From 7cb7a93de4f6f5e741bc5129e3d928e44f050930 Mon Sep 17 00:00:00 2001 From: vnugent Date: Tue, 23 Apr 2024 18:19:31 -0400 Subject: refactor!: MbedTLS on Windows, switch to uint32 --- src/crypto/impl/bcrypt.c | 295 +++++++++++++++++++++ src/crypto/impl/mbedtls.c | 170 +++++++++++++ src/crypto/impl/monocypher.c | 83 ++++++ src/crypto/impl/openssl.c | 46 ++++ src/crypto/nc-crypto.c | 272 ++++++++++++++++++++ src/crypto/nc-crypto.h | 73 ++++++ src/internal/impl/bcrypt.c | 297 ---------------------- src/internal/impl/mbedtls.c | 158 ------------ src/internal/impl/monocypher.c | 84 ------ src/internal/impl/openssl.c | 47 ---- src/internal/nc-crypto.c | 269 -------------------- src/internal/nc-crypto.h | 73 ------ src/internal/nc-util.h | 88 ------- src/noscrypt.c | 20 +- src/noscrypt.h | 562 ----------------------------------------- src/platform.h | 48 ---- 16 files changed, 949 insertions(+), 1636 deletions(-) create mode 100644 src/crypto/impl/bcrypt.c create mode 100644 src/crypto/impl/mbedtls.c create mode 100644 src/crypto/impl/monocypher.c create mode 100644 src/crypto/impl/openssl.c create mode 100644 src/crypto/nc-crypto.c create mode 100644 src/crypto/nc-crypto.h delete mode 100644 src/internal/impl/bcrypt.c delete mode 100644 src/internal/impl/mbedtls.c delete mode 100644 src/internal/impl/monocypher.c delete mode 100644 src/internal/impl/openssl.c delete mode 100644 src/internal/nc-crypto.c delete mode 100644 src/internal/nc-crypto.h delete mode 100644 src/internal/nc-util.h delete mode 100644 src/noscrypt.h delete mode 100644 src/platform.h (limited to 'src') diff --git a/src/crypto/impl/bcrypt.c b/src/crypto/impl/bcrypt.c new file mode 100644 index 0000000..970f68f --- /dev/null +++ b/src/crypto/impl/bcrypt.c @@ -0,0 +1,295 @@ +/* +* Copyright (c) 2024 Vaughn Nugent +* +* Package: noscrypt +* File: impl/bcrypt.c +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public License +* as published by the Free Software Foundation; either version 2.1 +* of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public License +* along with noscrypt. If not, see http://www.gnu.org/licenses/. +*/ + + +/* +* This file provides as many fallback implementations on Windows plaforms +* as possible using the bcrypt library. This file should be included behind +* other libarry implementations, as it is a fallback. +*/ + +#ifdef _NC_IS_WINDOWS + +#define WIN32_LEAN_AND_MEAN +#include +#include + +#include "nc-util.h" + +#define IF_BC_FAIL(x) if(!BCRYPT_SUCCESS(x)) + +struct _bcrypt_ctx +{ + BCRYPT_ALG_HANDLE hAlg; + BCRYPT_HASH_HANDLE hHash; +}; + +_IMPLSTB NTSTATUS _bcInitSha256(struct _bcrypt_ctx* ctx, DWORD flags) +{ + NTSTATUS result; + + result = BCryptOpenAlgorithmProvider( + &ctx->hAlg, + BCRYPT_SHA256_ALGORITHM, + NULL, + flags + ); + + /* + * If operation failed, ensure the algorithm handle is null + * to make free code easier to cleanup + */ + if (!BCRYPT_SUCCESS(result)) + { + ctx->hAlg = NULL; + } + + return result; +} + +_IMPLSTB NTSTATUS _bcCreateHmac(struct _bcrypt_ctx* ctx, const cspan_t* key) +{ + /* + * NOTE: + * I am not explicitly managing the hash object buffer. By setting + * the hash object to NULL, and length to 0, the buffer will be + * managed by the bcrypt library. + * + * See: https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatehash + */ + + return BCryptCreateHash( + ctx->hAlg, + &ctx->hHash, + NULL, + 0, + (uint8_t*)key->data, + key->size, + BCRYPT_HASH_REUSABLE_FLAG /* Enable reusable for expand function */ + ); +} + +_IMPLSTB NTSTATUS _bcCreate(struct _bcrypt_ctx* ctx) +{ + cspan_t key; + + /* Zero out key span for 0 size and NULL data ptr */ + SecureZeroMemory(&key, sizeof(cspan_t)); + + return _bcCreateHmac(ctx, &key); +} + +_IMPLSTB NTSTATUS _bcHashDataRaw(const struct _bcrypt_ctx* ctx, const uint8_t* data, uint32_t len) +{ + return BCryptHashData(ctx->hHash, (uint8_t*)data, len, 0); +} + +_IMPLSTB NTSTATUS _bcHashData(const struct _bcrypt_ctx* ctx, const cspan_t* data) +{ + return _bcHashDataRaw(ctx, data->data, data->size); +} + +_IMPLSTB NTSTATUS _bcFinishHash(const struct _bcrypt_ctx* ctx, sha256_t digestOut32) +{ + return BCryptFinishHash(ctx->hHash, digestOut32, sizeof(sha256_t), 0); +} + +_IMPLSTB void _bcDestroyCtx(struct _bcrypt_ctx* ctx) +{ + /* Free the hash memory if it was allocated */ + if(ctx->hHash) BCryptDestroyHash(ctx->hHash); + + /* Close the algorithm provider */ + if (ctx->hAlg) BCryptCloseAlgorithmProvider(ctx->hAlg, 0); + + ctx->hAlg = NULL; + ctx->hHash = NULL; +} + +#ifndef _IMPL_SECURE_ZERO_MEMSET + /* + * On Windows, we can use SecureZeroMemory + * as platform zeroing function. + * + * NOTE: + * SecureZeroMemory2 uses volitle function argument + * pointers, which is a contested mehtod of compiler + * optimization prevention. GNU seems to oppose this method + * + * https://learn.microsoft.com/en-us/windows/win32/memory/winbase-securezeromemory2 + */ + #define _IMPL_SECURE_ZERO_MEMSET SecureZeroMemory +#endif /* !_IMPL_SECURE_ZERO_MEMSET */ + +/* +* Provide win32 fallback for sha256 digest if needed +*/ + +#ifndef _IMPL_CRYPTO_SHA256_DIGEST + + /* Export function fallack */ + #define _IMPL_CRYPTO_SHA256_DIGEST _bcrypt_sha256_digest + + _IMPLSTB cstatus_t _bcrypt_sha256_digest(const cspan_t* data, sha256_t digestOut32) + { + cstatus_t result; + struct _bcrypt_ctx ctx; + + result = CSTATUS_FAIL; /* Start in fail state */ + + IF_BC_FAIL(_bcInitSha256(&ctx, 0)) goto Exit; + + IF_BC_FAIL(_bcCreate(&ctx)) goto Exit; + + IF_BC_FAIL(_bcHashData(&ctx, data)) goto Exit; + + IF_BC_FAIL(_bcFinishHash(&ctx, digestOut32)) goto Exit; + + result = CSTATUS_OK; /* Hash operation completed, so set success */ + + Exit: + + _bcDestroyCtx(&ctx); + + return result; + } + +#endif /* !_IMPL_CRYPTO_SHA256_DIGEST */ + +#ifndef _IMPL_CRYPTO_SHA256_HMAC + + /* Export function */ + #define _IMPL_CRYPTO_SHA256_HMAC _bcrypt_hmac_sha256 + + _IMPLSTB cstatus_t _bcrypt_hmac_sha256(const cspan_t* key, const cspan_t* data, sha256_t hmacOut32) + { + cstatus_t result; + struct _bcrypt_ctx ctx; + + result = CSTATUS_FAIL; /* Start in fail state */ + + /* Init context with hmac flag set */ + IF_BC_FAIL(_bcInitSha256(&ctx, BCRYPT_ALG_HANDLE_HMAC_FLAG)) goto Exit; + + IF_BC_FAIL(_bcCreateHmac(&ctx, key)) goto Exit; + + IF_BC_FAIL(_bcHashData(&ctx, data)) goto Exit; + + IF_BC_FAIL(_bcFinishHash(&ctx, hmacOut32)) goto Exit; + + result = CSTATUS_OK; /* HMAC operation completed, so set success */ + + Exit: + + _bcDestroyCtx(&ctx); + + return result; + } + +#endif /* !_IMPL_CRYPTO_SHA256_HMAC */ + +/* +* Provide a fallback HKDF expand function using the +* HMAC function as a base. +*/ + +#ifndef _IMPL_CRYPTO_SHA256_HKDF_EXPAND + + #define _IMPL_CRYPTO_SHA256_HKDF_EXPAND _bcrypt_fallback_hkdf_expand + + /* Include string for memmove */ + #include + + static void ncWriteSpanS(span_t* span, uint32_t offset, const uint8_t* data, uint32_t size) + { + DEBUG_ASSERT2(span != NULL, "Expected span to be non-null") + DEBUG_ASSERT2(data != NULL, "Expected data to be non-null") + DEBUG_ASSERT2(offset + size <= span->size, "Expected offset + size to be less than span size") + + /* Copy data to span */ + memmove(span->data + offset, data, size); + } + + STATIC_ASSERT(HKDF_IN_BUF_SIZE > SHA256_DIGEST_SIZE, "HDK Buffer must be at least the size of the underlying hashing alg output") + + /* + * The following functions implements the HKDF expand function using an existing + * HMAC function. This is a fallback implementation for Windows platforms at the moment. + * + * This follows the guidence from RFC 5869: https://tools.ietf.org/html/rfc5869 + */ + + #define _BC_MIN(a, b) (a < b ? a : b) + + _IMPLSTB cstatus_t _bcrypt_fallback_hkdf_expand(const cspan_t* prk, const cspan_t* info, span_t* okm) + { + cstatus_t result; + struct _bcrypt_ctx ctx; + + uint8_t counter; + uint32_t tLen, okmOffset; + uint8_t t[HKDF_IN_BUF_SIZE]; + + _IMPL_SECURE_ZERO_MEMSET(t, sizeof(t)); + + tLen = 0; /* T(0) is an empty string(zero length) */ + okmOffset = 0; + result = CSTATUS_FAIL; /* Start in fail state */ + + /* Init context with hmac flag set, it will be reused */ + IF_BC_FAIL(_bcInitSha256(&ctx, BCRYPT_ALG_HANDLE_HMAC_FLAG)) goto Exit; + + /* Set hmac key to the prk, alg is set to reusable */ + IF_BC_FAIL(_bcCreateHmac(&ctx, prk)) goto Exit; + + /* Compute T(N) = HMAC(prk, T(n-1) | info | n) */ + for (counter = 1; okmOffset < okm->size; counter++) + { + IF_BC_FAIL(_bcHashDataRaw(&ctx, t, tLen)) goto Exit; + IF_BC_FAIL(_bcHashData(&ctx, info)) goto Exit; + IF_BC_FAIL(_bcHashDataRaw(&ctx, &counter, sizeof(counter))) goto Exit; + + /* Write current hash state to t buffer */ + IF_BC_FAIL(_bcFinishHash(&ctx, t)) goto Exit; + + /* Set the length of the current hash state */ + tLen = _BC_MIN(okm->size - okmOffset, SHA256_DIGEST_SIZE); + + DEBUG_ASSERT(tLen <= sizeof(t)); + + /* write the T buffer back to okm */ + ncWriteSpanS(okm, okmOffset, t, tLen); + + /* shift base okm pointer by T */ + okmOffset += tLen; + } + + result = CSTATUS_OK; /* HMAC operation completed, so set success */ + + Exit: + + _bcDestroyCtx(&ctx); + + return result; + } + +#endif /* !