1 /*
2 * PSA crypto layer on top of Mbed TLS crypto
3 */
4 /*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20
21 #include "common.h"
22
23 #if defined(MBEDTLS_PSA_CRYPTO_C)
24
25 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
26 #include "check_crypto_config.h"
27 #endif
28
29 #include "psa_crypto_service_integration.h"
30 #include "psa/crypto.h"
31
32 #include "psa_crypto_core.h"
33 #include "psa_crypto_invasive.h"
34 #include "psa_crypto_driver_wrappers.h"
35 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
36 #include "psa_crypto_se.h"
37 #endif
38 #include "psa_crypto_slot_management.h"
39 /* Include internal declarations that are useful for implementing persistently
40 * stored keys. */
41 #include "psa_crypto_storage.h"
42
43 #include <assert.h>
44 #include <stdlib.h>
45 #include <string.h>
46 #include "mbedtls/platform.h"
47 #if !defined(MBEDTLS_PLATFORM_C)
48 #define mbedtls_calloc calloc
49 #define mbedtls_free free
50 #endif
51
52 #include "mbedtls/arc4.h"
53 #include "mbedtls/asn1.h"
54 #include "mbedtls/asn1write.h"
55 #include "mbedtls/bignum.h"
56 #include "mbedtls/blowfish.h"
57 #include "mbedtls/camellia.h"
58 #include "mbedtls/chacha20.h"
59 #include "mbedtls/chachapoly.h"
60 #include "mbedtls/cipher.h"
61 #include "mbedtls/ccm.h"
62 #include "mbedtls/cmac.h"
63 #include "mbedtls/ctr_drbg.h"
64 #include "mbedtls/des.h"
65 #include "mbedtls/ecdh.h"
66 #include "mbedtls/ecp.h"
67 #include "mbedtls/entropy.h"
68 #include "mbedtls/error.h"
69 #include "mbedtls/gcm.h"
70 #include "mbedtls/md2.h"
71 #include "mbedtls/md4.h"
72 #include "mbedtls/md5.h"
73 #include "mbedtls/md.h"
74 #include "mbedtls/md_internal.h"
75 #include "mbedtls/pk.h"
76 #include "mbedtls/pk_internal.h"
77 #include "mbedtls/platform_util.h"
78 #include "mbedtls/error.h"
79 #include "mbedtls/ripemd160.h"
80 #include "mbedtls/rsa.h"
81 #include "mbedtls/sha1.h"
82 #include "mbedtls/sha256.h"
83 #include "mbedtls/sha512.h"
84 #include "mbedtls/xtea.h"
85
86 #define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
87
88 /* constant-time buffer comparison */
safer_memcmp(const uint8_t * a,const uint8_t * b,size_t n)89 static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n )
90 {
91 size_t i;
92 unsigned char diff = 0;
93
94 for( i = 0; i < n; i++ )
95 diff |= a[i] ^ b[i];
96
97 return( diff );
98 }
99
100
101
102 /****************************************************************/
103 /* Global data, support functions and library management */
104 /****************************************************************/
105
key_type_is_raw_bytes(psa_key_type_t type)106 static int key_type_is_raw_bytes( psa_key_type_t type )
107 {
108 return( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) );
109 }
110
111 /* Values for psa_global_data_t::rng_state */
112 #define RNG_NOT_INITIALIZED 0
113 #define RNG_INITIALIZED 1
114 #define RNG_SEEDED 2
115
116 typedef struct
117 {
118 void (* entropy_init )( mbedtls_entropy_context *ctx );
119 void (* entropy_free )( mbedtls_entropy_context *ctx );
120 mbedtls_entropy_context entropy;
121 mbedtls_ctr_drbg_context ctr_drbg;
122 unsigned initialized : 1;
123 unsigned rng_state : 2;
124 } psa_global_data_t;
125
126 static psa_global_data_t global_data;
127
128 #define GUARD_MODULE_INITIALIZED \
129 if( global_data.initialized == 0 ) \
130 return( PSA_ERROR_BAD_STATE );
131
mbedtls_to_psa_error(int ret)132 psa_status_t mbedtls_to_psa_error( int ret )
133 {
134 /* If there's both a high-level code and low-level code, dispatch on
135 * the high-level code. */
136 switch( ret < -0x7f ? - ( -ret & 0x7f80 ) : ret )
137 {
138 case 0:
139 return( PSA_SUCCESS );
140
141 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
142 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
143 case MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE:
144 return( PSA_ERROR_NOT_SUPPORTED );
145 case MBEDTLS_ERR_AES_HW_ACCEL_FAILED:
146 return( PSA_ERROR_HARDWARE_FAILURE );
147
148 case MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED:
149 return( PSA_ERROR_HARDWARE_FAILURE );
150
151 case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
152 case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
153 case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
154 case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH:
155 case MBEDTLS_ERR_ASN1_INVALID_DATA:
156 return( PSA_ERROR_INVALID_ARGUMENT );
157 case MBEDTLS_ERR_ASN1_ALLOC_FAILED:
158 return( PSA_ERROR_INSUFFICIENT_MEMORY );
159 case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
160 return( PSA_ERROR_BUFFER_TOO_SMALL );
161
162 #if defined(MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA)
163 case MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA:
164 #elif defined(MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH)
165 case MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH:
166 #endif
167 case MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH:
168 return( PSA_ERROR_NOT_SUPPORTED );
169 case MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED:
170 return( PSA_ERROR_HARDWARE_FAILURE );
171
172 #if defined(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA)
173 case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
174 #elif defined(MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH)
175 case MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH:
176 #endif
177 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
178 return( PSA_ERROR_NOT_SUPPORTED );
179 case MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED:
180 return( PSA_ERROR_HARDWARE_FAILURE );
181
182 case MBEDTLS_ERR_CCM_BAD_INPUT:
183 return( PSA_ERROR_INVALID_ARGUMENT );
184 case MBEDTLS_ERR_CCM_AUTH_FAILED:
185 return( PSA_ERROR_INVALID_SIGNATURE );
186 case MBEDTLS_ERR_CCM_HW_ACCEL_FAILED:
187 return( PSA_ERROR_HARDWARE_FAILURE );
188
189 case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
190 return( PSA_ERROR_INVALID_ARGUMENT );
191
192 case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
193 return( PSA_ERROR_BAD_STATE );
194 case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
195 return( PSA_ERROR_INVALID_SIGNATURE );
196
197 case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
198 return( PSA_ERROR_NOT_SUPPORTED );
199 case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
200 return( PSA_ERROR_INVALID_ARGUMENT );
201 case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
202 return( PSA_ERROR_INSUFFICIENT_MEMORY );
203 case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
204 return( PSA_ERROR_INVALID_PADDING );
205 case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
206 return( PSA_ERROR_INVALID_ARGUMENT );
207 case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
208 return( PSA_ERROR_INVALID_SIGNATURE );
209 case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
210 return( PSA_ERROR_CORRUPTION_DETECTED );
211 case MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED:
212 return( PSA_ERROR_HARDWARE_FAILURE );
213
214 case MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED:
215 return( PSA_ERROR_HARDWARE_FAILURE );
216
217 case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
218 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
219 case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
220 case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
221 return( PSA_ERROR_NOT_SUPPORTED );
222 case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
223 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
224
225 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
226 return( PSA_ERROR_NOT_SUPPORTED );
227 case MBEDTLS_ERR_DES_HW_ACCEL_FAILED:
228 return( PSA_ERROR_HARDWARE_FAILURE );
229
230 case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
231 case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
232 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
233 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
234
235 case MBEDTLS_ERR_GCM_AUTH_FAILED:
236 return( PSA_ERROR_INVALID_SIGNATURE );
237 case MBEDTLS_ERR_GCM_BAD_INPUT:
238 return( PSA_ERROR_INVALID_ARGUMENT );
239 case MBEDTLS_ERR_GCM_HW_ACCEL_FAILED:
240 return( PSA_ERROR_HARDWARE_FAILURE );
241
242 case MBEDTLS_ERR_MD2_HW_ACCEL_FAILED:
243 case MBEDTLS_ERR_MD4_HW_ACCEL_FAILED:
244 case MBEDTLS_ERR_MD5_HW_ACCEL_FAILED:
245 return( PSA_ERROR_HARDWARE_FAILURE );
246
247 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
248 return( PSA_ERROR_NOT_SUPPORTED );
249 case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
250 return( PSA_ERROR_INVALID_ARGUMENT );
251 case MBEDTLS_ERR_MD_ALLOC_FAILED:
252 return( PSA_ERROR_INSUFFICIENT_MEMORY );
253 case MBEDTLS_ERR_MD_FILE_IO_ERROR:
254 return( PSA_ERROR_STORAGE_FAILURE );
255 case MBEDTLS_ERR_MD_HW_ACCEL_FAILED:
256 return( PSA_ERROR_HARDWARE_FAILURE );
257
258 case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
259 return( PSA_ERROR_STORAGE_FAILURE );
260 case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
261 return( PSA_ERROR_INVALID_ARGUMENT );
262 case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
263 return( PSA_ERROR_INVALID_ARGUMENT );
264 case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
265 return( PSA_ERROR_BUFFER_TOO_SMALL );
266 case MBEDTLS_ERR_MPI_NEGATIVE_VALUE:
267 return( PSA_ERROR_INVALID_ARGUMENT );
268 case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO:
269 return( PSA_ERROR_INVALID_ARGUMENT );
270 case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
271 return( PSA_ERROR_INVALID_ARGUMENT );
272 case MBEDTLS_ERR_MPI_ALLOC_FAILED:
273 return( PSA_ERROR_INSUFFICIENT_MEMORY );
274
275 case MBEDTLS_ERR_PK_ALLOC_FAILED:
276 return( PSA_ERROR_INSUFFICIENT_MEMORY );
277 case MBEDTLS_ERR_PK_TYPE_MISMATCH:
278 case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
279 return( PSA_ERROR_INVALID_ARGUMENT );
280 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
281 return( PSA_ERROR_STORAGE_FAILURE );
282 case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
283 case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
284 return( PSA_ERROR_INVALID_ARGUMENT );
285 case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
286 return( PSA_ERROR_NOT_SUPPORTED );
287 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
288 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
289 return( PSA_ERROR_NOT_PERMITTED );
290 case MBEDTLS_ERR_PK_INVALID_PUBKEY:
291 return( PSA_ERROR_INVALID_ARGUMENT );
292 case MBEDTLS_ERR_PK_INVALID_ALG:
293 case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
294 case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
295 return( PSA_ERROR_NOT_SUPPORTED );
296 case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
297 return( PSA_ERROR_INVALID_SIGNATURE );
298 case MBEDTLS_ERR_PK_HW_ACCEL_FAILED:
299 return( PSA_ERROR_HARDWARE_FAILURE );
300
301 case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED:
302 return( PSA_ERROR_HARDWARE_FAILURE );
303 case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
304 return( PSA_ERROR_NOT_SUPPORTED );
305
306 case MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED:
307 return( PSA_ERROR_HARDWARE_FAILURE );
308
309 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
310 return( PSA_ERROR_INVALID_ARGUMENT );
311 case MBEDTLS_ERR_RSA_INVALID_PADDING:
312 return( PSA_ERROR_INVALID_PADDING );
313 case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
314 return( PSA_ERROR_HARDWARE_FAILURE );
315 case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
316 return( PSA_ERROR_INVALID_ARGUMENT );
317 case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
318 case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
319 return( PSA_ERROR_CORRUPTION_DETECTED );
320 case MBEDTLS_ERR_RSA_VERIFY_FAILED:
321 return( PSA_ERROR_INVALID_SIGNATURE );
322 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
323 return( PSA_ERROR_BUFFER_TOO_SMALL );
324 case MBEDTLS_ERR_RSA_RNG_FAILED:
325 return( PSA_ERROR_INSUFFICIENT_MEMORY );
326 case MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:
327 return( PSA_ERROR_NOT_SUPPORTED );
328 case MBEDTLS_ERR_RSA_HW_ACCEL_FAILED:
329 return( PSA_ERROR_HARDWARE_FAILURE );
330
331 case MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED:
332 case MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED:
333 case MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED:
334 return( PSA_ERROR_HARDWARE_FAILURE );
335
336 case MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH:
337 return( PSA_ERROR_INVALID_ARGUMENT );
338 case MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED:
339 return( PSA_ERROR_HARDWARE_FAILURE );
340
341 case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
342 case MBEDTLS_ERR_ECP_INVALID_KEY:
343 return( PSA_ERROR_INVALID_ARGUMENT );
344 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
345 return( PSA_ERROR_BUFFER_TOO_SMALL );
346 case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
347 return( PSA_ERROR_NOT_SUPPORTED );
348 case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
349 case MBEDTLS_ERR_ECP_VERIFY_FAILED:
350 return( PSA_ERROR_INVALID_SIGNATURE );
351 case MBEDTLS_ERR_ECP_ALLOC_FAILED:
352 return( PSA_ERROR_INSUFFICIENT_MEMORY );
353 case MBEDTLS_ERR_ECP_HW_ACCEL_FAILED:
354 return( PSA_ERROR_HARDWARE_FAILURE );
355 case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
356 return( PSA_ERROR_CORRUPTION_DETECTED );
357
358 default:
359 return( PSA_ERROR_GENERIC_ERROR );
360 }
361 }
362
363
364
365
366 /****************************************************************/
367 /* Key management */
368 /****************************************************************/
369
370 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
psa_key_slot_is_external(const psa_key_slot_t * slot)371 static inline int psa_key_slot_is_external( const psa_key_slot_t *slot )
372 {
373 return( psa_key_lifetime_is_external( slot->attr.lifetime ) );
374 }
375 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
376
377 /* For now the MBEDTLS_PSA_ACCEL_ guards are also used here since the
378 * current test driver in key_management.c is using this function
379 * when accelerators are used for ECC key pair and public key.
380 * Once that dependency is resolved these guards can be removed.
381 */
382 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
383 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
384 defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \
385 defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
mbedtls_ecc_group_of_psa(psa_ecc_family_t curve,size_t byte_length)386 mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
387 size_t byte_length )
388 {
389 switch( curve )
390 {
391 case PSA_ECC_FAMILY_SECP_R1:
392 switch( byte_length )
393 {
394 case PSA_BITS_TO_BYTES( 192 ):
395 return( MBEDTLS_ECP_DP_SECP192R1 );
396 case PSA_BITS_TO_BYTES( 224 ):
397 return( MBEDTLS_ECP_DP_SECP224R1 );
398 case PSA_BITS_TO_BYTES( 256 ):
399 return( MBEDTLS_ECP_DP_SECP256R1 );
400 case PSA_BITS_TO_BYTES( 384 ):
401 return( MBEDTLS_ECP_DP_SECP384R1 );
402 case PSA_BITS_TO_BYTES( 521 ):
403 return( MBEDTLS_ECP_DP_SECP521R1 );
404 default:
405 return( MBEDTLS_ECP_DP_NONE );
406 }
407 break;
408
409 case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
410 switch( byte_length )
411 {
412 case PSA_BITS_TO_BYTES( 256 ):
413 return( MBEDTLS_ECP_DP_BP256R1 );
414 case PSA_BITS_TO_BYTES( 384 ):
415 return( MBEDTLS_ECP_DP_BP384R1 );
416 case PSA_BITS_TO_BYTES( 512 ):
417 return( MBEDTLS_ECP_DP_BP512R1 );
418 default:
419 return( MBEDTLS_ECP_DP_NONE );
420 }
421 break;
422
423 case PSA_ECC_FAMILY_MONTGOMERY:
424 switch( byte_length )
425 {
426 case PSA_BITS_TO_BYTES( 255 ):
427 return( MBEDTLS_ECP_DP_CURVE25519 );
428 case PSA_BITS_TO_BYTES( 448 ):
429 return( MBEDTLS_ECP_DP_CURVE448 );
430 default:
431 return( MBEDTLS_ECP_DP_NONE );
432 }
433 break;
434
435 case PSA_ECC_FAMILY_SECP_K1:
436 switch( byte_length )
437 {
438 case PSA_BITS_TO_BYTES( 192 ):
439 return( MBEDTLS_ECP_DP_SECP192K1 );
440 case PSA_BITS_TO_BYTES( 224 ):
441 return( MBEDTLS_ECP_DP_SECP224K1 );
442 case PSA_BITS_TO_BYTES( 256 ):
443 return( MBEDTLS_ECP_DP_SECP256K1 );
444 default:
445 return( MBEDTLS_ECP_DP_NONE );
446 }
447 break;
448
449 default:
450 return( MBEDTLS_ECP_DP_NONE );
451 }
452 }
453 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
454 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ||
455 * defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) ||
456 * defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) */
457
validate_unstructured_key_bit_size(psa_key_type_t type,size_t bits)458 static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type,
459 size_t bits )
460 {
461 /* Check that the bit size is acceptable for the key type */
462 switch( type )
463 {
464 case PSA_KEY_TYPE_RAW_DATA:
465 case PSA_KEY_TYPE_HMAC:
466 case PSA_KEY_TYPE_DERIVE:
467 break;
468 #if defined(MBEDTLS_AES_C)
469 case PSA_KEY_TYPE_AES:
470 if( bits != 128 && bits != 192 && bits != 256 )
471 return( PSA_ERROR_INVALID_ARGUMENT );
472 break;
473 #endif
474 #if defined(MBEDTLS_CAMELLIA_C)
475 case PSA_KEY_TYPE_CAMELLIA:
476 if( bits != 128 && bits != 192 && bits != 256 )
477 return( PSA_ERROR_INVALID_ARGUMENT );
478 break;
479 #endif
480 #if defined(MBEDTLS_DES_C)
481 case PSA_KEY_TYPE_DES:
482 if( bits != 64 && bits != 128 && bits != 192 )
483 return( PSA_ERROR_INVALID_ARGUMENT );
484 break;
485 #endif
486 #if defined(MBEDTLS_ARC4_C)
487 case PSA_KEY_TYPE_ARC4:
488 if( bits < 8 || bits > 2048 )
489 return( PSA_ERROR_INVALID_ARGUMENT );
490 break;
491 #endif
492 #if defined(MBEDTLS_CHACHA20_C)
493 case PSA_KEY_TYPE_CHACHA20:
494 if( bits != 256 )
495 return( PSA_ERROR_INVALID_ARGUMENT );
496 break;
497 #endif
498 default:
499 return( PSA_ERROR_NOT_SUPPORTED );
500 }
501 if( bits % 8 != 0 )
502 return( PSA_ERROR_INVALID_ARGUMENT );
503
504 return( PSA_SUCCESS );
505 }
506
507 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
508 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
509 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
510 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \
511 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
512 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
513
514 /* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
515 * that are not a multiple of 8) well. For example, there is only
516 * mbedtls_rsa_get_len(), which returns a number of bytes, and no
517 * way to return the exact bit size of a key.
518 * To keep things simple, reject non-byte-aligned key sizes. */
psa_check_rsa_key_byte_aligned(const mbedtls_rsa_context * rsa)519 static psa_status_t psa_check_rsa_key_byte_aligned(
520 const mbedtls_rsa_context *rsa )
521 {
522 mbedtls_mpi n;
523 psa_status_t status;
524 mbedtls_mpi_init( &n );
525 status = mbedtls_to_psa_error(
526 mbedtls_rsa_export( rsa, &n, NULL, NULL, NULL, NULL ) );
527 if( status == PSA_SUCCESS )
528 {
529 if( mbedtls_mpi_bitlen( &n ) % 8 != 0 )
530 status = PSA_ERROR_NOT_SUPPORTED;
531 }
532 mbedtls_mpi_free( &n );
533 return( status );
534 }
535
536 /** Load the contents of a key buffer into an internal RSA representation
537 *
538 * \param[in] type The type of key contained in \p data.
539 * \param[in] data The buffer from which to load the representation.
540 * \param[in] data_length The size in bytes of \p data.
541 * \param[out] p_rsa Returns a pointer to an RSA context on success.
542 * The caller is responsible for freeing both the
543 * contents of the context and the context itself
544 * when done.
545 */
psa_load_rsa_representation(psa_key_type_t type,const uint8_t * data,size_t data_length,mbedtls_rsa_context ** p_rsa)546 static psa_status_t psa_load_rsa_representation( psa_key_type_t type,
547 const uint8_t *data,
548 size_t data_length,
549 mbedtls_rsa_context **p_rsa )
550 {
551 psa_status_t status;
552 mbedtls_pk_context ctx;
553 size_t bits;
554 mbedtls_pk_init( &ctx );
555
556 /* Parse the data. */
557 if( PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
558 status = mbedtls_to_psa_error(
559 mbedtls_pk_parse_key( &ctx, data, data_length, NULL, 0 ) );
560 else
561 status = mbedtls_to_psa_error(
562 mbedtls_pk_parse_public_key( &ctx, data, data_length ) );
563 if( status != PSA_SUCCESS )
564 goto exit;
565
566 /* We have something that the pkparse module recognizes. If it is a
567 * valid RSA key, store it. */
568 if( mbedtls_pk_get_type( &ctx ) != MBEDTLS_PK_RSA )
569 {
570 status = PSA_ERROR_INVALID_ARGUMENT;
571 goto exit;
572 }
573
574 /* The size of an RSA key doesn't have to be a multiple of 8. Mbed TLS
575 * supports non-byte-aligned key sizes, but not well. For example,
576 * mbedtls_rsa_get_len() returns the key size in bytes, not in bits. */
577 bits = PSA_BYTES_TO_BITS( mbedtls_rsa_get_len( mbedtls_pk_rsa( ctx ) ) );
578 if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS )
579 {
580 status = PSA_ERROR_NOT_SUPPORTED;
581 goto exit;
582 }
583 status = psa_check_rsa_key_byte_aligned( mbedtls_pk_rsa( ctx ) );
584 if( status != PSA_SUCCESS )
585 goto exit;
586
587 /* Copy out the pointer to the RSA context, and reset the PK context
588 * such that pk_free doesn't free the RSA context we just grabbed. */
589 *p_rsa = mbedtls_pk_rsa( ctx );
590 ctx.pk_info = NULL;
591
592 exit:
593 mbedtls_pk_free( &ctx );
594 return( status );
595 }
596
597 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
598 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
599 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) ||
600 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ||
601 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
602 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
603
604 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
605 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
606
607 /** Export an RSA key to export representation
608 *
609 * \param[in] type The type of key (public/private) to export
610 * \param[in] rsa The internal RSA representation from which to export
611 * \param[out] data The buffer to export to
612 * \param[in] data_size The length of the buffer to export to
613 * \param[out] data_length The amount of bytes written to \p data
614 */
psa_export_rsa_key(psa_key_type_t type,mbedtls_rsa_context * rsa,uint8_t * data,size_t data_size,size_t * data_length)615 static psa_status_t psa_export_rsa_key( psa_key_type_t type,
616 mbedtls_rsa_context *rsa,
617 uint8_t *data,
618 size_t data_size,
619 size_t *data_length )
620 {
621 #if defined(MBEDTLS_PK_WRITE_C)
622 int ret;
623 mbedtls_pk_context pk;
624 uint8_t *pos = data + data_size;
625
626 mbedtls_pk_init( &pk );
627 pk.pk_info = &mbedtls_rsa_info;
628 pk.pk_ctx = rsa;
629
630 /* PSA Crypto API defines the format of an RSA key as a DER-encoded
631 * representation of the non-encrypted PKCS#1 RSAPrivateKey for a
632 * private key and of the RFC3279 RSAPublicKey for a public key. */
633 if( PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
634 ret = mbedtls_pk_write_key_der( &pk, data, data_size );
635 else
636 ret = mbedtls_pk_write_pubkey( &pos, data, &pk );
637
638 if( ret < 0 )
639 {
640 /* Clean up in case pk_write failed halfway through. */
641 memset( data, 0, data_size );
642 return( mbedtls_to_psa_error( ret ) );
643 }
644
645 /* The mbedtls_pk_xxx functions write to the end of the buffer.
646 * Move the data to the beginning and erase remaining data
647 * at the original location. */
648 if( 2 * (size_t) ret <= data_size )
649 {
650 memcpy( data, data + data_size - ret, ret );
651 memset( data + data_size - ret, 0, ret );
652 }
653 else if( (size_t) ret < data_size )
654 {
655 memmove( data, data + data_size - ret, ret );
656 memset( data + ret, 0, data_size - ret );
657 }
658
659 *data_length = ret;
660 return( PSA_SUCCESS );
661 #else
662 (void) type;
663 (void) rsa;
664 (void) data;
665 (void) data_size;
666 (void) data_length;
667 return( PSA_ERROR_NOT_SUPPORTED );
668 #endif /* MBEDTLS_PK_WRITE_C */
669 }
670
671 /** Import an RSA key from import representation to a slot
672 *
673 * \param[in,out] slot The slot where to store the export representation to
674 * \param[in] data The buffer containing the import representation
675 * \param[in] data_length The amount of bytes in \p data
676 */
psa_import_rsa_key(psa_key_slot_t * slot,const uint8_t * data,size_t data_length)677 static psa_status_t psa_import_rsa_key( psa_key_slot_t *slot,
678 const uint8_t *data,
679 size_t data_length )
680 {
681 psa_status_t status;
682 uint8_t* output = NULL;
683 mbedtls_rsa_context *rsa = NULL;
684
685 /* Parse input */
686 status = psa_load_rsa_representation( slot->attr.type,
687 data,
688 data_length,
689 &rsa );
690 if( status != PSA_SUCCESS )
691 goto exit;
692
693 slot->attr.bits = (psa_key_bits_t) PSA_BYTES_TO_BITS(
694 mbedtls_rsa_get_len( rsa ) );
695
696 /* Re-export the data to PSA export format, such that we can store export
697 * representation in the key slot. Export representation in case of RSA is
698 * the smallest representation that's allowed as input, so a straight-up
699 * allocation of the same size as the input buffer will be large enough. */
700 output = mbedtls_calloc( 1, data_length );
701 if( output == NULL )
702 {
703 status = PSA_ERROR_INSUFFICIENT_MEMORY;
704 goto exit;
705 }
706
707 status = psa_export_rsa_key( slot->attr.type,
708 rsa,
709 output,
710 data_length,
711 &data_length);
712 exit:
713 /* Always free the RSA object */
714 mbedtls_rsa_free( rsa );
715 mbedtls_free( rsa );
716
717 /* Free the allocated buffer only on error. */
718 if( status != PSA_SUCCESS )
719 {
720 mbedtls_free( output );
721 return( status );
722 }
723
724 /* On success, store the allocated export-formatted key. */
725 slot->data.key.data = output;
726 slot->data.key.bytes = data_length;
727
728 return( PSA_SUCCESS );
729 }
730
731 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
732 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
733
734 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
735 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
736 defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
737 defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) || \
738 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
739 /** Load the contents of a key buffer into an internal ECP representation
740 *
741 * \param[in] type The type of key contained in \p data.
742 * \param[in] data The buffer from which to load the representation.
743 * \param[in] data_length The size in bytes of \p data.
744 * \param[out] p_ecp Returns a pointer to an ECP context on success.
745 * The caller is responsible for freeing both the
746 * contents of the context and the context itself
747 * when done.
748 */
psa_load_ecp_representation(psa_key_type_t type,const uint8_t * data,size_t data_length,mbedtls_ecp_keypair ** p_ecp)749 static psa_status_t psa_load_ecp_representation( psa_key_type_t type,
750 const uint8_t *data,
751 size_t data_length,
752 mbedtls_ecp_keypair **p_ecp )
753 {
754 mbedtls_ecp_group_id grp_id = MBEDTLS_ECP_DP_NONE;
755 psa_status_t status;
756 mbedtls_ecp_keypair *ecp = NULL;
757 size_t curve_size = data_length;
758
759 if( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) &&
760 PSA_KEY_TYPE_ECC_GET_FAMILY( type ) != PSA_ECC_FAMILY_MONTGOMERY )
761 {
762 /* A Weierstrass public key is represented as:
763 * - The byte 0x04;
764 * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
765 * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
766 * So its data length is 2m+1 where m is the curve size in bits.
