TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2d2778650b04edb0791217ce6c31c42f1844d092 / . / library / psa_crypto.c
blob: 954895910f12d76773be7e37fd95bb606cbb647d [file] [log] [blame]
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1/*
2 * PSA crypto layer on top of Mbed TLS crypto
3 */
4/* Copyright (C) 2018, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_PSA_CRYPTO_C)
29
30#include "psa/crypto.h"
31
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]32#include <stdlib.h>
33#include <string.h>
34#if defined(MBEDTLS_PLATFORM_C)
35#include "mbedtls/platform.h"
36#else
37#define mbedtls_calloc calloc
38#define mbedtls_free free
39#endif
40
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]41#include "mbedtls/arc4.h"
42#include "mbedtls/blowfish.h"
43#include "mbedtls/camellia.h"
44#include "mbedtls/cipher.h"
45#include "mbedtls/ccm.h"
46#include "mbedtls/cmac.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]47#include "mbedtls/ctr_drbg.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]48#include "mbedtls/des.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]49#include "mbedtls/ecp.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]50#include "mbedtls/entropy.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]51#include "mbedtls/error.h"
52#include "mbedtls/gcm.h"
53#include "mbedtls/md2.h"
54#include "mbedtls/md4.h"
55#include "mbedtls/md5.h"
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]56#include "mbedtls/md.h"
57#include "mbedtls/md_internal.h"
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]58#include "mbedtls/pk.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]59#include "mbedtls/pk_internal.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]60#include "mbedtls/ripemd160.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]61#include "mbedtls/rsa.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]62#include "mbedtls/sha1.h"
63#include "mbedtls/sha256.h"
64#include "mbedtls/sha512.h"
65#include "mbedtls/xtea.h"
66
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]67
68
69/* Implementation that should never be optimized out by the compiler */
70static void mbedtls_zeroize( void *v, size_t n )
71{
72 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
73}
74
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]75/* constant-time buffer comparison */
76static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n )
77{
78 size_t i;
79 unsigned char diff = 0;
80
81 for( i = 0; i < n; i++ )
82 diff |= a[i] ^ b[i];
83
84 return( diff );
85}
86
87
88
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]89/****************************************************************/
90/* Global data, support functions and library management */
91/****************************************************************/
92
93/* Number of key slots (plus one because 0 is not used).
94 * The value is a compile-time constant for now, for simplicity. */
95#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
96
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]97typedef struct
98{
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]99 psa_key_type_t type;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]100 psa_key_policy_t policy;
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]101 psa_key_lifetime_t lifetime;
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]102 union
103 {
104 struct raw_data
105 {
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]106 uint8_t *data;
107 size_t bytes;
108 } raw;
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]109#if defined(MBEDTLS_RSA_C)
110 mbedtls_rsa_context *rsa;
111#endif /* MBEDTLS_RSA_C */
112#if defined(MBEDTLS_ECP_C)
113 mbedtls_ecp_keypair *ecp;
114#endif /* MBEDTLS_ECP_C */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]115 } data;
116} key_slot_t;
117
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]118typedef struct
119{
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]120 int initialized;
121 mbedtls_entropy_context entropy;
122 mbedtls_ctr_drbg_context ctr_drbg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]123 key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]124} psa_global_data_t;
125
126static psa_global_data_t global_data;
127
128static psa_status_t mbedtls_to_psa_error( int ret )
129{
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]130 /* If there's both a high-level code and low-level code, dispatch on
131 * the high-level code. */
132 switch( ret < -0x7f ? - ( -ret & 0x7f80 ) : ret )
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]133 {
134 case 0:
135 return( PSA_SUCCESS );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]136
137 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
138 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
139 case MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE:
140 return( PSA_ERROR_NOT_SUPPORTED );
141 case MBEDTLS_ERR_AES_HW_ACCEL_FAILED:
142 return( PSA_ERROR_HARDWARE_FAILURE );
143
144 case MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED:
145 return( PSA_ERROR_HARDWARE_FAILURE );
146
147 case MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH:
148 case MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH:
149 return( PSA_ERROR_NOT_SUPPORTED );
150 case MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED:
151 return( PSA_ERROR_HARDWARE_FAILURE );
152
153 case MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH:
154 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
155 return( PSA_ERROR_NOT_SUPPORTED );
156 case MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED:
157 return( PSA_ERROR_HARDWARE_FAILURE );
158
159 case MBEDTLS_ERR_CCM_BAD_INPUT:
160 return( PSA_ERROR_INVALID_ARGUMENT );
161 case MBEDTLS_ERR_CCM_AUTH_FAILED:
162 return( PSA_ERROR_INVALID_SIGNATURE );
163 case MBEDTLS_ERR_CCM_HW_ACCEL_FAILED:
164 return( PSA_ERROR_HARDWARE_FAILURE );
165
166 case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
167 return( PSA_ERROR_NOT_SUPPORTED );
168 case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
169 return( PSA_ERROR_INVALID_ARGUMENT );
170 case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
171 return( PSA_ERROR_INSUFFICIENT_MEMORY );
172 case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
173 return( PSA_ERROR_INVALID_PADDING );
174 case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
175 return( PSA_ERROR_BAD_STATE );
176 case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
177 return( PSA_ERROR_INVALID_SIGNATURE );
178 case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
179 return( PSA_ERROR_TAMPERING_DETECTED );
180 case MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED:
181 return( PSA_ERROR_HARDWARE_FAILURE );
182
183 case MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED:
184 return( PSA_ERROR_HARDWARE_FAILURE );
185
186 case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
187 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
188 case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
189 case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
190 return( PSA_ERROR_NOT_SUPPORTED );
191 case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
192 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
193
194 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
195 return( PSA_ERROR_NOT_SUPPORTED );
196 case MBEDTLS_ERR_DES_HW_ACCEL_FAILED:
197 return( PSA_ERROR_HARDWARE_FAILURE );
198
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]199 case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
200 case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
201 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
202 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]203
204 case MBEDTLS_ERR_GCM_AUTH_FAILED:
205 return( PSA_ERROR_INVALID_SIGNATURE );
206 case MBEDTLS_ERR_GCM_BAD_INPUT:
207 return( PSA_ERROR_NOT_SUPPORTED );
208 case MBEDTLS_ERR_GCM_HW_ACCEL_FAILED:
209 return( PSA_ERROR_HARDWARE_FAILURE );
210
211 case MBEDTLS_ERR_MD2_HW_ACCEL_FAILED:
212 case MBEDTLS_ERR_MD4_HW_ACCEL_FAILED:
213 case MBEDTLS_ERR_MD5_HW_ACCEL_FAILED:
214 return( PSA_ERROR_HARDWARE_FAILURE );
215
216 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
217 return( PSA_ERROR_NOT_SUPPORTED );
218 case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
219 return( PSA_ERROR_INVALID_ARGUMENT );
220 case MBEDTLS_ERR_MD_ALLOC_FAILED:
221 return( PSA_ERROR_INSUFFICIENT_MEMORY );
222 case MBEDTLS_ERR_MD_FILE_IO_ERROR:
223 return( PSA_ERROR_STORAGE_FAILURE );
224 case MBEDTLS_ERR_MD_HW_ACCEL_FAILED:
225 return( PSA_ERROR_HARDWARE_FAILURE );
226
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]227 case MBEDTLS_ERR_PK_ALLOC_FAILED:
228 return( PSA_ERROR_INSUFFICIENT_MEMORY );
229 case MBEDTLS_ERR_PK_TYPE_MISMATCH:
230 case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
231 return( PSA_ERROR_INVALID_ARGUMENT );
232 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]233 return( PSA_ERROR_STORAGE_FAILURE );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]234 case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
235 case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
236 return( PSA_ERROR_INVALID_ARGUMENT );
237 case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
238 return( PSA_ERROR_NOT_SUPPORTED );
239 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
240 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
241 return( PSA_ERROR_NOT_PERMITTED );
242 case MBEDTLS_ERR_PK_INVALID_PUBKEY:
243 return( PSA_ERROR_INVALID_ARGUMENT );
244 case MBEDTLS_ERR_PK_INVALID_ALG:
245 case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
246 case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
247 return( PSA_ERROR_NOT_SUPPORTED );
248 case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
249 return( PSA_ERROR_INVALID_SIGNATURE );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]250 case MBEDTLS_ERR_PK_HW_ACCEL_FAILED:
251 return( PSA_ERROR_HARDWARE_FAILURE );
252
253 case MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED:
254 return( PSA_ERROR_HARDWARE_FAILURE );
255
256 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
257 return( PSA_ERROR_INVALID_ARGUMENT );
258 case MBEDTLS_ERR_RSA_INVALID_PADDING:
259 return( PSA_ERROR_INVALID_PADDING );
260 case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
261 return( PSA_ERROR_HARDWARE_FAILURE );
262 case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
263 return( PSA_ERROR_INVALID_ARGUMENT );
264 case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
265 case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
266 return( PSA_ERROR_TAMPERING_DETECTED );
267 case MBEDTLS_ERR_RSA_VERIFY_FAILED:
268 return( PSA_ERROR_INVALID_SIGNATURE );
269 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
270 return( PSA_ERROR_BUFFER_TOO_SMALL );
271 case MBEDTLS_ERR_RSA_RNG_FAILED:
272 return( PSA_ERROR_INSUFFICIENT_MEMORY );
273 case MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:
274 return( PSA_ERROR_NOT_SUPPORTED );
275 case MBEDTLS_ERR_RSA_HW_ACCEL_FAILED:
276 return( PSA_ERROR_HARDWARE_FAILURE );
277
278 case MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED:
279 case MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED:
280 case MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED:
281 return( PSA_ERROR_HARDWARE_FAILURE );
282
283 case MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH:
284 return( PSA_ERROR_INVALID_ARGUMENT );
285 case MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED:
286 return( PSA_ERROR_HARDWARE_FAILURE );
287
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]288 case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
itayzafrir7b30f8b2018-05-09 16:07:36 +0300[diff] [blame]289 case MBEDTLS_ERR_ECP_INVALID_KEY:
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]290 return( PSA_ERROR_INVALID_ARGUMENT );
itayzafrir7b30f8b2018-05-09 16:07:36 +0300[diff] [blame]291 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
292 return( PSA_ERROR_BUFFER_TOO_SMALL );
293 case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
294 return( PSA_ERROR_NOT_SUPPORTED );
295 case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
296 case MBEDTLS_ERR_ECP_VERIFY_FAILED:
297 return( PSA_ERROR_INVALID_SIGNATURE );
298 case MBEDTLS_ERR_ECP_ALLOC_FAILED:
299 return( PSA_ERROR_INSUFFICIENT_MEMORY );
300 case MBEDTLS_ERR_ECP_HW_ACCEL_FAILED:
301 return( PSA_ERROR_HARDWARE_FAILURE );
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]302
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]303 default:
304 return( PSA_ERROR_UNKNOWN_ERROR );
305 }
306}
307
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]308/****************************************************************/
309/* Key management */
310/****************************************************************/
311
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]312psa_status_t psa_import_key( psa_key_slot_t key,
313 psa_key_type_t type,
314 const uint8_t *data,
315 size_t data_length )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]316{
317 key_slot_t *slot;
318
319 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
320 return( PSA_ERROR_INVALID_ARGUMENT );
321 slot = &global_data.key_slots[key];
322 if( slot->type != PSA_KEY_TYPE_NONE )
323 return( PSA_ERROR_OCCUPIED_SLOT );
324
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]325 if( PSA_KEY_TYPE_IS_RAW_BYTES( type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]326 {
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]327 /* Ensure that a bytes-to-bit conversion won't overflow. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]328 if( data_length > SIZE_MAX / 8 )
