From 502da11df17c3d030e593158dbc3e4e108aa5dad Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 9 Feb 2022 15:33:15 +0100 Subject: [PATCH 01/10] Initialize PSA crypto in test_suite_pk pk_rsa_decrypt_test_vec() when USE_PSA_CRYPTO is enabled Signed-off-by: Neil Armstrong --- tests/suites/test_suite_pk.function | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 29f862257e..8eff010fd1 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -756,6 +756,8 @@ void pk_rsa_decrypt_test_vec( data_t * cipher, int mod, int radix_P, mbedtls_pk_context pk; size_t olen; + USE_PSA_INIT( ); + mbedtls_pk_init( &pk ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E ); @@ -794,6 +796,7 @@ exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E ); mbedtls_pk_free( &pk ); + USE_PSA_DONE( ); } /* END_CASE */ From 18f43c7304ed3b3b870537ac9ffeb043b94f1e15 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 9 Feb 2022 15:32:45 +0100 Subject: [PATCH 02/10] PK: RSA decrypt PSA wrap implementation Signed-off-by: Neil Armstrong --- library/pk_wrap.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index f7480c63bb..2d1c238eec 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c 
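Review bot: In `pk_rsa_decrypt_test_vec()` (PATCH 01/10) the added `USE_PSA_INIT( );` runs before `mbedtls_pk_init( &pk )` and the four `mbedtls_mpi_init()` calls, while the `exit:` label frees all five objects. The macro's definition is not part of this patch; if it can jump to `exit` when PSA initialisation fails, those free calls would run on uninitialised contexts. Placing `USE_PSA_INIT( );` after the `mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );` line keeps the exit path safe either way. The function body continues outside both hunks.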
@@ -212,6 +212,81 @@ static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, hash, sig ) ); } +#if defined(MBEDTLS_USE_PSA_CRYPTO) +static int rsa_decrypt_wrap( void *ctx, + const unsigned char *input, size_t ilen, + unsigned char *output, size_t *olen, size_t osize, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) +{ + mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_status_t status; + mbedtls_pk_context key; + int key_len; + /* see RSA_PRV_DER_MAX_BYTES in pkwrite.c */ + unsigned char buf[47 + 3 * MBEDTLS_MPI_MAX_SIZE + \ + 5 * ( MBEDTLS_MPI_MAX_SIZE / 2 + MBEDTLS_MPI_MAX_SIZE % 2 )]; + mbedtls_pk_info_t pk_info = mbedtls_rsa_info; + psa_algorithm_t psa_sig_md; + + ((void) f_rng); + ((void) p_rng); + +#if !defined(MBEDTLS_RSA_ALT) + switch( rsa->padding ) + { + case MBEDTLS_RSA_PKCS_V15: + psa_sig_md = PSA_ALG_RSA_PKCS1V15_CRYPT; + break; + + default: + return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + } +#else + psa_sig_md = PSA_ALG_RSA_PKCS1V15_CRYPT; +#endif + + if( ilen != mbedtls_rsa_get_len( rsa ) ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + + /* mbedtls_pk_write_key_der() expects a full PK context; + * re-construct one to make it happy */ + key.pk_info = &pk_info; + key.pk_ctx = ctx; + key_len = mbedtls_pk_write_key_der( &key, buf, sizeof( buf ) ); + if( key_len <= 0 ) + return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); + + psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_KEY_PAIR ); + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); + psa_set_key_algorithm( &attributes, psa_sig_md ); + + status = psa_import_key( &attributes, + buf + sizeof( buf ) - key_len, key_len, + &key_id ); + if( status != PSA_SUCCESS ) + { + ret = mbedtls_psa_err_translate_pk( status ); + goto cleanup; + } + + status = psa_asymmetric_decrypt( key_id, psa_sig_md, input, ilen, + 
NULL, 0, output, osize, olen); + if( status != PSA_SUCCESS ) + { + ret = mbedtls_psa_err_translate_pk( status ); + goto cleanup; + } + + ret = 0; + +cleanup: + psa_destroy_key( key_id ); + return( ret ); +} +#else static int rsa_decrypt_wrap( void *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, @@ -225,6 +300,7 @@ static int rsa_decrypt_wrap( void *ctx, return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng, olen, input, output, osize ) ); } +#endif static int rsa_encrypt_wrap( void *ctx, const unsigned char *input, size_t ilen, From f1b564bb8d4be5075a235c92f3142d50d9e85fc6 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 24 Feb 2022 15:17:47 +0100 Subject: [PATCH 03/10] Check psa_destroy_key() return in rsa_decrypt_wrap() Signed-off-by: Neil Armstrong --- library/pk_wrap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 2d1c238eec..66a62f82f6 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -283,7 +283,10 @@ static int rsa_decrypt_wrap( void *ctx, ret = 0; cleanup: - psa_destroy_key( key_id ); + status = psa_destroy_key( key_id ); + if( ret == 0 && status != PSA_SUCCESS ) + ret = mbedtls_psa_err_translate_pk( status ); + return( ret ); } #else From 0d46786034d3b31299e43a9706bfaafade25eb01 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 24 Feb 2022 15:18:05 +0100 Subject: [PATCH 04/10] Fix style issue in rsa_decrypt_wrap() Signed-off-by: Neil Armstrong --- library/pk_wrap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 66a62f82f6..9036e00bee 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -273,7 +273,7 @@ static int rsa_decrypt_wrap( void *ctx, } status = psa_asymmetric_decrypt( key_id, psa_sig_md, input, ilen, - NULL, 0, output, osize, olen); + NULL, 0, output, osize, olen ); if( status != PSA_SUCCESS ) { ret = mbedtls_psa_err_translate_pk( status ); 
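Review bot: The PSA variant of `rsa_decrypt_wrap()` added in PATCH 02/10 returns `MBEDTLS_ERR_RSA_INVALID_PADDING` for every padding mode other than `MBEDTLS_RSA_PKCS_V15`, while the `#else` variant, as far as its visible context shows, passes the context straight to `mbedtls_rsa_pkcs1_decrypt()`. The two builds may therefore disagree for a key configured with a different padding. With `MBEDTLS_RSA_ALT` defined the check is compiled out and `PSA_ALG_RSA_PKCS1V15_CRYPT` is used whatever the context says. If the restriction is intended, a comment above the `switch` would record it, e.g. `/* Only PKCS#1 v1.5 decryption is routed through PSA here; other paddings are rejected. */`. The same logic is kept by the simplification in PATCH 09/10.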
From f47135756c85868134acb5d2b2308c4d31e448cb Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 24 Feb 2022 15:23:42 +0100 Subject: [PATCH 05/10] Map INVALID_PADDING from PSA to MbedTLS error in rsa_decrypt_wrap() Signed-off-by: Neil Armstrong --- library/pk_wrap.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 9036e00bee..1735dd76e6 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -276,7 +276,14 @@ static int rsa_decrypt_wrap( void *ctx, NULL, 0, output, osize, olen ); if( status != PSA_SUCCESS ) { - ret = mbedtls_psa_err_translate_pk( status ); + if ( status == PSA_ERROR_INVALID_PADDING ) + { + ret = MBEDTLS_ERR_RSA_INVALID_PADDING; + } + else + { + ret = mbedtls_psa_err_translate_pk( status ); + } goto cleanup; } From b556a426561ef676ca309d3c336aab0138c1a9a6 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Fri, 25 Feb 2022 08:58:12 +0100 Subject: [PATCH 06/10] Use now shared RSA_PRV_DER_MAX_BYTES define in pk_wrap.c Signed-off-by: Neil Armstrong --- library/pk_wrap.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 1735dd76e6..33200782e8 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -225,9 +225,7 @@ static int rsa_decrypt_wrap( void *ctx, psa_status_t status; mbedtls_pk_context key; int key_len; - /* see RSA_PRV_DER_MAX_BYTES in pkwrite.c */ - unsigned char buf[47 + 3 * MBEDTLS_MPI_MAX_SIZE + \ - 5 * ( MBEDTLS_MPI_MAX_SIZE / 2 + MBEDTLS_MPI_MAX_SIZE % 2 )]; + unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES]; mbedtls_pk_info_t pk_info = mbedtls_rsa_info; psa_algorithm_t psa_sig_md; From e87804920a7100a7e12ff49fcb31962acc871422 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 3 Mar 2022 16:54:16 +0100 Subject: [PATCH 07/10] Use new PSA to mbedtls PK error mapping functions in rsa_decrypt_wrap() 
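Review bot: The branch added in PATCH 05/10 gives a PKCS#1 v1.5 padding failure its own return value, `MBEDTLS_ERR_RSA_INVALID_PADDING`, separate from every other decryption failure. A caller that lets a remote peer observe that difference provides a padding oracle, so the mapping deserves a comment such as `/* Callers must not reveal padding failures to the peer: handle every decrypt error identically. */`. As a style point, `if ( status == PSA_ERROR_INVALID_PADDING )` has a space after `if`, unlike the `if( status != PSA_SUCCESS )` form on the context line above it. The enclosing function starts and ends outside the hunk.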
Signed-off-by: Neil Armstrong --- library/pk_wrap.c | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 33200782e8..aad56a4d1c 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -266,7 +266,7 @@ static int rsa_decrypt_wrap( void *ctx, &key_id ); if( status != PSA_SUCCESS ) { - ret = mbedtls_psa_err_translate_pk( status ); + ret = mbedtls_pk_error_from_psa( status ); goto cleanup; } @@ -274,14 +274,7 @@ static int rsa_decrypt_wrap( void *ctx, NULL, 0, output, osize, olen ); if( status != PSA_SUCCESS ) { - if ( status == PSA_ERROR_INVALID_PADDING ) - { - ret = MBEDTLS_ERR_RSA_INVALID_PADDING; - } - else - { - ret = mbedtls_psa_err_translate_pk( status ); - } + ret = mbedtls_pk_error_from_psa_rsa( status ); goto cleanup; } @@ -290,7 +283,7 @@ static int rsa_decrypt_wrap( void *ctx, cleanup: status = psa_destroy_key( key_id ); if( ret == 0 && status != PSA_SUCCESS ) - ret = mbedtls_psa_err_translate_pk( status ); + ret = mbedtls_pk_error_from_psa( status ); return( ret ); } From 169e61add63d5ee2f5df158f10c7068204abd932 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Mon, 14 Mar 2022 14:26:49 +0100 Subject: [PATCH 08/10] Zeroise stack buffer containing private key Signed-off-by: Neil Armstrong --- library/pk_wrap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index aad56a4d1c..d5d57aa3b7 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -281,6 +281,7 @@ static int rsa_decrypt_wrap( void *ctx, ret = 0; cleanup: + mbedtls_platform_zeroize( buf, sizeof( buf ) ); status = psa_destroy_key( key_id ); if( ret == 0 && status != PSA_SUCCESS ) ret = mbedtls_pk_error_from_psa( status ); From 8e80504b46764c2a590a6290cccc5716ff51ea79 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 16 Mar 2022 15:30:31 +0100 Subject: [PATCH 09/10] Simplify padding check and get rid of psa_sig_md in rsa_decrypt_wrap() 
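Review bot: The `mbedtls_platform_zeroize( buf, sizeof( buf ) );` added in PATCH 08/10 sits under `cleanup:`, but the earlier `if( key_len <= 0 ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );` (visible in PATCH 02/10) returns directly and never reaches it. Whether `mbedtls_pk_write_key_der()` can fail after writing part of the key into `buf` cannot be determined from this page; if it can, that material stays on the stack. Changing the early return to `ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; goto cleanup;` routes that path through the wipe. The `psa_import_key()` failure path already reaches `cleanup`, presumably with `key_id` unset, so the `psa_destroy_key()` call should behave the same there. The function body starts and ends outside this hunk.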
Signed-off-by: Neil Armstrong --- library/pk_wrap.c | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index d5d57aa3b7..c4d715ccf4 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -227,24 +227,14 @@ static int rsa_decrypt_wrap( void *ctx, int key_len; unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES]; mbedtls_pk_info_t pk_info = mbedtls_rsa_info; - psa_algorithm_t psa_sig_md; ((void) f_rng); ((void) p_rng); #if !defined(MBEDTLS_RSA_ALT) - switch( rsa->padding ) - { - case MBEDTLS_RSA_PKCS_V15: - psa_sig_md = PSA_ALG_RSA_PKCS1V15_CRYPT; - break; - - default: - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); - } -#else - psa_sig_md = PSA_ALG_RSA_PKCS1V15_CRYPT; -#endif + if( rsa->padding != MBEDTLS_RSA_PKCS_V15 ) + return( MBEDTLS_ERR_RSA_INVALID_PADDING ); +#endif /* !MBEDTLS_RSA_ALT */ if( ilen != mbedtls_rsa_get_len( rsa ) ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -259,7 +249,7 @@ static int rsa_decrypt_wrap( void *ctx, psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_KEY_PAIR ); psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT ); - psa_set_key_algorithm( &attributes, psa_sig_md ); + psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PKCS1V15_CRYPT ); status = psa_import_key( &attributes, buf + sizeof( buf ) - key_len, key_len, @@ -270,8 +260,10 @@ static int rsa_decrypt_wrap( void *ctx, goto cleanup; } - status = psa_asymmetric_decrypt( key_id, psa_sig_md, input, ilen, - NULL, 0, output, osize, olen ); + status = psa_asymmetric_decrypt( key_id, PSA_ALG_RSA_PKCS1V15_CRYPT, + input, ilen, + NULL, 0, + output, osize, olen ); if( status != PSA_SUCCESS ) { ret = mbedtls_pk_error_from_psa_rsa( status ); From 6b03a3de5c68bba20719ef752293c36950406760 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 16 Mar 2022 15:31:07 +0100 Subject: [PATCH 10/10] Use mbedtls_rsa_info directly in rsa_decrypt_wrap() 
Signed-off-by: Neil Armstrong --- library/pk_wrap.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index c4d715ccf4..c354af81c2 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -226,7 +226,6 @@ static int rsa_decrypt_wrap( void *ctx, mbedtls_pk_context key; int key_len; unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES]; - mbedtls_pk_info_t pk_info = mbedtls_rsa_info; ((void) f_rng); ((void) p_rng); @@ -241,7 +240,7 @@ static int rsa_decrypt_wrap( void *ctx, /* mbedtls_pk_write_key_der() expects a full PK context; * re-construct one to make it happy */ - key.pk_info = &pk_info; + key.pk_info = &mbedtls_rsa_info; key.pk_ctx = ctx; key_len = mbedtls_pk_write_key_der( &key, buf, sizeof( buf ) ); if( key_len <= 0 )