TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 154bd95131470b5d58efc60829dbb8d371b8cd63 / . / library / psa_crypto.c
blob: deeffa3b828d895c74de732dd04d7bc25b596704 [file] [log] [blame]
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1/*
2 * PSA crypto layer on top of Mbed TLS crypto
3 */
4/* Copyright (C) 2018, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_PSA_CRYPTO_C)
29
30#include "psa/crypto.h"
31
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]32#include <stdlib.h>
33#include <string.h>
34#if defined(MBEDTLS_PLATFORM_C)
35#include "mbedtls/platform.h"
36#else
37#define mbedtls_calloc calloc
38#define mbedtls_free free
39#endif
40
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]41#include "mbedtls/arc4.h"
42#include "mbedtls/blowfish.h"
43#include "mbedtls/camellia.h"
44#include "mbedtls/cipher.h"
45#include "mbedtls/ccm.h"
46#include "mbedtls/cmac.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]47#include "mbedtls/ctr_drbg.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]48#include "mbedtls/des.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]49#include "mbedtls/ecp.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]50#include "mbedtls/entropy.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]51#include "mbedtls/error.h"
52#include "mbedtls/gcm.h"
53#include "mbedtls/md2.h"
54#include "mbedtls/md4.h"
55#include "mbedtls/md5.h"
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]56#include "mbedtls/md.h"
57#include "mbedtls/md_internal.h"
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]58#include "mbedtls/pk.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]59#include "mbedtls/pk_internal.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]60#include "mbedtls/ripemd160.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]61#include "mbedtls/rsa.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]62#include "mbedtls/sha1.h"
63#include "mbedtls/sha256.h"
64#include "mbedtls/sha512.h"
65#include "mbedtls/xtea.h"
66
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]67
68
69/* Implementation that should never be optimized out by the compiler */
70static void mbedtls_zeroize( void *v, size_t n )
71{
72 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
73}
74
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]75/* constant-time buffer comparison */
76static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n )
77{
78 size_t i;
79 unsigned char diff = 0;
80
81 for( i = 0; i < n; i++ )
82 diff |= a[i] ^ b[i];
83
84 return( diff );
85}
86
87
88
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]89/****************************************************************/
90/* Global data, support functions and library management */
91/****************************************************************/
92
93/* Number of key slots (plus one because 0 is not used).
94 * The value is a compile-time constant for now, for simplicity. */
95#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
96
97typedef struct {
98 psa_key_type_t type;
99 union {
100 struct raw_data {
101 uint8_t *data;
102 size_t bytes;
103 } raw;
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]104#if defined(MBEDTLS_RSA_C)
105 mbedtls_rsa_context *rsa;
106#endif /* MBEDTLS_RSA_C */
107#if defined(MBEDTLS_ECP_C)
108 mbedtls_ecp_keypair *ecp;
109#endif /* MBEDTLS_ECP_C */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]110 } data;
111} key_slot_t;
112
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]113typedef struct {
114 int initialized;
115 mbedtls_entropy_context entropy;
116 mbedtls_ctr_drbg_context ctr_drbg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]117 key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]118} psa_global_data_t;
119
120static psa_global_data_t global_data;
121
122static psa_status_t mbedtls_to_psa_error( int ret )
123{
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]124 /* If there's both a high-level code and low-level code, dispatch on
125 * the high-level code. */
126 switch( ret < -0x7f ? - ( -ret & 0x7f80 ) : ret )
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]127 {
128 case 0:
129 return( PSA_SUCCESS );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]130
131 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
132 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
133 case MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE:
134 return( PSA_ERROR_NOT_SUPPORTED );
135 case MBEDTLS_ERR_AES_HW_ACCEL_FAILED:
136 return( PSA_ERROR_HARDWARE_FAILURE );
137
138 case MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED:
139 return( PSA_ERROR_HARDWARE_FAILURE );
140
141 case MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH:
142 case MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH:
143 return( PSA_ERROR_NOT_SUPPORTED );
144 case MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED:
145 return( PSA_ERROR_HARDWARE_FAILURE );
146
147 case MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH:
148 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
149 return( PSA_ERROR_NOT_SUPPORTED );
150 case MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED:
151 return( PSA_ERROR_HARDWARE_FAILURE );
152
153 case MBEDTLS_ERR_CCM_BAD_INPUT:
154 return( PSA_ERROR_INVALID_ARGUMENT );
155 case MBEDTLS_ERR_CCM_AUTH_FAILED:
156 return( PSA_ERROR_INVALID_SIGNATURE );
157 case MBEDTLS_ERR_CCM_HW_ACCEL_FAILED:
158 return( PSA_ERROR_HARDWARE_FAILURE );
159
