From 54f520e4bfc0fe23e2719d44b09739aa8709451c Mon Sep 17 00:00:00 2001 From: vnugent Date: Tue, 23 Jul 2024 19:55:13 -0400 Subject: latest changes --- src/providers/openssl.c | 94 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 62 insertions(+), 32 deletions(-) (limited to 'src/providers/openssl.c') diff --git a/src/providers/openssl.c b/src/providers/openssl.c index 1f31796..5bade3b 100644 --- a/src/providers/openssl.c +++ b/src/providers/openssl.c @@ -26,6 +26,8 @@ #define _OSSL_FAIL(x) if(!(x)) return CSTATUS_FAIL; +#define ossl_md_sha256() EVP_MD_fetch(NULL, "SHA2-256", NULL) + #ifndef _IMPL_SECURE_ZERO_MEMSET #define _IMPL_SECURE_ZERO_MEMSET _ossl_secure_zero_memset @@ -63,11 +65,11 @@ #define _IMPL_CRYPTO_SHA256_DIGEST _ossl_sha256_digest - _IMPLSTB cstatus_t _ossl_sha256_digest(const cspan_t* data, sha256_t digestOut32) + _IMPLSTB cstatus_t _ossl_sha256_digest(cspan_t data, sha256_t digestOut32) { - _overflow_check(data->size) + _overflow_check(data.size) - _OSSL_FAIL(SHA256(data->data, data->size, digestOut32)) + _OSSL_FAIL(SHA256(data.data, data.size, digestOut32)) return CSTATUS_OK; } @@ -81,22 +83,22 @@ /* Export function */ #define _IMPL_CRYPTO_SHA256_HMAC _ossl_hmac_sha256 - _IMPLSTB cstatus_t _ossl_hmac_sha256(const cspan_t* key, const cspan_t* data, sha256_t hmacOut32) + _IMPLSTB cstatus_t _ossl_hmac_sha256(cspan_t key, cspan_t data, sha256_t hmacOut32) { unsigned int hmacLen; - _overflow_check(key->size) - _overflow_check(data->size) + _overflow_check(key.size) + _overflow_check(data.size) hmacLen = sizeof(sha256_t); _OSSL_FAIL( HMAC( - EVP_sha256(), - key->data, - key->size, - data->data, - data->size, + ossl_md_sha256(), + key.data, + key.size, + data.data, + data.size, hmacOut32, &hmacLen ) @@ -112,30 +114,44 @@ #ifndef _IMPL_CRYPTO_SHA256_HKDF_EXPAND - #include + #include #define _IMPL_CRYPTO_SHA256_HKDF_EXPAND _ossl_sha256_hkdf_expand - cstatus_t _ossl_hkdf_update(void* ctx, const cspan_t* data) + cstatus_t _ossl_hkdf_update(void* ctx, cspan_t data) { DEBUG_ASSERT(ctx != NULL) - _overflow_check(data->size) + _overflow_check(data.size) - _OSSL_FAIL(EVP_DigestUpdate((EVP_MD_CTX*)ctx, data->data, data->size)) + _OSSL_FAIL( + EVP_MAC_update( + (EVP_MAC_CTX*)ctx, + data.data, + data.size + ) + ) return CSTATUS_OK; } cstatus_t _ossl_hkdf_finish(void* ctx, sha256_t hmacOut32) { - unsigned int hmacSize; + size_t hmacSize; - DEBUG_ASSERT(ctx != NULL) + DEBUG_ASSERT(ctx != NULL); + DEBUG_ASSERT(hmacOut32 != NULL) - hmacSize = sizeof(sha256_t); + hmacSize = 0; - _OSSL_FAIL(EVP_DigestFinal_ex((EVP_MD_CTX*)ctx, hmacOut32, &hmacSize)) + _OSSL_FAIL( + EVP_MAC_final( + (EVP_MAC_CTX*)ctx, + hmacOut32, + &hmacSize, + sizeof(sha256_t) + ) + ) /* When configured for sha256, should always be the same size in/out */ DEBUG_ASSERT(hmacSize == sizeof(sha256_t)) @@ -143,42 +159,56 @@ return CSTATUS_OK; } - _IMPLSTB cstatus_t _ossl_sha256_hkdf_expand(const cspan_t* prk, const cspan_t* info, span_t* okm) + _IMPLSTB cstatus_t _ossl_sha256_hkdf_expand(cspan_t prk, cspan_t info, span_t okm) { - EVP_MD_CTX* ctx; + EVP_MAC* mac; + EVP_MAC_CTX* ctx; cstatus_t result; + OSSL_PARAM params[2]; struct nc_hkdf_fn_cb_struct handler; result = CSTATUS_FAIL; + + handler.update = _ossl_hkdf_update; + handler.finish = _ossl_hkdf_finish; + _overflow_check(prk.size); + /* - * NOTE! Hmac reusable flag must be set to allow for multiple - * calls to the finish function without losing the context. + * Silly openssl stuff. Enable hmac with sha256 using the system default + * security provider. The one-shot flag must also be disabled (0) because + * we need to call update multiple times. + * + * "provider=default,digest=SHA256,digest-oneshot=0" */ - if ((ctx = EVP_MD_CTX_create()) == NULL) + ctx = NULL; + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + + if (mac == NULL) { - return CSTATUS_FAIL; + goto Cleanup; } - if (!EVP_DigestInit_ex2(ctx, EVP_sha256(), NULL)) + if ((ctx = EVP_MAC_CTX_new(mac)) == NULL) { goto Cleanup; } - if (!EVP_DigestUpdate(ctx, prk->data, prk->size)) + params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA2-256", 0); + params[1] = OSSL_PARAM_construct_end(); + + if (!EVP_MAC_init(ctx, prk.data, prk.size, params)) { goto Cleanup; } - - handler.update = _ossl_hkdf_update; - handler.finish = _ossl_hkdf_finish; result = hkdfExpandProcess(&handler, ctx, info, okm); Cleanup: - - EVP_MD_CTX_destroy(ctx); + + if (ctx) EVP_MAC_CTX_free(ctx); + if (mac) EVP_MAC_free(mac); return result; } -- cgit From 07de078a3b5b7b0043d9f81bb5a9e750a3a0c7c1 Mon Sep 17 00:00:00 2001 From: vnugent Date: Fri, 26 Jul 2024 23:37:15 -0400 Subject: refactor: Span invasion, checks and fix some evp api --- CHANGELOG.md | 37 ++++++++ src/hkdf.c | 2 +- src/nc-crypto.c | 8 +- src/nc-util.h | 37 +++++++- src/noscrypt.c | 7 +- src/noscryptutil.c | 58 ++++++------ src/providers/bcrypt.c | 16 ++-- src/providers/openssl.c | 230 +++++++++++++++++++++++++++++++++++++----------- 8 files changed, 305 insertions(+), 90 deletions(-) create mode 100644 CHANGELOG.md (limited to 'src/providers/openssl.c') diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..5a91c7e --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,37 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] + +## [0.1.2] - 2024-05-29 + +### Added + +- `NCGetSharedContext()` to get a process-wide shared context. +- C++ extern wrappers noscrypt.h public api +- Integrated test exe to cmake ctest + +### Fixed + +- Potential memory leak for openssl evp contexts during error conditions. +- mbedtls dependency compilation when using fetch for release builds. +- fPIC errors for libsecp256k1. + +### Changed + +- Update libsecp256k1 to v0.5.0. +- **Breaking** `NCValidateSecretKey()` retruns NC_SUCCESS instead of 1. +- Builds using OpenSSL as a crypto backend no longer require the monocypher dependency. + +### Removed + +- NCContext structure defintion. +- Internal headers from the public include directory. + +[unreleased]: https://github.com/VnUgE/noscrypt/compare/v0.1.2...HEAD +[0.1.2]: https://github.com/VnUgE/noscrypt/compare/v0.1.1...v0.1.2 +[0.1.1]: https://github.com/VnUgE/noscrypt/compare/v0.1.0...v0.1.1 diff --git a/src/hkdf.c b/src/hkdf.c index 16e0b5b..7b0b822 100644 --- a/src/hkdf.c +++ b/src/hkdf.c @@ -95,7 +95,7 @@ cstatus_t hkdfExpandProcess( } /* tlen