Coverage Report

Created: 2026-05-16 06:55

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/gnutls/lib/nettle/pk.c
Line
Count
Source
1
/*
2
 * Copyright (C) 2010-2012 Free Software Foundation, Inc.
3
 * Copyright (C) 2013-2017 Nikos Mavrogiannopoulos
4
 * Copyright (C) 2016-2017 Red Hat, Inc.
5
 *
6
 * Author: Nikos Mavrogiannopoulos
7
 *
8
 * This file is part of GNUTLS.
9
 *
10
 * The GNUTLS library is free software; you can redistribute it and/or
11
 * modify it under the terms of the GNU Lesser General Public License
12
 * as published by the Free Software Foundation; either version 2.1 of
13
 * the License, or (at your option) any later version.
14
 *
15
 * This library is distributed in the hope that it will be useful, but
16
 * WITHOUT ANY WARRANTY; without even the implied warranty of
17
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
18
 * Lesser General Public License for more details.
19
 *
20
 * You should have received a copy of the GNU Lesser General Public License
21
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
22
 *
23
 */
24
25
/* This file contains the functions needed for RSA/DSA public key
26
 * encryption and signatures.
27
 */
28
29
#include "gnutls_int.h"
30
#include "mpi.h"
31
#include "pk.h"
32
#include "errors.h"
33
#include "datum.h"
34
#include "global.h"
35
#include "tls-sig.h"
36
#include "num.h"
37
#include "x509/x509_int.h"
38
#include "x509/common.h"
39
#include "random.h"
40
#include "pk.h"
41
#include <nettle/dsa.h>
42
#include "dsa-fips.h"
43
#include "rsa-fips.h"
44
#include <nettle/rsa.h>
45
#include <gnutls/crypto.h>
46
#include <nettle/bignum.h>
47
#include <nettle/ecc.h>
48
#include <nettle/ecdsa.h>
49
#include <nettle/ecc-curve.h>
50
#include <nettle/curve25519.h>
51
#include <nettle/curve448.h>
52
#include <nettle/eddsa.h>
53
#include <nettle/version.h>
54
#if ENABLE_GOST
55
#if NEED_INT_ECC
56
#include "ecc/gostdsa.h"
57
#include "ecc-gost-curve.h"
58
#else
59
#include <nettle/gostdsa.h>
60
0
#define gost_point_mul_g ecc_point_mul_g
61
0
#define gost_point_set ecc_point_set
62
#endif
63
#include "gost/gostdsa2.h"
64
#endif
65
#include "int/ecdsa-compute-k.h"
66
#include "int/dsa-compute-k.h"
67
#include "gnettle.h"
68
#include "fips.h"
69
#include "dh.h"
70
#include "audit.h"
71
#ifdef HAVE_LEANCRYPTO
72
#include <leancrypto.h>
73
#endif
74
#include "attribute.h"
75
76
#define MAX_PRIME_CURVE_COORD_SIZE 66
77
78
static inline const struct ecc_curve *get_supported_nist_curve(int curve);
79
static inline const struct ecc_curve *get_supported_gost_curve(int curve);
80
81
static inline const char *get_supported_nist_curve_order(int curve);
82
static inline const char *get_supported_nist_curve_modulus(int curve);
83
84
/* When these callbacks are used for a nettle operation, the
85
 * caller must check the macro HAVE_LIB_ERROR() after the operation
86
 * is complete. If the macro is true, the operation is to be considered
87
 * failed (meaning the random generation failed).
88
 */
89
static void rnd_key_func(void *_ctx, size_t length, uint8_t *data)
90
0
{
91
0
  if (gnutls_rnd(GNUTLS_RND_KEY, data, length) < 0) {
92
0
    _gnutls_switch_lib_state(LIB_STATE_ERROR);
93
0
  }
94
0
}
95
96
static void rnd_tmpkey_func(void *_ctx, size_t length, uint8_t *data)
97
0
{
98
0
  if (gnutls_rnd(GNUTLS_RND_RANDOM, data, length) < 0) {
99
0
    _gnutls_switch_lib_state(LIB_STATE_ERROR);
100
0
  }
101
0
}
102
103
static void rnd_nonce_func(void *_ctx, size_t length, uint8_t *data)
104
0
{
105
0
  if (gnutls_rnd(GNUTLS_RND_NONCE, data, length) < 0) {
106
0
    _gnutls_switch_lib_state(LIB_STATE_ERROR);
107
0
  }
108
0
}
109
110
static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
111
0
{
112
0
  gnutls_datum_t *d = ctx;
113
114
0
  if (length > d->size) {
115
0
    memset(data, 0, length - d->size);
116
0
    memcpy(data + (length - d->size), d->data, d->size);
117
0
  } else {
118
0
    memcpy(data, d->data, length);
119
0
  }
120
0
}
121
122
static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t *data)
123
0
{
124
0
  if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) {
125
0
    _gnutls_switch_lib_state(LIB_STATE_ERROR);
126
0
  }
127
128
0
  memset(data, 0xAA, length);
129
0
}
130
131
static void ecc_scalar_zclear(struct ecc_scalar *s)
132
0
{
133
0
  zeroize_key(s->p, ecc_size(s->ecc) * sizeof(mp_limb_t));
134
0
  ecc_scalar_clear(s);
135
0
}
136
137
static void ecc_point_zclear(struct ecc_point *p)
138
0
{
139
0
  zeroize_key(p->p, ecc_size_a(p->ecc) * sizeof(mp_limb_t));
140
0
  ecc_point_clear(p);
141
0
}
142
143
static void _dsa_params_get(const gnutls_pk_params_st *pk_params,
144
          struct dsa_params *pub)
145
0
{
146
0
  memcpy(pub->p, pk_params->params[DSA_P], SIZEOF_MPZT);
147
148
0
  if (pk_params->params[DSA_Q])
149
0
    memcpy(&pub->q, pk_params->params[DSA_Q], SIZEOF_MPZT);
150
0
  memcpy(pub->g, pk_params->params[DSA_G], SIZEOF_MPZT);
151
0
}
152
153
static void _rsa_params_to_privkey(const gnutls_pk_params_st *pk_params,
154
           struct rsa_private_key *priv)
155
0
{
156
0
  memcpy(priv->d, pk_params->params[RSA_PRIV], SIZEOF_MPZT);
157
0
  memcpy(priv->p, pk_params->params[RSA_PRIME1], SIZEOF_MPZT);
158
0
  memcpy(priv->q, pk_params->params[RSA_PRIME2], SIZEOF_MPZT);
159
0
  memcpy(priv->c, pk_params->params[RSA_COEF], SIZEOF_MPZT);
160
0
  memcpy(priv->a, pk_params->params[RSA_E1], SIZEOF_MPZT);
161
0
  memcpy(priv->b, pk_params->params[RSA_E2], SIZEOF_MPZT);
162
  /* we do not rsa_private_key_prepare() because it involves a multiplication.
163
   * we call it once when we import the parameters */
164
0
  priv->size = nettle_mpz_sizeinbase_256_u(
165
0
    TOMPZ(pk_params->params[RSA_MODULUS]));
166
0
}
167
168
/* returns a negative value on invalid pubkey */
169
static int _rsa_params_to_pubkey(const gnutls_pk_params_st *pk_params,
170
         struct rsa_public_key *pub)
171
0
{
172
0
  memcpy(pub->n, pk_params->params[RSA_MODULUS], SIZEOF_MPZT);
173
0
  memcpy(pub->e, pk_params->params[RSA_PUB], SIZEOF_MPZT);
174
0
  if (rsa_public_key_prepare(pub) == 0)
175
0
    return gnutls_assert_val(GNUTLS_E_PK_INVALID_PUBKEY);
176
177
0
  return 0;
178
0
}
179
180
static int _ecc_params_to_privkey(const gnutls_pk_params_st *pk_params,
181
          struct ecc_scalar *priv,
182
          const struct ecc_curve *curve)
183
0
{
184
0
  ecc_scalar_init(priv, curve);
185
0
  if (ecc_scalar_set(priv, pk_params->params[ECC_K]) == 0) {
186
0
    ecc_scalar_clear(priv);
187
0
    return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
188
0
  }
189
190
0
  return 0;
191
0
}
192
193
static int _ecc_params_to_pubkey(const gnutls_pk_params_st *pk_params,
194
         struct ecc_point *pub,
195
         const struct ecc_curve *curve)
196
0
{
197
0
  ecc_point_init(pub, curve);
198
0
  if (ecc_point_set(pub, pk_params->params[ECC_X],
199
0
        pk_params->params[ECC_Y]) == 0) {
200
0
    ecc_point_clear(pub);
201
0
    return gnutls_assert_val(GNUTLS_E_PK_INVALID_PUBKEY);
202
0
  }
203
204
0
  return 0;
205
0
}
206
207
#if ENABLE_GOST
208
static int _gost_params_to_privkey(const gnutls_pk_params_st *pk_params,
209
           struct ecc_scalar *priv,
210
           const struct ecc_curve *curve)
211
0
{
212
0
  ecc_scalar_init(priv, curve);
213
0
  if (ecc_scalar_set(priv, pk_params->params[GOST_K]) == 0) {
214
0
    ecc_scalar_clear(priv);
215
0
    return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
216
0
  }
217
218
0
  return 0;
219
0
}
220
221
static int _gost_params_to_pubkey(const gnutls_pk_params_st *pk_params,
222
          struct ecc_point *pub,
223
          const struct ecc_curve *curve)
224
0
{
225
0
  ecc_point_init(pub, curve);
226
0
  if (gost_point_set(pub, pk_params->params[GOST_X],
227
0
         pk_params->params[GOST_Y]) == 0) {
228
0
    ecc_point_clear(pub);
229
0
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
230
0
  }
231
232
0
  return 0;
233
0
}
234
#endif
235
236
static int ecc_shared_secret(struct ecc_scalar *private_key,
237
           struct ecc_point *public_key, void *out,
238
           unsigned size)
239
0
{
240
0
  struct ecc_point r;
241
0
  mpz_t x, y;
242
0
  int ret = 0;
243
244
0
  mpz_init(x);
245
0
  mpz_init(y);
246
0
  ecc_point_init(&r, public_key->ecc);
247
248
0
  ecc_point_mul(&r, private_key, public_key);
249
250
0
  ecc_point_get(&r, x, y);
251
252
  /* Check if the point is not an identity element.  Note that this cannot
253
   * happen in nettle implementation, because it cannot represent an
254
   * infinity point. */
255
0
  if (mpz_cmp_ui(x, 0) == 0 && mpz_cmp_ui(y, 0) == 0) {
256
0
    ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
257
0
    goto cleanup;
258
0
  }
259
260
0
  nettle_mpz_get_str_256(size, out, x);
261
262
0
cleanup:
263
0
  mpz_clear(x);
264
0
  mpz_clear(y);
265
0
  ecc_point_clear(&r);
266
267
0
  return ret;
268
0
}
269
270
0
#define MAX_DH_BITS DEFAULT_MAX_VERIFY_BITS
271
/* This is used when we have no idea on the structure
272
 * of p-1 used by the peer. It is still a conservative
273
 * choice, but small than what we've been using before.
274
 */
275
#define DH_EXPONENT_SIZE(p_size) (2 * _gnutls_pk_bits_to_subgroup_bits(p_size))
276
277
static inline int edwards_curve_mul(gnutls_pk_algorithm_t algo, uint8_t *q,
278
            const uint8_t *n, const uint8_t *p)
279
0
{
280
0
  switch (algo) {
281
0
  case GNUTLS_PK_ECDH_X25519:
282
0
    curve25519_mul(q, n, p);
283
0
    return 0;
284
0
  case GNUTLS_PK_ECDH_X448:
285
0
    curve448_mul(q, n, p);
286
0
    return 0;
287
0
  default:
288
0
    return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
289
0
  }
290
0
}
291
292
/* This is used for DH or ECDH key derivation. In DH for example
293
 * it is given the peers Y and our x, and calculates Y^x
294
 */
295
static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
296
          gnutls_datum_t *out,
297
          const gnutls_pk_params_st *priv,
298
          const gnutls_pk_params_st *pub,
299
          const gnutls_datum_t *nonce,
300
          unsigned int flags)
301
0
{
302
0
  int ret;
303
0
  bool not_approved = false;
304
305
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::derive",
306
0
              "pk::algorithm", CRAU_STRING,
307
0
              gnutls_pk_get_name(algo), NULL);
308
309
0
  switch (algo) {
310
0
  case GNUTLS_PK_DH: {
311
0
    bigint_t f, x, q, prime;
312
0
    bigint_t k = NULL, primesub1 = NULL, r = NULL;
313
0
    unsigned int bits;
314
315
0
    if (nonce != NULL) {
316
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
317
0
      goto cleanup;
318
0
    }
319
320
0
    f = pub->params[DH_Y];
321
0
    x = priv->params[DH_X];
322
0
    q = priv->params[DH_Q];
323
0
    prime = priv->params[DH_P];
324
325
0
    ret = _gnutls_mpi_init_multi(&k, &primesub1, &r, NULL);
326
0
    if (ret < 0) {
327
0
      gnutls_assert();
328
0
      goto cleanup;
329
0
    }
330
331
0
    ret = _gnutls_mpi_sub_ui(primesub1, prime, 1);
332
0
    if (ret < 0) {
333
0
      gnutls_assert();
334
0
      goto dh_cleanup;
335
0
    }
336
337
    /* check if f==0,1, or f >= p-1 */
338
0
    if ((_gnutls_mpi_cmp_ui(f, 1) == 0) ||
339
0
        (_gnutls_mpi_cmp_ui(f, 0) == 0) ||
340
0
        (_gnutls_mpi_cmp(f, primesub1) >= 0)) {
341
0
      gnutls_assert();
342
0
      ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
343
0
      goto dh_cleanup;
344
0
    }
345
346
    /* if we have Q check that y ^ q mod p == 1 */
347
0
    if (q != NULL) {
348
0
      ret = _gnutls_mpi_powm(r, f, q, prime);
349
0
      if (ret < 0) {
350
0
        gnutls_assert();
351
0
        goto dh_cleanup;
352
0
      }
353
0
      ret = _gnutls_mpi_cmp_ui(r, 1);
354
0
      if (ret != 0) {
355
0
        gnutls_assert();
356
0
        ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
357
0
        goto dh_cleanup;
358
0
      }
359
0
    } else if ((flags & PK_DERIVE_TLS13) &&
360
0
         _gnutls_fips_mode_enabled()) {
361
      /* Mandatory in FIPS mode for TLS 1.3 */
362
0
      ret = gnutls_assert_val(
363
0
        GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
364
0
      goto dh_cleanup;
365
0
    }
366
367
    /* prevent denial of service */
368
0
    bits = _gnutls_mpi_get_nbits(prime);
369
0
    if (bits == 0 || bits > MAX_DH_BITS) {
370
0
      gnutls_assert();
371
0
      ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
372
0
      goto dh_cleanup;
373
0
    }
374
375
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
376
377
0
    if (bits < 2048) {
378
0
      not_approved = true;
379
0
    }
380
381
0
    ret = _gnutls_mpi_powm(k, f, x, prime);
382
0
    if (ret < 0) {
383
0
      gnutls_assert();
384
0
      goto dh_cleanup;
385
0
    }
386
387
    /* check if k==0,1, or k = p-1 */
388
0
    if ((_gnutls_mpi_cmp_ui(k, 1) == 0) ||
389
0
        (_gnutls_mpi_cmp_ui(k, 0) == 0) ||
390
0
        (_gnutls_mpi_cmp(k, primesub1) == 0)) {
391
0
      ret = gnutls_assert_val(
392
0
        GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
393
0
      goto dh_cleanup;
394
0
    }
395
396
0
    if (flags & PK_DERIVE_TLS13) {
397
0
      ret = _gnutls_mpi_dprint_size(k, out, (bits + 7) / 8);
398
0
    } else {
399
0
      ret = _gnutls_mpi_dprint(k, out);
400
0
    }
401
402
0
    if (ret < 0) {
403
0
      gnutls_assert();
404
0
      goto dh_cleanup;
405
0
    }
406
407
0
    ret = 0;
408
0
  dh_cleanup:
409
0
    _gnutls_mpi_release(&r);
410
0
    _gnutls_mpi_release(&primesub1);
411
0
    zrelease_mpi_key(&k);
412
0
    if (ret < 0)
413
0
      goto cleanup;
414
415
0
    break;
416
0
  }
417
0
  case GNUTLS_PK_EC: {
418
0
    struct ecc_scalar ecc_priv;
419
0
    struct ecc_point ecc_pub;
420
0
    const struct ecc_curve *curve;
421
0
    struct ecc_scalar n;
422
0
    struct ecc_scalar m;
423
0
    struct ecc_point r;
424
0
    mpz_t x, y, xx, yy, nn, mm;
425
426
0
    out->data = NULL;
427
428
0
    if (nonce != NULL) {
429
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
430
0
      goto cleanup;
431
0
    }
432
433
0
    curve = get_supported_nist_curve(priv->curve);
434
0
    if (curve == NULL) {
435
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
436
0
      goto cleanup;
437
0
    }
438
439
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
440
0
           gnutls_ecc_curve_get_name(priv->curve),
441
0
           NULL);
442
443
    /* P-192 is not supported in FIPS 140-3 */
444
0
    if (priv->curve == GNUTLS_ECC_CURVE_SECP192R1) {
445
0
      not_approved = true;
446
0
    }
447
448
0
    mpz_init(x);
449
0
    mpz_init(y);
450
0
    mpz_init(xx);
451
0
    mpz_init(yy);
452
0
    mpz_init(nn);
453
0
    mpz_init(mm);
454
455
0
    ecc_scalar_init(&n, curve);
456
0
    ecc_scalar_init(&m, curve);
457
0
    ecc_point_init(&r, curve);
458
459
0
    ret = _ecc_params_to_pubkey(pub, &ecc_pub, curve);
460
0
    if (ret < 0) {
461
0
      gnutls_assert();
462
0
      goto ecc_fail_cleanup;
463
0
    }
464
465
0
    ret = _ecc_params_to_privkey(priv, &ecc_priv, curve);
466
0
    if (ret < 0) {
467
0
      ecc_point_clear(&ecc_pub);
468
0
      gnutls_assert();
469
0
      goto ecc_fail_cleanup;
470
0
    }
471
472
0
    out->size = gnutls_ecc_curve_get_size(priv->curve);
473
    /*ecc_size(curve)*sizeof(mp_limb_t); */
474
0
    out->data = gnutls_malloc(out->size);
475
0
    if (out->data == NULL) {
476
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
477
0
      goto ecc_cleanup;
478
0
    }
479
480
    /* Perform ECC Full Public-Key Validation Routine
481
       * according to SP800-56A (revision 3), 5.6.2.3.3.
482
       */
483
484
    /* Step 1: verify that Q is not an identity
485
       * element (an infinity point). Note that this
486
       * cannot happen in the nettle implementation,
487
       * because it cannot represent an infinity point
488
       * on curves. */
489
0
    ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data,
490
0
          out->size);
491
0
    if (ret < 0) {
492
0
      gnutls_free(out->data);
493
0
      goto ecc_cleanup;
494
0
    }
495
#ifdef ENABLE_FIPS140
496
    if (_gnutls_fips_mode_enabled()) {
497
      const char *order, *modulus;
498
499
      ecc_point_mul(&r, &ecc_priv, &ecc_pub);
500
      ecc_point_get(&r, x, y);
501
502
      /* Step 2: verify that both coordinates of Q are
503
         * in the range [0, p - 1].
