1 /* 2 * PSA crypto layer on top of Mbed TLS crypto 3 */ 4 /* 5 * Copyright The Mbed TLS Contributors 6 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 7 */ 8 9 #include "common.h" 10 #include "psa_crypto_core_common.h" 11 12 #if defined(MBEDTLS_PSA_CRYPTO_C) 13 14 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) 15 #include "check_crypto_config.h" 16 #endif 17 18 #include "psa/crypto.h" 19 #include "psa/crypto_values.h" 20 21 #include "psa_crypto_cipher.h" 22 #include "psa_crypto_core.h" 23 #include "psa_crypto_invasive.h" 24 #include "psa_crypto_driver_wrappers.h" 25 #include "psa_crypto_driver_wrappers_no_static.h" 26 #include "psa_crypto_ecp.h" 27 #include "psa_crypto_ffdh.h" 28 #include "psa_crypto_hash.h" 29 #include "psa_crypto_mac.h" 30 #include "psa_crypto_rsa.h" 31 #include "psa_crypto_ecp.h" 32 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 33 #include "psa_crypto_se.h" 34 #endif 35 #include "psa_crypto_slot_management.h" 36 /* Include internal declarations that are useful for implementing persistently 37 * stored keys. */ 38 #include "psa_crypto_storage.h" 39 40 #include "psa_crypto_random_impl.h" 41 42 #include <stdlib.h> 43 #include <string.h> 44 #include "mbedtls/platform.h" 45 46 #include "mbedtls/aes.h" 47 #include "mbedtls/asn1.h" 48 #include "mbedtls/asn1write.h" 49 #include "mbedtls/bignum.h" 50 #include "mbedtls/camellia.h" 51 #include "mbedtls/chacha20.h" 52 #include "mbedtls/chachapoly.h" 53 #include "mbedtls/cipher.h" 54 #include "mbedtls/ccm.h" 55 #include "mbedtls/cmac.h" 56 #include "mbedtls/constant_time.h" 57 #include "mbedtls/des.h" 58 #include "mbedtls/ecdh.h" 59 #include "mbedtls/ecp.h" 60 #include "mbedtls/entropy.h" 61 #include "mbedtls/error.h" 62 #include "mbedtls/gcm.h" 63 #include "mbedtls/md5.h" 64 #include "mbedtls/pk.h" 65 #include "pk_wrap.h" 66 #include "mbedtls/platform_util.h" 67 #include "mbedtls/error.h" 68 #include "mbedtls/ripemd160.h" 69 #include "mbedtls/rsa.h" 70 #include "mbedtls/sha1.h" 71 #include "mbedtls/sha256.h" 72 #include "mbedtls/sha512.h" 73 #include "mbedtls/psa_util.h" 74 #include "mbedtls/threading.h" 75 76 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \ 77 defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \ 78 defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) 79 #define BUILTIN_ALG_ANY_HKDF 1 80 #endif 81 82 /****************************************************************/ 83 /* Global data, support functions and library management */ 84 /****************************************************************/ 85 86 static int key_type_is_raw_bytes(psa_key_type_t type) 87 { 88 return PSA_KEY_TYPE_IS_UNSTRUCTURED(type); 89 } 90 91 /* Values for psa_global_data_t::rng_state */ 92 #define RNG_NOT_INITIALIZED 0 93 #define RNG_INITIALIZED 1 94 #define RNG_SEEDED 2 95 96 /* IDs for PSA crypto subsystems. Starts at 1 to catch potential uninitialized 97 * variables as arguments. */ 98 typedef enum { 99 PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS = 1, 100 PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS, 101 PSA_CRYPTO_SUBSYSTEM_RNG, 102 PSA_CRYPTO_SUBSYSTEM_TRANSACTION, 103 } mbedtls_psa_crypto_subsystem; 104 105 /* Initialization flags for global_data::initialized */ 106 #define PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED 0x01 107 #define PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED 0x02 108 #define PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED 0x04 109 110 #define PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED ( \ 111 PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED | \ 112 PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED | \ 113 PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED) 114 115 typedef struct { 116 uint8_t initialized; 117 uint8_t rng_state; 118 mbedtls_psa_random_context_t rng; 119 } psa_global_data_t; 120 121 static psa_global_data_t global_data; 122 123 static uint8_t psa_get_initialized(void) 124 { 125 uint8_t initialized; 126 127 #if defined(MBEDTLS_THREADING_C) 128 mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex); 129 #endif /* defined(MBEDTLS_THREADING_C) */ 130 131 initialized = global_data.rng_state == RNG_SEEDED; 132 133 #if defined(MBEDTLS_THREADING_C) 134 mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex); 135 #endif /* defined(MBEDTLS_THREADING_C) */ 136 137 #if defined(MBEDTLS_THREADING_C) 138 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex); 139 #endif /* defined(MBEDTLS_THREADING_C) */ 140 141 initialized = 142 (initialized && (global_data.initialized == PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED)); 143 144 #if defined(MBEDTLS_THREADING_C) 145 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex); 146 #endif /* defined(MBEDTLS_THREADING_C) */ 147 148 return initialized; 149 } 150 151 static uint8_t psa_get_drivers_initialized(void) 152 { 153 uint8_t initialized; 154 155 #if defined(MBEDTLS_THREADING_C) 156 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex); 157 #endif /* defined(MBEDTLS_THREADING_C) */ 158 159 initialized = (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) != 0; 160 161 #if defined(MBEDTLS_THREADING_C) 162 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex); 163 #endif /* defined(MBEDTLS_THREADING_C) */ 164 165 return initialized; 166 } 167 168 #define GUARD_MODULE_INITIALIZED \ 169 if (psa_get_initialized() == 0) \ 170 return PSA_ERROR_BAD_STATE; 171 172 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 173 174 /* Declare a local copy of an input buffer and a variable that will be used 175 * to store a pointer to the start of the buffer. 176 * 177 * Note: This macro must be called before any operations which may jump to 178 * the exit label, so that the local input copy object is safe to be freed. 179 * 180 * Assumptions: 181 * - input is the name of a pointer to the buffer to be copied 182 * - The name LOCAL_INPUT_COPY_OF_input is unused in the current scope 183 * - input_copy_name is a name that is unused in the current scope 184 */ 185 #define LOCAL_INPUT_DECLARE(input, input_copy_name) \ 186 psa_crypto_local_input_t LOCAL_INPUT_COPY_OF_##input = PSA_CRYPTO_LOCAL_INPUT_INIT; \ 187 const uint8_t *input_copy_name = NULL; 188 189 /* Allocate a copy of the buffer input and set the pointer input_copy to 190 * point to the start of the copy. 191 * 192 * Assumptions: 193 * - psa_status_t status exists 194 * - An exit label is declared 195 * - input is the name of a pointer to the buffer to be copied 196 * - LOCAL_INPUT_DECLARE(input, input_copy) has previously been called 197 */ 198 #define LOCAL_INPUT_ALLOC(input, length, input_copy) \ 199 status = psa_crypto_local_input_alloc(input, length, \ 200 &LOCAL_INPUT_COPY_OF_##input); \ 201 if (status != PSA_SUCCESS) { \ 202 goto exit; \ 203 } \ 204 input_copy = LOCAL_INPUT_COPY_OF_##input.buffer; 205 206 /* Free the local input copy allocated previously by LOCAL_INPUT_ALLOC() 207 * 208 * Assumptions: 209 * - input_copy is the name of the input copy pointer set by LOCAL_INPUT_ALLOC() 210 * - input is the name of the original buffer that was copied 211 */ 212 #define LOCAL_INPUT_FREE(input, input_copy) \ 213 input_copy = NULL; \ 214 psa_crypto_local_input_free(&LOCAL_INPUT_COPY_OF_##input); 215 216 /* Declare a local copy of an output buffer and a variable that will be used 217 * to store a pointer to the start of the buffer. 218 * 219 * Note: This macro must be called before any operations which may jump to 220 * the exit label, so that the local output copy object is safe to be freed. 221 * 222 * Assumptions: 223 * - output is the name of a pointer to the buffer to be copied 224 * - The name LOCAL_OUTPUT_COPY_OF_output is unused in the current scope 225 * - output_copy_name is a name that is unused in the current scope 226 */ 227 #define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \ 228 psa_crypto_local_output_t LOCAL_OUTPUT_COPY_OF_##output = PSA_CRYPTO_LOCAL_OUTPUT_INIT; \ 229 uint8_t *output_copy_name = NULL; 230 231 /* Allocate a copy of the buffer output and set the pointer output_copy to 232 * point to the start of the copy. 233 * 234 * Assumptions: 235 * - psa_status_t status exists 236 * - An exit label is declared 237 * - output is the name of a pointer to the buffer to be copied 238 * - LOCAL_OUTPUT_DECLARE(output, output_copy) has previously been called 239 */ 240 #define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \ 241 status = psa_crypto_local_output_alloc(output, length, \ 242 &LOCAL_OUTPUT_COPY_OF_##output); \ 243 if (status != PSA_SUCCESS) { \ 244 goto exit; \ 245 } \ 246 output_copy = LOCAL_OUTPUT_COPY_OF_##output.buffer; 247 248 /* Free the local output copy allocated previously by LOCAL_OUTPUT_ALLOC() 249 * after first copying back its contents to the original buffer. 250 * 251 * Assumptions: 252 * - psa_status_t status exists 253 * - output_copy is the name of the output copy pointer set by LOCAL_OUTPUT_ALLOC() 254 * - output is the name of the original buffer that was copied 255 */ 256 #define LOCAL_OUTPUT_FREE(output, output_copy) \ 257 output_copy = NULL; \ 258 do { \ 259 psa_status_t local_output_status; \ 260 local_output_status = psa_crypto_local_output_free(&LOCAL_OUTPUT_COPY_OF_##output); \ 261 if (local_output_status != PSA_SUCCESS) { \ 262 /* Since this error case is an internal error, it's more serious than \ 263 * any existing error code and so it's fine to overwrite the existing \ 264 * status. */ \ 265 status = local_output_status; \ 266 } \ 267 } while (0) 268 #else /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */ 269 #define LOCAL_INPUT_DECLARE(input, input_copy_name) \ 270 const uint8_t *input_copy_name = NULL; 271 #define LOCAL_INPUT_ALLOC(input, length, input_copy) \ 272 input_copy = input; 273 #define LOCAL_INPUT_FREE(input, input_copy) \ 274 input_copy = NULL; 275 #define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \ 276 uint8_t *output_copy_name = NULL; 277 #define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \ 278 output_copy = output; 279 #define LOCAL_OUTPUT_FREE(output, output_copy) \ 280 output_copy = NULL; 281 #endif /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */ 282 283 284 int psa_can_do_hash(psa_algorithm_t hash_alg) 285 { 286 (void) hash_alg; 287 return psa_get_drivers_initialized(); 288 } 289 290 int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg) 291 { 292 (void) key_type; 293 (void) cipher_alg; 294 return psa_get_drivers_initialized(); 295 } 296 297 298 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \ 299 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \ 300 defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) 301 static int psa_is_dh_key_size_valid(size_t bits) 302 { 303 switch (bits) { 304 #if defined(PSA_WANT_DH_RFC7919_2048) 305 case 2048: 306 return 1; 307 #endif /* PSA_WANT_DH_RFC7919_2048 */ 308 #if defined(PSA_WANT_DH_RFC7919_3072) 309 case 3072: 310 return 1; 311 #endif /* PSA_WANT_DH_RFC7919_3072 */ 312 #if defined(PSA_WANT_DH_RFC7919_4096) 313 case 4096: 314 return 1; 315 #endif /* PSA_WANT_DH_RFC7919_4096 */ 316 #if defined(PSA_WANT_DH_RFC7919_6144) 317 case 6144: 318 return 1; 319 #endif /* PSA_WANT_DH_RFC7919_6144 */ 320 #if defined(PSA_WANT_DH_RFC7919_8192) 321 case 8192: 322 return 1; 323 #endif /* PSA_WANT_DH_RFC7919_8192 */ 324 default: 325 return 0; 326 } 327 } 328 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT || 329 MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY || 330 PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */ 331 332 psa_status_t mbedtls_to_psa_error(int ret) 333 { 334 /* Mbed TLS error codes can combine a high-level error code and a 335 * low-level error code. The low-level error usually reflects the 336 * root cause better, so dispatch on that preferably. */ 337 int low_level_ret = -(-ret & 0x007f); 338 switch (low_level_ret != 0 ? low_level_ret : ret) { 339 case 0: 340 return PSA_SUCCESS; 341 342 #if defined(MBEDTLS_AES_C) 343 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH: 344 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH: 345 return PSA_ERROR_NOT_SUPPORTED; 346 case MBEDTLS_ERR_AES_BAD_INPUT_DATA: 347 return PSA_ERROR_INVALID_ARGUMENT; 348 #endif 349 350 #if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_ASN1_WRITE_C) 351 case MBEDTLS_ERR_ASN1_OUT_OF_DATA: 352 case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG: 353 case MBEDTLS_ERR_ASN1_INVALID_LENGTH: 354 case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH: 355 case MBEDTLS_ERR_ASN1_INVALID_DATA: 356 return PSA_ERROR_INVALID_ARGUMENT; 357 case MBEDTLS_ERR_ASN1_ALLOC_FAILED: 358 return PSA_ERROR_INSUFFICIENT_MEMORY; 359 case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL: 360 return PSA_ERROR_BUFFER_TOO_SMALL; 361 #endif 362 363 #if defined(MBEDTLS_CAMELLIA_C) 364 case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA: 365 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH: 366 return PSA_ERROR_NOT_SUPPORTED; 367 #endif 368 369 #if defined(MBEDTLS_CCM_C) 370 case MBEDTLS_ERR_CCM_BAD_INPUT: 371 return PSA_ERROR_INVALID_ARGUMENT; 372 case MBEDTLS_ERR_CCM_AUTH_FAILED: 373 return PSA_ERROR_INVALID_SIGNATURE; 374 #endif 375 376 #if defined(MBEDTLS_CHACHA20_C) 377 case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA: 378 return PSA_ERROR_INVALID_ARGUMENT; 379 #endif 380 381 #if defined(MBEDTLS_CHACHAPOLY_C) 382 case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE: 383 return PSA_ERROR_BAD_STATE; 384 case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED: 385 return PSA_ERROR_INVALID_SIGNATURE; 386 #endif 387 388 #if defined(MBEDTLS_CIPHER_C) 389 case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE: 390 return PSA_ERROR_NOT_SUPPORTED; 391 case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA: 392 return PSA_ERROR_INVALID_ARGUMENT; 393 case MBEDTLS_ERR_CIPHER_ALLOC_FAILED: 394 return PSA_ERROR_INSUFFICIENT_MEMORY; 395 case MBEDTLS_ERR_CIPHER_INVALID_PADDING: 396 return PSA_ERROR_INVALID_PADDING; 397 case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED: 398 return PSA_ERROR_INVALID_ARGUMENT; 399 case MBEDTLS_ERR_CIPHER_AUTH_FAILED: 400 return PSA_ERROR_INVALID_SIGNATURE; 401 case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT: 402 return PSA_ERROR_CORRUPTION_DETECTED; 403 #endif 404 405 #if !(defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \ 406 defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)) 407 /* Only check CTR_DRBG error codes if underlying mbedtls_xxx 408 * functions are passed a CTR_DRBG instance. */ 409 case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED: 410 return PSA_ERROR_INSUFFICIENT_ENTROPY; 411 case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG: 412 case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG: 413 return PSA_ERROR_NOT_SUPPORTED; 414 case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR: 415 return PSA_ERROR_INSUFFICIENT_ENTROPY; 416 #endif 417 418 #if defined(MBEDTLS_DES_C) 419 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH: 420 return PSA_ERROR_NOT_SUPPORTED; 421 #endif 422 423 case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED: 424 case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE: 425 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED: 426 return PSA_ERROR_INSUFFICIENT_ENTROPY; 427 428 #if defined(MBEDTLS_GCM_C) 429 case MBEDTLS_ERR_GCM_AUTH_FAILED: 430 return PSA_ERROR_INVALID_SIGNATURE; 431 case MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL: 432 return PSA_ERROR_BUFFER_TOO_SMALL; 433 case MBEDTLS_ERR_GCM_BAD_INPUT: 434 return PSA_ERROR_INVALID_ARGUMENT; 435 #endif 436 437 #if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \ 438 defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE) 439 /* Only check HMAC_DRBG error codes if underlying mbedtls_xxx 440 * functions are passed a HMAC_DRBG instance. */ 441 case MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED: 442 return PSA_ERROR_INSUFFICIENT_ENTROPY; 443 case MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG: 444 case MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG: 445 return PSA_ERROR_NOT_SUPPORTED; 446 case MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR: 447 return PSA_ERROR_INSUFFICIENT_ENTROPY; 448 #endif 449 450 #if defined(MBEDTLS_MD_LIGHT) 451 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE: 452 return PSA_ERROR_NOT_SUPPORTED; 453 case MBEDTLS_ERR_MD_BAD_INPUT_DATA: 454 return PSA_ERROR_INVALID_ARGUMENT; 455 case MBEDTLS_ERR_MD_ALLOC_FAILED: 456 return PSA_ERROR_INSUFFICIENT_MEMORY; 457 #if defined(MBEDTLS_FS_IO) 458 case MBEDTLS_ERR_MD_FILE_IO_ERROR: 459 return PSA_ERROR_STORAGE_FAILURE; 460 #endif 461 #endif 462 463 #if defined(MBEDTLS_BIGNUM_C) 464 #if defined(MBEDTLS_FS_IO) 465 case MBEDTLS_ERR_MPI_FILE_IO_ERROR: 466 return PSA_ERROR_STORAGE_FAILURE; 467 #endif 468 case MBEDTLS_ERR_MPI_BAD_INPUT_DATA: 469 return PSA_ERROR_INVALID_ARGUMENT; 470 case MBEDTLS_ERR_MPI_INVALID_CHARACTER: 471 return PSA_ERROR_INVALID_ARGUMENT; 472 case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL: 473 return PSA_ERROR_BUFFER_TOO_SMALL; 474 case MBEDTLS_ERR_MPI_NEGATIVE_VALUE: 475 return PSA_ERROR_INVALID_ARGUMENT; 476 case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO: 477 return PSA_ERROR_INVALID_ARGUMENT; 478 case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: 479 return PSA_ERROR_INVALID_ARGUMENT; 480 case MBEDTLS_ERR_MPI_ALLOC_FAILED: 481 return PSA_ERROR_INSUFFICIENT_MEMORY; 482 #endif 483 484 #if defined(MBEDTLS_PK_C) 485 case MBEDTLS_ERR_PK_ALLOC_FAILED: 486 return PSA_ERROR_INSUFFICIENT_MEMORY; 487 case MBEDTLS_ERR_PK_TYPE_MISMATCH: 488 case MBEDTLS_ERR_PK_BAD_INPUT_DATA: 489 return PSA_ERROR_INVALID_ARGUMENT; 490 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || defined(MBEDTLS_FS_IO) || \ 491 defined(MBEDTLS_PSA_ITS_FILE_C) 492 case MBEDTLS_ERR_PK_FILE_IO_ERROR: 493 return PSA_ERROR_STORAGE_FAILURE; 494 #endif 495 case MBEDTLS_ERR_PK_KEY_INVALID_VERSION: 496 case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT: 497 return PSA_ERROR_INVALID_ARGUMENT; 498 case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG: 499 return PSA_ERROR_NOT_SUPPORTED; 500 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED: 501 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH: 502 return PSA_ERROR_NOT_PERMITTED; 503 case MBEDTLS_ERR_PK_INVALID_PUBKEY: 504 return PSA_ERROR_INVALID_ARGUMENT; 505 case MBEDTLS_ERR_PK_INVALID_ALG: 506 case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE: 507 case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE: 508 return PSA_ERROR_NOT_SUPPORTED; 509 case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH: 510 return PSA_ERROR_INVALID_SIGNATURE; 511 case MBEDTLS_ERR_PK_BUFFER_TOO_SMALL: 512 return PSA_ERROR_BUFFER_TOO_SMALL; 513 #endif 514 515 case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED: 516 return PSA_ERROR_HARDWARE_FAILURE; 517 case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED: 518 return PSA_ERROR_NOT_SUPPORTED; 519 520 #if defined(MBEDTLS_RSA_C) 521 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA: 522 return PSA_ERROR_INVALID_ARGUMENT; 523 case MBEDTLS_ERR_RSA_INVALID_PADDING: 524 return PSA_ERROR_INVALID_PADDING; 525 case MBEDTLS_ERR_RSA_KEY_GEN_FAILED: 526 return PSA_ERROR_HARDWARE_FAILURE; 527 case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED: 528 return PSA_ERROR_INVALID_ARGUMENT; 529 case MBEDTLS_ERR_RSA_PUBLIC_FAILED: 530 case MBEDTLS_ERR_RSA_PRIVATE_FAILED: 531 return PSA_ERROR_CORRUPTION_DETECTED; 532 case MBEDTLS_ERR_RSA_VERIFY_FAILED: 533 return PSA_ERROR_INVALID_SIGNATURE; 534 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE: 535 return PSA_ERROR_BUFFER_TOO_SMALL; 536 case MBEDTLS_ERR_RSA_RNG_FAILED: 537 return PSA_ERROR_INSUFFICIENT_ENTROPY; 538 #endif 539 540 #if defined(MBEDTLS_ECP_LIGHT) 541 case MBEDTLS_ERR_ECP_BAD_INPUT_DATA: 542 case MBEDTLS_ERR_ECP_INVALID_KEY: 543 return PSA_ERROR_INVALID_ARGUMENT; 544 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL: 545 return PSA_ERROR_BUFFER_TOO_SMALL; 546 case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE: 547 return PSA_ERROR_NOT_SUPPORTED; 548 case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH: 549 case MBEDTLS_ERR_ECP_VERIFY_FAILED: 550 return PSA_ERROR_INVALID_SIGNATURE; 551 case MBEDTLS_ERR_ECP_ALLOC_FAILED: 552 return PSA_ERROR_INSUFFICIENT_MEMORY; 553 case MBEDTLS_ERR_ECP_RANDOM_FAILED: 554 return PSA_ERROR_INSUFFICIENT_ENTROPY; 555 556 #if defined(MBEDTLS_ECP_RESTARTABLE) 557 case MBEDTLS_ERR_ECP_IN_PROGRESS: 558 return PSA_OPERATION_INCOMPLETE; 559 #endif 560 #endif 561 562 case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED: 563 return PSA_ERROR_CORRUPTION_DETECTED; 564 565 default: 566 return PSA_ERROR_GENERIC_ERROR; 567 } 568 } 569 570 /** 571 * \brief For output buffers which contain "tags" 572 * (outputs that may be checked for validity like 573 * hashes, MACs and signatures), fill the unused 574 * part of the output buffer (the whole buffer on 575 * error, the trailing part on success) with 576 * something that isn't a valid tag (barring an 577 * attack on the tag and deliberately-crafted 578 * input), in case the caller doesn't check the 579 * return status properly. 580 * 581 * \param output_buffer Pointer to buffer to wipe. May not be NULL 582 * unless \p output_buffer_size is zero. 583 * \param status Status of function called to generate 584 * output_buffer originally 585 * \param output_buffer_size Size of output buffer. If zero, \p output_buffer 586 * could be NULL. 587 * \param output_buffer_length Length of data written to output_buffer, must be 588 * less than \p output_buffer_size 589 */ 590 static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status, 591 size_t output_buffer_size, size_t output_buffer_length) 592 { 593 size_t offset = 0; 594 595 if (output_buffer_size == 0) { 596 /* If output_buffer_size is 0 then we have nothing to do. We must not 597 call memset because output_buffer may be NULL in this case */ 598 return; 599 } 600 601 if (status == PSA_SUCCESS) { 602 offset = output_buffer_length; 603 } 604 605 memset(output_buffer + offset, '!', output_buffer_size - offset); 606 } 607 608 609 psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type, 610 size_t bits) 611 { 612 /* Check that the bit size is acceptable for the key type */ 613 switch (type) { 614 case PSA_KEY_TYPE_RAW_DATA: 615 case PSA_KEY_TYPE_HMAC: 616 case PSA_KEY_TYPE_DERIVE: 617 case PSA_KEY_TYPE_PASSWORD: 618 case PSA_KEY_TYPE_PASSWORD_HASH: 619 break; 620 #if defined(PSA_WANT_KEY_TYPE_AES) 621 case PSA_KEY_TYPE_AES: 622 if (bits != 128 && bits != 192 && bits != 256) { 623 return PSA_ERROR_INVALID_ARGUMENT; 624 } 625 break; 626 #endif 627 #if defined(PSA_WANT_KEY_TYPE_ARIA) 628 case PSA_KEY_TYPE_ARIA: 629 if (bits != 128 && bits != 192 && bits != 256) { 630 return PSA_ERROR_INVALID_ARGUMENT; 631 } 632 break; 633 #endif 634 #if defined(PSA_WANT_KEY_TYPE_CAMELLIA) 635 case PSA_KEY_TYPE_CAMELLIA: 636 if (bits != 128 && bits != 192 && bits != 256) { 637 return PSA_ERROR_INVALID_ARGUMENT; 638 } 639 break; 640 #endif 641 #if defined(PSA_WANT_KEY_TYPE_DES) 642 case PSA_KEY_TYPE_DES: 643 if (bits != 64 && bits != 128 && bits != 192) { 644 return PSA_ERROR_INVALID_ARGUMENT; 645 } 646 break; 647 #endif 648 #if defined(PSA_WANT_KEY_TYPE_CHACHA20) 649 case PSA_KEY_TYPE_CHACHA20: 650 if (bits != 256) { 651 return PSA_ERROR_INVALID_ARGUMENT; 652 } 653 break; 654 #endif 655 default: 656 return PSA_ERROR_NOT_SUPPORTED; 657 } 658 if (bits % 8 != 0) { 659 return PSA_ERROR_INVALID_ARGUMENT; 660 } 661 662 return PSA_SUCCESS; 663 } 664 665 /** Check whether a given key type is valid for use with a given MAC algorithm 666 * 667 * Upon successful return of this function, the behavior of #PSA_MAC_LENGTH 668 * when called with the validated \p algorithm and \p key_type is well-defined. 669 * 670 * \param[in] algorithm The specific MAC algorithm (can be wildcard). 671 * \param[in] key_type The key type of the key to be used with the 672 * \p algorithm. 673 * 674 * \retval #PSA_SUCCESS 675 * The \p key_type is valid for use with the \p algorithm 676 * \retval #PSA_ERROR_INVALID_ARGUMENT 677 * The \p key_type is not valid for use with the \p algorithm 678 */ 679 MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do( 680 psa_algorithm_t algorithm, 681 psa_key_type_t key_type) 682 { 683 if (PSA_ALG_IS_HMAC(algorithm)) { 684 if (key_type == PSA_KEY_TYPE_HMAC) { 685 return PSA_SUCCESS; 686 } 687 } 688 689 if (PSA_ALG_IS_BLOCK_CIPHER_MAC(algorithm)) { 690 /* Check that we're calling PSA_BLOCK_CIPHER_BLOCK_LENGTH with a cipher 691 * key. */ 692 if ((key_type & PSA_KEY_TYPE_CATEGORY_MASK) == 693 PSA_KEY_TYPE_CATEGORY_SYMMETRIC) { 694 /* PSA_BLOCK_CIPHER_BLOCK_LENGTH returns 1 for stream ciphers and 695 * the block length (larger than 1) for block ciphers. */ 696 if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1) { 697 return PSA_SUCCESS; 698 } 699 } 700 } 701 702 return PSA_ERROR_INVALID_ARGUMENT; 703 } 704 705 psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot, 706 size_t buffer_length) 707 { 708 if (slot->key.data != NULL) { 709 return PSA_ERROR_ALREADY_EXISTS; 710 } 711 712 slot->key.data = mbedtls_calloc(1, buffer_length); 713 if (slot->key.data == NULL) { 714 return PSA_ERROR_INSUFFICIENT_MEMORY; 715 } 716 717 slot->key.bytes = buffer_length; 718 return PSA_SUCCESS; 719 } 720 721 psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot, 722 const uint8_t *data, 723 size_t data_length) 724 { 725 psa_status_t status = psa_allocate_buffer_to_slot(slot, 726 data_length); 727 if (status != PSA_SUCCESS) { 728 return status; 729 } 730 731 memcpy(slot->key.data, data, data_length); 732 return PSA_SUCCESS; 733 } 734 735 psa_status_t psa_import_key_into_slot( 736 const psa_key_attributes_t *attributes, 737 const uint8_t *data, size_t data_length, 738 uint8_t *key_buffer, size_t key_buffer_size, 739 size_t *key_buffer_length, size_t *bits) 740 { 741 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 742 psa_key_type_t type = attributes->type; 743 744 /* zero-length keys are never supported. */ 745 if (data_length == 0) { 746 return PSA_ERROR_NOT_SUPPORTED; 747 } 748 749 if (key_type_is_raw_bytes(type)) { 750 *bits = PSA_BYTES_TO_BITS(data_length); 751 752 status = psa_validate_unstructured_key_bit_size(attributes->type, 753 *bits); 754 if (status != PSA_SUCCESS) { 755 return status; 756 } 757 758 /* Copy the key material. */ 759 memcpy(key_buffer, data, data_length); 760 *key_buffer_length = data_length; 761 (void) key_buffer_size; 762 763 return PSA_SUCCESS; 764 } else if (PSA_KEY_TYPE_IS_ASYMMETRIC(type)) { 765 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \ 766 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) 767 if (PSA_KEY_TYPE_IS_DH(type)) { 768 if (psa_is_dh_key_size_valid(PSA_BYTES_TO_BITS(data_length)) == 0) { 769 return PSA_ERROR_NOT_SUPPORTED; 770 } 771 return mbedtls_psa_ffdh_import_key(attributes, 772 data, data_length, 773 key_buffer, key_buffer_size, 774 key_buffer_length, 775 bits); 776 } 777 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || 778 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */ 779 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \ 780 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) 781 if (PSA_KEY_TYPE_IS_ECC(type)) { 782 return mbedtls_psa_ecp_import_key(attributes, 783 data, data_length, 784 key_buffer, key_buffer_size, 785 key_buffer_length, 786 bits); 787 } 788 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || 789 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ 790 #if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \ 791 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \ 792 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) 793 if (PSA_KEY_TYPE_IS_RSA(type)) { 794 return mbedtls_psa_rsa_import_key(attributes, 795 data, data_length, 796 key_buffer, key_buffer_size, 797 key_buffer_length, 798 bits); 799 } 800 #endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && 801 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || 802 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ 803 } 804 805 return PSA_ERROR_NOT_SUPPORTED; 806 } 807 808 /** Calculate the intersection of two algorithm usage policies. 809 * 810 * Return 0 (which allows no operation) on incompatibility. 811 */ 812 static psa_algorithm_t psa_key_policy_algorithm_intersection( 813 psa_key_type_t key_type, 814 psa_algorithm_t alg1, 815 psa_algorithm_t alg2) 816 { 817 /* Common case: both sides actually specify the same policy. */ 818 if (alg1 == alg2) { 819 return alg1; 820 } 821 /* If the policies are from the same hash-and-sign family, check 822 * if one is a wildcard. If so the other has the specific algorithm. */ 823 if (PSA_ALG_IS_SIGN_HASH(alg1) && 824 PSA_ALG_IS_SIGN_HASH(alg2) && 825 (alg1 & ~PSA_ALG_HASH_MASK) == (alg2 & ~PSA_ALG_HASH_MASK)) { 826 if (PSA_ALG_SIGN_GET_HASH(alg1) == PSA_ALG_ANY_HASH) { 827 return alg2; 828 } 829 if (PSA_ALG_SIGN_GET_HASH(alg2) == PSA_ALG_ANY_HASH) { 830 return alg1; 831 } 832 } 833 /* If the policies are from the same AEAD family, check whether 834 * one of them is a minimum-tag-length wildcard. Calculate the most 835 * restrictive tag length. */ 836 if (PSA_ALG_IS_AEAD(alg1) && PSA_ALG_IS_AEAD(alg2) && 837 (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg1, 0) == 838 PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg2, 0))) { 839 size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg1); 840 size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg2); 841 size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len; 842 843 /* If both are wildcards, return most restrictive wildcard */ 844 if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) && 845 ((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) { 846 return PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG( 847 alg1, restricted_len); 848 } 849 /* If only one is a wildcard, return specific algorithm if compatible. */ 850 if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) && 851 (alg1_len <= alg2_len)) { 852 return alg2; 853 } 854 if (((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) && 855 (alg2_len <= alg1_len)) { 856 return alg1; 857 } 858 } 859 /* If the policies are from the same MAC family, check whether one 860 * of them is a minimum-MAC-length policy. Calculate the most 861 * restrictive tag length. */ 862 if (PSA_ALG_IS_MAC(alg1) && PSA_ALG_IS_MAC(alg2) && 863 (PSA_ALG_FULL_LENGTH_MAC(alg1) == 864 PSA_ALG_FULL_LENGTH_MAC(alg2))) { 865 /* Validate the combination of key type and algorithm. Since the base 866 * algorithm of alg1 and alg2 are the same, we only need this once. */ 867 if (PSA_SUCCESS != psa_mac_key_can_do(alg1, key_type)) { 868 return 0; 869 } 870 871 /* Get the (exact or at-least) output lengths for both sides of the 872 * requested intersection. None of the currently supported algorithms 873 * have an output length dependent on the actual key size, so setting it 874 * to a bogus value of 0 is currently OK. 875 * 876 * Note that for at-least-this-length wildcard algorithms, the output 877 * length is set to the shortest allowed length, which allows us to 878 * calculate the most restrictive tag length for the intersection. */ 879 size_t alg1_len = PSA_MAC_LENGTH(key_type, 0, alg1); 880 size_t alg2_len = PSA_MAC_LENGTH(key_type, 0, alg2); 881 size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len; 882 883 /* If both are wildcards, return most restrictive wildcard */ 884 if (((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) && 885 ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0)) { 886 return PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(alg1, restricted_len); 887 } 888 889 /* If only one is an at-least-this-length policy, the intersection would 890 * be the other (fixed-length) policy as long as said fixed length is 891 * equal to or larger than the shortest allowed length. */ 892 if ((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) { 893 return (alg1_len <= alg2_len) ? alg2 : 0; 894 } 895 if ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) { 896 return (alg2_len <= alg1_len) ? alg1 : 0; 897 } 898 899 /* If none of them are wildcards, check whether they define the same tag 900 * length. This is still possible here when one is default-length and 901 * the other specific-length. Ensure to always return the 902 * specific-length version for the intersection. */ 903 if (alg1_len == alg2_len) { 904 return PSA_ALG_TRUNCATED_MAC(alg1, alg1_len); 905 } 906 } 907 /* If the policies are incompatible, allow nothing. */ 908 return 0; 909 } 910 911 static int psa_key_algorithm_permits(psa_key_type_t key_type, 912 psa_algorithm_t policy_alg, 913 psa_algorithm_t requested_alg) 914 { 915 /* Common case: the policy only allows requested_alg. */ 916 if (requested_alg == policy_alg) { 917 return 1; 918 } 919 /* If policy_alg is a hash-and-sign with a wildcard for the hash, 920 * and requested_alg is the same hash-and-sign family with any hash, 921 * then requested_alg is compliant with policy_alg. */ 922 if (PSA_ALG_IS_SIGN_HASH(requested_alg) && 923 PSA_ALG_SIGN_GET_HASH(policy_alg) == PSA_ALG_ANY_HASH) { 924 return (policy_alg & ~PSA_ALG_HASH_MASK) == 925 (requested_alg & ~PSA_ALG_HASH_MASK); 926 } 927 /* If policy_alg is a wildcard AEAD algorithm of the same base as 928 * the requested algorithm, check the requested tag length to be 929 * equal-length or longer than the wildcard-specified length. */ 930 if (PSA_ALG_IS_AEAD(policy_alg) && 931 PSA_ALG_IS_AEAD(requested_alg) && 932 (PSA_ALG_AEAD_WITH_SHORTENED_TAG(policy_alg, 0) == 933 PSA_ALG_AEAD_WITH_SHORTENED_TAG(requested_alg, 0)) && 934 ((policy_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) { 935 return PSA_ALG_AEAD_GET_TAG_LENGTH(policy_alg) <= 936 PSA_ALG_AEAD_GET_TAG_LENGTH(requested_alg); 937 } 938 /* If policy_alg is a MAC algorithm of the same base as the requested 939 * algorithm, check whether their MAC lengths are compatible. */ 940 if (PSA_ALG_IS_MAC(policy_alg) && 941 PSA_ALG_IS_MAC(requested_alg) && 942 (PSA_ALG_FULL_LENGTH_MAC(policy_alg) == 943 PSA_ALG_FULL_LENGTH_MAC(requested_alg))) { 944 /* Validate the combination of key type and algorithm. Since the policy 945 * and requested algorithms are the same, we only need this once. */ 946 if (PSA_SUCCESS != psa_mac_key_can_do(policy_alg, key_type)) { 947 return 0; 948 } 949 950 /* Get both the requested output length for the algorithm which is to be 951 * verified, and the default output length for the base algorithm. 952 * Note that none of the currently supported algorithms have an output 953 * length dependent on actual key size, so setting it to a bogus value 954 * of 0 is currently OK. */ 955 size_t requested_output_length = PSA_MAC_LENGTH( 956 key_type, 0, requested_alg); 957 size_t default_output_length = PSA_MAC_LENGTH( 958 key_type, 0, 959 PSA_ALG_FULL_LENGTH_MAC(requested_alg)); 960 961 /* If the policy is default-length, only allow an algorithm with 962 * a declared exact-length matching the default. */ 963 if (PSA_MAC_TRUNCATED_LENGTH(policy_alg) == 0) { 964 return requested_output_length == default_output_length; 965 } 966 967 /* If the requested algorithm is default-length, allow it if the policy 968 * length exactly matches the default length. */ 969 if (PSA_MAC_TRUNCATED_LENGTH(requested_alg) == 0 && 970 PSA_MAC_TRUNCATED_LENGTH(policy_alg) == default_output_length) { 971 return 1; 972 } 973 974 /* If policy_alg is an at-least-this-length wildcard MAC algorithm, 975 * check for the requested MAC length to be equal to or longer than the 976 * minimum allowed length. */ 977 if ((policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) { 978 return PSA_MAC_TRUNCATED_LENGTH(policy_alg) <= 979 requested_output_length; 980 } 981 } 982 /* If policy_alg is a generic key agreement operation, then using it for 983 * a key derivation with that key agreement should also be allowed. This 984 * behaviour is expected to be defined in a future specification version. */ 985 if (PSA_ALG_IS_RAW_KEY_AGREEMENT(policy_alg) && 986 PSA_ALG_IS_KEY_AGREEMENT(requested_alg)) { 987 return PSA_ALG_KEY_AGREEMENT_GET_BASE(requested_alg) == 988 policy_alg; 989 } 990 /* If it isn't explicitly permitted, it's forbidden. */ 991 return 0; 992 } 993 994 /** Test whether a policy permits an algorithm. 995 * 996 * The caller must test usage flags separately. 997 * 998 * \note This function requires providing the key type for which the policy is 999 * being validated, since some algorithm policy definitions (e.g. MAC) 1000 * have different properties depending on what kind of cipher it is 1001 * combined with. 1002 * 1003 * \retval PSA_SUCCESS When \p alg is a specific algorithm 1004 * allowed by the \p policy. 1005 * \retval PSA_ERROR_INVALID_ARGUMENT When \p alg is not a specific algorithm 1006 * \retval PSA_ERROR_NOT_PERMITTED When \p alg is a specific algorithm, but 1007 * the \p policy does not allow it. 1008 */ 1009 static psa_status_t psa_key_policy_permits(const psa_key_policy_t *policy, 1010 psa_key_type_t key_type, 1011 psa_algorithm_t alg) 1012 { 1013 /* '0' is not a valid algorithm */ 1014 if (alg == 0) { 1015 return PSA_ERROR_INVALID_ARGUMENT; 1016 } 1017 1018 /* A requested algorithm cannot be a wildcard. */ 1019 if (PSA_ALG_IS_WILDCARD(alg)) { 1020 return PSA_ERROR_INVALID_ARGUMENT; 1021 } 1022 1023 if (psa_key_algorithm_permits(key_type, policy->alg, alg) || 1024 psa_key_algorithm_permits(key_type, policy->alg2, alg)) { 1025 return PSA_SUCCESS; 1026 } else { 1027 return PSA_ERROR_NOT_PERMITTED; 1028 } 1029 } 1030 1031 /** Restrict a key policy based on a constraint. 