A little more tidying up

crypto_adapters/t_cose_psa_crypto.c

@@ -630,6 +630,15 @@ t_cose_crypto_hmac_finish(struct t_cose_crypto_hmac *hmac_ctx,
 }
 
 
+/* The PSA API for MAC validation is not used because it results
+ * in larger code size overall and because OSSL doesn't have that
+ * API. There is no issue with a crypto service API that isolates
+ * the MAC key in an HSM or such by making this choice. It is still
+ * possible to to do. The MAC tag is a public value so it doesn't
+ * need to in the HSM.
+ */
+
+
 enum t_cose_err_t
 t_cose_crypto_sign_eddsa(struct t_cose_key      signing_key,
                          void                 *crypto_context,

src/t_cose_mac_compute.c

@@ -87,10 +87,8 @@ t_cose_mac_encode_tag(struct t_cose_mac_calculate_ctx *me,
 {
     enum t_cose_err_t            return_value;
     QCBORError                   cbor_err;
-    /* Pointer and length of the completed tag */
-    struct q_useful_buf_c        tag;
-    /* Buffer for the actual tag */
-    Q_USEFUL_BUF_MAKE_STACK_UB(  tag_buf,
+    struct q_useful_buf_c        computed_mac_tag;
+    Q_USEFUL_BUF_MAKE_STACK_UB(  mac_tag_buf,
                                  T_COSE_CRYPTO_HMAC_TAG_MAX_SIZE);
     struct t_cose_sign_inputs    mac_input;
 
@@ -111,9 +109,8 @@ t_cose_mac_encode_tag(struct t_cose_mac_calculate_ctx *me,
 
     if(QCBOREncode_IsBufferNULL(cbor_encode_ctx)) {
         /* Just calculating sizes. All that is needed is the tag size. */
-        tag.ptr = NULL;
-        tag.len = t_cose_tag_size(me->cose_algorithm_id);
-
+        computed_mac_tag.ptr = NULL;
+        computed_mac_tag.len = t_cose_tag_size(me->cose_algorithm_id);
         return_value = T_COSE_SUCCESS;
         goto CloseArray;
     }
@@ -128,19 +125,19 @@ t_cose_mac_encode_tag(struct t_cose_mac_calculate_ctx *me,
     mac_input.body_protected = me->protected_parameters;
     mac_input.sign_protected = NULL_Q_USEFUL_BUF_C; /* Never sign-protected for MAC */
 
-    return_value = create_tbm(me->cose_algorithm_id,
-                              me->mac_key,
-                              true, /* in: is_mac0   */
-                             &mac_input,
-                              tag_buf,
-                             &tag);
+    return_value = create_tbm(me->cose_algorithm_id, /* in: algorithm ID*/
+                              me->mac_key, /* in: key */
+                              true,        /* in: is_mac0 (MAC vs MAC0) */
+                             &mac_input,   /* in: struct of all TBM inputs */
+                              mac_tag_buf, /* in: buffer to output to */
+                             &computed_mac_tag); /* out: the computed MAC tag */
     if(return_value) {
         goto Done;
     }
 
 CloseArray:
     /* Add tag to CBOR and close out the array */
-    QCBOREncode_AddBytes(cbor_encode_ctx, tag);
+    QCBOREncode_AddBytes(cbor_encode_ctx, computed_mac_tag);
     QCBOREncode_CloseArray(cbor_encode_ctx);
 
     /* CBOR encoding errors are tracked in the CBOR encoding context

src/t_cose_mac_validate.c

@@ -137,12 +137,11 @@ t_cose_mac_validate_private(struct t_cose_mac_validate_ctx *me,
     mac_input.sign_protected = NULL_Q_USEFUL_BUF_C; /* No sign-protected for MAC */
 
     return_value = create_tbm(t_cose_param_find_alg_id_prot(decoded_params),
-                               me->validation_key,
-                               true,
-                               &mac_input,
-                               mac_tag_buf,
-                               &computed_mac_tag);
-
+                              me->validation_key,/* in: the key */
+                              true,              /* in: is_mac0 (MAC vs MAC0) */
+                             &mac_input,         /* in: struct of all TBM inputs */
+                              mac_tag_buf,       /* in: buffer to output to */
+                             &computed_mac_tag); /* out: the computed MAC tag */
     if(return_value) {
         goto Done;
     }