1 /*
2 * PSA crypto layer on top of Mbed TLS crypto
3 */
4 /*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7 */
8
9 #include "common.h"
10 #include "psa_crypto_core_common.h"
11
12 #if defined(MBEDTLS_PSA_CRYPTO_C)
13
14 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
15 #include "check_crypto_config.h"
16 #endif
17
18 #include "psa/crypto.h"
19 #include "psa/crypto_values.h"
20
21 #include "psa_crypto_cipher.h"
22 #include "psa_crypto_core.h"
23 #include "psa_crypto_invasive.h"
24 #include "psa_crypto_driver_wrappers.h"
25 #include "psa_crypto_driver_wrappers_no_static.h"
26 #include "psa_crypto_ecp.h"
27 #include "psa_crypto_ffdh.h"
28 #include "psa_crypto_hash.h"
29 #include "psa_crypto_mac.h"
30 #include "psa_crypto_rsa.h"
31 #include "psa_crypto_ecp.h"
32 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
33 #include "psa_crypto_se.h"
34 #endif
35 #include "psa_crypto_slot_management.h"
36 /* Include internal declarations that are useful for implementing persistently
37 * stored keys. */
38 #include "psa_crypto_storage.h"
39
40 #include "psa_crypto_random_impl.h"
41
42 #include <stdlib.h>
43 #include <string.h>
44 #include "mbedtls/platform.h"
45
46 #include "mbedtls/aes.h"
47 #include "mbedtls/asn1.h"
48 #include "mbedtls/asn1write.h"
49 #include "mbedtls/bignum.h"
50 #include "mbedtls/camellia.h"
51 #include "mbedtls/chacha20.h"
52 #include "mbedtls/chachapoly.h"
53 #include "mbedtls/cipher.h"
54 #include "mbedtls/ccm.h"
55 #include "mbedtls/cmac.h"
56 #include "mbedtls/constant_time.h"
57 #include "mbedtls/des.h"
58 #include "mbedtls/ecdh.h"
59 #include "mbedtls/ecp.h"
60 #include "mbedtls/entropy.h"
61 #include "mbedtls/error.h"
62 #include "mbedtls/gcm.h"
63 #include "mbedtls/md5.h"
64 #include "mbedtls/pk.h"
65 #include "pk_wrap.h"
66 #include "mbedtls/platform_util.h"
67 #include "mbedtls/error.h"
68 #include "mbedtls/ripemd160.h"
69 #include "mbedtls/rsa.h"
70 #include "mbedtls/sha1.h"
71 #include "mbedtls/sha256.h"
72 #include "mbedtls/sha512.h"
73 #include "mbedtls/psa_util.h"
74 #include "mbedtls/threading.h"
75
76 #include "constant_time_internal.h"
77
78 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
79 defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
80 defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
81 #define BUILTIN_ALG_ANY_HKDF 1
82 #endif
83
84 /****************************************************************/
85 /* Global data, support functions and library management */
86 /****************************************************************/
87
key_type_is_raw_bytes(psa_key_type_t type)88 static int key_type_is_raw_bytes(psa_key_type_t type)
89 {
90 return PSA_KEY_TYPE_IS_UNSTRUCTURED(type);
91 }
92
93 /* Values for psa_global_data_t::rng_state */
94 #define RNG_NOT_INITIALIZED 0
95 #define RNG_INITIALIZED 1
96 #define RNG_SEEDED 2
97
98 /* IDs for PSA crypto subsystems. Starts at 1 to catch potential uninitialized
99 * variables as arguments. */
100 typedef enum {
101 PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS = 1,
102 PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS,
103 PSA_CRYPTO_SUBSYSTEM_RNG,
104 PSA_CRYPTO_SUBSYSTEM_TRANSACTION,
105 } mbedtls_psa_crypto_subsystem;
106
107 /* Initialization flags for global_data::initialized */
108 #define PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED 0x01
109 #define PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED 0x02
110 #define PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED 0x04
111
112 #define PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED ( \
113 PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED | \
114 PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED | \
115 PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)
116
117 typedef struct {
118 uint8_t initialized;
119 uint8_t rng_state;
120 mbedtls_psa_random_context_t rng;
121 } psa_global_data_t;
122
123 static psa_global_data_t global_data;
124
psa_get_initialized(void)125 static uint8_t psa_get_initialized(void)
126 {
127 uint8_t initialized;
128
129 #if defined(MBEDTLS_THREADING_C)
130 mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
131 #endif /* defined(MBEDTLS_THREADING_C) */
132
133 initialized = global_data.rng_state == RNG_SEEDED;
134
135 #if defined(MBEDTLS_THREADING_C)
136 mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
137 #endif /* defined(MBEDTLS_THREADING_C) */
138
139 #if defined(MBEDTLS_THREADING_C)
140 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
141 #endif /* defined(MBEDTLS_THREADING_C) */
142
143 initialized =
144 (initialized && (global_data.initialized == PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED));
145
146 #if defined(MBEDTLS_THREADING_C)
147 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
148 #endif /* defined(MBEDTLS_THREADING_C) */
149
150 return initialized;
151 }
152
psa_get_drivers_initialized(void)153 static uint8_t psa_get_drivers_initialized(void)
154 {
155 uint8_t initialized;
156
157 #if defined(MBEDTLS_THREADING_C)
158 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
159 #endif /* defined(MBEDTLS_THREADING_C) */
160
161 initialized = (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) != 0;
162
163 #if defined(MBEDTLS_THREADING_C)
164 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
165 #endif /* defined(MBEDTLS_THREADING_C) */
166
167 return initialized;
168 }
169
170 #define GUARD_MODULE_INITIALIZED \
171 if (psa_get_initialized() == 0) \
172 return PSA_ERROR_BAD_STATE;
173
174 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
175
176 /* Declare a local copy of an input buffer and a variable that will be used
177 * to store a pointer to the start of the buffer.
178 *
179 * Note: This macro must be called before any operations which may jump to
180 * the exit label, so that the local input copy object is safe to be freed.
181 *
182 * Assumptions:
183 * - input is the name of a pointer to the buffer to be copied
184 * - The name LOCAL_INPUT_COPY_OF_input is unused in the current scope
185 * - input_copy_name is a name that is unused in the current scope
186 */
187 #define LOCAL_INPUT_DECLARE(input, input_copy_name) \
188 psa_crypto_local_input_t LOCAL_INPUT_COPY_OF_##input = PSA_CRYPTO_LOCAL_INPUT_INIT; \
189 const uint8_t *input_copy_name = NULL;
190
191 /* Allocate a copy of the buffer input and set the pointer input_copy to
192 * point to the start of the copy.
193 *
194 * Assumptions:
195 * - psa_status_t status exists
196 * - An exit label is declared
197 * - input is the name of a pointer to the buffer to be copied
198 * - LOCAL_INPUT_DECLARE(input, input_copy) has previously been called
199 */
200 #define LOCAL_INPUT_ALLOC(input, length, input_copy) \
201 status = psa_crypto_local_input_alloc(input, length, \
202 &LOCAL_INPUT_COPY_OF_##input); \
203 if (status != PSA_SUCCESS) { \
204 goto exit; \
205 } \
206 input_copy = LOCAL_INPUT_COPY_OF_##input.buffer;
207
208 /* Free the local input copy allocated previously by LOCAL_INPUT_ALLOC()
209 *
210 * Assumptions:
211 * - input_copy is the name of the input copy pointer set by LOCAL_INPUT_ALLOC()
212 * - input is the name of the original buffer that was copied
213 */
214 #define LOCAL_INPUT_FREE(input, input_copy) \
215 input_copy = NULL; \
216 psa_crypto_local_input_free(&LOCAL_INPUT_COPY_OF_##input);
217
218 /* Declare a local copy of an output buffer and a variable that will be used
219 * to store a pointer to the start of the buffer.
220 *
221 * Note: This macro must be called before any operations which may jump to
222 * the exit label, so that the local output copy object is safe to be freed.
223 *
224 * Assumptions:
225 * - output is the name of a pointer to the buffer to be copied
226 * - The name LOCAL_OUTPUT_COPY_OF_output is unused in the current scope
227 * - output_copy_name is a name that is unused in the current scope
228 */
229 #define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \
230 psa_crypto_local_output_t LOCAL_OUTPUT_COPY_OF_##output = PSA_CRYPTO_LOCAL_OUTPUT_INIT; \
231 uint8_t *output_copy_name = NULL;
232
233 /* Allocate a copy of the buffer output and set the pointer output_copy to
234 * point to the start of the copy.
235 *
236 * Assumptions:
237 * - psa_status_t status exists
238 * - An exit label is declared
239 * - output is the name of a pointer to the buffer to be copied
240 * - LOCAL_OUTPUT_DECLARE(output, output_copy) has previously been called
241 */
242 #define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \
243 status = psa_crypto_local_output_alloc(output, length, \
244 &LOCAL_OUTPUT_COPY_OF_##output); \
245 if (status != PSA_SUCCESS) { \
246 goto exit; \
247 } \
248 output_copy = LOCAL_OUTPUT_COPY_OF_##output.buffer;
249
250 /* Free the local output copy allocated previously by LOCAL_OUTPUT_ALLOC()
251 * after first copying back its contents to the original buffer.
252 *
253 * Assumptions:
254 * - psa_status_t status exists
255 * - output_copy is the name of the output copy pointer set by LOCAL_OUTPUT_ALLOC()
256 * - output is the name of the original buffer that was copied
257 */
258 #define LOCAL_OUTPUT_FREE(output, output_copy) \
259 output_copy = NULL; \
260 do { \
261 psa_status_t local_output_status; \
262 local_output_status = psa_crypto_local_output_free(&LOCAL_OUTPUT_COPY_OF_##output); \
263 if (local_output_status != PSA_SUCCESS) { \
264 /* Since this error case is an internal error, it's more serious than \
265 * any existing error code and so it's fine to overwrite the existing \
266 * status. */ \
267 status = local_output_status; \
268 } \
269 } while (0)
270 #else /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
271 #define LOCAL_INPUT_DECLARE(input, input_copy_name) \
272 const uint8_t *input_copy_name = NULL;
273 #define LOCAL_INPUT_ALLOC(input, length, input_copy) \
274 input_copy = input;
275 #define LOCAL_INPUT_FREE(input, input_copy) \
276 input_copy = NULL;
277 #define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \
278 uint8_t *output_copy_name = NULL;
279 #define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \
280 output_copy = output;
281 #define LOCAL_OUTPUT_FREE(output, output_copy) \
282 output_copy = NULL;
283 #endif /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
284
285
psa_can_do_hash(psa_algorithm_t hash_alg)286 int psa_can_do_hash(psa_algorithm_t hash_alg)
287 {
288 (void) hash_alg;
289 return psa_get_drivers_initialized();
290 }
291
psa_can_do_cipher(psa_key_type_t key_type,psa_algorithm_t cipher_alg)292 int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg)
293 {
294 (void) key_type;
295 (void) cipher_alg;
296 return psa_get_drivers_initialized();
297 }
298
299
300 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
301 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
302 defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
psa_is_dh_key_size_valid(size_t bits)303 static int psa_is_dh_key_size_valid(size_t bits)
304 {
305 switch (bits) {
306 #if defined(PSA_WANT_DH_RFC7919_2048)
307 case 2048:
308 return 1;
309 #endif /* PSA_WANT_DH_RFC7919_2048 */
310 #if defined(PSA_WANT_DH_RFC7919_3072)
311 case 3072:
312 return 1;
313 #endif /* PSA_WANT_DH_RFC7919_3072 */
314 #if defined(PSA_WANT_DH_RFC7919_4096)
315 case 4096:
316 return 1;
317 #endif /* PSA_WANT_DH_RFC7919_4096 */
318 #if defined(PSA_WANT_DH_RFC7919_6144)
319 case 6144:
320 return 1;
321 #endif /* PSA_WANT_DH_RFC7919_6144 */
322 #if defined(PSA_WANT_DH_RFC7919_8192)
323 case 8192:
324 return 1;
325 #endif /* PSA_WANT_DH_RFC7919_8192 */
326 default:
327 return 0;
328 }
329 }
330 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT ||
331 MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
332 PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
333
mbedtls_to_psa_error(int ret)334 psa_status_t mbedtls_to_psa_error(int ret)
335 {
336 /* Mbed TLS error codes can combine a high-level error code and a
337 * low-level error code. The low-level error usually reflects the
338 * root cause better, so dispatch on that preferably. */
339 int low_level_ret = -(-ret & 0x007f);
340 switch (low_level_ret != 0 ? low_level_ret : ret) {
341 case 0:
342 return PSA_SUCCESS;
343
344 #if defined(MBEDTLS_AES_C)
345 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
346 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
347 return PSA_ERROR_NOT_SUPPORTED;
348 case MBEDTLS_ERR_AES_BAD_INPUT_DATA:
349 return PSA_ERROR_INVALID_ARGUMENT;
350 #endif
351
352 #if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_ASN1_WRITE_C)
353 case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
354 case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
355 case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
356 case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH:
357 case MBEDTLS_ERR_ASN1_INVALID_DATA:
358 return PSA_ERROR_INVALID_ARGUMENT;
359 case MBEDTLS_ERR_ASN1_ALLOC_FAILED:
360 return PSA_ERROR_INSUFFICIENT_MEMORY;
361 case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
362 return PSA_ERROR_BUFFER_TOO_SMALL;
363 #endif
364
365 #if defined(MBEDTLS_CAMELLIA_C)
366 case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
367 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
368 return PSA_ERROR_NOT_SUPPORTED;
369 #endif
370
371 #if defined(MBEDTLS_CCM_C)
372 case MBEDTLS_ERR_CCM_BAD_INPUT:
373 return PSA_ERROR_INVALID_ARGUMENT;
374 case MBEDTLS_ERR_CCM_AUTH_FAILED:
375 return PSA_ERROR_INVALID_SIGNATURE;
376 #endif
377
378 #if defined(MBEDTLS_CHACHA20_C)
379 case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
380 return PSA_ERROR_INVALID_ARGUMENT;
381 #endif
382
383 #if defined(MBEDTLS_CHACHAPOLY_C)
384 case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
385 return PSA_ERROR_BAD_STATE;
386 case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
387 return PSA_ERROR_INVALID_SIGNATURE;
388 #endif
389
390 #if defined(MBEDTLS_CIPHER_C)
391 case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
392 return PSA_ERROR_NOT_SUPPORTED;
393 case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
394 return PSA_ERROR_INVALID_ARGUMENT;
395 case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
396 return PSA_ERROR_INSUFFICIENT_MEMORY;
397 case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
398 return PSA_ERROR_INVALID_PADDING;
399 case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
400 return PSA_ERROR_INVALID_ARGUMENT;
401 case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
402 return PSA_ERROR_INVALID_SIGNATURE;
403 case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
404 return PSA_ERROR_CORRUPTION_DETECTED;
405 #endif
406
407 #if !(defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \
408 defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE))
409 /* Only check CTR_DRBG error codes if underlying mbedtls_xxx
410 * functions are passed a CTR_DRBG instance. */
411 case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
412 return PSA_ERROR_INSUFFICIENT_ENTROPY;
413 case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
414 case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
415 return PSA_ERROR_NOT_SUPPORTED;
416 case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
417 return PSA_ERROR_INSUFFICIENT_ENTROPY;
418 #endif
419
420 #if defined(MBEDTLS_DES_C)
421 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
422 return PSA_ERROR_NOT_SUPPORTED;
423 #endif
424
425 case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
426 case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
427 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
428 return PSA_ERROR_INSUFFICIENT_ENTROPY;
429
430 #if defined(MBEDTLS_GCM_C)
431 case MBEDTLS_ERR_GCM_AUTH_FAILED:
432 return PSA_ERROR_INVALID_SIGNATURE;
433 case MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL:
434 return PSA_ERROR_BUFFER_TOO_SMALL;
435 case MBEDTLS_ERR_GCM_BAD_INPUT:
436 return PSA_ERROR_INVALID_ARGUMENT;
437 #endif
438
439 #if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
440 defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
441 /* Only check HMAC_DRBG error codes if underlying mbedtls_xxx
442 * functions are passed a HMAC_DRBG instance. */
443 case MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED:
444 return PSA_ERROR_INSUFFICIENT_ENTROPY;
445 case MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG:
446 case MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG:
447 return PSA_ERROR_NOT_SUPPORTED;
448 case MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR:
449 return PSA_ERROR_INSUFFICIENT_ENTROPY;
450 #endif
451
452 #if defined(MBEDTLS_MD_LIGHT)
453 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
454 return PSA_ERROR_NOT_SUPPORTED;
455 case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
456 return PSA_ERROR_INVALID_ARGUMENT;
457 case MBEDTLS_ERR_MD_ALLOC_FAILED:
458 return PSA_ERROR_INSUFFICIENT_MEMORY;
459 #if defined(MBEDTLS_FS_IO)
460 case MBEDTLS_ERR_MD_FILE_IO_ERROR:
461 return PSA_ERROR_STORAGE_FAILURE;
462 #endif
463 #endif
464
465 #if defined(MBEDTLS_BIGNUM_C)
466 #if defined(MBEDTLS_FS_IO)
467 case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
468 return PSA_ERROR_STORAGE_FAILURE;
469 #endif
470 case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
471 return PSA_ERROR_INVALID_ARGUMENT;
472 case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
473 return PSA_ERROR_INVALID_ARGUMENT;
474 case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
475 return PSA_ERROR_BUFFER_TOO_SMALL;
476 case MBEDTLS_ERR_MPI_NEGATIVE_VALUE:
477 return PSA_ERROR_INVALID_ARGUMENT;
478 case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO:
479 return PSA_ERROR_INVALID_ARGUMENT;
480 case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
481 return PSA_ERROR_INVALID_ARGUMENT;
482 case MBEDTLS_ERR_MPI_ALLOC_FAILED:
483 return PSA_ERROR_INSUFFICIENT_MEMORY;
484 #endif
485
486 #if defined(MBEDTLS_PK_C)
487 case MBEDTLS_ERR_PK_ALLOC_FAILED:
488 return PSA_ERROR_INSUFFICIENT_MEMORY;
489 case MBEDTLS_ERR_PK_TYPE_MISMATCH:
490 case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
491 return PSA_ERROR_INVALID_ARGUMENT;
492 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || defined(MBEDTLS_FS_IO) || \
493 defined(MBEDTLS_PSA_ITS_FILE_C)
494 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
495 return PSA_ERROR_STORAGE_FAILURE;
496 #endif
497 case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
498 case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
499 return PSA_ERROR_INVALID_ARGUMENT;
500 case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
501 return PSA_ERROR_NOT_SUPPORTED;
502 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
503 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
504 return PSA_ERROR_NOT_PERMITTED;
505 case MBEDTLS_ERR_PK_INVALID_PUBKEY:
506 return PSA_ERROR_INVALID_ARGUMENT;
507 case MBEDTLS_ERR_PK_INVALID_ALG:
508 case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
509 case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
510 return PSA_ERROR_NOT_SUPPORTED;
511 case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
512 return PSA_ERROR_INVALID_SIGNATURE;
513 case MBEDTLS_ERR_PK_BUFFER_TOO_SMALL:
514 return PSA_ERROR_BUFFER_TOO_SMALL;
515 #endif
516
517 case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED:
518 return PSA_ERROR_HARDWARE_FAILURE;
519 case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
520 return PSA_ERROR_NOT_SUPPORTED;
521
522 #if defined(MBEDTLS_RSA_C)
523 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
524 return PSA_ERROR_INVALID_ARGUMENT;
525 case MBEDTLS_ERR_RSA_INVALID_PADDING:
526 return PSA_ERROR_INVALID_PADDING;
527 case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
528 return PSA_ERROR_HARDWARE_FAILURE;
529 case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
530 return PSA_ERROR_INVALID_ARGUMENT;
531 case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
532 case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
533 return PSA_ERROR_CORRUPTION_DETECTED;
534 case MBEDTLS_ERR_RSA_VERIFY_FAILED:
535 return PSA_ERROR_INVALID_SIGNATURE;
536 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
537 return PSA_ERROR_BUFFER_TOO_SMALL;
538 case MBEDTLS_ERR_RSA_RNG_FAILED:
539 return PSA_ERROR_INSUFFICIENT_ENTROPY;
540 #endif
541
542 #if defined(MBEDTLS_ECP_LIGHT)
543 case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
544 case MBEDTLS_ERR_ECP_INVALID_KEY:
545 return PSA_ERROR_INVALID_ARGUMENT;
546 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
547 return PSA_ERROR_BUFFER_TOO_SMALL;
548 case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
549 return PSA_ERROR_NOT_SUPPORTED;
550 case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
551 case MBEDTLS_ERR_ECP_VERIFY_FAILED:
552 return PSA_ERROR_INVALID_SIGNATURE;
553 case MBEDTLS_ERR_ECP_ALLOC_FAILED:
554 return PSA_ERROR_INSUFFICIENT_MEMORY;
555 case MBEDTLS_ERR_ECP_RANDOM_FAILED:
556 return PSA_ERROR_INSUFFICIENT_ENTROPY;
557
558 #if defined(MBEDTLS_ECP_RESTARTABLE)
559 case MBEDTLS_ERR_ECP_IN_PROGRESS:
560 return PSA_OPERATION_INCOMPLETE;
561 #endif
562 #endif
563
564 case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
565 return PSA_ERROR_CORRUPTION_DETECTED;
566
567 default:
568 return PSA_ERROR_GENERIC_ERROR;
569 }
570 }
571
572 /**
573 * \brief For output buffers which contain "tags"
574 * (outputs that may be checked for validity like
575 * hashes, MACs and signatures), fill the unused
576 * part of the output buffer (the whole buffer on
577 * error, the trailing part on success) with
578 * something that isn't a valid tag (barring an
579 * attack on the tag and deliberately-crafted
580 * input), in case the caller doesn't check the
581 * return status properly.
582 *
583 * \param output_buffer Pointer to buffer to wipe. May not be NULL
584 * unless \p output_buffer_size is zero.
585 * \param status Status of function called to generate
586 * output_buffer originally
587 * \param output_buffer_size Size of output buffer. If zero, \p output_buffer
588 * could be NULL.
589 * \param output_buffer_length Length of data written to output_buffer, must be
590 * less than \p output_buffer_size
591 */
psa_wipe_tag_output_buffer(uint8_t * output_buffer,psa_status_t status,size_t output_buffer_size,size_t output_buffer_length)592 static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status,
593 size_t output_buffer_size, size_t output_buffer_length)
594 {
595 size_t offset = 0;
596
597 if (output_buffer_size == 0) {
598 /* If output_buffer_size is 0 then we have nothing to do. We must not
599 call memset because output_buffer may be NULL in this case */
600 return;
601 }
602
603 if (status == PSA_SUCCESS) {
604 offset = output_buffer_length;
605 }
606
607 memset(output_buffer + offset, '!', output_buffer_size - offset);
608 }
609
610
psa_validate_unstructured_key_bit_size(psa_key_type_t type,size_t bits)611 psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
612 size_t bits)
613 {
614 /* Check that the bit size is acceptable for the key type */
615 switch (type) {
616 case PSA_KEY_TYPE_RAW_DATA:
617 case PSA_KEY_TYPE_HMAC:
618 case PSA_KEY_TYPE_DERIVE:
619 case PSA_KEY_TYPE_PASSWORD:
620 case PSA_KEY_TYPE_PASSWORD_HASH:
621 break;
622 #if defined(PSA_WANT_KEY_TYPE_AES)
623 case PSA_KEY_TYPE_AES:
624 if (bits != 128 && bits != 192 && bits != 256) {
625 return PSA_ERROR_INVALID_ARGUMENT;
626 }
627 break;
628 #endif
629 #if defined(PSA_WANT_KEY_TYPE_ARIA)
630 case PSA_KEY_TYPE_ARIA:
631 if (bits != 128 && bits != 192 && bits != 256) {
632 return PSA_ERROR_INVALID_ARGUMENT;
633 }
634 break;
635 #endif
636 #if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
637 case PSA_KEY_TYPE_CAMELLIA:
638 if (bits != 128 && bits != 192 && bits != 256) {
639 return PSA_ERROR_INVALID_ARGUMENT;
640 }
641 break;
642 #endif
643 #if defined(PSA_WANT_KEY_TYPE_DES)
644 case PSA_KEY_TYPE_DES:
645 if (bits != 64 && bits != 128 && bits != 192) {
646 return PSA_ERROR_INVALID_ARGUMENT;
647 }
648 break;
649 #endif
650 #if defined(PSA_WANT_KEY_TYPE_CHACHA20)
651 case PSA_KEY_TYPE_CHACHA20:
652 if (bits != 256) {
653 return PSA_ERROR_INVALID_ARGUMENT;
654 }
655 break;
656 #endif
657 default:
658 return PSA_ERROR_NOT_SUPPORTED;
659 }
660 if (bits % 8 != 0) {
661 return PSA_ERROR_INVALID_ARGUMENT;
662 }
663
664 return PSA_SUCCESS;
665 }
666
667 /** Check whether a given key type is valid for use with a given MAC algorithm
668 *
669 * Upon successful return of this function, the behavior of #PSA_MAC_LENGTH
670 * when called with the validated \p algorithm and \p key_type is well-defined.
671 *
672 * \param[in] algorithm The specific MAC algorithm (can be wildcard).
673 * \param[in] key_type The key type of the key to be used with the
674 * \p algorithm.
675 *
676 * \retval #PSA_SUCCESS
677 * The \p key_type is valid for use with the \p algorithm
678 * \retval #PSA_ERROR_INVALID_ARGUMENT
679 * The \p key_type is not valid for use with the \p algorithm
680 */
psa_mac_key_can_do(psa_algorithm_t algorithm,psa_key_type_t key_type)681 MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do(
682 psa_algorithm_t algorithm,
683 psa_key_type_t key_type)
684 {
685 if (PSA_ALG_IS_HMAC(algorithm)) {
686 if (key_type == PSA_KEY_TYPE_HMAC) {
687 return PSA_SUCCESS;
688 }
689 }
690
691 if (PSA_ALG_IS_BLOCK_CIPHER_MAC(algorithm)) {
692 /* Check that we're calling PSA_BLOCK_CIPHER_BLOCK_LENGTH with a cipher
693 * key. */
694 if ((key_type & PSA_KEY_TYPE_CATEGORY_MASK) ==
695 PSA_KEY_TYPE_CATEGORY_SYMMETRIC) {
696 /* PSA_BLOCK_CIPHER_BLOCK_LENGTH returns 1 for stream ciphers and
697 * the block length (larger than 1) for block ciphers. */
698 if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1) {
699 return PSA_SUCCESS;
700 }
701 }
702 }
703
704 return PSA_ERROR_INVALID_ARGUMENT;
705 }
706
psa_allocate_buffer_to_slot(psa_key_slot_t * slot,size_t buffer_length)707 psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
708 size_t buffer_length)
709 {
710 #if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
711 if (buffer_length > ((size_t) MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE)) {
712 return PSA_ERROR_NOT_SUPPORTED;
713 }
714 #else
715 if (slot->key.data != NULL) {
716 return PSA_ERROR_ALREADY_EXISTS;
717 }
718
719 slot->key.data = mbedtls_calloc(1, buffer_length);
720 if (slot->key.data == NULL) {
721 return PSA_ERROR_INSUFFICIENT_MEMORY;
722 }
723 #endif
724
725 slot->key.bytes = buffer_length;
726 return PSA_SUCCESS;
727 }
728
psa_copy_key_material_into_slot(psa_key_slot_t * slot,const uint8_t * data,size_t data_length)729 psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
730 const uint8_t *data,
731 size_t data_length)
732 {
733 psa_status_t status = psa_allocate_buffer_to_slot(slot,
734 data_length);
735 if (status != PSA_SUCCESS) {
736 return status;
737 }
738
739 memcpy(slot->key.data, data, data_length);
740 return PSA_SUCCESS;
741 }
742
psa_import_key_into_slot(const psa_key_attributes_t * attributes,const uint8_t * data,size_t data_length,uint8_t * key_buffer,size_t key_buffer_size,size_t * key_buffer_length,size_t * bits)743 psa_status_t psa_import_key_into_slot(
744 const psa_key_attributes_t *attributes,
745 const uint8_t *data, size_t data_length,
746 uint8_t *key_buffer, size_t key_buffer_size,
747 size_t *key_buffer_length, size_t *bits)
748 {
749 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
750 psa_key_type_t type = attributes->type;
751
752 /* zero-length keys are never supported. */
753 if (data_length == 0) {
754 return PSA_ERROR_NOT_SUPPORTED;
755 }
756
757 if (key_type_is_raw_bytes(type)) {
758 *bits = PSA_BYTES_TO_BITS(data_length);
759
760 status = psa_validate_unstructured_key_bit_size(attributes->type,
761 *bits);
762 if (status != PSA_SUCCESS) {
763 return status;
764 }
765
766 /* Copy the key material. */
767 memcpy(key_buffer, data, data_length);
768 *key_buffer_length = data_length;
769 (void) key_buffer_size;
770
771 return PSA_SUCCESS;
772 } else if (PSA_KEY_TYPE_IS_ASYMMETRIC(type)) {
773 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
774 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
775 if (PSA_KEY_TYPE_IS_DH(type)) {
776 if (psa_is_dh_key_size_valid(PSA_BYTES_TO_BITS(data_length)) == 0) {
777 return PSA_ERROR_NOT_SUPPORTED;
778 }
779 return mbedtls_psa_ffdh_import_key(attributes,
780 data, data_length,
781 key_buffer, key_buffer_size,
782 key_buffer_length,
783 bits);
784 }
785 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) ||
786 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
787 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
788 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
789 if (PSA_KEY_TYPE_IS_ECC(type)) {
790 return mbedtls_psa_ecp_import_key(attributes,
791 data, data_length,
792 key_buffer, key_buffer_size,
793 key_buffer_length,
794 bits);
795 }
796 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
797 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
798 #if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
799 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
800 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
801 if (PSA_KEY_TYPE_IS_RSA(type)) {
802 return mbedtls_psa_rsa_import_key(attributes,
803 data, data_length,
804 key_buffer, key_buffer_size,
805 key_buffer_length,
806 bits);
807 }
808 #endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
809 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
810 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
811 }
812
813 return PSA_ERROR_NOT_SUPPORTED;
814 }
815
816 /** Calculate the intersection of two algorithm usage policies.
817 *
818 * Return 0 (which allows no operation) on incompatibility.
819 */
psa_key_policy_algorithm_intersection(psa_key_type_t key_type,psa_algorithm_t alg1,psa_algorithm_t alg2)820 static psa_algorithm_t psa_key_policy_algorithm_intersection(
821 psa_key_type_t key_type,
822 psa_algorithm_t alg1,
823 psa_algorithm_t alg2)
824 {
825 /* Common case: both sides actually specify the same policy. */
826 if (alg1 == alg2) {
827 return alg1;
828 }
829 /* If the policies are from the same hash-and-sign family, check
830 * if one is a wildcard. If so the other has the specific algorithm. */
831 if (PSA_ALG_IS_SIGN_HASH(alg1) &&
832 PSA_ALG_IS_SIGN_HASH(alg2) &&
833 (alg1 & ~PSA_ALG_HASH_MASK) == (alg2 & ~PSA_ALG_HASH_MASK)) {
834 if (PSA_ALG_SIGN_GET_HASH(alg1) == PSA_ALG_ANY_HASH) {
835 return alg2;
836 }
837 if (PSA_ALG_SIGN_GET_HASH(alg2) == PSA_ALG_ANY_HASH) {
838 return alg1;
839 }
840 }
841 /* If the policies are from the same AEAD family, check whether
842 * one of them is a minimum-tag-length wildcard. Calculate the most
843 * restrictive tag length. */
844 if (PSA_ALG_IS_AEAD(alg1) && PSA_ALG_IS_AEAD(alg2) &&
845 (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg1, 0) ==
846 PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg2, 0))) {
847 size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg1);
848 size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg2);
849 size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
850
851 /* If both are wildcards, return most restrictive wildcard */
852 if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
853 ((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
854 return PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(
855 alg1, restricted_len);
856 }
857 /* If only one is a wildcard, return specific algorithm if compatible. */
858 if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
859 (alg1_len <= alg2_len)) {
860 return alg2;
861 }
862 if (((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
863 (alg2_len <= alg1_len)) {
864 return alg1;
865 }
866 }
867 /* If the policies are from the same MAC family, check whether one
868 * of them is a minimum-MAC-length policy. Calculate the most
869 * restrictive tag length. */
870 if (PSA_ALG_IS_MAC(alg1) && PSA_ALG_IS_MAC(alg2) &&
871 (PSA_ALG_FULL_LENGTH_MAC(alg1) ==
872 PSA_ALG_FULL_LENGTH_MAC(alg2))) {
873 /* Validate the combination of key type and algorithm. Since the base
874 * algorithm of alg1 and alg2 are the same, we only need this once. */
875 if (PSA_SUCCESS != psa_mac_key_can_do(alg1, key_type)) {
876 return 0;
877 }
878
879 /* Get the (exact or at-least) output lengths for both sides of the
880 * requested intersection. None of the currently supported algorithms
881 * have an output length dependent on the actual key size, so setting it
882 * to a bogus value of 0 is currently OK.
883 *
884 * Note that for at-least-this-length wildcard algorithms, the output
885 * length is set to the shortest allowed length, which allows us to
886 * calculate the most restrictive tag length for the intersection. */
887 size_t alg1_len = PSA_MAC_LENGTH(key_type, 0, alg1);
888 size_t alg2_len = PSA_MAC_LENGTH(key_type, 0, alg2);
889 size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
890
891 /* If both are wildcards, return most restrictive wildcard */
892 if (((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
893 ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
894 return PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(alg1, restricted_len);
895 }
896
897 /* If only one is an at-least-this-length policy, the intersection would
898 * be the other (fixed-length) policy as long as said fixed length is
899 * equal to or larger than the shortest allowed length. */
900 if ((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
901 return (alg1_len <= alg2_len) ? alg2 : 0;
902 }
903 if ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
904 return (alg2_len <= alg1_len) ? alg1 : 0;
905 }
906
907 /* If none of them are wildcards, check whether they define the same tag
908 * length. This is still possible here when one is default-length and
909 * the other specific-length. Ensure to always return the
910 * specific-length version for the intersection. */
911 if (alg1_len == alg2_len) {
912 return PSA_ALG_TRUNCATED_MAC(alg1, alg1_len);
913 }
914 }
915 /* If the policies are incompatible, allow nothing. */
916 return 0;
917 }
918
psa_key_algorithm_permits(psa_key_type_t key_type,psa_algorithm_t policy_alg,psa_algorithm_t requested_alg)919 static int psa_key_algorithm_permits(psa_key_type_t key_type,
920 psa_algorithm_t policy_alg,
921 psa_algorithm_t requested_alg)
922 {
923 /* Common case: the policy only allows requested_alg. */
924 if (requested_alg == policy_alg) {
925 return 1;
926 }
927 /* If policy_alg is a hash-and-sign with a wildcard for the hash,
928 * and requested_alg is the same hash-and-sign family with any hash,
929 * then requested_alg is compliant with policy_alg. */
930 if (PSA_ALG_IS_SIGN_HASH(requested_alg) &&
931 PSA_ALG_SIGN_GET_HASH(policy_alg) == PSA_ALG_ANY_HASH) {
932 return (policy_alg & ~PSA_ALG_HASH_MASK) ==
933 (requested_alg & ~PSA_ALG_HASH_MASK);
934 }
935 /* If policy_alg is a wildcard AEAD algorithm of the same base as
936 * the requested algorithm, check the requested tag length to be
937 * equal-length or longer than the wildcard-specified length. */
938 if (PSA_ALG_IS_AEAD(policy_alg) &&
939 PSA_ALG_IS_AEAD(requested_alg) &&
940 (PSA_ALG_AEAD_WITH_SHORTENED_TAG(policy_alg, 0) ==
941 PSA_ALG_AEAD_WITH_SHORTENED_TAG(requested_alg, 0)) &&
942 ((policy_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
943 return PSA_ALG_AEAD_GET_TAG_LENGTH(policy_alg) <=
944 PSA_ALG_AEAD_GET_TAG_LENGTH(requested_alg);
945 }
946 /* If policy_alg is a MAC algorithm of the same base as the requested
947 * algorithm, check whether their MAC lengths are compatible. */
948 if (PSA_ALG_IS_MAC(policy_alg) &&
949 PSA_ALG_IS_MAC(requested_alg) &&
950 (PSA_ALG_FULL_LENGTH_MAC(policy_alg) ==
951 PSA_ALG_FULL_LENGTH_MAC(requested_alg))) {
952 /* Validate the combination of key type and algorithm. Since the policy
953 * and requested algorithms are the same, we only need this once. */
954 if (PSA_SUCCESS != psa_mac_key_can_do(policy_alg, key_type)) {
955 return 0;
956 }
957
958 /* Get both the requested output length for the algorithm which is to be
959 * verified, and the default output length for the base algorithm.
960 * Note that none of the currently supported algorithms have an output
961 * length dependent on actual key size, so setting it to a bogus value
962 * of 0 is currently OK. */
963 size_t requested_output_length = PSA_MAC_LENGTH(
964 key_type, 0, requested_alg);
965 size_t default_output_length = PSA_MAC_LENGTH(
966 key_type, 0,
967 PSA_ALG_FULL_LENGTH_MAC(requested_alg));
968
969 /* If the policy is default-length, only allow an algorithm with
970 * a declared exact-length matching the default. */
971 if (PSA_MAC_TRUNCATED_LENGTH(policy_alg) == 0) {
972 return requested_output_length == default_output_length;
973 }
974
975 /* If the requested algorithm is default-length, allow it if the policy
976 * length exactly matches the default length. */
977 if (PSA_MAC_TRUNCATED_LENGTH(requested_alg) == 0 &&
978 PSA_MAC_TRUNCATED_LENGTH(policy_alg) == default_output_length) {
979 return 1;
980 }
981
982 /* If policy_alg is an at-least-this-length wildcard MAC algorithm,
983 * check for the requested MAC length to be equal to or longer than the
984 * minimum allowed length. */
985 if ((policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
986 return PSA_MAC_TRUNCATED_LENGTH(policy_alg) <=
987 requested_output_length;
988 }
989 }
990 /* If policy_alg is a generic key agreement operation, then using it for
991 * a key derivation with that key agreement should also be allowed. This
992 * behaviour is expected to be defined in a future specification version. */
993 if (PSA_ALG_IS_RAW_KEY_AGREEMENT(policy_alg) &&
994 PSA_ALG_IS_KEY_AGREEMENT(requested_alg)) {
995 return PSA_ALG_KEY_AGREEMENT_GET_BASE(requested_alg) ==
996 policy_alg;
997 }
998 /* If it isn't explicitly permitted, it's forbidden. */
999 return 0;
1000 }
1001
1002 /** Test whether a policy permits an algorithm.
1003 *
1004 * The caller must test usage flags separately.
1005 *
1006 * \note This function requires providing the key type for which the policy is
1007 * being validated, since some algorithm policy definitions (e.g. MAC)
1008 * have different properties depending on what kind of cipher it is
1009 * combined with.
1010 *
1011 * \retval PSA_SUCCESS When \p alg is a specific algorithm
1012 * allowed by the \p policy.
1013 * \retval PSA_ERROR_INVALID_ARGUMENT When \p alg is not a specific algorithm
1014 * \retval PSA_ERROR_NOT_PERMITTED When \p alg is a specific algorithm, but
1015 * the \p policy does not allow it.
1016 */
psa_key_policy_permits(const psa_key_policy_t * policy,psa_key_type_t key_type,psa_algorithm_t alg)1017 static psa_status_t psa_key_policy_permits(const psa_key_policy_t *policy,
1018 psa_key_type_t key_type,
1019 psa_algorithm_t alg)
1020 {
1021 /* '0' is not a valid algorithm */
1022 if (alg == 0) {
1023 return PSA_ERROR_INVALID_ARGUMENT;
1024 }
1025
1026 /* A requested algorithm cannot be a wildcard. */
1027 if (PSA_ALG_IS_WILDCARD(alg)) {
1028 return PSA_ERROR_INVALID_ARGUMENT;
1029 }
1030
1031 if (psa_key_algorithm_permits(key_type, policy->alg, alg) ||
1032 psa_key_algorithm_permits(key_type, policy->alg2, alg)) {
1033 return PSA_SUCCESS;
1034 } else {
1035 return PSA_ERROR_NOT_PERMITTED;
1036 }
1037 }
1038
1039 /** Restrict a key policy based on a constraint.
1040 *
1041 * \note This function requires providing the key type for which the policy is
1042 * being restricted, since some algorithm policy definitions (e.g. MAC)
1043 * have different properties depending on what kind of cipher it is
1044 * combined with.
1045 *
1046 * \param[in] key_type The key type for which to restrict the policy
1047 * \param[in,out] policy The policy to restrict.
1048 * \param[in] constraint The policy constraint to apply.
1049 *
1050 * \retval #PSA_SUCCESS
1051 * \c *policy contains the intersection of the original value of
1052 * \c *policy and \c *constraint.
1053 * \retval #PSA_ERROR_INVALID_ARGUMENT
1054 * \c key_type, \c *policy and \c *constraint are incompatible.
1055 * \c *policy is unchanged.
1056 */
psa_restrict_key_policy(psa_key_type_t key_type,psa_key_policy_t * policy,const psa_key_policy_t * constraint)1057 static psa_status_t psa_restrict_key_policy(
1058 psa_key_type_t key_type,
1059 psa_key_policy_t *policy,
1060 const psa_key_policy_t *constraint)
1061 {
1062 psa_algorithm_t intersection_alg =
1063 psa_key_policy_algorithm_intersection(key_type, policy->alg,
1064 constraint->alg);
1065 psa_algorithm_t intersection_alg2 =
1066 psa_key_policy_algorithm_intersection(key_type, policy->alg2,
1067 constraint->alg2);
1068 if (intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0) {
1069 return PSA_ERROR_INVALID_ARGUMENT;
1070 }
1071 if (intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0) {
1072 return PSA_ERROR_INVALID_ARGUMENT;
1073 }
1074 policy->usage &= constraint->usage;
1075 policy->alg = intersection_alg;
1076 policy->alg2 = intersection_alg2;
1077 return PSA_SUCCESS;
1078 }
1079
1080 /** Get the description of a key given its identifier and policy constraints
1081 * and lock it.
1082 *
1083 * The key must have allow all the usage flags set in \p usage. If \p alg is
1084 * nonzero, the key must allow operations with this algorithm. If \p alg is
1085 * zero, the algorithm is not checked.
1086 *
1087 * In case of a persistent key, the function loads the description of the key
1088 * into a key slot if not already done.
1089 *
1090 * On success, the returned key slot has been registered for reading.
1091 * It is the responsibility of the caller to then unregister
1092 * once they have finished reading the contents of the slot.
1093 * The caller unregisters by calling psa_unregister_read() or
1094 * psa_unregister_read_under_mutex(). psa_unregister_read() must be called
1095 * if and only if the caller already holds the global key slot mutex
1096 * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates
1097 * the unregister with mutex lock and unlock operations.
