TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 0fc9291f405157f935e0001622f91b759ce44be6 / . / lib / libmbedtls / mbedtls / library / pk_wrap.c
blob: 19196b559ae95ed75bc0ecfa6f38055b695a6b02 [file] [log] [blame]
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1/*
2 * Public Key abstraction layer: wrapper functions
3 *
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]6 */
7
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]8#include "common.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]9
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]10#include "mbedtls/platform_util.h"
11
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]12#if defined(MBEDTLS_PK_C)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]13#include "pk_wrap.h"
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]14#include "pk_internal.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]15#include "mbedtls/error.h"
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]16#include "mbedtls/psa_util.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]17
18/* Even if RSA not activated, for the sake of RSA-alt */
19#include "mbedtls/rsa.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]20
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]21#if defined(MBEDTLS_ECP_C)
22#include "mbedtls/ecp.h"
23#endif
24
25#if defined(MBEDTLS_ECDSA_C)
26#include "mbedtls/ecdsa.h"
27#endif
28
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]29#if defined(MBEDTLS_USE_PSA_CRYPTO)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]30#include "psa_util_internal.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]31#include "psa/crypto.h"
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]32#include "mbedtls/psa_util.h"
33
34#if defined(MBEDTLS_RSA_C)
35#include "pkwrite.h"
36#include "rsa_internal.h"
37#endif
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]38
39#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
40#include "mbedtls/asn1write.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]41#include "mbedtls/asn1.h"
42#endif
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]43#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]44
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]45#include "mbedtls/platform.h"
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]46
47#include <limits.h>
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]48#include <stdint.h>
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]49#include <string.h>
50
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]51#if defined(MBEDTLS_RSA_C)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]52static int rsa_can_do(mbedtls_pk_type_t type)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]53{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]54 return type == MBEDTLS_PK_RSA ||
55 type == MBEDTLS_PK_RSASSA_PSS;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]56}
57
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]58static size_t rsa_get_bitlen(mbedtls_pk_context *pk)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]59{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]60 const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) pk->pk_ctx;
61 return mbedtls_rsa_get_bitlen(rsa);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]62}
63
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]64#if defined(MBEDTLS_USE_PSA_CRYPTO)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]65static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]66 const unsigned char *hash, size_t hash_len,
67 const unsigned char *sig, size_t sig_len)
68{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]69 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]70 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
71 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
72 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
73 psa_status_t status;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]74 int key_len;
75 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]76 unsigned char *p = buf + sizeof(buf);
77 psa_algorithm_t psa_alg_md;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]78 size_t rsa_len = mbedtls_rsa_get_len(rsa);
79
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]80#if SIZE_MAX > UINT_MAX
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]81 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
82 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
83 }
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]84#endif
85
86 if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
87 psa_alg_md = PSA_ALG_RSA_PSS(mbedtls_md_psa_alg_from_type(md_alg));
88 } else {
89 psa_alg_md = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
90 }
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]91
92 if (sig_len < rsa_len) {
93 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
94 }
95
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]96 key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]97 if (key_len <= 0) {
98 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
99 }
100
101 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
102 psa_set_key_algorithm(&attributes, psa_alg_md);
103 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
104
105 status = psa_import_key(&attributes,
106 buf + sizeof(buf) - key_len, key_len,
107 &key_id);
108 if (status != PSA_SUCCESS) {
109 ret = PSA_PK_TO_MBEDTLS_ERR(status);
110 goto cleanup;
111 }
112
113 status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len,
114 sig, sig_len);
115 if (status != PSA_SUCCESS) {
116 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
117 goto cleanup;
118 }
119 ret = 0;
120
121cleanup:
122 status = psa_destroy_key(key_id);
123 if (ret == 0 && status != PSA_SUCCESS) {
124 ret = PSA_PK_TO_MBEDTLS_ERR(status);
125 }
126
127 return ret;
128}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]129#else /* MBEDTLS_USE_PSA_CRYPTO */
130static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]131 const unsigned char *hash, size_t hash_len,
132 const unsigned char *sig, size_t sig_len)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]133{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]134 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]135 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]136 size_t rsa_len = mbedtls_rsa_get_len(rsa);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]137
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]138#if SIZE_MAX > UINT_MAX
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]139 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
140 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
141 }
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]142#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]143
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]144 if (sig_len < rsa_len) {
145 return MBEDTLS_ERR_RSA_VERIFY_FAILED;
146 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]147
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]148 if ((ret = mbedtls_rsa_pkcs1_verify(rsa, md_alg,
149 (unsigned int) hash_len,
150 hash, sig)) != 0) {
151 return ret;
152 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]153
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]154 /* The buffer contains a valid signature followed by extra data.
