diff options
| -rw-r--r-- | CMakeLists.txt | 154 | ||||
| -rw-r--r-- | README.md | 61 | ||||
| -rw-r--r-- | Taskfile.yaml | 36 | ||||
| -rw-r--r-- | include/nc-util.h | 4 | ||||
| -rw-r--r-- | src/crypto/impl/mbedtls.c | 10 | ||||
| -rw-r--r-- | src/crypto/impl/monocypher.c | 2 | ||||
| -rw-r--r-- | src/crypto/impl/openssl.c | 48 | ||||
| -rw-r--r-- | vendor/mbedtls/mbedtls_noscrypt_config.h | 56 |
8 files changed, 226 insertions, 145 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 2ce41e8..1b8ce3d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,6 +1,10 @@ -# CMakeList.txt : CMake project for noscrypt, include source and define -# project specific logic here. +# Copyright (c) 2024 Vaughn Nugent +# See the LICENSE in this directory for terms of use # +# This file configures noscrypt with best defaults as possible while offering +# some freedom in terms of crypto libraries if desired. Some defaults and +# worst case fallback functions are defined and will get better as time goes on +# cmake_minimum_required (VERSION 3.10) @@ -9,59 +13,54 @@ project(noscrypt C) option(NC_BUILD_TESTS "Build tests" OFF) option(NC_DISABLE_INPUT_VALIDATION "Disables public function input validation" OFF) option(NC_FETCH_MBEDTLS "Fetch Mbed-TLS from it's source repository locally" OFF) +option(NC_FETCH_SECP256K1 "Fetch and locally build secp256k1 source code" ON) option(NC_INCLUDE_MONOCYPHER "Statically link to vendored monocypher library" ON) -set(CRYPTO_LIB "none" CACHE STRING "The crypto library to link to (mbedtls, openssl, none)") +set(CRYPTO_LIB "" CACHE STRING "The crypto library to link to (mbedtls, openssl)") set(CRYPTO_LIB_DIR "" CACHE STRING "The path to the crypto library if it's not globally available") +set(SECP256K1_LIB_DIR "" CACHE STRING "An optional path to search for the secp256k1 library if not globally installed") string(TOLOWER ${CMAKE_BUILD_TYPE} build_type) +#list of noscrypt project defitnions +set(NC_PROJ_DEFINTIONS "") + include(FetchContent) -#SET SECP256k VARS -set(SECP256K1_BUILD_BENCHMARK OFF) -set(SECP256K1_BUILD_TESTS OFF) -set(SECP256K1_BUILD_EXAMPLES OFF) -set(SECP256K1_BUILD_EXHAUSTIVE_TESTS OFF) -set(SECP256K1_ENABLE_MODULE_ECDH ON) -set(SECP256K1_ENABLE_MODULE_RECOVERY ON) -set(SECP256K1_ENABLE_MODULE_SCHNORRSIG ON) -set(SECP256K1_ENABLE_MODULE_EXTRAKEYS ON) -set(SECP256K1_ENABLE_MODULE_ELLSWIFT OFF) -set(SECP256K1_INSTALL OFF) -set(SECP256K1_DISABLE_SHARED ON) #disales shared library output - -FetchContent_Declare( - libsecp256k1 - GIT_REPOSITORY https://github.com/bitcoin-core/secp256k1 - GIT_TAG 1ad5185cd42c0636104129fcc9f6a4bf9c67cc40 # release-0.4.1 - GIT_PROGRESS TRUE -) +if(NC_FETCH_SECP256K1) + + #Fetch libsecp256k1, and build a minimal static library + set(SECP256K1_BUILD_BENCHMARK OFF) + set(SECP256K1_BUILD_TESTS OFF) + set(SECP256K1_BUILD_EXAMPLES OFF) + set(SECP256K1_BUILD_EXHAUSTIVE_TESTS OFF) + set(SECP256K1_ENABLE_MODULE_ECDH ON) + set(SECP256K1_ENABLE_MODULE_RECOVERY ON) + set(SECP256K1_ENABLE_MODULE_SCHNORRSIG ON) + set(SECP256K1_ENABLE_MODULE_EXTRAKEYS ON) + set(SECP256K1_ENABLE_MODULE_ELLSWIFT OFF) + set(SECP256K1_INSTALL OFF) + set(SECP256K1_DISABLE_SHARED ON) #disales shared library output -FetchContent_MakeAvailable(libsecp256k1) + FetchContent_Declare( + libsecp256k1 + GIT_REPOSITORY