1098 */
psa_get_and_lock_key_slot_with_policy(mbedtls_svc_key_id_t key,psa_key_slot_t ** p_slot,psa_key_usage_t usage,psa_algorithm_t alg)1099 static psa_status_t psa_get_and_lock_key_slot_with_policy(
1100 mbedtls_svc_key_id_t key,
1101 psa_key_slot_t **p_slot,
1102 psa_key_usage_t usage,
1103 psa_algorithm_t alg)
1104 {
1105 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1106 psa_key_slot_t *slot = NULL;
1107
1108 status = psa_get_and_lock_key_slot(key, p_slot);
1109 if (status != PSA_SUCCESS) {
1110 return status;
1111 }
1112 slot = *p_slot;
1113
1114 /* Enforce that usage policy for the key slot contains all the flags
1115 * required by the usage parameter. There is one exception: public
1116 * keys can always be exported, so we treat public key objects as
1117 * if they had the export flag. */
1118 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
1119 usage &= ~PSA_KEY_USAGE_EXPORT;
1120 }
1121
1122 if ((slot->attr.policy.usage & usage) != usage) {
1123 status = PSA_ERROR_NOT_PERMITTED;
1124 goto error;
1125 }
1126
1127 /* Enforce that the usage policy permits the requested algorithm. */
1128 if (alg != 0) {
1129 status = psa_key_policy_permits(&slot->attr.policy,
1130 slot->attr.type,
1131 alg);
1132 if (status != PSA_SUCCESS) {
1133 goto error;
1134 }
1135 }
1136
1137 return PSA_SUCCESS;
1138
1139 error:
1140 *p_slot = NULL;
1141 psa_unregister_read_under_mutex(slot);
1142
1143 return status;
1144 }
1145
1146 /** Get a key slot containing a transparent key and lock it.
1147 *
1148 * A transparent key is a key for which the key material is directly
1149 * available, as opposed to a key in a secure element and/or to be used
1150 * by a secure element.
1151 *
1152 * This is a temporary function that may be used instead of
1153 * psa_get_and_lock_key_slot_with_policy() when there is no opaque key support
1154 * for a cryptographic operation.
1155 *
1156 * On success, the returned key slot has been registered for reading.
1157 * It is the responsibility of the caller to then unregister
1158 * once they have finished reading the contents of the slot.
1159 * The caller unregisters by calling psa_unregister_read() or
1160 * psa_unregister_read_under_mutex(). psa_unregister_read() must be called
1161 * if and only if the caller already holds the global key slot mutex
1162 * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates
1163 * psa_unregister_read() with mutex lock and unlock operations.
1164 */
psa_get_and_lock_transparent_key_slot_with_policy(mbedtls_svc_key_id_t key,psa_key_slot_t ** p_slot,psa_key_usage_t usage,psa_algorithm_t alg)1165 static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
1166 mbedtls_svc_key_id_t key,
1167 psa_key_slot_t **p_slot,
1168 psa_key_usage_t usage,
1169 psa_algorithm_t alg)
1170 {
1171 psa_status_t status = psa_get_and_lock_key_slot_with_policy(key, p_slot,
1172 usage, alg);
1173 if (status != PSA_SUCCESS) {
1174 return status;
1175 }
1176
1177 if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) {
1178 psa_unregister_read_under_mutex(*p_slot);
1179 *p_slot = NULL;
1180 return PSA_ERROR_NOT_SUPPORTED;
1181 }
1182
1183 return PSA_SUCCESS;
1184 }
1185
psa_remove_key_data_from_memory(psa_key_slot_t * slot)1186 psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot)
1187 {
1188 #if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
1189 if (slot->key.bytes > 0) {
1190 mbedtls_platform_zeroize(slot->key.data, MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE);
1191 }
1192 #else
1193 if (slot->key.data != NULL) {
1194 mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes);
1195 }
1196
1197 slot->key.data = NULL;
1198 #endif /* MBEDTLS_PSA_STATIC_KEY_SLOTS */
1199
1200 slot->key.bytes = 0;
1201
1202 return PSA_SUCCESS;
1203 }
1204
1205 /** Completely wipe a slot in memory, including its policy.
1206 * Persistent storage is not affected. */
psa_wipe_key_slot(psa_key_slot_t * slot)1207 psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot)
1208 {
1209 psa_status_t status = psa_remove_key_data_from_memory(slot);
1210
1211 /*
1212 * As the return error code may not be handled in case of multiple errors,
1213 * do our best to report an unexpected amount of registered readers or
1214 * an unexpected state.
1215 * Assert with MBEDTLS_TEST_HOOK_TEST_ASSERT that the slot is valid for
1216 * wiping.
1217 * if the MBEDTLS_TEST_HOOKS configuration option is enabled and the
1218 * function is called as part of the execution of a test suite, the
1219 * execution of the test suite is stopped in error if the assertion fails.
1220 */
1221 switch (slot->state) {
1222 case PSA_SLOT_FULL:
1223 /* In this state psa_wipe_key_slot() must only be called if the
1224 * caller is the last reader. */
1225 case PSA_SLOT_PENDING_DELETION:
1226 /* In this state psa_wipe_key_slot() must only be called if the
1227 * caller is the last reader. */
1228 if (slot->var.occupied.registered_readers != 1) {
1229 MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 1);
1230 status = PSA_ERROR_CORRUPTION_DETECTED;
1231 }
1232 break;
1233 case PSA_SLOT_FILLING:
1234 /* In this state registered_readers must be 0. */
1235 if (slot->var.occupied.registered_readers != 0) {
1236 MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 0);
1237 status = PSA_ERROR_CORRUPTION_DETECTED;
1238 }
1239 break;
1240 case PSA_SLOT_EMPTY:
1241 /* The slot is already empty, it cannot be wiped. */
1242 MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->state != PSA_SLOT_EMPTY);
1243 status = PSA_ERROR_CORRUPTION_DETECTED;
1244 break;
1245 default:
1246 /* The slot's state is invalid. */
1247 status = PSA_ERROR_CORRUPTION_DETECTED;
1248 }
1249
1250 #if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
1251 size_t slice_index = slot->slice_index;
1252 #endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
1253
1254
1255 /* Multipart operations may still be using the key. This is safe
1256 * because all multipart operation objects are independent from
1257 * the key slot: if they need to access the key after the setup
1258 * phase, they have a copy of the key. Note that this means that
1259 * key material can linger until all operations are completed. */
1260 /* At this point, key material and other type-specific content has
1261 * been wiped. Clear remaining metadata. We can call memset and not
1262 * zeroize because the metadata is not particularly sensitive.
1263 * This memset also sets the slot's state to PSA_SLOT_EMPTY. */
1264 memset(slot, 0, sizeof(*slot));
1265
1266 #if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
1267 /* If the slot is already corrupted, something went deeply wrong,
1268 * like a thread still using the slot or a stray pointer leading
1269 * to the slot's memory being used for another object. Let the slot
1270 * leak rather than make the corruption worse. */
1271 if (status == PSA_SUCCESS) {
1272 status = psa_free_key_slot(slice_index, slot);
1273 }
1274 #endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
1275
1276 return status;
1277 }
1278
psa_destroy_key(mbedtls_svc_key_id_t key)1279 psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key)
1280 {
1281 psa_key_slot_t *slot;
1282 psa_status_t status; /* status of the last operation */
1283 psa_status_t overall_status = PSA_SUCCESS;
1284 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1285 psa_se_drv_table_entry_t *driver;
1286 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1287
1288 if (mbedtls_svc_key_id_is_null(key)) {
1289 return PSA_SUCCESS;
1290 }
1291
1292 /*
1293 * Get the description of the key in a key slot, and register to read it.
1294 * In the case of a persistent key, this will load the key description
1295 * from persistent memory if not done yet.
1296 * We cannot avoid this loading as without it we don't know if
1297 * the key is operated by an SE or not and this information is needed by
1298 * the current implementation. */
1299 status = psa_get_and_lock_key_slot(key, &slot);
1300 if (status != PSA_SUCCESS) {
1301 return status;
1302 }
1303
1304 #if defined(MBEDTLS_THREADING_C)
1305 /* We cannot unlock between setting the state to PENDING_DELETION
1306 * and destroying the key in storage, as otherwise another thread
1307 * could load the key into a new slot and the key will not be
1308 * fully destroyed. */
1309 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(
1310 &mbedtls_threading_key_slot_mutex));
1311
1312 if (slot->state == PSA_SLOT_PENDING_DELETION) {
1313 /* Another thread has destroyed the key between us locking the slot
1314 * and us gaining the mutex. Unregister from the slot,
1315 * and report that the key does not exist. */
1316 status = psa_unregister_read(slot);
1317
1318 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1319 &mbedtls_threading_key_slot_mutex));
1320 return (status == PSA_SUCCESS) ? PSA_ERROR_INVALID_HANDLE : status;
1321 }
1322 #endif
1323 /* Set the key slot containing the key description's state to
1324 * PENDING_DELETION. This stops new operations from registering
1325 * to read the slot. Current readers can safely continue to access
1326 * the key within the slot; the last registered reader will
1327 * automatically wipe the slot when they call psa_unregister_read().
1328 * If the key is persistent, we can now delete the copy of the key
1329 * from memory. If the key is opaque, we require the driver to
1330 * deal with the deletion. */
1331 overall_status = psa_key_slot_state_transition(slot, PSA_SLOT_FULL,
1332 PSA_SLOT_PENDING_DELETION);
1333
1334 if (overall_status != PSA_SUCCESS) {
1335 goto exit;
1336 }
1337
1338 if (PSA_KEY_LIFETIME_IS_READ_ONLY(slot->attr.lifetime)) {
1339 /* Refuse the destruction of a read-only key (which may or may not work
1340 * if we attempt it, depending on whether the key is merely read-only
1341 * by policy or actually physically read-only).
1342 * Just do the best we can, which is to wipe the copy in memory
1343 * (done in this function's cleanup code). */
1344 overall_status = PSA_ERROR_NOT_PERMITTED;
1345 goto exit;
1346 }
1347
1348 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1349 driver = psa_get_se_driver_entry(slot->attr.lifetime);
1350 if (driver != NULL) {
1351 /* For a key in a secure element, we need to do three things:
1352 * remove the key file in internal storage, destroy the
1353 * key inside the secure element, and update the driver's
1354 * persistent data. Start a transaction that will encompass these
1355 * three actions. */
1356 psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_DESTROY_KEY);
1357 psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
1358 psa_crypto_transaction.key.slot = psa_key_slot_get_slot_number(slot);
1359 psa_crypto_transaction.key.id = slot->attr.id;
1360 status = psa_crypto_save_transaction();
1361 if (status != PSA_SUCCESS) {
1362 (void) psa_crypto_stop_transaction();
1363 /* We should still try to destroy the key in the secure
1364 * element and the key metadata in storage. This is especially
1365 * important if the error is that the storage is full.
1366 * But how to do it exactly without risking an inconsistent
1367 * state after a reset?
1368 * https://github.com/ARMmbed/mbed-crypto/issues/215
1369 */
1370 overall_status = status;
1371 goto exit;
1372 }
1373
1374 status = psa_destroy_se_key(driver,
1375 psa_key_slot_get_slot_number(slot));
1376 if (overall_status == PSA_SUCCESS) {
1377 overall_status = status;
1378 }
1379 }
1380 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1381
1382 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
1383 if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
1384 /* Destroy the copy of the persistent key from storage.
1385 * The slot will still hold a copy of the key until the last reader
1386 * unregisters. */
1387 status = psa_destroy_persistent_key(slot->attr.id);
1388 if (overall_status == PSA_SUCCESS) {
1389 overall_status = status;
1390 }
1391 }
1392 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
1393
1394 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1395 if (driver != NULL) {
1396 status = psa_save_se_persistent_data(driver);
1397 if (overall_status == PSA_SUCCESS) {
1398 overall_status = status;
1399 }
1400 status = psa_crypto_stop_transaction();
1401 if (overall_status == PSA_SUCCESS) {
1402 overall_status = status;
1403 }
1404 }
1405 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1406
1407 exit:
1408 /* Unregister from reading the slot. If we are the last active reader
1409 * then this will wipe the slot. */
1410 status = psa_unregister_read(slot);
1411 /* Prioritize CORRUPTION_DETECTED from unregistering over
1412 * a storage error. */
1413 if (status != PSA_SUCCESS) {
1414 overall_status = status;
1415 }
1416
1417 #if defined(MBEDTLS_THREADING_C)
1418 /* Don't overwrite existing errors if the unlock fails. */
1419 status = overall_status;
1420 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1421 &mbedtls_threading_key_slot_mutex));
1422 #endif
1423
1424 return overall_status;
1425 }
1426
1427 /** Retrieve all the publicly-accessible attributes of a key.
1428 */
psa_get_key_attributes(mbedtls_svc_key_id_t key,psa_key_attributes_t * attributes)1429 psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
1430 psa_key_attributes_t *attributes)
1431 {
1432 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1433 psa_key_slot_t *slot;
1434
1435 psa_reset_key_attributes(attributes);
1436
1437 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
1438 if (status != PSA_SUCCESS) {
1439 return status;
1440 }
1441
1442 *attributes = slot->attr;
1443
1444 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1445 if (psa_get_se_driver_entry(slot->attr.lifetime) != NULL) {
1446 psa_set_key_slot_number(attributes,
1447 psa_key_slot_get_slot_number(slot));
1448 }
1449 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1450
1451 return psa_unregister_read_under_mutex(slot);
1452 }
1453
1454 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
psa_get_key_slot_number(const psa_key_attributes_t * attributes,psa_key_slot_number_t * slot_number)1455 psa_status_t psa_get_key_slot_number(
1456 const psa_key_attributes_t *attributes,
1457 psa_key_slot_number_t *slot_number)
1458 {
1459 if (attributes->has_slot_number) {
1460 *slot_number = attributes->slot_number;
1461 return PSA_SUCCESS;
1462 } else {
1463 return PSA_ERROR_INVALID_ARGUMENT;
1464 }
1465 }
1466 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1467
psa_export_key_buffer_internal(const uint8_t * key_buffer,size_t key_buffer_size,uint8_t * data,size_t data_size,size_t * data_length)1468 static psa_status_t psa_export_key_buffer_internal(const uint8_t *key_buffer,
1469 size_t key_buffer_size,
1470 uint8_t *data,
1471 size_t data_size,
1472 size_t *data_length)
1473 {
1474 if (key_buffer_size > data_size) {
1475 return PSA_ERROR_BUFFER_TOO_SMALL;
1476 }
1477 memcpy(data, key_buffer, key_buffer_size);
1478 memset(data + key_buffer_size, 0,
1479 data_size - key_buffer_size);
1480 *data_length = key_buffer_size;
1481 return PSA_SUCCESS;
1482 }
1483
psa_export_key_internal(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,uint8_t * data,size_t data_size,size_t * data_length)1484 psa_status_t psa_export_key_internal(
1485 const psa_key_attributes_t *attributes,
1486 const uint8_t *key_buffer, size_t key_buffer_size,
1487 uint8_t *data, size_t data_size, size_t *data_length)
1488 {
1489 psa_key_type_t type = attributes->type;
1490
1491 if (key_type_is_raw_bytes(type) ||
1492 PSA_KEY_TYPE_IS_RSA(type) ||
1493 PSA_KEY_TYPE_IS_ECC(type) ||
1494 PSA_KEY_TYPE_IS_DH(type)) {
1495 return psa_export_key_buffer_internal(
1496 key_buffer, key_buffer_size,
1497 data, data_size, data_length);
1498 } else {
1499 /* This shouldn't happen in the built-in implementation, but
1500 it is valid for a special-purpose drivers to omit
1501 support for exporting certain key types. */
1502 return PSA_ERROR_NOT_SUPPORTED;
1503 }
1504 }
1505
psa_export_key(mbedtls_svc_key_id_t key,uint8_t * data_external,size_t data_size,size_t * data_length)1506 psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
1507 uint8_t *data_external,
1508 size_t data_size,
1509 size_t *data_length)
1510 {
1511 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1512 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
1513 psa_key_slot_t *slot;
1514 LOCAL_OUTPUT_DECLARE(data_external, data);
1515
1516 /* Reject a zero-length output buffer now, since this can never be a
1517 * valid key representation. This way we know that data must be a valid
1518 * pointer and we can do things like memset(data, ..., data_size). */
1519 if (data_size == 0) {
1520 return PSA_ERROR_BUFFER_TOO_SMALL;
1521 }
1522
1523 /* Set the key to empty now, so that even when there are errors, we always
1524 * set data_length to a value between 0 and data_size. On error, setting
1525 * the key to empty is a good choice because an empty key representation is
1526 * unlikely to be accepted anywhere. */
1527 *data_length = 0;
1528
1529 /* Export requires the EXPORT flag. There is an exception for public keys,
1530 * which don't require any flag, but
1531 * psa_get_and_lock_key_slot_with_policy() takes care of this.
1532 */
1533 status = psa_get_and_lock_key_slot_with_policy(key, &slot,
1534 PSA_KEY_USAGE_EXPORT, 0);
1535 if (status != PSA_SUCCESS) {
1536 return status;
1537 }
1538
1539 LOCAL_OUTPUT_ALLOC(data_external, data_size, data);
1540
1541 status = psa_driver_wrapper_export_key(&slot->attr,
1542 slot->key.data, slot->key.bytes,
1543 data, data_size, data_length);
1544
1545 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
1546 exit:
1547 #endif
1548 unlock_status = psa_unregister_read_under_mutex(slot);
1549
1550 LOCAL_OUTPUT_FREE(data_external, data);
1551 return (status == PSA_SUCCESS) ? unlock_status : status;
1552 }
1553
psa_export_public_key_internal(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,uint8_t * data,size_t data_size,size_t * data_length)1554 psa_status_t psa_export_public_key_internal(
1555 const psa_key_attributes_t *attributes,
1556 const uint8_t *key_buffer,
1557 size_t key_buffer_size,
1558 uint8_t *data,
1559 size_t data_size,
1560 size_t *data_length)
1561 {
1562 psa_key_type_t type = attributes->type;
1563
1564 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
1565 (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type) ||
1566 PSA_KEY_TYPE_IS_DH(type))) {
1567 /* Exporting public -> public */
1568 return psa_export_key_buffer_internal(
1569 key_buffer, key_buffer_size,
1570 data, data_size, data_length);
1571 } else if (PSA_KEY_TYPE_IS_RSA(type)) {
1572 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
1573 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
1574 return mbedtls_psa_rsa_export_public_key(attributes,
1575 key_buffer,
1576 key_buffer_size,
1577 data,
1578 data_size,
1579 data_length);
1580 #else
1581 /* We don't know how to convert a private RSA key to public. */
1582 return PSA_ERROR_NOT_SUPPORTED;
1583 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
1584 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
1585 } else if (PSA_KEY_TYPE_IS_ECC(type)) {
1586 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
1587 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
1588 return mbedtls_psa_ecp_export_public_key(attributes,
1589 key_buffer,
1590 key_buffer_size,
1591 data,
1592 data_size,
1593 data_length);
1594 #else
1595 /* We don't know how to convert a private ECC key to public */
1596 return PSA_ERROR_NOT_SUPPORTED;
1597 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
1598 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
1599 } else if (PSA_KEY_TYPE_IS_DH(type)) {
1600 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
1601 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
1602 return mbedtls_psa_ffdh_export_public_key(attributes,
1603 key_buffer,
1604 key_buffer_size,
1605 data, data_size,
1606 data_length);
1607 #else
1608 return PSA_ERROR_NOT_SUPPORTED;
1609 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) ||
1610 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
1611 } else {
1612 (void) key_buffer;
1613 (void) key_buffer_size;
1614 (void) data;
1615 (void) data_size;
1616 (void) data_length;
1617 return PSA_ERROR_NOT_SUPPORTED;
1618 }
1619 }
1620
psa_export_public_key(mbedtls_svc_key_id_t key,uint8_t * data_external,size_t data_size,size_t * data_length)1621 psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
1622 uint8_t *data_external,
1623 size_t data_size,
1624 size_t *data_length)
1625 {
1626 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1627 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
1628 psa_key_slot_t *slot;
1629
1630 LOCAL_OUTPUT_DECLARE(data_external, data);
1631
1632 /* Reject a zero-length output buffer now, since this can never be a
1633 * valid key representation. This way we know that data must be a valid
1634 * pointer and we can do things like memset(data, ..., data_size). */
1635 if (data_size == 0) {
1636 return PSA_ERROR_BUFFER_TOO_SMALL;
1637 }
1638
1639 /* Set the key to empty now, so that even when there are errors, we always
1640 * set data_length to a value between 0 and data_size. On error, setting
1641 * the key to empty is a good choice because an empty key representation is
1642 * unlikely to be accepted anywhere. */
1643 *data_length = 0;
1644
1645 /* Exporting a public key doesn't require a usage flag. */
1646 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
1647 if (status != PSA_SUCCESS) {
1648 return status;
1649 }
1650
1651 LOCAL_OUTPUT_ALLOC(data_external, data_size, data);
1652
1653 if (!PSA_KEY_TYPE_IS_ASYMMETRIC(slot->attr.type)) {
1654 status = PSA_ERROR_INVALID_ARGUMENT;
1655 goto exit;
1656 }
1657
1658 status = psa_driver_wrapper_export_public_key(
1659 &slot->attr, slot->key.data, slot->key.bytes,
1660 data, data_size, data_length);
1661
1662 exit:
1663 unlock_status = psa_unregister_read_under_mutex(slot);
1664
1665 LOCAL_OUTPUT_FREE(data_external, data);
1666 return (status == PSA_SUCCESS) ? unlock_status : status;
1667 }
1668
1669 /** Validate that a key policy is internally well-formed.
1670 *
1671 * This function only rejects invalid policies. It does not validate the
1672 * consistency of the policy with respect to other attributes of the key
1673 * such as the key type.
1674 */
psa_validate_key_policy(const psa_key_policy_t * policy)1675 static psa_status_t psa_validate_key_policy(const psa_key_policy_t *policy)
1676 {
1677 if ((policy->usage & ~(PSA_KEY_USAGE_EXPORT |
1678 PSA_KEY_USAGE_COPY |
1679 PSA_KEY_USAGE_ENCRYPT |
1680 PSA_KEY_USAGE_DECRYPT |
1681 PSA_KEY_USAGE_SIGN_MESSAGE |
1682 PSA_KEY_USAGE_VERIFY_MESSAGE |
1683 PSA_KEY_USAGE_SIGN_HASH |
1684 PSA_KEY_USAGE_VERIFY_HASH |
1685 PSA_KEY_USAGE_VERIFY_DERIVATION |
1686 PSA_KEY_USAGE_DERIVE)) != 0) {
1687 return PSA_ERROR_INVALID_ARGUMENT;
1688 }
1689
1690 return PSA_SUCCESS;
1691 }
1692
1693 /** Validate the internal consistency of key attributes.
1694 *
1695 * This function only rejects invalid attribute values. If does not
1696 * validate the consistency of the attributes with any key data that may
1697 * be involved in the creation of the key.
1698 *
1699 * Call this function early in the key creation process.
1700 *
1701 * \param[in] attributes Key attributes for the new key.
1702 * \param[out] p_drv On any return, the driver for the key, if any.
1703 * NULL for a transparent key.
1704 *
1705 */
psa_validate_key_attributes(const psa_key_attributes_t * attributes,psa_se_drv_table_entry_t ** p_drv)1706 static psa_status_t psa_validate_key_attributes(
1707 const psa_key_attributes_t *attributes,
1708 psa_se_drv_table_entry_t **p_drv)
1709 {
1710 psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
1711 psa_key_lifetime_t lifetime = psa_get_key_lifetime(attributes);
1712 mbedtls_svc_key_id_t key = psa_get_key_id(attributes);
1713
1714 status = psa_validate_key_location(lifetime, p_drv);
1715 if (status != PSA_SUCCESS) {
1716 return status;
1717 }
1718
1719 status = psa_validate_key_persistence(lifetime);
1720 if (status != PSA_SUCCESS) {
1721 return status;
1722 }
1723
1724 if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
1725 if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key) != 0) {
1726 return PSA_ERROR_INVALID_ARGUMENT;
1727 }
1728 } else {
1729 if (!psa_is_valid_key_id(psa_get_key_id(attributes), 0)) {
1730 return PSA_ERROR_INVALID_ARGUMENT;
1731 }
1732 }
1733
1734 status = psa_validate_key_policy(&attributes->policy);
1735 if (status != PSA_SUCCESS) {
1736 return status;
1737 }
1738
1739 /* Refuse to create overly large keys.
1740 * Note that this doesn't trigger on import if the attributes don't
1741 * explicitly specify a size (so psa_get_key_bits returns 0), so
1742 * psa_import_key() needs its own checks. */
1743 if (psa_get_key_bits(attributes) > PSA_MAX_KEY_BITS) {
1744 return PSA_ERROR_NOT_SUPPORTED;
1745 }
1746
1747 return PSA_SUCCESS;
1748 }
1749
1750 /** Prepare a key slot to receive key material.
1751 *
1752 * This function allocates a key slot and sets its metadata.
1753 *
1754 * If this function fails, call psa_fail_key_creation().
1755 *
1756 * This function is intended to be used as follows:
1757 * -# Call psa_start_key_creation() to allocate a key slot, prepare
1758 * it with the specified attributes, and in case of a volatile key assign it
1759 * a volatile key identifier.
1760 * -# Populate the slot with the key material.
1761 * -# Call psa_finish_key_creation() to finalize the creation of the slot.
1762 * In case of failure at any step, stop the sequence and call
1763 * psa_fail_key_creation().
1764 *
1765 * On success, the key slot's state is PSA_SLOT_FILLING.
1766 * It is the responsibility of the caller to change the slot's state to
1767 * PSA_SLOT_EMPTY/FULL once key creation has finished.
1768 *
1769 * \param method An identification of the calling function.
1770 * \param[in] attributes Key attributes for the new key.
1771 * \param[out] p_slot On success, a pointer to the prepared slot.
1772 * \param[out] p_drv On any return, the driver for the key, if any.
1773 * NULL for a transparent key.
1774 *
1775 * \retval #PSA_SUCCESS
1776 * The key slot is ready to receive key material.
1777 * \return If this function fails, the key slot is an invalid state.
1778 * You must call psa_fail_key_creation() to wipe and free the slot.
1779 */
psa_start_key_creation(psa_key_creation_method_t method,const psa_key_attributes_t * attributes,psa_key_slot_t ** p_slot,psa_se_drv_table_entry_t ** p_drv)1780 static psa_status_t psa_start_key_creation(
1781 psa_key_creation_method_t method,
1782 const psa_key_attributes_t *attributes,
1783 psa_key_slot_t **p_slot,
1784 psa_se_drv_table_entry_t **p_drv)
1785 {
1786 psa_status_t status;
1787
1788 (void) method;
1789 *p_drv = NULL;
1790
1791 status = psa_validate_key_attributes(attributes, p_drv);
1792 if (status != PSA_SUCCESS) {
1793 return status;
1794 }
1795
1796 int key_is_volatile = PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime);
1797 psa_key_id_t volatile_key_id;
1798
1799 #if defined(MBEDTLS_THREADING_C)
1800 PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
1801 &mbedtls_threading_key_slot_mutex));
1802 #endif
1803 status = psa_reserve_free_key_slot(
1804 key_is_volatile ? &volatile_key_id : NULL,
1805 p_slot);
1806 #if defined(MBEDTLS_THREADING_C)
1807 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1808 &mbedtls_threading_key_slot_mutex));
1809 #endif
1810 if (status != PSA_SUCCESS) {
1811 return status;
1812 }
1813 psa_key_slot_t *slot = *p_slot;
1814
1815 /* We're storing the declared bit-size of the key. It's up to each
1816 * creation mechanism to verify that this information is correct.
1817 * It's automatically correct for mechanisms that use the bit-size as
1818 * an input (generate, device) but not for those where the bit-size
1819 * is optional (import, copy). In case of a volatile key, assign it the
1820 * volatile key identifier associated to the slot returned to contain its
1821 * definition. */
1822
1823 slot->attr = *attributes;
1824 if (key_is_volatile) {
1825 #if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
1826 slot->attr.id = volatile_key_id;
1827 #else
1828 slot->attr.id.key_id = volatile_key_id;
1829 #endif
1830 }
1831
1832 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1833 /* For a key in a secure element, we need to do three things
1834 * when creating or registering a persistent key:
1835 * create the key file in internal storage, create the
1836 * key inside the secure element, and update the driver's
1837 * persistent data. This is done by starting a transaction that will
1838 * encompass these three actions.
1839 * For registering a volatile key, we just need to find an appropriate
1840 * slot number inside the SE. Since the key is designated volatile, creating
1841 * a transaction is not required. */
1842 /* The first thing to do is to find a slot number for the new key.
1843 * We save the slot number in persistent storage as part of the
1844 * transaction data. It will be needed to recover if the power
1845 * fails during the key creation process, to clean up on the secure
1846 * element side after restarting. Obtaining a slot number from the
1847 * secure element driver updates its persistent state, but we do not yet
1848 * save the driver's persistent state, so that if the power fails,
1849 * we can roll back to a state where the key doesn't exist. */
1850 if (*p_drv != NULL) {
1851 psa_key_slot_number_t slot_number;
1852 status = psa_find_se_slot_for_key(attributes, method, *p_drv,
1853 &slot_number);
1854 if (status != PSA_SUCCESS) {
1855 return status;
1856 }
1857
1858 if (!PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime)) {
1859 psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_CREATE_KEY);
1860 psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
1861 psa_crypto_transaction.key.slot = slot_number;
1862 psa_crypto_transaction.key.id = slot->attr.id;
1863 status = psa_crypto_save_transaction();
1864 if (status != PSA_SUCCESS) {
1865 (void) psa_crypto_stop_transaction();
1866 return status;
1867 }
1868 }
1869
1870 status = psa_copy_key_material_into_slot(
1871 slot, (uint8_t *) (&slot_number), sizeof(slot_number));
1872 if (status != PSA_SUCCESS) {
1873 return status;
1874 }
1875 }
1876
1877 if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) {
1878 /* Key registration only makes sense with a secure element. */
1879 return PSA_ERROR_INVALID_ARGUMENT;
1880 }
1881 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1882
1883 return PSA_SUCCESS;
1884 }
1885
1886 /** Finalize the creation of a key once its key material has been set.
1887 *
1888 * This entails writing the key to persistent storage.
1889 *
1890 * If this function fails, call psa_fail_key_creation().
1891 * See the documentation of psa_start_key_creation() for the intended use
1892 * of this function.
1893 *
1894 * If the finalization succeeds, the function sets the key slot's state to
1895 * PSA_SLOT_FULL, and the key slot can no longer be accessed as part of the
1896 * key creation process.
1897 *
1898 * \param[in,out] slot Pointer to the slot with key material.
1899 * \param[in] driver The secure element driver for the key,
1900 * or NULL for a transparent key.
1901 * \param[out] key On success, identifier of the key. Note that the
1902 * key identifier is also stored in the key slot.
1903 *
1904 * \retval #PSA_SUCCESS
1905 * The key was successfully created.
1906 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1907 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
1908 * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
1909 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
1910 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
1911 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1912 *
1913 * \return If this function fails, the key slot is an invalid state.
1914 * You must call psa_fail_key_creation() to wipe and free the slot.
1915 */
psa_finish_key_creation(psa_key_slot_t * slot,psa_se_drv_table_entry_t * driver,mbedtls_svc_key_id_t * key)1916 static psa_status_t psa_finish_key_creation(
1917 psa_key_slot_t *slot,
1918 psa_se_drv_table_entry_t *driver,
1919 mbedtls_svc_key_id_t *key)
1920 {
1921 psa_status_t status = PSA_SUCCESS;
1922 (void) slot;
1923 (void) driver;
1924
1925 #if defined(MBEDTLS_THREADING_C)
1926 PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
1927 &mbedtls_threading_key_slot_mutex));
1928 #endif
1929
1930 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
1931 if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
1932 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1933 if (driver != NULL) {
1934 psa_se_key_data_storage_t data;
1935 psa_key_slot_number_t slot_number =
1936 psa_key_slot_get_slot_number(slot);
1937
1938 MBEDTLS_STATIC_ASSERT(sizeof(slot_number) ==
1939 sizeof(data.slot_number),
1940 "Slot number size does not match psa_se_key_data_storage_t");
1941
1942 memcpy(&data.slot_number, &slot_number, sizeof(slot_number));
1943 status = psa_save_persistent_key(&slot->attr,
1944 (uint8_t *) &data,
1945 sizeof(data));
1946 } else
1947 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1948 {
1949 /* Key material is saved in export representation in the slot, so
1950 * just pass the slot buffer for storage. */
1951 status = psa_save_persistent_key(&slot->attr,
1952 slot->key.data,
1953 slot->key.bytes);
1954 }
1955 }
1956 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
1957
1958 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1959 /* Finish the transaction for a key creation. This does not
1960 * happen when registering an existing key. Detect this case
1961 * by checking whether a transaction is in progress (actual
1962 * creation of a persistent key in a secure element requires a transaction,
1963 * but registration or volatile key creation doesn't use one). */
1964 if (driver != NULL &&
1965 psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY) {
1966 status = psa_save_se_persistent_data(driver);
1967 if (status != PSA_SUCCESS) {
1968 psa_destroy_persistent_key(slot->attr.id);
1969
1970 #if defined(MBEDTLS_THREADING_C)
1971 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1972 &mbedtls_threading_key_slot_mutex));
1973 #endif
1974 return status;
1975 }
1976 status = psa_crypto_stop_transaction();
1977 }
1978 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1979
1980 if (status == PSA_SUCCESS) {
1981 *key = slot->attr.id;
1982 status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING,
1983 PSA_SLOT_FULL);
1984 if (status != PSA_SUCCESS) {
1985 *key = MBEDTLS_SVC_KEY_ID_INIT;
1986 }
1987 }
1988
1989 #if defined(MBEDTLS_THREADING_C)
1990 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1991 &mbedtls_threading_key_slot_mutex));
1992 #endif
1993 return status;
1994 }
1995
1996 /** Abort the creation of a key.
1997 *
1998 * You may call this function after calling psa_start_key_creation(),
1999 * or after psa_finish_key_creation() fails. In other circumstances, this
2000 * function may not clean up persistent storage.
2001 * See the documentation of psa_start_key_creation() for the intended use
2002 * of this function. Sets the slot's state to PSA_SLOT_EMPTY.
2003 *
2004 * \param[in,out] slot Pointer to the slot with key material.
2005 * \param[in] driver The secure element driver for the key,
2006 * or NULL for a transparent key.
2007 */
psa_fail_key_creation(psa_key_slot_t * slot,psa_se_drv_table_entry_t * driver)2008 static void psa_fail_key_creation(psa_key_slot_t *slot,
2009 psa_se_drv_table_entry_t *driver)
2010 {
2011 (void) driver;
2012
2013 if (slot == NULL) {
2014 return;
2015 }
2016
2017 #if defined(MBEDTLS_THREADING_C)
2018 /* If the lock operation fails we still wipe the slot.
2019 * Operations will no longer work after a failed lock,
2020 * but we still need to wipe the slot of confidential data. */
2021 mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex);
2022 #endif
2023
2024 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
2025 /* TODO: If the key has already been created in the secure
2026 * element, and the failure happened later (when saving metadata
2027 * to internal storage), we need to destroy the key in the secure
2028 * element.
2029 * https://github.com/ARMmbed/mbed-crypto/issues/217
2030 */
2031
2032 /* Abort the ongoing transaction if any (there may not be one if
2033 * the creation process failed before starting one, or if the
2034 * key creation is a registration of a key in a secure element).
2035 * Earlier functions must already have done what it takes to undo any
2036 * partial creation. All that's left is to update the transaction data
2037 * itself. */
2038 (void) psa_crypto_stop_transaction();
2039 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2040
2041 psa_wipe_key_slot(slot);
2042
2043 #if defined(MBEDTLS_THREADING_C)
2044 mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex);
2045 #endif
2046 }
2047
2048 /** Validate optional attributes during key creation.
2049 *
2050 * Some key attributes are optional during key creation. If they are
2051 * specified in the attributes structure, check that they are consistent
2052 * with the data in the slot.
2053 *
2054 * This function should be called near the end of key creation, after
2055 * the slot in memory is fully populated but before saving persistent data.
2056 */
psa_validate_optional_attributes(const psa_key_slot_t * slot,const psa_key_attributes_t * attributes)2057 static psa_status_t psa_validate_optional_attributes(
2058 const psa_key_slot_t *slot,
2059 const psa_key_attributes_t *attributes)
2060 {
2061 if (attributes->type != 0) {
2062 if (attributes->type != slot->attr.type) {
2063 return PSA_ERROR_INVALID_ARGUMENT;
2064 }
2065 }
2066
2067 if (attributes->bits != 0) {
2068 if (attributes->bits != slot->attr.bits) {
2069 return PSA_ERROR_INVALID_ARGUMENT;
2070 }
2071 }
2072
2073 return PSA_SUCCESS;
2074 }
2075
psa_import_key(const psa_key_attributes_t * attributes,const uint8_t * data_external,size_t data_length,mbedtls_svc_key_id_t * key)2076 psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
2077 const uint8_t *data_external,
2078 size_t data_length,
2079 mbedtls_svc_key_id_t *key)
2080 {
2081 psa_status_t status;
2082 LOCAL_INPUT_DECLARE(data_external, data);
2083 psa_key_slot_t *slot = NULL;
2084 psa_se_drv_table_entry_t *driver = NULL;
2085 size_t bits;
2086 size_t storage_size = data_length;
2087
2088 *key = MBEDTLS_SVC_KEY_ID_INIT;
2089
2090 /* Reject zero-length symmetric keys (including raw data key objects).
2091 * This also rejects any key which might be encoded as an empty string,
2092 * which is never valid. */
2093 if (data_length == 0) {
2094 return PSA_ERROR_INVALID_ARGUMENT;
2095 }
2096
2097 /* Ensure that the bytes-to-bits conversion cannot overflow. */
2098 if (data_length > SIZE_MAX / 8) {
2099 return PSA_ERROR_NOT_SUPPORTED;
2100 }
2101
2102 LOCAL_INPUT_ALLOC(data_external, data_length, data);
2103
2104 status = psa_start_key_creation(PSA_KEY_CREATION_IMPORT, attributes,
2105 &slot, &driver);
2106 if (status != PSA_SUCCESS) {
2107 goto exit;
2108 }
2109
2110 /* In the case of a transparent key or an opaque key stored in local
2111 * storage ( thus not in the case of importing a key in a secure element
2112 * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
2113 * buffer to hold the imported key material. */
2114 if (slot->key.bytes == 0) {
2115 if (psa_key_lifetime_is_external(attributes->lifetime)) {
2116 status = psa_driver_wrapper_get_key_buffer_size_from_key_data(
2117 attributes, data, data_length, &storage_size);
2118 if (status != PSA_SUCCESS) {
2119 goto exit;
2120 }
2121 }
2122 status = psa_allocate_buffer_to_slot(slot, storage_size);
2123 if (status != PSA_SUCCESS) {
2124 goto exit;
2125 }
2126 }
2127
2128 bits = slot->attr.bits;
2129 status = psa_driver_wrapper_import_key(attributes,
2130 data, data_length,
2131 slot->key.data,
2132 slot->key.bytes,
2133 &slot->key.bytes, &bits);
2134 if (status != PSA_SUCCESS) {
2135 goto exit;
2136 }
2137
2138 if (slot->attr.bits == 0) {
2139 slot->attr.bits = (psa_key_bits_t) bits;
2140 } else if (bits != slot->attr.bits) {
2141 status = PSA_ERROR_INVALID_ARGUMENT;
2142 goto exit;
2143 }
2144
2145 /* Enforce a size limit, and in particular ensure that the bit
2146 * size fits in its representation type.*/
2147 if (bits > PSA_MAX_KEY_BITS) {
2148 status = PSA_ERROR_NOT_SUPPORTED;
2149 goto exit;
2150 }
2151 status = psa_validate_optional_attributes(slot, attributes);
2152 if (status != PSA_SUCCESS) {
2153 goto exit;
2154 }
2155
2156 status = psa_finish_key_creation(slot, driver, key);
2157 exit:
2158 LOCAL_INPUT_FREE(data_external, data);
2159 if (status != PSA_SUCCESS) {
2160 psa_fail_key_creation(slot, driver);
2161 }
2162
2163 return status;
2164 }
2165
2166 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
mbedtls_psa_register_se_key(const psa_key_attributes_t * attributes)2167 psa_status_t mbedtls_psa_register_se_key(
2168 const psa_key_attributes_t *attributes)
2169 {
2170 psa_status_t status;
2171 psa_key_slot_t *slot = NULL;
2172 psa_se_drv_table_entry_t *driver = NULL;
2173 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2174
2175 /* Leaving attributes unspecified is not currently supported.
2176 * It could make sense to query the key type and size from the
2177 * secure element, but not all secure elements support this
2178 * and the driver HAL doesn't currently support it. */
2179 if (psa_get_key_type(attributes) == PSA_KEY_TYPE_NONE) {
2180 return PSA_ERROR_NOT_SUPPORTED;
2181 }
2182 if (psa_get_key_bits(attributes) == 0) {
2183 return PSA_ERROR_NOT_SUPPORTED;
2184 }
2185
2186 /* Not usable with volatile keys, even with an appropriate location,
2187 * due to the API design.
2188 * https://github.com/Mbed-TLS/mbedtls/issues/9253
2189 */
2190 if (PSA_KEY_LIFETIME_IS_VOLATILE(psa_get_key_lifetime(attributes))) {
2191 return PSA_ERROR_INVALID_ARGUMENT;
2192 }
2193
2194 status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
2195 &slot, &driver);
2196 if (status != PSA_SUCCESS) {
2197 goto exit;
2198 }
2199
2200 status = psa_finish_key_creation(slot, driver, &key);
2201
2202 exit:
2203 if (status != PSA_SUCCESS) {
2204 psa_fail_key_creation(slot, driver);
2205 }
2206
2207 /* Registration doesn't keep the key in RAM. */
2208 psa_close_key(key);
2209 return status;
2210 }
2211 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2212
psa_copy_key(mbedtls_svc_key_id_t source_key,const psa_key_attributes_t * specified_attributes,mbedtls_svc_key_id_t * target_key)2213 psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
2214 const psa_key_attributes_t *specified_attributes,
2215 mbedtls_svc_key_id_t *target_key)
2216 {
2217 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2218 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2219 psa_key_slot_t *source_slot = NULL;
2220 psa_key_slot_t *target_slot = NULL;
2221 psa_key_attributes_t actual_attributes = *specified_attributes;
2222 psa_se_drv_table_entry_t *driver = NULL;
2223 size_t storage_size = 0;
2224
2225 *target_key = MBEDTLS_SVC_KEY_ID_INIT;
2226
2227 status = psa_get_and_lock_key_slot_with_policy(
2228 source_key, &source_slot, PSA_KEY_USAGE_COPY, 0);
2229 if (status != PSA_SUCCESS) {
2230 goto exit;
2231 }
2232
2233 status = psa_validate_optional_attributes(source_slot,
2234 specified_attributes);
2235 if (status != PSA_SUCCESS) {
2236 goto exit;
2237 }
2238
2239 /* The target key type and number of bits have been validated by
2240 * psa_validate_optional_attributes() to be either equal to zero or
2241 * equal to the ones of the source key. So it is safe to inherit
2242 * them from the source key now."
