1 /**
2 * \file psa/crypto_struct.h
3 *
4 * \brief PSA cryptography module: Mbed TLS structured type implementations
5 *
6 * \note This file may not be included directly. Applications must
7 * include psa/crypto.h.
8 *
9 * This file contains the definitions of some data structures with
10 * implementation-specific definitions.
11 *
12 * In implementations with isolation between the application and the
13 * cryptography module, it is expected that the front-end and the back-end
14 * would have different versions of this file.
15 *
16 * <h3>Design notes about multipart operation structures</h3>
17 *
18 * Each multipart operation structure contains a `psa_algorithm_t alg`
19 * field which indicates which specific algorithm the structure is for.
20 * When the structure is not in use, `alg` is 0. Most of the structure
21 * consists of a union which is discriminated by `alg`.
22 *
23 * Note that when `alg` is 0, the content of other fields is undefined.
24 * In particular, it is not guaranteed that a freshly-initialized structure
25 * is all-zero: we initialize structures to something like `{0, 0}`, which
26 * is only guaranteed to initializes the first member of the union;
27 * GCC and Clang initialize the whole structure to 0 (at the time of writing),
28 * but MSVC and CompCert don't.
29 *
30 * In Mbed Crypto, multipart operation structures live independently from
31 * the key. This allows Mbed Crypto to free the key objects when destroying
32 * a key slot. If a multipart operation needs to remember the key after
33 * the setup function returns, the operation structure needs to contain a
34 * copy of the key.
35 */
36 /*
37 * Copyright The Mbed TLS Contributors
38 * SPDX-License-Identifier: Apache-2.0
39 *
40 * Licensed under the Apache License, Version 2.0 (the "License"); you may
41 * not use this file except in compliance with the License.
42 * You may obtain a copy of the License at
43 *
44 * http://www.apache.org/licenses/LICENSE-2.0
45 *
46 * Unless required by applicable law or agreed to in writing, software
47 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
48 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
49 * See the License for the specific language governing permissions and
50 * limitations under the License.
51 */
52
53 #ifndef PSA_CRYPTO_STRUCT_H
54 #define PSA_CRYPTO_STRUCT_H
55
56 #ifdef __cplusplus
57 extern "C" {
58 #endif
59
60 /* Include the Mbed TLS configuration file, the way Mbed TLS does it
61 * in each of its header files. */
62 #if !defined(MBEDTLS_CONFIG_FILE)
63 #include "mbedtls/config.h"
64 #else
65 #include MBEDTLS_CONFIG_FILE
66 #endif
67
68 #include "mbedtls/cipher.h"
69 #include "mbedtls/cmac.h"
70 #include "mbedtls/gcm.h"
71 #include "mbedtls/md.h"
72 #include "mbedtls/md2.h"
73 #include "mbedtls/md4.h"
74 #include "mbedtls/md5.h"
75 #include "mbedtls/ripemd160.h"
76 #include "mbedtls/sha1.h"
77 #include "mbedtls/sha256.h"
78 #include "mbedtls/sha512.h"
79
80 typedef struct {
81 /** Unique ID indicating which driver got assigned to do the
82 * operation. Since driver contexts are driver-specific, swapping
83 * drivers halfway through the operation is not supported.
84 * ID values are auto-generated in psa_driver_wrappers.h */
85 unsigned int id;
86 /** Context structure for the assigned driver, when id is not zero. */
87 void* ctx;
88 } psa_operation_driver_context_t;
89
90 struct psa_hash_operation_s
91 {
92 psa_algorithm_t alg;
93 union
94 {
95 unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
96 #if defined(MBEDTLS_MD2_C)
97 mbedtls_md2_context md2;
98 #endif
99 #if defined(MBEDTLS_MD4_C)
100 mbedtls_md4_context md4;
101 #endif
102 #if defined(MBEDTLS_MD5_C)
103 mbedtls_md5_context md5;
104 #endif
105 #if defined(MBEDTLS_RIPEMD160_C)
106 mbedtls_ripemd160_context ripemd160;
107 #endif
108 #if defined(MBEDTLS_SHA1_C)
109 mbedtls_sha1_context sha1;
110 #endif
111 #if defined(MBEDTLS_SHA256_C)
112 mbedtls_sha256_context sha256;
113 #endif
114 #if defined(MBEDTLS_SHA512_C)
115 mbedtls_sha512_context sha512;
116 #endif
117 } ctx;
118 };
119
120 #define PSA_HASH_OPERATION_INIT {0, {0}}
