• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  Public Key abstraction layer
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #include "common.h"
21 
22 #if defined(MBEDTLS_PK_C)
23 #include "mbedtls/pk.h"
24 #include "pk_wrap.h"
25 #include "pkwrite.h"
26 
27 #include "hash_info.h"
28 
29 #include "mbedtls/platform_util.h"
30 #include "mbedtls/error.h"
31 
32 #if defined(MBEDTLS_RSA_C)
33 #include "mbedtls/rsa.h"
34 #endif
35 #if defined(MBEDTLS_ECP_C)
36 #include "mbedtls/ecp.h"
37 #endif
38 #if defined(MBEDTLS_ECDSA_C)
39 #include "mbedtls/ecdsa.h"
40 #endif
41 
42 #if defined(MBEDTLS_PSA_CRYPTO_C)
43 #include "mbedtls/psa_util.h"
44 #define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
45 #define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status,     \
46                                                                   psa_to_pk_rsa_errors,            \
47                                                                   psa_pk_status_to_mbedtls)
48 #define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status,   \
49                                                                     psa_to_pk_ecdsa_errors,        \
50                                                                     psa_pk_status_to_mbedtls)
51 #endif
52 
53 #include <limits.h>
54 #include <stdint.h>
55 
56 /*
57  * Initialise a mbedtls_pk_context
58  */
mbedtls_pk_init(mbedtls_pk_context * ctx)59 void mbedtls_pk_init(mbedtls_pk_context *ctx)
60 {
61     ctx->pk_info = NULL;
62     ctx->pk_ctx = NULL;
63 }
64 
65 /*
66  * Free (the components of) a mbedtls_pk_context
67  */
mbedtls_pk_free(mbedtls_pk_context * ctx)68 void mbedtls_pk_free(mbedtls_pk_context *ctx)
69 {
70     if (ctx == NULL) {
71         return;
72     }
73 
74     if (ctx->pk_info != NULL) {
75         ctx->pk_info->ctx_free_func(ctx->pk_ctx);
76     }
77 
78     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pk_context));
79 }
80 
81 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
82 /*
83  * Initialize a restart context
84  */
mbedtls_pk_restart_init(mbedtls_pk_restart_ctx * ctx)85 void mbedtls_pk_restart_init(mbedtls_pk_restart_ctx *ctx)
86 {
87     ctx->pk_info = NULL;
88     ctx->rs_ctx = NULL;
89 }
90 
91 /*
92  * Free the components of a restart context
93  */
mbedtls_pk_restart_free(mbedtls_pk_restart_ctx * ctx)94 void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx)
95 {
96     if (ctx == NULL || ctx->pk_info == NULL ||
97         ctx->pk_info->rs_free_func == NULL) {
98         return;
99     }
100 
101     ctx->pk_info->rs_free_func(ctx->rs_ctx);
102 
103     ctx->pk_info = NULL;
104     ctx->rs_ctx = NULL;
105 }
106 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
107 
108 /*
109  * Get pk_info structure from type
110  */
mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type)111 const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type)
112 {
113     switch (pk_type) {
114 #if defined(MBEDTLS_RSA_C)
115         case MBEDTLS_PK_RSA:
116             return &mbedtls_rsa_info;
117 #endif
118 #if defined(MBEDTLS_ECP_C)
119         case MBEDTLS_PK_ECKEY:
120             return &mbedtls_eckey_info;
121         case MBEDTLS_PK_ECKEY_DH:
122             return &mbedtls_eckeydh_info;
123 #endif
124 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
125         case MBEDTLS_PK_ECDSA:
126             return &mbedtls_ecdsa_info;
127 #endif
128         /* MBEDTLS_PK_RSA_ALT omitted on purpose */
129         default:
130             return NULL;
131     }
132 }
133 
134 /*
135  * Initialise context
136  */
mbedtls_pk_setup(mbedtls_pk_context * ctx,const mbedtls_pk_info_t * info)137 int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info)
138 {
139     if (info == NULL || ctx->pk_info != NULL) {
140         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
141     }
142 
143     if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
