search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #2735 from jareckib/master
[RRG-proxmark3.git] / common / mbedtls / pk_wrap.c
blobb2057037e0747c25312a667ed39f959f34724803
1 /*
2 * Public Key abstraction layer: wrapper functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_PK_C)
23 #include "mbedtls/pk_internal.h"
24 #include "mbedtls/error.h"
25
26 /* Even if RSA not activated, for the sake of RSA-alt */
27 #include "mbedtls/rsa.h"
28
29 #include <string.h>
30
31 #if defined(MBEDTLS_ECP_C)
32 #include "mbedtls/ecp.h"
33 #endif
34
35 #if defined(MBEDTLS_ECDSA_C)
36 #include "mbedtls/ecdsa.h"
37 #endif
38
39 #if defined(MBEDTLS_USE_PSA_CRYPTO)
40 #include "mbedtls/asn1write.h"
41 #endif
42
43 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
44 #include "mbedtls/platform_util.h"
45 #endif
46
47 #if defined(MBEDTLS_USE_PSA_CRYPTO)
48 #include "psa/crypto.h"
49 #include "mbedtls/psa_util.h"
50 #include "mbedtls/asn1.h"
51 #endif
52
53 #if defined(MBEDTLS_PLATFORM_C)
54 #include "mbedtls/platform.h"
55 #else
56 #include <stdlib.h>
57 #define mbedtls_calloc calloc
58 #define mbedtls_free free
59 #endif
60
61 #include <limits.h>
62 #include <stdint.h>
63
64 #if defined(MBEDTLS_RSA_C)
65 static int rsa_can_do(mbedtls_pk_type_t type) {
66 return (type == MBEDTLS_PK_RSA ||
67 type == MBEDTLS_PK_RSASSA_PSS);
68 }
69
70 static size_t rsa_get_bitlen(const void *ctx) {
71 const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) ctx;
72 return (8 * mbedtls_rsa_get_len(rsa));
73 }
74
75 static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
76 const unsigned char *hash, size_t hash_len,
77 const unsigned char *sig, size_t sig_len) {
78 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
79 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
80 size_t rsa_len = mbedtls_rsa_get_len(rsa);
81
82 #if SIZE_MAX > UINT_MAX
83 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len)
84 return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
85 #endif /* SIZE_MAX > UINT_MAX */
86
87 if (sig_len < rsa_len)
88 return (MBEDTLS_ERR_RSA_VERIFY_FAILED);
89
90 if ((ret = mbedtls_rsa_pkcs1_verify(rsa, NULL, NULL,
91 MBEDTLS_RSA_PUBLIC, md_alg,
92 (unsigned int) hash_len, hash, sig)) != 0)
93 return (ret);
94
95 /* The buffer contains a valid signature followed by extra data.
96 * We have a special error code for that so that so that callers can
97 * use mbedtls_pk_verify() to check "Does the buffer start with a
98 * valid signature?" and not just "Does the buffer contain a valid
99 * signature?". */
100 if (sig_len > rsa_len)
101 return (MBEDTLS_ERR_PK_SIG_LEN_MISMATCH);
102
103 return (0);
104 }
105
106 static int rsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
107 const unsigned char *hash, size_t hash_len,
108 unsigned char *sig, size_t *sig_len,
109 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
110 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
111
112 #if SIZE_MAX > UINT_MAX
113 if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len)
114 return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
115 #endif /* SIZE_MAX > UINT_MAX */
116
117 *sig_len = mbedtls_rsa_get_len(rsa);
118
119 return (mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
120 md_alg, (unsigned int) hash_len, hash, sig));
121 }
122
123 static int rsa_decrypt_wrap(void *ctx,
124 const unsigned char *input, size_t ilen,
125 unsigned char *output, size_t *olen, size_t osize,
126 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
127 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
128
129 if (ilen != mbedtls_rsa_get_len(rsa))
130 return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
131
132 return (mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng,
133 MBEDTLS_RSA_PRIVATE, olen, input, output, osize));
134 }
135
136 static int rsa_encrypt_wrap(void *ctx,
137 const unsigned char *input, size_t ilen,
138 unsigned char *output, size_t *olen, size_t osize,
139 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
140 mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
141 *olen = mbedtls_rsa_get_len(rsa);
142
143 if (*olen > osize)