160 case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
161 return( PSA_ERROR_NOT_SUPPORTED );
162 case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
163 return( PSA_ERROR_INVALID_ARGUMENT );
164 case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
165 return( PSA_ERROR_INSUFFICIENT_MEMORY );
166 case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
167 return( PSA_ERROR_INVALID_PADDING );
168 case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
169 return( PSA_ERROR_BAD_STATE );
170 case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
171 return( PSA_ERROR_INVALID_SIGNATURE );
172 case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
173 return( PSA_ERROR_TAMPERING_DETECTED );
174 case MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED:
175 return( PSA_ERROR_HARDWARE_FAILURE );
176
177 case MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED:
178 return( PSA_ERROR_HARDWARE_FAILURE );
179
180 case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
181 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
182 case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
183 case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
184 return( PSA_ERROR_NOT_SUPPORTED );
185 case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
186 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
187
188 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
189 return( PSA_ERROR_NOT_SUPPORTED );
190 case MBEDTLS_ERR_DES_HW_ACCEL_FAILED:
191 return( PSA_ERROR_HARDWARE_FAILURE );
192
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]193 case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
194 case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
195 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
196 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]197
198 case MBEDTLS_ERR_GCM_AUTH_FAILED:
199 return( PSA_ERROR_INVALID_SIGNATURE );
200 case MBEDTLS_ERR_GCM_BAD_INPUT:
201 return( PSA_ERROR_NOT_SUPPORTED );
202 case MBEDTLS_ERR_GCM_HW_ACCEL_FAILED:
203 return( PSA_ERROR_HARDWARE_FAILURE );
204
205 case MBEDTLS_ERR_MD2_HW_ACCEL_FAILED:
206 case MBEDTLS_ERR_MD4_HW_ACCEL_FAILED:
207 case MBEDTLS_ERR_MD5_HW_ACCEL_FAILED:
208 return( PSA_ERROR_HARDWARE_FAILURE );
209
210 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
211 return( PSA_ERROR_NOT_SUPPORTED );
212 case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
213 return( PSA_ERROR_INVALID_ARGUMENT );
214 case MBEDTLS_ERR_MD_ALLOC_FAILED:
215 return( PSA_ERROR_INSUFFICIENT_MEMORY );
216 case MBEDTLS_ERR_MD_FILE_IO_ERROR:
217 return( PSA_ERROR_STORAGE_FAILURE );
218 case MBEDTLS_ERR_MD_HW_ACCEL_FAILED:
219 return( PSA_ERROR_HARDWARE_FAILURE );
220
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]221 case MBEDTLS_ERR_PK_ALLOC_FAILED:
222 return( PSA_ERROR_INSUFFICIENT_MEMORY );
223 case MBEDTLS_ERR_PK_TYPE_MISMATCH:
224 case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
225 return( PSA_ERROR_INVALID_ARGUMENT );
226 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]227 return( PSA_ERROR_STORAGE_FAILURE );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]228 case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
229 case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
230 return( PSA_ERROR_INVALID_ARGUMENT );
231 case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
232 return( PSA_ERROR_NOT_SUPPORTED );
233 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
234 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
235 return( PSA_ERROR_NOT_PERMITTED );
236 case MBEDTLS_ERR_PK_INVALID_PUBKEY:
237 return( PSA_ERROR_INVALID_ARGUMENT );
238 case MBEDTLS_ERR_PK_INVALID_ALG:
239 case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
240 case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
241 return( PSA_ERROR_NOT_SUPPORTED );
242 case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
243 return( PSA_ERROR_INVALID_SIGNATURE );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]244 case MBEDTLS_ERR_PK_HW_ACCEL_FAILED:
245 return( PSA_ERROR_HARDWARE_FAILURE );
246
247 case MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED:
248 return( PSA_ERROR_HARDWARE_FAILURE );
249
250 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
251 return( PSA_ERROR_INVALID_ARGUMENT );
252 case MBEDTLS_ERR_RSA_INVALID_PADDING:
253 return( PSA_ERROR_INVALID_PADDING );
254 case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
255 return( PSA_ERROR_HARDWARE_FAILURE );
256 case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
257 return( PSA_ERROR_INVALID_ARGUMENT );
258 case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
259 case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
260 return( PSA_ERROR_TAMPERING_DETECTED );
261 case MBEDTLS_ERR_RSA_VERIFY_FAILED:
262 return( PSA_ERROR_INVALID_SIGNATURE );
263 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
264 return( PSA_ERROR_BUFFER_TOO_SMALL );
265 case MBEDTLS_ERR_RSA_RNG_FAILED:
266 return( PSA_ERROR_INSUFFICIENT_MEMORY );
267 case MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:
268 return( PSA_ERROR_NOT_SUPPORTED );
269 case MBEDTLS_ERR_RSA_HW_ACCEL_FAILED:
270 return( PSA_ERROR_HARDWARE_FAILURE );
271
272 case MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED:
273 case MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED:
274 case MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED:
275 return( PSA_ERROR_HARDWARE_FAILURE );
276