767 */
768 if( ( data_length & 1 ) == 0 )
769 return( PSA_ERROR_INVALID_ARGUMENT );
770 curve_size = data_length / 2;
771
772 /* Montgomery public keys are represented in compressed format, meaning
773 * their curve_size is equal to the amount of input. */
774
775 /* Private keys are represented in uncompressed private random integer
776 * format, meaning their curve_size is equal to the amount of input. */
777 }
778
779 /* Allocate and initialize a key representation. */
780 ecp = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
781 if( ecp == NULL )
782 return( PSA_ERROR_INSUFFICIENT_MEMORY );
783 mbedtls_ecp_keypair_init( ecp );
784
785 /* Load the group. */
786 grp_id = mbedtls_ecc_group_of_psa( PSA_KEY_TYPE_ECC_GET_FAMILY( type ),
787 curve_size );
788 if( grp_id == MBEDTLS_ECP_DP_NONE )
789 {
790 status = PSA_ERROR_INVALID_ARGUMENT;
791 goto exit;
792 }
793
794 status = mbedtls_to_psa_error(
795 mbedtls_ecp_group_load( &ecp->grp, grp_id ) );
796 if( status != PSA_SUCCESS )
797 goto exit;
798
799 /* Load the key material. */
800 if( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) )
801 {
802 /* Load the public value. */
803 status = mbedtls_to_psa_error(
804 mbedtls_ecp_point_read_binary( &ecp->grp, &ecp->Q,
805 data,
806 data_length ) );
807 if( status != PSA_SUCCESS )
808 goto exit;
809
810 /* Check that the point is on the curve. */
811 status = mbedtls_to_psa_error(
812 mbedtls_ecp_check_pubkey( &ecp->grp, &ecp->Q ) );
813 if( status != PSA_SUCCESS )
814 goto exit;
815 }
816 else
817 {
818 /* Load and validate the secret value. */
819 status = mbedtls_to_psa_error(
820 mbedtls_ecp_read_key( ecp->grp.id,
821 ecp,
822 data,
823 data_length ) );
824 if( status != PSA_SUCCESS )
825 goto exit;
826 }
827
828 *p_ecp = ecp;
829 exit:
830 if( status != PSA_SUCCESS )
831 {
832 mbedtls_ecp_keypair_free( ecp );
833 mbedtls_free( ecp );
834 }
835
836 return( status );
837 }
838 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
839 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ||
840 * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
841 * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) ||
842 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
843
844 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
845 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
846 /** Export an ECP key to export representation
847 *
848 * \param[in] type The type of key (public/private) to export
849 * \param[in] ecp The internal ECP representation from which to export
850 * \param[out] data The buffer to export to
851 * \param[in] data_size The length of the buffer to export to
852 * \param[out] data_length The amount of bytes written to \p data
853 */
psa_export_ecp_key(psa_key_type_t type,mbedtls_ecp_keypair * ecp,uint8_t * data,size_t data_size,size_t * data_length)854 static psa_status_t psa_export_ecp_key( psa_key_type_t type,
855 mbedtls_ecp_keypair *ecp,
856 uint8_t *data,
857 size_t data_size,
858 size_t *data_length )
859 {
860 psa_status_t status;
861
862 if( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) )
863 {
864 /* Check whether the public part is loaded */
865 if( mbedtls_ecp_is_zero( &ecp->Q ) )
866 {
867 /* Calculate the public key */
868 status = mbedtls_to_psa_error(
869 mbedtls_ecp_mul( &ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
870 mbedtls_ctr_drbg_random, &global_data.ctr_drbg ) );
871 if( status != PSA_SUCCESS )
872 return( status );
873 }
874
875 status = mbedtls_to_psa_error(
876 mbedtls_ecp_point_write_binary( &ecp->grp, &ecp->Q,
877 MBEDTLS_ECP_PF_UNCOMPRESSED,
878 data_length,
879 data,
880 data_size ) );
881 if( status != PSA_SUCCESS )
882 memset( data, 0, data_size );
883
884 return( status );
885 }
886 else
887 {
888 if( data_size < PSA_BITS_TO_BYTES( ecp->grp.nbits ) )
889 return( PSA_ERROR_BUFFER_TOO_SMALL );
890
891 status = mbedtls_to_psa_error(
892 mbedtls_ecp_write_key( ecp,
893 data,
894 PSA_BITS_TO_BYTES( ecp->grp.nbits ) ) );
895 if( status == PSA_SUCCESS )
896 *data_length = PSA_BITS_TO_BYTES( ecp->grp.nbits );
897 else
898 memset( data, 0, data_size );
899
900 return( status );
901 }
902 }
903
904 /** Import an ECP key from import representation to a slot
905 *
906 * \param[in,out] slot The slot where to store the export representation to
907 * \param[in] data The buffer containing the import representation
908 * \param[in] data_length The amount of bytes in \p data
909 */
psa_import_ecp_key(psa_key_slot_t * slot,const uint8_t * data,size_t data_length)910 static psa_status_t psa_import_ecp_key( psa_key_slot_t *slot,
911 const uint8_t *data,
912 size_t data_length )
913 {
914 psa_status_t status;
915 uint8_t* output = NULL;
916 mbedtls_ecp_keypair *ecp = NULL;
917
918 /* Parse input */
919 status = psa_load_ecp_representation( slot->attr.type,
920 data,
921 data_length,
922 &ecp );
923 if( status != PSA_SUCCESS )
924 goto exit;
925
926 if( PSA_KEY_TYPE_ECC_GET_FAMILY( slot->attr.type ) == PSA_ECC_FAMILY_MONTGOMERY)
927 slot->attr.bits = (psa_key_bits_t) ecp->grp.nbits + 1;
928 else
929 slot->attr.bits = (psa_key_bits_t) ecp->grp.nbits;
930
931 /* Re-export the data to PSA export format. There is currently no support
932 * for other input formats then the export format, so this is a 1-1
933 * copy operation. */
934 output = mbedtls_calloc( 1, data_length );
935 if( output == NULL )
936 {
937 status = PSA_ERROR_INSUFFICIENT_MEMORY;
938 goto exit;
939 }
940
941 status = psa_export_ecp_key( slot->attr.type,
942 ecp,
943 output,
944 data_length,
945 &data_length);
946 exit:
947 /* Always free the PK object (will also free contained ECP context) */
948 mbedtls_ecp_keypair_free( ecp );
949 mbedtls_free( ecp );
950
951 /* Free the allocated buffer only on error. */
952 if( status != PSA_SUCCESS )
953 {
954 mbedtls_free( output );
955 return( status );
956 }
957
958 /* On success, store the allocated export-formatted key. */
959 slot->data.key.data = output;
960 slot->data.key.bytes = data_length;
961
962 return( PSA_SUCCESS );
963 }
964 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
965 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
966
967 /** Return the size of the key in the given slot, in bits.
968 *
969 * \param[in] slot A key slot.
970 *
971 * \return The key size in bits, read from the metadata in the slot.
972 */
psa_get_key_slot_bits(const psa_key_slot_t * slot)973 static inline size_t psa_get_key_slot_bits( const psa_key_slot_t *slot )
974 {
975 return( slot->attr.bits );
976 }
977
978 /** Try to allocate a buffer to an empty key slot.
979 *
980 * \param[in,out] slot Key slot to attach buffer to.
981 * \param[in] buffer_length Requested size of the buffer.
982 *
983 * \retval #PSA_SUCCESS
984 * The buffer has been successfully allocated.
985 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
986 * Not enough memory was available for allocation.
987 * \retval #PSA_ERROR_ALREADY_EXISTS
988 * Trying to allocate a buffer to a non-empty key slot.
989 */
psa_allocate_buffer_to_slot(psa_key_slot_t * slot,size_t buffer_length)990 static psa_status_t psa_allocate_buffer_to_slot( psa_key_slot_t *slot,
991 size_t buffer_length )
992 {
993 if( slot->data.key.data != NULL )
994 return( PSA_ERROR_ALREADY_EXISTS );
995
996 slot->data.key.data = mbedtls_calloc( 1, buffer_length );
997 if( slot->data.key.data == NULL )
998 return( PSA_ERROR_INSUFFICIENT_MEMORY );
999
1000 slot->data.key.bytes = buffer_length;
1001 return( PSA_SUCCESS );
1002 }
1003
psa_copy_key_material_into_slot(psa_key_slot_t * slot,const uint8_t * data,size_t data_length)1004 psa_status_t psa_copy_key_material_into_slot( psa_key_slot_t *slot,
1005 const uint8_t* data,
1006 size_t data_length )
1007 {
1008 psa_status_t status = psa_allocate_buffer_to_slot( slot,
1009 data_length );
1010 if( status != PSA_SUCCESS )
1011 return( status );
1012
1013 memcpy( slot->data.key.data, data, data_length );
1014 return( PSA_SUCCESS );
1015 }
1016
1017 /** Import key data into a slot.
1018 *
1019 * `slot->type` must have been set previously.
1020 * This function assumes that the slot does not contain any key material yet.
1021 * On failure, the slot content is unchanged.
1022 *
1023 * Persistent storage is not affected.
1024 *
1025 * \param[in,out] slot The key slot to import data into.
1026 * Its `type` field must have previously been set to
1027 * the desired key type.
1028 * It must not contain any key material yet.
1029 * \param[in] data Buffer containing the key material to parse and import.
1030 * \param data_length Size of \p data in bytes.
1031 *
1032 * \retval #PSA_SUCCESS
1033 * \retval #PSA_ERROR_INVALID_ARGUMENT
1034 * \retval #PSA_ERROR_NOT_SUPPORTED
1035 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1036 */
psa_import_key_into_slot(psa_key_slot_t * slot,const uint8_t * data,size_t data_length)1037 static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
1038 const uint8_t *data,
1039 size_t data_length )
1040 {
1041 psa_status_t status = PSA_SUCCESS;
1042 size_t bit_size;
1043
1044 /* zero-length keys are never supported. */
1045 if( data_length == 0 )
1046 return( PSA_ERROR_NOT_SUPPORTED );
1047
1048 if( key_type_is_raw_bytes( slot->attr.type ) )
1049 {
1050 bit_size = PSA_BYTES_TO_BITS( data_length );
1051
1052 /* Ensure that the bytes-to-bits conversion hasn't overflown. */
1053 if( data_length > SIZE_MAX / 8 )
1054 return( PSA_ERROR_NOT_SUPPORTED );
1055
1056 /* Enforce a size limit, and in particular ensure that the bit
1057 * size fits in its representation type. */
1058 if( bit_size > PSA_MAX_KEY_BITS )
1059 return( PSA_ERROR_NOT_SUPPORTED );
1060
1061 status = validate_unstructured_key_bit_size( slot->attr.type, bit_size );
1062 if( status != PSA_SUCCESS )
1063 return( status );
1064
1065 /* Allocate memory for the key */
1066 status = psa_copy_key_material_into_slot( slot, data, data_length );
1067 if( status != PSA_SUCCESS )
1068 return( status );
1069
1070 /* Write the actual key size to the slot.
1071 * psa_start_key_creation() wrote the size declared by the
1072 * caller, which may be 0 (meaning unspecified) or wrong. */
1073 slot->attr.bits = (psa_key_bits_t) bit_size;
1074
1075 return( PSA_SUCCESS );
1076 }
1077 else if( PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) )
1078 {
1079 /* Try validation through accelerators first. */
1080 bit_size = slot->attr.bits;
1081 psa_key_attributes_t attributes = {
1082 .core = slot->attr
1083 };
1084 status = psa_driver_wrapper_validate_key( &attributes,
1085 data,
1086 data_length,
1087 &bit_size );
1088 if( status == PSA_SUCCESS )
1089 {
1090 /* Key has been validated successfully by an accelerator.
1091 * Copy key material into slot. */
1092 status = psa_copy_key_material_into_slot( slot, data, data_length );
1093 if( status != PSA_SUCCESS )
1094 return( status );
1095
1096 slot->attr.bits = (psa_key_bits_t) bit_size;
1097 return( PSA_SUCCESS );
1098 }
1099 else if( status != PSA_ERROR_NOT_SUPPORTED )
1100 return( status );
1101
1102 /* Key format is not supported by any accelerator, try software fallback
1103 * if present. */
1104 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
1105 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
1106 if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
1107 {
1108 return( psa_import_ecp_key( slot, data, data_length ) );
1109 }
1110 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
1111 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
1112 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
1113 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
1114 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
1115 {
1116 return( psa_import_rsa_key( slot, data, data_length ) );
1117 }
1118 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
1119 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
1120
1121 /* Fell through the fallback as well, so have nothing else to try. */
1122 return( PSA_ERROR_NOT_SUPPORTED );
1123 }
1124 else
1125 {
1126 /* Unknown key type */
1127 return( PSA_ERROR_NOT_SUPPORTED );
1128 }
1129 }
1130
1131 /** Calculate the intersection of two algorithm usage policies.
1132 *
1133 * Return 0 (which allows no operation) on incompatibility.
1134 */
psa_key_policy_algorithm_intersection(psa_algorithm_t alg1,psa_algorithm_t alg2)1135 static psa_algorithm_t psa_key_policy_algorithm_intersection(
1136 psa_algorithm_t alg1,
1137 psa_algorithm_t alg2 )
1138 {
1139 /* Common case: both sides actually specify the same policy. */
1140 if( alg1 == alg2 )
1141 return( alg1 );
1142 /* If the policies are from the same hash-and-sign family, check
1143 * if one is a wildcard. If so the other has the specific algorithm. */
1144 if( PSA_ALG_IS_HASH_AND_SIGN( alg1 ) &&
1145 PSA_ALG_IS_HASH_AND_SIGN( alg2 ) &&
1146 ( alg1 & ~PSA_ALG_HASH_MASK ) == ( alg2 & ~PSA_ALG_HASH_MASK ) )
1147 {
1148 if( PSA_ALG_SIGN_GET_HASH( alg1 ) == PSA_ALG_ANY_HASH )
1149 return( alg2 );
1150 if( PSA_ALG_SIGN_GET_HASH( alg2 ) == PSA_ALG_ANY_HASH )
1151 return( alg1 );
1152 }
1153 /* If the policies are incompatible, allow nothing. */
1154 return( 0 );
1155 }
1156
psa_key_algorithm_permits(psa_algorithm_t policy_alg,psa_algorithm_t requested_alg)1157 static int psa_key_algorithm_permits( psa_algorithm_t policy_alg,
1158 psa_algorithm_t requested_alg )
1159 {
1160 /* Common case: the policy only allows requested_alg. */
1161 if( requested_alg == policy_alg )
1162 return( 1 );
1163 /* If policy_alg is a hash-and-sign with a wildcard for the hash,
1164 * and requested_alg is the same hash-and-sign family with any hash,
1165 * then requested_alg is compliant with policy_alg. */
1166 if( PSA_ALG_IS_HASH_AND_SIGN( requested_alg ) &&
1167 PSA_ALG_SIGN_GET_HASH( policy_alg ) == PSA_ALG_ANY_HASH )
1168 {
1169 return( ( policy_alg & ~PSA_ALG_HASH_MASK ) ==
1170 ( requested_alg & ~PSA_ALG_HASH_MASK ) );
1171 }
1172 /* If policy_alg is a generic key agreement operation, then using it for
1173 * a key derivation with that key agreement should also be allowed. This
1174 * behaviour is expected to be defined in a future specification version. */
1175 if( PSA_ALG_IS_RAW_KEY_AGREEMENT( policy_alg ) &&
1176 PSA_ALG_IS_KEY_AGREEMENT( requested_alg ) )
1177 {
1178 return( PSA_ALG_KEY_AGREEMENT_GET_BASE( requested_alg ) ==
1179 policy_alg );
1180 }
1181 /* If it isn't permitted, it's forbidden. */
1182 return( 0 );
1183 }
1184
1185 /** Test whether a policy permits an algorithm.
1186 *
1187 * The caller must test usage flags separately.
1188 */
psa_key_policy_permits(const psa_key_policy_t * policy,psa_algorithm_t alg)1189 static int psa_key_policy_permits( const psa_key_policy_t *policy,
1190 psa_algorithm_t alg )
1191 {
1192 return( psa_key_algorithm_permits( policy->alg, alg ) ||
1193 psa_key_algorithm_permits( policy->alg2, alg ) );
1194 }
1195
1196 /** Restrict a key policy based on a constraint.
1197 *
1198 * \param[in,out] policy The policy to restrict.
1199 * \param[in] constraint The policy constraint to apply.
1200 *
1201 * \retval #PSA_SUCCESS
1202 * \c *policy contains the intersection of the original value of
1203 * \c *policy and \c *constraint.
1204 * \retval #PSA_ERROR_INVALID_ARGUMENT
1205 * \c *policy and \c *constraint are incompatible.
1206 * \c *policy is unchanged.
1207 */
psa_restrict_key_policy(psa_key_policy_t * policy,const psa_key_policy_t * constraint)1208 static psa_status_t psa_restrict_key_policy(
1209 psa_key_policy_t *policy,
1210 const psa_key_policy_t *constraint )
1211 {
1212 psa_algorithm_t intersection_alg =
1213 psa_key_policy_algorithm_intersection( policy->alg, constraint->alg );
1214 psa_algorithm_t intersection_alg2 =
1215 psa_key_policy_algorithm_intersection( policy->alg2, constraint->alg2 );
1216 if( intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0 )
1217 return( PSA_ERROR_INVALID_ARGUMENT );
1218 if( intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0 )
1219 return( PSA_ERROR_INVALID_ARGUMENT );
1220 policy->usage &= constraint->usage;
1221 policy->alg = intersection_alg;
1222 policy->alg2 = intersection_alg2;
1223 return( PSA_SUCCESS );
1224 }
1225
1226 /** Get the description of a key given its identifier and policy constraints
1227 * and lock it.
1228 *
1229 * The key must have allow all the usage flags set in \p usage. If \p alg is
1230 * nonzero, the key must allow operations with this algorithm.
1231 *
1232 * In case of a persistent key, the function loads the description of the key
1233 * into a key slot if not already done.
1234 *
1235 * On success, the returned key slot is locked. It is the responsibility of
1236 * the caller to unlock the key slot when it does not access it anymore.
1237 */
psa_get_and_lock_key_slot_with_policy(mbedtls_svc_key_id_t key,psa_key_slot_t ** p_slot,psa_key_usage_t usage,psa_algorithm_t alg)1238 static psa_status_t psa_get_and_lock_key_slot_with_policy(
1239 mbedtls_svc_key_id_t key,
1240 psa_key_slot_t **p_slot,
1241 psa_key_usage_t usage,
1242 psa_algorithm_t alg )
1243 {
1244 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1245 psa_key_slot_t *slot;
1246
1247 status = psa_get_and_lock_key_slot( key, p_slot );
1248 if( status != PSA_SUCCESS )
1249 return( status );
1250 slot = *p_slot;
1251
1252 /* Enforce that usage policy for the key slot contains all the flags
1253 * required by the usage parameter. There is one exception: public
1254 * keys can always be exported, so we treat public key objects as
1255 * if they had the export flag. */
1256 if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) )
1257 usage &= ~PSA_KEY_USAGE_EXPORT;
1258
1259 status = PSA_ERROR_NOT_PERMITTED;
1260 if( ( slot->attr.policy.usage & usage ) != usage )
1261 goto error;
1262
1263 /* Enforce that the usage policy permits the requested algortihm. */
1264 if( alg != 0 && ! psa_key_policy_permits( &slot->attr.policy, alg ) )
1265 goto error;
1266
1267 return( PSA_SUCCESS );
1268
1269 error:
1270 *p_slot = NULL;
1271 psa_unlock_key_slot( slot );
1272
1273 return( status );
1274 }
1275
1276 /** Get a key slot containing a transparent key and lock it.
1277 *
1278 * A transparent key is a key for which the key material is directly
1279 * available, as opposed to a key in a secure element.
1280 *
1281 * This is a temporary function to use instead of
1282 * psa_get_and_lock_key_slot_with_policy() until secure element support is
1283 * fully implemented.
1284 *
1285 * On success, the returned key slot is locked. It is the responsibility of the
1286 * caller to unlock the key slot when it does not access it anymore.
1287 */
1288 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
psa_get_and_lock_transparent_key_slot_with_policy(mbedtls_svc_key_id_t key,psa_key_slot_t ** p_slot,psa_key_usage_t usage,psa_algorithm_t alg)1289 static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
1290 mbedtls_svc_key_id_t key,
1291 psa_key_slot_t **p_slot,
1292 psa_key_usage_t usage,
1293 psa_algorithm_t alg )
1294 {
1295 psa_status_t status = psa_get_and_lock_key_slot_with_policy( key, p_slot,
1296 usage, alg );
1297 if( status != PSA_SUCCESS )
1298 return( status );
1299
1300 if( psa_key_slot_is_external( *p_slot ) )
1301 {
1302 psa_unlock_key_slot( *p_slot );
1303 *p_slot = NULL;
1304 return( PSA_ERROR_NOT_SUPPORTED );
1305 }
1306
1307 return( PSA_SUCCESS );
1308 }
1309 #else /* MBEDTLS_PSA_CRYPTO_SE_C */
1310 /* With no secure element support, all keys are transparent. */
1311 #define psa_get_and_lock_transparent_key_slot_with_policy( key, p_slot, usage, alg ) \
1312 psa_get_and_lock_key_slot_with_policy( key, p_slot, usage, alg )
1313 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1314
1315 /** Wipe key data from a slot. Preserve metadata such as the policy. */
psa_remove_key_data_from_memory(psa_key_slot_t * slot)1316 static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
1317 {
1318 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1319 if( psa_key_slot_is_external( slot ) )
1320 {
1321 /* No key material to clean. */
1322 }
1323 else
1324 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1325 {
1326 /* Data pointer will always be either a valid pointer or NULL in an
1327 * initialized slot, so we can just free it. */
1328 if( slot->data.key.data != NULL )
1329 mbedtls_platform_zeroize( slot->data.key.data, slot->data.key.bytes);
1330 mbedtls_free( slot->data.key.data );
1331 slot->data.key.data = NULL;
1332 slot->data.key.bytes = 0;
1333 }
1334
1335 return( PSA_SUCCESS );
1336 }
1337
1338 /** Completely wipe a slot in memory, including its policy.
1339 * Persistent storage is not affected. */
psa_wipe_key_slot(psa_key_slot_t * slot)1340 psa_status_t psa_wipe_key_slot( psa_key_slot_t *slot )
1341 {
1342 psa_status_t status = psa_remove_key_data_from_memory( slot );
1343
1344 /*
1345 * As the return error code may not be handled in case of multiple errors,
1346 * do our best to report an unexpected lock counter: if available
1347 * call MBEDTLS_PARAM_FAILED that may terminate execution (if called as
1348 * part of the execution of a test suite this will stop the test suite
1349 * execution).
1350 */
1351 if( slot->lock_count != 1 )
1352 {
1353 #ifdef MBEDTLS_CHECK_PARAMS
1354 MBEDTLS_PARAM_FAILED( slot->lock_count == 1 );
1355 #endif
1356 status = PSA_ERROR_CORRUPTION_DETECTED;
1357 }
1358
1359 /* Multipart operations may still be using the key. This is safe
1360 * because all multipart operation objects are independent from
1361 * the key slot: if they need to access the key after the setup
1362 * phase, they have a copy of the key. Note that this means that
1363 * key material can linger until all operations are completed. */
1364 /* At this point, key material and other type-specific content has
1365 * been wiped. Clear remaining metadata. We can call memset and not
1366 * zeroize because the metadata is not particularly sensitive. */
1367 memset( slot, 0, sizeof( *slot ) );
1368 return( status );
1369 }
1370
psa_destroy_key(mbedtls_svc_key_id_t key)1371 psa_status_t psa_destroy_key( mbedtls_svc_key_id_t key )
1372 {
1373 psa_key_slot_t *slot;
1374 psa_status_t status; /* status of the last operation */
1375 psa_status_t overall_status = PSA_SUCCESS;
1376 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1377 psa_se_drv_table_entry_t *driver;
1378 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1379
1380 if( mbedtls_svc_key_id_is_null( key ) )
1381 return( PSA_SUCCESS );
1382
1383 /*
1384 * Get the description of the key in a key slot. In case of a persistent
1385 * key, this will load the key description from persistent memory if not
1386 * done yet. We cannot avoid this loading as without it we don't know if
1387 * the key is operated by an SE or not and this information is needed by
1388 * the current implementation.
1389 */
1390 status = psa_get_and_lock_key_slot( key, &slot );
1391 if( status != PSA_SUCCESS )
1392 return( status );
1393
1394 /*
1395 * If the key slot containing the key description is under access by the
1396 * library (apart from the present access), the key cannot be destroyed
1397 * yet. For the time being, just return in error. Eventually (to be
1398 * implemented), the key should be destroyed when all accesses have
1399 * stopped.
1400 */
1401 if( slot->lock_count > 1 )
1402 {
1403 psa_unlock_key_slot( slot );
1404 return( PSA_ERROR_GENERIC_ERROR );
1405 }
1406
1407 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1408 driver = psa_get_se_driver_entry( slot->attr.lifetime );
1409 if( driver != NULL )
1410 {
1411 /* For a key in a secure element, we need to do three things:
1412 * remove the key file in internal storage, destroy the
1413 * key inside the secure element, and update the driver's
1414 * persistent data. Start a transaction that will encompass these
1415 * three actions. */
1416 psa_crypto_prepare_transaction( PSA_CRYPTO_TRANSACTION_DESTROY_KEY );
1417 psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
1418 psa_crypto_transaction.key.slot = slot->data.se.slot_number;
1419 psa_crypto_transaction.key.id = slot->attr.id;
1420 status = psa_crypto_save_transaction( );
1421 if( status != PSA_SUCCESS )
1422 {
1423 (void) psa_crypto_stop_transaction( );
1424 /* We should still try to destroy the key in the secure
1425 * element and the key metadata in storage. This is especially
1426 * important if the error is that the storage is full.
1427 * But how to do it exactly without risking an inconsistent
1428 * state after a reset?
1429 * https://github.com/ARMmbed/mbed-crypto/issues/215
1430 */
1431 overall_status = status;
1432 goto exit;
1433 }
1434
1435 status = psa_destroy_se_key( driver, slot->data.se.slot_number );
1436 if( overall_status == PSA_SUCCESS )
1437 overall_status = status;
1438 }
1439 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1440
1441 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
1442 if( ! PSA_KEY_LIFETIME_IS_VOLATILE( slot->attr.lifetime ) )
1443 {
1444 status = psa_destroy_persistent_key( slot->attr.id );
1445 if( overall_status == PSA_SUCCESS )
1446 overall_status = status;
1447
1448 /* TODO: other slots may have a copy of the same key. We should
1449 * invalidate them.
1450 * https://github.com/ARMmbed/mbed-crypto/issues/214
1451 */
1452 }
1453 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
1454
1455 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1456 if( driver != NULL )
1457 {
1458 status = psa_save_se_persistent_data( driver );
1459 if( overall_status == PSA_SUCCESS )
1460 overall_status = status;
1461 status = psa_crypto_stop_transaction( );
1462 if( overall_status == PSA_SUCCESS )
1463 overall_status = status;
1464 }
1465 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1466
1467 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1468 exit:
1469 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1470 status = psa_wipe_key_slot( slot );
1471 /* Prioritize CORRUPTION_DETECTED from wiping over a storage error */
1472 if( overall_status == PSA_SUCCESS )
1473 overall_status = status;
1474 return( overall_status );
1475 }
1476
psa_reset_key_attributes(psa_key_attributes_t * attributes)1477 void psa_reset_key_attributes( psa_key_attributes_t *attributes )
1478 {
1479 mbedtls_free( attributes->domain_parameters );
1480 memset( attributes, 0, sizeof( *attributes ) );
1481 }
1482
psa_set_key_domain_parameters(psa_key_attributes_t * attributes,psa_key_type_t type,const uint8_t * data,size_t data_length)1483 psa_status_t psa_set_key_domain_parameters( psa_key_attributes_t *attributes,
1484 psa_key_type_t type,
1485 const uint8_t *data,
1486 size_t data_length )
1487 {
1488 uint8_t *copy = NULL;
1489
1490 if( data_length != 0 )
1491 {
1492 copy = mbedtls_calloc( 1, data_length );
1493 if( copy == NULL )
1494 return( PSA_ERROR_INSUFFICIENT_MEMORY );
1495 memcpy( copy, data, data_length );
1496 }
1497 /* After this point, this function is guaranteed to succeed, so it
1498 * can start modifying `*attributes`. */
1499
1500 if( attributes->domain_parameters != NULL )
1501 {
1502 mbedtls_free( attributes->domain_parameters );
1503 attributes->domain_parameters = NULL;
1504 attributes->domain_parameters_size = 0;
1505 }
1506
1507 attributes->domain_parameters = copy;
1508 attributes->domain_parameters_size = data_length;
1509 attributes->core.type = type;
1510 return( PSA_SUCCESS );
1511 }
1512
psa_get_key_domain_parameters(const psa_key_attributes_t * attributes,uint8_t * data,size_t data_size,size_t * data_length)1513 psa_status_t psa_get_key_domain_parameters(
1514 const psa_key_attributes_t *attributes,
1515 uint8_t *data, size_t data_size, size_t *data_length )
1516 {
1517 if( attributes->domain_parameters_size > data_size )
1518 return( PSA_ERROR_BUFFER_TOO_SMALL );
1519 *data_length = attributes->domain_parameters_size;
1520 if( attributes->domain_parameters_size != 0 )
1521 memcpy( data, attributes->domain_parameters,
1522 attributes->domain_parameters_size );
1523 return( PSA_SUCCESS );
1524 }
1525
1526 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
1527 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
psa_get_rsa_public_exponent(const mbedtls_rsa_context * rsa,psa_key_attributes_t * attributes)1528 static psa_status_t psa_get_rsa_public_exponent(
1529 const mbedtls_rsa_context *rsa,
1530 psa_key_attributes_t *attributes )
1531 {
1532 mbedtls_mpi mpi;
1533 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1534 uint8_t *buffer = NULL;
1535 size_t buflen;
1536 mbedtls_mpi_init( &mpi );
1537
1538 ret = mbedtls_rsa_export( rsa, NULL, NULL, NULL, NULL, &mpi );
1539 if( ret != 0 )
1540 goto exit;
1541 if( mbedtls_mpi_cmp_int( &mpi, 65537 ) == 0 )
1542 {
1543 /* It's the default value, which is reported as an empty string,
1544 * so there's nothing to do. */
1545 goto exit;
1546 }
1547
1548 buflen = mbedtls_mpi_size( &mpi );
1549 buffer = mbedtls_calloc( 1, buflen );
1550 if( buffer == NULL )
1551 {
1552 ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
1553 goto exit;
1554 }
1555 ret = mbedtls_mpi_write_binary( &mpi, buffer, buflen );
1556 if( ret != 0 )
1557 goto exit;
1558 attributes->domain_parameters = buffer;
1559 attributes->domain_parameters_size = buflen;
1560
1561 exit:
1562 mbedtls_mpi_free( &mpi );
1563 if( ret != 0 )
1564 mbedtls_free( buffer );
1565 return( mbedtls_to_psa_error( ret ) );
1566 }
1567 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
1568 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
1569
1570 /** Retrieve all the publicly-accessible attributes of a key.
1571 */
psa_get_key_attributes(mbedtls_svc_key_id_t key,psa_key_attributes_t * attributes)1572 psa_status_t psa_get_key_attributes( mbedtls_svc_key_id_t key,
1573 psa_key_attributes_t *attributes )
1574 {
1575 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1576 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
1577 psa_key_slot_t *slot;
1578
1579 psa_reset_key_attributes( attributes );
1580
1581 status = psa_get_and_lock_key_slot_with_policy( key, &slot, 0, 0 );
1582 if( status != PSA_SUCCESS )
1583 return( status );
1584
1585 attributes->core = slot->attr;
1586 attributes->core.flags &= ( MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY |
1587 MBEDTLS_PSA_KA_MASK_DUAL_USE );
1588
1589 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1590 if( psa_key_slot_is_external( slot ) )
1591 psa_set_key_slot_number( attributes, slot->data.se.slot_number );
1592 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1593
1594 switch( slot->attr.type )
1595 {
1596 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
1597 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
1598 case PSA_KEY_TYPE_RSA_KEY_PAIR:
1599 case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
1600 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1601 /* TODO: reporting the public exponent for opaque keys
1602 * is not yet implemented.
1603 * https://github.com/ARMmbed/mbed-crypto/issues/216
1604 */
1605 if( psa_key_slot_is_external( slot ) )
1606 break;
1607 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1608 {
1609 mbedtls_rsa_context *rsa = NULL;
1610
1611 status = psa_load_rsa_representation( slot->attr.type,
1612 slot->data.key.data,
1613 slot->data.key.bytes,
1614 &rsa );
1615 if( status != PSA_SUCCESS )
1616 break;
1617
1618 status = psa_get_rsa_public_exponent( rsa,
1619 attributes );
1620 mbedtls_rsa_free( rsa );
1621 mbedtls_free( rsa );
1622 }
1623 break;
1624 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
1625 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
1626 default:
1627 /* Nothing else to do. */
1628 break;
1629 }
1630
1631 if( status != PSA_SUCCESS )
1632 psa_reset_key_attributes( attributes );
1633
1634 unlock_status = psa_unlock_key_slot( slot );
1635
1636 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
1637 }
1638
1639 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
psa_get_key_slot_number(const psa_key_attributes_t * attributes,psa_key_slot_number_t * slot_number)1640 psa_status_t psa_get_key_slot_number(
1641 const psa_key_attributes_t *attributes,
1642 psa_key_slot_number_t *slot_number )
1643 {
1644 if( attributes->core.flags & MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER )
1645 {
1646 *slot_number = attributes->slot_number;
1647 return( PSA_SUCCESS );
1648 }
1649 else
1650 return( PSA_ERROR_INVALID_ARGUMENT );
1651 }
1652 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1653
psa_internal_export_key_buffer(const psa_key_slot_t * slot,uint8_t * data,size_t data_size,size_t * data_length)1654 static psa_status_t psa_internal_export_key_buffer( const psa_key_slot_t *slot,
1655 uint8_t *data,
1656 size_t data_size,
1657 size_t *data_length )
1658 {
1659 if( slot->data.key.bytes > data_size )
1660 return( PSA_ERROR_BUFFER_TOO_SMALL );
1661 memcpy( data, slot->data.key.data, slot->data.key.bytes );
1662 memset( data + slot->data.key.bytes, 0,
1663 data_size - slot->data.key.bytes );
1664 *data_length = slot->data.key.bytes;
1665 return( PSA_SUCCESS );
1666 }
1667
psa_internal_export_key(const psa_key_slot_t * slot,uint8_t * data,size_t data_size,size_t * data_length,int export_public_key)1668 static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
1669 uint8_t *data,
1670 size_t data_size,
1671 size_t *data_length,
1672 int export_public_key )
1673 {
1674 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1675 const psa_drv_se_t *drv;
1676 psa_drv_se_context_t *drv_context;
1677 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1678
1679 *data_length = 0;
1680
1681 if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) )
1682 return( PSA_ERROR_INVALID_ARGUMENT );
1683
1684 /* Reject a zero-length output buffer now, since this can never be a
1685 * valid key representation. This way we know that data must be a valid
1686 * pointer and we can do things like memset(data, ..., data_size). */
1687 if( data_size == 0 )
1688 return( PSA_ERROR_BUFFER_TOO_SMALL );
1689
1690 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1691 if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
1692 {
1693 psa_drv_se_export_key_t method;
1694 if( drv->key_management == NULL )
1695 return( PSA_ERROR_NOT_SUPPORTED );
1696 method = ( export_public_key ?
