1 /**
2 * \file psa/crypto_struct.h
3 *
4 * \brief PSA cryptography module: Mbed TLS structured type implementations
5 *
6 * \note This file may not be included directly. Applications must
7 * include psa/crypto.h.
8 *
9 * This file contains the definitions of some data structures with
10 * implementation-specific definitions.
11 *
12 * In implementations with isolation between the application and the
13 * cryptography module, it is expected that the front-end and the back-end
14 * would have different versions of this file.
15 *
16 * <h3>Design notes about multipart operation structures</h3>
17 *
18 * For multipart operations without driver delegation support, each multipart
19 * operation structure contains a `psa_algorithm_t alg` field which indicates
20 * which specific algorithm the structure is for. When the structure is not in
21 * use, `alg` is 0. Most of the structure consists of a union which is
22 * discriminated by `alg`.
23 *
24 * For multipart operations with driver delegation support, each multipart
25 * operation structure contains an `unsigned int id` field indicating which
26 * driver got assigned to do the operation. When the structure is not in use,
27 * 'id' is 0. The structure contains also a driver context which is the union
28 * of the contexts of all drivers able to handle the type of multipart
29 * operation.
30 *
31 * Note that when `alg` or `id` is 0, the content of other fields is undefined.
32 * In particular, it is not guaranteed that a freshly-initialized structure
33 * is all-zero: we initialize structures to something like `{0, 0}`, which
34 * is only guaranteed to initializes the first member of the union;
35 * GCC and Clang initialize the whole structure to 0 (at the time of writing),
36 * but MSVC and CompCert don't.
37 *
38 * In Mbed TLS, multipart operation structures live independently from
39 * the key. This allows Mbed TLS to free the key objects when destroying
40 * a key slot. If a multipart operation needs to remember the key after
41 * the setup function returns, the operation structure needs to contain a
42 * copy of the key.
43 */
44 /*
45 * Copyright The Mbed TLS Contributors
46 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
47 */
48
49 #ifndef PSA_CRYPTO_STRUCT_H
50 #define PSA_CRYPTO_STRUCT_H
51
52 #ifdef __cplusplus
53 extern "C" {
54 #endif
55
56 /* Include the Mbed TLS configuration file, the way Mbed TLS does it
57 * in each of its header files. */
58 #if !defined(MBEDTLS_CONFIG_FILE)
59 #include "mbedtls/config.h"
60 #else
61 #include MBEDTLS_CONFIG_FILE
62 #endif
63
64 #include "mbedtls/cmac.h"
65 #include "mbedtls/gcm.h"
66
67 /* Include the context definition for the compiled-in drivers for the primitive
68 * algorithms. */
69 #include "psa/crypto_driver_contexts_primitives.h"
70
71 struct psa_hash_operation_s {
72 /** Unique ID indicating which driver got assigned to do the
73 * operation. Since driver contexts are driver-specific, swapping
74 * drivers halfway through the operation is not supported.
75 * ID values are auto-generated in psa_driver_wrappers.h.
76 * ID value zero means the context is not valid or not assigned to
77 * any driver (i.e. the driver context is not active, in use). */
78 unsigned int id;
79 psa_driver_hash_context_t ctx;
80 };
81
82 #define PSA_HASH_OPERATION_INIT { 0, { 0 } }
psa_hash_operation_init(void)83 static inline struct psa_hash_operation_s psa_hash_operation_init(void)
84 {
85 const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT;
86 return v;
87 }
88
89 struct psa_cipher_operation_s {
90 /** Unique ID indicating which driver got assigned to do the
91 * operation. Since driver contexts are driver-specific, swapping
92 * drivers halfway through the operation is not supported.
93 * ID values are auto-generated in psa_crypto_driver_wrappers.h
94 * ID value zero means the context is not valid or not assigned to
95 * any driver (i.e. none of the driver contexts are active). */
96 unsigned int id;
97
98 unsigned int iv_required : 1;
99 unsigned int iv_set : 1;
100
101 uint8_t default_iv_length;
102
103 psa_driver_cipher_context_t ctx;
104 };
105
106 #define PSA_CIPHER_OPERATION_INIT { 0, 0, 0, 0, { 0 } }
psa_cipher_operation_init(void)107 static inline struct psa_cipher_operation_s psa_cipher_operation_init(void)
108 {
109 const struct psa_cipher_operation_s v = PSA_CIPHER_OPERATION_INIT;
110 return v;
111 }
112
113 /* Include the context definition for the compiled-in drivers for the composite
114 * algorithms. */
115 #include "psa/crypto_driver_contexts_composites.h"
116
117 struct psa_mac_operation_s {
118 /** Unique ID indicating which driver got assigned to do the
119 * operation. Since driver contexts are driver-specific, swapping
120 * drivers halfway through the operation is not supported.
