openharmony/security_huks
1
0
Fork 0
mirror of https://gitee.com/openharmony/security_huks synced 2024-11-27 00:40:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

mini平台新增接口,3DES、DES、RSA问题修改

Browse Source 
Signed-off-by: 绫地宁宁 <756090608@qq.com>
This commit is contained in:
绫地宁宁 2024-10-09 09:04:49 +08:00
parent 2c4998edaa
commit 12fc0638b8
11 changed files with 204 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
frameworks/huks_standard/main/common/include/hks_config_lite_wearable.h
View File

@ -51,6 +51,7 @@
/* HMAC */ /* HMAC */
#define HKS_SUPPORT_HMAC_C #define HKS_SUPPORT_HMAC_C
#define HKS_SUPPORT_HMAC_GENERATE_KEY
#define HKS_SUPPORT_HMAC_SHA256 #define HKS_SUPPORT_HMAC_SHA256
#define HKS_SUPPORT_HMAC_SHA384 #define HKS_SUPPORT_HMAC_SHA384
#define HKS_SUPPORT_HMAC_SHA512 #define HKS_SUPPORT_HMAC_SHA512

13
frameworks/huks_standard/main/common/include/hks_crypto_hal.h
View File

@ -143,11 +143,11 @@ typedef int32_t (*HmacUpdate)(void *, const struct HksBlob *);
typedef int32_t (*HmacFinal)(void **, const struct HksBlob *, struct HksBlob *); typedef int32_t (*HmacFinal)(void **, const struct HksBlob *, struct HksBlob *);
typedef int32_t (*CmacInit)(void **, const struct HksBlob *, uint32_t); typedef int32_t (*CmacInit)(void **, const struct HksBlob *, const struct HksUsageSpec *);
typedef int32_t (*CmacUpdate)(void *, const struct HksBlob *); typedef int32_t (*CmacUpdate)(void *, const struct HksBlob *, const struct HksUsageSpec *);
typedef int32_t (*CmacFinal)(void **, const struct HksBlob *, struct HksBlob *); typedef int32_t (*CmacFinal)(void **, const struct HksBlob *, struct HksBlob *, const struct HksUsageSpec *);
typedef int32_t (*Hash)(uint32_t, const struct HksBlob *, struct HksBlob *); typedef int32_t (*Hash)(uint32_t, const struct HksBlob *, struct HksBlob *);
@ -223,11 +223,12 @@ void HksCryptoHalHmacFreeCtx(void **ctx);
int32_t HksCryptoHalHmac(const struct HksBlob *key, uint32_t digestAlg, const struct HksBlob *msg, int32_t HksCryptoHalHmac(const struct HksBlob *key, uint32_t digestAlg, const struct HksBlob *msg,
struct HksBlob *mac); struct HksBlob *mac);
int32_t HksCryptoHalCmacInit(const struct HksBlob *key, uint32_t digestAlg, void **ctx); int32_t HksCryptoHalCmacInit(const struct HksBlob *key, void **ctx, const struct HksUsageSpec *usageSpec);
int32_t HksCryptoHalCmacUpdate(const struct HksBlob *chunk, void *ctx); int32_t HksCryptoHalCmacUpdate(const struct HksBlob *chunk, void *ctx, const struct HksUsageSpec *usageSpec);
int32_t HksCryptoHalCmacFinal(const struct HksBlob *msg, void **ctx, struct HksBlob *mac); int32_t HksCryptoHalCmacFinal(
const struct HksBlob *msg, void **ctx, struct HksBlob *mac, const struct HksUsageSpec *usageSpec);
void HksCryptoHalCmacFreeCtx(void **ctx); void HksCryptoHalCmacFreeCtx(void **ctx);