277 case MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH:
278 return( PSA_ERROR_INVALID_ARGUMENT );
279 case MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED:
280 return( PSA_ERROR_HARDWARE_FAILURE );
281
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]282 default:
283 return( PSA_ERROR_UNKNOWN_ERROR );
284 }
285}
286
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]287
288
289/****************************************************************/
290/* Key management */
291/****************************************************************/
292
293psa_status_t psa_import_key(psa_key_slot_t key,
294 psa_key_type_t type,
295 const uint8_t *data,
296 size_t data_length)
297{
298 key_slot_t *slot;
299
300 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
301 return( PSA_ERROR_INVALID_ARGUMENT );
302 slot = &global_data.key_slots[key];
303 if( slot->type != PSA_KEY_TYPE_NONE )
304 return( PSA_ERROR_OCCUPIED_SLOT );
305
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]306 if( PSA_KEY_TYPE_IS_RAW_BYTES( type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]307 {
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]308 /* Ensure that a bytes-to-bit conversion won't overflow. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]309 if( data_length > SIZE_MAX / 8 )
310 return( PSA_ERROR_NOT_SUPPORTED );
311 slot->data.raw.data = mbedtls_calloc( 1, data_length );
312 if( slot->data.raw.data == NULL )
313 return( PSA_ERROR_INSUFFICIENT_MEMORY );
314 memcpy( slot->data.raw.data, data, data_length );
315 slot->data.raw.bytes = data_length;
316 }
317 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]318#if defined(MBEDTLS_PK_PARSE_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]319 if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
320 type == PSA_KEY_TYPE_RSA_KEYPAIR ||
321 PSA_KEY_TYPE_IS_ECC( type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]322 {
323 int ret;
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]324 mbedtls_pk_context pk;
325 mbedtls_pk_init( &pk );
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]326 if( PSA_KEY_TYPE_IS_KEYPAIR( type ) )
327 ret = mbedtls_pk_parse_key( &pk, data, data_length, NULL, 0 );
328 else
329 ret = mbedtls_pk_parse_public_key( &pk, data, data_length );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]330 if( ret != 0 )
331 return( mbedtls_to_psa_error( ret ) );
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]332 switch( mbedtls_pk_get_type( &pk ) )
333 {
334#if defined(MBEDTLS_RSA_C)
335 case MBEDTLS_PK_RSA:
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]336 if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
337 type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]338 slot->data.rsa = pk.pk_ctx;
339 else
340 return( PSA_ERROR_INVALID_ARGUMENT );
341 break;
342#endif /* MBEDTLS_RSA_C */
343#if defined(MBEDTLS_ECP_C)
344 case MBEDTLS_PK_ECKEY:
345 if( PSA_KEY_TYPE_IS_ECC( type ) )
346 {
347 // TODO: check curve
348 slot->data.ecp = pk.pk_ctx;
349 }
350 else
351 return( PSA_ERROR_INVALID_ARGUMENT );
352 break;
353#endif /* MBEDTLS_ECP_C */
354 default:
355 return( PSA_ERROR_INVALID_ARGUMENT );
356 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]357 }
358 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]359#endif /* defined(MBEDTLS_PK_PARSE_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]360 {
361 return( PSA_ERROR_NOT_SUPPORTED );
362 }
363
364 slot->type = type;
365 return( PSA_SUCCESS );
366}
367
368psa_status_t psa_destroy_key(psa_key_slot_t key)
369{
370 key_slot_t *slot;
371
372 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
373 return( PSA_ERROR_INVALID_ARGUMENT );
374 slot = &global_data.key_slots[key];
375 if( slot->type == PSA_KEY_TYPE_NONE )
Gilles Peskine154bd952018-04-19 08:38:16 +0200[diff] [blame^]376 {
377 /* No key material to clean, but do zeroize the slot below to wipe
378 * metadata such as policies. */
379 }
380 else if( PSA_KEY_TYPE_IS_RAW_BYTES( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]381 {
382 mbedtls_free( slot->data.raw.data );
383 }
384 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]385#if defined(MBEDTLS_RSA_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]386 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
387 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]388 {
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]389 mbedtls_rsa_free( slot->data.rsa );
Gilles Peskine3c6e9702018-03-07 16:42:44 +0100[diff] [blame]390 mbedtls_free( slot->data.rsa );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]391 }
392 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]393#endif /* defined(MBEDTLS_RSA_C) */
394#if defined(MBEDTLS_ECP_C)
395 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
396 {
397 mbedtls_ecp_keypair_free( slot->data.ecp );
Gilles Peskine3c6e9702018-03-07 16:42:44 +0100[diff] [blame]398 mbedtls_free( slot->data.ecp );
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]399 }
400 else
401#endif /* defined(MBEDTLS_ECP_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]402 {
403 /* Shouldn't happen: the key type is not any type that we
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]404 * put in. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]405 return( PSA_ERROR_TAMPERING_DETECTED );
406 }
407
408 mbedtls_zeroize( slot, sizeof( *slot ) );
409 return( PSA_SUCCESS );
410}
411
412psa_status_t psa_get_key_information(psa_key_slot_t key,
413 psa_key_type_t *type,
