1 /*
2 * PSA MAC layer on top of Mbed TLS software crypto
3 */
4 /*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_PSA_CRYPTO_C)
24
25 #include <psa/crypto.h>
26 #include "psa_crypto_core.h"
27 #include "psa_crypto_mac.h"
28 #include <mbedtls/md.h>
29
30 #include <mbedtls/error.h>
31 #include <string.h>
32
33 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
psa_hmac_abort_internal(mbedtls_psa_hmac_operation_t * hmac)34 static psa_status_t psa_hmac_abort_internal(
35 mbedtls_psa_hmac_operation_t *hmac )
36 {
37 mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) );
38 return( psa_hash_abort( &hmac->hash_ctx ) );
39 }
40
psa_hmac_setup_internal(mbedtls_psa_hmac_operation_t * hmac,const uint8_t * key,size_t key_length,psa_algorithm_t hash_alg)41 static psa_status_t psa_hmac_setup_internal(
42 mbedtls_psa_hmac_operation_t *hmac,
43 const uint8_t *key,
44 size_t key_length,
45 psa_algorithm_t hash_alg )
46 {
47 uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
48 size_t i;
49 size_t hash_size = PSA_HASH_LENGTH( hash_alg );
50 size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
51 psa_status_t status;
52
53 hmac->alg = hash_alg;
54
55 /* Sanity checks on block_size, to guarantee that there won't be a buffer
56 * overflow below. This should never trigger if the hash algorithm
57 * is implemented correctly. */
58 /* The size checks against the ipad and opad buffers cannot be written
59 * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
60 * because that triggers -Wlogical-op on GCC 7.3. */
61 if( block_size > sizeof( ipad ) )
62 return( PSA_ERROR_NOT_SUPPORTED );
63 if( block_size > sizeof( hmac->opad ) )
64 return( PSA_ERROR_NOT_SUPPORTED );
65 if( block_size < hash_size )
66 return( PSA_ERROR_NOT_SUPPORTED );
67
68 if( key_length > block_size )
69 {
70 status = psa_hash_compute( hash_alg, key, key_length,
71 ipad, sizeof( ipad ), &key_length );
72 if( status != PSA_SUCCESS )
73 goto cleanup;
74 }
75 /* A 0-length key is not commonly used in HMAC when used as a MAC,
76 * but it is permitted. It is common when HMAC is used in HKDF, for
77 * example. Don't call `memcpy` in the 0-length because `key` could be
78 * an invalid pointer which would make the behavior undefined. */
79 else if( key_length != 0 )
80 memcpy( ipad, key, key_length );
81
82 /* ipad contains the key followed by garbage. Xor and fill with 0x36
83 * to create the ipad value. */
84 for( i = 0; i < key_length; i++ )
85 ipad[i] ^= 0x36;
86 memset( ipad + key_length, 0x36, block_size - key_length );
87
88 /* Copy the key material from ipad to opad, flipping the requisite bits,
89 * and filling the rest of opad with the requisite constant. */
90 for( i = 0; i < key_length; i++ )
91 hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
92 memset( hmac->opad + key_length, 0x5C, block_size - key_length );
93
94 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
95 if( status != PSA_SUCCESS )
96 goto cleanup;
97
98 status = psa_hash_update( &hmac->hash_ctx, ipad, block_size );
99
100 cleanup:
101 mbedtls_platform_zeroize( ipad, sizeof( ipad ) );
102
103 return( status );
104 }
105
psa_hmac_update_internal(mbedtls_psa_hmac_operation_t * hmac,const uint8_t * data,size_t data_length)106 static psa_status_t psa_hmac_update_internal(
107 mbedtls_psa_hmac_operation_t *hmac,
108 const uint8_t *data,
109 size_t data_length )
110 {
111 return( psa_hash_update( &hmac->hash_ctx, data, data_length ) );
112 }
113
psa_hmac_finish_internal(mbedtls_psa_hmac_operation_t * hmac,uint8_t * mac,size_t mac_size)114 static psa_status_t psa_hmac_finish_internal(
115 mbedtls_psa_hmac_operation_t *hmac,
116 uint8_t *mac,
117 size_t mac_size )
118 {
119 uint8_t tmp[PSA_HASH_MAX_SIZE];
120 psa_algorithm_t hash_alg = hmac->alg;
121 size_t hash_size = 0;
122 size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
123 psa_status_t status;
124
125 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
126 if( status != PSA_SUCCESS )
127 return( status );
128 /* From here on, tmp needs to be wiped. */
129
130 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
131 if( status != PSA_SUCCESS )
132 goto exit;
133
134 status = psa_hash_update( &hmac->hash_ctx, hmac->opad, block_size );
135 if( status != PSA_SUCCESS )
136 goto exit;
137
