1 /**************************************************************************** 2 * * 3 * cryptlib Encryption Context Header File * 4 * Copyright Peter Gutmann 1992-2009 * 5 * * 6 ****************************************************************************/ 7 8 #ifndef _CRYPTCTX_DEFINED 9 10 #define _CRYPTCTX_DEFINED 11 12 /* Various include files needed by contexts. Since the bignum and stream 13 headers are only needed by PKC contexts, we only apply them in modules 14 that use PKC contexts */ 15 16 #ifdef PKC_CONTEXT 17 #ifndef _STREAM_DEFINED 18 #if defined( INC_ALL ) 19 #include "stream.h" 20 #else 21 #include "io/stream.h" 22 #endif /* Compiler-specific includes */ 23 #endif /* _STREAM_DEFINED */ 24 #ifndef HEADER_BN_H 25 #if defined( INC_ALL ) 26 #include "bn.h" 27 #else 28 #include "bn/bn.h" 29 #endif /* Compiler-specific includes */ 30 #endif /* HEADER_BN_H */ 31 #if ( defined( USE_ECDH ) || defined( USE_ECDSA ) ) && !defined( HEADER_EC_H ) 32 #if defined( INC_ALL ) 33 #include "ec_lcl.h" 34 #else 35 #include "bn/ec_lcl.h" 36 #endif /* Compiler-specific includes */ 37 #endif /* ( USE_ECDH || USE_ECDSA ) && HEADER_EC_H */ 38 #endif /* Extra eaders needed only for PKC contexts */ 39 #ifndef _CRYPTCAP_DEFINED 40 #if defined( INC_ALL ) 41 #include "capabil.h" 42 #else 43 #include "device/capabil.h" 44 #endif /* Compiler-specific includes */ 45 #endif /* _CRYPTCAP_DEFINED */ 46 47 /**************************************************************************** 48 * * 49 * Context Types and Constants * 50 * * 51 ****************************************************************************/ 52 53 /* Context information flags. Most of these flags are context-type-specific, 54 and are only used with some context types: 55 56 FLAG_DUMMY: The context is a dummy context with actions handled through 57 an external crypto device. When a device context is created, it 58 usually isn't instantiated at the device level until the key 59 (and possibly other parameters) are available because most 60 devices use an atomic created-initialised-context operation 61 rather than allowing incremental parameter setting like cryptlib 62 does. To handle this, we first create a dummy context and then 63 fill in the details on demand. 64 65 FLAG_DUMMY_INITED: The dummy context has been initialised. Since the 66 context isn't instantiated until required, this flag is needed 67 to keep track of whether any cached parameters retained from the 68 dummy state need to be set when the context is used. 69 70 FLAG_HASH_INITED: The hash parameters have been inited. 71 FLAG_HASH_DONE: The hash operation is complete, no further hashing can 72 be done 73 74 FLAG_ISPUBLICKEY: The key is a public or private key. 75 FLAG_ISPRIVATEKEY: 76 77 FLAG_IV_SET: The IV has been set. 78 FLAG_KEY_SET: The key has been initialised. 79 FLAG_PGPKEYID_SET: The PGP keyID has been set (this is only valid for 80 RSA keys, and may not be enabled if we're not using PGP). 81 FLAG_OPENPGPKEYID_SET: The OpenPGP keyID has been set (this may not be 82 enabled if we're not using PGP). 83 84 FLAG_PERSISTENT: The context is backed by a keyset or crypto device. 