summaryrefslogtreecommitdiffhomepage
path: root/lib
diff options
context:
space:
mode:
authorMikael Magnusson <mikma@users.sourceforge.net>2024-09-14 20:40:58 +0200
committerMikael Magnusson <mikma@users.sourceforge.net>2024-12-26 22:25:08 +0100
commitaf915e9ce74ca793f6f7c272985a92671887a88e (patch)
treed482f2a7bb1a1d4c2ce144ad77e0cd3f3da94a9e /lib
parentef7033878f878c9a4c51ab73353db7b93a4f99e3 (diff)
lib: add Crypto MbedTLS plugin support
Implement message digest, and RSA and ECDSA signing and verification. Add NIST curve alises in order to support the same curve names in crypto-mbetls and crypto-openssl: * P-192 * P-224 * P-256 * P-384 * P-521 * brainpoolP256r1 * brainpoolP384r1 * brainpoolP512r1 Signed-off-by: Mikael Magnusson <mikma@users.sourceforge.net>
Diffstat (limited to 'lib')
-rw-r--r--lib/crypto-mbedtls.c412
1 files changed, 412 insertions, 0 deletions
diff --git a/lib/crypto-mbedtls.c b/lib/crypto-mbedtls.c
new file mode 100644
index 0000000..3ab9f5f
--- /dev/null
+++ b/lib/crypto-mbedtls.c
@@ -0,0 +1,412 @@
+/*
+ * Copyright (C) 2024 Mikael Magnusson <mikma@users.sourceforge.net>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdint.h>
+#include <errno.h>
+#include <alloca.h>
+
+#include <ucode/module.h>
+
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/error.h>
+#include <mbedtls/md.h>
+#include <mbedtls/pk.h>
+
+#define PK_TYPE "crypto_mbedtls.pk"
+
+#define TRUE ucv_boolean_new(true)
+#define FALSE ucv_boolean_new(false)
+
+const char *personalization = "ucode-crypto-mbedtls";
+
+struct context {
+ mbedtls_pk_context pk;
+ mbedtls_ctr_drbg_context ctr_drbg;
+};
+
+static uc_resource_type_t *pk_type;
+static mbedtls_entropy_context entropy;
+
+static void __attribute__((constructor)) load();
+static void __attribute__((destructor)) unload();
+
+static uc_value_t *
+md_digest(uc_vm_t *vm, size_t nargs)
+{
+ uc_value_t *alg = uc_fn_arg(0);
+ uc_value_t *input = uc_fn_arg(1);
+
+ if (ucv_type(alg) != UC_STRING) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "alg not a string");
+ return NULL;
+ }
+
+ if (ucv_type(input) != UC_STRING) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "input not a string");
+ return NULL;
+ }
+
+ const mbedtls_md_info_t *info = mbedtls_md_info_from_string(ucv_string_get(alg));
+
+ if (!info) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "unknown MD algorithm");
+ return NULL;
+ }
+
+ unsigned char size = mbedtls_md_get_size(info);
+ char *output = alloca(size);
+
+ if (mbedtls_md(info, (const unsigned char*)ucv_string_get(input), ucv_string_length(input), (unsigned char*)output)) {
+ uc_vm_raise_exception(vm, EXCEPTION_RUNTIME, "bad input data");
+ return NULL;
+ }
+
+ uc_value_t *rv = ucv_string_new_length(output, size);
+ return rv;
+}
+
+static uc_value_t *
+pk_init(uc_vm_t *vm, size_t nargs)
+{
+ struct context *ctx = calloc(1, sizeof(struct context));
+
+ mbedtls_pk_init(&ctx->pk);
+ mbedtls_ctr_drbg_init(&ctx->ctr_drbg);
+
+ int ret = mbedtls_ctr_drbg_seed(&ctx->ctr_drbg, mbedtls_entropy_func, &entropy,
+ (const unsigned char *) personalization,
+ strlen(personalization) );
+ if( ret != 0 ) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "Problem with random generator");
+ return NULL;
+ }
+
+ return uc_resource_new(pk_type, ctx);
+}
+
+static void
+pk_free(void *ptr)
+{
+ struct context *ctx = ptr;
+
+ mbedtls_pk_free(&ctx->pk);
+ mbedtls_ctr_drbg_free(&ctx->ctr_drbg);
+ free(ctx);
+}
+
+struct alias {
+ const char *alias;
+ const char *name;
+};
+
+static struct alias curve_aliases[] = {
+ { alias: "P-192", name: "secp192r1"},
+ { alias: "P-224", name: "secp224r1"},
+ { alias: "P-256", name: "secp256r1"},
+ { alias: "P-384", name: "secp384r1"},
+ { alias: "P-521", name: "secp521r1"},
+ { alias: NULL, name: NULL},
+};
+
+static const char *translate_curve(const char *type)
+{
+ if (!type)
+ return NULL;
+
+ for (int i=0; curve_aliases[i].alias; i++) {