144 return (MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE);
145
146 return (mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC,
147 ilen, input, output));
148 }
149
150 static int rsa_check_pair_wrap(const void *pub, const void *prv) {
151 return (mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub,
152 (const mbedtls_rsa_context *) prv));
153 }
154
155 static void *rsa_alloc_wrap(void) {
156 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
157
158 if (ctx != NULL)
159 mbedtls_rsa_init((mbedtls_rsa_context *) ctx, 0, 0);
160
161 return (ctx);
162 }
163
164 static void rsa_free_wrap(void *ctx) {
165 mbedtls_rsa_free((mbedtls_rsa_context *) ctx);
166 mbedtls_free(ctx);
167 }
168
169 static void rsa_debug(const void *ctx, mbedtls_pk_debug_item *items) {
170 items->type = MBEDTLS_PK_DEBUG_MPI;
171 items->name = "rsa.N";
172 items->value = &(((mbedtls_rsa_context *) ctx)->N);
173
174 items++;
175
176 items->type = MBEDTLS_PK_DEBUG_MPI;
177 items->name = "rsa.E";
178 items->value = &(((mbedtls_rsa_context *) ctx)->E);
179 }
180
181 const mbedtls_pk_info_t mbedtls_rsa_info = {
182 MBEDTLS_PK_RSA,
183 "RSA",
184 rsa_get_bitlen,
185 rsa_can_do,
186 rsa_verify_wrap,
187 rsa_sign_wrap,
188 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
189 NULL,
190 NULL,
191 #endif
192 rsa_decrypt_wrap,
193 rsa_encrypt_wrap,
194 rsa_check_pair_wrap,
195 rsa_alloc_wrap,
196 rsa_free_wrap,
197 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
198 NULL,
199 NULL,
200 #endif
201 rsa_debug,
202 };
203 #endif /* MBEDTLS_RSA_C */
204
205 #if defined(MBEDTLS_ECP_C)
206 /*
207 * Generic EC key
208 */
209 static int eckey_can_do(mbedtls_pk_type_t type) {
210 return (type == MBEDTLS_PK_ECKEY ||
211 type == MBEDTLS_PK_ECKEY_DH ||
212 type == MBEDTLS_PK_ECDSA);
213 }
214
215 static size_t eckey_get_bitlen(const void *ctx) {
216 return (((mbedtls_ecp_keypair *) ctx)->grp.pbits);
217 }
218
219 #if defined(MBEDTLS_ECDSA_C)
220 /* Forward declarations */
221 static int ecdsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
222 const unsigned char *hash, size_t hash_len,
223 const unsigned char *sig, size_t sig_len);
224
225 static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
226 const unsigned char *hash, size_t hash_len,
227 unsigned char *sig, size_t *sig_len,
228 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
229
230 static int eckey_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
231 const unsigned char *hash, size_t hash_len,
232 const unsigned char *sig, size_t sig_len) {
233 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
234 mbedtls_ecdsa_context ecdsa;
235
236 mbedtls_ecdsa_init(&ecdsa);
237
238 if ((ret = mbedtls_ecdsa_from_keypair(&ecdsa, ctx)) == 0)
239 ret = ecdsa_verify_wrap(&ecdsa, md_alg, hash, hash_len, sig, sig_len);
240
241 mbedtls_ecdsa_free(&ecdsa);
242
243 return (ret);
244 }
245
246 static int eckey_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
247 const unsigned char *hash, size_t hash_len,
248 unsigned char *sig, size_t *sig_len,
249 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
250 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
251 mbedtls_ecdsa_context ecdsa;
252
253 mbedtls_ecdsa_init(&ecdsa);
254
255 if ((ret = mbedtls_ecdsa_from_keypair(&ecdsa, ctx)) == 0)
256 ret = ecdsa_sign_wrap(&ecdsa, md_alg, hash, hash_len, sig, sig_len,
257 f_rng, p_rng);
258
259 mbedtls_ecdsa_free(&ecdsa);
260
261 return (ret);
262 }
263
264 #if defined(MBEDTLS_ECP_RESTARTABLE)
265 /* Forward declarations */
266 static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
267 const unsigned char *hash, size_t hash_len,
268 const unsigned char *sig, size_t sig_len,
269 void *rs_ctx);
270
271 static int ecdsa_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
272 const unsigned char *hash, size_t hash_len,
273 unsigned char *sig, size_t *sig_len,
274 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
275 void *rs_ctx);
276
277 /*
278 * Restart context for ECDSA operations with ECKEY context
279 *
280 * We need to store an actual ECDSA context, as we need to pass the same to
281 * the underlying ecdsa function, so we can't create it on the fly every time.
