TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 6d9121381a8e170afab9a80aeafb11ff28e2a6a1 / . / library / psa_crypto.c
blob: cc631d950bb043001cdd0235b0732b29a77e0bee [file] [log] [blame]
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1/*
2 * PSA crypto layer on top of Mbed TLS crypto
3 */
4/* Copyright (C) 2018, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_PSA_CRYPTO_C)
29
30#include "psa/crypto.h"
31
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]32#include <stdlib.h>
33#include <string.h>
34#if defined(MBEDTLS_PLATFORM_C)
35#include "mbedtls/platform.h"
36#else
37#define mbedtls_calloc calloc
38#define mbedtls_free free
39#endif
40
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]41#include "mbedtls/arc4.h"
42#include "mbedtls/blowfish.h"
43#include "mbedtls/camellia.h"
44#include "mbedtls/cipher.h"
45#include "mbedtls/ccm.h"
46#include "mbedtls/cmac.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]47#include "mbedtls/ctr_drbg.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]48#include "mbedtls/des.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]49#include "mbedtls/ecp.h"
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]50#include "mbedtls/entropy.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]51#include "mbedtls/error.h"
52#include "mbedtls/gcm.h"
53#include "mbedtls/md2.h"
54#include "mbedtls/md4.h"
55#include "mbedtls/md5.h"
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]56#include "mbedtls/md.h"
57#include "mbedtls/md_internal.h"
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]58#include "mbedtls/pk.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]59#include "mbedtls/pk_internal.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]60#include "mbedtls/ripemd160.h"
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]61#include "mbedtls/rsa.h"
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]62#include "mbedtls/sha1.h"
63#include "mbedtls/sha256.h"
64#include "mbedtls/sha512.h"
65#include "mbedtls/xtea.h"
66
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]67
68
69/* Implementation that should never be optimized out by the compiler */
70static void mbedtls_zeroize( void *v, size_t n )
71{
72 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
73}
74
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]75/* constant-time buffer comparison */
76static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n )
77{
78 size_t i;
79 unsigned char diff = 0;
80
81 for( i = 0; i < n; i++ )
82 diff |= a[i] ^ b[i];
83
84 return( diff );
85}
86
87
88
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]89/****************************************************************/
90/* Global data, support functions and library management */
91/****************************************************************/
92
93/* Number of key slots (plus one because 0 is not used).
94 * The value is a compile-time constant for now, for simplicity. */
95#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
96
97typedef struct {
98 psa_key_type_t type;
99 union {
100 struct raw_data {
101 uint8_t *data;
102 size_t bytes;
103 } raw;
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]104#if defined(MBEDTLS_RSA_C)
105 mbedtls_rsa_context *rsa;
106#endif /* MBEDTLS_RSA_C */
107#if defined(MBEDTLS_ECP_C)
108 mbedtls_ecp_keypair *ecp;
109#endif /* MBEDTLS_ECP_C */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]110 } data;
111} key_slot_t;
112
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]113typedef struct {
114 int initialized;
115 mbedtls_entropy_context entropy;
116 mbedtls_ctr_drbg_context ctr_drbg;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]117 key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]118} psa_global_data_t;
119
120static psa_global_data_t global_data;
121
122static psa_status_t mbedtls_to_psa_error( int ret )
123{
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]124 /* If there's both a high-level code and low-level code, dispatch on
125 * the high-level code. */
126 switch( ret < -0x7f ? - ( -ret & 0x7f80 ) : ret )
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]127 {
128 case 0:
129 return( PSA_SUCCESS );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]130
131 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
132 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
133 case MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE:
134 return( PSA_ERROR_NOT_SUPPORTED );
135 case MBEDTLS_ERR_AES_HW_ACCEL_FAILED:
136 return( PSA_ERROR_HARDWARE_FAILURE );
137
138 case MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED:
139 return( PSA_ERROR_HARDWARE_FAILURE );
140
141 case MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH:
142 case MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH:
143 return( PSA_ERROR_NOT_SUPPORTED );
144 case MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED:
145 return( PSA_ERROR_HARDWARE_FAILURE );
146
147 case MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH:
148 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
149 return( PSA_ERROR_NOT_SUPPORTED );
150 case MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED:
151 return( PSA_ERROR_HARDWARE_FAILURE );
152
153 case MBEDTLS_ERR_CCM_BAD_INPUT:
154 return( PSA_ERROR_INVALID_ARGUMENT );
155 case MBEDTLS_ERR_CCM_AUTH_FAILED:
