Gitiles
Code Review Sign In
git01.mediatek.com / filogic / uboot / 0344c602eadc0802776b65ff90f0a02c856cf53c / . / library / psa_crypto.c
blob: 969c695ac09c25ccfed44d7b02472b48eb942ae8 [file] [log] [blame]
Tom Rini0344c602024-10-08 13:56:50 -0600[diff] [blame^]1/*
2 * PSA crypto layer on top of Mbed TLS crypto
3 */
4/*
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7 */
8
9#include "common.h"
10#include "psa_crypto_core_common.h"
11
12#if defined(MBEDTLS_PSA_CRYPTO_C)
13
14#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
15#include "check_crypto_config.h"
16#endif
17
18#include "psa/crypto.h"
19#include "psa/crypto_values.h"
20
21#include "psa_crypto_cipher.h"
22#include "psa_crypto_core.h"
23#include "psa_crypto_invasive.h"
24#include "psa_crypto_driver_wrappers.h"
25#include "psa_crypto_driver_wrappers_no_static.h"
26#include "psa_crypto_ecp.h"
27#include "psa_crypto_ffdh.h"
28#include "psa_crypto_hash.h"
29#include "psa_crypto_mac.h"
30#include "psa_crypto_rsa.h"
31#include "psa_crypto_ecp.h"
32#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
33#include "psa_crypto_se.h"
34#endif
35#include "psa_crypto_slot_management.h"
36/* Include internal declarations that are useful for implementing persistently
37 * stored keys. */
38#include "psa_crypto_storage.h"
39
40#include "psa_crypto_random_impl.h"
41
42#include <stdlib.h>
43#include <string.h>
44#include "mbedtls/platform.h"
45
46#include "mbedtls/aes.h"
47#include "mbedtls/asn1.h"
48#include "mbedtls/asn1write.h"
49#include "mbedtls/bignum.h"
50#include "mbedtls/camellia.h"
51#include "mbedtls/chacha20.h"
52#include "mbedtls/chachapoly.h"
53#include "mbedtls/cipher.h"
54#include "mbedtls/ccm.h"
55#include "mbedtls/cmac.h"
56#include "mbedtls/constant_time.h"
57#include "mbedtls/des.h"
58#include "mbedtls/ecdh.h"
59#include "mbedtls/ecp.h"
60#include "mbedtls/entropy.h"
61#include "mbedtls/error.h"
62#include "mbedtls/gcm.h"
63#include "mbedtls/md5.h"
64#include "mbedtls/pk.h"
65#include "pk_wrap.h"
66#include "mbedtls/platform_util.h"
67#include "mbedtls/error.h"
68#include "mbedtls/ripemd160.h"
69#include "mbedtls/rsa.h"
70#include "mbedtls/sha1.h"
71#include "mbedtls/sha256.h"
72#include "mbedtls/sha512.h"
73#include "mbedtls/psa_util.h"
74#include "mbedtls/threading.h"
75
76#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
77 defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
78 defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
79#define BUILTIN_ALG_ANY_HKDF 1
80#endif
81
82/****************************************************************/
83/* Global data, support functions and library management */
84/****************************************************************/
85
86static int key_type_is_raw_bytes(psa_key_type_t type)
87{
88 return PSA_KEY_TYPE_IS_UNSTRUCTURED(type);
89}
90
91/* Values for psa_global_data_t::rng_state */
92#define RNG_NOT_INITIALIZED 0
93#define RNG_INITIALIZED 1
94#define RNG_SEEDED 2
95
96/* IDs for PSA crypto subsystems. Starts at 1 to catch potential uninitialized
97 * variables as arguments. */
98typedef enum {
99 PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS = 1,
100 PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS,
101 PSA_CRYPTO_SUBSYSTEM_RNG,
102 PSA_CRYPTO_SUBSYSTEM_TRANSACTION,
103} mbedtls_psa_crypto_subsystem;
104
105/* Initialization flags for global_data::initialized */
106#define PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED 0x01
107#define PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED 0x02
108#define PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED 0x04
109
110#define PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED ( \
111 PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED | \
112 PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED | \
113 PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)
114
115typedef struct {
116 uint8_t initialized;
117 uint8_t rng_state;
118 mbedtls_psa_random_context_t rng;
119} psa_global_data_t;
120
121static psa_global_data_t global_data;
122
123static uint8_t psa_get_initialized(void)
124{
125 uint8_t initialized;
126
127#if defined(MBEDTLS_THREADING_C)
128 mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
129#endif /* defined(MBEDTLS_THREADING_C) */
130
131 initialized = global_data.rng_state == RNG_SEEDED;
132
133#if defined(MBEDTLS_THREADING_C)
134 mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
135#endif /* defined(MBEDTLS_THREADING_C) */
136
137#if defined(MBEDTLS_THREADING_C)
138 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
139#endif /* defined(MBEDTLS_THREADING_C) */
140
141 initialized =
142 (initialized && (global_data.initialized == PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED));
143
144#if defined(MBEDTLS_THREADING_C)
145 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
146#endif /* defined(MBEDTLS_THREADING_C) */
147
148 return initialized;
149}
150
151static uint8_t psa_get_drivers_initialized(void)
152{
153 uint8_t initialized;
154
155#if defined(MBEDTLS_THREADING_C)
156 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
157#endif /* defined(MBEDTLS_THREADING_C) */
158
159 initialized = (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) != 0;
160
161#if defined(MBEDTLS_THREADING_C)
162 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
163#endif /* defined(MBEDTLS_THREADING_C) */
164
165 return initialized;
166}
167
168#define GUARD_MODULE_INITIALIZED \
169 if (psa_get_initialized() == 0) \
170 return PSA_ERROR_BAD_STATE;
171
172#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
173
174/* Declare a local copy of an input buffer and a variable that will be used
175 * to store a pointer to the start of the buffer.
176 *
177 * Note: This macro must be called before any operations which may jump to
178 * the exit label, so that the local input copy object is safe to be freed.
179 *
180 * Assumptions:
181 * - input is the name of a pointer to the buffer to be copied
182 * - The name LOCAL_INPUT_COPY_OF_input is unused in the current scope
183 * - input_copy_name is a name that is unused in the current scope
184 */
185#define LOCAL_INPUT_DECLARE(input, input_copy_name) \
186 psa_crypto_local_input_t LOCAL_INPUT_COPY_OF_##input = PSA_CRYPTO_LOCAL_INPUT_INIT; \
187 const uint8_t *input_copy_name = NULL;
188
189/* Allocate a copy of the buffer input and set the pointer input_copy to
190 * point to the start of the copy.
191 *
192 * Assumptions:
193 * - psa_status_t status exists
194 * - An exit label is declared
195 * - input is the name of a pointer to the buffer to be copied
196 * - LOCAL_INPUT_DECLARE(input, input_copy) has previously been called
197 */
198#define LOCAL_INPUT_ALLOC(input, length, input_copy) \
199 status = psa_crypto_local_input_alloc(input, length, \
200 &LOCAL_INPUT_COPY_OF_##input); \
201 if (status != PSA_SUCCESS) { \
202 goto exit; \
203 } \
204 input_copy = LOCAL_INPUT_COPY_OF_##input.buffer;
205
206/* Free the local input copy allocated previously by LOCAL_INPUT_ALLOC()
207 *
208 * Assumptions:
209 * - input_copy is the name of the input copy pointer set by LOCAL_INPUT_ALLOC()
210 * - input is the name of the original buffer that was copied
211 */
212#define LOCAL_INPUT_FREE(input, input_copy) \
213 input_copy = NULL; \
214 psa_crypto_local_input_free(&LOCAL_INPUT_COPY_OF_##input);
215
216/* Declare a local copy of an output buffer and a variable that will be used
217 * to store a pointer to the start of the buffer.
218 *
219 * Note: This macro must be called before any operations which may jump to
220 * the exit label, so that the local output copy object is safe to be freed.
221 *
222 * Assumptions:
223 * - output is the name of a pointer to the buffer to be copied
224 * - The name LOCAL_OUTPUT_COPY_OF_output is unused in the current scope
225 * - output_copy_name is a name that is unused in the current scope
226 */
227#define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \
228 psa_crypto_local_output_t LOCAL_OUTPUT_COPY_OF_##output = PSA_CRYPTO_LOCAL_OUTPUT_INIT; \
229 uint8_t *output_copy_name = NULL;
230
231/* Allocate a copy of the buffer output and set the pointer output_copy to
232 * point to the start of the copy.
233 *
234 * Assumptions:
235 * - psa_status_t status exists
236 * - An exit label is declared
237 * - output is the name of a pointer to the buffer to be copied
238 * - LOCAL_OUTPUT_DECLARE(output, output_copy) has previously been called
239 */
240#define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \
241 status = psa_crypto_local_output_alloc(output, length, \
242 &LOCAL_OUTPUT_COPY_OF_##output); \
243 if (status != PSA_SUCCESS) { \
244 goto exit; \
245 } \
246 output_copy = LOCAL_OUTPUT_COPY_OF_##output.buffer;
247
248/* Free the local output copy allocated previously by LOCAL_OUTPUT_ALLOC()
249 * after first copying back its contents to the original buffer.
250 *
251 * Assumptions:
252 * - psa_status_t status exists
253 * - output_copy is the name of the output copy pointer set by LOCAL_OUTPUT_ALLOC()
254 * - output is the name of the original buffer that was copied
255 */
256#define LOCAL_OUTPUT_FREE(output, output_copy) \
257 output_copy = NULL; \
258 do { \
259 psa_status_t local_output_status; \
260 local_output_status = psa_crypto_local_output_free(&LOCAL_OUTPUT_COPY_OF_##output); \
261 if (local_output_status != PSA_SUCCESS) { \
262 /* Since this error case is an internal error, it's more serious than \
263 * any existing error code and so it's fine to overwrite the existing \
264 * status. */ \
265 status = local_output_status; \
266 } \
267 } while (0)
268#else /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
269#define LOCAL_INPUT_DECLARE(input, input_copy_name) \
270 const uint8_t *input_copy_name = NULL;
271#define LOCAL_INPUT_ALLOC(input, length, input_copy) \
272 input_copy = input;
273#define LOCAL_INPUT_FREE(input, input_copy) \
274 input_copy = NULL;
275#define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \
276 uint8_t *output_copy_name = NULL;
277#define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \
278 output_copy = output;
279#define LOCAL_OUTPUT_FREE(output, output_copy) \
280 output_copy = NULL;
281#endif /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
282
283
284int psa_can_do_hash(psa_algorithm_t hash_alg)
285{
286 (void) hash_alg;
287 return psa_get_drivers_initialized();
288}
289
290int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg)
291{
292 (void) key_type;
293 (void) cipher_alg;
294 return psa_get_drivers_initialized();
295}
296
297
298#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
299 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
300 defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
301static int psa_is_dh_key_size_valid(size_t bits)
302{
303 switch (bits) {
304#if defined(PSA_WANT_DH_RFC7919_2048)
305 case 2048:
306 return 1;
307#endif /* PSA_WANT_DH_RFC7919_2048 */
308#if defined(PSA_WANT_DH_RFC7919_3072)
309 case 3072:
310 return 1;
311#endif /* PSA_WANT_DH_RFC7919_3072 */
312#if defined(PSA_WANT_DH_RFC7919_4096)
313 case 4096:
314 return 1;
315#endif /* PSA_WANT_DH_RFC7919_4096 */
316#if defined(PSA_WANT_DH_RFC7919_6144)
317 case 6144:
318 return 1;
319#endif /* PSA_WANT_DH_RFC7919_6144 */
320#if defined(PSA_WANT_DH_RFC7919_8192)
321 case 8192:
322 return 1;
323#endif /* PSA_WANT_DH_RFC7919_8192 */
324 default:
325 return 0;
326 }
327}
328#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT ||
329 MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
330 PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
331
332psa_status_t mbedtls_to_psa_error(int ret)
333{
334 /* Mbed TLS error codes can combine a high-level error code and a
335 * low-level error code. The low-level error usually reflects the
336 * root cause better, so dispatch on that preferably. */
337 int low_level_ret = -(-ret & 0x007f);
338 switch (low_level_ret != 0 ? low_level_ret : ret) {
339 case 0:
340 return PSA_SUCCESS;
341
342#if defined(MBEDTLS_AES_C)
343 case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
344 case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
345 return PSA_ERROR_NOT_SUPPORTED;
346 case MBEDTLS_ERR_AES_BAD_INPUT_DATA:
347 return PSA_ERROR_INVALID_ARGUMENT;
348#endif
349
350#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_ASN1_WRITE_C)
351 case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
352 case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
353 case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
354 case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH:
355 case MBEDTLS_ERR_ASN1_INVALID_DATA:
356 return PSA_ERROR_INVALID_ARGUMENT;
357 case MBEDTLS_ERR_ASN1_ALLOC_FAILED:
358 return PSA_ERROR_INSUFFICIENT_MEMORY;
359 case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
360 return PSA_ERROR_BUFFER_TOO_SMALL;
361#endif
362
363#if defined(MBEDTLS_CAMELLIA_C)
364 case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
365 case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
366 return PSA_ERROR_NOT_SUPPORTED;
367#endif
368
369#if defined(MBEDTLS_CCM_C)
370 case MBEDTLS_ERR_CCM_BAD_INPUT:
371 return PSA_ERROR_INVALID_ARGUMENT;
372 case MBEDTLS_ERR_CCM_AUTH_FAILED:
373 return PSA_ERROR_INVALID_SIGNATURE;
374#endif
375
376#if defined(MBEDTLS_CHACHA20_C)
377 case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
378 return PSA_ERROR_INVALID_ARGUMENT;
379#endif
380
381#if defined(MBEDTLS_CHACHAPOLY_C)
382 case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
383 return PSA_ERROR_BAD_STATE;
384 case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
385 return PSA_ERROR_INVALID_SIGNATURE;
386#endif
387
388#if defined(MBEDTLS_CIPHER_C)
389 case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
390 return PSA_ERROR_NOT_SUPPORTED;
391 case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
392 return PSA_ERROR_INVALID_ARGUMENT;
393 case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
394 return PSA_ERROR_INSUFFICIENT_MEMORY;
395 case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
396 return PSA_ERROR_INVALID_PADDING;
397 case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
398 return PSA_ERROR_INVALID_ARGUMENT;
399 case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
400 return PSA_ERROR_INVALID_SIGNATURE;
401 case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
402 return PSA_ERROR_CORRUPTION_DETECTED;
403#endif
404
405#if !(defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \
406 defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE))
407 /* Only check CTR_DRBG error codes if underlying mbedtls_xxx
408 * functions are passed a CTR_DRBG instance. */
409 case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
410 return PSA_ERROR_INSUFFICIENT_ENTROPY;
411 case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
412 case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
413 return PSA_ERROR_NOT_SUPPORTED;
414 case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
415 return PSA_ERROR_INSUFFICIENT_ENTROPY;
416#endif
417
418#if defined(MBEDTLS_DES_C)
419 case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
420 return PSA_ERROR_NOT_SUPPORTED;
421#endif
422
423 case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
424 case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
425 case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
426 return PSA_ERROR_INSUFFICIENT_ENTROPY;
427
428#if defined(MBEDTLS_GCM_C)
429 case MBEDTLS_ERR_GCM_AUTH_FAILED:
430 return PSA_ERROR_INVALID_SIGNATURE;
431 case MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL:
432 return PSA_ERROR_BUFFER_TOO_SMALL;
433 case MBEDTLS_ERR_GCM_BAD_INPUT:
434 return PSA_ERROR_INVALID_ARGUMENT;
435#endif
436
437#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
438 defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
439 /* Only check HMAC_DRBG error codes if underlying mbedtls_xxx
440 * functions are passed a HMAC_DRBG instance. */
441 case MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED:
442 return PSA_ERROR_INSUFFICIENT_ENTROPY;
443 case MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG:
444 case MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG:
445 return PSA_ERROR_NOT_SUPPORTED;
446 case MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR:
447 return PSA_ERROR_INSUFFICIENT_ENTROPY;
448#endif
449
450#if defined(MBEDTLS_MD_LIGHT)
451 case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
452 return PSA_ERROR_NOT_SUPPORTED;
453 case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
454 return PSA_ERROR_INVALID_ARGUMENT;
455 case MBEDTLS_ERR_MD_ALLOC_FAILED:
456 return PSA_ERROR_INSUFFICIENT_MEMORY;
457#if defined(MBEDTLS_FS_IO)
458 case MBEDTLS_ERR_MD_FILE_IO_ERROR:
459 return PSA_ERROR_STORAGE_FAILURE;
460#endif
461#endif
462
463#if defined(MBEDTLS_BIGNUM_C)
464#if defined(MBEDTLS_FS_IO)
465 case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
466 return PSA_ERROR_STORAGE_FAILURE;
467#endif
468 case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
469 return PSA_ERROR_INVALID_ARGUMENT;
470 case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
471 return PSA_ERROR_INVALID_ARGUMENT;
472 case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
473 return PSA_ERROR_BUFFER_TOO_SMALL;
474 case MBEDTLS_ERR_MPI_NEGATIVE_VALUE:
475 return PSA_ERROR_INVALID_ARGUMENT;
476 case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO:
477 return PSA_ERROR_INVALID_ARGUMENT;
478 case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
479 return PSA_ERROR_INVALID_ARGUMENT;
480 case MBEDTLS_ERR_MPI_ALLOC_FAILED:
481 return PSA_ERROR_INSUFFICIENT_MEMORY;
482#endif
483
484#if defined(MBEDTLS_PK_C)
485 case MBEDTLS_ERR_PK_ALLOC_FAILED:
486 return PSA_ERROR_INSUFFICIENT_MEMORY;
487 case MBEDTLS_ERR_PK_TYPE_MISMATCH:
488 case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
489 return PSA_ERROR_INVALID_ARGUMENT;
490#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || defined(MBEDTLS_FS_IO) || \
491 defined(MBEDTLS_PSA_ITS_FILE_C)
492 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
493 return PSA_ERROR_STORAGE_FAILURE;
494#endif
495 case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
496 case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
497 return PSA_ERROR_INVALID_ARGUMENT;
498 case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
499 return PSA_ERROR_NOT_SUPPORTED;
500 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
501 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
502 return PSA_ERROR_NOT_PERMITTED;
503 case MBEDTLS_ERR_PK_INVALID_PUBKEY:
504 return PSA_ERROR_INVALID_ARGUMENT;
505 case MBEDTLS_ERR_PK_INVALID_ALG:
506 case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
507 case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
508 return PSA_ERROR_NOT_SUPPORTED;
509 case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
510 return PSA_ERROR_INVALID_SIGNATURE;
511 case MBEDTLS_ERR_PK_BUFFER_TOO_SMALL:
512 return PSA_ERROR_BUFFER_TOO_SMALL;
513#endif
514
515 case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED:
516 return PSA_ERROR_HARDWARE_FAILURE;
517 case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
518 return PSA_ERROR_NOT_SUPPORTED;
519
520#if defined(MBEDTLS_RSA_C)
521 case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
522 return PSA_ERROR_INVALID_ARGUMENT;
523 case MBEDTLS_ERR_RSA_INVALID_PADDING:
524 return PSA_ERROR_INVALID_PADDING;
525 case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
526 return PSA_ERROR_HARDWARE_FAILURE;
527 case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
528 return PSA_ERROR_INVALID_ARGUMENT;
529 case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
530 case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
531 return PSA_ERROR_CORRUPTION_DETECTED;
532 case MBEDTLS_ERR_RSA_VERIFY_FAILED:
533 return PSA_ERROR_INVALID_SIGNATURE;
534 case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
535 return PSA_ERROR_BUFFER_TOO_SMALL;
536 case MBEDTLS_ERR_RSA_RNG_FAILED:
537 return PSA_ERROR_INSUFFICIENT_ENTROPY;
538#endif
539
540#if defined(MBEDTLS_ECP_LIGHT)
541 case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
542 case MBEDTLS_ERR_ECP_INVALID_KEY:
543 return PSA_ERROR_INVALID_ARGUMENT;
544 case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
545 return PSA_ERROR_BUFFER_TOO_SMALL;
546 case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
547 return PSA_ERROR_NOT_SUPPORTED;
548 case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
549 case MBEDTLS_ERR_ECP_VERIFY_FAILED:
550 return PSA_ERROR_INVALID_SIGNATURE;
551 case MBEDTLS_ERR_ECP_ALLOC_FAILED:
552 return PSA_ERROR_INSUFFICIENT_MEMORY;
553 case MBEDTLS_ERR_ECP_RANDOM_FAILED:
554 return PSA_ERROR_INSUFFICIENT_ENTROPY;
555
556#if defined(MBEDTLS_ECP_RESTARTABLE)
557 case MBEDTLS_ERR_ECP_IN_PROGRESS:
558 return PSA_OPERATION_INCOMPLETE;
559#endif
560#endif
561
562 case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
563 return PSA_ERROR_CORRUPTION_DETECTED;
564
565 default:
566 return PSA_ERROR_GENERIC_ERROR;
567 }
568}
569
570/**
571 * \brief For output buffers which contain "tags"
572 * (outputs that may be checked for validity like
573 * hashes, MACs and signatures), fill the unused
574 * part of the output buffer (the whole buffer on
575 * error, the trailing part on success) with
576 * something that isn't a valid tag (barring an
577 * attack on the tag and deliberately-crafted
578 * input), in case the caller doesn't check the
579 * return status properly.
580 *
581 * \param output_buffer Pointer to buffer to wipe. May not be NULL
582 * unless \p output_buffer_size is zero.
583 * \param status Status of function called to generate
584 * output_buffer originally
585 * \param output_buffer_size Size of output buffer. If zero, \p output_buffer
586 * could be NULL.
587 * \param output_buffer_length Length of data written to output_buffer, must be
588 * less than \p output_buffer_size
589 */
590static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status,
591 size_t output_buffer_size, size_t output_buffer_length)
592{
593 size_t offset = 0;
594
595 if (output_buffer_size == 0) {
596 /* If output_buffer_size is 0 then we have nothing to do. We must not
597 call memset because output_buffer may be NULL in this case */
598 return;
599 }
600
601 if (status == PSA_SUCCESS) {
602 offset = output_buffer_length;
603 }
604
605 memset(output_buffer + offset, '!', output_buffer_size - offset);
606}
607
608
609psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
610 size_t bits)
611{
612 /* Check that the bit size is acceptable for the key type */
613 switch (type) {
614 case PSA_KEY_TYPE_RAW_DATA:
615 case PSA_KEY_TYPE_HMAC:
616 case PSA_KEY_TYPE_DERIVE:
617 case PSA_KEY_TYPE_PASSWORD:
618 case PSA_KEY_TYPE_PASSWORD_HASH:
619 break;
620#if defined(PSA_WANT_KEY_TYPE_AES)
621 case PSA_KEY_TYPE_AES:
622 if (bits != 128 && bits != 192 && bits != 256) {
623 return PSA_ERROR_INVALID_ARGUMENT;
624 }
625 break;
626#endif
627#if defined(PSA_WANT_KEY_TYPE_ARIA)
628 case PSA_KEY_TYPE_ARIA:
629 if (bits != 128 && bits != 192 && bits != 256) {
630 return PSA_ERROR_INVALID_ARGUMENT;
631 }
632 break;
633#endif
634#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
635 case PSA_KEY_TYPE_CAMELLIA:
636 if (bits != 128 && bits != 192 && bits != 256) {
637 return PSA_ERROR_INVALID_ARGUMENT;
638 }
639 break;
640#endif
641#if defined(PSA_WANT_KEY_TYPE_DES)
642 case PSA_KEY_TYPE_DES:
643 if (bits != 64 && bits != 128 && bits != 192) {
644 return PSA_ERROR_INVALID_ARGUMENT;
645 }
646 break;
647#endif
648#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
649 case PSA_KEY_TYPE_CHACHA20:
650 if (bits != 256) {
651 return PSA_ERROR_INVALID_ARGUMENT;
652 }
653 break;
654#endif
655 default:
656 return PSA_ERROR_NOT_SUPPORTED;
657 }
658 if (bits % 8 != 0) {
659 return PSA_ERROR_INVALID_ARGUMENT;
660 }
661
662 return PSA_SUCCESS;
663}
664
665/** Check whether a given key type is valid for use with a given MAC algorithm
666 *
667 * Upon successful return of this function, the behavior of #PSA_MAC_LENGTH
668 * when called with the validated \p algorithm and \p key_type is well-defined.
669 *
670 * \param[in] algorithm The specific MAC algorithm (can be wildcard).
671 * \param[in] key_type The key type of the key to be used with the
672 * \p algorithm.
673 *
674 * \retval #PSA_SUCCESS
675 * The \p key_type is valid for use with the \p algorithm
676 * \retval #PSA_ERROR_INVALID_ARGUMENT
677 * The \p key_type is not valid for use with the \p algorithm
678 */
679MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do(
680 psa_algorithm_t algorithm,
681 psa_key_type_t key_type)
682{
683 if (PSA_ALG_IS_HMAC(algorithm)) {
684 if (key_type == PSA_KEY_TYPE_HMAC) {
685 return PSA_SUCCESS;
686 }
687 }
688
689 if (PSA_ALG_IS_BLOCK_CIPHER_MAC(algorithm)) {
690 /* Check that we're calling PSA_BLOCK_CIPHER_BLOCK_LENGTH with a cipher
691 * key. */
692 if ((key_type & PSA_KEY_TYPE_CATEGORY_MASK) ==
693 PSA_KEY_TYPE_CATEGORY_SYMMETRIC) {
694 /* PSA_BLOCK_CIPHER_BLOCK_LENGTH returns 1 for stream ciphers and
695 * the block length (larger than 1) for block ciphers. */
696 if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1) {
697 return PSA_SUCCESS;
698 }
699 }
700 }
701
702 return PSA_ERROR_INVALID_ARGUMENT;
703}
704
705psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
706 size_t buffer_length)
707{
708 if (slot->key.data != NULL) {
709 return PSA_ERROR_ALREADY_EXISTS;
710 }
711
712 slot->key.data = mbedtls_calloc(1, buffer_length);
713 if (slot->key.data == NULL) {
714 return PSA_ERROR_INSUFFICIENT_MEMORY;
715 }
716
717 slot->key.bytes = buffer_length;
718 return PSA_SUCCESS;
719}
720
721psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
722 const uint8_t *data,
723 size_t data_length)
724{
725 psa_status_t status = psa_allocate_buffer_to_slot(slot,
726 data_length);
727 if (status != PSA_SUCCESS) {
728 return status;
729 }
730
731 memcpy(slot->key.data, data, data_length);
732 return PSA_SUCCESS;
733}
734
735psa_status_t psa_import_key_into_slot(
736 const psa_key_attributes_t *attributes,
737 const uint8_t *data, size_t data_length,
738 uint8_t *key_buffer, size_t key_buffer_size,
739 size_t *key_buffer_length, size_t *bits)
740{
741 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
742 psa_key_type_t type = attributes->type;
743
744 /* zero-length keys are never supported. */
745 if (data_length == 0) {
746 return PSA_ERROR_NOT_SUPPORTED;
747 }
748
749 if (key_type_is_raw_bytes(type)) {
750 *bits = PSA_BYTES_TO_BITS(data_length);
751
752 status = psa_validate_unstructured_key_bit_size(attributes->type,
753 *bits);
754 if (status != PSA_SUCCESS) {
755 return status;
756 }
757
758 /* Copy the key material. */
759 memcpy(key_buffer, data, data_length);
760 *key_buffer_length = data_length;
761 (void) key_buffer_size;
762
763 return PSA_SUCCESS;
764 } else if (PSA_KEY_TYPE_IS_ASYMMETRIC(type)) {
765#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
766 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
767 if (PSA_KEY_TYPE_IS_DH(type)) {
768 if (psa_is_dh_key_size_valid(PSA_BYTES_TO_BITS(data_length)) == 0) {
769 return PSA_ERROR_NOT_SUPPORTED;
770 }
771 return mbedtls_psa_ffdh_import_key(attributes,
772 data, data_length,
773 key_buffer, key_buffer_size,
774 key_buffer_length,
775 bits);
776 }
777#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) ||
778 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
779#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
780 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
781 if (PSA_KEY_TYPE_IS_ECC(type)) {
782 return mbedtls_psa_ecp_import_key(attributes,
783 data, data_length,
784 key_buffer, key_buffer_size,
785 key_buffer_length,
786 bits);
787 }
788#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
789 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
790#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
791 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
792 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
793 if (PSA_KEY_TYPE_IS_RSA(type)) {
794 return mbedtls_psa_rsa_import_key(attributes,
795 data, data_length,
796 key_buffer, key_buffer_size,
797 key_buffer_length,
798 bits);
799 }
800#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
801 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
802 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
803 }
804
805 return PSA_ERROR_NOT_SUPPORTED;
806}
807
808/** Calculate the intersection of two algorithm usage policies.
809 *
810 * Return 0 (which allows no operation) on incompatibility.
811 */
812static psa_algorithm_t psa_key_policy_algorithm_intersection(
813 psa_key_type_t key_type,
814 psa_algorithm_t alg1,
815 psa_algorithm_t alg2)
816{
817 /* Common case: both sides actually specify the same policy. */
818 if (alg1 == alg2) {
819 return alg1;
820 }
821 /* If the policies are from the same hash-and-sign family, check
822 * if one is a wildcard. If so the other has the specific algorithm. */
823 if (PSA_ALG_IS_SIGN_HASH(alg1) &&
824 PSA_ALG_IS_SIGN_HASH(alg2) &&
825 (alg1 & ~PSA_ALG_HASH_MASK) == (alg2 & ~PSA_ALG_HASH_MASK)) {
826 if (PSA_ALG_SIGN_GET_HASH(alg1) == PSA_ALG_ANY_HASH) {
827 return alg2;
828 }
829 if (PSA_ALG_SIGN_GET_HASH(alg2) == PSA_ALG_ANY_HASH) {
830 return alg1;
831 }
832 }
833 /* If the policies are from the same AEAD family, check whether
834 * one of them is a minimum-tag-length wildcard. Calculate the most
835 * restrictive tag length. */
836 if (PSA_ALG_IS_AEAD(alg1) && PSA_ALG_IS_AEAD(alg2) &&
837 (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg1, 0) ==
838 PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg2, 0))) {
839 size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg1);
840 size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg2);
841 size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
842
843 /* If both are wildcards, return most restrictive wildcard */
844 if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
845 ((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
846 return PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(
847 alg1, restricted_len);
848 }
849 /* If only one is a wildcard, return specific algorithm if compatible. */
850 if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
851 (alg1_len <= alg2_len)) {
852 return alg2;
853 }
854 if (((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
855 (alg2_len <= alg1_len)) {
856 return alg1;
857 }
858 }
859 /* If the policies are from the same MAC family, check whether one
860 * of them is a minimum-MAC-length policy. Calculate the most
861 * restrictive tag length. */
862 if (PSA_ALG_IS_MAC(alg1) && PSA_ALG_IS_MAC(alg2) &&
863 (PSA_ALG_FULL_LENGTH_MAC(alg1) ==
864 PSA_ALG_FULL_LENGTH_MAC(alg2))) {
865 /* Validate the combination of key type and algorithm. Since the base
866 * algorithm of alg1 and alg2 are the same, we only need this once. */
867 if (PSA_SUCCESS != psa_mac_key_can_do(alg1, key_type)) {
868 return 0;
869 }
870
871 /* Get the (exact or at-least) output lengths for both sides of the
872 * requested intersection. None of the currently supported algorithms
873 * have an output length dependent on the actual key size, so setting it
874 * to a bogus value of 0 is currently OK.
875 *
876 * Note that for at-least-this-length wildcard algorithms, the output
877 * length is set to the shortest allowed length, which allows us to
878 * calculate the most restrictive tag length for the intersection. */
879 size_t alg1_len = PSA_MAC_LENGTH(key_type, 0, alg1);
880 size_t alg2_len = PSA_MAC_LENGTH(key_type, 0, alg2);
881 size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
882
883 /* If both are wildcards, return most restrictive wildcard */
884 if (((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
885 ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
886 return PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(alg1, restricted_len);
887 }
888
889 /* If only one is an at-least-this-length policy, the intersection would
890 * be the other (fixed-length) policy as long as said fixed length is
891 * equal to or larger than the shortest allowed length. */
892 if ((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
893 return (alg1_len <= alg2_len) ? alg2 : 0;
894 }
895 if ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
896 return (alg2_len <= alg1_len) ? alg1 : 0;
897 }
898
899 /* If none of them are wildcards, check whether they define the same tag
900 * length. This is still possible here when one is default-length and
901 * the other specific-length. Ensure to always return the
902 * specific-length version for the intersection. */
903 if (alg1_len == alg2_len) {
904 return PSA_ALG_TRUNCATED_MAC(alg1, alg1_len);
905 }
906 }
907 /* If the policies are incompatible, allow nothing. */
908 return 0;
909}
910
911static int psa_key_algorithm_permits(psa_key_type_t key_type,
912 psa_algorithm_t policy_alg,
913 psa_algorithm_t requested_alg)
914{
915 /* Common case: the policy only allows requested_alg. */
916 if (requested_alg == policy_alg) {
917 return 1;
918 }
919 /* If policy_alg is a hash-and-sign with a wildcard for the hash,
920 * and requested_alg is the same hash-and-sign family with any hash,
921 * then requested_alg is compliant with policy_alg. */
922 if (PSA_ALG_IS_SIGN_HASH(requested_alg) &&
923 PSA_ALG_SIGN_GET_HASH(policy_alg) == PSA_ALG_ANY_HASH) {
924 return (policy_alg & ~PSA_ALG_HASH_MASK) ==
925 (requested_alg & ~PSA_ALG_HASH_MASK);
926 }
927 /* If policy_alg is a wildcard AEAD algorithm of the same base as
928 * the requested algorithm, check the requested tag length to be
929 * equal-length or longer than the wildcard-specified length. */
930 if (PSA_ALG_IS_AEAD(policy_alg) &&
931 PSA_ALG_IS_AEAD(requested_alg) &&
932 (PSA_ALG_AEAD_WITH_SHORTENED_TAG(policy_alg, 0) ==
933 PSA_ALG_AEAD_WITH_SHORTENED_TAG(requested_alg, 0)) &&
934 ((policy_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
935 return PSA_ALG_AEAD_GET_TAG_LENGTH(policy_alg) <=
936 PSA_ALG_AEAD_GET_TAG_LENGTH(requested_alg);
937 }
938 /* If policy_alg is a MAC algorithm of the same base as the requested
939 * algorithm, check whether their MAC lengths are compatible. */
940 if (PSA_ALG_IS_MAC(policy_alg) &&
941 PSA_ALG_IS_MAC(requested_alg) &&
942 (PSA_ALG_FULL_LENGTH_MAC(policy_alg) ==
943 PSA_ALG_FULL_LENGTH_MAC(requested_alg))) {
944 /* Validate the combination of key type and algorithm. Since the policy
945 * and requested algorithms are the same, we only need this once. */
946 if (PSA_SUCCESS != psa_mac_key_can_do(policy_alg, key_type)) {
947 return 0;
948 }
949
950 /* Get both the requested output length for the algorithm which is to be
951 * verified, and the default output length for the base algorithm.
952 * Note that none of the currently supported algorithms have an output
953 * length dependent on actual key size, so setting it to a bogus value
954 * of 0 is currently OK. */
955 size_t requested_output_length = PSA_MAC_LENGTH(
956 key_type, 0, requested_alg);
957 size_t default_output_length = PSA_MAC_LENGTH(
958 key_type, 0,
959 PSA_ALG_FULL_LENGTH_MAC(requested_alg));
960
961 /* If the policy is default-length, only allow an algorithm with
962 * a declared exact-length matching the default. */
963 if (PSA_MAC_TRUNCATED_LENGTH(policy_alg) == 0) {
964 return requested_output_length == default_output_length;
965 }
966
967 /* If the requested algorithm is default-length, allow it if the policy
968 * length exactly matches the default length. */
969 if (PSA_MAC_TRUNCATED_LENGTH(requested_alg) == 0 &&
970 PSA_MAC_TRUNCATED_LENGTH(policy_alg) == default_output_length) {
971 return 1;
972 }
973
974 /* If policy_alg is an at-least-this-length wildcard MAC algorithm,
975 * check for the requested MAC length to be equal to or longer than the
976 * minimum allowed length. */
977 if ((policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
978 return PSA_MAC_TRUNCATED_LENGTH(policy_alg) <=
979 requested_output_length;
980 }
981 }
982 /* If policy_alg is a generic key agreement operation, then using it for
983 * a key derivation with that key agreement should also be allowed. This
984 * behaviour is expected to be defined in a future specification version. */
985 if (PSA_ALG_IS_RAW_KEY_AGREEMENT(policy_alg) &&
986 PSA_ALG_IS_KEY_AGREEMENT(requested_alg)) {
987 return PSA_ALG_KEY_AGREEMENT_GET_BASE(requested_alg) ==
988 policy_alg;
989 }
990 /* If it isn't explicitly permitted, it's forbidden. */
991 return 0;
992}
993
994/** Test whether a policy permits an algorithm.
995 *
996 * The caller must test usage flags separately.
997 *
998 * \note This function requires providing the key type for which the policy is
999 * being validated, since some algorithm policy definitions (e.g. MAC)
1000 * have different properties depending on what kind of cipher it is
1001 * combined with.
1002 *
1003 * \retval PSA_SUCCESS When \p alg is a specific algorithm
1004 * allowed by the \p policy.
1005 * \retval PSA_ERROR_INVALID_ARGUMENT When \p alg is not a specific algorithm
1006 * \retval PSA_ERROR_NOT_PERMITTED When \p alg is a specific algorithm, but
1007 * the \p policy does not allow it.
1008 */
1009static psa_status_t psa_key_policy_permits(const psa_key_policy_t *policy,
1010 psa_key_type_t key_type,
1011 psa_algorithm_t alg)
1012{
1013 /* '0' is not a valid algorithm */
1014 if (alg == 0) {
1015 return PSA_ERROR_INVALID_ARGUMENT;
1016 }
1017
1018 /* A requested algorithm cannot be a wildcard. */
1019 if (PSA_ALG_IS_WILDCARD(alg)) {
1020 return PSA_ERROR_INVALID_ARGUMENT;
1021 }
1022
1023 if (psa_key_algorithm_permits(key_type, policy->alg, alg) ||
1024 psa_key_algorithm_permits(key_type, policy->alg2, alg)) {
1025 return PSA_SUCCESS;
1026 } else {
1027 return PSA_ERROR_NOT_PERMITTED;
1028 }
1029}
1030
1031/** Restrict a key policy based on a constraint.
