From 9ef733faa0b11bce4dee9be4e0a453d0622bd519 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 7 Feb 2018 21:05:37 +0100 Subject: [PATCH] Implement hash functions New header file crypto_struct.h. The main file crypto.sh declares structures which are implementation-defined. These structures must be defined in crypto_struct.h, which is included at the end so that the structures can use types defined in crypto.h. Implement psa_hash_start, psa_hash_update and psa_hash_final. This should work for all hash algorithms supported by Mbed TLS, but has only been smoke-tested for SHA-256, and only in the nominal case. --- include/psa/crypto.h | 54 ++++ include/psa/crypto_struct.h | 96 +++++++ library/psa_crypto.c | 283 ++++++++++++++++++++ tests/suites/test_suite_psa_crypto.data | 8 + tests/suites/test_suite_psa_crypto.function | 67 +++++ 5 files changed, 508 insertions(+) create mode 100644 include/psa/crypto_struct.h diff --git a/include/psa/crypto.h b/include/psa/crypto.h index c1eb60ff8..90140d7a9 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -307,6 +307,54 @@ psa_status_t psa_export_key(psa_key_slot_t key, /**@}*/ +/** \defgroup hash Message digests + * @{ + */ + +typedef struct psa_hash_operation_s psa_hash_operation_t; + +#define PSA_HASH_FINAL_SIZE(alg) \ + ( \ + (alg) == PSA_ALG_MD2 ? 16 : \ + (alg) == PSA_ALG_MD4 ? 16 : \ + (alg) == PSA_ALG_MD5 ? 16 : \ + (alg) == PSA_ALG_SHA_256_128 ? 16 : \ + (alg) == PSA_ALG_RIPEMD160 ? 20 : \ + (alg) == PSA_ALG_SHA_1 ? 20 : \ + (alg) == PSA_ALG_SHA_256_160 ? 20 : \ + (alg) == PSA_ALG_SHA_224 ? 28 : \ + (alg) == PSA_ALG_SHA_256 ? 32 : \ + (alg) == PSA_ALG_SHA_384 ? 48 : \ + (alg) == PSA_ALG_SHA_512 ? 64 : \ + (alg) == PSA_ALG_SHA_512_224 ? 28 : \ + (alg) == PSA_ALG_SHA_512_256 ? 32 : \ + (alg) == PSA_ALG_SHA3_224 ? 28 : \ + (alg) == PSA_ALG_SHA3_256 ? 32 : \ + (alg) == PSA_ALG_SHA3_384 ? 48 : \ + (alg) == PSA_ALG_SHA3_512 ? 64 : \ + 0) + +psa_status_t psa_hash_start(psa_hash_operation_t *operation, + psa_algorithm_t alg); + +psa_status_t psa_hash_update(psa_hash_operation_t *operation, + const uint8_t *input, + size_t input_length); + +psa_status_t psa_hash_finish(psa_hash_operation_t *operation, + uint8_t *hash, + size_t hash_size, + size_t *hash_length); + +psa_status_t psa_hash_verify(psa_hash_operation_t *operation, + const uint8_t *hash, + size_t hash_length); + +psa_status_t ps_hash_abort(psa_hash_operation_t *operation); + +/**@}*/ + +/** \defgroup MAC Message authentication codes /** \defgroup asymmetric Asymmetric cryptography * @{ */ @@ -379,6 +427,12 @@ psa_status_t psa_asymmetric_verify(psa_key_slot_t key, } #endif +/* The file "crypto_struct.h" contains definitions for + * implementation-specific structs that are declared above. */ +#include "crypto_struct.h" + +/* The file "crypto_extra.h" contains vendor-specific definitions. This + * can include vendor-defined algorithms, extra functions, etc. */ #include "crypto_extra.h" #endif /* PSA_CRYPTO_H */ diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h new file mode 100644 index 000000000..6bd4ed23d --- /dev/null +++ b/include/psa/crypto_struct.h @@ -0,0 +1,96 @@ +/** + * \file psa/crypto_struct.h + * + * \brief PSA cryptography module: Mbed TLS structured type implementations + */ +/* + * Copyright (C) 2018, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#ifndef PSA_CRYPTO_STRUCT_H +#define PSA_CRYPTO_STRUCT_H + +/* Include the Mbed TLS configuration file, the way Mbed TLS does it + * in each of its header files. */ +#if !defined(MBEDTLS_CONFIG_FILE) +#include "../mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#include "mbedtls/cipher.h" +#include "mbedtls/cmac.h" +#include "mbedtls/gcm.h" +#include "mbedtls/md.h" +#include "mbedtls/md2.h" +#include "mbedtls/md4.h" +#include "mbedtls/md5.h" +#include "mbedtls/ripemd160.h" +#include "mbedtls/sha1.h" +#include "mbedtls/sha256.h" +#include "mbedtls/sha512.h" + +struct psa_hash_operation_s +{ + psa_algorithm_t alg; + union + { +#if defined(MBEDTLS_MD2_C) + mbedtls_md2_context md2; +#endif +#if defined(MBEDTLS_MD4_C) + mbedtls_md4_context md4; +#endif +#if defined(MBEDTLS_MD5_C) + mbedtls_md5_context md5; +#endif +#if defined(MBEDTLS_RIPEMD160_C) + mbedtls_ripemd160_context ripemd160; +#endif +#if defined(MBEDTLS_SHA1_C) + mbedtls_sha1_context sha1; +#endif +#if defined(MBEDTLS_SHA256_C) + mbedtls_sha256_context sha256; +#endif +#if defined(MBEDTLS_SHA512_C) + mbedtls_sha512_context sha512; +#endif + } ctx; +}; + +struct psa_mac_operation_s +{ + psa_algorithm_t alg; + int key_set : 1; + int iv_required : 1; + int iv_set : 1; + int has_input : 1; + uint8_t mac_size; + union + { +#if defined(MBEDTLS_MD_C) + mbedtls_md_context_t hmac; +#endif +#if defined(MBEDTLS_CMAC_C) + mbedtls_cipher_context_t cmac; +#endif + } ctx; +}; + +#endif /* PSA_CRYPTO_STRUCT_H */ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 84995176c..ca275495f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -72,6 +72,20 @@ static void mbedtls_zeroize( void *v, size_t n ) volatile unsigned char *p = v; while( n-- ) *p++ = 0; } +/* constant-time buffer comparison */ +static inline int safer_memcmp( const uint8_t *a, const uint8_t *b, size_t n ) +{ + size_t i; + unsigned char diff = 0; + + for( i = 0; i < n; i++ ) + diff |= a[i] ^ b[i]; + + return( diff ); +} + + + /****************************************************************/ /* Global data, support functions and library management */ /****************************************************************/ @@ -573,6 +587,275 @@ static psa_algorithm_t mbedtls_md_alg_to_psa( mbedtls_md_type_t md_alg ) } #endif +psa_status_t psa_hash_abort( psa_hash_operation_t *operation ) +{ + switch( operation->alg ) + { +#if defined(MBEDTLS_MD2_C) + case PSA_ALG_MD2: + mbedtls_md2_free( &operation->ctx.md2 ); + break; +#endif +#if defined(MBEDTLS_MD4_C) + case PSA_ALG_MD4: + mbedtls_md4_free( &operation->ctx.md4 ); + break; +#endif +#if defined(MBEDTLS_MD5_C) + case PSA_ALG_MD5: + mbedtls_md5_free( &operation->ctx.md5 ); + break; +#endif +#if defined(MBEDTLS_RIPEMD160_C) + case PSA_ALG_RIPEMD160: + mbedtls_ripemd160_free( &operation->ctx.ripemd160 ); + break; +#endif +#if defined(MBEDTLS_SHA1_C) + case PSA_ALG_SHA_1: + mbedtls_sha1_free( &operation->ctx.sha1 ); + break; +#endif +#if defined(MBEDTLS_SHA256_C) + case PSA_ALG_SHA_224: + case