blob: ef08eb7b05bd4f0ff59d236c6838282703dc973c [file] [log] [blame]
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001/*
2 * Public Key abstraction layer
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +02004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02005 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +020018 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +000019 * This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +020020 */
21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020022#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000023#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020024#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020025#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020026#endif
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +020027
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020028#if defined(MBEDTLS_PK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000029#include "mbedtls/pk.h"
Manuel Pégourié-Gonnard50518f42015-05-26 11:04:15 +020030#include "mbedtls/pk_internal.h"
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +020031
Manuel Pégourié-Gonnard8cd28892019-09-19 10:45:14 +020032#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000033#include "mbedtls/rsa.h"
Manuel Pégourié-Gonnard81c313c2013-07-09 10:35:54 +020034#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020035#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000036#include "mbedtls/ecp.h"
Manuel Pégourié-Gonnard81c313c2013-07-09 10:35:54 +020037#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020038#if defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000039#include "mbedtls/ecdsa.h"
Manuel Pégourié-Gonnard7c5819e2013-07-10 12:29:57 +020040#endif
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +020041#if defined(MBEDTLS_USE_TINYCRYPT)
42#include "tinycrypt/ecc.h"
43#include "tinycrypt/ecc_dsa.h"
44#include "mbedtls/asn1.h"
45#include "mbedtls/asn1write.h"
46#endif /* MBEDTLS_USE_TINYCRYPT */
47
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +020048#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +020049
50#if defined(MBEDTLS_PLATFORM_C)
51#include "mbedtls/platform.h"
52#else
53#include <stdlib.h>
54#define mbedtls_calloc calloc
55#define mbedtls_free free
56#endif
57
Manuel Pégourié-Gonnard8cd28892019-09-19 10:45:14 +020058#include <string.h>
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +020059#include <limits.h>
60#include <stdint.h>
61
Manuel Pégourié-Gonnard8cd28892019-09-19 10:45:14 +020062/* Parameter validation macros based on platform_util.h */
63#define PK_VALIDATE_RET( cond ) \
64 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
65#define PK_VALIDATE( cond ) \
66 MBEDTLS_INTERNAL_VALIDATE( cond )
67
68/*
69 * Internal wrappers around RSA functions
70 */
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +020071#if defined(MBEDTLS_RSA_C)
72static int rsa_can_do( mbedtls_pk_type_t type )
73{
74 return( type == MBEDTLS_PK_RSA ||
75 type == MBEDTLS_PK_RSASSA_PSS );
76}
77
78static size_t rsa_get_bitlen( const void *ctx )
79{
80 const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx;
81 return( 8 * mbedtls_rsa_get_len( rsa ) );
82}
83
84static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
85 const unsigned char *hash, size_t hash_len,
86 const unsigned char *sig, size_t sig_len )
87{
88 int ret;
89 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
90 size_t rsa_len = mbedtls_rsa_get_len( rsa );
91
92#if SIZE_MAX > UINT_MAX
93 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
94 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
95#endif /* SIZE_MAX > UINT_MAX */
96
97 if( sig_len < rsa_len )
98 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
99
100 if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL,
101 MBEDTLS_RSA_PUBLIC, md_alg,
102 (unsigned int) hash_len, hash, sig ) ) != 0 )
103 return( ret );
104
105 /* The buffer contains a valid signature followed by extra data.
106 * We have a special error code for that so that so that callers can
107 * use mbedtls_pk_verify() to check "Does the buffer start with a
108 * valid signature?" and not just "Does the buffer contain a valid
109 * signature?". */
110 if( sig_len > rsa_len )
111 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
112
113 return( 0 );
114}
115
116static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
117 const unsigned char *hash, size_t hash_len,
118 unsigned char *sig, size_t *sig_len,
119 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
120{
121 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
122
123#if SIZE_MAX > UINT_MAX
124 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
125 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
126#endif /* SIZE_MAX > UINT_MAX */
127
128 *sig_len = mbedtls_rsa_get_len( rsa );
129
130 return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
131 md_alg, (unsigned int) hash_len, hash, sig ) );
132}
133
134static int rsa_decrypt_wrap( void *ctx,
135 const unsigned char *input, size_t ilen,
136 unsigned char *output, size_t *olen, size_t osize,
137 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
138{
139 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
140
141 if( ilen != mbedtls_rsa_get_len( rsa ) )
142 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
143
144 return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng,
145 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
146}
147
148static int rsa_encrypt_wrap( void *ctx,
149 const unsigned char *input, size_t ilen,
150 unsigned char *output, size_t *olen, size_t osize,
151 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
152{
153 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
154 *olen = mbedtls_rsa_get_len( rsa );
155
156 if( *olen > osize )
157 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
158
159 return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC,
160 ilen, input, output ) );
161}
162
163static int rsa_check_pair_wrap( const void *pub, const void *prv )
164{
165 return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub,
166 (const mbedtls_rsa_context *) prv ) );
167}
168
169static void *rsa_alloc_wrap( void )
170{
171 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) );
172
173 if( ctx != NULL )
174 mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 );
175
176 return( ctx );
177}
178
179static void rsa_free_wrap( void *ctx )
180{
181 mbedtls_rsa_free( (mbedtls_rsa_context *) ctx );
182 mbedtls_free( ctx );
183}
184
185static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items )
186{
187 items->type = MBEDTLS_PK_DEBUG_MPI;
188 items->name = "rsa.N";
189 items->value = &( ((mbedtls_rsa_context *) ctx)->N );
190
191 items++;
192
193 items->type = MBEDTLS_PK_DEBUG_MPI;
194 items->name = "rsa.E";
195 items->value = &( ((mbedtls_rsa_context *) ctx)->E );
196}
197
198const mbedtls_pk_info_t mbedtls_rsa_info = {
199 MBEDTLS_PK_RSA,
200 "RSA",
201 rsa_get_bitlen,
202 rsa_can_do,
203 rsa_verify_wrap,
204 rsa_sign_wrap,
205#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
206 NULL,
207 NULL,
208#endif
209 rsa_decrypt_wrap,
210 rsa_encrypt_wrap,
211 rsa_check_pair_wrap,
212 rsa_alloc_wrap,
213 rsa_free_wrap,
214#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
215 NULL,
216 NULL,
217#endif
218 rsa_debug,
219};
220#endif /* MBEDTLS_RSA_C */
221
Manuel Pégourié-Gonnard8cd28892019-09-19 10:45:14 +0200222/*
223 * Internal wrappers around ECC functions - based on ECP module
224 */
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +0200225#if defined(MBEDTLS_ECP_C)
226/*
227 * Generic EC key
228 */
229static int eckey_can_do( mbedtls_pk_type_t type )
230{
231 return( type == MBEDTLS_PK_ECKEY ||
232 type == MBEDTLS_PK_ECKEY_DH ||
233 type == MBEDTLS_PK_ECDSA );
234}
235
236static size_t eckey_get_bitlen( const void *ctx )
237{
238 return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits );
239}
240
241#if defined(MBEDTLS_ECDSA_C)
242/* Forward declarations */
243static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
244 const unsigned char *hash, size_t hash_len,
245 const unsigned char *sig, size_t sig_len );
246
247static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
248 const unsigned char *hash, size_t hash_len,
249 unsigned char *sig, size_t *sig_len,
250 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
251
252static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
253 const unsigned char *hash, size_t hash_len,
254 const unsigned char *sig, size_t sig_len )
255{
256 int ret;
257 mbedtls_ecdsa_context ecdsa;
258
259 mbedtls_ecdsa_init( &ecdsa );
260
261 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
262 ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len );
263
264 mbedtls_ecdsa_free( &ecdsa );
265
266 return( ret );
267}
268
269static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
270 const unsigned char *hash, size_t hash_len,
271 unsigned char *sig, size_t *sig_len,
272 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
273{
274 int ret;
275 mbedtls_ecdsa_context ecdsa;
276
277 mbedtls_ecdsa_init( &ecdsa );
278
279 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
280 ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len,
281 f_rng, p_rng );
282
283 mbedtls_ecdsa_free( &ecdsa );
284
285 return( ret );
286}
287
288#if defined(MBEDTLS_ECP_RESTARTABLE)
289/* Forward declarations */
290static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
291 const unsigned char *hash, size_t hash_len,
292 const unsigned char *sig, size_t sig_len,
293 void *rs_ctx );
294
295static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
296 const unsigned char *hash, size_t hash_len,
297 unsigned char *sig, size_t *sig_len,
298 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
299 void *rs_ctx );
300
301/*
302 * Restart context for ECDSA operations with ECKEY context
303 *
304 * We need to store an actual ECDSA context, as we need to pass the same to
305 * the underlying ecdsa function, so we can't create it on the fly every time.
