TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / refs/heads/dev/mbed-crypto-0.1.0-alpha / . / library / psa_crypto.c
blob: 4408b454bb0d1d15bbf0fa00f852b8494b2b7f59 [file] [log] [blame]
Jaeden Ameroe54e6932018-08-06 16:19:58 +0100[diff] [blame]1/*
2 * PSA crypto layer on top of Mbed Crypto crypto
3 */
4/* Copyright (C) 2018, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of Mbed Crypto (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDCRYPTO_CONFIG_FILE)
23#include "mbedcrypto/config.h"
24#else
25#include MBEDCRYPTO_CONFIG_FILE
26#endif
27
28#if defined(MBEDCRYPTO_PSA_CRYPTO_C)
29/*
30 * In case MBEDCRYPTO_PSA_CRYPTO_SPM is defined the code is built for SPM (Secure
31 * Partition Manager) integration which separate the code into two parts
32 * NSPE (Non-Secure Process Environment) and SPE (Secure Process Environment).
33 * In this mode an additional header file should be included.
34 */
35#if defined(MBEDCRYPTO_PSA_CRYPTO_SPM)
36/*
37 * PSA_CRYPTO_SECURE means that this file is compiled to the SPE side.
38 * some headers will be affected by this flag.
39 */
40#define PSA_CRYPTO_SECURE 1
41#include "crypto_spe.h"
42#endif
43
44#include "psa/crypto.h"
45
46#include <stdlib.h>
47#include <string.h>
48#if defined(MBEDCRYPTO_PLATFORM_C)
49#include "mbedcrypto/platform.h"
50#else
51#define mbedcrypto_calloc calloc
52#define mbedcrypto_free free
53#endif
54
55#include "mbedcrypto/arc4.h"
56#include "mbedcrypto/asn1.h"
57#include "mbedcrypto/bignum.h"
58#include "mbedcrypto/blowfish.h"
59#include "mbedcrypto/camellia.h"
60#include "mbedcrypto/cipher.h"
61#include "mbedcrypto/ccm.h"
62#include "mbedcrypto/cmac.h"
63#include "mbedcrypto/ctr_drbg.h"
64#include "mbedcrypto/des.h"
65#include "mbedcrypto/ecp.h"
66#include "mbedcrypto/entropy.h"
67#include "mbedcrypto/error.h"
68#include "mbedcrypto/gcm.h"
69#include "mbedcrypto/md2.h"
70#include "mbedcrypto/md4.h"
71#include "mbedcrypto/md5.h"
72#include "mbedcrypto/md.h"
73#include "mbedcrypto/md_internal.h"
74#include "mbedcrypto/pk.h"
75#include "mbedcrypto/pk_internal.h"
76#include "mbedcrypto/ripemd160.h"
77#include "mbedcrypto/rsa.h"
78#include "mbedcrypto/sha1.h"
79#include "mbedcrypto/sha256.h"
80#include "mbedcrypto/sha512.h"
81#include "mbedcrypto/xtea.h"
82
83
84
85#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
86
87/* Implementation that should never be optimized out by the compiler */
88static void mbedcrypto_zeroize( void *v, size_t n )
89{
90 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
91}
92
93/* constant-time buffer comparison */
94static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n )
95{
96 size_t i;
97 unsigned char diff = 0;
98
99 for( i = 0; i < n; i++ )
100 diff |= a[i] ^ b[i];
101
102 return( diff );
103}
104
105
106
107/****************************************************************/
108/* Global data, support functions and library management */
109/****************************************************************/
110
111/* Number of key slots (plus one because 0 is not used).
112 * The value is a compile-time constant for now, for simplicity. */
113#define PSA_KEY_SLOT_COUNT 32
114
115typedef struct
116{
117 psa_key_type_t type;
118 psa_key_policy_t policy;
119 psa_key_lifetime_t lifetime;
120 union
121 {
122 struct raw_data
123 {
124 uint8_t *data;
125 size_t bytes;
126 } raw;
127#if defined(MBEDCRYPTO_RSA_C)
128 mbedcrypto_rsa_context *rsa;
129#endif /* MBEDCRYPTO_RSA_C */
130#if defined(MBEDCRYPTO_ECP_C)
131 mbedcrypto_ecp_keypair *ecp;
132#endif /* MBEDCRYPTO_ECP_C */
133 } data;
134} key_slot_t;
135
136static int key_type_is_raw_bytes( psa_key_type_t type )
137{
138 psa_key_type_t category = type & PSA_KEY_TYPE_CATEGORY_MASK;
139 return( category == PSA_KEY_TYPE_RAW_DATA ||
140 category == PSA_KEY_TYPE_CATEGORY_SYMMETRIC );
141}
142
143typedef struct
144{
145 int initialized;
146 mbedcrypto_entropy_context entropy;
147 mbedcrypto_ctr_drbg_context ctr_drbg;
148 key_slot_t key_slots[PSA_KEY_SLOT_COUNT];
149} psa_global_data_t;
150
151static psa_global_data_t global_data;
152
153static psa_status_t mbedcrypto_to_psa_error( int ret )
154{
155 /* If there's both a high-level code and low-level code, dispatch on
156 * the high-level code. */
157 switch( ret < -0x7f ? - ( -ret & 0x7f80 ) : ret )
158 {
159 case 0:
160 return( PSA_SUCCESS );
161
162 case MBEDCRYPTO_ERR_AES_INVALID_KEY_LENGTH:
163 case MBEDCRYPTO_ERR_AES_INVALID_INPUT_LENGTH:
164 case MBEDCRYPTO_ERR_AES_FEATURE_UNAVAILABLE:
165 return( PSA_ERROR_NOT_SUPPORTED );
166 case MBEDCRYPTO_ERR_AES_HW_ACCEL_FAILED:
167 return( PSA_ERROR_HARDWARE_FAILURE );
168
169 case MBEDCRYPTO_ERR_ARC4_HW_ACCEL_FAILED:
170 return( PSA_ERROR_HARDWARE_FAILURE );
171
172 case MBEDCRYPTO_ERR_ASN1_OUT_OF_DATA:
173 case MBEDCRYPTO_ERR_ASN1_UNEXPECTED_TAG:
174 case MBEDCRYPTO_ERR_ASN1_INVALID_LENGTH:
175 case MBEDCRYPTO_ERR_ASN1_LENGTH_MISMATCH:
176 case MBEDCRYPTO_ERR_ASN1_INVALID_DATA:
177 return( PSA_ERROR_INVALID_ARGUMENT );
178 case MBEDCRYPTO_ERR_ASN1_ALLOC_FAILED:
179 return( PSA_ERROR_INSUFFICIENT_MEMORY );
180 case MBEDCRYPTO_ERR_ASN1_BUF_TOO_SMALL:
181 return( PSA_ERROR_BUFFER_TOO_SMALL );
182
183 case MBEDCRYPTO_ERR_BLOWFISH_INVALID_KEY_LENGTH:
184 case MBEDCRYPTO_ERR_BLOWFISH_INVALID_INPUT_LENGTH:
185 return( PSA_ERROR_NOT_SUPPORTED );
186 case MBEDCRYPTO_ERR_BLOWFISH_HW_ACCEL_FAILED:
187 return( PSA_ERROR_HARDWARE_FAILURE );
188
189 case MBEDCRYPTO_ERR_CAMELLIA_INVALID_KEY_LENGTH:
190 case MBEDCRYPTO_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
191 return( PSA_ERROR_NOT_SUPPORTED );
192 case MBEDCRYPTO_ERR_CAMELLIA_HW_ACCEL_FAILED:
193 return( PSA_ERROR_HARDWARE_FAILURE );
194
195 case MBEDCRYPTO_ERR_CCM_BAD_INPUT:
196 return( PSA_ERROR_INVALID_ARGUMENT );
197 case MBEDCRYPTO_ERR_CCM_AUTH_FAILED:
198 return( PSA_ERROR_INVALID_SIGNATURE );
199 case MBEDCRYPTO_ERR_CCM_HW_ACCEL_FAILED:
200 return( PSA_ERROR_HARDWARE_FAILURE );
201
202 case MBEDCRYPTO_ERR_CIPHER_FEATURE_UNAVAILABLE:
203 return( PSA_ERROR_NOT_SUPPORTED );
204 case MBEDCRYPTO_ERR_CIPHER_BAD_INPUT_DATA:
205 return( PSA_ERROR_INVALID_ARGUMENT );
206 case MBEDCRYPTO_ERR_CIPHER_ALLOC_FAILED:
207 return( PSA_ERROR_INSUFFICIENT_MEMORY );
208 case MBEDCRYPTO_ERR_CIPHER_INVALID_PADDING:
209 return( PSA_ERROR_INVALID_PADDING );
210 case MBEDCRYPTO_ERR_CIPHER_FULL_BLOCK_EXPECTED:
211 return( PSA_ERROR_BAD_STATE );
212 case MBEDCRYPTO_ERR_CIPHER_AUTH_FAILED:
213 return( PSA_ERROR_INVALID_SIGNATURE );
214 case MBEDCRYPTO_ERR_CIPHER_INVALID_CONTEXT:
215 return( PSA_ERROR_TAMPERING_DETECTED );
216 case MBEDCRYPTO_ERR_CIPHER_HW_ACCEL_FAILED:
217 return( PSA_ERROR_HARDWARE_FAILURE );
218
219 case MBEDCRYPTO_ERR_CMAC_HW_ACCEL_FAILED:
220 return( PSA_ERROR_HARDWARE_FAILURE );
221
222 case MBEDCRYPTO_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
223 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
224 case MBEDCRYPTO_ERR_CTR_DRBG_REQUEST_TOO_BIG:
225 case MBEDCRYPTO_ERR_CTR_DRBG_INPUT_TOO_BIG:
226 return( PSA_ERROR_NOT_SUPPORTED );
227 case MBEDCRYPTO_ERR_CTR_DRBG_FILE_IO_ERROR:
228 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
229
230 case MBEDCRYPTO_ERR_DES_INVALID_INPUT_LENGTH:
231 return( PSA_ERROR_NOT_SUPPORTED );
232 case MBEDCRYPTO_ERR_DES_HW_ACCEL_FAILED:
233 return( PSA_ERROR_HARDWARE_FAILURE );
234
235 case MBEDCRYPTO_ERR_ENTROPY_NO_SOURCES_DEFINED:
236 case MBEDCRYPTO_ERR_ENTROPY_NO_STRONG_SOURCE:
237 case MBEDCRYPTO_ERR_ENTROPY_SOURCE_FAILED:
238 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
239
240 case MBEDCRYPTO_ERR_GCM_AUTH_FAILED:
241 return( PSA_ERROR_INVALID_SIGNATURE );
242 case MBEDCRYPTO_ERR_GCM_BAD_INPUT:
243 return( PSA_ERROR_NOT_SUPPORTED );
244 case MBEDCRYPTO_ERR_GCM_HW_ACCEL_FAILED:
245 return( PSA_ERROR_HARDWARE_FAILURE );
246
247 case MBEDCRYPTO_ERR_MD2_HW_ACCEL_FAILED:
248 case MBEDCRYPTO_ERR_MD4_HW_ACCEL_FAILED:
249 case MBEDCRYPTO_ERR_MD5_HW_ACCEL_FAILED:
250 return( PSA_ERROR_HARDWARE_FAILURE );
251
252 case MBEDCRYPTO_ERR_MD_FEATURE_UNAVAILABLE:
253 return( PSA_ERROR_NOT_SUPPORTED );
254 case MBEDCRYPTO_ERR_MD_BAD_INPUT_DATA:
255 return( PSA_ERROR_INVALID_ARGUMENT );
256 case MBEDCRYPTO_ERR_MD_ALLOC_FAILED:
257 return( PSA_ERROR_INSUFFICIENT_MEMORY );
258 case MBEDCRYPTO_ERR_MD_FILE_IO_ERROR:
259 return( PSA_ERROR_STORAGE_FAILURE );
260 case MBEDCRYPTO_ERR_MD_HW_ACCEL_FAILED:
261 return( PSA_ERROR_HARDWARE_FAILURE );
262
263 case MBEDCRYPTO_ERR_PK_ALLOC_FAILED:
264 return( PSA_ERROR_INSUFFICIENT_MEMORY );
265 case MBEDCRYPTO_ERR_PK_TYPE_MISMATCH:
266 case MBEDCRYPTO_ERR_PK_BAD_INPUT_DATA:
267 return( PSA_ERROR_INVALID_ARGUMENT );
268 case MBEDCRYPTO_ERR_PK_FILE_IO_ERROR:
269 return( PSA_ERROR_STORAGE_FAILURE );
270 case MBEDCRYPTO_ERR_PK_KEY_INVALID_VERSION:
271 case MBEDCRYPTO_ERR_PK_KEY_INVALID_FORMAT:
272 return( PSA_ERROR_INVALID_ARGUMENT );
273 case MBEDCRYPTO_ERR_PK_UNKNOWN_PK_ALG:
274 return( PSA_ERROR_NOT_SUPPORTED );
275 case MBEDCRYPTO_ERR_PK_PASSWORD_REQUIRED:
276 case MBEDCRYPTO_ERR_PK_PASSWORD_MISMATCH:
277 return( PSA_ERROR_NOT_PERMITTED );
278 case MBEDCRYPTO_ERR_PK_INVALID_PUBKEY:
279 return( PSA_ERROR_INVALID_ARGUMENT );
280 case MBEDCRYPTO_ERR_PK_INVALID_ALG:
281 case MBEDCRYPTO_ERR_PK_UNKNOWN_NAMED_CURVE:
282 case MBEDCRYPTO_ERR_PK_FEATURE_UNAVAILABLE:
283 return( PSA_ERROR_NOT_SUPPORTED );
284 case MBEDCRYPTO_ERR_PK_SIG_LEN_MISMATCH:
285 return( PSA_ERROR_INVALID_SIGNATURE );
286 case MBEDCRYPTO_ERR_PK_HW_ACCEL_FAILED:
287 return( PSA_ERROR_HARDWARE_FAILURE );
288
289 case MBEDCRYPTO_ERR_RIPEMD160_HW_ACCEL_FAILED:
290 return( PSA_ERROR_HARDWARE_FAILURE );
291
292 case MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA:
293 return( PSA_ERROR_INVALID_ARGUMENT );
294 case MBEDCRYPTO_ERR_RSA_INVALID_PADDING:
295 return( PSA_ERROR_INVALID_PADDING );
296 case MBEDCRYPTO_ERR_RSA_KEY_GEN_FAILED:
297 return( PSA_ERROR_HARDWARE_FAILURE );
298 case MBEDCRYPTO_ERR_RSA_KEY_CHECK_FAILED:
299 return( PSA_ERROR_INVALID_ARGUMENT );
300 case MBEDCRYPTO_ERR_RSA_PUBLIC_FAILED:
301 case MBEDCRYPTO_ERR_RSA_PRIVATE_FAILED:
302 return( PSA_ERROR_TAMPERING_DETECTED );
303 case MBEDCRYPTO_ERR_RSA_VERIFY_FAILED:
304 return( PSA_ERROR_INVALID_SIGNATURE );
305 case MBEDCRYPTO_ERR_RSA_OUTPUT_TOO_LARGE:
306 return( PSA_ERROR_BUFFER_TOO_SMALL );
307 case MBEDCRYPTO_ERR_RSA_RNG_FAILED:
308 return( PSA_ERROR_INSUFFICIENT_MEMORY );
309 case MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION:
310 return( PSA_ERROR_NOT_SUPPORTED );
311 case MBEDCRYPTO_ERR_RSA_HW_ACCEL_FAILED:
312 return( PSA_ERROR_HARDWARE_FAILURE );
313
314 case MBEDCRYPTO_ERR_SHA1_HW_ACCEL_FAILED:
315 case MBEDCRYPTO_ERR_SHA256_HW_ACCEL_FAILED:
316 case MBEDCRYPTO_ERR_SHA512_HW_ACCEL_FAILED:
317 return( PSA_ERROR_HARDWARE_FAILURE );
318
319 case MBEDCRYPTO_ERR_XTEA_INVALID_INPUT_LENGTH:
320 return( PSA_ERROR_INVALID_ARGUMENT );
321 case MBEDCRYPTO_ERR_XTEA_HW_ACCEL_FAILED:
322 return( PSA_ERROR_HARDWARE_FAILURE );
323
324 case MBEDCRYPTO_ERR_ECP_BAD_INPUT_DATA:
325 case MBEDCRYPTO_ERR_ECP_INVALID_KEY:
326 return( PSA_ERROR_INVALID_ARGUMENT );
327 case MBEDCRYPTO_ERR_ECP_BUFFER_TOO_SMALL:
328 return( PSA_ERROR_BUFFER_TOO_SMALL );
329 case MBEDCRYPTO_ERR_ECP_FEATURE_UNAVAILABLE:
330 return( PSA_ERROR_NOT_SUPPORTED );
331 case MBEDCRYPTO_ERR_ECP_SIG_LEN_MISMATCH:
332 case MBEDCRYPTO_ERR_ECP_VERIFY_FAILED:
333 return( PSA_ERROR_INVALID_SIGNATURE );
334 case MBEDCRYPTO_ERR_ECP_ALLOC_FAILED:
335 return( PSA_ERROR_INSUFFICIENT_MEMORY );
336 case MBEDCRYPTO_ERR_ECP_HW_ACCEL_FAILED:
337 return( PSA_ERROR_HARDWARE_FAILURE );
338
339 default:
340 return( PSA_ERROR_UNKNOWN_ERROR );
341 }
342}
343
344/* Retrieve a key slot, occupied or not. */
345static psa_status_t psa_get_key_slot( psa_key_slot_t key,
346 key_slot_t **p_slot )
347{
348 /* 0 is not a valid slot number under any circumstance. This
349 * implementation provides slots number 1 to N where N is the
350 * number of available slots. */
351 if( key == 0 || key > ARRAY_LENGTH( global_data.key_slots ) )
352 return( PSA_ERROR_INVALID_ARGUMENT );
353
354 *p_slot = &global_data.key_slots[key - 1];
355 return( PSA_SUCCESS );
356}
357
358/* Retrieve an empty key slot (slot with no key data, but possibly
359 * with some metadata such as a policy). */