85 86 FLAG_SIDECHANNELPROTECTION: The context has side-channel protection 87 (additional checking for crypto operations, blinding, and so 88 on) enabled. 89 90 FLAG_FLAG_STATICCONTEXT: The context data has been instantiated via 91 staticInitContext() for internal use and doesn't correspond to 92 an actual cryptlib object */ 93 94 #define CONTEXT_FLAG_NONE 0x0000 /* No context flag */ 95 #define CONTEXT_FLAG_KEY_SET 0x0001 /* Key has been set */ 96 #define CONTEXT_FLAG_IV_SET 0x0002 /* IV has been set */ 97 #define CONTEXT_FLAG_ISPUBLICKEY 0x0004 /* Key is a public key */ 98 #define CONTEXT_FLAG_ISPRIVATEKEY 0x0008 /* Key is a private key */ 99 #define CONTEXT_FLAG_DUMMY 0x0010 /* Context actions handled externally */ 100 #define CONTEXT_FLAG_DUMMY_INITED 0x0020 /* Dummy context is inited */ 101 #define CONTEXT_FLAG_PERSISTENT 0x0040 /* Context is backed by dev.or keyset */ 102 #define CONTEXT_FLAG_SIDECHANNELPROTECTION \ 103 0x0080 /* Enabled side-channel prot.in ops */ 104 #define CONTEXT_FLAG_HASH_INITED 0x0100 /* Hash parameters have been inited */ 105 #define CONTEXT_FLAG_HASH_DONE 0x0200 /* Hash operation is complete */ 106 #define CONTEXT_FLAG_PGPKEYID_SET 0x0400 /* PGP keyID is set */ 107 #define CONTEXT_FLAG_OPENPGPKEYID_SET 0x0800 /* OpenPGP keyID is set */ 108 #define CONTEXT_FLAG_STATICCONTEXT 0x1000 /* Static context */ 109 #define CONTEXT_FLAG_MAX 0x1FFF /* Maximum possible flag value */ 110 111 /* DLP PKCs require a random value k that's then reduced mod p or q, however 112 if we make sizeof( k ) == sizeof( p ) then this introduced a bias into k 113 that eventually leaks the private key (see "The Insecurity of the Digital 114 Signature Algorithm with Partially Known Nonces" by Phong Nguyen and Igor 115 Shparlinski, or more recently Serge Vaudenay's "Evaluation Report on DSA"). 116 To get around this we generate a k that's somewhat larger than required, 117 the following defines the size in bytes of this overflow factor */ 118 119 #define DLP_OVERFLOW_SIZE bitsToBytes( 64 ) 120 121 /**************************************************************************** 122 * * 123 * Context Data Structures * 124 * * 125 ****************************************************************************/ 126 127 /* The internal fields in a context that hold data for a conventional, 128 public-key, hash, or MAC algorithm. CONTEXT_CONV and CONTEXT_MAC 129 should be allocated in pagelocked memory since they contain the sensitive 130 userKey data */ 131 132 typedef enum { 133 CONTEXT_NONE, /* No context type */ 134 CONTEXT_CONV, /* Conventional encryption context */ 135 CONTEXT_PKC, /* PKC context */ 136 CONTEXT_HASH, /* Hash context */ 137 CONTEXT_MAC, /* MAC context */ 138 CONTEXT_GENERIC, /* Generic-secret context */ 139 CONTEXT_LAST /* Last valid context type */ 140 } CONTEXT_TYPE; 141 142 #define needsSecureMemory( contextType ) \ 143 ( contextType == CONTEXT_CONV || contextType == CONTEXT_MAC || \ 144 contextType == CONTEXT_GENERIC ) 145 146 typedef struct { 147 /* General algorithm information */ 148 CRYPT_MODE_TYPE mode; /* Encryption mode being used */ 149 150 /* User keying information. The user key is the unprocessed key as 151 entered by the user (rather than the key in the form used by the 152 