mbedtls_adapter.c 9.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314
  1. /* Copyright (C) 2017 Fortanix, Inc.
  2. This file is part of Graphene Library OS.
  3. Graphene Library OS is free software: you can redistribute it and/or
  4. modify it under the terms of the GNU Lesser General Public License
  5. as published by the Free Software Foundation, either version 3 of the
  6. License, or (at your option) any later version.
  7. Graphene Library OS is distributed in the hope that it will be useful,
  8. but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. GNU Lesser General Public License for more details.
  11. You should have received a copy of the GNU Lesser General Public License
  12. along with this program. If not, see <http://www.gnu.org/licenses/>. */
  13. #include <errno.h>
  14. #include <stdint.h>
  15. #include <limits.h>
  16. #include "api.h"
  17. #include "pal.h"
  18. #include "pal_crypto.h"
  19. #include "pal_error.h"
  20. #include "pal_debug.h"
  21. #include "assert.h"
  22. #include "mbedtls/aes.h"
  23. #include "mbedtls/cmac.h"
  24. #include "mbedtls/sha256.h"
  25. #include "mbedtls/rsa.h"
  26. int mbedtls_to_pal_error(int error)
  27. {
  28. switch(error) {
  29. case 0:
  30. return 0;
  31. case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
  32. return -PAL_ERROR_CRYPTO_INVALID_KEY_LENGTH;
  33. case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
  34. case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
  35. return -PAL_ERROR_CRYPTO_INVALID_INPUT_LENGTH;
  36. case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
  37. case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
  38. return -PAL_ERROR_CRYPTO_FEATURE_UNAVAILABLE;
  39. case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
  40. case MBEDTLS_ERR_DHM_BAD_INPUT_DATA:
  41. case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
  42. case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
  43. case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
  44. case MBEDTLS_ERR_RSA_PUBLIC_FAILED: // see mbedtls_rsa_public()
  45. case MBEDTLS_ERR_RSA_PRIVATE_FAILED: // see mbedtls_rsa_private()
  46. return -PAL_ERROR_CRYPTO_BAD_INPUT_DATA;
  47. case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
  48. return -PAL_ERROR_CRYPTO_INVALID_OUTPUT_LENGTH;
  49. case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
  50. case MBEDTLS_ERR_DHM_ALLOC_FAILED:
  51. case MBEDTLS_ERR_MD_ALLOC_FAILED:
  52. return -PAL_ERROR_NOMEM;
  53. case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
  54. case MBEDTLS_ERR_RSA_INVALID_PADDING:
  55. return -PAL_ERROR_CRYPTO_INVALID_PADDING;
  56. case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
  57. return -PAL_ERROR_CRYPTO_AUTH_FAILED;
  58. case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
  59. return -PAL_ERROR_CRYPTO_INVALID_CONTEXT;
  60. case MBEDTLS_ERR_DHM_READ_PARAMS_FAILED:
  61. case MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED:
  62. case MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED:
  63. case MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED:
  64. case MBEDTLS_ERR_DHM_CALC_SECRET_FAILED:
  65. return -PAL_ERROR_CRYPTO_INVALID_DH_STATE;
  66. case MBEDTLS_ERR_DHM_INVALID_FORMAT:
  67. return -PAL_ERROR_CRYPTO_INVALID_FORMAT;
  68. case MBEDTLS_ERR_DHM_FILE_IO_ERROR:
  69. case MBEDTLS_ERR_MD_FILE_IO_ERROR:
  70. return -PAL_ERROR_CRYPTO_IO_ERROR;
  71. case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