360static psa_status_t psa_get_empty_key_slot( psa_key_slot_t key,
361 key_slot_t **p_slot )
362{
363 psa_status_t status;
364 key_slot_t *slot = NULL;
365
366 *p_slot = NULL;
367
368 status = psa_get_key_slot( key, &slot );
369 if( status != PSA_SUCCESS )
370 return( status );
371
372 if( slot->type != PSA_KEY_TYPE_NONE )
373 return( PSA_ERROR_OCCUPIED_SLOT );
374
375 *p_slot = slot;
376 return( status );
377}
378
379/** Retrieve a slot which must contain a key. The key must have allow all the
380 * usage flags set in \p usage. If \p alg is nonzero, the key must allow
381 * operations with this algorithm. */
382static psa_status_t psa_get_key_from_slot( psa_key_slot_t key,
383 key_slot_t **p_slot,
384 psa_key_usage_t usage,
385 psa_algorithm_t alg )
386{
387 psa_status_t status;
388 key_slot_t *slot = NULL;
389
390 *p_slot = NULL;
391
392 status = psa_get_key_slot( key, &slot );
393 if( status != PSA_SUCCESS )
394 return( status );
395 if( slot->type == PSA_KEY_TYPE_NONE )
396 return( PSA_ERROR_EMPTY_SLOT );
397
398 /* Enforce that usage policy for the key slot contains all the flags
399 * required by the usage parameter. There is one exception: public
400 * keys can always be exported, so we treat public key objects as
401 * if they had the export flag. */
402 if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) )
403 usage &= ~PSA_KEY_USAGE_EXPORT;
404 if( ( slot->policy.usage & usage ) != usage )
405 return( PSA_ERROR_NOT_PERMITTED );
406 if( alg != 0 && ( alg != slot->policy.alg ) )
407 return( PSA_ERROR_NOT_PERMITTED );
408
409 *p_slot = slot;
410 return( PSA_SUCCESS );
411}
412
413
414
415/****************************************************************/
416/* Key management */
417/****************************************************************/
418
419#if defined(MBEDCRYPTO_ECP_C)
420static psa_ecc_curve_t mbedcrypto_ecc_group_to_psa( mbedcrypto_ecp_group_id grpid )
421{
422 switch( grpid )
423 {
424 case MBEDCRYPTO_ECP_DP_SECP192R1:
425 return( PSA_ECC_CURVE_SECP192R1 );
426 case MBEDCRYPTO_ECP_DP_SECP224R1:
427 return( PSA_ECC_CURVE_SECP224R1 );
428 case MBEDCRYPTO_ECP_DP_SECP256R1:
429 return( PSA_ECC_CURVE_SECP256R1 );
430 case MBEDCRYPTO_ECP_DP_SECP384R1:
431 return( PSA_ECC_CURVE_SECP384R1 );
432 case MBEDCRYPTO_ECP_DP_SECP521R1:
433 return( PSA_ECC_CURVE_SECP521R1 );
434 case MBEDCRYPTO_ECP_DP_BP256R1:
435 return( PSA_ECC_CURVE_BRAINPOOL_P256R1 );
436 case MBEDCRYPTO_ECP_DP_BP384R1:
437 return( PSA_ECC_CURVE_BRAINPOOL_P384R1 );
438 case MBEDCRYPTO_ECP_DP_BP512R1:
439 return( PSA_ECC_CURVE_BRAINPOOL_P512R1 );
440 case MBEDCRYPTO_ECP_DP_CURVE25519:
441 return( PSA_ECC_CURVE_CURVE25519 );
442 case MBEDCRYPTO_ECP_DP_SECP192K1:
443 return( PSA_ECC_CURVE_SECP192K1 );
444 case MBEDCRYPTO_ECP_DP_SECP224K1:
445 return( PSA_ECC_CURVE_SECP224K1 );
446 case MBEDCRYPTO_ECP_DP_SECP256K1:
447 return( PSA_ECC_CURVE_SECP256K1 );
448 case MBEDCRYPTO_ECP_DP_CURVE448:
449 return( PSA_ECC_CURVE_CURVE448 );
450 default:
451 return( 0 );
452 }
453}
454
455static mbedcrypto_ecp_group_id mbedcrypto_ecc_group_of_psa( psa_ecc_curve_t curve )
456{
457 switch( curve )
458 {
459 case PSA_ECC_CURVE_SECP192R1:
460 return( MBEDCRYPTO_ECP_DP_SECP192R1 );
461 case PSA_ECC_CURVE_SECP224R1:
462 return( MBEDCRYPTO_ECP_DP_SECP224R1 );
463 case PSA_ECC_CURVE_SECP256R1:
464 return( MBEDCRYPTO_ECP_DP_SECP256R1 );
465 case PSA_ECC_CURVE_SECP384R1:
466 return( MBEDCRYPTO_ECP_DP_SECP384R1 );
467 case PSA_ECC_CURVE_SECP521R1:
468 return( MBEDCRYPTO_ECP_DP_SECP521R1 );
469 case PSA_ECC_CURVE_BRAINPOOL_P256R1:
470 return( MBEDCRYPTO_ECP_DP_BP256R1 );
471 case PSA_ECC_CURVE_BRAINPOOL_P384R1:
472 return( MBEDCRYPTO_ECP_DP_BP384R1 );
473 case PSA_ECC_CURVE_BRAINPOOL_P512R1:
474 return( MBEDCRYPTO_ECP_DP_BP512R1 );
475 case PSA_ECC_CURVE_CURVE25519:
476 return( MBEDCRYPTO_ECP_DP_CURVE25519 );
477 case PSA_ECC_CURVE_SECP192K1:
478 return( MBEDCRYPTO_ECP_DP_SECP192K1 );
479 case PSA_ECC_CURVE_SECP224K1:
480 return( MBEDCRYPTO_ECP_DP_SECP224K1 );
481 case PSA_ECC_CURVE_SECP256K1:
482 return( MBEDCRYPTO_ECP_DP_SECP256K1 );
483 case PSA_ECC_CURVE_CURVE448:
484 return( MBEDCRYPTO_ECP_DP_CURVE448 );
485 default:
486 return( MBEDCRYPTO_ECP_DP_NONE );
487 }
488}
489#endif /* defined(MBEDCRYPTO_ECP_C) */
490
491static psa_status_t prepare_raw_data_slot( psa_key_type_t type,
492 size_t bits,
493 struct raw_data *raw )
494{
495 /* Check that the bit size is acceptable for the key type */
496 switch( type )
497 {
498 case PSA_KEY_TYPE_RAW_DATA:
499 if( bits == 0 )
500 {
501 raw->bytes = 0;
502 raw->data = NULL;
503 return( PSA_SUCCESS );
504 }
505 break;
506#if defined(MBEDCRYPTO_MD_C)
507 case PSA_KEY_TYPE_HMAC:
508#endif
509 case PSA_KEY_TYPE_DERIVE:
510 break;
511#if defined(MBEDCRYPTO_AES_C)
512 case PSA_KEY_TYPE_AES:
513 if( bits != 128 && bits != 192 && bits != 256 )
514 return( PSA_ERROR_INVALID_ARGUMENT );
515 break;
516#endif
517#if defined(MBEDCRYPTO_CAMELLIA_C)
518 case PSA_KEY_TYPE_CAMELLIA:
519 if( bits != 128 && bits != 192 && bits != 256 )
520 return( PSA_ERROR_INVALID_ARGUMENT );
521 break;
522#endif
523#if defined(MBEDCRYPTO_DES_C)
524 case PSA_KEY_TYPE_DES:
525 if( bits != 64 && bits != 128 && bits != 192 )
526 return( PSA_ERROR_INVALID_ARGUMENT );
527 break;
528#endif
529#if defined(MBEDCRYPTO_ARC4_C)
530 case PSA_KEY_TYPE_ARC4:
531 if( bits < 8 || bits > 2048 )
532 return( PSA_ERROR_INVALID_ARGUMENT );
533 break;
534#endif
535 default:
536 return( PSA_ERROR_NOT_SUPPORTED );
537 }
538 if( bits % 8 != 0 )
539 return( PSA_ERROR_INVALID_ARGUMENT );
540
541 /* Allocate memory for the key */
542 raw->bytes = PSA_BITS_TO_BYTES( bits );
543 raw->data = mbedcrypto_calloc( 1, raw->bytes );
544 if( raw->data == NULL )
545 {
546 raw->bytes = 0;
547 return( PSA_ERROR_INSUFFICIENT_MEMORY );
548 }
549 return( PSA_SUCCESS );
550}
551
552#if defined(MBEDCRYPTO_RSA_C) && defined(MBEDCRYPTO_PK_PARSE_C)
553static psa_status_t psa_import_rsa_key( mbedcrypto_pk_context *pk,
554 mbedcrypto_rsa_context **p_rsa )
555{
556 if( mbedcrypto_pk_get_type( pk ) != MBEDCRYPTO_PK_RSA )
557 return( PSA_ERROR_INVALID_ARGUMENT );
558 else
559 {
560 mbedcrypto_rsa_context *rsa = mbedcrypto_pk_rsa( *pk );
561 size_t bits = mbedcrypto_rsa_get_bitlen( rsa );
562 if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS )
563 return( PSA_ERROR_NOT_SUPPORTED );
564 *p_rsa = rsa;
565 return( PSA_SUCCESS );
566 }
567}
568#endif /* defined(MBEDCRYPTO_RSA_C) && defined(MBEDCRYPTO_PK_PARSE_C) */
569
570#if defined(MBEDCRYPTO_ECP_C) && defined(MBEDCRYPTO_PK_PARSE_C)
571static psa_status_t psa_import_ecp_key( psa_ecc_curve_t expected_curve,
572 mbedcrypto_pk_context *pk,
573 mbedcrypto_ecp_keypair **p_ecp )
574{
575 if( mbedcrypto_pk_get_type( pk ) != MBEDCRYPTO_PK_ECKEY )
576 return( PSA_ERROR_INVALID_ARGUMENT );
577 else
578 {
579 mbedcrypto_ecp_keypair *ecp = mbedcrypto_pk_ec( *pk );
580 psa_ecc_curve_t actual_curve = mbedcrypto_ecc_group_to_psa( ecp->grp.id );
581 if( actual_curve != expected_curve )
582 return( PSA_ERROR_INVALID_ARGUMENT );
583 *p_ecp = ecp;
584 return( PSA_SUCCESS );
585 }
586}
587#endif /* defined(MBEDCRYPTO_ECP_C) && defined(MBEDCRYPTO_PK_PARSE_C) */
588
589psa_status_t psa_import_key( psa_key_slot_t key,
590 psa_key_type_t type,
591 const uint8_t *data,
592 size_t data_length )
593{
594 key_slot_t *slot;
595 psa_status_t status = PSA_SUCCESS;
596 status = psa_get_empty_key_slot( key, &slot );
597 if( status != PSA_SUCCESS )
598 return( status );
599
600 if( key_type_is_raw_bytes( type ) )
601 {
602 /* Ensure that a bytes-to-bit conversion won't overflow. */
603 if( data_length > SIZE_MAX / 8 )
604 return( PSA_ERROR_NOT_SUPPORTED );
605 status = prepare_raw_data_slot( type,
606 PSA_BYTES_TO_BITS( data_length ),
607 &slot->data.raw );
608 if( status != PSA_SUCCESS )
609 return( status );
610 if( data_length != 0 )
611 memcpy( slot->data.raw.data, data, data_length );
612 }
613 else
614#if defined(MBEDCRYPTO_PK_PARSE_C)
615 if( PSA_KEY_TYPE_IS_RSA( type ) || PSA_KEY_TYPE_IS_ECC( type ) )
616 {
617 int ret;
618 mbedcrypto_pk_context pk;
619 mbedcrypto_pk_init( &pk );
620
621 /* Parse the data. */
622 if( PSA_KEY_TYPE_IS_KEYPAIR( type ) )
623 ret = mbedcrypto_pk_parse_key( &pk, data, data_length, NULL, 0 );
624 else
625 ret = mbedcrypto_pk_parse_public_key( &pk, data, data_length );
626 if( ret != 0 )
627 return( mbedcrypto_to_psa_error( ret ) );
628
629 /* We have something that the pkparse module recognizes.
630 * If it has the expected type and passes any type-specific
631 * checks, store it. */
632#if defined(MBEDCRYPTO_RSA_C)
633 if( PSA_KEY_TYPE_IS_RSA( type ) )
634 status = psa_import_rsa_key( &pk, &slot->data.rsa );
635 else
636#endif /* MBEDCRYPTO_RSA_C */
637#if defined(MBEDCRYPTO_ECP_C)
638 if( PSA_KEY_TYPE_IS_ECC( type ) )
639 status = psa_import_ecp_key( PSA_KEY_TYPE_GET_CURVE( type ),
640 &pk, &slot->data.ecp );
641 else
642#endif /* MBEDCRYPTO_ECP_C */
643 {
644 status = PSA_ERROR_NOT_SUPPORTED;
645 }
646
647 /* Free the content of the pk object only on error. On success,
648 * the content of the object has been stored in the slot. */
649 if( status != PSA_SUCCESS )
650 {
651 mbedcrypto_pk_free( &pk );
652 return( status );
653 }
654 }
655 else
656#endif /* defined(MBEDCRYPTO_PK_PARSE_C) */
657 {
658 return( PSA_ERROR_NOT_SUPPORTED );
659 }
660
661 slot->type = type;
662 return( PSA_SUCCESS );
663}
664
665psa_status_t psa_destroy_key( psa_key_slot_t key )
666{
667 key_slot_t *slot;
668 psa_status_t status;
669
670 status = psa_get_key_slot( key, &slot );
671 if( status != PSA_SUCCESS )
672 return( status );
673
674 if( slot->type == PSA_KEY_TYPE_NONE )
675 {
676 /* No key material to clean, but do zeroize the slot below to wipe
677 * metadata such as policies. */
678 }
679 else if( key_type_is_raw_bytes( slot->type ) )
680 {
681 mbedcrypto_free( slot->data.raw.data );
682 }
683 else
684#if defined(MBEDCRYPTO_RSA_C)
685 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
686 {
687 mbedcrypto_rsa_free( slot->data.rsa );
688 mbedcrypto_free( slot->data.rsa );
689 }
690 else
691#endif /* defined(MBEDCRYPTO_RSA_C) */
692#if defined(MBEDCRYPTO_ECP_C)
693 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
694 {
695 mbedcrypto_ecp_keypair_free( slot->data.ecp );
696 mbedcrypto_free( slot->data.ecp );
697 }
698 else
699#endif /* defined(MBEDCRYPTO_ECP_C) */
700 {
701 /* Shouldn't happen: the key type is not any type that we
702 * put in. */
703 return( PSA_ERROR_TAMPERING_DETECTED );
704 }
705
706 mbedcrypto_zeroize( slot, sizeof( *slot ) );
707 return( PSA_SUCCESS );
708}
709
710/* Return the size of the key in the given slot, in bits. */
711static size_t psa_get_key_bits( const key_slot_t *slot )
712{
713 if( key_type_is_raw_bytes( slot->type ) )
714 return( slot->data.raw.bytes * 8 );
715#if defined(MBEDCRYPTO_RSA_C)
716 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
717 return( mbedcrypto_rsa_get_bitlen( slot->data.rsa ) );
718#endif /* defined(MBEDCRYPTO_RSA_C) */
719#if defined(MBEDCRYPTO_ECP_C)
720 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
721 return( slot->data.ecp->grp.pbits );
722#endif /* defined(MBEDCRYPTO_ECP_C) */
723 /* Shouldn't happen except on an empty slot. */
724 return( 0 );
725}
726
727psa_status_t psa_get_key_information( psa_key_slot_t key,
728 psa_key_type_t *type,
729 size_t *bits )
730{
731 key_slot_t *slot;
732 psa_status_t status;
733
734 if( type != NULL )
735 *type = 0;
736 if( bits != NULL )
737 *bits = 0;
738 status = psa_get_key_slot( key, &slot );
739 if( status != PSA_SUCCESS )
740 return( status );
741
742 if( slot->type == PSA_KEY_TYPE_NONE )
743 return( PSA_ERROR_EMPTY_SLOT );
744 if( type != NULL )
745 *type = slot->type;
746 if( bits != NULL )
747 *bits = psa_get_key_bits( slot );
748 return( PSA_SUCCESS );
749}
750
751static psa_status_t psa_internal_export_key( psa_key_slot_t key,
752 uint8_t *data,
753 size_t data_size,
754 size_t *data_length,
755 int export_public_key )
756{
757 key_slot_t *slot;
758 psa_status_t status;
759 /* Exporting a public key doesn't require a usage flag. If we're
760 * called by psa_export_public_key(), don't require the EXPORT flag.