22
frameworks/huks_standard/main/common/src/hks_crypto_adapter.c
View File

@ -184,22 +184,32 @@ static bool HksIsAlgorithmSm4(const struct HksParamSet *paramSet)
} }
#ifdef HKS_SUPPORT_3DES_C #ifdef HKS_SUPPORT_3DES_C
static bool HksIsAlgorithm3DES(const struct HksParamSet *paramSet) static bool HksIsNeedIv3DES(const struct HksParamSet *paramSet)
{ {
struct HksParam *algParam = NULL; struct HksParam *algParam = NULL;
int32_t ret = HksGetParam(paramSet, HKS_TAG_ALGORITHM, &algParam); int32_t ret = HksGetParam(paramSet, HKS_TAG_ALGORITHM, &algParam);
HKS_IF_NOT_SUCC_LOGE_RETURN(ret, false, "check 3DES get alg param failed!") HKS_IF_NOT_SUCC_LOGE_RETURN(ret, false, "check 3DES get alg param failed!")
return (algParam->uint32Param == HKS_ALG_3DES);
struct HksParam *modeParam = NULL;
ret = HksGetParam(paramSet, HKS_TAG_BLOCKMODE, &modeParam);
HKS_IF_NOT_SUCC_LOGE_RETURN(ret, false, "check 3DES get block mode param failed!")
return ((algParam->uint32Param == HKS_ALG_3DES) && (modeParam->uint32Param == HKS_MODE_CBC));
} }
#endif #endif
#ifdef HKS_SUPPORT_DES_C #ifdef HKS_SUPPORT_DES_C
static bool HksIsAlgorithmDES(const struct HksParamSet *paramSet) static bool HksIsNeedIvDES(const struct HksParamSet *paramSet)
{ {
struct HksParam *algParam = NULL; struct HksParam *algParam = NULL;
int32_t ret = HksGetParam(paramSet, HKS_TAG_ALGORITHM, &algParam); int32_t ret = HksGetParam(paramSet, HKS_TAG_ALGORITHM, &algParam);
HKS_IF_NOT_SUCC_LOGE_RETURN(ret, false, "check DES get alg param failed!") HKS_IF_NOT_SUCC_LOGE_RETURN(ret, false, "check DES get alg param failed!")
return (algParam->uint32Param == HKS_ALG_DES);
struct HksParam *modeParam = NULL;
ret = HksGetParam(paramSet, HKS_TAG_BLOCKMODE, &modeParam);
HKS_IF_NOT_SUCC_LOGE_RETURN(ret, false, "check DES get block mode param failed!")
return ((algParam->uint32Param == HKS_ALG_DES) && (modeParam->uint32Param == HKS_MODE_CBC));
} }
#endif #endif
@ -223,11 +233,11 @@ int32_t HksBuildCipherUsageSpec(
if (HksIsAlgorithmSm4(paramSet)) { // is sm4 if (HksIsAlgorithmSm4(paramSet)) { // is sm4
ret = HksFillIvParam(paramSet, usageSpec); ret = HksFillIvParam(paramSet, usageSpec);
#ifdef HKS_SUPPORT_3DES_C #ifdef HKS_SUPPORT_3DES_C
} else if (HksIsAlgorithm3DES(paramSet)) { // is 3des } else if (HksIsNeedIv3DES(paramSet)) { // is 3des
ret = HksFillIvParam(paramSet, usageSpec); ret = HksFillIvParam(paramSet, usageSpec);
#endif #endif
#ifdef HKS_SUPPORT_DES_C #ifdef HKS_SUPPORT_DES_C
} else if (HksIsAlgorithmDES(paramSet)) { // is des } else if (HksIsNeedIvDES(paramSet)) { // is des
ret = HksFillIvParam(paramSet, usageSpec); ret = HksFillIvParam(paramSet, usageSpec);
#endif #endif
} else if (!isAes) { // not sm4, not aes } else if (!isAes) { // not sm4, not aes

9
frameworks/huks_standard/main/crypto_engine/mbedtls/src/hks_mbedtls_3des.c
View File

@ -133,6 +133,14 @@ static int32_t Des3CbcNoPaddingCryptInit(
return HKS_ERROR_CRYPTO_ENGINE_ERROR; return HKS_ERROR_CRYPTO_ENGINE_ERROR;
} }
struct HksCipherParam *iv = (struct HksCipherParam *)(usageSpec->algParam);
if (iv->iv.size != HKS_3DES_CBC_NOPADDING_IV_SIZE) {
HKS_LOG_E("initialize iv fail");
mbedtls_des3_free(ctx);
HKS_FREE(ctx);
return HKS_ERROR_INVALID_IV;
}
struct HksMbedtls3DesCtx *outCtx = (struct HksMbedtls3DesCtx *)HksMalloc(sizeof(struct HksMbedtls3DesCtx)); struct HksMbedtls3DesCtx *outCtx = (struct HksMbedtls3DesCtx *)HksMalloc(sizeof(struct HksMbedtls3DesCtx));
if (outCtx == NULL) { if (outCtx == NULL) {
HKS_LOG_E("initialize outCtx fail"); HKS_LOG_E("initialize outCtx fail");
@ -144,7 +152,6 @@ static int32_t Des3CbcNoPaddingCryptInit(
outCtx->append = (void *)ctx; outCtx->append = (void *)ctx;
outCtx->mode = usageSpec->mode; outCtx->mode = usageSpec->mode;
outCtx->padding = usageSpec->padding; outCtx->padding = usageSpec->padding;
struct HksCipherParam *iv = (struct HksCipherParam *)(usageSpec->algParam);
(void)memcpy_s(outCtx->iv, HKS_3DES_CBC_NOPADDING_IV_SIZE, iv->iv.data, HKS_3DES_CBC_NOPADDING_IV_SIZE); (void)memcpy_s(outCtx->iv, HKS_3DES_CBC_NOPADDING_IV_SIZE, iv->iv.data, HKS_3DES_CBC_NOPADDING_IV_SIZE);
*cryptoCtx = (void *)outCtx; *cryptoCtx = (void *)outCtx;

9
frameworks/huks_standard/main/crypto_engine/mbedtls/src/hks_mbedtls_aes.c
View File