https://github.com/bitcoin-core/secp256k1 + GIT_TAG 1ad5185cd42c0636104129fcc9f6a4bf9c67cc40 # release-0.4.1 + GIT_PROGRESS TRUE + ) -#Include mbedtls if enabled -if(NC_FETCH_MBEDTLS) + FetchContent_MakeAvailable(libsecp256k1) - set(ENABLE_PROGRAMS OFF) - set(ENABLE_TESTING OFF) - set(USE_SHARED_MBEDTLS_LIBRARY OFF) - set(USE_STATIC_MBEDTLS_LIBRARY ON) - set(DISABLE_PACKAGE_CONFIG_AND_INSTALL OFF) - set(MBEDTLS_CONFIG_FILE "${CMAKE_CURRENT_SOURCE_DIR}/mbedtls_custom_config.h" CACHE STRING "" FORCE) +else() - FetchContent_Declare( - libmbedtls - GIT_REPOSITORY https://github.com/Mbed-TLS/mbedtls.git - GIT_TAG v3.6.0 - GIT_PROGRESS TRUE + #search for an existing library, it's a required dependency + find_library(secp256k1 + NAMES secp256k1 libsecp256k1 + PATHS ${SECP256K1_LIB_DIR} + REQUIRED ) - FetchContent_MakeAvailable(libmbedtls) - - set(CRYPTO_LIB "mbedtls") #enable linking to mbedtls endif() - #----------------------------- # MAIN PROJECT #----------------------------- @@ -99,6 +98,7 @@ else() target_link_libraries(${CMAKE_PROJECT_NAME} INTERFACE secp256k1) target_link_libraries(${CMAKE_PROJECT_NAME}_static INTERFACE secp256k1) endif() + #include secp256k1 headers target_include_directories(${CMAKE_PROJECT_NAME} SYSTEM PUBLIC vendor/secp256k1/include) target_include_directories(${CMAKE_PROJECT_NAME}_static SYSTEM PUBLIC vendor/secp256k1/include) @@ -109,6 +109,42 @@ target_include_directories(${CMAKE_PROJECT_NAME}_static SYSTEM PUBLIC vendor/sec # ############################################# +#try to load openssl quietly in order to check for its availability +find_package(OpenSSL QUIET) + +#setup default linking to crypto libraries for certain plaftorms. +#Windows defaults to bcrypt, openssl otherwise if installed +if(CRYPTO_LIB STREQUAL "") + if(MSVC) + set(CRYPTO_LIB "bcrypt") + elseif(OPENSSL_FOUND) + set(CRYPTO_LIB "openssl") + endif() +endif() + +#Include mbedtls if enabled +if(NC_FETCH_MBEDTLS) + + set(ENABLE_PROGRAMS OFF) + set(ENABLE_TESTING OFF) + set(USE_SHARED_MBEDTLS_LIBRARY OFF) + set(USE_STATIC_MBEDTLS_LIBRARY ON) + set(DISABLE_PACKAGE_CONFIG_AND_INSTALL OFF) + set(MBEDTLS_CONFIG_FILE "${CMAKE_CURRENT_SOURCE_DIR}/vendor/mbedtls/mbedtls_noscrypt_config.h" CACHE STRING "" FORCE) + + FetchContent_Declare( + libmbedtls + GIT_REPOSITORY https://github.com/Mbed-TLS/mbedtls.git + GIT_TAG v3.6.0 + GIT_PROGRESS TRUE + ) + + FetchContent_MakeAvailable(libmbedtls) + + set(CRYPTO_LIB "mbedtls") #enable linking to mbedtls + +endif() + #if mbedtls linking is enabled target the library if(CRYPTO_LIB STREQUAL "mbedtls") @@ -143,8 +179,7 @@ if(CRYPTO_LIB STREQUAL "mbedtls") endif() #enable mbedtls crypto library bindings - target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE MBEDTLS_CRYPTO_LIB) - target_compile_definitions(${CMAKE_PROJECT_NAME}_static PRIVATE MBEDTLS_CRYPTO_LIB) + list(APPEND NC_PROJ_DEFINTIONS MBEDTLS_CRYPTO_LIB) elseif(CRYPTO_LIB STREQUAL "openssl") @@ -161,27 +196,33 @@ elseif(CRYPTO_LIB STREQUAL "openssl") target_link_libraries(${CMAKE_PROJECT_NAME}_static PRIVATE OpenSSL::Crypto) #enable openssl crypto library bindings - target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE OPENSSL_CRYPTO_LIB) - target_compile_definitions(${CMAKE_PROJECT_NAME}_static PRIVATE OPENSSL_CRYPTO_LIB) + list(APPEND NC_PROJ_DEFINTIONS