761 * If we're called by psa_export_key(), do require the EXPORT flag;
762 * if the key turns out to be public key object, psa_get_key_from_slot()
763 * will ignore this flag. */
764 psa_key_usage_t usage = export_public_key ? 0 : PSA_KEY_USAGE_EXPORT;
765
766 /* Set the key to empty now, so that even when there are errors, we always
767 * set data_length to a value between 0 and data_size. On error, setting
768 * the key to empty is a good choice because an empty key representation is
769 * unlikely to be accepted anywhere. */
770 *data_length = 0;
771
772 status = psa_get_key_from_slot( key, &slot, usage, 0 );
773 if( status != PSA_SUCCESS )
774 return( status );
775 if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->type ) )
776 return( PSA_ERROR_INVALID_ARGUMENT );
777
778 if( key_type_is_raw_bytes( slot->type ) )
779 {
780 if( slot->data.raw.bytes > data_size )
781 return( PSA_ERROR_BUFFER_TOO_SMALL );
782 if( slot->data.raw.bytes != 0 )
783 memcpy( data, slot->data.raw.data, slot->data.raw.bytes );
784 *data_length = slot->data.raw.bytes;
785 return( PSA_SUCCESS );
786 }
787 else
788 {
789#if defined(MBEDCRYPTO_PK_WRITE_C)
790 if( PSA_KEY_TYPE_IS_RSA( slot->type ) ||
791 PSA_KEY_TYPE_IS_ECC( slot->type ) )
792 {
793 mbedcrypto_pk_context pk;
794 int ret;
795 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
796 {
797#if defined(MBEDCRYPTO_RSA_C)
798 mbedcrypto_pk_init( &pk );
799 pk.pk_info = &mbedcrypto_rsa_info;
800 pk.pk_ctx = slot->data.rsa;
801#else
802 return( PSA_ERROR_NOT_SUPPORTED );
803#endif
804 }
805 else
806 {
807#if defined(MBEDCRYPTO_ECP_C)
808 mbedcrypto_pk_init( &pk );
809 pk.pk_info = &mbedcrypto_eckey_info;
810 pk.pk_ctx = slot->data.ecp;
811#else
812 return( PSA_ERROR_NOT_SUPPORTED );
813#endif
814 }
815 if( export_public_key || PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) )
816 ret = mbedcrypto_pk_write_pubkey_der( &pk, data, data_size );
817 else
818 ret = mbedcrypto_pk_write_key_der( &pk, data, data_size );
819 if( ret < 0 )
820 {
821 /* If data_size is 0 then data may be NULL and then the
822 * call to memset would have undefined behavior. */
823 if( data_size != 0 )
824 memset( data, 0, data_size );
825 return( mbedcrypto_to_psa_error( ret ) );
826 }
827 /* The mbedcrypto_pk_xxx functions write to the end of the buffer.
828 * Move the data to the beginning and erase remaining data
829 * at the original location. */
830 if( 2 * (size_t) ret <= data_size )
831 {
832 memcpy( data, data + data_size - ret, ret );
833 memset( data + data_size - ret, 0, ret );
834 }
835 else if( (size_t) ret < data_size )
836 {
837 memmove( data, data + data_size - ret, ret );
838 memset( data + ret, 0, data_size - ret );
839 }
840 *data_length = ret;
841 return( PSA_SUCCESS );
842 }
843 else
844#endif /* defined(MBEDCRYPTO_PK_WRITE_C) */
845 {
846 /* This shouldn't happen in the reference implementation, but
847 it is valid for a special-purpose implementation to omit
848 support for exporting certain key types. */
849 return( PSA_ERROR_NOT_SUPPORTED );
850 }
851 }
852}
853
854psa_status_t psa_export_key( psa_key_slot_t key,
855 uint8_t *data,
856 size_t data_size,
857 size_t *data_length )
858{
859 return( psa_internal_export_key( key, data, data_size,
860 data_length, 0 ) );
861}
862
863psa_status_t psa_export_public_key( psa_key_slot_t key,
864 uint8_t *data,
865 size_t data_size,
866 size_t *data_length )
867{
868 return( psa_internal_export_key( key, data, data_size,
869 data_length, 1 ) );
870}
871
872
873
874/****************************************************************/
875/* Message digests */
876/****************************************************************/
877
878static const mbedcrypto_md_info_t *mbedcrypto_md_info_from_psa( psa_algorithm_t alg )
879{
880 switch( alg )
881 {
882#if defined(MBEDCRYPTO_MD2_C)
883 case PSA_ALG_MD2:
884 return( &mbedcrypto_md2_info );
885#endif
886#if defined(MBEDCRYPTO_MD4_C)
887 case PSA_ALG_MD4:
888 return( &mbedcrypto_md4_info );
889#endif
890#if defined(MBEDCRYPTO_MD5_C)
891 case PSA_ALG_MD5:
892 return( &mbedcrypto_md5_info );
893#endif
894#if defined(MBEDCRYPTO_RIPEMD160_C)
895 case PSA_ALG_RIPEMD160:
896 return( &mbedcrypto_ripemd160_info );
897#endif
898#if defined(MBEDCRYPTO_SHA1_C)
899 case PSA_ALG_SHA_1:
900 return( &mbedcrypto_sha1_info );
901#endif
902#if defined(MBEDCRYPTO_SHA256_C)
903 case PSA_ALG_SHA_224:
904 return( &mbedcrypto_sha224_info );
905 case PSA_ALG_SHA_256:
906 return( &mbedcrypto_sha256_info );
907#endif
908#if defined(MBEDCRYPTO_SHA512_C)
909 case PSA_ALG_SHA_384:
910 return( &mbedcrypto_sha384_info );
911 case PSA_ALG_SHA_512:
912 return( &mbedcrypto_sha512_info );
913#endif
914 default:
915 return( NULL );
916 }
917}
918
919psa_status_t psa_hash_abort( psa_hash_operation_t *operation )
920{
921 switch( operation->alg )
922 {
923 case 0:
924 /* The object has (apparently) been initialized but it is not
925 * in use. It's ok to call abort on such an object, and there's
926 * nothing to do. */
927 break;
928#if defined(MBEDCRYPTO_MD2_C)
929 case PSA_ALG_MD2:
930 mbedcrypto_md2_free( &operation->ctx.md2 );
931 break;
932#endif
933#if defined(MBEDCRYPTO_MD4_C)
934 case PSA_ALG_MD4:
935 mbedcrypto_md4_free( &operation->ctx.md4 );
936 break;
937#endif
938#if defined(MBEDCRYPTO_MD5_C)
939 case PSA_ALG_MD5:
940 mbedcrypto_md5_free( &operation->ctx.md5 );
941 break;
942#endif
943#if defined(MBEDCRYPTO_RIPEMD160_C)
944 case PSA_ALG_RIPEMD160:
945 mbedcrypto_ripemd160_free( &operation->ctx.ripemd160 );
946 break;
947#endif
948#if defined(MBEDCRYPTO_SHA1_C)
949 case PSA_ALG_SHA_1:
950 mbedcrypto_sha1_free( &operation->ctx.sha1 );
951 break;
952#endif
953#if defined(MBEDCRYPTO_SHA256_C)
954 case PSA_ALG_SHA_224:
955 case PSA_ALG_SHA_256:
956 mbedcrypto_sha256_free( &operation->ctx.sha256 );
957 break;
958#endif
959#if defined(MBEDCRYPTO_SHA512_C)
960 case PSA_ALG_SHA_384:
961 case PSA_ALG_SHA_512:
962 mbedcrypto_sha512_free( &operation->ctx.sha512 );
963 break;
964#endif
965 default:
966 return( PSA_ERROR_BAD_STATE );
967 }
968 operation->alg = 0;
969 return( PSA_SUCCESS );
970}
971
972psa_status_t psa_hash_setup( psa_hash_operation_t *operation,
973 psa_algorithm_t alg )
974{
975 int ret;
976 operation->alg = 0;
977 switch( alg )
978 {
979#if defined(MBEDCRYPTO_MD2_C)
980 case PSA_ALG_MD2:
981 mbedcrypto_md2_init( &operation->ctx.md2 );
982 ret = mbedcrypto_md2_starts_ret( &operation->ctx.md2 );
983 break;
984#endif
985#if defined(MBEDCRYPTO_MD4_C)
986 case PSA_ALG_MD4:
987 mbedcrypto_md4_init( &operation->ctx.md4 );
988 ret = mbedcrypto_md4_starts_ret( &operation->ctx.md4 );
989 break;
990#endif
991#if defined(MBEDCRYPTO_MD5_C)
992 case PSA_ALG_MD5:
993 mbedcrypto_md5_init( &operation->ctx.md5 );
994 ret = mbedcrypto_md5_starts_ret( &operation->ctx.md5 );
995 break;
996#endif
997#if defined(MBEDCRYPTO_RIPEMD160_C)
998 case PSA_ALG_RIPEMD160:
999 mbedcrypto_ripemd160_init( &operation->ctx.ripemd160 );
1000 ret = mbedcrypto_ripemd160_starts_ret( &operation->ctx.ripemd160 );
1001 break;
1002#endif
1003#if defined(MBEDCRYPTO_SHA1_C)
1004 case PSA_ALG_SHA_1:
1005 mbedcrypto_sha1_init( &operation->ctx.sha1 );
1006 ret = mbedcrypto_sha1_starts_ret( &operation->ctx.sha1 );
1007 break;
1008#endif
1009#if defined(MBEDCRYPTO_SHA256_C)
1010 case PSA_ALG_SHA_224:
1011 mbedcrypto_sha256_init( &operation->ctx.sha256 );
1012 ret = mbedcrypto_sha256_starts_ret( &operation->ctx.sha256, 1 );
1013 break;
1014 case PSA_ALG_SHA_256:
1015 mbedcrypto_sha256_init( &operation->ctx.sha256 );
1016 ret = mbedcrypto_sha256_starts_ret( &operation->ctx.sha256, 0 );
1017 break;
1018#endif
1019#if defined(MBEDCRYPTO_SHA512_C)
1020 case PSA_ALG_SHA_384:
1021 mbedcrypto_sha512_init( &operation->ctx.sha512 );
1022 ret = mbedcrypto_sha512_starts_ret( &operation->ctx.sha512, 1 );
1023 break;
1024 case PSA_ALG_SHA_512:
1025 mbedcrypto_sha512_init( &operation->ctx.sha512 );
1026 ret = mbedcrypto_sha512_starts_ret( &operation->ctx.sha512, 0 );
1027 break;
1028#endif
1029 default:
1030 return( PSA_ALG_IS_HASH( alg ) ?
1031 PSA_ERROR_NOT_SUPPORTED :
1032 PSA_ERROR_INVALID_ARGUMENT );
1033 }
1034 if( ret == 0 )
1035 operation->alg = alg;
1036 else
1037 psa_hash_abort( operation );
1038 return( mbedcrypto_to_psa_error( ret ) );
1039}
1040
1041psa_status_t psa_hash_update( psa_hash_operation_t *operation,
1042 const uint8_t *input,
1043 size_t input_length )
1044{
1045 int ret;
1046
1047 /* Don't require hash implementations to behave correctly on a
1048 * zero-length input, which may have an invalid pointer. */
1049 if( input_length == 0 )
1050 return( PSA_SUCCESS );
1051
1052 switch( operation->alg )
1053 {
1054#if defined(MBEDCRYPTO_MD2_C)
1055 case PSA_ALG_MD2:
1056 ret = mbedcrypto_md2_update_ret( &operation->ctx.md2,
1057 input, input_length );
1058 break;
1059#endif
1060#if defined(MBEDCRYPTO_MD4_C)
1061 case PSA_ALG_MD4:
1062 ret = mbedcrypto_md4_update_ret( &operation->ctx.md4,
1063 input, input_length );
1064 break;
1065#endif
1066#if defined(MBEDCRYPTO_MD5_C)
1067 case PSA_ALG_MD5:
1068 ret = mbedcrypto_md5_update_ret( &operation->ctx.md5,
1069 input, input_length );
1070 break;
1071#endif
1072#if defined(MBEDCRYPTO_RIPEMD160_C)
1073 case PSA_ALG_RIPEMD160:
1074 ret = mbedcrypto_ripemd160_update_ret( &operation->ctx.ripemd160,
1075 input, input_length );
1076 break;
1077#endif
1078#if defined(MBEDCRYPTO_SHA1_C)
1079 case PSA_ALG_SHA_1:
1080 ret = mbedcrypto_sha1_update_ret( &operation->ctx.sha1,
1081 input, input_length );
1082 break;
1083#endif
1084#if defined(MBEDCRYPTO_SHA256_C)
1085 case PSA_ALG_SHA_224:
1086 case PSA_ALG_SHA_256:
1087 ret = mbedcrypto_sha256_update_ret( &operation->ctx.sha256,
1088 input, input_length );
1089 break;
1090#endif
1091#if defined(MBEDCRYPTO_SHA512_C)
1092 case PSA_ALG_SHA_384:
1093 case PSA_ALG_SHA_512:
1094 ret = mbedcrypto_sha512_update_ret( &operation->ctx.sha512,
1095 input, input_length );
1096 break;
1097#endif
1098 default:
1099 ret = MBEDCRYPTO_ERR_MD_BAD_INPUT_DATA;
1100 break;
1101 }
1102
1103 if( ret != 0 )
1104 psa_hash_abort( operation );
1105 return( mbedcrypto_to_psa_error( ret ) );
1106}
1107
1108psa_status_t psa_hash_finish( psa_hash_operation_t *operation,
1109 uint8_t *hash,
1110 size_t hash_size,
1111 size_t *hash_length )
1112{
1113 int ret;
1114 size_t actual_hash_length = PSA_HASH_SIZE( operation->alg );
1115
1116 /* Fill the output buffer with something that isn't a valid hash
1117 * (barring an attack on the hash and deliberately-crafted input),
1118 * in case the caller doesn't check the return status properly. */
1119 *hash_length = hash_size;
1120 /* If hash_size is 0 then hash may be NULL and then the
1121 * call to memset would have undefined behavior. */
1122 if( hash_size != 0 )
1123 memset( hash, '!', hash_size );
1124
1125 if( hash_size < actual_hash_length )
1126 return( PSA_ERROR_BUFFER_TOO_SMALL );
1127
1128 switch( operation->alg )
1129 {
1130#if defined(MBEDCRYPTO_MD2_C)
1131 case PSA_ALG_MD2:
1132 ret = mbedcrypto_md2_finish_ret( &operation->ctx.md2, hash );
1133 break;
1134#endif
1135#if defined(MBEDCRYPTO_MD4_C)
1136 case PSA_ALG_MD4:
1137 ret = mbedcrypto_md4_finish_ret( &operation->ctx.md4, hash );
1138 break;
1139#endif
1140#if defined(MBEDCRYPTO_MD5_C)
1141 case PSA_ALG_MD5:
1142 ret = mbedcrypto_md5_finish_ret( &operation->ctx.md5, hash );
1143 break;
1144#endif
1145#if defined(MBEDCRYPTO_RIPEMD160_C)
1146 case PSA_ALG_RIPEMD160:
1147 ret = mbedcrypto_ripemd160_finish_ret( &operation->ctx.ripemd160, hash );
1148 break;
1149#endif
1150#if defined(MBEDCRYPTO_SHA1_C)
1151 case PSA_ALG_SHA_1:
1152 ret = mbedcrypto_sha1_finish_ret( &operation->ctx.sha1, hash );
1153 break;
1154#endif
1155#if defined(MBEDCRYPTO_SHA256_C)
1156 case PSA_ALG_SHA_224:
1157 case PSA_ALG_SHA_256:
1158 ret = mbedcrypto_sha256_finish_ret( &operation->ctx.sha256, hash );
1159 break;
1160#endif
1161#if defined(MBEDCRYPTO_SHA512_C)
1162 case PSA_ALG_SHA_384:
1163 case PSA_ALG_SHA_512:
1164 ret = mbedcrypto_sha512_finish_ret( &operation->ctx.sha512, hash );
1165 break;
1166#endif
1167 default:
1168 ret = MBEDCRYPTO_ERR_MD_BAD_INPUT_DATA;
1169 break;
1170 }
1171
1172 if( ret == 0 )
1173 {
1174 *hash_length = actual_hash_length;
1175 return( psa_hash_abort( operation ) );
1176 }
1177 else
1178 {
1179 psa_hash_abort( operation );
1180 return( mbedcrypto_to_psa_error( ret ) );
1181 }
1182}
1183
1184psa_status_t psa_hash_verify( psa_hash_operation_t *operation,
1185 const uint8_t *hash,
1186 size_t hash_length )
1187{
1188 uint8_t actual_hash[MBEDCRYPTO_MD_MAX_SIZE];
1189 size_t actual_hash_length;
1190 psa_status_t status = psa_hash_finish( operation,
1191 actual_hash, sizeof( actual_hash ),
1192 &actual_hash_length );
1193 if( status != PSA_SUCCESS )
1194 return( status );
1195 if( actual_hash_length != hash_length )
1196 return( PSA_ERROR_INVALID_SIGNATURE );
1197 if( safer_memcmp( hash, actual_hash, actual_hash_length ) != 0 )
1198 return( PSA_ERROR_INVALID_SIGNATURE );
1199 return( PSA_SUCCESS );
1200}
1201
1202
1203
1204/****************************************************************/
1205/* MAC */
1206/****************************************************************/
1207
1208static const mbedcrypto_cipher_info_t *mbedcrypto_cipher_info_from_psa(
1209 psa_algorithm_t alg,
1210 psa_key_type_t key_type,
1211 size_t key_bits,
1212 mbedcrypto_cipher_id_t* cipher_id )
1213{
1214 mbedcrypto_cipher_mode_t mode;
1215 mbedcrypto_cipher_id_t cipher_id_tmp;
1216
1217 if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) )
