1 /* 2 * Public Key abstraction layer: wrapper functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 #include "common.h" 21 22 #if defined(MBEDTLS_PK_C) 23 #include "mbedtls/pk_internal.h" 24 #include "mbedtls/error.h" 25 26 /* Even if RSA not activated, for the sake of RSA-alt */ 27 #include "mbedtls/rsa.h" 28 29 #include <string.h> 30 31 #if defined(MBEDTLS_ECP_C) 32 #include "mbedtls/ecp.h" 33 #endif 34 35 #if defined(MBEDTLS_ECDSA_C) 36 #include "mbedtls/ecdsa.h" 37 #endif 38 39 #if defined(MBEDTLS_USE_PSA_CRYPTO) 40 #include "mbedtls/asn1write.h" 41 #endif 42 43 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 44 #include "mbedtls/platform_util.h" 45 #endif 46 47 #if defined(MBEDTLS_USE_PSA_CRYPTO) 48 #include "psa/crypto.h" 49 #include "mbedtls/psa_util.h" 50 #include "mbedtls/asn1.h" 51 #endif 52 53 #if defined(MBEDTLS_PLATFORM_C) 54 #include "mbedtls/platform.h" 55 #else 56 #include <stdlib.h> 57 #define mbedtls_calloc calloc 58 #define mbedtls_free free 59 #endif 60 61 #include <limits.h> 62 #include <stdint.h> 63 64 #if defined(MBEDTLS_RSA_C) 65 static int rsa_can_do( mbedtls_pk_type_t type ) 66 { 67 return( type == MBEDTLS_PK_RSA || 68 type == MBEDTLS_PK_RSASSA_PSS ); 69 } 70 71 static size_t rsa_get_bitlen( const void *ctx ) 72 { 73 const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx; 74 return( 8 * mbedtls_rsa_get_len( rsa ) ); 75 } 76 77 static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 78 const unsigned char *hash, size_t hash_len, 79 const unsigned char *sig, size_t sig_len ) 80 { 81 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 82 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 83 size_t rsa_len = mbedtls_rsa_get_len( rsa ); 84 85 #if SIZE_MAX > UINT_MAX 86 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) 87 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 88 #endif /* SIZE_MAX > UINT_MAX */ 89 90 if( sig_len < rsa_len ) 91 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 92 93 if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL, 94 MBEDTLS_RSA_PUBLIC, md_alg, 95 (unsigned int) hash_len, hash, sig ) ) != 0 ) 96 return( ret ); 97 98 /* The buffer contains a valid signature followed by extra data. 99 * We have a special error code for that so that so that callers can 100 * use mbedtls_pk_verify() to check "Does the buffer start with a 101 * valid signature?" and not just "Does the buffer contain a valid 102 * signature?". */ 103 if( sig_len > rsa_len ) 104 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 105 106 return( 0 ); 107 } 108 109 static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 110 const unsigned char *hash, size_t hash_len, 111 unsigned char *sig, size_t *sig_len, 112 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 113 { 114 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 115 116 #if SIZE_MAX > UINT_MAX 117 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) 118 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 119 #endif /* SIZE_MAX > UINT_MAX */ 120 121 *sig_len = mbedtls_rsa_get_len( rsa ); 122 123 return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, 124 md_alg, (unsigned int) hash_len, hash, sig ) ); 125 } 126 127 static int rsa_decrypt_wrap( void *ctx, 128 const unsigned char *input, size_t ilen, 129 unsigned char *output, size_t *olen, size_t osize, 130 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 131 { 132 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 133 134 if( ilen != mbedtls_rsa_get_len( rsa ) ) 135 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 136 137 return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng, 138 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) ); 139 } 140 141 static int rsa_encrypt_wrap( void *ctx, 142 const unsigned char *input, size_t ilen, 143 unsigned char *output, size_t *olen, size_t osize, 144 