1 /*
2 * Public Key abstraction layer: wrapper functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_PK_C)
23 #include "mbedtls/pk_internal.h"
24 #include "mbedtls/error.h"
25
26 /* Even if RSA not activated, for the sake of RSA-alt */
27 #include "mbedtls/rsa.h"
28
29 #include <string.h>
30
31 #if defined(MBEDTLS_ECP_C)
32 #include "mbedtls/ecp.h"
33 #endif
34
35 #if defined(MBEDTLS_ECDSA_C)
36 #include "mbedtls/ecdsa.h"
37 #endif
38
39 #if defined(MBEDTLS_USE_PSA_CRYPTO)
40 #include "mbedtls/asn1write.h"
41 #endif
42
43 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
44 #include "mbedtls/platform_util.h"
45 #endif
46
47 #if defined(MBEDTLS_USE_PSA_CRYPTO)
48 #include "psa/crypto.h"
49 #include "mbedtls/psa_util.h"
50 #include "mbedtls/asn1.h"
51 #endif
52
53 #if defined(MBEDTLS_PLATFORM_C)
54 #include "mbedtls/platform.h"
55 #else
56 #include <stdlib.h>
57 #define mbedtls_calloc calloc
58 #define mbedtls_free free
59 #endif
60
61 #include <limits.h>
62 #include <stdint.h>
63
64 #if defined(MBEDTLS_RSA_C)
rsa_can_do(mbedtls_pk_type_t type)65 static int rsa_can_do( mbedtls_pk_type_t type )
66 {
67 return( type == MBEDTLS_PK_RSA ||
68 type == MBEDTLS_PK_RSASSA_PSS );
69 }
70
rsa_get_bitlen(const void * ctx)71 static size_t rsa_get_bitlen( const void *ctx )
72 {
73 const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx;
74 return( 8 * mbedtls_rsa_get_len( rsa ) );
75 }
76
rsa_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)77 static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
78 const unsigned char *hash, size_t hash_len,
79 const unsigned char *sig, size_t sig_len )
80 {
81 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
82 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
83 size_t rsa_len = mbedtls_rsa_get_len( rsa );
84
85 #if SIZE_MAX > UINT_MAX
86 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
87 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
88 #endif /* SIZE_MAX > UINT_MAX */
89
90 if( sig_len < rsa_len )
91 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
92
93 if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL,
94 MBEDTLS_RSA_PUBLIC, md_alg,
95 (unsigned int) hash_len, hash, sig ) ) != 0 )
96 return( ret );
97
98 /* The buffer contains a valid signature followed by extra data.
99 * We have a special error code for that so that so that callers can
100 * use mbedtls_pk_verify() to check "Does the buffer start with a
101 * valid signature?" and not just "Does the buffer contain a valid
102 * signature?". */
103 if( sig_len > rsa_len )
104 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
105
106 return( 0 );
107 }
108
rsa_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)109 static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
110 const unsigned char *hash, size_t hash_len,
111 unsigned char *sig, size_t *sig_len,
112 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
113 {
114 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
115
116 #if SIZE_MAX > UINT_MAX
117 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
118 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
119 #endif /* SIZE_MAX > UINT_MAX */
120
121 *sig_len = mbedtls_rsa_get_len( rsa );
122
123 return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
124 md_alg, (unsigned int) hash_len, hash, sig ) );
125 }
126
rsa_decrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)127 static int rsa_decrypt_wrap( void *ctx,
128 const unsigned char *input, size_t ilen,
129 unsigned char *output, size_t *olen, size_t osize,
130 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
131 {
132 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
133
134 if( ilen != mbedtls_rsa_get_len( rsa ) )
135 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
136
137 return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng,
138 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
139 }
140
rsa_encrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)141 static int rsa_encrypt_wrap( void *ctx,
142 const unsigned char *input, size_t ilen,
143 unsigned char *output, size_t *olen, size_t osize,
144 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
145 {
146 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
147 *olen = mbedtls_rsa_get_len( rsa );
148
149 if( *olen > osize )
150 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
151
152 return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC,