1218 {
1219 if( PSA_ALG_IS_BLOCK_CIPHER( alg ) )
1220 {
1221 alg &= ~PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
1222 }
1223
1224 switch( alg )
1225 {
1226 case PSA_ALG_STREAM_CIPHER_BASE:
1227 mode = MBEDCRYPTO_MODE_STREAM;
1228 break;
1229 case PSA_ALG_CBC_BASE:
1230 mode = MBEDCRYPTO_MODE_CBC;
1231 break;
1232 case PSA_ALG_CFB_BASE:
1233 mode = MBEDCRYPTO_MODE_CFB;
1234 break;
1235 case PSA_ALG_OFB_BASE:
1236 mode = MBEDCRYPTO_MODE_OFB;
1237 break;
1238 case PSA_ALG_CTR:
1239 mode = MBEDCRYPTO_MODE_CTR;
1240 break;
1241 case PSA_ALG_CCM:
1242 mode = MBEDCRYPTO_MODE_CCM;
1243 break;
1244 case PSA_ALG_GCM:
1245 mode = MBEDCRYPTO_MODE_GCM;
1246 break;
1247 default:
1248 return( NULL );
1249 }
1250 }
1251 else if( alg == PSA_ALG_CMAC )
1252 mode = MBEDCRYPTO_MODE_ECB;
1253 else if( alg == PSA_ALG_GMAC )
1254 mode = MBEDCRYPTO_MODE_GCM;
1255 else
1256 return( NULL );
1257
1258 switch( key_type )
1259 {
1260 case PSA_KEY_TYPE_AES:
1261 cipher_id_tmp = MBEDCRYPTO_CIPHER_ID_AES;
1262 break;
1263 case PSA_KEY_TYPE_DES:
1264 /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES,
1265 * and 192 for three-key Triple-DES. */
1266 if( key_bits == 64 )
1267 cipher_id_tmp = MBEDCRYPTO_CIPHER_ID_DES;
1268 else
1269 cipher_id_tmp = MBEDCRYPTO_CIPHER_ID_3DES;
1270 /* mbedcrypto doesn't recognize two-key Triple-DES as an algorithm,
1271 * but two-key Triple-DES is functionally three-key Triple-DES
1272 * with K1=K3, so that's how we present it to mbedcrypto. */
1273 if( key_bits == 128 )
1274 key_bits = 192;
1275 break;
1276 case PSA_KEY_TYPE_CAMELLIA:
1277 cipher_id_tmp = MBEDCRYPTO_CIPHER_ID_CAMELLIA;
1278 break;
1279 case PSA_KEY_TYPE_ARC4:
1280 cipher_id_tmp = MBEDCRYPTO_CIPHER_ID_ARC4;
1281 break;
1282 default:
1283 return( NULL );
1284 }
1285 if( cipher_id != NULL )
1286 *cipher_id = cipher_id_tmp;
1287
1288 return( mbedcrypto_cipher_info_from_values( cipher_id_tmp,
1289 (int) key_bits, mode ) );
1290}
1291
1292static size_t psa_get_hash_block_size( psa_algorithm_t alg )
1293{
1294 switch( alg )
1295 {
1296 case PSA_ALG_MD2:
1297 return( 16 );
1298 case PSA_ALG_MD4:
1299 return( 64 );
1300 case PSA_ALG_MD5:
1301 return( 64 );
1302 case PSA_ALG_RIPEMD160:
1303 return( 64 );
1304 case PSA_ALG_SHA_1:
1305 return( 64 );
1306 case PSA_ALG_SHA_224:
1307 return( 64 );
1308 case PSA_ALG_SHA_256:
1309 return( 64 );
1310 case PSA_ALG_SHA_384:
1311 return( 128 );
1312 case PSA_ALG_SHA_512:
1313 return( 128 );
1314 default:
1315 return( 0 );
1316 }
1317}
1318
1319/* Initialize the MAC operation structure. Once this function has been
1320 * called, psa_mac_abort can run and will do the right thing. */
1321static psa_status_t psa_mac_init( psa_mac_operation_t *operation,
1322 psa_algorithm_t alg )
1323{
1324 psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
1325
1326 operation->alg = alg;
1327 operation->key_set = 0;
1328 operation->iv_set = 0;
1329 operation->iv_required = 0;
1330 operation->has_input = 0;
1331 operation->is_sign = 0;
1332
1333#if defined(MBEDCRYPTO_CMAC_C)
1334 if( alg == PSA_ALG_CMAC )
1335 {
1336 operation->iv_required = 0;
1337 mbedcrypto_cipher_init( &operation->ctx.cmac );
1338 status = PSA_SUCCESS;
1339 }
1340 else
1341#endif /* MBEDCRYPTO_CMAC_C */
1342#if defined(MBEDCRYPTO_MD_C)
1343 if( PSA_ALG_IS_HMAC( operation->alg ) )
1344 {
1345 /* We'll set up the hash operation later in psa_hmac_setup_internal. */
1346 operation->ctx.hmac.hash_ctx.alg = 0;
1347 status = PSA_SUCCESS;
1348 }
1349 else
1350#endif /* MBEDCRYPTO_MD_C */
1351 {
1352 if( ! PSA_ALG_IS_MAC( alg ) )
1353 status = PSA_ERROR_INVALID_ARGUMENT;
1354 }
1355
1356 if( status != PSA_SUCCESS )
1357 memset( operation, 0, sizeof( *operation ) );
1358 return( status );
1359}
1360
1361#if defined(MBEDCRYPTO_MD_C)
1362static psa_status_t psa_hmac_abort_internal( psa_hmac_internal_data *hmac )
1363{
1364 mbedcrypto_zeroize( hmac->opad, sizeof( hmac->opad ) );
1365 return( psa_hash_abort( &hmac->hash_ctx ) );
1366}
1367#endif /* MBEDCRYPTO_MD_C */
1368
1369psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
1370{
1371 if( operation->alg == 0 )
1372 {
1373 /* The object has (apparently) been initialized but it is not
1374 * in use. It's ok to call abort on such an object, and there's
1375 * nothing to do. */
1376 return( PSA_SUCCESS );
1377 }
1378 else
1379#if defined(MBEDCRYPTO_CMAC_C)
1380 if( operation->alg == PSA_ALG_CMAC )
1381 {
1382 mbedcrypto_cipher_free( &operation->ctx.cmac );
1383 }
1384 else
1385#endif /* MBEDCRYPTO_CMAC_C */
1386#if defined(MBEDCRYPTO_MD_C)
1387 if( PSA_ALG_IS_HMAC( operation->alg ) )
1388 {
1389 psa_hmac_abort_internal( &operation->ctx.hmac );
1390 }
1391 else
1392#endif /* MBEDCRYPTO_MD_C */
1393 {
1394 /* Sanity check (shouldn't happen: operation->alg should
1395 * always have been initialized to a valid value). */
1396 goto bad_state;
1397 }
1398
1399 operation->alg = 0;
1400 operation->key_set = 0;
1401 operation->iv_set = 0;
1402 operation->iv_required = 0;
1403 operation->has_input = 0;
1404 operation->is_sign = 0;
1405
1406 return( PSA_SUCCESS );
1407
1408bad_state:
1409 /* If abort is called on an uninitialized object, we can't trust
1410 * anything. Wipe the object in case it contains confidential data.
1411 * This may result in a memory leak if a pointer gets overwritten,
1412 * but it's too late to do anything about this. */
1413 memset( operation, 0, sizeof( *operation ) );
1414 return( PSA_ERROR_BAD_STATE );
1415}
1416
1417#if defined(MBEDCRYPTO_CMAC_C)
1418static int psa_cmac_setup( psa_mac_operation_t *operation,
1419 size_t key_bits,
1420 key_slot_t *slot,
1421 const mbedcrypto_cipher_info_t *cipher_info )
1422{
1423 int ret;
1424
1425 operation->mac_size = cipher_info->block_size;
1426
1427 ret = mbedcrypto_cipher_setup( &operation->ctx.cmac, cipher_info );
1428 if( ret != 0 )
1429 return( ret );
1430
1431 ret = mbedcrypto_cipher_cmac_starts( &operation->ctx.cmac,
1432 slot->data.raw.data,
1433 key_bits );
1434 return( ret );
1435}
1436#endif /* MBEDCRYPTO_CMAC_C */
1437
1438#if defined(MBEDCRYPTO_MD_C)
1439static psa_status_t psa_hmac_setup_internal( psa_hmac_internal_data *hmac,
1440 const uint8_t *key,
1441 size_t key_length,
1442 psa_algorithm_t hash_alg )
1443{
1444 unsigned char ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
1445 size_t i;
1446 size_t hash_size = PSA_HASH_SIZE( hash_alg );
1447 size_t block_size = psa_get_hash_block_size( hash_alg );
1448 psa_status_t status;
1449
1450 /* Sanity checks on block_size, to guarantee that there won't be a buffer
1451 * overflow below. This should never trigger if the hash algorithm
1452 * is implemented correctly. */
1453 /* The size checks against the ipad and opad buffers cannot be written
1454 * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
1455 * because that triggers -Wlogical-op on GCC 7.3. */
1456 if( block_size > sizeof( ipad ) )
1457 return( PSA_ERROR_NOT_SUPPORTED );
1458 if( block_size > sizeof( hmac->opad ) )
1459 return( PSA_ERROR_NOT_SUPPORTED );
1460 if( block_size < hash_size )
1461 return( PSA_ERROR_NOT_SUPPORTED );
1462
1463 if( key_length > block_size )
1464 {
1465 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
1466 if( status != PSA_SUCCESS )
1467 goto cleanup;
1468 status = psa_hash_update( &hmac->hash_ctx, key, key_length );
1469 if( status != PSA_SUCCESS )
1470 goto cleanup;
1471 status = psa_hash_finish( &hmac->hash_ctx,
1472 ipad, sizeof( ipad ), &key_length );
1473 if( status != PSA_SUCCESS )
1474 goto cleanup;
1475 }
1476 /* A 0-length key is not commonly used in HMAC when used as a MAC,
1477 * but it is permitted. It is common when HMAC is used in HKDF, for
1478 * example. Don't call `memcpy` in the 0-length because `key` could be
1479 * an invalid pointer which would make the behavior undefined. */
1480 else if( key_length != 0 )
1481 memcpy( ipad, key, key_length );
1482
1483 /* ipad contains the key followed by garbage. Xor and fill with 0x36
1484 * to create the ipad value. */
1485 for( i = 0; i < key_length; i++ )
1486 ipad[i] ^= 0x36;
1487 memset( ipad + key_length, 0x36, block_size - key_length );
1488
1489 /* Copy the key material from ipad to opad, flipping the requisite bits,
1490 * and filling the rest of opad with the requisite constant. */
1491 for( i = 0; i < key_length; i++ )
1492 hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
1493 memset( hmac->opad + key_length, 0x5C, block_size - key_length );
1494
1495 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
1496 if( status != PSA_SUCCESS )
1497 goto cleanup;
1498
1499 status = psa_hash_update( &hmac->hash_ctx, ipad, block_size );
1500
1501cleanup:
1502 mbedcrypto_zeroize( ipad, key_length );
1503
1504 return( status );
1505}
1506#endif /* MBEDCRYPTO_MD_C */
1507
1508static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
1509 psa_key_slot_t key,
1510 psa_algorithm_t alg,
1511 int is_sign )
1512{
1513 psa_status_t status;
1514 key_slot_t *slot;
1515 size_t key_bits;
1516 psa_key_usage_t usage =
1517 is_sign ? PSA_KEY_USAGE_SIGN : PSA_KEY_USAGE_VERIFY;
1518
1519 status = psa_mac_init( operation, alg );
1520 if( status != PSA_SUCCESS )
1521 return( status );
1522 if( is_sign )
1523 operation->is_sign = 1;
1524
1525 status = psa_get_key_from_slot( key, &slot, usage, alg );
1526 if( status != PSA_SUCCESS )
1527 goto exit;
1528 key_bits = psa_get_key_bits( slot );
1529
1530#if defined(MBEDCRYPTO_CMAC_C)
1531 if( alg == PSA_ALG_CMAC )
1532 {
1533 const mbedcrypto_cipher_info_t *cipher_info =
1534 mbedcrypto_cipher_info_from_psa( alg, slot->type, key_bits, NULL );
1535 int ret;
1536 if( cipher_info == NULL )
1537 {
1538 status = PSA_ERROR_NOT_SUPPORTED;
1539 goto exit;
1540 }
1541 operation->mac_size = cipher_info->block_size;
1542 ret = psa_cmac_setup( operation, key_bits, slot, cipher_info );
1543 status = mbedcrypto_to_psa_error( ret );
1544 }
1545 else
1546#endif /* MBEDCRYPTO_CMAC_C */
1547#if defined(MBEDCRYPTO_MD_C)
1548 if( PSA_ALG_IS_HMAC( alg ) )
1549 {
1550 psa_algorithm_t hash_alg = PSA_ALG_HMAC_HASH( alg );
1551 if( hash_alg == 0 )
1552 {
1553 status = PSA_ERROR_NOT_SUPPORTED;
1554 goto exit;
1555 }
1556
1557 operation->mac_size = PSA_HASH_SIZE( hash_alg );
1558 /* Sanity check. This shouldn't fail on a valid configuration. */
1559 if( operation->mac_size == 0 ||
1560 operation->mac_size > sizeof( operation->ctx.hmac.opad ) )
1561 {
1562 status = PSA_ERROR_NOT_SUPPORTED;
1563 goto exit;
1564 }
1565
1566 if( slot->type != PSA_KEY_TYPE_HMAC )
1567 {
1568 status = PSA_ERROR_INVALID_ARGUMENT;
1569 goto exit;
1570 }
1571
1572 status = psa_hmac_setup_internal( &operation->ctx.hmac,
1573 slot->data.raw.data,
1574 slot->data.raw.bytes,
1575 hash_alg );
1576 }
1577 else
1578#endif /* MBEDCRYPTO_MD_C */
1579 {
1580 status = PSA_ERROR_NOT_SUPPORTED;
1581 }
1582
1583exit:
1584 if( status != PSA_SUCCESS )
1585 {
1586 psa_mac_abort( operation );
1587 }
1588 else
1589 {
1590 operation->key_set = 1;
1591 }
1592 return( status );
1593}
1594
1595psa_status_t psa_mac_sign_setup( psa_mac_operation_t *operation,
1596 psa_key_slot_t key,
1597 psa_algorithm_t alg )
1598{
1599 return( psa_mac_setup( operation, key, alg, 1 ) );
1600}
1601
1602psa_status_t psa_mac_verify_setup( psa_mac_operation_t *operation,
1603 psa_key_slot_t key,
1604 psa_algorithm_t alg )
1605{
1606 return( psa_mac_setup( operation, key, alg, 0 ) );
1607}
1608
1609psa_status_t psa_mac_update( psa_mac_operation_t *operation,
1610 const uint8_t *input,
1611 size_t input_length )
1612{
1613 psa_status_t status = PSA_ERROR_BAD_STATE;
1614 if( ! operation->key_set )
1615 goto cleanup;
1616 if( operation->iv_required && ! operation->iv_set )
1617 goto cleanup;
1618 operation->has_input = 1;
1619
1620#if defined(MBEDCRYPTO_CMAC_C)
1621 if( operation->alg == PSA_ALG_CMAC )
1622 {
1623 int ret = mbedcrypto_cipher_cmac_update( &operation->ctx.cmac,
1624 input, input_length );
1625 status = mbedcrypto_to_psa_error( ret );
1626 }
1627 else
1628#endif /* MBEDCRYPTO_CMAC_C */
1629#if defined(MBEDCRYPTO_MD_C)
1630 if( PSA_ALG_IS_HMAC( operation->alg ) )
1631 {
1632 status = psa_hash_update( &operation->ctx.hmac.hash_ctx, input,
1633 input_length );
1634 }
1635 else
1636#endif /* MBEDCRYPTO_MD_C */
1637 {
1638 /* This shouldn't happen if `operation` was initialized by
1639 * a setup function. */
1640 status = PSA_ERROR_BAD_STATE;
1641 }
1642
1643cleanup:
1644 if( status != PSA_SUCCESS )
1645 psa_mac_abort( operation );
1646 return( status );
1647}
1648
1649#if defined(MBEDCRYPTO_MD_C)
1650static psa_status_t psa_hmac_finish_internal( psa_hmac_internal_data *hmac,
1651 uint8_t *mac,
1652 size_t mac_size )
1653{
1654 unsigned char tmp[MBEDCRYPTO_MD_MAX_SIZE];
1655 psa_algorithm_t hash_alg = hmac->hash_ctx.alg;
1656 size_t hash_size = 0;
1657 size_t block_size = psa_get_hash_block_size( hash_alg );
1658 psa_status_t status;
1659
1660 status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size );
1661 if( status != PSA_SUCCESS )
1662 return( status );
1663 /* From here on, tmp needs to be wiped. */
1664
1665 status = psa_hash_setup( &hmac->hash_ctx, hash_alg );
1666 if( status != PSA_SUCCESS )
1667 goto exit;
1668
1669 status = psa_hash_update( &hmac->hash_ctx, hmac->opad, block_size );
1670 if( status != PSA_SUCCESS )
1671 goto exit;
1672
1673 status = psa_hash_update( &hmac->hash_ctx, tmp, hash_size );
1674 if( status != PSA_SUCCESS )
1675 goto exit;
1676
1677 status = psa_hash_finish( &hmac->hash_ctx, mac, mac_size, &hash_size );
1678
1679exit:
1680 mbedcrypto_zeroize( tmp, hash_size );