306 */
307typedef struct
308{
309 mbedtls_ecdsa_restart_ctx ecdsa_rs;
310 mbedtls_ecdsa_context ecdsa_ctx;
311} eckey_restart_ctx;
312
313static void *eckey_rs_alloc( void )
314{
315 eckey_restart_ctx *rs_ctx;
316
317 void *ctx = mbedtls_calloc( 1, sizeof( eckey_restart_ctx ) );
318
319 if( ctx != NULL )
320 {
321 rs_ctx = ctx;
322 mbedtls_ecdsa_restart_init( &rs_ctx->ecdsa_rs );
323 mbedtls_ecdsa_init( &rs_ctx->ecdsa_ctx );
324 }
325
326 return( ctx );
327}
328
329static void eckey_rs_free( void *ctx )
330{
331 eckey_restart_ctx *rs_ctx;
332
333 if( ctx == NULL)
334 return;
335
336 rs_ctx = ctx;
337 mbedtls_ecdsa_restart_free( &rs_ctx->ecdsa_rs );
338 mbedtls_ecdsa_free( &rs_ctx->ecdsa_ctx );
339
340 mbedtls_free( ctx );
341}
342
343static int eckey_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
344 const unsigned char *hash, size_t hash_len,
345 const unsigned char *sig, size_t sig_len,
346 void *rs_ctx )
347{
348 int ret;
349 eckey_restart_ctx *rs = rs_ctx;
350
351 /* Should never happen */
352 if( rs == NULL )
353 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
354
355 /* set up our own sub-context if needed (that is, on first run) */
356 if( rs->ecdsa_ctx.grp.pbits == 0 )
357 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
358
359 MBEDTLS_MPI_CHK( ecdsa_verify_rs_wrap( &rs->ecdsa_ctx,
360 md_alg, hash, hash_len,
361 sig, sig_len, &rs->ecdsa_rs ) );
362
363cleanup:
364 return( ret );
365}
366
367static int eckey_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
368 const unsigned char *hash, size_t hash_len,
369 unsigned char *sig, size_t *sig_len,
370 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
371 void *rs_ctx )
372{
373 int ret;
374 eckey_restart_ctx *rs = rs_ctx;
375
376 /* Should never happen */
377 if( rs == NULL )
378 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
379
380 /* set up our own sub-context if needed (that is, on first run) */
381 if( rs->ecdsa_ctx.grp.pbits == 0 )
382 MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
383
384 MBEDTLS_MPI_CHK( ecdsa_sign_rs_wrap( &rs->ecdsa_ctx, md_alg,
385 hash, hash_len, sig, sig_len,
386 f_rng, p_rng, &rs->ecdsa_rs ) );
387
388cleanup:
389 return( ret );
390}
391#endif /* MBEDTLS_ECP_RESTARTABLE */
392#endif /* MBEDTLS_ECDSA_C */
393
394static int eckey_check_pair( const void *pub, const void *prv )
395{
396 return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub,
397 (const mbedtls_ecp_keypair *) prv ) );
398}
399
400static void *eckey_alloc_wrap( void )
401{
402 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
403
404 if( ctx != NULL )
405 mbedtls_ecp_keypair_init( ctx );
406
407 return( ctx );
408}
409
410static void eckey_free_wrap( void *ctx )
411{
412 mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx );
413 mbedtls_free( ctx );
414}
415
416static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items )
417{
418 items->type = MBEDTLS_PK_DEBUG_ECP;
419 items->name = "eckey.Q";
420 items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q );
421}
422
423const mbedtls_pk_info_t mbedtls_eckey_info = {
424 MBEDTLS_PK_ECKEY,
425 "EC",
426 eckey_get_bitlen,
427 eckey_can_do,
428#if defined(MBEDTLS_ECDSA_C)
429 eckey_verify_wrap,
430 eckey_sign_wrap,
431#if defined(MBEDTLS_ECP_RESTARTABLE)
432 eckey_verify_rs_wrap,
433 eckey_sign_rs_wrap,
434#endif
435#else /* MBEDTLS_ECDSA_C */
436 NULL,
437 NULL,
438#endif /* MBEDTLS_ECDSA_C */
439 NULL,
440 NULL,
441 eckey_check_pair,
442 eckey_alloc_wrap,
443 eckey_free_wrap,
444#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
445 eckey_rs_alloc,
446 eckey_rs_free,
447#endif
448 eckey_debug,
449};
450
451/*
452 * EC key restricted to ECDH
453 */
454static int eckeydh_can_do( mbedtls_pk_type_t type )
455{
456 return( type == MBEDTLS_PK_ECKEY ||
457 type == MBEDTLS_PK_ECKEY_DH );
458}
459
460const mbedtls_pk_info_t mbedtls_eckeydh_info = {
461 MBEDTLS_PK_ECKEY_DH,
462 "EC_DH",
463 eckey_get_bitlen, /* Same underlying key structure */
464 eckeydh_can_do,
465 NULL,
466 NULL,
467#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
468 NULL,
469 NULL,
470#endif
471 NULL,
472 NULL,
473 eckey_check_pair,
474 eckey_alloc_wrap, /* Same underlying key structure */
475 eckey_free_wrap, /* Same underlying key structure */
476#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
477 NULL,
478 NULL,
479#endif
480 eckey_debug, /* Same underlying key structure */
481};
482#endif /* MBEDTLS_ECP_C */
483
Manuel Pégourié-Gonnard8cd28892019-09-19 10:45:14 +0200484/*
485 * Internal wrappers around ECC functions - based on TinyCrypt
486 */
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +0200487#if defined(MBEDTLS_USE_TINYCRYPT)
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +0200488/*
489 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
490 * those integers and convert it to the fixed-length encoding.
491 */
492static int extract_ecdsa_sig_int( unsigned char **from, const unsigned char *end,
493 unsigned char *to, size_t to_len )
494{
495 int ret;
496 size_t unpadded_len, padding_len;
497
498 if( ( ret = mbedtls_asn1_get_tag( from, end, &unpadded_len,
499 MBEDTLS_ASN1_INTEGER ) ) != 0 )
500 {
501 return( ret );
502 }
503
504 while( unpadded_len > 0 && **from == 0x00 )
505 {
506 ( *from )++;
507 unpadded_len--;
508 }
509
510 if( unpadded_len > to_len || unpadded_len == 0 )
511 return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
512
513 padding_len = to_len - unpadded_len;
514 memset( to, 0x00, padding_len );
515 memcpy( to + padding_len, *from, unpadded_len );
516 ( *from ) += unpadded_len;
517
518 return( 0 );
519}
520
521/*
522 * Convert a signature from an ASN.1 sequence of two integers
523 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least
524 * twice as big as int_size.