@ -160,6 +160,14 @@ static int32_t AesCbcNoPaddingCryptInit(void **cryptoCtx, const struct HksBlob *
return HKS_ERROR_CRYPTO_ENGINE_ERROR; return HKS_ERROR_CRYPTO_ENGINE_ERROR;
} }
struct HksCipherParam *iv = (struct HksCipherParam *)(usageSpec->algParam);
if (iv->iv.size != HKS_AES_CBC_NOPADDING_IV_SIZE) {
HKS_LOG_E("initialize iv fail");
mbedtls_aes_free(ctx);
HKS_FREE(ctx);
return HKS_ERROR_INVALID_IV;
}
struct HksMbedtlsAesCtx *outCtx = (struct HksMbedtlsAesCtx *)HksMalloc(sizeof(HksMbedtlsAesCtx)); struct HksMbedtlsAesCtx *outCtx = (struct HksMbedtlsAesCtx *)HksMalloc(sizeof(HksMbedtlsAesCtx));
if (outCtx == NULL) { if (outCtx == NULL) {
HKS_LOG_E("initialize outCtx fail"); HKS_LOG_E("initialize outCtx fail");
@ -171,7 +179,6 @@ static int32_t AesCbcNoPaddingCryptInit(void **cryptoCtx, const struct HksBlob *
outCtx->append = (void *)ctx; outCtx->append = (void *)ctx;
outCtx->mode = usageSpec->mode; outCtx->mode = usageSpec->mode;
outCtx->padding = usageSpec->padding; outCtx->padding = usageSpec->padding;
struct HksCipherParam *iv = (struct HksCipherParam *)(usageSpec->algParam);
(void)memcpy_s(outCtx->iv, HKS_AES_CBC_NOPADDING_IV_SIZE, iv->iv.data, HKS_AES_CBC_NOPADDING_IV_SIZE); (void)memcpy_s(outCtx->iv, HKS_AES_CBC_NOPADDING_IV_SIZE, iv->iv.data, HKS_AES_CBC_NOPADDING_IV_SIZE);
*cryptoCtx = (void *)outCtx; *cryptoCtx = (void *)outCtx;

10
frameworks/huks_standard/main/crypto_engine/mbedtls/src/hks_mbedtls_des.c
View File

@ -122,6 +122,14 @@ static int32_t DesCbcNoPaddingCryptInit(
return HKS_ERROR_CRYPTO_ENGINE_ERROR; return HKS_ERROR_CRYPTO_ENGINE_ERROR;
} }
struct HksCipherParam *iv = (struct HksCipherParam *)(usageSpec->algParam);
if (iv->iv.size != HKS_DES_CBC_NOPADDING_IV_SIZE) {
HKS_LOG_E("initialize iv fail");
mbedtls_des_free(ctx);
HKS_FREE(ctx);
return HKS_ERROR_INVALID_IV;
}
struct HksMbedtlsDesCtx *outCtx = (struct HksMbedtlsDesCtx *)HksMalloc(sizeof(struct HksMbedtlsDesCtx)); struct HksMbedtlsDesCtx *outCtx = (struct HksMbedtlsDesCtx *)HksMalloc(sizeof(struct HksMbedtlsDesCtx));
if (outCtx == NULL) { if (outCtx == NULL) {
HKS_LOG_E("initialize outCtx fail"); HKS_LOG_E("initialize outCtx fail");
@ -133,8 +141,6 @@ static int32_t DesCbcNoPaddingCryptInit(
outCtx->append = (void *)ctx; outCtx->append = (void *)ctx;
outCtx->mode = usageSpec->mode; outCtx->mode = usageSpec->mode;
outCtx->padding = usageSpec->padding; outCtx->padding = usageSpec->padding;
struct HksCipherParam *iv = (struct HksCipherParam *)(usageSpec->algParam);
(void)memcpy_s(outCtx->iv, HKS_DES_CBC_NOPADDING_IV_SIZE, iv->iv.data, HKS_DES_CBC_NOPADDING_IV_SIZE); (void)memcpy_s(outCtx->iv, HKS_DES_CBC_NOPADDING_IV_SIZE, iv->iv.data, HKS_DES_CBC_NOPADDING_IV_SIZE);
*cryptoCtx = (void *)outCtx; *cryptoCtx = (void *)outCtx;

19
frameworks/huks_standard/main/crypto_engine/mbedtls/src/hks_mbedtls_engine.c
View File

