1466
static psa_status_t psa_export_key_buffer_internal(const uint8_t *key_buffer,
1467
                                                   size_t key_buffer_size,
1468
                                                   uint8_t *data,
1469
                                                   size_t data_size,
1470
                                                   size_t *data_length)
1471
0
{
1472
0
    if (key_buffer_size > data_size) {
1473
0
        return PSA_ERROR_BUFFER_TOO_SMALL;
1474
0
    }
1475
0
    memcpy(data, key_buffer, key_buffer_size);
1476
0
    memset(data + key_buffer_size, 0,
1477
0
           data_size - key_buffer_size);
1478
0
    *data_length = key_buffer_size;
1479
0
    return PSA_SUCCESS;
1480
0
}
1481
1482
psa_status_t psa_export_key_internal(
1483
    const psa_key_attributes_t *attributes,
1484
    const uint8_t *key_buffer, size_t key_buffer_size,
1485
    uint8_t *data, size_t data_size, size_t *data_length)
1486
0
{
1487
0
    psa_key_type_t type = attributes->type;
1488
1489
0
    if (key_type_is_raw_bytes(type) ||
1490
0
        PSA_KEY_TYPE_IS_RSA(type)   ||
1491
0
        PSA_KEY_TYPE_IS_ECC(type)   ||
1492
0
        PSA_KEY_TYPE_IS_DH(type)) {
1493
0
        return psa_export_key_buffer_internal(
1494
0
            key_buffer, key_buffer_size,
1495
0
            data, data_size, data_length);
1496
0
    } else {
1497
        /* This shouldn't happen in the reference implementation, but
1498
           it is valid for a special-purpose implementation to omit
1499
           support for exporting certain key types. */
1500
0
        return PSA_ERROR_NOT_SUPPORTED;
1501
0
    }
1502
0
}
1503
1504
psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
1505
                            uint8_t *data_external,
1506
                            size_t data_size,
1507
                            size_t *data_length)
1508
0
{
1509
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1510
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
1511
0
    psa_key_slot_t *slot;
1512
0
    LOCAL_OUTPUT_DECLARE(data_external, data);
1513
1514
    /* Reject a zero-length output buffer now, since this can never be a
1515
     * valid key representation. This way we know that data must be a valid
1516
     * pointer and we can do things like memset(data, ..., data_size). */
1517
0
    if (data_size == 0) {
1518
0
        return PSA_ERROR_BUFFER_TOO_SMALL;
1519
0
    }
1520
1521
    /* Set the key to empty now, so that even when there are errors, we always
1522
     * set data_length to a value between 0 and data_size. On error, setting
1523
     * the key to empty is a good choice because an empty key representation is
1524
     * unlikely to be accepted anywhere. */
1525
0
    *data_length = 0;
1526
1527
    /* Export requires the EXPORT flag. There is an exception for public keys,
1528
     * which don't require any flag, but
1529
     * psa_get_and_lock_key_slot_with_policy() takes care of this.
1530
     */
1531
0
    status = psa_get_and_lock_key_slot_with_policy(key, &slot,
1532
0
                                                   PSA_KEY_USAGE_EXPORT, 0);
1533
0
    if (status != PSA_SUCCESS) {
1534
0
        return status;
1535
0
    }
1536
1537
0
    LOCAL_OUTPUT_ALLOC(data_external, data_size, data);
1538
1539
0
    status = psa_driver_wrapper_export_key(&slot->attr,
1540
0
                                           slot->key.data, slot->key.bytes,
1541
0
                                           data, data_size, data_length);
1542
1543
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
1544
0
exit:
1545
0
#endif
1546
0
    unlock_status = psa_unregister_read_under_mutex(slot);
1547
1548
0
    LOCAL_OUTPUT_FREE(data_external, data);
1549
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
1550
0
}
1551
1552
psa_status_t psa_export_public_key_internal(
1553
    const psa_key_attributes_t *attributes,
1554
    const uint8_t *key_buffer,
1555
    size_t key_buffer_size,
1556
    uint8_t *data,
1557
    size_t data_size,
1558
    size_t *data_length)
1559
0
{
1560
0
    psa_key_type_t type = attributes->type;
1561
1562
0
    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
1563
0
        (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type) ||
1564
0
         PSA_KEY_TYPE_IS_DH(type))) {
1565
        /* Exporting public -> public */
1566
0
        return psa_export_key_buffer_internal(
1567
0
            key_buffer, key_buffer_size,
1568
0
            data, data_size, data_length);
1569
0
    } else if (PSA_KEY_TYPE_IS_RSA(type)) {
1570
0
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
1571
0
        defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
1572
0
        return mbedtls_psa_rsa_export_public_key(attributes,
1573
0
                                                 key_buffer,
1574
0
                                                 key_buffer_size,
1575
0
                                                 data,
1576
0
                                                 data_size,
1577
0
                                                 data_length);
1578
#else
1579
        /* We don't know how to convert a private RSA key to public. */
1580
        return PSA_ERROR_NOT_SUPPORTED;
1581
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
1582
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
1583
0
    } else if (PSA_KEY_TYPE_IS_ECC(type)) {
1584
0
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
1585
0
        defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
1586
0
        return mbedtls_psa_ecp_export_public_key(attributes,
1587
0
                                                 key_buffer,
1588
0
                                                 key_buffer_size,
1589
0
                                                 data,
1590
0
                                                 data_size,
1591
0
                                                 data_length);
1592
#else
1593
        /* We don't know how to convert a private ECC key to public */
1594
        return PSA_ERROR_NOT_SUPPORTED;
1595
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
1596
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
1597
0
    } else if (PSA_KEY_TYPE_IS_DH(type)) {
1598
0
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
1599
0
        defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
1600
0
        return mbedtls_psa_ffdh_export_public_key(attributes,
1601
0
                                                  key_buffer,
1602
0
                                                  key_buffer_size,
1603
0
                                                  data, data_size,
1604
0
                                                  data_length);
1605
#else
1606
        return PSA_ERROR_NOT_SUPPORTED;
1607
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) ||
1608
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
1609
0
    } else {
1610
0
        (void) key_buffer;
1611
0
        (void) key_buffer_size;
1612
0
        (void) data;
1613
0
        (void) data_size;
1614
0
        (void) data_length;
1615
0
        return PSA_ERROR_NOT_SUPPORTED;
1616
0
    }
1617
0
}
1618
1619
psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
1620
                                   uint8_t *data_external,
1621
                                   size_t data_size,
1622
                                   size_t *data_length)
1623
0
{
1624
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1625
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
1626
0
    psa_key_slot_t *slot;
1627
1628
0
    LOCAL_OUTPUT_DECLARE(data_external, data);
1629
1630
    /* Reject a zero-length output buffer now, since this can never be a
1631
     * valid key representation. This way we know that data must be a valid
1632
     * pointer and we can do things like memset(data, ..., data_size). */
1633
0
    if (data_size == 0) {
1634
0
        return PSA_ERROR_BUFFER_TOO_SMALL;
1635
0
    }
1636
1637
    /* Set the key to empty now, so that even when there are errors, we always
1638
     * set data_length to a value between 0 and data_size. On error, setting
1639
     * the key to empty is a good choice because an empty key representation is
1640
     * unlikely to be accepted anywhere. */
1641
0
    *data_length = 0;
1642
1643
    /* Exporting a public key doesn't require a usage flag. */
1644
0
    status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
1645
0
    if (status != PSA_SUCCESS) {
1646
0
        return status;
1647
0
    }
1648
1649
0
    LOCAL_OUTPUT_ALLOC(data_external, data_size, data);
1650
1651
0
    if (!PSA_KEY_TYPE_IS_ASYMMETRIC(slot->attr.type)) {
1652
0
        status = PSA_ERROR_INVALID_ARGUMENT;
1653
0
        goto exit;
1654
0
    }
1655
1656
0
    status = psa_driver_wrapper_export_public_key(
1657
0
        &slot->attr, slot->key.data, slot->key.bytes,
1658
0
        data, data_size, data_length);
1659
1660
0
exit:
1661
0
    unlock_status = psa_unregister_read_under_mutex(slot);
1662
1663
0
    LOCAL_OUTPUT_FREE(data_external, data);
1664
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
1665
0
}
1666
1667
/** Validate that a key policy is internally well-formed.
1668
 *
1669
 * This function only rejects invalid policies. It does not validate the
1670
 * consistency of the policy with respect to other attributes of the key
1671
 * such as the key type.
1672
 */
1673
static psa_status_t psa_validate_key_policy(const psa_key_policy_t *policy)
1674
0
{
1675
0
    if ((policy->usage & ~(PSA_KEY_USAGE_EXPORT |
1676
0
                           PSA_KEY_USAGE_COPY |
1677
0
                           PSA_KEY_USAGE_ENCRYPT |
1678
0
                           PSA_KEY_USAGE_DECRYPT |
1679
0
                           PSA_KEY_USAGE_SIGN_MESSAGE |
1680
0
                           PSA_KEY_USAGE_VERIFY_MESSAGE |
1681
0
                           PSA_KEY_USAGE_SIGN_HASH |
1682
0
                           PSA_KEY_USAGE_VERIFY_HASH |
1683
0
                           PSA_KEY_USAGE_VERIFY_DERIVATION |
1684
0
                           PSA_KEY_USAGE_DERIVE)) != 0) {
1685
0
        return PSA_ERROR_INVALID_ARGUMENT;
1686
0
    }
1687
1688
0
    return PSA_SUCCESS;
1689
0
}
1690
1691
/** Validate the internal consistency of key attributes.
1692
 *
1693
 * This function only rejects invalid attribute values. If does not
1694
 * validate the consistency of the attributes with any key data that may
1695
 * be involved in the creation of the key.
1696
 *
1697
 * Call this function early in the key creation process.
1698
 *
1699
 * \param[in] attributes    Key attributes for the new key.
1700
 * \param[out] p_drv        On any return, the driver for the key, if any.
1701
 *                          NULL for a transparent key.
1702
 *
1703
 */
1704
static psa_status_t psa_validate_key_attributes(
1705
    const psa_key_attributes_t *attributes,
1706
    psa_se_drv_table_entry_t **p_drv)
1707
0
{
1708
0
    psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
1709
0
    psa_key_lifetime_t lifetime = psa_get_key_lifetime(attributes);
1710
0
    mbedtls_svc_key_id_t key = psa_get_key_id(attributes);
1711
1712
0
    status = psa_validate_key_location(lifetime, p_drv);
1713
0
    if (status != PSA_SUCCESS) {
1714
0
        return status;
1715
0
    }
1716
1717
0
    status = psa_validate_key_persistence(lifetime);
1718
0
    if (status != PSA_SUCCESS) {
1719
0
        return status;
1720
0
    }
1721
1722
0
    if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
1723
0
        if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key) != 0) {
1724
0
            return PSA_ERROR_INVALID_ARGUMENT;
1725
0
        }
1726
0
    } else {
1727
0
        if (!psa_is_valid_key_id(psa_get_key_id(attributes), 0)) {
1728
0
            return PSA_ERROR_INVALID_ARGUMENT;
1729
0
        }
1730
0
    }
1731
1732
0
    status = psa_validate_key_policy(&attributes->policy);
1733
0
    if (status != PSA_SUCCESS) {
1734
0
        return status;
1735
0
    }
1736
1737
    /* Refuse to create overly large keys.
1738
     * Note that this doesn't trigger on import if the attributes don't
1739
     * explicitly specify a size (so psa_get_key_bits returns 0), so
1740
     * psa_import_key() needs its own checks. */
1741
0
    if (psa_get_key_bits(attributes) > PSA_MAX_KEY_BITS) {
1742
0
        return PSA_ERROR_NOT_SUPPORTED;
1743
0
    }
1744
1745
0
    return PSA_SUCCESS;
1746
0
}
1747
1748
/** Prepare a key slot to receive key material.
1749
 *
1750
 * This function allocates a key slot and sets its metadata.
1751
 *
1752
 * If this function fails, call psa_fail_key_creation().
1753
 *
1754
 * This function is intended to be used as follows:
1755
 * -# Call psa_start_key_creation() to allocate a key slot, prepare
1756
 *    it with the specified attributes, and in case of a volatile key assign it
1757
 *    a volatile key identifier.
1758
 * -# Populate the slot with the key material.
1759
 * -# Call psa_finish_key_creation() to finalize the creation of the slot.
1760
 * In case of failure at any step, stop the sequence and call
1761
 * psa_fail_key_creation().
1762
 *
1763
 * On success, the key slot's state is PSA_SLOT_FILLING.
1764
 * It is the responsibility of the caller to change the slot's state to
1765
 * PSA_SLOT_EMPTY/FULL once key creation has finished.
1766
 *
1767
 * \param method            An identification of the calling function.
1768
 * \param[in] attributes    Key attributes for the new key.
1769
 * \param[out] p_slot       On success, a pointer to the prepared slot.
1770
 * \param[out] p_drv        On any return, the driver for the key, if any.
1771
 *                          NULL for a transparent key.
1772
 *
1773
 * \retval #PSA_SUCCESS
1774
 *         The key slot is ready to receive key material.
1775
 * \return If this function fails, the key slot is an invalid state.
1776
 *         You must call psa_fail_key_creation() to wipe and free the slot.
1777
 */
1778
static psa_status_t psa_start_key_creation(
1779
    psa_key_creation_method_t method,
1780
    const psa_key_attributes_t *attributes,
1781
    psa_key_slot_t **p_slot,
1782
    psa_se_drv_table_entry_t **p_drv)
1783
0
{
1784
0
    psa_status_t status;
1785
1786
0
    (void) method;
1787
0
    *p_drv = NULL;
1788
1789
0
    status = psa_validate_key_attributes(attributes, p_drv);
1790
0
    if (status != PSA_SUCCESS) {
1791
0
        return status;
1792
0
    }
1793
1794
0
    int key_is_volatile = PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime);
1795
0
    psa_key_id_t volatile_key_id;
1796
1797
0
#if defined(MBEDTLS_THREADING_C)
1798
0
    PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
1799
0
                              &mbedtls_threading_key_slot_mutex));
1800
0
#endif
1801
0
    status = psa_reserve_free_key_slot(
1802
0
        key_is_volatile ? &volatile_key_id : NULL,
1803
0
        p_slot);
1804
0
#if defined(MBEDTLS_THREADING_C)
1805
0
    PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1806
0
                              &mbedtls_threading_key_slot_mutex));
1807
0
#endif
1808
0
    if (status != PSA_SUCCESS) {
1809
0
        return status;
1810
0
    }
1811
0
    psa_key_slot_t *slot = *p_slot;
1812
1813
    /* We're storing the declared bit-size of the key. It's up to each
1814
     * creation mechanism to verify that this information is correct.
1815
     * It's automatically correct for mechanisms that use the bit-size as
1816
     * an input (generate, device) but not for those where the bit-size
1817
     * is optional (import, copy). In case of a volatile key, assign it the
1818
     * volatile key identifier associated to the slot returned to contain its
1819
     * definition. */
1820
1821
0
    slot->attr = *attributes;
1822
0
    if (key_is_volatile) {
1823
0
#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
1824
0
        slot->attr.id = volatile_key_id;
1825
#else
1826
        slot->attr.id.key_id = volatile_key_id;
1827
#endif
1828
0
    }
1829
1830
0
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1831
    /* For a key in a secure element, we need to do three things
1832
     * when creating or registering a persistent key:
1833
     * create the key file in internal storage, create the
1834
     * key inside the secure element, and update the driver's
1835
     * persistent data. This is done by starting a transaction that will
1836
     * encompass these three actions.
1837
     * For registering a volatile key, we just need to find an appropriate
1838
     * slot number inside the SE. Since the key is designated volatile, creating
1839
     * a transaction is not required. */
1840
    /* The first thing to do is to find a slot number for the new key.
1841
     * We save the slot number in persistent storage as part of the
1842
     * transaction data. It will be needed to recover if the power
1843
     * fails during the key creation process, to clean up on the secure
1844
     * element side after restarting. Obtaining a slot number from the
1845
     * secure element driver updates its persistent state, but we do not yet
1846
     * save the driver's persistent state, so that if the power fails,
1847
     * we can roll back to a state where the key doesn't exist. */
1848
0
    if (*p_drv != NULL) {
1849
0
        psa_key_slot_number_t slot_number;
1850
0
        status = psa_find_se_slot_for_key(attributes, method, *p_drv,
1851
0
                                          &slot_number);
1852
0
        if (status != PSA_SUCCESS) {
1853
0
            return status;
1854
0
        }
1855
1856
0
        if (!PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime)) {
1857
0
            psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_CREATE_KEY);
1858
0
            psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
1859
0
            psa_crypto_transaction.key.slot = slot_number;
1860
0
            psa_crypto_transaction.key.id = slot->attr.id;
1861
0
            status = psa_crypto_save_transaction();
1862
0
            if (status != PSA_SUCCESS) {
1863
0
                (void) psa_crypto_stop_transaction();
1864
0
                return status;
1865
0
            }
1866
0
        }
1867
1868
0
        status = psa_copy_key_material_into_slot(
1869
0
            slot, (uint8_t *) (&slot_number), sizeof(slot_number));
1870
0
        if (status != PSA_SUCCESS) {
1871
0
            return status;
1872
0
        }
1873
0
    }
1874
1875
0
    if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) {
1876
        /* Key registration only makes sense with a secure element. */
1877
0
        return PSA_ERROR_INVALID_ARGUMENT;
1878
0
    }
1879
0
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1880
1881
0
    return PSA_SUCCESS;
1882
0
}
1883
1884
/** Finalize the creation of a key once its key material has been set.
1885
 *
1886
 * This entails writing the key to persistent storage.
1887
 *
1888
 * If this function fails, call psa_fail_key_creation().
1889
 * See the documentation of psa_start_key_creation() for the intended use
1890
 * of this function.
1891
 *
1892
 * If the finalization succeeds, the function sets the key slot's state to
1893
 * PSA_SLOT_FULL, and the key slot can no longer be accessed as part of the
1894
 * key creation process.
1895
 *
1896
 * \param[in,out] slot  Pointer to the slot with key material.
1897
 * \param[in] driver    The secure element driver for the key,
1898
 *                      or NULL for a transparent key.
1899
 * \param[out] key      On success, identifier of the key. Note that the
1900
 *                      key identifier is also stored in the key slot.
1901
 *
1902
 * \retval #PSA_SUCCESS
1903
 *         The key was successfully created.
1904
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1905
 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
1906
 * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
1907
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
1908
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
1909
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1910
 *
1911
 * \return If this function fails, the key slot is an invalid state.
1912
 *         You must call psa_fail_key_creation() to wipe and free the slot.
1913
 */
1914
static psa_status_t psa_finish_key_creation(
1915
    psa_key_slot_t *slot,
1916
    psa_se_drv_table_entry_t *driver,
1917
    mbedtls_svc_key_id_t *key)
1918
0
{
1919
0
    psa_status_t status = PSA_SUCCESS;
1920
0
    (void) slot;
1921
0
    (void) driver;
1922
1923
0
#if defined(MBEDTLS_THREADING_C)
1924
0
    PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
1925
0
                              &mbedtls_threading_key_slot_mutex));
1926
0
#endif
1927
1928
0
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
1929
0
    if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
1930
0
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1931
0
        if (driver != NULL) {
1932
0
            psa_se_key_data_storage_t data;
1933
0
            psa_key_slot_number_t slot_number =
1934
0
                psa_key_slot_get_slot_number(slot);
1935
1936
0
            MBEDTLS_STATIC_ASSERT(sizeof(slot_number) ==
1937
0
                                  sizeof(data.slot_number),
1938
0
                                  "Slot number size does not match psa_se_key_data_storage_t");
1939
1940
0
            memcpy(&data.slot_number, &slot_number, sizeof(slot_number));
1941
0
            status = psa_save_persistent_key(&slot->attr,
1942
0
                                             (uint8_t *) &data,
1943
0
                                             sizeof(data));
1944
0
        } else
1945
0
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1946
0
        {
1947
            /* Key material is saved in export representation in the slot, so
1948
             * just pass the slot buffer for storage. */
1949
0
            status = psa_save_persistent_key(&slot->attr,
1950
0
                                             slot->key.data,
1951
0
                                             slot->key.bytes);
1952
0
        }
1953
0
    }
1954
0
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
1955
1956
0
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1957
    /* Finish the transaction for a key creation. This does not
1958
     * happen when registering an existing key. Detect this case
1959
     * by checking whether a transaction is in progress (actual
1960
     * creation of a persistent key in a secure element requires a transaction,
1961
     * but registration or volatile key creation doesn't use one). */
1962
0
    if (driver != NULL &&
1963
0
        psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY) {
1964
0
        status = psa_save_se_persistent_data(driver);
1965
0
        if (status != PSA_SUCCESS) {
1966
0
            psa_destroy_persistent_key(slot->attr.id);
1967
1968
0
#if defined(MBEDTLS_THREADING_C)
1969
0
            PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1970
0
                                      &mbedtls_threading_key_slot_mutex));
1971
0
#endif
1972
0
            return status;
1973
0
        }
1974
0
        status = psa_crypto_stop_transaction();
1975
0
    }
1976
0
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1977
1978
0
    if (status == PSA_SUCCESS) {
1979
0
        *key = slot->attr.id;
1980
0
        status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING,
1981
0
                                               PSA_SLOT_FULL);
1982
0
        if (status != PSA_SUCCESS) {
1983
0
            *key = MBEDTLS_SVC_KEY_ID_INIT;
1984
0
        }
1985
0
    }
1986
1987
0
#if defined(MBEDTLS_THREADING_C)
1988
0
    PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1989
0
                              &mbedtls_threading_key_slot_mutex));
1990
0
#endif
1991
0
    return status;
1992
0
}
1993
1994
/** Abort the creation of a key.
1995
 *
1996
 * You may call this function after calling psa_start_key_creation(),
1997
 * or after psa_finish_key_creation() fails. In other circumstances, this
1998
 * function may not clean up persistent storage.
1999
 * See the documentation of psa_start_key_creation() for the intended use
2000
 * of this function. Sets the slot's state to PSA_SLOT_EMPTY.
2001
 *
2002
 * \param[in,out] slot  Pointer to the slot with key material.
2003
 * \param[in] driver    The secure element driver for the key,
2004
 *                      or NULL for a transparent key.
2005
 */
2006
static void psa_fail_key_creation(psa_key_slot_t *slot,
2007
                                  psa_se_drv_table_entry_t *driver)
2008
0
{
2009
0
    (void) driver;
2010
2011
0
    if (slot == NULL) {
2012
0
        return;
2013
0
    }
2014
2015
0
#if defined(MBEDTLS_THREADING_C)
2016
    /* If the lock operation fails we still wipe the slot.
2017
     * Operations will no longer work after a failed lock,
2018
     * but we still need to wipe the slot of confidential data. */
2019
0
    mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex);
2020
0
#endif
2021
2022
0
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
2023
    /* TODO: If the key has already been created in the secure
2024
     * element, and the failure happened later (when saving metadata
2025
     * to internal storage), we need to destroy the key in the secure
2026
     * element.
2027
     * https://github.com/ARMmbed/mbed-crypto/issues/217
2028
     */
2029
2030
    /* Abort the ongoing transaction if any (there may not be one if
2031
     * the creation process failed before starting one, or if the
2032
     * key creation is a registration of a key in a secure element).
2033
     * Earlier functions must already have done what it takes to undo any
2034
     * partial creation. All that's left is to update the transaction data
2035
     * itself. */
2036
0
    (void) psa_crypto_stop_transaction();
2037
0
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2038
2039
0
    psa_wipe_key_slot(slot);
2040
2041
0
#if defined(MBEDTLS_THREADING_C)
2042
0
    mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex);
2043
0
#endif
2044
0
}
2045
2046
/** Validate optional attributes during key creation.
2047
 *
2048
 * Some key attributes are optional during key creation. If they are
2049
 * specified in the attributes structure, check that they are consistent
2050
 * with the data in the slot.
2051
 *
2052
 * This function should be called near the end of key creation, after
2053
 * the slot in memory is fully populated but before saving persistent data.
2054
 */
2055
static psa_status_t psa_validate_optional_attributes(
2056
    const psa_key_slot_t *slot,
2057
    const psa_key_attributes_t *attributes)
2058
0
{
2059
0
    if (attributes->type != 0) {
2060
0
        if (attributes->type != slot->attr.type) {
2061
0
            return PSA_ERROR_INVALID_ARGUMENT;
2062
0
        }
2063
0
    }
2064
2065
0
    if (attributes->bits != 0) {
2066
0
        if (attributes->bits != slot->attr.bits) {
2067
0
            return PSA_ERROR_INVALID_ARGUMENT;
2068
0
        }
2069
0
    }
2070
2071
0
    return PSA_SUCCESS;
2072
0
}
2073
2074
psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
2075
                            const uint8_t *data_external,
2076
                            size_t data_length,
2077
                            mbedtls_svc_key_id_t *key)
2078
0
{
2079
0
    psa_status_t status;
2080
0
    LOCAL_INPUT_DECLARE(data_external, data);
2081
0
    psa_key_slot_t *slot = NULL;
2082
0
    psa_se_drv_table_entry_t *driver = NULL;
2083
0
    size_t bits;
2084
0
    size_t storage_size = data_length;
2085
2086
0
    *key = MBEDTLS_SVC_KEY_ID_INIT;
2087
2088
    /* Reject zero-length symmetric keys (including raw data key objects).
2089
     * This also rejects any key which might be encoded as an empty string,
2090
     * which is never valid. */
2091
0
    if (data_length == 0) {
2092
0
        return PSA_ERROR_INVALID_ARGUMENT;
2093
0
    }
2094
2095
    /* Ensure that the bytes-to-bits conversion cannot overflow. */
2096
0
    if (data_length > SIZE_MAX / 8) {
2097
0
        return PSA_ERROR_NOT_SUPPORTED;
2098
0
    }
2099
2100
0
    LOCAL_INPUT_ALLOC(data_external, data_length, data);
2101
2102
0
    status = psa_start_key_creation(PSA_KEY_CREATION_IMPORT, attributes,
2103
0
                                    &slot, &driver);
2104
0
    if (status != PSA_SUCCESS) {
2105
0
        goto exit;
2106
0
    }
2107
2108
    /* In the case of a transparent key or an opaque key stored in local
2109
     * storage ( thus not in the case of importing a key in a secure element
2110
     * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
2111
     * buffer to hold the imported key material. */
2112
0
    if (slot->key.bytes == 0) {
2113
0
        if (psa_key_lifetime_is_external(attributes->lifetime)) {
2114
0
            status = psa_driver_wrapper_get_key_buffer_size_from_key_data(
2115
0
                attributes, data, data_length, &storage_size);
2116
0
            if (status != PSA_SUCCESS) {
2117
0
                goto exit;
2118
0
            }
2119
0
        }
2120
0
        status = psa_allocate_buffer_to_slot(slot, storage_size);
2121
0
        if (status != PSA_SUCCESS) {
2122
0
            goto exit;
2123
0
        }
2124
0
    }
2125
2126
0
    bits = slot->attr.bits;
2127
0
    status = psa_driver_wrapper_import_key(attributes,
2128
0
                                           data, data_length,
2129
0
                                           slot->key.data,
2130
0
                                           slot->key.bytes,
2131
0
                                           &slot->key.bytes, &bits);
2132
0
    if (status != PSA_SUCCESS) {
2133
0
        goto exit;
2134
0
    }
2135
2136
0
    if (slot->attr.bits == 0) {
2137
0
        slot->attr.bits = (psa_key_bits_t) bits;
2138
0
    } else if (bits != slot->attr.bits) {
2139
0
        status = PSA_ERROR_INVALID_ARGUMENT;
2140
0
        goto exit;
2141
0
    }
2142
2143
    /* Enforce a size limit, and in particular ensure that the bit
2144
     * size fits in its representation type.*/
2145
0
    if (bits > PSA_MAX_KEY_BITS) {
2146
0
        status = PSA_ERROR_NOT_SUPPORTED;
2147
0
        goto exit;
2148
0
    }
2149
0
    status = psa_validate_optional_attributes(slot, attributes);
2150
0
    if (status != PSA_SUCCESS) {
2151
0
        goto exit;
2152
0
    }
2153
2154
0
    status = psa_finish_key_creation(slot, driver, key);
2155
0
exit:
2156
0
    LOCAL_INPUT_FREE(data_external, data);
2157
0
    if (status != PSA_SUCCESS) {
2158
0
        psa_fail_key_creation(slot, driver);
2159
0
    }
2160
2161
0
    return status;
2162
0
}
2163
2164
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
2165
psa_status_t mbedtls_psa_register_se_key(
2166
    const psa_key_attributes_t *attributes)
2167
0
{
2168
0
    psa_status_t status;
2169
0
    psa_key_slot_t *slot = NULL;
2170
0
    psa_se_drv_table_entry_t *driver = NULL;
2171
0
    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2172
2173
    /* Leaving attributes unspecified is not currently supported.
2174
     * It could make sense to query the key type and size from the
2175
     * secure element, but not all secure elements support this
2176
     * and the driver HAL doesn't currently support it. */
2177
0
    if (psa_get_key_type(attributes) == PSA_KEY_TYPE_NONE) {
2178
0
        return PSA_ERROR_NOT_SUPPORTED;
2179
0
    }
2180
0
    if (psa_get_key_bits(attributes) == 0) {
2181
0
        return PSA_ERROR_NOT_SUPPORTED;
2182
0
    }
2183
2184
    /* Not usable with volatile keys, even with an appropriate location,
2185
     * due to the API design.
2186
     * https://github.com/Mbed-TLS/mbedtls/issues/9253
2187
     */
2188
0
    if (PSA_KEY_LIFETIME_IS_VOLATILE(psa_get_key_lifetime(attributes))) {
2189
0
        return PSA_ERROR_INVALID_ARGUMENT;
2190
0
    }
2191
2192
0
    status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
2193
0
                                    &slot, &driver);
2194
0
    if (status != PSA_SUCCESS) {
2195
0
        goto exit;
2196
0
    }
2197
2198
0
    status = psa_finish_key_creation(slot, driver, &key);
2199
2200
0
exit:
2201
0
    if (status != PSA_SUCCESS) {
2202
0
        psa_fail_key_creation(slot, driver);
2203
0
    }
2204
2205
    /* Registration doesn't keep the key in RAM. */
2206
0
    psa_close_key(key);
2207
0
    return status;
2208
0
}
2209
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2210
2211
psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
2212
                          const psa_key_attributes_t *specified_attributes,
2213
                          mbedtls_svc_key_id_t *target_key)
2214
0
{
2215
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2216
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2217
0
    psa_key_slot_t *source_slot = NULL;
2218
0
    psa_key_slot_t *target_slot = NULL;
2219
0
    psa_key_attributes_t actual_attributes = *specified_attributes;
2220
0
    psa_se_drv_table_entry_t *driver = NULL;
2221
0
    size_t storage_size = 0;
2222
2223
0
    *target_key = MBEDTLS_SVC_KEY_ID_INIT;
2224
2225
0
    status = psa_get_and_lock_key_slot_with_policy(
2226
0
        source_key, &source_slot, PSA_KEY_USAGE_COPY, 0);
2227
0
    if (status != PSA_SUCCESS) {
2228
0
        goto exit;
2229
0
    }
2230
2231
0
    status = psa_validate_optional_attributes(source_slot,
2232
0
                                              specified_attributes);
2233
0
    if (status != PSA_SUCCESS) {
2234
0
        goto exit;
2235
0
    }
2236
2237
    /* The target key type and number of bits have been validated by
2238
     * psa_validate_optional_attributes() to be either equal to zero or
2239
     * equal to the ones of the source key. So it is safe to inherit
2240
     * them from the source key now."
2241
     * */
2242
0
    actual_attributes.bits = source_slot->attr.bits;
2243
0
    actual_attributes.type = source_slot->attr.type;
2244
2245
2246
0
    status = psa_restrict_key_policy(source_slot->attr.type,
2247
0
                                     &actual_attributes.policy,
2248
0
                                     &source_slot->attr.policy);
2249
0
    if (status != PSA_SUCCESS) {
2250
0
        goto exit;
2251
0
    }
2252
2253
0
    status = psa_start_key_creation(PSA_KEY_CREATION_COPY, &actual_attributes,
2254
0
                                    &target_slot, &driver);
2255
0
    if (status != PSA_SUCCESS) {
2256
0
        goto exit;
2257
0
    }
2258
0
    if (PSA_KEY_LIFETIME_GET_LOCATION(target_slot->attr.lifetime) !=
2259
0
        PSA_KEY_LIFETIME_GET_LOCATION(source_slot->attr.lifetime)) {
2260
        /*
2261
         * If the source and target keys are stored in different locations,
2262
         * the source key would need to be exported as plaintext and re-imported
2263
         * in the other location. This has security implications which have not
2264
         * been fully mapped. For now, this can be achieved through
2265
         * appropriate API invocations from the application, if needed.
2266
         * */
2267
0
        status = PSA_ERROR_NOT_SUPPORTED;
2268
0
        goto exit;
2269
0
    }
2270
    /*
2271
     * When the source and target keys are within the same location,
2272
     * - For transparent keys it is a blind copy without any driver invocation,
2273
     * - For opaque keys this translates to an invocation of the drivers'
2274
     *   copy_key entry point through the dispatch layer.