504
         *
505
         * Step 3: verify that Q lie on the curve
506
         *
507
         * Both checks are performed in nettle.  */
508
      if (!ecc_point_set(&r, x, y)) {
509
        ret = gnutls_assert_val(
510
          GNUTLS_E_ILLEGAL_PARAMETER);
511
        goto ecc_cleanup;
512
      }
513
514
      /* Step 4: verify that n * Q, where n is the
515
         * curve order, result in an identity element
516
         *
517
         * Since nettle internally cannot represent an
518
         * identity element on curves, we validate this
519
         * instead:
520
         *
521
         *   (n - 1) * Q = -Q
522
         *
523
         * That effectively means: n * Q = -Q + Q = O
524
         */
525
      order = get_supported_nist_curve_order(priv->curve);
526
      if (unlikely(order == NULL)) {
527
        ret = gnutls_assert_val(
528
          GNUTLS_E_INTERNAL_ERROR);
529
        goto ecc_cleanup;
530
      }
531
532
      ret = mpz_set_str(nn, order, 16);
533
      if (unlikely(ret < 0)) {
534
        ret = gnutls_assert_val(
535
          GNUTLS_E_MPI_SCAN_FAILED);
536
        goto ecc_cleanup;
537
      }
538
539
      modulus = get_supported_nist_curve_modulus(priv->curve);
540
      if (unlikely(modulus == NULL)) {
541
        ret = gnutls_assert_val(
542
          GNUTLS_E_INTERNAL_ERROR);
543
        goto ecc_cleanup;
544
      }
545
546
      ret = mpz_set_str(mm, modulus, 16);
547
      if (unlikely(ret < 0)) {
548
        ret = gnutls_assert_val(
549
          GNUTLS_E_MPI_SCAN_FAILED);
550
        goto ecc_cleanup;
551
      }
552
553
      /* (n - 1) * Q = -Q */
554
      mpz_sub_ui(nn, nn, 1);
555
      ecc_scalar_set(&n, nn);
556
      ecc_point_mul(&r, &n, &r);
557
      ecc_point_get(&r, xx, yy);
558
      mpz_sub(mm, mm, y);
559
560
      if (mpz_cmp(xx, x) != 0 || mpz_cmp(yy, mm) != 0) {
561
        ret = gnutls_assert_val(
562
          GNUTLS_E_ILLEGAL_PARAMETER);
563
        goto ecc_cleanup;
564
      }
565
    } else {
566
      not_approved = true;
567
    }
568
#endif
569
570
0
  ecc_cleanup:
571
0
    ecc_point_clear(&ecc_pub);
572
0
    ecc_scalar_zclear(&ecc_priv);
573
0
  ecc_fail_cleanup:
574
0
    mpz_clear(x);
575
0
    mpz_clear(y);
576
0
    mpz_clear(xx);
577
0
    mpz_clear(yy);
578
0
    mpz_clear(nn);
579
0
    mpz_clear(mm);
580
0
    ecc_point_clear(&r);
581
0
    ecc_scalar_clear(&n);
582
0
    ecc_scalar_clear(&m);
583
0
    if (ret < 0)
584
0
      goto cleanup;
585
0
    break;
586
0
  }
587
0
  case GNUTLS_PK_ECDH_X25519:
588
0
  case GNUTLS_PK_ECDH_X448: {
589
0
    unsigned size = gnutls_ecc_curve_get_size(priv->curve);
590
591
    /* Edwards curves are not approved */
592
0
    not_approved = true;
593
594
0
    if (nonce != NULL) {
595
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
596
0
      goto cleanup;
597
0
    }
598
599
    /* The point is in pub, while the private part (scalar) in priv. */
600
601
0
    if (size == 0 || priv->raw_priv.size != size) {
602
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
603
0
      goto cleanup;
604
0
    }
605
606
0
    out->data = gnutls_malloc(size);
607
0
    if (out->data == NULL) {
608
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
609
0
      goto cleanup;
610
0
    }
611
612
0
    out->size = size;
613
614
0
    ret = edwards_curve_mul(algo, out->data, priv->raw_priv.data,
615
0
          pub->raw_pub.data);
616
0
    if (ret < 0)
617
0
      goto cleanup;
618
619
0
    if (_gnutls_mem_is_zero(out->data, out->size)) {
620
0
      gnutls_free(out->data);
621
0
      gnutls_assert();
622
0
      ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
623
0
      goto cleanup;
624
0
    }
625
0
    break;
626
0
  }
627
0
#if ENABLE_GOST
628
0
  case GNUTLS_PK_GOST_01:
629
0
  case GNUTLS_PK_GOST_12_256:
630
0
  case GNUTLS_PK_GOST_12_512: {
631
0
    struct ecc_scalar ecc_priv;
632
0
    struct ecc_point ecc_pub;
633
0
    const struct ecc_curve *curve;
634
635
    /* GOST curves are not approved */
636
0
    not_approved = true;
637
638
0
    out->data = NULL;
639
640
0
    curve = get_supported_gost_curve(priv->curve);
641
0
    if (curve == NULL) {
642
0
      gnutls_assert();
643
0
      ret = GNUTLS_E_ECC_UNSUPPORTED_CURVE;
644
0
      goto cleanup;
645
0
    }
646
647
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
648
0
           gnutls_ecc_curve_get_name(priv->curve),
649
0
           NULL);
650
651
0
    if (nonce == NULL) {
652
0
      gnutls_assert();
653
0
      ret = GNUTLS_E_INVALID_REQUEST;
654
0
      goto cleanup;
655
0
    }
656
657
0
    ret = _gost_params_to_pubkey(pub, &ecc_pub, curve);
658
0
    if (ret < 0) {
659
0
      gnutls_assert();
660
0
      goto cleanup;
661
0
    }
662
663
0
    ret = _gost_params_to_privkey(priv, &ecc_priv, curve);
664
0
    if (ret < 0) {
665
0
      ecc_point_clear(&ecc_pub);
666
0
      gnutls_assert();
667
0
      goto cleanup;
668
0
    }
669
670
0
    out->size = 2 * gnutls_ecc_curve_get_size(priv->curve);
671
0
    out->data = gnutls_malloc(out->size);
672
0
    if (out->data == NULL) {
673
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
674
0
      goto gost_cleanup;
675
0
    }
676
677
0
    gostdsa_vko(&ecc_priv, &ecc_pub, nonce->size, nonce->data,
678
0
          out->data);
679
680
0
  gost_cleanup:
681
0
    ecc_point_clear(&ecc_pub);
682
0
    ecc_scalar_zclear(&ecc_priv);
683
0
    if (ret < 0)
684
0
      goto cleanup;
685
0
    break;
686
0
  }
687
0
#endif
688
0
  default:
689
0
    gnutls_assert();
690
0
    ret = GNUTLS_E_INTERNAL_ERROR;
691
0
    goto cleanup;
692
0
  }
693
694
0
  ret = 0;
695
696
0
cleanup:
697
0
  if (ret < 0) {
698
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
699
0
  } else if (not_approved) {
700
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
701
0
  } else {
702
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
703
0
  }
704
705
0
  gnutls_audit_pop_context();
706
707
0
  return ret;
708
0
}
709
710
#ifdef HAVE_LEANCRYPTO
711
static enum lc_kyber_type ml_kem_pk_to_lc_kyber_type(gnutls_pk_algorithm_t algo)
712
{
713
  switch (algo) {
714
#ifdef LC_KYBER_768_ENABLED
715
  case GNUTLS_PK_MLKEM768:
716
    return LC_KYBER_768;
717
#endif
718
#ifdef LC_KYBER_1024_ENABLED
719
  case GNUTLS_PK_MLKEM1024:
720
    return LC_KYBER_1024;
721
#endif
722
  default:
723
    return gnutls_assert_val(LC_KYBER_UNKNOWN);
724
  }
725
}
726
727
static int ml_kem_exists(gnutls_pk_algorithm_t algo)
728
{
729
  return ml_kem_pk_to_lc_kyber_type(algo) != LC_KYBER_UNKNOWN;
730
}
731
732
static int ml_kem_encaps(gnutls_pk_algorithm_t algo, gnutls_datum_t *ciphertext,
733
       gnutls_datum_t *shared_secret,
734
       const gnutls_datum_t *pub)
735
{
736
  enum lc_kyber_type type;
737
  struct lc_kyber_ct ct;
738
  struct lc_kyber_ss ss;
739
  struct lc_kyber_pk pk;
740
  gnutls_datum_t tmp_ciphertext = { NULL, 0 };
741
  gnutls_datum_t tmp_shared_secret = { NULL, 0 };
742
  uint8_t *ptr;
743
  size_t len;
744
  int ret;
745
746
  type = ml_kem_pk_to_lc_kyber_type(algo);
747
  if (type == LC_KYBER_UNKNOWN)
748
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
749
750
  ret = lc_kyber_pk_load(&pk, pub->data, pub->size);
751
  if (ret < 0 || lc_kyber_pk_type(&pk) != type) {
752
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
753
    goto cleanup;
754
  }
755
756
  ret = lc_kyber_enc(&ct, &ss, &pk);
757
  if (ret < 0) {
758
    ret = gnutls_assert_val(GNUTLS_E_PK_ENCRYPTION_FAILED);
759
    goto cleanup;
760
  }
761
762
  ret = lc_kyber_ct_ptr(&ptr, &len, &ct);
763
  if (ret < 0) {
764
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
765
    goto cleanup;
766
  }
767
  ret = _gnutls_set_datum(&tmp_ciphertext, ptr, len);
768
  if (ret < 0) {
769
    gnutls_assert();
770
    goto cleanup;
771
  }
772
773
  ret = lc_kyber_ss_ptr(&ptr, &len, &ss);
774
  if (ret < 0) {
775
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
776
    goto cleanup;
777
  }
778
  ret = _gnutls_set_datum(&tmp_shared_secret, ptr, len);
779
  if (ret < 0) {
780
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
781
    goto cleanup;
782
  }
783
784
  *ciphertext = _gnutls_take_datum(&tmp_ciphertext);
785
  *shared_secret = _gnutls_take_datum(&tmp_shared_secret);
786
787
  ret = 0;
788
789
cleanup:
790
  _gnutls_free_datum(&tmp_ciphertext);
791
  _gnutls_free_key_datum(&tmp_shared_secret);
792
  zeroize_key(&pk, sizeof(pk));
793
  return ret;
794
}
795
796
static int ml_kem_decaps(gnutls_pk_algorithm_t algo,
797
       gnutls_datum_t *shared_secret,
798
       const gnutls_datum_t *ciphertext,
799
       const gnutls_datum_t *priv)
800
{
801
  int ret;
802
  enum lc_kyber_type type;
803
  struct lc_kyber_ss ss;
804
  struct lc_kyber_ct ct;
805
  struct lc_kyber_sk sk;
806
  gnutls_datum_t tmp_shared_secret = { NULL, 0 };
807
  uint8_t *ptr;
808
  size_t len;
809
810
  type = ml_kem_pk_to_lc_kyber_type(algo);
811
  if (type == LC_KYBER_UNKNOWN)
812
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
813
814
  ret = lc_kyber_sk_load(&sk, priv->data, priv->size);
815
  if (ret < 0 || lc_kyber_sk_type(&sk) != type) {
816
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
817
    goto cleanup;
818
  }
819
820
  ret = lc_kyber_ct_load(&ct, ciphertext->data, ciphertext->size);
821
  if (ret < 0 || lc_kyber_ct_type(&ct) != type) {
822
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
823
    goto cleanup;
824
  }
825
826
  ret = lc_kyber_dec(&ss, &ct, &sk);
827
  if (ret < 0) {
828
    ret = gnutls_assert_val(GNUTLS_E_PK_DECRYPTION_FAILED);
829
    goto cleanup;
830
  }
831
832
  ret = lc_kyber_ss_ptr(&ptr, &len, &ss);
833
  if (ret < 0) {
834
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
835
    goto cleanup;
836
  }
837
838
  ret = _gnutls_set_datum(&tmp_shared_secret, ptr, len);
839
  if (ret < 0) {
840
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
841
    goto cleanup;
842
  }
843
844
  *shared_secret = _gnutls_take_datum(&tmp_shared_secret);
845
846
  ret = 0;
847
848
cleanup:
849
  _gnutls_free_key_datum(&tmp_shared_secret);
850
  zeroize_key(&ss, sizeof(ss));
851
  zeroize_key(&sk, sizeof(sk));
852
  return ret;
853
}
854
855
static int ml_kem_generate_keypair(gnutls_pk_algorithm_t algo,
856
           gnutls_datum_t *raw_priv,
857
           gnutls_datum_t *raw_pub)
858
{
859
  int ret;
860
  enum lc_kyber_type type;
861
  struct lc_kyber_sk sk;
862
  struct lc_kyber_pk pk;
863
  gnutls_datum_t tmp_raw_priv = { NULL, 0 };
864
  gnutls_datum_t tmp_raw_pub = { NULL, 0 };
865
  uint8_t *ptr;
866
  size_t len;
867
868
  type = ml_kem_pk_to_lc_kyber_type(algo);
869
  if (type == LC_KYBER_UNKNOWN)
870
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
871
872
  ret = lc_kyber_keypair(&pk, &sk, lc_seeded_rng, type);
873
  if (ret < 0) {
874
    ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
875
    goto cleanup;
876
  }
877
878
  ret = lc_kyber_sk_ptr(&ptr, &len, &sk);
879
  if (ret < 0) {
880
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
881
    goto cleanup;
882
  }
883
884
  ret = _gnutls_set_datum(&tmp_raw_priv, ptr, len);
885
  if (ret < 0) {
886
    gnutls_assert();
887
    goto cleanup;
888
  }
889
890
  ret = lc_kyber_pk_ptr(&ptr, &len, &pk);
891
  if (ret < 0) {
892
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
893
    goto cleanup;
894
  }
895
896
  ret = _gnutls_set_datum(&tmp_raw_pub, ptr, len);
897
  if (ret < 0) {
898
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
899
    goto cleanup;
900
  }
901
902
  *raw_priv = _gnutls_take_datum(&tmp_raw_priv);
903
  *raw_pub = _gnutls_take_datum(&tmp_raw_pub);
904
905
  ret = 0;
906
907
cleanup:
908
  _gnutls_free_key_datum(&tmp_raw_priv);
909
  _gnutls_free_key_datum(&tmp_raw_pub);
910
  zeroize_key(&pk, sizeof(pk));
911
  zeroize_key(&sk, sizeof(sk));
912
  return ret;
913
}
914
#else
915
static int ml_kem_exists(gnutls_pk_algorithm_t algo MAYBE_UNUSED)
916
0
{
917
0
  return 0;
918
0
}
919
920
static int ml_kem_encaps(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
921
       gnutls_datum_t *ciphertext MAYBE_UNUSED,
922
       gnutls_datum_t *shared_secret MAYBE_UNUSED,
923
       const gnutls_datum_t *pub MAYBE_UNUSED)
924
0
{
925
0
  return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
926
0
}
927
928
static int ml_kem_decaps(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
929
       gnutls_datum_t *shared_secret MAYBE_UNUSED,
930
       const gnutls_datum_t *ciphertext MAYBE_UNUSED,
931
       const gnutls_datum_t *priv MAYBE_UNUSED)
932
0
{
933
0
  return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
934
0
}
935
936
static int ml_kem_generate_keypair(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
937
           gnutls_datum_t *raw_priv MAYBE_UNUSED,
938
           gnutls_datum_t *raw_pub MAYBE_UNUSED)
939
0
{
940
0
  return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
941
0
}
942
#endif
943
944
static int _wrap_nettle_pk_encaps(gnutls_pk_algorithm_t algo,
945
          gnutls_datum_t *ciphertext,
946
          gnutls_datum_t *shared_secret,
947
          const gnutls_datum_t *pub)
948
0
{
949
0
  int ret;
950
951
0
  switch (algo) {
952
0
  case GNUTLS_PK_MLKEM768:
953
0
  case GNUTLS_PK_MLKEM1024:
954
0
    break;
955
0
  default:
956
0
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
957
0
  }
958
959
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING,
960
0
              "pk::encapsulate", "pk::algorithm",
961
0
              CRAU_STRING,
962
0
              gnutls_pk_get_name(algo), NULL);
963
964
0
  ret = ml_kem_encaps(algo, ciphertext, shared_secret, pub);
965
966
0
  gnutls_audit_pop_context();
967
968
0
  return ret;
969
0
}
970
971
static int _wrap_nettle_pk_decaps(gnutls_pk_algorithm_t algo,
972
          gnutls_datum_t *shared_secret,
973
          const gnutls_datum_t *ciphertext,
974
          const gnutls_datum_t *priv)
975
0
{
976
0
  int ret;
977
978
0
  switch (algo) {
979
0
  case GNUTLS_PK_MLKEM768:
980
0
  case GNUTLS_PK_MLKEM1024:
981
0
    break;
982
0
  default:
983
0
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
984
0
  }
985
986
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING,
987
0
              "pk::decapsulate", "pk::algorithm",
988
0
              CRAU_STRING,
989
0
              gnutls_pk_get_name(algo), NULL);
990
991
0
  ret = ml_kem_decaps(algo, shared_secret, ciphertext, priv);
992
993
0
  gnutls_audit_pop_context();
994
995
0
  return ret;
996
0
}
997
998
/* This wraps nettle_rsa_encrypt so it returns ciphertext as a byte
999
 * array instead of a mpz_t value.  Returns 1 on success; 0 otherwise.
1000
 */
1001
static inline int _rsa_encrypt(const struct rsa_public_key *key, void *rnd_ctx,
1002
             nettle_random_func *rnd_func, size_t length,
1003
             const uint8_t *message, uint8_t *ciphertext)
1004
0
{
1005
0
  mpz_t p;
1006
0
  int ret;
1007
1008
0
  mpz_init(p);
1009
1010
0
  ret = rsa_encrypt(key, rnd_ctx, rnd_func, length, message, p);
1011
1012
0
  if (ret == 0) {
1013
0
    gnutls_assert();
1014
0
    goto cleanup;
1015
0
  }
1016
1017
0
  if (_gnutls_mpi_bprint_size(p, ciphertext, key->size) < 0) {
1018
0
    gnutls_assert();
1019
0
    goto cleanup;
1020
0
  }
1021
1022
0
cleanup:
1023
0
  mpz_clear(p);
1024
0
  return ret;
1025
0
}
1026
1027
/* This wraps nettle_rsa_oaep_sha*_encrypt to parametrize the function
1028
 * calls with a DIG argument.  Returns 1 on success; 0 otherwise.
1029
 */
1030
static inline int _rsa_oaep_encrypt(gnutls_digest_algorithm_t dig,
1031
            const struct rsa_public_key *pub,
1032
            void *rnd_ctx, nettle_random_func *rnd_func,
1033
            size_t label_length, const uint8_t *label,
1034
            size_t length, const uint8_t *message,
1035
            uint8_t *ciphertext)
1036
0
{
1037
0
  int (*encrypt_func)(const struct rsa_public_key *, void *,
1038
0
          nettle_random_func *, size_t, const uint8_t *,
1039
0
          size_t, const uint8_t *, uint8_t *);
1040
1041
0
  switch (dig) {
1042
0
  case GNUTLS_DIG_SHA256:
1043
0
    encrypt_func = rsa_oaep_sha256_encrypt;
1044
0
    break;
1045
0
  case GNUTLS_DIG_SHA384:
1046
0
    encrypt_func = rsa_oaep_sha384_encrypt;
1047
0
    break;
1048
0
  case GNUTLS_DIG_SHA512:
1049
0
    encrypt_func = rsa_oaep_sha512_encrypt;
1050
0
    break;
1051
0
  default:
1052
0
    gnutls_assert();
1053
0
    return 0;
1054
0
  }
1055
1056
0
  return encrypt_func(pub, rnd_ctx, rnd_func, label_length, label, length,
1057
0
          message, ciphertext);
1058
0
}
1059
1060
static int _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
1061
           gnutls_datum_t *ciphertext,
1062
           const gnutls_datum_t *plaintext,
1063
           const gnutls_pk_params_st *pk_params,
1064
           const gnutls_x509_spki_st *encrypt_params)
1065
0
{
1066
0
  int ret;
1067
0
  bool not_approved = false;
1068
0
  uint8_t *buf = NULL;
1069
1070
0
  FAIL_IF_LIB_ERROR;
1071
1072
0
  if (algo == GNUTLS_PK_RSA && pk_params->spki.pk == GNUTLS_PK_RSA_OAEP) {
1073
0
    algo = GNUTLS_PK_RSA_OAEP;
1074
0
  }
1075
1076
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::encrypt",
1077
0
              "pk::algorithm", CRAU_STRING,
1078
0
              gnutls_pk_get_name(algo), NULL);
1079
1080
0
  switch (algo) {
1081
0
  case GNUTLS_PK_RSA: {
1082
0
    struct rsa_public_key pub;
1083
0
    nettle_random_func *random_func;
1084
0
    size_t bits;
1085
1086
0
    if (!_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
1087
0
      ret = gnutls_assert_val(
1088
0
        GNUTLS_E_UNSUPPORTED_ENCRYPTION_ALGORITHM);
1089
0
      goto cleanup;
1090
0
    }
1091
1092
    /* RSA encryption with PKCS#1 v1.5 padding is not approved */
1093
0
    not_approved = true;
1094
1095
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
1096
0
    if (ret < 0) {
1097
0
      gnutls_assert();
1098
0
      goto cleanup;
1099
0
    }
1100
1101
0
    bits = mpz_sizeinbase(pub.n, 2);
1102
1103
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
1104
1105
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
1106
0
      random_func = rnd_nonce_func_fallback;
1107
0
    else
1108
0
      random_func = rnd_nonce_func;
1109
1110
0
    buf = gnutls_malloc(pub.size);
1111
0
    if (!buf) {
1112
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1113
0
      goto cleanup;
1114
0
    }
1115
1116
0
    ret = _rsa_encrypt(&pub, NULL, random_func, plaintext->size,
1117
0
           plaintext->data, buf);
1118
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
1119
0
      ret = gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED);
1120
0
      goto cleanup;
1121
0
    }
1122
1123
0
    ciphertext->data = buf;
1124
0
    buf = NULL;
1125
0
    ciphertext->size = pub.size;
1126
0
    break;
1127
0
  }
1128
0
  case GNUTLS_PK_RSA_OAEP: {
1129
0
    struct rsa_public_key pub;
1130
0
    nettle_random_func *random_func;
1131
0
    size_t bits;
1132
1133
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
1134
0
    if (ret < 0) {
1135
0
      gnutls_assert();
1136
0
      goto cleanup;
1137
0
    }
1138
1139
0
    bits = mpz_sizeinbase(pub.n, 2);
1140
1141
0
    _gnutls_audit_data(
1142
0
      "pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING,
1143
0
      gnutls_digest_get_name(encrypt_params->rsa_oaep_dig),
1144
0
      NULL);
1145
1146
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
1147
0
      random_func = rnd_nonce_func_fallback;
1148
0
    else
1149
0
      random_func = rnd_nonce_func;
1150
1151
0
    buf = gnutls_malloc(pub.size);
1152
0
    if (!buf) {
1153
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1154
0
      goto cleanup;
1155
0
    }
1156
1157
0
    ret = _rsa_oaep_encrypt(encrypt_params->rsa_oaep_dig, &pub,
1158
0
          NULL, random_func,
1159
0
          encrypt_params->rsa_oaep_label.size,
1160
0
          encrypt_params->rsa_oaep_label.data,
1161
0
          plaintext->size, plaintext->data, buf);
1162
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
1163
0
      ret = gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED);
1164
0
      goto cleanup;
1165
0
    }
1166
0
    ciphertext->data = buf;
1167
0
    buf = NULL;
1168
0
    ciphertext->size = pub.size;
1169
0
    break;
1170
0
  }
1171
0
  default:
1172
0
    gnutls_assert();
1173
0
    ret = GNUTLS_E_INVALID_REQUEST;
1174
0
    goto cleanup;
1175
0
  }
1176
1177
0
  ret = 0;
1178
1179
0
cleanup:
1180
0
  gnutls_free(buf);
1181
0
  if (ret < 0) {
1182
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
1183
0
  } else if (not_approved) {
1184
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
1185
0
  } else {
1186
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
1187
0
  }
1188
1189
0
  gnutls_audit_pop_context();
1190
1191
0
  FAIL_IF_LIB_ERROR;
1192
0
  return ret;
1193
0
}
1194
1195
/* This wraps nettle_rsa_decrypt_tr so it takes ciphertext as a byte
1196
 * array instead of a mpz_t value.  Returns 1 on success; 0 otherwise.
1197
 */
1198
static inline int _rsa_decrypt_tr(const struct rsa_public_key *pub,
1199
          const struct rsa_private_key *key,
1200
          void *rnd_ctx, nettle_random_func *rnd_func,
1201
          size_t *length, uint8_t *message,
1202
          const uint8_t *ciphertext)
1203
0
{
1204
0
  bigint_t c;
1205
0
  int ret;
1206
1207
0
  if (_gnutls_mpi_init_scan_nz(&c, ciphertext, pub->size) < 0) {
1208
0
    gnutls_assert();
1209
0
    return 0;
1210
0
  }
1211
1212
0
  ret = rsa_decrypt_tr(pub, key, rnd_ctx, rnd_func, length, message, c);
1213
1214
0
  _gnutls_mpi_release(&c);
1215
1216
0
  return ret;
1217
0
}
1218
1219
/* This wraps nettle_rsa_oaep_sha*_decrypt to parametrize the function
1220
 * calls with a DIG argument.  Returns 1 on success; 0 otherwise.
1221
 */
1222
static inline int _rsa_oaep_decrypt(gnutls_digest_algorithm_t dig,
1223
            const struct rsa_public_key *pub,
1224
            const struct rsa_private_key *key,
1225
            void *rnd_ctx, nettle_random_func *rnd_func,
1226
            size_t label_length, const uint8_t *label,
1227
            size_t *length, uint8_t *message,
1228
            const uint8_t *ciphertext)
1229
0
{
1230
0
  int (*decrypt_func)(const struct rsa_public_key *,
1231
0
          const struct rsa_private_key *, void *,
1232
0
          nettle_random_func *, size_t, const uint8_t *,
1233
0
          size_t *, uint8_t *, const uint8_t *);
1234
1235
0
  switch (dig) {
1236
0
  case GNUTLS_DIG_SHA256:
1237
0
    decrypt_func = rsa_oaep_sha256_decrypt;
1238
0
    break;
1239
0
  case GNUTLS_DIG_SHA384:
1240
0
    decrypt_func = rsa_oaep_sha384_decrypt;
1241
0
    break;
1242
0
  case GNUTLS_DIG_SHA512:
1243
0
    decrypt_func = rsa_oaep_sha512_decrypt;
1244
0
    break;
1245
0
  default:
1246
0
    gnutls_assert();
1247
0
    return 0;
1248
0
  }
1249
1250
0
  return decrypt_func(pub, key, rnd_ctx, rnd_func, label_length, label,
1251
0
          length, message, ciphertext);
1252
0
}
1253
1254
static int _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
1255
           gnutls_datum_t *plaintext,
1256
           const gnutls_datum_t *ciphertext,
1257
           const gnutls_pk_params_st *pk_params,
1258
           const gnutls_x509_spki_st *encrypt_params)
1259
0
{
1260
0
  int ret;
1261
0
  bool not_approved = false;
1262
0
  uint8_t *buf = NULL;
1263
1264
0
  FAIL_IF_LIB_ERROR;
1265
1266
0
  if (algo == GNUTLS_PK_RSA && encrypt_params->pk == GNUTLS_PK_RSA_OAEP) {
1267
0
    algo = GNUTLS_PK_RSA_OAEP;
1268
0
  }
1269
1270
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::decrypt",
1271
0
              "pk::algorithm", CRAU_STRING,
1272
0
              gnutls_pk_get_name(algo), NULL);
1273
1274
0
  switch (algo) {
1275
0
  case GNUTLS_PK_RSA: {
1276
0
    struct rsa_private_key priv;
1277
0
    struct rsa_public_key pub;
1278
0
    size_t length;
1279
0
    nettle_random_func *random_func;
1280
0
    size_t bits;
1281
1282
0
    if (!_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
1283
0
      ret = gnutls_assert_val(
1284
0
        GNUTLS_E_UNSUPPORTED_ENCRYPTION_ALGORITHM);
1285
0
      goto cleanup;
1286
0
    }
1287
1288
    /* RSA decryption with PKCS#1 v1.5 padding is not approved */
1289
0
    not_approved = true;
1290
1291
0
    _rsa_params_to_privkey(pk_params, &priv);
1292
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
1293
0
    if (ret < 0) {
1294
0
      gnutls_assert();
1295
0
      goto cleanup;
1296
0
    }
1297
1298
0
    bits = mpz_sizeinbase(pub.n, 2);
1299
1300
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
1301
1302
0
    if (ciphertext->size != pub.size) {
1303
0
      ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1304
0
      goto cleanup;
1305
0
    }
1306
1307
0
    length = pub.size;
1308
0
    buf = gnutls_malloc(length);
1309
0
    if (!buf) {
1310
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1311
0
      goto cleanup;
1312
0
    }
1313
1314
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
1315
0
      random_func = rnd_nonce_func_fallback;
1316
0
    else
1317
0
      random_func = rnd_nonce_func;
1318
0
    ret = _rsa_decrypt_tr(&pub, &priv, NULL, random_func, &length,
1319
0
              buf, ciphertext->data);
1320
1321
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
1322
0
      ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1323
0
      goto cleanup;
1324
0
    }
1325
1326
0
    plaintext->data = buf;
1327
0
    buf = NULL;
1328
0
    plaintext->size = length;
1329
0
    break;
1330
0
  }
1331
0
  case GNUTLS_PK_RSA_OAEP: {
1332
0
    struct rsa_private_key priv;
1333
0
    struct rsa_public_key pub;
1334
0
    size_t length;
1335
0
    nettle_random_func *random_func;
1336
0
    size_t bits;
1337
1338
0
    _rsa_params_to_privkey(pk_params, &priv);
1339
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
1340
0
    if (ret < 0) {
1341
0
      gnutls_assert();
1342
0
      goto cleanup;
1343
0
    }
1344
1345
0
    bits = mpz_sizeinbase(pub.n, 2);
1346
1347
0
    _gnutls_audit_data(
1348
0
      "pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING,
1349
0
      gnutls_digest_get_name(encrypt_params->rsa_oaep_dig),
1350
0
      NULL);
1351
1352
0
    if (ciphertext->size != pub.size) {
1353
0
      ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1354
0
      goto cleanup;
1355
0
    }
1356
1357
0
    length = pub.size;
1358
0
    buf = gnutls_malloc(length);
1359
0
    if (!buf) {
1360
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1361
0
      goto cleanup;
1362
0
    }
1363
1364
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
1365
0
      random_func = rnd_nonce_func_fallback;
1366
0
    else
1367
0
      random_func = rnd_nonce_func;
1368
0
    ret = _rsa_oaep_decrypt(encrypt_params->rsa_oaep_dig, &pub,
1369
0
          &priv, NULL, random_func,
1370
0
          encrypt_params->rsa_oaep_label.size,
1371
0
          encrypt_params->rsa_oaep_label.data,
1372
0
          &length, buf, ciphertext->data);
1373
1374
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
1375
0
      ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1376
0
      goto cleanup;
1377
0
    }
1378
1379
0
    plaintext->data = buf;
1380
0
    buf = NULL;
1381
0
    plaintext->size = length;
1382
0
    break;
1383
0
  }
1384
0
  default:
1385
0
    gnutls_assert();
1386
0
    ret = GNUTLS_E_INTERNAL_ERROR;
1387
0
    goto cleanup;
1388
0
  }
1389
1390
0
  ret = 0;
1391
1392
0
cleanup:
1393
0
  gnutls_free(buf);
1394
0
  if (ret < 0) {
1395
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
1396
0
  } else if (not_approved) {
1397
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
1398
0
  } else {
1399
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
1400
0
  }
1401
1402
0
  gnutls_audit_pop_context();
1403
1404
0
  FAIL_IF_LIB_ERROR;
1405
0
  return ret;
1406
0
}
1407
1408
/* This wraps nettle_rsa_sec_decrypt so it takes ciphertext as a byte
1409
 * array instead of a mpz_t value.  Returns 1 on success; 0 otherwise.