329 return( PSA_ERROR_NOT_SUPPORTED );
330 slot->data.raw.data = mbedtls_calloc( 1, data_length );
331 if( slot->data.raw.data == NULL )
332 return( PSA_ERROR_INSUFFICIENT_MEMORY );
333 memcpy( slot->data.raw.data, data, data_length );
334 slot->data.raw.bytes = data_length;
335 }
336 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]337#if defined(MBEDTLS_PK_PARSE_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]338 if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
339 type == PSA_KEY_TYPE_RSA_KEYPAIR ||
340 PSA_KEY_TYPE_IS_ECC( type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]341 {
342 int ret;
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]343 mbedtls_pk_context pk;
344 mbedtls_pk_init( &pk );
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]345 if( PSA_KEY_TYPE_IS_KEYPAIR( type ) )
346 ret = mbedtls_pk_parse_key( &pk, data, data_length, NULL, 0 );
347 else
348 ret = mbedtls_pk_parse_public_key( &pk, data, data_length );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]349 if( ret != 0 )
350 return( mbedtls_to_psa_error( ret ) );
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]351 switch( mbedtls_pk_get_type( &pk ) )
352 {
353#if defined(MBEDTLS_RSA_C)
354 case MBEDTLS_PK_RSA:
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]355 if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
356 type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]357 slot->data.rsa = pk.pk_ctx;
358 else
359 return( PSA_ERROR_INVALID_ARGUMENT );
360 break;
361#endif /* MBEDTLS_RSA_C */
362#if defined(MBEDTLS_ECP_C)
363 case MBEDTLS_PK_ECKEY:
364 if( PSA_KEY_TYPE_IS_ECC( type ) )
365 {
366 // TODO: check curve
367 slot->data.ecp = pk.pk_ctx;
368 }
369 else
370 return( PSA_ERROR_INVALID_ARGUMENT );
371 break;
372#endif /* MBEDTLS_ECP_C */
373 default:
374 return( PSA_ERROR_INVALID_ARGUMENT );
375 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]376 }
377 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]378#endif /* defined(MBEDTLS_PK_PARSE_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]379 {
380 return( PSA_ERROR_NOT_SUPPORTED );
381 }
382
383 slot->type = type;
384 return( PSA_SUCCESS );
385}
386
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]387psa_status_t psa_destroy_key( psa_key_slot_t key )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]388{
389 key_slot_t *slot;
390
391 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
392 return( PSA_ERROR_INVALID_ARGUMENT );
393 slot = &global_data.key_slots[key];
394 if( slot->type == PSA_KEY_TYPE_NONE )
Gilles Peskine154bd952018-04-19 08:38:16 +0200[diff] [blame]395 {
396 /* No key material to clean, but do zeroize the slot below to wipe
397 * metadata such as policies. */
398 }
399 else if( PSA_KEY_TYPE_IS_RAW_BYTES( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]400 {
401 mbedtls_free( slot->data.raw.data );
402 }
403 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]404#if defined(MBEDTLS_RSA_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]405 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
406 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]407 {
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]408 mbedtls_rsa_free( slot->data.rsa );
Gilles Peskine3c6e9702018-03-07 16:42:44 +0100[diff] [blame]409 mbedtls_free( slot->data.rsa );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]410 }
411 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]412#endif /* defined(MBEDTLS_RSA_C) */
413#if defined(MBEDTLS_ECP_C)
414 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
415 {
416 mbedtls_ecp_keypair_free( slot->data.ecp );
Gilles Peskine3c6e9702018-03-07 16:42:44 +0100[diff] [blame]417 mbedtls_free( slot->data.ecp );
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]418 }
419 else
420#endif /* defined(MBEDTLS_ECP_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]421 {
422 /* Shouldn't happen: the key type is not any type that we
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]423 * put in. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]424 return( PSA_ERROR_TAMPERING_DETECTED );
425 }
426
427 mbedtls_zeroize( slot, sizeof( *slot ) );
428 return( PSA_SUCCESS );
429}
430
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]431psa_status_t psa_get_key_information( psa_key_slot_t key,
432 psa_key_type_t *type,
433 size_t *bits )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]434{
435 key_slot_t *slot;
436
437 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]438 return( PSA_ERROR_EMPTY_SLOT );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]439 slot = &global_data.key_slots[key];
440 if( type != NULL )
441 *type = slot->type;
442 if( bits != NULL )
443 *bits = 0;
444 if( slot->type == PSA_KEY_TYPE_NONE )
445 return( PSA_ERROR_EMPTY_SLOT );
446
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]447 if( PSA_KEY_TYPE_IS_RAW_BYTES( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]448 {
449 if( bits != NULL )
450 *bits = slot->data.raw.bytes * 8;
451 }
452 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]453#if defined(MBEDTLS_RSA_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]454 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
455 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]456 {
457 if( bits != NULL )
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]458 *bits = mbedtls_rsa_get_bitlen( slot->data.rsa );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]459 }
460 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]461#endif /* defined(MBEDTLS_RSA_C) */
462#if defined(MBEDTLS_ECP_C)
463 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
464 {
465 if( bits != NULL )
466 *bits = slot->data.ecp->grp.pbits;
467 }
468 else
469#endif /* defined(MBEDTLS_ECP_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]470 {
471 /* Shouldn't happen: the key type is not any type that we
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]472 * put in. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]473 return( PSA_ERROR_TAMPERING_DETECTED );
474 }
475
476 return( PSA_SUCCESS );
477}
478
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]479static psa_status_t psa_internal_export_key( psa_key_slot_t key,
480 uint8_t *data,
481 size_t data_size,
482 size_t *data_length,
483 int export_public_key )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]484{
485 key_slot_t *slot;
486
487 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]488 return( PSA_ERROR_EMPTY_SLOT );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]489 slot = &global_data.key_slots[key];
490 if( slot->type == PSA_KEY_TYPE_NONE )
491 return( PSA_ERROR_EMPTY_SLOT );
492
Moran Peker87567632018-06-04 18:41:37 +0300[diff] [blame]493 if( export_public_key && ( !( PSA_KEY_TYPE_IS_ASYMMETRIC( slot->type ) ) ) )
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]494 return( PSA_ERROR_INVALID_ARGUMENT );
mohammad160306e79202018-03-28 13:17:44 +0300[diff] [blame]495
Moran Peker87567632018-06-04 18:41:37 +0300[diff] [blame]496 if( ( !export_public_key ) && ( !( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) ) ) &&
497 ( !( slot->policy.usage & PSA_KEY_USAGE_EXPORT ) ) )
498 return( PSA_ERROR_NOT_PERMITTED );
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]499
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]500 if( PSA_KEY_TYPE_IS_RAW_BYTES( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]501 {
502 if( slot->data.raw.bytes > data_size )
503 return( PSA_ERROR_BUFFER_TOO_SMALL );
504 memcpy( data, slot->data.raw.data, slot->data.raw.bytes );
505 *data_length = slot->data.raw.bytes;
506 return( PSA_SUCCESS );
507 }
508 else
Moran Peker17e36e12018-05-02 12:55:20 +0300[diff] [blame]509 {
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]510#if defined(MBEDTLS_PK_WRITE_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]511 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]512 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR ||
513 PSA_KEY_TYPE_IS_ECC( slot->type ) )
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]514 {
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]515 mbedtls_pk_context pk;
516 int ret;
517 mbedtls_pk_init( &pk );
518 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
519 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
520 {
521 pk.pk_info = &mbedtls_rsa_info;
522 pk.pk_ctx = slot->data.rsa;
523 }
524 else
525 {
526 pk.pk_info = &mbedtls_eckey_info;
527 pk.pk_ctx = slot->data.ecp;
528 }
Moran Pekerd7326592018-05-29 16:56:39 +0300[diff] [blame]529 if( export_public_key || PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) )
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]530 ret = mbedtls_pk_write_pubkey_der( &pk, data, data_size );
Moran Peker17e36e12018-05-02 12:55:20 +0300[diff] [blame]531 else
532 ret = mbedtls_pk_write_key_der( &pk, data, data_size );
Moran Peker60364322018-04-29 11:34:58 +0300[diff] [blame]533 if( ret < 0 )
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]534 return( mbedtls_to_psa_error( ret ) );
535 *data_length = ret;
536 return( PSA_SUCCESS );
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]537 }
538 else
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame]539#endif /* defined(MBEDTLS_PK_WRITE_C) */
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]540 {
541 /* This shouldn't happen in the reference implementation, but
Gilles Peskine785fd552018-06-04 15:08:56 +0200[diff] [blame]542 it is valid for a special-purpose implementation to omit
543 support for exporting certain key types. */
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]544 return( PSA_ERROR_NOT_SUPPORTED );
545 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]546 }
547}
548
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]549psa_status_t psa_export_key( psa_key_slot_t key,
550 uint8_t *data,
551 size_t data_size,
552 size_t *data_length )
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]553{
554 return psa_internal_export_key( key, data, data_size,
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]555 data_length, 0 );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]556}
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]557
558
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]559psa_status_t psa_export_public_key( psa_key_slot_t key,
560 uint8_t *data,
561 size_t data_size,
562 size_t *data_length )
Moran Pekerdd4ea382018-04-03 15:30:03 +0300[diff] [blame]563{
Moran Pekera998bc62018-04-16 18:16:20 +0300[diff] [blame]564 return psa_internal_export_key( key, data, data_size,
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]565 data_length, 1 );
Moran Pekerdd4ea382018-04-03 15:30:03 +0300[diff] [blame]566}
567
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]568/****************************************************************/
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]569/* Message digests */
570/****************************************************************/
571
Gilles Peskinedc2fc842018-03-07 16:42:59 +0100[diff] [blame]572static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]573{
574 switch( alg )
575 {
576#if defined(MBEDTLS_MD2_C)
577 case PSA_ALG_MD2:
578 return( &mbedtls_md2_info );
579#endif
580#if defined(MBEDTLS_MD4_C)
581 case PSA_ALG_MD4:
582 return( &mbedtls_md4_info );
583#endif
584#if defined(MBEDTLS_MD5_C)
585 case PSA_ALG_MD5:
586 return( &mbedtls_md5_info );
587#endif
588#if defined(MBEDTLS_RIPEMD160_C)
589 case PSA_ALG_RIPEMD160:
590 return( &mbedtls_ripemd160_info );
591#endif
592#if defined(MBEDTLS_SHA1_C)
593 case PSA_ALG_SHA_1:
594 return( &mbedtls_sha1_info );
595#endif
596#if defined(MBEDTLS_SHA256_C)
597 case PSA_ALG_SHA_224:
598 return( &mbedtls_sha224_info );
599 case PSA_ALG_SHA_256:
600 return( &mbedtls_sha256_info );
601#endif
602#if defined(MBEDTLS_SHA512_C)
603 case PSA_ALG_SHA_384:
604 return( &mbedtls_sha384_info );
605 case PSA_ALG_SHA_512:
606 return( &mbedtls_sha512_info );
607#endif
608 default:
609 return( NULL );
610 }
611}
612
613#if 0
614static psa_algorithm_t mbedtls_md_alg_to_psa( mbedtls_md_type_t md_alg )
615{
616 switch( md_alg )
617 {
618 case MBEDTLS_MD_NONE:
619 return( 0 );
620 case MBEDTLS_MD_MD2:
621 return( PSA_ALG_MD2 );
622 case MBEDTLS_MD_MD4:
623 return( PSA_ALG_MD4 );
624 case MBEDTLS_MD_MD5:
625 return( PSA_ALG_MD5 );
626 case MBEDTLS_MD_SHA1:
627 return( PSA_ALG_SHA_1 );
628 case MBEDTLS_MD_SHA224:
629 return( PSA_ALG_SHA_224 );
630 case MBEDTLS_MD_SHA256:
631 return( PSA_ALG_SHA_256 );
632 case MBEDTLS_MD_SHA384:
633 return( PSA_ALG_SHA_384 );
634 case MBEDTLS_MD_SHA512:
635 return( PSA_ALG_SHA_512 );
636 case MBEDTLS_MD_RIPEMD160:
637 return( PSA_ALG_RIPEMD160 );
638 default:
Gilles Peskine47c1bc02018-03-20 17:55:04 +0100[diff] [blame]639 return( 0 );
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]640 }
641}
642#endif
643
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]644psa_status_t psa_hash_abort( psa_hash_operation_t *operation )
645{
646 switch( operation->alg )
647 {
648#if defined(MBEDTLS_MD2_C)
649 case PSA_ALG_MD2:
650 mbedtls_md2_free( &operation->ctx.md2 );
651 break;
652#endif
653#if defined(MBEDTLS_MD4_C)
654 case PSA_ALG_MD4:
655 mbedtls_md4_free( &operation->ctx.md4 );
656 break;
657#endif
658#if defined(MBEDTLS_MD5_C)
659 case PSA_ALG_MD5:
660 mbedtls_md5_free( &operation->ctx.md5 );
661 break;
662#endif
663#if defined(MBEDTLS_RIPEMD160_C)
664 case PSA_ALG_RIPEMD160:
665 mbedtls_ripemd160_free( &operation->ctx.ripemd160 );
666 break;
667#endif
668#if defined(MBEDTLS_SHA1_C)
669 case PSA_ALG_SHA_1:
670 mbedtls_sha1_free( &operation->ctx.sha1 );
