1 /*
2 * PSA MAC layer on top of Mbed TLS software crypto
3 */
4 /*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_PSA_CRYPTO_C)
24
25 #include <psa/crypto.h>
26 #include "psa_crypto_core.h"
27 #include "psa_crypto_cipher.h"
28 #include "psa_crypto_mac.h"
29 #include <mbedtls/md.h>
30
31 #include <mbedtls/error.h>
32 #include <string.h>
33
34 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
psa_hmac_abort_internal(mbedtls_psa_hmac_operation_t * hmac)35 static psa_status_t psa_hmac_abort_internal(
36 mbedtls_psa_hmac_operation_t *hmac )
37 {
38 mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) );
39 return( psa_hash_abort( &hmac->hash_ctx ) );
40 }
41
psa_hmac_setup_internal(mbedtls_psa_hmac_operation_t * hmac,const uint8_t * key,size_t key_length,psa_algorithm_t hash_alg)42 static psa_status_t psa_hmac_setup_internal(
43 mbedtls_psa_hmac_operation_t *hmac,
44 const uint8_t *key,
45 size_t key_length,
46 psa_algorithm_t hash_alg )
47 {
48 uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
49 size_t i;
50 size_t hash_size = PSA_HASH_LENGTH( hash_alg );
51 size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
52 psa_status_t status;
53
54 hmac->alg = hash_alg;
55
56 /* Sanity checks on block_size, to guarantee that there won't be a buffer
57 * overflow below. This should never trigger if the hash algorithm
58 * is implemented correctly. */
59 /* The size checks against the ipad and opad buffers cannot be written
60 * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
61 * because that triggers -Wlogical-op on GCC 7.3. */
62 if( block_size > sizeof( ipad ) )
63 return( PSA_ERROR_NOT_SUPPORTED );
64 if( block_size > sizeof( hmac->opad ) )
65 return( PSA_ERROR_NOT_SUPPORTED );
66 if( block_size < hash_size )
67 return( PSA_ERROR_NOT_SUPPORTED );
68
69 if( key_length > block_size )
70 {
71 status = psa_hash_compute( hash_alg, key, key_length,
72 ipad, sizeof( ipad ), &key_length );
73 if( status != PSA_SUCCESS )
74 goto cleanup;
75 }
76 /* A 0-length key is not commonly used in HMAC when used as a MAC,
77 * but it is permitted. It is common when HMAC is used in HKDF, for
78 * example. Don't call `memcpy` in the 0-length because `key` could be
79 * an invalid pointer which would make the behavior undefined. */
80 else if( key_length != 0 )
81 memcpy( ipad, key, key_length );
82
83 /* ipad contains the key followed by garbage. Xor and fill with 0x36
84 * to create the ipad value. */
85 for( i = 0; i < key_length; i++ )
86 ipad[i] ^= 0x36;
87 memset( ipad + key_length, 0x36, block_size - key_length );
88
89 /* Copy the key material from ipad to opad, flipping the requisite bits,
90 * and filling the rest of opad with the requisite constant. */
91 for( i = 0; i < key_length; i++ )
92 hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
93 memset( hmac->opad + key_length, 0x5C, block_size - key_length );
94
95 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
96 if( status != PSA_SUCCESS )
97 goto cleanup;
98
99 status = psa_hash_update( &hmac->hash_ctx, ipad, block_size );
100
101 cleanup:
102 mbedtls_platform_zeroize( ipad, sizeof( ipad ) );
103
104 return( status );
105 }
106
psa_hmac_update_internal(mbedtls_psa_hmac_operation_t * hmac,const uint8_t * data,size_t data_length)107 static psa_status_t psa_hmac_update_internal(
108 mbedtls_psa_hmac_operation_t *hmac,
109 const uint8_t *data,
110 size_t data_length )
111 {
112 return( psa_hash_update( &hmac->hash_ctx, data, data_length ) );
113 }
114
psa_hmac_finish_internal(mbedtls_psa_hmac_operation_t * hmac,uint8_t * mac,size_t mac_size)115 static psa_status_t psa_hmac_finish_internal(
116 mbedtls_psa_hmac_operation_t *hmac,
117 uint8_t *mac,
118 size_t mac_size )
119 {
120 uint8_t tmp[PSA_HASH_MAX_SIZE];
121 psa_algorithm_t hash_alg = hmac->alg;
122 size_t hash_size = 0;
123 size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
124 psa_status_t status;
125
126 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
127 if( status != PSA_SUCCESS )
128 return( status );
129 /* From here on, tmp needs to be wiped. */
130
131 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
132 if( status != PSA_SUCCESS )
133 goto exit;
134
135 status = psa_hash_update( &hmac->hash_ctx, hmac->opad, block_size );
136 if( status != PSA_SUCCESS )
137 goto exit;
138
