1 /*
2  * Copyright (c) 2020-2021 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *    http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #define HUKS_DISABLE_LOG_AT_FILE_TO_REDUCE_ROM_SIZE
16 
17 #ifdef HKS_CONFIG_FILE
18 #include HKS_CONFIG_FILE
19 #else
20 #include "hks_config.h"
21 #endif
22 
23 #ifdef HKS_SUPPORT_KDF_C
24 
25 #include "hks_mbedtls_kdf.h"
26 
27 #include <mbedtls/hkdf.h>
28 #include <mbedtls/md.h>
29 #include <mbedtls/pkcs5.h>
30 #include <securec.h>
31 
32 #include "hks_log.h"
33 #include "hks_mbedtls_common.h"
34 #include "hks_template.h"
35 #include "hks_type_inner.h"
36 
37 #ifdef _CUT_AUTHENTICATE
38 #undef HKS_SUPPORT_KDF_PBKDF2
39 #endif
40 
41 #ifdef HKS_SUPPORT_KDF_PBKDF2
42 #ifdef USE_HISI_MBED
/*
 * PBKDF2-HMAC derivation for the HiSilicon mbedtls build, which needs an
 * explicitly initialised HMAC context built from the digest descriptor.
 *
 * mainKey    - password material (data/size).
 * derParam   - supplies the salt blob and the iteration count.
 * info       - mbedtls digest descriptor used as the HMAC PRF.
 * derivedKey - output buffer; derivedKey->size bytes are requested.
 *
 * Returns the raw mbedtls return code (HKS_MBEDTLS_SUCCESS on success).
 * When the PBKDF2 step itself fails the output buffer is wiped so a caller
 * cannot pick up partially written key bytes; the context is always freed.
 */
static int32_t DeriveKeyPbkdf2(const struct HksBlob *mainKey, const struct HksKeyDerivationParam *derParam,
    const mbedtls_md_info_t *info, struct HksBlob *derivedKey)
{
    mbedtls_md_context_t hmacCtx;
    (void)memset_s(&hmacCtx, sizeof(hmacCtx), 0, sizeof(hmacCtx));
    mbedtls_md_init(&hmacCtx);

    /* third argument 1: configure the context for HMAC, not a plain digest */
    int32_t ret = mbedtls_md_setup(&hmacCtx, info, 1);
    if (ret != HKS_MBEDTLS_SUCCESS) {
        HKS_LOG_E("Mbedtls md setup failed! mbedtls ret = 0x%" LOG_PUBLIC "X", ret);
        goto cleanup;
    }

    ret = mbedtls_pkcs5_pbkdf2_hmac(&hmacCtx, mainKey->data, mainKey->size, derParam->salt.data,
        derParam->salt.size, derParam->iterations, derivedKey->size, derivedKey->data);
    if (ret != HKS_MBEDTLS_SUCCESS) {
        HKS_LOG_E("Mbedtls pbkdf2 failed! mbedtls ret = 0x%" LOG_PUBLIC "X", ret);
        /* never hand a half-written key buffer back to the caller */
        (void)memset_s(derivedKey->data, derivedKey->size, 0, derivedKey->size);
    }

cleanup:
    mbedtls_md_free(&hmacCtx);
    return ret;
}
69 #else
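/*
 * PBKDF2-HMAC derivation for stock mbedtls, which provides the one-shot
 * mbedtls_pkcs5_pbkdf2_hmac_ext() keyed directly by digest type.
 *
 * mainKey    - password material (data/size).
 * derParam   - supplies the salt blob and the iteration count.
 * type       - mbedtls digest type used as the HMAC PRF.
 * derivedKey - output buffer; derivedKey->size bytes are requested.
 *
 * Returns the raw mbedtls return code (HKS_MBEDTLS_SUCCESS on success).
 * On failure the error is logged and the output buffer is wiped, matching the
 * HiSilicon variant and DeriveKeyHkdf so that no code path can return
 * partially written key material to the caller.
 */
static int32_t DeriveKeyPbkdf2(const struct HksBlob *mainKey, const struct HksKeyDerivationParam *derParam,
    mbedtls_md_type_t type, struct HksBlob *derivedKey)
{
    int32_t ret = mbedtls_pkcs5_pbkdf2_hmac_ext(type, mainKey->data, mainKey->size, derParam->salt.data,
        derParam->salt.size, derParam->iterations, derivedKey->size, derivedKey->data);
    if (ret != HKS_MBEDTLS_SUCCESS) {
        HKS_LOG_E("Mbedtls pbkdf2 failed! mbedtls ret = 0x%" LOG_PUBLIC "X", ret);
        /* mbedtls may have written part of the output before failing; clear it */
        (void)memset_s(derivedKey->data, derivedKey->size, 0, derivedKey->size);
    }
    return ret;
}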
77 #endif
78 #endif /* HKS_SUPPORT_KDF_PBKDF2 */
79 
80 #ifdef HKS_SUPPORT_KDF_HKDF
/*
 * HKDF (extract-and-expand) derivation via mbedtls_hkdf().
 *
 * mainKey    - input keying material.
 * derParam   - supplies the salt blob and the HKDF info blob.
 * info       - mbedtls digest descriptor used for HMAC.
 * derivedKey - output buffer; derivedKey->size bytes are requested.
 *
 * Returns the raw mbedtls return code (HKS_MBEDTLS_SUCCESS on success).
 * On failure the error is logged and the output buffer is wiped.
 */
static int32_t DeriveKeyHkdf(const struct HksBlob *mainKey, const struct HksKeyDerivationParam *derParam,
    const mbedtls_md_info_t *info, struct HksBlob *derivedKey)
{
    const struct HksBlob *salt = &derParam->salt;
    const struct HksBlob *hkdfInfo = &derParam->info;

    int32_t ret = mbedtls_hkdf(info, salt->data, salt->size, mainKey->data, mainKey->size,
        hkdfInfo->data, hkdfInfo->size, derivedKey->data, derivedKey->size);
    if (ret == HKS_MBEDTLS_SUCCESS) {
        return ret;
    }

    HKS_LOG_E("Mbedtls hkdf failed! mbedtls ret = 0x%" LOG_PUBLIC "X", ret);
    /* do not leave partially derived bytes in the caller's buffer */
    (void)memset_s(derivedKey->data, derivedKey->size, 0, derivedKey->size);
    return ret;
}
93 #endif /* HKS_SUPPORT_KDF_HKDF */
94 
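/*
 * Derive derivedKey from mainKey according to derivationSpec.
 *
 * derivationSpec->algParam must point at a struct HksKeyDerivationParam; its
 * digestAlg selects the HMAC digest and derivationSpec->algType selects the
 * KDF (PBKDF2 or HKDF, each only when compiled in).
 *
 * Returns the HksToMbedtlsDigestAlg() error on an unknown digest,
 * HKS_ERROR_CRYPTO_ENGINE_ERROR when mbedtls has no descriptor for the digest,
 * HKS_ERROR_INVALID_ARGUMENT for a missing algParam or an unsupported algType,
 * and otherwise the raw mbedtls return code from the selected derivation
 * helper.
 */
int32_t HksMbedtlsDeriveKey(const struct HksBlob *mainKey,
    const struct HksKeySpec *derivationSpec, struct HksBlob *derivedKey)
{
    const struct HksKeyDerivationParam *derParam = (struct HksKeyDerivationParam *)(derivationSpec->algParam);
    /* algParam is caller-supplied; reject a missing param instead of dereferencing it below */
    if (derParam == NULL) {
        HKS_LOG_E("Derive key param is null! mode = 0x%" LOG_PUBLIC "X", derivationSpec->algType);
        return HKS_ERROR_INVALID_ARGUMENT;
    }

    uint32_t mbedtlsAlg = 0;
    int32_t ret = HksToMbedtlsDigestAlg(derParam->digestAlg, &mbedtlsAlg);
    HKS_IF_NOT_SUCC_RETURN(ret, ret)

    const mbedtls_md_info_t *info = mbedtls_md_info_from_type((mbedtls_md_type_t)mbedtlsAlg);
    /* ret is necessarily success at this point, so log the rejected digest type instead of ret */
    HKS_IF_NULL_LOGE_RETURN(info, HKS_ERROR_CRYPTO_ENGINE_ERROR,
        "Mbedtls get md info failed! digest alg = 0x%" LOG_PUBLIC "X", mbedtlsAlg)

    switch (derivationSpec->algType) {
#ifdef HKS_SUPPORT_KDF_PBKDF2
        case HKS_ALG_PBKDF2:
#ifdef USE_HISI_MBED
            return DeriveKeyPbkdf2(mainKey, derParam, info, derivedKey);
#else
            return DeriveKeyPbkdf2(mainKey, derParam, (mbedtls_md_type_t)mbedtlsAlg, derivedKey);
#endif
#endif
#ifdef HKS_SUPPORT_KDF_HKDF
        case HKS_ALG_HKDF:
            return DeriveKeyHkdf(mainKey, derParam, info, derivedKey);
#endif
        default:
            HKS_LOG_E("Unsupport derive key alg! mode = 0x%" LOG_PUBLIC "X", derivationSpec->algType);
            return HKS_ERROR_INVALID_ARGUMENT;
    }
}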
126 #endif /* HKS_SUPPORT_KDF_C */
127