1032 *
1033 * \note This function requires providing the key type for which the policy is
1034 * being restricted, since some algorithm policy definitions (e.g. MAC)
1035 * have different properties depending on what kind of cipher it is
1036 * combined with.
1037 *
1038 * \param[in] key_type The key type for which to restrict the policy
1039 * \param[in,out] policy The policy to restrict.
1040 * \param[in] constraint The policy constraint to apply.
1041 *
1042 * \retval #PSA_SUCCESS
1043 * \c *policy contains the intersection of the original value of
1044 * \c *policy and \c *constraint.
1045 * \retval #PSA_ERROR_INVALID_ARGUMENT
1046 * \c key_type, \c *policy and \c *constraint are incompatible.
1047 * \c *policy is unchanged.
1048 */
1049static psa_status_t psa_restrict_key_policy(
1050 psa_key_type_t key_type,
1051 psa_key_policy_t *policy,
1052 const psa_key_policy_t *constraint)
1053{
1054 psa_algorithm_t intersection_alg =
1055 psa_key_policy_algorithm_intersection(key_type, policy->alg,
1056 constraint->alg);
1057 psa_algorithm_t intersection_alg2 =
1058 psa_key_policy_algorithm_intersection(key_type, policy->alg2,
1059 constraint->alg2);
1060 if (intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0) {
1061 return PSA_ERROR_INVALID_ARGUMENT;
1062 }
1063 if (intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0) {
1064 return PSA_ERROR_INVALID_ARGUMENT;
1065 }
1066 policy->usage &= constraint->usage;
1067 policy->alg = intersection_alg;
1068 policy->alg2 = intersection_alg2;
1069 return PSA_SUCCESS;
1070}
1071
1072/** Get the description of a key given its identifier and policy constraints
1073 * and lock it.
1074 *
1075 * The key must have allow all the usage flags set in \p usage. If \p alg is
1076 * nonzero, the key must allow operations with this algorithm. If \p alg is
1077 * zero, the algorithm is not checked.
1078 *
1079 * In case of a persistent key, the function loads the description of the key
1080 * into a key slot if not already done.
1081 *
1082 * On success, the returned key slot has been registered for reading.
1083 * It is the responsibility of the caller to then unregister
1084 * once they have finished reading the contents of the slot.
1085 * The caller unregisters by calling psa_unregister_read() or
1086 * psa_unregister_read_under_mutex(). psa_unregister_read() must be called
1087 * if and only if the caller already holds the global key slot mutex
1088 * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates
1089 * the unregister with mutex lock and unlock operations.
1090 */
1091static psa_status_t psa_get_and_lock_key_slot_with_policy(
1092 mbedtls_svc_key_id_t key,
1093 psa_key_slot_t **p_slot,
1094 psa_key_usage_t usage,
1095 psa_algorithm_t alg)
1096{
1097 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1098 psa_key_slot_t *slot = NULL;
1099
1100 status = psa_get_and_lock_key_slot(key, p_slot);
1101 if (status != PSA_SUCCESS) {
1102 return status;
1103 }
1104 slot = *p_slot;
1105
1106 /* Enforce that usage policy for the key slot contains all the flags
1107 * required by the usage parameter. There is one exception: public
1108 * keys can always be exported, so we treat public key objects as
1109 * if they had the export flag. */
1110 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
1111 usage &= ~PSA_KEY_USAGE_EXPORT;
1112 }
1113
1114 if ((slot->attr.policy.usage & usage) != usage) {
1115 status = PSA_ERROR_NOT_PERMITTED;
1116 goto error;
1117 }
1118
1119 /* Enforce that the usage policy permits the requested algorithm. */
1120 if (alg != 0) {
1121 status = psa_key_policy_permits(&slot->attr.policy,
1122 slot->attr.type,
1123 alg);
1124 if (status != PSA_SUCCESS) {
1125 goto error;
1126 }
1127 }
1128
1129 return PSA_SUCCESS;
1130
1131error:
1132 *p_slot = NULL;
1133 psa_unregister_read_under_mutex(slot);
1134
1135 return status;
1136}
1137
1138/** Get a key slot containing a transparent key and lock it.
1139 *
1140 * A transparent key is a key for which the key material is directly
1141 * available, as opposed to a key in a secure element and/or to be used
1142 * by a secure element.
1143 *
1144 * This is a temporary function that may be used instead of
1145 * psa_get_and_lock_key_slot_with_policy() when there is no opaque key support
1146 * for a cryptographic operation.
1147 *
1148 * On success, the returned key slot has been registered for reading.
1149 * It is the responsibility of the caller to then unregister
1150 * once they have finished reading the contents of the slot.
1151 * The caller unregisters by calling psa_unregister_read() or
1152 * psa_unregister_read_under_mutex(). psa_unregister_read() must be called
1153 * if and only if the caller already holds the global key slot mutex
1154 * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates
1155 * psa_unregister_read() with mutex lock and unlock operations.
1156 */
1157static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
1158 mbedtls_svc_key_id_t key,
1159 psa_key_slot_t **p_slot,
1160 psa_key_usage_t usage,
1161 psa_algorithm_t alg)
1162{
1163 psa_status_t status = psa_get_and_lock_key_slot_with_policy(key, p_slot,
1164 usage, alg);
1165 if (status != PSA_SUCCESS) {
1166 return status;
1167 }
1168
1169 if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) {
1170 psa_unregister_read_under_mutex(*p_slot);
1171 *p_slot = NULL;
1172 return PSA_ERROR_NOT_SUPPORTED;
1173 }
1174
1175 return PSA_SUCCESS;
1176}
1177
1178psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot)
1179{
1180 if (slot->key.data != NULL) {
1181 mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes);
1182 }
1183
1184 slot->key.data = NULL;
1185 slot->key.bytes = 0;
1186
1187 return PSA_SUCCESS;
1188}
1189
1190/** Completely wipe a slot in memory, including its policy.
1191 * Persistent storage is not affected. */
1192psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot)
1193{
1194 psa_status_t status = psa_remove_key_data_from_memory(slot);
1195
1196 /*
1197 * As the return error code may not be handled in case of multiple errors,
1198 * do our best to report an unexpected amount of registered readers or
1199 * an unexpected state.
1200 * Assert with MBEDTLS_TEST_HOOK_TEST_ASSERT that the slot is valid for
1201 * wiping.
1202 * if the MBEDTLS_TEST_HOOKS configuration option is enabled and the
1203 * function is called as part of the execution of a test suite, the
1204 * execution of the test suite is stopped in error if the assertion fails.
1205 */
1206 switch (slot->state) {
1207 case PSA_SLOT_FULL:
1208 /* In this state psa_wipe_key_slot() must only be called if the
1209 * caller is the last reader. */
1210 case PSA_SLOT_PENDING_DELETION:
1211 /* In this state psa_wipe_key_slot() must only be called if the
1212 * caller is the last reader. */
1213 if (slot->registered_readers != 1) {
1214 MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 1);
1215 status = PSA_ERROR_CORRUPTION_DETECTED;
1216 }
1217 break;
1218 case PSA_SLOT_FILLING:
1219 /* In this state registered_readers must be 0. */
1220 if (slot->registered_readers != 0) {
1221 MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 0);
1222 status = PSA_ERROR_CORRUPTION_DETECTED;
1223 }
1224 break;
1225 case PSA_SLOT_EMPTY:
1226 /* The slot is already empty, it cannot be wiped. */
1227 MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->state != PSA_SLOT_EMPTY);
1228 status = PSA_ERROR_CORRUPTION_DETECTED;
1229 break;
1230 default:
1231 /* The slot's state is invalid. */
1232 status = PSA_ERROR_CORRUPTION_DETECTED;
1233 }
1234
1235 /* Multipart operations may still be using the key. This is safe
1236 * because all multipart operation objects are independent from
1237 * the key slot: if they need to access the key after the setup
1238 * phase, they have a copy of the key. Note that this means that
1239 * key material can linger until all operations are completed. */
1240 /* At this point, key material and other type-specific content has
1241 * been wiped. Clear remaining metadata. We can call memset and not
1242 * zeroize because the metadata is not particularly sensitive.
1243 * This memset also sets the slot's state to PSA_SLOT_EMPTY. */
1244 memset(slot, 0, sizeof(*slot));
1245 return status;
1246}
1247
1248psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key)
1249{
1250 psa_key_slot_t *slot;
1251 psa_status_t status; /* status of the last operation */
1252 psa_status_t overall_status = PSA_SUCCESS;
1253#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1254 psa_se_drv_table_entry_t *driver;
1255#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1256
1257 if (mbedtls_svc_key_id_is_null(key)) {
1258 return PSA_SUCCESS;
1259 }
1260
1261 /*
1262 * Get the description of the key in a key slot, and register to read it.
1263 * In the case of a persistent key, this will load the key description
1264 * from persistent memory if not done yet.
1265 * We cannot avoid this loading as without it we don't know if
1266 * the key is operated by an SE or not and this information is needed by
1267 * the current implementation. */
1268 status = psa_get_and_lock_key_slot(key, &slot);
1269 if (status != PSA_SUCCESS) {
1270 return status;
1271 }
1272
1273#if defined(MBEDTLS_THREADING_C)
1274 /* We cannot unlock between setting the state to PENDING_DELETION
1275 * and destroying the key in storage, as otherwise another thread
1276 * could load the key into a new slot and the key will not be
1277 * fully destroyed. */
1278 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(
1279 &mbedtls_threading_key_slot_mutex));
1280
1281 if (slot->state == PSA_SLOT_PENDING_DELETION) {
1282 /* Another thread has destroyed the key between us locking the slot
1283 * and us gaining the mutex. Unregister from the slot,
1284 * and report that the key does not exist. */
1285 status = psa_unregister_read(slot);
1286
1287 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1288 &mbedtls_threading_key_slot_mutex));
1289 return (status == PSA_SUCCESS) ? PSA_ERROR_INVALID_HANDLE : status;
1290 }
1291#endif
1292 /* Set the key slot containing the key description's state to
1293 * PENDING_DELETION. This stops new operations from registering
1294 * to read the slot. Current readers can safely continue to access
1295 * the key within the slot; the last registered reader will
1296 * automatically wipe the slot when they call psa_unregister_read().
1297 * If the key is persistent, we can now delete the copy of the key
1298 * from memory. If the key is opaque, we require the driver to
1299 * deal with the deletion. */
1300 overall_status = psa_key_slot_state_transition(slot, PSA_SLOT_FULL,
1301 PSA_SLOT_PENDING_DELETION);
1302
1303 if (overall_status != PSA_SUCCESS) {
1304 goto exit;
1305 }
1306
1307 if (PSA_KEY_LIFETIME_IS_READ_ONLY(slot->attr.lifetime)) {
1308 /* Refuse the destruction of a read-only key (which may or may not work
1309 * if we attempt it, depending on whether the key is merely read-only
1310 * by policy or actually physically read-only).
1311 * Just do the best we can, which is to wipe the copy in memory
1312 * (done in this function's cleanup code). */
1313 overall_status = PSA_ERROR_NOT_PERMITTED;
1314 goto exit;
1315 }
1316
1317#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1318 driver = psa_get_se_driver_entry(slot->attr.lifetime);
1319 if (driver != NULL) {
1320 /* For a key in a secure element, we need to do three things:
1321 * remove the key file in internal storage, destroy the
1322 * key inside the secure element, and update the driver's
1323 * persistent data. Start a transaction that will encompass these
1324 * three actions. */
1325 psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_DESTROY_KEY);
1326 psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
1327 psa_crypto_transaction.key.slot = psa_key_slot_get_slot_number(slot);
1328 psa_crypto_transaction.key.id = slot->attr.id;
1329 status = psa_crypto_save_transaction();
1330 if (status != PSA_SUCCESS) {
1331 (void) psa_crypto_stop_transaction();
1332 /* We should still try to destroy the key in the secure
1333 * element and the key metadata in storage. This is especially
1334 * important if the error is that the storage is full.
1335 * But how to do it exactly without risking an inconsistent
1336 * state after a reset?
1337 * https://github.com/ARMmbed/mbed-crypto/issues/215
1338 */
1339 overall_status = status;
1340 goto exit;
1341 }
1342
1343 status = psa_destroy_se_key(driver,
1344 psa_key_slot_get_slot_number(slot));
1345 if (overall_status == PSA_SUCCESS) {
1346 overall_status = status;
1347 }
1348 }
1349#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1350
1351#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
1352 if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
1353 /* Destroy the copy of the persistent key from storage.
1354 * The slot will still hold a copy of the key until the last reader
1355 * unregisters. */
1356 status = psa_destroy_persistent_key(slot->attr.id);
1357 if (overall_status == PSA_SUCCESS) {
1358 overall_status = status;
1359 }
1360 }
1361#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
1362
1363#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1364 if (driver != NULL) {
1365 status = psa_save_se_persistent_data(driver);
1366 if (overall_status == PSA_SUCCESS) {
1367 overall_status = status;
1368 }
1369 status = psa_crypto_stop_transaction();
1370 if (overall_status == PSA_SUCCESS) {
1371 overall_status = status;
1372 }
1373 }
1374#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1375
1376exit:
1377 /* Unregister from reading the slot. If we are the last active reader
1378 * then this will wipe the slot. */
1379 status = psa_unregister_read(slot);
1380 /* Prioritize CORRUPTION_DETECTED from unregistering over
1381 * a storage error. */
1382 if (status != PSA_SUCCESS) {
1383 overall_status = status;
1384 }
1385
1386#if defined(MBEDTLS_THREADING_C)
1387 /* Don't overwrite existing errors if the unlock fails. */
1388 status = overall_status;
1389 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1390 &mbedtls_threading_key_slot_mutex));
1391#endif
1392
1393 return overall_status;
1394}
1395
1396/** Retrieve all the publicly-accessible attributes of a key.
1397 */
1398psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
1399 psa_key_attributes_t *attributes)
1400{
1401 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1402 psa_key_slot_t *slot;
1403
1404 psa_reset_key_attributes(attributes);
1405
1406 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
1407 if (status != PSA_SUCCESS) {
1408 return status;
1409 }
1410
1411 *attributes = slot->attr;
1412
1413#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1414 if (psa_get_se_driver_entry(slot->attr.lifetime) != NULL) {
1415 psa_set_key_slot_number(attributes,
1416 psa_key_slot_get_slot_number(slot));
1417 }
1418#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1419
1420 return psa_unregister_read_under_mutex(slot);
1421}
1422
1423#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1424psa_status_t psa_get_key_slot_number(
1425 const psa_key_attributes_t *attributes,
1426 psa_key_slot_number_t *slot_number)
1427{
1428 if (attributes->has_slot_number) {
1429 *slot_number = attributes->slot_number;
1430 return PSA_SUCCESS;
1431 } else {
1432 return PSA_ERROR_INVALID_ARGUMENT;
1433 }
1434}
1435#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1436
1437static psa_status_t psa_export_key_buffer_internal(const uint8_t *key_buffer,
1438 size_t key_buffer_size,
1439 uint8_t *data,
1440 size_t data_size,
1441 size_t *data_length)
1442{
1443 if (key_buffer_size > data_size) {
1444 return PSA_ERROR_BUFFER_TOO_SMALL;
1445 }
1446 memcpy(data, key_buffer, key_buffer_size);
1447 memset(data + key_buffer_size, 0,
1448 data_size - key_buffer_size);
1449 *data_length = key_buffer_size;
1450 return PSA_SUCCESS;
1451}
1452
1453psa_status_t psa_export_key_internal(
1454 const psa_key_attributes_t *attributes,
1455 const uint8_t *key_buffer, size_t key_buffer_size,
1456 uint8_t *data, size_t data_size, size_t *data_length)
1457{
1458 psa_key_type_t type = attributes->type;
1459
1460 if (key_type_is_raw_bytes(type) ||
1461 PSA_KEY_TYPE_IS_RSA(type) ||
1462 PSA_KEY_TYPE_IS_ECC(type) ||
1463 PSA_KEY_TYPE_IS_DH(type)) {
1464 return psa_export_key_buffer_internal(
1465 key_buffer, key_buffer_size,
1466 data, data_size, data_length);
1467 } else {
1468 /* This shouldn't happen in the reference implementation, but
1469 it is valid for a special-purpose implementation to omit
1470 support for exporting certain key types. */
1471 return PSA_ERROR_NOT_SUPPORTED;
1472 }
1473}
1474
1475psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
1476 uint8_t *data_external,
1477 size_t data_size,
1478 size_t *data_length)
1479{
1480 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1481 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
1482 psa_key_slot_t *slot;
1483 LOCAL_OUTPUT_DECLARE(data_external, data);
1484
1485 /* Reject a zero-length output buffer now, since this can never be a
1486 * valid key representation. This way we know that data must be a valid
1487 * pointer and we can do things like memset(data, ..., data_size). */
1488 if (data_size == 0) {
1489 return PSA_ERROR_BUFFER_TOO_SMALL;
1490 }
1491
1492 /* Set the key to empty now, so that even when there are errors, we always
1493 * set data_length to a value between 0 and data_size. On error, setting
1494 * the key to empty is a good choice because an empty key representation is
1495 * unlikely to be accepted anywhere. */
1496 *data_length = 0;
1497
1498 /* Export requires the EXPORT flag. There is an exception for public keys,
1499 * which don't require any flag, but
1500 * psa_get_and_lock_key_slot_with_policy() takes care of this.
1501 */
1502 status = psa_get_and_lock_key_slot_with_policy(key, &slot,
1503 PSA_KEY_USAGE_EXPORT, 0);
1504 if (status != PSA_SUCCESS) {
1505 return status;
1506 }
1507
1508 LOCAL_OUTPUT_ALLOC(data_external, data_size, data);
1509
1510 status = psa_driver_wrapper_export_key(&slot->attr,
1511 slot->key.data, slot->key.bytes,
1512 data, data_size, data_length);
1513
1514#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
1515exit:
1516#endif
1517 unlock_status = psa_unregister_read_under_mutex(slot);
1518
1519 LOCAL_OUTPUT_FREE(data_external, data);
1520 return (status == PSA_SUCCESS) ? unlock_status : status;
1521}
1522
1523psa_status_t psa_export_public_key_internal(
1524 const psa_key_attributes_t *attributes,
1525 const uint8_t *key_buffer,
1526 size_t key_buffer_size,
1527 uint8_t *data,
1528 size_t data_size,
1529 size_t *data_length)
1530{
1531 psa_key_type_t type = attributes->type;
1532
1533 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
1534 (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type) ||
1535 PSA_KEY_TYPE_IS_DH(type))) {
1536 /* Exporting public -> public */
1537 return psa_export_key_buffer_internal(
1538 key_buffer, key_buffer_size,
1539 data, data_size, data_length);
1540 } else if (PSA_KEY_TYPE_IS_RSA(type)) {
1541#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
1542 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
1543 return mbedtls_psa_rsa_export_public_key(attributes,
1544 key_buffer,
1545 key_buffer_size,
1546 data,
1547 data_size,
1548 data_length);
1549#else
1550 /* We don't know how to convert a private RSA key to public. */
1551 return PSA_ERROR_NOT_SUPPORTED;
1552#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
1553 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
1554 } else if (PSA_KEY_TYPE_IS_ECC(type)) {
1555#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
1556 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
1557 return mbedtls_psa_ecp_export_public_key(attributes,
1558 key_buffer,
1559 key_buffer_size,
1560 data,
1561 data_size,
1562 data_length);
1563#else
1564 /* We don't know how to convert a private ECC key to public */
1565 return PSA_ERROR_NOT_SUPPORTED;
1566#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
1567 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
1568 } else if (PSA_KEY_TYPE_IS_DH(type)) {
1569#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
1570 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
1571 return mbedtls_psa_ffdh_export_public_key(attributes,
1572 key_buffer,
1573 key_buffer_size,
1574 data, data_size,
1575 data_length);
1576#else
1577 return PSA_ERROR_NOT_SUPPORTED;
1578#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) ||
1579 * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
1580 } else {
1581 (void) key_buffer;
1582 (void) key_buffer_size;
1583 (void) data;
1584 (void) data_size;
1585 (void) data_length;
1586 return PSA_ERROR_NOT_SUPPORTED;
1587 }
1588}
1589
1590psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
1591 uint8_t *data_external,
1592 size_t data_size,
1593 size_t *data_length)
1594{
1595 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1596 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
1597 psa_key_slot_t *slot;
1598
1599 LOCAL_OUTPUT_DECLARE(data_external, data);
1600
1601 /* Reject a zero-length output buffer now, since this can never be a
1602 * valid key representation. This way we know that data must be a valid
1603 * pointer and we can do things like memset(data, ..., data_size). */
1604 if (data_size == 0) {
1605 return PSA_ERROR_BUFFER_TOO_SMALL;
1606 }
1607
1608 /* Set the key to empty now, so that even when there are errors, we always
1609 * set data_length to a value between 0 and data_size. On error, setting
1610 * the key to empty is a good choice because an empty key representation is
1611 * unlikely to be accepted anywhere. */
1612 *data_length = 0;
1613
1614 /* Exporting a public key doesn't require a usage flag. */
1615 status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
1616 if (status != PSA_SUCCESS) {
1617 return status;
1618 }
1619
1620 LOCAL_OUTPUT_ALLOC(data_external, data_size, data);
1621
1622 if (!PSA_KEY_TYPE_IS_ASYMMETRIC(slot->attr.type)) {
1623 status = PSA_ERROR_INVALID_ARGUMENT;
1624 goto exit;
1625 }
1626
1627 status = psa_driver_wrapper_export_public_key(
1628 &slot->attr, slot->key.data, slot->key.bytes,
1629 data, data_size, data_length);
1630
1631exit:
1632 unlock_status = psa_unregister_read_under_mutex(slot);
1633
1634 LOCAL_OUTPUT_FREE(data_external, data);
1635 return (status == PSA_SUCCESS) ? unlock_status : status;
1636}
1637
1638/** Validate that a key policy is internally well-formed.
1639 *
1640 * This function only rejects invalid policies. It does not validate the
1641 * consistency of the policy with respect to other attributes of the key
1642 * such as the key type.
1643 */
1644static psa_status_t psa_validate_key_policy(const psa_key_policy_t *policy)
1645{
1646 if ((policy->usage & ~(PSA_KEY_USAGE_EXPORT |
1647 PSA_KEY_USAGE_COPY |
1648 PSA_KEY_USAGE_ENCRYPT |
1649 PSA_KEY_USAGE_DECRYPT |
1650 PSA_KEY_USAGE_SIGN_MESSAGE |
1651 PSA_KEY_USAGE_VERIFY_MESSAGE |
1652 PSA_KEY_USAGE_SIGN_HASH |
1653 PSA_KEY_USAGE_VERIFY_HASH |
1654 PSA_KEY_USAGE_VERIFY_DERIVATION |
1655 PSA_KEY_USAGE_DERIVE)) != 0) {
1656 return PSA_ERROR_INVALID_ARGUMENT;
1657 }
1658
1659 return PSA_SUCCESS;
1660}
1661
1662/** Validate the internal consistency of key attributes.
1663 *
1664 * This function only rejects invalid attribute values. If does not
1665 * validate the consistency of the attributes with any key data that may
1666 * be involved in the creation of the key.
1667 *
1668 * Call this function early in the key creation process.
1669 *
1670 * \param[in] attributes Key attributes for the new key.
1671 * \param[out] p_drv On any return, the driver for the key, if any.
1672 * NULL for a transparent key.
1673 *
1674 */
1675static psa_status_t psa_validate_key_attributes(
1676 const psa_key_attributes_t *attributes,
1677 psa_se_drv_table_entry_t **p_drv)
1678{
1679 psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
1680 psa_key_lifetime_t lifetime = psa_get_key_lifetime(attributes);
1681 mbedtls_svc_key_id_t key = psa_get_key_id(attributes);
1682
1683 status = psa_validate_key_location(lifetime, p_drv);
1684 if (status != PSA_SUCCESS) {
1685 return status;
1686 }
1687
1688 status = psa_validate_key_persistence(lifetime);
1689 if (status != PSA_SUCCESS) {
1690 return status;
1691 }
1692
1693 if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
1694 if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key) != 0) {
1695 return PSA_ERROR_INVALID_ARGUMENT;
1696 }
1697 } else {
1698 if (!psa_is_valid_key_id(psa_get_key_id(attributes), 0)) {
1699 return PSA_ERROR_INVALID_ARGUMENT;
1700 }
1701 }
1702
1703 status = psa_validate_key_policy(&attributes->policy);
1704 if (status != PSA_SUCCESS) {
1705 return status;
1706 }
1707
1708 /* Refuse to create overly large keys.
1709 * Note that this doesn't trigger on import if the attributes don't
1710 * explicitly specify a size (so psa_get_key_bits returns 0), so
1711 * psa_import_key() needs its own checks. */
1712 if (psa_get_key_bits(attributes) > PSA_MAX_KEY_BITS) {
1713 return PSA_ERROR_NOT_SUPPORTED;
1714 }
1715
1716 return PSA_SUCCESS;
1717}
1718
1719/** Prepare a key slot to receive key material.
1720 *
1721 * This function allocates a key slot and sets its metadata.
1722 *
1723 * If this function fails, call psa_fail_key_creation().
1724 *
1725 * This function is intended to be used as follows:
1726 * -# Call psa_start_key_creation() to allocate a key slot, prepare
1727 * it with the specified attributes, and in case of a volatile key assign it
1728 * a volatile key identifier.
1729 * -# Populate the slot with the key material.
1730 * -# Call psa_finish_key_creation() to finalize the creation of the slot.
1731 * In case of failure at any step, stop the sequence and call
1732 * psa_fail_key_creation().
1733 *
1734 * On success, the key slot's state is PSA_SLOT_FILLING.
1735 * It is the responsibility of the caller to change the slot's state to
1736 * PSA_SLOT_EMPTY/FULL once key creation has finished.
1737 *
1738 * \param method An identification of the calling function.
1739 * \param[in] attributes Key attributes for the new key.
1740 * \param[out] p_slot On success, a pointer to the prepared slot.
1741 * \param[out] p_drv On any return, the driver for the key, if any.
1742 * NULL for a transparent key.
1743 *
1744 * \retval #PSA_SUCCESS
1745 * The key slot is ready to receive key material.
1746 * \return If this function fails, the key slot is an invalid state.
1747 * You must call psa_fail_key_creation() to wipe and free the slot.
1748 */
1749static psa_status_t psa_start_key_creation(
1750 psa_key_creation_method_t method,
1751 const psa_key_attributes_t *attributes,
1752 psa_key_slot_t **p_slot,
1753 psa_se_drv_table_entry_t **p_drv)
1754{
1755 psa_status_t status;
1756 psa_key_id_t volatile_key_id;
1757 psa_key_slot_t *slot;
1758
1759 (void) method;
1760 *p_drv = NULL;
1761
1762 status = psa_validate_key_attributes(attributes, p_drv);
1763 if (status != PSA_SUCCESS) {
1764 return status;
1765 }
1766
1767#if defined(MBEDTLS_THREADING_C)
1768 PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
1769 &mbedtls_threading_key_slot_mutex));
1770#endif
1771 status = psa_reserve_free_key_slot(&volatile_key_id, p_slot);
1772#if defined(MBEDTLS_THREADING_C)
1773 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1774 &mbedtls_threading_key_slot_mutex));
1775#endif
1776 if (status != PSA_SUCCESS) {
1777 return status;
1778 }
1779 slot = *p_slot;
1780
1781 /* We're storing the declared bit-size of the key. It's up to each
1782 * creation mechanism to verify that this information is correct.
1783 * It's automatically correct for mechanisms that use the bit-size as
1784 * an input (generate, device) but not for those where the bit-size
1785 * is optional (import, copy). In case of a volatile key, assign it the
1786 * volatile key identifier associated to the slot returned to contain its
1787 * definition. */
1788
1789 slot->attr = *attributes;
1790 if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
1791#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
1792 slot->attr.id = volatile_key_id;
1793#else
1794 slot->attr.id.key_id = volatile_key_id;
1795#endif
1796 }
1797
1798#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1799 /* For a key in a secure element, we need to do three things
1800 * when creating or registering a persistent key:
1801 * create the key file in internal storage, create the
1802 * key inside the secure element, and update the driver's
1803 * persistent data. This is done by starting a transaction that will
1804 * encompass these three actions.
1805 * For registering a volatile key, we just need to find an appropriate
1806 * slot number inside the SE. Since the key is designated volatile, creating
1807 * a transaction is not required. */
1808 /* The first thing to do is to find a slot number for the new key.
1809 * We save the slot number in persistent storage as part of the
1810 * transaction data. It will be needed to recover if the power
1811 * fails during the key creation process, to clean up on the secure
1812 * element side after restarting. Obtaining a slot number from the
1813 * secure element driver updates its persistent state, but we do not yet
1814 * save the driver's persistent state, so that if the power fails,
1815 * we can roll back to a state where the key doesn't exist. */
1816 if (*p_drv != NULL) {
1817 psa_key_slot_number_t slot_number;
1818 status = psa_find_se_slot_for_key(attributes, method, *p_drv,
1819 &slot_number);
1820 if (status != PSA_SUCCESS) {
1821 return status;
1822 }
1823
1824 if (!PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime)) {
1825 psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_CREATE_KEY);
1826 psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
1827 psa_crypto_transaction.key.slot = slot_number;
1828 psa_crypto_transaction.key.id = slot->attr.id;
1829 status = psa_crypto_save_transaction();
1830 if (status != PSA_SUCCESS) {
1831 (void) psa_crypto_stop_transaction();
1832 return status;
1833 }
1834 }
1835
1836 status = psa_copy_key_material_into_slot(
1837 slot, (uint8_t *) (&slot_number), sizeof(slot_number));
1838 }
1839
1840 if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) {
1841 /* Key registration only makes sense with a secure element. */
1842 return PSA_ERROR_INVALID_ARGUMENT;
1843 }
1844#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1845
1846 return PSA_SUCCESS;
1847}
1848
1849/** Finalize the creation of a key once its key material has been set.
1850 *
1851 * This entails writing the key to persistent storage.
1852 *
1853 * If this function fails, call psa_fail_key_creation().
1854 * See the documentation of psa_start_key_creation() for the intended use
1855 * of this function.
1856 *
1857 * If the finalization succeeds, the function sets the key slot's state to
1858 * PSA_SLOT_FULL, and the key slot can no longer be accessed as part of the
1859 * key creation process.
1860 *
1861 * \param[in,out] slot Pointer to the slot with key material.
1862 * \param[in] driver The secure element driver for the key,
1863 * or NULL for a transparent key.
1864 * \param[out] key On success, identifier of the key. Note that the
1865 * key identifier is also stored in the key slot.
1866 *
1867 * \retval #PSA_SUCCESS
1868 * The key was successfully created.
1869 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1870 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
1871 * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
1872 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
1873 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
1874 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1875 *
1876 * \return If this function fails, the key slot is an invalid state.
1877 * You must call psa_fail_key_creation() to wipe and free the slot.
1878 */
1879static psa_status_t psa_finish_key_creation(
1880 psa_key_slot_t *slot,
1881 psa_se_drv_table_entry_t *driver,
1882 mbedtls_svc_key_id_t *key)
1883{
1884 psa_status_t status = PSA_SUCCESS;
1885 (void) slot;
1886 (void) driver;
1887
1888#if defined(MBEDTLS_THREADING_C)
1889 PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
1890 &mbedtls_threading_key_slot_mutex));
1891#endif
1892
1893#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
1894 if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
1895#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1896 if (driver != NULL) {
1897 psa_se_key_data_storage_t data;
1898 psa_key_slot_number_t slot_number =
1899 psa_key_slot_get_slot_number(slot);
1900
1901 MBEDTLS_STATIC_ASSERT(sizeof(slot_number) ==
1902 sizeof(data.slot_number),
1903 "Slot number size does not match psa_se_key_data_storage_t");
1904
1905 memcpy(&data.slot_number, &slot_number, sizeof(slot_number));
1906 status = psa_save_persistent_key(&slot->attr,
1907 (uint8_t *) &data,
1908 sizeof(data));
1909 } else
1910#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1911 {
1912 /* Key material is saved in export representation in the slot, so
1913 * just pass the slot buffer for storage. */
1914 status = psa_save_persistent_key(&slot->attr,
1915 slot->key.data,
1916 slot->key.bytes);
1917 }
1918 }
1919#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
1920
1921#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1922 /* Finish the transaction for a key creation. This does not
1923 * happen when registering an existing key. Detect this case
1924 * by checking whether a transaction is in progress (actual
1925 * creation of a persistent key in a secure element requires a transaction,
1926 * but registration or volatile key creation doesn't use one). */
1927 if (driver != NULL &&
1928 psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY) {
1929 status = psa_save_se_persistent_data(driver);
1930 if (status != PSA_SUCCESS) {
1931 psa_destroy_persistent_key(slot->attr.id);
1932
1933#if defined(MBEDTLS_THREADING_C)
1934 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1935 &mbedtls_threading_key_slot_mutex));
1936#endif
1937 return status;
1938 }
1939 status = psa_crypto_stop_transaction();
1940 }
1941#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
1942
1943 if (status == PSA_SUCCESS) {
1944 *key = slot->attr.id;
1945 status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING,
1946 PSA_SLOT_FULL);
1947 if (status != PSA_SUCCESS) {
1948 *key = MBEDTLS_SVC_KEY_ID_INIT;
1949 }
1950 }
1951
1952#if defined(MBEDTLS_THREADING_C)
1953 PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
1954 &mbedtls_threading_key_slot_mutex));
1955#endif
1956 return status;
1957}
1958
1959/** Abort the creation of a key.
1960 *
1961 * You may call this function after calling psa_start_key_creation(),
1962 * or after psa_finish_key_creation() fails. In other circumstances, this
1963 * function may not clean up persistent storage.
1964 * See the documentation of psa_start_key_creation() for the intended use
1965 * of this function. Sets the slot's state to PSA_SLOT_EMPTY.
1966 *
1967 * \param[in,out] slot Pointer to the slot with key material.
1968 * \param[in] driver The secure element driver for the key,
1969 * or NULL for a transparent key.
1970 */
1971static void psa_fail_key_creation(psa_key_slot_t *slot,
1972 psa_se_drv_table_entry_t *driver)
1973{
1974 (void) driver;
1975
1976 if (slot == NULL) {
1977 return;
1978 }
1979
1980#if defined(MBEDTLS_THREADING_C)
1981 /* If the lock operation fails we still wipe the slot.
1982 * Operations will no longer work after a failed lock,
1983 * but we still need to wipe the slot of confidential data. */
1984 mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex);
1985#endif
1986
1987#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
1988 /* TODO: If the key has already been created in the secure
1989 * element, and the failure happened later (when saving metadata
1990 * to internal storage), we need to destroy the key in the secure
1991 * element.
1992 * https://github.com/ARMmbed/mbed-crypto/issues/217
1993 */
1994
1995 /* Abort the ongoing transaction if any (there may not be one if
1996 * the creation process failed before starting one, or if the
1997 * key creation is a registration of a key in a secure element).
1998 * Earlier functions must already have done what it takes to undo any
1999 * partial creation. All that's left is to update the transaction data
2000 * itself. */
2001 (void) psa_crypto_stop_transaction();
2002#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2003
2004 psa_wipe_key_slot(slot);
2005
2006#if defined(MBEDTLS_THREADING_C)
2007 mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex);
2008#endif
2009}
2010
2011/** Validate optional attributes during key creation.
2012 *
2013 * Some key attributes are optional during key creation. If they are
2014 * specified in the attributes structure, check that they are consistent
2015 * with the data in the slot.
2016 *
2017 * This function should be called near the end of key creation, after
2018 * the slot in memory is fully populated but before saving persistent data.
2019 */
2020static psa_status_t psa_validate_optional_attributes(
2021 const psa_key_slot_t *slot,
2022 const psa_key_attributes_t *attributes)
2023{
2024 if (attributes->type != 0) {
2025 if (attributes->type != slot->attr.type) {
2026 return PSA_ERROR_INVALID_ARGUMENT;
2027 }
2028 }
2029
2030 if (attributes->bits != 0) {
2031 if (attributes->bits != slot->attr.bits) {
2032 return PSA_ERROR_INVALID_ARGUMENT;
2033 }
2034 }
2035
2036 return PSA_SUCCESS;
2037}
2038
2039psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
2040 const uint8_t *data_external,
2041 size_t data_length,
2042 mbedtls_svc_key_id_t *key)
2043{
2044 psa_status_t status;
2045 LOCAL_INPUT_DECLARE(data_external, data);
2046 psa_key_slot_t *slot = NULL;
2047 psa_se_drv_table_entry_t *driver = NULL;
2048 size_t bits;
2049 size_t storage_size = data_length;
2050
2051 *key = MBEDTLS_SVC_KEY_ID_INIT;
2052
2053 /* Reject zero-length symmetric keys (including raw data key objects).