1032 * 1033 * \note This function requires providing the key type for which the policy is 1034 * being restricted, since some algorithm policy definitions (e.g. MAC) 1035 * have different properties depending on what kind of cipher it is 1036 * combined with. 1037 * 1038 * \param[in] key_type The key type for which to restrict the policy 1039 * \param[in,out] policy The policy to restrict. 1040 * \param[in] constraint The policy constraint to apply. 1041 * 1042 * \retval #PSA_SUCCESS 1043 * \c *policy contains the intersection of the original value of 1044 * \c *policy and \c *constraint. 1045 * \retval #PSA_ERROR_INVALID_ARGUMENT 1046 * \c key_type, \c *policy and \c *constraint are incompatible. 1047 * \c *policy is unchanged. 1048 */ 1049 static psa_status_t psa_restrict_key_policy( 1050 psa_key_type_t key_type, 1051 psa_key_policy_t *policy, 1052 const psa_key_policy_t *constraint) 1053 { 1054 psa_algorithm_t intersection_alg = 1055 psa_key_policy_algorithm_intersection(key_type, policy->alg, 1056 constraint->alg); 1057 psa_algorithm_t intersection_alg2 = 1058 psa_key_policy_algorithm_intersection(key_type, policy->alg2, 1059 constraint->alg2); 1060 if (intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0) { 1061 return PSA_ERROR_INVALID_ARGUMENT; 1062 } 1063 if (intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0) { 1064 return PSA_ERROR_INVALID_ARGUMENT; 1065 } 1066 policy->usage &= constraint->usage; 1067 policy->alg = intersection_alg; 1068 policy->alg2 = intersection_alg2; 1069 return PSA_SUCCESS; 1070 } 1071 1072 /** Get the description of a key given its identifier and policy constraints 1073 * and lock it. 1074 * 1075 * The key must have allow all the usage flags set in \p usage. If \p alg is 1076 * nonzero, the key must allow operations with this algorithm. If \p alg is 1077 * zero, the algorithm is not checked. 1078 * 1079 * In case of a persistent key, the function loads the description of the key 1080 * into a key slot if not already done. 1081 * 1082 * On success, the returned key slot has been registered for reading. 1083 * It is the responsibility of the caller to then unregister 1084 * once they have finished reading the contents of the slot. 1085 * The caller unregisters by calling psa_unregister_read() or 1086 * psa_unregister_read_under_mutex(). psa_unregister_read() must be called 1087 * if and only if the caller already holds the global key slot mutex 1088 * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates 1089 * the unregister with mutex lock and unlock operations. 1090 */ 1091 static psa_status_t psa_get_and_lock_key_slot_with_policy( 1092 mbedtls_svc_key_id_t key, 1093 psa_key_slot_t **p_slot, 1094 psa_key_usage_t usage, 1095 psa_algorithm_t alg) 1096 { 1097 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 1098 psa_key_slot_t *slot = NULL; 1099 1100 status = psa_get_and_lock_key_slot(key, p_slot); 1101 if (status != PSA_SUCCESS) { 1102 return status; 1103 } 1104 slot = *p_slot; 1105 1106 /* Enforce that usage policy for the key slot contains all the flags 1107 * required by the usage parameter. There is one exception: public 1108 * keys can always be exported, so we treat public key objects as 1109 * if they had the export flag. */ 1110 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) { 1111 usage &= ~PSA_KEY_USAGE_EXPORT; 1112 } 1113 1114 if ((slot->attr.policy.usage & usage) != usage) { 1115 status = PSA_ERROR_NOT_PERMITTED; 1116 goto error; 1117 } 1118 1119 /* Enforce that the usage policy permits the requested algorithm. */ 1120 if (alg != 0) { 1121 status = psa_key_policy_permits(&slot->attr.policy, 1122 slot->attr.type, 1123 alg); 1124 if (status != PSA_SUCCESS) { 1125 goto error; 1126 } 1127 } 1128 1129 return PSA_SUCCESS; 1130 1131 error: 1132 *p_slot = NULL; 1133 psa_unregister_read_under_mutex(slot); 1134 1135 return status; 1136 } 1137 1138 /** Get a key slot containing a transparent key and lock it. 1139 * 1140 * A transparent key is a key for which the key material is directly 1141 * available, as opposed to a key in a secure element and/or to be used 1142 * by a secure element. 1143 * 1144 * This is a temporary function that may be used instead of 1145 * psa_get_and_lock_key_slot_with_policy() when there is no opaque key support 1146 * for a cryptographic operation. 1147 * 1148 * On success, the returned key slot has been registered for reading. 1149 * It is the responsibility of the caller to then unregister 1150 * once they have finished reading the contents of the slot. 1151 * The caller unregisters by calling psa_unregister_read() or 1152 * psa_unregister_read_under_mutex(). psa_unregister_read() must be called 1153 * if and only if the caller already holds the global key slot mutex 1154 * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates 1155 * psa_unregister_read() with mutex lock and unlock operations. 1156 */ 1157 static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( 1158 mbedtls_svc_key_id_t key, 1159 psa_key_slot_t **p_slot, 1160 psa_key_usage_t usage, 1161 psa_algorithm_t alg) 1162 { 1163 psa_status_t status = psa_get_and_lock_key_slot_with_policy(key, p_slot, 1164 usage, alg); 1165 if (status != PSA_SUCCESS) { 1166 return status; 1167 } 1168 1169 if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) { 1170 psa_unregister_read_under_mutex(*p_slot); 1171 *p_slot = NULL; 1172 return PSA_ERROR_NOT_SUPPORTED; 1173 } 1174 1175 return PSA_SUCCESS; 1176 } 1177 1178 psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot) 1179 { 1180 if (slot->key.data != NULL) { 1181 mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes); 1182 } 1183 1184 slot->key.data = NULL; 1185 slot->key.bytes = 0; 1186 1187 return PSA_SUCCESS; 1188 } 1189 1190 /** Completely wipe a slot in memory, including its policy. 1191 * Persistent storage is not affected. */ 1192 psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot) 1193 { 1194 psa_status_t status = psa_remove_key_data_from_memory(slot); 1195 1196 /* 1197 * As the return error code may not be handled in case of multiple errors, 1198 * do our best to report an unexpected amount of registered readers or 1199 * an unexpected state. 1200 * Assert with MBEDTLS_TEST_HOOK_TEST_ASSERT that the slot is valid for 1201 * wiping. 1202 * if the MBEDTLS_TEST_HOOKS configuration option is enabled and the 1203 * function is called as part of the execution of a test suite, the 1204 * execution of the test suite is stopped in error if the assertion fails. 1205 */ 1206 switch (slot->state) { 1207 case PSA_SLOT_FULL: 1208 /* In this state psa_wipe_key_slot() must only be called if the 1209 * caller is the last reader. */ 1210 case PSA_SLOT_PENDING_DELETION: 1211 /* In this state psa_wipe_key_slot() must only be called if the 1212 * caller is the last reader. */ 1213 if (slot->var.occupied.registered_readers != 1) { 1214 MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 1); 1215 status = PSA_ERROR_CORRUPTION_DETECTED; 1216 } 1217 break; 1218 case PSA_SLOT_FILLING: 1219 /* In this state registered_readers must be 0. */ 1220 if (slot->var.occupied.registered_readers != 0) { 1221 MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 0); 1222 status = PSA_ERROR_CORRUPTION_DETECTED; 1223 } 1224 break; 1225 case PSA_SLOT_EMPTY: 1226 /* The slot is already empty, it cannot be wiped. */ 1227 MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->state != PSA_SLOT_EMPTY); 1228 status = PSA_ERROR_CORRUPTION_DETECTED; 1229 break; 1230 default: 1231 /* The slot's state is invalid. */ 1232 status = PSA_ERROR_CORRUPTION_DETECTED; 1233 } 1234 1235 #if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) 1236 size_t slice_index = slot->slice_index; 1237 #endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ 1238 1239 1240 /* Multipart operations may still be using the key. This is safe 1241 * because all multipart operation objects are independent from 1242 * the key slot: if they need to access the key after the setup 1243 * phase, they have a copy of the key. Note that this means that 1244 * key material can linger until all operations are completed. */ 1245 /* At this point, key material and other type-specific content has 1246 * been wiped. Clear remaining metadata. We can call memset and not 1247 * zeroize because the metadata is not particularly sensitive. 1248 * This memset also sets the slot's state to PSA_SLOT_EMPTY. */ 1249 memset(slot, 0, sizeof(*slot)); 1250 1251 #if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) 1252 /* If the slot is already corrupted, something went deeply wrong, 1253 * like a thread still using the slot or a stray pointer leading 1254 * to the slot's memory being used for another object. Let the slot 1255 * leak rather than make the corruption worse. */ 1256 if (status == PSA_SUCCESS) { 1257 status = psa_free_key_slot(slice_index, slot); 1258 } 1259 #endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ 1260 1261 return status; 1262 } 1263 1264 psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key) 1265 { 1266 psa_key_slot_t *slot; 1267 psa_status_t status; /* status of the last operation */ 1268 psa_status_t overall_status = PSA_SUCCESS; 1269 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 1270 psa_se_drv_table_entry_t *driver; 1271 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 1272 1273 if (mbedtls_svc_key_id_is_null(key)) { 1274 return PSA_SUCCESS; 1275 } 1276 1277 /* 1278 * Get the description of the key in a key slot, and register to read it. 1279 * In the case of a persistent key, this will load the key description 1280 * from persistent memory if not done yet. 1281 * We cannot avoid this loading as without it we don't know if 1282 * the key is operated by an SE or not and this information is needed by 1283 * the current implementation. */ 1284 status = psa_get_and_lock_key_slot(key, &slot); 1285 if (status != PSA_SUCCESS) { 1286 return status; 1287 } 1288 1289 #if defined(MBEDTLS_THREADING_C) 1290 /* We cannot unlock between setting the state to PENDING_DELETION 1291 * and destroying the key in storage, as otherwise another thread 1292 * could load the key into a new slot and the key will not be 1293 * fully destroyed. */ 1294 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock( 1295 &mbedtls_threading_key_slot_mutex)); 1296 1297 if (slot->state == PSA_SLOT_PENDING_DELETION) { 1298 /* Another thread has destroyed the key between us locking the slot 1299 * and us gaining the mutex. Unregister from the slot, 1300 * and report that the key does not exist. */ 1301 status = psa_unregister_read(slot); 1302 1303 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( 1304 &mbedtls_threading_key_slot_mutex)); 1305 return (status == PSA_SUCCESS) ? PSA_ERROR_INVALID_HANDLE : status; 1306 } 1307 #endif 1308 /* Set the key slot containing the key description's state to 1309 * PENDING_DELETION. This stops new operations from registering 1310 * to read the slot. Current readers can safely continue to access 1311 * the key within the slot; the last registered reader will 1312 * automatically wipe the slot when they call psa_unregister_read(). 1313 * If the key is persistent, we can now delete the copy of the key 1314 * from memory. If the key is opaque, we require the driver to 1315 * deal with the deletion. */ 1316 overall_status = psa_key_slot_state_transition(slot, PSA_SLOT_FULL, 1317 PSA_SLOT_PENDING_DELETION); 1318 1319 if (overall_status != PSA_SUCCESS) { 1320 goto exit; 1321 } 1322 1323 if (PSA_KEY_LIFETIME_IS_READ_ONLY(slot->attr.lifetime)) { 1324 /* Refuse the destruction of a read-only key (which may or may not work 1325 * if we attempt it, depending on whether the key is merely read-only 1326 * by policy or actually physically read-only). 1327 * Just do the best we can, which is to wipe the copy in memory 1328 * (done in this function's cleanup code). */ 1329 overall_status = PSA_ERROR_NOT_PERMITTED; 1330 goto exit; 1331 } 1332 1333 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 1334 driver = psa_get_se_driver_entry(slot->attr.lifetime); 1335 if (driver != NULL) { 1336 /* For a key in a secure element, we need to do three things: 1337 * remove the key file in internal storage, destroy the 1338 * key inside the secure element, and update the driver's 1339 * persistent data. Start a transaction that will encompass these 1340 * three actions. */ 1341 psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_DESTROY_KEY); 1342 psa_crypto_transaction.key.lifetime = slot->attr.lifetime; 1343 psa_crypto_transaction.key.slot = psa_key_slot_get_slot_number(slot); 1344 psa_crypto_transaction.key.id = slot->attr.id; 1345 status = psa_crypto_save_transaction(); 1346 if (status != PSA_SUCCESS) { 1347 (void) psa_crypto_stop_transaction(); 1348 /* We should still try to destroy the key in the secure 1349 * element and the key metadata in storage. This is especially 1350 * important if the error is that the storage is full. 1351 * But how to do it exactly without risking an inconsistent 1352 * state after a reset? 1353 * https://github.com/ARMmbed/mbed-crypto/issues/215 1354 */ 1355 overall_status = status; 1356 goto exit; 1357 } 1358 1359 status = psa_destroy_se_key(driver, 1360 psa_key_slot_get_slot_number(slot)); 1361 if (overall_status == PSA_SUCCESS) { 1362 overall_status = status; 1363 } 1364 } 1365 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 1366 1367 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) 1368 if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) { 1369 /* Destroy the copy of the persistent key from storage. 1370 * The slot will still hold a copy of the key until the last reader 1371 * unregisters. */ 1372 status = psa_destroy_persistent_key(slot->attr.id); 1373 if (overall_status == PSA_SUCCESS) { 1374 overall_status = status; 1375 } 1376 } 1377 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ 1378 1379 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 1380 if (driver != NULL) { 1381 status = psa_save_se_persistent_data(driver); 1382 if (overall_status == PSA_SUCCESS) { 1383 overall_status = status; 1384 } 1385 status = psa_crypto_stop_transaction(); 1386 if (overall_status == PSA_SUCCESS) { 1387 overall_status = status; 1388 } 1389 } 1390 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 1391 1392 exit: 1393 /* Unregister from reading the slot. If we are the last active reader 1394 * then this will wipe the slot. */ 1395 status = psa_unregister_read(slot); 1396 /* Prioritize CORRUPTION_DETECTED from unregistering over 1397 * a storage error. */ 1398 if (status != PSA_SUCCESS) { 1399 overall_status = status; 1400 } 1401 1402 #if defined(MBEDTLS_THREADING_C) 1403 /* Don't overwrite existing errors if the unlock fails. */ 1404 status = overall_status; 1405 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( 1406 &mbedtls_threading_key_slot_mutex)); 1407 #endif 1408 1409 return overall_status; 1410 } 1411 1412 /** Retrieve all the publicly-accessible attributes of a key. 1413 */ 1414 psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key, 1415 psa_key_attributes_t *attributes) 1416 { 1417 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 1418 psa_key_slot_t *slot; 1419 1420 psa_reset_key_attributes(attributes); 1421 1422 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0); 1423 if (status != PSA_SUCCESS) { 1424 return status; 1425 } 1426 1427 *attributes = slot->attr; 1428 1429 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 1430 if (psa_get_se_driver_entry(slot->attr.lifetime) != NULL) { 1431 psa_set_key_slot_number(attributes, 1432 psa_key_slot_get_slot_number(slot)); 1433 } 1434 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 1435 1436 return psa_unregister_read_under_mutex(slot); 1437 } 1438 1439 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 1440 psa_status_t psa_get_key_slot_number( 1441 const psa_key_attributes_t *attributes, 1442 psa_key_slot_number_t *slot_number) 1443 { 1444 if (attributes->has_slot_number) { 1445 *slot_number = attributes->slot_number; 1446 return PSA_SUCCESS; 1447 } else { 1448 return PSA_ERROR_INVALID_ARGUMENT; 1449 } 1450 } 1451 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 1452 1453 static psa_status_t psa_export_key_buffer_internal(const uint8_t *key_buffer, 1454 size_t key_buffer_size, 1455 uint8_t *data, 1456 size_t data_size, 1457 size_t *data_length) 1458 { 1459 if (key_buffer_size > data_size) { 1460 return PSA_ERROR_BUFFER_TOO_SMALL; 1461 } 1462 memcpy(data, key_buffer, key_buffer_size); 1463 memset(data + key_buffer_size, 0, 1464 data_size - key_buffer_size); 1465 *data_length = key_buffer_size; 1466 return PSA_SUCCESS; 1467 } 1468 1469 psa_status_t psa_export_key_internal( 1470 const psa_key_attributes_t *attributes, 1471 const uint8_t *key_buffer, size_t key_buffer_size, 1472 uint8_t *data, size_t data_size, size_t *data_length) 1473 { 1474 psa_key_type_t type = attributes->type; 1475 1476 if (key_type_is_raw_bytes(type) || 1477 PSA_KEY_TYPE_IS_RSA(type) || 1478 PSA_KEY_TYPE_IS_ECC(type) || 1479 PSA_KEY_TYPE_IS_DH(type)) { 1480 return psa_export_key_buffer_internal( 1481 key_buffer, key_buffer_size, 1482 data, data_size, data_length); 1483 } else { 1484 /* This shouldn't happen in the reference implementation, but 1485 it is valid for a special-purpose implementation to omit 1486 support for exporting certain key types. */ 1487 return PSA_ERROR_NOT_SUPPORTED; 1488 } 1489 } 1490 1491 psa_status_t psa_export_key(mbedtls_svc_key_id_t key, 1492 uint8_t *data_external, 1493 size_t data_size, 1494 size_t *data_length) 1495 { 1496 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 1497 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 1498 psa_key_slot_t *slot; 1499 LOCAL_OUTPUT_DECLARE(data_external, data); 1500 1501 /* Reject a zero-length output buffer now, since this can never be a 1502 * valid key representation. This way we know that data must be a valid 1503 * pointer and we can do things like memset(data, ..., data_size). */ 1504 if (data_size == 0) { 1505 return PSA_ERROR_BUFFER_TOO_SMALL; 1506 } 1507 1508 /* Set the key to empty now, so that even when there are errors, we always 1509 * set data_length to a value between 0 and data_size. On error, setting 1510 * the key to empty is a good choice because an empty key representation is 1511 * unlikely to be accepted anywhere. */ 1512 *data_length = 0; 1513 1514 /* Export requires the EXPORT flag. There is an exception for public keys, 1515 * which don't require any flag, but 1516 * psa_get_and_lock_key_slot_with_policy() takes care of this. 1517 */ 1518 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 1519 PSA_KEY_USAGE_EXPORT, 0); 1520 if (status != PSA_SUCCESS) { 1521 return status; 1522 } 1523 1524 LOCAL_OUTPUT_ALLOC(data_external, data_size, data); 1525 1526 status = psa_driver_wrapper_export_key(&slot->attr, 1527 slot->key.data, slot->key.bytes, 1528 data, data_size, data_length); 1529 1530 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 1531 exit: 1532 #endif 1533 unlock_status = psa_unregister_read_under_mutex(slot); 1534 1535 LOCAL_OUTPUT_FREE(data_external, data); 1536 return (status == PSA_SUCCESS) ? unlock_status : status; 1537 } 1538 1539 psa_status_t psa_export_public_key_internal( 1540 const psa_key_attributes_t *attributes, 1541 const uint8_t *key_buffer, 1542 size_t key_buffer_size, 1543 uint8_t *data, 1544 size_t data_size, 1545 size_t *data_length) 1546 { 1547 psa_key_type_t type = attributes->type; 1548 1549 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) && 1550 (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type) || 1551 PSA_KEY_TYPE_IS_DH(type))) { 1552 /* Exporting public -> public */ 1553 return psa_export_key_buffer_internal( 1554 key_buffer, key_buffer_size, 1555 data, data_size, data_length); 1556 } else if (PSA_KEY_TYPE_IS_RSA(type)) { 1557 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \ 1558 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) 1559 return mbedtls_psa_rsa_export_public_key(attributes, 1560 key_buffer, 1561 key_buffer_size, 1562 data, 1563 data_size, 1564 data_length); 1565 #else 1566 /* We don't know how to convert a private RSA key to public. */ 1567 return PSA_ERROR_NOT_SUPPORTED; 1568 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || 1569 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ 1570 } else if (PSA_KEY_TYPE_IS_ECC(type)) { 1571 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \ 1572 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) 1573 return mbedtls_psa_ecp_export_public_key(attributes, 1574 key_buffer, 1575 key_buffer_size, 1576 data, 1577 data_size, 1578 data_length); 1579 #else 1580 /* We don't know how to convert a private ECC key to public */ 1581 return PSA_ERROR_NOT_SUPPORTED; 1582 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || 1583 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ 1584 } else if (PSA_KEY_TYPE_IS_DH(type)) { 1585 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \ 1586 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) 1587 return mbedtls_psa_ffdh_export_public_key(attributes, 1588 key_buffer, 1589 key_buffer_size, 1590 data, data_size, 1591 data_length); 1592 #else 1593 return PSA_ERROR_NOT_SUPPORTED; 1594 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || 1595 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */ 1596 } else { 1597 (void) key_buffer; 1598 (void) key_buffer_size; 1599 (void) data; 1600 (void) data_size; 1601 (void) data_length; 1602 return PSA_ERROR_NOT_SUPPORTED; 1603 } 1604 } 1605 1606 psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key, 1607 uint8_t *data_external, 1608 size_t data_size, 1609 size_t *data_length) 1610 { 1611 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 1612 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 1613 psa_key_slot_t *slot; 1614 1615 LOCAL_OUTPUT_DECLARE(data_external, data); 1616 1617 /* Reject a zero-length output buffer now, since this can never be a 1618 * valid key representation. This way we know that data must be a valid 1619 * pointer and we can do things like memset(data, ..., data_size). */ 1620 if (data_size == 0) { 1621 return PSA_ERROR_BUFFER_TOO_SMALL; 1622 } 1623 1624 /* Set the key to empty now, so that even when there are errors, we always 1625 * set data_length to a value between 0 and data_size. On error, setting 1626 * the key to empty is a good choice because an empty key representation is 1627 * unlikely to be accepted anywhere. */ 1628 *data_length = 0; 1629 1630 /* Exporting a public key doesn't require a usage flag. */ 1631 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0); 1632 if (status != PSA_SUCCESS) { 1633 return status; 1634 } 1635 1636 LOCAL_OUTPUT_ALLOC(data_external, data_size, data); 1637 1638 if (!PSA_KEY_TYPE_IS_ASYMMETRIC(slot->attr.type)) { 1639 status = PSA_ERROR_INVALID_ARGUMENT; 1640 goto exit; 1641 } 1642 1643 status = psa_driver_wrapper_export_public_key( 1644 &slot->attr, slot->key.data, slot->key.bytes, 1645 data, data_size, data_length); 1646 1647 exit: 1648 unlock_status = psa_unregister_read_under_mutex(slot); 1649 1650 LOCAL_OUTPUT_FREE(data_external, data); 1651 return (status == PSA_SUCCESS) ? unlock_status : status; 1652 } 1653 1654 /** Validate that a key policy is internally well-formed. 1655 * 1656 * This function only rejects invalid policies. It does not validate the 1657 * consistency of the policy with respect to other attributes of the key 1658 * such as the key type. 1659 */ 1660 static psa_status_t psa_validate_key_policy(const psa_key_policy_t *policy) 1661 { 1662 if ((policy->usage & ~(PSA_KEY_USAGE_EXPORT | 1663 PSA_KEY_USAGE_COPY | 1664 PSA_KEY_USAGE_ENCRYPT | 1665 PSA_KEY_USAGE_DECRYPT | 1666 PSA_KEY_USAGE_SIGN_MESSAGE | 1667 PSA_KEY_USAGE_VERIFY_MESSAGE | 1668 PSA_KEY_USAGE_SIGN_HASH | 1669 PSA_KEY_USAGE_VERIFY_HASH | 1670 PSA_KEY_USAGE_VERIFY_DERIVATION | 1671 PSA_KEY_USAGE_DERIVE)) != 0) { 1672 return PSA_ERROR_INVALID_ARGUMENT; 1673 } 1674 1675 return PSA_SUCCESS; 1676 } 1677 1678 /** Validate the internal consistency of key attributes. 1679 * 1680 * This function only rejects invalid attribute values. If does not 1681 * validate the consistency of the attributes with any key data that may 1682 * be involved in the creation of the key. 1683 * 1684 * Call this function early in the key creation process. 1685 * 1686 * \param[in] attributes Key attributes for the new key. 1687 * \param[out] p_drv On any return, the driver for the key, if any. 1688 * NULL for a transparent key. 1689 * 1690 */ 1691 static psa_status_t psa_validate_key_attributes( 1692 const psa_key_attributes_t *attributes, 1693 psa_se_drv_table_entry_t **p_drv) 1694 { 1695 psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; 1696 psa_key_lifetime_t lifetime = psa_get_key_lifetime(attributes); 1697 mbedtls_svc_key_id_t key = psa_get_key_id(attributes); 1698 1699 status = psa_validate_key_location(lifetime, p_drv); 1700 if (status != PSA_SUCCESS) { 1701 return status; 1702 } 1703 1704 status = psa_validate_key_persistence(lifetime); 1705 if (status != PSA_SUCCESS) { 1706 return status; 1707 } 1708 1709 if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) { 1710 if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key) != 0) { 1711 return PSA_ERROR_INVALID_ARGUMENT; 1712 } 1713 } else { 1714 if (!psa_is_valid_key_id(psa_get_key_id(attributes), 0)) { 1715 return PSA_ERROR_INVALID_ARGUMENT; 1716 } 1717 } 1718 1719 status = psa_validate_key_policy(&attributes->policy); 1720 if (status != PSA_SUCCESS) { 1721 return status; 1722 } 1723 1724 /* Refuse to create overly large keys. 1725 * Note that this doesn't trigger on import if the attributes don't 1726 * explicitly specify a size (so psa_get_key_bits returns 0), so 1727 * psa_import_key() needs its own checks. */ 1728 if (psa_get_key_bits(attributes) > PSA_MAX_KEY_BITS) { 1729 return PSA_ERROR_NOT_SUPPORTED; 1730 } 1731 1732 return PSA_SUCCESS; 1733 } 1734 1735 /** Prepare a key slot to receive key material. 1736 * 1737 * This function allocates a key slot and sets its metadata. 1738 * 1739 * If this function fails, call psa_fail_key_creation(). 1740 * 1741 * This function is intended to be used as follows: 1742 * -# Call psa_start_key_creation() to allocate a key slot, prepare 1743 * it with the specified attributes, and in case of a volatile key assign it 1744 * a volatile key identifier. 1745 * -# Populate the slot with the key material. 1746 * -# Call psa_finish_key_creation() to finalize the creation of the slot. 1747 * In case of failure at any step, stop the sequence and call 1748 * psa_fail_key_creation(). 1749 * 1750 * On success, the key slot's state is PSA_SLOT_FILLING. 1751 * It is the responsibility of the caller to change the slot's state to 1752 * PSA_SLOT_EMPTY/FULL once key creation has finished. 1753 * 1754 * \param method An identification of the calling function. 1755 * \param[in] attributes Key attributes for the new key. 1756 * \param[out] p_slot On success, a pointer to the prepared slot. 1757 * \param[out] p_drv On any return, the driver for the key, if any. 1758 * NULL for a transparent key. 1759 * 1760 * \retval #PSA_SUCCESS 1761 * The key slot is ready to receive key material. 1762 * \return If this function fails, the key slot is an invalid state. 1763 * You must call psa_fail_key_creation() to wipe and free the slot. 1764 */ 1765 static psa_status_t psa_start_key_creation( 1766 psa_key_creation_method_t method, 1767 const psa_key_attributes_t *attributes, 1768 psa_key_slot_t **p_slot, 1769 psa_se_drv_table_entry_t **p_drv) 1770 { 1771 psa_status_t status; 1772 1773 (void) method; 1774 *p_drv = NULL; 1775 1776 status = psa_validate_key_attributes(attributes, p_drv); 1777 if (status != PSA_SUCCESS) { 1778 return status; 1779 } 1780 1781 int key_is_volatile = PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime); 1782 psa_key_id_t volatile_key_id; 1783 1784 #if defined(MBEDTLS_THREADING_C) 1785 PSA_THREADING_CHK_RET(mbedtls_mutex_lock( 1786 &mbedtls_threading_key_slot_mutex)); 1787 #endif 1788 status = psa_reserve_free_key_slot( 1789 key_is_volatile ? &volatile_key_id : NULL, 1790 p_slot); 1791 #if defined(MBEDTLS_THREADING_C) 1792 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( 1793 &mbedtls_threading_key_slot_mutex)); 1794 #endif 1795 if (status != PSA_SUCCESS) { 1796 return status; 1797 } 1798 psa_key_slot_t *slot = *p_slot; 1799 1800 /* We're storing the declared bit-size of the key. It's up to each 1801 * creation mechanism to verify that this information is correct. 1802 * It's automatically correct for mechanisms that use the bit-size as 1803 * an input (generate, device) but not for those where the bit-size 1804 * is optional (import, copy). In case of a volatile key, assign it the 1805 * volatile key identifier associated to the slot returned to contain its 1806 * definition. */ 1807 1808 slot->attr = *attributes; 1809 if (key_is_volatile) { 1810 #if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) 1811 slot->attr.id = volatile_key_id; 1812 #else 1813 slot->attr.id.key_id = volatile_key_id; 1814 #endif 1815 } 1816 1817 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 1818 /* For a key in a secure element, we need to do three things 1819 * when creating or registering a persistent key: 1820 * create the key file in internal storage, create the 1821 * key inside the secure element, and update the driver's 1822 * persistent data. This is done by starting a transaction that will 1823 * encompass these three actions. 1824 * For registering a volatile key, we just need to find an appropriate 1825 * slot number inside the SE. Since the key is designated volatile, creating 1826 * a transaction is not required. */ 1827 /* The first thing to do is to find a slot number for the new key. 1828 * We save the slot number in persistent storage as part of the 1829 * transaction data. It will be needed to recover if the power 1830 * fails during the key creation process, to clean up on the secure 1831 * element side after restarting. Obtaining a slot number from the 1832 * secure element driver updates its persistent state, but we do not yet 1833 * save the driver's persistent state, so that if the power fails, 1834 * we can roll back to a state where the key doesn't exist. */ 1835 if (*p_drv != NULL) { 1836 psa_key_slot_number_t slot_number; 1837 status = psa_find_se_slot_for_key(attributes, method, *p_drv, 1838 &slot_number); 1839 if (status != PSA_SUCCESS) { 1840 return status; 1841 } 1842 1843 if (!PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime)) { 1844 psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_CREATE_KEY); 1845 psa_crypto_transaction.key.lifetime = slot->attr.lifetime; 1846 psa_crypto_transaction.key.slot = slot_number; 1847 psa_crypto_transaction.key.id = slot->attr.id; 1848 status = psa_crypto_save_transaction(); 1849 if (status != PSA_SUCCESS) { 1850 (void) psa_crypto_stop_transaction(); 1851 return status; 1852 } 1853 } 1854 1855 status = psa_copy_key_material_into_slot( 1856 slot, (uint8_t *) (&slot_number), sizeof(slot_number)); 1857 if (status != PSA_SUCCESS) { 1858 return status; 1859 } 1860 } 1861 1862 if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) { 1863 /* Key registration only makes sense with a secure element. */ 1864 return PSA_ERROR_INVALID_ARGUMENT; 1865 } 1866 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 1867 1868 return PSA_SUCCESS; 1869 } 1870 1871 /** Finalize the creation of a key once its key material has been set. 1872 * 1873 * This entails writing the key to persistent storage. 1874 * 1875 * If this function fails, call psa_fail_key_creation(). 1876 * See the documentation of psa_start_key_creation() for the intended use 1877 * of this function. 1878 * 1879 * If the finalization succeeds, the function sets the key slot's state to 1880 * PSA_SLOT_FULL, and the key slot can no longer be accessed as part of the 1881 * key creation process. 1882 * 1883 * \param[in,out] slot Pointer to the slot with key material. 1884 * \param[in] driver The secure element driver for the key, 1885 * or NULL for a transparent key. 1886 * \param[out] key On success, identifier of the key. Note that the 1887 * key identifier is also stored in the key slot. 1888 * 1889 * \retval #PSA_SUCCESS 1890 * The key was successfully created. 1891 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription 1892 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription 1893 * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription 1894 * \retval #PSA_ERROR_DATA_INVALID \emptydescription 1895 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription 1896 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription 1897 * 1898 * \return If this function fails, the key slot is an invalid state. 1899 * You must call psa_fail_key_creation() to wipe and free the slot. 1900 */ 1901 static psa_status_t psa_finish_key_creation( 1902 psa_key_slot_t *slot, 1903 psa_se_drv_table_entry_t *driver, 1904 mbedtls_svc_key_id_t *key) 1905 { 1906 psa_status_t status = PSA_SUCCESS; 1907 (void) slot; 1908 (void) driver; 1909 1910 #if defined(MBEDTLS_THREADING_C) 1911 PSA_THREADING_CHK_RET(mbedtls_mutex_lock( 1912 &mbedtls_threading_key_slot_mutex)); 1913 #endif 1914 1915 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) 1916 if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) { 1917 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 1918 if (driver != NULL) { 1919 psa_se_key_data_storage_t data; 1920 psa_key_slot_number_t slot_number = 1921 psa_key_slot_get_slot_number(slot); 1922 1923 MBEDTLS_STATIC_ASSERT(sizeof(slot_number) == 1924 sizeof(data.slot_number), 1925 "Slot number size does not match psa_se_key_data_storage_t"); 1926 1927 memcpy(&data.slot_number, &slot_number, sizeof(slot_number)); 1928 status = psa_save_persistent_key(&slot->attr, 1929 (uint8_t *) &data, 1930 sizeof(data)); 1931 } else 1932 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 1933 { 1934 /* Key material is saved in export representation in the slot, so 1935 * just pass the slot buffer for storage. */ 1936 status = psa_save_persistent_key(&slot->attr, 1937 slot->key.data, 1938 slot->key.bytes); 1939 } 1940 } 1941 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ 1942 1943 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 1944 /* Finish the transaction for a key creation. This does not 1945 * happen when registering an existing key. Detect this case 1946 * by checking whether a transaction is in progress (actual 1947 * creation of a persistent key in a secure element requires a transaction, 1948 * but registration or volatile key creation doesn't use one). */ 1949 if (driver != NULL && 1950 psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY) { 1951 status = psa_save_se_persistent_data(driver); 1952 if (status != PSA_SUCCESS) { 1953 psa_destroy_persistent_key(slot->attr.id); 1954 1955 #if defined(MBEDTLS_THREADING_C) 1956 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( 1957 &mbedtls_threading_key_slot_mutex)); 1958 #endif 1959 return status; 1960 } 1961 status = psa_crypto_stop_transaction(); 1962 } 1963 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 1964 1965 if (status == PSA_SUCCESS) { 1966 *key = slot->attr.id; 1967 status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING, 1968 PSA_SLOT_FULL); 1969 if (status != PSA_SUCCESS) { 1970 *key = MBEDTLS_SVC_KEY_ID_INIT; 1971 } 1972 } 1973 1974 #if defined(MBEDTLS_THREADING_C) 1975 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( 1976 &mbedtls_threading_key_slot_mutex)); 1977 #endif 1978 return status; 1979 } 1980 1981 /** Abort the creation of a key. 1982 * 1983 * You may call this function after calling psa_start_key_creation(), 1984 * or after psa_finish_key_creation() fails. In other circumstances, this 1985 * function may not clean up persistent storage. 1986 * See the documentation of psa_start_key_creation() for the intended use 1987 * of this function. Sets the slot's state to PSA_SLOT_EMPTY. 1988 * 1989 * \param[in,out] slot Pointer to the slot with key material. 1990 * \param[in] driver The secure element driver for the key, 1991 * or NULL for a transparent key. 1992 */ 1993 static void psa_fail_key_creation(psa_key_slot_t *slot, 1994 psa_se_drv_table_entry_t *driver) 1995 { 1996 (void) driver; 1997 1998 if (slot == NULL) { 1999 return; 2000 } 2001 2002 #if defined(MBEDTLS_THREADING_C) 2003 /* If the lock operation fails we still wipe the slot. 2004 * Operations will no longer work after a failed lock, 2005 * but we still need to wipe the slot of confidential data. */ 2006 mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex); 2007 #endif 2008 2009 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 2010 /* TODO: If the key has already been created in the secure 2011 * element, and the failure happened later (when saving metadata 2012 * to internal storage), we need to destroy the key in the secure 2013 * element. 