156 return( PSA_ERROR_INVALID_SIGNATURE );
157 case MBEDTLS_ERR_CCM_HW_ACCEL_FAILED:
158 return( PSA_ERROR_HARDWARE_FAILURE );
159
160 case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
161 return( PSA_ERROR_NOT_SUPPORTED );
162 case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
163 return( PSA_ERROR_INVALID_ARGUMENT );
164 case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
165 return( PSA_ERROR_INSUFFICIENT_MEMORY );
166 case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
167 return( PSA_ERROR_INVALID_PADDING );
168 case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
169 return( PSA_ERROR_BAD_STATE );
170 case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
171 return( PSA_ERROR_INVALID_SIGNATURE );
172 case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
173 return( PSA_ERROR_TAMPERING_DETECTED );
174 case MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED:
175 return( PSA_ERROR_HARDWARE_FAILURE );
176
177 case MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED:
178 return( PSA_ERROR_HARDWARE_FAILURE );
179
180 case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
181 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
182 case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
183 case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
184 return( PSA_ERROR_NOT_SUPPORTED );
185 case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
186 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
187
188 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
189 return( PSA_ERROR_NOT_SUPPORTED );
190 case MBEDTLS_ERR_DES_HW_ACCEL_FAILED:
191 return( PSA_ERROR_HARDWARE_FAILURE );
192
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]193 case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
194 case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
195 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
196 return( PSA_ERROR_INSUFFICIENT_ENTROPY );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]197
198 case MBEDTLS_ERR_GCM_AUTH_FAILED:
199 return( PSA_ERROR_INVALID_SIGNATURE );
200 case MBEDTLS_ERR_GCM_BAD_INPUT:
201 return( PSA_ERROR_NOT_SUPPORTED );
202 case MBEDTLS_ERR_GCM_HW_ACCEL_FAILED:
203 return( PSA_ERROR_HARDWARE_FAILURE );
204
205 case MBEDTLS_ERR_MD2_HW_ACCEL_FAILED:
206 case MBEDTLS_ERR_MD4_HW_ACCEL_FAILED:
207 case MBEDTLS_ERR_MD5_HW_ACCEL_FAILED:
208 return( PSA_ERROR_HARDWARE_FAILURE );
209
210 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
211 return( PSA_ERROR_NOT_SUPPORTED );
212 case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
213 return( PSA_ERROR_INVALID_ARGUMENT );
214 case MBEDTLS_ERR_MD_ALLOC_FAILED:
215 return( PSA_ERROR_INSUFFICIENT_MEMORY );
216 case MBEDTLS_ERR_MD_FILE_IO_ERROR:
217 return( PSA_ERROR_STORAGE_FAILURE );
218 case MBEDTLS_ERR_MD_HW_ACCEL_FAILED:
219 return( PSA_ERROR_HARDWARE_FAILURE );
220
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]221 case MBEDTLS_ERR_PK_ALLOC_FAILED:
222 return( PSA_ERROR_INSUFFICIENT_MEMORY );
223 case MBEDTLS_ERR_PK_TYPE_MISMATCH:
224 case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
225 return( PSA_ERROR_INVALID_ARGUMENT );
226 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]227 return( PSA_ERROR_STORAGE_FAILURE );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]228 case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
229 case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
230 return( PSA_ERROR_INVALID_ARGUMENT );
231 case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
232 return( PSA_ERROR_NOT_SUPPORTED );
233 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
234 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
235 return( PSA_ERROR_NOT_PERMITTED );
236 case MBEDTLS_ERR_PK_INVALID_PUBKEY:
237 return( PSA_ERROR_INVALID_ARGUMENT );
238 case MBEDTLS_ERR_PK_INVALID_ALG:
239 case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
240 case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
241 return( PSA_ERROR_NOT_SUPPORTED );
242 case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
243 return( PSA_ERROR_INVALID_SIGNATURE );
Gilles Peskinea5905292018-02-07 20:59:33 +0100[diff] [blame]244 case MBEDTLS_ERR_PK_HW_ACCEL_FAILED:
245 return( PSA_ERROR_HARDWARE_FAILURE );
246
247 case MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED:
248 return( PSA_ERROR_HARDWARE_FAILURE );
249
250 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
251 return( PSA_ERROR_INVALID_ARGUMENT );
252 case MBEDTLS_ERR_RSA_INVALID_PADDING:
253 return( PSA_ERROR_INVALID_PADDING );
254 case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
255 return( PSA_ERROR_HARDWARE_FAILURE );
256 case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
257 return( PSA_ERROR_INVALID_ARGUMENT );
258 case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
259 case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
260 return( PSA_ERROR_TAMPERING_DETECTED );
261 case MBEDTLS_ERR_RSA_VERIFY_FAILED:
262 return( PSA_ERROR_INVALID_SIGNATURE );
263 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
264 return( PSA_ERROR_BUFFER_TOO_SMALL );
265 case MBEDTLS_ERR_RSA_RNG_FAILED:
266 return( PSA_ERROR_INSUFFICIENT_MEMORY );
267 case MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:
268 return( PSA_ERROR_NOT_SUPPORTED );
269 case MBEDTLS_ERR_RSA_HW_ACCEL_FAILED:
270 return( PSA_ERROR_HARDWARE_FAILURE );