1410
 */
1411
static inline int _rsa_sec_decrypt(const struct rsa_public_key *pub,
1412
           const struct rsa_private_key *key,
1413
           void *rnd_ctx, nettle_random_func *rnd_func,
1414
           size_t length, uint8_t *message,
1415
           const uint8_t *ciphertext)
1416
0
{
1417
0
  bigint_t c;
1418
0
  int ret;
1419
1420
0
  if (_gnutls_mpi_init_scan_nz(&c, ciphertext, pub->size) < 0) {
1421
0
    gnutls_assert();
1422
0
    return 0;
1423
0
  }
1424
1425
0
  ret = rsa_sec_decrypt(pub, key, rnd_ctx, rnd_func, length, message, c);
1426
1427
0
  _gnutls_mpi_release(&c);
1428
1429
0
  return ret;
1430
0
}
1431
1432
/* Note: we do not allocate in this function to avoid asymettric
1433
 * unallocation (which creates a side channel) in case of failure
1434
 * */
1435
static int _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
1436
            const gnutls_datum_t *ciphertext,
1437
            unsigned char *plaintext,
1438
            size_t plaintext_size,
1439
            const gnutls_pk_params_st *pk_params,
1440
            const gnutls_x509_spki_st *encrypt_params)
1441
0
{
1442
0
  struct rsa_private_key priv;
1443
0
  struct rsa_public_key pub;
1444
0
  uint32_t is_err;
1445
0
  int ret;
1446
0
  nettle_random_func *random_func;
1447
0
  bool not_approved = false;
1448
0
  size_t bits;
1449
1450
0
  FAIL_IF_LIB_ERROR;
1451
1452
0
  if ((algo != GNUTLS_PK_RSA && algo != GNUTLS_PK_RSA_OAEP) ||
1453
0
      plaintext == NULL) {
1454
0
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1455
0
    goto fail;
1456
0
  }
1457
1458
0
  if (encrypt_params->pk == GNUTLS_PK_RSA_OAEP) {
1459
0
    algo = GNUTLS_PK_RSA_OAEP;
1460
0
  }
1461
1462
0
  _rsa_params_to_privkey(pk_params, &priv);
1463
0
  ret = _rsa_params_to_pubkey(pk_params, &pub);
1464
0
  if (ret < 0) {
1465
0
    gnutls_assert();
1466
0
    goto fail;
1467
0
  }
1468
1469
0
  bits = mpz_sizeinbase(pub.n, 2);
1470
1471
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::decrypt",
1472
0
              "pk::algorithm", CRAU_STRING,
1473
0
              gnutls_pk_get_name(algo),
1474
0
              "pk::bits", CRAU_WORD, bits, NULL);
1475
1476
0
  if (ciphertext->size != pub.size) {
1477
0
    ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
1478
0
    goto fail;
1479
0
  }
1480
1481
0
  if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
1482
0
    random_func = rnd_nonce_func_fallback;
1483
0
  else
1484
0
    random_func = rnd_nonce_func;
1485
1486
0
  switch (algo) {
1487
0
  case GNUTLS_PK_RSA:
1488
0
    if (!_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
1489
0
      ret = gnutls_assert_val(
1490
0
        GNUTLS_E_UNSUPPORTED_ENCRYPTION_ALGORITHM);
1491
0
      goto fail;
1492
0
    }
1493
1494
    /* RSA decryption with PKCS#1 v1.5 padding is not approved */
1495
0
    not_approved = true;
1496
1497
0
    ret = _rsa_sec_decrypt(&pub, &priv, NULL, random_func,
1498
0
               plaintext_size, plaintext,
1499
0
               ciphertext->data);
1500
0
    break;
1501
0
  case GNUTLS_PK_RSA_OAEP:
1502
0
    _gnutls_audit_data(
1503
0
      "pk::hash", CRAU_STRING,
1504
0
      gnutls_digest_get_name(encrypt_params->rsa_oaep_dig),
1505
0
      NULL);
1506
1507
0
    ret = _rsa_oaep_decrypt(encrypt_params->rsa_oaep_dig, &pub,
1508
0
          &priv, NULL, random_func,
1509
0
          encrypt_params->rsa_oaep_label.size,
1510
0
          encrypt_params->rsa_oaep_label.data,
1511
0
          &plaintext_size, plaintext,
1512
0
          ciphertext->data);
1513
0
    break;
1514
0
  default:
1515
0
    gnutls_assert();
1516
0
    ret = GNUTLS_E_INTERNAL_ERROR;
1517
0
    goto fail;
1518
0
  }
1519
1520
  /* The decrypt operation is infallible; treat the approved
1521
   * operation as complete at this point, regardless of any
1522
   * decryption failure detected below.
1523
   */
1524
0
  _gnutls_switch_fips_state(not_approved ?
1525
0
            GNUTLS_FIPS140_OP_NOT_APPROVED :
1526
0
            GNUTLS_FIPS140_OP_APPROVED);
1527
1528
  /* after this point, any conditional on failure that cause differences
1529
   * in execution may create a timing or cache access pattern side
1530
   * channel that can be used as an oracle, so thread very carefully */
1531
1532
  /* Here HAVE_LIB_ERROR() should be fine as it doesn't have
1533
   * branches in it and returns a bool */
1534
0
  is_err = HAVE_LIB_ERROR();
1535
  /* if is_err != 0 */
1536
0
  is_err = CONSTCHECK_NOT_EQUAL(is_err, 0);
1537
  /* or ret == 0 */
1538
0
  is_err |= CONSTCHECK_EQUAL(ret, 0);
1539
  /* then return GNUTLS_E_DECRYPTION_FAILED */
1540
0
  return (int)((is_err * UINT_MAX) & GNUTLS_E_DECRYPTION_FAILED);
1541
1542
0
fail:
1543
0
  _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
1544
1545
0
  gnutls_audit_pop_context();
1546
1547
0
  return ret;
1548
0
}
1549
1550
#define CHECK_INVALID_RSA_PSS_PARAMS(dig_size, salt_size, pub_size, err) \
1551
0
  if (unlikely(dig_size + salt_size + 2 > pub_size))               \
1552
0
  return gnutls_assert_val(err)
1553
1554
static int _rsa_pss_sign_digest_tr(gnutls_digest_algorithm_t dig,
1555
           const struct rsa_public_key *pub,
1556
           const struct rsa_private_key *priv,
1557
           void *rnd_ctx, nettle_random_func *rnd_func,
1558
           size_t salt_size, const uint8_t *digest,
1559
           mpz_t s)
1560
0
{
1561
0
  int (*sign_func)(const struct rsa_public_key *,
1562
0
       const struct rsa_private_key *, void *,
1563
0
       nettle_random_func *, size_t, const uint8_t *,
1564
0
       const uint8_t *, mpz_t);
1565
0
  uint8_t *salt = NULL;
1566
0
  size_t hash_size;
1567
0
  int ret;
1568
1569
0
  switch (dig) {
1570
0
  case GNUTLS_DIG_SHA256:
1571
0
    sign_func = rsa_pss_sha256_sign_digest_tr;
1572
0
    hash_size = 32;
1573
0
    break;
1574
0
  case GNUTLS_DIG_SHA384:
1575
0
    sign_func = rsa_pss_sha384_sign_digest_tr;
1576
0
    hash_size = 48;
1577
0
    break;
1578
0
  case GNUTLS_DIG_SHA512:
1579
0
    sign_func = rsa_pss_sha512_sign_digest_tr;
1580
0
    hash_size = 64;
1581
0
    break;
1582
0
  default:
1583
0
    gnutls_assert();
1584
0
    return GNUTLS_E_UNKNOWN_ALGORITHM;
1585
0
  }
1586
1587
  /* This is also checked in pss_encode_mgf1, but error out earlier.  */
1588
0
  CHECK_INVALID_RSA_PSS_PARAMS(hash_size, salt_size, pub->size,
1589
0
             GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
1590
1591
0
  if (salt_size > 0) {
1592
0
    salt = gnutls_malloc(salt_size);
1593
0
    if (salt == NULL)
1594
0
      return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1595
1596
0
    rnd_func(NULL, salt_size, salt);
1597
0
  }
1598
1599
0
  ret = sign_func(pub, priv, rnd_ctx, rnd_func, salt_size, salt, digest,
1600
0
      s);
1601
0
  if (ret == 0) {
1602
0
    gnutls_assert();
1603
0
    ret = GNUTLS_E_PK_SIGN_FAILED;
1604
0
  } else
1605
0
    ret = 0;
1606
1607
0
  gnutls_free(salt);
1608
0
  return ret;
1609
0
}
1610
1611
static inline gnutls_ecc_curve_t get_eddsa_curve(gnutls_pk_algorithm_t algo)
1612
0
{
1613
0
  switch (algo) {
1614
0
  case GNUTLS_PK_EDDSA_ED25519:
1615
0
    return GNUTLS_ECC_CURVE_ED25519;
1616
0
  case GNUTLS_PK_EDDSA_ED448:
1617
0
    return GNUTLS_ECC_CURVE_ED448;
1618
0
  default:
1619
0
    return gnutls_assert_val(GNUTLS_ECC_CURVE_INVALID);
1620
0
  }
1621
0
}
1622
1623
static inline gnutls_ecc_curve_t get_ecdh_curve(gnutls_pk_algorithm_t algo)
1624
0
{
1625
0
  switch (algo) {
1626
0
  case GNUTLS_PK_ECDH_X25519:
1627
0
    return GNUTLS_ECC_CURVE_X25519;
1628
0
  case GNUTLS_PK_ECDH_X448:
1629
0
    return GNUTLS_ECC_CURVE_X448;
1630
0
  default:
1631
0
    return gnutls_assert_val(GNUTLS_ECC_CURVE_INVALID);
1632
0
  }
1633
0
}
1634
1635
static inline int eddsa_sign(gnutls_pk_algorithm_t algo, const uint8_t *pub,
1636
           const uint8_t *priv, size_t length,
1637
           const uint8_t *msg, uint8_t *signature)
1638
0
{
1639
0
  switch (algo) {
1640
0
  case GNUTLS_PK_EDDSA_ED25519:
1641
0
    ed25519_sha512_sign(pub, priv, length, msg, signature);
1642
0
    return 0;
1643
0
  case GNUTLS_PK_EDDSA_ED448:
1644
0
    ed448_shake256_sign(pub, priv, length, msg, signature);
1645
0
    return 0;
1646
0
  default:
1647
0
    return gnutls_assert_val(
1648
0
      GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1649
0
  }
1650
0
}
1651
1652
#ifdef HAVE_LEANCRYPTO
1653
static enum lc_dilithium_type
1654
ml_dsa_pk_to_lc_dilithium_type(gnutls_pk_algorithm_t algo)
1655
{
1656
  switch (algo) {
1657
#ifdef LC_DILITHIUM_44_ENABLED
1658
  case GNUTLS_PK_MLDSA44:
1659
    return LC_DILITHIUM_44;
1660
#endif
1661
#ifdef LC_DILITHIUM_65_ENABLED
1662
  case GNUTLS_PK_MLDSA65:
1663
    return LC_DILITHIUM_65;
1664
#endif
1665
#ifdef LC_DILITHIUM_87_ENABLED
1666
  case GNUTLS_PK_MLDSA87:
1667
    return LC_DILITHIUM_87;
1668
#endif
1669
  default:
1670
    return gnutls_assert_val(LC_DILITHIUM_UNKNOWN);
1671
  }
1672
}
1673
1674
static int ml_dsa_exists(gnutls_pk_algorithm_t algo)
1675
{
1676
  return ml_dsa_pk_to_lc_dilithium_type(algo) != LC_DILITHIUM_UNKNOWN;
1677
}
1678
1679
static int ml_dsa_sign(gnutls_pk_algorithm_t algo, gnutls_datum_t *signature,
1680
           const gnutls_datum_t *message,
1681
           const gnutls_datum_t *raw_priv)
1682
{
1683
  int ret;
1684
  enum lc_dilithium_type type;
1685
  struct lc_dilithium_sk sk;
1686
  struct lc_dilithium_sig sig;
1687
  gnutls_datum_t tmp_signature = { NULL, 0 };
1688
  uint8_t *ptr;
1689
  size_t len;
1690
1691
  type = ml_dsa_pk_to_lc_dilithium_type(algo);
1692
  if (type == LC_DILITHIUM_UNKNOWN)
1693
    return gnutls_assert_val(
1694
      GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1695
1696
  ret = lc_dilithium_sk_load(&sk, raw_priv->data, raw_priv->size);
1697
  if (ret < 0 || lc_dilithium_sk_type(&sk) != type) {
1698
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1699
    goto cleanup;
1700
  }
1701
1702
  ret = lc_dilithium_sign(&sig, message->data, message->size, &sk,
1703
        lc_seeded_rng);
1704
  if (ret < 0) {
1705
    ret = gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED);
1706
    goto cleanup;
1707
  }
1708
1709
  ret = lc_dilithium_sig_ptr(&ptr, &len, &sig);
1710
  if (ret < 0) {
1711
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1712
    goto cleanup;
1713
  }
1714
  ret = _gnutls_set_datum(&tmp_signature, ptr, len);
1715
  if (ret < 0)
1716
    goto cleanup;
1717
1718
  *signature = _gnutls_take_datum(&tmp_signature);
1719
1720
  ret = 0;
1721
1722
cleanup:
1723
  _gnutls_free_datum(&tmp_signature);
1724
  zeroize_key(&sk, sizeof(sk));
1725
  return ret;
1726
}
1727
1728
static int ml_dsa_verify(gnutls_pk_algorithm_t algo,
1729
       const gnutls_datum_t *signature,
1730
       const gnutls_datum_t *message,
1731
       const gnutls_datum_t *raw_pub)
1732
{
1733
  int ret;
1734
  enum lc_dilithium_type type;
1735
  struct lc_dilithium_sig sig;
1736
  struct lc_dilithium_pk pk;
1737
1738
  type = ml_dsa_pk_to_lc_dilithium_type(algo);
1739
  if (type == LC_DILITHIUM_UNKNOWN)
1740
    return gnutls_assert_val(
1741
      GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1742
1743
  ret = lc_dilithium_pk_load(&pk, raw_pub->data, raw_pub->size);
1744
  if (ret < 0 || lc_dilithium_pk_type(&pk) != type) {
1745
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1746
    goto cleanup;
1747
  }
1748
1749
  ret = lc_dilithium_sig_load(&sig, signature->data, signature->size);
1750
  if (ret < 0 || lc_dilithium_sig_type(&sig) != type) {
1751
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1752
    goto cleanup;
1753
  }
1754
1755
  ret = lc_dilithium_verify(&sig, message->data, message->size, &pk);
1756
  if (ret < 0) {
1757
    ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
1758
    goto cleanup;
1759
  }
1760
1761
  ret = 0;
1762
1763
cleanup:
1764
  zeroize_key(&pk, sizeof(pk));
1765
  return ret;
1766
}
1767
1768
static int ml_dsa_generate_keypair(gnutls_pk_algorithm_t algo,
1769
           gnutls_datum_t *raw_priv,
1770
           gnutls_datum_t *raw_pub,
1771
           const gnutls_datum_t *raw_seed)
1772
{
1773
  int ret;
1774
  enum lc_dilithium_type type;
1775
  struct lc_dilithium_sk sk;
1776
  struct lc_dilithium_pk pk;
1777
  gnutls_datum_t tmp_raw_priv = { NULL, 0 };
1778
  gnutls_datum_t tmp_raw_pub = { NULL, 0 };
1779
  uint8_t *ptr;
1780
  size_t len;
1781
1782
  type = ml_dsa_pk_to_lc_dilithium_type(algo);
1783
  if (type == LC_DILITHIUM_UNKNOWN)
1784
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
1785
1786
  ret = lc_dilithium_keypair_from_seed(&pk, &sk, raw_seed->data,
1787
               raw_seed->size, type);
1788
  if (ret < 0) {
1789
    ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
1790
    goto cleanup;
1791
  }
1792
1793
  ret = lc_dilithium_sk_ptr(&ptr, &len, &sk);
1794
  if (ret < 0) {
1795
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1796
    goto cleanup;
1797
  }
1798
1799
  ret = _gnutls_set_datum(&tmp_raw_priv, ptr, len);
1800
  if (ret < 0) {
1801
    gnutls_assert();
1802
    goto cleanup;
1803
  }
1804
1805
  ret = lc_dilithium_pk_ptr(&ptr, &len, &pk);
1806
  if (ret < 0) {
1807
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1808
    goto cleanup;
1809
  }
1810
1811
  ret = _gnutls_set_datum(&tmp_raw_pub, ptr, len);
1812
  if (ret < 0) {
1813
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1814
    goto cleanup;
1815
  }
1816
1817
  *raw_priv = _gnutls_take_datum(&tmp_raw_priv);
1818
  *raw_pub = _gnutls_take_datum(&tmp_raw_pub);
1819
1820
  ret = 0;
1821
1822
cleanup:
1823
  _gnutls_free_key_datum(&tmp_raw_priv);
1824
  _gnutls_free_key_datum(&tmp_raw_pub);
1825
  zeroize_key(&pk, sizeof(pk));
1826
  zeroize_key(&sk, sizeof(sk));
1827
  return ret;
1828
}
1829
1830
#ifdef HAVE_LC_DILITHIUM_PK_FROM_SK
1831
static int ml_dsa_privkey_to_pubkey(gnutls_pk_algorithm_t algo,
1832
            const gnutls_datum_t *raw_priv,
1833
            gnutls_datum_t *raw_pub)
1834
{
1835
  int ret;
1836
  enum lc_dilithium_type type;
1837
  struct lc_dilithium_sk sk;
1838
  struct lc_dilithium_pk pk;
1839
  gnutls_datum_t tmp_raw_pub = { NULL, 0 };
1840
  uint8_t *ptr;
1841
  size_t len;
1842
1843
  type = ml_dsa_pk_to_lc_dilithium_type(algo);
1844
  if (type == LC_DILITHIUM_UNKNOWN)
1845
    return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
1846
1847
  ret = lc_dilithium_sk_load(&sk, raw_priv->data, raw_priv->size);
1848
  if (ret < 0 || lc_dilithium_sk_type(&sk) != type) {
1849
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1850
    goto cleanup;
1851
  }
1852
1853
  ret = lc_dilithium_pk_from_sk(&pk, &sk);
1854
  if (ret < 0) {
1855
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1856
    goto cleanup;
1857
  }
1858
1859
  ret = lc_dilithium_pk_ptr(&ptr, &len, &pk);
1860
  if (ret < 0) {
1861
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1862
    goto cleanup;
1863
  }
1864
1865
  ret = _gnutls_set_datum(&tmp_raw_pub, ptr, len);
1866
  if (ret < 0) {
1867
    ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
1868
    goto cleanup;
1869
  }
1870
1871
  *raw_pub = _gnutls_take_datum(&tmp_raw_pub);
1872
1873
  ret = 0;
1874
1875
cleanup:
1876
  _gnutls_free_key_datum(&tmp_raw_pub);
1877
  zeroize_key(&pk, sizeof(pk));
1878
  zeroize_key(&sk, sizeof(sk));
1879
  return ret;
1880
}
1881
#else /* !HAVE_LC_DILITHIUM_PK_FROM_SK */
1882
static int ml_dsa_privkey_to_pubkey(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
1883
            const gnutls_datum_t *raw_priv MAYBE_UNUSED,
1884
            gnutls_datum_t *raw_pub MAYBE_UNUSED)
1885
{
1886
  return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
1887
}
1888
#endif
1889
#else /* !HAVE_LEANCRYPTO */
1890
static int ml_dsa_exists(gnutls_pk_algorithm_t algo MAYBE_UNUSED)
1891
0
{
1892
0
  return 0;
1893
0
}
1894
1895
static int ml_dsa_sign(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
1896
           gnutls_datum_t *signature MAYBE_UNUSED,
1897
           const gnutls_datum_t *message MAYBE_UNUSED,
1898
           const gnutls_datum_t *raw_priv MAYBE_UNUSED)
1899
0
{
1900
0
  return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1901
0
}
1902
1903
static int ml_dsa_verify(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
1904
       const gnutls_datum_t *signature MAYBE_UNUSED,
1905
       const gnutls_datum_t *message MAYBE_UNUSED,
1906
       const gnutls_datum_t *raw_pub MAYBE_UNUSED)
1907
0
{
1908
0
  return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1909
0
}
1910
1911
static int ml_dsa_generate_keypair(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
1912
           gnutls_datum_t *raw_priv MAYBE_UNUSED,
1913
           gnutls_datum_t *raw_pub MAYBE_UNUSED,
1914
           const gnutls_datum_t *raw_seed MAYBE_UNUSED)
1915
0
{
1916
0
  return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1917
0
}
1918
1919
static int ml_dsa_privkey_to_pubkey(gnutls_pk_algorithm_t algo MAYBE_UNUSED,
1920
            const gnutls_datum_t *raw_priv MAYBE_UNUSED,
1921
            gnutls_datum_t *raw_pub MAYBE_UNUSED)
1922
0
{
1923
0
  return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
1924
0
}
1925
#endif
1926
1927
/* This is the lower-level part of privkey_sign_raw_data().
1928
 *
1929
 * It accepts data in the appropriate hash form, i.e., DigestInfo
1930
 * for PK_RSA, hash for PK_ECDSA, PK_DSA, PK_RSA_PSS, and raw data
1931
 * for Ed25519 and Ed448.
