1 /*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "hmac_operation.h"
18
19 #include <utility>
20
21 #include <openssl/evp.h>
22 #include <openssl/hmac.h>
23
24 #include <keymaster/km_openssl/hmac_key.h>
25 #include <keymaster/km_openssl/openssl_err.h>
26 #include <keymaster/km_openssl/openssl_utils.h>
27
28 #if defined(OPENSSL_IS_BORINGSSL)
29 #include <openssl/mem.h>
30 typedef size_t openssl_size_t;
31 #else
32 typedef int openssl_size_t;
33 #endif
34
35 namespace keymaster {
36
CreateOperation(Key && key,const AuthorizationSet & begin_params,keymaster_error_t * error)37 OperationPtr HmacOperationFactory::CreateOperation(Key&& key, const AuthorizationSet& begin_params,
38 keymaster_error_t* error) {
39 uint32_t min_mac_length_bits;
40 if (!key.authorizations().GetTagValue(TAG_MIN_MAC_LENGTH, &min_mac_length_bits)) {
41 LOG_E("HMAC key must have KM_TAG_MIN_MAC_LENGTH", 0);
42 *error = KM_ERROR_INVALID_KEY_BLOB;
43 return nullptr;
44 }
45
46 uint32_t mac_length_bits = UINT32_MAX;
47 if (begin_params.GetTagValue(TAG_MAC_LENGTH, &mac_length_bits)) {
48 if (purpose() == KM_PURPOSE_VERIFY) {
49 LOG_E("MAC length may not be specified for verify", 0);
50 *error = KM_ERROR_INVALID_ARGUMENT;
51 return nullptr;
52 }
53 if ((mac_length_bits % 8) != 0) {
54 LOG_E("MAC length must be a multiple of 8", mac_length_bits);
55 *error = KM_ERROR_UNSUPPORTED_MAC_LENGTH;
56 return nullptr;
57 }
58 } else {
59 if (purpose() == KM_PURPOSE_SIGN) {
60 *error = KM_ERROR_MISSING_MAC_LENGTH;
61 return nullptr;
62 }
63 }
64
65 keymaster_digest_t digest;
66 if (!key.authorizations().GetTagValue(TAG_DIGEST, &digest)) {
67 LOG_E("%d digests found in HMAC key authorizations; must be exactly 1",
68 begin_params.GetTagCount(TAG_DIGEST));
69 *error = KM_ERROR_INVALID_KEY_BLOB;
70 return nullptr;
71 }
72
73 UniquePtr<HmacOperation> op(new (std::nothrow) HmacOperation(
74 std::move(key), purpose(), digest, mac_length_bits / 8, min_mac_length_bits / 8));
75 if (!op.get())
76 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
77 else
78 *error = op->error();
79
80 if (*error != KM_ERROR_OK) return nullptr;
81
82 return std::move(op);
83 }
84
85 static keymaster_digest_t supported_digests[] = {KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
86 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384,
87 KM_DIGEST_SHA_2_512};
SupportedDigests(size_t * digest_count) const88 const keymaster_digest_t* HmacOperationFactory::SupportedDigests(size_t* digest_count) const {
89 *digest_count = array_length(supported_digests);
90 return supported_digests;
91 }
92
HmacOperation(Key && key,keymaster_purpose_t purpose,keymaster_digest_t digest,size_t mac_length,size_t min_mac_length)93 HmacOperation::HmacOperation(Key&& key, keymaster_purpose_t purpose, keymaster_digest_t digest,
94 size_t mac_length, size_t min_mac_length)
95 : Operation(purpose, key.hw_enforced_move(), key.sw_enforced_move()), error_(KM_ERROR_OK),
96 mac_length_(mac_length), min_mac_length_(min_mac_length) {
97 // Initialize CTX first, so dtor won't crash even if we error out later.
