1 /* 2 * Public Key abstraction layer: wrapper functions 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 22 #if !defined(MBEDTLS_CONFIG_FILE) 23 #include "mbedtls/config.h" 24 #else 25 #include MBEDTLS_CONFIG_FILE 26 #endif 27 28 #if defined(MBEDTLS_PK_C) 29 #include "mbedtls/pk_internal.h" 30 31 /* Even if RSA not activated, for the sake of RSA-alt */ 32 #include "mbedtls/rsa.h" 33 #include "mbedtls/bignum.h" 34 35 #include <string.h> 36 37 #if defined(MBEDTLS_ECP_C) 38 #include "mbedtls/ecp.h" 39 #endif 40 41 #if defined(MBEDTLS_ECDSA_C) 42 #include "mbedtls/ecdsa.h" 43 #endif 44 45 #if defined(MBEDTLS_PLATFORM_C) 46 #include "mbedtls/platform.h" 47 #else 48 #include <stdlib.h> 49 #define mbedtls_calloc calloc 50 #define mbedtls_free free 51 #endif 52 53 #include <limits.h> 54 55 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 56 /* Implementation that should never be optimized out by the compiler */ 57 static void mbedtls_zeroize( void *v, size_t n ) { 58 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 59 } 60 #endif 61 62 #if defined(MBEDTLS_RSA_C) 63 static int rsa_can_do( mbedtls_pk_type_t type ) 64 { 65 return( type == MBEDTLS_PK_RSA || 66 type == MBEDTLS_PK_RSASSA_PSS ); 67 } 68 69 static size_t rsa_get_bitlen( const void *ctx ) 70 { 71 return( 8 * ((const mbedtls_rsa_context *) ctx)->len ); 72 } 73 74 static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 75 const unsigned char *hash, size_t hash_len, 76 const unsigned char *sig, size_t sig_len ) 77 { 78 int ret; 79 80 #if defined(MBEDTLS_HAVE_INT64) 81 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) 82 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 83 #endif /* MBEDTLS_HAVE_INT64 */ 84 85 if( sig_len < ((mbedtls_rsa_context *) ctx)->len ) 86 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 87 88 if( ( ret = mbedtls_rsa_pkcs1_verify( (mbedtls_rsa_context *) ctx, NULL, NULL, 89 MBEDTLS_RSA_PUBLIC, md_alg, 90 (unsigned int) hash_len, hash, sig ) ) != 0 ) 91 return( ret ); 92 93 if( sig_len > ((mbedtls_rsa_context *) ctx)->len ) 94 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 95 96 return( 0 ); 97 } 98 99 static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 100 const unsigned char *hash, size_t hash_len, 101 unsigned char *sig, size_t *sig_len, 102 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 103 { 104 #if defined(MBEDTLS_HAVE_INT64) 105 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) 106 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 107 #endif /* MBEDTLS_HAVE_INT64 */ 108 109 *sig_len = ((mbedtls_rsa_context *) ctx)->len; 110 111 return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, 112 md_alg, (unsigned int) hash_len, hash, sig ) ); 113 } 114 115 static int rsa_decrypt_wrap( void *ctx, 116 const unsigned char *input, size_t ilen, 117 unsigned char *output, size_t *olen, size_t osize, 118 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 119 { 120 if( ilen != ((mbedtls_rsa_context *) ctx)->len ) 121 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 122 123 return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, f_rng, p_rng, 124 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) ); 125 } 126 127 static int rsa_encrypt_wrap( void *ctx, 128 const unsigned char *input, size_t ilen, 129 unsigned char *output, size_t *olen, size_t osize, 130 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 131 { 132 *olen = ((mbedtls_rsa_context *) ctx)->len; 133 134 if( *olen > osize ) 135 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 136 137 return( mbedtls_rsa_pkcs1_encrypt( (mbedtls_rsa_context *) ctx, 138 f_rng, p_rng, MBEDTLS_RSA_PUBLIC, ilen, input, output ) ); 139 } 140 141 static int rsa_check_pair_wrap( const void *pub, const void *prv ) 142 { 143 return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub, 144 (const mbedtls_rsa_context *) prv ) ); 145 } 146 147 static void *rsa_alloc_wrap( void ) 148 { 149 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) ); 150 151 if( ctx != NULL ) 152 mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 ); 153 154 return( ctx ); 155 } 156 157 static void rsa_free_wrap( void *ctx ) 158 { 159 mbedtls_rsa_free( (mbedtls_rsa_context *) ctx ); 160 mbedtls_free( ctx ); 161 } 162 163 static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items ) 164 { 165 items->type = MBEDTLS_PK_DEBUG_MPI; 166 items->name = "rsa.N"; 167 items->value = &( ((mbedtls_rsa_context *) ctx)->N ); 168 169 items++; 170 171 items->type = MBEDTLS_PK_DEBUG_MPI; 