271
272 case MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED:
273 case MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED:
274 case MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED:
275 return( PSA_ERROR_HARDWARE_FAILURE );
276
277 case MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH:
278 return( PSA_ERROR_INVALID_ARGUMENT );
279 case MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED:
280 return( PSA_ERROR_HARDWARE_FAILURE );
281
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]282 default:
283 return( PSA_ERROR_UNKNOWN_ERROR );
284 }
285}
286
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]287
288
289/****************************************************************/
290/* Key management */
291/****************************************************************/
292
293psa_status_t psa_import_key(psa_key_slot_t key,
294 psa_key_type_t type,
295 const uint8_t *data,
296 size_t data_length)
297{
298 key_slot_t *slot;
299
300 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
301 return( PSA_ERROR_INVALID_ARGUMENT );
302 slot = &global_data.key_slots[key];
303 if( slot->type != PSA_KEY_TYPE_NONE )
304 return( PSA_ERROR_OCCUPIED_SLOT );
305
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]306 if( PSA_KEY_TYPE_IS_RAW_BYTES( type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]307 {
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame^]308 /* Ensure that a bytes-to-bit conversion won't overflow. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]309 if( data_length > SIZE_MAX / 8 )
310 return( PSA_ERROR_NOT_SUPPORTED );
311 slot->data.raw.data = mbedtls_calloc( 1, data_length );
312 if( slot->data.raw.data == NULL )
313 return( PSA_ERROR_INSUFFICIENT_MEMORY );
314 memcpy( slot->data.raw.data, data, data_length );
315 slot->data.raw.bytes = data_length;
316 }
317 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]318#if defined(MBEDTLS_PK_PARSE_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]319 if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
320 type == PSA_KEY_TYPE_RSA_KEYPAIR ||
321 PSA_KEY_TYPE_IS_ECC( type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]322 {
323 int ret;
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]324 mbedtls_pk_context pk;
325 mbedtls_pk_init( &pk );
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]326 if( PSA_KEY_TYPE_IS_KEYPAIR( type ) )
327 ret = mbedtls_pk_parse_key( &pk, data, data_length, NULL, 0 );
328 else
329 ret = mbedtls_pk_parse_public_key( &pk, data, data_length );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]330 if( ret != 0 )
331 return( mbedtls_to_psa_error( ret ) );
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]332 switch( mbedtls_pk_get_type( &pk ) )
333 {
334#if defined(MBEDTLS_RSA_C)
335 case MBEDTLS_PK_RSA:
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]336 if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
337 type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]338 slot->data.rsa = pk.pk_ctx;
339 else
340 return( PSA_ERROR_INVALID_ARGUMENT );
341 break;
342#endif /* MBEDTLS_RSA_C */
343#if defined(MBEDTLS_ECP_C)
344 case MBEDTLS_PK_ECKEY:
345 if( PSA_KEY_TYPE_IS_ECC( type ) )
346 {
347 // TODO: check curve
348 slot->data.ecp = pk.pk_ctx;
349 }
350 else
351 return( PSA_ERROR_INVALID_ARGUMENT );
352 break;
353#endif /* MBEDTLS_ECP_C */
354 default:
355 return( PSA_ERROR_INVALID_ARGUMENT );
356 }
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]357 }
358 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]359#endif /* defined(MBEDTLS_PK_PARSE_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]360 {
361 return( PSA_ERROR_NOT_SUPPORTED );
362 }
363
364 slot->type = type;
365 return( PSA_SUCCESS );
366}
367
368psa_status_t psa_destroy_key(psa_key_slot_t key)
369{
370 key_slot_t *slot;
371
372 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
373 return( PSA_ERROR_INVALID_ARGUMENT );
374 slot = &global_data.key_slots[key];
375 if( slot->type == PSA_KEY_TYPE_NONE )
376 return( PSA_ERROR_EMPTY_SLOT );
377
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]378 if( PSA_KEY_TYPE_IS_RAW_BYTES( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]379 {
380 mbedtls_free( slot->data.raw.data );
381 }
382 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]383#if defined(MBEDTLS_RSA_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]384 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
385 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]386 {
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]387 mbedtls_rsa_free( slot->data.rsa );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]388 }
389 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]390#endif /* defined(MBEDTLS_RSA_C) */
391#if defined(MBEDTLS_ECP_C)
392 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
393 {
394 mbedtls_ecp_keypair_free( slot->data.ecp );
395 }
396 else
397#endif /* defined(MBEDTLS_ECP_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]398 {
399 /* Shouldn't happen: the key type is not any type that we
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame^]400 * put in. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]401 return( PSA_ERROR_TAMPERING_DETECTED );
402 }
403
404 mbedtls_zeroize( slot, sizeof( *slot ) );
405 return( PSA_SUCCESS );
406}
407