becomes the hash size or remaining okm size */ - tLen = HKDF_MIN(okm.size - okmOffset, SHA256_DIGEST_SIZE); + tLen = HKDF_MIN(ncSpanGetSize(okm) - okmOffset, SHA256_DIGEST_SIZE); DEBUG_ASSERT(tLen <= sizeof(t)); diff --git a/src/nc-crypto.c b/src/nc-crypto.c index 752c9b0..56bdf75 100644 --- a/src/nc-crypto.c +++ b/src/nc-crypto.c @@ -292,10 +292,10 @@ cstatus_t ncCryptoChacha20( uint32_t dataSize ) { - DEBUG_ASSERT2(key != NULL, "Expected key to be non-null") - DEBUG_ASSERT2(nonce != NULL, "Expected nonce to be non-null") - DEBUG_ASSERT2(input != NULL, "Expected input to be non-null") - DEBUG_ASSERT2(output != NULL, "Expected output to be non-null") + DEBUG_ASSERT2(key != NULL, "Expected key to be non-null"); + DEBUG_ASSERT2(nonce != NULL, "Expected nonce to be non-null"); + DEBUG_ASSERT2(input != NULL, "Expected input to be non-null"); + DEBUG_ASSERT2(output != NULL, "Expected output to be non-null"); #ifndef _IMPL_CHACHA20_CRYPT #error "No chacha20 implementation defined" diff --git a/src/nc-util.h b/src/nc-util.h index 2ddfd3f..a248578 100644 --- a/src/nc-util.h +++ b/src/nc-util.h @@ -90,6 +90,10 @@ #endif /* NC_EXTREME_COMPAT */ +#ifndef EMPTY_SPANS + #define EMPTY_SPANS 1 +#endif + typedef struct memory_span_struct { uint8_t* data; @@ -136,6 +140,20 @@ static _nc_fn_inline void ncSpanInit(span_t* span, uint8_t* data, uint32_t size) static _nc_fn_inline const uint8_t* ncSpanGetOffsetC(cspan_t span, uint32_t offset) { + +#if EMPTY_SPANS + + /* + * Allow passing null pointers for empty spans, if enabled, + * otherwise debug guards will catch empty spans + */ + if (span.size == 0 && offset == 0) + { + return NULL; + } + +#endif /* !EMPTY_SPANS */ + DEBUG_ASSERT2(ncSpanIsValidC(span), "Expected span to be non-null"); DEBUG_ASSERT2(offset < span.size, "Expected offset to be less than span size"); @@ -144,10 +162,23 @@ static _nc_fn_inline const uint8_t* ncSpanGetOffsetC(cspan_t span, uint32_t offs static _nc_fn_inline uint8_t* ncSpanGetOffset(span_t span, uint32_t offset) { - DEBUG_ASSERT2(ncSpanIsValid(span), "Expected span to be non-null"); - DEBUG_ASSERT2(offset < span.size, "Expected offset to be less than span size"); + cspan_t cspan; + ncSpanInitC(&cspan, span.data, span.size); + return (uint8_t*)ncSpanGetOffsetC(cspan, offset); +} - return span.data + offset; +static _nc_fn_inline uint32_t ncSpanGetSizeC(cspan_t span) +{ + return ncSpanIsValidC(span) + ? span.size + : 0; +} + +static _nc_fn_inline uint32_t ncSpanGetSize(span_t span) +{ + return ncSpanIsValid(span) + ? span.size + : 0; } static _nc_fn_inline void ncSpanWrite(span_t span, uint32_t offset, const uint8_t* data, uint32_t size) diff --git a/src/noscrypt.c b/src/noscrypt.c index 46b3d65..deadca6 100644 --- a/src/noscrypt.c +++ b/src/noscrypt.c @@ -816,7 +816,12 @@ NC_EXPORT NCResult NC_CC NCEncryptEx( return E_VERSION_NOT_SUPPORTED; case NC_ENC_VERSION_NIP44: - return _encryptNip44Ex(ctx, (struct conversation_key*)conversationKey, args->keyData, args); + return _encryptNip44Ex( + ctx, + (struct conversation_key*)conversationKey, + args->keyData, + args + ); default: return E_VERSION_NOT_SUPPORTED; diff --git a/src/noscryptutil.c b/src/noscryptutil.c index 56acb1b..c47da13 100644 --- a/src/noscryptutil.c +++ b/src/noscryptutil.c @@ -309,7 +309,13 @@ static _nc_fn_inline void _cipherPublishOutput(NCUtilCipherContext* buffer, uint { /* use slice for debug guards */ slice = ncSpanSlice(buffer->buffer.output, offset, size); - ncSpanInitC(&buffer->buffer.actualOutput, slice.data, slice.size); + + /* init readonly span from mutable */ + ncSpanInitC( + &buffer->buffer.actualOutput, + ncSpanGetOffset(slice, 0), + ncSpanGetSize(slice) + ); } } @@ -330,7 +336,7 @@ static NCResult _nip44EncryptCompleteCore( NCResult result; cspan_t plainText; - span_t macData, macOutput, payload; + span_t macData, macOutput, message; uint32_t outPos; uint8_t ptSize[NIP44_PT_LEN_SIZE]; uint8_t hmacKeyOut[NC_ENCRYPTION_MAC_SIZE]; @@ -338,16 +344,18 @@ static NCResult _nip44EncryptCompleteCore( outPos = 0; encArgs = state->encArgs; - payload = state->buffer.output; + message = state->buffer.output; plainText = state->buffer.input; DEBUG_ASSERT(encArgs.version == NC_ENC_VERSION_NIP44); + ZERO_FILL(hmacKeyOut, sizeof(hmacKeyOut)); + /* Start by appending the version number */ - ncSpanAppend(payload, &outPos, Nip44VersionValue, sizeof(Nip44VersionValue)); + ncSpanAppend(message, &outPos, Nip44VersionValue, sizeof(Nip44VersionValue)); /* next is nonce data */ - ncSpanAppend(payload, &outPos, encArgs.nonceData, NC_ENCRYPTION_NONCE_SIZE); + ncSpanAppend(message, &outPos, encArgs.nonceData, NC_ENCRYPTION_NONCE_SIZE); DEBUG_ASSERT(outPos == 1 + NC_ENCRYPTION_NONCE_SIZE); /* @@ -385,16 +393,16 @@ static NCResult _nip44EncryptCompleteCore( result = NCSetEncryptionData( &encArgs, - ncSpanGetOffset(payload, outPos), /* in place encryption */ - ncSpanGetOffset(payload, outPos), + ncSpanGetOffset(message, outPos), /* in place encryption */ + ncSpanGetOffset(message, outPos), NIP44_PT_LEN_SIZE + _calcNip44PtPadding(plainText.size) /* Plaintext + pt size must be encrypted */ ); DEBUG_ASSERT(result == NC_SUCCESS); /* big endian plaintext size */ - ptSize[0] = (uint8_t)(plainText.size >> 8); - ptSize[1] = (uint8_t)(plainText.size & 0xFF); + ptSize[0] = (uint8_t)(ncSpanGetSizeC(plainText) >> 8); + ptSize[1] = (uint8_t)(ncSpanGetSizeC(plainText) & 0xFF); /* * Written position must point to the end of the padded ciphertext @@ -405,13 +413,13 @@ static NCResult _nip44EncryptCompleteCore( * the plaintext data, followed by zero padding. */ - ncSpanWrite(payload, outPos, ptSize, sizeof(ptSize)); + ncSpanWrite(message, outPos, ptSize, sizeof(ptSize)); ncSpanWrite( - payload, + message, outPos + NIP44_PT_LEN_SIZE, /* write pt directly after length */ - plainText.data, - plainText.size + ncSpanGetOffsetC(plainText, 0), + ncSpanGetSizeC(plainText) ); /* Move position pointer directly after final padding bytes */ @@ -429,14 +437,14 @@ static NCResult _nip44EncryptCompleteCore( this helper captures that data segment into a span */ - macData = _nip44GetMacData(payload); - macOutput = _nip44GetMacOutput(payload); + macData = _nip44GetMacData(message); + macOutput = _nip44GetMacOutput(message); result = NCComputeMac( libContext, hmacKeyOut, ncSpanGetOffset(macData, 