PSA_ALG_SHA_256: + mbedtls_sha256_free( &operation->ctx.sha256 ); + break; +#endif +#if defined(MBEDTLS_SHA512_C) + case PSA_ALG_SHA_384: + case PSA_ALG_SHA_512: + mbedtls_sha512_free( &operation->ctx.sha512 ); + break; +#endif + default: + return( PSA_ERROR_NOT_SUPPORTED ); + } + operation->alg = 0; + return( PSA_SUCCESS ); +} + +psa_status_t psa_hash_start( psa_hash_operation_t *operation, + psa_algorithm_t alg ) +{ + int ret; + operation->alg = 0; + switch( alg ) + { +#if defined(MBEDTLS_MD2_C) + case PSA_ALG_MD2: + mbedtls_md2_init( &operation->ctx.md2 ); + ret = mbedtls_md2_starts_ret( &operation->ctx.md2 ); + break; +#endif +#if defined(MBEDTLS_MD4_C) + case PSA_ALG_MD4: + mbedtls_md4_init( &operation->ctx.md4 ); + ret = mbedtls_md4_starts_ret( &operation->ctx.md4 ); + break; +#endif +#if defined(MBEDTLS_MD5_C) + case PSA_ALG_MD5: + mbedtls_md5_init( &operation->ctx.md5 ); + ret = mbedtls_md5_starts_ret( &operation->ctx.md5 ); + break; +#endif +#if defined(MBEDTLS_RIPEMD160_C) + case PSA_ALG_RIPEMD160: + mbedtls_ripemd160_init( &operation->ctx.ripemd160 ); + ret = mbedtls_ripemd160_starts_ret( &operation->ctx.ripemd160 ); + break; +#endif +#if defined(MBEDTLS_SHA1_C) + case PSA_ALG_SHA_1: + mbedtls_sha1_init( &operation->ctx.sha1 ); + ret = mbedtls_sha1_starts_ret( &operation->ctx.sha1 ); + break; +#endif +#if defined(MBEDTLS_SHA256_C) + case PSA_ALG_SHA_224: + mbedtls_sha256_init( &operation->ctx.sha256 ); + ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 1 ); + break; + case PSA_ALG_SHA_256: + mbedtls_sha256_init( &operation->ctx.sha256 ); + ret = mbedtls_sha256_starts_ret( &operation->ctx.sha256, 0 ); + break; +#endif +#if defined(MBEDTLS_SHA512_C) + case PSA_ALG_SHA_384: + mbedtls_sha512_init( &operation->ctx.sha512 ); + ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 1 ); + break; + case PSA_ALG_SHA_512: + mbedtls_sha512_init( &operation->ctx.sha512 ); + ret = mbedtls_sha512_starts_ret( &operation->ctx.sha512, 0 ); + break; +#endif + default: + return( PSA_ERROR_NOT_SUPPORTED ); + } + if( ret == 0 ) + operation->alg = alg; + else + psa_hash_abort( operation ); + return( mbedtls_to_psa_error( ret ) ); +} + +psa_status_t psa_hash_update( psa_hash_operation_t *operation, + const uint8_t *input, + size_t input_length ) +{ + int ret; + switch( operation->alg ) + { +#if defined(MBEDTLS_MD2_C) + case PSA_ALG_MD2: + ret = mbedtls_md2_update_ret( &operation->ctx.md2, + input, input_length ); + break; +#endif +#if defined(MBEDTLS_MD4_C) + case PSA_ALG_MD4: + ret = mbedtls_md4_update_ret( &operation->ctx.md4, + input, input_length ); + break; +#endif +#if defined(MBEDTLS_MD5_C) + case PSA_ALG_MD5: + ret = mbedtls_md5_update_ret( &operation->ctx.md5, + input, input_length ); + break; +#endif +#if defined(MBEDTLS_RIPEMD160_C) + case PSA_ALG_RIPEMD160: + ret = mbedtls_ripemd160_update_ret( &operation->ctx.ripemd160, + input, input_length ); + break; +#endif +#if defined(MBEDTLS_SHA1_C) + case PSA_ALG_SHA_1: + ret = mbedtls_sha1_update_ret( &operation->ctx.sha1, + input, input_length ); + break; +#endif +#if defined(MBEDTLS_SHA256_C) + case PSA_ALG_SHA_224: + case PSA_ALG_SHA_256: + ret = mbedtls_sha256_update_ret( &operation->ctx.sha256, + input, input_length ); + break; +#endif +#if defined(MBEDTLS_SHA512_C) + case PSA_ALG_SHA_384: + case PSA_ALG_SHA_512: + ret = mbedtls_sha512_update_ret( &operation->ctx.sha512, + input, input_length ); + break; +#endif + default: + ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA; + break; + } + if( ret != 0 ) + psa_hash_abort( operation ); + return( mbedtls_to_psa_error( ret ) ); +} + +psa_status_t psa_hash_finish( psa_hash_operation_t *operation, + uint8_t *hash, + size_t hash_size, + size_t *hash_length ) +{ + int ret; + size_t actual_hash_length = PSA_HASH_FINAL_SIZE( operation->alg ); + + /* Fill the output buffer with something that isn't a valid hash + * (barring an attack on the hash and deliberately-crafted input), + * in case the caller doesn't check the return status properly. */ + *hash_length = actual_hash_length; + memset( hash, '!', hash_size ); + + if( hash_size < actual_hash_length ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + + switch( operation->alg ) + { +#if defined(MBEDTLS_MD2_C) + case PSA_ALG_MD2: + ret = mbedtls_md2_finish_ret( &operation->ctx.md2, hash ); + break; +#endif +#if defined(MBEDTLS_MD4_C) + case PSA_ALG_MD4: + ret = mbedtls_md4_finish_ret( &operation->ctx.md4, hash ); + break; +#endif +#if defined(MBEDTLS_MD5_C) + case PSA_ALG_MD5: + ret = mbedtls_md5_finish_ret( &operation->ctx.md5, hash ); + break; +#endif +#if defined(MBEDTLS_RIPEMD160_C) + case PSA_ALG_RIPEMD160: + ret = mbedtls_ripemd160_finish_ret( &operation->ctx.ripemd160, hash ); + break; +#endif +#if defined(MBEDTLS_SHA1_C) + case PSA_ALG_SHA_1: + ret = mbedtls_sha1_finish_ret( &operation->ctx.sha1, hash ); + break; +#endif +#if defined(MBEDTLS_SHA256_C) + case PSA_ALG_SHA_224: + case PSA_ALG_SHA_256: + ret = mbedtls_sha256_finish_ret( &operation->ctx.sha256, hash ); + break; +#endif +#if defined(MBEDTLS_SHA512_C) + case PSA_ALG_SHA_384: + case PSA_ALG_SHA_512: + ret = mbedtls_sha512_finish_ret( &operation->ctx.sha512, hash ); + break; +#endif + default: + ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA; + break; + } + + if( ret == 0 ) + { + return( psa_hash_abort( operation ) ); + } + else + { + psa_hash_abort( operation ); + return( mbedtls_to_psa_error( ret ) ); + } +} + +psa_status_t psa_hash_verify(psa_hash_operation_t *operation, + const uint8_t *hash, + size_t hash_length) +{ + uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE]; + size_t actual_hash_length; + psa_status_t status = psa_hash_finish( operation, + actual_hash, sizeof( actual_hash ), + &actual_hash_length ); + if( status != PSA_SUCCESS ) + return( status ); + if( actual_hash_length != hash_length ) + return( PSA_ERROR_INVALID_SIGNATURE ); + if( safer_memcmp( hash, actual_hash, actual_hash_length ) != 0 ) + return( PSA_ERROR_INVALID_SIGNATURE ); + return( PSA_SUCCESS ); +} + + + + +/****************************************************************/ /****************************************************************/ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index a2d6b89fd..f53b1a436 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -37,6 +37,14 @@ import_export:"3082025a0201000281806c49704e91f3df44fc99e9b3c0fee5025cc04d09529a1 #depends_on:MBEDTLS_PK_C:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED #import_export:"3077020101042049c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eeea00a06082a8648ce3d030107a144034200047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45":PSA_KEY_TYPE_ECC_NISTP256R1:256:0:PSA_SUCCESS:1 # +PSA hash finish: SHA-256 +depends_on:MBEDTLS_SHA256_C +hash_finish:PSA_ALG_SHA_256:"bd":"68325720aabd7c82f30f554b313d0570c95accbb7dc4b5aae11204c08ffe732b" + +PSA hash verify: SHA-256 +depends_on:MBEDTLS_SHA256_C +hash_verify:PSA_ALG_SHA_256:"bd":"68325720aabd7c82f30f554b313d0570c95accbb7dc4b5aae11204c08ffe732b" + PSA signature size: RSA keypair, 1024 bits, PKCS#1 v1.5 raw signature_size:PSA_KEY_TYPE_RSA_KEYPAIR:1024:PSA_ALG_RSA_PKCS1V15_RAW:128 diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index c5d536e46..21802d147 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -133,6 +133,73 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void hash_finish( int alg_arg, char *input_hex, char *hash_hex ) +{ + psa_algorithm_t alg = alg_arg; + unsigned char *input = NULL; + size_t input_size; + unsigned char expected_hash[MBEDTLS_MD_MAX_SIZE]; + size_t expected_hash_length; + unsigned char actual_hash[MBEDTLS_MD_MAX_SIZE]; + size_t actual_hash_length; + psa_hash_operation_t operation; + + input_size = strlen( input_hex ) / 2; + input = mbedtls_calloc( 1, input_size ); + TEST_ASSERT( input != NULL ); + input_size = unhexify( input, input_hex ); + expected_hash_length = unhexify( expected_hash, hash_hex ); + + TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_hash_start( &operation, alg ) == PSA_SUCCESS ); + TEST_ASSERT( psa_hash_update( &operation, + input, input_size ) == PSA_SUCCESS ); + TEST_ASSERT( psa_hash_finish( &operation, + actual_hash, sizeof( actual_hash ), + &actual_hash_length ) == PSA_SUCCESS ); + TEST_ASSERT( actual_hash_length == expected_hash_length ); + TEST_ASSERT( memcmp( expected_hash, actual_hash, + expected_hash_length ) == 0 ); + +exit: + mbedtls_free( input ); + mbedtls_psa_crypto_free( ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void hash_verify( int alg_arg, char *input_hex, char *hash_hex ) +{ + psa_algorithm_t alg = alg_arg; + unsigned char *input = NULL; + size_t input_size; + unsigned char expected_hash[MBEDTLS_MD_MAX_SIZE]; + size_t expected_hash_length; + psa_hash_operation_t operation; + + input_size = strlen( input_hex ) / 2; + input = mbedtls_calloc( 1, input_size ); + TEST_ASSERT( input != NULL ); + input_size = unhexify( input, input_hex ); + expected_hash_length = unhexify( expected_hash, hash_hex ); + + TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + + TEST_ASSERT( psa_hash_start( &operation, alg ) == PSA_SUCCESS ); + TEST_ASSERT( psa_hash_update( &operation, + input, input_size ) == PSA_SUCCESS ); + TEST_ASSERT( psa_hash_verify( &operation, + expected_hash, + expected_hash_length ) == PSA_SUCCESS ); + +exit: + mbedtls_free( input ); + mbedtls_psa_crypto_free( ); +} +/* END_CASE */ + /* BEGIN_CASE */ void signature_size( int type_arg, int bits, int alg_arg, int expected_size_arg ) {