408psa_status_t psa_get_key_information(psa_key_slot_t key,
409 psa_key_type_t *type,
410 size_t *bits)
411{
412 key_slot_t *slot;
413
414 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]415 return( PSA_ERROR_EMPTY_SLOT );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]416 slot = &global_data.key_slots[key];
417 if( type != NULL )
418 *type = slot->type;
419 if( bits != NULL )
420 *bits = 0;
421 if( slot->type == PSA_KEY_TYPE_NONE )
422 return( PSA_ERROR_EMPTY_SLOT );
423
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]424 if( PSA_KEY_TYPE_IS_RAW_BYTES( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]425 {
426 if( bits != NULL )
427 *bits = slot->data.raw.bytes * 8;
428 }
429 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]430#if defined(MBEDTLS_RSA_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]431 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
432 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]433 {
434 if( bits != NULL )
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]435 *bits = mbedtls_rsa_get_bitlen( slot->data.rsa );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]436 }
437 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]438#endif /* defined(MBEDTLS_RSA_C) */
439#if defined(MBEDTLS_ECP_C)
440 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
441 {
442 if( bits != NULL )
443 *bits = slot->data.ecp->grp.pbits;
444 }
445 else
446#endif /* defined(MBEDTLS_ECP_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]447 {
448 /* Shouldn't happen: the key type is not any type that we
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame^]449 * put in. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]450 return( PSA_ERROR_TAMPERING_DETECTED );
451 }
452
453 return( PSA_SUCCESS );
454}
455
456psa_status_t psa_export_key(psa_key_slot_t key,
457 uint8_t *data,
458 size_t data_size,
459 size_t *data_length)
460{
461 key_slot_t *slot;
462
463 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]464 return( PSA_ERROR_EMPTY_SLOT );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]465 slot = &global_data.key_slots[key];
466 if( slot->type == PSA_KEY_TYPE_NONE )
467 return( PSA_ERROR_EMPTY_SLOT );
468
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]469 if( PSA_KEY_TYPE_IS_RAW_BYTES( slot->type ) )
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]470 {
471 if( slot->data.raw.bytes > data_size )
472 return( PSA_ERROR_BUFFER_TOO_SMALL );
473 memcpy( data, slot->data.raw.data, slot->data.raw.bytes );
474 *data_length = slot->data.raw.bytes;
475 return( PSA_SUCCESS );
476 }
477 else
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]478#if defined(MBEDTLS_PK_WRITE_C)
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]479 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
480 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR ||
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]481 PSA_KEY_TYPE_IS_ECC( slot->type ) )
482 {
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]483 mbedtls_pk_context pk;
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]484 int ret;
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]485 mbedtls_pk_init( &pk );
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]486 if( slot->type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ||
487 slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
Gilles Peskine969ac722018-01-28 18:16:59 +0100[diff] [blame]488 {
489 pk.pk_info = &mbedtls_rsa_info;
490 pk.pk_ctx = slot->data.rsa;
491 }
492 else
493 {
494 pk.pk_info = &mbedtls_eckey_info;
495 pk.pk_ctx = slot->data.ecp;
496 }
Gilles Peskinec66ea6a2018-02-03 22:43:28 +0100[diff] [blame]497 if( PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
498 ret = mbedtls_pk_write_key_der( &pk, data, data_size );
499 else
500 ret = mbedtls_pk_write_pubkey_der( &pk, data, data_size );
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]501 if( ret < 0 )
502 return( mbedtls_to_psa_error( ret ) );
503 *data_length = ret;
504 return( PSA_SUCCESS );
505 }
506 else
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame^]507#endif /* defined(MBEDTLS_PK_WRITE_C) */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]508 {
Gilles Peskine6d912132018-03-07 16:41:37 +0100[diff] [blame^]509 /* This shouldn't happen in the reference implementation, but
510 it is valid for a special-purpose implementation to omit
511 support for exporting certain key types. */
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]512 return( PSA_ERROR_NOT_SUPPORTED );
513 }
514}
515
516
517
518/****************************************************************/
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]519/* Message digests */
520/****************************************************************/
521
522static const mbedtls_md_info_t *mbedtls_md_info_of_psa( psa_algorithm_t alg )
523{
524 switch( alg )
525 {
526#if defined(MBEDTLS_MD2_C)
527 case PSA_ALG_MD2:
528 return( &mbedtls_md2_info );
529#endif
530#if defined(MBEDTLS_MD4_C)
531 case PSA_ALG_MD4:
532 return( &mbedtls_md4_info );
533#endif
534#if defined(MBEDTLS_MD5_C)
535 case PSA_ALG_MD5:
536 return( &mbedtls_md5_info );
537#endif
538#if defined(MBEDTLS_RIPEMD160_C)
539 case PSA_ALG_RIPEMD160:
540 return( &mbedtls_ripemd160_info );
541#endif
542#if defined(MBEDTLS_SHA1_C)
543 case PSA_ALG_SHA_1:
544 return( &mbedtls_sha1_info );