671 break;
672#endif
673#if defined(MBEDTLS_SHA256_C)
674 case PSA_ALG_SHA_224:
675 case PSA_ALG_SHA_256:
676 mbedtls_sha256_free( &operation->ctx.sha256 );
677 break;
678#endif
679#if defined(MBEDTLS_SHA512_C)
680 case PSA_ALG_SHA_384:
681 case PSA_ALG_SHA_512:
682 mbedtls_sha512_free( &operation->ctx.sha512 );
683 break;
684#endif
685 default:
686 return( PSA_ERROR_NOT_SUPPORTED );
687 }
688 operation->alg = 0;
689 return( PSA_SUCCESS );
690}
691
692psa_status_t psa_hash_start( psa_hash_operation_t *operation,
693 psa_algorithm_t alg )
694{
695 int ret;
696 operation->alg = 0;
697 switch( alg )
698 {
699#if defined(MBEDTLS_MD2_C)
700 case PSA_ALG_MD2:
701 mbedtls_md2_init( &operation->ctx.md2 );
702 ret = mbedtls_md2_starts_ret( &operation->ctx.md2 );
703 break;
704#endif
705#if defined(MBEDTLS_MD4_C)
706 case PSA_ALG_MD4:
707 mbedtls_md4_init( &operation->ctx.md4 );
708 ret = mbedtls_md4_starts_ret( &operation->ctx.md4 );
709 break;
710#endif
711#if defined(MBEDTLS_MD5_C)
712 case PSA_ALG_MD5:
713 mbedtls_md5_init( &operation->ctx.md5 );
714 ret = mbedtls_md5_starts_ret( &operation->ctx.md5 );
715 break;
716#endif
717#if defined(MBEDTLS_RIPEMD160_C)
718 case PSA_ALG_RIPEMD160:
719 mbedtls_ripemd160_init( &operation->ctx.ripemd160 );
720 ret = mbedtls_ripemd160_starts_ret( &operation->ctx.ripemd160 );
721 break;
722#endif
723#if defined(MBEDTLS_SHA1_C)
724 case PSA_ALG_SHA_1:
725 mbedtls_sha1_init( &operation->ctx.sha1 );
726 ret = mbedtls_sha1_starts_ret( &operation->ctx.sha1 );
727 break;
728#endif
729#if defined(MBEDTLS_SHA256_C)
730 case PSA_ALG_SHA_224:
731 mbedtls_sha256_init( &operation->ctx.sha256 );
732 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 1 );
733 break;
734 case PSA_ALG_SHA_256:
735 mbedtls_sha256_init( &operation->ctx.sha256 );
736 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 0 );
737 break;
738#endif
739#if defined(MBEDTLS_SHA512_C)
740 case PSA_ALG_SHA_384:
741 mbedtls_sha512_init( &operation->ctx.sha512 );
742 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 1 );
743 break;
744 case PSA_ALG_SHA_512:
745 mbedtls_sha512_init( &operation->ctx.sha512 );
746 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 0 );
747 break;
748#endif
749 default:
750 return( PSA_ERROR_NOT_SUPPORTED );
751 }
752 if( ret == 0 )
753 operation->alg = alg;
754 else
755 psa_hash_abort( operation );
756 return( mbedtls_to_psa_error( ret ) );
757}
758
759psa_status_t psa_hash_update( psa_hash_operation_t *operation,
760 const uint8_t *input,
761 size_t input_length )
762{
763 int ret;
764 switch( operation->alg )
765 {
766#if defined(MBEDTLS_MD2_C)
767 case PSA_ALG_MD2:
768 ret = mbedtls_md2_update_ret( &operation->ctx.md2,
769 input, input_length );
770 break;
771#endif
772#if defined(MBEDTLS_MD4_C)
773 case PSA_ALG_MD4:
774 ret = mbedtls_md4_update_ret( &operation->ctx.md4,
775 input, input_length );
776 break;
777#endif
778#if defined(MBEDTLS_MD5_C)
779 case PSA_ALG_MD5:
780 ret = mbedtls_md5_update_ret( &operation->ctx.md5,
781 input, input_length );
782 break;
783#endif
784#if defined(MBEDTLS_RIPEMD160_C)
785 case PSA_ALG_RIPEMD160:
786 ret = mbedtls_ripemd160_update_ret( &operation->ctx.ripemd160,
787 input, input_length );
788 break;
789#endif
790#if defined(MBEDTLS_SHA1_C)
791 case PSA_ALG_SHA_1:
792 ret = mbedtls_sha1_update_ret( &operation->ctx.sha1,
793 input, input_length );
794 break;
795#endif
796#if defined(MBEDTLS_SHA256_C)
797 case PSA_ALG_SHA_224:
798 case PSA_ALG_SHA_256:
799 ret = mbedtls_sha256_update_ret( &operation->ctx.sha256,
800 input, input_length );
801 break;
802#endif
803#if defined(MBEDTLS_SHA512_C)
804 case PSA_ALG_SHA_384:
805 case PSA_ALG_SHA_512:
806 ret = mbedtls_sha512_update_ret( &operation->ctx.sha512,
807 input, input_length );
808 break;
809#endif
810 default:
811 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
812 break;
813 }
814 if( ret != 0 )
815 psa_hash_abort( operation );
816 return( mbedtls_to_psa_error( ret ) );
817}
818
819psa_status_t psa_hash_finish( psa_hash_operation_t *operation,
820 uint8_t *hash,
821 size_t hash_size,
822 size_t *hash_length )
823{
824 int ret;
Gilles Peskine71bb7b72018-04-19 08:29:59 +0200[diff] [blame]825 size_t actual_hash_length = PSA_HASH_SIZE( operation->alg );
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]826
827 /* Fill the output buffer with something that isn't a valid hash
828 * (barring an attack on the hash and deliberately-crafted input),
829 * in case the caller doesn't check the return status properly. */
830 *hash_length = actual_hash_length;
831 memset( hash, '!', hash_size );
832
833 if( hash_size < actual_hash_length )
834 return( PSA_ERROR_BUFFER_TOO_SMALL );
835
836 switch( operation->alg )
837 {
838#if defined(MBEDTLS_MD2_C)
839 case PSA_ALG_MD2:
840 ret = mbedtls_md2_finish_ret( &operation->ctx.md2, hash );
841 break;
842#endif
843#if defined(MBEDTLS_MD4_C)
844 case PSA_ALG_MD4:
845 ret = mbedtls_md4_finish_ret( &operation->ctx.md4, hash );
846 break;
847#endif
848#if defined(MBEDTLS_MD5_C)
849 case PSA_ALG_MD5:
850 ret = mbedtls_md5_finish_ret( &operation->ctx.md5, hash );
851 break;
852#endif
853#if defined(MBEDTLS_RIPEMD160_C)
854 case PSA_ALG_RIPEMD160:
855 ret = mbedtls_ripemd160_finish_ret( &operation->ctx.ripemd160, hash );
856 break;
857#endif
858#if defined(MBEDTLS_SHA1_C)
859 case PSA_ALG_SHA_1:
860 ret = mbedtls_sha1_finish_ret( &operation->ctx.sha1, hash );
861 break;
862#endif
863#if defined(MBEDTLS_SHA256_C)
864 case PSA_ALG_SHA_224:
865 case PSA_ALG_SHA_256:
866 ret = mbedtls_sha256_finish_ret( &operation->ctx.sha256, hash );
867 break;
868#endif
869#if defined(MBEDTLS_SHA512_C)
870 case PSA_ALG_SHA_384:
871 case PSA_ALG_SHA_512:
872 ret = mbedtls_sha512_finish_ret( &operation->ctx.sha512, hash );
873 break;
874#endif
875 default:
876 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
877 break;
878 }
879
880 if( ret == 0 )
881 {
882 return( psa_hash_abort( operation ) );
883 }
884 else
885 {
886 psa_hash_abort( operation );
887 return( mbedtls_to_psa_error( ret ) );
888 }
889}
890
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]891psa_status_t psa_hash_verify( psa_hash_operation_t *operation,
892 const uint8_t *hash,
893 size_t hash_length )
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]894{
895 uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE];
896 size_t actual_hash_length;
897 psa_status_t status = psa_hash_finish( operation,
898 actual_hash, sizeof( actual_hash ),
899 &actual_hash_length );
900 if( status != PSA_SUCCESS )
901 return( status );
902 if( actual_hash_length != hash_length )
903 return( PSA_ERROR_INVALID_SIGNATURE );
904 if( safer_memcmp( hash, actual_hash, actual_hash_length ) != 0 )
905 return( PSA_ERROR_INVALID_SIGNATURE );
906 return( PSA_SUCCESS );
907}
908
909
910
911
912/****************************************************************/
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]913/* MAC */
914/****************************************************************/
915
Gilles Peskinedc2fc842018-03-07 16:42:59 +0100[diff] [blame]916static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]917 psa_algorithm_t alg,
918 psa_key_type_t key_type,
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]919 size_t key_bits,
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]920 mbedtls_cipher_id_t* cipher_id )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]921{
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]922 mbedtls_cipher_mode_t mode;
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]923 mbedtls_cipher_id_t cipher_id_tmp;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]924
925 if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) )
926 {
927 if( PSA_ALG_IS_BLOCK_CIPHER( alg ) )
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]928 {
929 alg &= ~PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
930 }
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]931
Nir Sonnenscheine9664c32018-06-17 14:41:30 +0300[diff] [blame]932 switch( alg )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]933 {
934 case PSA_ALG_STREAM_CIPHER:
935 mode = MBEDTLS_MODE_STREAM;
936 break;
937 case PSA_ALG_CBC_BASE:
938 mode = MBEDTLS_MODE_CBC;
939 break;
940 case PSA_ALG_CFB_BASE:
941 mode = MBEDTLS_MODE_CFB;
942 break;
943 case PSA_ALG_OFB_BASE:
944 mode = MBEDTLS_MODE_OFB;
945 break;
946 case PSA_ALG_CTR:
947 mode = MBEDTLS_MODE_CTR;
948 break;
949 case PSA_ALG_CCM:
950 mode = MBEDTLS_MODE_CCM;
951 break;
952 case PSA_ALG_GCM:
953 mode = MBEDTLS_MODE_GCM;
954 break;
955 default:
956 return( NULL );
957 }
958 }
959 else if( alg == PSA_ALG_CMAC )
960 mode = MBEDTLS_MODE_ECB;
961 else if( alg == PSA_ALG_GMAC )
962 mode = MBEDTLS_MODE_GCM;
963 else
964 return( NULL );
965
966 switch( key_type )
967 {
968 case PSA_KEY_TYPE_AES:
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]969 cipher_id_tmp = MBEDTLS_CIPHER_ID_AES;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]970 break;
971 case PSA_KEY_TYPE_DES:
972 if( key_bits == 64 )
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]973 cipher_id_tmp = MBEDTLS_CIPHER_ID_DES;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]974 else
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]975 cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]976 break;
977 case PSA_KEY_TYPE_CAMELLIA:
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]978 cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]979 break;
980 case PSA_KEY_TYPE_ARC4:
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]981 cipher_id_tmp = MBEDTLS_CIPHER_ID_ARC4;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]982 break;
983 default:
984 return( NULL );
985 }
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]986 if( cipher_id != NULL )
mohammad160360a64d02018-06-03 17:20:42 +0300[diff] [blame]987 *cipher_id = cipher_id_tmp;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]988
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]989 return( mbedtls_cipher_info_from_values( cipher_id_tmp, key_bits, mode ) );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]990}
991
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]992static size_t psa_get_hash_block_size( psa_algorithm_t alg )
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]993{
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]994 switch( alg )
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]995 {
996 case PSA_ALG_MD2:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]997 return( 16 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]998 case PSA_ALG_MD4:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]999 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1000 case PSA_ALG_MD5:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1001 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1002 case PSA_ALG_RIPEMD160:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1003 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1004 case PSA_ALG_SHA_1:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1005 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1006 case PSA_ALG_SHA_224:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1007 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1008 case PSA_ALG_SHA_256:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1009 return( 64 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1010 case PSA_ALG_SHA_384:
Nir Sonnenscheinaa5aea02018-06-18 12:24:33 +0300[diff] [blame]1011 return( 128 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1012 case PSA_ALG_SHA_512:
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1013 return( 128 );
1014 default:
1015 return( 0 );
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1016 }
1017}
Nir Sonnenschein0c9ec532018-06-07 13:27:47 +0300[diff] [blame]1018
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1019psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
1020{
1021 switch( operation->alg )
1022 {
1023#if defined(MBEDTLS_CMAC_C)
1024 case PSA_ALG_CMAC:
1025 mbedtls_cipher_free( &operation->ctx.cmac );
1026 break;
1027#endif /* MBEDTLS_CMAC_C */
1028 default:
1029#if defined(MBEDTLS_MD_C)
1030 if( PSA_ALG_IS_HMAC( operation->alg ) )
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1031 {
Gilles Peskine99bc6492018-06-11 17:13:00 +0200[diff] [blame]1032 unsigned int block_size =
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1033 psa_get_hash_block_size( ( PSA_ALG_HMAC_HASH( operation->alg ) ) );
Nir Sonnenschein084832d2018-06-08 22:52:24 +0300[diff] [blame]1034
Gilles Peskine99bc6492018-06-11 17:13:00 +0200[diff] [blame]1035 if( block_size == 0 )
Nir Sonnenschein084832d2018-06-08 22:52:24 +0300[diff] [blame]1036 return( PSA_ERROR_NOT_SUPPORTED );
1037
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1038 psa_hash_abort( &operation->ctx.hmac.hash_ctx );
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1039 mbedtls_zeroize( operation->ctx.hmac.opad, block_size );
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1040 }
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1041 else
1042#endif /* MBEDTLS_MD_C */
1043 return( PSA_ERROR_NOT_SUPPORTED );
1044 }
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1045
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1046 operation->alg = 0;
1047 operation->key_set = 0;
1048 operation->iv_set = 0;
1049 operation->iv_required = 0;
1050 operation->has_input = 0;
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1051
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1052 return( PSA_SUCCESS );
1053}
1054
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1055static int psa_cmac_start( psa_mac_operation_t *operation,