1697 drv->key_management->p_export_public :
1698 drv->key_management->p_export );
1699 if( method == NULL )
1700 return( PSA_ERROR_NOT_SUPPORTED );
1701 return( method( drv_context,
1702 slot->data.se.slot_number,
1703 data, data_size, data_length ) );
1704 }
1705 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1706
1707 if( key_type_is_raw_bytes( slot->attr.type ) )
1708 {
1709 return( psa_internal_export_key_buffer( slot, data, data_size, data_length ) );
1710 }
1711 else if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ||
1712 PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
1713 {
1714 if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) )
1715 {
1716 /* Exporting public -> public */
1717 return( psa_internal_export_key_buffer( slot, data, data_size, data_length ) );
1718 }
1719 else if( !export_public_key )
1720 {
1721 /* Exporting private -> private */
1722 return( psa_internal_export_key_buffer( slot, data, data_size, data_length ) );
1723 }
1724
1725 /* Need to export the public part of a private key,
1726 * so conversion is needed. Try the accelerators first. */
1727 psa_status_t status = psa_driver_wrapper_export_public_key( slot,
1728 data,
1729 data_size,
1730 data_length );
1731
1732 if( status != PSA_ERROR_NOT_SUPPORTED ||
1733 psa_key_lifetime_is_external( slot->attr.lifetime ) )
1734 return( status );
1735
1736 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
1737 {
1738 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
1739 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
1740 mbedtls_rsa_context *rsa = NULL;
1741 status = psa_load_rsa_representation(
1742 slot->attr.type,
1743 slot->data.key.data,
1744 slot->data.key.bytes,
1745 &rsa );
1746 if( status != PSA_SUCCESS )
1747 return( status );
1748
1749 status = psa_export_rsa_key( PSA_KEY_TYPE_RSA_PUBLIC_KEY,
1750 rsa,
1751 data,
1752 data_size,
1753 data_length );
1754
1755 mbedtls_rsa_free( rsa );
1756 mbedtls_free( rsa );
1757
1758 return( status );
1759 #else
1760 /* We don't know how to convert a private RSA key to public. */
1761 return( PSA_ERROR_NOT_SUPPORTED );
1762 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
1763 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
1764 }
1765 else
1766 {
1767 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
1768 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
1769 mbedtls_ecp_keypair *ecp = NULL;
1770 status = psa_load_ecp_representation(
1771 slot->attr.type,
1772 slot->data.key.data,
1773 slot->data.key.bytes,
1774 &ecp );
1775 if( status != PSA_SUCCESS )
1776 return( status );
1777
1778 status = psa_export_ecp_key( PSA_KEY_TYPE_ECC_PUBLIC_KEY(
1779 PSA_KEY_TYPE_ECC_GET_FAMILY(
1780 slot->attr.type ) ),
1781 ecp,
1782 data,
1783 data_size,
1784 data_length );
1785
1786 mbedtls_ecp_keypair_free( ecp );
1787 mbedtls_free( ecp );
1788 return( status );
1789 #else
1790 /* We don't know how to convert a private ECC key to public */
1791 return( PSA_ERROR_NOT_SUPPORTED );
1792 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
1793 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
1794 }
1795 }
1796 else
1797 {
1798 /* This shouldn't happen in the reference implementation, but
1799 it is valid for a special-purpose implementation to omit
1800 support for exporting certain key types. */
1801 return( PSA_ERROR_NOT_SUPPORTED );
1802 }
1803 }
1804
psa_export_key(mbedtls_svc_key_id_t key,uint8_t * data,size_t data_size,size_t * data_length)1805 psa_status_t psa_export_key( mbedtls_svc_key_id_t key,
1806 uint8_t *data,
1807 size_t data_size,
1808 size_t *data_length )
1809 {
1810 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1811 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
1812 psa_key_slot_t *slot;
1813
1814 /* Set the key to empty now, so that even when there are errors, we always
1815 * set data_length to a value between 0 and data_size. On error, setting
1816 * the key to empty is a good choice because an empty key representation is
1817 * unlikely to be accepted anywhere. */
1818 *data_length = 0;
1819
1820 /* Export requires the EXPORT flag. There is an exception for public keys,
1821 * which don't require any flag, but
1822 * psa_get_and_lock_key_slot_with_policy() takes care of this.
1823 */
1824 status = psa_get_and_lock_key_slot_with_policy( key, &slot,
1825 PSA_KEY_USAGE_EXPORT, 0 );
1826 if( status != PSA_SUCCESS )
1827 return( status );
1828
1829 status = psa_internal_export_key( slot, data, data_size, data_length, 0 );
1830 unlock_status = psa_unlock_key_slot( slot );
1831
1832 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
1833 }
1834
psa_export_public_key(mbedtls_svc_key_id_t key,uint8_t * data,size_t data_size,size_t * data_length)1835 psa_status_t psa_export_public_key( mbedtls_svc_key_id_t key,
1836 uint8_t *data,
1837 size_t data_size,
1838 size_t *data_length )
1839 {
1840 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1841 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
1842 psa_key_slot_t *slot;
1843
1844 /* Set the key to empty now, so that even when there are errors, we always
1845 * set data_length to a value between 0 and data_size. On error, setting
1846 * the key to empty is a good choice because an empty key representation is
1847 * unlikely to be accepted anywhere. */
1848 *data_length = 0;
1849
1850 /* Exporting a public key doesn't require a usage flag. */
1851 status = psa_get_and_lock_key_slot_with_policy( key, &slot, 0, 0 );
1852 if( status != PSA_SUCCESS )
1853 return( status );
1854
1855 status = psa_internal_export_key( slot, data, data_size, data_length, 1 );
1856 unlock_status = psa_unlock_key_slot( slot );
1857
1858 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
1859 }
1860
1861 #if defined(static_assert)
1862 static_assert( ( MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_DUAL_USE ) == 0,
1863 "One or more key attribute flag is listed as both external-only and dual-use" );
1864 static_assert( ( PSA_KA_MASK_INTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_DUAL_USE ) == 0,
1865 "One or more key attribute flag is listed as both internal-only and dual-use" );
1866 static_assert( ( PSA_KA_MASK_INTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY ) == 0,
1867 "One or more key attribute flag is listed as both internal-only and external-only" );
1868 #endif
1869
1870 /** Validate that a key policy is internally well-formed.
1871 *
1872 * This function only rejects invalid policies. It does not validate the
1873 * consistency of the policy with respect to other attributes of the key
1874 * such as the key type.
1875 */
psa_validate_key_policy(const psa_key_policy_t * policy)1876 static psa_status_t psa_validate_key_policy( const psa_key_policy_t *policy )
1877 {
1878 if( ( policy->usage & ~( PSA_KEY_USAGE_EXPORT |
1879 PSA_KEY_USAGE_COPY |
1880 PSA_KEY_USAGE_ENCRYPT |
1881 PSA_KEY_USAGE_DECRYPT |
1882 PSA_KEY_USAGE_SIGN_HASH |
1883 PSA_KEY_USAGE_VERIFY_HASH |
1884 PSA_KEY_USAGE_DERIVE ) ) != 0 )
1885 return( PSA_ERROR_INVALID_ARGUMENT );
1886
1887 return( PSA_SUCCESS );
1888 }
1889
1890 /** Validate the internal consistency of key attributes.
1891 *
1892 * This function only rejects invalid attribute values. If does not
1893 * validate the consistency of the attributes with any key data that may
1894 * be involved in the creation of the key.
1895 *
1896 * Call this function early in the key creation process.
1897 *
1898 * \param[in] attributes Key attributes for the new key.
1899 * \param[out] p_drv On any return, the driver for the key, if any.
1900 * NULL for a transparent key.
1901 *
1902 */
psa_validate_key_attributes(const psa_key_attributes_t * attributes,psa_se_drv_table_entry_t ** p_drv)1903 static psa_status_t psa_validate_key_attributes(
1904 const psa_key_attributes_t *attributes,
1905 psa_se_drv_table_entry_t **p_drv )
1906 {
1907 psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
1908 psa_key_lifetime_t lifetime = psa_get_key_lifetime( attributes );
1909 mbedtls_svc_key_id_t key = psa_get_key_id( attributes );
1910
1911 status = psa_validate_key_location( lifetime, p_drv );
1912 if( status != PSA_SUCCESS )
1913 return( status );
1914
1915 status = psa_validate_key_persistence( lifetime );
1916 if( status != PSA_SUCCESS )
1917 return( status );
1918
1919 if ( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
1920 {
1921 if( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key ) != 0 )
1922 return( PSA_ERROR_INVALID_ARGUMENT );
1923 }
1924 else
1925 {
1926 status = psa_validate_key_id( psa_get_key_id( attributes ), 0 );
1927 if( status != PSA_SUCCESS )
1928 return( status );
1929 }
1930
1931 status = psa_validate_key_policy( &attributes->core.policy );
1932 if( status != PSA_SUCCESS )
1933 return( status );
1934
1935 /* Refuse to create overly large keys.
1936 * Note that this doesn't trigger on import if the attributes don't
1937 * explicitly specify a size (so psa_get_key_bits returns 0), so
1938 * psa_import_key() needs its own checks. */
1939 if( psa_get_key_bits( attributes ) > PSA_MAX_KEY_BITS )
1940 return( PSA_ERROR_NOT_SUPPORTED );
1941
1942 /* Reject invalid flags. These should not be reachable through the API. */
1943 if( attributes->core.flags & ~ ( MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY |
1944 MBEDTLS_PSA_KA_MASK_DUAL_USE ) )
1945 return( PSA_ERROR_INVALID_ARGUMENT );
1946
1947 return( PSA_SUCCESS );
1948 }
1949
1950 /** Prepare a key slot to receive key material.
1951 *
1952 * This function allocates a key slot and sets its metadata.
1953 *
1954 * If this function fails, call psa_fail_key_creation().
1955 *
1956 * This function is intended to be used as follows:
1957 * -# Call psa_start_key_creation() to allocate a key slot, prepare
1958 * it with the specified attributes, and in case of a volatile key assign it
1959 * a volatile key identifier.
1960 * -# Populate the slot with the key material.
1961 * -# Call psa_finish_key_creation() to finalize the creation of the slot.
1962 * In case of failure at any step, stop the sequence and call
1963 * psa_fail_key_creation().
1964 *
1965 * On success, the key slot is locked. It is the responsibility of the caller
1966 * to unlock the key slot when it does not access it anymore.
1967 *
1968 * \param method An identification of the calling function.
1969 * \param[in] attributes Key attributes for the new key.
1970 * \param[out] p_slot On success, a pointer to the prepared slot.
1971 * \param[out] p_drv On any return, the driver for the key, if any.
1972 * NULL for a transparent key.
1973 *
1974 * \retval #PSA_SUCCESS
1975 * The key slot is ready to receive key material.
1976 * \return If this function fails, the key slot is an invalid state.
1977 * You must call psa_fail_key_creation() to wipe and free the slot.
1978 */
psa_start_key_creation(psa_key_creation_method_t method,const psa_key_attributes_t * attributes,psa_key_slot_t ** p_slot,psa_se_drv_table_entry_t ** p_drv)1979 static psa_status_t psa_start_key_creation(
1980 psa_key_creation_method_t method,
1981 const psa_key_attributes_t *attributes,
1982 psa_key_slot_t **p_slot,
1983 psa_se_drv_table_entry_t **p_drv )
1984 {
1985 psa_status_t status;
1986 psa_key_id_t volatile_key_id;
1987 psa_key_slot_t *slot;
1988
1989 (void) method;
1990 *p_drv = NULL;
1991
1992 status = psa_validate_key_attributes( attributes, p_drv );
1993 if( status != PSA_SUCCESS )
1994 return( status );
1995
1996 status = psa_get_empty_key_slot( &volatile_key_id, p_slot );
1997 if( status != PSA_SUCCESS )
1998 return( status );
1999 slot = *p_slot;
2000
2001 /* We're storing the declared bit-size of the key. It's up to each
2002 * creation mechanism to verify that this information is correct.
2003 * It's automatically correct for mechanisms that use the bit-size as
2004 * an input (generate, device) but not for those where the bit-size
2005 * is optional (import, copy). In case of a volatile key, assign it the
2006 * volatile key identifier associated to the slot returned to contain its
2007 * definition. */
2008
2009 slot->attr = attributes->core;
2010 if( PSA_KEY_LIFETIME_IS_VOLATILE( slot->attr.lifetime ) )
2011 {
2012 #if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
2013 slot->attr.id = volatile_key_id;
2014 #else
2015 slot->attr.id.key_id = volatile_key_id;
2016 #endif
2017 }
2018
2019 /* Erase external-only flags from the internal copy. To access
2020 * external-only flags, query `attributes`. Thanks to the check
2021 * in psa_validate_key_attributes(), this leaves the dual-use
2022 * flags and any internal flag that psa_get_empty_key_slot()
2023 * may have set. */
2024 slot->attr.flags &= ~MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY;
2025
2026 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
2027 /* For a key in a secure element, we need to do three things
2028 * when creating or registering a persistent key:
2029 * create the key file in internal storage, create the
2030 * key inside the secure element, and update the driver's
2031 * persistent data. This is done by starting a transaction that will
2032 * encompass these three actions.
2033 * For registering a volatile key, we just need to find an appropriate
2034 * slot number inside the SE. Since the key is designated volatile, creating
2035 * a transaction is not required. */
2036 /* The first thing to do is to find a slot number for the new key.
2037 * We save the slot number in persistent storage as part of the
2038 * transaction data. It will be needed to recover if the power
2039 * fails during the key creation process, to clean up on the secure
2040 * element side after restarting. Obtaining a slot number from the
2041 * secure element driver updates its persistent state, but we do not yet
2042 * save the driver's persistent state, so that if the power fails,
2043 * we can roll back to a state where the key doesn't exist. */
2044 if( *p_drv != NULL )
2045 {
2046 status = psa_find_se_slot_for_key( attributes, method, *p_drv,
2047 &slot->data.se.slot_number );
2048 if( status != PSA_SUCCESS )
2049 return( status );
2050
2051 if( ! PSA_KEY_LIFETIME_IS_VOLATILE( attributes->core.lifetime ) )
2052 {
2053 psa_crypto_prepare_transaction( PSA_CRYPTO_TRANSACTION_CREATE_KEY );
2054 psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
2055 psa_crypto_transaction.key.slot = slot->data.se.slot_number;
2056 psa_crypto_transaction.key.id = slot->attr.id;
2057 status = psa_crypto_save_transaction( );
2058 if( status != PSA_SUCCESS )
2059 {
2060 (void) psa_crypto_stop_transaction( );
2061 return( status );
2062 }
2063 }
2064 }
2065
2066 if( *p_drv == NULL && method == PSA_KEY_CREATION_REGISTER )
2067 {
2068 /* Key registration only makes sense with a secure element. */
2069 return( PSA_ERROR_INVALID_ARGUMENT );
2070 }
2071 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2072
2073 return( PSA_SUCCESS );
2074 }
2075
2076 /** Finalize the creation of a key once its key material has been set.
2077 *
2078 * This entails writing the key to persistent storage.
2079 *
2080 * If this function fails, call psa_fail_key_creation().
2081 * See the documentation of psa_start_key_creation() for the intended use
2082 * of this function.
2083 *
2084 * If the finalization succeeds, the function unlocks the key slot (it was
2085 * locked by psa_start_key_creation()) and the key slot cannot be accessed
2086 * anymore as part of the key creation process.
2087 *
2088 * \param[in,out] slot Pointer to the slot with key material.
2089 * \param[in] driver The secure element driver for the key,
2090 * or NULL for a transparent key.
2091 * \param[out] key On success, identifier of the key. Note that the
2092 * key identifier is also stored in the key slot.
2093 *
2094 * \retval #PSA_SUCCESS
2095 * The key was successfully created.
2096 * \return If this function fails, the key slot is an invalid state.
2097 * You must call psa_fail_key_creation() to wipe and free the slot.
2098 */
psa_finish_key_creation(psa_key_slot_t * slot,psa_se_drv_table_entry_t * driver,mbedtls_svc_key_id_t * key)2099 static psa_status_t psa_finish_key_creation(
2100 psa_key_slot_t *slot,
2101 psa_se_drv_table_entry_t *driver,
2102 mbedtls_svc_key_id_t *key)
2103 {
2104 psa_status_t status = PSA_SUCCESS;
2105 (void) slot;
2106 (void) driver;
2107
2108 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
2109 if( ! PSA_KEY_LIFETIME_IS_VOLATILE( slot->attr.lifetime ) )
2110 {
2111 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
2112 if( driver != NULL )
2113 {
2114 psa_se_key_data_storage_t data;
2115 #if defined(static_assert)
2116 static_assert( sizeof( slot->data.se.slot_number ) ==
2117 sizeof( data.slot_number ),
2118 "Slot number size does not match psa_se_key_data_storage_t" );
2119 #endif
2120 memcpy( &data.slot_number, &slot->data.se.slot_number,
2121 sizeof( slot->data.se.slot_number ) );
2122 status = psa_save_persistent_key( &slot->attr,
2123 (uint8_t*) &data,
2124 sizeof( data ) );
2125 }
2126 else
2127 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2128 {
2129 /* Key material is saved in export representation in the slot, so
2130 * just pass the slot buffer for storage. */
2131 status = psa_save_persistent_key( &slot->attr,
2132 slot->data.key.data,
2133 slot->data.key.bytes );
2134 }
2135 }
2136 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
2137
2138 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
2139 /* Finish the transaction for a key creation. This does not
2140 * happen when registering an existing key. Detect this case
2141 * by checking whether a transaction is in progress (actual
2142 * creation of a persistent key in a secure element requires a transaction,
2143 * but registration or volatile key creation doesn't use one). */
2144 if( driver != NULL &&
2145 psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY )
2146 {
2147 status = psa_save_se_persistent_data( driver );
2148 if( status != PSA_SUCCESS )
2149 {
2150 psa_destroy_persistent_key( slot->attr.id );
2151 return( status );
2152 }
2153 status = psa_crypto_stop_transaction( );
2154 }
2155 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2156
2157 if( status == PSA_SUCCESS )
2158 {
2159 *key = slot->attr.id;
2160 status = psa_unlock_key_slot( slot );
2161 if( status != PSA_SUCCESS )
2162 *key = MBEDTLS_SVC_KEY_ID_INIT;
2163 }
2164
2165 return( status );
2166 }
2167
2168 /** Abort the creation of a key.
2169 *
2170 * You may call this function after calling psa_start_key_creation(),
2171 * or after psa_finish_key_creation() fails. In other circumstances, this
2172 * function may not clean up persistent storage.
2173 * See the documentation of psa_start_key_creation() for the intended use
2174 * of this function.
2175 *
2176 * \param[in,out] slot Pointer to the slot with key material.
2177 * \param[in] driver The secure element driver for the key,
2178 * or NULL for a transparent key.
2179 */
psa_fail_key_creation(psa_key_slot_t * slot,psa_se_drv_table_entry_t * driver)2180 static void psa_fail_key_creation( psa_key_slot_t *slot,
2181 psa_se_drv_table_entry_t *driver )
2182 {
2183 (void) driver;
2184
2185 if( slot == NULL )
2186 return;
2187
2188 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
2189 /* TODO: If the key has already been created in the secure
2190 * element, and the failure happened later (when saving metadata
2191 * to internal storage), we need to destroy the key in the secure
2192 * element.
2193 * https://github.com/ARMmbed/mbed-crypto/issues/217
2194 */
2195
2196 /* Abort the ongoing transaction if any (there may not be one if
2197 * the creation process failed before starting one, or if the
2198 * key creation is a registration of a key in a secure element).
2199 * Earlier functions must already have done what it takes to undo any
2200 * partial creation. All that's left is to update the transaction data
2201 * itself. */
2202 (void) psa_crypto_stop_transaction( );
2203 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2204
2205 psa_wipe_key_slot( slot );
2206 }
2207
2208 /** Validate optional attributes during key creation.
2209 *
2210 * Some key attributes are optional during key creation. If they are
2211 * specified in the attributes structure, check that they are consistent
2212 * with the data in the slot.
2213 *
2214 * This function should be called near the end of key creation, after
2215 * the slot in memory is fully populated but before saving persistent data.
2216 */
psa_validate_optional_attributes(const psa_key_slot_t * slot,const psa_key_attributes_t * attributes)2217 static psa_status_t psa_validate_optional_attributes(
2218 const psa_key_slot_t *slot,
2219 const psa_key_attributes_t *attributes )
2220 {
2221 if( attributes->core.type != 0 )
2222 {
2223 if( attributes->core.type != slot->attr.type )
2224 return( PSA_ERROR_INVALID_ARGUMENT );
2225 }
2226
2227 if( attributes->domain_parameters_size != 0 )
2228 {
2229 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
2230 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
2231 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
2232 {
2233 mbedtls_rsa_context *rsa = NULL;
2234 mbedtls_mpi actual, required;
2235 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2236
2237 psa_status_t status = psa_load_rsa_representation(
2238 slot->attr.type,
2239 slot->data.key.data,
2240 slot->data.key.bytes,
2241 &rsa );
2242 if( status != PSA_SUCCESS )
2243 return( status );
2244
2245 mbedtls_mpi_init( &actual );
2246 mbedtls_mpi_init( &required );
2247 ret = mbedtls_rsa_export( rsa,
2248 NULL, NULL, NULL, NULL, &actual );
2249 mbedtls_rsa_free( rsa );
2250 mbedtls_free( rsa );
2251 if( ret != 0 )
2252 goto rsa_exit;
2253 ret = mbedtls_mpi_read_binary( &required,
2254 attributes->domain_parameters,
2255 attributes->domain_parameters_size );
2256 if( ret != 0 )
2257 goto rsa_exit;
2258 if( mbedtls_mpi_cmp_mpi( &actual, &required ) != 0 )
2259 ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
2260 rsa_exit:
2261 mbedtls_mpi_free( &actual );
2262 mbedtls_mpi_free( &required );
2263 if( ret != 0)
2264 return( mbedtls_to_psa_error( ret ) );
2265 }
2266 else
2267 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
2268 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
2269 {
2270 return( PSA_ERROR_INVALID_ARGUMENT );
2271 }
2272 }
2273
2274 if( attributes->core.bits != 0 )
2275 {
2276 if( attributes->core.bits != slot->attr.bits )
2277 return( PSA_ERROR_INVALID_ARGUMENT );
2278 }
2279
2280 return( PSA_SUCCESS );
2281 }
2282
psa_import_key(const psa_key_attributes_t * attributes,const uint8_t * data,size_t data_length,mbedtls_svc_key_id_t * key)2283 psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
2284 const uint8_t *data,
2285 size_t data_length,
2286 mbedtls_svc_key_id_t *key )
2287 {
2288 psa_status_t status;
2289 psa_key_slot_t *slot = NULL;
2290 psa_se_drv_table_entry_t *driver = NULL;
2291
2292 *key = MBEDTLS_SVC_KEY_ID_INIT;
2293
2294 /* Reject zero-length symmetric keys (including raw data key objects).
2295 * This also rejects any key which might be encoded as an empty string,
2296 * which is never valid. */
2297 if( data_length == 0 )
2298 return( PSA_ERROR_INVALID_ARGUMENT );
2299
2300 status = psa_start_key_creation( PSA_KEY_CREATION_IMPORT, attributes,
2301 &slot, &driver );
2302 if( status != PSA_SUCCESS )
2303 goto exit;
2304
2305 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
2306 if( driver != NULL )
2307 {
2308 const psa_drv_se_t *drv = psa_get_se_driver_methods( driver );
2309 /* The driver should set the number of key bits, however in
2310 * case it doesn't, we initialize bits to an invalid value. */
2311 size_t bits = PSA_MAX_KEY_BITS + 1;
2312 if( drv->key_management == NULL ||
2313 drv->key_management->p_import == NULL )
2314 {
2315 status = PSA_ERROR_NOT_SUPPORTED;
2316 goto exit;
2317 }
2318 status = drv->key_management->p_import(
2319 psa_get_se_driver_context( driver ),
2320 slot->data.se.slot_number, attributes, data, data_length,
2321 &bits );
2322 if( status != PSA_SUCCESS )
2323 goto exit;
2324 if( bits > PSA_MAX_KEY_BITS )
2325 {
2326 status = PSA_ERROR_NOT_SUPPORTED;
2327 goto exit;
2328 }
2329 slot->attr.bits = (psa_key_bits_t) bits;
2330 }
2331 else
2332 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2333 {
2334 status = psa_import_key_into_slot( slot, data, data_length );
2335 if( status != PSA_SUCCESS )
2336 goto exit;
2337 }
2338 status = psa_validate_optional_attributes( slot, attributes );
2339 if( status != PSA_SUCCESS )
2340 goto exit;
2341
2342 status = psa_finish_key_creation( slot, driver, key );
2343 exit:
2344 if( status != PSA_SUCCESS )
2345 psa_fail_key_creation( slot, driver );
2346
2347 return( status );
2348 }
2349
2350 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
mbedtls_psa_register_se_key(const psa_key_attributes_t * attributes)2351 psa_status_t mbedtls_psa_register_se_key(
2352 const psa_key_attributes_t *attributes )
2353 {
2354 psa_status_t status;
2355 psa_key_slot_t *slot = NULL;
2356 psa_se_drv_table_entry_t *driver = NULL;
2357 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2358
2359 /* Leaving attributes unspecified is not currently supported.