144         return MBEDTLS_ERR_PK_ALLOC_FAILED;
145     }
146 
147     ctx->pk_info = info;
148 
149     return 0;
150 }
151 
152 #if defined(MBEDTLS_USE_PSA_CRYPTO)
153 /*
154  * Initialise a PSA-wrapping context
155  */
mbedtls_pk_setup_opaque(mbedtls_pk_context * ctx,const mbedtls_svc_key_id_t key)156 int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
157                             const mbedtls_svc_key_id_t key)
158 {
159     const mbedtls_pk_info_t *info = NULL;
160     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
161     mbedtls_svc_key_id_t *pk_ctx;
162     psa_key_type_t type;
163 
164     if (ctx == NULL || ctx->pk_info != NULL) {
165         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
166     }
167 
168     if (PSA_SUCCESS != psa_get_key_attributes(key, &attributes)) {
169         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
170     }
171     type = psa_get_key_type(&attributes);
172     psa_reset_key_attributes(&attributes);
173 
174     if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
175         info = &mbedtls_pk_ecdsa_opaque_info;
176     } else if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
177         info = &mbedtls_pk_rsa_opaque_info;
178     } else {
179         return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
180     }
181 
182     if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
183         return MBEDTLS_ERR_PK_ALLOC_FAILED;
184     }
185 
186     ctx->pk_info = info;
187 
188     pk_ctx = (mbedtls_svc_key_id_t *) ctx->pk_ctx;
189     *pk_ctx = key;
190 
191     return 0;
192 }
193 #endif /* MBEDTLS_USE_PSA_CRYPTO */
194 
195 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
196 /*
197  * Initialize an RSA-alt context
198  */
mbedtls_pk_setup_rsa_alt(mbedtls_pk_context * ctx,void * key,mbedtls_pk_rsa_alt_decrypt_func decrypt_func,mbedtls_pk_rsa_alt_sign_func sign_func,mbedtls_pk_rsa_alt_key_len_func key_len_func)199 int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
200                              mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
201                              mbedtls_pk_rsa_alt_sign_func sign_func,
202                              mbedtls_pk_rsa_alt_key_len_func key_len_func)
203 {
204     mbedtls_rsa_alt_context *rsa_alt;
205     const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
206 
207     if (ctx->pk_info != NULL) {
208         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
209     }
210 
211     if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
212         return MBEDTLS_ERR_PK_ALLOC_FAILED;
213     }
214 
215     ctx->pk_info = info;
216 
217     rsa_alt = (mbedtls_rsa_alt_context *) ctx->pk_ctx;
218 
219     rsa_alt->key = key;
220     rsa_alt->decrypt_func = decrypt_func;
221     rsa_alt->sign_func = sign_func;
222     rsa_alt->key_len_func = key_len_func;
223 
224     return 0;
225 }
226 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
227 
228 /*
229  * Tell if a PK can do the operations of the given type
230  */
mbedtls_pk_can_do(const mbedtls_pk_context * ctx,mbedtls_pk_type_t type)231 int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type)
232 {
233     /* A context with null pk_info is not set up yet and can't do anything.
234      * For backward compatibility, also accept NULL instead of a context
235      * pointer. */
236     if (ctx == NULL || ctx->pk_info == NULL) {
237         return 0;
238     }
239 
240     return ctx->pk_info->can_do(type);
241 }
242 
243 #if defined(MBEDTLS_USE_PSA_CRYPTO)
244 /*
245  * Tell if a PK can do the operations of the given PSA algorithm
246  */
mbedtls_pk_can_do_ext(const mbedtls_pk_context * ctx,psa_algorithm_t alg,psa_key_usage_t usage)247 int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
248                           psa_key_usage_t usage)
249 {
250     psa_key_usage_t key_usage;
251 
252     /* A context with null pk_info is not set up yet and can't do anything.