@ -100,9 +100,9 @@ void HksCryptoHalHmacFreeCtx(void **ctx)
} }
#ifdef HKS_SUPPORT_CMAC_C #ifdef HKS_SUPPORT_CMAC_C
int32_t HksCryptoHalCmacInit(const struct HksBlob *key, uint32_t digestAlg, void **ctx) int32_t HksCryptoHalCmacInit(const struct HksBlob *key, void **ctx, const struct HksUsageSpec *usageSpec)
{ {
if (CheckBlob(key) != HKS_SUCCESS || ctx == NULL) { if (CheckBlob(key) != HKS_SUCCESS || ctx == NULL || usageSpec == NULL) {
HKS_LOG_E("Crypt Hal Cmac init msg is NULL"); HKS_LOG_E("Crypt Hal Cmac init msg is NULL");
return HKS_ERROR_INVALID_ARGUMENT; return HKS_ERROR_INVALID_ARGUMENT;
} }
@ -110,12 +110,12 @@ int32_t HksCryptoHalCmacInit(const struct HksBlob *key, uint32_t digestAlg, void
CmacInit func = (CmacInit)GetAbility(HKS_CRYPTO_ABILITY_CMAC_INIT); CmacInit func = (CmacInit)GetAbility(HKS_CRYPTO_ABILITY_CMAC_INIT);
HKS_IF_NULL_RETURN(func, HKS_ERROR_INVALID_ARGUMENT) HKS_IF_NULL_RETURN(func, HKS_ERROR_INVALID_ARGUMENT)
return func(ctx, key, digestAlg); return func(ctx, key, usageSpec);
} }
int32_t HksCryptoHalCmacUpdate(const struct HksBlob *chunk, void *ctx) int32_t HksCryptoHalCmacUpdate(const struct HksBlob *chunk, void *ctx, const struct HksUsageSpec *usageSpec)
{ {
if (CheckBlob(chunk) != HKS_SUCCESS || ctx == NULL) { if (CheckBlob(chunk) != HKS_SUCCESS || ctx == NULL || usageSpec == NULL) {
HKS_LOG_E("Crypt Hal Cmac update chunk is invalid param"); HKS_LOG_E("Crypt Hal Cmac update chunk is invalid param");
return HKS_ERROR_INVALID_ARGUMENT; return HKS_ERROR_INVALID_ARGUMENT;
} }
@ -123,12 +123,13 @@ int32_t HksCryptoHalCmacUpdate(const struct HksBlob *chunk, void *ctx)
CmacUpdate func = (CmacUpdate)GetAbility(HKS_CRYPTO_ABILITY_CMAC_UPDATE); CmacUpdate func = (CmacUpdate)GetAbility(HKS_CRYPTO_ABILITY_CMAC_UPDATE);
HKS_IF_NULL_RETURN(func, HKS_ERROR_INVALID_ARGUMENT) HKS_IF_NULL_RETURN(func, HKS_ERROR_INVALID_ARGUMENT)
return func(ctx, chunk); return func(ctx, chunk, usageSpec);
} }
int32_t HksCryptoHalCmacFinal(const struct HksBlob *msg, void **ctx, struct HksBlob *mac) int32_t HksCryptoHalCmacFinal(
const struct HksBlob *msg, void **ctx, struct HksBlob *mac, const struct HksUsageSpec *usageSpec)
{ {
if (msg == NULL || ctx == NULL || *ctx == NULL || CheckBlob(mac) != HKS_SUCCESS) { if (msg == NULL || ctx == NULL || *ctx == NULL || usageSpec == NULL || CheckBlob(mac) != HKS_SUCCESS) {
HKS_LOG_E("Crypt Hal Cmac final msg or mac is NULL"); HKS_LOG_E("Crypt Hal Cmac final msg or mac is NULL");
return HKS_ERROR_INVALID_ARGUMENT; return HKS_ERROR_INVALID_ARGUMENT;
} }
@ -136,7 +137,7 @@ int32_t HksCryptoHalCmacFinal(const struct HksBlob *msg, void **ctx, struct HksB
CmacFinal func = (CmacFinal)GetAbility(HKS_CRYPTO_ABILITY_CMAC_FINAL); CmacFinal func = (CmacFinal)GetAbility(HKS_CRYPTO_ABILITY_CMAC_FINAL);
HKS_IF_NULL_RETURN(func, HKS_ERROR_INVALID_ARGUMENT) HKS_IF_NULL_RETURN(func, HKS_ERROR_INVALID_ARGUMENT)
return func(ctx, msg, mac); return func(ctx, msg, mac, usageSpec);
} }
void HksCryptoHalCmacFreeCtx(void **ctx) void HksCryptoHalCmacFreeCtx(void **ctx)

83
frameworks/huks_standard/main/crypto_engine/mbedtls/src/hks_mbedtls_rsa.c
View File