1056 size_t key_bits,
1057 key_slot_t *slot,
1058 const mbedtls_cipher_info_t *cipher_info )
1059{
1060 int ret;
1061
1062 operation->mac_size = cipher_info->block_size;
1063 operation->iv_required = 0;
1064 mbedtls_cipher_init( &operation->ctx.cmac );
1065
1066 ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info );
1067 if( ret != 0 )
1068 return( ret );
1069
1070 ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
1071 slot->data.raw.data,
1072 key_bits );
1073 return( ret );
1074}
1075
1076static int psa_hmac_start( psa_mac_operation_t *operation,
1077 psa_key_type_t key_type,
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1078 key_slot_t *slot,
1079 psa_algorithm_t alg )
1080{
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1081 unsigned char ipad[PSA_CRYPTO_MD_BLOCK_SIZE];
Nir Sonnenschein5ca65472018-06-17 14:03:40 +0300[diff] [blame]1082 unsigned char *opad = operation->ctx.hmac.opad;
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1083 size_t i;
Gilles Peskinee1bc6802018-06-11 17:36:05 +0200[diff] [blame]1084 size_t block_size =
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1085 psa_get_hash_block_size( ( PSA_ALG_HMAC_HASH( alg ) ) );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1086 unsigned int digest_size =
Nir Sonnenscheincaec7f02018-06-14 15:34:50 +0300[diff] [blame]1087 PSA_HASH_SIZE( ( PSA_ALG_HMAC_HASH( alg ) ) );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1088 size_t key_length = slot->data.raw.bytes;
1089 psa_status_t status;
1090
1091 if( ( block_size == 0 ) || ( digest_size == 0 ) )
1092 return( PSA_ERROR_NOT_SUPPORTED );
1093
1094 if( key_type != PSA_KEY_TYPE_HMAC )
1095 return( PSA_ERROR_INVALID_ARGUMENT );
1096
1097 operation->iv_required = 0;
1098 operation->mac_size = digest_size;
1099
1100 status = psa_hash_start( &operation->ctx.hmac.hash_ctx,
1101 PSA_ALG_HMAC_HASH( alg ) );
1102 if( status != PSA_SUCCESS )
1103 return( status );
1104
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1105 if( key_length > block_size )
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1106 {
1107 status = psa_hash_update( &operation->ctx.hmac.hash_ctx,
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1108 slot->data.raw.data, slot->data.raw.bytes );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1109 if( status != PSA_SUCCESS )
1110 return( status );
1111 status = psa_hash_finish( &operation->ctx.hmac.hash_ctx,
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1112 ipad, sizeof( ipad ), &key_length );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1113 if( status != PSA_SUCCESS )
1114 return( status );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1115 }
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1116 else
1117 memcpy( ipad, slot->data.raw.data, slot->data.raw.bytes );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1118
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1119 /* ipad contains the key followed by garbage. Xor and fill with 0x36
1120 * to create the ipad value. */
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1121 for( i = 0; i < key_length; i++ )
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1122 ipad[i] ^= 0x36;
1123 memset( ipad + key_length, 0x36, block_size - key_length );
1124
1125 /* Copy the key material from ipad to opad, flipping the requisite bits,
1126 * and filling the rest of opad with the requisite constant. */
1127 for( i = 0; i < key_length; i++ )
1128 opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
1129 memset( opad + key_length, 0x5C, block_size - key_length );
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1130
1131 status = psa_hash_start( &operation->ctx.hmac.hash_ctx,
1132 PSA_ALG_HMAC_HASH( alg ) );
1133 if( status != PSA_SUCCESS )
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1134 goto cleanup;
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1135
1136 status = psa_hash_update( &operation->ctx.hmac.hash_ctx, ipad,
1137 block_size );
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1138
1139cleanup:
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1140 mbedtls_zeroize( ipad, key_length );
1141 /* opad is in the context. It needs to stay in memory if this function
1142 * succeeds, and it will be wiped by psa_mac_abort() called from
1143 * psa_mac_start in the error case. */
1144
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1145 return( status );
1146}
1147
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1148psa_status_t psa_mac_start( psa_mac_operation_t *operation,
1149 psa_key_slot_t key,
1150 psa_algorithm_t alg )
1151{
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1152 psa_status_t status;
1153 key_slot_t *slot;
1154 psa_key_type_t key_type;
1155 size_t key_bits;
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1156 const mbedtls_cipher_info_t *cipher_info;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1157
1158 operation->alg = 0;
1159 operation->key_set = 0;
1160 operation->iv_set = 0;
1161 operation->iv_required = 1;
1162 operation->has_input = 0;
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1163 operation->key_usage_sign = 0;
1164 operation->key_usage_verify = 0;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1165
1166 status = psa_get_key_information( key, &key_type, &key_bits );
1167 if( status != PSA_SUCCESS )
1168 return( status );
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1169
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1170 slot = &global_data.key_slots[key];
Gilles Peskine99bc6492018-06-11 17:13:00 +0200[diff] [blame]1171 if( slot->type == PSA_KEY_TYPE_NONE )
1172 return( PSA_ERROR_EMPTY_SLOT );
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1173
Moran Pekerd7326592018-05-29 16:56:39 +0300[diff] [blame]1174 if( ( slot->policy.usage & PSA_KEY_USAGE_SIGN ) != 0 )
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1175 operation->key_usage_sign = 1;
1176
Moran Pekerd7326592018-05-29 16:56:39 +0300[diff] [blame]1177 if( ( slot->policy.usage & PSA_KEY_USAGE_VERIFY ) != 0 )
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1178 operation->key_usage_verify = 1;
1179
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1180 if( ! PSA_ALG_IS_HMAC( alg ) )
1181 {
mohammad1603f4f0d612018-06-03 15:04:51 +0300[diff] [blame]1182 cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, key_bits, NULL );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1183 if( cipher_info == NULL )
1184 return( PSA_ERROR_NOT_SUPPORTED );
1185 operation->mac_size = cipher_info->block_size;
1186 }
1187 switch( alg )
1188 {
1189#if defined(MBEDTLS_CMAC_C)
1190 case PSA_ALG_CMAC:
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1191 status = mbedtls_to_psa_error( psa_cmac_start( operation,
1192 key_bits,
1193 slot,
1194 cipher_info ) );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1195 break;
1196#endif /* MBEDTLS_CMAC_C */
1197 default:
1198#if defined(MBEDTLS_MD_C)
1199 if( PSA_ALG_IS_HMAC( alg ) )
Gilles Peskined223b522018-06-11 18:12:58 +0200[diff] [blame]1200 status = psa_hmac_start( operation, key_type, slot, alg );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1201 else
1202#endif /* MBEDTLS_MD_C */
1203 return( PSA_ERROR_NOT_SUPPORTED );
1204 }
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1205
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1206 /* If we reach this point, then the algorithm-specific part of the
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1207
1208 * context may contain data that needs to be wiped on error. */
1209 if( status != PSA_SUCCESS )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1210 {
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1211 psa_mac_abort( operation );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1212 }
Gilles Peskine99bc6492018-06-11 17:13:00 +0200[diff] [blame]1213
Gilles Peskine7e454bc2018-06-11 17:26:17 +0200[diff] [blame]1214 else
1215 {
1216 operation->alg = alg;
1217 operation->key_set = 1;
1218 }
1219 return( status );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1220}
1221
1222psa_status_t psa_mac_update( psa_mac_operation_t *operation,
1223 const uint8_t *input,
1224 size_t input_length )
1225{
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1226 int ret = 0 ;
1227 psa_status_t status = PSA_SUCCESS;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1228 if( ! operation->key_set )
1229 return( PSA_ERROR_BAD_STATE );
1230 if( operation->iv_required && ! operation->iv_set )
1231 return( PSA_ERROR_BAD_STATE );
1232 operation->has_input = 1;
1233
1234 switch( operation->alg )
1235 {
1236#if defined(MBEDTLS_CMAC_C)
1237 case PSA_ALG_CMAC:
1238 ret = mbedtls_cipher_cmac_update( &operation->ctx.cmac,
1239 input, input_length );
1240 break;
1241#endif /* MBEDTLS_CMAC_C */
1242 default:
1243#if defined(MBEDTLS_MD_C)
1244 if( PSA_ALG_IS_HMAC( operation->alg ) )
1245 {
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1246 status = psa_hash_update( &operation->ctx.hmac.hash_ctx, input,
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1247 input_length );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1248 }
1249 else
1250#endif /* MBEDTLS_MD_C */
1251 {
1252 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
1253 }
1254 break;
1255 }
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1256 if( ( ret != 0 ) || ( status != PSA_SUCCESS ) )
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1257 {
Nir Sonnenscheine9664c32018-06-17 14:41:30 +0300[diff] [blame]1258 psa_mac_abort( operation );
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1259 if( ret != 0 )
Nir Sonnenscheine9664c32018-06-17 14:41:30 +0300[diff] [blame]1260 status = mbedtls_to_psa_error( ret );
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1261 }
1262
1263 return status;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1264}
1265
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1266static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1267 uint8_t *mac,
1268 size_t mac_size,
1269 size_t *mac_length )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1270{
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1271 int ret = 0;
1272 psa_status_t status = PSA_SUCCESS;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1273 if( ! operation->key_set )
1274 return( PSA_ERROR_BAD_STATE );
1275 if( operation->iv_required && ! operation->iv_set )
1276 return( PSA_ERROR_BAD_STATE );
1277
1278 /* Fill the output buffer with something that isn't a valid mac
1279 * (barring an attack on the mac and deliberately-crafted input),
1280 * in case the caller doesn't check the return status properly. */
1281 *mac_length = operation->mac_size;
1282 memset( mac, '!', mac_size );
1283
1284 if( mac_size < operation->mac_size )
1285 return( PSA_ERROR_BUFFER_TOO_SMALL );
1286
1287 switch( operation->alg )
1288 {
1289#if defined(MBEDTLS_CMAC_C)
1290 case PSA_ALG_CMAC:
1291 ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, mac );
1292 break;
1293#endif /* MBEDTLS_CMAC_C */
1294 default:
1295#if defined(MBEDTLS_MD_C)
1296 if( PSA_ALG_IS_HMAC( operation->alg ) )
1297 {
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1298 unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
Nir Sonnenschein5ca65472018-06-17 14:03:40 +0300[diff] [blame]1299 unsigned char *opad = operation->ctx.hmac.opad;
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1300 size_t hash_size = 0;
Nir Sonnenschein96272412018-06-17 14:41:10 +0300[diff] [blame]1301 size_t block_size =
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1302 psa_get_hash_block_size( ( PSA_ALG_HMAC_HASH( operation->alg ) ) );
Nir Sonnenschein084832d2018-06-08 22:52:24 +0300[diff] [blame]1303
Gilles Peskine99bc6492018-06-11 17:13:00 +0200[diff] [blame]1304 if( block_size == 0 )
1305 return( PSA_ERROR_NOT_SUPPORTED );
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1306
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1307 status = psa_hash_finish( &operation->ctx.hmac.hash_ctx, tmp,
Gilles Peskine99bc6492018-06-11 17:13:00 +0200[diff] [blame]1308 sizeof( tmp ), &hash_size );
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1309 if( status != PSA_SUCCESS )
1310 goto cleanup;
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1311 /* From here on, tmp needs to be wiped. */
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1312
1313 status = psa_hash_start( &operation->ctx.hmac.hash_ctx,
1314 PSA_ALG_HMAC_HASH( operation->alg ) );
1315 if( status != PSA_SUCCESS )
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1316 goto hmac_cleanup;
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1317
1318 status = psa_hash_update( &operation->ctx.hmac.hash_ctx, opad,
Nir Sonnenschein0c9ec532018-06-07 13:27:47 +0300[diff] [blame]1319 block_size );
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1320 if( status != PSA_SUCCESS )
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1321 goto hmac_cleanup;
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1322
1323 status = psa_hash_update( &operation->ctx.hmac.hash_ctx, tmp,
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1324 hash_size );
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1325 if( status != PSA_SUCCESS )
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1326 goto hmac_cleanup;
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1327
1328 status = psa_hash_finish( &operation->ctx.hmac.hash_ctx, mac,
1329 mac_size, mac_length );
Gilles Peskine6a0a44e2018-06-11 17:42:48 +0200[diff] [blame]1330 hmac_cleanup:
1331 mbedtls_zeroize( tmp, hash_size );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1332 }