1932
 *
1933
 * in case of EC/DSA, signed data are encoded into r,s values
1934
 */
1935
static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
1936
        gnutls_datum_t *signature,
1937
        const gnutls_datum_t *vdata,
1938
        const gnutls_pk_params_st *pk_params,
1939
        const gnutls_x509_spki_st *sign_params)
1940
0
{
1941
0
  int ret;
1942
0
  unsigned int hash_len;
1943
0
  const mac_entry_st *me;
1944
0
  bool not_approved = false;
1945
1946
0
  FAIL_IF_LIB_ERROR;
1947
1948
  /* check if the curve relates to the algorithm used */
1949
0
  if (IS_EC(algo) && gnutls_ecc_curve_get_pk(pk_params->curve) != algo) {
1950
0
    ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
1951
0
    goto cleanup;
1952
0
  }
1953
1954
  /* deterministic ECDSA/DSA is prohibited under FIPS except in
1955
   * the selftests */
1956
0
  if ((algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_ECDSA) &&
1957
0
      (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) &&
1958
0
      _gnutls_fips_mode_enabled() &&
1959
0
      _gnutls_get_lib_state() != LIB_STATE_SELFTEST) {
1960
0
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1961
0
    goto cleanup;
1962
0
  }
1963
1964
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::sign",
1965
0
              "pk::algorithm", CRAU_STRING,
1966
0
              gnutls_pk_get_name(algo), NULL);
1967
1968
0
  switch (algo) {
1969
0
  case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */
1970
0
  case GNUTLS_PK_EDDSA_ED448: {
1971
0
    const gnutls_ecc_curve_entry_st *e;
1972
1973
0
    if (unlikely(get_eddsa_curve(algo) != pk_params->curve)) {
1974
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
1975
0
      goto cleanup;
1976
0
    }
1977
1978
0
    e = _gnutls_ecc_curve_get_params(pk_params->curve);
1979
0
    if (e == NULL) {
1980
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1981
0
      goto cleanup;
1982
0
    }
1983
1984
0
    signature->data = gnutls_malloc(e->sig_size);
1985
0
    if (signature->data == NULL) {
1986
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1987
0
      goto cleanup;
1988
0
    }
1989
1990
0
    signature->size = e->sig_size;
1991
1992
0
    if (pk_params->raw_pub.size != e->size ||
1993
0
        pk_params->raw_priv.size != e->size) {
1994
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED);
1995
0
      goto cleanup;
1996
0
    }
1997
1998
0
    ret = eddsa_sign(algo, pk_params->raw_pub.data,
1999
0
         pk_params->raw_priv.data, vdata->size,
2000
0
         vdata->data, signature->data);
2001
0
    if (ret < 0)
2002
0
      goto cleanup;
2003
2004
0
    break;
2005
0
  }
2006
0
#if ENABLE_GOST
2007
0
  case GNUTLS_PK_GOST_01:
2008
0
  case GNUTLS_PK_GOST_12_256:
2009
0
  case GNUTLS_PK_GOST_12_512: {
2010
0
    struct ecc_scalar priv;
2011
0
    struct dsa_signature sig;
2012
0
    const struct ecc_curve *curve;
2013
2014
    /* GOSTDSA is not approved */
2015
0
    not_approved = true;
2016
2017
0
    curve = get_supported_gost_curve(pk_params->curve);
2018
0
    if (curve == NULL) {
2019
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2020
0
      goto cleanup;
2021
0
    }
2022
2023
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
2024
0
           gnutls_ecc_curve_get_name(pk_params->curve),
2025
0
           NULL);
2026
2027
0
    ret = _ecc_params_to_privkey(pk_params, &priv, curve);
2028
0
    if (ret < 0) {
2029
0
      gnutls_assert();
2030
0
      goto cleanup;
2031
0
    }
2032
2033
    /* This call will return a valid MAC entry and
2034
       * getters will check that is not null anyway. */
2035
0
    me = hash_to_entry(_gnutls_gost_digest(pk_params->algo));
2036
0
    if (_gnutls_mac_get_algo_len(me) != vdata->size) {
2037
0
      _gnutls_debug_log(
2038
0
        "Security level of algorithm requires hash %s(%zd)\n",
2039
0
        _gnutls_mac_get_name(me),
2040
0
        _gnutls_mac_get_algo_len(me));
2041
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
2042
0
      goto cleanup;
2043
0
    }
2044
2045
0
    dsa_signature_init(&sig);
2046
2047
0
    gostdsa_sign(&priv, NULL, rnd_tmpkey_func, vdata->size,
2048
0
           vdata->data, &sig);
2049
2050
0
    ret = _gnutls_encode_gost_rs(signature, &sig.r, &sig.s,
2051
0
               (ecc_bit_size(curve) + 7) / 8);
2052
2053
0
    dsa_signature_clear(&sig);
2054
0
    ecc_scalar_zclear(&priv);
2055
2056
0
    if (ret < 0) {
2057
0
      gnutls_assert();
2058
0
      goto cleanup;
2059
0
    }
2060
0
    break;
2061
0
  }
2062
0
#endif
2063
0
  case GNUTLS_PK_ECDSA: /* we do ECDSA */
2064
0
  {
2065
0
    struct ecc_scalar priv;
2066
0
    struct dsa_signature sig;
2067
0
    int curve_id = pk_params->curve;
2068
0
    const struct ecc_curve *curve;
2069
0
    mpz_t q;
2070
    /* 521-bit elliptic curve generator at maximum */
2071
0
    uint8_t buf[(521 + 7) / 8];
2072
0
    gnutls_datum_t k = { NULL, 0 };
2073
0
    void *random_ctx;
2074
0
    nettle_random_func *random_func;
2075
2076
0
    curve = get_supported_nist_curve(curve_id);
2077
0
    if (curve == NULL) {
2078
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2079
0
      goto cleanup;
2080
0
    }
2081
2082
    /* P-192 is not supported in FIPS 140-3 */
2083
0
    if (curve_id == GNUTLS_ECC_CURVE_SECP192R1) {
2084
0
      not_approved = true;
2085
0
    }
2086
2087
0
    ret = _ecc_params_to_privkey(pk_params, &priv, curve);
2088
0
    if (ret < 0) {
2089
0
      gnutls_assert();
2090
0
      goto cleanup;
2091
0
    }
2092
2093
0
    dsa_signature_init(&sig);
2094
2095
0
    me = _gnutls_dsa_q_to_hash(pk_params, &hash_len);
2096
2097
0
    if (hash_len > vdata->size) {
2098
0
      gnutls_assert();
2099
0
      _gnutls_debug_log(
2100
0
        "Security level of algorithm requires hash %s(%d) or better\n",
2101
0
        _gnutls_mac_get_name(me), hash_len);
2102
0
      hash_len = vdata->size;
2103
0
    }
2104
2105
    /* Only SHA-2 is allowed in FIPS 140-3 */
2106
0
    switch (DIG_TO_MAC(sign_params->dsa_dig)) {
2107
0
    case GNUTLS_MAC_SHA256:
2108
0
    case GNUTLS_MAC_SHA384:
2109
0
    case GNUTLS_MAC_SHA512:
2110
0
    case GNUTLS_MAC_SHA224:
2111
0
      break;
2112
0
    default:
2113
0
      not_approved = true;
2114
0
    }
2115
2116
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
2117
0
           gnutls_ecc_curve_get_name(curve_id),
2118
0
           "pk::hash", CRAU_STRING,
2119
0
           _gnutls_mac_get_name(me), NULL);
2120
2121
0
    mpz_init(q);
2122
2123
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
2124
0
        (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
2125
0
      mp_limb_t h[DSA_COMPUTE_K_ITCH];
2126
2127
0
      ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
2128
0
      if (ret < 0)
2129
0
        goto ecdsa_cleanup;
2130
2131
0
      ret = _gnutls_dsa_compute_k(
2132
0
        h, mpz_limbs_read(q), priv.p,
2133
0
        ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
2134
0
        DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
2135
0
        vdata->size);
2136
0
      if (ret < 0)
2137
0
        goto ecdsa_cleanup;
2138
2139
0
      k.data = buf;
2140
0
      k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
2141
2142
0
      _gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
2143
0
                   ecc_size(priv.ecc));
2144
2145
0
      random_ctx = &k;
2146
0
      random_func = rnd_datum_func;
2147
0
    } else {
2148
0
      random_ctx = NULL;
2149
0
      random_func = rnd_nonce_func;
2150
0
    }
2151
0
    ecdsa_sign(&priv, random_ctx, random_func, hash_len,
2152
0
         vdata->data, &sig);
2153
2154
    /* prevent memory leaks */
2155
0
    if (HAVE_LIB_ERROR()) {
2156
0
      ret = GNUTLS_E_LIB_IN_ERROR_STATE;
2157
0
      goto ecdsa_cleanup;
2158
0
    }
2159
2160
0
    ret = _gnutls_encode_ber_rs(signature, &sig.r, &sig.s);
2161
2162
0
  ecdsa_cleanup:
2163
0
    dsa_signature_clear(&sig);
2164
0
    ecc_scalar_zclear(&priv);
2165
0
    mpz_clear(q);
2166
2167
0
    if (ret < 0) {
2168
0
      gnutls_assert();
2169
0
      goto cleanup;
2170
0
    }
2171
0
    break;
2172
0
  }
2173
0
#ifdef ENABLE_DSA
2174
0
  case GNUTLS_PK_DSA: {
2175
0
    struct dsa_params pub;
2176
0
    bigint_t priv;
2177
0
    struct dsa_signature sig;
2178
    /* 512-bit DSA subgroup at maximum */
2179
0
    uint8_t buf[(512 + 7) / 8];
2180
0
    gnutls_datum_t k = { NULL, 0 };
2181
0
    void *random_ctx;
2182
0
    nettle_random_func *random_func;
2183
0
    size_t bits;
2184
2185
    /* DSA is currently being defined as sunset with the
2186
       * current draft of FIPS 186-5 */
2187
0
    not_approved = true;
2188
2189
0
    memset(&priv, 0, sizeof(priv));
2190
0
    memset(&pub, 0, sizeof(pub));
2191
0
    _dsa_params_get(pk_params, &pub);
2192
2193
0
    priv = pk_params->params[DSA_X];
2194
2195
0
    dsa_signature_init(&sig);
2196
2197
0
    me = _gnutls_dsa_q_to_hash(pk_params, &hash_len);
2198
2199
0
    if (hash_len > vdata->size) {
2200
0
      gnutls_assert();
2201
0
      _gnutls_debug_log(
2202
0
        "Security level of algorithm requires hash %s(%d) or better (have: %d)\n",
2203
0
        _gnutls_mac_get_name(me), hash_len,
2204
0
        (int)vdata->size);
2205
0
      hash_len = vdata->size;
2206
0
    }
2207
2208
0
    bits = mpz_sizeinbase(pub.p, 2);
2209
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
2210
2211
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
2212
0
        (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
2213
0
      mp_limb_t h[DSA_COMPUTE_K_ITCH];
2214
2215
0
      ret = _gnutls_dsa_compute_k(
2216
0
        h, mpz_limbs_read(pub.q),
2217
0
        mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
2218
0
        mpz_sizeinbase(pub.q, 2),
2219
0
        DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
2220
0
        vdata->size);
2221
0
      if (ret < 0)
2222
0
        goto dsa_fail;
2223
2224
0
      k.data = buf;
2225
0
      k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
2226
2227
0
      _gnutls_dsa_compute_k_finish(k.data, k.size, h,
2228
0
                 mpz_size(pub.q));
2229
2230
0
      random_ctx = &k;
2231
0
      random_func = rnd_datum_func;
2232
0
    } else {
2233
0
      random_ctx = NULL;
2234
0
      random_func = rnd_nonce_func;
2235
0
    }
2236
0
    ret = dsa_sign(&pub, TOMPZ(priv), random_ctx, random_func,
2237
0
             hash_len, vdata->data, &sig);
2238
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
2239
0
      gnutls_assert();
2240
0
      ret = GNUTLS_E_PK_SIGN_FAILED;
2241
0
      goto dsa_fail;
2242
0
    }
2243
2244
0
    ret = _gnutls_encode_ber_rs(signature, &sig.r, &sig.s);
2245
2246
0
  dsa_fail:
2247
0
    dsa_signature_clear(&sig);
2248
2249
0
    if (ret < 0) {
2250
0
      gnutls_assert();
2251
0
      goto cleanup;
2252
0
    }
2253
0
    break;
2254
0
  }
2255
0
#endif
2256
0
  case GNUTLS_PK_RSA: {
2257
0
    struct rsa_private_key priv;
2258
0
    struct rsa_public_key pub;
2259
0
    nettle_random_func *random_func;
2260
0
    mpz_t s;
2261
0
    size_t bits;
2262
2263
0
    _rsa_params_to_privkey(pk_params, &priv);
2264
2265
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
2266
0
    if (ret < 0) {
2267
0
      gnutls_assert();
2268
0
      goto cleanup;
2269
0
    }
2270
2271
0
    bits = mpz_sizeinbase(pub.n, 2);
2272
2273
    /* RSA modulus size should be 2048-bit or larger in FIPS
2274
       * 140-3.  In addition to this, only SHA-2 is allowed
2275
       * for SigGen; it is checked in pk_prepare_hash lib/pk.c
2276
       */
2277
0
    if (unlikely(bits < 2048)) {
2278
0
      not_approved = true;
2279
0
    }
2280
2281
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
2282
2283
0
    mpz_init(s);
2284
2285
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
2286
0
      random_func = rnd_nonce_func_fallback;
2287
0
    else
2288
0
      random_func = rnd_nonce_func;
2289
0
    ret = rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func,
2290
0
          vdata->size, vdata->data, s);
2291
0
    if (ret == 0 || HAVE_LIB_ERROR()) {
2292
0
      gnutls_assert();
2293
0
      ret = GNUTLS_E_PK_SIGN_FAILED;
2294
0
      goto rsa_fail;
2295
0
    }
2296
2297
0
    ret = _gnutls_mpi_dprint_size(s, signature, pub.size);
2298
2299
0
  rsa_fail:
2300
0
    mpz_clear(s);
2301
2302
0
    if (ret < 0) {
2303
0
      gnutls_assert();
2304
0
      goto cleanup;
2305
0
    }
2306
2307
0
    break;
2308
0
  }
2309
0
  case GNUTLS_PK_RSA_PSS: {
2310
0
    struct rsa_private_key priv;
2311
0
    struct rsa_public_key pub;
2312
0
    nettle_random_func *random_func;
2313
0
    mpz_t s;
2314
0
    size_t bits;
2315
2316
0
    _rsa_params_to_privkey(pk_params, &priv);
2317
2318
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
2319
0
    if (ret < 0) {
2320
0
      gnutls_assert();
2321
0
      goto cleanup;
2322
0
    }
2323
2324
0
    bits = mpz_sizeinbase(pub.n, 2);
2325
2326
    /* RSA modulus size should be 2048-bit or larger in FIPS
2327
       * 140-3.  In addition to this, only SHA-2 is allowed
2328
       * for SigGen; however, Nettle only support SHA256,
2329
       * SHA384, and SHA512 for RSA-PSS (see
2330
       * _rsa_pss_sign_digest_tr in this file for details).
2331
       */
2332
0
    if (unlikely(bits < 2048)) {
2333
0
      not_approved = true;
2334
0
    }
2335
2336
0
    mpz_init(s);
2337
2338
0
    me = hash_to_entry(sign_params->rsa_pss_dig);
2339
2340
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, "pk::hash",
2341
0
           CRAU_STRING, _gnutls_mac_get_name(me), NULL);
2342
2343
    /* According to FIPS 186-5 5.4, the salt length must be
2344
       * in the range between 0 and the hash length inclusive.
2345
       */
2346
0
    if (sign_params->salt_size > _gnutls_mac_get_algo_len(me)) {
2347
0
      not_approved = true;
2348
0
    }
2349
2350
0
    if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
2351
0
      random_func = rnd_nonce_func_fallback;
2352
0
    else
2353
0
      random_func = rnd_nonce_func;
2354
0
    ret = _rsa_pss_sign_digest_tr(sign_params->rsa_pss_dig, &pub,
2355
0
                &priv, NULL, random_func,
2356
0
                sign_params->salt_size,
2357
0
                vdata->data, s);
2358
0
    if (ret < 0) {
2359
0
      gnutls_assert();
2360
0
      ret = GNUTLS_E_PK_SIGN_FAILED;
2361
0
      goto rsa_pss_fail;
2362
0
    }
2363
2364
0
    ret = _gnutls_mpi_dprint_size(s, signature, pub.size);
2365
2366
0
  rsa_pss_fail:
2367
0
    mpz_clear(s);
2368
2369
0
    if (ret < 0) {
2370
0
      gnutls_assert();
2371
0
      goto cleanup;
2372
0
    }
2373
2374
0
    break;
2375
0
  }
2376
0
  case GNUTLS_PK_MLDSA44:
2377
0
  case GNUTLS_PK_MLDSA65:
2378
0
  case GNUTLS_PK_MLDSA87:
2379
0
    not_approved = true;
2380
0
    ret = ml_dsa_sign(algo, signature, vdata, &pk_params->raw_priv);
2381
0
    if (ret < 0)
2382
0
      goto cleanup;
2383
0
    break;
2384
0
  default:
2385
0
    gnutls_assert();
2386
0
    ret = GNUTLS_E_INTERNAL_ERROR;
2387
0
    goto cleanup;
2388
0
  }
2389
2390
0
  ret = 0;
2391
2392
0
cleanup:
2393
0
  if (ret < 0) {
2394
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
2395
0
  } else if (not_approved) {
2396
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
2397
0
  } else {
2398
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
2399
0
  }
2400
2401
0
  gnutls_audit_pop_context();
2402
2403
0
  FAIL_IF_LIB_ERROR;
2404
0
  return ret;
2405
0
}
2406
2407
static int _rsa_pss_verify_digest(gnutls_digest_algorithm_t dig,
2408
          const struct rsa_public_key *pub,
2409
          size_t salt_size, const uint8_t *digest,
2410
          size_t digest_size, const mpz_t s)
2411
0
{
2412
0
  int (*verify_func)(const struct rsa_public_key *, size_t,
2413
0
         const uint8_t *, const mpz_t);
2414
0
  size_t hash_size;
2415
2416
0
  switch (dig) {
2417
0
  case GNUTLS_DIG_SHA256:
2418
0
    verify_func = rsa_pss_sha256_verify_digest;
2419
0
    hash_size = 32;
2420
0
    break;
2421
0
  case GNUTLS_DIG_SHA384:
2422
0
    verify_func = rsa_pss_sha384_verify_digest;
2423
0
    hash_size = 48;
2424
0
    break;
2425
0
  case GNUTLS_DIG_SHA512:
2426
0
    verify_func = rsa_pss_sha512_verify_digest;
2427
0
    hash_size = 64;
2428
0
    break;
2429
0
  default:
2430
0
    gnutls_assert();
2431
0
    return 0;
2432
0
  }
2433
2434
0
  if (digest_size != hash_size)
2435
0
    return gnutls_assert_val(0);
2436
2437
0
  CHECK_INVALID_RSA_PSS_PARAMS(hash_size, salt_size, pub->size, 0);
2438
2439
0
  return verify_func(pub, salt_size, digest, s);
2440
0
}
2441
2442
static inline int eddsa_verify(gnutls_pk_algorithm_t algo, const uint8_t *pub,
2443
             size_t length, const uint8_t *msg,
2444
             const uint8_t *signature)
2445
0
{
2446
0
  int ret;
2447
2448
0
  switch (algo) {
2449
0
  case GNUTLS_PK_EDDSA_ED25519:
2450
0
    ret = ed25519_sha512_verify(pub, length, msg, signature);
2451
0
    if (ret == 0)
2452
0
      return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2453
0
    return 0;
2454
0
  case GNUTLS_PK_EDDSA_ED448:
2455
0
    ret = ed448_shake256_verify(pub, length, msg, signature);
2456
0
    if (ret == 0)
2457
0
      return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2458
0
    return 0;
2459
0
  default:
2460
0
    return gnutls_assert_val(
2461
0
      GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
2462
0
  }
2463
0
}
2464
2465
static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
2466
          const gnutls_datum_t *vdata,
2467
          const gnutls_datum_t *signature,
2468
          const gnutls_pk_params_st *pk_params,
2469
          const gnutls_x509_spki_st *sign_params)
2470
0
{
2471
0
  int ret;
2472
0
  unsigned int hash_len;
2473
0
  bigint_t tmp[2] = { NULL, NULL };
2474
0
  bool not_approved = false;
2475
2476
0
  FAIL_IF_LIB_ERROR;
2477
2478
  /* check if the curve relates to the algorithm used */
2479
0
  if (IS_EC(algo) && gnutls_ecc_curve_get_pk(pk_params->curve) != algo) {
2480
0
    ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2481
0
    goto cleanup;
2482
0
  }
2483
2484
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::verify",
2485
0
              "pk::algorithm", CRAU_STRING,
2486
0
              gnutls_pk_get_name(algo), NULL);
2487
2488
0
  switch (algo) {
2489
0
  case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */
2490
0
  case GNUTLS_PK_EDDSA_ED448: {
2491
0
    const gnutls_ecc_curve_entry_st *e;
2492
2493
0
    if (unlikely(get_eddsa_curve(algo) != pk_params->curve)) {
2494
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2495
0
      goto cleanup;
2496
0
    }
2497
2498
0
    e = _gnutls_ecc_curve_get_params(pk_params->curve);
2499
0
    if (e == NULL) {
2500
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2501
0
      goto cleanup;
2502
0
    }
2503
2504
0
    if (signature->size != e->sig_size) {
2505
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2506
0
      goto cleanup;
2507
0
    }
2508
2509
0
    if (pk_params->raw_pub.size != e->size) {
2510
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIGN_FAILED);
2511
0
      goto cleanup;
2512
0
    }
2513
2514
0
    ret = eddsa_verify(algo, pk_params->raw_pub.data, vdata->size,
2515
0
           vdata->data, signature->data);
2516
0
    break;
2517
0
  }
2518
0
#if ENABLE_GOST
2519
0
  case GNUTLS_PK_GOST_01:
2520
0
  case GNUTLS_PK_GOST_12_256:
2521
0
  case GNUTLS_PK_GOST_12_512: {
2522
0
    struct ecc_point pub;
2523
0
    struct dsa_signature sig;
2524
0
    const struct ecc_curve *curve;
2525
0
    const mac_entry_st *me;
2526
2527
    /* GOSTDSA is not approved */
2528
0
    not_approved = true;
2529
2530
0
    curve = get_supported_gost_curve(pk_params->curve);
2531
0
    if (curve == NULL) {
2532
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2533
0
      goto cleanup;
2534
0
    }
2535
2536
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
2537
0
           gnutls_ecc_curve_get_name(pk_params->curve),
2538
0
           NULL);
2539
2540
    /* This call will return a valid MAC entry and
2541
       * getters will check that is not null anyway. */
2542
0
    me = hash_to_entry(_gnutls_gost_digest(pk_params->algo));
2543
0
    if (_gnutls_mac_get_algo_len(me) != vdata->size) {
2544
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2545
0
      goto cleanup;
2546
0
    }
2547
2548
0
    ret = _gnutls_decode_gost_rs(signature, &tmp[0], &tmp[1]);
2549
0
    if (ret < 0) {
2550
0
      gnutls_assert();
2551
0
      goto cleanup;
2552
0
    }
2553
2554
0
    ret = _gost_params_to_pubkey(pk_params, &pub, curve);
2555
0
    if (ret < 0) {
2556
0
      gnutls_assert();
2557
0
      goto cleanup;
2558
0
    }
2559
2560
0
    memcpy(sig.r, tmp[0], SIZEOF_MPZT);
2561
0
    memcpy(sig.s, tmp[1], SIZEOF_MPZT);
2562
2563
0
    ret = gostdsa_verify(&pub, vdata->size, vdata->data, &sig);
2564
0
    if (ret == 0) {
2565
0
      gnutls_assert();
2566
0
      ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
2567
0
    } else
2568
0
      ret = 0;
2569
2570
0
    ecc_point_clear(&pub);
2571
0
    break;
2572
0
  }
2573
0
#endif
2574
0
  case GNUTLS_PK_ECDSA: /* ECDSA */
2575
0
  {
2576
0
    struct ecc_point pub;
2577
0
    struct dsa_signature sig;
2578
0
    int curve_id = pk_params->curve;
2579
0
    const struct ecc_curve *curve;
2580
0
    const mac_entry_st *me;
2581
2582
0
    curve = get_supported_nist_curve(curve_id);
2583
0
    if (curve == NULL) {
2584
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
2585
0
      goto cleanup;
2586
0
    }
2587
2588
    /* P-192 is not supported in FIPS 140-3 */
2589
0
    if (curve_id == GNUTLS_ECC_CURVE_SECP192R1) {
2590
0
      not_approved = true;
2591
0
    }
2592
2593
0
    ret = _gnutls_decode_ber_rs(signature, &tmp[0], &tmp[1]);
2594
0
    if (ret < 0) {
2595
0
      gnutls_assert();
2596
0
      goto cleanup;
2597
0
    }
2598
2599
0
    ret = _ecc_params_to_pubkey(pk_params, &pub, curve);
2600
0
    if (ret < 0) {
2601
0
      gnutls_assert();
2602
0
      goto cleanup;
2603
0
    }
2604
2605
0
    memcpy(sig.r, tmp[0], SIZEOF_MPZT);
2606
0
    memcpy(sig.s, tmp[1], SIZEOF_MPZT);
2607
2608
0
    (void)_gnutls_dsa_q_to_hash(pk_params, &hash_len);
2609
2610
0
    if (hash_len > vdata->size)
2611
0
      hash_len = vdata->size;
2612
2613
0
    switch (DIG_TO_MAC(sign_params->dsa_dig)) {
2614
0
    case GNUTLS_MAC_SHA256:
2615
0
    case GNUTLS_MAC_SHA384:
2616
0
    case GNUTLS_MAC_SHA512:
2617
0
    case GNUTLS_MAC_SHA224:
2618
0
      break;
2619
0
    default:
2620
0
      not_approved = true;
2621
0
    }
2622
2623
0
    me = hash_to_entry(sign_params->dsa_dig);
2624
2625
0
    _gnutls_audit_data("pk::curve", CRAU_STRING,
2626
0
           gnutls_ecc_curve_get_name(curve_id),
2627
0
           "pk::hash", CRAU_STRING,
2628
0
           _gnutls_mac_get_name(me), NULL);
2629
2630
0
    ret = ecdsa_verify(&pub, hash_len, vdata->data, &sig);
2631
0
    if (ret == 0) {
2632
0
      gnutls_assert();
2633
0
      ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
2634
0
    } else
2635
0
      ret = 0;
2636
2637
0
    ecc_point_clear(&pub);
2638
0
    break;
2639
0
  }
2640
0
#ifdef ENABLE_DSA
2641
0
  case GNUTLS_PK_DSA: {
2642
0
    struct dsa_params pub;
2643
0
    struct dsa_signature sig;
2644
0
    bigint_t y;
2645
0
    size_t bits;
2646
2647
    /* DSA is currently being defined as sunset with the
2648
       * current draft of FIPS 186-5 */
2649
0
    not_approved = true;
2650
2651
0
    ret = _gnutls_decode_ber_rs(signature, &tmp[0], &tmp[1]);
2652
0
    if (ret < 0) {
2653
0
      gnutls_assert();
2654
0
      goto cleanup;
2655
0
    }
2656
0
    memset(&pub, 0, sizeof(pub));
2657
0
    _dsa_params_get(pk_params, &pub);
2658
0
    y = pk_params->params[DSA_Y];
2659
2660
0
    memcpy(sig.r, tmp[0], SIZEOF_MPZT);
2661
0
    memcpy(sig.s, tmp[1], SIZEOF_MPZT);
2662
2663
0
    _gnutls_dsa_q_to_hash(pk_params, &hash_len);
2664
2665
0
    if (hash_len > vdata->size)
2666
0
      hash_len = vdata->size;
2667
2668
0
    bits = mpz_sizeinbase(pub.p, 2);
2669
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
2670
2671
0
    ret = dsa_verify(&pub, TOMPZ(y), hash_len, vdata->data, &sig);
2672
0
    if (ret == 0) {
2673
0
      gnutls_assert();
2674
0
      ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
2675
0
    } else
2676
0
      ret = 0;
2677
2678
0
    break;
2679
0
  }
2680
0
#endif
2681
0
  case GNUTLS_PK_RSA: {
2682
0
    struct rsa_public_key pub;
2683
0
    size_t bits;
2684
2685
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
2686
0
    if (ret < 0) {
2687
0
      gnutls_assert();
2688
0
      goto cleanup;
2689
0
    }
2690
2691
0
    bits = mpz_sizeinbase(pub.n, 2);
2692
2693
0
    _gnutls_audit_data("pk::bits", CRAU_WORD, bits, NULL);
2694
2695
    /* In FIPS 140-3, RSA key size should be larger than 2048-bit.
2696
       * In addition to this, only SHA-2 is allowed
2697
       * for SigVer; it is checked in _pkcs1_rsa_verify_sig in
2698
       * lib/pubkey.c.