139 status = psa_hash_update( &hmac->hash_ctx, tmp, hash_size );
140 if( status != PSA_SUCCESS )
141 goto exit;
142
143 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
144 if( status != PSA_SUCCESS )
145 goto exit;
146
147 memcpy( mac, tmp, mac_size );
148
149 exit:
150 mbedtls_platform_zeroize( tmp, hash_size );
151 return( status );
152 }
153 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
154
155 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
cmac_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer)156 static psa_status_t cmac_setup( mbedtls_psa_mac_operation_t *operation,
157 const psa_key_attributes_t *attributes,
158 const uint8_t *key_buffer )
159 {
160 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
161
162 #if defined(PSA_WANT_KEY_TYPE_DES)
163 /* Mbed TLS CMAC does not accept 3DES with only two keys, nor does it accept
164 * to do CMAC with pure DES, so return NOT_SUPPORTED here. */
165 if( psa_get_key_type( attributes ) == PSA_KEY_TYPE_DES &&
166 ( psa_get_key_bits( attributes ) == 64 ||
167 psa_get_key_bits( attributes ) == 128 ) )
168 return( PSA_ERROR_NOT_SUPPORTED );
169 #endif
170
171 const mbedtls_cipher_info_t * cipher_info =
172 mbedtls_cipher_info_from_psa(
173 PSA_ALG_CMAC,
174 psa_get_key_type( attributes ),
175 psa_get_key_bits( attributes ),
176 NULL );
177
178 if( cipher_info == NULL )
179 return( PSA_ERROR_NOT_SUPPORTED );
180
181 ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info );
182 if( ret != 0 )
183 goto exit;
184
185 ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
186 key_buffer,
187 psa_get_key_bits( attributes ) );
188 exit:
189 return( mbedtls_to_psa_error( ret ) );
190 }
191 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
192
193 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \
194 defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
195
196 /* Initialize this driver's MAC operation structure. Once this function has been
197 * called, mbedtls_psa_mac_abort can run and will do the right thing. */
mac_init(mbedtls_psa_mac_operation_t * operation,psa_algorithm_t alg)198 static psa_status_t mac_init(
199 mbedtls_psa_mac_operation_t *operation,
200 psa_algorithm_t alg )
201 {
202 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
203
204 operation->alg = alg;
205
206 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
207 if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
208 {
209 mbedtls_cipher_init( &operation->ctx.cmac );
210 status = PSA_SUCCESS;
211 }
212 else
213 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
214 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
215 if( PSA_ALG_IS_HMAC( operation->alg ) )
216 {
217 /* We'll set up the hash operation later in psa_hmac_setup_internal. */
218 operation->ctx.hmac.alg = 0;
219 status = PSA_SUCCESS;
220 }
221 else
222 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
223 {
224 (void) operation;
225 status = PSA_ERROR_NOT_SUPPORTED;
226 }
227
228 if( status != PSA_SUCCESS )
229 memset( operation, 0, sizeof( *operation ) );
230 return( status );
231 }
232
mbedtls_psa_mac_abort(mbedtls_psa_mac_operation_t * operation)233 psa_status_t mbedtls_psa_mac_abort( mbedtls_psa_mac_operation_t *operation )
234 {
235 if( operation->alg == 0 )
236 {
237 /* The object has (apparently) been initialized but it is not
238 * in use. It's ok to call abort on such an object, and there's
239 * nothing to do. */
240 return( PSA_SUCCESS );
241 }
242 else
243 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
244 if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
245 {
246 mbedtls_cipher_free( &operation->ctx.cmac );
247 }
248 else
249 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
250 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
251 if( PSA_ALG_IS_HMAC( operation->alg ) )
252 {
253 psa_hmac_abort_internal( &operation->ctx.hmac );
254 }
255 else
256 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
257 {
258 /* Sanity check (shouldn't happen: operation->alg should
259 * always have been initialized to a valid value). */
260 goto bad_state;
261 }
262
263 operation->alg = 0;
264
265 return( PSA_SUCCESS );
266
267 bad_state:
268 /* If abort is called on an uninitialized object, we can't trust
269 * anything. Wipe the object in case it contains confidential data.