121 * ID values are auto-generated in psa_driver_wrappers.h
122 * ID value zero means the context is not valid or not assigned to
123 * any driver (i.e. none of the driver contexts are active). */
124 unsigned int id;
125 uint8_t mac_size;
126 unsigned int is_sign : 1;
127 psa_driver_mac_context_t ctx;
128 };
129
130 #define PSA_MAC_OPERATION_INIT { 0, 0, 0, { 0 } }
psa_mac_operation_init(void)131 static inline struct psa_mac_operation_s psa_mac_operation_init(void)
132 {
133 const struct psa_mac_operation_s v = PSA_MAC_OPERATION_INIT;
134 return v;
135 }
136
137 struct psa_aead_operation_s {
138 psa_algorithm_t alg;
139 unsigned int key_set : 1;
140 unsigned int iv_set : 1;
141 uint8_t iv_size;
142 uint8_t block_size;
143 union {
144 unsigned dummy; /* Enable easier initializing of the union. */
145 mbedtls_cipher_context_t cipher;
146 } ctx;
147 };
148
149 #define PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, 0, { 0 } }
psa_aead_operation_init(void)150 static inline struct psa_aead_operation_s psa_aead_operation_init(void)
151 {
152 const struct psa_aead_operation_s v = PSA_AEAD_OPERATION_INIT;
153 return v;
154 }
155
156 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
157 typedef struct {
158 uint8_t *info;
159 size_t info_length;
160 #if PSA_HASH_MAX_SIZE > 0xff
161 #error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
162 #endif
163 uint8_t offset_in_block;
164 uint8_t block_number;
165 unsigned int state : 2;
166 unsigned int info_set : 1;
167 uint8_t output_block[PSA_HASH_MAX_SIZE];
168 uint8_t prk[PSA_HASH_MAX_SIZE];
169 struct psa_mac_operation_s hmac;
170 } psa_hkdf_key_derivation_t;
171 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
172
173 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
174 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
175 typedef enum {
176 PSA_TLS12_PRF_STATE_INIT, /* no input provided */
177 PSA_TLS12_PRF_STATE_SEED_SET, /* seed has been set */
178 PSA_TLS12_PRF_STATE_KEY_SET, /* key has been set */
179 PSA_TLS12_PRF_STATE_LABEL_SET, /* label has been set */
180 PSA_TLS12_PRF_STATE_OUTPUT /* output has been started */
181 } psa_tls12_prf_key_derivation_state_t;
182
183 typedef struct psa_tls12_prf_key_derivation_s {
184 #if PSA_HASH_MAX_SIZE > 0xff
185 #error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
186 #endif
187
188 /* Indicates how many bytes in the current HMAC block have
189 * not yet been read by the user. */
190 uint8_t left_in_block;
191
192 /* The 1-based number of the block. */
193 uint8_t block_number;
194
195 psa_tls12_prf_key_derivation_state_t state;
196
197 uint8_t *secret;
198 size_t secret_length;
199 uint8_t *seed;
200 size_t seed_length;
201 uint8_t *label;
202 size_t label_length;
203
204 uint8_t Ai[PSA_HASH_MAX_SIZE];
205
206 /* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */
207 uint8_t output_block[PSA_HASH_MAX_SIZE];
208 } psa_tls12_prf_key_derivation_t;
209 #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
210 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
211
212 struct psa_key_derivation_s {
213 psa_algorithm_t alg;
214 unsigned int can_output_key : 1;
215 size_t capacity;
216 union {
217 /* Make the union non-empty even with no supported algorithms. */
218 uint8_t dummy;
219 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
220 psa_hkdf_key_derivation_t hkdf;
221 #endif
222 #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
223 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
224 psa_tls12_prf_key_derivation_t tls12_prf;
225 #endif
226 } ctx;
227 };
228
229 /* This only zeroes out the first byte in the union, the rest is unspecified. */
230 #define PSA_KEY_DERIVATION_OPERATION_INIT { 0, 0, 0, { 0 } }
psa_key_derivation_operation_init(void)231 static inline struct psa_key_derivation_s psa_key_derivation_operation_init(void)
232 {
233 const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT;
234 return v;
235 }
236
237 struct psa_key_policy_s {
238 psa_key_usage_t usage;
239 psa_algorithm_t alg;
240 psa_algorithm_t alg2;
241 };
242 typedef struct psa_key_policy_s psa_key_policy_t;
243
244 #define PSA_KEY_POLICY_INIT { 0, 0, 0 }
psa_key_policy_init(void)245 static inline struct psa_key_policy_s psa_key_policy_init(void)
246 {
247 const struct psa_key_policy_s v = PSA_KEY_POLICY_INIT;
248 return v;
249 }
250
251 /* The type used internally for key sizes.