OPENSSL_CRYPTO_LIB) + +elseif(CRYPTO_LIB STREQUAL "bcrypt") + + if(MSVC) + #link bcrypt for Windows platforms + target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE "bcrypt.lib") + target_link_libraries(${CMAKE_PROJECT_NAME}_static PRIVATE "bcrypt.lib") + else() + message(FATAL_ERROR "Bcrypt is only supported on Windows platforms") + endif() else() - #the library should be self sufficient in handling default crypto implementations - + + message(FATAL_ERROR "You must select a supported cryptography library: openssl, mbedtls, or bcrypt (Windows only)") + endif() add_compile_definitions($<$<CONFIG:Debug>:DEBUG>) add_compile_definitions(NOSCRYPT_EXPORTING) #enable exporting symbols if(NC_DISABLE_INPUT_VALIDATION) - target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE NC_INPUT_VALIDATION_OFF) + list(APPEND NC_PROJ_DEFINTIONS NC_INPUT_VALIDATION_OFF) endif() #setup flags for windows compilation if(MSVC) - - #link bcrypt for Windows platforms - target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE "bcrypt.lib") - target_link_libraries(${CMAKE_PROJECT_NAME}_static PRIVATE "bcrypt.lib") #global windows cl flags target_compile_options(${CMAKE_PROJECT_NAME} PRIVATE @@ -204,7 +245,7 @@ if(MSVC) ) #set build macros - target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE + list(APPEND NC_PROJ_DEFINTIONS $<$<CONFIG:DEBUG>:DEBUG> $<$<CONFIG:RELEASE>:RELEASE> ) @@ -264,21 +305,22 @@ if(NC_INCLUDE_MONOCYPHER) ) #enable monocypher crypto library bindings - target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE NC_ENABLE_MONOCYPHER) - target_compile_definitions(${CMAKE_PROJECT_NAME}_static PRIVATE NC_ENABLE_MONOCYPHER) + list(APPEND NC_PROJ_DEFINTIONS NC_ENABLE_MONOCYPHER) elseif(CMAKE_COMPILER_IS_GNUCC) #from monocypher's Makefile target_compile_options(monocypher PRIVATE -pedantic -Wall -Wextra -O3 -march=native) #enable monocypher crypto library bindings - target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE NC_ENABLE_MONOCYPHER) - target_compile_definitions(${CMAKE_PROJECT_NAME}_static PRIVATE NC_ENABLE_MONOCYPHER) + list(APPEND NC_PROJ_DEFINTIONS NC_ENABLE_MONOCYPHER) else() message(WARNING "Monocypher is not supported on this platform") endif() endif() +#Set NC variables to both projects +target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE ${NC_PROJ_DEFINTIONS}) +target_compile_definitions(${CMAKE_PROJECT_NAME}_static PRIVATE ${NC_PROJ_DEFINTIONS}) #TESTS if(NC_BUILD_TESTS) @@ -32,20 +32,20 @@ Testing is an will be important to a cryptography library, I take that responsib - No explicit/dynamic memory allocations - Public API function input validation is on by default - All stack allocated structures are securely zeroed before return -- Stack protection is enabled by default for GCC and MSVC compilers (also for deps) +- Stack protection is enabled by default for GCC and MSVC compilers - Schnorr signatures are validated before the signing function returns - Carefully selected, widley used, tested, and audited dependencies ## Platform Support +The following table lists the supported platforms and cryptography libraries that noscrypt supports. This will expand in the future. You are free to choose and specify the location of these libraries if you desire during build time, otherwise safe defaults are attempted on your