Coverage Report

Created: 2026-06-30 07:27

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/gnutls/lib/nettle/pk.c
Line
Count
Source
1
/*
2
 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
3
 * Copyright (C) 2013-2017 Nikos Mavrogiannopoulos
4
 * Copyright (C) 2016-2017 Red Hat, Inc.
5
 *
6
 * Author: Nikos Mavrogiannopoulos
7
 *
8
 * This file is part of GNUTLS.
9
 *
10
 * The GNUTLS library is free software; you can redistribute it and/or
11
 * modify it under the terms of the GNU Lesser General Public License
12
 * as published by the Free Software Foundation; either version 2.1 of
13
 * the License, or (at your option) any later version.
14
 *
15
 * This library is distributed in the hope that it will be useful, but
16
 * WITHOUT ANY WARRANTY; without even the implied warranty of
17
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
18
 * Lesser General Public License for more details.
19
 *
20
 * You should have received a copy of the GNU Lesser General Public License
21
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
22
 *
23
 */
24
25
/* This file contains the functions needed for RSA/DSA public key
26
 * encryption and signatures.
27
 */
28
29
#include "gnutls_int.h"
30
#include "mpi.h"
31
#include "pk.h"
32
#include "errors.h"
33
#include "datum.h"
34
#include "global.h"
35
#include "tls-sig.h"
36
#include "num.h"
37
#include "x509/x509_int.h"
38
#include "x509/common.h"
39
#include "random.h"
40
#include "pk.h"
41
#include <nettle/dsa.h>
42
#include "dsa-fips.h"
43
#include "rsa-fips.h"
44
#include <nettle/rsa.h>
45
#include <gnutls/crypto.h>
46
#include <nettle/bignum.h>
47
#include <nettle/ecc.h>
48
#include <nettle/ecdsa.h>
49
#include <nettle/ecc-curve.h>
50
#include <nettle/curve25519.h>
51
#include <nettle/curve448.h>
52
#include <nettle/eddsa.h>
53
#include <nettle/version.h>
54
#if ENABLE_GOST
55
#if NEED_INT_ECC
56
#include "ecc/gostdsa.h"
57
#include "ecc-gost-curve.h"
58
#else
59
#include <nettle/gostdsa.h>
60
0
#define gost_point_mul_g ecc_point_mul_g
61
0
#define gost_point_set ecc_point_set
62
#endif
63
#include "gost/gostdsa2.h"
64
#endif
65
#include "int/ecdsa-compute-k.h"
66
#include "int/dsa-compute-k.h"
67
#include "gnettle.h"
68
#include "fips.h"
69
#include "dh.h"
70
#include "audit.h"
71
#ifdef HAVE_LEANCRYPTO
72
#include <leancrypto.h>
73
#endif
74
#include "attribute.h"
75
76
#define MAX_PRIME_CURVE_COORD_SIZE 66
77
78
static inline const struct ecc_curve *get_supported_nist_curve(int curve);
79
static inline const struct ecc_curve *get_supported_gost_curve(int curve);
80
81
static inline const char *get_supported_nist_curve_order(int curve);
82
static inline const char *get_supported_nist_curve_modulus(int curve);
83
84
/* When these callbacks are used for a nettle operation, the
85
 * caller must check the macro HAVE_LIB_ERROR() after the operation
86
 * is complete. If the macro is true, the operation is to be considered
87
 * failed (meaning the random generation failed).
88
 */
89
static void rnd_key_func(void *_ctx, size_t length, uint8_t *data)
90
0
{
91
0
  if (gnutls_rnd(GNUTLS_RND_KEY, data, length) < 0) {
92
0
    _gnutls_switch_lib_state(LIB_STATE_ERROR);
93
0
  }
94
0
}
95
96
static void rnd_tmpkey_func(void *_ctx, size_t length, uint8_t *data)
97
0
{
98
0
  if (gnutls_rnd(GNUTLS_RND_RANDOM, data, length) < 0) {
99
0
    _gnutls_switch_lib_state(LIB_STATE_ERROR);
100
0
  }
101
0
}
102
103
static void rnd_nonce_func(void *_ctx, size_t length, uint8_t *data)
104
0
{
105
0
  if (gnutls_rnd(GNUTLS_RND_NONCE, data, length) < 0) {
106
0
    _gnutls_switch_lib_state(LIB_STATE_ERROR);
107
0
  }
108
0
}
109
110
static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
111
0
{
112
0
  gnutls_datum_t *d = ctx;
113
114
0
  if (length > d->size) {
115
0
    memset(data, 0, length - d->size);
116
0
    memcpy(data + (length - d->size), d->data, d->size);
117
0
  } else {
118
0
    memcpy(data, d->data, length);
119
0
  }
120
0
}
121
122
static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t *data)
123
0
{
124
0
  if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) {
125
0
    _gnutls_switch_lib_state(LIB_STATE_ERROR);
126
0
  }
127
128
0
  memset(data, 0xAA, length);
129
0
}
130
131
static void ecc_scalar_zclear(struct ecc_scalar *s)
132
0
{
133
0
  zeroize_key(s->p, ecc_size(s->ecc) * sizeof(mp_limb_t));
134
0
  ecc_scalar_clear(s);
135
0
}
136
137
static void ecc_point_zclear(struct ecc_point *p)
138
0
{
139
0
  zeroize_key(p->p, ecc_size_a(p->ecc) * sizeof(mp_limb_t));
140
0
  ecc_point_clear(p);
141
0
}
142
143
static void _dsa_params_get(const gnutls_pk_params_st *pk_params,
144
          struct dsa_params *pub)
145
0
{
146
0
  memcpy(pub->p, pk_params->params[DSA_P], SIZEOF_MPZT);
147
148
0
  if (pk_params->params[DSA_Q])
149
0
    memcpy(&pub->q, pk_params->params[DSA_Q], SIZEOF_MPZT);
150
0
  memcpy(pub->g, pk_params->params[DSA_G], SIZEOF_MPZT);
151
0
}
152
153
static void _rsa_params_to_privkey(const gnutls_pk_params_st *pk_params,
154
           struct rsa_private_key *priv)
155
0
{
156
0
  memcpy(priv->d, pk_params->params[RSA_PRIV], SIZEOF_MPZT);
157
0
  memcpy(priv->p, pk_params->params[RSA_PRIME1], SIZEOF_MPZT);
158
0
  memcpy(priv->q, pk_params->params[RSA_PRIME2], SIZEOF_MPZT);
159
0
  memcpy(priv->c, pk_params->params[RSA_COEF], SIZEOF_MPZT);
160
0
  memcpy(priv->a, pk_params->params[RSA_E1], SIZEOF_MPZT);
161
0
  memcpy(priv->b, pk_params->params[RSA_E2], SIZEOF_MPZT);
162
  /* we do not rsa_private_key_prepare() because it involves a multiplication.
163
   * we call it once when we import the parameters */
164
0
  priv->size = nettle_mpz_sizeinbase_256_u(
165
0
    TOMPZ(pk_params->params[RSA_MODULUS]));
166
0
}
167
168
/* returns a negative value on invalid pubkey */
169
static int _rsa_params_to_pubkey(const gnutls_pk_params_st *pk_params,
170
         struct rsa_public_key *pub)
171
0
{
172
0
  memcpy(pub->n, pk_params->params[RSA_MODULUS], SIZEOF_MPZT);
173
0
  memcpy(pub->e, pk_params->params[RSA_PUB], SIZEOF_MPZT);
174
0
  if (rsa_public_key_prepare(pub) == 0)
175
0
    return gnutls_assert_val(GNUTLS_E_PK_INVALID_PUBKEY);
176
177
0
  return 0;
178
0
}
179
180
static int _ecc_params_to_privkey(const gnutls_pk_params_st *pk_params,
181
          struct ecc_scalar *priv,
182
          const struct ecc_curve *curve)
183
0
{
184
0
  ecc_scalar_init(priv, curve);
185
0
  if (ecc_scalar_set(priv, pk_params->params[ECC_K]) == 0) {
186
0
    ecc_scalar_clear(priv);
187
0
    return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
188
0
  }
189
190
0
  return 0;
191
0
}
192
193
static int _ecc_params_to_pubkey(const gnutls_pk_params_st *pk_params,
194
         struct ecc_point *pub,
195
         const struct ecc_curve *curve)
196
0
{
197
0
  ecc_point_init(pub, curve);
198
0
  if (ecc_point_set(pub, pk_params->params[ECC_X],
199
0
        pk_params->params[ECC_Y]) == 0) {
200
0
    ecc_point_clear(pub);
201
0
    return gnutls_assert_val(GNUTLS_E_PK_INVALID_PUBKEY);
202
0
  }
203
204
0
  return 0;
205
0
}
206
207
#if ENABLE_GOST
208
static int _gost_params_to_privkey(const gnutls_pk_params_st *pk_params,
209
           struct ecc_scalar *priv,
210
           const struct ecc_curve *curve)
211
0
{
212
0
  ecc_scalar_init(priv, curve);
213
0
  if (ecc_scalar_set(priv, pk_params->params[GOST_K]) == 0) {
214
0
    ecc_scalar_clear(priv);
215
0
    return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
216
0
  }
217
218
0
  return 0;
219
0
}
220
221
static int _gost_params_to_pubkey(const gnutls_pk_params_st *pk_params,
222
          struct ecc_point *pub,
223
          const struct ecc_curve *curve)
224
0
{
225
0
  ecc_point_init(pub, curve);
226
0
  if (gost_point_set(pub, pk_params->params[GOST_X],
227
0
         pk_params->params[GOST_Y]) == 0) {
228
0
    ecc_point_clear(pub);
229
0
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
230
0
  }
231
232
0
  return 0;
233
0
}
234
#endif
235
236
static int ecc_shared_secret(struct ecc_scalar *private_key,
237
           struct ecc_point *public_key, void *out,
238
           unsigned size)
239
0
{
240
0
  struct ecc_point r;
241
0
  mpz_t x, y;
242
0
  int ret = 0;
243
244
0
  mpz_init(x);
245
0
  mpz_init(y);
246
0
  ecc_point_init(&r, public_key->ecc);
247
248
0
  ecc_point_mul(&r, private_key, public_key);
249
250
0
  ecc_point_get(&r, x, y);
251
252
  /* Check if the point is not an identity element.  Note that this cannot
253
   * happen in nettle implementation, because it cannot represent an
254
   * infinity point. */
255
0
  if (mpz_cmp_ui(x, 0) == 0 && mpz_cmp_ui(y, 0) == 0) {
256
0
    ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
257
0
    goto cleanup;
258
0
  }
259
260
0
  nettle_mpz_get_str_256(size, out, x);
261
262
0
cleanup:
263
0
  mpz_clear(x);
264
0
  mpz_clear(y);
265
0
  ecc_point_clear(&r);
266
267
0
  return ret;
268
0
}
269
270
0
#define MAX_DH_BITS DEFAULT_MAX_VERIFY_BITS
271
/* This is used when we have no idea on the structure
272
 * of p-1 used by the peer. It is still a conservative
273
 * choice, but small than what we've been using before.
274
 */
275
#define DH_EXPONENT_SIZE(p_size) (2 * _gnutls_pk_bits_to_subgroup_bits(p_size))
276
277
static inline int edwards_curve_mul(gnutls_pk_algorithm_t algo, uint8_t *q,
278
            const uint8_t *n, const uint8_t *p)
279
0
{
280
0
  switch (algo) {
281
0
  case GNUTLS_PK_ECDH_X25519:
282
0
    curve25519_mul(q, n, p);
283
0
    return 0;
284
0
  case GNUTLS_PK_ECDH_X448:
285
0
    curve448_mul(q, n, p);
286
0
    return 0;
287
0
  default:
288
0
    return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
289
0
  }
290
0
}
291
292
/* This is used for DH or ECDH key derivation. In DH for example
293
 * it is given the peers Y and our x, and calculates Y^x
294
 */
295
static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
296
          gnutls_datum_t *out,
297
          const gnutls_pk_params_st *priv,
298
          const gnutls_pk_params_st *pub,
299
          const gnutls_datum_t *nonce,
300
          unsigned int flags)
301
0
{
302
0
  int ret;
303
0
  bool not_approved = false;
304
305
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::derive",
306
0
              "pk::algorithm", CRAU_STRING,
307
0
              gnutls_pk_get_name(algo), NULL);
308
309
0
  switch (algo) {
310
0
  case GNUTLS_PK_DH: {
311
0
    bigint_t f, x, q, prime;
312
0
    bigint_t k = NULL, primesub1 = NULL, r = NULL;
313
0
    unsigned int bits;
314
315
0
    if (nonce != NULL) {
316
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
317
0
      goto cleanup;
318
0
    }
319
320
0
    f = pub->params[DH_Y];
321
0
    x = priv->params[DH_X];
322
0
    q = priv->params[DH_Q];
323
0
    prime = priv->params[DH_P];
324
325
0
    ret = _gnutls_mpi_init_multi(&k, &primesub1, &r, NULL);
326
0
    if (ret < 0) {
327
0
      gnutls_assert();
328
0
      goto cleanup;
329
0
    }
330
331
0
    ret = _gnutls_mpi_sub_ui(primesub1, prime, 1);
332
0
    if (ret < 0) {
333
0
      gnutls_assert();
334
0
      goto dh_cleanup;
335
0
    }
336
337
    /* check if f==0,1, or f >= p-1 */
338
0
    if ((_gnutls_mpi_cmp_ui(f, 1) == 0) ||
339
0
        (_gnutls_mpi_cmp_ui(f, 0) == 0) ||
340
0
        (_gnutls_mpi_cmp(f, primesub1) >= 0)) {
341
0
      gnutls_assert();
342
0
      ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
343
0
      goto dh_cleanup;
344
0
    }
345
346
    /* if we have Q check that y ^ q mod p == 1 */
347
0
    if (q != NULL) {
348
0
      ret = _gnutls_mpi_powm(r, f, q, prime);
349
0
      if (ret < 0) {
350
0
        gnutls_assert();
351
0
        goto dh_cleanup;
352
0
      }
353
0
      ret = _gnutls_mpi_cmp_ui(r, 1);
354
0
      if (ret != 0) {
355
0
        gnutls_assert();
356
0
        ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
357
0
        goto dh_cleanup;
358
0
      }
359
0
    } else if ((flags & PK_DERIVE_TLS13) &&
360
0
         _gnutls_fips_mode_enabled()) {
361
      /* Mandatory in FIPS mode for TLS 1.3 */
362
0
      ret = gnutls_assert_val(
363
0
        GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
364
0
      goto dh_cleanup;
365
0
    }
366
367
    /* prevent denial of service */
368
0
    bits = _gnutls_mpi_get_nbits(prime);
369
0
    if (bits == 0 || bits > MAX_DH_BITS) {
370
0
      gnutls_assert();
371
0
      ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
372
0
      goto dh_cleanup;
373
0
    }
374
375
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
376
377
0
    if (bits < 2048) {
378
0
      not_approved = true;
379
0
    }
380
381
0
    ret = _gnutls_mpi_powm(k, f, x, prime);
382
0
    if (ret < 0) {
383
0
      gnutls_assert();
384
0
      goto dh_cleanup;
385
0
    }
386
387
    /* check if k==0,1, or k = p-1 */
388
0
    if ((_gnutls_mpi_cmp_ui(k, 1) == 0) ||
389
0
        (_gnutls_mpi_cmp_ui(k, 0) == 0) ||
390
0
        (_gnutls_mpi_cmp(k, primesub1) == 0)) {
391
0
      ret = gnutls_assert_val(
392
0
        GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
393
0
      goto dh_cleanup;
394
0
    }
395
396
0
    if (flags & PK_DERIVE_TLS13) {
397
0
      ret = _gnutls_mpi_dprint_size(k, out, (bits + 7) / 8);
398
0
    } else {
399
0
      ret = _gnutls_mpi_dprint(k, out);
400
0
    }
401
402
0
    if (ret < 0) {
403
0
      gnutls_assert();
404
0
      goto dh_cleanup;
405
0
    }
406
407
0
    ret = 0;
408
0
  dh_cleanup:
409
0
    _gnutls_mpi_release(&r);
410
0
    _gnutls_mpi_release(&primesub1);
411
0
    zrelease_mpi_key(&k);
412
0
    if (ret < 0)
413
0
      goto cleanup;
414
415
0
    break;
416
0
  }
417
0
  case GNUTLS_PK_EC: {
418
0
    struct ecc_scalar ecc_priv;
419
0
    struct ecc_point ecc_pub;
420
0
    const struct ecc_curve *curve;
421
0
    struct ecc_scalar n;
422
0
    struct ecc_scalar m;
423
0
    struct ecc_point r;
424
0
    mpz_t x, y, xx, yy, nn, mm;
425
426
0
    out->data = NULL;
427
428
0
    if (nonce != NULL) {
429
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
430
0
      goto cleanup;
431
0
    }
432
433
0
    curve = get_supported_nist_curve(priv->curve);
434
0
    if (curve == NULL) {
435
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
436
0
      goto cleanup;
437
0
    }
438
439
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
440
0
           gnutls_ecc_curve_get_name(priv->curve),
441
0
           NULL);
442
443
    /* P-192 is not supported in FIPS 140-3 */
444
0
    if (priv->curve == GNUTLS_ECC_CURVE_SECP192R1) {
445
0
      not_approved = true;
446
0
    }
447
448
0
    mpz_init(x);
449
0
    mpz_init(y);
450
0
    mpz_init(xx);
451
0
    mpz_init(yy);
452
0
    mpz_init(nn);
453
0
    mpz_init(mm);
454
455
0
    ecc_scalar_init(&n, curve);
456
0
    ecc_scalar_init(&m, curve);
457
0
    ecc_point_init(&r, curve);
458
459
0
    ret = _ecc_params_to_pubkey(pub, &ecc_pub, curve);
460
0
    if (ret < 0) {
461
0
      gnutls_assert();
462
0
      goto ecc_fail_cleanup;
463
0
    }
464
465
0
    ret = _ecc_params_to_privkey(priv, &ecc_priv, curve);
466
0
    if (ret < 0) {
467
0
      ecc_point_clear(&ecc_pub);
468
0
      gnutls_assert();
469
0
      goto ecc_fail_cleanup;
470
0
    }
471
472
0
    out->size = gnutls_ecc_curve_get_size(priv->curve);
473
    /*ecc_size(curve)*sizeof(mp_limb_t); */
474
0
    out->data = gnutls_malloc(out->size);
475
0
    if (out->data == NULL) {
476
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
477
0
      goto ecc_cleanup;
478
0
    }
479
480
    /* Perform ECC Full Public-Key Validation Routine
481
       * according to SP800-56A (revision 3), 5.6.2.3.3.
482
       */
483
484
    /* Step 1: verify that Q is not an identity
485
       * element (an infinity point). Note that this
486
       * cannot happen in the nettle implementation,
487
       * because it cannot represent an infinity point
488
       * on curves. */
489
0
    ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data,
490
0
          out->size);
491
0
    if (ret < 0) {
492
0
      gnutls_free(out->data);
493
0
      goto ecc_cleanup;
494
0
    }
495
#ifdef ENABLE_FIPS140
496
    if (_gnutls_fips_mode_enabled()) {
497
      const char *order, *modulus;
498
499
      ecc_point_mul(&r, &ecc_priv, &ecc_pub);
500
      ecc_point_get(&r, x, y);
501
502
      /* Step 2: verify that both coordinates of Q are
503
         * in the range [0, p - 1].