138 status = psa_hash_update( &hmac->hash_ctx, tmp, hash_size );
139 if( status != PSA_SUCCESS )
140 goto exit;
141
142 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
143 if( status != PSA_SUCCESS )
144 goto exit;
145
146 memcpy( mac, tmp, mac_size );
147
148 exit:
149 mbedtls_platform_zeroize( tmp, hash_size );
150 return( status );
151 }
152 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
153
154 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
cmac_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer)155 static psa_status_t cmac_setup( mbedtls_psa_mac_operation_t *operation,
156 const psa_key_attributes_t *attributes,
157 const uint8_t *key_buffer )
158 {
159 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
160
161 #if defined(PSA_WANT_KEY_TYPE_DES)
162 /* Mbed TLS CMAC does not accept 3DES with only two keys, nor does it accept
163 * to do CMAC with pure DES, so return NOT_SUPPORTED here. */
164 if( psa_get_key_type( attributes ) == PSA_KEY_TYPE_DES &&
165 ( psa_get_key_bits( attributes ) == 64 ||
166 psa_get_key_bits( attributes ) == 128 ) )
167 return( PSA_ERROR_NOT_SUPPORTED );
168 #endif
169
170 const mbedtls_cipher_info_t * cipher_info =
171 mbedtls_cipher_info_from_psa(
172 PSA_ALG_CMAC,
173 psa_get_key_type( attributes ),
174 psa_get_key_bits( attributes ),
175 NULL );
176
177 if( cipher_info == NULL )
178 return( PSA_ERROR_NOT_SUPPORTED );
179
180 ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info );
181 if( ret != 0 )
182 goto exit;
183
184 ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
185 key_buffer,
186 psa_get_key_bits( attributes ) );
187 exit:
188 return( mbedtls_to_psa_error( ret ) );
189 }
190 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
191
192 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \
193 defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
194
195 /* Initialize this driver's MAC operation structure. Once this function has been
196 * called, mbedtls_psa_mac_abort can run and will do the right thing. */
mac_init(mbedtls_psa_mac_operation_t * operation,psa_algorithm_t alg)197 static psa_status_t mac_init(
198 mbedtls_psa_mac_operation_t *operation,
199 psa_algorithm_t alg )
200 {
201 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
202
203 operation->alg = alg;
204
205 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
206 if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
207 {
208 mbedtls_cipher_init( &operation->ctx.cmac );
209 status = PSA_SUCCESS;
210 }
211 else
212 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
213 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
214 if( PSA_ALG_IS_HMAC( operation->alg ) )
215 {
216 /* We'll set up the hash operation later in psa_hmac_setup_internal. */
217 operation->ctx.hmac.alg = 0;
218 status = PSA_SUCCESS;
219 }
220 else
221 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
222 {
223 (void) operation;
224 status = PSA_ERROR_NOT_SUPPORTED;
225 }
226
227 if( status != PSA_SUCCESS )
228 memset( operation, 0, sizeof( *operation ) );
229 return( status );
230 }
231
mbedtls_psa_mac_abort(mbedtls_psa_mac_operation_t * operation)232 psa_status_t mbedtls_psa_mac_abort( mbedtls_psa_mac_operation_t *operation )
233 {
234 if( operation->alg == 0 )
235 {
236 /* The object has (apparently) been initialized but it is not
237 * in use. It's ok to call abort on such an object, and there's
238 * nothing to do. */
239 return( PSA_SUCCESS );
240 }
241 else
242 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
243 if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
244 {
245 mbedtls_cipher_free( &operation->ctx.cmac );
246 }
247 else
248 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
249 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
250 if( PSA_ALG_IS_HMAC( operation->alg ) )
251 {
252 psa_hmac_abort_internal( &operation->ctx.hmac );
253 }
254 else
255 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
256 {
257 /* Sanity check (shouldn't happen: operation->alg should
258 * always have been initialized to a valid value). */
259 goto bad_state;
260 }
261
262 operation->alg = 0;
263
264 return( PSA_SUCCESS );
265
266 bad_state:
267 /* If abort is called on an uninitialized object, we can't trust
268 * anything. Wipe the object in case it contains confidential data.