252 * Public interfaces use size_t, but internally we use a smaller type. */
253 typedef uint16_t psa_key_bits_t;
254 /* The maximum value of the type used to represent bit-sizes.
255 * This is used to mark an invalid key size. */
256 #define PSA_KEY_BITS_TOO_LARGE ((psa_key_bits_t) (-1))
257 /* The maximum size of a key in bits.
258 * Currently defined as the maximum that can be represented, rounded down
259 * to a whole number of bytes.
260 * This is an uncast value so that it can be used in preprocessor
261 * conditionals. */
262 #define PSA_MAX_KEY_BITS 0xfff8
263
264 /** A mask of flags that can be stored in key attributes.
265 *
266 * This type is also used internally to store flags in slots. Internal
267 * flags are defined in library/psa_crypto_core.h. Internal flags may have
268 * the same value as external flags if they are properly handled during
269 * key creation and in psa_get_key_attributes.
270 */
271 typedef uint16_t psa_key_attributes_flag_t;
272
273 #define MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER \
274 ((psa_key_attributes_flag_t) 0x0001)
275
276 /* A mask of key attribute flags used externally only.
277 * Only meant for internal checks inside the library. */
278 #define MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY ( \
279 MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER | \
280 0)
281
282 /* A mask of key attribute flags used both internally and externally.
283 * Currently there aren't any. */
284 #define MBEDTLS_PSA_KA_MASK_DUAL_USE ( \
285 0)
286
287 typedef struct {
288 psa_key_type_t type;
289 psa_key_bits_t bits;
290 psa_key_lifetime_t lifetime;
291 mbedtls_svc_key_id_t id;
292 psa_key_policy_t policy;
293 psa_key_attributes_flag_t flags;
294 } psa_core_key_attributes_t;
295
296 #define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_TYPE_NONE, 0, PSA_KEY_LIFETIME_VOLATILE, \
297 MBEDTLS_SVC_KEY_ID_INIT, PSA_KEY_POLICY_INIT, 0 }
298
299 struct psa_key_attributes_s {
300 psa_core_key_attributes_t core;
301 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
302 psa_key_slot_number_t slot_number;
303 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
304 void *domain_parameters;
305 size_t domain_parameters_size;
306 };
307
308 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
309 #define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, 0, NULL, 0 }
310 #else
311 #define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0 }
312 #endif
313
psa_key_attributes_init(void)314 static inline struct psa_key_attributes_s psa_key_attributes_init(void)
315 {
316 const struct psa_key_attributes_s v = PSA_KEY_ATTRIBUTES_INIT;
317 return v;
318 }
319
psa_set_key_id(psa_key_attributes_t * attributes,mbedtls_svc_key_id_t key)320 static inline void psa_set_key_id(psa_key_attributes_t *attributes,
321 mbedtls_svc_key_id_t key)
322 {
323 psa_key_lifetime_t lifetime = attributes->core.lifetime;
324
325 attributes->core.id = key;
326
327 if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
328 attributes->core.lifetime =
329 PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
330 PSA_KEY_LIFETIME_PERSISTENT,
331 PSA_KEY_LIFETIME_GET_LOCATION(lifetime));
332 }
333 }
334
psa_get_key_id(const psa_key_attributes_t * attributes)335 static inline mbedtls_svc_key_id_t psa_get_key_id(
336 const psa_key_attributes_t *attributes)
337 {
338 return attributes->core.id;
339 }
340
341 #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
mbedtls_set_key_owner_id(psa_key_attributes_t * attributes,mbedtls_key_owner_id_t owner)342 static inline void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes,
343 mbedtls_key_owner_id_t owner)
344 {
345 attributes->core.id.owner = owner;
346 }
347 #endif
348