504
         *
505
         * Step 3: verify that Q lie on the curve
506
         *
507
         * Both checks are performed in nettle.  */
508
      if (!ecc_point_set(&r, x, y)) {
509
        ret = gnutls_assert_val(
510
          GNUTLS_E_ILLEGAL_PARAMETER);
511
        goto ecc_cleanup;
512
      }
513
514
      /* Step 4: verify that n * Q, where n is the
515
         * curve order, result in an identity element
516
         *
517
         * Since nettle internally cannot represent an
518
         * identity element on curves, we validate this
519
         * instead:
520
         *
521
         *   (n - 1) * Q = -Q
522
         *
523
         * That effectively means: n * Q = -Q + Q = O
524
         */
525
      order = get_supported_nist_curve_order(priv->curve);
526
      if (unlikely(order == NULL)) {
527
        ret = gnutls_assert_val(
528
          GNUTLS_E_INTERNAL_ERROR);
529
        goto ecc_cleanup;
530
      }
531
532
      ret = mpz_set_str(nn, order, 16);
533
      if (unlikely(ret < 0)) {
534
        ret = gnutls_assert_val(
535
          GNUTLS_E_MPI_SCAN_FAILED);
536
        goto ecc_cleanup;
537
      }
538
539
      modulus = get_supported_nist_curve_modulus(priv->curve);
540
      if (unlikely(modulus == NULL)) {
541
        ret = gnutls_assert_val(
542
          GNUTLS_E_INTERNAL_ERROR);
543
        goto ecc_cleanup;
544
      }
545
546
      ret = mpz_set_str(mm, modulus, 16);
547
      if (unlikely(ret < 0)) {
548
        ret = gnutls_assert_val(
549
          GNUTLS_E_MPI_SCAN_FAILED);
550
        goto ecc_cleanup;
551
      }
552
553
      /* (n - 1) * Q = -Q */
554
      mpz_sub_ui(nn, nn, 1);
555
      ecc_scalar_set(&n, nn);
556
      ecc_point_mul(&r, &n, &r);
557
      ecc_point_get(&r, xx, yy);
558
      mpz_sub(mm, mm, y);
559
560
      if (mpz_cmp(xx, x) != 0 || mpz_cmp(yy, mm) != 0) {
561
        ret = gnutls_assert_val(
562
          GNUTLS_E_ILLEGAL_PARAMETER);
563
        goto ecc_cleanup;
564
      }
565
    } else {
566
      not_approved = true;
567
    }
568
#endif
569
570
0
  ecc_cleanup:
571
0
    ecc_point_clear(&ecc_pub);
572
0
    ecc_scalar_zclear(&ecc_priv);
573
0
  ecc_fail_cleanup:
574
0
    mpz_clear(x);
575
0
    mpz_clear(y);
576
0
    mpz_clear(xx);
577
0
    mpz_clear(yy);
578
0
    mpz_clear(nn);
579
0
    mpz_clear(mm);
580
0
    ecc_point_clear(&r);
581
0
    ecc_scalar_clear(&n);
582
0
    ecc_scalar_clear(&m);
583
0
    if (ret < 0)
584
0
      goto cleanup;
585
0
    break;
586
0
  }
587
0
  case GNUTLS_PK_ECDH_X25519:
588
0
  case GNUTLS_PK_ECDH_X448: {
589
0
    unsigned size = gnutls_ecc_curve_get_size(priv->curve);
590
591
    /* Edwards curves are not approved */
592
0
    not_approved = true;
593
594
0
    if (nonce != NULL) {
595
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
596
0
      goto cleanup;
597
0
    }
598
599
    /* The point is in pub, while the private part (scalar) in priv. */
600
601
0
    if (size == 0 || priv->raw_priv.size != size) {
602
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
603
0
      goto cleanup;
604
0
    }
605
606
0
    out->data = gnutls_malloc(size);
607
0
    if (out->data == NULL) {
608
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
609
0
      goto cleanup;
610
0
    }
611
612
0
    out->size = size;
613
614
0
    ret = edwards_curve_mul(algo, out->data, priv->raw_priv.data,
615
0
          pub->raw_pub.data);
616
0
    if (ret < 0)
617
0
      goto cleanup;
618
619
0
    if (_gnutls_mem_is_zero(out->data, out->size)) {
620
0
      gnutls_free(out->data);
621
0
      gnutls_assert();
622
0
      ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
623
0
      goto cleanup;
624
0
    }
625
0
    break;
626
0
  }
627
0
#if ENABLE_GOST
628
0
  case GNUTLS_PK_GOST_01:
629
0
  case GNUTLS_PK_GOST_12_256:
630
0
  case GNUTLS_PK_GOST_12_512: {
631
0
    struct ecc_scalar ecc_priv;
632
0
    struct ecc_point ecc_pub;
633
0
    const struct ecc_curve *curve;
634
635
    /* GOST curves are not approved */
636
0
    not_approved = true;
637
638
0
    out->data = NULL;
639
640
0
    curve = get_supported_gost_curve(priv->curve);
641
0
    if (curve == NULL) {
642
0
      gnutls_assert();
643
0
      ret = GNUTLS_E_ECC_UNSUPPORTED_CURVE;
644
0
      goto cleanup;
645
0
    }
646
647
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
648
0
           gnutls_ecc_curve_get_name(priv->curve),
649
0
           NULL);
650
651
0
    if (nonce == NULL) {
652
0
      gnutls_assert();
653
0
      ret = GNUTLS_E_INVALID_REQUEST;
654
0
      goto cleanup;
655
0
    }
656
657
0
    ret = _gost_params_to_pubkey(pub, &ecc_pub, curve);
658
0
    if (ret < 0) {
659
0
      gnutls_assert();
660
0
      goto cleanup;
661
0
    }
662
663
0
    ret = _gost_params_to_privkey(priv, &ecc_priv, curve);
664
0
    if (ret < 0) {
665
0
      ecc_point_clear(&ecc_pub);
666
0
      gnutls_assert();
667
0
      goto cleanup;
668
0
    }
669
670
0
    out->size = 2 * gnutls_ecc_curve_get_size(priv->curve);
671
0
    out->data = gnutls_malloc(out->size);
672
0
    if (out->data == NULL) {
673
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
674
0
      goto gost_cleanup;
675
0
    }
676
677
0
    gostdsa_vko(&ecc_priv, &ecc_pub, nonce->size, nonce->data,
678
0
          out->data);
679
680
0
  gost_cleanup:
681
0
    ecc_point_clear(&ecc_pub);
682
0
    ecc_scalar_zclear(&ecc_priv);
683
0
    if (ret < 0)
684
0
      goto cleanup;
685
0
    break;
686
0
  }
687
0
#endif
688
0
  default:
689
0
    gnutls_assert();
690
0
    ret = GNUTLS_E_INTERNAL_ERROR;
691
0
    goto cleanup;
692
0
  }
693
694
0
  ret = 0;
695
696
0
cleanup:
697
0
  if (ret < 0) {
698
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
699
0
  } else if (not_approved) {
700
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
701
0
  } else {
702
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
703
0
  }
704
705
0
  gnutls_audit_pop_context();
706
707
0
  return ret;
708
0
}
709
710
#ifdef HAVE_LEANCRYPTO
711
static enum lc_kyber_type ml_kem_pk_to_lc_kyber_type(gnutls_pk_algorithm_t algo)
712
{
713
  switch (algo) {
714
#ifdef LC_KYBER_768_ENABLED
715
  case GNUTLS_PK_MLKEM768:
716
    return LC_KYBER_768;
717
#endif
718
#ifdef LC_KYBER_1024_ENABLED
719
  case GNUTLS_PK_MLKEM1024:
720
    return LC_KYBER_1024;
721
#endif
722
  default:
723
    return gnutls_assert_val(LC_KYBER_UNKNOWN);
724
  }
725
}
726
727
static int ml_kem_exists(gnutls_pk_algorithm_t algo)
728
{
729
  return ml_kem_pk_to_lc_kyber_type(algo) != LC_KYBER_UNKNOWN;
730
}
731
732
static int ml_kem_encaps(gnutls_pk_algorithm_t algo, gnutls_datum_t *ciphertext,
733
       gnutls_datum_t *shared_secret,
734
       const gnutls_datum_t *pub)
735
{
736
  enum lc_kyber_type type;
737
  struct lc_kyber_ct ct;
738
  struct lc_kyber_ss ss;
739
  struct lc_kyber_pk pk;
740
  gnutls_datum_t tmp_ciphertext = { NULL, 0 };
741
  gnutls_datum_t tmp_shared_secret = { NULL, 0 };
742
  uint8_t *ptr;
743
  size_t len;
744
  int ret;
745
746
  type = ml_kem_pk_to_lc_kyber_type(algo);
747
  if (type == LC_KYBER_UNKNOWN)
748
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
749
750
  ret = lc_kyber_pk_load(&pk, pub->data, pub->size);
751
  if (ret < 0 || lc_kyber_pk_type(&pk) != type) {
752
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
753
    goto cleanup;
754
  }
755
756
  ret = lc_kyber_enc(&ct, &ss, &pk);
757
  if (ret < 0) {
758
    ret = gnutls_assert_val(GNUTLS_E_PK_ENCRYPTION_FAILED);
759
    goto cleanup;
760
  }
761
762
  ret = lc_kyber_ct_ptr(&ptr, &len, &ct);
763
  if (ret < 0) {
764
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
765
    goto cleanup;
766
  }
767
  ret = _gnutls_set_datum(&tmp_ciphertext, ptr, len);
768
  if (ret < 0) {
769
    gnutls_assert();
770
    goto cleanup;
771
  }
772
773
  ret = lc_kyber_ss_ptr(&ptr, &len, &ss);
774
  if (ret < 0) {
775
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
776
    goto cleanup;
777
  }
778
  ret = _gnutls_set_datum(&tmp_shared_secret, ptr, len);
779
  if (ret < 0) {
780
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
781
    goto cleanup;
782
  }
783
784
  *ciphertext = _gnutls_take_datum(&tmp_ciphertext);
785
  *shared_secret = _gnutls_take_datum(&tmp_shared_secret);
786
787
  ret = 0;
788
789
cleanup:
790
  _gnutls_free_datum(&tmp_ciphertext);
791
  _gnutls_free_key_datum(&tmp_shared_secret);
792
  zeroize_key(&pk, sizeof(pk));
793
  return ret;
794
}
795
796
static int ml_kem_decaps(gnutls_pk_algorithm_t algo,
797
       gnutls_datum_t *shared_secret,
798
       const gnutls_datum_t *ciphertext,
799
       const gnutls_datum_t *priv)
800
{
801
  int ret;
802
  enum lc_kyber_type type;
803
  struct lc_kyber_ss ss;
804
  struct lc_kyber_ct ct;
805
  struct lc_kyber_sk sk;
806
  gnutls_datum_t tmp_shared_secret = { NULL, 0 };
807
  uint8_t *ptr;
808
  size_t len;
809
810
  type = ml_kem_pk_to_lc_kyber_type(algo);
811
  if (type == LC_KYBER_UNKNOWN)
812
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
813
814
  ret = lc_kyber_sk_load(&sk, priv->data, priv->size);
815
  if (ret < 0 || lc_kyber_sk_type(&sk) != type) {
816
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
817
    goto cleanup;
818
  }
819
820
  ret = lc_kyber_ct_load(&ct, ciphertext->data, ciphertext->size);
821
  if (ret < 0 || lc_kyber_ct_type(&ct) != type) {
822
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
823
    goto cleanup;
824
  }
825
826
  ret = lc_kyber_dec(&ss, &ct, &sk);
827
  if (ret < 0) {
828
    ret = gnutls_assert_val(GNUTLS_E_PK_DECRYPTION_FAILED);
829
    goto cleanup;
830
  }
831
832
  ret = lc_kyber_ss_ptr(&ptr, &len, &ss);
833
  if (ret < 0) {
834
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
835
    goto cleanup;
836
  }
837
838
  ret = _gnutls_set_datum(&tmp_shared_secret, ptr, len);
839
  if (ret < 0) {
840
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
841
    goto cleanup;
842
  }
843
844
  *shared_secret = _gnutls_take_datum(&tmp_shared_secret);
845
846
  ret = 0;
847
848
cleanup:
849
  _gnutls_free_key_datum(&tmp_shared_secret);
850
  zeroize_key(&ss, sizeof(ss));
851
  zeroize_key(&sk, sizeof(sk));
852
  return ret;
853
}
854
855
static int ml_kem_generate_keypair(gnutls_pk_algorithm_t algo,
856
           gnutls_datum_t *raw_priv,
857
           gnutls_datum_t *raw_pub)
858
{
859
  int ret;
860
  enum lc_kyber_type type;
861
  struct lc_kyber_sk sk;
862
  struct lc_kyber_pk pk;
863
  gnutls_datum_t tmp_raw_priv = { NULL, 0 };
864
  gnutls_datum_t tmp_raw_pub = { NULL, 0 };
865
  uint8_t *ptr;
866
  size_t len;
867
868
  type = ml_kem_pk_to_lc_kyber_type(algo);
869
  if (type == LC_KYBER_UNKNOWN)
870
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
871
872
  ret = lc_kyber_keypair(&pk, &sk, lc_seeded_rng, type);
873
  if (ret < 0) {
874
    ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
875
    goto cleanup;
876
  }
877
878
  ret = lc_kyber_sk_ptr(&ptr, &len, &sk);
879
  if (ret < 0) {
880
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
881
    goto cleanup;
882
  }
883
884
  ret = _gnutls_set_datum(&tmp_raw_priv, ptr, len);
885
  if (ret < 0) {
886
    gnutls_assert();
887
    goto cleanup;
888
  }
889
890
  ret = lc_kyber_pk_ptr(&ptr, &len, &pk);
891
  if (ret < 0) {
892
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
893
    goto cleanup;
894
  }
895
896
  ret = _gnutls_set_datum(&tmp_raw_pub, ptr, len);
897
  if (ret < 0) {
898
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
899
    goto cleanup;
900
  }
901
902
  *raw_priv = _gnutls_take_datum(&tmp_raw_priv);
903
  *raw_pub = _gnutls_take_datum(&tmp_raw_pub);
904
905
  ret = 0;
906
907
cleanup:
908
  _gnutls_free_key_datum(&tmp_raw_priv);
909
  _gnutls_free_key_datum(&tmp_raw_pub);
910
  zeroize_key(&pk, sizeof(pk));
911
  zeroize_key(&sk, sizeof(sk));
912
  return ret;
913
}
914
#else
915
static int ml_kem_exists(gnutls_pk_algorithm_t algo MAYBE_UNUSED)
916
0
{
917
0
  return 0;
918
0
}
919
920
static int ml_kem_encaps(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
921
       gnutls_datum_t *ciphertext MAYBE_UNUSED,
922
       gnutls_datum_t *shared_secret MAYBE_UNUSED,
923
       const gnutls_datum_t *pub MAYBE_UNUSED)
924
0
{
925
0
  return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
926
0
}
927
928
static int ml_kem_decaps(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
929
       gnutls_datum_t *shared_secret MAYBE_UNUSED,
930
       const gnutls_datum_t *ciphertext MAYBE_UNUSED,
931
       const gnutls_datum_t *priv MAYBE_UNUSED)
932
0
{
933
0
  return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
934
0
}
935
936
static int ml_kem_generate_keypair(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
937
           gnutls_datum_t *raw_priv MAYBE_UNUSED,
938
           gnutls_datum_t *raw_pub MAYBE_UNUSED)
939
0
{
940
0
  return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
941
0
}
942
#endif
943
944
static int _wrap_nettle_pk_encaps(gnutls_pk_algorithm_t algo,
945
          gnutls_datum_t *ciphertext,
946
          gnutls_datum_t *shared_secret,
947
          const gnutls_datum_t *pub)
948
0
{
949
0
  int ret;
950
951
0
  switch (algo) {
952
0
  case GNUTLS_PK_MLKEM768:
953
0
  case GNUTLS_PK_MLKEM1024:
954
0
    break;
955
0
  default:
956
0
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
957
0
  }
958
959
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING,
960
0
              "pk::encapsulate", "pk::algorithm",
961
0
              CRAU_STRING,
962
0
              gnutls_pk_get_name(algo), NULL);
963
964
0
  ret = ml_kem_encaps(algo, ciphertext, shared_secret, pub);
965
966
0
  gnutls_audit_pop_context();
967
968
0
  return ret;
969
0
}
970
971
static int _wrap_nettle_pk_decaps(gnutls_pk_algorithm_t algo,
972
          gnutls_datum_t *shared_secret,
973
          const gnutls_datum_t *ciphertext,
974
          const gnutls_datum_t *priv)
975
0
{
976
0
  int ret;
977
978
0
  switch (algo) {
979
0
  case GNUTLS_PK_MLKEM768:
980
0
  case GNUTLS_PK_MLKEM1024:
981
0
    break;
982
0
  default:
983
0
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
984
0
  }
985
986
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING,
987
0
              "pk::decapsulate", "pk::algorithm",
988
0
              CRAU_STRING,
989
0
              gnutls_pk_get_name(algo), NULL);
990
991
0
  ret = ml_kem_decaps(algo, shared_secret, ciphertext, priv);
992
993
0
  gnutls_audit_pop_context();
994
995
0
  return ret;
996
0
}
997
998
/* This wraps nettle_rsa_encrypt so it returns ciphertext as a byte
999
 * array instead of a mpz_t value.  Returns 1 on success; 0 otherwise.
1000
 */
1001
static inline int _rsa_encrypt(const struct rsa_public_key *key, void *rnd_ctx,
1002
             nettle_random_func *rnd_func, size_t length,
1003
             const uint8_t *message, uint8_t *ciphertext)
1004
0
{
1005
0
  mpz_t p;
1006
0
  int ret;
1007
1008
0
  mpz_init(p);
1009
1010
0
  ret = rsa_encrypt(key, rnd_ctx, rnd_func, length, message, p);
1011
1012
0
  if (ret == 0) {
1013
0
    gnutls_assert();
1014
0
    goto cleanup;
1015
0
  }
1016
1017
0
  if (_gnutls_mpi_bprint_size(p, ciphertext, key->size) < 0) {
1018
0
    gnutls_assert();
1019
0
    goto cleanup;
1020
0
  }
1021
1022
0
cleanup:
1023
0
  mpz_clear(p);
1024
0
  return ret;
1025
0
}
1026
1027
/* This wraps nettle_rsa_oaep_sha*_encrypt to parametrize the function
1028
 * calls with a DIG argument.  Returns 1 on success; 0 otherwise.
1029
 */
1030
static inline int _rsa_oaep_encrypt(gnutls_digest_algorithm_t dig,
1031
            const struct rsa_public_key *pub,
1032
            void *rnd_ctx, nettle_random_func *rnd_func,
1033
            size_t label_length, const uint8_t *label,
1034
            size_t length, const uint8_t *message,
1035
            uint8_t *ciphertext)
1036
0
{
1037
0
  int (*encrypt_func)(const struct rsa_public_key *, void *,
1038
0
          nettle_random_func *, size_t, const uint8_t *,
1039
0
          size_t, const uint8_t *, uint8_t *);
1040
1041
0
  switch (dig) {
1042
0
  case GNUTLS_DIG_SHA256:
1043
0
    encrypt_func = rsa_oaep_sha256_encrypt;
1044
0
    break;
1045
0
  case GNUTLS_DIG_SHA384:
1046
0
    encrypt_func = rsa_oaep_sha384_encrypt;
1047
0
    break;
1048
0
  case GNUTLS_DIG_SHA512:
1049
0
    encrypt_func = rsa_oaep_sha512_encrypt;
1050
0
    break;
1051
0
  default:
1052
0
    gnutls_assert();
1053
0
    return 0;
1054
0
  }
1055
1056
0
  return encrypt_func(pub, rnd_ctx, rnd_func, label_length, label, length,
1057
0
          message, ciphertext);
1058
0
}
1059
1060
static int _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
1061
           gnutls_datum_t *ciphertext,
1062
           const gnutls_datum_t *plaintext,
1063
           const gnutls_pk_params_st *pk_params,
1064
           const gnutls_x509_spki_st *encrypt_params)
1065
0
{
1066
0
  int ret;
1067
0
  bool not_approved = false;
1068
0
  uint8_t *buf = NULL;
1069
1070
0
  FAIL_IF_LIB_ERROR;
1071
1072
0
  if (algo == GNUTLS_PK_RSA && pk_params->spki.pk == GNUTLS_PK_RSA_OAEP) {
1073
0
    algo = GNUTLS_PK_RSA_OAEP;
1074
0
  }
1075
1076
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::encrypt",
1077
0
              "pk::algorithm", CRAU_STRING,
1078
0
              gnutls_pk_get_name(algo), NULL);
1079
1080
0
  switch (algo) {
1081
0
  case GNUTLS_PK_RSA: {
1082
0
    struct rsa_public_key pub;
1083
0
    nettle_random_func *random_func;
1084
0
    size_t bits;
1085
1086
0
    if (!_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
1087
0
      ret = gnutls_assert_val(
1088
0
        GNUTLS_E_UNSUPPORTED_ENCRYPTION_ALGORITHM);
1089
0
      goto cleanup;
1090
0
    }
1091
1092
    /* RSA encryption with PKCS#1 v1.5 padding is not approved */
1093
0
    not_approved = true;
1094
1095
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
1096
0
    if (ret < 0) {
1097
0
      gnutls_assert();
1098
0
      goto cleanup;
1099
0
    }
1100
1101
0
    bits = mpz_sizeinbase(pub.n, 2);
1102
1103
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
1104
1105
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
1106
0
      random_func = rnd_nonce_func_fallback;
1107
0
    else
1108
0
      random_func = rnd_nonce_func;
1109
1110
0
    buf = gnutls_malloc(pub.size);
1111
0
    if (!buf) {
1112
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1113
0
      goto cleanup;
1114
0
    }
1115
1116
0
    ret = _rsa_encrypt(&pub, NULL, random_func, plaintext->size,
1117
0
           plaintext->data, buf);
1118
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
1119
0
      ret = gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED);
1120
0
      goto cleanup;
1121
0
    }
1122
1123
0
    ciphertext->data = buf;
1124
0
    buf = NULL;
1125
0
    ciphertext->size = pub.size;
1126
0
    break;
1127
0
  }
1128
0
  case GNUTLS_PK_RSA_OAEP: {
1129
0
    struct rsa_public_key pub;
1130
0
    nettle_random_func *random_func;
1131
0
    size_t bits;
1132
1133
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
1134
0
    if (ret < 0) {
1135
0
      gnutls_assert();
1136
0
      goto cleanup;
1137
0
    }
1138
1139
0
    bits = mpz_sizeinbase(pub.n, 2);
1140
1141
0
    _gnutls_audit_data(
1142
0
      "pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING,
1143
0
      gnutls_digest_get_name(encrypt_params->rsa_oaep_dig),
1144
0
      NULL);
1145
1146
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
1147
0
      random_func = rnd_nonce_func_fallback;
1148
0
    else
1149
0
      random_func = rnd_nonce_func;
1150
1151
0
    buf = gnutls_malloc(pub.size);
1152
0
    if (!buf) {
1153
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1154
0
      goto cleanup;
1155
0
    }
1156
1157
0
    ret = _rsa_oaep_encrypt(encrypt_params->rsa_oaep_dig, &pub,
1158
0
          NULL, random_func,
1159
0
          encrypt_params->rsa_oaep_label.size,
1160
0
          encrypt_params->rsa_oaep_label.data,
1161
0
          plaintext->size, plaintext->data, buf);
1162
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
1163
0
      ret = gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED);
1164
0
      goto cleanup;
1165
0
    }
1166
0
    ciphertext->data = buf;
1167
0
    buf = NULL;
1168
0
    ciphertext->size = pub.size;
1169
0
    break;
1170
0
  }
1171
0
  default:
1172
0
    gnutls_assert();
1173
0
    ret = GNUTLS_E_INVALID_REQUEST;
1174
0
    goto cleanup;
1175
0
  }
1176
1177
0
  ret = 0;
1178
1179
0
cleanup:
1180
0
  gnutls_free(buf);
1181
0
  if (ret < 0) {
1182
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
1183
0
  } else if (not_approved) {
1184
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
1185
0
  } else {
1186
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
1187
0
  }
1188
1189
0
  gnutls_audit_pop_context();
1190
1191
0
  FAIL_IF_LIB_ERROR;
1192
0
  return ret;
1193
0
}
1194
1195
/* This wraps nettle_rsa_decrypt_tr so it takes ciphertext as a byte
1196
 * array instead of a mpz_t value.  Returns 1 on success; 0 otherwise.
1197
 */
1198
static inline int _rsa_decrypt_tr(const struct rsa_public_key *pub,
1199
          const struct rsa_private_key *key,
1200
          void *rnd_ctx, nettle_random_func *rnd_func,
1201
          size_t *length, uint8_t *message,
1202
          const uint8_t *ciphertext)
1203
0
{
1204
0
  bigint_t c;
1205
0
  int ret;
1206
1207
0
  if (_gnutls_mpi_init_scan_nz(&c, ciphertext, pub->size) < 0) {
1208
0
    gnutls_assert();
1209
0
    return 0;
1210
0
  }
1211
1212
0
  ret = rsa_decrypt_tr(pub, key, rnd_ctx, rnd_func, length, message, c);
1213
1214
0
  _gnutls_mpi_release(&c);
1215
1216
0
  return ret;
1217
0
}
1218
1219
/* This wraps nettle_rsa_oaep_sha*_decrypt to parametrize the function
1220
 * calls with a DIG argument.  Returns 1 on success; 0 otherwise.
1221
 */
1222
static inline int _rsa_oaep_decrypt(gnutls_digest_algorithm_t dig,
1223
            const struct rsa_public_key *pub,
1224
            const struct rsa_private_key *key,
1225
            void *rnd_ctx, nettle_random_func *rnd_func,
1226
            size_t label_length, const uint8_t *label,
1227
            size_t *length, uint8_t *message,
1228
            const uint8_t *ciphertext)
1229
0
{
1230
0
  int (*decrypt_func)(const struct rsa_public_key *,
1231
0
          const struct rsa_private_key *, void *,
1232
0
          nettle_random_func *, size_t, const uint8_t *,
1233
0
          size_t *, uint8_t *, const uint8_t *);
1234
1235
0
  switch (dig) {
1236
0
  case GNUTLS_DIG_SHA256:
1237
0
    decrypt_func = rsa_oaep_sha256_decrypt;
1238
0
    break;
1239
0
  case GNUTLS_DIG_SHA384:
1240
0
    decrypt_func = rsa_oaep_sha384_decrypt;
1241
0
    break;
1242
0
  case GNUTLS_DIG_SHA512:
1243
0
    decrypt_func = rsa_oaep_sha512_decrypt;
1244
0
    break;
1245
0
  default:
1246
0
    gnutls_assert();
1247
0
    return 0;
1248
0
  }
1249
1250
0
  return decrypt_func(pub, key, rnd_ctx, rnd_func, label_length, label,
1251
0
          length, message, ciphertext);
1252
0
}
1253
1254
static int _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
1255
           gnutls_datum_t *plaintext,
1256
           const gnutls_datum_t *ciphertext,
1257
           const gnutls_pk_params_st *pk_params,
1258
           const gnutls_x509_spki_st *encrypt_params)
1259
0
{
1260
0
  int ret;
1261
0
  bool not_approved = false;
1262
0
  uint8_t *buf = NULL;
1263
1264
0
  FAIL_IF_LIB_ERROR;
1265
1266
0
  if (algo == GNUTLS_PK_RSA && encrypt_params->pk == GNUTLS_PK_RSA_OAEP) {
1267
0
    algo = GNUTLS_PK_RSA_OAEP;
1268
0
  }
1269
1270
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::decrypt",
1271
0
              "pk::algorithm", CRAU_STRING,
1272
0
              gnutls_pk_get_name(algo), NULL);
1273
1274
0
  switch (algo) {
1275
0
  case GNUTLS_PK_RSA: {
1276
0
    struct rsa_private_key priv;
1277
0
    struct rsa_public_key pub;
1278
0
    size_t length;
1279
0
    nettle_random_func *random_func;
1280
0
    size_t bits;
1281
1282
0
    if (!_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
1283
0
      ret = gnutls_assert_val(
1284
0
        GNUTLS_E_UNSUPPORTED_ENCRYPTION_ALGORITHM);
1285
0
      goto cleanup;
1286
0
    }
1287
1288
    /* RSA decryption with PKCS#1 v1.5 padding is not approved */
1289
0
    not_approved = true;
1290
1291
0
    _rsa_params_to_privkey(pk_params, &priv);
1292
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
1293
0
    if (ret < 0) {
1294
0
      gnutls_assert();
1295
0
      goto cleanup;
1296
0
    }
1297
1298
0
    bits = mpz_sizeinbase(pub.n, 2);
1299
1300
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
1301
1302
0
    if (ciphertext->size != pub.size) {
1303
0
      ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1304
0
      goto cleanup;
1305
0
    }
1306
1307
0
    length = pub.size;
1308
0
    buf = gnutls_malloc(length);
1309
0
    if (!buf) {
1310
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1311
0
      goto cleanup;
1312
0
    }
1313
1314
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
1315
0
      random_func = rnd_nonce_func_fallback;
1316
0
    else
1317
0
      random_func = rnd_nonce_func;
1318
0
    ret = _rsa_decrypt_tr(&pub, &priv, NULL, random_func, &length,
1319
0
              buf, ciphertext->data);
1320
1321
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
1322
0
      ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1323
0
      goto cleanup;
1324
0
    }
1325
1326
0
    plaintext->data = buf;
1327
0
    buf = NULL;
1328
0
    plaintext->size = length;
1329
0
    break;
1330
0
  }
1331
0
  case GNUTLS_PK_RSA_OAEP: {
1332
0
    struct rsa_private_key priv;
1333
0
    struct rsa_public_key pub;
1334
0
    size_t length;
1335
0
    nettle_random_func *random_func;
1336
0
    size_t bits;
1337
1338
0
    _rsa_params_to_privkey(pk_params, &priv);
1339
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
1340
0
    if (ret < 0) {
1341
0
      gnutls_assert();
1342
0
      goto cleanup;
1343
0
    }
1344
1345
0
    bits = mpz_sizeinbase(pub.n, 2);
1346
1347
0
    _gnutls_audit_data(
1348
0
      "pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING,
1349
0
      gnutls_digest_get_name(encrypt_params->rsa_oaep_dig),
1350
0
      NULL);
1351
1352
0
    if (ciphertext->size != pub.size) {
1353
0
      ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1354
0
      goto cleanup;
1355
0
    }
1356
1357
0
    length = pub.size;
1358
0
    buf = gnutls_malloc(length);
1359
0
    if (!buf) {
1360
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1361
0
      goto cleanup;
1362
0
    }
1363
1364
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
1365
0
      random_func = rnd_nonce_func_fallback;
1366
0
    else
1367
0
      random_func = rnd_nonce_func;
1368
0
    ret = _rsa_oaep_decrypt(encrypt_params->rsa_oaep_dig, &pub,
1369
0
          &priv, NULL, random_func,
1370
0
          encrypt_params->rsa_oaep_label.size,
1371
0
          encrypt_params->rsa_oaep_label.data,
1372
0
          &length, buf, ciphertext->data);
1373
1374
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
1375
0
      ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1376
0
      goto cleanup;
1377
0
    }
1378
1379
0
    plaintext->data = buf;
1380
0
    buf = NULL;
1381
0
    plaintext->size = length;
1382
0
    break;
1383
0
  }
1384
0
  default:
1385
0
    gnutls_assert();
1386
0
    ret = GNUTLS_E_INTERNAL_ERROR;
1387
0
    goto cleanup;
1388
0
  }
1389
1390
0
  ret = 0;
1391
1392
0
cleanup:
1393
0
  gnutls_free(buf);
1394
0
  if (ret < 0) {
1395
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
1396
0
  } else if (not_approved) {
1397
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
1398
0
  } else {
1399
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
1400
0
  }
1401
1402
0
  gnutls_audit_pop_context();
1403
1404
0
  FAIL_IF_LIB_ERROR;
1405
0
  return ret;
1406
0
}
1407
1408
/* This wraps nettle_rsa_sec_decrypt so it takes ciphertext as a byte
1409
 * array instead of a mpz_t value.  Returns 1 on success; 0 otherwise.