172 items->name = "rsa.E"; 173 items->value = &( ((mbedtls_rsa_context *) ctx)->E ); 174 } 175 176 const mbedtls_pk_info_t mbedtls_rsa_info = { 177 MBEDTLS_PK_RSA, 178 "RSA", 179 rsa_get_bitlen, 180 rsa_can_do, 181 rsa_verify_wrap, 182 rsa_sign_wrap, 183 rsa_decrypt_wrap, 184 rsa_encrypt_wrap, 185 rsa_check_pair_wrap, 186 rsa_alloc_wrap, 187 rsa_free_wrap, 188 rsa_debug, 189 }; 190 #endif /* MBEDTLS_RSA_C */ 191 192 #if defined(MBEDTLS_ECP_C) 193 /* 194 * Generic EC key 195 */ 196 static int eckey_can_do( mbedtls_pk_type_t type ) 197 { 198 return( type == MBEDTLS_PK_ECKEY || 199 type == MBEDTLS_PK_ECKEY_DH || 200 type == MBEDTLS_PK_ECDSA ); 201 } 202 203 static size_t eckey_get_bitlen( const void *ctx ) 204 { 205 return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits ); 206 } 207 208 #if defined(MBEDTLS_ECDSA_C) 209 /* Forward declarations */ 210 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 211 const unsigned char *hash, size_t hash_len, 212 const unsigned char *sig, size_t sig_len ); 213 214 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 215 const unsigned char *hash, size_t hash_len, 216 unsigned char *sig, size_t *sig_len, 217 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 218 219 static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 220 const unsigned char *hash, size_t hash_len, 221 const unsigned char *sig, size_t sig_len ) 222 { 223 int ret; 224 mbedtls_ecdsa_context ecdsa; 225 226 mbedtls_ecdsa_init( &ecdsa ); 227 228 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 ) 229 ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len ); 230 231 mbedtls_ecdsa_free( &ecdsa ); 232 233 return( ret ); 234 } 235 236 static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 237 const unsigned char *hash, size_t hash_len, 238 unsigned char *sig, size_t *sig_len, 239 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 240 { 241 int ret; 242 mbedtls_ecdsa_context ecdsa; 243 244 mbedtls_ecdsa_init( &ecdsa ); 245 246 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 ) 247 ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len, 248 f_rng, p_rng ); 249 250 mbedtls_ecdsa_free( &ecdsa ); 251 252 return( ret ); 253 } 254 255 #endif /* MBEDTLS_ECDSA_C */ 256 257 static int eckey_check_pair( const void *pub, const void *prv ) 258 { 259 return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub, 260 (const mbedtls_ecp_keypair *) prv ) ); 261 } 262 263 static void *eckey_alloc_wrap( void ) 264 { 265 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) ); 266 267 if( ctx != NULL ) 268 mbedtls_ecp_keypair_init( ctx ); 269 270 return( ctx ); 271 } 272 273 static void eckey_free_wrap( void *ctx ) 274 { 275 mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx ); 276 mbedtls_free( ctx ); 277 } 278 279 static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items ) 280 { 281 items->type = MBEDTLS_PK_DEBUG_ECP; 282 items->name = "eckey.Q"; 283 items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q ); 284 } 285 286 const mbedtls_pk_info_t mbedtls_eckey_info = { 287 MBEDTLS_PK_ECKEY, 288 "EC", 289 eckey_get_bitlen, 290 eckey_can_do, 291 #if defined(MBEDTLS_ECDSA_C) 292 eckey_verify_wrap, 293 eckey_sign_wrap, 294 #else 295 NULL, 296 NULL, 297 #endif 298 NULL, 299 NULL, 300 eckey_check_pair, 301 eckey_alloc_wrap, 302 eckey_free_wrap, 303 eckey_debug, 304 }; 305 306 /* 307 * EC key restricted to ECDH 308 */ 309 static int eckeydh_can_do( mbedtls_pk_type_t type ) 310 { 311 return( type == MBEDTLS_PK_ECKEY || 312 type == MBEDTLS_PK_ECKEY_DH ); 313 } 314 315 const mbedtls_pk_info_t mbedtls_eckeydh_info = { 316 MBEDTLS_PK_ECKEY_DH, 317 "EC_DH", 318 eckey_get_bitlen, /* Same underlying key structure */ 319 eckeydh_can_do, 320 NULL, 321 NULL, 322 NULL, 323 NULL, 324 eckey_check_pair, 325 eckey_alloc_wrap, /* Same underlying key structure */ 326 eckey_free_wrap, /* Same underlying key structure */ 327 eckey_debug, /* Same underlying key structure */ 328 }; 329 #endif /* MBEDTLS_ECP_C */ 330 331 #if defined(MBEDTLS_ECDSA_C) 332 static int ecdsa_can_do( mbedtls_pk_type_t type ) 333 { 334 return( type == MBEDTLS_PK_ECDSA ); 335 } 336 337 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 338 const unsigned char *hash, size_t hash_len, 339 const unsigned char *sig, size_t sig_len ) 340 { 341 int ret; 342 ((void) md_alg); 343 344 ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx, 345 hash, hash_len, sig, sig_len ); 346 347 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH ) 348 