1681 return( status );
1682}
1683#endif /* MBEDCRYPTO_MD_C */
1684
1685static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
1686 uint8_t *mac,
1687 size_t mac_size )
1688{
1689 if( ! operation->key_set )
1690 return( PSA_ERROR_BAD_STATE );
1691 if( operation->iv_required && ! operation->iv_set )
1692 return( PSA_ERROR_BAD_STATE );
1693
1694 if( mac_size < operation->mac_size )
1695 return( PSA_ERROR_BUFFER_TOO_SMALL );
1696
1697#if defined(MBEDCRYPTO_CMAC_C)
1698 if( operation->alg == PSA_ALG_CMAC )
1699 {
1700 int ret = mbedcrypto_cipher_cmac_finish( &operation->ctx.cmac, mac );
1701 return( mbedcrypto_to_psa_error( ret ) );
1702 }
1703 else
1704#endif /* MBEDCRYPTO_CMAC_C */
1705#if defined(MBEDCRYPTO_MD_C)
1706 if( PSA_ALG_IS_HMAC( operation->alg ) )
1707 {
1708 return( psa_hmac_finish_internal( &operation->ctx.hmac,
1709 mac, mac_size ) );
1710 }
1711 else
1712#endif /* MBEDCRYPTO_MD_C */
1713 {
1714 /* This shouldn't happen if `operation` was initialized by
1715 * a setup function. */
1716 return( PSA_ERROR_BAD_STATE );
1717 }
1718}
1719
1720psa_status_t psa_mac_sign_finish( psa_mac_operation_t *operation,
1721 uint8_t *mac,
1722 size_t mac_size,
1723 size_t *mac_length )
1724{
1725 psa_status_t status;
1726
1727 /* Fill the output buffer with something that isn't a valid mac
1728 * (barring an attack on the mac and deliberately-crafted input),
1729 * in case the caller doesn't check the return status properly. */
1730 *mac_length = mac_size;
1731 /* If mac_size is 0 then mac may be NULL and then the
1732 * call to memset would have undefined behavior. */
1733 if( mac_size != 0 )
1734 memset( mac, '!', mac_size );
1735
1736 if( ! operation->is_sign )
1737 {
1738 status = PSA_ERROR_BAD_STATE;
1739 goto cleanup;
1740 }
1741
1742 status = psa_mac_finish_internal( operation, mac, mac_size );
1743
1744cleanup:
1745 if( status == PSA_SUCCESS )
1746 {
1747 status = psa_mac_abort( operation );
1748 if( status == PSA_SUCCESS )
1749 *mac_length = operation->mac_size;
1750 else
1751 memset( mac, '!', mac_size );
1752 }
1753 else
1754 psa_mac_abort( operation );
1755 return( status );
1756}
1757
1758psa_status_t psa_mac_verify_finish( psa_mac_operation_t *operation,
1759 const uint8_t *mac,
1760 size_t mac_length )
1761{
1762 uint8_t actual_mac[PSA_MAC_MAX_SIZE];
1763 psa_status_t status;
1764
1765 if( operation->is_sign )
1766 {
1767 status = PSA_ERROR_BAD_STATE;
1768 goto cleanup;
1769 }
1770 if( operation->mac_size != mac_length )
1771 {
1772 status = PSA_ERROR_INVALID_SIGNATURE;
1773 goto cleanup;
1774 }
1775
1776 status = psa_mac_finish_internal( operation,
1777 actual_mac, sizeof( actual_mac ) );
1778
1779 if( safer_memcmp( mac, actual_mac, mac_length ) != 0 )
1780 status = PSA_ERROR_INVALID_SIGNATURE;
1781
1782cleanup:
1783 if( status == PSA_SUCCESS )
1784 status = psa_mac_abort( operation );
1785 else
1786 psa_mac_abort( operation );
1787
1788 return( status );
1789}
1790
1791
1792
1793/****************************************************************/
1794/* Asymmetric cryptography */
1795/****************************************************************/
1796
1797#if defined(MBEDCRYPTO_RSA_C)
1798/* Decode the hash algorithm from alg and store the mbedcrypto encoding in
1799 * md_alg. Verify that the hash length is acceptable. */
1800static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg,
1801 size_t hash_length,
1802 mbedcrypto_md_type_t *md_alg )
1803{
1804 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
1805 const mbedcrypto_md_info_t *md_info = mbedcrypto_md_info_from_psa( hash_alg );
1806 *md_alg = mbedcrypto_md_get_type( md_info );
1807
1808 /* The Mbed Crypto RSA module uses an unsigned int for hash length
1809 * parameters. Validate that it fits so that we don't risk an
1810 * overflow later. */
1811#if SIZE_MAX > UINT_MAX
1812 if( hash_length > UINT_MAX )
1813 return( PSA_ERROR_INVALID_ARGUMENT );
1814#endif
1815
1816#if defined(MBEDCRYPTO_PKCS1_V15)
1817 /* For PKCS#1 v1.5 signature, if using a hash, the hash length
1818 * must be correct. */
1819 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) &&
1820 alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW )
1821 {
1822 if( md_info == NULL )
1823 return( PSA_ERROR_NOT_SUPPORTED );
1824 if( mbedcrypto_md_get_size( md_info ) != hash_length )
1825 return( PSA_ERROR_INVALID_ARGUMENT );
1826 }
1827#endif /* MBEDCRYPTO_PKCS1_V15 */
1828
1829#if defined(MBEDCRYPTO_PKCS1_V21)
1830 /* PSS requires a hash internally. */
1831 if( PSA_ALG_IS_RSA_PSS( alg ) )
1832 {
1833 if( md_info == NULL )
1834 return( PSA_ERROR_NOT_SUPPORTED );
1835 }
1836#endif /* MBEDCRYPTO_PKCS1_V21 */
1837
1838 return( PSA_SUCCESS );
1839}
1840
1841static psa_status_t psa_rsa_sign( mbedcrypto_rsa_context *rsa,
1842 psa_algorithm_t alg,
1843 const uint8_t *hash,
1844 size_t hash_length,
1845 uint8_t *signature,
1846 size_t signature_size,
1847 size_t *signature_length )
1848{
1849 psa_status_t status;
1850 int ret;
1851 mbedcrypto_md_type_t md_alg;
1852
1853 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
1854 if( status != PSA_SUCCESS )
1855 return( status );
1856
1857 if( signature_size < mbedcrypto_rsa_get_len( rsa ) )
1858 return( PSA_ERROR_BUFFER_TOO_SMALL );
1859
1860#if defined(MBEDCRYPTO_PKCS1_V15)
1861 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
1862 {
1863 mbedcrypto_rsa_set_padding( rsa, MBEDCRYPTO_RSA_PKCS_V15,
1864 MBEDCRYPTO_MD_NONE );
1865 ret = mbedcrypto_rsa_pkcs1_sign( rsa,
1866 mbedcrypto_ctr_drbg_random,
1867 &global_data.ctr_drbg,
1868 MBEDCRYPTO_RSA_PRIVATE,
1869 md_alg,
1870 (unsigned int) hash_length,
1871 hash,
1872 signature );
1873 }
1874 else
1875#endif /* MBEDCRYPTO_PKCS1_V15 */
1876#if defined(MBEDCRYPTO_PKCS1_V21)
1877 if( PSA_ALG_IS_RSA_PSS( alg ) )
1878 {
1879 mbedcrypto_rsa_set_padding( rsa, MBEDCRYPTO_RSA_PKCS_V21, md_alg );
1880 ret = mbedcrypto_rsa_rsassa_pss_sign( rsa,
1881 mbedcrypto_ctr_drbg_random,
1882 &global_data.ctr_drbg,
1883 MBEDCRYPTO_RSA_PRIVATE,
1884 MBEDCRYPTO_MD_NONE,
1885 (unsigned int) hash_length,
1886 hash,
1887 signature );
1888 }
1889 else
1890#endif /* MBEDCRYPTO_PKCS1_V21 */
1891 {
1892 return( PSA_ERROR_INVALID_ARGUMENT );
1893 }
1894
1895 if( ret == 0 )
1896 *signature_length = mbedcrypto_rsa_get_len( rsa );
1897 return( mbedcrypto_to_psa_error( ret ) );
1898}
1899
1900static psa_status_t psa_rsa_verify( mbedcrypto_rsa_context *rsa,
1901 psa_algorithm_t alg,
1902 const uint8_t *hash,
1903 size_t hash_length,
1904 const uint8_t *signature,
1905 size_t signature_length )
1906{
1907 psa_status_t status;
1908 int ret;
1909 mbedcrypto_md_type_t md_alg;
1910
1911 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
1912 if( status != PSA_SUCCESS )
1913 return( status );
1914
1915 if( signature_length < mbedcrypto_rsa_get_len( rsa ) )
1916 return( PSA_ERROR_BUFFER_TOO_SMALL );
1917
1918#if defined(MBEDCRYPTO_PKCS1_V15)
1919 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
1920 {
1921 mbedcrypto_rsa_set_padding( rsa, MBEDCRYPTO_RSA_PKCS_V15,
1922 MBEDCRYPTO_MD_NONE );
1923 ret = mbedcrypto_rsa_pkcs1_verify( rsa,
1924 mbedcrypto_ctr_drbg_random,
1925 &global_data.ctr_drbg,
1926 MBEDCRYPTO_RSA_PUBLIC,
1927 md_alg,
1928 (unsigned int) hash_length,
1929 hash,
1930 signature );
1931 }
1932 else
1933#endif /* MBEDCRYPTO_PKCS1_V15 */
1934#if defined(MBEDCRYPTO_PKCS1_V21)
1935 if( PSA_ALG_IS_RSA_PSS( alg ) )
1936 {
1937 mbedcrypto_rsa_set_padding( rsa, MBEDCRYPTO_RSA_PKCS_V21, md_alg );
1938 ret = mbedcrypto_rsa_rsassa_pss_verify( rsa,
1939 mbedcrypto_ctr_drbg_random,
1940 &global_data.ctr_drbg,
1941 MBEDCRYPTO_RSA_PUBLIC,
1942 MBEDCRYPTO_MD_NONE,
1943 (unsigned int) hash_length,
1944 hash,
1945 signature );
1946 }
1947 else
1948#endif /* MBEDCRYPTO_PKCS1_V21 */
1949 {
1950 return( PSA_ERROR_INVALID_ARGUMENT );
1951 }
1952 return( mbedcrypto_to_psa_error( ret ) );
1953}
1954#endif /* MBEDCRYPTO_RSA_C */
1955
1956#if defined(MBEDCRYPTO_ECDSA_C)
1957/* `ecp` cannot be const because `ecp->grp` needs to be non-const
1958 * for mbedcrypto_ecdsa_sign() and mbedcrypto_ecdsa_sign_det()
1959 * (even though these functions don't modify it). */
1960static psa_status_t psa_ecdsa_sign( mbedcrypto_ecp_keypair *ecp,
1961 psa_algorithm_t alg,
1962 const uint8_t *hash,
1963 size_t hash_length,
1964 uint8_t *signature,
1965 size_t signature_size,
1966 size_t *signature_length )
1967{
1968 int ret;
1969 mbedcrypto_mpi r, s;
1970 size_t curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
1971 mbedcrypto_mpi_init( &r );
1972 mbedcrypto_mpi_init( &s );
1973
1974 if( signature_size < 2 * curve_bytes )
1975 {
1976 ret = MBEDCRYPTO_ERR_ECP_BUFFER_TOO_SMALL;
1977 goto cleanup;
1978 }
1979
1980 if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) )
1981 {
1982 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
1983 const mbedcrypto_md_info_t *md_info = mbedcrypto_md_info_from_psa( hash_alg );
1984 mbedcrypto_md_type_t md_alg = mbedcrypto_md_get_type( md_info );
1985 MBEDCRYPTO_MPI_CHK( mbedcrypto_ecdsa_sign_det( &ecp->grp, &r, &s, &ecp->d,
1986 hash, hash_length,
1987 md_alg ) );
1988 }
1989 else
1990 {
1991 MBEDCRYPTO_MPI_CHK( mbedcrypto_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d,
1992 hash, hash_length,
1993 mbedcrypto_ctr_drbg_random,
1994 &global_data.ctr_drbg ) );
1995 }
1996
1997 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( &r,
1998 signature,
1999 curve_bytes ) );
2000 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_write_binary( &s,
2001 signature + curve_bytes,
2002 curve_bytes ) );
2003
2004cleanup:
2005 mbedcrypto_mpi_free( &r );
2006 mbedcrypto_mpi_free( &s );
2007 if( ret == 0 )
2008 *signature_length = 2 * curve_bytes;
2009 return( mbedcrypto_to_psa_error( ret ) );
2010}
2011
2012static psa_status_t psa_ecdsa_verify( mbedcrypto_ecp_keypair *ecp,
2013 const uint8_t *hash,
2014 size_t hash_length,
2015 const uint8_t *signature,
2016 size_t signature_length )
2017{
2018 int ret;
2019 mbedcrypto_mpi r, s;
2020 size_t curve_bytes = PSA_BITS_TO_BYTES( ecp->grp.pbits );
2021 mbedcrypto_mpi_init( &r );
2022 mbedcrypto_mpi_init( &s );
2023
2024 if( signature_length != 2 * curve_bytes )
2025 return( PSA_ERROR_INVALID_SIGNATURE );
2026
2027 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_binary( &r,
2028 signature,
2029 curve_bytes ) );
2030 MBEDCRYPTO_MPI_CHK( mbedcrypto_mpi_read_binary( &s,
2031 signature + curve_bytes,
2032 curve_bytes ) );
2033
2034 ret = mbedcrypto_ecdsa_verify( &ecp->grp, hash, hash_length,
2035 &ecp->Q, &r, &s );
2036
2037cleanup:
2038 mbedcrypto_mpi_free( &r );
2039 mbedcrypto_mpi_free( &s );
2040 return( mbedcrypto_to_psa_error( ret ) );
2041}
2042#endif /* MBEDCRYPTO_ECDSA_C */
2043
2044psa_status_t psa_asymmetric_sign( psa_key_slot_t key,
2045 psa_algorithm_t alg,
2046 const uint8_t *hash,
2047 size_t hash_length,
2048 uint8_t *signature,
2049 size_t signature_size,
2050 size_t *signature_length )
2051{
2052 key_slot_t *slot;
2053 psa_status_t status;
2054
2055 *signature_length = signature_size;
2056
2057 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_SIGN, alg );
2058 if( status != PSA_SUCCESS )
2059 goto exit;
2060 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
2061 {
2062 status = PSA_ERROR_INVALID_ARGUMENT;
2063 goto exit;
2064 }
2065
2066#if defined(MBEDCRYPTO_RSA_C)
2067 if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
2068 {
2069 status = psa_rsa_sign( slot->data.rsa,
2070 alg,
2071 hash, hash_length,
2072 signature, signature_size,
2073 signature_length );
2074 }
2075 else
2076#endif /* defined(MBEDCRYPTO_RSA_C) */
2077#if defined(MBEDCRYPTO_ECP_C)
2078 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
2079 {
2080#if defined(MBEDCRYPTO_ECDSA_C)
2081 if( PSA_ALG_IS_ECDSA( alg ) )
2082 status = psa_ecdsa_sign( slot->data.ecp,
2083 alg,
2084 hash, hash_length,
2085 signature, signature_size,
2086 signature_length );
2087 else
2088#endif /* defined(MBEDCRYPTO_ECDSA_C) */
2089 {
2090 status = PSA_ERROR_INVALID_ARGUMENT;
2091 }
2092 }
2093 else
2094#endif /* defined(MBEDCRYPTO_ECP_C) */
2095 {
2096 status = PSA_ERROR_NOT_SUPPORTED;
2097 }
2098
2099exit:
2100 /* Fill the unused part of the output buffer (the whole buffer on error,
2101 * the trailing part on success) with something that isn't a valid mac
2102 * (barring an attack on the mac and deliberately-crafted input),
2103 * in case the caller doesn't check the return status properly. */
2104 if( status == PSA_SUCCESS )
2105 memset( signature + *signature_length, '!',
2106 signature_size - *signature_length );
2107 else if( signature_size != 0 )
2108 memset( signature, '!', signature_size );
2109 /* If signature_size is 0 then we have nothing to do. We must not call
2110 * memset because signature may be NULL in this case. */
2111 return( status );
2112}
2113
2114psa_status_t psa_asymmetric_verify( psa_key_slot_t key,
2115 psa_algorithm_t alg,
2116 const uint8_t *hash,
2117 size_t hash_length,
2118 const uint8_t *signature,
2119 size_t signature_length )
2120{
2121 key_slot_t *slot;
2122 psa_status_t status;
2123
2124 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_VERIFY, alg );
2125 if( status != PSA_SUCCESS )
2126 return( status );
2127
2128#if defined(MBEDCRYPTO_RSA_C)
2129 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
2130 {
2131 return( psa_rsa_verify( slot->data.rsa,
2132 alg,
2133 hash, hash_length,
2134 signature, signature_length ) );
2135 }
2136 else
2137#endif /* defined(MBEDCRYPTO_RSA_C) */
2138#if defined(MBEDCRYPTO_ECP_C)