2275
     * */
2276
0
    if (psa_key_lifetime_is_external(actual_attributes.lifetime)) {
2277
0
        status = psa_driver_wrapper_get_key_buffer_size(&actual_attributes,
2278
0
                                                        &storage_size);
2279
0
        if (status != PSA_SUCCESS) {
2280
0
            goto exit;
2281
0
        }
2282
2283
0
        status = psa_allocate_buffer_to_slot(target_slot, storage_size);
2284
0
        if (status != PSA_SUCCESS) {
2285
0
            goto exit;
2286
0
        }
2287
2288
0
        status = psa_driver_wrapper_copy_key(&actual_attributes,
2289
0
                                             source_slot->key.data,
2290
0
                                             source_slot->key.bytes,
2291
0
                                             target_slot->key.data,
2292
0
                                             target_slot->key.bytes,
2293
0
                                             &target_slot->key.bytes);
2294
0
        if (status != PSA_SUCCESS) {
2295
0
            goto exit;
2296
0
        }
2297
0
    } else {
2298
0
        status = psa_copy_key_material_into_slot(target_slot,
2299
0
                                                 source_slot->key.data,
2300
0
                                                 source_slot->key.bytes);
2301
0
        if (status != PSA_SUCCESS) {
2302
0
            goto exit;
2303
0
        }
2304
0
    }
2305
0
    status = psa_finish_key_creation(target_slot, driver, target_key);
2306
0
exit:
2307
0
    if (status != PSA_SUCCESS) {
2308
0
        psa_fail_key_creation(target_slot, driver);
2309
0
    }
2310
2311
0
    unlock_status = psa_unregister_read_under_mutex(source_slot);
2312
2313
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
2314
0
}
2315
2316
2317
2318
/****************************************************************/
2319
/* Message digests */
2320
/****************************************************************/
2321
2322
static int is_hash_supported(psa_algorithm_t alg)
2323
0
{
2324
0
    switch (alg) {
2325
0
#if defined(PSA_WANT_ALG_MD5)
2326
0
        case PSA_ALG_MD5:
2327
0
            return 1;
2328
0
#endif
2329
0
#if defined(PSA_WANT_ALG_RIPEMD160)
2330
0
        case PSA_ALG_RIPEMD160:
2331
0
            return 1;
2332
0
#endif
2333
0
#if defined(PSA_WANT_ALG_SHA_1)
2334
0
        case PSA_ALG_SHA_1:
2335
0
            return 1;
2336
0
#endif
2337
0
#if defined(PSA_WANT_ALG_SHA_224)
2338
0
        case PSA_ALG_SHA_224:
2339
0
            return 1;
2340
0
#endif
2341
0
#if defined(PSA_WANT_ALG_SHA_256)
2342
0
        case PSA_ALG_SHA_256:
2343
0
            return 1;
2344
0
#endif
2345
0
#if defined(PSA_WANT_ALG_SHA_384)
2346
0
        case PSA_ALG_SHA_384:
2347
0
            return 1;
2348
0
#endif
2349
0
#if defined(PSA_WANT_ALG_SHA_512)
2350
0
        case PSA_ALG_SHA_512:
2351
0
            return 1;
2352
0
#endif
2353
0
#if defined(PSA_WANT_ALG_SHA3_224)
2354
0
        case PSA_ALG_SHA3_224:
2355
0
            return 1;
2356
0
#endif
2357
0
#if defined(PSA_WANT_ALG_SHA3_256)
2358
0
        case PSA_ALG_SHA3_256:
2359
0
            return 1;
2360
0
#endif
2361
0
#if defined(PSA_WANT_ALG_SHA3_384)
2362
0
        case PSA_ALG_SHA3_384:
2363
0
            return 1;
2364
0
#endif
2365
0
#if defined(PSA_WANT_ALG_SHA3_512)
2366
0
        case PSA_ALG_SHA3_512:
2367
0
            return 1;
2368
0
#endif
2369
0
        default:
2370
0
            return 0;
2371
0
    }
2372
0
}
2373
2374
psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
2375
0
{
2376
    /* Aborting a non-active operation is allowed */
2377
0
    if (operation->id == 0) {
2378
0
        return PSA_SUCCESS;
2379
0
    }
2380
2381
0
    psa_status_t status = psa_driver_wrapper_hash_abort(operation);
2382
0
    operation->id = 0;
2383
2384
0
    return status;
2385
0
}
2386
2387
psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
2388
                            psa_algorithm_t alg)
2389
0
{
2390
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2391
2392
    /* A context must be freshly initialized before it can be set up. */
2393
0
    if (operation->id != 0) {
2394
0
        status = PSA_ERROR_BAD_STATE;
2395
0
        goto exit;
2396
0
    }
2397
2398
0
    if (!PSA_ALG_IS_HASH(alg)) {
2399
0
        status = PSA_ERROR_INVALID_ARGUMENT;
2400
0
        goto exit;
2401
0
    }
2402
2403
    /* Ensure all of the context is zeroized, since PSA_HASH_OPERATION_INIT only
2404
     * directly zeroes the int-sized dummy member of the context union. */
2405
0
    memset(&operation->ctx, 0, sizeof(operation->ctx));
2406
2407
0
    status = psa_driver_wrapper_hash_setup(operation, alg);
2408
2409
0
exit:
2410
0
    if (status != PSA_SUCCESS) {
2411
0
        psa_hash_abort(operation);
2412
0
    }
2413
2414
0
    return status;
2415
0
}
2416
2417
psa_status_t psa_hash_update(psa_hash_operation_t *operation,
2418
                             const uint8_t *input_external,
2419
                             size_t input_length)
2420
0
{
2421
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2422
0
    LOCAL_INPUT_DECLARE(input_external, input);
2423
2424
0
    if (operation->id == 0) {
2425
0
        status = PSA_ERROR_BAD_STATE;
2426
0
        goto exit;
2427
0
    }
2428
2429
    /* Don't require hash implementations to behave correctly on a
2430
     * zero-length input, which may have an invalid pointer. */
2431
0
    if (input_length == 0) {
2432
0
        return PSA_SUCCESS;
2433
0
    }
2434
2435
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
2436
0
    status = psa_driver_wrapper_hash_update(operation, input, input_length);
2437
2438
0
exit:
2439
0
    if (status != PSA_SUCCESS) {
2440
0
        psa_hash_abort(operation);
2441
0
    }
2442
2443
0
    LOCAL_INPUT_FREE(input_external, input);
2444
0
    return status;
2445
0
}
2446
2447
static psa_status_t psa_hash_finish_internal(psa_hash_operation_t *operation,
2448
                                             uint8_t *hash,
2449
                                             size_t hash_size,
2450
                                             size_t *hash_length)
2451
0
{
2452
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2453
2454
0
    *hash_length = 0;
2455
0
    if (operation->id == 0) {
2456
0
        return PSA_ERROR_BAD_STATE;
2457
0
    }
2458
2459
0
    status = psa_driver_wrapper_hash_finish(
2460
0
        operation, hash, hash_size, hash_length);
2461
0
    psa_hash_abort(operation);
2462
2463
0
    return status;
2464
0
}
2465
2466
psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
2467
                             uint8_t *hash_external,
2468
                             size_t hash_size,
2469
                             size_t *hash_length)
2470
0
{
2471
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2472
0
    LOCAL_OUTPUT_DECLARE(hash_external, hash);
2473
2474
0
    LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
2475
0
    status = psa_hash_finish_internal(operation, hash, hash_size, hash_length);
2476
2477
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2478
0
exit:
2479
0
#endif
2480
0
    LOCAL_OUTPUT_FREE(hash_external, hash);
2481
0
    return status;
2482
0
}
2483
2484
psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
2485
                             const uint8_t *hash_external,
2486
                             size_t hash_length)
2487
0
{
2488
0
    uint8_t actual_hash[PSA_HASH_MAX_SIZE];
2489
0
    size_t actual_hash_length;
2490
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2491
0
    LOCAL_INPUT_DECLARE(hash_external, hash);
2492
2493
0
    status = psa_hash_finish_internal(
2494
0
        operation,
2495
0
        actual_hash, sizeof(actual_hash),
2496
0
        &actual_hash_length);
2497
2498
0
    if (status != PSA_SUCCESS) {
2499
0
        goto exit;
2500
0
    }
2501
2502
0
    if (actual_hash_length != hash_length) {
2503
0
        status = PSA_ERROR_INVALID_SIGNATURE;
2504
0
        goto exit;
2505
0
    }
2506
2507
0
    LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
2508
0
    if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
2509
0
        status = PSA_ERROR_INVALID_SIGNATURE;
2510
0
    }
2511
2512
0
exit:
2513
0
    mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
2514
0
    if (status != PSA_SUCCESS) {
2515
0
        psa_hash_abort(operation);
2516
0
    }
2517
0
    LOCAL_INPUT_FREE(hash_external, hash);
2518
0
    return status;
2519
0
}
2520
2521
psa_status_t psa_hash_compute(psa_algorithm_t alg,
2522
                              const uint8_t *input_external, size_t input_length,
2523
                              uint8_t *hash_external, size_t hash_size,
2524
                              size_t *hash_length)
2525
0
{
2526
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2527
0
    LOCAL_INPUT_DECLARE(input_external, input);
2528
0
    LOCAL_OUTPUT_DECLARE(hash_external, hash);
2529
2530
0
    *hash_length = 0;
2531
0
    if (!PSA_ALG_IS_HASH(alg)) {
2532
0
        return PSA_ERROR_INVALID_ARGUMENT;
2533
0
    }
2534
2535
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
2536
0
    LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
2537
0
    status = psa_driver_wrapper_hash_compute(alg, input, input_length,
2538
0
                                             hash, hash_size, hash_length);
2539
2540
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2541
0
exit:
2542
0
#endif
2543
0
    LOCAL_INPUT_FREE(input_external, input);
2544
0
    LOCAL_OUTPUT_FREE(hash_external, hash);
2545
0
    return status;
2546
0
}
2547
2548
psa_status_t psa_hash_compare(psa_algorithm_t alg,
2549
                              const uint8_t *input_external, size_t input_length,
2550
                              const uint8_t *hash_external, size_t hash_length)
2551
0
{
2552
0
    uint8_t actual_hash[PSA_HASH_MAX_SIZE];
2553
0
    size_t actual_hash_length;
2554
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2555
2556
0
    LOCAL_INPUT_DECLARE(input_external, input);
2557
0
    LOCAL_INPUT_DECLARE(hash_external, hash);
2558
2559
0
    if (!PSA_ALG_IS_HASH(alg)) {
2560
0
        status = PSA_ERROR_INVALID_ARGUMENT;
2561
0
        return status;
2562
0
    }
2563
2564
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
2565
0
    status = psa_driver_wrapper_hash_compute(
2566
0
        alg, input, input_length,
2567
0
        actual_hash, sizeof(actual_hash),
2568
0
        &actual_hash_length);
2569
0
    if (status != PSA_SUCCESS) {
2570
0
        goto exit;
2571
0
    }
2572
0
    if (actual_hash_length != hash_length) {
2573
0
        status = PSA_ERROR_INVALID_SIGNATURE;
2574
0
        goto exit;
2575
0
    }
2576
2577
0
    LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
2578
0
    if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
2579
0
        status = PSA_ERROR_INVALID_SIGNATURE;
2580
0
    }
2581
2582
0
exit:
2583
0
    mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
2584
2585
0
    LOCAL_INPUT_FREE(input_external, input);
2586
0
    LOCAL_INPUT_FREE(hash_external, hash);
2587
2588
0
    return status;
2589
0
}
2590
2591
psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
2592
                            psa_hash_operation_t *target_operation)
2593
0
{
2594
0
    if (source_operation->id == 0 ||
2595
0
        target_operation->id != 0) {
2596
0
        return PSA_ERROR_BAD_STATE;
2597
0
    }
2598
2599
0
    psa_status_t status = psa_driver_wrapper_hash_clone(source_operation,
2600
0
                                                        target_operation);
2601
0
    if (status != PSA_SUCCESS) {
2602
0
        psa_hash_abort(target_operation);
2603
0
    }
2604
2605
0
    return status;
2606
0
}
2607
2608
2609
/****************************************************************/
2610
/* MAC */
2611
/****************************************************************/
2612
2613
psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
2614
0
{
2615
    /* Aborting a non-active operation is allowed */
2616
0
    if (operation->id == 0) {
2617
0
        return PSA_SUCCESS;
2618
0
    }
2619
2620
0
    psa_status_t status = psa_driver_wrapper_mac_abort(operation);
2621
0
    operation->mac_size = 0;
2622
0
    operation->is_sign = 0;
2623
0
    operation->id = 0;
2624
2625
0
    return status;
2626
0
}
2627
2628
static psa_status_t psa_mac_finalize_alg_and_key_validation(
2629
    psa_algorithm_t alg,
2630
    const psa_key_attributes_t *attributes,
2631
    uint8_t *mac_size)
2632
0
{
2633
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2634
0
    psa_key_type_t key_type = psa_get_key_type(attributes);
2635
0
    size_t key_bits = psa_get_key_bits(attributes);
2636
2637
0
    if (!PSA_ALG_IS_MAC(alg)) {
2638
0
        return PSA_ERROR_INVALID_ARGUMENT;
2639
0
    }
2640
2641
    /* Validate the combination of key type and algorithm */
2642
0
    status = psa_mac_key_can_do(alg, key_type);
2643
0
    if (status != PSA_SUCCESS) {
2644
0
        return status;
2645
0
    }
2646
2647
    /* Get the output length for the algorithm and key combination */
2648
0
    *mac_size = PSA_MAC_LENGTH(key_type, key_bits, alg);
2649
2650
0
    if (*mac_size < 4) {
2651
        /* A very short MAC is too short for security since it can be
2652
         * brute-forced. Ancient protocols with 32-bit MACs do exist,
2653
         * so we make this our minimum, even though 32 bits is still
2654
         * too small for security. */
2655
0
        return PSA_ERROR_NOT_SUPPORTED;
2656
0
    }
2657
2658
0
    if (*mac_size > PSA_MAC_LENGTH(key_type, key_bits,
2659
0
                                   PSA_ALG_FULL_LENGTH_MAC(alg))) {
2660
        /* It's impossible to "truncate" to a larger length than the full length
2661
         * of the algorithm. */
2662
0
        return PSA_ERROR_INVALID_ARGUMENT;
2663
0
    }
2664
2665
0
    if (*mac_size > PSA_MAC_MAX_SIZE) {
2666
        /* PSA_MAC_LENGTH returns the correct length even for a MAC algorithm
2667
         * that is disabled in the compile-time configuration. The result can
2668
         * therefore be larger than PSA_MAC_MAX_SIZE, which does take the
2669
         * configuration into account. In this case, force a return of
2670
         * PSA_ERROR_NOT_SUPPORTED here. Otherwise psa_mac_verify(), or
2671
         * psa_mac_compute(mac_size=PSA_MAC_MAX_SIZE), would return
2672
         * PSA_ERROR_BUFFER_TOO_SMALL for an unsupported algorithm whose MAC size
2673
         * is larger than PSA_MAC_MAX_SIZE, which is misleading and which breaks
2674
         * systematically generated tests. */
2675
0
        return PSA_ERROR_NOT_SUPPORTED;
2676
0
    }
2677
2678
0
    return PSA_SUCCESS;
2679
0
}
2680
2681
static psa_status_t psa_mac_setup(psa_mac_operation_t *operation,
2682
                                  mbedtls_svc_key_id_t key,
2683
                                  psa_algorithm_t alg,
2684
                                  int is_sign)
2685
0
{
2686
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2687
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2688
0
    psa_key_slot_t *slot = NULL;
2689
2690
    /* A context must be freshly initialized before it can be set up. */
2691
0
    if (operation->id != 0) {
2692
0
        status = PSA_ERROR_BAD_STATE;
2693
0
        goto exit;
2694
0
    }
2695
2696
0
    status = psa_get_and_lock_key_slot_with_policy(
2697
0
        key,
2698
0
        &slot,
2699
0
        is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
2700
0
        alg);
2701
0
    if (status != PSA_SUCCESS) {
2702
0
        goto exit;
2703
0
    }
2704
2705
0
    status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr,
2706
0
                                                     &operation->mac_size);
2707
0
    if (status != PSA_SUCCESS) {
2708
0
        goto exit;
2709
0
    }
2710
2711
0
    operation->is_sign = is_sign;
2712
    /* Dispatch the MAC setup call with validated input */
2713
0
    if (is_sign) {
2714
0
        status = psa_driver_wrapper_mac_sign_setup(operation,
2715
0
                                                   &slot->attr,
2716
0
                                                   slot->key.data,
2717
0
                                                   slot->key.bytes,
2718
0
                                                   alg);
2719
0
    } else {
2720
0
        status = psa_driver_wrapper_mac_verify_setup(operation,
2721
0
                                                     &slot->attr,
2722
0
                                                     slot->key.data,
2723
0
                                                     slot->key.bytes,
2724
0
                                                     alg);
2725
0
    }
2726
2727
0
exit:
2728
0
    if (status != PSA_SUCCESS) {
2729
0
        psa_mac_abort(operation);
2730
0
    }
2731
2732
0
    unlock_status = psa_unregister_read_under_mutex(slot);
2733
2734
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
2735
0
}
2736
2737
psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
2738
                                mbedtls_svc_key_id_t key,
2739
                                psa_algorithm_t alg)
2740
0
{
2741
0
    return psa_mac_setup(operation, key, alg, 1);
2742
0
}
2743
2744
psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
2745
                                  mbedtls_svc_key_id_t key,
2746
                                  psa_algorithm_t alg)
2747
0
{
2748
0
    return psa_mac_setup(operation, key, alg, 0);
2749
0
}
2750
2751
psa_status_t psa_mac_update(psa_mac_operation_t *operation,
2752
                            const uint8_t *input_external,
2753
                            size_t input_length)
2754
0
{
2755
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2756
0
    LOCAL_INPUT_DECLARE(input_external, input);
2757
2758
0
    if (operation->id == 0) {
2759
0
        status = PSA_ERROR_BAD_STATE;
2760
0
        return status;
2761
0
    }
2762
2763
    /* Don't require hash implementations to behave correctly on a
2764
     * zero-length input, which may have an invalid pointer. */
2765
0
    if (input_length == 0) {
2766
0
        status = PSA_SUCCESS;
2767
0
        return status;
2768
0
    }
2769
2770
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
2771
0
    status = psa_driver_wrapper_mac_update(operation, input, input_length);
2772
2773
0
    if (status != PSA_SUCCESS) {
2774
0
        psa_mac_abort(operation);
2775
0
    }
2776
2777
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2778
0
exit:
2779
0
#endif
2780
0
    LOCAL_INPUT_FREE(input_external, input);
2781
2782
0
    return status;
2783
0
}
2784
2785
psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
2786
                                 uint8_t *mac_external,
2787
                                 size_t mac_size,
2788
                                 size_t *mac_length)
2789
0
{
2790
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2791
0
    psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
2792
0
    LOCAL_OUTPUT_DECLARE(mac_external, mac);
2793
0
    LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
2794
2795
0
    if (operation->id == 0) {
2796
0
        status = PSA_ERROR_BAD_STATE;
2797
0
        goto exit;
2798
0
    }
2799
2800
0
    if (!operation->is_sign) {
2801
0
        status = PSA_ERROR_BAD_STATE;
2802
0
        goto exit;
2803
0
    }
2804
2805
    /* Sanity check. This will guarantee that mac_size != 0 (and so mac != NULL)
2806
     * once all the error checks are done. */
2807
0
    if (operation->mac_size == 0) {
2808
0
        status = PSA_ERROR_BAD_STATE;
2809
0
        goto exit;
2810
0
    }
2811
2812
0
    if (mac_size < operation->mac_size) {
2813
0
        status = PSA_ERROR_BUFFER_TOO_SMALL;
2814
0
        goto exit;
2815
0
    }
2816
2817
2818
0
    status = psa_driver_wrapper_mac_sign_finish(operation,
2819
0
                                                mac, operation->mac_size,
2820
0
                                                mac_length);
2821
2822
0
exit:
2823
    /* In case of success, set the potential excess room in the output buffer
2824
     * to an invalid value, to avoid potentially leaking a longer MAC.
2825
     * In case of error, set the output length and content to a safe default,
2826
     * such that in case the caller misses an error check, the output would be
2827
     * an unachievable MAC.
2828
     */
2829
0
    if (status != PSA_SUCCESS) {
2830
0
        *mac_length = mac_size;
2831
0
        operation->mac_size = 0;
2832
0
    }
2833
2834
0
    if (mac != NULL) {
2835
0
        psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
2836
0
    }
2837
2838
0
    abort_status = psa_mac_abort(operation);
2839
0
    LOCAL_OUTPUT_FREE(mac_external, mac);
2840
2841
0
    return status == PSA_SUCCESS ? abort_status : status;
2842
0
}
2843
2844
psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
2845
                                   const uint8_t *mac_external,
2846
                                   size_t mac_length)
2847
0
{
2848
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2849
0
    psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
2850
0
    LOCAL_INPUT_DECLARE(mac_external, mac);
2851
2852
0
    if (operation->id == 0) {
2853
0
        status = PSA_ERROR_BAD_STATE;
2854
0
        goto exit;
2855
0
    }
2856
2857
0
    if (operation->is_sign) {
2858
0
        status = PSA_ERROR_BAD_STATE;
2859
0
        goto exit;
2860
0
    }
2861
2862
0
    if (operation->mac_size != mac_length) {
2863
0
        status = PSA_ERROR_INVALID_SIGNATURE;
2864
0
        goto exit;
2865
0
    }
2866
2867
0
    LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
2868
0
    status = psa_driver_wrapper_mac_verify_finish(operation,
2869
0
                                                  mac, mac_length);
2870
2871
0
exit:
2872
0
    abort_status = psa_mac_abort(operation);
2873
0
    LOCAL_INPUT_FREE(mac_external, mac);
2874
2875
0
    return status == PSA_SUCCESS ? abort_status : status;
2876
0
}
2877
2878
static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key,
2879
                                             psa_algorithm_t alg,
2880
                                             const uint8_t *input,
2881
                                             size_t input_length,
2882
                                             uint8_t *mac,
2883
                                             size_t mac_size,
2884
                                             size_t *mac_length,
2885
                                             int is_sign)
2886
0
{
2887
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2888
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2889
0
    psa_key_slot_t *slot;
2890
0
    uint8_t operation_mac_size = 0;
2891
2892
0
    status = psa_get_and_lock_key_slot_with_policy(
2893
0
        key,
2894
0
        &slot,
2895
0
        is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
2896
0
        alg);
2897
0
    if (status != PSA_SUCCESS) {
2898
0
        goto exit;
2899
0
    }
2900
2901
0
    status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr,
2902
0
                                                     &operation_mac_size);
2903
0
    if (status != PSA_SUCCESS) {
2904
0
        goto exit;
2905
0
    }
2906
2907
0
    if (mac_size < operation_mac_size) {
2908
0
        status = PSA_ERROR_BUFFER_TOO_SMALL;
2909
0
        goto exit;
2910
0
    }
2911
2912
0
    status = psa_driver_wrapper_mac_compute(
2913
0
        &slot->attr,
2914
0
        slot->key.data, slot->key.bytes,
2915
0
        alg,
2916
0
        input, input_length,
2917
0
        mac, operation_mac_size, mac_length);
2918
2919
0
exit:
2920
    /* In case of success, set the potential excess room in the output buffer
2921
     * to an invalid value, to avoid potentially leaking a longer MAC.
2922
     * In case of error, set the output length and content to a safe default,
2923
     * such that in case the caller misses an error check, the output would be
2924
     * an unachievable MAC.
2925
     */
2926
0
    if (status != PSA_SUCCESS) {
2927
0
        *mac_length = mac_size;
2928
0
        operation_mac_size = 0;
2929
0
    }
2930
2931
0
    psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
2932
2933
0
    unlock_status = psa_unregister_read_under_mutex(slot);
2934
2935
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
2936
0
}
2937
2938
psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
2939
                             psa_algorithm_t alg,
2940
                             const uint8_t *input_external,
2941
                             size_t input_length,
2942
                             uint8_t *mac_external,
2943
                             size_t mac_size,
2944
                             size_t *mac_length)
2945
0
{
2946
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2947
0
    LOCAL_INPUT_DECLARE(input_external, input);
2948
0
    LOCAL_OUTPUT_DECLARE(mac_external, mac);
2949
2950
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
2951
0
    LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
2952
0
    status = psa_mac_compute_internal(key, alg,
2953
0
                                      input, input_length,
2954
0
                                      mac, mac_size, mac_length, 1);
2955
2956
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2957
0
exit:
2958
0
#endif
2959
0
    LOCAL_INPUT_FREE(input_external, input);
2960
0
    LOCAL_OUTPUT_FREE(mac_external, mac);
2961
2962
0
    return status;
2963
0
}
2964
2965
psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
2966
                            psa_algorithm_t alg,
2967
                            const uint8_t *input_external,
2968
                            size_t input_length,
2969
                            const uint8_t *mac_external,
2970
                            size_t mac_length)
2971
0
{
2972
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2973
0
    uint8_t actual_mac[PSA_MAC_MAX_SIZE];
2974
0
    size_t actual_mac_length;
2975
0
    LOCAL_INPUT_DECLARE(input_external, input);
2976
0
    LOCAL_INPUT_DECLARE(mac_external, mac);
2977
2978
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
2979
0
    status = psa_mac_compute_internal(key, alg,
2980
0
                                      input, input_length,
2981
0
                                      actual_mac, sizeof(actual_mac),
2982
0
                                      &actual_mac_length, 0);
2983
0
    if (status != PSA_SUCCESS) {
2984
0
        goto exit;
2985
0
    }
2986
2987
0
    if (mac_length != actual_mac_length) {
2988
0
        status = PSA_ERROR_INVALID_SIGNATURE;
2989
0
        goto exit;
2990
0
    }
2991
2992
0
    LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
2993
0
    if (mbedtls_ct_memcmp(mac, actual_mac, actual_mac_length) != 0) {
2994
0
        status = PSA_ERROR_INVALID_SIGNATURE;
2995
0
        goto exit;
2996
0
    }
2997
2998
0
exit:
2999
0
    mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
3000
0
    LOCAL_INPUT_FREE(input_external, input);
3001
0
    LOCAL_INPUT_FREE(mac_external, mac);
3002
3003
0
    return status;
3004
0
}
3005
3006
/****************************************************************/
3007
/* Asymmetric cryptography */
3008
/****************************************************************/
3009
3010
static psa_status_t psa_sign_verify_check_alg(int input_is_message,
3011
                                              psa_algorithm_t alg)
3012
0
{
3013
0
    if (input_is_message) {
3014
0
        if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) {
3015
0
            return PSA_ERROR_INVALID_ARGUMENT;
3016
0
        }
3017
0
    }
3018
3019
0
    psa_algorithm_t hash_alg = 0;
3020
0
    if (PSA_ALG_IS_SIGN_HASH(alg)) {
3021
0
        hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
3022
0
    }
3023
3024
    /* Now hash_alg==0 if alg by itself doesn't need a hash.
3025
     * This is good enough for sign-hash, but a guaranteed failure for
3026
     * sign-message which needs to hash first for all algorithms
3027
     * supported at the moment. */
3028
3029
0
    if (hash_alg == 0 && input_is_message) {
3030
0
        return PSA_ERROR_INVALID_ARGUMENT;
3031
0
    }
3032
0
    if (hash_alg == PSA_ALG_ANY_HASH) {
3033
0
        return PSA_ERROR_INVALID_ARGUMENT;
3034
0
    }
3035
    /* Give up immediately if the hash is not supported. This has
3036
     * several advantages:
3037
     * - For mechanisms that don't use the hash at all (e.g.
3038
     *   ECDSA verification, randomized ECDSA signature), without
3039
     *   this check, the operation would succeed even though it has
3040
     *   been given an invalid argument. This would not be insecure
3041
     *   since the hash was not necessary, but it would be weird.
3042
     * - For mechanisms that do use the hash, we avoid an error
3043
     *   deep inside the execution. In principle this doesn't matter,
3044
     *   but there is a little more risk of a bug in error handling
3045
     *   deep inside than in this preliminary check.
3046
     * - When calling a driver, the driver might be capable of using
3047
     *   a hash that the core doesn't support. This could potentially
3048
     *   result in a buffer overflow if the hash is larger than the
3049
     *   maximum hash size assumed by the core.
3050
     * - Returning a consistent error makes it possible to test
3051
     *   not-supported hashes in a consistent way.
3052
     */
3053
0
    if (hash_alg != 0 && !is_hash_supported(hash_alg)) {
3054
0
        return PSA_ERROR_NOT_SUPPORTED;
3055
0
    }
3056
3057
0
    return PSA_SUCCESS;
3058
0
}
3059
3060
static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key,
3061
                                      int input_is_message,
3062
                                      psa_algorithm_t alg,
3063
                                      const uint8_t *input,
3064
                                      size_t input_length,
3065
                                      uint8_t *signature,
3066
                                      size_t signature_size,
3067
                                      size_t *signature_length)
3068
0
{
3069
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3070
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3071
0
    psa_key_slot_t *slot;
3072
3073
0
    *signature_length = 0;
3074
3075
0
    status = psa_sign_verify_check_alg(input_is_message, alg);
3076
0
    if (status != PSA_SUCCESS) {
3077
0
        return status;
3078
0
    }
3079
3080
    /* Immediately reject a zero-length signature buffer. This guarantees
3081
     * that signature must be a valid pointer. (On the other hand, the input
3082
     * buffer can in principle be empty since it doesn't actually have
3083
     * to be a hash.) */
3084
0
    if (signature_size == 0) {
3085
0
        return PSA_ERROR_BUFFER_TOO_SMALL;
3086
0
    }
3087
3088
0
    status = psa_get_and_lock_key_slot_with_policy(
3089
0
        key, &slot,
3090
0
        input_is_message ? PSA_KEY_USAGE_SIGN_MESSAGE :
3091
0
        PSA_KEY_USAGE_SIGN_HASH,
3092
0
        alg);
3093
3094
0
    if (status != PSA_SUCCESS) {
3095
0
        goto exit;
3096
0
    }
3097
3098
0
    if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
3099
0
        status = PSA_ERROR_INVALID_ARGUMENT;
3100
0
        goto exit;
3101
0
    }
3102
3103
0
    if (input_is_message) {
3104
0
        status = psa_driver_wrapper_sign_message(
3105
0
            &slot->attr, slot->key.data, slot->key.bytes,
3106
0
            alg, input, input_length,
3107
0
            signature, signature_size, signature_length);
3108
0
    } else {
3109
3110
0
        status = psa_driver_wrapper_sign_hash(
3111
0
            &slot->attr, slot->key.data, slot->key.bytes,
3112
0
            alg, input, input_length,
3113
0
            signature, signature_size, signature_length);
3114
0
    }
3115
3116
3117
0
exit:
3118
0
    psa_wipe_tag_output_buffer(signature, status, signature_size,
3119
0
                               *signature_length);
3120
3121
0
    unlock_status = psa_unregister_read_under_mutex(slot);
3122
3123
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
3124
0
}
3125
3126
static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key,
3127
                                        int input_is_message,
3128
                                        psa_algorithm_t alg,
3129
                                        const uint8_t *input,
3130
                                        size_t input_length,
3131
                                        const uint8_t *signature,
3132
                                        size_t signature_length)
3133
0
{
3134
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3135
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3136
0
    psa_key_slot_t *slot;
3137
3138
0
    status = psa_sign_verify_check_alg(input_is_message, alg);
3139
0
    if (status != PSA_SUCCESS) {
3140
0
        return status;
3141
0
    }
3142
3143
0
    status = psa_get_and_lock_key_slot_with_policy(
3144
0
        key, &slot,
3145
0
        input_is_message ? PSA_KEY_USAGE_VERIFY_MESSAGE :
3146
0
        PSA_KEY_USAGE_VERIFY_HASH,
3147
0
        alg);
3148
3149
0
    if (status != PSA_SUCCESS) {
3150
0
        return status;
3151
0
    }
3152
3153
0
    if (input_is_message) {
3154
0
        status = psa_driver_wrapper_verify_message(
3155
0
            &slot->attr, slot->key.data, slot->key.bytes,
3156
0
            alg, input, input_length,
3157
0
            signature, signature_length);
3158
0
    } else {
3159
0
        status = psa_driver_wrapper_verify_hash(
3160
0
            &slot->attr, slot->key.data, slot->key.bytes,
3161
0
            alg, input, input_length,
3162
0
            signature, signature_length);
3163
0
    }
3164
3165
0
    unlock_status = psa_unregister_read_under_mutex(slot);
3166
3167
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
3168
3169
0
}
3170
3171
psa_status_t psa_sign_message_builtin(
3172
    const psa_key_attributes_t *attributes,
3173
    const uint8_t *key_buffer,
3174
    size_t key_buffer_size,
3175
    psa_algorithm_t alg,
3176
    const uint8_t *input,
3177
    size_t input_length,
3178
    uint8_t *signature,
3179
    size_t signature_size,
3180
    size_t *signature_length)
3181
0
{
3182
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3183
3184
0
    if (PSA_ALG_IS_SIGN_HASH(alg)) {
3185
0
        size_t hash_length;
3186
0
        uint8_t hash[PSA_HASH_MAX_SIZE];
3187
3188
0
        status = psa_driver_wrapper_hash_compute(
3189
0
            PSA_ALG_SIGN_GET_HASH(alg),
3190
0
            input, input_length,
3191
0
            hash, sizeof(hash), &hash_length);
3192
3193
0
        if (status != PSA_SUCCESS) {
3194
0
            return status;
3195
0
        }
3196
3197
0
        return psa_driver_wrapper_sign_hash(
3198
0
            attributes, key_buffer, key_buffer_size,
3199
0
            alg, hash, hash_length,
3200
0
            signature, signature_size, signature_length);
3201
0
    }
3202
3203
0
    return PSA_ERROR_NOT_SUPPORTED;
3204
0
}
3205
3206
psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
3207
                              psa_algorithm_t alg,
3208
                              const uint8_t *input_external,
3209
                              size_t input_length,
3210
                              uint8_t *signature_external,
3211
                              size_t signature_size,
3212
                              size_t *signature_length)
3213
0
{
3214
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3215
0
    LOCAL_INPUT_DECLARE(input_external, input);
3216
0
    LOCAL_OUTPUT_DECLARE(signature_external, signature);
3217
3218
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
3219
0
    LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
3220
0
    status = psa_sign_internal(key, 1, alg, input, input_length, signature,
3221
0
                               signature_size, signature_length);
3222
3223
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3224
0
exit:
3225
0
#endif
3226
0
    LOCAL_INPUT_FREE(input_external, input);
3227
0
    LOCAL_OUTPUT_FREE(signature_external, signature);
3228
0
    return status;
3229
0
}
3230
3231
psa_status_t psa_verify_message_builtin(
3232
    const psa_key_attributes_t *attributes,
3233
    const uint8_t *key_buffer,
3234
    size_t key_buffer_size,
3235
    psa_algorithm_t alg,
3236
    const uint8_t *input,
3237
    size_t input_length,
3238
    const uint8_t *signature,
3239
    size_t signature_length)
3240
0
{
3241
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3242
3243
0
    if (PSA_ALG_IS_SIGN_HASH(alg)) {
3244
0
        size_t hash_length;
3245
0
        uint8_t hash[PSA_HASH_MAX_SIZE];
3246
3247
0
        status = psa_driver_wrapper_hash_compute(
3248
0
            PSA_ALG_SIGN_GET_HASH(alg),
3249
0
            input, input_length,
3250
0
            hash, sizeof(hash), &hash_length);
3251
3252
0
        if (status != PSA_SUCCESS) {
3253
0
            return status;
3254
0
        }
3255
3256
0
        return psa_driver_wrapper_verify_hash(
3257
0
            attributes, key_buffer, key_buffer_size,
3258
0
            alg, hash, hash_length,
3259
0
            signature, signature_length);
3260
0
    }
3261
3262
0
    return PSA_ERROR_NOT_SUPPORTED;
3263
0
}
3264
3265
psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
3266
                                psa_algorithm_t alg,
3267
                                const uint8_t *input_external,
3268
                                size_t input_length,
3269
                                const uint8_t *signature_external,
3270
                                size_t signature_length)
3271
0
{
3272
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3273
0
    LOCAL_INPUT_DECLARE(input_external, input);
3274
0
    LOCAL_INPUT_DECLARE(signature_external, signature);
3275
3276
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
3277
0
    LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
3278
0
    status = psa_verify_internal(key, 1, alg, input, input_length, signature,
3279
0
                                 signature_length);
3280
3281
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3282
0
exit:
3283
0
#endif
3284
0
    LOCAL_INPUT_FREE(input_external, input);
3285
0
    LOCAL_INPUT_FREE(signature_external, signature);
3286
3287
0
    return status;
3288
0
}
3289
3290
psa_status_t psa_sign_hash_builtin(
3291
    const psa_key_attributes_t *attributes,
3292
    const uint8_t *key_buffer, size_t key_buffer_size,
3293
    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
3294
    uint8_t *signature, size_t signature_size, size_t *signature_length)
3295
0
{
3296
0
    if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
3297
0
        if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
3298
0
            PSA_ALG_IS_RSA_PSS(alg)) {
3299
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
3300
0
            defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3301
0
            return mbedtls_psa_rsa_sign_hash(
3302
0
                attributes,
3303
0
                key_buffer, key_buffer_size,
3304
0
                alg, hash, hash_length,
3305
0
                signature, signature_size, signature_length);
3306
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
3307
        * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
3308
0
        } else {
3309
0
            return PSA_ERROR_INVALID_ARGUMENT;
3310
0
        }
3311
0
    } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
3312
0
        if (PSA_ALG_IS_ECDSA(alg)) {
3313
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3314
0
            defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3315
0
            return mbedtls_psa_ecdsa_sign_hash(
3316
0
                attributes,
3317
0
                key_buffer, key_buffer_size,
3318
0
                alg, hash, hash_length,
3319
0
                signature, signature_size, signature_length);
3320
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3321
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3322
0
        } else {
3323
0
            return PSA_ERROR_INVALID_ARGUMENT;
3324
0
        }
3325
0
    }
3326
3327
0
    (void) key_buffer;
3328
0
    (void) key_buffer_size;
3329
0
    (void) hash;
3330
0
    (void) hash_length;
3331
0
    (void) signature;
3332
0
    (void) signature_size;
3333
0
    (void) signature_length;
3334
3335
0
    return PSA_ERROR_NOT_SUPPORTED;
3336
0
}
3337
3338
psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
3339
                           psa_algorithm_t alg,
3340
                           const uint8_t *hash_external,
3341
                           size_t hash_length,
3342
                           uint8_t *signature_external,
3343
                           size_t signature_size,
3344
                           size_t *signature_length)
3345
0
{
3346
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3347
0
    LOCAL_INPUT_DECLARE(hash_external, hash);
3348
0
