1 /*
2 * PSA MAC layer on top of Mbed TLS software crypto
3 */
4 /*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7 */
8
9 #include "common.h"
10
11 #if defined(MBEDTLS_PSA_CRYPTO_C)
12
13 #include <psa/crypto.h>
14 #include "psa_crypto_core.h"
15 #include "psa_crypto_cipher.h"
16 #include "psa_crypto_mac.h"
17 #include <mbedtls/md.h>
18
19 #include <mbedtls/error.h>
20 #include <string.h>
21
22 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
psa_hmac_abort_internal(mbedtls_psa_hmac_operation_t * hmac)23 static psa_status_t psa_hmac_abort_internal(
24 mbedtls_psa_hmac_operation_t *hmac)
25 {
26 mbedtls_platform_zeroize(hmac->opad, sizeof(hmac->opad));
27 return psa_hash_abort(&hmac->hash_ctx);
28 }
29
psa_hmac_setup_internal(mbedtls_psa_hmac_operation_t * hmac,const uint8_t * key,size_t key_length,psa_algorithm_t hash_alg)30 static psa_status_t psa_hmac_setup_internal(
31 mbedtls_psa_hmac_operation_t *hmac,
32 const uint8_t *key,
33 size_t key_length,
34 psa_algorithm_t hash_alg)
35 {
36 uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
37 size_t i;
38 size_t hash_size = PSA_HASH_LENGTH(hash_alg);
39 size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg);
40 psa_status_t status;
41
42 hmac->alg = hash_alg;
43
44 /* Sanity checks on block_size, to guarantee that there won't be a buffer
45 * overflow below. This should never trigger if the hash algorithm
46 * is implemented correctly. */
47 /* The size checks against the ipad and opad buffers cannot be written
48 * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
49 * because that triggers -Wlogical-op on GCC 7.3. */
50 if (block_size > sizeof(ipad)) {
51 return PSA_ERROR_NOT_SUPPORTED;
52 }
53 if (block_size > sizeof(hmac->opad)) {
54 return PSA_ERROR_NOT_SUPPORTED;
55 }
56 if (block_size < hash_size) {
57 return PSA_ERROR_NOT_SUPPORTED;
58 }
59
60 if (key_length > block_size) {
61 status = psa_hash_compute(hash_alg, key, key_length,
62 ipad, sizeof(ipad), &key_length);
63 if (status != PSA_SUCCESS) {
64 goto cleanup;
65 }
66 }
67 /* A 0-length key is not commonly used in HMAC when used as a MAC,
68 * but it is permitted. It is common when HMAC is used in HKDF, for
69 * example. Don't call `memcpy` in the 0-length because `key` could be
70 * an invalid pointer which would make the behavior undefined. */
71 else if (key_length != 0) {
72 memcpy(ipad, key, key_length);
73 }
74
75 /* ipad contains the key followed by garbage. Xor and fill with 0x36
76 * to create the ipad value. */
77 for (i = 0; i < key_length; i++) {
78 ipad[i] ^= 0x36;
79 }
80 memset(ipad + key_length, 0x36, block_size - key_length);
81
82 /* Copy the key material from ipad to opad, flipping the requisite bits,
83 * and filling the rest of opad with the requisite constant. */
84 for (i = 0; i < key_length; i++) {
85 hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
86 }
87 memset(hmac->opad + key_length, 0x5C, block_size - key_length);
88
89 status = psa_hash_setup(&hmac->hash_ctx, hash_alg);
90 if (status != PSA_SUCCESS) {
91 goto cleanup;
92 }
93
94 status = psa_hash_update(&hmac->hash_ctx, ipad, block_size);
95
96 cleanup:
97 mbedtls_platform_zeroize(ipad, sizeof(ipad));
98
99 return status;
100 }
101
psa_hmac_update_internal(mbedtls_psa_hmac_operation_t * hmac,const uint8_t * data,size_t data_length)102 static psa_status_t psa_hmac_update_internal(
103 mbedtls_psa_hmac_operation_t *hmac,
104 const uint8_t *data,
105 size_t data_length)
106 {
107 return psa_hash_update(&hmac->hash_ctx, data, data_length);
108 }
109
psa_hmac_finish_internal(mbedtls_psa_hmac_operation_t * hmac,uint8_t * mac,size_t mac_size)110 static psa_status_t psa_hmac_finish_internal(
111 mbedtls_psa_hmac_operation_t *hmac,
112 uint8_t *mac,
113 size_t mac_size)
114 {
115 uint8_t tmp[PSA_HASH_MAX_SIZE];
116 psa_algorithm_t hash_alg = hmac->alg;
117 size_t hash_size = 0;
118 size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg);
119 psa_status_t status;
120
121 status = psa_hash_finish(&hmac->hash_ctx, tmp, sizeof(tmp), &hash_size);
122 if (status != PSA_SUCCESS) {
123 return status;
124 }
125 /* From here on, tmp needs to be wiped. */
126
127 status = psa_hash_setup(&hmac->hash_ctx, hash_alg);
128 if (status != PSA_SUCCESS) {
129 goto exit;
130 }
131
132 status = psa_hash_update(&hmac->hash_ctx, hmac->opad, block_size);
