2021-07-26 22:16:43 +00:00
|
|
|
/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:4;tab-width:4;coding:utf-8 -*-│
|
|
|
|
|
│ vi: set et ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi │
|
|
|
|
|
╞══════════════════════════════════════════════════════════════════════════════╡
|
|
|
|
|
│ Copyright The Mbed TLS Contributors │
|
|
|
|
|
│ │
|
|
|
|
|
│ Licensed under the Apache License, Version 2.0 (the "License"); │
|
|
|
|
|
│ you may not use this file except in compliance with the License. │
|
|
|
|
|
│ You may obtain a copy of the License at │
|
|
|
|
|
│ │
|
|
|
|
|
│ http://www.apache.org/licenses/LICENSE-2.0 │
|
|
|
|
|
│ │
|
|
|
|
|
│ Unless required by applicable law or agreed to in writing, software │
|
|
|
|
|
│ distributed under the License is distributed on an "AS IS" BASIS, │
|
|
|
|
|
│ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. │
|
|
|
|
|
│ See the License for the specific language governing permissions and │
|
|
|
|
|
│ limitations under the License. │
|
|
|
|
|
╚─────────────────────────────────────────────────────────────────────────────*/
|
|
|
|
|
#include "third_party/mbedtls/ecdh_everest.h"
|
2023-09-02 03:49:13 +00:00
|
|
|
#include "libc/str/str.h"
|
2021-07-26 22:16:43 +00:00
|
|
|
#include "third_party/mbedtls/everest.h"
|
|
|
|
|
#if defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
|
|
|
|
|
#define KEYSIZE 32
|
Release Cosmopolitan v3.3
This change upgrades to GCC 12.3 and GNU binutils 2.42. The GNU linker
appears to have changed things so that only a single de-duplicated str
table is present in the binary, and it gets placed wherever the linker
wants, regardless of what the linker script says. To cope with that we
need to stop using .ident to embed licenses. As such, this change does
significant work to revamp how third party licenses are defined in the
codebase, using `.section .notice,"aR",@progbits`.
This new GCC 12.3 toolchain has support for GNU indirect functions. It
lets us support __target_clones__ for the first time. This is used for
optimizing the performance of libc string functions such as strlen and
friends so far on x86, by ensuring AVX systems favor a second codepath
that uses VEX encoding. It shaves some latency off certain operations.
It's a useful feature to have for scientific computing for the reasons
explained by the test/libcxx/openmp_test.cc example which compiles for
fifteen different microarchitectures. Thanks to the upgrades, it's now
also possible to use newer instruction sets, such as AVX512FP16, VNNI.
Cosmo now uses the %gs register on x86 by default for TLS. Doing it is
helpful for any program that links `cosmo_dlopen()`. Such programs had
to recompile their binaries at startup to change the TLS instructions.
That's not great, since it means every page in the executable needs to
be faulted. The work of rewriting TLS-related x86 opcodes, is moved to
fixupobj.com instead. This is great news for MacOS x86 users, since we
previously needed to morph the binary every time for that platform but
now that's no longer necessary. The only platforms where we need fixup
of TLS x86 opcodes at runtime are now Windows, OpenBSD, and NetBSD. On
Windows we morph TLS to point deeper into the TIB, based on a TlsAlloc
assignment, and on OpenBSD/NetBSD we morph %gs back into %fs since the
kernels do not allow us to specify a value for the %gs register.
OpenBSD users are now required to use APE Loader to run Cosmo binaries
and assimilation is no longer possible. OpenBSD kernel needs to change
to allow programs to specify a value for the %gs register, or it needs
to stop marking executable pages loaded by the kernel as mimmutable().
This release fixes __constructor__, .ctor, .init_array, and lastly the
.preinit_array so they behave the exact same way as glibc.
We no longer use hex constants to define math.h symbols like M_PI.