2699
       */
2700
0
    if (unlikely(bits < 2048)) {
2701
0
      not_approved = true;
2702
0
    }
2703
2704
0
    if (signature->size != pub.size) {
2705
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2706
0
      goto cleanup;
2707
0
    }
2708
2709
0
    ret = _gnutls_mpi_init_scan_nz(&tmp[0], signature->data,
2710
0
                 signature->size);
2711
0
    if (ret < 0) {
2712
0
      gnutls_assert();
2713
0
      goto cleanup;
2714
0
    }
2715
2716
0
    ret = rsa_pkcs1_verify(&pub, vdata->size, vdata->data,
2717
0
               TOMPZ(tmp[0]));
2718
0
    if (ret == 0)
2719
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2720
0
    else
2721
0
      ret = 0;
2722
2723
0
    break;
2724
0
  }
2725
0
  case GNUTLS_PK_RSA_PSS: {
2726
0
    struct rsa_public_key pub;
2727
0
    size_t bits;
2728
2729
0
    if ((sign_params->flags &
2730
0
         GNUTLS_PK_FLAG_RSA_PSS_FIXED_SALT_LENGTH) &&
2731
0
        sign_params->salt_size != vdata->size) {
2732
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2733
0
      goto cleanup;
2734
0
    }
2735
2736
0
    ret = _rsa_params_to_pubkey(pk_params, &pub);
2737
0
    if (ret < 0) {
2738
0
      gnutls_assert();
2739
0
      goto cleanup;
2740
0
    }
2741
2742
0
    bits = mpz_sizeinbase(pub.n, 2);
2743
2744
    /* RSA modulus size should be 2048-bit or larger in FIPS
2745
       * 140-3.  In addition to this, only SHA-2 are
2746
       * allowed for SigVer, while Nettle only supports
2747
       * SHA256, SHA384, and SHA512 for RSA-PSS (see
2748
       * _rsa_pss_verify_digest in this file for the details).
2749
       */
2750
0
    if (unlikely(bits < 2048)) {
2751
0
      not_approved = true;
2752
0
    }
2753
2754
0
    if (signature->size != pub.size) {
2755
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2756
0
      goto cleanup;
2757
0
    }
2758
2759
0
    ret = _gnutls_mpi_init_scan_nz(&tmp[0], signature->data,
2760
0
                 signature->size);
2761
0
    if (ret < 0) {
2762
0
      gnutls_assert();
2763
0
      goto cleanup;
2764
0
    }
2765
2766
0
    _gnutls_audit_data(
2767
0
      "pk::bits", CRAU_WORD, bits, "pk::hash", CRAU_STRING,
2768
0
      gnutls_digest_get_name(sign_params->rsa_pss_dig), NULL);
2769
2770
0
    ret = _rsa_pss_verify_digest(sign_params->rsa_pss_dig, &pub,
2771
0
               sign_params->salt_size,
2772
0
               vdata->data, vdata->size,
2773
0
               TOMPZ(tmp[0]));
2774
0
    if (ret == 0)
2775
0
      ret = gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED);
2776
0
    else
2777
0
      ret = 0;
2778
2779
0
    break;
2780
0
  }
2781
0
  case GNUTLS_PK_MLDSA44:
2782
0
  case GNUTLS_PK_MLDSA65:
2783
0
  case GNUTLS_PK_MLDSA87:
2784
0
    not_approved = true;
2785
0
    ret = ml_dsa_verify(algo, signature, vdata,
2786
0
            &pk_params->raw_pub);
2787
0
    if (ret < 0)
2788
0
      goto cleanup;
2789
0
    break;
2790
0
  default:
2791
0
    gnutls_assert();
2792
0
    ret = GNUTLS_E_INTERNAL_ERROR;
2793
0
    goto cleanup;
2794
0
  }
2795
2796
0
cleanup:
2797
0
  if (ret < 0) {
2798
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
2799
0
  } else if (not_approved) {
2800
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
2801
0
  } else {
2802
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
2803
0
  }
2804
2805
0
  _gnutls_mpi_release(&tmp[0]);
2806
0
  _gnutls_mpi_release(&tmp[1]);
2807
2808
0
  gnutls_audit_pop_context();
2809
2810
0
  FAIL_IF_LIB_ERROR;
2811
0
  return ret;
2812
0
}
2813
2814
static inline const struct ecc_curve *get_supported_nist_curve(int curve)
2815
0
{
2816
0
  switch (curve) {
2817
0
#ifdef ENABLE_NON_SUITEB_CURVES
2818
0
  case GNUTLS_ECC_CURVE_SECP192R1:
2819
0
    return nettle_get_secp_192r1();
2820
0
  case GNUTLS_ECC_CURVE_SECP224R1:
2821
0
    return nettle_get_secp_224r1();
2822
0
#endif
2823
0
  case GNUTLS_ECC_CURVE_SECP256R1:
2824
0
    return nettle_get_secp_256r1();
2825
0
  case GNUTLS_ECC_CURVE_SECP384R1:
2826
0
    return nettle_get_secp_384r1();
2827
0
  case GNUTLS_ECC_CURVE_SECP521R1:
2828
0
    return nettle_get_secp_521r1();
2829
0
  default:
2830
0
    return NULL;
2831
0
  }
2832
0
}
2833
2834
static inline const char *get_supported_nist_curve_order(int curve)
2835
0
{
2836
0
  static const struct {
2837
0
    int curve;
2838
0
    const char *order;
2839
0
  } orders[] = {
2840
0
#ifdef ENABLE_NON_SUITEB_CURVES
2841
0
    { GNUTLS_ECC_CURVE_SECP192R1, "ffffffffffffffffffffffff99def836"
2842
0
                "146bc9b1b4d22831" },
2843
0
    { GNUTLS_ECC_CURVE_SECP224R1, "ffffffffffffffffffffffffffff16a2"
2844
0
                "e0b8f03e13dd29455c5c2a3d" },
2845
0
#endif
2846
0
    { GNUTLS_ECC_CURVE_SECP256R1,
2847
0
      "ffffffff00000000ffffffffffffffff"
2848
0
      "bce6faada7179e84f3b9cac2fc632551" },
2849
0
    { GNUTLS_ECC_CURVE_SECP384R1,
2850
0
      "ffffffffffffffffffffffffffffffff"
2851
0
      "ffffffffffffffffc7634d81f4372ddf"
2852
0
      "581a0db248b0a77aecec196accc52973" },
2853
0
    { GNUTLS_ECC_CURVE_SECP521R1, "1fffffffffffffffffffffffffffffff"
2854
0
                "ffffffffffffffffffffffffffffffff"
2855
0
                "ffa51868783bf2f966b7fcc0148f709a"
2856
0
                "5d03bb5c9b8899c47aebb6fb71e91386"
2857
0
                "409" },
2858
0
  };
2859
0
  size_t i;
2860
0
2861
0
  for (i = 0; i < sizeof(orders) / sizeof(orders[0]); i++) {
2862
0
    if (orders[i].curve == curve)
2863
0
      return orders[i].order;
2864
0
  }
2865
0
  return NULL;
2866
0
}
2867
2868
static inline const char *get_supported_nist_curve_modulus(int curve)
2869
0
{
2870
0
  static const struct {
2871
0
    int curve;
2872
0
    const char *order;
2873
0
  } orders[] = {
2874
0
#ifdef ENABLE_NON_SUITEB_CURVES
2875
0
    { GNUTLS_ECC_CURVE_SECP192R1, "fffffffffffffffffffffffffffffffe"
2876
0
                "ffffffffffffffff" },
2877
0
    { GNUTLS_ECC_CURVE_SECP224R1, "ffffffffffffffffffffffffffffffff"
2878
0
                "000000000000000000000001" },
2879
0
#endif
2880
0
    { GNUTLS_ECC_CURVE_SECP256R1,
2881
0
      "ffffffff000000010000000000000000"
2882
0
      "00000000ffffffffffffffffffffffff" },
2883
0
    { GNUTLS_ECC_CURVE_SECP384R1,
2884
0
      "ffffffffffffffffffffffffffffffff"
2885
0
      "fffffffffffffffffffffffffffffffe"
2886
0
      "ffffffff0000000000000000ffffffff" },
2887
0
    { GNUTLS_ECC_CURVE_SECP521R1,
2888
0
      "1ff"
2889
0
      "ffffffffffffffffffffffffffffffff"
2890
0
      "ffffffffffffffffffffffffffffffff"
2891
0
      "ffffffffffffffffffffffffffffffff"
2892
0
      "ffffffffffffffffffffffffffffffff" },
2893
0
  };
2894
0
  size_t i;
2895
0
2896
0
  for (i = 0; i < sizeof(orders) / sizeof(orders[0]); i++) {
2897
0
    if (orders[i].curve == curve)
2898
0
      return orders[i].order;
2899
0
  }
2900
0
  return NULL;
2901
0
}
2902
2903
static inline const struct ecc_curve *get_supported_gost_curve(int curve)
2904
0
{
2905
0
  switch (curve) {
2906
0
#if ENABLE_GOST
2907
0
  case GNUTLS_ECC_CURVE_GOST256CPA:
2908
0
  case GNUTLS_ECC_CURVE_GOST256CPXA:
2909
0
  case GNUTLS_ECC_CURVE_GOST256B:
2910
0
    return nettle_get_gost_gc256b();
2911
0
  case GNUTLS_ECC_CURVE_GOST512A:
2912
0
    return nettle_get_gost_gc512a();
2913
0
#endif
2914
0
  default:
2915
0
    return NULL;
2916
0
  }
2917
0
}
2918
2919
static int _wrap_nettle_pk_curve_exists(gnutls_ecc_curve_t curve)
2920
0
{
2921
0
  switch (curve) {
2922
0
  case GNUTLS_ECC_CURVE_ED25519:
2923
0
  case GNUTLS_ECC_CURVE_X25519:
2924
0
  case GNUTLS_ECC_CURVE_ED448:
2925
0
  case GNUTLS_ECC_CURVE_X448:
2926
0
    return 1;
2927
0
  default:
2928
0
    return ((get_supported_nist_curve(curve) != NULL ||
2929
0
       get_supported_gost_curve(curve) != NULL) ?
2930
0
        1 :
2931
0
        0);
2932
0
  }
2933
0
}
2934
2935
static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk)
2936
0
{
2937
0
  switch (pk) {
2938
0
  case GNUTLS_PK_RSA:
2939
0
#ifdef ENABLE_DSA
2940
0
  case GNUTLS_PK_DSA:
2941
0
#endif
2942
0
  case GNUTLS_PK_DH:
2943
0
  case GNUTLS_PK_ECDSA:
2944
0
  case GNUTLS_PK_ECDH_X25519:
2945
0
  case GNUTLS_PK_RSA_PSS:
2946
0
  case GNUTLS_PK_RSA_OAEP:
2947
0
  case GNUTLS_PK_EDDSA_ED25519:
2948
0
#if ENABLE_GOST
2949
0
  case GNUTLS_PK_GOST_01:
2950
0
  case GNUTLS_PK_GOST_12_256:
2951
0
  case GNUTLS_PK_GOST_12_512:
2952
0
#endif
2953
0
  case GNUTLS_PK_ECDH_X448:
2954
0
  case GNUTLS_PK_EDDSA_ED448:
2955
0
    return 1;
2956
0
  case GNUTLS_PK_MLKEM768:
2957
0
  case GNUTLS_PK_MLKEM1024:
2958
0
    return ml_kem_exists(pk);
2959
0
  case GNUTLS_PK_MLDSA44:
2960
0
  case GNUTLS_PK_MLDSA65:
2961
0
  case GNUTLS_PK_MLDSA87:
2962
0
    return ml_dsa_exists(pk);
2963
0
  default:
2964
0
    return 0;
2965
0
  }
2966
0
}
2967
2968
static int _wrap_nettle_pk_sign_exists(gnutls_sign_algorithm_t sign)
2969
0
{
2970
0
  switch (sign) {
2971
0
  case GNUTLS_SIGN_RSA_SHA1:
2972
0
#ifdef ENABLE_DSA
2973
0
  case GNUTLS_SIGN_DSA_SHA1:
2974
0
#endif
2975
0
  case GNUTLS_SIGN_RSA_MD5:
2976
0
  case GNUTLS_SIGN_RSA_MD2:
2977
0
  case GNUTLS_SIGN_RSA_RMD160:
2978
0
  case GNUTLS_SIGN_RSA_SHA256:
2979
0
  case GNUTLS_SIGN_RSA_SHA384:
2980
0
  case GNUTLS_SIGN_RSA_SHA512:
2981
0
  case GNUTLS_SIGN_RSA_SHA224:
2982
0
#ifdef ENABLE_DSA
2983
0
  case GNUTLS_SIGN_DSA_SHA224:
2984
0
  case GNUTLS_SIGN_DSA_SHA256:
2985
0
#endif
2986
0
  case GNUTLS_SIGN_ECDSA_SHA1:
2987
0
  case GNUTLS_SIGN_ECDSA_SHA224:
2988
0
  case GNUTLS_SIGN_ECDSA_SHA256:
2989
0
  case GNUTLS_SIGN_ECDSA_SHA384:
2990
0
  case GNUTLS_SIGN_ECDSA_SHA512:
2991
0
#ifdef ENABLE_DSA
2992
0
  case GNUTLS_SIGN_DSA_SHA384:
2993
0
  case GNUTLS_SIGN_DSA_SHA512:
2994
0
#endif
2995
0
  case GNUTLS_SIGN_ECDSA_SHA3_224:
2996
0
  case GNUTLS_SIGN_ECDSA_SHA3_256:
2997
0
  case GNUTLS_SIGN_ECDSA_SHA3_384:
2998
0
  case GNUTLS_SIGN_ECDSA_SHA3_512:
2999
3000
0
#ifdef ENABLE_DSA
3001
0
  case GNUTLS_SIGN_DSA_SHA3_224:
3002
0
  case GNUTLS_SIGN_DSA_SHA3_256:
3003
0
  case GNUTLS_SIGN_DSA_SHA3_384:
3004
0
  case GNUTLS_SIGN_DSA_SHA3_512:
3005
0
#endif
3006
0
  case GNUTLS_SIGN_RSA_SHA3_224:
3007
0
  case GNUTLS_SIGN_RSA_SHA3_256:
3008
0
  case GNUTLS_SIGN_RSA_SHA3_384:
3009
0
  case GNUTLS_SIGN_RSA_SHA3_512:
3010
3011
0
  case GNUTLS_SIGN_RSA_PSS_SHA256:
3012
0
  case GNUTLS_SIGN_RSA_PSS_SHA384:
3013
0
  case GNUTLS_SIGN_RSA_PSS_SHA512:
3014
0
  case GNUTLS_SIGN_EDDSA_ED25519:
3015
0
  case GNUTLS_SIGN_RSA_RAW:
3016
3017
0
  case GNUTLS_SIGN_ECDSA_SECP256R1_SHA256:
3018
0
  case GNUTLS_SIGN_ECDSA_SECP384R1_SHA384:
3019
0
  case GNUTLS_SIGN_ECDSA_SECP521R1_SHA512:
3020
3021
0
  case GNUTLS_SIGN_RSA_PSS_RSAE_SHA256:
3022
0
  case GNUTLS_SIGN_RSA_PSS_RSAE_SHA384:
3023
0
  case GNUTLS_SIGN_RSA_PSS_RSAE_SHA512:
3024
3025
0
#if ENABLE_GOST
3026
0
  case GNUTLS_SIGN_GOST_94:
3027
0
  case GNUTLS_SIGN_GOST_256:
3028
0
  case GNUTLS_SIGN_GOST_512:
3029
0
#endif
3030
0
  case GNUTLS_SIGN_EDDSA_ED448:
3031
0
    return 1;
3032
0
  default:
3033
0
    return 0;
3034
0
  }
3035
0
}
3036
3037
/* Generates algorithm's parameters. That is:
3038
 *  For DSA: p, q, and g are generated.
3039
 *  For RSA: nothing
3040
 *  For ECDSA/EDDSA: nothing
3041
 */
3042
static int wrap_nettle_pk_generate_params(gnutls_pk_algorithm_t algo,
3043
            unsigned int level /*bits or curve */,
3044
            gnutls_pk_params_st *params)
3045
0
{
3046
0
  int ret;
3047
0
  unsigned int i, q_bits;
3048
3049
0
  FAIL_IF_LIB_ERROR;
3050
3051
0
  params->algo = algo;
3052
3053
0
  switch (algo) {
3054
0
#ifdef ENABLE_DSA
3055
0
  case GNUTLS_PK_DSA:
3056
0
#endif
3057
0
  case GNUTLS_PK_DH: {
3058
0
    struct dsa_params pub;
3059
0
    struct dss_params_validation_seeds cert;
3060
0
    unsigned index;
3061
3062
0
    dsa_params_init(&pub);
3063
3064
0
    if (GNUTLS_BITS_HAVE_SUBGROUP(level)) {
3065
0
      q_bits = GNUTLS_BITS_TO_SUBGROUP(level);
3066
0
      level = GNUTLS_BITS_TO_GROUP(level);
3067
0
    } else {
3068
0
      q_bits = _gnutls_pk_bits_to_subgroup_bits(level);
3069
0
    }
3070
3071
0
    if (q_bits == 0)
3072
0
      return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
3073
3074
0
    if (_gnutls_fips_mode_enabled() != 0 ||
3075
0
        params->pkflags & GNUTLS_PK_FLAG_PROVABLE) {
3076
0
      if (algo == GNUTLS_PK_DSA)
3077
0
        index = 1;
3078
0
      else
3079
0
        index = 2;
3080
3081
0
      if (params->palgo != 0 &&
3082
0
          params->palgo != GNUTLS_DIG_SHA384) {
3083
0
        ret = GNUTLS_E_INVALID_REQUEST;
3084
0
        goto dsa_fail;
3085
0
      }
3086
3087
0
      params->palgo = GNUTLS_DIG_SHA384;
3088
3089
0
      if (params->seed_size) {
3090
0
        ret = _dsa_generate_dss_pqg(&pub, &cert, index,
3091
0
                  params->seed_size,
3092
0
                  params->seed, NULL,
3093
0
                  NULL, level,
3094
0
                  q_bits);
3095
0
      } else {
3096
0
        ret = dsa_generate_dss_pqg(&pub, &cert, index,
3097
0
                 NULL,
3098
0
                 rnd_tmpkey_func,
3099
0
                 NULL, NULL, level,
3100
0
                 q_bits);
3101
0
      }
3102
0
      if (ret != 1 || HAVE_LIB_ERROR()) {
3103
0
        gnutls_assert();
3104
0
        ret = GNUTLS_E_PK_GENERATION_ERROR;
3105
0
        goto dsa_fail;
3106
0
      }
3107
3108
0
      if (cert.seed_length &&
3109
0
          cert.seed_length < sizeof(params->seed)) {
3110
0
        params->seed_size = cert.seed_length;
3111
0
        memcpy(params->seed, cert.seed,
3112
0
               cert.seed_length);
3113
0
      }
3114
3115
      /* verify the generated parameters */
3116
0
      ret = dsa_validate_dss_pqg(&pub, &cert, index);
3117
0
      if (ret != 1) {
3118
0
        gnutls_assert();
3119
0
        ret = GNUTLS_E_PK_GENERATION_ERROR;
3120
0
        goto dsa_fail;
3121
0
      }
3122
0
    } else {
3123
0
      if (q_bits < 160)
3124
0
        q_bits = 160;
3125
3126
0
      ret = dsa_generate_params(&pub, NULL, rnd_tmpkey_func,
3127
0
              NULL, NULL, level, q_bits);
3128
0
      if (ret != 1 || HAVE_LIB_ERROR()) {
3129
0
        gnutls_assert();
3130
0
        ret = GNUTLS_E_PK_GENERATION_ERROR;
3131
0
        goto dsa_fail;
3132
0
      }
3133
0
    }
3134
3135
0
    params->params_nr = 0;
3136
3137
0
    ret = _gnutls_mpi_init_multi(&params->params[DSA_P],
3138
0
               &params->params[DSA_Q],
3139
0
               &params->params[DSA_G], NULL);
3140
0
    if (ret < 0) {
3141
0
      gnutls_assert();
3142
0
      goto dsa_fail;
3143
0
    }
3144
0
    params->params_nr = 3;
3145
3146
0
    mpz_set(TOMPZ(params->params[DSA_P]), pub.p);
3147
0
    mpz_set(TOMPZ(params->params[DSA_Q]), pub.q);
3148
0
    mpz_set(TOMPZ(params->params[DSA_G]), pub.g);
3149
3150
0
    ret = 0;
3151
3152
0
  dsa_fail:
3153
0
    dsa_params_clear(&pub);
3154
3155
0
    if (ret < 0)
3156
0
      goto fail;
3157
3158
0
    break;
3159
0
  }
3160
0
  case GNUTLS_PK_RSA_PSS:
3161
0
  case GNUTLS_PK_RSA_OAEP:
3162
0
  case GNUTLS_PK_RSA:
3163
0
  case GNUTLS_PK_ECDSA:
3164
0
  case GNUTLS_PK_EDDSA_ED25519:
3165
0
  case GNUTLS_PK_EDDSA_ED448:
3166
0
  case GNUTLS_PK_ECDH_X25519:
3167
0
  case GNUTLS_PK_ECDH_X448:
3168
0
#if ENABLE_GOST
3169
0
  case GNUTLS_PK_GOST_01:
3170
0
  case GNUTLS_PK_GOST_12_256:
3171
0
  case GNUTLS_PK_GOST_12_512:
3172
0
#endif
3173
0
  case GNUTLS_PK_MLKEM768:
3174
0
  case GNUTLS_PK_MLDSA44:
3175
0
  case GNUTLS_PK_MLDSA65:
3176
0
  case GNUTLS_PK_MLDSA87:
3177
0
    break;
3178
0
  default:
3179
0
    gnutls_assert();
3180
0
    return GNUTLS_E_INVALID_REQUEST;
3181
0
  }
3182
3183
0
  FAIL_IF_LIB_ERROR;
3184
0
  return 0;
3185
3186
0
fail:
3187
3188
0
  for (i = 0; i < params->params_nr; i++) {
3189
0
    _gnutls_mpi_release(&params->params[i]);
3190
0
  }
3191
0
  params->params_nr = 0;
3192
3193
0
  FAIL_IF_LIB_ERROR;
3194
0
  return ret;
3195
0
}
3196
3197
#ifdef ENABLE_FIPS140
3198
int _gnutls_dh_generate_key(gnutls_dh_params_t dh_params,
3199
          gnutls_datum_t *priv_key, gnutls_datum_t *pub_key);
3200
3201
int _gnutls_dh_compute_key(gnutls_dh_params_t dh_params,
3202
         const gnutls_datum_t *priv_key,
3203
         const gnutls_datum_t *pub_key,
3204
         const gnutls_datum_t *peer_key, gnutls_datum_t *Z);
3205
3206
int _gnutls_ecdh_compute_key(gnutls_ecc_curve_t curve, const gnutls_datum_t *x,
3207
           const gnutls_datum_t *y, const gnutls_datum_t *k,
3208
           const gnutls_datum_t *peer_x,
3209
           const gnutls_datum_t *peer_y, gnutls_datum_t *Z);
3210
3211
int _gnutls_ecdh_generate_key(gnutls_ecc_curve_t curve, gnutls_datum_t *x,
3212
            gnutls_datum_t *y, gnutls_datum_t *k);
3213
3214
int _gnutls_dh_generate_key(gnutls_dh_params_t dh_params,
3215
          gnutls_datum_t *priv_key, gnutls_datum_t *pub_key)
3216
{
3217
  gnutls_pk_params_st params;
3218
  int ret;
3219
3220
  gnutls_pk_params_init(&params);
3221
  params.params[DH_P] = _gnutls_mpi_copy(dh_params->params[0]);
3222
  params.params[DH_G] = _gnutls_mpi_copy(dh_params->params[1]);
3223
3224
  params.params_nr = 5;
3225
  params.algo = GNUTLS_PK_DH;
3226
3227
  priv_key->data = NULL;
3228
  pub_key->data = NULL;
3229
3230
  ret = _gnutls_pk_generate_keys(GNUTLS_PK_DH, dh_params->q_bits, &params,
3231
               0);
3232
  if (ret < 0) {
3233
    return gnutls_assert_val(ret);
3234
  }
3235
3236
  ret = _gnutls_mpi_dprint_lz(params.params[DH_X], priv_key);
3237
  if (ret < 0) {
3238
    gnutls_assert();
3239
    goto fail;
3240
  }
3241
3242
  ret = _gnutls_mpi_dprint_lz(params.params[DH_Y], pub_key);
3243
  if (ret < 0) {
3244
    gnutls_assert();
3245
    goto fail;
3246
  }
3247
3248
  ret = 0;
3249
  goto cleanup;
3250
fail:
3251
  gnutls_free(pub_key->data);
3252
  gnutls_free(priv_key->data);
3253
cleanup:
3254
  gnutls_pk_params_clear(&params);
3255
  gnutls_pk_params_release(&params);
3256
  return ret;
3257
}
3258
3259
/* Note that the value of Z will have the leading bytes stripped if they are zero -
3260
 * which follows the TLS approach. */
3261
int _gnutls_dh_compute_key(gnutls_dh_params_t dh_params,
3262
         const gnutls_datum_t *priv_key,
3263
         const gnutls_datum_t *pub_key,
3264
         const gnutls_datum_t *peer_key, gnutls_datum_t *Z)
3265
{
3266
  gnutls_pk_params_st pub, priv;
3267
  int ret;
3268
3269
  gnutls_pk_params_init(&pub);
3270
  pub.params_nr = 5;
3271
  pub.algo = GNUTLS_PK_DH;
3272
3273
  gnutls_pk_params_init(&priv);