133 if (status != PSA_SUCCESS) {
134 goto exit;
135 }
136
137 status = psa_hash_update(&hmac->hash_ctx, tmp, hash_size);
138 if (status != PSA_SUCCESS) {
139 goto exit;
140 }
141
142 status = psa_hash_finish(&hmac->hash_ctx, tmp, sizeof(tmp), &hash_size);
143 if (status != PSA_SUCCESS) {
144 goto exit;
145 }
146
147 memcpy(mac, tmp, mac_size);
148
149 exit:
150 mbedtls_platform_zeroize(tmp, hash_size);
151 return status;
152 }
153 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
154
155 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
cmac_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer)156 static psa_status_t cmac_setup(mbedtls_psa_mac_operation_t *operation,
157 const psa_key_attributes_t *attributes,
158 const uint8_t *key_buffer)
159 {
160 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
161
162 #if defined(PSA_WANT_KEY_TYPE_DES)
163 /* Mbed TLS CMAC does not accept 3DES with only two keys, nor does it accept
164 * to do CMAC with pure DES, so return NOT_SUPPORTED here. */
165 if (psa_get_key_type(attributes) == PSA_KEY_TYPE_DES &&
166 (psa_get_key_bits(attributes) == 64 ||
167 psa_get_key_bits(attributes) == 128)) {
168 return PSA_ERROR_NOT_SUPPORTED;
169 }
170 #endif
171
172 const mbedtls_cipher_info_t *cipher_info =
173 mbedtls_cipher_info_from_psa(
174 PSA_ALG_CMAC,
175 psa_get_key_type(attributes),
176 psa_get_key_bits(attributes),
177 NULL);
178
179 if (cipher_info == NULL) {
180 return PSA_ERROR_NOT_SUPPORTED;
181 }
182
183 ret = mbedtls_cipher_setup(&operation->ctx.cmac, cipher_info);
184 if (ret != 0) {
185 goto exit;
186 }
187
188 ret = mbedtls_cipher_cmac_starts(&operation->ctx.cmac,
189 key_buffer,
190 psa_get_key_bits(attributes));
191 exit:
192 return mbedtls_to_psa_error(ret);
193 }
194 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
195
196 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \
197 defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
198
199 /* Initialize this driver's MAC operation structure. Once this function has been
200 * called, mbedtls_psa_mac_abort can run and will do the right thing. */
mac_init(mbedtls_psa_mac_operation_t * operation,psa_algorithm_t alg)201 static psa_status_t mac_init(
202 mbedtls_psa_mac_operation_t *operation,
203 psa_algorithm_t alg)
204 {
205 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
206
207 operation->alg = alg;
208
209 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
210 if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
211 mbedtls_cipher_init(&operation->ctx.cmac);
212 status = PSA_SUCCESS;
213 } else
214 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
215 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
216 if (PSA_ALG_IS_HMAC(operation->alg)) {
217 /* We'll set up the hash operation later in psa_hmac_setup_internal. */
218 operation->ctx.hmac.alg = 0;
219 status = PSA_SUCCESS;
220 } else
221 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
222 {
223 (void) operation;
224 status = PSA_ERROR_NOT_SUPPORTED;
225 }
226
227 if (status != PSA_SUCCESS) {
228 memset(operation, 0, sizeof(*operation));
229 }
230 return status;
231 }
232
mbedtls_psa_mac_abort(mbedtls_psa_mac_operation_t * operation)233 psa_status_t mbedtls_psa_mac_abort(mbedtls_psa_mac_operation_t *operation)
234 {
235 if (operation->alg == 0) {
236 /* The object has (apparently) been initialized but it is not
237 * in use. It's ok to call abort on such an object, and there's
238 * nothing to do. */
239 return PSA_SUCCESS;
240 } else
241 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
242 if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
243 mbedtls_cipher_free(&operation->ctx.cmac);
244 } else
245 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
246 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
247 if (PSA_ALG_IS_HMAC(operation->alg)) {
248 psa_hmac_abort_internal(&operation->ctx.hmac);
249 } else
250 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
251 {
252 /* Sanity check (shouldn't happen: operation->alg should
253 * always have been initialized to a valid value). */
254 goto bad_state;
255 }
256
257 operation->alg = 0;
258
259 return PSA_SUCCESS;
260
261 bad_state:
262 /* If abort is called on an uninitialized object, we can't trust
263 * anything. Wipe the object in case it contains confidential data.
