1 /*
2 * Public Key abstraction layer: wrapper functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "common.h"
9
10 #include "mbedtls/platform_util.h"
11
12 #if defined(MBEDTLS_PK_C)
13 #include "pk_wrap.h"
14 #include "pk_internal.h"
15 #include "mbedtls/error.h"
16 #include "md_psa.h"
17
18 /* Even if RSA not activated, for the sake of RSA-alt */
19 #include "mbedtls/rsa.h"
20
21 #if defined(MBEDTLS_ECP_C)
22 #include "mbedtls/ecp.h"
23 #endif
24
25 #if defined(MBEDTLS_ECDSA_C)
26 #include "mbedtls/ecdsa.h"
27 #endif
28
29 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PSA_CRYPTO_C)
30 #include "pkwrite.h"
31 #endif
32
33 #if defined(MBEDTLS_PSA_CRYPTO_C)
34 #include "psa_util_internal.h"
35 #endif
36
37 #if defined(MBEDTLS_USE_PSA_CRYPTO)
38 #include "psa/crypto.h"
39
40 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
41 #include "mbedtls/asn1write.h"
42 #include "mbedtls/asn1.h"
43 #endif
44 #endif /* MBEDTLS_USE_PSA_CRYPTO */
45
46 #include "mbedtls/platform.h"
47
48 #include <limits.h>
49 #include <stdint.h>
50 #include <string.h>
51
52 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
53 #if defined(MBEDTLS_PSA_CRYPTO_C)
mbedtls_pk_error_from_psa(psa_status_t status)54 int mbedtls_pk_error_from_psa(psa_status_t status)
55 {
56 switch (status) {
57 case PSA_SUCCESS:
58 return 0;
59 case PSA_ERROR_INVALID_HANDLE:
60 return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
61 case PSA_ERROR_NOT_PERMITTED:
62 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
63 case PSA_ERROR_BUFFER_TOO_SMALL:
64 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
65 case PSA_ERROR_NOT_SUPPORTED:
66 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
67 case PSA_ERROR_INVALID_ARGUMENT:
68 return MBEDTLS_ERR_PK_INVALID_ALG;
69 case PSA_ERROR_INSUFFICIENT_MEMORY:
70 return MBEDTLS_ERR_PK_ALLOC_FAILED;
71 case PSA_ERROR_BAD_STATE:
72 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
73 case PSA_ERROR_COMMUNICATION_FAILURE:
74 case PSA_ERROR_HARDWARE_FAILURE:
75 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
76 case PSA_ERROR_DATA_CORRUPT:
77 case PSA_ERROR_DATA_INVALID:
78 case PSA_ERROR_STORAGE_FAILURE:
79 return MBEDTLS_ERR_PK_FILE_IO_ERROR;
80 case PSA_ERROR_CORRUPTION_DETECTED:
81 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
82 default:
83 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
84 }
85 }
86
87 #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
88 defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
mbedtls_pk_error_from_psa_rsa(psa_status_t status)89 int mbedtls_pk_error_from_psa_rsa(psa_status_t status)
90 {
91 switch (status) {
92 case PSA_ERROR_NOT_PERMITTED:
93 case PSA_ERROR_INVALID_ARGUMENT:
94 case PSA_ERROR_INVALID_HANDLE:
95 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
96 case PSA_ERROR_BUFFER_TOO_SMALL:
97 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
98 case PSA_ERROR_INSUFFICIENT_ENTROPY:
99 return MBEDTLS_ERR_RSA_RNG_FAILED;
100 case PSA_ERROR_INVALID_SIGNATURE:
101 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
102 case PSA_ERROR_INVALID_PADDING:
103 return MBEDTLS_ERR_RSA_INVALID_PADDING;
104 case PSA_SUCCESS:
105 return 0;
106 case PSA_ERROR_NOT_SUPPORTED:
107 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
108 case PSA_ERROR_INSUFFICIENT_MEMORY:
109 return MBEDTLS_ERR_PK_ALLOC_FAILED;
110 case PSA_ERROR_BAD_STATE:
111 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
112 case PSA_ERROR_COMMUNICATION_FAILURE:
113 case PSA_ERROR_HARDWARE_FAILURE:
114 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
115 case PSA_ERROR_DATA_CORRUPT:
116 case PSA_ERROR_DATA_INVALID:
117 case PSA_ERROR_STORAGE_FAILURE:
118 return MBEDTLS_ERR_PK_FILE_IO_ERROR;
119 case PSA_ERROR_CORRUPTION_DETECTED:
120 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
121 default:
122 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
123 }
124 }
125 #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
126 #endif /* MBEDTLS_PSA_CRYPTO_C */
127
128 #if defined(MBEDTLS_USE_PSA_CRYPTO)
129 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
mbedtls_pk_error_from_psa_ecdsa(psa_status_t status)130 int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status)
131 {
132 switch (status) {
133 case PSA_ERROR_NOT_PERMITTED:
134 case PSA_ERROR_INVALID_ARGUMENT:
135 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
136 case PSA_ERROR_INVALID_HANDLE:
137 return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
138 case PSA_ERROR_BUFFER_TOO_SMALL:
139 return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
140 case PSA_ERROR_INSUFFICIENT_ENTROPY:
141 return MBEDTLS_ERR_ECP_RANDOM_FAILED;
142 case PSA_ERROR_INVALID_SIGNATURE:
143 return MBEDTLS_ERR_ECP_VERIFY_FAILED;
144 case PSA_SUCCESS:
145 return 0;
146 case PSA_ERROR_NOT_SUPPORTED:
147 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
148 case PSA_ERROR_INSUFFICIENT_MEMORY:
149 return MBEDTLS_ERR_PK_ALLOC_FAILED;
150 case PSA_ERROR_BAD_STATE:
151 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
152 case PSA_ERROR_COMMUNICATION_FAILURE:
153 case PSA_ERROR_HARDWARE_FAILURE:
154 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
155 case PSA_ERROR_DATA_CORRUPT:
156 case PSA_ERROR_DATA_INVALID:
157 case PSA_ERROR_STORAGE_FAILURE:
158 return MBEDTLS_ERR_PK_FILE_IO_ERROR;
159 case PSA_ERROR_CORRUPTION_DETECTED:
160 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
161 default:
162 return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
163 }
164 }
165 #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
166 #endif /* MBEDTLS_USE_PSA_CRYPTO */
167 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
168
169 #if defined(MBEDTLS_RSA_C)
rsa_can_do(mbedtls_pk_type_t type)170 static int rsa_can_do(mbedtls_pk_type_t type)
171 {
172 return type == MBEDTLS_PK_RSA ||
173 type == MBEDTLS_PK_RSASSA_PSS;
174 }
175
rsa_get_bitlen(mbedtls_pk_context * pk)176 static size_t rsa_get_bitlen(mbedtls_pk_context *pk)
177 {
178 const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) pk->pk_ctx;
179 return 8 * mbedtls_rsa_get_len(rsa);
180 }
181
182 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)183 static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
184 const unsigned char *hash, size_t hash_len,
185 const unsigned char *sig, size_t sig_len)
186 {
187 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
188 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
189 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
190 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
191 psa_status_t status;
192 mbedtls_pk_context key;
193 int key_len;
194 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
195 psa_algorithm_t psa_alg_md =
196 PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
197 size_t rsa_len = mbedtls_rsa_get_len(rsa);
198
199 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
200 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
201 }
202
203 if (sig_len < rsa_len) {
204 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
205 }
206
207 /* mbedtls_pk_write_pubkey_der() expects a full PK context;
208 * re-construct one to make it happy */
209 key.pk_info = &mbedtls_rsa_info;
210 key.pk_ctx = rsa;
211 key_len = mbedtls_pk_write_pubkey_der(&key, buf, sizeof(buf));
212 if (key_len <= 0) {
213 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
214 }
215
216 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
217 psa_set_key_algorithm(&attributes, psa_alg_md);
218 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
219
220 status = psa_import_key(&attributes,
221 buf + sizeof(buf) - key_len, key_len,
222 &key_id);
223 if (status != PSA_SUCCESS) {
224 ret = PSA_PK_TO_MBEDTLS_ERR(status);
225 goto cleanup;
226 }
227
228 status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len,
229 sig, sig_len);
230 if (status != PSA_SUCCESS) {
231 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
232 goto cleanup;
233 }
234 ret = 0;
235
236 cleanup:
237 status = psa_destroy_key(key_id);
238 if (ret == 0 && status != PSA_SUCCESS) {
239 ret = PSA_PK_TO_MBEDTLS_ERR(status);
240 }
241
242 return ret;
243 }
244 #else /* MBEDTLS_USE_PSA_CRYPTO */
rsa_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)245 static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
246 const unsigned char *hash, size_t hash_len,
247 const unsigned char *sig, size_t sig_len)
248 {
249 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
250 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
251 size_t rsa_len = mbedtls_rsa_get_len(rsa);
252
253 #if SIZE_MAX > UINT_MAX
254 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
255 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
256 }
257 #endif
258
259 if (sig_len < rsa_len) {
260 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
261 }
262
263 if ((ret = mbedtls_rsa_pkcs1_verify(rsa, md_alg,
264 (unsigned int) hash_len,
265 hash, sig)) != 0) {
266 return ret;
267 }
268
269 /* The buffer contains a valid signature followed by extra data.
