/*
* Copyright 2014 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "hmac_operation.h"
#include <keymaster/new>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <keymaster/km_openssl/hmac_key.h>
#include <keymaster/km_openssl/openssl_err.h>
#include <keymaster/km_openssl/openssl_utils.h>
#if defined(OPENSSL_IS_BORINGSSL)
#include <openssl/mem.h>
typedef size_t openssl_size_t;
#else
typedef int openssl_size_t;
#endif
namespace keymaster {
OperationPtr HmacOperationFactory::CreateOperation(Key&& key, const AuthorizationSet& begin_params,
keymaster_error_t* error) {
uint32_t min_mac_length_bits;
if (!key.authorizations().GetTagValue(TAG_MIN_MAC_LENGTH, &min_mac_length_bits)) {
LOG_E("HMAC key must have KM_TAG_MIN_MAC_LENGTH", 0);
*error = KM_ERROR_INVALID_KEY_BLOB;
return nullptr;
}
uint32_t mac_length_bits = UINT32_MAX;
if (begin_params.GetTagValue(TAG_MAC_LENGTH, &mac_length_bits)) {
if (purpose() == KM_PURPOSE_VERIFY) {
LOG_E("MAC length may not be specified for verify", 0);
*error = KM_ERROR_INVALID_ARGUMENT;
return nullptr;
}
} else {
if (purpose() == KM_PURPOSE_SIGN) {
*error = KM_ERROR_MISSING_MAC_LENGTH;
return nullptr;
}
}
keymaster_digest_t digest;
if (!key.authorizations().GetTagValue(TAG_DIGEST, &digest)) {
LOG_E("%d digests found in HMAC key authorizations; must be exactly 1",
begin_params.GetTagCount(TAG_DIGEST));
*error = KM_ERROR_INVALID_KEY_BLOB;
return nullptr;
}
UniquePtr<HmacOperation> op(new (std::nothrow) HmacOperation(
move(key), purpose(), digest, mac_length_bits / 8, min_mac_length_bits / 8));
if (!op.get())
*error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
else
*error = op->error();
if (*error != KM_ERROR_OK) return nullptr;
return op;
}
static keymaster_digest_t supported_digests[] = {KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384,
KM_DIGEST_SHA_2_512};
const keymaster_digest_t* HmacOperationFactory::SupportedDigests(size_t* digest_count) const {
*digest_count = array_length(supported_digests);
return supported_digests;
}
HmacOperation::HmacOperation(Key&& key, keymaster_purpose_t purpose, keymaster_digest_t digest,
size_t mac_length, size_t min_mac_length)
: Operation(purpose, key.hw_enforced_move(), key.sw_enforced_move()), error_(KM_ERROR_OK),
mac_length_(mac_length), min_mac_length_(min_mac_length) {
// Initialize CTX first, so dtor won't crash even if we error out later.
HMAC_CTX_init(&ctx_);
const EVP_MD* md = nullptr;
switch (digest) {
case KM_DIGEST_NONE:
case KM_DIGEST_MD5:
error_ = KM_ERROR_UNSUPPORTED_DIGEST;
break;
case KM_DIGEST_SHA1:
md = EVP_sha1();
break;
case KM_DIGEST_SHA_2_224:
md = EVP_sha224();
break;
case KM_DIGEST_SHA_2_256:
md = EVP_sha256();
break;
case KM_DIGEST_SHA_2_384:
md = EVP_sha384();
break;
case KM_DIGEST_SHA_2_512:
md = EVP_sha512();
break;
}
if (md == nullptr) {
error_ = KM_ERROR_UNSUPPORTED_DIGEST;
return;
}
if (purpose == KM_PURPOSE_SIGN) {
if (mac_length > EVP_MD_size(md) || mac_length < kMinHmacLengthBits / 8) {
error_ = KM_ERROR_UNSUPPORTED_MAC_LENGTH;
return;
}
if (mac_length < min_mac_length) {
error_ = KM_ERROR_INVALID_MAC_LENGTH;
return;
}
}
KeymasterKeyBlob blob = key.key_material_move();
HMAC_Init_ex(&ctx_, blob.key_material, blob.key_material_size, md, NULL /* engine */);
}
HmacOperation::~HmacOperation() {
HMAC_CTX_cleanup(&ctx_);
}
keymaster_error_t HmacOperation::Begin(const AuthorizationSet& /* input_params */,
AuthorizationSet* /* output_params */) {
auto rc = GenerateRandom(reinterpret_cast<uint8_t*>(&operation_handle_),
(size_t)sizeof(operation_handle_));
if (rc != KM_ERROR_OK) return rc;
return error_;
}
keymaster_error_t HmacOperation::Update(const AuthorizationSet& /* additional_params */,
const Buffer& input, AuthorizationSet* /* output_params */,
Buffer* /* output */, size_t* input_consumed) {
if (!HMAC_Update(&ctx_, input.peek_read(), input.available_read()))
return TranslateLastOpenSslError();
*input_consumed = input.available_read();
return KM_ERROR_OK;
}
keymaster_error_t HmacOperation::Abort() {
return KM_ERROR_OK;
}
keymaster_error_t HmacOperation::Finish(const AuthorizationSet& additional_params,
const Buffer& input, const Buffer& signature,
AuthorizationSet* /* output_params */, Buffer* output) {
keymaster_error_t error = UpdateForFinish(additional_params, input);
if (error != KM_ERROR_OK) return error;
uint8_t digest[EVP_MAX_MD_SIZE];
unsigned int digest_len;
if (!HMAC_Final(&ctx_, digest, &digest_len)) return TranslateLastOpenSslError();
switch (purpose()) {
case KM_PURPOSE_SIGN:
if (mac_length_ > digest_len) return KM_ERROR_UNSUPPORTED_MAC_LENGTH;
if (!output->reserve(mac_length_) || !output->write(digest, mac_length_))
return KM_ERROR_MEMORY_ALLOCATION_FAILED;
return KM_ERROR_OK;
case KM_PURPOSE_VERIFY: {
size_t siglen = signature.available_read();
if (siglen > digest_len || siglen < kMinHmacLengthBits / 8)
return KM_ERROR_UNSUPPORTED_MAC_LENGTH;
if (siglen < min_mac_length_) return KM_ERROR_INVALID_MAC_LENGTH;
if (CRYPTO_memcmp(signature.peek_read(), digest, siglen) != 0)
return KM_ERROR_VERIFICATION_FAILED;
return KM_ERROR_OK;
}
default:
return KM_ERROR_UNSUPPORTED_PURPOSE;
}
}
} // namespace keymaster