/src/mbedtls/library/psa_crypto_ecp.c

Source (jump to first uncovered line)
/*
 *  PSA ECP layer on top of Mbed TLS crypto
 */
/*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */

#include "common.h"

#if defined(MBEDTLS_PSA_CRYPTO_C)

#include <psa/crypto.h>
#include "psa_crypto_core.h"
#include "psa_crypto_ecp.h"
#include "psa_crypto_random_impl.h"
#include "mbedtls/psa_util.h"

#include <stdlib.h>
#include <string.h>
#include "mbedtls/platform.h"

#include <mbedtls/ecdsa.h>
#include <mbedtls/ecdh.h>
#include <mbedtls/ecp.h>
#include <mbedtls/error.h>

#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
    defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
    defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
/* Helper function to verify if the provided EC's family and key bit size are valid.
 *
 * Note: "bits" parameter is used both as input and output and it might be updated
 *       in case provided input value is not multiple of 8 ("sloppy" bits).
 */
static int check_ecc_parameters(psa_ecc_family_t family, size_t *bits)
{
    switch (family) {
        case PSA_ECC_FAMILY_SECP_R1:
            switch (*bits) {
                case 192:
                case 224:
                case 256:
                case 384:
                case 521:
                    return PSA_SUCCESS;
                case 528:
                    *bits = 521;
                    return PSA_SUCCESS;
            }
            break;

        case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
            switch (*bits) {
                case 256:
                case 384:
                case 512:
                    return PSA_SUCCESS;
            }
            break;

        case PSA_ECC_FAMILY_MONTGOMERY:
            switch (*bits) {
                case 448:
                case 255:
                    return PSA_SUCCESS;
                case 256:
                    *bits = 255;
                    return PSA_SUCCESS;
            }
            break;

        case PSA_ECC_FAMILY_SECP_K1:
            switch (*bits) {
                case 192:
                /* secp224k1 is not and will not be supported in PSA (#3541). */
                case 256:
                    return PSA_SUCCESS;
            }
            break;
    }

    return PSA_ERROR_INVALID_ARGUMENT;
}

psa_status_t mbedtls_psa_ecp_load_representation(
    psa_key_type_t type, size_t curve_bits,
    const uint8_t *data, size_t data_length,
    mbedtls_ecp_keypair **p_ecp)
{
    mbedtls_ecp_group_id grp_id = MBEDTLS_ECP_DP_NONE;
    psa_status_t status;
    mbedtls_ecp_keypair *ecp = NULL;
    size_t curve_bytes = data_length;
    int explicit_bits = (curve_bits != 0);

    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
        PSA_KEY_TYPE_ECC_GET_FAMILY(type) != PSA_ECC_FAMILY_MONTGOMERY) {
        /* A Weierstrass public key is represented as:
         * - The byte 0x04;
         * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
         * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
         * So its data length is 2m+1 where m is the curve size in bits.
         */
        if ((data_length & 1) == 0) {
            return PSA_ERROR_INVALID_ARGUMENT;
        }
        curve_bytes = data_length / 2;

        /* Montgomery public keys are represented in compressed format, meaning
         * their curve_bytes is equal to the amount of input. */

        /* Private keys are represented in uncompressed private random integer
         * format, meaning their curve_bytes is equal to the amount of input. */
    }

    if (explicit_bits) {
        /* With an explicit bit-size, the data must have the matching length. */
        if (curve_bytes != PSA_BITS_TO_BYTES(curve_bits)) {
            return PSA_ERROR_INVALID_ARGUMENT;
        }
    } else {
        /* We need to infer the bit-size from the data. Since the only
         * information we have is the length in bytes, the value of curve_bits
         * at this stage is rounded up to the nearest multiple of 8. */
        curve_bits = PSA_BYTES_TO_BITS(curve_bytes);
    }

    /* Allocate and initialize a key representation. */
    ecp = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
    if (ecp == NULL) {
        return PSA_ERROR_INSUFFICIENT_MEMORY;
    }
    mbedtls_ecp_keypair_init(ecp);

    status = check_ecc_parameters(PSA_KEY_TYPE_ECC_GET_FAMILY(type), &curve_bits);
    if (status != PSA_SUCCESS) {
        goto exit;
    }

    /* Load the group. */
    grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type),
                                        curve_bits);
    if (grp_id == MBEDTLS_ECP_DP_NONE) {
        status = PSA_ERROR_NOT_SUPPORTED;
        goto exit;
    }

    status = mbedtls_to_psa_error(
        mbedtls_ecp_group_load(&ecp->grp, grp_id));
    if (status != PSA_SUCCESS) {
        goto exit;
    }