525 */
526static int extract_ecdsa_sig( unsigned char **p, const unsigned char *end,
527 unsigned char *sig, size_t int_size )
528{
529 int ret;
530 size_t tmp_size;
531
532 if( ( ret = mbedtls_asn1_get_tag( p, end, &tmp_size,
533 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
534 return( ret );
535
536 /* Extract r */
537 if( ( ret = extract_ecdsa_sig_int( p, end, sig, int_size ) ) != 0 )
538 return( ret );
539 /* Extract s */
540 if( ( ret = extract_ecdsa_sig_int( p, end, sig + int_size, int_size ) ) != 0 )
541 return( ret );
542
543 return( 0 );
544}
545
546static size_t uecc_eckey_get_bitlen( const void *ctx )
547{
548 (void) ctx;
549 return( (size_t) ( NUM_ECC_BYTES * 8 ) );
550}
551
552static int uecc_eckey_check_pair( const void *pub, const void *prv )
553{
554 const mbedtls_uecc_keypair *uecc_pub =
555 (const mbedtls_uecc_keypair *) pub;
556 const mbedtls_uecc_keypair *uecc_prv =
557 (const mbedtls_uecc_keypair *) prv;
558
559 if( memcmp( uecc_pub->public_key,
560 uecc_prv->public_key,
561 2 * NUM_ECC_BYTES ) == 0 )
562 {
563 return( 0 );
564 }
565
566 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
567}
568
569static int uecc_eckey_can_do( mbedtls_pk_type_t type )
570{
571 return( type == MBEDTLS_PK_ECDSA ||
572 type == MBEDTLS_PK_ECKEY );
573}
574
575static int uecc_eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
576 const unsigned char *hash, size_t hash_len,
577 const unsigned char *sig, size_t sig_len )
578{
579 int ret;
580 uint8_t signature[2*NUM_ECC_BYTES];
581 unsigned char *p;
582 const struct uECC_Curve_t * uecc_curve = uECC_secp256r1();
583 const mbedtls_uecc_keypair *keypair = (const mbedtls_uecc_keypair *) ctx;
584
585 ((void) md_alg);
586 p = (unsigned char*) sig;
587
588 ret = extract_ecdsa_sig( &p, sig + sig_len, signature, NUM_ECC_BYTES );
589 if( ret != 0 )
590 return( ret );
591
592 ret = uECC_verify( keypair->public_key, hash,
593 (unsigned) hash_len, signature, uecc_curve );
594 if( ret == 0 )
595 return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
596
597 return( 0 );
598}
599
600/*
601 * Simultaneously convert and move raw MPI from the beginning of a buffer
602 * to an ASN.1 MPI at the end of the buffer.
603 * See also mbedtls_asn1_write_mpi().
604 *
605 * p: pointer to the end of the output buffer
606 * start: start of the output buffer, and also of the mpi to write at the end
607 * n_len: length of the mpi to read from start
608 *
609 * Warning:
610 * The total length of the output buffer must be smaller than 128 Bytes.
611 */
612static int asn1_write_mpibuf( unsigned char **p, unsigned char *start,
613 size_t n_len )
614{
615 size_t len = 0;
616
617 if( (size_t)( *p - start ) < n_len )
618 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
619
620 len = n_len;
621 *p -= len;
622 memmove( *p, start, len );
623
624 /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
625 * Neither r nor s should be 0, but as a failsafe measure, still detect
626 * that rather than overflowing the buffer in case of an error. */
627 while( len > 0 && **p == 0x00 )
628 {
629 ++(*p);
630 --len;
631 }
632
633 /* this is only reached if the signature was invalid */
634 if( len == 0 )
635 return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
636
637 /* if the msb is 1, ASN.1 requires that we prepend a 0.
638 * Neither r nor s can be 0, so we can assume len > 0 at all times. */
639 if( **p & 0x80 )
640 {
641 if( *p - start < 1 )
642 return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
643
644 *--(*p) = 0x00;
645 len += 1;
646 }
647
648 /* The ASN.1 length encoding is just a single Byte containing the length,
649 * as we assume that the total buffer length is smaller than 128 Bytes. */
650 *--(*p) = len;
651 *--(*p) = MBEDTLS_ASN1_INTEGER;
652 len += 2;
653
654 return( (int) len );
655}
656
657/* Transcode signature from uECC format to ASN.1 sequence.
658 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of
659 * MPIs, and in-place.
660 *
661 * [in/out] sig: the signature pre- and post-transcoding
662 * [in/out] sig_len: signature length pre- and post-transcoding
663 * [int] buf_len: the available size the in/out buffer
664 *
665 * Warning: buf_len must be smaller than 128 Bytes.
666 */
667static int pk_ecdsa_sig_asn1_from_uecc( unsigned char *sig, size_t *sig_len,
668 size_t buf_len )
669{
670 int ret;
671 size_t len = 0;
672 const size_t rs_len = *sig_len / 2;
673 unsigned char *p = sig + buf_len;
674
675 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig + rs_len, rs_len ) );
676 MBEDTLS_ASN1_CHK_ADD( len, asn1_write_mpibuf( &p, sig, rs_len ) );
677
678 /* The ASN.1 length encoding is just a single Byte containing the length,
679 * as we assume that the total buffer length is smaller than 128 Bytes. */
680 *--p = len;
681 *--p = MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE;
682 len += 2;
683
684 memmove( sig, p, len );
685 *sig_len = len;
686
687 return( 0 );
688}
689
690static int uecc_eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
691 const unsigned char *hash, size_t hash_len,
692 unsigned char *sig, size_t *sig_len,
693 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
694{
695 const mbedtls_uecc_keypair *keypair = (const mbedtls_uecc_keypair *) ctx;
696 const struct uECC_Curve_t * uecc_curve = uECC_secp256r1();
697 int ret;
698
699 /*
700 * RFC-4492 page 20:
701 *
702 * Ecdsa-Sig-Value ::= SEQUENCE {
703 * r INTEGER,
704 * s INTEGER
705 * }
706 *
707 * Size is at most
708 * 1 (tag) + 1 (len) + 1 (initial 0) + NUM_ECC_BYTES for each of r and s,
709 * twice that + 1 (tag) + 2 (len) for the sequence
710 *
711 * (The ASN.1 length encodings are all 1-Byte encodings because
712 * the total size is smaller than 128 Bytes).