282 */
283 typedef struct {
284 mbedtls_ecdsa_restart_ctx ecdsa_rs;
285 mbedtls_ecdsa_context ecdsa_ctx;
286 } eckey_restart_ctx;
287
288 static void *eckey_rs_alloc(void) {
289 eckey_restart_ctx *rs_ctx;
290
291 void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
292
293 if (ctx != NULL) {
294 rs_ctx = ctx;
295 mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
296 mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
297 }
298
299 return (ctx);
300 }
301
302 static void eckey_rs_free(void *ctx) {
303 eckey_restart_ctx *rs_ctx;
304
305 if (ctx == NULL)
306 return;
307
308 rs_ctx = ctx;
309 mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
310 mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
311
312 mbedtls_free(ctx);
313 }
314
315 static int eckey_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
316 const unsigned char *hash, size_t hash_len,
317 const unsigned char *sig, size_t sig_len,
318 void *rs_ctx) {
319 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
320 eckey_restart_ctx *rs = rs_ctx;
321
322 /* Should never happen */
323 if (rs == NULL)
324 return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
325
326 /* set up our own sub-context if needed (that is, on first run) */
327 if (rs->ecdsa_ctx.grp.pbits == 0)
328 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, ctx));
329
330 MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(&rs->ecdsa_ctx,
331 md_alg, hash, hash_len,
332 sig, sig_len, &rs->ecdsa_rs));
333
334 cleanup:
335 return (ret);
336 }
337
338 static int eckey_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
339 const unsigned char *hash, size_t hash_len,
340 unsigned char *sig, size_t *sig_len,
341 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
342 void *rs_ctx) {
343 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
344 eckey_restart_ctx *rs = rs_ctx;
345
346 /* Should never happen */
347 if (rs == NULL)
348 return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
349
350 /* set up our own sub-context if needed (that is, on first run) */
351 if (rs->ecdsa_ctx.grp.pbits == 0)
352 MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, ctx));
353
354 MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(&rs->ecdsa_ctx, md_alg,
355 hash, hash_len, sig, sig_len,
356 f_rng, p_rng, &rs->ecdsa_rs));
357
358 cleanup:
359 return (ret);
360 }
361 #endif /* MBEDTLS_ECP_RESTARTABLE */
362 #endif /* MBEDTLS_ECDSA_C */
363
364 static int eckey_check_pair(const void *pub, const void *prv) {
365 return (mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub,
366 (const mbedtls_ecp_keypair *) prv));
367 }
368
369 static void *eckey_alloc_wrap(void) {
370 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
371
372 if (ctx != NULL)
373 mbedtls_ecp_keypair_init(ctx);
374
375 return (ctx);
376 }
377
378 static void eckey_free_wrap(void *ctx) {
379 mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