platform. + | Arch | Support | Notes | Tested | | ----- | ---------- | ------- | ------- | -| Windows | OpenSSL, Mbed-TLS, BCrypt | NT 6.1 + | ✅ | -| Linux | OpenSSL, Mbed-TLS | GCC only | ✅ | -| FreeBSD | OpenSSL, Mbed-TLS | GCC Only | | +| Windows | OpenSSL (3.0), Mbed-TLS, BCrypt | NT 6.1 + | ✅ | +| Linux | OpenSSL (3.0), Mbed-TLS | GCC only | ✅ | +| FreeBSD | OpenSSL (3.0), Mbed-TLS | GCC Only | | -### Configuring libraries -Noscrypt now supports linking to multiple cryptographic libraries and expanded platform support. At built-time you may choose ## Packages and Docs GitHub is simply a mirror for my projects. Extended documentation, pre-compiled binaries and source code bundles are always available on my website, along with PGP signatures and checksums. @@ -55,53 +55,30 @@ GitHub is simply a mirror for my projects. Extended documentation, pre-compiled ### Getting the package There are 3 ways to get the source code to build this project. -1. Download the package from my website above (recommended) +1. Download the signed `noscrypt-src.tgz` package from my website above (recommended) 2. Clone the GitHub repo `git clone https://github.com/VnUgE/noscrypt.git` 3. Download a github archive or release when they are available ## Building -This project was built from the start using cmake as the build generator so it is easily cross platform. Builds produce a shared library and a static library so you can choose how to link it with your project. - -*Extended documentation includes more exhaustive build conditions and supported platforms* - -### Prerequisites -Before building this library you must install the following dependencies -- [task](https://taskfile.dev/installation/) - build exec tool -- git -- [cmake](https://cmake.org) -- Your preferred C compiler. Currently supports GCC and MSVC - ->[!NOTE] ->The build process will install dependencies locally (in a deps/ dir) and verify the file hashes. Read extended documentation for installing dependencies manually/globally. - -### Instructions -After Task is installed you can run the following commands to execute the build steps. I test build steps against Debian, Ubuntu, Fedora, Windows 10 and Windows Server 2019 targets. If you have a platform that is having issues please get in touch. - ->[!TIP] -> Run `task --list-all` to see all available build commands +Please see extended documentation for all custom build configurations and tips. For now, here is enough to get most developers going. -#### Normal build -The following command will install dependencies and build the libraries in release mode -``` shell -task #or task build +### CMake +```shell +cmake -S . -Bbuild/ -DCMAKE_BUILD_TYPE=Release ``` -#### Build tests in debug mode ->[!WARNING] -> You may want to clean the entire project before rebuilding in debug mode to cleanup caches -``` shell -task build-tests +#### Enable built-in tets and debug mode +```shell +cmake -S . -Bbuild/test -DCMAKE_BUILD_TYPE=Debug -DNC_BUILD_TESTS=ON ``` -#### Cleanup -You can delete all build related data (including dependencies) and start over -``` shell -task clean +#### Specify the crypto library +```shell +cmake -S . -Bbuild/ -DCMAKE_BUILD_TYPE=Release -DCRYPTO_LIB=<openssl | mbedtls | bcrypt> ``` -The task file is configured to cache your dependencies once they are