2054 * This also rejects any key which might be encoded as an empty string,
2055 * which is never valid. */
2056 if (data_length == 0) {
2057 return PSA_ERROR_INVALID_ARGUMENT;
2058 }
2059
2060 /* Ensure that the bytes-to-bits conversion cannot overflow. */
2061 if (data_length > SIZE_MAX / 8) {
2062 return PSA_ERROR_NOT_SUPPORTED;
2063 }
2064
2065 LOCAL_INPUT_ALLOC(data_external, data_length, data);
2066
2067 status = psa_start_key_creation(PSA_KEY_CREATION_IMPORT, attributes,
2068 &slot, &driver);
2069 if (status != PSA_SUCCESS) {
2070 goto exit;
2071 }
2072
2073 /* In the case of a transparent key or an opaque key stored in local
2074 * storage ( thus not in the case of importing a key in a secure element
2075 * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
2076 * buffer to hold the imported key material. */
2077 if (slot->key.data == NULL) {
2078 if (psa_key_lifetime_is_external(attributes->lifetime)) {
2079 status = psa_driver_wrapper_get_key_buffer_size_from_key_data(
2080 attributes, data, data_length, &storage_size);
2081 if (status != PSA_SUCCESS) {
2082 goto exit;
2083 }
2084 }
2085 status = psa_allocate_buffer_to_slot(slot, storage_size);
2086 if (status != PSA_SUCCESS) {
2087 goto exit;
2088 }
2089 }
2090
2091 bits = slot->attr.bits;
2092 status = psa_driver_wrapper_import_key(attributes,
2093 data, data_length,
2094 slot->key.data,
2095 slot->key.bytes,
2096 &slot->key.bytes, &bits);
2097 if (status != PSA_SUCCESS) {
2098 goto exit;
2099 }
2100
2101 if (slot->attr.bits == 0) {
2102 slot->attr.bits = (psa_key_bits_t) bits;
2103 } else if (bits != slot->attr.bits) {
2104 status = PSA_ERROR_INVALID_ARGUMENT;
2105 goto exit;
2106 }
2107
2108 /* Enforce a size limit, and in particular ensure that the bit
2109 * size fits in its representation type.*/
2110 if (bits > PSA_MAX_KEY_BITS) {
2111 status = PSA_ERROR_NOT_SUPPORTED;
2112 goto exit;
2113 }
2114 status = psa_validate_optional_attributes(slot, attributes);
2115 if (status != PSA_SUCCESS) {
2116 goto exit;
2117 }
2118
2119 status = psa_finish_key_creation(slot, driver, key);
2120exit:
2121 LOCAL_INPUT_FREE(data_external, data);
2122 if (status != PSA_SUCCESS) {
2123 psa_fail_key_creation(slot, driver);
2124 }
2125
2126 return status;
2127}
2128
2129#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
2130psa_status_t mbedtls_psa_register_se_key(
2131 const psa_key_attributes_t *attributes)
2132{
2133 psa_status_t status;
2134 psa_key_slot_t *slot = NULL;
2135 psa_se_drv_table_entry_t *driver = NULL;
2136 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2137
2138 /* Leaving attributes unspecified is not currently supported.
2139 * It could make sense to query the key type and size from the
2140 * secure element, but not all secure elements support this
2141 * and the driver HAL doesn't currently support it. */
2142 if (psa_get_key_type(attributes) == PSA_KEY_TYPE_NONE) {
2143 return PSA_ERROR_NOT_SUPPORTED;
2144 }
2145 if (psa_get_key_bits(attributes) == 0) {
2146 return PSA_ERROR_NOT_SUPPORTED;
2147 }
2148
2149 status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
2150 &slot, &driver);
2151 if (status != PSA_SUCCESS) {
2152 goto exit;
2153 }
2154
2155 status = psa_finish_key_creation(slot, driver, &key);
2156
2157exit:
2158 if (status != PSA_SUCCESS) {
2159 psa_fail_key_creation(slot, driver);
2160 }
2161
2162 /* Registration doesn't keep the key in RAM. */
2163 psa_close_key(key);
2164 return status;
2165}
2166#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
2167
2168psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
2169 const psa_key_attributes_t *specified_attributes,
2170 mbedtls_svc_key_id_t *target_key)
2171{
2172 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2173 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2174 psa_key_slot_t *source_slot = NULL;
2175 psa_key_slot_t *target_slot = NULL;
2176 psa_key_attributes_t actual_attributes = *specified_attributes;
2177 psa_se_drv_table_entry_t *driver = NULL;
2178 size_t storage_size = 0;
2179
2180 *target_key = MBEDTLS_SVC_KEY_ID_INIT;
2181
2182 status = psa_get_and_lock_key_slot_with_policy(
2183 source_key, &source_slot, PSA_KEY_USAGE_COPY, 0);
2184 if (status != PSA_SUCCESS) {
2185 goto exit;
2186 }
2187
2188 status = psa_validate_optional_attributes(source_slot,
2189 specified_attributes);
2190 if (status != PSA_SUCCESS) {
2191 goto exit;
2192 }
2193
2194 /* The target key type and number of bits have been validated by
2195 * psa_validate_optional_attributes() to be either equal to zero or
2196 * equal to the ones of the source key. So it is safe to inherit
2197 * them from the source key now."
2198 * */
2199 actual_attributes.bits = source_slot->attr.bits;
2200 actual_attributes.type = source_slot->attr.type;
2201
2202
2203 status = psa_restrict_key_policy(source_slot->attr.type,
2204 &actual_attributes.policy,
2205 &source_slot->attr.policy);
2206 if (status != PSA_SUCCESS) {
2207 goto exit;
2208 }
2209
2210 status = psa_start_key_creation(PSA_KEY_CREATION_COPY, &actual_attributes,
2211 &target_slot, &driver);
2212 if (status != PSA_SUCCESS) {
2213 goto exit;
2214 }
2215 if (PSA_KEY_LIFETIME_GET_LOCATION(target_slot->attr.lifetime) !=
2216 PSA_KEY_LIFETIME_GET_LOCATION(source_slot->attr.lifetime)) {
2217 /*
2218 * If the source and target keys are stored in different locations,
2219 * the source key would need to be exported as plaintext and re-imported
2220 * in the other location. This has security implications which have not
2221 * been fully mapped. For now, this can be achieved through
2222 * appropriate API invocations from the application, if needed.
2223 * */
2224 status = PSA_ERROR_NOT_SUPPORTED;
2225 goto exit;
2226 }
2227 /*
2228 * When the source and target keys are within the same location,
2229 * - For transparent keys it is a blind copy without any driver invocation,
2230 * - For opaque keys this translates to an invocation of the drivers'
2231 * copy_key entry point through the dispatch layer.
2232 * */
2233 if (psa_key_lifetime_is_external(actual_attributes.lifetime)) {
2234 status = psa_driver_wrapper_get_key_buffer_size(&actual_attributes,
2235 &storage_size);
2236 if (status != PSA_SUCCESS) {
2237 goto exit;
2238 }
2239
2240 status = psa_allocate_buffer_to_slot(target_slot, storage_size);
2241 if (status != PSA_SUCCESS) {
2242 goto exit;
2243 }
2244
2245 status = psa_driver_wrapper_copy_key(&actual_attributes,
2246 source_slot->key.data,
2247 source_slot->key.bytes,
2248 target_slot->key.data,
2249 target_slot->key.bytes,
2250 &target_slot->key.bytes);
2251 if (status != PSA_SUCCESS) {
2252 goto exit;
2253 }
2254 } else {
2255 status = psa_copy_key_material_into_slot(target_slot,
2256 source_slot->key.data,
2257 source_slot->key.bytes);
2258 if (status != PSA_SUCCESS) {
2259 goto exit;
2260 }
2261 }
2262 status = psa_finish_key_creation(target_slot, driver, target_key);
2263exit:
2264 if (status != PSA_SUCCESS) {
2265 psa_fail_key_creation(target_slot, driver);
2266 }
2267
2268 unlock_status = psa_unregister_read_under_mutex(source_slot);
2269
2270 return (status == PSA_SUCCESS) ? unlock_status : status;
2271}
2272
2273
2274
2275/****************************************************************/
2276/* Message digests */
2277/****************************************************************/
2278
2279psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
2280{
2281 /* Aborting a non-active operation is allowed */
2282 if (operation->id == 0) {
2283 return PSA_SUCCESS;
2284 }
2285
2286 psa_status_t status = psa_driver_wrapper_hash_abort(operation);
2287 operation->id = 0;
2288
2289 return status;
2290}
2291
2292psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
2293 psa_algorithm_t alg)
2294{
2295 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2296
2297 /* A context must be freshly initialized before it can be set up. */
2298 if (operation->id != 0) {
2299 status = PSA_ERROR_BAD_STATE;
2300 goto exit;
2301 }
2302
2303 if (!PSA_ALG_IS_HASH(alg)) {
2304 status = PSA_ERROR_INVALID_ARGUMENT;
2305 goto exit;
2306 }
2307
2308 /* Ensure all of the context is zeroized, since PSA_HASH_OPERATION_INIT only
2309 * directly zeroes the int-sized dummy member of the context union. */
2310 memset(&operation->ctx, 0, sizeof(operation->ctx));
2311
2312 status = psa_driver_wrapper_hash_setup(operation, alg);
2313
2314exit:
2315 if (status != PSA_SUCCESS) {
2316 psa_hash_abort(operation);
2317 }
2318
2319 return status;
2320}
2321
2322psa_status_t psa_hash_update(psa_hash_operation_t *operation,
2323 const uint8_t *input_external,
2324 size_t input_length)
2325{
2326 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2327 LOCAL_INPUT_DECLARE(input_external, input);
2328
2329 if (operation->id == 0) {
2330 status = PSA_ERROR_BAD_STATE;
2331 goto exit;
2332 }
2333
2334 /* Don't require hash implementations to behave correctly on a
2335 * zero-length input, which may have an invalid pointer. */
2336 if (input_length == 0) {
2337 return PSA_SUCCESS;
2338 }
2339
2340 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2341 status = psa_driver_wrapper_hash_update(operation, input, input_length);
2342
2343exit:
2344 if (status != PSA_SUCCESS) {
2345 psa_hash_abort(operation);
2346 }
2347
2348 LOCAL_INPUT_FREE(input_external, input);
2349 return status;
2350}
2351
2352static psa_status_t psa_hash_finish_internal(psa_hash_operation_t *operation,
2353 uint8_t *hash,
2354 size_t hash_size,
2355 size_t *hash_length)
2356{
2357 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2358
2359 *hash_length = 0;
2360 if (operation->id == 0) {
2361 return PSA_ERROR_BAD_STATE;
2362 }
2363
2364 status = psa_driver_wrapper_hash_finish(
2365 operation, hash, hash_size, hash_length);
2366 psa_hash_abort(operation);
2367
2368 return status;
2369}
2370
2371psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
2372 uint8_t *hash_external,
2373 size_t hash_size,
2374 size_t *hash_length)
2375{
2376 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2377 LOCAL_OUTPUT_DECLARE(hash_external, hash);
2378
2379 LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
2380 status = psa_hash_finish_internal(operation, hash, hash_size, hash_length);
2381
2382#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2383exit:
2384#endif
2385 LOCAL_OUTPUT_FREE(hash_external, hash);
2386 return status;
2387}
2388
2389psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
2390 const uint8_t *hash_external,
2391 size_t hash_length)
2392{
2393 uint8_t actual_hash[PSA_HASH_MAX_SIZE];
2394 size_t actual_hash_length;
2395 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2396 LOCAL_INPUT_DECLARE(hash_external, hash);
2397
2398 status = psa_hash_finish_internal(
2399 operation,
2400 actual_hash, sizeof(actual_hash),
2401 &actual_hash_length);
2402
2403 if (status != PSA_SUCCESS) {
2404 goto exit;
2405 }
2406
2407 if (actual_hash_length != hash_length) {
2408 status = PSA_ERROR_INVALID_SIGNATURE;
2409 goto exit;
2410 }
2411
2412 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
2413 if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
2414 status = PSA_ERROR_INVALID_SIGNATURE;
2415 }
2416
2417exit:
2418 mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
2419 if (status != PSA_SUCCESS) {
2420 psa_hash_abort(operation);
2421 }
2422 LOCAL_INPUT_FREE(hash_external, hash);
2423 return status;
2424}
2425
2426psa_status_t psa_hash_compute(psa_algorithm_t alg,
2427 const uint8_t *input_external, size_t input_length,
2428 uint8_t *hash_external, size_t hash_size,
2429 size_t *hash_length)
2430{
2431 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2432 LOCAL_INPUT_DECLARE(input_external, input);
2433 LOCAL_OUTPUT_DECLARE(hash_external, hash);
2434
2435 *hash_length = 0;
2436 if (!PSA_ALG_IS_HASH(alg)) {
2437 return PSA_ERROR_INVALID_ARGUMENT;
2438 }
2439
2440 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2441 LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
2442 status = psa_driver_wrapper_hash_compute(alg, input, input_length,
2443 hash, hash_size, hash_length);
2444
2445#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2446exit:
2447#endif
2448 LOCAL_INPUT_FREE(input_external, input);
2449 LOCAL_OUTPUT_FREE(hash_external, hash);
2450 return status;
2451}
2452
2453psa_status_t psa_hash_compare(psa_algorithm_t alg,
2454 const uint8_t *input_external, size_t input_length,
2455 const uint8_t *hash_external, size_t hash_length)
2456{
2457 uint8_t actual_hash[PSA_HASH_MAX_SIZE];
2458 size_t actual_hash_length;
2459 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2460
2461 LOCAL_INPUT_DECLARE(input_external, input);
2462 LOCAL_INPUT_DECLARE(hash_external, hash);
2463
2464 if (!PSA_ALG_IS_HASH(alg)) {
2465 status = PSA_ERROR_INVALID_ARGUMENT;
2466 return status;
2467 }
2468
2469 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2470 status = psa_driver_wrapper_hash_compute(
2471 alg, input, input_length,
2472 actual_hash, sizeof(actual_hash),
2473 &actual_hash_length);
2474 if (status != PSA_SUCCESS) {
2475 goto exit;
2476 }
2477 if (actual_hash_length != hash_length) {
2478 status = PSA_ERROR_INVALID_SIGNATURE;
2479 goto exit;
2480 }
2481
2482 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
2483 if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
2484 status = PSA_ERROR_INVALID_SIGNATURE;
2485 }
2486
2487exit:
2488 mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
2489
2490 LOCAL_INPUT_FREE(input_external, input);
2491 LOCAL_INPUT_FREE(hash_external, hash);
2492
2493 return status;
2494}
2495
2496psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
2497 psa_hash_operation_t *target_operation)
2498{
2499 if (source_operation->id == 0 ||
2500 target_operation->id != 0) {
2501 return PSA_ERROR_BAD_STATE;
2502 }
2503
2504 psa_status_t status = psa_driver_wrapper_hash_clone(source_operation,
2505 target_operation);
2506 if (status != PSA_SUCCESS) {
2507 psa_hash_abort(target_operation);
2508 }
2509
2510 return status;
2511}
2512
2513
2514/****************************************************************/
2515/* MAC */
2516/****************************************************************/
2517
2518psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
2519{
2520 /* Aborting a non-active operation is allowed */
2521 if (operation->id == 0) {
2522 return PSA_SUCCESS;
2523 }
2524
2525 psa_status_t status = psa_driver_wrapper_mac_abort(operation);
2526 operation->mac_size = 0;
2527 operation->is_sign = 0;
2528 operation->id = 0;
2529
2530 return status;
2531}
2532
2533static psa_status_t psa_mac_finalize_alg_and_key_validation(
2534 psa_algorithm_t alg,
2535 const psa_key_attributes_t *attributes,
2536 uint8_t *mac_size)
2537{
2538 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2539 psa_key_type_t key_type = psa_get_key_type(attributes);
2540 size_t key_bits = psa_get_key_bits(attributes);
2541
2542 if (!PSA_ALG_IS_MAC(alg)) {
2543 return PSA_ERROR_INVALID_ARGUMENT;
2544 }
2545
2546 /* Validate the combination of key type and algorithm */
2547 status = psa_mac_key_can_do(alg, key_type);
2548 if (status != PSA_SUCCESS) {
2549 return status;
2550 }
2551
2552 /* Get the output length for the algorithm and key combination */
2553 *mac_size = PSA_MAC_LENGTH(key_type, key_bits, alg);
2554
2555 if (*mac_size < 4) {
2556 /* A very short MAC is too short for security since it can be
2557 * brute-forced. Ancient protocols with 32-bit MACs do exist,
2558 * so we make this our minimum, even though 32 bits is still
2559 * too small for security. */
2560 return PSA_ERROR_NOT_SUPPORTED;
2561 }
2562
2563 if (*mac_size > PSA_MAC_LENGTH(key_type, key_bits,
2564 PSA_ALG_FULL_LENGTH_MAC(alg))) {
2565 /* It's impossible to "truncate" to a larger length than the full length
2566 * of the algorithm. */
2567 return PSA_ERROR_INVALID_ARGUMENT;
2568 }
2569
2570 if (*mac_size > PSA_MAC_MAX_SIZE) {
2571 /* PSA_MAC_LENGTH returns the correct length even for a MAC algorithm
2572 * that is disabled in the compile-time configuration. The result can
2573 * therefore be larger than PSA_MAC_MAX_SIZE, which does take the
2574 * configuration into account. In this case, force a return of
2575 * PSA_ERROR_NOT_SUPPORTED here. Otherwise psa_mac_verify(), or
2576 * psa_mac_compute(mac_size=PSA_MAC_MAX_SIZE), would return
2577 * PSA_ERROR_BUFFER_TOO_SMALL for an unsupported algorithm whose MAC size
2578 * is larger than PSA_MAC_MAX_SIZE, which is misleading and which breaks
2579 * systematically generated tests. */
2580 return PSA_ERROR_NOT_SUPPORTED;
2581 }
2582
2583 return PSA_SUCCESS;
2584}
2585
2586static psa_status_t psa_mac_setup(psa_mac_operation_t *operation,
2587 mbedtls_svc_key_id_t key,
2588 psa_algorithm_t alg,
2589 int is_sign)
2590{
2591 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2592 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2593 psa_key_slot_t *slot = NULL;
2594
2595 /* A context must be freshly initialized before it can be set up. */
2596 if (operation->id != 0) {
2597 status = PSA_ERROR_BAD_STATE;
2598 goto exit;
2599 }
2600
2601 status = psa_get_and_lock_key_slot_with_policy(
2602 key,
2603 &slot,
2604 is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
2605 alg);
2606 if (status != PSA_SUCCESS) {
2607 goto exit;
2608 }
2609
2610 status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr,
2611 &operation->mac_size);
2612 if (status != PSA_SUCCESS) {
2613 goto exit;
2614 }
2615
2616 operation->is_sign = is_sign;
2617 /* Dispatch the MAC setup call with validated input */
2618 if (is_sign) {
2619 status = psa_driver_wrapper_mac_sign_setup(operation,
2620 &slot->attr,
2621 slot->key.data,
2622 slot->key.bytes,
2623 alg);
2624 } else {
2625 status = psa_driver_wrapper_mac_verify_setup(operation,
2626 &slot->attr,
2627 slot->key.data,
2628 slot->key.bytes,
2629 alg);
2630 }
2631
2632exit:
2633 if (status != PSA_SUCCESS) {
2634 psa_mac_abort(operation);
2635 }
2636
2637 unlock_status = psa_unregister_read_under_mutex(slot);
2638
2639 return (status == PSA_SUCCESS) ? unlock_status : status;
2640}
2641
2642psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
2643 mbedtls_svc_key_id_t key,
2644 psa_algorithm_t alg)
2645{
2646 return psa_mac_setup(operation, key, alg, 1);
2647}
2648
2649psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
2650 mbedtls_svc_key_id_t key,
2651 psa_algorithm_t alg)
2652{
2653 return psa_mac_setup(operation, key, alg, 0);
2654}
2655
2656psa_status_t psa_mac_update(psa_mac_operation_t *operation,
2657 const uint8_t *input_external,
2658 size_t input_length)
2659{
2660 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2661 LOCAL_INPUT_DECLARE(input_external, input);
2662
2663 if (operation->id == 0) {
2664 status = PSA_ERROR_BAD_STATE;
2665 return status;
2666 }
2667
2668 /* Don't require hash implementations to behave correctly on a
2669 * zero-length input, which may have an invalid pointer. */
2670 if (input_length == 0) {
2671 status = PSA_SUCCESS;
2672 return status;
2673 }
2674
2675 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2676 status = psa_driver_wrapper_mac_update(operation, input, input_length);
2677
2678 if (status != PSA_SUCCESS) {
2679 psa_mac_abort(operation);
2680 }
2681
2682#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2683exit:
2684#endif
2685 LOCAL_INPUT_FREE(input_external, input);
2686
2687 return status;
2688}
2689
2690psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
2691 uint8_t *mac_external,
2692 size_t mac_size,
2693 size_t *mac_length)
2694{
2695 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2696 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
2697 LOCAL_OUTPUT_DECLARE(mac_external, mac);
2698 LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
2699
2700 if (operation->id == 0) {
2701 status = PSA_ERROR_BAD_STATE;
2702 goto exit;
2703 }
2704
2705 if (!operation->is_sign) {
2706 status = PSA_ERROR_BAD_STATE;
2707 goto exit;
2708 }
2709
2710 /* Sanity check. This will guarantee that mac_size != 0 (and so mac != NULL)
2711 * once all the error checks are done. */
2712 if (operation->mac_size == 0) {
2713 status = PSA_ERROR_BAD_STATE;
2714 goto exit;
2715 }
2716
2717 if (mac_size < operation->mac_size) {
2718 status = PSA_ERROR_BUFFER_TOO_SMALL;
2719 goto exit;
2720 }
2721
2722
2723 status = psa_driver_wrapper_mac_sign_finish(operation,
2724 mac, operation->mac_size,
2725 mac_length);
2726
2727exit:
2728 /* In case of success, set the potential excess room in the output buffer
2729 * to an invalid value, to avoid potentially leaking a longer MAC.
2730 * In case of error, set the output length and content to a safe default,
2731 * such that in case the caller misses an error check, the output would be
2732 * an unachievable MAC.
2733 */
2734 if (status != PSA_SUCCESS) {
2735 *mac_length = mac_size;
2736 operation->mac_size = 0;
2737 }
2738
2739 if (mac != NULL) {
2740 psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
2741 }
2742
2743 abort_status = psa_mac_abort(operation);
2744 LOCAL_OUTPUT_FREE(mac_external, mac);
2745
2746 return status == PSA_SUCCESS ? abort_status : status;
2747}
2748
2749psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
2750 const uint8_t *mac_external,
2751 size_t mac_length)
2752{
2753 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2754 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
2755 LOCAL_INPUT_DECLARE(mac_external, mac);
2756
2757 if (operation->id == 0) {
2758 status = PSA_ERROR_BAD_STATE;
2759 goto exit;
2760 }
2761
2762 if (operation->is_sign) {
2763 status = PSA_ERROR_BAD_STATE;
2764 goto exit;
2765 }
2766
2767 if (operation->mac_size != mac_length) {
2768 status = PSA_ERROR_INVALID_SIGNATURE;
2769 goto exit;
2770 }
2771
2772 LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
2773 status = psa_driver_wrapper_mac_verify_finish(operation,
2774 mac, mac_length);
2775
2776exit:
2777 abort_status = psa_mac_abort(operation);
2778 LOCAL_INPUT_FREE(mac_external, mac);
2779
2780 return status == PSA_SUCCESS ? abort_status : status;
2781}
2782
2783static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key,
2784 psa_algorithm_t alg,
2785 const uint8_t *input,
2786 size_t input_length,
2787 uint8_t *mac,
2788 size_t mac_size,
2789 size_t *mac_length,
2790 int is_sign)
2791{
2792 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2793 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2794 psa_key_slot_t *slot;
2795 uint8_t operation_mac_size = 0;
2796
2797 status = psa_get_and_lock_key_slot_with_policy(
2798 key,
2799 &slot,
2800 is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
2801 alg);
2802 if (status != PSA_SUCCESS) {
2803 goto exit;
2804 }
2805
2806 status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr,
2807 &operation_mac_size);
2808 if (status != PSA_SUCCESS) {
2809 goto exit;
2810 }
2811
2812 if (mac_size < operation_mac_size) {
2813 status = PSA_ERROR_BUFFER_TOO_SMALL;
2814 goto exit;
2815 }
2816
2817 status = psa_driver_wrapper_mac_compute(
2818 &slot->attr,
2819 slot->key.data, slot->key.bytes,
2820 alg,
2821 input, input_length,
2822 mac, operation_mac_size, mac_length);
2823
2824exit:
2825 /* In case of success, set the potential excess room in the output buffer
2826 * to an invalid value, to avoid potentially leaking a longer MAC.
2827 * In case of error, set the output length and content to a safe default,
2828 * such that in case the caller misses an error check, the output would be
2829 * an unachievable MAC.
2830 */
2831 if (status != PSA_SUCCESS) {
2832 *mac_length = mac_size;
2833 operation_mac_size = 0;
2834 }
2835
2836 psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
2837
2838 unlock_status = psa_unregister_read_under_mutex(slot);
2839
2840 return (status == PSA_SUCCESS) ? unlock_status : status;
2841}
2842
2843psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
2844 psa_algorithm_t alg,
2845 const uint8_t *input_external,
2846 size_t input_length,
2847 uint8_t *mac_external,
2848 size_t mac_size,
2849 size_t *mac_length)
2850{
2851 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2852 LOCAL_INPUT_DECLARE(input_external, input);
2853 LOCAL_OUTPUT_DECLARE(mac_external, mac);
2854
2855 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2856 LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
2857 status = psa_mac_compute_internal(key, alg,
2858 input, input_length,
2859 mac, mac_size, mac_length, 1);
2860
2861#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
2862exit:
2863#endif
2864 LOCAL_INPUT_FREE(input_external, input);
2865 LOCAL_OUTPUT_FREE(mac_external, mac);
2866
2867 return status;
2868}
2869
2870psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
2871 psa_algorithm_t alg,
2872 const uint8_t *input_external,
2873 size_t input_length,
2874 const uint8_t *mac_external,
2875 size_t mac_length)
2876{
2877 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2878 uint8_t actual_mac[PSA_MAC_MAX_SIZE];
2879 size_t actual_mac_length;
2880 LOCAL_INPUT_DECLARE(input_external, input);
2881 LOCAL_INPUT_DECLARE(mac_external, mac);
2882
2883 LOCAL_INPUT_ALLOC(input_external, input_length, input);
2884 status = psa_mac_compute_internal(key, alg,
2885 input, input_length,
2886 actual_mac, sizeof(actual_mac),
2887 &actual_mac_length, 0);
2888 if (status != PSA_SUCCESS) {
2889 goto exit;
2890 }
2891
2892 if (mac_length != actual_mac_length) {
2893 status = PSA_ERROR_INVALID_SIGNATURE;
2894 goto exit;
2895 }
2896
2897 LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
2898 if (mbedtls_ct_memcmp(mac, actual_mac, actual_mac_length) != 0) {
2899 status = PSA_ERROR_INVALID_SIGNATURE;
2900 goto exit;
2901 }
2902
2903exit:
2904 mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
2905 LOCAL_INPUT_FREE(input_external, input);
2906 LOCAL_INPUT_FREE(mac_external, mac);
2907
2908 return status;
2909}
2910
2911/****************************************************************/
2912/* Asymmetric cryptography */
2913/****************************************************************/
2914
2915static psa_status_t psa_sign_verify_check_alg(int input_is_message,
2916 psa_algorithm_t alg)
2917{
2918 if (input_is_message) {
2919 if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) {
2920 return PSA_ERROR_INVALID_ARGUMENT;
2921 }
2922
2923 if (PSA_ALG_IS_SIGN_HASH(alg)) {
2924 if (!PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(alg))) {
2925 return PSA_ERROR_INVALID_ARGUMENT;
2926 }
2927 }
2928 } else {
2929 if (!PSA_ALG_IS_SIGN_HASH(alg)) {
2930 return PSA_ERROR_INVALID_ARGUMENT;
2931 }
2932 }
2933
2934 return PSA_SUCCESS;
2935}
2936
2937static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key,
2938 int input_is_message,
2939 psa_algorithm_t alg,
2940 const uint8_t *input,
2941 size_t input_length,
2942 uint8_t *signature,
2943 size_t signature_size,
2944 size_t *signature_length)
2945{
2946 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2947 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
2948 psa_key_slot_t *slot;
2949
2950 *signature_length = 0;
2951
2952 status = psa_sign_verify_check_alg(input_is_message, alg);
2953 if (status != PSA_SUCCESS) {
2954 return status;
2955 }
2956
2957 /* Immediately reject a zero-length signature buffer. This guarantees
2958 * that signature must be a valid pointer. (On the other hand, the input
2959 * buffer can in principle be empty since it doesn't actually have
2960 * to be a hash.) */
2961 if (signature_size == 0) {
2962 return PSA_ERROR_BUFFER_TOO_SMALL;
2963 }
2964
2965 status = psa_get_and_lock_key_slot_with_policy(
2966 key, &slot,
2967 input_is_message ? PSA_KEY_USAGE_SIGN_MESSAGE :
2968 PSA_KEY_USAGE_SIGN_HASH,
2969 alg);
2970
2971 if (status != PSA_SUCCESS) {
2972 goto exit;
2973 }
2974
2975 if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
2976 status = PSA_ERROR_INVALID_ARGUMENT;
2977 goto exit;
2978 }
2979
2980 if (input_is_message) {
2981 status = psa_driver_wrapper_sign_message(
2982 &slot->attr, slot->key.data, slot->key.bytes,
2983 alg, input, input_length,
2984 signature, signature_size, signature_length);
2985 } else {
2986
2987 status = psa_driver_wrapper_sign_hash(
2988 &slot->attr, slot->key.data, slot->key.bytes,
2989 alg, input, input_length,
2990 signature, signature_size, signature_length);
2991 }
2992
2993
2994exit:
2995 psa_wipe_tag_output_buffer(signature, status, signature_size,
2996 *signature_length);
2997
2998 unlock_status = psa_unregister_read_under_mutex(slot);
2999
3000 return (status == PSA_SUCCESS) ? unlock_status : status;
3001}
3002
3003static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key,
3004 int input_is_message,
3005 psa_algorithm_t alg,
3006 const uint8_t *input,
3007 size_t input_length,
3008 const uint8_t *signature,
3009 size_t signature_length)
3010{
3011 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3012 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3013 psa_key_slot_t *slot;
3014
3015 status = psa_sign_verify_check_alg(input_is_message, alg);
3016 if (status != PSA_SUCCESS) {
3017 return status;
3018 }
3019
3020 status = psa_get_and_lock_key_slot_with_policy(
3021 key, &slot,
3022 input_is_message ? PSA_KEY_USAGE_VERIFY_MESSAGE :
3023 PSA_KEY_USAGE_VERIFY_HASH,
3024 alg);
3025
3026 if (status != PSA_SUCCESS) {
3027 return status;
3028 }
3029
3030 if (input_is_message) {
3031 status = psa_driver_wrapper_verify_message(
3032 &slot->attr, slot->key.data, slot->key.bytes,
3033 alg, input, input_length,
3034 signature, signature_length);
3035 } else {
3036 status = psa_driver_wrapper_verify_hash(
3037 &slot->attr, slot->key.data, slot->key.bytes,
3038 alg, input, input_length,
3039 signature, signature_length);
3040 }
3041
3042 unlock_status = psa_unregister_read_under_mutex(slot);
3043
3044 return (status == PSA_SUCCESS) ? unlock_status : status;
3045
3046}
3047
3048psa_status_t psa_sign_message_builtin(
3049 const psa_key_attributes_t *attributes,
3050 const uint8_t *key_buffer,
3051 size_t key_buffer_size,
3052 psa_algorithm_t alg,
3053 const uint8_t *input,
3054 size_t input_length,
3055 uint8_t *signature,
3056 size_t signature_size,
3057 size_t *signature_length)
3058{
3059 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3060
3061 if (PSA_ALG_IS_SIGN_HASH(alg)) {
3062 size_t hash_length;
3063 uint8_t hash[PSA_HASH_MAX_SIZE];
3064
3065 status = psa_driver_wrapper_hash_compute(
3066 PSA_ALG_SIGN_GET_HASH(alg),
3067 input, input_length,
3068 hash, sizeof(hash), &hash_length);
3069
3070 if (status != PSA_SUCCESS) {
3071 return status;
3072 }
3073
3074 return psa_driver_wrapper_sign_hash(
3075 attributes, key_buffer, key_buffer_size,
3076 alg, hash, hash_length,
3077 signature, signature_size, signature_length);
3078 }
3079
3080 return PSA_ERROR_NOT_SUPPORTED;
3081}
3082
3083psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
3084 psa_algorithm_t alg,
3085 const uint8_t *input_external,
3086 size_t input_length,
3087 uint8_t *signature_external,
3088 size_t signature_size,
3089 size_t *signature_length)
3090{
3091 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3092 LOCAL_INPUT_DECLARE(input_external, input);
3093 LOCAL_OUTPUT_DECLARE(signature_external, signature);
3094
3095 LOCAL_INPUT_ALLOC(input_external, input_length, input);
3096 LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
3097 status = psa_sign_internal(key, 1, alg, input, input_length, signature,
3098 signature_size, signature_length);
3099
3100#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3101exit:
3102#endif
3103 LOCAL_INPUT_FREE(input_external, input);
3104 LOCAL_OUTPUT_FREE(signature_external, signature);
3105 return status;
3106}
3107
3108psa_status_t psa_verify_message_builtin(
3109 const psa_key_attributes_t *attributes,
3110 const uint8_t *key_buffer,
3111 size_t key_buffer_size,
3112 psa_algorithm_t alg,
3113 const uint8_t *input,
3114 size_t input_length,
3115 const uint8_t *signature,
3116 size_t signature_length)
3117{
3118 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3119
3120 if (PSA_ALG_IS_SIGN_HASH(alg)) {
3121 size_t hash_length;
3122 uint8_t hash[PSA_HASH_MAX_SIZE];
3123
3124 status = psa_driver_wrapper_hash_compute(
3125 PSA_ALG_SIGN_GET_HASH(alg),
3126 input, input_length,
3127 hash, sizeof(hash), &hash_length);
3128
3129 if (status != PSA_SUCCESS) {
3130 return status;
3131 }
3132
3133 return psa_driver_wrapper_verify_hash(
3134 attributes, key_buffer, key_buffer_size,
3135 alg, hash, hash_length,
3136 signature, signature_length);
3137 }
3138
3139 return PSA_ERROR_NOT_SUPPORTED;
3140}
3141
3142psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
3143 psa_algorithm_t alg,
3144 const uint8_t *input_external,
3145 size_t input_length,
3146 const uint8_t *signature_external,
3147 size_t signature_length)
3148{
3149 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3150 LOCAL_INPUT_DECLARE(input_external, input);
3151 LOCAL_INPUT_DECLARE(signature_external, signature);
3152
3153 LOCAL_INPUT_ALLOC(input_external, input_length, input);
3154 LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
3155 status = psa_verify_internal(key, 1, alg, input, input_length, signature,
3156 signature_length);
3157
3158#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3159exit:
3160#endif
3161 LOCAL_INPUT_FREE(input_external, input);
3162 LOCAL_INPUT_FREE(signature_external, signature);
3163
3164 return status;
3165}
3166
3167psa_status_t psa_sign_hash_builtin(
3168 const psa_key_attributes_t *attributes,
3169 const uint8_t *key_buffer, size_t key_buffer_size,
3170 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
3171 uint8_t *signature, size_t signature_size, size_t *signature_length)