2360 * It could make sense to query the key type and size from the
2361 * secure element, but not all secure elements support this
2362 * and the driver HAL doesn't currently support it. */
2363 if( psa_get_key_type( attributes ) == PSA_KEY_TYPE_NONE )
2364 return( PSA_ERROR_NOT_SUPPORTED );
2365 if( psa_get_key_bits( attributes ) == 0 )
2366 return( PSA_ERROR_NOT_SUPPORTED );
2367
2368 status = psa_start_key_creation( PSA_KEY_CREATION_REGISTER, attributes,
2369 &slot, &driver );
2370 if( status != PSA_SUCCESS )
2371 goto exit;
2372
2373 status = psa_finish_key_creation( slot, driver, &key );
2374
2375 exit:
2376 if( status != PSA_SUCCESS )
2377 psa_fail_key_creation( slot, driver );
2378
2379 /* Registration doesn't keep the key in RAM. */
2380 psa_close_key( key );
2381 return( status );
2382 }
2383 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2384
psa_copy_key_material(const psa_key_slot_t * source,psa_key_slot_t * target)2385 static psa_status_t psa_copy_key_material( const psa_key_slot_t *source,
2386 psa_key_slot_t *target )
2387 {
2388 psa_status_t status = psa_copy_key_material_into_slot( target,
2389 source->data.key.data,
2390 source->data.key.bytes );
2391 if( status != PSA_SUCCESS )
2392 return( status );
2393
2394 target->attr.type = source->attr.type;
2395 target->attr.bits = source->attr.bits;
2396
2397 return( PSA_SUCCESS );
2398 }
2399
psa_copy_key(mbedtls_svc_key_id_t source_key,const psa_key_attributes_t * specified_attributes,mbedtls_svc_key_id_t * target_key)2400 psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key,
2401 const psa_key_attributes_t *specified_attributes,
2402 mbedtls_svc_key_id_t *target_key )
2403 {
2404 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2405 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2406 psa_key_slot_t *source_slot = NULL;
2407 psa_key_slot_t *target_slot = NULL;
2408 psa_key_attributes_t actual_attributes = *specified_attributes;
2409 psa_se_drv_table_entry_t *driver = NULL;
2410
2411 *target_key = MBEDTLS_SVC_KEY_ID_INIT;
2412
2413 status = psa_get_and_lock_transparent_key_slot_with_policy(
2414 source_key, &source_slot, PSA_KEY_USAGE_COPY, 0 );
2415 if( status != PSA_SUCCESS )
2416 goto exit;
2417
2418 status = psa_validate_optional_attributes( source_slot,
2419 specified_attributes );
2420 if( status != PSA_SUCCESS )
2421 goto exit;
2422
2423 status = psa_restrict_key_policy( &actual_attributes.core.policy,
2424 &source_slot->attr.policy );
2425 if( status != PSA_SUCCESS )
2426 goto exit;
2427
2428 status = psa_start_key_creation( PSA_KEY_CREATION_COPY, &actual_attributes,
2429 &target_slot, &driver );
2430 if( status != PSA_SUCCESS )
2431 goto exit;
2432
2433 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
2434 if( driver != NULL )
2435 {
2436 /* Copying to a secure element is not implemented yet. */
2437 status = PSA_ERROR_NOT_SUPPORTED;
2438 goto exit;
2439 }
2440 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2441
2442 status = psa_copy_key_material( source_slot, target_slot );
2443 if( status != PSA_SUCCESS )
2444 goto exit;
2445
2446 status = psa_finish_key_creation( target_slot, driver, target_key );
2447 exit:
2448 if( status != PSA_SUCCESS )
2449 psa_fail_key_creation( target_slot, driver );
2450
2451 unlock_status = psa_unlock_key_slot( source_slot );
2452
2453 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
2454 }
2455
2456
2457
2458 /****************************************************************/
2459 /* Message digests */
2460 /****************************************************************/
2461
2462 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
2463 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
2464 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \
2465 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
mbedtls_md_info_from_psa(psa_algorithm_t alg)2466 static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
2467 {
2468 switch( alg )
2469 {
2470 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
2471 case PSA_ALG_MD2:
2472 return( &mbedtls_md2_info );
2473 #endif
2474 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
2475 case PSA_ALG_MD4:
2476 return( &mbedtls_md4_info );
2477 #endif
2478 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
2479 case PSA_ALG_MD5:
2480 return( &mbedtls_md5_info );
2481 #endif
2482 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
2483 case PSA_ALG_RIPEMD160:
2484 return( &mbedtls_ripemd160_info );
2485 #endif
2486 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
2487 case PSA_ALG_SHA_1:
2488 return( &mbedtls_sha1_info );
2489 #endif
2490 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
2491 case PSA_ALG_SHA_224:
2492 return( &mbedtls_sha224_info );
2493 #endif
2494 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
2495 case PSA_ALG_SHA_256:
2496 return( &mbedtls_sha256_info );
2497 #endif
2498 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
2499 case PSA_ALG_SHA_384:
2500 return( &mbedtls_sha384_info );
2501 #endif
2502 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
2503 case PSA_ALG_SHA_512:
2504 return( &mbedtls_sha512_info );
2505 #endif
2506 default:
2507 return( NULL );
2508 }
2509 }
2510 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
2511 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) ||
2512 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ||
2513 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
2514
psa_hash_abort(psa_hash_operation_t * operation)2515 psa_status_t psa_hash_abort( psa_hash_operation_t *operation )
2516 {
2517 switch( operation->alg )
2518 {
2519 case 0:
2520 /* The object has (apparently) been initialized but it is not
2521 * in use. It's ok to call abort on such an object, and there's
2522 * nothing to do. */
2523 break;
2524 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
2525 case PSA_ALG_MD2:
2526 mbedtls_md2_free( &operation->ctx.md2 );
2527 break;
2528 #endif
2529 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
2530 case PSA_ALG_MD4:
2531 mbedtls_md4_free( &operation->ctx.md4 );
2532 break;
2533 #endif
2534 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
2535 case PSA_ALG_MD5:
2536 mbedtls_md5_free( &operation->ctx.md5 );
2537 break;
2538 #endif
2539 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
2540 case PSA_ALG_RIPEMD160:
2541 mbedtls_ripemd160_free( &operation->ctx.ripemd160 );
2542 break;
2543 #endif
2544 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
2545 case PSA_ALG_SHA_1:
2546 mbedtls_sha1_free( &operation->ctx.sha1 );
2547 break;
2548 #endif
2549 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
2550 case PSA_ALG_SHA_224:
2551 mbedtls_sha256_free( &operation->ctx.sha256 );
2552 break;
2553 #endif
2554 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
2555 case PSA_ALG_SHA_256:
2556 mbedtls_sha256_free( &operation->ctx.sha256 );
2557 break;
2558 #endif
2559 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
2560 case PSA_ALG_SHA_384:
2561 mbedtls_sha512_free( &operation->ctx.sha512 );
2562 break;
2563 #endif
2564 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
2565 case PSA_ALG_SHA_512:
2566 mbedtls_sha512_free( &operation->ctx.sha512 );
2567 break;
2568 #endif
2569 default:
2570 return( PSA_ERROR_BAD_STATE );
2571 }
2572 operation->alg = 0;
2573 return( PSA_SUCCESS );
2574 }
2575
psa_hash_setup(psa_hash_operation_t * operation,psa_algorithm_t alg)2576 psa_status_t psa_hash_setup( psa_hash_operation_t *operation,
2577 psa_algorithm_t alg )
2578 {
2579 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2580
2581 /* A context must be freshly initialized before it can be set up. */
2582 if( operation->alg != 0 )
2583 {
2584 return( PSA_ERROR_BAD_STATE );
2585 }
2586
2587 switch( alg )
2588 {
2589 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
2590 case PSA_ALG_MD2:
2591 mbedtls_md2_init( &operation->ctx.md2 );
2592 ret = mbedtls_md2_starts_ret( &operation->ctx.md2 );
2593 break;
2594 #endif
2595 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
2596 case PSA_ALG_MD4:
2597 mbedtls_md4_init( &operation->ctx.md4 );
2598 ret = mbedtls_md4_starts_ret( &operation->ctx.md4 );
2599 break;
2600 #endif
2601 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
2602 case PSA_ALG_MD5:
2603 mbedtls_md5_init( &operation->ctx.md5 );
2604 ret = mbedtls_md5_starts_ret( &operation->ctx.md5 );
2605 break;
2606 #endif
2607 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
2608 case PSA_ALG_RIPEMD160:
2609 mbedtls_ripemd160_init( &operation->ctx.ripemd160 );
2610 ret = mbedtls_ripemd160_starts_ret( &operation->ctx.ripemd160 );
2611 break;
2612 #endif
2613 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
2614 case PSA_ALG_SHA_1:
2615 mbedtls_sha1_init( &operation->ctx.sha1 );
2616 ret = mbedtls_sha1_starts_ret( &operation->ctx.sha1 );
2617 break;
2618 #endif
2619 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
2620 case PSA_ALG_SHA_224:
2621 mbedtls_sha256_init( &operation->ctx.sha256 );
2622 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 1 );
2623 break;
2624 #endif
2625 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
2626 case PSA_ALG_SHA_256:
2627 mbedtls_sha256_init( &operation->ctx.sha256 );
2628 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 0 );
2629 break;
2630 #endif
2631 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
2632 case PSA_ALG_SHA_384:
2633 mbedtls_sha512_init( &operation->ctx.sha512 );
2634 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 1 );
2635 break;
2636 #endif
2637 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
2638 case PSA_ALG_SHA_512:
2639 mbedtls_sha512_init( &operation->ctx.sha512 );
2640 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 0 );
2641 break;
2642 #endif
2643 default:
2644 return( PSA_ALG_IS_HASH( alg ) ?
2645 PSA_ERROR_NOT_SUPPORTED :
2646 PSA_ERROR_INVALID_ARGUMENT );
2647 }
2648 if( ret == 0 )
2649 operation->alg = alg;
2650 else
2651 psa_hash_abort( operation );
2652 return( mbedtls_to_psa_error( ret ) );
2653 }
2654
psa_hash_update(psa_hash_operation_t * operation,const uint8_t * input,size_t input_length)2655 psa_status_t psa_hash_update( psa_hash_operation_t *operation,
2656 const uint8_t *input,
2657 size_t input_length )
2658 {
2659 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2660
2661 /* Don't require hash implementations to behave correctly on a
2662 * zero-length input, which may have an invalid pointer. */
2663 if( input_length == 0 )
2664 return( PSA_SUCCESS );
2665
2666 switch( operation->alg )
2667 {
2668 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
2669 case PSA_ALG_MD2:
2670 ret = mbedtls_md2_update_ret( &operation->ctx.md2,
2671 input, input_length );
2672 break;
2673 #endif
2674 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
2675 case PSA_ALG_MD4:
2676 ret = mbedtls_md4_update_ret( &operation->ctx.md4,
2677 input, input_length );
2678 break;
2679 #endif
2680 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
2681 case PSA_ALG_MD5:
2682 ret = mbedtls_md5_update_ret( &operation->ctx.md5,
2683 input, input_length );
2684 break;
2685 #endif
2686 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
2687 case PSA_ALG_RIPEMD160:
2688 ret = mbedtls_ripemd160_update_ret( &operation->ctx.ripemd160,
2689 input, input_length );
2690 break;
2691 #endif
2692 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
2693 case PSA_ALG_SHA_1:
2694 ret = mbedtls_sha1_update_ret( &operation->ctx.sha1,
2695 input, input_length );
2696 break;
2697 #endif
2698 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
2699 case PSA_ALG_SHA_224:
2700 ret = mbedtls_sha256_update_ret( &operation->ctx.sha256,
2701 input, input_length );
2702 break;
2703 #endif
2704 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
2705 case PSA_ALG_SHA_256:
2706 ret = mbedtls_sha256_update_ret( &operation->ctx.sha256,
2707 input, input_length );
2708 break;
2709 #endif
2710 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
2711 case PSA_ALG_SHA_384:
2712 ret = mbedtls_sha512_update_ret( &operation->ctx.sha512,
2713 input, input_length );
2714 break;
2715 #endif
2716 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
2717 case PSA_ALG_SHA_512:
2718 ret = mbedtls_sha512_update_ret( &operation->ctx.sha512,
2719 input, input_length );
2720 break;
2721 #endif
2722 default:
2723 (void)input;
2724 return( PSA_ERROR_BAD_STATE );
2725 }
2726
2727 if( ret != 0 )
2728 psa_hash_abort( operation );
2729 return( mbedtls_to_psa_error( ret ) );
2730 }
2731
psa_hash_finish(psa_hash_operation_t * operation,uint8_t * hash,size_t hash_size,size_t * hash_length)2732 psa_status_t psa_hash_finish( psa_hash_operation_t *operation,
2733 uint8_t *hash,
2734 size_t hash_size,
2735 size_t *hash_length )
2736 {
2737 psa_status_t status;
2738 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2739 size_t actual_hash_length = PSA_HASH_SIZE( operation->alg );
2740
2741 /* Fill the output buffer with something that isn't a valid hash
2742 * (barring an attack on the hash and deliberately-crafted input),
2743 * in case the caller doesn't check the return status properly. */
2744 *hash_length = hash_size;
2745 /* If hash_size is 0 then hash may be NULL and then the
2746 * call to memset would have undefined behavior. */
2747 if( hash_size != 0 )
2748 memset( hash, '!', hash_size );
2749
2750 if( hash_size < actual_hash_length )
2751 {
2752 status = PSA_ERROR_BUFFER_TOO_SMALL;
2753 goto exit;
2754 }
2755
2756 switch( operation->alg )
2757 {
2758 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
2759 case PSA_ALG_MD2:
2760 ret = mbedtls_md2_finish_ret( &operation->ctx.md2, hash );
2761 break;
2762 #endif
2763 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
2764 case PSA_ALG_MD4:
2765 ret = mbedtls_md4_finish_ret( &operation->ctx.md4, hash );
2766 break;
2767 #endif
2768 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
2769 case PSA_ALG_MD5:
2770 ret = mbedtls_md5_finish_ret( &operation->ctx.md5, hash );
2771 break;
2772 #endif
2773 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
2774 case PSA_ALG_RIPEMD160:
2775 ret = mbedtls_ripemd160_finish_ret( &operation->ctx.ripemd160, hash );
2776 break;
2777 #endif
2778 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
2779 case PSA_ALG_SHA_1:
2780 ret = mbedtls_sha1_finish_ret( &operation->ctx.sha1, hash );
2781 break;
2782 #endif
2783 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
2784 case PSA_ALG_SHA_224:
2785 ret = mbedtls_sha256_finish_ret( &operation->ctx.sha256, hash );
2786 break;
2787 #endif
2788 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
2789 case PSA_ALG_SHA_256:
2790 ret = mbedtls_sha256_finish_ret( &operation->ctx.sha256, hash );
2791 break;
2792 #endif
2793 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
2794 case PSA_ALG_SHA_384:
2795 ret = mbedtls_sha512_finish_ret( &operation->ctx.sha512, hash );
2796 break;
2797 #endif
2798 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
2799 case PSA_ALG_SHA_512:
2800 ret = mbedtls_sha512_finish_ret( &operation->ctx.sha512, hash );
2801 break;
2802 #endif
2803 default:
2804 return( PSA_ERROR_BAD_STATE );
2805 }
2806 status = mbedtls_to_psa_error( ret );
2807
2808 exit:
2809 if( status == PSA_SUCCESS )
2810 {
2811 *hash_length = actual_hash_length;
2812 return( psa_hash_abort( operation ) );
2813 }
2814 else
2815 {
2816 psa_hash_abort( operation );
2817 return( status );
2818 }
2819 }
2820
psa_hash_verify(psa_hash_operation_t * operation,const uint8_t * hash,size_t hash_length)2821 psa_status_t psa_hash_verify( psa_hash_operation_t *operation,
2822 const uint8_t *hash,
2823 size_t hash_length )
2824 {
2825 uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE];
2826 size_t actual_hash_length;
2827 psa_status_t status = psa_hash_finish( operation,
2828 actual_hash, sizeof( actual_hash ),
2829 &actual_hash_length );
2830 if( status != PSA_SUCCESS )
2831 return( status );
2832 if( actual_hash_length != hash_length )
2833 return( PSA_ERROR_INVALID_SIGNATURE );
2834 if( safer_memcmp( hash, actual_hash, actual_hash_length ) != 0 )
2835 return( PSA_ERROR_INVALID_SIGNATURE );
2836 return( PSA_SUCCESS );
2837 }
2838
psa_hash_compute(psa_algorithm_t alg,const uint8_t * input,size_t input_length,uint8_t * hash,size_t hash_size,size_t * hash_length)2839 psa_status_t psa_hash_compute( psa_algorithm_t alg,
2840 const uint8_t *input, size_t input_length,
2841 uint8_t *hash, size_t hash_size,
2842 size_t *hash_length )
2843 {
2844 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
2845 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2846
2847 *hash_length = hash_size;
2848 status = psa_hash_setup( &operation, alg );
2849 if( status != PSA_SUCCESS )
2850 goto exit;
2851 status = psa_hash_update( &operation, input, input_length );
2852 if( status != PSA_SUCCESS )
2853 goto exit;
2854 status = psa_hash_finish( &operation, hash, hash_size, hash_length );
2855 if( status != PSA_SUCCESS )
2856 goto exit;
2857
2858 exit:
2859 if( status == PSA_SUCCESS )
2860 status = psa_hash_abort( &operation );
2861 else
2862 psa_hash_abort( &operation );
2863 return( status );
2864 }
2865
psa_hash_compare(psa_algorithm_t alg,const uint8_t * input,size_t input_length,const uint8_t * hash,size_t hash_length)2866 psa_status_t psa_hash_compare( psa_algorithm_t alg,
2867 const uint8_t *input, size_t input_length,
2868 const uint8_t *hash, size_t hash_length )
2869 {
2870 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
2871 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2872
2873 status = psa_hash_setup( &operation, alg );
2874 if( status != PSA_SUCCESS )
2875 goto exit;
2876 status = psa_hash_update( &operation, input, input_length );
2877 if( status != PSA_SUCCESS )
2878 goto exit;
2879 status = psa_hash_verify( &operation, hash, hash_length );
2880 if( status != PSA_SUCCESS )
2881 goto exit;
2882
2883 exit:
2884 if( status == PSA_SUCCESS )
2885 status = psa_hash_abort( &operation );
2886 else
2887 psa_hash_abort( &operation );
2888 return( status );
2889 }
2890
psa_hash_clone(const psa_hash_operation_t * source_operation,psa_hash_operation_t * target_operation)2891 psa_status_t psa_hash_clone( const psa_hash_operation_t *source_operation,
2892 psa_hash_operation_t *target_operation )
2893 {
2894 if( target_operation->alg != 0 )
2895 return( PSA_ERROR_BAD_STATE );
2896
2897 switch( source_operation->alg )
2898 {
2899 case 0:
2900 return( PSA_ERROR_BAD_STATE );
2901 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD2)
2902 case PSA_ALG_MD2:
2903 mbedtls_md2_clone( &target_operation->ctx.md2,
2904 &source_operation->ctx.md2 );
2905 break;
2906 #endif
2907 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD4)
2908 case PSA_ALG_MD4:
2909 mbedtls_md4_clone( &target_operation->ctx.md4,
2910 &source_operation->ctx.md4 );
2911 break;
2912 #endif
2913 #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
2914 case PSA_ALG_MD5:
2915 mbedtls_md5_clone( &target_operation->ctx.md5,
2916 &source_operation->ctx.md5 );
2917 break;
2918 #endif
2919 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
2920 case PSA_ALG_RIPEMD160:
2921 mbedtls_ripemd160_clone( &target_operation->ctx.ripemd160,
2922 &source_operation->ctx.ripemd160 );
2923 break;
2924 #endif
2925 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
2926 case PSA_ALG_SHA_1:
2927 mbedtls_sha1_clone( &target_operation->ctx.sha1,
2928 &source_operation->ctx.sha1 );
2929 break;
2930 #endif
2931 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
2932 case PSA_ALG_SHA_224:
2933 mbedtls_sha256_clone( &target_operation->ctx.sha256,
2934 &source_operation->ctx.sha256 );
2935 break;
2936 #endif
2937 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
2938 case PSA_ALG_SHA_256:
2939 mbedtls_sha256_clone( &target_operation->ctx.sha256,
2940 &source_operation->ctx.sha256 );
2941 break;
2942 #endif
2943 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
2944 case PSA_ALG_SHA_384:
2945 mbedtls_sha512_clone( &target_operation->ctx.sha512,
2946 &source_operation->ctx.sha512 );
2947 break;
2948 #endif
2949 #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
2950 case PSA_ALG_SHA_512:
2951 mbedtls_sha512_clone( &target_operation->ctx.sha512,
2952 &source_operation->ctx.sha512 );
2953 break;
2954 #endif
2955 default:
2956 return( PSA_ERROR_NOT_SUPPORTED );
2957 }
2958
2959 target_operation->alg = source_operation->alg;
2960 return( PSA_SUCCESS );
2961 }
2962
2963
2964 /****************************************************************/
2965 /* MAC */
2966 /****************************************************************/
2967
mbedtls_cipher_info_from_psa(psa_algorithm_t alg,psa_key_type_t key_type,size_t key_bits,mbedtls_cipher_id_t * cipher_id)2968 static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
2969 psa_algorithm_t alg,
2970 psa_key_type_t key_type,
2971 size_t key_bits,
2972 mbedtls_cipher_id_t* cipher_id )
2973 {
2974 mbedtls_cipher_mode_t mode;
2975 mbedtls_cipher_id_t cipher_id_tmp;
2976
2977 if( PSA_ALG_IS_AEAD( alg ) )
2978 alg = PSA_ALG_AEAD_WITH_TAG_LENGTH( alg, 0 );
2979
2980 if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) )
2981 {
2982 switch( alg )
2983 {
2984 case PSA_ALG_STREAM_CIPHER:
2985 mode = MBEDTLS_MODE_STREAM;
2986 break;
2987 case PSA_ALG_CTR:
2988 mode = MBEDTLS_MODE_CTR;
2989 break;
2990 case PSA_ALG_CFB:
2991 mode = MBEDTLS_MODE_CFB;
2992 break;
2993 case PSA_ALG_OFB:
2994 mode = MBEDTLS_MODE_OFB;
2995 break;
2996 case PSA_ALG_ECB_NO_PADDING:
2997 mode = MBEDTLS_MODE_ECB;
2998 break;
2999 case PSA_ALG_CBC_NO_PADDING:
3000 mode = MBEDTLS_MODE_CBC;
3001 break;
3002 case PSA_ALG_CBC_PKCS7:
3003 mode = MBEDTLS_MODE_CBC;
3004 break;
3005 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CCM, 0 ):
3006 mode = MBEDTLS_MODE_CCM;
3007 break;
3008 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_GCM, 0 ):
3009 mode = MBEDTLS_MODE_GCM;
3010 break;
3011 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CHACHA20_POLY1305, 0 ):
3012 mode = MBEDTLS_MODE_CHACHAPOLY;
3013 break;
3014 default:
3015 return( NULL );
3016 }
3017 }
3018 else if( alg == PSA_ALG_CMAC )
3019 mode = MBEDTLS_MODE_ECB;
3020 else
3021 return( NULL );
3022
3023 switch( key_type )
3024 {
3025 case PSA_KEY_TYPE_AES:
3026 cipher_id_tmp = MBEDTLS_CIPHER_ID_AES;
3027 break;
3028 case PSA_KEY_TYPE_DES:
3029 /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES,
3030 * and 192 for three-key Triple-DES. */
3031 if( key_bits == 64 )
3032 cipher_id_tmp = MBEDTLS_CIPHER_ID_DES;
3033 else
3034 cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES;
3035 /* mbedtls doesn't recognize two-key Triple-DES as an algorithm,
3036 * but two-key Triple-DES is functionally three-key Triple-DES
3037 * with K1=K3, so that's how we present it to mbedtls. */
3038 if( key_bits == 128 )
3039 key_bits = 192;
3040 break;
3041 case PSA_KEY_TYPE_CAMELLIA:
3042 cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA;
3043 break;
3044 case PSA_KEY_TYPE_ARC4:
3045 cipher_id_tmp = MBEDTLS_CIPHER_ID_ARC4;
3046 break;
3047 case PSA_KEY_TYPE_CHACHA20:
3048 cipher_id_tmp = MBEDTLS_CIPHER_ID_CHACHA20;
3049 break;
3050 default:
3051 return( NULL );
3052 }
3053 if( cipher_id != NULL )
3054 *cipher_id = cipher_id_tmp;
3055
3056 return( mbedtls_cipher_info_from_values( cipher_id_tmp,
3057 (int) key_bits, mode ) );
3058 }
3059
3060 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
psa_get_hash_block_size(psa_algorithm_t alg)3061 static size_t psa_get_hash_block_size( psa_algorithm_t alg )
3062 {
3063 switch( alg )
3064 {
3065 case PSA_ALG_MD2:
3066 return( 16 );
3067 case PSA_ALG_MD4:
3068 return( 64 );
3069 case PSA_ALG_MD5:
3070 return( 64 );
3071 case PSA_ALG_RIPEMD160:
3072 return( 64 );
3073 case PSA_ALG_SHA_1:
3074 return( 64 );
3075 case PSA_ALG_SHA_224:
3076 return( 64 );
3077 case PSA_ALG_SHA_256:
3078 return( 64 );
3079 case PSA_ALG_SHA_384:
3080 return( 128 );
3081 case PSA_ALG_SHA_512:
3082 return( 128 );
3083 default:
3084 return( 0 );
3085 }
3086 }
3087 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) */
3088
3089 /* Initialize the MAC operation structure. Once this function has been
3090 * called, psa_mac_abort can run and will do the right thing. */
psa_mac_init(psa_mac_operation_t * operation,psa_algorithm_t alg)3091 static psa_status_t psa_mac_init( psa_mac_operation_t *operation,
3092 psa_algorithm_t alg )
3093 {
3094 psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
3095
3096 operation->alg = alg;
3097 operation->key_set = 0;
3098 operation->iv_set = 0;
3099 operation->iv_required = 0;
3100 operation->has_input = 0;
3101 operation->is_sign = 0;
3102
3103 #if defined(MBEDTLS_CMAC_C)
3104 if( alg == PSA_ALG_CMAC )
3105 {
3106 operation->iv_required = 0;
3107 mbedtls_cipher_init( &operation->ctx.cmac );
3108 status = PSA_SUCCESS;
3109 }
3110 else
3111 #endif /* MBEDTLS_CMAC_C */
3112 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
3113 if( PSA_ALG_IS_HMAC( operation->alg ) )
3114 {
3115 /* We'll set up the hash operation later in psa_hmac_setup_internal. */
3116 operation->ctx.hmac.hash_ctx.alg = 0;
3117 status = PSA_SUCCESS;
3118 }
3119 else
3120 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
3121 {
3122 if( ! PSA_ALG_IS_MAC( alg ) )
3123 status = PSA_ERROR_INVALID_ARGUMENT;
3124 }
3125
3126 if( status != PSA_SUCCESS )
3127 memset( operation, 0, sizeof( *operation ) );
3128 return( status );
3129 }
3130
3131 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
psa_hmac_abort_internal(psa_hmac_internal_data * hmac)3132 static psa_status_t psa_hmac_abort_internal( psa_hmac_internal_data *hmac )
3133 {
3134 mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) );
3135 return( psa_hash_abort( &hmac->hash_ctx ) );
3136 }
3137 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
3138
psa_mac_abort(psa_mac_operation_t * operation)3139 psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
3140 {
3141 if( operation->alg == 0 )
3142 {
3143 /* The object has (apparently) been initialized but it is not
3144 * in use. It's ok to call abort on such an object, and there's
3145 * nothing to do. */
3146 return( PSA_SUCCESS );
3147 }
3148 else
3149 #if defined(MBEDTLS_CMAC_C)
3150 if( operation->alg == PSA_ALG_CMAC )
3151 {
3152 mbedtls_cipher_free( &operation->ctx.cmac );
3153 }
3154 else
3155 #endif /* MBEDTLS_CMAC_C */
3156 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
3157 if( PSA_ALG_IS_HMAC( operation->alg ) )
3158 {
3159 psa_hmac_abort_internal( &operation->ctx.hmac );
3160 }
3161 else
3162 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
3163 {
3164 /* Sanity check (shouldn't happen: operation->alg should
3165 * always have been initialized to a valid value). */
3166 goto bad_state;
3167 }
3168
3169 operation->alg = 0;
3170 operation->key_set = 0;
3171 operation->iv_set = 0;
3172 operation->iv_required = 0;
3173 operation->has_input = 0;
3174 operation->is_sign = 0;
3175
3176 return( PSA_SUCCESS );
3177
3178 bad_state:
3179 /* If abort is called on an uninitialized object, we can't trust
3180 * anything. Wipe the object in case it contains confidential data.