270 * We have a special error code for that so that so that callers can
271 * use mbedtls_pk_verify() to check "Does the buffer start with a
272 * valid signature?" and not just "Does the buffer contain a valid
273 * signature?". */
274 if (sig_len > rsa_len) {
275 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
276 }
277
278 return 0;
279 }
280 #endif /* MBEDTLS_USE_PSA_CRYPTO */
281
282 #if defined(MBEDTLS_PSA_CRYPTO_C)
mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,mbedtls_rsa_context * rsa_ctx,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len)283 int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
284 mbedtls_rsa_context *rsa_ctx,
285 const unsigned char *hash, size_t hash_len,
286 unsigned char *sig, size_t sig_size,
287 size_t *sig_len)
288 {
289 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
290 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
291 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
292 psa_status_t status;
293 mbedtls_pk_context key;
294 int key_len;
295 unsigned char *buf = NULL;
296 buf = mbedtls_calloc(1, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES);
297 if (buf == NULL) {
298 return MBEDTLS_ERR_PK_ALLOC_FAILED;
299 }
300 mbedtls_pk_info_t pk_info = mbedtls_rsa_info;
301
302 *sig_len = mbedtls_rsa_get_len(rsa_ctx);
303 if (sig_size < *sig_len) {
304 mbedtls_free(buf);
305 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
306 }
307
308 /* mbedtls_pk_write_key_der() expects a full PK context;
309 * re-construct one to make it happy */
310 key.pk_info = &pk_info;
311 key.pk_ctx = rsa_ctx;
312 key_len = mbedtls_pk_write_key_der(&key, buf, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES);
313 if (key_len <= 0) {
314 mbedtls_free(buf);
315 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
316 }
317 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
318 psa_set_key_algorithm(&attributes, alg);
319 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
320
321 status = psa_import_key(&attributes,
322 buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES - key_len, key_len,
323 &key_id);
324 if (status != PSA_SUCCESS) {
325 ret = PSA_PK_TO_MBEDTLS_ERR(status);
326 goto cleanup;
327 }
328 status = psa_sign_hash(key_id, alg, hash, hash_len,
329 sig, sig_size, sig_len);
330 if (status != PSA_SUCCESS) {
331 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
332 goto cleanup;
333 }
334
335 ret = 0;
336
337 cleanup:
338 mbedtls_free(buf);
339 status = psa_destroy_key(key_id);
340 if (ret == 0 && status != PSA_SUCCESS) {
341 ret = PSA_PK_TO_MBEDTLS_ERR(status);
342 }
343 return ret;
344 }
345 #endif /* MBEDTLS_PSA_CRYPTO_C */
346
347 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)348 static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
349 const unsigned char *hash, size_t hash_len,
350 unsigned char *sig, size_t sig_size, size_t *sig_len,
351 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
352 {
353 ((void) f_rng);
354 ((void) p_rng);
355
356 psa_algorithm_t psa_md_alg;
357 psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
358 if (psa_md_alg == 0) {
359 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
360 }
361
362 return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PKCS1V15_SIGN(
363 psa_md_alg),
364 pk->pk_ctx, hash, hash_len,
365 sig, sig_size, sig_len);
366 }
367 #else /* MBEDTLS_USE_PSA_CRYPTO */
rsa_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)368 static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
369 const unsigned char *hash, size_t hash_len,
370 unsigned char *sig, size_t sig_size, size_t *sig_len,
371 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
372 {
373 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
374
375 #if SIZE_MAX > UINT_MAX
376 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
377 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
378 }
379 #endif
380
381 *sig_len = mbedtls_rsa_get_len(rsa);
382 if (sig_size < *sig_len) {
383 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
384 }
385
386 return mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng,
387 md_alg, (unsigned int) hash_len,
388 hash, sig);
389 }
390 #endif /* MBEDTLS_USE_PSA_CRYPTO */
391
392 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_decrypt_wrap(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)393 static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
394 const unsigned char *input, size_t ilen,
395 unsigned char *output, size_t *olen, size_t osize,
396 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
397 {
398 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
399 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
400 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
401 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
402 psa_status_t status;
403 mbedtls_pk_context key;
404 int key_len;
405 unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
406
407 ((void) f_rng);
408 ((void) p_rng);
409
410 #if !defined(MBEDTLS_RSA_ALT)
411 if (rsa->padding != MBEDTLS_RSA_PKCS_V15) {
412 return MBEDTLS_ERR_RSA_INVALID_PADDING;
413 }
414 #endif /* !MBEDTLS_RSA_ALT */
415
416 if (ilen != mbedtls_rsa_get_len(rsa)) {
417 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
418 }
419
420 /* mbedtls_pk_write_key_der() expects a full PK context;
421 * re-construct one to make it happy */
422 key.pk_info = &mbedtls_rsa_info;
423 key.pk_ctx = rsa;
424 key_len = mbedtls_pk_write_key_der(&key, buf, sizeof(buf));
425 if (key_len <= 0) {
426 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
427 }
428
429 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
430 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
431 psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
432
433 status = psa_import_key(&attributes,
434 buf + sizeof(buf) - key_len, key_len,
435 &key_id);
436 if (status != PSA_SUCCESS) {
437 ret = PSA_PK_TO_MBEDTLS_ERR(status);
438 goto cleanup;
439 }
440
441 status = psa_asymmetric_decrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
442 input, ilen,
443 NULL, 0,
444 output, osize, olen);
445 if (status != PSA_SUCCESS) {
446 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
447 goto cleanup;
448 }
449
450 ret = 0;
451
452 cleanup:
453 mbedtls_platform_zeroize(buf, sizeof(buf));
454 status = psa_destroy_key(key_id);
455 if (ret == 0 && status != PSA_SUCCESS) {
456 ret = PSA_PK_TO_MBEDTLS_ERR(status);
457 }
458
459 return ret;
460 }
461 #else /* MBEDTLS_USE_PSA_CRYPTO */
rsa_decrypt_wrap(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)462 static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
463 const unsigned char *input, size_t ilen,
464 unsigned char *output, size_t *olen, size_t osize,
465 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
466 {
467 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
468
469 if (ilen != mbedtls_rsa_get_len(rsa)) {
470 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
471 }
472
473 return mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng,