3172{
3173 if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
3174 if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
3175 PSA_ALG_IS_RSA_PSS(alg)) {
3176#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
3177 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3178 return mbedtls_psa_rsa_sign_hash(
3179 attributes,
3180 key_buffer, key_buffer_size,
3181 alg, hash, hash_length,
3182 signature, signature_size, signature_length);
3183#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
3184 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
3185 } else {
3186 return PSA_ERROR_INVALID_ARGUMENT;
3187 }
3188 } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
3189 if (PSA_ALG_IS_ECDSA(alg)) {
3190#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3191 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3192 return mbedtls_psa_ecdsa_sign_hash(
3193 attributes,
3194 key_buffer, key_buffer_size,
3195 alg, hash, hash_length,
3196 signature, signature_size, signature_length);
3197#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3198 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3199 } else {
3200 return PSA_ERROR_INVALID_ARGUMENT;
3201 }
3202 }
3203
3204 (void) key_buffer;
3205 (void) key_buffer_size;
3206 (void) hash;
3207 (void) hash_length;
3208 (void) signature;
3209 (void) signature_size;
3210 (void) signature_length;
3211
3212 return PSA_ERROR_NOT_SUPPORTED;
3213}
3214
3215psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
3216 psa_algorithm_t alg,
3217 const uint8_t *hash_external,
3218 size_t hash_length,
3219 uint8_t *signature_external,
3220 size_t signature_size,
3221 size_t *signature_length)
3222{
3223 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3224 LOCAL_INPUT_DECLARE(hash_external, hash);
3225 LOCAL_OUTPUT_DECLARE(signature_external, signature);
3226
3227 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3228 LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
3229 status = psa_sign_internal(key, 0, alg, hash, hash_length, signature,
3230 signature_size, signature_length);
3231
3232#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3233exit:
3234#endif
3235 LOCAL_INPUT_FREE(hash_external, hash);
3236 LOCAL_OUTPUT_FREE(signature_external, signature);
3237
3238 return status;
3239}
3240
3241psa_status_t psa_verify_hash_builtin(
3242 const psa_key_attributes_t *attributes,
3243 const uint8_t *key_buffer, size_t key_buffer_size,
3244 psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
3245 const uint8_t *signature, size_t signature_length)
3246{
3247 if (PSA_KEY_TYPE_IS_RSA(attributes->type)) {
3248 if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
3249 PSA_ALG_IS_RSA_PSS(alg)) {
3250#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
3251 defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
3252 return mbedtls_psa_rsa_verify_hash(
3253 attributes,
3254 key_buffer, key_buffer_size,
3255 alg, hash, hash_length,
3256 signature, signature_length);
3257#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
3258 * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
3259 } else {
3260 return PSA_ERROR_INVALID_ARGUMENT;
3261 }
3262 } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
3263 if (PSA_ALG_IS_ECDSA(alg)) {
3264#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3265 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3266 return mbedtls_psa_ecdsa_verify_hash(
3267 attributes,
3268 key_buffer, key_buffer_size,
3269 alg, hash, hash_length,
3270 signature, signature_length);
3271#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3272 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3273 } else {
3274 return PSA_ERROR_INVALID_ARGUMENT;
3275 }
3276 }
3277
3278 (void) key_buffer;
3279 (void) key_buffer_size;
3280 (void) hash;
3281 (void) hash_length;
3282 (void) signature;
3283 (void) signature_length;
3284
3285 return PSA_ERROR_NOT_SUPPORTED;
3286}
3287
3288psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
3289 psa_algorithm_t alg,
3290 const uint8_t *hash_external,
3291 size_t hash_length,
3292 const uint8_t *signature_external,
3293 size_t signature_length)
3294{
3295 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3296 LOCAL_INPUT_DECLARE(hash_external, hash);
3297 LOCAL_INPUT_DECLARE(signature_external, signature);
3298
3299 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3300 LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
3301 status = psa_verify_internal(key, 0, alg, hash, hash_length, signature,
3302 signature_length);
3303
3304#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3305exit:
3306#endif
3307 LOCAL_INPUT_FREE(hash_external, hash);
3308 LOCAL_INPUT_FREE(signature_external, signature);
3309
3310 return status;
3311}
3312
3313psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
3314 psa_algorithm_t alg,
3315 const uint8_t *input_external,
3316 size_t input_length,
3317 const uint8_t *salt_external,
3318 size_t salt_length,
3319 uint8_t *output_external,
3320 size_t output_size,
3321 size_t *output_length)
3322{
3323 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3324 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3325 psa_key_slot_t *slot;
3326
3327 LOCAL_INPUT_DECLARE(input_external, input);
3328 LOCAL_INPUT_DECLARE(salt_external, salt);
3329 LOCAL_OUTPUT_DECLARE(output_external, output);
3330
3331 (void) input;
3332 (void) input_length;
3333 (void) salt;
3334 (void) output;
3335 (void) output_size;
3336
3337 *output_length = 0;
3338
3339 if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
3340 return PSA_ERROR_INVALID_ARGUMENT;
3341 }
3342
3343 status = psa_get_and_lock_key_slot_with_policy(
3344 key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
3345 if (status != PSA_SUCCESS) {
3346 return status;
3347 }
3348 if (!(PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type) ||
3349 PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type))) {
3350 status = PSA_ERROR_INVALID_ARGUMENT;
3351 goto exit;
3352 }
3353
3354 LOCAL_INPUT_ALLOC(input_external, input_length, input);
3355 LOCAL_INPUT_ALLOC(salt_external, salt_length, salt);
3356 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
3357
3358 status = psa_driver_wrapper_asymmetric_encrypt(
3359 &slot->attr, slot->key.data, slot->key.bytes,
3360 alg, input, input_length, salt, salt_length,
3361 output, output_size, output_length);
3362exit:
3363 unlock_status = psa_unregister_read_under_mutex(slot);
3364
3365 LOCAL_INPUT_FREE(input_external, input);
3366 LOCAL_INPUT_FREE(salt_external, salt);
3367 LOCAL_OUTPUT_FREE(output_external, output);
3368
3369 return (status == PSA_SUCCESS) ? unlock_status : status;
3370}
3371
3372psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
3373 psa_algorithm_t alg,
3374 const uint8_t *input_external,
3375 size_t input_length,
3376 const uint8_t *salt_external,
3377 size_t salt_length,
3378 uint8_t *output_external,
3379 size_t output_size,
3380 size_t *output_length)
3381{
3382 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3383 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3384 psa_key_slot_t *slot;
3385
3386 LOCAL_INPUT_DECLARE(input_external, input);
3387 LOCAL_INPUT_DECLARE(salt_external, salt);
3388 LOCAL_OUTPUT_DECLARE(output_external, output);
3389
3390 (void) input;
3391 (void) input_length;
3392 (void) salt;
3393 (void) output;
3394 (void) output_size;
3395
3396 *output_length = 0;
3397
3398 if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
3399 return PSA_ERROR_INVALID_ARGUMENT;
3400 }
3401
3402 status = psa_get_and_lock_key_slot_with_policy(
3403 key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
3404 if (status != PSA_SUCCESS) {
3405 return status;
3406 }
3407 if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
3408 status = PSA_ERROR_INVALID_ARGUMENT;
3409 goto exit;
3410 }
3411
3412 LOCAL_INPUT_ALLOC(input_external, input_length, input);
3413 LOCAL_INPUT_ALLOC(salt_external, salt_length, salt);
3414 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
3415
3416 status = psa_driver_wrapper_asymmetric_decrypt(
3417 &slot->attr, slot->key.data, slot->key.bytes,
3418 alg, input, input_length, salt, salt_length,
3419 output, output_size, output_length);
3420
3421exit:
3422 unlock_status = psa_unregister_read_under_mutex(slot);
3423
3424 LOCAL_INPUT_FREE(input_external, input);
3425 LOCAL_INPUT_FREE(salt_external, salt);
3426 LOCAL_OUTPUT_FREE(output_external, output);
3427
3428 return (status == PSA_SUCCESS) ? unlock_status : status;
3429}
3430
3431/****************************************************************/
3432/* Asymmetric interruptible cryptography */
3433/****************************************************************/
3434
3435static uint32_t psa_interruptible_max_ops = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
3436
3437void psa_interruptible_set_max_ops(uint32_t max_ops)
3438{
3439 psa_interruptible_max_ops = max_ops;
3440}
3441
3442uint32_t psa_interruptible_get_max_ops(void)
3443{
3444 return psa_interruptible_max_ops;
3445}
3446
3447uint32_t psa_sign_hash_get_num_ops(
3448 const psa_sign_hash_interruptible_operation_t *operation)
3449{
3450 return operation->num_ops;
3451}
3452
3453uint32_t psa_verify_hash_get_num_ops(
3454 const psa_verify_hash_interruptible_operation_t *operation)
3455{
3456 return operation->num_ops;
3457}
3458
3459static psa_status_t psa_sign_hash_abort_internal(
3460 psa_sign_hash_interruptible_operation_t *operation)
3461{
3462 if (operation->id == 0) {
3463 /* The object has (apparently) been initialized but it is not (yet)
3464 * in use. It's ok to call abort on such an object, and there's
3465 * nothing to do. */
3466 return PSA_SUCCESS;
3467 }
3468
3469 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3470
3471 status = psa_driver_wrapper_sign_hash_abort(operation);
3472
3473 operation->id = 0;
3474
3475 /* Do not clear either the error_occurred or num_ops elements here as they
3476 * only want to be cleared by the application calling abort, not by abort
3477 * being called at completion of an operation. */
3478
3479 return status;
3480}
3481
3482psa_status_t psa_sign_hash_start(
3483 psa_sign_hash_interruptible_operation_t *operation,
3484 mbedtls_svc_key_id_t key, psa_algorithm_t alg,
3485 const uint8_t *hash_external, size_t hash_length)
3486{
3487 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3488 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3489 psa_key_slot_t *slot;
3490
3491 LOCAL_INPUT_DECLARE(hash_external, hash);
3492
3493 /* Check that start has not been previously called, or operation has not
3494 * previously errored. */
3495 if (operation->id != 0 || operation->error_occurred) {
3496 return PSA_ERROR_BAD_STATE;
3497 }
3498
3499 status = psa_sign_verify_check_alg(0, alg);
3500 if (status != PSA_SUCCESS) {
3501 operation->error_occurred = 1;
3502 return status;
3503 }
3504
3505 status = psa_get_and_lock_key_slot_with_policy(key, &slot,
3506 PSA_KEY_USAGE_SIGN_HASH,
3507 alg);
3508
3509 if (status != PSA_SUCCESS) {
3510 goto exit;
3511 }
3512
3513 if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
3514 status = PSA_ERROR_INVALID_ARGUMENT;
3515 goto exit;
3516 }
3517
3518 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3519
3520 /* Ensure ops count gets reset, in case of operation re-use. */
3521 operation->num_ops = 0;
3522
3523 status = psa_driver_wrapper_sign_hash_start(operation, &slot->attr,
3524 slot->key.data,
3525 slot->key.bytes, alg,
3526 hash, hash_length);
3527exit:
3528
3529 if (status != PSA_SUCCESS) {
3530 operation->error_occurred = 1;
3531 psa_sign_hash_abort_internal(operation);
3532 }
3533
3534 unlock_status = psa_unregister_read_under_mutex(slot);
3535
3536 if (unlock_status != PSA_SUCCESS) {
3537 operation->error_occurred = 1;
3538 }
3539
3540 LOCAL_INPUT_FREE(hash_external, hash);
3541
3542 return (status == PSA_SUCCESS) ? unlock_status : status;
3543}
3544
3545
3546psa_status_t psa_sign_hash_complete(
3547 psa_sign_hash_interruptible_operation_t *operation,
3548 uint8_t *signature_external, size_t signature_size,
3549 size_t *signature_length)
3550{
3551 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3552
3553 LOCAL_OUTPUT_DECLARE(signature_external, signature);
3554
3555 *signature_length = 0;
3556
3557 /* Check that start has been called first, and that operation has not
3558 * previously errored. */
3559 if (operation->id == 0 || operation->error_occurred) {
3560 status = PSA_ERROR_BAD_STATE;
3561 goto exit;
3562 }
3563
3564 /* Immediately reject a zero-length signature buffer. This guarantees that
3565 * signature must be a valid pointer. */
3566 if (signature_size == 0) {
3567 status = PSA_ERROR_BUFFER_TOO_SMALL;
3568 goto exit;
3569 }
3570
3571 LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
3572
3573 status = psa_driver_wrapper_sign_hash_complete(operation, signature,
3574 signature_size,
3575 signature_length);
3576
3577 /* Update ops count with work done. */
3578 operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
3579
3580exit:
3581
3582 if (signature != NULL) {
3583 psa_wipe_tag_output_buffer(signature, status, signature_size,
3584 *signature_length);
3585 }
3586
3587 if (status != PSA_OPERATION_INCOMPLETE) {
3588 if (status != PSA_SUCCESS) {
3589 operation->error_occurred = 1;
3590 }
3591
3592 psa_sign_hash_abort_internal(operation);
3593 }
3594
3595 LOCAL_OUTPUT_FREE(signature_external, signature);
3596
3597 return status;
3598}
3599
3600psa_status_t psa_sign_hash_abort(
3601 psa_sign_hash_interruptible_operation_t *operation)
3602{
3603 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3604
3605 status = psa_sign_hash_abort_internal(operation);
3606
3607 /* We clear the number of ops done here, so that it is not cleared when
3608 * the operation fails or succeeds, only on manual abort. */
3609 operation->num_ops = 0;
3610
3611 /* Likewise, failure state. */
3612 operation->error_occurred = 0;
3613
3614 return status;
3615}
3616
3617static psa_status_t psa_verify_hash_abort_internal(
3618 psa_verify_hash_interruptible_operation_t *operation)
3619{
3620 if (operation->id == 0) {
3621 /* The object has (apparently) been initialized but it is not (yet)
3622 * in use. It's ok to call abort on such an object, and there's
3623 * nothing to do. */
3624 return PSA_SUCCESS;
3625 }
3626
3627 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3628
3629 status = psa_driver_wrapper_verify_hash_abort(operation);
3630
3631 operation->id = 0;
3632
3633 /* Do not clear either the error_occurred or num_ops elements here as they
3634 * only want to be cleared by the application calling abort, not by abort
3635 * being called at completion of an operation. */
3636
3637 return status;
3638}
3639
3640psa_status_t psa_verify_hash_start(
3641 psa_verify_hash_interruptible_operation_t *operation,
3642 mbedtls_svc_key_id_t key, psa_algorithm_t alg,
3643 const uint8_t *hash_external, size_t hash_length,
3644 const uint8_t *signature_external, size_t signature_length)
3645{
3646 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3647 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
3648 psa_key_slot_t *slot;
3649
3650 LOCAL_INPUT_DECLARE(hash_external, hash);
3651 LOCAL_INPUT_DECLARE(signature_external, signature);
3652
3653 /* Check that start has not been previously called, or operation has not
3654 * previously errored. */
3655 if (operation->id != 0 || operation->error_occurred) {
3656 return PSA_ERROR_BAD_STATE;
3657 }
3658
3659 status = psa_sign_verify_check_alg(0, alg);
3660 if (status != PSA_SUCCESS) {
3661 operation->error_occurred = 1;
3662 return status;
3663 }
3664
3665 status = psa_get_and_lock_key_slot_with_policy(key, &slot,
3666 PSA_KEY_USAGE_VERIFY_HASH,
3667 alg);
3668
3669 if (status != PSA_SUCCESS) {
3670 operation->error_occurred = 1;
3671 return status;
3672 }
3673
3674 LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
3675 LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
3676
3677 /* Ensure ops count gets reset, in case of operation re-use. */
3678 operation->num_ops = 0;
3679
3680 status = psa_driver_wrapper_verify_hash_start(operation, &slot->attr,
3681 slot->key.data,
3682 slot->key.bytes,
3683 alg, hash, hash_length,
3684 signature, signature_length);
3685#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
3686exit:
3687#endif
3688
3689 if (status != PSA_SUCCESS) {
3690 operation->error_occurred = 1;
3691 psa_verify_hash_abort_internal(operation);
3692 }
3693
3694 unlock_status = psa_unregister_read_under_mutex(slot);
3695
3696 if (unlock_status != PSA_SUCCESS) {
3697 operation->error_occurred = 1;
3698 }
3699
3700 LOCAL_INPUT_FREE(hash_external, hash);
3701 LOCAL_INPUT_FREE(signature_external, signature);
3702
3703 return (status == PSA_SUCCESS) ? unlock_status : status;
3704}
3705
3706psa_status_t psa_verify_hash_complete(
3707 psa_verify_hash_interruptible_operation_t *operation)
3708{
3709 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3710
3711 /* Check that start has been called first, and that operation has not
3712 * previously errored. */
3713 if (operation->id == 0 || operation->error_occurred) {
3714 status = PSA_ERROR_BAD_STATE;
3715 goto exit;
3716 }
3717
3718 status = psa_driver_wrapper_verify_hash_complete(operation);
3719
3720 /* Update ops count with work done. */
3721 operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
3722 operation);
3723
3724exit:
3725
3726 if (status != PSA_OPERATION_INCOMPLETE) {
3727 if (status != PSA_SUCCESS) {
3728 operation->error_occurred = 1;
3729 }
3730
3731 psa_verify_hash_abort_internal(operation);
3732 }
3733
3734 return status;
3735}
3736
3737psa_status_t psa_verify_hash_abort(
3738 psa_verify_hash_interruptible_operation_t *operation)
3739{
3740 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3741
3742 status = psa_verify_hash_abort_internal(operation);
3743
3744 /* We clear the number of ops done here, so that it is not cleared when
3745 * the operation fails or succeeds, only on manual abort. */
3746 operation->num_ops = 0;
3747
3748 /* Likewise, failure state. */
3749 operation->error_occurred = 0;
3750
3751 return status;
3752}
3753
3754/****************************************************************/
3755/* Asymmetric interruptible cryptography internal */
3756/* implementations */
3757/****************************************************************/
3758
3759void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
3760{
3761
3762#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3763 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3764 defined(MBEDTLS_ECP_RESTARTABLE)
3765
3766 /* Internal implementation uses zero to indicate infinite number max ops,
3767 * therefore avoid this value, and set to minimum possible. */
3768 if (max_ops == 0) {
3769 max_ops = 1;
3770 }
3771
3772 mbedtls_ecp_set_max_ops(max_ops);
3773#else
3774 (void) max_ops;
3775#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3776 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3777 * defined( MBEDTLS_ECP_RESTARTABLE ) */
3778}
3779
3780uint32_t mbedtls_psa_sign_hash_get_num_ops(
3781 const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
3782{
3783#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3784 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3785 defined(MBEDTLS_ECP_RESTARTABLE)
3786
3787 return operation->num_ops;
3788#else
3789 (void) operation;
3790 return 0;
3791#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3792 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3793 * defined( MBEDTLS_ECP_RESTARTABLE ) */
3794}
3795
3796uint32_t mbedtls_psa_verify_hash_get_num_ops(
3797 const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
3798{
3799 #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3800 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3801 defined(MBEDTLS_ECP_RESTARTABLE)
3802
3803 return operation->num_ops;
3804#else
3805 (void) operation;
3806 return 0;
3807#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3808 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3809 * defined( MBEDTLS_ECP_RESTARTABLE ) */
3810}
3811
3812psa_status_t mbedtls_psa_sign_hash_start(
3813 mbedtls_psa_sign_hash_interruptible_operation_t *operation,
3814 const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
3815 size_t key_buffer_size, psa_algorithm_t alg,
3816 const uint8_t *hash, size_t hash_length)
3817{
3818 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3819 size_t required_hash_length;
3820
3821 if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
3822 return PSA_ERROR_NOT_SUPPORTED;
3823 }
3824
3825 if (!PSA_ALG_IS_ECDSA(alg)) {
3826 return PSA_ERROR_NOT_SUPPORTED;
3827 }
3828
3829#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3830 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3831 defined(MBEDTLS_ECP_RESTARTABLE)
3832
3833 mbedtls_ecdsa_restart_init(&operation->restart_ctx);
3834
3835 /* Ensure num_ops is zero'ed in case of context re-use. */
3836 operation->num_ops = 0;
3837
3838 status = mbedtls_psa_ecp_load_representation(attributes->type,
3839 attributes->bits,
3840 key_buffer,
3841 key_buffer_size,
3842 &operation->ctx);
3843
3844 if (status != PSA_SUCCESS) {
3845 return status;
3846 }
3847
3848 operation->coordinate_bytes = PSA_BITS_TO_BYTES(
3849 operation->ctx->grp.nbits);
3850
3851 psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
3852 operation->md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
3853 operation->alg = alg;
3854
3855 /* We only need to store the same length of hash as the private key size
3856 * here, it would be truncated by the internal implementation anyway. */
3857 required_hash_length = (hash_length < operation->coordinate_bytes ?
3858 hash_length : operation->coordinate_bytes);
3859
3860 if (required_hash_length > sizeof(operation->hash)) {
3861 /* Shouldn't happen, but better safe than sorry. */
3862 return PSA_ERROR_CORRUPTION_DETECTED;
3863 }
3864
3865 memcpy(operation->hash, hash, required_hash_length);
3866 operation->hash_length = required_hash_length;
3867
3868 return PSA_SUCCESS;
3869
3870#else
3871 (void) operation;
3872 (void) key_buffer;
3873 (void) key_buffer_size;
3874 (void) alg;
3875 (void) hash;
3876 (void) hash_length;
3877 (void) status;
3878 (void) required_hash_length;
3879
3880 return PSA_ERROR_NOT_SUPPORTED;
3881#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3882 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3883 * defined( MBEDTLS_ECP_RESTARTABLE ) */
3884}
3885
3886psa_status_t mbedtls_psa_sign_hash_complete(
3887 mbedtls_psa_sign_hash_interruptible_operation_t *operation,
3888 uint8_t *signature, size_t signature_size,
3889 size_t *signature_length)
3890{
3891#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3892 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
3893 defined(MBEDTLS_ECP_RESTARTABLE)
3894
3895 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3896 mbedtls_mpi r;
3897 mbedtls_mpi s;
3898
3899 mbedtls_mpi_init(&r);
3900 mbedtls_mpi_init(&s);
3901
3902 /* Ensure max_ops is set to the current value (or default). */
3903 mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
3904
3905 if (signature_size < 2 * operation->coordinate_bytes) {
3906 status = PSA_ERROR_BUFFER_TOO_SMALL;
3907 goto exit;
3908 }
3909
3910 if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
3911
3912#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
3913 status = mbedtls_to_psa_error(
3914 mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
3915 &r,
3916 &s,
3917 &operation->ctx->d,
3918 operation->hash,
3919 operation->hash_length,
3920 operation->md_alg,
3921 mbedtls_psa_get_random,
3922 MBEDTLS_PSA_RANDOM_STATE,
3923 &operation->restart_ctx));
3924#else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3925 status = PSA_ERROR_NOT_SUPPORTED;
3926 goto exit;
3927#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
3928 } else {
3929 status = mbedtls_to_psa_error(
3930 mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
3931 &r,
3932 &s,
3933 &operation->ctx->d,
3934 operation->hash,
3935 operation->hash_length,
3936 mbedtls_psa_get_random,
3937 MBEDTLS_PSA_RANDOM_STATE,
3938 mbedtls_psa_get_random,
3939 MBEDTLS_PSA_RANDOM_STATE,
3940 &operation->restart_ctx));
3941 }
3942
3943 /* Hide the fact that the restart context only holds a delta of number of
3944 * ops done during the last operation, not an absolute value. */
3945 operation->num_ops += operation->restart_ctx.ecp.ops_done;
3946
3947 if (status == PSA_SUCCESS) {
3948 status = mbedtls_to_psa_error(
3949 mbedtls_mpi_write_binary(&r,
3950 signature,
3951 operation->coordinate_bytes)
3952 );
3953
3954 if (status != PSA_SUCCESS) {
3955 goto exit;
3956 }
3957
3958 status = mbedtls_to_psa_error(
3959 mbedtls_mpi_write_binary(&s,
3960 signature +
3961 operation->coordinate_bytes,
3962 operation->coordinate_bytes)
3963 );
3964
3965 if (status != PSA_SUCCESS) {
3966 goto exit;
3967 }
3968
3969 *signature_length = operation->coordinate_bytes * 2;
3970
3971 status = PSA_SUCCESS;
3972 }
3973
3974exit:
3975
3976 mbedtls_mpi_free(&r);
3977 mbedtls_mpi_free(&s);
3978 return status;
3979
3980 #else
3981
3982 (void) operation;
3983 (void) signature;
3984 (void) signature_size;
3985 (void) signature_length;
3986
3987 return PSA_ERROR_NOT_SUPPORTED;
3988
3989#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
3990 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
3991 * defined( MBEDTLS_ECP_RESTARTABLE ) */
3992}
3993
3994psa_status_t mbedtls_psa_sign_hash_abort(
3995 mbedtls_psa_sign_hash_interruptible_operation_t *operation)
3996{
3997
3998#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
3999 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4000 defined(MBEDTLS_ECP_RESTARTABLE)
4001
4002 if (operation->ctx) {
4003 mbedtls_ecdsa_free(operation->ctx);
4004 mbedtls_free(operation->ctx);
4005 operation->ctx = NULL;
4006 }
4007
4008 mbedtls_ecdsa_restart_free(&operation->restart_ctx);
4009
4010 operation->num_ops = 0;
4011
4012 return PSA_SUCCESS;
4013
4014#else
4015
4016 (void) operation;
4017
4018 return PSA_ERROR_NOT_SUPPORTED;
4019
4020#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4021 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4022 * defined( MBEDTLS_ECP_RESTARTABLE ) */
4023}
4024
4025psa_status_t mbedtls_psa_verify_hash_start(
4026 mbedtls_psa_verify_hash_interruptible_operation_t *operation,
4027 const psa_key_attributes_t *attributes,
4028 const uint8_t *key_buffer, size_t key_buffer_size,
4029 psa_algorithm_t alg,
4030 const uint8_t *hash, size_t hash_length,
4031 const uint8_t *signature, size_t signature_length)
4032{
4033 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4034 size_t coordinate_bytes = 0;
4035 size_t required_hash_length = 0;
4036
4037 if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
4038 return PSA_ERROR_NOT_SUPPORTED;
4039 }
4040
4041 if (!PSA_ALG_IS_ECDSA(alg)) {
4042 return PSA_ERROR_NOT_SUPPORTED;
4043 }
4044
4045#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4046 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4047 defined(MBEDTLS_ECP_RESTARTABLE)
4048
4049 mbedtls_ecdsa_restart_init(&operation->restart_ctx);
4050 mbedtls_mpi_init(&operation->r);
4051 mbedtls_mpi_init(&operation->s);
4052
4053 /* Ensure num_ops is zero'ed in case of context re-use. */
4054 operation->num_ops = 0;
4055
4056 status = mbedtls_psa_ecp_load_representation(attributes->type,
4057 attributes->bits,
4058 key_buffer,
4059 key_buffer_size,
4060 &operation->ctx);
4061
4062 if (status != PSA_SUCCESS) {
4063 return status;
4064 }
4065
4066 coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits);
4067
4068 if (signature_length != 2 * coordinate_bytes) {
4069 return PSA_ERROR_INVALID_SIGNATURE;
4070 }
4071
4072 status = mbedtls_to_psa_error(
4073 mbedtls_mpi_read_binary(&operation->r,
4074 signature,
4075 coordinate_bytes));
4076
4077 if (status != PSA_SUCCESS) {
4078 return status;
4079 }
4080
4081 status = mbedtls_to_psa_error(
4082 mbedtls_mpi_read_binary(&operation->s,
4083 signature +
4084 coordinate_bytes,
4085 coordinate_bytes));
4086
4087 if (status != PSA_SUCCESS) {
4088 return status;
4089 }
4090
4091 status = mbedtls_psa_ecp_load_public_part(operation->ctx);
4092
4093 if (status != PSA_SUCCESS) {
4094 return status;
4095 }
4096
4097 /* We only need to store the same length of hash as the private key size
4098 * here, it would be truncated by the internal implementation anyway. */
4099 required_hash_length = (hash_length < coordinate_bytes ? hash_length :
4100 coordinate_bytes);
4101
4102 if (required_hash_length > sizeof(operation->hash)) {
4103 /* Shouldn't happen, but better safe than sorry. */
4104 return PSA_ERROR_CORRUPTION_DETECTED;
4105 }
4106
4107 memcpy(operation->hash, hash, required_hash_length);
4108 operation->hash_length = required_hash_length;
4109
4110 return PSA_SUCCESS;
4111#else
4112 (void) operation;
4113 (void) key_buffer;
4114 (void) key_buffer_size;
4115 (void) alg;
4116 (void) hash;
4117 (void) hash_length;
4118 (void) signature;
4119 (void) signature_length;
4120 (void) status;
4121 (void) coordinate_bytes;
4122 (void) required_hash_length;
4123
4124 return PSA_ERROR_NOT_SUPPORTED;
4125#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4126 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4127 * defined( MBEDTLS_ECP_RESTARTABLE ) */
4128}
4129
4130psa_status_t mbedtls_psa_verify_hash_complete(
4131 mbedtls_psa_verify_hash_interruptible_operation_t *operation)
4132{
4133
4134#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4135 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4136 defined(MBEDTLS_ECP_RESTARTABLE)
4137
4138 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4139
4140 /* Ensure max_ops is set to the current value (or default). */
4141 mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
4142
4143 status = mbedtls_to_psa_error(
4144 mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
4145 operation->hash,
4146 operation->hash_length,
4147 &operation->ctx->Q,
4148 &operation->r,
4149 &operation->s,
4150 &operation->restart_ctx));
4151
4152 /* Hide the fact that the restart context only holds a delta of number of
4153 * ops done during the last operation, not an absolute value. */
4154 operation->num_ops += operation->restart_ctx.ecp.ops_done;
4155
4156 return status;
4157#else
4158 (void) operation;
4159
4160 return PSA_ERROR_NOT_SUPPORTED;
4161
4162#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4163 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4164 * defined( MBEDTLS_ECP_RESTARTABLE ) */
4165}
4166
4167psa_status_t mbedtls_psa_verify_hash_abort(
4168 mbedtls_psa_verify_hash_interruptible_operation_t *operation)
4169{
4170
4171#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
4172 defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
4173 defined(MBEDTLS_ECP_RESTARTABLE)
4174
4175 if (operation->ctx) {
4176 mbedtls_ecdsa_free(operation->ctx);
4177 mbedtls_free(operation->ctx);
4178 operation->ctx = NULL;
4179 }
4180
4181 mbedtls_ecdsa_restart_free(&operation->restart_ctx);
4182
4183 operation->num_ops = 0;
4184
4185 mbedtls_mpi_free(&operation->r);
4186 mbedtls_mpi_free(&operation->s);
4187
4188 return PSA_SUCCESS;
4189
4190#else
4191 (void) operation;
4192
4193 return PSA_ERROR_NOT_SUPPORTED;
4194
4195#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
4196 * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
4197 * defined( MBEDTLS_ECP_RESTARTABLE ) */
4198}
4199
4200static psa_status_t psa_generate_random_internal(uint8_t *output,
4201 size_t output_size)
4202{
4203 GUARD_MODULE_INITIALIZED;
4204
4205#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
4206
4207 psa_status_t status;
4208 size_t output_length = 0;
4209 status = mbedtls_psa_external_get_random(&global_data.rng,
4210 output, output_size,
4211 &output_length);
4212 if (status != PSA_SUCCESS) {
4213 return status;
4214 }
4215 /* Breaking up a request into smaller chunks is currently not supported
4216 * for the external RNG interface. */
4217 if (output_length != output_size) {
4218 return PSA_ERROR_INSUFFICIENT_ENTROPY;
4219 }
4220 return PSA_SUCCESS;
4221
4222#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
4223
4224 while (output_size > 0) {
4225 int ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
4226 size_t request_size =
4227 (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ?
4228 MBEDTLS_PSA_RANDOM_MAX_REQUEST :
4229 output_size);
4230#if defined(MBEDTLS_CTR_DRBG_C)
4231 ret = mbedtls_ctr_drbg_random(&global_data.rng.drbg, output, request_size);
4232#elif defined(MBEDTLS_HMAC_DRBG_C)
4233 ret = mbedtls_hmac_drbg_random(&global_data.rng.drbg, output, request_size);
4234#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
4235 if (ret != 0) {
4236 return mbedtls_to_psa_error(ret);
4237 }
4238 output_size -= request_size;
4239 output += request_size;
4240 }
4241 return PSA_SUCCESS;
4242#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
4243}
4244
4245
4246/****************************************************************/
4247/* Symmetric cryptography */
4248/****************************************************************/
4249
4250static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation,
4251 mbedtls_svc_key_id_t key,
4252 psa_algorithm_t alg,
4253 mbedtls_operation_t cipher_operation)
4254{
4255 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4256 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4257 psa_key_slot_t *slot = NULL;
4258 psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ?