3181 * This may result in a memory leak if a pointer gets overwritten,
3182 * but it's too late to do anything about this. */
3183 memset( operation, 0, sizeof( *operation ) );
3184 return( PSA_ERROR_BAD_STATE );
3185 }
3186
3187 #if defined(MBEDTLS_CMAC_C)
psa_cmac_setup(psa_mac_operation_t * operation,size_t key_bits,psa_key_slot_t * slot,const mbedtls_cipher_info_t * cipher_info)3188 static int psa_cmac_setup( psa_mac_operation_t *operation,
3189 size_t key_bits,
3190 psa_key_slot_t *slot,
3191 const mbedtls_cipher_info_t *cipher_info )
3192 {
3193 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3194
3195 operation->mac_size = cipher_info->block_size;
3196
3197 ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info );
3198 if( ret != 0 )
3199 return( ret );
3200
3201 ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
3202 slot->data.key.data,
3203 key_bits );
3204 return( ret );
3205 }
3206 #endif /* MBEDTLS_CMAC_C */
3207
3208 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
psa_hmac_setup_internal(psa_hmac_internal_data * hmac,const uint8_t * key,size_t key_length,psa_algorithm_t hash_alg)3209 static psa_status_t psa_hmac_setup_internal( psa_hmac_internal_data *hmac,
3210 const uint8_t *key,
3211 size_t key_length,
3212 psa_algorithm_t hash_alg )
3213 {
3214 uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
3215 size_t i;
3216 size_t hash_size = PSA_HASH_SIZE( hash_alg );
3217 size_t block_size = psa_get_hash_block_size( hash_alg );
3218 psa_status_t status;
3219
3220 /* Sanity checks on block_size, to guarantee that there won't be a buffer
3221 * overflow below. This should never trigger if the hash algorithm
3222 * is implemented correctly. */
3223 /* The size checks against the ipad and opad buffers cannot be written
3224 * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
3225 * because that triggers -Wlogical-op on GCC 7.3. */
3226 if( block_size > sizeof( ipad ) )
3227 return( PSA_ERROR_NOT_SUPPORTED );
3228 if( block_size > sizeof( hmac->opad ) )
3229 return( PSA_ERROR_NOT_SUPPORTED );
3230 if( block_size < hash_size )
3231 return( PSA_ERROR_NOT_SUPPORTED );
3232
3233 if( key_length > block_size )
3234 {
3235 status = psa_hash_compute( hash_alg, key, key_length,
3236 ipad, sizeof( ipad ), &key_length );
3237 if( status != PSA_SUCCESS )
3238 goto cleanup;
3239 }
3240 /* A 0-length key is not commonly used in HMAC when used as a MAC,
3241 * but it is permitted. It is common when HMAC is used in HKDF, for
3242 * example. Don't call `memcpy` in the 0-length because `key` could be
3243 * an invalid pointer which would make the behavior undefined. */
3244 else if( key_length != 0 )
3245 memcpy( ipad, key, key_length );
3246
3247 /* ipad contains the key followed by garbage. Xor and fill with 0x36
3248 * to create the ipad value. */
3249 for( i = 0; i < key_length; i++ )
3250 ipad[i] ^= 0x36;
3251 memset( ipad + key_length, 0x36, block_size - key_length );
3252
3253 /* Copy the key material from ipad to opad, flipping the requisite bits,
3254 * and filling the rest of opad with the requisite constant. */
3255 for( i = 0; i < key_length; i++ )
3256 hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
3257 memset( hmac->opad + key_length, 0x5C, block_size - key_length );
3258
3259 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
3260 if( status != PSA_SUCCESS )
3261 goto cleanup;
3262
3263 status = psa_hash_update( &hmac->hash_ctx, ipad, block_size );
3264
3265 cleanup:
3266 mbedtls_platform_zeroize( ipad, sizeof( ipad ) );
3267
3268 return( status );
3269 }
3270 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
3271
psa_mac_setup(psa_mac_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,int is_sign)3272 static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
3273 mbedtls_svc_key_id_t key,
3274 psa_algorithm_t alg,
3275 int is_sign )
3276 {
3277 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3278 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3279 psa_key_slot_t *slot;
3280 size_t key_bits;
3281 psa_key_usage_t usage =
3282 is_sign ? PSA_KEY_USAGE_SIGN_HASH : PSA_KEY_USAGE_VERIFY_HASH;
3283 uint8_t truncated = PSA_MAC_TRUNCATED_LENGTH( alg );
3284 psa_algorithm_t full_length_alg = PSA_ALG_FULL_LENGTH_MAC( alg );
3285
3286 /* A context must be freshly initialized before it can be set up. */
3287 if( operation->alg != 0 )
3288 {
3289 return( PSA_ERROR_BAD_STATE );
3290 }
3291
3292 status = psa_mac_init( operation, full_length_alg );
3293 if( status != PSA_SUCCESS )
3294 return( status );
3295 if( is_sign )
3296 operation->is_sign = 1;
3297
3298 status = psa_get_and_lock_transparent_key_slot_with_policy(
3299 key, &slot, usage, alg );
3300 if( status != PSA_SUCCESS )
3301 goto exit;
3302 key_bits = psa_get_key_slot_bits( slot );
3303
3304 #if defined(MBEDTLS_CMAC_C)
3305 if( full_length_alg == PSA_ALG_CMAC )
3306 {
3307 const mbedtls_cipher_info_t *cipher_info =
3308 mbedtls_cipher_info_from_psa( full_length_alg,
3309 slot->attr.type, key_bits, NULL );
3310 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3311 if( cipher_info == NULL )
3312 {
3313 status = PSA_ERROR_NOT_SUPPORTED;
3314 goto exit;
3315 }
3316 operation->mac_size = cipher_info->block_size;
3317 ret = psa_cmac_setup( operation, key_bits, slot, cipher_info );
3318 status = mbedtls_to_psa_error( ret );
3319 }
3320 else
3321 #endif /* MBEDTLS_CMAC_C */
3322 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
3323 if( PSA_ALG_IS_HMAC( full_length_alg ) )
3324 {
3325 psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH( alg );
3326 if( hash_alg == 0 )
3327 {
3328 status = PSA_ERROR_NOT_SUPPORTED;
3329 goto exit;
3330 }
3331
3332 operation->mac_size = PSA_HASH_SIZE( hash_alg );
3333 /* Sanity check. This shouldn't fail on a valid configuration. */
3334 if( operation->mac_size == 0 ||
3335 operation->mac_size > sizeof( operation->ctx.hmac.opad ) )
3336 {
3337 status = PSA_ERROR_NOT_SUPPORTED;
3338 goto exit;
3339 }
3340
3341 if( slot->attr.type != PSA_KEY_TYPE_HMAC )
3342 {
3343 status = PSA_ERROR_INVALID_ARGUMENT;
3344 goto exit;
3345 }
3346
3347 status = psa_hmac_setup_internal( &operation->ctx.hmac,
3348 slot->data.key.data,
3349 slot->data.key.bytes,
3350 hash_alg );
3351 }
3352 else
3353 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
3354 {
3355 (void) key_bits;
3356 status = PSA_ERROR_NOT_SUPPORTED;
3357 }
3358
3359 if( truncated == 0 )
3360 {
3361 /* The "normal" case: untruncated algorithm. Nothing to do. */
3362 }
3363 else if( truncated < 4 )
3364 {
3365 /* A very short MAC is too short for security since it can be
3366 * brute-forced. Ancient protocols with 32-bit MACs do exist,
3367 * so we make this our minimum, even though 32 bits is still
3368 * too small for security. */
3369 status = PSA_ERROR_NOT_SUPPORTED;
3370 }
3371 else if( truncated > operation->mac_size )
3372 {
3373 /* It's impossible to "truncate" to a larger length. */
3374 status = PSA_ERROR_INVALID_ARGUMENT;
3375 }
3376 else
3377 operation->mac_size = truncated;
3378
3379 exit:
3380 if( status != PSA_SUCCESS )
3381 {
3382 psa_mac_abort( operation );
3383 }
3384 else
3385 {
3386 operation->key_set = 1;
3387 }
3388
3389 unlock_status = psa_unlock_key_slot( slot );
3390
3391 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
3392 }
3393
psa_mac_sign_setup(psa_mac_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg)3394 psa_status_t psa_mac_sign_setup( psa_mac_operation_t *operation,
3395 mbedtls_svc_key_id_t key,
3396 psa_algorithm_t alg )
3397 {
3398 return( psa_mac_setup( operation, key, alg, 1 ) );
3399 }
3400
psa_mac_verify_setup(psa_mac_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg)3401 psa_status_t psa_mac_verify_setup( psa_mac_operation_t *operation,
3402 mbedtls_svc_key_id_t key,
3403 psa_algorithm_t alg )
3404 {
3405 return( psa_mac_setup( operation, key, alg, 0 ) );
3406 }
3407
psa_mac_update(psa_mac_operation_t * operation,const uint8_t * input,size_t input_length)3408 psa_status_t psa_mac_update( psa_mac_operation_t *operation,
3409 const uint8_t *input,
3410 size_t input_length )
3411 {
3412 psa_status_t status = PSA_ERROR_BAD_STATE;
3413 if( ! operation->key_set )
3414 return( PSA_ERROR_BAD_STATE );
3415 if( operation->iv_required && ! operation->iv_set )
3416 return( PSA_ERROR_BAD_STATE );
3417 operation->has_input = 1;
3418
3419 #if defined(MBEDTLS_CMAC_C)
3420 if( operation->alg == PSA_ALG_CMAC )
3421 {
3422 int ret = mbedtls_cipher_cmac_update( &operation->ctx.cmac,
3423 input, input_length );
3424 status = mbedtls_to_psa_error( ret );
3425 }
3426 else
3427 #endif /* MBEDTLS_CMAC_C */
3428 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
3429 if( PSA_ALG_IS_HMAC( operation->alg ) )
3430 {
3431 status = psa_hash_update( &operation->ctx.hmac.hash_ctx, input,
3432 input_length );
3433 }
3434 else
3435 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
3436 {
3437 /* This shouldn't happen if `operation` was initialized by
3438 * a setup function. */
3439 return( PSA_ERROR_BAD_STATE );
3440 }
3441
3442 if( status != PSA_SUCCESS )
3443 psa_mac_abort( operation );
3444 return( status );
3445 }
3446
3447 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
psa_hmac_finish_internal(psa_hmac_internal_data * hmac,uint8_t * mac,size_t mac_size)3448 static psa_status_t psa_hmac_finish_internal( psa_hmac_internal_data *hmac,
3449 uint8_t *mac,
3450 size_t mac_size )
3451 {
3452 uint8_t tmp[MBEDTLS_MD_MAX_SIZE];
3453 psa_algorithm_t hash_alg = hmac->hash_ctx.alg;
3454 size_t hash_size = 0;
3455 size_t block_size = psa_get_hash_block_size( hash_alg );
3456 psa_status_t status;
3457
3458 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
3459 if( status != PSA_SUCCESS )
3460 return( status );
3461 /* From here on, tmp needs to be wiped. */
3462
3463 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
3464 if( status != PSA_SUCCESS )
3465 goto exit;
3466
3467 status = psa_hash_update( &hmac->hash_ctx, hmac->opad, block_size );
3468 if( status != PSA_SUCCESS )
3469 goto exit;
3470
3471 status = psa_hash_update( &hmac->hash_ctx, tmp, hash_size );
3472 if( status != PSA_SUCCESS )
3473 goto exit;
3474
3475 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
3476 if( status != PSA_SUCCESS )
3477 goto exit;
3478
3479 memcpy( mac, tmp, mac_size );
3480
3481 exit:
3482 mbedtls_platform_zeroize( tmp, hash_size );
3483 return( status );
3484 }
3485 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
3486
psa_mac_finish_internal(psa_mac_operation_t * operation,uint8_t * mac,size_t mac_size)3487 static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
3488 uint8_t *mac,
3489 size_t mac_size )
3490 {
3491 if( ! operation->key_set )
3492 return( PSA_ERROR_BAD_STATE );
3493 if( operation->iv_required && ! operation->iv_set )
3494 return( PSA_ERROR_BAD_STATE );
3495
3496 if( mac_size < operation->mac_size )
3497 return( PSA_ERROR_BUFFER_TOO_SMALL );
3498
3499 #if defined(MBEDTLS_CMAC_C)
3500 if( operation->alg == PSA_ALG_CMAC )
3501 {
3502 uint8_t tmp[PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE];
3503 int ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, tmp );
3504 if( ret == 0 )
3505 memcpy( mac, tmp, operation->mac_size );
3506 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
3507 return( mbedtls_to_psa_error( ret ) );
3508 }
3509 else
3510 #endif /* MBEDTLS_CMAC_C */
3511 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
3512 if( PSA_ALG_IS_HMAC( operation->alg ) )
3513 {
3514 return( psa_hmac_finish_internal( &operation->ctx.hmac,
3515 mac, operation->mac_size ) );
3516 }
3517 else
3518 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
3519 {
3520 /* This shouldn't happen if `operation` was initialized by
3521 * a setup function. */
3522 return( PSA_ERROR_BAD_STATE );
3523 }
3524 }
3525
psa_mac_sign_finish(psa_mac_operation_t * operation,uint8_t * mac,size_t mac_size,size_t * mac_length)3526 psa_status_t psa_mac_sign_finish( psa_mac_operation_t *operation,
3527 uint8_t *mac,
3528 size_t mac_size,
3529 size_t *mac_length )
3530 {
3531 psa_status_t status;
3532
3533 if( operation->alg == 0 )
3534 {
3535 return( PSA_ERROR_BAD_STATE );
3536 }
3537
3538 /* Fill the output buffer with something that isn't a valid mac
3539 * (barring an attack on the mac and deliberately-crafted input),
3540 * in case the caller doesn't check the return status properly. */
3541 *mac_length = mac_size;
3542 /* If mac_size is 0 then mac may be NULL and then the
3543 * call to memset would have undefined behavior. */
3544 if( mac_size != 0 )
3545 memset( mac, '!', mac_size );
3546
3547 if( ! operation->is_sign )
3548 {
3549 return( PSA_ERROR_BAD_STATE );
3550 }
3551
3552 status = psa_mac_finish_internal( operation, mac, mac_size );
3553
3554 if( status == PSA_SUCCESS )
3555 {
3556 status = psa_mac_abort( operation );
3557 if( status == PSA_SUCCESS )
3558 *mac_length = operation->mac_size;
3559 else
3560 memset( mac, '!', mac_size );
3561 }
3562 else
3563 psa_mac_abort( operation );
3564 return( status );
3565 }
3566
psa_mac_verify_finish(psa_mac_operation_t * operation,const uint8_t * mac,size_t mac_length)3567 psa_status_t psa_mac_verify_finish( psa_mac_operation_t *operation,
3568 const uint8_t *mac,
3569 size_t mac_length )
3570 {
3571 uint8_t actual_mac[PSA_MAC_MAX_SIZE];
3572 psa_status_t status;
3573
3574 if( operation->alg == 0 )
3575 {
3576 return( PSA_ERROR_BAD_STATE );
3577 }
3578
3579 if( operation->is_sign )
3580 {
3581 return( PSA_ERROR_BAD_STATE );
3582 }
3583 if( operation->mac_size != mac_length )
3584 {
3585 status = PSA_ERROR_INVALID_SIGNATURE;
3586 goto cleanup;
3587 }
3588
3589 status = psa_mac_finish_internal( operation,
3590 actual_mac, sizeof( actual_mac ) );
3591 if( status != PSA_SUCCESS )
3592 goto cleanup;
3593
3594 if( safer_memcmp( mac, actual_mac, mac_length ) != 0 )
3595 status = PSA_ERROR_INVALID_SIGNATURE;
3596
3597 cleanup:
3598 if( status == PSA_SUCCESS )
3599 status = psa_mac_abort( operation );
3600 else
3601 psa_mac_abort( operation );
3602
3603 mbedtls_platform_zeroize( actual_mac, sizeof( actual_mac ) );
3604
3605 return( status );
3606 }
3607
3608
3609
3610 /****************************************************************/
3611 /* Asymmetric cryptography */
3612 /****************************************************************/
3613
3614 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
3615 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3616 /* Decode the hash algorithm from alg and store the mbedtls encoding in
3617 * md_alg. Verify that the hash length is acceptable. */
psa_rsa_decode_md_type(psa_algorithm_t alg,size_t hash_length,mbedtls_md_type_t * md_alg)3618 static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg,
3619 size_t hash_length,
3620 mbedtls_md_type_t *md_alg )
3621 {
3622 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
3623 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
3624 *md_alg = mbedtls_md_get_type( md_info );
3625
3626 /* The Mbed TLS RSA module uses an unsigned int for hash length
3627 * parameters. Validate that it fits so that we don't risk an
3628 * overflow later. */
3629 #if SIZE_MAX > UINT_MAX
3630 if( hash_length > UINT_MAX )
3631 return( PSA_ERROR_INVALID_ARGUMENT );
3632 #endif
3633
3634 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN)
3635 /* For PKCS#1 v1.5 signature, if using a hash, the hash length
3636 * must be correct. */
3637 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) &&
3638 alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW )
3639 {
3640 if( md_info == NULL )
3641 return( PSA_ERROR_NOT_SUPPORTED );
3642 if( mbedtls_md_get_size( md_info ) != hash_length )
3643 return( PSA_ERROR_INVALID_ARGUMENT );
3644 }
3645 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */
3646
3647 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3648 /* PSS requires a hash internally. */
3649 if( PSA_ALG_IS_RSA_PSS( alg ) )
3650 {
3651 if( md_info == NULL )
3652 return( PSA_ERROR_NOT_SUPPORTED );
3653 }
3654 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
3655
3656 return( PSA_SUCCESS );
3657 }
3658
psa_rsa_sign(mbedtls_rsa_context * rsa,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,uint8_t * signature,size_t signature_size,size_t * signature_length)3659 static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa,
3660 psa_algorithm_t alg,
3661 const uint8_t *hash,
3662 size_t hash_length,
3663 uint8_t *signature,
3664 size_t signature_size,
3665 size_t *signature_length )
3666 {
3667 psa_status_t status;
3668 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3669 mbedtls_md_type_t md_alg;
3670
3671 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
3672 if( status != PSA_SUCCESS )
3673 return( status );
3674
3675 if( signature_size < mbedtls_rsa_get_len( rsa ) )
3676 return( PSA_ERROR_BUFFER_TOO_SMALL );
3677
3678 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN)
3679 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
3680 {
3681 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
3682 MBEDTLS_MD_NONE );
3683 ret = mbedtls_rsa_pkcs1_sign( rsa,
3684 mbedtls_ctr_drbg_random,
3685 &global_data.ctr_drbg,
3686 MBEDTLS_RSA_PRIVATE,
3687 md_alg,
3688 (unsigned int) hash_length,
3689 hash,
3690 signature );
3691 }
3692 else
3693 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */
3694 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3695 if( PSA_ALG_IS_RSA_PSS( alg ) )
3696 {
3697 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
3698 ret = mbedtls_rsa_rsassa_pss_sign( rsa,
3699 mbedtls_ctr_drbg_random,
3700 &global_data.ctr_drbg,
3701 MBEDTLS_RSA_PRIVATE,
3702 MBEDTLS_MD_NONE,
3703 (unsigned int) hash_length,
3704 hash,
3705 signature );
3706 }
3707 else
3708 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
3709 {
3710 return( PSA_ERROR_INVALID_ARGUMENT );
3711 }
3712
3713 if( ret == 0 )
3714 *signature_length = mbedtls_rsa_get_len( rsa );
3715 return( mbedtls_to_psa_error( ret ) );
3716 }
3717
psa_rsa_verify(mbedtls_rsa_context * rsa,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,const uint8_t * signature,size_t signature_length)3718 static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa,
3719 psa_algorithm_t alg,
3720 const uint8_t *hash,
3721 size_t hash_length,
3722 const uint8_t *signature,
3723 size_t signature_length )
3724 {
3725 psa_status_t status;
3726 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3727 mbedtls_md_type_t md_alg;
3728
3729 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
3730 if( status != PSA_SUCCESS )
3731 return( status );
3732
3733 if( signature_length != mbedtls_rsa_get_len( rsa ) )
3734 return( PSA_ERROR_INVALID_SIGNATURE );
3735
3736 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN)
3737 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
3738 {
3739 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
3740 MBEDTLS_MD_NONE );
3741 ret = mbedtls_rsa_pkcs1_verify( rsa,
3742 mbedtls_ctr_drbg_random,
3743 &global_data.ctr_drbg,
3744 MBEDTLS_RSA_PUBLIC,
3745 md_alg,
3746 (unsigned int) hash_length,
3747 hash,
3748 signature );
3749 }
3750 else
3751 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */
3752 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3753 if( PSA_ALG_IS_RSA_PSS( alg ) )
3754 {
3755 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
3756 ret = mbedtls_rsa_rsassa_pss_verify( rsa,
3757 mbedtls_ctr_drbg_random,
3758 &global_data.ctr_drbg,
3759 MBEDTLS_RSA_PUBLIC,
3760 MBEDTLS_MD_NONE,
3761 (unsigned int) hash_length,
3762 hash,
3763 signature );
3764 }
3765 else
3766 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
3767 {
3768 return( PSA_ERROR_INVALID_ARGUMENT );
3769 }
3770
3771 /* Mbed TLS distinguishes "invalid padding" from "valid padding but
3772 * the rest of the signature is invalid". This has little use in
3773 * practice and PSA doesn't report this distinction. */
3774 if( ret == MBEDTLS_ERR_RSA_INVALID_PADDING )
3775 return( PSA_ERROR_INVALID_SIGNATURE );
3776 return( mbedtls_to_psa_error( ret ) );
3777 }
3778 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
3779 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
3780
3781 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3782 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3783 /* `ecp` cannot be const because `ecp->grp` needs to be non-const
3784 * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det()
3785 * (even though these functions don't modify it). */
psa_ecdsa_sign(mbedtls_ecp_keypair * ecp,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,uint8_t * signature,size_t signature_size,size_t * signature_length)3786 static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp,
3787 psa_algorithm_t alg,
3788 const uint8_t *hash,
3789 size_t hash_length,
3790 uint8_t *signature,
3791 size_t signature_size,
3792 size_t *signature_length )
3793 {
3794 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3795 mbedtls_mpi r, s;
3796 size_t curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
3797 mbedtls_mpi_init( &r );
3798 mbedtls_mpi_init( &s );
3799
3800 if( signature_size < 2 * curve_bytes )
3801 {
3802 ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
3803 goto cleanup;
3804 }
3805
3806 #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3807 if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) )
3808 {
3809 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
3810 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
3811 mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info );
3812 MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det_ext( &ecp->grp, &r, &s,
3813 &ecp->d, hash,
3814 hash_length, md_alg,
3815 mbedtls_ctr_drbg_random,
3816 &global_data.ctr_drbg ) );
3817 }
3818 else
3819 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3820 {
3821 (void) alg;
3822 MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d,
3823 hash, hash_length,
3824 mbedtls_ctr_drbg_random,
3825 &global_data.ctr_drbg ) );
3826 }
3827
3828 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &r,
3829 signature,
3830 curve_bytes ) );
3831 MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &s,
3832 signature + curve_bytes,
3833 curve_bytes ) );
3834
3835 cleanup:
3836 mbedtls_mpi_free( &r );
3837 mbedtls_mpi_free( &s );
3838 if( ret == 0 )
3839 *signature_length = 2 * curve_bytes;
3840 return( mbedtls_to_psa_error( ret ) );
3841 }
3842
psa_ecdsa_verify(mbedtls_ecp_keypair * ecp,const uint8_t * hash,size_t hash_length,const uint8_t * signature,size_t signature_length)3843 static psa_status_t psa_ecdsa_verify( mbedtls_ecp_keypair *ecp,
3844 const uint8_t *hash,
3845 size_t hash_length,
3846 const uint8_t *signature,
3847 size_t signature_length )
3848 {
3849 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3850 mbedtls_mpi r, s;
3851 size_t curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
3852 mbedtls_mpi_init( &r );
3853 mbedtls_mpi_init( &s );
3854
3855 if( signature_length != 2 * curve_bytes )
3856 return( PSA_ERROR_INVALID_SIGNATURE );
3857
3858 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &r,
3859 signature,
3860 curve_bytes ) );
3861 MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &s,
3862 signature + curve_bytes,
3863 curve_bytes ) );
3864
3865 /* Check whether the public part is loaded. If not, load it. */
3866 if( mbedtls_ecp_is_zero( &ecp->Q ) )
3867 {
3868 MBEDTLS_MPI_CHK(
3869 mbedtls_ecp_mul( &ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
3870 mbedtls_ctr_drbg_random, &global_data.ctr_drbg ) );
3871 }
3872
3873 ret = mbedtls_ecdsa_verify( &ecp->grp, hash, hash_length,
3874 &ecp->Q, &r, &s );
3875
3876 cleanup:
3877 mbedtls_mpi_free( &r );
3878 mbedtls_mpi_free( &s );
3879 return( mbedtls_to_psa_error( ret ) );
3880 }
3881 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3882 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3883
psa_sign_hash(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,uint8_t * signature,size_t signature_size,size_t * signature_length)3884 psa_status_t psa_sign_hash( mbedtls_svc_key_id_t key,
3885 psa_algorithm_t alg,
3886 const uint8_t *hash,
3887 size_t hash_length,
3888 uint8_t *signature,
3889 size_t signature_size,
3890 size_t *signature_length )
3891 {
3892 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3893 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3894 psa_key_slot_t *slot;
3895
3896 *signature_length = signature_size;
3897 /* Immediately reject a zero-length signature buffer. This guarantees
3898 * that signature must be a valid pointer. (On the other hand, the hash
3899 * buffer can in principle be empty since it doesn't actually have
3900 * to be a hash.) */
3901 if( signature_size == 0 )
3902 return( PSA_ERROR_BUFFER_TOO_SMALL );
3903
3904 status = psa_get_and_lock_key_slot_with_policy( key, &slot,
3905 PSA_KEY_USAGE_SIGN_HASH,
3906 alg );
3907 if( status != PSA_SUCCESS )
3908 goto exit;
3909 if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) )
3910 {
3911 status = PSA_ERROR_INVALID_ARGUMENT;
3912 goto exit;
3913 }
3914
3915 /* Try any of the available accelerators first */
3916 status = psa_driver_wrapper_sign_hash( slot,
3917 alg,
3918 hash,
3919 hash_length,
3920 signature,
3921 signature_size,
3922 signature_length );
3923 if( status != PSA_ERROR_NOT_SUPPORTED ||
3924 psa_key_lifetime_is_external( slot->attr.lifetime ) )
3925 goto exit;
3926
3927 /* If the operation was not supported by any accelerator, try fallback. */
3928 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
3929 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3930 if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
3931 {
3932 mbedtls_rsa_context *rsa = NULL;
3933
3934 status = psa_load_rsa_representation( slot->attr.type,
3935 slot->data.key.data,
3936 slot->data.key.bytes,
3937 &rsa );
3938 if( status != PSA_SUCCESS )
3939 goto exit;
3940
3941 status = psa_rsa_sign( rsa,
3942 alg,
3943 hash, hash_length,
3944 signature, signature_size,
3945 signature_length );
3946
3947 mbedtls_rsa_free( rsa );
3948 mbedtls_free( rsa );
3949 }
3950 else
3951 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
3952 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
3953 if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
3954 {
3955 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3956 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3957 if(
3958 #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3959 PSA_ALG_IS_ECDSA( alg )
3960 #else
3961 PSA_ALG_IS_RANDOMIZED_ECDSA( alg )
3962 #endif
3963 )
3964 {
3965 mbedtls_ecp_keypair *ecp = NULL;
3966 status = psa_load_ecp_representation( slot->attr.type,
3967 slot->data.key.data,
3968 slot->data.key.bytes,
3969 &ecp );
3970 if( status != PSA_SUCCESS )
3971 goto exit;
3972 status = psa_ecdsa_sign( ecp,
3973 alg,
3974 hash, hash_length,
3975 signature, signature_size,
3976 signature_length );
3977 mbedtls_ecp_keypair_free( ecp );
3978 mbedtls_free( ecp );
3979 }
3980 else
3981 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3982 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3983 {
3984 status = PSA_ERROR_INVALID_ARGUMENT;
3985 }
3986 }
3987 else
3988 {
3989 status = PSA_ERROR_NOT_SUPPORTED;
3990 }
3991
3992 exit:
3993 /* Fill the unused part of the output buffer (the whole buffer on error,
3994 * the trailing part on success) with something that isn't a valid mac
3995 * (barring an attack on the mac and deliberately-crafted input),
3996 * in case the caller doesn't check the return status properly. */
3997 if( status == PSA_SUCCESS )
3998 memset( signature + *signature_length, '!',
3999 signature_size - *signature_length );
4000 else
4001 memset( signature, '!', signature_size );
4002 /* If signature_size is 0 then we have nothing to do. We must not call
4003 * memset because signature may be NULL in this case. */
4004
4005 unlock_status = psa_unlock_key_slot( slot );
4006
4007 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
4008 }
4009
psa_verify_hash(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,const uint8_t * signature,size_t signature_length)4010 psa_status_t psa_verify_hash( mbedtls_svc_key_id_t key,
4011 psa_algorithm_t alg,
4012 const uint8_t *hash,
4013 size_t hash_length,
4014 const uint8_t *signature,
4015 size_t signature_length )
4016 {
4017 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4018 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4019 psa_key_slot_t *slot;
4020
4021 status = psa_get_and_lock_key_slot_with_policy( key, &slot,
4022 PSA_KEY_USAGE_VERIFY_HASH,
4023 alg );
4024 if( status != PSA_SUCCESS )
4025 return( status );
4026
4027 /* Try any of the available accelerators first */
4028 status = psa_driver_wrapper_verify_hash( slot,
4029 alg,
4030 hash,
4031 hash_length,
4032 signature,
4033 signature_length );
4034 if( status != PSA_ERROR_NOT_SUPPORTED ||
4035 psa_key_lifetime_is_external( slot->attr.lifetime ) )
4036 goto exit;
4037
4038 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
4039 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
4040 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
4041 {
4042 mbedtls_rsa_context *rsa = NULL;
4043
4044 status = psa_load_rsa_representation( slot->attr.type,
4045 slot->data.key.data,
4046 slot->data.key.bytes,
4047 &rsa );
4048 if( status != PSA_SUCCESS )
4049 goto exit;
4050
4051 status = psa_rsa_verify( rsa,
4052 alg,
4053 hash, hash_length,
4054 signature, signature_length );
4055 mbedtls_rsa_free( rsa );
4056 mbedtls_free( rsa );
4057 goto exit;
4058 }
4059 else
4060 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
4061 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
4062 if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
4063 {
4064 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4065 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
4066 if( PSA_ALG_IS_ECDSA( alg ) )
4067 {
4068 mbedtls_ecp_keypair *ecp = NULL;
4069 status = psa_load_ecp_representation( slot->attr.type,
4070 slot->data.key.data,
4071 slot->data.key.bytes,
4072 &ecp );
4073 if( status != PSA_SUCCESS )
4074 goto exit;
4075 status = psa_ecdsa_verify( ecp,
4076 hash, hash_length,
4077 signature, signature_length );
4078 mbedtls_ecp_keypair_free( ecp );
4079 mbedtls_free( ecp );
4080 goto exit;
4081 }
4082 else
4083 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4084 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
4085 {
4086 status = PSA_ERROR_INVALID_ARGUMENT;
4087 goto exit;
4088 }
4089 }
4090 else
4091 {
4092 status = PSA_ERROR_NOT_SUPPORTED;
4093 }
4094
4095 exit:
4096 unlock_status = psa_unlock_key_slot( slot );
4097
4098 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
4099 }
4100
4101 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
psa_rsa_oaep_set_padding_mode(psa_algorithm_t alg,mbedtls_rsa_context * rsa)4102 static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg,
4103 mbedtls_rsa_context *rsa )
4104 {
4105 psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH( alg );
4106 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
4107 mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info );
4108 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
4109 }
4110 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
4111
psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input,size_t input_length,const uint8_t * salt,size_t salt_length,uint8_t * output,size_t output_size,size_t * output_length)4112 psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key,
4113 psa_algorithm_t alg,
4114 const uint8_t *input,
4115 size_t input_length,
4116 const uint8_t *salt,
4117 size_t salt_length,
4118 uint8_t *output,
4119 size_t output_size,
4120 size_t *output_length )
4121 {
4122 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4123 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4124 psa_key_slot_t *slot;
4125
4126 (void) input;
4127 (void) input_length;
4128 (void) salt;
4129 (void) output;
4130 (void) output_size;
4131
4132 *output_length = 0;
4133
4134 if( ! PSA_ALG_IS_RSA_OAEP( alg ) && salt_length != 0 )
4135 return( PSA_ERROR_INVALID_ARGUMENT );
4136
4137 status = psa_get_and_lock_transparent_key_slot_with_policy(
4138 key, &slot, PSA_KEY_USAGE_ENCRYPT, alg );
4139 if( status != PSA_SUCCESS )
4140 return( status );
4141 if( ! ( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) ||
4142 PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) ) )
4143 {
4144 status = PSA_ERROR_INVALID_ARGUMENT;
4145 goto exit;
4146 }
4147
4148 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
4149 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
4150 if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
4151 {
4152 mbedtls_rsa_context *rsa = NULL;
4153 status = psa_load_rsa_representation( slot->attr.type,
4154 slot->data.key.data,
4155 slot->data.key.bytes,
4156 &rsa );
4157 if( status != PSA_SUCCESS )
4158 goto rsa_exit;
4159
4160 if( output_size < mbedtls_rsa_get_len( rsa ) )
4161 {
4162 status = PSA_ERROR_BUFFER_TOO_SMALL;
4163 goto rsa_exit;
4164 }
4165 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT)
4166 if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
4167 {
4168 status = mbedtls_to_psa_error(
4169 mbedtls_rsa_pkcs1_encrypt( rsa,
4170 mbedtls_ctr_drbg_random,
4171 &global_data.ctr_drbg,
4172 MBEDTLS_RSA_PUBLIC,
4173 input_length,
4174 input,
4175 output ) );
4176 }
4177 else
4178 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */
4179 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
4180 if( PSA_ALG_IS_RSA_OAEP( alg ) )
4181 {
4182 psa_rsa_oaep_set_padding_mode( alg, rsa );
4183 status = mbedtls_to_psa_error(
4184 mbedtls_rsa_rsaes_oaep_encrypt( rsa,
4185 mbedtls_ctr_drbg_random,
4186 &global_data.ctr_drbg,
4187 MBEDTLS_RSA_PUBLIC,
4188 salt, salt_length,
4189 input_length,
4190 input,
4191 output ) );
4192 }
4193 else
4194 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */
4195 {
4196 status = PSA_ERROR_INVALID_ARGUMENT;
4197 goto rsa_exit;
4198 }
4199 rsa_exit:
4200 if( status == PSA_SUCCESS )
4201 *output_length = mbedtls_rsa_get_len( rsa );
4202
4203 mbedtls_rsa_free( rsa );
4204 mbedtls_free( rsa );
4205 }
4206 else
4207 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
4208 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
4209 {
4210 status = PSA_ERROR_NOT_SUPPORTED;
4211 }
4212
4213 exit:
4214 unlock_status = psa_unlock_key_slot( slot );
4215
4216 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
4217 }
4218
psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input,size_t input_length,const uint8_t * salt,size_t salt_length,uint8_t * output,size_t output_size,size_t * output_length)4219 psa_status_t psa_asymmetric_decrypt( mbedtls_svc_key_id_t key,
4220 psa_algorithm_t alg,
4221 const uint8_t *input,
4222 size_t input_length,
4223 const uint8_t *salt,
4224 size_t salt_length,
4225 uint8_t *output,
4226 size_t output_size,
4227 size_t *output_length )
4228 {
4229 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4230 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4231 psa_key_slot_t *slot;
4232
4233 (void) input;
4234 (void) input_length;
4235 (void) salt;
4236 (void) output;
4237 (void) output_size;
4238
4239 *output_length = 0;
4240
4241 if( ! PSA_ALG_IS_RSA_OAEP( alg ) && salt_length != 0 )
4242 return( PSA_ERROR_INVALID_ARGUMENT );
4243
4244 status = psa_get_and_lock_transparent_key_slot_with_policy(
4245 key, &slot, PSA_KEY_USAGE_DECRYPT, alg );
4246 if( status != PSA_SUCCESS )
4247 return( status );
4248 if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) )
4249 {
4250 status = PSA_ERROR_INVALID_ARGUMENT;
4251 goto exit;
4252 }
4253
4254 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
4255 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
4256 if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
4257 {
4258 mbedtls_rsa_context *rsa = NULL;
4259 status = psa_load_rsa_representation( slot->attr.type,
4260 slot->data.key.data,
4261 slot->data.key.bytes,
4262 &rsa );
4263 if( status != PSA_SUCCESS )
4264 goto exit;
4265
4266 if( input_length != mbedtls_rsa_get_len( rsa ) )
4267 {
4268 status = PSA_ERROR_INVALID_ARGUMENT;
4269 goto rsa_exit;
4270 }
4271
4272 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT)
4273 if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
4274 {
4275 status = mbedtls_to_psa_error(
4276 mbedtls_rsa_pkcs1_decrypt( rsa,
4277 mbedtls_ctr_drbg_random,
4278 &global_data.ctr_drbg,
4279 MBEDTLS_RSA_PRIVATE,
4280 output_length,
4281 input,
4282 output,
4283 output_size ) );
4284 }
4285 else
4286 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */
4287 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
4288 if( PSA_ALG_IS_RSA_OAEP( alg ) )
4289 {
4290 psa_rsa_oaep_set_padding_mode( alg, rsa );
4291 status = mbedtls_to_psa_error(
4292 mbedtls_rsa_rsaes_oaep_decrypt( rsa,
4293 mbedtls_ctr_drbg_random,
4294 &global_data.ctr_drbg,
4295 MBEDTLS_RSA_PRIVATE,
4296 salt, salt_length,
4297 output_length,
4298 input,
4299 output,
4300 output_size ) );
4301 }
4302 else
4303 #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */
4304 {
4305 status = PSA_ERROR_INVALID_ARGUMENT;
4306 }
4307
4308 rsa_exit:
4309 mbedtls_rsa_free( rsa );
4310 mbedtls_free( rsa );
4311 }
4312 else
4313 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
4314 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
4315 {
4316 status = PSA_ERROR_NOT_SUPPORTED;
4317 }
4318
4319 exit:
4320 unlock_status = psa_unlock_key_slot( slot );
4321
4322 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
4323 }
4324
4325
4326
4327 /****************************************************************/
4328 /* Symmetric cryptography */
4329 /****************************************************************/
4330
psa_cipher_setup(psa_cipher_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,mbedtls_operation_t cipher_operation)4331 static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
4332 mbedtls_svc_key_id_t key,
4333 psa_algorithm_t alg,
4334 mbedtls_operation_t cipher_operation )
4335 {
4336 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4337 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4338 int ret = 0;
4339 psa_key_slot_t *slot;
4340 size_t key_bits;
4341 const mbedtls_cipher_info_t *cipher_info = NULL;
4342 psa_key_usage_t usage = ( cipher_operation == MBEDTLS_ENCRYPT ?
