diff options
| author | Manuel Pégourié-Gonnard <mpg@elzevir.fr> | 2023-09-20 16:09:56 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-09-20 16:09:56 +0000 |
| commit | 5edb9427086a4cdc8e567bb8069db9d09a58e21b (patch) | |
| tree | 14440ef0ea24fa271a6a9e081fb03b18cfab3d68 /3rdparty | |
| parent | 5382ba6987f58089dd33eef07a17165b1f6e2574 (diff) | |
| parent | 3ec976c42c229b39858559ee45627a294293bebd (diff) | |
| download | mbedtls-5edb9427086a4cdc8e567bb8069db9d09a58e21b.zip mbedtls-5edb9427086a4cdc8e567bb8069db9d09a58e21b.tar.gz mbedtls-5edb9427086a4cdc8e567bb8069db9d09a58e21b.tar.bz2 | |
Merge pull request #8041 from mpg/tfm-p256m
Test TF-M config with p256-m driver
Diffstat (limited to '3rdparty')
| -rw-r--r-- | 3rdparty/p256-m/p256-m/p256-m.c | 45 | ||||
| -rw-r--r-- | 3rdparty/p256-m/p256-m/p256-m.h | 39 | ||||
| -rw-r--r-- | 3rdparty/p256-m/p256-m_driver_entrypoints.c | 184 | ||||
| -rw-r--r-- | 3rdparty/p256-m/p256-m_driver_entrypoints.h | 99 |
4 files changed, 301 insertions, 66 deletions
diff --git a/3rdparty/p256-m/p256-m/p256-m.c b/3rdparty/p256-m/p256-m/p256-m.c index 693cc6d..050ffa5 100644 --- a/3rdparty/p256-m/p256-m/p256-m.c +++ b/3rdparty/p256-m/p256-m/p256-m.c @@ -1466,4 +1466,49 @@ int p256_ecdsa_verify(const uint8_t sig[64], const uint8_t pub[64], return P256_INVALID_SIGNATURE; } +/********************************************************************** + * + * Key management utilities + * + **********************************************************************/ + +int p256_validate_pubkey(const uint8_t pub[64]) +{ + uint32_t x[8], y[8]; + int ret = point_from_bytes(x, y, pub); + + return ret == 0 ? P256_SUCCESS : P256_INVALID_PUBKEY; +} + +int p256_validate_privkey(const uint8_t priv[32]) +{ + uint32_t s[8]; + int ret = scalar_from_bytes(s, priv); + zeroize(s, sizeof(s)); + + return ret == 0 ? P256_SUCCESS : P256_INVALID_PRIVKEY; +} + +int p256_public_from_private(uint8_t pub[64], const uint8_t priv[32]) +{ + int ret; + uint32_t s[8]; + + ret = scalar_from_bytes(s, priv); + if (ret != 0) + return P256_INVALID_PRIVKEY; + + /* compute and ouput the associated public key */ + uint32_t x[8], y[8]; + scalar_mult(x, y, p256_gx, p256_gy, s); + + /* the associated public key is not a secret, the scalar was */ + CT_UNPOISON(x, 32); + CT_UNPOISON(y, 32); + zeroize(s, sizeof(s)); + + point_to_bytes(pub, x, y); + return P256_SUCCESS; +} + #endif diff --git a/3rdparty/p256-m/p256-m/p256-m.h b/3rdparty/p256-m/p256-m/p256-m.h index 398c846..28d319f 100644 --- a/3rdparty/p256-m/p256-m/p256-m.h +++ b/3rdparty/p256-m/p256-m/p256-m.h @@ -89,6 +89,45 @@ int p256_ecdsa_sign(uint8_t sig[64], const uint8_t priv[32], int p256_ecdsa_verify(const uint8_t sig[64], const uint8_t pub[64], const uint8_t *hash, size_t hlen); +/* + * Public key validation + * + * Note: you never need to call this function, as all other functions always + * validate their input; however it's availabe if you want to validate the key + * without performing an operation. + * + * [in] pub: the public key, as two big-endian integers + * + * return: P256_SUCCESS if the key is valid + * P256_INVALID_PUBKEY if pub is invalid + */ +int p256_validate_pubkey(const uint8_t pub[64]); + +/* + * Private key validation + * + * Note: you never need to call this function, as all other functions always + * validate their input; however it's availabe if you want to validate the key + * without performing an operation. + * + * [in] priv: the private key, as a big-endian integer + * + * return: P256_SUCCESS if the key is valid + * P256_INVALID_PRIVKEY if priv is invalid + */ +int p256_validate_privkey(const uint8_t