153 ilen, input, output ) );
154 }
155
rsa_check_pair_wrap(const void * pub,const void * prv)156 static int rsa_check_pair_wrap( const void *pub, const void *prv )
157 {
158 return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub,
159 (const mbedtls_rsa_context *) prv ) );
160 }
161
rsa_alloc_wrap(void)162 static void *rsa_alloc_wrap( void )
163 {
164 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) );
165
166 if( ctx != NULL )
167 mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 );
168
169 return( ctx );
170 }
171
rsa_free_wrap(void * ctx)172 static void rsa_free_wrap( void *ctx )
173 {
174 mbedtls_rsa_free( (mbedtls_rsa_context *) ctx );
175 mbedtls_free( ctx );
176 }
177
rsa_debug(const void * ctx,mbedtls_pk_debug_item * items)178 static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items )
179 {
180 items->type = MBEDTLS_PK_DEBUG_MPI;
181 items->name = "rsa.N";
182 items->value = &( ((mbedtls_rsa_context *) ctx)->N );
183
184 items++;
185
186 items->type = MBEDTLS_PK_DEBUG_MPI;
187 items->name = "rsa.E";
188 items->value = &( ((mbedtls_rsa_context *) ctx)->E );
189 }
190
191 const mbedtls_pk_info_t mbedtls_rsa_info = {
192 MBEDTLS_PK_RSA,
193 "RSA",
194 rsa_get_bitlen,
195 rsa_can_do,
196 rsa_verify_wrap,
197 rsa_sign_wrap,
198 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
199 NULL,
200 NULL,
201 #endif
202 rsa_decrypt_wrap,
203 rsa_encrypt_wrap,
204 rsa_check_pair_wrap,
205 rsa_alloc_wrap,
206 rsa_free_wrap,
207 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
208 NULL,
209 NULL,
210 #endif
211 rsa_debug,
212 };
213 #endif /* MBEDTLS_RSA_C */
214
215 #if defined(MBEDTLS_ECP_C)
216 /*
217 * Generic EC key
218 */
eckey_can_do(mbedtls_pk_type_t type)219 static int eckey_can_do( mbedtls_pk_type_t type )
220 {
221 return( type == MBEDTLS_PK_ECKEY ||
222 type == MBEDTLS_PK_ECKEY_DH ||
223 type == MBEDTLS_PK_ECDSA );
224 }
225
eckey_get_bitlen(const void * ctx)226 static size_t eckey_get_bitlen( const void *ctx )
227 {
228 return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits );
229 }
230
231 #if defined(MBEDTLS_ECDSA_C)
232 /* Forward declarations */
233 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
234 const unsigned char *hash, size_t hash_len,
235 const unsigned char *sig, size_t sig_len );
236
237 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
238 const unsigned char *hash, size_t hash_len,
239 unsigned char *sig, size_t *sig_len,
240 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
241
eckey_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)242 static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
243 const unsigned char *hash, size_t hash_len,
244 const unsigned char *sig, size_t sig_len )
245 {
246 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
247 mbedtls_ecdsa_context ecdsa;
248
249 mbedtls_ecdsa_init( &ecdsa );
250
251 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
252 ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len );
253
254 mbedtls_ecdsa_free( &ecdsa );
255
256 return( ret );
257 }
258
eckey_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)259 static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
260 const unsigned char *hash, size_t hash_len,
261 unsigned char *sig, size_t *sig_len,
262 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
263 {
264 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
265 mbedtls_ecdsa_context ecdsa;
266
267 mbedtls_ecdsa_init( &ecdsa );
268
269 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
270 ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len,
271 f_rng, p_rng );
272
273 mbedtls_ecdsa_free( &ecdsa );
274
275 return( ret );
276 }
277
278 #if defined(MBEDTLS_ECP_RESTARTABLE)
279 /* Forward declarations */
280 static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
281 const unsigned char *hash, size_t hash_len,
282 const unsigned char *sig, size_t sig_len,
283 void *rs_ctx );
284
285 static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
286 const unsigned char *hash, size_t hash_len,
287 unsigned char *sig, size_t *sig_len,
288 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
289 void *rs_ctx );
290
291 /*
292 * Restart context for ECDSA operations with ECKEY context
293 *
294 * We need to store an actual ECDSA context, as we need to pass the same to
295 * the underlying ecdsa function, so we can't create it on the fly every time.