2139 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
2140 {
2141#if defined(MBEDCRYPTO_ECDSA_C)
2142 if( PSA_ALG_IS_ECDSA( alg ) )
2143 return( psa_ecdsa_verify( slot->data.ecp,
2144 hash, hash_length,
2145 signature, signature_length ) );
2146 else
2147#endif /* defined(MBEDCRYPTO_ECDSA_C) */
2148 {
2149 return( PSA_ERROR_INVALID_ARGUMENT );
2150 }
2151 }
2152 else
2153#endif /* defined(MBEDCRYPTO_ECP_C) */
2154 {
2155 return( PSA_ERROR_NOT_SUPPORTED );
2156 }
2157}
2158
2159#if defined(MBEDCRYPTO_RSA_C) && defined(MBEDCRYPTO_PKCS1_V21)
2160static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg,
2161 mbedcrypto_rsa_context *rsa )
2162{
2163 psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH( alg );
2164 const mbedcrypto_md_info_t *md_info = mbedcrypto_md_info_from_psa( hash_alg );
2165 mbedcrypto_md_type_t md_alg = mbedcrypto_md_get_type( md_info );
2166 mbedcrypto_rsa_set_padding( rsa, MBEDCRYPTO_RSA_PKCS_V21, md_alg );
2167}
2168#endif /* defined(MBEDCRYPTO_RSA_C) && defined(MBEDCRYPTO_PKCS1_V21) */
2169
2170psa_status_t psa_asymmetric_encrypt( psa_key_slot_t key,
2171 psa_algorithm_t alg,
2172 const uint8_t *input,
2173 size_t input_length,
2174 const uint8_t *salt,
2175 size_t salt_length,
2176 uint8_t *output,
2177 size_t output_size,
2178 size_t *output_length )
2179{
2180 key_slot_t *slot;
2181 psa_status_t status;
2182
2183 (void) input;
2184 (void) input_length;
2185 (void) salt;
2186 (void) output;
2187 (void) output_size;
2188
2189 *output_length = 0;
2190
2191 if( ! PSA_ALG_IS_RSA_OAEP( alg ) && salt_length != 0 )
2192 return( PSA_ERROR_INVALID_ARGUMENT );
2193
2194 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_ENCRYPT, alg );
2195 if( status != PSA_SUCCESS )
2196 return( status );
2197 if( ! ( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) ||
2198 PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) ) )
2199 return( PSA_ERROR_INVALID_ARGUMENT );
2200
2201#if defined(MBEDCRYPTO_RSA_C)
2202 if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
2203 {
2204 mbedcrypto_rsa_context *rsa = slot->data.rsa;
2205 int ret;
2206 if( output_size < mbedcrypto_rsa_get_len( rsa ) )
2207 return( PSA_ERROR_INVALID_ARGUMENT );
2208#if defined(MBEDCRYPTO_PKCS1_V15)
2209 if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
2210 {
2211 ret = mbedcrypto_rsa_pkcs1_encrypt( rsa,
2212 mbedcrypto_ctr_drbg_random,
2213 &global_data.ctr_drbg,
2214 MBEDCRYPTO_RSA_PUBLIC,
2215 input_length,
2216 input,
2217 output );
2218 }
2219 else
2220#endif /* MBEDCRYPTO_PKCS1_V15 */
2221#if defined(MBEDCRYPTO_PKCS1_V21)
2222 if( PSA_ALG_IS_RSA_OAEP( alg ) )
2223 {
2224 psa_rsa_oaep_set_padding_mode( alg, rsa );
2225 ret = mbedcrypto_rsa_rsaes_oaep_encrypt( rsa,
2226 mbedcrypto_ctr_drbg_random,
2227 &global_data.ctr_drbg,
2228 MBEDCRYPTO_RSA_PUBLIC,
2229 salt, salt_length,
2230 input_length,
2231 input,
2232 output );
2233 }
2234 else
2235#endif /* MBEDCRYPTO_PKCS1_V21 */
2236 {
2237 return( PSA_ERROR_INVALID_ARGUMENT );
2238 }
2239 if( ret == 0 )
2240 *output_length = mbedcrypto_rsa_get_len( rsa );
2241 return( mbedcrypto_to_psa_error( ret ) );
2242 }
2243 else
2244#endif /* defined(MBEDCRYPTO_RSA_C) */
2245 {
2246 return( PSA_ERROR_NOT_SUPPORTED );
2247 }
2248}
2249
2250psa_status_t psa_asymmetric_decrypt( psa_key_slot_t key,
2251 psa_algorithm_t alg,
2252 const uint8_t *input,
2253 size_t input_length,
2254 const uint8_t *salt,
2255 size_t salt_length,
2256 uint8_t *output,
2257 size_t output_size,
2258 size_t *output_length )
2259{
2260 key_slot_t *slot;
2261 psa_status_t status;
2262
2263 (void) input;
2264 (void) input_length;
2265 (void) salt;
2266 (void) output;
2267 (void) output_size;
2268
2269 *output_length = 0;
2270
2271 if( ! PSA_ALG_IS_RSA_OAEP( alg ) && salt_length != 0 )
2272 return( PSA_ERROR_INVALID_ARGUMENT );
2273
2274 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_DECRYPT, alg );
2275 if( status != PSA_SUCCESS )
2276 return( status );
2277 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
2278 return( PSA_ERROR_INVALID_ARGUMENT );
2279
2280#if defined(MBEDCRYPTO_RSA_C)
2281 if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
2282 {
2283 mbedcrypto_rsa_context *rsa = slot->data.rsa;
2284 int ret;
2285
2286 if( input_length != mbedcrypto_rsa_get_len( rsa ) )
2287 return( PSA_ERROR_INVALID_ARGUMENT );
2288
2289#if defined(MBEDCRYPTO_PKCS1_V15)
2290 if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
2291 {
2292 ret = mbedcrypto_rsa_pkcs1_decrypt( rsa,
2293 mbedcrypto_ctr_drbg_random,
2294 &global_data.ctr_drbg,
2295 MBEDCRYPTO_RSA_PRIVATE,
2296 output_length,
2297 input,
2298 output,
2299 output_size );
2300 }
2301 else
2302#endif /* MBEDCRYPTO_PKCS1_V15 */
2303#if defined(MBEDCRYPTO_PKCS1_V21)
2304 if( PSA_ALG_IS_RSA_OAEP( alg ) )
2305 {
2306 psa_rsa_oaep_set_padding_mode( alg, rsa );
2307 ret = mbedcrypto_rsa_rsaes_oaep_decrypt( rsa,
2308 mbedcrypto_ctr_drbg_random,
2309 &global_data.ctr_drbg,
2310 MBEDCRYPTO_RSA_PRIVATE,
2311 salt, salt_length,
2312 output_length,
2313 input,
2314 output,
2315 output_size );
2316 }
2317 else
2318#endif /* MBEDCRYPTO_PKCS1_V21 */
2319 {
2320 return( PSA_ERROR_INVALID_ARGUMENT );
2321 }
2322
2323 return( mbedcrypto_to_psa_error( ret ) );
2324 }
2325 else
2326#endif /* defined(MBEDCRYPTO_RSA_C) */
2327 {
2328 return( PSA_ERROR_NOT_SUPPORTED );
2329 }
2330}
2331
2332
2333
2334/****************************************************************/
2335/* Symmetric cryptography */
2336/****************************************************************/
2337
2338/* Initialize the cipher operation structure. Once this function has been
2339 * called, psa_cipher_abort can run and will do the right thing. */
2340static psa_status_t psa_cipher_init( psa_cipher_operation_t *operation,
2341 psa_algorithm_t alg )
2342{
2343 if( ! PSA_ALG_IS_CIPHER( alg ) )
2344 {
2345 memset( operation, 0, sizeof( *operation ) );
2346 return( PSA_ERROR_INVALID_ARGUMENT );
2347 }
2348
2349 operation->alg = alg;
2350 operation->key_set = 0;
2351 operation->iv_set = 0;
2352 operation->iv_required = 1;
2353 operation->iv_size = 0;
2354 operation->block_size = 0;
2355 mbedcrypto_cipher_init( &operation->ctx.cipher );
2356 return( PSA_SUCCESS );
2357}
2358
2359static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
2360 psa_key_slot_t key,
2361 psa_algorithm_t alg,
2362 mbedcrypto_operation_t cipher_operation )
2363{
2364 int ret = MBEDCRYPTO_ERR_CIPHER_FEATURE_UNAVAILABLE;
2365 psa_status_t status;
2366 key_slot_t *slot;
2367 size_t key_bits;
2368 const mbedcrypto_cipher_info_t *cipher_info = NULL;
2369 psa_key_usage_t usage = ( cipher_operation == MBEDCRYPTO_ENCRYPT ?
2370 PSA_KEY_USAGE_ENCRYPT :
2371 PSA_KEY_USAGE_DECRYPT );
2372
2373 status = psa_cipher_init( operation, alg );
2374 if( status != PSA_SUCCESS )
2375 return( status );
2376
2377 status = psa_get_key_from_slot( key, &slot, usage, alg);
2378 if( status != PSA_SUCCESS )
2379 return( status );
2380 key_bits = psa_get_key_bits( slot );
2381
2382 cipher_info = mbedcrypto_cipher_info_from_psa( alg, slot->type, key_bits, NULL );
2383 if( cipher_info == NULL )
2384 return( PSA_ERROR_NOT_SUPPORTED );
2385
2386 ret = mbedcrypto_cipher_setup( &operation->ctx.cipher, cipher_info );
2387 if( ret != 0 )
2388 {
2389 psa_cipher_abort( operation );
2390 return( mbedcrypto_to_psa_error( ret ) );
2391 }
2392
2393#if defined(MBEDCRYPTO_DES_C)
2394 if( slot->type == PSA_KEY_TYPE_DES && key_bits == 128 )
2395 {
2396 /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
2397 unsigned char keys[24];
2398 memcpy( keys, slot->data.raw.data, 16 );
2399 memcpy( keys + 16, slot->data.raw.data, 8 );
2400 ret = mbedcrypto_cipher_setkey( &operation->ctx.cipher,
2401 keys,
2402 192, cipher_operation );
2403 }
2404 else
2405#endif
2406 {
2407 ret = mbedcrypto_cipher_setkey( &operation->ctx.cipher,
2408 slot->data.raw.data,
2409 (int) key_bits, cipher_operation );
2410 }
2411 if( ret != 0 )
2412 {
2413 psa_cipher_abort( operation );
2414 return( mbedcrypto_to_psa_error( ret ) );
2415 }
2416
2417#if defined(MBEDCRYPTO_CIPHER_MODE_WITH_PADDING)
2418 if( ( alg & ~PSA_ALG_BLOCK_CIPHER_PADDING_MASK ) == PSA_ALG_CBC_BASE )
2419 {
2420 psa_algorithm_t padding_mode = alg & PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
2421 mbedcrypto_cipher_padding_t mode;
2422
2423 switch ( padding_mode )
2424 {
2425 case PSA_ALG_BLOCK_CIPHER_PAD_PKCS7:
2426 mode = MBEDCRYPTO_PADDING_PKCS7;
2427 break;
2428 case PSA_ALG_BLOCK_CIPHER_PAD_NONE:
2429 mode = MBEDCRYPTO_PADDING_NONE;
2430 break;
2431 default:
2432 psa_cipher_abort( operation );
2433 return( PSA_ERROR_INVALID_ARGUMENT );
2434 }
2435 ret = mbedcrypto_cipher_set_padding_mode( &operation->ctx.cipher, mode );
2436 if( ret != 0 )
2437 {
2438 psa_cipher_abort( operation );
2439 return( mbedcrypto_to_psa_error( ret ) );
2440 }
2441 }
2442#endif //MBEDCRYPTO_CIPHER_MODE_WITH_PADDING
2443
2444 operation->key_set = 1;
2445 operation->block_size = ( PSA_ALG_IS_BLOCK_CIPHER( alg ) ?
2446 PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type ) :
2447 1 );
2448 if( PSA_ALG_IS_BLOCK_CIPHER( alg ) || alg == PSA_ALG_CTR )
2449 {
2450 operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type );
2451 }
2452
2453 return( PSA_SUCCESS );
2454}
2455
2456psa_status_t psa_cipher_encrypt_setup( psa_cipher_operation_t *operation,
2457 psa_key_slot_t key,
2458 psa_algorithm_t alg )
2459{
2460 return( psa_cipher_setup( operation, key, alg, MBEDCRYPTO_ENCRYPT ) );
2461}
2462
2463psa_status_t psa_cipher_decrypt_setup( psa_cipher_operation_t *operation,
2464 psa_key_slot_t key,
2465 psa_algorithm_t alg )
2466{
2467 return( psa_cipher_setup( operation, key, alg, MBEDCRYPTO_DECRYPT ) );
2468}
2469
2470psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation,
2471 unsigned char *iv,
2472 size_t iv_size,
2473 size_t *iv_length )
2474{
2475 int ret = PSA_SUCCESS;
2476 if( operation->iv_set || ! operation->iv_required )
2477 return( PSA_ERROR_BAD_STATE );
2478 if( iv_size < operation->iv_size )
2479 {
2480 ret = PSA_ERROR_BUFFER_TOO_SMALL;
2481 goto exit;
2482 }
2483 ret = mbedcrypto_ctr_drbg_random( &global_data.ctr_drbg,
2484 iv, operation->iv_size );
2485 if( ret != 0 )
2486 {
2487 ret = mbedcrypto_to_psa_error( ret );
2488 goto exit;
2489 }
2490
2491 *iv_length = operation->iv_size;
2492 ret = psa_cipher_set_iv( operation, iv, *iv_length );
2493
2494exit:
2495 if( ret != PSA_SUCCESS )
2496 psa_cipher_abort( operation );
2497 return( ret );
2498}
2499
2500psa_status_t psa_cipher_set_iv( psa_cipher_operation_t *operation,
2501 const unsigned char *iv,
2502 size_t iv_length )
2503{
2504 int ret = PSA_SUCCESS;
2505 if( operation->iv_set || ! operation->iv_required )
2506 return( PSA_ERROR_BAD_STATE );
2507 if( iv_length != operation->iv_size )
2508 {
2509 psa_cipher_abort( operation );
2510 return( PSA_ERROR_INVALID_ARGUMENT );
2511 }
2512 ret = mbedcrypto_cipher_set_iv( &operation->ctx.cipher, iv, iv_length );
2513 if( ret != 0 )
2514 {
2515 psa_cipher_abort( operation );
2516 return( mbedcrypto_to_psa_error( ret ) );
2517 }
2518
2519 operation->iv_set = 1;
2520
2521 return( PSA_SUCCESS );
2522}
2523
2524psa_status_t psa_cipher_update( psa_cipher_operation_t *operation,
2525 const uint8_t *input,
2526 size_t input_length,
2527 unsigned char *output,
2528 size_t output_size,
2529 size_t *output_length )
2530{
2531 int ret = MBEDCRYPTO_ERR_CIPHER_FEATURE_UNAVAILABLE;
2532 size_t expected_output_size;
2533 if( PSA_ALG_IS_BLOCK_CIPHER( operation->alg ) )
2534 {
2535 /* Take the unprocessed partial block left over from previous
2536 * update calls, if any, plus the input to this call. Remove
2537 * the last partial block, if any. You get the data that will be
2538 * output in this call. */
2539 expected_output_size =
2540 ( operation->ctx.cipher.unprocessed_len + input_length )
2541 / operation->block_size * operation->block_size;
2542 }
2543 else
2544 {
2545 expected_output_size = input_length;
2546 }
2547 if( output_size < expected_output_size )
2548 return( PSA_ERROR_BUFFER_TOO_SMALL );
2549
2550 ret = mbedcrypto_cipher_update( &operation->ctx.cipher, input,
2551 input_length, output, output_length );
2552 if( ret != 0 )
2553 {
2554 psa_cipher_abort( operation );
2555 return( mbedcrypto_to_psa_error( ret ) );
2556 }
2557
2558 return( PSA_SUCCESS );
2559}
2560
2561psa_status_t psa_cipher_finish( psa_cipher_operation_t *operation,
2562 uint8_t *output,
2563 size_t output_size,
2564 size_t *output_length )
2565{
2566 psa_status_t status = PSA_ERROR_UNKNOWN_ERROR;
2567 int cipher_ret = MBEDCRYPTO_ERR_CIPHER_FEATURE_UNAVAILABLE;
2568 uint8_t temp_output_buffer[MBEDCRYPTO_MAX_BLOCK_LENGTH];
2569
2570 if( ! operation->key_set )
2571 {
2572 status = PSA_ERROR_BAD_STATE;
2573 goto error;
2574 }
2575 if( operation->iv_required && ! operation->iv_set )
2576 {
2577 status = PSA_ERROR_BAD_STATE;
2578 goto error;
2579 }
2580 if( operation->ctx.cipher.operation == MBEDCRYPTO_ENCRYPT &&
2581 PSA_ALG_IS_BLOCK_CIPHER( operation->alg ) )
2582 {
2583 psa_algorithm_t padding_mode =
2584 operation->alg & PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
2585 if( operation->ctx.cipher.unprocessed_len >= operation->block_size )
2586 {
2587 status = PSA_ERROR_TAMPERING_DETECTED;
2588 goto error;
2589 }
2590 if( padding_mode == PSA_ALG_BLOCK_CIPHER_PAD_NONE )
2591 {
2592 if( operation->ctx.cipher.unprocessed_len != 0 )
2593 {
2594 status = PSA_ERROR_INVALID_ARGUMENT;
2595 goto error;
2596 }
2597 }
2598 }
2599
2600 cipher_ret = mbedcrypto_cipher_finish( &operation->ctx.cipher,