414 size_t *bits)
415{
416 key_slot_t *slot;
417
418 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]419 return( PSA_ERROR_EMPTY_SLOT );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]420 slot = &global_data.key_slots[key];
421 if( type != NULL )
422 *type = slot->type;
423 if( bits != NULL )
424 *bits = 0;
425 if( slot->type == PSA_KEY_TYPE_NONE )
426 return( PSA_ERROR_EMPTY_SLOT );
427
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]428 if( PSA_KEY_TYPE_IS_RAW_BYTES( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]429 {
430 if( bits != NULL )
431 *bits = slot->data.raw.bytes * 8;
432 }
433 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]434#if defined(MBEDTLS_RSA_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]435 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
436 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]437 {
438 if( bits != NULL )
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]439 *bits = mbedtls_rsa_get_bitlen( slot->data.rsa );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]440 }
441 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]442#endif /* defined(MBEDTLS_RSA_C) */
443#if defined(MBEDTLS_ECP_C)
444 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
445 {
446 if( bits != NULL )
447 *bits = slot->data.ecp->grp.pbits;
448 }
449 else
450#endif /* defined(MBEDTLS_ECP_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]451 {
452 /* Shouldn't happen: the key type is not any type that we
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]453 * put in. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]454 return( PSA_ERROR_TAMPERING_DETECTED );
455 }
456
457 return( PSA_SUCCESS );
458}
459
460psa_status_t psa_export_key(psa_key_slot_t key,
461 uint8_t *data,
462 size_t data_size,
463 size_t *data_length)
464{
465 key_slot_t *slot;
466
467 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]468 return( PSA_ERROR_EMPTY_SLOT );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]469 slot = &global_data.key_slots[key];
470 if( slot->type == PSA_KEY_TYPE_NONE )
471 return( PSA_ERROR_EMPTY_SLOT );
472
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]473 if( PSA_KEY_TYPE_IS_RAW_BYTES( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]474 {
475 if( slot->data.raw.bytes > data_size )
476 return( PSA_ERROR_BUFFER_TOO_SMALL );
477 memcpy( data, slot->data.raw.data, slot->data.raw.bytes );
478 *data_length = slot->data.raw.bytes;
479 return( PSA_SUCCESS );
480 }
481 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]482#if defined(MBEDTLS_PK_WRITE_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]483 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
484 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR ||
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]485 PSA_KEY_TYPE_IS_ECC( slot->type ) )
486 {
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]487 mbedtls_pk_context pk;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]488 int ret;
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]489 mbedtls_pk_init( &pk );
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]490 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
491 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]492 {
493 pk.pk_info = &mbedtls_rsa_info;
494 pk.pk_ctx = slot->data.rsa;
495 }
496 else
497 {
498 pk.pk_info = &mbedtls_eckey_info;
499 pk.pk_ctx = slot->data.ecp;
500 }
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]501 if( PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
502 ret = mbedtls_pk_write_key_der( &pk, data, data_size );
503 else
504 ret = mbedtls_pk_write_pubkey_der( &pk, data, data_size );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]505 if( ret < 0 )
506 return( mbedtls_to_psa_error( ret ) );
507 *data_length = ret;
508 return( PSA_SUCCESS );
509 }
510 else
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]511#endif /* defined(MBEDTLS_PK_WRITE_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]512 {
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]513 /* This shouldn't happen in the reference implementation, but
514 it is valid for a special-purpose implementation to omit
515 support for exporting certain key types. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]516 return( PSA_ERROR_NOT_SUPPORTED );
517 }
518}
519
520
521
522/****************************************************************/
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]523/* Message digests */
524/****************************************************************/
525
Gilles Peskinedc2fc842018-03-07 16:42:59 +0100[diff] [blame]526static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]527{
528 switch( alg )
529 {
530#if defined(MBEDTLS_MD2_C)
531 case PSA_ALG_MD2:
532 return( &mbedtls_md2_info );
533#endif
534#if defined(MBEDTLS_MD4_C)
535 case PSA_ALG_MD4:
536 return( &mbedtls_md4_info );
537#endif
538#if defined(MBEDTLS_MD5_C)
539 case PSA_ALG_MD5:
540 return( &mbedtls_md5_info );
541#endif
542#if defined(MBEDTLS_RIPEMD160_C)
543 case PSA_ALG_RIPEMD160:
544 return( &mbedtls_ripemd160_info );
545#endif
546#if defined(MBEDTLS_SHA1_C)
547 case PSA_ALG_SHA_1:
548 return( &mbedtls_sha1_info );
549#endif
550#if defined(MBEDTLS_SHA256_C)
551 case PSA_ALG_SHA_224:
552 return( &mbedtls_sha224_info );
553 case PSA_ALG_SHA_256:
554 return( &mbedtls_sha256_info );
555#endif
556#if defined(MBEDTLS_SHA512_C)
557 case PSA_ALG_SHA_384:
558 return( &mbedtls_sha384_info );