474 olen, input, output, osize);
475 }
476 #endif /* MBEDTLS_USE_PSA_CRYPTO */
477
478 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_encrypt_wrap(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)479 static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
480 const unsigned char *input, size_t ilen,
481 unsigned char *output, size_t *olen, size_t osize,
482 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
483 {
484 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
485 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
486 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
487 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
488 psa_status_t status;
489 mbedtls_pk_context key;
490 int key_len;
491 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
492
493 ((void) f_rng);
494 ((void) p_rng);
495
496 #if !defined(MBEDTLS_RSA_ALT)
497 if (rsa->padding != MBEDTLS_RSA_PKCS_V15) {
498 return MBEDTLS_ERR_RSA_INVALID_PADDING;
499 }
500 #endif
501
502 if (mbedtls_rsa_get_len(rsa) > osize) {
503 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
504 }
505
506 /* mbedtls_pk_write_pubkey_der() expects a full PK context;
507 * re-construct one to make it happy */
508 key.pk_info = &mbedtls_rsa_info;
509 key.pk_ctx = rsa;
510 key_len = mbedtls_pk_write_pubkey_der(&key, buf, sizeof(buf));
511 if (key_len <= 0) {
512 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
513 }
514
515 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
516 psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
517 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
518
519 status = psa_import_key(&attributes,
520 buf + sizeof(buf) - key_len, key_len,
521 &key_id);
522 if (status != PSA_SUCCESS) {
523 ret = PSA_PK_TO_MBEDTLS_ERR(status);
524 goto cleanup;
525 }
526
527 status = psa_asymmetric_encrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
528 input, ilen,
529 NULL, 0,
530 output, osize, olen);
531 if (status != PSA_SUCCESS) {
532 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
533 goto cleanup;
534 }
535
536 ret = 0;
537
538 cleanup:
539 status = psa_destroy_key(key_id);
540 if (ret == 0 && status != PSA_SUCCESS) {
541 ret = PSA_PK_TO_MBEDTLS_ERR(status);
542 }
543
544 return ret;
545 }
546 #else /* MBEDTLS_USE_PSA_CRYPTO */
rsa_encrypt_wrap(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)547 static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
548 const unsigned char *input, size_t ilen,
549 unsigned char *output, size_t *olen, size_t osize,
550 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
551 {
552 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
553 *olen = mbedtls_rsa_get_len(rsa);
554
555 if (*olen > osize) {
556 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
557 }
558
559 return mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng,
560 ilen, input, output);
561 }
562 #endif /* MBEDTLS_USE_PSA_CRYPTO */
563
rsa_check_pair_wrap(mbedtls_pk_context * pub,mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)564 static int rsa_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
565 int (*f_rng)(void *, unsigned char *, size_t),
566 void *p_rng)
567 {
568 (void) f_rng;
569 (void) p_rng;
570 return mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub->pk_ctx,
571 (const mbedtls_rsa_context *) prv->pk_ctx);
572 }
573
rsa_alloc_wrap(void)574 static void *rsa_alloc_wrap(void)
575 {
576 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
577
578 if (ctx != NULL) {
579 mbedtls_rsa_init((mbedtls_rsa_context *) ctx);
580 }
581
582 return ctx;
583 }
584
rsa_free_wrap(void * ctx)585 static void rsa_free_wrap(void *ctx)
586 {
587 mbedtls_rsa_free((mbedtls_rsa_context *) ctx);
588 mbedtls_free(ctx);
589 }
590
rsa_debug(mbedtls_pk_context * pk,mbedtls_pk_debug_item * items)591 static void rsa_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
592 {
593 #if defined(MBEDTLS_RSA_ALT)
594 /* Not supported */
595 (void) pk;
596 (void) items;
597 #else
598 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
599
600 items->type = MBEDTLS_PK_DEBUG_MPI;
601 items->name = "rsa.N";
602 items->value = &(rsa->N);
603
604 items++;
605
606 items->type = MBEDTLS_PK_DEBUG_MPI;
607 items->name = "rsa.E";
608 items->value = &(rsa->E);
609 #endif
610 }
611
612 const mbedtls_pk_info_t mbedtls_rsa_info = {
613 .type = MBEDTLS_PK_RSA,
614 .name = "RSA",
615 .get_bitlen = rsa_get_bitlen,
616 .can_do = rsa_can_do,
617 .verify_func = rsa_verify_wrap,
618 .sign_func = rsa_sign_wrap,
619 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
620 .verify_rs_func = NULL,
621 .sign_rs_func = NULL,
622 .rs_alloc_func = NULL,
623 .rs_free_func = NULL,
624 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
625 .decrypt_func = rsa_decrypt_wrap,
626 .encrypt_func = rsa_encrypt_wrap,
627 .check_pair_func = rsa_check_pair_wrap,
628 .ctx_alloc_func = rsa_alloc_wrap,
629 .ctx_free_func = rsa_free_wrap,
630 .debug_func = rsa_debug,
631 };
632 #endif /* MBEDTLS_RSA_C */
633
634 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
635 /*
636 * Generic EC key
637 */
eckey_can_do(mbedtls_pk_type_t type)638 static int eckey_can_do(mbedtls_pk_type_t type)
639 {
640 return type == MBEDTLS_PK_ECKEY ||
641 type == MBEDTLS_PK_ECKEY_DH ||
642 type == MBEDTLS_PK_ECDSA;
643 }
644
eckey_get_bitlen(mbedtls_pk_context * pk)645 static size_t eckey_get_bitlen(mbedtls_pk_context *pk)
646 {
647 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
648 return pk->ec_bits;
649 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
650 mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
651 return ecp->grp.pbits;
652 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
653 }
654
655 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
656 #if defined(MBEDTLS_USE_PSA_CRYPTO)
657 /*
658 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
659 * those integers and convert it to the fixed-length encoding expected by PSA.
660 */
extract_ecdsa_sig_int(unsigned char ** from,const unsigned char * end,unsigned char * to,size_t to_len)661 static int extract_ecdsa_sig_int(unsigned char **from, const unsigned char *end,
662 unsigned char *to, size_t to_len)
663 {
664 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
665 size_t unpadded_len, padding_len;
666
667 if ((ret = mbedtls_asn1_get_tag(from, end, &unpadded_len,
668 MBEDTLS_ASN1_INTEGER)) != 0) {
669 return ret;
670 }
671
672 while (unpadded_len > 0 && **from == 0x00) {
673 (*from)++;
674 unpadded_len--;
675 }
676
677 if (unpadded_len > to_len || unpadded_len == 0) {
678 return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
679 }
680
681 padding_len = to_len - unpadded_len;
682 memset(to, 0x00, padding_len);
683 memcpy(to + padding_len, *from, unpadded_len);
684 (*from) += unpadded_len;
685
686 return 0;
687 }
688
689 /*
690 * Convert a signature from an ASN.1 sequence of two integers
691 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least
692 * twice as big as int_size.