4259 PSA_KEY_USAGE_ENCRYPT :
4260 PSA_KEY_USAGE_DECRYPT);
4261
4262 /* A context must be freshly initialized before it can be set up. */
4263 if (operation->id != 0) {
4264 status = PSA_ERROR_BAD_STATE;
4265 goto exit;
4266 }
4267
4268 if (!PSA_ALG_IS_CIPHER(alg)) {
4269 status = PSA_ERROR_INVALID_ARGUMENT;
4270 goto exit;
4271 }
4272
4273 status = psa_get_and_lock_key_slot_with_policy(key, &slot, usage, alg);
4274 if (status != PSA_SUCCESS) {
4275 goto exit;
4276 }
4277
4278 /* Initialize the operation struct members, except for id. The id member
4279 * is used to indicate to psa_cipher_abort that there are resources to free,
4280 * so we only set it (in the driver wrapper) after resources have been
4281 * allocated/initialized. */
4282 operation->iv_set = 0;
4283 if (alg == PSA_ALG_ECB_NO_PADDING) {
4284 operation->iv_required = 0;
4285 } else {
4286 operation->iv_required = 1;
4287 }
4288 operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
4289
4290 /* Try doing the operation through a driver before using software fallback. */
4291 if (cipher_operation == MBEDTLS_ENCRYPT) {
4292 status = psa_driver_wrapper_cipher_encrypt_setup(operation,
4293 &slot->attr,
4294 slot->key.data,
4295 slot->key.bytes,
4296 alg);
4297 } else {
4298 status = psa_driver_wrapper_cipher_decrypt_setup(operation,
4299 &slot->attr,
4300 slot->key.data,
4301 slot->key.bytes,
4302 alg);
4303 }
4304
4305exit:
4306 if (status != PSA_SUCCESS) {
4307 psa_cipher_abort(operation);
4308 }
4309
4310 unlock_status = psa_unregister_read_under_mutex(slot);
4311
4312 return (status == PSA_SUCCESS) ? unlock_status : status;
4313}
4314
4315psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
4316 mbedtls_svc_key_id_t key,
4317 psa_algorithm_t alg)
4318{
4319 return psa_cipher_setup(operation, key, alg, MBEDTLS_ENCRYPT);
4320}
4321
4322psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
4323 mbedtls_svc_key_id_t key,
4324 psa_algorithm_t alg)
4325{
4326 return psa_cipher_setup(operation, key, alg, MBEDTLS_DECRYPT);
4327}
4328
4329psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
4330 uint8_t *iv_external,
4331 size_t iv_size,
4332 size_t *iv_length)
4333{
4334 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4335 size_t default_iv_length = 0;
4336
4337 LOCAL_OUTPUT_DECLARE(iv_external, iv);
4338
4339 if (operation->id == 0) {
4340 status = PSA_ERROR_BAD_STATE;
4341 goto exit;
4342 }
4343
4344 if (operation->iv_set || !operation->iv_required) {
4345 status = PSA_ERROR_BAD_STATE;
4346 goto exit;
4347 }
4348
4349 default_iv_length = operation->default_iv_length;
4350 if (iv_size < default_iv_length) {
4351 status = PSA_ERROR_BUFFER_TOO_SMALL;
4352 goto exit;
4353 }
4354
4355 if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
4356 status = PSA_ERROR_GENERIC_ERROR;
4357 goto exit;
4358 }
4359
4360 LOCAL_OUTPUT_ALLOC(iv_external, default_iv_length, iv);
4361
4362 status = psa_generate_random_internal(iv, default_iv_length);
4363 if (status != PSA_SUCCESS) {
4364 goto exit;
4365 }
4366
4367 status = psa_driver_wrapper_cipher_set_iv(operation,
4368 iv, default_iv_length);
4369
4370exit:
4371 if (status == PSA_SUCCESS) {
4372 *iv_length = default_iv_length;
4373 operation->iv_set = 1;
4374 } else {
4375 *iv_length = 0;
4376 psa_cipher_abort(operation);
4377 if (iv != NULL) {
4378 mbedtls_platform_zeroize(iv, default_iv_length);
4379 }
4380 }
4381
4382 LOCAL_OUTPUT_FREE(iv_external, iv);
4383 return status;
4384}
4385
4386psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
4387 const uint8_t *iv_external,
4388 size_t iv_length)
4389{
4390 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4391
4392 LOCAL_INPUT_DECLARE(iv_external, iv);
4393
4394 if (operation->id == 0) {
4395 status = PSA_ERROR_BAD_STATE;
4396 goto exit;
4397 }
4398
4399 if (operation->iv_set || !operation->iv_required) {
4400 status = PSA_ERROR_BAD_STATE;
4401 goto exit;
4402 }
4403
4404 if (iv_length > PSA_CIPHER_IV_MAX_SIZE) {
4405 status = PSA_ERROR_INVALID_ARGUMENT;
4406 goto exit;
4407 }
4408
4409 LOCAL_INPUT_ALLOC(iv_external, iv_length, iv);
4410
4411 status = psa_driver_wrapper_cipher_set_iv(operation,
4412 iv,
4413 iv_length);
4414
4415exit:
4416 if (status == PSA_SUCCESS) {
4417 operation->iv_set = 1;
4418 } else {
4419 psa_cipher_abort(operation);
4420 }
4421
4422 LOCAL_INPUT_FREE(iv_external, iv);
4423
4424 return status;
4425}
4426
4427psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
4428 const uint8_t *input_external,
4429 size_t input_length,
4430 uint8_t *output_external,
4431 size_t output_size,
4432 size_t *output_length)
4433{
4434 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4435
4436 LOCAL_INPUT_DECLARE(input_external, input);
4437 LOCAL_OUTPUT_DECLARE(output_external, output);
4438
4439 if (operation->id == 0) {
4440 status = PSA_ERROR_BAD_STATE;
4441 goto exit;
4442 }
4443
4444 if (operation->iv_required && !operation->iv_set) {
4445 status = PSA_ERROR_BAD_STATE;
4446 goto exit;
4447 }
4448
4449 LOCAL_INPUT_ALLOC(input_external, input_length, input);
4450 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4451
4452 status = psa_driver_wrapper_cipher_update(operation,
4453 input,
4454 input_length,
4455 output,
4456 output_size,
4457 output_length);
4458
4459exit:
4460 if (status != PSA_SUCCESS) {
4461 psa_cipher_abort(operation);
4462 }
4463
4464 LOCAL_INPUT_FREE(input_external, input);
4465 LOCAL_OUTPUT_FREE(output_external, output);
4466
4467 return status;
4468}
4469
4470psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
4471 uint8_t *output_external,
4472 size_t output_size,
4473 size_t *output_length)
4474{
4475 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
4476
4477 LOCAL_OUTPUT_DECLARE(output_external, output);
4478
4479 if (operation->id == 0) {
4480 status = PSA_ERROR_BAD_STATE;
4481 goto exit;
4482 }
4483
4484 if (operation->iv_required && !operation->iv_set) {
4485 status = PSA_ERROR_BAD_STATE;
4486 goto exit;
4487 }
4488
4489 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4490
4491 status = psa_driver_wrapper_cipher_finish(operation,
4492 output,
4493 output_size,
4494 output_length);
4495
4496exit:
4497 if (status == PSA_SUCCESS) {
4498 status = psa_cipher_abort(operation);
4499 } else {
4500 *output_length = 0;
4501 (void) psa_cipher_abort(operation);
4502 }
4503
4504 LOCAL_OUTPUT_FREE(output_external, output);
4505
4506 return status;
4507}
4508
4509psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
4510{
4511 if (operation->id == 0) {
4512 /* The object has (apparently) been initialized but it is not (yet)
4513 * in use. It's ok to call abort on such an object, and there's
4514 * nothing to do. */
4515 return PSA_SUCCESS;
4516 }
4517
4518 psa_driver_wrapper_cipher_abort(operation);
4519
4520 operation->id = 0;
4521 operation->iv_set = 0;
4522 operation->iv_required = 0;
4523
4524 return PSA_SUCCESS;
4525}
4526
4527psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
4528 psa_algorithm_t alg,
4529 const uint8_t *input_external,
4530 size_t input_length,
4531 uint8_t *output_external,
4532 size_t output_size,
4533 size_t *output_length)
4534{
4535 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4536 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4537 psa_key_slot_t *slot = NULL;
4538 uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
4539 size_t default_iv_length = 0;
4540
4541 LOCAL_INPUT_DECLARE(input_external, input);
4542 LOCAL_OUTPUT_DECLARE(output_external, output);
4543
4544 if (!PSA_ALG_IS_CIPHER(alg)) {
4545 status = PSA_ERROR_INVALID_ARGUMENT;
4546 goto exit;
4547 }
4548
4549 status = psa_get_and_lock_key_slot_with_policy(key, &slot,
4550 PSA_KEY_USAGE_ENCRYPT,
4551 alg);
4552 if (status != PSA_SUCCESS) {
4553 goto exit;
4554 }
4555
4556 default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
4557 if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
4558 status = PSA_ERROR_GENERIC_ERROR;
4559 goto exit;
4560 }
4561
4562 if (default_iv_length > 0) {
4563 if (output_size < default_iv_length) {
4564 status = PSA_ERROR_BUFFER_TOO_SMALL;
4565 goto exit;
4566 }
4567
4568 status = psa_generate_random_internal(local_iv, default_iv_length);
4569 if (status != PSA_SUCCESS) {
4570 goto exit;
4571 }
4572 }
4573
4574 LOCAL_INPUT_ALLOC(input_external, input_length, input);
4575 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4576
4577 status = psa_driver_wrapper_cipher_encrypt(
4578 &slot->attr, slot->key.data, slot->key.bytes,
4579 alg, local_iv, default_iv_length, input, input_length,
4580 psa_crypto_buffer_offset(output, default_iv_length),
4581 output_size - default_iv_length, output_length);
4582
4583exit:
4584 unlock_status = psa_unregister_read_under_mutex(slot);
4585 if (status == PSA_SUCCESS) {
4586 status = unlock_status;
4587 }
4588
4589 if (status == PSA_SUCCESS) {
4590 if (default_iv_length > 0) {
4591 memcpy(output, local_iv, default_iv_length);
4592 }
4593 *output_length += default_iv_length;
4594 } else {
4595 *output_length = 0;
4596 }
4597
4598 LOCAL_INPUT_FREE(input_external, input);
4599 LOCAL_OUTPUT_FREE(output_external, output);
4600
4601 return status;
4602}
4603
4604psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
4605 psa_algorithm_t alg,
4606 const uint8_t *input_external,
4607 size_t input_length,
4608 uint8_t *output_external,
4609 size_t output_size,
4610 size_t *output_length)
4611{
4612 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4613 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4614 psa_key_slot_t *slot = NULL;
4615
4616 LOCAL_INPUT_DECLARE(input_external, input);
4617 LOCAL_OUTPUT_DECLARE(output_external, output);
4618
4619 if (!PSA_ALG_IS_CIPHER(alg)) {
4620 status = PSA_ERROR_INVALID_ARGUMENT;
4621 goto exit;
4622 }
4623
4624 status = psa_get_and_lock_key_slot_with_policy(key, &slot,
4625 PSA_KEY_USAGE_DECRYPT,
4626 alg);
4627 if (status != PSA_SUCCESS) {
4628 goto exit;
4629 }
4630
4631 if (alg == PSA_ALG_CCM_STAR_NO_TAG &&
4632 input_length < PSA_BLOCK_CIPHER_BLOCK_LENGTH(slot->attr.type)) {
4633 status = PSA_ERROR_INVALID_ARGUMENT;
4634 goto exit;
4635 } else if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) {
4636 status = PSA_ERROR_INVALID_ARGUMENT;
4637 goto exit;
4638 }
4639
4640 LOCAL_INPUT_ALLOC(input_external, input_length, input);
4641 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
4642
4643 status = psa_driver_wrapper_cipher_decrypt(
4644 &slot->attr, slot->key.data, slot->key.bytes,
4645 alg, input, input_length,
4646 output, output_size, output_length);
4647
4648exit:
4649 unlock_status = psa_unregister_read_under_mutex(slot);
4650 if (status == PSA_SUCCESS) {
4651 status = unlock_status;
4652 }
4653
4654 if (status != PSA_SUCCESS) {
4655 *output_length = 0;
4656 }
4657
4658 LOCAL_INPUT_FREE(input_external, input);
4659 LOCAL_OUTPUT_FREE(output_external, output);
4660
4661 return status;
4662}
4663
4664
4665/****************************************************************/
4666/* AEAD */
4667/****************************************************************/
4668
4669/* Helper function to get the base algorithm from its variants. */
4670static psa_algorithm_t psa_aead_get_base_algorithm(psa_algorithm_t alg)
4671{
4672 return PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg);
4673}
4674
4675/* Helper function to perform common nonce length checks. */
4676static psa_status_t psa_aead_check_nonce_length(psa_algorithm_t alg,
4677 size_t nonce_length)
4678{
4679 psa_algorithm_t base_alg = psa_aead_get_base_algorithm(alg);
4680
4681 switch (base_alg) {
4682#if defined(PSA_WANT_ALG_GCM)
4683 case PSA_ALG_GCM:
4684 /* Not checking max nonce size here as GCM spec allows almost
4685 * arbitrarily large nonces. Please note that we do not generally
4686 * recommend the usage of nonces of greater length than
4687 * PSA_AEAD_NONCE_MAX_SIZE, as large nonces are hashed to a shorter
4688 * size, which can then lead to collisions if you encrypt a very
4689 * large number of messages.*/
4690 if (nonce_length != 0) {
4691 return PSA_SUCCESS;
4692 }
4693 break;
4694#endif /* PSA_WANT_ALG_GCM */
4695#if defined(PSA_WANT_ALG_CCM)
4696 case PSA_ALG_CCM:
4697 if (nonce_length >= 7 && nonce_length <= 13) {
4698 return PSA_SUCCESS;
4699 }
4700 break;
4701#endif /* PSA_WANT_ALG_CCM */
4702#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
4703 case PSA_ALG_CHACHA20_POLY1305:
4704 if (nonce_length == 12) {
4705 return PSA_SUCCESS;
4706 } else if (nonce_length == 8) {
4707 return PSA_ERROR_NOT_SUPPORTED;
4708 }
4709 break;
4710#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
4711 default:
4712 (void) nonce_length;
4713 return PSA_ERROR_NOT_SUPPORTED;
4714 }
4715
4716 return PSA_ERROR_INVALID_ARGUMENT;
4717}
4718
4719static psa_status_t psa_aead_check_algorithm(psa_algorithm_t alg)
4720{
4721 if (!PSA_ALG_IS_AEAD(alg) || PSA_ALG_IS_WILDCARD(alg)) {
4722 return PSA_ERROR_INVALID_ARGUMENT;
4723 }
4724
4725 return PSA_SUCCESS;
4726}
4727
4728psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
4729 psa_algorithm_t alg,
4730 const uint8_t *nonce_external,
4731 size_t nonce_length,
4732 const uint8_t *additional_data_external,
4733 size_t additional_data_length,
4734 const uint8_t *plaintext_external,
4735 size_t plaintext_length,
4736 uint8_t *ciphertext_external,
4737 size_t ciphertext_size,
4738 size_t *ciphertext_length)
4739{
4740 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4741 psa_key_slot_t *slot;
4742
4743 LOCAL_INPUT_DECLARE(nonce_external, nonce);
4744 LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
4745 LOCAL_INPUT_DECLARE(plaintext_external, plaintext);
4746 LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
4747
4748 *ciphertext_length = 0;
4749
4750 status = psa_aead_check_algorithm(alg);
4751 if (status != PSA_SUCCESS) {
4752 return status;
4753 }
4754
4755 status = psa_get_and_lock_key_slot_with_policy(
4756 key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
4757 if (status != PSA_SUCCESS) {
4758 return status;
4759 }
4760
4761 LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
4762 LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length, additional_data);
4763 LOCAL_INPUT_ALLOC(plaintext_external, plaintext_length, plaintext);
4764 LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
4765
4766 status = psa_aead_check_nonce_length(alg, nonce_length);
4767 if (status != PSA_SUCCESS) {
4768 goto exit;
4769 }
4770
4771 status = psa_driver_wrapper_aead_encrypt(
4772 &slot->attr, slot->key.data, slot->key.bytes,
4773 alg,
4774 nonce, nonce_length,
4775 additional_data, additional_data_length,
4776 plaintext, plaintext_length,
4777 ciphertext, ciphertext_size, ciphertext_length);
4778
4779 if (status != PSA_SUCCESS && ciphertext_size != 0) {
4780 memset(ciphertext, 0, ciphertext_size);
4781 }
4782
4783exit:
4784 LOCAL_INPUT_FREE(nonce_external, nonce);
4785 LOCAL_INPUT_FREE(additional_data_external, additional_data);
4786 LOCAL_INPUT_FREE(plaintext_external, plaintext);
4787 LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
4788
4789 psa_unregister_read_under_mutex(slot);
4790
4791 return status;
4792}
4793
4794psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
4795 psa_algorithm_t alg,
4796 const uint8_t *nonce_external,
4797 size_t nonce_length,
4798 const uint8_t *additional_data_external,
4799 size_t additional_data_length,
4800 const uint8_t *ciphertext_external,
4801 size_t ciphertext_length,
4802 uint8_t *plaintext_external,
4803 size_t plaintext_size,
4804 size_t *plaintext_length)
4805{
4806 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4807 psa_key_slot_t *slot;
4808
4809 LOCAL_INPUT_DECLARE(nonce_external, nonce);
4810 LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
4811 LOCAL_INPUT_DECLARE(ciphertext_external, ciphertext);
4812 LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
4813
4814 *plaintext_length = 0;
4815
4816 status = psa_aead_check_algorithm(alg);
4817 if (status != PSA_SUCCESS) {
4818 return status;
4819 }
4820
4821 status = psa_get_and_lock_key_slot_with_policy(
4822 key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
4823 if (status != PSA_SUCCESS) {
4824 return status;
4825 }
4826
4827 LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
4828 LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length,
4829 additional_data);
4830 LOCAL_INPUT_ALLOC(ciphertext_external, ciphertext_length, ciphertext);
4831 LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
4832
4833 status = psa_aead_check_nonce_length(alg, nonce_length);
4834 if (status != PSA_SUCCESS) {
4835 goto exit;
4836 }
4837
4838 status = psa_driver_wrapper_aead_decrypt(
4839 &slot->attr, slot->key.data, slot->key.bytes,
4840 alg,
4841 nonce, nonce_length,
4842 additional_data, additional_data_length,
4843 ciphertext, ciphertext_length,
4844 plaintext, plaintext_size, plaintext_length);
4845
4846 if (status != PSA_SUCCESS && plaintext_size != 0) {
4847 memset(plaintext, 0, plaintext_size);
4848 }
4849
4850exit:
4851 LOCAL_INPUT_FREE(nonce_external, nonce);
4852 LOCAL_INPUT_FREE(additional_data_external, additional_data);
4853 LOCAL_INPUT_FREE(ciphertext_external, ciphertext);
4854 LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
4855
4856 psa_unregister_read_under_mutex(slot);
4857
4858 return status;
4859}
4860
4861static psa_status_t psa_validate_tag_length(psa_algorithm_t alg)
4862{
4863 const uint8_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
4864
4865 switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
4866#if defined(PSA_WANT_ALG_CCM)
4867 case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
4868 /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.*/
4869 if (tag_len < 4 || tag_len > 16 || tag_len % 2) {
4870 return PSA_ERROR_INVALID_ARGUMENT;
4871 }
4872 break;
4873#endif /* PSA_WANT_ALG_CCM */
4874
4875#if defined(PSA_WANT_ALG_GCM)
4876 case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
4877 /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. */
4878 if (tag_len != 4 && tag_len != 8 && (tag_len < 12 || tag_len > 16)) {
4879 return PSA_ERROR_INVALID_ARGUMENT;
4880 }
4881 break;
4882#endif /* PSA_WANT_ALG_GCM */
4883
4884#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
4885 case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
4886 /* We only support the default tag length. */
4887 if (tag_len != 16) {
4888 return PSA_ERROR_INVALID_ARGUMENT;
4889 }
4890 break;
4891#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
4892
4893 default:
4894 (void) tag_len;
4895 return PSA_ERROR_NOT_SUPPORTED;
4896 }
4897 return PSA_SUCCESS;
4898}
4899
4900/* Set the key for a multipart authenticated operation. */
4901static psa_status_t psa_aead_setup(psa_aead_operation_t *operation,
4902 int is_encrypt,
4903 mbedtls_svc_key_id_t key,
4904 psa_algorithm_t alg)
4905{
4906 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4907 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
4908 psa_key_slot_t *slot = NULL;
4909 psa_key_usage_t key_usage = 0;
4910
4911 status = psa_aead_check_algorithm(alg);
4912 if (status != PSA_SUCCESS) {
4913 goto exit;
4914 }
4915
4916 if (operation->id != 0) {
4917 status = PSA_ERROR_BAD_STATE;
4918 goto exit;
4919 }
4920
4921 if (operation->nonce_set || operation->lengths_set ||
4922 operation->ad_started || operation->body_started) {
4923 status = PSA_ERROR_BAD_STATE;
4924 goto exit;
4925 }
4926
4927 if (is_encrypt) {
4928 key_usage = PSA_KEY_USAGE_ENCRYPT;
4929 } else {
4930 key_usage = PSA_KEY_USAGE_DECRYPT;
4931 }
4932
4933 status = psa_get_and_lock_key_slot_with_policy(key, &slot, key_usage,
4934 alg);
4935 if (status != PSA_SUCCESS) {
4936 goto exit;
4937 }
4938
4939 if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) {
4940 goto exit;
4941 }
4942
4943 if (is_encrypt) {
4944 status = psa_driver_wrapper_aead_encrypt_setup(operation,
4945 &slot->attr,
4946 slot->key.data,
4947 slot->key.bytes,
4948 alg);
4949 } else {
4950 status = psa_driver_wrapper_aead_decrypt_setup(operation,
4951 &slot->attr,
4952 slot->key.data,
4953 slot->key.bytes,
4954 alg);
4955 }
4956 if (status != PSA_SUCCESS) {
4957 goto exit;
4958 }
4959
4960 operation->key_type = psa_get_key_type(&slot->attr);
4961
4962exit:
4963 unlock_status = psa_unregister_read_under_mutex(slot);
4964
4965 if (status == PSA_SUCCESS) {
4966 status = unlock_status;
4967 operation->alg = psa_aead_get_base_algorithm(alg);
4968 operation->is_encrypt = is_encrypt;
4969 } else {
4970 psa_aead_abort(operation);
4971 }
4972
4973 return status;
4974}
4975
4976/* Set the key for a multipart authenticated encryption operation. */
4977psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
4978 mbedtls_svc_key_id_t key,
4979 psa_algorithm_t alg)
4980{
4981 return psa_aead_setup(operation, 1, key, alg);
4982}
4983
4984/* Set the key for a multipart authenticated decryption operation. */
4985psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
4986 mbedtls_svc_key_id_t key,
4987 psa_algorithm_t alg)
4988{
4989 return psa_aead_setup(operation, 0, key, alg);
4990}
4991
4992static psa_status_t psa_aead_set_nonce_internal(psa_aead_operation_t *operation,
4993 const uint8_t *nonce,
4994 size_t nonce_length)
4995{
4996 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
4997
4998 if (operation->id == 0) {
4999 status = PSA_ERROR_BAD_STATE;
5000 goto exit;
5001 }
5002
5003 if (operation->nonce_set) {
5004 status = PSA_ERROR_BAD_STATE;
5005 goto exit;
5006 }
5007
5008 status = psa_aead_check_nonce_length(operation->alg, nonce_length);
5009 if (status != PSA_SUCCESS) {
5010 status = PSA_ERROR_INVALID_ARGUMENT;
5011 goto exit;
5012 }
5013
5014 status = psa_driver_wrapper_aead_set_nonce(operation, nonce,
5015 nonce_length);
5016
5017exit:
5018 if (status == PSA_SUCCESS) {
5019 operation->nonce_set = 1;
5020 } else {
5021 psa_aead_abort(operation);
5022 }
5023
5024 return status;
5025}
5026
5027/* Generate a random nonce / IV for multipart AEAD operation */
5028psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
5029 uint8_t *nonce_external,
5030 size_t nonce_size,
5031 size_t *nonce_length)
5032{
5033 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5034 uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
5035 size_t required_nonce_size = 0;
5036
5037 LOCAL_OUTPUT_DECLARE(nonce_external, nonce);
5038 LOCAL_OUTPUT_ALLOC(nonce_external, nonce_size, nonce);
5039
5040 *nonce_length = 0;
5041
5042 if (operation->id == 0) {
5043 status = PSA_ERROR_BAD_STATE;
5044 goto exit;
5045 }
5046
5047 if (operation->nonce_set || !operation->is_encrypt) {
5048 status = PSA_ERROR_BAD_STATE;
5049 goto exit;
5050 }
5051
5052 /* For CCM, this size may not be correct according to the PSA
5053 * specification. The PSA Crypto 1.0.1 specification states:
5054 *
5055 * CCM encodes the plaintext length pLen in L octets, with L the smallest
5056 * integer >= 2 where pLen < 2^(8L). The nonce length is then 15 - L bytes.
5057 *
5058 * However this restriction that L has to be the smallest integer is not
5059 * applied in practice, and it is not implementable here since the
5060 * plaintext length may or may not be known at this time. */
5061 required_nonce_size = PSA_AEAD_NONCE_LENGTH(operation->key_type,
5062 operation->alg);
5063 if (nonce_size < required_nonce_size) {
5064 status = PSA_ERROR_BUFFER_TOO_SMALL;
5065 goto exit;
5066 }
5067
5068 status = psa_generate_random_internal(local_nonce, required_nonce_size);
5069 if (status != PSA_SUCCESS) {
5070 goto exit;
5071 }
5072
5073 status = psa_aead_set_nonce_internal(operation, local_nonce,
5074 required_nonce_size);
5075
5076exit:
5077 if (status == PSA_SUCCESS) {
5078 memcpy(nonce, local_nonce, required_nonce_size);
5079 *nonce_length = required_nonce_size;
5080 } else {
5081 psa_aead_abort(operation);
5082 }
5083
5084 LOCAL_OUTPUT_FREE(nonce_external, nonce);
5085
5086 return status;
5087}
5088
5089/* Set the nonce for a multipart authenticated encryption or decryption
5090 operation.*/
5091psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
5092 const uint8_t *nonce_external,
5093 size_t nonce_length)
5094{
5095 psa_status_t status;
5096
5097 LOCAL_INPUT_DECLARE(nonce_external, nonce);
5098 LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
5099
5100 status = psa_aead_set_nonce_internal(operation, nonce, nonce_length);
5101
5102/* Exit label is only needed for buffer copying, prevent unused warnings. */
5103#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
5104exit:
5105#endif
5106
5107 LOCAL_INPUT_FREE(nonce_external, nonce);
5108
5109 return status;
5110}
5111
5112/* Declare the lengths of the message and additional data for multipart AEAD. */
5113psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
5114 size_t ad_length,
5115 size_t plaintext_length)
5116{
5117 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5118
5119 if (operation->id == 0) {
5120 status = PSA_ERROR_BAD_STATE;
5121 goto exit;
5122 }
5123
5124 if (operation->lengths_set || operation->ad_started ||
5125 operation->body_started) {
5126 status = PSA_ERROR_BAD_STATE;
5127 goto exit;
5128 }
5129
5130 switch (operation->alg) {
5131#if defined(PSA_WANT_ALG_GCM)
5132 case PSA_ALG_GCM:
5133 /* Lengths can only be too large for GCM if size_t is bigger than 32
5134 * bits. Without the guard this code will generate warnings on 32bit
5135 * builds. */
5136#if SIZE_MAX > UINT32_MAX
5137 if (((uint64_t) ad_length) >> 61 != 0 ||
5138 ((uint64_t) plaintext_length) > 0xFFFFFFFE0ull) {
5139 status = PSA_ERROR_INVALID_ARGUMENT;
5140 goto exit;
5141 }
5142#endif
5143 break;
5144#endif /* PSA_WANT_ALG_GCM */
5145#if defined(PSA_WANT_ALG_CCM)
5146 case PSA_ALG_CCM:
5147 if (ad_length > 0xFF00) {
5148 status = PSA_ERROR_INVALID_ARGUMENT;
5149 goto exit;
5150 }
5151 break;
5152#endif /* PSA_WANT_ALG_CCM */
5153#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
5154 case PSA_ALG_CHACHA20_POLY1305:
5155 /* No length restrictions for ChaChaPoly. */
5156 break;
5157#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
5158 default:
5159 break;
5160 }
5161
5162 status = psa_driver_wrapper_aead_set_lengths(operation, ad_length,
5163 plaintext_length);
5164
5165exit:
5166 if (status == PSA_SUCCESS) {
5167 operation->ad_remaining = ad_length;
5168 operation->body_remaining = plaintext_length;
5169 operation->lengths_set = 1;
5170 } else {
5171 psa_aead_abort(operation);
5172 }
5173
5174 return status;
5175}
5176
5177/* Pass additional data to an active multipart AEAD operation. */
5178psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
5179 const uint8_t *input_external,
5180 size_t input_length)
5181{
5182 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5183
5184 LOCAL_INPUT_DECLARE(input_external, input);
5185 LOCAL_INPUT_ALLOC(input_external, input_length, input);
5186
5187 if (operation->id == 0) {
5188 status = PSA_ERROR_BAD_STATE;
5189 goto exit;
5190 }
5191
5192 if (!operation->nonce_set || operation->body_started) {
5193 status = PSA_ERROR_BAD_STATE;
5194 goto exit;
5195 }
5196
5197 if (operation->lengths_set) {
5198 if (operation->ad_remaining < input_length) {
5199 status = PSA_ERROR_INVALID_ARGUMENT;
5200 goto exit;
5201 }
5202
5203 operation->ad_remaining -= input_length;
5204 }
5205#if defined(PSA_WANT_ALG_CCM)
5206 else if (operation->alg == PSA_ALG_CCM) {
5207 status = PSA_ERROR_BAD_STATE;
5208 goto exit;
5209 }
5210#endif /* PSA_WANT_ALG_CCM */
5211
5212 status = psa_driver_wrapper_aead_update_ad(operation, input,
5213 input_length);
5214
5215exit:
5216 if (status == PSA_SUCCESS) {
5217 operation->ad_started = 1;
5218 } else {
5219 psa_aead_abort(operation);
5220 }
5221
5222 LOCAL_INPUT_FREE(input_external, input);
5223
5224 return status;
5225}
5226
5227/* Encrypt or decrypt a message fragment in an active multipart AEAD
5228 operation.*/
5229psa_status_t psa_aead_update(psa_aead_operation_t *operation,
5230 const uint8_t *input_external,
5231 size_t input_length,
5232 uint8_t *output_external,
5233 size_t output_size,
5234 size_t *output_length)
5235{
5236 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5237
5238
5239 LOCAL_INPUT_DECLARE(input_external, input);
5240 LOCAL_OUTPUT_DECLARE(output_external, output);
5241
5242 LOCAL_INPUT_ALLOC(input_external, input_length, input);
5243 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
5244
5245 *output_length = 0;
5246
5247 if (operation->id == 0) {
5248 status = PSA_ERROR_BAD_STATE;
5249 goto exit;
5250 }
5251
5252 if (!operation->nonce_set) {
5253 status = PSA_ERROR_BAD_STATE;
5254 goto exit;
5255 }
5256
5257 if (operation->lengths_set) {
5258 /* Additional data length was supplied, but not all the additional
5259 data was supplied.*/
5260 if (operation->ad_remaining != 0) {
5261 status = PSA_ERROR_INVALID_ARGUMENT;
5262 goto exit;
5263 }
5264
5265 /* Too much data provided. */
5266 if (operation->body_remaining < input_length) {
5267 status = PSA_ERROR_INVALID_ARGUMENT;
5268 goto exit;
5269 }
5270
5271 operation->body_remaining -= input_length;
5272 }
5273#if defined(PSA_WANT_ALG_CCM)
5274 else if (operation->alg == PSA_ALG_CCM) {
5275 status = PSA_ERROR_BAD_STATE;
5276 goto exit;
5277 }
5278#endif /* PSA_WANT_ALG_CCM */
5279
5280 status = psa_driver_wrapper_aead_update(operation, input, input_length,
5281 output, output_size,
5282 output_length);
5283
5284exit:
5285 if (status == PSA_SUCCESS) {
5286 operation->body_started = 1;
5287 } else {
5288 psa_aead_abort(operation);
5289 }
5290
5291 LOCAL_INPUT_FREE(input_external, input);
5292 LOCAL_OUTPUT_FREE(output_external, output);
5293
5294 return status;
5295}
5296
5297static psa_status_t psa_aead_final_checks(const psa_aead_operation_t *operation)
5298{
5299 if (operation->id == 0 || !operation->nonce_set) {
5300 return PSA_ERROR_BAD_STATE;
5301 }
5302
5303 if (operation->lengths_set && (operation->ad_remaining != 0 ||
5304 operation->body_remaining != 0)) {
5305 return PSA_ERROR_INVALID_ARGUMENT;
5306 }
5307
5308 return PSA_SUCCESS;
5309}
5310
5311/* Finish encrypting a message in a multipart AEAD operation. */
5312psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
5313 uint8_t *ciphertext_external,
5314 size_t ciphertext_size,
5315 size_t *ciphertext_length,
5316 uint8_t *tag_external,
5317 size_t tag_size,
5318 size_t *tag_length)
5319{
5320 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5321
5322 LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
5323 LOCAL_OUTPUT_DECLARE(tag_external, tag);
5324
5325 LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
5326 LOCAL_OUTPUT_ALLOC(tag_external, tag_size, tag);
5327
5328 *ciphertext_length = 0;
5329 *tag_length = tag_size;
5330
5331 status = psa_aead_final_checks(operation);
5332 if (status != PSA_SUCCESS) {
5333 goto exit;
5334 }
5335
5336 if (!operation->is_encrypt) {
5337 status = PSA_ERROR_BAD_STATE;
5338 goto exit;
5339 }
5340
5341 status = psa_driver_wrapper_aead_finish(operation, ciphertext,
5342 ciphertext_size,
5343 ciphertext_length,
5344 tag, tag_size, tag_length);
5345
5346exit:
5347
5348
5349 /* In case the operation fails and the user fails to check for failure or
5350 * the zero tag size, make sure the tag is set to something implausible.
5351 * Even if the operation succeeds, make sure we clear the rest of the
5352 * buffer to prevent potential leakage of anything previously placed in
5353 * the same buffer.*/
5354 psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length);
5355
5356 psa_aead_abort(operation);
5357
5358 LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
5359 LOCAL_OUTPUT_FREE(tag_external, tag);
5360
5361 return status;
5362}
5363
5364/* Finish authenticating and decrypting a message in a multipart AEAD
5365 operation.*/
5366psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
5367 uint8_t *plaintext_external,
5368 size_t plaintext_size,
5369 size_t *plaintext_length,
5370 const uint8_t *tag_external,
5371 size_t tag_length)
5372{
5373 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5374
5375 LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
5376 LOCAL_INPUT_DECLARE(tag_external, tag);
5377
5378 LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
5379 LOCAL_INPUT_ALLOC(tag_external, tag_length, tag);
5380
5381 *plaintext_length = 0;
5382
5383 status = psa_aead_final_checks(operation);
5384 if (status != PSA_SUCCESS) {
5385 goto exit;
5386 }
5387
5388 if (operation->is_encrypt) {
5389 status = PSA_ERROR_BAD_STATE;
5390 goto exit;
5391 }
5392
5393 status = psa_driver_wrapper_aead_verify(operation, plaintext,
5394 plaintext_size,
5395 plaintext_length,
5396 tag, tag_length);
5397
5398exit:
5399 psa_aead_abort(operation);
5400
5401 LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
5402 LOCAL_INPUT_FREE(tag_external, tag);
5403
5404 return status;
5405}
5406
5407/* Abort an AEAD operation. */
5408psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
5409{
5410 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5411
5412 if (operation->id == 0) {
5413 /* The object has (apparently) been initialized but it is not (yet)
5414 * in use. It's ok to call abort on such an object, and there's
5415 * nothing to do. */
5416 return PSA_SUCCESS;
5417 }
5418
5419 status = psa_driver_wrapper_aead_abort(operation);
5420
5421 memset(operation, 0, sizeof(*operation));
5422
5423 return status;
5424}
5425
5426/****************************************************************/
5427/* Generators */
5428/****************************************************************/
5429
5430#if defined(BUILTIN_ALG_ANY_HKDF) || \
5431 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5432 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \
5433 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \
5434 defined(PSA_HAVE_SOFT_PBKDF2)
5435#define AT_LEAST_ONE_BUILTIN_KDF
5436#endif /* At least one builtin KDF */
5437
5438#if defined(BUILTIN_ALG_ANY_HKDF) || \
5439 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5440 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5441static psa_status_t psa_key_derivation_start_hmac(
5442 psa_mac_operation_t *operation,
5443 psa_algorithm_t hash_alg,
5444 const uint8_t *hmac_key,
5445 size_t hmac_key_length)
5446{
5447 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5448 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5449 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
5450 psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(hmac_key_length));
5451 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
5452
5453 operation->is_sign = 1;
5454 operation->mac_size = PSA_HASH_LENGTH(hash_alg);
5455
5456 status = psa_driver_wrapper_mac_sign_setup(operation,
5457 &attributes,
5458 hmac_key, hmac_key_length,
5459 PSA_ALG_HMAC(hash_alg));
5460
5461 psa_reset_key_attributes(&attributes);
5462 return status;
5463}
5464#endif /* KDF algorithms reliant on HMAC */
5465
5466#define HKDF_STATE_INIT 0 /* no input yet */
5467#define HKDF_STATE_STARTED 1 /* got salt */
5468#define HKDF_STATE_KEYED 2 /* got key */
5469#define HKDF_STATE_OUTPUT 3 /* output started */
5470
5471static psa_algorithm_t psa_key_derivation_get_kdf_alg(
5472 const psa_key_derivation_operation_t *operation)
5473{
5474 if (PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
5475 return PSA_ALG_KEY_AGREEMENT_GET_KDF(operation->alg);
5476 } else {
5477 return operation->alg;
5478 }
5479}
5480
5481psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
5482{
5483 psa_status_t status = PSA_SUCCESS;
5484 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
5485 if (kdf_alg == 0) {
5486 /* The object has (apparently) been initialized but it is not
5487 * in use. It's ok to call abort on such an object, and there's
5488 * nothing to do. */
5489 } else
5490#if defined(BUILTIN_ALG_ANY_HKDF)
5491 if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
5492 mbedtls_free(operation->ctx.hkdf.info);
5493 status = psa_mac_abort(&operation->ctx.hkdf.hmac);
5494 } else
5495#endif /* BUILTIN_ALG_ANY_HKDF */
5496#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5497 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5498 if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
5499 /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
5500 PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
5501 if (operation->ctx.tls12_prf.secret != NULL) {
5502 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.secret,
5503 operation->ctx.tls12_prf.secret_length);
5504 }
5505
5506 if (operation->ctx.tls12_prf.seed != NULL) {
5507 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.seed,
5508 operation->ctx.tls12_prf.seed_length);
5509 }
5510
5511 if (operation->ctx.tls12_prf.label != NULL) {
5512 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.label,
5513 operation->ctx.tls12_prf.label_length);
5514 }
5515#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5516 if (operation->ctx.tls12_prf.other_secret != NULL) {
5517 mbedtls_zeroize_and_free(operation->ctx.tls12_prf.other_secret,
5518 operation->ctx.tls12_prf.other_secret_length);
5519 }
5520#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
5521 status = PSA_SUCCESS;
5522
5523 /* We leave the fields Ai and output_block to be erased safely by the
5524 * mbedtls_platform_zeroize() in the end of this function. */
5525 } else
5526#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
5527 * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */
5528#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
5529 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
5530 mbedtls_platform_zeroize(operation->ctx.tls12_ecjpake_to_pms.data,
5531 sizeof(operation->ctx.tls12_ecjpake_to_pms.data));
5532 } else
5533#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */
5534#if defined(PSA_HAVE_SOFT_PBKDF2)
5535 if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
5536 if (operation->ctx.pbkdf2.salt != NULL) {
5537 mbedtls_zeroize_and_free(operation->ctx.pbkdf2.salt,
5538 operation->ctx.pbkdf2.salt_length);
5539 }
5540
5541 status = PSA_SUCCESS;
5542 } else
5543#endif /* defined(PSA_HAVE_SOFT_PBKDF2) */
5544 {
5545 status = PSA_ERROR_BAD_STATE;
5546 }
5547 mbedtls_platform_zeroize(operation, sizeof(*operation));
5548 return status;
5549}
5550
5551psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation,
5552 size_t *capacity)
5553{
5554 if (operation->alg == 0) {
5555 /* This is a blank key derivation operation. */
5556 return PSA_ERROR_BAD_STATE;
5557 }
5558
5559 *capacity = operation->capacity;
5560 return PSA_SUCCESS;
5561}
5562
5563psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t *operation,
5564 size_t capacity)
5565{
5566 if (operation->alg == 0) {
5567 return PSA_ERROR_BAD_STATE;
5568 }
5569 if (capacity > operation->capacity) {
5570 return PSA_ERROR_INVALID_ARGUMENT;
5571 }
5572 operation->capacity = capacity;
5573 return PSA_SUCCESS;
5574}
5575
5576#if defined(BUILTIN_ALG_ANY_HKDF)
5577/* Read some bytes from an HKDF-based operation. */
5578static psa_status_t psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t *hkdf,
5579 psa_algorithm_t kdf_alg,
5580 uint8_t *output,
5581 size_t output_length)
5582{
5583 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
5584 uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
5585 size_t hmac_output_length;
5586 psa_status_t status;
5587#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
5588 const uint8_t last_block = PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) ? 0 : 0xff;
5589#else
5590 const uint8_t last_block = 0xff;
5591#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
5592
5593 if (hkdf->state < HKDF_STATE_KEYED ||
5594 (!hkdf->info_set
5595#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
5596 && !PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)
5597#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
5598 )) {
5599 return PSA_ERROR_BAD_STATE;
5600 }
5601 hkdf->state = HKDF_STATE_OUTPUT;
5602
5603 while (output_length != 0) {
5604 /* Copy what remains of the current block */
5605 uint8_t n = hash_length - hkdf->offset_in_block;
5606 if (n > output_length) {
5607 n = (uint8_t) output_length;
5608 }
5609 memcpy(output, hkdf->output_block + hkdf->offset_in_block, n);
5610 output += n;
5611 output_length -= n;
5612 hkdf->offset_in_block += n;
5613 if (output_length == 0) {
5614 break;
5615 }
5616 /* We can't be wanting more output after the last block, otherwise
5617 * the capacity check in psa_key_derivation_output_bytes() would have
5618 * prevented this call. It could happen only if the operation
5619 * object was corrupted or if this function is called directly
5620 * inside the library. */
5621 if (hkdf->block_number == last_block) {
5622 return PSA_ERROR_BAD_STATE;
5623 }
5624
5625 /* We need a new block */
5626 ++hkdf->block_number;
5627 hkdf->offset_in_block = 0;
5628
5629 status = psa_key_derivation_start_hmac(&hkdf->hmac,
5630 hash_alg,
5631 hkdf->prk,
5632 hash_length);
5633 if (status != PSA_SUCCESS) {
5634 return status;
5635 }
5636
5637 if (hkdf->block_number != 1) {
5638 status = psa_mac_update(&hkdf->hmac,
5639 hkdf->output_block,
5640 hash_length);
5641 if (status != PSA_SUCCESS) {
5642 return status;
5643 }
5644 }
5645 status = psa_mac_update(&hkdf->hmac,
5646 hkdf->info,
5647 hkdf->info_length);
5648 if (status != PSA_SUCCESS) {
5649 return status;
5650 }
5651 status = psa_mac_update(&hkdf->hmac,
5652 &hkdf->block_number, 1);
5653 if (status != PSA_SUCCESS) {
5654 return status;
5655 }
5656 status = psa_mac_sign_finish(&hkdf->hmac,
5657 hkdf->output_block,
5658 sizeof(hkdf->output_block),
5659 &hmac_output_length);
5660 if (status != PSA_SUCCESS) {
5661 return status;
5662 }
5663 }
5664
5665 return PSA_SUCCESS;
5666}
5667#endif /* BUILTIN_ALG_ANY_HKDF */
5668
5669#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
5670 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
5671static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
5672 psa_tls12_prf_key_derivation_t *tls12_prf,
5673 psa_algorithm_t alg)
5674{
5675 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(alg);
5676 uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
5677 psa_mac_operation_t hmac = PSA_MAC_OPERATION_INIT;
5678 size_t hmac_output_length;
5679 psa_status_t status, cleanup_status;
5680
5681 /* We can't be wanting more output after block 0xff, otherwise
5682 * the capacity check in psa_key_derivation_output_bytes() would have
5683 * prevented this call. It could happen only if the operation
5684 * object was corrupted or if this function is called directly
5685 * inside the library. */
5686 if (tls12_prf->block_number == 0xff) {
5687 return PSA_ERROR_CORRUPTION_DETECTED;
5688 }
5689
5690 /* We need a new block */
5691 ++tls12_prf->block_number;
5692 tls12_prf->left_in_block = hash_length;
5693
5694 /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
5695 *
5696 * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
5697 *
5698 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
5699 * HMAC_hash(secret, A(2) + seed) +
5700 * HMAC_hash(secret, A(3) + seed) + ...
5701 *
5702 * A(0) = seed
5703 * A(i) = HMAC_hash(secret, A(i-1))
5704 *
5705 * The `psa_tls12_prf_key_derivation` structure saves the block
5706 * `HMAC_hash(secret, A(i) + seed)` from which the output
5707 * is currently extracted as `output_block` and where i is
5708 * `block_number`.