559 case PSA_ALG_SHA_512:
560 return( &mbedtls_sha512_info );
561#endif
562 default:
563 return( NULL );
564 }
565}
566
567#if 0
568static psa_algorithm_t mbedtls_md_alg_to_psa( mbedtls_md_type_t md_alg )
569{
570 switch( md_alg )
571 {
572 case MBEDTLS_MD_NONE:
573 return( 0 );
574 case MBEDTLS_MD_MD2:
575 return( PSA_ALG_MD2 );
576 case MBEDTLS_MD_MD4:
577 return( PSA_ALG_MD4 );
578 case MBEDTLS_MD_MD5:
579 return( PSA_ALG_MD5 );
580 case MBEDTLS_MD_SHA1:
581 return( PSA_ALG_SHA_1 );
582 case MBEDTLS_MD_SHA224:
583 return( PSA_ALG_SHA_224 );
584 case MBEDTLS_MD_SHA256:
585 return( PSA_ALG_SHA_256 );
586 case MBEDTLS_MD_SHA384:
587 return( PSA_ALG_SHA_384 );
588 case MBEDTLS_MD_SHA512:
589 return( PSA_ALG_SHA_512 );
590 case MBEDTLS_MD_RIPEMD160:
591 return( PSA_ALG_RIPEMD160 );
592 default:
Gilles Peskine47c1bc02018-03-20 17:55:04 +0100[diff] [blame]593 return( 0 );
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]594 }
595}
596#endif
597
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]598psa_status_t psa_hash_abort( psa_hash_operation_t *operation )
599{
600 switch( operation->alg )
601 {
602#if defined(MBEDTLS_MD2_C)
603 case PSA_ALG_MD2:
604 mbedtls_md2_free( &operation->ctx.md2 );
605 break;
606#endif
607#if defined(MBEDTLS_MD4_C)
608 case PSA_ALG_MD4:
609 mbedtls_md4_free( &operation->ctx.md4 );
610 break;
611#endif
612#if defined(MBEDTLS_MD5_C)
613 case PSA_ALG_MD5:
614 mbedtls_md5_free( &operation->ctx.md5 );
615 break;
616#endif
617#if defined(MBEDTLS_RIPEMD160_C)
618 case PSA_ALG_RIPEMD160:
619 mbedtls_ripemd160_free( &operation->ctx.ripemd160 );
620 break;
621#endif
622#if defined(MBEDTLS_SHA1_C)
623 case PSA_ALG_SHA_1:
624 mbedtls_sha1_free( &operation->ctx.sha1 );
625 break;
626#endif
627#if defined(MBEDTLS_SHA256_C)
628 case PSA_ALG_SHA_224:
629 case PSA_ALG_SHA_256:
630 mbedtls_sha256_free( &operation->ctx.sha256 );
631 break;
632#endif
633#if defined(MBEDTLS_SHA512_C)
634 case PSA_ALG_SHA_384:
635 case PSA_ALG_SHA_512:
636 mbedtls_sha512_free( &operation->ctx.sha512 );
637 break;
638#endif
639 default:
640 return( PSA_ERROR_NOT_SUPPORTED );
641 }
642 operation->alg = 0;
643 return( PSA_SUCCESS );
644}
645
646psa_status_t psa_hash_start( psa_hash_operation_t *operation,
647 psa_algorithm_t alg )
648{
649 int ret;
650 operation->alg = 0;
651 switch( alg )
652 {
653#if defined(MBEDTLS_MD2_C)
654 case PSA_ALG_MD2:
655 mbedtls_md2_init( &operation->ctx.md2 );
656 ret = mbedtls_md2_starts_ret( &operation->ctx.md2 );
657 break;
658#endif
659#if defined(MBEDTLS_MD4_C)
660 case PSA_ALG_MD4:
661 mbedtls_md4_init( &operation->ctx.md4 );
662 ret = mbedtls_md4_starts_ret( &operation->ctx.md4 );
663 break;
664#endif
665#if defined(MBEDTLS_MD5_C)
666 case PSA_ALG_MD5:
667 mbedtls_md5_init( &operation->ctx.md5 );
668 ret = mbedtls_md5_starts_ret( &operation->ctx.md5 );
669 break;
670#endif
671#if defined(MBEDTLS_RIPEMD160_C)
672 case PSA_ALG_RIPEMD160:
673 mbedtls_ripemd160_init( &operation->ctx.ripemd160 );
674 ret = mbedtls_ripemd160_starts_ret( &operation->ctx.ripemd160 );
675 break;
676#endif
677#if defined(MBEDTLS_SHA1_C)
678 case PSA_ALG_SHA_1:
679 mbedtls_sha1_init( &operation->ctx.sha1 );
680 ret = mbedtls_sha1_starts_ret( &operation->ctx.sha1 );
681 break;
682#endif
683#if defined(MBEDTLS_SHA256_C)
684 case PSA_ALG_SHA_224:
685 mbedtls_sha256_init( &operation->ctx.sha256 );
686 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 1 );
687 break;
688 case PSA_ALG_SHA_256:
689 mbedtls_sha256_init( &operation->ctx.sha256 );
690 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 0 );
691 break;
692#endif
693#if defined(MBEDTLS_SHA512_C)
694 case PSA_ALG_SHA_384:
695 mbedtls_sha512_init( &operation->ctx.sha512 );
696 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 1 );
697 break;
698 case PSA_ALG_SHA_512:
699 mbedtls_sha512_init( &operation->ctx.sha512 );
700 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 0 );
701 break;
702#endif
703 default:
704 return( PSA_ERROR_NOT_SUPPORTED );
705 }
706 if( ret == 0 )
707 operation->alg = alg;
708 else
709 psa_hash_abort( operation );
710 return( mbedtls_to_psa_error( ret ) );
711}
712
713psa_status_t psa_hash_update( psa_hash_operation_t *operation,
714 const uint8_t *input,
715 size_t input_length )
716{
717 int ret;
718 switch( operation->alg )
719 {
720#if defined(MBEDTLS_MD2_C)
721 case PSA_ALG_MD2:
722 ret = mbedtls_md2_update_ret( &operation->ctx.md2,
723 input, input_length );
724 break;
725#endif
726#if defined(MBEDTLS_MD4_C)
727 case PSA_ALG_MD4:
728 ret = mbedtls_md4_update_ret( &operation->ctx.md4,
729 input, input_length );
730 break;
731#endif
732#if defined(MBEDTLS_MD5_C)
733 case PSA_ALG_MD5:
734 ret = mbedtls_md5_update_ret( &operation->ctx.md5,
735 input, input_length );
736 break;
737#endif
738#if defined(MBEDTLS_RIPEMD160_C)
739 case PSA_ALG_RIPEMD160:
740 ret = mbedtls_ripemd160_update_ret( &operation->ctx.ripemd160,
741 input, input_length );
742 break;
743#endif
744#if defined(MBEDTLS_SHA1_C)
745 case PSA_ALG_SHA_1:
746 ret = mbedtls_sha1_update_ret( &operation->ctx.sha1,
747 input, input_length );
748 break;
749#endif
750#if defined(MBEDTLS_SHA256_C)
751 case PSA_ALG_SHA_224:
752 case PSA_ALG_SHA_256:
753 ret = mbedtls_sha256_update_ret( &operation->ctx.sha256,
754 input, input_length );
755 break;
756#endif
757#if defined(MBEDTLS_SHA512_C)
758 case PSA_ALG_SHA_384:
759 case PSA_ALG_SHA_512:
760 ret = mbedtls_sha512_update_ret( &operation->ctx.sha512,
761 input, input_length );