155 * We have a special error code for that so that so that callers can
156 * use mbedtls_pk_verify() to check "Does the buffer start with a
157 * valid signature?" and not just "Does the buffer contain a valid
158 * signature?". */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]159 if (sig_len > rsa_len) {
160 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
161 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]162
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]163 return 0;
164}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]165#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]166
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]167#if defined(MBEDTLS_USE_PSA_CRYPTO)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]168int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
169 mbedtls_rsa_context *rsa_ctx,
170 const unsigned char *hash, size_t hash_len,
171 unsigned char *sig, size_t sig_size,
172 size_t *sig_len)
173{
174 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
175 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
176 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
177 psa_status_t status;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]178 int key_len;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]179 unsigned char *buf = NULL;
180 unsigned char *p;
181
182 buf = mbedtls_calloc(1, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES);
183 if (buf == NULL) {
184 return MBEDTLS_ERR_PK_ALLOC_FAILED;
185 }
186 p = buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]187
188 *sig_len = mbedtls_rsa_get_len(rsa_ctx);
189 if (sig_size < *sig_len) {
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]190 mbedtls_free(buf);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]191 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
192 }
193
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]194 key_len = mbedtls_rsa_write_key(rsa_ctx, buf, &p);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]195 if (key_len <= 0) {
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]196 mbedtls_free(buf);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]197 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
198 }
199 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
200 psa_set_key_algorithm(&attributes, alg);
201 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
202
203 status = psa_import_key(&attributes,
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]204 buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES - key_len, key_len,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]205 &key_id);
206 if (status != PSA_SUCCESS) {
207 ret = PSA_PK_TO_MBEDTLS_ERR(status);
208 goto cleanup;
209 }
210 status = psa_sign_hash(key_id, alg, hash, hash_len,
211 sig, sig_size, sig_len);
212 if (status != PSA_SUCCESS) {
213 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
214 goto cleanup;
215 }
216
217 ret = 0;
218
219cleanup:
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]220 mbedtls_free(buf);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]221 status = psa_destroy_key(key_id);
222 if (ret == 0 && status != PSA_SUCCESS) {
223 ret = PSA_PK_TO_MBEDTLS_ERR(status);
224 }
225 return ret;
226}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]227#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]228
229#if defined(MBEDTLS_USE_PSA_CRYPTO)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]230static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]231 const unsigned char *hash, size_t hash_len,
232 unsigned char *sig, size_t sig_size, size_t *sig_len,
233 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
234{
235 ((void) f_rng);
236 ((void) p_rng);
237
238 psa_algorithm_t psa_md_alg;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]239 psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]240 if (psa_md_alg == 0) {
241 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
242 }
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]243 psa_algorithm_t psa_alg;
244 if (mbedtls_rsa_get_padding_mode(mbedtls_pk_rsa(*pk)) == MBEDTLS_RSA_PKCS_V21) {
245 psa_alg = PSA_ALG_RSA_PSS(psa_md_alg);
246 } else {
247 psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg);
248 }
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]249
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]250 return mbedtls_pk_psa_rsa_sign_ext(psa_alg, pk->pk_ctx, hash, hash_len,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]251 sig, sig_size, sig_len);
252}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]253#else /* MBEDTLS_USE_PSA_CRYPTO */
254static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]255 const unsigned char *hash, size_t hash_len,
256 unsigned char *sig, size_t sig_size, size_t *sig_len,
257 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
258{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]259 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]260
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]261#if SIZE_MAX > UINT_MAX
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]262 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
263 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
264 }
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]265#endif
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]266
267 *sig_len = mbedtls_rsa_get_len(rsa);
268 if (sig_size < *sig_len) {
269 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
270 }
271
272 return mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng,
273 md_alg, (unsigned int) hash_len,
274 hash, sig);
275}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]276#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]277
278#if defined(MBEDTLS_USE_PSA_CRYPTO)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]279static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]280 const unsigned char *input, size_t ilen,
281 unsigned char *output, size_t *olen, size_t osize,
282 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
283{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]284 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]285 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
286 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
287 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]288 psa_algorithm_t psa_md_alg, decrypt_alg;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]289 psa_status_t status;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]290 int key_len;
291 unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]292 unsigned char *p = buf + sizeof(buf);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]293
294 ((void) f_rng);
295 ((void) p_rng);
296
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]297 if (ilen != mbedtls_rsa_get_len(rsa)) {
298 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
299 }
300
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]301 key_len = mbedtls_rsa_write_key(rsa, buf, &p);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]302 if (key_len <= 0) {
303 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
304 }
305
306 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
307 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]308 if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
309 psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa));
310 decrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg);
311 } else {
312 decrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
313 }
314 psa_set_key_algorithm(&attributes, decrypt_alg);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]315
316 status = psa_import_key(&attributes,
317 buf + sizeof(buf) - key_len, key_len,
318 &key_id);
319 if (status != PSA_SUCCESS) {
320 ret = PSA_PK_TO_MBEDTLS_ERR(status);
321 goto cleanup;
322 }
323
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]324 status = psa_asymmetric_decrypt(key_id, decrypt_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]325 input, ilen,
326 NULL, 0,
327 output, osize, olen);
328 if (status != PSA_SUCCESS) {
329 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
330 goto cleanup;
331 }
332
333 ret = 0;
334
335cleanup:
336 mbedtls_platform_zeroize(buf, sizeof(buf));
337 status = psa_destroy_key(key_id);
338 if (ret == 0 && status != PSA_SUCCESS) {
339 ret = PSA_PK_TO_MBEDTLS_ERR(status);
340 }
341
342 return ret;
343}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]344#else /* MBEDTLS_USE_PSA_CRYPTO */
345static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]346 const unsigned char *input, size_t ilen,
347 unsigned char *output, size_t *olen, size_t osize,
348 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
349{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]350 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]351
352 if (ilen != mbedtls_rsa_get_len(rsa)) {
353 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
354 }
355
356 return mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng,
357 olen, input, output, osize);
358}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]359#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]360
361#if defined(MBEDTLS_USE_PSA_CRYPTO)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]362static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]363 const unsigned char *input, size_t ilen,
364 unsigned char *output, size_t *olen, size_t osize,
365 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
366{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]367 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]368 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
369 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
370 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]371 psa_algorithm_t psa_md_alg, psa_encrypt_alg;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]372 psa_status_t status;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]373 int key_len;
374 unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]375 unsigned char *p = buf + sizeof(buf);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]376
