1 /* 2 * Public Key abstraction layer: wrapper functions 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: GPL-2.0 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License along 18 * with this program; if not, write to the Free Software Foundation, Inc., 19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 24 #if !defined(MBEDTLS_CONFIG_FILE) 25 #include "mbedtls/config.h" 26 #else 27 #include MBEDTLS_CONFIG_FILE 28 #endif 29 30 #if defined(MBEDTLS_PK_C) 31 #include "mbedtls/pk_internal.h" 32 33 /* Even if RSA not activated, for the sake of RSA-alt */ 34 #include "mbedtls/rsa.h" 35 36 #include <string.h> 37 38 #if defined(MBEDTLS_ECP_C) 39 #include "mbedtls/ecp.h" 40 #endif 41 42 #if defined(MBEDTLS_ECDSA_C) 43 #include "mbedtls/ecdsa.h" 44 #endif 45 46 #if defined(MBEDTLS_PLATFORM_C) 47 #include "mbedtls/platform.h" 48 #else 49 #include <stdlib.h> 50 #define mbedtls_calloc calloc 51 #define mbedtls_free free 52 #endif 53 54 #include <limits.h> 55 #include <stdint.h> 56 57 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 58 /* Implementation that should never be optimized out by the compiler */ 59 static void mbedtls_zeroize( void *v, size_t n ) { 60 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 61 } 62 #endif 63 64 #if defined(MBEDTLS_RSA_C) 65 static int rsa_can_do( mbedtls_pk_type_t type ) 66 { 67 return( type == MBEDTLS_PK_RSA || 68 type == MBEDTLS_PK_RSASSA_PSS ); 69 } 70 71 static size_t rsa_get_bitlen( const void *ctx ) 72 { 73 const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx; 74 return( 8 * mbedtls_rsa_get_len( rsa ) ); 75 } 76 77 static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 78 const unsigned char *hash, size_t hash_len, 79 const unsigned char *sig, size_t sig_len ) 80 { 81 int ret; 82 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 83 size_t rsa_len = mbedtls_rsa_get_len( rsa ); 84 85 #if SIZE_MAX > UINT_MAX 86 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) 87 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 88 #endif /* SIZE_MAX > UINT_MAX */ 89 90 if( sig_len < rsa_len ) 91 return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); 92 93 if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL, 94 MBEDTLS_RSA_PUBLIC, md_alg, 95 (unsigned int) hash_len, hash, sig ) ) != 0 ) 96 return( ret ); 97 98 /* The buffer contains a valid signature followed by extra data. 99 * We have a special error code for that so that so that callers can 100 * use mbedtls_pk_verify() to check "Does the buffer start with a 101 * valid signature?" and not just "Does the buffer contain a valid 102 * signature?". */ 103 if( sig_len > rsa_len ) 104 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 105 106 return( 0 ); 107 } 108 109 static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 110 const unsigned char *hash, size_t hash_len, 111 unsigned char *sig, size_t *sig_len, 112 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 113 { 114 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 115 116 #if SIZE_MAX > UINT_MAX 117 if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len ) 118 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 119 #endif /* SIZE_MAX > UINT_MAX */ 120 121 *sig_len = mbedtls_rsa_get_len( rsa ); 122 123 return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, 124 md_alg, (unsigned int) hash_len, hash, sig ) ); 125 } 126 127 static int rsa_decrypt_wrap( void *ctx, 128 const unsigned char *input, size_t ilen, 129 unsigned char *output, size_t *olen, size_t osize, 130 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 131 { 132 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 133 134 if( ilen != mbedtls_rsa_get_len( rsa ) ) 135 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 136 137 return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng, 138 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) ); 139 } 140 141 static int rsa_encrypt_wrap( void *ctx, 142 const unsigned char *input, size_t ilen, 143 unsigned char *output, size_t *olen, size_t osize, 144 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 145 { 146 mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; 147 *olen = mbedtls_rsa_get_len( rsa ); 148 149 if( *olen > osize ) 150 return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); 151 152 return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC, 153 ilen, input, output ) ); 154 } 155 156 static int rsa_check_pair_wrap( const void *pub, const void *prv ) 157 { 158 return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub, 159 (const mbedtls_rsa_context *) prv ) ); 160 } 161 162 static void *rsa_alloc_wrap( void ) 163 { 164 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) ); 165 166 if( ctx != NULL ) 167 mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 ); 168 169 return( ctx ); 170 } 171 172 static void rsa_free_wrap( void *ctx ) 173 { 174 mbedtls_rsa_free( (mbedtls_rsa_context *) ctx ); 175 mbedtls_free( ctx ); 176 } 177 178 static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items ) 179 { 180 items->type = MBEDTLS_PK_DEBUG_MPI; 181 items->name = "rsa.N"; 182 items->value = &( ((mbedtls_rsa_context *) ctx)->N ); 183 184 items++; 185 186 items->type = MBEDTLS_PK_DEBUG_MPI; 187 items->name = "rsa.E"; 188 items->value = &( ((mbedtls_rsa_context *) ctx)->E ); 189 } 190 191 const mbedtls_pk_info_t mbedtls_rsa_info = { 192 MBEDTLS_PK_RSA, 193 "RSA", 194 rsa_get_bitlen, 195 rsa_can_do, 196 rsa_verify_wrap, 197 rsa_sign_wrap, 198 rsa_decrypt_wrap, 199 rsa_encrypt_wrap, 200 rsa_check_pair_wrap, 201 rsa_alloc_wrap, 202 rsa_free_wrap, 203 rsa_debug, 204 }; 205 #endif /* MBEDTLS_RSA_C */ 206 207 #if defined(MBEDTLS_ECP_C) 208 /* 209 * Generic EC key 210 */ 211 static int eckey_can_do( mbedtls_pk_type_t type ) 212 { 213 return( type == MBEDTLS_PK_ECKEY || 214 type == MBEDTLS_PK_ECKEY_DH || 215 type == MBEDTLS_PK_ECDSA ); 216 } 217 218 static size_t eckey_get_bitlen( const void *ctx ) 219 { 220 return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits ); 221 } 222 223 #if defined(MBEDTLS_ECDSA_C) 224 /* Forward declarations */ 225 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 226 const unsigned char *hash, size_t hash_len, 227 const unsigned char *sig, size_t sig_len ); 228 229 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 230 const unsigned char *hash, size_t hash_len, 231 unsigned char *sig, size_t *sig_len, 232 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 233 234 static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 235 const unsigned char *hash, size_t hash_len, 236 const unsigned char *sig, size_t sig_len ) 237 { 238 int ret; 239 mbedtls_ecdsa_context ecdsa; 240 241 mbedtls_ecdsa_init( &ecdsa ); 242 243 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 ) 244 ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len ); 245 246 mbedtls_ecdsa_free( &ecdsa ); 247 248 return( ret ); 249 } 250 251 static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 252 const unsigned char *hash, size_t hash_len, 253 unsigned char *sig, size_t *sig_len, 254 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 255 { 256 int ret; 257 mbedtls_ecdsa_context ecdsa; 258 259 mbedtls_ecdsa_init( &ecdsa ); 260 261 if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 ) 262 ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len, 263 f_rng, p_rng ); 264 265 mbedtls_ecdsa_free( &ecdsa ); 266 267 return( ret ); 268 } 269 270 #endif /* MBEDTLS_ECDSA_C */ 271 272 static int eckey_check_pair( const void *pub, const void *prv ) 273 { 274 return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub, 275 (const mbedtls_ecp_keypair *) prv ) ); 276 } 277 278 static void *eckey_alloc_wrap( void ) 279 { 280 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) ); 281 282 if( ctx != NULL ) 283 mbedtls_ecp_keypair_init( ctx ); 284 285 return( ctx ); 286 } 287 288 static void eckey_free_wrap( void *ctx ) 289 { 290 mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx ); 291 mbedtls_free( ctx ); 292 } 293 294 static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items ) 295 { 296 items->type = MBEDTLS_PK_DEBUG_ECP; 297 items->name = "eckey.Q"; 298 items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q ); 299 } 300 301 const mbedtls_pk_info_t mbedtls_eckey_info = { 302 MBEDTLS_PK_ECKEY, 303 "EC", 304 eckey_get_bitlen, 305 eckey_can_do, 306 #if defined(MBEDTLS_ECDSA_C) 307 eckey_verify_wrap, 308 eckey_sign_wrap, 309 #else 310 NULL, 311 NULL, 312 #endif 313 NULL, 314 NULL, 315 eckey_check_pair, 316 eckey_alloc_wrap, 317 eckey_free_wrap, 318 eckey_debug, 319 }; 320 321 /* 322 * EC key restricted to ECDH 323 */ 324 static int eckeydh_can_do( mbedtls_pk_type_t type ) 325 { 326 return( type == MBEDTLS_PK_ECKEY || 327 type == MBEDTLS_PK_ECKEY_DH ); 328 } 329 330 const mbedtls_pk_info_t mbedtls_eckeydh_info = { 331 MBEDTLS_PK_ECKEY_DH, 332 "EC_DH", 333 eckey_get_bitlen, /* Same underlying key structure */ 334 eckeydh_can_do, 335 NULL, 336 NULL, 337 NULL, 338 NULL, 339 eckey_check_pair, 340 eckey_alloc_wrap, /* Same underlying key structure */ 341 eckey_free_wrap, /* Same underlying key structure */ 342 eckey_debug, /* Same underlying key structure */ 343 }; 344 #endif /* MBEDTLS_ECP_C */ 345 346 #if defined(MBEDTLS_ECDSA_C) 347 static int ecdsa_can_do( mbedtls_pk_type_t type ) 348 { 349 return( type == MBEDTLS_PK_ECDSA ); 350 } 351 352 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, 353 const unsigned char *hash, size_t hash_len, 354 const unsigned char *sig, size_t sig_len ) 355 { 356 int ret; 357 ((void) md_alg); 358 359 ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx, 360 hash, hash_len, sig, sig_len ); 361 362 if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH ) 363 return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH ); 364 365 return( ret ); 366 } 367 368 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 369 const unsigned char *hash, size_t hash_len, 370 unsigned char *sig, size_t *sig_len, 371 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 372 { 373 return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx, 374 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) ); 375 } 376 377 static void *ecdsa_alloc_wrap( void ) 378 { 379 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) ); 380 381 if( ctx != NULL ) 382 mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx ); 383 384 return( ctx ); 385 } 386 387 static void ecdsa_free_wrap( void *ctx ) 388 { 389 mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx ); 390 mbedtls_free( ctx ); 391 } 392 393 const mbedtls_pk_info_t mbedtls_ecdsa_info = { 394 MBEDTLS_PK_ECDSA, 395 "ECDSA", 396 eckey_get_bitlen, /* Compatible key structures */ 397 ecdsa_can_do, 398 ecdsa_verify_wrap, 399 ecdsa_sign_wrap, 400 NULL, 401 NULL, 402 eckey_check_pair, /* Compatible key structures */ 403 ecdsa_alloc_wrap, 404 ecdsa_free_wrap, 405 eckey_debug, /* Compatible key structures */ 406 }; 407 #endif /* MBEDTLS_ECDSA_C */ 408 409 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) 410 /* 411 * Support for alternative RSA-private implementations 412 */ 413 414 static int rsa_alt_can_do( mbedtls_pk_type_t type ) 415 { 416 return( type == MBEDTLS_PK_RSA ); 417 } 418 419 static size_t rsa_alt_get_bitlen( const void *ctx ) 420 { 421 const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx; 422 423 return( 8 * rsa_alt->key_len_func( rsa_alt->key ) ); 424 } 425 426 static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, 427 const unsigned char *hash, size_t hash_len, 428 unsigned char *sig, size_t *sig_len, 429 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 430 { 431 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 432 433 #if SIZE_MAX > UINT_MAX 434 if( UINT_MAX < hash_len ) 435 return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); 436 #endif /* SIZE_MAX > UINT_MAX */ 437 438 *sig_len = rsa_alt->key_len_func( rsa_alt->key ); 439 440 return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, 441 md_alg, (unsigned int) hash_len, hash, sig ) ); 442 } 443 444 static int rsa_alt_decrypt_wrap( void *ctx, 445 const unsigned char *input, size_t ilen, 446 unsigned char *output, size_t *olen, size_t osize, 447 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) 448 { 449 mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; 450 451 ((void) f_rng); 452 ((void) p_rng); 453 454 if( ilen != rsa_alt->key_len_func( rsa_alt->key ) ) 455 return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 456 457 return( rsa_alt->decrypt_func( rsa_alt->key, 458 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) ); 459 } 460 461 #if defined(MBEDTLS_RSA_C) 462 static int rsa_alt_check_pair( const void *pub, const void *prv ) 463 { 464 unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; 465 unsigned char hash[32]; 466 size_t sig_len = 0; 467 int ret; 468 469 if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) ) 470 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 471 472 memset( hash, 0x2a, sizeof( hash ) ); 473 474 if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE, 475 hash, sizeof( hash ), 476 sig, &sig_len, NULL, NULL ) ) != 0 ) 477 { 478 return( ret ); 479 } 480 481 if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE, 482 hash, sizeof( hash ), sig, sig_len ) != 0 ) 483 { 484 return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED ); 485 } 486 487 return( 0 ); 488 } 489 #endif /* MBEDTLS_RSA_C */ 490 491 static void *rsa_alt_alloc_wrap( void ) 492 { 493 void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) ); 494 495 if( ctx != NULL ) 496 memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) ); 497 498 return( ctx ); 499 } 500 501 static void rsa_alt_free_wrap( void *ctx ) 502 { 503 mbedtls_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) ); 504 mbedtls_free( ctx ); 505 } 506 507 const mbedtls_pk_info_t mbedtls_rsa_alt_info = { 508 MBEDTLS_PK_RSA_ALT, 509 "RSA-alt", 510 rsa_alt_get_bitlen, 511 rsa_alt_can_do, 512 NULL, 513 rsa_alt_sign_wrap, 514 rsa_alt_decrypt_wrap, 515 NULL, 516 #if defined(MBEDTLS_RSA_C) 517 rsa_alt_check_pair, 518 #else 519 NULL, 520 #endif 521 rsa_alt_alloc_wrap, 522 rsa_alt_free_wrap, 523 NULL, 524 }; 525 526 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */ 527 528 #endif /* MBEDTLS_PK_C */ 529