@ -34,6 +34,7 @@
#include "hks_log.h" #include "hks_log.h"
#include "hks_mbedtls_common.h" #include "hks_mbedtls_common.h"
#include "hks_common_check.h"
#include "hks_mem.h" #include "hks_mem.h"
#include "hks_template.h" #include "hks_template.h"
@ -42,6 +43,13 @@
#define MBEDTLS_RSA_PUBLIC 0 #define MBEDTLS_RSA_PUBLIC 0
#define MBEDTLS_RSA_PRIVATE 1 #define MBEDTLS_RSA_PRIVATE 1
#define HKS_RSA_KEYSIZE_CNT 8 #define HKS_RSA_KEYSIZE_CNT 8
#define MBEDTLS_RSA_PSS_DIGEST_NUM 2
typedef struct HksMbedtlsSignVerifyParam {
uint32_t mbedtlsAlg;
int32_t padding;
uint32_t pssSaltLen;
} HksMbedtlsSignVerifyParam;
static int32_t RsaCheckKeySize(const uint32_t keySize) static int32_t RsaCheckKeySize(const uint32_t keySize)
{ {
@ -384,6 +392,67 @@ static int32_t HksToMbedtlsSignPadding(uint32_t hksPadding, int32_t *padding)
return HKS_SUCCESS; return HKS_SUCCESS;
} }
static int32_t HksToMbedtlsRsaSetPssSaltLen(const struct HksBlob *key, const uint32_t digest,
const uint32_t hksPssSaltLen, HksMbedtlsSignVerifyParam *param)
{
const struct KeyMaterialRsa *keyMaterial = (struct KeyMaterialRsa *)(key->data);
uint32_t digestLen = 0;
int32_t ret = HksGetDigestLen(digest, &digestLen);
HKS_IF_NOT_SUCC_RETURN(ret, ret);
int32_t saltLen = 0;
switch (hksPssSaltLen) {
case HKS_RSA_PSS_SALTLEN_DIGEST:
saltLen = digestLen;
break;
case HKS_RSA_PSS_SALTLEN_MAX:
saltLen = (keyMaterial->keySize / HKS_BITS_PER_BYTE) - digestLen - MBEDTLS_RSA_PSS_DIGEST_NUM;
if (saltLen < 0) {
return HKS_ERROR_INVALID_KEY_SIZE;
}
break;
default:
return HKS_ERROR_NOT_SUPPORTED;
}
param->pssSaltLen = saltLen;
return HKS_SUCCESS;
}
static int32_t HksMbedtlsRsaSignHandle(mbedtls_rsa_context *ctx, mbedtls_ctr_drbg_context *ctrDrbg,
HksMbedtlsSignVerifyParam *signParam, const struct HksBlob *message, struct HksBlob *signature)
{
int32_t ret = HKS_SUCCESS;
if (signParam->padding == MBEDTLS_RSA_PKCS_V21) {
// 支持传入saltlen
ret = mbedtls_rsa_rsassa_pss_sign_ext(ctx, mbedtls_ctr_drbg_random, ctrDrbg,
(mbedtls_md_type_t)signParam->mbedtlsAlg, message->size, message->data, signParam->pssSaltLen,
signature->data);
} else {
ret = mbedtls_rsa_pkcs1_sign(ctx, mbedtls_ctr_drbg_random, ctrDrbg,
(mbedtls_md_type_t)signParam->mbedtlsAlg, message->size, message->data, signature->data);
}
return ret;
}
static int32_t HksMbedtlsRsaVerifyHandle(mbedtls_rsa_context *ctx, mbedtls_ctr_drbg_context *ctrDrbg,
HksMbedtlsSignVerifyParam *verifyParam, const struct HksBlob *message, struct HksBlob *signature)
{
int32_t ret = HKS_SUCCESS;
if (verifyParam->padding == MBEDTLS_RSA_PKCS_V21) {
// 支持传入saltlen
ret = mbedtls_rsa_rsassa_pss_verify_ext(ctx, (mbedtls_md_type_t)verifyParam->mbedtlsAlg,
message->size, message->data, (mbedtls_md_type_t)verifyParam->mbedtlsAlg, verifyParam->pssSaltLen,
signature->data);
} else {
ret = mbedtls_rsa_pkcs1_verify(ctx,
(mbedtls_md_type_t)verifyParam->mbedtlsAlg, message->size, message->data, signature->data);
}
return ret;
}
static int32_t HksMbedtlsRsaSignVerify(const struct HksBlob *key, const struct HksUsageSpec *usageSpec, static int32_t HksMbedtlsRsaSignVerify(const struct HksBlob *key, const struct HksUsageSpec *usageSpec,
const struct HksBlob *message, const bool sign, struct HksBlob *signature) const struct HksBlob *message, const bool sign, struct HksBlob *signature)
{ {
@ -404,16 +473,22 @@ static int32_t HksMbedtlsRsaSignVerify(const struct HksBlob *key, const struct H
mbedtls_rsa_context ctx; mbedtls_rsa_context ctx;
(void)memset_s(&ctx, sizeof(mbedtls_rsa_context), 0, sizeof(mbedtls_rsa_context)); (void)memset_s(&ctx, sizeof(mbedtls_rsa_context), 0, sizeof(mbedtls_rsa_context));
mbedtls_rsa_init(&ctx); mbedtls_rsa_init(&ctx);
mbedtls_rsa_set_padding(&ctx, padding, (mbedtls_md_type_t)mbedtlsAlg);
HksMbedtlsSignVerifyParam mbedtlsSignVerifyParam = { 0 };
if (padding == MBEDTLS_RSA_PKCS_V21) {
ret = HksToMbedtlsRsaSetPssSaltLen(key, usageSpec->digest, usageSpec->pssSaltLenType, &mbedtlsSignVerifyParam);
HKS_IF_NOT_SUCC_RETURN(ret, ret)
}
mbedtlsSignVerifyParam.mbedtlsAlg = mbedtlsAlg;
mbedtlsSignVerifyParam.padding = padding;
do { do {
ret = RsaKeyMaterialToCtx(key, sign, &ctx); /* sign need private exponent (d) */ ret = RsaKeyMaterialToCtx(key, sign, &ctx); /* sign need private exponent (d) */
HKS_IF_NOT_SUCC_BREAK(ret) HKS_IF_NOT_SUCC_BREAK(ret)
if (sign) { if (sign) {
ret = mbedtls_rsa_pkcs1_sign(&ctx, mbedtls_ctr_drbg_random, &ctrDrbg, ret = HksMbedtlsRsaSignHandle(&ctx, &ctrDrbg, &mbedtlsSignVerifyParam, message, signature);
(mbedtls_md_type_t)mbedtlsAlg, message->size, message->data, signature->data);
} else { } else {
ret = mbedtls_rsa_pkcs1_verify(&ctx, ret = HksMbedtlsRsaVerifyHandle(&ctx, &ctrDrbg, &mbedtlsSignVerifyParam, message, signature);
(mbedtls_md_type_t)mbedtlsAlg, message->size, message->data, signature->data);
} }
if (ret != HKS_MBEDTLS_SUCCESS) { if (ret != HKS_MBEDTLS_SUCCESS) {
HKS_LOG_E("Mbedtls rsa sign/verify failed! mbedtls ret = 0x%" LOG_PUBLIC "X", ret); HKS_LOG_E("Mbedtls rsa sign/verify failed! mbedtls ret = 0x%" LOG_PUBLIC "X", ret);

