/* * PSA MAC layer on top of Mbed TLS software crypto */ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include "common.h" #if defined(MBEDTLS_PSA_CRYPTO_C) #include #include "psa_crypto_core.h" #include "psa_crypto_mac.h" #include #include #include #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) static psa_status_t psa_hmac_abort_internal( mbedtls_psa_hmac_operation_t *hmac ) { mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) ); return( psa_hash_abort( &hmac->hash_ctx ) ); } static psa_status_t psa_hmac_setup_internal( mbedtls_psa_hmac_operation_t *hmac, const uint8_t *key, size_t key_length, psa_algorithm_t hash_alg ) { uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE]; size_t i; size_t hash_size = PSA_HASH_LENGTH( hash_alg ); size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg ); psa_status_t status; hmac->alg = hash_alg; /* Sanity checks on block_size, to guarantee that there won't be a buffer * overflow below. This should never trigger if the hash algorithm * is implemented correctly. */ /* The size checks against the ipad and opad buffers cannot be written * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )` * because that triggers -Wlogical-op on GCC 7.3. */ if( block_size > sizeof( ipad ) ) return( PSA_ERROR_NOT_SUPPORTED ); if( block_size > sizeof( hmac->opad ) ) return( PSA_ERROR_NOT_SUPPORTED ); if( block_size < hash_size ) return( PSA_ERROR_NOT_SUPPORTED ); if( key_length > block_size ) { status = psa_hash_compute( hash_alg, key, key_length, ipad, sizeof( ipad ), &key_length ); if( status != PSA_SUCCESS ) goto cleanup; } /* A 0-length key is not commonly used in HMAC when used as a MAC, * but it is permitted. It is common when HMAC is used in HKDF, for * example. Don't call `memcpy` in the 0-length because `key` could be * an invalid pointer which would make the behavior undefined. */ else if( key_length != 0 ) memcpy( ipad, key, key_length ); /* ipad contains the key followed by garbage. Xor and fill with 0x36 * to create the ipad value. */ for( i = 0; i < key_length; i++ ) ipad[i] ^= 0x36; memset( ipad + key_length, 0x36, block_size - key_length ); /* Copy the key material from ipad to opad, flipping the requisite bits, * and filling the rest of opad with the requisite constant. */ for( i = 0; i < key_length; i++ ) hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C; memset( hmac->opad + key_length, 0x5C, block_size - key_length ); status = psa_hash_setup( &hmac->hash_ctx, hash_alg ); if( status != PSA_SUCCESS ) goto cleanup; status = psa_hash_update( &hmac->hash_ctx, ipad, block_size ); cleanup: mbedtls_platform_zeroize( ipad, sizeof( ipad ) ); return( status ); } static psa_status_t psa_hmac_update_internal( mbedtls_psa_hmac_operation_t *hmac, const uint8_t *data, size_t data_length ) { return( psa_hash_update( &hmac->hash_ctx, data, data_length ) ); } static psa_status_t psa_hmac_finish_internal( mbedtls_psa_hmac_operation_t *hmac, uint8_t *mac, size_t mac_size ) { uint8_t tmp[PSA_HASH_MAX_SIZE]; psa_algorithm_t hash_alg = hmac->alg; size_t hash_size = 0; size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg ); psa_status_t status; status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size ); if( status != PSA_SUCCESS ) return( status ); /* From here on, tmp needs to be wiped. */ status = psa_hash_setup( &hmac->hash_ctx, hash_alg ); if( status != PSA_SUCCESS ) goto exit; status = psa_hash_update( &hmac->hash_ctx, hmac->opad, block_size ); if( status != PSA_SUCCESS ) goto exit; status = psa_hash_update( &hmac->hash_ctx, tmp, hash_size ); if( status != PSA_SUCCESS ) goto exit; status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size ); if( status != PSA_SUCCESS ) goto exit; memcpy( mac, tmp, mac_size ); exit: mbedtls_platform_zeroize( tmp, hash_size ); return( status ); } #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) static psa_status_t cmac_setup( mbedtls_psa_mac_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; #if defined(PSA_WANT_KEY_TYPE_DES) /* Mbed TLS CMAC does not accept 3DES with only two keys, nor does it accept * to do CMAC with pure DES, so return NOT_SUPPORTED here. */ if( psa_get_key_type( attributes ) == PSA_KEY_TYPE_DES && ( psa_get_key_bits( attributes ) == 64 || psa_get_key_bits( attributes ) == 128 ) ) return( PSA_ERROR_NOT_SUPPORTED ); #endif const mbedtls_cipher_info_t * cipher_info = mbedtls_cipher_info_from_psa( PSA_ALG_CMAC, psa_get_key_type( attributes ), psa_get_key_bits( attributes ), NULL ); if( cipher_info == NULL ) return( PSA_ERROR_NOT_SUPPORTED ); ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info ); if( ret != 0 ) goto exit; ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac, key_buffer, psa_get_key_bits( attributes ) ); exit: return( mbedtls_to_psa_error( ret ) ); } #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) /* Initialize this driver's MAC operation structure. Once this function has been * called, mbedtls_psa_mac_abort can run and will do the right thing. */ static psa_status_t mac_init( mbedtls_psa_mac_operation_t *operation, psa_algorithm_t alg ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; operation->alg = alg; #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC ) { mbedtls_cipher_init( &operation->ctx.cmac ); status = PSA_SUCCESS; } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { /* We'll set up the hash operation later in psa_hmac_setup_internal. */ operation->ctx.hmac.alg = 0; status = PSA_SUCCESS; } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { (void) operation; status = PSA_ERROR_NOT_SUPPORTED; } if( status != PSA_SUCCESS ) memset( operation, 0, sizeof( *operation ) ); return( status ); } psa_status_t mbedtls_psa_mac_abort( mbedtls_psa_mac_operation_t *operation ) { if( operation->alg == 0 ) { /* The object has (apparently) been initialized but it is not * in use. It's ok to call abort on such an object, and there's * nothing to do. */ return( PSA_SUCCESS ); } else #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC ) { mbedtls_cipher_free( &operation->ctx.cmac ); } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { psa_hmac_abort_internal( &operation->ctx.hmac ); } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { /* Sanity check (shouldn't happen: operation->alg should * always have been initialized to a valid value). */ goto bad_state; } operation->alg = 0; return( PSA_SUCCESS ); bad_state: /* If abort is called on an uninitialized object, we can't trust * anything. Wipe the object in case it contains confidential data. * This may result in a memory leak if a pointer gets overwritten, * but it's too late to do anything about this. */ memset( operation, 0, sizeof( *operation ) ); return( PSA_ERROR_BAD_STATE ); } static psa_status_t psa_mac_setup( mbedtls_psa_mac_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; /* A context must be freshly initialized before it can be set up. */ if( operation->alg != 0 ) return( PSA_ERROR_BAD_STATE ); status = mac_init( operation, alg ); if( status != PSA_SUCCESS ) return( status ); #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) if( PSA_ALG_FULL_LENGTH_MAC( alg ) == PSA_ALG_CMAC ) { /* Key buffer size for CMAC is dictated by the key bits set on the * attributes, and previously validated by the core on key import. */ (void) key_buffer_size; status = cmac_setup( operation, attributes, key_buffer ); } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( alg ) ) { status = psa_hmac_setup_internal( &operation->ctx.hmac, key_buffer, key_buffer_size, PSA_ALG_HMAC_GET_HASH( alg ) ); } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { (void) attributes; (void) key_buffer; (void) key_buffer_size; status = PSA_ERROR_NOT_SUPPORTED; } if( status != PSA_SUCCESS ) mbedtls_psa_mac_abort( operation ); return( status ); } psa_status_t mbedtls_psa_mac_sign_setup( mbedtls_psa_mac_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg ) { return( psa_mac_setup( operation, attributes, key_buffer, key_buffer_size, alg ) ); } psa_status_t mbedtls_psa_mac_verify_setup( mbedtls_psa_mac_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg ) { return( psa_mac_setup( operation, attributes, key_buffer, key_buffer_size, alg ) ); } psa_status_t mbedtls_psa_mac_update( mbedtls_psa_mac_operation_t *operation, const uint8_t *input, size_t input_length ) { if( operation->alg == 0 ) return( PSA_ERROR_BAD_STATE ); #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC ) { return( mbedtls_to_psa_error( mbedtls_cipher_cmac_update( &operation->ctx.cmac, input, input_length ) ) ); } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { return( psa_hmac_update_internal( &operation->ctx.hmac, input, input_length ) ); } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { /* This shouldn't happen if `operation` was initialized by * a setup function. */ (void) input; (void) input_length; return( PSA_ERROR_BAD_STATE ); } } static psa_status_t psa_mac_finish_internal( mbedtls_psa_mac_operation_t *operation, uint8_t *mac, size_t mac_size ) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC ) { uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE]; int ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, tmp ); if( ret == 0 ) memcpy( mac, tmp, mac_size ); mbedtls_platform_zeroize( tmp, sizeof( tmp ) ); return( mbedtls_to_psa_error( ret ) ); } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { return( psa_hmac_finish_internal( &operation->ctx.hmac, mac, mac_size ) ); } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { /* This shouldn't happen if `operation` was initialized by * a setup function. */ (void) operation; (void) mac; (void) mac_size; return( PSA_ERROR_BAD_STATE ); } } psa_status_t mbedtls_psa_mac_sign_finish( mbedtls_psa_mac_operation_t *operation, uint8_t *mac, size_t mac_size, size_t *mac_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; if( operation->alg == 0 ) return( PSA_ERROR_BAD_STATE ); status = psa_mac_finish_internal( operation, mac, mac_size ); if( status == PSA_SUCCESS ) *mac_length = mac_size; return( status ); } psa_status_t mbedtls_psa_mac_verify_finish( mbedtls_psa_mac_operation_t *operation, const uint8_t *mac, size_t mac_length ) { uint8_t actual_mac[PSA_MAC_MAX_SIZE]; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; if( operation->alg == 0 ) return( PSA_ERROR_BAD_STATE ); /* Consistency check: requested MAC length fits our local buffer */ if( mac_length > sizeof( actual_mac ) ) return( PSA_ERROR_INVALID_ARGUMENT ); status = psa_mac_finish_internal( operation, actual_mac, mac_length ); if( status != PSA_SUCCESS ) goto cleanup; if( mbedtls_psa_safer_memcmp( mac, actual_mac, mac_length ) != 0 ) status = PSA_ERROR_INVALID_SIGNATURE; cleanup: mbedtls_platform_zeroize( actual_mac, sizeof( actual_mac ) ); return( status ); } psa_status_t mbedtls_psa_mac_compute( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *input, size_t input_length, uint8_t *mac, size_t mac_size, size_t *mac_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT; status = psa_mac_setup( &operation, attributes, key_buffer, key_buffer_size, alg ); if( status != PSA_SUCCESS ) goto exit; if( input_length > 0 ) { status = mbedtls_psa_mac_update( &operation, input, input_length ); if( status != PSA_SUCCESS ) goto exit; } status = psa_mac_finish_internal( &operation, mac, mac_size ); if( status == PSA_SUCCESS ) *mac_length = mac_size; exit: mbedtls_psa_mac_abort( &operation ); return( status ); } #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_CMAC */ #endif /* MBEDTLS_PSA_CRYPTO_C */