5709 */
5710
5711 status = psa_key_derivation_start_hmac(&hmac,
5712 hash_alg,
5713 tls12_prf->secret,
5714 tls12_prf->secret_length);
5715 if (status != PSA_SUCCESS) {
5716 goto cleanup;
5717 }
5718
5719 /* Calculate A(i) where i = tls12_prf->block_number. */
5720 if (tls12_prf->block_number == 1) {
5721 /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads
5722 * the variable seed and in this instance means it in the context of the
5723 * P_hash function, where seed = label + seed.) */
5724 status = psa_mac_update(&hmac,
5725 tls12_prf->label,
5726 tls12_prf->label_length);
5727 if (status != PSA_SUCCESS) {
5728 goto cleanup;
5729 }
5730 status = psa_mac_update(&hmac,
5731 tls12_prf->seed,
5732 tls12_prf->seed_length);
5733 if (status != PSA_SUCCESS) {
5734 goto cleanup;
5735 }
5736 } else {
5737 /* A(i) = HMAC_hash(secret, A(i-1)) */
5738 status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
5739 if (status != PSA_SUCCESS) {
5740 goto cleanup;
5741 }
5742 }
5743
5744 status = psa_mac_sign_finish(&hmac,
5745 tls12_prf->Ai, hash_length,
5746 &hmac_output_length);
5747 if (hmac_output_length != hash_length) {
5748 status = PSA_ERROR_CORRUPTION_DETECTED;
5749 }
5750 if (status != PSA_SUCCESS) {
5751 goto cleanup;
5752 }
5753
5754 /* Calculate HMAC_hash(secret, A(i) + label + seed). */
5755 status = psa_key_derivation_start_hmac(&hmac,
5756 hash_alg,
5757 tls12_prf->secret,
5758 tls12_prf->secret_length);
5759 if (status != PSA_SUCCESS) {
5760 goto cleanup;
5761 }
5762 status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
5763 if (status != PSA_SUCCESS) {
5764 goto cleanup;
5765 }
5766 status = psa_mac_update(&hmac, tls12_prf->label, tls12_prf->label_length);
5767 if (status != PSA_SUCCESS) {
5768 goto cleanup;
5769 }
5770 status = psa_mac_update(&hmac, tls12_prf->seed, tls12_prf->seed_length);
5771 if (status != PSA_SUCCESS) {
5772 goto cleanup;
5773 }
5774 status = psa_mac_sign_finish(&hmac,
5775 tls12_prf->output_block, hash_length,
5776 &hmac_output_length);
5777 if (status != PSA_SUCCESS) {
5778 goto cleanup;
5779 }
5780
5781
5782cleanup:
5783 cleanup_status = psa_mac_abort(&hmac);
5784 if (status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS) {
5785 status = cleanup_status;
5786 }
5787
5788 return status;
5789}
5790
5791static psa_status_t psa_key_derivation_tls12_prf_read(
5792 psa_tls12_prf_key_derivation_t *tls12_prf,
5793 psa_algorithm_t alg,
5794 uint8_t *output,
5795 size_t output_length)
5796{
5797 psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH(alg);
5798 uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
5799 psa_status_t status;
5800 uint8_t offset, length;
5801
5802 switch (tls12_prf->state) {
5803 case PSA_TLS12_PRF_STATE_LABEL_SET:
5804 tls12_prf->state = PSA_TLS12_PRF_STATE_OUTPUT;
5805 break;
5806 case PSA_TLS12_PRF_STATE_OUTPUT:
5807 break;
5808 default:
5809 return PSA_ERROR_BAD_STATE;
5810 }
5811
5812 while (output_length != 0) {
5813 /* Check if we have fully processed the current block. */
5814 if (tls12_prf->left_in_block == 0) {
5815 status = psa_key_derivation_tls12_prf_generate_next_block(tls12_prf,
5816 alg);
5817 if (status != PSA_SUCCESS) {
5818 return status;
5819 }
5820
5821 continue;
5822 }
5823
5824 if (tls12_prf->left_in_block > output_length) {
5825 length = (uint8_t) output_length;
5826 } else {
5827 length = tls12_prf->left_in_block;
5828 }
5829
5830 offset = hash_length - tls12_prf->left_in_block;
5831 memcpy(output, tls12_prf->output_block + offset, length);
5832 output += length;
5833 output_length -= length;
5834 tls12_prf->left_in_block -= length;
5835 }
5836
5837 return PSA_SUCCESS;
5838}
5839#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
5840 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
5841
5842#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
5843static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read(
5844 psa_tls12_ecjpake_to_pms_t *ecjpake,
5845 uint8_t *output,
5846 size_t output_length)
5847{
5848 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5849 size_t output_size = 0;
5850
5851 if (output_length != 32) {
5852 return PSA_ERROR_INVALID_ARGUMENT;
5853 }
5854
5855 status = psa_hash_compute(PSA_ALG_SHA_256, ecjpake->data,
5856 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length,
5857 &output_size);
5858 if (status != PSA_SUCCESS) {
5859 return status;
5860 }
5861
5862 if (output_size != output_length) {
5863 return PSA_ERROR_GENERIC_ERROR;
5864 }
5865
5866 return PSA_SUCCESS;
5867}
5868#endif
5869
5870#if defined(PSA_HAVE_SOFT_PBKDF2)
5871static psa_status_t psa_key_derivation_pbkdf2_generate_block(
5872 psa_pbkdf2_key_derivation_t *pbkdf2,
5873 psa_algorithm_t prf_alg,
5874 uint8_t prf_output_length,
5875 psa_key_attributes_t *attributes)
5876{
5877 psa_status_t status;
5878 psa_mac_operation_t mac_operation = PSA_MAC_OPERATION_INIT;
5879 size_t mac_output_length;
5880 uint8_t U_i[PSA_MAC_MAX_SIZE];
5881 uint8_t *U_accumulator = pbkdf2->output_block;
5882 uint64_t i;
5883 uint8_t block_counter[4];
5884
5885 mac_operation.is_sign = 1;
5886 mac_operation.mac_size = prf_output_length;
5887 MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, block_counter, 0);
5888
5889 status = psa_driver_wrapper_mac_sign_setup(&mac_operation,
5890 attributes,
5891 pbkdf2->password,
5892 pbkdf2->password_length,
5893 prf_alg);
5894 if (status != PSA_SUCCESS) {
5895 goto cleanup;
5896 }
5897 status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length);
5898 if (status != PSA_SUCCESS) {
5899 goto cleanup;
5900 }
5901 status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter));
5902 if (status != PSA_SUCCESS) {
5903 goto cleanup;
5904 }
5905 status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i),
5906 &mac_output_length);
5907 if (status != PSA_SUCCESS) {
5908 goto cleanup;
5909 }
5910
5911 if (mac_output_length != prf_output_length) {
5912 status = PSA_ERROR_CORRUPTION_DETECTED;
5913 goto cleanup;
5914 }
5915
5916 memcpy(U_accumulator, U_i, prf_output_length);
5917
5918 for (i = 1; i < pbkdf2->input_cost; i++) {
5919 /* We are passing prf_output_length as mac_size because the driver
5920 * function directly sets mac_output_length as mac_size upon success.
5921 * See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
5922 status = psa_driver_wrapper_mac_compute(attributes,
5923 pbkdf2->password,
5924 pbkdf2->password_length,
5925 prf_alg, U_i, prf_output_length,
5926 U_i, prf_output_length,
5927 &mac_output_length);
5928 if (status != PSA_SUCCESS) {
5929 goto cleanup;
5930 }
5931
5932 mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length);
5933 }
5934
5935cleanup:
5936 /* Zeroise buffers to clear sensitive data from memory. */
5937 mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE);
5938 return status;
5939}
5940
5941static psa_status_t psa_key_derivation_pbkdf2_read(
5942 psa_pbkdf2_key_derivation_t *pbkdf2,
5943 psa_algorithm_t kdf_alg,
5944 uint8_t *output,
5945 size_t output_length)
5946{
5947 psa_status_t status;
5948 psa_algorithm_t prf_alg;
5949 uint8_t prf_output_length;
5950 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
5951 psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(pbkdf2->password_length));
5952 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
5953
5954 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
5955 prf_alg = PSA_ALG_HMAC(PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg));
5956 prf_output_length = PSA_HASH_LENGTH(prf_alg);
5957 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
5958 } else if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
5959 prf_alg = PSA_ALG_CMAC;
5960 prf_output_length = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
5961 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
5962 } else {
5963 return PSA_ERROR_INVALID_ARGUMENT;
5964 }
5965
5966 switch (pbkdf2->state) {
5967 case PSA_PBKDF2_STATE_PASSWORD_SET:
5968 /* Initially we need a new block so bytes_used is equal to block size*/
5969 pbkdf2->bytes_used = prf_output_length;
5970 pbkdf2->state = PSA_PBKDF2_STATE_OUTPUT;
5971 break;
5972 case PSA_PBKDF2_STATE_OUTPUT:
5973 break;
5974 default:
5975 return PSA_ERROR_BAD_STATE;
5976 }
5977
5978 while (output_length != 0) {
5979 uint8_t n = prf_output_length - pbkdf2->bytes_used;
5980 if (n > output_length) {
5981 n = (uint8_t) output_length;
5982 }
5983 memcpy(output, pbkdf2->output_block + pbkdf2->bytes_used, n);
5984 output += n;
5985 output_length -= n;
5986 pbkdf2->bytes_used += n;
5987
5988 if (output_length == 0) {
5989 break;
5990 }
5991
5992 /* We need a new block */
5993 pbkdf2->bytes_used = 0;
5994 pbkdf2->block_number++;
5995
5996 status = psa_key_derivation_pbkdf2_generate_block(pbkdf2, prf_alg,
5997 prf_output_length,
5998 &attributes);
5999 if (status != PSA_SUCCESS) {
6000 return status;
6001 }
6002 }
6003
6004 return PSA_SUCCESS;
6005}
6006#endif /* PSA_HAVE_SOFT_PBKDF2 */
6007
6008psa_status_t psa_key_derivation_output_bytes(
6009 psa_key_derivation_operation_t *operation,
6010 uint8_t *output_external,
6011 size_t output_length)
6012{
6013 psa_status_t status;
6014 LOCAL_OUTPUT_DECLARE(output_external, output);
6015
6016 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
6017
6018 if (operation->alg == 0) {
6019 /* This is a blank operation. */
6020 return PSA_ERROR_BAD_STATE;
6021 }
6022
6023 if (output_length == 0 && operation->capacity == 0) {
6024 /* Edge case: this is a finished operation, and 0 bytes
6025 * were requested. The right error in this case could
6026 * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
6027 * INSUFFICIENT_CAPACITY, which is right for a finished
6028 * operation, for consistency with the case when
6029 * output_length > 0. */
6030 return PSA_ERROR_INSUFFICIENT_DATA;
6031 }
6032
6033 LOCAL_OUTPUT_ALLOC(output_external, output_length, output);
6034 if (output_length > operation->capacity) {
6035 operation->capacity = 0;
6036 /* Go through the error path to wipe all confidential data now
6037 * that the operation object is useless. */
6038 status = PSA_ERROR_INSUFFICIENT_DATA;
6039 goto exit;
6040 }
6041
6042 operation->capacity -= output_length;
6043
6044#if defined(BUILTIN_ALG_ANY_HKDF)
6045 if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
6046 status = psa_key_derivation_hkdf_read(&operation->ctx.hkdf, kdf_alg,
6047 output, output_length);
6048 } else
6049#endif /* BUILTIN_ALG_ANY_HKDF */
6050#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
6051 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
6052 if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
6053 PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
6054 status = psa_key_derivation_tls12_prf_read(&operation->ctx.tls12_prf,
6055 kdf_alg, output,
6056 output_length);
6057 } else
6058#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
6059 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
6060#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
6061 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6062 status = psa_key_derivation_tls12_ecjpake_to_pms_read(
6063 &operation->ctx.tls12_ecjpake_to_pms, output, output_length);
6064 } else
6065#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
6066#if defined(PSA_HAVE_SOFT_PBKDF2)
6067 if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
6068 status = psa_key_derivation_pbkdf2_read(&operation->ctx.pbkdf2, kdf_alg,
6069 output, output_length);
6070 } else
6071#endif /* PSA_HAVE_SOFT_PBKDF2 */
6072
6073 {
6074 (void) kdf_alg;
6075 status = PSA_ERROR_BAD_STATE;
6076 LOCAL_OUTPUT_FREE(output_external, output);
6077
6078 return status;
6079 }
6080
6081exit:
6082 if (status != PSA_SUCCESS) {
6083 /* Preserve the algorithm upon errors, but clear all sensitive state.
6084 * This allows us to differentiate between exhausted operations and
6085 * blank operations, so we can return PSA_ERROR_BAD_STATE on blank
6086 * operations. */
6087 psa_algorithm_t alg = operation->alg;
6088 psa_key_derivation_abort(operation);
6089 operation->alg = alg;
6090 if (output != NULL) {
6091 memset(output, '!', output_length);
6092 }
6093 }
6094
6095 LOCAL_OUTPUT_FREE(output_external, output);
6096 return status;
6097}
6098
6099#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
6100static void psa_des_set_key_parity(uint8_t *data, size_t data_size)
6101{
6102 if (data_size >= 8) {
6103 mbedtls_des_key_set_parity(data);
6104 }
6105 if (data_size >= 16) {
6106 mbedtls_des_key_set_parity(data + 8);
6107 }
6108 if (data_size >= 24) {
6109 mbedtls_des_key_set_parity(data + 16);
6110 }
6111}
6112#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
6113
6114/*
6115 * ECC keys on a Weierstrass elliptic curve require the generation
6116 * of a private key which is an integer
6117 * in the range [1, N - 1], where N is the boundary of the private key domain:
6118 * N is the prime p for Diffie-Hellman, or the order of the
6119 * curve’s base point for ECC.
6120 *
6121 * Let m be the bit size of N, such that 2^m > N >= 2^(m-1).
6122 * This function generates the private key using the following process:
6123 *
6124 * 1. Draw a byte string of length ceiling(m/8) bytes.
6125 * 2. If m is not a multiple of 8, set the most significant
6126 * (8 * ceiling(m/8) - m) bits of the first byte in the string to zero.
6127 * 3. Convert the string to integer k by decoding it as a big-endian byte string.
6128 * 4. If k > N - 2, discard the result and return to step 1.
6129 * 5. Output k + 1 as the private key.
6130 *
6131 * This method allows compliance to NIST standards, specifically the methods titled
6132 * Key-Pair Generation by Testing Candidates in the following publications:
6133 * - NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment
6134 * Schemes Using Discrete Logarithm Cryptography [SP800-56A] §5.6.1.1.4 for
6135 * Diffie-Hellman keys.
6136 *
6137 * - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature
6138 * Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys.
6139 *
6140 * Note: Function allocates memory for *data buffer, so given *data should be
6141 * always NULL.
6142 */
6143#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
6144#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
6145static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
6146 psa_key_slot_t *slot,
6147 size_t bits,
6148 psa_key_derivation_operation_t *operation,
6149 uint8_t **data
6150 )
6151{
6152 unsigned key_out_of_range = 1;
6153 mbedtls_mpi k;
6154 mbedtls_mpi diff_N_2;
6155 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6156 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6157 size_t m;
6158 size_t m_bytes;
6159
6160 mbedtls_mpi_init(&k);
6161 mbedtls_mpi_init(&diff_N_2);
6162
6163 psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
6164 slot->attr.type);
6165 mbedtls_ecp_group_id grp_id =
6166 mbedtls_ecc_group_from_psa(curve, bits);
6167
6168 if (grp_id == MBEDTLS_ECP_DP_NONE) {
6169 ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
6170 goto cleanup;
6171 }
6172
6173 mbedtls_ecp_group ecp_group;
6174 mbedtls_ecp_group_init(&ecp_group);
6175
6176 MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ecp_group, grp_id));
6177
6178 /* N is the boundary of the private key domain (ecp_group.N). */
6179 /* Let m be the bit size of N. */
6180 m = ecp_group.nbits;
6181
6182 m_bytes = PSA_BITS_TO_BYTES(m);
6183
6184 /* Calculate N - 2 - it will be needed later. */
6185 MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&diff_N_2, &ecp_group.N, 2));
6186
6187 /* Note: This function is always called with *data == NULL and it
6188 * allocates memory for the data buffer. */
6189 *data = mbedtls_calloc(1, m_bytes);
6190 if (*data == NULL) {
6191 ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
6192 goto cleanup;
6193 }
6194
6195 while (key_out_of_range) {
6196 /* 1. Draw a byte string of length ceiling(m/8) bytes. */
6197 if ((status = psa_key_derivation_output_bytes(operation, *data, m_bytes)) != 0) {
6198 goto cleanup;
6199 }
6200
6201 /* 2. If m is not a multiple of 8 */
6202 if (m % 8 != 0) {
6203 /* Set the most significant
6204 * (8 * ceiling(m/8) - m) bits of the first byte in
6205 * the string to zero.
6206 */
6207 uint8_t clear_bit_mask = (1 << (m % 8)) - 1;
6208 (*data)[0] &= clear_bit_mask;
6209 }
6210
6211 /* 3. Convert the string to integer k by decoding it as a
6212 * big-endian byte string.
6213 */
6214 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&k, *data, m_bytes));
6215
6216 /* 4. If k > N - 2, discard the result and return to step 1.
6217 * Result of comparison is returned. When it indicates error
6218 * then this function is called again.
6219 */
6220 MBEDTLS_MPI_CHK(mbedtls_mpi_lt_mpi_ct(&diff_N_2, &k, &key_out_of_range));
6221 }
6222
6223 /* 5. Output k + 1 as the private key. */
6224 MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&k, &k, 1));
6225 MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&k, *data, m_bytes));
6226cleanup:
6227 if (ret != 0) {
6228 status = mbedtls_to_psa_error(ret);
6229 }
6230 if (status != PSA_SUCCESS) {
6231 mbedtls_free(*data);
6232 *data = NULL;
6233 }
6234 mbedtls_mpi_free(&k);
6235 mbedtls_mpi_free(&diff_N_2);
6236 return status;
6237}
6238
6239/* ECC keys on a Montgomery elliptic curve draws a byte string whose length
6240 * is determined by the curve, and sets the mandatory bits accordingly. That is:
6241 *
6242 * - Curve25519 (PSA_ECC_FAMILY_MONTGOMERY, 255 bits):
6243 * draw a 32-byte string and process it as specified in
6244 * Elliptic Curves for Security [RFC7748] §5.
6245 *
6246 * - Curve448 (PSA_ECC_FAMILY_MONTGOMERY, 448 bits):
6247 * draw a 56-byte string and process it as specified in [RFC7748] §5.
6248 *
6249 * Note: Function allocates memory for *data buffer, so given *data should be
6250 * always NULL.
6251 */
6252
6253static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
6254 size_t bits,
6255 psa_key_derivation_operation_t *operation,
6256 uint8_t **data
6257 )
6258{
6259 size_t output_length;
6260 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6261
6262 switch (bits) {
6263 case 255:
6264 output_length = 32;
6265 break;
6266 case 448:
6267 output_length = 56;
6268 break;
6269 default:
6270 return PSA_ERROR_INVALID_ARGUMENT;
6271 break;
6272 }
6273
6274 *data = mbedtls_calloc(1, output_length);
6275
6276 if (*data == NULL) {
6277 return PSA_ERROR_INSUFFICIENT_MEMORY;
6278 }
6279
6280 status = psa_key_derivation_output_bytes(operation, *data, output_length);
6281
6282 if (status != PSA_SUCCESS) {
6283 return status;
6284 }
6285
6286 switch (bits) {
6287 case 255:
6288 (*data)[0] &= 248;
6289 (*data)[31] &= 127;
6290 (*data)[31] |= 64;
6291 break;
6292 case 448:
6293 (*data)[0] &= 252;
6294 (*data)[55] |= 128;
6295 break;
6296 default:
6297 return PSA_ERROR_CORRUPTION_DETECTED;
6298 break;
6299 }
6300
6301 return status;
6302}
6303#else /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
6304static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
6305 psa_key_slot_t *slot, size_t bits,
6306 psa_key_derivation_operation_t *operation, uint8_t **data)
6307{
6308 (void) slot;
6309 (void) bits;
6310 (void) operation;
6311 (void) data;
6312 return PSA_ERROR_NOT_SUPPORTED;
6313}
6314
6315static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
6316 size_t bits, psa_key_derivation_operation_t *operation, uint8_t **data)
6317{
6318 (void) bits;
6319 (void) operation;
6320 (void) data;
6321 return PSA_ERROR_NOT_SUPPORTED;
6322}
6323#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
6324#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
6325
6326static psa_status_t psa_generate_derived_key_internal(
6327 psa_key_slot_t *slot,
6328 size_t bits,
6329 psa_key_derivation_operation_t *operation)
6330{
6331 uint8_t *data = NULL;
6332 size_t bytes = PSA_BITS_TO_BYTES(bits);
6333 size_t storage_size = bytes;
6334 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6335
6336 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
6337 return PSA_ERROR_INVALID_ARGUMENT;
6338 }
6339
6340#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
6341 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
6342 if (PSA_KEY_TYPE_IS_ECC(slot->attr.type)) {
6343 psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(slot->attr.type);
6344 if (PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
6345 /* Weierstrass elliptic curve */
6346 status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data);
6347 if (status != PSA_SUCCESS) {
6348 goto exit;
6349 }
6350 } else {
6351 /* Montgomery elliptic curve */
6352 status = psa_generate_derived_ecc_key_montgomery_helper(bits, operation, &data);
6353 if (status != PSA_SUCCESS) {
6354 goto exit;
6355 }
6356 }
6357 } else
6358#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) ||
6359 defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) */
6360 if (key_type_is_raw_bytes(slot->attr.type)) {
6361 if (bits % 8 != 0) {
6362 return PSA_ERROR_INVALID_ARGUMENT;
6363 }
6364 data = mbedtls_calloc(1, bytes);
6365 if (data == NULL) {
6366 return PSA_ERROR_INSUFFICIENT_MEMORY;
6367 }
6368
6369 status = psa_key_derivation_output_bytes(operation, data, bytes);
6370 if (status != PSA_SUCCESS) {
6371 goto exit;
6372 }
6373#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
6374 if (slot->attr.type == PSA_KEY_TYPE_DES) {
6375 psa_des_set_key_parity(data, bytes);
6376 }
6377#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) */
6378 } else {
6379 return PSA_ERROR_NOT_SUPPORTED;
6380 }
6381
6382 slot->attr.bits = (psa_key_bits_t) bits;
6383
6384 if (psa_key_lifetime_is_external(slot->attr.lifetime)) {
6385 status = psa_driver_wrapper_get_key_buffer_size(&slot->attr,
6386 &storage_size);
6387 if (status != PSA_SUCCESS) {
6388 goto exit;
6389 }
6390 }
6391 status = psa_allocate_buffer_to_slot(slot, storage_size);
6392 if (status != PSA_SUCCESS) {
6393 goto exit;
6394 }
6395
6396 status = psa_driver_wrapper_import_key(&slot->attr,
6397 data, bytes,
6398 slot->key.data,
6399 slot->key.bytes,
6400 &slot->key.bytes, &bits);
6401 if (bits != slot->attr.bits) {
6402 status = PSA_ERROR_INVALID_ARGUMENT;
6403 }
6404
6405exit:
6406 mbedtls_free(data);
6407 return status;
6408}
6409
6410static const psa_key_production_parameters_t default_production_parameters =
6411 PSA_KEY_PRODUCTION_PARAMETERS_INIT;
6412
6413int psa_key_production_parameters_are_default(
6414 const psa_key_production_parameters_t *params,
6415 size_t params_data_length)
6416{
6417 if (params->flags != 0) {
6418 return 0;
6419 }
6420 if (params_data_length != 0) {
6421 return 0;
6422 }
6423 return 1;
6424}
6425
6426psa_status_t psa_key_derivation_output_key_ext(
6427 const psa_key_attributes_t *attributes,
6428 psa_key_derivation_operation_t *operation,
6429 const psa_key_production_parameters_t *params,
6430 size_t params_data_length,
6431 mbedtls_svc_key_id_t *key)
6432{
6433 psa_status_t status;
6434 psa_key_slot_t *slot = NULL;
6435 psa_se_drv_table_entry_t *driver = NULL;
6436
6437 *key = MBEDTLS_SVC_KEY_ID_INIT;
6438
6439 /* Reject any attempt to create a zero-length key so that we don't
6440 * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
6441 if (psa_get_key_bits(attributes) == 0) {
6442 return PSA_ERROR_INVALID_ARGUMENT;
6443 }
6444
6445 if (!psa_key_production_parameters_are_default(params, params_data_length)) {
6446 return PSA_ERROR_INVALID_ARGUMENT;
6447 }
6448
6449 if (operation->alg == PSA_ALG_NONE) {
6450 return PSA_ERROR_BAD_STATE;
6451 }
6452
6453 if (!operation->can_output_key) {
6454 return PSA_ERROR_NOT_PERMITTED;
6455 }
6456
6457 status = psa_start_key_creation(PSA_KEY_CREATION_DERIVE, attributes,
6458 &slot, &driver);
6459#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
6460 if (driver != NULL) {
6461 /* Deriving a key in a secure element is not implemented yet. */
6462 status = PSA_ERROR_NOT_SUPPORTED;
6463 }
6464#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
6465 if (status == PSA_SUCCESS) {
6466 status = psa_generate_derived_key_internal(slot,
6467 attributes->bits,
6468 operation);
6469 }
6470 if (status == PSA_SUCCESS) {
6471 status = psa_finish_key_creation(slot, driver, key);
6472 }
6473 if (status != PSA_SUCCESS) {
6474 psa_fail_key_creation(slot, driver);
6475 }
6476
6477 return status;
6478}
6479
6480psa_status_t psa_key_derivation_output_key(
6481 const psa_key_attributes_t *attributes,
6482 psa_key_derivation_operation_t *operation,
6483 mbedtls_svc_key_id_t *key)
6484{
6485 return psa_key_derivation_output_key_ext(attributes, operation,
6486 &default_production_parameters, 0,
6487 key);
6488}
6489
6490
6491/****************************************************************/
6492/* Key derivation */
6493/****************************************************************/
6494
6495#if defined(AT_LEAST_ONE_BUILTIN_KDF)
6496static int is_kdf_alg_supported(psa_algorithm_t kdf_alg)
6497{
6498#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
6499 if (PSA_ALG_IS_HKDF(kdf_alg)) {
6500 return 1;
6501 }
6502#endif
6503#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
6504 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6505 return 1;
6506 }
6507#endif
6508#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
6509 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
6510 return 1;
6511 }
6512#endif
6513#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
6514 if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
6515 return 1;
6516 }
6517#endif
6518#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
6519 if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
6520 return 1;
6521 }
6522#endif
6523#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
6524 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6525 return 1;
6526 }
6527#endif
6528#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
6529 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
6530 return 1;
6531 }
6532#endif
6533#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
6534 if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
6535 return 1;
6536 }
6537#endif
6538 return 0;
6539}
6540
6541static psa_status_t psa_hash_try_support(psa_algorithm_t alg)
6542{
6543 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
6544 psa_status_t status = psa_hash_setup(&operation, alg);
6545 psa_hash_abort(&operation);
6546 return status;
6547}
6548
6549static psa_status_t psa_key_derivation_set_maximum_capacity(
6550 psa_key_derivation_operation_t *operation,
6551 psa_algorithm_t kdf_alg)
6552{
6553#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
6554 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6555 operation->capacity = PSA_HASH_LENGTH(PSA_ALG_SHA_256);
6556 return PSA_SUCCESS;
6557 }
6558#endif
6559#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
6560 if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
6561#if (SIZE_MAX > UINT32_MAX)
6562 operation->capacity = UINT32_MAX * (size_t) PSA_MAC_LENGTH(
6563 PSA_KEY_TYPE_AES,
6564 128U,
6565 PSA_ALG_CMAC);
6566#else
6567 operation->capacity = SIZE_MAX;
6568#endif
6569 return PSA_SUCCESS;
6570 }
6571#endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */
6572
6573 /* After this point, if kdf_alg is not valid then value of hash_alg may be
6574 * invalid or meaningless but it does not affect this function */
6575 psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(kdf_alg);
6576 size_t hash_size = PSA_HASH_LENGTH(hash_alg);
6577 if (hash_size == 0) {
6578 return PSA_ERROR_NOT_SUPPORTED;
6579 }
6580
6581 /* Make sure that hash_alg is a supported hash algorithm. Otherwise
6582 * we might fail later, which is somewhat unfriendly and potentially
6583 * risk-prone. */
6584 psa_status_t status = psa_hash_try_support(hash_alg);
6585 if (status != PSA_SUCCESS) {
6586 return status;
6587 }
6588
6589#if defined(PSA_WANT_ALG_HKDF)
6590 if (PSA_ALG_IS_HKDF(kdf_alg)) {
6591 operation->capacity = 255 * hash_size;
6592 } else
6593#endif
6594#if defined(PSA_WANT_ALG_HKDF_EXTRACT)
6595 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6596 operation->capacity = hash_size;
6597 } else
6598#endif
6599#if defined(PSA_WANT_ALG_HKDF_EXPAND)
6600 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
6601 operation->capacity = 255 * hash_size;
6602 } else
6603#endif
6604#if defined(PSA_WANT_ALG_TLS12_PRF)
6605 if (PSA_ALG_IS_TLS12_PRF(kdf_alg) &&
6606 (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
6607 operation->capacity = SIZE_MAX;
6608 } else
6609#endif
6610#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS)
6611 if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg) &&
6612 (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
6613 /* Master Secret is always 48 bytes
6614 * https://datatracker.ietf.org/doc/html/rfc5246.html#section-8.1 */
6615 operation->capacity = 48U;
6616 } else
6617#endif
6618#if defined(PSA_WANT_ALG_PBKDF2_HMAC)
6619 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
6620#if (SIZE_MAX > UINT32_MAX)
6621 operation->capacity = UINT32_MAX * hash_size;
6622#else
6623 operation->capacity = SIZE_MAX;
6624#endif
6625 } else
6626#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
6627 {
6628 (void) hash_size;
6629 status = PSA_ERROR_NOT_SUPPORTED;
6630 }
6631 return status;
6632}
6633
6634static psa_status_t psa_key_derivation_setup_kdf(
6635 psa_key_derivation_operation_t *operation,
6636 psa_algorithm_t kdf_alg)
6637{
6638 /* Make sure that operation->ctx is properly zero-initialised. (Macro
6639 * initialisers for this union leave some bytes unspecified.) */
6640 memset(&operation->ctx, 0, sizeof(operation->ctx));
6641
6642 /* Make sure that kdf_alg is a supported key derivation algorithm. */
6643 if (!is_kdf_alg_supported(kdf_alg)) {
6644 return PSA_ERROR_NOT_SUPPORTED;
6645 }
6646
6647 psa_status_t status = psa_key_derivation_set_maximum_capacity(operation,
6648 kdf_alg);
6649 return status;
6650}
6651
6652static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg)
6653{
6654#if defined(PSA_WANT_ALG_ECDH)
6655 if (alg == PSA_ALG_ECDH) {
6656 return PSA_SUCCESS;
6657 }
6658#endif
6659#if defined(PSA_WANT_ALG_FFDH)
6660 if (alg == PSA_ALG_FFDH) {
6661 return PSA_SUCCESS;
6662 }
6663#endif
6664 (void) alg;
6665 return PSA_ERROR_NOT_SUPPORTED;
6666}
6667
6668static int psa_key_derivation_allows_free_form_secret_input(
6669 psa_algorithm_t kdf_alg)
6670{
6671#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
6672 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
6673 return 0;
6674 }
6675#endif
6676 (void) kdf_alg;
6677 return 1;
6678}
6679#endif /* AT_LEAST_ONE_BUILTIN_KDF */
6680
6681psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation,
6682 psa_algorithm_t alg)
6683{
6684 psa_status_t status;
6685
6686 if (operation->alg != 0) {
6687 return PSA_ERROR_BAD_STATE;
6688 }
6689
6690 if (PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
6691 return PSA_ERROR_INVALID_ARGUMENT;
6692 } else if (PSA_ALG_IS_KEY_AGREEMENT(alg)) {
6693#if defined(AT_LEAST_ONE_BUILTIN_KDF)
6694 psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF(alg);
6695 psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(alg);
6696 status = psa_key_agreement_try_support(ka_alg);
6697 if (status != PSA_SUCCESS) {
6698 return status;
6699 }
6700 if (!psa_key_derivation_allows_free_form_secret_input(kdf_alg)) {
6701 return PSA_ERROR_INVALID_ARGUMENT;
6702 }
6703 status = psa_key_derivation_setup_kdf(operation, kdf_alg);
6704#else
6705 return PSA_ERROR_NOT_SUPPORTED;
6706#endif /* AT_LEAST_ONE_BUILTIN_KDF */
6707 } else if (PSA_ALG_IS_KEY_DERIVATION(alg)) {
6708#if defined(AT_LEAST_ONE_BUILTIN_KDF)
6709 status = psa_key_derivation_setup_kdf(operation, alg);
6710#else
6711 return PSA_ERROR_NOT_SUPPORTED;
6712#endif /* AT_LEAST_ONE_BUILTIN_KDF */
6713 } else {
6714 return PSA_ERROR_INVALID_ARGUMENT;
6715 }
6716
6717 if (status == PSA_SUCCESS) {
6718 operation->alg = alg;
6719 }
6720 return status;
6721}
6722
6723#if defined(BUILTIN_ALG_ANY_HKDF)
6724static psa_status_t psa_hkdf_input(psa_hkdf_key_derivation_t *hkdf,
6725 psa_algorithm_t kdf_alg,
6726 psa_key_derivation_step_t step,
6727 const uint8_t *data,
6728 size_t data_length)
6729{
6730 psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
6731 psa_status_t status;
6732 switch (step) {
6733 case PSA_KEY_DERIVATION_INPUT_SALT:
6734#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
6735 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
6736 return PSA_ERROR_INVALID_ARGUMENT;
6737 }
6738#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
6739 if (hkdf->state != HKDF_STATE_INIT) {
6740 return PSA_ERROR_BAD_STATE;
6741 } else {
6742 status = psa_key_derivation_start_hmac(&hkdf->hmac,
6743 hash_alg,
6744 data, data_length);
6745 if (status != PSA_SUCCESS) {
6746 return status;
6747 }
6748 hkdf->state = HKDF_STATE_STARTED;
6749 return PSA_SUCCESS;
6750 }
6751 case PSA_KEY_DERIVATION_INPUT_SECRET:
6752#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
6753 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
6754 /* We shouldn't be in different state as HKDF_EXPAND only allows
6755 * two inputs: SECRET (this case) and INFO which does not modify
6756 * the state. It could happen only if the hkdf
6757 * object was corrupted. */
6758 if (hkdf->state != HKDF_STATE_INIT) {
6759 return PSA_ERROR_BAD_STATE;
6760 }
6761
6762 /* Allow only input that fits expected prk size */
6763 if (data_length != PSA_HASH_LENGTH(hash_alg)) {
6764 return PSA_ERROR_INVALID_ARGUMENT;
6765 }
6766
6767 memcpy(hkdf->prk, data, data_length);
6768 } else
6769#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
6770 {
6771 /* HKDF: If no salt was provided, use an empty salt.
6772 * HKDF-EXTRACT: salt is mandatory. */
6773 if (hkdf->state == HKDF_STATE_INIT) {
6774#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
6775 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6776 return PSA_ERROR_BAD_STATE;
6777 }
6778#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
6779 status = psa_key_derivation_start_hmac(&hkdf->hmac,
6780 hash_alg,
6781 NULL, 0);
6782 if (status != PSA_SUCCESS) {
6783 return status;
6784 }
6785 hkdf->state = HKDF_STATE_STARTED;
6786 }
6787 if (hkdf->state != HKDF_STATE_STARTED) {
6788 return PSA_ERROR_BAD_STATE;
6789 }
6790 status = psa_mac_update(&hkdf->hmac,
6791 data, data_length);
6792 if (status != PSA_SUCCESS) {
6793 return status;
6794 }
6795 status = psa_mac_sign_finish(&hkdf->hmac,
6796 hkdf->prk,
6797 sizeof(hkdf->prk),
6798 &data_length);
6799 if (status != PSA_SUCCESS) {
6800 return status;
6801 }
6802 }
6803
6804 hkdf->state = HKDF_STATE_KEYED;
6805 hkdf->block_number = 0;
6806#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
6807 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6808 /* The only block of output is the PRK. */
6809 memcpy(hkdf->output_block, hkdf->prk, PSA_HASH_LENGTH(hash_alg));
6810 hkdf->offset_in_block = 0;
6811 } else
6812#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
6813 {
6814 /* Block 0 is empty, and the next block will be
6815 * generated by psa_key_derivation_hkdf_read(). */
6816 hkdf->offset_in_block = PSA_HASH_LENGTH(hash_alg);
6817 }
6818
6819 return PSA_SUCCESS;
6820 case PSA_KEY_DERIVATION_INPUT_INFO:
6821#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
6822 if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
6823 return PSA_ERROR_INVALID_ARGUMENT;
6824 }
6825#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
6826#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
6827 if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg) &&
6828 hkdf->state == HKDF_STATE_INIT) {
6829 return PSA_ERROR_BAD_STATE;
6830 }
6831#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
6832 if (hkdf->state == HKDF_STATE_OUTPUT) {
6833 return PSA_ERROR_BAD_STATE;
6834 }
6835 if (hkdf->info_set) {
6836 return PSA_ERROR_BAD_STATE;
6837 }
6838 hkdf->info_length = data_length;
6839 if (data_length != 0) {
6840 hkdf->info = mbedtls_calloc(1, data_length);
6841 if (hkdf->info == NULL) {
6842 return PSA_ERROR_INSUFFICIENT_MEMORY;
6843 }
6844 memcpy(hkdf->info, data, data_length);
6845 }
6846 hkdf->info_set = 1;
6847 return PSA_SUCCESS;
6848 default:
6849 return PSA_ERROR_INVALID_ARGUMENT;
6850 }
6851}
6852#endif /* BUILTIN_ALG_ANY_HKDF */
6853
6854#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
6855 defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
6856static psa_status_t psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t *prf,
6857 const uint8_t *data,
6858 size_t data_length)
6859{
6860 if (prf->state != PSA_TLS12_PRF_STATE_INIT) {
6861 return PSA_ERROR_BAD_STATE;
6862 }
6863
6864 if (data_length != 0) {
6865 prf->seed = mbedtls_calloc(1, data_length);
6866 if (prf->seed == NULL) {
6867 return PSA_ERROR_INSUFFICIENT_MEMORY;
6868 }
6869
6870 memcpy(prf->seed, data, data_length);
6871 prf->seed_length = data_length;
6872 }
6873
6874 prf->state = PSA_TLS12_PRF_STATE_SEED_SET;
6875
6876 return PSA_SUCCESS;
6877}
6878
6879static psa_status_t psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t *prf,
6880 const uint8_t *data,
6881 size_t data_length)
6882{
6883 if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET &&
6884 prf->state != PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
6885 return PSA_ERROR_BAD_STATE;
6886 }
6887
6888 if (data_length != 0) {
6889 prf->secret = mbedtls_calloc(1, data_length);
6890 if (prf->secret == NULL) {
6891 return PSA_ERROR_INSUFFICIENT_MEMORY;
6892 }
6893
6894 memcpy(prf->secret, data, data_length);
6895 prf->secret_length = data_length;
6896 }
6897
6898 prf->state = PSA_TLS12_PRF_STATE_KEY_SET;
6899
6900 return PSA_SUCCESS;
6901}
6902
6903static psa_status_t psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t *prf,
6904 const uint8_t *data,
6905 size_t data_length)
6906{
6907 if (prf->state != PSA_TLS12_PRF_STATE_KEY_SET) {
6908 return PSA_ERROR_BAD_STATE;
6909 }
6910
6911 if (data_length != 0) {
6912 prf->label = mbedtls_calloc(1, data_length);
6913 if (prf->label == NULL) {
6914 return PSA_ERROR_INSUFFICIENT_MEMORY;
6915 }
6916
6917 memcpy(prf->label, data, data_length);
6918 prf->label_length = data_length;
6919 }
6920
6921 prf->state = PSA_TLS12_PRF_STATE_LABEL_SET;
6922
6923 return PSA_SUCCESS;
6924}
6925
6926static psa_status_t psa_tls12_prf_input(psa_tls12_prf_key_derivation_t *prf,
6927 psa_key_derivation_step_t step,
6928 const uint8_t *data,
6929 size_t data_length)
6930{
6931 switch (step) {
6932 case PSA_KEY_DERIVATION_INPUT_SEED:
6933 return psa_tls12_prf_set_seed(prf, data, data_length);
6934 case PSA_KEY_DERIVATION_INPUT_SECRET:
6935 return psa_tls12_prf_set_key(prf, data, data_length);
6936 case PSA_KEY_DERIVATION_INPUT_LABEL:
6937 return psa_tls12_prf_set_label(prf, data, data_length);
6938 default:
6939 return PSA_ERROR_INVALID_ARGUMENT;
6940 }
6941}
6942#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
6943 * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
6944
6945#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
6946static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
6947 psa_tls12_prf_key_derivation_t *prf,
6948 const uint8_t *data,
6949 size_t data_length)
6950{
6951 psa_status_t status;
6952 const size_t pms_len = (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET ?