_IMPL_CRYPTO_SHA256_HKDF_EXPAND */ + +#endif /* _NC_IS_WINDOWS */ \ No newline at end of file diff --git a/src/crypto/impl/mbedtls.c b/src/crypto/impl/mbedtls.c new file mode 100644 index 0000000..ae36bbd --- /dev/null +++ b/src/crypto/impl/mbedtls.c @@ -0,0 +1,170 @@ +/* +* Copyright (c) 2024 Vaughn Nugent +* +* Package: noscrypt +* File: mbedtls.c +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public License +* as published by the Free Software Foundation; either version 2.1 +* of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public License +* along with noscrypt. If not, see http://www.gnu.org/licenses/. +*/ + + +/* +* This file contains implemntation functions for the required +* cryptography primitives of noscrypt. This file stubs functionality +* using the Mbed-TLS library, if the builder desires to link against +* it. +*/ + +#ifdef MBEDTLS_CRYPTO_LIB + +#include +#include +#include +#include +#include +#include + +#include "nc-util.h" + +/* +* EXPORT SUPPORTED FUNCTION OVERRIDES +*/ + +_IMPLSTB const mbedtls_md_info_t* _mbed_sha256_alg(void) +{ + const mbedtls_md_info_t* info; + /* Get sha256 md info for hdkf operations */ + info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256); + DEBUG_ASSERT2(info != NULL, "Expected SHA256 md info pointer to be valid") + return info; +} + +#if SIZE_MAX < UINT64_MAX + #define _ssize_guard(x) if(x > SIZE_MAX) return CSTATUS_FAIL; + #define _ssize_guard_int(x) if(x > SIZE_MAX) return 1; +#else + #define _ssize_guard(x) + #define _ssize_guard_int(x) +#endif + +#ifndef _IMPL_CHACHA20_CRYPT + + /* Export chacha20 computation */ + #define _IMPL_CHACHA20_CRYPT _mbed_chacha20_encrypt + + _IMPLSTB cstatus_t _mbed_chacha20_encrypt( + const uint8_t* key, + const uint8_t* nonce, + const uint8_t* input, + uint8_t* output, + uint32_t dataLen + ) + { + _ssize_guard(dataLen) + + /* Counter always starts at 0 */ + return mbedtls_chacha20_crypt( + key, + nonce, + 0x00u, /* nip-44 counter version */ + dataLen, + input, + output + ) == 0 ? CSTATUS_OK : CSTATUS_FAIL; + } + +#endif + +/* Export sha256 if not already defined */ +#ifndef _IMPL_CRYPTO_SHA256_DIGEST + + #define _IMPL_CRYPTO_SHA256_DIGEST _mbed_sha256_digest + + _IMPLSTB cstatus_t _mbed_sha256_digest(const cspan_t* data, sha256_t digestOut32) + { + _ssize_guard(data->size) + + return mbedtls_sha256( + data->data, + data->size, + digestOut32, + 0 /* Set 0 for sha256 mode */ + ) == 0 ? CSTATUS_OK : CSTATUS_FAIL; + } + +#endif + +/* Export Sha256 hmac if not already defined by other libs */ +#ifndef _IMPL_CRYPTO_SHA256_HMAC + + #define _IMPL_CRYPTO_SHA256_HMAC _mbed_sha256_hmac + + _IMPLSTB cstatus_t _mbed_sha256_hmac(const cspan_t* key, const cspan_t* data, sha256_t hmacOut32) + { + _ssize_guard(data->size) + + /* Keys should never be large enough for this to matter, but sanity check. */ + DEBUG_ASSERT2(key->size < SIZE_MAX, "Expected key size to be less than SIZE_MAX") + + return mbedtls_md_hmac( + _mbed_sha256_alg(), + key->data, + key->size, + data->data, + data->size, + hmacOut32 + ) == 0 ? CSTATUS_OK : CSTATUS_FAIL; + } +#endif + +/* Export hkdf expand if not already defined */ +#ifndef _IMPL_CRYPTO_SHA256_HKDF_EXPAND + + #define _IMPL_CRYPTO_SHA256_HKDF_EXPAND _mbed_sha256_hkdf_expand + + _IMPLSTB cstatus_t _mbed_sha256_hkdf_expand(const cspan_t* prk, const cspan_t* info, span_t* okm) + { + /* These sizes should never be large enough to overflow on <64bit platforms, but sanity check */ + DEBUG_ASSERT(okm->size < SIZE_MAX) + DEBUG_ASSERT(prk->size < SIZE_MAX) + DEBUG_ASSERT(info->size < SIZE_MAX) + + return mbedtls_hkdf_expand( + _mbed_sha256_alg(), + prk->data, + prk->size, + info->data, + info->size, + okm->data, + okm->size + ) == 0 ? CSTATUS_OK : CSTATUS_FAIL; + } + +#endif + +/* Export fixed-time compare if not already defined */ +#ifndef _IMPL_CRYPTO_FIXED_TIME_COMPARE + + #define _IMPL_CRYPTO_FIXED_TIME_COMPARE _mbed_fixed_time_compare + + /* fixed-time memcmp */ + _IMPLSTB uint32_t _mbed_fixed_time_compare(const uint8_t* a, const uint8_t* b, uint32_t size) + { + _ssize_guard_int(size) + + return (uint32_t)mbedtls_ct_memcmp(a, b, size); + } +#endif + +#endif \ No newline at end of file diff --git a/src/crypto/impl/monocypher.c b/src/crypto/impl/monocypher.c new file mode 100644 index 0000000..790f5e9 --- /dev/null +++ b/src/crypto/impl/monocypher.c @@ -0,0 +1,83 @@ +/* +* Copyright (c) 2024 Vaughn Nugent +* +* Package: noscrypt +* File: impl/monocypher.c +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public License +* as published by the Free Software Foundation; either version 2.1 +* of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public License +* along with noscrypt. If not, see http://www.gnu.org/licenses/. +*/ + + +/* +* This file handles some fallbacks that may not be available on +* some platforms. More specifically: +* - Secure memset 0 +* - Chacha20 cipher +* +*/ + +#ifdef NC_ENABLE_MONOCYPHER + +#include + +#include "nc-util.h" + +/* Export secure memse0 */ +#ifndef _IMPL_SECURE_ZERO_MEMSET + + /* export cytpo wipe function as is */ + #define _IMPL_SECURE_ZERO_MEMSET crypto_wipe +#endif + +/* Export Chacha20 */ +#ifndef _IMPL_CHACHA20_CRYPT + + #define _IMPL_CHACHA20_CRYPT _mc_chacha20_crypt + + _IMPLSTB cstatus_t _mc_chacha20_crypt( + const uint8_t* key, + const uint8_t* nonce, + const uint8_t* input, + uint8_t* output, + uint32_t dataLen + ) + { + if(dataLen > SIZE_MAX) + { + return CSTATUS_FAIL; + } + + /* + * Function returns the next counter value which is not + * needed for noscrypt as encryptions are one-shot, and + * require a new nonce for each encryption. + * + * ITEF function uses a 12byte nonce which is required for + * nip-44 compliant encryption. + */ + crypto_chacha20_ietf( + output, + input, + (size_t)dataLen, + key, + nonce, + 0x00 /* Counter always starts at 0 */ + ); + + return CSTATUS_OK; + } + +#endif + +#endif /* !NC_ENABLE_MONOCYPHER */ \ No newline at end of file diff --git a/src/crypto/impl/openssl.c b/src/crypto/impl/openssl.c new file mode 100644 index 0000000..1217e60 --- /dev/null +++ b/src/crypto/impl/openssl.c @@ -0,0 +1,46 @@ +/* +* Copyright (c) 2024 Vaughn Nugent +* +* Package: noscrypt +* File: impl/openssl.c +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public License +* as published by the Free Software Foundation; either version 2.1 +* of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public License +* along with noscrypt. If not, see http://www.gnu.org/licenses/. +*/ + + +/* Setup openssl */ + +#ifdef OPENSSL_CRYPTO_LIB + +#include + +#include "nc-util.h" + +/* +* EXPORT SUPPORTED FUNCTIONS AS MACROS +*/ +#define _IMPL_CHACHA20_CRYPT _mbed_chacha20_encrypt +#define _IMPL_CRYPTO_SHA256_HMAC _mbed_sha256_hmac +#define _IMPL_CRYPTO_SHA256_DIGEST _ossl_sha256_digest +#define _IMPL_CRYPTO_FIXED_TIME_COMPARE _mbed_fixed_time_compare +#define _IMPL_CRYPTO_SHA256_HKDF_EXPAND _mbed_sha256_hkdf_expand +#define _IMPL_CRYPTO_SHA256_HKDF_EXTRACT _mbed_sha256_hkdf_extract + +_IMPLSTB int _ossl_sha256_digest(const uint8_t* data, uint8_t* digest) +{ + +} + + +#endif /*!OPENSSL_CRYPTO_LIB */ \ No newline at end of file diff --git a/src/crypto/nc-crypto.c b/src/crypto/nc-crypto.c new file mode 100644 index 0000000..fb2c0da --- /dev/null +++ b/src/crypto/nc-crypto.c @@ -0,0 +1,272 @@ +/* +* Copyright (c) 2024 Vaughn Nugent +* +* Package: noscrypt +* File: nc-crypto.c +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public License +* as published by the Free Software Foundation; either version 2.1 +* of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public License +* along with noscrypt. If not, see http://www.gnu.org/licenses/. +*/ + +#include "nc-util.h" +#include "nc-crypto.h" + +/* +* Functions are not forced inline, just suggested. +* So unless it beomes a performance issue, I will leave +* most/all impl functions inline and let the compiler +* decide. +*/ + +#define _IMPLSTB static _nc_fn_inline + +/* +* Impl .c files may define the following macros for function implementations: +* +* _IMPL_SECURE_ZERO_MEMSET secure memset 0 function +* _IMPL_CHACHA20_CRYPT chacha20 cipher function +* _IMPL_CRYPTO_FIXED_TIME_COMPARE fixed time compare function +* _IMPL_CRYPTO_SHA256_HMAC sha256 hmac function +* _IMPL_CRYPTO_SHA256_DIGEST standard sha256 digest function +* _IMPL_CRYPTO_SHA256_HKDF_EXPAND hkdf expand function +* _IMPL_CRYPTO_SHA256_HKDF_EXTRACT hkdf extract function +* +* Macros are used to allow the preprocessor to select the correct implementation +* or raise errors if no implementation is defined. +*/ + + + +/* +* Prioritize embedded builds with mbedtls +*/ +#include "impl/mbedtls.c" + +/* +* Include openssl as an alternative default +* implementation +*/ +#include "impl/openssl.c" + +/* +* Include win32 platform specific fallback support +* using bcrypt. +*/ +#include "impl/bcrypt.c" + +/* +* Handle default implementations of secure +* memset 0 functions for each platform. +*/ +#ifndef _IMPL_SECURE_ZERO_MEMSET + #if defined(__GNUC__) + /* + * When using libc, we can use explicit_bzero + * as secure memset implementation. + * + * https://sourceware.org/glibc/manual/2.39/html_mono/libc.html#Erasing-Sensitive-Data + */ + #include + #define _IMPL_SECURE_ZERO_MEMSET explicit_bzero + #endif +#endif + +/* +* Finally fall back to monocipher to handle some +* that are not provided by other libraries. +* +* Platform specific opimizations are considered +* "better" than monocypher options, so this is +* added as a last resort. Momocypher is "correct" +* and portable, but not optimized for any specific +* platform. +*/ +#include "impl/monocypher.c" + + +#ifdef _IMPL_CRYPTO_SHA256_HMAC + + /* + * If a library does not provide a HKDF extract function, + * we can just use the HMAC function as a fallback. + * + * This is a fallback because another library may provide + * a more optimized implementation. + */ + + #ifndef _IMPL_CRYPTO_SHA256_HKDF_EXTRACT + + #define _IMPL_CRYPTO_SHA256_HKDF_EXTRACT _fallbackHkdfExtract + + _IMPLSTB cstatus_t _fallbackHkdfExtract(const cspan_t* salt, const cspan_t* ikm, sha256_t prk) + { + return _IMPL_CRYPTO_SHA256_HMAC(salt, ikm, prk); + } + + #endif /* !