    /* Load the key material. */
    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
        /* Load the public value. */
        status = mbedtls_to_psa_error(
            mbedtls_ecp_point_read_binary(&ecp->grp, &ecp->Q,
                                          data,
                                          data_length));
        if (status != PSA_SUCCESS) {
            goto exit;
        }

        /* Check that the point is on the curve. */
        status = mbedtls_to_psa_error(
            mbedtls_ecp_check_pubkey(&ecp->grp, &ecp->Q));
        if (status != PSA_SUCCESS) {
            goto exit;
        }
    } else {
        /* Load and validate the secret value. */
        status = mbedtls_to_psa_error(
            mbedtls_ecp_read_key(ecp->grp.id,
                                 ecp,
                                 data,
                                 data_length));
        if (status != PSA_SUCCESS) {
            goto exit;
        }
    }

    *p_ecp = ecp;
exit:
    if (status != PSA_SUCCESS) {
        mbedtls_ecp_keypair_free(ecp);
        mbedtls_free(ecp);
    }

    return status;
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) ||
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ||
        * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ||
        * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */

#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)

psa_status_t mbedtls_psa_ecp_import_key(
    const psa_key_attributes_t *attributes,
    const uint8_t *data, size_t data_length,
    uint8_t *key_buffer, size_t key_buffer_size,
    size_t *key_buffer_length, size_t *bits)
{
    psa_status_t status;
    mbedtls_ecp_keypair *ecp = NULL;

    /* Parse input */
    status = mbedtls_psa_ecp_load_representation(attributes->type,
                                                 attributes->bits,
                                                 data,
                                                 data_length,
                                                 &ecp);
    if (status != PSA_SUCCESS) {
        goto exit;
    }

    if (PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type) ==
        PSA_ECC_FAMILY_MONTGOMERY) {
        *bits = ecp->grp.nbits + 1;
    } else {
        *bits = ecp->grp.nbits;
    }

    /* Re-export the data to PSA export format. There is currently no support
     * for other input formats then the export format, so this is a 1-1
     * copy operation. */
    status = mbedtls_psa_ecp_export_key(attributes->type,
                                        ecp,
                                        key_buffer,
                                        key_buffer_size,
                                        key_buffer_length);
exit:
    /* Always free the PK object (will also free contained ECP context) */
    mbedtls_ecp_keypair_free(ecp);
    mbedtls_free(ecp);

    return status;
}

psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
                                        mbedtls_ecp_keypair *ecp,
                                        uint8_t *data,
                                        size_t data_size,
                                        size_t *data_length)
{
    psa_status_t status;

    if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
        /* Check whether the public part is loaded */
        if (mbedtls_ecp_is_zero(&ecp->Q)) {
            /* Calculate the public key */
            status = mbedtls_to_psa_error(
                mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
                                mbedtls_psa_get_random,
                                MBEDTLS_PSA_RANDOM_STATE));
            if (status != PSA_SUCCESS) {
                return status;
            }
        }

        status = mbedtls_to_psa_error(
            mbedtls_ecp_point_write_binary(&ecp->grp, &ecp->Q,
                                           MBEDTLS_ECP_PF_UNCOMPRESSED,
                                           data_length,
                                           data,
                                           data_size));
        if (status != PSA_SUCCESS) {
            memset(data, 0, data_size);
        }

        return status;
    } else {
        status = mbedtls_to_psa_error(
            mbedtls_ecp_write_key_ext(ecp, data_length, data, data_size));
        return status;
    }
}

psa_status_t mbedtls_psa_ecp_export_public_key(
    const psa_key_attributes_t *attributes,
    const uint8_t *key_buffer, size_t key_buffer_size,
    uint8_t *data, size_t data_size, size_t *data_length)
{
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    mbedtls_ecp_keypair *ecp = NULL;

    status = mbedtls_psa_ecp_load_representation(
        attributes->type, attributes->bits,
        key_buffer, key_buffer_size, &ecp);
    if (status != PSA_SUCCESS) {
        return status;
    }

    status = mbedtls_psa_ecp_export_key(
        PSA_KEY_TYPE_ECC_PUBLIC_KEY(
            PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type)),
        ecp, data, data_size, data_length);

    mbedtls_ecp_keypair_free(ecp);
    mbedtls_free(ecp);

    return status;
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
        * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */

#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
psa_status_t mbedtls_psa_ecp_generate_key(
    const psa_key_attributes_t *attributes,
    uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
{
    psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
        attributes->type);
    mbedtls_ecp_group_id grp_id =
        mbedtls_ecc_group_from_psa(curve, attributes->bits);
    if (grp_id == MBEDTLS_ECP_DP_NONE) {
        return PSA_ERROR_NOT_SUPPORTED;
    }

    mbedtls_ecp_keypair ecp;
    mbedtls_ecp_keypair_init(&ecp);
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

    ret = mbedtls_ecp_group_load(&ecp.grp, grp_id);
    if (ret != 0) {
        goto exit;
    }

    ret = mbedtls_ecp_gen_privkey(&ecp.grp, &ecp.d,
                                  mbedtls_psa_get_random,
                                  MBEDTLS_PSA_RANDOM_STATE);
    if (ret != 0) {
        goto exit;
    }

    ret = mbedtls_ecp_write_key_ext(&ecp, key_buffer_length,
                                    key_buffer, key_buffer_size);

exit:
    mbedtls_ecp_keypair_free(&ecp);
    return mbedtls_to_psa_error(ret);
}
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */

/****************************************************************/
/* ECDSA sign/verify */
/****************************************************************/

#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
    defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
psa_status_t mbedtls_psa_ecdsa_sign_hash(
    const psa_key_attributes_t *attributes,
    const uint8_t *key_buffer, size_t key_buffer_size,
    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
    uint8_t *signature, size_t signature_size, size_t *signature_length)
{
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    mbedtls_ecp_keypair *ecp = NULL;
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t curve_bytes;
    mbedtls_mpi r, s;

    status = mbedtls_psa_ecp_load_representation(attributes->type,
                                                 attributes->bits,
                                                 key_buffer,
                                                 key_buffer_size,
                                                 &ecp);
    if (status != PSA_SUCCESS) {
        return status;
    }

    curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
    mbedtls_mpi_init(&r);
    mbedtls_mpi_init(&s);

    if (signature_size < 2 * curve_bytes) {
        ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
        goto cleanup;
    }

    if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
        psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
        mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
        MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_ext(
                            &ecp->grp, &r, &s,
                            &ecp->d, hash,
                            hash_length, md_alg,
                            mbedtls_psa_get_random,
                            MBEDTLS_PSA_RANDOM_STATE));
#else
        ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
        goto cleanup;
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
    } else {
        (void) alg;
        MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ecp->grp, &r, &s, &ecp->d,
                                           hash, hash_length,
                                           mbedtls_psa_get_random,
                                           MBEDTLS_PSA_RANDOM_STATE));
    }

    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&r,
                                             signature,
                                             curve_bytes));
    MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&s,
                                             signature + curve_bytes,
                                             curve_bytes));
cleanup:
    mbedtls_mpi_free(&r);
    mbedtls_mpi_free(&s);
    if (ret == 0) {
        *signature_length = 2 * curve_bytes;
    }

    mbedtls_ecp_keypair_free(ecp);
    mbedtls_free(ecp);

    return mbedtls_to_psa_error(ret);
}

psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
{
    int ret = 0;

    /* Check whether the public part is loaded. If not, load it. */
    if (mbedtls_ecp_is_zero(&ecp->Q)) {
        ret = mbedtls_ecp_mul(&ecp->grp, &ecp->Q,
                              &ecp->d, &ecp->grp.G,
                              mbedtls_psa_get_random,
                              MBEDTLS_PSA_RANDOM_STATE);
    }

    return mbedtls_to_psa_error(ret);
}

psa_status_t mbedtls_psa_ecdsa_verify_hash(
    const psa_key_attributes_t *attributes,
    const uint8_t *key_buffer, size_t key_buffer_size,
    psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
    const uint8_t *signature, size_t signature_length)
{
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
    mbedtls_ecp_keypair *ecp = NULL;
    size_t curve_bytes;
    mbedtls_mpi r, s;

    (void) alg;

    status = mbedtls_psa_ecp_load_representation(attributes->type,
                                                 attributes->bits,
                                                 key_buffer,
                                                 key_buffer_size,
                                                 &ecp);
    if (status != PSA_SUCCESS) {
        return status;
    }

    curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
    mbedtls_mpi_init(&r);
    mbedtls_mpi_init(&s);

    if (signature_length != 2 * curve_bytes) {
        status = PSA_ERROR_INVALID_SIGNATURE;
        goto cleanup;
    }

    status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&r,
                                                          signature,
                                                          curve_bytes));
    if (status != PSA_SUCCESS) {
        goto cleanup;
    }

    status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&s,
                                                          signature + curve_bytes,
                                                          curve_bytes));
    if (status != PSA_SUCCESS) {
        goto cleanup;
    }

    status = mbedtls_psa_ecp_load_public_part(ecp);
    if (status != PSA_SUCCESS) {
        goto cleanup;
    }

    status = mbedtls_to_psa_error(mbedtls_ecdsa_verify(&ecp->grp, hash,
                                                       hash_length, &ecp->Q,
                                                       &r, &s));
cleanup:
    mbedtls_mpi_free(&r);
    mbedtls_mpi_free(&s);
    mbedtls_ecp_keypair_free(ecp);
    mbedtls_free(ecp);

    return status;
}

#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
        * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */

/****************************************************************/
/* ECDH Key Agreement */
/****************************************************************/

#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
psa_status_t mbedtls_psa_key_agreement_ecdh(
    const psa_key_attributes_t *attributes,
    const uint8_t *key_buffer, size_t key_buffer_size,
    psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length,
    uint8_t *shared_secret, size_t shared_secret_size,
    size_t *shared_secret_length)
{
    psa_status_t status;
    if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type) ||
        !PSA_ALG_IS_ECDH(alg)) {
        return PSA_ERROR_INVALID_ARGUMENT;
    }
    mbedtls_ecp_keypair *ecp = NULL;
    status = mbedtls_psa_ecp_load_representation(
        attributes->type,
        attributes->bits,
        key_buffer,
        key_buffer_size,
        &ecp);
    if (status != PSA_SUCCESS) {
        return status;
    }
    mbedtls_ecp_keypair *their_key = NULL;
    mbedtls_ecdh_context ecdh;
    size_t bits = 0;
    psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ecp->grp.id, &bits);
    mbedtls_ecdh_init(&ecdh);

    status = mbedtls_psa_ecp_load_representation(
        PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve),
        bits,
        peer_key,
        peer_key_length,
        &their_key);
    if (status != PSA_SUCCESS) {
        goto exit;
    }

    status = mbedtls_to_psa_error(
        mbedtls_ecdh_get_params(&ecdh, their_key, MBEDTLS_ECDH_THEIRS));
    if (status != PSA_SUCCESS) {
        goto exit;
    }
    status = mbedtls_to_psa_error(
        mbedtls_ecdh_get_params(&ecdh, ecp, MBEDTLS_ECDH_OURS));
    if (status != PSA_SUCCESS) {
        goto exit;
    }

    status = mbedtls_to_psa_error(
        mbedtls_ecdh_calc_secret(&ecdh,
                                 shared_secret_length,
                                 shared_secret, shared_secret_size,
                                 mbedtls_psa_get_random,
                                 MBEDTLS_PSA_RANDOM_STATE));
    if (status != PSA_SUCCESS) {
        goto exit;
    }
    if (PSA_BITS_TO_BYTES(bits) != *shared_secret_length) {
        status = PSA_ERROR_CORRUPTION_DETECTED;
    }
exit:
    if (status != PSA_SUCCESS) {
        mbedtls_platform_zeroize(shared_secret, shared_secret_size);
    }
    mbedtls_ecdh_free(&ecdh);
    mbedtls_ecp_keypair_free(their_key);
    mbedtls_free(their_key);
    mbedtls_ecp_keypair_free(ecp);
    mbedtls_free(ecp);
    return status;
}
#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */


#endif /* MBEDTLS_PSA_CRYPTO_C */

Coverage Report

Created: 2025-03-01 06:26

Line	Count	Source (jump to first uncovered line)
1		/*
2		* PSA ECP layer on top of Mbed TLS crypto
3		*/
4		/*
5		* Copyright The Mbed TLS Contributors
6		* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7		*/
8
9		#include "common.h"
10
11		#if defined(MBEDTLS_PSA_CRYPTO_C)
12
13		#include <psa/crypto.h>
14		#include "psa_crypto_core.h"
15		#include "psa_crypto_ecp.h"
16		#include "psa_crypto_random_impl.h"
17		#include "mbedtls/psa_util.h"
18
19		#include <stdlib.h>
20		#include <string.h>
21		#include "mbedtls/platform.h"
22
23		#include <mbedtls/ecdsa.h>
24		#include <mbedtls/ecdh.h>
25		#include <mbedtls/ecp.h>
26		#include <mbedtls/error.h>
27
28		#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) \|\| \
29		defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) \|\| \
30		defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) \|\| \
31		defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) \|\| \
32		defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) \|\| \
33		defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) \|\| \
34		defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
35		/* Helper function to verify if the provided EC's family and key bit size are valid.
36		*
37		* Note: "bits" parameter is used both as input and output and it might be updated
38		* in case provided input value is not multiple of 8 ("sloppy" bits).
39		*/
40		static int check_ecc_parameters(psa_ecc_family_t family, size_t *bits)
41	0	{
42	0	switch (family) {
43	0	case PSA_ECC_FAMILY_SECP_R1:
44	0	switch (*bits) {
45	0	case 192:
46	0	case 224:
47	0	case 256:
48	0	case 384:
49	0	case 521:
50	0	return PSA_SUCCESS;
51	0	case 528:
52	0	*bits = 521;
53	0	return PSA_SUCCESS;
54	0	}
55	0	break;
56
57	0	case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
58	0	switch (*bits) {
59	0	case 256:
60	0	case 384:
61	0	case 512:
62	0	return PSA_SUCCESS;
63	0	}
64	0	break;
65
66	0	case PSA_ECC_FAMILY_MONTGOMERY:
67	0	switch (*bits) {
68	0	case 448:
69	0	case 255:
70	0	return PSA_SUCCESS;
71	0	case 256:
72	0	*bits = 255;
73	0	return PSA_SUCCESS;
74	0	}
75	0	break;
76
77	0	case PSA_ECC_FAMILY_SECP_K1:
78	0	switch (*bits) {
79	0	case 192:
80		/* secp224k1 is not and will not be supported in PSA (#3541). */
81	0	case 256:
82	0	return PSA_SUCCESS;
83	0	}
84	0	break;
85	0	}
86
87	0	return PSA_ERROR_INVALID_ARGUMENT;
88	0	}
89
90		psa_status_t mbedtls_psa_ecp_load_representation(
91		psa_key_type_t type, size_t curve_bits,
92		const uint8_t *data, size_t data_length,
93		mbedtls_ecp_keypair **p_ecp)
94	0	{
95	0	mbedtls_ecp_group_id grp_id = MBEDTLS_ECP_DP_NONE;
96	0	psa_status_t status;
97	0	mbedtls_ecp_keypair *ecp = NULL;
98	0	size_t curve_bytes = data_length;
99	0	int explicit_bits = (curve_bits != 0);
100
101	0	if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
102	0	PSA_KEY_TYPE_ECC_GET_FAMILY(type) != PSA_ECC_FAMILY_MONTGOMERY) {
103		/* A Weierstrass public key is represented as:
104		* - The byte 0x04;
105		* - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
106		* - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
107		* So its data length is 2m+1 where m is the curve size in bits.
108		*/
109	0	if ((data_length & 1) == 0) {
110	0	return PSA_ERROR_INVALID_ARGUMENT;
111	0	}
112	0	curve_bytes = data_length / 2;
113
114		/* Montgomery public keys are represented in compressed format, meaning
115		* their curve_bytes is equal to the amount of input. */
116
117		/* Private keys are represented in uncompressed private random integer
118		* format, meaning their curve_bytes is equal to the amount of input. */
119	0	}
120
121	0	if (explicit_bits) {
122		/* With an explicit bit-size, the data must have the matching length. */
123	0	if (curve_bytes != PSA_BITS_TO_BYTES(curve_bits)) {
124	0	return PSA_ERROR_INVALID_ARGUMENT;
125	0	}
126	0	} else {
127		/* We need to infer the bit-size from the data. Since the only
128		* information we have is the length in bytes, the value of curve_bits
129		* at this stage is rounded up to the nearest multiple of 8. */
130	0	curve_bits = PSA_BYTES_TO_BITS(curve_bytes);
131	0	}
132
133		/* Allocate and initialize a key representation. */
134	0	ecp = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
135	0	if (ecp == NULL) {
136	0	return PSA_ERROR_INSUFFICIENT_MEMORY;
137	0	}
138	0	mbedtls_ecp_keypair_init(ecp);
139
140	0	status = check_ecc_parameters(PSA_KEY_TYPE_ECC_GET_FAMILY(type), &curve_bits);
141	0	if (status != PSA_SUCCESS) {
142	0	goto exit;
143	0	}
144
145		/* Load the group. */