3274
  priv.params_nr = 5;
3275
  priv.algo = GNUTLS_PK_DH;
3276
3277
  if (_gnutls_mpi_init_scan_nz(&pub.params[DH_Y], peer_key->data,
3278
             peer_key->size) != 0) {
3279
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3280
    goto cleanup;
3281
  }
3282
3283
  priv.params[DH_P] = _gnutls_mpi_copy(dh_params->params[0]);
3284
  priv.params[DH_G] = _gnutls_mpi_copy(dh_params->params[1]);
3285
  if (dh_params->params[2])
3286
    priv.params[DH_Q] = _gnutls_mpi_copy(dh_params->params[2]);
3287
3288
  if (_gnutls_mpi_init_scan_nz(&priv.params[DH_X], priv_key->data,
3289
             priv_key->size) != 0) {
3290
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3291
    goto cleanup;
3292
  }
3293
3294
  Z->data = NULL;
3295
3296
  ret = _gnutls_pk_derive(GNUTLS_PK_DH, Z, &priv, &pub);
3297
  if (ret < 0) {
3298
    gnutls_assert();
3299
    goto cleanup;
3300
  }
3301
3302
  ret = 0;
3303
cleanup:
3304
  gnutls_pk_params_clear(&pub);
3305
  gnutls_pk_params_release(&pub);
3306
  gnutls_pk_params_clear(&priv);
3307
  gnutls_pk_params_release(&priv);
3308
  return ret;
3309
}
3310
3311
int _gnutls_ecdh_generate_key(gnutls_ecc_curve_t curve, gnutls_datum_t *x,
3312
            gnutls_datum_t *y, gnutls_datum_t *k)
3313
{
3314
  gnutls_pk_params_st params;
3315
  int ret;
3316
3317
  gnutls_pk_params_init(&params);
3318
  params.params_nr = 3;
3319
  params.curve = curve;
3320
  params.algo = GNUTLS_PK_ECDSA;
3321
3322
  x->data = NULL;
3323
  y->data = NULL;
3324
  k->data = NULL;
3325
3326
  ret = _gnutls_pk_generate_keys(GNUTLS_PK_ECDSA, curve, &params, 0);
3327
  if (ret < 0) {
3328
    return gnutls_assert_val(ret);
3329
  }
3330
3331
  ret = _gnutls_mpi_dprint_lz(params.params[ECC_X], x);
3332
  if (ret < 0) {
3333
    gnutls_assert();
3334
    goto fail;
3335
  }
3336
3337
  ret = _gnutls_mpi_dprint_lz(params.params[ECC_Y], y);
3338
  if (ret < 0) {
3339
    gnutls_assert();
3340
    goto fail;
3341
  }
3342
3343
  ret = _gnutls_mpi_dprint_lz(params.params[ECC_K], k);
3344
  if (ret < 0) {
3345
    gnutls_assert();
3346
    goto fail;
3347
  }
3348
3349
  ret = 0;
3350
  goto cleanup;
3351
fail:
3352
  gnutls_free(y->data);
3353
  gnutls_free(x->data);
3354
  gnutls_free(k->data);
3355
cleanup:
3356
  gnutls_pk_params_clear(&params);
3357
  gnutls_pk_params_release(&params);
3358
  return ret;
3359
}
3360
3361
int _gnutls_ecdh_compute_key(gnutls_ecc_curve_t curve, const gnutls_datum_t *x,
3362
           const gnutls_datum_t *y, const gnutls_datum_t *k,
3363
           const gnutls_datum_t *peer_x,
3364
           const gnutls_datum_t *peer_y, gnutls_datum_t *Z)
3365
{
3366
  gnutls_pk_params_st pub, priv;
3367
  int ret;
3368
3369
  gnutls_pk_params_init(&pub);
3370
  pub.params_nr = 3;
3371
  pub.algo = GNUTLS_PK_ECDSA;
3372
  pub.curve = curve;
3373
3374
  gnutls_pk_params_init(&priv);
3375
  priv.params_nr = 3;
3376
  priv.algo = GNUTLS_PK_ECDSA;
3377
  priv.curve = curve;
3378
3379
  if (_gnutls_mpi_init_scan_nz(&pub.params[ECC_Y], peer_y->data,
3380
             peer_y->size) != 0) {
3381
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3382
    goto cleanup;
3383
  }
3384
3385
  if (_gnutls_mpi_init_scan_nz(&pub.params[ECC_X], peer_x->data,
3386
             peer_x->size) != 0) {
3387
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3388
    goto cleanup;
3389
  }
3390
3391
  if (_gnutls_mpi_init_scan_nz(&priv.params[ECC_Y], y->data, y->size) !=
3392
      0) {
3393
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3394
    goto cleanup;
3395
  }
3396
3397
  if (_gnutls_mpi_init_scan_nz(&priv.params[ECC_X], x->data, x->size) !=
3398
      0) {
3399
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3400
    goto cleanup;
3401
  }
3402
3403
  if (_gnutls_mpi_init_scan_nz(&priv.params[ECC_K], k->data, k->size) !=
3404
      0) {
3405
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3406
    goto cleanup;
3407
  }
3408
3409
  Z->data = NULL;
3410
3411
  ret = _gnutls_pk_derive(GNUTLS_PK_ECDSA, Z, &priv, &pub);
3412
  if (ret < 0) {
3413
    gnutls_assert();
3414
    goto cleanup;
3415
  }
3416
3417
  ret = 0;
3418
cleanup:
3419
  gnutls_pk_params_clear(&pub);
3420
  gnutls_pk_params_release(&pub);
3421
  gnutls_pk_params_clear(&priv);
3422
  gnutls_pk_params_release(&priv);
3423
  return ret;
3424
}
3425
3426
static int pct_test(gnutls_pk_algorithm_t algo,
3427
        const gnutls_pk_params_st *params)
3428
{
3429
  int ret;
3430
  gnutls_datum_t sig = { NULL, 0 };
3431
  const char const_data[20] = "onetwothreefourfive";
3432
  const char const_data_sha256[32] = "onetwothreefourfivesixseveneigh";
3433
  const char const_data_sha384[48] =
3434
    "onetwothreefourfivesixseveneightnineteneleventw";
3435
  const char const_data_sha512[64] =
3436
    "onetwothreefourfivesixseveneightnineteneleventwelvethirteenfour";
3437
  gnutls_datum_t ddata, tmp = { NULL, 0 };
3438
  char gen_data[MAX_HASH_SIZE];
3439
  gnutls_x509_spki_st spki;
3440
3441
  ret = _gnutls_x509_spki_copy(&spki, &params->spki);
3442
  if (ret < 0) {
3443
    gnutls_assert();
3444
    goto cleanup;
3445
  }
3446
3447
  if (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_EC) {
3448
    unsigned hash_len;
3449
    const mac_entry_st *me;
3450
3451
    me = _gnutls_dsa_q_to_hash(params, &hash_len);
3452
    spki.dsa_dig = MAC_TO_DIG(me->id);
3453
    gnutls_rnd(GNUTLS_RND_NONCE, gen_data, hash_len);
3454
3455
    ddata.data = (void *)gen_data;
3456
    ddata.size = hash_len;
3457
  } else if (algo == GNUTLS_PK_GOST_01 || algo == GNUTLS_PK_GOST_12_256) {
3458
    ddata.data = (void *)const_data_sha256;
3459
    ddata.size = sizeof(const_data_sha256);
3460
  } else if (algo == GNUTLS_PK_GOST_12_512) {
3461
    ddata.data = (void *)const_data_sha512;
3462
    ddata.size = sizeof(const_data_sha512);
3463
  } else if (algo == GNUTLS_PK_RSA_PSS) {
3464
    if (spki.rsa_pss_dig == GNUTLS_DIG_UNKNOWN)
3465
      spki.rsa_pss_dig = GNUTLS_DIG_SHA256;
3466
3467
    switch (spki.rsa_pss_dig) {
3468
    case GNUTLS_DIG_SHA256:
3469
      ddata.data = (void *)const_data_sha256;
3470
      ddata.size = sizeof(const_data_sha256);
3471
      break;
3472
    case GNUTLS_DIG_SHA384:
3473
      ddata.data = (void *)const_data_sha384;
3474
      ddata.size = sizeof(const_data_sha384);
3475
      break;
3476
    case GNUTLS_DIG_SHA512:
3477
      ddata.data = (void *)const_data_sha512;
3478
      ddata.size = sizeof(const_data_sha512);
3479
      break;
3480
    default:
3481
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3482
      goto cleanup;
3483
    }
3484
  } else if (algo == GNUTLS_PK_RSA_OAEP) {
3485
    if (spki.rsa_oaep_dig == GNUTLS_DIG_UNKNOWN)
3486
      spki.rsa_oaep_dig = GNUTLS_DIG_SHA256;
3487
    ddata.data = (void *)const_data;
3488
    ddata.size = sizeof(const_data);
3489
  } else {
3490
    ddata.data = (void *)const_data;
3491
    ddata.size = sizeof(const_data);
3492
  }
3493
3494
  switch (algo) {
3495
  case GNUTLS_PK_RSA:
3496
    /* To comply with FIPS 140-3 IG 10.3.A, additional comment 1,
3497
     * Perform both key transport and signature PCTs for
3498
     * unrestricted RSA key.  */
3499
    ret = pct_test(GNUTLS_PK_RSA_OAEP, params);
3500
    if (ret < 0) {
3501
      gnutls_assert();
3502
      break;
3503
    }
3504
    ret = pct_test(GNUTLS_PK_RSA_PSS, params);
3505
    if (ret < 0) {
3506
      gnutls_assert();
3507
      break;
3508
    }
3509
    break;
3510
  case GNUTLS_PK_RSA_OAEP:
3511
    ret = _gnutls_pk_encrypt(GNUTLS_PK_RSA_OAEP, &sig, &ddata,
3512
           params, &spki);
3513
    if (ret < 0) {
3514
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3515
    }
3516
    if (ret == 0 && ddata.size == sig.size &&
3517
        memcmp(ddata.data, sig.data, sig.size) == 0) {
3518
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3519
    }
3520
    if (ret == 0 &&
3521
        _gnutls_pk_decrypt(algo, &tmp, &sig, params, &spki) < 0) {
3522
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3523
    }
3524
    if (ret == 0 &&
3525
        !(tmp.size == ddata.size &&
3526
          memcmp(tmp.data, ddata.data, tmp.size) == 0)) {
3527
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3528
    }
3529
    if (ret == 0 &&
3530
        _gnutls_pk_decrypt2(algo, &sig, tmp.data, tmp.size, params,
3531
          &spki) < 0) {
3532
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3533
    }
3534
    if (ret == 0 &&
3535
        !(tmp.size == ddata.size &&
3536
          memcmp(tmp.data, ddata.data, tmp.size) == 0)) {
3537
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3538
    }
3539
3540
    if (ret < 0) {
3541
      goto cleanup;
3542
    }
3543
3544
    free(sig.data);
3545
    sig.data = NULL;
3546
3547
    break;
3548
  case GNUTLS_PK_EC: /* we only do keys for ECDSA */
3549
  case GNUTLS_PK_EDDSA_ED25519:
3550
  case GNUTLS_PK_EDDSA_ED448:
3551
#ifdef ENABLE_DSA
3552
  case GNUTLS_PK_DSA:
3553
#endif
3554
  case GNUTLS_PK_RSA_PSS:
3555
  case GNUTLS_PK_GOST_01:
3556
  case GNUTLS_PK_GOST_12_256:
3557
  case GNUTLS_PK_GOST_12_512:
3558
  case GNUTLS_PK_MLDSA44:
3559
  case GNUTLS_PK_MLDSA65:
3560
  case GNUTLS_PK_MLDSA87:
3561
    ret = _gnutls_pk_sign(algo, &sig, &ddata, params, &spki);
3562
    if (ret < 0) {
3563
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3564
      goto cleanup;
3565
    }
3566
3567
    ret = _gnutls_pk_verify(algo, &ddata, &sig, params, &spki);
3568
    if (ret < 0) {
3569
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3570
      gnutls_assert();
3571
      goto cleanup;
3572
    }
3573
    break;
3574
  case GNUTLS_PK_DH: {
3575
    mpz_t y;
3576
3577
    /* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance
3578
       * of Pair-wise Consistency check, even if we only
3579
       * support ephemeral DH, as it is required by FIPS
3580
       * 140-3 IG 10.3.A.
3581
       *
3582
       * Use the private key, x, along with the generator g
3583
       * and prime modulus p included in the domain
3584
       * parameters associated with the key pair to compute
3585
       * g^x mod p. Compare the result to the public key, y.
3586
       */
3587
    mpz_init(y);
3588
    mpz_powm(y, TOMPZ(params->params[DSA_G]),
3589
       TOMPZ(params->params[DSA_X]),
3590
       TOMPZ(params->params[DSA_P]));
3591
    if (unlikely(mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) {
3592
      ret = gnutls_assert_val(GNUTLS_E_PK_GENERATION_ERROR);
3593
      mpz_clear(y);
3594
      goto cleanup;
3595
    }
3596
    mpz_clear(y);
3597
    break;
3598
  }
3599
  case GNUTLS_PK_ECDH_X25519:
3600
  case GNUTLS_PK_ECDH_X448:
3601
    break;
3602
  case GNUTLS_PK_MLKEM768:
3603
  case GNUTLS_PK_MLKEM1024:
3604
    if (!ml_kem_exists(algo)) {
3605
      ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
3606
      goto cleanup;
3607
    }
3608
    break;
3609
  default:
3610
    ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
3611
    goto cleanup;
3612
  }
3613
3614
  ret = 0;
3615
cleanup:
3616
  if (ret == GNUTLS_E_PK_GENERATION_ERROR) {
3617
    _gnutls_switch_lib_state(LIB_STATE_ERROR);
3618
  }
3619
  _gnutls_x509_spki_clear(&spki);
3620
  gnutls_free(sig.data);
3621
  gnutls_free(tmp.data);
3622
  return ret;
3623
}
3624
#endif
3625
3626
static inline int eddsa_public_key(gnutls_pk_algorithm_t algo, uint8_t *pub,
3627
           const uint8_t *priv)
3628
0
{
3629
0
  switch (algo) {
3630
0
  case GNUTLS_PK_EDDSA_ED25519:
3631
0
    ed25519_sha512_public_key(pub, priv);
3632
0
    return 0;
3633
0
  case GNUTLS_PK_EDDSA_ED448:
3634
0
    ed448_shake256_public_key(pub, priv);
3635
0
    return 0;
3636
0
  default:
3637
0
    return gnutls_assert_val(
3638
0
      GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
3639
0
  }
3640
0
}
3641
3642
static inline int edwards_curve_mul_g(gnutls_pk_algorithm_t algo, uint8_t *q,
3643
              const uint8_t *n)
3644
0
{
3645
0
  switch (algo) {
3646
0
  case GNUTLS_PK_ECDH_X25519:
3647
0
    curve25519_mul_g(q, n);
3648
0
    return 0;
3649
0
  case GNUTLS_PK_ECDH_X448:
3650
0
    curve448_mul_g(q, n);
3651
0
    return 0;
3652
0
  default:
3653
0
    return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
3654
0
  }
3655
0
}
3656
3657
static inline int dh_find_q(const gnutls_pk_params_st *pk_params, mpz_t q)
3658
0
{
3659
0
  gnutls_datum_t prime = { NULL, 0 };
3660
0
  gnutls_datum_t generator = { NULL, 0 };
3661
0
  uint8_t *data_q;
3662
0
  size_t n_q;
3663
0
  bigint_t _q;
3664
0
  int ret = 0;
3665
0
3666
0
  ret = _gnutls_mpi_dprint(pk_params->params[DSA_P], &prime);
3667
0
  if (ret < 0) {
3668
0
    gnutls_assert();
3669
0
    goto cleanup;
3670
0
  }
3671
0
3672
0
  ret = _gnutls_mpi_dprint(pk_params->params[DSA_G], &generator);
3673
0
  if (ret < 0) {
3674
0
    gnutls_assert();
3675
0
    goto cleanup;
3676
0
  }
3677
0
3678
0
  if (!_gnutls_dh_prime_match_fips_approved(
3679
0
        prime.data, prime.size, generator.data, generator.size,
3680
0
        &data_q, &n_q)) {
3681
0
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
3682
0
    goto cleanup;
3683
0
  }
3684
0
3685
0
  if (_gnutls_mpi_init_scan_nz(&_q, data_q, n_q) != 0) {
3686
0
    ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
3687
0
    goto cleanup;
3688
0
  }
3689
0
3690
0
  mpz_set(q, TOMPZ(_q));
3691
0
  _gnutls_mpi_release(&_q);
3692
0
3693
0
cleanup:
3694
0
  gnutls_free(prime.data);
3695
0
  gnutls_free(generator.data);
3696
0
3697
0
  return ret;
3698
0
}
3699
3700
/* To generate a DH key either q must be set in the params or
3701
 * level should be set to the number of required bits.
3702
 */
3703
static int
3704
wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
3705
           unsigned int level /*bits or curve */,
3706
           gnutls_pk_params_st *params, unsigned ephemeral
3707
           /*non-zero if they are ephemeral keys */)
3708
0
{
3709
0
  int ret;
3710
0
  unsigned int i;
3711
0
  unsigned rnd_level;
3712
0
  nettle_random_func *rnd_func;
3713
0
  bool not_approved = false;
3714
3715
0
  FAIL_IF_LIB_ERROR;
3716
3717
  /* check if the curve relates to the algorithm used */
3718
0
  if (IS_EC(algo) && gnutls_ecc_curve_get_pk(level) != algo) {
3719
0
    ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
3720
0
    goto cleanup;
3721
0
  }
3722
3723
0
  if (ephemeral) {
3724
0
    rnd_level = GNUTLS_RND_RANDOM;
3725
0
    rnd_func = rnd_tmpkey_func;
3726
0
  } else {
3727
0
    rnd_func = rnd_key_func;
3728
0
    rnd_level = GNUTLS_RND_KEY;
3729
0
  }
3730
3731
0
  _gnutls_audit_new_context_with_data("name", CRAU_STRING, "pk::generate",
3732
0
              "pk::algorithm", CRAU_STRING,
3733
0
              gnutls_pk_get_name(algo), NULL);
3734
3735
0
  switch (algo) {
3736
0
#ifdef ENABLE_DSA
3737
0
  case GNUTLS_PK_DSA:
3738
#ifdef ENABLE_FIPS140
3739
    if (_gnutls_fips_mode_enabled() != 0) {
3740
      struct dsa_params pub;
3741
      mpz_t x, y;
3742
3743
      /* DSA is currently being defined as sunset with the
3744
       * current draft of FIPS 186-5 */
3745
      not_approved = true;
3746
3747
      if (params->params[DSA_Q] == NULL) {
3748
        ret = gnutls_assert_val(
3749
          GNUTLS_E_INVALID_REQUEST);
3750
        goto cleanup;
3751
      }
3752
3753
      _dsa_params_get(params, &pub);
3754
3755
      mpz_init(x);
3756
      mpz_init(y);
3757
3758
      ret = dsa_generate_dss_keypair(&pub, y, x, NULL,
3759
                   rnd_func, NULL, NULL);
3760
      if (ret != 1 || HAVE_LIB_ERROR()) {
3761
        gnutls_assert();
3762
        ret = GNUTLS_E_PK_GENERATION_ERROR;
3763
        goto dsa_fail;
3764
      }
3765
3766
      ret = _gnutls_mpi_init_multi(&params->params[DSA_Y],
3767
                 &params->params[DSA_X],
3768
                 NULL);
3769
      if (ret < 0) {
3770
        gnutls_assert();
3771
        goto dsa_fail;
3772
      }
3773
3774
      mpz_set(TOMPZ(params->params[DSA_Y]), y);
3775
      mpz_set(TOMPZ(params->params[DSA_X]), x);
3776
      params->params_nr += 2;
3777
3778
    dsa_fail:
3779
      mpz_clear(x);
3780
      mpz_clear(y);
3781
3782
      if (ret < 0)
3783
        goto cleanup;
3784
3785
      break;
3786
    }
3787
#endif
3788
0
    FALLTHROUGH;
3789
0
#endif
3790
0
  case GNUTLS_PK_DH: {
3791
0
    struct dsa_params pub;
3792
0
    mpz_t r;
3793
0
    mpz_t x, y;
3794
0
    int max_tries;
3795
0
    unsigned have_q = 0;
3796
0
    mpz_t q;
3797
0
    mpz_t primesub1;
3798
0
    mpz_t ypowq;
3799
3800
0
    if (algo != params->algo) {
3801
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
3802
0
      goto cleanup;
3803
0
    }
3804
3805
0
    _dsa_params_get(params, &pub);
3806
3807
0
    if (params->params[DSA_Q] != NULL)
3808
0
      have_q = 1;
3809
3810
    /* This check is for the case !ENABLE_FIPS140 */
3811
0
    if (algo == GNUTLS_PK_DSA && have_q == 0) {
3812
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
3813
0
      goto cleanup;
3814
0
    }
3815
3816
0
    mpz_init(r);
3817
0
    mpz_init(x);
3818
0
    mpz_init(y);
3819
3820
0
    mpz_init(q);
3821
0
    mpz_init(primesub1);
3822
0
    mpz_init(ypowq);
3823
3824
0
    max_tries = 3;
3825
0
    do {
3826
0
      if (have_q) {
3827
0
        mpz_set(r, pub.q);
3828
0
        mpz_sub_ui(r, r, 2);
3829
0
        nettle_mpz_random(x, NULL, rnd_func, r);
3830
0
        mpz_add_ui(x, x, 1);
3831
0
      } else {
3832
0
        unsigned size = mpz_sizeinbase(pub.p, 2);
3833
0
        if (level == 0)
3834
0
          level = MIN(size,
3835
0
                DH_EXPONENT_SIZE(size));
3836
0
        nettle_mpz_random_size(x, NULL, rnd_func,
3837
0
                   level);
3838
3839
0
        if (level >= size)
3840
0
          mpz_mod(x, x, pub.p);
3841
0
      }
3842
3843
0
      mpz_powm(y, pub.g, x, pub.p);
3844
3845
0
      max_tries--;
3846
0
      if (max_tries <= 0) {
3847
0
        gnutls_assert();
3848
0
        ret = GNUTLS_E_RANDOM_FAILED;
3849
0
        goto dh_fail;
3850
0
      }
3851
3852
0
      if (HAVE_LIB_ERROR()) {
3853
0
        gnutls_assert();
3854
0
        ret = GNUTLS_E_LIB_IN_ERROR_STATE;
3855
0
        goto dh_fail;
3856
0
      }
3857
3858
0
    } while (mpz_cmp_ui(y, 1) == 0);
3859
3860
#ifdef ENABLE_FIPS140
3861
    if (_gnutls_fips_mode_enabled()) {
3862
      /* Perform FFC full public key validation checks
3863
         * according to SP800-56A (revision 3), 5.6.2.3.1.
