mbedtls_adapter.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455
  1. /* Copyright (C) 2017 Fortanix, Inc.
  2. This file is part of Graphene Library OS.
  3. Graphene Library OS is free software: you can redistribute it and/or
  4. modify it under the terms of the GNU Lesser General Public License
  5. as published by the Free Software Foundation, either version 3 of the
  6. License, or (at your option) any later version.
  7. Graphene Library OS is distributed in the hope that it will be useful,
  8. but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. GNU Lesser General Public License for more details.
  11. You should have received a copy of the GNU Lesser General Public License
  12. along with this program. If not, see <http://www.gnu.org/licenses/>. */
  13. #include <errno.h>
  14. #include <immintrin.h>
  15. #include <limits.h>
  16. #include <stdint.h>
  17. #include "api.h"
  18. #include "pal.h"
  19. #include "pal_crypto.h"
  20. #include "pal_error.h"
  21. #include "pal_debug.h"
  22. #include "assert.h"
  23. #include "mbedtls/aes.h"
  24. #include "mbedtls/cmac.h"
  25. #include "mbedtls/error.h"
  26. #include "mbedtls/net_sockets.h"
  27. #include "mbedtls/rsa.h"
  28. #include "mbedtls/sha256.h"
  29. int mbedtls_to_pal_error(int error)
  30. {
  31. switch(error) {
  32. case 0:
  33. return 0;
  34. case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
  35. return -PAL_ERROR_CRYPTO_INVALID_KEY_LENGTH;
  36. case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
  37. case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
  38. return -PAL_ERROR_CRYPTO_INVALID_INPUT_LENGTH;
  39. case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
  40. case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
  41. return -PAL_ERROR_CRYPTO_FEATURE_UNAVAILABLE;
  42. case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
  43. case MBEDTLS_ERR_DHM_BAD_INPUT_DATA:
  44. case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
  45. case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
  46. case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
  47. case MBEDTLS_ERR_RSA_PUBLIC_FAILED: // see mbedtls_rsa_public()
  48. case MBEDTLS_ERR_RSA_PRIVATE_FAILED: // see mbedtls_rsa_private()
  49. return -PAL_ERROR_CRYPTO_BAD_INPUT_DATA;
  50. case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
  51. return -PAL_ERROR_CRYPTO_INVALID_OUTPUT_LENGTH;
  52. case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
  53. case MBEDTLS_ERR_DHM_ALLOC_FAILED:
  54. case MBEDTLS_ERR_MD_ALLOC_FAILED:
  55. return -PAL_ERROR_NOMEM;
  56. case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
  57. case MBEDTLS_ERR_RSA_INVALID_PADDING:
  58. return -PAL_ERROR_CRYPTO_INVALID_PADDING;
  59. case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
  60. return -PAL_ERROR_CRYPTO_AUTH_FAILED;
  61. case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
  62. return -PAL_ERROR_CRYPTO_INVALID_CONTEXT;
  63. case MBEDTLS_ERR_DHM_READ_PARAMS_FAILED:
  64. case MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED:
  65. case MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED:
  66. case MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED:
  67. case MBEDTLS_ERR_DHM_CALC_SECRET_FAILED:
  68. return -PAL_ERROR_CRYPTO_INVALID_DH_STATE;
  69. case MBEDTLS_ERR_DHM_INVALID_FORMAT:
  70. return -PAL_ERROR_CRYPTO_INVALID_FORMAT;
  71. case MBEDTLS_ERR_DHM_FILE_IO_ERROR:
  72. case MBEDTLS_ERR_MD_FILE_IO_ERROR:
  73. return -PAL_ERROR_CRYPTO_IO_ERROR;
  74. case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
  75. return -PAL_ERROR_CRYPTO_KEY_GEN_FAILED;
  76. case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
  77. return -PAL_ERROR_CRYPTO_INVALID_KEY;
  78. case MBEDTLS_ERR_RSA_VERIFY_FAILED:
  79. return -PAL_ERROR_CRYPTO_VERIFY_FAILED;
  80. case MBEDTLS_ERR_RSA_RNG_FAILED:
  81. return -PAL_ERROR_CRYPTO_RNG_FAILED;
  82. default:
  83. return -PAL_ERROR_DENIED;
  84. }
  85. }
  86. #define BITS_PER_BYTE 8
  87. /* This is declared in pal_internal.h, but that can't be included here. */
  88. size_t _DkRandomBitsRead(void *buffer, size_t size);
  89. /* Wrapper to provide mbedtls the RNG interface it expects. It passes an
  90. * extra context parameter, and expects a return value of 0 for success
  91. * and nonzero for failure. */
  92. static int RandomWrapper(void *private, unsigned char *data, size_t size)
  93. {
  94. __UNUSED(private);
  95. return _DkRandomBitsRead(data, size);
  96. }
  97. #define BITS_PER_BYTE 8
  98. int lib_SHA256Init(LIB_SHA256_CONTEXT *context)
  99. {
  100. mbedtls_sha256_init(context);
  101. mbedtls_sha256_starts(context, 0 /* 0 = use SSH256 */);
  102. return 0;
  103. }
  104. int lib_SHA256Update(LIB_SHA256_CONTEXT *context, const uint8_t *data,
  105. uint64_t len)
  106. {
  107. /* For compatibility with other SHA256 providers, don't support
  108. * large lengths. */
  109. if (len > UINT32_MAX) {
  110. return -PAL_ERROR_INVAL;
  111. }
  112. mbedtls_sha256_update(context, data, len);
  113. return 0;
  114. }
  115. int lib_SHA256Final(LIB_SHA256_CONTEXT *context, uint8_t *output)
  116. {
  117. mbedtls_sha256_finish(context, output);
  118. /* This function is called free, but it doesn't actually free the memory.