2243 * */
2244 actual_attributes.bits = source_slot->attr.bits;
2245 actual_attributes.type = source_slot->attr.type;
2246
2247
2248 status = psa_restrict_key_policy(source_slot->attr.type,
2249 &actual_attributes.policy,
2250 &source_slot->attr.policy);
2251 if (status != PSA_SUCCESS) {
2252 goto exit;
2253 }
2254
2255 status = psa_start_key_creation(PSA_KEY_CREATION_COPY, &actual_attributes,
2256 &target_slot, &driver);
2257 if (status != PSA_SUCCESS) {
2258 goto exit;
2259 }
2260 if (PSA_KEY_LIFETIME_GET_LOCATION(target_slot->attr.lifetime) !=
2261 PSA_KEY_LIFETIME_GET_LOCATION(source_slot->attr.lifetime)) {
2262 /*
2263 * If the source and target keys are stored in different locations,
2264 * the source key would need to be exported as plaintext and re-imported
2265 * in the other location. This has security implications which have not
2266 * been fully mapped. For now, this can be achieved through
2267 * appropriate API invocations from the application, if needed.
2268 * */
2269 status = PSA_ERROR_NOT_SUPPORTED;
2270 goto exit;
2271 }
2272 /*
2273 * When the source and target keys are within the same location,
2274 * - For transparent keys it is a blind copy without any driver invocation,
2275 * - For opaque keys this translates to an invocation of the drivers'
2276 * copy_key entry point through the dispatch layer.
2277 * */
2278 if (psa_key_lifetime_is_external(actual_attributes.lifetime)) {
2279 status = psa_driver_wrapper_get_key_buffer_size(&actual_attributes,
2280 &storage_size);
2281 if (status != PSA_SUCCESS) {
2282 goto exit;
2283 }
2284
2285 status = psa_allocate_buffer_to_slot(target_slot, storage_size);
2286 if (status != PSA_SUCCESS) {
2287 goto exit;
2288 }
2289
2290 status = psa_driver_wrapper_copy_key(&actual_attributes,
2291 source_slot->key.data,
2292 source_slot->key.bytes,
2293 target_slot->key.data,
2294 target_slot->key.bytes,
2295 &target_slot->key.bytes);
2296 if (status != PSA_SUCCESS) {
2297 goto exit;
2298 }
2299 } else {
2300 status = psa_copy_key_material_into_slot(target_slot,
2301 source_slot->key.data,
2302 source_slot->key.bytes);
2303 if (status != PSA_SUCCESS) {
2304 goto exit;
2305 }
2306 }
2307 status = psa_finish_key_creation(target_slot, driver, target_key);
2308 exit:
2309 if (status != PSA_SUCCESS) {
2310 psa_fail_key_creation(target_slot, driver);
2311 }
2312
2313 unlock_status = psa_unregister_read_under_mutex(source_slot);
2314
2315 return (status == PSA_SUCCESS) ? unlock_status : status;
2316 }
2317
2318
2319
2320 /****************************************************************/
2321 /* Message digests */
2322 /****************************************************************/
2323
is_hash_supported(psa_algorithm_t alg)2324 static int is_hash_supported(psa_algorithm_t alg)
2325 {
2326 switch (alg) {
2327 #if defined(PSA_WANT_ALG_MD5)
2328 case PSA_ALG_MD5:
2329 return 1;
2330 #endif
2331 #if defined(PSA_WANT_ALG_RIPEMD160)
2332 case PSA_ALG_RIPEMD160:
2333 return 1;
2334 #endif
2335 #if defined(PSA_WANT_ALG_SHA_1)
2336 case PSA_ALG_SHA_1:
2337 return 1;
2338 #endif
2339 #if defined(PSA_WANT_ALG_SHA_224)
2340 case PSA_ALG_SHA_224:
2341 return 1;
2342 #endif
2343 #if defined(PSA_WANT_ALG_SHA_256)
2344 case PSA_ALG_SHA_256:
2345 return 1;
2346 #endif
2347 #if defined(PSA_WANT_ALG_SHA_384)
2348 case PSA_ALG_SHA_384:
2349 return 1;
2350 #endif
2351 #if defined(PSA_WANT_ALG_SHA_512)
2352 case PSA_ALG_SHA_512:
2353 return 1;
2354 #endif
2355 #if defined(PSA_WANT_ALG_SHA3_224)
2356 case PSA_ALG_SHA3_224:
2357 return 1;
2358 #endif
2359 #if defined(PSA_WANT_ALG_SHA3_256)
2360 case PSA_ALG_SHA3_256:
2361 return 1;
2362 #endif
2363 #if defined(PSA_WANT_ALG_SHA3_384)
2364 case PSA_ALG_SHA3_384:
2365 return 1;
2366 #endif
2367 #if defined(PSA_WANT_ALG_SHA3_512)
2368 case PSA_ALG_SHA3_512:
2369 return 1;
2370 #endif
2371 default:
2372 return 0;
2373 }
2374 }
2375
psa_hash_abort(psa_hash_operation_t * operation)2376 psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
2377 {
2378 /* Aborting a non-active operation is allowed */
2379 if (operation->id == 0) {
2380 return PSA_SUCCESS;
2381 }
2382
2383 psa_status_t status = psa_driver_wrapper_hash_abort(operation);
2384 operation->id = 0;
2385
2386 return status;
2387 }
2388
psa_hash_setup(psa_hash_operation_t * operation,psa_algorithm_t alg)2389 psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
2390 psa_algorithm_t alg)
2391 {
2392 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2393
2394 /* A context must be freshly initialized before it can be set up. */
2395 if (operation->id != 0) {
2396 status = PSA_ERROR_BAD_STATE;
2397 goto exit;
2398 }
2399
2400 if (!PSA_ALG_IS_HASH(alg)) {
2401 status = PSA_ERROR_INVALID_ARGUMENT;
2402 goto exit;
2403 }
2404
2405 /* Make sure the driver-dependent part of the operation is zeroed.
2406 * This is a guarantee we make to drivers. Initializing the operation
2407 * does not necessarily take care of it, since the context is a
2408 * union and initializing a union does not necessarily initialize
2409 * all of its members. */
2410 memset(&operation->ctx, 0, sizeof(operation->ctx));
2411
2412 status = psa_driver_wrapper_hash_setup(operation, alg);
2413
2414 exit:
2415 if (status != PSA_SUCCESS) {
2416 psa_hash_abort(operation);
2417 }
2418
2419 return status;
2420 }
2421
psa_hash_update(psa_hash_operation_t * operation,const uint8_t * input_external,size_t input_length)2422 psa_status_t psa_hash_update(psa_hash_operation_t *operation,
2423 const uint8_t *input_external,
2424 size_t input_length)
2425 {
2426 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2427 LOCAL_INPUT_DECLARE(input_external, input);
2428
2429 if (operation->id == 0) {
2430 status = PSA_ERROR_BAD_STATE;
2431 goto exit;
2432 }
2433
2434 /* Don't require hash implementations to behave correctly on a
2435 * zero-length input, which may have an invalid pointer. */
2436 if (input_length == 0) {
2437 return PSA_SUCCESS;
2438 }
2439
2440 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2441 status = psa_driver_wrapper_hash_update(operation, input, input_length);
2442
2443 exit:
2444 if (status != PSA_SUCCESS) {
2445 psa_hash_abort(operation);
2446 }
2447
2448 LOCAL_INPUT_FREE(input_external, input);
2449 return status;
2450 }
2451
psa_hash_finish_internal(psa_hash_operation_t * operation,uint8_t * hash,size_t hash_size,size_t * hash_length)2452 static psa_status_t psa_hash_finish_internal(psa_hash_operation_t *operation,
2453 uint8_t *hash,
2454 size_t hash_size,
2455 size_t *hash_length)
2456 {
2457 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2458
2459 *hash_length = 0;
2460 if (operation->id == 0) {
2461 return PSA_ERROR_BAD_STATE;
2462 }
2463
2464 status = psa_driver_wrapper_hash_finish(
2465 operation, hash, hash_size, hash_length);
2466 psa_hash_abort(operation);
2467
2468 return status;
2469 }
2470
psa_hash_finish(psa_hash_operation_t * operation,uint8_t * hash_external,size_t hash_size,size_t * hash_length)2471 psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
2472 uint8_t *hash_external,
2473 size_t hash_size,
2474 size_t *hash_length)
2475 {
2476 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2477 LOCAL_OUTPUT_DECLARE(hash_external, hash);
2478
2479 LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
2480 status = psa_hash_finish_internal(operation, hash, hash_size, hash_length);
2481
2482 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2483 exit:
2484 #endif
2485 LOCAL_OUTPUT_FREE(hash_external, hash);
2486 return status;
2487 }
2488
psa_hash_verify(psa_hash_operation_t * operation,const uint8_t * hash_external,size_t hash_length)2489 psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
2490 const uint8_t *hash_external,
2491 size_t hash_length)
2492 {
2493 uint8_t actual_hash[PSA_HASH_MAX_SIZE];
2494 size_t actual_hash_length;
2495 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2496 LOCAL_INPUT_DECLARE(hash_external, hash);
2497
2498 status = psa_hash_finish_internal(
2499 operation,
2500 actual_hash, sizeof(actual_hash),
2501 &actual_hash_length);
2502
2503 if (status != PSA_SUCCESS) {
2504 goto exit;
2505 }
2506
2507 if (actual_hash_length != hash_length) {
2508 status = PSA_ERROR_INVALID_SIGNATURE;
2509 goto exit;
2510 }
2511
2512 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
2513 if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
2514 status = PSA_ERROR_INVALID_SIGNATURE;
2515 }
2516
2517 exit:
2518 mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
2519 if (status != PSA_SUCCESS) {
2520 psa_hash_abort(operation);
2521 }
2522 LOCAL_INPUT_FREE(hash_external, hash);
2523 return status;
2524 }
2525
psa_hash_compute(psa_algorithm_t alg,const uint8_t * input_external,size_t input_length,uint8_t * hash_external,size_t hash_size,size_t * hash_length)2526 psa_status_t psa_hash_compute(psa_algorithm_t alg,
2527 const uint8_t *input_external, size_t input_length,
2528 uint8_t *hash_external, size_t hash_size,
2529 size_t *hash_length)
2530 {
2531 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2532 LOCAL_INPUT_DECLARE(input_external, input);
2533 LOCAL_OUTPUT_DECLARE(hash_external, hash);
2534
2535 *hash_length = 0;
2536 if (!PSA_ALG_IS_HASH(alg)) {
2537 return PSA_ERROR_INVALID_ARGUMENT;
2538 }
2539
2540 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2541 LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
2542 status = psa_driver_wrapper_hash_compute(alg, input, input_length,
2543 hash, hash_size, hash_length);
2544
2545 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2546 exit:
2547 #endif
2548 LOCAL_INPUT_FREE(input_external, input);
2549 LOCAL_OUTPUT_FREE(hash_external, hash);
2550 return status;
2551 }
2552
psa_hash_compare(psa_algorithm_t alg,const uint8_t * input_external,size_t input_length,const uint8_t * hash_external,size_t hash_length)2553 psa_status_t psa_hash_compare(psa_algorithm_t alg,
2554 const uint8_t *input_external, size_t input_length,
2555 const uint8_t *hash_external, size_t hash_length)
2556 {
2557 uint8_t actual_hash[PSA_HASH_MAX_SIZE];
2558 size_t actual_hash_length;
2559 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2560
2561 LOCAL_INPUT_DECLARE(input_external, input);
2562 LOCAL_INPUT_DECLARE(hash_external, hash);
2563
2564 if (!PSA_ALG_IS_HASH(alg)) {
2565 status = PSA_ERROR_INVALID_ARGUMENT;
2566 return status;
2567 }
2568
2569 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2570 status = psa_driver_wrapper_hash_compute(
2571 alg, input, input_length,
2572 actual_hash, sizeof(actual_hash),
2573 &actual_hash_length);
2574 if (status != PSA_SUCCESS) {
2575 goto exit;
2576 }
2577 if (actual_hash_length != hash_length) {
2578 status = PSA_ERROR_INVALID_SIGNATURE;
2579 goto exit;
2580 }
2581
2582 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
2583 if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
2584 status = PSA_ERROR_INVALID_SIGNATURE;
2585 }
2586
2587 exit:
2588 mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
2589
2590 LOCAL_INPUT_FREE(input_external, input);
2591 LOCAL_INPUT_FREE(hash_external, hash);
2592
2593 return status;
2594 }
2595
psa_hash_clone(const psa_hash_operation_t * source_operation,psa_hash_operation_t * target_operation)2596 psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
2597 psa_hash_operation_t *target_operation)
2598 {
2599 if (source_operation->id == 0 ||
2600 target_operation->id != 0) {
2601 return PSA_ERROR_BAD_STATE;
2602 }
2603
2604 /* Make sure the driver-dependent part of the operation is zeroed.
2605 * This is a guarantee we make to drivers. Initializing the operation
2606 * does not necessarily take care of it, since the context is a
2607 * union and initializing a union does not necessarily initialize
2608 * all of its members. */
2609 memset(&target_operation->ctx, 0, sizeof(target_operation->ctx));
2610
2611 psa_status_t status = psa_driver_wrapper_hash_clone(source_operation,
2612 target_operation);
2613 if (status != PSA_SUCCESS) {
2614 psa_hash_abort(target_operation);
2615 }
2616
2617 return status;
2618 }
2619
2620
2621 /****************************************************************/
2622 /* MAC */
2623 /****************************************************************/
2624
psa_mac_abort(psa_mac_operation_t * operation)2625 psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
2626 {
2627 /* Aborting a non-active operation is allowed */
2628 if (operation->id == 0) {
2629 return PSA_SUCCESS;
2630 }
2631
2632 psa_status_t status = psa_driver_wrapper_mac_abort(operation);
2633 operation->mac_size = 0;
2634 operation->is_sign = 0;
2635 operation->id = 0;
2636
2637 return status;
2638 }
2639
psa_mac_finalize_alg_and_key_validation(psa_algorithm_t alg,const psa_key_attributes_t * attributes,uint8_t * mac_size)2640 static psa_status_t psa_mac_finalize_alg_and_key_validation(
2641 psa_algorithm_t alg,
2642 const psa_key_attributes_t *attributes,
2643 uint8_t *mac_size)
2644 {
2645 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2646 psa_key_type_t key_type = psa_get_key_type(attributes);
2647 size_t key_bits = psa_get_key_bits(attributes);
2648
2649 if (!PSA_ALG_IS_MAC(alg)) {
2650 return PSA_ERROR_INVALID_ARGUMENT;
2651 }
2652
2653 /* Validate the combination of key type and algorithm */
2654 status = psa_mac_key_can_do(alg, key_type);
2655 if (status != PSA_SUCCESS) {
2656 return status;
2657 }
2658
2659 /* Get the output length for the algorithm and key combination */
2660 *mac_size = PSA_MAC_LENGTH(key_type, key_bits, alg);
2661
2662 if (*mac_size < 4) {
2663 /* A very short MAC is too short for security since it can be
2664 * brute-forced. Ancient protocols with 32-bit MACs do exist,
2665 * so we make this our minimum, even though 32 bits is still
2666 * too small for security. */
2667 return PSA_ERROR_NOT_SUPPORTED;
2668 }
2669
2670 if (*mac_size > PSA_MAC_LENGTH(key_type, key_bits,
2671 PSA_ALG_FULL_LENGTH_MAC(alg))) {
2672 /* It's impossible to "truncate" to a larger length than the full length
2673 * of the algorithm. */
2674 return PSA_ERROR_INVALID_ARGUMENT;
2675 }
2676
2677 if (*mac_size > PSA_MAC_MAX_SIZE) {
2678 /* PSA_MAC_LENGTH returns the correct length even for a MAC algorithm
2679 * that is disabled in the compile-time configuration. The result can
2680 * therefore be larger than PSA_MAC_MAX_SIZE, which does take the
2681 * configuration into account. In this case, force a return of
2682 * PSA_ERROR_NOT_SUPPORTED here. Otherwise psa_mac_verify(), or
2683 * psa_mac_compute(mac_size=PSA_MAC_MAX_SIZE), would return
2684 * PSA_ERROR_BUFFER_TOO_SMALL for an unsupported algorithm whose MAC size
2685 * is larger than PSA_MAC_MAX_SIZE, which is misleading and which breaks
2686 * systematically generated tests. */
2687 return PSA_ERROR_NOT_SUPPORTED;
2688 }
2689
2690 return PSA_SUCCESS;
2691 }
2692
psa_mac_setup(psa_mac_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,int is_sign)2693 static psa_status_t psa_mac_setup(psa_mac_operation_t *operation,
2694 mbedtls_svc_key_id_t key,
2695 psa_algorithm_t alg,
2696 int is_sign)
2697 {
2698 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2699 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2700 psa_key_slot_t *slot = NULL;
2701
2702 /* A context must be freshly initialized before it can be set up. */
2703 if (operation->id != 0) {
2704 status = PSA_ERROR_BAD_STATE;
2705 goto exit;
2706 }
2707
2708 /* Make sure the driver-dependent part of the operation is zeroed.
2709 * This is a guarantee we make to drivers. Initializing the operation
2710 * does not necessarily take care of it, since the context is a
2711 * union and initializing a union does not necessarily initialize
2712 * all of its members. */
2713 memset(&operation->ctx, 0, sizeof(operation->ctx));
2714
2715 status = psa_get_and_lock_key_slot_with_policy(
2716 key,
2717 &slot,
2718 is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
2719 alg);
2720 if (status != PSA_SUCCESS) {
2721 goto exit;
2722 }
2723
2724 status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr,
2725 &operation->mac_size);
2726 if (status != PSA_SUCCESS) {
2727 goto exit;
2728 }
2729
2730 operation->is_sign = is_sign;
2731 /* Dispatch the MAC setup call with validated input */
2732 if (is_sign) {
2733 status = psa_driver_wrapper_mac_sign_setup(operation,
2734 &slot->attr,
2735 slot->key.data,
2736 slot->key.bytes,
2737 alg);
2738 } else {
2739 status = psa_driver_wrapper_mac_verify_setup(operation,
2740 &slot->attr,
2741 slot->key.data,
2742 slot->key.bytes,
2743 alg);
2744 }
2745
2746 exit:
2747 if (status != PSA_SUCCESS) {
2748 psa_mac_abort(operation);
2749 }
2750
2751 unlock_status = psa_unregister_read_under_mutex(slot);
2752
2753 return (status == PSA_SUCCESS) ? unlock_status : status;
2754 }
2755
psa_mac_sign_setup(psa_mac_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg)2756 psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
2757 mbedtls_svc_key_id_t key,
2758 psa_algorithm_t alg)
2759 {
2760 return psa_mac_setup(operation, key, alg, 1);
2761 }
2762
psa_mac_verify_setup(psa_mac_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg)2763 psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
2764 mbedtls_svc_key_id_t key,
2765 psa_algorithm_t alg)
2766 {
2767 return psa_mac_setup(operation, key, alg, 0);
2768 }
2769
psa_mac_update(psa_mac_operation_t * operation,const uint8_t * input_external,size_t input_length)2770 psa_status_t psa_mac_update(psa_mac_operation_t *operation,
2771 const uint8_t *input_external,
2772 size_t input_length)
2773 {
2774 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2775 LOCAL_INPUT_DECLARE(input_external, input);
2776
2777 if (operation->id == 0) {
2778 status = PSA_ERROR_BAD_STATE;
2779 return status;
2780 }
2781
2782 /* Don't require hash implementations to behave correctly on a
2783 * zero-length input, which may have an invalid pointer. */
2784 if (input_length == 0) {
2785 status = PSA_SUCCESS;
2786 return status;
2787 }
2788
2789 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2790 status = psa_driver_wrapper_mac_update(operation, input, input_length);
2791
2792 if (status != PSA_SUCCESS) {
2793 psa_mac_abort(operation);
2794 }
2795
2796 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2797 exit:
2798 #endif
2799 LOCAL_INPUT_FREE(input_external, input);
2800
2801 return status;
2802 }
2803
psa_mac_sign_finish(psa_mac_operation_t * operation,uint8_t * mac_external,size_t mac_size,size_t * mac_length)2804 psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
2805 uint8_t *mac_external,
2806 size_t mac_size,
2807 size_t *mac_length)
2808 {
2809 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2810 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
2811 LOCAL_OUTPUT_DECLARE(mac_external, mac);
2812 LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
2813
2814 if (operation->id == 0) {
2815 status = PSA_ERROR_BAD_STATE;
2816 goto exit;
2817 }
2818
2819 if (!operation->is_sign) {
2820 status = PSA_ERROR_BAD_STATE;
2821 goto exit;
2822 }
2823
2824 /* Sanity check. This will guarantee that mac_size != 0 (and so mac != NULL)
2825 * once all the error checks are done. */
2826 if (operation->mac_size == 0) {
2827 status = PSA_ERROR_BAD_STATE;
2828 goto exit;
2829 }
2830
2831 if (mac_size < operation->mac_size) {
2832 status = PSA_ERROR_BUFFER_TOO_SMALL;
2833 goto exit;
2834 }
2835
2836
2837 status = psa_driver_wrapper_mac_sign_finish(operation,
2838 mac, operation->mac_size,
2839 mac_length);
2840
2841 exit:
2842 /* In case of success, set the potential excess room in the output buffer
2843 * to an invalid value, to avoid potentially leaking a longer MAC.
2844 * In case of error, set the output length and content to a safe default,
2845 * such that in case the caller misses an error check, the output would be
2846 * an unachievable MAC.
2847 */
2848 if (status != PSA_SUCCESS) {
2849 *mac_length = mac_size;
2850 operation->mac_size = 0;
2851 }
2852
2853 if (mac != NULL) {
2854 psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
2855 }
2856
2857 abort_status = psa_mac_abort(operation);
2858 LOCAL_OUTPUT_FREE(mac_external, mac);
2859
2860 return status == PSA_SUCCESS ? abort_status : status;
2861 }
2862
psa_mac_verify_finish(psa_mac_operation_t * operation,const uint8_t * mac_external,size_t mac_length)2863 psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
2864 const uint8_t *mac_external,
2865 size_t mac_length)
2866 {
2867 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2868 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
2869 LOCAL_INPUT_DECLARE(mac_external, mac);
2870
2871 if (operation->id == 0) {
2872 status = PSA_ERROR_BAD_STATE;
2873 goto exit;
2874 }
2875
2876 if (operation->is_sign) {
2877 status = PSA_ERROR_BAD_STATE;
2878 goto exit;
2879 }
2880
2881 if (operation->mac_size != mac_length) {
2882 status = PSA_ERROR_INVALID_SIGNATURE;
2883 goto exit;
2884 }
2885
2886 LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
2887 status = psa_driver_wrapper_mac_verify_finish(operation,
2888 mac, mac_length);
2889
2890 exit:
2891 abort_status = psa_mac_abort(operation);
2892 LOCAL_INPUT_FREE(mac_external, mac);
2893
2894 return status == PSA_SUCCESS ? abort_status : status;
2895 }
2896
psa_mac_compute_internal(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input,size_t input_length,uint8_t * mac,size_t mac_size,size_t * mac_length,int is_sign)2897 static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key,
2898 psa_algorithm_t alg,
2899 const uint8_t *input,
2900 size_t input_length,
2901 uint8_t *mac,
2902 size_t mac_size,
2903 size_t *mac_length,
2904 int is_sign)
2905 {
2906 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2907 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2908 psa_key_slot_t *slot;
2909 uint8_t operation_mac_size = 0;
2910
2911 status = psa_get_and_lock_key_slot_with_policy(
2912 key,
2913 &slot,
2914 is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
2915 alg);
2916 if (status != PSA_SUCCESS) {
2917 goto exit;
2918 }
2919
2920 status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr,
2921 &operation_mac_size);
2922 if (status != PSA_SUCCESS) {
2923 goto exit;
2924 }
2925
2926 if (mac_size < operation_mac_size) {
2927 status = PSA_ERROR_BUFFER_TOO_SMALL;
2928 goto exit;
2929 }
2930
2931 status = psa_driver_wrapper_mac_compute(
2932 &slot->attr,
2933 slot->key.data, slot->key.bytes,
2934 alg,
2935 input, input_length,
2936 mac, operation_mac_size, mac_length);
2937
2938 exit:
2939 /* In case of success, set the potential excess room in the output buffer
2940 * to an invalid value, to avoid potentially leaking a longer MAC.
2941 * In case of error, set the output length and content to a safe default,
2942 * such that in case the caller misses an error check, the output would be
2943 * an unachievable MAC.
2944 */
2945 if (status != PSA_SUCCESS) {
2946 *mac_length = mac_size;
2947 operation_mac_size = 0;
2948 }
2949
2950 psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
2951
2952 unlock_status = psa_unregister_read_under_mutex(slot);
2953
2954 return (status == PSA_SUCCESS) ? unlock_status : status;
2955 }
2956
psa_mac_compute(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input_external,size_t input_length,uint8_t * mac_external,size_t mac_size,size_t * mac_length)2957 psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
2958 psa_algorithm_t alg,
2959 const uint8_t *input_external,
2960 size_t input_length,
2961 uint8_t *mac_external,
2962 size_t mac_size,
2963 size_t *mac_length)
2964 {
2965 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2966 LOCAL_INPUT_DECLARE(input_external, input);
2967 LOCAL_OUTPUT_DECLARE(mac_external, mac);
2968
2969 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2970 LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
2971 status = psa_mac_compute_internal(key, alg,
2972 input, input_length,
2973 mac, mac_size, mac_length, 1);
2974
2975 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2976 exit:
2977 #endif
2978 LOCAL_INPUT_FREE(input_external, input);
2979 LOCAL_OUTPUT_FREE(mac_external, mac);
2980
2981 return status;
2982 }
2983
psa_mac_verify(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input_external,size_t input_length,const uint8_t * mac_external,size_t mac_length)2984 psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
2985 psa_algorithm_t alg,
2986 const uint8_t *input_external,
2987 size_t input_length,
2988 const uint8_t *mac_external,
2989 size_t mac_length)
2990 {
2991 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2992 uint8_t actual_mac[PSA_MAC_MAX_SIZE];
2993 size_t actual_mac_length;
2994 LOCAL_INPUT_DECLARE(input_external, input);
2995 LOCAL_INPUT_DECLARE(mac_external, mac);
2996
2997 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2998 status = psa_mac_compute_internal(key, alg,
2999 input, input_length,
3000 actual_mac, sizeof(actual_mac),
3001 &actual_mac_length, 0);
3002 if (status != PSA_SUCCESS) {
3003 goto exit;
3004 }
3005
3006 if (mac_length != actual_mac_length) {
3007 status = PSA_ERROR_INVALID_SIGNATURE;
3008 goto exit;
3009 }
3010
3011 LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
3012 if (mbedtls_ct_memcmp(mac, actual_mac, actual_mac_length) != 0) {
3013 status = PSA_ERROR_INVALID_SIGNATURE;
3014 goto exit;
3015 }
3016
3017 exit:
3018 mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
3019 LOCAL_INPUT_FREE(input_external, input);
3020 LOCAL_INPUT_FREE(mac_external, mac);
3021
3022 return status;
3023 }
3024
3025 /****************************************************************/
3026 /* Asymmetric cryptography */
3027 /****************************************************************/
3028
psa_sign_verify_check_alg(int input_is_message,psa_algorithm_t alg)3029 static psa_status_t psa_sign_verify_check_alg(int input_is_message,
3030 psa_algorithm_t alg)
3031 {
3032 if (input_is_message) {
3033 if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) {
3034 return PSA_ERROR_INVALID_ARGUMENT;
3035 }
3036 }
3037
3038 psa_algorithm_t hash_alg = 0;
3039 if (PSA_ALG_IS_SIGN_HASH(alg)) {
3040 hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
3041 }
3042
3043 /* Now hash_alg==0 if alg by itself doesn't need a hash.
3044 * This is good enough for sign-hash, but a guaranteed failure for
3045 * sign-message which needs to hash first for all algorithms
3046 * supported at the moment. */
3047
3048 if (hash_alg == 0 && input_is_message) {
3049 return PSA_ERROR_INVALID_ARGUMENT;
3050 }
3051 if (hash_alg == PSA_ALG_ANY_HASH) {
3052 return PSA_ERROR_INVALID_ARGUMENT;
3053 }
3054 /* Give up immediately if the hash is not supported. This has
3055 * several advantages:
3056 * - For mechanisms that don't use the hash at all (e.g.
3057 * ECDSA verification, randomized ECDSA signature), without
3058 * this check, the operation would succeed even though it has
3059 * been given an invalid argument. This would not be insecure
3060 * since the hash was not necessary, but it would be weird.
3061 * - For mechanisms that do use the hash, we avoid an error
3062 * deep inside the execution. In principle this doesn't matter,
3063 * but there is a little more risk of a bug in error handling
3064 * deep inside than in this preliminary check.
3065 * - When calling a driver, the driver might be capable of using
3066 * a hash that the core doesn't support. This could potentially
3067 * result in a buffer overflow if the hash is larger than the
3068 * maximum hash size assumed by the core.
3069 * - Returning a consistent error makes it possible to test
3070 * not-supported hashes in a consistent way.
3071 */
3072 if (hash_alg != 0 && !is_hash_supported(hash_alg)) {
3073 return PSA_ERROR_NOT_SUPPORTED;
3074 }
3075
3076 return PSA_SUCCESS;
3077 }
3078
psa_sign_internal(mbedtls_svc_key_id_t key,int input_is_message,psa_algorithm_t alg,const uint8_t * input,size_t input_length,uint8_t * signature,size_t signature_size,size_t * signature_length)3079 static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key,
3080 int input_is_message,
3081 psa_algorithm_t alg,
3082 const uint8_t *input,
3083 size_t input_length,
3084 uint8_t *signature,
3085 size_t signature_size,
3086 size_t *signature_length)
3087 {
3088 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3089 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3090 psa_key_slot_t *slot;
3091
3092 *signature_length = 0;
3093
3094 status = psa_sign_verify_check_alg(input_is_message, alg);
3095 if (status != PSA_SUCCESS) {
3096 return status;
3097 }
3098
3099 /* Immediately reject a zero-length signature buffer. This guarantees
3100 * that signature must be a valid pointer. (On the other hand, the input
3101 * buffer can in principle be empty since it doesn't actually have
3102 * to be a hash.) */
3103 if (signature_size == 0) {
3104 return PSA_ERROR_BUFFER_TOO_SMALL;
3105 }
3106
3107 status = psa_get_and_lock_key_slot_with_policy(
3108 key, &slot,
3109 input_is_message ? PSA_KEY_USAGE_SIGN_MESSAGE :
3110 PSA_KEY_USAGE_SIGN_HASH,
3111 alg);
3112
3113 if (status != PSA_SUCCESS) {
3114 goto exit;
3115 }
3116
3117 if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
3118 status = PSA_ERROR_INVALID_ARGUMENT;
3119 goto exit;
3120 }
3121
3122 if (input_is_message) {
3123 status = psa_driver_wrapper_sign_message(
3124 &slot->attr, slot->key.data, slot->key.bytes,
3125 alg, input, input_length,
3126 signature, signature_size, signature_length);
3127 } else {
3128
3129 status = psa_driver_wrapper_sign_hash(
3130 &slot->attr, slot->key.data, slot->key.bytes,
3131 alg, input, input_length,
3132 signature, signature_size, signature_length);
3133 }
3134
3135
3136 exit:
3137 psa_wipe_tag_output_buffer(signature, status, signature_size,
3138 *signature_length);
3139
3140 unlock_status = psa_unregister_read_under_mutex(slot);
3141
3142 return (status == PSA_SUCCESS) ? unlock_status : status;
3143 }
3144
psa_verify_internal(mbedtls_svc_key_id_t key,int input_is_message,psa_algorithm_t alg,const uint8_t * input,size_t input_length,const uint8_t * signature,size_t signature_length)3145 static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key,
3146 int input_is_message,
3147 psa_algorithm_t alg,
3148 const uint8_t *input,
3149 size_t input_length,
3150 const uint8_t *signature,
3151 size_t signature_length)
3152 {
3153 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3154 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3155 psa_key_slot_t *slot;
3156
3157 status = psa_sign_verify_check_alg(input_is_message, alg);
3158 if (status != PSA_SUCCESS) {
3159 return status;
3160 }
3161
3162 status = psa_get_and_lock_key_slot_with_policy(
3163 key, &slot,
3164 input_is_message ? PSA_KEY_USAGE_VERIFY_MESSAGE :
3165 PSA_KEY_USAGE_VERIFY_HASH,
3166 alg);
3167
3168 if (status != PSA_SUCCESS) {
3169 return status;
3170 }
3171
3172 if (input_is_message) {
3173 status = psa_driver_wrapper_verify_message(
3174 &slot->attr, slot->key.data, slot->key.bytes,
3175 alg, input, input_length,
3176 signature, signature_length);
3177 } else {
3178 status = psa_driver_wrapper_verify_hash(
3179 &slot->attr, slot->key.data, slot->key.bytes,
3180 alg, input, input_length,
3181 signature, signature_length);
3182 }
3183
3184 unlock_status = psa_unregister_read_under_mutex(slot);
3185
3186 return (status == PSA_SUCCESS) ? unlock_status : status;
3187
3188 }
3189
psa_sign_message_builtin(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * input,size_t input_length,uint8_t * signature,size_t signature_size,size_t * signature_length)3190 psa_status_t psa_sign_message_builtin(
3191 const psa_key_attributes_t *attributes,
3192 const uint8_t *key_buffer,
3193 size_t key_buffer_size,
3194 psa_algorithm_t alg,
3195 const uint8_t *input,
3196 size_t input_length,
3197 uint8_t *signature,
3198 size_t signature_size,
3199 size_t *signature_length)
3200 {
3201 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3202
3203 if (PSA_ALG_IS_SIGN_HASH(alg)) {
3204 size_t hash_length;
3205 uint8_t hash[PSA_HASH_MAX_SIZE];
3206
3207 status = psa_driver_wrapper_hash_compute(
3208 PSA_ALG_SIGN_GET_HASH(alg),
3209 input, input_length,
3210 hash, sizeof(hash), &hash_length);
3211
3212 if (status != PSA_SUCCESS) {
3213 return status;
3214 }
3215
3216 return psa_driver_wrapper_sign_hash(
3217 attributes, key_buffer, key_buffer_size,
3218 alg, hash, hash_length,
3219 signature, signature_size, signature_length);
3220 }
3221
3222 return PSA_ERROR_NOT_SUPPORTED;
3223 }
3224
psa_sign_message(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input_external,size_t input_length,uint8_t * signature_external,size_t signature_size,size_t * signature_length)3225 psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
3226 psa_algorithm_t alg,
3227 const uint8_t *input_external,
3228 size_t input_length,
3229 uint8_t *signature_external,
3230 size_t signature_size,
3231 size_t *signature_length)
3232 {
3233 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3234 LOCAL_INPUT_DECLARE(input_external, input);
3235 LOCAL_OUTPUT_DECLARE(signature_external, signature);
3236
3237 LOCAL_INPUT_ALLOC(input_external, input_length, input);
3238 LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
3239 status = psa_sign_internal(key, 1, alg, input, input_length, signature,
3240 signature_size, signature_length);
3241
3242 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3243 exit:
3244 #endif
3245 LOCAL_INPUT_FREE(input_external, input);
3246 LOCAL_OUTPUT_FREE(signature_external, signature);
3247 return status;
3248 }
3249
psa_verify_message_builtin(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * input,size_t input_length,const uint8_t * signature,size_t signature_length)3250 psa_status_t psa_verify_message_builtin(
3251 const psa_key_attributes_t *attributes,
3252 const uint8_t *key_buffer,
3253 size_t key_buffer_size,
3254 psa_algorithm_t alg,
3255 const uint8_t *input,
3256 size_t input_length,
3257 const uint8_t *signature,
3258 size_t signature_length)
3259 {
3260 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3261
3262 if (PSA_ALG_IS_SIGN_HASH(alg)) {
3263 size_t hash_length;
3264 uint8_t hash[PSA_HASH_MAX_SIZE];
3265
3266 status = psa_driver_wrapper_hash_compute(
3267 PSA_ALG_SIGN_GET_HASH(alg),
3268 input, input_length,
3269 hash, sizeof(hash), &hash_length);
3270
3271 if (status != PSA_SUCCESS) {
3272 return status;
3273 }
3274
3275 return psa_driver_wrapper_verify_hash(
3276 attributes, key_buffer, key_buffer_size,
3277 alg, hash, hash_length,
3278 signature, signature_length);
3279 }
3280
3281 return PSA_ERROR_NOT_SUPPORTED;
3282 }
3283
psa_verify_message(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input_external,size_t input_length,const uint8_t * signature_external,size_t signature_length)3284 psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
3285 psa_algorithm_t alg,
3286 const uint8_t *input_external,
3287 size_t input_length,
3288 const uint8_t *signature_external,
3289 size_t signature_length)
3290 {
3291 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3292 LOCAL_INPUT_DECLARE(input_external, input);
3293 LOCAL_INPUT_DECLARE(signature_external, signature);
3294
3295 LOCAL_INPUT_ALLOC(input_external, input_length, input);
3296 LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
3297 status = psa_verify_internal(key, 1, alg, input, input_length, signature,
3298 signature_length);
3299
3300 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3301 exit:
3302 #endif
3303 LOCAL_INPUT_FREE(input_external, input);
3304 LOCAL_INPUT_FREE(signature_external, signature);
3305
3306 return status;
3307 }
3308
psa_sign_hash_builtin(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,uint8_t * signature,size_t signature_size,size_t * signature_length)3309 psa_status_t psa_sign_hash_builtin(
3310 const psa_key_attributes_t *attributes,
3311 const uint8_t *key_buffer, size_t key_buffer_size,
3312 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
3313 uint8_t *signature, size_t signature_size, size_t *signature_length)
3314 {
3315 if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
3316 if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
3317 PSA_ALG_IS_RSA_PSS(alg)) {
3318 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
3319 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3320 return mbedtls_psa_rsa_sign_hash(
3321 attributes,
3322 key_buffer, key_buffer_size,
3323 alg, hash, hash_length,
3324 signature, signature_size, signature_length);
3325 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
3326 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
3327 } else {
3328 return PSA_ERROR_INVALID_ARGUMENT;
3329 }
3330 } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
3331 if (PSA_ALG_IS_ECDSA(alg)) {
3332 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3333 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3334 return mbedtls_psa_ecdsa_sign_hash(
3335 attributes,
3336 key_buffer, key_buffer_size,
3337 alg, hash, hash_length,
3338 signature, signature_size, signature_length);
3339 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3340 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3341 } else {
3342 return PSA_ERROR_INVALID_ARGUMENT;
3343 }
3344 }
3345
3346 (void) key_buffer;
3347 (void) key_buffer_size;
3348 (void) hash;
3349 (void) hash_length;
3350 (void) signature;
3351 (void) signature_size;
3352 (void) signature_length;
3353
3354 return PSA_ERROR_NOT_SUPPORTED;
3355 }
3356
psa_sign_hash(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * hash_external,size_t hash_length,uint8_t * signature_external,size_t signature_size,size_t * signature_length)3357 psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
3358 psa_algorithm_t alg,
3359 const uint8_t *hash_external,
3360 size_t hash_length,
3361 uint8_t *signature_external,
3362 size_t signature_size,
3363 size_t *signature_length)
3364 {
3365 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3366 LOCAL_INPUT_DECLARE(hash_external, hash);
3367 LOCAL_OUTPUT_DECLARE(signature_external, signature);
3368
3369 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3370 LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
3371 status = psa_sign_internal(key, 0, alg, hash, hash_length, signature,
3372 signature_size, signature_length);
3373
3374 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3375 exit:
3376 #endif
3377 LOCAL_INPUT_FREE(hash_external, hash);
3378 LOCAL_OUTPUT_FREE(signature_external, signature);
3379
3380 return status;
3381 }
3382
psa_verify_hash_builtin(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,const uint8_t * signature,size_t signature_length)3383 psa_status_t psa_verify_hash_builtin(
3384 const psa_key_attributes_t *attributes,
3385 const uint8_t *key_buffer, size_t key_buffer_size,
3386 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
3387 const uint8_t *signature, size_t signature_length)
3388 {
3389 if (PSA_KEY_TYPE_IS_RSA(attributes->type)) {
3390 if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
3391 PSA_ALG_IS_RSA_PSS(alg)) {
3392 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
3393 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3394 return mbedtls_psa_rsa_verify_hash(
3395 attributes,
3396 key_buffer, key_buffer_size,
3397 alg, hash, hash_length,
3398 signature, signature_length);
3399 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
3400 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
3401 } else {
3402 return PSA_ERROR_INVALID_ARGUMENT;
3403 }
3404 } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
3405 if (PSA_ALG_IS_ECDSA(alg)) {
3406 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3407 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3408 return mbedtls_psa_ecdsa_verify_hash(
3409 attributes,
3410 key_buffer, key_buffer_size,
3411 alg, hash, hash_length,
3412 signature, signature_length);
3413 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3414 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3415 } else {
3416 return PSA_ERROR_INVALID_ARGUMENT;
3417 }
3418 }
3419
3420 (void) key_buffer;
3421 (void) key_buffer_size;
3422 (void) hash;
3423 (void) hash_length;
3424 (void) signature;
3425 (void) signature_length;
3426
3427 return PSA_ERROR_NOT_SUPPORTED;
3428 }
3429
psa_verify_hash(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * hash_external,size_t hash_length,const uint8_t * signature_external,size_t signature_length)3430 psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
3431 psa_algorithm_t alg,
3432 const uint8_t *hash_external,
3433 size_t hash_length,
3434 const uint8_t *signature_external,
3435 size_t signature_length)
3436 {
3437 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3438 LOCAL_INPUT_DECLARE(hash_external, hash);
3439 LOCAL_INPUT_DECLARE(signature_external, signature);
3440
3441 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3442 LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
3443 status = psa_verify_internal(key, 0, alg, hash, hash_length, signature,
3444 signature_length);
3445
3446 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3447 exit:
3448 #endif
3449 LOCAL_INPUT_FREE(hash_external, hash);
3450 LOCAL_INPUT_FREE(signature_external, signature);
3451
3452 return status;
3453 }
3454
psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input_external,size_t input_length,const uint8_t * salt_external,size_t salt_length,uint8_t * output_external,size_t output_size,size_t * output_length)3455 psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
3456 psa_algorithm_t alg,
3457 const uint8_t *input_external,
3458 size_t input_length,
3459 const uint8_t *salt_external,
3460 size_t salt_length,
3461 uint8_t *output_external,
3462 size_t output_size,
3463 size_t *output_length)
3464 {
3465 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3466 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3467 psa_key_slot_t *slot;
3468
3469 LOCAL_INPUT_DECLARE(input_external, input);
3470 LOCAL_INPUT_DECLARE(salt_external, salt);
3471 LOCAL_OUTPUT_DECLARE(output_external, output);
3472
3473 (void) input;
3474 (void) input_length;
3475 (void) salt;
3476 (void) output;
3477 (void) output_size;
3478
3479 *output_length = 0;
3480
3481 if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
3482 return PSA_ERROR_INVALID_ARGUMENT;
3483 }
3484
3485 status = psa_get_and_lock_key_slot_with_policy(
3486 key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
3487 if (status != PSA_SUCCESS) {
3488 return status;
3489 }
3490 if (!(PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type) ||
3491 PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type))) {
3492 status = PSA_ERROR_INVALID_ARGUMENT;
3493 goto exit;
3494 }
3495
3496 LOCAL_INPUT_ALLOC(input_external, input_length, input);
3497 LOCAL_INPUT_ALLOC(salt_external, salt_length, salt);
3498 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
3499
3500 status = psa_driver_wrapper_asymmetric_encrypt(
3501 &slot->attr, slot->key.data, slot->key.bytes,
3502 alg, input, input_length, salt, salt_length,
3503 output, output_size, output_length);
3504 exit:
3505 unlock_status = psa_unregister_read_under_mutex(slot);
3506
3507 LOCAL_INPUT_FREE(input_external, input);
3508 LOCAL_INPUT_FREE(salt_external, salt);
3509 LOCAL_OUTPUT_FREE(output_external, output);
3510
3511 return (status == PSA_SUCCESS) ? unlock_status : status;
3512 }
3513
psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input_external,size_t input_length,const uint8_t * salt_external,size_t salt_length,uint8_t * output_external,size_t output_size,size_t * output_length)3514 psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
3515 psa_algorithm_t alg,
3516 const uint8_t *input_external,
3517 size_t input_length,
3518 const uint8_t *salt_external,
3519 size_t salt_length,
3520 uint8_t *output_external,
3521 size_t output_size,
3522 size_t *output_length)
3523 {
3524 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3525 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3526 psa_key_slot_t *slot;
3527
3528 LOCAL_INPUT_DECLARE(input_external, input);
3529 LOCAL_INPUT_DECLARE(salt_external, salt);
3530 LOCAL_OUTPUT_DECLARE(output_external, output);
3531
3532 (void) input;
3533 (void) input_length;
3534 (void) salt;
3535 (void) output;
3536 (void) output_size;
3537
3538 *output_length = 0;
3539
3540 if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
3541 return PSA_ERROR_INVALID_ARGUMENT;
3542 }
3543
3544 status = psa_get_and_lock_key_slot_with_policy(
3545 key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
3546 if (status != PSA_SUCCESS) {
3547 return status;
3548 }
3549 if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
3550 status = PSA_ERROR_INVALID_ARGUMENT;
3551 goto exit;
3552 }
3553
3554 LOCAL_INPUT_ALLOC(input_external, input_length, input);
3555 LOCAL_INPUT_ALLOC(salt_external, salt_length, salt);
3556 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
3557
3558 status = psa_driver_wrapper_asymmetric_decrypt(
3559 &slot->attr, slot->key.data, slot->key.bytes,
3560 alg, input, input_length, salt, salt_length,
3561 output, output_size, output_length);
3562
3563 exit:
3564 unlock_status = psa_unregister_read_under_mutex(slot);
3565
3566 LOCAL_INPUT_FREE(input_external, input);
3567 LOCAL_INPUT_FREE(salt_external, salt);
3568 LOCAL_OUTPUT_FREE(output_external, output);
3569
3570 return (status == PSA_SUCCESS) ? unlock_status : status;
3571 }
3572
3573 /****************************************************************/
3574 /* Asymmetric interruptible cryptography */
3575 /****************************************************************/
3576
3577 static uint32_t psa_interruptible_max_ops = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
3578
psa_interruptible_set_max_ops(uint32_t max_ops)3579 void psa_interruptible_set_max_ops(uint32_t max_ops)
3580 {
3581 psa_interruptible_max_ops = max_ops;
3582 }
3583
psa_interruptible_get_max_ops(void)3584 uint32_t psa_interruptible_get_max_ops(void)
3585 {
3586 return psa_interruptible_max_ops;
3587 }
3588
psa_sign_hash_get_num_ops(const psa_sign_hash_interruptible_operation_t * operation)3589 uint32_t psa_sign_hash_get_num_ops(
3590 const psa_sign_hash_interruptible_operation_t *operation)
3591 {
3592 return operation->num_ops;
3593 }
3594
psa_verify_hash_get_num_ops(const psa_verify_hash_interruptible_operation_t * operation)3595 uint32_t psa_verify_hash_get_num_ops(
3596 const psa_verify_hash_interruptible_operation_t *operation)
3597 {
3598 return operation->num_ops;
3599 }
3600
psa_sign_hash_abort_internal(psa_sign_hash_interruptible_operation_t * operation)3601 static psa_status_t psa_sign_hash_abort_internal(
3602 psa_sign_hash_interruptible_operation_t *operation)
3603 {
3604 if (operation->id == 0) {
3605 /* The object has (apparently) been initialized but it is not (yet)
3606 * in use. It's ok to call abort on such an object, and there's
3607 * nothing to do. */
3608 return PSA_SUCCESS;
3609 }
3610
3611 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3612
3613 status = psa_driver_wrapper_sign_hash_abort(operation);
3614
3615 operation->id = 0;
3616
3617 /* Do not clear either the error_occurred or num_ops elements here as they
3618 * only want to be cleared by the application calling abort, not by abort
3619 * being called at completion of an operation. */
3620
3621 return status;
3622 }
3623
psa_sign_hash_start(psa_sign_hash_interruptible_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * hash_external,size_t hash_length)3624 psa_status_t psa_sign_hash_start(
3625 psa_sign_hash_interruptible_operation_t *operation,
3626 mbedtls_svc_key_id_t key, psa_algorithm_t alg,
3627 const uint8_t *hash_external, size_t hash_length)
3628 {
3629 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3630 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3631 psa_key_slot_t *slot;
3632
3633 LOCAL_INPUT_DECLARE(hash_external, hash);
3634
3635 /* Check that start has not been previously called, or operation has not
3636 * previously errored. */
3637 if (operation->id != 0 || operation->error_occurred) {
3638 return PSA_ERROR_BAD_STATE;
3639 }
3640
3641 /* Make sure the driver-dependent part of the operation is zeroed.