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 145 { 146 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 147 *olen = mbedtls_rsa_get_len( rsa ); 148 149 if( *olen > osize ) 150 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 151 152 return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC, 153 ilen, input, output ) ); 154 } 155 156 static int rsa_check_pair_wrap( const void *pub, const void *prv ) 157 { 158 return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub, 159 (const mbedtls_rsa_context *) prv ) ); 160 } 161 162 static void *rsa_alloc_wrap( void ) 163 { 164 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) ); 165 166 if( ctx != NULL ) 167 mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 ); 168 169 return( ctx ); 170 } 171 172 static void rsa_free_wrap( void *ctx ) 173 { 174 mbedtls_rsa_free( (mbedtls_rsa_context *) ctx ); 175 mbedtls_free( ctx ); 176 } 177 178 static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items ) 179 { 180 items->type = MBEDTLS_PK_DEBUG_MPI; 181 items->name = "rsa.N"; 182 items->value = &( ((mbedtls_rsa_context *) ctx)->N ); 183 184 items++; 185 186 items->type = MBEDTLS_PK_DEBUG_MPI; 187 items->name = "rsa.E"; 188 items->value = &( ((mbedtls_rsa_context *) ctx)->E ); 189 } 190 191 const mbedtls_pk_info_t mbedtls_rsa_info = { 192 MBEDTLS_PK_RSA, 193 "RSA", 194 rsa_get_bitlen, 195 rsa_can_do, 196 rsa_verify_wrap, 197 rsa_sign_wrap, 198 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 199 NULL, 200 NULL, 201 #endif 202 rsa_decrypt_wrap, 203 rsa_encrypt_wrap, 204 rsa_check_pair_wrap, 205 rsa_alloc_wrap, 206 rsa_free_wrap, 207 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 208 NULL, 209 NULL, 210 #endif 211 rsa_debug, 212 }; 213 #endif /* MBEDTLS_RSA_C */ 214 215 #if defined(MBEDTLS_ECP_C) 216 /* 217 * Generic EC key 218 */ 219 static int eckey_can_do( mbedtls_pk_type_t type ) 220 { 221 return( type == MBEDTLS_PK_ECKEY || 222 type == MBEDTLS_PK_ECKEY_DH || 223 type == MBEDTLS_PK_ECDSA ); 224 } 225 226 static size_t eckey_get_bitlen( const void *ctx ) 227 { 228 return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits ); 229 } 230 231 #if defined(MBEDTLS_ECDSA_C) 232 /* Forward declarations */ 233 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 234 const unsigned char *hash, size_t hash_len, 235 const unsigned char *sig, size_t sig_len ); 236 237 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 238 const unsigned char *hash, size_t hash_len, 239 unsigned char *sig, size_t *sig_len, 240 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 241 242 static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 243 const unsigned char *hash, size_t hash_len, 244 const unsigned char *sig, size_t sig_len ) 245 { 246 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 247 mbedtls_ecdsa_context ecdsa; 248 249 mbedtls_ecdsa_init( &ecdsa ); 250 251 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 ) 252 ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len ); 253 254 mbedtls_ecdsa_free( &ecdsa ); 255 256 return( ret ); 257 } 258 259 static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 260 const unsigned char *hash, size_t hash_len, 261 unsigned char *sig, size_t *sig_len, 262 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 263 { 264 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 265 mbedtls_ecdsa_context ecdsa; 266 267 mbedtls_ecdsa_init( &ecdsa ); 268 269 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 ) 270 ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len, 271 f_rng, p_rng ); 272 273 mbedtls_ecdsa_free( &ecdsa ); 274 275 return( ret ); 276 } 277 278 #if defined(MBEDTLS_ECP_RESTARTABLE) 279 /* Forward declarations */ 280 static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 281 const unsigned char *hash, size_t hash_len, 282 const unsigned char *sig, size_t sig_len, 283 