hmac_operation.cpp 6.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194
  1. /*
  2. * Copyright 2014 The Android Open Source Project
  3. *
  4. * Licensed under the Apache License, Version 2.0 (the "License");
  5. * you may not use this file except in compliance with the License.
  6. * You may obtain a copy of the License at
  7. *
  8. * http://www.apache.org/licenses/LICENSE-2.0
  9. *
  10. * Unless required by applicable law or agreed to in writing, software
  11. * distributed under the License is distributed on an "AS IS" BASIS,
  12. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. * See the License for the specific language governing permissions and
  14. * limitations under the License.
  15. */
  16. #include "hmac_operation.h"
  17. #include <keymaster/new>
  18. #include <openssl/evp.h>
  19. #include <openssl/hmac.h>
  20. #include <keymaster/km_openssl/hmac_key.h>
  21. #include <keymaster/km_openssl/openssl_err.h>
  22. #include <keymaster/km_openssl/openssl_utils.h>
  23. #if defined(OPENSSL_IS_BORINGSSL)
  24. #include <openssl/mem.h>
  25. typedef size_t openssl_size_t;
  26. #else
  27. typedef int openssl_size_t;
  28. #endif
  29. namespace keymaster {
  30. OperationPtr HmacOperationFactory::CreateOperation(Key&& key, const AuthorizationSet& begin_params,
  31. keymaster_error_t* error) const {
  32. uint32_t min_mac_length_bits;
  33. if (!key.authorizations().GetTagValue(TAG_MIN_MAC_LENGTH, &min_mac_length_bits)) {
  34. LOG_E("HMAC key must have KM_TAG_MIN_MAC_LENGTH", 0);
  35. *error = KM_ERROR_INVALID_KEY_BLOB;
  36. return nullptr;
  37. }
  38. uint32_t mac_length_bits = UINT32_MAX;
  39. if (begin_params.GetTagValue(TAG_MAC_LENGTH, &mac_length_bits)) {
  40. if (purpose() == KM_PURPOSE_VERIFY) {
  41. LOG_E("MAC length may not be specified for verify", 0);
  42. *error = KM_ERROR_INVALID_ARGUMENT;
  43. return nullptr;
  44. }
  45. } else {
  46. if (purpose() == KM_PURPOSE_SIGN) {
  47. *error = KM_ERROR_MISSING_MAC_LENGTH;
  48. return nullptr;
  49. }
  50. }
  51. keymaster_digest_t digest;
  52. if (!key.authorizations().GetTagValue(TAG_DIGEST, &digest)) {
  53. LOG_E("%d digests found in HMAC key authorizations; must be exactly 1",
  54. begin_params.GetTagCount(TAG_DIGEST));
  55. *error = KM_ERROR_INVALID_KEY_BLOB;
  56. return nullptr;
  57. }
  58. UniquePtr<HmacOperation> op(new (std::nothrow) HmacOperation(
  59. move(key), purpose(), digest, mac_length_bits / 8, min_mac_length_bits / 8));
  60. if (!op.get())
  61. *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
  62. else
  63. *error = op->error();
  64. if (*error != KM_ERROR_OK) return nullptr;
  65. return move(op);
  66. }
  67. static keymaster_digest_t supported_digests[] = {KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
  68. KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384,
  69. KM_DIGEST_SHA_2_512};
  70. const keymaster_digest_t* HmacOperationFactory::SupportedDigests(size_t* digest_count) const {
  71. *digest_count = array_length(supported_digests);
  72. return supported_digests;
  73. }
  74. HmacOperation::HmacOperation(Key&& key, keymaster_purpose_t purpose, keymaster_digest_t digest,
  75. size_t mac_length, size_t min_mac_length)
  76. : Operation(purpose, key.hw_enforced_move(), key.sw_enforced_move()), error_(KM_ERROR_OK),
  77. mac_length_(mac_length), min_mac_length_(min_mac_length) {
  78. // Initialize CTX first, so dtor won't crash even if we error out later.