2
services/huks_standard/huks_engine/main/core/src/hks_auth.c
View File

@ -37,7 +37,7 @@ static uint32_t g_signVerifyEccPolicyTag[] = { HKS_TAG_ALGORITHM, HKS_TAG_DIGEST
static uint32_t g_signVerifyEd25519PolicyTag[] = { HKS_TAG_PURPOSE }; static uint32_t g_signVerifyEd25519PolicyTag[] = { HKS_TAG_PURPOSE };
static uint32_t g_macPolicyTag[] = { HKS_TAG_DIGEST, HKS_TAG_PURPOSE }; static uint32_t g_macPolicyTag[] = { HKS_TAG_DIGEST, HKS_TAG_PURPOSE };
static uint32_t g_macSm3PolicyTag[] = { HKS_TAG_ALGORITHM, HKS_TAG_DIGEST, HKS_TAG_PURPOSE }; static uint32_t g_macSm3PolicyTag[] = { HKS_TAG_ALGORITHM, HKS_TAG_DIGEST, HKS_TAG_PURPOSE };
static uint32_t g_macCmacPolicyTag[] = { HKS_TAG_ALGORITHM, HKS_TAG_PURPOSE }; static uint32_t g_macCmacPolicyTag[] = { HKS_TAG_BLOCK_MODE, HKS_TAG_PADDING, HKS_TAG_PURPOSE };
static uint32_t g_derivePolicyTag[] = { HKS_TAG_DIGEST, HKS_TAG_PURPOSE }; static uint32_t g_derivePolicyTag[] = { HKS_TAG_DIGEST, HKS_TAG_PURPOSE };
static uint32_t g_agreePolicyTag[] = { HKS_TAG_PURPOSE }; static uint32_t g_agreePolicyTag[] = { HKS_TAG_PURPOSE };

41
services/huks_standard/huks_engine/main/core/src/hks_core_service_three_stage.c
View File