1333 else
1334#endif /* MBEDTLS_MD_C */
1335 {
1336 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
1337 }
1338 break;
1339 }
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1340cleanup:
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1341
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1342 if( ( ret == 0 ) && ( status == PSA_SUCCESS ) )
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1343 {
1344 return( psa_mac_abort( operation ) );
1345 }
1346 else
1347 {
1348 psa_mac_abort( operation );
Gilles Peskine99bc6492018-06-11 17:13:00 +0200[diff] [blame]1349 if( ret != 0 )
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1350 status = mbedtls_to_psa_error( ret );
Nir Sonnenscheindcd636a2018-06-04 16:03:32 +0300[diff] [blame]1351
1352 return status;
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1353 }
1354}
1355
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1356psa_status_t psa_mac_finish( psa_mac_operation_t *operation,
1357 uint8_t *mac,
1358 size_t mac_size,
1359 size_t *mac_length )
1360{
1361 if( !( operation->key_usage_sign ) )
1362 return( PSA_ERROR_NOT_PERMITTED );
1363
Gilles Peskine99bc6492018-06-11 17:13:00 +0200[diff] [blame]1364 return( psa_mac_finish_internal( operation, mac,
1365 mac_size, mac_length ) );
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1366}
1367
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1368#define MBEDTLS_PSA_MAC_MAX_SIZE \
1369 ( MBEDTLS_MD_MAX_SIZE > MBEDTLS_MAX_BLOCK_LENGTH ? \
1370 MBEDTLS_MD_MAX_SIZE : \
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1371 MBEDTLS_MAX_BLOCK_LENGTH )
1372psa_status_t psa_mac_verify( psa_mac_operation_t *operation,
1373 const uint8_t *mac,
1374 size_t mac_length )
1375{
1376 uint8_t actual_mac[MBEDTLS_PSA_MAC_MAX_SIZE];
1377 size_t actual_mac_length;
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]1378 psa_status_t status;
1379
1380 if( !( operation->key_usage_verify ) )
1381 return( PSA_ERROR_NOT_PERMITTED );
1382
1383 status = psa_mac_finish_internal( operation,
1384 actual_mac, sizeof( actual_mac ),
1385 &actual_mac_length );
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]1386 if( status != PSA_SUCCESS )
1387 return( status );
1388 if( actual_mac_length != mac_length )
1389 return( PSA_ERROR_INVALID_SIGNATURE );
1390 if( safer_memcmp( mac, actual_mac, actual_mac_length ) != 0 )
1391 return( PSA_ERROR_INVALID_SIGNATURE );
1392 return( PSA_SUCCESS );
1393}
1394
1395
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1396
1397
1398/****************************************************************/
1399/* Asymmetric cryptography */
1400/****************************************************************/
1401
Gilles Peskine8b18a4f2018-06-08 16:34:46 +0200[diff] [blame]1402/* Decode the hash algorithm from alg and store the mbedtls encoding in
1403 * md_alg. Verify that the hash length is consistent. */
1404static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg,
1405 size_t hash_length,
1406 mbedtls_md_type_t *md_alg )
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1407{
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1408 psa_algorithm_t hash_alg = PSA_ALG_RSA_GET_HASH( alg );
1409 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg );
1410 *md_alg = hash_alg == 0 ? MBEDTLS_MD_NONE : mbedtls_md_get_type( md_info );
1411 if( *md_alg == MBEDTLS_MD_NONE )
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1412 {
1413#if SIZE_MAX > UINT_MAX
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1414 if( hash_length > UINT_MAX )
1415 return( PSA_ERROR_INVALID_ARGUMENT );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1416#endif
1417 }
1418 else
1419 {
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1420 if( mbedtls_md_get_size( md_info ) != hash_length )
1421 return( PSA_ERROR_INVALID_ARGUMENT );
1422 if( md_info == NULL )
1423 return( PSA_ERROR_NOT_SUPPORTED );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1424 }
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1425 return( PSA_SUCCESS );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1426}
1427
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1428psa_status_t psa_asymmetric_sign( psa_key_slot_t key,
1429 psa_algorithm_t alg,
1430 const uint8_t *hash,
1431 size_t hash_length,
1432 const uint8_t *salt,
1433 size_t salt_length,
1434 uint8_t *signature,
1435 size_t signature_size,
1436 size_t *signature_length )
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1437{
1438 key_slot_t *slot;
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1439 psa_status_t status;
Gilles Peskine93aa0332018-02-03 23:58:03 +0100[diff] [blame]1440 *signature_length = 0;
1441 (void) salt;
1442 (void) salt_length;
1443
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1444 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
1445 return( PSA_ERROR_EMPTY_SLOT );
1446 slot = &global_data.key_slots[key];
1447 if( slot->type == PSA_KEY_TYPE_NONE )
1448 return( PSA_ERROR_EMPTY_SLOT );
1449 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
1450 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1451 if( ! ( slot->policy.usage & PSA_KEY_USAGE_SIGN ) )
mohammad160306e79202018-03-28 13:17:44 +0300[diff] [blame]1452 return( PSA_ERROR_NOT_PERMITTED );
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1453
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1454#if defined(MBEDTLS_RSA_C)
1455 if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
1456 {
1457 mbedtls_rsa_context *rsa = slot->data.rsa;
1458 int ret;
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1459 mbedtls_md_type_t md_alg;
Gilles Peskine8b18a4f2018-06-08 16:34:46 +0200[diff] [blame]1460 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1461 if( status != PSA_SUCCESS )
1462 return( status );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1463
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1464 if( signature_size < rsa->len )
1465 return( PSA_ERROR_BUFFER_TOO_SMALL );
1466#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskinea5926232018-03-28 14:16:50 +0200[diff] [blame]1467 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1468 {
1469 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
1470 MBEDTLS_MD_NONE );
1471 ret = mbedtls_rsa_pkcs1_sign( rsa,
1472 mbedtls_ctr_drbg_random,
1473 &global_data.ctr_drbg,
1474 MBEDTLS_RSA_PRIVATE,
1475 md_alg, hash_length, hash,
1476 signature );
1477 }
1478 else
1479#endif /* MBEDTLS_PKCS1_V15 */
1480#if defined(MBEDTLS_PKCS1_V21)
1481 if( alg == PSA_ALG_RSA_PSS_MGF1 )
1482 {
1483 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
1484 ret = mbedtls_rsa_rsassa_pss_sign( rsa,
1485 mbedtls_ctr_drbg_random,
1486 &global_data.ctr_drbg,
1487 MBEDTLS_RSA_PRIVATE,
1488 md_alg, hash_length, hash,
1489 signature );
1490 }
1491 else
1492#endif /* MBEDTLS_PKCS1_V21 */
1493 {
1494 return( PSA_ERROR_INVALID_ARGUMENT );
1495 }
Gilles Peskine93aa0332018-02-03 23:58:03 +0100[diff] [blame]1496 if( ret == 0 )
1497 *signature_length = rsa->len;
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1498 return( mbedtls_to_psa_error( ret ) );
1499 }
1500 else
1501#endif /* defined(MBEDTLS_RSA_C) */
1502#if defined(MBEDTLS_ECP_C)
1503 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
1504 {
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]1505 mbedtls_ecp_keypair *ecdsa = slot->data.ecp;
1506 int ret;
1507 const mbedtls_md_info_t *md_info;
1508 mbedtls_md_type_t md_alg;
1509 if( signature_size < PSA_ECDSA_SIGNATURE_SIZE( ecdsa->grp.pbits ) )
1510 return( PSA_ERROR_BUFFER_TOO_SMALL );
1511 md_info = mbedtls_md_info_from_psa( alg );
1512 md_alg = mbedtls_md_get_type( md_info );
1513 ret = mbedtls_ecdsa_write_signature( ecdsa, md_alg, hash, hash_length,
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1514 signature, signature_length,
1515 mbedtls_ctr_drbg_random,
1516 &global_data.ctr_drbg );
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]1517 return( mbedtls_to_psa_error( ret ) );
1518 }
1519 else
1520#endif /* defined(MBEDTLS_ECP_C) */
1521 {
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1522 return( PSA_ERROR_NOT_SUPPORTED );
1523 }
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]1524}
1525
1526psa_status_t psa_asymmetric_verify( psa_key_slot_t key,
1527 psa_algorithm_t alg,
1528 const uint8_t *hash,
1529 size_t hash_length,
1530 const uint8_t *salt,
1531 size_t salt_length,
1532 uint8_t *signature,
1533 size_t signature_size )
1534{
1535 key_slot_t *slot;
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1536 psa_status_t status;
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]1537 (void) salt;
1538 (void) salt_length;
1539
1540 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
1541 return( PSA_ERROR_INVALID_ARGUMENT );
1542 slot = &global_data.key_slots[key];
1543 if( slot->type == PSA_KEY_TYPE_NONE )
1544 return( PSA_ERROR_EMPTY_SLOT );
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1545 if( ! ( slot->policy.usage & PSA_KEY_USAGE_VERIFY ) )
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]1546 return( PSA_ERROR_NOT_PERMITTED );
1547
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1548#if defined(MBEDTLS_RSA_C)
Nir Sonnenschein1c2a7ea2018-06-05 15:01:42 +0300[diff] [blame]1549 if( ( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR ) ||
1550 ( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1551 {
1552 mbedtls_rsa_context *rsa = slot->data.rsa;
1553 int ret;
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1554 mbedtls_md_type_t md_alg;
Gilles Peskine8b18a4f2018-06-08 16:34:46 +0200[diff] [blame]1555 status = psa_rsa_decode_md_type( alg, hash_length, &md_alg );
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1556 if( status != PSA_SUCCESS )
1557 return( status );
Nir Sonnenschein4db79eb2018-06-04 16:40:31 +0300[diff] [blame]1558
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1559 if( signature_size < rsa->len )
1560 return( PSA_ERROR_BUFFER_TOO_SMALL );
1561#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskine6afe7892018-05-31 13:16:08 +0200[diff] [blame]1562 if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1563 {
1564 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
1565 MBEDTLS_MD_NONE );
1566
1567 ret = mbedtls_rsa_pkcs1_verify( rsa,
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1568 mbedtls_ctr_drbg_random,
1569 &global_data.ctr_drbg,
1570 MBEDTLS_RSA_PUBLIC,
1571 md_alg,
1572 hash_length,
1573 hash,
1574 signature );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1575
1576 }
1577 else
1578#endif /* MBEDTLS_PKCS1_V15 */
1579#if defined(MBEDTLS_PKCS1_V21)
1580 if( alg == PSA_ALG_RSA_PSS_MGF1 )
1581 {
Gilles Peskinebeb49482018-06-08 17:44:35 +0200[diff] [blame]1582 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
1583 ret = mbedtls_rsa_rsassa_pss_verify( rsa,
1584 mbedtls_ctr_drbg_random,
1585 &global_data.ctr_drbg,
1586 MBEDTLS_RSA_PUBLIC,
1587 md_alg, hash_length, hash,
1588 signature );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1589 }
1590 else
1591#endif /* MBEDTLS_PKCS1_V21 */
1592 {
1593 return( PSA_ERROR_INVALID_ARGUMENT );
1594 }
1595 return( mbedtls_to_psa_error( ret ) );
1596 }
1597 else
1598#endif /* defined(MBEDTLS_RSA_C) */
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]1599#if defined(MBEDTLS_ECP_C)
1600 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
1601 {
1602 mbedtls_ecp_keypair *ecdsa = slot->data.ecp;
1603 int ret;
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]1604 (void) alg;
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1605 ret = mbedtls_ecdsa_read_signature( ecdsa, hash, hash_length,
1606 signature, signature_size );
itayzafrir5c753392018-05-08 11:18:38 +0300[diff] [blame]1607 return( mbedtls_to_psa_error( ret ) );
1608 }
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1609 else
1610#endif /* defined(MBEDTLS_ECP_C) */
1611 {
1612 return( PSA_ERROR_NOT_SUPPORTED );
1613 }
1614}
1615
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1616psa_status_t psa_asymmetric_encrypt( psa_key_slot_t key,
1617 psa_algorithm_t alg,
1618 const uint8_t *input,
1619 size_t input_length,
1620 const uint8_t *salt,
1621 size_t salt_length,
1622 uint8_t *output,
1623 size_t output_size,
1624 size_t *output_length )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1625{
1626 key_slot_t *slot;
1627 (void) salt;
1628 (void) salt_length;
Nir Sonnenscheinca466c82018-06-04 16:43:12 +0300[diff] [blame]1629 *output_length = 0;
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1630
1631 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
Nir Sonnenschein7f5a3192018-05-06 22:26:54 +0300[diff] [blame]1632 return( PSA_ERROR_INVALID_ARGUMENT );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1633 slot = &global_data.key_slots[key];
1634 if( slot->type == PSA_KEY_TYPE_NONE )
1635 return( PSA_ERROR_EMPTY_SLOT );
1636 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
1637 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1638 if( ! ( slot->policy.usage & PSA_KEY_USAGE_ENCRYPT ) )
1639 return( PSA_ERROR_NOT_PERMITTED );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1640
1641#if defined(MBEDTLS_RSA_C)
Nir Sonnenschein1c2a7ea2018-06-05 15:01:42 +0300[diff] [blame]1642 if( ( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR ) ||
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1643 ( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1644 {
1645 mbedtls_rsa_context *rsa = slot->data.rsa;
1646 int ret;
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]1647 if( output_size < rsa->len )