296 */
297 typedef struct
298 {
299 mbedtls_ecdsa_restart_ctx ecdsa_rs;
300 mbedtls_ecdsa_context ecdsa_ctx;
301 } eckey_restart_ctx;
302
eckey_rs_alloc(void)303 static void *eckey_rs_alloc( void )
304 {
305 eckey_restart_ctx *rs_ctx;
306
307 void *ctx = mbedtls_calloc( 1, sizeof( eckey_restart_ctx ) );
308
309 if( ctx != NULL )
310 {
311 rs_ctx = ctx;
312 mbedtls_ecdsa_restart_init( &rs_ctx->ecdsa_rs );
313 mbedtls_ecdsa_init( &rs_ctx->ecdsa_ctx );
314 }
315
316 return( ctx );
317 }
318
eckey_rs_free(void * ctx)319 static void eckey_rs_free( void *ctx )
320 {
321 eckey_restart_ctx *rs_ctx;
322
323 if( ctx == NULL)
324 return;
325
326 rs_ctx = ctx;
327 mbedtls_ecdsa_restart_free( &rs_ctx->ecdsa_rs );
328 mbedtls_ecdsa_free( &rs_ctx->ecdsa_ctx );
329
330 mbedtls_free( ctx );
331 }
332
eckey_verify_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)333 static int eckey_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
334 const unsigned char *hash, size_t hash_len,
335 const unsigned char *sig, size_t sig_len,
336 void *rs_ctx )
337 {
338 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
339 eckey_restart_ctx *rs = rs_ctx;
340
341 /* Should never happen */
342 if( rs == NULL )
343 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
344
345 /* set up our own sub-context if needed (that is, on first run) */
346 if( rs->ecdsa_ctx.grp.pbits == 0 )
347 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
348
349 MBEDTLS_MPI_CHK( ecdsa_verify_rs_wrap( &rs->ecdsa_ctx,
350 md_alg, hash, hash_len,
351 sig, sig_len, &rs->ecdsa_rs ) );
352
353 cleanup:
354 return( ret );
355 }
356
eckey_sign_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)357 static int eckey_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
358 const unsigned char *hash, size_t hash_len,
359 unsigned char *sig, size_t *sig_len,
360 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
361 void *rs_ctx )
362 {
363 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
364 eckey_restart_ctx *rs = rs_ctx;
365
366 /* Should never happen */
367 if( rs == NULL )
368 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
369
370 /* set up our own sub-context if needed (that is, on first run) */
371 if( rs->ecdsa_ctx.grp.pbits == 0 )
372 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
373
374 MBEDTLS_MPI_CHK( ecdsa_sign_rs_wrap( &rs->ecdsa_ctx, md_alg,
375 hash, hash_len, sig, sig_len,
376 f_rng, p_rng, &rs->ecdsa_rs ) );
377
378 cleanup:
379 return( ret );
380 }
381 #endif /* MBEDTLS_ECP_RESTARTABLE */
382 #endif /* MBEDTLS_ECDSA_C */
383
eckey_check_pair(const void * pub,const void * prv)384 static int eckey_check_pair( const void *pub, const void *prv )
385 {
386 return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub,
387 (const mbedtls_ecp_keypair *) prv ) );
388 }
389
eckey_alloc_wrap(void)390 static void *eckey_alloc_wrap( void )
391 {
392 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
393
394 if( ctx != NULL )
395 mbedtls_ecp_keypair_init( ctx );
396
397 return( ctx );
398 }
399
eckey_free_wrap(void * ctx)400 static void eckey_free_wrap( void *ctx )
401 {
402 mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx );
403 mbedtls_free( ctx );