priv[32]); + +/* + * Compute public key from private key + * + * [out] pub: the associated public key, as two big-endian integers + * [in] priv: the private key, as a big-endian integer + * + * return: P256_SUCCESS on success + * P256_INVALID_PRIVKEY if priv is invalid + */ +int p256_public_from_private(uint8_t pub[64], const uint8_t priv[32]); + #ifdef __cplusplus } #endif diff --git a/3rdparty/p256-m/p256-m_driver_entrypoints.c b/3rdparty/p256-m/p256-m_driver_entrypoints.c index 8828909..b2236e4 100644 --- a/3rdparty/p256-m/p256-m_driver_entrypoints.c +++ b/3rdparty/p256-m/p256-m_driver_entrypoints.c @@ -24,6 +24,7 @@ #include "psa/crypto.h" #include "psa_crypto_driver_wrappers.h" #include <stddef.h> +#include <string.h> #if defined(MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED) @@ -37,10 +38,20 @@ * total of 65 bytes. * * p256-m's internal format for private keys matches PSA. Its format for public - * keys is only 64 bytes; the same as PSA but without the leading byte (0x04). + * keys is only 64 bytes: the same as PSA but without the leading byte (0x04). * Hence, when passing public keys from PSA to p256-m, the leading byte is * removed. + * + * Shared secret and signature have the same format between PSA and p256-m. */ +#define PSA_PUBKEY_SIZE 65 +#define PSA_PUBKEY_HEADER_BYTE 0x04 +#define P256_PUBKEY_SIZE 64 +#define PRIVKEY_SIZE 32 +#define SHARED_SECRET_SIZE 32 +#define SIGNATURE_SIZE 64 + +#define CURVE_BITS 256 /* Convert between p256-m and PSA error codes */ static psa_status_t p256_to_psa_error(int ret) @@ -59,6 +70,83 @@ static psa_status_t p256_to_psa_error(int ret) } } +psa_status_t p256_transparent_import_key(const psa_key_attributes_t *attributes, + const uint8_t *data, + size_t data_length, + uint8_t *key_buffer, + size_t key_buffer_size, + size_t *key_buffer_length, + size_t *bits) +{ + /* Check the key size */ + if (*bits != 0 && *bits != CURVE_BITS) { + return PSA_ERROR_NOT_SUPPORTED; + } + + /* Validate the key (and its type and size) */ + psa_key_type_t type = psa_get_key_type(attributes); + if (type == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)) { + if (data_length != PSA_PUBKEY_SIZE) { + return *bits == 0 ? PSA_ERROR_NOT_SUPPORTED : PSA_ERROR_INVALID_ARGUMENT; + } + /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */ + if (p256_validate_pubkey(data + 1) != P256_SUCCESS) { + return PSA_ERROR_INVALID_ARGUMENT; + } + } else if (type == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) { + if (data_length != PRIVKEY_SIZE) { + return *bits == 0 ? PSA_ERROR_NOT_SUPPORTED : PSA_ERROR_INVALID_ARGUMENT; + } + if (p256_validate_privkey(data) != P256_SUCCESS) { + return PSA_ERROR_INVALID_ARGUMENT; + } + } else { + return PSA_ERROR_NOT_SUPPORTED; + } + *bits = CURVE_BITS; + + /* We only support the export format for input, so just copy. */ + if (key_buffer_size < data_length) { + return PSA_ERROR_BUFFER_TOO_SMALL; + } + memcpy(key_buffer, data, data_length); + *key_buffer_length = data_length; + + return PSA_SUCCESS; +} + +psa_status_t p256_transparent_export_public_key(const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + uint8_t *data, + size_t data_size, + size_t *data_length) +{ + /* Is this the right curve? */ + size_t bits = psa_get_key_bits(attributes); + psa_key_type_t type = psa_get_key_type(attributes); + if (bits != CURVE_BITS || type != PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) { + return PSA_ERROR_NOT_SUPPORTED; + } + + /* Validate sizes, as p256-m expects fixed-size buffers */ + if (key_buffer_size != PRIVKEY_SIZE) { + return PSA_ERROR_INVALID_ARGUMENT; + } + if (data_size < PSA_PUBKEY_SIZE) { + return PSA_ERROR_BUFFER_TOO_SMALL; + } + + /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */ + data[0] = PSA_PUBKEY_HEADER_BYTE; + int ret = p256_public_from_private(data + 1, key_buffer); + if (ret == P256_SUCCESS) { + *data_length = PSA_PUBKEY_SIZE; + } + + return p256_to_psa_error(ret); +} + psa_status_t p256_transparent_generate_key( const psa_key_attributes_t *attributes, uint8_t *key_buffer, @@ -69,13 +157,9 @@ psa_status_t p256_transparent_generate_key( * of driver entry-points. (void) used to avoid compiler warning. */ (void) attributes; - psa_status_t status = PSA_ERROR_NOT_SUPPORTED; - - /* - * p256-m generates a 32 byte private key, and expects to write to a buffer - * that is of that size. */ - if (key_buffer_size != 32) { - return status; + /* Validate sizes, as p256-m expects fixed-size buffers */ + if (key_buffer_size != PRIVKEY_SIZE) { + return PSA_ERROR_BUFFER_TOO_SMALL; } /* @@ -83,15 +167,14 @@ psa_status_t p256_transparent_generate_key( * keys. Allocate a buffer to which the public key will be written. The * private key will be written to key_buffer, which is passed to this * function as an argument. */ - uint8_t public_key_buffer[64]; + uint8_t public_key_buffer[P256_PUBKEY_SIZE]; - status = p256_to_psa_error( - p256_gen_keypair(key_buffer, public_key_buffer)); - if (status == PSA_SUCCESS) { - *key_buffer_length = 32; + int ret = p256_gen_keypair(key_buffer, public_key_buffer); + if (ret == P256_SUCCESS) { + *key_buffer_length = PRIVKEY_SIZE; } - return status; + return p256_to_psa_error(ret); } psa_status_t p256_transparent_key_agreement( @@ -111,25 +194,22 @@ psa_status_t p256_transparent_key_agreement( (void) attributes; (void) alg; - /* - * Check that private key = 32 bytes, peer public key = 65 bytes, - * and that the shared secret buffer is big enough. */ - psa_status_t status = PSA_ERROR_NOT_SUPPORTED; - if (key_buffer_size != 32 || shared_secret_size < 32 || - peer_key_length != 65) { - return status; + /* Validate sizes, as p256-m expects fixed-size buffers */ + if (key_buffer_size != PRIVKEY_SIZE || peer_key_length != PSA_PUBKEY_SIZE) { + return PSA_ERROR_INVALID_ARGUMENT; + } + if (shared_secret_size < SHARED_SECRET_SIZE) { + return PSA_ERROR_BUFFER_TOO_SMALL; } - /* We add 1 to peer_key pointer to omit the leading byte of the public key - * representation (0x04). See information about PSA key formats at the top - * of the file. */ - status = p256_to_psa_error( - p256_ecdh_shared_secret(shared_secret, key_buffer, peer_key+1)); - if (status == PSA_SUCCESS) { - *shared_secret_length = 32; + /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */ + const uint8_t *peer_key_p256m = peer_key + 1; + int ret = p256_ecdh_shared_secret(shared_secret, key_buffer, peer_key_p256m); + if (ret == P256_SUCCESS) { + *shared_secret_length = SHARED_SECRET_SIZE; } - return status; + return p256_to_psa_error(ret); } psa_status_t p256_transparent_sign_hash( @@ -149,21 +229,23 @@ psa_status_t p256_transparent_sign_hash( (void) attributes; (void) alg; - psa_status_t status = PSA_ERROR_NOT_SUPPORTED; - if (key_buffer_size != 32 || signature_size != 64) { - return status; + /* Validate sizes, as p256-m expects fixed-size buffers */ + if (key_buffer_size != PRIVKEY_SIZE) { + return PSA_ERROR_INVALID_ARGUMENT; + } + if (signature_size < SIGNATURE_SIZE) { + return PSA_ERROR_BUFFER_TOO_SMALL; } - status = p256_to_psa_error( - p256_ecdsa_sign(signature, key_buffer, hash, hash_length)); - if (status == PSA_SUCCESS) { - *signature_length = 64; + int ret = p256_ecdsa_sign(signature, key_buffer, hash, hash_length); + if (ret == P256_SUCCESS) { + *signature_length = SIGNATURE_SIZE; } - return status; + return p256_to_psa_error(ret); } -/* This function expects the key buffer to contain a 65 byte public key, +/* This function expects the key buffer to contain a PSA public key, * as exported by psa_export_public_key() */ static psa_status_t p256_verify_hash_with_public_key( const uint8_t *key_buffer, @@ -173,19 +255,19 @@ static psa_status_t p256_verify_hash_with_public_key( const uint8_t *signature, size_t signature_length) { - psa_status_t status = PSA_ERROR_NOT_SUPPORTED; - if (key_buffer_size != 65 || signature_length != 64 || *key_buffer != 0x04) { - return status; + /* Validate sizes, as p256-m expects fixed-size buffers */ + if (key_buffer_size != PSA_PUBKEY_SIZE || *key_buffer != PSA_PUBKEY_HEADER_BYTE) { + return PSA_ERROR_INVALID_ARGUMENT; + } + if (signature_length != SIGNATURE_SIZE) { + return PSA_ERROR_INVALID_SIGNATURE; } - /* We add 1 to public_key_buffer pointer to omit the leading byte of the - * public key representation (0x04). See information about PSA key formats - * at the top of the file. */ - const uint8_t *public_key_buffer = key_buffer + 1; - status = p256_to_psa_error( - p256_ecdsa_verify(signature, public_key_buffer, hash, hash_length)); + /* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */ + const uint8_t *public_key_p256m = key_buffer + 1; + int ret = p256_ecdsa_verify(signature, public_key_p256m, hash, hash_length); - return status; + return p256_to_psa_error(ret); } psa_status_t p256_transparent_verify_hash( @@ -203,10 +285,10 @@ psa_status_t p256_transparent_verify_hash( (void) alg; psa_status_t status; - uint8_t public_key_buffer[65]; - size_t public_key_buffer_size = 65; + uint8_t public_key_buffer[PSA_PUBKEY_SIZE]; + size_t public_key_buffer_size = PSA_PUBKEY_SIZE; - size_t public_key_length = 65; + size_t public_key_length = PSA_PUBKEY_SIZE; /* As p256-m doesn't require dynamic allocation, we want to avoid it in * the entrypoint functions as well. psa_driver_wrapper_export_public_key() * requires size_t*, so we use a pointer to a stack variable. */ diff --git a/3rdparty/p256-m/p256-m_driver_entrypoints.h b/3rdparty/p256-m/p256-m_driver_entrypoints.h index 9522ced..a509ba9 100644 --- a/3rdparty/p256-m/p256-m_driver_entrypoints.h +++ b/3rdparty/p256-m/p256-m_driver_entrypoints.h @@ -29,6 +29,66 @@ #include "psa/crypto_types.h" +/** Import SECP256R1 key. + * + * \param[in] attributes The attributes of the key to use for the + * operation. + * \param[in] data The raw key material. For private keys + * this must be a big-endian integer of 32 + * bytes; for public key this must be an + * uncompressed ECPoint (65 bytes). + * \param[in] data_length The size of the raw key material. + * \param[out] key_buffer The buffer to contain the key data in + * output format upon successful return. + * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. + * \param[out] key_buffer_length The length of the data written in \p + * key_buffer in bytes. + * \param[out] bits The bitsize of the key. + * + * \retval #PSA_SUCCESS + * Success. Keypair generated and stored in buffer. + * \retval #PSA_ERROR_NOT_SUPPORTED + * The input is not supported by this driver (not SECP256R1). + * \retval #PSA_ERROR_INVALID_ARGUMENT + * The input is invalid. + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * \p key_buffer_size is too small. + */ +psa_status_t p256_transparent_import_key(const psa_key_attributes_t *attributes, + const uint8_t *data, + size_t data_length, + uint8_t *key_buffer, + size_t key_buffer_size, + size_t *key_buffer_length, + size_t *bits); + +/** Export SECP256R1 public key, from the