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1648 return( PSA_ERROR_INVALID_ARGUMENT );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1649#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskine6afe7892018-05-31 13:16:08 +0200[diff] [blame]1650 if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1651 {
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1652 ret = mbedtls_rsa_pkcs1_encrypt( rsa,
1653 mbedtls_ctr_drbg_random,
1654 &global_data.ctr_drbg,
1655 MBEDTLS_RSA_PUBLIC,
1656 input_length,
1657 input,
1658 output );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1659 }
1660 else
1661#endif /* MBEDTLS_PKCS1_V15 */
1662#if defined(MBEDTLS_PKCS1_V21)
Gilles Peskine625b01c2018-06-08 17:43:16 +0200[diff] [blame]1663 if( PSA_ALG_IS_RSA_OAEP_MGF1( alg ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1664 {
1665 return( PSA_ERROR_NOT_SUPPORTED );
1666 }
1667 else
1668#endif /* MBEDTLS_PKCS1_V21 */
1669 {
1670 return( PSA_ERROR_INVALID_ARGUMENT );
1671 }
1672 if( ret == 0 )
Nir Sonnenschein717a0402018-06-04 16:36:15 +0300[diff] [blame]1673 *output_length = rsa->len;
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1674 return( mbedtls_to_psa_error( ret ) );
1675 }
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1676 else
Gilles Peskineb75e4f12018-06-08 17:44:47 +0200[diff] [blame]1677#endif /* defined(MBEDTLS_RSA_C) */
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1678 {
1679 return( PSA_ERROR_NOT_SUPPORTED );
1680 }
1681
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]1682}
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1683
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1684psa_status_t psa_asymmetric_decrypt( psa_key_slot_t key,
1685 psa_algorithm_t alg,
1686 const uint8_t *input,
1687 size_t input_length,
1688 const uint8_t *salt,
1689 size_t salt_length,
1690 uint8_t *output,
1691 size_t output_size,
1692 size_t *output_length )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1693{
1694 key_slot_t *slot;
1695 (void) salt;
1696 (void) salt_length;
Nir Sonnenscheinca466c82018-06-04 16:43:12 +0300[diff] [blame]1697 *output_length = 0;
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1698
1699 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
1700 return( PSA_ERROR_EMPTY_SLOT );
1701 slot = &global_data.key_slots[key];
1702 if( slot->type == PSA_KEY_TYPE_NONE )
1703 return( PSA_ERROR_EMPTY_SLOT );
1704 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
1705 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1706 if( ! ( slot->policy.usage & PSA_KEY_USAGE_DECRYPT ) )
1707 return( PSA_ERROR_NOT_PERMITTED );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1708
1709#if defined(MBEDTLS_RSA_C)
1710 if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
1711 {
1712 mbedtls_rsa_context *rsa = slot->data.rsa;
1713 int ret;
1714
Gilles Peskinec4def2f2018-06-08 17:53:48 +0200[diff] [blame]1715 if( input_length != rsa->len )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1716 return( PSA_ERROR_INVALID_ARGUMENT );
1717
1718#if defined(MBEDTLS_PKCS1_V15)
Gilles Peskine6afe7892018-05-31 13:16:08 +0200[diff] [blame]1719 if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1720 {
Gilles Peskine61b91d42018-06-08 16:09:36 +0200[diff] [blame]1721 ret = mbedtls_rsa_pkcs1_decrypt( rsa,
1722 mbedtls_ctr_drbg_random,
1723 &global_data.ctr_drbg,
1724 MBEDTLS_RSA_PRIVATE,
1725 output_length,
1726 input,
1727 output,
1728 output_size );
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1729 }
1730 else
1731#endif /* MBEDTLS_PKCS1_V15 */
1732#if defined(MBEDTLS_PKCS1_V21)
Gilles Peskine625b01c2018-06-08 17:43:16 +0200[diff] [blame]1733 if( PSA_ALG_IS_RSA_OAEP_MGF1( alg ) )
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1734 {
1735 return( PSA_ERROR_NOT_SUPPORTED );
1736 }
1737 else
1738#endif /* MBEDTLS_PKCS1_V21 */
1739 {
1740 return( PSA_ERROR_INVALID_ARGUMENT );
1741 }
Nir Sonnenschein717a0402018-06-04 16:36:15 +0300[diff] [blame]1742
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1743 return( mbedtls_to_psa_error( ret ) );
1744 }
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1745 else
Gilles Peskineb75e4f12018-06-08 17:44:47 +0200[diff] [blame]1746#endif /* defined(MBEDTLS_RSA_C) */
Nir Sonnenschein39e59142018-05-02 23:16:26 +0300[diff] [blame]1747 {
1748 return( PSA_ERROR_NOT_SUPPORTED );
1749 }
1750
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]1751}
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1752
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1753/****************************************************************/
1754/* Symmetric cryptography */
1755/****************************************************************/
1756
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1757static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
1758 psa_key_slot_t key,
Gilles Peskine7e928852018-06-04 16:23:10 +0200[diff] [blame]1759 psa_algorithm_t alg,
1760 mbedtls_operation_t cipher_operation )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1761{
1762 int ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
1763 psa_status_t status;
1764 key_slot_t *slot;
1765 psa_key_type_t key_type;
1766 size_t key_bits;
1767 const mbedtls_cipher_info_t *cipher_info = NULL;
1768
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1769 operation->alg = alg;
Moran Pekerad9d82c2018-04-30 12:31:04 +0300[diff] [blame]1770 operation->key_set = 0;
1771 operation->iv_set = 0;
1772 operation->iv_required = 1;
1773 operation->iv_size = 0;
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1774 operation->block_size = 0;
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1775
1776 status = psa_get_key_information( key, &key_type, &key_bits );
1777 if( status != PSA_SUCCESS )
1778 return( status );
1779 slot = &global_data.key_slots[key];
1780
Gilles Peskinebb1072f2018-06-08 18:46:05 +0200[diff] [blame]1781 cipher_info = mbedtls_cipher_info_from_psa( alg, key_type, key_bits, NULL );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1782 if( cipher_info == NULL )
1783 return( PSA_ERROR_NOT_SUPPORTED );
1784
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1785 mbedtls_cipher_init( &operation->ctx.cipher );
1786 ret = mbedtls_cipher_setup( &operation->ctx.cipher, cipher_info );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1787 if( ret != 0 )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1788 {
1789 psa_cipher_abort( operation );
1790 return( mbedtls_to_psa_error( ret ) );
1791 }
1792
1793 ret = mbedtls_cipher_setkey( &operation->ctx.cipher, slot->data.raw.data,
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1794 key_bits, cipher_operation );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1795 if( ret != 0 )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1796 {
1797 psa_cipher_abort( operation );
1798 return( mbedtls_to_psa_error( ret ) );
1799 }
1800
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1801#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]1802 if( ( alg & ~PSA_ALG_BLOCK_CIPHER_PADDING_MASK ) == PSA_ALG_CBC_BASE )
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1803 {
Gilles Peskine53514202018-06-06 15:11:46 +0200[diff] [blame]1804 psa_algorithm_t padding_mode = alg & PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
1805 mbedtls_cipher_padding_t mode;
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1806
Moran Pekera28258c2018-05-29 16:25:04 +0300[diff] [blame]1807 switch ( padding_mode )
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1808 {
1809 case PSA_ALG_BLOCK_CIPHER_PAD_PKCS7:
1810 mode = MBEDTLS_PADDING_PKCS7;
1811 break;
1812 case PSA_ALG_BLOCK_CIPHER_PAD_NONE:
1813 mode = MBEDTLS_PADDING_NONE;
1814 break;
1815 default:
Moran Pekerae382792018-05-31 14:06:17 +0300[diff] [blame]1816 psa_cipher_abort( operation );
1817 return( PSA_ERROR_INVALID_ARGUMENT );
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1818 }
1819 ret = mbedtls_cipher_set_padding_mode( &operation->ctx.cipher, mode );
Moran Pekera28258c2018-05-29 16:25:04 +0300[diff] [blame]1820 if( ret != 0 )
Moran Peker71f19ae2018-04-22 20:23:16 +0300[diff] [blame]1821 {
1822 psa_cipher_abort( operation );
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1823 return( mbedtls_to_psa_error( ret ) );
Moran Peker71f19ae2018-04-22 20:23:16 +0300[diff] [blame]1824 }
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1825 }
1826#endif //MBEDTLS_CIPHER_MODE_WITH_PADDING
1827
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1828 operation->key_set = 1;
1829 operation->alg = alg;
Gilles Peskine7e928852018-06-04 16:23:10 +0200[diff] [blame]1830 operation->block_size = ( PSA_ALG_IS_BLOCK_CIPHER( alg ) ?
1831 PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type ) :
1832 1 );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1833 if( PSA_ALG_IS_BLOCK_CIPHER( alg ) || ( alg == PSA_ALG_CTR ) )
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1834 {
mohammad160389e0f462018-04-12 08:48:45 +0300[diff] [blame]1835 operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type );
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1836 }
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1837
Moran Peker395db872018-05-31 14:07:14 +0300[diff] [blame]1838 return( PSA_SUCCESS );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1839}
1840
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1841psa_status_t psa_encrypt_setup( psa_cipher_operation_t *operation,
1842 psa_key_slot_t key,
1843 psa_algorithm_t alg )
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1844{
Moran Pekera28258c2018-05-29 16:25:04 +0300[diff] [blame]1845 return psa_cipher_setup( operation, key, alg, MBEDTLS_ENCRYPT );
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1846}
1847
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1848psa_status_t psa_decrypt_setup( psa_cipher_operation_t *operation,
1849 psa_key_slot_t key,
1850 psa_algorithm_t alg )
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1851{
Moran Pekera28258c2018-05-29 16:25:04 +0300[diff] [blame]1852 return psa_cipher_setup( operation, key, alg, MBEDTLS_DECRYPT );
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1853}
1854
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1855psa_status_t psa_encrypt_generate_iv( psa_cipher_operation_t *operation,
1856 unsigned char *iv,
1857 size_t iv_size,
1858 size_t *iv_length )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1859{
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1860 int ret = PSA_SUCCESS;
Moran Pekerad9d82c2018-04-30 12:31:04 +0300[diff] [blame]1861 if( operation->iv_set || !( operation->iv_required ) )
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1862 return( PSA_ERROR_BAD_STATE );
1863 if( iv_size < operation->iv_size )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1864 {
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1865 ret = PSA_ERROR_BUFFER_TOO_SMALL;
1866 goto exit;
1867 }
Gilles Peskine7e928852018-06-04 16:23:10 +0200[diff] [blame]1868 ret = mbedtls_ctr_drbg_random( &global_data.ctr_drbg,
1869 iv, operation->iv_size );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1870 if( ret != 0 )
1871 {
1872 ret = mbedtls_to_psa_error( ret );
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1873 goto exit;
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1874 }
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1875
mohammad16038481e742018-03-18 13:57:31 +0200[diff] [blame]1876 *iv_length = operation->iv_size;
mohammad160389e0f462018-04-12 08:48:45 +0300[diff] [blame]1877 ret = psa_encrypt_set_iv( operation, iv, *iv_length );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1878
Moran Peker395db872018-05-31 14:07:14 +0300[diff] [blame]1879exit:
1880 if( ret != PSA_SUCCESS )
1881 psa_cipher_abort( operation );
1882 return( ret );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1883}
1884
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1885psa_status_t psa_encrypt_set_iv( psa_cipher_operation_t *operation,
1886 const unsigned char *iv,
1887 size_t iv_length )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1888{
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1889 int ret = PSA_SUCCESS;
Moran Pekerad9d82c2018-04-30 12:31:04 +0300[diff] [blame]1890 if( operation->iv_set || !( operation->iv_required ) )
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1891 return( PSA_ERROR_BAD_STATE );
Moran Pekera28258c2018-05-29 16:25:04 +0300[diff] [blame]1892 if( iv_length != operation->iv_size )
Moran Peker71f19ae2018-04-22 20:23:16 +0300[diff] [blame]1893 {
Moran Pekerae382792018-05-31 14:06:17 +0300[diff] [blame]1894 psa_cipher_abort( operation );
1895 return( PSA_ERROR_INVALID_ARGUMENT );
Moran Peker71f19ae2018-04-22 20:23:16 +0300[diff] [blame]1896 }
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1897 ret = mbedtls_cipher_set_iv( &operation->ctx.cipher, iv, iv_length );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1898 if( ret != 0 )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1899 {
1900 psa_cipher_abort( operation );
1901 return( mbedtls_to_psa_error( ret ) );
1902 }
1903
1904 operation->iv_set = 1;
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1905
Moran Peker395db872018-05-31 14:07:14 +0300[diff] [blame]1906 return( PSA_SUCCESS );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1907}
1908
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1909psa_status_t psa_cipher_update( psa_cipher_operation_t *operation,
1910 const uint8_t *input,
1911 size_t input_length,
1912 unsigned char *output,
1913 size_t output_size,
1914 size_t *output_length )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1915{
1916 int ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
