xref: /reactos/dll/3rdparty/mbedtls/pk_wrap.c (revision 7b1049c8)
1 /*
2  *  Public Key abstraction layer: wrapper functions
3  *
4  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6  *
7  *  This file is provided under the Apache License 2.0, or the
8  *  GNU General Public License v2.0 or later.
9  *
10  *  **********
11  *  Apache License 2.0:
12  *
13  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
14  *  not use this file except in compliance with the License.
15  *  You may obtain a copy of the License at
16  *
17  *  http://www.apache.org/licenses/LICENSE-2.0
18  *
19  *  Unless required by applicable law or agreed to in writing, software
20  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22  *  See the License for the specific language governing permissions and
23  *  limitations under the License.
24  *
25  *  **********
26  *
27  *  **********
28  *  GNU General Public License v2.0 or later:
29  *
30  *  This program is free software; you can redistribute it and/or modify
31  *  it under the terms of the GNU General Public License as published by
32  *  the Free Software Foundation; either version 2 of the License, or
33  *  (at your option) any later version.
34  *
35  *  This program is distributed in the hope that it will be useful,
36  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
37  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
38  *  GNU General Public License for more details.
39  *
40  *  You should have received a copy of the GNU General Public License along
41  *  with this program; if not, write to the Free Software Foundation, Inc.,
42  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43  *
44  *  **********
45  *
46  *  This file is part of mbed TLS (https://tls.mbed.org)
47  */
48 
49 #if !defined(MBEDTLS_CONFIG_FILE)
50 #include "mbedtls/config.h"
51 #else
52 #include MBEDTLS_CONFIG_FILE
53 #endif
54 
55 #if defined(MBEDTLS_PK_C)
56 #include "mbedtls/pk_internal.h"
57 
58 /* Even if RSA not activated, for the sake of RSA-alt */
59 #include "mbedtls/rsa.h"
60 
61 #include <string.h>
62 
63 #if defined(MBEDTLS_ECP_C)
64 #include "mbedtls/ecp.h"
65 #endif
66 
67 #if defined(MBEDTLS_ECDSA_C)
68 #include "mbedtls/ecdsa.h"
69 #endif
70 
71 #if defined(MBEDTLS_PLATFORM_C)
72 #include "mbedtls/platform.h"
73 #else
74 #include <stdlib.h>
75 #define mbedtls_calloc    calloc
76 #define mbedtls_free       free
77 #endif
78 
79 #include <limits.h>
80 #include <stdint.h>
81 
82 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
83 /* Implementation that should never be optimized out by the compiler */
84 static void mbedtls_zeroize( void *v, size_t n ) {
85     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
86 }
87 #endif
88 
89 #if defined(MBEDTLS_RSA_C)
90 static int rsa_can_do( mbedtls_pk_type_t type )
91 {
92     return( type == MBEDTLS_PK_RSA ||
93             type == MBEDTLS_PK_RSASSA_PSS );
94 }
95 
96 static size_t rsa_get_bitlen( const void *ctx )
97 {
98     const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx;
99     return( 8 * mbedtls_rsa_get_len( rsa ) );
100 }
101 
102 static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
103                    const unsigned char *hash, size_t hash_len,
104                    const unsigned char *sig, size_t sig_len )
105 {
106     int ret;
107     mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
108     size_t rsa_len = mbedtls_rsa_get_len( rsa );
109 
110 #if SIZE_MAX > UINT_MAX
111     if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
112         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
113 #endif /* SIZE_MAX > UINT_MAX */
114 
115     if( sig_len < rsa_len )
116         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
117 
118     if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL,
119                                   MBEDTLS_RSA_PUBLIC, md_alg,
120                                   (unsigned int) hash_len, hash, sig ) ) != 0 )
121         return( ret );
122 
123     /* The buffer contains a valid signature followed by extra data.