1410
 */
1411
static inline int _rsa_sec_decrypt(const struct rsa_public_key *pub,
1412
           const struct rsa_private_key *key,
1413
           void *rnd_ctx, nettle_random_func *rnd_func,
1414
           size_t length, uint8_t *message,
1415
           const uint8_t *ciphertext)
1416
0
{
1417
0
  bigint_t c;
1418
0
  int ret;
1419
1420
0
  if (_gnutls_mpi_init_scan_nz(&c, ciphertext, pub->size) < 0) {
1421
0
    gnutls_assert();
1422
0
    return 0;
1423
0
  }
1424
1425
0
  ret = rsa_sec_decrypt(pub, key, rnd_ctx, rnd_func, length, message, c);
1426
1427
0
  _gnutls_mpi_release(&c);
1428
1429
0
  return ret;
1430
0
}
1431
1432
/* Note: we do not allocate in this function to avoid asymettric
1433
 * unallocation (which creates a side channel) in case of failure
1434
 * */
1435
static int _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
1436
            const gnutls_datum_t *ciphertext,
1437
            unsigned char *plaintext,
1438
            size_t plaintext_size,
1439
            const gnutls_pk_params_st *pk_params,
1440
            const gnutls_x509_spki_st *encrypt_params)
1441
0
{
1442
0
  struct rsa_private_key priv;
1443
0
  struct rsa_public_key pub;
1444
0
  uint32_t is_err;
1445
0
  int ret;
1446
0
  nettle_random_func *random_func;
1447
0
  bool not_approved = false;
1448
0
  size_t bits;
1449
1450
0
  FAIL_IF_LIB_ERROR;
1451
1452
0
  if ((algo != GNUTLS_PK_RSA && algo != GNUTLS_PK_RSA_OAEP) ||
1453
0
      plaintext == NULL) {
1454
0
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1455
0
    goto fail;
1456
0
  }
1457
1458
0
  if (encrypt_params->pk == GNUTLS_PK_RSA_OAEP) {
1459
0
    algo = GNUTLS_PK_RSA_OAEP;
1460
0
  }
1461
1462
0
  _rsa_params_to_privkey(pk_params, &priv);
1463
0
  ret = _rsa_params_to_pubkey(pk_params, &pub);
1464
0
  if (ret < 0) {
1465
0
    gnutls_assert();
1466
0
    goto fail;
1467
0
  }
1468
1469
0
  bits = mpz_sizeinbase(pub.n, 2);
1470
1471
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::decrypt",
1472
0
              "pk::algorithm", CRAU_STRING,
1473
0
              gnutls_pk_get_name(algo),
1474
0
              "pk::bits", CRAU_WORD, bits, NULL);
1475
1476
0
  if (ciphertext->size != pub.size) {
1477
0
    ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1478
0
    goto fail;
1479
0
  }
1480
1481
0
  if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
1482
0
    random_func = rnd_nonce_func_fallback;
1483
0
  else
1484
0
    random_func = rnd_nonce_func;
1485
1486
0
  switch (algo) {
1487
0
  case GNUTLS_PK_RSA:
1488
0
    if (!_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
1489
0
      ret = gnutls_assert_val(
1490
0
        GNUTLS_E_UNSUPPORTED_ENCRYPTION_ALGORITHM);
1491
0
      goto fail;
1492
0
    }
1493
1494
    /* RSA decryption with PKCS#1 v1.5 padding is not approved */
1495
0
    not_approved = true;
1496
1497
0
    ret = _rsa_sec_decrypt(&pub, &priv, NULL, random_func,
1498
0
               plaintext_size, plaintext,
1499
0
               ciphertext->data);
1500
0
    break;
1501
0
  case GNUTLS_PK_RSA_OAEP:
1502
0
    _gnutls_audit_data(
1503
0
      "pk::hash", CRAU_STRING,
1504
0
      gnutls_digest_get_name(encrypt_params->rsa_oaep_dig),
1505
0
      NULL);
1506
1507
0
    ret = _rsa_oaep_decrypt(encrypt_params->rsa_oaep_dig, &pub,
1508
0
          &priv, NULL, random_func,
1509
0
          encrypt_params->rsa_oaep_label.size,
1510
0
          encrypt_params->rsa_oaep_label.data,
1511
0
          &plaintext_size, plaintext,
1512
0
          ciphertext->data);
1513
0
    break;
1514
0
  default:
1515
0
    gnutls_assert();
1516
0
    ret = GNUTLS_E_INTERNAL_ERROR;
1517
0
    goto fail;
1518
0
  }
1519
1520
  /* The decrypt operation is infallible; treat the approved
1521
   * operation as complete at this point, regardless of any
1522
   * decryption failure detected below.
1523
   */
1524
0
  _gnutls_switch_fips_state(not_approved ?
1525
0
            GNUTLS_FIPS140_OP_NOT_APPROVED :
1526
0
            GNUTLS_FIPS140_OP_APPROVED);
1527
1528
  /* after this point, any conditional on failure that cause differences
1529
   * in execution may create a timing or cache access pattern side
1530
   * channel that can be used as an oracle, so thread very carefully */
1531
1532
  /* Here HAVE_LIB_ERROR() should be fine as it doesn't have
1533
   * branches in it and returns a bool */
1534
0
  is_err = HAVE_LIB_ERROR();
1535
  /* if is_err != 0 */
1536
0
  is_err = CONSTCHECK_NOT_EQUAL(is_err, 0);
1537
  /* or ret == 0 */
1538
0
  is_err |= CONSTCHECK_EQUAL(ret, 0);
1539
  /* then return GNUTLS_E_DECRYPTION_FAILED */
1540
0
  return (int)((is_err * UINT_MAX) & GNUTLS_E_DECRYPTION_FAILED);
1541
1542
0
fail:
1543
0
  _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
1544
1545
0
  gnutls_audit_pop_context();
1546
1547
0
  return ret;
1548
0
}
1549
1550
#define CHECK_INVALID_RSA_PSS_PARAMS(dig_size, salt_size, pub_size, err) \
1551
0
  if (unlikely(dig_size + salt_size + 2 > pub_size))               \
1552
0
  return gnutls_assert_val(err)
1553
1554
static int _rsa_pss_sign_digest_tr(gnutls_digest_algorithm_t dig,
1555
           const struct rsa_public_key *pub,
1556
           const struct rsa_private_key *priv,
1557
           void *rnd_ctx, nettle_random_func *rnd_func,
1558
           size_t salt_size, const uint8_t *digest,
1559
           mpz_t s)
1560
0
{
1561
0
  int (*sign_func)(const struct rsa_public_key *,
1562
0
       const struct rsa_private_key *, void *,
1563
0
       nettle_random_func *, size_t, const uint8_t *,
1564
0
       const uint8_t *, mpz_t);
1565
0
  uint8_t *salt = NULL;
1566
0
  size_t hash_size;
1567
0
  int ret;
1568
1569
0
  switch (dig) {
1570
0
  case GNUTLS_DIG_SHA256:
1571
0
    sign_func = rsa_pss_sha256_sign_digest_tr;
1572
0
    hash_size = 32;
1573
0
    break;
1574
0
  case GNUTLS_DIG_SHA384:
1575
0
    sign_func = rsa_pss_sha384_sign_digest_tr;
1576
0
    hash_size = 48;
1577
0
    break;
1578
0
  case GNUTLS_DIG_SHA512:
1579
0
    sign_func = rsa_pss_sha512_sign_digest_tr;
1580
0
    hash_size = 64;
1581
0
    break;
1582
0
  default:
1583
0
    gnutls_assert();
1584
0
    return GNUTLS_E_UNKNOWN_ALGORITHM;
1585
0
  }
1586
1587
  /* This is also checked in pss_encode_mgf1, but error out earlier.  */
1588
0
  CHECK_INVALID_RSA_PSS_PARAMS(hash_size, salt_size, pub->size,
1589
0
             GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
1590
1591
0
  if (salt_size > 0) {
1592
0
    salt = gnutls_malloc(salt_size);
1593
0
    if (salt == NULL)
1594
0
      return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1595
1596
0
    rnd_func(NULL, salt_size, salt);
1597
0
  }
1598
1599
0
  ret = sign_func(pub, priv, rnd_ctx, rnd_func, salt_size, salt, digest,
1600
0
      s);
1601
0
  if (ret == 0) {
1602
0
    gnutls_assert();
1603
0
    ret = GNUTLS_E_PK_SIGN_FAILED;
1604
0
  } else
1605
0
    ret = 0;
1606
1607
0
  gnutls_free(salt);
1608
0
  return ret;
1609
0
}
1610
1611
static inline gnutls_ecc_curve_t get_eddsa_curve(gnutls_pk_algorithm_t algo)
1612
0
{
1613
0
  switch (algo) {
1614
0
  case GNUTLS_PK_EDDSA_ED25519:
1615
0
    return GNUTLS_ECC_CURVE_ED25519;
1616
0
  case GNUTLS_PK_EDDSA_ED448:
1617
0
    return GNUTLS_ECC_CURVE_ED448;
1618
0
  default:
1619
0
    return gnutls_assert_val(GNUTLS_ECC_CURVE_INVALID);
1620
0
  }
1621
0
}
1622
1623
static inline gnutls_ecc_curve_t get_ecdh_curve(gnutls_pk_algorithm_t algo)
1624
0
{
1625
0
  switch (algo) {
1626
0
  case GNUTLS_PK_ECDH_X25519:
1627
0
    return GNUTLS_ECC_CURVE_X25519;
1628
0
  case GNUTLS_PK_ECDH_X448:
1629
0
    return GNUTLS_ECC_CURVE_X448;
1630
0
  default:
1631
0
    return gnutls_assert_val(GNUTLS_ECC_CURVE_INVALID);
1632
0
  }
1633
0
}
1634
1635
static inline int eddsa_sign(gnutls_pk_algorithm_t algo, const uint8_t *pub,
1636
           const uint8_t *priv, size_t length,
1637
           const uint8_t *msg, uint8_t *signature)
1638
0
{
1639
0
  switch (algo) {
1640
0
  case GNUTLS_PK_EDDSA_ED25519:
1641
0
    ed25519_sha512_sign(pub, priv, length, msg, signature);
1642
0
    return 0;
1643
0
  case GNUTLS_PK_EDDSA_ED448:
1644
0
    ed448_shake256_sign(pub, priv, length, msg, signature);
1645
0
    return 0;
1646
0
  default:
1647
0
    return gnutls_assert_val(
1648
0
      GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1649
0
  }
1650
0
}
1651
1652
#ifdef HAVE_LEANCRYPTO
1653
static enum lc_dilithium_type
1654
ml_dsa_pk_to_lc_dilithium_type(gnutls_pk_algorithm_t algo)
1655
{
1656
  switch (algo) {
1657
#ifdef LC_DILITHIUM_44_ENABLED
1658
  case GNUTLS_PK_MLDSA44:
1659
    return LC_DILITHIUM_44;
1660
#endif
1661
#ifdef LC_DILITHIUM_65_ENABLED
1662
  case GNUTLS_PK_MLDSA65:
1663
    return LC_DILITHIUM_65;
1664
#endif
1665
#ifdef LC_DILITHIUM_87_ENABLED
1666
  case GNUTLS_PK_MLDSA87:
1667
    return LC_DILITHIUM_87;
1668
#endif
1669
  default:
1670
    return gnutls_assert_val(LC_DILITHIUM_UNKNOWN);
1671
  }
1672
}
1673
1674
static int ml_dsa_exists(gnutls_pk_algorithm_t algo)
1675
{
1676
  return ml_dsa_pk_to_lc_dilithium_type(algo) != LC_DILITHIUM_UNKNOWN;
1677
}
1678
1679
static int ml_dsa_sign(gnutls_pk_algorithm_t algo, gnutls_datum_t *signature,
1680
           const gnutls_datum_t *message,
1681
           const gnutls_datum_t *raw_priv)
1682
{
1683
  int ret;
1684
  enum lc_dilithium_type type;
1685
  struct lc_dilithium_sk sk;
1686
  struct lc_dilithium_sig sig;
1687
  gnutls_datum_t tmp_signature = { NULL, 0 };
1688
  uint8_t *ptr;
1689
  size_t len;
1690
1691
  type = ml_dsa_pk_to_lc_dilithium_type(algo);
1692
  if (type == LC_DILITHIUM_UNKNOWN)
1693
    return gnutls_assert_val(
1694
      GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1695
1696
  ret = lc_dilithium_sk_load(&sk, raw_priv->data, raw_priv->size);
1697
  if (ret < 0 || lc_dilithium_sk_type(&sk) != type) {
1698
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1699
    goto cleanup;
1700
  }
1701
1702
  ret = lc_dilithium_sign(&sig, message->data, message->size, &sk,
1703
        lc_seeded_rng);
1704
  if (ret < 0) {
1705
    ret = gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED);
1706
    goto cleanup;
1707
  }
1708
1709
  ret = lc_dilithium_sig_ptr(&ptr, &len, &sig);
1710
  if (ret < 0) {
1711
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1712
    goto cleanup;
1713
  }
1714
  ret = _gnutls_set_datum(&tmp_signature, ptr, len);
1715
  if (ret < 0)
1716
    goto cleanup;
1717
1718
  *signature = _gnutls_take_datum(&tmp_signature);
1719
1720
  ret = 0;
1721
1722
cleanup:
1723
  _gnutls_free_datum(&tmp_signature);
1724
  zeroize_key(&sk, sizeof(sk));
1725
  return ret;
1726
}
1727
1728
static int ml_dsa_verify(gnutls_pk_algorithm_t algo,
1729
       const gnutls_datum_t *signature,
1730
       const gnutls_datum_t *message,
1731
       const gnutls_datum_t *raw_pub)
1732
{
1733
  int ret;
1734
  enum lc_dilithium_type type;
1735
  struct lc_dilithium_sig sig;
1736
  struct lc_dilithium_pk pk;
1737
1738
  type = ml_dsa_pk_to_lc_dilithium_type(algo);
1739
  if (type == LC_DILITHIUM_UNKNOWN)
1740
    return gnutls_assert_val(
1741
      GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1742
1743
  ret = lc_dilithium_pk_load(&pk, raw_pub->data, raw_pub->size);
1744
  if (ret < 0 || lc_dilithium_pk_type(&pk) != type) {
1745
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1746
    goto cleanup;
1747
  }
1748
1749
  ret = lc_dilithium_sig_load(&sig, signature->data, signature->size);
1750
  if (ret < 0 || lc_dilithium_sig_type(&sig) != type) {
1751
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1752
    goto cleanup;
1753
  }
1754
1755
  ret = lc_dilithium_verify(&sig, message->data, message->size, &pk);
1756
  if (ret < 0) {
1757
    ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
1758
    goto cleanup;
1759
  }
1760
1761
  ret = 0;
1762
1763
cleanup:
1764
  zeroize_key(&pk, sizeof(pk));
1765
  return ret;
1766
}
1767
1768
static int ml_dsa_generate_keypair(gnutls_pk_algorithm_t algo,
1769
           gnutls_datum_t *raw_priv,
1770
           gnutls_datum_t *raw_pub,
1771
           const gnutls_datum_t *raw_seed)
1772
{
1773
  int ret;
1774
  enum lc_dilithium_type type;
1775
  struct lc_dilithium_sk sk;
1776
  struct lc_dilithium_pk pk;
1777
  gnutls_datum_t tmp_raw_priv = { NULL, 0 };
1778
  gnutls_datum_t tmp_raw_pub = { NULL, 0 };
1779
  uint8_t *ptr;
1780
  size_t len;
1781
1782
  type = ml_dsa_pk_to_lc_dilithium_type(algo);
1783
  if (type == LC_DILITHIUM_UNKNOWN)
1784
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
1785
1786
  ret = lc_dilithium_keypair_from_seed(&pk, &sk, raw_seed->data,
1787
               raw_seed->size, type);
1788
  if (ret < 0) {
1789
    ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
1790
    goto cleanup;
1791
  }
1792
1793
  ret = lc_dilithium_sk_ptr(&ptr, &len, &sk);
1794
  if (ret < 0) {
1795
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1796
    goto cleanup;
1797
  }
1798
1799
  ret = _gnutls_set_datum(&tmp_raw_priv, ptr, len);
1800
  if (ret < 0) {
1801
    gnutls_assert();
1802
    goto cleanup;
1803
  }
1804
1805
  ret = lc_dilithium_pk_ptr(&ptr, &len, &pk);
1806
  if (ret < 0) {
1807
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1808
    goto cleanup;
1809
  }
1810
1811
  ret = _gnutls_set_datum(&tmp_raw_pub, ptr, len);
1812
  if (ret < 0) {
1813
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1814
    goto cleanup;
1815
  }
1816
1817
  *raw_priv = _gnutls_take_datum(&tmp_raw_priv);
1818
  *raw_pub = _gnutls_take_datum(&tmp_raw_pub);
1819
1820
  ret = 0;
1821
1822
cleanup:
1823
  _gnutls_free_key_datum(&tmp_raw_priv);
1824
  _gnutls_free_key_datum(&tmp_raw_pub);
1825
  zeroize_key(&pk, sizeof(pk));
1826
  zeroize_key(&sk, sizeof(sk));
1827
  return ret;
1828
}
1829
1830
#ifdef HAVE_LC_DILITHIUM_PK_FROM_SK
1831
static int ml_dsa_privkey_to_pubkey(gnutls_pk_algorithm_t algo,
1832
            const gnutls_datum_t *raw_priv,
1833
            gnutls_datum_t *raw_pub)
1834
{
1835
  int ret;
1836
  enum lc_dilithium_type type;
1837
  struct lc_dilithium_sk sk;
1838
  struct lc_dilithium_pk pk;
1839
  gnutls_datum_t tmp_raw_pub = { NULL, 0 };
1840
  uint8_t *ptr;
1841
  size_t len;
1842
1843
  type = ml_dsa_pk_to_lc_dilithium_type(algo);
1844
  if (type == LC_DILITHIUM_UNKNOWN)
1845
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
1846
1847
  ret = lc_dilithium_sk_load(&sk, raw_priv->data, raw_priv->size);
1848
  if (ret < 0 || lc_dilithium_sk_type(&sk) != type) {
1849
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1850
    goto cleanup;
1851
  }
1852
1853
  ret = lc_dilithium_pk_from_sk(&pk, &sk);
1854
  if (ret < 0) {
1855
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1856
    goto cleanup;
1857
  }
1858
1859
  ret = lc_dilithium_pk_ptr(&ptr, &len, &pk);
1860
  if (ret < 0) {
1861
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1862
    goto cleanup;
1863
  }
1864
1865
  ret = _gnutls_set_datum(&tmp_raw_pub, ptr, len);
1866
  if (ret < 0) {
1867
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1868
    goto cleanup;
1869
  }
1870
1871
  *raw_pub = _gnutls_take_datum(&tmp_raw_pub);
1872
1873
  ret = 0;
1874
1875
cleanup:
1876
  _gnutls_free_key_datum(&tmp_raw_pub);
1877
  zeroize_key(&pk, sizeof(pk));
1878
  zeroize_key(&sk, sizeof(sk));
1879
  return ret;
1880
}
1881
#else /* !HAVE_LC_DILITHIUM_PK_FROM_SK */
1882
static int ml_dsa_privkey_to_pubkey(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
1883
            const gnutls_datum_t *raw_priv MAYBE_UNUSED,
1884
            gnutls_datum_t *raw_pub MAYBE_UNUSED)
1885
{
1886
  return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
1887
}
1888
#endif
1889
#else /* !HAVE_LEANCRYPTO */
1890
static int ml_dsa_exists(gnutls_pk_algorithm_t algo MAYBE_UNUSED)
1891
0
{
1892
0
  return 0;
1893
0
}
1894
1895
static int ml_dsa_sign(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
1896
           gnutls_datum_t *signature MAYBE_UNUSED,
1897
           const gnutls_datum_t *message MAYBE_UNUSED,
1898
           const gnutls_datum_t *raw_priv MAYBE_UNUSED)
1899
0
{
1900
0
  return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1901
0
}
1902
1903
static int ml_dsa_verify(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
1904
       const gnutls_datum_t *signature MAYBE_UNUSED,
1905
       const gnutls_datum_t *message MAYBE_UNUSED,
1906
       const gnutls_datum_t *raw_pub MAYBE_UNUSED)
1907
0
{
1908
0
  return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1909
0
}
1910
1911
static int ml_dsa_generate_keypair(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
1912
           gnutls_datum_t *raw_priv MAYBE_UNUSED,
1913
           gnutls_datum_t *raw_pub MAYBE_UNUSED,
1914
           const gnutls_datum_t *raw_seed MAYBE_UNUSED)
1915
0
{
1916
0
  return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1917
0
}
1918
1919
static int ml_dsa_privkey_to_pubkey(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
1920
            const gnutls_datum_t *raw_priv MAYBE_UNUSED,
1921
            gnutls_datum_t *raw_pub MAYBE_UNUSED)
1922
0
{
1923
0
  return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1924
0
}
1925
#endif
1926
1927
/* This is the lower-level part of privkey_sign_raw_data().
1928
 *
1929
 * It accepts data in the appropriate hash form, i.e., DigestInfo
1930
 * for PK_RSA, hash for PK_ECDSA, PK_DSA, PK_RSA_PSS, and raw data
1931
 * for Ed25519 and Ed448.