713 */
714 #define MAX_SECP256R1_ECDSA_SIG_LEN ( 3 + 2 * ( 3 + NUM_ECC_BYTES ) )
715
716 ret = uECC_sign( keypair->private_key, hash, hash_len, sig, uecc_curve );
717 /* TinyCrypt uses 0 to signal errors. */
718 if( ret == 0 )
719 return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
720
721 *sig_len = 2 * NUM_ECC_BYTES;
722
723 /* uECC owns its rng function pointer */
724 (void) f_rng;
725 (void) p_rng;
726 (void) md_alg;
727
728 return( pk_ecdsa_sig_asn1_from_uecc( sig, sig_len,
729 MAX_SECP256R1_ECDSA_SIG_LEN ) );
730
731 #undef MAX_SECP256R1_ECDSA_SIG_LEN
732}
733
734static void *uecc_eckey_alloc_wrap( void )
735{
736 return( mbedtls_calloc( 1, sizeof( mbedtls_uecc_keypair ) ) );
737}
738
739static void uecc_eckey_free_wrap( void *ctx )
740{
741 if( ctx == NULL )
742 return;
743
744 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_uecc_keypair ) );
745 mbedtls_free( ctx );
746}
747
748const mbedtls_pk_info_t mbedtls_uecc_eckey_info =
749 MBEDTLS_PK_INFO( MBEDTLS_PK_INFO_ECKEY );
750#endif /* MBEDTLS_USE_TINYCRYPT */
751
Manuel Pégourié-Gonnard8cd28892019-09-19 10:45:14 +0200752/*
753 * Internal wrappers around ECDSA functions
754 */
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +0200755#if defined(MBEDTLS_ECDSA_C)
756static int ecdsa_can_do( mbedtls_pk_type_t type )
757{
758 return( type == MBEDTLS_PK_ECDSA );
759}
760
761static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
762 const unsigned char *hash, size_t hash_len,
763 const unsigned char *sig, size_t sig_len )
764{
765 int ret;
766 ((void) md_alg);
767
768 ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx,
769 hash, hash_len, sig, sig_len );
770
771 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
772 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
773
774 return( ret );
775}
776
777static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
778 const unsigned char *hash, size_t hash_len,
779 unsigned char *sig, size_t *sig_len,
780 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
781{
782 return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx,
783 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) );
784}
785
786#if defined(MBEDTLS_ECP_RESTARTABLE)
787static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
788 const unsigned char *hash, size_t hash_len,
789 const unsigned char *sig, size_t sig_len,
790 void *rs_ctx )
791{
792 int ret;
793 ((void) md_alg);
794
795 ret = mbedtls_ecdsa_read_signature_restartable(
796 (mbedtls_ecdsa_context *) ctx,
797 hash, hash_len, sig, sig_len,
798 (mbedtls_ecdsa_restart_ctx *) rs_ctx );
799
800 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
801 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
802
803 return( ret );
804}
805
806static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
807 const unsigned char *hash, size_t hash_len,
808 unsigned char *sig, size_t *sig_len,
809 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
810 void *rs_ctx )
811{
812 return( mbedtls_ecdsa_write_signature_restartable(
813 (mbedtls_ecdsa_context *) ctx,
814 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng,
815 (mbedtls_ecdsa_restart_ctx *) rs_ctx ) );
816
817}
818#endif /* MBEDTLS_ECP_RESTARTABLE */
819
820static void *ecdsa_alloc_wrap( void )
821{
822 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) );
823
824 if( ctx != NULL )
825 mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx );
826
827 return( ctx );
828}
829
830static void ecdsa_free_wrap( void *ctx )
831{
832 mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx );
833 mbedtls_free( ctx );
834}
835
836#if defined(MBEDTLS_ECP_RESTARTABLE)
837static void *ecdsa_rs_alloc( void )
838{
839 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_restart_ctx ) );
840
841 if( ctx != NULL )
842 mbedtls_ecdsa_restart_init( ctx );
843
844 return( ctx );
845}
846
847static void ecdsa_rs_free( void *ctx )
848{
849 mbedtls_ecdsa_restart_free( ctx );
850 mbedtls_free( ctx );
851}
852#endif /* MBEDTLS_ECP_RESTARTABLE */
853
854const mbedtls_pk_info_t mbedtls_ecdsa_info = {
855 MBEDTLS_PK_ECDSA,
856 "ECDSA",
857 eckey_get_bitlen, /* Compatible key structures */
858 ecdsa_can_do,
859 ecdsa_verify_wrap,
860 ecdsa_sign_wrap,
861#if defined(MBEDTLS_ECP_RESTARTABLE)
862 ecdsa_verify_rs_wrap,
863 ecdsa_sign_rs_wrap,
864#endif
865 NULL,
866 NULL,
867 eckey_check_pair, /* Compatible key structures */
868 ecdsa_alloc_wrap,
869 ecdsa_free_wrap,
870#if defined(MBEDTLS_ECP_RESTARTABLE)
871 ecdsa_rs_alloc,
872 ecdsa_rs_free,
873#endif
874 eckey_debug, /* Compatible key structures */
875};
876#endif /* MBEDTLS_ECDSA_C */
877
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +0200878/*
Manuel Pégourié-Gonnard8cd28892019-09-19 10:45:14 +0200879 * Internal wrappers for RSA-alt support
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +0200880 */
Manuel Pégourié-Gonnard8cd28892019-09-19 10:45:14 +0200881#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +0200882static int rsa_alt_can_do( mbedtls_pk_type_t type )
883{
884 return( type == MBEDTLS_PK_RSA );
885}
886
887static size_t rsa_alt_get_bitlen( const void *ctx )
888{
889 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
890
891 return( 8 * rsa_alt->key_len_func( rsa_alt->key ) );
892}
893
894static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
895 const unsigned char *hash, size_t hash_len,
896 unsigned char *sig, size_t *sig_len,
897 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
898{
899 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
900
901#if SIZE_MAX > UINT_MAX
902 if( UINT_MAX < hash_len )
903 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
904#endif /* SIZE_MAX > UINT_MAX */
905
906 *sig_len = rsa_alt->key_len_func( rsa_alt->key );
907
908 return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
909 md_alg, (unsigned int) hash_len, hash, sig ) );
910}
911
912static int rsa_alt_decrypt_wrap( void *ctx,
913 const unsigned char *input, size_t ilen,
914 unsigned char *output, size_t *olen, size_t osize,
915 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
916{
917 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
918
919 ((void) f_rng);
920 ((void) p_rng);
921
922 if( ilen != rsa_alt->key_len_func( rsa_alt->key ) )
923 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
924
925 return( rsa_alt->decrypt_func( rsa_alt->key,
926 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
927}
928
929#if defined(MBEDTLS_RSA_C)
930static int rsa_alt_check_pair( const void *pub, const void *prv )
931{
932 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
933 unsigned char hash[32];
934 size_t sig_len = 0;
935 int ret;
936
937 if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) )
938 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
939
940 memset( hash, 0x2a, sizeof( hash ) );
941
942 if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE,
943 hash, sizeof( hash ),
944 sig, &sig_len, NULL, NULL ) ) != 0 )
945 {
946 return( ret );
947 }
948
949 if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE,
950 hash, sizeof( hash ), sig, sig_len ) != 0 )
951 {
952 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
953 }
954
955 return( 0 );
956}
957#endif /* MBEDTLS_RSA_C */
958
959static void *rsa_alt_alloc_wrap( void )
960{
961 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) );
962
963 if( ctx != NULL )
964 memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) );
965
966 return( ctx );
967}
968
969static void rsa_alt_free_wrap( void *ctx )
970{
971 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) );
972 mbedtls_free( ctx );
973}
974
975const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
976 MBEDTLS_PK_RSA_ALT,
977 "RSA-alt",
978 rsa_alt_get_bitlen,
979 rsa_alt_can_do,
980 NULL,
981 rsa_alt_sign_wrap,
982#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
983 NULL,
984 NULL,
985#endif
986 rsa_alt_decrypt_wrap,
987 NULL,
988#if defined(MBEDTLS_RSA_C)
989 rsa_alt_check_pair,
990#else
991 NULL,
992#endif
993 rsa_alt_alloc_wrap,
994 rsa_alt_free_wrap,
995#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
996 NULL,
997 NULL,
998#endif
999 NULL,
1000};
Manuel Pégourié-Gonnard4ed179f2019-09-19 10:45:14 +02001001#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
1002
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001003/*
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001004 * Access to members of the pk_info structure. These are meant to be replaced
1005 * by zero-runtime-cost accessors when a single PK type is hardcoded.
1006 *
1007 * For function members, don't make a getter, but a function that directly
1008 * calls the method, so that we can entirely get rid of function pointers
1009 * when hardcoding a single PK - some compilers optimize better that way.
1010 *
1011 * Not implemented for members that are only present in builds with
1012 * MBEDTLS_ECP_RESTARTABLE for now, as the main target for hardcoded is builds
1013 * with MBEDTLS_USE_TINYCRYPT, which don't have MBEDTLS_ECP_RESTARTABLE.