6953 4 + data_length + prf->other_secret_length :
6954 4 + 2 * data_length);
6955
6956 if (data_length > PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE) {
6957 return PSA_ERROR_INVALID_ARGUMENT;
6958 }
6959
6960 uint8_t *pms = mbedtls_calloc(1, pms_len);
6961 if (pms == NULL) {
6962 return PSA_ERROR_INSUFFICIENT_MEMORY;
6963 }
6964 uint8_t *cur = pms;
6965
6966 /* pure-PSK:
6967 * Quoting RFC 4279, Section 2:
6968 *
6969 * The premaster secret is formed as follows: if the PSK is N octets
6970 * long, concatenate a uint16 with the value N, N zero octets, a second
6971 * uint16 with the value N, and the PSK itself.
6972 *
6973 * mixed-PSK:
6974 * In a DHE-PSK, RSA-PSK, ECDHE-PSK the premaster secret is formed as
6975 * follows: concatenate a uint16 with the length of the other secret,
6976 * the other secret itself, uint16 with the length of PSK, and the
6977 * PSK itself.
6978 * For details please check:
6979 * - RFC 4279, Section 4 for the definition of RSA-PSK,
6980 * - RFC 4279, Section 3 for the definition of DHE-PSK,
6981 * - RFC 5489 for the definition of ECDHE-PSK.
6982 */
6983
6984 if (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
6985 *cur++ = MBEDTLS_BYTE_1(prf->other_secret_length);
6986 *cur++ = MBEDTLS_BYTE_0(prf->other_secret_length);
6987 if (prf->other_secret_length != 0) {
6988 memcpy(cur, prf->other_secret, prf->other_secret_length);
6989 mbedtls_platform_zeroize(prf->other_secret, prf->other_secret_length);
6990 cur += prf->other_secret_length;
6991 }
6992 } else {
6993 *cur++ = MBEDTLS_BYTE_1(data_length);
6994 *cur++ = MBEDTLS_BYTE_0(data_length);
6995 memset(cur, 0, data_length);
6996 cur += data_length;
6997 }
6998
6999 *cur++ = MBEDTLS_BYTE_1(data_length);
7000 *cur++ = MBEDTLS_BYTE_0(data_length);
7001 memcpy(cur, data, data_length);
7002 cur += data_length;
7003
7004 status = psa_tls12_prf_set_key(prf, pms, (size_t) (cur - pms));
7005
7006 mbedtls_zeroize_and_free(pms, pms_len);
7007 return status;
7008}
7009
7010static psa_status_t psa_tls12_prf_psk_to_ms_set_other_key(
7011 psa_tls12_prf_key_derivation_t *prf,
7012 const uint8_t *data,
7013 size_t data_length)
7014{
7015 if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET) {
7016 return PSA_ERROR_BAD_STATE;
7017 }
7018
7019 if (data_length != 0) {
7020 prf->other_secret = mbedtls_calloc(1, data_length);
7021 if (prf->other_secret == NULL) {
7022 return PSA_ERROR_INSUFFICIENT_MEMORY;
7023 }
7024
7025 memcpy(prf->other_secret, data, data_length);
7026 prf->other_secret_length = data_length;
7027 } else {
7028 prf->other_secret_length = 0;
7029 }
7030
7031 prf->state = PSA_TLS12_PRF_STATE_OTHER_KEY_SET;
7032
7033 return PSA_SUCCESS;
7034}
7035
7036static psa_status_t psa_tls12_prf_psk_to_ms_input(
7037 psa_tls12_prf_key_derivation_t *prf,
7038 psa_key_derivation_step_t step,
7039 const uint8_t *data,
7040 size_t data_length)
7041{
7042 switch (step) {
7043 case PSA_KEY_DERIVATION_INPUT_SECRET:
7044 return psa_tls12_prf_psk_to_ms_set_key(prf,
7045 data, data_length);
7046 break;
7047 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
7048 return psa_tls12_prf_psk_to_ms_set_other_key(prf,
7049 data,
7050 data_length);
7051 break;
7052 default:
7053 return psa_tls12_prf_input(prf, step, data, data_length);
7054 break;
7055
7056 }
7057}
7058#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
7059
7060#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
7061static psa_status_t psa_tls12_ecjpake_to_pms_input(
7062 psa_tls12_ecjpake_to_pms_t *ecjpake,
7063 psa_key_derivation_step_t step,
7064 const uint8_t *data,
7065 size_t data_length)
7066{
7067 if (data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE ||
7068 step != PSA_KEY_DERIVATION_INPUT_SECRET) {
7069 return PSA_ERROR_INVALID_ARGUMENT;
7070 }
7071
7072 /* Check if the passed point is in an uncompressed form */
7073 if (data[0] != 0x04) {
7074 return PSA_ERROR_INVALID_ARGUMENT;
7075 }
7076
7077 /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */
7078 memcpy(ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
7079
7080 return PSA_SUCCESS;
7081}
7082#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
7083
7084#if defined(PSA_HAVE_SOFT_PBKDF2)
7085static psa_status_t psa_pbkdf2_set_input_cost(
7086 psa_pbkdf2_key_derivation_t *pbkdf2,
7087 psa_key_derivation_step_t step,
7088 uint64_t data)
7089{
7090 if (step != PSA_KEY_DERIVATION_INPUT_COST) {
7091 return PSA_ERROR_INVALID_ARGUMENT;
7092 }
7093
7094 if (pbkdf2->state != PSA_PBKDF2_STATE_INIT) {
7095 return PSA_ERROR_BAD_STATE;
7096 }
7097
7098 if (data > PSA_VENDOR_PBKDF2_MAX_ITERATIONS) {
7099 return PSA_ERROR_NOT_SUPPORTED;
7100 }
7101
7102 if (data == 0) {
7103 return PSA_ERROR_INVALID_ARGUMENT;
7104 }
7105
7106 pbkdf2->input_cost = data;
7107 pbkdf2->state = PSA_PBKDF2_STATE_INPUT_COST_SET;
7108
7109 return PSA_SUCCESS;
7110}
7111
7112static psa_status_t psa_pbkdf2_set_salt(psa_pbkdf2_key_derivation_t *pbkdf2,
7113 const uint8_t *data,
7114 size_t data_length)
7115{
7116 if (pbkdf2->state == PSA_PBKDF2_STATE_INPUT_COST_SET) {
7117 pbkdf2->state = PSA_PBKDF2_STATE_SALT_SET;
7118 } else if (pbkdf2->state == PSA_PBKDF2_STATE_SALT_SET) {
7119 /* Appending to existing salt. No state change. */
7120 } else {
7121 return PSA_ERROR_BAD_STATE;
7122 }
7123
7124 if (data_length == 0) {
7125 /* Appending an empty string, nothing to do. */
7126 } else {
7127 uint8_t *next_salt;
7128
7129 next_salt = mbedtls_calloc(1, data_length + pbkdf2->salt_length);
7130 if (next_salt == NULL) {
7131 return PSA_ERROR_INSUFFICIENT_MEMORY;
7132 }
7133
7134 if (pbkdf2->salt_length != 0) {
7135 memcpy(next_salt, pbkdf2->salt, pbkdf2->salt_length);
7136 }
7137 memcpy(next_salt + pbkdf2->salt_length, data, data_length);
7138 pbkdf2->salt_length += data_length;
7139 mbedtls_free(pbkdf2->salt);
7140 pbkdf2->salt = next_salt;
7141 }
7142 return PSA_SUCCESS;
7143}
7144
7145#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
7146static psa_status_t psa_pbkdf2_hmac_set_password(psa_algorithm_t hash_alg,
7147 const uint8_t *input,
7148 size_t input_len,
7149 uint8_t *output,
7150 size_t *output_len)
7151{
7152 psa_status_t status = PSA_SUCCESS;
7153 if (input_len > PSA_HASH_BLOCK_LENGTH(hash_alg)) {
7154 return psa_hash_compute(hash_alg, input, input_len, output,
7155 PSA_HMAC_MAX_HASH_BLOCK_SIZE, output_len);
7156 } else if (input_len > 0) {
7157 memcpy(output, input, input_len);
7158 }
7159 *output_len = PSA_HASH_BLOCK_LENGTH(hash_alg);
7160 return status;
7161}
7162#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
7163
7164#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
7165static psa_status_t psa_pbkdf2_cmac_set_password(const uint8_t *input,
7166 size_t input_len,
7167 uint8_t *output,
7168 size_t *output_len)
7169{
7170 psa_status_t status = PSA_SUCCESS;
7171 if (input_len != PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC)) {
7172 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
7173 uint8_t zeros[16] = { 0 };
7174 psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
7175 psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(sizeof(zeros)));
7176 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
7177 /* Passing PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC) as
7178 * mac_size as the driver function sets mac_output_length = mac_size
7179 * on success. See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
7180 status = psa_driver_wrapper_mac_compute(&attributes,
7181 zeros, sizeof(zeros),
7182 PSA_ALG_CMAC, input, input_len,
7183 output,
7184 PSA_MAC_LENGTH(PSA_KEY_TYPE_AES,
7185 128U,
7186 PSA_ALG_CMAC),
7187 output_len);
7188 } else {
7189 memcpy(output, input, input_len);
7190 *output_len = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
7191 }
7192 return status;
7193}
7194#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
7195
7196static psa_status_t psa_pbkdf2_set_password(psa_pbkdf2_key_derivation_t *pbkdf2,
7197 psa_algorithm_t kdf_alg,
7198 const uint8_t *data,
7199 size_t data_length)
7200{
7201 psa_status_t status = PSA_SUCCESS;
7202 if (pbkdf2->state != PSA_PBKDF2_STATE_SALT_SET) {
7203 return PSA_ERROR_BAD_STATE;
7204 }
7205
7206#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
7207 if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
7208 psa_algorithm_t hash_alg = PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg);
7209 status = psa_pbkdf2_hmac_set_password(hash_alg, data, data_length,
7210 pbkdf2->password,
7211 &pbkdf2->password_length);
7212 } else
7213#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
7214#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
7215 if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
7216 status = psa_pbkdf2_cmac_set_password(data, data_length,
7217 pbkdf2->password,
7218 &pbkdf2->password_length);
7219 } else
7220#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
7221 {
7222 return PSA_ERROR_INVALID_ARGUMENT;
7223 }
7224
7225 pbkdf2->state = PSA_PBKDF2_STATE_PASSWORD_SET;
7226
7227 return status;
7228}
7229
7230static psa_status_t psa_pbkdf2_input(psa_pbkdf2_key_derivation_t *pbkdf2,
7231 psa_algorithm_t kdf_alg,
7232 psa_key_derivation_step_t step,
7233 const uint8_t *data,
7234 size_t data_length)
7235{
7236 switch (step) {
7237 case PSA_KEY_DERIVATION_INPUT_SALT:
7238 return psa_pbkdf2_set_salt(pbkdf2, data, data_length);
7239 case PSA_KEY_DERIVATION_INPUT_PASSWORD:
7240 return psa_pbkdf2_set_password(pbkdf2, kdf_alg, data, data_length);
7241 default:
7242 return PSA_ERROR_INVALID_ARGUMENT;
7243 }
7244}
7245#endif /* PSA_HAVE_SOFT_PBKDF2 */
7246
7247/** Check whether the given key type is acceptable for the given
7248 * input step of a key derivation.
7249 *
7250 * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE.
7251 * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA.
7252 * Both secret and non-secret inputs can alternatively have the type
7253 * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning
7254 * that the input was passed as a buffer rather than via a key object.
7255 */
7256static int psa_key_derivation_check_input_type(
7257 psa_key_derivation_step_t step,
7258 psa_key_type_t key_type)
7259{
7260 switch (step) {
7261 case PSA_KEY_DERIVATION_INPUT_SECRET:
7262 if (key_type == PSA_KEY_TYPE_DERIVE) {
7263 return PSA_SUCCESS;
7264 }
7265 if (key_type == PSA_KEY_TYPE_NONE) {
7266 return PSA_SUCCESS;
7267 }
7268 break;
7269 case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
7270 if (key_type == PSA_KEY_TYPE_DERIVE) {
7271 return PSA_SUCCESS;
7272 }
7273 if (key_type == PSA_KEY_TYPE_NONE) {
7274 return PSA_SUCCESS;
7275 }
7276 break;
7277 case PSA_KEY_DERIVATION_INPUT_LABEL:
7278 case PSA_KEY_DERIVATION_INPUT_SALT:
7279 case PSA_KEY_DERIVATION_INPUT_INFO:
7280 case PSA_KEY_DERIVATION_INPUT_SEED:
7281 if (key_type == PSA_KEY_TYPE_RAW_DATA) {
7282 return PSA_SUCCESS;
7283 }
7284 if (key_type == PSA_KEY_TYPE_NONE) {
7285 return PSA_SUCCESS;
7286 }
7287 break;
7288 case PSA_KEY_DERIVATION_INPUT_PASSWORD:
7289 if (key_type == PSA_KEY_TYPE_PASSWORD) {
7290 return PSA_SUCCESS;
7291 }
7292 if (key_type == PSA_KEY_TYPE_DERIVE) {
7293 return PSA_SUCCESS;
7294 }
7295 if (key_type == PSA_KEY_TYPE_NONE) {
7296 return PSA_SUCCESS;
7297 }
7298 break;
7299 }
7300 return PSA_ERROR_INVALID_ARGUMENT;
7301}
7302
7303static psa_status_t psa_key_derivation_input_internal(
7304 psa_key_derivation_operation_t *operation,
7305 psa_key_derivation_step_t step,
7306 psa_key_type_t key_type,
7307 const uint8_t *data,
7308 size_t data_length)
7309{
7310 psa_status_t status;
7311 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
7312
7313 status = psa_key_derivation_check_input_type(step, key_type);
7314 if (status != PSA_SUCCESS) {
7315 goto exit;
7316 }
7317
7318#if defined(BUILTIN_ALG_ANY_HKDF)
7319 if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
7320 status = psa_hkdf_input(&operation->ctx.hkdf, kdf_alg,
7321 step, data, data_length);
7322 } else
7323#endif /* BUILTIN_ALG_ANY_HKDF */
7324#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
7325 if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
7326 status = psa_tls12_prf_input(&operation->ctx.tls12_prf,
7327 step, data, data_length);
7328 } else
7329#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */
7330#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
7331 if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
7332 status = psa_tls12_prf_psk_to_ms_input(&operation->ctx.tls12_prf,
7333 step, data, data_length);
7334 } else
7335#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
7336#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
7337 if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
7338 status = psa_tls12_ecjpake_to_pms_input(
7339 &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length);
7340 } else
7341#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
7342#if defined(PSA_HAVE_SOFT_PBKDF2)
7343 if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
7344 status = psa_pbkdf2_input(&operation->ctx.pbkdf2, kdf_alg,
7345 step, data, data_length);
7346 } else
7347#endif /* PSA_HAVE_SOFT_PBKDF2 */
7348 {
7349 /* This can't happen unless the operation object was not initialized */
7350 (void) data;
7351 (void) data_length;
7352 (void) kdf_alg;
7353 return PSA_ERROR_BAD_STATE;
7354 }
7355
7356exit:
7357 if (status != PSA_SUCCESS) {
7358 psa_key_derivation_abort(operation);
7359 }
7360 return status;
7361}
7362
7363static psa_status_t psa_key_derivation_input_integer_internal(
7364 psa_key_derivation_operation_t *operation,
7365 psa_key_derivation_step_t step,
7366 uint64_t value)
7367{
7368 psa_status_t status;
7369 psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
7370
7371#if defined(PSA_HAVE_SOFT_PBKDF2)
7372 if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
7373 status = psa_pbkdf2_set_input_cost(
7374 &operation->ctx.pbkdf2, step, value);
7375 } else
7376#endif /* PSA_HAVE_SOFT_PBKDF2 */
7377 {
7378 (void) step;
7379 (void) value;
7380 (void) kdf_alg;
7381 status = PSA_ERROR_INVALID_ARGUMENT;
7382 }
7383
7384 if (status != PSA_SUCCESS) {
7385 psa_key_derivation_abort(operation);
7386 }
7387 return status;
7388}
7389
7390psa_status_t psa_key_derivation_input_bytes(
7391 psa_key_derivation_operation_t *operation,
7392 psa_key_derivation_step_t step,
7393 const uint8_t *data_external,
7394 size_t data_length)
7395{
7396 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7397 LOCAL_INPUT_DECLARE(data_external, data);
7398
7399 LOCAL_INPUT_ALLOC(data_external, data_length, data);
7400
7401 status = psa_key_derivation_input_internal(operation, step,
7402 PSA_KEY_TYPE_NONE,
7403 data, data_length);
7404#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
7405exit:
7406#endif
7407 LOCAL_INPUT_FREE(data_external, data);
7408 return status;
7409}
7410
7411psa_status_t psa_key_derivation_input_integer(
7412 psa_key_derivation_operation_t *operation,
7413 psa_key_derivation_step_t step,
7414 uint64_t value)
7415{
7416 return psa_key_derivation_input_integer_internal(operation, step, value);
7417}
7418
7419psa_status_t psa_key_derivation_input_key(
7420 psa_key_derivation_operation_t *operation,
7421 psa_key_derivation_step_t step,
7422 mbedtls_svc_key_id_t key)
7423{
7424 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7425 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
7426 psa_key_slot_t *slot;
7427
7428 status = psa_get_and_lock_transparent_key_slot_with_policy(
7429 key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
7430 if (status != PSA_SUCCESS) {
7431 psa_key_derivation_abort(operation);
7432 return status;
7433 }
7434
7435 /* Passing a key object as a SECRET or PASSWORD input unlocks the
7436 * permission to output to a key object. */
7437 if (step == PSA_KEY_DERIVATION_INPUT_SECRET ||
7438 step == PSA_KEY_DERIVATION_INPUT_PASSWORD) {
7439 operation->can_output_key = 1;
7440 }
7441
7442 status = psa_key_derivation_input_internal(operation,
7443 step, slot->attr.type,
7444 slot->key.data,
7445 slot->key.bytes);
7446
7447 unlock_status = psa_unregister_read_under_mutex(slot);
7448
7449 return (status == PSA_SUCCESS) ? unlock_status : status;
7450}
7451
7452
7453
7454/****************************************************************/
7455/* Key agreement */
7456/****************************************************************/
7457
7458psa_status_t psa_key_agreement_raw_builtin(const psa_key_attributes_t *attributes,
7459 const uint8_t *key_buffer,
7460 size_t key_buffer_size,
7461 psa_algorithm_t alg,
7462 const uint8_t *peer_key,
7463 size_t peer_key_length,
7464 uint8_t *shared_secret,
7465 size_t shared_secret_size,
7466 size_t *shared_secret_length)
7467{
7468 switch (alg) {
7469#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
7470 case PSA_ALG_ECDH:
7471 return mbedtls_psa_key_agreement_ecdh(attributes, key_buffer,
7472 key_buffer_size, alg,
7473 peer_key, peer_key_length,
7474 shared_secret,
7475 shared_secret_size,
7476 shared_secret_length);
7477#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
7478
7479#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
7480 case PSA_ALG_FFDH:
7481 return mbedtls_psa_ffdh_key_agreement(attributes,
7482 peer_key,
7483 peer_key_length,
7484 key_buffer,
7485 key_buffer_size,
7486 shared_secret,
7487 shared_secret_size,
7488 shared_secret_length);
7489#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
7490
7491 default:
7492 (void) attributes;
7493 (void) key_buffer;
7494 (void) key_buffer_size;
7495 (void) peer_key;
7496 (void) peer_key_length;
7497 (void) shared_secret;
7498 (void) shared_secret_size;
7499 (void) shared_secret_length;
7500 return PSA_ERROR_NOT_SUPPORTED;
7501 }
7502}
7503
7504/** Internal function for raw key agreement
7505 * Calls the driver wrapper which will hand off key agreement task
7506 * to the driver's implementation if a driver is present.
7507 * Fallback specified in the driver wrapper is built-in raw key agreement
7508 * (psa_key_agreement_raw_builtin).
7509 */
7510static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg,
7511 psa_key_slot_t *private_key,
7512 const uint8_t *peer_key,
7513 size_t peer_key_length,
7514 uint8_t *shared_secret,
7515 size_t shared_secret_size,
7516 size_t *shared_secret_length)
7517{
7518 if (!PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
7519 return PSA_ERROR_NOT_SUPPORTED;
7520 }
7521
7522 return psa_driver_wrapper_key_agreement(&private_key->attr,
7523 private_key->key.data,
7524 private_key->key.bytes, alg,
7525 peer_key, peer_key_length,
7526 shared_secret,
7527 shared_secret_size,
7528 shared_secret_length);
7529}
7530
7531/* Note that if this function fails, you must call psa_key_derivation_abort()
7532 * to potentially free embedded data structures and wipe confidential data.
7533 */
7534static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *operation,
7535 psa_key_derivation_step_t step,
7536 psa_key_slot_t *private_key,
7537 const uint8_t *peer_key,
7538 size_t peer_key_length)
7539{
7540 psa_status_t status;
7541 uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE] = { 0 };
7542 size_t shared_secret_length = 0;
7543 psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg);
7544
7545 /* Step 1: run the secret agreement algorithm to generate the shared
7546 * secret. */
7547 status = psa_key_agreement_raw_internal(ka_alg,
7548 private_key,
7549 peer_key, peer_key_length,
7550 shared_secret,
7551 sizeof(shared_secret),
7552 &shared_secret_length);
7553 if (status != PSA_SUCCESS) {
7554 goto exit;
7555 }
7556
7557 /* Step 2: set up the key derivation to generate key material from
7558 * the shared secret. A shared secret is permitted wherever a key
7559 * of type DERIVE is permitted. */
7560 status = psa_key_derivation_input_internal(operation, step,
7561 PSA_KEY_TYPE_DERIVE,
7562 shared_secret,
7563 shared_secret_length);
7564exit:
7565 mbedtls_platform_zeroize(shared_secret, shared_secret_length);
7566 return status;
7567}
7568
7569psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *operation,
7570 psa_key_derivation_step_t step,
7571 mbedtls_svc_key_id_t private_key,
7572 const uint8_t *peer_key_external,
7573 size_t peer_key_length)
7574{
7575 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7576 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
7577 psa_key_slot_t *slot;
7578 LOCAL_INPUT_DECLARE(peer_key_external, peer_key);
7579
7580 if (!PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
7581 return PSA_ERROR_INVALID_ARGUMENT;
7582 }
7583 status = psa_get_and_lock_transparent_key_slot_with_policy(
7584 private_key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
7585 if (status != PSA_SUCCESS) {
7586 return status;
7587 }
7588
7589 LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key);
7590 status = psa_key_agreement_internal(operation, step,
7591 slot,
7592 peer_key, peer_key_length);
7593
7594#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
7595exit:
7596#endif
7597 if (status != PSA_SUCCESS) {
7598 psa_key_derivation_abort(operation);
7599 } else {
7600 /* If a private key has been added as SECRET, we allow the derived
7601 * key material to be used as a key in PSA Crypto. */
7602 if (step == PSA_KEY_DERIVATION_INPUT_SECRET) {
7603 operation->can_output_key = 1;
7604 }
7605 }
7606
7607 unlock_status = psa_unregister_read_under_mutex(slot);
7608 LOCAL_INPUT_FREE(peer_key_external, peer_key);
7609
7610 return (status == PSA_SUCCESS) ? unlock_status : status;
7611}
7612
7613psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
7614 mbedtls_svc_key_id_t private_key,
7615 const uint8_t *peer_key_external,
7616 size_t peer_key_length,
7617 uint8_t *output_external,
7618 size_t output_size,
7619 size_t *output_length)
7620{
7621 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7622 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
7623 psa_key_slot_t *slot = NULL;
7624 size_t expected_length;
7625 LOCAL_INPUT_DECLARE(peer_key_external, peer_key);
7626 LOCAL_OUTPUT_DECLARE(output_external, output);
7627 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
7628
7629 if (!PSA_ALG_IS_KEY_AGREEMENT(alg)) {
7630 status = PSA_ERROR_INVALID_ARGUMENT;
7631 goto exit;
7632 }
7633 status = psa_get_and_lock_transparent_key_slot_with_policy(
7634 private_key, &slot, PSA_KEY_USAGE_DERIVE, alg);
7635 if (status != PSA_SUCCESS) {
7636 goto exit;
7637 }
7638
7639 /* PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is in general an upper bound
7640 * for the output size. The PSA specification only guarantees that this
7641 * function works if output_size >= PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(...),
7642 * but it might be nice to allow smaller buffers if the output fits.
7643 * At the time of writing this comment, with only ECDH implemented,
7644 * PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is exact so the point is moot.
7645 * If FFDH is implemented, PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() can easily
7646 * be exact for it as well. */
7647 expected_length =
7648 PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(slot->attr.type, slot->attr.bits);
7649 if (output_size < expected_length) {
7650 status = PSA_ERROR_BUFFER_TOO_SMALL;
7651 goto exit;
7652 }
7653
7654 LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key);
7655 status = psa_key_agreement_raw_internal(alg, slot,
7656 peer_key, peer_key_length,
7657 output, output_size,
7658 output_length);
7659
7660exit:
7661 /* Check for successful allocation of output,
7662 * with an unsuccessful status. */
7663 if (output != NULL && status != PSA_SUCCESS) {
7664 /* If an error happens and is not handled properly, the output
7665 * may be used as a key to protect sensitive data. Arrange for such
7666 * a key to be random, which is likely to result in decryption or
7667 * verification errors. This is better than filling the buffer with
7668 * some constant data such as zeros, which would result in the data
7669 * being protected with a reproducible, easily knowable key.
7670 */
7671 psa_generate_random_internal(output, output_size);
7672 *output_length = output_size;
7673 }
7674
7675 if (output == NULL) {
7676 /* output allocation failed. */
7677 *output_length = 0;
7678 }
7679
7680 unlock_status = psa_unregister_read_under_mutex(slot);
7681
7682 LOCAL_INPUT_FREE(peer_key_external, peer_key);
7683 LOCAL_OUTPUT_FREE(output_external, output);
7684 return (status == PSA_SUCCESS) ? unlock_status : status;
7685}
7686
7687
7688/****************************************************************/
7689/* Random generation */
7690/****************************************************************/
7691
7692#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
7693#include "entropy_poll.h"
7694#endif
7695
7696/** Initialize the PSA random generator.
7697 *
7698 * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling
7699 * this function if mutexes are enabled.
7700 */
7701static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng)
7702{
7703#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
7704 memset(rng, 0, sizeof(*rng));
7705#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7706
7707 /* Set default configuration if
7708 * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */
7709 if (rng->entropy_init == NULL) {
7710 rng->entropy_init = mbedtls_entropy_init;
7711 }
7712 if (rng->entropy_free == NULL) {
7713 rng->entropy_free = mbedtls_entropy_free;
7714 }
7715
7716 rng->entropy_init(&rng->entropy);
7717#if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \
7718 defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
7719 /* The PSA entropy injection feature depends on using NV seed as an entropy
7720 * source. Add NV seed as an entropy source for PSA entropy injection. */
7721 mbedtls_entropy_add_source(&rng->entropy,
7722 mbedtls_nv_seed_poll, NULL,
7723 MBEDTLS_ENTROPY_BLOCK_SIZE,
7724 MBEDTLS_ENTROPY_SOURCE_STRONG);
7725#endif
7726
7727 mbedtls_psa_drbg_init(&rng->drbg);
7728#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7729}
7730
7731/** Deinitialize the PSA random generator.
7732 *
7733 * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling
7734 * this function if mutexes are enabled.
7735 */
7736static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng)
7737{
7738#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
7739 memset(rng, 0, sizeof(*rng));
7740#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7741 mbedtls_psa_drbg_free(&rng->drbg);
7742 rng->entropy_free(&rng->entropy);
7743#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7744}
7745
7746/** Seed the PSA random generator.
7747 */
7748static psa_status_t mbedtls_psa_random_seed(mbedtls_psa_random_context_t *rng)
7749{
7750#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
7751 /* Do nothing: the external RNG seeds itself. */
7752 (void) rng;
7753 return PSA_SUCCESS;
7754#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7755 const unsigned char drbg_seed[] = "PSA";
7756 int ret = mbedtls_psa_drbg_seed(&rng->drbg, &rng->entropy,
7757 drbg_seed, sizeof(drbg_seed) - 1);
7758 return mbedtls_to_psa_error(ret);
7759#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
7760}
7761
7762psa_status_t psa_generate_random(uint8_t *output_external,
7763 size_t output_size)
7764{
7765 psa_status_t status;
7766
7767 LOCAL_OUTPUT_DECLARE(output_external, output);
7768 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
7769
7770 status = psa_generate_random_internal(output, output_size);
7771
7772#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
7773exit:
7774#endif
7775 LOCAL_OUTPUT_FREE(output_external, output);
7776 return status;
7777}
7778
7779#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
7780psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
7781 size_t seed_size)
7782{
7783 if (psa_get_initialized()) {
7784 return PSA_ERROR_NOT_PERMITTED;
7785 }
7786
7787 if (((seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM) ||
7788 (seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE)) ||
7789 (seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE)) {
7790 return PSA_ERROR_INVALID_ARGUMENT;
7791 }
7792
7793 return mbedtls_psa_storage_inject_entropy(seed, seed_size);
7794}
7795#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
7796
7797/** Validate the key type and size for key generation
7798 *
7799 * \param type The key type
7800 * \param bits The number of bits of the key
7801 *
7802 * \retval #PSA_SUCCESS
7803 * The key type and size are valid.
7804 * \retval #PSA_ERROR_INVALID_ARGUMENT
7805 * The size in bits of the key is not valid.
7806 * \retval #PSA_ERROR_NOT_SUPPORTED
7807 * The type and/or the size in bits of the key or the combination of
7808 * the two is not supported.
7809 */
7810static psa_status_t psa_validate_key_type_and_size_for_key_generation(
7811 psa_key_type_t type, size_t bits)
7812{
7813 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7814
7815 if (key_type_is_raw_bytes(type)) {
7816 status = psa_validate_unstructured_key_bit_size(type, bits);
7817 if (status != PSA_SUCCESS) {
7818 return status;
7819 }
7820 } else
7821#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
7822 if (PSA_KEY_TYPE_IS_RSA(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
7823 if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
7824 return PSA_ERROR_NOT_SUPPORTED;
7825 }
7826 if (bits < PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS) {
7827 return PSA_ERROR_NOT_SUPPORTED;
7828 }
7829
7830 /* Accept only byte-aligned keys, for the same reasons as
7831 * in psa_import_rsa_key(). */
7832 if (bits % 8 != 0) {
7833 return PSA_ERROR_NOT_SUPPORTED;
7834 }
7835 } else
7836#endif /* defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
7837
7838#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
7839 if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
7840 /* To avoid empty block, return successfully here. */
7841 return PSA_SUCCESS;
7842 } else
7843#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
7844
7845#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
7846 if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
7847 if (psa_is_dh_key_size_valid(bits) == 0) {
7848 return PSA_ERROR_NOT_SUPPORTED;
7849 }
7850 } else
7851#endif /* defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
7852 {
7853 return PSA_ERROR_NOT_SUPPORTED;
7854 }
7855
7856 return PSA_SUCCESS;
7857}
7858
7859psa_status_t psa_generate_key_internal(
7860 const psa_key_attributes_t *attributes,
7861 const psa_key_production_parameters_t *params, size_t params_data_length,
7862 uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
7863{
7864 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
7865 psa_key_type_t type = attributes->type;
7866
7867 /* Only used for RSA */
7868 (void) params;
7869 (void) params_data_length;
7870
7871 if (key_type_is_raw_bytes(type)) {
7872 status = psa_generate_random_internal(key_buffer, key_buffer_size);
7873 if (status != PSA_SUCCESS) {
7874 return status;
7875 }
7876
7877#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
7878 if (type == PSA_KEY_TYPE_DES) {
7879 psa_des_set_key_parity(key_buffer, key_buffer_size);
7880 }
7881#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
7882 } else
7883
7884#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
7885 if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
7886 return mbedtls_psa_rsa_generate_key(attributes,
7887 params, params_data_length,
7888 key_buffer,
7889 key_buffer_size,
7890 key_buffer_length);
7891 } else
7892#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
7893
7894#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
7895 if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
7896 return mbedtls_psa_ecp_generate_key(attributes,
7897 key_buffer,
7898 key_buffer_size,
7899 key_buffer_length);
7900 } else
7901#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
7902
7903#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
7904 if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
7905 return mbedtls_psa_ffdh_generate_key(attributes,
7906 key_buffer,
7907 key_buffer_size,
7908 key_buffer_length);
7909 } else
7910#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
7911 {
7912 (void) key_buffer_length;
7913 return PSA_ERROR_NOT_SUPPORTED;
7914 }
7915
7916 return PSA_SUCCESS;
7917}
7918
7919psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
7920 const psa_key_production_parameters_t *params,
7921 size_t params_data_length,
7922 mbedtls_svc_key_id_t *key)
7923{
7924 psa_status_t status;
7925 psa_key_slot_t *slot = NULL;
7926 psa_se_drv_table_entry_t *driver = NULL;
7927 size_t key_buffer_size;
7928
7929 *key = MBEDTLS_SVC_KEY_ID_INIT;
7930
7931 /* Reject any attempt to create a zero-length key so that we don't
7932 * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
7933 if (psa_get_key_bits(attributes) == 0) {
7934 return PSA_ERROR_INVALID_ARGUMENT;
7935 }
7936
7937 /* Reject any attempt to create a public key. */
7938 if (PSA_KEY_TYPE_IS_PUBLIC_KEY(attributes->type)) {
7939 return PSA_ERROR_INVALID_ARGUMENT;
7940 }
7941
7942#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
7943 if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
7944 if (params->flags != 0) {
7945 return PSA_ERROR_INVALID_ARGUMENT;
7946 }
7947 } else
7948#endif
7949 if (!psa_key_production_parameters_are_default(params, params_data_length)) {
7950 return PSA_ERROR_INVALID_ARGUMENT;
7951 }
7952
7953 status = psa_start_key_creation(PSA_KEY_CREATION_GENERATE, attributes,
7954 &slot, &driver);
7955 if (status != PSA_SUCCESS) {
7956 goto exit;
7957 }
7958
7959 /* In the case of a transparent key or an opaque key stored in local
7960 * storage ( thus not in the case of generating a key in a secure element
7961 * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
7962 * buffer to hold the generated key material. */
7963 if (slot->key.data == NULL) {
7964 if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) ==
7965 PSA_KEY_LOCATION_LOCAL_STORAGE) {
7966 status = psa_validate_key_type_and_size_for_key_generation(
7967 attributes->type, attributes->bits);
7968 if (status != PSA_SUCCESS) {
7969 goto exit;
7970 }
7971
7972 key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
7973 attributes->type,
7974 attributes->bits);
7975 } else {
7976 status = psa_driver_wrapper_get_key_buffer_size(
7977 attributes, &key_buffer_size);
7978 if (status != PSA_SUCCESS) {
7979 goto exit;
7980 }
7981 }
7982
7983 status = psa_allocate_buffer_to_slot(slot, key_buffer_size);
7984 if (status != PSA_SUCCESS) {
7985 goto exit;
7986 }
7987 }
7988
7989 status = psa_driver_wrapper_generate_key(attributes,
7990 params, params_data_length,
7991 slot->key.data, slot->key.bytes,
7992 &slot->key.bytes);
7993 if (status != PSA_SUCCESS) {
7994 psa_remove_key_data_from_memory(slot);
7995 }
7996
7997exit:
7998 if (status == PSA_SUCCESS) {
7999 status = psa_finish_key_creation(slot, driver, key);
8000 }
8001 if (status != PSA_SUCCESS) {
8002 psa_fail_key_creation(slot, driver);
8003 }
8004
8005 return status;
8006}
8007
8008psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
8009 mbedtls_svc_key_id_t *key)
8010{
8011 return psa_generate_key_ext(attributes,
8012 &default_production_parameters, 0,
8013 key);
8014}
8015
8016/****************************************************************/
8017/* Module setup */
8018/****************************************************************/
8019
8020#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
8021psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
8022 void (* entropy_init)(mbedtls_entropy_context *ctx),
8023 void (* entropy_free)(mbedtls_entropy_context *ctx))
8024{
8025 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8026
8027#if defined(MBEDTLS_THREADING_C)
8028 mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
8029#endif /* defined(MBEDTLS_THREADING_C) */
8030
8031 if (global_data.rng_state != RNG_NOT_INITIALIZED) {
8032 status = PSA_ERROR_BAD_STATE;
8033 } else {
8034 global_data.rng.entropy_init = entropy_init;
8035 global_data.rng.entropy_free = entropy_free;
8036 status = PSA_SUCCESS;
8037 }
8038
8039#if defined(MBEDTLS_THREADING_C)
8040 mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
8041#endif /* defined(MBEDTLS_THREADING_C) */
8042
8043 return status;
8044}
8045#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
8046
8047void mbedtls_psa_crypto_free(void)
8048{
8049
8050#if defined(MBEDTLS_THREADING_C)
8051 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
8052#endif /* defined(MBEDTLS_THREADING_C) */
8053
8054 /* Nothing to do to free transaction. */
8055 if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED) {
8056 global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8057 }
8058
8059 if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED) {
8060 psa_wipe_all_key_slots();
8061 global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED;
8062 }
8063
8064#if defined(MBEDTLS_THREADING_C)
8065 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
8066#endif /* defined(MBEDTLS_THREADING_C) */
8067
8068#if defined(MBEDTLS_THREADING_C)
8069 mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
8070#endif /* defined(MBEDTLS_THREADING_C) */
8071
8072 if (global_data.rng_state != RNG_NOT_INITIALIZED) {
8073 mbedtls_psa_random_free(&global_data.rng);
8074 }
8075 global_data.rng_state = RNG_NOT_INITIALIZED;
8076 mbedtls_platform_zeroize(&global_data.rng, sizeof(global_data.rng));
8077
8078#if defined(MBEDTLS_THREADING_C)
8079 mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
8080#endif /* defined(MBEDTLS_THREADING_C) */
8081
8082#if defined(MBEDTLS_THREADING_C)
8083 mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
8084#endif /* defined(MBEDTLS_THREADING_C) */
8085
8086 /* Terminate drivers */
8087 if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) {
8088 psa_driver_wrapper_free();
8089 global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED;
8090 }
8091
8092#if defined(MBEDTLS_THREADING_C)
8093 mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
8094#endif /* defined(MBEDTLS_THREADING_C) */
8095
8096}
8097
8098#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
8099/** Recover a transaction that was interrupted by a power failure.