380 mbedtls_free(ctx);
381 }
382
383 static void eckey_debug(const void *ctx, mbedtls_pk_debug_item *items) {
384 items->type = MBEDTLS_PK_DEBUG_ECP;
385 items->name = "eckey.Q";
386 items->value = &(((mbedtls_ecp_keypair *) ctx)->Q);
387 }
388
389 const mbedtls_pk_info_t mbedtls_eckey_info = {
390 MBEDTLS_PK_ECKEY,
391 "EC",
392 eckey_get_bitlen,
393 eckey_can_do,
394 #if defined(MBEDTLS_ECDSA_C)
395 eckey_verify_wrap,
396 eckey_sign_wrap,
397 #if defined(MBEDTLS_ECP_RESTARTABLE)
398 eckey_verify_rs_wrap,
399 eckey_sign_rs_wrap,
400 #endif
401 #else /* MBEDTLS_ECDSA_C */
402 NULL,
403 NULL,
404 #endif /* MBEDTLS_ECDSA_C */
405 NULL,
406 NULL,
407 eckey_check_pair,
408 eckey_alloc_wrap,
409 eckey_free_wrap,
410 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
411 eckey_rs_alloc,
412 eckey_rs_free,
413 #endif
414 eckey_debug,
415 };
416
417 /*
418 * EC key restricted to ECDH
419 */
420 static int eckeydh_can_do(mbedtls_pk_type_t type) {
421 return (type == MBEDTLS_PK_ECKEY ||
422 type == MBEDTLS_PK_ECKEY_DH);
423 }
424
425 const mbedtls_pk_info_t mbedtls_eckeydh_info = {
426 MBEDTLS_PK_ECKEY_DH,
427 "EC_DH",
428 eckey_get_bitlen, /* Same underlying key structure */
429 eckeydh_can_do,
430 NULL,
431 NULL,
432 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
433 NULL,
434 NULL,
435 #endif
436 NULL,
437 NULL,
438 eckey_check_pair,
439 eckey_alloc_wrap, /* Same underlying key structure */
440 eckey_free_wrap, /* Same underlying key structure */
441 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
442 NULL,
443 NULL,
444 #endif
445 eckey_debug, /* Same underlying key structure */
446 };
447 #endif /* MBEDTLS_ECP_C */
448
449 #if defined(MBEDTLS_ECDSA_C)
450 static int ecdsa_can_do(mbedtls_pk_type_t type) {
451 return (type == MBEDTLS_PK_ECDSA);
452 }
453
454 #if defined(MBEDTLS_USE_PSA_CRYPTO)
455 /*
456 * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of
457 * those integers and convert it to the fixed-length encoding expected by PSA.
458 */
459 static int extract_ecdsa_sig_int(unsigned char **from, const unsigned char *end,
460 unsigned char *to, size_t to_len) {
461 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
462 size_t unpadded_len, padding_len;
463
464 if ((ret = mbedtls_asn1_get_tag(from, end, &unpadded_len,
465 MBEDTLS_ASN1_INTEGER)) != 0) {
466 return (ret);
467 }
468
469 while (unpadded_len > 0 && **from == 0x00) {
470 (*from)++;
471 unpadded_len--;
472 }
473
474 if (unpadded_len > to_len || unpadded_len == 0)
475 return (MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
476
477 padding_len = to_len - unpadded_len;
478 memset(to, 0x00, padding_len);
479 memcpy(to + padding_len, *from, unpadded_len);
480 (*from) += unpadded_len;
481
482 return (0);
483 }
484
485 /*
486 * Convert a signature from an ASN.1 sequence of two integers
487 * to a raw {r,s} buffer. Note: the provided sig buffer must be at least
488 * twice as big as int_size.