3642 * This is a guarantee we make to drivers. Initializing the operation
3643 * does not necessarily take care of it, since the context is a
3644 * union and initializing a union does not necessarily initialize
3645 * all of its members. */
3646 memset(&operation->ctx, 0, sizeof(operation->ctx));
3647
3648 status = psa_sign_verify_check_alg(0, alg);
3649 if (status != PSA_SUCCESS) {
3650 operation->error_occurred = 1;
3651 return status;
3652 }
3653
3654 status = psa_get_and_lock_key_slot_with_policy(key, &slot,
3655 PSA_KEY_USAGE_SIGN_HASH,
3656 alg);
3657
3658 if (status != PSA_SUCCESS) {
3659 goto exit;
3660 }
3661
3662 if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
3663 status = PSA_ERROR_INVALID_ARGUMENT;
3664 goto exit;
3665 }
3666
3667 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3668
3669 /* Ensure ops count gets reset, in case of operation re-use. */
3670 operation->num_ops = 0;
3671
3672 status = psa_driver_wrapper_sign_hash_start(operation, &slot->attr,
3673 slot->key.data,
3674 slot->key.bytes, alg,
3675 hash, hash_length);
3676 exit:
3677
3678 if (status != PSA_SUCCESS) {
3679 operation->error_occurred = 1;
3680 psa_sign_hash_abort_internal(operation);
3681 }
3682
3683 unlock_status = psa_unregister_read_under_mutex(slot);
3684
3685 if (unlock_status != PSA_SUCCESS) {
3686 operation->error_occurred = 1;
3687 }
3688
3689 LOCAL_INPUT_FREE(hash_external, hash);
3690
3691 return (status == PSA_SUCCESS) ? unlock_status : status;
3692 }
3693
3694
psa_sign_hash_complete(psa_sign_hash_interruptible_operation_t * operation,uint8_t * signature_external,size_t signature_size,size_t * signature_length)3695 psa_status_t psa_sign_hash_complete(
3696 psa_sign_hash_interruptible_operation_t *operation,
3697 uint8_t *signature_external, size_t signature_size,
3698 size_t *signature_length)
3699 {
3700 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3701
3702 LOCAL_OUTPUT_DECLARE(signature_external, signature);
3703
3704 *signature_length = 0;
3705
3706 /* Check that start has been called first, and that operation has not
3707 * previously errored. */
3708 if (operation->id == 0 || operation->error_occurred) {
3709 status = PSA_ERROR_BAD_STATE;
3710 goto exit;
3711 }
3712
3713 /* Immediately reject a zero-length signature buffer. This guarantees that
3714 * signature must be a valid pointer. */
3715 if (signature_size == 0) {
3716 status = PSA_ERROR_BUFFER_TOO_SMALL;
3717 goto exit;
3718 }
3719
3720 LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
3721
3722 status = psa_driver_wrapper_sign_hash_complete(operation, signature,
3723 signature_size,
3724 signature_length);
3725
3726 /* Update ops count with work done. */
3727 operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
3728
3729 exit:
3730
3731 if (signature != NULL) {
3732 psa_wipe_tag_output_buffer(signature, status, signature_size,
3733 *signature_length);
3734 }
3735
3736 if (status != PSA_OPERATION_INCOMPLETE) {
3737 if (status != PSA_SUCCESS) {
3738 operation->error_occurred = 1;
3739 }
3740
3741 psa_sign_hash_abort_internal(operation);
3742 }
3743
3744 LOCAL_OUTPUT_FREE(signature_external, signature);
3745
3746 return status;
3747 }
3748
psa_sign_hash_abort(psa_sign_hash_interruptible_operation_t * operation)3749 psa_status_t psa_sign_hash_abort(
3750 psa_sign_hash_interruptible_operation_t *operation)
3751 {
3752 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3753
3754 status = psa_sign_hash_abort_internal(operation);
3755
3756 /* We clear the number of ops done here, so that it is not cleared when
3757 * the operation fails or succeeds, only on manual abort. */
3758 operation->num_ops = 0;
3759
3760 /* Likewise, failure state. */
3761 operation->error_occurred = 0;
3762
3763 return status;
3764 }
3765
psa_verify_hash_abort_internal(psa_verify_hash_interruptible_operation_t * operation)3766 static psa_status_t psa_verify_hash_abort_internal(
3767 psa_verify_hash_interruptible_operation_t *operation)
3768 {
3769 if (operation->id == 0) {
3770 /* The object has (apparently) been initialized but it is not (yet)
3771 * in use. It's ok to call abort on such an object, and there's
3772 * nothing to do. */
3773 return PSA_SUCCESS;
3774 }
3775
3776 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3777
3778 status = psa_driver_wrapper_verify_hash_abort(operation);
3779
3780 operation->id = 0;
3781
3782 /* Do not clear either the error_occurred or num_ops elements here as they
3783 * only want to be cleared by the application calling abort, not by abort
3784 * being called at completion of an operation. */
3785
3786 return status;
3787 }
3788
psa_verify_hash_start(psa_verify_hash_interruptible_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * hash_external,size_t hash_length,const uint8_t * signature_external,size_t signature_length)3789 psa_status_t psa_verify_hash_start(
3790 psa_verify_hash_interruptible_operation_t *operation,
3791 mbedtls_svc_key_id_t key, psa_algorithm_t alg,
3792 const uint8_t *hash_external, size_t hash_length,
3793 const uint8_t *signature_external, size_t signature_length)
3794 {
3795 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3796 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3797 psa_key_slot_t *slot;
3798
3799 LOCAL_INPUT_DECLARE(hash_external, hash);
3800 LOCAL_INPUT_DECLARE(signature_external, signature);
3801
3802 /* Check that start has not been previously called, or operation has not
3803 * previously errored. */
3804 if (operation->id != 0 || operation->error_occurred) {
3805 return PSA_ERROR_BAD_STATE;
3806 }
3807
3808 /* Make sure the driver-dependent part of the operation is zeroed.
3809 * This is a guarantee we make to drivers. Initializing the operation
3810 * does not necessarily take care of it, since the context is a
3811 * union and initializing a union does not necessarily initialize
3812 * all of its members. */
3813 memset(&operation->ctx, 0, sizeof(operation->ctx));
3814
3815 status = psa_sign_verify_check_alg(0, alg);
3816 if (status != PSA_SUCCESS) {
3817 operation->error_occurred = 1;
3818 return status;
3819 }
3820
3821 status = psa_get_and_lock_key_slot_with_policy(key, &slot,
3822 PSA_KEY_USAGE_VERIFY_HASH,
3823 alg);
3824
3825 if (status != PSA_SUCCESS) {
3826 operation->error_occurred = 1;
3827 return status;
3828 }
3829
3830 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3831 LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
3832
3833 /* Ensure ops count gets reset, in case of operation re-use. */
3834 operation->num_ops = 0;
3835
3836 status = psa_driver_wrapper_verify_hash_start(operation, &slot->attr,
3837 slot->key.data,
3838 slot->key.bytes,
3839 alg, hash, hash_length,
3840 signature, signature_length);
3841 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3842 exit:
3843 #endif
3844
3845 if (status != PSA_SUCCESS) {
3846 operation->error_occurred = 1;
3847 psa_verify_hash_abort_internal(operation);
3848 }
3849
3850 unlock_status = psa_unregister_read_under_mutex(slot);
3851
3852 if (unlock_status != PSA_SUCCESS) {
3853 operation->error_occurred = 1;
3854 }
3855
3856 LOCAL_INPUT_FREE(hash_external, hash);
3857 LOCAL_INPUT_FREE(signature_external, signature);
3858
3859 return (status == PSA_SUCCESS) ? unlock_status : status;
3860 }
3861
psa_verify_hash_complete(psa_verify_hash_interruptible_operation_t * operation)3862 psa_status_t psa_verify_hash_complete(
3863 psa_verify_hash_interruptible_operation_t *operation)
3864 {
3865 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3866
3867 /* Check that start has been called first, and that operation has not
3868 * previously errored. */
3869 if (operation->id == 0 || operation->error_occurred) {
3870 status = PSA_ERROR_BAD_STATE;
3871 goto exit;
3872 }
3873
3874 status = psa_driver_wrapper_verify_hash_complete(operation);
3875
3876 /* Update ops count with work done. */
3877 operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
3878 operation);
3879
3880 exit:
3881
3882 if (status != PSA_OPERATION_INCOMPLETE) {
3883 if (status != PSA_SUCCESS) {
3884 operation->error_occurred = 1;
3885 }
3886
3887 psa_verify_hash_abort_internal(operation);
3888 }
3889
3890 return status;
3891 }
3892
psa_verify_hash_abort(psa_verify_hash_interruptible_operation_t * operation)3893 psa_status_t psa_verify_hash_abort(
3894 psa_verify_hash_interruptible_operation_t *operation)
3895 {
3896 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3897
3898 status = psa_verify_hash_abort_internal(operation);
3899
3900 /* We clear the number of ops done here, so that it is not cleared when
3901 * the operation fails or succeeds, only on manual abort. */
3902 operation->num_ops = 0;
3903
3904 /* Likewise, failure state. */
3905 operation->error_occurred = 0;
3906
3907 return status;
3908 }
3909
3910 /****************************************************************/
3911 /* Asymmetric interruptible cryptography internal */
3912 /* implementations */
3913 /****************************************************************/
3914
mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)3915 void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
3916 {
3917
3918 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3919 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3920 defined(MBEDTLS_ECP_RESTARTABLE)
3921
3922 /* Internal implementation uses zero to indicate infinite number max ops,
3923 * therefore avoid this value, and set to minimum possible. */
3924 if (max_ops == 0) {
3925 max_ops = 1;
3926 }
3927
3928 mbedtls_ecp_set_max_ops(max_ops);
3929 #else
3930 (void) max_ops;
3931 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3932 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3933 * defined( MBEDTLS_ECP_RESTARTABLE ) */
3934 }
3935
mbedtls_psa_sign_hash_get_num_ops(const mbedtls_psa_sign_hash_interruptible_operation_t * operation)3936 uint32_t mbedtls_psa_sign_hash_get_num_ops(
3937 const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
3938 {
3939 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3940 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3941 defined(MBEDTLS_ECP_RESTARTABLE)
3942
3943 return operation->num_ops;
3944 #else
3945 (void) operation;
3946 return 0;
3947 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3948 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3949 * defined( MBEDTLS_ECP_RESTARTABLE ) */
3950 }
3951
mbedtls_psa_verify_hash_get_num_ops(const mbedtls_psa_verify_hash_interruptible_operation_t * operation)3952 uint32_t mbedtls_psa_verify_hash_get_num_ops(
3953 const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
3954 {
3955 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3956 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3957 defined(MBEDTLS_ECP_RESTARTABLE)
3958
3959 return operation->num_ops;
3960 #else
3961 (void) operation;
3962 return 0;
3963 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3964 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3965 * defined( MBEDTLS_ECP_RESTARTABLE ) */
3966 }
3967
3968 /* Detect supported interruptible sign/verify mechanisms precisely.
3969 * This is not strictly needed: we could accept everything, and let the
3970 * code fail later during complete() if the mechanism is unsupported
3971 * (e.g. attempting deterministic ECDSA when only the randomized variant
3972 * is available). But it's easier for applications and especially for our
3973 * test code to detect all not-supported errors during start().
3974 *
3975 * Note that this function ignores the hash component. The core code
3976 * is supposed to check the hash part by calling is_hash_supported().
3977 */
can_do_interruptible_sign_verify(psa_algorithm_t alg)3978 static inline int can_do_interruptible_sign_verify(psa_algorithm_t alg)
3979 {
3980 #if defined(MBEDTLS_ECP_RESTARTABLE)
3981 #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3982 if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
3983 return 1;
3984 }
3985 #endif
3986 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA)
3987 if (PSA_ALG_IS_RANDOMIZED_ECDSA(alg)) {
3988 return 1;
3989 }
3990 #endif
3991 #endif /* defined(MBEDTLS_ECP_RESTARTABLE) */
3992 (void) alg;
3993 return 0;
3994 }
3995
mbedtls_psa_sign_hash_start(mbedtls_psa_sign_hash_interruptible_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length)3996 psa_status_t mbedtls_psa_sign_hash_start(
3997 mbedtls_psa_sign_hash_interruptible_operation_t *operation,
3998 const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
3999 size_t key_buffer_size, psa_algorithm_t alg,
4000 const uint8_t *hash, size_t hash_length)
4001 {
4002 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4003 size_t required_hash_length;
4004
4005 if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type)) {
4006 return PSA_ERROR_NOT_SUPPORTED;
4007 }
4008 psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
4009 if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
4010 return PSA_ERROR_INVALID_ARGUMENT;
4011 }
4012
4013 if (!can_do_interruptible_sign_verify(alg)) {
4014 return PSA_ERROR_NOT_SUPPORTED;
4015 }
4016
4017 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4018 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4019 defined(MBEDTLS_ECP_RESTARTABLE)
4020
4021 mbedtls_ecdsa_restart_init(&operation->restart_ctx);
4022
4023 /* Ensure num_ops is zero'ed in case of context re-use. */
4024 operation->num_ops = 0;
4025
4026 status = mbedtls_psa_ecp_load_representation(attributes->type,
4027 attributes->bits,
4028 key_buffer,
4029 key_buffer_size,
4030 &operation->ctx);
4031
4032 if (status != PSA_SUCCESS) {
4033 return status;
4034 }
4035
4036 operation->coordinate_bytes = PSA_BITS_TO_BYTES(
4037 operation->ctx->grp.nbits);
4038
4039 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
4040 operation->md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
4041 operation->alg = alg;
4042
4043 /* We only need to store the same length of hash as the private key size
4044 * here, it would be truncated by the internal implementation anyway. */
4045 required_hash_length = (hash_length < operation->coordinate_bytes ?
4046 hash_length : operation->coordinate_bytes);
4047
4048 if (required_hash_length > sizeof(operation->hash)) {
4049 /* Shouldn't happen, but better safe than sorry. */
4050 return PSA_ERROR_CORRUPTION_DETECTED;
4051 }
4052
4053 memcpy(operation->hash, hash, required_hash_length);
4054 operation->hash_length = required_hash_length;
4055
4056 return PSA_SUCCESS;
4057
4058 #else
4059 (void) operation;
4060 (void) key_buffer;
4061 (void) key_buffer_size;
4062 (void) alg;
4063 (void) hash;
4064 (void) hash_length;
4065 (void) status;
4066 (void) required_hash_length;
4067
4068 return PSA_ERROR_NOT_SUPPORTED;
4069 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4070 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4071 * defined( MBEDTLS_ECP_RESTARTABLE ) */
4072 }
4073
mbedtls_psa_sign_hash_complete(mbedtls_psa_sign_hash_interruptible_operation_t * operation,uint8_t * signature,size_t signature_size,size_t * signature_length)4074 psa_status_t mbedtls_psa_sign_hash_complete(
4075 mbedtls_psa_sign_hash_interruptible_operation_t *operation,
4076 uint8_t *signature, size_t signature_size,
4077 size_t *signature_length)
4078 {
4079 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4080 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4081 defined(MBEDTLS_ECP_RESTARTABLE)
4082
4083 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4084 mbedtls_mpi r;
4085 mbedtls_mpi s;
4086
4087 mbedtls_mpi_init(&r);
4088 mbedtls_mpi_init(&s);
4089
4090 /* Ensure max_ops is set to the current value (or default). */
4091 mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
4092
4093 if (signature_size < 2 * operation->coordinate_bytes) {
4094 status = PSA_ERROR_BUFFER_TOO_SMALL;
4095 goto exit;
4096 }
4097
4098 if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
4099
4100 #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
4101 status = mbedtls_to_psa_error(
4102 mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
4103 &r,
4104 &s,
4105 &operation->ctx->d,
4106 operation->hash,
4107 operation->hash_length,
4108 operation->md_alg,
4109 mbedtls_psa_get_random,
4110 MBEDTLS_PSA_RANDOM_STATE,
4111 &operation->restart_ctx));
4112 #else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
4113 status = PSA_ERROR_NOT_SUPPORTED;
4114 goto exit;
4115 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
4116 } else {
4117 status = mbedtls_to_psa_error(
4118 mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
4119 &r,
4120 &s,
4121 &operation->ctx->d,
4122 operation->hash,
4123 operation->hash_length,
4124 mbedtls_psa_get_random,
4125 MBEDTLS_PSA_RANDOM_STATE,
4126 mbedtls_psa_get_random,
4127 MBEDTLS_PSA_RANDOM_STATE,
4128 &operation->restart_ctx));
4129 }
4130
4131 /* Hide the fact that the restart context only holds a delta of number of
4132 * ops done during the last operation, not an absolute value. */
4133 operation->num_ops += operation->restart_ctx.ecp.ops_done;
4134
4135 if (status == PSA_SUCCESS) {
4136 status = mbedtls_to_psa_error(
4137 mbedtls_mpi_write_binary(&r,
4138 signature,
4139 operation->coordinate_bytes)
4140 );
4141
4142 if (status != PSA_SUCCESS) {
4143 goto exit;
4144 }
4145
4146 status = mbedtls_to_psa_error(
4147 mbedtls_mpi_write_binary(&s,
4148 signature +
4149 operation->coordinate_bytes,
4150 operation->coordinate_bytes)
4151 );
4152
4153 if (status != PSA_SUCCESS) {
4154 goto exit;
4155 }
4156
4157 *signature_length = operation->coordinate_bytes * 2;
4158
4159 status = PSA_SUCCESS;
4160 }
4161
4162 exit:
4163
4164 mbedtls_mpi_free(&r);
4165 mbedtls_mpi_free(&s);
4166 return status;
4167
4168 #else
4169
4170 (void) operation;
4171 (void) signature;
4172 (void) signature_size;
4173 (void) signature_length;
4174
4175 return PSA_ERROR_NOT_SUPPORTED;
4176
4177 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4178 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4179 * defined( MBEDTLS_ECP_RESTARTABLE ) */
4180 }
4181
mbedtls_psa_sign_hash_abort(mbedtls_psa_sign_hash_interruptible_operation_t * operation)4182 psa_status_t mbedtls_psa_sign_hash_abort(
4183 mbedtls_psa_sign_hash_interruptible_operation_t *operation)
4184 {
4185
4186 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4187 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4188 defined(MBEDTLS_ECP_RESTARTABLE)
4189
4190 if (operation->ctx) {
4191 mbedtls_ecdsa_free(operation->ctx);
4192 mbedtls_free(operation->ctx);
4193 operation->ctx = NULL;
4194 }
4195
4196 mbedtls_ecdsa_restart_free(&operation->restart_ctx);
4197
4198 operation->num_ops = 0;
4199
4200 return PSA_SUCCESS;
4201
4202 #else
4203
4204 (void) operation;
4205
4206 return PSA_ERROR_NOT_SUPPORTED;
4207
4208 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4209 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4210 * defined( MBEDTLS_ECP_RESTARTABLE ) */
4211 }
4212
mbedtls_psa_verify_hash_start(mbedtls_psa_verify_hash_interruptible_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * hash,size_t hash_length,const uint8_t * signature,size_t signature_length)4213 psa_status_t mbedtls_psa_verify_hash_start(
4214 mbedtls_psa_verify_hash_interruptible_operation_t *operation,
4215 const psa_key_attributes_t *attributes,
4216 const uint8_t *key_buffer, size_t key_buffer_size,
4217 psa_algorithm_t alg,
4218 const uint8_t *hash, size_t hash_length,
4219 const uint8_t *signature, size_t signature_length)
4220 {
4221 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4222 size_t coordinate_bytes = 0;
4223 size_t required_hash_length = 0;
4224
4225 if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
4226 return PSA_ERROR_NOT_SUPPORTED;
4227 }
4228 psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
4229 if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
4230 return PSA_ERROR_INVALID_ARGUMENT;
4231 }
4232
4233 if (!can_do_interruptible_sign_verify(alg)) {
4234 return PSA_ERROR_NOT_SUPPORTED;
4235 }
4236
4237 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4238 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4239 defined(MBEDTLS_ECP_RESTARTABLE)
4240
4241 mbedtls_ecdsa_restart_init(&operation->restart_ctx);
4242 mbedtls_mpi_init(&operation->r);
4243 mbedtls_mpi_init(&operation->s);
4244
4245 /* Ensure num_ops is zero'ed in case of context re-use. */
4246 operation->num_ops = 0;
4247
4248 status = mbedtls_psa_ecp_load_representation(attributes->type,
4249 attributes->bits,
4250 key_buffer,
4251 key_buffer_size,
4252 &operation->ctx);
4253
4254 if (status != PSA_SUCCESS) {
4255 return status;
4256 }
4257
4258 coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits);
4259
4260 if (signature_length != 2 * coordinate_bytes) {
4261 return PSA_ERROR_INVALID_SIGNATURE;
4262 }
4263
4264 status = mbedtls_to_psa_error(
4265 mbedtls_mpi_read_binary(&operation->r,
4266 signature,
4267 coordinate_bytes));
4268
4269 if (status != PSA_SUCCESS) {
4270 return status;
4271 }
4272
4273 status = mbedtls_to_psa_error(
4274 mbedtls_mpi_read_binary(&operation->s,
4275 signature +
4276 coordinate_bytes,
4277 coordinate_bytes));
4278
4279 if (status != PSA_SUCCESS) {
4280 return status;
4281 }
4282
4283 status = mbedtls_psa_ecp_load_public_part(operation->ctx);
4284
4285 if (status != PSA_SUCCESS) {
4286 return status;
4287 }
4288
4289 /* We only need to store the same length of hash as the private key size
4290 * here, it would be truncated by the internal implementation anyway. */
4291 required_hash_length = (hash_length < coordinate_bytes ? hash_length :
4292 coordinate_bytes);
4293
4294 if (required_hash_length > sizeof(operation->hash)) {
4295 /* Shouldn't happen, but better safe than sorry. */
4296 return PSA_ERROR_CORRUPTION_DETECTED;
4297 }
4298
4299 memcpy(operation->hash, hash, required_hash_length);
4300 operation->hash_length = required_hash_length;
4301
4302 return PSA_SUCCESS;
4303 #else
4304 (void) operation;
4305 (void) key_buffer;
4306 (void) key_buffer_size;
4307 (void) alg;
4308 (void) hash;
4309 (void) hash_length;
4310 (void) signature;
4311 (void) signature_length;
4312 (void) status;
4313 (void) coordinate_bytes;
4314 (void) required_hash_length;
4315
4316 return PSA_ERROR_NOT_SUPPORTED;
4317 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4318 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4319 * defined( MBEDTLS_ECP_RESTARTABLE ) */
4320 }
4321
mbedtls_psa_verify_hash_complete(mbedtls_psa_verify_hash_interruptible_operation_t * operation)4322 psa_status_t mbedtls_psa_verify_hash_complete(
4323 mbedtls_psa_verify_hash_interruptible_operation_t *operation)
4324 {
4325
4326 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4327 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4328 defined(MBEDTLS_ECP_RESTARTABLE)
4329
4330 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4331
4332 /* Ensure max_ops is set to the current value (or default). */
4333 mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
4334
4335 status = mbedtls_to_psa_error(
4336 mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
4337 operation->hash,
4338 operation->hash_length,
4339 &operation->ctx->Q,
4340 &operation->r,
4341 &operation->s,
4342 &operation->restart_ctx));
4343
4344 /* Hide the fact that the restart context only holds a delta of number of
4345 * ops done during the last operation, not an absolute value. */
4346 operation->num_ops += operation->restart_ctx.ecp.ops_done;
4347
4348 return status;
4349 #else
4350 (void) operation;
4351
4352 return PSA_ERROR_NOT_SUPPORTED;
4353
4354 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4355 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4356 * defined( MBEDTLS_ECP_RESTARTABLE ) */
4357 }
4358
mbedtls_psa_verify_hash_abort(mbedtls_psa_verify_hash_interruptible_operation_t * operation)4359 psa_status_t mbedtls_psa_verify_hash_abort(
4360 mbedtls_psa_verify_hash_interruptible_operation_t *operation)
4361 {
4362
4363 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4364 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4365 defined(MBEDTLS_ECP_RESTARTABLE)
4366
4367 if (operation->ctx) {
4368 mbedtls_ecdsa_free(operation->ctx);
4369 mbedtls_free(operation->ctx);
4370 operation->ctx = NULL;
4371 }
4372
4373 mbedtls_ecdsa_restart_free(&operation->restart_ctx);
4374
4375 operation->num_ops = 0;
4376
4377 mbedtls_mpi_free(&operation->r);
4378 mbedtls_mpi_free(&operation->s);
4379
4380 return PSA_SUCCESS;
4381
4382 #else
4383 (void) operation;
4384
4385 return PSA_ERROR_NOT_SUPPORTED;
4386
4387 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4388 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4389 * defined( MBEDTLS_ECP_RESTARTABLE ) */
4390 }
4391
psa_generate_random_internal(uint8_t * output,size_t output_size)4392 static psa_status_t psa_generate_random_internal(uint8_t *output,
4393 size_t output_size)
4394 {
4395 GUARD_MODULE_INITIALIZED;
4396
4397 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
4398
4399 psa_status_t status;
4400 size_t output_length = 0;
4401 status = mbedtls_psa_external_get_random(&global_data.rng,
4402 output, output_size,
4403 &output_length);
4404 if (status != PSA_SUCCESS) {
4405 return status;
4406 }
4407 /* Breaking up a request into smaller chunks is currently not supported
4408 * for the external RNG interface. */
4409 if (output_length != output_size) {
4410 return PSA_ERROR_INSUFFICIENT_ENTROPY;
4411 }
4412 return PSA_SUCCESS;
4413
4414 #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
4415
4416 while (output_size > 0) {
4417 int ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
4418 size_t request_size =
4419 (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ?
4420 MBEDTLS_PSA_RANDOM_MAX_REQUEST :
4421 output_size);
4422 #if defined(MBEDTLS_CTR_DRBG_C)
4423 ret = mbedtls_ctr_drbg_random(&global_data.rng.drbg, output, request_size);
4424 #elif defined(MBEDTLS_HMAC_DRBG_C)
4425 ret = mbedtls_hmac_drbg_random(&global_data.rng.drbg, output, request_size);
4426 #endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
4427 if (ret != 0) {
4428 return mbedtls_to_psa_error(ret);
4429 }
4430 output_size -= request_size;
4431 output += request_size;
4432 }
4433 return PSA_SUCCESS;
4434 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
4435 }
4436
4437
4438 /****************************************************************/
4439 /* Symmetric cryptography */
4440 /****************************************************************/
4441
psa_cipher_setup(psa_cipher_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,mbedtls_operation_t cipher_operation)4442 static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation,
4443 mbedtls_svc_key_id_t key,
4444 psa_algorithm_t alg,
4445 mbedtls_operation_t cipher_operation)
4446 {
4447 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4448 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4449 psa_key_slot_t *slot = NULL;
4450 psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ?
4451 PSA_KEY_USAGE_ENCRYPT :
4452 PSA_KEY_USAGE_DECRYPT);
4453
4454 /* A context must be freshly initialized before it can be set up. */
4455 if (operation->id != 0) {
4456 status = PSA_ERROR_BAD_STATE;
4457 goto exit;
4458 }
4459
4460 if (!PSA_ALG_IS_CIPHER(alg)) {
4461 status = PSA_ERROR_INVALID_ARGUMENT;
4462 goto exit;
4463 }
4464
4465 status = psa_get_and_lock_key_slot_with_policy(key, &slot, usage, alg);
4466 if (status != PSA_SUCCESS) {
4467 goto exit;
4468 }
4469
4470 /* Initialize the operation struct members, except for id. The id member
4471 * is used to indicate to psa_cipher_abort that there are resources to free,
4472 * so we only set it (in the driver wrapper) after resources have been
4473 * allocated/initialized. */
4474 operation->iv_set = 0;
4475 if (alg == PSA_ALG_ECB_NO_PADDING) {
4476 operation->iv_required = 0;
4477 } else {
4478 operation->iv_required = 1;
4479 }
4480 operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
4481
4482
4483 /* Make sure the driver-dependent part of the operation is zeroed.
4484 * This is a guarantee we make to drivers. Initializing the operation
4485 * does not necessarily take care of it, since the context is a
4486 * union and initializing a union does not necessarily initialize
4487 * all of its members. */
4488 memset(&operation->ctx, 0, sizeof(operation->ctx));
4489
4490 /* Try doing the operation through a driver before using software fallback. */
4491 if (cipher_operation == MBEDTLS_ENCRYPT) {
4492 status = psa_driver_wrapper_cipher_encrypt_setup(operation,
4493 &slot->attr,
4494 slot->key.data,
4495 slot->key.bytes,
4496 alg);
4497 } else {
4498 status = psa_driver_wrapper_cipher_decrypt_setup(operation,
4499 &slot->attr,
4500 slot->key.data,
4501 slot->key.bytes,
4502 alg);
4503 }
4504
4505 exit:
4506 if (status != PSA_SUCCESS) {
4507 psa_cipher_abort(operation);
4508 }
4509
4510 unlock_status = psa_unregister_read_under_mutex(slot);
4511
4512 return (status == PSA_SUCCESS) ? unlock_status : status;
4513 }
4514
psa_cipher_encrypt_setup(psa_cipher_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg)4515 psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
4516 mbedtls_svc_key_id_t key,
4517 psa_algorithm_t alg)
4518 {
4519 return psa_cipher_setup(operation, key, alg, MBEDTLS_ENCRYPT);
4520 }
4521
psa_cipher_decrypt_setup(psa_cipher_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg)4522 psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
4523 mbedtls_svc_key_id_t key,
4524 psa_algorithm_t alg)
4525 {
4526 return psa_cipher_setup(operation, key, alg, MBEDTLS_DECRYPT);
4527 }
4528
psa_cipher_generate_iv(psa_cipher_operation_t * operation,uint8_t * iv_external,size_t iv_size,size_t * iv_length)4529 psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
4530 uint8_t *iv_external,
4531 size_t iv_size,
4532 size_t *iv_length)
4533 {
4534 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4535 size_t default_iv_length = 0;
4536
4537 LOCAL_OUTPUT_DECLARE(iv_external, iv);
4538
4539 if (operation->id == 0) {
4540 status = PSA_ERROR_BAD_STATE;
4541 goto exit;
4542 }
4543
4544 if (operation->iv_set || !operation->iv_required) {
4545 status = PSA_ERROR_BAD_STATE;
4546 goto exit;
4547 }
4548
4549 default_iv_length = operation->default_iv_length;
4550 if (iv_size < default_iv_length) {
4551 status = PSA_ERROR_BUFFER_TOO_SMALL;
4552 goto exit;
4553 }
4554
4555 if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
4556 status = PSA_ERROR_GENERIC_ERROR;
4557 goto exit;
4558 }
4559
4560 LOCAL_OUTPUT_ALLOC(iv_external, default_iv_length, iv);
4561
4562 status = psa_generate_random_internal(iv, default_iv_length);
4563 if (status != PSA_SUCCESS) {
4564 goto exit;
4565 }
4566
4567 status = psa_driver_wrapper_cipher_set_iv(operation,
4568 iv, default_iv_length);
4569
4570 exit:
4571 if (status == PSA_SUCCESS) {
4572 *iv_length = default_iv_length;
4573 operation->iv_set = 1;
4574 } else {
4575 *iv_length = 0;
4576 psa_cipher_abort(operation);
4577 if (iv != NULL) {
4578 mbedtls_platform_zeroize(iv, default_iv_length);
4579 }
4580 }
4581
4582 LOCAL_OUTPUT_FREE(iv_external, iv);
4583 return status;
4584 }
4585
psa_cipher_set_iv(psa_cipher_operation_t * operation,const uint8_t * iv_external,size_t iv_length)4586 psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
4587 const uint8_t *iv_external,
4588 size_t iv_length)
4589 {
4590 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4591
4592 LOCAL_INPUT_DECLARE(iv_external, iv);
4593
4594 if (operation->id == 0) {
4595 status = PSA_ERROR_BAD_STATE;
4596 goto exit;
4597 }
4598
4599 if (operation->iv_set || !operation->iv_required) {
4600 status = PSA_ERROR_BAD_STATE;
4601 goto exit;
4602 }
4603
4604 if (iv_length > PSA_CIPHER_IV_MAX_SIZE) {
4605 status = PSA_ERROR_INVALID_ARGUMENT;
4606 goto exit;
4607 }
4608
4609 LOCAL_INPUT_ALLOC(iv_external, iv_length, iv);
4610
4611 status = psa_driver_wrapper_cipher_set_iv(operation,
4612 iv,
4613 iv_length);
4614
4615 exit:
4616 if (status == PSA_SUCCESS) {
4617 operation->iv_set = 1;
4618 } else {
4619 psa_cipher_abort(operation);
4620 }
4621
4622 LOCAL_INPUT_FREE(iv_external, iv);
4623
4624 return status;
4625 }
4626
psa_cipher_update(psa_cipher_operation_t * operation,const uint8_t * input_external,size_t input_length,uint8_t * output_external,size_t output_size,size_t * output_length)4627 psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
4628 const uint8_t *input_external,
4629 size_t input_length,
4630 uint8_t *output_external,
4631 size_t output_size,
4632 size_t *output_length)
4633 {
4634 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4635
4636 LOCAL_INPUT_DECLARE(input_external, input);
4637 LOCAL_OUTPUT_DECLARE(output_external, output);
4638
4639 if (operation->id == 0) {
4640 status = PSA_ERROR_BAD_STATE;
4641 goto exit;
4642 }
4643
4644 if (operation->iv_required && !operation->iv_set) {
4645 status = PSA_ERROR_BAD_STATE;
4646 goto exit;
4647 }
4648
4649 LOCAL_INPUT_ALLOC(input_external, input_length, input);
4650 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4651
4652 status = psa_driver_wrapper_cipher_update(operation,
4653 input,
4654 input_length,
4655 output,
4656 output_size,
4657 output_length);
4658
4659 exit:
4660 if (status != PSA_SUCCESS) {
4661 psa_cipher_abort(operation);
4662 }
4663
4664 LOCAL_INPUT_FREE(input_external, input);
4665 LOCAL_OUTPUT_FREE(output_external, output);
4666
4667 return status;
4668 }
4669
psa_cipher_finish(psa_cipher_operation_t * operation,uint8_t * output_external,size_t output_size,size_t * output_length)4670 psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
4671 uint8_t *output_external,
4672 size_t output_size,
4673 size_t *output_length)
4674 {
4675 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
4676
4677 LOCAL_OUTPUT_DECLARE(output_external, output);
4678
4679 if (operation->id == 0) {
4680 status = PSA_ERROR_BAD_STATE;
4681 goto exit;
4682 }
4683
4684 if (operation->iv_required && !operation->iv_set) {
4685 status = PSA_ERROR_BAD_STATE;
4686 goto exit;
4687 }
4688
4689 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4690
4691 status = psa_driver_wrapper_cipher_finish(operation,
4692 output,
4693 output_size,
4694 output_length);
4695
4696 exit:
4697 /* C99 doesn't allow a declaration to follow a label */;
4698 psa_status_t abort_status = psa_cipher_abort(operation);
4699 /* Normally abort shouldn't fail unless the operation is in a bad
4700 * state, in which case we'd expect finish to fail with the same error.