1014 */
1015
1016MBEDTLS_ALWAYS_INLINE static inline mbedtls_pk_type_t pk_info_type(
1017 const mbedtls_pk_info_t *info )
1018{
1019 return( info->type );
1020}
1021
1022MBEDTLS_ALWAYS_INLINE static inline const char * pk_info_name(
1023 const mbedtls_pk_info_t *info )
1024{
1025 return( info->name );
1026}
1027
1028MBEDTLS_ALWAYS_INLINE static inline size_t pk_info_get_bitlen(
1029 const mbedtls_pk_info_t *info, const void *ctx )
1030{
1031 return( info->get_bitlen( ctx ) );
1032}
1033
1034MBEDTLS_ALWAYS_INLINE static inline int pk_info_can_do(
1035 const mbedtls_pk_info_t *info, mbedtls_pk_type_t type )
1036{
1037 return( info->can_do( type ) );
1038}
1039
1040MBEDTLS_ALWAYS_INLINE static inline int pk_info_verify_func(
1041 const mbedtls_pk_info_t *info, void *ctx, mbedtls_md_type_t md_alg,
1042 const unsigned char *hash, size_t hash_len,
1043 const unsigned char *sig, size_t sig_len )
1044{
Manuel Pégourié-Gonnard57d96cd2019-09-19 10:45:14 +02001045 if( info->verify_func == NULL )
1046 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
1047
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001048 return( info->verify_func( ctx, md_alg, hash, hash_len, sig, sig_len ) );
1049}
1050
1051MBEDTLS_ALWAYS_INLINE static inline int pk_info_sign_func(
1052 const mbedtls_pk_info_t *info, void *ctx, mbedtls_md_type_t md_alg,
1053 const unsigned char *hash, size_t hash_len,
1054 unsigned char *sig, size_t *sig_len,
1055 int (*f_rng)(void *, unsigned char *, size_t),
1056 void *p_rng )
1057{
Manuel Pégourié-Gonnard57d96cd2019-09-19 10:45:14 +02001058 if( info->sign_func == NULL )
1059 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
1060
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001061 return( info->sign_func( ctx, md_alg, hash, hash_len, sig, sig_len,
1062 f_rng, p_rng ) );
1063}
1064
1065MBEDTLS_ALWAYS_INLINE static inline int pk_info_decrypt_func(
1066 const mbedtls_pk_info_t *info, void *ctx,
1067 const unsigned char *input, size_t ilen,
1068 unsigned char *output, size_t *olen, size_t osize,
1069 int (*f_rng)(void *, unsigned char *, size_t),
1070 void *p_rng )
1071{
Manuel Pégourié-Gonnard57d96cd2019-09-19 10:45:14 +02001072 if( info->decrypt_func == NULL )
1073 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
1074
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001075 return( info->decrypt_func( ctx, input, ilen, output, olen, osize,
1076 f_rng, p_rng ) );
1077}
1078
1079MBEDTLS_ALWAYS_INLINE static inline int pk_info_encrypt_func(
1080 const mbedtls_pk_info_t *info, void *ctx,
1081 const unsigned char *input, size_t ilen,
1082 unsigned char *output, size_t *olen, size_t osize,
1083 int (*f_rng)(void *, unsigned char *, size_t),
1084 void *p_rng )
1085{
Manuel Pégourié-Gonnard57d96cd2019-09-19 10:45:14 +02001086 if( info->encrypt_func == NULL )
1087 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
1088
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001089 return( info->encrypt_func( ctx, input, ilen, output, olen, osize,
1090 f_rng, p_rng ) );
1091}
1092
1093MBEDTLS_ALWAYS_INLINE static inline int pk_info_check_pair_func(
1094 const mbedtls_pk_info_t *info, const void *pub, const void *prv )
1095{
Manuel Pégourié-Gonnard57d96cd2019-09-19 10:45:14 +02001096 if( info->check_pair_func == NULL )
1097 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
1098
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001099 return( info->check_pair_func( pub, prv ) );
1100}
1101
1102MBEDTLS_ALWAYS_INLINE static inline void *pk_info_ctx_alloc_func(
1103 const mbedtls_pk_info_t *info )
1104{
1105 return( info->ctx_alloc_func( ) );
1106}
1107
1108MBEDTLS_ALWAYS_INLINE static inline void pk_info_ctx_free_func(
1109 const mbedtls_pk_info_t *info, void *ctx )
1110{
1111 info->ctx_free_func( ctx );
1112}
1113
Manuel Pégourié-Gonnard57d96cd2019-09-19 10:45:14 +02001114MBEDTLS_ALWAYS_INLINE static inline int pk_info_debug_func(
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001115 const mbedtls_pk_info_t *info,
1116 const void *ctx, mbedtls_pk_debug_item *items )
1117{
Manuel Pégourié-Gonnard57d96cd2019-09-19 10:45:14 +02001118 if( info->debug_func == NULL )
1119 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
1120
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001121 info->debug_func( ctx, items );
Manuel Pégourié-Gonnard57d96cd2019-09-19 10:45:14 +02001122 return( 0 );
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001123}
1124
1125/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001126 * Initialise a mbedtls_pk_context
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001127 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001128void mbedtls_pk_init( mbedtls_pk_context *ctx )
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001129{
Gilles Peskinee97dc602018-12-19 00:51:38 +01001130 PK_VALIDATE( ctx != NULL );
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001131
Manuel Pégourié-Gonnard3fb5c5e2013-08-14 18:26:41 +02001132 ctx->pk_info = NULL;
1133 ctx->pk_ctx = NULL;
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001134}
1135
1136/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001137 * Free (the components of) a mbedtls_pk_context
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001138 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001139void mbedtls_pk_free( mbedtls_pk_context *ctx )
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001140{
irwir2239a862018-06-12 18:25:09 +03001141 if( ctx == NULL )
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001142 return;
1143
irwir2239a862018-06-12 18:25:09 +03001144 if ( ctx->pk_info != NULL )
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001145 pk_info_ctx_free_func( ctx->pk_info, ctx->pk_ctx );
Manuel Pégourié-Gonnard1f73a652013-07-09 10:26:41 +02001146
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05001147 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_pk_context ) );
Manuel Pégourié-Gonnard765db072013-08-14 15:00:27 +02001148}
1149
Manuel Pégourié-Gonnardaaa98142017-08-18 17:30:37 +02001150#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +02001151/*
1152 * Initialize a restart context
1153 */
1154void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx )
1155{
Gilles Peskinee97dc602018-12-19 00:51:38 +01001156 PK_VALIDATE( ctx != NULL );
Manuel Pégourié-Gonnard0bbc66c2017-08-18 16:22:06 +02001157 ctx->pk_info = NULL;
1158 ctx->rs_ctx = NULL;
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +02001159}
1160
1161/*
1162 * Free the components of a restart context
1163 */
1164void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx )
1165{
Gilles Peskine1f19fa62018-12-19 14:18:39 +01001166 if( ctx == NULL || ctx->pk_info == NULL ||
Manuel Pégourié-Gonnard0bbc66c2017-08-18 16:22:06 +02001167 ctx->pk_info->rs_free_func == NULL )
1168 {
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +02001169 return;
Manuel Pégourié-Gonnard0bbc66c2017-08-18 16:22:06 +02001170 }
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +02001171
Manuel Pégourié-Gonnard0bbc66c2017-08-18 16:22:06 +02001172 ctx->pk_info->rs_free_func( ctx->rs_ctx );
1173
1174 ctx->pk_info = NULL;
1175 ctx->rs_ctx = NULL;
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +02001176}
Manuel Pégourié-Gonnardaaa98142017-08-18 17:30:37 +02001177#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +02001178
Manuel Pégourié-Gonnard765db072013-08-14 15:00:27 +02001179/*
1180 * Get pk_info structure from type
1181 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001182const mbedtls_pk_info_t * mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type )
Manuel Pégourié-Gonnard765db072013-08-14 15:00:27 +02001183{
1184 switch( pk_type ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001185#if defined(MBEDTLS_RSA_C)
1186 case MBEDTLS_PK_RSA:
1187 return( &mbedtls_rsa_info );