693 */
extract_ecdsa_sig(unsigned char ** p,const unsigned char * end,unsigned char * sig,size_t int_size)694 static int extract_ecdsa_sig(unsigned char **p, const unsigned char *end,
695 unsigned char *sig, size_t int_size)
696 {
697 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
698 size_t tmp_size;
699
700 if ((ret = mbedtls_asn1_get_tag(p, end, &tmp_size,
701 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
702 return ret;
703 }
704
705 /* Extract r */
706 if ((ret = extract_ecdsa_sig_int(p, end, sig, int_size)) != 0) {
707 return ret;
708 }
709 /* Extract s */
710 if ((ret = extract_ecdsa_sig_int(p, end, sig + int_size, int_size)) != 0) {
711 return ret;
712 }
713
714 return 0;
715 }
716
717 /* Common helper for ECDSA verify using PSA functions. */
ecdsa_verify_psa(unsigned char * key,size_t key_len,psa_ecc_family_t curve,size_t curve_bits,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)718 static int ecdsa_verify_psa(unsigned char *key, size_t key_len,
719 psa_ecc_family_t curve, size_t curve_bits,
720 const unsigned char *hash, size_t hash_len,
721 const unsigned char *sig, size_t sig_len)
722 {
723 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
724 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
725 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
726 psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
727 size_t signature_len = PSA_ECDSA_SIGNATURE_SIZE(curve_bits);
728 unsigned char extracted_sig[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
729 unsigned char *p;
730 psa_status_t status;
731
732 if (curve == 0) {
733 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
734 }
735
736 psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
737 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
738 psa_set_key_algorithm(&attributes, psa_sig_md);
739
740 status = psa_import_key(&attributes, key, key_len, &key_id);
741 if (status != PSA_SUCCESS) {
742 ret = PSA_PK_TO_MBEDTLS_ERR(status);
743 goto cleanup;
744 }
745
746 if (signature_len > sizeof(extracted_sig)) {
747 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
748 goto cleanup;
749 }
750
751 p = (unsigned char *) sig;
752 /* extract_ecdsa_sig's last parameter is the size
753 * of each integer to be parsed, so it's actually half
754 * the size of the signature. */
755 if ((ret = extract_ecdsa_sig(&p, sig + sig_len, extracted_sig,
756 signature_len/2)) != 0) {
757 goto cleanup;
758 }
759
760 status = psa_verify_hash(key_id, psa_sig_md, hash, hash_len,
761 extracted_sig, signature_len);
762 if (status != PSA_SUCCESS) {
763 ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
764 goto cleanup;
765 }
766
767 if (p != sig + sig_len) {
768 ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
769 goto cleanup;
770 }
771 ret = 0;
772
773 cleanup:
774 status = psa_destroy_key(key_id);
775 if (ret == 0 && status != PSA_SUCCESS) {
776 ret = PSA_PK_TO_MBEDTLS_ERR(status);
777 }
778
779 return ret;
780 }
781
ecdsa_opaque_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)782 static int ecdsa_opaque_verify_wrap(mbedtls_pk_context *pk,
783 mbedtls_md_type_t md_alg,
784 const unsigned char *hash, size_t hash_len,
785 const unsigned char *sig, size_t sig_len)
786 {
787 (void) md_alg;
788 unsigned char key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
789 size_t key_len;
790 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
791 psa_ecc_family_t curve;
792 size_t curve_bits;
793 psa_status_t status;
794
795 status = psa_get_key_attributes(pk->priv_id, &key_attr);
796 if (status != PSA_SUCCESS) {
797 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
798 }
799 curve = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attr));
800 curve_bits = psa_get_key_bits(&key_attr);
801 psa_reset_key_attributes(&key_attr);
802
803 status = psa_export_public_key(pk->priv_id, key, sizeof(key), &key_len);
804 if (status != PSA_SUCCESS) {
805 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
806 }
807
808 return ecdsa_verify_psa(key, key_len, curve, curve_bits,
809 hash, hash_len, sig, sig_len);
810 }
811
812 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
ecdsa_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)813 static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
814 mbedtls_md_type_t md_alg,
815 const unsigned char *hash, size_t hash_len,
816 const unsigned char *sig, size_t sig_len)
817 {
818 (void) md_alg;
819 psa_ecc_family_t curve = pk->ec_family;
820 size_t curve_bits = pk->ec_bits;
821
822 return ecdsa_verify_psa(pk->pub_raw, pk->pub_raw_len, curve, curve_bits,
823 hash, hash_len, sig, sig_len);
824 }
825 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
ecdsa_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)826 static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
827 mbedtls_md_type_t md_alg,
828 const unsigned char *hash, size_t hash_len,
829 const unsigned char *sig, size_t sig_len)
830 {
831 (void) md_alg;
832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
833 mbedtls_ecp_keypair *ctx = pk->pk_ctx;
834 unsigned char key[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
835 size_t key_len;
836 size_t curve_bits;
837 psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
838
839 ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q,
840 MBEDTLS_ECP_PF_UNCOMPRESSED,
841 &key_len, key, sizeof(key));
842 if (ret != 0) {
843 return ret;
844 }
845
846 return ecdsa_verify_psa(key, key_len, curve, curve_bits,
847 hash, hash_len, sig, sig_len);
848 }
849 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
850 #else /* MBEDTLS_USE_PSA_CRYPTO */
ecdsa_verify_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)851 static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
852 const unsigned char *hash, size_t hash_len,
853 const unsigned char *sig, size_t sig_len)
854 {
855 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
856 ((void) md_alg);
857
858 ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
859 hash, hash_len, sig, sig_len);
860
861 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
862 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
863 }
864
865 return ret;
866 }
867 #endif /* MBEDTLS_USE_PSA_CRYPTO */
868 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
869
870 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
871 #if defined(MBEDTLS_USE_PSA_CRYPTO)
872 /*
873 * Simultaneously convert and move raw MPI from the beginning of a buffer
874 * to an ASN.1 MPI at the end of the buffer.
875 * See also mbedtls_asn1_write_mpi().
876 *
877 * p: pointer to the end of the output buffer
878 * start: start of the output buffer, and also of the mpi to write at the end
879 * n_len: length of the mpi to read from start
880 */
asn1_write_mpibuf(unsigned char ** p,unsigned char * start,size_t n_len)881 static int asn1_write_mpibuf(unsigned char **p, unsigned char *start,
882 size_t n_len)
883 {
884 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
885 size_t len = 0;
886
887 if ((size_t) (*p - start) < n_len) {
888 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
889 }
890
891 len = n_len;
892 *p -= len;
893 memmove(*p, start, len);
894
895 /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
896 * Neither r nor s should be 0, but as a failsafe measure, still detect
897 * that rather than overflowing the buffer in case of a PSA error. */
898 while (len > 0 && **p == 0x00) {
899 ++(*p);
900 --len;
901 }
902
903 /* this is only reached if the signature was invalid */
904 if (len == 0) {
905 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
906 }
907
908 /* if the msb is 1, ASN.1 requires that we prepend a 0.
909 * Neither r nor s can be 0, so we can assume len > 0 at all times. */
910 if (**p & 0x80) {
911 if (*p - start < 1) {
912 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
913 }
914
915 *--(*p) = 0x00;
916 len += 1;
917 }
918
919 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
920 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
921 MBEDTLS_ASN1_INTEGER));
922
923 return (int) len;
924 }
925
926 /* Transcode signature from PSA format to ASN.1 sequence.
927 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of
928 * MPIs, and in-place.