void *rs_ctx ); 284 285 static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 286 const unsigned char *hash, size_t hash_len, 287 unsigned char *sig, size_t *sig_len, 288 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 289 void *rs_ctx ); 290 291 /* 292 * Restart context for ECDSA operations with ECKEY context 293 * 294 * We need to store an actual ECDSA context, as we need to pass the same to 295 * the underlying ecdsa function, so we can't create it on the fly every time. 296 */ 297 typedef struct 298 { 299 mbedtls_ecdsa_restart_ctx ecdsa_rs; 300 mbedtls_ecdsa_context ecdsa_ctx; 301 } eckey_restart_ctx; 302 303 static void *eckey_rs_alloc( void ) 304 { 305 eckey_restart_ctx *rs_ctx; 306 307 void *ctx = mbedtls_calloc( 1, sizeof( eckey_restart_ctx ) ); 308 309 if( ctx != NULL ) 310 { 311 rs_ctx = ctx; 312 mbedtls_ecdsa_restart_init( &rs_ctx->ecdsa_rs ); 313 mbedtls_ecdsa_init( &rs_ctx->ecdsa_ctx ); 314 } 315 316 return( ctx ); 317 } 318 319 static void eckey_rs_free( void *ctx ) 320 { 321 eckey_restart_ctx *rs_ctx; 322 323 if( ctx == NULL) 324 return; 325 326 rs_ctx = ctx; 327 mbedtls_ecdsa_restart_free( &rs_ctx->ecdsa_rs ); 328 mbedtls_ecdsa_free( &rs_ctx->ecdsa_ctx ); 329 330 mbedtls_free( ctx ); 331 } 332 333 static int eckey_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 334 const unsigned char *hash, size_t hash_len, 335 const unsigned char *sig, size_t sig_len, 336 void *rs_ctx ) 337 { 338 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 339 eckey_restart_ctx *rs = rs_ctx; 340 341 /* Should never happen */ 342 if( rs == NULL ) 343 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 344 345 /* set up our own sub-context if needed (that is, on first run) */ 346 if( rs->ecdsa_ctx.grp.pbits == 0 ) 347 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) ); 348 349 MBEDTLS_MPI_CHK( ecdsa_verify_rs_wrap( &rs->ecdsa_ctx, 350 md_alg, hash, hash_len, 351 sig, sig_len, &rs->ecdsa_rs ) ); 352 353 cleanup: 354 return( ret ); 355 } 356 357 static int eckey_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 358 const unsigned char *hash, size_t hash_len, 359 unsigned char *sig, size_t *sig_len, 360 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 361 void *rs_ctx ) 362 { 363 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 364 eckey_restart_ctx *rs = rs_ctx; 365 366 /* Should never happen */ 367 if( rs == NULL ) 368 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 369 370 /* set up our own sub-context if needed (that is, on first run) */ 371 if( rs->ecdsa_ctx.grp.pbits == 0 ) 372 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) ); 373 374 MBEDTLS_MPI_CHK( ecdsa_sign_rs_wrap( &rs->ecdsa_ctx, md_alg, 375 hash, hash_len, sig, sig_len, 376 f_rng, p_rng, &rs->ecdsa_rs ) ); 377 378 cleanup: 379 return( ret ); 380 } 381 #endif /* MBEDTLS_ECP_RESTARTABLE */ 382 #endif /* MBEDTLS_ECDSA_C */ 383 384 static int eckey_check_pair( const void *pub, const void *prv ) 385 { 386 return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub, 387 (const mbedtls_ecp_keypair *) prv ) ); 388 } 389 390 static void *eckey_alloc_wrap( void ) 391 { 392 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) ); 393 394 if( ctx != NULL ) 395 mbedtls_ecp_keypair_init( ctx ); 396 397 return( ctx ); 398 } 399 400 static void eckey_free_wrap( void *ctx ) 401 { 402 mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx ); 403 mbedtls_free( ctx ); 404 } 405 406 static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items ) 407 { 408 items->type = MBEDTLS_PK_DEBUG_ECP; 409 items->name = "eckey.Q"; 410 items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q ); 411 } 412 413 const mbedtls_pk_info_t mbedtls_eckey_info = { 414 MBEDTLS_PK_ECKEY, 415 "EC", 416 eckey_get_bitlen, 417 eckey_can_do, 418 #if defined(MBEDTLS_ECDSA_C) 419 eckey_verify_wrap, 420 eckey_sign_wrap, 421 #if