545#endif
546#if defined(MBEDTLS_SHA256_C)
547 case PSA_ALG_SHA_224:
548 return( &mbedtls_sha224_info );
549 case PSA_ALG_SHA_256:
550 return( &mbedtls_sha256_info );
551#endif
552#if defined(MBEDTLS_SHA512_C)
553 case PSA_ALG_SHA_384:
554 return( &mbedtls_sha384_info );
555 case PSA_ALG_SHA_512:
556 return( &mbedtls_sha512_info );
557#endif
558 default:
559 return( NULL );
560 }
561}
562
563#if 0
564static psa_algorithm_t mbedtls_md_alg_to_psa( mbedtls_md_type_t md_alg )
565{
566 switch( md_alg )
567 {
568 case MBEDTLS_MD_NONE:
569 return( 0 );
570 case MBEDTLS_MD_MD2:
571 return( PSA_ALG_MD2 );
572 case MBEDTLS_MD_MD4:
573 return( PSA_ALG_MD4 );
574 case MBEDTLS_MD_MD5:
575 return( PSA_ALG_MD5 );
576 case MBEDTLS_MD_SHA1:
577 return( PSA_ALG_SHA_1 );
578 case MBEDTLS_MD_SHA224:
579 return( PSA_ALG_SHA_224 );
580 case MBEDTLS_MD_SHA256:
581 return( PSA_ALG_SHA_256 );
582 case MBEDTLS_MD_SHA384:
583 return( PSA_ALG_SHA_384 );
584 case MBEDTLS_MD_SHA512:
585 return( PSA_ALG_SHA_512 );
586 case MBEDTLS_MD_RIPEMD160:
587 return( PSA_ALG_RIPEMD160 );
588 default:
589 return( MBEDTLS_MD_NOT_SUPPORTED );
590 }
591}
592#endif
593
Gilles Peskine9ef733f2018-02-07 21:05:37 +0100[diff] [blame]594psa_status_t psa_hash_abort( psa_hash_operation_t *operation )
595{
596 switch( operation->alg )
597 {
598#if defined(MBEDTLS_MD2_C)
599 case PSA_ALG_MD2:
600 mbedtls_md2_free( &operation->ctx.md2 );
601 break;
602#endif
603#if defined(MBEDTLS_MD4_C)
604 case PSA_ALG_MD4:
605 mbedtls_md4_free( &operation->ctx.md4 );
606 break;
607#endif
608#if defined(MBEDTLS_MD5_C)
609 case PSA_ALG_MD5:
610 mbedtls_md5_free( &operation->ctx.md5 );
611 break;
612#endif
613#if defined(MBEDTLS_RIPEMD160_C)
614 case PSA_ALG_RIPEMD160:
615 mbedtls_ripemd160_free( &operation->ctx.ripemd160 );
616 break;
617#endif
618#if defined(MBEDTLS_SHA1_C)
619 case PSA_ALG_SHA_1:
620 mbedtls_sha1_free( &operation->ctx.sha1 );
621 break;
622#endif
623#if defined(MBEDTLS_SHA256_C)
624 case PSA_ALG_SHA_224:
625 case PSA_ALG_SHA_256:
626 mbedtls_sha256_free( &operation->ctx.sha256 );
627 break;
628#endif
629#if defined(MBEDTLS_SHA512_C)
630 case PSA_ALG_SHA_384:
631 case PSA_ALG_SHA_512:
632 mbedtls_sha512_free( &operation->ctx.sha512 );
633 break;
634#endif
635 default:
636 return( PSA_ERROR_NOT_SUPPORTED );
637 }
638 operation->alg = 0;
639 return( PSA_SUCCESS );
640}
641
642psa_status_t psa_hash_start( psa_hash_operation_t *operation,
643 psa_algorithm_t alg )
644{
645 int ret;
646 operation->alg = 0;
647 switch( alg )
648 {
649#if defined(MBEDTLS_MD2_C)
650 case PSA_ALG_MD2:
651 mbedtls_md2_init( &operation->ctx.md2 );
652 ret = mbedtls_md2_starts_ret( &operation->ctx.md2 );
653 break;
654#endif
655#if defined(MBEDTLS_MD4_C)
656 case PSA_ALG_MD4:
657 mbedtls_md4_init( &operation->ctx.md4 );
658 ret = mbedtls_md4_starts_ret( &operation->ctx.md4 );
659 break;
660#endif
661#if defined(MBEDTLS_MD5_C)
662 case PSA_ALG_MD5:
663 mbedtls_md5_init( &operation->ctx.md5 );
664 ret = mbedtls_md5_starts_ret( &operation->ctx.md5 );
665 break;
666#endif
667#if defined(MBEDTLS_RIPEMD160_C)
668 case PSA_ALG_RIPEMD160:
669 mbedtls_ripemd160_init( &operation->ctx.ripemd160 );
670 ret = mbedtls_ripemd160_starts_ret( &operation->ctx.ripemd160 );
671 break;
672#endif
673#if defined(MBEDTLS_SHA1_C)
674 case PSA_ALG_SHA_1:
675 mbedtls_sha1_init( &operation->ctx.sha1 );
676 ret = mbedtls_sha1_starts_ret( &operation->ctx.sha1 );
677 break;
678#endif
679#if defined(MBEDTLS_SHA256_C)
680 case PSA_ALG_SHA_224:
681 mbedtls_sha256_init( &operation->ctx.sha256 );
682 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 1 );
683 break;
684 case PSA_ALG_SHA_256:
685 mbedtls_sha256_init( &operation->ctx.sha256 );
686 ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 0 );
687 break;
688#endif
689#if defined(MBEDTLS_SHA512_C)
690 case PSA_ALG_SHA_384:
691 mbedtls_sha512_init( &operation->ctx.sha512 );
692 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 1 );
693 break;
694 case PSA_ALG_SHA_512:
695 mbedtls_sha512_init( &operation->ctx.sha512 );
696 ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 0 );
697 break;
698#endif
699 default:
700 return( PSA_ERROR_NOT_SUPPORTED );
701 }
702 if( ret == 0 )
703 operation->alg = alg;
704 else
705 psa_hash_abort( operation );
706 return( mbedtls_to_psa_error( ret ) );
707}
708
709psa_status_t psa_hash_update( psa_hash_operation_t *operation,
710 const uint8_t *input,
711 size_t input_length )
712{
713 int ret;
714 switch( operation->alg )
715 {
716#if defined(MBEDTLS_MD2_C)
717 case PSA_ALG_MD2:
718 ret = mbedtls_md2_update_ret( &operation->ctx.md2,
719 input, input_length );
720 break;
721#endif
722#if defined(MBEDTLS_MD4_C)
723 case PSA_ALG_MD4:
724 ret = mbedtls_md4_update_ret( &operation->ctx.md4,
725 input, input_length );
726 break;
727#endif
728#if defined(MBEDTLS_MD5_C)
729 case PSA_ALG_MD5:
730 ret = mbedtls_md5_update_ret( &operation->ctx.md5,
731 input, input_length );
732 break;
733#endif
734#if defined(MBEDTLS_RIPEMD160_C)
735 case PSA_ALG_RIPEMD160:
736 ret = mbedtls_ripemd160_update_ret( &operation->ctx.ripemd160,
737 input, input_length );
738 break;
739#endif
740#if defined(MBEDTLS_SHA1_C)
741 case PSA_ALG_SHA_1:
742 ret = mbedtls_sha1_update_ret( &operation->ctx.sha1,
743 input, input_length );
744 break;
745#endif
746#if defined(MBEDTLS_SHA256_C)
747 case PSA_ALG_SHA_224:
