From c53bc74c6c3b4edfb434e000725c8a13a0516235 Mon Sep 17 00:00:00 2001
From: Krzysztof Jackiewicz
Date: Tue, 19 Sep 2023 14:56:06 +0200
Subject: [PATCH] Check mandatory KBKFD params in TZ
Change-Id: I151207b55b1051ac3cc870c885a33b951331bc61
---
src/manager/crypto/tz-backend/internals.cpp | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/src/manager/crypto/tz-backend/internals.cpp b/src/manager/crypto/tz-backend/internals.cpp
index b97a70f..91098a4 100644
--- a/src/manager/crypto/tz-backend/internals.cpp
+++ b/src/manager/crypto/tz-backend/internals.cpp
@@ -852,21 +852,29 @@ void deriveKBKDF(const RawBuffer &secretId, const RawBuffer &keyHash) { RawBuffer label, context, fixed; - KbkdfCounterLocation counterLocation = KbkdfCounterLocation::BEFORE_FIXED; - KdfPrf prf = KdfPrf::HMAC_SHA256; - KbkdfMode mode = KbkdfMode::COUNTER; - size_t length, rlenBits = 32, llenBits = 32, tmp; + size_t rlenBits = 32, llenBits = 32, tmp; bool hasLabel = alg.getParam(ParamName::KBKDF_LABEL, label); bool hasContext = alg.getParam(ParamName::KBKDF_CONTEXT, context); bool hasFixed = alg.getParam(ParamName::KBKDF_FIXED_INPUT, fixed); - alg.getParam(ParamName::KBKDF_COUNTER_LOCATION, counterLocation); - alg.getParam(ParamName::KBKDF_MODE, mode); - alg.getParam(ParamName::KDF_PRF, prf); - alg.getParam(ParamName::KDF_LEN, length); + auto counterLocation = unpack(alg, ParamName::KBKDF_COUNTER_LOCATION); + auto mode = unpack(alg, ParamName::KBKDF_MODE); + auto prf = unpack(alg, ParamName::KDF_PRF); + auto length = unpack(alg, ParamName::KDF_LEN); alg.getParam(ParamName::KBKDF_RLEN, rlenBits); bool hasLLen = alg.getParam(ParamName::KBKDF_LLEN, llenBits); bool noSeparator = alg.getParam(ParamName::KBKDF_NO_SEPARATOR, tmp); + if (counterLocation != KbkdfCounterLocation::BEFORE_FIXED && + counterLocation != KbkdfCounterLocation::MIDDLE_FIXED && + counterLocation != KbkdfCounterLocation::AFTER_FIXED) + ThrowErr(Exc::Crypto::InputParam, "Invalid counter location"); + + if (mode != KbkdfMode::COUNTER) + ThrowErr(Exc::Crypto::InputParam, "Invalid mode"); + + if (prf != KdfPrf::HMAC_SHA256 && prf != KdfPrf::HMAC_SHA384 && prf != KdfPrf::HMAC_SHA512) + ThrowErr(Exc::Crypto::InputParam, "Invalid pseudo random function"); + RawBuffer key; if (hasFixed) { if (hasLabel || hasContext || noSeparator || hasLLen || -- 2.7.4
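Review bot: The new checks cover the three enum parameters but not the numeric ones: `length` from `unpack(alg, ParamName::KDF_LEN)` and the optional `rlenBits`/`llenBits` are accepted as read, with no range check visible in this hunk. Since the point of the change is to reject bad KBKDF input before it reaches the TrustZone backend, I would validate these next to the enum checks, e.g. `if (rlenBits != 8 && rlenBits != 16 && rlenBits != 24 && rlenBits != 32) ThrowErr(Exc::Crypto::InputParam, "Invalid counter length");` (assuming those are the supported counter widths), and likewise for `llenBits` and `length`. deriveKBKDF's body starts before and continues past the hunk, so if these values are already checked further down or inside the trusted application, a short comment saying so would do.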