2601 temp_output_buffer,
2602 output_length );
2603 if( cipher_ret != 0 )
2604 {
2605 status = mbedcrypto_to_psa_error( cipher_ret );
2606 goto error;
2607 }
2608
2609 if( *output_length == 0 )
2610 ; /* Nothing to copy. Note that output may be NULL in this case. */
2611 else if( output_size >= *output_length )
2612 memcpy( output, temp_output_buffer, *output_length );
2613 else
2614 {
2615 status = PSA_ERROR_BUFFER_TOO_SMALL;
2616 goto error;
2617 }
2618
2619 mbedcrypto_zeroize( temp_output_buffer, sizeof( temp_output_buffer ) );
2620 status = psa_cipher_abort( operation );
2621
2622 return( status );
2623
2624error:
2625
2626 *output_length = 0;
2627
2628 mbedcrypto_zeroize( temp_output_buffer, sizeof( temp_output_buffer ) );
2629 (void) psa_cipher_abort( operation );
2630
2631 return( status );
2632}
2633
2634psa_status_t psa_cipher_abort( psa_cipher_operation_t *operation )
2635{
2636 if( operation->alg == 0 )
2637 {
2638 /* The object has (apparently) been initialized but it is not
2639 * in use. It's ok to call abort on such an object, and there's
2640 * nothing to do. */
2641 return( PSA_SUCCESS );
2642 }
2643
2644 /* Sanity check (shouldn't happen: operation->alg should
2645 * always have been initialized to a valid value). */
2646 if( ! PSA_ALG_IS_CIPHER( operation->alg ) )
2647 return( PSA_ERROR_BAD_STATE );
2648
2649 mbedcrypto_cipher_free( &operation->ctx.cipher );
2650
2651 operation->alg = 0;
2652 operation->key_set = 0;
2653 operation->iv_set = 0;
2654 operation->iv_size = 0;
2655 operation->block_size = 0;
2656 operation->iv_required = 0;
2657
2658 return( PSA_SUCCESS );
2659}
2660
2661
2662
2663/****************************************************************/
2664/* Key Policy */
2665/****************************************************************/
2666
2667#if !defined(MBEDCRYPTO_PSA_CRYPTO_SPM)
2668void psa_key_policy_init( psa_key_policy_t *policy )
2669{
2670 memset( policy, 0, sizeof( *policy ) );
2671}
2672
2673void psa_key_policy_set_usage( psa_key_policy_t *policy,
2674 psa_key_usage_t usage,
2675 psa_algorithm_t alg )
2676{
2677 policy->usage = usage;
2678 policy->alg = alg;
2679}
2680
2681psa_key_usage_t psa_key_policy_get_usage( const psa_key_policy_t *policy )
2682{
2683 return( policy->usage );
2684}
2685
2686psa_algorithm_t psa_key_policy_get_algorithm( const psa_key_policy_t *policy )
2687{
2688 return( policy->alg );
2689}
2690#endif /* !defined(MBEDCRYPTO_PSA_CRYPTO_SPM) */
2691
2692psa_status_t psa_set_key_policy( psa_key_slot_t key,
2693 const psa_key_policy_t *policy )
2694{
2695 key_slot_t *slot;
2696 psa_status_t status;
2697
2698 if( policy == NULL )
2699 return( PSA_ERROR_INVALID_ARGUMENT );
2700
2701 status = psa_get_empty_key_slot( key, &slot );
2702 if( status != PSA_SUCCESS )
2703 return( status );
2704
2705 if( ( policy->usage & ~( PSA_KEY_USAGE_EXPORT |
2706 PSA_KEY_USAGE_ENCRYPT |
2707 PSA_KEY_USAGE_DECRYPT |
2708 PSA_KEY_USAGE_SIGN |
2709 PSA_KEY_USAGE_VERIFY |
2710 PSA_KEY_USAGE_DERIVE ) ) != 0 )
2711 return( PSA_ERROR_INVALID_ARGUMENT );
2712
2713 slot->policy = *policy;
2714
2715 return( PSA_SUCCESS );
2716}
2717
2718psa_status_t psa_get_key_policy( psa_key_slot_t key,
2719 psa_key_policy_t *policy )
2720{
2721 key_slot_t *slot;
2722 psa_status_t status;
2723
2724 if( policy == NULL )
2725 return( PSA_ERROR_INVALID_ARGUMENT );
2726
2727 status = psa_get_key_slot( key, &slot );
2728 if( status != PSA_SUCCESS )
2729 return( status );
2730
2731 *policy = slot->policy;
2732
2733 return( PSA_SUCCESS );
2734}
2735
2736
2737
2738/****************************************************************/
2739/* Key Lifetime */
2740/****************************************************************/
2741
2742psa_status_t psa_get_key_lifetime( psa_key_slot_t key,
2743 psa_key_lifetime_t *lifetime )
2744{
2745 key_slot_t *slot;
2746 psa_status_t status;
2747
2748 status = psa_get_key_slot( key, &slot );
2749 if( status != PSA_SUCCESS )
2750 return( status );
2751
2752 *lifetime = slot->lifetime;
2753
2754 return( PSA_SUCCESS );
2755}
2756
2757psa_status_t psa_set_key_lifetime( psa_key_slot_t key,
2758 psa_key_lifetime_t lifetime )
2759{
2760 key_slot_t *slot;
2761 psa_status_t status;
2762
2763 if( lifetime != PSA_KEY_LIFETIME_VOLATILE &&
2764 lifetime != PSA_KEY_LIFETIME_PERSISTENT &&
2765 lifetime != PSA_KEY_LIFETIME_WRITE_ONCE)
2766 return( PSA_ERROR_INVALID_ARGUMENT );
2767
2768 status = psa_get_empty_key_slot( key, &slot );
2769 if( status != PSA_SUCCESS )
2770 return( status );
2771
2772 if( lifetime != PSA_KEY_LIFETIME_VOLATILE )
2773 return( PSA_ERROR_NOT_SUPPORTED );
2774
2775 slot->lifetime = lifetime;
2776
2777 return( PSA_SUCCESS );
2778}
2779
2780
2781
2782/****************************************************************/
2783/* AEAD */
2784/****************************************************************/
2785
2786psa_status_t psa_aead_encrypt( psa_key_slot_t key,
2787 psa_algorithm_t alg,
2788 const uint8_t *nonce,
2789 size_t nonce_length,
2790 const uint8_t *additional_data,
2791 size_t additional_data_length,
2792 const uint8_t *plaintext,
2793 size_t plaintext_length,
2794 uint8_t *ciphertext,
2795 size_t ciphertext_size,
2796 size_t *ciphertext_length )
2797{
2798 int ret;
2799 psa_status_t status;
2800 key_slot_t *slot;
2801 size_t key_bits;
2802 uint8_t *tag;
2803 size_t tag_length;
2804 mbedcrypto_cipher_id_t cipher_id;
2805 const mbedcrypto_cipher_info_t *cipher_info = NULL;
2806
2807 *ciphertext_length = 0;
2808
2809 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_ENCRYPT, alg );
2810 if( status != PSA_SUCCESS )
2811 return( status );
2812 key_bits = psa_get_key_bits( slot );
2813
2814 cipher_info = mbedcrypto_cipher_info_from_psa( alg, slot->type,
2815 key_bits, &cipher_id );
2816 if( cipher_info == NULL )
2817 return( PSA_ERROR_NOT_SUPPORTED );
2818
2819 if( ( slot->type & PSA_KEY_TYPE_CATEGORY_MASK ) !=
2820 PSA_KEY_TYPE_CATEGORY_SYMMETRIC )
2821 return( PSA_ERROR_INVALID_ARGUMENT );
2822
2823 if( alg == PSA_ALG_GCM )
2824 {
2825 mbedcrypto_gcm_context gcm;
2826 tag_length = 16;
2827
2828 if( PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type ) != 16 )
2829 return( PSA_ERROR_INVALID_ARGUMENT );
2830
2831 //make sure we have place to hold the tag in the ciphertext buffer
2832 if( ciphertext_size < ( plaintext_length + tag_length ) )
2833 return( PSA_ERROR_BUFFER_TOO_SMALL );
2834
2835 //update the tag pointer to point to the end of the ciphertext_length
2836 tag = ciphertext + plaintext_length;
2837
2838 mbedcrypto_gcm_init( &gcm );
2839 ret = mbedcrypto_gcm_setkey( &gcm, cipher_id,
2840 slot->data.raw.data,
2841 (unsigned int) key_bits );
2842 if( ret != 0 )
2843 {
2844 mbedcrypto_gcm_free( &gcm );
2845 return( mbedcrypto_to_psa_error( ret ) );
2846 }
2847 ret = mbedcrypto_gcm_crypt_and_tag( &gcm, MBEDCRYPTO_GCM_ENCRYPT,
2848 plaintext_length, nonce,
2849 nonce_length, additional_data,
2850 additional_data_length, plaintext,
2851 ciphertext, tag_length, tag );
2852 mbedcrypto_gcm_free( &gcm );
2853 }
2854 else if( alg == PSA_ALG_CCM )
2855 {
2856 mbedcrypto_ccm_context ccm;
2857 tag_length = 16;
2858
2859 if( PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type ) != 16 )
2860 return( PSA_ERROR_INVALID_ARGUMENT );
2861
2862 if( nonce_length < 7 || nonce_length > 13 )
2863 return( PSA_ERROR_INVALID_ARGUMENT );
2864
2865 //make sure we have place to hold the tag in the ciphertext buffer
2866 if( ciphertext_size < ( plaintext_length + tag_length ) )
2867 return( PSA_ERROR_BUFFER_TOO_SMALL );
2868
2869 //update the tag pointer to point to the end of the ciphertext_length
2870 tag = ciphertext + plaintext_length;
2871
2872 mbedcrypto_ccm_init( &ccm );
2873 ret = mbedcrypto_ccm_setkey( &ccm, cipher_id,
2874 slot->data.raw.data,
2875 (unsigned int) key_bits );
2876 if( ret != 0 )
2877 {
2878 mbedcrypto_ccm_free( &ccm );
2879 return( mbedcrypto_to_psa_error( ret ) );
2880 }
2881 ret = mbedcrypto_ccm_encrypt_and_tag( &ccm, plaintext_length,
2882 nonce, nonce_length,
2883 additional_data,
2884 additional_data_length,
2885 plaintext, ciphertext,
2886 tag, tag_length );
2887 mbedcrypto_ccm_free( &ccm );
2888 }
2889 else
2890 {
2891 return( PSA_ERROR_NOT_SUPPORTED );
2892 }
2893
2894 if( ret != 0 )
2895 {
2896 /* If ciphertext_size is 0 then ciphertext may be NULL and then the
2897 * call to memset would have undefined behavior. */
2898 if( ciphertext_size != 0 )
2899 memset( ciphertext, 0, ciphertext_size );
2900 return( mbedcrypto_to_psa_error( ret ) );
2901 }
2902
2903 *ciphertext_length = plaintext_length + tag_length;
2904 return( PSA_SUCCESS );
2905}
2906
2907/* Locate the tag in a ciphertext buffer containing the encrypted data
2908 * followed by the tag. Return the length of the part preceding the tag in
2909 * *plaintext_length. This is the size of the plaintext in modes where
2910 * the encrypted data has the same size as the plaintext, such as
2911 * CCM and GCM. */
2912static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
2913 const uint8_t *ciphertext,
2914 size_t ciphertext_length,
2915 size_t plaintext_size,
2916 const uint8_t **p_tag )
2917{
2918 size_t payload_length;
2919 if( tag_length > ciphertext_length )
2920 return( PSA_ERROR_INVALID_ARGUMENT );
2921 payload_length = ciphertext_length - tag_length;
2922 if( payload_length > plaintext_size )
2923 return( PSA_ERROR_BUFFER_TOO_SMALL );
2924 *p_tag = ciphertext + payload_length;
2925 return( PSA_SUCCESS );
2926}
2927
2928psa_status_t psa_aead_decrypt( psa_key_slot_t key,
2929 psa_algorithm_t alg,
2930 const uint8_t *nonce,
2931 size_t nonce_length,
2932 const uint8_t *additional_data,
2933 size_t additional_data_length,
2934 const uint8_t *ciphertext,
2935 size_t ciphertext_length,
2936 uint8_t *plaintext,
2937 size_t plaintext_size,
2938 size_t *plaintext_length )
2939{
2940 int ret;
2941 psa_status_t status;
2942 key_slot_t *slot;
2943 size_t key_bits;
2944 const uint8_t *tag;
2945 size_t tag_length;
2946 mbedcrypto_cipher_id_t cipher_id;
2947 const mbedcrypto_cipher_info_t *cipher_info = NULL;
2948
2949 *plaintext_length = 0;
2950
2951 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_DECRYPT, alg );
2952 if( status != PSA_SUCCESS )
2953 return( status );
2954 key_bits = psa_get_key_bits( slot );
2955
2956 cipher_info = mbedcrypto_cipher_info_from_psa( alg, slot->type,
2957 key_bits, &cipher_id );
2958 if( cipher_info == NULL )
2959 return( PSA_ERROR_NOT_SUPPORTED );
2960
2961 if( ( slot->type & PSA_KEY_TYPE_CATEGORY_MASK ) !=
2962 PSA_KEY_TYPE_CATEGORY_SYMMETRIC )
2963 return( PSA_ERROR_INVALID_ARGUMENT );
2964
2965 if( alg == PSA_ALG_GCM )
2966 {
2967 mbedcrypto_gcm_context gcm;
2968
2969 tag_length = 16;
2970 status = psa_aead_unpadded_locate_tag( tag_length,
2971 ciphertext, ciphertext_length,
2972 plaintext_size, &tag );
2973 if( status != PSA_SUCCESS )
2974 return( status );
2975
2976 mbedcrypto_gcm_init( &gcm );
2977 ret = mbedcrypto_gcm_setkey( &gcm, cipher_id,
2978 slot->data.raw.data,
2979 (unsigned int) key_bits );
2980 if( ret != 0 )
2981 {
2982 mbedcrypto_gcm_free( &gcm );
2983 return( mbedcrypto_to_psa_error( ret ) );
2984 }
2985
2986 ret = mbedcrypto_gcm_auth_decrypt( &gcm,
2987 ciphertext_length - tag_length,
2988 nonce, nonce_length,
2989 additional_data,
2990 additional_data_length,
2991 tag, tag_length,
2992 ciphertext, plaintext );
2993 mbedcrypto_gcm_free( &gcm );
2994 }
2995 else if( alg == PSA_ALG_CCM )
2996 {
2997 mbedcrypto_ccm_context ccm;
2998
2999 if( nonce_length < 7 || nonce_length > 13 )
3000 return( PSA_ERROR_INVALID_ARGUMENT );
3001
3002 tag_length = 16;
3003 status = psa_aead_unpadded_locate_tag( tag_length,
3004 ciphertext, ciphertext_length,
3005 plaintext_size, &tag );
3006 if( status != PSA_SUCCESS )
3007 return( status );
3008
3009 mbedcrypto_ccm_init( &ccm );
3010 ret = mbedcrypto_ccm_setkey( &ccm, cipher_id,
3011 slot->data.raw.data,
3012 (unsigned int) key_bits );
3013 if( ret != 0 )
3014 {
3015 mbedcrypto_ccm_free( &ccm );
3016 return( mbedcrypto_to_psa_error( ret ) );
3017 }
3018 ret = mbedcrypto_ccm_auth_decrypt( &ccm, ciphertext_length - tag_length,
3019 nonce, nonce_length,
3020 additional_data,
3021 additional_data_length,
3022 ciphertext, plaintext,
3023 tag, tag_length );
3024 mbedcrypto_ccm_free( &ccm );
3025 }
3026 else
3027 {
3028 return( PSA_ERROR_NOT_SUPPORTED );
3029 }
3030
3031 if( ret != 0 )
3032 {
3033 /* If plaintext_size is 0 then plaintext may be NULL and then the
3034 * call to memset has undefined behavior. */
3035 if( plaintext_size != 0 )
3036 memset( plaintext, 0, plaintext_size );
3037 }
3038 else
3039 *plaintext_length = ciphertext_length - tag_length;
3040
3041 return( mbedcrypto_to_psa_error( ret ) );
3042}
3043
3044
3045
3046/****************************************************************/
3047/* Generators */
3048/****************************************************************/
3049
3050psa_status_t psa_generator_abort( psa_crypto_generator_t *generator )
3051{
3052 psa_status_t status = PSA_SUCCESS;
3053 if( generator->alg == 0 )
3054 {
3055 /* The object has (apparently) been initialized but it is not
3056 * in use. It's ok to call abort on such an object, and there's
3057 * nothing to do. */
3058 }
3059 else
3060#if defined(MBEDCRYPTO_MD_C)
3061 if( PSA_ALG_IS_HKDF( generator->alg ) )
3062 {
3063 mbedcrypto_free( generator->ctx.hkdf.info );
3064 status = psa_hmac_abort_internal( &generator->ctx.hkdf.hmac );
3065 }
3066 else
3067#endif /* MBEDCRYPTO_MD_C */
3068 {
3069 status = PSA_ERROR_BAD_STATE;
