gen/doxy/lib_2crypto_2impl_2hmac_8c_source.html

// Copyright lowRISC contributors (OpenTitan project).

// Licensed under the Apache License, Version 2.0, see LICENSE for details.

// SPDX-License-Identifier: Apache-2.0


#include "sw/device/lib/crypto/include/hmac.h"


#include "sw/device/lib/base/hardened_memory.h"

#include "sw/device/lib/crypto/drivers/hmac.h"

#include "sw/device/lib/crypto/impl/integrity.h"

#include "sw/device/lib/crypto/impl/keyblob.h"

#include "sw/device/lib/crypto/impl/status.h"

#include "sw/device/lib/crypto/include/hash.h"


// Module ID for status codes.

#define MODULE_ID MAKE_MODULE_ID('h', 'm', 'c')


/**

 * Ensure that the hash context is large enough for HMAC driver struct.

 */

static_assert(

    sizeof(otcrypto_hmac_context_t) >= sizeof(hmac_ctx_t),

    "`otcrypto_hash_context_t` must be big enough to hold `hmac_ctx_t`.");


/**

 * Ensure that HMAC driver struct is suitable for `hardened_memcpy()`.

 */

static_assert(sizeof(hmac_ctx_t) % sizeof(uint32_t) == 0,

              "Size of `hmac_ctx_t` must be a multiple of the word size for "

              "`hardened_memcpy()`");


/**

 * Save the internal HMAC driver context to a generic Hmac context.

 *

 * @param[out] ctx Generic hash context to copy to.

 * @param hmac_ctx The internal context object from HMAC driver.

 */

static void hmac_ctx_save(otcrypto_hmac_context_t *restrict ctx,

                          const hmac_ctx_t *restrict hmac_ctx) {

  // As per the `hardened_memcpy()` documentation, it is OK to cast to

  // `uint32_t *` here as long as `state` is word-aligned, which it must be

  // because all its fields are.

  hardened_memcpy(ctx->data, (uint32_t *)hmac_ctx,

                  sizeof(hmac_ctx_t) / sizeof(uint32_t));

}


/**

 * Restore an internal HMAC driver context from a generic Hmac context.

 *

 * @param ctx Generic hash context to restore from.

 * @param[out] hmac_ctx Destination HMAC driver context object.

 */

static void hmac_ctx_restore(const otcrypto_hmac_context_t *restrict ctx,

                             hmac_ctx_t *restrict hmac_ctx) {

  // As per the `hardened_memcpy()` documentation, it is OK to cast to

  // `uint32_t *` here as long as `state` is word-aligned, which it must be

  // because all its fields are.

  hardened_memcpy((uint32_t *)hmac_ctx, ctx->data,

                  sizeof(hmac_ctx_t) / sizeof(uint32_t));

}


/**

 * For given `key_mode`, return the corresponding driver-level `hmac_mode` and

 * `block_size`. `block_size` is the internal block size of the hash function

 * implied by `hash_mode`, and its unit is words.

 *

 * This function must only be used with HMAC key modes, otherwise an error

 * is returned.

 *

 * @param key_mode The input key mode.

 * @param[out] hmac_mode HMAC driver-level equivalent of `key_mode`.

 * @param[out] block_size The internal block size of the hash function

 * associated with `hmac_mode`.

 * @return Result of the operation.

 */

static status_t get_hmac_mode(otcrypto_key_mode_t key_mode,

                              hmac_mode_t *hmac_mode, size_t *block_size) {

  switch (key_mode) {

    case kOtcryptoKeyModeHmacSha256:

      *hmac_mode = kHmacModeHmac256;

      *block_size = kHmacSha256BlockWords;

      break;

    case kOtcryptoKeyModeHmacSha384:

      *hmac_mode = kHmacModeHmac384;

      // Note that HMAC-384 and HMAC-512 have the same internal block size.

      *block_size = kHmacSha512BlockWords;

      break;

    case kOtcryptoKeyModeHmacSha512:

      *hmac_mode = kHmacModeHmac512;

      *block_size = kHmacSha512BlockWords;

      break;

    default:

      return OTCRYPTO_BAD_ARGS;

  }

  return OTCRYPTO_OK;

}


/**

 * Pad or hash HMAC key to full block. I.e. compute K0 as defined in FIPS 198-1,

 * Section 4, Steps 1-3.

 *

 * For HMAC-256, `processed_key` is 512 bits, and for HMAC-384/512,

 * `processed_key` is 1024 bits.

 *

 * The caller must allocate `processed_key` buffer with internal block size.

 *

 * @param key The blinded input key.

 * @param[out] processed_key Padding/hashed key whose size matches the internal

 * block size of the hash function.

 * @return Result of the operation.

 */

static status_t hmac_key_process(const otcrypto_blinded_key_t *key,

                                 uint32_t *processed_key) {

  otcrypto_hash_mode_t hash_mode;

  size_t block_size;

  size_t digest_size;

  switch (key->config.key_mode) {

    case kOtcryptoKeyModeHmacSha256:

      hash_mode = kOtcryptoHashModeSha256;

      block_size = kHmacSha256BlockWords;

      digest_size = kHmacSha256DigestWords;

      break;

    case kOtcryptoKeyModeHmacSha384:

      hash_mode = kOtcryptoHashModeSha384;

      // Note that HMAC-384 and HMAC-512 have the same internal block size.

      block_size = kHmacSha512BlockWords;

      digest_size = kHmacSha384DigestWords;

      break;

    case kOtcryptoKeyModeHmacSha512:

      hash_mode = kOtcryptoHashModeSha512;

      block_size = kHmacSha512BlockWords;

      digest_size = kHmacSha512DigestWords;

      break;

    default:

      return OTCRYPTO_BAD_ARGS;