404 }
405
eckey_debug(const void * ctx,mbedtls_pk_debug_item * items)406 static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items )
407 {
408 items->type = MBEDTLS_PK_DEBUG_ECP;
409 items->name = "eckey.Q";
410 items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q );
411 }
412
413 const mbedtls_pk_info_t mbedtls_eckey_info = {
414 MBEDTLS_PK_ECKEY,
415 "EC",
416 eckey_get_bitlen,
417 eckey_can_do,
418 #if defined(MBEDTLS_ECDSA_C)
419 eckey_verify_wrap,
420 eckey_sign_wrap,
421 #if defined(MBEDTLS_ECP_RESTARTABLE)
422 eckey_verify_rs_wrap,
423 eckey_sign_rs_wrap,
424 #endif
425 #else /* MBEDTLS_ECDSA_C */
426 NULL,
427 NULL,
428 #endif /* MBEDTLS_ECDSA_C */
429 NULL,
430 NULL,
431 eckey_check_pair,
432 eckey_alloc_wrap,
433 eckey_free_wrap,
434 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
435 eckey_rs_alloc,
436 eckey_rs_free,
437 #endif
438 eckey_debug,
439 };
440
441 /*
442 * EC key restricted to ECDH
443 */
eckeydh_can_do(mbedtls_pk_type_t type)444 static int eckeydh_can_do( mbedtls_pk_type_t type )
445 {
446 return( type == MBEDTLS_PK_ECKEY ||
447 type == MBEDTLS_PK_ECKEY_DH );
448 }
449
450 const mbedtls_pk_info_t mbedtls_eckeydh_info = {
451 MBEDTLS_PK_ECKEY_DH,
452 "EC_DH",
453 eckey_get_bitlen, /* Same underlying key structure */
454 eckeydh_can_do,
455 NULL,
456 NULL,
457 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
458 NULL,
459 NULL,
460 #endif
461 NULL,
462 NULL,
463 eckey_check_pair,
464 eckey_alloc_wrap, /* Same underlying key structure */
465 eckey_free_wrap, /* Same underlying key structure */
466 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
467 NULL,
468 NULL,
469 #endif
470 eckey_debug, /* Same underlying key structure */
471 };
472 #endif /* MBEDTLS_ECP_C */
473
474 #if defined(MBEDTLS_ECDSA_C)
ecdsa_can_do(mbedtls_pk_type_t type)475 static int ecdsa_can_do( mbedtls_pk_type_t type )
476 {
477 return( type == MBEDTLS_PK_ECDSA );
478 }
479
480 #if defined(MBEDTLS_USE_PSA_CRYPTO)
481 /*
482 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
483 * those integers and convert it to the fixed-length encoding expected by PSA.
484 */
extract_ecdsa_sig_int(unsigned char ** from,const unsigned char * end,unsigned char * to,size_t to_len)485 static int extract_ecdsa_sig_int( unsigned char **from, const unsigned char *end,
486 unsigned char *to, size_t to_len )
487 {
488 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
489 size_t unpadded_len, padding_len;
490
491 if( ( ret = mbedtls_asn1_get_tag( from, end, &unpadded_len,
492 MBEDTLS_ASN1_INTEGER ) ) != 0 )
493 {
494 return( ret );
495 }
496
497 while( unpadded_len > 0 && **from == 0x00 )
498 {
499 ( *from )++;
500 unpadded_len--;
501 }
502
503 if( unpadded_len > to_len || unpadded_len == 0 )
504 return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
505
506 padding_len = to_len - unpadded_len;
507 memset( to, 0x00, padding_len );
508 memcpy( to + padding_len, *from, unpadded_len );
509 ( *from ) += unpadded_len;
510
511 return( 0 );
512 }
513
514 /*
515 * Convert a signature from an ASN.1 sequence of two integers
516 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least
517 * twice as big as int_size.