377 ((void) f_rng);
378 ((void) p_rng);
379
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]380 if (mbedtls_rsa_get_len(rsa) > osize) {
381 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
382 }
383
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]384 key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]385 if (key_len <= 0) {
386 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
387 }
388
389 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]390 if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
391 psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa));
392 psa_encrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg);
393 } else {
394 psa_encrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
395 }
396 psa_set_key_algorithm(&attributes, psa_encrypt_alg);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]397 psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
398
399 status = psa_import_key(&attributes,
400 buf + sizeof(buf) - key_len, key_len,
401 &key_id);
402 if (status != PSA_SUCCESS) {
403 ret = PSA_PK_TO_MBEDTLS_ERR(status);
404 goto cleanup;
405 }
406
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]407 status = psa_asymmetric_encrypt(key_id, psa_encrypt_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]408 input, ilen,
409 NULL, 0,
410 output, osize, olen);
411 if (status != PSA_SUCCESS) {
412 ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
413 goto cleanup;
414 }
415
416 ret = 0;
417
418cleanup:
419 status = psa_destroy_key(key_id);
420 if (ret == 0 && status != PSA_SUCCESS) {
421 ret = PSA_PK_TO_MBEDTLS_ERR(status);
422 }
423
424 return ret;
425}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]426#else /* MBEDTLS_USE_PSA_CRYPTO */
427static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]428 const unsigned char *input, size_t ilen,
429 unsigned char *output, size_t *olen, size_t osize,
430 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
431{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]432 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]433 *olen = mbedtls_rsa_get_len(rsa);
434
435 if (*olen > osize) {
436 return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
437 }
438
439 return mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng,
440 ilen, input, output);
441}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]442#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]443
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]444static int rsa_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]445 int (*f_rng)(void *, unsigned char *, size_t),
446 void *p_rng)
447{
448 (void) f_rng;
449 (void) p_rng;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]450 return mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub->pk_ctx,
451 (const mbedtls_rsa_context *) prv->pk_ctx);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]452}
453
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]454static void *rsa_alloc_wrap(void)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]455{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]456 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]457
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]458 if (ctx != NULL) {
459 mbedtls_rsa_init((mbedtls_rsa_context *) ctx);
460 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]461
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]462 return ctx;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]463}
464
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]465static void rsa_free_wrap(void *ctx)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]466{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]467 mbedtls_rsa_free((mbedtls_rsa_context *) ctx);
468 mbedtls_free(ctx);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]469}
470
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]471static void rsa_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]472{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]473#if defined(MBEDTLS_RSA_ALT)
474 /* Not supported */
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]475 (void) pk;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]476 (void) items;
477#else
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]478 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
479
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]480 items->type = MBEDTLS_PK_DEBUG_MPI;
481 items->name = "rsa.N";
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]482 items->value = &(rsa->N);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]483
484 items++;
485
486 items->type = MBEDTLS_PK_DEBUG_MPI;
487 items->name = "rsa.E";
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]488 items->value = &(rsa->E);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]489#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]490}
491
492const mbedtls_pk_info_t mbedtls_rsa_info = {
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]493 .type = MBEDTLS_PK_RSA,
494 .name = "RSA",
495 .get_bitlen = rsa_get_bitlen,
496 .can_do = rsa_can_do,
497 .verify_func = rsa_verify_wrap,
498 .sign_func = rsa_sign_wrap,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]499#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]500 .verify_rs_func = NULL,
501 .sign_rs_func = NULL,
502 .rs_alloc_func = NULL,
503 .rs_free_func = NULL,
504#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
505 .decrypt_func = rsa_decrypt_wrap,
506 .encrypt_func = rsa_encrypt_wrap,
507 .check_pair_func = rsa_check_pair_wrap,
508 .ctx_alloc_func = rsa_alloc_wrap,
509 .ctx_free_func = rsa_free_wrap,
510 .debug_func = rsa_debug,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]511};
512#endif /* MBEDTLS_RSA_C */
513
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]514#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]515/*
516 * Generic EC key
517 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]518static int eckey_can_do(mbedtls_pk_type_t type)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]519{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]520 return type == MBEDTLS_PK_ECKEY ||
521 type == MBEDTLS_PK_ECKEY_DH ||
522 type == MBEDTLS_PK_ECDSA;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]523}
524
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]525static size_t eckey_get_bitlen(mbedtls_pk_context *pk)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]526{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]527#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
528 return pk->ec_bits;
529#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
530 mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
531 return ecp->grp.pbits;
532#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]533}
534
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]535#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
536#if defined(MBEDTLS_USE_PSA_CRYPTO)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]537/* Common helper for ECDSA verify using PSA functions. */
538static int ecdsa_verify_psa(unsigned char *key, size_t key_len,
539 psa_ecc_family_t curve, size_t curve_bits,
540 const unsigned char *hash, size_t hash_len,
541 const unsigned char *sig, size_t sig_len)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]542{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]543 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]544 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
545 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]546 psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]547 size_t signature_len = PSA_ECDSA_SIGNATURE_SIZE(curve_bits);
548 size_t converted_sig_len;
549 unsigned char extracted_sig[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
550 unsigned char *p;
551 psa_status_t status;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]552
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]553 if (curve == 0) {
554 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
555 }
556
557 psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
558 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
559 psa_set_key_algorithm(&attributes, psa_sig_md);
560
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]561 status = psa_import_key(&attributes, key, key_len, &key_id);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]562 if (status != PSA_SUCCESS) {
563 ret = PSA_PK_TO_MBEDTLS_ERR(status);
564 goto cleanup;
565 }
566
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]567 if (signature_len > sizeof(extracted_sig)) {
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]568 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
569 goto cleanup;
570 }
571
572 p = (unsigned char *) sig;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]573 ret = mbedtls_ecdsa_der_to_raw(curve_bits, p, sig_len, extracted_sig,
574 sizeof(extracted_sig), &converted_sig_len);
575 if (ret != 0) {
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]576 goto cleanup;
577 }
578
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]579 if (converted_sig_len != signature_len) {
580 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
581 goto cleanup;
582 }
583
584 status = psa_verify_hash(key_id, psa_sig_md, hash, hash_len,
585 extracted_sig, signature_len);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]586 if (status != PSA_SUCCESS) {
587 ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
588 goto cleanup;
589 }
590
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]591 ret = 0;
592
593cleanup:
594 status = psa_destroy_key(key_id);
595 if (ret == 0 && status != PSA_SUCCESS) {
596 ret = PSA_PK_TO_MBEDTLS_ERR(status);
597 }
598
599 return ret;
600}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]601
602static int ecdsa_opaque_verify_wrap(mbedtls_pk_context *pk,
603 mbedtls_md_type_t md_alg,
604 const unsigned char *hash, size_t hash_len,
605 const unsigned char *sig, size_t sig_len)
606{
607 (void) md_alg;