748 case PSA_ALG_SHA_256:
749 ret = mbedtls_sha256_update_ret( &operation->ctx.sha256,
750 input, input_length );
751 break;
752#endif
753#if defined(MBEDTLS_SHA512_C)
754 case PSA_ALG_SHA_384:
755 case PSA_ALG_SHA_512:
756 ret = mbedtls_sha512_update_ret( &operation->ctx.sha512,
757 input, input_length );
758 break;
759#endif
760 default:
761 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
762 break;
763 }
764 if( ret != 0 )
765 psa_hash_abort( operation );
766 return( mbedtls_to_psa_error( ret ) );
767}
768
769psa_status_t psa_hash_finish( psa_hash_operation_t *operation,
770 uint8_t *hash,
771 size_t hash_size,
772 size_t *hash_length )
773{
774 int ret;
775 size_t actual_hash_length = PSA_HASH_FINAL_SIZE( operation->alg );
776
777 /* Fill the output buffer with something that isn't a valid hash
778 * (barring an attack on the hash and deliberately-crafted input),
779 * in case the caller doesn't check the return status properly. */
780 *hash_length = actual_hash_length;
781 memset( hash, '!', hash_size );
782
783 if( hash_size < actual_hash_length )
784 return( PSA_ERROR_BUFFER_TOO_SMALL );
785
786 switch( operation->alg )
787 {
788#if defined(MBEDTLS_MD2_C)
789 case PSA_ALG_MD2:
790 ret = mbedtls_md2_finish_ret( &operation->ctx.md2, hash );
791 break;
792#endif
793#if defined(MBEDTLS_MD4_C)
794 case PSA_ALG_MD4:
795 ret = mbedtls_md4_finish_ret( &operation->ctx.md4, hash );
796 break;
797#endif
798#if defined(MBEDTLS_MD5_C)
799 case PSA_ALG_MD5:
800 ret = mbedtls_md5_finish_ret( &operation->ctx.md5, hash );
801 break;
802#endif
803#if defined(MBEDTLS_RIPEMD160_C)
804 case PSA_ALG_RIPEMD160:
805 ret = mbedtls_ripemd160_finish_ret( &operation->ctx.ripemd160, hash );
806 break;
807#endif
808#if defined(MBEDTLS_SHA1_C)
809 case PSA_ALG_SHA_1:
810 ret = mbedtls_sha1_finish_ret( &operation->ctx.sha1, hash );
811 break;
812#endif
813#if defined(MBEDTLS_SHA256_C)
814 case PSA_ALG_SHA_224:
815 case PSA_ALG_SHA_256:
816 ret = mbedtls_sha256_finish_ret( &operation->ctx.sha256, hash );
817 break;
818#endif
819#if defined(MBEDTLS_SHA512_C)
820 case PSA_ALG_SHA_384:
821 case PSA_ALG_SHA_512:
822 ret = mbedtls_sha512_finish_ret( &operation->ctx.sha512, hash );
823 break;
824#endif
825 default:
826 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
827 break;
828 }
829
830 if( ret == 0 )
831 {
832 return( psa_hash_abort( operation ) );
833 }
834 else
835 {
836 psa_hash_abort( operation );
837 return( mbedtls_to_psa_error( ret ) );
838 }
839}
840
841psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
842 const uint8_t *hash,
843 size_t hash_length)
844{
845 uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE];
846 size_t actual_hash_length;
847 psa_status_t status = psa_hash_finish( operation,
848 actual_hash, sizeof( actual_hash ),
849 &actual_hash_length );
850 if( status != PSA_SUCCESS )
851 return( status );
852 if( actual_hash_length != hash_length )
853 return( PSA_ERROR_INVALID_SIGNATURE );
854 if( safer_memcmp( hash, actual_hash, actual_hash_length ) != 0 )
855 return( PSA_ERROR_INVALID_SIGNATURE );
856 return( PSA_SUCCESS );
857}
858
859
860
861
862/****************************************************************/
Gilles Peskine8c9def32018-02-08 10:02:12 +0100[diff] [blame]863/* MAC */
864/****************************************************************/
865
866static const mbedtls_cipher_info_t *mbedtls_cipher_info_of_psa(
867 psa_algorithm_t alg,
868 psa_key_type_t key_type,
869 size_t key_bits )
870{
871 mbedtls_cipher_id_t cipher_id;
872 mbedtls_cipher_mode_t mode;
873
874 if( PSA_ALG_IS_CIPHER( alg ) || PSA_ALG_IS_AEAD( alg ) )
875 {
876 if( PSA_ALG_IS_BLOCK_CIPHER( alg ) )
877 alg &= ~PSA_ALG_BLOCK_CIPHER_MODE_MASK;
878 switch( alg )
879 {
880 case PSA_ALG_STREAM_CIPHER:
881 mode = MBEDTLS_MODE_STREAM;
882 break;
883 case PSA_ALG_CBC_BASE:
884 mode = MBEDTLS_MODE_CBC;
885 break;
886 case PSA_ALG_CFB_BASE:
887 mode = MBEDTLS_MODE_CFB;
888 break;
889 case PSA_ALG_OFB_BASE:
890 mode = MBEDTLS_MODE_OFB;
891 break;
892 case PSA_ALG_CTR:
893 mode = MBEDTLS_MODE_CTR;
894 break;
895 case PSA_ALG_CCM:
896 mode = MBEDTLS_MODE_CCM;
897 break;
898 case PSA_ALG_GCM:
899 mode = MBEDTLS_MODE_GCM;
900 break;
901 default:
902 return( NULL );
903 }
904 }
905 else if( alg == PSA_ALG_CMAC )
906 mode = MBEDTLS_MODE_ECB;
907 else if( alg == PSA_ALG_GMAC )
908 mode = MBEDTLS_MODE_GCM;
909 else
910 return( NULL );
911
912 switch( key_type )
913 {
914 case PSA_KEY_TYPE_AES:
915 cipher_id = MBEDTLS_CIPHER_ID_AES;
916 break;
917 case PSA_KEY_TYPE_DES:
918 if( key_bits == 64 )
919 cipher_id = MBEDTLS_CIPHER_ID_DES;
920 else
921 cipher_id = MBEDTLS_CIPHER_ID_3DES;
922 break;
923 case PSA_KEY_TYPE_CAMELLIA:
924 cipher_id = MBEDTLS_CIPHER_ID_CAMELLIA;
925 break;
926 case PSA_KEY_TYPE_ARC4:
927 cipher_id = MBEDTLS_CIPHER_ID_ARC4;
928 break;
929 default:
930 return( NULL );
931 }
932
933 return( mbedtls_cipher_info_from_values( cipher_id, key_bits, mode ) );
934}
935
936psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
937{
938 switch( operation->alg )
939 {
940#if defined(MBEDTLS_CMAC_C)
941 case PSA_ALG_CMAC:
942 mbedtls_cipher_free( &operation->ctx.cmac );
943 break;
944#endif /* MBEDTLS_CMAC_C */
945 default:
946#if defined(MBEDTLS_MD_C)
947 if( PSA_ALG_IS_HMAC( operation->alg ) )
948 mbedtls_md_free( &operation->ctx.hmac );
949 else
950#endif /* MBEDTLS_MD_C */