algorithm), the IV is the initial IV. We keep a copy of the 153 unprocessed key because we usually need to wrap it up in a KEK 154 at some point after it's loaded */ 155 BUFFER( CRYPT_MAX_KEYSIZE, userKeyLength ) \ 156 BYTE userKey[ CRYPT_MAX_KEYSIZE + 8 ]; /* User encryption key */ 157 BUFFER( CRYPT_MAX_IVSIZE, ivLength ) \ 158 BYTE iv[ CRYPT_MAX_IVSIZE + 8 ];/* Initial IV */ 159 int userKeyLength, ivLength; 160 161 /* Conventional encryption keying information. The key is the processed 162 encryption key stored in whatever form is required by the algorithm, 163 usually the key-scheduled user key. The IV is the current working IV. 164 The ivCount is the number of bytes of IV that have been used, and is 165 used when a block cipher is used as a stream cipher */ 166 void *key; /* Internal working key */ 167 BUFFER( CRYPT_MAX_IVSIZE, ivLength ) \ 168 BYTE currentIV[ CRYPT_MAX_IVSIZE + 8 ]; /* Internal working IV */ 169 int ivCount; /* Internal IV count for chaining modes */ 170 171 /* Information required when a key suitable for use by this algorithm 172 is derived from a longer user key */ 173 BUFFER( CRYPT_MAX_HASHSIZE, saltLength ) \ 174 BYTE salt[ CRYPT_MAX_HASHSIZE + 8 ];/* Salt */ 175 int saltLength; 176 int keySetupIterations; /* Number of times setup was iterated */ 177 CRYPT_ALGO_TYPE keySetupAlgorithm; /* Algorithm used for key setup */ 178 } CONV_INFO; 179 180 #ifdef PKC_CONTEXT 181 182 typedef CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 183 int ( *PKC_CALCULATEKEYID_FUNCTION )( INOUT struct CI *contextInfoPtr ); 184 typedef CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 185 int ( *PKC_READKEY_FUNCTION )( INOUT STREAM *stream, 186 INOUT struct CI *contextInfoPtr, 187 IN_ENUM( KEYFORMAT ) \ 188 const KEYFORMAT_TYPE formatType ); 189 typedef CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 4 ) ) \ 190 int ( *PKC_WRITEKEY_FUNCTION )( INOUT STREAM *stream, 191 const struct CI *contextInfoPtr, 192 IN_ENUM( KEYFORMAT ) \ 193 const KEYFORMAT_TYPE formatType, 194 IN_BUFFER( accessKeyLen ) \ 195 const char *accessKey, 196 IN_LENGTH_SHORT_MIN( 4 ) \ 197 const int accessKeyLen ); 198 typedef CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 3, 4, 5 ) ) \ 199 int ( *PKC_ENCODEDLVALUES_FUNCTION )( OUT_BUFFER( bufMaxSize, \ 200 *bufSize ) BYTE *buffer, 201 IN_LENGTH_SHORT_MIN( 20 + 20 ) \ 202 const int bufMaxSize, 203 OUT_LENGTH_BOUNDED_Z( bufMaxSize ) \ 204 int *bufSize, 205 IN const BIGNUM *value1, 206 IN const BIGNUM *value2, 207 IN_ENUM( CRYPT_FORMAT ) \ 208 const CRYPT_FORMAT_TYPE formatType ); 209 typedef CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 3, 4, 5 ) ) \ 210 int ( *PKC_DECODEDLVALUES_FUNCTION )( IN_BUFFER( bufSize ) const BYTE *buffer, 211 IN_LENGTH_SHORT_MIN( 32 ) const int bufSize, 212 INOUT BIGNUM *value1, 213 INOUT BIGNUM *value2, 214 const BIGNUM *maxRange, 215 IN_ENUM( CRYPT_FORMAT ) \ 216 const CRYPT_FORMAT_TYPE formatType ); 217 218 typedef struct { 219 /* General information on the key: The nominal key size in bits, the key 220 IDs, and key-related meta-info. Since the OpenPGP key ID can't be 221 calculated directly like the other IDs, we have to keep track of 222 whether it's been set or