+ if (!strcmp(type, curve_aliases[i].alias))
+ return curve_aliases[i].name;
+ }
+
+ return type;
+};
+
+static uc_value_t *
+pk_keygen(uc_vm_t *vm, size_t nargs)
+{
+ struct context *ctx = uc_fn_thisval(PK_TYPE);
+
+ if (!ctx) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "invalid " PK_TYPE " object");
+ return NULL;
+ }
+
+ uc_value_t *type = uc_fn_arg(0);
+ if (ucv_type(type) != UC_STRING) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "type is not a string");
+ return NULL;
+ }
+
+ const char *type_str = ucv_string_get(type);
+
+ if (!strcasecmp(type_str, "EC")) {
+ if (nargs != 2) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "Expected 2 arguments got %d", nargs);
+ return NULL;
+ }
+
+ uc_value_t *curve_v = uc_fn_arg(1);
+ if (ucv_type(curve_v) != UC_STRING) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "curve is not a string");
+ return NULL;
+ }
+
+ const char *curve = translate_curve(ucv_string_get(curve_v));
+ const mbedtls_ecp_curve_info *curve_info = mbedtls_ecp_curve_info_from_name(curve);
+
+ if (!curve_info) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "Unsupported curve: %s", curve);
+ return NULL;
+ }
+
+ const mbedtls_pk_info_t *info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
+ if (mbedtls_pk_setup(&ctx->pk, info)) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "PK setup failed");
+ return NULL;
+ }
+ int err = mbedtls_ecp_gen_key(curve_info->grp_id,
+ mbedtls_pk_ec(ctx->pk),
+ mbedtls_ctr_drbg_random, &ctx->ctr_drbg);
+ if (err != 0) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "EC gen key failed");
+ return NULL;
+ }
+ } else if (!strcasecmp(type_str, "RSA")) {
+ if (nargs != 2) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "Expected 2 arguments got %d", nargs);
+ return NULL;
+ }
+
+ uc_value_t *size_v = uc_fn_arg(1);
+ if (ucv_type(size_v) != UC_INTEGER) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "size is not a number");
+ return NULL;
+ }
+
+ size_t size = ucv_to_integer(size_v);
+ const mbedtls_pk_info_t *info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
+ if (mbedtls_pk_setup(&ctx->pk, info)) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "PK setup failed");
+ return NULL;
+ }
+
+ int err = mbedtls_rsa_gen_key(mbedtls_pk_rsa(ctx->pk),
+ mbedtls_ctr_drbg_random, &ctx->ctr_drbg,
+ size, 65537);
+ if (err != 0) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "RSA gen key failed");
+ return NULL;
+ }
+ } else {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "Unsupported key type %s", type_str);
+ return NULL;
+ }
+
+ return TRUE;
+}
+
+static uc_value_t *
+pk_get_public_key(uc_vm_t *vm, size_t nargs)
+{
+ struct context *ctx = uc_fn_thisval(PK_TYPE);
+
+ if (!ctx) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "invalid " PK_TYPE " object");
+ return NULL;
+ }
+
+ if (!mbedtls_pk_get_len(&ctx->pk)) {
+ // No key
+ return NULL;
+ }
+
+ unsigned char buf[16000];
+ int res = mbedtls_pk_write_pubkey_der(&ctx->pk, buf, sizeof(buf));
+ if (res <= 0) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "failed to get public key");
+ return NULL;
+ }
+
+ uc_value_t *rv = ucv_string_new_length((const char*)(buf + sizeof(buf) - res), res);
+ return rv;
+}
+
+static uc_value_t *
+pk_set_public_key(uc_vm_t *vm, size_t nargs)
+{
+ struct context *ctx = uc_fn_thisval(PK_TYPE);
+
+ if (!ctx) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "invalid " PK_TYPE " object");
+ return NULL;
+ }
+
+ uc_value_t *key = uc_fn_arg(0);
+ if (ucv_type(key) == UC_NULL) {
+ mbedtls_pk_free(&ctx->pk);
+ return NULL;
+ }
+
+ if (ucv_type(key) != UC_STRING) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "key is not a string");
+ return NULL;
+ }
+
+ int err = mbedtls_pk_parse_public_key(&ctx->pk, (const unsigned char*)ucv_string_get(key), ucv_string_length(key));
+ if (err)
+ uc_vm_raise_exception(vm, EXCEPTION_RUNTIME, "not a valid DER key %s: %s",