253      * For backward compatibility, also accept NULL instead of a context
254      * pointer. */
255     if (ctx == NULL || ctx->pk_info == NULL) {
256         return 0;
257     }
258 
259     /* Filter out non allowed algorithms */
260     if (PSA_ALG_IS_ECDSA(alg) == 0 &&
261         PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) == 0 &&
262         PSA_ALG_IS_RSA_PSS(alg) == 0 &&
263         alg != PSA_ALG_RSA_PKCS1V15_CRYPT &&
264         PSA_ALG_IS_ECDH(alg) == 0) {
265         return 0;
266     }
267 
268     /* Filter out non allowed usage flags */
269     if (usage == 0 ||
270         (usage & ~(PSA_KEY_USAGE_SIGN_HASH |
271                    PSA_KEY_USAGE_DECRYPT |
272                    PSA_KEY_USAGE_DERIVE)) != 0) {
273         return 0;
274     }
275 
276     /* Wildcard hash is not allowed */
277     if (PSA_ALG_IS_SIGN_HASH(alg) &&
278         PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH) {
279         return 0;
280     }
281 
282     if (mbedtls_pk_get_type(ctx) != MBEDTLS_PK_OPAQUE) {
283         mbedtls_pk_type_t type;
284 
285         if (PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_ECDH(alg)) {
286             type = MBEDTLS_PK_ECKEY;
287         } else if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
288                    alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
289             type = MBEDTLS_PK_RSA;
290         } else if (PSA_ALG_IS_RSA_PSS(alg)) {
291             type = MBEDTLS_PK_RSASSA_PSS;
292         } else {
293             return 0;
294         }
295 
296         if (ctx->pk_info->can_do(type) == 0) {
297             return 0;
298         }
299 
300         switch (type) {
301             case MBEDTLS_PK_ECKEY:
302                 key_usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
303                 break;
304             case MBEDTLS_PK_RSA:
305             case MBEDTLS_PK_RSASSA_PSS:
306                 key_usage = PSA_KEY_USAGE_SIGN_HASH |
307                             PSA_KEY_USAGE_SIGN_MESSAGE |
308                             PSA_KEY_USAGE_DECRYPT;
309                 break;
310             default:
311                 /* Should never happen */
312                 return 0;
313         }
314 
315         return (key_usage & usage) == usage;
316     }
317 
318     const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx->pk_ctx;
319     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
320     psa_algorithm_t key_alg, key_alg2;
321     psa_status_t status;
322 
323     status = psa_get_key_attributes(*key, &attributes);
324     if (status != PSA_SUCCESS) {
325         return 0;
326     }
327 
328     key_alg = psa_get_key_algorithm(&attributes);
329     key_alg2 = psa_get_key_enrollment_algorithm(&attributes);
330     key_usage = psa_get_key_usage_flags(&attributes);
331     psa_reset_key_attributes(&attributes);
332 
333     if ((key_usage & usage) != usage) {
334         return 0;
335     }
336 
337     /*
338      * Common case: the key alg or alg2 only allows alg.
339      * This will match PSA_ALG_RSA_PKCS1V15_CRYPT & PSA_ALG_IS_ECDH
340      * directly.
341      * This would also match ECDSA/RSA_PKCS1V15_SIGN/RSA_PSS with
342      * a fixed hash on key_alg/key_alg2.