1932
 *
1933
 * in case of EC/DSA, signed data are encoded into r,s values
1934
 */
1935
static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
1936
        gnutls_datum_t *signature,
1937
        const gnutls_datum_t *vdata,
1938
        const gnutls_pk_params_st *pk_params,
1939
        const gnutls_x509_spki_st *sign_params)
1940
0
{
1941
0
  int ret;
1942
0
  unsigned int hash_len;
1943
0
  const mac_entry_st *me;
1944
0
  bool not_approved = false;
1945
1946
0
  FAIL_IF_LIB_ERROR;
1947
1948
  /* check if the curve relates to the algorithm used */
1949
0
  if (IS_EC(algo) && gnutls_ecc_curve_get_pk(pk_params->curve) != algo) {
1950
0
    ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
1951
0
    goto cleanup;
1952
0
  }
1953
1954
  /* deterministic ECDSA/DSA is prohibited under FIPS except in
1955
   * the selftests */
1956
0
  if ((algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_ECDSA) &&
1957
0
      (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) &&
1958
0
      _gnutls_fips_mode_enabled() &&
1959
0
      _gnutls_get_lib_state() != LIB_STATE_SELFTEST) {
1960
0
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1961
0
    goto cleanup;
1962
0
  }
1963
1964
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::sign",
1965
0
              "pk::algorithm", CRAU_STRING,
1966
0
              gnutls_pk_get_name(algo), NULL);
1967
1968
0
  switch (algo) {
1969
0
  case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */
1970
0
  case GNUTLS_PK_EDDSA_ED448: {
1971
0
    const gnutls_ecc_curve_entry_st *e;
1972
1973
0
    if (unlikely(get_eddsa_curve(algo) != pk_params->curve)) {
1974
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
1975
0
      goto cleanup;
1976
0
    }
1977
1978
0
    e = _gnutls_ecc_curve_get_params(pk_params->curve);
1979
0
    if (e == NULL) {
1980
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1981
0
      goto cleanup;
1982
0
    }
1983
1984
0
    signature->data = gnutls_malloc(e->sig_size);
1985
0
    if (signature->data == NULL) {
1986
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1987
0
      goto cleanup;
1988
0
    }
1989
1990
0
    signature->size = e->sig_size;
1991
1992
0
    if (pk_params->raw_pub.size != e->size ||
1993
0
        pk_params->raw_priv.size != e->size) {
1994
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED);
1995
0
      goto cleanup;
1996
0
    }
1997
1998
0
    ret = eddsa_sign(algo, pk_params->raw_pub.data,
1999
0
         pk_params->raw_priv.data, vdata->size,
2000
0
         vdata->data, signature->data);
2001
0
    if (ret < 0)
2002
0
      goto cleanup;
2003
2004
0
    break;
2005
0
  }
2006
0
#if ENABLE_GOST
2007
0
  case GNUTLS_PK_GOST_01:
2008
0
  case GNUTLS_PK_GOST_12_256:
2009
0
  case GNUTLS_PK_GOST_12_512: {
2010
0
    struct ecc_scalar priv;
2011
0
    struct dsa_signature sig;
2012
0
    const struct ecc_curve *curve;
2013
2014
    /* GOSTDSA is not approved */
2015
0
    not_approved = true;
2016
2017
0
    curve = get_supported_gost_curve(pk_params->curve);
2018
0
    if (curve == NULL) {
2019
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2020
0
      goto cleanup;
2021
0
    }
2022
2023
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
2024
0
           gnutls_ecc_curve_get_name(pk_params->curve),
2025
0
           NULL);
2026
2027
0
    ret = _ecc_params_to_privkey(pk_params, &priv, curve);
2028
0
    if (ret < 0) {
2029
0
      gnutls_assert();
2030
0
      goto cleanup;
2031
0
    }
2032
2033
    /* This call will return a valid MAC entry and
2034
       * getters will check that is not null anyway. */
2035
0
    me = hash_to_entry(_gnutls_gost_digest(pk_params->algo));
2036
0
    if (_gnutls_mac_get_algo_len(me) != vdata->size) {
2037
0
      _gnutls_debug_log(
2038
0
        "Security level of algorithm requires hash %s(%zd)\n",
2039
0
        _gnutls_mac_get_name(me),
2040
0
        _gnutls_mac_get_algo_len(me));
2041
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
2042
0
      goto cleanup;
2043
0
    }
2044
2045
0
    dsa_signature_init(&sig);
2046
2047
0
    gostdsa_sign(&priv, NULL, rnd_tmpkey_func, vdata->size,
2048
0
           vdata->data, &sig);
2049
2050
0
    ret = _gnutls_encode_gost_rs(signature, &sig.r, &sig.s,
2051
0
               (ecc_bit_size(curve) + 7) / 8);
2052
2053
0
    dsa_signature_clear(&sig);
2054
0
    ecc_scalar_zclear(&priv);
2055
2056
0
    if (ret < 0) {
2057
0
      gnutls_assert();
2058
0
      goto cleanup;
2059
0
    }
2060
0
    break;
2061
0
  }
2062
0
#endif
2063
0
  case GNUTLS_PK_ECDSA: /* we do ECDSA */
2064
0
  {
2065
0
    struct ecc_scalar priv;
2066
0
    struct dsa_signature sig;
2067
0
    int curve_id = pk_params->curve;
2068
0
    const struct ecc_curve *curve;
2069
0
    mpz_t q;
2070
    /* 521-bit elliptic curve generator at maximum */
2071
0
    uint8_t buf[(521 + 7) / 8];
2072
0
    gnutls_datum_t k = { NULL, 0 };
2073
0
    void *random_ctx;
2074
0
    nettle_random_func *random_func;
2075
2076
0
    curve = get_supported_nist_curve(curve_id);
2077
0
    if (curve == NULL) {
2078
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2079
0
      goto cleanup;
2080
0
    }
2081
2082
    /* P-192 is not supported in FIPS 140-3 */
2083
0
    if (curve_id == GNUTLS_ECC_CURVE_SECP192R1) {
2084
0
      not_approved = true;
2085
0
    }
2086
2087
0
    ret = _ecc_params_to_privkey(pk_params, &priv, curve);
2088
0
    if (ret < 0) {
2089
0
      gnutls_assert();
2090
0
      goto cleanup;
2091
0
    }
2092
2093
0
    dsa_signature_init(&sig);
2094
2095
0
    me = _gnutls_dsa_q_to_hash(pk_params, &hash_len);
2096
2097
0
    if (hash_len > vdata->size) {
2098
0
      gnutls_assert();
2099
0
      _gnutls_debug_log(
2100
0
        "Security level of algorithm requires hash %s(%d) or better\n",
2101
0
        _gnutls_mac_get_name(me), hash_len);
2102
0
      hash_len = vdata->size;
2103
0
    }
2104
2105
    /* Only SHA-2 is allowed in FIPS 140-3 */
2106
0
    switch (DIG_TO_MAC(sign_params->dsa_dig)) {
2107
0
    case GNUTLS_MAC_SHA256:
2108
0
    case GNUTLS_MAC_SHA384:
2109
0
    case GNUTLS_MAC_SHA512:
2110
0
    case GNUTLS_MAC_SHA224:
2111
0
      break;
2112
0
    default:
2113
0
      not_approved = true;
2114
0
    }
2115
2116
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
2117
0
           gnutls_ecc_curve_get_name(curve_id),
2118
0
           "pk::hash", CRAU_STRING,
2119
0
           _gnutls_mac_get_name(me), NULL);
2120
2121
0
    mpz_init(q);
2122
2123
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
2124
0
        (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
2125
0
      mp_limb_t h[DSA_COMPUTE_K_ITCH];
2126
2127
0
      ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
2128
0
      if (ret < 0)
2129
0
        goto ecdsa_cleanup;
2130
2131
0
      ret = _gnutls_dsa_compute_k(
2132
0
        h, mpz_limbs_read(q), priv.p,
2133
0
        ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
2134
0
        DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
2135
0
        vdata->size);
2136
0
      if (ret < 0)
2137
0
        goto ecdsa_cleanup;
2138
2139
0
      k.data = buf;
2140
0
      k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
2141
2142
0
      _gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
2143
0
                   ecc_size(priv.ecc));
2144
2145
0
      random_ctx = &k;
2146
0
      random_func = rnd_datum_func;
2147
0
    } else {
2148
0
      random_ctx = NULL;
2149
0
      random_func = rnd_nonce_func;
2150
0
    }
2151
0
    ecdsa_sign(&priv, random_ctx, random_func, hash_len,
2152
0
         vdata->data, &sig);
2153
2154
    /* prevent memory leaks */
2155
0
    if (HAVE_LIB_ERROR()) {
2156
0
      ret = GNUTLS_E_LIB_IN_ERROR_STATE;
2157
0
      goto ecdsa_cleanup;
2158
0
    }
2159
2160
0
    ret = _gnutls_encode_ber_rs(signature, &sig.r, &sig.s);
2161
2162
0
  ecdsa_cleanup:
2163
0
    dsa_signature_clear(&sig);
2164
0
    ecc_scalar_zclear(&priv);
2165
0
    mpz_clear(q);
2166
2167
0
    if (ret < 0) {
2168
0
      gnutls_assert();
2169
0
      goto cleanup;
2170
0
    }
2171
0
    break;
2172
0
  }
2173
0
#ifdef ENABLE_DSA
2174
0
  case GNUTLS_PK_DSA: {
2175
0
    struct dsa_params pub;
2176
0
    bigint_t priv;
2177
0
    struct dsa_signature sig;
2178
    /* 512-bit DSA subgroup at maximum */
2179
0
    uint8_t buf[(512 + 7) / 8];
2180
0
    gnutls_datum_t k = { NULL, 0 };
2181
0
    void *random_ctx;
2182
0
    nettle_random_func *random_func;
2183
0
    size_t bits;
2184
2185
    /* DSA is currently being defined as sunset with the
2186
       * current draft of FIPS 186-5 */
2187
0
    not_approved = true;
2188
2189
0
    memset(&priv, 0, sizeof(priv));
2190
0
    memset(&pub, 0, sizeof(pub));
2191
0
    _dsa_params_get(pk_params, &pub);
2192
2193
0
    priv = pk_params->params[DSA_X];
2194
2195
0
    dsa_signature_init(&sig);
2196
2197
0
    me = _gnutls_dsa_q_to_hash(pk_params, &hash_len);
2198
2199
0
    if (hash_len > vdata->size) {
2200
0
      gnutls_assert();
2201
0
      _gnutls_debug_log(
2202
0
        "Security level of algorithm requires hash %s(%d) or better (have: %d)\n",
2203
0
        _gnutls_mac_get_name(me), hash_len,
2204
0
        (int)vdata->size);
2205
0
      hash_len = vdata->size;
2206
0
    }
2207
2208
0
    bits = mpz_sizeinbase(pub.p, 2);
2209
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
2210
2211
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
2212
0
        (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
2213
0
      mp_limb_t h[DSA_COMPUTE_K_ITCH];
2214
2215
0
      ret = _gnutls_dsa_compute_k(
2216
0
        h, mpz_limbs_read(pub.q),
2217
0
        mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
2218
0
        mpz_sizeinbase(pub.q, 2),
2219
0
        DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
2220
0
        vdata->size);
2221
0
      if (ret < 0)
2222
0
        goto dsa_fail;
2223
2224
0
      k.data = buf;
2225
0
      k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
2226
2227
0
      _gnutls_dsa_compute_k_finish(k.data, k.size, h,
2228
0
                 mpz_size(pub.q));
2229
2230
0
      random_ctx = &k;
2231
0
      random_func = rnd_datum_func;
2232
0
    } else {
2233
0
      random_ctx = NULL;
2234
0
      random_func = rnd_nonce_func;
2235
0
    }
2236
0
    ret = dsa_sign(&pub, TOMPZ(priv), random_ctx, random_func,
2237
0
             hash_len, vdata->data, &sig);
2238
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
2239
0
      gnutls_assert();
2240
0
      ret = GNUTLS_E_PK_SIGN_FAILED;
2241
0
      goto dsa_fail;
2242
0
    }
2243
2244
0
    ret = _gnutls_encode_ber_rs(signature, &sig.r, &sig.s);
2245
2246
0
  dsa_fail:
2247
0
    dsa_signature_clear(&sig);
2248
2249
0
    if (ret < 0) {
2250
0
      gnutls_assert();
2251
0
      goto cleanup;
2252
0
    }
2253
0
    break;
2254
0
  }
2255
0
#endif
2256
0
  case GNUTLS_PK_RSA: {
2257
0
    struct rsa_private_key priv;
2258
0
    struct rsa_public_key pub;
2259
0
    nettle_random_func *random_func;
2260
0
    mpz_t s;
2261
0
    size_t bits;
2262
2263
0
    _rsa_params_to_privkey(pk_params, &priv);
2264
2265
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
2266
0
    if (ret < 0) {
2267
0
      gnutls_assert();
2268
0
      goto cleanup;
2269
0
    }
2270
2271
0
    bits = mpz_sizeinbase(pub.n, 2);
2272
2273
    /* RSA modulus size should be 2048-bit or larger in FIPS
2274
       * 140-3.  In addition to this, only SHA-2 is allowed
2275
       * for SigGen; it is checked in pk_prepare_hash lib/pk.c
2276
       */
2277
0
    if (unlikely(bits < 2048)) {
2278
0
      not_approved = true;
2279
0
    }
2280
2281
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
2282
2283
0
    mpz_init(s);
2284
2285
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
2286
0
      random_func = rnd_nonce_func_fallback;
2287
0
    else
2288
0
      random_func = rnd_nonce_func;
2289
0
    ret = rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func,
2290
0
          vdata->size, vdata->data, s);
2291
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
2292
0
      gnutls_assert();
2293
0
      ret = GNUTLS_E_PK_SIGN_FAILED;
2294
0
      goto rsa_fail;
2295
0
    }
2296
2297
0
    ret = _gnutls_mpi_dprint_size(s, signature, pub.size);
2298
2299
0
  rsa_fail:
2300
0
    mpz_clear(s);
2301
2302
0
    if (ret < 0) {
2303
0
      gnutls_assert();
2304
0
      goto cleanup;
2305
0
    }
2306
2307
0
    break;
2308
0
  }
2309
0
  case GNUTLS_PK_RSA_PSS: {
2310
0
    struct rsa_private_key priv;
2311
0
    struct rsa_public_key pub;
2312
0
    nettle_random_func *random_func;
2313
0
    mpz_t s;
2314
0
    size_t bits;
2315
2316
0
    _rsa_params_to_privkey(pk_params, &priv);
2317
2318
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
2319
0
    if (ret < 0) {
2320
0
      gnutls_assert();
2321
0
      goto cleanup;
2322
0
    }
2323
2324
0
    bits = mpz_sizeinbase(pub.n, 2);
2325
2326
    /* RSA modulus size should be 2048-bit or larger in FIPS
2327
       * 140-3.  In addition to this, only SHA-2 is allowed
2328
       * for SigGen; however, Nettle only support SHA256,
2329
       * SHA384, and SHA512 for RSA-PSS (see
2330
       * _rsa_pss_sign_digest_tr in this file for details).
2331
       */
2332
0
    if (unlikely(bits < 2048)) {
2333
0
      not_approved = true;
2334
0
    }
2335
2336
0
    mpz_init(s);
2337
2338
0
    me = hash_to_entry(sign_params->rsa_pss_dig);
2339
2340
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, "pk::hash",
2341
0
           CRAU_STRING, _gnutls_mac_get_name(me), NULL);
2342
2343
    /* According to FIPS 186-5 5.4, the salt length must be
2344
       * in the range between 0 and the hash length inclusive.
2345
       */
2346
0
    if (sign_params->salt_size > _gnutls_mac_get_algo_len(me)) {
2347
0
      not_approved = true;
2348
0
    }
2349
2350
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
2351
0
      random_func = rnd_nonce_func_fallback;
2352
0
    else
2353
0
      random_func = rnd_nonce_func;
2354
0
    ret = _rsa_pss_sign_digest_tr(sign_params->rsa_pss_dig, &pub,
2355
0
                &priv, NULL, random_func,
2356
0
                sign_params->salt_size,
2357
0
                vdata->data, s);
2358
0
    if (ret < 0) {
2359
0
      gnutls_assert();
2360
0
      ret = GNUTLS_E_PK_SIGN_FAILED;
2361
0
      goto rsa_pss_fail;
2362
0
    }
2363
2364
0
    ret = _gnutls_mpi_dprint_size(s, signature, pub.size);
2365
2366
0
  rsa_pss_fail:
2367
0
    mpz_clear(s);
2368
2369
0
    if (ret < 0) {
2370
0
      gnutls_assert();
2371
0
      goto cleanup;
2372
0
    }
2373
2374
0
    break;
2375
0
  }
2376
0
  case GNUTLS_PK_MLDSA44:
2377
0
  case GNUTLS_PK_MLDSA65:
2378
0
  case GNUTLS_PK_MLDSA87:
2379
0
    not_approved = true;
2380
0
    ret = ml_dsa_sign(algo, signature, vdata, &pk_params->raw_priv);
2381
0
    if (ret < 0)
2382
0
      goto cleanup;
2383
0
    break;
2384
0
  default:
2385
0
    gnutls_assert();
2386
0
    ret = GNUTLS_E_INTERNAL_ERROR;
2387
0
    goto cleanup;
2388
0
  }
2389
2390
0
  ret = 0;
2391
2392
0
cleanup:
2393
0
  if (ret < 0) {
2394
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
2395
0
  } else if (not_approved) {
2396
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
2397
0
  } else {
2398
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
2399
0
  }
2400
2401
0
  gnutls_audit_pop_context();
2402
2403
0
  FAIL_IF_LIB_ERROR;
2404
0
  return ret;
2405
0
}
2406
2407
static int _rsa_pss_verify_digest(gnutls_digest_algorithm_t dig,
2408
          const struct rsa_public_key *pub,
2409
          size_t salt_size, const uint8_t *digest,
2410
          size_t digest_size, const mpz_t s)
2411
0
{
2412
0
  int (*verify_func)(const struct rsa_public_key *, size_t,
2413
0
         const uint8_t *, const mpz_t);
2414
0
  size_t hash_size;
2415
2416
0
  switch (dig) {
2417
0
  case GNUTLS_DIG_SHA256:
2418
0
    verify_func = rsa_pss_sha256_verify_digest;
2419
0
    hash_size = 32;
2420
0
    break;
2421
0
  case GNUTLS_DIG_SHA384:
2422
0
    verify_func = rsa_pss_sha384_verify_digest;
2423
0
    hash_size = 48;
2424
0
    break;
2425
0
  case GNUTLS_DIG_SHA512:
2426
0
    verify_func = rsa_pss_sha512_verify_digest;
2427
0
    hash_size = 64;
2428
0
    break;
2429
0
  default:
2430
0
    gnutls_assert();
2431
0
    return 0;
2432
0
  }
2433
2434
0
  if (digest_size != hash_size)
2435
0
    return gnutls_assert_val(0);
2436
2437
0
  CHECK_INVALID_RSA_PSS_PARAMS(hash_size, salt_size, pub->size, 0);
2438
2439
0
  return verify_func(pub, salt_size, digest, s);
2440
0
}
2441
2442
static inline int eddsa_verify(gnutls_pk_algorithm_t algo, const uint8_t *pub,
2443
             size_t length, const uint8_t *msg,
2444
             const uint8_t *signature)
2445
0
{
2446
0
  int ret;
2447
2448
0
  switch (algo) {
2449
0
  case GNUTLS_PK_EDDSA_ED25519:
2450
0
    ret = ed25519_sha512_verify(pub, length, msg, signature);
2451
0
    if (ret == 0)
2452
0
      return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2453
0
    return 0;
2454
0
  case GNUTLS_PK_EDDSA_ED448:
2455
0
    ret = ed448_shake256_verify(pub, length, msg, signature);
2456
0
    if (ret == 0)
2457
0
      return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2458
0
    return 0;
2459
0
  default:
2460
0
    return gnutls_assert_val(
2461
0
      GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
2462
0
  }
2463
0
}
2464
2465
static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
2466
          const gnutls_datum_t *vdata,
2467
          const gnutls_datum_t *signature,
2468
          const gnutls_pk_params_st *pk_params,
2469
          const gnutls_x509_spki_st *sign_params)
2470
0
{
2471
0
  int ret;
2472
0
  unsigned int hash_len;
2473
0
  bigint_t tmp[2] = { NULL, NULL };
2474
0
  bool not_approved = false;
2475
2476
0
  FAIL_IF_LIB_ERROR;
2477
2478
  /* check if the curve relates to the algorithm used */
2479
0
  if (IS_EC(algo) && gnutls_ecc_curve_get_pk(pk_params->curve) != algo) {
2480
0
    ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2481
0
    goto cleanup;
2482
0
  }
2483
2484
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::verify",
2485
0
              "pk::algorithm", CRAU_STRING,
2486
0
              gnutls_pk_get_name(algo), NULL);
2487
2488
0
  switch (algo) {
2489
0
  case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */
2490
0
  case GNUTLS_PK_EDDSA_ED448: {
2491
0
    const gnutls_ecc_curve_entry_st *e;
2492
2493
0
    if (unlikely(get_eddsa_curve(algo) != pk_params->curve)) {
2494
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2495
0
      goto cleanup;
2496
0
    }
2497
2498
0
    e = _gnutls_ecc_curve_get_params(pk_params->curve);
2499
0
    if (e == NULL) {
2500
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2501
0
      goto cleanup;
2502
0
    }
2503
2504
0
    if (signature->size != e->sig_size) {
2505
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2506
0
      goto cleanup;
2507
0
    }
2508
2509
0
    if (pk_params->raw_pub.size != e->size) {
2510
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED);
2511
0
      goto cleanup;
2512
0
    }
2513
2514
0
    ret = eddsa_verify(algo, pk_params->raw_pub.data, vdata->size,
2515
0
           vdata->data, signature->data);
2516
0
    break;
2517
0
  }
2518
0
#if ENABLE_GOST
2519
0
  case GNUTLS_PK_GOST_01:
2520
0
  case GNUTLS_PK_GOST_12_256:
2521
0
  case GNUTLS_PK_GOST_12_512: {
2522
0
    struct ecc_point pub;
2523
0
    struct dsa_signature sig;
2524
0
    const struct ecc_curve *curve;
2525
0
    const mac_entry_st *me;
2526
2527
    /* GOSTDSA is not approved */
2528
0
    not_approved = true;
2529
2530
0
    curve = get_supported_gost_curve(pk_params->curve);
2531
0
    if (curve == NULL) {
2532
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2533
0
      goto cleanup;
2534
0
    }
2535
2536
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
2537
0
           gnutls_ecc_curve_get_name(pk_params->curve),
2538
0
           NULL);
2539
2540
    /* This call will return a valid MAC entry and
2541
       * getters will check that is not null anyway. */
2542
0
    me = hash_to_entry(_gnutls_gost_digest(pk_params->algo));
2543
0
    if (_gnutls_mac_get_algo_len(me) != vdata->size) {
2544
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2545
0
      goto cleanup;
2546
0
    }
2547
2548
0
    ret = _gnutls_decode_gost_rs(signature, &tmp[0], &tmp[1]);
2549
0
    if (ret < 0) {
2550
0
      gnutls_assert();
2551
0
      goto cleanup;
2552
0
    }
2553
2554
0
    ret = _gost_params_to_pubkey(pk_params, &pub, curve);
2555
0
    if (ret < 0) {
2556
0
      gnutls_assert();
2557
0
      goto cleanup;
2558
0
    }
2559
2560
0
    memcpy(sig.r, tmp[0], SIZEOF_MPZT);
2561
0
    memcpy(sig.s, tmp[1], SIZEOF_MPZT);
2562
2563
0
    ret = gostdsa_verify(&pub, vdata->size, vdata->data, &sig);
2564
0
    if (ret == 0) {
2565
0
      gnutls_assert();
2566
0
      ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
2567
0
    } else
2568
0
      ret = 0;
2569
2570
0
    ecc_point_clear(&pub);
2571
0
    break;
2572
0
  }
2573
0
#endif
2574
0
  case GNUTLS_PK_ECDSA: /* ECDSA */
2575
0
  {
2576
0
    struct ecc_point pub;
2577
0
    struct dsa_signature sig;
2578
0
    int curve_id = pk_params->curve;
2579
0
    const struct ecc_curve *curve;
2580
0
    const mac_entry_st *me;
2581
2582
0
    curve = get_supported_nist_curve(curve_id);
2583
0
    if (curve == NULL) {
2584
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2585
0
      goto cleanup;
2586
0
    }
2587
2588
    /* P-192 is not supported in FIPS 140-3 */
2589
0
    if (curve_id == GNUTLS_ECC_CURVE_SECP192R1) {
2590
0
      not_approved = true;
2591
0
    }
2592
2593
0
    ret = _gnutls_decode_ber_rs(signature, &tmp[0], &tmp[1]);
2594
0
    if (ret < 0) {
2595
0
      gnutls_assert();
2596
0
      goto cleanup;
2597
0
    }
2598
2599
0
    ret = _ecc_params_to_pubkey(pk_params, &pub, curve);
2600
0
    if (ret < 0) {
2601
0
      gnutls_assert();
2602
0
      goto cleanup;
2603
0
    }
2604
2605
0
    memcpy(sig.r, tmp[0], SIZEOF_MPZT);
2606
0
    memcpy(sig.s, tmp[1], SIZEOF_MPZT);
2607
2608
0
    (void)_gnutls_dsa_q_to_hash(pk_params, &hash_len);
2609
2610
0
    if (hash_len > vdata->size)
2611
0
      hash_len = vdata->size;
2612
2613
0
    switch (DIG_TO_MAC(sign_params->dsa_dig)) {
2614
0
    case GNUTLS_MAC_SHA256:
2615
0
    case GNUTLS_MAC_SHA384:
2616
0
    case GNUTLS_MAC_SHA512:
2617
0
    case GNUTLS_MAC_SHA224:
2618
0
      break;
2619
0
    default:
2620
0
      not_approved = true;
2621
0
    }
2622
2623
0
    me = hash_to_entry(sign_params->dsa_dig);
2624
2625
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
2626
0
           gnutls_ecc_curve_get_name(curve_id),
2627
0
           "pk::hash", CRAU_STRING,
2628
0
           _gnutls_mac_get_name(me), NULL);
2629
2630
0
    ret = ecdsa_verify(&pub, hash_len, vdata->data, &sig);
2631
0
    if (ret == 0) {
2632
0
      gnutls_assert();
2633
0
      ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
2634
0
    } else
2635
0
      ret = 0;
2636
2637
0
    ecc_point_clear(&pub);
2638
0
    break;
2639
0
  }
2640
0
#ifdef ENABLE_DSA
2641
0
  case GNUTLS_PK_DSA: {
2642
0
    struct dsa_params pub;
2643
0
    struct dsa_signature sig;
2644
0
    bigint_t y;
2645
0
    size_t bits;
2646
2647
    /* DSA is currently being defined as sunset with the
2648
       * current draft of FIPS 186-5 */
2649
0
    not_approved = true;
2650
2651
0
    ret = _gnutls_decode_ber_rs(signature, &tmp[0], &tmp[1]);
2652
0
    if (ret < 0) {
2653
0
      gnutls_assert();
2654
0
      goto cleanup;
2655
0
    }
2656
0
    memset(&pub, 0, sizeof(pub));
2657
0
    _dsa_params_get(pk_params, &pub);
2658
0
    y = pk_params->params[DSA_Y];
2659
2660
0
    memcpy(sig.r, tmp[0], SIZEOF_MPZT);
2661
0
    memcpy(sig.s, tmp[1], SIZEOF_MPZT);
2662
2663
0
    _gnutls_dsa_q_to_hash(pk_params, &hash_len);
2664
2665
0
    if (hash_len > vdata->size)
2666
0
      hash_len = vdata->size;
2667
2668
0
    bits = mpz_sizeinbase(pub.p, 2);
2669
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
2670
2671
0
    ret = dsa_verify(&pub, TOMPZ(y), hash_len, vdata->data, &sig);
2672
0
    if (ret == 0) {
2673
0
      gnutls_assert();
2674
0
      ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
2675
0
    } else
2676
0
      ret = 0;
2677
2678
0
    break;
2679
0
  }
2680
0
#endif
2681
0
  case GNUTLS_PK_RSA: {
2682
0
    struct rsa_public_key pub;
2683
0
    size_t bits;
2684
2685
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
2686
0
    if (ret < 0) {
2687
0
      gnutls_assert();
2688
0
      goto cleanup;
2689
0
    }
2690
2691
0
    bits = mpz_sizeinbase(pub.n, 2);
2692
2693
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
2694
2695
    /* In FIPS 140-3, RSA key size should be larger than 2048-bit.
2696
       * In addition to this, only SHA-2 is allowed
2697
       * for SigVer; it is checked in _pkcs1_rsa_verify_sig in
2698
       * lib/pubkey.c.
2699
       */
2700
0
    if (unlikely(bits < 2048)) {
2701
0
      not_approved = true;
2702
0
    }
2703
2704
0
    if (signature->size != pub.size) {
2705
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2706
0
      goto cleanup;
2707
0
    }
2708
2709
0
    ret = _gnutls_mpi_init_scan_nz(&tmp[0], signature->data,
2710
0
                 signature->size);
2711
0
    if (ret < 0) {
2712
0
      gnutls_assert();
2713
0
      goto cleanup;
2714
0
    }
2715
2716
0
    ret = rsa_pkcs1_verify(&pub, vdata->size, vdata->data,
2717
0
               TOMPZ(tmp[0]));
2718
0
    if (ret == 0)
2719
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2720
0
    else
2721
0
      ret = 0;
2722
2723
0
    break;
2724
0
  }
2725
0
  case GNUTLS_PK_RSA_PSS: {
2726
0
    struct rsa_public_key pub;
2727
0
    size_t bits;
2728
2729
0
    if ((sign_params->flags &
2730
0
         GNUTLS_PK_FLAG_RSA_PSS_FIXED_SALT_LENGTH) &&
2731
0
        sign_params->salt_size != vdata->size) {
2732
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2733
0
      goto cleanup;
2734
0
    }
2735
2736
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
2737
0
    if (ret < 0) {
2738
0
      gnutls_assert();
2739
0
      goto cleanup;
2740
0
    }
2741
2742
0
    bits = mpz_sizeinbase(pub.n, 2);
2743
2744
    /* RSA modulus size should be 2048-bit or larger in FIPS
2745
       * 140-3.  In addition to this, only SHA-2 are
2746
       * allowed for SigVer, while Nettle only supports
2747
       * SHA256, SHA384, and SHA512 for RSA-PSS (see
2748
       * _rsa_pss_verify_digest in this file for the details).