Manuel Pégourié-Gonnard765db072013-08-14 15:00:27 +02001188#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001189#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001190 case MBEDTLS_PK_ECKEY_DH:
1191 return( &mbedtls_eckeydh_info );
Manuel Pégourié-Gonnard765db072013-08-14 15:00:27 +02001192#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001193#if defined(MBEDTLS_ECDSA_C)
1194 case MBEDTLS_PK_ECDSA:
1195 return( &mbedtls_ecdsa_info );
Manuel Pégourié-Gonnard765db072013-08-14 15:00:27 +02001196#endif
Hanno Beckeradf11e12019-08-21 13:03:44 +01001197#if defined(MBEDTLS_USE_TINYCRYPT)
1198 case MBEDTLS_PK_ECKEY:
1199 return( &mbedtls_uecc_eckey_info );
1200#else /* MBEDTLS_USE_TINYCRYPT */
1201#if defined(MBEDTLS_ECP_C)
1202 case MBEDTLS_PK_ECKEY:
1203 return( &mbedtls_eckey_info );
1204#endif
Jarno Lamsa42b83db2019-04-16 16:48:22 +03001205#endif /* MBEDTLS_USE_TINYCRYPT */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001206 /* MBEDTLS_PK_RSA_ALT omitted on purpose */
Manuel Pégourié-Gonnard765db072013-08-14 15:00:27 +02001207 default:
Paul Bakkerd8bb8262014-06-17 14:06:49 +02001208 return( NULL );
Manuel Pégourié-Gonnard765db072013-08-14 15:00:27 +02001209 }
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001210}
1211
1212/*
Manuel Pégourié-Gonnardab466942013-08-15 11:30:27 +02001213 * Initialise context
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001214 */
Manuel Pégourié-Gonnardd9e6a3a2015-05-14 19:41:36 +02001215int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001216{
Gilles Peskinee97dc602018-12-19 00:51:38 +01001217 PK_VALIDATE_RET( ctx != NULL );
1218 if( info == NULL || ctx->pk_info != NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001219 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001220
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001221 if( ( ctx->pk_ctx = pk_info_ctx_alloc_func( info ) ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02001222 return( MBEDTLS_ERR_PK_ALLOC_FAILED );
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001223
Manuel Pégourié-Gonnard3fb5c5e2013-08-14 18:26:41 +02001224 ctx->pk_info = info;
Manuel Pégourié-Gonnard12e0ed92013-07-04 13:31:32 +02001225
1226 return( 0 );
1227}
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001228
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001229#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
Manuel Pégourié-Gonnardb4fae572014-01-20 11:22:25 +01001230/*
Manuel Pégourié-Gonnard12c1ff02013-08-21 12:28:31 +02001231 * Initialize an RSA-alt context
1232 */
Manuel Pégourié-Gonnardd9e6a3a2015-05-14 19:41:36 +02001233int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001234 mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
1235 mbedtls_pk_rsa_alt_sign_func sign_func,
1236 mbedtls_pk_rsa_alt_key_len_func key_len_func )
Manuel Pégourié-Gonnard12c1ff02013-08-21 12:28:31 +02001237{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001238 mbedtls_rsa_alt_context *rsa_alt;
1239 const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
Manuel Pégourié-Gonnard12c1ff02013-08-21 12:28:31 +02001240
Gilles Peskinee97dc602018-12-19 00:51:38 +01001241 PK_VALIDATE_RET( ctx != NULL );
1242 if( ctx->pk_info != NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001243 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard12c1ff02013-08-21 12:28:31 +02001244
1245 if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02001246 return( MBEDTLS_ERR_PK_ALLOC_FAILED );
Manuel Pégourié-Gonnard12c1ff02013-08-21 12:28:31 +02001247
1248 ctx->pk_info = info;
1249
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001250 rsa_alt = (mbedtls_rsa_alt_context *) ctx->pk_ctx;
Manuel Pégourié-Gonnard12c1ff02013-08-21 12:28:31 +02001251
1252 rsa_alt->key = key;
1253 rsa_alt->decrypt_func = decrypt_func;
1254 rsa_alt->sign_func = sign_func;
1255 rsa_alt->key_len_func = key_len_func;
1256
1257 return( 0 );
1258}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001259#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
Manuel Pégourié-Gonnard12c1ff02013-08-21 12:28:31 +02001260
1261/*
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001262 * Tell if a PK can do the operations of the given type
1263 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001264int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type )
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001265{
Gilles Peskine6af45ec2018-12-19 17:52:05 +01001266 /* A context with null pk_info is not set up yet and can't do anything.
1267 * For backward compatibility, also accept NULL instead of a context
1268 * pointer. */
Manuel Pégourié-Gonnard3fb5c5e2013-08-14 18:26:41 +02001269 if( ctx == NULL || ctx->pk_info == NULL )
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001270 return( 0 );
1271
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001272 return( pk_info_can_do( ctx->pk_info, type ) );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001273}
1274
1275/*
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001276 * Helper for mbedtls_pk_sign and mbedtls_pk_verify
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02001277 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001278static inline int pk_hashlen_helper( mbedtls_md_type_t md_alg, size_t *hash_len )
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02001279{
Hanno Beckera5cedbc2019-07-17 11:21:02 +01001280 mbedtls_md_handle_t md_info;
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02001281
1282 if( *hash_len != 0 )
1283 return( 0 );
1284
Hanno Beckera5cedbc2019-07-17 11:21:02 +01001285 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) ==
1286 MBEDTLS_MD_INVALID_HANDLE )
1287 {
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02001288 return( -1 );
Hanno Beckera5cedbc2019-07-17 11:21:02 +01001289 }
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02001290
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001291 *hash_len = mbedtls_md_get_size( md_info );
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02001292 return( 0 );
1293}
1294
Manuel Pégourié-Gonnardaaa98142017-08-18 17:30:37 +02001295#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Manuel Pégourié-Gonnard0bbc66c2017-08-18 16:22:06 +02001296/*
1297 * Helper to set up a restart context if needed
1298 */
1299static int pk_restart_setup( mbedtls_pk_restart_ctx *ctx,
Manuel Pégourié-Gonnardee68cff2018-10-15 15:27:49 +02001300 const mbedtls_pk_info_t *info )
Manuel Pégourié-Gonnard0bbc66c2017-08-18 16:22:06 +02001301{
Manuel Pégourié-Gonnardc8c12b62018-07-02 13:09:39 +02001302 /* Don't do anything if already set up or invalid */
1303 if( ctx == NULL || ctx->pk_info != NULL )
Manuel Pégourié-Gonnard0bbc66c2017-08-18 16:22:06 +02001304 return( 0 );
1305
1306 /* Should never happen when we're called */
1307 if( info->rs_alloc_func == NULL || info->rs_free_func == NULL )
1308 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
1309
1310 if( ( ctx->rs_ctx = info->rs_alloc_func() ) == NULL )
1311 return( MBEDTLS_ERR_PK_ALLOC_FAILED );
1312
1313 ctx->pk_info = info;
1314
1315 return( 0 );
1316}
Manuel Pégourié-Gonnardaaa98142017-08-18 17:30:37 +02001317#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
Manuel Pégourié-Gonnard0bbc66c2017-08-18 16:22:06 +02001318
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02001319/*
Manuel Pégourié-Gonnard82cb27b2017-05-03 10:59:45 +02001320 * Verify a signature (restartable)
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001321 */
Manuel Pégourié-Gonnard82cb27b2017-05-03 10:59:45 +02001322int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
1323 mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnardf73da022013-08-17 14:36:32 +02001324 const unsigned char *hash, size_t hash_len,
Manuel Pégourié-Gonnard82cb27b2017-05-03 10:59:45 +02001325 const unsigned char *sig, size_t sig_len,
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +02001326 mbedtls_pk_restart_ctx *rs_ctx )
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001327{