built. If you have issues with a download and need to re-run a command, try using `task <cmd> --force` to override the build caching. -#### All done -Once building is complete, your library files should be located under `build/libnoscrypt` or `build/Release/noscrypt.dll` on Windows +### Easy mode +A [Taskfile](https://taskfile.dev) file is included for easy building if you wish to build in easy mode! Use the `task --list-all` to see all available commands. The default command `task` will build the library in release mode using defaults. You may specify extra cmake build variables using the `USER_ARGS` variable on the command line. ## Notes #### Builds diff --git a/Taskfile.yaml b/Taskfile.yaml index 77572f0..a2c673a 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -13,34 +13,38 @@ version: '3' vars: - END_USER_CMAKE_ARGS: '-DNC_BUILD_TESTS=OFF -DNC_DISABLE_INPUT_VALIDATION=OFF -DNC_INCLUDE_MONOCYPHER=ON' + CMAKE_BUILD_DIR: 'build/{{ OS }}' tasks: default: desc: "Build the library for your system" - deps: - - install cmds: - - task: build-local + - task: build-internal vars: { CMAKE_TEST_STATUS: 'OFF', BUILD_CONFIG: 'Release' } - build-tests: + build-debug: desc: "Build libraries and test executable in debug mode" - deps: - - install cmds: - - task: build-local + - task: build-internal vars: { CMAKE_TEST_STATUS: 'ON', BUILD_CONFIG: 'Debug' } - build-local: + build-internal: internal: true cmds: - - cmake -S . -Bbuild/ -DCMAKE_BUILD_TYPE={{.BUILD_CONFIG}} {{.END_USER_CMAKE_ARGS}} - - cmake --build build/ --config {{.BUILD_CONFIG}} - - cmd: echo "Build complete your files can be found in the build/ directory" + - cmake -S . -B{{.CMAKE_BUILD_DIR}} -DCMAKE_BUILD_TYPE={{.BUILD_CONFIG}} -DNC_BUILD_TESTS={{ .CMAKE_TEST_STATUS }} {{.USER_ARGS}} + - cmake --build {{.CMAKE_BUILD_DIR}} --config {{.BUILD_CONFIG}} + - cmd: echo "Build complete. Your files can be found in the {{.CMAKE_BUILD_DIR}} directory" silent: true + #available to users and vnbuild runner + test: + desc: "Builds a local copy of the library in a debug configuration, then runs the test executable" + cmds: + - task: build-debug + - cmd: cd {{.CMAKE_BUILD_DIR}} && {{if eq OS "windows"}}debug/nctest.exe{{else}}./nctest{{end}} + + #CI ONLY!! #called by build pipeline to build module @@ -61,7 +65,7 @@ tasks: desc: "Cleans the artifact directory" ignore_error: true cmds: - - for: [ bin/, build/, deps/] + - for: [ bin/, build/ ] task: clean-internal vars: { FILE: '{{.ITEM}}'} @@ -73,7 +77,7 @@ tasks: - cmd: rm -rf '{{.FILE}}' platforms: [linux, darwin] - - cmd: powershell rm -Recurse '{{.FILE}}' + - cmd: powershell rm -Recurse -Force '{{.FILE}}' platforms: [windows] build_win_x64: @@ -86,7 +90,7 @@ tasks: BUILD_DIR: 'out/build/win-x64' cmds: - #invoke cmake build + #invoke cmake build - cmake -S . -B {{.BUILD_DIR}} -G "Visual Studio 17 2022" -A x64 -DCMAKE_BUILD_TYPE=Release - cmake --build {{.BUILD_DIR}} --config Release @@ -104,7 +108,7 @@ tasks: internal: true desc: "Packs up the project source code and creates a tarball in the builds binary directory" vars: - TARGET_SOURCE: '{{.PROJECT_DIR}}/{{.BINARY_DIR}}/{{.PROJECT_NAME}}-source.tgz' + TARGET_SOURCE: '{{.PROJECT_DIR}}/{{.BINARY_DIR}}/{{.PROJECT_NAME}}-src.tgz' SOURCE_FILES: 'CMakeLists.txt src include license tests Taskfile.yaml' cmds: diff --git a/include/nc-util.h b/include/nc-util.h index 6a0e149..8fb74ff 100644 --- a/include/nc-util.h +++ b/include/nc-util.h @@ -63,9 +63,9 @@ #include <stdint.h> #if SIZE_MAX < UINT32_MAX - #define _sizet_check(x) if(x > SIZE_MAX) return CSTATUS_FAIL; + #define _overflow_check(x) if(x > SIZE_MAX) return CSTATUS_FAIL; #else - #define _sizet_check(x) + #define _overflow_check(x) #endif typedef struct memory_span_struct diff --git a/src/crypto/impl/mbedtls.c b/src/crypto/impl/mbedtls.c index 18eb9db..057e7b4 100644 --- a/src/crypto/impl/mbedtls.c +++ b/src/crypto/impl/mbedtls.c @@ -30,7 +30,7 @@ /* Inline errors on linux in header files on linux */ #ifndef inline -#define inline __inline + #define inline __inline #endif #include <mbedtls/md.h> @@ -41,7 +41,7 @@ #include <mbedtls/constant_time.h> #ifndef inline -#undef inline + #undef inline #endif @@ -73,7 +73,7 @@ _IMPLSTB const mbedtls_md_info_t* _mbed_sha256_alg(void) uint32_t dataLen ) { - _sizet_check(dataLen) + _overflow_check(dataLen) /* Counter always starts at 0 */ return mbedtls_chacha20_crypt( @@ -95,7 +95,7 @@ _IMPLSTB const mbedtls_md_info_t* _mbed_sha256_alg(void) _IMPLSTB cstatus_t _mbed_sha256_digest(const cspan_t* data, sha256_t digestOut32) { - _sizet_check(data->size) + _overflow_check(data->size) return mbedtls_sha256( data->data, @@ -114,7 +114,7 @@ _IMPLSTB const mbedtls_md_info_t* _mbed_sha256_alg(void) _IMPLSTB cstatus_t _mbed_sha256_hmac(const cspan_t* key, const cspan_t* data, sha256_t hmacOut32) { - _sizet_check(data->size) + _overflow_check(data->size) /* Keys should never be large enough for this to matter, but sanity check. */ DEBUG_ASSERT2(key->size < SIZE_MAX, "Expected key size to be less than SIZE_MAX") diff --git a/src/crypto/impl/monocypher.c b/src/crypto/impl/monocypher.c index b695d08..7c9faea 100644 --- a/src/crypto/impl/monocypher.c +++ b/src/crypto/impl/monocypher.c @@ -53,7 +53,7 @@ uint32_t dataLen ) { - _sizet_check(dataLen) + _overflow_check(dataLen) /* * Function returns the next counter value which is not diff --git a/src/crypto/impl/openssl.c b/src/crypto/impl/openssl.c index 90028e6..fd3b4e6 100644 --- a/src/crypto/impl/openssl.c +++ b/src/crypto/impl/openssl.c @@ -20,7 +20,6 @@ /* Setup openssl */ - #ifdef OPENSSL_CRYPTO_LIB #include "nc-util.h" @@ -34,7 +33,7 @@ _IMPLSTB void _ossl_secure_zero_memset(void* ptr, size_t size) { - _sizet_check(size) + _overflow_check(size) OPENSSL_cleanse(ptr, size); } @@ -48,7 +47,8 @@ { int result; - _sizet_check(size) + /* Size checks are required for platforms that have integer sizes under 32bit */ + _overflow_check(size) result = CRYPTO_memcmp(a, b, size); @@ -66,7 +66,7 @@ _IMPLSTB cstatus_t _ossl_sha256_digest(const cspan_t* data, sha256_t digestOut32) { - _sizet_check(data->size) + _overflow_check(data->size) _OSSL_FAIL(SHA256(data->data, data->size, digestOut32)) @@ -86,8 +86,8 @@ { unsigned int hmacLen; - _sizet_check(key->size) - _sizet_check(data->size) + _overflow_check(key->size) + _overflow_check(data->size) hmacLen = sizeof(sha256_t); @@ -104,7 +104,7 @@ ) /* digest length should match the actual digest size */ - _OSSL_FAIL(hmacLen != sizeof(sha256_t)) + DEBUG_ASSERT(hmacLen == sizeof(sha256_t)) return CSTATUS_OK; } @@ -122,23 +122,32 @@ { DEBUG_ASSERT(ctx != NULL) - _OSS_FAIL(HMAC_Update((HMAC_CTX*)ctx, data->data, data->size)) + _overflow_check(data->size) + + _OSSL_FAIL(EVP_DigestUpdate((EVP_MD_CTX*)ctx, data->data, data->size)) return CSTATUS_OK; } cstatus_t _ossl_hkdf_finish(void* ctx, sha256_t hmacOut32) { + unsigned int hmacSize; + DEBUG_ASSERT(ctx != NULL) - _OSSL_FAIL(HMAC_Final((HMAC_CTX*)ctx, hmacOut32, NULL)) + hmacSize = sizeof(sha256_t); + + _OSSL_FAIL(EVP_DigestFinal_ex((EVP_MD_CTX*)ctx, hmacOut32, &hmacSize)) + + /* When configured for sha256, should always be the same size in/out */ + DEBUG_ASSERT(hmacSize == sizeof(sha256_t)) return CSTATUS_OK; } - _IMPLSTB cstatus_t _ossl_fallback_hkdf_expand(const cspan_t* prk, const cspan_t* info, span_t* okm) + _IMPLSTB cstatus_t _ossl_sha256_hkdf_expand(const cspan_t* prk, const cspan_t* info, span_t* okm) { - HMAC_CTX* hmac; + EVP_MD_CTX* ctx; cstatus_t result; struct nc_hkdf_fn_cb_struct handler; @@ -147,28 +156,21 @@ * calls to the finish function without losing the context. */ - if ((hmac = HMAC_CTX_new()) == NULL) + if ((ctx = EVP_MD_CTX_create()) == NULL) { return CSTATUS_FAIL; } + _OSSL_FAIL(EVP_DigestInit_ex2(ctx, EVP_sha256(), NULL)) - _OSSL_FAIL( - HMAC_Init_ex( - hmac, - prk->data, - pkr->size, - EVP_sha256(), - NULL - ) - ) + _OSSL_FAIL(EVP_DigestUpdate(ctx, prk->data, prk->size)); handler.update = _ossl_hkdf_update; handler.finish = _ossl_hkdf_finish; - result = hkdfExpandProcess(&handler, hmac, info, okm); + result = hkdfExpandProcess(&handler, ctx, info, okm); - HMAC_CTX_free(hmac); + EVP_MD_CTX_destroy(ctx); return result; } diff --git a/vendor/mbedtls/mbedtls_noscrypt_config.h b/vendor/mbedtls/mbedtls_noscrypt_config.h new file mode 100644 index 0000000..2ae70c5 --- /dev/null +++ b/vendor/mbedtls/mbedtls_noscrypt_config.h @@ -0,0 +1,56 @@ +/** + * \file config-suite-b.h + * + * \brief Minimal configuration for TLS NSA Suite B Profile (RFC 6460) + */ + /* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + /* + * Minimal configuration for TLS NSA Suite B Profile (RFC 6460) + * + * Distinguishing features: + * - no RSA or classic DH, fully based on ECC + * - optimized for low RAM usage + * + * Possible improvements: + * - if 128-bit security is enough, disable secp384r1 and SHA-512 + * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C + * + * See README.txt for usage instructions. + */ + + /* System support */ +#define MBEDTLS_HAVE_ASM +#define MBEDTLS_HAVE_TIME + +/* Mbed TLS feature support */ + +/* Mbed TLS modules */ +#define MBEDTLS_MD_C +#define MBEDTLS_HKDF_C +#define MBEDTLS_CHACHA20_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_ENTROPY_C + + +/* Save RAM at the expense of ROM */ +//#define MBEDTLS_AES_ROM_TABLES + +/* Save RAM by adjusting to our exact needs */ +//#define MBEDTLS_MPI_MAX_SIZE 48 // 384-bit EC curve = 48 bytes + +/* Save RAM at the expense of speed, see ecp.h */ +//#define MBEDTLS_ECP_WINDOW_SIZE 2 +//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 + +/* Significant speed benefit at the expense of some ROM */ +//#define MBEDTLS_ECP_NIST_OPTIM + +/* + * You should adjust this to the exact number of sources you're using: default + * is the "mbedtls_platform_entropy_poll" source, but you may want to add other ones. + * Minimum is 2 for the entropy test suite. + */ +#define MBEDTLS_ENTROPY_MAX_SOURCES 2
\ No newline at end of file |