not with a flag */ 223 int keySizeBits; /* Nominal key size in bits */ 224 BUFFER_FIXED( KEYID_SIZE ) \ 225 BYTE keyID[ KEYID_SIZE + 8 ]; /* Key ID for this key */ 226 BUFFER_FIXED( PGP_KEYID_SIZE ) \ 227 BYTE pgp2KeyID[ PGP_KEYID_SIZE + 8 ];/* PGP 2 key ID for this key */ 228 BUFFER_FIXED( PGP_KEYID_SIZE ) \ 229 BYTE openPgpKeyID[ PGP_KEYID_SIZE + 8 ];/* OpenPGP key ID for this key */ 230 time_t pgpCreationTime; /* Key creation time (for OpenPGP ID) */ 231 232 /* Public-key encryption keying information. Since each algorithm has 233 its own unique parameters, the bignums are given generic names here. 234 The algorithm-specific code refers to them by their actual names, 235 which are implemented as symbolic defines of the form 236 <algo>Param_<param_name>, e.g.rsaParam_e */ 237 BIGNUM param1; /* PKC key components */ 238 BIGNUM param2; 239 BIGNUM param3; 240 BIGNUM param4; 241 BIGNUM param5; 242 BIGNUM param6; 243 BIGNUM param7; 244 BIGNUM param8; 245 BN_MONT_CTX montCTX1; /* Precomputed Montgomery values */ 246 BN_MONT_CTX montCTX2; 247 BN_MONT_CTX montCTX3; 248 #if defined( USE_ECDH ) || defined( USE_ECDSA ) 249 CRYPT_ECCCURVE_TYPE curveType; /* Additional info.needed for ECC ctxs.*/ 250 BOOLEAN isECC; 251 EC_GROUP *ecCTX; 252 EC_POINT *ecPoint; 253 #endif /* USE_ECDH || USE_ECDSA */ 254 int checksum; /* Checksum for key data */ 255 256 /* Temporary workspace values used to avoid having to allocate and 257 deallocate them on each PKC operation, and to keep better control 258 over the data in them. DLP operations that require extensive 259 temporary vars also reuse the last three general-purpose bignums 260 above, since they're not used for keying material */ 261 BIGNUM tmp1, tmp2, tmp3; 262 #if defined( USE_ECDH ) || defined( USE_ECDSA ) 263 EC_POINT *tmpPoint; 264 #endif /* USE_ECDH || USE_ECDSA */ 265 BN_CTX bnCTX; 266 #define CONTEXT_FLAG_PBO 0x08 267 268 /* If we're using side-channel protection, we also need to store values 269 used to perform extra operations that eliminate timing channels */ 270 BIGNUM blind1, blind2; 271 272 /* Domain parameters used by DLP and ECDLP algorithms */ 273 const void *domainParams; 274 275 /* If the context is tied to a device the keying info won't be available, 276 however we generally need the public key information for use in cert 277 requests and whatnot so we save a copy as SubjectPublicKeyInfo when 278 the key is loaded/generated */ 279 BUFFER_OPT_FIXED( publicKeyInfoSize ) \ 280 void *publicKeyInfo; /* X.509 SubjectPublicKeyInfo */ 281 int publicKeyInfoSize; /* Key info size */ 282 283 /* Pointers to functions to public-key context access methods. The 284 functions to read and write public and private keys are kept distinct 285 to enforce red/black separation */ 286 FNPTR_DECLARE( PKC_CALCULATEKEYID_FUNCTION, calculateKeyIDFunction ); 287 FNPTR_DECLARE( PKC_READKEY_FUNCTION, readPublicKeyFunction ); 288 FNPTR_DECLARE( PKC_READKEY_FUNCTION, readPrivateKeyFunction ); 289 FNPTR_DECLARE( PKC_WRITEKEY_FUNCTION, writePublicKeyFunction ); 290 FNPTR_DECLARE( PKC_WRITEKEY_FUNCTION, writePrivateKeyFunction ); 291 FNPTR_DECLARE( PKC_ENCODEDLVALUES_FUNCTION, encodeDLValuesFunction ); 292 