_IMPL_CRYPTO_SHA256_HKDF_EXTRACT */ + +#endif /* _IMPL_CRYPTO_SHA256_HMAC */ + +/* Fallback for fixed time comparison for all platforms */ +#ifndef _IMPL_CRYPTO_FIXED_TIME_COMPARE + + #pragma message("Warning: No fixed time compare implementation defined, using fallback. This may not be secure on all platforms") + + #define _IMPL_CRYPTO_FIXED_TIME_COMPARE _fallbackFixedTimeCompare + + /* + * This implemntation is a slightly simplified version of + * MBed TLS constant time memcmp function, knowm to be a 32bit + * integer size + */ + + static uint32_t _fallbackFixedTimeCompare(const uint8_t* a, const uint8_t* b, uint32_t size) + { + size_t i; + uint32_t result; + uint8_t O; + volatile const uint8_t* A, * B; + + result = 0; + O = 0; + A = (volatile const uint8_t*)a; + B = (volatile const uint8_t*)b; + + /* Compare each byte */ + for(i = 0; i < size; i++) + { + /* Handle volatile read */ + O |= (A[i] ^ B[i]); + + result |= O; + } + + return result; + } + +#endif /* !_IMPL_CRYPTO_FIXED_TIME_COMPARE */ + + +/* +* Internal function implementations that perform +* basic checking and call the correct implementation +* for the desired crypto impl. +*/ + +void ncCryptoSecureZero(void* ptr, uint32_t size) +{ + DEBUG_ASSERT2(ptr != NULL, "Expected ptr to be non-null") + +#ifndef _IMPL_SECURE_ZERO_MEMSET + #error "No secure memset implementation defined" +#endif /* _IMPL_SECURE_ZERO_MEMSET */ + + _IMPL_SECURE_ZERO_MEMSET(ptr, size); +} + +uint32_t ncCryptoFixedTimeComp(const uint8_t* a, const uint8_t* b, uint32_t size) +{ + DEBUG_ASSERT2(a != NULL, "Expected a to be non-null") + DEBUG_ASSERT2(b != NULL, "Expected b to be non-null") + +#ifndef _IMPL_CRYPTO_FIXED_TIME_COMPARE + #error "No fixed time compare implementation defined" +#endif /* !_IMPL_CRYPTO_FIXED_TIME_COMPARE */ + + return _IMPL_CRYPTO_FIXED_TIME_COMPARE(a, b, size); +} + +cstatus_t ncCryptoDigestSha256(const cspan_t* data, sha256_t digestOut32) +{ + /* Debug arg validate */ + DEBUG_ASSERT2(data != NULL && data->data != NULL, "Expected data to be non-null") + DEBUG_ASSERT2(digestOut32 != NULL, "Expected digestOut32 to be non-null") + +#ifndef _IMPL_CRYPTO_SHA256_DIGEST + #error "No SHA256 implementation defined" +#endif /* !_IMPL_CRYPTO_SHA256_DIGEST */ + + return _IMPL_CRYPTO_SHA256_DIGEST(data, digestOut32); +} + +cstatus_t ncCryptoHmacSha256(const cspan_t* key, const cspan_t* data, sha256_t hmacOut32) +{ + /* Debug arg validate */ + DEBUG_ASSERT2(key != NULL && key->data != NULL, "Expected key to be non-null") + DEBUG_ASSERT2(data != NULL && data->data != NULL, "Expected data to be non-null") + DEBUG_ASSERT2(hmacOut32 != NULL && data->data != NULL, "Expected hmacOut32 to be non-null") + +#ifndef _IMPL_CRYPTO_SHA256_HMAC + #error "No SHA256 HMAC implementation defined" +#endif /* !_IMPL_CRYPTO_SHA256_HMAC */ + + return _IMPL_CRYPTO_SHA256_HMAC(key, data, hmacOut32); +} + +cstatus_t ncCryptoSha256HkdfExpand(const cspan_t* prk, const cspan_t* info, span_t* okm) +{ + /* Debug arg validate */ + DEBUG_ASSERT2(prk != NULL && prk->data != NULL, "Expected prk to be non-null") + DEBUG_ASSERT2(info != NULL && info->data != NULL, "Expected info to be non-null") + DEBUG_ASSERT2(okm != NULL && okm->data != NULL, "Expected okm to be non-null") + + /* + * RFC 5869: 2.3 + * "length of output keying material in octets (<= 255 * HashLen)" + */ + + if(okm->size > (uint32_t)(0xFFu * SHA256_DIGEST_SIZE)) + { + return CSTATUS_FAIL; + } + +#ifndef _IMPL_CRYPTO_SHA256_HKDF_EXPAND + #error "No SHA256 HKDF expand implementation defined" +#endif /* !_IMPL_CRYPTO_SHA256_HKDF_EXPAND */ + + return _IMPL_CRYPTO_SHA256_HKDF_EXPAND(prk, info, okm); +} + +cstatus_t ncCryptoSha256HkdfExtract(const cspan_t* salt, const cspan_t* ikm, sha256_t prk) +{ + /* Debug arg validate */ + DEBUG_ASSERT2(salt != NULL, "Expected salt to be non-null") + DEBUG_ASSERT2(ikm != NULL, "Expected ikm to be non-null") + DEBUG_ASSERT2(prk != NULL, "Expected prk to be non-null") + +#ifndef _IMPL_CRYPTO_SHA256_HKDF_EXTRACT + #error "No SHA256 HKDF extract implementation defined" +#endif /* !_IMPL_CRYPTO_SHA256_HKDF_EXTRACT */ + + return _IMPL_CRYPTO_SHA256_HKDF_EXTRACT(salt, ikm, prk); +} + +cstatus_t ncCryptoChacha20( + const uint8_t key[CHACHA_KEY_SIZE], + const uint8_t nonce[CHACHA_NONCE_SIZE], + const uint8_t* input, + uint8_t* output, + uint32_t dataSize +) +{ + DEBUG_ASSERT2(key != NULL, "Expected key to be non-null") + DEBUG_ASSERT2(nonce != NULL, "Expected nonce to be non-null") + DEBUG_ASSERT2(input != NULL, "Expected input to be non-null") + DEBUG_ASSERT2(output != NULL, "Expected output to be non-null") + +#ifndef _IMPL_CHACHA20_CRYPT + #error "No chacha20 implementation defined" +#endif /* !_IMPL_CHACHA20_CRYPT */ + + return _IMPL_CHACHA20_CRYPT(key, nonce, input, output, dataSize); +} diff --git a/src/crypto/nc-crypto.h b/src/crypto/nc-crypto.h new file mode 100644 index 0000000..64d4ad8 --- /dev/null +++ b/src/crypto/nc-crypto.h @@ -0,0 +1,73 @@ + +/* +* Copyright (c) 2024 Vaughn Nugent +* +* Package: noscrypt +* File: nc-crypto.h +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public License +* as published by the Free Software Foundation; either version 2.1 +* of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public License +* along with noscrypt. If not, see http://www.gnu.org/licenses/. +*/ + +#pragma once + +#ifndef _NC_CRYPTO_H +#define _NC_CRYPTO_H + +#include + +#define CHACHA_NONCE_SIZE 0x0cu /* Size of 12 is set by the cipher spec */ +#define CHACHA_KEY_SIZE 0x20u /* Size of 32 is set by the cipher spec */ +#define SHA256_DIGEST_SIZE 0x20u /* Size of 32 is set by the cipher spec */ + +typedef uint8_t cstatus_t; +#define CSTATUS_OK ((cstatus_t)0x01u) +#define CSTATUS_FAIL ((cstatus_t)0x00u) + +typedef uint8_t sha256_t[SHA256_DIGEST_SIZE]; + +/* +* IMPORTANT: +* The HKDF_IN_BUF_SIZE defintion sets the internal stack buffer size to use +* during fallback HKDF_Expand operations. +* +* 128 bytes should be more than enough for most use cases, without going +* overboard. Could be dialed in better for specific use cases later. +*/ + +#ifndef HKDF_IN_BUF_SIZE + #define HKDF_IN_BUF_SIZE 0x80 +#endif + + +uint32_t ncCryptoFixedTimeComp(const uint8_t* a, const uint8_t* b, uint32_t size); + +void ncCryptoSecureZero(void* ptr, uint32_t size); + +cstatus_t ncCryptoDigestSha256(const cspan_t* data, sha256_t digestOut32); + +cstatus_t ncCryptoHmacSha256(const cspan_t* key, const cspan_t* data, sha256_t hmacOut32); + +cstatus_t ncCryptoSha256HkdfExpand(const cspan_t* prk, const cspan_t* info, span_t* okm); + +cstatus_t ncCryptoSha256HkdfExtract(const cspan_t* salt, const cspan_t* ikm, sha256_t prk); + +cstatus_t ncCryptoChacha20( + const uint8_t key[CHACHA_KEY_SIZE], + const uint8_t nonce[CHACHA_NONCE_SIZE], + const uint8_t* input, + uint8_t* output, + uint32_t dataSize +); + +#endif /* !_NC_CRYPTO_H */ diff --git a/src/internal/impl/bcrypt.c b/src/internal/impl/bcrypt.c deleted file mode 100644 index 8ae6c5a..0000000 --- a/src/internal/impl/bcrypt.c +++ /dev/null @@ -1,297 +0,0 @@ -/* -* Copyright (c) 2024 Vaughn Nugent -* -* Package: noscrypt -* File: impl/bcrypt.c -* -* This library is free software; you can redistribute it and/or -* modify it under the terms of the GNU Lesser General Public License -* as published by the Free Software Foundation; either version 2.1 -* of the License, or (at your option) any later version. -* -* This library is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -* Lesser General Public License for more details. -* -* You should have received a copy of the GNU Lesser General Public License -* along with noscrypt. If not, see http://www.gnu.org/licenses/. -*/ - - -/* -* This file provides as many fallback implementations on Windows plaforms -* as possible using the bcrypt library. This file should be included behind -* other libarry implementations, as it is a fallback. -*/ - -#ifdef _NC_IS_WINDOWS - -#define WIN32_LEAN_AND_MEAN -#include -#include - -#include "../../platform.h" -#include "../nc-util.h" - -#define IF_BC_FAIL(x) if(!BCRYPT_SUCCESS(x)) - -struct _bcrypt_ctx -{ - BCRYPT_ALG_HANDLE hAlg; - BCRYPT_HASH_HANDLE hHash; -}; - -_IMPLSTB NTSTATUS _bcInitSha256(struct _bcrypt_ctx* ctx, DWORD flags) -{ - NTSTATUS result; - - result = BCryptOpenAlgorithmProvider( - &ctx->hAlg, - BCRYPT_SHA256_ALGORITHM, - NULL, - flags - ); - - /* - * If operation failed, ensure the algorithm handle is null - * to make free code easier to cleanup - */ - if (!BCRYPT_SUCCESS(result)) - { - ctx->hAlg = NULL; - } - - return result; -} - -_IMPLSTB NTSTATUS _bcCreateHmac(struct _bcrypt_ctx* ctx, const cspan_t* key) -{ - /* - * NOTE: - * I am not explicitly managing the hash object buffer. By setting - * the hash object to NULL, and length to 0, the buffer will be - * managed by the bcrypt library. - * - * See: https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatehash - */ - - return BCryptCreateHash( - ctx->hAlg, - &ctx->hHash, - NULL, - 0, - (uint8_t*)key->data, - key->size, - BCRYPT_HASH_REUSABLE_FLAG /* Enable reusable for expand function */ - ); -} - -_IMPLSTB NTSTATUS _bcCreate(struct _bcrypt_ctx* ctx) -{ - cspan_t key; - - /* Zero out key span for 0 size and NULL data ptr */ - SecureZeroMemory(&key, sizeof(cspan_t)); - - return _bcCreateHmac(ctx, &key); -} - -_IMPLSTB NTSTATUS _bcHashDataRaw(const struct _bcrypt_ctx* ctx, const uint8_t* data, uint64_t len) -{ - return BCryptHashData(ctx->hHash, (uint8_t*)data, len, 0); -} - -_IMPLSTB NTSTATUS _bcHashData(const struct _bcrypt_ctx* ctx, const cspan_t* data) -{ - return _bcHashDataRaw(ctx, data->data, data->size); -} - -_IMPLSTB NTSTATUS _bcFinishHash(const struct _bcrypt_ctx* ctx, sha256_t digestOut32) -{ - return BCryptFinishHash(ctx->hHash, digestOut32, sizeof(sha256_t), 0); -} - -_IMPLSTB void _bcDestroyCtx(struct _bcrypt_ctx* ctx) -{ - /* Free the hash memory if it was allocated */ - if(ctx->hHash) BCryptDestroyHash(ctx->hHash); - - /* Close the algorithm provider */ - if (ctx->hAlg) BCryptCloseAlgorithmProvider(ctx->hAlg, 0); - - ctx->hAlg = NULL; - ctx->hHash = NULL; -} - -#ifndef _IMPL_SECURE_ZERO_MEMSET - /* - * On Windows, we can use SecureZeroMemory - * as platform zeroing function. - * - * NOTE: - * SecureZeroMemory2 uses volitle function argument - * pointers, which is a contested mehtod of compiler - * optimization prevention. GNU seems to oppose this method - * - * https://learn.microsoft.com/en-us/windows/win32/memory/winbase-securezeromemory2 - */ - #define _IMPL_SECURE_ZERO_MEMSET SecureZeroMemory -#endif /* !