4701 * So it doesn't matter much which call's error code we pick when both
4702 * fail. However, in unauthenticated decryption specifically, the
4703 * distinction between PSA_SUCCESS and PSA_ERROR_INVALID_PADDING is
4704 * security-sensitive (risk of a padding oracle attack), so here we
4705 * must not have a code path that depends on the value of status. */
4706 if (abort_status != PSA_SUCCESS) {
4707 status = abort_status;
4708 }
4709
4710 /* Set *output_length to 0 if status != PSA_SUCCESS, without
4711 * leaking the value of status through a timing side channel
4712 * (status == PSA_ERROR_INVALID_PADDING is sensitive when doing
4713 * unpadded decryption, due to the risk of padding oracle attack). */
4714 mbedtls_ct_condition_t success =
4715 mbedtls_ct_bool_not(mbedtls_ct_bool(status));
4716 *output_length = mbedtls_ct_size_if_else_0(success, *output_length);
4717
4718 LOCAL_OUTPUT_FREE(output_external, output);
4719
4720 return status;
4721 }
4722
psa_cipher_abort(psa_cipher_operation_t * operation)4723 psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
4724 {
4725 if (operation->id == 0) {
4726 /* The object has (apparently) been initialized but it is not (yet)
4727 * in use. It's ok to call abort on such an object, and there's
4728 * nothing to do. */
4729 return PSA_SUCCESS;
4730 }
4731
4732 psa_driver_wrapper_cipher_abort(operation);
4733
4734 operation->id = 0;
4735 operation->iv_set = 0;
4736 operation->iv_required = 0;
4737
4738 return PSA_SUCCESS;
4739 }
4740
psa_cipher_encrypt(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input_external,size_t input_length,uint8_t * output_external,size_t output_size,size_t * output_length)4741 psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
4742 psa_algorithm_t alg,
4743 const uint8_t *input_external,
4744 size_t input_length,
4745 uint8_t *output_external,
4746 size_t output_size,
4747 size_t *output_length)
4748 {
4749 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4750 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4751 psa_key_slot_t *slot = NULL;
4752 uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
4753 size_t default_iv_length = 0;
4754
4755 LOCAL_INPUT_DECLARE(input_external, input);
4756 LOCAL_OUTPUT_DECLARE(output_external, output);
4757
4758 if (!PSA_ALG_IS_CIPHER(alg)) {
4759 status = PSA_ERROR_INVALID_ARGUMENT;
4760 goto exit;
4761 }
4762
4763 status = psa_get_and_lock_key_slot_with_policy(key, &slot,
4764 PSA_KEY_USAGE_ENCRYPT,
4765 alg);
4766 if (status != PSA_SUCCESS) {
4767 goto exit;
4768 }
4769
4770 default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
4771 if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
4772 status = PSA_ERROR_GENERIC_ERROR;
4773 goto exit;
4774 }
4775
4776 if (default_iv_length > 0) {
4777 if (output_size < default_iv_length) {
4778 status = PSA_ERROR_BUFFER_TOO_SMALL;
4779 goto exit;
4780 }
4781
4782 status = psa_generate_random_internal(local_iv, default_iv_length);
4783 if (status != PSA_SUCCESS) {
4784 goto exit;
4785 }
4786 }
4787
4788 LOCAL_INPUT_ALLOC(input_external, input_length, input);
4789 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4790
4791 status = psa_driver_wrapper_cipher_encrypt(
4792 &slot->attr, slot->key.data, slot->key.bytes,
4793 alg, local_iv, default_iv_length, input, input_length,
4794 psa_crypto_buffer_offset(output, default_iv_length),
4795 output_size - default_iv_length, output_length);
4796
4797 exit:
4798 unlock_status = psa_unregister_read_under_mutex(slot);
4799 if (status == PSA_SUCCESS) {
4800 status = unlock_status;
4801 }
4802
4803 if (status == PSA_SUCCESS) {
4804 if (default_iv_length > 0) {
4805 memcpy(output, local_iv, default_iv_length);
4806 }
4807 *output_length += default_iv_length;
4808 } else {
4809 *output_length = 0;
4810 }
4811
4812 LOCAL_INPUT_FREE(input_external, input);
4813 LOCAL_OUTPUT_FREE(output_external, output);
4814
4815 return status;
4816 }
4817
psa_cipher_decrypt(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * input_external,size_t input_length,uint8_t * output_external,size_t output_size,size_t * output_length)4818 psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
4819 psa_algorithm_t alg,
4820 const uint8_t *input_external,
4821 size_t input_length,
4822 uint8_t *output_external,
4823 size_t output_size,
4824 size_t *output_length)
4825 {
4826 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4827 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4828 psa_key_slot_t *slot = NULL;
4829
4830 LOCAL_INPUT_DECLARE(input_external, input);
4831 LOCAL_OUTPUT_DECLARE(output_external, output);
4832
4833 if (!PSA_ALG_IS_CIPHER(alg)) {
4834 status = PSA_ERROR_INVALID_ARGUMENT;
4835 goto exit;
4836 }
4837
4838 status = psa_get_and_lock_key_slot_with_policy(key, &slot,
4839 PSA_KEY_USAGE_DECRYPT,
4840 alg);
4841 if (status != PSA_SUCCESS) {
4842 goto exit;
4843 }
4844
4845 if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) {
4846 status = PSA_ERROR_INVALID_ARGUMENT;
4847 goto exit;
4848 }
4849
4850 LOCAL_INPUT_ALLOC(input_external, input_length, input);
4851 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4852
4853 status = psa_driver_wrapper_cipher_decrypt(
4854 &slot->attr, slot->key.data, slot->key.bytes,
4855 alg, input, input_length,
4856 output, output_size, output_length);
4857
4858 exit:
4859 unlock_status = psa_unregister_read_under_mutex(slot);
4860 if (unlock_status != PSA_SUCCESS) {
4861 status = unlock_status;
4862 }
4863
4864 /* Set *output_length to 0 if status != PSA_SUCCESS, without
4865 * leaking the value of status through a timing side channel
4866 * (status == PSA_ERROR_INVALID_PADDING is sensitive when doing
4867 * unpadded decryption, due to the risk of padding oracle attack). */
4868 mbedtls_ct_condition_t success =
4869 mbedtls_ct_bool_not(mbedtls_ct_bool(status));
4870 *output_length = mbedtls_ct_size_if_else_0(success, *output_length);
4871
4872 LOCAL_INPUT_FREE(input_external, input);
4873 LOCAL_OUTPUT_FREE(output_external, output);
4874
4875 return status;
4876 }
4877
4878
4879 /****************************************************************/
4880 /* AEAD */
4881 /****************************************************************/
4882
4883 /* Helper function to get the base algorithm from its variants. */
psa_aead_get_base_algorithm(psa_algorithm_t alg)4884 static psa_algorithm_t psa_aead_get_base_algorithm(psa_algorithm_t alg)
4885 {
4886 return PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg);
4887 }
4888
4889 /* Helper function to perform common nonce length checks. */
psa_aead_check_nonce_length(psa_algorithm_t alg,size_t nonce_length)4890 static psa_status_t psa_aead_check_nonce_length(psa_algorithm_t alg,
4891 size_t nonce_length)
4892 {
4893 psa_algorithm_t base_alg = psa_aead_get_base_algorithm(alg);
4894
4895 switch (base_alg) {
4896 #if defined(PSA_WANT_ALG_GCM)
4897 case PSA_ALG_GCM:
4898 /* Not checking max nonce size here as GCM spec allows almost
4899 * arbitrarily large nonces. Please note that we do not generally
4900 * recommend the usage of nonces of greater length than
4901 * PSA_AEAD_NONCE_MAX_SIZE, as large nonces are hashed to a shorter
4902 * size, which can then lead to collisions if you encrypt a very
4903 * large number of messages.*/
4904 if (nonce_length != 0) {
4905 return PSA_SUCCESS;
4906 }
4907 break;
4908 #endif /* PSA_WANT_ALG_GCM */
4909 #if defined(PSA_WANT_ALG_CCM)
4910 case PSA_ALG_CCM:
4911 if (nonce_length >= 7 && nonce_length <= 13) {
4912 return PSA_SUCCESS;
4913 }
4914 break;
4915 #endif /* PSA_WANT_ALG_CCM */
4916 #if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
4917 case PSA_ALG_CHACHA20_POLY1305:
4918 if (nonce_length == 12) {
4919 return PSA_SUCCESS;
4920 } else if (nonce_length == 8) {
4921 return PSA_ERROR_NOT_SUPPORTED;
4922 }
4923 break;
4924 #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
4925 default:
4926 (void) nonce_length;
4927 return PSA_ERROR_NOT_SUPPORTED;
4928 }
4929
4930 return PSA_ERROR_INVALID_ARGUMENT;
4931 }
4932
psa_aead_check_algorithm(psa_algorithm_t alg)4933 static psa_status_t psa_aead_check_algorithm(psa_algorithm_t alg)
4934 {
4935 if (!PSA_ALG_IS_AEAD(alg) || PSA_ALG_IS_WILDCARD(alg)) {
4936 return PSA_ERROR_INVALID_ARGUMENT;
4937 }
4938
4939 return PSA_SUCCESS;
4940 }
4941
psa_aead_encrypt(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * nonce_external,size_t nonce_length,const uint8_t * additional_data_external,size_t additional_data_length,const uint8_t * plaintext_external,size_t plaintext_length,uint8_t * ciphertext_external,size_t ciphertext_size,size_t * ciphertext_length)4942 psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
4943 psa_algorithm_t alg,
4944 const uint8_t *nonce_external,
4945 size_t nonce_length,
4946 const uint8_t *additional_data_external,
4947 size_t additional_data_length,
4948 const uint8_t *plaintext_external,
4949 size_t plaintext_length,
4950 uint8_t *ciphertext_external,
4951 size_t ciphertext_size,
4952 size_t *ciphertext_length)
4953 {
4954 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4955 psa_key_slot_t *slot;
4956
4957 LOCAL_INPUT_DECLARE(nonce_external, nonce);
4958 LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
4959 LOCAL_INPUT_DECLARE(plaintext_external, plaintext);
4960 LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
4961
4962 *ciphertext_length = 0;
4963
4964 status = psa_aead_check_algorithm(alg);
4965 if (status != PSA_SUCCESS) {
4966 return status;
4967 }
4968
4969 status = psa_get_and_lock_key_slot_with_policy(
4970 key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
4971 if (status != PSA_SUCCESS) {
4972 return status;
4973 }
4974
4975 LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
4976 LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length, additional_data);
4977 LOCAL_INPUT_ALLOC(plaintext_external, plaintext_length, plaintext);
4978 LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
4979
4980 status = psa_aead_check_nonce_length(alg, nonce_length);
4981 if (status != PSA_SUCCESS) {
4982 goto exit;
4983 }
4984
4985 status = psa_driver_wrapper_aead_encrypt(
4986 &slot->attr, slot->key.data, slot->key.bytes,
4987 alg,
4988 nonce, nonce_length,
4989 additional_data, additional_data_length,
4990 plaintext, plaintext_length,
4991 ciphertext, ciphertext_size, ciphertext_length);
4992
4993 if (status != PSA_SUCCESS && ciphertext_size != 0) {
4994 memset(ciphertext, 0, ciphertext_size);
4995 }
4996
4997 exit:
4998 LOCAL_INPUT_FREE(nonce_external, nonce);
4999 LOCAL_INPUT_FREE(additional_data_external, additional_data);
5000 LOCAL_INPUT_FREE(plaintext_external, plaintext);
5001 LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
5002
5003 psa_unregister_read_under_mutex(slot);
5004
5005 return status;
5006 }
5007
psa_aead_decrypt(mbedtls_svc_key_id_t key,psa_algorithm_t alg,const uint8_t * nonce_external,size_t nonce_length,const uint8_t * additional_data_external,size_t additional_data_length,const uint8_t * ciphertext_external,size_t ciphertext_length,uint8_t * plaintext_external,size_t plaintext_size,size_t * plaintext_length)5008 psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
5009 psa_algorithm_t alg,
5010 const uint8_t *nonce_external,
5011 size_t nonce_length,
5012 const uint8_t *additional_data_external,
5013 size_t additional_data_length,
5014 const uint8_t *ciphertext_external,
5015 size_t ciphertext_length,
5016 uint8_t *plaintext_external,
5017 size_t plaintext_size,
5018 size_t *plaintext_length)
5019 {
5020 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5021 psa_key_slot_t *slot;
5022
5023 LOCAL_INPUT_DECLARE(nonce_external, nonce);
5024 LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
5025 LOCAL_INPUT_DECLARE(ciphertext_external, ciphertext);
5026 LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
5027
5028 *plaintext_length = 0;
5029
5030 status = psa_aead_check_algorithm(alg);
5031 if (status != PSA_SUCCESS) {
5032 return status;
5033 }
5034
5035 status = psa_get_and_lock_key_slot_with_policy(
5036 key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
5037 if (status != PSA_SUCCESS) {
5038 return status;
5039 }
5040
5041 LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
5042 LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length,
5043 additional_data);
5044 LOCAL_INPUT_ALLOC(ciphertext_external, ciphertext_length, ciphertext);
5045 LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
5046
5047 status = psa_aead_check_nonce_length(alg, nonce_length);
5048 if (status != PSA_SUCCESS) {
5049 goto exit;
5050 }
5051
5052 status = psa_driver_wrapper_aead_decrypt(
5053 &slot->attr, slot->key.data, slot->key.bytes,
5054 alg,
5055 nonce, nonce_length,
5056 additional_data, additional_data_length,
5057 ciphertext, ciphertext_length,
5058 plaintext, plaintext_size, plaintext_length);
5059
5060 if (status != PSA_SUCCESS && plaintext_size != 0) {
5061 memset(plaintext, 0, plaintext_size);
5062 }
5063
5064 exit:
5065 LOCAL_INPUT_FREE(nonce_external, nonce);
5066 LOCAL_INPUT_FREE(additional_data_external, additional_data);
5067 LOCAL_INPUT_FREE(ciphertext_external, ciphertext);
5068 LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
5069
5070 psa_unregister_read_under_mutex(slot);
5071
5072 return status;
5073 }
5074
psa_validate_tag_length(psa_algorithm_t alg)5075 static psa_status_t psa_validate_tag_length(psa_algorithm_t alg)
5076 {
5077 const uint8_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
5078
5079 switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
5080 #if defined(PSA_WANT_ALG_CCM)
5081 case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
5082 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.*/
5083 if (tag_len < 4 || tag_len > 16 || tag_len % 2) {
5084 return PSA_ERROR_INVALID_ARGUMENT;
5085 }
5086 break;
5087 #endif /* PSA_WANT_ALG_CCM */
5088
5089 #if defined(PSA_WANT_ALG_GCM)
5090 case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
5091 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. */
5092 if (tag_len != 4 && tag_len != 8 && (tag_len < 12 || tag_len > 16)) {
5093 return PSA_ERROR_INVALID_ARGUMENT;
5094 }
5095 break;
5096 #endif /* PSA_WANT_ALG_GCM */
5097
5098 #if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
5099 case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
5100 /* We only support the default tag length. */
5101 if (tag_len != 16) {
5102 return PSA_ERROR_INVALID_ARGUMENT;
5103 }
5104 break;
5105 #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
5106
5107 default:
5108 (void) tag_len;
5109 return PSA_ERROR_NOT_SUPPORTED;
5110 }
5111 return PSA_SUCCESS;
5112 }
5113
5114 /* Set the key for a multipart authenticated operation. */
psa_aead_setup(psa_aead_operation_t * operation,int is_encrypt,mbedtls_svc_key_id_t key,psa_algorithm_t alg)5115 static psa_status_t psa_aead_setup(psa_aead_operation_t *operation,
5116 int is_encrypt,
5117 mbedtls_svc_key_id_t key,
5118 psa_algorithm_t alg)
5119 {
5120 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5121 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
5122 psa_key_slot_t *slot = NULL;
5123 psa_key_usage_t key_usage = 0;
5124
5125 status = psa_aead_check_algorithm(alg);
5126 if (status != PSA_SUCCESS) {
5127 goto exit;
5128 }
5129
5130 if (operation->id != 0) {
5131 status = PSA_ERROR_BAD_STATE;
5132 goto exit;
5133 }
5134
5135 if (operation->nonce_set || operation->lengths_set ||
5136 operation->ad_started || operation->body_started) {
5137 status = PSA_ERROR_BAD_STATE;
5138 goto exit;
5139 }
5140
5141 /* Make sure the driver-dependent part of the operation is zeroed.
5142 * This is a guarantee we make to drivers. Initializing the operation
5143 * does not necessarily take care of it, since the context is a
5144 * union and initializing a union does not necessarily initialize
5145 * all of its members. */
5146 memset(&operation->ctx, 0, sizeof(operation->ctx));
5147
5148 if (is_encrypt) {
5149 key_usage = PSA_KEY_USAGE_ENCRYPT;
5150 } else {
5151 key_usage = PSA_KEY_USAGE_DECRYPT;
5152 }
5153
5154 status = psa_get_and_lock_key_slot_with_policy(key, &slot, key_usage,
5155 alg);
5156 if (status != PSA_SUCCESS) {
5157 goto exit;
5158 }
5159
5160 if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) {
5161 goto exit;
5162 }
5163
5164 if (is_encrypt) {
5165 status = psa_driver_wrapper_aead_encrypt_setup(operation,
5166 &slot->attr,
5167 slot->key.data,
5168 slot->key.bytes,
5169 alg);
5170 } else {
5171 status = psa_driver_wrapper_aead_decrypt_setup(operation,
5172 &slot->attr,
5173 slot->key.data,
5174 slot->key.bytes,
5175 alg);
5176 }
5177 if (status != PSA_SUCCESS) {
5178 goto exit;
5179 }
5180
5181 operation->key_type = psa_get_key_type(&slot->attr);
5182
5183 exit:
5184 unlock_status = psa_unregister_read_under_mutex(slot);
5185
5186 if (status == PSA_SUCCESS) {
5187 status = unlock_status;
5188 operation->alg = psa_aead_get_base_algorithm(alg);
5189 operation->is_encrypt = is_encrypt;
5190 } else {
5191 psa_aead_abort(operation);
5192 }
5193
5194 return status;
5195 }
5196
5197 /* Set the key for a multipart authenticated encryption operation. */
psa_aead_encrypt_setup(psa_aead_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg)5198 psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
5199 mbedtls_svc_key_id_t key,
5200 psa_algorithm_t alg)
5201 {
5202 return psa_aead_setup(operation, 1, key, alg);
5203 }
5204
5205 /* Set the key for a multipart authenticated decryption operation. */
psa_aead_decrypt_setup(psa_aead_operation_t * operation,mbedtls_svc_key_id_t key,psa_algorithm_t alg)5206 psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
5207 mbedtls_svc_key_id_t key,
5208 psa_algorithm_t alg)
5209 {
5210 return psa_aead_setup(operation, 0, key, alg);
5211 }
5212
psa_aead_set_nonce_internal(psa_aead_operation_t * operation,const uint8_t * nonce,size_t nonce_length)5213 static psa_status_t psa_aead_set_nonce_internal(psa_aead_operation_t *operation,
5214 const uint8_t *nonce,
5215 size_t nonce_length)
5216 {
5217 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5218
5219 if (operation->id == 0) {
5220 status = PSA_ERROR_BAD_STATE;
5221 goto exit;
5222 }
5223
5224 if (operation->nonce_set) {
5225 status = PSA_ERROR_BAD_STATE;
5226 goto exit;
5227 }
5228
5229 status = psa_aead_check_nonce_length(operation->alg, nonce_length);
5230 if (status != PSA_SUCCESS) {
5231 status = PSA_ERROR_INVALID_ARGUMENT;
5232 goto exit;
5233 }
5234
5235 status = psa_driver_wrapper_aead_set_nonce(operation, nonce,
5236 nonce_length);
5237
5238 exit:
5239 if (status == PSA_SUCCESS) {
5240 operation->nonce_set = 1;
5241 } else {
5242 psa_aead_abort(operation);
5243 }
5244
5245 return status;
5246 }
5247
5248 /* Generate a random nonce / IV for multipart AEAD operation */
psa_aead_generate_nonce(psa_aead_operation_t * operation,uint8_t * nonce_external,size_t nonce_size,size_t * nonce_length)5249 psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
5250 uint8_t *nonce_external,
5251 size_t nonce_size,
5252 size_t *nonce_length)
5253 {
5254 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5255 uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
5256 size_t required_nonce_size = 0;
5257
5258 LOCAL_OUTPUT_DECLARE(nonce_external, nonce);
5259 LOCAL_OUTPUT_ALLOC(nonce_external, nonce_size, nonce);
5260
5261 *nonce_length = 0;
5262
5263 if (operation->id == 0) {
5264 status = PSA_ERROR_BAD_STATE;
5265 goto exit;
5266 }
5267
5268 if (operation->nonce_set || !operation->is_encrypt) {
5269 status = PSA_ERROR_BAD_STATE;
5270 goto exit;
5271 }
5272
5273 /* For CCM, this size may not be correct according to the PSA
5274 * specification. The PSA Crypto 1.0.1 specification states:
5275 *
5276 * CCM encodes the plaintext length pLen in L octets, with L the smallest
5277 * integer >= 2 where pLen < 2^(8L). The nonce length is then 15 - L bytes.
5278 *
5279 * However this restriction that L has to be the smallest integer is not
5280 * applied in practice, and it is not implementable here since the
5281 * plaintext length may or may not be known at this time. */
5282 required_nonce_size = PSA_AEAD_NONCE_LENGTH(operation->key_type,
5283 operation->alg);
5284 if (nonce_size < required_nonce_size) {
5285 status = PSA_ERROR_BUFFER_TOO_SMALL;
5286 goto exit;
5287 }
5288
5289 status = psa_generate_random_internal(local_nonce, required_nonce_size);
5290 if (status != PSA_SUCCESS) {
5291 goto exit;
5292 }
5293
5294 status = psa_aead_set_nonce_internal(operation, local_nonce,
5295 required_nonce_size);
5296
5297 exit:
5298 if (status == PSA_SUCCESS) {
5299 memcpy(nonce, local_nonce, required_nonce_size);
5300 *nonce_length = required_nonce_size;
5301 } else {
5302 psa_aead_abort(operation);
5303 }
5304
5305 LOCAL_OUTPUT_FREE(nonce_external, nonce);
5306
5307 return status;
5308 }
5309
5310 /* Set the nonce for a multipart authenticated encryption or decryption
5311 operation.*/
psa_aead_set_nonce(psa_aead_operation_t * operation,const uint8_t * nonce_external,size_t nonce_length)5312 psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
5313 const uint8_t *nonce_external,
5314 size_t nonce_length)
5315 {
5316 psa_status_t status;
5317
5318 LOCAL_INPUT_DECLARE(nonce_external, nonce);
5319 LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
5320
5321 status = psa_aead_set_nonce_internal(operation, nonce, nonce_length);
5322
5323 /* Exit label is only needed for buffer copying, prevent unused warnings. */
5324 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
5325 exit:
5326 #endif
5327
5328 LOCAL_INPUT_FREE(nonce_external, nonce);
5329
5330 return status;
5331 }
5332
5333 /* Declare the lengths of the message and additional data for multipart AEAD. */
psa_aead_set_lengths(psa_aead_operation_t * operation,size_t ad_length,size_t plaintext_length)5334 psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
5335 size_t ad_length,
5336 size_t plaintext_length)
5337 {
5338 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5339
5340 if (operation->id == 0) {
5341 status = PSA_ERROR_BAD_STATE;
5342 goto exit;
5343 }
5344
5345 if (operation->lengths_set || operation->ad_started ||
5346 operation->body_started) {
5347 status = PSA_ERROR_BAD_STATE;
5348 goto exit;
5349 }
5350
5351 switch (operation->alg) {
5352 #if defined(PSA_WANT_ALG_GCM)
5353 case PSA_ALG_GCM:
5354 /* Lengths can only be too large for GCM if size_t is bigger than 32
5355 * bits. Without the guard this code will generate warnings on 32bit
5356 * builds. */
5357 #if SIZE_MAX > UINT32_MAX
5358 if (((uint64_t) ad_length) >> 61 != 0 ||
5359 ((uint64_t) plaintext_length) > 0xFFFFFFFE0ull) {
5360 status = PSA_ERROR_INVALID_ARGUMENT;
5361 goto exit;
5362 }
5363 #endif
5364 break;
5365 #endif /* PSA_WANT_ALG_GCM */
5366 #if defined(PSA_WANT_ALG_CCM)
5367 case PSA_ALG_CCM:
5368 if (ad_length > 0xFF00) {
5369 status = PSA_ERROR_INVALID_ARGUMENT;
5370 goto exit;
5371 }
5372 break;
5373 #endif /* PSA_WANT_ALG_CCM */
5374 #if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
5375 case PSA_ALG_CHACHA20_POLY1305:
5376 /* No length restrictions for ChaChaPoly. */
5377 break;
5378 #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
5379 default:
5380 break;
5381 }
5382
5383 status = psa_driver_wrapper_aead_set_lengths(operation, ad_length,
5384 plaintext_length);
5385
5386 exit:
5387 if (status == PSA_SUCCESS) {
5388 operation->ad_remaining = ad_length;
5389 operation->body_remaining = plaintext_length;
5390 operation->lengths_set = 1;
5391 } else {
5392 psa_aead_abort(operation);
5393 }
5394
5395 return status;
5396 }
5397
5398 /* Pass additional data to an active multipart AEAD operation. */
psa_aead_update_ad(psa_aead_operation_t * operation,const uint8_t * input_external,size_t input_length)5399 psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
5400 const uint8_t *input_external,
5401 size_t input_length)
5402 {
5403 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5404
5405 LOCAL_INPUT_DECLARE(input_external, input);
5406 LOCAL_INPUT_ALLOC(input_external, input_length, input);
5407
5408 if (operation->id == 0) {
5409 status = PSA_ERROR_BAD_STATE;
5410 goto exit;
5411 }
5412
5413 if (!operation->nonce_set || operation->body_started) {
5414 status = PSA_ERROR_BAD_STATE;
5415 goto exit;
5416 }
5417
5418 /* No input to add (zero length), nothing to do. */
5419 if (input_length == 0) {
5420 status = PSA_SUCCESS;
5421 goto exit;
5422 }
5423
5424 if (operation->lengths_set) {
5425 if (operation->ad_remaining < input_length) {
5426 status = PSA_ERROR_INVALID_ARGUMENT;
5427 goto exit;
5428 }
5429
5430 operation->ad_remaining -= input_length;
5431 }
5432 #if defined(PSA_WANT_ALG_CCM)
5433 else if (operation->alg == PSA_ALG_CCM) {
5434 status = PSA_ERROR_BAD_STATE;
5435 goto exit;
5436 }
5437 #endif /* PSA_WANT_ALG_CCM */
5438
5439 status = psa_driver_wrapper_aead_update_ad(operation, input,
5440 input_length);
5441
5442 exit:
5443 if (status == PSA_SUCCESS) {
5444 operation->ad_started = 1;
5445 } else {
5446 psa_aead_abort(operation);
5447 }
5448
5449 LOCAL_INPUT_FREE(input_external, input);
5450
5451 return status;
5452 }
5453
5454 /* Encrypt or decrypt a message fragment in an active multipart AEAD
5455 operation.*/
psa_aead_update(psa_aead_operation_t * operation,const uint8_t * input_external,size_t input_length,uint8_t * output_external,size_t output_size,size_t * output_length)5456 psa_status_t psa_aead_update(psa_aead_operation_t *operation,
5457 const uint8_t *input_external,
5458 size_t input_length,
5459 uint8_t *output_external,
5460 size_t output_size,
5461 size_t *output_length)
5462 {
5463 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5464
5465
5466 LOCAL_INPUT_DECLARE(input_external, input);
5467 LOCAL_OUTPUT_DECLARE(output_external, output);
5468
5469 LOCAL_INPUT_ALLOC(input_external, input_length, input);
5470 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
5471
5472 *output_length = 0;
5473
5474 if (operation->id == 0) {
5475 status = PSA_ERROR_BAD_STATE;
5476 goto exit;
5477 }
5478
5479 if (!operation->nonce_set) {
5480 status = PSA_ERROR_BAD_STATE;
5481 goto exit;
5482 }
5483
5484 if (operation->lengths_set) {
5485 /* Additional data length was supplied, but not all the additional
5486 data was supplied.*/
5487 if (operation->ad_remaining != 0) {
5488 status = PSA_ERROR_INVALID_ARGUMENT;
5489 goto exit;
5490 }
5491
5492 /* Too much data provided. */
5493 if (operation->body_remaining < input_length) {
5494 status = PSA_ERROR_INVALID_ARGUMENT;
5495 goto exit;
5496 }
5497
5498 operation->body_remaining -= input_length;
5499 }
5500 #if defined(PSA_WANT_ALG_CCM)
5501 else if (operation->alg == PSA_ALG_CCM) {
5502 status = PSA_ERROR_BAD_STATE;
5503 goto exit;
5504 }
5505 #endif /* PSA_WANT_ALG_CCM */
5506
5507 status = psa_driver_wrapper_aead_update(operation, input, input_length,
5508 output, output_size,
5509 output_length);
5510
5511 exit:
5512 if (status == PSA_SUCCESS) {
5513 operation->body_started = 1;
5514 } else {
5515 psa_aead_abort(operation);
5516 }
5517
5518 LOCAL_INPUT_FREE(input_external, input);
5519 LOCAL_OUTPUT_FREE(output_external, output);
5520
5521 return status;
5522 }
5523
psa_aead_final_checks(const psa_aead_operation_t * operation)5524 static psa_status_t psa_aead_final_checks(const psa_aead_operation_t *operation)
5525 {
5526 if (operation->id == 0 || !operation->nonce_set) {
5527 return PSA_ERROR_BAD_STATE;
5528 }
5529
5530 if (operation->lengths_set && (operation->ad_remaining != 0 ||
5531 operation->body_remaining != 0)) {
5532 return PSA_ERROR_INVALID_ARGUMENT;
5533 }
5534
5535 return PSA_SUCCESS;
5536 }
5537
5538 /* Finish encrypting a message in a multipart AEAD operation. */
psa_aead_finish(psa_aead_operation_t * operation,uint8_t * ciphertext_external,size_t ciphertext_size,size_t * ciphertext_length,uint8_t * tag_external,size_t tag_size,size_t * tag_length)5539 psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
5540 uint8_t *ciphertext_external,
5541 size_t ciphertext_size,
5542 size_t *ciphertext_length,
5543 uint8_t *tag_external,
5544 size_t tag_size,
5545 size_t *tag_length)
5546 {
5547 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5548
5549 LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
5550 LOCAL_OUTPUT_DECLARE(tag_external, tag);
5551
5552 LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
5553 LOCAL_OUTPUT_ALLOC(tag_external, tag_size, tag);
5554
5555 *ciphertext_length = 0;
5556 *tag_length = tag_size;
5557
5558 status = psa_aead_final_checks(operation);
5559 if (status != PSA_SUCCESS) {
5560 goto exit;
5561 }
5562
5563 if (!operation->is_encrypt) {
5564 status = PSA_ERROR_BAD_STATE;
5565 goto exit;
5566 }
5567
5568 status = psa_driver_wrapper_aead_finish(operation, ciphertext,
5569 ciphertext_size,
5570 ciphertext_length,
5571 tag, tag_size, tag_length);
5572
5573 exit:
5574
5575
5576 /* In case the operation fails and the user fails to check for failure or
5577 * the zero tag size, make sure the tag is set to something implausible.
5578 * Even if the operation succeeds, make sure we clear the rest of the
5579 * buffer to prevent potential leakage of anything previously placed in
5580 * the same buffer.*/
5581 psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length);
5582
5583 psa_aead_abort(operation);
5584
5585 LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
5586 LOCAL_OUTPUT_FREE(tag_external, tag);
5587
5588 return status;
5589 }
5590
5591 /* Finish authenticating and decrypting a message in a multipart AEAD
5592 operation.*/
psa_aead_verify(psa_aead_operation_t * operation,uint8_t * plaintext_external,size_t plaintext_size,size_t * plaintext_length,const uint8_t * tag_external,size_t tag_length)5593 psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
5594 uint8_t *plaintext_external,
5595 size_t plaintext_size,
5596 size_t *plaintext_length,
5597 const uint8_t *tag_external,
5598 size_t tag_length)
5599 {
5600 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5601
5602 LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
5603 LOCAL_INPUT_DECLARE(tag_external, tag);
5604
5605 LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
5606 LOCAL_INPUT_ALLOC(tag_external, tag_length, tag);
5607
5608 *plaintext_length = 0;
5609
5610 status = psa_aead_final_checks(operation);
5611 if (status != PSA_SUCCESS) {
5612 goto exit;
5613 }
5614
5615 if (operation->is_encrypt) {
5616 status = PSA_ERROR_BAD_STATE;
5617 goto exit;
5618 }
5619
5620 status = psa_driver_wrapper_aead_verify(operation, plaintext,
5621 plaintext_size,
5622 plaintext_length,
5623 tag, tag_length);
5624
5625 exit:
5626 psa_aead_abort(operation);
5627
5628 LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
5629 LOCAL_INPUT_FREE(tag_external, tag);
5630
5631 return status;
5632 }
5633
5634 /* Abort an AEAD operation. */
psa_aead_abort(psa_aead_operation_t * operation)5635 psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
5636 {
5637 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5638
5639 if (operation->id == 0) {
5640 /* The object has (apparently) been initialized but it is not (yet)
5641 * in use. It's ok to call abort on such an object, and there's
5642 * nothing to do. */
5643 return PSA_SUCCESS;
5644 }
5645
5646 status = psa_driver_wrapper_aead_abort(operation);
5647
5648 memset(operation, 0, sizeof(*operation));
5649
5650 return status;
5651 }
5652
5653 /****************************************************************/
5654 /* Key derivation: output generation */
5655 /****************************************************************/
5656
5657 #if defined(BUILTIN_ALG_ANY_HKDF) || \
5658 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5659 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \
5660 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \
5661 defined(PSA_HAVE_SOFT_PBKDF2)
5662 #define AT_LEAST_ONE_BUILTIN_KDF
5663 #endif /* At least one builtin KDF */
5664
5665 #if defined(BUILTIN_ALG_ANY_HKDF) || \
5666 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5667 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5668
5669 /** Internal helper to set up an HMAC operation with a key passed directly.
5670 *
5671 * \param[in,out] operation A MAC operation object. It does not need to
5672 * be initialized.
5673 * \param hash_alg The hash algorithm used for HMAC.
5674 * \param hmac_key The HMAC key.
5675 * \param hmac_key_length Length of \p hmac_key in bytes.
5676 *
5677 * \return A PSA status code.
5678 */
psa_key_derivation_start_hmac(psa_mac_operation_t * operation,psa_algorithm_t hash_alg,const uint8_t * hmac_key,size_t hmac_key_length)5679 static psa_status_t psa_key_derivation_start_hmac(
5680 psa_mac_operation_t *operation,
5681 psa_algorithm_t hash_alg,
5682 const uint8_t *hmac_key,
5683 size_t hmac_key_length)
5684 {
5685 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5686 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5687 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
5688 psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(hmac_key_length));
5689 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
5690
5691 /* Make sure the whole the operation is zeroed.
5692 * It isn't enough to require the caller to initialize operation to
5693 * PSA_MAC_OPERATION_INIT, since one field is a union and initializing
5694 * a union does not necessarily initialize all of its members.
5695 * psa_mac_setup() would handle PSA_MAC_OPERATION_INIT, but here we
5696 * bypass it and call lower-level functions directly. */
5697 memset(operation, 0, sizeof(*operation));
5698
5699 operation->is_sign = 1;
5700 operation->mac_size = PSA_HASH_LENGTH(hash_alg);
5701
5702 status = psa_driver_wrapper_mac_sign_setup(operation,
5703 &attributes,
5704 hmac_key, hmac_key_length,
5705 PSA_ALG_HMAC(hash_alg));
5706
5707 psa_reset_key_attributes(&attributes);
5708 return status;
5709 }
5710 #endif /* KDF algorithms reliant on HMAC */
5711
5712 #define HKDF_STATE_INIT 0 /* no input yet */
5713 #define HKDF_STATE_STARTED 1 /* got salt */
5714 #define HKDF_STATE_KEYED 2 /* got key */
5715 #define HKDF_STATE_OUTPUT 3 /* output started */
5716
psa_key_derivation_get_kdf_alg(const psa_key_derivation_operation_t * operation)5717 static psa_algorithm_t psa_key_derivation_get_kdf_alg(
5718 const psa_key_derivation_operation_t *operation)
5719 {
5720 if (PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
5721 return PSA_ALG_KEY_AGREEMENT_GET_KDF(operation->alg);
5722 } else {
5723 return operation->alg;
5724 }
5725 }
5726
psa_key_derivation_abort(psa_key_derivation_operation_t * operation)5727 psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
5728 {
5729 psa_status_t status = PSA_SUCCESS;
5730 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
5731 if (kdf_alg == 0) {
5732 /* The object has (apparently) been initialized but it is not
5733 * in use. It's ok to call abort on such an object, and there's
5734 * nothing to do. */
5735 } else
5736 #if defined(BUILTIN_ALG_ANY_HKDF)
5737 if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
5738 mbedtls_free(operation->ctx.hkdf.info);
5739 status = psa_mac_abort(&operation->ctx.hkdf.hmac);
5740 } else
5741 #endif /* BUILTIN_ALG_ANY_HKDF */
5742 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5743 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5744 if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
5745 /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
5746 PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
5747 if (operation->ctx.tls12_prf.secret != NULL) {
5748 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.secret,
5749 operation->ctx.tls12_prf.secret_length);
5750 }
5751
5752 if (operation->ctx.tls12_prf.seed != NULL) {
5753 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.seed,
5754 operation->ctx.tls12_prf.seed_length);
5755 }
5756
5757 if (operation->ctx.tls12_prf.label != NULL) {
5758 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.label,
5759 operation->ctx.tls12_prf.label_length);
5760 }
5761 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5762 if (operation->ctx.tls12_prf.other_secret != NULL) {
5763 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.other_secret,
5764 operation->ctx.tls12_prf.other_secret_length);
5765 }
5766 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
5767 status = PSA_SUCCESS;
5768
5769 /* We leave the fields Ai and output_block to be erased safely by the
5770 * mbedtls_platform_zeroize() in the end of this function. */
5771 } else
5772 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
5773 * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */
5774 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
5775 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
5776 mbedtls_platform_zeroize(operation->ctx.tls12_ecjpake_to_pms.data,
5777 sizeof(operation->ctx.tls12_ecjpake_to_pms.data));
5778 } else
5779 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */
5780 #if defined(PSA_HAVE_SOFT_PBKDF2)
5781 if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
5782 if (operation->ctx.pbkdf2.salt != NULL) {
5783 mbedtls_zeroize_and_free(operation->ctx.pbkdf2.salt,
5784 operation->ctx.pbkdf2.salt_length);
5785 }
5786
5787 status = PSA_SUCCESS;
5788 } else
5789 #endif /* defined(PSA_HAVE_SOFT_PBKDF2) */
5790 {
5791 status = PSA_ERROR_BAD_STATE;
5792 }
5793 mbedtls_platform_zeroize(operation, sizeof(*operation));
5794 return status;
5795 }
5796
psa_key_derivation_get_capacity(const psa_key_derivation_operation_t * operation,size_t * capacity)5797 psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation,
5798 size_t *capacity)
5799 {
5800 if (operation->alg == 0) {
5801 /* This is a blank key derivation operation. */
5802 return PSA_ERROR_BAD_STATE;
5803 }
5804
5805 *capacity = operation->capacity;
5806 return PSA_SUCCESS;
5807 }
5808
psa_key_derivation_set_capacity(psa_key_derivation_operation_t * operation,size_t capacity)5809 psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t *operation,
5810 size_t capacity)
5811 {
5812 if (operation->alg == 0) {
5813 return PSA_ERROR_BAD_STATE;
5814 }
5815 if (capacity > operation->capacity) {
5816 return PSA_ERROR_INVALID_ARGUMENT;
5817 }
5818 operation->capacity = capacity;
5819 return PSA_SUCCESS;
5820 }
5821
5822 #if defined(BUILTIN_ALG_ANY_HKDF)
5823 /* Read some bytes from an HKDF-based operation. */
psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t * hkdf,psa_algorithm_t kdf_alg,uint8_t * output,size_t output_length)5824 static psa_status_t psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t *hkdf,
5825 psa_algorithm_t kdf_alg,
5826 uint8_t *output,
5827 size_t output_length)
5828 {
5829 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
5830 uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
5831 size_t hmac_output_length;
5832 psa_status_t status;
5833 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
5834 const uint8_t last_block = PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) ? 0 : 0xff;
5835 #else
5836 const uint8_t last_block = 0xff;
5837 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
5838
5839 if (hkdf->state < HKDF_STATE_KEYED ||
5840 (!hkdf->info_set
5841 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
5842 && !PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)
5843 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
5844 )) {
5845 return PSA_ERROR_BAD_STATE;
5846 }
5847 hkdf->state = HKDF_STATE_OUTPUT;
5848
5849 while (output_length != 0) {
5850 /* Copy what remains of the current block */
5851 uint8_t n = hash_length - hkdf->offset_in_block;
5852 if (n > output_length) {
5853 n = (uint8_t) output_length;
5854 }
5855 memcpy(output, hkdf->output_block + hkdf->offset_in_block, n);
5856 output += n;
5857 output_length -= n;
5858 hkdf->offset_in_block += n;
5859 if (output_length == 0) {
5860 break;
5861 }
5862 /* We can't be wanting more output after the last block, otherwise
5863 * the capacity check in psa_key_derivation_output_bytes() would have
5864 * prevented this call. It could happen only if the operation
5865 * object was corrupted or if this function is called directly
5866 * inside the library. */
5867 if (hkdf->block_number == last_block) {
5868 return PSA_ERROR_BAD_STATE;
5869 }
5870
5871 /* We need a new block */
5872 ++hkdf->block_number;
5873 hkdf->offset_in_block = 0;
5874
5875 status = psa_key_derivation_start_hmac(&hkdf->hmac,
5876 hash_alg,
5877 hkdf->prk,
5878 hash_length);
5879 if (status != PSA_SUCCESS) {
5880 return status;
5881 }
5882
5883 if (hkdf->block_number != 1) {
5884 status = psa_mac_update(&hkdf->hmac,
5885 hkdf->output_block,
5886 hash_length);
5887 if (status != PSA_SUCCESS) {
5888 return status;
5889 }
5890 }
5891 status = psa_mac_update(&hkdf->hmac,
5892 hkdf->info,
5893 hkdf->info_length);
5894 if (status != PSA_SUCCESS) {
5895 return status;
5896 }
5897 status = psa_mac_update(&hkdf->hmac,
5898 &hkdf->block_number, 1);
5899 if (status != PSA_SUCCESS) {
5900 return status;
5901 }
5902 status = psa_mac_sign_finish(&hkdf->hmac,
5903 hkdf->output_block,
5904 sizeof(hkdf->output_block),
5905 &hmac_output_length);
5906 if (status != PSA_SUCCESS) {
5907 return status;
5908 }
5909 }
5910
5911 return PSA_SUCCESS;
5912 }
5913 #endif /* BUILTIN_ALG_ANY_HKDF */
5914
5915 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5916 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
psa_key_derivation_tls12_prf_generate_next_block(psa_tls12_prf_key_derivation_t * tls12_prf,psa_algorithm_t alg)5917 static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
5918 psa_tls12_prf_key_derivation_t *tls12_prf,
5919 psa_algorithm_t alg)
5920 {
5921 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(alg);
5922 uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
5923 psa_mac_operation_t hmac;
5924 size_t hmac_output_length;
5925 psa_status_t status, cleanup_status;
5926
5927 /* We can't be wanting more output after block 0xff, otherwise
5928 * the capacity check in psa_key_derivation_output_bytes() would have
5929 * prevented this call. It could happen only if the operation
5930 * object was corrupted or if this function is called directly
5931 * inside the library. */
5932 if (tls12_prf->block_number == 0xff) {
5933 return PSA_ERROR_CORRUPTION_DETECTED;
5934 }
5935
5936 /* We need a new block */
5937 ++tls12_prf->block_number;
5938 tls12_prf->left_in_block = hash_length;
5939
5940 /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
5941 *
5942 * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
5943 *
5944 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
5945 * HMAC_hash(secret, A(2) + seed) +
5946 * HMAC_hash(secret, A(3) + seed) + ...
5947 *
5948 * A(0) = seed
5949 * A(i) = HMAC_hash(secret, A(i-1))
5950 *
5951 * The `psa_tls12_prf_key_derivation` structure saves the block
5952 * `HMAC_hash(secret, A(i) + seed)` from which the output
5953 * is currently extracted as `output_block` and where i is
5954 * `block_number`.