929 *
930 * [in/out] sig: the signature pre- and post-transcoding
931 * [in/out] sig_len: signature length pre- and post-transcoding
932 * [int] buf_len: the available size the in/out buffer
933 */
pk_ecdsa_sig_asn1_from_psa(unsigned char * sig,size_t * sig_len,size_t buf_len)934 static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len,
935 size_t buf_len)
936 {
937 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
938 size_t len = 0;
939 const size_t rs_len = *sig_len / 2;
940 unsigned char *p = sig + buf_len;
941
942 MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig + rs_len, rs_len));
943 MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig, rs_len));
944
945 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, sig, len));
946 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, sig,
947 MBEDTLS_ASN1_CONSTRUCTED |
948 MBEDTLS_ASN1_SEQUENCE));
949
950 memmove(sig, p, len);
951 *sig_len = len;
952
953 return 0;
954 }
955
956 /* Common helper for ECDSA sign using PSA functions. */
ecdsa_sign_psa(mbedtls_svc_key_id_t key_id,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len)957 static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg,
958 const unsigned char *hash, size_t hash_len,
959 unsigned char *sig, size_t sig_size, size_t *sig_len)
960 {
961 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
962 psa_status_t status;
963 psa_algorithm_t psa_sig_md;
964 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
965 psa_algorithm_t alg;
966
967 status = psa_get_key_attributes(key_id, &key_attr);
968 if (status != PSA_SUCCESS) {
969 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
970 }
971 alg = psa_get_key_algorithm(&key_attr);
972 psa_reset_key_attributes(&key_attr);
973
974 if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
975 psa_sig_md = PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
976 } else {
977 psa_sig_md = PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
978 }
979
980 status = psa_sign_hash(key_id, psa_sig_md, hash, hash_len,
981 sig, sig_size, sig_len);
982 if (status != PSA_SUCCESS) {
983 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
984 }
985
986 ret = pk_ecdsa_sig_asn1_from_psa(sig, sig_len, sig_size);
987
988 return ret;
989 }
990
ecdsa_opaque_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)991 static int ecdsa_opaque_sign_wrap(mbedtls_pk_context *pk,
992 mbedtls_md_type_t md_alg,
993 const unsigned char *hash, size_t hash_len,
994 unsigned char *sig, size_t sig_size,
995 size_t *sig_len,
996 int (*f_rng)(void *, unsigned char *, size_t),
997 void *p_rng)
998 {
999 ((void) f_rng);
1000 ((void) p_rng);
1001
1002 return ecdsa_sign_psa(pk->priv_id, md_alg, hash, hash_len, sig, sig_size,
1003 sig_len);
1004 }
1005
1006 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1007 /* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
1008 * using the same function. */
1009 #define ecdsa_sign_wrap ecdsa_opaque_sign_wrap
1010 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
ecdsa_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1011 static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1012 const unsigned char *hash, size_t hash_len,
1013 unsigned char *sig, size_t sig_size, size_t *sig_len,
1014 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1015 {
1016 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1017 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
1018 psa_status_t status;
1019 mbedtls_ecp_keypair *ctx = pk->pk_ctx;
1020 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1021 unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
1022 size_t curve_bits;
1023 psa_ecc_family_t curve =
1024 mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
1025 size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
1026 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
1027 psa_algorithm_t psa_sig_md =
1028 PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
1029 #else
1030 psa_algorithm_t psa_sig_md =
1031 PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg));
1032 #endif
1033 ((void) f_rng);
1034 ((void) p_rng);
1035
1036 if (curve == 0) {
1037 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1038 }
1039
1040 if (key_len > sizeof(buf)) {
1041 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1042 }
1043 ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len);
1044 if (ret != 0) {
1045 goto cleanup;
1046 }
1047
1048 psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
1049 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
1050 psa_set_key_algorithm(&attributes, psa_sig_md);
1051
1052 status = psa_import_key(&attributes, buf, key_len, &key_id);
1053 if (status != PSA_SUCCESS) {
1054 ret = PSA_PK_TO_MBEDTLS_ERR(status);
1055 goto cleanup;
1056 }
1057
1058 ret = ecdsa_sign_psa(key_id, md_alg, hash, hash_len, sig, sig_size, sig_len);
1059
1060 cleanup:
1061 mbedtls_platform_zeroize(buf, sizeof(buf));
1062 status = psa_destroy_key(key_id);
1063 if (ret == 0 && status != PSA_SUCCESS) {
1064 ret = PSA_PK_TO_MBEDTLS_ERR(status);
1065 }
1066
1067 return ret;
1068 }
1069 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1070 #else /* MBEDTLS_USE_PSA_CRYPTO */
ecdsa_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1071 static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1072 const unsigned char *hash, size_t hash_len,
1073 unsigned char *sig, size_t sig_size, size_t *sig_len,
1074 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1075 {
1076 return mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
1077 md_alg, hash, hash_len,
1078 sig, sig_size, sig_len,
1079 f_rng, p_rng);
1080 }
1081 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1082 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1083
1084 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1085 /* Forward declarations */
1086 static int ecdsa_verify_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
1087 const unsigned char *hash, size_t hash_len,
1088 const unsigned char *sig, size_t sig_len,
1089 void *rs_ctx);
1090
1091 static int ecdsa_sign_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
1092 const unsigned char *hash, size_t hash_len,
1093 unsigned char *sig, size_t sig_size, size_t *sig_len,
1094 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1095 void *rs_ctx);
1096
1097 /*
1098 * Restart context for ECDSA operations with ECKEY context
1099 *
1100 * We need to store an actual ECDSA context, as we need to pass the same to
1101 * the underlying ecdsa function, so we can't create it on the fly every time.
1102 */
1103 typedef struct {
1104 mbedtls_ecdsa_restart_ctx ecdsa_rs;
1105 mbedtls_ecdsa_context ecdsa_ctx;
1106 } eckey_restart_ctx;
1107
eckey_rs_alloc(void)1108 static void *eckey_rs_alloc(void)
1109 {
1110 eckey_restart_ctx *rs_ctx;
1111
1112 void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
1113
1114 if (ctx != NULL) {
1115 rs_ctx = ctx;
1116 mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
1117 mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
1118 }
1119
1120 return ctx;
1121 }
1122
eckey_rs_free(void * ctx)1123 static void eckey_rs_free(void *ctx)
1124 {
1125 eckey_restart_ctx *rs_ctx;
1126
1127 if (ctx == NULL) {
1128 return;
1129 }
1130
1131 rs_ctx = ctx;
1132 mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
1133 mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
1134
1135 mbedtls_free(ctx);
1136 }
1137
eckey_verify_rs_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)1138 static int eckey_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1139 const unsigned char *hash, size_t hash_len,
1140 const unsigned char *sig, size_t sig_len,
1141 void *rs_ctx)
1142 {
1143 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1144 eckey_restart_ctx *rs = rs_ctx;
1145
1146 /* Should never happen */
1147 if (rs == NULL) {
1148 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1149 }
1150
1151 /* set up our own sub-context if needed (that is, on first run) */
1152 if (rs->ecdsa_ctx.grp.pbits == 0) {
1153 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
1154 }
1155
1156 MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(pk,
1157 md_alg, hash, hash_len,
1158 sig, sig_len, &rs->ecdsa_rs));
1159
1160 cleanup:
1161 return ret;
1162 }
1163
eckey_sign_rs_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)1164 static int eckey_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1165 const unsigned char *hash, size_t hash_len,
1166 unsigned char *sig, size_t sig_size, size_t *sig_len,
1167 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1168 void *rs_ctx)
1169 {
1170 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1171 eckey_restart_ctx *rs = rs_ctx;
1172
1173 /* Should never happen */
1174 if (rs == NULL) {
1175 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1176 }
1177
1178 /* set up our own sub-context if needed (that is, on first run) */
1179 if (rs->ecdsa_ctx.grp.pbits == 0) {
1180 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
1181 }
1182
1183 MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(pk, md_alg,
1184 hash, hash_len, sig, sig_size, sig_len,
1185 f_rng, p_rng, &rs->ecdsa_rs));
1186
1187 cleanup:
1188 return ret;
1189 }
1190 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1191
1192 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1193 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
eckey_check_pair_psa(mbedtls_pk_context * pub,mbedtls_pk_context * prv)1194 static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
1195 {
1196 psa_status_t status;
1197 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1198 uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
1199 size_t prv_key_len;
1200 mbedtls_svc_key_id_t key_id = prv->priv_id;
1201
1202 status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
1203 &prv_key_len);
1204 ret = PSA_PK_TO_MBEDTLS_ERR(status);
1205 if (ret != 0) {
1206 return ret;
1207 }
1208
1209 if (memcmp(prv_key_buf, pub->pub_raw, pub->pub_raw_len) != 0) {
1210 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1211 }
1212
1213 return 0;
1214 }
1215 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
eckey_check_pair_psa(mbedtls_pk_context * pub,mbedtls_pk_context * prv)1216 static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
1217 {
1218 psa_status_t status;
1219 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1220 uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
1221 size_t prv_key_len;
1222 psa_status_t destruction_status;
1223 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
1224 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
1225 uint8_t pub_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
1226 size_t pub_key_len;
1227 size_t curve_bits;
1228 const psa_ecc_family_t curve =
1229 mbedtls_ecc_group_to_psa(mbedtls_pk_ec_ro(*prv)->grp.id, &curve_bits);
1230 const size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits);
1231
1232 if (curve == 0) {
1233 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1234 }
1235
1236 psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
1237 psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
1238
1239 ret = mbedtls_mpi_write_binary(&mbedtls_pk_ec_ro(*prv)->d,
1240 prv_key_buf, curve_bytes);
1241 if (ret != 0) {
1242 mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
1243 return ret;
1244 }
1245
1246 status = psa_import_key(&key_attr, prv_key_buf, curve_bytes, &key_id);
1247 mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
1248 ret = PSA_PK_TO_MBEDTLS_ERR(status);
1249 if (ret != 0) {
1250 return ret;
1251 }
1252
1253 // From now on prv_key_buf is used to store the public key of prv.