defined(MBEDTLS_ECP_RESTARTABLE) 422 eckey_verify_rs_wrap, 423 eckey_sign_rs_wrap, 424 #endif 425 #else /* MBEDTLS_ECDSA_C */ 426 NULL, 427 NULL, 428 #endif /* MBEDTLS_ECDSA_C */ 429 NULL, 430 NULL, 431 eckey_check_pair, 432 eckey_alloc_wrap, 433 eckey_free_wrap, 434 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 435 eckey_rs_alloc, 436 eckey_rs_free, 437 #endif 438 eckey_debug, 439 }; 440 441 /* 442 * EC key restricted to ECDH 443 */ 444 static int eckeydh_can_do( mbedtls_pk_type_t type ) 445 { 446 return( type == MBEDTLS_PK_ECKEY || 447 type == MBEDTLS_PK_ECKEY_DH ); 448 } 449 450 const mbedtls_pk_info_t mbedtls_eckeydh_info = { 451 MBEDTLS_PK_ECKEY_DH, 452 "EC_DH", 453 eckey_get_bitlen, /* Same underlying key structure */ 454 eckeydh_can_do, 455 NULL, 456 NULL, 457 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 458 NULL, 459 NULL, 460 #endif 461 NULL, 462 NULL, 463 eckey_check_pair, 464 eckey_alloc_wrap, /* Same underlying key structure */ 465 eckey_free_wrap, /* Same underlying key structure */ 466 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 467 NULL, 468 NULL, 469 #endif 470 eckey_debug, /* Same underlying key structure */ 471 }; 472 #endif /* MBEDTLS_ECP_C */ 473 474 #if defined(MBEDTLS_ECDSA_C) 475 static int ecdsa_can_do( mbedtls_pk_type_t type ) 476 { 477 return( type == MBEDTLS_PK_ECDSA ); 478 } 479 480 #if defined(MBEDTLS_USE_PSA_CRYPTO) 481 /* 482 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of 483 * those integers and convert it to the fixed-length encoding expected by PSA. 484 */ 485 static int extract_ecdsa_sig_int( unsigned char **from, const unsigned char *end, 486 unsigned char *to, size_t to_len ) 487 { 488 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 489 size_t unpadded_len, padding_len; 490 491 if( ( ret = mbedtls_asn1_get_tag( from, end, &unpadded_len, 492 MBEDTLS_ASN1_INTEGER ) ) != 0 ) 493 { 494 return( ret ); 495 } 496 497 while( unpadded_len > 0 && **from == 0x00 ) 498 { 499 ( *from )++; 500 unpadded_len--; 501 } 502 503 if( unpadded_len > to_len || unpadded_len == 0 ) 504 return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 505 506 padding_len = to_len - unpadded_len; 507 memset( to, 0x00, padding_len ); 508 memcpy( to + padding_len, *from, unpadded_len ); 509 ( *from ) += unpadded_len; 510 511 return( 0 ); 512 } 513 514 /* 515 * Convert a signature from an ASN.1 sequence of two integers 516 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least 517 * twice as big as int_size. 518 */ 519 static int extract_ecdsa_sig( unsigned char **p, const unsigned char *end, 520 unsigned char *sig, size_t int_size ) 521 { 522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 523 size_t tmp_size; 524 525 if( ( ret = mbedtls_asn1_get_tag( p, end, &tmp_size, 526 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 527 return( ret ); 528 529 /* Extract r */ 530 if( ( ret = extract_ecdsa_sig_int( p, end, sig, int_size ) ) != 0 ) 531 return( ret ); 532 /* Extract s */ 533 if( ( ret = extract_ecdsa_sig_int( p, end, sig + int_size, int_size ) ) != 0 ) 534 return( ret ); 535 536 return( 0 ); 537 } 538 539 static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg, 540 const unsigned char *hash, size_t hash_len, 541 const unsigned char *sig, size_t sig_len ) 542 { 543 mbedtls_ecdsa_context *ctx = ctx_arg; 544 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 545 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 546 psa_key_id_t key_id = 0; 547 psa_status_t status; 548 mbedtls_pk_context key; 549 int key_len; 550 /* see ECP_PUB_DER_MAX_BYTES in pkwrite.c */ 551 unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES]; 552 unsigned char *p; 553 mbedtls_pk_info_t pk_info = mbedtls_eckey_info; 554 psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY; 555 size_t curve_bits; 556 psa_ecc_family_t curve = 557 mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits ); 558 const size_t signature_part_size = ( ctx->grp.nbits + 7 ) / 8; 559 ((void) md_alg); 560 561 if( curve == 0 ) 562 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 563 564 /* mbedtls_pk_write_pubkey() expects a full PK context; 565 * re-construct one to make it happy */ 566 key.pk_info = &pk_info; 567 key.pk_ctx = ctx; 568 p = buf + sizeof( buf ); 569 key_len = mbedtls_pk_write_pubkey( &p, buf, &key ); 570 if( key_len <= 0 ) 571 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 572 573 psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ) ); 574 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); 575 psa_set_key_algorithm( &attributes, psa_sig_md ); 576 577 status = psa_import_key( &attributes, 578 buf + sizeof( buf ) - key_len, key_len, 579 &key_id ); 580 if( status != PSA_SUCCESS ) 581 { 582 ret = mbedtls_psa_err_translate_pk( status ); 583 goto cleanup; 584 } 585 586 /* We don't need the exported key anymore and can 587 * reuse its buffer for signature extraction. */ 588 if( 2 * signature_part_size > sizeof( buf ) ) 589 { 590 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; 591 goto cleanup; 592 } 593 594 p = (unsigned char*) sig; 595 if( ( ret = extract_ecdsa_sig( &p, sig + sig_len, buf, 596 signature_part_size ) ) != 0 ) 597 { 598 goto cleanup; 599 } 600 601 if( psa_verify_hash( key_id, psa_sig_md, 602 hash, hash_len, 603 buf, 2 * signature_part_size ) 604 != PSA_SUCCESS ) 605 { 606 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED; 607 goto cleanup; 608 } 609 610 if( p != sig + sig_len ) 611 { 612 ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH; 613 goto cleanup; 614 } 615 ret = 0; 616 617 cleanup: 618 psa_destroy_key( key_id ); 619 return( ret ); 620 } 621 #else /* MBEDTLS_USE_PSA_CRYPTO */ 622 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 623 const unsigned char *hash, size_t hash_len, 624 const unsigned char *sig, size_t sig_len ) 625 { 626 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 627 ((void) md_alg); 628 629 ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx, 630 hash, hash_len, sig, sig_len ); 631 632 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH ) 633 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 634 635 return( ret ); 636 } 637 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 638 639 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 640 const unsigned char *hash, size_t hash_len, 641 unsigned char *sig, size_t *sig_len, 642 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 643 { 644 return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx, 645 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) ); 646 } 647 648 #if defined(MBEDTLS_ECP_RESTARTABLE) 649 static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 650 const unsigned char *hash, size_t hash_len, 651 const unsigned char *sig, size_t sig_len, 652 void *rs_ctx ) 653 { 654 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 655 ((void) md_alg); 656 657 ret = mbedtls_ecdsa_read_signature_restartable( 658 (mbedtls_ecdsa_context *) ctx, 659 hash, hash_len, sig, sig_len, 660 (mbedtls_ecdsa_restart_ctx *) rs_ctx ); 661 662 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH ) 663 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 664 665 return( ret ); 666 } 667 668 static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg, 669 const unsigned char *hash, size_t hash_len, 670 unsigned char *sig, size_t *sig_len, 671 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, 672 void *rs_ctx ) 673 { 674 return( mbedtls_ecdsa_write_signature_restartable( 675 (mbedtls_ecdsa_context *) ctx, 676 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng, 677 (mbedtls_ecdsa_restart_ctx *) rs_ctx ) ); 678 679 } 680 #endif /* MBEDTLS_ECP_RESTARTABLE */ 681 682 static void *ecdsa_alloc_wrap( void ) 683 { 684 