_IMPL_SECURE_ZERO_MEMSET */ - -/* -* Provide win32 fallback for sha256 digest if needed -*/ - -#ifndef _IMPL_CRYPTO_SHA256_DIGEST - - /* Export function fallack */ - #define _IMPL_CRYPTO_SHA256_DIGEST _bcrypt_sha256_digest - - _IMPLSTB cstatus_t _bcrypt_sha256_digest(const cspan_t* data, sha256_t digestOut32) - { - cstatus_t result; - struct _bcrypt_ctx ctx; - - result = CSTATUS_FAIL; /* Start in fail state */ - - IF_BC_FAIL(_bcInitSha256(&ctx, 0)) goto Exit; - - IF_BC_FAIL(_bcCreate(&ctx)) goto Exit; - - IF_BC_FAIL(_bcHashData(&ctx, data)) goto Exit; - - IF_BC_FAIL(_bcFinishHash(&ctx, digestOut32)) goto Exit; - - result = CSTATUS_OK; /* Hash operation completed, so set success */ - - Exit: - - _bcDestroyCtx(&ctx); - - return result; - } - -#endif /* !_IMPL_CRYPTO_SHA256_DIGEST */ - -#ifndef _IMPL_CRYPTO_SHA256_HMAC - - /* Export function */ - #define _IMPL_CRYPTO_SHA256_HMAC _bcrypt_hmac_sha256 - - _IMPLSTB cstatus_t _bcrypt_hmac_sha256(const cspan_t* key, const cspan_t* data, sha256_t hmacOut32) - { - cstatus_t result; - struct _bcrypt_ctx ctx; - - result = CSTATUS_FAIL; /* Start in fail state */ - - /* Init context with hmac flag set */ - IF_BC_FAIL(_bcInitSha256(&ctx, BCRYPT_ALG_HANDLE_HMAC_FLAG)) goto Exit; - - IF_BC_FAIL(_bcCreateHmac(&ctx, key)) goto Exit; - - IF_BC_FAIL(_bcHashData(&ctx, data)) goto Exit; - - IF_BC_FAIL(_bcFinishHash(&ctx, hmacOut32)) goto Exit; - - result = CSTATUS_OK; /* HMAC operation completed, so set success */ - - Exit: - - _bcDestroyCtx(&ctx); - - return result; - } - -#endif /* !_IMPL_CRYPTO_SHA256_HMAC */ - -/* -* Provide a fallback HKDF expand function using the -* HMAC function as a base. -*/ - -#ifndef _IMPL_CRYPTO_SHA256_HKDF_EXPAND - - #define _IMPL_CRYPTO_SHA256_HKDF_EXPAND _fallbackHkdfExpand - - /* Include string for memmove */ - #include - - static void ncWriteSpanS(span_t* span, uint64_t offset, const uint8_t* data, uint64_t size) - { - DEBUG_ASSERT2(span != NULL, "Expected span to be non-null") - DEBUG_ASSERT2(data != NULL, "Expected data to be non-null") - DEBUG_ASSERT2(offset + size <= span->size, "Expected offset + size to be less than span size") - - /* Copy data to span */ - memmove(span->data + offset, data, size); - } - - STATIC_ASSERT(HKDF_IN_BUF_SIZE > SHA256_DIGEST_SIZE, "HDK Buffer must be at least the size of the underlying hashing alg output") - - /* - * The following functions implements the HKDF expand function using an existing - * HMAC function. This is a fallback implementation for Windows platforms at the moment. - * - * This follows the guidence from RFC 5869: https://tools.ietf.org/html/rfc5869 - */ - - #define _BC_MIN(a, b) (a < b ? a : b) - - _IMPLSTB cstatus_t _fallbackHkdfExpand(const cspan_t* prk, const cspan_t* info, span_t* okm) - { - cstatus_t result; - struct _bcrypt_ctx ctx; - - uint8_t counter; - uint64_t tLen, okmOffset; - uint8_t t[HKDF_IN_BUF_SIZE]; - - _IMPL_SECURE_ZERO_MEMSET(t, sizeof(t)); - - tLen = 0; /* T(0) is an empty string(zero length) */ - okmOffset = 0; - result = CSTATUS_FAIL; /* Start in fail state */ - - /* Init context with hmac flag set, it will be reused */ - IF_BC_FAIL(_bcInitSha256(&ctx, BCRYPT_ALG_HANDLE_HMAC_FLAG)) goto Exit; - - /* Set hmac key to the prk, alg is set to reusable */ - IF_BC_FAIL(_bcCreateHmac(&ctx, prk)) goto Exit; - - /* Compute T(N) = HMAC(prk, T(n-1) | info | n) */ - for (counter = 1; okmOffset < okm->size; counter++) - { - IF_BC_FAIL(_bcHashDataRaw(&ctx, t, tLen)) goto Exit; - IF_BC_FAIL(_bcHashData(&ctx, info)) goto Exit; - IF_BC_FAIL(_bcHashDataRaw(&ctx, &counter, sizeof(counter))) goto Exit; - - /* Write current hash state to t buffer */ - IF_BC_FAIL(_bcFinishHash(&ctx, t)) goto Exit; - - /* Set the length of the current hash state */ - tLen = _BC_MIN(okm->size - okmOffset, SHA256_DIGEST_SIZE); - - DEBUG_ASSERT(tLen <= sizeof(t)); - DEBUG_ASSERT((tLen + okmOffset) < okm->size); - - /* write the T buffer back to okm */ - ncWriteSpanS(okm, okmOffset, t, tLen); - - /* shift base okm pointer by T */ - okmOffset += tLen; - } - - result = CSTATUS_OK; /* HMAC operation completed, so set success */ - - Exit: - - _bcDestroyCtx(&ctx); - - return result; - } - -#endif /* !_IMPL_CRYPTO_SHA256_HKDF_EXPAND */ - -#endif /* _NC_IS_WINDOWS */ \ No newline at end of file diff --git a/src/internal/impl/mbedtls.c b/src/internal/impl/mbedtls.c deleted file mode 100644 index 54caa44..0000000 --- a/src/internal/impl/mbedtls.c +++ /dev/null @@ -1,158 +0,0 @@ -/* -* Copyright (c) 2024 Vaughn Nugent -* -* Package: noscrypt -* File: mbedtls.c -* -* This library is free software; you can redistribute it and/or -* modify it under the terms of the GNU Lesser General Public License -* as published by the Free Software Foundation; either version 2.1 -* of the License, or (at your option) any later version. -* -* This library is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -* Lesser General Public License for more details. -* -* You should have received a copy of the GNU Lesser General Public License -* along with noscrypt. If not, see http://www.gnu.org/licenses/. -*/ - - -/* -* This file contains implemntation functions for the required -* cryptography primitives of noscrypt. This file stubs functionality -* using the Mbed-TLS library, if the builder desires to link against -* it. -*/ - -#ifdef MBEDTLS_CRYPTO_LIB - -#include -#include -#include -#include -#include -#include - -#include "../../platform.h" -#include "../nc-util.h" - -/* -* EXPORT SUPPORTED FUNCTION OVERRIDES -*/ - -_IMPLSTB const mbedtls_md_info_t* _mbed_sha256_alg(void) -{ - const mbedtls_md_info_t* info; - /* Get sha256 md info for hdkf operations */ - info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256); - DEBUG_ASSERT2(info != NULL, "Expected SHA256 md info pointer to be valid") - return info; -} - -#ifndef _IMPL_CHACHA20_CRYPT - - /* Export chacha20 computation */ - #define _IMPL_CHACHA20_CRYPT _mbed_chacha20_encrypt - - _IMPLSTB int _mbed_chacha20_encrypt( - const uint8_t* key, - const uint8_t* nonce, - const uint8_t* input, - uint8_t* output, - size_t dataLen - ) - { - /* Counter always starts at 0 */ - return mbedtls_chacha20_crypt(key, nonce, 0x00u, dataLen, input, output); - } - -#endif - -/* Export sha256 if not already defined */ -#ifndef _IMPL_CRYPTO_SHA256_DIGEST - - #define _IMPL_CRYPTO_SHA256_DIGEST _mbed_sha256_digest - - _IMPLSTB CStatus _mbed_sha256_digest(const uint8_t* data, size_t dataSize,uint8_t* digestOut32) - { - return mbedtls_sha256(data, dataSize, digestOut32, 0); - } - -#endif - -/* Export Sha256 hmac if not already defined by other libs */ -#ifndef _IMPL_CRYPTO_SHA256_HMAC - - #define _IMPL_CRYPTO_SHA256_HMAC _mbed_sha256_hmac - - _IMPLSTB CStatus _mbed_sha256_hmac( - const uint8_t* key, size_t keyLen, - const uint8_t* data, size_t dataLen, - void* hmacOut32 - ) - { - return mbedtls_md_hmac( - _mbed_sha256_alg(), - key, keyLen, - data, dataLen, - hmacOut32 - ); - } -#endif - -/* Export hkdf expand if not already defined */ -#ifndef _IMPL_CRYPTO_SHA256_HKDF_EXPAND - - #define _IMPL_CRYPTO_SHA256_HKDF_EXPAND _mbed_sha256_hkdf_expand - - _IMPLSTB int _mbed_sha256_hkdf_expand( - const uint8_t* prk, size_t prkLen, - const uint8_t* info, size_t infoLen, - void* okm, size_t okmLen - ) - { - return mbedtls_hkdf_expand( - _mbed_sha256_alg(), - prk, prkLen, - info, infoLen, - okm, okmLen - ); - } - -#endif - -/* Export hkdf extract if not already defined */ -#ifndef _IMPL_CRYPTO_SHA256_HKDF_EXTRACT - - #define _IMPL_CRYPTO_SHA256_HKDF_EXTRACT _mbed_sha256_hkdf_extract - - _IMPLSTB int _mbed_sha256_hkdf_extract( - const uint8_t* salt, size_t saltLen, - const uint8_t* ikm, size_t ikmLen, - void* prk - ) - { - return mbedtls_hkdf_extract( - _mbed_sha256_alg(), - salt, saltLen, - ikm, ikmLen, - prk - ); - } -#endif - -/* Export fixed-time compare if not already defined */ -#ifndef _IMPL_CRYPTO_FIXED_TIME_COMPARE - - #define _IMPL_CRYPTO_FIXED_TIME_COMPARE _mbed_fixed_time_compare - - /* fixed-time memcmp */ - _IMPLSTB int _mbed_fixed_time_compare(const uint8_t* a, const uint8_t* b, size_t size) - { - return mbedtls_ct_memcmp(a, b, size); - } -#endif - -#endif \ No newline at end of file diff --git a/src/internal/impl/monocypher.c b/src/internal/impl/monocypher.c deleted file mode 100644 index 6e93c63..0000000 --- a/src/internal/impl/monocypher.c +++ /dev/null @@ -1,84 +0,0 @@ -/* -* Copyright (c) 2024 Vaughn Nugent -* -* Package: noscrypt -* File: impl/monocypher.c -* -* This library is free software; you can redistribute it and/or -* modify it under the terms of