124      * We have a special error code for that so that so that callers can
125      * use mbedtls_pk_verify() to check "Does the buffer start with a
126      * valid signature?" and not just "Does the buffer contain a valid
127      * signature?". */
128     if( sig_len > rsa_len )
129         return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
130 
131     return( 0 );
132 }
133 
134 static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
135                    const unsigned char *hash, size_t hash_len,
136                    unsigned char *sig, size_t *sig_len,
137                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
138 {
139     mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
140 
141 #if SIZE_MAX > UINT_MAX
142     if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
143         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
144 #endif /* SIZE_MAX > UINT_MAX */
145 
146     *sig_len = mbedtls_rsa_get_len( rsa );
147 
148     return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
149                 md_alg, (unsigned int) hash_len, hash, sig ) );
150 }
151 
152 static int rsa_decrypt_wrap( void *ctx,
153                     const unsigned char *input, size_t ilen,
154                     unsigned char *output, size_t *olen, size_t osize,
155                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
156 {
157     mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
158 
159     if( ilen != mbedtls_rsa_get_len( rsa ) )
160         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
161 
162     return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng,
163                 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
164 }
165 
166 static int rsa_encrypt_wrap( void *ctx,
167                     const unsigned char *input, size_t ilen,
168                     unsigned char *output, size_t *olen, size_t osize,
169                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
170 {
171     mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
172     *olen = mbedtls_rsa_get_len( rsa );
173 
174     if( *olen > osize )
175         return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
176 
177     return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC,
178                                        ilen, input, output ) );
179 }
180 
181 static int rsa_check_pair_wrap( const void *pub, const void *prv )
182 {
183     return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub,
184                                 (const mbedtls_rsa_context *) prv ) );
185 }
186 
187 static void *rsa_alloc_wrap( void )
188 {
189     void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) );
190 
191     if( ctx != NULL )
192         mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 );
193 
194     return( ctx );
195 }
196 
197 static void rsa_free_wrap( void *ctx )
198 {
199     mbedtls_rsa_free( (mbedtls_rsa_context *) ctx );
200     mbedtls_free( ctx );
201 }
202 
203 static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items )
204 {
205     items->type = MBEDTLS_PK_DEBUG_MPI;
206     items->name = "rsa.N";
207     items->value = &( ((mbedtls_rsa_context *) ctx)->N );
208 
209     items++;
210 
211     items->type = MBEDTLS_PK_DEBUG_MPI;
212     items->name = "rsa.E";
213     items->value = &( ((mbedtls_rsa_context *) ctx)->E );
214 }
215 
216 const mbedtls_pk_info_t mbedtls_rsa_info = {
217     MBEDTLS_PK_RSA,
218     "RSA",
219     rsa_get_bitlen,
220     rsa_can_do,
221     rsa_verify_wrap,
222     rsa_sign_wrap,
223     rsa_decrypt_wrap,
224     rsa_encrypt_wrap,
225     rsa_check_pair_wrap,
226     rsa_alloc_wrap,
227     rsa_free_wrap,
228     rsa_debug,
229 };
230 #endif /* MBEDTLS_RSA_C */
231 
232 #if defined(MBEDTLS_ECP_C)
233 /*
234  * Generic EC key
235  */
236 static int eckey_can_do( mbedtls_pk_type_t type )
237 {
238     return( type == MBEDTLS_PK_ECKEY ||
239             type == MBEDTLS_PK_ECKEY_DH ||
240             type == MBEDTLS_PK_ECDSA );
241 }
242 
243 static size_t eckey_get_bitlen( const void *ctx )
244 {
245     return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits );
246 }
247 
248 #if defined(MBEDTLS_ECDSA_C)
249 /* Forward declarations */
250 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
251                        const unsigned char *hash, size_t hash_len,
252                        const unsigned char *sig, size_t sig_len );
253 
254 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
255                    const unsigned char *hash, size_t hash_len,