264 * This may result in a memory leak if a pointer gets overwritten,
265 * but it's too late to do anything about this. */
266 memset(operation, 0, sizeof(*operation));
267 return PSA_ERROR_BAD_STATE;
268 }
269
psa_mac_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)270 static psa_status_t psa_mac_setup(mbedtls_psa_mac_operation_t *operation,
271 const psa_key_attributes_t *attributes,
272 const uint8_t *key_buffer,
273 size_t key_buffer_size,
274 psa_algorithm_t alg)
275 {
276 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
277
278 /* A context must be freshly initialized before it can be set up. */
279 if (operation->alg != 0) {
280 return PSA_ERROR_BAD_STATE;
281 }
282
283 status = mac_init(operation, alg);
284 if (status != PSA_SUCCESS) {
285 return status;
286 }
287
288 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
289 if (PSA_ALG_FULL_LENGTH_MAC(alg) == PSA_ALG_CMAC) {
290 /* Key buffer size for CMAC is dictated by the key bits set on the
291 * attributes, and previously validated by the core on key import. */
292 (void) key_buffer_size;
293 status = cmac_setup(operation, attributes, key_buffer);
294 } else
295 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
296 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
297 if (PSA_ALG_IS_HMAC(alg)) {
298 status = psa_hmac_setup_internal(&operation->ctx.hmac,
299 key_buffer,
300 key_buffer_size,
301 PSA_ALG_HMAC_GET_HASH(alg));
302 } else
303 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
304 {
305 (void) attributes;
306 (void) key_buffer;
307 (void) key_buffer_size;
308 status = PSA_ERROR_NOT_SUPPORTED;
309 }
310
311 if (status != PSA_SUCCESS) {
312 mbedtls_psa_mac_abort(operation);
313 }
314
315 return status;
316 }
317
mbedtls_psa_mac_sign_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)318 psa_status_t mbedtls_psa_mac_sign_setup(
319 mbedtls_psa_mac_operation_t *operation,
320 const psa_key_attributes_t *attributes,
321 const uint8_t *key_buffer,
322 size_t key_buffer_size,
323 psa_algorithm_t alg)
324 {
325 return psa_mac_setup(operation, attributes,
326 key_buffer, key_buffer_size, alg);
327 }
328
mbedtls_psa_mac_verify_setup(mbedtls_psa_mac_operation_t * operation,const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg)329 psa_status_t mbedtls_psa_mac_verify_setup(
330 mbedtls_psa_mac_operation_t *operation,
331 const psa_key_attributes_t *attributes,
332 const uint8_t *key_buffer,
333 size_t key_buffer_size,
334 psa_algorithm_t alg)
335 {
336 return psa_mac_setup(operation, attributes,
337 key_buffer, key_buffer_size, alg);
338 }
339
mbedtls_psa_mac_update(mbedtls_psa_mac_operation_t * operation,const uint8_t * input,size_t input_length)340 psa_status_t mbedtls_psa_mac_update(
341 mbedtls_psa_mac_operation_t *operation,
342 const uint8_t *input,
343 size_t input_length)
344 {
345 if (operation->alg == 0) {
346 return PSA_ERROR_BAD_STATE;
347 }
348
349 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
350 if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
351 return mbedtls_to_psa_error(
352 mbedtls_cipher_cmac_update(&operation->ctx.cmac,
353 input, input_length));
354 } else
355 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
356 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
357 if (PSA_ALG_IS_HMAC(operation->alg)) {
358 return psa_hmac_update_internal(&operation->ctx.hmac,
359 input, input_length);
360 } else
361 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
362 {
363 /* This shouldn't happen if `operation` was initialized by
364 * a setup function. */
365 (void) input;
366 (void) input_length;
367 return PSA_ERROR_BAD_STATE;
368 }
369 }
370
psa_mac_finish_internal(mbedtls_psa_mac_operation_t * operation,uint8_t * mac,size_t mac_size)371 static psa_status_t psa_mac_finish_internal(