608 unsigned char key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
609 size_t key_len;
610 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
611 psa_ecc_family_t curve;
612 size_t curve_bits;
613 psa_status_t status;
614
615 status = psa_get_key_attributes(pk->priv_id, &key_attr);
616 if (status != PSA_SUCCESS) {
617 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
618 }
619 curve = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attr));
620 curve_bits = psa_get_key_bits(&key_attr);
621 psa_reset_key_attributes(&key_attr);
622
623 status = psa_export_public_key(pk->priv_id, key, sizeof(key), &key_len);
624 if (status != PSA_SUCCESS) {
625 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
626 }
627
628 return ecdsa_verify_psa(key, key_len, curve, curve_bits,
629 hash, hash_len, sig, sig_len);
630}
631
632#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
633static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
634 mbedtls_md_type_t md_alg,
635 const unsigned char *hash, size_t hash_len,
636 const unsigned char *sig, size_t sig_len)
637{
638 (void) md_alg;
639 psa_ecc_family_t curve = pk->ec_family;
640 size_t curve_bits = pk->ec_bits;
641
642 return ecdsa_verify_psa(pk->pub_raw, pk->pub_raw_len, curve, curve_bits,
643 hash, hash_len, sig, sig_len);
644}
645#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
646static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
647 mbedtls_md_type_t md_alg,
648 const unsigned char *hash, size_t hash_len,
649 const unsigned char *sig, size_t sig_len)
650{
651 (void) md_alg;
652 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
653 mbedtls_ecp_keypair *ctx = pk->pk_ctx;
654 unsigned char key[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
655 size_t key_len;
656 size_t curve_bits;
657 psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
658
659 ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q,
660 MBEDTLS_ECP_PF_UNCOMPRESSED,
661 &key_len, key, sizeof(key));
662 if (ret != 0) {
663 return ret;
664 }
665
666 return ecdsa_verify_psa(key, key_len, curve, curve_bits,
667 hash, hash_len, sig, sig_len);
668}
669#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]670#else /* MBEDTLS_USE_PSA_CRYPTO */
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]671static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]672 const unsigned char *hash, size_t hash_len,
673 const unsigned char *sig, size_t sig_len)
674{
675 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
676 ((void) md_alg);
677
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]678 ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]679 hash, hash_len, sig, sig_len);
680
681 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
682 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
683 }
684
685 return ret;
686}
687#endif /* MBEDTLS_USE_PSA_CRYPTO */
688#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
689
690#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
691#if defined(MBEDTLS_USE_PSA_CRYPTO)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]692/* Common helper for ECDSA sign using PSA functions.
693 * Instead of extracting key's properties in order to check which kind of ECDSA
694 * signature it supports, we try both deterministic and non-deterministic.
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]695 */
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]696static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg,
697 const unsigned char *hash, size_t hash_len,
698 unsigned char *sig, size_t sig_size, size_t *sig_len)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]699{
700 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]701 psa_status_t status;
702 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
703 size_t key_bits = 0;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]704
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]705 status = psa_get_key_attributes(key_id, &key_attr);
706 if (status != PSA_SUCCESS) {
707 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
708 }
709 key_bits = psa_get_key_bits(&key_attr);
710 psa_reset_key_attributes(&key_attr);
711
712 status = psa_sign_hash(key_id,
713 PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)),
714 hash, hash_len, sig, sig_size, sig_len);
715 if (status == PSA_SUCCESS) {
716 goto done;
717 } else if (status != PSA_ERROR_NOT_PERMITTED) {
718 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]719 }
720
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]721 status = psa_sign_hash(key_id,
722 PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)),
723 hash, hash_len, sig, sig_size, sig_len);
724 if (status != PSA_SUCCESS) {
725 return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]726 }
727
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]728done:
729 ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, *sig_len, sig, sig_size, sig_len);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]730
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]731 return ret;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]732}
733
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]734static int ecdsa_opaque_sign_wrap(mbedtls_pk_context *pk,
735 mbedtls_md_type_t md_alg,
736 const unsigned char *hash, size_t hash_len,
737 unsigned char *sig, size_t sig_size,
738 size_t *sig_len,
739 int (*f_rng)(void *, unsigned char *, size_t),
740 void *p_rng)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]741{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]742 ((void) f_rng);
743 ((void) p_rng);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]744
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]745 return ecdsa_sign_psa(pk->priv_id, md_alg, hash, hash_len, sig, sig_size,
746 sig_len);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]747}
748
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]749#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
750/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
751 * using the same function. */
752#define ecdsa_sign_wrap ecdsa_opaque_sign_wrap
753#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
754static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]755 const unsigned char *hash, size_t hash_len,
756 unsigned char *sig, size_t sig_size, size_t *sig_len,
757 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
758{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]759 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]760 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
761 psa_status_t status;
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]762 mbedtls_ecp_keypair *ctx = pk->pk_ctx;
763 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]764 unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]765 size_t curve_bits;
766 psa_ecc_family_t curve =
767 mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
768 size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]769 psa_algorithm_t psa_hash = mbedtls_md_psa_alg_from_type(md_alg);
770 psa_algorithm_t psa_sig_md = MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(psa_hash);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]771 ((void) f_rng);
772 ((void) p_rng);
773
774 if (curve == 0) {
775 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
776 }
777
778 if (key_len > sizeof(buf)) {
779 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
780 }
781 ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len);
782 if (ret != 0) {
783 goto cleanup;
784 }
785
786 psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
787 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
788 psa_set_key_algorithm(&attributes, psa_sig_md);
789
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]790 status = psa_import_key(&attributes, buf, key_len, &key_id);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]791 if (status != PSA_SUCCESS) {
792 ret = PSA_PK_TO_MBEDTLS_ERR(status);
793 goto cleanup;
794 }
795
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]796 ret = ecdsa_sign_psa(key_id, md_alg, hash, hash_len, sig, sig_size, sig_len);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]797
798cleanup:
799 mbedtls_platform_zeroize(buf, sizeof(buf));
800 status = psa_destroy_key(key_id);
801 if (ret == 0 && status != PSA_SUCCESS) {
802 ret = PSA_PK_TO_MBEDTLS_ERR(status);
803 }
804
805 return ret;
806}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]807#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]808#else /* MBEDTLS_USE_PSA_CRYPTO */
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]809static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]810 const unsigned char *hash, size_t hash_len,
811 unsigned char *sig, size_t sig_size, size_t *sig_len,
812 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
813{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]814 return mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]815 md_alg, hash, hash_len,
816 sig, sig_size, sig_len,
817 f_rng, p_rng);
818}
819#endif /* MBEDTLS_USE_PSA_CRYPTO */
820#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
821
822#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
823/* Forward declarations */
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]824static int ecdsa_verify_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]825 const unsigned char *hash, size_t hash_len,
826 const unsigned char *sig, size_t sig_len,
827 void *rs_ctx);
828
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]829static int ecdsa_sign_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]830 const unsigned char *hash, size_t hash_len,
831 unsigned char *sig, size_t sig_size, size_t *sig_len,
832 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
833 void *rs_ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]834
835/*
836 * Restart context for ECDSA operations with ECKEY context
837 *
838 * We need to store an actual ECDSA context, as we need to pass the same to
839 * the underlying ecdsa function, so we can't create it on the fly every time.