  119. * It zeroes out the context to avoid potentially leaking information
  120. * about the hash that was just performed. */
  121. mbedtls_sha256_free(context);
  122. return 0;
  123. }
  124. int lib_AESCMAC(const uint8_t *key, uint64_t key_len, const uint8_t *input,
  125. uint64_t input_len, uint8_t *mac, uint64_t mac_len) {
  126. mbedtls_cipher_type_t cipher;
  127. switch (key_len) {
  128. case 16:
  129. cipher = MBEDTLS_CIPHER_AES_128_ECB;
  130. break;
  131. case 24:
  132. cipher = MBEDTLS_CIPHER_AES_192_ECB;
  133. break;
  134. case 32:
  135. cipher = MBEDTLS_CIPHER_AES_256_ECB;
  136. break;
  137. default:
  138. return -PAL_ERROR_INVAL;
  139. }
  140. const mbedtls_cipher_info_t *cipher_info =
  141. mbedtls_cipher_info_from_type(cipher);
  142. if (mac_len < cipher_info->block_size) {
  143. return -PAL_ERROR_INVAL;
  144. }
  145. int ret = mbedtls_cipher_cmac(cipher_info, key, key_len * BITS_PER_BYTE, input, input_len, mac);
  146. return mbedtls_to_pal_error(ret);
  147. }
  148. int lib_AESCMACInit(LIB_AESCMAC_CONTEXT * context,
  149. const uint8_t *key, uint64_t key_len)
  150. {
  151. switch (key_len) {
  152. case 16:
  153. context->cipher = MBEDTLS_CIPHER_AES_128_ECB;
  154. break;
  155. case 24:
  156. context->cipher = MBEDTLS_CIPHER_AES_192_ECB;
  157. break;
  158. case 32:
  159. context->cipher = MBEDTLS_CIPHER_AES_256_ECB;
  160. break;
  161. default:
  162. return -PAL_ERROR_INVAL;
  163. }
  164. const mbedtls_cipher_info_t *cipher_info =
  165. mbedtls_cipher_info_from_type(context->cipher);
  166. int ret = mbedtls_cipher_setup(&context->ctx, cipher_info);
  167. if (ret != 0)
  168. return mbedtls_to_pal_error(ret);
  169. ret = mbedtls_cipher_cmac_starts(&context->ctx, key, key_len * BITS_PER_BYTE);
  170. return mbedtls_to_pal_error(ret);
  171. }
  172. int lib_AESCMACUpdate(LIB_AESCMAC_CONTEXT * context, const uint8_t * input,
  173. uint64_t input_len)
  174. {
  175. int ret = mbedtls_cipher_cmac_update(&context->ctx, input, input_len);
  176. return mbedtls_to_pal_error(ret);
  177. }
  178. int lib_AESCMACFinish(LIB_AESCMAC_CONTEXT * context, uint8_t * mac,
  179. uint64_t mac_len)
  180. {
  181. const mbedtls_cipher_info_t *cipher_info =
  182. mbedtls_cipher_info_from_type(context->cipher);
  183. int ret = -PAL_ERROR_INVAL;
  184. if (mac_len < cipher_info->block_size)
  185. goto exit;
  186. ret = mbedtls_cipher_cmac_finish(&context->ctx, mac);
  187. ret = mbedtls_to_pal_error(ret);
  188. exit:
  189. mbedtls_cipher_free( &context->ctx );
  190. return ret;
  191. }
  192. int lib_RSAInitKey(LIB_RSA_KEY *key)
  193. {
  194. /* For now, we only need PKCS_V15 type padding. If we need to support
  195. * multiple padding types, I guess we'll need to add the padding type
  196. * to this API. We might need to add a wrapper type around the crypto
  197. * library's key/context type, since not all crypto providers store this
  198. * in the conext, and instead require you to pass it on each call. */
  199. /* Last parameter here is the hash type, which is only used for
  200. * PKCS padding type 2.0. */
  201. mbedtls_rsa_init(key, MBEDTLS_RSA_PKCS_V15, 0);
  202. return 0;
  203. }
  204. int lib_RSAGenerateKey(LIB_RSA_KEY *key, uint64_t length_in_bits, uint64_t exponent)