4343 PSA_KEY_USAGE_ENCRYPT :
4344 PSA_KEY_USAGE_DECRYPT );
4345
4346 /* A context must be freshly initialized before it can be set up. */
4347 if( operation->alg != 0 )
4348 return( PSA_ERROR_BAD_STATE );
4349
4350 /* The requested algorithm must be one that can be processed by cipher. */
4351 if( ! PSA_ALG_IS_CIPHER( alg ) )
4352 return( PSA_ERROR_INVALID_ARGUMENT );
4353
4354 /* Fetch key material from key storage. */
4355 status = psa_get_and_lock_key_slot_with_policy( key, &slot, usage, alg );
4356 if( status != PSA_SUCCESS )
4357 goto exit;
4358
4359 /* Initialize the operation struct members, except for alg. The alg member
4360 * is used to indicate to psa_cipher_abort that there are resources to free,
4361 * so we only set it after resources have been allocated/initialized. */
4362 operation->key_set = 0;
4363 operation->iv_set = 0;
4364 operation->mbedtls_in_use = 0;
4365 operation->iv_size = 0;
4366 operation->block_size = 0;
4367 if( alg == PSA_ALG_ECB_NO_PADDING )
4368 operation->iv_required = 0;
4369 else
4370 operation->iv_required = 1;
4371
4372 /* Try doing the operation through a driver before using software fallback. */
4373 if( cipher_operation == MBEDTLS_ENCRYPT )
4374 status = psa_driver_wrapper_cipher_encrypt_setup( &operation->ctx.driver,
4375 slot,
4376 alg );
4377 else
4378 status = psa_driver_wrapper_cipher_decrypt_setup( &operation->ctx.driver,
4379 slot,
4380 alg );
4381
4382 if( status == PSA_SUCCESS )
4383 {
4384 /* Once the driver context is initialised, it needs to be freed using
4385 * psa_cipher_abort. Indicate this through setting alg. */
4386 operation->alg = alg;
4387 }
4388
4389 if( status != PSA_ERROR_NOT_SUPPORTED ||
4390 psa_key_lifetime_is_external( slot->attr.lifetime ) )
4391 goto exit;
4392
4393 /* Proceed with initializing an mbed TLS cipher context if no driver is
4394 * available for the given algorithm & key. */
4395 mbedtls_cipher_init( &operation->ctx.cipher );
4396
4397 /* Once the cipher context is initialised, it needs to be freed using
4398 * psa_cipher_abort. Indicate there is something to be freed through setting
4399 * alg, and indicate the operation is being done using mbedtls crypto through
4400 * setting mbedtls_in_use. */
4401 operation->alg = alg;
4402 operation->mbedtls_in_use = 1;
4403
4404 key_bits = psa_get_key_slot_bits( slot );
4405 cipher_info = mbedtls_cipher_info_from_psa( alg, slot->attr.type, key_bits, NULL );
4406 if( cipher_info == NULL )
4407 {
4408 status = PSA_ERROR_NOT_SUPPORTED;
4409 goto exit;
4410 }
4411
4412 ret = mbedtls_cipher_setup( &operation->ctx.cipher, cipher_info );
4413 if( ret != 0 )
4414 goto exit;
4415
4416 #if defined(MBEDTLS_DES_C)
4417 if( slot->attr.type == PSA_KEY_TYPE_DES && key_bits == 128 )
4418 {
4419 /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
4420 uint8_t keys[24];
4421 memcpy( keys, slot->data.key.data, 16 );
4422 memcpy( keys + 16, slot->data.key.data, 8 );
4423 ret = mbedtls_cipher_setkey( &operation->ctx.cipher,
4424 keys,
4425 192, cipher_operation );
4426 }
4427 else
4428 #endif
4429 {
4430 ret = mbedtls_cipher_setkey( &operation->ctx.cipher,
4431 slot->data.key.data,
4432 (int) key_bits, cipher_operation );
4433 }
4434 if( ret != 0 )
4435 goto exit;
4436
4437 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
4438 switch( alg )
4439 {
4440 case PSA_ALG_CBC_NO_PADDING:
4441 ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher,
4442 MBEDTLS_PADDING_NONE );
4443 break;
4444 case PSA_ALG_CBC_PKCS7:
4445 ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher,
4446 MBEDTLS_PADDING_PKCS7 );
4447 break;
4448 default:
4449 /* The algorithm doesn't involve padding. */
4450 ret = 0;
4451 break;
4452 }
4453 if( ret != 0 )
4454 goto exit;
4455 #endif //MBEDTLS_CIPHER_MODE_WITH_PADDING
4456
4457 operation->block_size = ( PSA_ALG_IS_STREAM_CIPHER( alg ) ? 1 :
4458 PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->attr.type ) );
4459 if( ( alg & PSA_ALG_CIPHER_FROM_BLOCK_FLAG ) != 0 &&
4460 alg != PSA_ALG_ECB_NO_PADDING )
4461 {
4462 operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->attr.type );
4463 }
4464 #if defined(MBEDTLS_CHACHA20_C)
4465 else
4466 if( alg == PSA_ALG_STREAM_CIPHER && slot->attr.type == PSA_KEY_TYPE_CHACHA20 )
4467 operation->iv_size = 12;
4468 #endif
4469
4470 status = PSA_SUCCESS;
4471
4472 exit:
4473 if( ret != 0 )
4474 status = mbedtls_to_psa_error( ret );
4475 if( status == PSA_SUCCESS )
4476 {
4477 /* Update operation flags for both driver and software implementations */
4478 operation->key_set = 1;
4479 }
4480 else
4481 psa_cipher_abort( operation );
4482
4483 unlock_status = psa_unlock_key_slot( slot );
4484
4485 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
4486 }
4487
psa_cipher_encrypt_setup(psa_cipher_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg)4488 psa_status_t psa_cipher_encrypt_setup( psa_cipher_operation_t *operation,
4489 mbedtls_svc_key_id_t key,
4490 psa_algorithm_t alg )
4491 {
4492 return( psa_cipher_setup( operation, key, alg, MBEDTLS_ENCRYPT ) );
4493 }
4494
psa_cipher_decrypt_setup(psa_cipher_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg)4495 psa_status_t psa_cipher_decrypt_setup( psa_cipher_operation_t *operation,
4496 mbedtls_svc_key_id_t key,
4497 psa_algorithm_t alg )
4498 {
4499 return( psa_cipher_setup( operation, key, alg, MBEDTLS_DECRYPT ) );
4500 }
4501
psa_cipher_generate_iv(psa_cipher_operation_t * operation,uint8_t * iv,size_t iv_size,size_t * iv_length)4502 psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation,
4503 uint8_t *iv,
4504 size_t iv_size,
4505 size_t *iv_length )
4506 {
4507 psa_status_t status;
4508 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4509 if( operation->iv_set || ! operation->iv_required )
4510 {
4511 return( PSA_ERROR_BAD_STATE );
4512 }
4513
4514 if( operation->mbedtls_in_use == 0 )
4515 {
4516 status = psa_driver_wrapper_cipher_generate_iv( &operation->ctx.driver,
4517 iv,
4518 iv_size,
4519 iv_length );
4520 goto exit;
4521 }
4522
4523 if( iv_size < operation->iv_size )
4524 {
4525 status = PSA_ERROR_BUFFER_TOO_SMALL;
4526 goto exit;
4527 }
4528 ret = mbedtls_ctr_drbg_random( &global_data.ctr_drbg,
4529 iv, operation->iv_size );
4530 if( ret != 0 )
4531 {
4532 status = mbedtls_to_psa_error( ret );
4533 goto exit;
4534 }
4535
4536 *iv_length = operation->iv_size;
4537 status = psa_cipher_set_iv( operation, iv, *iv_length );
4538
4539 exit:
4540 if( status == PSA_SUCCESS )
4541 operation->iv_set = 1;
4542 else
4543 psa_cipher_abort( operation );
4544 return( status );
4545 }
4546
psa_cipher_set_iv(psa_cipher_operation_t * operation,const uint8_t * iv,size_t iv_length)4547 psa_status_t psa_cipher_set_iv( psa_cipher_operation_t *operation,
4548 const uint8_t *iv,
4549 size_t iv_length )
4550 {
4551 psa_status_t status;
4552 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4553 if( operation->iv_set || ! operation->iv_required )
4554 {
4555 return( PSA_ERROR_BAD_STATE );
4556 }
4557
4558 if( operation->mbedtls_in_use == 0 )
4559 {
4560 status = psa_driver_wrapper_cipher_set_iv( &operation->ctx.driver,
4561 iv,
4562 iv_length );
4563 goto exit;
4564 }
4565
4566 if( iv_length != operation->iv_size )
4567 {
4568 status = PSA_ERROR_INVALID_ARGUMENT;
4569 goto exit;
4570 }
4571 ret = mbedtls_cipher_set_iv( &operation->ctx.cipher, iv, iv_length );
4572 status = mbedtls_to_psa_error( ret );
4573 exit:
4574 if( status == PSA_SUCCESS )
4575 operation->iv_set = 1;
4576 else
4577 psa_cipher_abort( operation );
4578 return( status );
4579 }
4580
4581 /* Process input for which the algorithm is set to ECB mode. This requires
4582 * manual processing, since the PSA API is defined as being able to process
4583 * arbitrary-length calls to psa_cipher_update() with ECB mode, but the
4584 * underlying mbedtls_cipher_update only takes full blocks. */
psa_cipher_update_ecb_internal(mbedtls_cipher_context_t * ctx,const uint8_t * input,size_t input_length,uint8_t * output,size_t output_size,size_t * output_length)4585 static psa_status_t psa_cipher_update_ecb_internal(
4586 mbedtls_cipher_context_t *ctx,
4587 const uint8_t *input,
4588 size_t input_length,
4589 uint8_t *output,
4590 size_t output_size,
4591 size_t *output_length )
4592 {
4593 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4594 size_t block_size = ctx->cipher_info->block_size;
4595 size_t internal_output_length = 0;
4596 *output_length = 0;
4597
4598 if( input_length == 0 )
4599 {
4600 status = PSA_SUCCESS;
4601 goto exit;
4602 }
4603
4604 if( ctx->unprocessed_len > 0 )
4605 {
4606 /* Fill up to block size, and run the block if there's a full one. */
4607 size_t bytes_to_copy = block_size - ctx->unprocessed_len;
4608
4609 if( input_length < bytes_to_copy )
4610 bytes_to_copy = input_length;
4611
4612 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ),
4613 input, bytes_to_copy );
4614 input_length -= bytes_to_copy;
4615 input += bytes_to_copy;
4616 ctx->unprocessed_len += bytes_to_copy;
4617
4618 if( ctx->unprocessed_len == block_size )
4619 {
4620 status = mbedtls_to_psa_error(
4621 mbedtls_cipher_update( ctx,
4622 ctx->unprocessed_data,
4623 block_size,
4624 output, &internal_output_length ) );
4625
4626 if( status != PSA_SUCCESS )
4627 goto exit;
4628
4629 output += internal_output_length;
4630 output_size -= internal_output_length;
4631 *output_length += internal_output_length;
4632 ctx->unprocessed_len = 0;
4633 }
4634 }
4635
4636 while( input_length >= block_size )
4637 {
4638 /* Run all full blocks we have, one by one */
4639 status = mbedtls_to_psa_error(
4640 mbedtls_cipher_update( ctx, input,
4641 block_size,
4642 output, &internal_output_length ) );
4643
4644 if( status != PSA_SUCCESS )
4645 goto exit;
4646
4647 input_length -= block_size;
4648 input += block_size;
4649
4650 output += internal_output_length;
4651 output_size -= internal_output_length;
4652 *output_length += internal_output_length;
4653 }
4654
4655 if( input_length > 0 )
4656 {
4657 /* Save unprocessed bytes for later processing */
4658 memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ),
4659 input, input_length );
4660 ctx->unprocessed_len += input_length;
4661 }
4662
4663 status = PSA_SUCCESS;
4664
4665 exit:
4666 return( status );
4667 }
4668
psa_cipher_update(psa_cipher_operation_t * operation,const uint8_t * input,size_t input_length,uint8_t * output,size_t output_size,size_t * output_length)4669 psa_status_t psa_cipher_update( psa_cipher_operation_t *operation,
4670 const uint8_t *input,
4671 size_t input_length,
4672 uint8_t *output,
4673 size_t output_size,
4674 size_t *output_length )
4675 {
4676 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4677 size_t expected_output_size;
4678 if( operation->alg == 0 )
4679 {
4680 return( PSA_ERROR_BAD_STATE );
4681 }
4682 if( operation->iv_required && ! operation->iv_set )
4683 {
4684 return( PSA_ERROR_BAD_STATE );
4685 }
4686
4687 if( operation->mbedtls_in_use == 0 )
4688 {
4689 status = psa_driver_wrapper_cipher_update( &operation->ctx.driver,
4690 input,
4691 input_length,
4692 output,
4693 output_size,
4694 output_length );
4695 goto exit;
4696 }
4697
4698 if( ! PSA_ALG_IS_STREAM_CIPHER( operation->alg ) )
4699 {
4700 /* Take the unprocessed partial block left over from previous
4701 * update calls, if any, plus the input to this call. Remove
4702 * the last partial block, if any. You get the data that will be
4703 * output in this call. */
4704 expected_output_size =
4705 ( operation->ctx.cipher.unprocessed_len + input_length )
4706 / operation->block_size * operation->block_size;
4707 }
4708 else
4709 {
4710 expected_output_size = input_length;
4711 }
4712
4713 if( output_size < expected_output_size )
4714 {
4715 status = PSA_ERROR_BUFFER_TOO_SMALL;
4716 goto exit;
4717 }
4718
4719 if( operation->alg == PSA_ALG_ECB_NO_PADDING )
4720 {
4721 /* mbedtls_cipher_update has an API inconsistency: it will only
4722 * process a single block at a time in ECB mode. Abstract away that
4723 * inconsistency here to match the PSA API behaviour. */
4724 status = psa_cipher_update_ecb_internal( &operation->ctx.cipher,
4725 input,
4726 input_length,
4727 output,
4728 output_size,
4729 output_length );
4730 }
4731 else
4732 {
4733 status = mbedtls_to_psa_error(
4734 mbedtls_cipher_update( &operation->ctx.cipher, input,
4735 input_length, output, output_length ) );
4736 }
4737 exit:
4738 if( status != PSA_SUCCESS )
4739 psa_cipher_abort( operation );
4740 return( status );
4741 }
4742
psa_cipher_finish(psa_cipher_operation_t * operation,uint8_t * output,size_t output_size,size_t * output_length)4743 psa_status_t psa_cipher_finish( psa_cipher_operation_t *operation,
4744 uint8_t *output,
4745 size_t output_size,
4746 size_t *output_length )
4747 {
4748 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
4749 uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH];
4750 if( operation->alg == 0 )
4751 {
4752 return( PSA_ERROR_BAD_STATE );
4753 }
4754 if( operation->iv_required && ! operation->iv_set )
4755 {
4756 return( PSA_ERROR_BAD_STATE );
4757 }
4758
4759 if( operation->mbedtls_in_use == 0 )
4760 {
4761 status = psa_driver_wrapper_cipher_finish( &operation->ctx.driver,
4762 output,
4763 output_size,
4764 output_length );
4765 goto exit;
4766 }
4767
4768 if( operation->ctx.cipher.unprocessed_len != 0 )
4769 {
4770 if( operation->alg == PSA_ALG_ECB_NO_PADDING ||
4771 operation->alg == PSA_ALG_CBC_NO_PADDING )
4772 {
4773 status = PSA_ERROR_INVALID_ARGUMENT;
4774 goto exit;
4775 }
4776 }
4777
4778 status = mbedtls_to_psa_error(
4779 mbedtls_cipher_finish( &operation->ctx.cipher,
4780 temp_output_buffer,
4781 output_length ) );
4782 if( status != PSA_SUCCESS )
4783 goto exit;
4784
4785 if( *output_length == 0 )
4786 ; /* Nothing to copy. Note that output may be NULL in this case. */
4787 else if( output_size >= *output_length )
4788 memcpy( output, temp_output_buffer, *output_length );
4789 else
4790 status = PSA_ERROR_BUFFER_TOO_SMALL;
4791
4792 exit:
4793 if( operation->mbedtls_in_use == 1 )
4794 mbedtls_platform_zeroize( temp_output_buffer, sizeof( temp_output_buffer ) );
4795
4796 if( status == PSA_SUCCESS )
4797 return( psa_cipher_abort( operation ) );
4798 else
4799 {
4800 *output_length = 0;
4801 (void) psa_cipher_abort( operation );
4802
4803 return( status );
4804 }
4805 }
4806
psa_cipher_abort(psa_cipher_operation_t * operation)4807 psa_status_t psa_cipher_abort( psa_cipher_operation_t *operation )
4808 {
4809 if( operation->alg == 0 )
4810 {
4811 /* The object has (apparently) been initialized but it is not (yet)
4812 * in use. It's ok to call abort on such an object, and there's
4813 * nothing to do. */
4814 return( PSA_SUCCESS );
4815 }
4816
4817 /* Sanity check (shouldn't happen: operation->alg should
4818 * always have been initialized to a valid value). */
4819 if( ! PSA_ALG_IS_CIPHER( operation->alg ) )
4820 return( PSA_ERROR_BAD_STATE );
4821
4822 if( operation->mbedtls_in_use == 0 )
4823 psa_driver_wrapper_cipher_abort( &operation->ctx.driver );
4824 else
4825 mbedtls_cipher_free( &operation->ctx.cipher );
4826
4827 operation->alg = 0;
4828 operation->key_set = 0;
4829 operation->iv_set = 0;
4830 operation->mbedtls_in_use = 0;
4831 operation->iv_size = 0;
4832 operation->block_size = 0;
4833 operation->iv_required = 0;
4834
4835 return( PSA_SUCCESS );
4836 }
4837
4838
4839
4840
4841 /****************************************************************/
4842 /* AEAD */
4843 /****************************************************************/
4844
4845 typedef struct
4846 {
4847 psa_key_slot_t *slot;
4848 const mbedtls_cipher_info_t *cipher_info;
4849 union
4850 {
4851 unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
4852 #if defined(MBEDTLS_CCM_C)
4853 mbedtls_ccm_context ccm;
4854 #endif /* MBEDTLS_CCM_C */
4855 #if defined(MBEDTLS_GCM_C)
4856 mbedtls_gcm_context gcm;
4857 #endif /* MBEDTLS_GCM_C */
4858 #if defined(MBEDTLS_CHACHAPOLY_C)
4859 mbedtls_chachapoly_context chachapoly;
4860 #endif /* MBEDTLS_CHACHAPOLY_C */
4861 } ctx;
4862 psa_algorithm_t core_alg;
4863 uint8_t full_tag_length;
4864 uint8_t tag_length;
4865 } aead_operation_t;
4866
4867 #define AEAD_OPERATION_INIT {0, 0, {0}, 0, 0, 0}
4868
psa_aead_abort_internal(aead_operation_t * operation)4869 static void psa_aead_abort_internal( aead_operation_t *operation )
4870 {
4871 switch( operation->core_alg )
4872 {
4873 #if defined(MBEDTLS_CCM_C)
4874 case PSA_ALG_CCM:
4875 mbedtls_ccm_free( &operation->ctx.ccm );
4876 break;
4877 #endif /* MBEDTLS_CCM_C */
4878 #if defined(MBEDTLS_GCM_C)
4879 case PSA_ALG_GCM:
4880 mbedtls_gcm_free( &operation->ctx.gcm );
4881 break;
4882 #endif /* MBEDTLS_GCM_C */
4883 }
4884
4885 psa_unlock_key_slot( operation->slot );
4886 }
4887
psa_aead_setup(aead_operation_t * operation,mbedtls_svc_key_id_t key,psa_key_usage_t usage,psa_algorithm_t alg)4888 static psa_status_t psa_aead_setup( aead_operation_t *operation,
4889 mbedtls_svc_key_id_t key,
4890 psa_key_usage_t usage,
4891 psa_algorithm_t alg )
4892 {
4893 psa_status_t status;
4894 size_t key_bits;
4895 mbedtls_cipher_id_t cipher_id;
4896
4897 status = psa_get_and_lock_transparent_key_slot_with_policy(
4898 key, &operation->slot, usage, alg );
4899 if( status != PSA_SUCCESS )
4900 return( status );
4901
4902 key_bits = psa_get_key_slot_bits( operation->slot );
4903
4904 operation->cipher_info =
4905 mbedtls_cipher_info_from_psa( alg, operation->slot->attr.type, key_bits,
4906 &cipher_id );
4907 if( operation->cipher_info == NULL )
4908 {
4909 status = PSA_ERROR_NOT_SUPPORTED;
4910 goto cleanup;
4911 }
4912
4913 switch( PSA_ALG_AEAD_WITH_TAG_LENGTH( alg, 0 ) )
4914 {
4915 #if defined(MBEDTLS_CCM_C)
4916 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CCM, 0 ):
4917 operation->core_alg = PSA_ALG_CCM;
4918 operation->full_tag_length = 16;
4919 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
4920 * The call to mbedtls_ccm_encrypt_and_tag or
4921 * mbedtls_ccm_auth_decrypt will validate the tag length. */
4922 if( PSA_BLOCK_CIPHER_BLOCK_SIZE( operation->slot->attr.type ) != 16 )
4923 {
4924 status = PSA_ERROR_INVALID_ARGUMENT;
4925 goto cleanup;
4926 }
4927 mbedtls_ccm_init( &operation->ctx.ccm );
4928 status = mbedtls_to_psa_error(
4929 mbedtls_ccm_setkey( &operation->ctx.ccm, cipher_id,
4930 operation->slot->data.key.data,
4931 (unsigned int) key_bits ) );
4932 if( status != 0 )
4933 goto cleanup;
4934 break;
4935 #endif /* MBEDTLS_CCM_C */
4936
4937 #if defined(MBEDTLS_GCM_C)
4938 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_GCM, 0 ):
4939 operation->core_alg = PSA_ALG_GCM;
4940 operation->full_tag_length = 16;
4941 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
4942 * The call to mbedtls_gcm_crypt_and_tag or
4943 * mbedtls_gcm_auth_decrypt will validate the tag length. */
4944 if( PSA_BLOCK_CIPHER_BLOCK_SIZE( operation->slot->attr.type ) != 16 )
4945 {
4946 status = PSA_ERROR_INVALID_ARGUMENT;
4947 goto cleanup;
4948 }
4949 mbedtls_gcm_init( &operation->ctx.gcm );
4950 status = mbedtls_to_psa_error(
4951 mbedtls_gcm_setkey( &operation->ctx.gcm, cipher_id,
4952 operation->slot->data.key.data,
4953 (unsigned int) key_bits ) );
4954 if( status != 0 )
4955 goto cleanup;
4956 break;
4957 #endif /* MBEDTLS_GCM_C */
4958
4959 #if defined(MBEDTLS_CHACHAPOLY_C)
4960 case PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CHACHA20_POLY1305, 0 ):
4961 operation->core_alg = PSA_ALG_CHACHA20_POLY1305;
4962 operation->full_tag_length = 16;
4963 /* We only support the default tag length. */
4964 if( alg != PSA_ALG_CHACHA20_POLY1305 )
4965 {
4966 status = PSA_ERROR_NOT_SUPPORTED;
4967 goto cleanup;
4968 }
4969 mbedtls_chachapoly_init( &operation->ctx.chachapoly );
4970 status = mbedtls_to_psa_error(
4971 mbedtls_chachapoly_setkey( &operation->ctx.chachapoly,
4972 operation->slot->data.key.data ) );
4973 if( status != 0 )
4974 goto cleanup;
4975 break;
4976 #endif /* MBEDTLS_CHACHAPOLY_C */
4977
4978 default:
4979 status = PSA_ERROR_NOT_SUPPORTED;
4980 goto cleanup;
4981 }
4982
4983 if( PSA_AEAD_TAG_LENGTH( alg ) > operation->full_tag_length )
4984 {
4985 status = PSA_ERROR_INVALID_ARGUMENT;
4986 goto cleanup;
4987 }
4988 operation->tag_length = PSA_AEAD_TAG_LENGTH( alg );
4989
4990 return( PSA_SUCCESS );
4991
4992 cleanup:
4993 psa_aead_abort_internal( operation );
4994 return( status );
4995 }
4996
psa_aead_encrypt(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * nonce,size_t nonce_length,const uint8_t * additional_data,size_t additional_data_length,const uint8_t * plaintext,size_t plaintext_length,uint8_t * ciphertext,size_t ciphertext_size,size_t * ciphertext_length)4997 psa_status_t psa_aead_encrypt( mbedtls_svc_key_id_t key,
4998 psa_algorithm_t alg,
4999 const uint8_t *nonce,
5000 size_t nonce_length,
5001 const uint8_t *additional_data,
5002 size_t additional_data_length,
5003 const uint8_t *plaintext,
5004 size_t plaintext_length,
5005 uint8_t *ciphertext,
5006 size_t ciphertext_size,
5007 size_t *ciphertext_length )
5008 {
5009 psa_status_t status;
5010 aead_operation_t operation = AEAD_OPERATION_INIT;
5011 uint8_t *tag;
5012
5013 *ciphertext_length = 0;
5014
5015 status = psa_aead_setup( &operation, key, PSA_KEY_USAGE_ENCRYPT, alg );
5016 if( status != PSA_SUCCESS )
5017 return( status );
5018
5019 /* For all currently supported modes, the tag is at the end of the
5020 * ciphertext. */
5021 if( ciphertext_size < ( plaintext_length + operation.tag_length ) )
5022 {
5023 status = PSA_ERROR_BUFFER_TOO_SMALL;
5024 goto exit;
5025 }
5026 tag = ciphertext + plaintext_length;
5027
5028 #if defined(MBEDTLS_GCM_C)
5029 if( operation.core_alg == PSA_ALG_GCM )
5030 {
5031 status = mbedtls_to_psa_error(
5032 mbedtls_gcm_crypt_and_tag( &operation.ctx.gcm,
5033 MBEDTLS_GCM_ENCRYPT,
5034 plaintext_length,
5035 nonce, nonce_length,
5036 additional_data, additional_data_length,
5037 plaintext, ciphertext,
5038 operation.tag_length, tag ) );
5039 }
5040 else
5041 #endif /* MBEDTLS_GCM_C */
5042 #if defined(MBEDTLS_CCM_C)
5043 if( operation.core_alg == PSA_ALG_CCM )
5044 {
5045 status = mbedtls_to_psa_error(
5046 mbedtls_ccm_encrypt_and_tag( &operation.ctx.ccm,
5047 plaintext_length,
5048 nonce, nonce_length,
5049 additional_data,
5050 additional_data_length,
5051 plaintext, ciphertext,
5052 tag, operation.tag_length ) );
5053 }
5054 else
5055 #endif /* MBEDTLS_CCM_C */
5056 #if defined(MBEDTLS_CHACHAPOLY_C)
5057 if( operation.core_alg == PSA_ALG_CHACHA20_POLY1305 )
5058 {
5059 if( nonce_length != 12 || operation.tag_length != 16 )
5060 {
5061 status = PSA_ERROR_NOT_SUPPORTED;
5062 goto exit;
5063 }
5064 status = mbedtls_to_psa_error(
5065 mbedtls_chachapoly_encrypt_and_tag( &operation.ctx.chachapoly,
5066 plaintext_length,
5067 nonce,
5068 additional_data,
5069 additional_data_length,
5070 plaintext,
5071 ciphertext,
5072 tag ) );
5073 }
5074 else
5075 #endif /* MBEDTLS_CHACHAPOLY_C */
5076 {
5077 return( PSA_ERROR_NOT_SUPPORTED );
5078 }
5079
5080 if( status != PSA_SUCCESS && ciphertext_size != 0 )
5081 memset( ciphertext, 0, ciphertext_size );
5082
5083 exit:
5084 psa_aead_abort_internal( &operation );
5085 if( status == PSA_SUCCESS )
5086 *ciphertext_length = plaintext_length + operation.tag_length;
5087 return( status );
5088 }
5089
5090 /* Locate the tag in a ciphertext buffer containing the encrypted data
5091 * followed by the tag. Return the length of the part preceding the tag in
5092 * *plaintext_length. This is the size of the plaintext in modes where
5093 * the encrypted data has the same size as the plaintext, such as
5094 * CCM and GCM. */
psa_aead_unpadded_locate_tag(size_t tag_length,const uint8_t * ciphertext,size_t ciphertext_length,size_t plaintext_size,const uint8_t ** p_tag)5095 static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
5096 const uint8_t *ciphertext,
5097 size_t ciphertext_length,
5098 size_t plaintext_size,
5099 const uint8_t **p_tag )
5100 {
5101 size_t payload_length;
5102 if( tag_length > ciphertext_length )
5103 return( PSA_ERROR_INVALID_ARGUMENT );
5104 payload_length = ciphertext_length - tag_length;
5105 if( payload_length > plaintext_size )
5106 return( PSA_ERROR_BUFFER_TOO_SMALL );
5107 *p_tag = ciphertext + payload_length;
5108 return( PSA_SUCCESS );
5109 }
5110
psa_aead_decrypt(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * nonce,size_t nonce_length,const uint8_t * additional_data,size_t additional_data_length,const uint8_t * ciphertext,size_t ciphertext_length,uint8_t * plaintext,size_t plaintext_size,size_t * plaintext_length)5111 psa_status_t psa_aead_decrypt( mbedtls_svc_key_id_t key,
5112 psa_algorithm_t alg,
5113 const uint8_t *nonce,
5114 size_t nonce_length,
5115 const uint8_t *additional_data,
5116 size_t additional_data_length,
5117 const uint8_t *ciphertext,
5118 size_t ciphertext_length,
5119 uint8_t *plaintext,
5120 size_t plaintext_size,
5121 size_t *plaintext_length )
5122 {
5123 psa_status_t status;
5124 aead_operation_t operation = AEAD_OPERATION_INIT;
5125 const uint8_t *tag = NULL;
5126
5127 *plaintext_length = 0;
5128
5129 status = psa_aead_setup( &operation, key, PSA_KEY_USAGE_DECRYPT, alg );
5130 if( status != PSA_SUCCESS )
5131 return( status );
5132
5133 status = psa_aead_unpadded_locate_tag( operation.tag_length,
5134 ciphertext, ciphertext_length,
5135 plaintext_size, &tag );
5136 if( status != PSA_SUCCESS )
5137 goto exit;
5138
5139 #if defined(MBEDTLS_GCM_C)
5140 if( operation.core_alg == PSA_ALG_GCM )
5141 {
5142 status = mbedtls_to_psa_error(
5143 mbedtls_gcm_auth_decrypt( &operation.ctx.gcm,
5144 ciphertext_length - operation.tag_length,
5145 nonce, nonce_length,
5146 additional_data,
5147 additional_data_length,
5148 tag, operation.tag_length,
5149 ciphertext, plaintext ) );
5150 }
5151 else
5152 #endif /* MBEDTLS_GCM_C */
5153 #if defined(MBEDTLS_CCM_C)
5154 if( operation.core_alg == PSA_ALG_CCM )
5155 {
5156 status = mbedtls_to_psa_error(
5157 mbedtls_ccm_auth_decrypt( &operation.ctx.ccm,
5158 ciphertext_length - operation.tag_length,
5159 nonce, nonce_length,
5160 additional_data,
5161 additional_data_length,
5162 ciphertext, plaintext,
5163 tag, operation.tag_length ) );
5164 }
5165 else
5166 #endif /* MBEDTLS_CCM_C */
5167 #if defined(MBEDTLS_CHACHAPOLY_C)
5168 if( operation.core_alg == PSA_ALG_CHACHA20_POLY1305 )
5169 {
5170 if( nonce_length != 12 || operation.tag_length != 16 )
5171 {
5172 status = PSA_ERROR_NOT_SUPPORTED;
5173 goto exit;
5174 }
5175 status = mbedtls_to_psa_error(
5176 mbedtls_chachapoly_auth_decrypt( &operation.ctx.chachapoly,
5177 ciphertext_length - operation.tag_length,
5178 nonce,
5179 additional_data,
5180 additional_data_length,
5181 tag,
5182 ciphertext,
5183 plaintext ) );
5184 }
5185 else
5186 #endif /* MBEDTLS_CHACHAPOLY_C */
5187 {
5188 return( PSA_ERROR_NOT_SUPPORTED );
5189 }
5190
5191 if( status != PSA_SUCCESS && plaintext_size != 0 )