5955 */
5956
5957 status = psa_key_derivation_start_hmac(&hmac,
5958 hash_alg,
5959 tls12_prf->secret,
5960 tls12_prf->secret_length);
5961 if (status != PSA_SUCCESS) {
5962 goto cleanup;
5963 }
5964
5965 /* Calculate A(i) where i = tls12_prf->block_number. */
5966 if (tls12_prf->block_number == 1) {
5967 /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads
5968 * the variable seed and in this instance means it in the context of the
5969 * P_hash function, where seed = label + seed.) */
5970 status = psa_mac_update(&hmac,
5971 tls12_prf->label,
5972 tls12_prf->label_length);
5973 if (status != PSA_SUCCESS) {
5974 goto cleanup;
5975 }
5976 status = psa_mac_update(&hmac,
5977 tls12_prf->seed,
5978 tls12_prf->seed_length);
5979 if (status != PSA_SUCCESS) {
5980 goto cleanup;
5981 }
5982 } else {
5983 /* A(i) = HMAC_hash(secret, A(i-1)) */
5984 status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
5985 if (status != PSA_SUCCESS) {
5986 goto cleanup;
5987 }
5988 }
5989
5990 status = psa_mac_sign_finish(&hmac,
5991 tls12_prf->Ai, hash_length,
5992 &hmac_output_length);
5993 if (hmac_output_length != hash_length) {
5994 status = PSA_ERROR_CORRUPTION_DETECTED;
5995 }
5996 if (status != PSA_SUCCESS) {
5997 goto cleanup;
5998 }
5999
6000 /* Calculate HMAC_hash(secret, A(i) + label + seed). */
6001 status = psa_key_derivation_start_hmac(&hmac,
6002 hash_alg,
6003 tls12_prf->secret,
6004 tls12_prf->secret_length);
6005 if (status != PSA_SUCCESS) {
6006 goto cleanup;
6007 }
6008 status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
6009 if (status != PSA_SUCCESS) {
6010 goto cleanup;
6011 }
6012 status = psa_mac_update(&hmac, tls12_prf->label, tls12_prf->label_length);
6013 if (status != PSA_SUCCESS) {
6014 goto cleanup;
6015 }
6016 status = psa_mac_update(&hmac, tls12_prf->seed, tls12_prf->seed_length);
6017 if (status != PSA_SUCCESS) {
6018 goto cleanup;
6019 }
6020 status = psa_mac_sign_finish(&hmac,
6021 tls12_prf->output_block, hash_length,
6022 &hmac_output_length);
6023 if (status != PSA_SUCCESS) {
6024 goto cleanup;
6025 }
6026
6027
6028 cleanup:
6029 cleanup_status = psa_mac_abort(&hmac);
6030 if (status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS) {
6031 status = cleanup_status;
6032 }
6033
6034 return status;
6035 }
6036
psa_key_derivation_tls12_prf_read(psa_tls12_prf_key_derivation_t * tls12_prf,psa_algorithm_t alg,uint8_t * output,size_t output_length)6037 static psa_status_t psa_key_derivation_tls12_prf_read(
6038 psa_tls12_prf_key_derivation_t *tls12_prf,
6039 psa_algorithm_t alg,
6040 uint8_t *output,
6041 size_t output_length)
6042 {
6043 psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH(alg);
6044 uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
6045 psa_status_t status;
6046 uint8_t offset, length;
6047
6048 switch (tls12_prf->state) {
6049 case PSA_TLS12_PRF_STATE_LABEL_SET:
6050 tls12_prf->state = PSA_TLS12_PRF_STATE_OUTPUT;
6051 break;
6052 case PSA_TLS12_PRF_STATE_OUTPUT:
6053 break;
6054 default:
6055 return PSA_ERROR_BAD_STATE;
6056 }
6057
6058 while (output_length != 0) {
6059 /* Check if we have fully processed the current block. */
6060 if (tls12_prf->left_in_block == 0) {
6061 status = psa_key_derivation_tls12_prf_generate_next_block(tls12_prf,
6062 alg);
6063 if (status != PSA_SUCCESS) {
6064 return status;
6065 }
6066
6067 continue;
6068 }
6069
6070 if (tls12_prf->left_in_block > output_length) {
6071 length = (uint8_t) output_length;
6072 } else {
6073 length = tls12_prf->left_in_block;
6074 }
6075
6076 offset = hash_length - tls12_prf->left_in_block;
6077 memcpy(output, tls12_prf->output_block + offset, length);
6078 output += length;
6079 output_length -= length;
6080 tls12_prf->left_in_block -= length;
6081 }
6082
6083 return PSA_SUCCESS;
6084 }
6085 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
6086 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
6087
6088 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
psa_key_derivation_tls12_ecjpake_to_pms_read(psa_tls12_ecjpake_to_pms_t * ecjpake,uint8_t * output,size_t output_length)6089 static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read(
6090 psa_tls12_ecjpake_to_pms_t *ecjpake,
6091 uint8_t *output,
6092 size_t output_length)
6093 {
6094 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6095 size_t output_size = 0;
6096
6097 if (output_length != 32) {
6098 return PSA_ERROR_INVALID_ARGUMENT;
6099 }
6100
6101 status = psa_hash_compute(PSA_ALG_SHA_256, ecjpake->data,
6102 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length,
6103 &output_size);
6104 if (status != PSA_SUCCESS) {
6105 return status;
6106 }
6107
6108 if (output_size != output_length) {
6109 return PSA_ERROR_GENERIC_ERROR;
6110 }
6111
6112 return PSA_SUCCESS;
6113 }
6114 #endif
6115
6116 #if defined(PSA_HAVE_SOFT_PBKDF2)
psa_key_derivation_pbkdf2_generate_block(psa_pbkdf2_key_derivation_t * pbkdf2,psa_algorithm_t prf_alg,uint8_t prf_output_length,psa_key_attributes_t * attributes)6117 static psa_status_t psa_key_derivation_pbkdf2_generate_block(
6118 psa_pbkdf2_key_derivation_t *pbkdf2,
6119 psa_algorithm_t prf_alg,
6120 uint8_t prf_output_length,
6121 psa_key_attributes_t *attributes)
6122 {
6123 psa_status_t status;
6124 psa_mac_operation_t mac_operation;
6125 /* Make sure the whole the operation is zeroed.
6126 * PSA_MAC_OPERATION_INIT does not necessarily do it fully,
6127 * since one field is a union and initializing a union does not
6128 * necessarily initialize all of its members.
6129 * psa_mac_setup() would do it, but here we bypass it and call
6130 * lower-level functions directly. */
6131 memset(&mac_operation, 0, sizeof(mac_operation));
6132 size_t mac_output_length;
6133 uint8_t U_i[PSA_MAC_MAX_SIZE];
6134 uint8_t *U_accumulator = pbkdf2->output_block;
6135 uint64_t i;
6136 uint8_t block_counter[4];
6137
6138 mac_operation.is_sign = 1;
6139 mac_operation.mac_size = prf_output_length;
6140 MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, block_counter, 0);
6141
6142 status = psa_driver_wrapper_mac_sign_setup(&mac_operation,
6143 attributes,
6144 pbkdf2->password,
6145 pbkdf2->password_length,
6146 prf_alg);
6147 if (status != PSA_SUCCESS) {
6148 goto cleanup;
6149 }
6150 status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length);
6151 if (status != PSA_SUCCESS) {
6152 goto cleanup;
6153 }
6154 status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter));
6155 if (status != PSA_SUCCESS) {
6156 goto cleanup;
6157 }
6158 status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i),
6159 &mac_output_length);
6160 if (status != PSA_SUCCESS) {
6161 goto cleanup;
6162 }
6163
6164 if (mac_output_length != prf_output_length) {
6165 status = PSA_ERROR_CORRUPTION_DETECTED;
6166 goto cleanup;
6167 }
6168
6169 memcpy(U_accumulator, U_i, prf_output_length);
6170
6171 for (i = 1; i < pbkdf2->input_cost; i++) {
6172 /* We are passing prf_output_length as mac_size because the driver
6173 * function directly sets mac_output_length as mac_size upon success.
6174 * See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
6175 status = psa_driver_wrapper_mac_compute(attributes,
6176 pbkdf2->password,
6177 pbkdf2->password_length,
6178 prf_alg, U_i, prf_output_length,
6179 U_i, prf_output_length,
6180 &mac_output_length);
6181 if (status != PSA_SUCCESS) {
6182 goto cleanup;
6183 }
6184
6185 mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length);
6186 }
6187
6188 cleanup:
6189 /* Zeroise buffers to clear sensitive data from memory. */
6190 mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE);
6191 return status;
6192 }
6193
psa_key_derivation_pbkdf2_read(psa_pbkdf2_key_derivation_t * pbkdf2,psa_algorithm_t kdf_alg,uint8_t * output,size_t output_length)6194 static psa_status_t psa_key_derivation_pbkdf2_read(
6195 psa_pbkdf2_key_derivation_t *pbkdf2,
6196 psa_algorithm_t kdf_alg,
6197 uint8_t *output,
6198 size_t output_length)
6199 {
6200 psa_status_t status;
6201 psa_algorithm_t prf_alg;
6202 uint8_t prf_output_length;
6203 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
6204 psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(pbkdf2->password_length));
6205 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
6206
6207 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
6208 prf_alg = PSA_ALG_HMAC(PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg));
6209 prf_output_length = PSA_HASH_LENGTH(prf_alg);
6210 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
6211 } else if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
6212 prf_alg = PSA_ALG_CMAC;
6213 prf_output_length = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
6214 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
6215 } else {
6216 return PSA_ERROR_INVALID_ARGUMENT;
6217 }
6218
6219 switch (pbkdf2->state) {
6220 case PSA_PBKDF2_STATE_PASSWORD_SET:
6221 /* Initially we need a new block so bytes_used is equal to block size*/
6222 pbkdf2->bytes_used = prf_output_length;
6223 pbkdf2->state = PSA_PBKDF2_STATE_OUTPUT;
6224 break;
6225 case PSA_PBKDF2_STATE_OUTPUT:
6226 break;
6227 default:
6228 return PSA_ERROR_BAD_STATE;
6229 }
6230
6231 while (output_length != 0) {
6232 uint8_t n = prf_output_length - pbkdf2->bytes_used;
6233 if (n > output_length) {
6234 n = (uint8_t) output_length;
6235 }
6236 memcpy(output, pbkdf2->output_block + pbkdf2->bytes_used, n);
6237 output += n;
6238 output_length -= n;
6239 pbkdf2->bytes_used += n;
6240
6241 if (output_length == 0) {
6242 break;
6243 }
6244
6245 /* We need a new block */
6246 pbkdf2->bytes_used = 0;
6247 pbkdf2->block_number++;
6248
6249 status = psa_key_derivation_pbkdf2_generate_block(pbkdf2, prf_alg,
6250 prf_output_length,
6251 &attributes);
6252 if (status != PSA_SUCCESS) {
6253 return status;
6254 }
6255 }
6256
6257 return PSA_SUCCESS;
6258 }
6259 #endif /* PSA_HAVE_SOFT_PBKDF2 */
6260
psa_key_derivation_output_bytes(psa_key_derivation_operation_t * operation,uint8_t * output_external,size_t output_length)6261 psa_status_t psa_key_derivation_output_bytes(
6262 psa_key_derivation_operation_t *operation,
6263 uint8_t *output_external,
6264 size_t output_length)
6265 {
6266 psa_status_t status;
6267 LOCAL_OUTPUT_DECLARE(output_external, output);
6268
6269 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
6270
6271 if (operation->alg == 0) {
6272 /* This is a blank operation. */
6273 return PSA_ERROR_BAD_STATE;
6274 }
6275
6276 if (output_length == 0 && operation->capacity == 0) {
6277 /* Edge case: this is a finished operation, and 0 bytes
6278 * were requested. The right error in this case could
6279 * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
6280 * INSUFFICIENT_CAPACITY, which is right for a finished
6281 * operation, for consistency with the case when
6282 * output_length > 0. */
6283 return PSA_ERROR_INSUFFICIENT_DATA;
6284 }
6285
6286 LOCAL_OUTPUT_ALLOC(output_external, output_length, output);
6287 if (output_length > operation->capacity) {
6288 operation->capacity = 0;
6289 /* Go through the error path to wipe all confidential data now
6290 * that the operation object is useless. */
6291 status = PSA_ERROR_INSUFFICIENT_DATA;
6292 goto exit;
6293 }
6294
6295 operation->capacity -= output_length;
6296
6297 #if defined(BUILTIN_ALG_ANY_HKDF)
6298 if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
6299 status = psa_key_derivation_hkdf_read(&operation->ctx.hkdf, kdf_alg,
6300 output, output_length);
6301 } else
6302 #endif /* BUILTIN_ALG_ANY_HKDF */
6303 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
6304 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
6305 if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
6306 PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
6307 status = psa_key_derivation_tls12_prf_read(&operation->ctx.tls12_prf,
6308 kdf_alg, output,
6309 output_length);
6310 } else
6311 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
6312 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
6313 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
6314 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6315 status = psa_key_derivation_tls12_ecjpake_to_pms_read(
6316 &operation->ctx.tls12_ecjpake_to_pms, output, output_length);
6317 } else
6318 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
6319 #if defined(PSA_HAVE_SOFT_PBKDF2)
6320 if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
6321 status = psa_key_derivation_pbkdf2_read(&operation->ctx.pbkdf2, kdf_alg,
6322 output, output_length);
6323 } else
6324 #endif /* PSA_HAVE_SOFT_PBKDF2 */
6325
6326 {
6327 (void) kdf_alg;
6328 status = PSA_ERROR_BAD_STATE;
6329 LOCAL_OUTPUT_FREE(output_external, output);
6330
6331 return status;
6332 }
6333
6334 exit:
6335 if (status != PSA_SUCCESS) {
6336 /* Preserve the algorithm upon errors, but clear all sensitive state.
6337 * This allows us to differentiate between exhausted operations and
6338 * blank operations, so we can return PSA_ERROR_BAD_STATE on blank
6339 * operations. */
6340 psa_algorithm_t alg = operation->alg;
6341 psa_key_derivation_abort(operation);
6342 operation->alg = alg;
6343 if (output != NULL) {
6344 memset(output, '!', output_length);
6345 }
6346 }
6347
6348 LOCAL_OUTPUT_FREE(output_external, output);
6349 return status;
6350 }
6351
6352 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
psa_des_set_key_parity(uint8_t * data,size_t data_size)6353 static void psa_des_set_key_parity(uint8_t *data, size_t data_size)
6354 {
6355 if (data_size >= 8) {
6356 mbedtls_des_key_set_parity(data);
6357 }
6358 if (data_size >= 16) {
6359 mbedtls_des_key_set_parity(data + 8);
6360 }
6361 if (data_size >= 24) {
6362 mbedtls_des_key_set_parity(data + 16);
6363 }
6364 }
6365 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
6366
6367 /*
6368 * ECC keys on a Weierstrass elliptic curve require the generation
6369 * of a private key which is an integer
6370 * in the range [1, N - 1], where N is the boundary of the private key domain:
6371 * N is the prime p for Diffie-Hellman, or the order of the
6372 * curve’s base point for ECC.
6373 *
6374 * Let m be the bit size of N, such that 2^m > N >= 2^(m-1).
6375 * This function generates the private key using the following process:
6376 *
6377 * 1. Draw a byte string of length ceiling(m/8) bytes.
6378 * 2. If m is not a multiple of 8, set the most significant
6379 * (8 * ceiling(m/8) - m) bits of the first byte in the string to zero.
6380 * 3. Convert the string to integer k by decoding it as a big-endian byte string.
6381 * 4. If k > N - 2, discard the result and return to step 1.
6382 * 5. Output k + 1 as the private key.
6383 *
6384 * This method allows compliance to NIST standards, specifically the methods titled
6385 * Key-Pair Generation by Testing Candidates in the following publications:
6386 * - NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment
6387 * Schemes Using Discrete Logarithm Cryptography [SP800-56A] §5.6.1.1.4 for
6388 * Diffie-Hellman keys.
6389 *
6390 * - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature
6391 * Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys.
6392 *
6393 * Note: Function allocates memory for *data buffer, so given *data should be
6394 * always NULL.
6395 */
6396 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
6397 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
psa_generate_derived_ecc_key_weierstrass_helper(psa_key_slot_t * slot,size_t bits,psa_key_derivation_operation_t * operation,uint8_t ** data)6398 static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
6399 psa_key_slot_t *slot,
6400 size_t bits,
6401 psa_key_derivation_operation_t *operation,
6402 uint8_t **data
6403 )
6404 {
6405 unsigned key_out_of_range = 1;
6406 mbedtls_mpi k;
6407 mbedtls_mpi diff_N_2;
6408 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6409 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6410 size_t m;
6411 size_t m_bytes = 0;
6412
6413 mbedtls_mpi_init(&k);
6414 mbedtls_mpi_init(&diff_N_2);
6415
6416 psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
6417 slot->attr.type);
6418 mbedtls_ecp_group_id grp_id =
6419 mbedtls_ecc_group_from_psa(curve, bits);
6420
6421 if (grp_id == MBEDTLS_ECP_DP_NONE) {
6422 ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
6423 goto cleanup;
6424 }
6425
6426 mbedtls_ecp_group ecp_group;
6427 mbedtls_ecp_group_init(&ecp_group);
6428
6429 MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ecp_group, grp_id));
6430
6431 /* N is the boundary of the private key domain (ecp_group.N). */
6432 /* Let m be the bit size of N. */
6433 m = ecp_group.nbits;
6434
6435 m_bytes = PSA_BITS_TO_BYTES(m);
6436
6437 /* Calculate N - 2 - it will be needed later. */
6438 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&diff_N_2, &ecp_group.N, 2));
6439
6440 /* Note: This function is always called with *data == NULL and it
6441 * allocates memory for the data buffer. */
6442 *data = mbedtls_calloc(1, m_bytes);
6443 if (*data == NULL) {
6444 ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
6445 goto cleanup;
6446 }
6447
6448 while (key_out_of_range) {
6449 /* 1. Draw a byte string of length ceiling(m/8) bytes. */
6450 if ((status = psa_key_derivation_output_bytes(operation, *data, m_bytes)) != 0) {
6451 goto cleanup;
6452 }
6453
6454 /* 2. If m is not a multiple of 8 */
6455 if (m % 8 != 0) {
6456 /* Set the most significant
6457 * (8 * ceiling(m/8) - m) bits of the first byte in
6458 * the string to zero.
6459 */
6460 uint8_t clear_bit_mask = (1 << (m % 8)) - 1;
6461 (*data)[0] &= clear_bit_mask;
6462 }
6463
6464 /* 3. Convert the string to integer k by decoding it as a
6465 * big-endian byte string.
6466 */
6467 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&k, *data, m_bytes));
6468
6469 /* 4. If k > N - 2, discard the result and return to step 1.
6470 * Result of comparison is returned. When it indicates error
6471 * then this function is called again.
6472 */
6473 MBEDTLS_MPI_CHK(mbedtls_mpi_lt_mpi_ct(&diff_N_2, &k, &key_out_of_range));
6474 }
6475
6476 /* 5. Output k + 1 as the private key. */
6477 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&k, &k, 1));
6478 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&k, *data, m_bytes));
6479 cleanup:
6480 if (ret != 0) {
6481 status = mbedtls_to_psa_error(ret);
6482 }
6483 if (status != PSA_SUCCESS) {
6484 mbedtls_zeroize_and_free(*data, m_bytes);
6485 *data = NULL;
6486 }
6487 mbedtls_mpi_free(&k);
6488 mbedtls_mpi_free(&diff_N_2);
6489 return status;
6490 }
6491
6492 /* ECC keys on a Montgomery elliptic curve draws a byte string whose length
6493 * is determined by the curve, and sets the mandatory bits accordingly. That is:
6494 *
6495 * - Curve25519 (PSA_ECC_FAMILY_MONTGOMERY, 255 bits):
6496 * draw a 32-byte string and process it as specified in
6497 * Elliptic Curves for Security [RFC7748] §5.
6498 *
6499 * - Curve448 (PSA_ECC_FAMILY_MONTGOMERY, 448 bits):
6500 * draw a 56-byte string and process it as specified in [RFC7748] §5.
6501 *
6502 * Note: Function allocates memory for *data buffer, so given *data should be
6503 * always NULL.
6504 */
6505
psa_generate_derived_ecc_key_montgomery_helper(size_t bits,psa_key_derivation_operation_t * operation,uint8_t ** data)6506 static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
6507 size_t bits,
6508 psa_key_derivation_operation_t *operation,
6509 uint8_t **data
6510 )
6511 {
6512 size_t output_length;
6513 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6514
6515 switch (bits) {
6516 case 255:
6517 output_length = 32;
6518 break;
6519 case 448:
6520 output_length = 56;
6521 break;
6522 default:
6523 return PSA_ERROR_INVALID_ARGUMENT;
6524 break;
6525 }
6526
6527 *data = mbedtls_calloc(1, output_length);
6528
6529 if (*data == NULL) {
6530 return PSA_ERROR_INSUFFICIENT_MEMORY;
6531 }
6532
6533 status = psa_key_derivation_output_bytes(operation, *data, output_length);
6534
6535 if (status != PSA_SUCCESS) {
6536 return status;
6537 }
6538
6539 switch (bits) {
6540 case 255:
6541 (*data)[0] &= 248;
6542 (*data)[31] &= 127;
6543 (*data)[31] |= 64;
6544 break;
6545 case 448:
6546 (*data)[0] &= 252;
6547 (*data)[55] |= 128;
6548 break;
6549 default:
6550 return PSA_ERROR_CORRUPTION_DETECTED;
6551 break;
6552 }
6553
6554 return status;
6555 }
6556 #else /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
psa_generate_derived_ecc_key_weierstrass_helper(psa_key_slot_t * slot,size_t bits,psa_key_derivation_operation_t * operation,uint8_t ** data)6557 static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
6558 psa_key_slot_t *slot, size_t bits,
6559 psa_key_derivation_operation_t *operation, uint8_t **data)
6560 {
6561 (void) slot;
6562 (void) bits;
6563 (void) operation;
6564 (void) data;
6565 return PSA_ERROR_NOT_SUPPORTED;
6566 }
6567
psa_generate_derived_ecc_key_montgomery_helper(size_t bits,psa_key_derivation_operation_t * operation,uint8_t ** data)6568 static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
6569 size_t bits, psa_key_derivation_operation_t *operation, uint8_t **data)
6570 {
6571 (void) bits;
6572 (void) operation;
6573 (void) data;
6574 return PSA_ERROR_NOT_SUPPORTED;
6575 }
6576 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
6577 #endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
6578
psa_generate_derived_key_internal(psa_key_slot_t * slot,size_t bits,psa_key_derivation_operation_t * operation)6579 static psa_status_t psa_generate_derived_key_internal(
6580 psa_key_slot_t *slot,
6581 size_t bits,
6582 psa_key_derivation_operation_t *operation)
6583 {
6584 uint8_t *data = NULL;
6585 size_t bytes = PSA_BITS_TO_BYTES(bits);
6586 size_t storage_size = bytes;
6587 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6588
6589 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
6590 return PSA_ERROR_INVALID_ARGUMENT;
6591 }
6592
6593 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
6594 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
6595 if (PSA_KEY_TYPE_IS_ECC(slot->attr.type)) {
6596 psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(slot->attr.type);
6597 if (PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
6598 /* Weierstrass elliptic curve */
6599 status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data);
6600 if (status != PSA_SUCCESS) {
6601 goto exit;
6602 }
6603 } else {
6604 /* Montgomery elliptic curve */
6605 status = psa_generate_derived_ecc_key_montgomery_helper(bits, operation, &data);
6606 if (status != PSA_SUCCESS) {
6607 goto exit;
6608 }
6609 }
6610 } else
6611 #endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) ||
6612 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) */
6613 if (key_type_is_raw_bytes(slot->attr.type)) {
6614 if (bits % 8 != 0) {
6615 return PSA_ERROR_INVALID_ARGUMENT;
6616 }
6617 data = mbedtls_calloc(1, bytes);
6618 if (data == NULL) {
6619 return PSA_ERROR_INSUFFICIENT_MEMORY;
6620 }
6621
6622 status = psa_key_derivation_output_bytes(operation, data, bytes);
6623 if (status != PSA_SUCCESS) {
6624 goto exit;
6625 }
6626 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
6627 if (slot->attr.type == PSA_KEY_TYPE_DES) {
6628 psa_des_set_key_parity(data, bytes);
6629 }
6630 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) */
6631 } else {
6632 return PSA_ERROR_NOT_SUPPORTED;
6633 }
6634
6635 slot->attr.bits = (psa_key_bits_t) bits;
6636
6637 if (psa_key_lifetime_is_external(slot->attr.lifetime)) {
6638 status = psa_driver_wrapper_get_key_buffer_size(&slot->attr,
6639 &storage_size);
6640 if (status != PSA_SUCCESS) {
6641 goto exit;
6642 }
6643 }
6644 status = psa_allocate_buffer_to_slot(slot, storage_size);
6645 if (status != PSA_SUCCESS) {
6646 goto exit;
6647 }
6648
6649 status = psa_driver_wrapper_import_key(&slot->attr,
6650 data, bytes,
6651 slot->key.data,
6652 slot->key.bytes,
6653 &slot->key.bytes, &bits);
6654 if (bits != slot->attr.bits) {
6655 status = PSA_ERROR_INVALID_ARGUMENT;
6656 }
6657
6658 exit:
6659 mbedtls_zeroize_and_free(data, bytes);
6660 return status;
6661 }
6662
6663 static const psa_custom_key_parameters_t default_custom_production =
6664 PSA_CUSTOM_KEY_PARAMETERS_INIT;
6665
psa_custom_key_parameters_are_default(const psa_custom_key_parameters_t * custom,size_t custom_data_length)6666 int psa_custom_key_parameters_are_default(
6667 const psa_custom_key_parameters_t *custom,
6668 size_t custom_data_length)
6669 {
6670 if (custom->flags != 0) {
6671 return 0;
6672 }
6673 if (custom_data_length != 0) {
6674 return 0;
6675 }
6676 return 1;
6677 }
6678
psa_key_derivation_output_key_custom(const psa_key_attributes_t * attributes,psa_key_derivation_operation_t * operation,const psa_custom_key_parameters_t * custom,const uint8_t * custom_data,size_t custom_data_length,mbedtls_svc_key_id_t * key)6679 psa_status_t psa_key_derivation_output_key_custom(
6680 const psa_key_attributes_t *attributes,
6681 psa_key_derivation_operation_t *operation,
6682 const psa_custom_key_parameters_t *custom,
6683 const uint8_t *custom_data,
6684 size_t custom_data_length,
6685 mbedtls_svc_key_id_t *key)
6686 {
6687 psa_status_t status;
6688 psa_key_slot_t *slot = NULL;
6689 psa_se_drv_table_entry_t *driver = NULL;
6690
6691 *key = MBEDTLS_SVC_KEY_ID_INIT;
6692
6693 /* Reject any attempt to create a zero-length key so that we don't
6694 * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
6695 if (psa_get_key_bits(attributes) == 0) {
6696 return PSA_ERROR_INVALID_ARGUMENT;
6697 }
6698
6699 (void) custom_data; /* We only accept 0-length data */
6700 if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) {
6701 return PSA_ERROR_INVALID_ARGUMENT;
6702 }
6703
6704 if (operation->alg == PSA_ALG_NONE) {
6705 return PSA_ERROR_BAD_STATE;
6706 }
6707
6708 if (!operation->can_output_key) {
6709 return PSA_ERROR_NOT_PERMITTED;
6710 }
6711
6712 status = psa_start_key_creation(PSA_KEY_CREATION_DERIVE, attributes,
6713 &slot, &driver);
6714 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
6715 if (driver != NULL) {
6716 /* Deriving a key in a secure element is not implemented yet. */
6717 status = PSA_ERROR_NOT_SUPPORTED;
6718 }
6719 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
6720 if (status == PSA_SUCCESS) {
6721 status = psa_generate_derived_key_internal(slot,
6722 attributes->bits,
6723 operation);
6724 }
6725 if (status == PSA_SUCCESS) {
6726 status = psa_finish_key_creation(slot, driver, key);
6727 }
6728 if (status != PSA_SUCCESS) {
6729 psa_fail_key_creation(slot, driver);
6730 }
6731
6732 return status;
6733 }
6734
psa_key_derivation_output_key_ext(const psa_key_attributes_t * attributes,psa_key_derivation_operation_t * operation,const psa_key_production_parameters_t * params,size_t params_data_length,mbedtls_svc_key_id_t * key)6735 psa_status_t psa_key_derivation_output_key_ext(
6736 const psa_key_attributes_t *attributes,
6737 psa_key_derivation_operation_t *operation,
6738 const psa_key_production_parameters_t *params,
6739 size_t params_data_length,
6740 mbedtls_svc_key_id_t *key)
6741 {
6742 return psa_key_derivation_output_key_custom(
6743 attributes, operation,
6744 (const psa_custom_key_parameters_t *) params,
6745 params->data, params_data_length,
6746 key);
6747 }
6748
psa_key_derivation_output_key(const psa_key_attributes_t * attributes,psa_key_derivation_operation_t * operation,mbedtls_svc_key_id_t * key)6749 psa_status_t psa_key_derivation_output_key(
6750 const psa_key_attributes_t *attributes,
6751 psa_key_derivation_operation_t *operation,
6752 mbedtls_svc_key_id_t *key)
6753 {
6754 return psa_key_derivation_output_key_custom(attributes, operation,
6755 &default_custom_production,
6756 NULL, 0,
6757 key);
6758 }
6759
6760
6761 /****************************************************************/
6762 /* Key derivation: operation management */
6763 /****************************************************************/
6764
6765 #if defined(AT_LEAST_ONE_BUILTIN_KDF)
is_kdf_alg_supported(psa_algorithm_t kdf_alg)6766 static int is_kdf_alg_supported(psa_algorithm_t kdf_alg)
6767 {
6768 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
6769 if (PSA_ALG_IS_HKDF(kdf_alg)) {
6770 return 1;
6771 }
6772 #endif
6773 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
6774 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6775 return 1;
6776 }
6777 #endif
6778 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
6779 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
6780 return 1;
6781 }
6782 #endif
6783 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
6784 if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
6785 return 1;
6786 }
6787 #endif
6788 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
6789 if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
6790 return 1;
6791 }
6792 #endif
6793 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
6794 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6795 return 1;
6796 }
6797 #endif
6798 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
6799 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
6800 return 1;
6801 }
6802 #endif
6803 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
6804 if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
6805 return 1;
6806 }
6807 #endif
6808 return 0;
6809 }
6810
psa_hash_try_support(psa_algorithm_t alg)6811 static psa_status_t psa_hash_try_support(psa_algorithm_t alg)
6812 {
6813 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
6814 psa_status_t status = psa_hash_setup(&operation, alg);
6815 psa_hash_abort(&operation);
6816 return status;
6817 }
6818
psa_key_derivation_set_maximum_capacity(psa_key_derivation_operation_t * operation,psa_algorithm_t kdf_alg)6819 static psa_status_t psa_key_derivation_set_maximum_capacity(
6820 psa_key_derivation_operation_t *operation,
6821 psa_algorithm_t kdf_alg)
6822 {
6823 #if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
6824 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6825 operation->capacity = PSA_HASH_LENGTH(PSA_ALG_SHA_256);
6826 return PSA_SUCCESS;
6827 }
6828 #endif
6829 #if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
6830 if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
6831 #if (SIZE_MAX > UINT32_MAX)
6832 operation->capacity = UINT32_MAX * (size_t) PSA_MAC_LENGTH(
6833 PSA_KEY_TYPE_AES,
6834 128U,
6835 PSA_ALG_CMAC);
6836 #else
6837 operation->capacity = SIZE_MAX;
6838 #endif
6839 return PSA_SUCCESS;
6840 }
6841 #endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */
6842
6843 /* After this point, if kdf_alg is not valid then value of hash_alg may be
6844 * invalid or meaningless but it does not affect this function */
6845 psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(kdf_alg);
6846 size_t hash_size = PSA_HASH_LENGTH(hash_alg);
6847 if (hash_size == 0) {
6848 return PSA_ERROR_NOT_SUPPORTED;
6849 }
6850
6851 /* Make sure that hash_alg is a supported hash algorithm. Otherwise
6852 * we might fail later, which is somewhat unfriendly and potentially
6853 * risk-prone. */
6854 psa_status_t status = psa_hash_try_support(hash_alg);
6855 if (status != PSA_SUCCESS) {
6856 return status;
6857 }
6858
6859 #if defined(PSA_WANT_ALG_HKDF)
6860 if (PSA_ALG_IS_HKDF(kdf_alg)) {
6861 operation->capacity = 255 * hash_size;
6862 } else
6863 #endif
6864 #if defined(PSA_WANT_ALG_HKDF_EXTRACT)
6865 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6866 operation->capacity = hash_size;
6867 } else
6868 #endif
6869 #if defined(PSA_WANT_ALG_HKDF_EXPAND)
6870 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
6871 operation->capacity = 255 * hash_size;
6872 } else
6873 #endif
6874 #if defined(PSA_WANT_ALG_TLS12_PRF)
6875 if (PSA_ALG_IS_TLS12_PRF(kdf_alg) &&
6876 (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
6877 operation->capacity = SIZE_MAX;
6878 } else
6879 #endif
6880 #if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS)
6881 if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg) &&
6882 (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
6883 /* Master Secret is always 48 bytes
6884 * https://datatracker.ietf.org/doc/html/rfc5246.html#section-8.1 */
6885 operation->capacity = 48U;
6886 } else
6887 #endif
6888 #if defined(PSA_WANT_ALG_PBKDF2_HMAC)
6889 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
6890 #if (SIZE_MAX > UINT32_MAX)
6891 operation->capacity = UINT32_MAX * hash_size;
6892 #else
6893 operation->capacity = SIZE_MAX;
6894 #endif
6895 } else
6896 #endif /* PSA_WANT_ALG_PBKDF2_HMAC */
6897 {
6898 (void) hash_size;
6899 status = PSA_ERROR_NOT_SUPPORTED;
6900 }
6901 return status;
6902 }
6903
psa_key_derivation_setup_kdf(psa_key_derivation_operation_t * operation,psa_algorithm_t kdf_alg)6904 static psa_status_t psa_key_derivation_setup_kdf(
6905 psa_key_derivation_operation_t *operation,
6906 psa_algorithm_t kdf_alg)
6907 {
6908 /* Make sure that operation->ctx is properly zero-initialised. (Macro
6909 * initialisers for this union leave some bytes unspecified.) */
6910 memset(&operation->ctx, 0, sizeof(operation->ctx));
6911
6912 /* Make sure that kdf_alg is a supported key derivation algorithm. */
6913 if (!is_kdf_alg_supported(kdf_alg)) {
6914 return PSA_ERROR_NOT_SUPPORTED;
6915 }
6916
6917 psa_status_t status = psa_key_derivation_set_maximum_capacity(operation,
6918 kdf_alg);
6919 return status;
6920 }
6921
psa_key_agreement_try_support(psa_algorithm_t alg)6922 static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg)
6923 {
6924 #if defined(PSA_WANT_ALG_ECDH)
6925 if (alg == PSA_ALG_ECDH) {
6926 return PSA_SUCCESS;
6927 }
6928 #endif
6929 #if defined(PSA_WANT_ALG_FFDH)
6930 if (alg == PSA_ALG_FFDH) {
6931 return PSA_SUCCESS;
6932 }
6933 #endif
6934 (void) alg;
6935 return PSA_ERROR_NOT_SUPPORTED;
6936 }
6937
psa_key_derivation_allows_free_form_secret_input(psa_algorithm_t kdf_alg)6938 static int psa_key_derivation_allows_free_form_secret_input(
6939 psa_algorithm_t kdf_alg)
6940 {
6941 #if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
6942 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6943 return 0;
6944 }
6945 #endif
6946 (void) kdf_alg;
6947 return 1;
6948 }
6949 #endif /* AT_LEAST_ONE_BUILTIN_KDF */
6950
psa_key_derivation_setup(psa_key_derivation_operation_t * operation,psa_algorithm_t alg)6951 psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation,
6952 psa_algorithm_t alg)
6953 {
6954 psa_status_t status;
6955
6956 if (operation->alg != 0) {
6957 return PSA_ERROR_BAD_STATE;
6958 }
6959
6960 if (PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
6961 return PSA_ERROR_INVALID_ARGUMENT;
6962 } else if (PSA_ALG_IS_KEY_AGREEMENT(alg)) {
6963 #if defined(AT_LEAST_ONE_BUILTIN_KDF)
6964 psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF(alg);
6965 psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(alg);
6966 status = psa_key_agreement_try_support(ka_alg);
6967 if (status != PSA_SUCCESS) {
6968 return status;
6969 }
6970 if (!psa_key_derivation_allows_free_form_secret_input(kdf_alg)) {
6971 return PSA_ERROR_INVALID_ARGUMENT;
6972 }
6973 status = psa_key_derivation_setup_kdf(operation, kdf_alg);
6974 #else
6975 return PSA_ERROR_NOT_SUPPORTED;
6976 #endif /* AT_LEAST_ONE_BUILTIN_KDF */
6977 } else if (PSA_ALG_IS_KEY_DERIVATION(alg)) {
6978 #if defined(AT_LEAST_ONE_BUILTIN_KDF)
6979 status = psa_key_derivation_setup_kdf(operation, alg);
6980 #else
6981 return PSA_ERROR_NOT_SUPPORTED;
6982 #endif /* AT_LEAST_ONE_BUILTIN_KDF */
6983 } else {
6984 return PSA_ERROR_INVALID_ARGUMENT;
6985 }
6986
6987 if (status == PSA_SUCCESS) {
6988 operation->alg = alg;
6989 }
6990 return status;
6991 }
6992
6993 #if defined(BUILTIN_ALG_ANY_HKDF)
psa_hkdf_input(psa_hkdf_key_derivation_t * hkdf,psa_algorithm_t kdf_alg,psa_key_derivation_step_t step,const uint8_t * data,size_t data_length)6994 static psa_status_t psa_hkdf_input(psa_hkdf_key_derivation_t *hkdf,
6995 psa_algorithm_t kdf_alg,
6996 psa_key_derivation_step_t step,
6997 const uint8_t *data,
6998 size_t data_length)
6999 {
7000 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
7001 psa_status_t status;
7002 switch (step) {
7003 case PSA_KEY_DERIVATION_INPUT_SALT:
7004 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
7005 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
7006 return PSA_ERROR_INVALID_ARGUMENT;
7007 }
7008 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
7009 if (hkdf->state != HKDF_STATE_INIT) {
7010 return PSA_ERROR_BAD_STATE;
7011 } else {
7012 status = psa_key_derivation_start_hmac(&hkdf->hmac,
7013 hash_alg,
7014 data, data_length);
7015 if (status != PSA_SUCCESS) {
7016 return status;
7017 }
7018 hkdf->state = HKDF_STATE_STARTED;
7019 return PSA_SUCCESS;
7020 }
7021 case PSA_KEY_DERIVATION_INPUT_SECRET:
7022 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
7023 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
7024 /* We shouldn't be in different state as HKDF_EXPAND only allows
7025 * two inputs: SECRET (this case) and INFO which does not modify
7026 * the state. It could happen only if the hkdf
7027 * object was corrupted. */
7028 if (hkdf->state != HKDF_STATE_INIT) {
7029 return PSA_ERROR_BAD_STATE;
7030 }
7031
7032 /* Allow only input that fits expected prk size */
7033 if (data_length != PSA_HASH_LENGTH(hash_alg)) {
7034 return PSA_ERROR_INVALID_ARGUMENT;
7035 }
7036
7037 memcpy(hkdf->prk, data, data_length);
7038 } else
7039 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
7040 {
7041 /* HKDF: If no salt was provided, use an empty salt.
7042 * HKDF-EXTRACT: salt is mandatory. */
7043 if (hkdf->state == HKDF_STATE_INIT) {
7044 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
7045 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
7046 return PSA_ERROR_BAD_STATE;
7047 }
7048 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
7049 status = psa_key_derivation_start_hmac(&hkdf->hmac,
7050 hash_alg,
7051 NULL, 0);
7052 if (status != PSA_SUCCESS) {
7053 return status;
7054 }
7055 hkdf->state = HKDF_STATE_STARTED;
7056 }
7057 if (hkdf->state != HKDF_STATE_STARTED) {
7058 return PSA_ERROR_BAD_STATE;
7059 }
7060 status = psa_mac_update(&hkdf->hmac,
7061 data, data_length);
7062 if (status != PSA_SUCCESS) {
7063 return status;
7064 }
7065 status = psa_mac_sign_finish(&hkdf->hmac,
7066 hkdf->prk,
7067 sizeof(hkdf->prk),
7068 &data_length);
7069 if (status != PSA_SUCCESS) {
7070 return status;
7071 }
7072 }
7073
7074 hkdf->state = HKDF_STATE_KEYED;
7075 hkdf->block_number = 0;
7076 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
7077 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
7078 /* The only block of output is the PRK. */
7079 memcpy(hkdf->output_block, hkdf->prk, PSA_HASH_LENGTH(hash_alg));
7080 hkdf->offset_in_block = 0;
7081 } else
7082 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
7083 {
7084 /* Block 0 is empty, and the next block will be
7085 * generated by psa_key_derivation_hkdf_read(). */
7086 hkdf->offset_in_block = PSA_HASH_LENGTH(hash_alg);
7087 }
7088
7089 return PSA_SUCCESS;
7090 case PSA_KEY_DERIVATION_INPUT_INFO:
7091 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
7092 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
7093 return PSA_ERROR_INVALID_ARGUMENT;
7094 }
7095 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
7096 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
7097 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg) &&
7098 hkdf->state == HKDF_STATE_INIT) {
7099 return PSA_ERROR_BAD_STATE;
7100 }
7101 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
7102 if (hkdf->state == HKDF_STATE_OUTPUT) {
7103 return PSA_ERROR_BAD_STATE;
7104 }
7105 if (hkdf->info_set) {
7106 return PSA_ERROR_BAD_STATE;
7107 }
7108 hkdf->info_length = data_length;
7109 if (data_length != 0) {
7110 hkdf->info = mbedtls_calloc(1, data_length);
7111 if (hkdf->info == NULL) {
7112 return PSA_ERROR_INSUFFICIENT_MEMORY;
7113 }
7114 memcpy(hkdf->info, data, data_length);
7115 }
7116 hkdf->info_set = 1;
7117 return PSA_SUCCESS;
7118 default:
7119 return PSA_ERROR_INVALID_ARGUMENT;
7120 }
7121 }
7122 #endif /* BUILTIN_ALG_ANY_HKDF */
7123
7124 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
7125 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t * prf,const uint8_t * data,size_t data_length)7126 static psa_status_t psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t *prf,
7127 const uint8_t *data,
7128 size_t data_length)
7129 {
7130 if (prf->state != PSA_TLS12_PRF_STATE_INIT) {
7131 return PSA_ERROR_BAD_STATE;
7132 }
7133
7134 if (data_length != 0) {
7135 prf->seed = mbedtls_calloc(1, data_length);
7136 if (prf->seed == NULL) {
7137 return PSA_ERROR_INSUFFICIENT_MEMORY;
7138 }
7139
7140 memcpy(prf->seed, data, data_length);
7141 prf->seed_length = data_length;
7142 }
7143
7144 prf->state = PSA_TLS12_PRF_STATE_SEED_SET;
7145
7146 return PSA_SUCCESS;
7147 }
7148
psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t * prf,const uint8_t * data,size_t data_length)7149 static psa_status_t psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t *prf,
7150 const uint8_t *data,
7151 size_t data_length)
7152 {
7153 if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET &&
7154 prf->state != PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
7155 return PSA_ERROR_BAD_STATE;
7156 }
7157
7158 if (data_length != 0) {
7159 prf->secret = mbedtls_calloc(1, data_length);
7160 if (prf->secret == NULL) {
7161 return PSA_ERROR_INSUFFICIENT_MEMORY;
7162 }
7163
7164 memcpy(prf->secret, data, data_length);
7165 prf->secret_length = data_length;
7166 }
7167
7168 prf->state = PSA_TLS12_PRF_STATE_KEY_SET;
7169
7170 return PSA_SUCCESS;
7171 }
7172
psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t * prf,const uint8_t * data,size_t data_length)7173 static psa_status_t psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t *prf,
7174 const uint8_t *data,
7175 size_t data_length)
7176 {
7177 if (prf->state != PSA_TLS12_PRF_STATE_KEY_SET) {
7178 return PSA_ERROR_BAD_STATE;
7179 }
7180
7181 if (data_length != 0) {
7182 prf->label = mbedtls_calloc(1, data_length);
7183 if (prf->label == NULL) {
7184 return PSA_ERROR_INSUFFICIENT_MEMORY;
7185 }
7186
7187 memcpy(prf->label, data, data_length);
7188 prf->label_length = data_length;
7189 }
7190
7191 prf->state = PSA_TLS12_PRF_STATE_LABEL_SET;
7192
7193 return PSA_SUCCESS;
7194 }
7195
psa_tls12_prf_input(psa_tls12_prf_key_derivation_t * prf,psa_key_derivation_step_t step,const uint8_t * data,size_t data_length)7196 static psa_status_t psa_tls12_prf_input(psa_tls12_prf_key_derivation_t *prf,
7197 psa_key_derivation_step_t step,
7198 const uint8_t *data,
7199 size_t data_length)
7200 {
7201 switch (step) {
7202 case PSA_KEY_DERIVATION_INPUT_SEED:
7203 return psa_tls12_prf_set_seed(prf, data, data_length);
7204 case PSA_KEY_DERIVATION_INPUT_SECRET:
7205 return psa_tls12_prf_set_key(prf, data, data_length);
7206 case PSA_KEY_DERIVATION_INPUT_LABEL:
7207 return psa_tls12_prf_set_label(prf, data, data_length);
7208 default:
7209 return PSA_ERROR_INVALID_ARGUMENT;
7210 }
7211 }
7212 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
7213 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
7214
7215 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
psa_tls12_prf_psk_to_ms_set_key(psa_tls12_prf_key_derivation_t * prf,const uint8_t * data,size_t data_length)7216 static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
7217 psa_tls12_prf_key_derivation_t *prf,
7218 const uint8_t *data,
7219 size_t data_length)
7220 {
7221 psa_status_t status;
7222 const size_t pms_len = (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET ?