  205. {
  206. if (length_in_bits > UINT_MAX)
  207. return -PAL_ERROR_INVAL;
  208. if (exponent > UINT_MAX || (int) exponent < 0)
  209. return -PAL_ERROR_INVAL;
  210. int ret = mbedtls_rsa_gen_key(key, RandomWrapper, NULL, length_in_bits, exponent);
  211. return mbedtls_to_pal_error(ret);
  212. }
  213. int lib_RSAExportPublicKey(LIB_RSA_KEY *key, uint8_t *e, uint64_t *e_size,
  214. uint8_t *n, uint64_t *n_size)
  215. {
  216. /* Public exponent. */
  217. int ret = mbedtls_mpi_write_binary(&key->E, e, *e_size);
  218. if (ret != 0)
  219. return mbedtls_to_pal_error(ret);
  220. /* Modulus. */
  221. ret = mbedtls_mpi_write_binary(&key->N, n, *n_size);
  222. return mbedtls_to_pal_error(ret);
  223. }
  224. int lib_RSAImportPublicKey(LIB_RSA_KEY *key, const uint8_t *e, uint64_t e_size,
  225. const uint8_t *n, uint64_t n_size)
  226. {
  227. int ret;
  228. /* Public exponent. */
  229. ret = mbedtls_mpi_read_binary(&key->E, e, e_size);
  230. if (ret != 0)
  231. return mbedtls_to_pal_error(ret);
  232. /* Modulus. */
  233. ret = mbedtls_mpi_read_binary(&key->N, n, n_size);
  234. if (ret != 0)
  235. return mbedtls_to_pal_error(ret);
  236. /* This length is in bytes. */
  237. key->len = (mbedtls_mpi_bitlen(&key->N) + 7) >> 3;
  238. return 0;
  239. }
  240. int lib_RSAVerifySHA256(LIB_RSA_KEY* key, const uint8_t* hash, uint64_t hash_len,
  241. const uint8_t* signature, uint64_t signature_len) {
  242. /* The mbedtls decrypt API assumes that you have a memory buffer that
  243. * is as large as the key size and take the length as a parameter. We
  244. * check, so that in the event the caller makes a mistake, you'll get
  245. * an error instead of reading off the end of the buffer. */
  246. if (signature_len != key->len)
  247. return -PAL_ERROR_INVAL;
  248. int ret = mbedtls_rsa_pkcs1_verify(key, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256,
  249. hash_len, hash, signature);
  250. return mbedtls_to_pal_error(ret);
  251. }
  252. int lib_RSAFreeKey(LIB_RSA_KEY *key)
  253. {
  254. mbedtls_rsa_free(key);
  255. return 0;
  256. }
  257. int mbedtls_hardware_poll(void* data, unsigned char* output, size_t len, size_t* olen) {
  258. __UNUSED(data);
  259. assert(output && olen);
  260. *olen = 0;
  261. unsigned long long rand64;
  262. for (size_t i = 0; i < len; i += sizeof(rand64)) {
  263. while (__builtin_ia32_rdrand64_step(&rand64) == 0)
  264. /*nop*/;
  265. size_t over = i + sizeof(rand64) < len ? 0 : i + sizeof(rand64) - len;
  266. memcpy(output + i, &rand64, sizeof(rand64) - over);
  267. }
  268. *olen = len;
  269. return 0;
  270. }
  271. static int recv_cb(void* ctx, uint8_t* buf, size_t len) {
  272. LIB_SSL_CONTEXT* ssl_ctx = (LIB_SSL_CONTEXT*)ctx;
  273. int fd = ssl_ctx->stream_fd;
  274. if (fd < 0)
  275. return MBEDTLS_ERR_NET_INVALID_CONTEXT;
  276. if (len != (uint32_t)len) {
  277. /* pal_recv_cb cannot receive more than 32-bit limit, trim len to fit in 32-bit */
  278. len = UINT32_MAX;
  279. }
  280. int ret = ssl_ctx->pal_recv_cb(fd, buf, (uint32_t)len);
  281. if (ret < 0) {
  282. if (ret == -EINTR)
  283. return MBEDTLS_ERR_SSL_WANT_READ;
  284. return MBEDTLS_ERR_NET_RECV_FAILED;
  285. }
  286. return ret;
  287. }
  288. static int send_cb(void* ctx, uint8_t const* buf, size_t len) {