@ -50,6 +50,7 @@
#define HKS_RSA_OAEP_DIGEST_NUM 2 #define HKS_RSA_OAEP_DIGEST_NUM 2
#define HKS_SM2_C1_LEN_NUM 2 #define HKS_SM2_C1_LEN_NUM 2
#define HKS_BLOCK_CIPHER_CBC_BLOCK_SIZE 16 #define HKS_BLOCK_CIPHER_CBC_BLOCK_SIZE 16
#define HKS_BLOCK_CIPHER_DES_CBC_BLOCK_SIZE 8
#define HKS_TEMP_SIZE 32 #define HKS_TEMP_SIZE 32
#define MAX_BUF_SIZE (5 * 1024 * 1024) #define MAX_BUF_SIZE (5 * 1024 * 1024)
#define HKS_AES_GCM_NONCE_LEN 12 #define HKS_AES_GCM_NONCE_LEN 12
@ -136,19 +137,23 @@ static int32_t CheckAesCipherAead(bool isEncrypt, const struct HksBlob *inData,
return HKS_SUCCESS; return HKS_SUCCESS;
} }
static int32_t CheckBlockCipherOther(uint32_t mode, bool isEncrypt, uint32_t padding, const struct HksBlob *inData, static int32_t CheckBlockCipherOther(uint32_t mode, bool isEncrypt, const struct HksUsageSpec *usageSpec,
const struct HksBlob *outData) const struct HksBlob *inData, const struct HksBlob *outData)
{ {
uint32_t paddingSize = 0; uint32_t paddingSize = 0;
if (isEncrypt) { if (isEncrypt) {
if (padding == HKS_PADDING_NONE) { uint32_t blockSize = HKS_BLOCK_CIPHER_CBC_BLOCK_SIZE;
if ((mode == HKS_MODE_CBC || mode == HKS_MODE_ECB) && inData->size % HKS_BLOCK_CIPHER_CBC_BLOCK_SIZE != 0) { if (usageSpec->algType == HKS_ALG_DES || usageSpec->algType == HKS_ALG_3DES) {
blockSize = HKS_BLOCK_CIPHER_DES_CBC_BLOCK_SIZE;
}
if (usageSpec->padding == HKS_PADDING_NONE) {
if ((mode == HKS_MODE_CBC || mode == HKS_MODE_ECB) && inData->size % blockSize != 0) {
HKS_LOG_E("encrypt cbc or ecb no-padding, invalid inSize: %" LOG_PUBLIC "u", inData->size); HKS_LOG_E("encrypt cbc or ecb no-padding, invalid inSize: %" LOG_PUBLIC "u", inData->size);
return HKS_ERROR_INVALID_ARGUMENT; return HKS_ERROR_INVALID_ARGUMENT;
} }
} else { } else {
paddingSize = HKS_BLOCK_CIPHER_CBC_BLOCK_SIZE - inData->size % HKS_BLOCK_CIPHER_CBC_BLOCK_SIZE; paddingSize = blockSize - inData->size % blockSize;
if (inData->size > (UINT32_MAX - paddingSize)) { if (inData->size > (UINT32_MAX - paddingSize)) {
HKS_LOG_E("encrypt, invalid inData size: %" LOG_PUBLIC "u", inData->size); HKS_LOG_E("encrypt, invalid inData size: %" LOG_PUBLIC "u", inData->size);
return HKS_ERROR_INVALID_ARGUMENT; return HKS_ERROR_INVALID_ARGUMENT;
@ -173,7 +178,6 @@ static int32_t CheckBlockCipherOther(uint32_t mode, bool isEncrypt, uint32_t pad
static int32_t CheckBlockCipherData(bool isEncrypt, const struct HksUsageSpec *usageSpec, static int32_t CheckBlockCipherData(bool isEncrypt, const struct HksUsageSpec *usageSpec,
const struct HksBlob *inData, const struct HksBlob *outData) const struct HksBlob *inData, const struct HksBlob *outData)
{ {
const uint32_t padding = usageSpec->padding;
const uint32_t mode = usageSpec->mode; const uint32_t mode = usageSpec->mode;
const uint32_t alg = usageSpec->algType; const uint32_t alg = usageSpec->algType;
int32_t ret = HKS_ERROR_NOT_SUPPORTED; int32_t ret = HKS_ERROR_NOT_SUPPORTED;
@ -184,10 +188,10 @@ static int32_t CheckBlockCipherData(bool isEncrypt, const struct HksUsageSpec *u
} }
} else if (mode == HKS_MODE_CFB || mode == HKS_MODE_OFB) { } else if (mode == HKS_MODE_CFB || mode == HKS_MODE_OFB) {
if (alg == HKS_ALG_SM4) { if (alg == HKS_ALG_SM4) {
ret = CheckBlockCipherOther(mode, isEncrypt, padding, inData, outData); ret = CheckBlockCipherOther(mode, isEncrypt, usageSpec, inData, outData);
} }
} else if (mode == HKS_MODE_CBC || mode == HKS_MODE_CTR || mode == HKS_MODE_ECB) { } else if (mode == HKS_MODE_CBC || mode == HKS_MODE_CTR || mode == HKS_MODE_ECB) {
ret = CheckBlockCipherOther(mode, isEncrypt, padding, inData, outData); ret = CheckBlockCipherOther(mode, isEncrypt, usageSpec, inData, outData);
} }
return ret; return ret;
@ -269,7 +273,7 @@ static int32_t HmacAuth(const struct HuksKeyNode *keyNode, const struct HksParam
if (algParam->uint32Param == HKS_ALG_HMAC) { if (algParam->uint32Param == HKS_ALG_HMAC) {
return HksThreeStageAuth(HKS_AUTH_ID_MAC_HMAC, keyNode); return HksThreeStageAuth(HKS_AUTH_ID_MAC_HMAC, keyNode);
#ifdef HKS_SUPPORT_CMAC_C #ifdef HKS_SUPPORT_CMAC_C
} else if (algParam->uint32Param == HKS_ALG_3DES) { // CMACinit校验密钥算法只支持3DES } else if (algParam->uint32Param == HKS_ALG_CMAC) {
return HksThreeStageAuth(HKS_AUTH_ID_MAC_CMAC, keyNode); return HksThreeStageAuth(HKS_AUTH_ID_MAC_CMAC, keyNode);
#endif #endif
} else if (algParam->uint32Param == HKS_ALG_SM3) { } else if (algParam->uint32Param == HKS_ALG_SM3) {
@ -1973,9 +1977,16 @@ int32_t HksCoreMacThreeStageInit(const struct HuksKeyNode *keyNode, const struct
struct HksParam *algParam = NULL; struct HksParam *algParam = NULL;
ret = HksGetParam(paramSet, HKS_TAG_ALGORITHM, &algParam); ret = HksGetParam(paramSet, HKS_TAG_ALGORITHM, &algParam);
HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "append hmac get alg param failed!"); HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "append hmac get alg param failed!");
if (algParam->uint32Param == HKS_ALG_3DES) { // CMACinit阶段校验密钥只支持3DES if (algParam->uint32Param == HKS_ALG_CMAC) {
#ifdef HKS_SUPPORT_CMAC_C #ifdef HKS_SUPPORT_CMAC_C
ret = HksCryptoHalCmacInit(&rawKey, alg, &ctx); struct HksUsageSpec usageSpec = {0};
HksFillUsageSpec(paramSet, &usageSpec);
ret = HksFillIvParam(paramSet, &usageSpec);
if (ret != HKS_SUCCESS) {
HKS_LOG_E("fill Iv failed!");
break;
}
ret = HksCryptoHalCmacInit(&rawKey, &ctx, &usageSpec);
#endif #endif
} else { } else {
ret = HksCryptoHalHmacInit(&rawKey, alg, &ctx); ret = HksCryptoHalHmacInit(&rawKey, alg, &ctx);
@ -2009,7 +2020,9 @@ int32_t HksCoreMacThreeStageUpdate(const struct HuksKeyNode *keyNode, const stru
HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "append hmac get alg param failed!"); HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "append hmac get alg param failed!");
if (algParam->uint32Param == HKS_ALG_CMAC) { if (algParam->uint32Param == HKS_ALG_CMAC) {
#ifdef HKS_SUPPORT_CMAC_C #ifdef HKS_SUPPORT_CMAC_C
ret = HksCryptoHalCmacUpdate(srcData, ctx); struct HksUsageSpec usageSpec = {0};
HksFillUsageSpec(paramSet, &usageSpec);
ret = HksCryptoHalCmacUpdate(srcData, ctx, &usageSpec);
#endif #endif
} else { } else {
ret = HksCryptoHalHmacUpdate(srcData, ctx); ret = HksCryptoHalHmacUpdate(srcData, ctx);
@ -2054,7 +2067,9 @@ int32_t HksCoreMacThreeStageFinish(const struct HuksKeyNode *keyNode, const stru
if (algParam->uint32Param == HKS_ALG_CMAC) { if (algParam->uint32Param == HKS_ALG_CMAC) {
#ifdef HKS_SUPPORT_CMAC_C #ifdef HKS_SUPPORT_CMAC_C
ret = HksCryptoHalCmacFinal(inData, &ctx, outData); struct HksUsageSpec usageSpec = {0};
HksFillUsageSpec(paramSet, &usageSpec);
ret = HksCryptoHalCmacFinal(inData, &ctx, outData, &usageSpec);
#endif #endif
} else { } else {
ret = HksCryptoHalHmacFinal(inData, &ctx, outData); ret = HksCryptoHalHmacFinal(inData, &ctx, outData);