FNPTR_DECLARE( PKC_DECODEDLVALUES_FUNCTION, decodeDLValuesFunction ); 293 } PKC_INFO; 294 #endif /* PKC_CONTEXT */ 295 296 typedef struct { 297 /* The current state of the hashing and the result from the last 298 completed hash operation */ 299 void *hashInfo; /* Current hash state */ 300 BUFFER_FIXED( CRYPT_MAX_HASHSIZE ) \ 301 BYTE hash[ CRYPT_MAX_HASHSIZE + 8 ];/* Last hash result */ 302 } HASH_INFO; 303 304 typedef struct { 305 /* User keying information. The user key is the unprocessed key as 306 entered by the user rather than the key in the form used by the 307 algorithm. We keep a copy of the unprocessed key because we usually 308 need to wrap it up in a KEK at some point after it's loaded */ 309 BUFFER( CRYPT_MAX_KEYSIZE, userKeyLength ) \ 310 BYTE userKey[ CRYPT_MAX_KEYSIZE + 8 ]; /* User MAC key */ 311 int userKeyLength; 312 313 /* The current state of the MAC'ing and the result from the last 314 completed MAC operation */ 315 void *macInfo; /* Current MAC state */ 316 BUFFER_FIXED( CRYPT_MAX_HASHSIZE ) \ 317 BYTE mac[ CRYPT_MAX_HASHSIZE + 8 ]; /* Last MAC result */ 318 319 /* Information required when a key suitable for use by this algorithm 320 is derived from a longer user key */ 321 BUFFER( CRYPT_MAX_HASHSIZE, saltLength ) \ 322 BYTE salt[ CRYPT_MAX_HASHSIZE + 8 ];/* Salt */ 323 int saltLength; 324 int keySetupIterations; /* Number of times setup was iterated */ 325 CRYPT_ALGO_TYPE keySetupAlgorithm; /* Algorithm used for key setup */ 326 } MAC_INFO; 327 328 typedef struct { 329 /* Generic-secret information */ 330 BUFFER( CRYPT_MAX_KEYSIZE, genericSecretLength ) \ 331 BYTE genericSecret[ CRYPT_MAX_KEYSIZE + 8 ]; 332 int genericSecretLength; 333 334 /* Parameter information for the optional KDF and the encryption and MAC 335 contexts that are derived from the generic-secret context */ 336 BUFFER( CRYPT_MAX_TEXTSIZE, kdfParamSize ) \ 337 BYTE kdfParams[ CRYPT_MAX_TEXTSIZE + 8 ]; 338 int kdfParamSize; 339 BUFFER( CRYPT_MAX_TEXTSIZE, encAlgoParamSize ) \ 340 BYTE encAlgoParams[ CRYPT_MAX_TEXTSIZE + 8 ]; 341 int encAlgoParamSize; 342 BUFFER( CRYPT_MAX_TEXTSIZE, macAlgoParamSize ) \ 343 BYTE macAlgoParams[ CRYPT_MAX_TEXTSIZE + 8 ]; 344 int macAlgoParamSize; 345 } GENERIC_INFO; 346 347 /* Defines to make access to the union fields less messy */ 348 349 #define ctxConv keyingInfo.convInfo 350 #define ctxPKC keyingInfo.pkcInfo 351 #define ctxHash keyingInfo.hashInfo 352 #define ctxMAC keyingInfo.macInfo 353 #define ctxGeneric keyingInfo.genericInfo 354 355 /* An encryption context */ 356 357 typedef CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 358 int ( *CTX_LOADKEY_FUNCTION )( INOUT struct CI *contextInfoPtr, 359 IN_BUFFER_OPT( keyLength ) const void *key, 360 IN_LENGTH_SHORT_Z const int keyLength ); 361 typedef CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 362 int ( *CTX_GENERATEKEY_FUNCTION )( INOUT struct CI *contextInfoPtr ); 363 typedef CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 364 int ( *CTX_ENCRYPT_FUNCTION )( INOUT struct CI *contextInfoPtr, 365 INOUT_BUFFER_FIXED( length ) BYTE *buffer, 366 IN_LENGTH_Z int length ); 367 368 typedef struct CI { 369 /* Control and status information */ 370 CONTEXT_TYPE type; /* The context