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 349 350 return( ret ); 351 } 352 353 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 354 const unsigned char *hash, size_t hash_len, 355 unsigned char *sig, size_t *sig_len, 356 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 357 { 358 return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx, 359 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) ); 360 } 361 362 static void *ecdsa_alloc_wrap( void ) 363 { 364 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) ); 365 366 if( ctx != NULL ) 367 mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx ); 368 369 return( ctx ); 370 } 371 372 static void ecdsa_free_wrap( void *ctx ) 373 { 374 mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx ); 375 mbedtls_free( ctx ); 376 } 377 378 const mbedtls_pk_info_t mbedtls_ecdsa_info = { 379 MBEDTLS_PK_ECDSA, 380 "ECDSA", 381 eckey_get_bitlen, /* Compatible key structures */ 382 ecdsa_can_do, 383 ecdsa_verify_wrap, 384 ecdsa_sign_wrap, 385 NULL, 386 NULL, 387 eckey_check_pair, /* Compatible key structures */ 388 ecdsa_alloc_wrap, 389 ecdsa_free_wrap, 390 eckey_debug, /* Compatible key structures */ 391 }; 392 #endif /* MBEDTLS_ECDSA_C */ 393 394 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 395 /* 396 * Support for alternative RSA-private implementations 397 */ 398 399 static int rsa_alt_can_do( mbedtls_pk_type_t type ) 400 { 401 return( type == MBEDTLS_PK_RSA ); 402 } 403 404 static size_t rsa_alt_get_bitlen( const void *ctx ) 405 { 406 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx; 407 408 return( 8 * rsa_alt->key_len_func( rsa_alt->key ) ); 409 } 410 411 static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 412 const unsigned char *hash, size_t hash_len, 413 unsigned char *sig, size_t *sig_len, 414 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 415 { 416 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 417 418 #if defined(MBEDTLS_HAVE_INT64) 419 if( UINT_MAX < hash_len ) 420 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 421 #endif /* MBEDTLS_HAVE_INT64 */ 422 423 *sig_len = rsa_alt->key_len_func( rsa_alt->key ); 424 425 return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, 426 md_alg, (unsigned int) hash_len, hash, sig ) ); 427 } 428 429 static int rsa_alt_decrypt_wrap( void *ctx, 430 const unsigned char *input, size_t ilen, 431 unsigned char *output, size_t *olen, size_t osize, 432 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 433 { 434 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 435 436 ((void) f_rng); 437 ((void) p_rng); 438 439 if( ilen != rsa_alt->key_len_func( rsa_alt->key ) ) 440 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 441 442 return( rsa_alt->decrypt_func( rsa_alt->key, 443 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) ); 444 } 445 446 #if defined(MBEDTLS_RSA_C) 447 static int rsa_alt_check_pair( const void *pub, const void *prv ) 448 { 449 unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; 450 unsigned char hash[32]; 451 size_t sig_len = 0; 452 int ret; 453 454 if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) ) 455 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 456 457 memset( hash, 0x2a, sizeof( hash ) ); 458 459 if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE, 460 hash, sizeof( hash ), 461 sig, &sig_len, NULL, NULL ) ) != 0 ) 462 { 463 return( ret ); 464 } 465 466 if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE, 467 hash, sizeof( hash ), sig, sig_len ) != 0 ) 468 { 469 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 470 } 471 472 return( 0 ); 473 } 474 #endif /* MBEDTLS_RSA_C */ 475 476 static void *rsa_alt_alloc_wrap( void ) 477 { 478 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) ); 479 480 if( ctx != NULL ) 481 memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) ); 482 483 return( ctx ); 484 } 485 486 static void rsa_alt_free_wrap( void *ctx ) 487 { 488 mbedtls_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) ); 489 mbedtls_free( ctx ); 490 } 491 492 const mbedtls_pk_info_t mbedtls_rsa_alt_info = { 493 MBEDTLS_PK_RSA_ALT, 494 "RSA-alt", 495 rsa_alt_get_bitlen, 496 rsa_alt_can_do, 497 NULL, 498 rsa_alt_sign_wrap, 499 rsa_alt_decrypt_wrap, 500 NULL, 501 #if defined(MBEDTLS_RSA_C) 502 rsa_alt_check_pair, 503 #else 504 NULL, 505 #endif 506 rsa_alt_alloc_wrap, 507 rsa_alt_free_wrap, 508 NULL, 509 }; 510 511 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */ 512 513 #endif /* MBEDTLS_PK_C */ 514