489 */
490 static int extract_ecdsa_sig(unsigned char **p, const unsigned char *end,
491 unsigned char *sig, size_t int_size) {
492 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
493 size_t tmp_size;
494
495 if ((ret = mbedtls_asn1_get_tag(p, end, &tmp_size,
496 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0)
497 return (ret);
498
499 /* Extract r */
500 if ((ret = extract_ecdsa_sig_int(p, end, sig, int_size)) != 0)
501 return (ret);
502 /* Extract s */
503 if ((ret = extract_ecdsa_sig_int(p, end, sig + int_size, int_size)) != 0)
504 return (ret);
505
506 return (0);
507 }
508
509 static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
510 const unsigned char *hash, size_t hash_len,
511 const unsigned char *sig, size_t sig_len) {
512 mbedtls_ecdsa_context *ctx = ctx_arg;
513 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
514 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
515 psa_key_id_t key_id = 0;
516 psa_status_t status;
517 mbedtls_pk_context key;
518 int key_len;
519 /* see ECP_PUB_DER_MAX_BYTES in pkwrite.c */
520 unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES];
521 unsigned char *p;
522 mbedtls_pk_info_t pk_info = mbedtls_eckey_info;
523 psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
524 size_t curve_bits;
525 psa_ecc_family_t curve =
526 mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
527 const size_t signature_part_size = (ctx->grp.nbits + 7) / 8;
528 ((void) md_alg);
529
530 if (curve == 0)
531 return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
532
533 /* mbedtls_pk_write_pubkey() expects a full PK context;
534 * re-construct one to make it happy */
535 key.pk_info = &pk_info;
536 key.pk_ctx = ctx;
537 p = buf + sizeof(buf);
538 key_len = mbedtls_pk_write_pubkey(&p, buf, &key);
539 if (key_len <= 0)
540 return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
541
542 psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
543 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
544 psa_set_key_algorithm(&attributes, psa_sig_md);
545
546 status = psa_import_key(&attributes,
547 buf + sizeof(buf) - key_len, key_len,
548 &key_id);
549 if (status != PSA_SUCCESS) {
550 ret = mbedtls_psa_err_translate_pk(status);
551 goto cleanup;
552 }
553
554 /* We don't need the exported key anymore and can
555 * reuse its buffer for signature extraction. */
556 if (2 * signature_part_size > sizeof(buf)) {
557 ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
558 goto cleanup;
559 }
560
561 p = (unsigned char *) sig;
562 if ((ret = extract_ecdsa_sig(&p, sig + sig_len, buf,
563 signature_part_size)) != 0) {
564 goto cleanup;
565 }
566
567 if (psa_verify_hash(key_id, psa_sig_md,
568 hash, hash_len,
569 buf, 2 * signature_part_size)
570 != PSA_SUCCESS) {
571 ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
572 goto cleanup;
573 }
574
575 if (p != sig + sig_len) {
576 ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
577 goto cleanup;
578 }
579 ret = 0;
580
581 cleanup:
582 psa_destroy_key(key_id);
583 return (ret);
584 }
585 #else /* MBEDTLS_USE_PSA_CRYPTO */
586 static int ecdsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
587 const unsigned char *hash, size_t hash_len,
588 const unsigned char *sig, size_t sig_len) {
589 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
590 ((void) md_alg);
591
592 ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) ctx,
593 hash, hash_len, sig, sig_len);
594
595 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH)
596 return (MBEDTLS_ERR_PK_SIG_LEN_MISMATCH);
597
598 return (ret);
599 }
600 #endif /* MBEDTLS_USE_PSA_CRYPTO */
601
602 static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
603 const unsigned char *hash, size_t hash_len,
604 unsigned char *sig, size_t *sig_len,
605 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
606 return (mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) ctx,
607 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng));
608 }
609
610 #if defined(MBEDTLS_ECP_RESTARTABLE)
611 static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