Gilles Peskine89d789c2018-06-04 17:17:16 +0200[diff] [blame]1917 size_t expected_output_size;
1918 if( PSA_ALG_IS_BLOCK_CIPHER( operation->alg ) )
1919 {
1920 /* Take the unprocessed partial block left over from previous
1921 * update calls, if any, plus the input to this call. Remove
1922 * the last partial block, if any. You get the data that will be
1923 * output in this call. */
1924 expected_output_size =
1925 ( operation->ctx.cipher.unprocessed_len + input_length )
1926 / operation->block_size * operation->block_size;
1927 }
1928 else
1929 {
1930 expected_output_size = input_length;
1931 }
1932 if( output_size < expected_output_size )
Moran Peker395db872018-05-31 14:07:14 +0300[diff] [blame]1933 return( PSA_ERROR_BUFFER_TOO_SMALL );
mohammad160382759612018-03-12 18:16:40 +0200[diff] [blame]1934
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1935 ret = mbedtls_cipher_update( &operation->ctx.cipher, input,
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1936 input_length, output, output_length );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1937 if( ret != 0 )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1938 {
1939 psa_cipher_abort( operation );
1940 return( mbedtls_to_psa_error( ret ) );
1941 }
1942
Moran Peker395db872018-05-31 14:07:14 +0300[diff] [blame]1943 return( PSA_SUCCESS );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1944}
1945
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1946psa_status_t psa_cipher_finish( psa_cipher_operation_t *operation,
1947 uint8_t *output,
1948 size_t output_size,
1949 size_t *output_length )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1950{
1951 int ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1952 uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH];
Moran Pekerbed71a22018-04-22 20:19:20 +0300[diff] [blame]1953
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1954 if( ! operation->key_set )
Moran Pekerdc38ebc2018-04-30 15:45:34 +0300[diff] [blame]1955 {
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]1956 psa_cipher_abort( operation );
1957 return( PSA_ERROR_BAD_STATE );
1958 }
1959 if( operation->iv_required && ! operation->iv_set )
1960 {
Gilles Peskine2c5219a2018-06-06 15:12:32 +0200[diff] [blame]1961 psa_cipher_abort( operation );
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]1962 return( PSA_ERROR_BAD_STATE );
1963 }
Gilles Peskine2c5219a2018-06-06 15:12:32 +0200[diff] [blame]1964 if( operation->ctx.cipher.operation == MBEDTLS_ENCRYPT &&
1965 PSA_ALG_IS_BLOCK_CIPHER( operation->alg ) )
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]1966 {
Gilles Peskine53514202018-06-06 15:11:46 +0200[diff] [blame]1967 psa_algorithm_t padding_mode =
1968 operation->alg & PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]1969 if( operation->ctx.cipher.unprocessed_len >= operation->block_size )
Gilles Peskine89d789c2018-06-04 17:17:16 +0200[diff] [blame]1970 {
Gilles Peskine2c5219a2018-06-06 15:12:32 +0200[diff] [blame]1971 psa_cipher_abort( operation );
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]1972 return( PSA_ERROR_TAMPERING_DETECTED );
1973 }
Gilles Peskine53514202018-06-06 15:11:46 +0200[diff] [blame]1974 if( padding_mode == PSA_ALG_BLOCK_CIPHER_PAD_NONE )
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]1975 {
1976 if( operation->ctx.cipher.unprocessed_len != 0 )
1977 {
Gilles Peskine2c5219a2018-06-06 15:12:32 +0200[diff] [blame]1978 psa_cipher_abort( operation );
Moran Peker7cb22b82018-06-05 11:40:02 +0300[diff] [blame]1979 return( PSA_ERROR_INVALID_ARGUMENT );
1980 }
Gilles Peskine89d789c2018-06-04 17:17:16 +0200[diff] [blame]1981 }
Moran Pekerdc38ebc2018-04-30 15:45:34 +0300[diff] [blame]1982 }
1983
1984 ret = mbedtls_cipher_finish( &operation->ctx.cipher, temp_output_buffer,
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1985 output_length );
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]1986 if( ret != 0 )
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1987 {
1988 psa_cipher_abort( operation );
1989 return( mbedtls_to_psa_error( ret ) );
1990 }
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]1991 if( output_size >= *output_length )
Moran Pekerdc38ebc2018-04-30 15:45:34 +0300[diff] [blame]1992 memcpy( output, temp_output_buffer, *output_length );
1993 else
1994 {
1995 psa_cipher_abort( operation );
1996 return( PSA_ERROR_BUFFER_TOO_SMALL );
1997 }
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]1998
Moran Peker4c80d832018-04-22 20:15:31 +0300[diff] [blame]1999 return( PSA_SUCCESS );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2000}
2001
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2002psa_status_t psa_cipher_abort( psa_cipher_operation_t *operation )
2003{
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2004 mbedtls_cipher_free( &operation->ctx.cipher );
Gilles Peskinee553c652018-06-04 16:22:46 +0200[diff] [blame]2005
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2006 operation->alg = 0;
Moran Pekerad9d82c2018-04-30 12:31:04 +0300[diff] [blame]2007 operation->key_set = 0;
2008 operation->iv_set = 0;
2009 operation->iv_size = 0;
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2010 operation->block_size = 0;
Moran Pekerad9d82c2018-04-30 12:31:04 +0300[diff] [blame]2011 operation->iv_required = 0;
Moran Peker41deec42018-04-04 15:43:05 +0300[diff] [blame]2012
Moran Peker395db872018-05-31 14:07:14 +0300[diff] [blame]2013 return( PSA_SUCCESS );
mohammad1603503973b2018-03-12 15:59:30 +0200[diff] [blame]2014}
2015
Gilles Peskinea0655c32018-04-30 17:06:50 +0200[diff] [blame]2016
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2017/****************************************************************/
2018/* Key Policy */
2019/****************************************************************/
2020
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2021void psa_key_policy_init( psa_key_policy_t *policy )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2022{
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]2023 memset( policy, 0, sizeof( psa_key_policy_t ) );
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2024}
2025
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2026void psa_key_policy_set_usage( psa_key_policy_t *policy,
2027 psa_key_usage_t usage,
2028 psa_algorithm_t alg )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2029{
mohammad16034eed7572018-03-28 05:14:59 -0700[diff] [blame]2030 policy->usage = usage;
2031 policy->alg = alg;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2032}
2033
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2034psa_key_usage_t psa_key_policy_get_usage( psa_key_policy_t *policy )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2035{
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]2036 return( policy->usage );
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2037}
2038
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2039psa_algorithm_t psa_key_policy_get_algorithm( psa_key_policy_t *policy )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2040{
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]2041 return( policy->alg );
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2042}
2043
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2044psa_status_t psa_set_key_policy( psa_key_slot_t key,
2045 const psa_key_policy_t *policy )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2046{
2047 key_slot_t *slot;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2048
2049 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT || policy == NULL )
2050 return( PSA_ERROR_INVALID_ARGUMENT );
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2051
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2052 slot = &global_data.key_slots[key];
2053 if( slot->type != PSA_KEY_TYPE_NONE )
2054 return( PSA_ERROR_OCCUPIED_SLOT );
2055
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2056 if( ( policy->usage & ~( PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2057 | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN
2058 | PSA_KEY_USAGE_VERIFY ) ) != 0 )
mohammad16035feda722018-04-16 04:38:57 -0700[diff] [blame]2059 return( PSA_ERROR_INVALID_ARGUMENT );
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2060
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]2061 slot->policy = *policy;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2062
2063 return( PSA_SUCCESS );
2064}
2065
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2066psa_status_t psa_get_key_policy( psa_key_slot_t key,
2067 psa_key_policy_t *policy )
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2068{
2069 key_slot_t *slot;
2070
2071 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT || policy == NULL )
2072 return( PSA_ERROR_INVALID_ARGUMENT );
2073
2074 slot = &global_data.key_slots[key];
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2075
mohammad16036df908f2018-04-02 08:34:15 -0700[diff] [blame]2076 *policy = slot->policy;
mohammad16038cc1cee2018-03-28 01:21:33 +0300[diff] [blame]2077
2078 return( PSA_SUCCESS );
2079}
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2080
Gilles Peskinea0655c32018-04-30 17:06:50 +0200[diff] [blame]2081
2082
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2083/****************************************************************/
2084/* Key Lifetime */
2085/****************************************************************/
2086
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2087psa_status_t psa_get_key_lifetime( psa_key_slot_t key,
2088 psa_key_lifetime_t *lifetime )
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2089{
2090 key_slot_t *slot;
2091
2092 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
2093 return( PSA_ERROR_INVALID_ARGUMENT );
2094
2095 slot = &global_data.key_slots[key];
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2096
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2097 *lifetime = slot->lifetime;
2098
2099 return( PSA_SUCCESS );
2100}
2101
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2102psa_status_t psa_set_key_lifetime( psa_key_slot_t key,
2103 const psa_key_lifetime_t lifetime )
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2104{
2105 key_slot_t *slot;
2106
2107 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
2108 return( PSA_ERROR_INVALID_ARGUMENT );
2109
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2110 if( lifetime != PSA_KEY_LIFETIME_VOLATILE &&
2111 lifetime != PSA_KEY_LIFETIME_PERSISTENT &&
mohammad1603ba178512018-03-21 04:35:20 -0700[diff] [blame]2112 lifetime != PSA_KEY_LIFETIME_WRITE_ONCE)
2113 return( PSA_ERROR_INVALID_ARGUMENT );
2114
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2115 slot = &global_data.key_slots[key];
mohammad16035d7ec202018-03-28 01:29:41 +0300[diff] [blame]2116 if( slot->type != PSA_KEY_TYPE_NONE )
2117 return( PSA_ERROR_OCCUPIED_SLOT );
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2118
Moran Pekerd7326592018-05-29 16:56:39 +0300[diff] [blame]2119 if( lifetime != PSA_KEY_LIFETIME_VOLATILE )
mohammad1603ba178512018-03-21 04:35:20 -0700[diff] [blame]2120 return( PSA_ERROR_NOT_SUPPORTED );
Gilles Peskine5b051bc2018-05-31 13:25:48 +0200[diff] [blame]2121
mohammad1603060ad8a2018-03-20 14:28:38 -0700[diff] [blame]2122 slot->lifetime = lifetime;
mohammad1603804cd712018-03-20 22:44:08 +0200[diff] [blame]2123
2124 return( PSA_SUCCESS );
2125}
2126
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2127
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2128/****************************************************************/
2129/* AEAD */
2130/****************************************************************/
2131psa_status_t psa_aead_encrypt( psa_key_slot_t key,
2132 psa_algorithm_t alg,
2133 const uint8_t *nonce,
2134 size_t nonce_length,
2135 const uint8_t *additional_data,
2136 size_t additional_data_length,
2137 const uint8_t *plaintext,
2138 size_t plaintext_length,
2139 uint8_t *ciphertext,
2140 size_t ciphertext_size,
2141 size_t *ciphertext_length )
2142{
2143 int ret;
2144 psa_status_t status;
2145 key_slot_t *slot;
2146 psa_key_type_t key_type;
2147 size_t key_bits;
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2148 uint8_t *tag;
2149 size_t tag_length;
mohammad1603dad36fa2018-05-09 02:24:42 -0700[diff] [blame]2150 mbedtls_cipher_id_t cipher_id;
mohammad16030f214652018-06-03 15:10:06 +0300[diff] [blame]2151 const mbedtls_cipher_info_t *cipher_info = NULL;
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2152
mohammad1603f08a5502018-06-03 15:05:47 +0300[diff] [blame]2153 *ciphertext_length = 0;
mohammad1603e58e6842018-05-09 04:58:32 -0700[diff] [blame]2154
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2155 status = psa_get_key_information( key, &key_type, &key_bits );
2156 if( status != PSA_SUCCESS )
2157 return( status );
2158 slot = &global_data.key_slots[key];
mohammad1603a1d98012018-06-06 13:45:55 +0300[diff] [blame]2159 if( slot->type == PSA_KEY_TYPE_NONE )
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2160 return( PSA_ERROR_EMPTY_SLOT );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2161
mohammad16035ed06212018-06-06 13:09:34 +0300[diff] [blame]2162 cipher_info = mbedtls_cipher_info_from_psa( alg, key_type,
2163 key_bits, &cipher_id );
mohammad16030f214652018-06-03 15:10:06 +0300[diff] [blame]2164 if( cipher_info == NULL )
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2165 return( PSA_ERROR_NOT_SUPPORTED );
mohammad1603dad36fa2018-05-09 02:24:42 -0700[diff] [blame]2166
mohammad1603f14394b2018-06-04 14:33:19 +0300[diff] [blame]2167 if( !( slot->policy.usage & PSA_KEY_USAGE_ENCRYPT ) )
2168 return( PSA_ERROR_NOT_PERMITTED );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2169