  289. LIB_SSL_CONTEXT* ssl_ctx = (LIB_SSL_CONTEXT*)ctx;
  290. int fd = ssl_ctx->stream_fd;
  291. if (fd < 0)
  292. return MBEDTLS_ERR_NET_INVALID_CONTEXT;
  293. if (len != (uint32_t)len) {
  294. /* pal_send_cb cannot send more than 32-bit limit, trim len to fit in 32-bit */
  295. len = UINT32_MAX;
  296. }
  297. int ret = ssl_ctx->pal_send_cb(fd, buf, (uint32_t)len);
  298. if (ret < 0) {
  299. if (ret == -EINTR)
  300. return MBEDTLS_ERR_SSL_WANT_WRITE;
  301. return MBEDTLS_ERR_NET_SEND_FAILED;
  302. }
  303. return ret;
  304. }
  305. int lib_SSLInit(LIB_SSL_CONTEXT* ssl_ctx, int stream_fd, bool is_server,
  306. const uint8_t* psk, size_t psk_size,
  307. int (*pal_recv_cb)(int fd, void* buf, uint32_t len),
  308. int (*pal_send_cb)(int fd, const void* buf, uint32_t len)) {
  309. int ret;
  310. memset(ssl_ctx, 0, sizeof(*ssl_ctx));
  311. ssl_ctx->ciphersuites[0] = MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256;
  312. memset(&ssl_ctx->ciphersuites[1], 0, sizeof(ssl_ctx->ciphersuites[1]));
  313. ssl_ctx->pal_recv_cb = pal_recv_cb;
  314. ssl_ctx->pal_send_cb = pal_send_cb;
  315. ssl_ctx->stream_fd = stream_fd;
  316. mbedtls_entropy_init(&ssl_ctx->entropy);
  317. mbedtls_ctr_drbg_init(&ssl_ctx->ctr_drbg);
  318. mbedtls_ssl_config_init(&ssl_ctx->conf);
  319. mbedtls_ssl_init(&ssl_ctx->ssl);
  320. ret = mbedtls_ctr_drbg_seed(&ssl_ctx->ctr_drbg, mbedtls_entropy_func, &ssl_ctx->entropy, NULL, 0);
  321. if (ret != 0)
  322. return -PAL_ERROR_DENIED;
  323. ret = mbedtls_ssl_config_defaults(&ssl_ctx->conf,
  324. is_server ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
  325. MBEDTLS_SSL_TRANSPORT_STREAM,
  326. MBEDTLS_SSL_PRESET_DEFAULT);
  327. if (ret != 0)
  328. return -PAL_ERROR_DENIED;
  329. mbedtls_ssl_conf_rng(&ssl_ctx->conf, mbedtls_ctr_drbg_random, &ssl_ctx->ctr_drbg);
  330. mbedtls_ssl_conf_ciphersuites(&ssl_ctx->conf, ssl_ctx->ciphersuites);
  331. const unsigned char psk_identity[] = "dummy";
  332. ret = mbedtls_ssl_conf_psk(&ssl_ctx->conf, psk, psk_size, psk_identity, sizeof(psk_identity) - 1);
  333. if (ret != 0)
  334. return -PAL_ERROR_DENIED;
  335. ret = mbedtls_ssl_setup(&ssl_ctx->ssl, &ssl_ctx->conf);
  336. if (ret != 0)
  337. return -PAL_ERROR_DENIED;
  338. mbedtls_ssl_set_bio(&ssl_ctx->ssl, ssl_ctx, send_cb, recv_cb, NULL);
  339. while ((ret = mbedtls_ssl_handshake(&ssl_ctx->ssl)) != 0) {
  340. if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
  341. break;
  342. }
  343. if (ret != 0)
  344. return -PAL_ERROR_DENIED;
  345. return 0;
  346. }
  347. int lib_SSLFree(LIB_SSL_CONTEXT* ssl_ctx) {
  348. mbedtls_ssl_free(&ssl_ctx->ssl);
  349. mbedtls_ssl_config_free(&ssl_ctx->conf);
  350. mbedtls_ctr_drbg_free(&ssl_ctx->ctr_drbg);
  351. mbedtls_entropy_free(&ssl_ctx->entropy);
  352. return 0;
  353. }
  354. int lib_SSLRead(LIB_SSL_CONTEXT* ssl_ctx, uint8_t* buf, size_t len) {
  355. int ret = mbedtls_ssl_read(&ssl_ctx->ssl, buf, len);
  356. if (ret <= 0)
  357. return -PAL_ERROR_DENIED;
  358. return ret;
  359. }
  360. int lib_SSLWrite(LIB_SSL_CONTEXT* ssl_ctx, const uint8_t* buf, size_t len) {
  361. int ret = mbedtls_ssl_write(&ssl_ctx->ssl, buf, len);
  362. if (ret <= 0)
  363. return -PAL_ERROR_DENIED;
  364. return ret;
  365. }