    LOCAL_OUTPUT_DECLARE(signature_external, signature);
3349
3350
0
    LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3351
0
    LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
3352
0
    status = psa_sign_internal(key, 0, alg, hash, hash_length, signature,
3353
0
                               signature_size, signature_length);
3354
3355
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3356
0
exit:
3357
0
#endif
3358
0
    LOCAL_INPUT_FREE(hash_external, hash);
3359
0
    LOCAL_OUTPUT_FREE(signature_external, signature);
3360
3361
0
    return status;
3362
0
}
3363
3364
psa_status_t psa_verify_hash_builtin(
3365
    const psa_key_attributes_t *attributes,
3366
    const uint8_t *key_buffer, size_t key_buffer_size,
3367
    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
3368
    const uint8_t *signature, size_t signature_length)
3369
0
{
3370
0
    if (PSA_KEY_TYPE_IS_RSA(attributes->type)) {
3371
0
        if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
3372
0
            PSA_ALG_IS_RSA_PSS(alg)) {
3373
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
3374
0
            defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3375
0
            return mbedtls_psa_rsa_verify_hash(
3376
0
                attributes,
3377
0
                key_buffer, key_buffer_size,
3378
0
                alg, hash, hash_length,
3379
0
                signature, signature_length);
3380
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
3381
        * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
3382
0
        } else {
3383
0
            return PSA_ERROR_INVALID_ARGUMENT;
3384
0
        }
3385
0
    } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
3386
0
        if (PSA_ALG_IS_ECDSA(alg)) {
3387
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3388
0
            defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3389
0
            return mbedtls_psa_ecdsa_verify_hash(
3390
0
                attributes,
3391
0
                key_buffer, key_buffer_size,
3392
0
                alg, hash, hash_length,
3393
0
                signature, signature_length);
3394
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3395
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3396
0
        } else {
3397
0
            return PSA_ERROR_INVALID_ARGUMENT;
3398
0
        }
3399
0
    }
3400
3401
0
    (void) key_buffer;
3402
0
    (void) key_buffer_size;
3403
0
    (void) hash;
3404
0
    (void) hash_length;
3405
0
    (void) signature;
3406
0
    (void) signature_length;
3407
3408
0
    return PSA_ERROR_NOT_SUPPORTED;
3409
0
}
3410
3411
psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
3412
                             psa_algorithm_t alg,
3413
                             const uint8_t *hash_external,
3414
                             size_t hash_length,
3415
                             const uint8_t *signature_external,
3416
                             size_t signature_length)
3417
0
{
3418
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3419
0
    LOCAL_INPUT_DECLARE(hash_external, hash);
3420
0
    LOCAL_INPUT_DECLARE(signature_external, signature);
3421
3422
0
    LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3423
0
    LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
3424
0
    status = psa_verify_internal(key, 0, alg, hash, hash_length, signature,
3425
0
                                 signature_length);
3426
3427
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3428
0
exit:
3429
0
#endif
3430
0
    LOCAL_INPUT_FREE(hash_external, hash);
3431
0
    LOCAL_INPUT_FREE(signature_external, signature);
3432
3433
0
    return status;
3434
0
}
3435
3436
psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
3437
                                    psa_algorithm_t alg,
3438
                                    const uint8_t *input_external,
3439
                                    size_t input_length,
3440
                                    const uint8_t *salt_external,
3441
                                    size_t salt_length,
3442
                                    uint8_t *output_external,
3443
                                    size_t output_size,
3444
                                    size_t *output_length)
3445
0
{
3446
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3447
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3448
0
    psa_key_slot_t *slot;
3449
3450
0
    LOCAL_INPUT_DECLARE(input_external, input);
3451
0
    LOCAL_INPUT_DECLARE(salt_external, salt);
3452
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
3453
3454
0
    (void) input;
3455
0
    (void) input_length;
3456
0
    (void) salt;
3457
0
    (void) output;
3458
0
    (void) output_size;
3459
3460
0
    *output_length = 0;
3461
3462
0
    if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
3463
0
        return PSA_ERROR_INVALID_ARGUMENT;
3464
0
    }
3465
3466
0
    status = psa_get_and_lock_key_slot_with_policy(
3467
0
        key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
3468
0
    if (status != PSA_SUCCESS) {
3469
0
        return status;
3470
0
    }
3471
0
    if (!(PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type) ||
3472
0
          PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type))) {
3473
0
        status = PSA_ERROR_INVALID_ARGUMENT;
3474
0
        goto exit;
3475
0
    }
3476
3477
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
3478
0
    LOCAL_INPUT_ALLOC(salt_external, salt_length, salt);
3479
0
    LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
3480
3481
0
    status = psa_driver_wrapper_asymmetric_encrypt(
3482
0
        &slot->attr, slot->key.data, slot->key.bytes,
3483
0
        alg, input, input_length, salt, salt_length,
3484
0
        output, output_size, output_length);
3485
0
exit:
3486
0
    unlock_status = psa_unregister_read_under_mutex(slot);
3487
3488
0
    LOCAL_INPUT_FREE(input_external, input);
3489
0
    LOCAL_INPUT_FREE(salt_external, salt);
3490
0
    LOCAL_OUTPUT_FREE(output_external, output);
3491
3492
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
3493
0
}
3494
3495
psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
3496
                                    psa_algorithm_t alg,
3497
                                    const uint8_t *input_external,
3498
                                    size_t input_length,
3499
                                    const uint8_t *salt_external,
3500
                                    size_t salt_length,
3501
                                    uint8_t *output_external,
3502
                                    size_t output_size,
3503
                                    size_t *output_length)
3504
0
{
3505
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3506
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3507
0
    psa_key_slot_t *slot;
3508
3509
0
    LOCAL_INPUT_DECLARE(input_external, input);
3510
0
    LOCAL_INPUT_DECLARE(salt_external, salt);
3511
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
3512
3513
0
    (void) input;
3514
0
    (void) input_length;
3515
0
    (void) salt;
3516
0
    (void) output;
3517
0
    (void) output_size;
3518
3519
0
    *output_length = 0;
3520
3521
0
    if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
3522
0
        return PSA_ERROR_INVALID_ARGUMENT;
3523
0
    }
3524
3525
0
    status = psa_get_and_lock_key_slot_with_policy(
3526
0
        key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
3527
0
    if (status != PSA_SUCCESS) {
3528
0
        return status;
3529
0
    }
3530
0
    if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
3531
0
        status = PSA_ERROR_INVALID_ARGUMENT;
3532
0
        goto exit;
3533
0
    }
3534
3535
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
3536
0
    LOCAL_INPUT_ALLOC(salt_external, salt_length, salt);
3537
0
    LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
3538
3539
0
    status = psa_driver_wrapper_asymmetric_decrypt(
3540
0
        &slot->attr, slot->key.data, slot->key.bytes,
3541
0
        alg, input, input_length, salt, salt_length,
3542
0
        output, output_size, output_length);
3543
3544
0
exit:
3545
0
    unlock_status = psa_unregister_read_under_mutex(slot);
3546
3547
0
    LOCAL_INPUT_FREE(input_external, input);
3548
0
    LOCAL_INPUT_FREE(salt_external, salt);
3549
0
    LOCAL_OUTPUT_FREE(output_external, output);
3550
3551
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
3552
0
}
3553
3554
/****************************************************************/
3555
/* Asymmetric interruptible cryptography                        */
3556
/****************************************************************/
3557
3558
static uint32_t psa_interruptible_max_ops = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
3559
3560
void psa_interruptible_set_max_ops(uint32_t max_ops)
3561
0
{
3562
0
    psa_interruptible_max_ops = max_ops;
3563
0
}
3564
3565
uint32_t psa_interruptible_get_max_ops(void)
3566
0
{
3567
0
    return psa_interruptible_max_ops;
3568
0
}
3569
3570
uint32_t psa_sign_hash_get_num_ops(
3571
    const psa_sign_hash_interruptible_operation_t *operation)
3572
0
{
3573
0
    return operation->num_ops;
3574
0
}
3575
3576
uint32_t psa_verify_hash_get_num_ops(
3577
    const psa_verify_hash_interruptible_operation_t *operation)
3578
0
{
3579
0
    return operation->num_ops;
3580
0
}
3581
3582
static psa_status_t psa_sign_hash_abort_internal(
3583
    psa_sign_hash_interruptible_operation_t *operation)
3584
0
{
3585
0
    if (operation->id == 0) {
3586
        /* The object has (apparently) been initialized but it is not (yet)
3587
         * in use. It's ok to call abort on such an object, and there's
3588
         * nothing to do. */
3589
0
        return PSA_SUCCESS;
3590
0
    }
3591
3592
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3593
3594
0
    status = psa_driver_wrapper_sign_hash_abort(operation);
3595
3596
0
    operation->id = 0;
3597
3598
    /* Do not clear either the error_occurred or num_ops elements here as they
3599
     * only want to be cleared by the application calling abort, not by abort
3600
     * being called at completion of an operation. */
3601
3602
0
    return status;
3603
0
}
3604
3605
psa_status_t psa_sign_hash_start(
3606
    psa_sign_hash_interruptible_operation_t *operation,
3607
    mbedtls_svc_key_id_t key, psa_algorithm_t alg,
3608
    const uint8_t *hash_external, size_t hash_length)
3609
0
{
3610
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3611
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3612
0
    psa_key_slot_t *slot;
3613
3614
0
    LOCAL_INPUT_DECLARE(hash_external, hash);
3615
3616
    /* Check that start has not been previously called, or operation has not
3617
     * previously errored. */
3618
0
    if (operation->id != 0 || operation->error_occurred) {
3619
0
        return PSA_ERROR_BAD_STATE;
3620
0
    }
3621
3622
0
    status = psa_sign_verify_check_alg(0, alg);
3623
0
    if (status != PSA_SUCCESS) {
3624
0
        operation->error_occurred = 1;
3625
0
        return status;
3626
0
    }
3627
3628
0
    status = psa_get_and_lock_key_slot_with_policy(key, &slot,
3629
0
                                                   PSA_KEY_USAGE_SIGN_HASH,
3630
0
                                                   alg);
3631
3632
0
    if (status != PSA_SUCCESS) {
3633
0
        goto exit;
3634
0
    }
3635
3636
0
    if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
3637
0
        status = PSA_ERROR_INVALID_ARGUMENT;
3638
0
        goto exit;
3639
0
    }
3640
3641
0
    LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3642
3643
    /* Ensure ops count gets reset, in case of operation re-use. */
3644
0
    operation->num_ops = 0;
3645
3646
0
    status = psa_driver_wrapper_sign_hash_start(operation, &slot->attr,
3647
0
                                                slot->key.data,
3648
0
                                                slot->key.bytes, alg,
3649
0
                                                hash, hash_length);
3650
0
exit:
3651
3652
0
    if (status != PSA_SUCCESS) {
3653
0
        operation->error_occurred = 1;
3654
0
        psa_sign_hash_abort_internal(operation);
3655
0
    }
3656
3657
0
    unlock_status = psa_unregister_read_under_mutex(slot);
3658
3659
0
    if (unlock_status != PSA_SUCCESS) {
3660
0
        operation->error_occurred = 1;
3661
0
    }
3662
3663
0
    LOCAL_INPUT_FREE(hash_external, hash);
3664
3665
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
3666
0
}
3667
3668
3669
psa_status_t psa_sign_hash_complete(
3670
    psa_sign_hash_interruptible_operation_t *operation,
3671
    uint8_t *signature_external, size_t signature_size,
3672
    size_t *signature_length)
3673
0
{
3674
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3675
3676
0
    LOCAL_OUTPUT_DECLARE(signature_external, signature);
3677
3678
0
    *signature_length = 0;
3679
3680
    /* Check that start has been called first, and that operation has not
3681
     * previously errored. */
3682
0
    if (operation->id == 0 || operation->error_occurred) {
3683
0
        status = PSA_ERROR_BAD_STATE;
3684
0
        goto exit;
3685
0
    }
3686
3687
    /* Immediately reject a zero-length signature buffer. This guarantees that
3688
     * signature must be a valid pointer. */
3689
0
    if (signature_size == 0) {
3690
0
        status = PSA_ERROR_BUFFER_TOO_SMALL;
3691
0
        goto exit;
3692
0
    }
3693
3694
0
    LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
3695
3696
0
    status = psa_driver_wrapper_sign_hash_complete(operation, signature,
3697
0
                                                   signature_size,
3698
0
                                                   signature_length);
3699
3700
    /* Update ops count with work done. */
3701
0
    operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
3702
3703
0
exit:
3704
3705
0
    if (signature != NULL) {
3706
0
        psa_wipe_tag_output_buffer(signature, status, signature_size,
3707
0
                                   *signature_length);
3708
0
    }
3709
3710
0
    if (status != PSA_OPERATION_INCOMPLETE) {
3711
0
        if (status != PSA_SUCCESS) {
3712
0
            operation->error_occurred = 1;
3713
0
        }
3714
3715
0
        psa_sign_hash_abort_internal(operation);
3716
0
    }
3717
3718
0
    LOCAL_OUTPUT_FREE(signature_external, signature);
3719
3720
0
    return status;
3721
0
}
3722
3723
psa_status_t psa_sign_hash_abort(
3724
    psa_sign_hash_interruptible_operation_t *operation)
3725
0
{
3726
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3727
3728
0
    status = psa_sign_hash_abort_internal(operation);
3729
3730
    /* We clear the number of ops done here, so that it is not cleared when
3731
     * the operation fails or succeeds, only on manual abort. */
3732
0
    operation->num_ops = 0;
3733
3734
    /* Likewise, failure state. */
3735
0
    operation->error_occurred = 0;
3736
3737
0
    return status;
3738
0
}
3739
3740
static psa_status_t psa_verify_hash_abort_internal(
3741
    psa_verify_hash_interruptible_operation_t *operation)
3742
0
{
3743
0
    if (operation->id == 0) {
3744
        /* The object has (apparently) been initialized but it is not (yet)
3745
         * in use. It's ok to call abort on such an object, and there's
3746
         * nothing to do. */
3747
0
        return PSA_SUCCESS;
3748
0
    }
3749
3750
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3751
3752
0
    status = psa_driver_wrapper_verify_hash_abort(operation);
3753
3754
0
    operation->id = 0;
3755
3756
    /* Do not clear either the error_occurred or num_ops elements here as they
3757
     * only want to be cleared by the application calling abort, not by abort
3758
     * being called at completion of an operation. */
3759
3760
0
    return status;
3761
0
}
3762
3763
psa_status_t psa_verify_hash_start(
3764
    psa_verify_hash_interruptible_operation_t *operation,
3765
    mbedtls_svc_key_id_t key, psa_algorithm_t alg,
3766
    const uint8_t *hash_external, size_t hash_length,
3767
    const uint8_t *signature_external, size_t signature_length)
3768
0
{
3769
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3770
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3771
0
    psa_key_slot_t *slot;
3772
3773
0
    LOCAL_INPUT_DECLARE(hash_external, hash);
3774
0
    LOCAL_INPUT_DECLARE(signature_external, signature);
3775
3776
    /* Check that start has not been previously called, or operation has not
3777
     * previously errored. */
3778
0
    if (operation->id != 0 || operation->error_occurred) {
3779
0
        return PSA_ERROR_BAD_STATE;
3780
0
    }
3781
3782
0
    status = psa_sign_verify_check_alg(0, alg);
3783
0
    if (status != PSA_SUCCESS) {
3784
0
        operation->error_occurred = 1;
3785
0
        return status;
3786
0
    }
3787
3788
0
    status = psa_get_and_lock_key_slot_with_policy(key, &slot,
3789
0
                                                   PSA_KEY_USAGE_VERIFY_HASH,
3790
0
                                                   alg);
3791
3792
0
    if (status != PSA_SUCCESS) {
3793
0
        operation->error_occurred = 1;
3794
0
        return status;
3795
0
    }
3796
3797
0
    LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3798
0
    LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
3799
3800
    /* Ensure ops count gets reset, in case of operation re-use. */
3801
0
    operation->num_ops = 0;
3802
3803
0
    status = psa_driver_wrapper_verify_hash_start(operation, &slot->attr,
3804
0
                                                  slot->key.data,
3805
0
                                                  slot->key.bytes,
3806
0
                                                  alg, hash, hash_length,
3807
0
                                                  signature, signature_length);
3808
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3809
0
exit:
3810
0
#endif
3811
3812
0
    if (status != PSA_SUCCESS) {
3813
0
        operation->error_occurred = 1;
3814
0
        psa_verify_hash_abort_internal(operation);
3815
0
    }
3816
3817
0
    unlock_status = psa_unregister_read_under_mutex(slot);
3818
3819
0
    if (unlock_status != PSA_SUCCESS) {
3820
0
        operation->error_occurred = 1;
3821
0
    }
3822
3823
0
    LOCAL_INPUT_FREE(hash_external, hash);
3824
0
    LOCAL_INPUT_FREE(signature_external, signature);
3825
3826
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
3827
0
}
3828
3829
psa_status_t psa_verify_hash_complete(
3830
    psa_verify_hash_interruptible_operation_t *operation)
3831
0
{
3832
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3833
3834
    /* Check that start has been called first, and that operation has not
3835
     * previously errored. */
3836
0
    if (operation->id == 0 || operation->error_occurred) {
3837
0
        status = PSA_ERROR_BAD_STATE;
3838
0
        goto exit;
3839
0
    }
3840
3841
0
    status = psa_driver_wrapper_verify_hash_complete(operation);
3842
3843
    /* Update ops count with work done. */
3844
0
    operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
3845
0
        operation);
3846
3847
0
exit:
3848
3849
0
    if (status != PSA_OPERATION_INCOMPLETE) {
3850
0
        if (status != PSA_SUCCESS) {
3851
0
            operation->error_occurred = 1;
3852
0
        }
3853
3854
0
        psa_verify_hash_abort_internal(operation);
3855
0
    }
3856
3857
0
    return status;
3858
0
}
3859
3860
psa_status_t psa_verify_hash_abort(
3861
    psa_verify_hash_interruptible_operation_t *operation)
3862
0
{
3863
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3864
3865
0
    status = psa_verify_hash_abort_internal(operation);
3866
3867
    /* We clear the number of ops done here, so that it is not cleared when
3868
     * the operation fails or succeeds, only on manual abort. */
3869
0
    operation->num_ops = 0;
3870
3871
    /* Likewise, failure state. */
3872
0
    operation->error_occurred = 0;
3873
3874
0
    return status;
3875
0
}
3876
3877
/****************************************************************/
3878
/* Asymmetric interruptible cryptography internal               */
3879
/* implementations                                              */
3880
/****************************************************************/
3881
3882
void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
3883
0
{
3884
3885
0
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3886
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3887
0
    defined(MBEDTLS_ECP_RESTARTABLE)
3888
3889
    /* Internal implementation uses zero to indicate infinite number max ops,
3890
     * therefore avoid this value, and set to minimum possible. */
3891
0
    if (max_ops == 0) {
3892
0
        max_ops = 1;
3893
0
    }
3894
3895
0
    mbedtls_ecp_set_max_ops(max_ops);
3896
#else
3897
    (void) max_ops;
3898
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3899
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3900
        * defined( MBEDTLS_ECP_RESTARTABLE ) */
3901
0
}
3902
3903
uint32_t mbedtls_psa_sign_hash_get_num_ops(
3904
    const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
3905
0
{
3906
0
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3907
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3908
0
    defined(MBEDTLS_ECP_RESTARTABLE)
3909
3910
0
    return operation->num_ops;
3911
#else
3912
    (void) operation;
3913
    return 0;
3914
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3915
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3916
        * defined( MBEDTLS_ECP_RESTARTABLE ) */
3917
0
}
3918
3919
uint32_t mbedtls_psa_verify_hash_get_num_ops(
3920
    const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
3921
0
{
3922
0
    #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3923
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3924
0
    defined(MBEDTLS_ECP_RESTARTABLE)
3925
3926
0
    return operation->num_ops;
3927
#else
3928
    (void) operation;
3929
    return 0;
3930
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3931
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3932
        * defined( MBEDTLS_ECP_RESTARTABLE ) */
3933
0
}
3934
3935
/* Detect supported interruptible sign/verify mechanisms precisely.
3936
 * This is not strictly needed: we could accept everything, and let the
3937
 * code fail later during complete() if the mechanism is unsupported
3938
 * (e.g. attempting deterministic ECDSA when only the randomized variant
3939
 * is available). But it's easier for applications and especially for our
3940
 * test code to detect all not-supported errors during start().
3941
 *
3942
 * Note that this function ignores the hash component. The core code
3943
 * is supposed to check the hash part by calling is_hash_supported().
3944
 */
3945
static inline int can_do_interruptible_sign_verify(psa_algorithm_t alg)
3946
0
{
3947
0
#if defined(MBEDTLS_ECP_RESTARTABLE)
3948
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3949
0
    if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
3950
0
        return 1;
3951
0
    }
3952
0
#endif
3953
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA)
3954
0
    if (PSA_ALG_IS_RANDOMIZED_ECDSA(alg)) {
3955
0
        return 1;
3956
0
    }
3957
0
#endif
3958
0
#endif /* defined(MBEDTLS_ECP_RESTARTABLE) */
3959
0
    (void) alg;
3960
0
    return 0;
3961
0
}
3962
3963
psa_status_t mbedtls_psa_sign_hash_start(
3964
    mbedtls_psa_sign_hash_interruptible_operation_t *operation,
3965
    const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
3966
    size_t key_buffer_size, psa_algorithm_t alg,
3967
    const uint8_t *hash, size_t hash_length)
3968
0
{
3969
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3970
0
    size_t required_hash_length;
3971
3972
0
    if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type)) {
3973
0
        return PSA_ERROR_NOT_SUPPORTED;
3974
0
    }
3975
0
    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
3976
0
    if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
3977
0
        return PSA_ERROR_INVALID_ARGUMENT;
3978
0
    }
3979
3980
0
    if (!can_do_interruptible_sign_verify(alg)) {
3981
0
        return PSA_ERROR_NOT_SUPPORTED;
3982
0
    }
3983
3984
0
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3985
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3986
0
    defined(MBEDTLS_ECP_RESTARTABLE)
3987
3988
0
    mbedtls_ecdsa_restart_init(&operation->restart_ctx);
3989
3990
    /* Ensure num_ops is zero'ed in case of context re-use. */
3991
0
    operation->num_ops = 0;
3992
3993
0
    status = mbedtls_psa_ecp_load_representation(attributes->type,
3994
0
                                                 attributes->bits,
3995
0
                                                 key_buffer,
3996
0
                                                 key_buffer_size,
3997
0
                                                 &operation->ctx);
3998
3999
0
    if (status != PSA_SUCCESS) {
4000
0
        return status;
4001
0
    }
4002
4003
0
    operation->coordinate_bytes = PSA_BITS_TO_BYTES(
4004
0
        operation->ctx->grp.nbits);
4005
4006
0
    psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
4007
0
    operation->md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
4008
0
    operation->alg = alg;
4009
4010
    /* We only need to store the same length of hash as the private key size
4011
     * here, it would be truncated by the internal implementation anyway. */
4012
0
    required_hash_length = (hash_length < operation->coordinate_bytes ?
4013
0
                            hash_length : operation->coordinate_bytes);
4014
4015
0
    if (required_hash_length > sizeof(operation->hash)) {
4016
        /* Shouldn't happen, but better safe than sorry. */
4017
0
        return PSA_ERROR_CORRUPTION_DETECTED;
4018
0
    }
4019
4020
0
    memcpy(operation->hash, hash, required_hash_length);
4021
0
    operation->hash_length = required_hash_length;
4022
4023
0
    return PSA_SUCCESS;
4024
4025
#else
4026
    (void) operation;
4027
    (void) key_buffer;
4028
    (void) key_buffer_size;
4029
    (void) alg;
4030
    (void) hash;
4031
    (void) hash_length;
4032
    (void) status;
4033
    (void) required_hash_length;
4034
4035
    return PSA_ERROR_NOT_SUPPORTED;
4036
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4037
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4038
        * defined( MBEDTLS_ECP_RESTARTABLE ) */
4039
0
}
4040
4041
psa_status_t mbedtls_psa_sign_hash_complete(
4042
    mbedtls_psa_sign_hash_interruptible_operation_t *operation,
4043
    uint8_t *signature, size_t signature_size,
4044
    size_t *signature_length)
4045
0
{
4046
0
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4047
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4048
0
    defined(MBEDTLS_ECP_RESTARTABLE)
4049
4050
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4051
0
    mbedtls_mpi r;
4052
0
    mbedtls_mpi s;
4053
4054
0
    mbedtls_mpi_init(&r);
4055
0
    mbedtls_mpi_init(&s);
4056
4057
    /* Ensure max_ops is set to the current value (or default). */
4058
0
    mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
4059
4060
0
    if (signature_size < 2 * operation->coordinate_bytes) {
4061
0
        status = PSA_ERROR_BUFFER_TOO_SMALL;
4062
0
        goto exit;
4063
0
    }
4064
4065
0
    if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
4066
4067
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
4068
0
        status = mbedtls_to_psa_error(
4069
0
            mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
4070
0
                                               &r,
4071
0
                                               &s,
4072
0
                                               &operation->ctx->d,
4073
0
                                               operation->hash,
4074
0
                                               operation->hash_length,
4075
0
                                               operation->md_alg,
4076
0
                                               mbedtls_psa_get_random,
4077
0
                                               MBEDTLS_PSA_RANDOM_STATE,
4078
0
                                               &operation->restart_ctx));
4079
#else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
4080
        status = PSA_ERROR_NOT_SUPPORTED;
4081
        goto exit;
4082
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
4083
0
    } else {
4084
0
        status = mbedtls_to_psa_error(
4085
0
            mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
4086
0
                                           &r,
4087
0
                                           &s,
4088
0
                                           &operation->ctx->d,
4089
0
                                           operation->hash,
4090
0
                                           operation->hash_length,
4091
0
                                           mbedtls_psa_get_random,
4092
0
                                           MBEDTLS_PSA_RANDOM_STATE,
4093
0
                                           mbedtls_psa_get_random,
4094
0
                                           MBEDTLS_PSA_RANDOM_STATE,
4095
0
                                           &operation->restart_ctx));
4096
0
    }
4097
4098
    /* Hide the fact that the restart context only holds a delta of number of
4099
     * ops done during the last operation, not an absolute value. */
4100
0
    operation->num_ops += operation->restart_ctx.ecp.ops_done;
4101
4102
0
    if (status == PSA_SUCCESS) {
4103
0
        status =  mbedtls_to_psa_error(
4104
0
            mbedtls_mpi_write_binary(&r,
4105
0
                                     signature,
4106
0
                                     operation->coordinate_bytes)
4107
0
            );
4108
4109
0
        if (status != PSA_SUCCESS) {
4110
0
            goto exit;
4111
0
        }
4112
4113
0
        status =  mbedtls_to_psa_error(
4114
0
            mbedtls_mpi_write_binary(&s,
4115
0
                                     signature +
4116
0
                                     operation->coordinate_bytes,
4117
0
                                     operation->coordinate_bytes)
4118
0
            );
4119
4120
0
        if (status != PSA_SUCCESS) {
4121
0
            goto exit;
4122
0
        }
4123
4124
0
        *signature_length = operation->coordinate_bytes * 2;
4125
4126
0
        status = PSA_SUCCESS;
4127
0
    }
4128
4129
0
exit:
4130
4131
0
    mbedtls_mpi_free(&r);
4132
0
    mbedtls_mpi_free(&s);
4133
0
    return status;
4134
4135
 #else
4136
4137
    (void) operation;
4138
    (void) signature;
4139
    (void) signature_size;
4140
    (void) signature_length;
4141
4142
    return PSA_ERROR_NOT_SUPPORTED;
4143
4144
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4145
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4146
        * defined( MBEDTLS_ECP_RESTARTABLE ) */
4147
0
}
4148
4149
psa_status_t mbedtls_psa_sign_hash_abort(
4150
    mbedtls_psa_sign_hash_interruptible_operation_t *operation)
4151
0
{
4152
4153
0
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4154
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4155
0
    defined(MBEDTLS_ECP_RESTARTABLE)
4156
4157
0
    if (operation->ctx) {
4158
0
        mbedtls_ecdsa_free(operation->ctx);
4159
0
        mbedtls_free(operation->ctx);
4160
0
        operation->ctx = NULL;
4161
0
    }
4162
4163
0
    mbedtls_ecdsa_restart_free(&operation->restart_ctx);
4164
4165
0
    operation->num_ops = 0;
4166
4167
0
    return PSA_SUCCESS;
4168
4169
#else
4170
4171
    (void) operation;
4172
4173
    return PSA_ERROR_NOT_SUPPORTED;
4174
4175
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4176
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4177
        * defined( MBEDTLS_ECP_RESTARTABLE ) */
4178
0
}
4179
4180
psa_status_t mbedtls_psa_verify_hash_start(
4181
    mbedtls_psa_verify_hash_interruptible_operation_t *operation,
4182
    const psa_key_attributes_t *attributes,
4183
    const uint8_t *key_buffer, size_t key_buffer_size,
4184
    psa_algorithm_t alg,
4185
    const uint8_t *hash, size_t hash_length,
4186
    const uint8_t *signature, size_t signature_length)
4187
0
{
4188
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4189
0
    size_t coordinate_bytes = 0;
4190
0
    size_t required_hash_length = 0;
4191
4192
0
    if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
4193
0
        return PSA_ERROR_NOT_SUPPORTED;
4194
0
    }
4195
0
    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
4196
0
    if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
4197
0
        return PSA_ERROR_INVALID_ARGUMENT;
4198
0
    }
4199
4200
0
    if (!can_do_interruptible_sign_verify(alg)) {
4201
0
        return PSA_ERROR_NOT_SUPPORTED;
4202
0
    }
4203
4204
0
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4205
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4206
0
    defined(MBEDTLS_ECP_RESTARTABLE)
4207
4208
0
    mbedtls_ecdsa_restart_init(&operation->restart_ctx);
4209
0
    mbedtls_mpi_init(&operation->r);
4210
0
    mbedtls_mpi_init(&operation->s);
4211
4212
    /* Ensure num_ops is zero'ed in case of context re-use. */
4213
0
    operation->num_ops = 0;
4214
4215
0
    status = mbedtls_psa_ecp_load_representation(attributes->type,
4216
0
                                                 attributes->bits,
4217
0
                                                 key_buffer,
4218
0
                                                 key_buffer_size,
4219
0
                                                 &operation->ctx);
4220
4221
0
    if (status != PSA_SUCCESS) {
4222
0
        return status;
4223
0
    }
4224
4225
0
    coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits);
4226
4227
0
    if (signature_length != 2 * coordinate_bytes) {
4228
0
        return PSA_ERROR_INVALID_SIGNATURE;
4229
0
    }
4230
4231
0
    status = mbedtls_to_psa_error(
4232
0
        mbedtls_mpi_read_binary(&operation->r,
4233
0
                                signature,
4234
0
                                coordinate_bytes));
4235
4236
0
    if (status != PSA_SUCCESS) {
4237
0
        return status;
4238
0
    }
4239
4240
0
    status = mbedtls_to_psa_error(
4241
0
        mbedtls_mpi_read_binary(&operation->s,
4242
0
                                signature +
4243
0
                                coordinate_bytes,
4244
0
                                coordinate_bytes));
4245
4246
0
    if (status != PSA_SUCCESS) {
4247
0
        return status;
4248
0
    }
4249
4250
0
    status = mbedtls_psa_ecp_load_public_part(operation->ctx);
4251
4252
0
    if (status != PSA_SUCCESS) {
4253
0
        return status;
4254
0
    }
4255
4256
    /* We only need to store the same length of hash as the private key size
4257
     * here, it would be truncated by the internal implementation anyway. */
4258
0
    required_hash_length = (hash_length < coordinate_bytes ? hash_length :
4259
0
                            coordinate_bytes);
4260
4261
0
    if (required_hash_length > sizeof(operation->hash)) {
4262
        /* Shouldn't happen, but better safe than sorry. */
4263
0
        return PSA_ERROR_CORRUPTION_DETECTED;
4264
0
    }
4265
4266
0
    memcpy(operation->hash, hash, required_hash_length);
4267
0
    operation->hash_length = required_hash_length;
4268
4269
0
    return PSA_SUCCESS;
4270
#else
4271
    (void) operation;
4272
    (void) key_buffer;
4273
    (void) key_buffer_size;
4274
    (void) alg;
4275
    (void) hash;
4276
    (void) hash_length;
4277
    (void) signature;
4278
    (void) signature_length;
4279
    (void) status;
4280
    (void) coordinate_bytes;
4281
    (void) required_hash_length;
4282
4283
    return PSA_ERROR_NOT_SUPPORTED;
4284
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4285
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4286
        * defined( MBEDTLS_ECP_RESTARTABLE ) */
4287
0
}
4288
4289
psa_status_t mbedtls_psa_verify_hash_complete(
4290
    mbedtls_psa_verify_hash_interruptible_operation_t *operation)
4291
0
{
4292
4293
0
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4294
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4295
0
    defined(MBEDTLS_ECP_RESTARTABLE)
4296
4297
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4298
4299
    /* Ensure max_ops is set to the current value (or default). */
4300
0
    mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
4301
4302
0
    status = mbedtls_to_psa_error(
4303
0
        mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
4304
0
                                         operation->hash,
4305
0
                                         operation->hash_length,
4306
0
                                         &operation->ctx->Q,
4307
0
                                         &operation->r,
4308
0
                                         &operation->s,
4309
0
                                         &operation->restart_ctx));
4310
4311
    /* Hide the fact that the restart context only holds a delta of number of
4312
     * ops done during the last operation, not an absolute value. */
4313
0
    operation->num_ops += operation->restart_ctx.ecp.ops_done;
4314
4315
0
    return status;
4316
#else
4317
    (void) operation;
4318
4319
    return PSA_ERROR_NOT_SUPPORTED;
4320
4321
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4322
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4323
        * defined( MBEDTLS_ECP_RESTARTABLE ) */
4324
0
}
4325
4326
psa_status_t mbedtls_psa_verify_hash_abort(
4327
    mbedtls_psa_verify_hash_interruptible_operation_t *operation)
4328
0
{
4329
4330
0
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4331
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4332
0
    defined(MBEDTLS_ECP_RESTARTABLE)
4333
4334
0
    if (operation->ctx) {
4335
0
        mbedtls_ecdsa_free(operation->ctx);
4336
0
        mbedtls_free(operation->ctx);
4337
0
        operation->ctx = NULL;
4338
0
    }
4339
4340
0
    mbedtls_ecdsa_restart_free(&operation->restart_ctx);
4341
4342
0
    operation->num_ops = 0;
4343
4344
0
    mbedtls_mpi_free(&operation->r);
4345
0
    mbedtls_mpi_free(&operation->s);
4346
4347
0
    return PSA_SUCCESS;
4348
4349
#else
4350
    (void) operation;
4351
4352
    return PSA_ERROR_NOT_SUPPORTED;
4353
4354
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4355
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4356
        * defined( MBEDTLS_ECP_RESTARTABLE ) */
4357
0
}
4358
4359
static psa_status_t psa_generate_random_internal(uint8_t *output,
4360
                                                 size_t output_size)
4361
0
{
4362
0
    GUARD_MODULE_INITIALIZED;
4363
4364
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
4365
4366
    psa_status_t status;
4367
    size_t output_length = 0;
4368
    status = mbedtls_psa_external_get_random(&global_data.rng,
4369
                                             output, output_size,
4370
                                             &output_length);
4371
    if (status != PSA_SUCCESS) {
4372
        return status;
4373
    }
4374
    /* Breaking up a request into smaller chunks is currently not supported
4375
     * for the external RNG interface. */
4376
    if (output_length != output_size) {
4377
        return PSA_ERROR_INSUFFICIENT_ENTROPY;
4378
    }
4379
    return PSA_SUCCESS;
4380
4381
#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
4382
4383
0
    while (output_size > 0) {
4384
0
        int ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
4385
0
        size_t request_size =
4386
0
            (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ?
4387
0
             MBEDTLS_PSA_RANDOM_MAX_REQUEST :
4388
0
             output_size);
4389
0
#if defined(MBEDTLS_CTR_DRBG_C)
4390
0
        ret = mbedtls_ctr_drbg_random(&global_data.rng.drbg, output, request_size);
4391
#elif defined(MBEDTLS_HMAC_DRBG_C)
4392
        ret = mbedtls_hmac_drbg_random(&global_data.rng.drbg, output, request_size);
4393
#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
4394
0
        if (ret != 0) {
4395
0
            return mbedtls_to_psa_error(ret);
4396
0
        }
4397
0
        output_size -= request_size;
4398
0
        output += request_size;
4399
0
    }
4400
0
    return PSA_SUCCESS;
4401
0
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
4402
0
}
4403
4404
4405
/****************************************************************/
4406
/* Symmetric cryptography */
4407
/****************************************************************/
4408
4409
static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation,
4410
                                     mbedtls_svc_key_id_t key,
4411
                                     psa_algorithm_t alg,
4412
                                     mbedtls_operation_t cipher_operation)
4413
0
{
4414
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4415
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4416
0
    psa_key_slot_t *slot = NULL;
4417
0
    psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ?