518 */
extract_ecdsa_sig(unsigned char ** p,const unsigned char * end,unsigned char * sig,size_t int_size)519 static int extract_ecdsa_sig( unsigned char **p, const unsigned char *end,
520 unsigned char *sig, size_t int_size )
521 {
522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
523 size_t tmp_size;
524
525 if( ( ret = mbedtls_asn1_get_tag( p, end, &tmp_size,
526 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
527 return( ret );
528
529 /* Extract r */
530 if( ( ret = extract_ecdsa_sig_int( p, end, sig, int_size ) ) != 0 )
531 return( ret );
532 /* Extract s */
533 if( ( ret = extract_ecdsa_sig_int( p, end, sig + int_size, int_size ) ) != 0 )
534 return( ret );
535
536 return( 0 );
537 }
538
ecdsa_verify_wrap(void * ctx_arg,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)539 static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg,
540 const unsigned char *hash, size_t hash_len,
541 const unsigned char *sig, size_t sig_len )
542 {
543 mbedtls_ecdsa_context *ctx = ctx_arg;
544 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
545 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
546 psa_key_id_t key_id = 0;
547 psa_status_t status;
548 mbedtls_pk_context key;
549 int key_len;
550 /* see ECP_PUB_DER_MAX_BYTES in pkwrite.c */
551 unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES];
552 unsigned char *p;
553 mbedtls_pk_info_t pk_info = mbedtls_eckey_info;
554 psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
555 size_t curve_bits;
556 psa_ecc_family_t curve =
557 mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits );
558 const size_t signature_part_size = ( ctx->grp.nbits + 7 ) / 8;
559 ((void) md_alg);
560
561 if( curve == 0 )
562 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
563
564 /* mbedtls_pk_write_pubkey() expects a full PK context;
565 * re-construct one to make it happy */
566 key.pk_info = &pk_info;
567 key.pk_ctx = ctx;
568 p = buf + sizeof( buf );
569 key_len = mbedtls_pk_write_pubkey( &p, buf, &key );
570 if( key_len <= 0 )
571 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
572
573 psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ) );
574 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
575 psa_set_key_algorithm( &attributes, psa_sig_md );
576
577 status = psa_import_key( &attributes,
578 buf + sizeof( buf ) - key_len, key_len,
579 &key_id );
580 if( status != PSA_SUCCESS )
581 {
582 ret = mbedtls_psa_err_translate_pk( status );
583 goto cleanup;
584 }
585
586 /* We don't need the exported key anymore and can
587 * reuse its buffer for signature extraction. */
588 if( 2 * signature_part_size > sizeof( buf ) )
589 {
590 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
591 goto cleanup;
592 }
593
594 p = (unsigned char*) sig;
595 if( ( ret = extract_ecdsa_sig( &p, sig + sig_len, buf,
596 signature_part_size ) ) != 0 )
597 {
598 goto cleanup;
599 }
600
601 if( psa_verify_hash( key_id, psa_sig_md,
602 hash, hash_len,
603 buf, 2 * signature_part_size )
604 != PSA_SUCCESS )
605 {
606 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
607 goto cleanup;
608 }
609
610 if( p != sig + sig_len )
611 {
612 ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
613 goto cleanup;
614 }
615 ret = 0;
616
617 cleanup:
618 psa_destroy_key( key_id );
619 return( ret );
620 }
621 #else /* MBEDTLS_USE_PSA_CRYPTO */
ecdsa_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)622 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
623 const unsigned char *hash, size_t hash_len,
624 const unsigned char *sig, size_t sig_len )
625 {
626 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
627 ((void) md_alg);
628
629 ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx,
630 hash, hash_len, sig, sig_len );
631
632 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
633 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
634
635 return( ret );
636 }
637 #endif /* MBEDTLS_USE_PSA_CRYPTO */
638
ecdsa_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)639 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
640 const unsigned char *hash, size_t hash_len,
641 unsigned char *sig, size_t *sig_len,
642 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
643 {
644 return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx,
645 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) );
646 }
647
648 #if defined(MBEDTLS_ECP_RESTARTABLE)
ecdsa_verify_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)649 static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