762 break;
763#endif
764 default:
765 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
766 break;
767 }
768 if( ret != 0 )
769 psa_hash_abort( operation );
770 return( mbedtls_to_psa_error( ret ) );
771}
772
773psa_status_t psa_hash_finish( psa_hash_operation_t *operation,
774 uint8_t *hash,
775 size_t hash_size,
776 size_t *hash_length )
777{
778 int ret;
Gilles Peskine71bb7b72018-04-19 08:29:59 +0200[diff] [blame]779 size_t actual_hash_length = PSA_HASH_SIZE( operation->alg );
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]780
781 /* Fill the output buffer with something that isn't a valid hash
782 * (barring an attack on the hash and deliberately-crafted input),
783 * in case the caller doesn't check the return status properly. */
784 *hash_length = actual_hash_length;
785 memset( hash, '!', hash_size );
786
787 if( hash_size < actual_hash_length )
788 return( PSA_ERROR_BUFFER_TOO_SMALL );
789
790 switch( operation->alg )
791 {
792#if defined(MBEDTLS_MD2_C)
793 case PSA_ALG_MD2:
794 ret = mbedtls_md2_finish_ret( &operation->ctx.md2, hash );
795 break;
796#endif
797#if defined(MBEDTLS_MD4_C)
798 case PSA_ALG_MD4:
799 ret = mbedtls_md4_finish_ret( &operation->ctx.md4, hash );
800 break;
801#endif
802#if defined(MBEDTLS_MD5_C)
803 case PSA_ALG_MD5:
804 ret = mbedtls_md5_finish_ret( &operation->ctx.md5, hash );
805 break;
806#endif
807#if defined(MBEDTLS_RIPEMD160_C)
808 case PSA_ALG_RIPEMD160:
809 ret = mbedtls_ripemd160_finish_ret( &operation->ctx.ripemd160, hash );
810 break;
811#endif
812#if defined(MBEDTLS_SHA1_C)
813 case PSA_ALG_SHA_1:
814 ret = mbedtls_sha1_finish_ret( &operation->ctx.sha1, hash );
815 break;
816#endif
817#if defined(MBEDTLS_SHA256_C)
818 case PSA_ALG_SHA_224:
819 case PSA_ALG_SHA_256:
820 ret = mbedtls_sha256_finish_ret( &operation->ctx.sha256, hash );
821 break;
822#endif
823#if defined(MBEDTLS_SHA512_C)
824 case PSA_ALG_SHA_384:
825 case PSA_ALG_SHA_512:
826 ret = mbedtls_sha512_finish_ret( &operation->ctx.sha512, hash );
827 break;
828#endif
829 default:
830 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
831 break;
832 }
833
834 if( ret == 0 )
835 {
836 return( psa_hash_abort( operation ) );
837 }
838 else
839 {
840 psa_hash_abort( operation );
841 return( mbedtls_to_psa_error( ret ) );
842 }
843}
844
845psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
846 const uint8_t *hash,
847 size_t hash_length)
848{
849 uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE];
850 size_t actual_hash_length;
851 psa_status_t status = psa_hash_finish( operation,
852 actual_hash, sizeof( actual_hash ),
853 &actual_hash_length );
854 if( status != PSA_SUCCESS )
855 return( status );
856 if( actual_hash_length != hash_length )
857 return( PSA_ERROR_INVALID_SIGNATURE );
858 if( safer_memcmp( hash, actual_hash, actual_hash_length ) != 0 )
859 return( PSA_ERROR_INVALID_SIGNATURE );
860 return( PSA_SUCCESS );
861}
862
863
864
865
866/****************************************************************/
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]867/* MAC */
868/****************************************************************/
869
Gilles Peskinedc2fc842018-03-07 16:42:59 +0100[diff] [blame]870static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]871 psa_algorithm_t alg,
872 psa_key_type_t key_type,
873 size_t key_bits )
874{
875 mbedtls_cipher_id_t cipher_id;
876 mbedtls_cipher_mode_t mode;
877
878 if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) )
879 {
880 if( PSA_ALG_IS_BLOCK_CIPHER( alg ) )
881 alg &= ~PSA_ALG_BLOCK_CIPHER_MODE_MASK;
882 switch( alg )
883 {
884 case PSA_ALG_STREAM_CIPHER:
885 mode = MBEDTLS_MODE_STREAM;
886 break;
887 case PSA_ALG_CBC_BASE:
888 mode = MBEDTLS_MODE_CBC;
889 break;
890 case PSA_ALG_CFB_BASE:
891 mode = MBEDTLS_MODE_CFB;
892 break;
893 case PSA_ALG_OFB_BASE:
894 mode = MBEDTLS_MODE_OFB;
895 break;
896 case PSA_ALG_CTR:
897 mode = MBEDTLS_MODE_CTR;
898 break;
899 case PSA_ALG_CCM:
900 mode = MBEDTLS_MODE_CCM;
901 break;
902 case PSA_ALG_GCM:
903 mode = MBEDTLS_MODE_GCM;
904 break;
905 default:
906 return( NULL );
907 }
908 }
909 else if( alg == PSA_ALG_CMAC )
910 mode = MBEDTLS_MODE_ECB;
911 else if( alg == PSA_ALG_GMAC )
912 mode = MBEDTLS_MODE_GCM;
913 else
914 return( NULL );
915
916 switch( key_type )
917 {
918 case PSA_KEY_TYPE_AES:
919 cipher_id = MBEDTLS_CIPHER_ID_AES;
920 break;
921 case PSA_KEY_TYPE_DES:
922 if( key_bits == 64 )
923 cipher_id = MBEDTLS_CIPHER_ID_DES;
924 else
925 cipher_id = MBEDTLS_CIPHER_ID_3DES;
926 break;
927 case PSA_KEY_TYPE_CAMELLIA:
928 cipher_id = MBEDTLS_CIPHER_ID_CAMELLIA;
929 break;
930 case PSA_KEY_TYPE_ARC4:
931 cipher_id = MBEDTLS_CIPHER_ID_ARC4;
932 break;
933 default:
934 return( NULL );
935 }
936
937 return( mbedtls_cipher_info_from_values( cipher_id, key_bits, mode ) );
938}
939
940psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
941{
942 switch( operation->alg )
943 {
944#if defined(MBEDTLS_CMAC_C)
945 case PSA_ALG_CMAC:
946 mbedtls_cipher_free( &operation->ctx.cmac );
947 break;
948#endif /* MBEDTLS_CMAC_C */
949 default:
950#if defined(MBEDTLS_MD_C)
951 if( PSA_ALG_IS_HMAC( operation->alg ) )
952 mbedtls_md_free( &operation->ctx.hmac );
953 else
954#endif /* MBEDTLS_MD_C */
955 return( PSA_ERROR_NOT_SUPPORTED );
956 }
957 operation->alg = 0;
958 operation->key_set = 0;
959 operation->iv_set = 0;
960 operation->iv_required = 0;
961 operation->has_input = 0;
962 return( PSA_SUCCESS );
963}
964
965psa_status_t psa_mac_start( psa_mac_operation_t *operation,