4418
0
                             PSA_KEY_USAGE_ENCRYPT :
4419
0
                             PSA_KEY_USAGE_DECRYPT);
4420
4421
    /* A context must be freshly initialized before it can be set up. */
4422
0
    if (operation->id != 0) {
4423
0
        status = PSA_ERROR_BAD_STATE;
4424
0
        goto exit;
4425
0
    }
4426
4427
0
    if (!PSA_ALG_IS_CIPHER(alg)) {
4428
0
        status = PSA_ERROR_INVALID_ARGUMENT;
4429
0
        goto exit;
4430
0
    }
4431
4432
0
    status = psa_get_and_lock_key_slot_with_policy(key, &slot, usage, alg);
4433
0
    if (status != PSA_SUCCESS) {
4434
0
        goto exit;
4435
0
    }
4436
4437
    /* Initialize the operation struct members, except for id. The id member
4438
     * is used to indicate to psa_cipher_abort that there are resources to free,
4439
     * so we only set it (in the driver wrapper) after resources have been
4440
     * allocated/initialized. */
4441
0
    operation->iv_set = 0;
4442
0
    if (alg == PSA_ALG_ECB_NO_PADDING) {
4443
0
        operation->iv_required = 0;
4444
0
    } else {
4445
0
        operation->iv_required = 1;
4446
0
    }
4447
0
    operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
4448
4449
    /* Try doing the operation through a driver before using software fallback. */
4450
0
    if (cipher_operation == MBEDTLS_ENCRYPT) {
4451
0
        status = psa_driver_wrapper_cipher_encrypt_setup(operation,
4452
0
                                                         &slot->attr,
4453
0
                                                         slot->key.data,
4454
0
                                                         slot->key.bytes,
4455
0
                                                         alg);
4456
0
    } else {
4457
0
        status = psa_driver_wrapper_cipher_decrypt_setup(operation,
4458
0
                                                         &slot->attr,
4459
0
                                                         slot->key.data,
4460
0
                                                         slot->key.bytes,
4461
0
                                                         alg);
4462
0
    }
4463
4464
0
exit:
4465
0
    if (status != PSA_SUCCESS) {
4466
0
        psa_cipher_abort(operation);
4467
0
    }
4468
4469
0
    unlock_status = psa_unregister_read_under_mutex(slot);
4470
4471
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
4472
0
}
4473
4474
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
4475
                                      mbedtls_svc_key_id_t key,
4476
                                      psa_algorithm_t alg)
4477
0
{
4478
0
    return psa_cipher_setup(operation, key, alg, MBEDTLS_ENCRYPT);
4479
0
}
4480
4481
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
4482
                                      mbedtls_svc_key_id_t key,
4483
                                      psa_algorithm_t alg)
4484
0
{
4485
0
    return psa_cipher_setup(operation, key, alg, MBEDTLS_DECRYPT);
4486
0
}
4487
4488
psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
4489
                                    uint8_t *iv_external,
4490
                                    size_t iv_size,
4491
                                    size_t *iv_length)
4492
0
{
4493
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4494
0
    size_t default_iv_length = 0;
4495
4496
0
    LOCAL_OUTPUT_DECLARE(iv_external, iv);
4497
4498
0
    if (operation->id == 0) {
4499
0
        status = PSA_ERROR_BAD_STATE;
4500
0
        goto exit;
4501
0
    }
4502
4503
0
    if (operation->iv_set || !operation->iv_required) {
4504
0
        status = PSA_ERROR_BAD_STATE;
4505
0
        goto exit;
4506
0
    }
4507
4508
0
    default_iv_length = operation->default_iv_length;
4509
0
    if (iv_size < default_iv_length) {
4510
0
        status = PSA_ERROR_BUFFER_TOO_SMALL;
4511
0
        goto exit;
4512
0
    }
4513
4514
0
    if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
4515
0
        status = PSA_ERROR_GENERIC_ERROR;
4516
0
        goto exit;
4517
0
    }
4518
4519
0
    LOCAL_OUTPUT_ALLOC(iv_external, default_iv_length, iv);
4520
4521
0
    status = psa_generate_random_internal(iv, default_iv_length);
4522
0
    if (status != PSA_SUCCESS) {
4523
0
        goto exit;
4524
0
    }
4525
4526
0
    status = psa_driver_wrapper_cipher_set_iv(operation,
4527
0
                                              iv, default_iv_length);
4528
4529
0
exit:
4530
0
    if (status == PSA_SUCCESS) {
4531
0
        *iv_length = default_iv_length;
4532
0
        operation->iv_set = 1;
4533
0
    } else {
4534
0
        *iv_length = 0;
4535
0
        psa_cipher_abort(operation);
4536
0
        if (iv != NULL) {
4537
0
            mbedtls_platform_zeroize(iv, default_iv_length);
4538
0
        }
4539
0
    }
4540
4541
0
    LOCAL_OUTPUT_FREE(iv_external, iv);
4542
0
    return status;
4543
0
}
4544
4545
psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
4546
                               const uint8_t *iv_external,
4547
                               size_t iv_length)
4548
0
{
4549
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4550
4551
0
    LOCAL_INPUT_DECLARE(iv_external, iv);
4552
4553
0
    if (operation->id == 0) {
4554
0
        status = PSA_ERROR_BAD_STATE;
4555
0
        goto exit;
4556
0
    }
4557
4558
0
    if (operation->iv_set || !operation->iv_required) {
4559
0
        status = PSA_ERROR_BAD_STATE;
4560
0
        goto exit;
4561
0
    }
4562
4563
0
    if (iv_length > PSA_CIPHER_IV_MAX_SIZE) {
4564
0
        status = PSA_ERROR_INVALID_ARGUMENT;
4565
0
        goto exit;
4566
0
    }
4567
4568
0
    LOCAL_INPUT_ALLOC(iv_external, iv_length, iv);
4569
4570
0
    status = psa_driver_wrapper_cipher_set_iv(operation,
4571
0
                                              iv,
4572
0
                                              iv_length);
4573
4574
0
exit:
4575
0
    if (status == PSA_SUCCESS) {
4576
0
        operation->iv_set = 1;
4577
0
    } else {
4578
0
        psa_cipher_abort(operation);
4579
0
    }
4580
4581
0
    LOCAL_INPUT_FREE(iv_external, iv);
4582
4583
0
    return status;
4584
0
}
4585
4586
psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
4587
                               const uint8_t *input_external,
4588
                               size_t input_length,
4589
                               uint8_t *output_external,
4590
                               size_t output_size,
4591
                               size_t *output_length)
4592
0
{
4593
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4594
4595
0
    LOCAL_INPUT_DECLARE(input_external, input);
4596
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
4597
4598
0
    if (operation->id == 0) {
4599
0
        status = PSA_ERROR_BAD_STATE;
4600
0
        goto exit;
4601
0
    }
4602
4603
0
    if (operation->iv_required && !operation->iv_set) {
4604
0
        status = PSA_ERROR_BAD_STATE;
4605
0
        goto exit;
4606
0
    }
4607
4608
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
4609
0
    LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4610
4611
0
    status = psa_driver_wrapper_cipher_update(operation,
4612
0
                                              input,
4613
0
                                              input_length,
4614
0
                                              output,
4615
0
                                              output_size,
4616
0
                                              output_length);
4617
4618
0
exit:
4619
0
    if (status != PSA_SUCCESS) {
4620
0
        psa_cipher_abort(operation);
4621
0
    }
4622
4623
0
    LOCAL_INPUT_FREE(input_external, input);
4624
0
    LOCAL_OUTPUT_FREE(output_external, output);
4625
4626
0
    return status;
4627
0
}
4628
4629
psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
4630
                               uint8_t *output_external,
4631
                               size_t output_size,
4632
                               size_t *output_length)
4633
0
{
4634
0
    psa_status_t status = PSA_ERROR_GENERIC_ERROR;
4635
4636
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
4637
4638
0
    if (operation->id == 0) {
4639
0
        status = PSA_ERROR_BAD_STATE;
4640
0
        goto exit;
4641
0
    }
4642
4643
0
    if (operation->iv_required && !operation->iv_set) {
4644
0
        status = PSA_ERROR_BAD_STATE;
4645
0
        goto exit;
4646
0
    }
4647
4648
0
    LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4649
4650
0
    status = psa_driver_wrapper_cipher_finish(operation,
4651
0
                                              output,
4652
0
                                              output_size,
4653
0
                                              output_length);
4654
4655
0
exit:
4656
0
    if (status == PSA_SUCCESS) {
4657
0
        status = psa_cipher_abort(operation);
4658
0
    } else {
4659
0
        *output_length = 0;
4660
0
        (void) psa_cipher_abort(operation);
4661
0
    }
4662
4663
0
    LOCAL_OUTPUT_FREE(output_external, output);
4664
4665
0
    return status;
4666
0
}
4667
4668
psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
4669
0
{
4670
0
    if (operation->id == 0) {
4671
        /* The object has (apparently) been initialized but it is not (yet)
4672
         * in use. It's ok to call abort on such an object, and there's
4673
         * nothing to do. */
4674
0
        return PSA_SUCCESS;
4675
0
    }
4676
4677
0
    psa_driver_wrapper_cipher_abort(operation);
4678
4679
0
    operation->id = 0;
4680
0
    operation->iv_set = 0;
4681
0
    operation->iv_required = 0;
4682
4683
0
    return PSA_SUCCESS;
4684
0
}
4685
4686
psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
4687
                                psa_algorithm_t alg,
4688
                                const uint8_t *input_external,
4689
                                size_t input_length,
4690
                                uint8_t *output_external,
4691
                                size_t output_size,
4692
                                size_t *output_length)
4693
0
{
4694
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4695
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4696
0
    psa_key_slot_t *slot = NULL;
4697
0
    uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
4698
0
    size_t default_iv_length = 0;
4699
4700
0
    LOCAL_INPUT_DECLARE(input_external, input);
4701
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
4702
4703
0
    if (!PSA_ALG_IS_CIPHER(alg)) {
4704
0
        status = PSA_ERROR_INVALID_ARGUMENT;
4705
0
        goto exit;
4706
0
    }
4707
4708
0
    status = psa_get_and_lock_key_slot_with_policy(key, &slot,
4709
0
                                                   PSA_KEY_USAGE_ENCRYPT,
4710
0
                                                   alg);
4711
0
    if (status != PSA_SUCCESS) {
4712
0
        goto exit;
4713
0
    }
4714
4715
0
    default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
4716
0
    if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
4717
0
        status = PSA_ERROR_GENERIC_ERROR;
4718
0
        goto exit;
4719
0
    }
4720
4721
0
    if (default_iv_length > 0) {
4722
0
        if (output_size < default_iv_length) {
4723
0
            status = PSA_ERROR_BUFFER_TOO_SMALL;
4724
0
            goto exit;
4725
0
        }
4726
4727
0
        status = psa_generate_random_internal(local_iv, default_iv_length);
4728
0
        if (status != PSA_SUCCESS) {
4729
0
            goto exit;
4730
0
        }
4731
0
    }
4732
4733
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
4734
0
    LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4735
4736
0
    status = psa_driver_wrapper_cipher_encrypt(
4737
0
        &slot->attr, slot->key.data, slot->key.bytes,
4738
0
        alg, local_iv, default_iv_length, input, input_length,
4739
0
        psa_crypto_buffer_offset(output, default_iv_length),
4740
0
        output_size - default_iv_length, output_length);
4741
4742
0
exit:
4743
0
    unlock_status = psa_unregister_read_under_mutex(slot);
4744
0
    if (status == PSA_SUCCESS) {
4745
0
        status = unlock_status;
4746
0
    }
4747
4748
0
    if (status == PSA_SUCCESS) {
4749
0
        if (default_iv_length > 0) {
4750
0
            memcpy(output, local_iv, default_iv_length);
4751
0
        }
4752
0
        *output_length += default_iv_length;
4753
0
    } else {
4754
0
        *output_length = 0;
4755
0
    }
4756
4757
0
    LOCAL_INPUT_FREE(input_external, input);
4758
0
    LOCAL_OUTPUT_FREE(output_external, output);
4759
4760
0
    return status;
4761
0
}
4762
4763
psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
4764
                                psa_algorithm_t alg,
4765
                                const uint8_t *input_external,
4766
                                size_t input_length,
4767
                                uint8_t *output_external,
4768
                                size_t output_size,
4769
                                size_t *output_length)
4770
0
{
4771
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4772
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4773
0
    psa_key_slot_t *slot = NULL;
4774
4775
0
    LOCAL_INPUT_DECLARE(input_external, input);
4776
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
4777
4778
0
    if (!PSA_ALG_IS_CIPHER(alg)) {
4779
0
        status = PSA_ERROR_INVALID_ARGUMENT;
4780
0
        goto exit;
4781
0
    }
4782
4783
0
    status = psa_get_and_lock_key_slot_with_policy(key, &slot,
4784
0
                                                   PSA_KEY_USAGE_DECRYPT,
4785
0
                                                   alg);
4786
0
    if (status != PSA_SUCCESS) {
4787
0
        goto exit;
4788
0
    }
4789
4790
0
    if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) {
4791
0
        status = PSA_ERROR_INVALID_ARGUMENT;
4792
0
        goto exit;
4793
0
    }
4794
4795
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
4796
0
    LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4797
4798
0
    status = psa_driver_wrapper_cipher_decrypt(
4799
0
        &slot->attr, slot->key.data, slot->key.bytes,
4800
0
        alg, input, input_length,
4801
0
        output, output_size, output_length);
4802
4803
0
exit:
4804
0
    unlock_status = psa_unregister_read_under_mutex(slot);
4805
0
    if (status == PSA_SUCCESS) {
4806
0
        status = unlock_status;
4807
0
    }
4808
4809
0
    if (status != PSA_SUCCESS) {
4810
0
        *output_length = 0;
4811
0
    }
4812
4813
0
    LOCAL_INPUT_FREE(input_external, input);
4814
0
    LOCAL_OUTPUT_FREE(output_external, output);
4815
4816
0
    return status;
4817
0
}
4818
4819
4820
/****************************************************************/
4821
/* AEAD */
4822
/****************************************************************/
4823
4824
/* Helper function to get the base algorithm from its variants. */
4825
static psa_algorithm_t psa_aead_get_base_algorithm(psa_algorithm_t alg)
4826
0
{
4827
0
    return PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg);
4828
0
}
4829
4830
/* Helper function to perform common nonce length checks. */
4831
static psa_status_t psa_aead_check_nonce_length(psa_algorithm_t alg,
4832
                                                size_t nonce_length)
4833
0
{
4834
0
    psa_algorithm_t base_alg = psa_aead_get_base_algorithm(alg);
4835
4836
0
    switch (base_alg) {
4837
0
#if defined(PSA_WANT_ALG_GCM)
4838
0
        case PSA_ALG_GCM:
4839
            /* Not checking max nonce size here as GCM spec allows almost
4840
             * arbitrarily large nonces. Please note that we do not generally
4841
             * recommend the usage of nonces of greater length than
4842
             * PSA_AEAD_NONCE_MAX_SIZE, as large nonces are hashed to a shorter
4843
             * size, which can then lead to collisions if you encrypt a very
4844
             * large number of messages.*/
4845
0
            if (nonce_length != 0) {
4846
0
                return PSA_SUCCESS;
4847
0
            }
4848
0
            break;
4849
0
#endif /* PSA_WANT_ALG_GCM */
4850
0
#if defined(PSA_WANT_ALG_CCM)
4851
0
        case PSA_ALG_CCM:
4852
0
            if (nonce_length >= 7 && nonce_length <= 13) {
4853
0
                return PSA_SUCCESS;
4854
0
            }
4855
0
            break;
4856
0
#endif /* PSA_WANT_ALG_CCM */
4857
0
#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
4858
0
        case PSA_ALG_CHACHA20_POLY1305:
4859
0
            if (nonce_length == 12) {
4860
0
                return PSA_SUCCESS;
4861
0
            } else if (nonce_length == 8) {
4862
0
                return PSA_ERROR_NOT_SUPPORTED;
4863
0
            }
4864
0
            break;
4865
0
#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
4866
0
        default:
4867
0
            (void) nonce_length;
4868
0
            return PSA_ERROR_NOT_SUPPORTED;
4869
0
    }
4870
4871
0
    return PSA_ERROR_INVALID_ARGUMENT;
4872
0
}
4873
4874
static psa_status_t psa_aead_check_algorithm(psa_algorithm_t alg)
4875
0
{
4876
0
    if (!PSA_ALG_IS_AEAD(alg) || PSA_ALG_IS_WILDCARD(alg)) {
4877
0
        return PSA_ERROR_INVALID_ARGUMENT;
4878
0
    }
4879
4880
0
    return PSA_SUCCESS;
4881
0
}
4882
4883
psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
4884
                              psa_algorithm_t alg,
4885
                              const uint8_t *nonce_external,
4886
                              size_t nonce_length,
4887
                              const uint8_t *additional_data_external,
4888
                              size_t additional_data_length,
4889
                              const uint8_t *plaintext_external,
4890
                              size_t plaintext_length,
4891
                              uint8_t *ciphertext_external,
4892
                              size_t ciphertext_size,
4893
                              size_t *ciphertext_length)
4894
0
{
4895
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4896
0
    psa_key_slot_t *slot;
4897
4898
0
    LOCAL_INPUT_DECLARE(nonce_external, nonce);
4899
0
    LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
4900
0
    LOCAL_INPUT_DECLARE(plaintext_external, plaintext);
4901
0
    LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
4902
4903
0
    *ciphertext_length = 0;
4904
4905
0
    status = psa_aead_check_algorithm(alg);
4906
0
    if (status != PSA_SUCCESS) {
4907
0
        return status;
4908
0
    }
4909
4910
0
    status = psa_get_and_lock_key_slot_with_policy(
4911
0
        key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
4912
0
    if (status != PSA_SUCCESS) {
4913
0
        return status;
4914
0
    }
4915
4916
0
    LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
4917
0
    LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length, additional_data);
4918
0
    LOCAL_INPUT_ALLOC(plaintext_external, plaintext_length, plaintext);
4919
0
    LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
4920
4921
0
    status = psa_aead_check_nonce_length(alg, nonce_length);
4922
0
    if (status != PSA_SUCCESS) {
4923
0
        goto exit;
4924
0
    }
4925
4926
0
    status = psa_driver_wrapper_aead_encrypt(
4927
0
        &slot->attr, slot->key.data, slot->key.bytes,
4928
0
        alg,
4929
0
        nonce, nonce_length,
4930
0
        additional_data, additional_data_length,
4931
0
        plaintext, plaintext_length,
4932
0
        ciphertext, ciphertext_size, ciphertext_length);
4933
4934
0
    if (status != PSA_SUCCESS && ciphertext_size != 0) {
4935
0
        memset(ciphertext, 0, ciphertext_size);
4936
0
    }
4937
4938
0
exit:
4939
0
    LOCAL_INPUT_FREE(nonce_external, nonce);
4940
0
    LOCAL_INPUT_FREE(additional_data_external, additional_data);
4941
0
    LOCAL_INPUT_FREE(plaintext_external, plaintext);
4942
0
    LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
4943
4944
0
    psa_unregister_read_under_mutex(slot);
4945
4946
0
    return status;
4947
0
}
4948
4949
psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
4950
                              psa_algorithm_t alg,
4951
                              const uint8_t *nonce_external,
4952
                              size_t nonce_length,
4953
                              const uint8_t *additional_data_external,
4954
                              size_t additional_data_length,
4955
                              const uint8_t *ciphertext_external,
4956
                              size_t ciphertext_length,
4957
                              uint8_t *plaintext_external,
4958
                              size_t plaintext_size,
4959
                              size_t *plaintext_length)
4960
0
{
4961
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4962
0
    psa_key_slot_t *slot;
4963
4964
0
    LOCAL_INPUT_DECLARE(nonce_external, nonce);
4965
0
    LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
4966
0
    LOCAL_INPUT_DECLARE(ciphertext_external, ciphertext);
4967
0
    LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
4968
4969
0
    *plaintext_length = 0;
4970
4971
0
    status = psa_aead_check_algorithm(alg);
4972
0
    if (status != PSA_SUCCESS) {
4973
0
        return status;
4974
0
    }
4975
4976
0
    status = psa_get_and_lock_key_slot_with_policy(
4977
0
        key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
4978
0
    if (status != PSA_SUCCESS) {
4979
0
        return status;
4980
0
    }
4981
4982
0
    LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
4983
0
    LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length,
4984
0
                      additional_data);
4985
0
    LOCAL_INPUT_ALLOC(ciphertext_external, ciphertext_length, ciphertext);
4986
0
    LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
4987
4988
0
    status = psa_aead_check_nonce_length(alg, nonce_length);
4989
0
    if (status != PSA_SUCCESS) {
4990
0
        goto exit;
4991
0
    }
4992
4993
0
    status = psa_driver_wrapper_aead_decrypt(
4994
0
        &slot->attr, slot->key.data, slot->key.bytes,
4995
0
        alg,
4996
0
        nonce, nonce_length,
4997
0
        additional_data, additional_data_length,
4998
0
        ciphertext, ciphertext_length,
4999
0
        plaintext, plaintext_size, plaintext_length);
5000
5001
0
    if (status != PSA_SUCCESS && plaintext_size != 0) {
5002
0
        memset(plaintext, 0, plaintext_size);
5003
0
    }
5004
5005
0
exit:
5006
0
    LOCAL_INPUT_FREE(nonce_external, nonce);
5007
0
    LOCAL_INPUT_FREE(additional_data_external, additional_data);
5008
0
    LOCAL_INPUT_FREE(ciphertext_external, ciphertext);
5009
0
    LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
5010
5011
0
    psa_unregister_read_under_mutex(slot);
5012
5013
0
    return status;
5014
0
}
5015
5016
static psa_status_t psa_validate_tag_length(psa_algorithm_t alg)
5017
0
{
5018
0
    const uint8_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
5019
5020
0
    switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
5021
0
#if defined(PSA_WANT_ALG_CCM)
5022
0
        case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
5023
            /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.*/
5024
0
            if (tag_len < 4 || tag_len > 16 || tag_len % 2) {
5025
0
                return PSA_ERROR_INVALID_ARGUMENT;
5026
0
            }
5027
0
            break;
5028
0
#endif /* PSA_WANT_ALG_CCM */
5029
5030
0
#if defined(PSA_WANT_ALG_GCM)
5031
0
        case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
5032
            /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. */
5033
0
            if (tag_len != 4 && tag_len != 8 && (tag_len < 12 || tag_len > 16)) {
5034
0
                return PSA_ERROR_INVALID_ARGUMENT;
5035
0
            }
5036
0
            break;
5037
0
#endif /* PSA_WANT_ALG_GCM */
5038
5039
0
#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
5040
0
        case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
5041
            /* We only support the default tag length. */
5042
0
            if (tag_len != 16) {
5043
0
                return PSA_ERROR_INVALID_ARGUMENT;
5044
0
            }
5045
0
            break;
5046
0
#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
5047
5048
0
        default:
5049
0
            (void) tag_len;
5050
0
            return PSA_ERROR_NOT_SUPPORTED;
5051
0
    }
5052
0
    return PSA_SUCCESS;
5053
0
}
5054
5055
/* Set the key for a multipart authenticated operation. */
5056
static psa_status_t psa_aead_setup(psa_aead_operation_t *operation,
5057
                                   int is_encrypt,
5058
                                   mbedtls_svc_key_id_t key,
5059
                                   psa_algorithm_t alg)
5060
0
{
5061
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5062
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
5063
0
    psa_key_slot_t *slot = NULL;
5064
0
    psa_key_usage_t key_usage = 0;
5065
5066
0
    status = psa_aead_check_algorithm(alg);
5067
0
    if (status != PSA_SUCCESS) {
5068
0
        goto exit;
5069
0
    }
5070
5071
0
    if (operation->id != 0) {
5072
0
        status = PSA_ERROR_BAD_STATE;
5073
0
        goto exit;
5074
0
    }
5075
5076
0
    if (operation->nonce_set || operation->lengths_set ||
5077
0
        operation->ad_started || operation->body_started) {
5078
0
        status = PSA_ERROR_BAD_STATE;
5079
0
        goto exit;
5080
0
    }
5081
5082
0
    if (is_encrypt) {
5083
0
        key_usage = PSA_KEY_USAGE_ENCRYPT;
5084
0
    } else {
5085
0
        key_usage = PSA_KEY_USAGE_DECRYPT;
5086
0
    }
5087
5088
0
    status = psa_get_and_lock_key_slot_with_policy(key, &slot, key_usage,
5089
0
                                                   alg);
5090
0
    if (status != PSA_SUCCESS) {
5091
0
        goto exit;
5092
0
    }
5093
5094
0
    if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) {
5095
0
        goto exit;
5096
0
    }
5097
5098
0
    if (is_encrypt) {
5099
0
        status = psa_driver_wrapper_aead_encrypt_setup(operation,
5100
0
                                                       &slot->attr,
5101
0
                                                       slot->key.data,
5102
0
                                                       slot->key.bytes,
5103
0
                                                       alg);
5104
0
    } else {
5105
0
        status = psa_driver_wrapper_aead_decrypt_setup(operation,
5106
0
                                                       &slot->attr,
5107
0
                                                       slot->key.data,
5108
0
                                                       slot->key.bytes,
5109
0
                                                       alg);
5110
0
    }
5111
0
    if (status != PSA_SUCCESS) {
5112
0
        goto exit;
5113
0
    }
5114
5115
0
    operation->key_type = psa_get_key_type(&slot->attr);
5116
5117
0
exit:
5118
0
    unlock_status = psa_unregister_read_under_mutex(slot);
5119
5120
0
    if (status == PSA_SUCCESS) {
5121
0
        status = unlock_status;
5122
0
        operation->alg = psa_aead_get_base_algorithm(alg);
5123
0
        operation->is_encrypt = is_encrypt;
5124
0
    } else {
5125
0
        psa_aead_abort(operation);
5126
0
    }
5127
5128
0
    return status;
5129
0
}
5130
5131
/* Set the key for a multipart authenticated encryption operation. */
5132
psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
5133
                                    mbedtls_svc_key_id_t key,
5134
                                    psa_algorithm_t alg)
5135
0
{
5136
0
    return psa_aead_setup(operation, 1, key, alg);
5137
0
}
5138
5139
/* Set the key for a multipart authenticated decryption operation. */
5140
psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
5141
                                    mbedtls_svc_key_id_t key,
5142
                                    psa_algorithm_t alg)
5143
0
{
5144
0
    return psa_aead_setup(operation, 0, key, alg);
5145
0
}
5146
5147
static psa_status_t psa_aead_set_nonce_internal(psa_aead_operation_t *operation,
5148
                                                const uint8_t *nonce,
5149
                                                size_t nonce_length)
5150
0
{
5151
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5152
5153
0
    if (operation->id == 0) {
5154
0
        status = PSA_ERROR_BAD_STATE;
5155
0
        goto exit;
5156
0
    }
5157
5158
0
    if (operation->nonce_set) {
5159
0
        status = PSA_ERROR_BAD_STATE;
5160
0
        goto exit;
5161
0
    }
5162
5163
0
    status = psa_aead_check_nonce_length(operation->alg, nonce_length);
5164
0
    if (status != PSA_SUCCESS) {
5165
0
        status = PSA_ERROR_INVALID_ARGUMENT;
5166
0
        goto exit;
5167
0
    }
5168
5169
0
    status = psa_driver_wrapper_aead_set_nonce(operation, nonce,
5170
0
                                               nonce_length);
5171
5172
0
exit:
5173
0
    if (status == PSA_SUCCESS) {
5174
0
        operation->nonce_set = 1;
5175
0
    } else {
5176
0
        psa_aead_abort(operation);
5177
0
    }
5178
5179
0
    return status;
5180
0
}
5181
5182
/* Generate a random nonce / IV for multipart AEAD operation */
5183
psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
5184
                                     uint8_t *nonce_external,
5185
                                     size_t nonce_size,
5186
                                     size_t *nonce_length)
5187
0
{
5188
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5189
0
    uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
5190
0
    size_t required_nonce_size = 0;
5191
5192
0
    LOCAL_OUTPUT_DECLARE(nonce_external, nonce);
5193
0
    LOCAL_OUTPUT_ALLOC(nonce_external, nonce_size, nonce);
5194
5195
0
    *nonce_length = 0;
5196
5197
0
    if (operation->id == 0) {
5198
0
        status = PSA_ERROR_BAD_STATE;
5199
0
        goto exit;
5200
0
    }
5201
5202
0
    if (operation->nonce_set || !operation->is_encrypt) {
5203
0
        status = PSA_ERROR_BAD_STATE;
5204
0
        goto exit;
5205
0
    }
5206
5207
    /* For CCM, this size may not be correct according to the PSA
5208
     * specification. The PSA Crypto 1.0.1 specification states:
5209
     *
5210
     * CCM encodes the plaintext length pLen in L octets, with L the smallest
5211
     * integer >= 2 where pLen < 2^(8L). The nonce length is then 15 - L bytes.
5212
     *
5213
     * However this restriction that L has to be the smallest integer is not
5214
     * applied in practice, and it is not implementable here since the
5215
     * plaintext length may or may not be known at this time. */
5216
0
    required_nonce_size = PSA_AEAD_NONCE_LENGTH(operation->key_type,
5217
0
                                                operation->alg);
5218
0
    if (nonce_size < required_nonce_size) {
5219
0
        status = PSA_ERROR_BUFFER_TOO_SMALL;
5220
0
        goto exit;
5221
0
    }
5222
5223
0
    status = psa_generate_random_internal(local_nonce, required_nonce_size);
5224
0
    if (status != PSA_SUCCESS) {
5225
0
        goto exit;
5226
0
    }
5227
5228
0
    status = psa_aead_set_nonce_internal(operation, local_nonce,
5229
0
                                         required_nonce_size);
5230
5231
0
exit:
5232
0
    if (status == PSA_SUCCESS) {
5233
0
        memcpy(nonce, local_nonce, required_nonce_size);
5234
0
        *nonce_length = required_nonce_size;
5235
0
    } else {
5236
0
        psa_aead_abort(operation);
5237
0
    }
5238
5239
0
    LOCAL_OUTPUT_FREE(nonce_external, nonce);
5240
5241
0
    return status;
5242
0
}
5243
5244
/* Set the nonce for a multipart authenticated encryption or decryption
5245
   operation.*/
5246
psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
5247
                                const uint8_t *nonce_external,
5248
                                size_t nonce_length)
5249
0
{
5250
0
    psa_status_t status;
5251
5252
0
    LOCAL_INPUT_DECLARE(nonce_external, nonce);
5253
0
    LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
5254
5255
0
    status = psa_aead_set_nonce_internal(operation, nonce, nonce_length);
5256
5257
/* Exit label is only needed for buffer copying, prevent unused warnings. */
5258
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
5259
0
exit:
5260
0
#endif
5261
5262
0
    LOCAL_INPUT_FREE(nonce_external, nonce);
5263
5264
0
    return status;
5265
0
}
5266
5267
/* Declare the lengths of the message and additional data for multipart AEAD. */
5268
psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
5269
                                  size_t ad_length,
5270
                                  size_t plaintext_length)
5271
0
{
5272
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5273
5274
0
    if (operation->id == 0) {
5275
0
        status = PSA_ERROR_BAD_STATE;
5276
0
        goto exit;
5277
0
    }
5278
5279
0
    if (operation->lengths_set || operation->ad_started ||
5280
0
        operation->body_started) {
5281
0
        status = PSA_ERROR_BAD_STATE;
5282
0
        goto exit;
5283
0
    }
5284
5285
0
    switch (operation->alg) {
5286
0
#if defined(PSA_WANT_ALG_GCM)
5287
0
        case PSA_ALG_GCM:
5288
            /* Lengths can only be too large for GCM if size_t is bigger than 32
5289
             * bits. Without the guard this code will generate warnings on 32bit
5290
             * builds. */
5291
0
#if SIZE_MAX > UINT32_MAX
5292
0
            if (((uint64_t) ad_length) >> 61 != 0 ||
5293
0
                ((uint64_t) plaintext_length) > 0xFFFFFFFE0ull) {
5294
0
                status = PSA_ERROR_INVALID_ARGUMENT;
5295
0
                goto exit;
5296
0
            }
5297
0
#endif
5298
0
            break;
5299
0
#endif /* PSA_WANT_ALG_GCM */
5300
0
#if defined(PSA_WANT_ALG_CCM)
5301
0
        case PSA_ALG_CCM:
5302
0
            if (ad_length > 0xFF00) {
5303
0
                status = PSA_ERROR_INVALID_ARGUMENT;
5304
0
                goto exit;
5305
0
            }
5306
0
            break;
5307
0
#endif /* PSA_WANT_ALG_CCM */
5308
0
#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
5309
0
        case PSA_ALG_CHACHA20_POLY1305:
5310
            /* No length restrictions for ChaChaPoly. */
5311
0
            break;
5312
0
#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
5313
0
        default:
5314
0
            break;
5315
0
    }
5316
5317
0
    status = psa_driver_wrapper_aead_set_lengths(operation, ad_length,
5318
0
                                                 plaintext_length);
5319
5320
0
exit:
5321
0
    if (status == PSA_SUCCESS) {
5322
0
        operation->ad_remaining = ad_length;
5323
0
        operation->body_remaining = plaintext_length;
5324
0
        operation->lengths_set = 1;
5325
0
    } else {
5326
0
        psa_aead_abort(operation);
5327
0
    }
5328
5329
0
    return status;
5330
0
}
5331
5332
/* Pass additional data to an active multipart AEAD operation. */
5333
psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
5334
                                const uint8_t *input_external,
5335
                                size_t input_length)
5336
0
{
5337
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5338
5339
0
    LOCAL_INPUT_DECLARE(input_external, input);
5340
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
5341
5342
0
    if (operation->id == 0) {
5343
0
        status = PSA_ERROR_BAD_STATE;
5344
0
        goto exit;
5345
0
    }
5346
5347
0
    if (!operation->nonce_set || operation->body_started) {
5348
0
        status = PSA_ERROR_BAD_STATE;
5349
0
        goto exit;
5350
0
    }
5351
5352
    /* No input to add (zero length), nothing to do. */
5353
0
    if (input_length == 0) {
5354
0
        status = PSA_SUCCESS;
5355
0
        goto exit;
5356
0
    }
5357
5358
0
    if (operation->lengths_set) {
5359
0
        if (operation->ad_remaining < input_length) {
5360
0
            status = PSA_ERROR_INVALID_ARGUMENT;
5361
0
            goto exit;
5362
0
        }
5363
5364
0
        operation->ad_remaining -= input_length;
5365
0
    }
5366
0
#if defined(PSA_WANT_ALG_CCM)
5367
0
    else if (operation->alg == PSA_ALG_CCM) {
5368
0
        status = PSA_ERROR_BAD_STATE;
5369
0
        goto exit;
5370
0
    }
5371
0
#endif /* PSA_WANT_ALG_CCM */
5372
5373
0
    status = psa_driver_wrapper_aead_update_ad(operation, input,
5374
0
                                               input_length);
5375
5376
0
exit:
5377
0
    if (status == PSA_SUCCESS) {
5378
0
        operation->ad_started = 1;
5379
0
    } else {
5380
0
        psa_aead_abort(operation);
5381
0
    }
5382
5383
0
    LOCAL_INPUT_FREE(input_external, input);
5384
5385
0
    return status;
5386
0
}
5387
5388
/* Encrypt or decrypt a message fragment in an active multipart AEAD
5389
   operation.*/
5390
psa_status_t psa_aead_update(psa_aead_operation_t *operation,
5391
                             const uint8_t *input_external,
5392
                             size_t input_length,
5393
                             uint8_t *output_external,
5394
                             size_t output_size,
5395
                             size_t *output_length)
5396
0
{
5397
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5398
5399
5400
0
    LOCAL_INPUT_DECLARE(input_external, input);
5401
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
5402
5403
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
5404
0
    LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
5405
5406
0
    *output_length = 0;
5407
5408
0
    if (operation->id == 0) {
5409
0
        status = PSA_ERROR_BAD_STATE;
5410
0
        goto exit;
5411
0
    }
5412
5413
0
    if (!operation->nonce_set) {
5414
0
        status = PSA_ERROR_BAD_STATE;
5415
0
        goto exit;
5416
0
    }
5417
5418
0
    if (operation->lengths_set) {
5419
        /* Additional data length was supplied, but not all the additional
5420
           data was supplied.*/
5421
0
        if (operation->ad_remaining != 0) {
5422
0
            status = PSA_ERROR_INVALID_ARGUMENT;
5423
0
            goto exit;
5424
0
        }
5425
5426
        /* Too much data provided. */
5427
0
        if (operation->body_remaining < input_length) {
5428
0
            status = PSA_ERROR_INVALID_ARGUMENT;
5429
0
            goto exit;
5430
0
        }
5431
5432
0
        operation->body_remaining -= input_length;
5433
0
    }
5434
0
#if defined(PSA_WANT_ALG_CCM)
5435
0
    else if (operation->alg == PSA_ALG_CCM) {
5436
0
        status = PSA_ERROR_BAD_STATE;
5437
0
        goto exit;
5438
0
    }
5439
0
#endif /* PSA_WANT_ALG_CCM */
5440
5441
0
    status = psa_driver_wrapper_aead_update(operation, input, input_length,
5442
0
                                            output, output_size,
5443
0
                                            output_length);
5444
5445
0
exit:
5446
0
    if (status == PSA_SUCCESS) {
5447
0
        operation->body_started = 1;
5448
0
    } else {
5449
0
        psa_aead_abort(operation);
5450
0
    }
5451
5452
0
    LOCAL_INPUT_FREE(input_external, input);
5453
0
    LOCAL_OUTPUT_FREE(output_external, output);
5454
5455
0
    return status;
5456
0
}
5457
5458
static psa_status_t psa_aead_final_checks(const psa_aead_operation_t *operation)
5459
0
{
5460
0
    if (operation->id == 0 || !operation->nonce_set) {
5461
0
        return PSA_ERROR_BAD_STATE;
5462
0
    }
5463
5464
0
    if (operation->lengths_set && (operation->ad_remaining != 0 ||
5465
0
                                   operation->body_remaining != 0)) {
5466
0
        return PSA_ERROR_INVALID_ARGUMENT;
5467
0
    }
5468
5469
0
    return PSA_SUCCESS;
5470
0
}
5471
5472
/* Finish encrypting a message in a multipart AEAD operation. */
5473
psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
5474
                             uint8_t *ciphertext_external,
5475
                             size_t ciphertext_size,
5476
                             size_t *ciphertext_length,
5477
                             uint8_t *tag_external,
5478
                             size_t tag_size,
5479
                             size_t *tag_length)
5480
0
{
5481
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5482
5483
0
    LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
5484
0
    LOCAL_OUTPUT_DECLARE(tag_external, tag);
5485
5486
0
    LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
5487
0
    LOCAL_OUTPUT_ALLOC(tag_external, tag_size, tag);
5488
5489
0
    *ciphertext_length = 0;
5490
0
    *tag_length = tag_size;
5491
5492
0
    status = psa_aead_final_checks(operation);
5493
0
    if (status != PSA_SUCCESS) {
5494
0
        goto exit;
5495
0
    }
5496
5497
0
    if (!operation->is_encrypt) {
5498
0
        status = PSA_ERROR_BAD_STATE;
5499
0
        goto exit;
5500
0
    }
5501
5502
0
    status = psa_driver_wrapper_aead_finish(operation, ciphertext,
5503
0
                                            ciphertext_size,
5504
0
                                            ciphertext_length,
5505
0
                                            tag, tag_size, tag_length);
5506
5507
0
exit:
5508
5509
5510
    /* In case the operation fails and the user fails to check for failure or
5511
     * the zero tag size, make sure the tag is set to something implausible.