270 * This may result in a memory leak if a pointer gets overwritten,
271 * but it's too late to do anything about this. */
272 memset( operation, 0, sizeof( *operation ) );
273 return( PSA_ERROR_BAD_STATE );
274 }
275
psa_mac_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)276 static psa_status_t psa_mac_setup( mbedtls_psa_mac_operation_t *operation,
277 const psa_key_attributes_t *attributes,
278 const uint8_t *key_buffer,
279 size_t key_buffer_size,
280 psa_algorithm_t alg )
281 {
282 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
283
284 /* A context must be freshly initialized before it can be set up. */
285 if( operation->alg != 0 )
286 return( PSA_ERROR_BAD_STATE );
287
288 status = mac_init( operation, alg );
289 if( status != PSA_SUCCESS )
290 return( status );
291
292 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
293 if( PSA_ALG_FULL_LENGTH_MAC( alg ) == PSA_ALG_CMAC )
294 {
295 /* Key buffer size for CMAC is dictated by the key bits set on the
296 * attributes, and previously validated by the core on key import. */
297 (void) key_buffer_size;
298 status = cmac_setup( operation, attributes, key_buffer );
299 }
300 else
301 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
302 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
303 if( PSA_ALG_IS_HMAC( alg ) )
304 {
305 status = psa_hmac_setup_internal( &operation->ctx.hmac,
306 key_buffer,
307 key_buffer_size,
308 PSA_ALG_HMAC_GET_HASH( alg ) );
309 }
310 else
311 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
312 {
313 (void) attributes;
314 (void) key_buffer;
315 (void) key_buffer_size;
316 status = PSA_ERROR_NOT_SUPPORTED;
317 }
318
319 if( status != PSA_SUCCESS )
320 mbedtls_psa_mac_abort( operation );
321
322 return( status );
323 }
324
mbedtls_psa_mac_sign_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)325 psa_status_t mbedtls_psa_mac_sign_setup(
326 mbedtls_psa_mac_operation_t *operation,
327 const psa_key_attributes_t *attributes,
328 const uint8_t *key_buffer,
329 size_t key_buffer_size,
330 psa_algorithm_t alg )
331 {
332 return( psa_mac_setup( operation, attributes,
333 key_buffer, key_buffer_size, alg ) );
334 }
335
mbedtls_psa_mac_verify_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)336 psa_status_t mbedtls_psa_mac_verify_setup(
337 mbedtls_psa_mac_operation_t *operation,
338 const psa_key_attributes_t *attributes,
339 const uint8_t *key_buffer,
340 size_t key_buffer_size,
341 psa_algorithm_t alg )
342 {
343 return( psa_mac_setup( operation, attributes,
344 key_buffer, key_buffer_size, alg ) );
345 }
346
mbedtls_psa_mac_update(mbedtls_psa_mac_operation_t * operation,const uint8_t * input,size_t input_length)347 psa_status_t mbedtls_psa_mac_update(
348 mbedtls_psa_mac_operation_t *operation,
349 const uint8_t *input,
350 size_t input_length )
351 {
352 if( operation->alg == 0 )
353 return( PSA_ERROR_BAD_STATE );
354
355 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
356 if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
357 {
358 return( mbedtls_to_psa_error(
359 mbedtls_cipher_cmac_update( &operation->ctx.cmac,
360 input, input_length ) ) );
361 }
362 else
363 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
364 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
365 if( PSA_ALG_IS_HMAC( operation->alg ) )
366 {
367 return( psa_hmac_update_internal( &operation->ctx.hmac,
368 input, input_length ) );
369 }
370 else
371 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
372 {
373 /* This shouldn't happen if `operation` was initialized by
374 * a setup function. */
375 (void) input;
376 (void) input_length;
377 return( PSA_ERROR_BAD_STATE );
378 }
379 }
380
psa_mac_finish_internal(mbedtls_psa_mac_operation_t * operation,uint8_t * mac,size_t mac_size)381 static psa_status_t psa_mac_finish_internal(
