• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  Public Key abstraction layer: wrapper functions
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #include "common.h"
21 
22 #include "mbedtls/platform_util.h"
23 
24 #if defined(MBEDTLS_PK_C)
25 #include "pk_wrap.h"
26 #include "mbedtls/error.h"
27 
28 /* Even if RSA not activated, for the sake of RSA-alt */
29 #include "mbedtls/rsa.h"
30 
31 #if defined(MBEDTLS_ECP_C)
32 #include "mbedtls/ecp.h"
33 #endif
34 
35 #if defined(MBEDTLS_ECDSA_C)
36 #include "mbedtls/ecdsa.h"
37 #endif
38 
39 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PSA_CRYPTO_C)
40 #include "pkwrite.h"
41 #endif
42 
43 #if defined(MBEDTLS_PSA_CRYPTO_C)
44 #include "mbedtls/psa_util.h"
45 #define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
46 #define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status,     \
47                                                                   psa_to_pk_rsa_errors,            \
48                                                                   psa_pk_status_to_mbedtls)
49 #define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status,   \
50                                                                     psa_to_pk_ecdsa_errors,        \
51                                                                     psa_pk_status_to_mbedtls)
52 #endif
53 
54 #if defined(MBEDTLS_USE_PSA_CRYPTO)
55 #include "psa/crypto.h"
56 #include "hash_info.h"
57 
58 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
59 #include "mbedtls/asn1write.h"
60 #include "mbedtls/asn1.h"
61 #endif
62 #endif  /* MBEDTLS_USE_PSA_CRYPTO */
63 
64 #include "mbedtls/platform.h"
65 
66 #include <limits.h>
67 #include <stdint.h>
68 #include <string.h>
69 
70 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
71 #if defined(MBEDTLS_PSA_CRYPTO_C)
mbedtls_pk_error_from_psa(psa_status_t status)72 int mbedtls_pk_error_from_psa(psa_status_t status)
73 {
74     switch (status) {
75         case PSA_SUCCESS:
76             return 0;
77         case PSA_ERROR_INVALID_HANDLE:
78             return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
79         case PSA_ERROR_NOT_PERMITTED:
80             return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
81         case PSA_ERROR_BUFFER_TOO_SMALL:
82             return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
83         case PSA_ERROR_NOT_SUPPORTED:
84             return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
85         case PSA_ERROR_INVALID_ARGUMENT:
86             return MBEDTLS_ERR_PK_INVALID_ALG;
87         case PSA_ERROR_INSUFFICIENT_MEMORY:
88             return MBEDTLS_ERR_PK_ALLOC_FAILED;
89         case PSA_ERROR_BAD_STATE:
90             return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
91         case PSA_ERROR_COMMUNICATION_FAILURE:
92         case PSA_ERROR_HARDWARE_FAILURE:
93             return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
94         case PSA_ERROR_DATA_CORRUPT:
95         case PSA_ERROR_DATA_INVALID:
96         case PSA_ERROR_STORAGE_FAILURE:
97             return MBEDTLS_ERR_PK_FILE_IO_ERROR;
98         case PSA_ERROR_CORRUPTION_DETECTED:
99             return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
100         default:
101             return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
102     }
103 }
104 
105 #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) ||    \
106     defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
mbedtls_pk_error_from_psa_rsa(psa_status_t status)107 int mbedtls_pk_error_from_psa_rsa(psa_status_t status)
108 {
109     switch (status) {
110         case PSA_ERROR_NOT_PERMITTED:
111         case PSA_ERROR_INVALID_ARGUMENT:
112         case PSA_ERROR_INVALID_HANDLE:
113             return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
114         case PSA_ERROR_BUFFER_TOO_SMALL:
115             return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
116         case PSA_ERROR_INSUFFICIENT_ENTROPY:
117             return MBEDTLS_ERR_RSA_RNG_FAILED;
118         case PSA_ERROR_INVALID_SIGNATURE:
119             return MBEDTLS_ERR_RSA_VERIFY_FAILED;
120         case PSA_ERROR_INVALID_PADDING:
121             return MBEDTLS_ERR_RSA_INVALID_PADDING;
122         case PSA_SUCCESS:
123             return 0;
124         case PSA_ERROR_NOT_SUPPORTED:
125             return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
126         case PSA_ERROR_INSUFFICIENT_MEMORY:
127             return MBEDTLS_ERR_PK_ALLOC_FAILED;
128         case PSA_ERROR_BAD_STATE:
129             return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
130         case PSA_ERROR_COMMUNICATION_FAILURE:
131         case PSA_ERROR_HARDWARE_FAILURE:
132             return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
133         case PSA_ERROR_DATA_CORRUPT:
134         case PSA_ERROR_DATA_INVALID:
135         case PSA_ERROR_STORAGE_FAILURE:
136             return MBEDTLS_ERR_PK_FILE_IO_ERROR;
137         case PSA_ERROR_CORRUPTION_DETECTED:
138             return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
139         default:
140             return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
141     }
142 }
143 #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
144 #endif /* MBEDTLS_PSA_CRYPTO_C */
145 
146 #if defined(MBEDTLS_USE_PSA_CRYPTO)
147 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
mbedtls_pk_error_from_psa_ecdsa(psa_status_t status)148 int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status)
149 {
150     switch (status) {
151         case PSA_ERROR_NOT_PERMITTED:
152         case PSA_ERROR_INVALID_ARGUMENT:
153             return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
154         case PSA_ERROR_INVALID_HANDLE:
155             return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
156         case PSA_ERROR_BUFFER_TOO_SMALL:
157             return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
158         case PSA_ERROR_INSUFFICIENT_ENTROPY:
159             return MBEDTLS_ERR_ECP_RANDOM_FAILED;
160         case PSA_ERROR_INVALID_SIGNATURE:
161             return MBEDTLS_ERR_ECP_VERIFY_FAILED;
162         case PSA_SUCCESS:
163             return 0;
164         case PSA_ERROR_NOT_SUPPORTED:
165             return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
166         case PSA_ERROR_INSUFFICIENT_MEMORY:
167             return MBEDTLS_ERR_PK_ALLOC_FAILED;
168         case PSA_ERROR_BAD_STATE:
169             return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
170         case PSA_ERROR_COMMUNICATION_FAILURE:
171         case PSA_ERROR_HARDWARE_FAILURE:
172             return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
173         case PSA_ERROR_DATA_CORRUPT:
174         case PSA_ERROR_DATA_INVALID:
175         case PSA_ERROR_STORAGE_FAILURE:
176             return MBEDTLS_ERR_PK_FILE_IO_ERROR;
177         case PSA_ERROR_CORRUPTION_DETECTED:
178             return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
179         default:
180             return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
181     }
182 }
183 #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
184 #endif /* MBEDTLS_USE_PSA_CRYPTO */
185 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
186 
187 #if defined(MBEDTLS_RSA_C)
rsa_can_do(mbedtls_pk_type_t type)188 static int rsa_can_do(mbedtls_pk_type_t type)
189 {
190     return type == MBEDTLS_PK_RSA ||
191            type == MBEDTLS_PK_RSASSA_PSS;
192 }
193 
rsa_get_bitlen(const void * ctx)194 static size_t rsa_get_bitlen(const void *ctx)
195 {
196     const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) ctx;
197     return 8 * mbedtls_rsa_get_len(rsa);
198 }
199 
200 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)201 static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
202                            const unsigned char *hash, size_t hash_len,
203                            const unsigned char *sig, size_t sig_len)
204 {
205     mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
206     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
207     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
208     mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
209     psa_status_t status;
210     mbedtls_pk_context key;
211     int key_len;
212     unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
213     psa_algorithm_t psa_alg_md =
214         PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_hash_info_psa_from_md(md_alg));
215     size_t rsa_len = mbedtls_rsa_get_len(rsa);
216 
217     if (md_alg == MBEDTLS_MD_NONE && (int)UINT_MAX < (int)hash_len) {
218         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
219     }
220 
221     if (sig_len < rsa_len) {
222         return MBEDTLS_ERR_RSA_VERIFY_FAILED;
223     }
224 
225     /* mbedtls_pk_write_pubkey_der() expects a full PK context;
226      * re-construct one to make it happy */
227     key.pk_info = &mbedtls_rsa_info;
228     key.pk_ctx = ctx;
229     key_len = mbedtls_pk_write_pubkey_der(&key, buf, sizeof(buf));
230     if (key_len <= 0) {
231         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
232     }
233 
234     psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
235     psa_set_key_algorithm(&attributes, psa_alg_md);
236     psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
237 
238     status = psa_import_key(&attributes,
239                             buf + sizeof(buf) - key_len, key_len,
240                             &key_id);
241     if (status != PSA_SUCCESS) {
242         ret = PSA_PK_TO_MBEDTLS_ERR(status);
243         goto cleanup;
244     }
245 
246     status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len,
247                              sig, sig_len);
248     if (status != PSA_SUCCESS) {
249         ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
250         goto cleanup;
251     }
252     ret = 0;
253 
254 cleanup:
255     status = psa_destroy_key(key_id);
256     if (ret == 0 && status != PSA_SUCCESS) {
257         ret = PSA_PK_TO_MBEDTLS_ERR(status);
258     }
259 
260     return ret;
261 }
262 #else
rsa_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)263 static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
264                            const unsigned char *hash, size_t hash_len,
265                            const unsigned char *sig, size_t sig_len)
266 {
267     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
268     mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
269     size_t rsa_len = mbedtls_rsa_get_len(rsa);
270 
271     if (md_alg == MBEDTLS_MD_NONE && (int)UINT_MAX < (int)hash_len) {
272         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
273     }
274 
275     if (sig_len < rsa_len) {
276         return MBEDTLS_ERR_RSA_VERIFY_FAILED;
277     }
278 
279     if ((ret = mbedtls_rsa_pkcs1_verify(rsa, md_alg,
280                                         (unsigned int) hash_len,
281                                         hash, sig)) != 0) {
282         return ret;
283     }
284 
285     /* The buffer contains a valid signature followed by extra data.
286      * We have a special error code for that so that so that callers can
287      * use mbedtls_pk_verify() to check "Does the buffer start with a
288      * valid signature?" and not just "Does the buffer contain a valid
289      * signature?". */
290     if (sig_len > rsa_len) {
291         return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
292     }
293 
294     return 0;
295 }
296 #endif
297 
298 #if defined(MBEDTLS_PSA_CRYPTO_C)
mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,mbedtls_rsa_context * rsa_ctx,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len)299 int  mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
300                                  mbedtls_rsa_context *rsa_ctx,
301                                  const unsigned char *hash, size_t hash_len,
302                                  unsigned char *sig, size_t sig_size,
303                                  size_t *sig_len)
304 {
305     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
306     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
307     mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
308     psa_status_t status;
309     mbedtls_pk_context key;
310     int key_len;
311     unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
312     mbedtls_pk_info_t pk_info = mbedtls_rsa_info;
313 
314     *sig_len = mbedtls_rsa_get_len(rsa_ctx);
315     if (sig_size < *sig_len) {
316         return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
317     }
318 
319     /* mbedtls_pk_write_key_der() expects a full PK context;
320      * re-construct one to make it happy */
321     key.pk_info = &pk_info;
322     key.pk_ctx = rsa_ctx;
323     key_len = mbedtls_pk_write_key_der(&key, buf, sizeof(buf));
324     if (key_len <= 0) {
325         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
326     }
327     psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
328     psa_set_key_algorithm(&attributes, alg);
329     psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
330 
331     status = psa_import_key(&attributes,
332                             buf + sizeof(buf) - key_len, key_len,
333                             &key_id);
334     if (status != PSA_SUCCESS) {
335         ret = PSA_PK_TO_MBEDTLS_ERR(status);
336         goto cleanup;
337     }
338     status = psa_sign_hash(key_id, alg, hash, hash_len,
339                            sig, sig_size, sig_len);
340     if (status != PSA_SUCCESS) {
341         ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
342         goto cleanup;
343     }
344 
345     ret = 0;
346 
347 cleanup:
348     status = psa_destroy_key(key_id);
349     if (ret == 0 && status != PSA_SUCCESS) {
350         ret = PSA_PK_TO_MBEDTLS_ERR(status);
351     }
352     return ret;
353 }
354 #endif /* MBEDTLS_PSA_CRYPTO_C */
355 
356 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)357 static int rsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
358                          const unsigned char *hash, size_t hash_len,
359                          unsigned char *sig, size_t sig_size, size_t *sig_len,
360                          int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
361 {
362     ((void) f_rng);
363     ((void) p_rng);
364 
365     psa_algorithm_t psa_md_alg;
366     psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
367     if (psa_md_alg == 0) {
368         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
369     }
370 
371     return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PKCS1V15_SIGN(
372                                            psa_md_alg),
373                                        ctx, hash, hash_len,
374                                        sig, sig_size, sig_len);
375 }
376 #else
rsa_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)377 static int rsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
378                          const unsigned char *hash, size_t hash_len,
379                          unsigned char *sig, size_t sig_size, size_t *sig_len,
380                          int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
381 {
382     mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
383 
384     if (md_alg == MBEDTLS_MD_NONE && (int)UINT_MAX < (int)hash_len) {
385         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
386     }
387 
388     *sig_len = mbedtls_rsa_get_len(rsa);
389     if (sig_size < *sig_len) {
390         return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
391     }
392 
393     return mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng,
394                                   md_alg, (unsigned int) hash_len,
395                                   hash, sig);
396 }
397 #endif
398 
399 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_decrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)400 static int rsa_decrypt_wrap(void *ctx,
401                             const unsigned char *input, size_t ilen,
402                             unsigned char *output, size_t *olen, size_t osize,
403                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
404 {
405     mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
406     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
407     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
408     mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
409     psa_status_t status;
410     mbedtls_pk_context key;
411     int key_len;
412     unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
413 
414     ((void) f_rng);
415     ((void) p_rng);
416 
417 #if !defined(MBEDTLS_RSA_ALT)
418     if (rsa->padding != MBEDTLS_RSA_PKCS_V15) {
419         return MBEDTLS_ERR_RSA_INVALID_PADDING;
420     }
421 #endif /* !MBEDTLS_RSA_ALT */
422 
423     if (ilen != mbedtls_rsa_get_len(rsa)) {
424         return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
425     }
426 
427     /* mbedtls_pk_write_key_der() expects a full PK context;
428      * re-construct one to make it happy */
429     key.pk_info = &mbedtls_rsa_info;
430     key.pk_ctx = ctx;
431     key_len = mbedtls_pk_write_key_der(&key, buf, sizeof(buf));
432     if (key_len <= 0) {
433         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
434     }
435 
436     psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
437     psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
438     psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
439 
440     status = psa_import_key(&attributes,
441                             buf + sizeof(buf) - key_len, key_len,
442                             &key_id);
443     if (status != PSA_SUCCESS) {
444         ret = PSA_PK_TO_MBEDTLS_ERR(status);
445         goto cleanup;
446     }
447 
448     status = psa_asymmetric_decrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
449                                     input, ilen,
450                                     NULL, 0,
451                                     output, osize, olen);
452     if (status != PSA_SUCCESS) {
453         ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
454         goto cleanup;
455     }
456 
457     ret = 0;
458 
459 cleanup:
460     mbedtls_platform_zeroize(buf, sizeof(buf));
461     status = psa_destroy_key(key_id);
462     if (ret == 0 && status != PSA_SUCCESS) {
463         ret = PSA_PK_TO_MBEDTLS_ERR(status);
464     }
465 
466     return ret;
467 }
468 #else
rsa_decrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)469 static int rsa_decrypt_wrap(void *ctx,
470                             const unsigned char *input, size_t ilen,
471                             unsigned char *output, size_t *olen, size_t osize,
472                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
473 {
474     mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
475 
476     if (ilen != mbedtls_rsa_get_len(rsa)) {
477         return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
478     }
479 
480     return mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng,
481                                      olen, input, output, osize);
482 }
483 #endif
484 
485 #if defined(MBEDTLS_USE_PSA_CRYPTO)
rsa_encrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)486 static int rsa_encrypt_wrap(void *ctx,
487                             const unsigned char *input, size_t ilen,
488                             unsigned char *output, size_t *olen, size_t osize,
489                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
490 {
491     mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
492     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
493     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
494     mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
495     psa_status_t status;
496     mbedtls_pk_context key;
497     int key_len;
498     unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
499 
500     ((void) f_rng);
501     ((void) p_rng);
502 
503 #if !defined(MBEDTLS_RSA_ALT)
504     if (rsa->padding != MBEDTLS_RSA_PKCS_V15) {
505         return MBEDTLS_ERR_RSA_INVALID_PADDING;
506     }
507 #endif
508 
509     if (mbedtls_rsa_get_len(rsa) > osize) {
510         return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
511     }
512 
513     /* mbedtls_pk_write_pubkey_der() expects a full PK context;
514      * re-construct one to make it happy */
515     key.pk_info = &mbedtls_rsa_info;
516     key.pk_ctx = ctx;
517     key_len = mbedtls_pk_write_pubkey_der(&key, buf, sizeof(buf));
518     if (key_len <= 0) {
519         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
520     }
521 
522     psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
523     psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
524     psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
525 
526     status = psa_import_key(&attributes,
527                             buf + sizeof(buf) - key_len, key_len,
528                             &key_id);
529     if (status != PSA_SUCCESS) {
530         ret = PSA_PK_TO_MBEDTLS_ERR(status);
531         goto cleanup;
532     }
533 
534     status = psa_asymmetric_encrypt(key_id, PSA_ALG_RSA_PKCS1V15_CRYPT,
535                                     input, ilen,
536                                     NULL, 0,
537                                     output, osize, olen);
538     if (status != PSA_SUCCESS) {
539         ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
540         goto cleanup;
541     }
542 
543     ret = 0;
544 
545 cleanup:
546     status = psa_destroy_key(key_id);
547     if (ret == 0 && status != PSA_SUCCESS) {
548         ret = PSA_PK_TO_MBEDTLS_ERR(status);
549     }
550 
551     return ret;
552 }
553 #else
rsa_encrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)554 static int rsa_encrypt_wrap(void *ctx,
555                             const unsigned char *input, size_t ilen,
556                             unsigned char *output, size_t *olen, size_t osize,
557                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
558 {
559     mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
560     *olen = mbedtls_rsa_get_len(rsa);
561 
562     if (*olen > osize) {
563         return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
564     }
565 
566     return mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng,
567                                      ilen, input, output);
568 }
569 #endif
570 
rsa_check_pair_wrap(const void * pub,const void * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)571 static int rsa_check_pair_wrap(const void *pub, const void *prv,
572                                int (*f_rng)(void *, unsigned char *, size_t),
573                                void *p_rng)
574 {
575     (void) f_rng;
576     (void) p_rng;
577     return mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub,
578                                       (const mbedtls_rsa_context *) prv);
579 }
580 
rsa_alloc_wrap(void)581 static void *rsa_alloc_wrap(void)
582 {
583     void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
584 
585     if (ctx != NULL) {
586         mbedtls_rsa_init((mbedtls_rsa_context *) ctx);
587     }
588 
589     return ctx;
590 }
591 
rsa_free_wrap(void * ctx)592 static void rsa_free_wrap(void *ctx)
593 {
594     mbedtls_rsa_free((mbedtls_rsa_context *) ctx);
595     mbedtls_free(ctx);
596 }
597 
rsa_debug(const void * ctx,mbedtls_pk_debug_item * items)598 static void rsa_debug(const void *ctx, mbedtls_pk_debug_item *items)
599 {
600 #if defined(MBEDTLS_RSA_ALT)
601     /* Not supported */
602     (void) ctx;
603     (void) items;
604 #else
605     items->type = MBEDTLS_PK_DEBUG_MPI;
606     items->name = "rsa.N";
607     items->value = &(((mbedtls_rsa_context *) ctx)->N);
608 
609     items++;
610 
611     items->type = MBEDTLS_PK_DEBUG_MPI;
612     items->name = "rsa.E";
613     items->value = &(((mbedtls_rsa_context *) ctx)->E);
614 #endif
615 }
616 
617 const mbedtls_pk_info_t mbedtls_rsa_info = {
618     MBEDTLS_PK_RSA,
619     "RSA",
620     rsa_get_bitlen,
621     rsa_can_do,
622     rsa_verify_wrap,
623     rsa_sign_wrap,
624 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
625     NULL,
626     NULL,
627 #endif
628     rsa_decrypt_wrap,
629     rsa_encrypt_wrap,
630     rsa_check_pair_wrap,
631     rsa_alloc_wrap,
632     rsa_free_wrap,
633 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
634     NULL,
635     NULL,
636 #endif
637     rsa_debug,
638 };
639 #endif /* MBEDTLS_RSA_C */
640 
641 #if defined(MBEDTLS_ECP_C)
642 /*
643  * Generic EC key
644  */
eckey_can_do(mbedtls_pk_type_t type)645 static int eckey_can_do(mbedtls_pk_type_t type)
646 {
647     return type == MBEDTLS_PK_ECKEY ||
648            type == MBEDTLS_PK_ECKEY_DH ||
649            type == MBEDTLS_PK_ECDSA;
650 }
651 
eckey_get_bitlen(const void * ctx)652 static size_t eckey_get_bitlen(const void *ctx)
653 {
654     return ((mbedtls_ecp_keypair *) ctx)->grp.pbits;
655 }
656 
657 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
658 #if defined(MBEDTLS_USE_PSA_CRYPTO)
659 /*
660  * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
661  * those integers and convert it to the fixed-length encoding expected by PSA.
662  */
extract_ecdsa_sig_int(unsigned char ** from,const unsigned char * end,unsigned char * to,size_t to_len)663 static int extract_ecdsa_sig_int(unsigned char **from, const unsigned char *end,
664                                  unsigned char *to, size_t to_len)
665 {
666     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
667     size_t unpadded_len, padding_len;
668 
669     if ((ret = mbedtls_asn1_get_tag(from, end, &unpadded_len,
670                                     MBEDTLS_ASN1_INTEGER)) != 0) {
671         return ret;
672     }
673 
674     while (unpadded_len > 0 && **from == 0x00) {
675         (*from)++;
676         unpadded_len--;
677     }
678 
679     if (unpadded_len > to_len || unpadded_len == 0) {
680         return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
681     }
682 
683     padding_len = to_len - unpadded_len;
684     memset(to, 0x00, padding_len);
685     memcpy(to + padding_len, *from, unpadded_len);
686     (*from) += unpadded_len;
687 
688     return 0;
689 }
690 
691 /*
692  * Convert a signature from an ASN.1 sequence of two integers
693  * to a raw {r,s} buffer. Note: the provided sig buffer must be at least
694  * twice as big as int_size.
695  */
extract_ecdsa_sig(unsigned char ** p,const unsigned char * end,unsigned char * sig,size_t int_size)696 static int extract_ecdsa_sig(unsigned char **p, const unsigned char *end,
697                              unsigned char *sig, size_t int_size)
698 {
699     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
700     size_t tmp_size;
701 
702     if ((ret = mbedtls_asn1_get_tag(p, end, &tmp_size,
703                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
704         return ret;
705     }
706 
707     /* Extract r */
708     if ((ret = extract_ecdsa_sig_int(p, end, sig, int_size)) != 0) {
709         return ret;
710     }
711     /* Extract s */
712     if ((ret = extract_ecdsa_sig_int(p, end, sig + int_size, int_size)) != 0) {
713         return ret;
714     }
715 
716     return 0;
717 }
718 
ecdsa_verify_wrap(void * ctx_arg,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)719 static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
720                              const unsigned char *hash, size_t hash_len,
721                              const unsigned char *sig, size_t sig_len)
722 {
723     mbedtls_ecp_keypair *ctx = ctx_arg;
724     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
725     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
726     mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
727     psa_status_t status;
728     size_t key_len;
729     /* This buffer will initially contain the public key and then the signature
730      * but at different points in time. For all curves except secp224k1, which
731      * is not currently supported in PSA, the public key is one byte longer
732      * (header byte + 2 numbers, while the signature is only 2 numbers),
733      * so use that as the buffer size. */
734     unsigned char buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
735     unsigned char *p;
736     psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
737     size_t curve_bits;
738     psa_ecc_family_t curve =
739         mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
740     const size_t signature_part_size = (ctx->grp.nbits + 7) / 8;
741     ((void) md_alg);
742 
743     if (curve == 0) {
744         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
745     }
746 
747     psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
748     psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
749     psa_set_key_algorithm(&attributes, psa_sig_md);
750 
751     ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q,
752                                          MBEDTLS_ECP_PF_UNCOMPRESSED,
753                                          &key_len, buf, sizeof(buf));
754     if (ret != 0) {
755         goto cleanup;
756     }
757 
758     status = psa_import_key(&attributes,
759                             buf, key_len,
760                             &key_id);
761     if (status != PSA_SUCCESS) {
762         ret = PSA_PK_TO_MBEDTLS_ERR(status);
763         goto cleanup;
764     }
765 
766     /* We don't need the exported key anymore and can
767      * reuse its buffer for signature extraction. */
768     if (2 * signature_part_size > sizeof(buf)) {
769         ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
770         goto cleanup;
771     }
772 
773     p = (unsigned char *) sig;
774     if ((ret = extract_ecdsa_sig(&p, sig + sig_len, buf,
775                                  signature_part_size)) != 0) {
776         goto cleanup;
777     }
778 
779     status = psa_verify_hash(key_id, psa_sig_md,
780                              hash, hash_len,
781                              buf, 2 * signature_part_size);
782     if (status != PSA_SUCCESS) {
783         ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
784         goto cleanup;
785     }
786 
787     if (p != sig + sig_len) {
788         ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
789         goto cleanup;
790     }
791     ret = 0;
792 
793 cleanup:
794     status = psa_destroy_key(key_id);
795     if (ret == 0 && status != PSA_SUCCESS) {
796         ret = PSA_PK_TO_MBEDTLS_ERR(status);
797     }
798 
799     return ret;
800 }
801 #else /* MBEDTLS_USE_PSA_CRYPTO */
ecdsa_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)802 static int ecdsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
803                              const unsigned char *hash, size_t hash_len,
804                              const unsigned char *sig, size_t sig_len)
805 {
806     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
807     ((void) md_alg);
808 
809     ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) ctx,
810                                        hash, hash_len, sig, sig_len);
811 
812     if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
813         return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
814     }
815 
816     return ret;
817 }
818 #endif /* MBEDTLS_USE_PSA_CRYPTO */
819 #endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
820 
821 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
822 #if defined(MBEDTLS_USE_PSA_CRYPTO)
823 /*
824  * Simultaneously convert and move raw MPI from the beginning of a buffer
825  * to an ASN.1 MPI at the end of the buffer.
826  * See also mbedtls_asn1_write_mpi().
827  *
828  * p: pointer to the end of the output buffer
829  * start: start of the output buffer, and also of the mpi to write at the end
830  * n_len: length of the mpi to read from start
831  */
asn1_write_mpibuf(unsigned char ** p,unsigned char * start,size_t n_len)832 static int asn1_write_mpibuf(unsigned char **p, unsigned char *start,
833                              size_t n_len)
834 {
835     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
836     size_t len = 0;
837 
838     if ((size_t) (*p - start) < n_len) {
839         return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
840     }
841 
842     len = n_len;
843     *p -= len;
844     memmove(*p, start, len);
845 
846     /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
847      * Neither r nor s should be 0, but as a failsafe measure, still detect
848      * that rather than overflowing the buffer in case of a PSA error. */
849     while (len > 0 && **p == 0x00) {
850         ++(*p);
851         --len;
852     }
853 
854     /* this is only reached if the signature was invalid */
855     if (len == 0) {
856         return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
857     }
858 
859     /* if the msb is 1, ASN.1 requires that we prepend a 0.
860      * Neither r nor s can be 0, so we can assume len > 0 at all times. */
861     if (**p & 0x80) {
862         if (*p - start < 1) {
863             return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
864         }
865 
866         *--(*p) = 0x00;
867         len += 1;
868     }
869 
870     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
871     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
872                                                      MBEDTLS_ASN1_INTEGER));
873 
874     return (int) len;
875 }
876 
877 /* Transcode signature from PSA format to ASN.1 sequence.
878  * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of
879  * MPIs, and in-place.
880  *
881  * [in/out] sig: the signature pre- and post-transcoding
882  * [in/out] sig_len: signature length pre- and post-transcoding
883  * [int] buf_len: the available size the in/out buffer
884  */
pk_ecdsa_sig_asn1_from_psa(unsigned char * sig,size_t * sig_len,size_t buf_len)885 static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len,
886                                       size_t buf_len)
887 {
888     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
889     size_t len = 0;
890     const size_t rs_len = *sig_len / 2;
891     unsigned char *p = sig + buf_len;
892 
893     MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig + rs_len, rs_len));
894     MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig, rs_len));
895 
896     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, sig, len));
897     MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, sig,
898                                                      MBEDTLS_ASN1_CONSTRUCTED |
899                                                      MBEDTLS_ASN1_SEQUENCE));
900 
901     memmove(sig, p, len);
902     *sig_len = len;
903 
904     return 0;
905 }
906 
ecdsa_sign_wrap(void * ctx_arg,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)907 static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
908                            const unsigned char *hash, size_t hash_len,
909                            unsigned char *sig, size_t sig_size, size_t *sig_len,
910                            int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
911 {
912     mbedtls_ecp_keypair *ctx = ctx_arg;
913     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
914     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
915     mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
916     psa_status_t status;
917     unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
918 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
919     psa_algorithm_t psa_sig_md =
920         PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_hash_info_psa_from_md(md_alg));
921 #else
922     psa_algorithm_t psa_sig_md =
923         PSA_ALG_ECDSA(mbedtls_hash_info_psa_from_md(md_alg));
924 #endif
925     size_t curve_bits;
926     psa_ecc_family_t curve =
927         mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
928     size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
929 
930     /* PSA has its own RNG */
931     ((void) f_rng);
932     ((void) p_rng);
933 
934     if (curve == 0) {
935         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
936     }
937 
938     if (key_len > sizeof(buf)) {
939         return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
940     }
941     ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len);
942     if (ret != 0) {
943         goto cleanup;
944     }
945 
946     psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
947     psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
948     psa_set_key_algorithm(&attributes, psa_sig_md);
949 
950     status = psa_import_key(&attributes,
951                             buf, key_len,
952                             &key_id);
953     if (status != PSA_SUCCESS) {
954         ret = PSA_PK_TO_MBEDTLS_ERR(status);
955         goto cleanup;
956     }
957 
958     status = psa_sign_hash(key_id, psa_sig_md, hash, hash_len,
959                            sig, sig_size, sig_len);
960     if (status != PSA_SUCCESS) {
961         ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
962         goto cleanup;
963     }
964 
965     ret = pk_ecdsa_sig_asn1_from_psa(sig, sig_len, sig_size);
966 
967 cleanup:
968     mbedtls_platform_zeroize(buf, sizeof(buf));
969     status = psa_destroy_key(key_id);
970     if (ret == 0 && status != PSA_SUCCESS) {
971         ret = PSA_PK_TO_MBEDTLS_ERR(status);
972     }
973 
974     return ret;
975 }
976 #else /* MBEDTLS_USE_PSA_CRYPTO */
ecdsa_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)977 static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
978                            const unsigned char *hash, size_t hash_len,
979                            unsigned char *sig, size_t sig_size, size_t *sig_len,
980                            int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
981 {
982     return mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) ctx,
983                                          md_alg, hash, hash_len,
984                                          sig, sig_size, sig_len,
985                                          f_rng, p_rng);
986 }
987 #endif /* MBEDTLS_USE_PSA_CRYPTO */
988 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
989 
990 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
991 /* Forward declarations */
992 static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
993                                 const unsigned char *hash, size_t hash_len,
994                                 const unsigned char *sig, size_t sig_len,
995                                 void *rs_ctx);
996 
997 static int ecdsa_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
998                               const unsigned char *hash, size_t hash_len,
999                               unsigned char *sig, size_t sig_size, size_t *sig_len,
1000                               int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1001                               void *rs_ctx);
1002 
1003 /*
1004  * Restart context for ECDSA operations with ECKEY context
1005  *
1006  * We need to store an actual ECDSA context, as we need to pass the same to
1007  * the underlying ecdsa function, so we can't create it on the fly every time.
1008  */
1009 typedef struct {
1010     mbedtls_ecdsa_restart_ctx ecdsa_rs;
1011     mbedtls_ecdsa_context ecdsa_ctx;
1012 } eckey_restart_ctx;
1013 
eckey_rs_alloc(void)1014 static void *eckey_rs_alloc(void)
1015 {
1016     eckey_restart_ctx *rs_ctx;
1017 
1018     void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
1019 
1020     if (ctx != NULL) {
1021         rs_ctx = ctx;
1022         mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
1023         mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
1024     }
1025 
1026     return ctx;
1027 }
1028 
eckey_rs_free(void * ctx)1029 static void eckey_rs_free(void *ctx)
1030 {
1031     eckey_restart_ctx *rs_ctx;
1032 
1033     if (ctx == NULL) {
1034         return;
1035     }
1036 
1037     rs_ctx = ctx;
1038     mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
1039     mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
1040 
1041     mbedtls_free(ctx);
1042 }
1043 
eckey_verify_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)1044 static int eckey_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
1045                                 const unsigned char *hash, size_t hash_len,
1046                                 const unsigned char *sig, size_t sig_len,
1047                                 void *rs_ctx)
1048 {
1049     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1050     eckey_restart_ctx *rs = rs_ctx;
1051 
1052     /* Should never happen */
1053     if (rs == NULL) {
1054         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1055     }
1056 
1057     /* set up our own sub-context if needed (that is, on first run) */
1058     if (rs->ecdsa_ctx.grp.pbits == 0) {
1059         MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, ctx));
1060     }
1061 
1062     MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(&rs->ecdsa_ctx,
1063                                          md_alg, hash, hash_len,
1064                                          sig, sig_len, &rs->ecdsa_rs));
1065 
1066 cleanup:
1067     return ret;
1068 }
1069 
eckey_sign_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)1070 static int eckey_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
1071                               const unsigned char *hash, size_t hash_len,
1072                               unsigned char *sig, size_t sig_size, size_t *sig_len,
1073                               int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1074                               void *rs_ctx)
1075 {
1076     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1077     eckey_restart_ctx *rs = rs_ctx;
1078 
1079     /* Should never happen */
1080     if (rs == NULL) {
1081         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1082     }
1083 
1084     /* set up our own sub-context if needed (that is, on first run) */
1085     if (rs->ecdsa_ctx.grp.pbits == 0) {
1086         MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, ctx));
1087     }
1088 
1089     MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(&rs->ecdsa_ctx, md_alg,
1090                                        hash, hash_len, sig, sig_size, sig_len,
1091                                        f_rng, p_rng, &rs->ecdsa_rs));
1092 
1093 cleanup:
1094     return ret;
1095 }
1096 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1097 
eckey_check_pair(const void * pub,const void * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1098 static int eckey_check_pair(const void *pub, const void *prv,
1099                             int (*f_rng)(void *, unsigned char *, size_t),
1100                             void *p_rng)
1101 {
1102     return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub,
1103                                       (const mbedtls_ecp_keypair *) prv,
1104                                       f_rng, p_rng);
1105 }
1106 
eckey_alloc_wrap(void)1107 static void *eckey_alloc_wrap(void)
1108 {
1109     void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
1110 
1111     if (ctx != NULL) {
1112         mbedtls_ecp_keypair_init(ctx);
1113     }
1114 
1115     return ctx;
1116 }
1117 
eckey_free_wrap(void * ctx)1118 static void eckey_free_wrap(void *ctx)
1119 {
1120     mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
1121     mbedtls_free(ctx);
1122 }
1123 
eckey_debug(const void * ctx,mbedtls_pk_debug_item * items)1124 static void eckey_debug(const void *ctx, mbedtls_pk_debug_item *items)
1125 {
1126     items->type = MBEDTLS_PK_DEBUG_ECP;
1127     items->name = "eckey.Q";
1128     items->value = &(((mbedtls_ecp_keypair *) ctx)->Q);
1129 }
1130 
1131 const mbedtls_pk_info_t mbedtls_eckey_info = {
1132     MBEDTLS_PK_ECKEY,
1133     "EC",
1134     eckey_get_bitlen,
1135     eckey_can_do,
1136 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1137     ecdsa_verify_wrap,   /* Compatible key structures */
1138 #else
1139     NULL,
1140 #endif
1141 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1142     ecdsa_sign_wrap,   /* Compatible key structures */
1143 #else
1144     NULL,
1145 #endif
1146 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1147     eckey_verify_rs_wrap,
1148     eckey_sign_rs_wrap,
1149 #endif
1150     NULL,
1151     NULL,
1152     eckey_check_pair,
1153     eckey_alloc_wrap,
1154     eckey_free_wrap,
1155 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1156     eckey_rs_alloc,
1157     eckey_rs_free,
1158 #endif
1159     eckey_debug,
1160 };
1161 
1162 /*
1163  * EC key restricted to ECDH
1164  */
eckeydh_can_do(mbedtls_pk_type_t type)1165 static int eckeydh_can_do(mbedtls_pk_type_t type)
1166 {
1167     return type == MBEDTLS_PK_ECKEY ||
1168            type == MBEDTLS_PK_ECKEY_DH;
1169 }
1170 
1171 const mbedtls_pk_info_t mbedtls_eckeydh_info = {
1172     MBEDTLS_PK_ECKEY_DH,
1173     "EC_DH",
1174     eckey_get_bitlen,         /* Same underlying key structure */
1175     eckeydh_can_do,
1176     NULL,
1177     NULL,
1178 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1179     NULL,
1180     NULL,
1181 #endif
1182     NULL,
1183     NULL,
1184     eckey_check_pair,
1185     eckey_alloc_wrap,       /* Same underlying key structure */
1186     eckey_free_wrap,        /* Same underlying key structure */
1187 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1188     NULL,
1189     NULL,
1190 #endif
1191     eckey_debug,            /* Same underlying key structure */
1192 };
1193 #endif /* MBEDTLS_ECP_C */
1194 
1195 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
ecdsa_can_do(mbedtls_pk_type_t type)1196 static int ecdsa_can_do(mbedtls_pk_type_t type)
1197 {
1198     return type == MBEDTLS_PK_ECDSA;
1199 }
1200 
1201 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
ecdsa_verify_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)1202 static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
1203                                 const unsigned char *hash, size_t hash_len,
1204                                 const unsigned char *sig, size_t sig_len,
1205                                 void *rs_ctx)
1206 {
1207     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1208     ((void) md_alg);
1209 
1210     ret = mbedtls_ecdsa_read_signature_restartable(
1211         (mbedtls_ecdsa_context *) ctx,
1212         hash, hash_len, sig, sig_len,
1213         (mbedtls_ecdsa_restart_ctx *) rs_ctx);
1214 
1215     if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
1216         return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
1217     }
1218 
1219     return ret;
1220 }
1221 
ecdsa_sign_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)1222 static int ecdsa_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
1223                               const unsigned char *hash, size_t hash_len,
1224                               unsigned char *sig, size_t sig_size, size_t *sig_len,
1225                               int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1226                               void *rs_ctx)
1227 {
1228     return mbedtls_ecdsa_write_signature_restartable(
1229         (mbedtls_ecdsa_context *) ctx,
1230         md_alg, hash, hash_len, sig, sig_size, sig_len, f_rng, p_rng,
1231         (mbedtls_ecdsa_restart_ctx *) rs_ctx);
1232 
1233 }
1234 
ecdsa_rs_alloc(void)1235 static void *ecdsa_rs_alloc(void)
1236 {
1237     void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
1238 
1239     if (ctx != NULL) {
1240         mbedtls_ecdsa_restart_init(ctx);
1241     }
1242 
1243     return ctx;
1244 }
1245 
ecdsa_rs_free(void * ctx)1246 static void ecdsa_rs_free(void *ctx)
1247 {
1248     mbedtls_ecdsa_restart_free(ctx);
1249     mbedtls_free(ctx);
1250 }
1251 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1252 
1253 const mbedtls_pk_info_t mbedtls_ecdsa_info = {
1254     MBEDTLS_PK_ECDSA,
1255     "ECDSA",
1256     eckey_get_bitlen,     /* Compatible key structures */
1257     ecdsa_can_do,
1258 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1259     ecdsa_verify_wrap,   /* Compatible key structures */
1260 #else
1261     NULL,
1262 #endif
1263 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1264     ecdsa_sign_wrap,   /* Compatible key structures */
1265 #else
1266     NULL,
1267 #endif
1268 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1269     ecdsa_verify_rs_wrap,
1270     ecdsa_sign_rs_wrap,
1271 #endif
1272     NULL,
1273     NULL,
1274     eckey_check_pair,   /* Compatible key structures */
1275     eckey_alloc_wrap,   /* Compatible key structures */
1276     eckey_free_wrap,   /* Compatible key structures */
1277 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1278     ecdsa_rs_alloc,
1279     ecdsa_rs_free,
1280 #endif
1281     eckey_debug,        /* Compatible key structures */
1282 };
1283 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
1284 
1285 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
1286 /*
1287  * Support for alternative RSA-private implementations
1288  */
1289 
rsa_alt_can_do(mbedtls_pk_type_t type)1290 static int rsa_alt_can_do(mbedtls_pk_type_t type)
1291 {
1292     return type == MBEDTLS_PK_RSA;
1293 }
1294 
rsa_alt_get_bitlen(const void * ctx)1295 static size_t rsa_alt_get_bitlen(const void *ctx)
1296 {
1297     const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
1298 
1299     return 8 * rsa_alt->key_len_func(rsa_alt->key);
1300 }
1301 
rsa_alt_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1302 static int rsa_alt_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
1303                              const unsigned char *hash, size_t hash_len,
1304                              unsigned char *sig, size_t sig_size, size_t *sig_len,
1305                              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1306 {
1307     mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
1308 
1309     if ((int)UINT_MAX < (int)hash_len) {
1310         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1311     }
1312 
1313     *sig_len = rsa_alt->key_len_func(rsa_alt->key);
1314     if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
1315         return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1316     }
1317     if (*sig_len > sig_size) {
1318         return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
1319     }
1320 
1321     return rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng,
1322                               md_alg, (unsigned int) hash_len, hash, sig);
1323 }
1324 
rsa_alt_decrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1325 static int rsa_alt_decrypt_wrap(void *ctx,
1326                                 const unsigned char *input, size_t ilen,
1327                                 unsigned char *output, size_t *olen, size_t osize,
1328                                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1329 {
1330     mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
1331 
1332     ((void) f_rng);
1333     ((void) p_rng);
1334 
1335     if (ilen != rsa_alt->key_len_func(rsa_alt->key)) {
1336         return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1337     }
1338 
1339     return rsa_alt->decrypt_func(rsa_alt->key,
1340                                  olen, input, output, osize);
1341 }
1342 
1343 #if defined(MBEDTLS_RSA_C)
rsa_alt_check_pair(const void * pub,const void * prv,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1344 static int rsa_alt_check_pair(const void *pub, const void *prv,
1345                               int (*f_rng)(void *, unsigned char *, size_t),
1346                               void *p_rng)
1347 {
1348     unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
1349     unsigned char hash[32];
1350     size_t sig_len = 0;
1351     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1352 
1353     if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub)) {
1354         return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1355     }
1356 
1357     memset(hash, 0x2a, sizeof(hash));
1358 
1359     if ((ret = rsa_alt_sign_wrap((void *) prv, MBEDTLS_MD_NONE,
1360                                  hash, sizeof(hash),
1361                                  sig, sizeof(sig), &sig_len,
1362                                  f_rng, p_rng)) != 0) {
1363         return ret;
1364     }
1365 
1366     if (rsa_verify_wrap((void *) pub, MBEDTLS_MD_NONE,
1367                         hash, sizeof(hash), sig, sig_len) != 0) {
1368         return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1369     }
1370 
1371     return 0;
1372 }
1373 #endif /* MBEDTLS_RSA_C */
1374 
rsa_alt_alloc_wrap(void)1375 static void *rsa_alt_alloc_wrap(void)
1376 {
1377     void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context));
1378 
1379     if (ctx != NULL) {
1380         memset(ctx, 0, sizeof(mbedtls_rsa_alt_context));
1381     }
1382 
1383     return ctx;
1384 }
1385 
rsa_alt_free_wrap(void * ctx)1386 static void rsa_alt_free_wrap(void *ctx)
1387 {
1388     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_rsa_alt_context));
1389     mbedtls_free(ctx);
1390 }
1391 
1392 const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
1393     MBEDTLS_PK_RSA_ALT,
1394     "RSA-alt",
1395     rsa_alt_get_bitlen,
1396     rsa_alt_can_do,
1397     NULL,
1398     rsa_alt_sign_wrap,
1399 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1400     NULL,
1401     NULL,
1402 #endif
1403     rsa_alt_decrypt_wrap,
1404     NULL,
1405 #if defined(MBEDTLS_RSA_C)
1406     rsa_alt_check_pair,
1407 #else
1408     NULL,
1409 #endif
1410     rsa_alt_alloc_wrap,
1411     rsa_alt_free_wrap,
1412 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1413     NULL,
1414     NULL,
1415 #endif
1416     NULL,
1417 };
1418 
1419 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
1420 
1421 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1422 
pk_opaque_alloc_wrap(void)1423 static void *pk_opaque_alloc_wrap(void)
1424 {
1425     void *ctx = mbedtls_calloc(1, sizeof(mbedtls_svc_key_id_t));
1426 
1427     /* no _init() function to call, as calloc() already zeroized */
1428 
1429     return ctx;
1430 }
1431 
pk_opaque_free_wrap(void * ctx)1432 static void pk_opaque_free_wrap(void *ctx)
1433 {
1434     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_svc_key_id_t));
1435     mbedtls_free(ctx);
1436 }
1437 
pk_opaque_get_bitlen(const void * ctx)1438 static size_t pk_opaque_get_bitlen(const void *ctx)
1439 {
1440     const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx;
1441     size_t bits;
1442     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1443 
1444     if (PSA_SUCCESS != psa_get_key_attributes(*key, &attributes)) {
1445         return 0;
1446     }
1447 
1448     bits = psa_get_key_bits(&attributes);
1449     psa_reset_key_attributes(&attributes);
1450     return bits;
1451 }
1452 
pk_opaque_ecdsa_can_do(mbedtls_pk_type_t type)1453 static int pk_opaque_ecdsa_can_do(mbedtls_pk_type_t type)
1454 {
1455     return type == MBEDTLS_PK_ECKEY ||
1456            type == MBEDTLS_PK_ECDSA;
1457 }
1458 
pk_opaque_rsa_can_do(mbedtls_pk_type_t type)1459 static int pk_opaque_rsa_can_do(mbedtls_pk_type_t type)
1460 {
1461     return type == MBEDTLS_PK_RSA ||
1462            type == MBEDTLS_PK_RSASSA_PSS;
1463 }
1464 
pk_opaque_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t sig_size,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1465 static int pk_opaque_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
1466                                const unsigned char *hash, size_t hash_len,
1467                                unsigned char *sig, size_t sig_size, size_t *sig_len,
1468                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1469 {
1470 #if !defined(MBEDTLS_PK_CAN_ECDSA_SIGN) && !defined(MBEDTLS_RSA_C)
1471     ((void) ctx);
1472     ((void) md_alg);
1473     ((void) hash);
1474     ((void) hash_len);
1475     ((void) sig);
1476     ((void) sig_size);
1477     ((void) sig_len);
1478     ((void) f_rng);
1479     ((void) p_rng);
1480     return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1481 #else /* !MBEDTLS_PK_CAN_ECDSA_SIGN && !MBEDTLS_RSA_C */
1482     const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx;
1483     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1484     psa_algorithm_t alg;
1485     psa_key_type_t type;
1486     psa_status_t status;
1487 
1488     /* PSA has its own RNG */
1489     (void) f_rng;
1490     (void) p_rng;
1491 
1492     status = psa_get_key_attributes(*key, &attributes);
1493     if (status != PSA_SUCCESS) {
1494         return PSA_PK_TO_MBEDTLS_ERR(status);
1495     }
1496 
1497     type = psa_get_key_type(&attributes);
1498     psa_reset_key_attributes(&attributes);
1499 
1500 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1501     if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
1502         alg = PSA_ALG_ECDSA(mbedtls_hash_info_psa_from_md(md_alg));
1503     } else
1504 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1505 #if defined(MBEDTLS_RSA_C)
1506     if (PSA_KEY_TYPE_IS_RSA(type)) {
1507         alg = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_hash_info_psa_from_md(md_alg));
1508     } else
1509 #endif /* MBEDTLS_RSA_C */
1510     return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1511 
1512     /* make the signature */
1513     status = psa_sign_hash(*key, alg, hash, hash_len,
1514                            sig, sig_size, sig_len);
1515     if (status != PSA_SUCCESS) {
1516 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1517         if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
1518             return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
1519         } else
1520 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1521 #if defined(MBEDTLS_RSA_C)
1522         if (PSA_KEY_TYPE_IS_RSA(type)) {
1523             return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
1524         } else
1525 #endif /* MBEDTLS_RSA_C */
1526         return PSA_PK_TO_MBEDTLS_ERR(status);
1527     }
1528 
1529 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1530     if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
1531         /* transcode it to ASN.1 sequence */
1532         return pk_ecdsa_sig_asn1_from_psa(sig, sig_len, sig_size);
1533     }
1534 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1535 
1536     return 0;
1537 #endif /* !MBEDTLS_PK_CAN_ECDSA_SIGN && !MBEDTLS_RSA_C */
1538 }
1539 
1540 const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info = {
1541     MBEDTLS_PK_OPAQUE,
1542     "Opaque",
1543     pk_opaque_get_bitlen,
1544     pk_opaque_ecdsa_can_do,
1545     NULL, /* verify - will be done later */
1546     pk_opaque_sign_wrap,
1547 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1548     NULL, /* restartable verify - not relevant */
1549     NULL, /* restartable sign - not relevant */
1550 #endif
1551     NULL, /* decrypt - not relevant */
1552     NULL, /* encrypt - not relevant */
1553     NULL, /* check_pair - could be done later or left NULL */
1554     pk_opaque_alloc_wrap,
1555     pk_opaque_free_wrap,
1556 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1557     NULL, /* restart alloc - not relevant */
1558     NULL, /* restart free - not relevant */
1559 #endif
1560     NULL, /* debug - could be done later, or even left NULL */
1561 };
1562 
1563 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
pk_opaque_rsa_decrypt(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1564 static int pk_opaque_rsa_decrypt(void *ctx,
1565                                  const unsigned char *input, size_t ilen,
1566                                  unsigned char *output, size_t *olen, size_t osize,
1567                                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1568 {
1569     const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx;
1570     psa_status_t status;
1571 
1572     /* PSA has its own RNG */
1573     (void) f_rng;
1574     (void) p_rng;
1575 
1576     status = psa_asymmetric_decrypt(*key, PSA_ALG_RSA_PKCS1V15_CRYPT,
1577                                     input, ilen,
1578                                     NULL, 0,
1579                                     output, osize, olen);
1580     if (status != PSA_SUCCESS) {
1581         return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
1582     }
1583 
1584     return 0;
1585 }
1586 #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
1587 
1588 const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info = {
1589     MBEDTLS_PK_OPAQUE,
1590     "Opaque",
1591     pk_opaque_get_bitlen,
1592     pk_opaque_rsa_can_do,
1593     NULL, /* verify - will be done later */
1594     pk_opaque_sign_wrap,
1595 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1596     NULL, /* restartable verify - not relevant */
1597     NULL, /* restartable sign - not relevant */
1598 #endif
1599 #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
1600     pk_opaque_rsa_decrypt,
1601 #else
1602     NULL, /* decrypt - not available */
1603 #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */
1604     NULL, /* encrypt - will be done later */
1605     NULL, /* check_pair - could be done later or left NULL */
1606     pk_opaque_alloc_wrap,
1607     pk_opaque_free_wrap,
1608 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1609     NULL, /* restart alloc - not relevant */
1610     NULL, /* restart free - not relevant */
1611 #endif
1612     NULL, /* debug - could be done later, or even left NULL */
1613 };
1614 
1615 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1616 
1617 #endif /* MBEDTLS_PK_C */
1618