type */ 371 const CAPABILITY_INFO *capabilityInfo; /* Encryption capability info */ 372 int flags; /* Context information flags */ 373 374 /* Context type-specific information */ 375 union { 376 CONV_INFO *convInfo; 377 #ifdef PKC_CONTEXT 378 PKC_INFO *pkcInfo; 379 #endif /* PKC_CONTEXT */ 380 HASH_INFO *hashInfo; 381 MAC_INFO *macInfo; 382 GENERIC_INFO *genericInfo; 383 } keyingInfo; 384 385 #ifdef USE_DEVICES 386 /* If implemented using a crypto device, the object information is 387 usually stored inside the device. The following value contains the 388 reference to the crypto object inside the device. In addition some 389 objects (specifically, DH) that aren't really public- or private-key 390 objects but a mixture of both require a second handle to the other 391 part of the object in the device */ 392 long deviceObject, altDeviceObject; 393 394 #ifdef USE_HARDWARE 395 /* When data used to instantiate a context is stored in a device we may 396 need a unique ID value to locate the data, the following value 397 contains this storage ID */ 398 BUFFER_FIXED( KEYID_SIZE ) \ 399 BYTE deviceStorageID[ KEYID_SIZE + 8 ]; 400 BOOLEAN deviceStorageIDset; 401 #endif /* USE_HARDWARE */ 402 #endif /* USE_DEVICES */ 403 404 /* The label for this object, typically used to identify stored keys */ 405 BUFFER( CRYPT_MAX_TEXTSIZE, labelSize ) \ 406 char label[ CRYPT_MAX_TEXTSIZE + 8 ];/* Text string identifying key */ 407 int labelSize; 408 409 /* Pointers to context access methods. These are somewhat higher-level 410 than the capability info methods and apply to entire classes of 411 context rather than at a per-algorithm level */ 412 FNPTR_DECLARE( CTX_LOADKEY_FUNCTION, loadKeyFunction ); 413 FNPTR_DECLARE( CTX_GENERATEKEY_FUNCTION, generateKeyFunction ); 414 FNPTR_DECLARE( CTX_ENCRYPT_FUNCTION, encryptFunction ); 415 FNPTR_DECLARE( CTX_ENCRYPT_FUNCTION, decryptFunction ); 416 417 /* Error information */ 418 CRYPT_ATTRIBUTE_TYPE errorLocus;/* Error locus */ 419 CRYPT_ERRTYPE_TYPE errorType; /* Error type */ 420 421 /* The object's handle and the handle of the user who owns this object. 422 The former is used when sending messages to the object when only the 423 xxx_INFO is available, the latter is used to avoid having to fetch the 424 same information from the system object table */ 425 CRYPT_HANDLE objectHandle; 426 CRYPT_USER ownerHandle; 427 } CONTEXT_INFO; 428 429 #ifdef PKC_CONTEXT 430 431 /* Symbolic defines for the various PKC components for different PKC 432 algorithms. All of the DLP algorithms actually use the same parameters, 433 so we define generic DLP names for them */ 434 435 #define dlpParam_p param1 436 #define dlpParam_g param2 437 #define dlpParam_q param3 438 #define dlpParam_y param4 439 #define dlpParam_x param5 440 #define dlpTmp1 param6 441 #define dlpTmp2 param7 442 #define dlpTmp3 param8 /* More temp.values for DLP PKCs */ 443 #define dhParam_yPrime param8 /* Special value for DH */ 444 #define dlpParam_mont_p montCTX1 445 446 #define rsaParam_n param1 447 #define rsaParam_e param2 448 #define rsaParam_d param3 /* Required for PGP, PKCS #12 */ 449 #define rsaParam_p param4 450 #define rsaParam_q param5 451 #define rsaParam_u param6 