5192 memset( plaintext, 0, plaintext_size );
5193
5194 exit:
5195 psa_aead_abort_internal( &operation );
5196 if( status == PSA_SUCCESS )
5197 *plaintext_length = ciphertext_length - operation.tag_length;
5198 return( status );
5199 }
5200
5201
5202
5203 /****************************************************************/
5204 /* Generators */
5205 /****************************************************************/
5206
5207 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
5208 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5209 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5210 #define AT_LEAST_ONE_BUILTIN_KDF
5211 #endif
5212
5213 #define HKDF_STATE_INIT 0 /* no input yet */
5214 #define HKDF_STATE_STARTED 1 /* got salt */
5215 #define HKDF_STATE_KEYED 2 /* got key */
5216 #define HKDF_STATE_OUTPUT 3 /* output started */
5217
psa_key_derivation_get_kdf_alg(const psa_key_derivation_operation_t * operation)5218 static psa_algorithm_t psa_key_derivation_get_kdf_alg(
5219 const psa_key_derivation_operation_t *operation )
5220 {
5221 if ( PSA_ALG_IS_KEY_AGREEMENT( operation->alg ) )
5222 return( PSA_ALG_KEY_AGREEMENT_GET_KDF( operation->alg ) );
5223 else
5224 return( operation->alg );
5225 }
5226
psa_key_derivation_abort(psa_key_derivation_operation_t * operation)5227 psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation )
5228 {
5229 psa_status_t status = PSA_SUCCESS;
5230 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
5231 if( kdf_alg == 0 )
5232 {
5233 /* The object has (apparently) been initialized but it is not
5234 * in use. It's ok to call abort on such an object, and there's
5235 * nothing to do. */
5236 }
5237 else
5238 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
5239 if( PSA_ALG_IS_HKDF( kdf_alg ) )
5240 {
5241 mbedtls_free( operation->ctx.hkdf.info );
5242 status = psa_hmac_abort_internal( &operation->ctx.hkdf.hmac );
5243 }
5244 else
5245 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF */
5246 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5247 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5248 if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
5249 /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
5250 PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
5251 {
5252 if( operation->ctx.tls12_prf.seed != NULL )
5253 {
5254 mbedtls_platform_zeroize( operation->ctx.tls12_prf.seed,
5255 operation->ctx.tls12_prf.seed_length );
5256 mbedtls_free( operation->ctx.tls12_prf.seed );
5257 }
5258
5259 if( operation->ctx.tls12_prf.label != NULL )
5260 {
5261 mbedtls_platform_zeroize( operation->ctx.tls12_prf.label,
5262 operation->ctx.tls12_prf.label_length );
5263 mbedtls_free( operation->ctx.tls12_prf.label );
5264 }
5265
5266 status = psa_hmac_abort_internal( &operation->ctx.tls12_prf.hmac );
5267
5268 /* We leave the fields Ai and output_block to be erased safely by the
5269 * mbedtls_platform_zeroize() in the end of this function. */
5270 }
5271 else
5272 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
5273 * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */
5274 {
5275 status = PSA_ERROR_BAD_STATE;
5276 }
5277 mbedtls_platform_zeroize( operation, sizeof( *operation ) );
5278 return( status );
5279 }
5280
psa_key_derivation_get_capacity(const psa_key_derivation_operation_t * operation,size_t * capacity)5281 psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation,
5282 size_t *capacity)
5283 {
5284 if( operation->alg == 0 )
5285 {
5286 /* This is a blank key derivation operation. */
5287 return( PSA_ERROR_BAD_STATE );
5288 }
5289
5290 *capacity = operation->capacity;
5291 return( PSA_SUCCESS );
5292 }
5293
psa_key_derivation_set_capacity(psa_key_derivation_operation_t * operation,size_t capacity)5294 psa_status_t psa_key_derivation_set_capacity( psa_key_derivation_operation_t *operation,
5295 size_t capacity )
5296 {
5297 if( operation->alg == 0 )
5298 return( PSA_ERROR_BAD_STATE );
5299 if( capacity > operation->capacity )
5300 return( PSA_ERROR_INVALID_ARGUMENT );
5301 operation->capacity = capacity;
5302 return( PSA_SUCCESS );
5303 }
5304
5305 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
5306 /* Read some bytes from an HKDF-based operation. This performs a chunk
5307 * of the expand phase of the HKDF algorithm. */
psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t * hkdf,psa_algorithm_t hash_alg,uint8_t * output,size_t output_length)5308 static psa_status_t psa_key_derivation_hkdf_read( psa_hkdf_key_derivation_t *hkdf,
5309 psa_algorithm_t hash_alg,
5310 uint8_t *output,
5311 size_t output_length )
5312 {
5313 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
5314 psa_status_t status;
5315
5316 if( hkdf->state < HKDF_STATE_KEYED || ! hkdf->info_set )
5317 return( PSA_ERROR_BAD_STATE );
5318 hkdf->state = HKDF_STATE_OUTPUT;
5319
5320 while( output_length != 0 )
5321 {
5322 /* Copy what remains of the current block */
5323 uint8_t n = hash_length - hkdf->offset_in_block;
5324 if( n > output_length )
5325 n = (uint8_t) output_length;
5326 memcpy( output, hkdf->output_block + hkdf->offset_in_block, n );
5327 output += n;
5328 output_length -= n;
5329 hkdf->offset_in_block += n;
5330 if( output_length == 0 )
5331 break;
5332 /* We can't be wanting more output after block 0xff, otherwise
5333 * the capacity check in psa_key_derivation_output_bytes() would have
5334 * prevented this call. It could happen only if the operation
5335 * object was corrupted or if this function is called directly
5336 * inside the library. */
5337 if( hkdf->block_number == 0xff )
5338 return( PSA_ERROR_BAD_STATE );
5339
5340 /* We need a new block */
5341 ++hkdf->block_number;
5342 hkdf->offset_in_block = 0;
5343 status = psa_hmac_setup_internal( &hkdf->hmac,
5344 hkdf->prk, hash_length,
5345 hash_alg );
5346 if( status != PSA_SUCCESS )
5347 return( status );
5348 if( hkdf->block_number != 1 )
5349 {
5350 status = psa_hash_update( &hkdf->hmac.hash_ctx,
5351 hkdf->output_block,
5352 hash_length );
5353 if( status != PSA_SUCCESS )
5354 return( status );
5355 }
5356 status = psa_hash_update( &hkdf->hmac.hash_ctx,
5357 hkdf->info,
5358 hkdf->info_length );
5359 if( status != PSA_SUCCESS )
5360 return( status );
5361 status = psa_hash_update( &hkdf->hmac.hash_ctx,
5362 &hkdf->block_number, 1 );
5363 if( status != PSA_SUCCESS )
5364 return( status );
5365 status = psa_hmac_finish_internal( &hkdf->hmac,
5366 hkdf->output_block,
5367 sizeof( hkdf->output_block ) );
5368 if( status != PSA_SUCCESS )
5369 return( status );
5370 }
5371
5372 return( PSA_SUCCESS );
5373 }
5374 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
5375
5376 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5377 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
psa_key_derivation_tls12_prf_generate_next_block(psa_tls12_prf_key_derivation_t * tls12_prf,psa_algorithm_t alg)5378 static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
5379 psa_tls12_prf_key_derivation_t *tls12_prf,
5380 psa_algorithm_t alg )
5381 {
5382 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg );
5383 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
5384 psa_hash_operation_t backup = PSA_HASH_OPERATION_INIT;
5385 psa_status_t status, cleanup_status;
5386
5387 /* We can't be wanting more output after block 0xff, otherwise
5388 * the capacity check in psa_key_derivation_output_bytes() would have
5389 * prevented this call. It could happen only if the operation
5390 * object was corrupted or if this function is called directly
5391 * inside the library. */
5392 if( tls12_prf->block_number == 0xff )
5393 return( PSA_ERROR_CORRUPTION_DETECTED );
5394
5395 /* We need a new block */
5396 ++tls12_prf->block_number;
5397 tls12_prf->left_in_block = hash_length;
5398
5399 /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
5400 *
5401 * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
5402 *
5403 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
5404 * HMAC_hash(secret, A(2) + seed) +
5405 * HMAC_hash(secret, A(3) + seed) + ...
5406 *
5407 * A(0) = seed
5408 * A(i) = HMAC_hash(secret, A(i-1))
5409 *
5410 * The `psa_tls12_prf_key_derivation` structure saves the block
5411 * `HMAC_hash(secret, A(i) + seed)` from which the output
5412 * is currently extracted as `output_block` and where i is
5413 * `block_number`.
5414 */
5415
5416 /* Save the hash context before using it, to preserve the hash state with
5417 * only the inner padding in it. We need this, because inner padding depends
5418 * on the key (secret in the RFC's terminology). */
5419 status = psa_hash_clone( &tls12_prf->hmac.hash_ctx, &backup );
5420 if( status != PSA_SUCCESS )
5421 goto cleanup;
5422
5423 /* Calculate A(i) where i = tls12_prf->block_number. */
5424 if( tls12_prf->block_number == 1 )
5425 {
5426 /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads
5427 * the variable seed and in this instance means it in the context of the
5428 * P_hash function, where seed = label + seed.) */
5429 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
5430 tls12_prf->label, tls12_prf->label_length );
5431 if( status != PSA_SUCCESS )
5432 goto cleanup;
5433 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
5434 tls12_prf->seed, tls12_prf->seed_length );
5435 if( status != PSA_SUCCESS )
5436 goto cleanup;
5437 }
5438 else
5439 {
5440 /* A(i) = HMAC_hash(secret, A(i-1)) */
5441 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
5442 tls12_prf->Ai, hash_length );
5443 if( status != PSA_SUCCESS )
5444 goto cleanup;
5445 }
5446
5447 status = psa_hmac_finish_internal( &tls12_prf->hmac,
5448 tls12_prf->Ai, hash_length );
5449 if( status != PSA_SUCCESS )
5450 goto cleanup;
5451 status = psa_hash_clone( &backup, &tls12_prf->hmac.hash_ctx );
5452 if( status != PSA_SUCCESS )
5453 goto cleanup;
5454
5455 /* Calculate HMAC_hash(secret, A(i) + label + seed). */
5456 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
5457 tls12_prf->Ai, hash_length );
5458 if( status != PSA_SUCCESS )
5459 goto cleanup;
5460 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
5461 tls12_prf->label, tls12_prf->label_length );
5462 if( status != PSA_SUCCESS )
5463 goto cleanup;
5464 status = psa_hash_update( &tls12_prf->hmac.hash_ctx,
5465 tls12_prf->seed, tls12_prf->seed_length );
5466 if( status != PSA_SUCCESS )
5467 goto cleanup;
5468 status = psa_hmac_finish_internal( &tls12_prf->hmac,
5469 tls12_prf->output_block, hash_length );
5470 if( status != PSA_SUCCESS )
5471 goto cleanup;
5472 status = psa_hash_clone( &backup, &tls12_prf->hmac.hash_ctx );
5473 if( status != PSA_SUCCESS )
5474 goto cleanup;
5475
5476
5477 cleanup:
5478
5479 cleanup_status = psa_hash_abort( &backup );
5480 if( status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS )
5481 status = cleanup_status;
5482
5483 return( status );
5484 }
5485
psa_key_derivation_tls12_prf_read(psa_tls12_prf_key_derivation_t * tls12_prf,psa_algorithm_t alg,uint8_t * output,size_t output_length)5486 static psa_status_t psa_key_derivation_tls12_prf_read(
5487 psa_tls12_prf_key_derivation_t *tls12_prf,
5488 psa_algorithm_t alg,
5489 uint8_t *output,
5490 size_t output_length )
5491 {
5492 psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg );
5493 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
5494 psa_status_t status;
5495 uint8_t offset, length;
5496
5497 while( output_length != 0 )
5498 {
5499 /* Check if we have fully processed the current block. */
5500 if( tls12_prf->left_in_block == 0 )
5501 {
5502 status = psa_key_derivation_tls12_prf_generate_next_block( tls12_prf,
5503 alg );
5504 if( status != PSA_SUCCESS )
5505 return( status );
5506
5507 continue;
5508 }
5509
5510 if( tls12_prf->left_in_block > output_length )
5511 length = (uint8_t) output_length;
5512 else
5513 length = tls12_prf->left_in_block;
5514
5515 offset = hash_length - tls12_prf->left_in_block;
5516 memcpy( output, tls12_prf->output_block + offset, length );
5517 output += length;
5518 output_length -= length;
5519 tls12_prf->left_in_block -= length;
5520 }
5521
5522 return( PSA_SUCCESS );
5523 }
5524 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
5525 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
5526
psa_key_derivation_output_bytes(psa_key_derivation_operation_t * operation,uint8_t * output,size_t output_length)5527 psa_status_t psa_key_derivation_output_bytes(
5528 psa_key_derivation_operation_t *operation,
5529 uint8_t *output,
5530 size_t output_length )
5531 {
5532 psa_status_t status;
5533 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
5534
5535 if( operation->alg == 0 )
5536 {
5537 /* This is a blank operation. */
5538 return( PSA_ERROR_BAD_STATE );
5539 }
5540
5541 if( output_length > operation->capacity )
5542 {
5543 operation->capacity = 0;
5544 /* Go through the error path to wipe all confidential data now
5545 * that the operation object is useless. */
5546 status = PSA_ERROR_INSUFFICIENT_DATA;
5547 goto exit;
5548 }
5549 if( output_length == 0 && operation->capacity == 0 )
5550 {
5551 /* Edge case: this is a finished operation, and 0 bytes
5552 * were requested. The right error in this case could
5553 * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
5554 * INSUFFICIENT_CAPACITY, which is right for a finished
5555 * operation, for consistency with the case when
5556 * output_length > 0. */
5557 return( PSA_ERROR_INSUFFICIENT_DATA );
5558 }
5559 operation->capacity -= output_length;
5560
5561 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
5562 if( PSA_ALG_IS_HKDF( kdf_alg ) )
5563 {
5564 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
5565 status = psa_key_derivation_hkdf_read( &operation->ctx.hkdf, hash_alg,
5566 output, output_length );
5567 }
5568 else
5569 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
5570 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5571 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5572 if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
5573 PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
5574 {
5575 status = psa_key_derivation_tls12_prf_read( &operation->ctx.tls12_prf,
5576 kdf_alg, output,
5577 output_length );
5578 }
5579 else
5580 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
5581 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
5582 {
5583 return( PSA_ERROR_BAD_STATE );
5584 }
5585
5586 exit:
5587 if( status != PSA_SUCCESS )
5588 {
5589 /* Preserve the algorithm upon errors, but clear all sensitive state.
5590 * This allows us to differentiate between exhausted operations and
5591 * blank operations, so we can return PSA_ERROR_BAD_STATE on blank
5592 * operations. */
5593 psa_algorithm_t alg = operation->alg;
5594 psa_key_derivation_abort( operation );
5595 operation->alg = alg;
5596 memset( output, '!', output_length );
5597 }
5598 return( status );
5599 }
5600
5601 #if defined(MBEDTLS_DES_C)
psa_des_set_key_parity(uint8_t * data,size_t data_size)5602 static void psa_des_set_key_parity( uint8_t *data, size_t data_size )
5603 {
5604 if( data_size >= 8 )
5605 mbedtls_des_key_set_parity( data );
5606 if( data_size >= 16 )
5607 mbedtls_des_key_set_parity( data + 8 );
5608 if( data_size >= 24 )
5609 mbedtls_des_key_set_parity( data + 16 );
5610 }
5611 #endif /* MBEDTLS_DES_C */
5612
psa_generate_derived_key_internal(psa_key_slot_t * slot,size_t bits,psa_key_derivation_operation_t * operation)5613 static psa_status_t psa_generate_derived_key_internal(
5614 psa_key_slot_t *slot,
5615 size_t bits,
5616 psa_key_derivation_operation_t *operation )
5617 {
5618 uint8_t *data = NULL;
5619 size_t bytes = PSA_BITS_TO_BYTES( bits );
5620 psa_status_t status;
5621
5622 if( ! key_type_is_raw_bytes( slot->attr.type ) )
5623 return( PSA_ERROR_INVALID_ARGUMENT );
5624 if( bits % 8 != 0 )
5625 return( PSA_ERROR_INVALID_ARGUMENT );
5626 data = mbedtls_calloc( 1, bytes );
5627 if( data == NULL )
5628 return( PSA_ERROR_INSUFFICIENT_MEMORY );
5629
5630 status = psa_key_derivation_output_bytes( operation, data, bytes );
5631 if( status != PSA_SUCCESS )
5632 goto exit;
5633 #if defined(MBEDTLS_DES_C)
5634 if( slot->attr.type == PSA_KEY_TYPE_DES )
5635 psa_des_set_key_parity( data, bytes );
5636 #endif /* MBEDTLS_DES_C */
5637 status = psa_import_key_into_slot( slot, data, bytes );
5638
5639 exit:
5640 mbedtls_free( data );
5641 return( status );
5642 }
5643
psa_key_derivation_output_key(const psa_key_attributes_t * attributes,psa_key_derivation_operation_t * operation,mbedtls_svc_key_id_t * key)5644 psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attributes,
5645 psa_key_derivation_operation_t *operation,
5646 mbedtls_svc_key_id_t *key )
5647 {
5648 psa_status_t status;
5649 psa_key_slot_t *slot = NULL;
5650 psa_se_drv_table_entry_t *driver = NULL;
5651
5652 *key = MBEDTLS_SVC_KEY_ID_INIT;
5653
5654 /* Reject any attempt to create a zero-length key so that we don't
5655 * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
5656 if( psa_get_key_bits( attributes ) == 0 )
5657 return( PSA_ERROR_INVALID_ARGUMENT );
5658
5659 if( ! operation->can_output_key )
5660 return( PSA_ERROR_NOT_PERMITTED );
5661
5662 status = psa_start_key_creation( PSA_KEY_CREATION_DERIVE, attributes,
5663 &slot, &driver );
5664 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
5665 if( driver != NULL )
5666 {
5667 /* Deriving a key in a secure element is not implemented yet. */
5668 status = PSA_ERROR_NOT_SUPPORTED;
5669 }
5670 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
5671 if( status == PSA_SUCCESS )
5672 {
5673 status = psa_generate_derived_key_internal( slot,
5674 attributes->core.bits,
5675 operation );
5676 }
5677 if( status == PSA_SUCCESS )
5678 status = psa_finish_key_creation( slot, driver, key );
5679 if( status != PSA_SUCCESS )
5680 psa_fail_key_creation( slot, driver );
5681
5682 return( status );
5683 }
5684
5685
5686
5687 /****************************************************************/
5688 /* Key derivation */
5689 /****************************************************************/
5690
5691 #ifdef AT_LEAST_ONE_BUILTIN_KDF
psa_key_derivation_setup_kdf(psa_key_derivation_operation_t * operation,psa_algorithm_t kdf_alg)5692 static psa_status_t psa_key_derivation_setup_kdf(
5693 psa_key_derivation_operation_t *operation,
5694 psa_algorithm_t kdf_alg )
5695 {
5696 int is_kdf_alg_supported;
5697
5698 /* Make sure that operation->ctx is properly zero-initialised. (Macro
5699 * initialisers for this union leave some bytes unspecified.) */
5700 memset( &operation->ctx, 0, sizeof( operation->ctx ) );
5701
5702 /* Make sure that kdf_alg is a supported key derivation algorithm. */
5703 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
5704 if( PSA_ALG_IS_HKDF( kdf_alg ) )
5705 is_kdf_alg_supported = 1;
5706 else
5707 #endif
5708 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
5709 if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) )
5710 is_kdf_alg_supported = 1;
5711 else
5712 #endif
5713 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5714 if( PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
5715 is_kdf_alg_supported = 1;
5716 else
5717 #endif
5718 is_kdf_alg_supported = 0;
5719
5720 if( is_kdf_alg_supported )
5721 {
5722 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
5723 size_t hash_size = PSA_HASH_SIZE( hash_alg );
5724 if( hash_size == 0 )
5725 return( PSA_ERROR_NOT_SUPPORTED );
5726 if( ( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
5727 PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) &&
5728 ! ( hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384 ) )
5729 {
5730 return( PSA_ERROR_NOT_SUPPORTED );
5731 }
5732 operation->capacity = 255 * hash_size;
5733 return( PSA_SUCCESS );
5734 }
5735
5736 return( PSA_ERROR_NOT_SUPPORTED );
5737 }
5738 #endif /* AT_LEAST_ONE_BUILTIN_KDF */
5739
psa_key_derivation_setup(psa_key_derivation_operation_t * operation,psa_algorithm_t alg)5740 psa_status_t psa_key_derivation_setup( psa_key_derivation_operation_t *operation,
5741 psa_algorithm_t alg )
5742 {
5743 psa_status_t status;
5744
5745 if( operation->alg != 0 )
5746 return( PSA_ERROR_BAD_STATE );
5747
5748 if( PSA_ALG_IS_RAW_KEY_AGREEMENT( alg ) )
5749 return( PSA_ERROR_INVALID_ARGUMENT );
5750 #ifdef AT_LEAST_ONE_BUILTIN_KDF
5751 else if( PSA_ALG_IS_KEY_AGREEMENT( alg ) )
5752 {
5753 psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF( alg );
5754 status = psa_key_derivation_setup_kdf( operation, kdf_alg );
5755 }
5756 else if( PSA_ALG_IS_KEY_DERIVATION( alg ) )
5757 {
5758 status = psa_key_derivation_setup_kdf( operation, alg );
5759 }
5760 #endif
5761 else
5762 return( PSA_ERROR_INVALID_ARGUMENT );
5763
5764 if( status == PSA_SUCCESS )
5765 operation->alg = alg;
5766 return( status );
5767 }
5768
5769 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
psa_hkdf_input(psa_hkdf_key_derivation_t * hkdf,psa_algorithm_t hash_alg,psa_key_derivation_step_t step,const uint8_t * data,size_t data_length)5770 static psa_status_t psa_hkdf_input( psa_hkdf_key_derivation_t *hkdf,
5771 psa_algorithm_t hash_alg,
5772 psa_key_derivation_step_t step,
5773 const uint8_t *data,
5774 size_t data_length )
5775 {
5776 psa_status_t status;
5777 switch( step )
5778 {
5779 case PSA_KEY_DERIVATION_INPUT_SALT:
5780 if( hkdf->state != HKDF_STATE_INIT )
5781 return( PSA_ERROR_BAD_STATE );
5782 status = psa_hmac_setup_internal( &hkdf->hmac,
5783 data, data_length,
5784 hash_alg );
5785 if( status != PSA_SUCCESS )
5786 return( status );
5787 hkdf->state = HKDF_STATE_STARTED;
5788 return( PSA_SUCCESS );
5789 case PSA_KEY_DERIVATION_INPUT_SECRET:
5790 /* If no salt was provided, use an empty salt. */
5791 if( hkdf->state == HKDF_STATE_INIT )
5792 {
5793 status = psa_hmac_setup_internal( &hkdf->hmac,
5794 NULL, 0,
5795 hash_alg );
5796 if( status != PSA_SUCCESS )
5797 return( status );
5798 hkdf->state = HKDF_STATE_STARTED;
5799 }
5800 if( hkdf->state != HKDF_STATE_STARTED )
5801 return( PSA_ERROR_BAD_STATE );
5802 status = psa_hash_update( &hkdf->hmac.hash_ctx,
5803 data, data_length );
5804 if( status != PSA_SUCCESS )
5805 return( status );
5806 status = psa_hmac_finish_internal( &hkdf->hmac,
5807 hkdf->prk,
5808 sizeof( hkdf->prk ) );
5809 if( status != PSA_SUCCESS )
5810 return( status );
5811 hkdf->offset_in_block = PSA_HASH_SIZE( hash_alg );
5812 hkdf->block_number = 0;
5813 hkdf->state = HKDF_STATE_KEYED;
5814 return( PSA_SUCCESS );
5815 case PSA_KEY_DERIVATION_INPUT_INFO:
5816 if( hkdf->state == HKDF_STATE_OUTPUT )
5817 return( PSA_ERROR_BAD_STATE );
5818 if( hkdf->info_set )
5819 return( PSA_ERROR_BAD_STATE );
5820 hkdf->info_length = data_length;
5821 if( data_length != 0 )
5822 {
5823 hkdf->info = mbedtls_calloc( 1, data_length );
5824 if( hkdf->info == NULL )
5825 return( PSA_ERROR_INSUFFICIENT_MEMORY );
5826 memcpy( hkdf->info, data, data_length );
5827 }
5828 hkdf->info_set = 1;
5829 return( PSA_SUCCESS );
5830 default:
5831 return( PSA_ERROR_INVALID_ARGUMENT );
5832 }
5833 }
5834 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
5835
5836 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5837 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t * prf,const uint8_t * data,size_t data_length)5838 static psa_status_t psa_tls12_prf_set_seed( psa_tls12_prf_key_derivation_t *prf,
5839 const uint8_t *data,
5840 size_t data_length )
5841 {
5842 if( prf->state != TLS12_PRF_STATE_INIT )
5843 return( PSA_ERROR_BAD_STATE );
5844
5845 if( data_length != 0 )
5846 {
5847 prf->seed = mbedtls_calloc( 1, data_length );
5848 if( prf->seed == NULL )
5849 return( PSA_ERROR_INSUFFICIENT_MEMORY );
5850
5851 memcpy( prf->seed, data, data_length );
5852 prf->seed_length = data_length;
5853 }
5854
5855 prf->state = TLS12_PRF_STATE_SEED_SET;
5856
5857 return( PSA_SUCCESS );
5858 }
5859
psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t * prf,psa_algorithm_t hash_alg,const uint8_t * data,size_t data_length)5860 static psa_status_t psa_tls12_prf_set_key( psa_tls12_prf_key_derivation_t *prf,
5861 psa_algorithm_t hash_alg,
5862 const uint8_t *data,
5863 size_t data_length )
5864 {
5865 psa_status_t status;
5866 if( prf->state != TLS12_PRF_STATE_SEED_SET )
5867 return( PSA_ERROR_BAD_STATE );
5868
5869 status = psa_hmac_setup_internal( &prf->hmac, data, data_length, hash_alg );
5870 if( status != PSA_SUCCESS )
5871 return( status );
5872
5873 prf->state = TLS12_PRF_STATE_KEY_SET;
5874
5875 return( PSA_SUCCESS );
5876 }
5877
psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t * prf,const uint8_t * data,size_t data_length)5878 static psa_status_t psa_tls12_prf_set_label( psa_tls12_prf_key_derivation_t *prf,
5879 const uint8_t *data,
5880 size_t data_length )
5881 {
5882 if( prf->state != TLS12_PRF_STATE_KEY_SET )
5883 return( PSA_ERROR_BAD_STATE );
5884
5885 if( data_length != 0 )
5886 {
5887 prf->label = mbedtls_calloc( 1, data_length );
5888 if( prf->label == NULL )
5889 return( PSA_ERROR_INSUFFICIENT_MEMORY );
5890
5891 memcpy( prf->label, data, data_length );
5892 prf->label_length = data_length;
5893 }
5894
5895 prf->state = TLS12_PRF_STATE_LABEL_SET;
5896
5897 return( PSA_SUCCESS );
5898 }
5899
psa_tls12_prf_input(psa_tls12_prf_key_derivation_t * prf,psa_algorithm_t hash_alg,psa_key_derivation_step_t step,const uint8_t * data,size_t data_length)5900 static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
5901 psa_algorithm_t hash_alg,
5902 psa_key_derivation_step_t step,
5903 const uint8_t *data,
5904 size_t data_length )
5905 {
5906 switch( step )
5907 {
5908 case PSA_KEY_DERIVATION_INPUT_SEED:
5909 return( psa_tls12_prf_set_seed( prf, data, data_length ) );
5910 case PSA_KEY_DERIVATION_INPUT_SECRET:
5911 return( psa_tls12_prf_set_key( prf, hash_alg, data, data_length ) );
5912 case PSA_KEY_DERIVATION_INPUT_LABEL:
5913 return( psa_tls12_prf_set_label( prf, data, data_length ) );
5914 default:
5915 return( PSA_ERROR_INVALID_ARGUMENT );
5916 }
5917 }
5918 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
5919 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
5920
5921 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
psa_tls12_prf_psk_to_ms_set_key(psa_tls12_prf_key_derivation_t * prf,psa_algorithm_t hash_alg,const uint8_t * data,size_t data_length)5922 static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
5923 psa_tls12_prf_key_derivation_t *prf,
5924 psa_algorithm_t hash_alg,
5925 const uint8_t *data,
5926 size_t data_length )
5927 {
5928 psa_status_t status;
5929 uint8_t pms[ 4 + 2 * PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ];
5930 uint8_t *cur = pms;
5931
5932 if( data_length > PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN )
5933 return( PSA_ERROR_INVALID_ARGUMENT );
5934
5935 /* Quoting RFC 4279, Section 2:
5936 *
5937 * The premaster secret is formed as follows: if the PSK is N octets
5938 * long, concatenate a uint16 with the value N, N zero octets, a second
5939 * uint16 with the value N, and the PSK itself.