343      */
344     if (alg == key_alg || alg == key_alg2) {
345         return 1;
346     }
347 
348     /*
349      * If key_alg or key_alg2 is a hash-and-sign with a wildcard for the hash,
350      * and alg is the same hash-and-sign family with any hash,
351      * then alg is compliant with this key alg
352      */
353     if (PSA_ALG_IS_SIGN_HASH(alg)) {
354 
355         if (PSA_ALG_IS_SIGN_HASH(key_alg) &&
356             PSA_ALG_SIGN_GET_HASH(key_alg) == PSA_ALG_ANY_HASH &&
357             (alg & ~PSA_ALG_HASH_MASK) == (key_alg & ~PSA_ALG_HASH_MASK)) {
358             return 1;
359         }
360 
361         if (PSA_ALG_IS_SIGN_HASH(key_alg2) &&
362             PSA_ALG_SIGN_GET_HASH(key_alg2) == PSA_ALG_ANY_HASH &&
363             (alg & ~PSA_ALG_HASH_MASK) == (key_alg2 & ~PSA_ALG_HASH_MASK)) {
364             return 1;
365         }
366     }
367 
368     return 0;
369 }
370 #endif /* MBEDTLS_USE_PSA_CRYPTO */
371 
372 /*
373  * Helper for mbedtls_pk_sign and mbedtls_pk_verify
374  */
pk_hashlen_helper(mbedtls_md_type_t md_alg,size_t * hash_len)375 static inline int pk_hashlen_helper(mbedtls_md_type_t md_alg, size_t *hash_len)
376 {
377     if (*hash_len != 0) {
378         return 0;
379     }
380 
381     *hash_len = mbedtls_hash_info_get_size(md_alg);
382 
383     if (*hash_len == 0) {
384         return -1;
385     }
386 
387     return 0;
388 }
389 
390 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
391 /*
392  * Helper to set up a restart context if needed
393  */
pk_restart_setup(mbedtls_pk_restart_ctx * ctx,const mbedtls_pk_info_t * info)394 static int pk_restart_setup(mbedtls_pk_restart_ctx *ctx,
395                             const mbedtls_pk_info_t *info)
396 {
397     /* Don't do anything if already set up or invalid */
398     if (ctx == NULL || ctx->pk_info != NULL) {
399         return 0;
400     }
401 
402     /* Should never happen when we're called */
403     if (info->rs_alloc_func == NULL || info->rs_free_func == NULL) {
404         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
405     }
406 
407     if ((ctx->rs_ctx = info->rs_alloc_func()) == NULL) {
408         return MBEDTLS_ERR_PK_ALLOC_FAILED;
409     }
410 
411     ctx->pk_info = info;
412 
413     return 0;
414 }
415 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
416 
417 /*
418  * Verify a signature (restartable)
419  */
mbedtls_pk_verify_restartable(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,mbedtls_pk_restart_ctx * rs_ctx)420 int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
421                                   mbedtls_md_type_t md_alg,
422                                   const unsigned char *hash, size_t hash_len,
423                                   const unsigned char *sig, size_t sig_len,
424                                   mbedtls_pk_restart_ctx *rs_ctx)
425 {
426     if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
427         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
428     }
429 
430     if (ctx->pk_info == NULL ||
431         pk_hashlen_helper(md_alg, &hash_len) != 0) {
432         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
433     }
434 
435 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
436     /* optimization: use non-restartable version if restart disabled */
437     if (rs_ctx != NULL &&
438         mbedtls_ecp_restart_is_enabled() &&
439         ctx->pk_info->verify_rs_func != NULL) {
440         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
441 
442         if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0) {
443             return ret;
444         }
445 
446         ret = ctx->pk_info->verify_rs_func(ctx->pk_ctx,
447                                            md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx);
448 
449         if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
450             mbedtls_pk_restart_free(rs_ctx);
451         }
452 
453         return ret;
454     }
455 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
456     (void) rs_ctx;
457 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
458 
459     if (ctx->pk_info->verify_func == NULL) {
460         return MBEDTLS_ERR_PK_TYPE_MISMATCH;
461     }
462 
463     return ctx->pk_info->verify_func(ctx->pk_ctx, md_alg, hash, hash_len,
464                                      sig, sig_len);
465 }
466 
467 /*
468  * Verify a signature
469  */
mbedtls_pk_verify(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)470 int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
471                       const unsigned char *hash, size_t hash_len,
472                       const unsigned char *sig, size_t sig_len)
473 {
474     return mbedtls_pk_verify_restartable(ctx, md_alg, hash, hash_len,
475                                          sig, sig_len, NULL);
476 }
477 
478 /*
479  * Verify a signature with options
480  */