3864
         */
3865
3866
      /* Step 1: 2 <= y <= p - 2 */
3867
      mpz_sub_ui(primesub1, pub.p, 1);
3868
3869
      if (mpz_cmp_ui(y, 2) < 0 ||
3870
          mpz_cmp(y, primesub1) >= 0) {
3871
        ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
3872
        goto dh_fail;
3873
      }
3874
3875
      /* Step 2: 1 = y^q mod p */
3876
      if (have_q)
3877
        mpz_set(q, pub.q);
3878
      else {
3879
        ret = dh_find_q(params, q);
3880
        if (ret < 0)
3881
          goto dh_fail;
3882
      }
3883
3884
      mpz_powm(ypowq, y, q, pub.p);
3885
      if (mpz_cmp_ui(ypowq, 1) != 0) {
3886
        ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
3887
        goto dh_fail;
3888
      }
3889
    }
3890
#endif
3891
3892
0
    ret = _gnutls_mpi_init_multi(&params->params[DSA_Y],
3893
0
               &params->params[DSA_X], NULL);
3894
0
    if (ret < 0) {
3895
0
      gnutls_assert();
3896
0
      goto dh_fail;
3897
0
    }
3898
3899
0
    mpz_set(TOMPZ(params->params[DSA_Y]), y);
3900
0
    mpz_set(TOMPZ(params->params[DSA_X]), x);
3901
0
    params->params_nr += 2;
3902
3903
0
    ret = 0;
3904
3905
0
  dh_fail:
3906
0
    mpz_clear(r);
3907
0
    mpz_clear(x);
3908
0
    mpz_clear(y);
3909
0
    mpz_clear(q);
3910
0
    mpz_clear(primesub1);
3911
0
    mpz_clear(ypowq);
3912
3913
0
    if (ret < 0)
3914
0
      goto cleanup;
3915
3916
0
    break;
3917
0
  }
3918
0
  case GNUTLS_PK_RSA_PSS:
3919
0
  case GNUTLS_PK_RSA_OAEP:
3920
0
  case GNUTLS_PK_RSA: {
3921
0
    struct rsa_public_key pub;
3922
0
    struct rsa_private_key priv;
3923
3924
0
    rsa_public_key_init(&pub);
3925
0
    rsa_private_key_init(&priv);
3926
3927
0
    mpz_set_ui(pub.e, 65537);
3928
3929
0
    if ((params->pkflags & GNUTLS_PK_FLAG_PROVABLE) ||
3930
0
        _gnutls_fips_mode_enabled() != 0) {
3931
0
      params->pkflags |= GNUTLS_PK_FLAG_PROVABLE;
3932
0
      if (params->palgo != 0 &&
3933
0
          params->palgo != GNUTLS_DIG_SHA384) {
3934
0
        ret = GNUTLS_E_INVALID_REQUEST;
3935
0
        goto rsa_fail;
3936
0
      }
3937
3938
0
      params->palgo = GNUTLS_DIG_SHA384;
3939
3940
0
      if (params->seed_size) {
3941
0
        ret = _rsa_generate_fips186_4_keypair(
3942
0
          &pub, &priv, params->seed_size,
3943
0
          params->seed, NULL, NULL, level);
3944
0
      } else {
3945
0
        unsigned retries = 0;
3946
        /* The provable RSA key generation process is deterministic
3947
           * but has an internal maximum iteration counter and when
3948
           * exceed will fail for certain random seeds. This is a very
3949
           * rare condition, but it nevertheless happens and even CI builds fail
3950
           * occasionally. When we generate the random seed internally, remediate
3951
           * by retrying a different seed on failure. */
3952
0
        do {
3953
0
          params->seed_size =
3954
0
            sizeof(params->seed);
3955
0
          ret = rsa_generate_fips186_4_keypair(
3956
0
            &pub, &priv, NULL, rnd_func,
3957
0
            NULL, NULL, &params->seed_size,
3958
0
            params->seed, level);
3959
0
        } while (ret != 1 && ++retries < 3);
3960
0
      }
3961
0
    } else {
3962
0
      not_approved = true;
3963
3964
0
      ret = rsa_generate_keypair(&pub, &priv, NULL, rnd_func,
3965
0
               NULL, NULL, level, 0);
3966
0
    }
3967
0
    if (ret != 1 || HAVE_LIB_ERROR()) {
3968
0
      gnutls_assert();
3969
0
      ret = GNUTLS_E_PK_GENERATION_ERROR;
3970
0
      goto rsa_fail;
3971
0
    }
3972
3973
0
    params->params_nr = 0;
3974
0
    for (i = 0; i < RSA_PRIVATE_PARAMS; i++) {
3975
0
      ret = _gnutls_mpi_init(&params->params[i]);
3976
0
      if (ret < 0) {
3977
0
        gnutls_assert();
3978
0
        goto rsa_fail;
3979
0
      }
3980
0
      params->params_nr++;
3981
0
    }
3982
3983
    /* In FIPS 140-3, pub.n should be 2048-bit or larger; it
3984
       * is assured in rsa_generate_fips186_4_keypair in
3985
       * lib/nettle/int/rsa-keygen-fips186.c. */
3986
3987
0
    mpz_set(TOMPZ(params->params[RSA_MODULUS]), pub.n);
3988
0
    mpz_set(TOMPZ(params->params[RSA_PUB]), pub.e);
3989
0
    mpz_set(TOMPZ(params->params[RSA_PRIV]), priv.d);
3990
0
    mpz_set(TOMPZ(params->params[RSA_PRIME1]), priv.p);
3991
0
    mpz_set(TOMPZ(params->params[RSA_PRIME2]), priv.q);
3992
0
    mpz_set(TOMPZ(params->params[RSA_COEF]), priv.c);
3993
0
    mpz_set(TOMPZ(params->params[RSA_E1]), priv.a);
3994
0
    mpz_set(TOMPZ(params->params[RSA_E2]), priv.b);
3995
3996
0
    ret = 0;
3997
3998
0
  rsa_fail:
3999
0
    rsa_private_key_clear(&priv);
4000
0
    rsa_public_key_clear(&pub);
4001
4002
0
    if (ret < 0)
4003
0
      goto cleanup;
4004
4005
0
    break;
4006
0
  }
4007
0
  case GNUTLS_PK_EDDSA_ED25519:
4008
0
  case GNUTLS_PK_EDDSA_ED448: {
4009
0
    unsigned size = gnutls_ecc_curve_get_size(level);
4010
4011
0
    if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE) {
4012
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4013
0
      goto cleanup;
4014
0
    }
4015
4016
0
    if (unlikely(get_eddsa_curve(algo) != level)) {
4017
0
      ret = gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4018
0
      goto cleanup;
4019
0
    }
4020
4021
0
    if (size == 0) {
4022
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4023
0
      goto cleanup;
4024
0
    }
4025
4026
0
    params->curve = level;
4027
4028
0
    params->raw_priv.data = gnutls_malloc(size);
4029
0
    if (params->raw_priv.data == NULL) {
4030
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4031
0
      goto cleanup;
4032
0
    }
4033
4034
0
    params->raw_pub.data = gnutls_malloc(size);
4035
0
    if (params->raw_pub.data == NULL) {
4036
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4037
0
      goto cleanup;
4038
0
    }
4039
4040
0
    ret = gnutls_rnd(rnd_level, params->raw_priv.data, size);
4041
0
    if (ret < 0) {
4042
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4043
0
      goto cleanup;
4044
0
    }
4045
0
    params->raw_pub.size = size;
4046
0
    params->raw_priv.size = size;
4047
4048
0
    ret = eddsa_public_key(algo, params->raw_pub.data,
4049
0
               params->raw_priv.data);
4050
0
    if (ret < 0)
4051
0
      goto cleanup;
4052
4053
0
    break;
4054
0
  }
4055
0
  case GNUTLS_PK_ECDSA:
4056
0
    if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE)
4057
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4058
4059
0
    {
4060
0
      struct ecc_scalar key;
4061
0
      struct ecc_point pub;
4062
0
      const struct ecc_curve *curve;
4063
0
      struct ecc_scalar n;
4064
0
      struct ecc_scalar m;
4065
0
      struct ecc_point r;
4066
0
      mpz_t x, y, xx, yy, nn, mm;
4067
4068
0
      curve = get_supported_nist_curve(level);
4069
0
      if (curve == NULL) {
4070
0
        ret = gnutls_assert_val(
4071
0
          GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4072
0
        goto cleanup;
4073
0
      }
4074
4075
0
      _gnutls_audit_data("pk::curve", CRAU_STRING,
4076
0
             gnutls_ecc_curve_get_name(level),
4077
0
             NULL);
4078
4079
      /* P-192 is not supported in FIPS 140-3 */
4080
0
      if (level == GNUTLS_ECC_CURVE_SECP192R1) {
4081
0
        not_approved = true;
4082
0
      }
4083
4084
0
      mpz_init(x);
4085
0
      mpz_init(y);
4086
0
      mpz_init(xx);
4087
0
      mpz_init(yy);
4088
0
      mpz_init(nn);
4089
0
      mpz_init(mm);
4090
4091
0
      ecc_scalar_init(&key, curve);
4092
0
      ecc_point_init(&pub, curve);
4093
0
      ecc_scalar_init(&n, curve);
4094
0
      ecc_scalar_init(&m, curve);
4095
0
      ecc_point_init(&r, curve);
4096
4097
0
      ecdsa_generate_keypair(&pub, &key, NULL, rnd_func);
4098
0
      if (HAVE_LIB_ERROR()) {
4099
0
        ret = gnutls_assert_val(
4100
0
          GNUTLS_E_LIB_IN_ERROR_STATE);
4101
0
        goto ecc_fail;
4102
0
      }
4103
4104
0
      ret = _gnutls_mpi_init_multi(&params->params[ECC_X],
4105
0
                 &params->params[ECC_Y],
4106
0
                 &params->params[ECC_K],
4107
0
                 NULL);
4108
0
      if (ret < 0) {
4109
0
        gnutls_assert();
4110
0
        goto ecc_fail;
4111
0
      }
4112
4113
0
      params->curve = level;
4114
0
      params->params_nr = ECC_PRIVATE_PARAMS;
4115
4116
0
      ecc_point_get(&pub, x, y);
4117
4118
#ifdef ENABLE_FIPS140
4119
      if (_gnutls_fips_mode_enabled()) {
4120
        /* Perform ECC full public key validation checks
4121
         * according to SP800-56A (revision 3), 5.6.2.3.3.
4122
         */
4123
4124
        const char *order, *modulus;
4125
4126
        /* Step 1: verify that Q is not an identity
4127
         * element (an infinity point).  Note that this
4128
         * cannot happen in the nettle implementation,
4129
         * because it cannot represent an infinity point
4130
         * on curves. */
4131
        if (mpz_cmp_ui(x, 0) == 0 &&
4132
            mpz_cmp_ui(y, 0) == 0) {
4133
          ret = gnutls_assert_val(
4134
            GNUTLS_E_ILLEGAL_PARAMETER);
4135
          goto ecc_fail;
4136
        }
4137
4138
        /* Step 2: verify that both coordinates of Q are
4139
         * in the range [0, p - 1].
4140
         *
4141
         * Step 3: verify that Q lie on the curve
4142
         *
4143
         * Both checks are performed in nettle.  */
4144
        if (!ecc_point_set(&r, x, y)) {
4145
          ret = gnutls_assert_val(
4146
            GNUTLS_E_ILLEGAL_PARAMETER);
4147
          goto ecc_fail;
4148
        }
4149
4150
        /* Step 4: verify that n * Q, where n is the
4151
         * curve order, result in an identity element
4152
         *
4153
         * Since nettle internally cannot represent an
4154
         * identity element on curves, we validate this
4155
         * instead:
4156
         *
4157
         *   (n - 1) * Q = -Q
4158
         *
4159
         * That effectively means: n * Q = -Q + Q = O
4160
         */
4161
        order = get_supported_nist_curve_order(level);
4162
        if (unlikely(order == NULL)) {
4163
          ret = gnutls_assert_val(
4164
            GNUTLS_E_INTERNAL_ERROR);
4165
          goto ecc_fail;
4166
        }
4167
4168
        ret = mpz_set_str(nn, order, 16);
4169
        if (unlikely(ret < 0)) {
4170
          ret = gnutls_assert_val(
4171
            GNUTLS_E_MPI_SCAN_FAILED);
4172
          goto ecc_fail;
4173
        }
4174
4175
        modulus =
4176
          get_supported_nist_curve_modulus(level);
4177
        if (unlikely(modulus == NULL)) {
4178
          ret = gnutls_assert_val(
4179
            GNUTLS_E_INTERNAL_ERROR);
4180
          goto ecc_fail;
4181
        }
4182
4183
        ret = mpz_set_str(mm, modulus, 16);
4184
        if (unlikely(ret < 0)) {
4185
          ret = gnutls_assert_val(
4186
            GNUTLS_E_MPI_SCAN_FAILED);
4187
          goto ecc_fail;
4188
        }
4189
4190
        /* (n - 1) * Q = -Q */
4191
        mpz_sub_ui(nn, nn, 1);
4192
        ecc_scalar_set(&n, nn);
4193
        ecc_point_mul(&r, &n, &r);
4194
        ecc_point_get(&r, xx, yy);
4195
        mpz_sub(mm, mm, y);
4196
4197
        if (mpz_cmp(xx, x) != 0 ||
4198
            mpz_cmp(yy, mm) != 0) {
4199
          ret = gnutls_assert_val(
4200
            GNUTLS_E_ILLEGAL_PARAMETER);
4201
          goto ecc_fail;
4202
        }
4203
      } else {
4204
        not_approved = true;
4205
      }
4206
#endif
4207
4208
0
      mpz_set(TOMPZ(params->params[ECC_X]), x);
4209
0
      mpz_set(TOMPZ(params->params[ECC_Y]), y);
4210
4211
0
      ecc_scalar_get(&key, TOMPZ(params->params[ECC_K]));
4212
4213
0
      ret = 0;
4214
4215
0
    ecc_fail:
4216
0
      mpz_clear(x);
4217
0
      mpz_clear(y);
4218
0
      mpz_clear(xx);
4219
0
      mpz_clear(yy);
4220
0
      mpz_clear(nn);
4221
0
      mpz_clear(mm);
4222
0
      ecc_point_clear(&pub);
4223
0
      ecc_scalar_clear(&key);
4224
0
      ecc_point_clear(&r);
4225
0
      ecc_scalar_clear(&n);
4226
0
      ecc_scalar_clear(&m);
4227
4228
0
      if (ret < 0)
4229
0
        goto cleanup;
4230
4231
0
      break;
4232
0
    }
4233
0
#if ENABLE_GOST
4234
0
  case GNUTLS_PK_GOST_01:
4235
0
  case GNUTLS_PK_GOST_12_256:
4236
0
  case GNUTLS_PK_GOST_12_512:
4237
0
    if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE)
4238
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4239
4240
0
    {
4241
0
      struct ecc_scalar key;
4242
0
      struct ecc_point pub;
4243
0
      const struct ecc_curve *curve;
4244
0
      const mac_entry_st *me;
4245
4246
      /* GOST curves are not approved */
4247
0
      not_approved = true;
4248
4249
0
      curve = get_supported_gost_curve(level);
4250
0
      if (curve == NULL) {
4251
0
        ret = gnutls_assert_val(
4252
0
          GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4253
0
        goto cleanup;
4254
0
      }
4255
4256
0
      me = hash_to_entry(_gnutls_gost_digest(algo));
4257
0
      if (!me || me->output_size * 8 != ecc_bit_size(curve)) {
4258
0
        ret = gnutls_assert_val(
4259
0
          GNUTLS_E_INVALID_REQUEST);
4260
0
        goto cleanup;
4261
0
      }
4262
4263
0
      ecc_scalar_init(&key, curve);
4264
0
      ecc_point_init(&pub, curve);
4265
4266
0
      gostdsa_generate_keypair(&pub, &key, NULL,
4267
0
             rnd_key_func);
4268
0
      if (HAVE_LIB_ERROR()) {
4269
0
        ret = gnutls_assert_val(
4270
0
          GNUTLS_E_LIB_IN_ERROR_STATE);
4271
0
        goto ecc_fail;
4272
0
      }
4273
4274
0
      ret = _gnutls_mpi_init_multi(&params->params[GOST_X],
4275
0
                 &params->params[GOST_Y],
4276
0
                 &params->params[GOST_K],
4277
0
                 NULL);
4278
0
      if (ret < 0) {
4279
0
        gnutls_assert();
4280
0
        goto gost_fail;
4281
0
      }
4282
4283
0
      params->curve = level;
4284
0
      params->params_nr = GOST_PRIVATE_PARAMS;
4285
4286
0
      ecc_point_get(&pub, TOMPZ(params->params[GOST_X]),
4287
0
              TOMPZ(params->params[GOST_Y]));
4288
0
      ecc_scalar_get(&key, TOMPZ(params->params[GOST_K]));
4289
4290
0
      ret = 0;
4291
4292
0
    gost_fail:
4293
0
      ecc_point_clear(&pub);
4294
0
      ecc_scalar_clear(&key);
4295
4296
0
      if (ret < 0)
4297
0
        goto cleanup;
4298
4299
0
      break;
4300
0
    }
4301
0
#endif
4302
0
  case GNUTLS_PK_ECDH_X25519:
4303
0
  case GNUTLS_PK_ECDH_X448: {
4304
0
    unsigned size = gnutls_ecc_curve_get_size(level);
4305
4306
0
    not_approved = true;
4307
4308
0
    if (size == 0) {
4309
0
      ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4310
0
      goto cleanup;
4311
0
    }
4312
4313
0
    params->curve = level;
4314
4315
0
    params->raw_priv.data = gnutls_malloc(size);
4316
0
    if (params->raw_priv.data == NULL) {
4317
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4318
0
      goto cleanup;
4319
0
    }
4320
4321
0
    params->raw_pub.data = gnutls_malloc(size);
4322
0
    if (params->raw_pub.data == NULL) {
4323
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4324
0
      goto cleanup;
4325
0
    }
4326
4327
0
    ret = gnutls_rnd(rnd_level, params->raw_priv.data, size);
4328
0
    if (ret < 0) {
4329
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4330
0
      goto cleanup;
4331
0
    }
4332
0
    params->raw_pub.size = size;
4333
0
    params->raw_priv.size = size;
4334
4335
0
    ret = edwards_curve_mul_g(algo, params->raw_pub.data,
4336
0
            params->raw_priv.data);
4337
0
    if (ret < 0)
4338
0
      goto cleanup;
4339
0
    break;
4340
0
  }
4341
0
  case GNUTLS_PK_MLKEM768:
4342
0
  case GNUTLS_PK_MLKEM1024:
4343
0
    not_approved = true;
4344
0
    ret = ml_kem_generate_keypair(algo, &params->raw_priv,
4345
0
                &params->raw_pub);
4346
0
    if (ret < 0)
4347
0
      goto cleanup;
4348
0
    break;
4349
0
  case GNUTLS_PK_MLDSA44:
4350
0
  case GNUTLS_PK_MLDSA65:
4351
0
  case GNUTLS_PK_MLDSA87:
4352
0
    if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE)
4353
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4354
4355
0
    not_approved = true;
4356
4357
0
    if (!(params->pkflags & GNUTLS_PK_FLAG_EXPAND_KEYS_FROM_SEED)) {
4358
0
      _gnutls_free_key_datum(&params->raw_seed);
4359
0
      params->raw_seed.data = gnutls_malloc(32);
4360
0
      params->raw_seed.size = 32;
4361
0
      ret = gnutls_rnd(GNUTLS_RND_KEY, params->raw_seed.data,
4362
0
           params->raw_seed.size);
4363
0
      if (ret < 0)
4364
0
        goto cleanup;
4365
0
    }
4366
4367
0
    ret = ml_dsa_generate_keypair(algo, &params->raw_priv,
4368
0
                &params->raw_pub,
4369
0
                &params->raw_seed);
4370
0
    if (ret < 0)
4371
0
      goto cleanup;
4372
0
    break;
4373
0
  default:
4374
0
    gnutls_assert();
4375
0
    return GNUTLS_E_INVALID_REQUEST;
4376
0
  }
4377
4378
0
  params->algo = algo;
4379
4380
#ifdef ENABLE_FIPS140
4381
  if (_gnutls_fips_mode_enabled()) {
4382
    ret = pct_test(algo, params);
4383
    if (ret < 0) {
4384
      gnutls_assert();
4385
      goto cleanup;
4386
    }
4387
  }
4388
#endif
4389
4390
0
cleanup:
4391
0
  if (ret < 0) {
4392
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
4393
0
    for (i = 0; i < params->params_nr; i++) {
4394
0
      _gnutls_mpi_release(&params->params[i]);
4395
0
    }
4396
0
    params->params_nr = 0;
4397
0
    gnutls_free(params->raw_priv.data);
4398
0
    gnutls_free(params->raw_pub.data);
4399
0
  } else if (not_approved) {
4400
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
4401
0
  } else {
4402
0
    _gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
4403
0
  }
4404
4405
0
  gnutls_audit_pop_context();
4406
4407
0
  FAIL_IF_LIB_ERROR;
4408
0
  return ret;
4409
0
}
4410
4411
static int wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo,
4412
               const gnutls_pk_params_st *params)
4413
0
{
4414
0
  int ret;
4415
4416
0
  switch (algo) {
4417
0
  case GNUTLS_PK_RSA:
4418
0
  case GNUTLS_PK_RSA_PSS:
4419
0
  case GNUTLS_PK_RSA_OAEP: {
4420
0
    bigint_t t1 = NULL, t2 = NULL;
4421
4422
0
    if (params->params_nr != RSA_PRIVATE_PARAMS)
4423
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4424
4425
0
    ret = _gnutls_mpi_init_multi(&t1, &t2, NULL);
4426
0
    if (ret < 0)
4427
0
      return gnutls_assert_val(ret);
4428
4429
0
    _gnutls_mpi_mulm(t1, params->params[RSA_PRIME1],
4430
0
         params->params[RSA_PRIME2],
4431
0
         params->params[RSA_MODULUS]);
4432
0
    if (_gnutls_mpi_cmp_ui(t1, 0) != 0) {
4433
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4434
0
      goto rsa_cleanup;
4435
0
    }
4436
4437
0
    if (!mpz_invert(TOMPZ(t1), TOMPZ(params->params[RSA_PRIME2]),
4438
0
        TOMPZ(params->params[RSA_PRIME1]))) {
4439
0
      ret = gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
4440
0
      goto rsa_cleanup;
4441
0
    }
4442
0
    if (_gnutls_mpi_cmp(t1, params->params[RSA_COEF]) != 0) {
4443
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4444
0
      goto rsa_cleanup;
4445
0
    }
4446
4447
    /* [RSA_PRIME1] = d % p-1, [RSA_PRIME2] = d % q-1 */
4448
0
    _gnutls_mpi_sub_ui(t1, params->params[RSA_PRIME1], 1);
4449
0
    ret = _gnutls_mpi_modm(t2, params->params[RSA_PRIV], t1);
4450
0
    if (ret < 0) {
4451
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4452
0
      goto rsa_cleanup;
4453
0
    }
4454
4455
0
    if (_gnutls_mpi_cmp(params->params[RSA_E1], t2) != 0) {
4456
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4457
0
      goto rsa_cleanup;
4458
0
    }
4459
4460
0
    _gnutls_mpi_sub_ui(t1, params->params[RSA_PRIME2], 1);
4461
4462
0
    ret = _gnutls_mpi_modm(t2, params->params[RSA_PRIV], t1);
4463
0
    if (ret < 0) {
4464
0
      ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4465
0
      goto rsa_cleanup;
4466
0
    }
4467
4468
0
    if (_gnutls_mpi_cmp(params->params[RSA_E2], t2) != 0) {
4469
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4470
0
      goto rsa_cleanup;
4471
0
    }
4472
4473
0
    ret = 0;
4474
4475
0
  rsa_cleanup:
4476
0
    zrelease_mpi_key(&t1);
4477
0
    zrelease_mpi_key(&t2);
4478
0
  }
4479
4480
0
  break;
4481
0
#ifdef ENABLE_DSA
4482
0
  case GNUTLS_PK_DSA:
4483
0
#endif
4484
0
  case GNUTLS_PK_DH: {
4485
0
    bigint_t t1 = NULL;
4486
4487
0
    if (params->params_nr != DSA_PRIVATE_PARAMS)
4488
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4489
4490
0
    ret = _gnutls_mpi_init(&t1);
4491
0
    if (ret < 0)
4492
0
      return gnutls_assert_val(ret);
4493
4494
0
    ret = _gnutls_mpi_powm(t1, params->params[DSA_G],
4495
0
               params->params[DSA_X],
4496
0
               params->params[DSA_P]);
4497
0
    if (ret < 0) {
4498
0
      gnutls_assert();
4499
0
      goto dsa_cleanup;
4500
0
    }
4501
4502
0
    if (_gnutls_mpi_cmp(t1, params->params[DSA_Y]) != 0) {
4503
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4504
0
      goto dsa_cleanup;
4505
0
    }
4506
4507
0
    ret = 0;
4508
4509
0
  dsa_cleanup:
4510
0
    zrelease_mpi_key(&t1);
4511
0
  }
4512
4513
0
  break;
4514
0
  case GNUTLS_PK_ECDSA: {
4515
0
    struct ecc_point r, pub;
4516
0
    struct ecc_scalar priv;
4517
0
    mpz_t x1, y1, x2, y2;
4518
0
    const struct ecc_curve *curve;
4519
4520
0
    if (params->params_nr != ECC_PRIVATE_PARAMS)
4521
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4522
4523
0
    curve = get_supported_nist_curve(params->curve);
4524
0
    if (curve == NULL)
4525
0
      return gnutls_assert_val(
4526
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4527
4528
0
    ret = _ecc_params_to_pubkey(params, &pub, curve);
4529
0
    if (ret < 0)
4530
0
      return gnutls_assert_val(ret);
4531
4532
0
    ret = _ecc_params_to_privkey(params, &priv, curve);
4533
0
    if (ret < 0) {
4534
0
      ecc_point_clear(&pub);
4535
0
      return gnutls_assert_val(ret);
4536
0
    }
4537
4538
0
    ecc_point_init(&r, curve);
4539
    /* verify that x,y lie on the curve */