1254 status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
1255 &prv_key_len);
1256 ret = PSA_PK_TO_MBEDTLS_ERR(status);
1257 destruction_status = psa_destroy_key(key_id);
1258 if (ret != 0) {
1259 return ret;
1260 } else if (destruction_status != PSA_SUCCESS) {
1261 return PSA_PK_TO_MBEDTLS_ERR(destruction_status);
1262 }
1263
1264 ret = mbedtls_ecp_point_write_binary(&mbedtls_pk_ec_rw(*pub)->grp,
1265 &mbedtls_pk_ec_rw(*pub)->Q,
1266 MBEDTLS_ECP_PF_UNCOMPRESSED,
1267 &pub_key_len, pub_key_buf,
1268 sizeof(pub_key_buf));
1269 if (ret != 0) {
1270 return ret;
1271 }
1272
1273 if (memcmp(prv_key_buf, pub_key_buf, curve_bytes) != 0) {
1274 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1275 }
1276
1277 return 0;
1278 }
1279 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1280
eckey_check_pair_wrap(mbedtls_pk_context * pub,mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1281 static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1282 int (*f_rng)(void *, unsigned char *, size_t),
1283 void *p_rng)
1284 {
1285 (void) f_rng;
1286 (void) p_rng;
1287 return eckey_check_pair_psa(pub, prv);
1288 }
1289 #else /* MBEDTLS_USE_PSA_CRYPTO */
eckey_check_pair_wrap(mbedtls_pk_context * pub,mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1290 static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1291 int (*f_rng)(void *, unsigned char *, size_t),
1292 void *p_rng)
1293 {
1294 return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub->pk_ctx,
1295 (const mbedtls_ecp_keypair *) prv->pk_ctx,
1296 f_rng, p_rng);
1297 }
1298 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1299
1300 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1301 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1302 /* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
1303 * using the same function. */
1304 #define ecdsa_opaque_check_pair_wrap eckey_check_pair_wrap
1305 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
ecdsa_opaque_check_pair_wrap(mbedtls_pk_context * pub,mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1306 static int ecdsa_opaque_check_pair_wrap(mbedtls_pk_context *pub,
1307 mbedtls_pk_context *prv,
1308 int (*f_rng)(void *, unsigned char *, size_t),
1309 void *p_rng)
1310 {
1311 psa_status_t status;
1312 uint8_t exp_pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
1313 size_t exp_pub_key_len = 0;
1314 uint8_t pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
1315 size_t pub_key_len = 0;
1316 int ret;
1317 (void) f_rng;
1318 (void) p_rng;
1319
1320 status = psa_export_public_key(prv->priv_id, exp_pub_key, sizeof(exp_pub_key),
1321 &exp_pub_key_len);
1322 if (status != PSA_SUCCESS) {
1323 ret = psa_pk_status_to_mbedtls(status);
1324 return ret;
1325 }
1326 ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(*pub)->grp),
1327 &(mbedtls_pk_ec_ro(*pub)->Q),
1328 MBEDTLS_ECP_PF_UNCOMPRESSED,
1329 &pub_key_len, pub_key, sizeof(pub_key));
1330 if (ret != 0) {
1331 return ret;
1332 }
1333 if ((exp_pub_key_len != pub_key_len) ||
1334 memcmp(exp_pub_key, pub_key, exp_pub_key_len)) {
1335 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1336 }
1337 return 0;
1338 }
1339 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1340 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1341
1342 #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
eckey_alloc_wrap(void)1343 static void *eckey_alloc_wrap(void)
1344 {
1345 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
1346
1347 if (ctx != NULL) {
1348 mbedtls_ecp_keypair_init(ctx);
1349 }
1350
1351 return ctx;
1352 }
1353
eckey_free_wrap(void * ctx)1354 static void eckey_free_wrap(void *ctx)
1355 {
1356 mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
1357 mbedtls_free(ctx);
1358 }
1359 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1360
eckey_debug(mbedtls_pk_context * pk,mbedtls_pk_debug_item * items)1361 static void eckey_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
1362 {
1363 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1364 items->type = MBEDTLS_PK_DEBUG_PSA_EC;
1365 items->name = "eckey.Q";
1366 items->value = pk;
1367 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1368 mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
1369 items->type = MBEDTLS_PK_DEBUG_ECP;
1370 items->name = "eckey.Q";
1371 items->value = &(ecp->Q);
1372 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1373 }
1374
1375 const mbedtls_pk_info_t mbedtls_eckey_info = {
1376 .type = MBEDTLS_PK_ECKEY,
1377 .name = "EC",
1378 .get_bitlen = eckey_get_bitlen,
1379 .can_do = eckey_can_do,
1380 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1381 .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
1382 #else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1383 .verify_func = NULL,
1384 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1385 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1386 .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
1387 #else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1388 .sign_func = NULL,
1389 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1390 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1391 .verify_rs_func = eckey_verify_rs_wrap,
1392 .sign_rs_func = eckey_sign_rs_wrap,
1393 .rs_alloc_func = eckey_rs_alloc,
1394 .rs_free_func = eckey_rs_free,
1395 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1396 .decrypt_func = NULL,
1397 .encrypt_func = NULL,
1398 .check_pair_func = eckey_check_pair_wrap,
1399 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1400 .ctx_alloc_func = NULL,
1401 .ctx_free_func = NULL,
1402 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1403 .ctx_alloc_func = eckey_alloc_wrap,
1404 .ctx_free_func = eckey_free_wrap,
1405 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1406 .debug_func = eckey_debug,
1407 };
1408
1409 /*
1410 * EC key restricted to ECDH
1411 */
eckeydh_can_do(mbedtls_pk_type_t type)1412 static int eckeydh_can_do(mbedtls_pk_type_t type)
1413 {
1414 return type == MBEDTLS_PK_ECKEY ||
1415 type == MBEDTLS_PK_ECKEY_DH;
1416 }
1417
1418 const mbedtls_pk_info_t mbedtls_eckeydh_info = {
1419 .type = MBEDTLS_PK_ECKEY_DH,
1420 .name = "EC_DH",
1421 .get_bitlen = eckey_get_bitlen, /* Same underlying key structure */
1422 .can_do = eckeydh_can_do,
1423 .verify_func = NULL,
1424 .sign_func = NULL,
1425 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1426 .verify_rs_func = NULL,
1427 .sign_rs_func = NULL,
1428 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1429 .decrypt_func = NULL,
1430 .encrypt_func = NULL,
1431 .check_pair_func = eckey_check_pair_wrap,
1432 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1433 .ctx_alloc_func = NULL,
1434 .ctx_free_func = NULL,
1435 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1436 .ctx_alloc_func = eckey_alloc_wrap, /* Same underlying key structure */
1437 .ctx_free_func = eckey_free_wrap, /* Same underlying key structure */