7223 4 + data_length + prf->other_secret_length :
7224 4 + 2 * data_length);
7225
7226 if (data_length > PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE) {
7227 return PSA_ERROR_INVALID_ARGUMENT;
7228 }
7229
7230 uint8_t *pms = mbedtls_calloc(1, pms_len);
7231 if (pms == NULL) {
7232 return PSA_ERROR_INSUFFICIENT_MEMORY;
7233 }
7234 uint8_t *cur = pms;
7235
7236 /* pure-PSK:
7237 * Quoting RFC 4279, Section 2:
7238 *
7239 * The premaster secret is formed as follows: if the PSK is N octets
7240 * long, concatenate a uint16 with the value N, N zero octets, a second
7241 * uint16 with the value N, and the PSK itself.
7242 *
7243 * mixed-PSK:
7244 * In a DHE-PSK, RSA-PSK, ECDHE-PSK the premaster secret is formed as
7245 * follows: concatenate a uint16 with the length of the other secret,
7246 * the other secret itself, uint16 with the length of PSK, and the
7247 * PSK itself.
7248 * For details please check:
7249 * - RFC 4279, Section 4 for the definition of RSA-PSK,
7250 * - RFC 4279, Section 3 for the definition of DHE-PSK,
7251 * - RFC 5489 for the definition of ECDHE-PSK.
7252 */
7253
7254 if (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
7255 *cur++ = MBEDTLS_BYTE_1(prf->other_secret_length);
7256 *cur++ = MBEDTLS_BYTE_0(prf->other_secret_length);
7257 if (prf->other_secret_length != 0) {
7258 memcpy(cur, prf->other_secret, prf->other_secret_length);
7259 mbedtls_platform_zeroize(prf->other_secret, prf->other_secret_length);
7260 cur += prf->other_secret_length;
7261 }
7262 } else {
7263 *cur++ = MBEDTLS_BYTE_1(data_length);
7264 *cur++ = MBEDTLS_BYTE_0(data_length);
7265 memset(cur, 0, data_length);
7266 cur += data_length;
7267 }
7268
7269 *cur++ = MBEDTLS_BYTE_1(data_length);
7270 *cur++ = MBEDTLS_BYTE_0(data_length);
7271 memcpy(cur, data, data_length);
7272 cur += data_length;
7273
7274 status = psa_tls12_prf_set_key(prf, pms, (size_t) (cur - pms));
7275
7276 mbedtls_zeroize_and_free(pms, pms_len);
7277 return status;
7278 }
7279
psa_tls12_prf_psk_to_ms_set_other_key(psa_tls12_prf_key_derivation_t * prf,const uint8_t * data,size_t data_length)7280 static psa_status_t psa_tls12_prf_psk_to_ms_set_other_key(
7281 psa_tls12_prf_key_derivation_t *prf,
7282 const uint8_t *data,
7283 size_t data_length)
7284 {
7285 if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET) {
7286 return PSA_ERROR_BAD_STATE;
7287 }
7288
7289 if (data_length != 0) {
7290 prf->other_secret = mbedtls_calloc(1, data_length);
7291 if (prf->other_secret == NULL) {
7292 return PSA_ERROR_INSUFFICIENT_MEMORY;
7293 }
7294
7295 memcpy(prf->other_secret, data, data_length);
7296 prf->other_secret_length = data_length;
7297 } else {
7298 prf->other_secret_length = 0;
7299 }
7300
7301 prf->state = PSA_TLS12_PRF_STATE_OTHER_KEY_SET;
7302
7303 return PSA_SUCCESS;
7304 }
7305
psa_tls12_prf_psk_to_ms_input(psa_tls12_prf_key_derivation_t * prf,psa_key_derivation_step_t step,const uint8_t * data,size_t data_length)7306 static psa_status_t psa_tls12_prf_psk_to_ms_input(
7307 psa_tls12_prf_key_derivation_t *prf,
7308 psa_key_derivation_step_t step,
7309 const uint8_t *data,
7310 size_t data_length)
7311 {
7312 switch (step) {
7313 case PSA_KEY_DERIVATION_INPUT_SECRET:
7314 return psa_tls12_prf_psk_to_ms_set_key(prf,
7315 data, data_length);
7316 break;
7317 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
7318 return psa_tls12_prf_psk_to_ms_set_other_key(prf,
7319 data,
7320 data_length);
7321 break;
7322 default:
7323 return psa_tls12_prf_input(prf, step, data, data_length);
7324 break;
7325
7326 }
7327 }
7328 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
7329
7330 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
psa_tls12_ecjpake_to_pms_input(psa_tls12_ecjpake_to_pms_t * ecjpake,psa_key_derivation_step_t step,const uint8_t * data,size_t data_length)7331 static psa_status_t psa_tls12_ecjpake_to_pms_input(
7332 psa_tls12_ecjpake_to_pms_t *ecjpake,
7333 psa_key_derivation_step_t step,
7334 const uint8_t *data,
7335 size_t data_length)
7336 {
7337 if (data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE ||
7338 step != PSA_KEY_DERIVATION_INPUT_SECRET) {
7339 return PSA_ERROR_INVALID_ARGUMENT;
7340 }
7341
7342 /* Check if the passed point is in an uncompressed form */
7343 if (data[0] != 0x04) {
7344 return PSA_ERROR_INVALID_ARGUMENT;
7345 }
7346
7347 /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */
7348 memcpy(ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
7349
7350 return PSA_SUCCESS;
7351 }
7352 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
7353
7354 #if defined(PSA_HAVE_SOFT_PBKDF2)
psa_pbkdf2_set_input_cost(psa_pbkdf2_key_derivation_t * pbkdf2,psa_key_derivation_step_t step,uint64_t data)7355 static psa_status_t psa_pbkdf2_set_input_cost(
7356 psa_pbkdf2_key_derivation_t *pbkdf2,
7357 psa_key_derivation_step_t step,
7358 uint64_t data)
7359 {
7360 if (step != PSA_KEY_DERIVATION_INPUT_COST) {
7361 return PSA_ERROR_INVALID_ARGUMENT;
7362 }
7363
7364 if (pbkdf2->state != PSA_PBKDF2_STATE_INIT) {
7365 return PSA_ERROR_BAD_STATE;
7366 }
7367
7368 if (data > PSA_VENDOR_PBKDF2_MAX_ITERATIONS) {
7369 return PSA_ERROR_NOT_SUPPORTED;
7370 }
7371
7372 if (data == 0) {
7373 return PSA_ERROR_INVALID_ARGUMENT;
7374 }
7375
7376 pbkdf2->input_cost = data;
7377 pbkdf2->state = PSA_PBKDF2_STATE_INPUT_COST_SET;
7378
7379 return PSA_SUCCESS;
7380 }
7381
psa_pbkdf2_set_salt(psa_pbkdf2_key_derivation_t * pbkdf2,const uint8_t * data,size_t data_length)7382 static psa_status_t psa_pbkdf2_set_salt(psa_pbkdf2_key_derivation_t *pbkdf2,
7383 const uint8_t *data,
7384 size_t data_length)
7385 {
7386 if (pbkdf2->state == PSA_PBKDF2_STATE_INPUT_COST_SET) {
7387 pbkdf2->state = PSA_PBKDF2_STATE_SALT_SET;
7388 } else if (pbkdf2->state == PSA_PBKDF2_STATE_SALT_SET) {
7389 /* Appending to existing salt. No state change. */
7390 } else {
7391 return PSA_ERROR_BAD_STATE;
7392 }
7393
7394 if (data_length == 0) {
7395 /* Appending an empty string, nothing to do. */
7396 } else {
7397 uint8_t *next_salt;
7398
7399 next_salt = mbedtls_calloc(1, data_length + pbkdf2->salt_length);
7400 if (next_salt == NULL) {
7401 return PSA_ERROR_INSUFFICIENT_MEMORY;
7402 }
7403
7404 if (pbkdf2->salt_length != 0) {
7405 memcpy(next_salt, pbkdf2->salt, pbkdf2->salt_length);
7406 }
7407 memcpy(next_salt + pbkdf2->salt_length, data, data_length);
7408 pbkdf2->salt_length += data_length;
7409 mbedtls_free(pbkdf2->salt);
7410 pbkdf2->salt = next_salt;
7411 }
7412 return PSA_SUCCESS;
7413 }
7414
7415 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
psa_pbkdf2_hmac_set_password(psa_algorithm_t hash_alg,const uint8_t * input,size_t input_len,uint8_t * output,size_t * output_len)7416 static psa_status_t psa_pbkdf2_hmac_set_password(psa_algorithm_t hash_alg,
7417 const uint8_t *input,
7418 size_t input_len,
7419 uint8_t *output,
7420 size_t *output_len)
7421 {
7422 psa_status_t status = PSA_SUCCESS;
7423 if (input_len > PSA_HASH_BLOCK_LENGTH(hash_alg)) {
7424 return psa_hash_compute(hash_alg, input, input_len, output,
7425 PSA_HMAC_MAX_HASH_BLOCK_SIZE, output_len);
7426 } else if (input_len > 0) {
7427 memcpy(output, input, input_len);
7428 }
7429 *output_len = PSA_HASH_BLOCK_LENGTH(hash_alg);
7430 return status;
7431 }
7432 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
7433
7434 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
psa_pbkdf2_cmac_set_password(const uint8_t * input,size_t input_len,uint8_t * output,size_t * output_len)7435 static psa_status_t psa_pbkdf2_cmac_set_password(const uint8_t *input,
7436 size_t input_len,
7437 uint8_t *output,
7438 size_t *output_len)
7439 {
7440 psa_status_t status = PSA_SUCCESS;
7441 if (input_len != PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC)) {
7442 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7443 uint8_t zeros[16] = { 0 };
7444 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
7445 psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(sizeof(zeros)));
7446 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
7447 /* Passing PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC) as
7448 * mac_size as the driver function sets mac_output_length = mac_size
7449 * on success. See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
7450 status = psa_driver_wrapper_mac_compute(&attributes,
7451 zeros, sizeof(zeros),
7452 PSA_ALG_CMAC, input, input_len,
7453 output,
7454 PSA_MAC_LENGTH(PSA_KEY_TYPE_AES,
7455 128U,
7456 PSA_ALG_CMAC),
7457 output_len);
7458 } else {
7459 memcpy(output, input, input_len);
7460 *output_len = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
7461 }
7462 return status;
7463 }
7464 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
7465
psa_pbkdf2_set_password(psa_pbkdf2_key_derivation_t * pbkdf2,psa_algorithm_t kdf_alg,const uint8_t * data,size_t data_length)7466 static psa_status_t psa_pbkdf2_set_password(psa_pbkdf2_key_derivation_t *pbkdf2,
7467 psa_algorithm_t kdf_alg,
7468 const uint8_t *data,
7469 size_t data_length)
7470 {
7471 psa_status_t status = PSA_SUCCESS;
7472 if (pbkdf2->state != PSA_PBKDF2_STATE_SALT_SET) {
7473 return PSA_ERROR_BAD_STATE;
7474 }
7475
7476 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
7477 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
7478 psa_algorithm_t hash_alg = PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg);
7479 status = psa_pbkdf2_hmac_set_password(hash_alg, data, data_length,
7480 pbkdf2->password,
7481 &pbkdf2->password_length);
7482 } else
7483 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
7484 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
7485 if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
7486 status = psa_pbkdf2_cmac_set_password(data, data_length,
7487 pbkdf2->password,
7488 &pbkdf2->password_length);
7489 } else
7490 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
7491 {
7492 return PSA_ERROR_INVALID_ARGUMENT;
7493 }
7494
7495 pbkdf2->state = PSA_PBKDF2_STATE_PASSWORD_SET;
7496
7497 return status;
7498 }
7499
psa_pbkdf2_input(psa_pbkdf2_key_derivation_t * pbkdf2,psa_algorithm_t kdf_alg,psa_key_derivation_step_t step,const uint8_t * data,size_t data_length)7500 static psa_status_t psa_pbkdf2_input(psa_pbkdf2_key_derivation_t *pbkdf2,
7501 psa_algorithm_t kdf_alg,
7502 psa_key_derivation_step_t step,
7503 const uint8_t *data,
7504 size_t data_length)
7505 {
7506 switch (step) {
7507 case PSA_KEY_DERIVATION_INPUT_SALT:
7508 return psa_pbkdf2_set_salt(pbkdf2, data, data_length);
7509 case PSA_KEY_DERIVATION_INPUT_PASSWORD:
7510 return psa_pbkdf2_set_password(pbkdf2, kdf_alg, data, data_length);
7511 default:
7512 return PSA_ERROR_INVALID_ARGUMENT;
7513 }
7514 }
7515 #endif /* PSA_HAVE_SOFT_PBKDF2 */
7516
7517 /** Check whether the given key type is acceptable for the given
7518 * input step of a key derivation.
7519 *
7520 * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE.
7521 * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA.
7522 * Both secret and non-secret inputs can alternatively have the type
7523 * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning
7524 * that the input was passed as a buffer rather than via a key object.
7525 */
psa_key_derivation_check_input_type(psa_key_derivation_step_t step,psa_key_type_t key_type)7526 static int psa_key_derivation_check_input_type(
7527 psa_key_derivation_step_t step,
7528 psa_key_type_t key_type)
7529 {
7530 switch (step) {
7531 case PSA_KEY_DERIVATION_INPUT_SECRET:
7532 if (key_type == PSA_KEY_TYPE_DERIVE) {
7533 return PSA_SUCCESS;
7534 }
7535 if (key_type == PSA_KEY_TYPE_NONE) {
7536 return PSA_SUCCESS;
7537 }
7538 break;
7539 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
7540 if (key_type == PSA_KEY_TYPE_DERIVE) {
7541 return PSA_SUCCESS;
7542 }
7543 if (key_type == PSA_KEY_TYPE_NONE) {
7544 return PSA_SUCCESS;
7545 }
7546 break;
7547 case PSA_KEY_DERIVATION_INPUT_LABEL:
7548 case PSA_KEY_DERIVATION_INPUT_SALT:
7549 case PSA_KEY_DERIVATION_INPUT_INFO:
7550 case PSA_KEY_DERIVATION_INPUT_SEED:
7551 if (key_type == PSA_KEY_TYPE_RAW_DATA) {
7552 return PSA_SUCCESS;
7553 }
7554 if (key_type == PSA_KEY_TYPE_NONE) {
7555 return PSA_SUCCESS;
7556 }
7557 break;
7558 case PSA_KEY_DERIVATION_INPUT_PASSWORD:
7559 if (key_type == PSA_KEY_TYPE_PASSWORD) {
7560 return PSA_SUCCESS;
7561 }
7562 if (key_type == PSA_KEY_TYPE_DERIVE) {
7563 return PSA_SUCCESS;
7564 }
7565 if (key_type == PSA_KEY_TYPE_NONE) {
7566 return PSA_SUCCESS;
7567 }
7568 break;
7569 }
7570 return PSA_ERROR_INVALID_ARGUMENT;
7571 }
7572
psa_key_derivation_input_internal(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,psa_key_type_t key_type,const uint8_t * data,size_t data_length)7573 static psa_status_t psa_key_derivation_input_internal(
7574 psa_key_derivation_operation_t *operation,
7575 psa_key_derivation_step_t step,
7576 psa_key_type_t key_type,
7577 const uint8_t *data,
7578 size_t data_length)
7579 {
7580 psa_status_t status;
7581 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
7582
7583 if (kdf_alg == PSA_ALG_NONE) {
7584 /* This is a blank or aborted operation. */
7585 status = PSA_ERROR_BAD_STATE;
7586 goto exit;
7587 }
7588
7589 status = psa_key_derivation_check_input_type(step, key_type);
7590 if (status != PSA_SUCCESS) {
7591 goto exit;
7592 }
7593
7594 #if defined(BUILTIN_ALG_ANY_HKDF)
7595 if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
7596 status = psa_hkdf_input(&operation->ctx.hkdf, kdf_alg,
7597 step, data, data_length);
7598 } else
7599 #endif /* BUILTIN_ALG_ANY_HKDF */
7600 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
7601 if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
7602 status = psa_tls12_prf_input(&operation->ctx.tls12_prf,
7603 step, data, data_length);
7604 } else
7605 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */
7606 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
7607 if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
7608 status = psa_tls12_prf_psk_to_ms_input(&operation->ctx.tls12_prf,
7609 step, data, data_length);
7610 } else
7611 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
7612 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
7613 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
7614 status = psa_tls12_ecjpake_to_pms_input(
7615 &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length);
7616 } else
7617 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
7618 #if defined(PSA_HAVE_SOFT_PBKDF2)
7619 if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
7620 status = psa_pbkdf2_input(&operation->ctx.pbkdf2, kdf_alg,
7621 step, data, data_length);
7622 } else
7623 #endif /* PSA_HAVE_SOFT_PBKDF2 */
7624 {
7625 /* This can't happen unless the operation object was not initialized */
7626 (void) data;
7627 (void) data_length;
7628 (void) kdf_alg;
7629 return PSA_ERROR_BAD_STATE;
7630 }
7631
7632 exit:
7633 if (status != PSA_SUCCESS) {
7634 psa_key_derivation_abort(operation);
7635 }
7636 return status;
7637 }
7638
psa_key_derivation_input_integer_internal(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,uint64_t value)7639 static psa_status_t psa_key_derivation_input_integer_internal(
7640 psa_key_derivation_operation_t *operation,
7641 psa_key_derivation_step_t step,
7642 uint64_t value)
7643 {
7644 psa_status_t status;
7645 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
7646
7647 if (kdf_alg == PSA_ALG_NONE) {
7648 /* This is a blank or aborted operation. */
7649 status = PSA_ERROR_BAD_STATE;
7650 goto exit;
7651 }
7652
7653 #if defined(PSA_HAVE_SOFT_PBKDF2)
7654 if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
7655 status = psa_pbkdf2_set_input_cost(
7656 &operation->ctx.pbkdf2, step, value);
7657 } else
7658 #endif /* PSA_HAVE_SOFT_PBKDF2 */
7659 {
7660 (void) step;
7661 (void) value;
7662 (void) kdf_alg;
7663 status = PSA_ERROR_INVALID_ARGUMENT;
7664 }
7665
7666 exit:
7667 if (status != PSA_SUCCESS) {
7668 psa_key_derivation_abort(operation);
7669 }
7670 return status;
7671 }
7672
psa_key_derivation_input_bytes(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,const uint8_t * data_external,size_t data_length)7673 psa_status_t psa_key_derivation_input_bytes(
7674 psa_key_derivation_operation_t *operation,
7675 psa_key_derivation_step_t step,
7676 const uint8_t *data_external,
7677 size_t data_length)
7678 {
7679 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7680 LOCAL_INPUT_DECLARE(data_external, data);
7681
7682 LOCAL_INPUT_ALLOC(data_external, data_length, data);
7683
7684 status = psa_key_derivation_input_internal(operation, step,
7685 PSA_KEY_TYPE_NONE,
7686 data, data_length);
7687 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
7688 exit:
7689 #endif
7690 LOCAL_INPUT_FREE(data_external, data);
7691 return status;
7692 }
7693
psa_key_derivation_input_integer(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,uint64_t value)7694 psa_status_t psa_key_derivation_input_integer(
7695 psa_key_derivation_operation_t *operation,
7696 psa_key_derivation_step_t step,
7697 uint64_t value)
7698 {
7699 return psa_key_derivation_input_integer_internal(operation, step, value);
7700 }
7701
psa_key_derivation_input_key(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,mbedtls_svc_key_id_t key)7702 psa_status_t psa_key_derivation_input_key(
7703 psa_key_derivation_operation_t *operation,
7704 psa_key_derivation_step_t step,
7705 mbedtls_svc_key_id_t key)
7706 {
7707 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7708 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
7709 psa_key_slot_t *slot;
7710
7711 status = psa_get_and_lock_transparent_key_slot_with_policy(
7712 key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
7713 if (status != PSA_SUCCESS) {
7714 psa_key_derivation_abort(operation);
7715 return status;
7716 }
7717
7718 /* Passing a key object as a SECRET or PASSWORD input unlocks the
7719 * permission to output to a key object. */
7720 if (step == PSA_KEY_DERIVATION_INPUT_SECRET ||
7721 step == PSA_KEY_DERIVATION_INPUT_PASSWORD) {
7722 operation->can_output_key = 1;
7723 }
7724
7725 status = psa_key_derivation_input_internal(operation,
7726 step, slot->attr.type,
7727 slot->key.data,
7728 slot->key.bytes);
7729
7730 unlock_status = psa_unregister_read_under_mutex(slot);
7731
7732 return (status == PSA_SUCCESS) ? unlock_status : status;
7733 }
7734
7735
7736
7737 /****************************************************************/
7738 /* Key agreement */
7739 /****************************************************************/
7740
psa_key_agreement_raw_builtin(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * peer_key,size_t peer_key_length,uint8_t * shared_secret,size_t shared_secret_size,size_t * shared_secret_length)7741 psa_status_t psa_key_agreement_raw_builtin(const psa_key_attributes_t *attributes,
7742 const uint8_t *key_buffer,
7743 size_t key_buffer_size,
7744 psa_algorithm_t alg,
7745 const uint8_t *peer_key,
7746 size_t peer_key_length,
7747 uint8_t *shared_secret,
7748 size_t shared_secret_size,
7749 size_t *shared_secret_length)
7750 {
7751 switch (alg) {
7752 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
7753 case PSA_ALG_ECDH:
7754 return mbedtls_psa_key_agreement_ecdh(attributes, key_buffer,
7755 key_buffer_size, alg,
7756 peer_key, peer_key_length,
7757 shared_secret,
7758 shared_secret_size,
7759 shared_secret_length);
7760 #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
7761
7762 #if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
7763 case PSA_ALG_FFDH:
7764 return mbedtls_psa_ffdh_key_agreement(attributes,
7765 peer_key,
7766 peer_key_length,
7767 key_buffer,
7768 key_buffer_size,
7769 shared_secret,
7770 shared_secret_size,
7771 shared_secret_length);
7772 #endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
7773
7774 default:
7775 (void) attributes;
7776 (void) key_buffer;
7777 (void) key_buffer_size;
7778 (void) peer_key;
7779 (void) peer_key_length;
7780 (void) shared_secret;
7781 (void) shared_secret_size;
7782 (void) shared_secret_length;
7783 return PSA_ERROR_NOT_SUPPORTED;
7784 }
7785 }
7786
7787 /** Internal function for raw key agreement
7788 * Calls the driver wrapper which will hand off key agreement task
7789 * to the driver's implementation if a driver is present.
7790 * Fallback specified in the driver wrapper is built-in raw key agreement
7791 * (psa_key_agreement_raw_builtin).
7792 */
psa_key_agreement_raw_internal(psa_algorithm_t alg,psa_key_slot_t * private_key,const uint8_t * peer_key,size_t peer_key_length,uint8_t * shared_secret,size_t shared_secret_size,size_t * shared_secret_length)7793 static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg,
7794 psa_key_slot_t *private_key,
7795 const uint8_t *peer_key,
7796 size_t peer_key_length,
7797 uint8_t *shared_secret,
7798 size_t shared_secret_size,
7799 size_t *shared_secret_length)
7800 {
7801 if (!PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
7802 return PSA_ERROR_NOT_SUPPORTED;
7803 }
7804
7805 return psa_driver_wrapper_key_agreement(&private_key->attr,
7806 private_key->key.data,
7807 private_key->key.bytes, alg,
7808 peer_key, peer_key_length,
7809 shared_secret,
7810 shared_secret_size,
7811 shared_secret_length);
7812 }
7813
7814 /* Note that if this function fails, you must call psa_key_derivation_abort()
7815 * to potentially free embedded data structures and wipe confidential data.
7816 */
psa_key_agreement_internal(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,psa_key_slot_t * private_key,const uint8_t * peer_key,size_t peer_key_length)7817 static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *operation,
7818 psa_key_derivation_step_t step,
7819 psa_key_slot_t *private_key,
7820 const uint8_t *peer_key,
7821 size_t peer_key_length)
7822 {
7823 psa_status_t status;
7824 uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE] = { 0 };
7825 size_t shared_secret_length = 0;
7826 psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg);
7827
7828 /* Step 1: run the secret agreement algorithm to generate the shared
7829 * secret. */
7830 status = psa_key_agreement_raw_internal(ka_alg,
7831 private_key,
7832 peer_key, peer_key_length,
7833 shared_secret,
7834 sizeof(shared_secret),
7835 &shared_secret_length);
7836 if (status != PSA_SUCCESS) {
7837 goto exit;
7838 }
7839
7840 /* Step 2: set up the key derivation to generate key material from
7841 * the shared secret. A shared secret is permitted wherever a key
7842 * of type DERIVE is permitted. */
7843 status = psa_key_derivation_input_internal(operation, step,
7844 PSA_KEY_TYPE_DERIVE,
7845 shared_secret,
7846 shared_secret_length);
7847 exit:
7848 mbedtls_platform_zeroize(shared_secret, shared_secret_length);
7849 return status;
7850 }
7851
psa_key_derivation_key_agreement(psa_key_derivation_operation_t * operation,psa_key_derivation_step_t step,mbedtls_svc_key_id_t private_key,const uint8_t * peer_key_external,size_t peer_key_length)7852 psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *operation,
7853 psa_key_derivation_step_t step,
7854 mbedtls_svc_key_id_t private_key,
7855 const uint8_t *peer_key_external,
7856 size_t peer_key_length)
7857 {
7858 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7859 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
7860 psa_key_slot_t *slot;
7861 LOCAL_INPUT_DECLARE(peer_key_external, peer_key);
7862
7863 if (!PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
7864 return PSA_ERROR_INVALID_ARGUMENT;
7865 }
7866 status = psa_get_and_lock_transparent_key_slot_with_policy(
7867 private_key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
7868 if (status != PSA_SUCCESS) {
7869 return status;
7870 }
7871
7872 LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key);
7873 status = psa_key_agreement_internal(operation, step,
7874 slot,
7875 peer_key, peer_key_length);
7876
7877 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
7878 exit:
7879 #endif
7880 if (status != PSA_SUCCESS) {
7881 psa_key_derivation_abort(operation);
7882 } else {
7883 /* If a private key has been added as SECRET, we allow the derived
7884 * key material to be used as a key in PSA Crypto. */
7885 if (step == PSA_KEY_DERIVATION_INPUT_SECRET) {
7886 operation->can_output_key = 1;
7887 }
7888 }
7889
7890 unlock_status = psa_unregister_read_under_mutex(slot);
7891 LOCAL_INPUT_FREE(peer_key_external, peer_key);
7892
7893 return (status == PSA_SUCCESS) ? unlock_status : status;
7894 }
7895
psa_raw_key_agreement(psa_algorithm_t alg,mbedtls_svc_key_id_t private_key,const uint8_t * peer_key_external,size_t peer_key_length,uint8_t * output_external,size_t output_size,size_t * output_length)7896 psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
7897 mbedtls_svc_key_id_t private_key,
7898 const uint8_t *peer_key_external,
7899 size_t peer_key_length,
7900 uint8_t *output_external,
7901 size_t output_size,
7902 size_t *output_length)
7903 {
7904 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7905 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
7906 psa_key_slot_t *slot = NULL;
7907 size_t expected_length;
7908 LOCAL_INPUT_DECLARE(peer_key_external, peer_key);
7909 LOCAL_OUTPUT_DECLARE(output_external, output);
7910 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
7911
7912 if (!PSA_ALG_IS_KEY_AGREEMENT(alg)) {
7913 status = PSA_ERROR_INVALID_ARGUMENT;
7914 goto exit;
7915 }
7916 status = psa_get_and_lock_transparent_key_slot_with_policy(
7917 private_key, &slot, PSA_KEY_USAGE_DERIVE, alg);
7918 if (status != PSA_SUCCESS) {
7919 goto exit;
7920 }
7921
7922 /* PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is in general an upper bound
7923 * for the output size. The PSA specification only guarantees that this
7924 * function works if output_size >= PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(...),
7925 * but it might be nice to allow smaller buffers if the output fits.
7926 * At the time of writing this comment, with only ECDH implemented,
7927 * PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is exact so the point is moot.
7928 * If FFDH is implemented, PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() can easily
7929 * be exact for it as well. */
7930 expected_length =
7931 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(slot->attr.type, slot->attr.bits);
7932 if (output_size < expected_length) {
7933 status = PSA_ERROR_BUFFER_TOO_SMALL;
7934 goto exit;
7935 }
7936
7937 LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key);
7938 status = psa_key_agreement_raw_internal(alg, slot,
7939 peer_key, peer_key_length,
7940 output, output_size,
7941 output_length);
7942
7943 exit:
7944 /* Check for successful allocation of output,
7945 * with an unsuccessful status. */
7946 if (output != NULL && status != PSA_SUCCESS) {
7947 /* If an error happens and is not handled properly, the output
7948 * may be used as a key to protect sensitive data. Arrange for such
7949 * a key to be random, which is likely to result in decryption or
7950 * verification errors. This is better than filling the buffer with
7951 * some constant data such as zeros, which would result in the data
7952 * being protected with a reproducible, easily knowable key.
7953 */
7954 psa_generate_random_internal(output, output_size);
7955 *output_length = output_size;
7956 }
7957
7958 if (output == NULL) {
7959 /* output allocation failed. */
7960 *output_length = 0;
7961 }
7962
7963 unlock_status = psa_unregister_read_under_mutex(slot);
7964
7965 LOCAL_INPUT_FREE(peer_key_external, peer_key);
7966 LOCAL_OUTPUT_FREE(output_external, output);
7967 return (status == PSA_SUCCESS) ? unlock_status : status;
7968 }
7969
7970
7971 /****************************************************************/
7972 /* Random generation */
7973 /****************************************************************/
7974
7975 #if defined(MBEDTLS_PSA_INJECT_ENTROPY)
7976 #include "entropy_poll.h"
7977 #endif
7978
7979 /** Initialize the PSA random generator.
7980 *
7981 * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling
7982 * this function if mutexes are enabled.
7983 */
mbedtls_psa_random_init(mbedtls_psa_random_context_t * rng)7984 static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng)
7985 {
7986 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
7987 memset(rng, 0, sizeof(*rng));
7988 #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7989
7990 /* Set default configuration if
7991 * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */
7992 if (rng->entropy_init == NULL) {
7993 rng->entropy_init = mbedtls_entropy_init;
7994 }
7995 if (rng->entropy_free == NULL) {
7996 rng->entropy_free = mbedtls_entropy_free;
7997 }
7998
7999 rng->entropy_init(&rng->entropy);
8000 #if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \
8001 defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
8002 /* The PSA entropy injection feature depends on using NV seed as an entropy
8003 * source. Add NV seed as an entropy source for PSA entropy injection. */
8004 mbedtls_entropy_add_source(&rng->entropy,
8005 mbedtls_nv_seed_poll, NULL,
8006 MBEDTLS_ENTROPY_BLOCK_SIZE,
8007 MBEDTLS_ENTROPY_SOURCE_STRONG);
8008 #endif
8009
8010 mbedtls_psa_drbg_init(&rng->drbg);
8011 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
8012 }
8013
8014 /** Deinitialize the PSA random generator.
8015 *
8016 * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling
8017 * this function if mutexes are enabled.
8018 */
mbedtls_psa_random_free(mbedtls_psa_random_context_t * rng)8019 static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng)
8020 {
8021 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
8022 memset(rng, 0, sizeof(*rng));
8023 #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
8024 mbedtls_psa_drbg_free(&rng->drbg);
8025 rng->entropy_free(&rng->entropy);
8026 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
8027 }
8028
8029 /** Seed the PSA random generator.
8030 */
mbedtls_psa_random_seed(mbedtls_psa_random_context_t * rng)8031 static psa_status_t mbedtls_psa_random_seed(mbedtls_psa_random_context_t *rng)
8032 {
8033 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
8034 /* Do nothing: the external RNG seeds itself. */
8035 (void) rng;
8036 return PSA_SUCCESS;
8037 #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
8038 const unsigned char drbg_seed[] = "PSA";
8039 int ret = mbedtls_psa_drbg_seed(&rng->drbg, &rng->entropy,
8040 drbg_seed, sizeof(drbg_seed) - 1);
8041 return mbedtls_to_psa_error(ret);
8042 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
8043 }
8044
psa_generate_random(uint8_t * output_external,size_t output_size)8045 psa_status_t psa_generate_random(uint8_t *output_external,
8046 size_t output_size)
8047 {
8048 psa_status_t status;
8049
8050 LOCAL_OUTPUT_DECLARE(output_external, output);
8051 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
8052
8053 status = psa_generate_random_internal(output, output_size);
8054
8055 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
8056 exit:
8057 #endif
8058 LOCAL_OUTPUT_FREE(output_external, output);
8059 return status;
8060 }
8061
8062 #if defined(MBEDTLS_PSA_INJECT_ENTROPY)
mbedtls_psa_inject_entropy(const uint8_t * seed,size_t seed_size)8063 psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
8064 size_t seed_size)
8065 {
8066 if (psa_get_initialized()) {
8067 return PSA_ERROR_NOT_PERMITTED;
8068 }
8069
8070 if (((seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM) ||
8071 (seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE)) ||
8072 (seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE)) {
8073 return PSA_ERROR_INVALID_ARGUMENT;
8074 }
8075
8076 return mbedtls_psa_storage_inject_entropy(seed, seed_size);
8077 }
8078 #endif /* MBEDTLS_PSA_INJECT_ENTROPY */
8079
8080 /** Validate the key type and size for key generation
8081 *
8082 * \param type The key type
8083 * \param bits The number of bits of the key
8084 *
8085 * \retval #PSA_SUCCESS
8086 * The key type and size are valid.
8087 * \retval #PSA_ERROR_INVALID_ARGUMENT
8088 * The size in bits of the key is not valid.
8089 * \retval #PSA_ERROR_NOT_SUPPORTED
8090 * The type and/or the size in bits of the key or the combination of
8091 * the two is not supported.
8092 */
psa_validate_key_type_and_size_for_key_generation(psa_key_type_t type,size_t bits)8093 static psa_status_t psa_validate_key_type_and_size_for_key_generation(
8094 psa_key_type_t type, size_t bits)
8095 {
8096 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8097
8098 if (key_type_is_raw_bytes(type)) {
8099 status = psa_validate_unstructured_key_bit_size(type, bits);
8100 if (status != PSA_SUCCESS) {
8101 return status;
8102 }
8103 } else
8104 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
8105 if (PSA_KEY_TYPE_IS_RSA(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
8106 if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
8107 return PSA_ERROR_NOT_SUPPORTED;
8108 }
8109 if (bits < PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS) {
8110 return PSA_ERROR_NOT_SUPPORTED;
8111 }
8112
8113 /* Accept only byte-aligned keys, for the same reasons as
8114 * in psa_import_rsa_key(). */
8115 if (bits % 8 != 0) {
8116 return PSA_ERROR_NOT_SUPPORTED;
8117 }
8118 } else
8119 #endif /* defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
8120
8121 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
8122 if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
8123 /* To avoid empty block, return successfully here. */
8124 return PSA_SUCCESS;
8125 } else
8126 #endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
8127
8128 #if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
8129 if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
8130 if (psa_is_dh_key_size_valid(bits) == 0) {
8131 return PSA_ERROR_NOT_SUPPORTED;
8132 }
8133 } else
8134 #endif /* defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
8135 {
8136 return PSA_ERROR_NOT_SUPPORTED;
8137 }
8138
8139 return PSA_SUCCESS;
8140 }
8141
psa_generate_key_internal(const psa_key_attributes_t * attributes,const psa_custom_key_parameters_t * custom,const uint8_t * custom_data,size_t custom_data_length,uint8_t * key_buffer,size_t key_buffer_size,size_t * key_buffer_length)8142 psa_status_t psa_generate_key_internal(
8143 const psa_key_attributes_t *attributes,
8144 const psa_custom_key_parameters_t *custom,
8145 const uint8_t *custom_data,
8146 size_t custom_data_length,
8147 uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
8148 {
8149 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8150 psa_key_type_t type = attributes->type;
8151
8152 /* Only used for RSA */
8153 (void) custom;
8154 (void) custom_data;
8155 (void) custom_data_length;
8156
8157 if (key_type_is_raw_bytes(type)) {
8158 status = psa_generate_random_internal(key_buffer, key_buffer_size);
8159 if (status != PSA_SUCCESS) {
8160 return status;
8161 }
8162
8163 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
8164 if (type == PSA_KEY_TYPE_DES) {
8165 psa_des_set_key_parity(key_buffer, key_buffer_size);
8166 }
8167 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
8168 } else
8169
8170 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
8171 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
8172 return mbedtls_psa_rsa_generate_key(attributes,
8173 custom_data, custom_data_length,
8174 key_buffer,
8175 key_buffer_size,
8176 key_buffer_length);
8177 } else
8178 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
8179
8180 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
8181 if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
8182 return mbedtls_psa_ecp_generate_key(attributes,
8183 key_buffer,
8184 key_buffer_size,
8185 key_buffer_length);
8186 } else
8187 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
8188
8189 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
8190 if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
8191 return mbedtls_psa_ffdh_generate_key(attributes,
8192 key_buffer,
8193 key_buffer_size,
8194 key_buffer_length);
8195 } else
8196 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
8197 {
8198 (void) key_buffer_length;
8199 return PSA_ERROR_NOT_SUPPORTED;
8200 }
8201
8202 return PSA_SUCCESS;
8203 }
8204
psa_generate_key_custom(const psa_key_attributes_t * attributes,const psa_custom_key_parameters_t * custom,const uint8_t * custom_data,size_t custom_data_length,mbedtls_svc_key_id_t * key)8205 psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes,
8206 const psa_custom_key_parameters_t *custom,
8207 const uint8_t *custom_data,
8208 size_t custom_data_length,
8209 mbedtls_svc_key_id_t *key)
8210 {
8211 psa_status_t status;
8212 psa_key_slot_t *slot = NULL;
8213 psa_se_drv_table_entry_t *driver = NULL;
8214 size_t key_buffer_size;
8215
8216 *key = MBEDTLS_SVC_KEY_ID_INIT;
8217
8218 /* Reject any attempt to create a zero-length key so that we don't
8219 * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
8220 if (psa_get_key_bits(attributes) == 0) {
8221 return PSA_ERROR_INVALID_ARGUMENT;
8222 }
8223
8224 /* Reject any attempt to create a public key. */
8225 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(attributes->type)) {
8226 return PSA_ERROR_INVALID_ARGUMENT;
8227 }
8228
8229 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
8230 if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
8231 if (custom->flags != 0) {
8232 return PSA_ERROR_INVALID_ARGUMENT;
8233 }
8234 } else
8235 #endif
8236 if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) {
8237 return PSA_ERROR_INVALID_ARGUMENT;
8238 }
8239
8240 status = psa_start_key_creation(PSA_KEY_CREATION_GENERATE, attributes,
8241 &slot, &driver);
8242 if (status != PSA_SUCCESS) {
8243 goto exit;
8244 }
8245
8246 /* In the case of a transparent key or an opaque key stored in local
8247 * storage ( thus not in the case of generating a key in a secure element
8248 * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
8249 * buffer to hold the generated key material. */
8250 if (slot->key.bytes == 0) {
8251 if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) ==
8252 PSA_KEY_LOCATION_LOCAL_STORAGE) {
8253 status = psa_validate_key_type_and_size_for_key_generation(
8254 attributes->type, attributes->bits);
8255 if (status != PSA_SUCCESS) {
8256 goto exit;
8257 }
8258
8259 key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
8260 attributes->type,
8261 attributes->bits);
8262 } else {
8263 status = psa_driver_wrapper_get_key_buffer_size(
8264 attributes, &key_buffer_size);
8265 if (status != PSA_SUCCESS) {
8266 goto exit;
8267 }
8268 }
8269
8270 status = psa_allocate_buffer_to_slot(slot, key_buffer_size);
8271 if (status != PSA_SUCCESS) {
8272 goto exit;
8273 }
8274 }
8275
8276 status = psa_driver_wrapper_generate_key(attributes,
8277 custom,
8278 custom_data, custom_data_length,
8279 slot->key.data, slot->key.bytes,
8280 &slot->key.bytes);
8281 if (status != PSA_SUCCESS) {
8282 psa_remove_key_data_from_memory(slot);
8283 }
8284
8285 exit:
8286 if (status == PSA_SUCCESS) {
8287 status = psa_finish_key_creation(slot, driver, key);
8288 }
8289 if (status != PSA_SUCCESS) {
8290 psa_fail_key_creation(slot, driver);
8291 }
8292
8293 return status;
8294 }
8295
psa_generate_key_ext(const psa_key_attributes_t * attributes,const psa_key_production_parameters_t * params,size_t params_data_length,mbedtls_svc_key_id_t * key)8296 psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
8297 const psa_key_production_parameters_t *params,
8298 size_t params_data_length,
8299 mbedtls_svc_key_id_t *key)
8300 {
8301 return psa_generate_key_custom(
8302 attributes,
8303 (const psa_custom_key_parameters_t *) params,
8304 params->data, params_data_length,
8305 key);
8306 }
8307
psa_generate_key(const psa_key_attributes_t * attributes,mbedtls_svc_key_id_t * key)8308 psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
8309 mbedtls_svc_key_id_t *key)
8310 {
8311 return psa_generate_key_custom(attributes,
8312 &default_custom_production,
8313 NULL, 0,
8314 key);
8315 }
8316
8317
8318
8319 /****************************************************************/
8320 /* Module setup */
8321 /****************************************************************/
8322
8323 #if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
mbedtls_psa_crypto_configure_entropy_sources(void (* entropy_init)(mbedtls_entropy_context * ctx),void (* entropy_free)(mbedtls_entropy_context * ctx))8324 psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
8325 void (* entropy_init)(mbedtls_entropy_context *ctx),
8326 void (* entropy_free)(mbedtls_entropy_context *ctx))
8327 {
8328 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8329
8330 #if defined(MBEDTLS_THREADING_C)
8331 mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
8332 #endif /* defined(MBEDTLS_THREADING_C) */
8333
8334 if (global_data.rng_state != RNG_NOT_INITIALIZED) {
8335 status = PSA_ERROR_BAD_STATE;
8336 } else {
8337 global_data.rng.entropy_init = entropy_init;
8338 global_data.rng.entropy_free = entropy_free;
8339 status = PSA_SUCCESS;
8340 }
8341
8342 #if defined(MBEDTLS_THREADING_C)
8343 mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
8344 #endif /* defined(MBEDTLS_THREADING_C) */
8345
8346 return status;
8347 }
8348 #endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
8349
mbedtls_psa_crypto_free(void)8350 void mbedtls_psa_crypto_free(void)
8351 {
8352
8353 #if defined(MBEDTLS_THREADING_C)
8354 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
8355 #endif /* defined(MBEDTLS_THREADING_C) */
8356
8357 /* Nothing to do to free transaction. */
8358 if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED) {
8359 global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8360 }
8361
8362 if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED) {
8363 psa_wipe_all_key_slots();
8364 global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED;
8365 }
8366
8367 #if defined(MBEDTLS_THREADING_C)
8368 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
8369 #endif /* defined(MBEDTLS_THREADING_C) */
8370
8371 #if defined(MBEDTLS_THREADING_C)
8372 mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
8373 #endif /* defined(MBEDTLS_THREADING_C) */
8374
8375 if (global_data.rng_state != RNG_NOT_INITIALIZED) {
8376 mbedtls_psa_random_free(&global_data.rng);
8377 }
8378 global_data.rng_state = RNG_NOT_INITIALIZED;
8379 mbedtls_platform_zeroize(&global_data.rng, sizeof(global_data.rng));
8380
8381 #if defined(MBEDTLS_THREADING_C)
8382 mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
8383 #endif /* defined(MBEDTLS_THREADING_C) */
8384
8385 #if defined(MBEDTLS_THREADING_C)
8386 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
8387 #endif /* defined(MBEDTLS_THREADING_C) */
8388
8389 /* Terminate drivers */
8390 if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) {
8391 psa_driver_wrapper_free();
8392 global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED;
8393 }
8394
8395 #if defined(MBEDTLS_THREADING_C)
8396 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
8397 #endif /* defined(MBEDTLS_THREADING_C) */
8398
8399 }
8400
8401 #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
8402 /** Recover a transaction that was interrupted by a power failure.