2024-02-20 19:12:09 +00:00
|
|
|
__static_yoink("mbedtls_notice");
|
2021-07-26 22:16:43 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief This function sets up the ECDH context with the information
|
|
|
|
|
* given.
|
|
|
|
|
*
|
|
|
|
|
* This function should be called after mbedtls_ecdh_init() but
|
|
|
|
|
* before mbedtls_ecdh_make_params(). There is no need to call
|
|
|
|
|
* this function before mbedtls_ecdh_read_params().
|
|
|
|
|
*
|
|
|
|
|
* This is the first function used by a TLS server for
|
|
|
|
|
* ECDHE ciphersuites.
|
|
|
|
|
*
|
|
|
|
|
* \param ctx The ECDH context to set up.
|
|
|
|
|
* \param grp_id The group id of the group to set up the context for.
|
|
|
|
|
*
|
|
|
|
|
* \return \c 0 on success.
|
|
|
|
|
*/
|
|
|
|
|
int mbedtls_everest_setup(mbedtls_ecdh_context_everest *ctx, int grp_id)
|
|
|
|
|
{
|
|
|
|
|
if (grp_id != MBEDTLS_ECP_DP_CURVE25519)
|
|
|
|
|
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
|
|
|
|
mbedtls_platform_zeroize(ctx, sizeof(*ctx));
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief This function frees a context.
|
|
|
|
|
*
|
|
|
|
|
* \param ctx The context to free.
|
|
|
|
|
*/
|
|
|
|
|
void mbedtls_everest_free(mbedtls_ecdh_context_everest *ctx)
|
|
|
|
|
{
|
|
|
|
|
if (!ctx) return;
|
|
|
|
|
mbedtls_platform_zeroize(ctx, sizeof(*ctx));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief This function generates a public key and a TLS
|
|
|
|
|
* ServerKeyExchange payload.
|
|
|
|
|
*
|
|
|
|
|
* This is the second function used by a TLS server for ECDHE
|
|
|
|
|
* ciphersuites. (It is called after mbedtls_ecdh_setup().)
|
|
|
|
|
*
|
|
|
|
|
* \note This function assumes that the ECP group (grp) of the
|
|
|
|
|
* \p ctx context has already been properly set,
|
|
|
|
|
* for example, using mbedtls_ecp_group_load().
|
|
|
|
|
*
|
|
|
|
|
* \see ecp.h
|
|
|
|
|
*
|
|
|
|
|
* \param ctx The ECDH context.
|
|
|
|
|
* \param olen The number of characters written.
|
|
|
|
|
* \param buf The destination buffer.
|
|
|
|
|
* \param blen The length of the destination buffer.
|
|
|
|
|
* \param f_rng The RNG function.
|
|
|
|
|
* \param p_rng The RNG context.
|
|
|
|
|
*
|
|
|
|
|
* \return \c 0 on success.
|
|
|
|
|
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
|
|
|
*/
|
|
|
|
|
int mbedtls_everest_make_params(mbedtls_ecdh_context_everest *ctx, size_t *olen,
|
|
|
|
|
unsigned char *buf, size_t blen,
|
|
|
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
|
|
|
void *p_rng)
|
|
|
|
|
{
|
|
|
|
|
int ret = 0;
|
|
|
|
|
uint8_t base[KEYSIZE] = {9};
|
|
|
|
|
if ((ret = f_rng(p_rng, ctx->our_secret, KEYSIZE)) != 0) return ret;
|
|
|
|
|
*olen = KEYSIZE + 4;
|
|
|
|
|
if (blen < *olen) return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
|
|
|
|
|
*buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
|
|
|
|
|
*buf++ = MBEDTLS_ECP_TLS_CURVE25519 >> 8;
|
|
|
|
|
*buf++ = MBEDTLS_ECP_TLS_CURVE25519 & 0xFF;
|
|
|
|
|
*buf++ = KEYSIZE;
|
|
|
|
|
curve25519(buf, ctx->our_secret, base);
|
|
|
|
|
base[0] = 0;
|
2021-09-28 05:58:51 +00:00
|
|
|
if (!timingsafe_bcmp(buf, base, KEYSIZE))
|
2021-07-26 22:16:43 +00:00
|
|
|
return MBEDTLS_ERR_ECP_RANDOM_FAILED;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief This function parses and processes a TLS ServerKeyExhange
|
|
|
|
|
* payload.
|
|
|
|
|
*
|
|
|
|
|
* This is the first function used by a TLS client for ECDHE
|
|
|
|
|
* ciphersuites.
|
|
|
|
|
*
|
|
|
|
|
* \see ecp.h
|
|
|
|
|
*
|
|
|
|
|
* \param ctx The ECDH context.
|
|
|
|
|
* \param buf The pointer to the start of the input buffer.