2014 * https://github.com/ARMmbed/mbed-crypto/issues/217 2015 */ 2016 2017 /* Abort the ongoing transaction if any (there may not be one if 2018 * the creation process failed before starting one, or if the 2019 * key creation is a registration of a key in a secure element). 2020 * Earlier functions must already have done what it takes to undo any 2021 * partial creation. All that's left is to update the transaction data 2022 * itself. */ 2023 (void) psa_crypto_stop_transaction(); 2024 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 2025 2026 psa_wipe_key_slot(slot); 2027 2028 #if defined(MBEDTLS_THREADING_C) 2029 mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex); 2030 #endif 2031 } 2032 2033 /** Validate optional attributes during key creation. 2034 * 2035 * Some key attributes are optional during key creation. If they are 2036 * specified in the attributes structure, check that they are consistent 2037 * with the data in the slot. 2038 * 2039 * This function should be called near the end of key creation, after 2040 * the slot in memory is fully populated but before saving persistent data. 2041 */ 2042 static psa_status_t psa_validate_optional_attributes( 2043 const psa_key_slot_t *slot, 2044 const psa_key_attributes_t *attributes) 2045 { 2046 if (attributes->type != 0) { 2047 if (attributes->type != slot->attr.type) { 2048 return PSA_ERROR_INVALID_ARGUMENT; 2049 } 2050 } 2051 2052 if (attributes->bits != 0) { 2053 if (attributes->bits != slot->attr.bits) { 2054 return PSA_ERROR_INVALID_ARGUMENT; 2055 } 2056 } 2057 2058 return PSA_SUCCESS; 2059 } 2060 2061 psa_status_t psa_import_key(const psa_key_attributes_t *attributes, 2062 const uint8_t *data_external, 2063 size_t data_length, 2064 mbedtls_svc_key_id_t *key) 2065 { 2066 psa_status_t status; 2067 LOCAL_INPUT_DECLARE(data_external, data); 2068 psa_key_slot_t *slot = NULL; 2069 psa_se_drv_table_entry_t *driver = NULL; 2070 size_t bits; 2071 size_t storage_size = data_length; 2072 2073 *key = MBEDTLS_SVC_KEY_ID_INIT; 2074 2075 /* Reject zero-length symmetric keys (including raw data key objects). 2076 * This also rejects any key which might be encoded as an empty string, 2077 * which is never valid. */ 2078 if (data_length == 0) { 2079 return PSA_ERROR_INVALID_ARGUMENT; 2080 } 2081 2082 /* Ensure that the bytes-to-bits conversion cannot overflow. */ 2083 if (data_length > SIZE_MAX / 8) { 2084 return PSA_ERROR_NOT_SUPPORTED; 2085 } 2086 2087 LOCAL_INPUT_ALLOC(data_external, data_length, data); 2088 2089 status = psa_start_key_creation(PSA_KEY_CREATION_IMPORT, attributes, 2090 &slot, &driver); 2091 if (status != PSA_SUCCESS) { 2092 goto exit; 2093 } 2094 2095 /* In the case of a transparent key or an opaque key stored in local 2096 * storage ( thus not in the case of importing a key in a secure element 2097 * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a 2098 * buffer to hold the imported key material. */ 2099 if (slot->key.data == NULL) { 2100 if (psa_key_lifetime_is_external(attributes->lifetime)) { 2101 status = psa_driver_wrapper_get_key_buffer_size_from_key_data( 2102 attributes, data, data_length, &storage_size); 2103 if (status != PSA_SUCCESS) { 2104 goto exit; 2105 } 2106 } 2107 status = psa_allocate_buffer_to_slot(slot, storage_size); 2108 if (status != PSA_SUCCESS) { 2109 goto exit; 2110 } 2111 } 2112 2113 bits = slot->attr.bits; 2114 status = psa_driver_wrapper_import_key(attributes, 2115 data, data_length, 2116 slot->key.data, 2117 slot->key.bytes, 2118 &slot->key.bytes, &bits); 2119 if (status != PSA_SUCCESS) { 2120 goto exit; 2121 } 2122 2123 if (slot->attr.bits == 0) { 2124 slot->attr.bits = (psa_key_bits_t) bits; 2125 } else if (bits != slot->attr.bits) { 2126 status = PSA_ERROR_INVALID_ARGUMENT; 2127 goto exit; 2128 } 2129 2130 /* Enforce a size limit, and in particular ensure that the bit 2131 * size fits in its representation type.*/ 2132 if (bits > PSA_MAX_KEY_BITS) { 2133 status = PSA_ERROR_NOT_SUPPORTED; 2134 goto exit; 2135 } 2136 status = psa_validate_optional_attributes(slot, attributes); 2137 if (status != PSA_SUCCESS) { 2138 goto exit; 2139 } 2140 2141 status = psa_finish_key_creation(slot, driver, key); 2142 exit: 2143 LOCAL_INPUT_FREE(data_external, data); 2144 if (status != PSA_SUCCESS) { 2145 psa_fail_key_creation(slot, driver); 2146 } 2147 2148 return status; 2149 } 2150 2151 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 2152 psa_status_t mbedtls_psa_register_se_key( 2153 const psa_key_attributes_t *attributes) 2154 { 2155 psa_status_t status; 2156 psa_key_slot_t *slot = NULL; 2157 psa_se_drv_table_entry_t *driver = NULL; 2158 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2159 2160 /* Leaving attributes unspecified is not currently supported. 2161 * It could make sense to query the key type and size from the 2162 * secure element, but not all secure elements support this 2163 * and the driver HAL doesn't currently support it. */ 2164 if (psa_get_key_type(attributes) == PSA_KEY_TYPE_NONE) { 2165 return PSA_ERROR_NOT_SUPPORTED; 2166 } 2167 if (psa_get_key_bits(attributes) == 0) { 2168 return PSA_ERROR_NOT_SUPPORTED; 2169 } 2170 2171 /* Not usable with volatile keys, even with an appropriate location, 2172 * due to the API design. 2173 * https://github.com/Mbed-TLS/mbedtls/issues/9253 2174 */ 2175 if (PSA_KEY_LIFETIME_IS_VOLATILE(psa_get_key_lifetime(attributes))) { 2176 return PSA_ERROR_INVALID_ARGUMENT; 2177 } 2178 2179 status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes, 2180 &slot, &driver); 2181 if (status != PSA_SUCCESS) { 2182 goto exit; 2183 } 2184 2185 status = psa_finish_key_creation(slot, driver, &key); 2186 2187 exit: 2188 if (status != PSA_SUCCESS) { 2189 psa_fail_key_creation(slot, driver); 2190 } 2191 2192 /* Registration doesn't keep the key in RAM. */ 2193 psa_close_key(key); 2194 return status; 2195 } 2196 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 2197 2198 psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key, 2199 const psa_key_attributes_t *specified_attributes, 2200 mbedtls_svc_key_id_t *target_key) 2201 { 2202 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2203 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 2204 psa_key_slot_t *source_slot = NULL; 2205 psa_key_slot_t *target_slot = NULL; 2206 psa_key_attributes_t actual_attributes = *specified_attributes; 2207 psa_se_drv_table_entry_t *driver = NULL; 2208 size_t storage_size = 0; 2209 2210 *target_key = MBEDTLS_SVC_KEY_ID_INIT; 2211 2212 status = psa_get_and_lock_key_slot_with_policy( 2213 source_key, &source_slot, PSA_KEY_USAGE_COPY, 0); 2214 if (status != PSA_SUCCESS) { 2215 goto exit; 2216 } 2217 2218 status = psa_validate_optional_attributes(source_slot, 2219 specified_attributes); 2220 if (status != PSA_SUCCESS) { 2221 goto exit; 2222 } 2223 2224 /* The target key type and number of bits have been validated by 2225 * psa_validate_optional_attributes() to be either equal to zero or 2226 * equal to the ones of the source key. So it is safe to inherit 2227 * them from the source key now." 2228 * */ 2229 actual_attributes.bits = source_slot->attr.bits; 2230 actual_attributes.type = source_slot->attr.type; 2231 2232 2233 status = psa_restrict_key_policy(source_slot->attr.type, 2234 &actual_attributes.policy, 2235 &source_slot->attr.policy); 2236 if (status != PSA_SUCCESS) { 2237 goto exit; 2238 } 2239 2240 status = psa_start_key_creation(PSA_KEY_CREATION_COPY, &actual_attributes, 2241 &target_slot, &driver); 2242 if (status != PSA_SUCCESS) { 2243 goto exit; 2244 } 2245 if (PSA_KEY_LIFETIME_GET_LOCATION(target_slot->attr.lifetime) != 2246 PSA_KEY_LIFETIME_GET_LOCATION(source_slot->attr.lifetime)) { 2247 /* 2248 * If the source and target keys are stored in different locations, 2249 * the source key would need to be exported as plaintext and re-imported 2250 * in the other location. This has security implications which have not 2251 * been fully mapped. For now, this can be achieved through 2252 * appropriate API invocations from the application, if needed. 2253 * */ 2254 status = PSA_ERROR_NOT_SUPPORTED; 2255 goto exit; 2256 } 2257 /* 2258 * When the source and target keys are within the same location, 2259 * - For transparent keys it is a blind copy without any driver invocation, 2260 * - For opaque keys this translates to an invocation of the drivers' 2261 * copy_key entry point through the dispatch layer. 2262 * */ 2263 if (psa_key_lifetime_is_external(actual_attributes.lifetime)) { 2264 status = psa_driver_wrapper_get_key_buffer_size(&actual_attributes, 2265 &storage_size); 2266 if (status != PSA_SUCCESS) { 2267 goto exit; 2268 } 2269 2270 status = psa_allocate_buffer_to_slot(target_slot, storage_size); 2271 if (status != PSA_SUCCESS) { 2272 goto exit; 2273 } 2274 2275 status = psa_driver_wrapper_copy_key(&actual_attributes, 2276 source_slot->key.data, 2277 source_slot->key.bytes, 2278 target_slot->key.data, 2279 target_slot->key.bytes, 2280 &target_slot->key.bytes); 2281 if (status != PSA_SUCCESS) { 2282 goto exit; 2283 } 2284 } else { 2285 status = psa_copy_key_material_into_slot(target_slot, 2286 source_slot->key.data, 2287 source_slot->key.bytes); 2288 if (status != PSA_SUCCESS) { 2289 goto exit; 2290 } 2291 } 2292 status = psa_finish_key_creation(target_slot, driver, target_key); 2293 exit: 2294 if (status != PSA_SUCCESS) { 2295 psa_fail_key_creation(target_slot, driver); 2296 } 2297 2298 unlock_status = psa_unregister_read_under_mutex(source_slot); 2299 2300 return (status == PSA_SUCCESS) ? unlock_status : status; 2301 } 2302 2303 2304 2305 /****************************************************************/ 2306 /* Message digests */ 2307 /****************************************************************/ 2308 2309 psa_status_t psa_hash_abort(psa_hash_operation_t *operation) 2310 { 2311 /* Aborting a non-active operation is allowed */ 2312 if (operation->id == 0) { 2313 return PSA_SUCCESS; 2314 } 2315 2316 psa_status_t status = psa_driver_wrapper_hash_abort(operation); 2317 operation->id = 0; 2318 2319 return status; 2320 } 2321 2322 psa_status_t psa_hash_setup(psa_hash_operation_t *operation, 2323 psa_algorithm_t alg) 2324 { 2325 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2326 2327 /* A context must be freshly initialized before it can be set up. */ 2328 if (operation->id != 0) { 2329 status = PSA_ERROR_BAD_STATE; 2330 goto exit; 2331 } 2332 2333 if (!PSA_ALG_IS_HASH(alg)) { 2334 status = PSA_ERROR_INVALID_ARGUMENT; 2335 goto exit; 2336 } 2337 2338 /* Ensure all of the context is zeroized, since PSA_HASH_OPERATION_INIT only 2339 * directly zeroes the int-sized dummy member of the context union. */ 2340 memset(&operation->ctx, 0, sizeof(operation->ctx)); 2341 2342 status = psa_driver_wrapper_hash_setup(operation, alg); 2343 2344 exit: 2345 if (status != PSA_SUCCESS) { 2346 psa_hash_abort(operation); 2347 } 2348 2349 return status; 2350 } 2351 2352 psa_status_t psa_hash_update(psa_hash_operation_t *operation, 2353 const uint8_t *input_external, 2354 size_t input_length) 2355 { 2356 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2357 LOCAL_INPUT_DECLARE(input_external, input); 2358 2359 if (operation->id == 0) { 2360 status = PSA_ERROR_BAD_STATE; 2361 goto exit; 2362 } 2363 2364 /* Don't require hash implementations to behave correctly on a 2365 * zero-length input, which may have an invalid pointer. */ 2366 if (input_length == 0) { 2367 return PSA_SUCCESS; 2368 } 2369 2370 LOCAL_INPUT_ALLOC(input_external, input_length, input); 2371 status = psa_driver_wrapper_hash_update(operation, input, input_length); 2372 2373 exit: 2374 if (status != PSA_SUCCESS) { 2375 psa_hash_abort(operation); 2376 } 2377 2378 LOCAL_INPUT_FREE(input_external, input); 2379 return status; 2380 } 2381 2382 static psa_status_t psa_hash_finish_internal(psa_hash_operation_t *operation, 2383 uint8_t *hash, 2384 size_t hash_size, 2385 size_t *hash_length) 2386 { 2387 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2388 2389 *hash_length = 0; 2390 if (operation->id == 0) { 2391 return PSA_ERROR_BAD_STATE; 2392 } 2393 2394 status = psa_driver_wrapper_hash_finish( 2395 operation, hash, hash_size, hash_length); 2396 psa_hash_abort(operation); 2397 2398 return status; 2399 } 2400 2401 psa_status_t psa_hash_finish(psa_hash_operation_t *operation, 2402 uint8_t *hash_external, 2403 size_t hash_size, 2404 size_t *hash_length) 2405 { 2406 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2407 LOCAL_OUTPUT_DECLARE(hash_external, hash); 2408 2409 LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash); 2410 status = psa_hash_finish_internal(operation, hash, hash_size, hash_length); 2411 2412 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 2413 exit: 2414 #endif 2415 LOCAL_OUTPUT_FREE(hash_external, hash); 2416 return status; 2417 } 2418 2419 psa_status_t psa_hash_verify(psa_hash_operation_t *operation, 2420 const uint8_t *hash_external, 2421 size_t hash_length) 2422 { 2423 uint8_t actual_hash[PSA_HASH_MAX_SIZE]; 2424 size_t actual_hash_length; 2425 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2426 LOCAL_INPUT_DECLARE(hash_external, hash); 2427 2428 status = psa_hash_finish_internal( 2429 operation, 2430 actual_hash, sizeof(actual_hash), 2431 &actual_hash_length); 2432 2433 if (status != PSA_SUCCESS) { 2434 goto exit; 2435 } 2436 2437 if (actual_hash_length != hash_length) { 2438 status = PSA_ERROR_INVALID_SIGNATURE; 2439 goto exit; 2440 } 2441 2442 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); 2443 if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) { 2444 status = PSA_ERROR_INVALID_SIGNATURE; 2445 } 2446 2447 exit: 2448 mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash)); 2449 if (status != PSA_SUCCESS) { 2450 psa_hash_abort(operation); 2451 } 2452 LOCAL_INPUT_FREE(hash_external, hash); 2453 return status; 2454 } 2455 2456 psa_status_t psa_hash_compute(psa_algorithm_t alg, 2457 const uint8_t *input_external, size_t input_length, 2458 uint8_t *hash_external, size_t hash_size, 2459 size_t *hash_length) 2460 { 2461 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2462 LOCAL_INPUT_DECLARE(input_external, input); 2463 LOCAL_OUTPUT_DECLARE(hash_external, hash); 2464 2465 *hash_length = 0; 2466 if (!PSA_ALG_IS_HASH(alg)) { 2467 return PSA_ERROR_INVALID_ARGUMENT; 2468 } 2469 2470 LOCAL_INPUT_ALLOC(input_external, input_length, input); 2471 LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash); 2472 status = psa_driver_wrapper_hash_compute(alg, input, input_length, 2473 hash, hash_size, hash_length); 2474 2475 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 2476 exit: 2477 #endif 2478 LOCAL_INPUT_FREE(input_external, input); 2479 LOCAL_OUTPUT_FREE(hash_external, hash); 2480 return status; 2481 } 2482 2483 psa_status_t psa_hash_compare(psa_algorithm_t alg, 2484 const uint8_t *input_external, size_t input_length, 2485 const uint8_t *hash_external, size_t hash_length) 2486 { 2487 uint8_t actual_hash[PSA_HASH_MAX_SIZE]; 2488 size_t actual_hash_length; 2489 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2490 2491 LOCAL_INPUT_DECLARE(input_external, input); 2492 LOCAL_INPUT_DECLARE(hash_external, hash); 2493 2494 if (!PSA_ALG_IS_HASH(alg)) { 2495 status = PSA_ERROR_INVALID_ARGUMENT; 2496 return status; 2497 } 2498 2499 LOCAL_INPUT_ALLOC(input_external, input_length, input); 2500 status = psa_driver_wrapper_hash_compute( 2501 alg, input, input_length, 2502 actual_hash, sizeof(actual_hash), 2503 &actual_hash_length); 2504 if (status != PSA_SUCCESS) { 2505 goto exit; 2506 } 2507 if (actual_hash_length != hash_length) { 2508 status = PSA_ERROR_INVALID_SIGNATURE; 2509 goto exit; 2510 } 2511 2512 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); 2513 if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) { 2514 status = PSA_ERROR_INVALID_SIGNATURE; 2515 } 2516 2517 exit: 2518 mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash)); 2519 2520 LOCAL_INPUT_FREE(input_external, input); 2521 LOCAL_INPUT_FREE(hash_external, hash); 2522 2523 return status; 2524 } 2525 2526 psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation, 2527 psa_hash_operation_t *target_operation) 2528 { 2529 if (source_operation->id == 0 || 2530 target_operation->id != 0) { 2531 return PSA_ERROR_BAD_STATE; 2532 } 2533 2534 psa_status_t status = psa_driver_wrapper_hash_clone(source_operation, 2535 target_operation); 2536 if (status != PSA_SUCCESS) { 2537 psa_hash_abort(target_operation); 2538 } 2539 2540 return status; 2541 } 2542 2543 2544 /****************************************************************/ 2545 /* MAC */ 2546 /****************************************************************/ 2547 2548 psa_status_t psa_mac_abort(psa_mac_operation_t *operation) 2549 { 2550 /* Aborting a non-active operation is allowed */ 2551 if (operation->id == 0) { 2552 return PSA_SUCCESS; 2553 } 2554 2555 psa_status_t status = psa_driver_wrapper_mac_abort(operation); 2556 operation->mac_size = 0; 2557 operation->is_sign = 0; 2558 operation->id = 0; 2559 2560 return status; 2561 } 2562 2563 static psa_status_t psa_mac_finalize_alg_and_key_validation( 2564 psa_algorithm_t alg, 2565 const psa_key_attributes_t *attributes, 2566 uint8_t *mac_size) 2567 { 2568 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2569 psa_key_type_t key_type = psa_get_key_type(attributes); 2570 size_t key_bits = psa_get_key_bits(attributes); 2571 2572 if (!PSA_ALG_IS_MAC(alg)) { 2573 return PSA_ERROR_INVALID_ARGUMENT; 2574 } 2575 2576 /* Validate the combination of key type and algorithm */ 2577 status = psa_mac_key_can_do(alg, key_type); 2578 if (status != PSA_SUCCESS) { 2579 return status; 2580 } 2581 2582 /* Get the output length for the algorithm and key combination */ 2583 *mac_size = PSA_MAC_LENGTH(key_type, key_bits, alg); 2584 2585 if (*mac_size < 4) { 2586 /* A very short MAC is too short for security since it can be 2587 * brute-forced. Ancient protocols with 32-bit MACs do exist, 2588 * so we make this our minimum, even though 32 bits is still 2589 * too small for security. */ 2590 return PSA_ERROR_NOT_SUPPORTED; 2591 } 2592 2593 if (*mac_size > PSA_MAC_LENGTH(key_type, key_bits, 2594 PSA_ALG_FULL_LENGTH_MAC(alg))) { 2595 /* It's impossible to "truncate" to a larger length than the full length 2596 * of the algorithm. */ 2597 return PSA_ERROR_INVALID_ARGUMENT; 2598 } 2599 2600 if (*mac_size > PSA_MAC_MAX_SIZE) { 2601 /* PSA_MAC_LENGTH returns the correct length even for a MAC algorithm 2602 * that is disabled in the compile-time configuration. The result can 2603 * therefore be larger than PSA_MAC_MAX_SIZE, which does take the 2604 * configuration into account. In this case, force a return of 2605 * PSA_ERROR_NOT_SUPPORTED here. Otherwise psa_mac_verify(), or 2606 * psa_mac_compute(mac_size=PSA_MAC_MAX_SIZE), would return 2607 * PSA_ERROR_BUFFER_TOO_SMALL for an unsupported algorithm whose MAC size 2608 * is larger than PSA_MAC_MAX_SIZE, which is misleading and which breaks 2609 * systematically generated tests. */ 2610 return PSA_ERROR_NOT_SUPPORTED; 2611 } 2612 2613 return PSA_SUCCESS; 2614 } 2615 2616 static psa_status_t psa_mac_setup(psa_mac_operation_t *operation, 2617 mbedtls_svc_key_id_t key, 2618 psa_algorithm_t alg, 2619 int is_sign) 2620 { 2621 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2622 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 2623 psa_key_slot_t *slot = NULL; 2624 2625 /* A context must be freshly initialized before it can be set up. */ 2626 if (operation->id != 0) { 2627 status = PSA_ERROR_BAD_STATE; 2628 goto exit; 2629 } 2630 2631 status = psa_get_and_lock_key_slot_with_policy( 2632 key, 2633 &slot, 2634 is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE, 2635 alg); 2636 if (status != PSA_SUCCESS) { 2637 goto exit; 2638 } 2639 2640 status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr, 2641 &operation->mac_size); 2642 if (status != PSA_SUCCESS) { 2643 goto exit; 2644 } 2645 2646 operation->is_sign = is_sign; 2647 /* Dispatch the MAC setup call with validated input */ 2648 if (is_sign) { 2649 status = psa_driver_wrapper_mac_sign_setup(operation, 2650 &slot->attr, 2651 slot->key.data, 2652 slot->key.bytes, 2653 alg); 2654 } else { 2655 status = psa_driver_wrapper_mac_verify_setup(operation, 2656 &slot->attr, 2657 slot->key.data, 2658 slot->key.bytes, 2659 alg); 2660 } 2661 2662 exit: 2663 if (status != PSA_SUCCESS) { 2664 psa_mac_abort(operation); 2665 } 2666 2667 unlock_status = psa_unregister_read_under_mutex(slot); 2668 2669 return (status == PSA_SUCCESS) ? unlock_status : status; 2670 } 2671 2672 psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation, 2673 mbedtls_svc_key_id_t key, 2674 psa_algorithm_t alg) 2675 { 2676 return psa_mac_setup(operation, key, alg, 1); 2677 } 2678 2679 psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation, 2680 mbedtls_svc_key_id_t key, 2681 psa_algorithm_t alg) 2682 { 2683 return psa_mac_setup(operation, key, alg, 0); 2684 } 2685 2686 psa_status_t psa_mac_update(psa_mac_operation_t *operation, 2687 const uint8_t *input_external, 2688 size_t input_length) 2689 { 2690 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2691 LOCAL_INPUT_DECLARE(input_external, input); 2692 2693 if (operation->id == 0) { 2694 status = PSA_ERROR_BAD_STATE; 2695 return status; 2696 } 2697 2698 /* Don't require hash implementations to behave correctly on a 2699 * zero-length input, which may have an invalid pointer. */ 2700 if (input_length == 0) { 2701 status = PSA_SUCCESS; 2702 return status; 2703 } 2704 2705 LOCAL_INPUT_ALLOC(input_external, input_length, input); 2706 status = psa_driver_wrapper_mac_update(operation, input, input_length); 2707 2708 if (status != PSA_SUCCESS) { 2709 psa_mac_abort(operation); 2710 } 2711 2712 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 2713 exit: 2714 #endif 2715 LOCAL_INPUT_FREE(input_external, input); 2716 2717 return status; 2718 } 2719 2720 psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation, 2721 uint8_t *mac_external, 2722 size_t mac_size, 2723 size_t *mac_length) 2724 { 2725 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2726 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; 2727 LOCAL_OUTPUT_DECLARE(mac_external, mac); 2728 LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac); 2729 2730 if (operation->id == 0) { 2731 status = PSA_ERROR_BAD_STATE; 2732 goto exit; 2733 } 2734 2735 if (!operation->is_sign) { 2736 status = PSA_ERROR_BAD_STATE; 2737 goto exit; 2738 } 2739 2740 /* Sanity check. This will guarantee that mac_size != 0 (and so mac != NULL) 2741 * once all the error checks are done. */ 2742 if (operation->mac_size == 0) { 2743 status = PSA_ERROR_BAD_STATE; 2744 goto exit; 2745 } 2746 2747 if (mac_size < operation->mac_size) { 2748 status = PSA_ERROR_BUFFER_TOO_SMALL; 2749 goto exit; 2750 } 2751 2752 2753 status = psa_driver_wrapper_mac_sign_finish(operation, 2754 mac, operation->mac_size, 2755 mac_length); 2756 2757 exit: 2758 /* In case of success, set the potential excess room in the output buffer 2759 * to an invalid value, to avoid potentially leaking a longer MAC. 2760 * In case of error, set the output length and content to a safe default, 2761 * such that in case the caller misses an error check, the output would be 2762 * an unachievable MAC. 2763 */ 2764 if (status != PSA_SUCCESS) { 2765 *mac_length = mac_size; 2766 operation->mac_size = 0; 2767 } 2768 2769 if (mac != NULL) { 2770 psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length); 2771 } 2772 2773 abort_status = psa_mac_abort(operation); 2774 LOCAL_OUTPUT_FREE(mac_external, mac); 2775 2776 return status == PSA_SUCCESS ? abort_status : status; 2777 } 2778 2779 psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation, 2780 const uint8_t *mac_external, 2781 size_t mac_length) 2782 { 2783 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2784 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; 2785 LOCAL_INPUT_DECLARE(mac_external, mac); 2786 2787 if (operation->id == 0) { 2788 status = PSA_ERROR_BAD_STATE; 2789 goto exit; 2790 } 2791 2792 if (operation->is_sign) { 2793 status = PSA_ERROR_BAD_STATE; 2794 goto exit; 2795 } 2796 2797 if (operation->mac_size != mac_length) { 2798 status = PSA_ERROR_INVALID_SIGNATURE; 2799 goto exit; 2800 } 2801 2802 LOCAL_INPUT_ALLOC(mac_external, mac_length, mac); 2803 status = psa_driver_wrapper_mac_verify_finish(operation, 2804 mac, mac_length); 2805 2806 exit: 2807 abort_status = psa_mac_abort(operation); 2808 LOCAL_INPUT_FREE(mac_external, mac); 2809 2810 return status == PSA_SUCCESS ? abort_status : status; 2811 } 2812 2813 static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key, 2814 psa_algorithm_t alg, 2815 const uint8_t *input, 2816 size_t input_length, 2817 uint8_t *mac, 2818 size_t mac_size, 2819 size_t *mac_length, 2820 int is_sign) 2821 { 2822 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2823 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 2824 psa_key_slot_t *slot; 2825 uint8_t operation_mac_size = 0; 2826 2827 status = psa_get_and_lock_key_slot_with_policy( 2828 key, 2829 &slot, 2830 is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE, 2831 alg); 2832 if (status != PSA_SUCCESS) { 2833 goto exit; 2834 } 2835 2836 status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr, 2837 &operation_mac_size); 2838 if (status != PSA_SUCCESS) { 2839 goto exit; 2840 } 2841 2842 if (mac_size < operation_mac_size) { 2843 status = PSA_ERROR_BUFFER_TOO_SMALL; 2844 goto exit; 2845 } 2846 2847 status = psa_driver_wrapper_mac_compute( 2848 &slot->attr, 2849 slot->key.data, slot->key.bytes, 2850 alg, 2851 input, input_length, 2852 mac, operation_mac_size, mac_length); 2853 2854 exit: 2855 /* In case of success, set the potential excess room in the output buffer 2856 * to an invalid value, to avoid potentially leaking a longer MAC. 2857 * In case of error, set the output length and content to a safe default, 2858 * such that in case the caller misses an error check, the output would be 2859 * an unachievable MAC. 2860 */ 2861 if (status != PSA_SUCCESS) { 2862 *mac_length = mac_size; 2863 operation_mac_size = 0; 2864 } 2865 2866 psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length); 2867 2868 unlock_status = psa_unregister_read_under_mutex(slot); 2869 2870 return (status == PSA_SUCCESS) ? unlock_status : status; 2871 } 2872 2873 psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key, 2874 psa_algorithm_t alg, 2875 const uint8_t *input_external, 2876 size_t input_length, 2877 uint8_t *mac_external, 2878 size_t mac_size, 2879 size_t *mac_length) 2880 { 2881 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2882 LOCAL_INPUT_DECLARE(input_external, input); 2883 LOCAL_OUTPUT_DECLARE(mac_external, mac); 2884 2885 LOCAL_INPUT_ALLOC(input_external, input_length, input); 2886 LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac); 2887 status = psa_mac_compute_internal(key, alg, 2888 input, input_length, 2889 mac, mac_size, mac_length, 1); 2890 2891 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 2892 exit: 2893 #endif 2894 LOCAL_INPUT_FREE(input_external, input); 2895 LOCAL_OUTPUT_FREE(mac_external, mac); 2896 2897 return status; 2898 } 2899 2900 psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key, 2901 psa_algorithm_t alg, 2902 const uint8_t *input_external, 2903 size_t input_length, 2904 const uint8_t *mac_external, 2905 size_t mac_length) 2906 { 2907 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2908 uint8_t actual_mac[PSA_MAC_MAX_SIZE]; 2909 size_t actual_mac_length; 2910 LOCAL_INPUT_DECLARE(input_external, input); 2911 LOCAL_INPUT_DECLARE(mac_external, mac); 2912 2913 LOCAL_INPUT_ALLOC(input_external, input_length, input); 2914 status = psa_mac_compute_internal(key, alg, 2915 input, input_length, 2916 actual_mac, sizeof(actual_mac), 2917 &actual_mac_length, 0); 2918 if (status != PSA_SUCCESS) { 2919 goto exit; 2920 } 2921 2922 if (mac_length != actual_mac_length) { 2923 status = PSA_ERROR_INVALID_SIGNATURE; 2924 goto exit; 2925 } 2926 2927 LOCAL_INPUT_ALLOC(mac_external, mac_length, mac); 2928 if (mbedtls_ct_memcmp(mac, actual_mac, actual_mac_length) != 0) { 2929 status = PSA_ERROR_INVALID_SIGNATURE; 2930 goto exit; 2931 } 2932 2933 exit: 2934 mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac)); 2935 LOCAL_INPUT_FREE(input_external, input); 2936 LOCAL_INPUT_FREE(mac_external, mac); 2937 2938 return status; 2939 } 2940 2941 /****************************************************************/ 2942 /* Asymmetric cryptography */ 2943 /****************************************************************/ 2944 2945 static psa_status_t psa_sign_verify_check_alg(int input_is_message, 2946 psa_algorithm_t alg) 2947 { 2948 if (input_is_message) { 2949 if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) { 2950 return PSA_ERROR_INVALID_ARGUMENT; 2951 } 2952 2953 if (PSA_ALG_IS_SIGN_HASH(alg)) { 2954 if (!PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(alg))) { 2955 return PSA_ERROR_INVALID_ARGUMENT; 2956 } 2957 } 2958 } else { 2959 if (!PSA_ALG_IS_SIGN_HASH(alg)) { 2960 return PSA_ERROR_INVALID_ARGUMENT; 2961 } 2962 } 2963 2964 return PSA_SUCCESS; 2965 } 2966 2967 static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key, 2968 int input_is_message, 2969 psa_algorithm_t alg, 2970 const uint8_t *input, 2971 size_t input_length, 2972 uint8_t *signature, 2973 size_t signature_size, 2974 size_t *signature_length) 2975 { 2976 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2977 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 2978 psa_key_slot_t *slot; 2979 2980 *signature_length = 0; 2981 2982 status = psa_sign_verify_check_alg(input_is_message, alg); 2983 if (status != PSA_SUCCESS) { 2984 return status; 2985 } 2986 2987 /* Immediately reject a zero-length signature buffer. This guarantees 2988 * that signature must be a valid pointer. (On the other hand, the input 2989 * buffer can in principle be empty since it doesn't actually have 2990 * to be a hash.) */ 2991 if (signature_size == 0) { 2992 return PSA_ERROR_BUFFER_TOO_SMALL; 2993 } 2994 2995 status = psa_get_and_lock_key_slot_with_policy( 2996 key, &slot, 2997 input_is_message ? PSA_KEY_USAGE_SIGN_MESSAGE : 2998 PSA_KEY_USAGE_SIGN_HASH, 2999 alg); 3000 3001 if (status != PSA_SUCCESS) { 3002 goto exit; 3003 } 3004 3005 if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) { 3006 status = PSA_ERROR_INVALID_ARGUMENT; 3007 goto exit; 3008 } 3009 3010 if (input_is_message) { 3011 status = psa_driver_wrapper_sign_message( 3012 &slot->attr, slot->key.data, slot->key.bytes, 3013 alg, input, input_length, 3014 signature, signature_size, signature_length); 3015 } else { 3016 3017 status = psa_driver_wrapper_sign_hash( 3018 &slot->attr, slot->key.data, slot->key.bytes, 3019 alg, input, input_length, 3020 signature, signature_size, signature_length); 3021 } 3022 3023 3024 exit: 3025 psa_wipe_tag_output_buffer(signature, status, signature_size, 3026 *signature_length); 3027 3028 unlock_status = psa_unregister_read_under_mutex(slot); 3029 3030 return (status == PSA_SUCCESS) ? unlock_status : status; 3031 } 3032 3033 static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key, 3034 int input_is_message, 3035 psa_algorithm_t alg, 3036 const uint8_t *input, 3037 size_t input_length, 3038 const uint8_t *signature, 3039 size_t signature_length) 3040 { 3041 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3042 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 3043 psa_key_slot_t *slot; 3044 3045 status = psa_sign_verify_check_alg(input_is_message, alg); 3046 if (status != PSA_SUCCESS) { 3047 return status; 3048 } 3049 3050 status = psa_get_and_lock_key_slot_with_policy( 3051 key, &slot, 3052 input_is_message ? PSA_KEY_USAGE_VERIFY_MESSAGE : 3053 PSA_KEY_USAGE_VERIFY_HASH, 3054 alg); 3055 3056 if (status != PSA_SUCCESS) { 3057 return status; 3058 } 3059 3060 if (input_is_message) { 3061 status = psa_driver_wrapper_verify_message( 3062 &slot->attr, slot->key.data, slot->key.bytes, 3063 alg, input, input_length, 3064 signature, signature_length); 3065 } else { 3066 status = psa_driver_wrapper_verify_hash( 3067 &slot->attr, slot->key.data, slot->key.bytes, 3068 alg, input, input_length, 3069 signature, signature_length); 3070 } 3071 3072 unlock_status = psa_unregister_read_under_mutex(slot); 3073 3074 return (status == PSA_SUCCESS) ? unlock_status : status; 3075 3076 } 3077 3078 psa_status_t psa_sign_message_builtin( 3079 const psa_key_attributes_t *attributes, 3080 const uint8_t *key_buffer, 3081 size_t key_buffer_size, 3082 psa_algorithm_t alg, 3083 const uint8_t *input, 3084 size_t input_length, 3085 uint8_t *signature, 3086 size_t signature_size, 3087 size_t *signature_length) 3088 { 3089 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3090 3091 if (PSA_ALG_IS_SIGN_HASH(alg)) { 3092 size_t hash_length; 3093 uint8_t hash[PSA_HASH_MAX_SIZE]; 3094 3095 status = psa_driver_wrapper_hash_compute( 3096 PSA_ALG_SIGN_GET_HASH(alg), 3097 input, input_length, 3098 hash, sizeof(hash), &hash_length); 3099 3100 if (status != PSA_SUCCESS) { 3101 return status; 3102 } 3103 3104 return psa_driver_wrapper_sign_hash( 3105 attributes, key_buffer, key_buffer_size, 3106 alg, hash, hash_length, 3107 signature, signature_size, signature_length); 3108 } 3109 3110 return PSA_ERROR_NOT_SUPPORTED; 3111 } 3112 3113 psa_status_t psa_sign_message(mbedtls_svc_key_id_t key, 3114 psa_algorithm_t alg, 3115 const uint8_t *input_external, 3116 size_t input_length, 3117 uint8_t *signature_external, 3118 size_t signature_size, 3119 size_t *signature_length) 3120 { 3121 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3122 LOCAL_INPUT_DECLARE(input_external, input); 3123 LOCAL_OUTPUT_DECLARE(signature_external, signature); 3124 3125 LOCAL_INPUT_ALLOC(input_external, input_length, input); 3126 LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature); 3127 status = psa_sign_internal(key, 1, alg, input, input_length, signature, 3128 signature_size, signature_length); 3129 3130 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 3131 exit: 3132 #endif 3133 LOCAL_INPUT_FREE(input_external, input); 3134 LOCAL_OUTPUT_FREE(signature_external, signature); 3135 return status; 3136 } 3137 3138 psa_status_t psa_verify_message_builtin( 3139 const psa_key_attributes_t *attributes, 3140 const uint8_t *key_buffer, 3141 size_t key_buffer_size, 3142 psa_algorithm_t alg, 3143 const uint8_t *input, 3144 size_t input_length, 3145 const uint8_t *signature, 3146 size_t signature_length) 3147 { 3148 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3149 3150 if (PSA_ALG_IS_SIGN_HASH(alg)) { 3151 size_t hash_length; 3152 uint8_t hash[PSA_HASH_MAX_SIZE]; 3153 3154 status = psa_driver_wrapper_hash_compute( 3155 PSA_ALG_SIGN_GET_HASH(alg), 3156 input, input_length, 3157 hash, sizeof(hash), &hash_length); 3158 3159 if (status != PSA_SUCCESS) { 3160 return status; 3161 } 3162 3163 return psa_driver_wrapper_verify_hash( 3164 attributes, key_buffer, key_buffer_size, 3165 alg, hash, hash_length, 3166 signature, signature_length); 3167 } 3168 3169 return PSA_ERROR_NOT_SUPPORTED; 3170 } 3171 3172 psa_status_t psa_verify_message(mbedtls_svc_key_id_t key, 3173 psa_algorithm_t alg, 3174 const uint8_t *input_external, 3175 size_t input_length, 3176 const uint8_t *signature_external, 3177 size_t signature_length) 3178 { 3179 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3180 LOCAL_INPUT_DECLARE(input_external, input); 3181 LOCAL_INPUT_DECLARE(signature_external, signature); 3182 3183 LOCAL_INPUT_ALLOC(input_external, input_length, input); 3184 LOCAL_INPUT_ALLOC(signature_external, signature_length, signature); 3185 status = psa_verify_internal(key, 1, alg, input, input_length, signature, 3186 signature_length); 3187 3188 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 3189 exit: 3190 #endif 3191 LOCAL_INPUT_FREE(input_external, input); 3192 LOCAL_INPUT_FREE(signature_external, signature); 3193 3194 return status; 3195 } 3196 3197 psa_status_t psa_sign_hash_builtin( 3198 const psa_key_attributes_t *attributes, 3199 const uint8_t *key_buffer, size_t key_buffer_size, 3200 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, 3201 uint8_t *signature, size_t signature_size, size_t *signature_length) 3202 { 3203 if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) { 3204 if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || 3205 PSA_ALG_IS_RSA_PSS(alg)) { 3206 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ 3207 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) 3208 return mbedtls_psa_rsa_sign_hash( 3209 attributes, 3210 key_buffer, key_buffer_size, 3211 alg, hash, hash_length, 3212 signature, signature_size, signature_length); 3213 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || 3214 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ 3215 } else { 3216 return PSA_ERROR_INVALID_ARGUMENT; 3217 } 3218 } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) { 3219 if (PSA_ALG_IS_ECDSA(alg)) { 3220 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 3221 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) 3222 return mbedtls_psa_ecdsa_sign_hash( 3223 attributes, 3224 key_buffer, key_buffer_size, 3225 alg, hash, hash_length, 3226 signature, signature_size, signature_length); 3227 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 3228 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ 3229 } else { 3230 return PSA_ERROR_INVALID_ARGUMENT; 3231 } 3232 } 3233 3234 (void) key_buffer; 3235 (void) key_buffer_size; 3236 (void) hash; 3237 (void) hash_length; 3238 (void) signature; 3239 (void) signature_size; 3240 (void) signature_length; 3241 3242 return PSA_ERROR_NOT_SUPPORTED; 3243 } 3244 3245 psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key, 3246 psa_algorithm_t alg, 3247 const uint8_t *hash_external, 3248 size_t hash_length, 3249 uint8_t *signature_external, 3250 size_t signature_size, 3251 size_t *signature_length) 3252 { 3253 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3254 LOCAL_INPUT_DECLARE(hash_external, hash); 3255 LOCAL_OUTPUT_DECLARE(signature_external, signature); 3256 3257 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); 3258 LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature); 3259 status = psa_sign_internal(key, 0, alg, hash, hash_length, signature, 3260 signature_size, signature_length); 3261 3262 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 3263 exit: 3264 #endif 3265 LOCAL_INPUT_FREE(hash_external, hash); 3266 LOCAL_OUTPUT_FREE(signature_external, signature); 3267 3268 return status; 3269 } 3270 3271 psa_status_t psa_verify_hash_builtin( 3272 const psa_key_attributes_t *attributes, 3273 const uint8_t *key_buffer, size_t key_buffer_size, 3274 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, 3275 const uint8_t *signature, size_t signature_length) 3276 { 3277 if (PSA_KEY_TYPE_IS_RSA(attributes->type)) { 3278 if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || 3279 PSA_ALG_IS_RSA_PSS(alg)) { 3280 #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ 3281 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) 3282 return mbedtls_psa_rsa_verify_hash( 3283 attributes, 3284 key_buffer, key_buffer_size, 3285 alg, hash, hash_length, 3286 signature, signature_length); 3287 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || 3288 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ 3289 } else { 3290 return PSA_ERROR_INVALID_ARGUMENT; 3291 } 3292 } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) { 3293 if (PSA_ALG_IS_ECDSA(alg)) { 3294 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 3295 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) 3296 return mbedtls_psa_ecdsa_verify_hash( 3297 attributes, 3298 key_buffer, key_buffer_size, 3299 alg, hash, hash_length, 3300 signature, signature_length); 3301 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 3302 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ 3303 } else { 3304 return PSA_ERROR_INVALID_ARGUMENT; 3305 } 3306 } 3307 3308 (void) key_buffer; 3309 (void) key_buffer_size; 3310 (void) hash; 3311 (void) hash_length; 3312 (void) signature; 3313 (void) signature_length; 3314 3315 return PSA_ERROR_NOT_SUPPORTED; 3316 } 3317 3318 psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key, 3319 psa_algorithm_t alg, 3320 const uint8_t *hash_external, 3321 size_t hash_length, 3322 const uint8_t *signature_external, 3323 size_t signature_length) 3324 { 3325 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3326 LOCAL_INPUT_DECLARE(hash_external, hash); 3327 LOCAL_INPUT_DECLARE(signature_external, signature); 3328 3329 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); 3330 LOCAL_INPUT_ALLOC(signature_external, signature_length, signature); 3331 status = psa_verify_internal(key, 0, alg, hash, hash_length, signature, 3332 signature_length); 3333 3334 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 3335 exit: 3336 #endif 3337 LOCAL_INPUT_FREE(hash_external, hash); 3338 LOCAL_INPUT_FREE(signature_external, signature); 3339 3340 return status; 3341 } 3342 3343 psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key, 3344 psa_algorithm_t alg, 3345 const uint8_t *input_external, 3346 size_t input_length, 3347 const uint8_t *salt_external, 3348 size_t salt_length, 3349 uint8_t *output_external, 3350 size_t output_size, 3351 size_t *output_length) 3352 { 3353 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3354 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 3355 psa_key_slot_t *slot; 3356 3357 LOCAL_INPUT_DECLARE(input_external, input); 3358 LOCAL_INPUT_DECLARE(salt_external, salt); 3359 LOCAL_OUTPUT_DECLARE(output_external, output); 3360 3361 (void) input; 3362 (void) input_length; 3363 (void) salt; 3364 (void) output; 3365 (void) output_size; 3366 3367 *output_length = 0; 3368 3369 if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) { 3370 return PSA_ERROR_INVALID_ARGUMENT; 3371 } 3372 3373 status = psa_get_and_lock_key_slot_with_policy( 3374 key, &slot, PSA_KEY_USAGE_ENCRYPT, alg); 3375 if (status != PSA_SUCCESS) { 3376 return status; 3377 } 3378 if (!(PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type) || 3379 PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type))) { 3380 status = PSA_ERROR_INVALID_ARGUMENT; 3381 goto exit; 3382 } 3383 3384 LOCAL_INPUT_ALLOC(input_external, input_length, input); 3385 LOCAL_INPUT_ALLOC(salt_external, salt_length, salt); 3386 LOCAL_OUTPUT_ALLOC(output_external, output_size, output); 3387 3388 status = psa_driver_wrapper_asymmetric_encrypt( 3389 &slot->attr, slot->key.data, slot->key.bytes, 3390 alg, input, input_length, salt, salt_length, 3391 output, output_size, output_length); 3392 exit: 3393 unlock_status = psa_unregister_read_under_mutex(slot); 3394 3395 LOCAL_INPUT_FREE(input_external, input); 3396 LOCAL_INPUT_FREE(salt_external, salt); 3397 LOCAL_OUTPUT_FREE(output_external, output); 3398 3399 return (status == PSA_SUCCESS) ? unlock_status : status; 3400 } 3401 3402 psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key, 3403 psa_algorithm_t alg, 3404 const uint8_t *input_external, 3405 size_t input_length, 3406 const uint8_t *salt_external, 3407 size_t salt_length, 3408 uint8_t *output_external, 3409 size_t output_size, 3410 size_t *output_length) 3411 { 3412 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3413 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 3414 psa_key_slot_t *slot; 3415 3416 LOCAL_INPUT_DECLARE(input_external, input); 3417 LOCAL_INPUT_DECLARE(salt_external, salt); 3418 LOCAL_OUTPUT_DECLARE(output_external, output); 3419 3420 (void) input; 3421 (void) input_length; 3422 (void) salt; 3423 (void) output; 3424 (void) output_size; 3425 3426 *output_length = 0; 3427 3428 if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) { 3429 return PSA_ERROR_INVALID_ARGUMENT; 3430 } 3431 3432 status = psa_get_and_lock_key_slot_with_policy( 3433 key, &slot, PSA_KEY_USAGE_DECRYPT, alg); 3434 if (status != PSA_SUCCESS) { 3435 return status; 3436 } 3437 if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) { 3438 status = PSA_ERROR_INVALID_ARGUMENT; 3439 goto exit; 3440 } 3441 3442 LOCAL_INPUT_ALLOC(input_external, input_length, input); 3443 LOCAL_INPUT_ALLOC(salt_external, salt_length, salt); 3444 LOCAL_OUTPUT_ALLOC(output_external, output_size, output); 3445 3446 status = psa_driver_wrapper_asymmetric_decrypt( 3447 &slot->attr, slot->key.data, slot->key.bytes, 3448 alg, input, input_length, salt, salt_length, 3449 output, output_size, output_length); 3450 3451 exit: 3452 unlock_status = psa_unregister_read_under_mutex(slot); 3453 3454 LOCAL_INPUT_FREE(input_external, input); 3455 LOCAL_INPUT_FREE(salt_external, salt); 3456 LOCAL_OUTPUT_FREE(output_external, output); 3457 3458 return (status == PSA_SUCCESS) ? unlock_status : status; 3459 } 3460 3461 /****************************************************************/ 3462 /* Asymmetric interruptible cryptography */ 3463 /****************************************************************/ 3464 3465 static uint32_t psa_interruptible_max_ops = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED; 3466 3467 void psa_interruptible_set_max_ops(uint32_t max_ops) 3468 { 3469 psa_interruptible_max_ops = max_ops; 3470 } 3471 3472 uint32_t psa_interruptible_get_max_ops(void) 3473 { 3474 return psa_interruptible_max_ops; 3475 } 3476 3477 uint32_t psa_sign_hash_get_num_ops( 3478 const psa_sign_hash_interruptible_operation_t *operation) 3479 { 3480 return operation->num_ops; 3481 } 3482 3483 uint32_t psa_verify_hash_get_num_ops( 3484 const psa_verify_hash_interruptible_operation_t *operation) 3485 { 3486 return operation->num_ops; 3487 } 3488 3489 static psa_status_t psa_sign_hash_abort_internal( 3490 psa_sign_hash_interruptible_operation_t *operation) 3491 { 3492 if (operation->id == 0) { 3493 /* The object has (apparently) been initialized but it is not (yet) 3494 * in use. It's ok to call abort on such an object, and there's 3495 * nothing to do. */ 3496 return PSA_SUCCESS; 3497 } 3498 3499 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3500 3501 status = psa_driver_wrapper_sign_hash_abort(operation); 3502 3503 operation->id = 0; 3504 3505 /* Do not clear either the error_occurred or num_ops elements here as they 3506 * only want to be cleared by the application calling abort, not by abort 3507 * being called at completion of an operation. */ 3508 3509 return status; 3510 } 3511 3512 psa_status_t psa_sign_hash_start( 3513 psa_sign_hash_interruptible_operation_t *operation, 3514 mbedtls_svc_key_id_t key, psa_algorithm_t alg, 3515 const uint8_t *hash_external, size_t hash_length) 3516 { 3517 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3518 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 3519 psa_key_slot_t *slot; 3520 3521 LOCAL_INPUT_DECLARE(hash_external, hash); 3522 3523 /* Check that start has not been previously called, or operation has not 3524 * previously errored. */ 3525 if (operation->id != 0 || operation->error_occurred) { 3526 return PSA_ERROR_BAD_STATE; 3527 } 3528 3529 status = psa_sign_verify_check_alg(0, alg); 3530 if (status != PSA_SUCCESS) { 3531 operation->error_occurred = 1; 3532 return status; 3533 } 3534 3535 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 3536 PSA_KEY_USAGE_SIGN_HASH, 3537 alg); 3538 3539 if (status != PSA_SUCCESS) { 3540 goto exit; 3541 } 3542 3543 if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) { 3544 status = PSA_ERROR_INVALID_ARGUMENT; 3545 goto exit; 3546 } 3547 3548 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); 3549 3550 /* Ensure ops count gets reset, in case of operation re-use. */ 3551 operation->num_ops = 0; 3552 3553 status = psa_driver_wrapper_sign_hash_start(operation, &slot->attr, 3554 slot->key.data, 3555 slot->key.bytes, alg, 3556 hash, hash_length); 3557 exit: 3558 3559 if (status != PSA_SUCCESS) { 3560 operation->error_occurred = 1; 3561 psa_sign_hash_abort_internal(operation); 3562 } 3563 3564 unlock_status = psa_unregister_read_under_mutex(slot); 3565 3566 if (unlock_status != PSA_SUCCESS) { 3567 operation->error_occurred = 1; 3568 } 3569 3570 LOCAL_INPUT_FREE(hash_external, hash); 3571 3572 return (status == PSA_SUCCESS) ? unlock_status : status; 3573 } 3574 3575 3576 psa_status_t psa_sign_hash_complete( 3577 psa_sign_hash_interruptible_operation_t *operation, 3578 uint8_t *signature_external, size_t signature_size, 3579 size_t *signature_length) 3580 { 3581 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3582 3583 LOCAL_OUTPUT_DECLARE(signature_external, signature); 3584 3585 *signature_length = 0; 3586 3587 /* Check that start has been called first, and that operation has not 3588 * previously errored. */ 3589 if (operation->id == 0 || operation->error_occurred) { 3590 status = PSA_ERROR_BAD_STATE; 3591 goto exit; 3592 } 3593 3594 /* Immediately reject a zero-length signature buffer. This guarantees that 3595 * signature must be a valid pointer. */ 3596 if (signature_size == 0) { 3597 status = PSA_ERROR_BUFFER_TOO_SMALL; 3598 goto exit; 3599 } 3600 3601 LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature); 3602 3603 status = psa_driver_wrapper_sign_hash_complete(operation, signature, 3604 signature_size, 3605 signature_length); 3606 3607 /* Update ops count with work done. */ 3608 operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation); 3609 3610 exit: 3611 3612 if (signature != NULL) { 3613 psa_wipe_tag_output_buffer(signature, status, signature_size, 3614 *signature_length); 3615 } 3616 3617 if (status != PSA_OPERATION_INCOMPLETE) { 3618 if (status != PSA_SUCCESS) { 3619 operation->error_occurred = 1; 3620 } 3621 3622 psa_sign_hash_abort_internal(operation); 3623 } 3624 3625 LOCAL_OUTPUT_FREE(signature_external, signature); 3626 3627 return status; 3628 } 3629 3630 psa_status_t psa_sign_hash_abort( 3631 psa_sign_hash_interruptible_operation_t *operation) 3632 { 3633 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3634 3635 status = psa_sign_hash_abort_internal(operation); 3636 3637 /* We clear the number of ops done here, so that it is not cleared when 3638 * the operation fails or succeeds, only on manual abort. */ 3639 operation->num_ops = 0; 3640 3641 /* Likewise, failure state. */ 3642 operation->error_occurred = 0; 3643 3644 return status; 3645 } 3646 3647 static psa_status_t psa_verify_hash_abort_internal( 3648 psa_verify_hash_interruptible_operation_t *operation) 3649 { 3650 if (operation->id == 0) { 3651 /* The object has (apparently) been initialized but it is not (yet) 3652 * in use. It's ok to call abort on such an object, and there's 3653 * nothing to do. */ 3654 return PSA_SUCCESS; 3655 } 3656 3657 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3658 3659 status = psa_driver_wrapper_verify_hash_abort(operation); 3660 3661 operation->id = 0; 3662 3663 /* Do not clear either the error_occurred or num_ops elements here as they 3664 * only want to be cleared by the application calling abort, not by abort 3665 * being called at completion of an operation. */ 3666 3667 return status; 3668 } 3669 3670 psa_status_t psa_verify_hash_start( 3671 psa_verify_hash_interruptible_operation_t *operation, 3672 mbedtls_svc_key_id_t key, psa_algorithm_t alg, 3673 const uint8_t *hash_external, size_t hash_length, 3674 const uint8_t *signature_external, size_t signature_length) 3675 { 3676 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3677 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 3678 psa_key_slot_t *slot; 3679 3680 LOCAL_INPUT_DECLARE(hash_external, hash); 3681 LOCAL_INPUT_DECLARE(signature_external, signature); 3682 3683 /* Check that start has not been previously called, or operation has not 3684 * previously errored. */ 3685 if (operation->id != 0 || operation->error_occurred) { 3686 return PSA_ERROR_BAD_STATE; 3687 } 3688 3689 status = psa_sign_verify_check_alg(0, alg); 3690 if (status != PSA_SUCCESS) { 3691 operation->error_occurred = 1; 3692 return status; 3693 } 3694 3695 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 3696 PSA_KEY_USAGE_VERIFY_HASH, 3697 alg); 3698 3699 if (status != PSA_SUCCESS) { 3700 operation->error_occurred = 1; 3701 return status; 3702 } 3703 3704 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash); 3705 LOCAL_INPUT_ALLOC(signature_external, signature_length, signature); 3706 3707 /* Ensure ops count gets reset, in case of operation re-use. */ 3708 operation->num_ops = 0; 3709 3710 status = psa_driver_wrapper_verify_hash_start(operation, &slot->attr, 3711 slot->key.data, 3712 slot->key.bytes, 3713 alg, hash, hash_length, 3714 signature, signature_length); 3715 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 3716 exit: 3717 #endif 3718 3719 if (status != PSA_SUCCESS) { 3720 operation->error_occurred = 1; 3721 psa_verify_hash_abort_internal(operation); 3722 } 3723 3724 unlock_status = psa_unregister_read_under_mutex(slot); 3725 3726 if (unlock_status != PSA_SUCCESS) { 3727 operation->error_occurred = 1; 3728 } 3729 3730 LOCAL_INPUT_FREE(hash_external, hash); 3731 LOCAL_INPUT_FREE(signature_external, signature); 3732 3733 return (status == PSA_SUCCESS) ? unlock_status : status; 3734 } 3735 3736 psa_status_t psa_verify_hash_complete( 3737 psa_verify_hash_interruptible_operation_t *operation) 3738 { 3739 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3740 3741 /* Check that start has been called first, and that operation has not 3742 * previously errored. */ 3743 if (operation->id == 0 || operation->error_occurred) { 3744 status = PSA_ERROR_BAD_STATE; 3745 goto exit; 3746 } 3747 3748 status = psa_driver_wrapper_verify_hash_complete(operation); 3749 3750 /* Update ops count with work done. */ 3751 operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops( 3752 operation); 3753 3754 exit: 3755 3756 if (status != PSA_OPERATION_INCOMPLETE) { 3757 if (status != PSA_SUCCESS) { 3758 operation->error_occurred = 1; 3759 } 3760 3761 psa_verify_hash_abort_internal(operation); 3762 } 3763 3764 return status; 3765 } 3766 3767 psa_status_t psa_verify_hash_abort( 3768 psa_verify_hash_interruptible_operation_t *operation) 3769 { 3770 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3771 3772 status = psa_verify_hash_abort_internal(operation); 3773 3774 /* We clear the number of ops done here, so that it is not cleared when 3775 * the operation fails or succeeds, only on manual abort. */ 3776 operation->num_ops = 0; 3777 3778 /* Likewise, failure state. */ 3779 operation->error_occurred = 0; 3780 3781 return status; 3782 } 3783 3784 /****************************************************************/ 3785 /* Asymmetric interruptible cryptography internal */ 3786 /* implementations */ 3787 /****************************************************************/ 3788 3789 void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops) 3790 { 3791 3792 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 3793 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ 3794 defined(MBEDTLS_ECP_RESTARTABLE) 3795 3796 /* Internal implementation uses zero to indicate infinite number max ops, 3797 * therefore avoid this value, and set to minimum possible. */ 3798 if (max_ops == 0) { 3799 max_ops = 1; 3800 } 3801 3802 mbedtls_ecp_set_max_ops(max_ops); 3803 #else 3804 (void) max_ops; 3805 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 3806 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && 3807 * defined( MBEDTLS_ECP_RESTARTABLE ) */ 3808 } 3809 3810 uint32_t mbedtls_psa_sign_hash_get_num_ops( 3811 const mbedtls_psa_sign_hash_interruptible_operation_t *operation) 3812 { 3813 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 3814 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ 3815 defined(MBEDTLS_ECP_RESTARTABLE) 3816 3817 return operation->num_ops; 3818 #else 3819 (void) operation; 3820 return 0; 3821 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 3822 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && 3823 * defined( MBEDTLS_ECP_RESTARTABLE ) */ 3824 } 3825 3826 uint32_t mbedtls_psa_verify_hash_get_num_ops( 3827 const mbedtls_psa_verify_hash_interruptible_operation_t *operation) 3828 { 3829 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 3830 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ 3831 defined(MBEDTLS_ECP_RESTARTABLE) 3832 3833 return operation->num_ops; 3834 #else 3835 (void) operation; 3836 return 0; 3837 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 3838 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && 3839 * defined( MBEDTLS_ECP_RESTARTABLE ) */ 3840 } 3841 3842 psa_status_t mbedtls_psa_sign_hash_start( 3843 mbedtls_psa_sign_hash_interruptible_operation_t *operation, 3844 const psa_key_attributes_t *attributes, const uint8_t *key_buffer, 3845 size_t key_buffer_size, psa_algorithm_t alg, 3846 const uint8_t *hash, size_t hash_length) 3847 { 3848 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3849 size_t required_hash_length; 3850 3851 if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) { 3852 return PSA_ERROR_NOT_SUPPORTED; 3853 } 3854 3855 if (!PSA_ALG_IS_ECDSA(alg)) { 3856 return PSA_ERROR_NOT_SUPPORTED; 3857 } 3858 3859 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 3860 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ 3861 defined(MBEDTLS_ECP_RESTARTABLE) 3862 3863 mbedtls_ecdsa_restart_init(&operation->restart_ctx); 3864 3865 /* Ensure num_ops is zero'ed in case of context re-use. */ 3866 operation->num_ops = 0; 3867 3868 status = mbedtls_psa_ecp_load_representation(attributes->type, 3869 attributes->bits, 3870 key_buffer, 3871 key_buffer_size, 3872 &operation->ctx); 3873 3874 if (status != PSA_SUCCESS) { 3875 return status; 3876 } 3877 3878 operation->coordinate_bytes = PSA_BITS_TO_BYTES( 3879 operation->ctx->grp.nbits); 3880 3881 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg); 3882 operation->md_alg = mbedtls_md_type_from_psa_alg(hash_alg); 3883 operation->alg = alg; 3884 3885 /* We only need to store the same length of hash as the private key size 3886 * here, it would be truncated by the internal implementation anyway. */ 3887 required_hash_length = (hash_length < operation->coordinate_bytes ? 3888 hash_length : operation->coordinate_bytes); 3889 3890 if (required_hash_length > sizeof(operation->hash)) { 3891 /* Shouldn't happen, but better safe than sorry. */ 3892 return PSA_ERROR_CORRUPTION_DETECTED; 3893 } 3894 3895 memcpy(operation->hash, hash, required_hash_length); 3896 operation->hash_length = required_hash_length; 3897 3898 return PSA_SUCCESS; 3899 3900 #else 3901 (void) operation; 3902 (void) key_buffer; 3903 (void) key_buffer_size; 3904 (void) alg; 3905 (void) hash; 3906 (void) hash_length; 3907 (void) status; 3908 (void) required_hash_length; 3909 3910 return PSA_ERROR_NOT_SUPPORTED; 3911 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 3912 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && 3913 * defined( MBEDTLS_ECP_RESTARTABLE ) */ 3914 } 3915 3916 psa_status_t mbedtls_psa_sign_hash_complete( 3917 mbedtls_psa_sign_hash_interruptible_operation_t *operation, 3918 uint8_t *signature, size_t signature_size, 3919 size_t *signature_length) 3920 { 3921 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 3922 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ 3923 defined(MBEDTLS_ECP_RESTARTABLE) 3924 3925 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3926 mbedtls_mpi r; 3927 mbedtls_mpi s; 3928 3929 mbedtls_mpi_init(&r); 3930 mbedtls_mpi_init(&s); 3931 3932 /* Ensure max_ops is set to the current value (or default). */ 3933 mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops()); 3934 3935 if (signature_size < 2 * operation->coordinate_bytes) { 3936 status = PSA_ERROR_BUFFER_TOO_SMALL; 3937 goto exit; 3938 } 3939 3940 if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) { 3941 3942 #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) 3943 status = mbedtls_to_psa_error( 3944 mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp, 3945 &r, 3946 &s, 3947 &operation->ctx->d, 3948 operation->hash, 3949 operation->hash_length, 3950 operation->md_alg, 3951 mbedtls_psa_get_random, 3952 MBEDTLS_PSA_RANDOM_STATE, 3953 &operation->restart_ctx)); 3954 #else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ 3955 status = PSA_ERROR_NOT_SUPPORTED; 3956 goto exit; 3957 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ 3958 } else { 3959 status = mbedtls_to_psa_error( 3960 mbedtls_ecdsa_sign_restartable(&operation->ctx->grp, 3961 &r, 3962 &s, 3963 &operation->ctx->d, 3964 operation->hash, 3965 operation->hash_length, 3966 mbedtls_psa_get_random, 3967 MBEDTLS_PSA_RANDOM_STATE, 3968 mbedtls_psa_get_random, 3969 MBEDTLS_PSA_RANDOM_STATE, 3970 &operation->restart_ctx)); 3971 } 3972 3973 /* Hide the fact that the restart context only holds a delta of number of 3974 * ops done during the last operation, not an absolute value. */ 3975 operation->num_ops += operation->restart_ctx.ecp.ops_done; 3976 3977 if (status == PSA_SUCCESS) { 3978 status = mbedtls_to_psa_error( 3979 mbedtls_mpi_write_binary(&r, 3980 signature, 3981 operation->coordinate_bytes) 3982 ); 3983 3984 if (status != PSA_SUCCESS) { 3985 goto exit; 3986 } 3987 3988 status = mbedtls_to_psa_error( 3989 mbedtls_mpi_write_binary(&s, 3990 signature + 3991 operation->coordinate_bytes, 3992 operation->coordinate_bytes) 3993 ); 3994 3995 if (status != PSA_SUCCESS) { 3996 goto exit; 3997 } 3998 3999 *signature_length = operation->coordinate_bytes * 2; 4000 4001 status = PSA_SUCCESS; 4002 } 4003 4004 exit: 4005 4006 mbedtls_mpi_free(&r); 4007 mbedtls_mpi_free(&s); 4008 return status; 4009 4010 #else 4011 4012 (void) operation; 4013 (void) signature; 4014 (void) signature_size; 4015 (void) signature_length; 4016 4017 return PSA_ERROR_NOT_SUPPORTED; 4018 4019 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 4020 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && 4021 * defined( MBEDTLS_ECP_RESTARTABLE ) */ 4022 } 4023 4024 psa_status_t mbedtls_psa_sign_hash_abort( 4025 mbedtls_psa_sign_hash_interruptible_operation_t *operation) 4026 { 4027 4028 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 4029 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ 4030 defined(MBEDTLS_ECP_RESTARTABLE) 4031 4032 if (operation->ctx) { 4033 mbedtls_ecdsa_free(operation->ctx); 4034 mbedtls_free(operation->ctx); 4035 operation->ctx = NULL; 4036 } 4037 4038 mbedtls_ecdsa_restart_free(&operation->restart_ctx); 4039 4040 operation->num_ops = 0; 4041 4042 return PSA_SUCCESS; 4043 4044 #else 4045 4046 (void) operation; 4047 4048 return PSA_ERROR_NOT_SUPPORTED; 4049 4050 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 4051 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && 4052 * defined( MBEDTLS_ECP_RESTARTABLE ) */ 4053 } 4054 4055 psa_status_t mbedtls_psa_verify_hash_start( 4056 mbedtls_psa_verify_hash_interruptible_operation_t *operation, 4057 const psa_key_attributes_t *attributes, 4058 const uint8_t *key_buffer, size_t key_buffer_size, 4059 psa_algorithm_t alg, 4060 const uint8_t *hash, size_t hash_length, 4061 const uint8_t *signature, size_t signature_length) 4062 { 4063 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4064 size_t coordinate_bytes = 0; 4065 size_t required_hash_length = 0; 4066 4067 if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) { 4068 return PSA_ERROR_NOT_SUPPORTED; 4069 } 4070 4071 if (!PSA_ALG_IS_ECDSA(alg)) { 4072 return PSA_ERROR_NOT_SUPPORTED; 4073 } 4074 4075 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 4076 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ 4077 defined(MBEDTLS_ECP_RESTARTABLE) 4078 4079 mbedtls_ecdsa_restart_init(&operation->restart_ctx); 4080 mbedtls_mpi_init(&operation->r); 4081 mbedtls_mpi_init(&operation->s); 4082 4083 /* Ensure num_ops is zero'ed in case of context re-use. */ 4084 operation->num_ops = 0; 4085 4086 status = mbedtls_psa_ecp_load_representation(attributes->type, 4087 attributes->bits, 4088 key_buffer, 4089 key_buffer_size, 4090 &operation->ctx); 4091 4092 if (status != PSA_SUCCESS) { 4093 return status; 4094 } 4095 4096 coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits); 4097 4098 if (signature_length != 2 * coordinate_bytes) { 4099 return PSA_ERROR_INVALID_SIGNATURE; 4100 } 4101 4102 status = mbedtls_to_psa_error( 4103 mbedtls_mpi_read_binary(&operation->r, 4104 signature, 4105 coordinate_bytes)); 4106 4107 if (status != PSA_SUCCESS) { 4108 return status; 4109 } 4110 4111 status = mbedtls_to_psa_error( 4112 mbedtls_mpi_read_binary(&operation->s, 4113 signature + 4114 coordinate_bytes, 4115 coordinate_bytes)); 4116 4117 if (status != PSA_SUCCESS) { 4118 return status; 4119 } 4120 4121 status = mbedtls_psa_ecp_load_public_part(operation->ctx); 4122 4123 if (status != PSA_SUCCESS) { 4124 return status; 4125 } 4126 4127 /* We only need to store the same length of hash as the private key size 4128 * here, it would be truncated by the internal implementation anyway. */ 4129 required_hash_length = (hash_length < coordinate_bytes ? hash_length : 4130 coordinate_bytes); 4131 4132 if (required_hash_length > sizeof(operation->hash)) { 4133 /* Shouldn't happen, but better safe than sorry. */ 4134 return PSA_ERROR_CORRUPTION_DETECTED; 4135 } 4136 4137 memcpy(operation->hash, hash, required_hash_length); 4138 operation->hash_length = required_hash_length; 4139 4140 return PSA_SUCCESS; 4141 #else 4142 (void) operation; 4143 (void) key_buffer; 4144 (void) key_buffer_size; 4145 (void) alg; 4146 (void) hash; 4147 (void) hash_length; 4148 (void) signature; 4149 (void) signature_length; 4150 (void) status; 4151 (void) coordinate_bytes; 4152 (void) required_hash_length; 4153 4154 return PSA_ERROR_NOT_SUPPORTED; 4155 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 4156 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && 4157 * defined( MBEDTLS_ECP_RESTARTABLE ) */ 4158 } 4159 4160 psa_status_t mbedtls_psa_verify_hash_complete( 4161 mbedtls_psa_verify_hash_interruptible_operation_t *operation) 4162 { 4163 4164 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 4165 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ 4166 defined(MBEDTLS_ECP_RESTARTABLE) 4167 4168 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4169 4170 /* Ensure max_ops is set to the current value (or default). */ 4171 mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops()); 4172 4173 status = mbedtls_to_psa_error( 4174 mbedtls_ecdsa_verify_restartable(&operation->ctx->grp, 4175 operation->hash, 4176 operation->hash_length, 4177 &operation->ctx->Q, 4178 &operation->r, 4179 &operation->s, 4180 &operation->restart_ctx)); 4181 4182 /* Hide the fact that the restart context only holds a delta of number of 4183 * ops done during the last operation, not an absolute value. */ 4184 operation->num_ops += operation->restart_ctx.ecp.ops_done; 4185 4186 return status; 4187 #else 4188 (void) operation; 4189 4190 return PSA_ERROR_NOT_SUPPORTED; 4191 4192 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 4193 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && 4194 * defined( MBEDTLS_ECP_RESTARTABLE ) */ 4195 } 4196 4197 psa_status_t mbedtls_psa_verify_hash_abort( 4198 mbedtls_psa_verify_hash_interruptible_operation_t *operation) 4199 { 4200 4201 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ 4202 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ 4203 defined(MBEDTLS_ECP_RESTARTABLE) 4204 4205 if (operation->ctx) { 4206 mbedtls_ecdsa_free(operation->ctx); 4207 mbedtls_free(operation->ctx); 4208 operation->ctx = NULL; 4209 } 4210 4211 mbedtls_ecdsa_restart_free(&operation->restart_ctx); 4212 4213 operation->num_ops = 0; 4214 4215 mbedtls_mpi_free(&operation->r); 4216 mbedtls_mpi_free(&operation->s); 4217 4218 return PSA_SUCCESS; 4219 4220 #else 4221 (void) operation; 4222 4223 return PSA_ERROR_NOT_SUPPORTED; 4224 4225 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || 4226 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && 4227 * defined( MBEDTLS_ECP_RESTARTABLE ) */ 4228 } 4229 4230 static psa_status_t psa_generate_random_internal(uint8_t *output, 4231 size_t output_size) 4232 { 4233 GUARD_MODULE_INITIALIZED; 4234 4235 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) 4236 4237 psa_status_t status; 4238 size_t output_length = 0; 4239 status = mbedtls_psa_external_get_random(&global_data.rng, 4240 output, output_size, 4241 &output_length); 4242 if (status != PSA_SUCCESS) { 4243 return status; 4244 } 4245 /* Breaking up a request into smaller chunks is currently not supported 4246 * for the external RNG interface. */ 4247 if (output_length != output_size) { 4248 return PSA_ERROR_INSUFFICIENT_ENTROPY; 4249 } 4250 return PSA_SUCCESS; 4251 4252 #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ 4253 4254 while (output_size > 0) { 4255 int ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; 4256 size_t request_size = 4257 (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ? 4258 MBEDTLS_PSA_RANDOM_MAX_REQUEST : 4259 output_size); 4260 #if defined(MBEDTLS_CTR_DRBG_C) 4261 ret = mbedtls_ctr_drbg_random(&global_data.rng.drbg, output, request_size); 4262 #elif defined(MBEDTLS_HMAC_DRBG_C) 4263 ret = mbedtls_hmac_drbg_random(&global_data.rng.drbg, output, request_size); 4264 #endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */ 4265 if (ret != 0) { 4266 return mbedtls_to_psa_error(ret); 4267 } 4268 output_size -= request_size; 4269 output += request_size; 4270 } 4271 return PSA_SUCCESS; 4272 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ 4273 } 4274 4275 4276 /****************************************************************/ 4277 /* Symmetric cryptography */ 4278 /****************************************************************/ 4279 4280 static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation, 4281 mbedtls_svc_key_id_t key, 4282 psa_algorithm_t alg, 4283 mbedtls_operation_t cipher_operation) 4284 { 4285 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4286 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 4287 psa_key_slot_t *slot = NULL; 4288 psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ? 