0), - macData.size, + ncSpanGetSize(macData), ncSpanGetOffset(macOutput, 0) ); @@ -447,9 +455,9 @@ static NCResult _nip44EncryptCompleteCore( outPos += NC_ENCRYPTION_MAC_SIZE; - DEBUG_ASSERT2(outPos == payload.size, "Buffer under/overflow detected"); + DEBUG_ASSERT2(outPos == message.size, "Buffer under/overflow detected"); - /* publish all payload bytes to output */ + /* publish all message bytes to output */ _cipherPublishOutput(state, 0, outPos); /* zero hmac key before returning */ @@ -475,7 +483,7 @@ static NCResult _nip44DecryptCompleteCore( DEBUG_ASSERT(libContext && recvKey && sendKey && state); DEBUG_ASSERT(state->encArgs.version == NC_ENC_VERSION_NIP44); - DEBUG_ASSERT(state->buffer.input.size >= NIP44_MIN_PAYLOAD_SIZE); + DEBUG_ASSERT(ncSpanGetSizeC(state->buffer.input) >= NIP44_MIN_PAYLOAD_SIZE); /* ensure decryption mode */ DEBUG_ASSERT(state->_flags & NC_UTIL_CIPHER_MODE_DECRYPT); @@ -503,16 +511,16 @@ static NCResult _nip44DecryptCompleteCore( /* Verify mac if the user allowed it */ if ((state->_flags & NC_UTIL_CIPHER_MAC_NO_VERIFY) == 0) { - DEBUG_ASSERT(macValue.size == NC_ENCRYPTION_MAC_SIZE); - DEBUG_ASSERT(macData.size > NC_ENCRYPTION_NONCE_SIZE + MIN_PADDING_SIZE); + DEBUG_ASSERT(ncSpanGetSizeC(macValue) == NC_ENCRYPTION_MAC_SIZE); + DEBUG_ASSERT(ncSpanGetSizeC(macData) > NC_ENCRYPTION_NONCE_SIZE + MIN_PADDING_SIZE); /* Assign the mac data to the mac verify args */ macArgs.mac32 = ncSpanGetOffsetC(macValue, 0); macArgs.nonce32 = ncSpanGetOffsetC(nonce, 0); - /* payload for verifying a mac in nip44 is the nonce+ciphertext */ + /* message for verifying a mac in nip44 is the nonce+ciphertext */ macArgs.payload = ncSpanGetOffsetC(macData, 0); - macArgs.payloadSize = macData.size; + macArgs.payloadSize = ncSpanGetSizeC(macData); /* Verify the mac */ result = NCVerifyMac(libContext, recvKey, sendKey, &macArgs); @@ -541,7 +549,7 @@ static NCResult _nip44DecryptCompleteCore( &encArgs, ncSpanGetOffsetC(cipherText, 0), ncSpanGetOffset(output, 0), /*decrypt ciphertext and write directly to the output buffer */ - cipherText.size + ncSpanGetSizeC(cipherText) ); DEBUG_ASSERT(result == NC_SUCCESS); @@ -582,7 +590,7 @@ static NCResult _nip44DecryptCompleteCore( */ _cipherPublishOutput(state, NIP44_PT_LEN_SIZE, ptSize); - DEBUG_ASSERT(state->buffer.actualOutput.size < cipherText.size); + DEBUG_ASSERT(ncSpanGetSizeC(state->buffer.actualOutput) < cipherText.size); return result; } diff --git a/src/providers/bcrypt.c b/src/providers/bcrypt.c index 10cf801..2b9ba52 100644 --- a/src/providers/bcrypt.c +++ b/src/providers/bcrypt.c @@ -79,8 +79,8 @@ _IMPLSTB NTSTATUS _bcCreateHmac(struct _bcrypt_ctx* ctx, cspan_t key) &ctx->hHash, NULL, 0, - (uint8_t*)key.data, - key.size, + (uint8_t*)ncSpanGetOffsetC(key, 0), + ncSpanGetSizeC(key), BCRYPT_HASH_REUSABLE_FLAG /* Enable reusable for expand function */ ); } @@ -102,7 +102,11 @@ _IMPLSTB NTSTATUS _bcHashDataRaw(const struct _bcrypt_ctx* ctx, const uint8_t* d _IMPLSTB NTSTATUS _bcHashData(const struct _bcrypt_ctx* ctx, cspan_t data) { - return _bcHashDataRaw(ctx, data.data, data.size); + return _bcHashDataRaw( + ctx, + ncSpanGetOffsetC(data, 0), + ncSpanGetSizeC(data) + ); } _IMPLSTB NTSTATUS _bcFinishHash(const struct _bcrypt_ctx* ctx, sha256_t digestOut32) @@ -118,8 +122,8 @@ _IMPLSTB void _bcDestroyCtx(struct _bcrypt_ctx* ctx) /* Close the algorithm provider */ if (ctx->hAlg) BCryptCloseAlgorithmProvider(ctx->hAlg, 0); - ctx->hAlg = NULL; ctx->hHash = NULL; + ctx->hAlg = NULL; } #ifndef _IMPL_SECURE_ZERO_MEMSET @@ -213,7 +217,7 @@ _IMPLSTB void _bcDestroyCtx(struct _bcrypt_ctx* ctx) #define _IMPL_CRYPTO_SHA256_HKDF_EXPAND _bcrypt_fallback_hkdf_expand - cstatus_t _bcrypt_hkdf_update(void* ctx, cspan_t data) + static cstatus_t _bcrypt_hkdf_update(void* ctx, cspan_t data) { DEBUG_ASSERT(ctx != NULL) @@ -221,7 +225,7 @@ _IMPLSTB void _bcDestroyCtx(struct _bcrypt_ctx* ctx) return CSTATUS_OK; } - cstatus_t _bcrypt_hkdf_finish(void* ctx, sha256_t hmacOut32) + static cstatus_t _bcrypt_hkdf_finish(void* ctx, sha256_t hmacOut32) { DEBUG_ASSERT(ctx != NULL); DEBUG_ASSERT(hmacOut32 != NULL); diff --git a/src/providers/openssl.c b/src/providers/openssl.c index 5bade3b..7f405ef 100644 --- a/src/providers/openssl.c +++ b/src/providers/openssl.c @@ -27,6 +27,8 @@ #define _OSSL_FAIL(x) if(!(x)) return CSTATUS_FAIL; #define ossl_md_sha256() EVP_MD_fetch(NULL, "SHA2-256", NULL) +#define ossl_evp_fetch_chacha20() EVP_CIPHER_fetch(NULL, "ChaCha20", NULL) +#define ossl_mac_fetch_hmac() EVP_MAC_fetch(NULL, "hmac", NULL) #ifndef _IMPL_SECURE_ZERO_MEMSET @@ -67,9 +69,18 @@ _IMPLSTB cstatus_t _ossl_sha256_digest(cspan_t data, sha256_t digestOut32) { - _overflow_check(data.size) + _overflow_check(data.size); - _OSSL_FAIL(SHA256(data.data, data.size, digestOut32)) + DEBUG_ASSERT(digestOut32 != NULL); + DEBUG_ASSERT(ncSpanIsValidC(data)); + + _OSSL_FAIL( + SHA256( + ncSpanGetOffsetC(data, 0), + ncSpanGetSizeC(data), + digestOut32 + ) + ); return CSTATUS_OK; } @@ -95,17 +106,17 @@ _OSSL_FAIL( HMAC( ossl_md_sha256(), - key.data, - key.size, - data.data, - data.size, + ncSpanGetOffsetC(key, 0), + ncSpanGetSizeC(key), + ncSpanGetOffsetC(data, 0), + ncSpanGetSizeC(data), hmacOut32, &hmacLen ) - ) + ); /* digest length should match the actual digest size */ - DEBUG_ASSERT(hmacLen == sizeof(sha256_t)) + DEBUG_ASSERT(hmacLen == sizeof(sha256_t)); return CSTATUS_OK; } @@ -118,54 +129,91 @@ #define _IMPL_CRYPTO_SHA256_HKDF_EXPAND _ossl_sha256_hkdf_expand - cstatus_t _ossl_hkdf_update(void* ctx, cspan_t data) + struct ossl_hmac_state { + EVP_MAC_CTX* libCtx; + OSSL_PARAM params[2]; + cspan_t prk; + }; + + static cstatus_t _ossl_hmac_init(const struct ossl_hmac_state* osslCtx) { - DEBUG_ASSERT(ctx != NULL) + DEBUG_ASSERT(ncSpanIsValidC(osslCtx->prk)); + DEBUG_ASSERT(osslCtx->params != NULL); - _overflow_check(data.size) + _OSSL_FAIL( + EVP_MAC_init( + osslCtx->libCtx, + ncSpanGetOffsetC(osslCtx->prk, 0), + ncSpanGetSizeC(osslCtx->prk), + osslCtx->params + ) + ); + + return CSTATUS_OK; + } + + static cstatus_t _ossl_hkdf_update(void* ctx, cspan_t data) + { + const struct ossl_hmac_state* osslCtx; + + DEBUG_ASSERT(ctx != NULL); + _overflow_check(data.size); + + osslCtx = (const struct ossl_hmac_state*)ctx; + + DEBUG_ASSERT(osslCtx->libCtx != NULL); _OSSL_FAIL( EVP_MAC_update( - (EVP_MAC_CTX*)ctx, - data.data, - data.size + osslCtx->libCtx, + ncSpanGetOffsetC(data, 0), + ncSpanGetSizeC(data) ) - ) + ); return CSTATUS_OK; } - cstatus_t _ossl_hkdf_finish(void* ctx, sha256_t hmacOut32) + static cstatus_t _ossl_hkdf_finish(void* ctx, sha256_t hmacOut32) { + const struct ossl_hmac_state* osslCtx; size_t hmacSize; DEBUG_ASSERT(ctx != NULL); - DEBUG_ASSERT(hmacOut32 != NULL) + DEBUG_ASSERT(hmacOut32 != NULL); + osslCtx = (const struct ossl_hmac_state*)ctx; hmacSize = 0; + DEBUG_ASSERT(osslCtx->libCtx != NULL); + _OSSL_FAIL( EVP_MAC_final( - (EVP_MAC_CTX*)ctx, - hmacOut32, - &hmacSize, + osslCtx->libCtx, + hmacOut32, + &hmacSize, sizeof(sha256_t) ) - ) + ); /* When configured for sha256, should always be the same size in/out */ - DEBUG_ASSERT(hmacSize == sizeof(sha256_t)) - - return CSTATUS_OK; + DEBUG_ASSERT(hmacSize == sizeof(sha256_t)); + + /* + * Context must be re-initalized after finalize + * See lifecycle https://docs.openssl.org/3.0/man7/life_cycle-mac/#copyright + */ + + return _ossl_hmac_init(osslCtx); } + _IMPLSTB cstatus_t _ossl_sha256_hkdf_expand(cspan_t prk, cspan_t info, span_t okm) { EVP_MAC* mac; - EVP_MAC_CTX* ctx; cstatus_t result; - OSSL_PARAM params[2]; - struct nc_hkdf_fn_cb_struct handler; + struct ossl_hmac_state hkdfState; + struct nc_hkdf_fn_cb_struct handler; result = CSTATUS_FAIL; @@ -173,41 +221,47 @@ handler.finish = _ossl_hkdf_finish; _overflow_check(prk.size); + _overflow_check(info.size); + _overflow_check(okm.size); + + hkdfState.params[0] = OSSL_PARAM_construct_utf8_string("digest", "sha256", 0); + hkdfState.params[1] = OSSL_PARAM_construct_end(); + + hkdfState.prk = prk; /* * Silly openssl stuff. Enable hmac with sha256 using the system default * security provider. The one-shot flag must also be disabled (0) because * we need to call update multiple times. - * - * "provider=default,digest=SHA256,digest-oneshot=0" */ - ctx = NULL; - mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + mac = ossl_mac_fetch_hmac(); if (mac == NULL) { goto Cleanup; } - if ((ctx = EVP_MAC_CTX_new(mac)) == NULL) + hkdfState.libCtx = EVP_MAC_CTX_new(mac); + + if (hkdfState.libCtx == NULL) { goto Cleanup; } - params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA2-256", 0); - params[1] = OSSL_PARAM_construct_end(); - - if (!EVP_MAC_init(ctx, prk.data, prk.size, params)) + if (_ossl_hmac_init(&hkdfState) != CSTATUS_OK) { goto Cleanup; } - result = hkdfExpandProcess(&handler, ctx, info, okm); + DEBUG_ASSERT(EVP_MAC_CTX_get_mac_size(hkdfState.libCtx) == sizeof(sha256_t)); + + /* Pass the library */ + result = hkdfExpandProcess(&handler, &hkdfState, info, okm); Cleanup: - if (ctx) EVP_MAC_CTX_free(ctx); + if (hkdfState.libCtx) EVP_MAC_CTX_free(hkdfState.libCtx); if (mac) EVP_MAC_free(mac); return result; @@ -221,39 +275,115 @@ #define _IMPL_CHACHA20_CRYPT _ossl_chacha20_crypt - _IMPLSTB cstatus_t _ossl_chacha20_crypt( - const uint8_t* key, - const uint8_t* nonce, - const uint8_t* input, - uint8_t* output, - uint32_t dataLen + _IMPLSTB cstatus_t _ossl_chacha20_cipher_core( + const EVP_CIPHER* cipher, + cspan_t key, + cspan_t iv, + cspan_t input, + span_t output ) { cstatus_t result; EVP_CIPHER_CTX* ctx; + int tempLen, osslResult; - result = CSTATUS_FAIL; + DEBUG_ASSERT2(ncSpanGetSize(output) <= ncSpanGetSizeC(input), "Output buffer must be equal or larger than the input buffer"); + DEBUG_ASSERT(cipher != NULL); + + result = CSTATUS_FAIL; - if ((ctx = EVP_CIPHER_CTX_new()) == NULL) + ctx = EVP_CIPHER_CTX_new(); + + if (ctx == NULL) { - return CSTATUS_FAIL; + goto Cleanup; } - if (!EVP_EncryptInit_ex(ctx, EVP_chacha20(), NULL, key, nonce)) + osslResult = EVP_EncryptInit_ex2( + ctx, + cipher, + ncSpanGetOffsetC(key, 0), + ncSpanGetOffsetC(iv, 0), + NULL + ); + + if (!osslResult) { goto Cleanup; } - if (!EVP_EncryptUpdate(ctx, output, (int*)&dataLen, input, dataLen)) + osslResult = EVP_EncryptUpdate( + ctx, + ncSpanGetOffset(output, 0), + &tempLen, + ncSpanGetOffsetC(input, 0), + ncSpanGetSizeC(input) + ); + + if (!osslResult) { goto Cleanup; } + /* + * We can't get a pointer outside the range of the + * output buffer + */ + if (((uint32_t)tempLen) < ncSpanGetSize(output)) + { + if (!EVP_EncryptFinal_ex(ctx, ncSpanGetOffset(output, tempLen), &tempLen)) + { + goto Cleanup; + } + } + result = CSTATUS_OK; Cleanup: - EVP_CIPHER_CTX_free(ctx); + if (ctx) EVP_CIPHER_CTX_free(ctx); + + return result; + } + + _IMPLSTB cstatus_t _ossl_chacha20_crypt( + const uint8_t* key, + const uint8_t* nonce, + const uint8_t* input, + uint8_t* output, + uint32_t dataLen + ) + { + cstatus_t result; + EVP_CIPHER* cipher; + cspan_t keySpan, nonceSpan, inputSpan; + span_t outputSpan; + + result = CSTATUS_FAIL; + + ncSpanInitC(&keySpan, key, CHACHA_KEY_SIZE); + ncSpanInitC(&nonceSpan, nonce, CHACHA_NONCE_SIZE); + ncSpanInitC(&inputSpan, input, dataLen); + ncSpanInit(&outputSpan, output, dataLen); + + cipher = ossl_evp_fetch_chacha20(); + + if (cipher == NULL) + { + goto Cleanup; + } + + result = _ossl_chacha20_cipher_core( + cipher, + keySpan, + nonceSpan, + inputSpan, + outputSpan + ); + + Cleanup: + + if (cipher) EVP_CIPHER_free(cipher); return result; } -- cgit From e949ae5aa1fd25d4d11fe31e30b7d82ae7778dc2 Mon Sep 17 00:00:00 2001 From: vnugent Date: Mon, 5 Aug 2024 18:01:03 -0400 Subject: fix: Find and fix openssl encryption bug --- src/providers/bcrypt.c | 2 +- src/providers/mbedtls.c | 2 +- src/providers/monocypher.c | 2 +- src/providers/openssl.c | 21 ++++++++++++++++++--- 4 files changed, 21 insertions(+), 6 deletions(-) (limited to 'src/providers/openssl.c') diff --git a/src/providers/bcrypt.c b/src/providers/bcrypt.c index 2b9ba52..b9c370b 100644 --- a/src/providers/bcrypt.c +++ b/src/providers/bcrypt.c @@ -2,7 +2,7 @@ * Copyright (c) 2024 Vaughn Nugent * * Package: noscrypt -* File: impl/bcrypt.c +* File: providers/bcrypt.c * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License diff --git a/src/providers/mbedtls.c b/src/providers/mbedtls.c index 8479380..ead3279 100644 --- a/src/providers/mbedtls.c +++ b/src/providers/mbedtls.c @@ -2,7 +2,7 @@ * Copyright (c) 2024 Vaughn Nugent * * Package: noscrypt -* File: mbedtls.c +* File: providers/mbedtls.c * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License diff --git a/src/providers/monocypher.c b/src/providers/monocypher.c index 8ffe048..c35f63e 