  }


  // HMAC HWIP does not support masking, so we need to unmask the key.

  size_t unmasked_key_len = keyblob_share_num_words(key->config);

  uint32_t unmasked_key[unmasked_key_len];

  HARDENED_TRY(keyblob_key_unmask(key, unmasked_key_len, unmasked_key));


  // Pre-populate with 0s, in order to pad keys smaller than the internal

  // block size, according to FIPS 198-1, Section 4.

  memset(processed_key, 0, block_size * sizeof(uint32_t));

  // If the key is larger than the internal block size, we need to hash it

  // according to FIPS 198-1, Section 4, Step 2.

  if (key->config.key_length > block_size * sizeof(uint32_t)) {

    otcrypto_hash_digest_t key_digest = {

        .mode = hash_mode,

        .data = processed_key,

        .len = digest_size,

    };

    otcrypto_const_byte_buf_t msg_buf = {

        .len = key->config.key_length,

        .data = (unsigned char *)unmasked_key,

    };

    HARDENED_TRY(otcrypto_hash(msg_buf, key_digest));

  } else {

    hardened_memcpy(processed_key, unmasked_key, unmasked_key_len);

    // If the key size isn't a multiple of the word size, zero the last few

    // bytes.

    size_t offset = key->config.key_length % sizeof(uint32_t);

    if (offset != 0) {

      unsigned char *key_end_ptr =

          (unsigned char *)&processed_key[unmasked_key_len];

      size_t num_zero_bytes = sizeof(uint32_t) - offset;

      memset(key_end_ptr - num_zero_bytes, 0, num_zero_bytes);

    }

  }

  return OTCRYPTO_OK;

}


OT_WARN_UNUSED_RESULT

otcrypto_status_t otcrypto_hmac(const otcrypto_blinded_key_t *key,

                                otcrypto_const_byte_buf_t input_message,

                                otcrypto_word32_buf_t tag) {

  // Validate key struct.

  if (key == NULL || key->keyblob == NULL || tag.data == NULL) {

    return OTCRYPTO_BAD_ARGS;

  }


  // HMAC HWIP is not masked and it does not have sideload support, so the

  // following conditions return not implemented.

  if (key->config.hw_backed != kHardenedBoolFalse) {

    return OTCRYPTO_NOT_IMPLEMENTED;

  }

  if (key->config.security_level != kOtcryptoKeySecurityLevelLow) {

    return OTCRYPTO_NOT_IMPLEMENTED;

  }


  // Check for null input message with nonzero length.

  if (input_message.data == NULL && input_message.len != 0) {

    return OTCRYPTO_BAD_ARGS;

  }


  hmac_mode_t hmac_mode;

  size_t block_size;

  HARDENED_TRY(get_hmac_mode(key->config.key_mode, &hmac_mode, &block_size));


  uint32_t processed_key[block_size];

  HARDENED_TRY(hmac_key_process(key, processed_key));


  return hmac(hmac_mode, processed_key, block_size, input_message.data,

              input_message.len, tag.data, tag.len);

}


otcrypto_status_t otcrypto_hmac_init(otcrypto_hmac_context_t *ctx,

                                     const otcrypto_blinded_key_t *key) {

  if (ctx == NULL || key == NULL || key->keyblob == NULL) {

    return OTCRYPTO_BAD_ARGS;

  }

  if (key->config.hw_backed != kHardenedBoolFalse) {

    // TODO(#15590): Add support for sideloaded keys via a custom OTBN program.

    return OTCRYPTO_NOT_IMPLEMENTED;

  }

  if (key->config.security_level != kOtcryptoKeySecurityLevelLow) {

    // TODO: Harden SHA2 implementations.

    return OTCRYPTO_NOT_IMPLEMENTED;

  }


  // Ensure the key is for HMAC and the hash function matches, and remember the

  // digest and message block sizes.

  hmac_mode_t hmac_mode;

  size_t block_size;

  HARDENED_TRY(get_hmac_mode(key->config.key_mode, &hmac_mode, &block_size));


  uint32_t processed_key[block_size];

  HARDENED_TRY(hmac_key_process(key, processed_key));


  hmac_ctx_t hmac_ctx;

  HARDENED_TRY(hmac_init(&hmac_ctx, hmac_mode, processed_key, block_size));

  hmac_ctx_save(ctx, &hmac_ctx);

  return OTCRYPTO_OK;

}


otcrypto_status_t otcrypto_hmac_update(

    otcrypto_hmac_context_t *const ctx,

    otcrypto_const_byte_buf_t input_message) {

  if (ctx == NULL) {

    return OTCRYPTO_BAD_ARGS;

  }


  // Check for null input message with nonzero length.

  if (input_message.data == NULL && input_message.len != 0) {

    return OTCRYPTO_BAD_ARGS;

  }


  hmac_ctx_t hmac_ctx;

  hmac_ctx_restore(ctx, &hmac_ctx);

  HARDENED_TRY(hmac_update(&hmac_ctx, input_message.data, input_message.len));

  hmac_ctx_save(ctx, &hmac_ctx);

  return OTCRYPTO_OK;

}


otcrypto_status_t otcrypto_hmac_final(otcrypto_hmac_context_t *const ctx,

                                      otcrypto_word32_buf_t tag) {

  if (ctx == NULL || tag.data == NULL) {

    return OTCRYPTO_BAD_ARGS;

  }


  hmac_ctx_t hmac_ctx;

  hmac_ctx_restore(ctx, &hmac_ctx);

  HARDENED_TRY(hmac_final(&hmac_ctx, tag.data, tag.len));

  // TODO(#23191): Clear `ctx`.

  hmac_ctx_save(ctx, &hmac_ctx);

  return OTCRYPTO_OK;

}