951 return( PSA_ERROR_NOT_SUPPORTED );
952 }
953 operation->alg = 0;
954 operation->key_set = 0;
955 operation->iv_set = 0;
956 operation->iv_required = 0;
957 operation->has_input = 0;
958 return( PSA_SUCCESS );
959}
960
961psa_status_t psa_mac_start( psa_mac_operation_t *operation,
962 psa_key_slot_t key,
963 psa_algorithm_t alg )
964{
965 int ret = MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
966 psa_status_t status;
967 key_slot_t *slot;
968 psa_key_type_t key_type;
969 size_t key_bits;
970 const mbedtls_cipher_info_t *cipher_info = NULL;
971
972 operation->alg = 0;
973 operation->key_set = 0;
974 operation->iv_set = 0;
975 operation->iv_required = 1;
976 operation->has_input = 0;
977
978 status = psa_get_key_information( key, &key_type, &key_bits );
979 if( status != PSA_SUCCESS )
980 return( status );
981 slot = &global_data.key_slots[key];
982
983 if( ! PSA_ALG_IS_HMAC( alg ) )
984 {
985 cipher_info = mbedtls_cipher_info_of_psa( alg, key_type, key_bits );
986 if( cipher_info == NULL )
987 return( PSA_ERROR_NOT_SUPPORTED );
988 operation->mac_size = cipher_info->block_size;
989 }
990 switch( alg )
991 {
992#if defined(MBEDTLS_CMAC_C)
993 case PSA_ALG_CMAC:
994 operation->iv_required = 0;
995 mbedtls_cipher_init( &operation->ctx.cmac );
996 ret = mbedtls_cipher_setup( &operation->ctx.cmac, cipher_info );
997 if( ret != 0 )
998 break;
999 ret = mbedtls_cipher_cmac_starts( &operation->ctx.cmac,
1000 slot->data.raw.data,
1001 key_bits );
1002 break;
1003#endif /* MBEDTLS_CMAC_C */
1004 default:
1005#if defined(MBEDTLS_MD_C)
1006 if( PSA_ALG_IS_HMAC( alg ) )
1007 {
1008 const mbedtls_md_info_t *md_info =
1009 mbedtls_md_info_of_psa( PSA_ALG_HMAC_HASH( alg ) );
1010 if( md_info == NULL )
1011 return( PSA_ERROR_NOT_SUPPORTED );
1012 if( key_type != PSA_KEY_TYPE_HMAC )
1013 return( PSA_ERROR_INVALID_ARGUMENT );
1014 operation->iv_required = 0;
1015 operation->mac_size = mbedtls_md_get_size( md_info );
1016 mbedtls_md_init( &operation->ctx.hmac );
1017 ret = mbedtls_md_setup( &operation->ctx.hmac, md_info, 1 );
1018 if( ret != 0 )
1019 break;
1020 ret = mbedtls_md_hmac_starts( &operation->ctx.hmac,
1021 slot->data.raw.data,
1022 slot->data.raw.bytes );
1023 break;
1024 }
1025 else
1026#endif /* MBEDTLS_MD_C */
1027 return( PSA_ERROR_NOT_SUPPORTED );
1028 }
1029
1030 /* If we reach this point, then the algorithm-specific part of the
1031 * context has at least been initialized, and may contain data that
1032 * needs to be wiped on error. */
1033 operation->alg = alg;
1034 if( ret != 0 )
1035 {
1036 psa_mac_abort( operation );
1037 return( mbedtls_to_psa_error( ret ) );
1038 }
1039 operation->key_set = 1;
1040 return( 0 );
1041}
1042
1043psa_status_t psa_mac_update( psa_mac_operation_t *operation,
1044 const uint8_t *input,
1045 size_t input_length )
1046{
1047 int ret;
1048 if( ! operation->key_set )
1049 return( PSA_ERROR_BAD_STATE );
1050 if( operation->iv_required && ! operation->iv_set )
1051 return( PSA_ERROR_BAD_STATE );
1052 operation->has_input = 1;
1053
1054 switch( operation->alg )
1055 {
1056#if defined(MBEDTLS_CMAC_C)
1057 case PSA_ALG_CMAC:
1058 ret = mbedtls_cipher_cmac_update( &operation->ctx.cmac,
1059 input, input_length );
1060 break;
1061#endif /* MBEDTLS_CMAC_C */
1062 default:
1063#if defined(MBEDTLS_MD_C)
1064 if( PSA_ALG_IS_HMAC( operation->alg ) )
1065 {
1066 ret = mbedtls_md_hmac_update( &operation->ctx.hmac,
1067 input, input_length );
1068 }
1069 else
1070#endif /* MBEDTLS_MD_C */
1071 {
1072 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
1073 }
1074 break;
1075 }
1076 if( ret != 0 )
1077 psa_mac_abort( operation );
1078 return( mbedtls_to_psa_error( ret ) );
1079}
1080
1081psa_status_t psa_mac_finish( psa_mac_operation_t *operation,
1082 uint8_t *mac,
1083 size_t mac_size,
1084 size_t *mac_length )
1085{
1086 int ret;
1087 if( ! operation->key_set )
1088 return( PSA_ERROR_BAD_STATE );
1089 if( operation->iv_required && ! operation->iv_set )
1090 return( PSA_ERROR_BAD_STATE );
1091
1092 /* Fill the output buffer with something that isn't a valid mac
1093 * (barring an attack on the mac and deliberately-crafted input),
1094 * in case the caller doesn't check the return status properly. */
1095 *mac_length = operation->mac_size;
1096 memset( mac, '!', mac_size );
1097
1098 if( mac_size < operation->mac_size )
1099 return( PSA_ERROR_BUFFER_TOO_SMALL );
1100
1101 switch( operation->alg )
1102 {
1103#if defined(MBEDTLS_CMAC_C)
1104 case PSA_ALG_CMAC:
1105 ret = mbedtls_cipher_cmac_finish( &operation->ctx.cmac, mac );
1106 break;
1107#endif /* MBEDTLS_CMAC_C */
1108 default:
1109#if defined(MBEDTLS_MD_C)
1110 if( PSA_ALG_IS_HMAC( operation->alg ) )
1111 {
1112 ret = mbedtls_md_hmac_finish( &operation->ctx.hmac, mac );
1113 }
1114 else
1115#endif /* MBEDTLS_MD_C */
1116 {
1117 ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
1118 }
1119 break;
1120 }
1121
1122 if( ret == 0 )
1123 {
1124 return( psa_mac_abort( operation ) );
1125 }
1126 else
1127 {
1128 psa_mac_abort( operation );
1129 return( mbedtls_to_psa_error( ret ) );
1130 }
1131}
1132
1133#define MBEDTLS_PSA_MAC_MAX_SIZE \
1134 ( MBEDTLS_MD_MAX_SIZE > MBEDTLS_MAX_BLOCK_LENGTH ? \
1135 MBEDTLS_MD_MAX_SIZE : \
1136 MBEDTLS_MAX_BLOCK_LENGTH )
1137psa_status_t psa_mac_verify( psa_mac_operation_t *operation,
1138 const uint8_t *mac,
1139 size_t mac_length )
1140{
1141 uint8_t actual_mac[MBEDTLS_PSA_MAC_MAX_SIZE];