  72. return -PAL_ERROR_CRYPTO_KEY_GEN_FAILED;
  73. case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
  74. return -PAL_ERROR_CRYPTO_INVALID_KEY;
  75. case MBEDTLS_ERR_RSA_VERIFY_FAILED:
  76. return -PAL_ERROR_CRYPTO_VERIFY_FAILED;
  77. case MBEDTLS_ERR_RSA_RNG_FAILED:
  78. return -PAL_ERROR_CRYPTO_RNG_FAILED;
  79. default:
  80. return -PAL_ERROR_DENIED;
  81. }
  82. }
  83. #define BITS_PER_BYTE 8
  84. /* This is declared in pal_internal.h, but that can't be included here. */
  85. size_t _DkRandomBitsRead(void *buffer, size_t size);
  86. /* Wrapper to provide mbedtls the RNG interface it expects. It passes an
  87. * extra context parameter, and expects a return value of 0 for success
  88. * and nonzero for failure. */
  89. static int RandomWrapper(void *private, unsigned char *data, size_t size)
  90. {
  91. __UNUSED(private);
  92. return _DkRandomBitsRead(data, size);
  93. }
  94. #define BITS_PER_BYTE 8
  95. int lib_SHA256Init(LIB_SHA256_CONTEXT *context)
  96. {
  97. mbedtls_sha256_init(context);
  98. mbedtls_sha256_starts(context, 0 /* 0 = use SSH256 */);
  99. return 0;
  100. }
  101. int lib_SHA256Update(LIB_SHA256_CONTEXT *context, const uint8_t *data,
  102. uint64_t len)
  103. {
  104. /* For compatibility with other SHA256 providers, don't support
  105. * large lengths. */
  106. if (len > UINT32_MAX) {
  107. return -PAL_ERROR_INVAL;
  108. }
  109. mbedtls_sha256_update(context, data, len);
  110. return 0;
  111. }
  112. int lib_SHA256Final(LIB_SHA256_CONTEXT *context, uint8_t *output)
  113. {
  114. mbedtls_sha256_finish(context, output);
  115. /* This function is called free, but it doesn't actually free the memory.
  116. * It zeroes out the context to avoid potentially leaking information
  117. * about the hash that was just performed. */
  118. mbedtls_sha256_free(context);
  119. return 0;
  120. }
  121. int lib_AESCMAC(const uint8_t *key, uint64_t key_len, const uint8_t *input,
  122. uint64_t input_len, uint8_t *mac, uint64_t mac_len) {
  123. mbedtls_cipher_type_t cipher;
  124. switch (key_len) {
  125. case 16:
  126. cipher = MBEDTLS_CIPHER_AES_128_ECB;
  127. break;
  128. case 24:
  129. cipher = MBEDTLS_CIPHER_AES_192_ECB;
  130. break;
  131. case 32:
  132. cipher = MBEDTLS_CIPHER_AES_256_ECB;
  133. break;
  134. default:
  135. return -PAL_ERROR_INVAL;
  136. }
  137. const mbedtls_cipher_info_t *cipher_info =
  138. mbedtls_cipher_info_from_type(cipher);
  139. if (mac_len < cipher_info->block_size) {
  140. return -PAL_ERROR_INVAL;
  141. }
  142. int ret = mbedtls_cipher_cmac(cipher_info, key, key_len * BITS_PER_BYTE, input, input_len, mac);
  143. return mbedtls_to_pal_error(ret);
  144. }
  145. int lib_AESCMACInit(LIB_AESCMAC_CONTEXT * context,
  146. const uint8_t *key, uint64_t key_len)
  147. {
  148. switch (key_len) {
  149. case 16:
  150. context->cipher = MBEDTLS_CIPHER_AES_128_ECB;
  151. break;
  152. case 24:
  153. context->cipher = MBEDTLS_CIPHER_AES_192_ECB;
  154. break;
  155. case 32:
  156. context->cipher = MBEDTLS_CIPHER_AES_256_ECB;
  157. break;
  158. default:
  159. return -PAL_ERROR_INVAL;
  160. }
  161. const mbedtls_cipher_info_t *cipher_info =
  162. mbedtls_cipher_info_from_type(context->cipher);
  163. int ret = mbedtls_cipher_setup(&context->ctx, cipher_info);
  164. if (ret != 0)
  165. return mbedtls_to_pal_error(ret);
  166. ret = mbedtls_cipher_cmac_starts(&context->ctx, key, key_len * BITS_PER_BYTE);
  167. return mbedtls_to_pal_error(ret);
  168. }