382 mbedtls_psa_mac_operation_t *operation,
383 uint8_t *mac, size_t mac_size )
384 {
385 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
386 if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC )
387 {
388 uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE];
389 int ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, tmp );
390 if( ret == 0 )
391 memcpy( mac, tmp, mac_size );
392 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
393 return( mbedtls_to_psa_error( ret ) );
394 }
395 else
396 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
397 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
398 if( PSA_ALG_IS_HMAC( operation->alg ) )
399 {
400 return( psa_hmac_finish_internal( &operation->ctx.hmac,
401 mac, mac_size ) );
402 }
403 else
404 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
405 {
406 /* This shouldn't happen if `operation` was initialized by
407 * a setup function. */
408 (void) operation;
409 (void) mac;
410 (void) mac_size;
411 return( PSA_ERROR_BAD_STATE );
412 }
413 }
414
mbedtls_psa_mac_sign_finish(mbedtls_psa_mac_operation_t * operation,uint8_t * mac,size_t mac_size,size_t * mac_length)415 psa_status_t mbedtls_psa_mac_sign_finish(
416 mbedtls_psa_mac_operation_t *operation,
417 uint8_t *mac,
418 size_t mac_size,
419 size_t *mac_length )
420 {
421 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
422
423 if( operation->alg == 0 )
424 return( PSA_ERROR_BAD_STATE );
425
426 status = psa_mac_finish_internal( operation, mac, mac_size );
427 if( status == PSA_SUCCESS )
428 *mac_length = mac_size;
429
430 return( status );
431 }
432
mbedtls_psa_mac_verify_finish(mbedtls_psa_mac_operation_t * operation,const uint8_t * mac,size_t mac_length)433 psa_status_t mbedtls_psa_mac_verify_finish(
434 mbedtls_psa_mac_operation_t *operation,
435 const uint8_t *mac,
436 size_t mac_length )
437 {
438 uint8_t actual_mac[PSA_MAC_MAX_SIZE];
439 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
440
441 if( operation->alg == 0 )
442 return( PSA_ERROR_BAD_STATE );
443
444 /* Consistency check: requested MAC length fits our local buffer */
445 if( mac_length > sizeof( actual_mac ) )
446 return( PSA_ERROR_INVALID_ARGUMENT );
447
448 status = psa_mac_finish_internal( operation, actual_mac, mac_length );
449 if( status != PSA_SUCCESS )
450 goto cleanup;
451
452 if( mbedtls_psa_safer_memcmp( mac, actual_mac, mac_length ) != 0 )
453 status = PSA_ERROR_INVALID_SIGNATURE;
454
455 cleanup:
456 mbedtls_platform_zeroize( actual_mac, sizeof( actual_mac ) );
457
458 return( status );
459 }
460
mbedtls_psa_mac_compute(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * input,size_t input_length,uint8_t * mac,size_t mac_size,size_t * mac_length)461 psa_status_t mbedtls_psa_mac_compute(
462 const psa_key_attributes_t *attributes,
463 const uint8_t *key_buffer,
464 size_t key_buffer_size,
465 psa_algorithm_t alg,
466 const uint8_t *input,
467 size_t input_length,
468 uint8_t *mac,
469 size_t mac_size,
470 size_t *mac_length )
471 {
472 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
473 mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT;
474
475 status = psa_mac_setup( &operation,
476 attributes, key_buffer, key_buffer_size,
477 alg );
478 if( status != PSA_SUCCESS )
479 goto exit;
480
481 if( input_length > 0 )
482 {
483 status = mbedtls_psa_mac_update( &operation, input, input_length );
484 if( status != PSA_SUCCESS )
485 goto exit;
486 }
487
488 status = psa_mac_finish_internal( &operation, mac, mac_size );
489 if( status == PSA_SUCCESS )
490 *mac_length = mac_size;
491
492 exit:
493 mbedtls_psa_mac_abort( &operation );
494
495 return( status );
496 }
497
498 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_CMAC */
499
500 #endif /* MBEDTLS_PSA_CRYPTO_C */
501