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) ); 685 686 if( ctx != NULL ) 687 mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx ); 688 689 return( ctx ); 690 } 691 692 static void ecdsa_free_wrap( void *ctx ) 693 { 694 mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx ); 695 mbedtls_free( ctx ); 696 } 697 698 #if defined(MBEDTLS_ECP_RESTARTABLE) 699 static void *ecdsa_rs_alloc( void ) 700 { 701 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_restart_ctx ) ); 702 703 if( ctx != NULL ) 704 mbedtls_ecdsa_restart_init( ctx ); 705 706 return( ctx ); 707 } 708 709 static void ecdsa_rs_free( void *ctx ) 710 { 711 mbedtls_ecdsa_restart_free( ctx ); 712 mbedtls_free( ctx ); 713 } 714 #endif /* MBEDTLS_ECP_RESTARTABLE */ 715 716 const mbedtls_pk_info_t mbedtls_ecdsa_info = { 717 MBEDTLS_PK_ECDSA, 718 "ECDSA", 719 eckey_get_bitlen, /* Compatible key structures */ 720 ecdsa_can_do, 721 ecdsa_verify_wrap, 722 ecdsa_sign_wrap, 723 #if defined(MBEDTLS_ECP_RESTARTABLE) 724 ecdsa_verify_rs_wrap, 725 ecdsa_sign_rs_wrap, 726 #endif 727 NULL, 728 NULL, 729 eckey_check_pair, /* Compatible key structures */ 730 ecdsa_alloc_wrap, 731 ecdsa_free_wrap, 732 #if defined(MBEDTLS_ECP_RESTARTABLE) 733 ecdsa_rs_alloc, 734 ecdsa_rs_free, 735 #endif 736 eckey_debug, /* Compatible key structures */ 737 }; 738 #endif /* MBEDTLS_ECDSA_C */ 739 740 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 741 /* 742 * Support for alternative RSA-private implementations 743 */ 744 745 static int rsa_alt_can_do( mbedtls_pk_type_t type ) 746 { 747 return( type == MBEDTLS_PK_RSA ); 748 } 749 750 static size_t rsa_alt_get_bitlen( const void *ctx ) 751 { 752 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx; 753 754 return( 8 * rsa_alt->key_len_func( rsa_alt->key ) ); 755 } 756 757 static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 758 const unsigned char *hash, size_t hash_len, 759 unsigned char *sig, size_t *sig_len, 760 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 761 { 762 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 763 764 #if SIZE_MAX > UINT_MAX 765 if( UINT_MAX < hash_len ) 766 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 767 #endif /* SIZE_MAX > UINT_MAX */ 768 769 *sig_len = rsa_alt->key_len_func( rsa_alt->key ); 770 if( *sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE ) 771 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 772 773 return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, 774 md_alg, (unsigned int) hash_len, hash, sig ) ); 775 } 776 777 static int rsa_alt_decrypt_wrap( void *ctx, 778 const unsigned char *input, size_t ilen, 779 unsigned char *output, size_t *olen, size_t osize, 780 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 781 { 782 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 783 784 ((void) f_rng); 785 ((void) p_rng); 786 787 if( ilen != rsa_alt->key_len_func( rsa_alt->key ) ) 788 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 789 790 return( rsa_alt->decrypt_func( rsa_alt->key, 791 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) ); 792 } 793 794 #if defined(MBEDTLS_RSA_C) 795 static int rsa_alt_check_pair( const void *pub, const void *prv ) 796 { 797 unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; 798 unsigned char hash[32]; 799 size_t sig_len = 0; 800 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 801 802 if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) ) 803 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 804 805 memset( hash, 0x2a, sizeof( hash ) ); 806 807 if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE, 808 hash, sizeof( hash ), 809 sig, &sig_len, NULL, NULL ) ) != 0 ) 810 { 811 return( ret ); 812 } 813 814 if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE, 815 hash, sizeof( hash ), sig, sig_len ) != 0 ) 816 { 817 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 