  169. int lib_AESCMACUpdate(LIB_AESCMAC_CONTEXT * context, const uint8_t * input,
  170. uint64_t input_len)
  171. {
  172. int ret = mbedtls_cipher_cmac_update(&context->ctx, input, input_len);
  173. return mbedtls_to_pal_error(ret);
  174. }
  175. int lib_AESCMACFinish(LIB_AESCMAC_CONTEXT * context, uint8_t * mac,
  176. uint64_t mac_len)
  177. {
  178. const mbedtls_cipher_info_t *cipher_info =
  179. mbedtls_cipher_info_from_type(context->cipher);
  180. int ret = -PAL_ERROR_INVAL;
  181. if (mac_len < cipher_info->block_size)
  182. goto exit;
  183. ret = mbedtls_cipher_cmac_finish(&context->ctx, mac);
  184. ret = mbedtls_to_pal_error(ret);
  185. exit:
  186. mbedtls_cipher_free( &context->ctx );
  187. return ret;
  188. }
  189. int lib_RSAInitKey(LIB_RSA_KEY *key)
  190. {
  191. /* For now, we only need PKCS_V15 type padding. If we need to support
  192. * multiple padding types, I guess we'll need to add the padding type
  193. * to this API. We might need to add a wrapper type around the crypto
  194. * library's key/context type, since not all crypto providers store this
  195. * in the conext, and instead require you to pass it on each call. */
  196. /* Last parameter here is the hash type, which is only used for
  197. * PKCS padding type 2.0. */
  198. mbedtls_rsa_init(key, MBEDTLS_RSA_PKCS_V15, 0);
  199. return 0;
  200. }
  201. int lib_RSAGenerateKey(LIB_RSA_KEY *key, uint64_t length_in_bits, uint64_t exponent)
  202. {
  203. if (length_in_bits > UINT_MAX)
  204. return -PAL_ERROR_INVAL;
  205. if (exponent > UINT_MAX || (int) exponent < 0)
  206. return -PAL_ERROR_INVAL;
  207. int ret = mbedtls_rsa_gen_key(key, RandomWrapper, NULL, length_in_bits, exponent);
  208. return mbedtls_to_pal_error(ret);
  209. }
  210. int lib_RSAExportPublicKey(LIB_RSA_KEY *key, uint8_t *e, uint64_t *e_size,
  211. uint8_t *n, uint64_t *n_size)
  212. {
  213. /* Public exponent. */
  214. int ret = mbedtls_mpi_write_binary(&key->E, e, *e_size);
  215. if (ret != 0)
  216. return mbedtls_to_pal_error(ret);
  217. /* Modulus. */
  218. ret = mbedtls_mpi_write_binary(&key->N, n, *n_size);
  219. return mbedtls_to_pal_error(ret);
  220. }
  221. int lib_RSAImportPublicKey(LIB_RSA_KEY *key, const uint8_t *e, uint64_t e_size,
  222. const uint8_t *n, uint64_t n_size)
  223. {
  224. int ret;
  225. /* Public exponent. */
  226. ret = mbedtls_mpi_read_binary(&key->E, e, e_size);
  227. if (ret != 0)
  228. return mbedtls_to_pal_error(ret);
  229. /* Modulus. */
  230. ret = mbedtls_mpi_read_binary(&key->N, n, n_size);
  231. if (ret != 0)
  232. return mbedtls_to_pal_error(ret);
  233. /* This length is in bytes. */
  234. key->len = (mbedtls_mpi_bitlen(&key->N) + 7) >> 3;
  235. return 0;
  236. }
  237. int lib_RSAVerifySHA256(LIB_RSA_KEY* key, const uint8_t* hash, uint64_t hash_len,
  238. const uint8_t* signature, uint64_t signature_len) {
  239. /* The mbedtls decrypt API assumes that you have a memory buffer that
  240. * is as large as the key size and take the length as a parameter. We
  241. * check, so that in the event the caller makes a mistake, you'll get
  242. * an error instead of reading off the end of the buffer. */
  243. if (signature_len != key->len)
  244. return -PAL_ERROR_INVAL;
  245. int ret = mbedtls_rsa_pkcs1_verify(key, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256,
  246. hash_len, hash, signature);
  247. return mbedtls_to_pal_error(ret);
  248. }
  249. int lib_RSAFreeKey(LIB_RSA_KEY *key)
  250. {
  251. mbedtls_rsa_free(key);
  252. return 0;
  253. }