5512
     * Even if the operation succeeds, make sure we clear the rest of the
5513
     * buffer to prevent potential leakage of anything previously placed in
5514
     * the same buffer.*/
5515
0
    psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length);
5516
5517
0
    psa_aead_abort(operation);
5518
5519
0
    LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
5520
0
    LOCAL_OUTPUT_FREE(tag_external, tag);
5521
5522
0
    return status;
5523
0
}
5524
5525
/* Finish authenticating and decrypting a message in a multipart AEAD
5526
   operation.*/
5527
psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
5528
                             uint8_t *plaintext_external,
5529
                             size_t plaintext_size,
5530
                             size_t *plaintext_length,
5531
                             const uint8_t *tag_external,
5532
                             size_t tag_length)
5533
0
{
5534
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5535
5536
0
    LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
5537
0
    LOCAL_INPUT_DECLARE(tag_external, tag);
5538
5539
0
    LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
5540
0
    LOCAL_INPUT_ALLOC(tag_external, tag_length, tag);
5541
5542
0
    *plaintext_length = 0;
5543
5544
0
    status = psa_aead_final_checks(operation);
5545
0
    if (status != PSA_SUCCESS) {
5546
0
        goto exit;
5547
0
    }
5548
5549
0
    if (operation->is_encrypt) {
5550
0
        status = PSA_ERROR_BAD_STATE;
5551
0
        goto exit;
5552
0
    }
5553
5554
0
    status = psa_driver_wrapper_aead_verify(operation, plaintext,
5555
0
                                            plaintext_size,
5556
0
                                            plaintext_length,
5557
0
                                            tag, tag_length);
5558
5559
0
exit:
5560
0
    psa_aead_abort(operation);
5561
5562
0
    LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
5563
0
    LOCAL_INPUT_FREE(tag_external, tag);
5564
5565
0
    return status;
5566
0
}
5567
5568
/* Abort an AEAD operation. */
5569
psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
5570
0
{
5571
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5572
5573
0
    if (operation->id == 0) {
5574
        /* The object has (apparently) been initialized but it is not (yet)
5575
         * in use. It's ok to call abort on such an object, and there's
5576
         * nothing to do. */
5577
0
        return PSA_SUCCESS;
5578
0
    }
5579
5580
0
    status = psa_driver_wrapper_aead_abort(operation);
5581
5582
0
    memset(operation, 0, sizeof(*operation));
5583
5584
0
    return status;
5585
0
}
5586
5587
/****************************************************************/
5588
/* Generators */
5589
/****************************************************************/
5590
5591
#if defined(BUILTIN_ALG_ANY_HKDF) || \
5592
    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5593
    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \
5594
    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \
5595
    defined(PSA_HAVE_SOFT_PBKDF2)
5596
#define AT_LEAST_ONE_BUILTIN_KDF
5597
#endif /* At least one builtin KDF */
5598
5599
#if defined(BUILTIN_ALG_ANY_HKDF) || \
5600
    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5601
    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5602
static psa_status_t psa_key_derivation_start_hmac(
5603
    psa_mac_operation_t *operation,
5604
    psa_algorithm_t hash_alg,
5605
    const uint8_t *hmac_key,
5606
    size_t hmac_key_length)
5607
0
{
5608
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5609
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5610
0
    psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
5611
0
    psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(hmac_key_length));
5612
0
    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
5613
5614
0
    operation->is_sign = 1;
5615
0
    operation->mac_size = PSA_HASH_LENGTH(hash_alg);
5616
5617
0
    status = psa_driver_wrapper_mac_sign_setup(operation,
5618
0
                                               &attributes,
5619
0
                                               hmac_key, hmac_key_length,
5620
0
                                               PSA_ALG_HMAC(hash_alg));
5621
5622
0
    psa_reset_key_attributes(&attributes);
5623
0
    return status;
5624
0
}
5625
#endif /* KDF algorithms reliant on HMAC */
5626
5627
0
#define HKDF_STATE_INIT 0 /* no input yet */
5628
0
#define HKDF_STATE_STARTED 1 /* got salt */
5629
0
#define HKDF_STATE_KEYED 2 /* got key */
5630
0
#define HKDF_STATE_OUTPUT 3 /* output started */
5631
5632
static psa_algorithm_t psa_key_derivation_get_kdf_alg(
5633
    const psa_key_derivation_operation_t *operation)
5634
0
{
5635
0
    if (PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
5636
0
        return PSA_ALG_KEY_AGREEMENT_GET_KDF(operation->alg);
5637
0
    } else {
5638
0
        return operation->alg;
5639
0
    }
5640
0
}
5641
5642
psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
5643
0
{
5644
0
    psa_status_t status = PSA_SUCCESS;
5645
0
    psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
5646
0
    if (kdf_alg == 0) {
5647
        /* The object has (apparently) been initialized but it is not
5648
         * in use. It's ok to call abort on such an object, and there's
5649
         * nothing to do. */
5650
0
    } else
5651
0
#if defined(BUILTIN_ALG_ANY_HKDF)
5652
0
    if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
5653
0
        mbedtls_free(operation->ctx.hkdf.info);
5654
0
        status = psa_mac_abort(&operation->ctx.hkdf.hmac);
5655
0
    } else
5656
0
#endif /* BUILTIN_ALG_ANY_HKDF */
5657
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5658
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5659
0
    if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
5660
        /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
5661
0
        PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
5662
0
        if (operation->ctx.tls12_prf.secret != NULL) {
5663
0
            mbedtls_zeroize_and_free(operation->ctx.tls12_prf.secret,
5664
0
                                     operation->ctx.tls12_prf.secret_length);
5665
0
        }
5666
5667
0
        if (operation->ctx.tls12_prf.seed != NULL) {
5668
0
            mbedtls_zeroize_and_free(operation->ctx.tls12_prf.seed,
5669
0
                                     operation->ctx.tls12_prf.seed_length);
5670
0
        }
5671
5672
0
        if (operation->ctx.tls12_prf.label != NULL) {
5673
0
            mbedtls_zeroize_and_free(operation->ctx.tls12_prf.label,
5674
0
                                     operation->ctx.tls12_prf.label_length);
5675
0
        }
5676
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5677
0
        if (operation->ctx.tls12_prf.other_secret != NULL) {
5678
0
            mbedtls_zeroize_and_free(operation->ctx.tls12_prf.other_secret,
5679
0
                                     operation->ctx.tls12_prf.other_secret_length);
5680
0
        }
5681
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
5682
0
        status = PSA_SUCCESS;
5683
5684
        /* We leave the fields Ai and output_block to be erased safely by the
5685
         * mbedtls_platform_zeroize() in the end of this function. */
5686
0
    } else
5687
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
5688
        * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */
5689
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
5690
0
    if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
5691
0
        mbedtls_platform_zeroize(operation->ctx.tls12_ecjpake_to_pms.data,
5692
0
                                 sizeof(operation->ctx.tls12_ecjpake_to_pms.data));
5693
0
    } else
5694
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */
5695
0
#if defined(PSA_HAVE_SOFT_PBKDF2)
5696
0
    if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
5697
0
        if (operation->ctx.pbkdf2.salt != NULL) {
5698
0
            mbedtls_zeroize_and_free(operation->ctx.pbkdf2.salt,
5699
0
                                     operation->ctx.pbkdf2.salt_length);
5700
0
        }
5701
5702
0
        status = PSA_SUCCESS;
5703
0
    } else
5704
0
#endif /* defined(PSA_HAVE_SOFT_PBKDF2) */
5705
0
    {
5706
0
        status = PSA_ERROR_BAD_STATE;
5707
0
    }
5708
0
    mbedtls_platform_zeroize(operation, sizeof(*operation));
5709
0
    return status;
5710
0
}
5711
5712
psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation,
5713
                                             size_t *capacity)
5714
0
{
5715
0
    if (operation->alg == 0) {
5716
        /* This is a blank key derivation operation. */
5717
0
        return PSA_ERROR_BAD_STATE;
5718
0
    }
5719
5720
0
    *capacity = operation->capacity;
5721
0
    return PSA_SUCCESS;
5722
0
}
5723
5724
psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t *operation,
5725
                                             size_t capacity)
5726
0
{
5727
0
    if (operation->alg == 0) {
5728
0
        return PSA_ERROR_BAD_STATE;
5729
0
    }
5730
0
    if (capacity > operation->capacity) {
5731
0
        return PSA_ERROR_INVALID_ARGUMENT;
5732
0
    }
5733
0
    operation->capacity = capacity;
5734
0
    return PSA_SUCCESS;
5735
0
}
5736
5737
#if defined(BUILTIN_ALG_ANY_HKDF)
5738
/* Read some bytes from an HKDF-based operation. */
5739
static psa_status_t psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t *hkdf,
5740
                                                 psa_algorithm_t kdf_alg,
5741
                                                 uint8_t *output,
5742
                                                 size_t output_length)
5743
0
{
5744
0
    psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
5745
0
    uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
5746
0
    size_t hmac_output_length;
5747
0
    psa_status_t status;
5748
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
5749
0
    const uint8_t last_block = PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) ? 0 : 0xff;
5750
#else
5751
    const uint8_t last_block = 0xff;
5752
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
5753
5754
0
    if (hkdf->state < HKDF_STATE_KEYED ||
5755
0
        (!hkdf->info_set
5756
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
5757
0
         && !PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)
5758
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
5759
0
        )) {
5760
0
        return PSA_ERROR_BAD_STATE;
5761
0
    }
5762
0
    hkdf->state = HKDF_STATE_OUTPUT;
5763
5764
0
    while (output_length != 0) {
5765
        /* Copy what remains of the current block */
5766
0
        uint8_t n = hash_length - hkdf->offset_in_block;
5767
0
        if (n > output_length) {
5768
0
            n = (uint8_t) output_length;
5769
0
        }
5770
0
        memcpy(output, hkdf->output_block + hkdf->offset_in_block, n);
5771
0
        output += n;
5772
0
        output_length -= n;
5773
0
        hkdf->offset_in_block += n;
5774
0
        if (output_length == 0) {
5775
0
            break;
5776
0
        }
5777
        /* We can't be wanting more output after the last block, otherwise
5778
         * the capacity check in psa_key_derivation_output_bytes() would have
5779
         * prevented this call. It could happen only if the operation
5780
         * object was corrupted or if this function is called directly
5781
         * inside the library. */
5782
0
        if (hkdf->block_number == last_block) {
5783
0
            return PSA_ERROR_BAD_STATE;
5784
0
        }
5785
5786
        /* We need a new block */
5787
0
        ++hkdf->block_number;
5788
0
        hkdf->offset_in_block = 0;
5789
5790
0
        status = psa_key_derivation_start_hmac(&hkdf->hmac,
5791
0
                                               hash_alg,
5792
0
                                               hkdf->prk,
5793
0
                                               hash_length);
5794
0
        if (status != PSA_SUCCESS) {
5795
0
            return status;
5796
0
        }
5797
5798
0
        if (hkdf->block_number != 1) {
5799
0
            status = psa_mac_update(&hkdf->hmac,
5800
0
                                    hkdf->output_block,
5801
0
                                    hash_length);
5802
0
            if (status != PSA_SUCCESS) {
5803
0
                return status;
5804
0
            }
5805
0
        }
5806
0
        status = psa_mac_update(&hkdf->hmac,
5807
0
                                hkdf->info,
5808
0
                                hkdf->info_length);
5809
0
        if (status != PSA_SUCCESS) {
5810
0
            return status;
5811
0
        }
5812
0
        status = psa_mac_update(&hkdf->hmac,
5813
0
                                &hkdf->block_number, 1);
5814
0
        if (status != PSA_SUCCESS) {
5815
0
            return status;
5816
0
        }
5817
0
        status = psa_mac_sign_finish(&hkdf->hmac,
5818
0
                                     hkdf->output_block,
5819
0
                                     sizeof(hkdf->output_block),
5820
0
                                     &hmac_output_length);
5821
0
        if (status != PSA_SUCCESS) {
5822
0
            return status;
5823
0
        }
5824
0
    }
5825
5826
0
    return PSA_SUCCESS;
5827
0
}
5828
#endif /* BUILTIN_ALG_ANY_HKDF */
5829
5830
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5831
    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5832
static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
5833
    psa_tls12_prf_key_derivation_t *tls12_prf,
5834
    psa_algorithm_t alg)
5835
0
{
5836
0
    psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(alg);
5837
0
    uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
5838
0
    psa_mac_operation_t hmac = PSA_MAC_OPERATION_INIT;
5839
0
    size_t hmac_output_length;
5840
0
    psa_status_t status, cleanup_status;
5841
5842
    /* We can't be wanting more output after block 0xff, otherwise
5843
     * the capacity check in psa_key_derivation_output_bytes() would have
5844
     * prevented this call. It could happen only if the operation
5845
     * object was corrupted or if this function is called directly
5846
     * inside the library. */
5847
0
    if (tls12_prf->block_number == 0xff) {
5848
0
        return PSA_ERROR_CORRUPTION_DETECTED;
5849
0
    }
5850
5851
    /* We need a new block */
5852
0
    ++tls12_prf->block_number;
5853
0
    tls12_prf->left_in_block = hash_length;
5854
5855
    /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
5856
     *
5857
     * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
5858
     *
5859
     * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
5860
     *                        HMAC_hash(secret, A(2) + seed) +
5861
     *                        HMAC_hash(secret, A(3) + seed) + ...
5862
     *
5863
     * A(0) = seed
5864
     * A(i) = HMAC_hash(secret, A(i-1))
5865
     *
5866
     * The `psa_tls12_prf_key_derivation` structure saves the block
5867
     * `HMAC_hash(secret, A(i) + seed)` from which the output
5868
     * is currently extracted as `output_block` and where i is
5869
     * `block_number`.
5870
     */
5871
5872
0
    status = psa_key_derivation_start_hmac(&hmac,
5873
0
                                           hash_alg,
5874
0
                                           tls12_prf->secret,
5875
0
                                           tls12_prf->secret_length);
5876
0
    if (status != PSA_SUCCESS) {
5877
0
        goto cleanup;
5878
0
    }
5879
5880
    /* Calculate A(i) where i = tls12_prf->block_number. */
5881
0
    if (tls12_prf->block_number == 1) {
5882
        /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads
5883
         * the variable seed and in this instance means it in the context of the
5884
         * P_hash function, where seed = label + seed.) */
5885
0
        status = psa_mac_update(&hmac,
5886
0
                                tls12_prf->label,
5887
0
                                tls12_prf->label_length);
5888
0
        if (status != PSA_SUCCESS) {
5889
0
            goto cleanup;
5890
0
        }
5891
0
        status = psa_mac_update(&hmac,
5892
0
                                tls12_prf->seed,
5893
0
                                tls12_prf->seed_length);
5894
0
        if (status != PSA_SUCCESS) {
5895
0
            goto cleanup;
5896
0
        }
5897
0
    } else {
5898
        /* A(i) = HMAC_hash(secret, A(i-1)) */
5899
0
        status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
5900
0
        if (status != PSA_SUCCESS) {
5901
0
            goto cleanup;
5902
0
        }
5903
0
    }
5904
5905
0
    status = psa_mac_sign_finish(&hmac,
5906
0
                                 tls12_prf->Ai, hash_length,
5907
0
                                 &hmac_output_length);
5908
0
    if (hmac_output_length != hash_length) {
5909
0
        status = PSA_ERROR_CORRUPTION_DETECTED;
5910
0
    }
5911
0
    if (status != PSA_SUCCESS) {
5912
0
        goto cleanup;
5913
0
    }
5914
5915
    /* Calculate HMAC_hash(secret, A(i) + label + seed). */
5916
0
    status = psa_key_derivation_start_hmac(&hmac,
5917
0
                                           hash_alg,
5918
0
                                           tls12_prf->secret,
5919
0
                                           tls12_prf->secret_length);
5920
0
    if (status != PSA_SUCCESS) {
5921
0
        goto cleanup;
5922
0
    }
5923
0
    status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
5924
0
    if (status != PSA_SUCCESS) {
5925
0
        goto cleanup;
5926
0
    }
5927
0
    status = psa_mac_update(&hmac, tls12_prf->label, tls12_prf->label_length);
5928
0
    if (status != PSA_SUCCESS) {
5929
0
        goto cleanup;
5930
0
    }
5931
0
    status = psa_mac_update(&hmac, tls12_prf->seed, tls12_prf->seed_length);
5932
0
    if (status != PSA_SUCCESS) {
5933
0
        goto cleanup;
5934
0
    }
5935
0
    status = psa_mac_sign_finish(&hmac,
5936
0
                                 tls12_prf->output_block, hash_length,
5937
0
                                 &hmac_output_length);
5938
0
    if (status != PSA_SUCCESS) {
5939
0
        goto cleanup;
5940
0
    }
5941
5942
5943
0
cleanup:
5944
0
    cleanup_status = psa_mac_abort(&hmac);
5945
0
    if (status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS) {
5946
0
        status = cleanup_status;
5947
0
    }
5948
5949
0
    return status;
5950
0
}
5951
5952
static psa_status_t psa_key_derivation_tls12_prf_read(
5953
    psa_tls12_prf_key_derivation_t *tls12_prf,
5954
    psa_algorithm_t alg,
5955
    uint8_t *output,
5956
    size_t output_length)
5957
0
{
5958
0
    psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH(alg);
5959
0
    uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
5960
0
    psa_status_t status;
5961
0
    uint8_t offset, length;
5962
5963
0
    switch (tls12_prf->state) {
5964
0
        case PSA_TLS12_PRF_STATE_LABEL_SET:
5965
0
            tls12_prf->state = PSA_TLS12_PRF_STATE_OUTPUT;
5966
0
            break;
5967
0
        case PSA_TLS12_PRF_STATE_OUTPUT:
5968
0
            break;
5969
0
        default:
5970
0
            return PSA_ERROR_BAD_STATE;
5971
0
    }
5972
5973
0
    while (output_length != 0) {
5974
        /* Check if we have fully processed the current block. */
5975
0
        if (tls12_prf->left_in_block == 0) {
5976
0
            status = psa_key_derivation_tls12_prf_generate_next_block(tls12_prf,
5977
0
                                                                      alg);
5978
0
            if (status != PSA_SUCCESS) {
5979
0
                return status;
5980
0
            }
5981
5982
0
            continue;
5983
0
        }
5984
5985
0
        if (tls12_prf->left_in_block > output_length) {
5986
0
            length = (uint8_t) output_length;
5987
0
        } else {
5988
0
            length = tls12_prf->left_in_block;
5989
0
        }
5990
5991
0
        offset = hash_length - tls12_prf->left_in_block;
5992
0
        memcpy(output, tls12_prf->output_block + offset, length);
5993
0
        output += length;
5994
0
        output_length -= length;
5995
0
        tls12_prf->left_in_block -= length;
5996
0
    }
5997
5998
0
    return PSA_SUCCESS;
5999
0
}
6000
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
6001
        * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
6002
6003
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
6004
static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read(
6005
    psa_tls12_ecjpake_to_pms_t *ecjpake,
6006
    uint8_t *output,
6007
    size_t output_length)
6008
0
{
6009
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6010
0
    size_t output_size = 0;
6011
6012
0
    if (output_length != 32) {
6013
0
        return PSA_ERROR_INVALID_ARGUMENT;
6014
0
    }
6015
6016
0
    status = psa_hash_compute(PSA_ALG_SHA_256, ecjpake->data,
6017
0
                              PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length,
6018
0
                              &output_size);
6019
0
    if (status != PSA_SUCCESS) {
6020
0
        return status;
6021
0
    }
6022
6023
0
    if (output_size != output_length) {
6024
0
        return PSA_ERROR_GENERIC_ERROR;
6025
0
    }
6026
6027
0
    return PSA_SUCCESS;
6028
0
}
6029
#endif
6030
6031
#if defined(PSA_HAVE_SOFT_PBKDF2)
6032
static psa_status_t psa_key_derivation_pbkdf2_generate_block(
6033
    psa_pbkdf2_key_derivation_t *pbkdf2,
6034
    psa_algorithm_t prf_alg,
6035
    uint8_t prf_output_length,
6036
    psa_key_attributes_t *attributes)
6037
0
{
6038
0
    psa_status_t status;
6039
0
    psa_mac_operation_t mac_operation = PSA_MAC_OPERATION_INIT;
6040
0
    size_t mac_output_length;
6041
0
    uint8_t U_i[PSA_MAC_MAX_SIZE];
6042
0
    uint8_t *U_accumulator = pbkdf2->output_block;
6043
0
    uint64_t i;
6044
0
    uint8_t block_counter[4];
6045
6046
0
    mac_operation.is_sign = 1;
6047
0
    mac_operation.mac_size = prf_output_length;
6048
0
    MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, block_counter, 0);
6049
6050
0
    status = psa_driver_wrapper_mac_sign_setup(&mac_operation,
6051
0
                                               attributes,
6052
0
                                               pbkdf2->password,
6053
0
                                               pbkdf2->password_length,
6054
0
                                               prf_alg);
6055
0
    if (status != PSA_SUCCESS) {
6056
0
        goto cleanup;
6057
0
    }
6058
0
    status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length);
6059
0
    if (status != PSA_SUCCESS) {
6060
0
        goto cleanup;
6061
0
    }
6062
0
    status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter));
6063
0
    if (status != PSA_SUCCESS) {
6064
0
        goto cleanup;
6065
0
    }
6066
0
    status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i),
6067
0
                                 &mac_output_length);
6068
0
    if (status != PSA_SUCCESS) {
6069
0
        goto cleanup;
6070
0
    }
6071
6072
0
    if (mac_output_length != prf_output_length) {
6073
0
        status = PSA_ERROR_CORRUPTION_DETECTED;
6074
0
        goto cleanup;
6075
0
    }
6076
6077
0
    memcpy(U_accumulator, U_i, prf_output_length);
6078
6079
0
    for (i = 1; i < pbkdf2->input_cost; i++) {
6080
        /* We are passing prf_output_length as mac_size because the driver
6081
         * function directly sets mac_output_length as mac_size upon success.
6082
         * See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
6083
0
        status = psa_driver_wrapper_mac_compute(attributes,
6084
0
                                                pbkdf2->password,
6085
0
                                                pbkdf2->password_length,
6086
0
                                                prf_alg, U_i, prf_output_length,
6087
0
                                                U_i, prf_output_length,
6088
0
                                                &mac_output_length);
6089
0
        if (status != PSA_SUCCESS) {
6090
0
            goto cleanup;
6091
0
        }
6092
6093
0
        mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length);
6094
0
    }
6095
6096
0
cleanup:
6097
    /* Zeroise buffers to clear sensitive data from memory. */
6098
0
    mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE);
6099
0
    return status;
6100
0
}
6101
6102
static psa_status_t psa_key_derivation_pbkdf2_read(
6103
    psa_pbkdf2_key_derivation_t *pbkdf2,
6104
    psa_algorithm_t kdf_alg,
6105
    uint8_t *output,
6106
    size_t output_length)
6107
0
{
6108
0
    psa_status_t status;
6109
0
    psa_algorithm_t prf_alg;
6110
0
    uint8_t prf_output_length;
6111
0
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
6112
0
    psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(pbkdf2->password_length));
6113
0
    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
6114
6115
0
    if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
6116
0
        prf_alg = PSA_ALG_HMAC(PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg));
6117
0
        prf_output_length = PSA_HASH_LENGTH(prf_alg);
6118
0
        psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
6119
0
    } else if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
6120
0
        prf_alg = PSA_ALG_CMAC;
6121
0
        prf_output_length = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
6122
0
        psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
6123
0
    } else {
6124
0
        return PSA_ERROR_INVALID_ARGUMENT;
6125
0
    }
6126
6127
0
    switch (pbkdf2->state) {
6128
0
        case PSA_PBKDF2_STATE_PASSWORD_SET:
6129
            /* Initially we need a new block so bytes_used is equal to block size*/
6130
0
            pbkdf2->bytes_used = prf_output_length;
6131
0
            pbkdf2->state = PSA_PBKDF2_STATE_OUTPUT;
6132
0
            break;
6133
0
        case PSA_PBKDF2_STATE_OUTPUT:
6134
0
            break;
6135
0
        default:
6136
0
            return PSA_ERROR_BAD_STATE;
6137
0
    }
6138
6139
0
    while (output_length != 0) {
6140
0
        uint8_t n = prf_output_length - pbkdf2->bytes_used;
6141
0
        if (n > output_length) {
6142
0
            n = (uint8_t) output_length;
6143
0
        }
6144
0
        memcpy(output, pbkdf2->output_block + pbkdf2->bytes_used, n);
6145
0
        output += n;
6146
0
        output_length -= n;
6147
0
        pbkdf2->bytes_used += n;
6148
6149
0
        if (output_length == 0) {
6150
0
            break;
6151
0
        }
6152
6153
        /* We need a new block */
6154
0
        pbkdf2->bytes_used = 0;
6155
0
        pbkdf2->block_number++;
6156
6157
0
        status = psa_key_derivation_pbkdf2_generate_block(pbkdf2, prf_alg,
6158
0
                                                          prf_output_length,
6159
0
                                                          &attributes);
6160
0
        if (status != PSA_SUCCESS) {
6161
0
            return status;
6162
0
        }
6163
0
    }
6164
6165
0
    return PSA_SUCCESS;
6166
0
}
6167
#endif /* PSA_HAVE_SOFT_PBKDF2 */
6168
6169
psa_status_t psa_key_derivation_output_bytes(
6170
    psa_key_derivation_operation_t *operation,
6171
    uint8_t *output_external,
6172
    size_t output_length)
6173
0
{
6174
0
    psa_status_t status;
6175
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
6176
6177
0
    psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
6178
6179
0
    if (operation->alg == 0) {
6180
        /* This is a blank operation. */
6181
0
        return PSA_ERROR_BAD_STATE;
6182
0
    }
6183
6184
0
    if (output_length == 0 && operation->capacity == 0) {
6185
        /* Edge case: this is a finished operation, and 0 bytes
6186
         * were requested. The right error in this case could
6187
         * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
6188
         * INSUFFICIENT_CAPACITY, which is right for a finished
6189
         * operation, for consistency with the case when
6190
         * output_length > 0. */
6191
0
        return PSA_ERROR_INSUFFICIENT_DATA;
6192
0
    }
6193
6194
0
    LOCAL_OUTPUT_ALLOC(output_external, output_length, output);
6195
0
    if (output_length > operation->capacity) {
6196
0
        operation->capacity = 0;
6197
        /* Go through the error path to wipe all confidential data now
6198
         * that the operation object is useless. */
6199
0
        status = PSA_ERROR_INSUFFICIENT_DATA;
6200
0
        goto exit;
6201
0
    }
6202
6203
0
    operation->capacity -= output_length;
6204
6205
0
#if defined(BUILTIN_ALG_ANY_HKDF)
6206
0
    if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
6207
0
        status = psa_key_derivation_hkdf_read(&operation->ctx.hkdf, kdf_alg,
6208
0
                                              output, output_length);
6209
0
    } else
6210
0
#endif /* BUILTIN_ALG_ANY_HKDF */
6211
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
6212
0
    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
6213
0
    if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
6214
0
        PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
6215
0
        status = psa_key_derivation_tls12_prf_read(&operation->ctx.tls12_prf,
6216
0
                                                   kdf_alg, output,
6217
0
                                                   output_length);
6218
0
    } else
6219
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
6220
        * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
6221
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
6222
0
    if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6223
0
        status = psa_key_derivation_tls12_ecjpake_to_pms_read(
6224
0
            &operation->ctx.tls12_ecjpake_to_pms, output, output_length);
6225
0
    } else
6226
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
6227
0
#if defined(PSA_HAVE_SOFT_PBKDF2)
6228
0
    if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
6229
0
        status = psa_key_derivation_pbkdf2_read(&operation->ctx.pbkdf2, kdf_alg,
6230
0
                                                output, output_length);
6231
0
    } else
6232
0
#endif /* PSA_HAVE_SOFT_PBKDF2 */
6233
6234
0
    {
6235
0
        (void) kdf_alg;
6236
0
        status = PSA_ERROR_BAD_STATE;
6237
0
        LOCAL_OUTPUT_FREE(output_external, output);
6238
6239
0
        return status;
6240
0
    }
6241
6242
0
exit:
6243
0
    if (status != PSA_SUCCESS) {
6244
        /* Preserve the algorithm upon errors, but clear all sensitive state.
6245
         * This allows us to differentiate between exhausted operations and
6246
         * blank operations, so we can return PSA_ERROR_BAD_STATE on blank
6247
         * operations. */
6248
0
        psa_algorithm_t alg = operation->alg;
6249
0
        psa_key_derivation_abort(operation);
6250
0
        operation->alg = alg;
6251
0
        if (output != NULL) {
6252
0
            memset(output, '!', output_length);
6253
0
        }
6254
0
    }
6255
6256
0
    LOCAL_OUTPUT_FREE(output_external, output);
6257
0
    return status;
6258
0
}
6259
6260
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
6261
static void psa_des_set_key_parity(uint8_t *data, size_t data_size)
6262
0
{
6263
0
    if (data_size >= 8) {
6264
0
        mbedtls_des_key_set_parity(data);
6265
0
    }
6266
0
    if (data_size >= 16) {
6267
0
        mbedtls_des_key_set_parity(data + 8);
6268
0
    }
6269
0
    if (data_size >= 24) {
6270
0
        mbedtls_des_key_set_parity(data + 16);
6271
0
    }
6272
0
}
6273
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
6274
6275
/*
6276
 * ECC keys on a Weierstrass elliptic curve require the generation
6277
 * of a private key which is an integer
6278
 * in the range [1, N - 1], where N is the boundary of the private key domain:
6279
 * N is the prime p for Diffie-Hellman, or the order of the
6280
 * curve’s base point for ECC.
6281
 *
6282
 * Let m be the bit size of N, such that 2^m > N >= 2^(m-1).
6283
 * This function generates the private key using the following process:
6284
 *
6285
 * 1. Draw a byte string of length ceiling(m/8) bytes.
6286
 * 2. If m is not a multiple of 8, set the most significant
6287
 *    (8 * ceiling(m/8) - m) bits of the first byte in the string to zero.
6288
 * 3. Convert the string to integer k by decoding it as a big-endian byte string.
6289
 * 4. If k > N - 2, discard the result and return to step 1.
6290
 * 5. Output k + 1 as the private key.
6291
 *
6292
 * This method allows compliance to NIST standards, specifically the methods titled
6293
 * Key-Pair Generation by Testing Candidates in the following publications:
6294
 * - NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment
6295
 *   Schemes Using Discrete Logarithm Cryptography [SP800-56A] §5.6.1.1.4 for
6296
 *   Diffie-Hellman keys.
6297
 *
6298
 * - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature
6299
 *   Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys.
6300
 *
6301
 * Note: Function allocates memory for *data buffer, so given *data should be
6302
 *       always NULL.
6303
 */
6304
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
6305
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
6306
static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
6307
    psa_key_slot_t *slot,
6308
    size_t bits,
6309
    psa_key_derivation_operation_t *operation,
6310
    uint8_t **data
6311
    )
6312
0
{
6313
0
    unsigned key_out_of_range = 1;
6314
0
    mbedtls_mpi k;
6315
0
    mbedtls_mpi diff_N_2;
6316
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6317
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6318
0
    size_t m;
6319
0
    size_t m_bytes;
6320
6321
0
    mbedtls_mpi_init(&k);
6322
0
    mbedtls_mpi_init(&diff_N_2);
6323
6324
0
    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
6325
0
        slot->attr.type);
6326
0
    mbedtls_ecp_group_id grp_id =
6327
0
        mbedtls_ecc_group_from_psa(curve, bits);
6328
6329
0
    if (grp_id == MBEDTLS_ECP_DP_NONE) {
6330
0
        ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
6331
0
        goto cleanup;
6332
0
    }
6333
6334
0
    mbedtls_ecp_group ecp_group;
6335
0
    mbedtls_ecp_group_init(&ecp_group);
6336
6337
0
    MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ecp_group, grp_id));
6338
6339
    /* N is the boundary of the private key domain (ecp_group.N). */
6340
    /* Let m be the bit size of N. */
6341
0
    m = ecp_group.nbits;
6342
6343
0
    m_bytes = PSA_BITS_TO_BYTES(m);
6344
6345
    /* Calculate N - 2 - it will be needed later. */
6346
0
    MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&diff_N_2, &ecp_group.N, 2));
6347
6348
    /* Note: This function is always called with *data == NULL and it
6349
     * allocates memory for the data buffer. */
6350
0
    *data = mbedtls_calloc(1, m_bytes);
6351
0
    if (*data == NULL) {
6352
0
        ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
6353
0
        goto cleanup;
6354
0
    }
6355
6356
0
    while (key_out_of_range) {
6357
        /* 1. Draw a byte string of length ceiling(m/8) bytes. */
6358
0
        if ((status = psa_key_derivation_output_bytes(operation, *data, m_bytes)) != 0) {
6359
0
            goto cleanup;
6360
0
        }
6361
6362
        /* 2. If m is not a multiple of 8 */
6363
0
        if (m % 8 != 0) {
6364
            /* Set the most significant
6365
             * (8 * ceiling(m/8) - m) bits of the first byte in
6366
             * the string to zero.
6367
             */
6368
0
            uint8_t clear_bit_mask = (1 << (m % 8)) - 1;
6369
0
            (*data)[0] &= clear_bit_mask;
6370
0
        }
6371
6372
        /* 3. Convert the string to integer k by decoding it as a
6373
         *    big-endian byte string.
6374
         */
6375
0
        MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&k, *data, m_bytes));
6376
6377
        /* 4. If k > N - 2, discard the result and return to step 1.
6378
         *    Result of comparison is returned. When it indicates error
6379
         *    then this function is called again.
6380
         */
6381
0
        MBEDTLS_MPI_CHK(mbedtls_mpi_lt_mpi_ct(&diff_N_2, &k, &key_out_of_range));
6382
0
    }
6383
6384
    /* 5. Output k + 1 as the private key. */
6385
0
    MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&k, &k, 1));
6386
0
    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&k, *data, m_bytes));
6387
0
cleanup:
6388
0
    if (ret != 0) {
6389
0
        status = mbedtls_to_psa_error(ret);
6390
0
    }
6391
0
    if (status != PSA_SUCCESS) {
6392
0
        mbedtls_free(*data);
6393
0
        *data = NULL;
6394
0
    }
6395
0
    mbedtls_mpi_free(&k);
6396
0
    mbedtls_mpi_free(&diff_N_2);
6397
0
    return status;
6398
0
}
6399
6400
/* ECC keys on a Montgomery elliptic curve draws a byte string whose length
6401
 * is determined by the curve, and sets the mandatory bits accordingly. That is:
6402
 *
6403
 * - Curve25519 (PSA_ECC_FAMILY_MONTGOMERY, 255 bits):
6404
 *   draw a 32-byte string and process it as specified in
6405
 *   Elliptic Curves for Security [RFC7748] §5.
6406
 *
6407
 * - Curve448 (PSA_ECC_FAMILY_MONTGOMERY, 448 bits):
6408
 *   draw a 56-byte string and process it as specified in [RFC7748] §5.
6409
 *
6410
 * Note: Function allocates memory for *data buffer, so given *data should be
6411
 *       always NULL.