372 mbedtls_psa_mac_operation_t *operation,
373 uint8_t *mac, size_t mac_size)
374 {
375 #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
376 if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
377 uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE];
378 int ret = mbedtls_cipher_cmac_finish(&operation->ctx.cmac, tmp);
379 if (ret == 0) {
380 memcpy(mac, tmp, mac_size);
381 }
382 mbedtls_platform_zeroize(tmp, sizeof(tmp));
383 return mbedtls_to_psa_error(ret);
384 } else
385 #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
386 #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
387 if (PSA_ALG_IS_HMAC(operation->alg)) {
388 return psa_hmac_finish_internal(&operation->ctx.hmac,
389 mac, mac_size);
390 } else
391 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
392 {
393 /* This shouldn't happen if `operation` was initialized by
394 * a setup function. */
395 (void) operation;
396 (void) mac;
397 (void) mac_size;
398 return PSA_ERROR_BAD_STATE;
399 }
400 }
401
mbedtls_psa_mac_sign_finish(mbedtls_psa_mac_operation_t * operation,uint8_t * mac,size_t mac_size,size_t * mac_length)402 psa_status_t mbedtls_psa_mac_sign_finish(
403 mbedtls_psa_mac_operation_t *operation,
404 uint8_t *mac,
405 size_t mac_size,
406 size_t *mac_length)
407 {
408 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
409
410 if (operation->alg == 0) {
411 return PSA_ERROR_BAD_STATE;
412 }
413
414 status = psa_mac_finish_internal(operation, mac, mac_size);
415 if (status == PSA_SUCCESS) {
416 *mac_length = mac_size;
417 }
418
419 return status;
420 }
421
mbedtls_psa_mac_verify_finish(mbedtls_psa_mac_operation_t * operation,const uint8_t * mac,size_t mac_length)422 psa_status_t mbedtls_psa_mac_verify_finish(
423 mbedtls_psa_mac_operation_t *operation,
424 const uint8_t *mac,
425 size_t mac_length)
426 {
427 uint8_t actual_mac[PSA_MAC_MAX_SIZE];
428 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
429
430 if (operation->alg == 0) {
431 return PSA_ERROR_BAD_STATE;
432 }
433
434 /* Consistency check: requested MAC length fits our local buffer */
435 if (mac_length > sizeof(actual_mac)) {
436 return PSA_ERROR_INVALID_ARGUMENT;
437 }
438
439 status = psa_mac_finish_internal(operation, actual_mac, mac_length);
440 if (status != PSA_SUCCESS) {
441 goto cleanup;
442 }
443
444 if (mbedtls_psa_safer_memcmp(mac, actual_mac, mac_length) != 0) {
445 status = PSA_ERROR_INVALID_SIGNATURE;
446 }
447
448 cleanup:
449 mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
450
451 return status;
452 }
453
mbedtls_psa_mac_compute(const psa_key_attributes_t * attributes,const uint8_t * key_buffer,size_t key_buffer_size,psa_algorithm_t alg,const uint8_t * input,size_t input_length,uint8_t * mac,size_t mac_size,size_t * mac_length)454 psa_status_t mbedtls_psa_mac_compute(
455 const psa_key_attributes_t *attributes,
456 const uint8_t *key_buffer,
457 size_t key_buffer_size,
458 psa_algorithm_t alg,
459 const uint8_t *input,
460 size_t input_length,
461 uint8_t *mac,
462 size_t mac_size,
463 size_t *mac_length)
464 {
465 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
466 mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT;
467
468 status = psa_mac_setup(&operation,
469 attributes, key_buffer, key_buffer_size,
470 alg);
471 if (status != PSA_SUCCESS) {
472 goto exit;
473 }
474
475 if (input_length > 0) {
476 status = mbedtls_psa_mac_update(&operation, input, input_length);
477 if (status != PSA_SUCCESS) {
478 goto exit;
479 }
480 }
481
482 status = psa_mac_finish_internal(&operation, mac, mac_size);
483 if (status == PSA_SUCCESS) {
484 *mac_length = mac_size;
485 }
486
487 exit:
488 mbedtls_psa_mac_abort(&operation);
489
490 return status;
491 }
492
493 #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_CMAC */
494
495 #endif /* MBEDTLS_PSA_CRYPTO_C */
496