650 const unsigned char *hash, size_t hash_len,
651 const unsigned char *sig, size_t sig_len,
652 void *rs_ctx )
653 {
654 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
655 ((void) md_alg);
656
657 ret = mbedtls_ecdsa_read_signature_restartable(
658 (mbedtls_ecdsa_context *) ctx,
659 hash, hash_len, sig, sig_len,
660 (mbedtls_ecdsa_restart_ctx *) rs_ctx );
661
662 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
663 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
664
665 return( ret );
666 }
667
ecdsa_sign_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)668 static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
669 const unsigned char *hash, size_t hash_len,
670 unsigned char *sig, size_t *sig_len,
671 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
672 void *rs_ctx )
673 {
674 return( mbedtls_ecdsa_write_signature_restartable(
675 (mbedtls_ecdsa_context *) ctx,
676 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng,
677 (mbedtls_ecdsa_restart_ctx *) rs_ctx ) );
678
679 }
680 #endif /* MBEDTLS_ECP_RESTARTABLE */
681
ecdsa_alloc_wrap(void)682 static void *ecdsa_alloc_wrap( void )
683 {
684 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) );
685
686 if( ctx != NULL )
687 mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx );
688
689 return( ctx );
690 }
691
ecdsa_free_wrap(void * ctx)692 static void ecdsa_free_wrap( void *ctx )
693 {
694 mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx );
695 mbedtls_free( ctx );
696 }
697
698 #if defined(MBEDTLS_ECP_RESTARTABLE)
ecdsa_rs_alloc(void)699 static void *ecdsa_rs_alloc( void )
700 {
701 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_restart_ctx ) );
702
703 if( ctx != NULL )
704 mbedtls_ecdsa_restart_init( ctx );
705
706 return( ctx );
707 }
708
ecdsa_rs_free(void * ctx)709 static void ecdsa_rs_free( void *ctx )
710 {
711 mbedtls_ecdsa_restart_free( ctx );
712 mbedtls_free( ctx );
713 }
714 #endif /* MBEDTLS_ECP_RESTARTABLE */
715
716 const mbedtls_pk_info_t mbedtls_ecdsa_info = {
717 MBEDTLS_PK_ECDSA,
718 "ECDSA",
719 eckey_get_bitlen, /* Compatible key structures */
720 ecdsa_can_do,
721 ecdsa_verify_wrap,
722 ecdsa_sign_wrap,
723 #if defined(MBEDTLS_ECP_RESTARTABLE)
724 ecdsa_verify_rs_wrap,
725 ecdsa_sign_rs_wrap,
726 #endif
727 NULL,
728 NULL,
729 eckey_check_pair, /* Compatible key structures */
730 ecdsa_alloc_wrap,
731 ecdsa_free_wrap,
732 #if defined(MBEDTLS_ECP_RESTARTABLE)
733 ecdsa_rs_alloc,
734 ecdsa_rs_free,
735 #endif
736 eckey_debug, /* Compatible key structures */
737 };
738 #endif /* MBEDTLS_ECDSA_C */
739
740 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
741 /*
742 * Support for alternative RSA-private implementations
743 */
744
rsa_alt_can_do(mbedtls_pk_type_t type)745 static int rsa_alt_can_do( mbedtls_pk_type_t type )
746 {
747 return( type == MBEDTLS_PK_RSA );
748 }
749
rsa_alt_get_bitlen(const void * ctx)750 static size_t rsa_alt_get_bitlen( const void *ctx )
751 {
752 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
753
754 return( 8 * rsa_alt->key_len_func( rsa_alt->key ) );
755 }
756
rsa_alt_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)757 static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
758 const unsigned char *hash, size_t hash_len,
759 unsigned char *sig, size_t *sig_len,
760 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
761 {
762 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
763
764 #if SIZE_MAX > UINT_MAX
765 if( UINT_MAX < hash_len )
766 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
767 #endif /* SIZE_MAX > UINT_MAX */
768
769 *sig_len = rsa_alt->key_len_func( rsa_alt->key );
770 if( *sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE )
771 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
772
773 return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
774 md_alg, (unsigned int) hash_len, hash, sig ) );
775 }
776
rsa_alt_decrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)777 static int rsa_alt_decrypt_wrap( void *ctx,
778 const unsigned char *input, size_t ilen,
779 unsigned char *output, size_t *olen, size_t osize,
780 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
781 {
782 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
783
784 ((void) f_rng);
785 ((void) p_rng);
786
787 if( ilen != rsa_alt->key_len_func( rsa_alt->key ) )
788 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
789
790 return( rsa_alt->decrypt_func( rsa_alt->key,
791 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
792 }
793
794 #if defined(MBEDTLS_RSA_C)