98 HMAC_CTX_init(&ctx_);
99
100 const EVP_MD* md = nullptr;
101 switch (digest) {
102 case KM_DIGEST_NONE:
103 case KM_DIGEST_MD5:
104 error_ = KM_ERROR_UNSUPPORTED_DIGEST;
105 break;
106 case KM_DIGEST_SHA1:
107 md = EVP_sha1();
108 break;
109 case KM_DIGEST_SHA_2_224:
110 md = EVP_sha224();
111 break;
112 case KM_DIGEST_SHA_2_256:
113 md = EVP_sha256();
114 break;
115 case KM_DIGEST_SHA_2_384:
116 md = EVP_sha384();
117 break;
118 case KM_DIGEST_SHA_2_512:
119 md = EVP_sha512();
120 break;
121 }
122
123 if (md == nullptr) {
124 error_ = KM_ERROR_UNSUPPORTED_DIGEST;
125 return;
126 }
127
128 if (purpose == KM_PURPOSE_SIGN) {
129 if (mac_length > EVP_MD_size(md) || mac_length < kMinHmacLengthBits / 8) {
130 error_ = KM_ERROR_UNSUPPORTED_MAC_LENGTH;
131 return;
132 }
133 if (mac_length < min_mac_length) {
134 error_ = KM_ERROR_INVALID_MAC_LENGTH;
135 return;
136 }
137 }
138
139 KeymasterKeyBlob blob = key.key_material_move();
140 HMAC_Init_ex(&ctx_, blob.key_material, blob.key_material_size, md, nullptr /* engine */);
141 }
142
~HmacOperation()143 HmacOperation::~HmacOperation() {
144 HMAC_CTX_cleanup(&ctx_);
145 }
146
Begin(const AuthorizationSet &,AuthorizationSet *)147 keymaster_error_t HmacOperation::Begin(const AuthorizationSet& /* input_params */,
148 AuthorizationSet* /* output_params */) {
149 auto rc = GenerateRandom(reinterpret_cast<uint8_t*>(&operation_handle_),
150 (size_t)sizeof(operation_handle_));
151 if (rc != KM_ERROR_OK) return rc;
152
153 return error_;
154 }
155
Update(const AuthorizationSet &,const Buffer & input,AuthorizationSet *,Buffer *,size_t * input_consumed)156 keymaster_error_t HmacOperation::Update(const AuthorizationSet& /* additional_params */,
157 const Buffer& input, AuthorizationSet* /* output_params */,
158 Buffer* /* output */, size_t* input_consumed) {
159 if (!HMAC_Update(&ctx_, input.peek_read(), input.available_read()))
160 return TranslateLastOpenSslError();
161 *input_consumed = input.available_read();
162 return KM_ERROR_OK;
163 }
164
Abort()165 keymaster_error_t HmacOperation::Abort() {
166 return KM_ERROR_OK;
167 }
168
Finish(const AuthorizationSet & additional_params,const Buffer & input,const Buffer & signature,AuthorizationSet *,Buffer * output)169 keymaster_error_t HmacOperation::Finish(const AuthorizationSet& additional_params,
170 const Buffer& input, const Buffer& signature,
171 AuthorizationSet* /* output_params */, Buffer* output) {
172 keymaster_error_t error = UpdateForFinish(additional_params, input);
173 if (error != KM_ERROR_OK) return error;
174
175 uint8_t digest[EVP_MAX_MD_SIZE];
176 unsigned int digest_len;
177 if (!HMAC_Final(&ctx_, digest, &digest_len)) return TranslateLastOpenSslError();
178
179 switch (purpose()) {
180 case KM_PURPOSE_SIGN:
181 if (mac_length_ > digest_len) return KM_ERROR_UNSUPPORTED_MAC_LENGTH;
182 if (!output->reserve(mac_length_) || !output->write(digest, mac_length_))
183 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
184 return KM_ERROR_OK;
185 case KM_PURPOSE_VERIFY: {
186 size_t siglen = signature.available_read();
187 if (siglen > digest_len || siglen < kMinHmacLengthBits / 8)
188 return KM_ERROR_UNSUPPORTED_MAC_LENGTH;
189 if (siglen < min_mac_length_) return KM_ERROR_INVALID_MAC_LENGTH;
190 if (CRYPTO_memcmp(signature.peek_read(), digest, siglen) != 0)
191 return KM_ERROR_VERIFICATION_FAILED;
192 return KM_ERROR_OK;
193 }
194 default:
195 return KM_ERROR_UNSUPPORTED_PURPOSE;
196 }
197 }
198
199 } // namespace keymaster
200