6412
 */
6413
6414
static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
6415
    size_t bits,
6416
    psa_key_derivation_operation_t *operation,
6417
    uint8_t **data
6418
    )
6419
0
{
6420
0
    size_t output_length;
6421
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6422
6423
0
    switch (bits) {
6424
0
        case 255:
6425
0
            output_length = 32;
6426
0
            break;
6427
0
        case 448:
6428
0
            output_length = 56;
6429
0
            break;
6430
0
        default:
6431
0
            return PSA_ERROR_INVALID_ARGUMENT;
6432
0
            break;
6433
0
    }
6434
6435
0
    *data = mbedtls_calloc(1, output_length);
6436
6437
0
    if (*data == NULL) {
6438
0
        return PSA_ERROR_INSUFFICIENT_MEMORY;
6439
0
    }
6440
6441
0
    status = psa_key_derivation_output_bytes(operation, *data, output_length);
6442
6443
0
    if (status != PSA_SUCCESS) {
6444
0
        return status;
6445
0
    }
6446
6447
0
    switch (bits) {
6448
0
        case 255:
6449
0
            (*data)[0] &= 248;
6450
0
            (*data)[31] &= 127;
6451
0
            (*data)[31] |= 64;
6452
0
            break;
6453
0
        case 448:
6454
0
            (*data)[0] &= 252;
6455
0
            (*data)[55] |= 128;
6456
0
            break;
6457
0
        default:
6458
0
            return PSA_ERROR_CORRUPTION_DETECTED;
6459
0
            break;
6460
0
    }
6461
6462
0
    return status;
6463
0
}
6464
#else /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
6465
static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
6466
    psa_key_slot_t *slot, size_t bits,
6467
    psa_key_derivation_operation_t *operation, uint8_t **data)
6468
{
6469
    (void) slot;
6470
    (void) bits;
6471
    (void) operation;
6472
    (void) data;
6473
    return PSA_ERROR_NOT_SUPPORTED;
6474
}
6475
6476
static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
6477
    size_t bits, psa_key_derivation_operation_t *operation, uint8_t **data)
6478
{
6479
    (void) bits;
6480
    (void) operation;
6481
    (void) data;
6482
    return PSA_ERROR_NOT_SUPPORTED;
6483
}
6484
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
6485
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
6486
6487
static psa_status_t psa_generate_derived_key_internal(
6488
    psa_key_slot_t *slot,
6489
    size_t bits,
6490
    psa_key_derivation_operation_t *operation)
6491
0
{
6492
0
    uint8_t *data = NULL;
6493
0
    size_t bytes = PSA_BITS_TO_BYTES(bits);
6494
0
    size_t storage_size = bytes;
6495
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6496
6497
0
    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
6498
0
        return PSA_ERROR_INVALID_ARGUMENT;
6499
0
    }
6500
6501
0
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
6502
0
    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
6503
0
    if (PSA_KEY_TYPE_IS_ECC(slot->attr.type)) {
6504
0
        psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(slot->attr.type);
6505
0
        if (PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
6506
            /* Weierstrass elliptic curve */
6507
0
            status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data);
6508
0
            if (status != PSA_SUCCESS) {
6509
0
                goto exit;
6510
0
            }
6511
0
        } else {
6512
            /* Montgomery elliptic curve */
6513
0
            status = psa_generate_derived_ecc_key_montgomery_helper(bits, operation, &data);
6514
0
            if (status != PSA_SUCCESS) {
6515
0
                goto exit;
6516
0
            }
6517
0
        }
6518
0
    } else
6519
0
#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) ||
6520
          defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) */
6521
0
    if (key_type_is_raw_bytes(slot->attr.type)) {
6522
0
        if (bits % 8 != 0) {
6523
0
            return PSA_ERROR_INVALID_ARGUMENT;
6524
0
        }
6525
0
        data = mbedtls_calloc(1, bytes);
6526
0
        if (data == NULL) {
6527
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
6528
0
        }
6529
6530
0
        status = psa_key_derivation_output_bytes(operation, data, bytes);
6531
0
        if (status != PSA_SUCCESS) {
6532
0
            goto exit;
6533
0
        }
6534
0
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
6535
0
        if (slot->attr.type == PSA_KEY_TYPE_DES) {
6536
0
            psa_des_set_key_parity(data, bytes);
6537
0
        }
6538
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) */
6539
0
    } else {
6540
0
        return PSA_ERROR_NOT_SUPPORTED;
6541
0
    }
6542
6543
0
    slot->attr.bits = (psa_key_bits_t) bits;
6544
6545
0
    if (psa_key_lifetime_is_external(slot->attr.lifetime)) {
6546
0
        status = psa_driver_wrapper_get_key_buffer_size(&slot->attr,
6547
0
                                                        &storage_size);
6548
0
        if (status != PSA_SUCCESS) {
6549
0
            goto exit;
6550
0
        }
6551
0
    }
6552
0
    status = psa_allocate_buffer_to_slot(slot, storage_size);
6553
0
    if (status != PSA_SUCCESS) {
6554
0
        goto exit;
6555
0
    }
6556
6557
0
    status = psa_driver_wrapper_import_key(&slot->attr,
6558
0
                                           data, bytes,
6559
0
                                           slot->key.data,
6560
0
                                           slot->key.bytes,
6561
0
                                           &slot->key.bytes, &bits);
6562
0
    if (bits != slot->attr.bits) {
6563
0
        status = PSA_ERROR_INVALID_ARGUMENT;
6564
0
    }
6565
6566
0
exit:
6567
0
    mbedtls_free(data);
6568
0
    return status;
6569
0
}
6570
6571
static const psa_custom_key_parameters_t default_custom_production =
6572
    PSA_CUSTOM_KEY_PARAMETERS_INIT;
6573
6574
int psa_custom_key_parameters_are_default(
6575
    const psa_custom_key_parameters_t *custom,
6576
    size_t custom_data_length)
6577
0
{
6578
0
    if (custom->flags != 0) {
6579
0
        return 0;
6580
0
    }
6581
0
    if (custom_data_length != 0) {
6582
0
        return 0;
6583
0
    }
6584
0
    return 1;
6585
0
}
6586
6587
psa_status_t psa_key_derivation_output_key_custom(
6588
    const psa_key_attributes_t *attributes,
6589
    psa_key_derivation_operation_t *operation,
6590
    const psa_custom_key_parameters_t *custom,
6591
    const uint8_t *custom_data,
6592
    size_t custom_data_length,
6593
    mbedtls_svc_key_id_t *key)
6594
0
{
6595
0
    psa_status_t status;
6596
0
    psa_key_slot_t *slot = NULL;
6597
0
    psa_se_drv_table_entry_t *driver = NULL;
6598
6599
0
    *key = MBEDTLS_SVC_KEY_ID_INIT;
6600
6601
    /* Reject any attempt to create a zero-length key so that we don't
6602
     * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
6603
0
    if (psa_get_key_bits(attributes) == 0) {
6604
0
        return PSA_ERROR_INVALID_ARGUMENT;
6605
0
    }
6606
6607
0
    (void) custom_data;         /* We only accept 0-length data */
6608
0
    if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) {
6609
0
        return PSA_ERROR_INVALID_ARGUMENT;
6610
0
    }
6611
6612
0
    if (operation->alg == PSA_ALG_NONE) {
6613
0
        return PSA_ERROR_BAD_STATE;
6614
0
    }
6615
6616
0
    if (!operation->can_output_key) {
6617
0
        return PSA_ERROR_NOT_PERMITTED;
6618
0
    }
6619
6620
0
    status = psa_start_key_creation(PSA_KEY_CREATION_DERIVE, attributes,
6621
0
                                    &slot, &driver);
6622
0
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
6623
0
    if (driver != NULL) {
6624
        /* Deriving a key in a secure element is not implemented yet. */
6625
0
        status = PSA_ERROR_NOT_SUPPORTED;
6626
0
    }
6627
0
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
6628
0
    if (status == PSA_SUCCESS) {
6629
0
        status = psa_generate_derived_key_internal(slot,
6630
0
                                                   attributes->bits,
6631
0
                                                   operation);
6632
0
    }
6633
0
    if (status == PSA_SUCCESS) {
6634
0
        status = psa_finish_key_creation(slot, driver, key);
6635
0
    }
6636
0
    if (status != PSA_SUCCESS) {
6637
0
        psa_fail_key_creation(slot, driver);
6638
0
    }
6639
6640
0
    return status;
6641
0
}
6642
6643
psa_status_t psa_key_derivation_output_key_ext(
6644
    const psa_key_attributes_t *attributes,
6645
    psa_key_derivation_operation_t *operation,
6646
    const psa_key_production_parameters_t *params,
6647
    size_t params_data_length,
6648
    mbedtls_svc_key_id_t *key)
6649
0
{
6650
0
    return psa_key_derivation_output_key_custom(
6651
0
        attributes, operation,
6652
0
        (const psa_custom_key_parameters_t *) params,
6653
0
        params->data, params_data_length,
6654
0
        key);
6655
0
}
6656
6657
psa_status_t psa_key_derivation_output_key(
6658
    const psa_key_attributes_t *attributes,
6659
    psa_key_derivation_operation_t *operation,
6660
    mbedtls_svc_key_id_t *key)
6661
0
{
6662
0
    return psa_key_derivation_output_key_custom(attributes, operation,
6663
0
                                                &default_custom_production,
6664
0
                                                NULL, 0,
6665
0
                                                key);
6666
0
}
6667
6668
6669
/****************************************************************/
6670
/* Key derivation */
6671
/****************************************************************/
6672
6673
#if defined(AT_LEAST_ONE_BUILTIN_KDF)
6674
static int is_kdf_alg_supported(psa_algorithm_t kdf_alg)
6675
0
{
6676
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
6677
0
    if (PSA_ALG_IS_HKDF(kdf_alg)) {
6678
0
        return 1;
6679
0
    }
6680
0
#endif
6681
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
6682
0
    if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6683
0
        return 1;
6684
0
    }
6685
0
#endif
6686
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
6687
0
    if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
6688
0
        return 1;
6689
0
    }
6690
0
#endif
6691
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
6692
0
    if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
6693
0
        return 1;
6694
0
    }
6695
0
#endif
6696
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
6697
0
    if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
6698
0
        return 1;
6699
0
    }
6700
0
#endif
6701
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
6702
0
    if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6703
0
        return 1;
6704
0
    }
6705
0
#endif
6706
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
6707
0
    if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
6708
0
        return 1;
6709
0
    }
6710
0
#endif
6711
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
6712
0
    if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
6713
0
        return 1;
6714
0
    }
6715
0
#endif
6716
0
    return 0;
6717
0
}
6718
6719
static psa_status_t psa_hash_try_support(psa_algorithm_t alg)
6720
0
{
6721
0
    psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
6722
0
    psa_status_t status = psa_hash_setup(&operation, alg);
6723
0
    psa_hash_abort(&operation);
6724
0
    return status;
6725
0
}
6726
6727
static psa_status_t psa_key_derivation_set_maximum_capacity(
6728
    psa_key_derivation_operation_t *operation,
6729
    psa_algorithm_t kdf_alg)
6730
0
{
6731
0
#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
6732
0
    if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6733
0
        operation->capacity = PSA_HASH_LENGTH(PSA_ALG_SHA_256);
6734
0
        return PSA_SUCCESS;
6735
0
    }
6736
0
#endif
6737
0
#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
6738
0
    if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
6739
0
#if (SIZE_MAX > UINT32_MAX)
6740
0
        operation->capacity = UINT32_MAX * (size_t) PSA_MAC_LENGTH(
6741
0
            PSA_KEY_TYPE_AES,
6742
0
            128U,
6743
0
            PSA_ALG_CMAC);
6744
#else
6745
        operation->capacity = SIZE_MAX;
6746
#endif
6747
0
        return PSA_SUCCESS;
6748
0
    }
6749
0
#endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */
6750
6751
    /* After this point, if kdf_alg is not valid then value of hash_alg may be
6752
     * invalid or meaningless but it does not affect this function */
6753
0
    psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(kdf_alg);
6754
0
    size_t hash_size = PSA_HASH_LENGTH(hash_alg);
6755
0
    if (hash_size == 0) {
6756
0
        return PSA_ERROR_NOT_SUPPORTED;
6757
0
    }
6758
6759
    /* Make sure that hash_alg is a supported hash algorithm. Otherwise
6760
     * we might fail later, which is somewhat unfriendly and potentially
6761
     * risk-prone. */
6762
0
    psa_status_t status = psa_hash_try_support(hash_alg);
6763
0
    if (status != PSA_SUCCESS) {
6764
0
        return status;
6765
0
    }
6766
6767
0
#if defined(PSA_WANT_ALG_HKDF)
6768
0
    if (PSA_ALG_IS_HKDF(kdf_alg)) {
6769
0
        operation->capacity = 255 * hash_size;
6770
0
    } else
6771
0
#endif
6772
0
#if defined(PSA_WANT_ALG_HKDF_EXTRACT)
6773
0
    if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6774
0
        operation->capacity = hash_size;
6775
0
    } else
6776
0
#endif
6777
0
#if defined(PSA_WANT_ALG_HKDF_EXPAND)
6778
0
    if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
6779
0
        operation->capacity = 255 * hash_size;
6780
0
    } else
6781
0
#endif
6782
0
#if defined(PSA_WANT_ALG_TLS12_PRF)
6783
0
    if (PSA_ALG_IS_TLS12_PRF(kdf_alg) &&
6784
0
        (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
6785
0
        operation->capacity = SIZE_MAX;
6786
0
    } else
6787
0
#endif
6788
0
#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS)
6789
0
    if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg) &&
6790
0
        (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
6791
        /* Master Secret is always 48 bytes
6792
         * https://datatracker.ietf.org/doc/html/rfc5246.html#section-8.1 */
6793
0
        operation->capacity = 48U;
6794
0
    } else
6795
0
#endif
6796
0
#if defined(PSA_WANT_ALG_PBKDF2_HMAC)
6797
0
    if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
6798
0
#if (SIZE_MAX > UINT32_MAX)
6799
0
        operation->capacity = UINT32_MAX * hash_size;
6800
#else
6801
        operation->capacity = SIZE_MAX;
6802
#endif
6803
0
    } else
6804
0
#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
6805
0
    {
6806
0
        (void) hash_size;
6807
0
        status = PSA_ERROR_NOT_SUPPORTED;
6808
0
    }
6809
0
    return status;
6810
0
}
6811
6812
static psa_status_t psa_key_derivation_setup_kdf(
6813
    psa_key_derivation_operation_t *operation,
6814
    psa_algorithm_t kdf_alg)
6815
0
{
6816
    /* Make sure that operation->ctx is properly zero-initialised. (Macro
6817
     * initialisers for this union leave some bytes unspecified.) */
6818
0
    memset(&operation->ctx, 0, sizeof(operation->ctx));
6819
6820
    /* Make sure that kdf_alg is a supported key derivation algorithm. */
6821
0
    if (!is_kdf_alg_supported(kdf_alg)) {
6822
0
        return PSA_ERROR_NOT_SUPPORTED;
6823
0
    }
6824
6825
0
    psa_status_t status = psa_key_derivation_set_maximum_capacity(operation,
6826
0
                                                                  kdf_alg);
6827
0
    return status;
6828
0
}
6829
6830
static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg)
6831
0
{
6832
0
#if defined(PSA_WANT_ALG_ECDH)
6833
0
    if (alg == PSA_ALG_ECDH) {
6834
0
        return PSA_SUCCESS;
6835
0
    }
6836
0
#endif
6837
0
#if defined(PSA_WANT_ALG_FFDH)
6838
0
    if (alg == PSA_ALG_FFDH) {
6839
0
        return PSA_SUCCESS;
6840
0
    }
6841
0
#endif
6842
0
    (void) alg;
6843
0
    return PSA_ERROR_NOT_SUPPORTED;
6844
0
}
6845
6846
static int psa_key_derivation_allows_free_form_secret_input(
6847
    psa_algorithm_t kdf_alg)
6848
0
{
6849
0
#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
6850
0
    if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6851
0
        return 0;
6852
0
    }
6853
0
#endif
6854
0
    (void) kdf_alg;
6855
0
    return 1;
6856
0
}
6857
#endif /* AT_LEAST_ONE_BUILTIN_KDF */
6858
6859
psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation,
6860
                                      psa_algorithm_t alg)
6861
0
{
6862
0
    psa_status_t status;
6863
6864
0
    if (operation->alg != 0) {
6865
0
        return PSA_ERROR_BAD_STATE;
6866
0
    }
6867
6868
0
    if (PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
6869
0
        return PSA_ERROR_INVALID_ARGUMENT;
6870
0
    } else if (PSA_ALG_IS_KEY_AGREEMENT(alg)) {
6871
0
#if defined(AT_LEAST_ONE_BUILTIN_KDF)
6872
0
        psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF(alg);
6873
0
        psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(alg);
6874
0
        status = psa_key_agreement_try_support(ka_alg);
6875
0
        if (status != PSA_SUCCESS) {
6876
0
            return status;
6877
0
        }
6878
0
        if (!psa_key_derivation_allows_free_form_secret_input(kdf_alg)) {
6879
0
            return PSA_ERROR_INVALID_ARGUMENT;
6880
0
        }
6881
0
        status = psa_key_derivation_setup_kdf(operation, kdf_alg);
6882
#else
6883
        return PSA_ERROR_NOT_SUPPORTED;
6884
#endif /* AT_LEAST_ONE_BUILTIN_KDF */
6885
0
    } else if (PSA_ALG_IS_KEY_DERIVATION(alg)) {
6886
0
#if defined(AT_LEAST_ONE_BUILTIN_KDF)
6887
0
        status = psa_key_derivation_setup_kdf(operation, alg);
6888
#else
6889
        return PSA_ERROR_NOT_SUPPORTED;
6890
#endif /* AT_LEAST_ONE_BUILTIN_KDF */
6891
0
    } else {
6892
0
        return PSA_ERROR_INVALID_ARGUMENT;
6893
0
    }
6894
6895
0
    if (status == PSA_SUCCESS) {
6896
0
        operation->alg = alg;
6897
0
    }
6898
0
    return status;
6899
0
}
6900
6901
#if defined(BUILTIN_ALG_ANY_HKDF)
6902
static psa_status_t psa_hkdf_input(psa_hkdf_key_derivation_t *hkdf,
6903
                                   psa_algorithm_t kdf_alg,
6904
                                   psa_key_derivation_step_t step,
6905
                                   const uint8_t *data,
6906
                                   size_t data_length)
6907
0
{
6908
0
    psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
6909
0
    psa_status_t status;
6910
0
    switch (step) {
6911
0
        case PSA_KEY_DERIVATION_INPUT_SALT:
6912
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
6913
0
            if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
6914
0
                return PSA_ERROR_INVALID_ARGUMENT;
6915
0
            }
6916
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
6917
0
            if (hkdf->state != HKDF_STATE_INIT) {
6918
0
                return PSA_ERROR_BAD_STATE;
6919
0
            } else {
6920
0
                status = psa_key_derivation_start_hmac(&hkdf->hmac,
6921
0
                                                       hash_alg,
6922
0
                                                       data, data_length);
6923
0
                if (status != PSA_SUCCESS) {
6924
0
                    return status;
6925
0
                }
6926
0
                hkdf->state = HKDF_STATE_STARTED;
6927
0
                return PSA_SUCCESS;
6928
0
            }
6929
0
        case PSA_KEY_DERIVATION_INPUT_SECRET:
6930
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
6931
0
            if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
6932
                /* We shouldn't be in different state as HKDF_EXPAND only allows
6933
                 * two inputs: SECRET (this case) and INFO which does not modify
6934
                 * the state. It could happen only if the hkdf
6935
                 * object was corrupted. */
6936
0
                if (hkdf->state != HKDF_STATE_INIT) {
6937
0
                    return PSA_ERROR_BAD_STATE;
6938
0
                }
6939
6940
                /* Allow only input that fits expected prk size */
6941
0
                if (data_length != PSA_HASH_LENGTH(hash_alg)) {
6942
0
                    return PSA_ERROR_INVALID_ARGUMENT;
6943
0
                }
6944
6945
0
                memcpy(hkdf->prk, data, data_length);
6946
0
            } else
6947
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
6948
0
            {
6949
                /* HKDF: If no salt was provided, use an empty salt.
6950
                 * HKDF-EXTRACT: salt is mandatory. */
6951
0
                if (hkdf->state == HKDF_STATE_INIT) {
6952
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
6953
0
                    if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6954
0
                        return PSA_ERROR_BAD_STATE;
6955
0
                    }
6956
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
6957
0
                    status = psa_key_derivation_start_hmac(&hkdf->hmac,
6958
0
                                                           hash_alg,
6959
0
                                                           NULL, 0);
6960
0
                    if (status != PSA_SUCCESS) {
6961
0
                        return status;
6962
0
                    }
6963
0
                    hkdf->state = HKDF_STATE_STARTED;
6964
0
                }
6965
0
                if (hkdf->state != HKDF_STATE_STARTED) {
6966
0
                    return PSA_ERROR_BAD_STATE;
6967
0
                }
6968
0
                status = psa_mac_update(&hkdf->hmac,
6969
0
                                        data, data_length);
6970
0
                if (status != PSA_SUCCESS) {
6971
0
                    return status;
6972
0
                }
6973
0
                status = psa_mac_sign_finish(&hkdf->hmac,
6974
0
                                             hkdf->prk,
6975
0
                                             sizeof(hkdf->prk),
6976
0
                                             &data_length);
6977
0
                if (status != PSA_SUCCESS) {
6978
0
                    return status;
6979
0
                }
6980
0
            }
6981
6982
0
            hkdf->state = HKDF_STATE_KEYED;
6983
0
            hkdf->block_number = 0;
6984
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
6985
0
            if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6986
                /* The only block of output is the PRK. */
6987
0
                memcpy(hkdf->output_block, hkdf->prk, PSA_HASH_LENGTH(hash_alg));
6988
0
                hkdf->offset_in_block = 0;
6989
0
            } else
6990
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
6991
0
            {
6992
                /* Block 0 is empty, and the next block will be
6993
                 * generated by psa_key_derivation_hkdf_read(). */
6994
0
                hkdf->offset_in_block = PSA_HASH_LENGTH(hash_alg);
6995
0
            }
6996
6997
0
            return PSA_SUCCESS;
6998
0
        case PSA_KEY_DERIVATION_INPUT_INFO:
6999
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
7000
0
            if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
7001
0
                return PSA_ERROR_INVALID_ARGUMENT;
7002
0
            }
7003
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
7004
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
7005
0
            if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg) &&
7006
0
                hkdf->state == HKDF_STATE_INIT) {
7007
0
                return PSA_ERROR_BAD_STATE;
7008
0
            }
7009
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
7010
0
            if (hkdf->state == HKDF_STATE_OUTPUT) {
7011
0
                return PSA_ERROR_BAD_STATE;
7012
0
            }
7013
0
            if (hkdf->info_set) {
7014
0
                return PSA_ERROR_BAD_STATE;
7015
0
            }
7016
0
            hkdf->info_length = data_length;
7017
0
            if (data_length != 0) {
7018
0
                hkdf->info = mbedtls_calloc(1, data_length);
7019
0
                if (hkdf->info == NULL) {
7020
0
                    return PSA_ERROR_INSUFFICIENT_MEMORY;
7021
0
                }
7022
0
                memcpy(hkdf->info, data, data_length);
7023
0
            }
7024
0
            hkdf->info_set = 1;
7025
0
            return PSA_SUCCESS;
7026
0
        default:
7027
0
            return PSA_ERROR_INVALID_ARGUMENT;
7028
0
    }
7029
0
}
7030
#endif /* BUILTIN_ALG_ANY_HKDF */
7031
7032
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
7033
    defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
7034
static psa_status_t psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t *prf,
7035
                                           const uint8_t *data,
7036
                                           size_t data_length)
7037
0
{
7038
0
    if (prf->state != PSA_TLS12_PRF_STATE_INIT) {
7039
0
        return PSA_ERROR_BAD_STATE;
7040
0
    }
7041
7042
0
    if (data_length != 0) {
7043
0
        prf->seed = mbedtls_calloc(1, data_length);
7044
0
        if (prf->seed == NULL) {
7045
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
7046
0
        }
7047
7048
0
        memcpy(prf->seed, data, data_length);
7049
0
        prf->seed_length = data_length;
7050
0
    }
7051
7052
0
    prf->state = PSA_TLS12_PRF_STATE_SEED_SET;
7053
7054
0
    return PSA_SUCCESS;
7055
0
}
7056
7057
static psa_status_t psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t *prf,
7058
                                          const uint8_t *data,
7059
                                          size_t data_length)
7060
0
{
7061
0
    if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET &&
7062
0
        prf->state != PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
7063
0
        return PSA_ERROR_BAD_STATE;
7064
0
    }
7065
7066
0
    if (data_length != 0) {
7067
0
        prf->secret = mbedtls_calloc(1, data_length);
7068
0
        if (prf->secret == NULL) {
7069
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
7070
0
        }
7071
7072
0
        memcpy(prf->secret, data, data_length);
7073
0
        prf->secret_length = data_length;
7074
0
    }
7075
7076
0
    prf->state = PSA_TLS12_PRF_STATE_KEY_SET;
7077
7078
0
    return PSA_SUCCESS;
7079
0
}
7080
7081
static psa_status_t psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t *prf,
7082
                                            const uint8_t *data,
7083
                                            size_t data_length)
7084
0
{
7085
0
    if (prf->state != PSA_TLS12_PRF_STATE_KEY_SET) {
7086
0
        return PSA_ERROR_BAD_STATE;
7087
0
    }
7088
7089
0
    if (data_length != 0) {
7090
0
        prf->label = mbedtls_calloc(1, data_length);
7091
0
        if (prf->label == NULL) {
7092
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
7093
0
        }
7094
7095
0
        memcpy(prf->label, data, data_length);
7096
0
        prf->label_length = data_length;
7097
0
    }
7098
7099
0
    prf->state = PSA_TLS12_PRF_STATE_LABEL_SET;
7100
7101
0
    return PSA_SUCCESS;
7102
0
}
7103
7104
static psa_status_t psa_tls12_prf_input(psa_tls12_prf_key_derivation_t *prf,
7105
                                        psa_key_derivation_step_t step,
7106
                                        const uint8_t *data,
7107
                                        size_t data_length)
7108
0
{
7109
0
    switch (step) {
7110
0
        case PSA_KEY_DERIVATION_INPUT_SEED:
7111
0
            return psa_tls12_prf_set_seed(prf, data, data_length);
7112
0
        case PSA_KEY_DERIVATION_INPUT_SECRET:
7113
0
            return psa_tls12_prf_set_key(prf, data, data_length);
7114
0
        case PSA_KEY_DERIVATION_INPUT_LABEL:
7115
0
            return psa_tls12_prf_set_label(prf, data, data_length);
7116
0
        default:
7117
0
            return PSA_ERROR_INVALID_ARGUMENT;
7118
0
    }
7119
0
}
7120
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
7121
        * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
7122
7123
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
7124
static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
7125
    psa_tls12_prf_key_derivation_t *prf,
7126
    const uint8_t *data,
7127
    size_t data_length)
7128
0
{
7129
0
    psa_status_t status;
7130
0
    const size_t pms_len = (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET ?
7131
0
                            4 + data_length + prf->other_secret_length :
7132
0
                            4 + 2 * data_length);
7133
7134
0
    if (data_length > PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE) {
7135
0
        return PSA_ERROR_INVALID_ARGUMENT;
7136
0
    }
7137
7138
0
    uint8_t *pms = mbedtls_calloc(1, pms_len);
7139
0
    if (pms == NULL) {
7140
0
        return PSA_ERROR_INSUFFICIENT_MEMORY;
7141
0
    }
7142
0
    uint8_t *cur = pms;
7143
7144
    /* pure-PSK:
7145
     * Quoting RFC 4279, Section 2:
7146
     *
7147
     * The premaster secret is formed as follows: if the PSK is N octets
7148
     * long, concatenate a uint16 with the value N, N zero octets, a second
7149
     * uint16 with the value N, and the PSK itself.
7150
     *
7151
     * mixed-PSK:
7152
     * In a DHE-PSK, RSA-PSK, ECDHE-PSK the premaster secret is formed as
7153
     * follows: concatenate a uint16 with the length of the other secret,
7154
     * the other secret itself, uint16 with the length of PSK, and the
7155
     * PSK itself.
7156
     * For details please check:
7157
     * - RFC 4279, Section 4 for the definition of RSA-PSK,
7158
     * - RFC 4279, Section 3 for the definition of DHE-PSK,
7159
     * - RFC 5489 for the definition of ECDHE-PSK.
7160
     */
7161
7162
0
    if (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
7163
0
        *cur++ = MBEDTLS_BYTE_1(prf->other_secret_length);
7164
0
        *cur++ = MBEDTLS_BYTE_0(prf->other_secret_length);
7165
0
        if (prf->other_secret_length != 0) {
7166
0
            memcpy(cur, prf->other_secret, prf->other_secret_length);
7167
0
            mbedtls_platform_zeroize(prf->other_secret, prf->other_secret_length);
7168
0
            cur += prf->other_secret_length;
7169
0
        }
7170
0
    } else {
7171
0
        *cur++ = MBEDTLS_BYTE_1(data_length);
7172
0
        *cur++ = MBEDTLS_BYTE_0(data_length);
7173
0
        memset(cur, 0, data_length);
7174
0
        cur += data_length;
7175
0
    }
7176
7177
0
    *cur++ = MBEDTLS_BYTE_1(data_length);
7178
0
    *cur++ = MBEDTLS_BYTE_0(data_length);
7179
0
    memcpy(cur, data, data_length);
7180
0
    cur += data_length;
7181
7182
0
    status = psa_tls12_prf_set_key(prf, pms, (size_t) (cur - pms));
7183
7184
0
    mbedtls_zeroize_and_free(pms, pms_len);
7185
0
    return status;
7186
0
}
7187
7188
static psa_status_t psa_tls12_prf_psk_to_ms_set_other_key(
7189
    psa_tls12_prf_key_derivation_t *prf,
7190
    const uint8_t *data,
7191
    size_t data_length)
7192
0
{
7193
0
    if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET) {
7194
0
        return PSA_ERROR_BAD_STATE;
7195
0
    }
7196
7197
0
    if (data_length != 0) {
7198
0
        prf->other_secret = mbedtls_calloc(1, data_length);
7199
0
        if (prf->other_secret == NULL) {
7200
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
7201
0
        }
7202
7203
0
        memcpy(prf->other_secret, data, data_length);
7204
0
        prf->other_secret_length = data_length;
7205
0
    } else {
7206
0
        prf->other_secret_length = 0;
7207
0
    }
7208
7209
0
    prf->state = PSA_TLS12_PRF_STATE_OTHER_KEY_SET;
7210
7211
0
    return PSA_SUCCESS;
7212
0
}
7213
7214
static psa_status_t psa_tls12_prf_psk_to_ms_input(
7215
    psa_tls12_prf_key_derivation_t *prf,
7216
    psa_key_derivation_step_t step,
7217
    const uint8_t *data,
7218
    size_t data_length)
7219
0
{
7220
0
    switch (step) {
7221
0
        case PSA_KEY_DERIVATION_INPUT_SECRET:
7222
0
            return psa_tls12_prf_psk_to_ms_set_key(prf,
7223
0
                                                   data, data_length);
7224
0
            break;
7225
0
        case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
7226
0
            return psa_tls12_prf_psk_to_ms_set_other_key(prf,
7227
0
                                                         data,
7228
0
                                                         data_length);
7229
0
            break;
7230
0
        default:
7231
0
            return psa_tls12_prf_input(prf, step, data, data_length);
7232
0
            break;
7233
7234
0
    }
7235
0
}
7236
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
7237
7238
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
7239
static psa_status_t psa_tls12_ecjpake_to_pms_input(
7240
    psa_tls12_ecjpake_to_pms_t *ecjpake,
7241
    psa_key_derivation_step_t step,
7242
    const uint8_t *data,
7243
    size_t data_length)
7244
0
{
7245
0
    if (data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE ||
7246
0
        step != PSA_KEY_DERIVATION_INPUT_SECRET) {
7247
0
        return PSA_ERROR_INVALID_ARGUMENT;
7248
0
    }
7249
7250
    /* Check if the passed point is in an uncompressed form */
7251
0
    if (data[0] != 0x04) {
7252
0
        return PSA_ERROR_INVALID_ARGUMENT;
7253
0
    }
7254
7255
    /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */
7256
0
    memcpy(ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
7257
7258
0
    return PSA_SUCCESS;
7259
0
}
7260
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
7261
7262
#if defined(PSA_HAVE_SOFT_PBKDF2)
7263
static psa_status_t psa_pbkdf2_set_input_cost(
7264
    psa_pbkdf2_key_derivation_t *pbkdf2,
7265
    psa_key_derivation_step_t step,
7266
    uint64_t data)
7267
0
{
7268
0
    if (step != PSA_KEY_DERIVATION_INPUT_COST) {
7269
0
        return PSA_ERROR_INVALID_ARGUMENT;
7270
0
    }
7271
7272
0
    if (pbkdf2->state != PSA_PBKDF2_STATE_INIT) {
7273
0
        return PSA_ERROR_BAD_STATE;
7274
0
    }
7275
7276
0
    if (data > PSA_VENDOR_PBKDF2_MAX_ITERATIONS) {
7277
0
        return PSA_ERROR_NOT_SUPPORTED;
7278
0
    }
7279
7280
0
    if (data == 0) {
7281
0
        return PSA_ERROR_INVALID_ARGUMENT;
7282
0
    }
7283
7284
0
    pbkdf2->input_cost = data;
7285
0
    pbkdf2->state = PSA_PBKDF2_STATE_INPUT_COST_SET;
7286
7287
0
    return PSA_SUCCESS;
7288
0
}
7289
7290
static psa_status_t psa_pbkdf2_set_salt(psa_pbkdf2_key_derivation_t *pbkdf2,
7291
                                        const uint8_t *data,
7292
                                        size_t data_length)
7293
0
{
7294
0
    if (pbkdf2->state == PSA_PBKDF2_STATE_INPUT_COST_SET) {
7295
0
        pbkdf2->state = PSA_PBKDF2_STATE_SALT_SET;
7296
0
    } else if (pbkdf2->state == PSA_PBKDF2_STATE_SALT_SET) {
7297
        /* Appending to existing salt. No state change. */
7298
0
    } else {
7299
0
        return PSA_ERROR_BAD_STATE;
7300
0
    }
7301
7302
0
    if (data_length == 0) {
7303
        /* Appending an empty string, nothing to do. */
7304
0
    } else {
7305
0
        uint8_t *next_salt;
7306
7307
0
        next_salt = mbedtls_calloc(1, data_length + pbkdf2->salt_length);
7308
0
        if (next_salt == NULL) {
7309
0
            return PSA_ERROR_INSUFFICIENT_MEMORY;
7310
0
        }
7311
7312
0
        if (pbkdf2->salt_length != 0) {
7313
0
            memcpy(next_salt, pbkdf2->salt, pbkdf2->salt_length);
7314
0
        }
7315
0
        memcpy(next_salt + pbkdf2->salt_length, data, data_length);
7316
0
        pbkdf2->salt_length += data_length;
7317
0
        mbedtls_free(pbkdf2->salt);
7318
0
        pbkdf2->salt = next_salt;
7319
0
    }
7320
0
    return PSA_SUCCESS;
7321
0
}
7322
7323
#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
7324
static psa_status_t psa_pbkdf2_hmac_set_password(psa_algorithm_t hash_alg,
7325
                                                 const uint8_t *input,
7326
                                                 size_t input_len,
7327
                                                 uint8_t *output,
7328
                                                 size_t *output_len)
7329
0
{
7330
0
    psa_status_t status = PSA_SUCCESS;
7331
0
    if (input_len > PSA_HASH_BLOCK_LENGTH(hash_alg)) {
7332
0
        return psa_hash_compute(hash_alg, input, input_len, output,
7333
0
                                PSA_HMAC_MAX_HASH_BLOCK_SIZE, output_len);
7334
0
    } else if (input_len > 0) {
7335
0
        memcpy(output, input, input_len);
7336
0
    }
7337
0
    *output_len = PSA_HASH_BLOCK_LENGTH(hash_alg);
7338
0
    return status;
7339
0
}
7340
#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
7341
7342
#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
7343
static psa_status_t psa_pbkdf2_cmac_set_password(const uint8_t *input,
7344
                                                 size_t input_len,
7345
                                                 uint8_t *output,
7346
                                                 size_t *output_len)
7347
0
{
7348
0
    psa_status_t status = PSA_SUCCESS;
7349
0
    if (input_len != PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC)) {
7350
0
        psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7351
0
        uint8_t zeros[16] = { 0 };
7352
0
        psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
7353
0
        psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(sizeof(zeros)));
7354
0
        psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
7355
        /* Passing PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC) as
7356
         * mac_size as the driver function sets mac_output_length = mac_size
7357
         * on success. See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
7358
0
        status = psa_driver_wrapper_mac_compute(&attributes,
7359
0
                                                zeros, sizeof(zeros),
7360
0
                                                PSA_ALG_CMAC, input, input_len,
7361
0
                                                output,
7362
0
                                                PSA_MAC_LENGTH(PSA_KEY_TYPE_AES,
7363
0
                                                               128U,
7364
0
                                                               PSA_ALG_CMAC),
7365
0
                                                output_len);
7366
0
    } else {
7367
0
        memcpy(output, input, input_len);
7368
0
        *output_len = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
7369
0
    }
7370
0
    return status;
7371
0
}
7372
#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
7373
7374
static psa_status_t psa_pbkdf2_set_password(psa_pbkdf2_key_derivation_t *pbkdf2,
7375
                                            psa_algorithm_t kdf_alg,
7376
                                            const uint8_t *data,
7377
                                            size_t data_length)
7378
0
{
7379
0
    psa_status_t status = PSA_SUCCESS;
7380
0
    if (pbkdf2->state != PSA_PBKDF2_STATE_SALT_SET) {
7381
0
        return PSA_ERROR_BAD_STATE;
7382
0
    }
7383
7384
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
7385
0
    if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
7386
0
        psa_algorithm_t hash_alg = PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg);
7387
0
        status = psa_pbkdf2_hmac_set_password(hash_alg, data, data_length,
7388
0
                                              pbkdf2->password,
7389
0
                                              &pbkdf2->password_length);
7390
0
    } else
7391
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
7392
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
7393
0
    if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
7394
0
        status = psa_pbkdf2_cmac_set_password(data, data_length,
7395
0
                                              pbkdf2->password,
7396
0
                                              &pbkdf2->password_length);
7397
0
    } else
7398
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
7399
0
    {
7400
0
        return PSA_ERROR_INVALID_ARGUMENT;
7401
0
    }
7402
7403
0
    pbkdf2->state = PSA_PBKDF2_STATE_PASSWORD_SET;
7404
7405
0
    return status;
7406
0
}
7407
7408
static psa_status_t psa_pbkdf2_input(psa_pbkdf2_key_derivation_t *pbkdf2,
7409
                                     psa_algorithm_t kdf_alg,
7410
                                     psa_key_derivation_step_t step,
7411
                                     const uint8_t *data,
7412
                                     size_t data_length)
7413
0
{
7414
0
    switch (step) {
7415
0
        case PSA_KEY_DERIVATION_INPUT_SALT:
7416
0
            return psa_pbkdf2_set_salt(pbkdf2, data, data_length);
7417
0
        case PSA_KEY_DERIVATION_INPUT_PASSWORD:
7418
0
            return psa_pbkdf2_set_password(pbkdf2, kdf_alg, data, data_length);
7419
0
        default:
7420
0
            return PSA_ERROR_INVALID_ARGUMENT;
7421
0
    }
7422
0
}
7423
#endif /* PSA_HAVE_SOFT_PBKDF2 */
7424
7425
/** Check whether the given key type is acceptable for the given
7426
 * input step of a key derivation.