269 * This may result in a memory leak if a pointer gets overwritten,
270 * but it's too late to do anything about this. */
271 memset( operation, 0, sizeof( *operation ) );
272 return( PSA_ERROR_BAD_STATE );
273 }
274
psa_mac_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)275 static psa_status_t psa_mac_setup( mbedtls_psa_mac_operation_t *operation,
276 const psa_key_attributes_t *attributes,
277 const uint8_t *key_buffer,
278 size_t key_buffer_size,
279 psa_algorithm_t alg )
280 {
281 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
282
283 /* A context must be freshly initialized before it can be set up. */
284 if( operation->alg != 0 )
285 return( PSA_ERROR_BAD_STATE );
286
287 status = mac_init( operation, alg );
288 if( status != PSA_SUCCESS )
289 return( status );
290
291 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
292 if( PSA_ALG_FULL_LENGTH_MAC( alg ) == PSA_ALG_CMAC )
293 {
294 /* Key buffer size for CMAC is dictated by the key bits set on the
295 * attributes, and previously validated by the core on key import. */
296 (void) key_buffer_size;
297 status = cmac_setup( operation, attributes, key_buffer );
298 }
299 else
300 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
301 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
302 if( PSA_ALG_IS_HMAC( alg ) )
303 {
304 status = psa_hmac_setup_internal( &operation->ctx.hmac,
305 key_buffer,
306 key_buffer_size,
307 PSA_ALG_HMAC_GET_HASH( alg ) );
308 }
309 else
310 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
311 {
312 (void) attributes;
313 (void) key_buffer;
314 (void) key_buffer_size;
315 status = PSA_ERROR_NOT_SUPPORTED;
316 }
317
318 if( status != PSA_SUCCESS )
319 mbedtls_psa_mac_abort( operation );
320
321 return( status );
322 }
323
mbedtls_psa_mac_sign_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)324 psa_status_t mbedtls_psa_mac_sign_setup(
325 mbedtls_psa_mac_operation_t *operation,
326 const psa_key_attributes_t *attributes,
327 const uint8_t *key_buffer,
328 size_t key_buffer_size,
329 psa_algorithm_t alg )
330 {
331 return( psa_mac_setup( operation, attributes,
332 key_buffer, key_buffer_size, alg ) );
333 }
334
mbedtls_psa_mac_verify_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)335 psa_status_t mbedtls_psa_mac_verify_setup(
336 mbedtls_psa_mac_operation_t *operation,
337 const psa_key_attributes_t *attributes,
338 const uint8_t *key_buffer,
339 size_t key_buffer_size,
340 psa_algorithm_t alg )
341 {
342 return( psa_mac_setup( operation, attributes,
343 key_buffer, key_buffer_size, alg ) );
344 }
345
mbedtls_psa_mac_update(mbedtls_psa_mac_operation_t * operation,const uint8_t * input,size_t input_length)346 psa_status_t mbedtls_psa_mac_update(
347 mbedtls_psa_mac_operation_t *operation,
348 const uint8_t *input,
349 size_t input_length )
350 {
351 if( operation->alg == 0 )
352 return( PSA_ERROR_BAD_STATE );
353
354 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
355 if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
356 {
357 return( mbedtls_to_psa_error(
358 mbedtls_cipher_cmac_update( &operation->ctx.cmac,
359 input, input_length ) ) );
360 }
361 else
362 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
363 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
364 if( PSA_ALG_IS_HMAC( operation->alg ) )
365 {
366 return( psa_hmac_update_internal( &operation->ctx.hmac,
367 input, input_length ) );
368 }
369 else
370 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
371 {
372 /* This shouldn't happen if `operation` was initialized by
373 * a setup function. */
374 (void) input;
375 (void) input_length;
376 return( PSA_ERROR_BAD_STATE );
377 }
378 }
379
psa_mac_finish_internal(mbedtls_psa_mac_operation_t * operation,uint8_t * mac,size_t mac_size)380 static psa_status_t psa_mac_finish_internal(