8100 *
8101 * This function is called during initialization, before psa_crypto_init()
8102 * returns. If this function returns a failure status, the initialization
8103 * fails.
8104 */
8105static psa_status_t psa_crypto_recover_transaction(
8106 const psa_crypto_transaction_t *transaction)
8107{
8108 switch (transaction->unknown.type) {
8109 case PSA_CRYPTO_TRANSACTION_CREATE_KEY:
8110 case PSA_CRYPTO_TRANSACTION_DESTROY_KEY:
8111 /* TODO - fall through to the failure case until this
8112 * is implemented.
8113 * https://github.com/ARMmbed/mbed-crypto/issues/218
8114 */
8115 default:
8116 /* We found an unsupported transaction in the storage.
8117 * We don't know what state the storage is in. Give up. */
8118 return PSA_ERROR_DATA_INVALID;
8119 }
8120}
8121#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
8122
8123static psa_status_t mbedtls_psa_crypto_init_subsystem(mbedtls_psa_crypto_subsystem subsystem)
8124{
8125 psa_status_t status = PSA_SUCCESS;
8126 uint8_t driver_wrappers_initialized = 0;
8127
8128 switch (subsystem) {
8129 case PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS:
8130
8131#if defined(MBEDTLS_THREADING_C)
8132 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8133#endif /* defined(MBEDTLS_THREADING_C) */
8134
8135 if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED)) {
8136 /* Init drivers */
8137 status = psa_driver_wrapper_init();
8138
8139 /* Drivers need shutdown regardless of startup errors. */
8140 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED;
8141
8142
8143 }
8144#if defined(MBEDTLS_THREADING_C)
8145 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8146 &mbedtls_threading_psa_globaldata_mutex));
8147#endif /* defined(MBEDTLS_THREADING_C) */
8148
8149 break;
8150
8151 case PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS:
8152
8153#if defined(MBEDTLS_THREADING_C)
8154 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8155#endif /* defined(MBEDTLS_THREADING_C) */
8156
8157 if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED)) {
8158 status = psa_initialize_key_slots();
8159
8160 /* Need to wipe keys even if initialization fails. */
8161 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED;
8162
8163 }
8164#if defined(MBEDTLS_THREADING_C)
8165 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8166 &mbedtls_threading_psa_globaldata_mutex));
8167#endif /* defined(MBEDTLS_THREADING_C) */
8168
8169 break;
8170
8171 case PSA_CRYPTO_SUBSYSTEM_RNG:
8172
8173#if defined(MBEDTLS_THREADING_C)
8174 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8175#endif /* defined(MBEDTLS_THREADING_C) */
8176
8177 driver_wrappers_initialized =
8178 (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED);
8179
8180#if defined(MBEDTLS_THREADING_C)
8181 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8182 &mbedtls_threading_psa_globaldata_mutex));
8183#endif /* defined(MBEDTLS_THREADING_C) */
8184
8185 /* Need to use separate mutex here, as initialisation can require
8186 * testing of init flags, which requires locking the global data
8187 * mutex. */
8188#if defined(MBEDTLS_THREADING_C)
8189 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex));
8190#endif /* defined(MBEDTLS_THREADING_C) */
8191
8192 /* Initialize and seed the random generator. */
8193 if (global_data.rng_state == RNG_NOT_INITIALIZED && driver_wrappers_initialized) {
8194 mbedtls_psa_random_init(&global_data.rng);
8195 global_data.rng_state = RNG_INITIALIZED;
8196
8197 status = mbedtls_psa_random_seed(&global_data.rng);
8198 if (status == PSA_SUCCESS) {
8199 global_data.rng_state = RNG_SEEDED;
8200 }
8201 }
8202
8203#if defined(MBEDTLS_THREADING_C)
8204 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8205 &mbedtls_threading_psa_rngdata_mutex));
8206#endif /* defined(MBEDTLS_THREADING_C) */
8207
8208 break;
8209
8210 case PSA_CRYPTO_SUBSYSTEM_TRANSACTION:
8211
8212#if defined(MBEDTLS_THREADING_C)
8213 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
8214#endif /* defined(MBEDTLS_THREADING_C) */
8215
8216 if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)) {
8217#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
8218 status = psa_crypto_load_transaction();
8219 if (status == PSA_SUCCESS) {
8220 status = psa_crypto_recover_transaction(&psa_crypto_transaction);
8221 if (status == PSA_SUCCESS) {
8222 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8223 }
8224 status = psa_crypto_stop_transaction();
8225 } else if (status == PSA_ERROR_DOES_NOT_EXIST) {
8226 /* There's no transaction to complete. It's all good. */
8227 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8228 status = PSA_SUCCESS;
8229 }
8230#else /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */
8231 global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
8232 status = PSA_SUCCESS;
8233#endif /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */
8234 }
8235
8236#if defined(MBEDTLS_THREADING_C)
8237 PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
8238 &mbedtls_threading_psa_globaldata_mutex));
8239#endif /* defined(MBEDTLS_THREADING_C) */
8240
8241 break;
8242
8243 default:
8244 status = PSA_ERROR_CORRUPTION_DETECTED;
8245 }
8246
8247 /* Exit label only required when using threading macros. */
8248#if defined(MBEDTLS_THREADING_C)
8249exit:
8250#endif /* defined(MBEDTLS_THREADING_C) */
8251
8252 return status;
8253}
8254
8255psa_status_t psa_crypto_init(void)
8256{
8257 psa_status_t status;
8258
8259 /* Double initialization is explicitly allowed. Early out if everything is
8260 * done. */
8261 if (psa_get_initialized()) {
8262 return PSA_SUCCESS;
8263 }
8264
8265 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS);
8266 if (status != PSA_SUCCESS) {
8267 goto exit;
8268 }
8269
8270 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS);
8271 if (status != PSA_SUCCESS) {
8272 goto exit;
8273 }
8274
8275 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_RNG);
8276 if (status != PSA_SUCCESS) {
8277 goto exit;
8278 }
8279
8280 status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_TRANSACTION);
8281
8282exit:
8283
8284 if (status != PSA_SUCCESS) {
8285 mbedtls_psa_crypto_free();
8286 }
8287
8288 return status;
8289}
8290
8291#if defined(PSA_WANT_ALG_SOME_PAKE)
8292psa_status_t psa_crypto_driver_pake_get_password_len(
8293 const psa_crypto_driver_pake_inputs_t *inputs,
8294 size_t *password_len)
8295{
8296 if (inputs->password_len == 0) {
8297 return PSA_ERROR_BAD_STATE;
8298 }
8299
8300 *password_len = inputs->password_len;
8301
8302 return PSA_SUCCESS;
8303}
8304
8305psa_status_t psa_crypto_driver_pake_get_password(
8306 const psa_crypto_driver_pake_inputs_t *inputs,
8307 uint8_t *buffer, size_t buffer_size, size_t *buffer_length)
8308{
8309 if (inputs->password_len == 0) {
8310 return PSA_ERROR_BAD_STATE;
8311 }
8312
8313 if (buffer_size < inputs->password_len) {
8314 return PSA_ERROR_BUFFER_TOO_SMALL;
8315 }
8316
8317 memcpy(buffer, inputs->password, inputs->password_len);
8318 *buffer_length = inputs->password_len;
8319
8320 return PSA_SUCCESS;
8321}
8322
8323psa_status_t psa_crypto_driver_pake_get_user_len(
8324 const psa_crypto_driver_pake_inputs_t *inputs,
8325 size_t *user_len)
8326{
8327 if (inputs->user_len == 0) {
8328 return PSA_ERROR_BAD_STATE;
8329 }
8330
8331 *user_len = inputs->user_len;
8332
8333 return PSA_SUCCESS;
8334}
8335
8336psa_status_t psa_crypto_driver_pake_get_user(
8337 const psa_crypto_driver_pake_inputs_t *inputs,
8338 uint8_t *user_id, size_t user_id_size, size_t *user_id_len)
8339{
8340 if (inputs->user_len == 0) {
8341 return PSA_ERROR_BAD_STATE;
8342 }
8343
8344 if (user_id_size < inputs->user_len) {
8345 return PSA_ERROR_BUFFER_TOO_SMALL;
8346 }
8347
8348 memcpy(user_id, inputs->user, inputs->user_len);
8349 *user_id_len = inputs->user_len;
8350
8351 return PSA_SUCCESS;
8352}
8353
8354psa_status_t psa_crypto_driver_pake_get_peer_len(
8355 const psa_crypto_driver_pake_inputs_t *inputs,
8356 size_t *peer_len)
8357{
8358 if (inputs->peer_len == 0) {
8359 return PSA_ERROR_BAD_STATE;
8360 }
8361
8362 *peer_len = inputs->peer_len;
8363
8364 return PSA_SUCCESS;
8365}
8366
8367psa_status_t psa_crypto_driver_pake_get_peer(
8368 const psa_crypto_driver_pake_inputs_t *inputs,
8369 uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length)
8370{
8371 if (inputs->peer_len == 0) {
8372 return PSA_ERROR_BAD_STATE;
8373 }
8374
8375 if (peer_id_size < inputs->peer_len) {
8376 return PSA_ERROR_BUFFER_TOO_SMALL;
8377 }
8378
8379 memcpy(peer_id, inputs->peer, inputs->peer_len);
8380 *peer_id_length = inputs->peer_len;
8381
8382 return PSA_SUCCESS;
8383}
8384
8385psa_status_t psa_crypto_driver_pake_get_cipher_suite(
8386 const psa_crypto_driver_pake_inputs_t *inputs,
8387 psa_pake_cipher_suite_t *cipher_suite)
8388{
8389 if (inputs->cipher_suite.algorithm == PSA_ALG_NONE) {
8390 return PSA_ERROR_BAD_STATE;
8391 }
8392
8393 *cipher_suite = inputs->cipher_suite;
8394
8395 return PSA_SUCCESS;
8396}
8397
8398psa_status_t psa_pake_setup(
8399 psa_pake_operation_t *operation,
8400 const psa_pake_cipher_suite_t *cipher_suite)
8401{
8402 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8403
8404 if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) {
8405 status = PSA_ERROR_BAD_STATE;
8406 goto exit;
8407 }
8408
8409 if (PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 ||
8410 PSA_ALG_IS_HASH(cipher_suite->hash) == 0) {
8411 status = PSA_ERROR_INVALID_ARGUMENT;
8412 goto exit;
8413 }
8414
8415 memset(&operation->data.inputs, 0, sizeof(operation->data.inputs));
8416
8417 operation->alg = cipher_suite->algorithm;
8418 operation->primitive = PSA_PAKE_PRIMITIVE(cipher_suite->type,
8419 cipher_suite->family, cipher_suite->bits);
8420 operation->data.inputs.cipher_suite = *cipher_suite;
8421
8422#if defined(PSA_WANT_ALG_JPAKE)
8423 if (operation->alg == PSA_ALG_JPAKE) {
8424 psa_jpake_computation_stage_t *computation_stage =
8425 &operation->computation_stage.jpake;
8426
8427 memset(computation_stage, 0, sizeof(*computation_stage));
8428 computation_stage->step = PSA_PAKE_STEP_KEY_SHARE;
8429 } else
8430#endif /* PSA_WANT_ALG_JPAKE */
8431 {
8432 status = PSA_ERROR_NOT_SUPPORTED;
8433 goto exit;
8434 }
8435
8436 operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS;
8437
8438 return PSA_SUCCESS;
8439exit:
8440 psa_pake_abort(operation);
8441 return status;
8442}
8443
8444psa_status_t psa_pake_set_password_key(
8445 psa_pake_operation_t *operation,
8446 mbedtls_svc_key_id_t password)
8447{
8448 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8449 psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
8450 psa_key_slot_t *slot = NULL;
8451 psa_key_type_t type;
8452
8453 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8454 status = PSA_ERROR_BAD_STATE;
8455 goto exit;
8456 }
8457
8458 status = psa_get_and_lock_key_slot_with_policy(password, &slot,
8459 PSA_KEY_USAGE_DERIVE,
8460 operation->alg);
8461 if (status != PSA_SUCCESS) {
8462 goto exit;
8463 }
8464
8465 type = psa_get_key_type(&slot->attr);
8466
8467 if (type != PSA_KEY_TYPE_PASSWORD &&
8468 type != PSA_KEY_TYPE_PASSWORD_HASH) {
8469 status = PSA_ERROR_INVALID_ARGUMENT;
8470 goto exit;
8471 }
8472
8473 operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes);
8474 if (operation->data.inputs.password == NULL) {
8475 status = PSA_ERROR_INSUFFICIENT_MEMORY;
8476 goto exit;
8477 }
8478
8479 memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes);
8480 operation->data.inputs.password_len = slot->key.bytes;
8481 operation->data.inputs.attributes = slot->attr;
8482
8483exit:
8484 if (status != PSA_SUCCESS) {
8485 psa_pake_abort(operation);
8486 }
8487 unlock_status = psa_unregister_read_under_mutex(slot);
8488 return (status == PSA_SUCCESS) ? unlock_status : status;
8489}
8490
8491psa_status_t psa_pake_set_user(
8492 psa_pake_operation_t *operation,
8493 const uint8_t *user_id_external,
8494 size_t user_id_len)
8495{
8496 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8497 LOCAL_INPUT_DECLARE(user_id_external, user_id);
8498
8499 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8500 status = PSA_ERROR_BAD_STATE;
8501 goto exit;
8502 }
8503
8504 if (user_id_len == 0) {
8505 status = PSA_ERROR_INVALID_ARGUMENT;
8506 goto exit;
8507 }
8508
8509 if (operation->data.inputs.user_len != 0) {
8510 status = PSA_ERROR_BAD_STATE;
8511 goto exit;
8512 }
8513
8514 operation->data.inputs.user = mbedtls_calloc(1, user_id_len);
8515 if (operation->data.inputs.user == NULL) {
8516 status = PSA_ERROR_INSUFFICIENT_MEMORY;
8517 goto exit;
8518 }
8519
8520 LOCAL_INPUT_ALLOC(user_id_external, user_id_len, user_id);
8521
8522 memcpy(operation->data.inputs.user, user_id, user_id_len);
8523 operation->data.inputs.user_len = user_id_len;
8524
8525 status = PSA_SUCCESS;
8526
8527exit:
8528 LOCAL_INPUT_FREE(user_id_external, user_id);
8529 if (status != PSA_SUCCESS) {
8530 psa_pake_abort(operation);
8531 }
8532 return status;
8533}
8534
8535psa_status_t psa_pake_set_peer(
8536 psa_pake_operation_t *operation,
8537 const uint8_t *peer_id_external,
8538 size_t peer_id_len)
8539{
8540 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8541 LOCAL_INPUT_DECLARE(peer_id_external, peer_id);
8542
8543 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8544 status = PSA_ERROR_BAD_STATE;
8545 goto exit;
8546 }
8547
8548 if (peer_id_len == 0) {
8549 status = PSA_ERROR_INVALID_ARGUMENT;
8550 goto exit;
8551 }
8552
8553 if (operation->data.inputs.peer_len != 0) {
8554 status = PSA_ERROR_BAD_STATE;
8555 goto exit;
8556 }
8557
8558 operation->data.inputs.peer = mbedtls_calloc(1, peer_id_len);
8559 if (operation->data.inputs.peer == NULL) {
8560 status = PSA_ERROR_INSUFFICIENT_MEMORY;
8561 goto exit;
8562 }
8563
8564 LOCAL_INPUT_ALLOC(peer_id_external, peer_id_len, peer_id);
8565
8566 memcpy(operation->data.inputs.peer, peer_id, peer_id_len);
8567 operation->data.inputs.peer_len = peer_id_len;
8568
8569 status = PSA_SUCCESS;
8570
8571exit:
8572 LOCAL_INPUT_FREE(peer_id_external, peer_id);
8573 if (status != PSA_SUCCESS) {
8574 psa_pake_abort(operation);
8575 }
8576 return status;
8577}
8578
8579psa_status_t psa_pake_set_role(
8580 psa_pake_operation_t *operation,
8581 psa_pake_role_t role)
8582{
8583 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8584
8585 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8586 status = PSA_ERROR_BAD_STATE;
8587 goto exit;
8588 }
8589
8590 switch (operation->alg) {
8591#if defined(PSA_WANT_ALG_JPAKE)
8592 case PSA_ALG_JPAKE:
8593 if (role == PSA_PAKE_ROLE_NONE) {
8594 return PSA_SUCCESS;
8595 }
8596 status = PSA_ERROR_INVALID_ARGUMENT;
8597 break;
8598#endif
8599 default:
8600 (void) role;
8601 status = PSA_ERROR_NOT_SUPPORTED;
8602 goto exit;
8603 }
8604exit:
8605 psa_pake_abort(operation);
8606 return status;
8607}
8608
8609/* Auxiliary function to convert core computation stage to single driver step. */
8610#if defined(PSA_WANT_ALG_JPAKE)
8611static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step(
8612 psa_jpake_computation_stage_t *stage)
8613{
8614 psa_crypto_driver_pake_step_t key_share_step;
8615 if (stage->round == PSA_JPAKE_FIRST) {
8616 int is_x1;
8617
8618 if (stage->io_mode == PSA_JPAKE_OUTPUT) {
8619 is_x1 = (stage->outputs < 1);
8620 } else {
8621 is_x1 = (stage->inputs < 1);
8622 }
8623
8624 key_share_step = is_x1 ?
8625 PSA_JPAKE_X1_STEP_KEY_SHARE :
8626 PSA_JPAKE_X2_STEP_KEY_SHARE;
8627 } else if (stage->round == PSA_JPAKE_SECOND) {
8628 key_share_step = (stage->io_mode == PSA_JPAKE_OUTPUT) ?
8629 PSA_JPAKE_X2S_STEP_KEY_SHARE :
8630 PSA_JPAKE_X4S_STEP_KEY_SHARE;
8631 } else {
8632 return PSA_JPAKE_STEP_INVALID;
8633 }
8634 return (psa_crypto_driver_pake_step_t) (key_share_step + stage->step - PSA_PAKE_STEP_KEY_SHARE);
8635}
8636#endif /* PSA_WANT_ALG_JPAKE */
8637
8638static psa_status_t psa_pake_complete_inputs(
8639 psa_pake_operation_t *operation)
8640{
8641 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8642 /* Create copy of the inputs on stack as inputs share memory
8643 with the driver context which will be setup by the driver. */
8644 psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs;
8645
8646 if (inputs.password_len == 0) {
8647 return PSA_ERROR_BAD_STATE;
8648 }
8649
8650 if (operation->alg == PSA_ALG_JPAKE) {
8651 if (inputs.user_len == 0 || inputs.peer_len == 0) {
8652 return PSA_ERROR_BAD_STATE;
8653 }
8654 }
8655
8656 /* Clear driver context */
8657 mbedtls_platform_zeroize(&operation->data, sizeof(operation->data));
8658
8659 status = psa_driver_wrapper_pake_setup(operation, &inputs);
8660
8661 /* Driver is responsible for creating its own copy of the password. */
8662 mbedtls_zeroize_and_free(inputs.password, inputs.password_len);
8663
8664 /* User and peer are translated to role. */
8665 mbedtls_free(inputs.user);
8666 mbedtls_free(inputs.peer);
8667
8668 if (status == PSA_SUCCESS) {
8669#if defined(PSA_WANT_ALG_JPAKE)
8670 if (operation->alg == PSA_ALG_JPAKE) {
8671 operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;
8672 } else
8673#endif /* PSA_WANT_ALG_JPAKE */
8674 {
8675 status = PSA_ERROR_NOT_SUPPORTED;
8676 }
8677 }
8678 return status;
8679}
8680
8681#if defined(PSA_WANT_ALG_JPAKE)
8682static psa_status_t psa_jpake_prologue(
8683 psa_pake_operation_t *operation,
8684 psa_pake_step_t step,
8685 psa_jpake_io_mode_t io_mode)
8686{
8687 if (step != PSA_PAKE_STEP_KEY_SHARE &&
8688 step != PSA_PAKE_STEP_ZK_PUBLIC &&
8689 step != PSA_PAKE_STEP_ZK_PROOF) {
8690 return PSA_ERROR_INVALID_ARGUMENT;
8691 }
8692
8693 psa_jpake_computation_stage_t *computation_stage =
8694 &operation->computation_stage.jpake;
8695
8696 if (computation_stage->round != PSA_JPAKE_FIRST &&
8697 computation_stage->round != PSA_JPAKE_SECOND) {
8698 return PSA_ERROR_BAD_STATE;
8699 }
8700
8701 /* Check that the step we are given is the one we were expecting */
8702 if (step != computation_stage->step) {
8703 return PSA_ERROR_BAD_STATE;
8704 }
8705
8706 if (step == PSA_PAKE_STEP_KEY_SHARE &&
8707 computation_stage->inputs == 0 &&
8708 computation_stage->outputs == 0) {
8709 /* Start of the round, so function decides whether we are inputting
8710 * or outputting */
8711 computation_stage->io_mode = io_mode;
8712 } else if (computation_stage->io_mode != io_mode) {
8713 /* Middle of the round so the mode we are in must match the function
8714 * called by the user */
8715 return PSA_ERROR_BAD_STATE;
8716 }
8717
8718 return PSA_SUCCESS;
8719}
8720
8721static psa_status_t psa_jpake_epilogue(
8722 psa_pake_operation_t *operation,
8723 psa_jpake_io_mode_t io_mode)
8724{
8725 psa_jpake_computation_stage_t *stage =
8726 &operation->computation_stage.jpake;
8727
8728 if (stage->step == PSA_PAKE_STEP_ZK_PROOF) {
8729 /* End of an input/output */
8730 if (io_mode == PSA_JPAKE_INPUT) {
8731 stage->inputs++;
8732 if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round)) {
8733 stage->io_mode = PSA_JPAKE_OUTPUT;
8734 }
8735 }
8736 if (io_mode == PSA_JPAKE_OUTPUT) {
8737 stage->outputs++;
8738 if (stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
8739 stage->io_mode = PSA_JPAKE_INPUT;
8740 }
8741 }
8742 if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round) &&
8743 stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
8744 /* End of a round, move to the next round */
8745 stage->inputs = 0;
8746 stage->outputs = 0;
8747 stage->round++;
8748 }
8749 stage->step = PSA_PAKE_STEP_KEY_SHARE;
8750 } else {
8751 stage->step++;
8752 }
8753 return PSA_SUCCESS;
8754}
8755
8756#endif /* PSA_WANT_ALG_JPAKE */
8757
8758psa_status_t psa_pake_output(
8759 psa_pake_operation_t *operation,
8760 psa_pake_step_t step,
8761 uint8_t *output_external,
8762 size_t output_size,
8763 size_t *output_length)
8764{
8765 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8766 psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
8767 LOCAL_OUTPUT_DECLARE(output_external, output);
8768 *output_length = 0;
8769
8770 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8771 status = psa_pake_complete_inputs(operation);
8772 if (status != PSA_SUCCESS) {
8773 goto exit;
8774 }
8775 }
8776
8777 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
8778 status = PSA_ERROR_BAD_STATE;
8779 goto exit;
8780 }
8781
8782 if (output_size == 0) {
8783 status = PSA_ERROR_INVALID_ARGUMENT;
8784 goto exit;
8785 }
8786
8787 switch (operation->alg) {
8788#if defined(PSA_WANT_ALG_JPAKE)
8789 case PSA_ALG_JPAKE:
8790 status = psa_jpake_prologue(operation, step, PSA_JPAKE_OUTPUT);
8791 if (status != PSA_SUCCESS) {
8792 goto exit;
8793 }
8794 driver_step = convert_jpake_computation_stage_to_driver_step(
8795 &operation->computation_stage.jpake);
8796 break;
8797#endif /* PSA_WANT_ALG_JPAKE */
8798 default:
8799 (void) step;
8800 status = PSA_ERROR_NOT_SUPPORTED;
8801 goto exit;
8802 }
8803
8804 LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
8805
8806 status = psa_driver_wrapper_pake_output(operation, driver_step,
8807 output, output_size, output_length);
8808
8809 if (status != PSA_SUCCESS) {
8810 goto exit;
8811 }
8812
8813 switch (operation->alg) {
8814#if defined(PSA_WANT_ALG_JPAKE)
8815 case PSA_ALG_JPAKE:
8816 status = psa_jpake_epilogue(operation, PSA_JPAKE_OUTPUT);
8817 if (status != PSA_SUCCESS) {
8818 goto exit;
8819 }
8820 break;
8821#endif /* PSA_WANT_ALG_JPAKE */
8822 default:
8823 status = PSA_ERROR_NOT_SUPPORTED;
8824 goto exit;
8825 }
8826
8827exit:
8828 LOCAL_OUTPUT_FREE(output_external, output);
8829 if (status != PSA_SUCCESS) {
8830 psa_pake_abort(operation);
8831 }
8832 return status;
8833}
8834
8835psa_status_t psa_pake_input(
8836 psa_pake_operation_t *operation,
8837 psa_pake_step_t step,
8838 const uint8_t *input_external,
8839 size_t input_length)
8840{
8841 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8842 psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
8843 const size_t max_input_length = (size_t) PSA_PAKE_INPUT_SIZE(operation->alg,
8844 operation->primitive,
8845 step);
8846 LOCAL_INPUT_DECLARE(input_external, input);
8847
8848 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8849 status = psa_pake_complete_inputs(operation);
8850 if (status != PSA_SUCCESS) {
8851 goto exit;
8852 }
8853 }
8854
8855 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
8856 status = PSA_ERROR_BAD_STATE;
8857 goto exit;
8858 }
8859
8860 if (input_length == 0 || input_length > max_input_length) {
8861 status = PSA_ERROR_INVALID_ARGUMENT;
8862 goto exit;
8863 }
8864
8865 switch (operation->alg) {
8866#if defined(PSA_WANT_ALG_JPAKE)
8867 case PSA_ALG_JPAKE:
8868 status = psa_jpake_prologue(operation, step, PSA_JPAKE_INPUT);
8869 if (status != PSA_SUCCESS) {
8870 goto exit;
8871 }
8872 driver_step = convert_jpake_computation_stage_to_driver_step(
8873 &operation->computation_stage.jpake);
8874 break;
8875#endif /* PSA_WANT_ALG_JPAKE */
8876 default:
8877 (void) step;
8878 status = PSA_ERROR_NOT_SUPPORTED;
8879 goto exit;
8880 }
8881
8882 LOCAL_INPUT_ALLOC(input_external, input_length, input);
8883 status = psa_driver_wrapper_pake_input(operation, driver_step,
8884 input, input_length);
8885
8886 if (status != PSA_SUCCESS) {
8887 goto exit;
8888 }
8889
8890 switch (operation->alg) {
8891#if defined(PSA_WANT_ALG_JPAKE)
8892 case PSA_ALG_JPAKE:
8893 status = psa_jpake_epilogue(operation, PSA_JPAKE_INPUT);
8894 if (status != PSA_SUCCESS) {
8895 goto exit;
8896 }
8897 break;
8898#endif /* PSA_WANT_ALG_JPAKE */
8899 default:
8900 status = PSA_ERROR_NOT_SUPPORTED;
8901 goto exit;
8902 }
8903
8904exit:
8905 LOCAL_INPUT_FREE(input_external, input);
8906 if (status != PSA_SUCCESS) {
8907 psa_pake_abort(operation);
8908 }
8909 return status;
8910}
8911
8912psa_status_t psa_pake_get_implicit_key(
8913 psa_pake_operation_t *operation,
8914 psa_key_derivation_operation_t *output)
8915{
8916 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8917 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
8918 uint8_t shared_key[MBEDTLS_PSA_JPAKE_BUFFER_SIZE];
8919 size_t shared_key_len = 0;
8920
8921 if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
8922 status = PSA_ERROR_BAD_STATE;
8923 goto exit;
8924 }
8925
8926#if defined(PSA_WANT_ALG_JPAKE)
8927 if (operation->alg == PSA_ALG_JPAKE) {
8928 psa_jpake_computation_stage_t *computation_stage =
8929 &operation->computation_stage.jpake;
8930 if (computation_stage->round != PSA_JPAKE_FINISHED) {
8931 status = PSA_ERROR_BAD_STATE;
8932 goto exit;
8933 }
8934 } else
8935#endif /* PSA_WANT_ALG_JPAKE */
8936 {
8937 status = PSA_ERROR_NOT_SUPPORTED;
8938 goto exit;
8939 }
8940
8941 status = psa_driver_wrapper_pake_get_implicit_key(operation,
8942 shared_key,
8943 sizeof(shared_key),
8944 &shared_key_len);
8945
8946 if (status != PSA_SUCCESS) {
8947 goto exit;
8948 }
8949
8950 status = psa_key_derivation_input_bytes(output,
8951 PSA_KEY_DERIVATION_INPUT_SECRET,
8952 shared_key,
8953 shared_key_len);
8954
8955 mbedtls_platform_zeroize(shared_key, sizeof(shared_key));
8956exit:
8957 abort_status = psa_pake_abort(operation);
8958 return status == PSA_SUCCESS ? abort_status : status;
8959}
8960
8961psa_status_t psa_pake_abort(
8962 psa_pake_operation_t *operation)
8963{
8964 psa_status_t status = PSA_SUCCESS;
8965
8966 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
8967 status = psa_driver_wrapper_pake_abort(operation);
8968 }
8969
8970 if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
8971 if (operation->data.inputs.password != NULL) {
8972 mbedtls_zeroize_and_free(operation->data.inputs.password,
8973 operation->data.inputs.password_len);
8974 }
8975 if (operation->data.inputs.user != NULL) {
8976 mbedtls_free(operation->data.inputs.user);
8977 }
8978 if (operation->data.inputs.peer != NULL) {
8979 mbedtls_free(operation->data.inputs.peer);
8980 }
8981 }
8982 memset(operation, 0, sizeof(psa_pake_operation_t));
8983
8984 return status;
8985}
8986#endif /* PSA_WANT_ALG_SOME_PAKE */
8987
8988/* Memory copying test hooks. These are called before input copy, after input
8989 * copy, before output copy and after output copy, respectively.
8990 * They are used by memory-poisoning tests to temporarily unpoison buffers
8991 * while they are copied. */
8992#if defined(MBEDTLS_TEST_HOOKS)
8993void (*psa_input_pre_copy_hook)(const uint8_t *input, size_t input_len) = NULL;
8994void (*psa_input_post_copy_hook)(const uint8_t *input, size_t input_len) = NULL;
8995void (*psa_output_pre_copy_hook)(const uint8_t *output, size_t output_len) = NULL;
8996void (*psa_output_post_copy_hook)(const uint8_t *output, size_t output_len) = NULL;
8997#endif
8998
8999/** Copy from an input buffer to a local copy.
9000 *
9001 * \param[in] input Pointer to input buffer.
9002 * \param[in] input_len Length of the input buffer.
9003 * \param[out] input_copy Pointer to a local copy in which to store the input data.
9004 * \param[out] input_copy_len Length of the local copy buffer.
9005 * \return #PSA_SUCCESS, if the buffer was successfully
9006 * copied.
9007 * \return #PSA_ERROR_CORRUPTION_DETECTED, if the local
9008 * copy is too small to hold contents of the
9009 * input buffer.
9010 */
9011MBEDTLS_STATIC_TESTABLE
9012psa_status_t psa_crypto_copy_input(const uint8_t *input, size_t input_len,
9013 uint8_t *input_copy, size_t input_copy_len)
9014{
9015 if (input_len > input_copy_len) {
9016 return PSA_ERROR_CORRUPTION_DETECTED;
9017 }
9018
9019#if defined(MBEDTLS_TEST_HOOKS)
9020 if (psa_input_pre_copy_hook != NULL) {
9021 psa_input_pre_copy_hook(input, input_len);
9022 }
9023#endif
9024
9025 if (input_len > 0) {
9026 memcpy(input_copy, input, input_len);
9027 }
9028
9029#if defined(MBEDTLS_TEST_HOOKS)
9030 if (psa_input_post_copy_hook != NULL) {
9031 psa_input_post_copy_hook(input, input_len);
9032 }
9033#endif
9034
9035 return PSA_SUCCESS;
9036}
9037
9038/** Copy from a local output buffer into a user-supplied one.
9039 *
9040 * \param[in] output_copy Pointer to a local buffer containing the output.
9041 * \param[in] output_copy_len Length of the local buffer.
9042 * \param[out] output Pointer to user-supplied output buffer.
9043 * \param[out] output_len Length of the user-supplied output buffer.
9044 * \return #PSA_SUCCESS, if the buffer was successfully
9045 * copied.
9046 * \return #PSA_ERROR_BUFFER_TOO_SMALL, if the
9047 * user-supplied output buffer is too small to
9048 * hold the contents of the local buffer.
9049 */
9050MBEDTLS_STATIC_TESTABLE
9051psa_status_t psa_crypto_copy_output(const uint8_t *output_copy, size_t output_copy_len,
9052 uint8_t *output, size_t output_len)
9053{
9054 if (output_len < output_copy_len) {
9055 return PSA_ERROR_BUFFER_TOO_SMALL;
9056 }
9057
9058#if defined(MBEDTLS_TEST_HOOKS)
9059 if (psa_output_pre_copy_hook != NULL) {
9060 psa_output_pre_copy_hook(output, output_len);
9061 }
9062#endif
9063
9064 if (output_copy_len > 0) {
9065 memcpy(output, output_copy, output_copy_len);
9066 }
9067
9068#if defined(MBEDTLS_TEST_HOOKS)
9069 if (psa_output_post_copy_hook != NULL) {
9070 psa_output_post_copy_hook(output, output_len);
9071 }
9072#endif
9073
9074 return PSA_SUCCESS;
9075}
9076
9077psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len,
9078 psa_crypto_local_input_t *local_input)
9079{
9080 psa_status_t status;
9081
9082 *local_input = PSA_CRYPTO_LOCAL_INPUT_INIT;
9083
9084 if (input_len == 0) {
9085 return PSA_SUCCESS;
9086 }
9087
9088 local_input->buffer = mbedtls_calloc(input_len, 1);
9089 if (local_input->buffer == NULL) {
9090 /* Since we dealt with the zero-length case above, we know that
9091 * a NULL return value means a failure of allocation. */
9092 return PSA_ERROR_INSUFFICIENT_MEMORY;
9093 }
9094 /* From now on, we must free local_input->buffer on error. */
9095
9096 local_input->length = input_len;
9097
9098 status = psa_crypto_copy_input(input, input_len,
9099 local_input->buffer, local_input->length);
9100 if (status != PSA_SUCCESS) {
9101 goto error;
9102 }
9103
9104 return PSA_SUCCESS;
9105
9106error:
9107 mbedtls_free(local_input->buffer);
9108 local_input->buffer = NULL;
9109 local_input->length = 0;
9110 return status;
9111}
9112
9113void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input)
9114{
9115 mbedtls_free(local_input->buffer);
9116 local_input->buffer = NULL;
9117 local_input->length = 0;
9118}
9119
9120psa_status_t psa_crypto_local_output_alloc(uint8_t *output, size_t output_len,
9121 psa_crypto_local_output_t *local_output)
9122{
9123 *local_output = PSA_CRYPTO_LOCAL_OUTPUT_INIT;
9124
9125 if (output_len == 0) {
9126 return PSA_SUCCESS;
9127 }
9128 local_output->buffer = mbedtls_calloc(output_len, 1);
9129 if (local_output->buffer == NULL) {
9130 /* Since we dealt with the zero-length case above, we know that
9131 * a NULL return value means a failure of allocation. */
9132 return PSA_ERROR_INSUFFICIENT_MEMORY;
9133 }
9134 local_output->length = output_len;
9135 local_output->original = output;
9136
9137 return PSA_SUCCESS;
9138}
9139
9140psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_output)
9141{
9142 psa_status_t status;
9143
9144 if (local_output->buffer == NULL) {
9145 local_output->length = 0;
9146 return PSA_SUCCESS;
9147 }
9148 if (local_output->original == NULL) {
9149 /* We have an internal copy but nothing to copy back to. */
9150 return PSA_ERROR_CORRUPTION_DETECTED;
9151 }
9152
9153 status = psa_crypto_copy_output(local_output->buffer, local_output->length,
9154 local_output->original, local_output->length);
9155 if (status != PSA_SUCCESS) {
9156 return status;
9157 }
9158
9159 mbedtls_free(local_output->buffer);
9160 local_output->buffer = NULL;
9161 local_output->length = 0;
9162
9163 return PSA_SUCCESS;
9164}
9165
9166#endif /* MBEDTLS_PSA_CRYPTO_C */