7427
 *
7428
 * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE.
7429
 * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA.
7430
 * Both secret and non-secret inputs can alternatively have the type
7431
 * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning
7432
 * that the input was passed as a buffer rather than via a key object.
7433
 */
7434
static int psa_key_derivation_check_input_type(
7435
    psa_key_derivation_step_t step,
7436
    psa_key_type_t key_type)
7437
0
{
7438
0
    switch (step) {
7439
0
        case PSA_KEY_DERIVATION_INPUT_SECRET:
7440
0
            if (key_type == PSA_KEY_TYPE_DERIVE) {
7441
0
                return PSA_SUCCESS;
7442
0
            }
7443
0
            if (key_type == PSA_KEY_TYPE_NONE) {
7444
0
                return PSA_SUCCESS;
7445
0
            }
7446
0
            break;
7447
0
        case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
7448
0
            if (key_type == PSA_KEY_TYPE_DERIVE) {
7449
0
                return PSA_SUCCESS;
7450
0
            }
7451
0
            if (key_type == PSA_KEY_TYPE_NONE) {
7452
0
                return PSA_SUCCESS;
7453
0
            }
7454
0
            break;
7455
0
        case PSA_KEY_DERIVATION_INPUT_LABEL:
7456
0
        case PSA_KEY_DERIVATION_INPUT_SALT:
7457
0
        case PSA_KEY_DERIVATION_INPUT_INFO:
7458
0
        case PSA_KEY_DERIVATION_INPUT_SEED:
7459
0
            if (key_type == PSA_KEY_TYPE_RAW_DATA) {
7460
0
                return PSA_SUCCESS;
7461
0
            }
7462
0
            if (key_type == PSA_KEY_TYPE_NONE) {
7463
0
                return PSA_SUCCESS;
7464
0
            }
7465
0
            break;
7466
0
        case PSA_KEY_DERIVATION_INPUT_PASSWORD:
7467
0
            if (key_type == PSA_KEY_TYPE_PASSWORD) {
7468
0
                return PSA_SUCCESS;
7469
0
            }
7470
0
            if (key_type == PSA_KEY_TYPE_DERIVE) {
7471
0
                return PSA_SUCCESS;
7472
0
            }
7473
0
            if (key_type == PSA_KEY_TYPE_NONE) {
7474
0
                return PSA_SUCCESS;
7475
0
            }
7476
0
            break;
7477
0
    }
7478
0
    return PSA_ERROR_INVALID_ARGUMENT;
7479
0
}
7480
7481
static psa_status_t psa_key_derivation_input_internal(
7482
    psa_key_derivation_operation_t *operation,
7483
    psa_key_derivation_step_t step,
7484
    psa_key_type_t key_type,
7485
    const uint8_t *data,
7486
    size_t data_length)
7487
0
{
7488
0
    psa_status_t status;
7489
0
    psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
7490
7491
0
    status = psa_key_derivation_check_input_type(step, key_type);
7492
0
    if (status != PSA_SUCCESS) {
7493
0
        goto exit;
7494
0
    }
7495
7496
0
#if defined(BUILTIN_ALG_ANY_HKDF)
7497
0
    if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
7498
0
        status = psa_hkdf_input(&operation->ctx.hkdf, kdf_alg,
7499
0
                                step, data, data_length);
7500
0
    } else
7501
0
#endif /* BUILTIN_ALG_ANY_HKDF */
7502
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
7503
0
    if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
7504
0
        status = psa_tls12_prf_input(&operation->ctx.tls12_prf,
7505
0
                                     step, data, data_length);
7506
0
    } else
7507
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */
7508
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
7509
0
    if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
7510
0
        status = psa_tls12_prf_psk_to_ms_input(&operation->ctx.tls12_prf,
7511
0
                                               step, data, data_length);
7512
0
    } else
7513
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
7514
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
7515
0
    if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
7516
0
        status = psa_tls12_ecjpake_to_pms_input(
7517
0
            &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length);
7518
0
    } else
7519
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
7520
0
#if defined(PSA_HAVE_SOFT_PBKDF2)
7521
0
    if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
7522
0
        status = psa_pbkdf2_input(&operation->ctx.pbkdf2, kdf_alg,
7523
0
                                  step, data, data_length);
7524
0
    } else
7525
0
#endif /* PSA_HAVE_SOFT_PBKDF2 */
7526
0
    {
7527
        /* This can't happen unless the operation object was not initialized */
7528
0
        (void) data;
7529
0
        (void) data_length;
7530
0
        (void) kdf_alg;
7531
0
        return PSA_ERROR_BAD_STATE;
7532
0
    }
7533
7534
0
exit:
7535
0
    if (status != PSA_SUCCESS) {
7536
0
        psa_key_derivation_abort(operation);
7537
0
    }
7538
0
    return status;
7539
0
}
7540
7541
static psa_status_t psa_key_derivation_input_integer_internal(
7542
    psa_key_derivation_operation_t *operation,
7543
    psa_key_derivation_step_t step,
7544
    uint64_t value)
7545
0
{
7546
0
    psa_status_t status;
7547
0
    psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
7548
7549
0
#if defined(PSA_HAVE_SOFT_PBKDF2)
7550
0
    if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
7551
0
        status = psa_pbkdf2_set_input_cost(
7552
0
            &operation->ctx.pbkdf2, step, value);
7553
0
    } else
7554
0
#endif /* PSA_HAVE_SOFT_PBKDF2 */
7555
0
    {
7556
0
        (void) step;
7557
0
        (void) value;
7558
0
        (void) kdf_alg;
7559
0
        status = PSA_ERROR_INVALID_ARGUMENT;
7560
0
    }
7561
7562
0
    if (status != PSA_SUCCESS) {
7563
0
        psa_key_derivation_abort(operation);
7564
0
    }
7565
0
    return status;
7566
0
}
7567
7568
psa_status_t psa_key_derivation_input_bytes(
7569
    psa_key_derivation_operation_t *operation,
7570
    psa_key_derivation_step_t step,
7571
    const uint8_t *data_external,
7572
    size_t data_length)
7573
0
{
7574
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7575
0
    LOCAL_INPUT_DECLARE(data_external, data);
7576
7577
0
    LOCAL_INPUT_ALLOC(data_external, data_length, data);
7578
7579
0
    status = psa_key_derivation_input_internal(operation, step,
7580
0
                                               PSA_KEY_TYPE_NONE,
7581
0
                                               data, data_length);
7582
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
7583
0
exit:
7584
0
#endif
7585
0
    LOCAL_INPUT_FREE(data_external, data);
7586
0
    return status;
7587
0
}
7588
7589
psa_status_t psa_key_derivation_input_integer(
7590
    psa_key_derivation_operation_t *operation,
7591
    psa_key_derivation_step_t step,
7592
    uint64_t value)
7593
0
{
7594
0
    return psa_key_derivation_input_integer_internal(operation, step, value);
7595
0
}
7596
7597
psa_status_t psa_key_derivation_input_key(
7598
    psa_key_derivation_operation_t *operation,
7599
    psa_key_derivation_step_t step,
7600
    mbedtls_svc_key_id_t key)
7601
0
{
7602
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7603
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
7604
0
    psa_key_slot_t *slot;
7605
7606
0
    status = psa_get_and_lock_transparent_key_slot_with_policy(
7607
0
        key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
7608
0
    if (status != PSA_SUCCESS) {
7609
0
        psa_key_derivation_abort(operation);
7610
0
        return status;
7611
0
    }
7612
7613
    /* Passing a key object as a SECRET or PASSWORD input unlocks the
7614
     * permission to output to a key object. */
7615
0
    if (step == PSA_KEY_DERIVATION_INPUT_SECRET ||
7616
0
        step == PSA_KEY_DERIVATION_INPUT_PASSWORD) {
7617
0
        operation->can_output_key = 1;
7618
0
    }
7619
7620
0
    status = psa_key_derivation_input_internal(operation,
7621
0
                                               step, slot->attr.type,
7622
0
                                               slot->key.data,
7623
0
                                               slot->key.bytes);
7624
7625
0
    unlock_status = psa_unregister_read_under_mutex(slot);
7626
7627
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
7628
0
}
7629
7630
7631
7632
/****************************************************************/
7633
/* Key agreement */
7634
/****************************************************************/
7635
7636
psa_status_t psa_key_agreement_raw_builtin(const psa_key_attributes_t *attributes,
7637
                                           const uint8_t *key_buffer,
7638
                                           size_t key_buffer_size,
7639
                                           psa_algorithm_t alg,
7640
                                           const uint8_t *peer_key,
7641
                                           size_t peer_key_length,
7642
                                           uint8_t *shared_secret,
7643
                                           size_t shared_secret_size,
7644
                                           size_t *shared_secret_length)
7645
0
{
7646
0
    switch (alg) {
7647
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
7648
0
        case PSA_ALG_ECDH:
7649
0
            return mbedtls_psa_key_agreement_ecdh(attributes, key_buffer,
7650
0
                                                  key_buffer_size, alg,
7651
0
                                                  peer_key, peer_key_length,
7652
0
                                                  shared_secret,
7653
0
                                                  shared_secret_size,
7654
0
                                                  shared_secret_length);
7655
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
7656
7657
0
#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
7658
0
        case PSA_ALG_FFDH:
7659
0
            return mbedtls_psa_ffdh_key_agreement(attributes,
7660
0
                                                  peer_key,
7661
0
                                                  peer_key_length,
7662
0
                                                  key_buffer,
7663
0
                                                  key_buffer_size,
7664
0
                                                  shared_secret,
7665
0
                                                  shared_secret_size,
7666
0
                                                  shared_secret_length);
7667
0
#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
7668
7669
0
        default:
7670
0
            (void) attributes;
7671
0
            (void) key_buffer;
7672
0
            (void) key_buffer_size;
7673
0
            (void) peer_key;
7674
0
            (void) peer_key_length;
7675
0
            (void) shared_secret;
7676
0
            (void) shared_secret_size;
7677
0
            (void) shared_secret_length;
7678
0
            return PSA_ERROR_NOT_SUPPORTED;
7679
0
    }
7680
0
}
7681
7682
/** Internal function for raw key agreement
7683
 *  Calls the driver wrapper which will hand off key agreement task
7684
 *  to the driver's implementation if a driver is present.
7685
 *  Fallback specified in the driver wrapper is built-in raw key agreement
7686
 *  (psa_key_agreement_raw_builtin).
7687
 */
7688
static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg,
7689
                                                   psa_key_slot_t *private_key,
7690
                                                   const uint8_t *peer_key,
7691
                                                   size_t peer_key_length,
7692
                                                   uint8_t *shared_secret,
7693
                                                   size_t shared_secret_size,
7694
                                                   size_t *shared_secret_length)
7695
0
{
7696
0
    if (!PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
7697
0
        return PSA_ERROR_NOT_SUPPORTED;
7698
0
    }
7699
7700
0
    return psa_driver_wrapper_key_agreement(&private_key->attr,
7701
0
                                            private_key->key.data,
7702
0
                                            private_key->key.bytes, alg,
7703
0
                                            peer_key, peer_key_length,
7704
0
                                            shared_secret,
7705
0
                                            shared_secret_size,
7706
0
                                            shared_secret_length);
7707
0
}
7708
7709
/* Note that if this function fails, you must call psa_key_derivation_abort()
7710
 * to potentially free embedded data structures and wipe confidential data.
7711
 */
7712
static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *operation,
7713
                                               psa_key_derivation_step_t step,
7714
                                               psa_key_slot_t *private_key,
7715
                                               const uint8_t *peer_key,
7716
                                               size_t peer_key_length)
7717
0
{
7718
0
    psa_status_t status;
7719
0
    uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE] = { 0 };
7720
0
    size_t shared_secret_length = 0;
7721
0
    psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg);
7722
7723
    /* Step 1: run the secret agreement algorithm to generate the shared
7724
     * secret. */
7725
0
    status = psa_key_agreement_raw_internal(ka_alg,
7726
0
                                            private_key,
7727
0
                                            peer_key, peer_key_length,
7728
0
                                            shared_secret,
7729
0
                                            sizeof(shared_secret),
7730
0
                                            &shared_secret_length);
7731
0
    if (status != PSA_SUCCESS) {
7732
0
        goto exit;
7733
0
    }
7734
7735
    /* Step 2: set up the key derivation to generate key material from
7736
     * the shared secret. A shared secret is permitted wherever a key
7737
     * of type DERIVE is permitted. */
7738
0
    status = psa_key_derivation_input_internal(operation, step,
7739
0
                                               PSA_KEY_TYPE_DERIVE,
7740
0
                                               shared_secret,
7741
0
                                               shared_secret_length);
7742
0
exit:
7743
0
    mbedtls_platform_zeroize(shared_secret, shared_secret_length);
7744
0
    return status;
7745
0
}
7746
7747
psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *operation,
7748
                                              psa_key_derivation_step_t step,
7749
                                              mbedtls_svc_key_id_t private_key,
7750
                                              const uint8_t *peer_key_external,
7751
                                              size_t peer_key_length)
7752
0
{
7753
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7754
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
7755
0
    psa_key_slot_t *slot;
7756
0
    LOCAL_INPUT_DECLARE(peer_key_external, peer_key);
7757
7758
0
    if (!PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
7759
0
        return PSA_ERROR_INVALID_ARGUMENT;
7760
0
    }
7761
0
    status = psa_get_and_lock_transparent_key_slot_with_policy(
7762
0
        private_key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
7763
0
    if (status != PSA_SUCCESS) {
7764
0
        return status;
7765
0
    }
7766
7767
0
    LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key);
7768
0
    status = psa_key_agreement_internal(operation, step,
7769
0
                                        slot,
7770
0
                                        peer_key, peer_key_length);
7771
7772
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
7773
0
exit:
7774
0
#endif
7775
0
    if (status != PSA_SUCCESS) {
7776
0
        psa_key_derivation_abort(operation);
7777
0
    } else {
7778
        /* If a private key has been added as SECRET, we allow the derived
7779
         * key material to be used as a key in PSA Crypto. */
7780
0
        if (step == PSA_KEY_DERIVATION_INPUT_SECRET) {
7781
0
            operation->can_output_key = 1;
7782
0
        }
7783
0
    }
7784
7785
0
    unlock_status = psa_unregister_read_under_mutex(slot);
7786
0
    LOCAL_INPUT_FREE(peer_key_external, peer_key);
7787
7788
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
7789
0
}
7790
7791
psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
7792
                                   mbedtls_svc_key_id_t private_key,
7793
                                   const uint8_t *peer_key_external,
7794
                                   size_t peer_key_length,
7795
                                   uint8_t *output_external,
7796
                                   size_t output_size,
7797
                                   size_t *output_length)
7798
0
{
7799
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7800
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
7801
0
    psa_key_slot_t *slot = NULL;
7802
0
    size_t expected_length;
7803
0
    LOCAL_INPUT_DECLARE(peer_key_external, peer_key);
7804
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
7805
0
    LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
7806
7807
0
    if (!PSA_ALG_IS_KEY_AGREEMENT(alg)) {
7808
0
        status = PSA_ERROR_INVALID_ARGUMENT;
7809
0
        goto exit;
7810
0
    }
7811
0
    status = psa_get_and_lock_transparent_key_slot_with_policy(
7812
0
        private_key, &slot, PSA_KEY_USAGE_DERIVE, alg);
7813
0
    if (status != PSA_SUCCESS) {
7814
0
        goto exit;
7815
0
    }
7816
7817
    /* PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is in general an upper bound
7818
     * for the output size. The PSA specification only guarantees that this
7819
     * function works if output_size >= PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(...),
7820
     * but it might be nice to allow smaller buffers if the output fits.
7821
     * At the time of writing this comment, with only ECDH implemented,
7822
     * PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is exact so the point is moot.
7823
     * If FFDH is implemented, PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() can easily
7824
     * be exact for it as well. */
7825
0
    expected_length =
7826
0
        PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(slot->attr.type, slot->attr.bits);
7827
0
    if (output_size < expected_length) {
7828
0
        status = PSA_ERROR_BUFFER_TOO_SMALL;
7829
0
        goto exit;
7830
0
    }
7831
7832
0
    LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key);
7833
0
    status = psa_key_agreement_raw_internal(alg, slot,
7834
0
                                            peer_key, peer_key_length,
7835
0
                                            output, output_size,
7836
0
                                            output_length);
7837
7838
0
exit:
7839
    /* Check for successful allocation of output,
7840
     * with an unsuccessful status. */
7841
0
    if (output != NULL && status != PSA_SUCCESS) {
7842
        /* If an error happens and is not handled properly, the output
7843
         * may be used as a key to protect sensitive data. Arrange for such
7844
         * a key to be random, which is likely to result in decryption or
7845
         * verification errors. This is better than filling the buffer with
7846
         * some constant data such as zeros, which would result in the data
7847
         * being protected with a reproducible, easily knowable key.
7848
         */
7849
0
        psa_generate_random_internal(output, output_size);
7850
0
        *output_length = output_size;
7851
0
    }
7852
7853
0
    if (output == NULL) {
7854
        /* output allocation failed. */
7855
0
        *output_length = 0;
7856
0
    }
7857
7858
0
    unlock_status = psa_unregister_read_under_mutex(slot);
7859
7860
0
    LOCAL_INPUT_FREE(peer_key_external, peer_key);
7861
0
    LOCAL_OUTPUT_FREE(output_external, output);
7862
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
7863
0
}
7864
7865
7866
/****************************************************************/
7867
/* Random generation */
7868
/****************************************************************/
7869
7870
#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
7871
#include "entropy_poll.h"
7872
#endif
7873
7874
/** Initialize the PSA random generator.
7875
 *
7876
 *  Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling
7877
 *  this function if mutexes are enabled.
7878
 */
7879
static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng)
7880
2
{
7881
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
7882
    memset(rng, 0, sizeof(*rng));
7883
#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7884
7885
    /* Set default configuration if
7886
     * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */
7887
2
    if (rng->entropy_init == NULL) {
7888
2
        rng->entropy_init = mbedtls_entropy_init;
7889
2
    }
7890
2
    if (rng->entropy_free == NULL) {
7891
2
        rng->entropy_free = mbedtls_entropy_free;
7892
2
    }
7893
7894
2
    rng->entropy_init(&rng->entropy);
7895
#if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \
7896
    defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
7897
    /* The PSA entropy injection feature depends on using NV seed as an entropy
7898
     * source. Add NV seed as an entropy source for PSA entropy injection. */
7899
    mbedtls_entropy_add_source(&rng->entropy,
7900
                               mbedtls_nv_seed_poll, NULL,
7901
                               MBEDTLS_ENTROPY_BLOCK_SIZE,
7902
                               MBEDTLS_ENTROPY_SOURCE_STRONG);
7903
#endif
7904
7905
2
    mbedtls_psa_drbg_init(&rng->drbg);
7906
2
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7907
2
}
7908
7909
/** Deinitialize the PSA random generator.
7910
 *
7911
 *  Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling
7912
 *  this function if mutexes are enabled.
7913
 */
7914
static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng)
7915
2
{
7916
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
7917
    memset(rng, 0, sizeof(*rng));
7918
#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7919
2
    mbedtls_psa_drbg_free(&rng->drbg);
7920
2
    rng->entropy_free(&rng->entropy);
7921
2
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7922
2
}
7923
7924
/** Seed the PSA random generator.
7925
 */
7926
static psa_status_t mbedtls_psa_random_seed(mbedtls_psa_random_context_t *rng)
7927
2
{
7928
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
7929
    /* Do nothing: the external RNG seeds itself. */
7930
    (void) rng;
7931
    return PSA_SUCCESS;
7932
#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7933
2
    const unsigned char drbg_seed[] = "PSA";
7934
2
    int ret = mbedtls_psa_drbg_seed(&rng->drbg, &rng->entropy,
7935
2
                                    drbg_seed, sizeof(drbg_seed) - 1);
7936
2
    return mbedtls_to_psa_error(ret);
7937
2
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7938
2
}
7939
7940
psa_status_t psa_generate_random(uint8_t *output_external,
7941
                                 size_t output_size)
7942
0
{
7943
0
    psa_status_t status;
7944
7945
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
7946
0
    LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
7947
7948
0
    status = psa_generate_random_internal(output, output_size);
7949
7950
0
#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
7951
0
exit:
7952
0
#endif
7953
0
    LOCAL_OUTPUT_FREE(output_external, output);
7954
0
    return status;
7955
0
}
7956
7957
#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
7958
psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
7959
                                        size_t seed_size)
7960
{
7961
    if (psa_get_initialized()) {
7962
        return PSA_ERROR_NOT_PERMITTED;
7963
    }
7964
7965
    if (((seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM) ||
7966
         (seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE)) ||
7967
        (seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE)) {
7968
        return PSA_ERROR_INVALID_ARGUMENT;
7969
    }
7970
7971
    return mbedtls_psa_storage_inject_entropy(seed, seed_size);
7972
}
7973
#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
7974
7975
/** Validate the key type and size for key generation
7976
 *
7977
 * \param  type  The key type
7978
 * \param  bits  The number of bits of the key
7979
 *
7980
 * \retval #PSA_SUCCESS
7981
 *         The key type and size are valid.
7982
 * \retval #PSA_ERROR_INVALID_ARGUMENT
7983
 *         The size in bits of the key is not valid.
7984
 * \retval #PSA_ERROR_NOT_SUPPORTED
7985
 *         The type and/or the size in bits of the key or the combination of
7986
 *         the two is not supported.
7987
 */
7988
static psa_status_t psa_validate_key_type_and_size_for_key_generation(
7989
    psa_key_type_t type, size_t bits)
7990
0
{
7991
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7992
7993
0
    if (key_type_is_raw_bytes(type)) {
7994
0
        status = psa_validate_unstructured_key_bit_size(type, bits);
7995
0
        if (status != PSA_SUCCESS) {
7996
0
            return status;
7997
0
        }
7998
0
    } else
7999
0
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
8000
0
    if (PSA_KEY_TYPE_IS_RSA(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
8001
0
        if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
8002
0
            return PSA_ERROR_NOT_SUPPORTED;
8003
0
        }
8004
0
        if (bits < PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS) {
8005
0
            return PSA_ERROR_NOT_SUPPORTED;
8006
0
        }
8007
8008
        /* Accept only byte-aligned keys, for the same reasons as
8009
         * in psa_import_rsa_key(). */
8010
0
        if (bits % 8 != 0) {
8011
0
            return PSA_ERROR_NOT_SUPPORTED;
8012
0
        }
8013
0
    } else
8014
0
#endif /* defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
8015
8016
0
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
8017
0
    if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
8018
        /* To avoid empty block, return successfully here. */
8019
0
        return PSA_SUCCESS;
8020
0
    } else
8021
0
#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
8022
8023
0
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
8024
0
    if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
8025
0
        if (psa_is_dh_key_size_valid(bits) == 0) {
8026
0
            return PSA_ERROR_NOT_SUPPORTED;
8027
0
        }
8028
0
    } else
8029
0
#endif /* defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
8030
0
    {
8031
0
        return PSA_ERROR_NOT_SUPPORTED;
8032
0
    }
8033
8034
0
    return PSA_SUCCESS;
8035
0
}
8036
8037
psa_status_t psa_generate_key_internal(
8038
    const psa_key_attributes_t *attributes,
8039
    const psa_custom_key_parameters_t *custom,
8040
    const uint8_t *custom_data,
8041
    size_t custom_data_length,
8042
    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
8043
0
{
8044
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8045
0
    psa_key_type_t type = attributes->type;
8046
8047
    /* Only used for RSA */
8048
0
    (void) custom;
8049
0
    (void) custom_data;
8050
0
    (void) custom_data_length;
8051
8052
0
    if (key_type_is_raw_bytes(type)) {
8053
0
        status = psa_generate_random_internal(key_buffer, key_buffer_size);
8054
0
        if (status != PSA_SUCCESS) {
8055
0
            return status;
8056
0
        }
8057
8058
0
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
8059
0
        if (type == PSA_KEY_TYPE_DES) {
8060
0
            psa_des_set_key_parity(key_buffer, key_buffer_size);
8061
0
        }
8062
0
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
8063
0
    } else
8064
8065
0
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
8066
0
    if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
8067
0
        return mbedtls_psa_rsa_generate_key(attributes,
8068
0
                                            custom_data, custom_data_length,
8069
0
                                            key_buffer,
8070
0
                                            key_buffer_size,
8071
0
                                            key_buffer_length);
8072
0
    } else
8073
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
8074
8075
0
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
8076
0
    if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
8077
0
        return mbedtls_psa_ecp_generate_key(attributes,
8078
0
                                            key_buffer,
8079
0
                                            key_buffer_size,
8080
0
                                            key_buffer_length);
8081
0
    } else
8082
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
8083
8084
0
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
8085
0
    if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
8086
0
        return mbedtls_psa_ffdh_generate_key(attributes,
8087
0
                                             key_buffer,
8088
0
                                             key_buffer_size,
8089
0
                                             key_buffer_length);
8090
0
    } else
8091
0
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
8092
0
    {
8093
0
        (void) key_buffer_length;
8094
0
        return PSA_ERROR_NOT_SUPPORTED;
8095
0
    }
8096
8097
0
    return PSA_SUCCESS;
8098
0
}
8099
8100
psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes,
8101
                                     const psa_custom_key_parameters_t *custom,
8102
                                     const uint8_t *custom_data,
8103
                                     size_t custom_data_length,
8104
                                     mbedtls_svc_key_id_t *key)
8105
0
{
8106
0
    psa_status_t status;
8107
0
    psa_key_slot_t *slot = NULL;
8108
0
    psa_se_drv_table_entry_t *driver = NULL;
8109
0
    size_t key_buffer_size;
8110
8111
0
    *key = MBEDTLS_SVC_KEY_ID_INIT;
8112
8113
    /* Reject any attempt to create a zero-length key so that we don't
8114
     * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
8115
0
    if (psa_get_key_bits(attributes) == 0) {
8116
0
        return PSA_ERROR_INVALID_ARGUMENT;
8117
0
    }
8118
8119
    /* Reject any attempt to create a public key. */
8120
0
    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(attributes->type)) {
8121
0
        return PSA_ERROR_INVALID_ARGUMENT;
8122
0
    }
8123
8124
0
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
8125
0
    if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
8126
0
        if (custom->flags != 0) {
8127
0
            return PSA_ERROR_INVALID_ARGUMENT;
8128
0
        }
8129
0
    } else
8130
0
#endif
8131
0
    if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) {
8132
0
        return PSA_ERROR_INVALID_ARGUMENT;
8133
0
    }
8134
8135
0
    status = psa_start_key_creation(PSA_KEY_CREATION_GENERATE, attributes,
8136
0
                                    &slot, &driver);
8137
0
    if (status != PSA_SUCCESS) {
8138
0
        goto exit;
8139
0
    }
8140
8141
    /* In the case of a transparent key or an opaque key stored in local
8142
     * storage ( thus not in the case of generating a key in a secure element
8143
     * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
8144
     * buffer to hold the generated key material. */
8145
0
    if (slot->key.bytes == 0) {
8146
0
        if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) ==
8147
0
            PSA_KEY_LOCATION_LOCAL_STORAGE) {
8148
0
            status = psa_validate_key_type_and_size_for_key_generation(
8149
0
                attributes->type, attributes->bits);
8150
0
            if (status != PSA_SUCCESS) {
8151
0
                goto exit;
8152
0
            }
8153
8154
0
            key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
8155
0
                attributes->type,
8156
0
                attributes->bits);
8157
0
        } else {
8158
0
            status = psa_driver_wrapper_get_key_buffer_size(
8159
0
                attributes, &key_buffer_size);
8160
0
            if (status != PSA_SUCCESS) {
8161
0
                goto exit;
8162
0
            }
8163
0
        }
8164
8165
0
        status = psa_allocate_buffer_to_slot(slot, key_buffer_size);
8166
0
        if (status != PSA_SUCCESS) {
8167
0
            goto exit;
8168
0
        }
8169
0
    }
8170
8171
0
    status = psa_driver_wrapper_generate_key(attributes,
8172
0
                                             custom,
8173
0
                                             custom_data, custom_data_length,
8174
0
                                             slot->key.data, slot->key.bytes,
8175
0
                                             &slot->key.bytes);
8176
0
    if (status != PSA_SUCCESS) {
8177
0
        psa_remove_key_data_from_memory(slot);
8178
0
    }
8179
8180
0
exit:
8181
0
    if (status == PSA_SUCCESS) {
8182
0
        status = psa_finish_key_creation(slot, driver, key);
8183
0
    }
8184
0
    if (status != PSA_SUCCESS) {
8185
0
        psa_fail_key_creation(slot, driver);
8186
0
    }
8187
8188
0
    return status;
8189
0
}
8190
8191
psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
8192
                                  const psa_key_production_parameters_t *params,
8193
                                  size_t params_data_length,
8194
                                  mbedtls_svc_key_id_t *key)
8195
0
{
8196
0
    return psa_generate_key_custom(
8197
0
        attributes,
8198
0
        (const psa_custom_key_parameters_t *) params,
8199
0
        params->data, params_data_length,
8200
0
        key);
8201
0
}
8202
8203
psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
8204
                              mbedtls_svc_key_id_t *key)
8205
0
{
8206
0
    return psa_generate_key_custom(attributes,
8207
0
                                   &default_custom_production,
8208
0
                                   NULL, 0,
8209
0
                                   key);
8210
0
}
8211
8212
/****************************************************************/
8213
/* Module setup */
8214
/****************************************************************/
8215
8216
#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
8217
psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
8218
    void (* entropy_init)(mbedtls_entropy_context *ctx),
8219
    void (* entropy_free)(mbedtls_entropy_context *ctx))
8220
0
{
8221
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8222
8223
0
#if defined(MBEDTLS_THREADING_C)
8224
0
    mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
8225
0
#endif /* defined(MBEDTLS_THREADING_C) */
8226
8227
0
    if (global_data.rng_state != RNG_NOT_INITIALIZED) {
8228
0
        status = PSA_ERROR_BAD_STATE;
8229
0
    } else {
8230
0
        global_data.rng.entropy_init = entropy_init;
8231
0
        global_data.rng.entropy_free = entropy_free;
8232
0
        status = PSA_SUCCESS;
8233
0
    }
8234
8235
0
#if defined(MBEDTLS_THREADING_C)
8236
0
    mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
8237
0
#endif /* defined(MBEDTLS_THREADING_C) */
8238
8239
0
    return status;
8240
0
}
8241
#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
8242
8243
void mbedtls_psa_crypto_free(void)
8244
4
{
8245
8246
4
#if defined(MBEDTLS_THREADING_C)
8247
4
    mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
8248
4
#endif /* defined(MBEDTLS_THREADING_C) */
8249
8250
    /* Nothing to do to free transaction. */
8251
4
    if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED) {
8252
0
        global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8253
0
    }
8254
8255
4
    if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED) {
8256
2
        psa_wipe_all_key_slots();
8257
2
        global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED;
8258
2
    }
8259
8260
4
#if defined(MBEDTLS_THREADING_C)
8261
4
    mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
8262
4
#endif /* defined(MBEDTLS_THREADING_C) */
8263
8264
4
#if defined(MBEDTLS_THREADING_C)
8265
4
    mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
8266
4
#endif /* defined(MBEDTLS_THREADING_C) */
8267
8268
4
    if (global_data.rng_state != RNG_NOT_INITIALIZED) {
8269
2
        mbedtls_psa_random_free(&global_data.rng);
8270
2
    }
8271
4
    global_data.rng_state = RNG_NOT_INITIALIZED;
8272
4
    mbedtls_platform_zeroize(&global_data.rng, sizeof(global_data.rng));
8273
8274
4
#if defined(MBEDTLS_THREADING_C)
8275
4
    mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
8276
4
#endif /* defined(MBEDTLS_THREADING_C) */
8277
8278
4
#if defined(MBEDTLS_THREADING_C)
8279
4
    mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
8280
4
#endif /* defined(MBEDTLS_THREADING_C) */
8281
8282
    /* Terminate drivers */
8283
4
    if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) {
8284
2
        psa_driver_wrapper_free();
8285
2
        global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED;
8286
2
    }
8287
8288
4
#if defined(MBEDTLS_THREADING_C)
8289
4
    mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
8290
4
#endif /* defined(MBEDTLS_THREADING_C) */
8291
8292
4
}
8293
8294
#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
8295
/** Recover a transaction that was interrupted by a power failure.
8296
 *
8297
 * This function is called during initialization, before psa_crypto_init()
8298
 * returns. If this function returns a failure status, the initialization
8299
 * fails.
8300
 */
8301
static psa_status_t psa_crypto_recover_transaction(
8302
    const psa_crypto_transaction_t *transaction)
8303
0
{
8304
0
    switch (transaction->unknown.type) {
8305
0
        case PSA_CRYPTO_TRANSACTION_CREATE_KEY:
8306
0
        case PSA_CRYPTO_TRANSACTION_DESTROY_KEY:
8307
        /* TODO - fall through to the failure case until this
8308
         * is implemented.
8309
         * https://github.com/ARMmbed/mbed-crypto/issues/218
8310
         */
8311
0
        default:
8312
            /* We found an unsupported transaction in the storage.