966 psa_key_slot_t key,
967 psa_algorithm_t alg )
968{
969 int ret = MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
970 psa_status_t status;
971 key_slot_t *slot;
972 psa_key_type_t key_type;
973 size_t key_bits;
974 const mbedtls_cipher_info_t *cipher_info = NULL;
975
976 operation->alg = 0;
977 operation->key_set = 0;
978 operation->iv_set = 0;
979 operation->iv_required = 1;
980 operation->has_input = 0;
981
982 status = psa_get_key_information( key, &key_type, &key_bits );
983 if( status != PSA_SUCCESS )
984 return( status );
985 slot = &global_data.key_slots[key];
986
987 if( ! PSA_ALG_IS_HMAC( alg ) )
988 {
Gilles Peskinedc2fc842018-03-07 16:42:59 +0100[diff] [blame]989 cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, key_bits );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]990 if( cipher_info == NULL )
991 return( PSA_ERROR_NOT_SUPPORTED );
992 operation->mac_size = cipher_info->block_size;
993 }
994 switch( alg )
995 {
996#if defined(MBEDTLS_CMAC_C)
997 case PSA_ALG_CMAC:
998 operation->iv_required = 0;
999 mbedtls_cipher_init( &operation->ctx.cmac );
1000 ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info );
1001 if( ret != 0 )
1002 break;
1003 ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
1004 slot->data.raw.data,
1005 key_bits );
1006 break;
1007#endif /* MBEDTLS_CMAC_C */
1008 default:
1009#if defined(MBEDTLS_MD_C)
1010 if( PSA_ALG_IS_HMAC( alg ) )
1011 {
1012 const mbedtls_md_info_t *md_info =
Gilles Peskinedc2fc842018-03-07 16:42:59 +0100[diff] [blame]1013 mbedtls_md_info_from_psa( PSA_ALG_HMAC_HASH( alg ) );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1014 if( md_info == NULL )
1015 return( PSA_ERROR_NOT_SUPPORTED );
1016 if( key_type != PSA_KEY_TYPE_HMAC )
1017 return( PSA_ERROR_INVALID_ARGUMENT );
1018 operation->iv_required = 0;
1019 operation->mac_size = mbedtls_md_get_size( md_info );
1020 mbedtls_md_init( &operation->ctx.hmac );
1021 ret = mbedtls_md_setup( &operation->ctx.hmac, md_info, 1 );
1022 if( ret != 0 )
1023 break;
1024 ret = mbedtls_md_hmac_starts( &operation->ctx.hmac,
1025 slot->data.raw.data,
1026 slot->data.raw.bytes );
1027 break;
1028 }
1029 else
1030#endif /* MBEDTLS_MD_C */
1031 return( PSA_ERROR_NOT_SUPPORTED );
1032 }
1033
1034 /* If we reach this point, then the algorithm-specific part of the
1035 * context has at least been initialized, and may contain data that
1036 * needs to be wiped on error. */
1037 operation->alg = alg;
1038 if( ret != 0 )
1039 {
1040 psa_mac_abort( operation );
1041 return( mbedtls_to_psa_error( ret ) );
1042 }
1043 operation->key_set = 1;
Gilles Peskine47c1bc02018-03-20 17:55:04 +0100[diff] [blame]1044 return( PSA_SUCCESS );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1045}
1046
1047psa_status_t psa_mac_update( psa_mac_operation_t *operation,
1048 const uint8_t *input,
1049 size_t input_length )
1050{
1051 int ret;
1052 if( ! operation->key_set )
1053 return( PSA_ERROR_BAD_STATE );
1054 if( operation->iv_required && ! operation->iv_set )
1055 return( PSA_ERROR_BAD_STATE );
1056 operation->has_input = 1;
1057
1058 switch( operation->alg )
1059 {
1060#if defined(MBEDTLS_CMAC_C)
1061 case PSA_ALG_CMAC:
1062 ret = mbedtls_cipher_cmac_update( &operation->ctx.cmac,
1063 input, input_length );
1064 break;
1065#endif /* MBEDTLS_CMAC_C */
1066 default:
1067#if defined(MBEDTLS_MD_C)
1068 if( PSA_ALG_IS_HMAC( operation->alg ) )
1069 {
1070 ret = mbedtls_md_hmac_update( &operation->ctx.hmac,
1071 input, input_length );
1072 }
1073 else
1074#endif /* MBEDTLS_MD_C */
1075 {
1076 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
1077 }
1078 break;
1079 }
1080 if( ret != 0 )
1081 psa_mac_abort( operation );
1082 return( mbedtls_to_psa_error( ret ) );
1083}
1084
1085psa_status_t psa_mac_finish( psa_mac_operation_t *operation,
1086 uint8_t *mac,
1087 size_t mac_size,
1088 size_t *mac_length )
1089{
1090 int ret;
1091 if( ! operation->key_set )
1092 return( PSA_ERROR_BAD_STATE );
1093 if( operation->iv_required && ! operation->iv_set )
1094 return( PSA_ERROR_BAD_STATE );
1095
1096 /* Fill the output buffer with something that isn't a valid mac
1097 * (barring an attack on the mac and deliberately-crafted input),
1098 * in case the caller doesn't check the return status properly. */
1099 *mac_length = operation->mac_size;
1100 memset( mac, '!', mac_size );
1101
1102 if( mac_size < operation->mac_size )
1103 return( PSA_ERROR_BUFFER_TOO_SMALL );
1104
1105 switch( operation->alg )
1106 {
1107#if defined(MBEDTLS_CMAC_C)
1108 case PSA_ALG_CMAC:
1109 ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, mac );
1110 break;
1111#endif /* MBEDTLS_CMAC_C */
1112 default:
1113#if defined(MBEDTLS_MD_C)
1114 if( PSA_ALG_IS_HMAC( operation->alg ) )
1115 {
1116 ret = mbedtls_md_hmac_finish( &operation->ctx.hmac, mac );
1117 }
1118 else
1119#endif /* MBEDTLS_MD_C */
1120 {
1121 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
1122 }
1123 break;
1124 }
1125
1126 if( ret == 0 )
1127 {
1128 return( psa_mac_abort( operation ) );
1129 }
1130 else
1131 {
1132 psa_mac_abort( operation );
1133 return( mbedtls_to_psa_error( ret ) );
1134 }
1135}
1136
1137#define MBEDTLS_PSA_MAC_MAX_SIZE \
1138 ( MBEDTLS_MD_MAX_SIZE > MBEDTLS_MAX_BLOCK_LENGTH ? \
1139 MBEDTLS_MD_MAX_SIZE : \
1140 MBEDTLS_MAX_BLOCK_LENGTH )
1141psa_status_t psa_mac_verify( psa_mac_operation_t *operation,
1142 const uint8_t *mac,
1143 size_t mac_length )
1144{
1145 uint8_t actual_mac[MBEDTLS_PSA_MAC_MAX_SIZE];