840 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]841typedef struct {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]842 mbedtls_ecdsa_restart_ctx ecdsa_rs;
843 mbedtls_ecdsa_context ecdsa_ctx;
844} eckey_restart_ctx;
845
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]846static void *eckey_rs_alloc(void)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]847{
848 eckey_restart_ctx *rs_ctx;
849
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]850 void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]851
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]852 if (ctx != NULL) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]853 rs_ctx = ctx;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]854 mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
855 mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]856 }
857
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]858 return ctx;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]859}
860
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]861static void eckey_rs_free(void *ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]862{
863 eckey_restart_ctx *rs_ctx;
864
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]865 if (ctx == NULL) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]866 return;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]867 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]868
869 rs_ctx = ctx;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]870 mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
871 mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]872
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]873 mbedtls_free(ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]874}
875
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]876static int eckey_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]877 const unsigned char *hash, size_t hash_len,
878 const unsigned char *sig, size_t sig_len,
879 void *rs_ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]880{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]881 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]882 eckey_restart_ctx *rs = rs_ctx;
883
884 /* Should never happen */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]885 if (rs == NULL) {
886 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
887 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]888
889 /* set up our own sub-context if needed (that is, on first run) */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]890 if (rs->ecdsa_ctx.grp.pbits == 0) {
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]891 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]892 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]893
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]894 MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(pk,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]895 md_alg, hash, hash_len,
896 sig, sig_len, &rs->ecdsa_rs));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]897
898cleanup:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]899 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]900}
901
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]902static int eckey_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]903 const unsigned char *hash, size_t hash_len,
904 unsigned char *sig, size_t sig_size, size_t *sig_len,
905 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
906 void *rs_ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]907{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]908 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]909 eckey_restart_ctx *rs = rs_ctx;
910
911 /* Should never happen */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]912 if (rs == NULL) {
913 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
914 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]915
916 /* set up our own sub-context if needed (that is, on first run) */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]917 if (rs->ecdsa_ctx.grp.pbits == 0) {
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]918 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]919 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]920
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]921 MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(pk, md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]922 hash, hash_len, sig, sig_size, sig_len,
923 f_rng, p_rng, &rs->ecdsa_rs));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]924
925cleanup:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]926 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]927}
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]928#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]929
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]930#if defined(MBEDTLS_USE_PSA_CRYPTO)
931#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
932static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]933{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]934 psa_status_t status;
935 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
936 uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
937 size_t prv_key_len;
938 mbedtls_svc_key_id_t key_id = prv->priv_id;
939
940 status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
941 &prv_key_len);
942 ret = PSA_PK_TO_MBEDTLS_ERR(status);
943 if (ret != 0) {
944 return ret;
945 }
946
947 if (memcmp(prv_key_buf, pub->pub_raw, pub->pub_raw_len) != 0) {
948 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
949 }
950
951 return 0;
952}
953#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
954static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
955{
956 psa_status_t status;
957 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
958 uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
959 size_t prv_key_len;
960 psa_status_t destruction_status;
961 mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
962 psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
963 uint8_t pub_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
964 size_t pub_key_len;
965 size_t curve_bits;
966 const psa_ecc_family_t curve =
967 mbedtls_ecc_group_to_psa(mbedtls_pk_ec_ro(*prv)->grp.id, &curve_bits);
968 const size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits);
969
970 if (curve == 0) {
971 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
972 }
973
974 psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
975 psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
976
977 ret = mbedtls_mpi_write_binary(&mbedtls_pk_ec_ro(*prv)->d,
978 prv_key_buf, curve_bytes);
979 if (ret != 0) {
980 mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
981 return ret;
982 }
983
984 status = psa_import_key(&key_attr, prv_key_buf, curve_bytes, &key_id);
985 mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
986 ret = PSA_PK_TO_MBEDTLS_ERR(status);
987 if (ret != 0) {
988 return ret;
989 }
990
991 // From now on prv_key_buf is used to store the public key of prv.