146	0	grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type),
147	0	curve_bits);
148	0	if (grp_id == MBEDTLS_ECP_DP_NONE) {
149	0	status = PSA_ERROR_NOT_SUPPORTED;
150	0	goto exit;
151	0	}
152
153	0	status = mbedtls_to_psa_error(
154	0	mbedtls_ecp_group_load(&ecp->grp, grp_id));
155	0	if (status != PSA_SUCCESS) {
156	0	goto exit;
157	0	}
158
159		/* Load the key material. */
160	0	if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
161		/* Load the public value. */
162	0	status = mbedtls_to_psa_error(
163	0	mbedtls_ecp_point_read_binary(&ecp->grp, &ecp->Q,
164	0	data,
165	0	data_length));
166	0	if (status != PSA_SUCCESS) {
167	0	goto exit;
168	0	}
169
170		/* Check that the point is on the curve. */
171	0	status = mbedtls_to_psa_error(
172	0	mbedtls_ecp_check_pubkey(&ecp->grp, &ecp->Q));
173	0	if (status != PSA_SUCCESS) {
174	0	goto exit;
175	0	}
176	0	} else {
177		/* Load and validate the secret value. */
178	0	status = mbedtls_to_psa_error(
179	0	mbedtls_ecp_read_key(ecp->grp.id,
180	0	ecp,
181	0	data,
182	0	data_length));
183	0	if (status != PSA_SUCCESS) {
184	0	goto exit;
185	0	}
186	0	}
187
188	0	*p_ecp = ecp;
189	0	exit:
190	0	if (status != PSA_SUCCESS) {
191	0	mbedtls_ecp_keypair_free(ecp);
192	0	mbedtls_free(ecp);
193	0	}
194
195	0	return status;
196	0	}
197		#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) \|\|
198		* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) \|\|
199		* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) \|\|
200		* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) \|\|
201		* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) \|\|
202		* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) \|\|
203		* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */
204
205		#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) \|\| \
206		defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) \|\| \
207		defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
208
209		psa_status_t mbedtls_psa_ecp_import_key(
210		const psa_key_attributes_t *attributes,
211		const uint8_t *data, size_t data_length,
212		uint8_t *key_buffer, size_t key_buffer_size,
213		size_t key_buffer_length, size_t bits)
214	0	{
215	0	psa_status_t status;
216	0	mbedtls_ecp_keypair *ecp = NULL;
217
218		/* Parse input */
219	0	status = mbedtls_psa_ecp_load_representation(attributes->type,
220	0	attributes->bits,
221	0	data,
222	0	data_length,
223	0	&ecp);
224	0	if (status != PSA_SUCCESS) {
225	0	goto exit;
226	0	}
227
228	0	if (PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type) ==
229	0	PSA_ECC_FAMILY_MONTGOMERY) {
230	0	*bits = ecp->grp.nbits + 1;
231	0	} else {
232	0	*bits = ecp->grp.nbits;
233	0	}
234
235		/* Re-export the data to PSA export format. There is currently no support
236		* for other input formats then the export format, so this is a 1-1
237		* copy operation. */
238	0	status = mbedtls_psa_ecp_export_key(attributes->type,
239	0	ecp,
240	0	key_buffer,
241	0	key_buffer_size,
242	0	key_buffer_length);
243	0	exit:
244		/* Always free the PK object (will also free contained ECP context) */
245	0	mbedtls_ecp_keypair_free(ecp);
246	0	mbedtls_free(ecp);
247
248	0	return status;
249	0	}
250
251		psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
252		mbedtls_ecp_keypair *ecp,
253		uint8_t *data,
254		size_t data_size,
255		size_t *data_length)
256	0	{
257	0	psa_status_t status;
258
259	0	if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
260		/* Check whether the public part is loaded */
261	0	if (mbedtls_ecp_is_zero(&ecp->Q)) {
262		/* Calculate the public key */
263	0	status = mbedtls_to_psa_error(
264	0	mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
265	0	mbedtls_psa_get_random,
266	0	MBEDTLS_PSA_RANDOM_STATE));
267	0	if (status != PSA_SUCCESS) {
268	0	return status;
269	0	}
270	0	}
271
272	0	status = mbedtls_to_psa_error(
273	0	mbedtls_ecp_point_write_binary(&ecp->grp, &ecp->Q,
274	0	MBEDTLS_ECP_PF_UNCOMPRESSED,
275	0	data_length,
276	0	data,
277	0	data_size));
278	0	if (status != PSA_SUCCESS) {
279	0	memset(data, 0, data_size);
280	0	}
281
282	0	return status;
283	0	} else {
284	0	status = mbedtls_to_psa_error(
285	0	mbedtls_ecp_write_key_ext(ecp, data_length, data, data_size));
286	0	return status;
287	0	}
288	0	}
289
290		psa_status_t mbedtls_psa_ecp_export_public_key(
291		const psa_key_attributes_t *attributes,
292		const uint8_t *key_buffer, size_t key_buffer_size,
293		uint8_t data, size_t data_size, size_t data_length)
294	0	{
295	0	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
296	0	mbedtls_ecp_keypair *ecp = NULL;
297
298	0	status = mbedtls_psa_ecp_load_representation(