612 const unsigned char *hash, size_t hash_len,
613 const unsigned char *sig, size_t sig_len,
614 void *rs_ctx) {
615 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
616 ((void) md_alg);
617
618 ret = mbedtls_ecdsa_read_signature_restartable(
619 (mbedtls_ecdsa_context *) ctx,
620 hash, hash_len, sig, sig_len,
621 (mbedtls_ecdsa_restart_ctx *) rs_ctx);
622
623 if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH)
624 return (MBEDTLS_ERR_PK_SIG_LEN_MISMATCH);
625
626 return (ret);
627 }
628
629 static int ecdsa_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
630 const unsigned char *hash, size_t hash_len,
631 unsigned char *sig, size_t *sig_len,
632 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
633 void *rs_ctx) {
634 return (mbedtls_ecdsa_write_signature_restartable(
635 (mbedtls_ecdsa_context *) ctx,
636 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng,
637 (mbedtls_ecdsa_restart_ctx *) rs_ctx));
638
639 }
640 #endif /* MBEDTLS_ECP_RESTARTABLE */
641
642 static void *ecdsa_alloc_wrap(void) {
643 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_context));
644
645 if (ctx != NULL)
646 mbedtls_ecdsa_init((mbedtls_ecdsa_context *) ctx);
647
648 return (ctx);
649 }
650
651 static void ecdsa_free_wrap(void *ctx) {
652 mbedtls_ecdsa_free((mbedtls_ecdsa_context *) ctx);
653 mbedtls_free(ctx);
654 }
655
656 #if defined(MBEDTLS_ECP_RESTARTABLE)
657 static void *ecdsa_rs_alloc(void) {
658 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
659
660 if (ctx != NULL)
661 mbedtls_ecdsa_restart_init(ctx);
662
663 return (ctx);
664 }
665
666 static void ecdsa_rs_free(void *ctx) {
667 mbedtls_ecdsa_restart_free(ctx);
668 mbedtls_free(ctx);
669 }
670 #endif /* MBEDTLS_ECP_RESTARTABLE */
671
672 const mbedtls_pk_info_t mbedtls_ecdsa_info = {
673 MBEDTLS_PK_ECDSA,
674 "ECDSA",
675 eckey_get_bitlen, /* Compatible key structures */
676 ecdsa_can_do,
677 ecdsa_verify_wrap,
678 ecdsa_sign_wrap,
679 #if defined(MBEDTLS_ECP_RESTARTABLE)
680 ecdsa_verify_rs_wrap,
681 ecdsa_sign_rs_wrap,
682 #endif
683 NULL,
684 NULL,
685 eckey_check_pair, /* Compatible key structures */
686 ecdsa_alloc_wrap,
687 ecdsa_free_wrap,
688 #if defined(MBEDTLS_ECP_RESTARTABLE)
689 ecdsa_rs_alloc,
690 ecdsa_rs_free,
691 #endif
692 eckey_debug, /* Compatible key structures */
693 };
694 #endif /* MBEDTLS_ECDSA_C */
695
696 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
697 /*
698 * Support for alternative RSA-private implementations
699 */
700
701 static int rsa_alt_can_do(mbedtls_pk_type_t type) {
702 return (type == MBEDTLS_PK_RSA);
703 }
704
705 static size_t rsa_alt_get_bitlen(const void *ctx) {
706 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
707
708 return (8 * rsa_alt->key_len_func(rsa_alt->key));
709 }
710
711 static int rsa_alt_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
712 const unsigned char *hash, size_t hash_len,
713 unsigned char *sig, size_t *sig_len,
714 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
715 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
716
717 #if SIZE_MAX > UINT_MAX
718 if (UINT_MAX < hash_len)
719 return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
720 #endif /* SIZE_MAX > UINT_MAX */
721
722 *sig_len = rsa_alt->key_len_func(rsa_alt->key);
723 if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE)
724 return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
725
726 return (rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
727 md_alg, (unsigned int) hash_len, hash, sig));
728 }
729
730 static int rsa_alt_decrypt_wrap(void *ctx,
731 const unsigned char *input, size_t ilen,
732 unsigned char *output, size_t *olen, size_t osize,
733 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
734 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
735
736 ((void) f_rng);
737 ((void) p_rng);
738
739 if (ilen != rsa_alt->key_len_func(rsa_alt->key))
740 return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
741
742 return (rsa_alt->decrypt_func(rsa_alt->key,
743 MBEDTLS_RSA_PRIVATE, olen, input, output, osize));
744 }
745
746 #if defined(MBEDTLS_RSA_C)