818 } 819 820 return( 0 ); 821 } 822 #endif /* MBEDTLS_RSA_C */ 823 824 static void *rsa_alt_alloc_wrap( void ) 825 { 826 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) ); 827 828 if( ctx != NULL ) 829 memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) ); 830 831 return( ctx ); 832 } 833 834 static void rsa_alt_free_wrap( void *ctx ) 835 { 836 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) ); 837 mbedtls_free( ctx ); 838 } 839 840 const mbedtls_pk_info_t mbedtls_rsa_alt_info = { 841 MBEDTLS_PK_RSA_ALT, 842 "RSA-alt", 843 rsa_alt_get_bitlen, 844 rsa_alt_can_do, 845 NULL, 846 rsa_alt_sign_wrap, 847 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 848 NULL, 849 NULL, 850 #endif 851 rsa_alt_decrypt_wrap, 852 NULL, 853 #if defined(MBEDTLS_RSA_C) 854 rsa_alt_check_pair, 855 #else 856 NULL, 857 #endif 858 rsa_alt_alloc_wrap, 859 rsa_alt_free_wrap, 860 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 861 NULL, 862 NULL, 863 #endif 864 NULL, 865 }; 866 867 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */ 868 869 #if defined(MBEDTLS_USE_PSA_CRYPTO) 870 871 static void *pk_opaque_alloc_wrap( void ) 872 { 873 void *ctx = mbedtls_calloc( 1, sizeof( psa_key_id_t ) ); 874 875 /* no _init() function to call, an calloc() already zeroized */ 876 877 return( ctx ); 878 } 879 880 static void pk_opaque_free_wrap( void *ctx ) 881 { 882 mbedtls_platform_zeroize( ctx, sizeof( psa_key_id_t ) ); 883 mbedtls_free( ctx ); 884 } 885 886 static size_t pk_opaque_get_bitlen( const void *ctx ) 887 { 888 const psa_key_id_t *key = (const psa_key_id_t *) ctx; 889 size_t bits; 890 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 891 892 if( PSA_SUCCESS != psa_get_key_attributes( *key, &attributes ) ) 893 return( 0 ); 894 895 bits = psa_get_key_bits( &attributes ); 896 psa_reset_key_attributes( &attributes ); 897 return( bits ); 898 } 899 900 static int pk_opaque_can_do( mbedtls_pk_type_t type ) 901 { 902 /* For now opaque PSA keys can only wrap ECC keypairs, 903 * as checked by setup_psa(). 904 * Also, ECKEY_DH does not really make sense with the current API. */ 905 return( type == MBEDTLS_PK_ECKEY || 906 type == MBEDTLS_PK_ECDSA ); 907 } 908 909 #if defined(MBEDTLS_ECDSA_C) 910 911 /* 912 * Simultaneously convert and move raw MPI from the beginning of a buffer 913 * to an ASN.1 MPI at the end of the buffer. 914 * See also mbedtls_asn1_write_mpi(). 915 * 916 * p: pointer to the end of the output buffer 917 * start: start of the output buffer, and also of the mpi to write at the end 918 * n_len: length of the mpi to read from start 919 */ 920 static int asn1_write_mpibuf( unsigned char **p, unsigned char *start, 921 size_t n_len ) 922 { 923 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 924 size_t len = 0; 925 926 if( (size_t)( *p - start ) < n_len ) 927 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); 928 929 len = n_len; 930 *p -= len; 931 memmove( *p, start, len ); 932 933 /* ASN.1 DER encoding requires minimal length, so skip leading 0s. 934 * Neither r nor s should be 0, but as a failsafe measure, still detect 935 * that rather than overflowing the buffer in case of a PSA error. */ 936 while( len > 0 && **p == 0x00 ) 937 { 938 ++(*p); 939 --len; 940 } 941 942 /* this is only reached if the signature was invalid */ 943 if( len == 0 ) 944 return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED ); 945 946 /* if the msb is 1, ASN.1 requires that we prepend a 0. 947 * Neither r nor s can be 0, so we can assume len > 0 at all times. */ 948 if( **p & 0x80 ) 949 { 950 if( *p - start < 1 ) 951 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); 952 953 *--(*p) = 0x00; 954 len += 1; 955 } 956 957 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); 958 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, 959 MBEDTLS_ASN1_INTEGER ) ); 960 961 return( (int) len ); 962 } 963 964 /* Transcode signature from PSA format to ASN.1 sequence. 