256                    unsigned char *sig, size_t *sig_len,
257                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
258 
259 static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
260                        const unsigned char *hash, size_t hash_len,
261                        const unsigned char *sig, size_t sig_len )
262 {
263     int ret;
264     mbedtls_ecdsa_context ecdsa;
265 
266     mbedtls_ecdsa_init( &ecdsa );
267 
268     if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
269         ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len );
270 
271     mbedtls_ecdsa_free( &ecdsa );
272 
273     return( ret );
274 }
275 
276 static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
277                    const unsigned char *hash, size_t hash_len,
278                    unsigned char *sig, size_t *sig_len,
279                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
280 {
281     int ret;
282     mbedtls_ecdsa_context ecdsa;
283 
284     mbedtls_ecdsa_init( &ecdsa );
285 
286     if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
287         ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len,
288                                f_rng, p_rng );
289 
290     mbedtls_ecdsa_free( &ecdsa );
291 
292     return( ret );
293 }
294 
295 #endif /* MBEDTLS_ECDSA_C */
296 
297 static int eckey_check_pair( const void *pub, const void *prv )
298 {
299     return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub,
300                                 (const mbedtls_ecp_keypair *) prv ) );
301 }
302 
303 static void *eckey_alloc_wrap( void )
304 {
305     void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
306 
307     if( ctx != NULL )
308         mbedtls_ecp_keypair_init( ctx );
309 
310     return( ctx );
311 }
312 
313 static void eckey_free_wrap( void *ctx )
314 {
315     mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx );
316     mbedtls_free( ctx );
317 }
318 
319 static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items )
320 {
321     items->type = MBEDTLS_PK_DEBUG_ECP;
322     items->name = "eckey.Q";
323     items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q );
324 }
325 
326 const mbedtls_pk_info_t mbedtls_eckey_info = {
327     MBEDTLS_PK_ECKEY,
328     "EC",
329     eckey_get_bitlen,
330     eckey_can_do,
331 #if defined(MBEDTLS_ECDSA_C)
332     eckey_verify_wrap,
333     eckey_sign_wrap,
334 #else
335     NULL,
336     NULL,
337 #endif
338     NULL,
339     NULL,
340     eckey_check_pair,
341     eckey_alloc_wrap,
342     eckey_free_wrap,
343     eckey_debug,
344 };
345 
346 /*
347  * EC key restricted to ECDH
348  */
349 static int eckeydh_can_do( mbedtls_pk_type_t type )
350 {
351     return( type == MBEDTLS_PK_ECKEY ||
352             type == MBEDTLS_PK_ECKEY_DH );
353 }
354 
355 const mbedtls_pk_info_t mbedtls_eckeydh_info = {
356     MBEDTLS_PK_ECKEY_DH,
357     "EC_DH",
358     eckey_get_bitlen,         /* Same underlying key structure */
359     eckeydh_can_do,
360     NULL,
361     NULL,
362     NULL,
363     NULL,
364     eckey_check_pair,
365     eckey_alloc_wrap,       /* Same underlying key structure */
366     eckey_free_wrap,        /* Same underlying key structure */
367     eckey_debug,            /* Same underlying key structure */
368 };
369 #endif /* MBEDTLS_ECP_C */
370 
371 #if defined(MBEDTLS_ECDSA_C)
372 static int ecdsa_can_do( mbedtls_pk_type_t type )
373 {
374     return( type == MBEDTLS_PK_ECDSA );
375 }
376 
377 static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
378                        const unsigned char *hash, size_t hash_len,
379                        const unsigned char *sig, size_t sig_len )
380 {
381     int ret;
382     ((void) md_alg);
383 
384     ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx,
385                                 hash, hash_len, sig, sig_len );
386 
387     if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
388         return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
389 
390     return( ret );
391 }
392 
393 static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
394                    const unsigned char *hash, size_t hash_len,
395                    unsigned char *sig, size_t *sig_len,
396                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
397 {
398     return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx,
399                 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) );
400 }
401 
402 static void *ecdsa_alloc_wrap( void )
403 {
404     void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) );