|
|
|
|
|
* \param end The address for one Byte past the end of the buffer.
|
|
|
|
|
*
|
|
|
|
|
* \return \c 0 on success.
|
|
|
|
|
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
|
|
|
*/
|
|
|
|
|
int mbedtls_everest_read_params(mbedtls_ecdh_context_everest *ctx,
|
|
|
|
|
const unsigned char **buf,
|
|
|
|
|
const unsigned char *end)
|
|
|
|
|
{
|
|
|
|
|
if (end - *buf < KEYSIZE + 1) return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
|
|
|
|
if ((*(*buf)++ != KEYSIZE)) return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
|
|
|
|
memcpy(ctx->peer_point, *buf, KEYSIZE);
|
|
|
|
|
*buf += KEYSIZE;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief This function sets up an ECDH context from an EC key.
|
|
|
|
|
*
|
|
|
|
|
* It is used by clients and servers in place of the
|
|
|
|
|
* ServerKeyEchange for static ECDH, and imports ECDH
|
|
|
|
|
* parameters from the EC key information of a certificate.
|
|
|
|
|
*
|
|
|
|
|
* \see ecp.h
|
|
|
|
|
*
|
|
|
|
|
* \param ctx The ECDH context to set up.
|
|
|
|
|
* \param key The EC key to use.
|
|
|
|
|
* \param side Defines the source of the key: 1: Our key, or
|
|
|
|
|
* 0: The key of the peer.
|
|
|
|
|
*
|
|
|
|
|
* \return \c 0 on success.
|
|
|
|
|
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
|
|
|
*/
|
|
|
|
|
int mbedtls_everest_get_params(mbedtls_ecdh_context_everest *ctx,
|
|
|
|
|
const mbedtls_ecp_keypair *key,
|
|
|
|
|
mbedtls_everest_ecdh_side side)
|
|
|
|
|
{
|
|
|
|
|
size_t olen = 0;
|
|
|
|
|
switch (side)
|
|
|
|
|
{
|
|
|
|
|
case MBEDTLS_EVEREST_ECDH_THEIRS:
|
|
|
|
|
return mbedtls_ecp_point_write_binary(&key->grp, &key->Q,
|
|
|
|
|
MBEDTLS_ECP_PF_COMPRESSED, &olen,
|
|
|
|
|
ctx->peer_point, KEYSIZE);
|
|
|
|
|
case MBEDTLS_EVEREST_ECDH_OURS:
|
|
|
|
|
return mbedtls_mpi_write_binary_le(&key->d, ctx->our_secret, KEYSIZE);
|
|
|
|
|
default:
|
|
|
|
|
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief This function generates a public key and a TLS
|
|
|
|
|
* ClientKeyExchange payload.
|
|
|
|
|
*
|
|
|
|
|
* This is the second function used by a TLS client for ECDH(E)
|
|
|
|
|
* ciphersuites.
|
|
|
|
|
*
|
|
|
|
|
* \see ecp.h
|
|
|
|
|
*
|
|
|
|
|
* \param ctx The ECDH context.
|
|
|
|
|
* \param olen The number of Bytes written.
|
|
|
|
|
* \param buf The destination buffer.
|
|
|
|
|
* \param blen The size of the destination buffer.
|
|
|
|
|
* \param f_rng The RNG function.
|
|
|
|
|
* \param p_rng The RNG context.
|
|
|
|
|
*
|
|
|
|
|
* \return \c 0 on success.
|
|
|
|
|
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
|
|
|
*/
|
|
|
|
|
int mbedtls_everest_make_public(mbedtls_ecdh_context_everest *ctx, size_t *olen,
|
|
|
|
|
unsigned char *buf, size_t blen,
|
|
|
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
|
|
|
void *p_rng)
|
|
|
|
|
{
|
|
|
|
|
int ret = 0;
|
|
|
|
|
unsigned char base[KEYSIZE] = {9};
|
|
|
|
|
if (!ctx) return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
|
|
|
|
if ((ret = f_rng(p_rng, ctx->our_secret, KEYSIZE))) return ret;
|
|
|
|
|
*olen = KEYSIZE + 1;
|
|
|
|
|
if (blen < *olen) return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
|
|
|
|
|
*buf++ = KEYSIZE;
|
|
|
|
|
curve25519(buf, ctx->our_secret, base);
|
|
|
|
|
base[0] = 0;
|
2021-09-28 05:58:51 +00:00
|
|
|
if (!timingsafe_bcmp(buf, base, KEYSIZE))
|
2021-07-26 22:16:43 +00:00
|
|
|
return MBEDTLS_ERR_ECP_RANDOM_FAILED;
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief This function parses and processes a TLS ClientKeyExchange
|
|
|
|
|
* payload.