992 status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
993 &prv_key_len);
994 ret = PSA_PK_TO_MBEDTLS_ERR(status);
995 destruction_status = psa_destroy_key(key_id);
996 if (ret != 0) {
997 return ret;
998 } else if (destruction_status != PSA_SUCCESS) {
999 return PSA_PK_TO_MBEDTLS_ERR(destruction_status);
1000 }
1001
1002 ret = mbedtls_ecp_point_write_binary(&mbedtls_pk_ec_rw(*pub)->grp,
1003 &mbedtls_pk_ec_rw(*pub)->Q,
1004 MBEDTLS_ECP_PF_UNCOMPRESSED,
1005 &pub_key_len, pub_key_buf,
1006 sizeof(pub_key_buf));
1007 if (ret != 0) {
1008 return ret;
1009 }
1010
1011 if (memcmp(prv_key_buf, pub_key_buf, curve_bytes) != 0) {
1012 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1013 }
1014
1015 return 0;
1016}
1017#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1018
1019static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1020 int (*f_rng)(void *, unsigned char *, size_t),
1021 void *p_rng)
1022{
1023 (void) f_rng;
1024 (void) p_rng;
1025 return eckey_check_pair_psa(pub, prv);
1026}
1027#else /* MBEDTLS_USE_PSA_CRYPTO */
1028static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
1029 int (*f_rng)(void *, unsigned char *, size_t),
1030 void *p_rng)
1031{
1032 return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub->pk_ctx,
1033 (const mbedtls_ecp_keypair *) prv->pk_ctx,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1034 f_rng, p_rng);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1035}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1036#endif /* MBEDTLS_USE_PSA_CRYPTO */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1037
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1038#if defined(MBEDTLS_USE_PSA_CRYPTO)
1039#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1040/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
1041 * using the same function. */
1042#define ecdsa_opaque_check_pair_wrap eckey_check_pair_wrap
1043#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1044static int ecdsa_opaque_check_pair_wrap(mbedtls_pk_context *pub,
1045 mbedtls_pk_context *prv,
1046 int (*f_rng)(void *, unsigned char *, size_t),
1047 void *p_rng)
1048{
1049 psa_status_t status;
1050 uint8_t exp_pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
1051 size_t exp_pub_key_len = 0;
1052 uint8_t pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
1053 size_t pub_key_len = 0;
1054 int ret;
1055 (void) f_rng;
1056 (void) p_rng;
1057
1058 status = psa_export_public_key(prv->priv_id, exp_pub_key, sizeof(exp_pub_key),
1059 &exp_pub_key_len);
1060 if (status != PSA_SUCCESS) {
1061 ret = psa_pk_status_to_mbedtls(status);
1062 return ret;
1063 }
1064 ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(*pub)->grp),
1065 &(mbedtls_pk_ec_ro(*pub)->Q),
1066 MBEDTLS_ECP_PF_UNCOMPRESSED,
1067 &pub_key_len, pub_key, sizeof(pub_key));
1068 if (ret != 0) {
1069 return ret;
1070 }
1071 if ((exp_pub_key_len != pub_key_len) ||
1072 memcmp(exp_pub_key, pub_key, exp_pub_key_len)) {
1073 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1074 }
1075 return 0;
1076}
1077#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1078#endif /* MBEDTLS_USE_PSA_CRYPTO */
1079
1080#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1081static void *eckey_alloc_wrap(void)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1082{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1083 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1084
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1085 if (ctx != NULL) {
1086 mbedtls_ecp_keypair_init(ctx);
1087 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1088
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1089 return ctx;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1090}
1091
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1092static void eckey_free_wrap(void *ctx)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1093{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1094 mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
1095 mbedtls_free(ctx);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1096}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1097#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1098
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1099static void eckey_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1100{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1101#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1102 items->type = MBEDTLS_PK_DEBUG_PSA_EC;
1103 items->name = "eckey.Q";
1104 items->value = pk;
1105#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1106 mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1107 items->type = MBEDTLS_PK_DEBUG_ECP;
1108 items->name = "eckey.Q";
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1109 items->value = &(ecp->Q);
1110#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1111}
1112
1113const mbedtls_pk_info_t mbedtls_eckey_info = {
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1114 .type = MBEDTLS_PK_ECKEY,
1115 .name = "EC",
1116 .get_bitlen = eckey_get_bitlen,
1117 .can_do = eckey_can_do,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1118#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1119 .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
1120#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1121 .verify_func = NULL,
1122#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1123#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1124 .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
1125#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1126 .sign_func = NULL,
1127#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1128#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1129 .verify_rs_func = eckey_verify_rs_wrap,
1130 .sign_rs_func = eckey_sign_rs_wrap,
1131 .rs_alloc_func = eckey_rs_alloc,
1132 .rs_free_func = eckey_rs_free,
1133#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1134 .decrypt_func = NULL,
1135 .encrypt_func = NULL,
1136 .check_pair_func = eckey_check_pair_wrap,
1137#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1138 .ctx_alloc_func = NULL,
1139 .ctx_free_func = NULL,
1140#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1141 .ctx_alloc_func = eckey_alloc_wrap,
1142 .ctx_free_func = eckey_free_wrap,
1143#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1144 .debug_func = eckey_debug,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1145};
1146
1147/*
1148 * EC key restricted to ECDH
1149 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1150static int eckeydh_can_do(mbedtls_pk_type_t type)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1151{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1152 return type == MBEDTLS_PK_ECKEY ||
1153 type == MBEDTLS_PK_ECKEY_DH;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1154}
1155
1156const mbedtls_pk_info_t mbedtls_eckeydh_info = {
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1157 .type = MBEDTLS_PK_ECKEY_DH,
1158 .name = "EC_DH",
1159 .get_bitlen = eckey_get_bitlen, /* Same underlying key structure */
1160 .can_do = eckeydh_can_do,
1161 .verify_func = NULL,
1162 .sign_func = NULL,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1163#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1164 .verify_rs_func = NULL,
1165 .sign_rs_func = NULL,
1166#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1167 .decrypt_func = NULL,
1168 .encrypt_func = NULL,
1169 .check_pair_func = eckey_check_pair_wrap,
1170#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1171 .ctx_alloc_func = NULL,
1172 .ctx_free_func = NULL,
1173#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1174 .ctx_alloc_func = eckey_alloc_wrap, /* Same underlying key structure */
1175 .ctx_free_func = eckey_free_wrap, /* Same underlying key structure */
1176#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1177 .debug_func = eckey_debug, /* Same underlying key structure */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1178};
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1179
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1180#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
1181static int ecdsa_can_do(mbedtls_pk_type_t type)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1182{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1183 return type == MBEDTLS_PK_ECDSA;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1184}
1185
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1186#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1187static int ecdsa_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1188 const unsigned char *hash, size_t hash_len,
1189 const unsigned char *sig, size_t sig_len,
1190 void *rs_ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1191{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1192 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1193 ((void) md_alg);
1194
1195 ret = mbedtls_ecdsa_read_signature_restartable(
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1196 (mbedtls_ecdsa_context *) pk->pk_ctx,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1197 hash, hash_len, sig, sig_len,
1198 (mbedtls_ecdsa_restart_ctx *) rs_ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1199