4289 PSA_KEY_USAGE_ENCRYPT : 4290 PSA_KEY_USAGE_DECRYPT); 4291 4292 /* A context must be freshly initialized before it can be set up. */ 4293 if (operation->id != 0) { 4294 status = PSA_ERROR_BAD_STATE; 4295 goto exit; 4296 } 4297 4298 if (!PSA_ALG_IS_CIPHER(alg)) { 4299 status = PSA_ERROR_INVALID_ARGUMENT; 4300 goto exit; 4301 } 4302 4303 status = psa_get_and_lock_key_slot_with_policy(key, &slot, usage, alg); 4304 if (status != PSA_SUCCESS) { 4305 goto exit; 4306 } 4307 4308 /* Initialize the operation struct members, except for id. The id member 4309 * is used to indicate to psa_cipher_abort that there are resources to free, 4310 * so we only set it (in the driver wrapper) after resources have been 4311 * allocated/initialized. */ 4312 operation->iv_set = 0; 4313 if (alg == PSA_ALG_ECB_NO_PADDING) { 4314 operation->iv_required = 0; 4315 } else { 4316 operation->iv_required = 1; 4317 } 4318 operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg); 4319 4320 /* Try doing the operation through a driver before using software fallback. */ 4321 if (cipher_operation == MBEDTLS_ENCRYPT) { 4322 status = psa_driver_wrapper_cipher_encrypt_setup(operation, 4323 &slot->attr, 4324 slot->key.data, 4325 slot->key.bytes, 4326 alg); 4327 } else { 4328 status = psa_driver_wrapper_cipher_decrypt_setup(operation, 4329 &slot->attr, 4330 slot->key.data, 4331 slot->key.bytes, 4332 alg); 4333 } 4334 4335 exit: 4336 if (status != PSA_SUCCESS) { 4337 psa_cipher_abort(operation); 4338 } 4339 4340 unlock_status = psa_unregister_read_under_mutex(slot); 4341 4342 return (status == PSA_SUCCESS) ? unlock_status : status; 4343 } 4344 4345 psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation, 4346 mbedtls_svc_key_id_t key, 4347 psa_algorithm_t alg) 4348 { 4349 return psa_cipher_setup(operation, key, alg, MBEDTLS_ENCRYPT); 4350 } 4351 4352 psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation, 4353 mbedtls_svc_key_id_t key, 4354 psa_algorithm_t alg) 4355 { 4356 return psa_cipher_setup(operation, key, alg, MBEDTLS_DECRYPT); 4357 } 4358 4359 psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation, 4360 uint8_t *iv_external, 4361 size_t iv_size, 4362 size_t *iv_length) 4363 { 4364 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4365 size_t default_iv_length = 0; 4366 4367 LOCAL_OUTPUT_DECLARE(iv_external, iv); 4368 4369 if (operation->id == 0) { 4370 status = PSA_ERROR_BAD_STATE; 4371 goto exit; 4372 } 4373 4374 if (operation->iv_set || !operation->iv_required) { 4375 status = PSA_ERROR_BAD_STATE; 4376 goto exit; 4377 } 4378 4379 default_iv_length = operation->default_iv_length; 4380 if (iv_size < default_iv_length) { 4381 status = PSA_ERROR_BUFFER_TOO_SMALL; 4382 goto exit; 4383 } 4384 4385 if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) { 4386 status = PSA_ERROR_GENERIC_ERROR; 4387 goto exit; 4388 } 4389 4390 LOCAL_OUTPUT_ALLOC(iv_external, default_iv_length, iv); 4391 4392 status = psa_generate_random_internal(iv, default_iv_length); 4393 if (status != PSA_SUCCESS) { 4394 goto exit; 4395 } 4396 4397 status = psa_driver_wrapper_cipher_set_iv(operation, 4398 iv, default_iv_length); 4399 4400 exit: 4401 if (status == PSA_SUCCESS) { 4402 *iv_length = default_iv_length; 4403 operation->iv_set = 1; 4404 } else { 4405 *iv_length = 0; 4406 psa_cipher_abort(operation); 4407 if (iv != NULL) { 4408 mbedtls_platform_zeroize(iv, default_iv_length); 4409 } 4410 } 4411 4412 LOCAL_OUTPUT_FREE(iv_external, iv); 4413 return status; 4414 } 4415 4416 psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation, 4417 const uint8_t *iv_external, 4418 size_t iv_length) 4419 { 4420 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4421 4422 LOCAL_INPUT_DECLARE(iv_external, iv); 4423 4424 if (operation->id == 0) { 4425 status = PSA_ERROR_BAD_STATE; 4426 goto exit; 4427 } 4428 4429 if (operation->iv_set || !operation->iv_required) { 4430 status = PSA_ERROR_BAD_STATE; 4431 goto exit; 4432 } 4433 4434 if (iv_length > PSA_CIPHER_IV_MAX_SIZE) { 4435 status = PSA_ERROR_INVALID_ARGUMENT; 4436 goto exit; 4437 } 4438 4439 LOCAL_INPUT_ALLOC(iv_external, iv_length, iv); 4440 4441 status = psa_driver_wrapper_cipher_set_iv(operation, 4442 iv, 4443 iv_length); 4444 4445 exit: 4446 if (status == PSA_SUCCESS) { 4447 operation->iv_set = 1; 4448 } else { 4449 psa_cipher_abort(operation); 4450 } 4451 4452 LOCAL_INPUT_FREE(iv_external, iv); 4453 4454 return status; 4455 } 4456 4457 psa_status_t psa_cipher_update(psa_cipher_operation_t *operation, 4458 const uint8_t *input_external, 4459 size_t input_length, 4460 uint8_t *output_external, 4461 size_t output_size, 4462 size_t *output_length) 4463 { 4464 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4465 4466 LOCAL_INPUT_DECLARE(input_external, input); 4467 LOCAL_OUTPUT_DECLARE(output_external, output); 4468 4469 if (operation->id == 0) { 4470 status = PSA_ERROR_BAD_STATE; 4471 goto exit; 4472 } 4473 4474 if (operation->iv_required && !operation->iv_set) { 4475 status = PSA_ERROR_BAD_STATE; 4476 goto exit; 4477 } 4478 4479 LOCAL_INPUT_ALLOC(input_external, input_length, input); 4480 LOCAL_OUTPUT_ALLOC(output_external, output_size, output); 4481 4482 status = psa_driver_wrapper_cipher_update(operation, 4483 input, 4484 input_length, 4485 output, 4486 output_size, 4487 output_length); 4488 4489 exit: 4490 if (status != PSA_SUCCESS) { 4491 psa_cipher_abort(operation); 4492 } 4493 4494 LOCAL_INPUT_FREE(input_external, input); 4495 LOCAL_OUTPUT_FREE(output_external, output); 4496 4497 return status; 4498 } 4499 4500 psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation, 4501 uint8_t *output_external, 4502 size_t output_size, 4503 size_t *output_length) 4504 { 4505 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 4506 4507 LOCAL_OUTPUT_DECLARE(output_external, output); 4508 4509 if (operation->id == 0) { 4510 status = PSA_ERROR_BAD_STATE; 4511 goto exit; 4512 } 4513 4514 if (operation->iv_required && !operation->iv_set) { 4515 status = PSA_ERROR_BAD_STATE; 4516 goto exit; 4517 } 4518 4519 LOCAL_OUTPUT_ALLOC(output_external, output_size, output); 4520 4521 status = psa_driver_wrapper_cipher_finish(operation, 4522 output, 4523 output_size, 4524 output_length); 4525 4526 exit: 4527 if (status == PSA_SUCCESS) { 4528 status = psa_cipher_abort(operation); 4529 } else { 4530 *output_length = 0; 4531 (void) psa_cipher_abort(operation); 4532 } 4533 4534 LOCAL_OUTPUT_FREE(output_external, output); 4535 4536 return status; 4537 } 4538 4539 psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation) 4540 { 4541 if (operation->id == 0) { 4542 /* The object has (apparently) been initialized but it is not (yet) 4543 * in use. It's ok to call abort on such an object, and there's 4544 * nothing to do. */ 4545 return PSA_SUCCESS; 4546 } 4547 4548 psa_driver_wrapper_cipher_abort(operation); 4549 4550 operation->id = 0; 4551 operation->iv_set = 0; 4552 operation->iv_required = 0; 4553 4554 return PSA_SUCCESS; 4555 } 4556 4557 psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, 4558 psa_algorithm_t alg, 4559 const uint8_t *input_external, 4560 size_t input_length, 4561 uint8_t *output_external, 4562 size_t output_size, 4563 size_t *output_length) 4564 { 4565 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4566 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 4567 psa_key_slot_t *slot = NULL; 4568 uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; 4569 size_t default_iv_length = 0; 4570 4571 LOCAL_INPUT_DECLARE(input_external, input); 4572 LOCAL_OUTPUT_DECLARE(output_external, output); 4573 4574 if (!PSA_ALG_IS_CIPHER(alg)) { 4575 status = PSA_ERROR_INVALID_ARGUMENT; 4576 goto exit; 4577 } 4578 4579 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 4580 PSA_KEY_USAGE_ENCRYPT, 4581 alg); 4582 if (status != PSA_SUCCESS) { 4583 goto exit; 4584 } 4585 4586 default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg); 4587 if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) { 4588 status = PSA_ERROR_GENERIC_ERROR; 4589 goto exit; 4590 } 4591 4592 if (default_iv_length > 0) { 4593 if (output_size < default_iv_length) { 4594 status = PSA_ERROR_BUFFER_TOO_SMALL; 4595 goto exit; 4596 } 4597 4598 status = psa_generate_random_internal(local_iv, default_iv_length); 4599 if (status != PSA_SUCCESS) { 4600 goto exit; 4601 } 4602 } 4603 4604 LOCAL_INPUT_ALLOC(input_external, input_length, input); 4605 LOCAL_OUTPUT_ALLOC(output_external, output_size, output); 4606 4607 status = psa_driver_wrapper_cipher_encrypt( 4608 &slot->attr, slot->key.data, slot->key.bytes, 4609 alg, local_iv, default_iv_length, input, input_length, 4610 psa_crypto_buffer_offset(output, default_iv_length), 4611 output_size - default_iv_length, output_length); 4612 4613 exit: 4614 unlock_status = psa_unregister_read_under_mutex(slot); 4615 if (status == PSA_SUCCESS) { 4616 status = unlock_status; 4617 } 4618 4619 if (status == PSA_SUCCESS) { 4620 if (default_iv_length > 0) { 4621 memcpy(output, local_iv, default_iv_length); 4622 } 4623 *output_length += default_iv_length; 4624 } else { 4625 *output_length = 0; 4626 } 4627 4628 LOCAL_INPUT_FREE(input_external, input); 4629 LOCAL_OUTPUT_FREE(output_external, output); 4630 4631 return status; 4632 } 4633 4634 psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, 4635 psa_algorithm_t alg, 4636 const uint8_t *input_external, 4637 size_t input_length, 4638 uint8_t *output_external, 4639 size_t output_size, 4640 size_t *output_length) 4641 { 4642 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4643 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 4644 psa_key_slot_t *slot = NULL; 4645 4646 LOCAL_INPUT_DECLARE(input_external, input); 4647 LOCAL_OUTPUT_DECLARE(output_external, output); 4648 4649 if (!PSA_ALG_IS_CIPHER(alg)) { 4650 status = PSA_ERROR_INVALID_ARGUMENT; 4651 goto exit; 4652 } 4653 4654 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 4655 PSA_KEY_USAGE_DECRYPT, 4656 alg); 4657 if (status != PSA_SUCCESS) { 4658 goto exit; 4659 } 4660 4661 if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) { 4662 status = PSA_ERROR_INVALID_ARGUMENT; 4663 goto exit; 4664 } 4665 4666 LOCAL_INPUT_ALLOC(input_external, input_length, input); 4667 LOCAL_OUTPUT_ALLOC(output_external, output_size, output); 4668 4669 status = psa_driver_wrapper_cipher_decrypt( 4670 &slot->attr, slot->key.data, slot->key.bytes, 4671 alg, input, input_length, 4672 output, output_size, output_length); 4673 4674 exit: 4675 unlock_status = psa_unregister_read_under_mutex(slot); 4676 if (status == PSA_SUCCESS) { 4677 status = unlock_status; 4678 } 4679 4680 if (status != PSA_SUCCESS) { 4681 *output_length = 0; 4682 } 4683 4684 LOCAL_INPUT_FREE(input_external, input); 4685 LOCAL_OUTPUT_FREE(output_external, output); 4686 4687 return status; 4688 } 4689 4690 4691 /****************************************************************/ 4692 /* AEAD */ 4693 /****************************************************************/ 4694 4695 /* Helper function to get the base algorithm from its variants. */ 4696 static psa_algorithm_t psa_aead_get_base_algorithm(psa_algorithm_t alg) 4697 { 4698 return PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg); 4699 } 4700 4701 /* Helper function to perform common nonce length checks. */ 4702 static psa_status_t psa_aead_check_nonce_length(psa_algorithm_t alg, 4703 size_t nonce_length) 4704 { 4705 psa_algorithm_t base_alg = psa_aead_get_base_algorithm(alg); 4706 4707 switch (base_alg) { 4708 #if defined(PSA_WANT_ALG_GCM) 4709 case PSA_ALG_GCM: 4710 /* Not checking max nonce size here as GCM spec allows almost 4711 * arbitrarily large nonces. Please note that we do not generally 4712 * recommend the usage of nonces of greater length than 4713 * PSA_AEAD_NONCE_MAX_SIZE, as large nonces are hashed to a shorter 4714 * size, which can then lead to collisions if you encrypt a very 4715 * large number of messages.*/ 4716 if (nonce_length != 0) { 4717 return PSA_SUCCESS; 4718 } 4719 break; 4720 #endif /* PSA_WANT_ALG_GCM */ 4721 #if defined(PSA_WANT_ALG_CCM) 4722 case PSA_ALG_CCM: 4723 if (nonce_length >= 7 && nonce_length <= 13) { 4724 return PSA_SUCCESS; 4725 } 4726 break; 4727 #endif /* PSA_WANT_ALG_CCM */ 4728 #if defined(PSA_WANT_ALG_CHACHA20_POLY1305) 4729 case PSA_ALG_CHACHA20_POLY1305: 4730 if (nonce_length == 12) { 4731 return PSA_SUCCESS; 4732 } else if (nonce_length == 8) { 4733 return PSA_ERROR_NOT_SUPPORTED; 4734 } 4735 break; 4736 #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ 4737 default: 4738 (void) nonce_length; 4739 return PSA_ERROR_NOT_SUPPORTED; 4740 } 4741 4742 return PSA_ERROR_INVALID_ARGUMENT; 4743 } 4744 4745 static psa_status_t psa_aead_check_algorithm(psa_algorithm_t alg) 4746 { 4747 if (!PSA_ALG_IS_AEAD(alg) || PSA_ALG_IS_WILDCARD(alg)) { 4748 return PSA_ERROR_INVALID_ARGUMENT; 4749 } 4750 4751 return PSA_SUCCESS; 4752 } 4753 4754 psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key, 4755 psa_algorithm_t alg, 4756 const uint8_t *nonce_external, 4757 size_t nonce_length, 4758 const uint8_t *additional_data_external, 4759 size_t additional_data_length, 4760 const uint8_t *plaintext_external, 4761 size_t plaintext_length, 4762 uint8_t *ciphertext_external, 4763 size_t ciphertext_size, 4764 size_t *ciphertext_length) 4765 { 4766 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4767 psa_key_slot_t *slot; 4768 4769 LOCAL_INPUT_DECLARE(nonce_external, nonce); 4770 LOCAL_INPUT_DECLARE(additional_data_external, additional_data); 4771 LOCAL_INPUT_DECLARE(plaintext_external, plaintext); 4772 LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext); 4773 4774 *ciphertext_length = 0; 4775 4776 status = psa_aead_check_algorithm(alg); 4777 if (status != PSA_SUCCESS) { 4778 return status; 4779 } 4780 4781 status = psa_get_and_lock_key_slot_with_policy( 4782 key, &slot, PSA_KEY_USAGE_ENCRYPT, alg); 4783 if (status != PSA_SUCCESS) { 4784 return status; 4785 } 4786 4787 LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce); 4788 LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length, additional_data); 4789 LOCAL_INPUT_ALLOC(plaintext_external, plaintext_length, plaintext); 4790 LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext); 4791 4792 status = psa_aead_check_nonce_length(alg, nonce_length); 4793 if (status != PSA_SUCCESS) { 4794 goto exit; 4795 } 4796 4797 status = psa_driver_wrapper_aead_encrypt( 4798 &slot->attr, slot->key.data, slot->key.bytes, 4799 alg, 4800 nonce, nonce_length, 4801 additional_data, additional_data_length, 4802 plaintext, plaintext_length, 4803 ciphertext, ciphertext_size, ciphertext_length); 4804 4805 if (status != PSA_SUCCESS && ciphertext_size != 0) { 4806 memset(ciphertext, 0, ciphertext_size); 4807 } 4808 4809 exit: 4810 LOCAL_INPUT_FREE(nonce_external, nonce); 4811 LOCAL_INPUT_FREE(additional_data_external, additional_data); 4812 LOCAL_INPUT_FREE(plaintext_external, plaintext); 4813 LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext); 4814 4815 psa_unregister_read_under_mutex(slot); 4816 4817 return status; 4818 } 4819 4820 psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key, 4821 psa_algorithm_t alg, 4822 const uint8_t *nonce_external, 4823 size_t nonce_length, 4824 const uint8_t *additional_data_external, 4825 size_t additional_data_length, 4826 const uint8_t *ciphertext_external, 4827 size_t ciphertext_length, 4828 uint8_t *plaintext_external, 4829 size_t plaintext_size, 4830 size_t *plaintext_length) 4831 { 4832 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4833 psa_key_slot_t *slot; 4834 4835 LOCAL_INPUT_DECLARE(nonce_external, nonce); 4836 LOCAL_INPUT_DECLARE(additional_data_external, additional_data); 4837 LOCAL_INPUT_DECLARE(ciphertext_external, ciphertext); 4838 LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext); 4839 4840 *plaintext_length = 0; 4841 4842 status = psa_aead_check_algorithm(alg); 4843 if (status != PSA_SUCCESS) { 4844 return status; 4845 } 4846 4847 status = psa_get_and_lock_key_slot_with_policy( 4848 key, &slot, PSA_KEY_USAGE_DECRYPT, alg); 4849 if (status != PSA_SUCCESS) { 4850 return status; 4851 } 4852 4853 LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce); 4854 LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length, 4855 additional_data); 4856 LOCAL_INPUT_ALLOC(ciphertext_external, ciphertext_length, ciphertext); 4857 LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext); 4858 4859 status = psa_aead_check_nonce_length(alg, nonce_length); 4860 if (status != PSA_SUCCESS) { 4861 goto exit; 4862 } 4863 4864 status = psa_driver_wrapper_aead_decrypt( 4865 &slot->attr, slot->key.data, slot->key.bytes, 4866 alg, 4867 nonce, nonce_length, 4868 additional_data, additional_data_length, 4869 ciphertext, ciphertext_length, 4870 plaintext, plaintext_size, plaintext_length); 4871 4872 if (status != PSA_SUCCESS && plaintext_size != 0) { 4873 memset(plaintext, 0, plaintext_size); 4874 } 4875 4876 exit: 4877 LOCAL_INPUT_FREE(nonce_external, nonce); 4878 LOCAL_INPUT_FREE(additional_data_external, additional_data); 4879 LOCAL_INPUT_FREE(ciphertext_external, ciphertext); 4880 LOCAL_OUTPUT_FREE(plaintext_external, plaintext); 4881 4882 psa_unregister_read_under_mutex(slot); 4883 4884 return status; 4885 } 4886 4887 static psa_status_t psa_validate_tag_length(psa_algorithm_t alg) 4888 { 4889 const uint8_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg); 4890 4891 switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) { 4892 #if defined(PSA_WANT_ALG_CCM) 4893 case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0): 4894 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.*/ 4895 if (tag_len < 4 || tag_len > 16 || tag_len % 2) { 4896 return PSA_ERROR_INVALID_ARGUMENT; 4897 } 4898 break; 4899 #endif /* PSA_WANT_ALG_CCM */ 4900 4901 #if defined(PSA_WANT_ALG_GCM) 4902 case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0): 4903 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. */ 4904 if (tag_len != 4 && tag_len != 8 && (tag_len < 12 || tag_len > 16)) { 4905 return PSA_ERROR_INVALID_ARGUMENT; 4906 } 4907 break; 4908 #endif /* PSA_WANT_ALG_GCM */ 4909 4910 #if defined(PSA_WANT_ALG_CHACHA20_POLY1305) 4911 case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0): 4912 /* We only support the default tag length. */ 4913 if (tag_len != 16) { 4914 return PSA_ERROR_INVALID_ARGUMENT; 4915 } 4916 break; 4917 #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ 4918 4919 default: 4920 (void) tag_len; 4921 return PSA_ERROR_NOT_SUPPORTED; 4922 } 4923 return PSA_SUCCESS; 4924 } 4925 4926 /* Set the key for a multipart authenticated operation. */ 4927 static psa_status_t psa_aead_setup(psa_aead_operation_t *operation, 4928 int is_encrypt, 4929 mbedtls_svc_key_id_t key, 4930 psa_algorithm_t alg) 4931 { 4932 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 4933 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 4934 psa_key_slot_t *slot = NULL; 4935 psa_key_usage_t key_usage = 0; 4936 4937 status = psa_aead_check_algorithm(alg); 4938 if (status != PSA_SUCCESS) { 4939 goto exit; 4940 } 4941 4942 if (operation->id != 0) { 4943 status = PSA_ERROR_BAD_STATE; 4944 goto exit; 4945 } 4946 4947 if (operation->nonce_set || operation->lengths_set || 4948 operation->ad_started || operation->body_started) { 4949 status = PSA_ERROR_BAD_STATE; 4950 goto exit; 4951 } 4952 4953 if (is_encrypt) { 4954 key_usage = PSA_KEY_USAGE_ENCRYPT; 4955 } else { 4956 key_usage = PSA_KEY_USAGE_DECRYPT; 4957 } 4958 4959 status = psa_get_and_lock_key_slot_with_policy(key, &slot, key_usage, 4960 alg); 4961 if (status != PSA_SUCCESS) { 4962 goto exit; 4963 } 4964 4965 if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) { 4966 goto exit; 4967 } 4968 4969 if (is_encrypt) { 4970 status = psa_driver_wrapper_aead_encrypt_setup(operation, 4971 &slot->attr, 4972 slot->key.data, 4973 slot->key.bytes, 4974 alg); 4975 } else { 4976 status = psa_driver_wrapper_aead_decrypt_setup(operation, 4977 &slot->attr, 4978 slot->key.data, 4979 slot->key.bytes, 4980 alg); 4981 } 4982 if (status != PSA_SUCCESS) { 4983 goto exit; 4984 } 4985 4986 operation->key_type = psa_get_key_type(&slot->attr); 4987 4988 exit: 4989 unlock_status = psa_unregister_read_under_mutex(slot); 4990 4991 if (status == PSA_SUCCESS) { 4992 status = unlock_status; 4993 operation->alg = psa_aead_get_base_algorithm(alg); 4994 operation->is_encrypt = is_encrypt; 4995 } else { 4996 psa_aead_abort(operation); 4997 } 4998 4999 return status; 5000 } 5001 5002 /* Set the key for a multipart authenticated encryption operation. */ 5003 psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation, 5004 mbedtls_svc_key_id_t key, 5005 psa_algorithm_t alg) 5006 { 5007 return psa_aead_setup(operation, 1, key, alg); 5008 } 5009 5010 /* Set the key for a multipart authenticated decryption operation. */ 5011 psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation, 5012 mbedtls_svc_key_id_t key, 5013 psa_algorithm_t alg) 5014 { 5015 return psa_aead_setup(operation, 0, key, alg); 5016 } 5017 5018 static psa_status_t psa_aead_set_nonce_internal(psa_aead_operation_t *operation, 5019 const uint8_t *nonce, 5020 size_t nonce_length) 5021 { 5022 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5023 5024 if (operation->id == 0) { 5025 status = PSA_ERROR_BAD_STATE; 5026 goto exit; 5027 } 5028 5029 if (operation->nonce_set) { 5030 status = PSA_ERROR_BAD_STATE; 5031 goto exit; 5032 } 5033 5034 status = psa_aead_check_nonce_length(operation->alg, nonce_length); 5035 if (status != PSA_SUCCESS) { 5036 status = PSA_ERROR_INVALID_ARGUMENT; 5037 goto exit; 5038 } 5039 5040 status = psa_driver_wrapper_aead_set_nonce(operation, nonce, 5041 nonce_length); 5042 5043 exit: 5044 if (status == PSA_SUCCESS) { 5045 operation->nonce_set = 1; 5046 } else { 5047 psa_aead_abort(operation); 5048 } 5049 5050 return status; 5051 } 5052 5053 /* Generate a random nonce / IV for multipart AEAD operation */ 5054 psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation, 5055 uint8_t *nonce_external, 5056 size_t nonce_size, 5057 size_t *nonce_length) 5058 { 5059 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5060 uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE]; 5061 size_t required_nonce_size = 0; 5062 5063 LOCAL_OUTPUT_DECLARE(nonce_external, nonce); 5064 LOCAL_OUTPUT_ALLOC(nonce_external, nonce_size, nonce); 5065 5066 *nonce_length = 0; 5067 5068 if (operation->id == 0) { 5069 status = PSA_ERROR_BAD_STATE; 5070 goto exit; 5071 } 5072 5073 if (operation->nonce_set || !operation->is_encrypt) { 5074 status = PSA_ERROR_BAD_STATE; 5075 goto exit; 5076 } 5077 5078 /* For CCM, this size may not be correct according to the PSA 5079 * specification. The PSA Crypto 1.0.1 specification states: 5080 * 5081 * CCM encodes the plaintext length pLen in L octets, with L the smallest 5082 * integer >= 2 where pLen < 2^(8L). The nonce length is then 15 - L bytes. 5083 * 5084 * However this restriction that L has to be the smallest integer is not 5085 * applied in practice, and it is not implementable here since the 5086 * plaintext length may or may not be known at this time. */ 5087 required_nonce_size = PSA_AEAD_NONCE_LENGTH(operation->key_type, 5088 operation->alg); 5089 if (nonce_size < required_nonce_size) { 5090 status = PSA_ERROR_BUFFER_TOO_SMALL; 5091 goto exit; 5092 } 5093 5094 status = psa_generate_random_internal(local_nonce, required_nonce_size); 5095 if (status != PSA_SUCCESS) { 5096 goto exit; 5097 } 5098 5099 status = psa_aead_set_nonce_internal(operation, local_nonce, 5100 required_nonce_size); 5101 5102 exit: 5103 if (status == PSA_SUCCESS) { 5104 memcpy(nonce, local_nonce, required_nonce_size); 5105 *nonce_length = required_nonce_size; 5106 } else { 5107 psa_aead_abort(operation); 5108 } 5109 5110 LOCAL_OUTPUT_FREE(nonce_external, nonce); 5111 5112 return status; 5113 } 5114 5115 /* Set the nonce for a multipart authenticated encryption or decryption 5116 operation.*/ 5117 psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation, 5118 const uint8_t *nonce_external, 5119 size_t nonce_length) 5120 { 5121 psa_status_t status; 5122 5123 LOCAL_INPUT_DECLARE(nonce_external, nonce); 5124 LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce); 5125 5126 status = psa_aead_set_nonce_internal(operation, nonce, nonce_length); 5127 5128 /* Exit label is only needed for buffer copying, prevent unused warnings. */ 5129 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 5130 exit: 5131 #endif 5132 5133 LOCAL_INPUT_FREE(nonce_external, nonce); 5134 5135 return status; 5136 } 5137 5138 /* Declare the lengths of the message and additional data for multipart AEAD. */ 5139 psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation, 5140 size_t ad_length, 5141 size_t plaintext_length) 5142 { 5143 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5144 5145 if (operation->id == 0) { 5146 status = PSA_ERROR_BAD_STATE; 5147 goto exit; 5148 } 5149 5150 if (operation->lengths_set || operation->ad_started || 5151 operation->body_started) { 5152 status = PSA_ERROR_BAD_STATE; 5153 goto exit; 5154 } 5155 5156 switch (operation->alg) { 5157 #if defined(PSA_WANT_ALG_GCM) 5158 case PSA_ALG_GCM: 5159 /* Lengths can only be too large for GCM if size_t is bigger than 32 5160 * bits. Without the guard this code will generate warnings on 32bit 5161 * builds. */ 5162 #if SIZE_MAX > UINT32_MAX 5163 if (((uint64_t) ad_length) >> 61 != 0 || 5164 ((uint64_t) plaintext_length) > 0xFFFFFFFE0ull) { 5165 status = PSA_ERROR_INVALID_ARGUMENT; 5166 goto exit; 5167 } 5168 #endif 5169 break; 5170 #endif /* PSA_WANT_ALG_GCM */ 5171 #if defined(PSA_WANT_ALG_CCM) 5172 case PSA_ALG_CCM: 5173 if (ad_length > 0xFF00) { 5174 status = PSA_ERROR_INVALID_ARGUMENT; 5175 goto exit; 5176 } 5177 break; 5178 #endif /* PSA_WANT_ALG_CCM */ 5179 #if defined(PSA_WANT_ALG_CHACHA20_POLY1305) 5180 case PSA_ALG_CHACHA20_POLY1305: 5181 /* No length restrictions for ChaChaPoly. */ 5182 break; 5183 #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ 5184 default: 5185 break; 5186 } 5187 5188 status = psa_driver_wrapper_aead_set_lengths(operation, ad_length, 5189 plaintext_length); 5190 5191 exit: 5192 if (status == PSA_SUCCESS) { 5193 operation->ad_remaining = ad_length; 5194 operation->body_remaining = plaintext_length; 5195 operation->lengths_set = 1; 5196 } else { 5197 psa_aead_abort(operation); 5198 } 5199 5200 return status; 5201 } 5202 5203 /* Pass additional data to an active multipart AEAD operation. */ 5204 psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation, 5205 const uint8_t *input_external, 5206 size_t input_length) 5207 { 5208 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5209 5210 LOCAL_INPUT_DECLARE(input_external, input); 5211 LOCAL_INPUT_ALLOC(input_external, input_length, input); 5212 5213 if (operation->id == 0) { 5214 status = PSA_ERROR_BAD_STATE; 5215 goto exit; 5216 } 5217 5218 if (!operation->nonce_set || operation->body_started) { 5219 status = PSA_ERROR_BAD_STATE; 5220 goto exit; 5221 } 5222 5223 /* No input to add (zero length), nothing to do. */ 5224 if (input_length == 0) { 5225 status = PSA_SUCCESS; 5226 goto exit; 5227 } 5228 5229 if (operation->lengths_set) { 5230 if (operation->ad_remaining < input_length) { 5231 status = PSA_ERROR_INVALID_ARGUMENT; 5232 goto exit; 5233 } 5234 5235 operation->ad_remaining -= input_length; 5236 } 5237 #if defined(PSA_WANT_ALG_CCM) 5238 else if (operation->alg == PSA_ALG_CCM) { 5239 status = PSA_ERROR_BAD_STATE; 5240 goto exit; 5241 } 5242 #endif /* PSA_WANT_ALG_CCM */ 5243 5244 status = psa_driver_wrapper_aead_update_ad(operation, input, 5245 input_length); 5246 5247 exit: 5248 if (status == PSA_SUCCESS) { 5249 operation->ad_started = 1; 5250 } else { 5251 psa_aead_abort(operation); 5252 } 5253 5254 LOCAL_INPUT_FREE(input_external, input); 5255 5256 return status; 5257 } 5258 5259 /* Encrypt or decrypt a message fragment in an active multipart AEAD 5260 operation.*/ 5261 psa_status_t psa_aead_update(psa_aead_operation_t *operation, 5262 const uint8_t *input_external, 5263 size_t input_length, 5264 uint8_t *output_external, 5265 size_t output_size, 5266 size_t *output_length) 5267 { 5268 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5269 5270 5271 LOCAL_INPUT_DECLARE(input_external, input); 5272 LOCAL_OUTPUT_DECLARE(output_external, output); 5273 5274 LOCAL_INPUT_ALLOC(input_external, input_length, input); 5275 LOCAL_OUTPUT_ALLOC(output_external, output_size, output); 5276 5277 *output_length = 0; 5278 5279 if (operation->id == 0) { 5280 status = PSA_ERROR_BAD_STATE; 5281 goto exit; 5282 } 5283 5284 if (!operation->nonce_set) { 5285 status = PSA_ERROR_BAD_STATE; 5286 goto exit; 5287 } 5288 5289 if (operation->lengths_set) { 5290 /* Additional data length was supplied, but not all the additional 5291 data was supplied.*/ 5292 if (operation->ad_remaining != 0) { 5293 status = PSA_ERROR_INVALID_ARGUMENT; 5294 goto exit; 5295 } 5296 5297 /* Too much data provided. */ 5298 if (operation->body_remaining < input_length) { 5299 status = PSA_ERROR_INVALID_ARGUMENT; 5300 goto exit; 5301 } 5302 5303 operation->body_remaining -= input_length; 5304 } 5305 #if defined(PSA_WANT_ALG_CCM) 5306 else if (operation->alg == PSA_ALG_CCM) { 5307 status = PSA_ERROR_BAD_STATE; 5308 goto exit; 5309 } 5310 #endif /* PSA_WANT_ALG_CCM */ 5311 5312 status = psa_driver_wrapper_aead_update(operation, input, input_length, 5313 output, output_size, 5314 output_length); 5315 5316 exit: 5317 if (status == PSA_SUCCESS) { 5318 operation->body_started = 1; 5319 } else { 5320 psa_aead_abort(operation); 5321 } 5322 5323 LOCAL_INPUT_FREE(input_external, input); 5324 LOCAL_OUTPUT_FREE(output_external, output); 5325 5326 return status; 5327 } 5328 5329 static psa_status_t psa_aead_final_checks(const psa_aead_operation_t *operation) 5330 { 5331 if (operation->id == 0 || !operation->nonce_set) { 5332 return PSA_ERROR_BAD_STATE; 5333 } 5334 5335 if (operation->lengths_set && (operation->ad_remaining != 0 || 5336 operation->body_remaining != 0)) { 5337 return PSA_ERROR_INVALID_ARGUMENT; 5338 } 5339 5340 return PSA_SUCCESS; 5341 } 5342 5343 /* Finish encrypting a message in a multipart AEAD operation. */ 5344 psa_status_t psa_aead_finish(psa_aead_operation_t *operation, 5345 uint8_t *ciphertext_external, 5346 size_t ciphertext_size, 5347 size_t *ciphertext_length, 5348 uint8_t *tag_external, 5349 size_t tag_size, 5350 size_t *tag_length) 5351 { 5352 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5353 5354 LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext); 5355 LOCAL_OUTPUT_DECLARE(tag_external, tag); 5356 5357 LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext); 5358 LOCAL_OUTPUT_ALLOC(tag_external, tag_size, tag); 5359 5360 *ciphertext_length = 0; 5361 *tag_length = tag_size; 5362 5363 status = psa_aead_final_checks(operation); 5364 if (status != PSA_SUCCESS) { 5365 goto exit; 5366 } 5367 5368 if (!operation->is_encrypt) { 5369 status = PSA_ERROR_BAD_STATE; 5370 goto exit; 5371 } 5372 5373 status = psa_driver_wrapper_aead_finish(operation, ciphertext, 5374 ciphertext_size, 5375 ciphertext_length, 5376 tag, tag_size, tag_length); 5377 5378 exit: 5379 5380 5381 /* In case the operation fails and the user fails to check for failure or 5382 * the zero tag size, make sure the tag is set to something implausible. 5383 * Even if the operation succeeds, make sure we clear the rest of the 5384 * buffer to prevent potential leakage of anything previously placed in 5385 * the same buffer.*/ 5386 psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length); 5387 5388 psa_aead_abort(operation); 5389 5390 LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext); 5391 LOCAL_OUTPUT_FREE(tag_external, tag); 5392 5393 return status; 5394 } 5395 5396 /* Finish authenticating and decrypting a message in a multipart AEAD 5397 operation.*/ 5398 psa_status_t psa_aead_verify(psa_aead_operation_t *operation, 5399 uint8_t *plaintext_external, 5400 size_t plaintext_size, 5401 size_t *plaintext_length, 5402 const uint8_t *tag_external, 5403 size_t tag_length) 5404 { 5405 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5406 5407 LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext); 5408 LOCAL_INPUT_DECLARE(tag_external, tag); 5409 5410 LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext); 5411 LOCAL_INPUT_ALLOC(tag_external, tag_length, tag); 5412 5413 *plaintext_length = 0; 5414 5415 status = psa_aead_final_checks(operation); 5416 if (status != PSA_SUCCESS) { 5417 goto exit; 5418 } 5419 5420 if (operation->is_encrypt) { 5421 status = PSA_ERROR_BAD_STATE; 5422 goto exit; 5423 } 5424 5425 status = psa_driver_wrapper_aead_verify(operation, plaintext, 5426 plaintext_size, 5427 plaintext_length, 5428 tag, tag_length); 5429 5430 exit: 5431 psa_aead_abort(operation); 5432 5433 LOCAL_OUTPUT_FREE(plaintext_external, plaintext); 5434 LOCAL_INPUT_FREE(tag_external, tag); 5435 5436 return status; 5437 } 5438 5439 /* Abort an AEAD operation. */ 5440 psa_status_t psa_aead_abort(psa_aead_operation_t *operation) 5441 { 5442 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5443 5444 if (operation->id == 0) { 5445 /* The object has (apparently) been initialized but it is not (yet) 5446 * in use. It's ok to call abort on such an object, and there's 5447 * nothing to do. */ 5448 return PSA_SUCCESS; 5449 } 5450 5451 status = psa_driver_wrapper_aead_abort(operation); 5452 5453 memset(operation, 0, sizeof(*operation)); 5454 5455 return status; 5456 } 5457 5458 /****************************************************************/ 5459 /* Generators */ 5460 /****************************************************************/ 5461 5462 #if defined(BUILTIN_ALG_ANY_HKDF) || \ 5463 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ 5464 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \ 5465 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \ 5466 defined(PSA_HAVE_SOFT_PBKDF2) 5467 #define AT_LEAST_ONE_BUILTIN_KDF 5468 #endif /* At least one builtin KDF */ 5469 5470 #if defined(BUILTIN_ALG_ANY_HKDF) || \ 5471 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ 5472 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) 5473 static psa_status_t psa_key_derivation_start_hmac( 5474 psa_mac_operation_t *operation, 5475 psa_algorithm_t hash_alg, 5476 const uint8_t *hmac_key, 5477 size_t hmac_key_length) 5478 { 5479 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5480 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5481 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); 5482 psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(hmac_key_length)); 5483 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 5484 5485 operation->is_sign = 1; 5486 operation->mac_size = PSA_HASH_LENGTH(hash_alg); 5487 5488 status = psa_driver_wrapper_mac_sign_setup(operation, 5489 &attributes, 5490 hmac_key, hmac_key_length, 5491 PSA_ALG_HMAC(hash_alg)); 5492 5493 psa_reset_key_attributes(&attributes); 5494 return status; 5495 } 5496 #endif /* KDF algorithms reliant on HMAC */ 5497 5498 #define HKDF_STATE_INIT 0 /* no input yet */ 5499 #define HKDF_STATE_STARTED 1 /* got salt */ 5500 #define HKDF_STATE_KEYED 2 /* got key */ 5501 #define HKDF_STATE_OUTPUT 3 /* output started */ 5502 5503 static psa_algorithm_t psa_key_derivation_get_kdf_alg( 5504 const psa_key_derivation_operation_t *operation) 5505 { 5506 if (PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) { 5507 return PSA_ALG_KEY_AGREEMENT_GET_KDF(operation->alg); 5508 } else { 5509 return operation->alg; 5510 } 5511 } 5512 5513 psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation) 5514 { 5515 psa_status_t status = PSA_SUCCESS; 5516 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation); 5517 if (kdf_alg == 0) { 5518 /* The object has (apparently) been initialized but it is not 5519 * in use. It's ok to call abort on such an object, and there's 5520 * nothing to do. */ 5521 } else 5522 #if defined(BUILTIN_ALG_ANY_HKDF) 5523 if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) { 5524 mbedtls_free(operation->ctx.hkdf.info); 5525 status = psa_mac_abort(&operation->ctx.hkdf.hmac); 5526 } else 5527 #endif /* BUILTIN_ALG_ANY_HKDF */ 5528 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ 5529 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) 5530 if (PSA_ALG_IS_TLS12_PRF(kdf_alg) || 5531 /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */ 5532 PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { 5533 if (operation->ctx.tls12_prf.secret != NULL) { 5534 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.secret, 5535 operation->ctx.tls12_prf.secret_length); 5536 } 5537 5538 if (operation->ctx.tls12_prf.seed != NULL) { 5539 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.seed, 5540 operation->ctx.tls12_prf.seed_length); 5541 } 5542 5543 if (operation->ctx.tls12_prf.label != NULL) { 5544 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.label, 5545 operation->ctx.tls12_prf.label_length); 5546 } 5547 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) 5548 if (operation->ctx.tls12_prf.other_secret != NULL) { 5549 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.other_secret, 5550 operation->ctx.tls12_prf.other_secret_length); 5551 } 5552 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ 5553 status = PSA_SUCCESS; 5554 5555 /* We leave the fields Ai and output_block to be erased safely by the 5556 * mbedtls_platform_zeroize() in the end of this function. */ 5557 } else 5558 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || 5559 * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */ 5560 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) 5561 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { 5562 mbedtls_platform_zeroize(operation->ctx.tls12_ecjpake_to_pms.data, 5563 sizeof(operation->ctx.tls12_ecjpake_to_pms.data)); 5564 } else 5565 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */ 5566 #if defined(PSA_HAVE_SOFT_PBKDF2) 5567 if (PSA_ALG_IS_PBKDF2(kdf_alg)) { 5568 if (operation->ctx.pbkdf2.salt != NULL) { 5569 mbedtls_zeroize_and_free(operation->ctx.pbkdf2.salt, 5570 operation->ctx.pbkdf2.salt_length); 5571 } 5572 5573 status = PSA_SUCCESS; 5574 } else 5575 #endif /* defined(PSA_HAVE_SOFT_PBKDF2) */ 5576 { 5577 status = PSA_ERROR_BAD_STATE; 5578 } 5579 mbedtls_platform_zeroize(operation, sizeof(*operation)); 5580 return status; 5581 } 5582 5583 psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation, 5584 size_t *capacity) 5585 { 5586 if (operation->alg == 0) { 5587 /* This is a blank key derivation operation. */ 5588 return PSA_ERROR_BAD_STATE; 5589 } 5590 5591 *capacity = operation->capacity; 5592 return PSA_SUCCESS; 5593 } 5594 5595 psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t *operation, 5596 size_t capacity) 5597 { 5598 if (operation->alg == 0) { 5599 return PSA_ERROR_BAD_STATE; 5600 } 5601 if (capacity > operation->capacity) { 5602 return PSA_ERROR_INVALID_ARGUMENT; 5603 } 5604 operation->capacity = capacity; 5605 return PSA_SUCCESS; 5606 } 5607 5608 #if defined(BUILTIN_ALG_ANY_HKDF) 5609 /* Read some bytes from an HKDF-based operation. */ 5610 static psa_status_t psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t *hkdf, 5611 psa_algorithm_t kdf_alg, 5612 uint8_t *output, 5613 size_t output_length) 5614 { 5615 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg); 5616 uint8_t hash_length = PSA_HASH_LENGTH(hash_alg); 5617 size_t hmac_output_length; 5618 psa_status_t status; 5619 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) 5620 const uint8_t last_block = PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) ? 0 : 0xff; 5621 #else 5622 const uint8_t last_block = 0xff; 5623 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ 5624 5625 if (hkdf->state < HKDF_STATE_KEYED || 5626 (!hkdf->info_set 5627 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) 5628 && !PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) 5629 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ 5630 )) { 5631 return PSA_ERROR_BAD_STATE; 5632 } 5633 hkdf->state = HKDF_STATE_OUTPUT; 5634 5635 while (output_length != 0) { 5636 /* Copy what remains of the current block */ 5637 uint8_t n = hash_length - hkdf->offset_in_block; 5638 if (n > output_length) { 5639 n = (uint8_t) output_length; 5640 } 5641 memcpy(output, hkdf->output_block + hkdf->offset_in_block, n); 5642 output += n; 5643 output_length -= n; 5644 hkdf->offset_in_block += n; 5645 if (output_length == 0) { 5646 break; 5647 } 5648 /* We can't be wanting more output after the last block, otherwise 5649 * the capacity check in psa_key_derivation_output_bytes() would have 5650 * prevented this call. It could happen only if the operation 5651 * object was corrupted or if this function is called directly 5652 * inside the library. */ 5653 if (hkdf->block_number == last_block) { 5654 return PSA_ERROR_BAD_STATE; 5655 } 5656 5657 /* We need a new block */ 5658 ++hkdf->block_number; 5659 hkdf->offset_in_block = 0; 5660 5661 status = psa_key_derivation_start_hmac(&hkdf->hmac, 5662 hash_alg, 5663 hkdf->prk, 5664 hash_length); 5665 if (status != PSA_SUCCESS) { 5666 return status; 5667 } 5668 5669 if (hkdf->block_number != 1) { 5670 status = psa_mac_update(&hkdf->hmac, 5671 hkdf->output_block, 5672 hash_length); 5673 if (status != PSA_SUCCESS) { 5674 return status; 5675 } 5676 } 5677 status = psa_mac_update(&hkdf->hmac, 5678 hkdf->info, 5679 hkdf->info_length); 5680 if (status != PSA_SUCCESS) { 5681 return status; 5682 } 5683 status = psa_mac_update(&hkdf->hmac, 5684 &hkdf->block_number, 1); 5685 if (status != PSA_SUCCESS) { 5686 return status; 5687 } 5688 status = psa_mac_sign_finish(&hkdf->hmac, 5689 hkdf->output_block, 5690 sizeof(hkdf->output_block), 5691 &hmac_output_length); 5692 if (status != PSA_SUCCESS) { 5693 return status; 5694 } 5695 } 5696 5697 return PSA_SUCCESS; 5698 } 5699 #endif /* BUILTIN_ALG_ANY_HKDF */ 5700 5701 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ 5702 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) 5703 static psa_status_t psa_key_derivation_tls12_prf_generate_next_block( 5704 psa_tls12_prf_key_derivation_t *tls12_prf, 5705 psa_algorithm_t alg) 5706 { 5707 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(alg); 5708 uint8_t hash_length = PSA_HASH_LENGTH(hash_alg); 5709 psa_mac_operation_t hmac = PSA_MAC_OPERATION_INIT; 5710 size_t hmac_output_length; 5711 psa_status_t status, cleanup_status; 5712 5713 /* We can't be wanting more output after block 0xff, otherwise 5714 * the capacity check in psa_key_derivation_output_bytes() would have 5715 * prevented this call. It could happen only if the operation 5716 * object was corrupted or if this function is called directly 5717 * inside the library. */ 5718 if (tls12_prf->block_number == 0xff) { 5719 return PSA_ERROR_CORRUPTION_DETECTED; 5720 } 5721 5722 /* We need a new block */ 5723 ++tls12_prf->block_number; 5724 tls12_prf->left_in_block = hash_length; 5725 5726 /* Recall the definition of the TLS-1.2-PRF from RFC 5246: 5727 * 5728 * PRF(secret, label, seed) = P_<hash>(secret, label + seed) 5729 * 5730 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + 5731 * HMAC_hash(secret, A(2) + seed) + 5732 * HMAC_hash(secret, A(3) + seed) + ... 