the GNU Lesser General Public License -* as published by the Free Software Foundation; either version 2.1 -* of the License, or (at your option) any later version. -* -* This library is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -* Lesser General Public License for more details. -* -* You should have received a copy of the GNU Lesser General Public License -* along with noscrypt. If not, see http://www.gnu.org/licenses/. -*/ - - -/* -* This file handles some fallbacks that may not be available on -* some platforms. More specifically: -* - Secure memset 0 -* - Chacha20 cipher -* -*/ - -#ifdef NC_ENABLE_MONOCYPHER - -#include - -#include "../../platform.h" -#include "../nc-util.h" - -/* Export secure memse0 */ -#ifndef _IMPL_SECURE_ZERO_MEMSET - - /* export cytpo wipe function as is */ - #define _IMPL_SECURE_ZERO_MEMSET crypto_wipe -#endif - -/* Export Chacha20 */ -#ifndef _IMPL_CHACHA20_CRYPT - - #define _IMPL_CHACHA20_CRYPT _mc_chacha20_crypt - - _IMPLSTB cstatus_t _mc_chacha20_crypt( - const uint8_t* key, - const uint8_t* nonce, - const uint8_t* input, - uint8_t* output, - uint64_t dataLen - ) - { - if(dataLen > SIZE_MAX) - { - return CSTATUS_FAIL; - } - - /* - * Function returns the next counter value which is not - * needed for noscrypt as encryptions are one-shot, and - * require a new nonce for each encryption. - * - * ITEF function uses a 12byte nonce which is required for - * nip-44 compliant encryption. - */ - crypto_chacha20_ietf( - output, - input, - (size_t)dataLen, - key, - nonce, - 0x00 /* Counter always starts at 0 */ - ); - - return CSTATUS_OK; - } - -#endif - -#endif /* !NC_ENABLE_MONOCYPHER */ \ No newline at end of file diff --git a/src/internal/impl/openssl.c b/src/internal/impl/openssl.c deleted file mode 100644 index d0cdb8c..0000000 --- a/src/internal/impl/openssl.c +++ /dev/null @@ -1,47 +0,0 @@ -/* -* Copyright (c) 2024 Vaughn Nugent -* -* Package: noscrypt -* File: impl/openssl.c -* -* This library is free software; you can redistribute it and/or -* modify it under the terms of the GNU Lesser General Public License -* as published by the Free Software Foundation; either version 2.1 -* of the License, or (at your option) any later version. -* -* This library is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -* Lesser General Public License for more details. -* -* You should have received a copy of the GNU Lesser General Public License -* along with noscrypt. If not, see http://www.gnu.org/licenses/. -*/ - - -/* Setup openssl */ - -#ifdef OPENSSL_CRYPTO_LIB - -#include - -#include "../../platform.h" -#include "../nc-util.h" - -/* -* EXPORT SUPPORTED FUNCTIONS AS MACROS -*/ -#define _IMPL_CHACHA20_CRYPT _mbed_chacha20_encrypt -#define _IMPL_CRYPTO_SHA256_HMAC _mbed_sha256_hmac -#define _IMPL_CRYPTO_SHA256_DIGEST _ossl_sha256_digest -#define _IMPL_CRYPTO_FIXED_TIME_COMPARE _mbed_fixed_time_compare -#define _IMPL_CRYPTO_SHA256_HKDF_EXPAND _mbed_sha256_hkdf_expand -#define _IMPL_CRYPTO_SHA256_HKDF_EXTRACT _mbed_sha256_hkdf_extract - -_IMPLSTB int _ossl_sha256_digest(const uint8_t* data, uint8_t* digest) -{ - -} - - -#endif /*!OPENSSL_CRYPTO_LIB */ \ No newline at end of file diff --git a/src/internal/nc-crypto.c b/src/internal/nc-crypto.c deleted file mode 100644 index 9cd2c3e..0000000 --- a/src/internal/nc-crypto.c +++ /dev/null @@ -1,269 +0,0 @@ -/* -* Copyright (c) 2024 Vaughn Nugent -* -* Package: noscrypt -* File: nc-crypto.c -* -* This library is free software; you can redistribute it and/or -* modify it under the terms of the GNU Lesser General Public License -* as published by the Free Software Foundation; either version 2.1 -* of the License, or (at your option) any later version. -* -* This library is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -* Lesser General Public License for more details. -* -* You should have received a copy of the GNU Lesser General Public License -* along with noscrypt. If not, see http://www.gnu.org/licenses/. -*/ - -#include "nc-util.h" -#include "nc-crypto.h" -#include "../platform.h" - -/* -* Functions are not forced inline, just suggested. -* So unless it beomes a performance issue, I will leave -* most/all impl functions inline and let the compiler -* decide. -*/ - -#define _IMPLSTB static _nc_fn_inline - -/* -* Impl .c files may define the following macros for function implementations: -* -* _IMPL_SECURE_ZERO_MEMSET secure memset 0 function -* _IMPL_CHACHA20_CRYPT chacha20 cipher function -* _IMPL_CRYPTO_FIXED_TIME_COMPARE fixed time compare function -* _IMPL_CRYPTO_SHA256_HMAC sha256 hmac function -* _IMPL_CRYPTO_SHA256_DIGEST standard sha256 digest function -* _IMPL_CRYPTO_SHA256_HKDF_EXPAND hkdf expand function -* _IMPL_CRYPTO_SHA256_HKDF_EXTRACT hkdf extract function -* -* Macros are used to allow the preprocessor to select the correct implementation -* or raise errors if no implementation is defined. -*/ - - - -/* -* Prioritize embedded builds with mbedtls -*/ -#include "impl/mbedtls.c" - -/* -* Include openssl as an alternative default -* implementation -*/ -#include "impl/openssl.c" - -/* -* Include win32 platform specific fallback support -* using bcrypt. -*/ -#include "impl/bcrypt.c" - -/* -* Handle default implementations of secure -* memset 0 functions for each platform. -*/ -#ifndef _IMPL_SECURE_ZERO_MEMSET - #if defined(__GNUC__) - /* - * When using libc, we can use explicit_bzero - * as secure memset implementation. - * - * https://sourceware.org/glibc/manual/2.39/html_mono/libc.html#Erasing-Sensitive-Data - */ - #include - #define _IMPL_SECURE_ZERO_MEMSET explicit_bzero - #endif -#endif - -/* -* Finally fall back to monocipher to handle some -* that are not provided by other libraries. -* -* Platform specific opimizations are considered -* "better" than monocypher options, so this is -* added as a last resort. Momocypher is "correct" -* and portable, but not optimized for any specific -* platform. -*/ -#include "impl/monocypher.c" - - -#ifdef _IMPL_CRYPTO_SHA256_HMAC - - /* - * If a library does not provide a HKDF extract function, - * we can just use the HMAC function as a fallback. - * - * This is a fallback because another library may provide - * a more optimized implementation. - */ - - #ifndef _IMPL_CRYPTO_SHA256_HKDF_EXTRACT - - #define _IMPL_CRYPTO_SHA256_HKDF_EXTRACT _fallbackHkdfExtract - - _IMPLSTB cstatus_t _fallbackHkdfExtract(const cspan_t* salt, const cspan_t* ikm, sha256_t prk) - { - return _IMPL_CRYPTO_SHA256_HMAC(salt, ikm, prk); - } - - #endif /* !_IMPL_CRYPTO_SHA256_HKDF_EXTRACT */ - -#endif /* _IMPL_CRYPTO_SHA256_HMAC */ - -/* Fallback for fixed time comparison for all platforms */ -#ifndef _IMPL_CRYPTO_FIXED_TIME_COMPARE - - #pragma message("Warning: No fixed time compare implementation defined, using fallback. This may not be secure on all platforms") - - #define _IMPL_CRYPTO_FIXED_TIME_COMPARE _fallbackFixedTimeCompare - - /* - * This implemntation is a slightly simplified version of - * MBed TLS constant time memcmp function, knowm to be a 32bit - * integer size - */ - - static uint32_t _fallbackFixedTimeCompare(const uint8_t* a, const uint8_t* b, uint64_t size) - { - size_t i; - uint32_t result; - uint8_t O; - volatile const uint8_t* A, * B; - - result = 0; - O = 0; - A = (volatile const uint8_t*)a; - B = (volatile const uint8_t*)b; - - /* Compare each byte */ - for(i = 0; i < size; i++) - { - /* Handle volatile read */ - O |= (A[i] ^ B[i]); - - result |= O; - } - - return result; - } - -#endif /* !_IMPL_CRYPTO_FIXED_TIME_COMPARE */ - - -/* -* Internal function implementations that perform -* basic checking and call the correct implementation -* for the desired crypto impl. -*/ - -void ncCryptoSecureZero(void* ptr, uint64_t size) -{ - DEBUG_ASSERT2(ptr != NULL, "Expected ptr to be non-null") - -#ifndef _IMPL_SECURE_ZERO_MEMSET - #error "No secure memset implementation defined" -#endif /* _IMPL_SECURE_ZERO_MEMSET */ - - _IMPL_SECURE_ZERO_MEMSET(ptr, size); -} - -uint32_t ncCryptoFixedTimeComp(const uint8_t* a, const uint8_t* b, uint64_t size) -{ - DEBUG_ASSERT2(a != NULL, "Expected a to be non-null") - DEBUG_ASSERT2(b != NULL, "Expected b to be non-null") - -#ifndef _IMPL_CRYPTO_FIXED_TIME_COMPARE - #error "No fixed time compare implementation defined" -#endif /* !_IMPL_CRYPTO_FIXED_TIME_COMPARE */ - - return _IMPL_CRYPTO_FIXED_TIME_COMPARE(a, b, size); -} - -cstatus_t ncCryptoDigestSha256(const cspan_t* data, sha256_t digestOut32) -{ - /* Debug arg validate */ - DEBUG_ASSERT2(data != NULL && data->data != NULL, "Expected data to be non-null") - DEBUG_ASSERT2(digestOut32 != NULL, "Expected digestOut32 to be non-null") - -#ifndef _IMPL_CRYPTO_SHA256_DIGEST - #error "No SHA256 implementation defined" -#endif /* !_IMPL_CRYPTO_SHA256_DIGEST */ - - return _IMPL_CRYPTO_SHA256_DIGEST(data, digestOut32); -} - -cstatus_t ncCryptoHmacSha256(const cspan_t* key, const cspan_t* data, sha256_t hmacOut32) -{ - /* Debug arg validate */ - DEBUG_ASSERT2(key != NULL && key->data != NULL, "Expected key to be non-null") - DEBUG_ASSERT2(data != NULL && data->data != NULL, "Expected data to be non-null") - DEBUG_ASSERT2(hmacOut32 != NULL && data->data != NULL, "Expected hmacOut32 to be non-null") - -#ifndef _IMPL_CRYPTO_SHA256_HMAC - #error "No SHA256 HMAC implementation defined" -#endif /* !