|
|
|
|
|
*
|
|
|
|
|
* This is the third function used by a TLS server for ECDH(E)
|
|
|
|
|
* ciphersuites. (It is called after mbedtls_ecdh_setup() and
|
|
|
|
|
* mbedtls_ecdh_make_params().)
|
|
|
|
|
*
|
|
|
|
|
* \see ecp.h
|
|
|
|
|
*
|
|
|
|
|
* \param ctx The ECDH context.
|
|
|
|
|
* \param buf The start of the input buffer.
|
|
|
|
|
* \param blen The length of the input buffer.
|
|
|
|
|
*
|
|
|
|
|
* \return \c 0 on success.
|
|
|
|
|
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
|
|
|
*/
|
|
|
|
|
int mbedtls_everest_read_public(mbedtls_ecdh_context_everest *ctx,
|
|
|
|
|
const unsigned char *buf, size_t blen)
|
|
|
|
|
{
|
|
|
|
|
if (blen < KEYSIZE + 1) return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
|
|
|
|
|
if ((*buf++ != KEYSIZE)) return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
|
|
|
|
memcpy(ctx->peer_point, buf, KEYSIZE);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief This function derives and exports the shared secret.
|
|
|
|
|
*
|
|
|
|
|
* This is the last function used by both TLS client
|
|
|
|
|
* and servers.
|
|
|
|
|
*
|
|
|
|
|
* \note If \p f_rng is not NULL, it is used to implement
|
|
|
|
|
* countermeasures against side-channel attacks.
|
|
|
|
|
* For more information, see mbedtls_ecp_mul().
|
|
|
|
|
*
|
|
|
|
|
* \see ecp.h
|
|
|
|
|
*
|
|
|
|
|
* \param ctx The ECDH context.
|
|
|
|
|
* \param olen The number of Bytes written.
|
|
|
|
|
* \param buf The destination buffer.
|
|
|
|
|
* \param blen The length of the destination buffer.
|
|
|
|
|
* \param f_rng The RNG function.
|
|
|
|
|
* \param p_rng The RNG context.
|
|
|
|
|
*
|
|
|
|
|
* \return \c 0 on success.
|
|
|
|
|
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
|
|
|
*/
|
|
|
|
|
int mbedtls_everest_calc_secret(mbedtls_ecdh_context_everest *ctx, size_t *olen,
|
|
|
|
|
unsigned char *buf, size_t blen,
|
|
|
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
|
|
|
void *p_rng)
|
|
|
|
|
{
|
|
|
|
|
/* f_rng and p_rng are not used here because this implementation does not
|
|
|
|
|
need blinding since it has constant trace. (todo(jart): wut?) */
|
|
|
|
|
*olen = KEYSIZE;
|
|
|
|
|
if (blen < *olen) return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
|
|
|
|
|
curve25519(buf, ctx->our_secret, ctx->peer_point);
|
2021-09-28 05:58:51 +00:00
|
|
|
if (!timingsafe_bcmp(buf, ctx->our_secret, KEYSIZE)) goto wut;
|
2021-07-26 22:16:43 +00:00
|
|
|
/* Wipe the DH secret and don't let the peer chose a small subgroup point */
|
|
|
|
|
mbedtls_platform_zeroize(ctx->our_secret, KEYSIZE);
|
2021-09-28 05:58:51 +00:00
|
|
|
if (!timingsafe_bcmp(buf, ctx->our_secret, KEYSIZE)) goto wut;
|
2021-07-26 22:16:43 +00:00
|
|
|
return 0;
|
|
|
|
|
wut:
|
|
|
|
|
mbedtls_platform_zeroize(buf, KEYSIZE);
|
|
|
|
|
mbedtls_platform_zeroize(ctx->our_secret, KEYSIZE);
|
|
|
|
|
return MBEDTLS_ERR_ECP_RANDOM_FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif
|