2749
       */
2750
0
    if (unlikely(bits < 2048)) {
2751
0
      not_approved = true;
2752
0
    }
2753
2754
0
    if (signature->size != pub.size) {
2755
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2756
0
      goto cleanup;
2757
0
    }
2758
2759
0
    ret = _gnutls_mpi_init_scan_nz(&tmp[0], signature->data,
2760
0
                 signature->size);
2761
0
    if (ret < 0) {
2762
0
      gnutls_assert();
2763
0
      goto cleanup;
2764
0
    }
2765
2766
0
    _gnutls_audit_data(
2767
0
      "pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING,
2768
0
      gnutls_digest_get_name(sign_params->rsa_pss_dig), NULL);
2769
2770
0
    ret = _rsa_pss_verify_digest(sign_params->rsa_pss_dig, &pub,
2771
0
               sign_params->salt_size,
2772
0
               vdata->data, vdata->size,
2773
0
               TOMPZ(tmp[0]));
2774
0
    if (ret == 0)
2775
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2776
0
    else
2777
0
      ret = 0;
2778
2779
0
    break;
2780
0
  }
2781
0
  case GNUTLS_PK_MLDSA44:
2782
0
  case GNUTLS_PK_MLDSA65:
2783
0
  case GNUTLS_PK_MLDSA87:
2784
0
    not_approved = true;
2785
0
    ret = ml_dsa_verify(algo, signature, vdata,
2786
0
            &pk_params->raw_pub);
2787
0
    if (ret < 0)
2788
0
      goto cleanup;
2789
0
    break;
2790
0
  default:
2791
0
    gnutls_assert();
2792
0
    ret = GNUTLS_E_INTERNAL_ERROR;
2793
0
    goto cleanup;
2794
0
  }
2795
2796
0
cleanup:
2797
0
  if (ret < 0) {
2798
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
2799
0
  } else if (not_approved) {
2800
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
2801
0
  } else {
2802
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
2803
0
  }
2804
2805
0
  _gnutls_mpi_release(&tmp[0]);
2806
0
  _gnutls_mpi_release(&tmp[1]);
2807
2808
0
  gnutls_audit_pop_context();
2809
2810
0
  FAIL_IF_LIB_ERROR;
2811
0
  return ret;
2812
0
}
2813
2814
static inline const struct ecc_curve *get_supported_nist_curve(int curve)
2815
0
{
2816
0
  switch (curve) {
2817
0
#ifdef ENABLE_NON_SUITEB_CURVES
2818
0
  case GNUTLS_ECC_CURVE_SECP192R1:
2819
0
    return nettle_get_secp_192r1();
2820
0
  case GNUTLS_ECC_CURVE_SECP224R1:
2821
0
    return nettle_get_secp_224r1();
2822
0
#endif
2823
0
  case GNUTLS_ECC_CURVE_SECP256R1:
2824
0
    return nettle_get_secp_256r1();
2825
0
  case GNUTLS_ECC_CURVE_SECP384R1:
2826
0
    return nettle_get_secp_384r1();
2827
0
  case GNUTLS_ECC_CURVE_SECP521R1:
2828
0
    return nettle_get_secp_521r1();
2829
0
  default:
2830
0
    return NULL;
2831
0
  }
2832
0
}
2833
2834
static inline const char *get_supported_nist_curve_order(int curve)
2835
0
{
2836
0
  static const struct {
2837
0
    int curve;
2838
0
    const char *order;
2839
0
  } orders[] = {
2840
0
#ifdef ENABLE_NON_SUITEB_CURVES
2841
0
    { GNUTLS_ECC_CURVE_SECP192R1, "ffffffffffffffffffffffff99def836"
2842
0
                "146bc9b1b4d22831" },
2843
0
    { GNUTLS_ECC_CURVE_SECP224R1, "ffffffffffffffffffffffffffff16a2"
2844
0
                "e0b8f03e13dd29455c5c2a3d" },
2845
0
#endif
2846
0
    { GNUTLS_ECC_CURVE_SECP256R1,
2847
0
      "ffffffff00000000ffffffffffffffff"
2848
0
      "bce6faada7179e84f3b9cac2fc632551" },
2849
0
    { GNUTLS_ECC_CURVE_SECP384R1,
2850
0
      "ffffffffffffffffffffffffffffffff"
2851
0
      "ffffffffffffffffc7634d81f4372ddf"
2852
0
      "581a0db248b0a77aecec196accc52973" },
2853
0
    { GNUTLS_ECC_CURVE_SECP521R1, "1fffffffffffffffffffffffffffffff"
2854
0
                "ffffffffffffffffffffffffffffffff"
2855
0
                "ffa51868783bf2f966b7fcc0148f709a"
2856
0
                "5d03bb5c9b8899c47aebb6fb71e91386"
2857
0
                "409" },
2858
0
  };
2859
0
  size_t i;
2860
0
2861
0
  for (i = 0; i < sizeof(orders) / sizeof(orders[0]); i++) {
2862
0
    if (orders[i].curve == curve)
2863
0
      return orders[i].order;
2864
0
  }
2865
0
  return NULL;
2866
0
}
2867
2868
static inline const char *get_supported_nist_curve_modulus(int curve)
2869
0
{
2870
0
  static const struct {
2871
0
    int curve;
2872
0
    const char *order;
2873
0
  } orders[] = {
2874
0
#ifdef ENABLE_NON_SUITEB_CURVES
2875
0
    { GNUTLS_ECC_CURVE_SECP192R1, "fffffffffffffffffffffffffffffffe"
2876
0
                "ffffffffffffffff" },
2877
0
    { GNUTLS_ECC_CURVE_SECP224R1, "ffffffffffffffffffffffffffffffff"
2878
0
                "000000000000000000000001" },
2879
0
#endif
2880
0
    { GNUTLS_ECC_CURVE_SECP256R1,
2881
0
      "ffffffff000000010000000000000000"
2882
0
      "00000000ffffffffffffffffffffffff" },
2883
0
    { GNUTLS_ECC_CURVE_SECP384R1,
2884
0
      "ffffffffffffffffffffffffffffffff"
2885
0
      "fffffffffffffffffffffffffffffffe"
2886
0
      "ffffffff0000000000000000ffffffff" },
2887
0
    { GNUTLS_ECC_CURVE_SECP521R1,
2888
0
      "1ff"
2889
0
      "ffffffffffffffffffffffffffffffff"
2890
0
      "ffffffffffffffffffffffffffffffff"
2891
0
      "ffffffffffffffffffffffffffffffff"
2892
0
      "ffffffffffffffffffffffffffffffff" },
2893
0
  };
2894
0
  size_t i;
2895
0
2896
0
  for (i = 0; i < sizeof(orders) / sizeof(orders[0]); i++) {
2897
0
    if (orders[i].curve == curve)
2898
0
      return orders[i].order;
2899
0
  }
2900
0
  return NULL;
2901
0
}
2902
2903
static inline const struct ecc_curve *get_supported_gost_curve(int curve)
2904
0
{
2905
0
  switch (curve) {
2906
0
#if ENABLE_GOST
2907
0
  case GNUTLS_ECC_CURVE_GOST256CPA:
2908
0
  case GNUTLS_ECC_CURVE_GOST256CPXA:
2909
0
  case GNUTLS_ECC_CURVE_GOST256B:
2910
0
    return nettle_get_gost_gc256b();
2911
0
  case GNUTLS_ECC_CURVE_GOST512A:
2912
0
    return nettle_get_gost_gc512a();
2913
0
#endif
2914
0
  default:
2915
0
    return NULL;
2916
0
  }
2917
0
}
2918
2919
static int _wrap_nettle_pk_curve_exists(gnutls_ecc_curve_t curve)
2920
0
{
2921
0
  switch (curve) {
2922
0
  case GNUTLS_ECC_CURVE_ED25519:
2923
0
  case GNUTLS_ECC_CURVE_X25519:
2924
0
  case GNUTLS_ECC_CURVE_ED448:
2925
0
  case GNUTLS_ECC_CURVE_X448:
2926
0
    return 1;
2927
0
  default:
2928
0
    return ((get_supported_nist_curve(curve) != NULL ||
2929
0
       get_supported_gost_curve(curve) != NULL) ?
2930
0
        1 :
2931
0
        0);
2932
0
  }
2933
0
}
2934
2935
static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk)
2936
0
{
2937
0
  switch (pk) {
2938
0
  case GNUTLS_PK_RSA:
2939
0
#ifdef ENABLE_DSA
2940
0
  case GNUTLS_PK_DSA:
2941
0
#endif
2942
0
  case GNUTLS_PK_DH:
2943
0
  case GNUTLS_PK_ECDSA:
2944
0
  case GNUTLS_PK_ECDH_X25519:
2945
0
  case GNUTLS_PK_RSA_PSS:
2946
0
  case GNUTLS_PK_RSA_OAEP:
2947
0
  case GNUTLS_PK_EDDSA_ED25519:
2948
0
#if ENABLE_GOST
2949
0
  case GNUTLS_PK_GOST_01:
2950
0
  case GNUTLS_PK_GOST_12_256:
2951
0
  case GNUTLS_PK_GOST_12_512:
2952
0
#endif
2953
0
  case GNUTLS_PK_ECDH_X448:
2954
0
  case GNUTLS_PK_EDDSA_ED448:
2955
0
    return 1;
2956
0
  case GNUTLS_PK_MLKEM768:
2957
0
  case GNUTLS_PK_MLKEM1024:
2958
0
    return ml_kem_exists(pk);
2959
0
  case GNUTLS_PK_MLDSA44:
2960
0
  case GNUTLS_PK_MLDSA65:
2961
0
  case GNUTLS_PK_MLDSA87:
2962
0
    return ml_dsa_exists(pk);
2963
0
  default:
2964
0
    return 0;
2965
0
  }
2966
0
}
2967
2968
static int _wrap_nettle_pk_sign_exists(gnutls_sign_algorithm_t sign)
2969
0
{
2970
0
  switch (sign) {
2971
0
  case GNUTLS_SIGN_RSA_SHA1:
2972
0
#ifdef ENABLE_DSA
2973
0
  case GNUTLS_SIGN_DSA_SHA1:
2974
0
#endif
2975
0
  case GNUTLS_SIGN_RSA_MD5:
2976
0
  case GNUTLS_SIGN_RSA_MD2:
2977
0
  case GNUTLS_SIGN_RSA_RMD160:
2978
0
  case GNUTLS_SIGN_RSA_SHA256:
2979
0
  case GNUTLS_SIGN_RSA_SHA384:
2980
0
  case GNUTLS_SIGN_RSA_SHA512:
2981
0
  case GNUTLS_SIGN_RSA_SHA224:
2982
0
#ifdef ENABLE_DSA
2983
0
  case GNUTLS_SIGN_DSA_SHA224:
2984
0
  case GNUTLS_SIGN_DSA_SHA256:
2985
0
#endif
2986
0
  case GNUTLS_SIGN_ECDSA_SHA1:
2987
0
  case GNUTLS_SIGN_ECDSA_SHA224:
2988
0
  case GNUTLS_SIGN_ECDSA_SHA256:
2989
0
  case GNUTLS_SIGN_ECDSA_SHA384:
2990
0
  case GNUTLS_SIGN_ECDSA_SHA512:
2991
0
#ifdef ENABLE_DSA
2992
0
  case GNUTLS_SIGN_DSA_SHA384:
2993
0
  case GNUTLS_SIGN_DSA_SHA512:
2994
0
#endif
2995
0
  case GNUTLS_SIGN_ECDSA_SHA3_224:
2996
0
  case GNUTLS_SIGN_ECDSA_SHA3_256:
2997
0
  case GNUTLS_SIGN_ECDSA_SHA3_384:
2998
0
  case GNUTLS_SIGN_ECDSA_SHA3_512:
2999
3000
0
#ifdef ENABLE_DSA
3001
0
  case GNUTLS_SIGN_DSA_SHA3_224:
3002
0
  case GNUTLS_SIGN_DSA_SHA3_256:
3003
0
  case GNUTLS_SIGN_DSA_SHA3_384:
3004
0
  case GNUTLS_SIGN_DSA_SHA3_512:
3005
0
#endif
3006
0
  case GNUTLS_SIGN_RSA_SHA3_224:
3007
0
  case GNUTLS_SIGN_RSA_SHA3_256:
3008
0
  case GNUTLS_SIGN_RSA_SHA3_384:
3009
0
  case GNUTLS_SIGN_RSA_SHA3_512:
3010
3011
0
  case GNUTLS_SIGN_RSA_PSS_SHA256:
3012
0
  case GNUTLS_SIGN_RSA_PSS_SHA384:
3013
0
  case GNUTLS_SIGN_RSA_PSS_SHA512:
3014
0
  case GNUTLS_SIGN_EDDSA_ED25519:
3015
0
  case GNUTLS_SIGN_RSA_RAW:
3016
3017
0
  case GNUTLS_SIGN_ECDSA_SECP256R1_SHA256:
3018
0
  case GNUTLS_SIGN_ECDSA_SECP384R1_SHA384:
3019
0
  case GNUTLS_SIGN_ECDSA_SECP521R1_SHA512:
3020
3021
0
  case GNUTLS_SIGN_RSA_PSS_RSAE_SHA256:
3022
0
  case GNUTLS_SIGN_RSA_PSS_RSAE_SHA384:
3023
0
  case GNUTLS_SIGN_RSA_PSS_RSAE_SHA512:
3024
3025
0
#if ENABLE_GOST
3026
0
  case GNUTLS_SIGN_GOST_94:
3027
0
  case GNUTLS_SIGN_GOST_256:
3028
0
  case GNUTLS_SIGN_GOST_512:
3029
0
#endif
3030
0
  case GNUTLS_SIGN_EDDSA_ED448:
3031
0
    return 1;
3032
0
  default:
3033
0
    return 0;
3034
0
  }
3035
0
}
3036
3037
/* Generates algorithm's parameters. That is:
3038
 *  For DSA: p, q, and g are generated.
3039
 *  For RSA: nothing
3040
 *  For ECDSA/EDDSA: nothing
3041
 */
3042
static int wrap_nettle_pk_generate_params(gnutls_pk_algorithm_t algo,
3043
            unsigned int level /*bits or curve */,
3044
            gnutls_pk_params_st *params)
3045
0
{
3046
0
  int ret;
3047
0
  unsigned int i, q_bits;
3048
3049
0
  FAIL_IF_LIB_ERROR;
3050
3051
0
  params->algo = algo;
3052
3053
0
  switch (algo) {
3054
0
#ifdef ENABLE_DSA
3055
0
  case GNUTLS_PK_DSA:
3056
0
#endif
3057
0
  case GNUTLS_PK_DH: {
3058
0
    struct dsa_params pub;
3059
0
    struct dss_params_validation_seeds cert;
3060
0
    unsigned index;
3061
3062
0
    dsa_params_init(&pub);
3063
3064
0
    if (GNUTLS_BITS_HAVE_SUBGROUP(level)) {
3065
0
      q_bits = GNUTLS_BITS_TO_SUBGROUP(level);
3066
0
      level = GNUTLS_BITS_TO_GROUP(level);
3067
0
    } else {
3068
0
      q_bits = _gnutls_pk_bits_to_subgroup_bits(level);
3069
0
    }
3070
3071
0
    if (q_bits == 0)
3072
0
      return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
3073
3074
0
    if (_gnutls_fips_mode_enabled() != 0 ||
3075
0
        params->pkflags & GNUTLS_PK_FLAG_PROVABLE) {
3076
0
      if (algo == GNUTLS_PK_DSA)
3077
0
        index = 1;
3078
0
      else
3079
0
        index = 2;
3080
3081
0
      if (params->palgo != 0 &&
3082
0
          params->palgo != GNUTLS_DIG_SHA384) {
3083
0
        ret = GNUTLS_E_INVALID_REQUEST;
3084
0
        goto dsa_fail;
3085
0
      }
3086
3087
0
      params->palgo = GNUTLS_DIG_SHA384;
3088
3089
0
      if (params->seed_size) {
3090
0
        ret = _dsa_generate_dss_pqg(&pub, &cert, index,
3091
0
                  params->seed_size,
3092
0
                  params->seed, NULL,
3093
0
                  NULL, level,
3094
0
                  q_bits);
3095
0
      } else {
3096
0
        ret = dsa_generate_dss_pqg(&pub, &cert, index,
3097
0
                 NULL,
3098
0
                 rnd_tmpkey_func,
3099
0
                 NULL, NULL, level,
3100
0
                 q_bits);
3101
0
      }
3102
0
      if (ret != 1 || HAVE_LIB_ERROR()) {
3103
0
        gnutls_assert();
3104
0
        ret = GNUTLS_E_PK_GENERATION_ERROR;
3105
0
        goto dsa_fail;
3106
0
      }
3107
3108
0
      if (cert.seed_length &&
3109
0
          cert.seed_length < sizeof(params->seed)) {
3110
0
        params->seed_size = cert.seed_length;
3111
0
        memcpy(params->seed, cert.seed,
3112
0
               cert.seed_length);
3113
0
      }
3114
3115
      /* verify the generated parameters */
3116
0
      ret = dsa_validate_dss_pqg(&pub, &cert, index);
3117
0
      if (ret != 1) {
3118
0
        gnutls_assert();
3119
0
        ret = GNUTLS_E_PK_GENERATION_ERROR;
3120
0
        goto dsa_fail;
3121
0
      }
3122
0
    } else {
3123
0
      if (q_bits < 160)
3124
0
        q_bits = 160;
3125
3126
0
      ret = dsa_generate_params(&pub, NULL, rnd_tmpkey_func,
3127
0
              NULL, NULL, level, q_bits);
3128
0
      if (ret != 1 || HAVE_LIB_ERROR()) {
3129
0
        gnutls_assert();
3130
0
        ret = GNUTLS_E_PK_GENERATION_ERROR;
3131
0
        goto dsa_fail;
3132
0
      }
3133
0
    }
3134
3135
0
    params->params_nr = 0;
3136
3137
0
    ret = _gnutls_mpi_init_multi(&params->params[DSA_P],
3138
0
               &params->params[DSA_Q],
3139
0
               &params->params[DSA_G], NULL);
3140
0
    if (ret < 0) {
3141
0
      gnutls_assert();
3142
0
      goto dsa_fail;
3143
0
    }
3144
0
    params->params_nr = 3;
3145
3146
0
    mpz_set(TOMPZ(params->params[DSA_P]), pub.p);
3147
0
    mpz_set(TOMPZ(params->params[DSA_Q]), pub.q);
3148
0
    mpz_set(TOMPZ(params->params[DSA_G]), pub.g);
3149
3150
0
    ret = 0;
3151
3152
0
  dsa_fail:
3153
0
    dsa_params_clear(&pub);
3154
3155
0
    if (ret < 0)
3156
0
      goto fail;
3157
3158
0
    break;
3159
0
  }
3160
0
  case GNUTLS_PK_RSA_PSS:
3161
0
  case GNUTLS_PK_RSA_OAEP:
3162
0
  case GNUTLS_PK_RSA:
3163
0
  case GNUTLS_PK_ECDSA:
3164
0
  case GNUTLS_PK_EDDSA_ED25519:
3165
0
  case GNUTLS_PK_EDDSA_ED448:
3166
0
  case GNUTLS_PK_ECDH_X25519:
3167
0
  case GNUTLS_PK_ECDH_X448:
3168
0
#if ENABLE_GOST
3169
0
  case GNUTLS_PK_GOST_01:
3170
0
  case GNUTLS_PK_GOST_12_256:
3171
0
  case GNUTLS_PK_GOST_12_512:
3172
0
#endif
3173
0
  case GNUTLS_PK_MLKEM768:
3174
0
  case GNUTLS_PK_MLDSA44:
3175
0
  case GNUTLS_PK_MLDSA65:
3176
0
  case GNUTLS_PK_MLDSA87:
3177
0
    break;
3178
0
  default:
3179
0
    gnutls_assert();
3180
0
    return GNUTLS_E_INVALID_REQUEST;
3181
0
  }
3182
3183
0
  FAIL_IF_LIB_ERROR;
3184
0
  return 0;
3185
3186
0
fail:
3187
3188
0
  for (i = 0; i < params->params_nr; i++) {
3189
0
    _gnutls_mpi_release(&params->params[i]);
3190
0
  }
3191
0
  params->params_nr = 0;
3192
3193
0
  FAIL_IF_LIB_ERROR;
3194
0
  return ret;
3195
0
}
3196
3197
#ifdef ENABLE_FIPS140
3198
int _gnutls_dh_generate_key(gnutls_dh_params_t dh_params,
3199
          gnutls_datum_t *priv_key, gnutls_datum_t *pub_key);
3200
3201
int _gnutls_dh_compute_key(gnutls_dh_params_t dh_params,
3202
         const gnutls_datum_t *priv_key,
3203
         const gnutls_datum_t *pub_key,
3204
         const gnutls_datum_t *peer_key, gnutls_datum_t *Z);
3205
3206
int _gnutls_ecdh_compute_key(gnutls_ecc_curve_t curve, const gnutls_datum_t *x,
3207
           const gnutls_datum_t *y, const gnutls_datum_t *k,
3208
           const gnutls_datum_t *peer_x,
3209
           const gnutls_datum_t *peer_y, gnutls_datum_t *Z);
3210
3211
int _gnutls_ecdh_generate_key(gnutls_ecc_curve_t curve, gnutls_datum_t *x,
3212
            gnutls_datum_t *y, gnutls_datum_t *k);
3213
3214
int _gnutls_dh_generate_key(gnutls_dh_params_t dh_params,
3215
          gnutls_datum_t *priv_key, gnutls_datum_t *pub_key)
3216
{
3217
  gnutls_pk_params_st params;
3218
  int ret;
3219
3220
  gnutls_pk_params_init(&params);
3221
  params.params[DH_P] = _gnutls_mpi_copy(dh_params->params[0]);
3222
  params.params[DH_G] = _gnutls_mpi_copy(dh_params->params[1]);
3223
3224
  params.params_nr = 5;
3225
  params.algo = GNUTLS_PK_DH;
3226
3227
  priv_key->data = NULL;
3228
  pub_key->data = NULL;
3229
3230
  ret = _gnutls_pk_generate_keys(GNUTLS_PK_DH, dh_params->q_bits, &params,
3231
               0);
3232
  if (ret < 0) {
3233
    return gnutls_assert_val(ret);
3234
  }
3235
3236
  ret = _gnutls_mpi_dprint_lz(params.params[DH_X], priv_key);
3237
  if (ret < 0) {
3238
    gnutls_assert();
3239
    goto fail;
3240
  }
3241
3242
  ret = _gnutls_mpi_dprint_lz(params.params[DH_Y], pub_key);
3243
  if (ret < 0) {
3244
    gnutls_assert();
3245
    goto fail;
3246
  }
3247
3248
  ret = 0;
3249
  goto cleanup;
3250
fail:
3251
  gnutls_free(pub_key->data);
3252
  gnutls_free(priv_key->data);
3253
cleanup:
3254
  gnutls_pk_params_clear(&params);
3255
  gnutls_pk_params_release(&params);
3256
  return ret;
3257
}
3258
3259
/* Note that the value of Z will have the leading bytes stripped if they are zero -
3260
 * which follows the TLS approach. */
3261
int _gnutls_dh_compute_key(gnutls_dh_params_t dh_params,
3262
         const gnutls_datum_t *priv_key,
3263
         const gnutls_datum_t *pub_key,
3264
         const gnutls_datum_t *peer_key, gnutls_datum_t *Z)
3265
{
3266
  gnutls_pk_params_st pub, priv;
3267
  int ret;
3268
3269
  gnutls_pk_params_init(&pub);
3270
  pub.params_nr = 5;
3271
  pub.algo = GNUTLS_PK_DH;
3272
3273
  gnutls_pk_params_init(&priv);
3274
  priv.params_nr = 5;
3275
  priv.algo = GNUTLS_PK_DH;
3276
3277
  if (_gnutls_mpi_init_scan_nz(&pub.params[DH_Y], peer_key->data,
3278
             peer_key->size) != 0) {
3279
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3280
    goto cleanup;
3281
  }
3282
3283
  priv.params[DH_P] = _gnutls_mpi_copy(dh_params->params[0]);
3284
  priv.params[DH_G] = _gnutls_mpi_copy(dh_params->params[1]);
3285
  if (dh_params->params[2])
3286
    priv.params[DH_Q] = _gnutls_mpi_copy(dh_params->params[2]);
3287
3288
  if (_gnutls_mpi_init_scan_nz(&priv.params[DH_X], priv_key->data,
3289
             priv_key->size) != 0) {
3290
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3291
    goto cleanup;
3292
  }
3293
3294
  Z->data = NULL;
3295
3296
  ret = _gnutls_pk_derive(GNUTLS_PK_DH, Z, &priv, &pub);
3297
  if (ret < 0) {
3298
    gnutls_assert();
3299
    goto cleanup;
3300
  }
3301
3302
  ret = 0;
3303
cleanup:
3304
  gnutls_pk_params_clear(&pub);
3305
  gnutls_pk_params_release(&pub);
3306
  gnutls_pk_params_clear(&priv);
3307
  gnutls_pk_params_release(&priv);
3308
  return ret;
3309
}
3310
3311
int _gnutls_ecdh_generate_key(gnutls_ecc_curve_t curve, gnutls_datum_t *x,
3312
            gnutls_datum_t *y, gnutls_datum_t *k)
3313
{
3314
  gnutls_pk_params_st params;
3315
  int ret;
3316
3317
  gnutls_pk_params_init(&params);
3318
  params.params_nr = 3;
3319
  params.curve = curve;
3320
  params.algo = GNUTLS_PK_ECDSA;
3321
3322
  x->data = NULL;
3323
  y->data = NULL;
3324
  k->data = NULL;
3325
3326
  ret = _gnutls_pk_generate_keys(GNUTLS_PK_ECDSA, curve, &params, 0);
3327
  if (ret < 0) {
3328
    return gnutls_assert_val(ret);
3329
  }
3330
3331
  ret = _gnutls_mpi_dprint_lz(params.params[ECC_X], x);
3332
  if (ret < 0) {
3333
    gnutls_assert();
3334
    goto fail;
3335
  }
3336
3337
  ret = _gnutls_mpi_dprint_lz(params.params[ECC_Y], y);
3338
  if (ret < 0) {
3339
    gnutls_assert();
3340
    goto fail;
3341
  }
3342
3343
  ret = _gnutls_mpi_dprint_lz(params.params[ECC_K], k);
3344
  if (ret < 0) {
3345
    gnutls_assert();
3346
    goto fail;
3347
  }
3348
3349
  ret = 0;
3350
  goto cleanup;
3351
fail:
3352
  gnutls_free(y->data);
3353
  gnutls_free(x->data);
3354
  gnutls_free(k->data);
3355
cleanup:
3356
  gnutls_pk_params_clear(&params);
3357
  gnutls_pk_params_release(&params);
3358
  return ret;
3359
}
3360
3361
int _gnutls_ecdh_compute_key(gnutls_ecc_curve_t curve, const gnutls_datum_t *x,
3362
           const gnutls_datum_t *y, const gnutls_datum_t *k,
3363
           const gnutls_datum_t *peer_x,
3364
           const gnutls_datum_t *peer_y, gnutls_datum_t *Z)
3365
{
3366
  gnutls_pk_params_st pub, priv;
3367
  int ret;
3368
3369
  gnutls_pk_params_init(&pub);
3370
  pub.params_nr = 3;
3371
  pub.algo = GNUTLS_PK_ECDSA;
3372
  pub.curve = curve;
3373