rsa_alt_check_pair(const void * pub,const void * prv)795 static int rsa_alt_check_pair( const void *pub, const void *prv )
796 {
797 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
798 unsigned char hash[32];
799 size_t sig_len = 0;
800 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
801
802 if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) )
803 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
804
805 memset( hash, 0x2a, sizeof( hash ) );
806
807 if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE,
808 hash, sizeof( hash ),
809 sig, &sig_len, NULL, NULL ) ) != 0 )
810 {
811 return( ret );
812 }
813
814 if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE,
815 hash, sizeof( hash ), sig, sig_len ) != 0 )
816 {
817 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
818 }
819
820 return( 0 );
821 }
822 #endif /* MBEDTLS_RSA_C */
823
rsa_alt_alloc_wrap(void)824 static void *rsa_alt_alloc_wrap( void )
825 {
826 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) );
827
828 if( ctx != NULL )
829 memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) );
830
831 return( ctx );
832 }
833
rsa_alt_free_wrap(void * ctx)834 static void rsa_alt_free_wrap( void *ctx )
835 {
836 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) );
837 mbedtls_free( ctx );
838 }
839
840 const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
841 MBEDTLS_PK_RSA_ALT,
842 "RSA-alt",
843 rsa_alt_get_bitlen,
844 rsa_alt_can_do,
845 NULL,
846 rsa_alt_sign_wrap,
847 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
848 NULL,
849 NULL,
850 #endif
851 rsa_alt_decrypt_wrap,
852 NULL,
853 #if defined(MBEDTLS_RSA_C)
854 rsa_alt_check_pair,
855 #else
856 NULL,
857 #endif
858 rsa_alt_alloc_wrap,
859 rsa_alt_free_wrap,
860 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
861 NULL,
862 NULL,
863 #endif
864 NULL,
865 };
866
867 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
868
869 #if defined(MBEDTLS_USE_PSA_CRYPTO)
870
pk_opaque_alloc_wrap(void)871 static void *pk_opaque_alloc_wrap( void )
872 {
873 void *ctx = mbedtls_calloc( 1, sizeof( psa_key_id_t ) );
874
875 /* no _init() function to call, an calloc() already zeroized */
876
877 return( ctx );
878 }
879
pk_opaque_free_wrap(void * ctx)880 static void pk_opaque_free_wrap( void *ctx )
881 {
882 mbedtls_platform_zeroize( ctx, sizeof( psa_key_id_t ) );
883 mbedtls_free( ctx );
884 }
885
pk_opaque_get_bitlen(const void * ctx)886 static size_t pk_opaque_get_bitlen( const void *ctx )
887 {
888 const psa_key_id_t *key = (const psa_key_id_t *) ctx;
889 size_t bits;
890 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
891
892 if( PSA_SUCCESS != psa_get_key_attributes( *key, &attributes ) )
893 return( 0 );
894
895 bits = psa_get_key_bits( &attributes );
896 psa_reset_key_attributes( &attributes );
897 return( bits );
898 }
899
pk_opaque_can_do(mbedtls_pk_type_t type)900 static int pk_opaque_can_do( mbedtls_pk_type_t type )
901 {
902 /* For now opaque PSA keys can only wrap ECC keypairs,
903 * as checked by setup_psa().
904 * Also, ECKEY_DH does not really make sense with the current API. */
905 return( type == MBEDTLS_PK_ECKEY ||
906 type == MBEDTLS_PK_ECDSA );
907 }
908
909 #if defined(MBEDTLS_ECDSA_C)
910
911 /*
912 * Simultaneously convert and move raw MPI from the beginning of a buffer
913 * to an ASN.1 MPI at the end of the buffer.
914 * See also mbedtls_asn1_write_mpi().
915 *
916 * p: pointer to the end of the output buffer
917 * start: start of the output buffer, and also of the mpi to write at the end
918 * n_len: length of the mpi to read from start
919 */
asn1_write_mpibuf(unsigned char ** p,unsigned char * start,size_t n_len)920 static int asn1_write_mpibuf( unsigned char **p, unsigned char *start,
921 size_t n_len )
922 {
923 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
924 size_t len = 0;
925
926 if( (size_t)( *p - start ) < n_len )
927 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
928
929 len = n_len;
930 *p -= len;
931 memmove( *p, start, len );
932
933 /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
934 * Neither r nor s should be 0, but as a failsafe measure, still detect
935 * that rather than overflowing the buffer in case of a PSA error. */
936 while( len > 0 && **p == 0x00 )
937 {
938 ++(*p);
939 --len;
940 }
941
942 /* this is only reached if the signature was invalid */
943 if( len == 0 )
944 return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
945
946 /* if the msb is 1, ASN.1 requires that we prepend a 0.