+ mbedtls_high_level_strerr(err),
+ mbedtls_low_level_strerr(err));
+ return NULL;
+}
+
+static uc_value_t *
+pk_sign(uc_vm_t *vm, size_t nargs)
+{
+ struct context *ctx = uc_fn_thisval(PK_TYPE);
+
+ if (!ctx) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "invalid " PK_TYPE " object");
+ return NULL;
+ }
+
+ uc_value_t *md_alg = uc_fn_arg(0);
+ uc_value_t *input = uc_fn_arg(1);
+
+ if (ucv_type(md_alg) != UC_STRING) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "md_alg is not a string");
+ return NULL;
+ }
+
+ if (ucv_type(input) != UC_STRING)
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "input is not a string");
+
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_string(ucv_string_get(md_alg));
+ if (!md_info) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "unknown MD algorithm");
+ return NULL;
+ }
+
+ unsigned char hash_len = mbedtls_md_get_size(md_info);
+ unsigned char *hash = alloca(hash_len);
+
+ if (mbedtls_md(md_info, (const unsigned char*)ucv_string_get(input), ucv_string_length(input), (unsigned char*)hash)) {
+ uc_vm_raise_exception(vm, EXCEPTION_RUNTIME, "bad input data");
+ return NULL;
+ }
+
+ const mbedtls_md_type_t md_type = mbedtls_md_get_type(md_info);
+ unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
+ size_t sig_len = sizeof(sig);
+
+ if (mbedtls_pk_sign(&ctx->pk, md_type, hash, hash_len,
+ sig, &sig_len,
+ mbedtls_ctr_drbg_random, &ctx->ctr_drbg)) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "pk sign failed");
+ return NULL;
+ }
+
+ uc_value_t *rv = ucv_string_new_length((const char*)sig, sig_len);
+ return rv;
+}
+
+static uc_value_t *
+pk_verify(uc_vm_t *vm, size_t nargs)
+{
+ struct context *ctx = uc_fn_thisval(PK_TYPE);
+
+ if (!ctx) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "invalid " PK_TYPE " object");
+ return NULL;
+ }
+
+ uc_value_t *md_alg = uc_fn_arg(0);
+ uc_value_t *input = uc_fn_arg(1);
+ uc_value_t *sig = uc_fn_arg(2);
+
+ if (ucv_type(md_alg) != UC_STRING) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "md_alg is not a string");
+ return NULL;
+ }
+
+ if (ucv_type(input) != UC_STRING) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "input is not a string");
+ return NULL;
+ }
+
+ if (ucv_type(sig) != UC_STRING) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "sig is not a string");
+ return NULL;
+ }
+
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_string(ucv_string_get(md_alg));
+
+ if (!md_info) {
+ uc_vm_raise_exception(vm, EXCEPTION_TYPE, "unknown MD algorithm");
+ return NULL;
+ }
+
+ unsigned char hash_size = mbedtls_md_get_size(md_info);
+ unsigned char *hash = alloca(hash_size);
+
+ if (mbedtls_md(md_info, (const unsigned char*)ucv_string_get(input), ucv_string_length(input), (unsigned char*)hash))
+ uc_vm_raise_exception(vm, EXCEPTION_RUNTIME, "bad input data");
+
+ const mbedtls_md_type_t md_type = mbedtls_md_get_type(md_info);
+
+ int err = mbedtls_pk_verify(&ctx->pk, md_type,
+ hash, hash_size,
+ (const unsigned char*)ucv_string_get(sig), ucv_string_length(sig));
+ if (err) {
+ uc_vm_raise_exception(vm, EXCEPTION_RUNTIME, "validation failed: %s: %s",
+ mbedtls_high_level_strerr(err),
+ mbedtls_low_level_strerr(err));
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+static const uc_function_list_t global_fns[] = {
+ { "md_digest", md_digest },
+ { "pk", pk_init },
+};
+
+static const uc_function_list_t pk_fns[] = {
+ { "keygen", pk_keygen },
+ { "get_public_key", pk_get_public_key },
+ { "set_public_key", pk_set_public_key },
+ { "sign", pk_sign },
+ { "verify", pk_verify },
+};
+
+void uc_module_init(uc_vm_t *vm, uc_value_t *scope)
+{
+ uc_function_list_register(scope, global_fns);
+
+ pk_type = uc_type_declare(vm, PK_TYPE, pk_fns, pk_free);
+}
+
+static void load()
+{
+ mbedtls_entropy_init(&entropy);
+}
+
+static void unload()
+{
+ mbedtls_entropy_free(&entropy);
+}