100644 --- a/src/providers/monocypher.c +++ b/src/providers/monocypher.c @@ -2,7 +2,7 @@ * Copyright (c) 2024 Vaughn Nugent * * Package: noscrypt -* File: impl/monocypher.c +* File: providers/monocypher.c * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License diff --git a/src/providers/openssl.c b/src/providers/openssl.c index 7f405ef..90f2fa9 100644 --- a/src/providers/openssl.c +++ b/src/providers/openssl.c @@ -2,7 +2,7 @@ * Copyright (c) 2024 Vaughn Nugent * * Package: noscrypt -* File: impl/openssl.c +* File: providers/openssl.c * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License @@ -290,7 +290,10 @@ DEBUG_ASSERT2(ncSpanGetSize(output) <= ncSpanGetSizeC(input), "Output buffer must be equal or larger than the input buffer"); DEBUG_ASSERT(cipher != NULL); - result = CSTATUS_FAIL; + DEBUG_ASSERT((uint32_t)EVP_CIPHER_get_key_length(cipher) == ncSpanGetSizeC(key)); + DEBUG_ASSERT((uint32_t)EVP_CIPHER_iv_length(cipher) == ncSpanGetSizeC(iv)); + + result = CSTATUS_FAIL; ctx = EVP_CIPHER_CTX_new(); @@ -356,13 +359,25 @@ { cstatus_t result; EVP_CIPHER* cipher; + uint8_t chaChaIv[CHACHA_NONCE_SIZE + 4]; cspan_t keySpan, nonceSpan, inputSpan; span_t outputSpan; result = CSTATUS_FAIL; + /* + * RFC 7539 ChaCha20 requires a 16 byte initialization vector. A + * counter value is preprended to the nonce to make up the 16 byte + * size. + * + * The counter is always set to 0 for the nonce. + */ + + ncCryptoSecureZero(chaChaIv, sizeof(chaChaIv)); + MEMMOV(chaChaIv + 4, nonce, CHACHA_NONCE_SIZE); + ncSpanInitC(&keySpan, key, CHACHA_KEY_SIZE); - ncSpanInitC(&nonceSpan, nonce, CHACHA_NONCE_SIZE); + ncSpanInitC(&nonceSpan, chaChaIv, sizeof(chaChaIv)); ncSpanInitC(&inputSpan, input, dataLen); ncSpanInit(&outputSpan, output, dataLen); -- cgit From 942aed8a4e7c173a2c9423829c2b38087cbd49e4 Mon Sep 17 00:00:00 2001 From: vnugent Date: Tue, 6 Aug 2024 20:54:03 -0400 Subject: chore: update changelog and mbedtls headers --- CHANGELOG.md | 26 +++- README.md | 2 +- src/providers/openssl.c | 4 +- vendor/mbedtls/include/mbedtls/build_info.h | 22 ++- vendor/mbedtls/include/mbedtls/check_config.h | 62 +++------ .../include/mbedtls/config_adjust_legacy_crypto.h | 19 ++- .../mbedtls/config_adjust_psa_from_legacy.h | 10 ++ vendor/mbedtls/include/mbedtls/config_adjust_ssl.h | 12 +- .../mbedtls/include/mbedtls/config_adjust_x509.h | 12 +- vendor/mbedtls/include/mbedtls/mbedtls_config.h | 148 +-------------------- vendor/mbedtls/include/mbedtls/ssl.h | 10 +- 11 files changed, 121 insertions(+), 206 deletions(-) (limited to 'src/providers/openssl.c') diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a91c7e..375d11c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.1.3-beta] - 2024-08-6 + +### Added +- Utilities sidecar library for easy note encryption (noscryptutil.h) +- Utilities for padding calculations +- Prints the name of the configured crypto backend during build +- Many internal hardening improvments (span pass-by-value, span validation functions) + +### Fixed +- OpenSSL EVP incorrect cipher initialization vector +- OpenSSL HKDF incorrect key derivation when switching to EVP api + +### Changed +- Updated libsecp256k1 to v0.5.1 +- Updated OpenSSL to v3.3.1 +- Converted `NCToSecKey()` and `NCToPubKey()` to a explicitly named macros +- Converted error code helper functions from header-only functions to standard api +- Added helper functions to alter the `NCEncryptionArgs` api. Altering fields directly is now deprecated. +- Public API visibility for non-Windows platforms now defaults to `extern` +- **Breaking:** Changed the `nonce32` and `hmacKeyOut32` properties of the `NCEncryptionArgs` struct to `nonceData` and `keyData` respectively. ABI is still compatible, but API has changed. Again mutating this structure manually is now deprecated. + ## [0.1.2] - 2024-05-29 ### Added @@ -24,7 +45,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed - Update libsecp256k1 to v0.5.0. -- **Breaking** `NCValidateSecretKey()` retruns NC_SUCCESS instead of 1. +- **Breaking:** `NCValidateSecretKey()` retruns NC_SUCCESS instead of 1. - Builds using OpenSSL as a crypto backend no longer require the monocypher dependency. ### Removed @@ -32,6 +53,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - NCContext structure defintion. - Internal headers from the public include directory. -[unreleased]: https://github.com/VnUgE/noscrypt/compare/v0.1.2...HEAD +[unreleased]: https://github.com/VnUgE/noscrypt/compare/v0.1.3-beta...HEAD +[0.1.3-beta]: https://github.com/VnUgE/noscrypt/compare/v0.1.2...v0.1.3-beta [0.1.2]: https://github.com/VnUgE/noscrypt/compare/v0.1.1...v0.1.2 [0.1.1]: https://github.com/VnUgE/noscrypt/compare/v0.1.0...v0.1.1 diff --git a/README.md b/README.md index ebbb9f7..f6fe93f 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ The following table lists the supported platforms and cryptography libraries tha GitHub is simply a mirror for my projects. Extended documentation, pre-compiled binaries and source code bundles are always available on my website, along with PGP signatures and checksums. - **[Documentation](https://www.vaughnnugent.com/resources/software/articles?tags=docs,_noscrypt)** -- **[Signed builds and sourc ecode](https://www.vaughnnugent.com/resources/software/modules/noscrypt)** +- **[Signed builds and source code](https://www.vaughnnugent.com/resources/software/modules/noscrypt)** ### Getting the package There are 3 ways to get the source code to build this project. diff --git a/src/providers/openssl.c b/src/providers/openssl.c index 90f2fa9..c2933fb 100644 --- a/src/providers/openssl.c +++ b/src/providers/openssl.c @@ -275,7 +275,7 @@ #define _IMPL_CHACHA20_CRYPT _ossl_chacha20_crypt - _IMPLSTB cstatus_t _ossl_chacha20_cipher_core( + _IMPLSTB cstatus_t _ossl_cipher_core( const EVP_CIPHER* cipher, cspan_t key, cspan_t iv, @@ -388,7 +388,7 @@ goto Cleanup; } - result = _ossl_chacha20_cipher_core( + result = _ossl_cipher_core( cipher, keySpan, nonceSpan, diff --git a/vendor/mbedtls/include/mbedtls/build_info.h b/vendor/mbedtls/include/mbedtls/build_info.h index eab167f..cf38f90 100644 --- a/vendor/mbedtls/include/mbedtls/build_info.h +++ b/vendor/mbedtls/include/mbedtls/build_info.h @@ -101,6 +101,13 @@ #define inline __inline #endif +#if defined(MBEDTLS_CONFIG_FILES_READ) +#error "Something went wrong: MBEDTLS_CONFIG_FILES_READ defined before reading the config files!" +#endif +#if defined(MBEDTLS_CONFIG_IS_FINALIZED) +#error "Something went wrong: MBEDTLS_CONFIG_IS_FINALIZED defined before reading the config files!" +#endif + /* X.509, TLS and non-PSA crypto configuration */ #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/mbedtls_config.h" @@ -135,6 +142,12 @@ #endif #endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ +/* Indicate that all configuration files have been read. + * It is now time to adjust the configuration (follow through on dependencies, + * make PSA and legacy crypto consistent, etc.). + */ +#define MBEDTLS_CONFIG_FILES_READ + /* Auto-enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if * MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_CTR_DRBG_C defined * to ensure a 128-bit key size in CTR_DRBG. @@ -169,8 +182,13 @@ #include "mbedtls/config_adjust_ssl.h" -/* Make sure all configuration symbols are set before including check_config.h, - * even the ones that are calculated programmatically. */ +/* Indicate that all configuration symbols are set, + * even the ones that are calculated programmatically. + * It is now safe to query the configuration (to check it, to size buffers, + * etc.). + */ +#define MBEDTLS_CONFIG_IS_FINALIZED + #include "mbedtls/check_config.h" #endif /* MBEDTLS_BUILD_INFO_H */ diff --git a/vendor/mbedtls/include/mbedtls/check_config.h b/vendor/mbedtls/include/mbedtls/check_config.h index b3c038d..2673229 100644 --- a/vendor/mbedtls/include/mbedtls/check_config.h +++ b/vendor/mbedtls/include/mbedtls/check_config.h @@ -2,6 +2,13 @@ * \file check_config.h * * \brief Consistency checks for configuration options + * + * This is an internal header. Do not include it directly. + * + * This header is included automatically by all public Mbed TLS headers + * (via mbedtls/build_info.h). Do not include it directly in a configuration + * file such as mbedtls/mbedtls_config.h or #MBEDTLS_USER_CONFIG_FILE! + * It would run at the wrong time due to missing derived symbols. */ /* * Copyright The Mbed TLS Contributors @@ -12,6 +19,13 @@ #define MBEDTLS_CHECK_CONFIG_H /* *INDENT-OFF* */ + +#if !defined(MBEDTLS_CONFIG_IS_FINALIZED) +#warning "Do not include mbedtls/check_config.h manually! " \ + "This may cause spurious errors. " \ + "It is included automatically at the right point since Mbed TLS 3.0." +#endif /* !MBEDTLS_CONFIG_IS_FINALIZED */ + /* * We assume CHAR_BIT is 8 in many places. In practice, this is true on our * target platforms, so not an issue, but let's just be extra sure. @@ -175,9 +189,7 @@ defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT) || \ defined(MBEDTLS_ECDSA_SIGN_ALT) || \ defined(MBEDTLS_ECDSA_VERIFY_ALT) || \ - defined(MBEDTLS_ECDSA_GENKEY_ALT) || \ - defined(MBEDTLS_ECP_INTERNAL_ALT) || \ - defined(MBEDTLS_ECP_ALT) ) + defined(MBEDTLS_ECDSA_GENKEY_ALT) ) #error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation" #endif @@ -255,42 +267,6 @@ #error "MBEDTLS_CHACHAPOLY_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_RANDOMIZE_JAC_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_ADD_MIXED_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_DOUBLE_JAC_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_NORMALIZE_JAC_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_NORMALIZE_MXZ_ALT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_ECP_NO_FALLBACK) && !defined(MBEDTLS_ECP_INTERNAL_ALT) -#error "MBEDTLS_ECP_NO_FALLBACK defined, but no alternative implementation enabled" -#endif - #if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C) #error "MBEDTLS_HKDF_C defined, but not all prerequisites" #endif @@ -754,8 +730,8 @@ #if !defined(MBEDTLS_SHA512_C) #error "MBEDTLS_SHA512_USE_A64_CRYPTO_* defined without MBEDTLS_SHA512_C" #endif -#if defined(MBEDTLS_SHA512_ALT) || defined(MBEDTLS_SHA512_PROCESS_ALT) -#error "MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*" +#if defined(MBEDTLS_SHA512_PROCESS_ALT) +#error "MBEDTLS_SHA512_PROCESS_ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*" #endif #endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ @@ -774,8 +750,8 @@ #if !defined(MBEDTLS_SHA256_C) #error "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* defined without MBEDTLS_SHA256_C" #endif -#if defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA256_PROCESS_ALT) -#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" +#if defined(MBEDTLS_SHA256_PROCESS_ALT) +#error "MBEDTLS_SHA256_PROCESS_ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" #endif #endif diff --git a/vendor/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h b/vendor/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h index e477c07..7a375d8 100644 --- a/vendor/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h +++ b/vendor/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h @@ -2,7 +2,9 @@ * \file mbedtls/config_adjust_legacy_crypto.h * \brief Adjust legacy configuration configuration * - * Automatically enable certain dependencies. Generally, MBEDLTS_xxx + * This is an internal header. Do not include it directly. + * + * Automatically enable certain dependencies. Generally, MBEDTLS_xxx * configurations need to be explicitly enabled by the user: enabling * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a * compilation error. However, we do automatically enable certain options @@ -22,6 +24,14 @@ #ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H #define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + /* Ideally, we'd set those as defaults in mbedtls_config.h, but * putting an #ifdef _WIN32 in mbedtls_config.h would confuse config.py. * @@ -48,7 +58,8 @@ defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG)) + defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)) #define MBEDTLS_CIPHER_C #endif @@ -422,7 +433,7 @@ #define MBEDTLS_PSA_UTIL_HAVE_ECDSA #endif -/* Some internal helpers to determine which keys are availble. */ +/* Some internal helpers to determine which keys are available. */ #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES)) #define MBEDTLS_SSL_HAVE_AES @@ -436,7 +447,7 @@ #define MBEDTLS_SSL_HAVE_CAMELLIA #endif -/* Some internal helpers to determine which operation modes are availble. */ +/* Some