299	0	attributes->type, attributes->bits,
300	0	key_buffer, key_buffer_size, &ecp);
301	0	if (status != PSA_SUCCESS) {
302	0	return status;
303	0	}
304
305	0	status = mbedtls_psa_ecp_export_key(
306	0	PSA_KEY_TYPE_ECC_PUBLIC_KEY(
307	0	PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type)),
308	0	ecp, data, data_size, data_length);
309
310	0	mbedtls_ecp_keypair_free(ecp);
311	0	mbedtls_free(ecp);
312
313	0	return status;
314	0	}
315		#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) \|\|
316		* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) \|\|
317		* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
318
319		#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
320		psa_status_t mbedtls_psa_ecp_generate_key(
321		const psa_key_attributes_t *attributes,
322		uint8_t key_buffer, size_t key_buffer_size, size_t key_buffer_length)
323	0	{
324	0	psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
325	0	attributes->type);
326	0	mbedtls_ecp_group_id grp_id =
327	0	mbedtls_ecc_group_from_psa(curve, attributes->bits);
328	0	if (grp_id == MBEDTLS_ECP_DP_NONE) {
329	0	return PSA_ERROR_NOT_SUPPORTED;
330	0	}
331
332	0	mbedtls_ecp_keypair ecp;
333	0	mbedtls_ecp_keypair_init(&ecp);
334	0	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
335
336	0	ret = mbedtls_ecp_group_load(&ecp.grp, grp_id);
337	0	if (ret != 0) {
338	0	goto exit;
339	0	}
340
341	0	ret = mbedtls_ecp_gen_privkey(&ecp.grp, &ecp.d,
342	0	mbedtls_psa_get_random,
343	0	MBEDTLS_PSA_RANDOM_STATE);
344	0	if (ret != 0) {
345	0	goto exit;
346	0	}
347
348	0	ret = mbedtls_ecp_write_key_ext(&ecp, key_buffer_length,
349	0	key_buffer, key_buffer_size);
350
351	0	exit:
352	0	mbedtls_ecp_keypair_free(&ecp);
353	0	return mbedtls_to_psa_error(ret);
354	0	}
355		#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
356
357		/****************************************************************/
358		/* ECDSA sign/verify */
359		/****************************************************************/
360
361		#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) \|\| \
362		defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
363		psa_status_t mbedtls_psa_ecdsa_sign_hash(
364		const psa_key_attributes_t *attributes,
365		const uint8_t *key_buffer, size_t key_buffer_size,
366		psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
367		uint8_t signature, size_t signature_size, size_t signature_length)
368	0	{
369	0	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
370	0	mbedtls_ecp_keypair *ecp = NULL;
371	0	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
372	0	size_t curve_bytes;
373	0	mbedtls_mpi r, s;
374
375	0	status = mbedtls_psa_ecp_load_representation(attributes->type,
376	0	attributes->bits,
377	0	key_buffer,
378	0	key_buffer_size,
379	0	&ecp);
380	0	if (status != PSA_SUCCESS) {
381	0	return status;
382	0	}
383
384	0	curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
385	0	mbedtls_mpi_init(&r);
386	0	mbedtls_mpi_init(&s);
387
388	0	if (signature_size < 2 * curve_bytes) {
389	0	ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
390	0	goto cleanup;
391	0	}
392
393	0	if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
394	0	#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
395	0	psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
396	0	mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
397	0	MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_ext(
398	0	&ecp->grp, &r, &s,
399	0	&ecp->d, hash,
400	0	hash_length, md_alg,
401	0	mbedtls_psa_get_random,
402	0	MBEDTLS_PSA_RANDOM_STATE));
403		#else
404		ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
405		goto cleanup;
406		#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
407	0	} else {
408	0	(void) alg;
409	0	MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ecp->grp, &r, &s, &ecp->d,
410	0	hash, hash_length,
411	0	mbedtls_psa_get_random,
412	0	MBEDTLS_PSA_RANDOM_STATE));
413	0	}
414
415	0	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&r,
416	0	signature,
417	0	curve_bytes));
418	0	MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&s,
419	0	signature + curve_bytes,
420	0	curve_bytes));
421	0	cleanup:
422	0	mbedtls_mpi_free(&r);
423	0	mbedtls_mpi_free(&s);
424	0	if (ret == 0) {
425	0	signature_length = 2 curve_bytes;
426	0	}
427
428	0	mbedtls_ecp_keypair_free(ecp);
429	0	mbedtls_free(ecp);
430
431	0	return mbedtls_to_psa_error(ret);
432	0	}
433
434		psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
435	0	{
436	0	int ret = 0;
437
438		/* Check whether the public part is loaded. If not, load it. */
439	0	if (mbedtls_ecp_is_zero(&ecp->Q)) {
