From 4691ae379b68fe4bfc97b0798dc9928cc8d0fc98 Mon Sep 17 00:00:00 2001 From: Laurence Lundblade Date: Thu, 16 Nov 2023 08:35:32 -0800 Subject: [PATCH] A little more tidying up --- crypto_adapters/t_cose_psa_crypto.c | 9 +++++++++ src/t_cose_mac_compute.c | 25 +++++++++++-------------- src/t_cose_mac_validate.c | 11 +++++------ 3 files changed, 25 insertions(+), 20 deletions(-) diff --git a/crypto_adapters/t_cose_psa_crypto.c b/crypto_adapters/t_cose_psa_crypto.c index 38ff22ac..3c1a363d 100644 --- a/crypto_adapters/t_cose_psa_crypto.c +++ b/crypto_adapters/t_cose_psa_crypto.c @@ -630,6 +630,15 @@ t_cose_crypto_hmac_finish(struct t_cose_crypto_hmac *hmac_ctx, } +/* The PSA API for MAC validation is not used because it results + * in larger code size overall and because OSSL doesn't have that + * API. There is no issue with a crypto service API that isolates + * the MAC key in an HSM or such by making this choice. It is still + * possible to to do. The MAC tag is a public value so it doesn't + * need to in the HSM. + */ + + enum t_cose_err_t t_cose_crypto_sign_eddsa(struct t_cose_key signing_key, void *crypto_context, diff --git a/src/t_cose_mac_compute.c b/src/t_cose_mac_compute.c index edaf6f06..827015c0 100644 --- a/src/t_cose_mac_compute.c +++ b/src/t_cose_mac_compute.c @@ -87,10 +87,8 @@ t_cose_mac_encode_tag(struct t_cose_mac_calculate_ctx *me, { enum t_cose_err_t return_value; QCBORError cbor_err; - /* Pointer and length of the completed tag */ - struct q_useful_buf_c tag; - /* Buffer for the actual tag */ - Q_USEFUL_BUF_MAKE_STACK_UB( tag_buf, + struct q_useful_buf_c computed_mac_tag; + Q_USEFUL_BUF_MAKE_STACK_UB( mac_tag_buf, T_COSE_CRYPTO_HMAC_TAG_MAX_SIZE); struct t_cose_sign_inputs mac_input; @@ -111,9 +109,8 @@ t_cose_mac_encode_tag(struct t_cose_mac_calculate_ctx *me, if(QCBOREncode_IsBufferNULL(cbor_encode_ctx)) { /* Just calculating sizes. All that is needed is the tag size. */ - tag.ptr = NULL; - tag.len = t_cose_tag_size(me->cose_algorithm_id); - + computed_mac_tag.ptr = NULL; + computed_mac_tag.len = t_cose_tag_size(me->cose_algorithm_id); return_value = T_COSE_SUCCESS; goto CloseArray; } @@ -128,19 +125,19 @@ t_cose_mac_encode_tag(struct t_cose_mac_calculate_ctx *me, mac_input.body_protected = me->protected_parameters; mac_input.sign_protected = NULL_Q_USEFUL_BUF_C; /* Never sign-protected for MAC */ - return_value = create_tbm(me->cose_algorithm_id, - me->mac_key, - true, /* in: is_mac0 */ - &mac_input, - tag_buf, - &tag); + return_value = create_tbm(me->cose_algorithm_id, /* in: algorithm ID*/ + me->mac_key, /* in: key */ + true, /* in: is_mac0 (MAC vs MAC0) */ + &mac_input, /* in: struct of all TBM inputs */ + mac_tag_buf, /* in: buffer to output to */ + &computed_mac_tag); /* out: the computed MAC tag */ if(return_value) { goto Done; } CloseArray: /* Add tag to CBOR and close out the array */ - QCBOREncode_AddBytes(cbor_encode_ctx, tag); + QCBOREncode_AddBytes(cbor_encode_ctx, computed_mac_tag); QCBOREncode_CloseArray(cbor_encode_ctx); /* CBOR encoding errors are tracked in the CBOR encoding context diff --git a/src/t_cose_mac_validate.c b/src/t_cose_mac_validate.c index 2d5e487a..1805bb1b 100644 --- a/src/t_cose_mac_validate.c +++ b/src/t_cose_mac_validate.c @@ -137,12 +137,11 @@ t_cose_mac_validate_private(struct t_cose_mac_validate_ctx *me, mac_input.sign_protected = NULL_Q_USEFUL_BUF_C; /* No sign-protected for MAC */ return_value = create_tbm(t_cose_param_find_alg_id_prot(decoded_params), - me->validation_key, - true, - &mac_input, - mac_tag_buf, - &computed_mac_tag); - + me->validation_key,/* in: the key */ + true, /* in: is_mac0 (MAC vs MAC0) */ + &mac_input, /* in: struct of all TBM inputs */ + mac_tag_buf, /* in: buffer to output to */ + &computed_mac_tag); /* out: the computed MAC tag */ if(return_value) { goto Done; }