internal helpers to determine which operation modes are available. */ #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING)) #define MBEDTLS_SSL_HAVE_CBC diff --git a/vendor/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h b/vendor/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h index 3456615..14ca146 100644 --- a/vendor/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h +++ b/vendor/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h @@ -2,6 +2,8 @@ * \file mbedtls/config_adjust_psa_from_legacy.h * \brief Adjust PSA configuration: construct PSA configuration from legacy * + * This is an internal header. Do not include it directly. + * * When MBEDTLS_PSA_CRYPTO_CONFIG is disabled, we automatically enable * cryptographic mechanisms through the PSA interface when the corresponding * legacy mechanism is enabled. In many cases, this just enables the PSA @@ -18,6 +20,14 @@ #ifndef MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H #define MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + /* * Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG * is not defined diff --git a/vendor/mbedtls/include/mbedtls/config_adjust_ssl.h b/vendor/mbedtls/include/mbedtls/config_adjust_ssl.h index 39c7b3b..1f82d9c 100644 --- a/vendor/mbedtls/include/mbedtls/config_adjust_ssl.h +++ b/vendor/mbedtls/include/mbedtls/config_adjust_ssl.h @@ -2,7 +2,9 @@ * \file mbedtls/config_adjust_ssl.h * \brief Adjust TLS configuration * - * Automatically enable certain dependencies. Generally, MBEDLTS_xxx + * This is an internal header. Do not include it directly. + * + * Automatically enable certain dependencies. Generally, MBEDTLS_xxx * configurations need to be explicitly enabled by the user: enabling * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a * compilation error. However, we do automatically enable certain options @@ -22,6 +24,14 @@ #ifndef MBEDTLS_CONFIG_ADJUST_SSL_H #define MBEDTLS_CONFIG_ADJUST_SSL_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + /* The following blocks make it easier to disable all of TLS, * or of TLS 1.2 or 1.3 or DTLS, without having to manually disable all * key exchanges, options and extensions related to them. */ diff --git a/vendor/mbedtls/include/mbedtls/config_adjust_x509.h b/vendor/mbedtls/include/mbedtls/config_adjust_x509.h index 346c8ae..cfb2d88 100644 --- a/vendor/mbedtls/include/mbedtls/config_adjust_x509.h +++ b/vendor/mbedtls/include/mbedtls/config_adjust_x509.h @@ -2,7 +2,9 @@ * \file mbedtls/config_adjust_x509.h * \brief Adjust X.509 configuration * - * Automatically enable certain dependencies. Generally, MBEDLTS_xxx + * This is an internal header. Do not include it directly. + * + * Automatically enable certain dependencies. Generally, MBEDTLS_xxx * configurations need to be explicitly enabled by the user: enabling * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a * compilation error. However, we do automatically enable certain options @@ -22,4 +24,12 @@ #ifndef MBEDTLS_CONFIG_ADJUST_X509_H #define MBEDTLS_CONFIG_ADJUST_X509_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + #endif /* MBEDTLS_CONFIG_ADJUST_X509_H */ diff --git a/vendor/mbedtls/include/mbedtls/mbedtls_config.h b/vendor/mbedtls/include/mbedtls/mbedtls_config.h index 3592141..0f1b54e 100644 --- a/vendor/mbedtls/include/mbedtls/mbedtls_config.h +++ b/vendor/mbedtls/include/mbedtls/mbedtls_config.h @@ -40,12 +40,10 @@ * library/aria.c * library/bn_mul.h * library/constant_time.c - * library/padlock.h * * Required by: * MBEDTLS_AESCE_C * MBEDTLS_AESNI_C (on some platforms) - * MBEDTLS_PADLOCK_C * * Comment to disable the use of assembly code. */ @@ -352,62 +350,6 @@ */ //#define MBEDTLS_TIMING_ALT -/** - * \def MBEDTLS_AES_ALT - * - * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let Mbed TLS use your - * alternate core implementation of a symmetric crypto, an arithmetic or hash - * module (e.g. platform specific assembly optimized implementations). Keep - * in mind that the function prototypes should remain the same. - * - * This replaces the whole module. If you only want to replace one of the - * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. - * - * Example: In case you uncomment MBEDTLS_AES_ALT, Mbed TLS will no longer - * provide the "struct mbedtls_aes_context" definition and omit the base - * function declarations and implementations. "aes_alt.h" will be included from - * "aes.h" to include the new function definitions. - * - * Uncomment a macro to enable alternate implementation of the corresponding - * module. - * - * \warning MD5, DES and SHA-1 are considered weak and their - * use constitutes a security risk. If possible, we recommend - * avoiding dependencies on them, and considering stronger message - * digests and ciphers instead. - * - */ -//#define MBEDTLS_AES_ALT -//#define MBEDTLS_ARIA_ALT -//#define MBEDTLS_CAMELLIA_ALT -//#define MBEDTLS_CCM_ALT -//#define MBEDTLS_CHACHA20_ALT -//#define MBEDTLS_CHACHAPOLY_ALT -//#define MBEDTLS_CMAC_ALT -//#define MBEDTLS_DES_ALT -//#define MBEDTLS_DHM_ALT -//#define MBEDTLS_ECJPAKE_ALT -//#define MBEDTLS_GCM_ALT -//#define MBEDTLS_NIST_KW_ALT -//#define MBEDTLS_MD5_ALT -//#define MBEDTLS_POLY1305_ALT -//#define MBEDTLS_RIPEMD160_ALT -//#define MBEDTLS_RSA_ALT -//#define MBEDTLS_SHA1_ALT -//#define MBEDTLS_SHA256_ALT -//#define MBEDTLS_SHA512_ALT - -/* - * When replacing the elliptic curve module, please consider, that it is - * implemented with two .c files: - * - ecp.c - * - ecp_curves.c - * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT - * macros as described above. The only difference is that you have to make sure - * that you provide functionality for both .c files. - */ -//#define MBEDTLS_ECP_ALT - /** * \def MBEDTLS_SHA256_PROCESS_ALT * @@ -463,71 +405,6 @@ //#define MBEDTLS_ECDSA_SIGN_ALT //#define MBEDTLS_ECDSA_GENKEY_ALT -/** - * \def MBEDTLS_ECP_INTERNAL_ALT - * - * Expose a part of the internal interface of the Elliptic Curve Point module. - * - * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let Mbed TLS use your - * alternative core implementation of elliptic curve arithmetic. Keep in mind - * that function prototypes should remain the same. - * - * This partially replaces one function. The header file from Mbed TLS is still - * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation - * is still present and it is used for group structures not supported by the - * alternative. - * - * The original implementation can in addition be removed by setting the - * MBEDTLS_ECP_NO_FALLBACK option, in which case any function for which the - * corresponding MBEDTLS_ECP__FUNCTION_NAME__ALT macro is defined will not be - * able to fallback to curves not supported by the alternative implementation. - * - * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT - * and implementing the following functions: - * unsigned char mbedtls_internal_ecp_grp_capable( - * const mbedtls_ecp_group *grp ) - * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ) - * void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp ) - * The mbedtls_internal_ecp_grp_capable function should return 1 if the - * replacement functions implement arithmetic for the given group and 0 - * otherwise. - * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are - * called before and after each point operation and provide an opportunity to - * implement optimized set up and tear down instructions. - * - * Example: In case you set MBEDTLS_ECP_INTERNAL_ALT and - * MBEDTLS_ECP_DOUBLE_JAC_ALT, Mbed TLS will still provide the ecp_double_jac() - * function, but will use your mbedtls_internal_ecp_double_jac() if the group - * for the operation is supported by your implementation (i.e. your - * mbedtls_internal_ecp_grp_capable() function returns 1 for this group). If the - * group is not supported by your implementation, then the original Mbed TLS - * implementation of ecp_double_jac() is used instead, unless this fallback - * behaviour is disabled by setting MBEDTLS_ECP_NO_FALLBACK (in which case - * ecp_double_jac() will return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE). - * - * The function prototypes and the definition of mbedtls_ecp_group and - * mbedtls_ecp_point will not change based on MBEDTLS_ECP_INTERNAL_ALT, so your - * implementation of mbedtls_internal_ecp__function_name__ must be compatible - * with their definitions. - * - * Uncomment a macro to enable alternate implementation of the corresponding - * function. - */ -/* Required for all the functions in this section */ -//#define MBEDTLS_ECP_INTERNAL_ALT -/* Turn off software fallback for curves not supported in hardware */ -//#define MBEDTLS_ECP_NO_FALLBACK -/* Support for Weierstrass curves with Jacobi representation */ -//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT -//#define MBEDTLS_ECP_ADD_MIXED_ALT -//#define MBEDTLS_ECP_DOUBLE_JAC_ALT -//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT -//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT -/* Support for curves with Montgomery arithmetic */ -//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT -//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT -//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT - /** * \def MBEDTLS_ENTROPY_HARDWARE_ALT * @@ -830,7 +707,7 @@ * * \note This option only works with the default software implementation of * elliptic curve functionality. It is incompatible with - * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT. + * MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT. * * Requires: MBEDTLS_ECP_C * @@ -1118,7 +995,7 @@ * MBEDTLS_ECP_DP_SECP256R1_ENABLED * * \warning If SHA-256 is provided only by a PSA driver, you must call - * psa_crypto_init() before the first hanshake (even if + * psa_crypto_init() before the first handshake (even if * MBEDTLS_USE_PSA_CRYPTO is disabled). * * This enables the following ciphersuites (if other requisites are @@ -2606,11 +2483,6 @@ * Enable the CMAC (Cipher-based Message Authentication Code) mode for block * ciphers. * - * \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying - * implementation of the CMAC algorithm is provided by an alternate - * implementation, that alternate implementation may opt to not support - * AES-192 or 3DES as underlying block ciphers for the CMAC operation. - * * Module: library/cmac.c * * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C @@ -2625,7 +2497,7 @@ * The CTR_DRBG generator uses AES-256 by default. * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above. * - * AES support can either be achived through builtin (MBEDTLS_AES_C) or PSA. + * AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA. * Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA * is used. * @@ -3010,20 +2882,6 @@ */ #define MBEDTLS_OID_C -/** - * \def MBEDTLS_PADLOCK_C - * - * Enable VIA Padlock support on x86. - * - * Module: library/padlock.c - * Caller: library/aes.c - * - * Requires: MBEDTLS_HAVE_ASM - * - * This modules adds support for the VIA PadLock on x86. - */ -#define MBEDTLS_PADLOCK_C - /** * \def MBEDTLS_PEM_PARSE_C * diff --git a/vendor/mbedtls/include/mbedtls/ssl.h b/vendor/mbedtls/include/mbedtls/ssl.h index ca130a3..5b22517 100644 --- a/vendor/mbedtls/include/mbedtls/ssl.h +++ b/vendor/mbedtls/include/mbedtls/ssl.h @@ -643,8 +643,8 @@ */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_SSL_SESSION_TICKETS) && \ - defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) && \ - defined(MBEDTLS_MD_CAN_SHA384) + defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM) && \ + defined(PSA_WANT_ALG_SHA_384) #define MBEDTLS_PSK_MAX_LEN 48 /* 384 bits */ #else #define MBEDTLS_PSK_MAX_LEN 32 /* 256 bits */ @@ -1153,10 +1153,10 @@ typedef void mbedtls_ssl_async_cancel_t(mbedtls_ssl_context *ssl); #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #define MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN 48 -#if defined(MBEDTLS_MD_CAN_SHA256) +#if defined(PSA_WANT_ALG_SHA_256) #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA256 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 32 -#elif defined(MBEDTLS_MD_CAN_SHA384) +#elif defined(PSA_WANT_ALG_SHA_384) #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA384 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 48 #elif defined(MBEDTLS_MD_CAN_SHA1) @@ -2364,7 +2364,7 @@ int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl, */ int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl, int *enabled, - unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX], + unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX], size_t *own_cid_len); /** -- cgit