mbedtls_pk_verify_ext(mbedtls_pk_type_t type,const void * options,mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)481 int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
482                           mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
483                           const unsigned char *hash, size_t hash_len,
484                           const unsigned char *sig, size_t sig_len)
485 {
486     if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
487         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
488     }
489 
490     if (ctx->pk_info == NULL) {
491         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
492     }
493 
494     if (!mbedtls_pk_can_do(ctx, type)) {
495         return MBEDTLS_ERR_PK_TYPE_MISMATCH;
496     }
497 
498     if (type != MBEDTLS_PK_RSASSA_PSS) {
499         /* General case: no options */
500         if (options != NULL) {
501             return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
502         }
503 
504         return mbedtls_pk_verify(ctx, md_alg, hash, hash_len, sig, sig_len);
505     }
506 
507 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
508     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
509     const mbedtls_pk_rsassa_pss_options *pss_opts;
510 
511     if (md_alg == MBEDTLS_MD_NONE && (int)UINT_MAX < (int)hash_len) {
512         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
513     }
514 
515     if (options == NULL) {
516         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
517     }
518 
519     pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
520 
521 #if defined(MBEDTLS_USE_PSA_CRYPTO)
522     if (pss_opts->mgf1_hash_id == md_alg) {
523         unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
524         unsigned char *p;
525         int key_len;
526         size_t signature_length;
527         psa_status_t status = PSA_ERROR_DATA_CORRUPT;
528         psa_status_t destruction_status = PSA_ERROR_DATA_CORRUPT;
529 
530         psa_algorithm_t psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
531         mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
532         psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
533         psa_algorithm_t psa_sig_alg = PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg);
534         p = buf + sizeof(buf);
535         key_len = mbedtls_pk_write_pubkey(&p, buf, ctx);
536 
537         if (key_len < 0) {
538             return key_len;
539         }
540 
541         psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
542         psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
543         psa_set_key_algorithm(&attributes, psa_sig_alg);
544 
545         status = psa_import_key(&attributes,
546                                 buf + sizeof(buf) - key_len, key_len,
547                                 &key_id);
548         if (status != PSA_SUCCESS) {
549             psa_destroy_key(key_id);
550             return PSA_PK_TO_MBEDTLS_ERR(status);
551         }
552 
553         /* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
554          * on a valid signature with trailing data in a buffer, but
555          * mbedtls_psa_rsa_verify_hash requires the sig_len to be exact,
556          * so for this reason the passed sig_len is overwritten. Smaller
557          * signature lengths should not be accepted for verification. */
558         signature_length = sig_len > mbedtls_pk_get_len(ctx) ?
559                            mbedtls_pk_get_len(ctx) : sig_len;
560         status = psa_verify_hash(key_id, psa_sig_alg, hash,
561                                  hash_len, sig, signature_length);
562         destruction_status = psa_destroy_key(key_id);
563 
564         if (status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len(ctx)) {
565             return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
566         }
567 
568         if (status == PSA_SUCCESS) {
569             status = destruction_status;
570         }
571 
572         return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
573     } else
574 #endif
575     {
576         if (sig_len < mbedtls_pk_get_len(ctx)) {
577             return MBEDTLS_ERR_RSA_VERIFY_FAILED;
578         }
579 
580         ret = mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_pk_rsa(*ctx),
581                                                 md_alg, (unsigned int) hash_len, hash,
582                                                 pss_opts->mgf1_hash_id,
583                                                 pss_opts->expected_salt_len,
584                                                 sig);
585         if (ret != 0) {
586             return ret;
587         }
588 
589         if (sig_len > mbedtls_pk_get_len(ctx)) {
590             return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
591         }
592 
593         return 0;
594     }
595 #else
596     return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
597 #endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
598 }
599 
600 /*