965 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of 966 * MPIs, and in-place. 967 * 968 * [in/out] sig: the signature pre- and post-transcoding 969 * [in/out] sig_len: signature length pre- and post-transcoding 970 * [int] buf_len: the available size the in/out buffer 971 */ 972 static int pk_ecdsa_sig_asn1_from_psa( unsigned char *sig, size_t *sig_len, 973 size_t buf_len ) 974 { 975 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 976 size_t len = 0; 977 const size_t rs_len = *sig_len / 2; 978 unsigned char *p = sig + buf_len; 979 980 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig + rs_len, rs_len ) ); 981 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig, rs_len ) ); 982 983 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, sig, len ) ); 984 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, sig, 985 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); 986 987 memmove( sig, p, len ); 988 *sig_len = len; 989 990 return( 0 ); 991 } 992 993 #endif /* MBEDTLS_ECDSA_C */ 994 995 static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 996 const unsigned char *hash, size_t hash_len, 997 unsigned char *sig, size_t *sig_len, 998 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 999 { 1000 #if !defined(MBEDTLS_ECDSA_C) 1001 ((void) ctx); 1002 ((void) md_alg); 1003 ((void) hash); 1004 ((void) hash_len); 1005 ((void) sig); 1006 ((void) sig_len); 1007 ((void) f_rng); 1008 ((void) p_rng); 1009 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); 1010 #else /* !MBEDTLS_ECDSA_C */ 1011 const psa_key_id_t *key = (const psa_key_id_t *) ctx; 1012 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 1013 psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) ); 1014 size_t buf_len; 1015 psa_status_t status; 1016 1017 /* PSA has its own RNG */ 1018 (void) f_rng; 1019 (void) p_rng; 1020 1021 /* PSA needs an output buffer of known size, but our API doesn't provide 1022 * that information. Assume that the buffer is large enough for a 1023 * maximal-length signature with that key (otherwise the application is 1024 * buggy anyway). */ 1025 status = psa_get_key_attributes( *key, &attributes ); 1026 if( status != PSA_SUCCESS ) 1027 return( mbedtls_psa_err_translate_pk( status ) ); 1028 buf_len = MBEDTLS_ECDSA_MAX_SIG_LEN( psa_get_key_bits( &attributes ) ); 1029 psa_reset_key_attributes( &attributes ); 1030 if( buf_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE ) 1031 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 1032 1033 /* make the signature */ 1034 status = psa_sign_hash( *key, alg, hash, hash_len, 1035 sig, buf_len, sig_len ); 1036 if( status != PSA_SUCCESS ) 1037 return( mbedtls_psa_err_translate_pk( status ) ); 1038 1039 /* transcode it to ASN.1 sequence */ 1040 return( pk_ecdsa_sig_asn1_from_psa( sig, sig_len, buf_len ) ); 1041 #endif /* !MBEDTLS_ECDSA_C */ 1042 } 1043 1044 const mbedtls_pk_info_t mbedtls_pk_opaque_info = { 1045 MBEDTLS_PK_OPAQUE, 1046 "Opaque", 1047 pk_opaque_get_bitlen, 1048 pk_opaque_can_do, 1049 NULL, /* verify - will be done later */ 1050 pk_opaque_sign_wrap, 1051 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1052 NULL, /* restartable verify - not relevant */ 1053 NULL, /* restartable sign - not relevant */ 1054 #endif 1055 NULL, /* decrypt - will be done later */ 1056 NULL, /* encrypt - will be done later */ 1057 NULL, /* check_pair - could be done later or left NULL */ 1058 pk_opaque_alloc_wrap, 1059 pk_opaque_free_wrap, 1060 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 1061 NULL, /* restart alloc - not relevant */ 1062 NULL, /* restart free - not relevant */ 1063 #endif 1064 NULL, /* debug - could be done later, or even left NULL */ 1065 }; 1066 1067 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1068 1069 #endif /* MBEDTLS_PK_C */ 1070