psa_hash_operation_init(void)121 static inline struct psa_hash_operation_s psa_hash_operation_init( void )
122 {
123 const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT;
124 return( v );
125 }
126
127 #if defined(MBEDTLS_MD_C)
128 typedef struct
129 {
130 /** The hash context. */
131 struct psa_hash_operation_s hash_ctx;
132 /** The HMAC part of the context. */
133 uint8_t opad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
134 } psa_hmac_internal_data;
135 #endif /* MBEDTLS_MD_C */
136
137 struct psa_mac_operation_s
138 {
139 psa_algorithm_t alg;
140 unsigned int key_set : 1;
141 unsigned int iv_required : 1;
142 unsigned int iv_set : 1;
143 unsigned int has_input : 1;
144 unsigned int is_sign : 1;
145 uint8_t mac_size;
146 union
147 {
148 unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
149 #if defined(MBEDTLS_MD_C)
150 psa_hmac_internal_data hmac;
151 #endif
152 #if defined(MBEDTLS_CMAC_C)
153 mbedtls_cipher_context_t cmac;
154 #endif
155 } ctx;
156 };
157
158 #define PSA_MAC_OPERATION_INIT {0, 0, 0, 0, 0, 0, 0, {0}}
psa_mac_operation_init(void)159 static inline struct psa_mac_operation_s psa_mac_operation_init( void )
160 {
161 const struct psa_mac_operation_s v = PSA_MAC_OPERATION_INIT;
162 return( v );
163 }
164
165 struct psa_cipher_operation_s
166 {
167 psa_algorithm_t alg;
168 unsigned int key_set : 1;
169 unsigned int iv_required : 1;
170 unsigned int iv_set : 1;
171 unsigned int mbedtls_in_use : 1; /* Indicates mbed TLS is handling the operation. */
172 uint8_t iv_size;
173 uint8_t block_size;
174 union
175 {
176 unsigned dummy; /* Enable easier initializing of the union. */
177 mbedtls_cipher_context_t cipher;
178 psa_operation_driver_context_t driver;
179 } ctx;
180 };
181
182 #define PSA_CIPHER_OPERATION_INIT {0, 0, 0, 0, 0, 0, 0, {0}}
psa_cipher_operation_init(void)183 static inline struct psa_cipher_operation_s psa_cipher_operation_init( void )
184 {
185 const struct psa_cipher_operation_s v = PSA_CIPHER_OPERATION_INIT;
186 return( v );
187 }
188
189 struct psa_aead_operation_s
190 {
191 psa_algorithm_t alg;
192 unsigned int key_set : 1;
193 unsigned int iv_set : 1;
194 uint8_t iv_size;
195 uint8_t block_size;
196 union
197 {
198 unsigned dummy; /* Enable easier initializing of the union. */
199 mbedtls_cipher_context_t cipher;
200 } ctx;
201 };
202
203 #define PSA_AEAD_OPERATION_INIT {0, 0, 0, 0, 0, {0}}
psa_aead_operation_init(void)204 static inline struct psa_aead_operation_s psa_aead_operation_init( void )
205 {
206 const struct psa_aead_operation_s v = PSA_AEAD_OPERATION_INIT;
207 return( v );
208 }
209
210 #if defined(MBEDTLS_MD_C)
211 typedef struct
212 {
213 uint8_t *info;
214 size_t info_length;
215 psa_hmac_internal_data hmac;
216 uint8_t prk[PSA_HASH_MAX_SIZE];
217 uint8_t output_block[PSA_HASH_MAX_SIZE];
218 #if PSA_HASH_MAX_SIZE > 0xff
219 #error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
220 #endif
221 uint8_t offset_in_block;
222 uint8_t block_number;
223 unsigned int state : 2;
224 unsigned int info_set : 1;
225 } psa_hkdf_key_derivation_t;
226 #endif /* MBEDTLS_MD_C */
227
228 #if defined(MBEDTLS_MD_C)
229 typedef enum
230 {
231 TLS12_PRF_STATE_INIT, /* no input provided */
232 TLS12_PRF_STATE_SEED_SET, /* seed has been set */
233 TLS12_PRF_STATE_KEY_SET, /* key has been set */
234 TLS12_PRF_STATE_LABEL_SET, /* label has been set */
235 TLS12_PRF_STATE_OUTPUT /* output has been started */
236 } psa_tls12_prf_key_derivation_state_t;
237
238 typedef struct psa_tls12_prf_key_derivation_s
239 {
240 #if PSA_HASH_MAX_SIZE > 0xff
241 #error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
242 #endif
243
244 /* Indicates how many bytes in the current HMAC block have
245 * not yet been read by the user. */
246 uint8_t left_in_block;
247
248 /* The 1-based number of the block. */
249 uint8_t block_number;
250
251 psa_tls12_prf_key_derivation_state_t state;
252
253 uint8_t *seed;
254 size_t seed_length;
255 uint8_t *label;
256 size_t label_length;
257 psa_hmac_internal_data hmac;
258 uint8_t Ai[PSA_HASH_MAX_SIZE];
259
260 /* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */
261 uint8_t output_block[PSA_HASH_MAX_SIZE];
262 } psa_tls12_prf_key_derivation_t;