3070 }
3071 memset( generator, 0, sizeof( *generator ) );
3072 return( status );
3073}
3074
3075
3076psa_status_t psa_get_generator_capacity(const psa_crypto_generator_t *generator,
3077 size_t *capacity)
3078{
3079 *capacity = generator->capacity;
3080 return( PSA_SUCCESS );
3081}
3082
3083#if defined(MBEDCRYPTO_MD_C)
3084/* Read some bytes from an HKDF-based generator. This performs a chunk
3085 * of the expand phase of the HKDF algorithm. */
3086static psa_status_t psa_generator_hkdf_read( psa_hkdf_generator_t *hkdf,
3087 psa_algorithm_t hash_alg,
3088 uint8_t *output,
3089 size_t output_length )
3090{
3091 uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
3092 psa_status_t status;
3093
3094 while( output_length != 0 )
3095 {
3096 /* Copy what remains of the current block */
3097 uint8_t n = hash_length - hkdf->offset_in_block;
3098 if( n > output_length )
3099 n = (uint8_t) output_length;
3100 memcpy( output, hkdf->output_block + hkdf->offset_in_block, n );
3101 output += n;
3102 output_length -= n;
3103 hkdf->offset_in_block += n;
3104 if( output_length == 0 )
3105 break;
3106 /* We can't be wanting more output after block 0xff, otherwise
3107 * the capacity check in psa_generator_read() would have
3108 * prevented this call. It could happen only if the generator
3109 * object was corrupted or if this function is called directly
3110 * inside the library. */
3111 if( hkdf->block_number == 0xff )
3112 return( PSA_ERROR_BAD_STATE );
3113
3114 /* We need a new block */
3115 ++hkdf->block_number;
3116 hkdf->offset_in_block = 0;
3117 status = psa_hmac_setup_internal( &hkdf->hmac,
3118 hkdf->prk, hash_length,
3119 hash_alg );
3120 if( status != PSA_SUCCESS )
3121 return( status );
3122 if( hkdf->block_number != 1 )
3123 {
3124 status = psa_hash_update( &hkdf->hmac.hash_ctx,
3125 hkdf->output_block,
3126 hash_length );
3127 if( status != PSA_SUCCESS )
3128 return( status );
3129 }
3130 status = psa_hash_update( &hkdf->hmac.hash_ctx,
3131 hkdf->info,
3132 hkdf->info_length );
3133 if( status != PSA_SUCCESS )
3134 return( status );
3135 status = psa_hash_update( &hkdf->hmac.hash_ctx,
3136 &hkdf->block_number, 1 );
3137 if( status != PSA_SUCCESS )
3138 return( status );
3139 status = psa_hmac_finish_internal( &hkdf->hmac,
3140 hkdf->output_block,
3141 sizeof( hkdf->output_block ) );
3142 if( status != PSA_SUCCESS )
3143 return( status );
3144 }
3145
3146 return( PSA_SUCCESS );
3147}
3148#endif /* MBEDCRYPTO_MD_C */
3149
3150psa_status_t psa_generator_read( psa_crypto_generator_t *generator,
3151 uint8_t *output,
3152 size_t output_length )
3153{
3154 psa_status_t status;
3155
3156 if( output_length > generator->capacity )
3157 {
3158 generator->capacity = 0;
3159 /* Go through the error path to wipe all confidential data now
3160 * that the generator object is useless. */
3161 status = PSA_ERROR_INSUFFICIENT_CAPACITY;
3162 goto exit;
3163 }
3164 if( output_length == 0 &&
3165 generator->capacity == 0 && generator->alg == 0 )
3166 {
3167 /* Edge case: this is a blank or finished generator, and 0
3168 * bytes were requested. The right error in this case could
3169 * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
3170 * INSUFFICIENT_CAPACITY, which is right for a finished
3171 * generator, for consistency with the case when
3172 * output_length > 0. */
3173 return( PSA_ERROR_INSUFFICIENT_CAPACITY );
3174 }
3175 generator->capacity -= output_length;
3176
3177#if defined(MBEDCRYPTO_MD_C)
3178 if( PSA_ALG_IS_HKDF( generator->alg ) )
3179 {
3180 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( generator->alg );
3181 status = psa_generator_hkdf_read( &generator->ctx.hkdf, hash_alg,
3182 output, output_length );
3183 }
3184 else
3185#endif /* MBEDCRYPTO_MD_C */
3186 {
3187 return( PSA_ERROR_BAD_STATE );
3188 }
3189
3190exit:
3191 if( status != PSA_SUCCESS )
3192 {
3193 psa_generator_abort( generator );
3194 memset( output, '!', output_length );
3195 }
3196 return( status );
3197}
3198
3199#if defined(MBEDCRYPTO_DES_C)
3200static void psa_des_set_key_parity( uint8_t *data, size_t data_size )
3201{
3202 if( data_size >= 8 )
3203 mbedcrypto_des_key_set_parity( data );
3204 if( data_size >= 16 )
3205 mbedcrypto_des_key_set_parity( data + 8 );
3206 if( data_size >= 24 )
3207 mbedcrypto_des_key_set_parity( data + 16 );
3208}
3209#endif /* MBEDCRYPTO_DES_C */
3210
3211psa_status_t psa_generator_import_key( psa_key_slot_t key,
3212 psa_key_type_t type,
3213 size_t bits,
3214 psa_crypto_generator_t *generator )
3215{
3216 uint8_t *data = NULL;
3217 size_t bytes = PSA_BITS_TO_BYTES( bits );
3218 psa_status_t status;
3219
3220 if( ! key_type_is_raw_bytes( type ) )
3221 return( PSA_ERROR_INVALID_ARGUMENT );
3222 if( bits % 8 != 0 )
3223 return( PSA_ERROR_INVALID_ARGUMENT );
3224 data = mbedcrypto_calloc( 1, bytes );
3225 if( data == NULL )
3226 return( PSA_ERROR_INSUFFICIENT_MEMORY );
3227
3228 status = psa_generator_read( generator, data, bytes );
3229 if( status != PSA_SUCCESS )
3230 goto exit;
3231#if defined(MBEDCRYPTO_DES_C)
3232 if( type == PSA_KEY_TYPE_DES )
3233 psa_des_set_key_parity( data, bytes );
3234#endif /* MBEDCRYPTO_DES_C */
3235 status = psa_import_key( key, type, data, bytes );
3236
3237exit:
3238 mbedcrypto_free( data );
3239 return( status );
3240}
3241
3242
3243
3244/****************************************************************/
3245/* Key derivation */
3246/****************************************************************/
3247
3248/* Set up an HKDF-based generator. This is exactly the extract phase
3249 * of the HKDF algorithm. */
3250static psa_status_t psa_generator_hkdf_setup( psa_hkdf_generator_t *hkdf,
3251 key_slot_t *slot,
3252 psa_algorithm_t hash_alg,
3253 const uint8_t *salt,
3254 size_t salt_length,
3255 const uint8_t *label,
3256 size_t label_length )
3257{
3258 psa_status_t status;
3259 status = psa_hmac_setup_internal( &hkdf->hmac,
3260 salt, salt_length,
3261 PSA_ALG_HMAC_HASH( hash_alg ) );
3262 if( status != PSA_SUCCESS )
3263 return( status );
3264 status = psa_hash_update( &hkdf->hmac.hash_ctx,
3265 slot->data.raw.data,
3266 slot->data.raw.bytes );
3267 if( status != PSA_SUCCESS )
3268 return( status );
3269 status = psa_hmac_finish_internal( &hkdf->hmac,
3270 hkdf->prk,
3271 sizeof( hkdf->prk ) );
3272 if( status != PSA_SUCCESS )
3273 return( status );
3274 hkdf->offset_in_block = PSA_HASH_SIZE( hash_alg );
3275 hkdf->block_number = 0;
3276 hkdf->info_length = label_length;
3277 if( label_length != 0 )
3278 {
3279 hkdf->info = mbedcrypto_calloc( 1, label_length );
3280 if( hkdf->info == NULL )
3281 return( PSA_ERROR_INSUFFICIENT_MEMORY );
3282 memcpy( hkdf->info, label, label_length );
3283 }
3284 return( PSA_SUCCESS );
3285}
3286
3287psa_status_t psa_key_derivation( psa_crypto_generator_t *generator,
3288 psa_key_slot_t key,
3289 psa_algorithm_t alg,
3290 const uint8_t *salt,
3291 size_t salt_length,
3292 const uint8_t *label,
3293 size_t label_length,
3294 size_t capacity )
3295{
3296 key_slot_t *slot;
3297 psa_status_t status;
3298
3299 if( generator->alg != 0 )
3300 return( PSA_ERROR_BAD_STATE );
3301
3302 status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_DERIVE, alg );
3303 if( status != PSA_SUCCESS )
3304 return( status );
3305 if( slot->type != PSA_KEY_TYPE_DERIVE )
3306 return( PSA_ERROR_INVALID_ARGUMENT );
3307
3308 if( ! PSA_ALG_IS_KEY_DERIVATION( alg ) )
3309 return( PSA_ERROR_INVALID_ARGUMENT );
3310
3311#if defined(MBEDCRYPTO_MD_C)
3312 if( PSA_ALG_IS_HKDF( alg ) )
3313 {
3314 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg );
3315 size_t hash_size = PSA_HASH_SIZE( hash_alg );
3316 if( hash_size == 0 )
3317 return( PSA_ERROR_NOT_SUPPORTED );
3318 if( capacity > 255 * hash_size )
3319 return( PSA_ERROR_INVALID_ARGUMENT );
3320 status = psa_generator_hkdf_setup( &generator->ctx.hkdf,
3321 slot,
3322 hash_alg,
3323 salt, salt_length,
3324 label, label_length );
3325 }
3326 else
3327#endif
3328 {
3329 return( PSA_ERROR_NOT_SUPPORTED );
3330 }
3331
3332 /* Set generator->alg even on failure so that abort knows what to do. */
3333 generator->alg = alg;
3334 if( status == PSA_SUCCESS )
3335 generator->capacity = capacity;
3336 else
3337 psa_generator_abort( generator );
3338 return( status );
3339}
3340
3341
3342
3343/****************************************************************/
3344/* Random generation */
3345/****************************************************************/
3346
3347psa_status_t psa_generate_random( uint8_t *output,
3348 size_t output_size )
3349{
3350 int ret = mbedcrypto_ctr_drbg_random( &global_data.ctr_drbg,
3351 output, output_size );
3352 return( mbedcrypto_to_psa_error( ret ) );
3353}
3354
3355psa_status_t psa_generate_key( psa_key_slot_t key,
3356 psa_key_type_t type,
3357 size_t bits,
3358 const void *extra,
3359 size_t extra_size )
3360{
3361 key_slot_t *slot;
3362 psa_status_t status;
3363
3364 if( extra == NULL && extra_size != 0 )
3365 return( PSA_ERROR_INVALID_ARGUMENT );
3366
3367 status = psa_get_empty_key_slot( key, &slot );
3368 if( status != PSA_SUCCESS )
3369 return( status );
3370
3371 if( key_type_is_raw_bytes( type ) )
3372 {
3373 status = prepare_raw_data_slot( type, bits, &slot->data.raw );
3374 if( status != PSA_SUCCESS )
3375 return( status );
3376 status = psa_generate_random( slot->data.raw.data,
3377 slot->data.raw.bytes );
3378 if( status != PSA_SUCCESS )
3379 {
3380 mbedcrypto_free( slot->data.raw.data );
3381 return( status );
3382 }
3383#if defined(MBEDCRYPTO_DES_C)
3384 if( type == PSA_KEY_TYPE_DES )
3385 psa_des_set_key_parity( slot->data.raw.data,
3386 slot->data.raw.bytes );
3387#endif /* MBEDCRYPTO_DES_C */
3388 }
3389 else
3390
3391#if defined(MBEDCRYPTO_RSA_C) && defined(MBEDCRYPTO_GENPRIME)
3392 if ( type == PSA_KEY_TYPE_RSA_KEYPAIR )
3393 {
3394 mbedcrypto_rsa_context *rsa;
3395 int ret;
3396 int exponent = 65537;
3397 if( bits > PSA_VENDOR_RSA_MAX_KEY_BITS )
3398 return( PSA_ERROR_NOT_SUPPORTED );
3399 if( extra != NULL )
3400 {
3401 const psa_generate_key_extra_rsa *p = extra;
3402 if( extra_size != sizeof( *p ) )
3403 return( PSA_ERROR_INVALID_ARGUMENT );
3404#if INT_MAX < 0xffffffff
3405 /* Check that the uint32_t value passed by the caller fits
3406 * in the range supported by this implementation. */
3407 if( p->e > INT_MAX )
3408 return( PSA_ERROR_NOT_SUPPORTED );
3409#endif
3410 exponent = p->e;
3411 }
3412 rsa = mbedcrypto_calloc( 1, sizeof( *rsa ) );
3413 if( rsa == NULL )
3414 return( PSA_ERROR_INSUFFICIENT_MEMORY );
3415 mbedcrypto_rsa_init( rsa, MBEDCRYPTO_RSA_PKCS_V15, MBEDCRYPTO_MD_NONE );
3416 ret = mbedcrypto_rsa_gen_key( rsa,
3417 mbedcrypto_ctr_drbg_random,
3418 &global_data.ctr_drbg,
3419 (unsigned int) bits,
3420 exponent );
3421 if( ret != 0 )
3422 {
3423 mbedcrypto_rsa_free( rsa );
3424 mbedcrypto_free( rsa );
3425 return( mbedcrypto_to_psa_error( ret ) );
3426 }
3427 slot->data.rsa = rsa;
3428 }
3429 else
3430#endif /* MBEDCRYPTO_RSA_C && MBEDCRYPTO_GENPRIME */
3431
3432#if defined(MBEDCRYPTO_ECP_C)
3433 if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEYPAIR( type ) )
3434 {
3435 psa_ecc_curve_t curve = PSA_KEY_TYPE_GET_CURVE( type );
3436 mbedcrypto_ecp_group_id grp_id = mbedcrypto_ecc_group_of_psa( curve );
3437 const mbedcrypto_ecp_curve_info *curve_info =
3438 mbedcrypto_ecp_curve_info_from_grp_id( grp_id );
3439 mbedcrypto_ecp_keypair *ecp;
3440 int ret;
3441 if( extra != NULL )
3442 return( PSA_ERROR_NOT_SUPPORTED );
3443 if( grp_id == MBEDCRYPTO_ECP_DP_NONE || curve_info == NULL )
3444 return( PSA_ERROR_NOT_SUPPORTED );
3445 if( curve_info->bit_size != bits )
3446 return( PSA_ERROR_INVALID_ARGUMENT );
3447 ecp = mbedcrypto_calloc( 1, sizeof( *ecp ) );
3448 if( ecp == NULL )
3449 return( PSA_ERROR_INSUFFICIENT_MEMORY );
3450 mbedcrypto_ecp_keypair_init( ecp );
3451 ret = mbedcrypto_ecp_gen_key( grp_id, ecp,
3452 mbedcrypto_ctr_drbg_random,
3453 &global_data.ctr_drbg );
3454 if( ret != 0 )
3455 {
3456 mbedcrypto_ecp_keypair_free( ecp );
3457 mbedcrypto_free( ecp );
3458 return( mbedcrypto_to_psa_error( ret ) );
3459 }
3460 slot->data.ecp = ecp;
3461 }
3462 else
3463#endif /* MBEDCRYPTO_ECP_C */
3464
3465 return( PSA_ERROR_NOT_SUPPORTED );
3466
3467 slot->type = type;
3468 return( PSA_SUCCESS );
3469}
3470
3471
3472/****************************************************************/
3473/* Module setup */
3474/****************************************************************/
3475
3476void mbedcrypto_psa_crypto_free( void )
3477{
3478 psa_key_slot_t key;
3479 for( key = 1; key <= PSA_KEY_SLOT_COUNT; key++ )
3480 psa_destroy_key( key );
3481 mbedcrypto_ctr_drbg_free( &global_data.ctr_drbg );
3482 mbedcrypto_entropy_free( &global_data.entropy );
3483 mbedcrypto_zeroize( &global_data, sizeof( global_data ) );
3484}
3485
3486psa_status_t psa_crypto_init( void )
3487{
3488 int ret;
3489 const unsigned char drbg_seed[] = "PSA";
3490
3491 if( global_data.initialized != 0 )
3492 return( PSA_SUCCESS );
3493
3494 mbedcrypto_zeroize( &global_data, sizeof( global_data ) );
3495 mbedcrypto_entropy_init( &global_data.entropy );
3496 mbedcrypto_ctr_drbg_init( &global_data.ctr_drbg );
3497
3498 ret = mbedcrypto_ctr_drbg_seed( &global_data.ctr_drbg,
3499 mbedcrypto_entropy_func,
3500 &global_data.entropy,
3501 drbg_seed, sizeof( drbg_seed ) - 1 );
3502 if( ret != 0 )
3503 goto exit;
3504
3505 global_data.initialized = 1;
3506
3507exit:
3508 if( ret != 0 )
3509 mbedcrypto_psa_crypto_free( );
3510 return( mbedcrypto_to_psa_error( ret ) );
3511}
3512
3513#endif /* MBEDCRYPTO_PSA_CRYPTO_C */