4540
0
    ret = ecc_point_set(&r, TOMPZ(params->params[ECC_X]),
4541
0
            TOMPZ(params->params[ECC_Y]));
4542
0
    if (ret == 0) {
4543
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4544
0
      goto ecc_cleanup;
4545
0
    }
4546
0
    ecc_point_clear(&r);
4547
4548
0
    ecc_point_init(&r, curve);
4549
0
    ecc_point_mul_g(&r, &priv);
4550
4551
0
    mpz_init(x1);
4552
0
    mpz_init(y1);
4553
0
    ecc_point_get(&r, x1, y1);
4554
0
    ecc_point_zclear(&r);
4555
4556
0
    mpz_init(x2);
4557
0
    mpz_init(y2);
4558
0
    ecc_point_get(&pub, x2, y2);
4559
4560
    /* verify that k*(Gx,Gy)=(x,y) */
4561
0
    if (mpz_cmp(x1, x2) != 0 || mpz_cmp(y1, y2) != 0) {
4562
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4563
0
      goto ecc_cleanup;
4564
0
    }
4565
4566
0
    ret = 0;
4567
4568
0
  ecc_cleanup:
4569
0
    ecc_scalar_zclear(&priv);
4570
0
    ecc_point_clear(&pub);
4571
4572
0
    mpz_clear(x1);
4573
0
    mpz_clear(y1);
4574
0
    mpz_clear(x2);
4575
0
    mpz_clear(y2);
4576
0
  } break;
4577
0
  case GNUTLS_PK_EDDSA_ED25519:
4578
0
  case GNUTLS_PK_EDDSA_ED448: {
4579
0
    gnutls_ecc_curve_t curve;
4580
0
    const gnutls_ecc_curve_entry_st *e;
4581
0
    uint8_t pub[57]; /* can accommodate both curves */
4582
4583
0
    curve = get_eddsa_curve(algo);
4584
0
    e = _gnutls_ecc_curve_get_params(curve);
4585
0
    if (e == NULL)
4586
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4587
4588
0
    if (params->raw_pub.data == NULL) {
4589
0
      return 0; /* nothing to verify */
4590
0
    }
4591
4592
0
    if (params->raw_pub.size != e->size)
4593
0
      return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4594
4595
0
    ret = eddsa_public_key(algo, pub, params->raw_priv.data);
4596
0
    if (ret < 0)
4597
0
      return ret;
4598
4599
0
    if (memcmp(params->raw_pub.data, pub, e->size) != 0)
4600
0
      return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4601
4602
0
    ret = 0;
4603
0
    break;
4604
0
  }
4605
0
  case GNUTLS_PK_ECDH_X25519:
4606
0
  case GNUTLS_PK_ECDH_X448: {
4607
0
    gnutls_ecc_curve_t curve;
4608
0
    const gnutls_ecc_curve_entry_st *e;
4609
0
    uint8_t pub[57]; /* can accommodate both curves */
4610
4611
0
    curve = get_ecdh_curve(algo);
4612
0
    e = _gnutls_ecc_curve_get_params(curve);
4613
0
    if (e == NULL)
4614
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4615
4616
0
    if (params->raw_pub.data == NULL) {
4617
0
      return 0; /* nothing to verify */
4618
0
    }
4619
4620
0
    if (params->raw_pub.size != e->size)
4621
0
      return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4622
4623
0
    ret = edwards_curve_mul_g(algo, pub, params->raw_priv.data);
4624
0
    if (ret < 0)
4625
0
      return ret;
4626
4627
0
    if (memcmp(params->raw_pub.data, pub, e->size) != 0)
4628
0
      return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4629
4630
0
    ret = 0;
4631
0
    break;
4632
0
  }
4633
0
  case GNUTLS_PK_MLKEM768:
4634
0
  case GNUTLS_PK_MLKEM1024:
4635
0
    if (!ml_kem_exists(algo))
4636
0
      return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
4637
4638
0
    ret = 0;
4639
0
    break;
4640
0
  case GNUTLS_PK_MLDSA44:
4641
0
  case GNUTLS_PK_MLDSA65:
4642
0
  case GNUTLS_PK_MLDSA87: {
4643
0
    if (!ml_dsa_exists(algo))
4644
0
      return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
4645
4646
0
    ret = 0;
4647
0
    break;
4648
0
  }
4649
0
#if ENABLE_GOST
4650
0
  case GNUTLS_PK_GOST_01:
4651
0
  case GNUTLS_PK_GOST_12_256:
4652
0
  case GNUTLS_PK_GOST_12_512: {
4653
0
    struct ecc_point r, pub;
4654
0
    struct ecc_scalar priv;
4655
0
    mpz_t x1, y1, x2, y2;
4656
0
    const struct ecc_curve *curve;
4657
4658
0
    if (params->params_nr != GOST_PRIVATE_PARAMS)
4659
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4660
4661
0
    curve = get_supported_gost_curve(params->curve);
4662
0
    if (curve == NULL)
4663
0
      return gnutls_assert_val(
4664
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4665
4666
0
    ret = _gost_params_to_pubkey(params, &pub, curve);
4667
0
    if (ret < 0)
4668
0
      return gnutls_assert_val(ret);
4669
4670
0
    ret = _gost_params_to_privkey(params, &priv, curve);
4671
0
    if (ret < 0) {
4672
0
      ecc_point_clear(&pub);
4673
0
      return gnutls_assert_val(ret);
4674
0
    }
4675
4676
0
    ecc_point_init(&r, curve);
4677
    /* verify that x,y lie on the curve */
4678
0
    ret = gost_point_set(&r, TOMPZ(params->params[GOST_X]),
4679
0
             TOMPZ(params->params[GOST_Y]));
4680
0
    if (ret == 0) {
4681
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4682
0
      goto gost_cleanup;
4683
0
    }
4684
0
    ecc_point_clear(&r);
4685
4686
0
    ecc_point_init(&r, curve);
4687
0
    gost_point_mul_g(&r, &priv);
4688
4689
0
    mpz_init(x1);
4690
0
    mpz_init(y1);
4691
0
    ecc_point_get(&r, x1, y1);
4692
0
    ecc_point_zclear(&r);
4693
4694
0
    mpz_init(x2);
4695
0
    mpz_init(y2);
4696
0
    ecc_point_get(&pub, x2, y2);
4697
4698
    /* verify that k*(Gx,Gy)=(x,y) */
4699
0
    if (mpz_cmp(x1, x2) != 0 || mpz_cmp(y1, y2) != 0) {
4700
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4701
0
      goto gost_cleanup;
4702
0
    }
4703
4704
0
    ret = 0;
4705
4706
0
  gost_cleanup:
4707
0
    ecc_scalar_zclear(&priv);
4708
0
    ecc_point_clear(&pub);
4709
4710
0
    mpz_clear(x1);
4711
0
    mpz_clear(y1);
4712
0
    mpz_clear(x2);
4713
0
    mpz_clear(y2);
4714
0
  } break;
4715
0
#endif
4716
0
  default:
4717
0
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4718
0
  }
4719
4720
0
  return ret;
4721
0
}
4722
4723
static int wrap_nettle_pk_verify_pub_params(gnutls_pk_algorithm_t algo,
4724
              const gnutls_pk_params_st *params)
4725
0
{
4726
0
  int ret;
4727
4728
0
  switch (algo) {
4729
0
  case GNUTLS_PK_RSA:
4730
0
  case GNUTLS_PK_RSA_PSS:
4731
0
  case GNUTLS_PK_RSA_OAEP:
4732
0
#ifdef ENABLE_DSA
4733
0
  case GNUTLS_PK_DSA:
4734
0
#endif
4735
0
  case GNUTLS_PK_EDDSA_ED25519:
4736
0
  case GNUTLS_PK_EDDSA_ED448:
4737
0
    return 0;
4738
0
  case GNUTLS_PK_ECDSA: {
4739
    /* just verify that x and y lie on the curve */
4740
0
    struct ecc_point r, pub;
4741
0
    const struct ecc_curve *curve;
4742
4743
0
    if (params->params_nr != ECC_PUBLIC_PARAMS)
4744
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4745
4746
0
    curve = get_supported_nist_curve(params->curve);
4747
0
    if (curve == NULL)
4748
0
      return gnutls_assert_val(
4749
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4750
4751
0
    ret = _ecc_params_to_pubkey(params, &pub, curve);
4752
0
    if (ret < 0)
4753
0
      return gnutls_assert_val(ret);
4754
4755
0
    ecc_point_init(&r, curve);
4756
    /* verify that x,y lie on the curve */
4757
0
    ret = ecc_point_set(&r, TOMPZ(params->params[ECC_X]),
4758
0
            TOMPZ(params->params[ECC_Y]));
4759
0
    if (ret == 0) {
4760
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4761
0
      goto ecc_cleanup;
4762
0
    }
4763
0
    ecc_point_clear(&r);
4764
4765
0
    ret = 0;
4766
4767
0
  ecc_cleanup:
4768
0
    ecc_point_clear(&pub);
4769
0
  } break;
4770
0
#if ENABLE_GOST
4771
0
  case GNUTLS_PK_GOST_01:
4772
0
  case GNUTLS_PK_GOST_12_256:
4773
0
  case GNUTLS_PK_GOST_12_512: {
4774
    /* just verify that x and y lie on the curve */
4775
0
    struct ecc_point r, pub;
4776
0
    const struct ecc_curve *curve;
4777
4778
0
    if (params->params_nr != GOST_PUBLIC_PARAMS)
4779
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4780
4781
0
    curve = get_supported_gost_curve(params->curve);
4782
0
    if (curve == NULL)
4783
0
      return gnutls_assert_val(
4784
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4785
4786
0
    ret = _gost_params_to_pubkey(params, &pub, curve);
4787
0
    if (ret < 0)
4788
0
      return gnutls_assert_val(ret);
4789
4790
0
    ecc_point_init(&r, curve);
4791
    /* verify that x,y lie on the curve */
4792
0
    ret = ecc_point_set(&r, TOMPZ(params->params[GOST_X]),
4793
0
            TOMPZ(params->params[GOST_Y]));
4794
0
    if (ret == 0) {
4795
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
4796
0
      goto gost_cleanup;
4797
0
    }
4798
0
    ecc_point_clear(&r);
4799
4800
0
    ret = 0;
4801
4802
0
  gost_cleanup:
4803
0
    ecc_point_clear(&pub);
4804
0
  } break;
4805
0
#endif
4806
0
  default:
4807
0
    ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
4808
0
  }
4809
4810
0
  return ret;
4811
0
}
4812
4813
static int calc_rsa_exp(gnutls_pk_params_st *params)
4814
0
{
4815
0
  bigint_t tmp;
4816
0
  int ret;
4817
4818
0
  if (params->params_nr < RSA_PRIVATE_PARAMS - 2) {
4819
0
    gnutls_assert();
4820
0
    return GNUTLS_E_INTERNAL_ERROR;
4821
0
  }
4822
4823
0
  params->params[RSA_E1] = params->params[RSA_E2] = NULL;
4824
4825
0
  ret = _gnutls_mpi_init_multi(&tmp, &params->params[RSA_E1],
4826
0
             &params->params[RSA_E2], NULL);
4827
0
  if (ret < 0)
4828
0
    return gnutls_assert_val(ret);
4829
4830
  /* [6] = d % p-1, [7] = d % q-1 */
4831
0
  _gnutls_mpi_sub_ui(tmp, params->params[RSA_PRIME1], 1);
4832
0
  ret = _gnutls_mpi_modm(params->params[RSA_E1],
4833
0
             params->params[RSA_PRIV] /*d */, tmp);
4834
0
  if (ret < 0)
4835
0
    goto fail;
4836
4837
0
  _gnutls_mpi_sub_ui(tmp, params->params[RSA_PRIME2], 1);
4838
0
  ret = _gnutls_mpi_modm(params->params[RSA_E2],
4839
0
             params->params[RSA_PRIV] /*d */, tmp);
4840
0
  if (ret < 0)
4841
0
    goto fail;
4842
4843
0
  zrelease_mpi_key(&tmp);
4844
4845
0
  return 0;
4846
4847
0
fail:
4848
0
  zrelease_mpi_key(&tmp);
4849
0
  zrelease_mpi_key(&params->params[RSA_E1]);
4850
0
  zrelease_mpi_key(&params->params[RSA_E2]);
4851
4852
0
  return ret;
4853
0
}
4854
4855
static int calc_rsa_priv(gnutls_pk_params_st *params)
4856
0
{
4857
0
  bigint_t lcm, p1, q1;
4858
0
  int ret;
4859
4860
0
  params->params[RSA_PRIV] = NULL;
4861
4862
0
  ret = _gnutls_mpi_init_multi(&params->params[RSA_PRIV], &lcm, &p1, &q1,
4863
0
             NULL);
4864
0
  if (ret < 0)
4865
0
    return gnutls_assert_val(ret);
4866
4867
  /* lcm(p - 1, q - 1) */
4868
0
  mpz_sub_ui(p1, params->params[RSA_PRIME1], 1);
4869
0
  mpz_sub_ui(q1, params->params[RSA_PRIME2], 1);
4870
0
  mpz_lcm(lcm, p1, q1);
4871
4872
0
  zrelease_mpi_key(&p1);
4873
0
  zrelease_mpi_key(&q1);
4874
4875
  /* d = e^{-1} (mod lcm) */
4876
0
  ret = mpz_invert(params->params[RSA_PRIV], params->params[RSA_PUB],
4877
0
       lcm);
4878
4879
0
  zrelease_mpi_key(&lcm);
4880
4881
0
  if (ret == 0) {
4882
0
    zrelease_mpi_key(&params->params[RSA_PRIV]);
4883
0
    return GNUTLS_E_INVALID_REQUEST;
4884
0
  }
4885
4886
0
  return 0;
4887
0
}
4888
4889
#ifdef ENABLE_DSA
4890
static int calc_dsa_pub(gnutls_pk_params_st *params)
4891
0
{
4892
0
  int ret;
4893
4894
0
  params->params[DSA_Y] = NULL;
4895
4896
0
  ret = _gnutls_mpi_init(&params->params[DSA_Y]);
4897
0
  if (ret < 0)
4898
0
    return gnutls_assert_val(ret);
4899
4900
  /* y = g^x mod p */
4901
0
  ret = _gnutls_mpi_powm(params->params[DSA_Y], params->params[DSA_G],
4902
0
             params->params[DSA_X], params->params[DSA_P]);
4903
0
  if (ret < 0) {
4904
0
    zrelease_mpi_key(&params->params[DSA_Y]);
4905
0
    return gnutls_assert_val(ret);
4906
0
  }
4907
4908
0
  return 0;
4909
0
}
4910
#endif
4911
4912
static int wrap_nettle_pk_fixup(gnutls_pk_algorithm_t algo,
4913
        gnutls_direction_t direction,
4914
        gnutls_pk_params_st *params)
4915
0
{
4916
0
  int ret = 0;
4917
4918
0
  if (direction != GNUTLS_IMPORT)
4919
0
    return 0;
4920
4921
0
  switch (algo) {
4922
0
  case GNUTLS_PK_RSA: {
4923
0
    struct rsa_private_key priv;
4924
4925
0
    if (params->params[RSA_PRIV] == NULL) {
4926
0
      ret = calc_rsa_priv(params);
4927
0
      if (ret < 0)
4928
0
        return gnutls_assert_val(ret);
4929
0
      params->params_nr++;
4930
0
    }
4931
4932
    /* do not trust the generated values. Some old private keys
4933
     * generated by us have mess on the values. Those were very
4934
     * old but it seemed some of the shipped example private
4935
     * keys were as old.
4936
     */
4937
0
    if (params->params_nr < RSA_PRIVATE_PARAMS - 3)
4938
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
4939
4940
0
    if (params->params[RSA_COEF] == NULL) {
4941
0
      ret = _gnutls_mpi_init(&params->params[RSA_COEF]);
4942
0
      if (ret < 0)
4943
0
        return gnutls_assert_val(ret);
4944
0
    }
4945
4946
0
    if (mpz_cmp_ui(TOMPZ(params->params[RSA_PRIME1]), 0) == 0)
4947
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
4948
4949
0
    if (mpz_invert(TOMPZ(params->params[RSA_COEF]),
4950
0
             TOMPZ(params->params[RSA_PRIME2]),
4951
0
             TOMPZ(params->params[RSA_PRIME1])) == 0)
4952
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
4953
4954
    /* calculate exp1 [6] and exp2 [7] */
4955
0
    zrelease_mpi_key(&params->params[RSA_E1]);
4956
0
    zrelease_mpi_key(&params->params[RSA_E2]);
4957
4958
    /* marks RSA_COEF as present */
4959
0
    params->params_nr = RSA_PRIVATE_PARAMS - 2;
4960
0
    ret = calc_rsa_exp(params);
4961
0
    if (ret < 0)
4962
0
      return gnutls_assert_val(ret);
4963
4964
0
    params->params_nr = RSA_PRIVATE_PARAMS;
4965
4966
    /* perform nettle's internal checks */
4967
0
    _rsa_params_to_privkey(params, &priv);
4968
0
    ret = rsa_private_key_prepare(&priv);
4969
0
    if (ret == 0) {
4970
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
4971
0
    }
4972
0
    ret = 0;
4973
0
  } break;
4974
0
  case GNUTLS_PK_EDDSA_ED25519:
4975
0
  case GNUTLS_PK_EDDSA_ED448:
4976
0
    if (unlikely(get_eddsa_curve(algo) != params->curve))
4977
0
      return gnutls_assert_val(
4978
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
4979
4980
0
    if (params->raw_priv.data == NULL)
4981
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
4982
4983
0
    if (params->raw_pub.data == NULL) {
4984
0
      params->raw_pub.data =
4985
0
        gnutls_malloc(params->raw_priv.size);
4986
0
    }
4987
4988
0
    if (params->raw_pub.data == NULL)
4989
0
      return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
4990
4991
0
    ret = eddsa_public_key(algo, params->raw_pub.data,
4992
0
               params->raw_priv.data);
4993
0
    if (ret < 0) {
4994
0
      gnutls_free(params->raw_pub.data);
4995
0
      return ret;
4996
0
    }
4997
4998
0
    params->raw_pub.size = params->raw_priv.size;
4999
0
    break;
5000
5001
0
  case GNUTLS_PK_ECDH_X25519:
5002
0
  case GNUTLS_PK_ECDH_X448:
5003
0
    if (unlikely(get_ecdh_curve(algo) != params->curve))
5004
0
      return gnutls_assert_val(
5005
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
5006
5007
0
    if (params->raw_priv.data == NULL)
5008
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5009
5010
0
    if (params->raw_pub.data == NULL) {
5011
0
      params->raw_pub.data =
5012
0
        gnutls_malloc(params->raw_priv.size);
5013
0
    }
5014
5015
0
    if (params->raw_pub.data == NULL)
5016
0
      return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
5017
5018
0
    ret = edwards_curve_mul_g(algo, params->raw_pub.data,
5019
0
            params->raw_priv.data);
5020
0
    if (ret < 0) {
5021
0
      gnutls_free(params->raw_pub.data);
5022
0
      return ret;
5023
0
    }
5024
5025
0
    params->raw_pub.size = params->raw_priv.size;
5026
0
    break;
5027
5028
0
  case GNUTLS_PK_RSA_PSS:
5029
0
    if (params->params_nr < RSA_PRIVATE_PARAMS - 3)
5030
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5031
5032
0
    if (params->spki.rsa_pss_dig != 0) {
5033
0
      unsigned pub_size = nettle_mpz_sizeinbase_256_u(
5034
0
        TOMPZ(params->params[RSA_MODULUS]));
5035
      /* sanity check for private key */
5036
0
      CHECK_INVALID_RSA_PSS_PARAMS(
5037
0
        gnutls_hash_get_len(params->spki.rsa_pss_dig),
5038
0
        params->spki.salt_size, pub_size,
5039
0
        GNUTLS_E_PK_INVALID_PUBKEY_PARAMS);
5040
0
    }
5041
0
    break;
5042
5043
0
  case GNUTLS_PK_MLDSA44:
5044
0
  case GNUTLS_PK_MLDSA65:
5045
0
  case GNUTLS_PK_MLDSA87:
5046
0
    if (params->raw_priv.data == NULL)
5047
0
      return gnutls_assert_val(GNUTLS_E_PK_INVALID_PRIVKEY);
5048
5049
0
    if (params->raw_pub.data == NULL) {
5050
0
      ret = ml_dsa_privkey_to_pubkey(algo, &params->raw_priv,
5051
0
                   &params->raw_pub);
5052
0
      if (ret < 0) {
5053
0
        if (ret == GNUTLS_E_UNIMPLEMENTED_FEATURE) {
5054
0
          _gnutls_debug_log(
5055
0
            "Deriving public key from an ML-DSA private key is not implemented; ignoring the request\n");
5056
0
          return 0;
5057
0
        }
5058
0
        return gnutls_assert_val(ret);
5059
0
      }
5060
0
    }
5061
0
    break;
5062
5063
0
#ifdef ENABLE_DSA
5064
0
  case GNUTLS_PK_DSA:
5065
0
    if (params->params[DSA_Y] == NULL) {
5066
0
      ret = calc_dsa_pub(params);
5067
0
      if (ret < 0)
5068
0
        return gnutls_assert_val(ret);
5069
0
      params->params_nr++;
5070
0
    }
5071
0
    break;
5072
0
#endif
5073
0
#if ENABLE_GOST
5074
0
  case GNUTLS_PK_GOST_01:
5075
0
  case GNUTLS_PK_GOST_12_256:
5076
0
  case GNUTLS_PK_GOST_12_512: {
5077
0
    struct ecc_point r;
5078
0
    struct ecc_scalar priv;
5079
0
    const struct ecc_curve *curve;
5080
5081
0
    if (params->params_nr != GOST_PRIVATE_PARAMS)
5082
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
5083
5084
0
    curve = get_supported_gost_curve(params->curve);
5085
0
    if (curve == NULL)
5086
0
      return gnutls_assert_val(
5087
0
        GNUTLS_E_ECC_UNSUPPORTED_CURVE);
5088
5089
0
    if (ecc_bit_size(curve) <
5090
0
        _gnutls_mpi_get_nbits(params->params[GOST_K]))
5091
0
      gostdsa_unmask_key(curve,
5092
0
             TOMPZ(params->params[GOST_K]));
5093
5094
0
    ret = _gost_params_to_privkey(params, &priv, curve);
5095
0
    if (ret < 0) {
5096
0
      return gnutls_assert_val(ret);
5097
0
    }
5098
5099
0
    ecc_point_init(&r, curve);
5100
0
    gost_point_mul_g(&r, &priv);
5101
5102
0
    ecc_point_get(&r, params->params[GOST_X],
5103
0
            params->params[GOST_Y]);
5104
5105
0
    ecc_point_clear(&r);
5106
0
    ecc_scalar_clear(&priv);
5107
0
  } break;
5108
0
#endif
5109
0
  case GNUTLS_PK_EC:
5110
0
    if (params->params_nr == ECC_PRIVATE_PARAMS) {
5111
0
      return 0;
5112
0
    }
5113
0
    struct ecc_scalar s;
5114
0
    struct ecc_point p;
5115
0
    mpz_t pk, px, py;
5116
0
    gnutls_datum_t k = { NULL, 0 };
5117
0
    unsigned char exported_mpz_buf[MAX_PRIME_CURVE_COORD_SIZE] = {
5118
0
      0
5119
0
    };
5120
0
    uint8_t x_buf[MAX_PRIME_CURVE_COORD_SIZE] = { 0 };
5121
0
    uint8_t y_buf[MAX_PRIME_CURVE_COORD_SIZE] = { 0 };
5122
0
    size_t count = 0;
5123
5124
0
    const struct ecc_curve *ecc =
5125
0
      get_supported_nist_curve(params->curve);
5126
5127
0
    if (ecc == NULL) {
5128
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
5129
0
    }
5130
5131
0
    size_t coord_size = gnutls_ecc_curve_get_size(params->curve);
5132
0
    if (coord_size == 0) {
5133
0
      return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
5134
0
    }
5135
5136
0
    mpz_init(pk);
5137
0
    mpz_init(px);
5138
0
    mpz_init(py);
5139
5140
0
    ret = _gnutls_mpi_dprint(params->params[ECC_K], &k);
5141
0
    if (ret != 0) {
5142
0
      ret = gnutls_assert_val(ret);
5143
0
      goto cleanup;
5144
0
    }
5145
5146
0
    mpz_import(pk, k.size, 1, 1, 1, 0, k.data);
5147
5148
0
    ecc_scalar_init(&s, ecc);
5149
5150
0
    if (!ecc_scalar_set(&s, pk)) {
5151
0
      ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
5152
0
      goto cleanup;
5153
0
    }
5154
5155
0
    ecc_point_init(&p, ecc);
5156
0
    ecc_point_mul_g(&p, &s);
5157
0
    ecc_point_get(&p, px, py);
5158
5159
0
    mpz_export(exported_mpz_buf, &count, 1, 1, 1, 0, px);
5160
0
    memcpy(x_buf + (coord_size - count), exported_mpz_buf, count);
5161
5162
0
    zeroize_key(exported_mpz_buf, MAX_PRIME_CURVE_COORD_SIZE);
5163
0
    mpz_export(exported_mpz_buf, &count, 1, 1, 1, 0, py);
5164
0
    memcpy(y_buf + (coord_size - count), exported_mpz_buf, count);
5165
5166
0
    ret = _gnutls_mpi_init_scan(&params->params[ECC_X], x_buf,
5167
0
              coord_size);
5168
0
    if (ret != 0) {
5169
0
      ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
5170
0
      goto cleanup;
5171
0
    }
5172
0
    params->params_nr++;
5173
5174
0
    ret = _gnutls_mpi_init_scan(&params->params[ECC_Y], y_buf,
5175
0
              coord_size);
5176
0
    if (ret != 0) {
5177
0
      ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
5178
0
      goto cleanup;
5179
0
    }
5180
0
    params->params_nr++;
5181
5182
0
  cleanup:
5183
0
    ecc_point_clear(&p);
5184
0
    ecc_scalar_clear(&s);
5185
0
    mpz_clear(pk);
5186
0
    mpz_clear(px);
5187
0
    mpz_clear(py);
5188
5189
0
    _gnutls_free_key_datum(&k);
5190
0
    break;
5191
0
  default:
5192
0
    break;
5193
0
  }
5194
5195
0
  return ret;
5196
0
}
5197
5198
int crypto_pk_prio = INT_MAX;
5199
5200
gnutls_crypto_pk_st _gnutls_pk_ops = {
5201
  .encrypt = _wrap_nettle_pk_encrypt,
5202
  .decrypt = _wrap_nettle_pk_decrypt,
5203
  .decrypt2 = _wrap_nettle_pk_decrypt2,
5204
  .sign = _wrap_nettle_pk_sign,
5205
  .verify = _wrap_nettle_pk_verify,
5206
  .verify_priv_params = wrap_nettle_pk_verify_priv_params,
5207
  .verify_pub_params = wrap_nettle_pk_verify_pub_params,
5208
  .generate_params = wrap_nettle_pk_generate_params,
5209
  .generate_keys = wrap_nettle_pk_generate_keys,
5210
  .pk_fixup_private_params = wrap_nettle_pk_fixup,
5211
  .derive = _wrap_nettle_pk_derive,
5212
  .encaps = _wrap_nettle_pk_encaps,
5213
  .decaps = _wrap_nettle_pk_decaps,
5214
  .curve_exists = _wrap_nettle_pk_curve_exists,
5215
  .pk_exists = _wrap_nettle_pk_exists,
5216
  .sign_exists = _wrap_nettle_pk_sign_exists
5217
};