381 mbedtls_psa_mac_operation_t *operation,
382 uint8_t *mac, size_t mac_size )
383 {
384 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
385 if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
386 {
387 uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE];
388 int ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, tmp );
389 if( ret == 0 )
390 memcpy( mac, tmp, mac_size );
391 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
392 return( mbedtls_to_psa_error( ret ) );
393 }
394 else
395 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
396 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
397 if( PSA_ALG_IS_HMAC( operation->alg ) )
398 {
399 return( psa_hmac_finish_internal( &operation->ctx.hmac,
400 mac, mac_size ) );
401 }
402 else
403 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
404 {
405 /* This shouldn't happen if `operation` was initialized by
406 * a setup function. */
407 (void) operation;
408 (void) mac;
409 (void) mac_size;
410 return( PSA_ERROR_BAD_STATE );
411 }
412 }
413
mbedtls_psa_mac_sign_finish(mbedtls_psa_mac_operation_t * operation,uint8_t * mac,size_t mac_size,size_t * mac_length)414 psa_status_t mbedtls_psa_mac_sign_finish(
415 mbedtls_psa_mac_operation_t *operation,
416 uint8_t *mac,
417 size_t mac_size,
418 size_t *mac_length )
419 {
420 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
421
422 if( operation->alg == 0 )
423 return( PSA_ERROR_BAD_STATE );
424
425 status = psa_mac_finish_internal( operation, mac, mac_size );
426 if( status == PSA_SUCCESS )
427 *mac_length = mac_size;
428
429 return( status );
430 }
431
mbedtls_psa_mac_verify_finish(mbedtls_psa_mac_operation_t * operation,const uint8_t * mac,size_t mac_length)432 psa_status_t mbedtls_psa_mac_verify_finish(
433 mbedtls_psa_mac_operation_t *operation,
434 const uint8_t *mac,
435 size_t mac_length )
436 {
437 uint8_t actual_mac[PSA_MAC_MAX_SIZE];
438 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
439
440 if( operation->alg == 0 )
441 return( PSA_ERROR_BAD_STATE );
442
443 /* Consistency check: requested MAC length fits our local buffer */
444 if( mac_length > sizeof( actual_mac ) )
445 return( PSA_ERROR_INVALID_ARGUMENT );
446
447 status = psa_mac_finish_internal( operation, actual_mac, mac_length );
448 if( status != PSA_SUCCESS )
449 goto cleanup;
450
451 if( mbedtls_psa_safer_memcmp( mac, actual_mac, mac_length ) != 0 )
452 status = PSA_ERROR_INVALID_SIGNATURE;
453
454 cleanup:
455 mbedtls_platform_zeroize( actual_mac, sizeof( actual_mac ) );
456
457 return( status );
458 }
459
mbedtls_psa_mac_compute(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * input,size_t input_length,uint8_t * mac,size_t mac_size,size_t * mac_length)460 psa_status_t mbedtls_psa_mac_compute(
461 const psa_key_attributes_t *attributes,
462 const uint8_t *key_buffer,
463 size_t key_buffer_size,
464 psa_algorithm_t alg,
465 const uint8_t *input,
466 size_t input_length,
467 uint8_t *mac,
468 size_t mac_size,
469 size_t *mac_length )
470 {
471 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
472 mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT;
473
474 status = psa_mac_setup( &operation,
475 attributes, key_buffer, key_buffer_size,
476 alg );
477 if( status != PSA_SUCCESS )
478 goto exit;
479
480 if( input_length > 0 )
481 {
482 status = mbedtls_psa_mac_update( &operation, input, input_length );
483 if( status != PSA_SUCCESS )
484 goto exit;
485 }
486
487 status = psa_mac_finish_internal( &operation, mac, mac_size );
488 if( status == PSA_SUCCESS )
489 *mac_length = mac_size;
490
491 exit:
492 mbedtls_psa_mac_abort( &operation );
493
494 return( status );
495 }
496
497 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_CMAC */
498
499 #endif /* MBEDTLS_PSA_CRYPTO_C */
500