5733 * 5734 * A(0) = seed 5735 * A(i) = HMAC_hash(secret, A(i-1)) 5736 * 5737 * The `psa_tls12_prf_key_derivation` structure saves the block 5738 * `HMAC_hash(secret, A(i) + seed)` from which the output 5739 * is currently extracted as `output_block` and where i is 5740 * `block_number`. 5741 */ 5742 5743 status = psa_key_derivation_start_hmac(&hmac, 5744 hash_alg, 5745 tls12_prf->secret, 5746 tls12_prf->secret_length); 5747 if (status != PSA_SUCCESS) { 5748 goto cleanup; 5749 } 5750 5751 /* Calculate A(i) where i = tls12_prf->block_number. */ 5752 if (tls12_prf->block_number == 1) { 5753 /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads 5754 * the variable seed and in this instance means it in the context of the 5755 * P_hash function, where seed = label + seed.) */ 5756 status = psa_mac_update(&hmac, 5757 tls12_prf->label, 5758 tls12_prf->label_length); 5759 if (status != PSA_SUCCESS) { 5760 goto cleanup; 5761 } 5762 status = psa_mac_update(&hmac, 5763 tls12_prf->seed, 5764 tls12_prf->seed_length); 5765 if (status != PSA_SUCCESS) { 5766 goto cleanup; 5767 } 5768 } else { 5769 /* A(i) = HMAC_hash(secret, A(i-1)) */ 5770 status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length); 5771 if (status != PSA_SUCCESS) { 5772 goto cleanup; 5773 } 5774 } 5775 5776 status = psa_mac_sign_finish(&hmac, 5777 tls12_prf->Ai, hash_length, 5778 &hmac_output_length); 5779 if (hmac_output_length != hash_length) { 5780 status = PSA_ERROR_CORRUPTION_DETECTED; 5781 } 5782 if (status != PSA_SUCCESS) { 5783 goto cleanup; 5784 } 5785 5786 /* Calculate HMAC_hash(secret, A(i) + label + seed). */ 5787 status = psa_key_derivation_start_hmac(&hmac, 5788 hash_alg, 5789 tls12_prf->secret, 5790 tls12_prf->secret_length); 5791 if (status != PSA_SUCCESS) { 5792 goto cleanup; 5793 } 5794 status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length); 5795 if (status != PSA_SUCCESS) { 5796 goto cleanup; 5797 } 5798 status = psa_mac_update(&hmac, tls12_prf->label, tls12_prf->label_length); 5799 if (status != PSA_SUCCESS) { 5800 goto cleanup; 5801 } 5802 status = psa_mac_update(&hmac, tls12_prf->seed, tls12_prf->seed_length); 5803 if (status != PSA_SUCCESS) { 5804 goto cleanup; 5805 } 5806 status = psa_mac_sign_finish(&hmac, 5807 tls12_prf->output_block, hash_length, 5808 &hmac_output_length); 5809 if (status != PSA_SUCCESS) { 5810 goto cleanup; 5811 } 5812 5813 5814 cleanup: 5815 cleanup_status = psa_mac_abort(&hmac); 5816 if (status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS) { 5817 status = cleanup_status; 5818 } 5819 5820 return status; 5821 } 5822 5823 static psa_status_t psa_key_derivation_tls12_prf_read( 5824 psa_tls12_prf_key_derivation_t *tls12_prf, 5825 psa_algorithm_t alg, 5826 uint8_t *output, 5827 size_t output_length) 5828 { 5829 psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH(alg); 5830 uint8_t hash_length = PSA_HASH_LENGTH(hash_alg); 5831 psa_status_t status; 5832 uint8_t offset, length; 5833 5834 switch (tls12_prf->state) { 5835 case PSA_TLS12_PRF_STATE_LABEL_SET: 5836 tls12_prf->state = PSA_TLS12_PRF_STATE_OUTPUT; 5837 break; 5838 case PSA_TLS12_PRF_STATE_OUTPUT: 5839 break; 5840 default: 5841 return PSA_ERROR_BAD_STATE; 5842 } 5843 5844 while (output_length != 0) { 5845 /* Check if we have fully processed the current block. */ 5846 if (tls12_prf->left_in_block == 0) { 5847 status = psa_key_derivation_tls12_prf_generate_next_block(tls12_prf, 5848 alg); 5849 if (status != PSA_SUCCESS) { 5850 return status; 5851 } 5852 5853 continue; 5854 } 5855 5856 if (tls12_prf->left_in_block > output_length) { 5857 length = (uint8_t) output_length; 5858 } else { 5859 length = tls12_prf->left_in_block; 5860 } 5861 5862 offset = hash_length - tls12_prf->left_in_block; 5863 memcpy(output, tls12_prf->output_block + offset, length); 5864 output += length; 5865 output_length -= length; 5866 tls12_prf->left_in_block -= length; 5867 } 5868 5869 return PSA_SUCCESS; 5870 } 5871 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF || 5872 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ 5873 5874 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) 5875 static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read( 5876 psa_tls12_ecjpake_to_pms_t *ecjpake, 5877 uint8_t *output, 5878 size_t output_length) 5879 { 5880 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5881 size_t output_size = 0; 5882 5883 if (output_length != 32) { 5884 return PSA_ERROR_INVALID_ARGUMENT; 5885 } 5886 5887 status = psa_hash_compute(PSA_ALG_SHA_256, ecjpake->data, 5888 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length, 5889 &output_size); 5890 if (status != PSA_SUCCESS) { 5891 return status; 5892 } 5893 5894 if (output_size != output_length) { 5895 return PSA_ERROR_GENERIC_ERROR; 5896 } 5897 5898 return PSA_SUCCESS; 5899 } 5900 #endif 5901 5902 #if defined(PSA_HAVE_SOFT_PBKDF2) 5903 static psa_status_t psa_key_derivation_pbkdf2_generate_block( 5904 psa_pbkdf2_key_derivation_t *pbkdf2, 5905 psa_algorithm_t prf_alg, 5906 uint8_t prf_output_length, 5907 psa_key_attributes_t *attributes) 5908 { 5909 psa_status_t status; 5910 psa_mac_operation_t mac_operation = PSA_MAC_OPERATION_INIT; 5911 size_t mac_output_length; 5912 uint8_t U_i[PSA_MAC_MAX_SIZE]; 5913 uint8_t *U_accumulator = pbkdf2->output_block; 5914 uint64_t i; 5915 uint8_t block_counter[4]; 5916 5917 mac_operation.is_sign = 1; 5918 mac_operation.mac_size = prf_output_length; 5919 MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, block_counter, 0); 5920 5921 status = psa_driver_wrapper_mac_sign_setup(&mac_operation, 5922 attributes, 5923 pbkdf2->password, 5924 pbkdf2->password_length, 5925 prf_alg); 5926 if (status != PSA_SUCCESS) { 5927 goto cleanup; 5928 } 5929 status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length); 5930 if (status != PSA_SUCCESS) { 5931 goto cleanup; 5932 } 5933 status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter)); 5934 if (status != PSA_SUCCESS) { 5935 goto cleanup; 5936 } 5937 status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i), 5938 &mac_output_length); 5939 if (status != PSA_SUCCESS) { 5940 goto cleanup; 5941 } 5942 5943 if (mac_output_length != prf_output_length) { 5944 status = PSA_ERROR_CORRUPTION_DETECTED; 5945 goto cleanup; 5946 } 5947 5948 memcpy(U_accumulator, U_i, prf_output_length); 5949 5950 for (i = 1; i < pbkdf2->input_cost; i++) { 5951 /* We are passing prf_output_length as mac_size because the driver 5952 * function directly sets mac_output_length as mac_size upon success. 5953 * See https://github.com/Mbed-TLS/mbedtls/issues/7801 */ 5954 status = psa_driver_wrapper_mac_compute(attributes, 5955 pbkdf2->password, 5956 pbkdf2->password_length, 5957 prf_alg, U_i, prf_output_length, 5958 U_i, prf_output_length, 5959 &mac_output_length); 5960 if (status != PSA_SUCCESS) { 5961 goto cleanup; 5962 } 5963 5964 mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length); 5965 } 5966 5967 cleanup: 5968 /* Zeroise buffers to clear sensitive data from memory. */ 5969 mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE); 5970 return status; 5971 } 5972 5973 static psa_status_t psa_key_derivation_pbkdf2_read( 5974 psa_pbkdf2_key_derivation_t *pbkdf2, 5975 psa_algorithm_t kdf_alg, 5976 uint8_t *output, 5977 size_t output_length) 5978 { 5979 psa_status_t status; 5980 psa_algorithm_t prf_alg; 5981 uint8_t prf_output_length; 5982 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 5983 psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(pbkdf2->password_length)); 5984 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); 5985 5986 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { 5987 prf_alg = PSA_ALG_HMAC(PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg)); 5988 prf_output_length = PSA_HASH_LENGTH(prf_alg); 5989 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); 5990 } else if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { 5991 prf_alg = PSA_ALG_CMAC; 5992 prf_output_length = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC); 5993 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); 5994 } else { 5995 return PSA_ERROR_INVALID_ARGUMENT; 5996 } 5997 5998 switch (pbkdf2->state) { 5999 case PSA_PBKDF2_STATE_PASSWORD_SET: 6000 /* Initially we need a new block so bytes_used is equal to block size*/ 6001 pbkdf2->bytes_used = prf_output_length; 6002 pbkdf2->state = PSA_PBKDF2_STATE_OUTPUT; 6003 break; 6004 case PSA_PBKDF2_STATE_OUTPUT: 6005 break; 6006 default: 6007 return PSA_ERROR_BAD_STATE; 6008 } 6009 6010 while (output_length != 0) { 6011 uint8_t n = prf_output_length - pbkdf2->bytes_used; 6012 if (n > output_length) { 6013 n = (uint8_t) output_length; 6014 } 6015 memcpy(output, pbkdf2->output_block + pbkdf2->bytes_used, n); 6016 output += n; 6017 output_length -= n; 6018 pbkdf2->bytes_used += n; 6019 6020 if (output_length == 0) { 6021 break; 6022 } 6023 6024 /* We need a new block */ 6025 pbkdf2->bytes_used = 0; 6026 pbkdf2->block_number++; 6027 6028 status = psa_key_derivation_pbkdf2_generate_block(pbkdf2, prf_alg, 6029 prf_output_length, 6030 &attributes); 6031 if (status != PSA_SUCCESS) { 6032 return status; 6033 } 6034 } 6035 6036 return PSA_SUCCESS; 6037 } 6038 #endif /* PSA_HAVE_SOFT_PBKDF2 */ 6039 6040 psa_status_t psa_key_derivation_output_bytes( 6041 psa_key_derivation_operation_t *operation, 6042 uint8_t *output_external, 6043 size_t output_length) 6044 { 6045 psa_status_t status; 6046 LOCAL_OUTPUT_DECLARE(output_external, output); 6047 6048 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation); 6049 6050 if (operation->alg == 0) { 6051 /* This is a blank operation. */ 6052 return PSA_ERROR_BAD_STATE; 6053 } 6054 6055 if (output_length == 0 && operation->capacity == 0) { 6056 /* Edge case: this is a finished operation, and 0 bytes 6057 * were requested. The right error in this case could 6058 * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return 6059 * INSUFFICIENT_CAPACITY, which is right for a finished 6060 * operation, for consistency with the case when 6061 * output_length > 0. */ 6062 return PSA_ERROR_INSUFFICIENT_DATA; 6063 } 6064 6065 LOCAL_OUTPUT_ALLOC(output_external, output_length, output); 6066 if (output_length > operation->capacity) { 6067 operation->capacity = 0; 6068 /* Go through the error path to wipe all confidential data now 6069 * that the operation object is useless. */ 6070 status = PSA_ERROR_INSUFFICIENT_DATA; 6071 goto exit; 6072 } 6073 6074 operation->capacity -= output_length; 6075 6076 #if defined(BUILTIN_ALG_ANY_HKDF) 6077 if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) { 6078 status = psa_key_derivation_hkdf_read(&operation->ctx.hkdf, kdf_alg, 6079 output, output_length); 6080 } else 6081 #endif /* BUILTIN_ALG_ANY_HKDF */ 6082 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ 6083 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) 6084 if (PSA_ALG_IS_TLS12_PRF(kdf_alg) || 6085 PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { 6086 status = psa_key_derivation_tls12_prf_read(&operation->ctx.tls12_prf, 6087 kdf_alg, output, 6088 output_length); 6089 } else 6090 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF || 6091 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ 6092 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) 6093 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { 6094 status = psa_key_derivation_tls12_ecjpake_to_pms_read( 6095 &operation->ctx.tls12_ecjpake_to_pms, output, output_length); 6096 } else 6097 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ 6098 #if defined(PSA_HAVE_SOFT_PBKDF2) 6099 if (PSA_ALG_IS_PBKDF2(kdf_alg)) { 6100 status = psa_key_derivation_pbkdf2_read(&operation->ctx.pbkdf2, kdf_alg, 6101 output, output_length); 6102 } else 6103 #endif /* PSA_HAVE_SOFT_PBKDF2 */ 6104 6105 { 6106 (void) kdf_alg; 6107 status = PSA_ERROR_BAD_STATE; 6108 LOCAL_OUTPUT_FREE(output_external, output); 6109 6110 return status; 6111 } 6112 6113 exit: 6114 if (status != PSA_SUCCESS) { 6115 /* Preserve the algorithm upon errors, but clear all sensitive state. 6116 * This allows us to differentiate between exhausted operations and 6117 * blank operations, so we can return PSA_ERROR_BAD_STATE on blank 6118 * operations. */ 6119 psa_algorithm_t alg = operation->alg; 6120 psa_key_derivation_abort(operation); 6121 operation->alg = alg; 6122 if (output != NULL) { 6123 memset(output, '!', output_length); 6124 } 6125 } 6126 6127 LOCAL_OUTPUT_FREE(output_external, output); 6128 return status; 6129 } 6130 6131 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) 6132 static void psa_des_set_key_parity(uint8_t *data, size_t data_size) 6133 { 6134 if (data_size >= 8) { 6135 mbedtls_des_key_set_parity(data); 6136 } 6137 if (data_size >= 16) { 6138 mbedtls_des_key_set_parity(data + 8); 6139 } 6140 if (data_size >= 24) { 6141 mbedtls_des_key_set_parity(data + 16); 6142 } 6143 } 6144 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ 6145 6146 /* 6147 * ECC keys on a Weierstrass elliptic curve require the generation 6148 * of a private key which is an integer 6149 * in the range [1, N - 1], where N is the boundary of the private key domain: 6150 * N is the prime p for Diffie-Hellman, or the order of the 6151 * curve’s base point for ECC. 6152 * 6153 * Let m be the bit size of N, such that 2^m > N >= 2^(m-1). 6154 * This function generates the private key using the following process: 6155 * 6156 * 1. Draw a byte string of length ceiling(m/8) bytes. 6157 * 2. If m is not a multiple of 8, set the most significant 6158 * (8 * ceiling(m/8) - m) bits of the first byte in the string to zero. 6159 * 3. Convert the string to integer k by decoding it as a big-endian byte string. 6160 * 4. If k > N - 2, discard the result and return to step 1. 6161 * 5. Output k + 1 as the private key. 6162 * 6163 * This method allows compliance to NIST standards, specifically the methods titled 6164 * Key-Pair Generation by Testing Candidates in the following publications: 6165 * - NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment 6166 * Schemes Using Discrete Logarithm Cryptography [SP800-56A] §5.6.1.1.4 for 6167 * Diffie-Hellman keys. 6168 * 6169 * - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature 6170 * Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys. 6171 * 6172 * Note: Function allocates memory for *data buffer, so given *data should be 6173 * always NULL. 6174 */ 6175 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) 6176 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) 6177 static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( 6178 psa_key_slot_t *slot, 6179 size_t bits, 6180 psa_key_derivation_operation_t *operation, 6181 uint8_t **data 6182 ) 6183 { 6184 unsigned key_out_of_range = 1; 6185 mbedtls_mpi k; 6186 mbedtls_mpi diff_N_2; 6187 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6188 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 6189 size_t m; 6190 size_t m_bytes; 6191 6192 mbedtls_mpi_init(&k); 6193 mbedtls_mpi_init(&diff_N_2); 6194 6195 psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( 6196 slot->attr.type); 6197 mbedtls_ecp_group_id grp_id = 6198 mbedtls_ecc_group_from_psa(curve, bits); 6199 6200 if (grp_id == MBEDTLS_ECP_DP_NONE) { 6201 ret = MBEDTLS_ERR_ASN1_INVALID_DATA; 6202 goto cleanup; 6203 } 6204 6205 mbedtls_ecp_group ecp_group; 6206 mbedtls_ecp_group_init(&ecp_group); 6207 6208 MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ecp_group, grp_id)); 6209 6210 /* N is the boundary of the private key domain (ecp_group.N). */ 6211 /* Let m be the bit size of N. */ 6212 m = ecp_group.nbits; 6213 6214 m_bytes = PSA_BITS_TO_BYTES(m); 6215 6216 /* Calculate N - 2 - it will be needed later. */ 6217 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&diff_N_2, &ecp_group.N, 2)); 6218 6219 /* Note: This function is always called with *data == NULL and it 6220 * allocates memory for the data buffer. */ 6221 *data = mbedtls_calloc(1, m_bytes); 6222 if (*data == NULL) { 6223 ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED; 6224 goto cleanup; 6225 } 6226 6227 while (key_out_of_range) { 6228 /* 1. Draw a byte string of length ceiling(m/8) bytes. */ 6229 if ((status = psa_key_derivation_output_bytes(operation, *data, m_bytes)) != 0) { 6230 goto cleanup; 6231 } 6232 6233 /* 2. If m is not a multiple of 8 */ 6234 if (m % 8 != 0) { 6235 /* Set the most significant 6236 * (8 * ceiling(m/8) - m) bits of the first byte in 6237 * the string to zero. 6238 */ 6239 uint8_t clear_bit_mask = (1 << (m % 8)) - 1; 6240 (*data)[0] &= clear_bit_mask; 6241 } 6242 6243 /* 3. Convert the string to integer k by decoding it as a 6244 * big-endian byte string. 6245 */ 6246 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&k, *data, m_bytes)); 6247 6248 /* 4. If k > N - 2, discard the result and return to step 1. 6249 * Result of comparison is returned. When it indicates error 6250 * then this function is called again. 6251 */ 6252 MBEDTLS_MPI_CHK(mbedtls_mpi_lt_mpi_ct(&diff_N_2, &k, &key_out_of_range)); 6253 } 6254 6255 /* 5. Output k + 1 as the private key. */ 6256 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&k, &k, 1)); 6257 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&k, *data, m_bytes)); 6258 cleanup: 6259 if (ret != 0) { 6260 status = mbedtls_to_psa_error(ret); 6261 } 6262 if (status != PSA_SUCCESS) { 6263 mbedtls_free(*data); 6264 *data = NULL; 6265 } 6266 mbedtls_mpi_free(&k); 6267 mbedtls_mpi_free(&diff_N_2); 6268 return status; 6269 } 6270 6271 /* ECC keys on a Montgomery elliptic curve draws a byte string whose length 6272 * is determined by the curve, and sets the mandatory bits accordingly. That is: 6273 * 6274 * - Curve25519 (PSA_ECC_FAMILY_MONTGOMERY, 255 bits): 6275 * draw a 32-byte string and process it as specified in 6276 * Elliptic Curves for Security [RFC7748] §5. 6277 * 6278 * - Curve448 (PSA_ECC_FAMILY_MONTGOMERY, 448 bits): 6279 * draw a 56-byte string and process it as specified in [RFC7748] §5. 6280 * 6281 * Note: Function allocates memory for *data buffer, so given *data should be 6282 * always NULL. 6283 */ 6284 6285 static psa_status_t psa_generate_derived_ecc_key_montgomery_helper( 6286 size_t bits, 6287 psa_key_derivation_operation_t *operation, 6288 uint8_t **data 6289 ) 6290 { 6291 size_t output_length; 6292 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 6293 6294 switch (bits) { 6295 case 255: 6296 output_length = 32; 6297 break; 6298 case 448: 6299 output_length = 56; 6300 break; 6301 default: 6302 return PSA_ERROR_INVALID_ARGUMENT; 6303 break; 6304 } 6305 6306 *data = mbedtls_calloc(1, output_length); 6307 6308 if (*data == NULL) { 6309 return PSA_ERROR_INSUFFICIENT_MEMORY; 6310 } 6311 6312 status = psa_key_derivation_output_bytes(operation, *data, output_length); 6313 6314 if (status != PSA_SUCCESS) { 6315 return status; 6316 } 6317 6318 switch (bits) { 6319 case 255: 6320 (*data)[0] &= 248; 6321 (*data)[31] &= 127; 6322 (*data)[31] |= 64; 6323 break; 6324 case 448: 6325 (*data)[0] &= 252; 6326 (*data)[55] |= 128; 6327 break; 6328 default: 6329 return PSA_ERROR_CORRUPTION_DETECTED; 6330 break; 6331 } 6332 6333 return status; 6334 } 6335 #else /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */ 6336 static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( 6337 psa_key_slot_t *slot, size_t bits, 6338 psa_key_derivation_operation_t *operation, uint8_t **data) 6339 { 6340 (void) slot; 6341 (void) bits; 6342 (void) operation; 6343 (void) data; 6344 return PSA_ERROR_NOT_SUPPORTED; 6345 } 6346 6347 static psa_status_t psa_generate_derived_ecc_key_montgomery_helper( 6348 size_t bits, psa_key_derivation_operation_t *operation, uint8_t **data) 6349 { 6350 (void) bits; 6351 (void) operation; 6352 (void) data; 6353 return PSA_ERROR_NOT_SUPPORTED; 6354 } 6355 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */ 6356 #endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE */ 6357 6358 static psa_status_t psa_generate_derived_key_internal( 6359 psa_key_slot_t *slot, 6360 size_t bits, 6361 psa_key_derivation_operation_t *operation) 6362 { 6363 uint8_t *data = NULL; 6364 size_t bytes = PSA_BITS_TO_BYTES(bits); 6365 size_t storage_size = bytes; 6366 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 6367 6368 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) { 6369 return PSA_ERROR_INVALID_ARGUMENT; 6370 } 6371 6372 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \ 6373 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) 6374 if (PSA_KEY_TYPE_IS_ECC(slot->attr.type)) { 6375 psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(slot->attr.type); 6376 if (PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) { 6377 /* Weierstrass elliptic curve */ 6378 status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data); 6379 if (status != PSA_SUCCESS) { 6380 goto exit; 6381 } 6382 } else { 6383 /* Montgomery elliptic curve */ 6384 status = psa_generate_derived_ecc_key_montgomery_helper(bits, operation, &data); 6385 if (status != PSA_SUCCESS) { 6386 goto exit; 6387 } 6388 } 6389 } else 6390 #endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || 6391 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) */ 6392 if (key_type_is_raw_bytes(slot->attr.type)) { 6393 if (bits % 8 != 0) { 6394 return PSA_ERROR_INVALID_ARGUMENT; 6395 } 6396 data = mbedtls_calloc(1, bytes); 6397 if (data == NULL) { 6398 return PSA_ERROR_INSUFFICIENT_MEMORY; 6399 } 6400 6401 status = psa_key_derivation_output_bytes(operation, data, bytes); 6402 if (status != PSA_SUCCESS) { 6403 goto exit; 6404 } 6405 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) 6406 if (slot->attr.type == PSA_KEY_TYPE_DES) { 6407 psa_des_set_key_parity(data, bytes); 6408 } 6409 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) */ 6410 } else { 6411 return PSA_ERROR_NOT_SUPPORTED; 6412 } 6413 6414 slot->attr.bits = (psa_key_bits_t) bits; 6415 6416 if (psa_key_lifetime_is_external(slot->attr.lifetime)) { 6417 status = psa_driver_wrapper_get_key_buffer_size(&slot->attr, 6418 &storage_size); 6419 if (status != PSA_SUCCESS) { 6420 goto exit; 6421 } 6422 } 6423 status = psa_allocate_buffer_to_slot(slot, storage_size); 6424 if (status != PSA_SUCCESS) { 6425 goto exit; 6426 } 6427 6428 status = psa_driver_wrapper_import_key(&slot->attr, 6429 data, bytes, 6430 slot->key.data, 6431 slot->key.bytes, 6432 &slot->key.bytes, &bits); 6433 if (bits != slot->attr.bits) { 6434 status = PSA_ERROR_INVALID_ARGUMENT; 6435 } 6436 6437 exit: 6438 mbedtls_free(data); 6439 return status; 6440 } 6441 6442 static const psa_custom_key_parameters_t default_custom_production = 6443 PSA_CUSTOM_KEY_PARAMETERS_INIT; 6444 6445 int psa_custom_key_parameters_are_default( 6446 const psa_custom_key_parameters_t *custom, 6447 size_t custom_data_length) 6448 { 6449 if (custom->flags != 0) { 6450 return 0; 6451 } 6452 if (custom_data_length != 0) { 6453 return 0; 6454 } 6455 return 1; 6456 } 6457 6458 psa_status_t psa_key_derivation_output_key_custom( 6459 const psa_key_attributes_t *attributes, 6460 psa_key_derivation_operation_t *operation, 6461 const psa_custom_key_parameters_t *custom, 6462 const uint8_t *custom_data, 6463 size_t custom_data_length, 6464 mbedtls_svc_key_id_t *key) 6465 { 6466 psa_status_t status; 6467 psa_key_slot_t *slot = NULL; 6468 psa_se_drv_table_entry_t *driver = NULL; 6469 6470 *key = MBEDTLS_SVC_KEY_ID_INIT; 6471 6472 /* Reject any attempt to create a zero-length key so that we don't 6473 * risk tripping up later, e.g. on a malloc(0) that returns NULL. */ 6474 if (psa_get_key_bits(attributes) == 0) { 6475 return PSA_ERROR_INVALID_ARGUMENT; 6476 } 6477 6478 (void) custom_data; /* We only accept 0-length data */ 6479 if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) { 6480 return PSA_ERROR_INVALID_ARGUMENT; 6481 } 6482 6483 if (operation->alg == PSA_ALG_NONE) { 6484 return PSA_ERROR_BAD_STATE; 6485 } 6486 6487 if (!operation->can_output_key) { 6488 return PSA_ERROR_NOT_PERMITTED; 6489 } 6490 6491 status = psa_start_key_creation(PSA_KEY_CREATION_DERIVE, attributes, 6492 &slot, &driver); 6493 #if defined(MBEDTLS_PSA_CRYPTO_SE_C) 6494 if (driver != NULL) { 6495 /* Deriving a key in a secure element is not implemented yet. */ 6496 status = PSA_ERROR_NOT_SUPPORTED; 6497 } 6498 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ 6499 if (status == PSA_SUCCESS) { 6500 status = psa_generate_derived_key_internal(slot, 6501 attributes->bits, 6502 operation); 6503 } 6504 if (status == PSA_SUCCESS) { 6505 status = psa_finish_key_creation(slot, driver, key); 6506 } 6507 if (status != PSA_SUCCESS) { 6508 psa_fail_key_creation(slot, driver); 6509 } 6510 6511 return status; 6512 } 6513 6514 psa_status_t psa_key_derivation_output_key_ext( 6515 const psa_key_attributes_t *attributes, 6516 psa_key_derivation_operation_t *operation, 6517 const psa_key_production_parameters_t *params, 6518 size_t params_data_length, 6519 mbedtls_svc_key_id_t *key) 6520 { 6521 return psa_key_derivation_output_key_custom( 6522 attributes, operation, 6523 (const psa_custom_key_parameters_t *) params, 6524 params->data, params_data_length, 6525 key); 6526 } 6527 6528 psa_status_t psa_key_derivation_output_key( 6529 const psa_key_attributes_t *attributes, 6530 psa_key_derivation_operation_t *operation, 6531 mbedtls_svc_key_id_t *key) 6532 { 6533 return psa_key_derivation_output_key_custom(attributes, operation, 6534 &default_custom_production, 6535 NULL, 0, 6536 key); 6537 } 6538 6539 6540 /****************************************************************/ 6541 /* Key derivation */ 6542 /****************************************************************/ 6543 6544 #if defined(AT_LEAST_ONE_BUILTIN_KDF) 6545 static int is_kdf_alg_supported(psa_algorithm_t kdf_alg) 6546 { 6547 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) 6548 if (PSA_ALG_IS_HKDF(kdf_alg)) { 6549 return 1; 6550 } 6551 #endif 6552 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) 6553 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { 6554 return 1; 6555 } 6556 #endif 6557 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) 6558 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) { 6559 return 1; 6560 } 6561 #endif 6562 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) 6563 if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) { 6564 return 1; 6565 } 6566 #endif 6567 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) 6568 if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { 6569 return 1; 6570 } 6571 #endif 6572 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) 6573 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { 6574 return 1; 6575 } 6576 #endif 6577 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC) 6578 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { 6579 return 1; 6580 } 6581 #endif 6582 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128) 6583 if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { 6584 return 1; 6585 } 6586 #endif 6587 return 0; 6588 } 6589 6590 static psa_status_t psa_hash_try_support(psa_algorithm_t alg) 6591 { 6592 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; 6593 psa_status_t status = psa_hash_setup(&operation, alg); 6594 psa_hash_abort(&operation); 6595 return status; 6596 } 6597 6598 static psa_status_t psa_key_derivation_set_maximum_capacity( 6599 psa_key_derivation_operation_t *operation, 6600 psa_algorithm_t kdf_alg) 6601 { 6602 #if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) 6603 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { 6604 operation->capacity = PSA_HASH_LENGTH(PSA_ALG_SHA_256); 6605 return PSA_SUCCESS; 6606 } 6607 #endif 6608 #if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) 6609 if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { 6610 #if (SIZE_MAX > UINT32_MAX) 6611 operation->capacity = UINT32_MAX * (size_t) PSA_MAC_LENGTH( 6612 PSA_KEY_TYPE_AES, 6613 128U, 6614 PSA_ALG_CMAC); 6615 #else 6616 operation->capacity = SIZE_MAX; 6617 #endif 6618 return PSA_SUCCESS; 6619 } 6620 #endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */ 6621 6622 /* After this point, if kdf_alg is not valid then value of hash_alg may be 6623 * invalid or meaningless but it does not affect this function */ 6624 psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(kdf_alg); 6625 size_t hash_size = PSA_HASH_LENGTH(hash_alg); 6626 if (hash_size == 0) { 6627 return PSA_ERROR_NOT_SUPPORTED; 6628 } 6629 6630 /* Make sure that hash_alg is a supported hash algorithm. Otherwise 6631 * we might fail later, which is somewhat unfriendly and potentially 6632 * risk-prone. */ 6633 psa_status_t status = psa_hash_try_support(hash_alg); 6634 if (status != PSA_SUCCESS) { 6635 return status; 6636 } 6637 6638 #if defined(PSA_WANT_ALG_HKDF) 6639 if (PSA_ALG_IS_HKDF(kdf_alg)) { 6640 operation->capacity = 255 * hash_size; 6641 } else 6642 #endif 6643 #if defined(PSA_WANT_ALG_HKDF_EXTRACT) 6644 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { 6645 operation->capacity = hash_size; 6646 } else 6647 #endif 6648 #if defined(PSA_WANT_ALG_HKDF_EXPAND) 6649 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) { 6650 operation->capacity = 255 * hash_size; 6651 } else 6652 #endif 6653 #if defined(PSA_WANT_ALG_TLS12_PRF) 6654 if (PSA_ALG_IS_TLS12_PRF(kdf_alg) && 6655 (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) { 6656 operation->capacity = SIZE_MAX; 6657 } else 6658 #endif 6659 #if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) 6660 if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg) && 6661 (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) { 6662 /* Master Secret is always 48 bytes 6663 * https://datatracker.ietf.org/doc/html/rfc5246.html#section-8.1 */ 6664 operation->capacity = 48U; 6665 } else 6666 #endif 6667 #if defined(PSA_WANT_ALG_PBKDF2_HMAC) 6668 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { 6669 #if (SIZE_MAX > UINT32_MAX) 6670 operation->capacity = UINT32_MAX * hash_size; 6671 #else 6672 operation->capacity = SIZE_MAX; 6673 #endif 6674 } else 6675 #endif /* PSA_WANT_ALG_PBKDF2_HMAC */ 6676 { 6677 (void) hash_size; 6678 status = PSA_ERROR_NOT_SUPPORTED; 6679 } 6680 return status; 6681 } 6682 6683 static psa_status_t psa_key_derivation_setup_kdf( 6684 psa_key_derivation_operation_t *operation, 6685 psa_algorithm_t kdf_alg) 6686 { 6687 /* Make sure that operation->ctx is properly zero-initialised. (Macro 6688 * initialisers for this union leave some bytes unspecified.) */ 6689 memset(&operation->ctx, 0, sizeof(operation->ctx)); 6690 6691 /* Make sure that kdf_alg is a supported key derivation algorithm. */ 6692 if (!is_kdf_alg_supported(kdf_alg)) { 6693 return PSA_ERROR_NOT_SUPPORTED; 6694 } 6695 6696 psa_status_t status = psa_key_derivation_set_maximum_capacity(operation, 6697 kdf_alg); 6698 return status; 6699 } 6700 6701 static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg) 6702 { 6703 #if defined(PSA_WANT_ALG_ECDH) 6704 if (alg == PSA_ALG_ECDH) { 6705 return PSA_SUCCESS; 6706 } 6707 #endif 6708 #if defined(PSA_WANT_ALG_FFDH) 6709 if (alg == PSA_ALG_FFDH) { 6710 return PSA_SUCCESS; 6711 } 6712 #endif 6713 (void) alg; 6714 return PSA_ERROR_NOT_SUPPORTED; 6715 } 6716 6717 static int psa_key_derivation_allows_free_form_secret_input( 6718 psa_algorithm_t kdf_alg) 6719 { 6720 #if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) 6721 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { 6722 return 0; 6723 } 6724 #endif 6725 (void) kdf_alg; 6726 return 1; 6727 } 6728 #endif /* AT_LEAST_ONE_BUILTIN_KDF */ 6729 6730 psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation, 6731 psa_algorithm_t alg) 6732 { 6733 psa_status_t status; 6734 6735 if (operation->alg != 0) { 6736 return PSA_ERROR_BAD_STATE; 6737 } 6738 6739 if (PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) { 6740 return PSA_ERROR_INVALID_ARGUMENT; 6741 } else if (PSA_ALG_IS_KEY_AGREEMENT(alg)) { 6742 #if defined(AT_LEAST_ONE_BUILTIN_KDF) 6743 psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF(alg); 6744 psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(alg); 6745 status = psa_key_agreement_try_support(ka_alg); 6746 if (status != PSA_SUCCESS) { 6747 return status; 6748 } 6749 if (!psa_key_derivation_allows_free_form_secret_input(kdf_alg)) { 6750 return PSA_ERROR_INVALID_ARGUMENT; 6751 } 6752 status = psa_key_derivation_setup_kdf(operation, kdf_alg); 6753 #else 6754 return PSA_ERROR_NOT_SUPPORTED; 6755 #endif /* AT_LEAST_ONE_BUILTIN_KDF */ 6756 } else if (PSA_ALG_IS_KEY_DERIVATION(alg)) { 6757 #if defined(AT_LEAST_ONE_BUILTIN_KDF) 6758 status = psa_key_derivation_setup_kdf(operation, alg); 6759 #else 6760 return PSA_ERROR_NOT_SUPPORTED; 6761 #endif /* AT_LEAST_ONE_BUILTIN_KDF */ 6762 } else { 6763 return PSA_ERROR_INVALID_ARGUMENT; 6764 } 6765 6766 if (status == PSA_SUCCESS) { 6767 operation->alg = alg; 6768 } 6769 return status; 6770 } 6771 6772 #if defined(BUILTIN_ALG_ANY_HKDF) 6773 static psa_status_t psa_hkdf_input(psa_hkdf_key_derivation_t *hkdf, 6774 psa_algorithm_t kdf_alg, 6775 psa_key_derivation_step_t step, 6776 const uint8_t *data, 6777 size_t data_length) 6778 { 6779 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg); 6780 psa_status_t status; 6781 switch (step) { 6782 case PSA_KEY_DERIVATION_INPUT_SALT: 6783 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) 6784 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) { 6785 return PSA_ERROR_INVALID_ARGUMENT; 6786 } 6787 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */ 6788 if (hkdf->state != HKDF_STATE_INIT) { 6789 return PSA_ERROR_BAD_STATE; 6790 } else { 6791 status = psa_key_derivation_start_hmac(&hkdf->hmac, 6792 hash_alg, 6793 data, data_length); 6794 if (status != PSA_SUCCESS) { 6795 return status; 6796 } 6797 hkdf->state = HKDF_STATE_STARTED; 6798 return PSA_SUCCESS; 6799 } 6800 case PSA_KEY_DERIVATION_INPUT_SECRET: 6801 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) 6802 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) { 6803 /* We shouldn't be in different state as HKDF_EXPAND only allows 6804 * two inputs: SECRET (this case) and INFO which does not modify 6805 * the state. It could happen only if the hkdf 6806 * object was corrupted. */ 6807 if (hkdf->state != HKDF_STATE_INIT) { 6808 return PSA_ERROR_BAD_STATE; 6809 } 6810 6811 /* Allow only input that fits expected prk size */ 6812 if (data_length != PSA_HASH_LENGTH(hash_alg)) { 6813 return PSA_ERROR_INVALID_ARGUMENT; 6814 } 6815 6816 memcpy(hkdf->prk, data, data_length); 6817 } else 6818 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */ 6819 { 6820 /* HKDF: If no salt was provided, use an empty salt. 6821 * HKDF-EXTRACT: salt is mandatory. */ 6822 if (hkdf->state == HKDF_STATE_INIT) { 6823 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) 6824 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { 6825 return PSA_ERROR_BAD_STATE; 6826 } 6827 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ 6828 status = psa_key_derivation_start_hmac(&hkdf->hmac, 6829 hash_alg, 6830 NULL, 0); 6831 if (status != PSA_SUCCESS) { 6832 return status; 6833 } 6834 hkdf->state = HKDF_STATE_STARTED; 6835 } 6836 if (hkdf->state != HKDF_STATE_STARTED) { 6837 return PSA_ERROR_BAD_STATE; 6838 } 6839 status = psa_mac_update(&hkdf->hmac, 6840 data, data_length); 6841 if (status != PSA_SUCCESS) { 6842 return status; 6843 } 6844 status = psa_mac_sign_finish(&hkdf->hmac, 6845 hkdf->prk, 6846 sizeof(hkdf->prk), 6847 &data_length); 6848 if (status != PSA_SUCCESS) { 6849 return status; 6850 } 6851 } 6852 6853 hkdf->state = HKDF_STATE_KEYED; 6854 hkdf->block_number = 0; 6855 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) 6856 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { 6857 /* The only block of output is the PRK. */ 6858 memcpy(hkdf->output_block, hkdf->prk, PSA_HASH_LENGTH(hash_alg)); 6859 hkdf->offset_in_block = 0; 6860 } else 6861 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ 6862 { 6863 /* Block 0 is empty, and the next block will be 6864 * generated by psa_key_derivation_hkdf_read(). */ 6865 hkdf->offset_in_block = PSA_HASH_LENGTH(hash_alg); 6866 } 6867 6868 return PSA_SUCCESS; 6869 case PSA_KEY_DERIVATION_INPUT_INFO: 6870 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) 6871 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) { 6872 return PSA_ERROR_INVALID_ARGUMENT; 6873 } 6874 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ 6875 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) 6876 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg) && 6877 hkdf->state == HKDF_STATE_INIT) { 6878 return PSA_ERROR_BAD_STATE; 6879 } 6880 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */ 6881 if (hkdf->state == HKDF_STATE_OUTPUT) { 6882 return PSA_ERROR_BAD_STATE; 6883 } 6884 if (hkdf->info_set) { 6885 return PSA_ERROR_BAD_STATE; 6886 } 6887 hkdf->info_length = data_length; 6888 if (data_length != 0) { 6889 hkdf->info = mbedtls_calloc(1, data_length); 6890 if (hkdf->info == NULL) { 6891 return PSA_ERROR_INSUFFICIENT_MEMORY; 6892 } 6893 memcpy(hkdf->info, data, data_length); 6894 } 6895 hkdf->info_set = 1; 6896 return PSA_SUCCESS; 6897 default: 6898 return PSA_ERROR_INVALID_ARGUMENT; 6899 } 6900 } 6901 #endif /* BUILTIN_ALG_ANY_HKDF */ 6902 6903 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ 6904 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) 6905 static psa_status_t psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t *prf, 6906 const uint8_t *data, 6907 size_t data_length) 6908 { 6909 if (prf->state != PSA_TLS12_PRF_STATE_INIT) { 6910 return PSA_ERROR_BAD_STATE; 6911 } 6912 6913 if (data_length != 0) { 6914 prf->seed = mbedtls_calloc(1, data_length); 6915 if (prf->seed == NULL) { 6916 return PSA_ERROR_INSUFFICIENT_MEMORY; 6917 } 6918 6919 memcpy(prf->seed, data, data_length); 6920 prf->seed_length = data_length; 6921 } 6922 6923 prf->state = PSA_TLS12_PRF_STATE_SEED_SET; 6924 6925 return PSA_SUCCESS; 6926 } 6927 6928 static psa_status_t psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t *prf, 6929 const uint8_t *data, 6930 size_t data_length) 6931 { 6932 if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET && 6933 prf->state != PSA_TLS12_PRF_STATE_OTHER_KEY_SET) { 6934 return PSA_ERROR_BAD_STATE; 6935 } 6936 6937 if (data_length != 0) { 6938 prf->secret = mbedtls_calloc(1, data_length); 6939 if (prf->secret == NULL) { 6940 return PSA_ERROR_INSUFFICIENT_MEMORY; 6941 } 6942 6943 memcpy(prf->secret, data, data_length); 6944 prf->secret_length = data_length; 6945 } 6946 6947 prf->state = PSA_TLS12_PRF_STATE_KEY_SET; 6948 6949 return PSA_SUCCESS; 6950 } 6951 6952 static psa_status_t psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t *prf, 6953 const uint8_t *data, 6954 size_t data_length) 6955 { 6956 if (prf->state != PSA_TLS12_PRF_STATE_KEY_SET) { 6957 return PSA_ERROR_BAD_STATE; 6958 } 6959 6960 if (data_length != 0) { 6961 prf->label = mbedtls_calloc(1, data_length); 6962 if (prf->label == NULL) { 6963 return PSA_ERROR_INSUFFICIENT_MEMORY; 6964 } 6965 6966 memcpy(prf->label, data, data_length); 6967 prf->label_length = data_length; 6968 } 6969 6970 prf->state = PSA_TLS12_PRF_STATE_LABEL_SET; 6971 6972 return PSA_SUCCESS; 6973 } 6974 6975 static psa_status_t psa_tls12_prf_input(psa_tls12_prf_key_derivation_t *prf, 6976 psa_key_derivation_step_t step, 6977 const uint8_t *data, 6978 size_t data_length) 6979 { 6980 switch (step) { 6981 case PSA_KEY_DERIVATION_INPUT_SEED: 6982 return psa_tls12_prf_set_seed(prf, data, data_length); 6983 case PSA_KEY_DERIVATION_INPUT_SECRET: 6984 return psa_tls12_prf_set_key(prf, data, data_length); 6985 case PSA_KEY_DERIVATION_INPUT_LABEL: 6986 return psa_tls12_prf_set_label(prf, data, data_length); 6987 default: 6988 return PSA_ERROR_INVALID_ARGUMENT; 6989 } 6990 } 6991 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || 6992 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ 6993 6994 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) 6995 static psa_status_t psa_tls12_prf_psk_to_ms_set_key( 6996 psa_tls12_prf_key_derivation_t *prf, 6997 const uint8_t *data, 6998 size_t data_length) 6999 { 7000 psa_status_t status; 7001 const size_t pms_len = (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET ? 