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1200 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
1201 return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
1202 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1203
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1204 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1205}
1206
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1207static int ecdsa_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1208 const unsigned char *hash, size_t hash_len,
1209 unsigned char *sig, size_t sig_size, size_t *sig_len,
1210 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
1211 void *rs_ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1212{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1213 return mbedtls_ecdsa_write_signature_restartable(
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1214 (mbedtls_ecdsa_context *) pk->pk_ctx,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1215 md_alg, hash, hash_len, sig, sig_size, sig_len, f_rng, p_rng,
1216 (mbedtls_ecdsa_restart_ctx *) rs_ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1217
1218}
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1219
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1220static void *ecdsa_rs_alloc(void)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1221{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1222 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1223
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1224 if (ctx != NULL) {
1225 mbedtls_ecdsa_restart_init(ctx);
1226 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1227
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1228 return ctx;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1229}
1230
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1231static void ecdsa_rs_free(void *ctx)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1232{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1233 mbedtls_ecdsa_restart_free(ctx);
1234 mbedtls_free(ctx);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1235}
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1236#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1237
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1238const mbedtls_pk_info_t mbedtls_ecdsa_info = {
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1239 .type = MBEDTLS_PK_ECDSA,
1240 .name = "ECDSA",
1241 .get_bitlen = eckey_get_bitlen, /* Compatible key structures */
1242 .can_do = ecdsa_can_do,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1243#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1244 .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
1245#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1246 .verify_func = NULL,
1247#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1248#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1249 .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
1250#else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1251 .sign_func = NULL,
1252#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1253#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1254 .verify_rs_func = ecdsa_verify_rs_wrap,
1255 .sign_rs_func = ecdsa_sign_rs_wrap,
1256 .rs_alloc_func = ecdsa_rs_alloc,
1257 .rs_free_func = ecdsa_rs_free,
1258#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1259 .decrypt_func = NULL,
1260 .encrypt_func = NULL,
1261 .check_pair_func = eckey_check_pair_wrap, /* Compatible key structures */
1262#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
1263 .ctx_alloc_func = NULL,
1264 .ctx_free_func = NULL,
1265#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
1266 .ctx_alloc_func = eckey_alloc_wrap, /* Compatible key structures */
1267 .ctx_free_func = eckey_free_wrap, /* Compatible key structures */
1268#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
1269 .debug_func = eckey_debug, /* Compatible key structures */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1270};
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1271#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1272#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1273
1274#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
1275/*
1276 * Support for alternative RSA-private implementations
1277 */
1278
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1279static int rsa_alt_can_do(mbedtls_pk_type_t type)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1280{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1281 return type == MBEDTLS_PK_RSA;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1282}
1283
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1284static size_t rsa_alt_get_bitlen(mbedtls_pk_context *pk)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1285{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1286 const mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1287
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1288 return 8 * rsa_alt->key_len_func(rsa_alt->key);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1289}
1290
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1291static int rsa_alt_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1292 const unsigned char *hash, size_t hash_len,
1293 unsigned char *sig, size_t sig_size, size_t *sig_len,
1294 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1295{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1296 mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1297
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1298#if SIZE_MAX > UINT_MAX
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1299 if (UINT_MAX < hash_len) {
1300 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1301 }
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1302#endif
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1303
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1304 *sig_len = rsa_alt->key_len_func(rsa_alt->key);
1305 if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
1306 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1307 }
1308 if (*sig_len > sig_size) {
1309 return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
1310 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1311
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1312 return rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng,
1313 md_alg, (unsigned int) hash_len, hash, sig);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1314}
1315
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1316static int rsa_alt_decrypt_wrap(mbedtls_pk_context *pk,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1317 const unsigned char *input, size_t ilen,
1318 unsigned char *output, size_t *olen, size_t osize,
1319 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1320{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1321 mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1322
1323 ((void) f_rng);
1324 ((void) p_rng);
1325
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1326 if (ilen != rsa_alt->key_len_func(rsa_alt->key)) {
1327 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1328 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1329
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1330 return rsa_alt->decrypt_func(rsa_alt->key,
1331 olen, input, output, osize);
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1332}
1333
1334#if defined(MBEDTLS_RSA_C)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1335static int rsa_alt_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1336 int (*f_rng)(void *, unsigned char *, size_t),
1337 void *p_rng)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1338{
1339 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
1340 unsigned char hash[32];
1341 size_t sig_len = 0;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1342 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1343
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1344 if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub)) {
1345 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1346 }
1347
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1348 memset(hash, 0x2a, sizeof(hash));
1349
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1350 if ((ret = rsa_alt_sign_wrap(prv, MBEDTLS_MD_NONE,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1351 hash, sizeof(hash),
1352 sig, sizeof(sig), &sig_len,
1353 f_rng, p_rng)) != 0) {
1354 return ret;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1355 }
1356
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1357 if (rsa_verify_wrap(pub, MBEDTLS_MD_NONE,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1358 hash, sizeof(hash), sig, sig_len) != 0) {
1359 return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
1360 }
1361
1362 return 0;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1363}
1364#endif /* MBEDTLS_RSA_C */
1365
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1366static void *rsa_alt_alloc_wrap(void)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1367{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1368 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context));
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1369
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1370 if (ctx != NULL) {
