nrf_security: Apply is_first_block to Cracen HMAC

The is_first_block variable should be used by the Cracen
HMAC as well as CMAC. So move the variable to the MAC
operation instead of the CMAC specific one.

Also use this variable to HMAC as well. The call sx_hash_resume_state
expects that the sx_hash_save_state was called before so this makes
sure that the sx_hash_resume_state is only called in this case

Signed-off-by: Georgios Vasilakis <[email protected]>

Author: Vge0rge

subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_primitives.h

@@ -192,6 +192,7 @@ struct cracen_mac_operation_s {
 	/* Buffer for input data to fill up the next block */
 	uint8_t input_buffer[SX_MAX(SX_HASH_MAX_ENABLED_BLOCK_SIZE, SX_BLKCIPHER_PRIV_SZ)];
 
+	bool is_first_block;
 	union {
 #if defined(PSA_NEED_CRACEN_HMAC)
 		struct {
@@ -203,8 +204,6 @@ struct cracen_mac_operation_s {
 #if defined(PSA_NEED_CRACEN_CMAC)
 		struct {
 			struct sxmac ctx;
-			bool is_first_block;
-
 			struct sxkeyref keyref;
 			uint8_t key_buffer[CRACEN_MAX_AES_KEY_SIZE];
 		} cmac;

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cracen_mac_cmac.c

@@ -50,7 +50,7 @@ psa_status_t cracen_cmac_setup(cracen_mac_operation_t *operation,
 
 	/* As only AES is supported it is always the same block size*/
 	operation->bytes_left_for_next_block = AES_BLOCK_SIZE;
-	operation->cmac.is_first_block = true;
+	operation->is_first_block = true;
 
 	return PSA_SUCCESS;
 }
@@ -76,7 +76,7 @@ psa_status_t cracen_cmac_update(cracen_mac_operation_t *operation, const uint8_t
 	/* The state can only be resumed if is not the first time data are
 	 * processed.
 	 */
-	if (!operation->cmac.is_first_block) {
+	if (!operation->is_first_block) {
 		sx_status = sx_mac_resume_state(&operation->cmac.ctx);
 		if (sx_status) {
 			return silex_statuscodes_to_psa(sx_status);
@@ -111,18 +111,18 @@ psa_status_t cracen_cmac_update(cracen_mac_operation_t *operation, const uint8_t
 		 * empty input buffer
 		 */
 		operation->bytes_left_for_next_block = AES_BLOCK_SIZE;
-		operation->cmac.is_first_block = false;
+		operation->is_first_block = false;
 	}
 
 	if (block_bytes) {
 		sx_status = sx_mac_feed(&operation->cmac.ctx, input, block_bytes);
 		if (sx_status) {
 			return silex_statuscodes_to_psa(sx_status);
 		}
-		operation->cmac.is_first_block = false;
+		operation->is_first_block = false;
 	}
 
-	if (!operation->cmac.is_first_block) {
+	if (!operation->is_first_block) {
 		/* save state and wait until processed */
 		sx_status = sx_mac_save_state(&operation->cmac.ctx);
 		if (sx_status) {
@@ -156,7 +156,7 @@ psa_status_t cracen_cmac_finish(cracen_mac_operation_t *operation)
 		return PSA_ERROR_INVALID_ARGUMENT;
 	}
 
-	if (!operation->cmac.is_first_block) {
+	if (!operation->is_first_block) {
 		sx_status = sx_mac_resume_state(&operation->cmac.ctx);
 		if (sx_status) {
 			return silex_statuscodes_to_psa(sx_status);

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cracen_mac_hmac.c

@@ -37,6 +37,7 @@ psa_status_t cracen_hmac_setup(cracen_mac_operation_t *operation,
 	}
 
 	operation->bytes_left_for_next_block = sx_hash_get_alg_blocksz(sx_hash_algo);
+	operation->is_first_block = true;
 
 	return PSA_SUCCESS;
 }
@@ -71,6 +72,8 @@ psa_status_t cracen_hmac_update(cracen_mac_operation_t *operation, const uint8_t
 		return PSA_SUCCESS;
 	}
 
+	operation->is_first_block = false;
+
 	/* Feed the data that are currently in the input buffer to the driver */
 	sx_status = sx_hash_feed(&operation->hmac.hashctx, operation->input_buffer,
 			(block_size - operation->bytes_left_for_next_block));
@@ -130,9 +133,11 @@ psa_status_t cracen_hmac_finish(cracen_mac_operation_t *operation)
 	digestsz = sx_hash_get_alg_digestsz(sx_hash_algo);
 	block_size = sx_hash_get_alg_blocksz(sx_hash_algo);
 
-	sx_status = sx_hash_resume_state(&operation->hmac.hashctx);
-	if (sx_status != SX_OK) {
-		return silex_statuscodes_to_psa(sx_status);
+	if (!operation->is_first_block) {
+		sx_status = sx_hash_resume_state(&operation->hmac.hashctx);
+		if (sx_status != SX_OK) {
+			return silex_statuscodes_to_psa(sx_status);
+		}
 	}
 
 	/* Process the data that are left in the input buffer. */