263 #endif /* MBEDTLS_MD_C */
264
265 struct psa_key_derivation_s
266 {
267 psa_algorithm_t alg;
268 unsigned int can_output_key : 1;
269 size_t capacity;
270 union
271 {
272 /* Make the union non-empty even with no supported algorithms. */
273 uint8_t dummy;
274 #if defined(MBEDTLS_MD_C)
275 psa_hkdf_key_derivation_t hkdf;
276 psa_tls12_prf_key_derivation_t tls12_prf;
277 #endif
278 } ctx;
279 };
280
281 /* This only zeroes out the first byte in the union, the rest is unspecified. */
282 #define PSA_KEY_DERIVATION_OPERATION_INIT {0, 0, 0, {0}}
psa_key_derivation_operation_init(void)283 static inline struct psa_key_derivation_s psa_key_derivation_operation_init( void )
284 {
285 const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT;
286 return( v );
287 }
288
289 struct psa_key_policy_s
290 {
291 psa_key_usage_t usage;
292 psa_algorithm_t alg;
293 psa_algorithm_t alg2;
294 };
295 typedef struct psa_key_policy_s psa_key_policy_t;
296
297 #define PSA_KEY_POLICY_INIT {0, 0, 0}
psa_key_policy_init(void)298 static inline struct psa_key_policy_s psa_key_policy_init( void )
299 {
300 const struct psa_key_policy_s v = PSA_KEY_POLICY_INIT;
301 return( v );
302 }
303
304 /* The type used internally for key sizes.
305 * Public interfaces use size_t, but internally we use a smaller type. */
306 typedef uint16_t psa_key_bits_t;
307 /* The maximum value of the type used to represent bit-sizes.
308 * This is used to mark an invalid key size. */
309 #define PSA_KEY_BITS_TOO_LARGE ( (psa_key_bits_t) ( -1 ) )
310 /* The maximum size of a key in bits.
311 * Currently defined as the maximum that can be represented, rounded down
312 * to a whole number of bytes.
313 * This is an uncast value so that it can be used in preprocessor
314 * conditionals. */
315 #define PSA_MAX_KEY_BITS 0xfff8
316
317 /** A mask of flags that can be stored in key attributes.
318 *
319 * This type is also used internally to store flags in slots. Internal
320 * flags are defined in library/psa_crypto_core.h. Internal flags may have
321 * the same value as external flags if they are properly handled during
322 * key creation and in psa_get_key_attributes.
323 */
324 typedef uint16_t psa_key_attributes_flag_t;
325
326 #define MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER \
327 ( (psa_key_attributes_flag_t) 0x0001 )
328
329 /* A mask of key attribute flags used externally only.
330 * Only meant for internal checks inside the library. */
331 #define MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY ( \
332 MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER | \
333 0 )
334
335 /* A mask of key attribute flags used both internally and externally.
336 * Currently there aren't any. */
337 #define MBEDTLS_PSA_KA_MASK_DUAL_USE ( \
338 0 )
339
340 typedef struct
341 {
342 psa_key_type_t type;
343 psa_key_bits_t bits;
344 psa_key_lifetime_t lifetime;
345 mbedtls_svc_key_id_t id;
346 psa_key_policy_t policy;
347 psa_key_attributes_flag_t flags;
348 } psa_core_key_attributes_t;
349
350 #define PSA_CORE_KEY_ATTRIBUTES_INIT {PSA_KEY_TYPE_NONE, 0, PSA_KEY_LIFETIME_VOLATILE, MBEDTLS_SVC_KEY_ID_INIT, PSA_KEY_POLICY_INIT, 0}
351
352 struct psa_key_attributes_s
353 {
354 psa_core_key_attributes_t core;
355 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
356 psa_key_slot_number_t slot_number;
357 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
358 void *domain_parameters;
359 size_t domain_parameters_size;
360 };
361
362 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
363 #define PSA_KEY_ATTRIBUTES_INIT {PSA_CORE_KEY_ATTRIBUTES_INIT, 0, NULL, 0}
364 #else
365 #define PSA_KEY_ATTRIBUTES_INIT {PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0}
366 #endif
367
psa_key_attributes_init(void)368 static inline struct psa_key_attributes_s psa_key_attributes_init( void )
369 {
370 const struct psa_key_attributes_s v = PSA_KEY_ATTRIBUTES_INIT;
371 return( v );
372 }
373
psa_set_key_id(psa_key_attributes_t * attributes,mbedtls_svc_key_id_t key)374 static inline void psa_set_key_id( psa_key_attributes_t *attributes,
375 mbedtls_svc_key_id_t key )
376 {
377 psa_key_lifetime_t lifetime = attributes->core.lifetime;
378