601  * Make a signature (restartable)
602  */
mbedtls_pk_sign_restartable(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,mbedtls_pk_restart_ctx * rs_ctx)603 int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
604                                 mbedtls_md_type_t md_alg,
605                                 const unsigned char *hash, size_t hash_len,
606                                 unsigned char *sig, size_t sig_size, size_t *sig_len,
607                                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
608                                 mbedtls_pk_restart_ctx *rs_ctx)
609 {
610     if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
611         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
612     }
613 
614     if (ctx->pk_info == NULL || pk_hashlen_helper(md_alg, &hash_len) != 0) {
615         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
616     }
617 
618 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
619     /* optimization: use non-restartable version if restart disabled */
620     if (rs_ctx != NULL &&
621         mbedtls_ecp_restart_is_enabled() &&
622         ctx->pk_info->sign_rs_func != NULL) {
623         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
624 
625         if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0) {
626             return ret;
627         }
628 
629         ret = ctx->pk_info->sign_rs_func(ctx->pk_ctx, md_alg,
630                                          hash, hash_len,
631                                          sig, sig_size, sig_len,
632                                          f_rng, p_rng, rs_ctx->rs_ctx);
633 
634         if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
635             mbedtls_pk_restart_free(rs_ctx);
636         }
637 
638         return ret;
639     }
640 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
641     (void) rs_ctx;
642 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
643 
644     if (ctx->pk_info->sign_func == NULL) {
645         return MBEDTLS_ERR_PK_TYPE_MISMATCH;
646     }
647 
648     return ctx->pk_info->sign_func(ctx->pk_ctx, md_alg,
649                                    hash, hash_len,
650                                    sig, sig_size, sig_len,
651                                    f_rng, p_rng);
652 }
653 
654 /*
655  * Make a signature
656  */
mbedtls_pk_sign(mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)657 int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
658                     const unsigned char *hash, size_t hash_len,
659                     unsigned char *sig, size_t sig_size, size_t *sig_len,
660                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
661 {
662     return mbedtls_pk_sign_restartable(ctx, md_alg, hash, hash_len,
663                                        sig, sig_size, sig_len,
664                                        f_rng, p_rng, NULL);
665 }
666 
667 #if defined(MBEDTLS_PSA_CRYPTO_C)
668 /*
669  * Make a signature given a signature type.
670  */
mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,mbedtls_pk_context * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)671 int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
672                         mbedtls_pk_context *ctx,
673                         mbedtls_md_type_t md_alg,
674                         const unsigned char *hash, size_t hash_len,
675                         unsigned char *sig, size_t sig_size, size_t *sig_len,
676                         int (*f_rng)(void *, unsigned char *, size_t),
677                         void *p_rng)
678 {
679 #if defined(MBEDTLS_RSA_C)
680     psa_algorithm_t psa_md_alg;
681 #endif /* MBEDTLS_RSA_C */
682     *sig_len = 0;
683 
684     if (ctx->pk_info == NULL) {
685         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
686     }
687 
688     if (!mbedtls_pk_can_do(ctx, pk_type)) {
689         return MBEDTLS_ERR_PK_TYPE_MISMATCH;
690     }
691 
692     if (pk_type != MBEDTLS_PK_RSASSA_PSS) {
693         return mbedtls_pk_sign(ctx, md_alg, hash, hash_len,
694                                sig, sig_size, sig_len, f_rng, p_rng);
695     }
696 
697 #if defined(MBEDTLS_RSA_C)
698     psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
699     if (psa_md_alg == 0) {
700         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
701     }
702 
703     if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) {
704         const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx->pk_ctx;
705         psa_status_t status;
706 
707         status = psa_sign_hash(*key, PSA_ALG_RSA_PSS(psa_md_alg),
708                                hash, hash_len,
709                                sig, sig_size, sig_len);
710         return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
711     }
712 
713     return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PSS(psa_md_alg),
714                                        ctx->pk_ctx, hash, hash_len,