1438 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1439 .debug_func = eckey_debug, /* Same underlying key structure */
1440 };
1441
1442 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
ecdsa_can_do(mbedtls_pk_type_t type)1443 static int ecdsa_can_do(mbedtls_pk_type_t type)
1444 {
1445 return type == MBEDTLS_PK_ECDSA;
1446 }
1447
1448 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
ecdsa_verify_rs_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)1449 static int ecdsa_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1450 const unsigned char *hash, size_t hash_len,
1451 const unsigned char *sig, size_t sig_len,
1452 void *rs_ctx)
1453 {
1454 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1455 ((void) md_alg);
1456
1457 ret = mbedtls_ecdsa_read_signature_restartable(
1458 (mbedtls_ecdsa_context *) pk->pk_ctx,
1459 hash, hash_len, sig, sig_len,
1460 (mbedtls_ecdsa_restart_ctx *) rs_ctx);
1461
1462 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
1463 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
1464 }
1465
1466 return ret;
1467 }
1468
ecdsa_sign_rs_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)1469 static int ecdsa_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1470 const unsigned char *hash, size_t hash_len,
1471 unsigned char *sig, size_t sig_size, size_t *sig_len,
1472 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1473 void *rs_ctx)
1474 {
1475 return mbedtls_ecdsa_write_signature_restartable(
1476 (mbedtls_ecdsa_context *) pk->pk_ctx,
1477 md_alg, hash, hash_len, sig, sig_size, sig_len, f_rng, p_rng,
1478 (mbedtls_ecdsa_restart_ctx *) rs_ctx);
1479
1480 }
1481
ecdsa_rs_alloc(void)1482 static void *ecdsa_rs_alloc(void)
1483 {
1484 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
1485
1486 if (ctx != NULL) {
1487 mbedtls_ecdsa_restart_init(ctx);
1488 }
1489
1490 return ctx;
1491 }
1492
ecdsa_rs_free(void * ctx)1493 static void ecdsa_rs_free(void *ctx)
1494 {
1495 mbedtls_ecdsa_restart_free(ctx);
1496 mbedtls_free(ctx);
1497 }
1498 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1499
1500 const mbedtls_pk_info_t mbedtls_ecdsa_info = {
1501 .type = MBEDTLS_PK_ECDSA,
1502 .name = "ECDSA",
1503 .get_bitlen = eckey_get_bitlen, /* Compatible key structures */
1504 .can_do = ecdsa_can_do,
1505 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1506 .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
1507 #else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1508 .verify_func = NULL,
1509 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1510 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1511 .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
1512 #else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1513 .sign_func = NULL,
1514 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1515 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1516 .verify_rs_func = ecdsa_verify_rs_wrap,
1517 .sign_rs_func = ecdsa_sign_rs_wrap,
1518 .rs_alloc_func = ecdsa_rs_alloc,
1519 .rs_free_func = ecdsa_rs_free,
1520 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1521 .decrypt_func = NULL,
1522 .encrypt_func = NULL,
1523 .check_pair_func = eckey_check_pair_wrap, /* Compatible key structures */
1524 #if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1525 .ctx_alloc_func = NULL,
1526 .ctx_free_func = NULL,
1527 #else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1528 .ctx_alloc_func = eckey_alloc_wrap, /* Compatible key structures */
1529 .ctx_free_func = eckey_free_wrap, /* Compatible key structures */
1530 #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1531 .debug_func = eckey_debug, /* Compatible key structures */
1532 };
1533 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
1534 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
1535
1536 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
1537 /*
1538 * Support for alternative RSA-private implementations
1539 */
1540
rsa_alt_can_do(mbedtls_pk_type_t type)1541 static int rsa_alt_can_do(mbedtls_pk_type_t type)
1542 {
1543 return type == MBEDTLS_PK_RSA;
1544 }
1545
rsa_alt_get_bitlen(mbedtls_pk_context * pk)1546 static size_t rsa_alt_get_bitlen(mbedtls_pk_context *pk)
1547 {
1548 const mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
1549
1550 return 8 * rsa_alt->key_len_func(rsa_alt->key);
1551 }
1552
rsa_alt_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1553 static int rsa_alt_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1554 const unsigned char *hash, size_t hash_len,
1555 unsigned char *sig, size_t sig_size, size_t *sig_len,
1556 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1557 {
1558 mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
1559
1560 #if SIZE_MAX > UINT_MAX
1561 if (UINT_MAX < hash_len) {
1562 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1563 }
1564 #endif
1565
1566 *sig_len = rsa_alt->key_len_func(rsa_alt->key);
1567 if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
1568 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1569 }
1570 if (*sig_len > sig_size) {
1571 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
1572 }
1573
1574 return rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng,
1575 md_alg, (unsigned int) hash_len, hash, sig);
1576 }
1577
rsa_alt_decrypt_wrap(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1578 static int rsa_alt_decrypt_wrap(mbedtls_pk_context *pk,
1579 const unsigned char *input, size_t ilen,
1580 unsigned char *output, size_t *olen, size_t osize,
1581 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1582 {
1583 mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
1584
1585 ((void) f_rng);
1586 ((void) p_rng);
1587
1588 if (ilen != rsa_alt->key_len_func(rsa_alt->key)) {
1589 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1590 }
1591
1592 return rsa_alt->decrypt_func(rsa_alt->key,
1593 olen, input, output, osize);
1594 }
1595
1596 #if defined(MBEDTLS_RSA_C)
rsa_alt_check_pair(mbedtls_pk_context * pub,mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1597 static int rsa_alt_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1598 int (*f_rng)(void *, unsigned char *, size_t),
1599 void *p_rng)
1600 {
1601 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
1602 unsigned char hash[32];
1603 size_t sig_len = 0;
1604 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1605
1606 if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub)) {
1607 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1608 }
1609
1610 memset(hash, 0x2a, sizeof(hash));
1611
1612 if ((ret = rsa_alt_sign_wrap(prv, MBEDTLS_MD_NONE,
1613 hash, sizeof(hash),
1614 sig, sizeof(sig), &sig_len,
1615 f_rng, p_rng)) != 0) {
1616 return ret;
1617 }
1618
1619 if (rsa_verify_wrap(pub, MBEDTLS_MD_NONE,
1620 hash, sizeof(hash), sig, sig_len) != 0) {
1621 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1622 }
1623
1624 return 0;
1625 }