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2170 if( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) !=
2171 PSA_KEY_TYPE_CATEGORY_SYMMETRIC )
mohammad1603db624732018-04-30 17:21:50 +0300[diff] [blame]2172 return( PSA_ERROR_INVALID_ARGUMENT );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2173
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2174 if( alg == PSA_ALG_GCM )
2175 {
2176 mbedtls_gcm_context gcm;
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2177 tag_length = 16;
2178
mohammad160396910d82018-06-04 14:33:00 +0300[diff] [blame]2179 if( PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type ) != 16 )
2180 return( PSA_ERROR_INVALID_ARGUMENT );
2181
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2182 //make sure we have place to hold the tag in the ciphertext buffer
2183 if( ciphertext_size < ( plaintext_length + tag_length ) )
mohammad1603e3cb8a82018-06-06 13:45:03 +0300[diff] [blame]2184 return( PSA_ERROR_BUFFER_TOO_SMALL );
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2185
2186 //update the tag pointer to point to the end of the ciphertext_length
2187 tag = ciphertext + plaintext_length;
2188
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2189 mbedtls_gcm_init( &gcm );
Gilles Peskinea40d7742018-06-01 16:28:30 +0200[diff] [blame]2190 ret = mbedtls_gcm_setkey( &gcm, cipher_id,
mohammad160395893f82018-06-03 15:06:17 +0300[diff] [blame]2191 slot->data.raw.data,
Gilles Peskinea40d7742018-06-01 16:28:30 +0200[diff] [blame]2192 key_bits );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2193 if( ret != 0 )
2194 {
2195 mbedtls_gcm_free( &gcm );
2196 return( mbedtls_to_psa_error( ret ) );
2197 }
2198 ret = mbedtls_gcm_crypt_and_tag( &gcm, MBEDTLS_GCM_ENCRYPT,
Gilles Peskinea40d7742018-06-01 16:28:30 +0200[diff] [blame]2199 plaintext_length, nonce,
2200 nonce_length, additional_data,
2201 additional_data_length, plaintext,
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2202 ciphertext, tag_length, tag );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2203 mbedtls_gcm_free( &gcm );
2204 }
2205 else if( alg == PSA_ALG_CCM )
2206 {
2207 mbedtls_ccm_context ccm;
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2208 tag_length = 16;
2209
mohammad160396910d82018-06-04 14:33:00 +0300[diff] [blame]2210 if( PSA_BLOCK_CIPHER_BLOCK_SIZE( key_type ) != 16 )
2211 return( PSA_ERROR_INVALID_ARGUMENT );
2212
mohammad160347ddf3d2018-04-26 01:11:21 +0300[diff] [blame]2213 if( nonce_length < 7 || nonce_length > 13 )
2214 return( PSA_ERROR_INVALID_ARGUMENT );
2215
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2216 //make sure we have place to hold the tag in the ciphertext buffer
2217 if( ciphertext_size < ( plaintext_length + tag_length ) )
mohammad1603e3cb8a82018-06-06 13:45:03 +0300[diff] [blame]2218 return( PSA_ERROR_BUFFER_TOO_SMALL );
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2219
2220 //update the tag pointer to point to the end of the ciphertext_length
2221 tag = ciphertext + plaintext_length;
2222
2223
2224
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2225 mbedtls_ccm_init( &ccm );
Gilles Peskinea40d7742018-06-01 16:28:30 +0200[diff] [blame]2226 ret = mbedtls_ccm_setkey( &ccm, cipher_id,
mohammad16036bbd8c72018-04-30 17:22:52 +0300[diff] [blame]2227 slot->data.raw.data, key_bits );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2228 if( ret != 0 )
2229 {
2230 mbedtls_ccm_free( &ccm );
2231 return( mbedtls_to_psa_error( ret ) );
2232 }
Gilles Peskinea40d7742018-06-01 16:28:30 +0200[diff] [blame]2233 ret = mbedtls_ccm_encrypt_and_tag( &ccm, plaintext_length,
2234 nonce, nonce_length, additional_data,
2235 additional_data_length,
2236 plaintext, ciphertext,
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2237 tag, tag_length );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2238 mbedtls_ccm_free( &ccm );
2239 }
mohammad16035c8845f2018-05-09 05:40:09 -0700[diff] [blame]2240 else
2241 {
mohammad1603554faad2018-06-03 15:07:38 +0300[diff] [blame]2242 return( PSA_ERROR_NOT_SUPPORTED );
mohammad16035c8845f2018-05-09 05:40:09 -0700[diff] [blame]2243 }
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2244
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2245 if( ret != 0 )
2246 {
2247 memset( ciphertext, 0, ciphertext_size );
2248 return( mbedtls_to_psa_error( ret ) );
2249 }
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2250
mohammad160315223a82018-06-03 17:19:55 +0300[diff] [blame]2251 *ciphertext_length = plaintext_length + tag_length;
mohammad160347ddf3d2018-04-26 01:11:21 +0300[diff] [blame]2252 return( PSA_SUCCESS );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2253}
2254
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2255/* Locate the tag in a ciphertext buffer containing the encrypted data
2256 * followed by the tag. Return the length of the part preceding the tag in
2257 * *plaintext_length. This is the size of the plaintext in modes where
2258 * the encrypted data has the same size as the plaintext, such as
2259 * CCM and GCM. */
2260static psa_status_t psa_aead_unpadded_locate_tag( size_t tag_length,
2261 const uint8_t *ciphertext,
2262 size_t ciphertext_length,
2263 size_t plaintext_size,
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2264 const uint8_t **p_tag )
2265{
2266 size_t payload_length;
2267 if( tag_length > ciphertext_length )
2268 return( PSA_ERROR_INVALID_ARGUMENT );
2269 payload_length = ciphertext_length - tag_length;
2270 if( payload_length > plaintext_size )
2271 return( PSA_ERROR_BUFFER_TOO_SMALL );
2272 *p_tag = ciphertext + payload_length;
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2273 return( PSA_SUCCESS );
2274}
2275
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2276psa_status_t psa_aead_decrypt( psa_key_slot_t key,
2277 psa_algorithm_t alg,
2278 const uint8_t *nonce,
2279 size_t nonce_length,
2280 const uint8_t *additional_data,
2281 size_t additional_data_length,
2282 const uint8_t *ciphertext,
2283 size_t ciphertext_length,
2284 uint8_t *plaintext,
2285 size_t plaintext_size,
2286 size_t *plaintext_length )
2287{
2288 int ret;
2289 psa_status_t status;
2290 key_slot_t *slot;
2291 psa_key_type_t key_type;
2292 size_t key_bits;
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2293 const uint8_t *tag;
2294 size_t tag_length;
mohammad1603dad36fa2018-05-09 02:24:42 -0700[diff] [blame]2295 mbedtls_cipher_id_t cipher_id;
mohammad16030f214652018-06-03 15:10:06 +0300[diff] [blame]2296 const mbedtls_cipher_info_t *cipher_info = NULL;
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2297
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2298 *plaintext_length = 0;
mohammad16039e5a5152018-04-26 12:07:35 +0300[diff] [blame]2299
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2300 status = psa_get_key_information( key, &key_type, &key_bits );
2301 if( status != PSA_SUCCESS )
2302 return( status );
2303 slot = &global_data.key_slots[key];
mohammad1603a1d98012018-06-06 13:45:55 +0300[diff] [blame]2304 if( slot->type == PSA_KEY_TYPE_NONE )
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2305 return( PSA_ERROR_EMPTY_SLOT );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2306
mohammad16035ed06212018-06-06 13:09:34 +0300[diff] [blame]2307 cipher_info = mbedtls_cipher_info_from_psa( alg, key_type,
2308 key_bits, &cipher_id );
mohammad16030f214652018-06-03 15:10:06 +0300[diff] [blame]2309 if( cipher_info == NULL )
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2310 return( PSA_ERROR_NOT_SUPPORTED );
2311
mohammad1603f14394b2018-06-04 14:33:19 +0300[diff] [blame]2312 if( !( slot->policy.usage & PSA_KEY_USAGE_DECRYPT ) )
2313 return( PSA_ERROR_NOT_PERMITTED );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2314
Gilles Peskine2d277862018-06-18 15:41:12 +0200[diff] [blame^]2315 if( ( key_type & PSA_KEY_TYPE_CATEGORY_MASK ) !=
2316 PSA_KEY_TYPE_CATEGORY_SYMMETRIC )
mohammad1603a7e6df72018-04-30 17:25:45 +0300[diff] [blame]2317 return( PSA_ERROR_INVALID_ARGUMENT );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2318
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2319 if( alg == PSA_ALG_GCM )
2320 {
2321 mbedtls_gcm_context gcm;
mohammad160347ddf3d2018-04-26 01:11:21 +0300[diff] [blame]2322
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2323 tag_length = 16;
2324 status = psa_aead_unpadded_locate_tag( tag_length,
2325 ciphertext, ciphertext_length,
mohammad160360a64d02018-06-03 17:20:42 +0300[diff] [blame]2326 plaintext_size, &tag );
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2327 if( status != PSA_SUCCESS )
2328 return( status );
2329
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2330 mbedtls_gcm_init( &gcm );
Gilles Peskinea40d7742018-06-01 16:28:30 +0200[diff] [blame]2331 ret = mbedtls_gcm_setkey( &gcm, cipher_id,
mohammad16036bbd8c72018-04-30 17:22:52 +0300[diff] [blame]2332 slot->data.raw.data, key_bits );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2333 if( ret != 0 )
2334 {
2335 mbedtls_gcm_free( &gcm );
2336 return( mbedtls_to_psa_error( ret ) );
2337 }
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2338
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2339 ret = mbedtls_gcm_auth_decrypt( &gcm,
mohammad160360a64d02018-06-03 17:20:42 +0300[diff] [blame]2340 ciphertext_length - tag_length,
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2341 nonce, nonce_length,
mohammad16035ed06212018-06-06 13:09:34 +0300[diff] [blame]2342 additional_data,
2343 additional_data_length,
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2344 tag, tag_length,
2345 ciphertext, plaintext );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2346 mbedtls_gcm_free( &gcm );
2347 }
2348 else if( alg == PSA_ALG_CCM )
2349 {
2350 mbedtls_ccm_context ccm;
Gilles Peskinea40d7742018-06-01 16:28:30 +0200[diff] [blame]2351
mohammad160347ddf3d2018-04-26 01:11:21 +0300[diff] [blame]2352 if( nonce_length < 7 || nonce_length > 13 )
2353 return( PSA_ERROR_INVALID_ARGUMENT );
2354
mohammad16039375f842018-06-03 14:28:24 +0300[diff] [blame]2355 tag_length = 16;
2356 status = psa_aead_unpadded_locate_tag( tag_length,
2357 ciphertext, ciphertext_length,
mohammad160360a64d02018-06-03 17:20:42 +0300[diff] [blame]2358 plaintext_size, &tag );
mohammad16039375f842018-06-03 14:28:24 +0300[diff] [blame]2359 if( status != PSA_SUCCESS )
2360 return( status );
2361
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2362 mbedtls_ccm_init( &ccm );
Gilles Peskinea40d7742018-06-01 16:28:30 +0200[diff] [blame]2363 ret = mbedtls_ccm_setkey( &ccm, cipher_id,
mohammad16036bbd8c72018-04-30 17:22:52 +0300[diff] [blame]2364 slot->data.raw.data, key_bits );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2365 if( ret != 0 )
2366 {
2367 mbedtls_ccm_free( &ccm );
2368 return( mbedtls_to_psa_error( ret ) );
2369 }
mohammad160360a64d02018-06-03 17:20:42 +0300[diff] [blame]2370 ret = mbedtls_ccm_auth_decrypt( &ccm, ciphertext_length - tag_length,
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2371 nonce, nonce_length,
2372 additional_data, additional_data_length,
2373 ciphertext, plaintext,
2374 tag, tag_length );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2375 mbedtls_ccm_free( &ccm );
2376 }
mohammad160339574652018-06-01 04:39:53 -0700[diff] [blame]2377 else
2378 {
mohammad1603554faad2018-06-03 15:07:38 +0300[diff] [blame]2379 return( PSA_ERROR_NOT_SUPPORTED );
mohammad160339574652018-06-01 04:39:53 -0700[diff] [blame]2380 }
Gilles Peskinea40d7742018-06-01 16:28:30 +0200[diff] [blame]2381
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2382 if( ret != 0 )
mohammad160360a64d02018-06-03 17:20:42 +0300[diff] [blame]2383 memset( plaintext, 0, plaintext_size );
2384 else
2385 *plaintext_length = ciphertext_length - tag_length;
2386
Gilles Peskineee652a32018-06-01 19:23:52 +0200[diff] [blame]2387 return( mbedtls_to_psa_error( ret ) );
mohammad16035955c982018-04-26 00:53:03 +0300[diff] [blame]2388}
2389
Gilles Peskinea0655c32018-04-30 17:06:50 +0200[diff] [blame]2390
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]2391/****************************************************************/
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]2392/* Module setup */
2393/****************************************************************/
2394
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]2395void mbedtls_psa_crypto_free( void )
2396{
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]2397 size_t key;
2398 for( key = 1; key < MBEDTLS_PSA_KEY_SLOT_COUNT; key++ )
2399 psa_destroy_key( key );
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]2400 mbedtls_ctr_drbg_free( &global_data.ctr_drbg );
2401 mbedtls_entropy_free( &global_data.entropy );
2402 mbedtls_zeroize( &global_data, sizeof( global_data ) );
2403}
2404
2405psa_status_t psa_crypto_init( void )
2406{
2407 int ret;
2408 const unsigned char drbg_seed[] = "PSA";
2409
2410 if( global_data.initialized != 0 )
2411 return( PSA_SUCCESS );
2412
2413 mbedtls_zeroize( &global_data, sizeof( global_data ) );
2414 mbedtls_entropy_init( &global_data.entropy );
2415 mbedtls_ctr_drbg_init( &global_data.ctr_drbg );
2416
2417 ret = mbedtls_ctr_drbg_seed( &global_data.ctr_drbg,
2418 mbedtls_entropy_func,
2419 &global_data.entropy,
2420 drbg_seed, sizeof( drbg_seed ) - 1 );
2421 if( ret != 0 )
2422 goto exit;
2423
Gilles Peskinee4ebc122018-03-07 14:16:44 +0100[diff] [blame]2424 global_data.initialized = 1;
2425
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]2426exit:
2427 if( ret != 0 )
2428 mbedtls_psa_crypto_free( );
2429 return( mbedtls_to_psa_error( ret ) );
2430}
2431
2432#endif /* MBEDTLS_PSA_CRYPTO_C */