747 static int rsa_alt_check_pair(const void *pub, const void *prv) {
748 unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
749 unsigned char hash[32];
750 size_t sig_len = 0;
751 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
752
753 if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub))
754 return (MBEDTLS_ERR_RSA_KEY_CHECK_FAILED);
755
756 memset(hash, 0x2a, sizeof(hash));
757
758 if ((ret = rsa_alt_sign_wrap((void *) prv, MBEDTLS_MD_NONE,
759 hash, sizeof(hash),
760 sig, &sig_len, NULL, NULL)) != 0) {
761 return (ret);
762 }
763
764 if (rsa_verify_wrap((void *) pub, MBEDTLS_MD_NONE,
765 hash, sizeof(hash), sig, sig_len) != 0) {
766 return (MBEDTLS_ERR_RSA_KEY_CHECK_FAILED);
767 }
768
769 return (0);
770 }
771 #endif /* MBEDTLS_RSA_C */
772
773 static void *rsa_alt_alloc_wrap(void) {
774 void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context));
775
776 if (ctx != NULL)
777 memset(ctx, 0, sizeof(mbedtls_rsa_alt_context));
778
779 return (ctx);
780 }
781
782 static void rsa_alt_free_wrap(void *ctx) {
783 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_rsa_alt_context));
784 mbedtls_free(ctx);
785 }
786
787 const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
788 MBEDTLS_PK_RSA_ALT,
789 "RSA-alt",
790 rsa_alt_get_bitlen,
791 rsa_alt_can_do,
792 NULL,
793 rsa_alt_sign_wrap,
794 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
795 NULL,
796 NULL,
797 #endif
798 rsa_alt_decrypt_wrap,
799 NULL,
800 #if defined(MBEDTLS_RSA_C)
801 rsa_alt_check_pair,
802 #else
803 NULL,
804 #endif
805 rsa_alt_alloc_wrap,
806 rsa_alt_free_wrap,
807 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
808 NULL,
809 NULL,
810 #endif
811 NULL,
812 };
813
814 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
815
816 #if defined(MBEDTLS_USE_PSA_CRYPTO)
817
818 static void *pk_opaque_alloc_wrap(void) {
819 void *ctx = mbedtls_calloc(1, sizeof(psa_key_id_t));
820
821 /* no _init() function to call, an calloc() already zeroized */
822
823 return (ctx);
824 }
825
826 static void pk_opaque_free_wrap(void *ctx) {
827 mbedtls_platform_zeroize(ctx, sizeof(psa_key_id_t));
828 mbedtls_free(ctx);
829 }
830
831 static size_t pk_opaque_get_bitlen(const void *ctx) {
832 const psa_key_id_t *key = (const psa_key_id_t *) ctx;
833 size_t bits;
834 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
835
836 if (PSA_SUCCESS != psa_get_key_attributes(*key, &attributes))
837 return (0);
838
839 bits = psa_get_key_bits(&attributes);
840 psa_reset_key_attributes(&attributes);
841 return (bits);
842 }
843
844 static int pk_opaque_can_do(mbedtls_pk_type_t type) {
845 /* For now opaque PSA keys can only wrap ECC keypairs,
846 * as checked by setup_psa().
847 * Also, ECKEY_DH does not really make sense with the current API. */
848 return (type == MBEDTLS_PK_ECKEY ||
849 type == MBEDTLS_PK_ECDSA);
850 }
851
852 #if defined(MBEDTLS_ECDSA_C)
853
854 /*
855 * Simultaneously convert and move raw MPI from the beginning of a buffer
856 * to an ASN.1 MPI at the end of the buffer.
857 * See also mbedtls_asn1_write_mpi().
858 *
859 * p: pointer to the end of the output buffer
860 * start: start of the output buffer, and also of the mpi to write at the end
861 * n_len: length of the mpi to read from start
862 */
863 static int asn1_write_mpibuf(unsigned char **p, unsigned char *start,
864 size_t n_len) {
865 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
866 size_t len = 0;
867
868 if ((size_t)(*p - start) < n_len)
869 return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
870
871 len = n_len;
872 *p -= len;
873 memmove(*p, start, len);
874
875 /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
876 * Neither r nor s should be 0, but as a failsafe measure, still detect
877 * that rather than overflowing the buffer in case of a PSA error. */
878 while (len > 0 && **p == 0x00) {
879 ++(*p);
880 --len;
881 }
882
883 /* this is only reached if the signature was invalid */
884 if (len == 0)
885 return (MBEDTLS_ERR_PK_HW_ACCEL_FAILED);
886
887 /* if the msb is 1, ASN.1 requires that we prepend a 0.