1371 memset(ctx, 0, sizeof(mbedtls_rsa_alt_context));
1372 }
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1373
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1374 return ctx;
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1375}
1376
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1377static void rsa_alt_free_wrap(void *ctx)
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1378{
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1379 mbedtls_zeroize_and_free(ctx, sizeof(mbedtls_rsa_alt_context));
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1380}
1381
1382const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1383 .type = MBEDTLS_PK_RSA_ALT,
1384 .name = "RSA-alt",
1385 .get_bitlen = rsa_alt_get_bitlen,
1386 .can_do = rsa_alt_can_do,
1387 .verify_func = NULL,
1388 .sign_func = rsa_alt_sign_wrap,
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1389#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1390 .verify_rs_func = NULL,
1391 .sign_rs_func = NULL,
1392 .rs_alloc_func = NULL,
1393 .rs_free_func = NULL,
1394#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1395 .decrypt_func = rsa_alt_decrypt_wrap,
1396 .encrypt_func = NULL,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1397#if defined(MBEDTLS_RSA_C)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1398 .check_pair_func = rsa_alt_check_pair,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1399#else
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1400 .check_pair_func = NULL,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1401#endif
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1402 .ctx_alloc_func = rsa_alt_alloc_wrap,
1403 .ctx_free_func = rsa_alt_free_wrap,
1404 .debug_func = NULL,
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1405};
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1406#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
1407
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1408#if defined(MBEDTLS_USE_PSA_CRYPTO)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1409static size_t opaque_get_bitlen(mbedtls_pk_context *pk)
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1410{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1411 size_t bits;
1412 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1413
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1414 if (PSA_SUCCESS != psa_get_key_attributes(pk->priv_id, &attributes)) {
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1415 return 0;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1416 }
1417
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1418 bits = psa_get_key_bits(&attributes);
1419 psa_reset_key_attributes(&attributes);
1420 return bits;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1421}
1422
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1423#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
1424static int ecdsa_opaque_can_do(mbedtls_pk_type_t type)
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1425{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1426 return type == MBEDTLS_PK_ECKEY ||
1427 type == MBEDTLS_PK_ECDSA;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1428}
1429
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1430const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info = {
1431 .type = MBEDTLS_PK_OPAQUE,
1432 .name = "Opaque",
1433 .get_bitlen = opaque_get_bitlen,
1434 .can_do = ecdsa_opaque_can_do,
1435#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
1436 .verify_func = ecdsa_opaque_verify_wrap,
1437#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1438 .verify_func = NULL,
1439#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
1440#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
1441 .sign_func = ecdsa_opaque_sign_wrap,
1442#else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1443 .sign_func = NULL,
1444#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
1445#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1446 .verify_rs_func = NULL,
1447 .sign_rs_func = NULL,
1448 .rs_alloc_func = NULL,
1449 .rs_free_func = NULL,
1450#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1451 .decrypt_func = NULL,
1452 .encrypt_func = NULL,
1453 .check_pair_func = ecdsa_opaque_check_pair_wrap,
1454 .ctx_alloc_func = NULL,
1455 .ctx_free_func = NULL,
1456 .debug_func = NULL,
1457};
1458#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
1459
1460static int rsa_opaque_can_do(mbedtls_pk_type_t type)
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1461{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1462 return type == MBEDTLS_PK_RSA ||
1463 type == MBEDTLS_PK_RSASSA_PSS;
1464}
1465
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1466#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
1467static int rsa_opaque_decrypt(mbedtls_pk_context *pk,
1468 const unsigned char *input, size_t ilen,
1469 unsigned char *output, size_t *olen, size_t osize,
1470 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1471{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1472 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1473 psa_algorithm_t alg;
1474 psa_key_type_t type;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1475 psa_status_t status;
1476
1477 /* PSA has its own RNG */
1478 (void) f_rng;
1479 (void) p_rng;
1480
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1481 status = psa_get_key_attributes(pk->priv_id, &attributes);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1482 if (status != PSA_SUCCESS) {
1483 return PSA_PK_TO_MBEDTLS_ERR(status);
1484 }
1485
1486 type = psa_get_key_type(&attributes);
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1487 alg = psa_get_key_algorithm(&attributes);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1488 psa_reset_key_attributes(&attributes);
1489
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1490 if (!PSA_KEY_TYPE_IS_RSA(type)) {
1491 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1492 }
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1493
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1494 status = psa_asymmetric_decrypt(pk->priv_id, alg, input, ilen, NULL, 0, output, osize, olen);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1495 if (status != PSA_SUCCESS) {
1496 return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
1497 }
1498
1499 return 0;
1500}
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1501#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1502
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1503static int rsa_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
1504 const unsigned char *hash, size_t hash_len,
1505 unsigned char *sig, size_t sig_size, size_t *sig_len,
1506 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
1507{
1508#if defined(MBEDTLS_RSA_C)
1509 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1510 psa_algorithm_t alg;
1511 psa_key_type_t type;
1512 psa_status_t status;
1513
1514 /* PSA has its own RNG */
1515 (void) f_rng;
1516 (void) p_rng;
1517
1518 status = psa_get_key_attributes(pk->priv_id, &attributes);
1519 if (status != PSA_SUCCESS) {
1520 return PSA_PK_TO_MBEDTLS_ERR(status);
1521 }
1522
1523 type = psa_get_key_type(&attributes);
1524 alg = psa_get_key_algorithm(&attributes);
1525 psa_reset_key_attributes(&attributes);
1526
1527 if (PSA_KEY_TYPE_IS_RSA(type)) {
1528 alg = (alg & ~PSA_ALG_HASH_MASK) | mbedtls_md_psa_alg_from_type(md_alg);
1529 } else {
1530 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1531 }
1532
1533 status = psa_sign_hash(pk->priv_id, alg, hash, hash_len, sig, sig_size, sig_len);
1534 if (status != PSA_SUCCESS) {
1535 if (PSA_KEY_TYPE_IS_RSA(type)) {
1536 return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
1537 } else {
1538 return PSA_PK_TO_MBEDTLS_ERR(status);
1539 }
1540 }
1541
1542 return 0;
1543#else /* !MBEDTLS_RSA_C */
1544 ((void) pk);
1545 ((void) md_alg);
1546 ((void) hash);
1547 ((void) hash_len);
1548 ((void) sig);
1549 ((void) sig_size);
1550 ((void) sig_len);
1551 ((void) f_rng);
1552 ((void) p_rng);
1553 return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1554#endif /* !MBEDTLS_RSA_C */
1555}
1556
1557const mbedtls_pk_info_t mbedtls_rsa_opaque_info = {
1558 .type = MBEDTLS_PK_OPAQUE,
1559 .name = "Opaque",
1560 .get_bitlen = opaque_get_bitlen,
1561 .can_do = rsa_opaque_can_do,
1562 .verify_func = NULL,
1563 .sign_func = rsa_opaque_sign_wrap,
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1564#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]1565 .verify_rs_func = NULL,
1566 .sign_rs_func = NULL,
1567 .rs_alloc_func = NULL,
1568 .rs_free_func = NULL,
1569#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
1570#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
1571 .decrypt_func = rsa_opaque_decrypt,
1572#else /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1573 .decrypt_func = NULL,
1574#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
1575 .encrypt_func = NULL,
1576 .check_pair_func = NULL,
1577 .ctx_alloc_func = NULL,
1578 .ctx_free_func = NULL,
1579 .debug_func = NULL,
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]1580};
1581
1582#endif /* MBEDTLS_USE_PSA_CRYPTO */
1583
Jens Wiklander817466c2018-05-22 13:49:31 +0200[diff] [blame]1584#endif /* MBEDTLS_PK_C */