1142 size_t actual_mac_length;
1143 psa_status_t status = psa_mac_finish( operation,
1144 actual_mac, sizeof( actual_mac ),
1145 &actual_mac_length );
1146 if( status != PSA_SUCCESS )
1147 return( status );
1148 if( actual_mac_length != mac_length )
1149 return( PSA_ERROR_INVALID_SIGNATURE );
1150 if( safer_memcmp( mac, actual_mac, actual_mac_length ) != 0 )
1151 return( PSA_ERROR_INVALID_SIGNATURE );
1152 return( PSA_SUCCESS );
1153}
1154
1155
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1156
1157
1158/****************************************************************/
1159/* Asymmetric cryptography */
1160/****************************************************************/
1161
1162psa_status_t psa_asymmetric_sign(psa_key_slot_t key,
1163 psa_algorithm_t alg,
1164 const uint8_t *hash,
1165 size_t hash_length,
1166 const uint8_t *salt,
1167 size_t salt_length,
1168 uint8_t *signature,
1169 size_t signature_size,
1170 size_t *signature_length)
1171{
1172 key_slot_t *slot;
1173
Gilles Peskine93aa0332018-02-03 23:58:03 +0100[diff] [blame]1174 *signature_length = 0;
1175 (void) salt;
1176 (void) salt_length;
1177
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1178 if( key == 0 || key > MBEDTLS_PSA_KEY_SLOT_COUNT )
1179 return( PSA_ERROR_EMPTY_SLOT );
1180 slot = &global_data.key_slots[key];
1181 if( slot->type == PSA_KEY_TYPE_NONE )
1182 return( PSA_ERROR_EMPTY_SLOT );
1183 if( ! PSA_KEY_TYPE_IS_KEYPAIR( slot->type ) )
1184 return( PSA_ERROR_INVALID_ARGUMENT );
1185
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1186#if defined(MBEDTLS_RSA_C)
1187 if( slot->type == PSA_KEY_TYPE_RSA_KEYPAIR )
1188 {
1189 mbedtls_rsa_context *rsa = slot->data.rsa;
1190 int ret;
1191 psa_algorithm_t hash_alg = PSA_ALG_RSA_GET_HASH( alg );
1192 const mbedtls_md_info_t *md_info = mbedtls_md_info_of_psa( hash_alg );
1193 mbedtls_md_type_t md_alg =
1194 hash_alg == 0 ? MBEDTLS_MD_NONE : mbedtls_md_get_type( md_info );
1195 if( md_alg == MBEDTLS_MD_NONE )
1196 {
1197#if SIZE_MAX > UINT_MAX
1198 if( hash_length > UINT_MAX )
1199 return( PSA_ERROR_INVALID_ARGUMENT );
1200#endif
1201 }
1202 else
1203 {
1204 if( mbedtls_md_get_size( md_info ) != hash_length )
1205 return( PSA_ERROR_INVALID_ARGUMENT );
1206 if( md_info == NULL )
1207 return( PSA_ERROR_NOT_SUPPORTED );
1208 }
1209 if( signature_size < rsa->len )
1210 return( PSA_ERROR_BUFFER_TOO_SMALL );
1211#if defined(MBEDTLS_PKCS1_V15)
1212 if( PSA_ALG_IS_RSA_PKCS1V15( alg ) )
1213 {
1214 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
1215 MBEDTLS_MD_NONE );
1216 ret = mbedtls_rsa_pkcs1_sign( rsa,
1217 mbedtls_ctr_drbg_random,
1218 &global_data.ctr_drbg,
1219 MBEDTLS_RSA_PRIVATE,
1220 md_alg, hash_length, hash,
1221 signature );
1222 }
1223 else
1224#endif /* MBEDTLS_PKCS1_V15 */
1225#if defined(MBEDTLS_PKCS1_V21)
1226 if( alg == PSA_ALG_RSA_PSS_MGF1 )
1227 {
1228 mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
1229 ret = mbedtls_rsa_rsassa_pss_sign( rsa,
1230 mbedtls_ctr_drbg_random,
1231 &global_data.ctr_drbg,
1232 MBEDTLS_RSA_PRIVATE,
1233 md_alg, hash_length, hash,
1234 signature );
1235 }
1236 else
1237#endif /* MBEDTLS_PKCS1_V21 */
1238 {
1239 return( PSA_ERROR_INVALID_ARGUMENT );
1240 }
Gilles Peskine93aa0332018-02-03 23:58:03 +0100[diff] [blame]1241 if( ret == 0 )
1242 *signature_length = rsa->len;
Gilles Peskine20035e32018-02-03 22:44:14 +0100[diff] [blame]1243 return( mbedtls_to_psa_error( ret ) );
1244 }
1245 else
1246#endif /* defined(MBEDTLS_RSA_C) */
1247#if defined(MBEDTLS_ECP_C)
1248 if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
1249 {
1250 // TODO
1251 return( PSA_ERROR_NOT_SUPPORTED );
1252 }
1253 else
1254#endif /* defined(MBEDTLS_ECP_C) */
1255 {
1256 return( PSA_ERROR_NOT_SUPPORTED );
1257 }
1258}
1259
1260
1261
1262/****************************************************************/
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]1263/* Module setup */
1264/****************************************************************/
1265
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1266void mbedtls_psa_crypto_free( void )
1267{
Gilles Peskine2f9c4dc2018-01-28 13:16:24 +0100[diff] [blame]1268 size_t key;
1269 for( key = 1; key < MBEDTLS_PSA_KEY_SLOT_COUNT; key++ )
1270 psa_destroy_key( key );
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1271 mbedtls_ctr_drbg_free( &global_data.ctr_drbg );
1272 mbedtls_entropy_free( &global_data.entropy );
1273 mbedtls_zeroize( &global_data, sizeof( global_data ) );
1274}
1275
1276psa_status_t psa_crypto_init( void )
1277{
1278 int ret;
1279 const unsigned char drbg_seed[] = "PSA";
1280
1281 if( global_data.initialized != 0 )
1282 return( PSA_SUCCESS );
1283
1284 mbedtls_zeroize( &global_data, sizeof( global_data ) );
1285 mbedtls_entropy_init( &global_data.entropy );
1286 mbedtls_ctr_drbg_init( &global_data.ctr_drbg );
1287
1288 ret = mbedtls_ctr_drbg_seed( &global_data.ctr_drbg,
1289 mbedtls_entropy_func,
1290 &global_data.entropy,
1291 drbg_seed, sizeof( drbg_seed ) - 1 );
1292 if( ret != 0 )
1293 goto exit;
1294
Gilles Peskinee4ebc122018-03-07 14:16:44 +0100[diff] [blame]1295 global_data.initialized = 1;
1296
Gilles Peskinee59236f2018-01-27 23:32:46 +0100[diff] [blame]1297exit:
1298 if( ret != 0 )
1299 mbedtls_psa_crypto_free( );
1300 return( mbedtls_to_psa_error( ret ) );
1301}
1302
1303#endif /* MBEDTLS_PSA_CRYPTO_C */