Gilles Peskinee97dc602018-12-19 00:51:38 +01001328 PK_VALIDATE_RET( ctx != NULL );
Gilles Peskineee3cfec2018-12-19 17:10:02 +01001329 PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
1330 hash != NULL );
Gilles Peskinee97dc602018-12-19 00:51:38 +01001331 PK_VALIDATE_RET( sig != NULL );
1332
1333 if( ctx->pk_info == NULL ||
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02001334 pk_hashlen_helper( md_alg, &hash_len ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001335 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001336
Manuel Pégourié-Gonnardaaa98142017-08-18 17:30:37 +02001337#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd55f7762017-08-18 17:40:15 +02001338 /* optimization: use non-restartable version if restart disabled */
1339 if( rs_ctx != NULL &&
Manuel Pégourié-Gonnardb843b152018-10-16 10:41:31 +02001340 mbedtls_ecp_restart_is_enabled() &&
Manuel Pégourié-Gonnardd55f7762017-08-18 17:40:15 +02001341 ctx->pk_info->verify_rs_func != NULL )
Manuel Pégourié-Gonnard1f596062017-05-09 10:42:40 +02001342 {
Manuel Pégourié-Gonnard0bbc66c2017-08-18 16:22:06 +02001343 int ret;
1344
1345 if( ( ret = pk_restart_setup( rs_ctx, ctx->pk_info ) ) != 0 )
1346 return( ret );
1347
1348 ret = ctx->pk_info->verify_rs_func( ctx->pk_ctx,
1349 md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx );
1350
1351 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
1352 mbedtls_pk_restart_free( rs_ctx );
1353
1354 return( ret );
Manuel Pégourié-Gonnard1f596062017-05-09 10:42:40 +02001355 }
Manuel Pégourié-Gonnardaaa98142017-08-18 17:30:37 +02001356#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
Manuel Pégourié-Gonnard1f596062017-05-09 10:42:40 +02001357 (void) rs_ctx;
Manuel Pégourié-Gonnardaaa98142017-08-18 17:30:37 +02001358#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
Manuel Pégourié-Gonnard1f596062017-05-09 10:42:40 +02001359
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001360 return( pk_info_verify_func( ctx->pk_info, ctx->pk_ctx, md_alg, hash, hash_len,
Manuel Pégourié-Gonnardf73da022013-08-17 14:36:32 +02001361 sig, sig_len ) );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001362}
1363
1364/*
Manuel Pégourié-Gonnard82cb27b2017-05-03 10:59:45 +02001365 * Verify a signature
1366 */
1367int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
1368 const unsigned char *hash, size_t hash_len,
1369 const unsigned char *sig, size_t sig_len )
1370{
1371 return( mbedtls_pk_verify_restartable( ctx, md_alg, hash, hash_len,
1372 sig, sig_len, NULL ) );
1373}
1374
1375/*
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001376 * Verify a signature with options
1377 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001378int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
1379 mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001380 const unsigned char *hash, size_t hash_len,
1381 const unsigned char *sig, size_t sig_len )
1382{
Gilles Peskinee97dc602018-12-19 00:51:38 +01001383 PK_VALIDATE_RET( ctx != NULL );
Gilles Peskineee3cfec2018-12-19 17:10:02 +01001384 PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
1385 hash != NULL );
Gilles Peskinee97dc602018-12-19 00:51:38 +01001386 PK_VALIDATE_RET( sig != NULL );
1387
1388 if( ctx->pk_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001389 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001391 if( ! mbedtls_pk_can_do( ctx, type ) )
1392 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001393
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001394 if( type == MBEDTLS_PK_RSASSA_PSS )
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001395 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001396#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001397 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001398 const mbedtls_pk_rsassa_pss_options *pss_opts;
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001399
Andres Amaya Garcia7c02c502017-08-04 13:32:15 +01001400#if SIZE_MAX > UINT_MAX
Andres AG72849872017-01-19 11:24:33 +00001401 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
1402 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Andres Amaya Garcia7c02c502017-08-04 13:32:15 +01001403#endif /* SIZE_MAX > UINT_MAX */
Andres AG72849872017-01-19 11:24:33 +00001404
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001405 if( options == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001406 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001407
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001408 pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001409
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001410 if( sig_len < mbedtls_pk_get_len( ctx ) )
1411 return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001412
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001413 ret = mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_pk_rsa( *ctx ),
1414 NULL, NULL, MBEDTLS_RSA_PUBLIC,
Sander Niemeijeref5087d2014-08-16 12:45:52 +02001415 md_alg, (unsigned int) hash_len, hash,
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001416 pss_opts->mgf1_hash_id,
1417 pss_opts->expected_salt_len,
1418 sig );
1419 if( ret != 0 )
1420 return( ret );
1421
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001422 if( sig_len > mbedtls_pk_get_len( ctx ) )
1423 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001424
1425 return( 0 );
1426#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001427 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
Andres AG72849872017-01-19 11:24:33 +00001428#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001429 }
1430
1431 /* General case: no options */
1432 if( options != NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001433 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001434
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001435 return( mbedtls_pk_verify( ctx, md_alg, hash, hash_len, sig, sig_len ) );
Manuel Pégourié-Gonnard20422e92014-06-05 13:41:44 +02001436}
1437
1438/*
Manuel Pégourié-Gonnard82cb27b2017-05-03 10:59:45 +02001439 * Make a signature (restartable)
Manuel Pégourié-Gonnard8df27692013-08-21 10:34:38 +02001440 */
Manuel Pégourié-Gonnard82cb27b2017-05-03 10:59:45 +02001441int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
1442 mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard8df27692013-08-21 10:34:38 +02001443 const unsigned char *hash, size_t hash_len,
1444 unsigned char *sig, size_t *sig_len,
Manuel Pégourié-Gonnard82cb27b2017-05-03 10:59:45 +02001445 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +02001446 mbedtls_pk_restart_ctx *rs_ctx )
Manuel Pégourié-Gonnard8df27692013-08-21 10:34:38 +02001447{
Gilles Peskinee97dc602018-12-19 00:51:38 +01001448 PK_VALIDATE_RET( ctx != NULL );
Gilles Peskineee3cfec2018-12-19 17:10:02 +01001449 PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
1450 hash != NULL );
Gilles Peskinee97dc602018-12-19 00:51:38 +01001451 PK_VALIDATE_RET( sig != NULL );
1452
1453 if( ctx->pk_info == NULL ||
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02001454 pk_hashlen_helper( md_alg, &hash_len ) != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001455 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard8df27692013-08-21 10:34:38 +02001456
Manuel Pégourié-Gonnardaaa98142017-08-18 17:30:37 +02001457#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd55f7762017-08-18 17:40:15 +02001458 /* optimization: use non-restartable version if restart disabled */
1459 if( rs_ctx != NULL &&
Manuel Pégourié-Gonnardb843b152018-10-16 10:41:31 +02001460 mbedtls_ecp_restart_is_enabled() &&
Manuel Pégourié-Gonnardd55f7762017-08-18 17:40:15 +02001461 ctx->pk_info->sign_rs_func != NULL )
Manuel Pégourié-Gonnard1f596062017-05-09 10:42:40 +02001462 {
Manuel Pégourié-Gonnard0bbc66c2017-08-18 16:22:06 +02001463 int ret;
1464
1465 if( ( ret = pk_restart_setup( rs_ctx, ctx->pk_info ) ) != 0 )
1466 return( ret );
1467