7002 4 + data_length + prf->other_secret_length : 7003 4 + 2 * data_length); 7004 7005 if (data_length > PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE) { 7006 return PSA_ERROR_INVALID_ARGUMENT; 7007 } 7008 7009 uint8_t *pms = mbedtls_calloc(1, pms_len); 7010 if (pms == NULL) { 7011 return PSA_ERROR_INSUFFICIENT_MEMORY; 7012 } 7013 uint8_t *cur = pms; 7014 7015 /* pure-PSK: 7016 * Quoting RFC 4279, Section 2: 7017 * 7018 * The premaster secret is formed as follows: if the PSK is N octets 7019 * long, concatenate a uint16 with the value N, N zero octets, a second 7020 * uint16 with the value N, and the PSK itself. 7021 * 7022 * mixed-PSK: 7023 * In a DHE-PSK, RSA-PSK, ECDHE-PSK the premaster secret is formed as 7024 * follows: concatenate a uint16 with the length of the other secret, 7025 * the other secret itself, uint16 with the length of PSK, and the 7026 * PSK itself. 7027 * For details please check: 7028 * - RFC 4279, Section 4 for the definition of RSA-PSK, 7029 * - RFC 4279, Section 3 for the definition of DHE-PSK, 7030 * - RFC 5489 for the definition of ECDHE-PSK. 7031 */ 7032 7033 if (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET) { 7034 *cur++ = MBEDTLS_BYTE_1(prf->other_secret_length); 7035 *cur++ = MBEDTLS_BYTE_0(prf->other_secret_length); 7036 if (prf->other_secret_length != 0) { 7037 memcpy(cur, prf->other_secret, prf->other_secret_length); 7038 mbedtls_platform_zeroize(prf->other_secret, prf->other_secret_length); 7039 cur += prf->other_secret_length; 7040 } 7041 } else { 7042 *cur++ = MBEDTLS_BYTE_1(data_length); 7043 *cur++ = MBEDTLS_BYTE_0(data_length); 7044 memset(cur, 0, data_length); 7045 cur += data_length; 7046 } 7047 7048 *cur++ = MBEDTLS_BYTE_1(data_length); 7049 *cur++ = MBEDTLS_BYTE_0(data_length); 7050 memcpy(cur, data, data_length); 7051 cur += data_length; 7052 7053 status = psa_tls12_prf_set_key(prf, pms, (size_t) (cur - pms)); 7054 7055 mbedtls_zeroize_and_free(pms, pms_len); 7056 return status; 7057 } 7058 7059 static psa_status_t psa_tls12_prf_psk_to_ms_set_other_key( 7060 psa_tls12_prf_key_derivation_t *prf, 7061 const uint8_t *data, 7062 size_t data_length) 7063 { 7064 if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET) { 7065 return PSA_ERROR_BAD_STATE; 7066 } 7067 7068 if (data_length != 0) { 7069 prf->other_secret = mbedtls_calloc(1, data_length); 7070 if (prf->other_secret == NULL) { 7071 return PSA_ERROR_INSUFFICIENT_MEMORY; 7072 } 7073 7074 memcpy(prf->other_secret, data, data_length); 7075 prf->other_secret_length = data_length; 7076 } else { 7077 prf->other_secret_length = 0; 7078 } 7079 7080 prf->state = PSA_TLS12_PRF_STATE_OTHER_KEY_SET; 7081 7082 return PSA_SUCCESS; 7083 } 7084 7085 static psa_status_t psa_tls12_prf_psk_to_ms_input( 7086 psa_tls12_prf_key_derivation_t *prf, 7087 psa_key_derivation_step_t step, 7088 const uint8_t *data, 7089 size_t data_length) 7090 { 7091 switch (step) { 7092 case PSA_KEY_DERIVATION_INPUT_SECRET: 7093 return psa_tls12_prf_psk_to_ms_set_key(prf, 7094 data, data_length); 7095 break; 7096 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET: 7097 return psa_tls12_prf_psk_to_ms_set_other_key(prf, 7098 data, 7099 data_length); 7100 break; 7101 default: 7102 return psa_tls12_prf_input(prf, step, data, data_length); 7103 break; 7104 7105 } 7106 } 7107 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ 7108 7109 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) 7110 static psa_status_t psa_tls12_ecjpake_to_pms_input( 7111 psa_tls12_ecjpake_to_pms_t *ecjpake, 7112 psa_key_derivation_step_t step, 7113 const uint8_t *data, 7114 size_t data_length) 7115 { 7116 if (data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE || 7117 step != PSA_KEY_DERIVATION_INPUT_SECRET) { 7118 return PSA_ERROR_INVALID_ARGUMENT; 7119 } 7120 7121 /* Check if the passed point is in an uncompressed form */ 7122 if (data[0] != 0x04) { 7123 return PSA_ERROR_INVALID_ARGUMENT; 7124 } 7125 7126 /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */ 7127 memcpy(ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE); 7128 7129 return PSA_SUCCESS; 7130 } 7131 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ 7132 7133 #if defined(PSA_HAVE_SOFT_PBKDF2) 7134 static psa_status_t psa_pbkdf2_set_input_cost( 7135 psa_pbkdf2_key_derivation_t *pbkdf2, 7136 psa_key_derivation_step_t step, 7137 uint64_t data) 7138 { 7139 if (step != PSA_KEY_DERIVATION_INPUT_COST) { 7140 return PSA_ERROR_INVALID_ARGUMENT; 7141 } 7142 7143 if (pbkdf2->state != PSA_PBKDF2_STATE_INIT) { 7144 return PSA_ERROR_BAD_STATE; 7145 } 7146 7147 if (data > PSA_VENDOR_PBKDF2_MAX_ITERATIONS) { 7148 return PSA_ERROR_NOT_SUPPORTED; 7149 } 7150 7151 if (data == 0) { 7152 return PSA_ERROR_INVALID_ARGUMENT; 7153 } 7154 7155 pbkdf2->input_cost = data; 7156 pbkdf2->state = PSA_PBKDF2_STATE_INPUT_COST_SET; 7157 7158 return PSA_SUCCESS; 7159 } 7160 7161 static psa_status_t psa_pbkdf2_set_salt(psa_pbkdf2_key_derivation_t *pbkdf2, 7162 const uint8_t *data, 7163 size_t data_length) 7164 { 7165 if (pbkdf2->state == PSA_PBKDF2_STATE_INPUT_COST_SET) { 7166 pbkdf2->state = PSA_PBKDF2_STATE_SALT_SET; 7167 } else if (pbkdf2->state == PSA_PBKDF2_STATE_SALT_SET) { 7168 /* Appending to existing salt. No state change. */ 7169 } else { 7170 return PSA_ERROR_BAD_STATE; 7171 } 7172 7173 if (data_length == 0) { 7174 /* Appending an empty string, nothing to do. */ 7175 } else { 7176 uint8_t *next_salt; 7177 7178 next_salt = mbedtls_calloc(1, data_length + pbkdf2->salt_length); 7179 if (next_salt == NULL) { 7180 return PSA_ERROR_INSUFFICIENT_MEMORY; 7181 } 7182 7183 if (pbkdf2->salt_length != 0) { 7184 memcpy(next_salt, pbkdf2->salt, pbkdf2->salt_length); 7185 } 7186 memcpy(next_salt + pbkdf2->salt_length, data, data_length); 7187 pbkdf2->salt_length += data_length; 7188 mbedtls_free(pbkdf2->salt); 7189 pbkdf2->salt = next_salt; 7190 } 7191 return PSA_SUCCESS; 7192 } 7193 7194 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC) 7195 static psa_status_t psa_pbkdf2_hmac_set_password(psa_algorithm_t hash_alg, 7196 const uint8_t *input, 7197 size_t input_len, 7198 uint8_t *output, 7199 size_t *output_len) 7200 { 7201 psa_status_t status = PSA_SUCCESS; 7202 if (input_len > PSA_HASH_BLOCK_LENGTH(hash_alg)) { 7203 return psa_hash_compute(hash_alg, input, input_len, output, 7204 PSA_HMAC_MAX_HASH_BLOCK_SIZE, output_len); 7205 } else if (input_len > 0) { 7206 memcpy(output, input, input_len); 7207 } 7208 *output_len = PSA_HASH_BLOCK_LENGTH(hash_alg); 7209 return status; 7210 } 7211 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */ 7212 7213 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128) 7214 static psa_status_t psa_pbkdf2_cmac_set_password(const uint8_t *input, 7215 size_t input_len, 7216 uint8_t *output, 7217 size_t *output_len) 7218 { 7219 psa_status_t status = PSA_SUCCESS; 7220 if (input_len != PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC)) { 7221 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 7222 uint8_t zeros[16] = { 0 }; 7223 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); 7224 psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(sizeof(zeros))); 7225 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); 7226 /* Passing PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC) as 7227 * mac_size as the driver function sets mac_output_length = mac_size 7228 * on success. See https://github.com/Mbed-TLS/mbedtls/issues/7801 */ 7229 status = psa_driver_wrapper_mac_compute(&attributes, 7230 zeros, sizeof(zeros), 7231 PSA_ALG_CMAC, input, input_len, 7232 output, 7233 PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 7234 128U, 7235 PSA_ALG_CMAC), 7236 output_len); 7237 } else { 7238 memcpy(output, input, input_len); 7239 *output_len = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC); 7240 } 7241 return status; 7242 } 7243 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */ 7244 7245 static psa_status_t psa_pbkdf2_set_password(psa_pbkdf2_key_derivation_t *pbkdf2, 7246 psa_algorithm_t kdf_alg, 7247 const uint8_t *data, 7248 size_t data_length) 7249 { 7250 psa_status_t status = PSA_SUCCESS; 7251 if (pbkdf2->state != PSA_PBKDF2_STATE_SALT_SET) { 7252 return PSA_ERROR_BAD_STATE; 7253 } 7254 7255 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC) 7256 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) { 7257 psa_algorithm_t hash_alg = PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg); 7258 status = psa_pbkdf2_hmac_set_password(hash_alg, data, data_length, 7259 pbkdf2->password, 7260 &pbkdf2->password_length); 7261 } else 7262 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */ 7263 #if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128) 7264 if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) { 7265 status = psa_pbkdf2_cmac_set_password(data, data_length, 7266 pbkdf2->password, 7267 &pbkdf2->password_length); 7268 } else 7269 #endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */ 7270 { 7271 return PSA_ERROR_INVALID_ARGUMENT; 7272 } 7273 7274 pbkdf2->state = PSA_PBKDF2_STATE_PASSWORD_SET; 7275 7276 return status; 7277 } 7278 7279 static psa_status_t psa_pbkdf2_input(psa_pbkdf2_key_derivation_t *pbkdf2, 7280 psa_algorithm_t kdf_alg, 7281 psa_key_derivation_step_t step, 7282 const uint8_t *data, 7283 size_t data_length) 7284 { 7285 switch (step) { 7286 case PSA_KEY_DERIVATION_INPUT_SALT: 7287 return psa_pbkdf2_set_salt(pbkdf2, data, data_length); 7288 case PSA_KEY_DERIVATION_INPUT_PASSWORD: 7289 return psa_pbkdf2_set_password(pbkdf2, kdf_alg, data, data_length); 7290 default: 7291 return PSA_ERROR_INVALID_ARGUMENT; 7292 } 7293 } 7294 #endif /* PSA_HAVE_SOFT_PBKDF2 */ 7295 7296 /** Check whether the given key type is acceptable for the given 7297 * input step of a key derivation. 7298 * 7299 * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE. 7300 * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA. 7301 * Both secret and non-secret inputs can alternatively have the type 7302 * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning 7303 * that the input was passed as a buffer rather than via a key object. 7304 */ 7305 static int psa_key_derivation_check_input_type( 7306 psa_key_derivation_step_t step, 7307 psa_key_type_t key_type) 7308 { 7309 switch (step) { 7310 case PSA_KEY_DERIVATION_INPUT_SECRET: 7311 if (key_type == PSA_KEY_TYPE_DERIVE) { 7312 return PSA_SUCCESS; 7313 } 7314 if (key_type == PSA_KEY_TYPE_NONE) { 7315 return PSA_SUCCESS; 7316 } 7317 break; 7318 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET: 7319 if (key_type == PSA_KEY_TYPE_DERIVE) { 7320 return PSA_SUCCESS; 7321 } 7322 if (key_type == PSA_KEY_TYPE_NONE) { 7323 return PSA_SUCCESS; 7324 } 7325 break; 7326 case PSA_KEY_DERIVATION_INPUT_LABEL: 7327 case PSA_KEY_DERIVATION_INPUT_SALT: 7328 case PSA_KEY_DERIVATION_INPUT_INFO: 7329 case PSA_KEY_DERIVATION_INPUT_SEED: 7330 if (key_type == PSA_KEY_TYPE_RAW_DATA) { 7331 return PSA_SUCCESS; 7332 } 7333 if (key_type == PSA_KEY_TYPE_NONE) { 7334 return PSA_SUCCESS; 7335 } 7336 break; 7337 case PSA_KEY_DERIVATION_INPUT_PASSWORD: 7338 if (key_type == PSA_KEY_TYPE_PASSWORD) { 7339 return PSA_SUCCESS; 7340 } 7341 if (key_type == PSA_KEY_TYPE_DERIVE) { 7342 return PSA_SUCCESS; 7343 } 7344 if (key_type == PSA_KEY_TYPE_NONE) { 7345 return PSA_SUCCESS; 7346 } 7347 break; 7348 } 7349 return PSA_ERROR_INVALID_ARGUMENT; 7350 } 7351 7352 static psa_status_t psa_key_derivation_input_internal( 7353 psa_key_derivation_operation_t *operation, 7354 psa_key_derivation_step_t step, 7355 psa_key_type_t key_type, 7356 const uint8_t *data, 7357 size_t data_length) 7358 { 7359 psa_status_t status; 7360 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation); 7361 7362 status = psa_key_derivation_check_input_type(step, key_type); 7363 if (status != PSA_SUCCESS) { 7364 goto exit; 7365 } 7366 7367 #if defined(BUILTIN_ALG_ANY_HKDF) 7368 if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) { 7369 status = psa_hkdf_input(&operation->ctx.hkdf, kdf_alg, 7370 step, data, data_length); 7371 } else 7372 #endif /* BUILTIN_ALG_ANY_HKDF */ 7373 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) 7374 if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) { 7375 status = psa_tls12_prf_input(&operation->ctx.tls12_prf, 7376 step, data, data_length); 7377 } else 7378 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */ 7379 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) 7380 if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) { 7381 status = psa_tls12_prf_psk_to_ms_input(&operation->ctx.tls12_prf, 7382 step, data, data_length); 7383 } else 7384 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ 7385 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) 7386 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) { 7387 status = psa_tls12_ecjpake_to_pms_input( 7388 &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length); 7389 } else 7390 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ 7391 #if defined(PSA_HAVE_SOFT_PBKDF2) 7392 if (PSA_ALG_IS_PBKDF2(kdf_alg)) { 7393 status = psa_pbkdf2_input(&operation->ctx.pbkdf2, kdf_alg, 7394 step, data, data_length); 7395 } else 7396 #endif /* PSA_HAVE_SOFT_PBKDF2 */ 7397 { 7398 /* This can't happen unless the operation object was not initialized */ 7399 (void) data; 7400 (void) data_length; 7401 (void) kdf_alg; 7402 return PSA_ERROR_BAD_STATE; 7403 } 7404 7405 exit: 7406 if (status != PSA_SUCCESS) { 7407 psa_key_derivation_abort(operation); 7408 } 7409 return status; 7410 } 7411 7412 static psa_status_t psa_key_derivation_input_integer_internal( 7413 psa_key_derivation_operation_t *operation, 7414 psa_key_derivation_step_t step, 7415 uint64_t value) 7416 { 7417 psa_status_t status; 7418 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation); 7419 7420 #if defined(PSA_HAVE_SOFT_PBKDF2) 7421 if (PSA_ALG_IS_PBKDF2(kdf_alg)) { 7422 status = psa_pbkdf2_set_input_cost( 7423 &operation->ctx.pbkdf2, step, value); 7424 } else 7425 #endif /* PSA_HAVE_SOFT_PBKDF2 */ 7426 { 7427 (void) step; 7428 (void) value; 7429 (void) kdf_alg; 7430 status = PSA_ERROR_INVALID_ARGUMENT; 7431 } 7432 7433 if (status != PSA_SUCCESS) { 7434 psa_key_derivation_abort(operation); 7435 } 7436 return status; 7437 } 7438 7439 psa_status_t psa_key_derivation_input_bytes( 7440 psa_key_derivation_operation_t *operation, 7441 psa_key_derivation_step_t step, 7442 const uint8_t *data_external, 7443 size_t data_length) 7444 { 7445 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 7446 LOCAL_INPUT_DECLARE(data_external, data); 7447 7448 LOCAL_INPUT_ALLOC(data_external, data_length, data); 7449 7450 status = psa_key_derivation_input_internal(operation, step, 7451 PSA_KEY_TYPE_NONE, 7452 data, data_length); 7453 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 7454 exit: 7455 #endif 7456 LOCAL_INPUT_FREE(data_external, data); 7457 return status; 7458 } 7459 7460 psa_status_t psa_key_derivation_input_integer( 7461 psa_key_derivation_operation_t *operation, 7462 psa_key_derivation_step_t step, 7463 uint64_t value) 7464 { 7465 return psa_key_derivation_input_integer_internal(operation, step, value); 7466 } 7467 7468 psa_status_t psa_key_derivation_input_key( 7469 psa_key_derivation_operation_t *operation, 7470 psa_key_derivation_step_t step, 7471 mbedtls_svc_key_id_t key) 7472 { 7473 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 7474 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 7475 psa_key_slot_t *slot; 7476 7477 status = psa_get_and_lock_transparent_key_slot_with_policy( 7478 key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg); 7479 if (status != PSA_SUCCESS) { 7480 psa_key_derivation_abort(operation); 7481 return status; 7482 } 7483 7484 /* Passing a key object as a SECRET or PASSWORD input unlocks the 7485 * permission to output to a key object. */ 7486 if (step == PSA_KEY_DERIVATION_INPUT_SECRET || 7487 step == PSA_KEY_DERIVATION_INPUT_PASSWORD) { 7488 operation->can_output_key = 1; 7489 } 7490 7491 status = psa_key_derivation_input_internal(operation, 7492 step, slot->attr.type, 7493 slot->key.data, 7494 slot->key.bytes); 7495 7496 unlock_status = psa_unregister_read_under_mutex(slot); 7497 7498 return (status == PSA_SUCCESS) ? unlock_status : status; 7499 } 7500 7501 7502 7503 /****************************************************************/ 7504 /* Key agreement */ 7505 /****************************************************************/ 7506 7507 psa_status_t psa_key_agreement_raw_builtin(const psa_key_attributes_t *attributes, 7508 const uint8_t *key_buffer, 7509 size_t key_buffer_size, 7510 psa_algorithm_t alg, 7511 const uint8_t *peer_key, 7512 size_t peer_key_length, 7513 uint8_t *shared_secret, 7514 size_t shared_secret_size, 7515 size_t *shared_secret_length) 7516 { 7517 switch (alg) { 7518 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) 7519 case PSA_ALG_ECDH: 7520 return mbedtls_psa_key_agreement_ecdh(attributes, key_buffer, 7521 key_buffer_size, alg, 7522 peer_key, peer_key_length, 7523 shared_secret, 7524 shared_secret_size, 7525 shared_secret_length); 7526 #endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ 7527 7528 #if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH) 7529 case PSA_ALG_FFDH: 7530 return mbedtls_psa_ffdh_key_agreement(attributes, 7531 peer_key, 7532 peer_key_length, 7533 key_buffer, 7534 key_buffer_size, 7535 shared_secret, 7536 shared_secret_size, 7537 shared_secret_length); 7538 #endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */ 7539 7540 default: 7541 (void) attributes; 7542 (void) key_buffer; 7543 (void) key_buffer_size; 7544 (void) peer_key; 7545 (void) peer_key_length; 7546 (void) shared_secret; 7547 (void) shared_secret_size; 7548 (void) shared_secret_length; 7549 return PSA_ERROR_NOT_SUPPORTED; 7550 } 7551 } 7552 7553 /** Internal function for raw key agreement 7554 * Calls the driver wrapper which will hand off key agreement task 7555 * to the driver's implementation if a driver is present. 7556 * Fallback specified in the driver wrapper is built-in raw key agreement 7557 * (psa_key_agreement_raw_builtin). 7558 */ 7559 static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg, 7560 psa_key_slot_t *private_key, 7561 const uint8_t *peer_key, 7562 size_t peer_key_length, 7563 uint8_t *shared_secret, 7564 size_t shared_secret_size, 7565 size_t *shared_secret_length) 7566 { 7567 if (!PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) { 7568 return PSA_ERROR_NOT_SUPPORTED; 7569 } 7570 7571 return psa_driver_wrapper_key_agreement(&private_key->attr, 7572 private_key->key.data, 7573 private_key->key.bytes, alg, 7574 peer_key, peer_key_length, 7575 shared_secret, 7576 shared_secret_size, 7577 shared_secret_length); 7578 } 7579 7580 /* Note that if this function fails, you must call psa_key_derivation_abort() 7581 * to potentially free embedded data structures and wipe confidential data. 7582 */ 7583 static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *operation, 7584 psa_key_derivation_step_t step, 7585 psa_key_slot_t *private_key, 7586 const uint8_t *peer_key, 7587 size_t peer_key_length) 7588 { 7589 psa_status_t status; 7590 uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE] = { 0 }; 7591 size_t shared_secret_length = 0; 7592 psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg); 7593 7594 /* Step 1: run the secret agreement algorithm to generate the shared 7595 * secret. */ 7596 status = psa_key_agreement_raw_internal(ka_alg, 7597 private_key, 7598 peer_key, peer_key_length, 7599 shared_secret, 7600 sizeof(shared_secret), 7601 &shared_secret_length); 7602 if (status != PSA_SUCCESS) { 7603 goto exit; 7604 } 7605 7606 /* Step 2: set up the key derivation to generate key material from 7607 * the shared secret. A shared secret is permitted wherever a key 7608 * of type DERIVE is permitted. */ 7609 status = psa_key_derivation_input_internal(operation, step, 7610 PSA_KEY_TYPE_DERIVE, 7611 shared_secret, 7612 shared_secret_length); 7613 exit: 7614 mbedtls_platform_zeroize(shared_secret, shared_secret_length); 7615 return status; 7616 } 7617 7618 psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *operation, 7619 psa_key_derivation_step_t step, 7620 mbedtls_svc_key_id_t private_key, 7621 const uint8_t *peer_key_external, 7622 size_t peer_key_length) 7623 { 7624 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 7625 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 7626 psa_key_slot_t *slot; 7627 LOCAL_INPUT_DECLARE(peer_key_external, peer_key); 7628 7629 if (!PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) { 7630 return PSA_ERROR_INVALID_ARGUMENT; 7631 } 7632 status = psa_get_and_lock_transparent_key_slot_with_policy( 7633 private_key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg); 7634 if (status != PSA_SUCCESS) { 7635 return status; 7636 } 7637 7638 LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key); 7639 status = psa_key_agreement_internal(operation, step, 7640 slot, 7641 peer_key, peer_key_length); 7642 7643 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 7644 exit: 7645 #endif 7646 if (status != PSA_SUCCESS) { 7647 psa_key_derivation_abort(operation); 7648 } else { 7649 /* If a private key has been added as SECRET, we allow the derived 7650 * key material to be used as a key in PSA Crypto. */ 7651 if (step == PSA_KEY_DERIVATION_INPUT_SECRET) { 7652 operation->can_output_key = 1; 7653 } 7654 } 7655 7656 unlock_status = psa_unregister_read_under_mutex(slot); 7657 LOCAL_INPUT_FREE(peer_key_external, peer_key); 7658 7659 return (status == PSA_SUCCESS) ? unlock_status : status; 7660 } 7661 7662 psa_status_t psa_raw_key_agreement(psa_algorithm_t alg, 7663 mbedtls_svc_key_id_t private_key, 7664 const uint8_t *peer_key_external, 7665 size_t peer_key_length, 7666 uint8_t *output_external, 7667 size_t output_size, 7668 size_t *output_length) 7669 { 7670 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 7671 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 7672 psa_key_slot_t *slot = NULL; 7673 size_t expected_length; 7674 LOCAL_INPUT_DECLARE(peer_key_external, peer_key); 7675 LOCAL_OUTPUT_DECLARE(output_external, output); 7676 LOCAL_OUTPUT_ALLOC(output_external, output_size, output); 7677 7678 if (!PSA_ALG_IS_KEY_AGREEMENT(alg)) { 7679 status = PSA_ERROR_INVALID_ARGUMENT; 7680 goto exit; 7681 } 7682 status = psa_get_and_lock_transparent_key_slot_with_policy( 7683 private_key, &slot, PSA_KEY_USAGE_DERIVE, alg); 7684 if (status != PSA_SUCCESS) { 7685 goto exit; 7686 } 7687 7688 /* PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is in general an upper bound 7689 * for the output size. The PSA specification only guarantees that this 7690 * function works if output_size >= PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(...), 7691 * but it might be nice to allow smaller buffers if the output fits. 7692 * At the time of writing this comment, with only ECDH implemented, 7693 * PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is exact so the point is moot. 7694 * If FFDH is implemented, PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() can easily 7695 * be exact for it as well. */ 7696 expected_length = 7697 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(slot->attr.type, slot->attr.bits); 7698 if (output_size < expected_length) { 7699 status = PSA_ERROR_BUFFER_TOO_SMALL; 7700 goto exit; 7701 } 7702 7703 LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key); 7704 status = psa_key_agreement_raw_internal(alg, slot, 7705 peer_key, peer_key_length, 7706 output, output_size, 7707 output_length); 7708 7709 exit: 7710 /* Check for successful allocation of output, 7711 * with an unsuccessful status. */ 7712 if (output != NULL && status != PSA_SUCCESS) { 7713 /* If an error happens and is not handled properly, the output 7714 * may be used as a key to protect sensitive data. Arrange for such 7715 * a key to be random, which is likely to result in decryption or 7716 * verification errors. This is better than filling the buffer with 7717 * some constant data such as zeros, which would result in the data 7718 * being protected with a reproducible, easily knowable key. 7719 */ 7720 psa_generate_random_internal(output, output_size); 7721 *output_length = output_size; 7722 } 7723 7724 if (output == NULL) { 7725 /* output allocation failed. */ 7726 *output_length = 0; 7727 } 7728 7729 unlock_status = psa_unregister_read_under_mutex(slot); 7730 7731 LOCAL_INPUT_FREE(peer_key_external, peer_key); 7732 LOCAL_OUTPUT_FREE(output_external, output); 7733 return (status == PSA_SUCCESS) ? unlock_status : status; 7734 } 7735 7736 7737 /****************************************************************/ 7738 /* Random generation */ 7739 /****************************************************************/ 7740 7741 #if defined(MBEDTLS_PSA_INJECT_ENTROPY) 7742 #include "entropy_poll.h" 7743 #endif 7744 7745 /** Initialize the PSA random generator. 7746 * 7747 * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling 7748 * this function if mutexes are enabled. 7749 */ 7750 static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng) 7751 { 7752 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) 7753 memset(rng, 0, sizeof(*rng)); 7754 #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ 7755 7756 /* Set default configuration if 7757 * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */ 7758 if (rng->entropy_init == NULL) { 7759 rng->entropy_init = mbedtls_entropy_init; 7760 } 7761 if (rng->entropy_free == NULL) { 7762 rng->entropy_free = mbedtls_entropy_free; 7763 } 7764 7765 rng->entropy_init(&rng->entropy); 7766 #if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \ 7767 defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) 7768 /* The PSA entropy injection feature depends on using NV seed as an entropy 7769 * source. Add NV seed as an entropy source for PSA entropy injection. */ 7770 mbedtls_entropy_add_source(&rng->entropy, 7771 mbedtls_nv_seed_poll, NULL, 7772 MBEDTLS_ENTROPY_BLOCK_SIZE, 7773 MBEDTLS_ENTROPY_SOURCE_STRONG); 7774 #endif 7775 7776 mbedtls_psa_drbg_init(&rng->drbg); 7777 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ 7778 } 7779 7780 /** Deinitialize the PSA random generator. 7781 * 7782 * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling 7783 * this function if mutexes are enabled. 7784 */ 7785 static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng) 7786 { 7787 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) 7788 memset(rng, 0, sizeof(*rng)); 7789 #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ 7790 mbedtls_psa_drbg_free(&rng->drbg); 7791 rng->entropy_free(&rng->entropy); 7792 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ 7793 } 7794 7795 /** Seed the PSA random generator. 7796 */ 7797 static psa_status_t mbedtls_psa_random_seed(mbedtls_psa_random_context_t *rng) 7798 { 7799 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) 7800 /* Do nothing: the external RNG seeds itself. */ 7801 (void) rng; 7802 return PSA_SUCCESS; 7803 #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ 7804 const unsigned char drbg_seed[] = "PSA"; 7805 int ret = mbedtls_psa_drbg_seed(&rng->drbg, &rng->entropy, 7806 drbg_seed, sizeof(drbg_seed) - 1); 7807 return mbedtls_to_psa_error(ret); 7808 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ 7809 } 7810 7811 psa_status_t psa_generate_random(uint8_t *output_external, 7812 size_t output_size) 7813 { 7814 psa_status_t status; 7815 7816 LOCAL_OUTPUT_DECLARE(output_external, output); 7817 LOCAL_OUTPUT_ALLOC(output_external, output_size, output); 7818 7819 status = psa_generate_random_internal(output, output_size); 7820 7821 #if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) 7822 exit: 7823 #endif 7824 LOCAL_OUTPUT_FREE(output_external, output); 7825 return status; 7826 } 7827 7828 #if defined(MBEDTLS_PSA_INJECT_ENTROPY) 7829 psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed, 7830 size_t seed_size) 7831 { 7832 if (psa_get_initialized()) { 7833 return PSA_ERROR_NOT_PERMITTED; 7834 } 7835 7836 if (((seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM) || 7837 (seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE)) || 7838 (seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE)) { 7839 return PSA_ERROR_INVALID_ARGUMENT; 7840 } 7841 7842 return mbedtls_psa_storage_inject_entropy(seed, seed_size); 7843 } 7844 #endif /* MBEDTLS_PSA_INJECT_ENTROPY */ 7845 7846 /** Validate the key type and size for key generation 7847 * 7848 * \param type The key type 7849 * \param bits The number of bits of the key 7850 * 7851 * \retval #PSA_SUCCESS 7852 * The key type and size are valid. 7853 * \retval #PSA_ERROR_INVALID_ARGUMENT 7854 * The size in bits of the key is not valid. 7855 * \retval #PSA_ERROR_NOT_SUPPORTED 7856 * The type and/or the size in bits of the key or the combination of 7857 * the two is not supported. 