psa_set_key_lifetime(psa_key_attributes_t * attributes,psa_key_lifetime_t lifetime)349 static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes,
350 psa_key_lifetime_t lifetime)
351 {
352 attributes->core.lifetime = lifetime;
353 if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
354 #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
355 attributes->core.id.key_id = 0;
356 #else
357 attributes->core.id = 0;
358 #endif
359 }
360 }
361
psa_get_key_lifetime(const psa_key_attributes_t * attributes)362 static inline psa_key_lifetime_t psa_get_key_lifetime(
363 const psa_key_attributes_t *attributes)
364 {
365 return attributes->core.lifetime;
366 }
367
psa_extend_key_usage_flags(psa_key_usage_t * usage_flags)368 static inline void psa_extend_key_usage_flags(psa_key_usage_t *usage_flags)
369 {
370 if (*usage_flags & PSA_KEY_USAGE_SIGN_HASH) {
371 *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
372 }
373
374 if (*usage_flags & PSA_KEY_USAGE_VERIFY_HASH) {
375 *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
376 }
377 }
378
psa_set_key_usage_flags(psa_key_attributes_t * attributes,psa_key_usage_t usage_flags)379 static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
380 psa_key_usage_t usage_flags)
381 {
382 psa_extend_key_usage_flags(&usage_flags);
383 attributes->core.policy.usage = usage_flags;
384 }
385
psa_get_key_usage_flags(const psa_key_attributes_t * attributes)386 static inline psa_key_usage_t psa_get_key_usage_flags(
387 const psa_key_attributes_t *attributes)
388 {
389 return attributes->core.policy.usage;
390 }
391
psa_set_key_algorithm(psa_key_attributes_t * attributes,psa_algorithm_t alg)392 static inline void psa_set_key_algorithm(psa_key_attributes_t *attributes,
393 psa_algorithm_t alg)
394 {
395 attributes->core.policy.alg = alg;
396 }
397
psa_get_key_algorithm(const psa_key_attributes_t * attributes)398 static inline psa_algorithm_t psa_get_key_algorithm(
399 const psa_key_attributes_t *attributes)
400 {
401 return attributes->core.policy.alg;
402 }
403
404 /* This function is declared in crypto_extra.h, which comes after this
405 * header file, but we need the function here, so repeat the declaration. */
406 psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
407 psa_key_type_t type,
408 const uint8_t *data,
409 size_t data_length);
410
psa_set_key_type(psa_key_attributes_t * attributes,psa_key_type_t type)411 static inline void psa_set_key_type(psa_key_attributes_t *attributes,
412 psa_key_type_t type)
413 {
414 if (attributes->domain_parameters == NULL) {
415 /* Common case: quick path */
416 attributes->core.type = type;
417 } else {
418 /* Call the bigger function to free the old domain parameters.
419 * Ignore any errors which may arise due to type requiring
420 * non-default domain parameters, since this function can't
421 * report errors. */
422 (void) psa_set_key_domain_parameters(attributes, type, NULL, 0);
423 }
424 }
425
psa_get_key_type(const psa_key_attributes_t * attributes)426 static inline psa_key_type_t psa_get_key_type(
427 const psa_key_attributes_t *attributes)
428 {
429 return attributes->core.type;
430 }
431
psa_set_key_bits(psa_key_attributes_t * attributes,size_t bits)432 static inline void psa_set_key_bits(psa_key_attributes_t *attributes,
433 size_t bits)
434 {
435 if (bits > PSA_MAX_KEY_BITS) {
436 attributes->core.bits = PSA_KEY_BITS_TOO_LARGE;
437 } else {
438 attributes->core.bits = (psa_key_bits_t) bits;
439 }
440 }
441
psa_get_key_bits(const psa_key_attributes_t * attributes)442 static inline size_t psa_get_key_bits(
443 const psa_key_attributes_t *attributes)
444 {
445 return attributes->core.bits;
446 }
447
448 #ifdef __cplusplus
449 }
450 #endif
451
452 #endif /* PSA_CRYPTO_STRUCT_H */
453