3374
  gnutls_pk_params_init(&priv);
3375
  priv.params_nr = 3;
3376
  priv.algo = GNUTLS_PK_ECDSA;
3377
  priv.curve = curve;
3378
3379
  if (_gnutls_mpi_init_scan_nz(&pub.params[ECC_Y], peer_y->data,
3380
             peer_y->size) != 0) {
3381
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3382
    goto cleanup;
3383
  }
3384
3385
  if (_gnutls_mpi_init_scan_nz(&pub.params[ECC_X], peer_x->data,
3386
             peer_x->size) != 0) {
3387
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3388
    goto cleanup;
3389
  }
3390
3391
  if (_gnutls_mpi_init_scan_nz(&priv.params[ECC_Y], y->data, y->size) !=
3392
      0) {
3393
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3394
    goto cleanup;
3395
  }
3396
3397
  if (_gnutls_mpi_init_scan_nz(&priv.params[ECC_X], x->data, x->size) !=
3398
      0) {
3399
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3400
    goto cleanup;
3401
  }
3402
3403
  if (_gnutls_mpi_init_scan_nz(&priv.params[ECC_K], k->data, k->size) !=
3404
      0) {
3405
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3406
    goto cleanup;
3407
  }
3408
3409
  Z->data = NULL;
3410
3411
  ret = _gnutls_pk_derive(GNUTLS_PK_ECDSA, Z, &priv, &pub);
3412
  if (ret < 0) {
3413
    gnutls_assert();
3414
    goto cleanup;
3415
  }
3416
3417
  ret = 0;
3418
cleanup:
3419
  gnutls_pk_params_clear(&pub);
3420
  gnutls_pk_params_release(&pub);
3421
  gnutls_pk_params_clear(&priv);
3422
  gnutls_pk_params_release(&priv);
3423
  return ret;
3424
}
3425
3426
static gnutls_sign_algorithm_t pct_pk_to_sign(gnutls_pk_algorithm_t algo,
3427
                const gnutls_x509_spki_st *spki)
3428
{
3429
  switch (algo) {
3430
  case GNUTLS_PK_RSA_PSS:
3431
    return gnutls_pk_to_sign(algo, spki->rsa_pss_dig);
3432
#ifdef ENABLE_DSA
3433
  case GNUTLS_PK_DSA:
3434
#endif
3435
  case GNUTLS_PK_ECDSA:
3436
    return gnutls_pk_to_sign(algo, spki->dsa_dig);
3437
  case GNUTLS_PK_EDDSA_ED25519:
3438
    return GNUTLS_SIGN_EDDSA_ED25519;
3439
  case GNUTLS_PK_EDDSA_ED448:
3440
    return GNUTLS_SIGN_EDDSA_ED448;
3441
#if ENABLE_GOST
3442
  case GNUTLS_PK_GOST_01:
3443
    return GNUTLS_SIGN_GOST_94;
3444
  case GNUTLS_PK_GOST_12_256:
3445
    return GNUTLS_SIGN_GOST_256;
3446
  case GNUTLS_PK_GOST_12_512:
3447
    return GNUTLS_SIGN_GOST_512;
3448
#endif
3449
  case GNUTLS_PK_MLDSA44:
3450
    return GNUTLS_SIGN_MLDSA44;
3451
  case GNUTLS_PK_MLDSA65:
3452
    return GNUTLS_SIGN_MLDSA65;
3453
  case GNUTLS_PK_MLDSA87:
3454
    return GNUTLS_SIGN_MLDSA87;
3455
  default:
3456
    return GNUTLS_SIGN_UNKNOWN;
3457
  }
3458
}
3459
3460
static int pct_hash_sign_test(gnutls_pk_algorithm_t algo,
3461
            const gnutls_pk_params_st *params,
3462
            const gnutls_x509_spki_st *spki,
3463
            const gnutls_datum_t *data)
3464
{
3465
  gnutls_privkey_t privkey = NULL;
3466
  gnutls_pubkey_t pubkey = NULL;
3467
  gnutls_x509_privkey_t xprivkey = NULL;
3468
  gnutls_datum_t sig = { NULL, 0 };
3469
  gnutls_sign_algorithm_t sign_algo;
3470
  int ret;
3471
3472
  sign_algo = pct_pk_to_sign(algo, spki);
3473
  if (sign_algo == GNUTLS_SIGN_UNKNOWN)
3474
    return gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3475
3476
  ret = gnutls_x509_privkey_init(&xprivkey);
3477
  if (ret < 0) {
3478
    gnutls_assert();
3479
    goto cleanup;
3480
  }
3481
3482
  ret = _gnutls_pk_params_copy(&xprivkey->params, params);
3483
  if (ret < 0) {
3484
    gnutls_assert();
3485
    goto cleanup;
3486
  }
3487
3488
  ret = gnutls_privkey_init(&privkey);
3489
  if (ret < 0) {
3490
    gnutls_assert();
3491
    goto cleanup;
3492
  }
3493
3494
  ret = gnutls_privkey_import_x509(privkey, xprivkey,
3495
           GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
3496
  if (ret < 0) {
3497
    gnutls_assert();
3498
    goto cleanup;
3499
  }
3500
  xprivkey = NULL;
3501
3502
  ret = gnutls_pubkey_init(&pubkey);
3503
  if (ret < 0) {
3504
    gnutls_assert();
3505
    goto cleanup;
3506
  }
3507
3508
  ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
3509
  if (ret < 0) {
3510
    gnutls_assert();
3511
    goto cleanup;
3512
  }
3513
3514
  ret = gnutls_privkey_sign_data2(privkey, sign_algo, 0, data, &sig);
3515
  if (ret < 0) {
3516
    gnutls_assert();
3517
    goto cleanup;
3518
  }
3519
3520
  /* Ignore algorithm disablement through configuration during PCT.  */
3521
  ret = gnutls_pubkey_verify_data2(
3522
    pubkey, sign_algo, GNUTLS_VERIFY_ALLOW_BROKEN, data, &sig);
3523
  if (ret < 0) {
3524
    gnutls_assert();
3525
    goto cleanup;
3526
  }
3527
3528
cleanup:
3529
  if (ret < 0) {
3530
    _gnutls_debug_log("PCT: %s hash+sign self-test failed: %s\n",
3531
          gnutls_sign_get_name(sign_algo),
3532
          gnutls_strerror(ret));
3533
  } else {
3534
    _gnutls_debug_log("PCT: %s hash+sign self-test succeeded\n",
3535
          gnutls_sign_get_name(sign_algo));
3536
  }
3537
3538
  gnutls_x509_privkey_deinit(xprivkey);
3539
  gnutls_privkey_deinit(privkey);
3540
  gnutls_pubkey_deinit(pubkey);
3541
  _gnutls_free_datum(&sig);
3542
3543
  return ret;
3544
}
3545
3546
static int pct_test(gnutls_pk_algorithm_t algo,
3547
        const gnutls_pk_params_st *params)
3548
{
3549
  int ret;
3550
  gnutls_datum_t sig = { NULL, 0 };
3551
  const char const_data[20] = "onetwothreefourfive";
3552
  const char const_data_sha256[32] = "onetwothreefourfivesixseveneigh";
3553
  const char const_data_sha384[48] =
3554
    "onetwothreefourfivesixseveneightnineteneleventw";
3555
  const char const_data_sha512[64] =
3556
    "onetwothreefourfivesixseveneightnineteneleventwelvethirteenfour";
3557
  gnutls_datum_t ddata, tmp = { NULL, 0 };
3558
  char gen_data[MAX_HASH_SIZE];
3559
  gnutls_x509_spki_st spki;
3560
3561
  ret = _gnutls_x509_spki_copy(&spki, &params->spki);
3562
  if (ret < 0) {
3563
    gnutls_assert();
3564
    goto cleanup;
3565
  }
3566
3567
  if (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_EC) {
3568
    unsigned hash_len;
3569
    const mac_entry_st *me;
3570
3571
    me = _gnutls_dsa_q_to_hash(params, &hash_len);
3572
    spki.dsa_dig = MAC_TO_DIG(me->id);
3573
    gnutls_rnd(GNUTLS_RND_NONCE, gen_data, hash_len);
3574
3575
    ddata.data = (void *)gen_data;
3576
    ddata.size = hash_len;
3577
  } else if (algo == GNUTLS_PK_GOST_01 || algo == GNUTLS_PK_GOST_12_256) {
3578
    ddata.data = (void *)const_data_sha256;
3579
    ddata.size = sizeof(const_data_sha256);
3580
  } else if (algo == GNUTLS_PK_GOST_12_512) {
3581
    ddata.data = (void *)const_data_sha512;
3582
    ddata.size = sizeof(const_data_sha512);
3583
  } else if (algo == GNUTLS_PK_RSA_PSS) {
3584
    if (spki.rsa_pss_dig == GNUTLS_DIG_UNKNOWN)
3585
      spki.rsa_pss_dig = GNUTLS_DIG_SHA256;
3586
3587
    switch (spki.rsa_pss_dig) {
3588
    case GNUTLS_DIG_SHA256:
3589
      ddata.data = (void *)const_data_sha256;
3590
      ddata.size = sizeof(const_data_sha256);
3591
      break;
3592
    case GNUTLS_DIG_SHA384:
3593
      ddata.data = (void *)const_data_sha384;
3594
      ddata.size = sizeof(const_data_sha384);
3595
      break;
3596
    case GNUTLS_DIG_SHA512:
3597
      ddata.data = (void *)const_data_sha512;
3598
      ddata.size = sizeof(const_data_sha512);
3599
      break;
3600
    default:
3601
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3602
      goto cleanup;
3603
    }
3604
  } else if (algo == GNUTLS_PK_RSA_OAEP) {
3605
    if (spki.rsa_oaep_dig == GNUTLS_DIG_UNKNOWN)
3606
      spki.rsa_oaep_dig = GNUTLS_DIG_SHA256;
3607
    ddata.data = (void *)const_data;
3608
    ddata.size = sizeof(const_data);
3609
  } else {
3610
    ddata.data = (void *)const_data;
3611
    ddata.size = sizeof(const_data);
3612
  }
3613
3614
  switch (algo) {
3615
  case GNUTLS_PK_RSA:
3616
    /* To comply with FIPS 140-3 IG 10.3.A, additional comment 1,
3617
     * Perform both key transport and signature PCTs for
3618
     * unrestricted RSA key.  */
3619
    ret = pct_test(GNUTLS_PK_RSA_OAEP, params);
3620
    if (ret < 0) {
3621
      gnutls_assert();
3622
      break;
3623
    }
3624
    ret = pct_test(GNUTLS_PK_RSA_PSS, params);
3625
    if (ret < 0) {
3626
      gnutls_assert();
3627
      break;
3628
    }
3629
    break;
3630
  case GNUTLS_PK_RSA_OAEP:
3631
    ret = _gnutls_pk_encrypt(GNUTLS_PK_RSA_OAEP, &sig, &ddata,
3632
           params, &spki);
3633
    if (ret < 0) {
3634
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3635
    }
3636
    if (ret == 0 && ddata.size == sig.size &&
3637
        memcmp(ddata.data, sig.data, sig.size) == 0) {
3638
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3639
    }
3640
    if (ret == 0 &&
3641
        _gnutls_pk_decrypt(algo, &tmp, &sig, params, &spki) < 0) {
3642
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3643
    }
3644
    if (ret == 0 &&
3645
        !(tmp.size == ddata.size &&
3646
          memcmp(tmp.data, ddata.data, tmp.size) == 0)) {
3647
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3648
    }
3649
    if (ret == 0 &&
3650
        _gnutls_pk_decrypt2(algo, &sig, tmp.data, tmp.size, params,
3651
          &spki) < 0) {
3652
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3653
    }
3654
    if (ret == 0 &&
3655
        !(tmp.size == ddata.size &&
3656
          memcmp(tmp.data, ddata.data, tmp.size) == 0)) {
3657
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3658
    }
3659
3660
    if (ret < 0) {
3661
      goto cleanup;
3662
    }
3663
3664
    free(sig.data);
3665
    sig.data = NULL;
3666
3667
    break;
3668
  case GNUTLS_PK_EC: /* we only do keys for ECDSA */
3669
  case GNUTLS_PK_EDDSA_ED25519:
3670
  case GNUTLS_PK_EDDSA_ED448:
3671
#ifdef ENABLE_DSA
3672
  case GNUTLS_PK_DSA:
3673
#endif
3674
  case GNUTLS_PK_RSA_PSS:
3675
  case GNUTLS_PK_GOST_01:
3676
  case GNUTLS_PK_GOST_12_256:
3677
  case GNUTLS_PK_GOST_12_512:
3678
  case GNUTLS_PK_MLDSA44:
3679
  case GNUTLS_PK_MLDSA65:
3680
  case GNUTLS_PK_MLDSA87:
3681
    ret = _gnutls_pk_sign(algo, &sig, &ddata, params, &spki);
3682
    if (ret < 0) {
3683
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3684
      goto cleanup;
3685
    }
3686
3687
    ret = _gnutls_pk_verify(algo, &ddata, &sig, params, &spki);
3688
    if (ret < 0) {
3689
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3690
      goto cleanup;
3691
    }
3692
3693
    /* Exercise the combined hash+sign operation, using
3694
     * the abstract key interface.
3695
     *
3696
     * FIXME: rework this once the crypto-backend
3697
     * interface natively supports hash+sign operation, see:
3698
     * https://gitlab.com/gnutls/gnutls/-/merge_requests/2066
3699
     */
3700
    ret = pct_hash_sign_test(algo, params, &spki, &ddata);
3701
    if (ret < 0) {
3702
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3703
      goto cleanup;
3704
    }
3705
    break;
3706
  case GNUTLS_PK_DH: {
3707
    mpz_t y;
3708
3709
    /* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance
3710
       * of Pair-wise Consistency check, even if we only
3711
       * support ephemeral DH, as it is required by FIPS
3712
       * 140-3 IG 10.3.A.
3713
       *
3714
       * Use the private key, x, along with the generator g
3715
       * and prime modulus p included in the domain
3716
       * parameters associated with the key pair to compute
3717
       * g^x mod p. Compare the result to the public key, y.
3718
       */
3719
    mpz_init(y);
3720
    mpz_powm(y, TOMPZ(params->params[DSA_G]),
3721
       TOMPZ(params->params[DSA_X]),
3722
       TOMPZ(params->params[DSA_P]));
3723
    if (unlikely(mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) {
3724
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3725
      mpz_clear(y);
3726
      goto cleanup;
3727
    }
3728
    mpz_clear(y);
3729
    break;
3730
  }
3731
  case GNUTLS_PK_ECDH_X25519:
3732
  case GNUTLS_PK_ECDH_X448:
3733
    break;
3734
  case GNUTLS_PK_MLKEM768:
3735
  case GNUTLS_PK_MLKEM1024:
3736
    if (!ml_kem_exists(algo)) {
3737
      ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
3738
      goto cleanup;
3739
    }
3740
    break;
3741
  default:
3742
    ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
3743
    goto cleanup;
3744
  }
3745
3746
  ret = 0;
3747
cleanup:
3748
  if (ret == GNUTLS_E_PK_GENERATION_ERROR) {
3749
    _gnutls_switch_lib_state(LIB_STATE_ERROR);
3750
  }
3751
  _gnutls_x509_spki_clear(&spki);
3752
  gnutls_free(sig.data);
3753
  gnutls_free(tmp.data);
3754
  return ret;
3755
}
3756
#endif
3757
3758
static inline int eddsa_public_key(gnutls_pk_algorithm_t algo, uint8_t *pub,
3759
           const uint8_t *priv)
3760
0
{
3761
0
  switch (algo) {
3762
0
  case GNUTLS_PK_EDDSA_ED25519:
3763
0
    ed25519_sha512_public_key(pub, priv);
3764
0
    return 0;
3765
0
  case GNUTLS_PK_EDDSA_ED448:
3766
0
    ed448_shake256_public_key(pub, priv);
3767
0
    return 0;
3768
0
  default:
3769
0
    return gnutls_assert_val(
3770
0
      GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
3771
0
  }
3772
0
}
3773
3774
static inline int edwards_curve_mul_g(gnutls_pk_algorithm_t algo, uint8_t *q,
3775
              const uint8_t *n)
3776
0
{
3777
0
  switch (algo) {
3778
0
  case GNUTLS_PK_ECDH_X25519:
3779
0
    curve25519_mul_g(q, n);
3780
0
    return 0;
3781
0
  case GNUTLS_PK_ECDH_X448:
3782
0
    curve448_mul_g(q, n);
3783
0
    return 0;
3784
0
  default:
3785
0
    return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
3786
0
  }
3787
0
}
3788
3789
static inline int dh_find_q(const gnutls_pk_params_st *pk_params, mpz_t q)
3790
0
{
3791
0
  gnutls_datum_t prime = { NULL, 0 };
3792
0
  gnutls_datum_t generator = { NULL, 0 };
3793
0
  uint8_t *data_q;
3794
0
  size_t n_q;
3795
0
  bigint_t _q;
3796
0
  int ret = 0;
3797
0
3798
0
  ret = _gnutls_mpi_dprint(pk_params->params[DSA_P], &prime);
3799
0
  if (ret < 0) {
3800
0
    gnutls_assert();
3801
0
    goto cleanup;
3802
0
  }
3803
0
3804
0
  ret = _gnutls_mpi_dprint(pk_params->params[DSA_G], &generator);
3805
0
  if (ret < 0) {
3806
0
    gnutls_assert();
3807
0
    goto cleanup;
3808
0
  }
3809
0
3810
0
  if (!_gnutls_dh_prime_match_fips_approved(
3811
0
        prime.data, prime.size, generator.data, generator.size,
3812
0
        &data_q, &n_q)) {
3813
0
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
3814
0
    goto cleanup;
3815
0
  }
3816
0
3817
0
  if (_gnutls_mpi_init_scan_nz(&_q, data_q, n_q) != 0) {
3818
0
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3819
0
    goto cleanup;
3820
0
  }
3821
0
3822
0
  mpz_set(q, TOMPZ(_q));
3823
0
  _gnutls_mpi_release(&_q);
3824
0
3825
0
cleanup:
3826
0
  gnutls_free(prime.data);
3827
0
  gnutls_free(generator.data);
3828
0
3829
0
  return ret;
3830
0
}
3831
3832
/* To generate a DH key either q must be set in the params or
3833
 * level should be set to the number of required bits.
3834
 */
3835
static int
3836
wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
3837
           unsigned int level /*bits or curve */,
3838
           gnutls_pk_params_st *params, unsigned ephemeral
3839
           /*non-zero if they are ephemeral keys */)
3840
0
{
3841
0
  int ret;
3842
0
  unsigned int i;
3843
0
  unsigned rnd_level;
3844
0
  nettle_random_func *rnd_func;
3845
0
  bool not_approved = false;
3846
3847
0
  FAIL_IF_LIB_ERROR;
3848
3849
  /* check if the curve relates to the algorithm used */
3850
0
  if (IS_EC(algo) && gnutls_ecc_curve_get_pk(level) != algo) {
3851
0
    ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
3852
0
    goto cleanup;
3853
0
  }
3854
3855
0
  if (ephemeral) {
3856
0
    rnd_level = GNUTLS_RND_RANDOM;
3857
0
    rnd_func = rnd_tmpkey_func;
3858
0
  } else {
3859
0
    rnd_func = rnd_key_func;
3860
0
    rnd_level = GNUTLS_RND_KEY;
3861
0
  }
3862
3863
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::generate",
3864
0
              "pk::algorithm", CRAU_STRING,
3865
0
              gnutls_pk_get_name(algo), NULL);
3866
3867
0
  switch (algo) {
3868
0
#ifdef ENABLE_DSA
3869
0
  case GNUTLS_PK_DSA:
3870
#ifdef ENABLE_FIPS140
3871
    if (_gnutls_fips_mode_enabled() != 0) {
3872
      struct dsa_params pub;
3873
      mpz_t x, y;
3874
3875
      /* DSA is currently being defined as sunset with the
3876
       * current draft of FIPS 186-5 */
3877
      not_approved = true;
3878
3879
      if (params->params[DSA_Q] == NULL) {
3880
        ret = gnutls_assert_val(
3881
          GNUTLS_E_INVALID_REQUEST);
3882
        goto cleanup;
3883
      }
3884
3885
      _dsa_params_get(params, &pub);
3886
3887
      mpz_init(x);
3888
      mpz_init(y);
3889
3890
      ret = dsa_generate_dss_keypair(&pub, y, x, NULL,
3891
                   rnd_func, NULL, NULL);
3892
      if (ret != 1 || HAVE_LIB_ERROR()) {
3893
        gnutls_assert();
3894
        ret = GNUTLS_E_PK_GENERATION_ERROR;
3895
        goto dsa_fail;
3896
      }
3897
3898
      ret = _gnutls_mpi_init_multi(&params->params[DSA_Y],
3899
                 &params->params[DSA_X],
3900
                 NULL);
3901
      if (ret < 0) {
3902
        gnutls_assert();
3903
        goto dsa_fail;
3904
      }
3905
3906
      mpz_set(TOMPZ(params->params[DSA_Y]), y);
3907
      mpz_set(TOMPZ(params->params[DSA_X]), x);
3908
      params->params_nr += 2;
3909
3910
    dsa_fail:
3911
      mpz_clear(x);
3912
      mpz_clear(y);
3913
3914
      if (ret < 0)
3915
        goto cleanup;
3916
3917
      break;
3918
    }
3919
#endif
3920
0
    FALLTHROUGH;
3921
0
#endif
3922
0
  case GNUTLS_PK_DH: {
3923
0
    struct dsa_params pub;
3924
0
    mpz_t r;
3925
0
    mpz_t x, y;
3926
0
    int max_tries;
3927
0
    unsigned have_q = 0;
3928
0
    mpz_t q;
3929
0
    mpz_t primesub1;
3930
0
    mpz_t ypowq;
3931
3932
0
    if (algo != params->algo) {
3933
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
3934
0
      goto cleanup;
3935
0
    }
3936
3937
0
    _dsa_params_get(params, &pub);
3938
3939
0
    if (params->params[DSA_Q] != NULL)
3940
0
      have_q = 1;
3941
3942
    /* This check is for the case !ENABLE_FIPS140 */
3943
0
    if (algo == GNUTLS_PK_DSA && have_q == 0) {
3944
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
3945
0
      goto cleanup;
3946
0
    }
3947
3948
0
    mpz_init(r);
3949
0
    mpz_init(x);
3950
0
    mpz_init(y);
3951
3952
0
    mpz_init(q);
3953
0
    mpz_init(primesub1);
3954
0
    mpz_init(ypowq);
3955
3956
0
    max_tries = 3;
3957
0
    do {
3958
0
      if (have_q) {
3959
0
        mpz_set(r, pub.q);
3960
0
        mpz_sub_ui(r, r, 2);
3961
0
        nettle_mpz_random(x, NULL, rnd_func, r);
3962
0
        mpz_add_ui(x, x, 1);
3963
0
      } else {
3964
0
        unsigned size = mpz_sizeinbase(pub.p, 2);
3965
0
        if (level == 0)
3966
0
          level = MIN(size,
3967
0
                DH_EXPONENT_SIZE(size));
3968
0
        nettle_mpz_random_size(x, NULL, rnd_func,
3969
0
                   level);
3970
3971
0
        if (level >= size)
3972
0
          mpz_mod(x, x, pub.p);
3973
0
      }
3974
3975
0
      mpz_powm(y, pub.g, x, pub.p);
3976
3977
0
      max_tries--;
3978
0
      if (max_tries <= 0) {
3979
0
        gnutls_assert();
3980
0
        ret = GNUTLS_E_RANDOM_FAILED;
3981
0
        goto dh_fail;
3982
0
      }
3983
3984
0
      if (HAVE_LIB_ERROR()) {
3985
0
        gnutls_assert();
3986
0
        ret = GNUTLS_E_LIB_IN_ERROR_STATE;
3987
0
        goto dh_fail;
3988
0
      }
3989
3990
0
    } while (mpz_cmp_ui(y, 1) == 0);
3991
3992
#ifdef ENABLE_FIPS140
3993
    if (_gnutls_fips_mode_enabled()) {
3994
      /* Perform FFC full public key validation checks
3995
         * according to SP800-56A (revision 3), 5.6.2.3.1.