7858 */ 7859 static psa_status_t psa_validate_key_type_and_size_for_key_generation( 7860 psa_key_type_t type, size_t bits) 7861 { 7862 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 7863 7864 if (key_type_is_raw_bytes(type)) { 7865 status = psa_validate_unstructured_key_bit_size(type, bits); 7866 if (status != PSA_SUCCESS) { 7867 return status; 7868 } 7869 } else 7870 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) 7871 if (PSA_KEY_TYPE_IS_RSA(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) { 7872 if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) { 7873 return PSA_ERROR_NOT_SUPPORTED; 7874 } 7875 if (bits < PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS) { 7876 return PSA_ERROR_NOT_SUPPORTED; 7877 } 7878 7879 /* Accept only byte-aligned keys, for the same reasons as 7880 * in psa_import_rsa_key(). */ 7881 if (bits % 8 != 0) { 7882 return PSA_ERROR_NOT_SUPPORTED; 7883 } 7884 } else 7885 #endif /* defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */ 7886 7887 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) 7888 if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) { 7889 /* To avoid empty block, return successfully here. */ 7890 return PSA_SUCCESS; 7891 } else 7892 #endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */ 7893 7894 #if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) 7895 if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) { 7896 if (psa_is_dh_key_size_valid(bits) == 0) { 7897 return PSA_ERROR_NOT_SUPPORTED; 7898 } 7899 } else 7900 #endif /* defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) */ 7901 { 7902 return PSA_ERROR_NOT_SUPPORTED; 7903 } 7904 7905 return PSA_SUCCESS; 7906 } 7907 7908 psa_status_t psa_generate_key_internal( 7909 const psa_key_attributes_t *attributes, 7910 const psa_custom_key_parameters_t *custom, 7911 const uint8_t *custom_data, 7912 size_t custom_data_length, 7913 uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) 7914 { 7915 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 7916 psa_key_type_t type = attributes->type; 7917 7918 /* Only used for RSA */ 7919 (void) custom; 7920 (void) custom_data; 7921 (void) custom_data_length; 7922 7923 if (key_type_is_raw_bytes(type)) { 7924 status = psa_generate_random_internal(key_buffer, key_buffer_size); 7925 if (status != PSA_SUCCESS) { 7926 return status; 7927 } 7928 7929 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) 7930 if (type == PSA_KEY_TYPE_DES) { 7931 psa_des_set_key_parity(key_buffer, key_buffer_size); 7932 } 7933 #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ 7934 } else 7935 7936 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) 7937 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { 7938 return mbedtls_psa_rsa_generate_key(attributes, 7939 custom_data, custom_data_length, 7940 key_buffer, 7941 key_buffer_size, 7942 key_buffer_length); 7943 } else 7944 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */ 7945 7946 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) 7947 if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) { 7948 return mbedtls_psa_ecp_generate_key(attributes, 7949 key_buffer, 7950 key_buffer_size, 7951 key_buffer_length); 7952 } else 7953 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */ 7954 7955 #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) 7956 if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) { 7957 return mbedtls_psa_ffdh_generate_key(attributes, 7958 key_buffer, 7959 key_buffer_size, 7960 key_buffer_length); 7961 } else 7962 #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) */ 7963 { 7964 (void) key_buffer_length; 7965 return PSA_ERROR_NOT_SUPPORTED; 7966 } 7967 7968 return PSA_SUCCESS; 7969 } 7970 7971 psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes, 7972 const psa_custom_key_parameters_t *custom, 7973 const uint8_t *custom_data, 7974 size_t custom_data_length, 7975 mbedtls_svc_key_id_t *key) 7976 { 7977 psa_status_t status; 7978 psa_key_slot_t *slot = NULL; 7979 psa_se_drv_table_entry_t *driver = NULL; 7980 size_t key_buffer_size; 7981 7982 *key = MBEDTLS_SVC_KEY_ID_INIT; 7983 7984 /* Reject any attempt to create a zero-length key so that we don't 7985 * risk tripping up later, e.g. on a malloc(0) that returns NULL. */ 7986 if (psa_get_key_bits(attributes) == 0) { 7987 return PSA_ERROR_INVALID_ARGUMENT; 7988 } 7989 7990 /* Reject any attempt to create a public key. */ 7991 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(attributes->type)) { 7992 return PSA_ERROR_INVALID_ARGUMENT; 7993 } 7994 7995 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) 7996 if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) { 7997 if (custom->flags != 0) { 7998 return PSA_ERROR_INVALID_ARGUMENT; 7999 } 8000 } else 8001 #endif 8002 if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) { 8003 return PSA_ERROR_INVALID_ARGUMENT; 8004 } 8005 8006 status = psa_start_key_creation(PSA_KEY_CREATION_GENERATE, attributes, 8007 &slot, &driver); 8008 if (status != PSA_SUCCESS) { 8009 goto exit; 8010 } 8011 8012 /* In the case of a transparent key or an opaque key stored in local 8013 * storage ( thus not in the case of generating a key in a secure element 8014 * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a 8015 * buffer to hold the generated key material. */ 8016 if (slot->key.data == NULL) { 8017 if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) == 8018 PSA_KEY_LOCATION_LOCAL_STORAGE) { 8019 status = psa_validate_key_type_and_size_for_key_generation( 8020 attributes->type, attributes->bits); 8021 if (status != PSA_SUCCESS) { 8022 goto exit; 8023 } 8024 8025 key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE( 8026 attributes->type, 8027 attributes->bits); 8028 } else { 8029 status = psa_driver_wrapper_get_key_buffer_size( 8030 attributes, &key_buffer_size); 8031 if (status != PSA_SUCCESS) { 8032 goto exit; 8033 } 8034 } 8035 8036 status = psa_allocate_buffer_to_slot(slot, key_buffer_size); 8037 if (status != PSA_SUCCESS) { 8038 goto exit; 8039 } 8040 } 8041 8042 status = psa_driver_wrapper_generate_key(attributes, 8043 custom, 8044 custom_data, custom_data_length, 8045 slot->key.data, slot->key.bytes, 8046 &slot->key.bytes); 8047 if (status != PSA_SUCCESS) { 8048 psa_remove_key_data_from_memory(slot); 8049 } 8050 8051 exit: 8052 if (status == PSA_SUCCESS) { 8053 status = psa_finish_key_creation(slot, driver, key); 8054 } 8055 if (status != PSA_SUCCESS) { 8056 psa_fail_key_creation(slot, driver); 8057 } 8058 8059 return status; 8060 } 8061 8062 psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, 8063 const psa_key_production_parameters_t *params, 8064 size_t params_data_length, 8065 mbedtls_svc_key_id_t *key) 8066 { 8067 return psa_generate_key_custom( 8068 attributes, 8069 (const psa_custom_key_parameters_t *) params, 8070 params->data, params_data_length, 8071 key); 8072 } 8073 8074 psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, 8075 mbedtls_svc_key_id_t *key) 8076 { 8077 return psa_generate_key_custom(attributes, 8078 &default_custom_production, 8079 NULL, 0, 8080 key); 8081 } 8082 8083 /****************************************************************/ 8084 /* Module setup */ 8085 /****************************************************************/ 8086 8087 #if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) 8088 psa_status_t mbedtls_psa_crypto_configure_entropy_sources( 8089 void (* entropy_init)(mbedtls_entropy_context *ctx), 8090 void (* entropy_free)(mbedtls_entropy_context *ctx)) 8091 { 8092 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8093 8094 #if defined(MBEDTLS_THREADING_C) 8095 mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex); 8096 #endif /* defined(MBEDTLS_THREADING_C) */ 8097 8098 if (global_data.rng_state != RNG_NOT_INITIALIZED) { 8099 status = PSA_ERROR_BAD_STATE; 8100 } else { 8101 global_data.rng.entropy_init = entropy_init; 8102 global_data.rng.entropy_free = entropy_free; 8103 status = PSA_SUCCESS; 8104 } 8105 8106 #if defined(MBEDTLS_THREADING_C) 8107 mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex); 8108 #endif /* defined(MBEDTLS_THREADING_C) */ 8109 8110 return status; 8111 } 8112 #endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */ 8113 8114 void mbedtls_psa_crypto_free(void) 8115 { 8116 8117 #if defined(MBEDTLS_THREADING_C) 8118 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex); 8119 #endif /* defined(MBEDTLS_THREADING_C) */ 8120 8121 /* Nothing to do to free transaction. */ 8122 if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED) { 8123 global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED; 8124 } 8125 8126 if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED) { 8127 psa_wipe_all_key_slots(); 8128 global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED; 8129 } 8130 8131 #if defined(MBEDTLS_THREADING_C) 8132 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex); 8133 #endif /* defined(MBEDTLS_THREADING_C) */ 8134 8135 #if defined(MBEDTLS_THREADING_C) 8136 mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex); 8137 #endif /* defined(MBEDTLS_THREADING_C) */ 8138 8139 if (global_data.rng_state != RNG_NOT_INITIALIZED) { 8140 mbedtls_psa_random_free(&global_data.rng); 8141 } 8142 global_data.rng_state = RNG_NOT_INITIALIZED; 8143 mbedtls_platform_zeroize(&global_data.rng, sizeof(global_data.rng)); 8144 8145 #if defined(MBEDTLS_THREADING_C) 8146 mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex); 8147 #endif /* defined(MBEDTLS_THREADING_C) */ 8148 8149 #if defined(MBEDTLS_THREADING_C) 8150 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex); 8151 #endif /* defined(MBEDTLS_THREADING_C) */ 8152 8153 /* Terminate drivers */ 8154 if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) { 8155 psa_driver_wrapper_free(); 8156 global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED; 8157 } 8158 8159 #if defined(MBEDTLS_THREADING_C) 8160 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex); 8161 #endif /* defined(MBEDTLS_THREADING_C) */ 8162 8163 } 8164 8165 #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) 8166 /** Recover a transaction that was interrupted by a power failure. 8167 * 8168 * This function is called during initialization, before psa_crypto_init() 8169 * returns. If this function returns a failure status, the initialization 8170 * fails. 8171 */ 8172 static psa_status_t psa_crypto_recover_transaction( 8173 const psa_crypto_transaction_t *transaction) 8174 { 8175 switch (transaction->unknown.type) { 8176 case PSA_CRYPTO_TRANSACTION_CREATE_KEY: 8177 case PSA_CRYPTO_TRANSACTION_DESTROY_KEY: 8178 /* TODO - fall through to the failure case until this 8179 * is implemented. 8180 * https://github.com/ARMmbed/mbed-crypto/issues/218 8181 */ 8182 default: 8183 /* We found an unsupported transaction in the storage. 8184 * We don't know what state the storage is in. Give up. */ 8185 return PSA_ERROR_DATA_INVALID; 8186 } 8187 } 8188 #endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */ 8189 8190 static psa_status_t mbedtls_psa_crypto_init_subsystem(mbedtls_psa_crypto_subsystem subsystem) 8191 { 8192 psa_status_t status = PSA_SUCCESS; 8193 uint8_t driver_wrappers_initialized = 0; 8194 8195 switch (subsystem) { 8196 case PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS: 8197 8198 #if defined(MBEDTLS_THREADING_C) 8199 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex)); 8200 #endif /* defined(MBEDTLS_THREADING_C) */ 8201 8202 if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED)) { 8203 /* Init drivers */ 8204 status = psa_driver_wrapper_init(); 8205 8206 /* Drivers need shutdown regardless of startup errors. */ 8207 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED; 8208 8209 8210 } 8211 #if defined(MBEDTLS_THREADING_C) 8212 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock( 8213 &mbedtls_threading_psa_globaldata_mutex)); 8214 #endif /* defined(MBEDTLS_THREADING_C) */ 8215 8216 break; 8217 8218 case PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS: 8219 8220 #if defined(MBEDTLS_THREADING_C) 8221 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex)); 8222 #endif /* defined(MBEDTLS_THREADING_C) */ 8223 8224 if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED)) { 8225 status = psa_initialize_key_slots(); 8226 8227 /* Need to wipe keys even if initialization fails. */ 8228 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED; 8229 8230 } 8231 #if defined(MBEDTLS_THREADING_C) 8232 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock( 8233 &mbedtls_threading_psa_globaldata_mutex)); 8234 #endif /* defined(MBEDTLS_THREADING_C) */ 8235 8236 break; 8237 8238 case PSA_CRYPTO_SUBSYSTEM_RNG: 8239 8240 #if defined(MBEDTLS_THREADING_C) 8241 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex)); 8242 #endif /* defined(MBEDTLS_THREADING_C) */ 8243 8244 driver_wrappers_initialized = 8245 (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED); 8246 8247 #if defined(MBEDTLS_THREADING_C) 8248 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock( 8249 &mbedtls_threading_psa_globaldata_mutex)); 8250 #endif /* defined(MBEDTLS_THREADING_C) */ 8251 8252 /* Need to use separate mutex here, as initialisation can require 8253 * testing of init flags, which requires locking the global data 8254 * mutex. */ 8255 #if defined(MBEDTLS_THREADING_C) 8256 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex)); 8257 #endif /* defined(MBEDTLS_THREADING_C) */ 8258 8259 /* Initialize and seed the random generator. */ 8260 if (global_data.rng_state == RNG_NOT_INITIALIZED && driver_wrappers_initialized) { 8261 mbedtls_psa_random_init(&global_data.rng); 8262 global_data.rng_state = RNG_INITIALIZED; 8263 8264 status = mbedtls_psa_random_seed(&global_data.rng); 8265 if (status == PSA_SUCCESS) { 8266 global_data.rng_state = RNG_SEEDED; 8267 } 8268 } 8269 8270 #if defined(MBEDTLS_THREADING_C) 8271 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock( 8272 &mbedtls_threading_psa_rngdata_mutex)); 8273 #endif /* defined(MBEDTLS_THREADING_C) */ 8274 8275 break; 8276 8277 case PSA_CRYPTO_SUBSYSTEM_TRANSACTION: 8278 8279 #if defined(MBEDTLS_THREADING_C) 8280 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex)); 8281 #endif /* defined(MBEDTLS_THREADING_C) */ 8282 8283 if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)) { 8284 #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) 8285 status = psa_crypto_load_transaction(); 8286 if (status == PSA_SUCCESS) { 8287 status = psa_crypto_recover_transaction(&psa_crypto_transaction); 8288 if (status == PSA_SUCCESS) { 8289 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED; 8290 } 8291 status = psa_crypto_stop_transaction(); 8292 } else if (status == PSA_ERROR_DOES_NOT_EXIST) { 8293 /* There's no transaction to complete. It's all good. */ 8294 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED; 8295 status = PSA_SUCCESS; 8296 } 8297 #else /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */ 8298 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED; 8299 status = PSA_SUCCESS; 8300 #endif /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */ 8301 } 8302 8303 #if defined(MBEDTLS_THREADING_C) 8304 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock( 8305 &mbedtls_threading_psa_globaldata_mutex)); 8306 #endif /* defined(MBEDTLS_THREADING_C) */ 8307 8308 break; 8309 8310 default: 8311 status = PSA_ERROR_CORRUPTION_DETECTED; 8312 } 8313 8314 /* Exit label only required when using threading macros. */ 8315 #if defined(MBEDTLS_THREADING_C) 8316 exit: 8317 #endif /* defined(MBEDTLS_THREADING_C) */ 8318 8319 return status; 8320 } 8321 8322 psa_status_t psa_crypto_init(void) 8323 { 8324 psa_status_t status; 8325 8326 /* Double initialization is explicitly allowed. Early out if everything is 8327 * done. */ 8328 if (psa_get_initialized()) { 8329 return PSA_SUCCESS; 8330 } 8331 8332 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS); 8333 if (status != PSA_SUCCESS) { 8334 goto exit; 8335 } 8336 8337 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS); 8338 if (status != PSA_SUCCESS) { 8339 goto exit; 8340 } 8341 8342 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_RNG); 8343 if (status != PSA_SUCCESS) { 8344 goto exit; 8345 } 8346 8347 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_TRANSACTION); 8348 8349 exit: 8350 8351 if (status != PSA_SUCCESS) { 8352 mbedtls_psa_crypto_free(); 8353 } 8354 8355 return status; 8356 } 8357 8358 #if defined(PSA_WANT_ALG_SOME_PAKE) 8359 psa_status_t psa_crypto_driver_pake_get_password_len( 8360 const psa_crypto_driver_pake_inputs_t *inputs, 8361 size_t *password_len) 8362 { 8363 if (inputs->password_len == 0) { 8364 return PSA_ERROR_BAD_STATE; 8365 } 8366 8367 *password_len = inputs->password_len; 8368 8369 return PSA_SUCCESS; 8370 } 8371 8372 psa_status_t psa_crypto_driver_pake_get_password( 8373 const psa_crypto_driver_pake_inputs_t *inputs, 8374 uint8_t *buffer, size_t buffer_size, size_t *buffer_length) 8375 { 8376 if (inputs->password_len == 0) { 8377 return PSA_ERROR_BAD_STATE; 8378 } 8379 8380 if (buffer_size < inputs->password_len) { 8381 return PSA_ERROR_BUFFER_TOO_SMALL; 8382 } 8383 8384 memcpy(buffer, inputs->password, inputs->password_len); 8385 *buffer_length = inputs->password_len; 8386 8387 return PSA_SUCCESS; 8388 } 8389 8390 psa_status_t psa_crypto_driver_pake_get_user_len( 8391 const psa_crypto_driver_pake_inputs_t *inputs, 8392 size_t *user_len) 8393 { 8394 if (inputs->user_len == 0) { 8395 return PSA_ERROR_BAD_STATE; 8396 } 8397 8398 *user_len = inputs->user_len; 8399 8400 return PSA_SUCCESS; 8401 } 8402 8403 psa_status_t psa_crypto_driver_pake_get_user( 8404 const psa_crypto_driver_pake_inputs_t *inputs, 8405 uint8_t *user_id, size_t user_id_size, size_t *user_id_len) 8406 { 8407 if (inputs->user_len == 0) { 8408 return PSA_ERROR_BAD_STATE; 8409 } 8410 8411 if (user_id_size < inputs->user_len) { 8412 return PSA_ERROR_BUFFER_TOO_SMALL; 8413 } 8414 8415 memcpy(user_id, inputs->user, inputs->user_len); 8416 *user_id_len = inputs->user_len; 8417 8418 return PSA_SUCCESS; 8419 } 8420 8421 psa_status_t psa_crypto_driver_pake_get_peer_len( 8422 const psa_crypto_driver_pake_inputs_t *inputs, 8423 size_t *peer_len) 8424 { 8425 if (inputs->peer_len == 0) { 8426 return PSA_ERROR_BAD_STATE; 8427 } 8428 8429 *peer_len = inputs->peer_len; 8430 8431 return PSA_SUCCESS; 8432 } 8433 8434 psa_status_t psa_crypto_driver_pake_get_peer( 8435 const psa_crypto_driver_pake_inputs_t *inputs, 8436 uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length) 8437 { 8438 if (inputs->peer_len == 0) { 8439 return PSA_ERROR_BAD_STATE; 8440 } 8441 8442 if (peer_id_size < inputs->peer_len) { 8443 return PSA_ERROR_BUFFER_TOO_SMALL; 8444 } 8445 8446 memcpy(peer_id, inputs->peer, inputs->peer_len); 8447 *peer_id_length = inputs->peer_len; 8448 8449 return PSA_SUCCESS; 8450 } 8451 8452 psa_status_t psa_crypto_driver_pake_get_cipher_suite( 8453 const psa_crypto_driver_pake_inputs_t *inputs, 8454 psa_pake_cipher_suite_t *cipher_suite) 8455 { 8456 if (inputs->cipher_suite.algorithm == PSA_ALG_NONE) { 8457 return PSA_ERROR_BAD_STATE; 8458 } 8459 8460 *cipher_suite = inputs->cipher_suite; 8461 8462 return PSA_SUCCESS; 8463 } 8464 8465 psa_status_t psa_pake_setup( 8466 psa_pake_operation_t *operation, 8467 const psa_pake_cipher_suite_t *cipher_suite) 8468 { 8469 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8470 8471 if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) { 8472 status = PSA_ERROR_BAD_STATE; 8473 goto exit; 8474 } 8475 8476 if (PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 || 8477 PSA_ALG_IS_HASH(cipher_suite->hash) == 0) { 8478 status = PSA_ERROR_INVALID_ARGUMENT; 8479 goto exit; 8480 } 8481 8482 memset(&operation->data.inputs, 0, sizeof(operation->data.inputs)); 8483 8484 operation->alg = cipher_suite->algorithm; 8485 operation->primitive = PSA_PAKE_PRIMITIVE(cipher_suite->type, 8486 cipher_suite->family, cipher_suite->bits); 8487 operation->data.inputs.cipher_suite = *cipher_suite; 8488 8489 #if defined(PSA_WANT_ALG_JPAKE) 8490 if (operation->alg == PSA_ALG_JPAKE) { 8491 psa_jpake_computation_stage_t *computation_stage = 8492 &operation->computation_stage.jpake; 8493 8494 memset(computation_stage, 0, sizeof(*computation_stage)); 8495 computation_stage->step = PSA_PAKE_STEP_KEY_SHARE; 8496 } else 8497 #endif /* PSA_WANT_ALG_JPAKE */ 8498 { 8499 status = PSA_ERROR_NOT_SUPPORTED; 8500 goto exit; 8501 } 8502 8503 operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS; 8504 8505 return PSA_SUCCESS; 8506 exit: 8507 psa_pake_abort(operation); 8508 return status; 8509 } 8510 8511 psa_status_t psa_pake_set_password_key( 8512 psa_pake_operation_t *operation, 8513 mbedtls_svc_key_id_t password) 8514 { 8515 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8516 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; 8517 psa_key_slot_t *slot = NULL; 8518 psa_key_type_t type; 8519 8520 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { 8521 status = PSA_ERROR_BAD_STATE; 8522 goto exit; 8523 } 8524 8525 status = psa_get_and_lock_key_slot_with_policy(password, &slot, 8526 PSA_KEY_USAGE_DERIVE, 8527 operation->alg); 8528 if (status != PSA_SUCCESS) { 8529 goto exit; 8530 } 8531 8532 type = psa_get_key_type(&slot->attr); 8533 8534 if (type != PSA_KEY_TYPE_PASSWORD && 8535 type != PSA_KEY_TYPE_PASSWORD_HASH) { 8536 status = PSA_ERROR_INVALID_ARGUMENT; 8537 goto exit; 8538 } 8539 8540 operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes); 8541 if (operation->data.inputs.password == NULL) { 8542 status = PSA_ERROR_INSUFFICIENT_MEMORY; 8543 goto exit; 8544 } 8545 8546 memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes); 8547 operation->data.inputs.password_len = slot->key.bytes; 8548 operation->data.inputs.attributes = slot->attr; 8549 8550 exit: 8551 if (status != PSA_SUCCESS) { 8552 psa_pake_abort(operation); 8553 } 8554 unlock_status = psa_unregister_read_under_mutex(slot); 8555 return (status == PSA_SUCCESS) ? unlock_status : status; 8556 } 8557 8558 psa_status_t psa_pake_set_user( 8559 psa_pake_operation_t *operation, 8560 const uint8_t *user_id_external, 8561 size_t user_id_len) 8562 { 8563 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8564 LOCAL_INPUT_DECLARE(user_id_external, user_id); 8565 8566 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { 8567 status = PSA_ERROR_BAD_STATE; 8568 goto exit; 8569 } 8570 8571 if (user_id_len == 0) { 8572 status = PSA_ERROR_INVALID_ARGUMENT; 8573 goto exit; 8574 } 8575 8576 if (operation->data.inputs.user_len != 0) { 8577 status = PSA_ERROR_BAD_STATE; 8578 goto exit; 8579 } 8580 8581 operation->data.inputs.user = mbedtls_calloc(1, user_id_len); 8582 if (operation->data.inputs.user == NULL) { 8583 status = PSA_ERROR_INSUFFICIENT_MEMORY; 8584 goto exit; 8585 } 8586 8587 LOCAL_INPUT_ALLOC(user_id_external, user_id_len, user_id); 8588 8589 memcpy(operation->data.inputs.user, user_id, user_id_len); 8590 operation->data.inputs.user_len = user_id_len; 8591 8592 status = PSA_SUCCESS; 8593 8594 exit: 8595 LOCAL_INPUT_FREE(user_id_external, user_id); 8596 if (status != PSA_SUCCESS) { 8597 psa_pake_abort(operation); 8598 } 8599 return status; 8600 } 8601 8602 psa_status_t psa_pake_set_peer( 8603 psa_pake_operation_t *operation, 8604 const uint8_t *peer_id_external, 8605 size_t peer_id_len) 8606 { 8607 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8608 LOCAL_INPUT_DECLARE(peer_id_external, peer_id); 8609 8610 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { 8611 status = PSA_ERROR_BAD_STATE; 8612 goto exit; 8613 } 8614 8615 if (peer_id_len == 0) { 8616 status = PSA_ERROR_INVALID_ARGUMENT; 8617 goto exit; 8618 } 8619 8620 if (operation->data.inputs.peer_len != 0) { 8621 status = PSA_ERROR_BAD_STATE; 8622 goto exit; 8623 } 8624 8625 operation->data.inputs.peer = mbedtls_calloc(1, peer_id_len); 8626 if (operation->data.inputs.peer == NULL) { 8627 status = PSA_ERROR_INSUFFICIENT_MEMORY; 8628 goto exit; 8629 } 8630 8631 LOCAL_INPUT_ALLOC(peer_id_external, peer_id_len, peer_id); 8632 8633 memcpy(operation->data.inputs.peer, peer_id, peer_id_len); 8634 operation->data.inputs.peer_len = peer_id_len; 8635 8636 status = PSA_SUCCESS; 8637 8638 exit: 8639 LOCAL_INPUT_FREE(peer_id_external, peer_id); 8640 if (status != PSA_SUCCESS) { 8641 psa_pake_abort(operation); 8642 } 8643 return status; 8644 } 8645 8646 psa_status_t psa_pake_set_role( 8647 psa_pake_operation_t *operation, 8648 psa_pake_role_t role) 8649 { 8650 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8651 8652 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { 8653 status = PSA_ERROR_BAD_STATE; 8654 goto exit; 8655 } 8656 8657 switch (operation->alg) { 8658 #if defined(PSA_WANT_ALG_JPAKE) 8659 case PSA_ALG_JPAKE: 8660 if (role == PSA_PAKE_ROLE_NONE) { 8661 return PSA_SUCCESS; 8662 } 8663 status = PSA_ERROR_INVALID_ARGUMENT; 8664 break; 8665 #endif 8666 default: 8667 (void) role; 8668 status = PSA_ERROR_NOT_SUPPORTED; 8669 goto exit; 8670 } 8671 exit: 8672 psa_pake_abort(operation); 8673 return status; 8674 } 8675 8676 /* Auxiliary function to convert core computation stage to single driver step. */ 8677 #if defined(PSA_WANT_ALG_JPAKE) 8678 static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step( 8679 psa_jpake_computation_stage_t *stage) 8680 { 8681 psa_crypto_driver_pake_step_t key_share_step; 8682 if (stage->round == PSA_JPAKE_FIRST) { 8683 int is_x1; 8684 8685 if (stage->io_mode == PSA_JPAKE_OUTPUT) { 8686 is_x1 = (stage->outputs < 1); 8687 } else { 8688 is_x1 = (stage->inputs < 1); 8689 } 8690 8691 key_share_step = is_x1 ? 8692 PSA_JPAKE_X1_STEP_KEY_SHARE : 8693 PSA_JPAKE_X2_STEP_KEY_SHARE; 8694 } else if (stage->round == PSA_JPAKE_SECOND) { 8695 key_share_step = (stage->io_mode == PSA_JPAKE_OUTPUT) ? 8696 PSA_JPAKE_X2S_STEP_KEY_SHARE : 8697 PSA_JPAKE_X4S_STEP_KEY_SHARE; 8698 } else { 8699 return PSA_JPAKE_STEP_INVALID; 8700 } 8701 return (psa_crypto_driver_pake_step_t) (key_share_step + stage->step - PSA_PAKE_STEP_KEY_SHARE); 8702 } 8703 #endif /* PSA_WANT_ALG_JPAKE */ 8704 8705 static psa_status_t psa_pake_complete_inputs( 8706 psa_pake_operation_t *operation) 8707 { 8708 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8709 /* Create copy of the inputs on stack as inputs share memory 8710 with the driver context which will be setup by the driver. */ 8711 psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs; 8712 8713 if (inputs.password_len == 0) { 8714 return PSA_ERROR_BAD_STATE; 8715 } 8716 8717 if (operation->alg == PSA_ALG_JPAKE) { 8718 if (inputs.user_len == 0 || inputs.peer_len == 0) { 8719 return PSA_ERROR_BAD_STATE; 8720 } 8721 } 8722 8723 /* Clear driver context */ 8724 mbedtls_platform_zeroize(&operation->data, sizeof(operation->data)); 8725 8726 status = psa_driver_wrapper_pake_setup(operation, &inputs); 8727 8728 /* Driver is responsible for creating its own copy of the password. */ 8729 mbedtls_zeroize_and_free(inputs.password, inputs.password_len); 8730 8731 /* User and peer are translated to role. */ 8732 mbedtls_free(inputs.user); 8733 mbedtls_free(inputs.peer); 8734 8735 if (status == PSA_SUCCESS) { 8736 #if defined(PSA_WANT_ALG_JPAKE) 8737 if (operation->alg == PSA_ALG_JPAKE) { 8738 operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION; 8739 } else 8740 #endif /* PSA_WANT_ALG_JPAKE */ 8741 { 8742 status = PSA_ERROR_NOT_SUPPORTED; 8743 } 8744 } 8745 return status; 8746 } 8747 8748 #if defined(PSA_WANT_ALG_JPAKE) 8749 static psa_status_t psa_jpake_prologue( 8750 psa_pake_operation_t *operation, 8751 psa_pake_step_t step, 8752 psa_jpake_io_mode_t io_mode) 8753 { 8754 if (step != PSA_PAKE_STEP_KEY_SHARE && 8755 step != PSA_PAKE_STEP_ZK_PUBLIC && 8756 step != PSA_PAKE_STEP_ZK_PROOF) { 8757 return PSA_ERROR_INVALID_ARGUMENT; 8758 } 8759 8760 psa_jpake_computation_stage_t *computation_stage = 8761 &operation->computation_stage.jpake; 8762 8763 if (computation_stage->round != PSA_JPAKE_FIRST && 8764 computation_stage->round != PSA_JPAKE_SECOND) { 8765 return PSA_ERROR_BAD_STATE; 8766 } 8767 8768 /* Check that the step we are given is the one we were expecting */ 8769 if (step != computation_stage->step) { 8770 return PSA_ERROR_BAD_STATE; 8771 } 8772 8773 if (step == PSA_PAKE_STEP_KEY_SHARE && 8774 computation_stage->inputs == 0 && 8775 computation_stage->outputs == 0) { 8776 /* Start of the round, so function decides whether we are inputting 8777 * or outputting */ 8778 computation_stage->io_mode = io_mode; 8779 } else if (computation_stage->io_mode != io_mode) { 8780 /* Middle of the round so the mode we are in must match the function 8781 * called by the user */ 8782 return PSA_ERROR_BAD_STATE; 8783 } 8784 8785 return PSA_SUCCESS; 8786 } 8787 8788 static psa_status_t psa_jpake_epilogue( 8789 psa_pake_operation_t *operation, 8790 psa_jpake_io_mode_t io_mode) 8791 { 8792 psa_jpake_computation_stage_t *stage = 8793 &operation->computation_stage.jpake; 8794 8795 if (stage->step == PSA_PAKE_STEP_ZK_PROOF) { 8796 /* End of an input/output */ 8797 if (io_mode == PSA_JPAKE_INPUT) { 8798 stage->inputs++; 8799 if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round)) { 8800 stage->io_mode = PSA_JPAKE_OUTPUT; 8801 } 8802 } 8803 if (io_mode == PSA_JPAKE_OUTPUT) { 8804 stage->outputs++; 8805 if (stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) { 8806 stage->io_mode = PSA_JPAKE_INPUT; 8807 } 8808 } 8809 if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round) && 8810 stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) { 8811 /* End of a round, move to the next round */ 8812 stage->inputs = 0; 8813 stage->outputs = 0; 8814 stage->round++; 8815 } 8816 stage->step = PSA_PAKE_STEP_KEY_SHARE; 8817 } else { 8818 stage->step++; 8819 } 8820 return PSA_SUCCESS; 8821 } 8822 8823 #endif /* PSA_WANT_ALG_JPAKE */ 8824 8825 psa_status_t psa_pake_output( 8826 psa_pake_operation_t *operation, 8827 psa_pake_step_t step, 8828 uint8_t *output_external, 8829 size_t output_size, 8830 size_t *output_length) 8831 { 8832 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8833 psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID; 8834 LOCAL_OUTPUT_DECLARE(output_external, output); 8835 *output_length = 0; 8836 8837 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { 8838 status = psa_pake_complete_inputs(operation); 8839 if (status != PSA_SUCCESS) { 8840 goto exit; 8841 } 8842 } 8843 8844 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { 8845 status = PSA_ERROR_BAD_STATE; 8846 goto exit; 8847 } 8848 8849 if (output_size == 0) { 8850 status = PSA_ERROR_INVALID_ARGUMENT; 8851 goto exit; 8852 } 8853 8854 switch (operation->alg) { 8855 #if defined(PSA_WANT_ALG_JPAKE) 8856 case PSA_ALG_JPAKE: 8857 status = psa_jpake_prologue(operation, step, PSA_JPAKE_OUTPUT); 8858 if (status != PSA_SUCCESS) { 8859 goto exit; 8860 } 8861 driver_step = convert_jpake_computation_stage_to_driver_step( 8862 &operation->computation_stage.jpake); 8863 break; 8864 #endif /* PSA_WANT_ALG_JPAKE */ 8865 default: 8866 (void) step; 8867 status = PSA_ERROR_NOT_SUPPORTED; 8868 goto exit; 8869 } 8870 8871 LOCAL_OUTPUT_ALLOC(output_external, output_size, output); 8872 8873 status = psa_driver_wrapper_pake_output(operation, driver_step, 8874 output, output_size, output_length); 8875 8876 if (status != PSA_SUCCESS) { 8877 goto exit; 8878 } 8879 8880 switch (operation->alg) { 8881 #if defined(PSA_WANT_ALG_JPAKE) 8882 case PSA_ALG_JPAKE: 8883 status = psa_jpake_epilogue(operation, PSA_JPAKE_OUTPUT); 8884 if (status != PSA_SUCCESS) { 8885 goto exit; 8886 } 8887 break; 8888 #endif /* PSA_WANT_ALG_JPAKE */ 8889 default: 8890 status = PSA_ERROR_NOT_SUPPORTED; 8891 goto exit; 8892 } 8893 8894 exit: 8895 LOCAL_OUTPUT_FREE(output_external, output); 8896 if (status != PSA_SUCCESS) { 8897 psa_pake_abort(operation); 8898 } 8899 return status; 8900 } 8901 8902 psa_status_t psa_pake_input( 8903 psa_pake_operation_t *operation, 8904 psa_pake_step_t step, 8905 const uint8_t *input_external, 8906 size_t input_length) 8907 { 8908 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8909 psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID; 8910 const size_t max_input_length = (size_t) PSA_PAKE_INPUT_SIZE(operation->alg, 8911 operation->primitive, 8912 step); 8913 LOCAL_INPUT_DECLARE(input_external, input); 8914 8915 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { 8916 status = psa_pake_complete_inputs(operation); 8917 if (status != PSA_SUCCESS) { 8918 goto exit; 8919 } 8920 } 8921 8922 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { 8923 status = PSA_ERROR_BAD_STATE; 8924 goto exit; 8925 } 8926 8927 if (input_length == 0 || input_length > max_input_length) { 8928 status = PSA_ERROR_INVALID_ARGUMENT; 8929 goto exit; 8930 } 8931 8932 switch (operation->alg) { 8933 #if defined(PSA_WANT_ALG_JPAKE) 8934 case PSA_ALG_JPAKE: 8935 status = psa_jpake_prologue(operation, step, PSA_JPAKE_INPUT); 8936 if (status != PSA_SUCCESS) { 8937 goto exit; 8938 } 8939 driver_step = convert_jpake_computation_stage_to_driver_step( 8940 &operation->computation_stage.jpake); 8941 break; 8942 #endif /* PSA_WANT_ALG_JPAKE */ 8943 default: 8944 (void) step; 8945 status = PSA_ERROR_NOT_SUPPORTED; 8946 goto exit; 8947 } 8948 8949 LOCAL_INPUT_ALLOC(input_external, input_length, input); 8950 status = psa_driver_wrapper_pake_input(operation, driver_step, 8951 input, input_length); 8952 8953 if (status != PSA_SUCCESS) { 8954 goto exit; 8955 } 8956 8957 switch (operation->alg) { 8958 #if defined(PSA_WANT_ALG_JPAKE) 8959 case PSA_ALG_JPAKE: 8960 status = psa_jpake_epilogue(operation, PSA_JPAKE_INPUT); 8961 if (status != PSA_SUCCESS) { 8962 goto exit; 8963 } 8964 break; 8965 #endif /* PSA_WANT_ALG_JPAKE */ 8966 default: 8967 status = PSA_ERROR_NOT_SUPPORTED; 8968 goto exit; 8969 } 8970 8971 exit: 8972 LOCAL_INPUT_FREE(input_external, input); 8973 if (status != PSA_SUCCESS) { 8974 psa_pake_abort(operation); 8975 } 8976 return status; 8977 } 8978 8979 psa_status_t psa_pake_get_implicit_key( 8980 psa_pake_operation_t *operation, 8981 psa_key_derivation_operation_t *output) 8982 { 8983 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8984 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; 8985 uint8_t shared_key[MBEDTLS_PSA_JPAKE_BUFFER_SIZE]; 8986 size_t shared_key_len = 0; 8987 8988 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) { 8989 status = PSA_ERROR_BAD_STATE; 8990 goto exit; 8991 } 8992 8993 #if defined(PSA_WANT_ALG_JPAKE) 8994 if (operation->alg == PSA_ALG_JPAKE) { 8995 psa_jpake_computation_stage_t *computation_stage = 8996 &operation->computation_stage.jpake; 8997 if (computation_stage->round != PSA_JPAKE_FINISHED) { 8998 status = PSA_ERROR_BAD_STATE; 8999 goto exit; 9000 } 9001 } else 9002 #endif /* PSA_WANT_ALG_JPAKE */ 9003 { 9004 status = PSA_ERROR_NOT_SUPPORTED; 9005 goto exit; 9006 } 9007 9008 status = psa_driver_wrapper_pake_get_implicit_key(operation, 9009 shared_key, 9010 sizeof(shared_key), 9011 &shared_key_len); 9012 9013 if (status != PSA_SUCCESS) { 9014 goto exit; 9015 } 9016 9017 status = psa_key_derivation_input_bytes(output, 9018 PSA_KEY_DERIVATION_INPUT_SECRET, 9019 shared_key, 9020 shared_key_len); 9021 9022 mbedtls_platform_zeroize(shared_key, sizeof(shared_key)); 9023 exit: 9024 abort_status = psa_pake_abort(operation); 9025 return status == PSA_SUCCESS ? abort_status : status; 9026 } 9027 9028 psa_status_t psa_pake_abort( 9029 psa_pake_operation_t *operation) 9030 { 9031 psa_status_t status = PSA_SUCCESS; 9032 9033 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COMPUTATION) { 9034 status = psa_driver_wrapper_pake_abort(operation); 9035 } 9036 9037 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { 9038 if (operation->data.inputs.password != NULL) { 9039 mbedtls_zeroize_and_free(operation->data.inputs.password, 9040 operation->data.inputs.password_len); 9041 } 9042 if (operation->data.inputs.user != NULL) { 9043 mbedtls_free(operation->data.inputs.user); 9044 } 9045 if (operation->data.inputs.peer != NULL) { 9046 mbedtls_free(operation->data.inputs.peer); 9047 } 9048 } 9049 memset(operation, 0, sizeof(psa_pake_operation_t)); 9050 9051 return status; 9052 } 9053 #endif /* PSA_WANT_ALG_SOME_PAKE */ 9054 9055 /* Memory copying test hooks. These are called before input copy, after input 9056 * copy, before output copy and after output copy, respectively. 9057 * They are used by memory-poisoning tests to temporarily unpoison buffers 9058 * while they are copied. */ 9059 #if defined(MBEDTLS_TEST_HOOKS) 9060 void (*psa_input_pre_copy_hook)(const uint8_t *input, size_t input_len) = NULL; 9061 void (*psa_input_post_copy_hook)(const uint8_t *input, size_t input_len) = NULL; 9062 void (*psa_output_pre_copy_hook)(const uint8_t *output, size_t output_len) = NULL; 9063 void (*psa_output_post_copy_hook)(const uint8_t *output, size_t output_len) = NULL; 9064 #endif 9065 9066 /** Copy from an input buffer to a local copy. 9067 * 9068 * \param[in] input Pointer to input buffer. 9069 * \param[in] input_len Length of the input buffer. 9070 * \param[out] input_copy Pointer to a local copy in which to store the input data. 9071 * \param[out] input_copy_len Length of the local copy buffer. 9072 * \return #PSA_SUCCESS, if the buffer was successfully 9073 * copied. 9074 * \return #PSA_ERROR_CORRUPTION_DETECTED, if the local 9075 * copy is too small to hold contents of the 9076 * input buffer. 9077 */ 9078 MBEDTLS_STATIC_TESTABLE 9079 psa_status_t psa_crypto_copy_input(const uint8_t *input, size_t input_len, 9080 uint8_t *input_copy, size_t input_copy_len) 9081 { 9082 if (input_len > input_copy_len) { 9083 return PSA_ERROR_CORRUPTION_DETECTED; 9084 } 9085 9086 #if defined(MBEDTLS_TEST_HOOKS) 9087 if (psa_input_pre_copy_hook != NULL) { 9088 psa_input_pre_copy_hook(input, input_len); 9089 } 9090 #endif 9091 9092 if (input_len > 0) { 9093 memcpy(input_copy, input, input_len); 9094 } 9095 9096 #if defined(MBEDTLS_TEST_HOOKS) 9097 if (psa_input_post_copy_hook != NULL) { 9098 psa_input_post_copy_hook(input, input_len); 9099 } 9100 #endif 9101 9102 return PSA_SUCCESS; 9103 } 9104 9105 /** Copy from a local output buffer into a user-supplied one. 9106 * 9107 * \param[in] output_copy Pointer to a local buffer containing the output. 9108 * \param[in] output_copy_len Length of the local buffer. 9109 * \param[out] output Pointer to user-supplied output buffer. 9110 * \param[out] output_len Length of the user-supplied output buffer. 9111 * \return #PSA_SUCCESS, if the buffer was successfully 9112 * copied. 9113 * \return #PSA_ERROR_BUFFER_TOO_SMALL, if the 9114 * user-supplied output buffer is too small to 9115 * hold the contents of the local buffer. 9116 */ 9117 MBEDTLS_STATIC_TESTABLE 9118 psa_status_t psa_crypto_copy_output(const uint8_t *output_copy, size_t output_copy_len, 9119 uint8_t *output, size_t output_len) 9120 { 9121 if (output_len < output_copy_len) { 9122 return PSA_ERROR_BUFFER_TOO_SMALL; 9123 } 9124 9125 #if defined(MBEDTLS_TEST_HOOKS) 9126 if (psa_output_pre_copy_hook != NULL) { 9127 psa_output_pre_copy_hook(output, output_len); 9128 } 9129 #endif 9130 9131 if (output_copy_len > 0) { 9132 memcpy(output, output_copy, output_copy_len); 9133 } 9134 9135 #if defined(MBEDTLS_TEST_HOOKS) 9136 if (psa_output_post_copy_hook != NULL) { 9137 psa_output_post_copy_hook(output, output_len); 9138 } 9139 #endif 9140 9141 return PSA_SUCCESS; 9142 } 9143 9144 psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len, 9145 psa_crypto_local_input_t *local_input) 9146 { 9147 psa_status_t status; 9148 9149 *local_input = PSA_CRYPTO_LOCAL_INPUT_INIT; 9150 9151 if (input_len == 0) { 9152 return PSA_SUCCESS; 9153 } 9154 9155 local_input->buffer = mbedtls_calloc(input_len, 1); 9156 if (local_input->buffer == NULL) { 9157 /* Since we dealt with the zero-length case above, we know that 9158 * a NULL return value means a failure of allocation. */ 9159 return PSA_ERROR_INSUFFICIENT_MEMORY; 9160 } 9161 /* From now on, we must free local_input->buffer on error. */ 9162 9163 local_input->length = input_len; 9164 9165 status = psa_crypto_copy_input(input, input_len, 9166 local_input->buffer, local_input->length); 9167 if (status != PSA_SUCCESS) { 9168 goto error; 9169 } 9170 9171 return PSA_SUCCESS; 9172 9173 error: 9174 mbedtls_free(local_input->buffer); 9175 local_input->buffer = NULL; 9176 local_input->length = 0; 9177 return status; 9178 } 9179 9180 void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input) 9181 { 9182 mbedtls_free(local_input->buffer); 9183 local_input->buffer = NULL; 9184 local_input->length = 0; 9185 } 9186 9187 psa_status_t psa_crypto_local_output_alloc(uint8_t *output, size_t output_len, 9188 psa_crypto_local_output_t *local_output) 9189 { 9190 *local_output = PSA_CRYPTO_LOCAL_OUTPUT_INIT; 9191 9192 if (output_len == 0) { 9193 return PSA_SUCCESS; 9194 } 9195 local_output->buffer = mbedtls_calloc(output_len, 1); 9196 if (local_output->buffer == NULL) { 9197 /* Since we dealt with the zero-length case above, we know that 9198 * a NULL return value means a failure of allocation. */ 9199 return PSA_ERROR_INSUFFICIENT_MEMORY; 9200 } 9201 local_output->length = output_len; 9202 local_output->original = output; 9203 9204 return PSA_SUCCESS; 9205 } 9206 9207 psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_output) 9208 { 9209 psa_status_t status; 9210 9211 if (local_output->buffer == NULL) { 9212 local_output->length = 0; 9213 return PSA_SUCCESS; 9214 } 9215 if (local_output->original == NULL) { 9216 /* We have an internal copy but nothing to copy back to. */ 9217 return PSA_ERROR_CORRUPTION_DETECTED; 9218 } 9219 9220 status = psa_crypto_copy_output(local_output->buffer, local_output->length, 9221 local_output->original, local_output->length); 9222 if (status != PSA_SUCCESS) { 9223 return status; 9224 } 9225 9226 mbedtls_free(local_output->buffer); 9227 local_output->buffer = NULL; 9228 local_output->length = 0; 9229 9230 return PSA_SUCCESS; 9231 } 9232 9233 #endif /* MBEDTLS_PSA_CRYPTO_C */ 9234