_IMPL_CRYPTO_SHA256_HMAC */ - - return _IMPL_CRYPTO_SHA256_HMAC(key, data, hmacOut32); -} - -cstatus_t ncCryptoSha256HkdfExpand(const cspan_t* prk, const cspan_t* info, span_t* okm) -{ - /* Debug arg validate */ - DEBUG_ASSERT2(prk != NULL && prk->data != NULL, "Expected prk to be non-null") - DEBUG_ASSERT2(info != NULL && info->data != NULL, "Expected info to be non-null") - DEBUG_ASSERT2(okm != NULL && okm->data != NULL, "Expected okm to be non-null") - - /* - * RFC 5869: 2.3 - * "length of output keying material in octets (<= 255 * HashLen)" - */ - - if(okm->size > (uint64_t)(0xFFu * SHA256_DIGEST_SIZE)) - { - return CSTATUS_FAIL; - } - -#ifndef _IMPL_CRYPTO_SHA256_HKDF_EXPAND - #error "No SHA256 HKDF expand implementation defined" -#endif /* !_IMPL_CRYPTO_SHA256_HKDF_EXPAND */ - - return _IMPL_CRYPTO_SHA256_HKDF_EXPAND(prk, info, okm); -} - -cstatus_t ncCryptoSha256HkdfExtract(const cspan_t* salt, const cspan_t* ikm, sha256_t prk) -{ - /* Debug arg validate */ - DEBUG_ASSERT2(salt != NULL, "Expected salt to be non-null") - DEBUG_ASSERT2(ikm != NULL, "Expected ikm to be non-null") - DEBUG_ASSERT2(prk != NULL, "Expected prk to be non-null") - -#ifndef _IMPL_CRYPTO_SHA256_HKDF_EXTRACT - #error "No SHA256 HKDF extract implementation defined" -#endif /* !_IMPL_CRYPTO_SHA256_HKDF_EXTRACT */ - - return _IMPL_CRYPTO_SHA256_HKDF_EXTRACT(salt, ikm, prk); -} - -cstatus_t ncCryptoChacha20( - const uint8_t key[CHACHA_KEY_SIZE], - const uint8_t nonce[CHACHA_NONCE_SIZE], - const uint8_t* input, - uint8_t* output, - uint64_t dataSize -) -{ - DEBUG_ASSERT2(key != NULL, "Expected key to be non-null") - DEBUG_ASSERT2(nonce != NULL, "Expected nonce to be non-null") - DEBUG_ASSERT2(input != NULL, "Expected input to be non-null") - DEBUG_ASSERT2(output != NULL, "Expected output to be non-null") - - return _IMPL_CHACHA20_CRYPT(key, nonce, input, output, dataSize); -} diff --git a/src/internal/nc-crypto.h b/src/internal/nc-crypto.h deleted file mode 100644 index 3487b2b..0000000 --- a/src/internal/nc-crypto.h +++ /dev/null @@ -1,73 +0,0 @@ - -/* -* Copyright (c) 2024 Vaughn Nugent -* -* Package: noscrypt -* File: nc-crypto.h -* -* This library is free software; you can redistribute it and/or -* modify it under the terms of the GNU Lesser General Public License -* as published by the Free Software Foundation; either version 2.1 -* of the License, or (at your option) any later version. -* -* This library is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -* Lesser General Public License for more details. -* -* You should have received a copy of the GNU Lesser General Public License -* along with noscrypt. If not, see http://www.gnu.org/licenses/. -*/ - -#pragma once - -#ifndef _NC_CRYPTO_H -#define _NC_CRYPTO_H - -#include - -#define CHACHA_NONCE_SIZE 0x0cu /* Size of 12 is set by the cipher spec */ -#define CHACHA_KEY_SIZE 0x20u /* Size of 32 is set by the cipher spec */ -#define SHA256_DIGEST_SIZE 0x20u /* Size of 32 is set by the cipher spec */ - -typedef uint8_t cstatus_t; -#define CSTATUS_OK ((cstatus_t)0x01u) -#define CSTATUS_FAIL ((cstatus_t)0x00u) - -typedef uint8_t sha256_t[SHA256_DIGEST_SIZE]; - -/* -* IMPORTANT: -* The HKDF_IN_BUF_SIZE defintion sets the internal stack buffer size to use -* during fallback HKDF_Expand operations. -* -* 128 bytes should be more than enough for most use cases, without going -* overboard. Could be dialed in better for specific use cases later. -*/ - -#ifndef HKDF_IN_BUF_SIZE - #define HKDF_IN_BUF_SIZE 0x80 -#endif - - -uint32_t ncCryptoFixedTimeComp(const uint8_t* a, const uint8_t* b, uint64_t size); - -void ncCryptoSecureZero(void* ptr, uint64_t size); - -cstatus_t ncCryptoDigestSha256(const cspan_t* data, sha256_t digestOut32); - -cstatus_t ncCryptoHmacSha256(const cspan_t* key, const cspan_t* data, sha256_t hmacOut32); - -cstatus_t ncCryptoSha256HkdfExpand(const cspan_t* prk, const cspan_t* info, span_t* okm); - -cstatus_t ncCryptoSha256HkdfExtract(const cspan_t* salt, const cspan_t* ikm, sha256_t prk); - -cstatus_t ncCryptoChacha20( - const uint8_t key[CHACHA_KEY_SIZE], - const uint8_t nonce[CHACHA_NONCE_SIZE], - const uint8_t* input, - uint8_t* output, - uint64_t dataSize -); - -#endif /* !_NC_CRYPTO_H */ diff --git a/src/internal/nc-util.h b/src/internal/nc-util.h deleted file mode 100644 index 9f72470..0000000 --- a/src/internal/nc-util.h +++ /dev/null @@ -1,88 +0,0 @@ - -/* -* Copyright (c) 2024 Vaughn Nugent -* -* Package: noscrypt -* File: nc-util.h -* -* This library is free software; you can redistribute it and/or -* modify it under the terms of the GNU Lesser General Public License -* as published by the Free Software Foundation; either version 2.1 -* of the License, or (at your option) any later version. -* -* This library is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -* Lesser General Public License for more details. -* -* You should have received a copy of the GNU Lesser General Public License -* along with noscrypt. If not, see http://www.gnu.org/licenses/. -*/ - -#pragma once - -#ifndef NC_UTIL_H -#define NC_UTIL_H - -/* NULL */ -#ifndef NULL - #define NULL ((void*)0) -#endif /* !NULL */ - - -#ifdef DEBUG - /* Must include assert.h for assertions */ - #include - #define DEBUG_ASSERT(x) assert(x); - #define DEBUG_ASSERT2(x, message) assert(x && message); - - /* - * Compiler enabled static assertion keywords are - * only available in C11 and later. Later versions - * have macros built-in from assert.h so we can use - * the static_assert macro directly. - * - * Static assertions are only used for testing such as - * sanity checks and this library targets the c89 standard - * so static_assret very likely will not be available. - */ - #if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L - #define STATIC_ASSERT(x, m) static_assert(x, m) - #elif !defined(STATIC_ASSERT) - #define STATIC_ASSERT(x, m) - #pragma message("Static assertions are not supported by this language version") - #endif - -#else - #define DEBUG_ASSERT(x) - #define DEBUG_ASSERT2(x, message) - #define STATIC_ASSERT(x, m) -#endif - -#include - -typedef struct memory_span_struct -{ - uint8_t* data; - uint64_t size; -} span_t; - -typedef struct read_only_memory_span_struct -{ - const uint8_t* data; - uint64_t size; -} cspan_t; - -static void ncSpanInitC(cspan_t* span, const uint8_t* data, uint64_t size) -{ - span->data = data; - span->size = size; -} - -static void ncSpanInit(span_t* span, uint8_t* data, uint64_t size) -{ - span->data = data; - span->size = size; -} - -#endif /* NC_UTIL_H */ \ No newline at end of file diff --git a/src/noscrypt.c b/src/noscrypt.c index 4715d50..00684b8 100644 --- a/src/noscrypt.c +++ b/src/noscrypt.c @@ -20,8 +20,8 @@ #include "noscrypt.h" -#include "internal/nc-util.h" -#include "internal/nc-crypto.h" +#include "nc-util.h" +#include "crypto/nc-crypto.h" #include #include @@ -84,7 +84,7 @@ struct nc_expand_keys { /* Pointer typecast must work between expanded keys * and message key, size must be identical to work */ -STATIC_ASSERT(sizeof(struct nc_expand_keys) == sizeof(struct message_key), "Expected struct nc_expand_keys to be the same size as struct message_key"); +STATIC_ASSERT(sizeof(struct nc_expand_keys) == sizeof(struct message_key), "Expected struct nc_expand_keys to be the same size as struct message_key") /* * Check that the fallback hkdf extract internal buffer is large enough @@ -569,7 +569,7 @@ NC_EXPORT NCResult NC_CC NCSignData( const NCSecretKey* sk, const uint8_t random32[32], const uint8_t* data, - uint64_t dataSize, + uint32_t dataSize, uint8_t sig64[64] ) { @@ -630,7 +630,7 @@ NC_EXPORT NCResult NC_CC NCVerifyData( const NCContext* ctx, const NCPublicKey* pk, const uint8_t* data, - const uint64_t dataSize, + const uint32_t dataSize, const uint8_t sig64[64] ) { @@ -857,7 +857,7 @@ NC_EXPORT NCResult NCComputeMac( const NCContext* ctx, const uint8_t hmacKey[NC_HMAC_KEY_SIZE], const uint8_t* payload, - uint64_t payloadSize, + uint32_t payloadSize, uint8_t hmacOut[NC_ENCRYPTION_MAC_SIZE] ) { @@ -905,6 +905,10 @@ NC_EXPORT NCResult NC_CC NCVerifyMac( NCMacVerifyArgs* args ) { + NCResult result; + struct shared_secret sharedSecret; + struct conversation_key conversationKey; + CHECK_NULL_ARG(ctx, 0) CHECK_CONTEXT_STATE(ctx, 0) CHECK_NULL_ARG(sk, 1) @@ -916,10 +920,6 @@ NC_EXPORT NCResult NC_CC NCVerifyMac( CHECK_INVALID_ARG(args->nonce32, 3) CHECK_ARG_RANGE(args->payloadSize, NIP44_MIN_ENC_MESSAGE_SIZE, NIP44_MAX_ENC_MESSAGE_SIZE, 3) - NCResult result; - struct shared_secret sharedSecret; - struct conversation_key conversationKey; - /* Computed the shared point so we can get the converstation key */ if ((result = _computeSharedSecret(ctx, sk, pk, &sharedSecret)) != NC_SUCCESS) { diff --git a/src/noscrypt.h b/src/noscrypt.h deleted file mode 100644 index a8a42ee..0000000 --- a/src/noscrypt.h +++ /dev/null @@ -1,562 +0,0 @@ -/* -* Copyright (c) 2024 Vaughn Nugent -* -* Package: noscrypt -* File: noscrypt.h -* -* This library is free software; you can redistribute it and/or -* modify it under the terms of the GNU Lesser General Public License -* as published by the Free Software Foundation; either version 2.1 -* of the License, or (at your option) any later version. -* -* This library is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -* Lesser General Public License for more details. -* -* You should have received a copy of the GNU Lesser General Public License -* along with noscrypt. If not, see http://www.gnu.org/licenses/. -*/ - -/* -* noscrypt is a an open-source, strict C89 library that performs the basic -* cryptographic operations found in the Nostr protocol. It is designed to be -* portable and easy to use in any C89 compatible environment. It is also designed -*/ - -#pragma once - -#ifndef NOSCRYPT_H -#define NOSCRYPT_H - -#include -#include -#include "platform.h" - -/* Set api export calling convention (allow