405 
406     if( ctx != NULL )
407         mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx );
408 
409     return( ctx );
410 }
411 
412 static void ecdsa_free_wrap( void *ctx )
413 {
414     mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx );
415     mbedtls_free( ctx );
416 }
417 
418 const mbedtls_pk_info_t mbedtls_ecdsa_info = {
419     MBEDTLS_PK_ECDSA,
420     "ECDSA",
421     eckey_get_bitlen,     /* Compatible key structures */
422     ecdsa_can_do,
423     ecdsa_verify_wrap,
424     ecdsa_sign_wrap,
425     NULL,
426     NULL,
427     eckey_check_pair,   /* Compatible key structures */
428     ecdsa_alloc_wrap,
429     ecdsa_free_wrap,
430     eckey_debug,        /* Compatible key structures */
431 };
432 #endif /* MBEDTLS_ECDSA_C */
433 
434 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
435 /*
436  * Support for alternative RSA-private implementations
437  */
438 
439 static int rsa_alt_can_do( mbedtls_pk_type_t type )
440 {
441     return( type == MBEDTLS_PK_RSA );
442 }
443 
444 static size_t rsa_alt_get_bitlen( const void *ctx )
445 {
446     const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
447 
448     return( 8 * rsa_alt->key_len_func( rsa_alt->key ) );
449 }
450 
451 static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
452                    const unsigned char *hash, size_t hash_len,
453                    unsigned char *sig, size_t *sig_len,
454                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
455 {
456     mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
457 
458 #if SIZE_MAX > UINT_MAX
459     if( UINT_MAX < hash_len )
460         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
461 #endif /* SIZE_MAX > UINT_MAX */
462 
463     *sig_len = rsa_alt->key_len_func( rsa_alt->key );
464 
465     return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
466                 md_alg, (unsigned int) hash_len, hash, sig ) );
467 }
468 
469 static int rsa_alt_decrypt_wrap( void *ctx,
470                     const unsigned char *input, size_t ilen,
471                     unsigned char *output, size_t *olen, size_t osize,
472                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
473 {
474     mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
475 
476     ((void) f_rng);
477     ((void) p_rng);
478 
479     if( ilen != rsa_alt->key_len_func( rsa_alt->key ) )
480         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
481 
482     return( rsa_alt->decrypt_func( rsa_alt->key,
483                 MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
484 }
485 
486 #if defined(MBEDTLS_RSA_C)
487 static int rsa_alt_check_pair( const void *pub, const void *prv )
488 {
489     unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
490     unsigned char hash[32];
491     size_t sig_len = 0;
492     int ret;
493 
494     if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) )
495         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
496 
497     memset( hash, 0x2a, sizeof( hash ) );
498 
499     if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE,
500                                    hash, sizeof( hash ),
501                                    sig, &sig_len, NULL, NULL ) ) != 0 )
502     {
503         return( ret );
504     }
505 
506     if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE,
507                          hash, sizeof( hash ), sig, sig_len ) != 0 )
508     {
509         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
510     }
511 
512     return( 0 );
513 }
514 #endif /* MBEDTLS_RSA_C */
515 
516 static void *rsa_alt_alloc_wrap( void )
517 {
518     void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) );
519 
520     if( ctx != NULL )
521         memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) );
522 
523     return( ctx );
524 }
525 
526 static void rsa_alt_free_wrap( void *ctx )
527 {
528     mbedtls_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) );
529     mbedtls_free( ctx );
530 }
531 
532 const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
533     MBEDTLS_PK_RSA_ALT,
534     "RSA-alt",
535     rsa_alt_get_bitlen,
536     rsa_alt_can_do,
537     NULL,
538     rsa_alt_sign_wrap,
539     rsa_alt_decrypt_wrap,
540     NULL,
541 #if defined(MBEDTLS_RSA_C)
542     rsa_alt_check_pair,
543 #else
544     NULL,
545 #endif
546     rsa_alt_alloc_wrap,
547     rsa_alt_free_wrap,
548     NULL,
549 };
550 
551 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
552 
553 #endif /* MBEDTLS_PK_C */
554