888 * Neither r nor s can be 0, so we can assume len > 0 at all times. */
889 if (**p & 0x80) {
890 if (*p - start < 1)
891 return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
892
893 *--(*p) = 0x00;
894 len += 1;
895 }
896
897 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
898 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
899 MBEDTLS_ASN1_INTEGER));
900
901 return ((int) len);
902 }
903
904 /* Transcode signature from PSA format to ASN.1 sequence.
905 * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of
906 * MPIs, and in-place.
907 *
908 * [in/out] sig: the signature pre- and post-transcoding
909 * [in/out] sig_len: signature length pre- and post-transcoding
910 * [int] buf_len: the available size the in/out buffer
911 */
912 static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len,
913 size_t buf_len) {
914 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
915 size_t len = 0;
916 const size_t rs_len = *sig_len / 2;
917 unsigned char *p = sig + buf_len;
918
919 MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig + rs_len, rs_len));
920 MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig, rs_len));
921
922 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, sig, len));
923 MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, sig,
924 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
925
926 memmove(sig, p, len);
927 *sig_len = len;
928
929 return (0);
930 }
931
932 #endif /* MBEDTLS_ECDSA_C */
933
934 static int pk_opaque_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
935 const unsigned char *hash, size_t hash_len,
936 unsigned char *sig, size_t *sig_len,
937 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) {
938 #if !defined(MBEDTLS_ECDSA_C)
939 ((void) ctx);
940 ((void) md_alg);
941 ((void) hash);
942 ((void) hash_len);
943 ((void) sig);
944 ((void) sig_len);
945 ((void) f_rng);
946 ((void) p_rng);
947 return (MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE);
948 #else /* !MBEDTLS_ECDSA_C */
949 const psa_key_id_t *key = (const psa_key_id_t *) ctx;
950 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
951 psa_algorithm_t alg = PSA_ALG_ECDSA(mbedtls_psa_translate_md(md_alg));
952 size_t buf_len;
953 psa_status_t status;
954
955 /* PSA has its own RNG */
956 (void) f_rng;
957 (void) p_rng;
958
959 /* PSA needs an output buffer of known size, but our API doesn't provide
960 * that information. Assume that the buffer is large enough for a
961 * maximal-length signature with that key (otherwise the application is
962 * buggy anyway). */
963 status = psa_get_key_attributes(*key, &attributes);
964 if (status != PSA_SUCCESS)
965 return (mbedtls_psa_err_translate_pk(status));
966 buf_len = MBEDTLS_ECDSA_MAX_SIG_LEN(psa_get_key_bits(&attributes));
967 psa_reset_key_attributes(&attributes);
968 if (buf_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE)
969 return (MBEDTLS_ERR_PK_BAD_INPUT_DATA);
970
971 /* make the signature */
972 status = psa_sign_hash(*key, alg, hash, hash_len,
973 sig, buf_len, sig_len);
974 if (status != PSA_SUCCESS)
975 return (mbedtls_psa_err_translate_pk(status));
976
977 /* transcode it to ASN.1 sequence */
978 return (pk_ecdsa_sig_asn1_from_psa(sig, sig_len, buf_len));
979 #endif /* !MBEDTLS_ECDSA_C */
980 }
981
982 const mbedtls_pk_info_t mbedtls_pk_opaque_info = {
983 MBEDTLS_PK_OPAQUE,
984 "Opaque",
985 pk_opaque_get_bitlen,
986 pk_opaque_can_do,
987 NULL, /* verify - will be done later */
988 pk_opaque_sign_wrap,
989 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
990 NULL, /* restartable verify - not relevant */
991 NULL, /* restartable sign - not relevant */
992 #endif
993 NULL, /* decrypt - will be done later */
994 NULL, /* encrypt - will be done later */
995 NULL, /* check_pair - could be done later or left NULL */
996 pk_opaque_alloc_wrap,
997 pk_opaque_free_wrap,
998 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
999 NULL, /* restart alloc - not relevant */
1000 NULL, /* restart free - not relevant */
1001 #endif
1002 NULL, /* debug - could be done later, or even left NULL */
1003 };
1004
1005 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1006
1007 #endif /* MBEDTLS_PK_C */
Proxmark3 - the RFID research Swiss army knife. Iceman firmware