1468 ret = ctx->pk_info->sign_rs_func( ctx->pk_ctx, md_alg,
1469 hash, hash_len, sig, sig_len, f_rng, p_rng, rs_ctx->rs_ctx );
1470
1471 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
1472 mbedtls_pk_restart_free( rs_ctx );
1473
1474 return( ret );
Manuel Pégourié-Gonnard1f596062017-05-09 10:42:40 +02001475 }
Manuel Pégourié-Gonnardaaa98142017-08-18 17:30:37 +02001476#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
Manuel Pégourié-Gonnard1f596062017-05-09 10:42:40 +02001477 (void) rs_ctx;
Manuel Pégourié-Gonnardaaa98142017-08-18 17:30:37 +02001478#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
Manuel Pégourié-Gonnard1f596062017-05-09 10:42:40 +02001479
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001480 return( pk_info_sign_func( ctx->pk_info, ctx->pk_ctx, md_alg, hash, hash_len,
Manuel Pégourié-Gonnard8df27692013-08-21 10:34:38 +02001481 sig, sig_len, f_rng, p_rng ) );
1482}
1483
1484/*
Manuel Pégourié-Gonnard82cb27b2017-05-03 10:59:45 +02001485 * Make a signature
1486 */
1487int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
1488 const unsigned char *hash, size_t hash_len,
1489 unsigned char *sig, size_t *sig_len,
1490 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
1491{
1492 return( mbedtls_pk_sign_restartable( ctx, md_alg, hash, hash_len,
1493 sig, sig_len, f_rng, p_rng, NULL ) );
1494}
1495
1496/*
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +02001497 * Decrypt message
1498 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001499int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +02001500 const unsigned char *input, size_t ilen,
1501 unsigned char *output, size_t *olen, size_t osize,
1502 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
1503{
Gilles Peskinee97dc602018-12-19 00:51:38 +01001504 PK_VALIDATE_RET( ctx != NULL );
1505 PK_VALIDATE_RET( input != NULL || ilen == 0 );
1506 PK_VALIDATE_RET( output != NULL || osize == 0 );
1507 PK_VALIDATE_RET( olen != NULL );
1508
1509 if( ctx->pk_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001510 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +02001511
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001512 return( pk_info_decrypt_func( ctx->pk_info, ctx->pk_ctx, input, ilen,
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +02001513 output, olen, osize, f_rng, p_rng ) );
1514}
1515
1516/*
1517 * Encrypt message
1518 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001519int mbedtls_pk_encrypt( mbedtls_pk_context *ctx,
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +02001520 const unsigned char *input, size_t ilen,
1521 unsigned char *output, size_t *olen, size_t osize,
1522 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
1523{
Gilles Peskinee97dc602018-12-19 00:51:38 +01001524 PK_VALIDATE_RET( ctx != NULL );
1525 PK_VALIDATE_RET( input != NULL || ilen == 0 );
1526 PK_VALIDATE_RET( output != NULL || osize == 0 );
1527 PK_VALIDATE_RET( olen != NULL );
1528
1529 if( ctx->pk_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001530 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +02001531
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001532 return( pk_info_encrypt_func( ctx->pk_info, ctx->pk_ctx, input, ilen,
Manuel Pégourié-Gonnarda2d3f222013-08-21 11:51:08 +02001533 output, olen, osize, f_rng, p_rng ) );
1534}
1535
1536/*
Manuel Pégourié-Gonnard70bdadf2014-11-06 16:51:20 +01001537 * Check public-private key pair
1538 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001539int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_context *prv )
Manuel Pégourié-Gonnard70bdadf2014-11-06 16:51:20 +01001540{
Gilles Peskinee97dc602018-12-19 00:51:38 +01001541 PK_VALIDATE_RET( pub != NULL );
1542 PK_VALIDATE_RET( prv != NULL );
1543
Manuel Pégourié-Gonnard2d9466f2019-09-19 10:45:14 +02001544 if( pub->pk_info == NULL || prv->pk_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001545 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard70bdadf2014-11-06 16:51:20 +01001546
Manuel Pégourié-Gonnard2d9466f2019-09-19 10:45:14 +02001547#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001548 if( pk_info_type( prv->pk_info ) == MBEDTLS_PK_RSA_ALT )
Manuel Pégourié-Gonnard70bdadf2014-11-06 16:51:20 +01001549 {
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001550 if( pk_info_type( pub->pk_info ) != MBEDTLS_PK_RSA )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001551 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnarda1efcb02014-11-08 17:08:08 +01001552 }
1553 else
Manuel Pégourié-Gonnard2d9466f2019-09-19 10:45:14 +02001554#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
Manuel Pégourié-Gonnarda1efcb02014-11-08 17:08:08 +01001555 {
1556 if( pub->pk_info != prv->pk_info )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001557 return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnard70bdadf2014-11-06 16:51:20 +01001558 }
1559
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001560 return( pk_info_check_pair_func( prv->pk_info, pub->pk_ctx, prv->pk_ctx ) );
Manuel Pégourié-Gonnard70bdadf2014-11-06 16:51:20 +01001561}
1562
1563/*
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001564 * Get key size in bits
1565 */
Manuel Pégourié-Gonnard097c7bb2015-06-18 16:43:38 +02001566size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx )
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001567{
Gilles Peskine6af45ec2018-12-19 17:52:05 +01001568 /* For backward compatibility, accept NULL or a context that
1569 * isn't set up yet, and return a fake value that should be safe. */
Manuel Pégourié-Gonnard3fb5c5e2013-08-14 18:26:41 +02001570 if( ctx == NULL || ctx->pk_info == NULL )
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001571 return( 0 );
1572
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001573 return( pk_info_get_bitlen( ctx->pk_info, ctx->pk_ctx ) );
Manuel Pégourié-Gonnardb3d91872013-08-14 15:56:19 +02001574}
Manuel Pégourié-Gonnardc6ac8872013-08-14 18:04:18 +02001575
1576/*
1577 * Export debug information
1578 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001579int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items )
Manuel Pégourié-Gonnardc6ac8872013-08-14 18:04:18 +02001580{
Gilles Peskinee97dc602018-12-19 00:51:38 +01001581 PK_VALIDATE_RET( ctx != NULL );
1582 if( ctx->pk_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001583 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardc6ac8872013-08-14 18:04:18 +02001584
Manuel Pégourié-Gonnard57d96cd2019-09-19 10:45:14 +02001585 return( pk_info_debug_func( ctx->pk_info, ctx->pk_ctx, items ) );
Manuel Pégourié-Gonnardc6ac8872013-08-14 18:04:18 +02001586}
Manuel Pégourié-Gonnard3fb5c5e2013-08-14 18:26:41 +02001587
1588/*
1589 * Access the PK type name
1590 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001591const char *mbedtls_pk_get_name( const mbedtls_pk_context *ctx )
Manuel Pégourié-Gonnard3fb5c5e2013-08-14 18:26:41 +02001592{
1593 if( ctx == NULL || ctx->pk_info == NULL )
1594 return( "invalid PK" );
1595
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001596 return( pk_info_name( ctx->pk_info ) );
Manuel Pégourié-Gonnard3fb5c5e2013-08-14 18:26:41 +02001597}
Manuel Pégourié-Gonnardc40b4c32013-08-22 13:29:31 +02001598
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +02001599/*
1600 * Access the PK type
1601 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001602mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx )
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +02001603{
1604 if( ctx == NULL || ctx->pk_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001605 return( MBEDTLS_PK_NONE );
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +02001606
Manuel Pégourié-Gonnardc10f0922019-09-19 10:45:14 +02001607 return( pk_info_type( ctx->pk_info ) );
Manuel Pégourié-Gonnard8053da42013-09-11 22:28:30 +02001608}
1609
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001610#endif /* MBEDTLS_PK_C */