  79. HMAC_CTX_init(&ctx_);
  80. const EVP_MD* md = nullptr;
  81. switch (digest) {
  82. case KM_DIGEST_NONE:
  83. case KM_DIGEST_MD5:
  84. error_ = KM_ERROR_UNSUPPORTED_DIGEST;
  85. break;
  86. case KM_DIGEST_SHA1:
  87. md = EVP_sha1();
  88. break;
  89. case KM_DIGEST_SHA_2_224:
  90. md = EVP_sha224();
  91. break;
  92. case KM_DIGEST_SHA_2_256:
  93. md = EVP_sha256();
  94. break;
  95. case KM_DIGEST_SHA_2_384:
  96. md = EVP_sha384();
  97. break;
  98. case KM_DIGEST_SHA_2_512:
  99. md = EVP_sha512();
  100. break;
  101. }
  102. if (md == nullptr) {
  103. error_ = KM_ERROR_UNSUPPORTED_DIGEST;
  104. return;
  105. }
  106. if (purpose == KM_PURPOSE_SIGN) {
  107. if (mac_length > EVP_MD_size(md) || mac_length < kMinHmacLengthBits / 8) {
  108. error_ = KM_ERROR_UNSUPPORTED_MAC_LENGTH;
  109. return;
  110. }
  111. if (mac_length < min_mac_length) {
  112. error_ = KM_ERROR_INVALID_MAC_LENGTH;
  113. return;
  114. }
  115. }
  116. KeymasterKeyBlob blob = key.key_material_move();
  117. HMAC_Init_ex(&ctx_, blob.key_material, blob.key_material_size, md, nullptr /* engine */);
  118. }
  119. HmacOperation::~HmacOperation() {
  120. HMAC_CTX_cleanup(&ctx_);
  121. }
  122. keymaster_error_t HmacOperation::Begin(const AuthorizationSet& /* input_params */,
  123. AuthorizationSet* /* output_params */) {
  124. auto rc = GenerateRandom(reinterpret_cast<uint8_t*>(&operation_handle_),
  125. (size_t)sizeof(operation_handle_));
  126. if (rc != KM_ERROR_OK) return rc;
  127. return error_;
  128. }
  129. keymaster_error_t HmacOperation::Update(const AuthorizationSet& /* additional_params */,
  130. const Buffer& input, AuthorizationSet* /* output_params */,
  131. Buffer* /* output */, size_t* input_consumed) {
  132. if (!HMAC_Update(&ctx_, input.peek_read(), input.available_read()))
  133. return TranslateLastOpenSslError();
  134. *input_consumed = input.available_read();
  135. return KM_ERROR_OK;
  136. }
  137. keymaster_error_t HmacOperation::Abort() {
  138. return KM_ERROR_OK;
  139. }
  140. keymaster_error_t HmacOperation::Finish(const AuthorizationSet& additional_params,
  141. const Buffer& input, const Buffer& signature,
  142. AuthorizationSet* /* output_params */, Buffer* output) {
  143. keymaster_error_t error = UpdateForFinish(additional_params, input);
  144. if (error != KM_ERROR_OK) return error;
  145. uint8_t digest[EVP_MAX_MD_SIZE];
  146. unsigned int digest_len;
  147. if (!HMAC_Final(&ctx_, digest, &digest_len)) return TranslateLastOpenSslError();
  148. switch (purpose()) {
  149. case KM_PURPOSE_SIGN:
  150. if (mac_length_ > digest_len) return KM_ERROR_UNSUPPORTED_MAC_LENGTH;
  151. if (!output->reserve(mac_length_) || !output->write(digest, mac_length_))
  152. return KM_ERROR_MEMORY_ALLOCATION_FAILED;
  153. return KM_ERROR_OK;
  154. case KM_PURPOSE_VERIFY: {
  155. size_t siglen = signature.available_read();
  156. if (siglen > digest_len || siglen < kMinHmacLengthBits / 8)
  157. return KM_ERROR_UNSUPPORTED_MAC_LENGTH;
  158. if (siglen < min_mac_length_) return KM_ERROR_INVALID_MAC_LENGTH;
  159. if (CRYPTO_memcmp(signature.peek_read(), digest, siglen) != 0)
  160. return KM_ERROR_VERIFICATION_FAILED;
  161. return KM_ERROR_OK;
  162. }
  163. default:
  164. return KM_ERROR_UNSUPPORTED_PURPOSE;
  165. }
  166. }
  167. } // namespace keymaster