715                                        sig, sig_size, sig_len);
716 #else /* MBEDTLS_RSA_C */
717     return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
718 #endif /* !MBEDTLS_RSA_C */
719 
720 }
721 #endif /* MBEDTLS_PSA_CRYPTO_C */
722 
723 /*
724  * Decrypt message
725  */
mbedtls_pk_decrypt(mbedtls_pk_context * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)726 int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
727                        const unsigned char *input, size_t ilen,
728                        unsigned char *output, size_t *olen, size_t osize,
729                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
730 {
731     if (ctx->pk_info == NULL) {
732         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
733     }
734 
735     if (ctx->pk_info->decrypt_func == NULL) {
736         return MBEDTLS_ERR_PK_TYPE_MISMATCH;
737     }
738 
739     return ctx->pk_info->decrypt_func(ctx->pk_ctx, input, ilen,
740                                       output, olen, osize, f_rng, p_rng);
741 }
742 
743 /*
744  * Encrypt message
745  */
mbedtls_pk_encrypt(mbedtls_pk_context * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)746 int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
747                        const unsigned char *input, size_t ilen,
748                        unsigned char *output, size_t *olen, size_t osize,
749                        int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
750 {
751     if (ctx->pk_info == NULL) {
752         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
753     }
754 
755     if (ctx->pk_info->encrypt_func == NULL) {
756         return MBEDTLS_ERR_PK_TYPE_MISMATCH;
757     }
758 
759     return ctx->pk_info->encrypt_func(ctx->pk_ctx, input, ilen,
760                                       output, olen, osize, f_rng, p_rng);
761 }
762 
763 /*
764  * Check public-private key pair
765  */
mbedtls_pk_check_pair(const mbedtls_pk_context * pub,const mbedtls_pk_context * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)766 int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
767                           const mbedtls_pk_context *prv,
768                           int (*f_rng)(void *, unsigned char *, size_t),
769                           void *p_rng)
770 {
771     if (pub->pk_info == NULL ||
772         prv->pk_info == NULL) {
773         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
774     }
775 
776     if (f_rng == NULL) {
777         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
778     }
779 
780     if (prv->pk_info->check_pair_func == NULL) {
781         return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
782     }
783 
784     if (prv->pk_info->type == MBEDTLS_PK_RSA_ALT) {
785         if (pub->pk_info->type != MBEDTLS_PK_RSA) {
786             return MBEDTLS_ERR_PK_TYPE_MISMATCH;
787         }
788     } else {
789         if (pub->pk_info != prv->pk_info) {
790             return MBEDTLS_ERR_PK_TYPE_MISMATCH;
791         }
792     }
793 
794     return prv->pk_info->check_pair_func(pub->pk_ctx, prv->pk_ctx, f_rng, p_rng);
795 }
796 
797 /*
798  * Get key size in bits
799  */
mbedtls_pk_get_bitlen(const mbedtls_pk_context * ctx)800 size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx)
801 {
802     /* For backward compatibility, accept NULL or a context that
803      * isn't set up yet, and return a fake value that should be safe. */
804     if (ctx == NULL || ctx->pk_info == NULL) {
805         return 0;
806     }
807 
808     return ctx->pk_info->get_bitlen(ctx->pk_ctx);
809 }
810 
811 /*
812  * Export debug information
813  */
mbedtls_pk_debug(const mbedtls_pk_context * ctx,mbedtls_pk_debug_item * items)814 int mbedtls_pk_debug(const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items)
815 {
816     if (ctx->pk_info == NULL) {
817         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
818     }
819 
820     if (ctx->pk_info->debug_func == NULL) {
821         return MBEDTLS_ERR_PK_TYPE_MISMATCH;
822     }
823 
824     ctx->pk_info->debug_func(ctx->pk_ctx, items);
825     return 0;
826 }
827 
828 /*
829  * Access the PK type name
830  */
mbedtls_pk_get_name(const mbedtls_pk_context * ctx)831 const char *mbedtls_pk_get_name(const mbedtls_pk_context *ctx)
832 {
833     if (ctx == NULL || ctx->pk_info == NULL) {
834         return "invalid PK";
835     }
836 
837     return ctx->pk_info->name;
838 }
839 
840 /*
841  * Access the PK type
842  */
mbedtls_pk_get_type(const mbedtls_pk_context * ctx)843 mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx)
844 {
845     if (ctx == NULL || ctx->pk_info == NULL) {
846         return MBEDTLS_PK_NONE;
847     }
848 
849     return ctx->pk_info->type;
850 }
851 
852 #if defined(MBEDTLS_USE_PSA_CRYPTO)
853 /*
854  * Load the key to a PSA key slot,
855  * then turn the PK context into a wrapper for that key slot.
856  *
857  * Currently only works for EC & RSA private keys.
858  */
mbedtls_pk_wrap_as_opaque(mbedtls_pk_context * pk,mbedtls_svc_key_id_t * key,psa_algorithm_t alg,psa_key_usage_t usage,psa_algorithm_t alg2)859 int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
860                               mbedtls_svc_key_id_t *key,
861                               psa_algorithm_t alg,
862                               psa_key_usage_t usage,
863                               psa_algorithm_t alg2)
864 {
865 #if !defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_RSA_C)
866     ((void) pk);
867     ((void) key);
868     ((void) alg);
869     ((void) usage);
870     ((void) alg2);
871 #else
872 #if defined(MBEDTLS_ECP_C)
873     if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY) {
874         const mbedtls_ecp_keypair *ec;
875         unsigned char d[MBEDTLS_ECP_MAX_BYTES];
876         size_t d_len;
877         psa_ecc_family_t curve_id;
878         psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
879         psa_key_type_t key_type;
880         size_t bits;
881         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
882         psa_status_t status;
883 
884         /* export the private key material in the format PSA wants */
885         ec = mbedtls_pk_ec(*pk);
886         d_len = PSA_BITS_TO_BYTES(ec->grp.nbits);
887         if ((ret = mbedtls_mpi_write_binary(&ec->d, d, d_len)) != 0) {
888             return ret;
889         }
890 
891         curve_id = mbedtls_ecc_group_to_psa(ec->grp.id, &bits);
892         key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(curve_id);
893 
894         /* prepare the key attributes */
895         psa_set_key_type(&attributes, key_type);
896         psa_set_key_bits(&attributes, bits);
897         psa_set_key_usage_flags(&attributes, usage);
898         psa_set_key_algorithm(&attributes, alg);
899         if (alg2 != PSA_ALG_NONE) {
900             psa_set_key_enrollment_algorithm(&attributes, alg2);
901         }
902 
903         /* import private key into PSA */
904         status = psa_import_key(&attributes, d, d_len, key);
905         if (status != PSA_SUCCESS) {
906             return PSA_PK_TO_MBEDTLS_ERR(status);
907         }
908 
909         /* make PK context wrap the key slot */
910         mbedtls_pk_free(pk);
911         mbedtls_pk_init(pk);
912 
913         return mbedtls_pk_setup_opaque(pk, *key);
914     } else
915 #endif /* MBEDTLS_ECP_C */
916 #if defined(MBEDTLS_RSA_C)
917     if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) {
918         unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
919         psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
920         int key_len;
921         psa_status_t status;
922 
923         /* export the private key material in the format PSA wants */
924         key_len = mbedtls_pk_write_key_der(pk, buf, sizeof(buf));
925         if (key_len <= 0) {
926             return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
927         }
928 
929         /* prepare the key attributes */
930         psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
931         psa_set_key_bits(&attributes, mbedtls_pk_get_bitlen(pk));
932         psa_set_key_usage_flags(&attributes, usage);
933         psa_set_key_algorithm(&attributes, alg);
934         if (alg2 != PSA_ALG_NONE) {
935             psa_set_key_enrollment_algorithm(&attributes, alg2);
936         }
937 
938         /* import private key into PSA */
939         status = psa_import_key(&attributes,
940                                 buf + sizeof(buf) - key_len,
941                                 key_len, key);
942 
943         mbedtls_platform_zeroize(buf, sizeof(buf));
944 
945         if (status != PSA_SUCCESS) {
946             return PSA_PK_TO_MBEDTLS_ERR(status);
947         }
948 
949         /* make PK context wrap the key slot */
950         mbedtls_pk_free(pk);
951         mbedtls_pk_init(pk);
952 
953         return mbedtls_pk_setup_opaque(pk, *key);
954     } else
955 #endif /* MBEDTLS_RSA_C */
956 #endif /* !MBEDTLS_ECP_C && !MBEDTLS_RSA_C */
957     return MBEDTLS_ERR_PK_TYPE_MISMATCH;
958 }
959 #endif /* MBEDTLS_USE_PSA_CRYPTO */
960 #endif /* MBEDTLS_PK_C */
961