947 * Neither r nor s can be 0, so we can assume len > 0 at all times. */
948 if( **p & 0x80 )
949 {
950 if( *p - start < 1 )
951 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
952
953 *--(*p) = 0x00;
954 len += 1;
955 }
956
957 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
958 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
959 MBEDTLS_ASN1_INTEGER ) );
960
961 return( (int) len );
962 }
963
964 /* Transcode signature from PSA format to ASN.1 sequence.
965 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of
966 * MPIs, and in-place.
967 *
968 * [in/out] sig: the signature pre- and post-transcoding
969 * [in/out] sig_len: signature length pre- and post-transcoding
970 * [int] buf_len: the available size the in/out buffer
971 */
pk_ecdsa_sig_asn1_from_psa(unsigned char * sig,size_t * sig_len,size_t buf_len)972 static int pk_ecdsa_sig_asn1_from_psa( unsigned char *sig, size_t *sig_len,
973 size_t buf_len )
974 {
975 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
976 size_t len = 0;
977 const size_t rs_len = *sig_len / 2;
978 unsigned char *p = sig + buf_len;
979
980 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig + rs_len, rs_len ) );
981 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig, rs_len ) );
982
983 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, sig, len ) );
984 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, sig,
985 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
986
987 memmove( sig, p, len );
988 *sig_len = len;
989
990 return( 0 );
991 }
992
993 #endif /* MBEDTLS_ECDSA_C */
994
pk_opaque_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)995 static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
996 const unsigned char *hash, size_t hash_len,
997 unsigned char *sig, size_t *sig_len,
998 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
999 {
1000 #if !defined(MBEDTLS_ECDSA_C)
1001 ((void) ctx);
1002 ((void) md_alg);
1003 ((void) hash);
1004 ((void) hash_len);
1005 ((void) sig);
1006 ((void) sig_len);
1007 ((void) f_rng);
1008 ((void) p_rng);
1009 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
1010 #else /* !MBEDTLS_ECDSA_C */
1011 const psa_key_id_t *key = (const psa_key_id_t *) ctx;
1012 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1013 psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) );
1014 size_t buf_len;
1015 psa_status_t status;
1016
1017 /* PSA has its own RNG */
1018 (void) f_rng;
1019 (void) p_rng;
1020
1021 /* PSA needs an output buffer of known size, but our API doesn't provide
1022 * that information. Assume that the buffer is large enough for a
1023 * maximal-length signature with that key (otherwise the application is
1024 * buggy anyway). */
1025 status = psa_get_key_attributes( *key, &attributes );
1026 if( status != PSA_SUCCESS )
1027 return( mbedtls_psa_err_translate_pk( status ) );
1028 buf_len = MBEDTLS_ECDSA_MAX_SIG_LEN( psa_get_key_bits( &attributes ) );
1029 psa_reset_key_attributes( &attributes );
1030 if( buf_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE )
1031 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
1032
1033 /* make the signature */
1034 status = psa_sign_hash( *key, alg, hash, hash_len,
1035 sig, buf_len, sig_len );
1036 if( status != PSA_SUCCESS )
1037 return( mbedtls_psa_err_translate_pk( status ) );
1038
1039 /* transcode it to ASN.1 sequence */
1040 return( pk_ecdsa_sig_asn1_from_psa( sig, sig_len, buf_len ) );
1041 #endif /* !MBEDTLS_ECDSA_C */
1042 }
1043
1044 const mbedtls_pk_info_t mbedtls_pk_opaque_info = {
1045 MBEDTLS_PK_OPAQUE,
1046 "Opaque",
1047 pk_opaque_get_bitlen,
1048 pk_opaque_can_do,
1049 NULL, /* verify - will be done later */
1050 pk_opaque_sign_wrap,
1051 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1052 NULL, /* restartable verify - not relevant */
1053 NULL, /* restartable sign - not relevant */
1054 #endif
1055 NULL, /* decrypt - will be done later */
1056 NULL, /* encrypt - will be done later */
1057 NULL, /* check_pair - could be done later or left NULL */
1058 pk_opaque_alloc_wrap,
1059 pk_opaque_free_wrap,
1060 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1061 NULL, /* restart alloc - not relevant */
1062 NULL, /* restart free - not relevant */
1063 #endif
1064 NULL, /* debug - could be done later, or even left NULL */
1065 };
1066
1067 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1068
1069 #endif /* MBEDTLS_PK_C */
1070