8313
             * We don't know what state the storage is in. Give up. */
8314
0
            return PSA_ERROR_DATA_INVALID;
8315
0
    }
8316
0
}
8317
#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
8318
8319
static psa_status_t mbedtls_psa_crypto_init_subsystem(mbedtls_psa_crypto_subsystem subsystem)
8320
6
{
8321
6
    psa_status_t status = PSA_SUCCESS;
8322
6
    uint8_t driver_wrappers_initialized = 0;
8323
8324
6
    switch (subsystem) {
8325
2
        case PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS:
8326
8327
2
#if defined(MBEDTLS_THREADING_C)
8328
2
            PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8329
2
#endif /* defined(MBEDTLS_THREADING_C) */
8330
8331
2
            if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED)) {
8332
                /* Init drivers */
8333
2
                status = psa_driver_wrapper_init();
8334
8335
                /* Drivers need shutdown regardless of startup errors. */
8336
2
                global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED;
8337
8338
8339
2
            }
8340
2
#if defined(MBEDTLS_THREADING_C)
8341
2
            PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8342
2
                                            &mbedtls_threading_psa_globaldata_mutex));
8343
2
#endif /* defined(MBEDTLS_THREADING_C) */
8344
8345
2
            break;
8346
8347
2
        case PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS:
8348
8349
2
#if defined(MBEDTLS_THREADING_C)
8350
2
            PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8351
2
#endif /* defined(MBEDTLS_THREADING_C) */
8352
8353
2
            if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED)) {
8354
2
                status = psa_initialize_key_slots();
8355
8356
                /* Need to wipe keys even if initialization fails. */
8357
2
                global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED;
8358
8359
2
            }
8360
2
#if defined(MBEDTLS_THREADING_C)
8361
2
            PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8362
2
                                            &mbedtls_threading_psa_globaldata_mutex));
8363
2
#endif /* defined(MBEDTLS_THREADING_C) */
8364
8365
2
            break;
8366
8367
2
        case PSA_CRYPTO_SUBSYSTEM_RNG:
8368
8369
2
#if defined(MBEDTLS_THREADING_C)
8370
2
            PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8371
2
#endif /* defined(MBEDTLS_THREADING_C) */
8372
8373
2
            driver_wrappers_initialized =
8374
2
                (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED);
8375
8376
2
#if defined(MBEDTLS_THREADING_C)
8377
2
            PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8378
2
                                            &mbedtls_threading_psa_globaldata_mutex));
8379
2
#endif /* defined(MBEDTLS_THREADING_C) */
8380
8381
            /* Need to use separate mutex here, as initialisation can require
8382
             * testing of init flags, which requires locking the global data
8383
             * mutex. */
8384
2
#if defined(MBEDTLS_THREADING_C)
8385
2
            PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex));
8386
2
#endif /* defined(MBEDTLS_THREADING_C) */
8387
8388
            /* Initialize and seed the random generator. */
8389
2
            if (global_data.rng_state == RNG_NOT_INITIALIZED && driver_wrappers_initialized) {
8390
2
                mbedtls_psa_random_init(&global_data.rng);
8391
2
                global_data.rng_state = RNG_INITIALIZED;
8392
8393
2
                status = mbedtls_psa_random_seed(&global_data.rng);
8394
2
                if (status == PSA_SUCCESS) {
8395
0
                    global_data.rng_state = RNG_SEEDED;
8396
0
                }
8397
2
            }
8398
8399
2
#if defined(MBEDTLS_THREADING_C)
8400
2
            PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8401
2
                                            &mbedtls_threading_psa_rngdata_mutex));
8402
2
#endif /* defined(MBEDTLS_THREADING_C) */
8403
8404
2
            break;
8405
8406
0
        case PSA_CRYPTO_SUBSYSTEM_TRANSACTION:
8407
8408
0
#if defined(MBEDTLS_THREADING_C)
8409
0
            PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8410
0
#endif /* defined(MBEDTLS_THREADING_C) */
8411
8412
0
            if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)) {
8413
0
#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
8414
0
                status = psa_crypto_load_transaction();
8415
0
                if (status == PSA_SUCCESS) {
8416
0
                    status = psa_crypto_recover_transaction(&psa_crypto_transaction);
8417
0
                    if (status == PSA_SUCCESS) {
8418
0
                        global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8419
0
                    }
8420
0
                    status = psa_crypto_stop_transaction();
8421
0
                } else if (status == PSA_ERROR_DOES_NOT_EXIST) {
8422
                    /* There's no transaction to complete. It's all good. */
8423
0
                    global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8424
0
                    status = PSA_SUCCESS;
8425
0
                }
8426
#else /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */
8427
                global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8428
                status = PSA_SUCCESS;
8429
#endif /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */
8430
0
            }
8431
8432
0
#if defined(MBEDTLS_THREADING_C)
8433
0
            PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8434
0
                                            &mbedtls_threading_psa_globaldata_mutex));
8435
0
#endif /* defined(MBEDTLS_THREADING_C) */
8436
8437
0
            break;
8438
8439
0
        default:
8440
0
            status = PSA_ERROR_CORRUPTION_DETECTED;
8441
6
    }
8442
8443
    /* Exit label only required when using threading macros. */
8444
6
#if defined(MBEDTLS_THREADING_C)
8445
6
exit:
8446
6
#endif /* defined(MBEDTLS_THREADING_C) */
8447
8448
6
    return status;
8449
6
}
8450
8451
psa_status_t psa_crypto_init(void)
8452
2
{
8453
2
    psa_status_t status;
8454
8455
    /* Double initialization is explicitly allowed. Early out if everything is
8456
     * done. */
8457
2
    if (psa_get_initialized()) {
8458
0
        return PSA_SUCCESS;
8459
0
    }
8460
8461
2
    status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS);
8462
2
    if (status != PSA_SUCCESS) {
8463
0
        goto exit;
8464
0
    }
8465
8466
2
    status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS);
8467
2
    if (status != PSA_SUCCESS) {
8468
0
        goto exit;
8469
0
    }
8470
8471
2
    status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_RNG);
8472
2
    if (status != PSA_SUCCESS) {
8473
2
        goto exit;
8474
2
    }
8475
8476
0
    status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_TRANSACTION);
8477
8478
2
exit:
8479
8480
2
    if (status != PSA_SUCCESS) {
8481
2
        mbedtls_psa_crypto_free();
8482
2
    }
8483
8484
2
    return status;
8485
0
}
8486
8487
#if defined(PSA_WANT_ALG_SOME_PAKE)
8488
psa_status_t psa_crypto_driver_pake_get_password_len(
8489
    const psa_crypto_driver_pake_inputs_t *inputs,
8490
    size_t *password_len)
8491
0
{
8492
0
    if (inputs->password_len == 0) {
8493
0
        return PSA_ERROR_BAD_STATE;
8494
0
    }
8495
8496
0
    *password_len = inputs->password_len;
8497
8498
0
    return PSA_SUCCESS;
8499
0
}
8500
8501
psa_status_t psa_crypto_driver_pake_get_password(
8502
    const psa_crypto_driver_pake_inputs_t *inputs,
8503
    uint8_t *buffer, size_t buffer_size, size_t *buffer_length)
8504
0
{
8505
0
    if (inputs->password_len == 0) {
8506
0
        return PSA_ERROR_BAD_STATE;
8507
0
    }
8508
8509
0
    if (buffer_size < inputs->password_len) {
8510
0
        return PSA_ERROR_BUFFER_TOO_SMALL;
8511
0
    }
8512
8513
0
    memcpy(buffer, inputs->password, inputs->password_len);
8514
0
    *buffer_length = inputs->password_len;
8515
8516
0
    return PSA_SUCCESS;
8517
0
}
8518
8519
psa_status_t psa_crypto_driver_pake_get_user_len(
8520
    const psa_crypto_driver_pake_inputs_t *inputs,
8521
    size_t *user_len)
8522
0
{
8523
0
    if (inputs->user_len == 0) {
8524
0
        return PSA_ERROR_BAD_STATE;
8525
0
    }
8526
8527
0
    *user_len = inputs->user_len;
8528
8529
0
    return PSA_SUCCESS;
8530
0
}
8531
8532
psa_status_t psa_crypto_driver_pake_get_user(
8533
    const psa_crypto_driver_pake_inputs_t *inputs,
8534
    uint8_t *user_id, size_t user_id_size, size_t *user_id_len)
8535
0
{
8536
0
    if (inputs->user_len == 0) {
8537
0
        return PSA_ERROR_BAD_STATE;
8538
0
    }
8539
8540
0
    if (user_id_size < inputs->user_len) {
8541
0
        return PSA_ERROR_BUFFER_TOO_SMALL;
8542
0
    }
8543
8544
0
    memcpy(user_id, inputs->user, inputs->user_len);
8545
0
    *user_id_len = inputs->user_len;
8546
8547
0
    return PSA_SUCCESS;
8548
0
}
8549
8550
psa_status_t psa_crypto_driver_pake_get_peer_len(
8551
    const psa_crypto_driver_pake_inputs_t *inputs,
8552
    size_t *peer_len)
8553
0
{
8554
0
    if (inputs->peer_len == 0) {
8555
0
        return PSA_ERROR_BAD_STATE;
8556
0
    }
8557
8558
0
    *peer_len = inputs->peer_len;
8559
8560
0
    return PSA_SUCCESS;
8561
0
}
8562
8563
psa_status_t psa_crypto_driver_pake_get_peer(
8564
    const psa_crypto_driver_pake_inputs_t *inputs,
8565
    uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length)
8566
0
{
8567
0
    if (inputs->peer_len == 0) {
8568
0
        return PSA_ERROR_BAD_STATE;
8569
0
    }
8570
8571
0
    if (peer_id_size < inputs->peer_len) {
8572
0
        return PSA_ERROR_BUFFER_TOO_SMALL;
8573
0
    }
8574
8575
0
    memcpy(peer_id, inputs->peer, inputs->peer_len);
8576
0
    *peer_id_length = inputs->peer_len;
8577
8578
0
    return PSA_SUCCESS;
8579
0
}
8580
8581
psa_status_t psa_crypto_driver_pake_get_cipher_suite(
8582
    const psa_crypto_driver_pake_inputs_t *inputs,
8583
    psa_pake_cipher_suite_t *cipher_suite)
8584
0
{
8585
0
    if (inputs->cipher_suite.algorithm == PSA_ALG_NONE) {
8586
0
        return PSA_ERROR_BAD_STATE;
8587
0
    }
8588
8589
0
    *cipher_suite = inputs->cipher_suite;
8590
8591
0
    return PSA_SUCCESS;
8592
0
}
8593
8594
psa_status_t psa_pake_setup(
8595
    psa_pake_operation_t *operation,
8596
    const psa_pake_cipher_suite_t *cipher_suite)
8597
0
{
8598
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8599
8600
0
    if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) {
8601
0
        status = PSA_ERROR_BAD_STATE;
8602
0
        goto exit;
8603
0
    }
8604
8605
0
    if (PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 ||
8606
0
        PSA_ALG_IS_HASH(cipher_suite->hash) == 0) {
8607
0
        status = PSA_ERROR_INVALID_ARGUMENT;
8608
0
        goto exit;
8609
0
    }
8610
8611
0
    memset(&operation->data.inputs, 0, sizeof(operation->data.inputs));
8612
8613
0
    operation->alg = cipher_suite->algorithm;
8614
0
    operation->primitive = PSA_PAKE_PRIMITIVE(cipher_suite->type,
8615
0
                                              cipher_suite->family, cipher_suite->bits);
8616
0
    operation->data.inputs.cipher_suite = *cipher_suite;
8617
8618
0
#if defined(PSA_WANT_ALG_JPAKE)
8619
0
    if (operation->alg == PSA_ALG_JPAKE) {
8620
0
        psa_jpake_computation_stage_t *computation_stage =
8621
0
            &operation->computation_stage.jpake;
8622
8623
0
        memset(computation_stage, 0, sizeof(*computation_stage));
8624
0
        computation_stage->step = PSA_PAKE_STEP_KEY_SHARE;
8625
0
    } else
8626
0
#endif /* PSA_WANT_ALG_JPAKE */
8627
0
    {
8628
0
        status = PSA_ERROR_NOT_SUPPORTED;
8629
0
        goto exit;
8630
0
    }
8631
8632
0
    operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS;
8633
8634
0
    return PSA_SUCCESS;
8635
0
exit:
8636
0
    psa_pake_abort(operation);
8637
0
    return status;
8638
0
}
8639
8640
psa_status_t psa_pake_set_password_key(
8641
    psa_pake_operation_t *operation,
8642
    mbedtls_svc_key_id_t password)
8643
0
{
8644
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8645
0
    psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
8646
0
    psa_key_slot_t *slot = NULL;
8647
0
    psa_key_type_t type;
8648
8649
0
    if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8650
0
        status = PSA_ERROR_BAD_STATE;
8651
0
        goto exit;
8652
0
    }
8653
8654
0
    status = psa_get_and_lock_key_slot_with_policy(password, &slot,
8655
0
                                                   PSA_KEY_USAGE_DERIVE,
8656
0
                                                   operation->alg);
8657
0
    if (status != PSA_SUCCESS) {
8658
0
        goto exit;
8659
0
    }
8660
8661
0
    type = psa_get_key_type(&slot->attr);
8662
8663
0
    if (type != PSA_KEY_TYPE_PASSWORD &&
8664
0
        type != PSA_KEY_TYPE_PASSWORD_HASH) {
8665
0
        status = PSA_ERROR_INVALID_ARGUMENT;
8666
0
        goto exit;
8667
0
    }
8668
8669
0
    operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes);
8670
0
    if (operation->data.inputs.password == NULL) {
8671
0
        status = PSA_ERROR_INSUFFICIENT_MEMORY;
8672
0
        goto exit;
8673
0
    }
8674
8675
0
    memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes);
8676
0
    operation->data.inputs.password_len = slot->key.bytes;
8677
0
    operation->data.inputs.attributes = slot->attr;
8678
8679
0
exit:
8680
0
    if (status != PSA_SUCCESS) {
8681
0
        psa_pake_abort(operation);
8682
0
    }
8683
0
    unlock_status = psa_unregister_read_under_mutex(slot);
8684
0
    return (status == PSA_SUCCESS) ? unlock_status : status;
8685
0
}
8686
8687
psa_status_t psa_pake_set_user(
8688
    psa_pake_operation_t *operation,
8689
    const uint8_t *user_id_external,
8690
    size_t user_id_len)
8691
0
{
8692
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8693
0
    LOCAL_INPUT_DECLARE(user_id_external, user_id);
8694
8695
0
    if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8696
0
        status = PSA_ERROR_BAD_STATE;
8697
0
        goto exit;
8698
0
    }
8699
8700
0
    if (user_id_len == 0) {
8701
0
        status = PSA_ERROR_INVALID_ARGUMENT;
8702
0
        goto exit;
8703
0
    }
8704
8705
0
    if (operation->data.inputs.user_len != 0) {
8706
0
        status = PSA_ERROR_BAD_STATE;
8707
0
        goto exit;
8708
0
    }
8709
8710
0
    operation->data.inputs.user = mbedtls_calloc(1, user_id_len);
8711
0
    if (operation->data.inputs.user == NULL) {
8712
0
        status = PSA_ERROR_INSUFFICIENT_MEMORY;
8713
0
        goto exit;
8714
0
    }
8715
8716
0
    LOCAL_INPUT_ALLOC(user_id_external, user_id_len, user_id);
8717
8718
0
    memcpy(operation->data.inputs.user, user_id, user_id_len);
8719
0
    operation->data.inputs.user_len = user_id_len;
8720
8721
0
    status = PSA_SUCCESS;
8722
8723
0
exit:
8724
0
    LOCAL_INPUT_FREE(user_id_external, user_id);
8725
0
    if (status != PSA_SUCCESS) {
8726
0
        psa_pake_abort(operation);
8727
0
    }
8728
0
    return status;
8729
0
}
8730
8731
psa_status_t psa_pake_set_peer(
8732
    psa_pake_operation_t *operation,
8733
    const uint8_t *peer_id_external,
8734
    size_t peer_id_len)
8735
0
{
8736
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8737
0
    LOCAL_INPUT_DECLARE(peer_id_external, peer_id);
8738
8739
0
    if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8740
0
        status = PSA_ERROR_BAD_STATE;
8741
0
        goto exit;
8742
0
    }
8743
8744
0
    if (peer_id_len == 0) {
8745
0
        status = PSA_ERROR_INVALID_ARGUMENT;
8746
0
        goto exit;
8747
0
    }
8748
8749
0
    if (operation->data.inputs.peer_len != 0) {
8750
0
        status = PSA_ERROR_BAD_STATE;
8751
0
        goto exit;
8752
0
    }
8753
8754
0
    operation->data.inputs.peer = mbedtls_calloc(1, peer_id_len);
8755
0
    if (operation->data.inputs.peer == NULL) {
8756
0
        status = PSA_ERROR_INSUFFICIENT_MEMORY;
8757
0
        goto exit;
8758
0
    }
8759
8760
0
    LOCAL_INPUT_ALLOC(peer_id_external, peer_id_len, peer_id);
8761
8762
0
    memcpy(operation->data.inputs.peer, peer_id, peer_id_len);
8763
0
    operation->data.inputs.peer_len = peer_id_len;
8764
8765
0
    status = PSA_SUCCESS;
8766
8767
0
exit:
8768
0
    LOCAL_INPUT_FREE(peer_id_external, peer_id);
8769
0
    if (status != PSA_SUCCESS) {
8770
0
        psa_pake_abort(operation);
8771
0
    }
8772
0
    return status;
8773
0
}
8774
8775
psa_status_t psa_pake_set_role(
8776
    psa_pake_operation_t *operation,
8777
    psa_pake_role_t role)
8778
0
{
8779
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8780
8781
0
    if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8782
0
        status = PSA_ERROR_BAD_STATE;
8783
0
        goto exit;
8784
0
    }
8785
8786
0
    switch (operation->alg) {
8787
0
#if defined(PSA_WANT_ALG_JPAKE)
8788
0
        case PSA_ALG_JPAKE:
8789
0
            if (role == PSA_PAKE_ROLE_NONE) {
8790
0
                return PSA_SUCCESS;
8791
0
            }
8792
0
            status = PSA_ERROR_INVALID_ARGUMENT;
8793
0
            break;
8794
0
#endif
8795
0
        default:
8796
0
            (void) role;
8797
0
            status = PSA_ERROR_NOT_SUPPORTED;
8798
0
            goto exit;
8799
0
    }
8800
0
exit:
8801
0
    psa_pake_abort(operation);
8802
0
    return status;
8803
0
}
8804
8805
/* Auxiliary function to convert core computation stage to single driver step. */
8806
#if defined(PSA_WANT_ALG_JPAKE)
8807
static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step(
8808
    psa_jpake_computation_stage_t *stage)
8809
0
{
8810
0
    psa_crypto_driver_pake_step_t key_share_step;
8811
0
    if (stage->round == PSA_JPAKE_FIRST) {
8812
0
        int is_x1;
8813
8814
0
        if (stage->io_mode == PSA_JPAKE_OUTPUT) {
8815
0
            is_x1 = (stage->outputs < 1);
8816
0
        } else {
8817
0
            is_x1 = (stage->inputs < 1);
8818
0
        }
8819
8820
0
        key_share_step = is_x1 ?
8821
0
                         PSA_JPAKE_X1_STEP_KEY_SHARE :
8822
0
                         PSA_JPAKE_X2_STEP_KEY_SHARE;
8823
0
    } else if (stage->round == PSA_JPAKE_SECOND) {
8824
0
        key_share_step = (stage->io_mode == PSA_JPAKE_OUTPUT) ?
8825
0
                         PSA_JPAKE_X2S_STEP_KEY_SHARE :
8826
0
                         PSA_JPAKE_X4S_STEP_KEY_SHARE;
8827
0
    } else {
8828
0
        return PSA_JPAKE_STEP_INVALID;
8829
0
    }
8830
0
    return (psa_crypto_driver_pake_step_t) (key_share_step + stage->step - PSA_PAKE_STEP_KEY_SHARE);
8831
0
}
8832
#endif /* PSA_WANT_ALG_JPAKE */
8833
8834
static psa_status_t psa_pake_complete_inputs(
8835
    psa_pake_operation_t *operation)
8836
0
{
8837
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8838
    /* Create copy of the inputs on stack as inputs share memory
8839
       with the driver context which will be setup by the driver. */
8840
0
    psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs;
8841
8842
0
    if (inputs.password_len == 0) {
8843
0
        return PSA_ERROR_BAD_STATE;
8844
0
    }
8845
8846
0
    if (operation->alg == PSA_ALG_JPAKE) {
8847
0
        if (inputs.user_len == 0 || inputs.peer_len == 0) {
8848
0
            return PSA_ERROR_BAD_STATE;
8849
0
        }
8850
0
    }
8851
8852
    /* Clear driver context */
8853
0
    mbedtls_platform_zeroize(&operation->data, sizeof(operation->data));
8854
8855
0
    status = psa_driver_wrapper_pake_setup(operation, &inputs);
8856
8857
    /* Driver is responsible for creating its own copy of the password. */
8858
0
    mbedtls_zeroize_and_free(inputs.password, inputs.password_len);
8859
8860
    /* User and peer are translated to role. */
8861
0
    mbedtls_free(inputs.user);
8862
0
    mbedtls_free(inputs.peer);
8863
8864
0
    if (status == PSA_SUCCESS) {
8865
0
#if defined(PSA_WANT_ALG_JPAKE)
8866
0
        if (operation->alg == PSA_ALG_JPAKE) {
8867
0
            operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;
8868
0
        } else
8869
0
#endif /* PSA_WANT_ALG_JPAKE */
8870
0
        {
8871
0
            status = PSA_ERROR_NOT_SUPPORTED;
8872
0
        }
8873
0
    }
8874
0
    return status;
8875
0
}
8876
8877
#if defined(PSA_WANT_ALG_JPAKE)
8878
static psa_status_t psa_jpake_prologue(
8879
    psa_pake_operation_t *operation,
8880
    psa_pake_step_t step,
8881
    psa_jpake_io_mode_t io_mode)
8882
0
{
8883
0
    if (step != PSA_PAKE_STEP_KEY_SHARE &&
8884
0
        step != PSA_PAKE_STEP_ZK_PUBLIC &&
8885
0
        step != PSA_PAKE_STEP_ZK_PROOF) {
8886
0
        return PSA_ERROR_INVALID_ARGUMENT;
8887
0
    }
8888
8889
0
    psa_jpake_computation_stage_t *computation_stage =
8890
0
        &operation->computation_stage.jpake;
8891
8892
0
    if (computation_stage->round != PSA_JPAKE_FIRST &&
8893
0
        computation_stage->round != PSA_JPAKE_SECOND) {
8894
0
        return PSA_ERROR_BAD_STATE;
8895
0
    }
8896
8897
    /* Check that the step we are given is the one we were expecting */
8898
0
    if (step != computation_stage->step) {
8899
0
        return PSA_ERROR_BAD_STATE;
8900
0
    }
8901
8902
0
    if (step == PSA_PAKE_STEP_KEY_SHARE &&
8903
0
        computation_stage->inputs == 0 &&
8904
0
        computation_stage->outputs == 0) {
8905
        /* Start of the round, so function decides whether we are inputting
8906
         * or outputting */
8907
0
        computation_stage->io_mode = io_mode;
8908
0
    } else if (computation_stage->io_mode != io_mode) {
8909
        /* Middle of the round so the mode we are in must match the function
8910
         * called by the user */
8911
0
        return PSA_ERROR_BAD_STATE;
8912
0
    }
8913
8914
0
    return PSA_SUCCESS;
8915
0
}
8916
8917
static psa_status_t psa_jpake_epilogue(
8918
    psa_pake_operation_t *operation,
8919
    psa_jpake_io_mode_t io_mode)
8920
0
{
8921
0
    psa_jpake_computation_stage_t *stage =
8922
0
        &operation->computation_stage.jpake;
8923
8924
0
    if (stage->step == PSA_PAKE_STEP_ZK_PROOF) {
8925
        /* End of an input/output */
8926
0
        if (io_mode == PSA_JPAKE_INPUT) {
8927
0
            stage->inputs++;
8928
0
            if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round)) {
8929
0
                stage->io_mode = PSA_JPAKE_OUTPUT;
8930
0
            }
8931
0
        }
8932
0
        if (io_mode == PSA_JPAKE_OUTPUT) {
8933
0
            stage->outputs++;
8934
0
            if (stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
8935
0
                stage->io_mode = PSA_JPAKE_INPUT;
8936
0
            }
8937
0
        }
8938
0
        if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round) &&
8939
0
            stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
8940
            /* End of a round, move to the next round */
8941
0
            stage->inputs = 0;
8942
0
            stage->outputs = 0;
8943
0
            stage->round++;
8944
0
        }
8945
0
        stage->step = PSA_PAKE_STEP_KEY_SHARE;
8946
0
    } else {
8947
0
        stage->step++;
8948
0
    }
8949
0
    return PSA_SUCCESS;
8950
0
}
8951
8952
#endif /* PSA_WANT_ALG_JPAKE */
8953
8954
psa_status_t psa_pake_output(
8955
    psa_pake_operation_t *operation,
8956
    psa_pake_step_t step,
8957
    uint8_t *output_external,
8958
    size_t output_size,
8959
    size_t *output_length)
8960
0
{
8961
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8962
0
    psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
8963
0
    LOCAL_OUTPUT_DECLARE(output_external, output);
8964
0
    *output_length = 0;
8965
8966
0
    if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8967
0
        status = psa_pake_complete_inputs(operation);
8968
0
        if (status != PSA_SUCCESS) {
8969
0
            goto exit;
8970
0
        }
8971
0
    }
8972
8973
0
    if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
8974
0
        status = PSA_ERROR_BAD_STATE;
8975
0
        goto exit;
8976
0
    }
8977
8978
0
    if (output_size == 0) {
8979
0
        status = PSA_ERROR_INVALID_ARGUMENT;
8980
0
        goto exit;
8981
0
    }
8982
8983
0
    switch (operation->alg) {
8984
0
#if defined(PSA_WANT_ALG_JPAKE)
8985
0
        case PSA_ALG_JPAKE:
8986
0
            status = psa_jpake_prologue(operation, step, PSA_JPAKE_OUTPUT);
8987
0
            if (status != PSA_SUCCESS) {
8988
0
                goto exit;
8989
0
            }
8990
0
            driver_step = convert_jpake_computation_stage_to_driver_step(
8991
0
                &operation->computation_stage.jpake);
8992
0
            break;
8993
0
#endif /* PSA_WANT_ALG_JPAKE */
8994
0
        default:
8995
0
            (void) step;
8996
0
            status = PSA_ERROR_NOT_SUPPORTED;
8997
0
            goto exit;
8998
0
    }
8999
9000
0
    LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
9001
9002
0
    status = psa_driver_wrapper_pake_output(operation, driver_step,
9003
0
                                            output, output_size, output_length);
9004
9005
0
    if (status != PSA_SUCCESS) {
9006
0
        goto exit;
9007
0
    }
9008
9009
0
    switch (operation->alg) {
9010
0
#if defined(PSA_WANT_ALG_JPAKE)
9011
0
        case PSA_ALG_JPAKE:
9012
0
            status = psa_jpake_epilogue(operation, PSA_JPAKE_OUTPUT);
9013
0
            if (status != PSA_SUCCESS) {
9014
0
                goto exit;
9015
0
            }
9016
0
            break;
9017
0
#endif /* PSA_WANT_ALG_JPAKE */
9018
0
        default:
9019
0
            status = PSA_ERROR_NOT_SUPPORTED;
9020
0
            goto exit;
9021
0
    }
9022
9023
0
exit:
9024
0
    LOCAL_OUTPUT_FREE(output_external, output);
9025
0
    if (status != PSA_SUCCESS) {
9026
0
        psa_pake_abort(operation);
9027
0
    }
9028
0
    return status;
9029
0
}
9030
9031
psa_status_t psa_pake_input(
9032
    psa_pake_operation_t *operation,
9033
    psa_pake_step_t step,
9034
    const uint8_t *input_external,
9035
    size_t input_length)
9036
0
{
9037
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
9038
0
    psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
9039
0
    const size_t max_input_length = (size_t) PSA_PAKE_INPUT_SIZE(operation->alg,
9040
0
                                                                 operation->primitive,
9041
0
                                                                 step);
9042
0
    LOCAL_INPUT_DECLARE(input_external, input);
9043
9044
0
    if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
9045
0
        status = psa_pake_complete_inputs(operation);
9046
0
        if (status != PSA_SUCCESS) {
9047
0
            goto exit;
9048
0
        }
9049
0
    }
9050
9051
0
    if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
9052
0
        status =  PSA_ERROR_BAD_STATE;
9053
0
        goto exit;
9054
0
    }
9055
9056
0
    if (input_length == 0 || input_length > max_input_length) {
9057
0
        status = PSA_ERROR_INVALID_ARGUMENT;
9058
0
        goto exit;
9059
0
    }
9060
9061
0
    switch (operation->alg) {
9062
0
#if defined(PSA_WANT_ALG_JPAKE)
9063
0
        case PSA_ALG_JPAKE:
9064
0
            status = psa_jpake_prologue(operation, step, PSA_JPAKE_INPUT);
9065
0
            if (status != PSA_SUCCESS) {
9066
0
                goto exit;
9067
0
            }
9068
0
            driver_step = convert_jpake_computation_stage_to_driver_step(
9069
0
                &operation->computation_stage.jpake);
9070
0
            break;
9071
0
#endif /* PSA_WANT_ALG_JPAKE */
9072
0
        default:
9073
0
            (void) step;
9074
0
            status = PSA_ERROR_NOT_SUPPORTED;
9075
0
            goto exit;
9076
0
    }
9077
9078
0
    LOCAL_INPUT_ALLOC(input_external, input_length, input);
9079
0
    status = psa_driver_wrapper_pake_input(operation, driver_step,
9080
0
                                           input, input_length);
9081
9082
0
    if (status != PSA_SUCCESS) {
9083
0
        goto exit;
9084
0
    }
9085
9086
0
    switch (operation->alg) {
9087
0
#if defined(PSA_WANT_ALG_JPAKE)
9088
0
        case PSA_ALG_JPAKE:
9089
0
            status = psa_jpake_epilogue(operation, PSA_JPAKE_INPUT);
9090
0
            if (status != PSA_SUCCESS) {
9091
0
                goto exit;
9092
0
            }
9093
0
            break;
9094
0
#endif /* PSA_WANT_ALG_JPAKE */
9095
0
        default:
9096
0
            status = PSA_ERROR_NOT_SUPPORTED;
9097
0
            goto exit;
9098
0
    }
9099
9100
0
exit:
9101
0
    LOCAL_INPUT_FREE(input_external, input);
9102
0
    if (status != PSA_SUCCESS) {
9103
0
        psa_pake_abort(operation);
9104
0
    }
9105
0
    return status;
9106
0
}
9107
9108
psa_status_t psa_pake_get_implicit_key(
9109
    psa_pake_operation_t *operation,
9110
    psa_key_derivation_operation_t *output)
9111
0
{
9112
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
9113
0
    psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
9114
0
    uint8_t shared_key[MBEDTLS_PSA_JPAKE_BUFFER_SIZE];
9115
0
    size_t shared_key_len = 0;
9116
9117
0
    if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
9118
0
        status = PSA_ERROR_BAD_STATE;
9119
0
        goto exit;
9120
0
    }
9121
9122
0
#if defined(PSA_WANT_ALG_JPAKE)
9123
0
    if (operation->alg == PSA_ALG_JPAKE) {
9124
0
        psa_jpake_computation_stage_t *computation_stage =
9125
0
            &operation->computation_stage.jpake;
9126
0
        if (computation_stage->round != PSA_JPAKE_FINISHED) {
9127
0
            status = PSA_ERROR_BAD_STATE;
9128
0
            goto exit;
9129
0
        }
9130
0
    } else
9131
0
#endif /* PSA_WANT_ALG_JPAKE */
9132
0
    {
9133
0
        status = PSA_ERROR_NOT_SUPPORTED;
9134
0
        goto exit;
9135
0
    }
9136
9137
0
    status = psa_driver_wrapper_pake_get_implicit_key(operation,
9138
0
                                                      shared_key,
9139
0
                                                      sizeof(shared_key),
9140
0
                                                      &shared_key_len);
9141
9142
0
    if (status != PSA_SUCCESS) {
9143
0
        goto exit;
9144
0
    }
9145
9146
0
    status = psa_key_derivation_input_bytes(output,
9147
0
                                            PSA_KEY_DERIVATION_INPUT_SECRET,
9148
0
                                            shared_key,
9149
0
                                            shared_key_len);
9150
9151
0
    mbedtls_platform_zeroize(shared_key, sizeof(shared_key));
9152
0
exit:
9153
0
    abort_status = psa_pake_abort(operation);
9154
0
    return status == PSA_SUCCESS ? abort_status : status;
9155
0
}
9156
9157
psa_status_t psa_pake_abort(
9158
    psa_pake_operation_t *operation)
9159
0
{
9160
0
    psa_status_t status = PSA_SUCCESS;
9161
9162
0
    if (operation->stage == PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
9163
0
        status = psa_driver_wrapper_pake_abort(operation);
9164
0
    }
9165
9166
0
    if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
9167
0
        if (operation->data.inputs.password != NULL) {
9168
0
            mbedtls_zeroize_and_free(operation->data.inputs.password,
9169
0
                                     operation->data.inputs.password_len);
9170
0
        }
9171
0
        if (operation->data.inputs.user != NULL) {
9172
0
            mbedtls_free(operation->data.inputs.user);
9173
0
        }
9174
0
        if (operation->data.inputs.peer != NULL) {
9175
0
            mbedtls_free(operation->data.inputs.peer);
9176
0
        }
9177
0
    }
9178
0
    memset(operation, 0, sizeof(psa_pake_operation_t));
9179
9180
0
    return status;
9181
0
}
9182
#endif /* PSA_WANT_ALG_SOME_PAKE */
9183
9184
/* Memory copying test hooks. These are called before input copy, after input
9185
 * copy, before output copy and after output copy, respectively.
9186
 * They are used by memory-poisoning tests to temporarily unpoison buffers
9187
 * while they are copied. */
9188
#if defined(MBEDTLS_TEST_HOOKS)
9189
void (*psa_input_pre_copy_hook)(const uint8_t *input, size_t input_len) = NULL;
9190
void (*psa_input_post_copy_hook)(const uint8_t *input, size_t input_len) = NULL;
9191
void (*psa_output_pre_copy_hook)(const uint8_t *output, size_t output_len) = NULL;
9192
void (*psa_output_post_copy_hook)(const uint8_t *output, size_t output_len) = NULL;
9193
#endif
9194
9195
/** Copy from an input buffer to a local copy.
9196
 *
9197
 * \param[in] input             Pointer to input buffer.
9198
 * \param[in] input_len         Length of the input buffer.
9199
 * \param[out] input_copy       Pointer to a local copy in which to store the input data.
9200
 * \param[out] input_copy_len   Length of the local copy buffer.
9201
 * \return                      #PSA_SUCCESS, if the buffer was successfully
9202
 *                              copied.
9203
 * \return                      #PSA_ERROR_CORRUPTION_DETECTED, if the local
9204
 *                              copy is too small to hold contents of the
9205
 *                              input buffer.
9206
 */
9207
MBEDTLS_STATIC_TESTABLE
9208
psa_status_t psa_crypto_copy_input(const uint8_t *input, size_t input_len,
9209
                                   uint8_t *input_copy, size_t input_copy_len)
9210
0
{
9211
0
    if (input_len > input_copy_len) {
9212
0
        return PSA_ERROR_CORRUPTION_DETECTED;
9213
0
    }
9214
9215
0
#if defined(MBEDTLS_TEST_HOOKS)
9216
0
    if (psa_input_pre_copy_hook != NULL) {
9217
0
        psa_input_pre_copy_hook(input, input_len);
9218
0
    }
9219
0
#endif
9220
9221
0
    if (input_len > 0) {
9222
0
        memcpy(input_copy, input, input_len);
9223
0
    }
9224
9225
0
#if defined(MBEDTLS_TEST_HOOKS)
9226
0
    if (psa_input_post_copy_hook != NULL) {
9227
0
        psa_input_post_copy_hook(input, input_len);
9228
0
    }
9229
0
#endif
9230
9231
0
    return PSA_SUCCESS;
9232
0
}
9233
9234
/** Copy from a local output buffer into a user-supplied one.
9235
 *
9236
 * \param[in] output_copy       Pointer to a local buffer containing the output.
9237
 * \param[in] output_copy_len   Length of the local buffer.
9238
 * \param[out] output           Pointer to user-supplied output buffer.
9239
 * \param[out] output_len       Length of the user-supplied output buffer.
9240
 * \return                      #PSA_SUCCESS, if the buffer was successfully
9241
 *                              copied.
9242
 * \return                      #PSA_ERROR_BUFFER_TOO_SMALL, if the
9243
 *                              user-supplied output buffer is too small to
9244
 *                              hold the contents of the local buffer.
9245
 */
9246
MBEDTLS_STATIC_TESTABLE
9247
psa_status_t psa_crypto_copy_output(const uint8_t *output_copy, size_t output_copy_len,
9248
                                    uint8_t *output, size_t output_len)
9249
0
{
9250
0
    if (output_len < output_copy_len) {
9251
0
        return PSA_ERROR_BUFFER_TOO_SMALL;
9252
0
    }
9253
9254
0
#if defined(MBEDTLS_TEST_HOOKS)
9255
0
    if (psa_output_pre_copy_hook != NULL) {
9256
0
        psa_output_pre_copy_hook(output, output_len);
9257
0
    }
9258
0
#endif
9259
9260
0
    if (output_copy_len > 0) {
9261
0
        memcpy(output, output_copy, output_copy_len);
9262
0
    }
9263
9264
0
#if defined(MBEDTLS_TEST_HOOKS)
9265
0
    if (psa_output_post_copy_hook != NULL) {
9266
0
        psa_output_post_copy_hook(output, output_len);
9267
0
    }
9268
0
#endif
9269
9270
0
    return PSA_SUCCESS;
9271
0
}
9272
9273
psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len,
9274
                                          psa_crypto_local_input_t *local_input)
9275
0
{
9276
0
    psa_status_t status;
9277
9278
0
    *local_input = PSA_CRYPTO_LOCAL_INPUT_INIT;
9279
9280
0
    if (input_len == 0) {
9281
0
        return PSA_SUCCESS;
9282
0
    }
9283
9284
0
    local_input->buffer = mbedtls_calloc(input_len, 1);
9285
0
    if (local_input->buffer == NULL) {
9286
        /* Since we dealt with the zero-length case above, we know that
9287
         * a NULL return value means a failure of allocation. */
9288
0
        return PSA_ERROR_INSUFFICIENT_MEMORY;
9289
0
    }
9290
    /* From now on, we must free local_input->buffer on error. */
9291
9292
0
    local_input->length = input_len;
9293
9294
0
    status = psa_crypto_copy_input(input, input_len,
9295
0
                                   local_input->buffer, local_input->length);
9296
0
    if (status != PSA_SUCCESS) {
9297
0
        goto error;
9298
0
    }
9299
9300
0
    return PSA_SUCCESS;
9301
9302
0
error:
9303
0
    mbedtls_free(local_input->buffer);
9304
0
    local_input->buffer = NULL;
9305
0
    local_input->length = 0;
9306
0
    return status;
9307
0
}
9308
9309
void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input)
9310
0
{
9311
0
    mbedtls_free(local_input->buffer);
9312
0
    local_input->buffer = NULL;
9313
0
    local_input->length = 0;
9314
0
}
9315
9316
psa_status_t psa_crypto_local_output_alloc(uint8_t *output, size_t output_len,
9317
                                           psa_crypto_local_output_t *local_output)
9318
0
{
9319
0
    *local_output = PSA_CRYPTO_LOCAL_OUTPUT_INIT;
9320
9321
0
    if (output_len == 0) {
9322
0
        return PSA_SUCCESS;
9323
0
    }
9324
0
    local_output->buffer = mbedtls_calloc(output_len, 1);
9325
0
    if (local_output->buffer == NULL) {
9326
        /* Since we dealt with the zero-length case above, we know that
9327
         * a NULL return value means a failure of allocation. */
9328
0
        return PSA_ERROR_INSUFFICIENT_MEMORY;
9329
0
    }
9330
0
    local_output->length = output_len;
9331
0
    local_output->original = output;
9332
9333
0
    return PSA_SUCCESS;
9334
0
}
9335
9336
psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_output)
9337
0
{
9338
0
    psa_status_t status;
9339
9340
0
    if (local_output->buffer == NULL) {
9341
0
        local_output->length = 0;
9342
0
        return PSA_SUCCESS;
9343
0
    }
9344
0
    if (local_output->original == NULL) {
9345
        /* We have an internal copy but nothing to copy back to. */
9346
0
        return PSA_ERROR_CORRUPTION_DETECTED;
9347
0
    }
9348
9349
0
    status = psa_crypto_copy_output(local_output->buffer, local_output->length,
9350
0
                                    local_output->original, local_output->length);
9351
0
    if (status != PSA_SUCCESS) {
9352
0
        return status;
9353
0
    }
9354
9355
0
    mbedtls_free(local_output->buffer);
9356
0
    local_output->buffer = NULL;
9357
0
    local_output->length = 0;
9358
9359
0
    return PSA_SUCCESS;
9360
0
}
9361
9362
#endif /* MBEDTLS_PSA_CRYPTO_C */