379 attributes->core.id = key;
380
381 if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
382 {
383 attributes->core.lifetime =
384 PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
385 PSA_KEY_LIFETIME_PERSISTENT,
386 PSA_KEY_LIFETIME_GET_LOCATION( lifetime ) );
387 }
388 }
389
psa_get_key_id(const psa_key_attributes_t * attributes)390 static inline mbedtls_svc_key_id_t psa_get_key_id(
391 const psa_key_attributes_t *attributes)
392 {
393 return( attributes->core.id );
394 }
395
396 #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
mbedtls_set_key_owner_id(psa_key_attributes_t * attributes,mbedtls_key_owner_id_t owner)397 static inline void mbedtls_set_key_owner_id( psa_key_attributes_t *attributes,
398 mbedtls_key_owner_id_t owner )
399 {
400 attributes->core.id.owner = owner;
401 }
402 #endif
403
psa_set_key_lifetime(psa_key_attributes_t * attributes,psa_key_lifetime_t lifetime)404 static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes,
405 psa_key_lifetime_t lifetime)
406 {
407 attributes->core.lifetime = lifetime;
408 if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) )
409 {
410 #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
411 attributes->core.id.key_id = 0;
412 #else
413 attributes->core.id = 0;
414 #endif
415 }
416 }
417
psa_get_key_lifetime(const psa_key_attributes_t * attributes)418 static inline psa_key_lifetime_t psa_get_key_lifetime(
419 const psa_key_attributes_t *attributes)
420 {
421 return( attributes->core.lifetime );
422 }
423
psa_set_key_usage_flags(psa_key_attributes_t * attributes,psa_key_usage_t usage_flags)424 static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
425 psa_key_usage_t usage_flags)
426 {
427 attributes->core.policy.usage = usage_flags;
428 }
429
psa_get_key_usage_flags(const psa_key_attributes_t * attributes)430 static inline psa_key_usage_t psa_get_key_usage_flags(
431 const psa_key_attributes_t *attributes)
432 {
433 return( attributes->core.policy.usage );
434 }
435
psa_set_key_algorithm(psa_key_attributes_t * attributes,psa_algorithm_t alg)436 static inline void psa_set_key_algorithm(psa_key_attributes_t *attributes,
437 psa_algorithm_t alg)
438 {
439 attributes->core.policy.alg = alg;
440 }
441
psa_get_key_algorithm(const psa_key_attributes_t * attributes)442 static inline psa_algorithm_t psa_get_key_algorithm(
443 const psa_key_attributes_t *attributes)
444 {
445 return( attributes->core.policy.alg );
446 }
447
448 /* This function is declared in crypto_extra.h, which comes after this
449 * header file, but we need the function here, so repeat the declaration. */
450 psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
451 psa_key_type_t type,
452 const uint8_t *data,
453 size_t data_length);
454
psa_set_key_type(psa_key_attributes_t * attributes,psa_key_type_t type)455 static inline void psa_set_key_type(psa_key_attributes_t *attributes,
456 psa_key_type_t type)
457 {
458 if( attributes->domain_parameters == NULL )
459 {
460 /* Common case: quick path */
461 attributes->core.type = type;
462 }
463 else
464 {
465 /* Call the bigger function to free the old domain paramteres.
466 * Ignore any errors which may arise due to type requiring
467 * non-default domain parameters, since this function can't
468 * report errors. */
469 (void) psa_set_key_domain_parameters( attributes, type, NULL, 0 );
470 }
471 }
472
psa_get_key_type(const psa_key_attributes_t * attributes)473 static inline psa_key_type_t psa_get_key_type(
474 const psa_key_attributes_t *attributes)
475 {
476 return( attributes->core.type );
477 }
478
psa_set_key_bits(psa_key_attributes_t * attributes,size_t bits)479 static inline void psa_set_key_bits(psa_key_attributes_t *attributes,
480 size_t bits)
481 {
482 if( bits > PSA_MAX_KEY_BITS )
483 attributes->core.bits = PSA_KEY_BITS_TOO_LARGE;
484 else
485 attributes->core.bits = (psa_key_bits_t) bits;
486 }
487
psa_get_key_bits(const psa_key_attributes_t * attributes)488 static inline size_t psa_get_key_bits(
489 const psa_key_attributes_t *attributes)
490 {
491 return( attributes->core.bits );
492 }
493
494 #ifdef __cplusplus
495 }
496 #endif
497
498 #endif /* PSA_CRYPTO_STRUCT_H */
499