45
utils/crypto_adapter/hks_client_service_adapter_common.c
View File

@ -74,6 +74,40 @@ static int32_t TranslateToInnerCurve25519Format(const uint32_t alg, const struct
} }
#endif #endif
static int32_t HksSymmetricKeySizeCheck(
struct HksParam *algParam, const struct HksBlob *key, struct HksBlob *outKey)
{
switch (algParam->uint32Param) {
case HKS_ALG_AES:
if ((key->size != HKS_KEY_BYTES(HKS_AES_KEY_SIZE_128)) &&
(key->size != HKS_KEY_BYTES(HKS_AES_KEY_SIZE_192)) &&
(key->size != HKS_KEY_BYTES(HKS_AES_KEY_SIZE_256))) {
HKS_LOG_E("invalid input key size: %" LOG_PUBLIC "u", key->size);
return HKS_ERROR_INVALID_KEY_INFO;
}
break;
case HKS_ALG_DES:
if (key->size != HKS_KEY_BYTES(HKS_DES_KEY_SIZE_64)) {
HKS_LOG_E("invalid input key size: %" LOG_PUBLIC "u", key->size);
return HKS_ERROR_INVALID_KEY_INFO;
}
break;
case HKS_ALG_3DES:
if ((key->size != HKS_KEY_BYTES(HKS_3DES_KEY_SIZE_128)) &&
(key->size != HKS_KEY_BYTES(HKS_3DES_KEY_SIZE_192))) {
HKS_LOG_E("invalid input key size: %" LOG_PUBLIC "u", key->size);
return HKS_ERROR_INVALID_KEY_INFO;
}
break;
default:
HKS_LOG_E("invalid input key algParam: %" LOG_PUBLIC "u", algParam->uint32Param);
return HKS_ERROR_INVALID_ALGORITHM;
}
return CopyToInnerKey(key, outKey);
}
int32_t GetHksPubKeyInnerFormat(const struct HksParamSet *paramSet, int32_t GetHksPubKeyInnerFormat(const struct HksParamSet *paramSet,
const struct HksBlob *key, struct HksBlob *outKey) const struct HksBlob *key, struct HksBlob *outKey)
{ {
@ -88,14 +122,11 @@ int32_t GetHksPubKeyInnerFormat(const struct HksParamSet *paramSet,
switch (algParam->uint32Param) { switch (algParam->uint32Param) {
#if defined(HKS_SUPPORT_HMAC_C) || defined(HKS_SUPPORT_SM3_C) || defined(HKS_SUPPORT_SM4_C) || \ #if defined(HKS_SUPPORT_HMAC_C) || defined(HKS_SUPPORT_SM3_C) || defined(HKS_SUPPORT_SM4_C) || \
defined(HKS_SUPPORT_AES_C) defined(HKS_SUPPORT_AES_C) || defined(HKS_SUPPORT_DES_C) || defined(HKS_SUPPORT_3DES_C)
case HKS_ALG_AES: case HKS_ALG_AES:
if ((key->size != HKS_KEY_BYTES(HKS_AES_KEY_SIZE_128)) && case HKS_ALG_DES:
(key->size != HKS_KEY_BYTES(HKS_AES_KEY_SIZE_192)) && case HKS_ALG_3DES:
(key->size != HKS_KEY_BYTES(HKS_AES_KEY_SIZE_256))) { return HksSymmetricKeySizeCheck(algParam, key, outKey);
HKS_LOG_E("invalid input key size: %" LOG_PUBLIC "u", key->size);
return HKS_ERROR_INVALID_KEY_INFO;
} /* fall-through */
case HKS_ALG_HMAC: case HKS_ALG_HMAC:
case HKS_ALG_SM3: case HKS_ALG_SM3:
case HKS_ALG_SM4: case HKS_ALG_SM4: