1 /*
2 * Public Key abstraction layer: wrapper functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "common.h"
9
10 #if defined(MBEDTLS_PK_C)
11 #include "mbedtls/pk_internal.h"
12 #include "mbedtls/error.h"
13
14 /* Even if RSA not activated, for the sake of RSA-alt */
15 #include "mbedtls/rsa.h"
16
17 #include <string.h>
18
19 #if defined(MBEDTLS_ECP_C)
20 #include "mbedtls/ecp.h"
21 #endif
22
23 #if defined(MBEDTLS_ECDSA_C)
24 #include "mbedtls/ecdsa.h"
25 #endif
26
27 #if defined(MBEDTLS_USE_PSA_CRYPTO)
28 #include "mbedtls/asn1write.h"
29 #endif
30
31 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
32 #include "mbedtls/platform_util.h"
33 #endif
34
35 #if defined(MBEDTLS_USE_PSA_CRYPTO)
36 #include "psa/crypto.h"
37 #include "mbedtls/psa_util.h"
38 #include "mbedtls/asn1.h"
39 #endif
40
41 #include "mbedtls/platform.h"
42
43 #include <limits.h>
44 #include <stdint.h>
45
46 #if defined(MBEDTLS_RSA_C)
rsa_can_do(mbedtls_pk_type_t type)47 static int rsa_can_do(mbedtls_pk_type_t type)
48 {
49 return type == MBEDTLS_PK_RSA ||
50 type == MBEDTLS_PK_RSASSA_PSS;
51 }
52
rsa_get_bitlen(const void * ctx)53 static size_t rsa_get_bitlen(const void *ctx)
54 {
55 const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) ctx;
56 return 8 * mbedtls_rsa_get_len(rsa);
57 }
58
rsa_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)59 static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
60 const unsigned char *hash, size_t hash_len,
61 const unsigned char *sig, size_t sig_len)
62 {
63 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
64 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
65 size_t rsa_len = mbedtls_rsa_get_len(rsa);
66
67 #if SIZE_MAX > UINT_MAX
68 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
69 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
70 }
71 #endif /* SIZE_MAX > UINT_MAX */
72
73 if (sig_len < rsa_len) {
74 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
75 }
76
77 if ((ret = mbedtls_rsa_pkcs1_verify(rsa, NULL, NULL,
78 MBEDTLS_RSA_PUBLIC, md_alg,
79 (unsigned int) hash_len, hash, sig)) != 0) {
80 return ret;
81 }
82
83 /* The buffer contains a valid signature followed by extra data.
84 * We have a special error code for that so that so that callers can
85 * use mbedtls_pk_verify() to check "Does the buffer start with a
86 * valid signature?" and not just "Does the buffer contain a valid
87 * signature?". */
88 if (sig_len > rsa_len) {
89 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
90 }
91
92 return 0;
93 }
94
rsa_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)95 static int rsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
96 const unsigned char *hash, size_t hash_len,
97 unsigned char *sig, size_t *sig_len,
98 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
99 {
100 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
101
102 #if SIZE_MAX > UINT_MAX
103 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
104 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
105 }
106 #endif /* SIZE_MAX > UINT_MAX */
107
108 *sig_len = mbedtls_rsa_get_len(rsa);
109
110 return mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
111 md_alg, (unsigned int) hash_len, hash, sig);
112 }
113
rsa_decrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)114 static int rsa_decrypt_wrap(void *ctx,
115 const unsigned char *input, size_t ilen,
116 unsigned char *output, size_t *olen, size_t osize,
117 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
118 {
119 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
120
121 if (ilen != mbedtls_rsa_get_len(rsa)) {
122 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
123 }
124
125 return mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng,
126 MBEDTLS_RSA_PRIVATE, olen, input, output, osize);
127 }
128
rsa_encrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)129 static int rsa_encrypt_wrap(void *ctx,
130 const unsigned char *input, size_t ilen,
131 unsigned char *output, size_t *olen, size_t osize,
132 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
133 {
134 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
135 *olen = mbedtls_rsa_get_len(rsa);
136
137 if (*olen > osize) {
138 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
139 }
140
141 return mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC,
142 ilen, input, output);
143 }
144
rsa_check_pair_wrap(const void * pub,const void * prv)145 static int rsa_check_pair_wrap(const void *pub, const void *prv)
146 {
147 return mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub,
148 (const mbedtls_rsa_context *) prv);
149 }
150
rsa_alloc_wrap(void)151 static void *rsa_alloc_wrap(void)
152 {
153 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
154
155 if (ctx != NULL) {
156 mbedtls_rsa_init((mbedtls_rsa_context *) ctx, 0, 0);
157 }
158
159 return ctx;
160 }
161
rsa_free_wrap(void * ctx)162 static void rsa_free_wrap(void *ctx)
163 {
164 mbedtls_rsa_free((mbedtls_rsa_context *) ctx);
165 mbedtls_free(ctx);
166 }
167
rsa_debug(const void * ctx,mbedtls_pk_debug_item * items)168 static void rsa_debug(const void *ctx, mbedtls_pk_debug_item *items)
169 {
170 items->type = MBEDTLS_PK_DEBUG_MPI;
171 items->name = "rsa.N";
172 items->value = &(((mbedtls_rsa_context *) ctx)->N);
173
174 items++;
175
176 items->type = MBEDTLS_PK_DEBUG_MPI;
177 items->name = "rsa.E";
178 items->value = &(((mbedtls_rsa_context *) ctx)->E);
179 }
180
181 const mbedtls_pk_info_t mbedtls_rsa_info = {
182 MBEDTLS_PK_RSA,
183 "RSA",
184 rsa_get_bitlen,
185 rsa_can_do,
186 rsa_verify_wrap,
187 rsa_sign_wrap,
188 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
189 NULL,
190 NULL,
191 #endif
192 rsa_decrypt_wrap,
193 rsa_encrypt_wrap,
194 rsa_check_pair_wrap,
195 rsa_alloc_wrap,
196 rsa_free_wrap,
197 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
198 NULL,
199 NULL,
200 #endif
201 rsa_debug,
202 };
203 #endif /* MBEDTLS_RSA_C */
204
205 #if defined(MBEDTLS_ECP_C)
206 /*
207 * Generic EC key
208 */
eckey_can_do(mbedtls_pk_type_t type)209 static int eckey_can_do(mbedtls_pk_type_t type)
210 {
211 return type == MBEDTLS_PK_ECKEY ||
212 type == MBEDTLS_PK_ECKEY_DH ||
213 type == MBEDTLS_PK_ECDSA;
214 }
215
eckey_get_bitlen(const void * ctx)216 static size_t eckey_get_bitlen(const void *ctx)
217 {
218 return ((mbedtls_ecp_keypair *) ctx)->grp.pbits;
219 }
220
221 #if defined(MBEDTLS_ECDSA_C)
222 /* Forward declarations */
223 static int ecdsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
224 const unsigned char *hash, size_t hash_len,
225 const unsigned char *sig, size_t sig_len);
226
227 static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
228 const unsigned char *hash, size_t hash_len,
229 unsigned char *sig, size_t *sig_len,
230 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
231
eckey_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)232 static int eckey_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
233 const unsigned char *hash, size_t hash_len,
234 const unsigned char *sig, size_t sig_len)
235 {
236 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
237 mbedtls_ecdsa_context ecdsa;
238
239 mbedtls_ecdsa_init(&ecdsa);
240
241 if ((ret = mbedtls_ecdsa_from_keypair(&ecdsa, ctx)) == 0) {
242 ret = ecdsa_verify_wrap(&ecdsa, md_alg, hash, hash_len, sig, sig_len);
243 }
244
245 mbedtls_ecdsa_free(&ecdsa);
246
247 return ret;
248 }
249
eckey_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)250 static int eckey_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
251 const unsigned char *hash, size_t hash_len,
252 unsigned char *sig, size_t *sig_len,
253 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
254 {
255 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
256 mbedtls_ecdsa_context ecdsa;
257
258 mbedtls_ecdsa_init(&ecdsa);
259
260 if ((ret = mbedtls_ecdsa_from_keypair(&ecdsa, ctx)) == 0) {
261 ret = ecdsa_sign_wrap(&ecdsa, md_alg, hash, hash_len, sig, sig_len,
262 f_rng, p_rng);
263 }
264
265 mbedtls_ecdsa_free(&ecdsa);
266
267 return ret;
268 }
269
270 #if defined(MBEDTLS_ECP_RESTARTABLE)
271 /* Forward declarations */
272 static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
273 const unsigned char *hash, size_t hash_len,
274 const unsigned char *sig, size_t sig_len,
275 void *rs_ctx);
276
277 static int ecdsa_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
278 const unsigned char *hash, size_t hash_len,
279 unsigned char *sig, size_t *sig_len,
280 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
281 void *rs_ctx);
282
283 /*
284 * Restart context for ECDSA operations with ECKEY context
285 *
286 * We need to store an actual ECDSA context, as we need to pass the same to
287 * the underlying ecdsa function, so we can't create it on the fly every time.
288 */
289 typedef struct {
290 mbedtls_ecdsa_restart_ctx ecdsa_rs;
291 mbedtls_ecdsa_context ecdsa_ctx;
292 } eckey_restart_ctx;
293
eckey_rs_alloc(void)294 static void *eckey_rs_alloc(void)
295 {
296 eckey_restart_ctx *rs_ctx;
297
298 void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
299
300 if (ctx != NULL) {
301 rs_ctx = ctx;
302 mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
303 mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
304 }
305
306 return ctx;
307 }
308
eckey_rs_free(void * ctx)309 static void eckey_rs_free(void *ctx)
310 {
311 eckey_restart_ctx *rs_ctx;
312
313 if (ctx == NULL) {
314 return;
315 }
316
317 rs_ctx = ctx;
318 mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
319 mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
320
321 mbedtls_free(ctx);
322 }
323
eckey_verify_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)324 static int eckey_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
325 const unsigned char *hash, size_t hash_len,
326 const unsigned char *sig, size_t sig_len,
327 void *rs_ctx)
328 {
329 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
330 eckey_restart_ctx *rs = rs_ctx;
331
332 /* Should never happen */
333 if (rs == NULL) {
334 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
335 }
336
337 /* set up our own sub-context if needed (that is, on first run) */
338 if (rs->ecdsa_ctx.grp.pbits == 0) {
339 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, ctx));
340 }
341
342 MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(&rs->ecdsa_ctx,
343 md_alg, hash, hash_len,
344 sig, sig_len, &rs->ecdsa_rs));
345
346 cleanup:
347 return ret;
348 }
349
eckey_sign_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)350 static int eckey_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
351 const unsigned char *hash, size_t hash_len,
352 unsigned char *sig, size_t *sig_len,
353 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
354 void *rs_ctx)
355 {
356 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
357 eckey_restart_ctx *rs = rs_ctx;
358
359 /* Should never happen */
360 if (rs == NULL) {
361 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
362 }
363
364 /* set up our own sub-context if needed (that is, on first run) */
365 if (rs->ecdsa_ctx.grp.pbits == 0) {
366 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, ctx));
367 }
368
369 MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(&rs->ecdsa_ctx, md_alg,
370 hash, hash_len, sig, sig_len,
371 f_rng, p_rng, &rs->ecdsa_rs));
372
373 cleanup:
374 return ret;
375 }
376 #endif /* MBEDTLS_ECP_RESTARTABLE */
377 #endif /* MBEDTLS_ECDSA_C */
378
eckey_check_pair(const void * pub,const void * prv)379 static int eckey_check_pair(const void *pub, const void *prv)
380 {
381 return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub,
382 (const mbedtls_ecp_keypair *) prv);
383 }
384
eckey_alloc_wrap(void)385 static void *eckey_alloc_wrap(void)
386 {
387 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
388
389 if (ctx != NULL) {
390 mbedtls_ecp_keypair_init(ctx);
391 }
392
393 return ctx;
394 }
395
eckey_free_wrap(void * ctx)396 static void eckey_free_wrap(void *ctx)
397 {
398 mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
399 mbedtls_free(ctx);
400 }
401
eckey_debug(const void * ctx,mbedtls_pk_debug_item * items)402 static void eckey_debug(const void *ctx, mbedtls_pk_debug_item *items)
403 {
404 items->type = MBEDTLS_PK_DEBUG_ECP;
405 items->name = "eckey.Q";
406 items->value = &(((mbedtls_ecp_keypair *) ctx)->Q);
407 }
408
409 const mbedtls_pk_info_t mbedtls_eckey_info = {
410 MBEDTLS_PK_ECKEY,
411 "EC",
412 eckey_get_bitlen,
413 eckey_can_do,
414 #if defined(MBEDTLS_ECDSA_C)
415 eckey_verify_wrap,
416 eckey_sign_wrap,
417 #if defined(MBEDTLS_ECP_RESTARTABLE)
418 eckey_verify_rs_wrap,
419 eckey_sign_rs_wrap,
420 #endif
421 #else /* MBEDTLS_ECDSA_C */
422 NULL,
423 NULL,
424 #endif /* MBEDTLS_ECDSA_C */
425 NULL,
426 NULL,
427 eckey_check_pair,
428 eckey_alloc_wrap,
429 eckey_free_wrap,
430 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
431 eckey_rs_alloc,
432 eckey_rs_free,
433 #endif
434 eckey_debug,
435 };
436
437 /*
438 * EC key restricted to ECDH
439 */
eckeydh_can_do(mbedtls_pk_type_t type)440 static int eckeydh_can_do(mbedtls_pk_type_t type)
441 {
442 return type == MBEDTLS_PK_ECKEY ||
443 type == MBEDTLS_PK_ECKEY_DH;
444 }
445
446 const mbedtls_pk_info_t mbedtls_eckeydh_info = {
447 MBEDTLS_PK_ECKEY_DH,
448 "EC_DH",
449 eckey_get_bitlen, /* Same underlying key structure */
450 eckeydh_can_do,
451 NULL,
452 NULL,
453 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
454 NULL,
455 NULL,
456 #endif
457 NULL,
458 NULL,
459 eckey_check_pair,
460 eckey_alloc_wrap, /* Same underlying key structure */
461 eckey_free_wrap, /* Same underlying key structure */
462 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
463 NULL,
464 NULL,
465 #endif
466 eckey_debug, /* Same underlying key structure */
467 };
468 #endif /* MBEDTLS_ECP_C */
469
470 #if defined(MBEDTLS_ECDSA_C)
ecdsa_can_do(mbedtls_pk_type_t type)471 static int ecdsa_can_do(mbedtls_pk_type_t type)
472 {
473 return type == MBEDTLS_PK_ECDSA;
474 }
475
476 #if defined(MBEDTLS_USE_PSA_CRYPTO)
477 /*
478 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
479 * those integers and convert it to the fixed-length encoding expected by PSA.
480 */
extract_ecdsa_sig_int(unsigned char ** from,const unsigned char * end,unsigned char * to,size_t to_len)481 static int extract_ecdsa_sig_int(unsigned char **from, const unsigned char *end,
482 unsigned char *to, size_t to_len)
483 {
484 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
485 size_t unpadded_len, padding_len;
486
487 if ((ret = mbedtls_asn1_get_tag(from, end, &unpadded_len,
488 MBEDTLS_ASN1_INTEGER)) != 0) {
489 return ret;
490 }
491
492 while (unpadded_len > 0 && **from == 0x00) {
493 (*from)++;
494 unpadded_len--;
495 }
496
497 if (unpadded_len > to_len || unpadded_len == 0) {
498 return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
499 }
500
501 padding_len = to_len - unpadded_len;
502 memset(to, 0x00, padding_len);
503 memcpy(to + padding_len, *from, unpadded_len);
504 (*from) += unpadded_len;
505
506 return 0;
507 }
508
509 /*
510 * Convert a signature from an ASN.1 sequence of two integers
511 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least
512 * twice as big as int_size.
513 */
extract_ecdsa_sig(unsigned char ** p,const unsigned char * end,unsigned char * sig,size_t int_size)514 static int extract_ecdsa_sig(unsigned char **p, const unsigned char *end,
515 unsigned char *sig, size_t int_size)
516 {
517 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
518 size_t tmp_size;
519
520 if ((ret = mbedtls_asn1_get_tag(p, end, &tmp_size,
521 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
522 return ret;
523 }
524
525 /* Extract r */
526 if ((ret = extract_ecdsa_sig_int(p, end, sig, int_size)) != 0) {
527 return ret;
528 }
529 /* Extract s */
530 if ((ret = extract_ecdsa_sig_int(p, end, sig + int_size, int_size)) != 0) {
531 return ret;
532 }
533
534 return 0;
535 }
536
ecdsa_verify_wrap(void * ctx_arg,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)537 static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
538 const unsigned char *hash, size_t hash_len,
539 const unsigned char *sig, size_t sig_len)
540 {
541 mbedtls_ecdsa_context *ctx = ctx_arg;
542 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
543 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
544 psa_key_id_t key_id = 0;
545 psa_status_t status;
546 mbedtls_pk_context key;
547 int key_len;
548 /* see ECP_PUB_DER_MAX_BYTES in pkwrite.c */
549 unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES];
550 unsigned char *p;
551 mbedtls_pk_info_t pk_info = mbedtls_eckey_info;
552 psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
553 size_t curve_bits;
554 psa_ecc_family_t curve =
555 mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
556 const size_t signature_part_size = (ctx->grp.nbits + 7) / 8;
557 ((void) md_alg);
558
559 if (curve == 0) {
560 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
561 }
562
563 /* mbedtls_pk_write_pubkey() expects a full PK context;
564 * re-construct one to make it happy */
565 key.pk_info = &pk_info;
566 key.pk_ctx = ctx;
567 p = buf + sizeof(buf);
568 key_len = mbedtls_pk_write_pubkey(&p, buf, &key);
569 if (key_len <= 0) {
570 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
571 }
572
573 psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
574 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
575 psa_set_key_algorithm(&attributes, psa_sig_md);
576
577 status = psa_import_key(&attributes,
578 buf + sizeof(buf) - key_len, key_len,
579 &key_id);
580 if (status != PSA_SUCCESS) {
581 ret = mbedtls_psa_err_translate_pk(status);
582 goto cleanup;
583 }
584
585 /* We don't need the exported key anymore and can
586 * reuse its buffer for signature extraction. */
587 if (2 * signature_part_size > sizeof(buf)) {
588 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
589 goto cleanup;
590 }
591
592 p = (unsigned char *) sig;
593 if ((ret = extract_ecdsa_sig(&p, sig + sig_len, buf,
594 signature_part_size)) != 0) {
595 goto cleanup;
596 }
597
598 if (psa_verify_hash(key_id, psa_sig_md,
599 hash, hash_len,
600 buf, 2 * signature_part_size)
601 != PSA_SUCCESS) {
602 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
603 goto cleanup;
604 }
605
606 if (p != sig + sig_len) {
607 ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
608 goto cleanup;
609 }
610 ret = 0;
611
612 cleanup:
613 psa_destroy_key(key_id);
614 return ret;
615 }
616 #else /* MBEDTLS_USE_PSA_CRYPTO */
ecdsa_verify_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len)617 static int ecdsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
618 const unsigned char *hash, size_t hash_len,
619 const unsigned char *sig, size_t sig_len)
620 {
621 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
622 ((void) md_alg);
623
624 ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) ctx,
625 hash, hash_len, sig, sig_len);
626
627 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
628 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
629 }
630
631 return ret;
632 }
633 #endif /* MBEDTLS_USE_PSA_CRYPTO */
634
ecdsa_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)635 static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
636 const unsigned char *hash, size_t hash_len,
637 unsigned char *sig, size_t *sig_len,
638 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
639 {
640 return mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) ctx,
641 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng);
642 }
643
644 #if defined(MBEDTLS_ECP_RESTARTABLE)
ecdsa_verify_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,const unsigned char * sig,size_t sig_len,void * rs_ctx)645 static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
646 const unsigned char *hash, size_t hash_len,
647 const unsigned char *sig, size_t sig_len,
648 void *rs_ctx)
649 {
650 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
651 ((void) md_alg);
652
653 ret = mbedtls_ecdsa_read_signature_restartable(
654 (mbedtls_ecdsa_context *) ctx,
655 hash, hash_len, sig, sig_len,
656 (mbedtls_ecdsa_restart_ctx *) rs_ctx);
657
658 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
659 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
660 }
661
662 return ret;
663 }
664
ecdsa_sign_rs_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng,void * rs_ctx)665 static int ecdsa_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
666 const unsigned char *hash, size_t hash_len,
667 unsigned char *sig, size_t *sig_len,
668 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
669 void *rs_ctx)
670 {
671 return mbedtls_ecdsa_write_signature_restartable(
672 (mbedtls_ecdsa_context *) ctx,
673 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng,
674 (mbedtls_ecdsa_restart_ctx *) rs_ctx);
675
676 }
677 #endif /* MBEDTLS_ECP_RESTARTABLE */
678
ecdsa_alloc_wrap(void)679 static void *ecdsa_alloc_wrap(void)
680 {
681 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_context));
682
683 if (ctx != NULL) {
684 mbedtls_ecdsa_init((mbedtls_ecdsa_context *) ctx);
685 }
686
687 return ctx;
688 }
689
ecdsa_free_wrap(void * ctx)690 static void ecdsa_free_wrap(void *ctx)
691 {
692 mbedtls_ecdsa_free((mbedtls_ecdsa_context *) ctx);
693 mbedtls_free(ctx);
694 }
695
696 #if defined(MBEDTLS_ECP_RESTARTABLE)
ecdsa_rs_alloc(void)697 static void *ecdsa_rs_alloc(void)
698 {
699 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
700
701 if (ctx != NULL) {
702 mbedtls_ecdsa_restart_init(ctx);
703 }
704
705 return ctx;
706 }
707
ecdsa_rs_free(void * ctx)708 static void ecdsa_rs_free(void *ctx)
709 {
710 mbedtls_ecdsa_restart_free(ctx);
711 mbedtls_free(ctx);
712 }
713 #endif /* MBEDTLS_ECP_RESTARTABLE */
714
715 const mbedtls_pk_info_t mbedtls_ecdsa_info = {
716 MBEDTLS_PK_ECDSA,
717 "ECDSA",
718 eckey_get_bitlen, /* Compatible key structures */
719 ecdsa_can_do,
720 ecdsa_verify_wrap,
721 ecdsa_sign_wrap,
722 #if defined(MBEDTLS_ECP_RESTARTABLE)
723 ecdsa_verify_rs_wrap,
724 ecdsa_sign_rs_wrap,
725 #endif
726 NULL,
727 NULL,
728 eckey_check_pair, /* Compatible key structures */
729 ecdsa_alloc_wrap,
730 ecdsa_free_wrap,
731 #if defined(MBEDTLS_ECP_RESTARTABLE)
732 ecdsa_rs_alloc,
733 ecdsa_rs_free,
734 #endif
735 eckey_debug, /* Compatible key structures */
736 };
737 #endif /* MBEDTLS_ECDSA_C */
738
739 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
740 /*
741 * Support for alternative RSA-private implementations
742 */
743
rsa_alt_can_do(mbedtls_pk_type_t type)744 static int rsa_alt_can_do(mbedtls_pk_type_t type)
745 {
746 return type == MBEDTLS_PK_RSA;
747 }
748
rsa_alt_get_bitlen(const void * ctx)749 static size_t rsa_alt_get_bitlen(const void *ctx)
750 {
751 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
752
753 return 8 * rsa_alt->key_len_func(rsa_alt->key);
754 }
755
rsa_alt_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)756 static int rsa_alt_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
757 const unsigned char *hash, size_t hash_len,
758 unsigned char *sig, size_t *sig_len,
759 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
760 {
761 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
762
763 #if SIZE_MAX > UINT_MAX
764 if (UINT_MAX < hash_len) {
765 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
766 }
767 #endif /* SIZE_MAX > UINT_MAX */
768
769 *sig_len = rsa_alt->key_len_func(rsa_alt->key);
770 if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
771 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
772 }
773
774 return rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
775 md_alg, (unsigned int) hash_len, hash, sig);
776 }
777
rsa_alt_decrypt_wrap(void * ctx,const unsigned char * input,size_t ilen,unsigned char * output,size_t * olen,size_t osize,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)778 static int rsa_alt_decrypt_wrap(void *ctx,
779 const unsigned char *input, size_t ilen,
780 unsigned char *output, size_t *olen, size_t osize,
781 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
782 {
783 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
784
785 ((void) f_rng);
786 ((void) p_rng);
787
788 if (ilen != rsa_alt->key_len_func(rsa_alt->key)) {
789 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
790 }
791
792 return rsa_alt->decrypt_func(rsa_alt->key,
793 MBEDTLS_RSA_PRIVATE, olen, input, output, osize);
794 }
795
796 #if defined(MBEDTLS_RSA_C)
rsa_alt_check_pair(const void * pub,const void * prv)797 static int rsa_alt_check_pair(const void *pub, const void *prv)
798 {
799 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
800 unsigned char hash[32];
801 size_t sig_len = 0;
802 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
803
804 if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub)) {
805 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
806 }
807
808 memset(hash, 0x2a, sizeof(hash));
809
810 if ((ret = rsa_alt_sign_wrap((void *) prv, MBEDTLS_MD_NONE,
811 hash, sizeof(hash),
812 sig, &sig_len, NULL, NULL)) != 0) {
813 return ret;
814 }
815
816 if (rsa_verify_wrap((void *) pub, MBEDTLS_MD_NONE,
817 hash, sizeof(hash), sig, sig_len) != 0) {
818 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
819 }
820
821 return 0;
822 }
823 #endif /* MBEDTLS_RSA_C */
824
rsa_alt_alloc_wrap(void)825 static void *rsa_alt_alloc_wrap(void)
826 {
827 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context));
828
829 if (ctx != NULL) {
830 memset(ctx, 0, sizeof(mbedtls_rsa_alt_context));
831 }
832
833 return ctx;
834 }
835
rsa_alt_free_wrap(void * ctx)836 static void rsa_alt_free_wrap(void *ctx)
837 {
838 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_rsa_alt_context));
839 mbedtls_free(ctx);
840 }
841
842 const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
843 MBEDTLS_PK_RSA_ALT,
844 "RSA-alt",
845 rsa_alt_get_bitlen,
846 rsa_alt_can_do,
847 NULL,
848 rsa_alt_sign_wrap,
849 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
850 NULL,
851 NULL,
852 #endif
853 rsa_alt_decrypt_wrap,
854 NULL,
855 #if defined(MBEDTLS_RSA_C)
856 rsa_alt_check_pair,
857 #else
858 NULL,
859 #endif
860 rsa_alt_alloc_wrap,
861 rsa_alt_free_wrap,
862 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
863 NULL,
864 NULL,
865 #endif
866 NULL,
867 };
868
869 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
870
871 #if defined(MBEDTLS_USE_PSA_CRYPTO)
872
pk_opaque_alloc_wrap(void)873 static void *pk_opaque_alloc_wrap(void)
874 {
875 void *ctx = mbedtls_calloc(1, sizeof(psa_key_id_t));
876
877 /* no _init() function to call, as calloc() already zeroized */
878
879 return ctx;
880 }
881
pk_opaque_free_wrap(void * ctx)882 static void pk_opaque_free_wrap(void *ctx)
883 {
884 mbedtls_platform_zeroize(ctx, sizeof(psa_key_id_t));
885 mbedtls_free(ctx);
886 }
887
pk_opaque_get_bitlen(const void * ctx)888 static size_t pk_opaque_get_bitlen(const void *ctx)
889 {
890 const psa_key_id_t *key = (const psa_key_id_t *) ctx;
891 size_t bits;
892 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
893
894 if (PSA_SUCCESS != psa_get_key_attributes(*key, &attributes)) {
895 return 0;
896 }
897
898 bits = psa_get_key_bits(&attributes);
899 psa_reset_key_attributes(&attributes);
900 return bits;
901 }
902
pk_opaque_can_do(mbedtls_pk_type_t type)903 static int pk_opaque_can_do(mbedtls_pk_type_t type)
904 {
905 /* For now opaque PSA keys can only wrap ECC keypairs,
906 * as checked by setup_psa().
907 * Also, ECKEY_DH does not really make sense with the current API. */
908 return type == MBEDTLS_PK_ECKEY ||
909 type == MBEDTLS_PK_ECDSA;
910 }
911
912 #if defined(MBEDTLS_ECDSA_C)
913
914 /*
915 * Simultaneously convert and move raw MPI from the beginning of a buffer
916 * to an ASN.1 MPI at the end of the buffer.
917 * See also mbedtls_asn1_write_mpi().
918 *
919 * p: pointer to the end of the output buffer
920 * start: start of the output buffer, and also of the mpi to write at the end
921 * n_len: length of the mpi to read from start
922 */
asn1_write_mpibuf(unsigned char ** p,unsigned char * start,size_t n_len)923 static int asn1_write_mpibuf(unsigned char **p, unsigned char *start,
924 size_t n_len)
925 {
926 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
927 size_t len = 0;
928
929 if ((size_t) (*p - start) < n_len) {
930 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
931 }
932
933 len = n_len;
934 *p -= len;
935 memmove(*p, start, len);
936
937 /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
938 * Neither r nor s should be 0, but as a failsafe measure, still detect
939 * that rather than overflowing the buffer in case of a PSA error. */
940 while (len > 0 && **p == 0x00) {
941 ++(*p);
942 --len;
943 }
944
945 /* this is only reached if the signature was invalid */
946 if (len == 0) {
947 return MBEDTLS_ERR_PK_HW_ACCEL_FAILED;
948 }
949
950 /* if the msb is 1, ASN.1 requires that we prepend a 0.
951 * Neither r nor s can be 0, so we can assume len > 0 at all times. */
952 if (**p & 0x80) {
953 if (*p - start < 1) {
954 return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
955 }
956
957 *--(*p) = 0x00;
958 len += 1;
959 }
960
961 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
962 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
963 MBEDTLS_ASN1_INTEGER));
964
965 return (int) len;
966 }
967
968 /* Transcode signature from PSA format to ASN.1 sequence.
969 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of
970 * MPIs, and in-place.
971 *
972 * [in/out] sig: the signature pre- and post-transcoding
973 * [in/out] sig_len: signature length pre- and post-transcoding
974 * [int] buf_len: the available size the in/out buffer
975 */
pk_ecdsa_sig_asn1_from_psa(unsigned char * sig,size_t * sig_len,size_t buf_len)976 static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len,
977 size_t buf_len)
978 {
979 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
980 size_t len = 0;
981 const size_t rs_len = *sig_len / 2;
982 unsigned char *p = sig + buf_len;
983
984 MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig + rs_len, rs_len));
985 MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig, rs_len));
986
987 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, sig, len));
988 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, sig,
989 MBEDTLS_ASN1_CONSTRUCTED |
990 MBEDTLS_ASN1_SEQUENCE));
991
992 memmove(sig, p, len);
993 *sig_len = len;
994
995 return 0;
996 }
997
998 #endif /* MBEDTLS_ECDSA_C */
999
pk_opaque_sign_wrap(void * ctx,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len,unsigned char * sig,size_t * sig_len,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1000 static int pk_opaque_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
1001 const unsigned char *hash, size_t hash_len,
1002 unsigned char *sig, size_t *sig_len,
1003 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1004 {
1005 #if !defined(MBEDTLS_ECDSA_C)
1006 ((void) ctx);
1007 ((void) md_alg);
1008 ((void) hash);
1009 ((void) hash_len);
1010 ((void) sig);
1011 ((void) sig_len);
1012 ((void) f_rng);
1013 ((void) p_rng);
1014 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1015 #else /* !MBEDTLS_ECDSA_C */
1016 const psa_key_id_t *key = (const psa_key_id_t *) ctx;
1017 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1018 psa_algorithm_t alg = PSA_ALG_ECDSA(mbedtls_psa_translate_md(md_alg));
1019 size_t buf_len;
1020 psa_status_t status;
1021
1022 /* PSA has its own RNG */
1023 (void) f_rng;
1024 (void) p_rng;
1025
1026 /* PSA needs an output buffer of known size, but our API doesn't provide
1027 * that information. Assume that the buffer is large enough for a
1028 * maximal-length signature with that key (otherwise the application is
1029 * buggy anyway). */
1030 status = psa_get_key_attributes(*key, &attributes);
1031 if (status != PSA_SUCCESS) {
1032 return mbedtls_psa_err_translate_pk(status);
1033 }
1034 buf_len = MBEDTLS_ECDSA_MAX_SIG_LEN(psa_get_key_bits(&attributes));
1035 psa_reset_key_attributes(&attributes);
1036 if (buf_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
1037 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1038 }
1039
1040 /* make the signature */
1041 status = psa_sign_hash(*key, alg, hash, hash_len,
1042 sig, buf_len, sig_len);
1043 if (status != PSA_SUCCESS) {
1044 return mbedtls_psa_err_translate_pk(status);
1045 }
1046
1047 /* transcode it to ASN.1 sequence */
1048 return pk_ecdsa_sig_asn1_from_psa(sig, sig_len, buf_len);
1049 #endif /* !MBEDTLS_ECDSA_C */
1050 }
1051
1052 const mbedtls_pk_info_t mbedtls_pk_opaque_info = {
1053 MBEDTLS_PK_OPAQUE,
1054 "Opaque",
1055 pk_opaque_get_bitlen,
1056 pk_opaque_can_do,
1057 NULL, /* verify - will be done later */
1058 pk_opaque_sign_wrap,
1059 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1060 NULL, /* restartable verify - not relevant */
1061 NULL, /* restartable sign - not relevant */
1062 #endif
1063 NULL, /* decrypt - will be done later */
1064 NULL, /* encrypt - will be done later */
1065 NULL, /* check_pair - could be done later or left NULL */
1066 pk_opaque_alloc_wrap,
1067 pk_opaque_free_wrap,
1068 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1069 NULL, /* restart alloc - not relevant */
1070 NULL, /* restart free - not relevant */
1071 #endif
1072 NULL, /* debug - could be done later, or even left NULL */
1073 };
1074
1075 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1076
1077 #endif /* MBEDTLS_PK_C */
1078