1626 #endif /* MBEDTLS_RSA_C */
1627
rsa_alt_alloc_wrap(void)1628 static void *rsa_alt_alloc_wrap(void)
1629 {
1630 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context));
1631
1632 if (ctx != NULL) {
1633 memset(ctx, 0, sizeof(mbedtls_rsa_alt_context));
1634 }
1635
1636 return ctx;
1637 }
1638
rsa_alt_free_wrap(void * ctx)1639 static void rsa_alt_free_wrap(void *ctx)
1640 {
1641 mbedtls_zeroize_and_free(ctx, sizeof(mbedtls_rsa_alt_context));
1642 }
1643
1644 const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
1645 .type = MBEDTLS_PK_RSA_ALT,
1646 .name = "RSA-alt",
1647 .get_bitlen = rsa_alt_get_bitlen,
1648 .can_do = rsa_alt_can_do,
1649 .verify_func = NULL,
1650 .sign_func = rsa_alt_sign_wrap,
1651 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1652 .verify_rs_func = NULL,
1653 .sign_rs_func = NULL,
1654 .rs_alloc_func = NULL,
1655 .rs_free_func = NULL,
1656 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1657 .decrypt_func = rsa_alt_decrypt_wrap,
1658 .encrypt_func = NULL,
1659 #if defined(MBEDTLS_RSA_C)
1660 .check_pair_func = rsa_alt_check_pair,
1661 #else
1662 .check_pair_func = NULL,
1663 #endif
1664 .ctx_alloc_func = rsa_alt_alloc_wrap,
1665 .ctx_free_func = rsa_alt_free_wrap,
1666 .debug_func = NULL,
1667 };
1668 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
1669
1670 #if defined(MBEDTLS_USE_PSA_CRYPTO)
opaque_get_bitlen(mbedtls_pk_context * pk)1671 static size_t opaque_get_bitlen(mbedtls_pk_context *pk)
1672 {
1673 size_t bits;
1674 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1675
1676 if (PSA_SUCCESS != psa_get_key_attributes(pk->priv_id, &attributes)) {
1677 return 0;
1678 }
1679
1680 bits = psa_get_key_bits(&attributes);
1681 psa_reset_key_attributes(&attributes);
1682 return bits;
1683 }
1684
1685 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
ecdsa_opaque_can_do(mbedtls_pk_type_t type)1686 static int ecdsa_opaque_can_do(mbedtls_pk_type_t type)
1687 {
1688 return type == MBEDTLS_PK_ECKEY ||
1689 type == MBEDTLS_PK_ECDSA;
1690 }
1691
1692 const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info = {
1693 .type = MBEDTLS_PK_OPAQUE,
1694 .name = "Opaque",
1695 .get_bitlen = opaque_get_bitlen,
1696 .can_do = ecdsa_opaque_can_do,
1697 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1698 .verify_func = ecdsa_opaque_verify_wrap,
1699 #else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1700 .verify_func = NULL,
1701 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1702 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1703 .sign_func = ecdsa_opaque_sign_wrap,
1704 #else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1705 .sign_func = NULL,
1706 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1707 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1708 .verify_rs_func = NULL,
1709 .sign_rs_func = NULL,
1710 .rs_alloc_func = NULL,
1711 .rs_free_func = NULL,
1712 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1713 .decrypt_func = NULL,
1714 .encrypt_func = NULL,
1715 .check_pair_func = ecdsa_opaque_check_pair_wrap,
1716 .ctx_alloc_func = NULL,
1717 .ctx_free_func = NULL,
1718 .debug_func = NULL,
1719 };
1720 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
1721
rsa_opaque_can_do(mbedtls_pk_type_t type)1722 static int rsa_opaque_can_do(mbedtls_pk_type_t type)
1723 {
1724 return type == MBEDTLS_PK_RSA ||
1725 type == MBEDTLS_PK_RSASSA_PSS;
1726 }
1727
1728 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
rsa_opaque_decrypt(mbedtls_pk_context * pk,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1729 static int rsa_opaque_decrypt(mbedtls_pk_context *pk,
1730 const unsigned char *input, size_t ilen,
1731 unsigned char *output, size_t *olen, size_t osize,
1732 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1733 {
1734 psa_status_t status;
1735
1736 /* PSA has its own RNG */
1737 (void) f_rng;
1738 (void) p_rng;
1739
1740 status = psa_asymmetric_decrypt(pk->priv_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
1741 input, ilen,
1742 NULL, 0,
1743 output, osize, olen);
1744 if (status != PSA_SUCCESS) {
1745 return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
1746 }
1747
1748 return 0;
1749 }
1750 #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1751
rsa_opaque_sign_wrap(mbedtls_pk_context * pk,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1752 static int rsa_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1753 const unsigned char *hash, size_t hash_len,
1754 unsigned char *sig, size_t sig_size, size_t *sig_len,
1755 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1756 {
1757 #if defined(MBEDTLS_RSA_C)
1758 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1759 psa_algorithm_t alg;
1760 psa_key_type_t type;
1761 psa_status_t status;
1762
1763 /* PSA has its own RNG */
1764 (void) f_rng;
1765 (void) p_rng;
1766
1767 status = psa_get_key_attributes(pk->priv_id, &attributes);
1768 if (status != PSA_SUCCESS) {
1769 return PSA_PK_TO_MBEDTLS_ERR(status);
1770 }
1771
1772 type = psa_get_key_type(&attributes);
1773 psa_reset_key_attributes(&attributes);
1774
1775 if (PSA_KEY_TYPE_IS_RSA(type)) {
1776 alg = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
1777 } else {
1778 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1779 }
1780
1781 /* make the signature */
1782 status = psa_sign_hash(pk->priv_id, alg, hash, hash_len,
1783 sig, sig_size, sig_len);
1784 if (status != PSA_SUCCESS) {
1785 if (PSA_KEY_TYPE_IS_RSA(type)) {
1786 return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
1787 } else {
1788 return PSA_PK_TO_MBEDTLS_ERR(status);
1789 }
1790 }
1791
1792 return 0;
1793 #else /* !MBEDTLS_RSA_C */
1794 ((void) pk);
1795 ((void) md_alg);
1796 ((void) hash);
1797 ((void) hash_len);
1798 ((void) sig);
1799 ((void) sig_size);
1800 ((void) sig_len);
1801 ((void) f_rng);
1802 ((void) p_rng);
1803 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1804 #endif /* !MBEDTLS_RSA_C */
1805 }
1806
1807 const mbedtls_pk_info_t mbedtls_rsa_opaque_info = {
1808 .type = MBEDTLS_PK_OPAQUE,
1809 .name = "Opaque",
1810 .get_bitlen = opaque_get_bitlen,
1811 .can_do = rsa_opaque_can_do,
1812 .verify_func = NULL,
1813 .sign_func = rsa_opaque_sign_wrap,
1814 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1815 .verify_rs_func = NULL,
1816 .sign_rs_func = NULL,
1817 .rs_alloc_func = NULL,
1818 .rs_free_func = NULL,
1819 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1820 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
1821 .decrypt_func = rsa_opaque_decrypt,
1822 #else /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1823 .decrypt_func = NULL,
1824 #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1825 .encrypt_func = NULL,
1826 .check_pair_func = NULL,
1827 .ctx_alloc_func = NULL,
1828 .ctx_free_func = NULL,
1829 .debug_func = NULL,
1830 };
1831
1832 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1833
1834 #endif /* MBEDTLS_PK_C */
1835