used to override) */ -#ifndef NC_CC - #ifdef _NC_IS_WINDOWS - /* STD for importing to other languages such as .NET */ - #define NC_CC __stdcall - #else - #define NC_CC - #endif -#endif /* !NC_CC */ - -#ifndef NC_EXPORT /* Allow users to disable the export/impoty macro if using source code directly */ - #ifdef NOSCRYPT_EXPORTING - #ifdef _NC_IS_WINDOWS - #define NC_EXPORT __declspec(dllexport) - #else - #define NC_EXPORT __attribute__((visibility("default"))) - #endif /* _NC_IS_WINDOWS */ - #else - #ifdef _NC_IS_WINDOWS - #define NC_EXPORT __declspec(dllimport) - #else - #define NC_EXPORT - #endif /* _NC_IS_WINDOWS */ - #endif /* !NOSCRYPT_EXPORTING */ -#endif /* !NC_EXPORT */ - -/* -* CONSTANTS -*/ -#define BIP340_PUBKEY_HEADER_BYTE 0x02 -#define NIP44_MESSAGE_KEY_SIZE 0x4c /*32 + 12 + 32 = 76 */ -#define NC_ENCRYPTION_NONCE_SIZE 0x20 -#define NC_SEC_KEY_SIZE 0x20 -#define NC_PUBKEY_SIZE 0x20 -#define NC_CONTEXT_ENTROPY_SIZE 0x20 -#define NC_SHARED_SEC_SIZE 0x20 -#define NC_CONV_KEY_SIZE 0x20 -#define NC_HMAC_KEY_SIZE 0x20 -#define NC_ENCRYPTION_MAC_SIZE 0x20 -#define NC_MESSAGE_KEY_SIZE NIP44_MESSAGE_KEY_SIZE - -/* -* From spec -* https://github.com/nostr-protocol/nips/blob/master/44.md#decryption -*/ -#define NIP44_MIN_ENC_MESSAGE_SIZE 0x01 -#define NIP44_MAX_ENC_MESSAGE_SIZE 0xffff - -/* -* ERROR CODES -* -* Error codes are 64bit integers. The lower 8 bits are reserved for -* the error code, and the upper 8 bits are reserved for the argument -* position. -* -* NCResult type is 64bit to also allow for positive return values for -* operations that return a value count. -*/ - -#define NC_ARG_POSITION_OFFSET 0x08 -#define NC_ERROR_CODE_MASK 0xFF - -#define NC_SUCCESS 0x00 -#define E_NULL_PTR -1 -#define E_INVALID_ARG -2 -#define E_INVALID_CONTEXT -3 -#define E_ARGUMENT_OUT_OF_RANGE -4 -#define E_OPERATION_FAILED -5 - -/* A compressed resul/return value, negative values -are failure, 0 is success and positive values are -defined by the operation. -*/ -typedef int64_t NCResult; - -/* - An secp256k1 secret key (aka private key buffer) -*/ -typedef struct secret_key_struct { - - uint8_t key[NC_SEC_KEY_SIZE]; - -} NCSecretKey; - -/* - An x-only secp256k1 public key -*/ -typedef struct xonly_pubkey_struct { - - uint8_t key[NC_PUBKEY_SIZE]; - -} NCPublicKey; - -/* - An opaque full library context object -*/ -typedef struct ctx_struct { - - void* secpCtx; - -} NCContext; - -/* -* The encryption arguments structure. This structure is used to pass -arguments to the encryption and decryption functions. It stores the -data buffers and required nonce used for the stream cipher. -*/ -typedef struct nc_encryption_struct { - - /* The nonce used for the stream cipher. */ - const uint8_t* nonce32; - - /* Writes the hmac key to the buffer during encryption events. - Set to NULL on decryption */ - uint8_t* hmacKeyOut32; - - /* The input data buffer to encrypt/decrypt */ - const uint8_t* inputData; - - /* The output data buffer to write data to */ - uint8_t* outputData; - - /* The size of the data buffers. Buffers must - * be the same size or larger than this value - */ - uint64_t dataSize; - -} NCEncryptionArgs; - -/* -* A structure for Nip44 message authentication code verification. This structure -* is used to pass arguments to the NCVerifyMac and NCVerifyMacEx functions. -*/ -typedef struct nc_mac_verify { - - /* The message authentication code certifying the Nip44 payload */ - const uint8_t* mac32; - - /* The nonce used for the original message encryption */ - const uint8_t* nonce32; - - /* The message payload data */ - const uint8_t* payload; - - /* The size of the payload data */ - uint64_t payloadSize; - -} NCMacVerifyArgs; - - -/* - API FUNCTIONS -*/ - -/* -* A helper function to cast a buffer to a NCSecretKey struct -* @param key The buffer to cast -* @return A pointer to the NCSecretKey struct -*/ -static _nc_fn_inline NCSecretKey* NCToSecKey(uint8_t key[NC_SEC_KEY_SIZE]) -{ - return (NCSecretKey*)key; -} - -/* -* A helper function to cast a buffer to a NCPublicKey struct -* @param key The buffer to cast -* @return A pointer to the NCPublicKey struct -*/ -static _nc_fn_inline NCPublicKey* NCToPubKey(uint8_t key[NC_PUBKEY_SIZE]) -{ - return (NCPublicKey*)key; -} - -static _nc_fn_inline NCResult NCResultWithArgPosition(NCResult err, uint8_t argPosition) -{ - return -(((NCResult)argPosition << NC_ARG_POSITION_OFFSET) | -err); -} - -/* -* Parses an error code and returns the error code and the argument position -that caused the error. -* @param result The error code to parse -* @param argPositionOut A pointer to the argument position to write to -* @return The error code -*/ -static _nc_fn_inline int NCParseErrorCode(NCResult result, uint8_t* argPositionOut) -{ - NCResult asPositive; - int code; - - /* convert result to a positive value*/ - asPositive = -result; - - /* Get the error code from the lower 8 bits and the argument position from the upper 8 bits*/ - code = -(asPositive & NC_ERROR_CODE_MASK); - *argPositionOut = (asPositive >> NC_ARG_POSITION_OFFSET) & 0xFF; - - return code; -} - -/*-------------------------------------- -* LIB CONTEXT API -*/ - -/* -* Runtime check for the size of the context struct to allow -for dynamic allocation when context size structure is not known. -* @return The size of the context struct in bytes -*/ -NC_EXPORT uint32_t NC_CC NCGetContextStructSize(void); -/* -* Initializes a context struct with the given entropy -* @param ctx A pointer to the context structure to initialize -* @param entropy The entropy to initialize the context with -* @return NC_SUCCESS if the operation was successful, otherwise an error code -*/ -NC_EXPORT NCResult NC_CC NCInitContext( - NCContext* ctx, - const uint8_t entropy[NC_CONTEXT_ENTROPY_SIZE] -); -/* -* Reinitializes a context struct with the given -* @param ctx A pointer to the context structure to initialize -* @param entropy The entropy to initialize the context with -* @return NC_SUCCESS if the operation was successful, otherwise an error code -*/ -NC_EXPORT NCResult NC_CC NCReInitContext( - NCContext* ctx, - const uint8_t entropy[NC_CONTEXT_ENTROPY_SIZE] -); - -/* -* Destroys a context struct -* @param ctx A pointer to the existing context structure to destroy -* @return NC_SUCCESS if the operation was successful, otherwise an error code -*/ -NC_EXPORT NCResult NC_CC NCDestroyContext(NCContext* ctx); - - - -/*-------------------------------------- -* HIGH LEVEL SIGNING API -*/ - -/* -* Gets a x-only compressed public key from the given secret key -* @param ctx A pointer to the existing library context -* @param sk A pointer to the secret key -* @param pk A pointer to the compressed public key buffer to write to -* @return NC_SUCCESS if the operation was successful, otherwise an error code -*/ -NC_EXPORT NCResult NC_CC NCGetPublicKey( - const NCContext* ctx, - const NCSecretKey* sk, - NCPublicKey* pk -); -/* -* Validates that a given secret key is valid according to the secp256k1 curve. This -is functionally the same as calling secp256k1_ec_seckey_verify. -* @param ctx A pointer to the existing library context -* @param sk A pointer to the secret key to verify -* @return 1 if the secret key is valid, 0 if it is not, otherwise an error code -*/ -NC_EXPORT NCResult NC_CC NCValidateSecretKey( - const NCContext* ctx, - const NCSecretKey* sk -); - - -/* -* Signs a raw message after computing the sha256 checksum using the -given secret key and writes the signature to the sig64 buffer. -* @param ctx A pointer to the existing library context -* @param sk A pointer to the secret key to sign with -* @param random32 A pointer to the random32 buffer to use for signing -* @param data A pointer to the raw data buffer to sign -* @param dataSize The size of the raw data buffer -* @param sig64 A pointer to the 64byte buffer to write the signature to -* @return NC_SUCCESS if the operation was successful, otherwise an error code -*/ -NC_EXPORT NCResult NC_CC NCSignData( - const NCContext* ctx, - const NCSecretKey* sk, - const uint8_t random32[32], - const uint8_t* data, - const uint64_t dataSize, - uint8_t sig64[64] -); - -/* -* Verifies a signature of a raw data buffer matches the output using the given public key. -* @param ctx A pointer to the existing library context -* @param sig64 The 64byte signature to verify -* @param data A pointer to the raw data buffer to verify -* @param dataSize The size of the raw data buffer -* @param pk A pointer to the the x-only compressed public key (x-only serialized public key) -* @return NC_SUCCESS if the signature could be verified, otherwise an error code -*/ -NC_EXPORT NCResult NC_CC NCVerifyData( - const NCContext* ctx, - const NCPublicKey* pk, - const uint8_t* data, - const uint64_t dataSize, - const uint8_t sig64[64] -); - -/*-------------------------------------- -* EXTENDED SIGNING API -*/ - -/* -* Signs a message using the given secret key and writes the signature to the sig64 buffer -* @param ctx A pointer to the existing library context -* @param sk A pointer to the secret key to sign with -* @param random32 A pointer to the random32 buffer to use for signing -* @param digest32 A pointer to sha256 digest32 to sign -* @param sig64 A pointer to the 64byte buffer to write the signature to -* @return NC_SUCCESS if the operation was successful, otherwise an error code -*/ -NC_EXPORT NCResult NC_CC NCSignDigest( - const NCContext* ctx, - const NCSecretKey* sk, - const uint8_t random32[32], - const uint8_t digest32[32], - uint8_t sig64[64] -); - -/* -* Verifies a signature of a digest32 matches the output