440	0	ret = mbedtls_ecp_mul(&ecp->grp, &ecp->Q,
441	0	&ecp->d, &ecp->grp.G,
442	0	mbedtls_psa_get_random,
443	0	MBEDTLS_PSA_RANDOM_STATE);
444	0	}
445
446	0	return mbedtls_to_psa_error(ret);
447	0	}
448
449		psa_status_t mbedtls_psa_ecdsa_verify_hash(
450		const psa_key_attributes_t *attributes,
451		const uint8_t *key_buffer, size_t key_buffer_size,
452		psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
453		const uint8_t *signature, size_t signature_length)
454	0	{
455	0	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
456	0	mbedtls_ecp_keypair *ecp = NULL;
457	0	size_t curve_bytes;
458	0	mbedtls_mpi r, s;
459
460	0	(void) alg;
461
462	0	status = mbedtls_psa_ecp_load_representation(attributes->type,
463	0	attributes->bits,
464	0	key_buffer,
465	0	key_buffer_size,
466	0	&ecp);
467	0	if (status != PSA_SUCCESS) {
468	0	return status;
469	0	}
470
471	0	curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
472	0	mbedtls_mpi_init(&r);
473	0	mbedtls_mpi_init(&s);
474
475	0	if (signature_length != 2 * curve_bytes) {
476	0	status = PSA_ERROR_INVALID_SIGNATURE;
477	0	goto cleanup;
478	0	}
479
480	0	status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&r,
481	0	signature,
482	0	curve_bytes));
483	0	if (status != PSA_SUCCESS) {
484	0	goto cleanup;
485	0	}
486
487	0	status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&s,
488	0	signature + curve_bytes,
489	0	curve_bytes));
490	0	if (status != PSA_SUCCESS) {
491	0	goto cleanup;
492	0	}
493
494	0	status = mbedtls_psa_ecp_load_public_part(ecp);
495	0	if (status != PSA_SUCCESS) {
496	0	goto cleanup;
497	0	}
498
499	0	status = mbedtls_to_psa_error(mbedtls_ecdsa_verify(&ecp->grp, hash,
500	0	hash_length, &ecp->Q,
501	0	&r, &s));
502	0	cleanup:
503	0	mbedtls_mpi_free(&r);
504	0	mbedtls_mpi_free(&s);
505	0	mbedtls_ecp_keypair_free(ecp);
506	0	mbedtls_free(ecp);
507
508	0	return status;
509	0	}
510
511		#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) \|\| \
512		* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
513
514		/****************************************************************/
515		/* ECDH Key Agreement */
516		/****************************************************************/
517
518		#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
519		psa_status_t mbedtls_psa_key_agreement_ecdh(
520		const psa_key_attributes_t *attributes,
521		const uint8_t *key_buffer, size_t key_buffer_size,
522		psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length,
523		uint8_t *shared_secret, size_t shared_secret_size,
524		size_t *shared_secret_length)
525	0	{
526	0	psa_status_t status;
527	0	if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type) \|\|
528	0	!PSA_ALG_IS_ECDH(alg)) {
529	0	return PSA_ERROR_INVALID_ARGUMENT;
530	0	}
531	0	mbedtls_ecp_keypair *ecp = NULL;
532	0	status = mbedtls_psa_ecp_load_representation(
533	0	attributes->type,
534	0	attributes->bits,
535	0	key_buffer,
536	0	key_buffer_size,
537	0	&ecp);
538	0	if (status != PSA_SUCCESS) {
539	0	return status;
540	0	}
541	0	mbedtls_ecp_keypair *their_key = NULL;
542	0	mbedtls_ecdh_context ecdh;
543	0	size_t bits = 0;
544	0	psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ecp->grp.id, &bits);
545	0	mbedtls_ecdh_init(&ecdh);
546
547	0	status = mbedtls_psa_ecp_load_representation(
548	0	PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve),
549	0	bits,
550	0	peer_key,
551	0	peer_key_length,
552	0	&their_key);
553	0	if (status != PSA_SUCCESS) {
554	0	goto exit;
555	0	}
556
557	0	status = mbedtls_to_psa_error(
558	0	mbedtls_ecdh_get_params(&ecdh, their_key, MBEDTLS_ECDH_THEIRS));
559	0	if (status != PSA_SUCCESS) {
560	0	goto exit;
561	0	}
562	0	status = mbedtls_to_psa_error(
563	0	mbedtls_ecdh_get_params(&ecdh, ecp, MBEDTLS_ECDH_OURS));
564	0	if (status != PSA_SUCCESS) {
565	0	goto exit;
566	0	}
567
568	0	status = mbedtls_to_psa_error(
569	0	mbedtls_ecdh_calc_secret(&ecdh,
570	0	shared_secret_length,
571	0	shared_secret, shared_secret_size,
572	0	mbedtls_psa_get_random,
573	0	MBEDTLS_PSA_RANDOM_STATE));
574	0	if (status != PSA_SUCCESS) {
575	0	goto exit;
576	0	}
577	0	if (PSA_BITS_TO_BYTES(bits) != *shared_secret_length) {
578	0	status = PSA_ERROR_CORRUPTION_DETECTED;
579	0	}
580	0	exit:
581	0	if (status != PSA_SUCCESS) {
582	0	mbedtls_platform_zeroize(shared_secret, shared_secret_size);
583	0	}
584	0	mbedtls_ecdh_free(&ecdh);
585	0	mbedtls_ecp_keypair_free(their_key);
586	0	mbedtls_free(their_key);
587	0	mbedtls_ecp_keypair_free(ecp);
588	0	mbedtls_free(ecp);
589	0	return status;
590	0	}
591		#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
592
593
594		#endif /* MBEDTLS_PSA_CRYPTO_C */