3996
         */
3997
3998
      /* Step 1: 2 <= y <= p - 2 */
3999
      mpz_sub_ui(primesub1, pub.p, 1);
4000
4001
      if (mpz_cmp_ui(y, 2) < 0 ||
4002
          mpz_cmp(y, primesub1) >= 0) {
4003
        ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
4004
        goto dh_fail;
4005
      }
4006
4007
      /* Step 2: 1 = y^q mod p */
4008
      if (have_q)
4009
        mpz_set(q, pub.q);
4010
      else {
4011
        ret = dh_find_q(params, q);
4012
        if (ret < 0)
4013
          goto dh_fail;
4014
      }
4015
4016
      mpz_powm(ypowq, y, q, pub.p);
4017
      if (mpz_cmp_ui(ypowq, 1) != 0) {
4018
        ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
4019
        goto dh_fail;
4020
      }
4021
    }
4022
#endif
4023
4024
0
    ret = _gnutls_mpi_init_multi(&params->params[DSA_Y],
4025
0
               &params->params[DSA_X], NULL);
4026
0
    if (ret < 0) {
4027
0
      gnutls_assert();
4028
0
      goto dh_fail;
4029
0
    }
4030
4031
0
    mpz_set(TOMPZ(params->params[DSA_Y]), y);
4032
0
    mpz_set(TOMPZ(params->params[DSA_X]), x);
4033
0
    params->params_nr += 2;
4034
4035
0
    ret = 0;
4036
4037
0
  dh_fail:
4038
0
    mpz_clear(r);
4039
0
    mpz_clear(x);
4040
0
    mpz_clear(y);
4041
0
    mpz_clear(q);
4042
0
    mpz_clear(primesub1);
4043
0
    mpz_clear(ypowq);
4044
4045
0
    if (ret < 0)
4046
0
      goto cleanup;
4047
4048
0
    break;
4049
0
  }
4050
0
  case GNUTLS_PK_RSA_PSS:
4051
0
  case GNUTLS_PK_RSA_OAEP:
4052
0
  case GNUTLS_PK_RSA: {
4053
0
    struct rsa_public_key pub;
4054
0
    struct rsa_private_key priv;
4055
4056
0
    rsa_public_key_init(&pub);
4057
0
    rsa_private_key_init(&priv);
4058
4059
0
    mpz_set_ui(pub.e, 65537);
4060
4061
0
    if ((params->pkflags & GNUTLS_PK_FLAG_PROVABLE) ||
4062
0
        _gnutls_fips_mode_enabled() != 0) {
4063
0
      params->pkflags |= GNUTLS_PK_FLAG_PROVABLE;
4064
0
      if (params->palgo != 0 &&
4065
0
          params->palgo != GNUTLS_DIG_SHA384) {
4066
0
        ret = GNUTLS_E_INVALID_REQUEST;
4067
0
        goto rsa_fail;
4068
0
      }
4069
4070
0
      params->palgo = GNUTLS_DIG_SHA384;
4071
4072
0
      if (params->seed_size) {
4073
0
        ret = _rsa_generate_fips186_4_keypair(
4074
0
          &pub, &priv, params->seed_size,
4075
0
          params->seed, NULL, NULL, level);
4076
0
      } else {
4077
0
        unsigned retries = 0;
4078
        /* The provable RSA key generation process is deterministic
4079
           * but has an internal maximum iteration counter and when
4080
           * exceed will fail for certain random seeds. This is a very
4081
           * rare condition, but it nevertheless happens and even CI builds fail
4082
           * occasionally. When we generate the random seed internally, remediate
4083
           * by retrying a different seed on failure. */
4084
0
        do {
4085
0
          params->seed_size =
4086
0
            sizeof(params->seed);
4087
0
          ret = rsa_generate_fips186_4_keypair(
4088
0
            &pub, &priv, NULL, rnd_func,
4089
0
            NULL, NULL, &params->seed_size,
4090
0
            params->seed, level);
4091
0
        } while (ret != 1 && ++retries < 3);
4092
0
      }
4093
0
    } else {
4094
0
      not_approved = true;
4095
4096
0
      ret = rsa_generate_keypair(&pub, &priv, NULL, rnd_func,
4097
0
               NULL, NULL, level, 0);
4098
0
    }
4099
0
    if (ret != 1 || HAVE_LIB_ERROR()) {
4100
0
      gnutls_assert();
4101
0
      ret = GNUTLS_E_PK_GENERATION_ERROR;
4102
0
      goto rsa_fail;
4103
0
    }
4104
4105
0
    params->params_nr = 0;
4106
0
    for (i = 0; i < RSA_PRIVATE_PARAMS; i++) {
4107
0
      ret = _gnutls_mpi_init(&params->params[i]);
4108
0
      if (ret < 0) {
4109
0
        gnutls_assert();
4110
0
        goto rsa_fail;
4111
0
      }
4112
0
      params->params_nr++;
4113
0
    }
4114
4115
    /* In FIPS 140-3, pub.n should be 2048-bit or larger; it
4116
       * is assured in rsa_generate_fips186_4_keypair in
4117
       * lib/nettle/int/rsa-keygen-fips186.c. */
4118
4119
0
    mpz_set(TOMPZ(params->params[RSA_MODULUS]), pub.n);
4120
0
    mpz_set(TOMPZ(params->params[RSA_PUB]), pub.e);
4121
0
    mpz_set(TOMPZ(params->params[RSA_PRIV]), priv.d);
4122
0
    mpz_set(TOMPZ(params->params[RSA_PRIME1]), priv.p);
4123
0
    mpz_set(TOMPZ(params->params[RSA_PRIME2]), priv.q);
4124
0
    mpz_set(TOMPZ(params->params[RSA_COEF]), priv.c);
4125
0
    mpz_set(TOMPZ(params->params[RSA_E1]), priv.a);
4126
0
    mpz_set(TOMPZ(params->params[RSA_E2]), priv.b);
4127
4128
0
    ret = 0;
4129
4130
0
  rsa_fail:
4131
0
    rsa_private_key_clear(&priv);
4132
0
    rsa_public_key_clear(&pub);
4133
4134
0
    if (ret < 0)
4135
0
      goto cleanup;
4136
4137
0
    break;
4138
0
  }
4139
0
  case GNUTLS_PK_EDDSA_ED25519:
4140
0
  case GNUTLS_PK_EDDSA_ED448: {
4141
0
    unsigned size = gnutls_ecc_curve_get_size(level);
4142
4143
0
    if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE) {
4144
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4145
0
      goto cleanup;
4146
0
    }
4147
4148
0
    if (unlikely(get_eddsa_curve(algo) != level)) {
4149
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4150
0
      goto cleanup;
4151
0
    }
4152
4153
0
    if (size == 0) {
4154
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4155
0
      goto cleanup;
4156
0
    }
4157
4158
0
    params->curve = level;
4159
4160
0
    params->raw_priv.data = gnutls_malloc(size);
4161
0
    if (params->raw_priv.data == NULL) {
4162
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4163
0
      goto cleanup;
4164
0
    }
4165
4166
0
    params->raw_pub.data = gnutls_malloc(size);
4167
0
    if (params->raw_pub.data == NULL) {
4168
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4169
0
      goto cleanup;
4170
0
    }
4171
4172
0
    ret = gnutls_rnd(rnd_level, params->raw_priv.data, size);
4173
0
    if (ret < 0) {
4174
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4175
0
      goto cleanup;
4176
0
    }
4177
0
    params->raw_pub.size = size;
4178
0
    params->raw_priv.size = size;
4179
4180
0
    ret = eddsa_public_key(algo, params->raw_pub.data,
4181
0
               params->raw_priv.data);
4182
0
    if (ret < 0)
4183
0
      goto cleanup;
4184
4185
0
    break;
4186
0
  }
4187
0
  case GNUTLS_PK_ECDSA:
4188
0
    if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE)
4189
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4190
4191
0
    {
4192
0
      struct ecc_scalar key;
4193
0
      struct ecc_point pub;
4194
0
      const struct ecc_curve *curve;
4195
0
      struct ecc_scalar n;
4196
0
      struct ecc_scalar m;
4197
0
      struct ecc_point r;
4198
0
      mpz_t x, y, xx, yy, nn, mm;
4199
4200
0
      curve = get_supported_nist_curve(level);
4201
0
      if (curve == NULL) {
4202
0
        ret = gnutls_assert_val(
4203
0
          GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4204
0
        goto cleanup;
4205
0
      }
4206
4207
0
      _gnutls_audit_data("pk::curve", CRAU_STRING,
4208
0
             gnutls_ecc_curve_get_name(level),
4209
0
             NULL);
4210
4211
      /* P-192 is not supported in FIPS 140-3 */
4212
0
      if (level == GNUTLS_ECC_CURVE_SECP192R1) {
4213
0
        not_approved = true;
4214
0
      }
4215
4216
0
      mpz_init(x);
4217
0
      mpz_init(y);
4218
0
      mpz_init(xx);
4219
0
      mpz_init(yy);
4220
0
      mpz_init(nn);
4221
0
      mpz_init(mm);
4222
4223
0
      ecc_scalar_init(&key, curve);
4224
0
      ecc_point_init(&pub, curve);
4225
0
      ecc_scalar_init(&n, curve);
4226
0
      ecc_scalar_init(&m, curve);
4227
0
      ecc_point_init(&r, curve);
4228
4229
0
      ecdsa_generate_keypair(&pub, &key, NULL, rnd_func);
4230
0
      if (HAVE_LIB_ERROR()) {
4231
0
        ret = gnutls_assert_val(
4232
0
          GNUTLS_E_LIB_IN_ERROR_STATE);
4233
0
        goto ecc_fail;
4234
0
      }
4235
4236
0
      ret = _gnutls_mpi_init_multi(&params->params[ECC_X],
4237
0
                 &params->params[ECC_Y],
4238
0
                 &params->params[ECC_K],
4239
0
                 NULL);
4240
0
      if (ret < 0) {
4241
0
        gnutls_assert();
4242
0
        goto ecc_fail;
4243
0
      }
4244
4245
0
      params->curve = level;
4246
0
      params->params_nr = ECC_PRIVATE_PARAMS;
4247
4248
0
      ecc_point_get(&pub, x, y);
4249
4250
#ifdef ENABLE_FIPS140
4251
      if (_gnutls_fips_mode_enabled()) {
4252
        /* Perform ECC full public key validation checks
4253
         * according to SP800-56A (revision 3), 5.6.2.3.3.
4254
         */
4255
4256
        const char *order, *modulus;
4257
4258
        /* Step 1: verify that Q is not an identity
4259
         * element (an infinity point).  Note that this
4260
         * cannot happen in the nettle implementation,
4261
         * because it cannot represent an infinity point
4262
         * on curves. */
4263
        if (mpz_cmp_ui(x, 0) == 0 &&
4264
            mpz_cmp_ui(y, 0) == 0) {
4265
          ret = gnutls_assert_val(
4266
            GNUTLS_E_ILLEGAL_PARAMETER);
4267
          goto ecc_fail;
4268
        }
4269
4270
        /* Step 2: verify that both coordinates of Q are
4271
         * in the range [0, p - 1].
4272
         *
4273
         * Step 3: verify that Q lie on the curve
4274
         *
4275
         * Both checks are performed in nettle.  */
4276
        if (!ecc_point_set(&r, x, y)) {
4277
          ret = gnutls_assert_val(
4278
            GNUTLS_E_ILLEGAL_PARAMETER);
4279
          goto ecc_fail;
4280
        }
4281
4282
        /* Step 4: verify that n * Q, where n is the
4283
         * curve order, result in an identity element
4284
         *
4285
         * Since nettle internally cannot represent an
4286
         * identity element on curves, we validate this
4287
         * instead:
4288
         *
4289
         *   (n - 1) * Q = -Q
4290
         *
4291
         * That effectively means: n * Q = -Q + Q = O
4292
         */
4293
        order = get_supported_nist_curve_order(level);
4294
        if (unlikely(order == NULL)) {
4295
          ret = gnutls_assert_val(
4296
            GNUTLS_E_INTERNAL_ERROR);
4297
          goto ecc_fail;
4298
        }
4299
4300
        ret = mpz_set_str(nn, order, 16);
4301
        if (unlikely(ret < 0)) {
4302
          ret = gnutls_assert_val(
4303
            GNUTLS_E_MPI_SCAN_FAILED);
4304
          goto ecc_fail;
4305
        }
4306
4307
        modulus =
4308
          get_supported_nist_curve_modulus(level);
4309
        if (unlikely(modulus == NULL)) {
4310
          ret = gnutls_assert_val(
4311
            GNUTLS_E_INTERNAL_ERROR);
4312
          goto ecc_fail;
4313
        }
4314
4315
        ret = mpz_set_str(mm, modulus, 16);
4316
        if (unlikely(ret < 0)) {
4317
          ret = gnutls_assert_val(
4318
            GNUTLS_E_MPI_SCAN_FAILED);
4319
          goto ecc_fail;
4320
        }
4321
4322
        /* (n - 1) * Q = -Q */
4323
        mpz_sub_ui(nn, nn, 1);
4324
        ecc_scalar_set(&n, nn);
4325
        ecc_point_mul(&r, &n, &r);
4326
        ecc_point_get(&r, xx, yy);
4327
        mpz_sub(mm, mm, y);
4328
4329
        if (mpz_cmp(xx, x) != 0 ||
4330
            mpz_cmp(yy, mm) != 0) {
4331
          ret = gnutls_assert_val(
4332
            GNUTLS_E_ILLEGAL_PARAMETER);
4333
          goto ecc_fail;
4334
        }
4335
      } else {
4336
        not_approved = true;
4337
      }
4338
#endif
4339
4340
0
      mpz_set(TOMPZ(params->params[ECC_X]), x);
4341
0
      mpz_set(TOMPZ(params->params[ECC_Y]), y);
4342
4343
0
      ecc_scalar_get(&key, TOMPZ(params->params[ECC_K]));
4344
4345
0
      ret = 0;
4346
4347
0
    ecc_fail:
4348
0
      mpz_clear(x);
4349
0
      mpz_clear(y);
4350
0
      mpz_clear(xx);
4351
0
      mpz_clear(yy);
4352
0
      mpz_clear(nn);
4353
0
      mpz_clear(mm);
4354
0
      ecc_point_clear(&pub);
4355
0
      ecc_scalar_clear(&key);
4356
0
      ecc_point_clear(&r);
4357
0
      ecc_scalar_clear(&n);
4358
0
      ecc_scalar_clear(&m);
4359
4360
0
      if (ret < 0)
4361
0
        goto cleanup;
4362
4363
0
      break;
4364
0
    }
4365
0
#if ENABLE_GOST
4366
0
  case GNUTLS_PK_GOST_01:
4367
0
  case GNUTLS_PK_GOST_12_256:
4368
0
  case GNUTLS_PK_GOST_12_512:
4369
0
    if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE)
4370
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4371
4372
0
    {
4373
0
      struct ecc_scalar key;
4374
0
      struct ecc_point pub;
4375
0
      const struct ecc_curve *curve;
4376
0
      const mac_entry_st *me;
4377
4378
      /* GOST curves are not approved */
4379
0
      not_approved = true;
4380
4381
0
      curve = get_supported_gost_curve(level);
4382
0
      if (curve == NULL) {
4383
0
        ret = gnutls_assert_val(
4384
0
          GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4385
0
        goto cleanup;
4386
0
      }
4387
4388
0
      me = hash_to_entry(_gnutls_gost_digest(algo));
4389
0
      if (!me || me->output_size * 8 != ecc_bit_size(curve)) {
4390
0
        ret = gnutls_assert_val(
4391
0
          GNUTLS_E_INVALID_REQUEST);
4392
0
        goto cleanup;
4393
0
      }
4394
4395
0
      ecc_scalar_init(&key, curve);
4396
0
      ecc_point_init(&pub, curve);
4397
4398
0
      gostdsa_generate_keypair(&pub, &key, NULL,
4399
0
             rnd_key_func);
4400
0
      if (HAVE_LIB_ERROR()) {
4401
0
        ret = gnutls_assert_val(
4402
0
          GNUTLS_E_LIB_IN_ERROR_STATE);
4403
0
        goto ecc_fail;
4404
0
      }
4405
4406
0
      ret = _gnutls_mpi_init_multi(&params->params[GOST_X],
4407
0
                 &params->params[GOST_Y],
4408
0
                 &params->params[GOST_K],
4409
0
                 NULL);
4410
0
      if (ret < 0) {
4411
0
        gnutls_assert();
4412
0
        goto gost_fail;
4413
0
      }
4414
4415
0
      params->curve = level;
4416
0
      params->params_nr = GOST_PRIVATE_PARAMS;
4417
4418
0
      ecc_point_get(&pub, TOMPZ(params->params[GOST_X]),
4419
0
              TOMPZ(params->params[GOST_Y]));
4420
0
      ecc_scalar_get(&key, TOMPZ(params->params[GOST_K]));
4421
4422
0
      ret = 0;
4423
4424
0
    gost_fail:
4425
0
      ecc_point_clear(&pub);
4426
0
      ecc_scalar_clear(&key);
4427
4428
0
      if (ret < 0)
4429
0
        goto cleanup;
4430
4431
0
      break;
4432
0
    }
4433
0
#endif
4434
0
  case GNUTLS_PK_ECDH_X25519:
4435
0
  case GNUTLS_PK_ECDH_X448: {
4436
0
    unsigned size = gnutls_ecc_curve_get_size(level);
4437
4438
0
    not_approved = true;
4439
4440
0
    if (size == 0) {
4441
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4442
0
      goto cleanup;
4443
0
    }
4444
4445
0
    params->curve = level;
4446
4447
0
    params->raw_priv.data = gnutls_malloc(size);
4448
0
    if (params->raw_priv.data == NULL) {
4449
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4450
0
      goto cleanup;
4451
0
    }
4452
4453
0
    params->raw_pub.data = gnutls_malloc(size);
4454
0
    if (params->raw_pub.data == NULL) {
4455
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4456
0
      goto cleanup;
4457
0
    }
4458
4459
0
    ret = gnutls_rnd(rnd_level, params->raw_priv.data, size);
4460
0
    if (ret < 0) {
4461
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4462
0
      goto cleanup;
4463
0
    }
4464
0
    params->raw_pub.size = size;
4465
0
    params->raw_priv.size = size;
4466
4467
0
    ret = edwards_curve_mul_g(algo, params->raw_pub.data,
4468
0
            params->raw_priv.data);
4469
0
    if (ret < 0)
4470
0
      goto cleanup;
4471
0
    break;
4472
0
  }
4473
0
  case GNUTLS_PK_MLKEM768:
4474
0
  case GNUTLS_PK_MLKEM1024:
4475
0
    not_approved = true;
4476
0
    ret = ml_kem_generate_keypair(algo, &params->raw_priv,
4477
0
                &params->raw_pub);
4478
0
    if (ret < 0)
4479
0
      goto cleanup;
4480
0
    break;
4481
0
  case GNUTLS_PK_MLDSA44:
4482
0
  case GNUTLS_PK_MLDSA65:
4483
0
  case GNUTLS_PK_MLDSA87:
4484
0
    if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE)
4485
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4486
4487
0
    not_approved = true;
4488
4489
0
    if (!(params->pkflags & GNUTLS_PK_FLAG_EXPAND_KEYS_FROM_SEED)) {
4490
0
      _gnutls_free_key_datum(&params->raw_seed);
4491
0
      params->raw_seed.data = gnutls_malloc(32);
4492
0
      params->raw_seed.size = 32;
4493
0
      ret = gnutls_rnd(GNUTLS_RND_KEY, params->raw_seed.data,
4494
0
           params->raw_seed.size);
4495
0
      if (ret < 0)
4496
0
        goto cleanup;
4497
0
    }
4498
4499
0
    ret = ml_dsa_generate_keypair(algo, &params->raw_priv,
4500
0
                &params->raw_pub,
4501
0
                &params->raw_seed);
4502
0
    if (ret < 0)
4503
0
      goto cleanup;
4504
0
    break;
4505
0
  default:
4506
0
    gnutls_assert();
4507
0
    return GNUTLS_E_INVALID_REQUEST;
4508
0
  }
4509
4510
0
  params->algo = algo;
4511
4512
#ifdef ENABLE_FIPS140
4513
  if (_gnutls_fips_mode_enabled()) {
4514
    ret = pct_test(algo, params);
4515
    if (ret < 0) {
4516
      gnutls_assert();
4517
      goto cleanup;
4518
    }
4519
  }
4520
#endif
4521
4522
0
cleanup:
4523
0
  if (ret < 0) {
4524
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
4525
0
    for (i = 0; i < params->params_nr; i++) {
4526
0
      _gnutls_mpi_release(&params->params[i]);
4527
0
    }
4528
0
    params->params_nr = 0;
4529
0
    gnutls_free(params->raw_priv.data);
4530
0
    gnutls_free(params->raw_pub.data);
4531
0
  } else if (not_approved) {
4532
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
4533
0
  } else {
4534
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
4535
0
  }
4536
4537
0
  gnutls_audit_pop_context();
4538
4539
0
  FAIL_IF_LIB_ERROR;
4540
0
  return ret;
4541
0
}
4542
4543
static int wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo,
4544
               const gnutls_pk_params_st *params)
4545
0
{
4546
0
  int ret;
4547
4548
0
  switch (algo) {
4549
0
  case GNUTLS_PK_RSA:
4550
0
  case GNUTLS_PK_RSA_PSS:
4551
0
  case GNUTLS_PK_RSA_OAEP: {
4552
0
    bigint_t t1 = NULL, t2 = NULL;
4553
4554
0
    if (params->params_nr != RSA_PRIVATE_PARAMS)
4555
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4556
4557
0
    ret = _gnutls_mpi_init_multi(&t1, &t2, NULL);
4558
0
    if (ret < 0)
4559
0
      return gnutls_assert_val(ret);
4560
4561
0
    _gnutls_mpi_mulm(t1, params->params[RSA_PRIME1],
4562
0
         params->params[RSA_PRIME2],
4563
0
         params->params[RSA_MODULUS]);
4564
0
    if (_gnutls_mpi_cmp_ui(t1, 0) != 0) {
4565
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4566
0
      goto rsa_cleanup;
4567
0
    }
4568
4569
0
    if (!mpz_invert(TOMPZ(t1), TOMPZ(params->params[RSA_PRIME2]),
4570
0
        TOMPZ(params->params[RSA_PRIME1]))) {
4571
0
      ret = gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
4572
0
      goto rsa_cleanup;
4573
0
    }
4574
0
    if (_gnutls_mpi_cmp(t1, params->params[RSA_COEF]) != 0) {
4575
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4576
0
      goto rsa_cleanup;
4577
0
    }
4578
4579
    /* [RSA_PRIME1] = d % p-1, [RSA_PRIME2] = d % q-1 */
4580
0
    _gnutls_mpi_sub_ui(t1, params->params[RSA_PRIME1], 1);
4581
0
    ret = _gnutls_mpi_modm(t2, params->params[RSA_PRIV], t1);
4582
0
    if (ret < 0) {
4583
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4584
0
      goto rsa_cleanup;
4585
0
    }
4586
4587
0
    if (_gnutls_mpi_cmp(params->params[RSA_E1], t2) != 0) {
4588
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4589
0
      goto rsa_cleanup;
4590
0
    }
4591
4592
0
    _gnutls_mpi_sub_ui(t1, params->params[RSA_PRIME2], 1);
4593
4594
0
    ret = _gnutls_mpi_modm(t2, params->params[RSA_PRIV], t1);
4595
0
    if (ret < 0) {
4596
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4597
0
      goto rsa_cleanup;
4598
0
    }
4599
4600
0
    if (_gnutls_mpi_cmp(params->params[RSA_E2], t2) != 0) {
4601
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4602
0
      goto rsa_cleanup;
4603
0
    }
4604
4605
0
    ret = 0;
4606
4607
0
  rsa_cleanup:
4608
0
    zrelease_mpi_key(&t1);
4609
0
    zrelease_mpi_key(&t2);
4610
0
  }
4611
4612
0
  break;
4613
0
#ifdef ENABLE_DSA
4614
0
  case GNUTLS_PK_DSA:
4615
0
#endif
4616
0
  case GNUTLS_PK_DH: {
4617
0
    bigint_t t1 = NULL;
4618
4619
0
    if (params->params_nr != DSA_PRIVATE_PARAMS)
4620
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4621
4622
0
    ret = _gnutls_mpi_init(&t1);
4623
0
    if (ret < 0)
4624
0
      return gnutls_assert_val(ret);
4625
4626
0
    ret = _gnutls_mpi_powm(t1, params->params[DSA_G],
4627
0
               params->params[DSA_X],
4628
0
               params->params[DSA_P]);
4629
0
    if (ret < 0) {
4630
0
      gnutls_assert();
4631
0
      goto dsa_cleanup;
4632
0
    }
4633
4634
0
    if (_gnutls_mpi_cmp(t1, params->params[DSA_Y]) != 0) {
4635
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4636
0
      goto dsa_cleanup;
4637
0
    }
4638
4639
0
    ret = 0;
4640
4641
0
  dsa_cleanup:
4642
0
    zrelease_mpi_key(&t1);
4643
0
  }
4644
4645
0
  break;
4646
0
  case GNUTLS_PK_ECDSA: {
4647
0
    struct ecc_point r, pub;
4648
0
    struct ecc_scalar priv;
4649
0
    mpz_t x1, y1, x2, y2;
4650
0
    const struct ecc_curve *curve;
4651
4652
0
    if (params->params_nr != ECC_PRIVATE_PARAMS)
4653
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4654
4655
0
    curve = get_supported_nist_curve(params->curve);
4656
0
    if (curve == NULL)
4657
0
      return gnutls_assert_val(
4658
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4659
4660
0
    ret = _ecc_params_to_pubkey(params, &pub, curve);
4661
0
    if (ret < 0)
4662
0
      return gnutls_assert_val(ret);
4663
4664
0
    ret = _ecc_params_to_privkey(params, &priv, curve);
4665
0
    if (ret < 0) {
4666
0
      ecc_point_clear(&pub);
4667
0
      return gnutls_assert_val(ret);
4668
0
    }
4669
4670
0
    ecc_point_init(&r, curve);
4671
    /* verify that x,y lie on the curve */
4672