private key. + * + * \param[in] attributes The attributes of the key to use for the + * operation. + * \param[in] key_buffer The private key in the export format. + * \param[in] key_buffer_size The size of the private key in bytes. + * \param[out] data The buffer to contain the public key in + * the export format upon successful return. + * \param[in] data_size The size of the \p data buffer in bytes. + * \param[out] data_length The length written to \p data in bytes. + * + * \retval #PSA_SUCCESS + * Success. Keypair generated and stored in buffer. + * \retval #PSA_ERROR_NOT_SUPPORTED + * The input is not supported by this driver (not SECP256R1). + * \retval #PSA_ERROR_INVALID_ARGUMENT + * The input is invalid. + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * \p key_buffer_size is too small. + */ +psa_status_t p256_transparent_export_public_key(const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + uint8_t *data, + size_t data_size, + size_t *data_length); + /** Generate SECP256R1 ECC Key Pair. * Interface function which calls the p256-m key generation function and * places it in the key buffer provided by the caller (Mbed TLS) in the @@ -44,9 +104,10 @@ * * \retval #PSA_SUCCESS * Success. Keypair generated and stored in buffer. - * \retval #PSA_ERROR_NOT_SUPPORTED - * \retval #PSA_ERROR_GENERIC_ERROR - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * \p key_buffer_size is too small. + * \retval #PSA_ERROR_GENERIC_ERROR + * The internal RNG failed. */ psa_status_t p256_transparent_generate_key( const psa_key_attributes_t *attributes, @@ -72,9 +133,12 @@ psa_status_t p256_transparent_generate_key( * bytes. * \param[out] shared_secret_length On success, the number of bytes that * make up the returned shared secret. - * \retval #PSA_SUCCESS - * Success. Shared secret successfully calculated. - * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_SUCCESS + * Success. Shared secret successfully calculated. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * The input is invalid. + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * \p shared_secret_size is too small. */ psa_status_t p256_transparent_key_agreement( const psa_key_attributes_t *attributes, @@ -103,10 +167,14 @@ psa_status_t p256_transparent_key_agreement( * \param[out] signature_length On success, the number of bytes * that make up the returned signature value. * - * \retval #PSA_SUCCESS + * \retval #PSA_SUCCESS * Success. Hash was signed successfully. - * respectively of the key. - * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_ERROR_INVALID_ARGUMENT + * The input is invalid. + * \retval #PSA_ERROR_BUFFER_TOO_SMALL + * \p signature_size is too small. + * \retval #PSA_ERROR_GENERIC_ERROR + * The internal RNG failed. */ psa_status_t p256_transparent_sign_hash( const psa_key_attributes_t *attributes, @@ -142,12 +210,13 @@ psa_status_t p256_transparent_sign_hash( * \param[in] signature Buffer containing the signature to verify. * \param[in] signature_length Size of the \p signature buffer in bytes. * - * \retval #PSA_SUCCESS - * The signature is valid. - * \retval #PSA_ERROR_INVALID_SIGNATURE - * The calculation was performed successfully, but the passed - * signature is not a valid signature. - * \retval #PSA_ERROR_NOT_SUPPORTED + * \retval #PSA_SUCCESS + * The signature is valid. + * \retval #PSA_ERROR_INVALID_SIGNATURE + * The calculation was performed successfully, but the passed + * signature is not a valid signature. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * The input is invalid. */ psa_status_t p256_transparent_verify_hash( const psa_key_attributes_t *attributes, |