using the given public key. -Equivalent to calling secp256k1_schnorrsig_verify. -* @param ctx A pointer to the existing library context -* @param sig64 The 64byte signature to verify -* @param digest32 The digest32 to verify -* @param pk A pointer to the the x-only compressed public key (x-only serialized public key) -* @return NC_SUCCESS if the signature could be verified, otherwise an error code -*/ -NC_EXPORT NCResult NC_CC NCVerifyDigest( - const NCContext* ctx, - const NCPublicKey* pk, - const uint8_t digest32[32], - const uint8_t sig64[64] -); - - - -/*-------------------------------------- -* HIGH LEVEL ENCRYPTION API -*/ - -/* -* NOTES -* -* NIP-44 requires that plaintext/ciphertext must be padded in powers of 2. -* Since this library operates on data at the binary level, and does not do -* ANY runtime heap allocation, it is up to the user to ensure that the -* plaintext/ciphertext buffers are padded properly in The NCryptoData struct -* before calling the encryption/decryption functions. -*/ - -/* -* High level api for encrypting nostr messages using a secret key and a public key. Use -the NCEncryptEx functions for extended encryption functionality -* @param ctx The library context -* @param sk The secret key (the local private key) -* @param pk The compressed public key (x-only serialized public key) the other user's public key -* @param args The encryption arguments -* @return NC_SUCCESS if the operation was successful, otherwise an error code. Use NCParseErrorCode to -the error code and positional argument that caused the error -*/ -NC_EXPORT NCResult NC_CC NCEncrypt( - const NCContext* ctx, - const NCSecretKey* sk, - const NCPublicKey* pk, - NCEncryptionArgs* args -); - -/* -* High level api for decrypting nostr messages using a secret key and a public key. Use -the NCDecryptEx functions for extended decryption functionality. -* @param ctx The library context -* @param sk The secret key (the local private key) -* @param pk The compressed public key (x-only serialized public key) the other user's public key -* @param args The decryption arguments -* @return NC_SUCCESS if the operation was successful, otherwise an error code. Use NCParseErrorCode to -the error code and positional argument that caused the error -*/ -NC_EXPORT NCResult NC_CC NCDecrypt( - const NCContext* ctx, - const NCSecretKey* sk, - const NCPublicKey* pk, - NCEncryptionArgs* args -); - -/* -* High level api for verifying a Nip44 message authentication code using a secret key -and a public key. Use the NCVerifyMacEx functions for extended verification functionality. -* @param ctx A pointer to an existing library context -* @param sk A pointer to the secret key -* @param pk A pointer to the compressed public key (x-only serialized public key) -* @param args A pointer to the mac verification arguments -* @return NC_SUCCESS if the operation was successful, otherwise an error code. Use NCParseErrorCode to -* the error code and positional argument that caused the error -*/ -NC_EXPORT NCResult NC_CC NCVerifyMac( - const NCContext* ctx, - const NCSecretKey* sk, - const NCPublicKey* pk, - NCMacVerifyArgs* args -); - -/*-------------------------------------- -* EXTENDED ENCRYPTION API -*/ - -/* -* Computes a NIP-44 shared secret from a secret key and a public key and -stores it in the sharedPoint buffer. -* @param ctx A pointer to the existing library context -* @param sk The secret key -* @param pk The compressed public key (x-only serialized public key) -* @param sharedPoint The buffer to store write the secret data to -* @return NC_SUCCESS if the operation was successful, otherwise an error code. Use NCParseErrorCode to -the error code and positional argument that caused the error -*/ -NC_EXPORT NCResult NC_CC NCGetSharedSecret( - const NCContext* ctx, - const NCSecretKey* sk, - const NCPublicKey* pk, - uint8_t sharedPoint[NC_SHARED_SEC_SIZE] -); - -/* -* Computes a NIP-44 conversation key from the local secret key and the remote -public key, and stores it in the conversationKey buffer. -* @param ctx A pointer to the existing library context -* @param sk A pointer to the the secret key -* @param pk A pointer to the compressed public key (x-only serialized public key) -* @param conversationKey The buffer to store write the conversation key to -* @return NC_SUCCESS if the operation was successful, otherwise an error code. Use NCParseErrorCode to -the error code and positional argument that caused the error -*/ -NC_EXPORT NCResult NC_CC NCGetConversationKey( - const NCContext* ctx, - const NCSecretKey* sk, - const NCPublicKey* pk, - uint8_t conversationKey[NC_CONV_KEY_SIZE] -); -/* -* Computes a NIP-44 conversation key a shared secret/point, and stores it in the -conversationKey buffer. -* @param ctx A pointer to the existing library context -* @param sharedPoint A pointer to the shared secret/point -* @param conversationKey The buffer to store write the conversation key to -* @return NC_SUCCESS if the operation was successful, otherwise an error code. Use NCParseErrorCode to -the error code and positional argument that caused the error -*/ -NC_EXPORT NCResult NC_CC NCGetConversationKeyEx( - const NCContext* ctx, - const uint8_t sharedPoint[NC_SHARED_SEC_SIZE], - uint8_t conversationKey[NC_CONV_KEY_SIZE] -); - -/* -* Encrypts a message using the given conversation key and writes the encrypted message to the -* output buffer. The output buffer must be at least 99 bytes in size. -* @param ctx A pointer to the existing library context -* @param conversationKey A pointer to the conversation key -* @param args A pointer to the encryption arguments structure -* @return NC_SUCCESS if the operation was successful, otherwise an error code. Use NCParseErrorCode to -the error code and positional argument that caused the error. -*/ -NC_EXPORT NCResult NC_CC NCEncryptEx( - const NCContext* ctx, - const uint8_t conversationKey[NC_CONV_KEY_SIZE], - NCEncryptionArgs* args -); - -/* -* Decrypts a message using the given conversation key and writes the decrypted message to the -* output buffer. -* @param ctx A pointer to the existing library context -* @param conversationKey A pointer to the conversation key -* @param args A pointer to the decryption arguments structure -* @return NC_SUCCESS if the operation was successful, otherwise an error code. Use NCParseErrorCode to -the error code and positional argument that caused the error. -*/ -NC_EXPORT NCResult NC_CC NCDecryptEx( - const NCContext* ctx, - const uint8_t conversationKey[NC_CONV_KEY_SIZE], - NCEncryptionArgs* args -); - -/* -* Verifies a Nip44 message authentication code using the given conversation key. -* @param ctx A pointer to the existing library context -* @param conversationKey A pointer to the conversation key -* @param args A pointer to the mac verification arguments -* @return NC_SUCCESS if the operation was successful, otherwise an error code. Use NCParseErrorCode to -* the error code and positional argument that caused the error. -*/ -NC_EXPORT NCResult NC_CC NCVerifyMacEx( - const NCContext* ctx, - const uint8_t conversationKey[NC_CONV_KEY_SIZE], - NCMacVerifyArgs* args -); - -/* -* Computes a message authentication code for a given payload using the given hmacKey and writes the -* mac to the hmacOut buffer. -* @param ctx A pointer to the existing library context -* @param hmacKey A pointer to the hmac key -* @param payload A pointer to the payload data buffer -* @param payloadSize The size of the payload data buffer -* @param hmacOut A pointer to the buffer to write the mac to -* @return NC_SUCCESS if the operation was successful, otherwise an error code. Use NCParseErrorCode to -* the error code and positional argument that caused the error. -*/ -NC_EXPORT NCResult NCComputeMac( - const NCContext* ctx, - const uint8_t hmacKey[NC_HMAC_KEY_SIZE], - const uint8_t* payload, - uint64_t payloadSize, - uint8_t hmacOut[NC_ENCRYPTION_MAC_SIZE] -); - -#endif /* !NOSCRYPT_H */ diff --git a/src/platform.h b/src/platform.h deleted file mode 100644 index 8abaadd..0000000 --- a/src/platform.h +++ /dev/null @@ -1,48 +0,0 @@ -/* -* Copyright (c) 2024 Vaughn Nugent -* -* Package: noscrypt -* File: platform.h -* -* This library is free software; you can redistribute it and/or -* modify it under the terms of the GNU Lesser General Public License -* as published by the Free Software Foundation; either version 2.1 -* of the License, or (at your option) any later version. -* -* This library is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -* Lesser General Public License for more details. -* -* You should have received a copy of the GNU Lesser General Public License -* along with noscrypt. If not, see http://www.gnu.org/licenses/. -*/ - - -/* -* Contains platform specific defintions -*/ - -#if defined(_MSC_VER) || defined(WIN32) || defined(_WIN32) - #define _NC_IS_WINDOWS -#elif defined(__linux__) || defined(__unix__) || defined(__posix__) - #define _NC_IS_LINUX -#elif defined(__APPLE__) || defined(__MACH__) - #define _NC_IS_MAC -#endif - -/* -* Define supported inline defintions for various compilers -* and C standards -*/ - -#if defined(_NC_IS_WINDOWS) || defined(inline) || defined(__clang__) - #define _nc_fn_inline inline -#elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L /* C99 allows usage of inline keyword */ - #define _nc_fn_inline inline -#elif defined(__GNUC__) || defined(__GNUG__) - #define _nc_fn_inline __inline__ -#else - #define _nc_fn_inline - #pragma message("Warning: No inline keyword defined for this compiler") -#endif \ No newline at end of file -- cgit