8403 *
8404 * This function is called during initialization, before psa_crypto_init()
8405 * returns. If this function returns a failure status, the initialization
8406 * fails.
8407 */
psa_crypto_recover_transaction(const psa_crypto_transaction_t * transaction)8408 static psa_status_t psa_crypto_recover_transaction(
8409 const psa_crypto_transaction_t *transaction)
8410 {
8411 switch (transaction->unknown.type) {
8412 case PSA_CRYPTO_TRANSACTION_CREATE_KEY:
8413 case PSA_CRYPTO_TRANSACTION_DESTROY_KEY:
8414 /* TODO - fall through to the failure case until this
8415 * is implemented.
8416 * https://github.com/ARMmbed/mbed-crypto/issues/218
8417 */
8418 default:
8419 /* We found an unsupported transaction in the storage.
8420 * We don't know what state the storage is in. Give up. */
8421 return PSA_ERROR_DATA_INVALID;
8422 }
8423 }
8424 #endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
8425
mbedtls_psa_crypto_init_subsystem(mbedtls_psa_crypto_subsystem subsystem)8426 static psa_status_t mbedtls_psa_crypto_init_subsystem(mbedtls_psa_crypto_subsystem subsystem)
8427 {
8428 psa_status_t status = PSA_SUCCESS;
8429 uint8_t driver_wrappers_initialized = 0;
8430
8431 switch (subsystem) {
8432 case PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS:
8433
8434 #if defined(MBEDTLS_THREADING_C)
8435 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8436 #endif /* defined(MBEDTLS_THREADING_C) */
8437
8438 if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED)) {
8439 /* Init drivers */
8440 status = psa_driver_wrapper_init();
8441
8442 /* Drivers need shutdown regardless of startup errors. */
8443 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED;
8444
8445
8446 }
8447 #if defined(MBEDTLS_THREADING_C)
8448 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8449 &mbedtls_threading_psa_globaldata_mutex));
8450 #endif /* defined(MBEDTLS_THREADING_C) */
8451
8452 break;
8453
8454 case PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS:
8455
8456 #if defined(MBEDTLS_THREADING_C)
8457 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8458 #endif /* defined(MBEDTLS_THREADING_C) */
8459
8460 if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED)) {
8461 status = psa_initialize_key_slots();
8462
8463 /* Need to wipe keys even if initialization fails. */
8464 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED;
8465
8466 }
8467 #if defined(MBEDTLS_THREADING_C)
8468 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8469 &mbedtls_threading_psa_globaldata_mutex));
8470 #endif /* defined(MBEDTLS_THREADING_C) */
8471
8472 break;
8473
8474 case PSA_CRYPTO_SUBSYSTEM_RNG:
8475
8476 #if defined(MBEDTLS_THREADING_C)
8477 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8478 #endif /* defined(MBEDTLS_THREADING_C) */
8479
8480 driver_wrappers_initialized =
8481 (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED);
8482
8483 #if defined(MBEDTLS_THREADING_C)
8484 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8485 &mbedtls_threading_psa_globaldata_mutex));
8486 #endif /* defined(MBEDTLS_THREADING_C) */
8487
8488 /* Need to use separate mutex here, as initialisation can require
8489 * testing of init flags, which requires locking the global data
8490 * mutex. */
8491 #if defined(MBEDTLS_THREADING_C)
8492 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex));
8493 #endif /* defined(MBEDTLS_THREADING_C) */
8494
8495 /* Initialize and seed the random generator. */
8496 if (global_data.rng_state == RNG_NOT_INITIALIZED && driver_wrappers_initialized) {
8497 mbedtls_psa_random_init(&global_data.rng);
8498 global_data.rng_state = RNG_INITIALIZED;
8499
8500 status = mbedtls_psa_random_seed(&global_data.rng);
8501 if (status == PSA_SUCCESS) {
8502 global_data.rng_state = RNG_SEEDED;
8503 }
8504 }
8505
8506 #if defined(MBEDTLS_THREADING_C)
8507 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8508 &mbedtls_threading_psa_rngdata_mutex));
8509 #endif /* defined(MBEDTLS_THREADING_C) */
8510
8511 break;
8512
8513 case PSA_CRYPTO_SUBSYSTEM_TRANSACTION:
8514
8515 #if defined(MBEDTLS_THREADING_C)
8516 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8517 #endif /* defined(MBEDTLS_THREADING_C) */
8518
8519 if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)) {
8520 #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
8521 status = psa_crypto_load_transaction();
8522 if (status == PSA_SUCCESS) {
8523 status = psa_crypto_recover_transaction(&psa_crypto_transaction);
8524 if (status == PSA_SUCCESS) {
8525 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8526 }
8527 status = psa_crypto_stop_transaction();
8528 } else if (status == PSA_ERROR_DOES_NOT_EXIST) {
8529 /* There's no transaction to complete. It's all good. */
8530 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8531 status = PSA_SUCCESS;
8532 }
8533 #else /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */
8534 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8535 status = PSA_SUCCESS;
8536 #endif /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */
8537 }
8538
8539 #if defined(MBEDTLS_THREADING_C)
8540 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8541 &mbedtls_threading_psa_globaldata_mutex));
8542 #endif /* defined(MBEDTLS_THREADING_C) */
8543
8544 break;
8545
8546 default:
8547 status = PSA_ERROR_CORRUPTION_DETECTED;
8548 }
8549
8550 /* Exit label only required when using threading macros. */
8551 #if defined(MBEDTLS_THREADING_C)
8552 exit:
8553 #endif /* defined(MBEDTLS_THREADING_C) */
8554
8555 return status;
8556 }
8557
psa_crypto_init(void)8558 psa_status_t psa_crypto_init(void)
8559 {
8560 psa_status_t status;
8561
8562 /* Double initialization is explicitly allowed. Early out if everything is
8563 * done. */
8564 if (psa_get_initialized()) {
8565 return PSA_SUCCESS;
8566 }
8567
8568 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS);
8569 if (status != PSA_SUCCESS) {
8570 goto exit;
8571 }
8572
8573 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS);
8574 if (status != PSA_SUCCESS) {
8575 goto exit;
8576 }
8577
8578 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_RNG);
8579 if (status != PSA_SUCCESS) {
8580 goto exit;
8581 }
8582
8583 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_TRANSACTION);
8584
8585 exit:
8586
8587 if (status != PSA_SUCCESS) {
8588 mbedtls_psa_crypto_free();
8589 }
8590
8591 return status;
8592 }
8593
8594
8595
8596 /****************************************************************/
8597 /* PAKE */
8598 /****************************************************************/
8599
8600 #if defined(PSA_WANT_ALG_SOME_PAKE)
psa_crypto_driver_pake_get_password_len(const psa_crypto_driver_pake_inputs_t * inputs,size_t * password_len)8601 psa_status_t psa_crypto_driver_pake_get_password_len(
8602 const psa_crypto_driver_pake_inputs_t *inputs,
8603 size_t *password_len)
8604 {
8605 if (inputs->password_len == 0) {
8606 return PSA_ERROR_BAD_STATE;
8607 }
8608
8609 *password_len = inputs->password_len;
8610
8611 return PSA_SUCCESS;
8612 }
8613
psa_crypto_driver_pake_get_password(const psa_crypto_driver_pake_inputs_t * inputs,uint8_t * buffer,size_t buffer_size,size_t * buffer_length)8614 psa_status_t psa_crypto_driver_pake_get_password(
8615 const psa_crypto_driver_pake_inputs_t *inputs,
8616 uint8_t *buffer, size_t buffer_size, size_t *buffer_length)
8617 {
8618 if (inputs->password_len == 0) {
8619 return PSA_ERROR_BAD_STATE;
8620 }
8621
8622 if (buffer_size < inputs->password_len) {
8623 return PSA_ERROR_BUFFER_TOO_SMALL;
8624 }
8625
8626 memcpy(buffer, inputs->password, inputs->password_len);
8627 *buffer_length = inputs->password_len;
8628
8629 return PSA_SUCCESS;
8630 }
8631
psa_crypto_driver_pake_get_user_len(const psa_crypto_driver_pake_inputs_t * inputs,size_t * user_len)8632 psa_status_t psa_crypto_driver_pake_get_user_len(
8633 const psa_crypto_driver_pake_inputs_t *inputs,
8634 size_t *user_len)
8635 {
8636 if (inputs->user_len == 0) {
8637 return PSA_ERROR_BAD_STATE;
8638 }
8639
8640 *user_len = inputs->user_len;
8641
8642 return PSA_SUCCESS;
8643 }
8644
psa_crypto_driver_pake_get_user(const psa_crypto_driver_pake_inputs_t * inputs,uint8_t * user_id,size_t user_id_size,size_t * user_id_len)8645 psa_status_t psa_crypto_driver_pake_get_user(
8646 const psa_crypto_driver_pake_inputs_t *inputs,
8647 uint8_t *user_id, size_t user_id_size, size_t *user_id_len)
8648 {
8649 if (inputs->user_len == 0) {
8650 return PSA_ERROR_BAD_STATE;
8651 }
8652
8653 if (user_id_size < inputs->user_len) {
8654 return PSA_ERROR_BUFFER_TOO_SMALL;
8655 }
8656
8657 memcpy(user_id, inputs->user, inputs->user_len);
8658 *user_id_len = inputs->user_len;
8659
8660 return PSA_SUCCESS;
8661 }
8662
psa_crypto_driver_pake_get_peer_len(const psa_crypto_driver_pake_inputs_t * inputs,size_t * peer_len)8663 psa_status_t psa_crypto_driver_pake_get_peer_len(
8664 const psa_crypto_driver_pake_inputs_t *inputs,
8665 size_t *peer_len)
8666 {
8667 if (inputs->peer_len == 0) {
8668 return PSA_ERROR_BAD_STATE;
8669 }
8670
8671 *peer_len = inputs->peer_len;
8672
8673 return PSA_SUCCESS;
8674 }
8675
psa_crypto_driver_pake_get_peer(const psa_crypto_driver_pake_inputs_t * inputs,uint8_t * peer_id,size_t peer_id_size,size_t * peer_id_length)8676 psa_status_t psa_crypto_driver_pake_get_peer(
8677 const psa_crypto_driver_pake_inputs_t *inputs,
8678 uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length)
8679 {
8680 if (inputs->peer_len == 0) {
8681 return PSA_ERROR_BAD_STATE;
8682 }
8683
8684 if (peer_id_size < inputs->peer_len) {
8685 return PSA_ERROR_BUFFER_TOO_SMALL;
8686 }
8687
8688 memcpy(peer_id, inputs->peer, inputs->peer_len);
8689 *peer_id_length = inputs->peer_len;
8690
8691 return PSA_SUCCESS;
8692 }
8693
psa_crypto_driver_pake_get_cipher_suite(const psa_crypto_driver_pake_inputs_t * inputs,psa_pake_cipher_suite_t * cipher_suite)8694 psa_status_t psa_crypto_driver_pake_get_cipher_suite(
8695 const psa_crypto_driver_pake_inputs_t *inputs,
8696 psa_pake_cipher_suite_t *cipher_suite)
8697 {
8698 if (inputs->cipher_suite.algorithm == PSA_ALG_NONE) {
8699 return PSA_ERROR_BAD_STATE;
8700 }
8701
8702 *cipher_suite = inputs->cipher_suite;
8703
8704 return PSA_SUCCESS;
8705 }
8706
psa_pake_setup(psa_pake_operation_t * operation,const psa_pake_cipher_suite_t * cipher_suite)8707 psa_status_t psa_pake_setup(
8708 psa_pake_operation_t *operation,
8709 const psa_pake_cipher_suite_t *cipher_suite)
8710 {
8711 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8712
8713 if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) {
8714 status = PSA_ERROR_BAD_STATE;
8715 goto exit;
8716 }
8717
8718 if (PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 ||
8719 PSA_ALG_IS_HASH(cipher_suite->hash) == 0) {
8720 status = PSA_ERROR_INVALID_ARGUMENT;
8721 goto exit;
8722 }
8723
8724 /* Make sure the variable-purpose part of the operation is zeroed.
8725 * Initializing the operation does not necessarily take care of it,
8726 * since the context is a union and initializing a union does not
8727 * necessarily initialize all of its members. */
8728 memset(&operation->data, 0, sizeof(operation->data));
8729
8730 operation->alg = cipher_suite->algorithm;
8731 operation->primitive = PSA_PAKE_PRIMITIVE(cipher_suite->type,
8732 cipher_suite->family, cipher_suite->bits);
8733 operation->data.inputs.cipher_suite = *cipher_suite;
8734
8735 #if defined(PSA_WANT_ALG_JPAKE)
8736 if (operation->alg == PSA_ALG_JPAKE) {
8737 psa_jpake_computation_stage_t *computation_stage =
8738 &operation->computation_stage.jpake;
8739
8740 memset(computation_stage, 0, sizeof(*computation_stage));
8741 computation_stage->step = PSA_PAKE_STEP_KEY_SHARE;
8742 } else
8743 #endif /* PSA_WANT_ALG_JPAKE */
8744 {
8745 status = PSA_ERROR_NOT_SUPPORTED;
8746 goto exit;
8747 }
8748
8749 operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS;
8750
8751 return PSA_SUCCESS;
8752 exit:
8753 psa_pake_abort(operation);
8754 return status;
8755 }
8756
psa_pake_set_password_key(psa_pake_operation_t * operation,mbedtls_svc_key_id_t password)8757 psa_status_t psa_pake_set_password_key(
8758 psa_pake_operation_t *operation,
8759 mbedtls_svc_key_id_t password)
8760 {
8761 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8762 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
8763 psa_key_slot_t *slot = NULL;
8764 psa_key_type_t type;
8765
8766 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8767 status = PSA_ERROR_BAD_STATE;
8768 goto exit;
8769 }
8770
8771 status = psa_get_and_lock_key_slot_with_policy(password, &slot,
8772 PSA_KEY_USAGE_DERIVE,
8773 operation->alg);
8774 if (status != PSA_SUCCESS) {
8775 goto exit;
8776 }
8777
8778 type = psa_get_key_type(&slot->attr);
8779
8780 if (type != PSA_KEY_TYPE_PASSWORD &&
8781 type != PSA_KEY_TYPE_PASSWORD_HASH) {
8782 status = PSA_ERROR_INVALID_ARGUMENT;
8783 goto exit;
8784 }
8785
8786 operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes);
8787 if (operation->data.inputs.password == NULL) {
8788 status = PSA_ERROR_INSUFFICIENT_MEMORY;
8789 goto exit;
8790 }
8791
8792 memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes);
8793 operation->data.inputs.password_len = slot->key.bytes;
8794 operation->data.inputs.attributes = slot->attr;
8795
8796 exit:
8797 if (status != PSA_SUCCESS) {
8798 psa_pake_abort(operation);
8799 }
8800 unlock_status = psa_unregister_read_under_mutex(slot);
8801 return (status == PSA_SUCCESS) ? unlock_status : status;
8802 }
8803
psa_pake_set_user(psa_pake_operation_t * operation,const uint8_t * user_id_external,size_t user_id_len)8804 psa_status_t psa_pake_set_user(
8805 psa_pake_operation_t *operation,
8806 const uint8_t *user_id_external,
8807 size_t user_id_len)
8808 {
8809 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8810 LOCAL_INPUT_DECLARE(user_id_external, user_id);
8811
8812 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8813 status = PSA_ERROR_BAD_STATE;
8814 goto exit;
8815 }
8816
8817 if (user_id_len == 0) {
8818 status = PSA_ERROR_INVALID_ARGUMENT;
8819 goto exit;
8820 }
8821
8822 if (operation->data.inputs.user_len != 0) {
8823 status = PSA_ERROR_BAD_STATE;
8824 goto exit;
8825 }
8826
8827 operation->data.inputs.user = mbedtls_calloc(1, user_id_len);
8828 if (operation->data.inputs.user == NULL) {
8829 status = PSA_ERROR_INSUFFICIENT_MEMORY;
8830 goto exit;
8831 }
8832
8833 LOCAL_INPUT_ALLOC(user_id_external, user_id_len, user_id);
8834
8835 memcpy(operation->data.inputs.user, user_id, user_id_len);
8836 operation->data.inputs.user_len = user_id_len;
8837
8838 status = PSA_SUCCESS;
8839
8840 exit:
8841 LOCAL_INPUT_FREE(user_id_external, user_id);
8842 if (status != PSA_SUCCESS) {
8843 psa_pake_abort(operation);
8844 }
8845 return status;
8846 }
8847
psa_pake_set_peer(psa_pake_operation_t * operation,const uint8_t * peer_id_external,size_t peer_id_len)8848 psa_status_t psa_pake_set_peer(
8849 psa_pake_operation_t *operation,
8850 const uint8_t *peer_id_external,
8851 size_t peer_id_len)
8852 {
8853 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8854 LOCAL_INPUT_DECLARE(peer_id_external, peer_id);
8855
8856 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8857 status = PSA_ERROR_BAD_STATE;
8858 goto exit;
8859 }
8860
8861 if (peer_id_len == 0) {
8862 status = PSA_ERROR_INVALID_ARGUMENT;
8863 goto exit;
8864 }
8865
8866 if (operation->data.inputs.peer_len != 0) {
8867 status = PSA_ERROR_BAD_STATE;
8868 goto exit;
8869 }
8870
8871 operation->data.inputs.peer = mbedtls_calloc(1, peer_id_len);
8872 if (operation->data.inputs.peer == NULL) {
8873 status = PSA_ERROR_INSUFFICIENT_MEMORY;
8874 goto exit;
8875 }
8876
8877 LOCAL_INPUT_ALLOC(peer_id_external, peer_id_len, peer_id);
8878
8879 memcpy(operation->data.inputs.peer, peer_id, peer_id_len);
8880 operation->data.inputs.peer_len = peer_id_len;
8881
8882 status = PSA_SUCCESS;
8883
8884 exit:
8885 LOCAL_INPUT_FREE(peer_id_external, peer_id);
8886 if (status != PSA_SUCCESS) {
8887 psa_pake_abort(operation);
8888 }
8889 return status;
8890 }
8891
psa_pake_set_role(psa_pake_operation_t * operation,psa_pake_role_t role)8892 psa_status_t psa_pake_set_role(
8893 psa_pake_operation_t *operation,
8894 psa_pake_role_t role)
8895 {
8896 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8897
8898 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8899 status = PSA_ERROR_BAD_STATE;
8900 goto exit;
8901 }
8902
8903 switch (operation->alg) {
8904 #if defined(PSA_WANT_ALG_JPAKE)
8905 case PSA_ALG_JPAKE:
8906 if (role == PSA_PAKE_ROLE_NONE) {
8907 return PSA_SUCCESS;
8908 }
8909 status = PSA_ERROR_INVALID_ARGUMENT;
8910 break;
8911 #endif
8912 default:
8913 (void) role;
8914 status = PSA_ERROR_NOT_SUPPORTED;
8915 goto exit;
8916 }
8917 exit:
8918 psa_pake_abort(operation);
8919 return status;
8920 }
8921
8922 /* Auxiliary function to convert core computation stage to single driver step. */
8923 #if defined(PSA_WANT_ALG_JPAKE)
convert_jpake_computation_stage_to_driver_step(psa_jpake_computation_stage_t * stage)8924 static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step(
8925 psa_jpake_computation_stage_t *stage)
8926 {
8927 psa_crypto_driver_pake_step_t key_share_step;
8928 if (stage->round == PSA_JPAKE_FIRST) {
8929 int is_x1;
8930
8931 if (stage->io_mode == PSA_JPAKE_OUTPUT) {
8932 is_x1 = (stage->outputs < 1);
8933 } else {
8934 is_x1 = (stage->inputs < 1);
8935 }
8936
8937 key_share_step = is_x1 ?
8938 PSA_JPAKE_X1_STEP_KEY_SHARE :
8939 PSA_JPAKE_X2_STEP_KEY_SHARE;
8940 } else if (stage->round == PSA_JPAKE_SECOND) {
8941 key_share_step = (stage->io_mode == PSA_JPAKE_OUTPUT) ?
8942 PSA_JPAKE_X2S_STEP_KEY_SHARE :
8943 PSA_JPAKE_X4S_STEP_KEY_SHARE;
8944 } else {
8945 return PSA_JPAKE_STEP_INVALID;
8946 }
8947 return (psa_crypto_driver_pake_step_t) (key_share_step + stage->step - PSA_PAKE_STEP_KEY_SHARE);
8948 }
8949 #endif /* PSA_WANT_ALG_JPAKE */
8950
psa_pake_complete_inputs(psa_pake_operation_t * operation)8951 static psa_status_t psa_pake_complete_inputs(
8952 psa_pake_operation_t *operation)
8953 {
8954 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8955 /* Create copy of the inputs on stack as inputs share memory
8956 with the driver context which will be setup by the driver. */
8957 psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs;
8958
8959 if (inputs.password_len == 0) {
8960 return PSA_ERROR_BAD_STATE;
8961 }
8962
8963 if (operation->alg == PSA_ALG_JPAKE) {
8964 if (inputs.user_len == 0 || inputs.peer_len == 0) {
8965 return PSA_ERROR_BAD_STATE;
8966 }
8967 }
8968
8969 /* Clear driver context */
8970 mbedtls_platform_zeroize(&operation->data, sizeof(operation->data));
8971
8972 status = psa_driver_wrapper_pake_setup(operation, &inputs);
8973
8974 /* Driver is responsible for creating its own copy of the password. */
8975 mbedtls_zeroize_and_free(inputs.password, inputs.password_len);
8976
8977 /* User and peer are translated to role. */
8978 mbedtls_free(inputs.user);
8979 mbedtls_free(inputs.peer);
8980
8981 if (status == PSA_SUCCESS) {
8982 #if defined(PSA_WANT_ALG_JPAKE)
8983 if (operation->alg == PSA_ALG_JPAKE) {
8984 operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;
8985 } else
8986 #endif /* PSA_WANT_ALG_JPAKE */
8987 {
8988 status = PSA_ERROR_NOT_SUPPORTED;
8989 }
8990 }
8991 return status;
8992 }
8993
8994 #if defined(PSA_WANT_ALG_JPAKE)
psa_jpake_prologue(psa_pake_operation_t * operation,psa_pake_step_t step,psa_jpake_io_mode_t io_mode)8995 static psa_status_t psa_jpake_prologue(
8996 psa_pake_operation_t *operation,
8997 psa_pake_step_t step,
8998 psa_jpake_io_mode_t io_mode)
8999 {
9000 if (step != PSA_PAKE_STEP_KEY_SHARE &&
9001 step != PSA_PAKE_STEP_ZK_PUBLIC &&
9002 step != PSA_PAKE_STEP_ZK_PROOF) {
9003 return PSA_ERROR_INVALID_ARGUMENT;
9004 }
9005
9006 psa_jpake_computation_stage_t *computation_stage =
9007 &operation->computation_stage.jpake;
9008
9009 if (computation_stage->round != PSA_JPAKE_FIRST &&
9010 computation_stage->round != PSA_JPAKE_SECOND) {
9011 return PSA_ERROR_BAD_STATE;
9012 }
9013
9014 /* Check that the step we are given is the one we were expecting */
9015 if (step != computation_stage->step) {
9016 return PSA_ERROR_BAD_STATE;
9017 }
9018
9019 if (step == PSA_PAKE_STEP_KEY_SHARE &&
9020 computation_stage->inputs == 0 &&
9021 computation_stage->outputs == 0) {
9022 /* Start of the round, so function decides whether we are inputting
9023 * or outputting */
9024 computation_stage->io_mode = io_mode;
9025 } else if (computation_stage->io_mode != io_mode) {
9026 /* Middle of the round so the mode we are in must match the function
9027 * called by the user */
9028 return PSA_ERROR_BAD_STATE;
9029 }
9030
9031 return PSA_SUCCESS;
9032 }
9033
psa_jpake_epilogue(psa_pake_operation_t * operation,psa_jpake_io_mode_t io_mode)9034 static psa_status_t psa_jpake_epilogue(
9035 psa_pake_operation_t *operation,
9036 psa_jpake_io_mode_t io_mode)
9037 {
9038 psa_jpake_computation_stage_t *stage =
9039 &operation->computation_stage.jpake;
9040
9041 if (stage->step == PSA_PAKE_STEP_ZK_PROOF) {
9042 /* End of an input/output */
9043 if (io_mode == PSA_JPAKE_INPUT) {
9044 stage->inputs++;
9045 if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round)) {
9046 stage->io_mode = PSA_JPAKE_OUTPUT;
9047 }
9048 }
9049 if (io_mode == PSA_JPAKE_OUTPUT) {
9050 stage->outputs++;
9051 if (stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
9052 stage->io_mode = PSA_JPAKE_INPUT;
9053 }
9054 }
9055 if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round) &&
9056 stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
9057 /* End of a round, move to the next round */
9058 stage->inputs = 0;
9059 stage->outputs = 0;
9060 stage->round++;
9061 }
9062 stage->step = PSA_PAKE_STEP_KEY_SHARE;
9063 } else {
9064 stage->step++;
9065 }
9066 return PSA_SUCCESS;
9067 }
9068
9069 #endif /* PSA_WANT_ALG_JPAKE */
9070
psa_pake_output(psa_pake_operation_t * operation,psa_pake_step_t step,uint8_t * output_external,size_t output_size,size_t * output_length)9071 psa_status_t psa_pake_output(
9072 psa_pake_operation_t *operation,
9073 psa_pake_step_t step,
9074 uint8_t *output_external,
9075 size_t output_size,
9076 size_t *output_length)
9077 {
9078 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
9079 psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
9080 LOCAL_OUTPUT_DECLARE(output_external, output);
9081 *output_length = 0;
9082
9083 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
9084 status = psa_pake_complete_inputs(operation);
9085 if (status != PSA_SUCCESS) {
9086 goto exit;
9087 }
9088 }
9089
9090 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
9091 status = PSA_ERROR_BAD_STATE;
9092 goto exit;
9093 }
9094
9095 if (output_size == 0) {
9096 status = PSA_ERROR_INVALID_ARGUMENT;
9097 goto exit;
9098 }
9099
9100 switch (operation->alg) {
9101 #if defined(PSA_WANT_ALG_JPAKE)
9102 case PSA_ALG_JPAKE:
9103 status = psa_jpake_prologue(operation, step, PSA_JPAKE_OUTPUT);
9104 if (status != PSA_SUCCESS) {
9105 goto exit;
9106 }
9107 driver_step = convert_jpake_computation_stage_to_driver_step(
9108 &operation->computation_stage.jpake);
9109 break;
9110 #endif /* PSA_WANT_ALG_JPAKE */
9111 default:
9112 (void) step;
9113 status = PSA_ERROR_NOT_SUPPORTED;
9114 goto exit;
9115 }
9116
9117 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
9118
9119 status = psa_driver_wrapper_pake_output(operation, driver_step,
9120 output, output_size, output_length);
9121
9122 if (status != PSA_SUCCESS) {
9123 goto exit;
9124 }
9125
9126 switch (operation->alg) {
9127 #if defined(PSA_WANT_ALG_JPAKE)
9128 case PSA_ALG_JPAKE:
9129 status = psa_jpake_epilogue(operation, PSA_JPAKE_OUTPUT);
9130 if (status != PSA_SUCCESS) {
9131 goto exit;
9132 }
9133 break;
9134 #endif /* PSA_WANT_ALG_JPAKE */
9135 default:
9136 status = PSA_ERROR_NOT_SUPPORTED;
9137 goto exit;
9138 }
9139
9140 exit:
9141 LOCAL_OUTPUT_FREE(output_external, output);
9142 if (status != PSA_SUCCESS) {
9143 psa_pake_abort(operation);
9144 }
9145 return status;
9146 }
9147
psa_pake_input(psa_pake_operation_t * operation,psa_pake_step_t step,const uint8_t * input_external,size_t input_length)9148 psa_status_t psa_pake_input(
9149 psa_pake_operation_t *operation,
9150 psa_pake_step_t step,
9151 const uint8_t *input_external,
9152 size_t input_length)
9153 {
9154 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
9155 psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
9156 const size_t max_input_length = (size_t) PSA_PAKE_INPUT_SIZE(operation->alg,
9157 operation->primitive,
9158 step);
9159 LOCAL_INPUT_DECLARE(input_external, input);
9160
9161 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
9162 status = psa_pake_complete_inputs(operation);
9163 if (status != PSA_SUCCESS) {
9164 goto exit;
9165 }
9166 }
9167
9168 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
9169 status = PSA_ERROR_BAD_STATE;
9170 goto exit;
9171 }
9172
9173 if (input_length == 0 || input_length > max_input_length) {
9174 status = PSA_ERROR_INVALID_ARGUMENT;
9175 goto exit;
9176 }
9177
9178 switch (operation->alg) {
9179 #if defined(PSA_WANT_ALG_JPAKE)
9180 case PSA_ALG_JPAKE:
9181 status = psa_jpake_prologue(operation, step, PSA_JPAKE_INPUT);
9182 if (status != PSA_SUCCESS) {
9183 goto exit;
9184 }
9185 driver_step = convert_jpake_computation_stage_to_driver_step(
9186 &operation->computation_stage.jpake);
9187 break;
9188 #endif /* PSA_WANT_ALG_JPAKE */
9189 default:
9190 (void) step;
9191 status = PSA_ERROR_NOT_SUPPORTED;
9192 goto exit;
9193 }
9194
9195 LOCAL_INPUT_ALLOC(input_external, input_length, input);
9196 status = psa_driver_wrapper_pake_input(operation, driver_step,
9197 input, input_length);
9198
9199 if (status != PSA_SUCCESS) {
9200 goto exit;
9201 }
9202
9203 switch (operation->alg) {
9204 #if defined(PSA_WANT_ALG_JPAKE)
9205 case PSA_ALG_JPAKE:
9206 status = psa_jpake_epilogue(operation, PSA_JPAKE_INPUT);
9207 if (status != PSA_SUCCESS) {
9208 goto exit;
9209 }
9210 break;
9211 #endif /* PSA_WANT_ALG_JPAKE */
9212 default:
9213 status = PSA_ERROR_NOT_SUPPORTED;
9214 goto exit;
9215 }
9216
9217 exit:
9218 LOCAL_INPUT_FREE(input_external, input);
9219 if (status != PSA_SUCCESS) {
9220 psa_pake_abort(operation);
9221 }
9222 return status;
9223 }
9224
psa_pake_get_implicit_key(psa_pake_operation_t * operation,psa_key_derivation_operation_t * output)9225 psa_status_t psa_pake_get_implicit_key(
9226 psa_pake_operation_t *operation,
9227 psa_key_derivation_operation_t *output)
9228 {
9229 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
9230 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
9231 uint8_t shared_key[MBEDTLS_PSA_JPAKE_BUFFER_SIZE];
9232 size_t shared_key_len = 0;
9233
9234 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
9235 status = PSA_ERROR_BAD_STATE;
9236 goto exit;
9237 }
9238
9239 #if defined(PSA_WANT_ALG_JPAKE)
9240 if (operation->alg == PSA_ALG_JPAKE) {
9241 psa_jpake_computation_stage_t *computation_stage =
9242 &operation->computation_stage.jpake;
9243 if (computation_stage->round != PSA_JPAKE_FINISHED) {
9244 status = PSA_ERROR_BAD_STATE;
9245 goto exit;
9246 }
9247 } else
9248 #endif /* PSA_WANT_ALG_JPAKE */
9249 {
9250 status = PSA_ERROR_NOT_SUPPORTED;
9251 goto exit;
9252 }
9253
9254 status = psa_driver_wrapper_pake_get_implicit_key(operation,
9255 shared_key,
9256 sizeof(shared_key),
9257 &shared_key_len);
9258
9259 if (status != PSA_SUCCESS) {
9260 goto exit;
9261 }
9262
9263 status = psa_key_derivation_input_bytes(output,
9264 PSA_KEY_DERIVATION_INPUT_SECRET,
9265 shared_key,
9266 shared_key_len);
9267
9268 mbedtls_platform_zeroize(shared_key, sizeof(shared_key));
9269 exit:
9270 abort_status = psa_pake_abort(operation);
9271 return status == PSA_SUCCESS ? abort_status : status;
9272 }
9273
psa_pake_abort(psa_pake_operation_t * operation)9274 psa_status_t psa_pake_abort(
9275 psa_pake_operation_t *operation)
9276 {
9277 psa_status_t status = PSA_SUCCESS;
9278
9279 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
9280 status = psa_driver_wrapper_pake_abort(operation);
9281 }
9282
9283 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
9284 if (operation->data.inputs.password != NULL) {
9285 mbedtls_zeroize_and_free(operation->data.inputs.password,
9286 operation->data.inputs.password_len);
9287 }
9288 if (operation->data.inputs.user != NULL) {
9289 mbedtls_free(operation->data.inputs.user);
9290 }
9291 if (operation->data.inputs.peer != NULL) {
9292 mbedtls_free(operation->data.inputs.peer);
9293 }
9294 }
9295 memset(operation, 0, sizeof(psa_pake_operation_t));
9296
9297 return status;
9298 }
9299 #endif /* PSA_WANT_ALG_SOME_PAKE */
9300
9301 /* Memory copying test hooks. These are called before input copy, after input
9302 * copy, before output copy and after output copy, respectively.
9303 * They are used by memory-poisoning tests to temporarily unpoison buffers
9304 * while they are copied. */
9305 #if defined(MBEDTLS_TEST_HOOKS)
9306 void (*psa_input_pre_copy_hook)(const uint8_t *input, size_t input_len) = NULL;
9307 void (*psa_input_post_copy_hook)(const uint8_t *input, size_t input_len) = NULL;
9308 void (*psa_output_pre_copy_hook)(const uint8_t *output, size_t output_len) = NULL;
9309 void (*psa_output_post_copy_hook)(const uint8_t *output, size_t output_len) = NULL;
9310 #endif
9311
9312 /** Copy from an input buffer to a local copy.
9313 *
9314 * \param[in] input Pointer to input buffer.
9315 * \param[in] input_len Length of the input buffer.
9316 * \param[out] input_copy Pointer to a local copy in which to store the input data.
9317 * \param[out] input_copy_len Length of the local copy buffer.
9318 * \return #PSA_SUCCESS, if the buffer was successfully
9319 * copied.
9320 * \return #PSA_ERROR_CORRUPTION_DETECTED, if the local
9321 * copy is too small to hold contents of the
9322 * input buffer.
9323 */
9324 MBEDTLS_STATIC_TESTABLE
psa_crypto_copy_input(const uint8_t * input,size_t input_len,uint8_t * input_copy,size_t input_copy_len)9325 psa_status_t psa_crypto_copy_input(const uint8_t *input, size_t input_len,
9326 uint8_t *input_copy, size_t input_copy_len)
9327 {
9328 if (input_len > input_copy_len) {
9329 return PSA_ERROR_CORRUPTION_DETECTED;
9330 }
9331
9332 #if defined(MBEDTLS_TEST_HOOKS)
9333 if (psa_input_pre_copy_hook != NULL) {
9334 psa_input_pre_copy_hook(input, input_len);
9335 }
9336 #endif
9337
9338 if (input_len > 0) {
9339 memcpy(input_copy, input, input_len);
9340 }
9341
9342 #if defined(MBEDTLS_TEST_HOOKS)
9343 if (psa_input_post_copy_hook != NULL) {
9344 psa_input_post_copy_hook(input, input_len);
9345 }
9346 #endif
9347
9348 return PSA_SUCCESS;
9349 }
9350
9351 /** Copy from a local output buffer into a user-supplied one.
9352 *
9353 * \param[in] output_copy Pointer to a local buffer containing the output.
9354 * \param[in] output_copy_len Length of the local buffer.
9355 * \param[out] output Pointer to user-supplied output buffer.
9356 * \param[out] output_len Length of the user-supplied output buffer.
9357 * \return #PSA_SUCCESS, if the buffer was successfully
9358 * copied.
9359 * \return #PSA_ERROR_BUFFER_TOO_SMALL, if the
9360 * user-supplied output buffer is too small to
9361 * hold the contents of the local buffer.
9362 */
9363 MBEDTLS_STATIC_TESTABLE
psa_crypto_copy_output(const uint8_t * output_copy,size_t output_copy_len,uint8_t * output,size_t output_len)9364 psa_status_t psa_crypto_copy_output(const uint8_t *output_copy, size_t output_copy_len,
9365 uint8_t *output, size_t output_len)
9366 {
9367 if (output_len < output_copy_len) {
9368 return PSA_ERROR_BUFFER_TOO_SMALL;
9369 }
9370
9371 #if defined(MBEDTLS_TEST_HOOKS)
9372 if (psa_output_pre_copy_hook != NULL) {
9373 psa_output_pre_copy_hook(output, output_len);
9374 }
9375 #endif
9376
9377 if (output_copy_len > 0) {
9378 memcpy(output, output_copy, output_copy_len);
9379 }
9380
9381 #if defined(MBEDTLS_TEST_HOOKS)
9382 if (psa_output_post_copy_hook != NULL) {
9383 psa_output_post_copy_hook(output, output_len);
9384 }
9385 #endif
9386
9387 return PSA_SUCCESS;
9388 }
9389
psa_crypto_local_input_alloc(const uint8_t * input,size_t input_len,psa_crypto_local_input_t * local_input)9390 psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len,
9391 psa_crypto_local_input_t *local_input)
9392 {
9393 psa_status_t status;
9394
9395 *local_input = PSA_CRYPTO_LOCAL_INPUT_INIT;
9396
9397 if (input_len == 0) {
9398 return PSA_SUCCESS;
9399 }
9400
9401 local_input->buffer = mbedtls_calloc(input_len, 1);
9402 if (local_input->buffer == NULL) {
9403 /* Since we dealt with the zero-length case above, we know that
9404 * a NULL return value means a failure of allocation. */
9405 return PSA_ERROR_INSUFFICIENT_MEMORY;
9406 }
9407 /* From now on, we must free local_input->buffer on error. */
9408
9409 local_input->length = input_len;
9410
9411 status = psa_crypto_copy_input(input, input_len,
9412 local_input->buffer, local_input->length);
9413 if (status != PSA_SUCCESS) {
9414 goto error;
9415 }
9416
9417 return PSA_SUCCESS;
9418
9419 error:
9420 mbedtls_zeroize_and_free(local_input->buffer, local_input->length);
9421 local_input->buffer = NULL;
9422 local_input->length = 0;
9423 return status;
9424 }
9425
psa_crypto_local_input_free(psa_crypto_local_input_t * local_input)9426 void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input)
9427 {
9428 mbedtls_zeroize_and_free(local_input->buffer, local_input->length);
9429 local_input->buffer = NULL;
9430 local_input->length = 0;
9431 }
9432
psa_crypto_local_output_alloc(uint8_t * output,size_t output_len,psa_crypto_local_output_t * local_output)9433 psa_status_t psa_crypto_local_output_alloc(uint8_t *output, size_t output_len,
9434 psa_crypto_local_output_t *local_output)
9435 {
9436 *local_output = PSA_CRYPTO_LOCAL_OUTPUT_INIT;
9437
9438 if (output_len == 0) {
9439 return PSA_SUCCESS;
9440 }
9441 local_output->buffer = mbedtls_calloc(output_len, 1);
9442 if (local_output->buffer == NULL) {
9443 /* Since we dealt with the zero-length case above, we know that
9444 * a NULL return value means a failure of allocation. */
9445 return PSA_ERROR_INSUFFICIENT_MEMORY;
9446 }
9447 local_output->length = output_len;
9448 local_output->original = output;
9449
9450 return PSA_SUCCESS;
9451 }
9452
psa_crypto_local_output_free(psa_crypto_local_output_t * local_output)9453 psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_output)
9454 {
9455 psa_status_t status;
9456
9457 if (local_output->buffer == NULL) {
9458 local_output->length = 0;
9459 return PSA_SUCCESS;
9460 }
9461 if (local_output->original == NULL) {
9462 /* We have an internal copy but nothing to copy back to. */
9463 return PSA_ERROR_CORRUPTION_DETECTED;
9464 }
9465
9466 status = psa_crypto_copy_output(local_output->buffer, local_output->length,
9467 local_output->original, local_output->length);
9468 if (status != PSA_SUCCESS) {
9469 return status;
9470 }
9471
9472 mbedtls_zeroize_and_free(local_output->buffer, local_output->length);
9473 local_output->buffer = NULL;
9474 local_output->length = 0;
9475
9476 return PSA_SUCCESS;
9477 }
9478
9479 #endif /* MBEDTLS_PSA_CRYPTO_C */
9480