1146 size_t actual_mac_length;
1147 psa_status_t status = psa_mac_finish( operation,
1148 actual_mac, sizeof( actual_mac ),
1149 &actual_mac_length );
1150 if( status != PSA_SUCCESS )
1151 return( status );
1152 if( actual_mac_length != mac_length )
1153 return( PSA_ERROR_INVALID_SIGNATURE );
1154 if( safer_memcmp( mac, actual_mac, actual_mac_length ) != 0 )
1155 return( PSA_ERROR_INVALID_SIGNATURE );
1156 return( PSA_SUCCESS );
1157}
1158
1159
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1160
1161
1162/****************************************************************/
1163/* Asymmetric cryptography */
1164/****************************************************************/
1165
1166psa_status_t psa_asymmetric_sign(psa_key_slot_t key,
1167 psa_algorithm_t alg,
1168 const uint8_t *hash,
1169 size_t hash_length,
1170 const uint8_t *salt,
1171 size_t salt_length,
1172 uint8_t *signature,
1173 size_t signature_size,
1174 size_t *signature_length)
1175{
1176 key_slot_t *slot;
1177
Gilles Peskine93aa0332018-02-03 23:58:03 +0100[diff] [blame]1178 *signature_length = 0;
1179 (void) salt;
1180 (void) salt_length;
1181
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1182 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
1183 return( PSA_ERROR_EMPTY_SLOT );
1184 slot = &global_data.key_slots[key];
1185 if( slot->type == PSA_KEY_TYPE_NONE )
1186 return( PSA_ERROR_EMPTY_SLOT );
1187 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
1188 return( PSA_ERROR_INVALID_ARGUMENT );
1189
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1190#if defined(MBEDTLS_RSA_C)
1191 if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
1192 {
1193 mbedtls_rsa_context *rsa = slot->data.rsa;
1194 int ret;
1195 psa_algorithm_t hash_alg = PSA_ALG_RSA_GET_HASH( alg );
Gilles Peskinedc2fc842018-03-07 16:42:59 +0100[diff] [blame]1196 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1197 mbedtls_md_type_t md_alg =
1198 hash_alg == 0 ? MBEDTLS_MD_NONE : mbedtls_md_get_type( md_info );
1199 if( md_alg == MBEDTLS_MD_NONE )
1200 {
1201#if SIZE_MAX > UINT_MAX
1202 if( hash_length > UINT_MAX )
1203 return( PSA_ERROR_INVALID_ARGUMENT );
1204#endif
1205 }
1206 else
1207 {
1208 if( mbedtls_md_get_size( md_info ) != hash_length )
1209 return( PSA_ERROR_INVALID_ARGUMENT );
1210 if( md_info == NULL )
1211 return( PSA_ERROR_NOT_SUPPORTED );
1212 }
1213 if( signature_size < rsa->len )
1214 return( PSA_ERROR_BUFFER_TOO_SMALL );
1215#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskinea5926232018-03-28 14:16:50 +0200[diff] [blame]1216 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1217 {
1218 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
1219 MBEDTLS_MD_NONE );
1220 ret = mbedtls_rsa_pkcs1_sign( rsa,
1221 mbedtls_ctr_drbg_random,
1222 &global_data.ctr_drbg,
1223 MBEDTLS_RSA_PRIVATE,
1224 md_alg, hash_length, hash,
1225 signature );
1226 }
1227 else
1228#endif /* MBEDTLS_PKCS1_V15 */
1229#if defined(MBEDTLS_PKCS1_V21)
1230 if( alg == PSA_ALG_RSA_PSS_MGF1 )
1231 {
1232 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
1233 ret = mbedtls_rsa_rsassa_pss_sign( rsa,
1234 mbedtls_ctr_drbg_random,
1235 &global_data.ctr_drbg,
1236 MBEDTLS_RSA_PRIVATE,
1237 md_alg, hash_length, hash,
1238 signature );
1239 }
1240 else
1241#endif /* MBEDTLS_PKCS1_V21 */
1242 {
1243 return( PSA_ERROR_INVALID_ARGUMENT );
1244 }
Gilles Peskine93aa0332018-02-03 23:58:03 +0100[diff] [blame]1245 if( ret == 0 )
1246 *signature_length = rsa->len;
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1247 return( mbedtls_to_psa_error( ret ) );
1248 }
1249 else
1250#endif /* defined(MBEDTLS_RSA_C) */
1251#if defined(MBEDTLS_ECP_C)
1252 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
1253 {
1254 // TODO
1255 return( PSA_ERROR_NOT_SUPPORTED );
1256 }
1257 else
1258#endif /* defined(MBEDTLS_ECP_C) */
1259 {
1260 return( PSA_ERROR_NOT_SUPPORTED );
1261 }
1262}
1263
1264
1265
1266/****************************************************************/
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]1267/* Module setup */
1268/****************************************************************/
1269
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1270void mbedtls_psa_crypto_free( void )
1271{
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]1272 size_t key;
1273 for( key = 1; key < MBEDTLS_PSA_KEY_SLOT_COUNT; key++ )
1274 psa_destroy_key( key );
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1275 mbedtls_ctr_drbg_free( &global_data.ctr_drbg );
1276 mbedtls_entropy_free( &global_data.entropy );
1277 mbedtls_zeroize( &global_data, sizeof( global_data ) );
1278}
1279
1280psa_status_t psa_crypto_init( void )
1281{
1282 int ret;
1283 const unsigned char drbg_seed[] = "PSA";
1284
1285 if( global_data.initialized != 0 )
1286 return( PSA_SUCCESS );
1287
1288 mbedtls_zeroize( &global_data, sizeof( global_data ) );
1289 mbedtls_entropy_init( &global_data.entropy );
1290 mbedtls_ctr_drbg_init( &global_data.ctr_drbg );
1291
1292 ret = mbedtls_ctr_drbg_seed( &global_data.ctr_drbg,
1293 mbedtls_entropy_func,
1294 &global_data.entropy,
1295 drbg_seed, sizeof( drbg_seed ) - 1 );
1296 if( ret != 0 )
1297 goto exit;
1298
Gilles Peskinee4ebc122018-03-07 14:16:44 +0100[diff] [blame]1299 global_data.initialized = 1;
1300
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1301exit:
1302 if( ret != 0 )
1303 mbedtls_psa_crypto_free( );
1304 return( mbedtls_to_psa_error( ret ) );
1305}
1306
1307#endif /* MBEDTLS_PSA_CRYPTO_C */