5940 */
5941
5942 *cur++ = ( data_length >> 8 ) & 0xff;
5943 *cur++ = ( data_length >> 0 ) & 0xff;
5944 memset( cur, 0, data_length );
5945 cur += data_length;
5946 *cur++ = pms[0];
5947 *cur++ = pms[1];
5948 memcpy( cur, data, data_length );
5949 cur += data_length;
5950
5951 status = psa_tls12_prf_set_key( prf, hash_alg, pms, cur - pms );
5952
5953 mbedtls_platform_zeroize( pms, sizeof( pms ) );
5954 return( status );
5955 }
5956
psa_tls12_prf_psk_to_ms_input(psa_tls12_prf_key_derivation_t * prf,psa_algorithm_t hash_alg,psa_key_derivation_step_t step,const uint8_t * data,size_t data_length)5957 static psa_status_t psa_tls12_prf_psk_to_ms_input(
5958 psa_tls12_prf_key_derivation_t *prf,
5959 psa_algorithm_t hash_alg,
5960 psa_key_derivation_step_t step,
5961 const uint8_t *data,
5962 size_t data_length )
5963 {
5964 if( step == PSA_KEY_DERIVATION_INPUT_SECRET )
5965 {
5966 return( psa_tls12_prf_psk_to_ms_set_key( prf, hash_alg,
5967 data, data_length ) );
5968 }
5969
5970 return( psa_tls12_prf_input( prf, hash_alg, step, data, data_length ) );
5971 }
5972 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
5973
5974 /** Check whether the given key type is acceptable for the given
5975 * input step of a key derivation.
5976 *
5977 * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE.
5978 * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA.
5979 * Both secret and non-secret inputs can alternatively have the type
5980 * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning
5981 * that the input was passed as a buffer rather than via a key object.
5982 */
psa_key_derivation_check_input_type(psa_key_derivation_step_t step,psa_key_type_t key_type)5983 static int psa_key_derivation_check_input_type(
5984 psa_key_derivation_step_t step,
5985 psa_key_type_t key_type )
5986 {
5987 switch( step )
5988 {
5989 case PSA_KEY_DERIVATION_INPUT_SECRET:
5990 if( key_type == PSA_KEY_TYPE_DERIVE )
5991 return( PSA_SUCCESS );
5992 if( key_type == PSA_KEY_TYPE_NONE )
5993 return( PSA_SUCCESS );
5994 break;
5995 case PSA_KEY_DERIVATION_INPUT_LABEL:
5996 case PSA_KEY_DERIVATION_INPUT_SALT:
5997 case PSA_KEY_DERIVATION_INPUT_INFO:
5998 case PSA_KEY_DERIVATION_INPUT_SEED:
5999 if( key_type == PSA_KEY_TYPE_RAW_DATA )
6000 return( PSA_SUCCESS );
6001 if( key_type == PSA_KEY_TYPE_NONE )
6002 return( PSA_SUCCESS );
6003 break;
6004 }
6005 return( PSA_ERROR_INVALID_ARGUMENT );
6006 }
6007
psa_key_derivation_input_internal(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,psa_key_type_t key_type,const uint8_t * data,size_t data_length)6008 static psa_status_t psa_key_derivation_input_internal(
6009 psa_key_derivation_operation_t *operation,
6010 psa_key_derivation_step_t step,
6011 psa_key_type_t key_type,
6012 const uint8_t *data,
6013 size_t data_length )
6014 {
6015 psa_status_t status;
6016 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
6017
6018 status = psa_key_derivation_check_input_type( step, key_type );
6019 if( status != PSA_SUCCESS )
6020 goto exit;
6021
6022 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
6023 if( PSA_ALG_IS_HKDF( kdf_alg ) )
6024 {
6025 status = psa_hkdf_input( &operation->ctx.hkdf,
6026 PSA_ALG_HKDF_GET_HASH( kdf_alg ),
6027 step, data, data_length );
6028 }
6029 else
6030 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
6031 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
6032 if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) )
6033 {
6034 status = psa_tls12_prf_input( &operation->ctx.tls12_prf,
6035 PSA_ALG_HKDF_GET_HASH( kdf_alg ),
6036 step, data, data_length );
6037 }
6038 else
6039 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */
6040 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
6041 if( PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
6042 {
6043 status = psa_tls12_prf_psk_to_ms_input( &operation->ctx.tls12_prf,
6044 PSA_ALG_HKDF_GET_HASH( kdf_alg ),
6045 step, data, data_length );
6046 }
6047 else
6048 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
6049 {
6050 /* This can't happen unless the operation object was not initialized */
6051 return( PSA_ERROR_BAD_STATE );
6052 }
6053
6054 exit:
6055 if( status != PSA_SUCCESS )
6056 psa_key_derivation_abort( operation );
6057 return( status );
6058 }
6059
psa_key_derivation_input_bytes(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,const uint8_t * data,size_t data_length)6060 psa_status_t psa_key_derivation_input_bytes(
6061 psa_key_derivation_operation_t *operation,
6062 psa_key_derivation_step_t step,
6063 const uint8_t *data,
6064 size_t data_length )
6065 {
6066 return( psa_key_derivation_input_internal( operation, step,
6067 PSA_KEY_TYPE_NONE,
6068 data, data_length ) );
6069 }
6070
psa_key_derivation_input_key(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,mbedtls_svc_key_id_t key)6071 psa_status_t psa_key_derivation_input_key(
6072 psa_key_derivation_operation_t *operation,
6073 psa_key_derivation_step_t step,
6074 mbedtls_svc_key_id_t key )
6075 {
6076 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6077 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
6078 psa_key_slot_t *slot;
6079
6080 status = psa_get_and_lock_transparent_key_slot_with_policy(
6081 key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg );
6082 if( status != PSA_SUCCESS )
6083 {
6084 psa_key_derivation_abort( operation );
6085 return( status );
6086 }
6087
6088 /* Passing a key object as a SECRET input unlocks the permission
6089 * to output to a key object. */
6090 if( step == PSA_KEY_DERIVATION_INPUT_SECRET )
6091 operation->can_output_key = 1;
6092
6093 status = psa_key_derivation_input_internal( operation,
6094 step, slot->attr.type,
6095 slot->data.key.data,
6096 slot->data.key.bytes );
6097
6098 unlock_status = psa_unlock_key_slot( slot );
6099
6100 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
6101 }
6102
6103
6104
6105 /****************************************************************/
6106 /* Key agreement */
6107 /****************************************************************/
6108
6109 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
psa_key_agreement_ecdh(const uint8_t * peer_key,size_t peer_key_length,const mbedtls_ecp_keypair * our_key,uint8_t * shared_secret,size_t shared_secret_size,size_t * shared_secret_length)6110 static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key,
6111 size_t peer_key_length,
6112 const mbedtls_ecp_keypair *our_key,
6113 uint8_t *shared_secret,
6114 size_t shared_secret_size,
6115 size_t *shared_secret_length )
6116 {
6117 mbedtls_ecp_keypair *their_key = NULL;
6118 mbedtls_ecdh_context ecdh;
6119 psa_status_t status;
6120 size_t bits = 0;
6121 psa_ecc_family_t curve = mbedtls_ecc_group_to_psa( our_key->grp.id, &bits );
6122 mbedtls_ecdh_init( &ecdh );
6123
6124 status = psa_load_ecp_representation( PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve),
6125 peer_key,
6126 peer_key_length,
6127 &their_key );
6128 if( status != PSA_SUCCESS )
6129 goto exit;
6130
6131 status = mbedtls_to_psa_error(
6132 mbedtls_ecdh_get_params( &ecdh, their_key, MBEDTLS_ECDH_THEIRS ) );
6133 if( status != PSA_SUCCESS )
6134 goto exit;
6135 status = mbedtls_to_psa_error(
6136 mbedtls_ecdh_get_params( &ecdh, our_key, MBEDTLS_ECDH_OURS ) );
6137 if( status != PSA_SUCCESS )
6138 goto exit;
6139
6140 status = mbedtls_to_psa_error(
6141 mbedtls_ecdh_calc_secret( &ecdh,
6142 shared_secret_length,
6143 shared_secret, shared_secret_size,
6144 mbedtls_ctr_drbg_random,
6145 &global_data.ctr_drbg ) );
6146 if( status != PSA_SUCCESS )
6147 goto exit;
6148 if( PSA_BITS_TO_BYTES( bits ) != *shared_secret_length )
6149 status = PSA_ERROR_CORRUPTION_DETECTED;
6150
6151 exit:
6152 if( status != PSA_SUCCESS )
6153 mbedtls_platform_zeroize( shared_secret, shared_secret_size );
6154 mbedtls_ecdh_free( &ecdh );
6155 mbedtls_ecp_keypair_free( their_key );
6156 mbedtls_free( their_key );
6157
6158 return( status );
6159 }
6160 #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
6161
6162 #define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES
6163
psa_key_agreement_raw_internal(psa_algorithm_t alg,psa_key_slot_t * private_key,const uint8_t * peer_key,size_t peer_key_length,uint8_t * shared_secret,size_t shared_secret_size,size_t * shared_secret_length)6164 static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg,
6165 psa_key_slot_t *private_key,
6166 const uint8_t *peer_key,
6167 size_t peer_key_length,
6168 uint8_t *shared_secret,
6169 size_t shared_secret_size,
6170 size_t *shared_secret_length )
6171 {
6172 switch( alg )
6173 {
6174 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
6175 case PSA_ALG_ECDH:
6176 if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) )
6177 return( PSA_ERROR_INVALID_ARGUMENT );
6178 mbedtls_ecp_keypair *ecp = NULL;
6179 psa_status_t status = psa_load_ecp_representation(
6180 private_key->attr.type,
6181 private_key->data.key.data,
6182 private_key->data.key.bytes,
6183 &ecp );
6184 if( status != PSA_SUCCESS )
6185 return( status );
6186 status = psa_key_agreement_ecdh( peer_key, peer_key_length,
6187 ecp,
6188 shared_secret, shared_secret_size,
6189 shared_secret_length );
6190 mbedtls_ecp_keypair_free( ecp );
6191 mbedtls_free( ecp );
6192 return( status );
6193 #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
6194 default:
6195 (void) private_key;
6196 (void) peer_key;
6197 (void) peer_key_length;
6198 (void) shared_secret;
6199 (void) shared_secret_size;
6200 (void) shared_secret_length;
6201 return( PSA_ERROR_NOT_SUPPORTED );
6202 }
6203 }
6204
6205 /* Note that if this function fails, you must call psa_key_derivation_abort()
6206 * to potentially free embedded data structures and wipe confidential data.
6207 */
psa_key_agreement_internal(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,psa_key_slot_t * private_key,const uint8_t * peer_key,size_t peer_key_length)6208 static psa_status_t psa_key_agreement_internal( psa_key_derivation_operation_t *operation,
6209 psa_key_derivation_step_t step,
6210 psa_key_slot_t *private_key,
6211 const uint8_t *peer_key,
6212 size_t peer_key_length )
6213 {
6214 psa_status_t status;
6215 uint8_t shared_secret[PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE];
6216 size_t shared_secret_length = 0;
6217 psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE( operation->alg );
6218
6219 /* Step 1: run the secret agreement algorithm to generate the shared
6220 * secret. */
6221 status = psa_key_agreement_raw_internal( ka_alg,
6222 private_key,
6223 peer_key, peer_key_length,
6224 shared_secret,
6225 sizeof( shared_secret ),
6226 &shared_secret_length );
6227 if( status != PSA_SUCCESS )
6228 goto exit;
6229
6230 /* Step 2: set up the key derivation to generate key material from
6231 * the shared secret. A shared secret is permitted wherever a key
6232 * of type DERIVE is permitted. */
6233 status = psa_key_derivation_input_internal( operation, step,
6234 PSA_KEY_TYPE_DERIVE,
6235 shared_secret,
6236 shared_secret_length );
6237 exit:
6238 mbedtls_platform_zeroize( shared_secret, shared_secret_length );
6239 return( status );
6240 }
6241
psa_key_derivation_key_agreement(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,mbedtls_svc_key_id_t private_key,const uint8_t * peer_key,size_t peer_key_length)6242 psa_status_t psa_key_derivation_key_agreement( psa_key_derivation_operation_t *operation,
6243 psa_key_derivation_step_t step,
6244 mbedtls_svc_key_id_t private_key,
6245 const uint8_t *peer_key,
6246 size_t peer_key_length )
6247 {
6248 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6249 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
6250 psa_key_slot_t *slot;
6251
6252 if( ! PSA_ALG_IS_KEY_AGREEMENT( operation->alg ) )
6253 return( PSA_ERROR_INVALID_ARGUMENT );
6254 status = psa_get_and_lock_transparent_key_slot_with_policy(
6255 private_key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg );
6256 if( status != PSA_SUCCESS )
6257 return( status );
6258 status = psa_key_agreement_internal( operation, step,
6259 slot,
6260 peer_key, peer_key_length );
6261 if( status != PSA_SUCCESS )
6262 psa_key_derivation_abort( operation );
6263 else
6264 {
6265 /* If a private key has been added as SECRET, we allow the derived
6266 * key material to be used as a key in PSA Crypto. */
6267 if( step == PSA_KEY_DERIVATION_INPUT_SECRET )
6268 operation->can_output_key = 1;
6269 }
6270
6271 unlock_status = psa_unlock_key_slot( slot );
6272
6273 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
6274 }
6275
psa_raw_key_agreement(psa_algorithm_t alg,mbedtls_svc_key_id_t private_key,const uint8_t * peer_key,size_t peer_key_length,uint8_t * output,size_t output_size,size_t * output_length)6276 psa_status_t psa_raw_key_agreement( psa_algorithm_t alg,
6277 mbedtls_svc_key_id_t private_key,
6278 const uint8_t *peer_key,
6279 size_t peer_key_length,
6280 uint8_t *output,
6281 size_t output_size,
6282 size_t *output_length )
6283 {
6284 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6285 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
6286 psa_key_slot_t *slot = NULL;
6287
6288 if( ! PSA_ALG_IS_KEY_AGREEMENT( alg ) )
6289 {
6290 status = PSA_ERROR_INVALID_ARGUMENT;
6291 goto exit;
6292 }
6293 status = psa_get_and_lock_transparent_key_slot_with_policy(
6294 private_key, &slot, PSA_KEY_USAGE_DERIVE, alg );
6295 if( status != PSA_SUCCESS )
6296 goto exit;
6297
6298 status = psa_key_agreement_raw_internal( alg, slot,
6299 peer_key, peer_key_length,
6300 output, output_size,
6301 output_length );
6302
6303 exit:
6304 if( status != PSA_SUCCESS )
6305 {
6306 /* If an error happens and is not handled properly, the output
6307 * may be used as a key to protect sensitive data. Arrange for such
6308 * a key to be random, which is likely to result in decryption or
6309 * verification errors. This is better than filling the buffer with
6310 * some constant data such as zeros, which would result in the data
6311 * being protected with a reproducible, easily knowable key.
6312 */
6313 psa_generate_random( output, output_size );
6314 *output_length = output_size;
6315 }
6316
6317 unlock_status = psa_unlock_key_slot( slot );
6318
6319 return( ( status == PSA_SUCCESS ) ? unlock_status : status );
6320 }
6321
6322
6323 /****************************************************************/
6324 /* Random generation */
6325 /****************************************************************/
6326
psa_generate_random(uint8_t * output,size_t output_size)6327 psa_status_t psa_generate_random( uint8_t *output,
6328 size_t output_size )
6329 {
6330 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6331 GUARD_MODULE_INITIALIZED;
6332
6333 while( output_size > MBEDTLS_CTR_DRBG_MAX_REQUEST )
6334 {
6335 ret = mbedtls_ctr_drbg_random( &global_data.ctr_drbg,
6336 output,
6337 MBEDTLS_CTR_DRBG_MAX_REQUEST );
6338 if( ret != 0 )
6339 return( mbedtls_to_psa_error( ret ) );
6340 output += MBEDTLS_CTR_DRBG_MAX_REQUEST;
6341 output_size -= MBEDTLS_CTR_DRBG_MAX_REQUEST;
6342 }
6343
6344 ret = mbedtls_ctr_drbg_random( &global_data.ctr_drbg, output, output_size );
6345 return( mbedtls_to_psa_error( ret ) );
6346 }
6347
6348 #if defined(MBEDTLS_PSA_INJECT_ENTROPY)
6349 #include "mbedtls/entropy_poll.h"
6350
mbedtls_psa_inject_entropy(const uint8_t * seed,size_t seed_size)6351 psa_status_t mbedtls_psa_inject_entropy( const uint8_t *seed,
6352 size_t seed_size )
6353 {
6354 if( global_data.initialized )
6355 return( PSA_ERROR_NOT_PERMITTED );
6356
6357 if( ( ( seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM ) ||
6358 ( seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE ) ) ||
6359 ( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) )
6360 return( PSA_ERROR_INVALID_ARGUMENT );
6361
6362 return( mbedtls_psa_storage_inject_entropy( seed, seed_size ) );
6363 }
6364 #endif /* MBEDTLS_PSA_INJECT_ENTROPY */
6365
6366 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
psa_read_rsa_exponent(const uint8_t * domain_parameters,size_t domain_parameters_size,int * exponent)6367 static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters,
6368 size_t domain_parameters_size,
6369 int *exponent )
6370 {
6371 size_t i;
6372 uint32_t acc = 0;
6373
6374 if( domain_parameters_size == 0 )
6375 {
6376 *exponent = 65537;
6377 return( PSA_SUCCESS );
6378 }
6379
6380 /* Mbed TLS encodes the public exponent as an int. For simplicity, only
6381 * support values that fit in a 32-bit integer, which is larger than
6382 * int on just about every platform anyway. */
6383 if( domain_parameters_size > sizeof( acc ) )
6384 return( PSA_ERROR_NOT_SUPPORTED );
6385 for( i = 0; i < domain_parameters_size; i++ )
6386 acc = ( acc << 8 ) | domain_parameters[i];
6387 if( acc > INT_MAX )
6388 return( PSA_ERROR_NOT_SUPPORTED );
6389 *exponent = acc;
6390 return( PSA_SUCCESS );
6391 }
6392 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */
6393
psa_generate_key_internal(psa_key_slot_t * slot,size_t bits,const uint8_t * domain_parameters,size_t domain_parameters_size)6394 static psa_status_t psa_generate_key_internal(
6395 psa_key_slot_t *slot, size_t bits,
6396 const uint8_t *domain_parameters, size_t domain_parameters_size )
6397 {
6398 psa_key_type_t type = slot->attr.type;
6399
6400 if( domain_parameters == NULL && domain_parameters_size != 0 )
6401 return( PSA_ERROR_INVALID_ARGUMENT );
6402
6403 if( key_type_is_raw_bytes( type ) )
6404 {
6405 psa_status_t status;
6406
6407 status = validate_unstructured_key_bit_size( slot->attr.type, bits );
6408 if( status != PSA_SUCCESS )
6409 return( status );
6410
6411 /* Allocate memory for the key */
6412 status = psa_allocate_buffer_to_slot( slot, PSA_BITS_TO_BYTES( bits ) );
6413 if( status != PSA_SUCCESS )
6414 return( status );
6415
6416 status = psa_generate_random( slot->data.key.data,
6417 slot->data.key.bytes );
6418 if( status != PSA_SUCCESS )
6419 return( status );
6420
6421 slot->attr.bits = (psa_key_bits_t) bits;
6422 #if defined(MBEDTLS_DES_C)
6423 if( type == PSA_KEY_TYPE_DES )
6424 psa_des_set_key_parity( slot->data.key.data,
6425 slot->data.key.bytes );
6426 #endif /* MBEDTLS_DES_C */
6427 }
6428 else
6429
6430 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
6431 if ( type == PSA_KEY_TYPE_RSA_KEY_PAIR )
6432 {
6433 mbedtls_rsa_context rsa;
6434 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6435 int exponent;
6436 psa_status_t status;
6437 if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS )
6438 return( PSA_ERROR_NOT_SUPPORTED );
6439 /* Accept only byte-aligned keys, for the same reasons as
6440 * in psa_import_rsa_key(). */
6441 if( bits % 8 != 0 )
6442 return( PSA_ERROR_NOT_SUPPORTED );
6443 status = psa_read_rsa_exponent( domain_parameters,
6444 domain_parameters_size,
6445 &exponent );
6446 if( status != PSA_SUCCESS )
6447 return( status );
6448 mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE );
6449 ret = mbedtls_rsa_gen_key( &rsa,
6450 mbedtls_ctr_drbg_random,
6451 &global_data.ctr_drbg,
6452 (unsigned int) bits,
6453 exponent );
6454 if( ret != 0 )
6455 return( mbedtls_to_psa_error( ret ) );
6456
6457 /* Make sure to always have an export representation available */
6458 size_t bytes = PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE( bits );
6459
6460 status = psa_allocate_buffer_to_slot( slot, bytes );
6461 if( status != PSA_SUCCESS )
6462 {
6463 mbedtls_rsa_free( &rsa );
6464 return( status );
6465 }
6466
6467 status = psa_export_rsa_key( type,
6468 &rsa,
6469 slot->data.key.data,
6470 bytes,
6471 &slot->data.key.bytes );
6472 mbedtls_rsa_free( &rsa );
6473 if( status != PSA_SUCCESS )
6474 psa_remove_key_data_from_memory( slot );
6475 return( status );
6476 }
6477 else
6478 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */
6479
6480 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR)
6481 if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
6482 {
6483 psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( type );
6484 mbedtls_ecp_group_id grp_id =
6485 mbedtls_ecc_group_of_psa( curve, PSA_BITS_TO_BYTES( bits ) );
6486 const mbedtls_ecp_curve_info *curve_info =
6487 mbedtls_ecp_curve_info_from_grp_id( grp_id );
6488 mbedtls_ecp_keypair ecp;
6489 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6490 if( domain_parameters_size != 0 )
6491 return( PSA_ERROR_NOT_SUPPORTED );
6492 if( grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL )
6493 return( PSA_ERROR_NOT_SUPPORTED );
6494 mbedtls_ecp_keypair_init( &ecp );
6495 ret = mbedtls_ecp_gen_key( grp_id, &ecp,
6496 mbedtls_ctr_drbg_random,
6497 &global_data.ctr_drbg );
6498 if( ret != 0 )
6499 {
6500 mbedtls_ecp_keypair_free( &ecp );
6501 return( mbedtls_to_psa_error( ret ) );
6502 }
6503
6504
6505 /* Make sure to always have an export representation available */
6506 size_t bytes = PSA_BITS_TO_BYTES( bits );
6507 psa_status_t status = psa_allocate_buffer_to_slot( slot, bytes );
6508 if( status != PSA_SUCCESS )
6509 {
6510 mbedtls_ecp_keypair_free( &ecp );
6511 return( status );
6512 }
6513
6514 status = mbedtls_to_psa_error(
6515 mbedtls_ecp_write_key( &ecp, slot->data.key.data, bytes ) );
6516
6517 mbedtls_ecp_keypair_free( &ecp );
6518 if( status != PSA_SUCCESS ) {
6519 memset( slot->data.key.data, 0, bytes );
6520 psa_remove_key_data_from_memory( slot );
6521 }
6522 return( status );
6523 }
6524 else
6525 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */
6526 {
6527 return( PSA_ERROR_NOT_SUPPORTED );
6528 }
6529
6530 return( PSA_SUCCESS );
6531 }
6532
psa_generate_key(const psa_key_attributes_t * attributes,mbedtls_svc_key_id_t * key)6533 psa_status_t psa_generate_key( const psa_key_attributes_t *attributes,
6534 mbedtls_svc_key_id_t *key )
6535 {
6536 psa_status_t status;
6537 psa_key_slot_t *slot = NULL;
6538 psa_se_drv_table_entry_t *driver = NULL;
6539
6540 *key = MBEDTLS_SVC_KEY_ID_INIT;
6541
6542 /* Reject any attempt to create a zero-length key so that we don't
6543 * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
6544 if( psa_get_key_bits( attributes ) == 0 )
6545 return( PSA_ERROR_INVALID_ARGUMENT );
6546
6547 status = psa_start_key_creation( PSA_KEY_CREATION_GENERATE, attributes,
6548 &slot, &driver );
6549 if( status != PSA_SUCCESS )
6550 goto exit;
6551
6552 status = psa_driver_wrapper_generate_key( attributes,
6553 slot );
6554 if( status != PSA_ERROR_NOT_SUPPORTED ||
6555 psa_key_lifetime_is_external( attributes->core.lifetime ) )
6556 goto exit;
6557
6558 status = psa_generate_key_internal(
6559 slot, attributes->core.bits,
6560 attributes->domain_parameters, attributes->domain_parameters_size );
6561
6562 exit:
6563 if( status == PSA_SUCCESS )
6564 status = psa_finish_key_creation( slot, driver, key );
6565 if( status != PSA_SUCCESS )
6566 psa_fail_key_creation( slot, driver );
6567
6568 return( status );
6569 }
6570
6571
6572
6573 /****************************************************************/
6574 /* Module setup */
6575 /****************************************************************/
6576
mbedtls_psa_crypto_configure_entropy_sources(void (* entropy_init)(mbedtls_entropy_context * ctx),void (* entropy_free)(mbedtls_entropy_context * ctx))6577 psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
6578 void (* entropy_init )( mbedtls_entropy_context *ctx ),
6579 void (* entropy_free )( mbedtls_entropy_context *ctx ) )
6580 {
6581 if( global_data.rng_state != RNG_NOT_INITIALIZED )
6582 return( PSA_ERROR_BAD_STATE );
6583 global_data.entropy_init = entropy_init;
6584 global_data.entropy_free = entropy_free;
6585 return( PSA_SUCCESS );
6586 }
6587
mbedtls_psa_crypto_free(void)6588 void mbedtls_psa_crypto_free( void )
6589 {
6590 psa_wipe_all_key_slots( );
6591 if( global_data.rng_state != RNG_NOT_INITIALIZED )
6592 {
6593 mbedtls_ctr_drbg_free( &global_data.ctr_drbg );
6594 global_data.entropy_free( &global_data.entropy );
6595 }
6596 /* Wipe all remaining data, including configuration.
6597 * In particular, this sets all state indicator to the value
6598 * indicating "uninitialized". */
6599 mbedtls_platform_zeroize( &global_data, sizeof( global_data ) );
6600 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
6601 /* Unregister all secure element drivers, so that we restart from
6602 * a pristine state. */
6603 psa_unregister_all_se_drivers( );
6604 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
6605 }
6606
6607 #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
6608 /** Recover a transaction that was interrupted by a power failure.
6609 *
6610 * This function is called during initialization, before psa_crypto_init()
6611 * returns. If this function returns a failure status, the initialization
6612 * fails.
6613 */
psa_crypto_recover_transaction(const psa_crypto_transaction_t * transaction)6614 static psa_status_t psa_crypto_recover_transaction(
6615 const psa_crypto_transaction_t *transaction )
6616 {
6617 switch( transaction->unknown.type )
6618 {
6619 case PSA_CRYPTO_TRANSACTION_CREATE_KEY:
6620 case PSA_CRYPTO_TRANSACTION_DESTROY_KEY:
6621 /* TODO - fall through to the failure case until this
6622 * is implemented.
6623 * https://github.com/ARMmbed/mbed-crypto/issues/218
6624 */
6625 default:
6626 /* We found an unsupported transaction in the storage.
6627 * We don't know what state the storage is in. Give up. */
6628 return( PSA_ERROR_STORAGE_FAILURE );
6629 }
6630 }
6631 #endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
6632
psa_crypto_init(void)6633 psa_status_t psa_crypto_init( void )
6634 {
6635 psa_status_t status;
6636 const unsigned char drbg_seed[] = "PSA";
6637
6638 /* Double initialization is explicitly allowed. */
6639 if( global_data.initialized != 0 )
6640 return( PSA_SUCCESS );
6641
6642 /* Set default configuration if
6643 * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */
6644 if( global_data.entropy_init == NULL )
6645 global_data.entropy_init = mbedtls_entropy_init;
6646 if( global_data.entropy_free == NULL )
6647 global_data.entropy_free = mbedtls_entropy_free;
6648
6649 /* Initialize the random generator. */
6650 global_data.entropy_init( &global_data.entropy );
6651 #if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \
6652 defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
6653 /* The PSA entropy injection feature depends on using NV seed as an entropy
6654 * source. Add NV seed as an entropy source for PSA entropy injection. */
6655 mbedtls_entropy_add_source( &global_data.entropy,
6656 mbedtls_nv_seed_poll, NULL,
6657 MBEDTLS_ENTROPY_BLOCK_SIZE,
6658 MBEDTLS_ENTROPY_SOURCE_STRONG );
6659 #endif
6660 mbedtls_ctr_drbg_init( &global_data.ctr_drbg );
6661 global_data.rng_state = RNG_INITIALIZED;
6662 status = mbedtls_to_psa_error(
6663 mbedtls_ctr_drbg_seed( &global_data.ctr_drbg,
6664 mbedtls_entropy_func,
6665 &global_data.entropy,
6666 drbg_seed, sizeof( drbg_seed ) - 1 ) );
6667 if( status != PSA_SUCCESS )
6668 goto exit;
6669 global_data.rng_state = RNG_SEEDED;
6670
6671 status = psa_initialize_key_slots( );
6672 if( status != PSA_SUCCESS )
6673 goto exit;
6674
6675 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
6676 status = psa_init_all_se_drivers( );
6677 if( status != PSA_SUCCESS )
6678 goto exit;
6679 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
6680
6681 #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
6682 status = psa_crypto_load_transaction( );
6683 if( status == PSA_SUCCESS )
6684 {
6685 status = psa_crypto_recover_transaction( &psa_crypto_transaction );
6686 if( status != PSA_SUCCESS )
6687 goto exit;
6688 status = psa_crypto_stop_transaction( );
6689 }
6690 else if( status == PSA_ERROR_DOES_NOT_EXIST )
6691 {
6692 /* There's no transaction to complete. It's all good. */
6693 status = PSA_SUCCESS;
6694 }
6695 #endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
6696
6697 /* All done. */
6698 global_data.initialized = 1;
6699
6700 exit:
6701 if( status != PSA_SUCCESS )
6702 mbedtls_psa_crypto_free( );
6703 return( status );
6704 }
6705
6706 #endif /* MBEDTLS_PSA_CRYPTO_C */
6707