0
    ret = ecc_point_set(&r, TOMPZ(params->params[ECC_X]),
4673
0
            TOMPZ(params->params[ECC_Y]));
4674
0
    if (ret == 0) {
4675
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4676
0
      goto ecc_cleanup;
4677
0
    }
4678
0
    ecc_point_clear(&r);
4679
4680
0
    ecc_point_init(&r, curve);
4681
0
    ecc_point_mul_g(&r, &priv);
4682
4683
0
    mpz_init(x1);
4684
0
    mpz_init(y1);
4685
0
    ecc_point_get(&r, x1, y1);
4686
0
    ecc_point_zclear(&r);
4687
4688
0
    mpz_init(x2);
4689
0
    mpz_init(y2);
4690
0
    ecc_point_get(&pub, x2, y2);
4691
4692
    /* verify that k*(Gx,Gy)=(x,y) */
4693
0
    if (mpz_cmp(x1, x2) != 0 || mpz_cmp(y1, y2) != 0) {
4694
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4695
0
      goto ecc_cleanup;
4696
0
    }
4697
4698
0
    ret = 0;
4699
4700
0
  ecc_cleanup:
4701
0
    ecc_scalar_zclear(&priv);
4702
0
    ecc_point_clear(&pub);
4703
4704
0
    mpz_clear(x1);
4705
0
    mpz_clear(y1);
4706
0
    mpz_clear(x2);
4707
0
    mpz_clear(y2);
4708
0
  } break;
4709
0
  case GNUTLS_PK_EDDSA_ED25519:
4710
0
  case GNUTLS_PK_EDDSA_ED448: {
4711
0
    gnutls_ecc_curve_t curve;
4712
0
    const gnutls_ecc_curve_entry_st *e;
4713
0
    uint8_t pub[57]; /* can accommodate both curves */
4714
4715
0
    curve = get_eddsa_curve(algo);
4716
0
    e = _gnutls_ecc_curve_get_params(curve);
4717
0
    if (e == NULL)
4718
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4719
4720
0
    if (params->raw_pub.data == NULL) {
4721
0
      return 0; /* nothing to verify */
4722
0
    }
4723
4724
0
    if (params->raw_pub.size != e->size)
4725
0
      return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4726
4727
0
    ret = eddsa_public_key(algo, pub, params->raw_priv.data);
4728
0
    if (ret < 0)
4729
0
      return ret;
4730
4731
0
    if (memcmp(params->raw_pub.data, pub, e->size) != 0)
4732
0
      return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4733
4734
0
    ret = 0;
4735
0
    break;
4736
0
  }
4737
0
  case GNUTLS_PK_ECDH_X25519:
4738
0
  case GNUTLS_PK_ECDH_X448: {
4739
0
    gnutls_ecc_curve_t curve;
4740
0
    const gnutls_ecc_curve_entry_st *e;
4741
0
    uint8_t pub[57]; /* can accommodate both curves */
4742
4743
0
    curve = get_ecdh_curve(algo);
4744
0
    e = _gnutls_ecc_curve_get_params(curve);
4745
0
    if (e == NULL)
4746
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4747
4748
0
    if (params->raw_pub.data == NULL) {
4749
0
      return 0; /* nothing to verify */
4750
0
    }
4751
4752
0
    if (params->raw_pub.size != e->size)
4753
0
      return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4754
4755
0
    ret = edwards_curve_mul_g(algo, pub, params->raw_priv.data);
4756
0
    if (ret < 0)
4757
0
      return ret;
4758
4759
0
    if (memcmp(params->raw_pub.data, pub, e->size) != 0)
4760
0
      return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4761
4762
0
    ret = 0;
4763
0
    break;
4764
0
  }
4765
0
  case GNUTLS_PK_MLKEM768:
4766
0
  case GNUTLS_PK_MLKEM1024:
4767
0
    if (!ml_kem_exists(algo))
4768
0
      return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
4769
4770
0
    ret = 0;
4771
0
    break;
4772
0
  case GNUTLS_PK_MLDSA44:
4773
0
  case GNUTLS_PK_MLDSA65:
4774
0
  case GNUTLS_PK_MLDSA87: {
4775
0
    if (!ml_dsa_exists(algo))
4776
0
      return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
4777
4778
0
    ret = 0;
4779
0
    break;
4780
0
  }
4781
0
#if ENABLE_GOST
4782
0
  case GNUTLS_PK_GOST_01:
4783
0
  case GNUTLS_PK_GOST_12_256:
4784
0
  case GNUTLS_PK_GOST_12_512: {
4785
0
    struct ecc_point r, pub;
4786
0
    struct ecc_scalar priv;
4787
0
    mpz_t x1, y1, x2, y2;
4788
0
    const struct ecc_curve *curve;
4789
4790
0
    if (params->params_nr != GOST_PRIVATE_PARAMS)
4791
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4792
4793
0
    curve = get_supported_gost_curve(params->curve);
4794
0
    if (curve == NULL)
4795
0
      return gnutls_assert_val(
4796
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4797
4798
0
    ret = _gost_params_to_pubkey(params, &pub, curve);
4799
0
    if (ret < 0)
4800
0
      return gnutls_assert_val(ret);
4801
4802
0
    ret = _gost_params_to_privkey(params, &priv, curve);
4803
0
    if (ret < 0) {
4804
0
      ecc_point_clear(&pub);
4805
0
      return gnutls_assert_val(ret);
4806
0
    }
4807
4808
0
    ecc_point_init(&r, curve);
4809
    /* verify that x,y lie on the curve */
4810
0
    ret = gost_point_set(&r, TOMPZ(params->params[GOST_X]),
4811
0
             TOMPZ(params->params[GOST_Y]));
4812
0
    if (ret == 0) {
4813
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4814
0
      goto gost_cleanup;
4815
0
    }
4816
0
    ecc_point_clear(&r);
4817
4818
0
    ecc_point_init(&r, curve);
4819
0
    gost_point_mul_g(&r, &priv);
4820
4821
0
    mpz_init(x1);
4822
0
    mpz_init(y1);
4823
0
    ecc_point_get(&r, x1, y1);
4824
0
    ecc_point_zclear(&r);
4825
4826
0
    mpz_init(x2);
4827
0
    mpz_init(y2);
4828
0
    ecc_point_get(&pub, x2, y2);
4829
4830
    /* verify that k*(Gx,Gy)=(x,y) */
4831
0
    if (mpz_cmp(x1, x2) != 0 || mpz_cmp(y1, y2) != 0) {
4832
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4833
0
      goto gost_cleanup;
4834
0
    }
4835
4836
0
    ret = 0;
4837
4838
0
  gost_cleanup:
4839
0
    ecc_scalar_zclear(&priv);
4840
0
    ecc_point_clear(&pub);
4841
4842
0
    mpz_clear(x1);
4843
0
    mpz_clear(y1);
4844
0
    mpz_clear(x2);
4845
0
    mpz_clear(y2);
4846
0
  } break;
4847
0
#endif
4848
0
  default:
4849
0
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4850
0
  }
4851
4852
0
  return ret;
4853
0
}
4854
4855
static int wrap_nettle_pk_verify_pub_params(gnutls_pk_algorithm_t algo,
4856
              const gnutls_pk_params_st *params)
4857
0
{
4858
0
  int ret;
4859
4860
0
  switch (algo) {
4861
0
  case GNUTLS_PK_RSA:
4862
0
  case GNUTLS_PK_RSA_PSS:
4863
0
  case GNUTLS_PK_RSA_OAEP:
4864
0
#ifdef ENABLE_DSA
4865
0
  case GNUTLS_PK_DSA:
4866
0
#endif
4867
0
  case GNUTLS_PK_EDDSA_ED25519:
4868
0
  case GNUTLS_PK_EDDSA_ED448:
4869
0
    return 0;
4870
0
  case GNUTLS_PK_ECDSA: {
4871
    /* just verify that x and y lie on the curve */
4872
0
    struct ecc_point r, pub;
4873
0
    const struct ecc_curve *curve;
4874
4875
0
    if (params->params_nr != ECC_PUBLIC_PARAMS)
4876
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4877
4878
0
    curve = get_supported_nist_curve(params->curve);
4879
0
    if (curve == NULL)
4880
0
      return gnutls_assert_val(
4881
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4882
4883
0
    ret = _ecc_params_to_pubkey(params, &pub, curve);
4884
0
    if (ret < 0)
4885
0
      return gnutls_assert_val(ret);
4886
4887
0
    ecc_point_init(&r, curve);
4888
    /* verify that x,y lie on the curve */
4889
0
    ret = ecc_point_set(&r, TOMPZ(params->params[ECC_X]),
4890
0
            TOMPZ(params->params[ECC_Y]));
4891
0
    if (ret == 0) {
4892
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4893
0
      goto ecc_cleanup;
4894
0
    }
4895
0
    ecc_point_clear(&r);
4896
4897
0
    ret = 0;
4898
4899
0
  ecc_cleanup:
4900
0
    ecc_point_clear(&pub);
4901
0
  } break;
4902
0
#if ENABLE_GOST
4903
0
  case GNUTLS_PK_GOST_01:
4904
0
  case GNUTLS_PK_GOST_12_256:
4905
0
  case GNUTLS_PK_GOST_12_512: {
4906
    /* just verify that x and y lie on the curve */
4907
0
    struct ecc_point r, pub;
4908
0
    const struct ecc_curve *curve;
4909
4910
0
    if (params->params_nr != GOST_PUBLIC_PARAMS)
4911
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4912
4913
0
    curve = get_supported_gost_curve(params->curve);
4914
0
    if (curve == NULL)
4915
0
      return gnutls_assert_val(
4916
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4917
4918
0
    ret = _gost_params_to_pubkey(params, &pub, curve);
4919
0
    if (ret < 0)
4920
0
      return gnutls_assert_val(ret);
4921
4922
0
    ecc_point_init(&r, curve);
4923
    /* verify that x,y lie on the curve */
4924
0
    ret = ecc_point_set(&r, TOMPZ(params->params[GOST_X]),
4925
0
            TOMPZ(params->params[GOST_Y]));
4926
0
    if (ret == 0) {
4927
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4928
0
      goto gost_cleanup;
4929
0
    }
4930
0
    ecc_point_clear(&r);
4931
4932
0
    ret = 0;
4933
4934
0
  gost_cleanup:
4935
0
    ecc_point_clear(&pub);
4936
0
  } break;
4937
0
#endif
4938
0
  default:
4939
0
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4940
0
  }
4941
4942
0
  return ret;
4943
0
}
4944
4945
static int calc_rsa_exp(gnutls_pk_params_st *params)
4946
0
{
4947
0
  bigint_t tmp;
4948
0
  int ret;
4949
4950
0
  if (params->params_nr < RSA_PRIVATE_PARAMS - 2) {
4951
0
    gnutls_assert();
4952
0
    return GNUTLS_E_INTERNAL_ERROR;
4953
0
  }
4954
4955
0
  params->params[RSA_E1] = params->params[RSA_E2] = NULL;
4956
4957
0
  ret = _gnutls_mpi_init_multi(&tmp, &params->params[RSA_E1],
4958
0
             &params->params[RSA_E2], NULL);
4959
0
  if (ret < 0)
4960
0
    return gnutls_assert_val(ret);
4961
4962
  /* [6] = d % p-1, [7] = d % q-1 */
4963
0
  _gnutls_mpi_sub_ui(tmp, params->params[RSA_PRIME1], 1);
4964
0
  ret = _gnutls_mpi_modm(params->params[RSA_E1],
4965
0
             params->params[RSA_PRIV] /*d */, tmp);
4966
0
  if (ret < 0)
4967
0
    goto fail;
4968
4969
0
  _gnutls_mpi_sub_ui(tmp, params->params[RSA_PRIME2], 1);
4970
0
  ret = _gnutls_mpi_modm(params->params[RSA_E2],
4971
0
             params->params[RSA_PRIV] /*d */, tmp);
4972
0
  if (ret < 0)
4973
0
    goto fail;
4974
4975
0
  zrelease_mpi_key(&tmp);
4976
4977
0
  return 0;
4978
4979
0
fail:
4980
0
  zrelease_mpi_key(&tmp);
4981
0
  zrelease_mpi_key(&params->params[RSA_E1]);
4982
0
  zrelease_mpi_key(&params->params[RSA_E2]);
4983
4984
0
  return ret;
4985
0
}
4986
4987
static int calc_rsa_priv(gnutls_pk_params_st *params)
4988
0
{
4989
0
  bigint_t lcm, p1, q1;
4990
0
  int ret;
4991
4992
0
  params->params[RSA_PRIV] = NULL;
4993
4994
0
  ret = _gnutls_mpi_init_multi(&params->params[RSA_PRIV], &lcm, &p1, &q1,
4995
0
             NULL);
4996
0
  if (ret < 0)
4997
0
    return gnutls_assert_val(ret);
4998
4999
  /* lcm(p - 1, q - 1) */
5000
0
  mpz_sub_ui(p1, params->params[RSA_PRIME1], 1);
5001
0
  mpz_sub_ui(q1, params->params[RSA_PRIME2], 1);
5002
0
  mpz_lcm(lcm, p1, q1);
5003
5004
0
  zrelease_mpi_key(&p1);
5005
0
  zrelease_mpi_key(&q1);
5006
5007
  /* d = e^{-1} (mod lcm) */
5008
0
  ret = mpz_invert(params->params[RSA_PRIV], params->params[RSA_PUB],
5009
0
       lcm);
5010
5011
0
  zrelease_mpi_key(&lcm);
5012
5013
0
  if (ret == 0) {
5014
0
    zrelease_mpi_key(&params->params[RSA_PRIV]);
5015
0
    return GNUTLS_E_INVALID_REQUEST;
5016
0
  }
5017
5018
0
  return 0;
5019
0
}
5020
5021
#ifdef ENABLE_DSA
5022
static int calc_dsa_pub(gnutls_pk_params_st *params)
5023
0
{
5024
0
  int ret;
5025
5026
0
  params->params[DSA_Y] = NULL;
5027
5028
0
  ret = _gnutls_mpi_init(&params->params[DSA_Y]);
5029
0
  if (ret < 0)
5030
0
    return gnutls_assert_val(ret);
5031
5032
  /* y = g^x mod p */
5033
0
  ret = _gnutls_mpi_powm(params->params[DSA_Y], params->params[DSA_G],
5034
0
             params->params[DSA_X], params->params[DSA_P]);
5035
0
  if (ret < 0) {
5036
0
    zrelease_mpi_key(&params->params[DSA_Y]);
5037
0
    return gnutls_assert_val(ret);
5038
0
  }
5039
5040
0
  return 0;
5041
0
}
5042
#endif
5043
5044
static int wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
5045
        gnutls_direction_t direction,
5046
        gnutls_pk_params_st *params)
5047
0
{
5048
0
  int ret = 0;
5049
5050
0
  if (direction != GNUTLS_IMPORT)
5051
0
    return 0;
5052
5053
0
  switch (algo) {
5054
0
  case GNUTLS_PK_RSA: {
5055
0
    struct rsa_private_key priv;
5056
5057
0
    if (params->params[RSA_PRIV] == NULL) {
5058
0
      ret = calc_rsa_priv(params);
5059
0
      if (ret < 0)
5060
0
        return gnutls_assert_val(ret);
5061
0
      params->params_nr++;
5062
0
    }
5063
5064
    /* do not trust the generated values. Some old private keys
5065
     * generated by us have mess on the values. Those were very
5066
     * old but it seemed some of the shipped example private
5067
     * keys were as old.
5068
     */
5069
0
    if (params->params_nr < RSA_PRIVATE_PARAMS - 3)
5070
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5071
5072
0
    if (params->params[RSA_COEF] == NULL) {
5073
0
      ret = _gnutls_mpi_init(&params->params[RSA_COEF]);
5074
0
      if (ret < 0)
5075
0
        return gnutls_assert_val(ret);
5076
0
    }
5077
5078
0
    if (mpz_cmp_ui(TOMPZ(params->params[RSA_PRIME1]), 0) == 0)
5079
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5080
5081
0
    if (mpz_invert(TOMPZ(params->params[RSA_COEF]),
5082
0
             TOMPZ(params->params[RSA_PRIME2]),
5083
0
             TOMPZ(params->params[RSA_PRIME1])) == 0)
5084
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5085
5086
    /* calculate exp1 [6] and exp2 [7] */
5087
0
    zrelease_mpi_key(&params->params[RSA_E1]);
5088
0
    zrelease_mpi_key(&params->params[RSA_E2]);
5089
5090
    /* marks RSA_COEF as present */
5091
0
    params->params_nr = RSA_PRIVATE_PARAMS - 2;
5092
0
    ret = calc_rsa_exp(params);
5093
0
    if (ret < 0)
5094
0
      return gnutls_assert_val(ret);
5095
5096
0
    params->params_nr = RSA_PRIVATE_PARAMS;
5097
5098
    /* perform nettle's internal checks */
5099
0
    _rsa_params_to_privkey(params, &priv);
5100
0
    ret = rsa_private_key_prepare(&priv);
5101
0
    if (ret == 0) {
5102
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5103
0
    }
5104
0
    ret = 0;
5105
0
  } break;
5106
0
  case GNUTLS_PK_EDDSA_ED25519:
5107
0
  case GNUTLS_PK_EDDSA_ED448:
5108
0
    if (unlikely(get_eddsa_curve(algo) != params->curve))
5109
0
      return gnutls_assert_val(
5110
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
5111
5112
0
    if (params->raw_priv.data == NULL)
5113
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5114
5115
0
    if (params->raw_pub.data == NULL) {
5116
0
      params->raw_pub.data =
5117
0
        gnutls_malloc(params->raw_priv.size);
5118
0
    }
5119
5120
0
    if (params->raw_pub.data == NULL)
5121
0
      return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
5122
5123
0
    ret = eddsa_public_key(algo, params->raw_pub.data,
5124
0
               params->raw_priv.data);
5125
0
    if (ret < 0) {
5126
0
      gnutls_free(params->raw_pub.data);
5127
0
      return ret;
5128
0
    }
5129
5130
0
    params->raw_pub.size = params->raw_priv.size;
5131
0
    break;
5132
5133
0
  case GNUTLS_PK_ECDH_X25519:
5134
0
  case GNUTLS_PK_ECDH_X448:
5135
0
    if (unlikely(get_ecdh_curve(algo) != params->curve))
5136
0
      return gnutls_assert_val(
5137
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
5138
5139
0
    if (params->raw_priv.data == NULL)
5140
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5141
5142
0
    if (params->raw_pub.data == NULL) {
5143
0
      params->raw_pub.data =
5144
0
        gnutls_malloc(params->raw_priv.size);
5145
0
    }
5146
5147
0
    if (params->raw_pub.data == NULL)
5148
0
      return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
5149
5150
0
    ret = edwards_curve_mul_g(algo, params->raw_pub.data,
5151
0
            params->raw_priv.data);
5152
0
    if (ret < 0) {
5153
0
      gnutls_free(params->raw_pub.data);
5154
0
      return ret;
5155
0
    }
5156
5157
0
    params->raw_pub.size = params->raw_priv.size;
5158
0
    break;
5159
5160
0
  case GNUTLS_PK_RSA_PSS:
5161
0
    if (params->params_nr < RSA_PRIVATE_PARAMS - 3)
5162
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5163
5164
0
    if (params->spki.rsa_pss_dig != 0) {
5165
0
      unsigned pub_size = nettle_mpz_sizeinbase_256_u(
5166
0
        TOMPZ(params->params[RSA_MODULUS]));
5167
      /* sanity check for private key */
5168
0
      CHECK_INVALID_RSA_PSS_PARAMS(
5169
0
        gnutls_hash_get_len(params->spki.rsa_pss_dig),
5170
0
        params->spki.salt_size, pub_size,
5171
0
        GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
5172
0
    }
5173
0
    break;
5174
5175
0
  case GNUTLS_PK_MLDSA44:
5176
0
  case GNUTLS_PK_MLDSA65:
5177
0
  case GNUTLS_PK_MLDSA87:
5178
0
    if (params->raw_priv.data == NULL)
5179
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5180
5181
0
    if (params->raw_pub.data == NULL) {
5182
0
      ret = ml_dsa_privkey_to_pubkey(algo, &params->raw_priv,
5183
0
                   &params->raw_pub);
5184
0
      if (ret < 0) {
5185
0
        if (ret == GNUTLS_E_UNIMPLEMENTED_FEATURE) {
5186
0
          _gnutls_debug_log(
5187
0
            "Deriving public key from an ML-DSA private key is not implemented; ignoring the request\n");
5188
0
          return 0;
5189
0
        }
5190
0
        return gnutls_assert_val(ret);
5191
0
      }
5192
0
    }
5193
0
    break;
5194
5195
0
#ifdef ENABLE_DSA
5196
0
  case GNUTLS_PK_DSA:
5197
0
    if (params->params[DSA_Y] == NULL) {
5198
0
      ret = calc_dsa_pub(params);
5199
0
      if (ret < 0)
5200
0
        return gnutls_assert_val(ret);
5201
0
      params->params_nr++;
5202
0
    }
5203
0
    break;
5204
0
#endif
5205
0
#if ENABLE_GOST
5206
0
  case GNUTLS_PK_GOST_01:
5207
0
  case GNUTLS_PK_GOST_12_256:
5208
0
  case GNUTLS_PK_GOST_12_512: {
5209
0
    struct ecc_point r;
5210
0
    struct ecc_scalar priv;
5211
0
    const struct ecc_curve *curve;
5212
5213
0
    if (params->params_nr != GOST_PRIVATE_PARAMS)
5214
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
5215
5216
0
    curve = get_supported_gost_curve(params->curve);
5217
0
    if (curve == NULL)
5218
0
      return gnutls_assert_val(
5219
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
5220
5221
0
    if (ecc_bit_size(curve) <
5222
0
        _gnutls_mpi_get_nbits(params->params[GOST_K]))
5223
0
      gostdsa_unmask_key(curve,
5224
0
             TOMPZ(params->params[GOST_K]));
5225
5226
0
    ret = _gost_params_to_privkey(params, &priv, curve);
5227
0
    if (ret < 0) {
5228
0
      return gnutls_assert_val(ret);
5229
0
    }
5230
5231
0
    ecc_point_init(&r, curve);
5232
0
    gost_point_mul_g(&r, &priv);
5233
5234
0
    ecc_point_get(&r, params->params[GOST_X],
5235
0
            params->params[GOST_Y]);
5236
5237
0
    ecc_point_clear(&r);
5238
0
    ecc_scalar_clear(&priv);
5239
0
  } break;
5240
0
#endif
5241
0
  case GNUTLS_PK_EC:
5242
0
    if (params->params_nr == ECC_PRIVATE_PARAMS) {
5243
0
      return 0;
5244
0
    }
5245
0
    struct ecc_scalar s;
5246
0
    struct ecc_point p;
5247
0
    mpz_t pk, px, py;
5248
0
    gnutls_datum_t k = { NULL, 0 };
5249
0
    unsigned char exported_mpz_buf[MAX_PRIME_CURVE_COORD_SIZE] = {
5250
0
      0
5251
0
    };
5252
0
    uint8_t x_buf[MAX_PRIME_CURVE_COORD_SIZE] = { 0 };
5253
0
    uint8_t y_buf[MAX_PRIME_CURVE_COORD_SIZE] = { 0 };
5254
0
    size_t count = 0;
5255
5256
0
    const struct ecc_curve *ecc =
5257
0
      get_supported_nist_curve(params->curve);
5258
5259
0
    if (ecc == NULL) {
5260
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
5261
0
    }
5262
5263
0
    size_t coord_size = gnutls_ecc_curve_get_size(params->curve);
5264
0
    if (coord_size == 0) {
5265
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
5266
0
    }
5267
5268
0
    mpz_init(pk);
5269
0
    mpz_init(px);
5270
0
    mpz_init(py);
5271
5272
0
    ret = _gnutls_mpi_dprint(params->params[ECC_K], &k);
5273
0
    if (ret != 0) {
5274
0
      ret = gnutls_assert_val(ret);
5275
0
      goto cleanup;
5276
0
    }
5277
5278
0
    mpz_import(pk, k.size, 1, 1, 1, 0, k.data);
5279
5280
0
    ecc_scalar_init(&s, ecc);
5281
5282
0
    if (!ecc_scalar_set(&s, pk)) {
5283
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
5284
0
      goto cleanup;
5285
0
    }
5286
5287
0
    ecc_point_init(&p, ecc);
5288
0
    ecc_point_mul_g(&p, &s);
5289
0
    ecc_point_get(&p, px, py);
5290
5291
0
    mpz_export(exported_mpz_buf, &count, 1, 1, 1, 0, px);
5292
0
    memcpy(x_buf + (coord_size - count), exported_mpz_buf, count);
5293
5294
0
    zeroize_key(exported_mpz_buf, MAX_PRIME_CURVE_COORD_SIZE);
5295
0
    mpz_export(exported_mpz_buf, &count, 1, 1, 1, 0, py);
5296
0
    memcpy(y_buf + (coord_size - count), exported_mpz_buf, count);
5297
5298
0
    ret = _gnutls_mpi_init_scan(&params->params[ECC_X], x_buf,
5299
0
              coord_size);
5300
0
    if (ret != 0) {
5301
0
      ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
5302
0
      goto cleanup;
5303
0
    }
5304
0
    params->params_nr++;
5305
5306
0
    ret = _gnutls_mpi_init_scan(&params->params[ECC_Y], y_buf,
5307
0
              coord_size);
5308
0
    if (ret != 0) {
5309
0
      ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
5310
0
      goto cleanup;
5311
0
    }
5312
0
    params->params_nr++;
5313
5314
0
  cleanup:
5315
0
    ecc_point_clear(&p);
5316
0
    ecc_scalar_clear(&s);
5317
0
    mpz_clear(pk);
5318
0
    mpz_clear(px);
5319
0
    mpz_clear(py);
5320
5321
0
    _gnutls_free_key_datum(&k);
5322
0
    break;
5323
0
  default:
5324
0
    break;
5325
0
  }
5326
5327
0
  return ret;
5328
0
}
5329
5330
int crypto_pk_prio = INT_MAX;
5331
5332
gnutls_crypto_pk_st _gnutls_pk_ops = {
5333
  .encrypt = _wrap_nettle_pk_encrypt,
5334
  .decrypt = _wrap_nettle_pk_decrypt,
5335
  .decrypt2 = _wrap_nettle_pk_decrypt2,
5336
  .sign = _wrap_nettle_pk_sign,
5337
  .verify = _wrap_nettle_pk_verify,
5338
  .verify_priv_params = wrap_nettle_pk_verify_priv_params,
5339
  .verify_pub_params = wrap_nettle_pk_verify_pub_params,
5340
  .generate_params = wrap_nettle_pk_generate_params,
5341
  .generate_keys = wrap_nettle_pk_generate_keys,
5342
  .pk_fixup_private_params = wrap_nettle_pk_fixup,
5343
  .derive = _wrap_nettle_pk_derive,
5344
  .encaps = _wrap_nettle_pk_encaps,
5345
  .decaps = _wrap_nettle_pk_decaps,
5346
  .curve_exists = _wrap_nettle_pk_curve_exists,
5347
  .pk_exists = _wrap_nettle_pk_exists,
5348
  .sign_exists = _wrap_nettle_pk_sign_exists
5349
};