452 #define rsaParam_exponent1 param7 453 #define rsaParam_exponent2 param8 454 #define rsaParam_blind_k blind1 455 #define rsaParam_blind_kInv blind2 456 #define rsaParam_mont_n montCTX1 457 #define rsaParam_mont_p montCTX2 458 #define rsaParam_mont_q montCTX3 459 460 /* p, a, b, gx, gy, n and h are stored as ECC_DOMAINPARAMS. In addition 461 since this frees up so many parameter bignums, we can use two of them as 462 extra temporaries */ 463 #define eccParam_qx param1 464 #define eccParam_qy param2 465 #define eccParam_d param3 466 #define eccParam_tmp4 param4 467 #define eccParam_tmp5 param5 468 469 /* Minimum and maximum permitted lengths for various PKC components. These 470 can be loaded in various ways (read from ASN.1 data, read from 471 PGP/SSH/SSL data, loaded by the user, and so on) so we define permitted 472 length values in a central location for use in the different read 473 routines. 474 475 For the PKC sub-components we allow a bit of leeway (one byte's worth) 476 in order to deal with situations where one component is a few bits short 477 and the other a few bits long (with the total still fitting into the 478 MIN_PKCSIZE limit), otherwise we'll occasionally get valid values 479 rejected for being a few bits shy of the MIN_PKCSIZE / 2 limit */ 480 481 #define RSAPARAM_MIN_N MIN_PKCSIZE 482 #define RSAPARAM_MAX_N CRYPT_MAX_PKCSIZE 483 #define RSAPARAM_MIN_E 1 484 #define RSAPARAM_MAX_E 4 485 #define RSAPARAM_MIN_D MIN_PKCSIZE 486 #define RSAPARAM_MAX_D CRYPT_MAX_PKCSIZE 487 #define RSAPARAM_MIN_P ( MIN_PKCSIZE / 2 ) - 1 488 #define RSAPARAM_MAX_P CRYPT_MAX_PKCSIZE 489 #define RSAPARAM_MIN_Q ( MIN_PKCSIZE / 2 ) - 1 490 #define RSAPARAM_MAX_Q CRYPT_MAX_PKCSIZE 491 #define RSAPARAM_MIN_U ( MIN_PKCSIZE / 2 ) - 1 492 #define RSAPARAM_MAX_U CRYPT_MAX_PKCSIZE 493 #define RSAPARAM_MIN_EXP1 ( MIN_PKCSIZE / 2 ) - 1 494 #define RSAPARAM_MAX_EXP1 CRYPT_MAX_PKCSIZE 495 #define RSAPARAM_MIN_EXP2 ( MIN_PKCSIZE / 2 ) - 1 496 #define RSAPARAM_MAX_EXP2 CRYPT_MAX_PKCSIZE 497 498 #define DLPPARAM_MIN_P MIN_PKCSIZE 499 #define DLPPARAM_MAX_P CRYPT_MAX_PKCSIZE 500 #define DLPPARAM_MIN_G 1 501 #define DLPPARAM_MAX_G CRYPT_MAX_PKCSIZE 502 #define DLPPARAM_MIN_Q bitsToBytes( 128 ) 503 #define DLPPARAM_MAX_Q CRYPT_MAX_PKCSIZE 504 #define DLPPARAM_MIN_Y MIN_PKCSIZE - 1 505 #define DLPPARAM_MAX_Y CRYPT_MAX_PKCSIZE 506 #define DLPPARAM_MIN_X bitsToBytes( 128 ) 507 #define DLPPARAM_MAX_X CRYPT_MAX_PKCSIZE 508 509 #define DLPPARAM_MIN_SIG_R DLPPARAM_MIN_Q /* For DSA sigs */ 510 #define DLPPARAM_MIN_SIG_S DLPPARAM_MIN_Q /* For DSA sigs */ 511 512 #define ECCPARAM_MIN_P MIN_PKCSIZE_ECC 513 #define ECCPARAM_MAX_P CRYPT_MAX_PKCSIZE_ECC 514 #define ECCPARAM_MIN_A MIN_PKCSIZE_ECC / 2 515 #define ECCPARAM_MAX_A CRYPT_MAX_PKCSIZE_ECC 516 #define ECCPARAM_MIN_B MIN_PKCSIZE_ECC / 2 517 #define ECCPARAM_MAX_B CRYPT_MAX_PKCSIZE_ECC 518 #define ECCPARAM_MIN_GX 1 519 #define ECCPARAM_MAX_GX CRYPT_MAX_PKCSIZE_ECC 520 #define ECCPARAM_MIN_GY 1 521 #define ECCPARAM_MAX_GY CRYPT_MAX_PKCSIZE_ECC 522 #define ECCPARAM_MIN_N MIN_PKCSIZE_ECC 523 #define ECCPARAM_MAX_N CRYPT_MAX_PKCSIZE_ECC 524 #define ECCPARAM_MIN_H MIN_PKCSIZE_ECC 525 #define ECCPARAM_MAX_H CRYPT_MAX_PKCSIZE_ECC 526 #define ECCPARAM_MIN_QX MIN_PKCSIZE_ECC / 2 527 #define ECCPARAM_MAX_QX CRYPT_MAX_PKCSIZE_ECC 528 #define ECCPARAM_MIN_QY MIN_PKCSIZE_ECC / 2 529 #define ECCPARAM_MAX_QY CRYPT_MAX_PKCSIZE_ECC 530 #define ECCPARAM_MIN_D MIN_PKCSIZE_ECC / 2 531 #define ECCPARAM_MAX_D CRYPT_MAX_PKCSIZE_ECC 532 533 #define ECCPARAM_MIN_SIG_R ECCPARAM_MIN_QX /* For ECDSA sigs */ 534 #define ECCPARAM_MIN_SIG_S ECCPARAM_MIN_QX /* For ECDSA sigs */ 535 536 /* Because there's no really clean way to throw an exception in C and the 537 bnlib routines don't carry around state information like cryptlib objects 538 do, we need to perform an error check for most of the routines we call. 539 To make this slightly less ugly we define the following macro that 540 performs the check for us by updating a variable called `bnStatus' with 541 the result of a bnlib call, which returns 1 for OK and 0 for error. 542 Annoyingly, this interface isn't quite consistent and some calls return 543 pointers rather than integer values, so we define a second macro that 544 checks for pointer values rather than integers */ 545 546 #define CK( expr ) { if( bnStatus ) bnStatus &= expr; } 547 #define CKPTR( expr ) { if( bnStatus ) bnStatus &= ( ( expr ) == NULL ? 0 : 1 ); } 548 #define BN_STATUS 1 549 #define bnStatusOK( value ) value 550 #define bnStatusError( value ) ( !value ) 551 #define getBnStatus( value ) ( value ? CRYPT_OK : CRYPT_ERROR_FAILED ) 552 #define getBnStatusBool( value ) ( value ? TRUE : FALSE ) 553 554 /* Storage for fixed domain parameters for DH and ECC */ 555 556 typedef struct { 557 const BIGNUM p, g; 558 const BN_ULONG p_checksum, g_checksum; 559 } DH_DOMAINPARAMS; 560 561 typedef struct { 562 const BIGNUM p, a, b, gx, gy, n, h; 563 const BN_ULONG p_checksum, a_checksum, b_checksum; 564 const BN_ULONG gx_checksum, gy_checksum, n_checksum, h_checksum; 565 } ECC_DOMAINPARAMS; 566 567 #endif /* PKC_CONTEXT */ 568 569 /**************************************************************************** 570 * * 571 * Internal API Functions * 572 * * 573 ****************************************************************************/ 574 575 /* Determine whether a context needs to have a key loaded */ 576 577 #define needsKey( contextInfoPtr ) \ 578 !( ( contextInfoPtr )->flags & CONTEXT_FLAG_KEY_SET ) 579 580 /* Low-level capability checking and context-creation functions used when 581 creating a context in a device */ 582 583 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 584 int checkCapability( const CAPABILITY_INFO FAR_BSS *capabilityInfoPtr ); 585 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 3 ) ) \ 586 int createContextFromCapability( OUT_HANDLE_OPT CRYPT_CONTEXT *iCryptContext, 587 IN_HANDLE const CRYPT_USER iCryptOwner, 588 const CAPABILITY_INFO *capabilityInfoPtr, 589 IN_FLAGS_Z( CREATEOBJECT ) const int objectFlags ); 590 591 /* Statically init/destroy a context for the self-check, and perform various 592 types of self-check */ 593 594 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 3, 4 ) ) \ 595 int staticInitContext( OUT CONTEXT_INFO *contextInfoPtr, 596 IN_ENUM( CONTEXT ) const CONTEXT_TYPE type, 597 const CAPABILITY_INFO *capabilityInfoPtr, 598 OUT_BUFFER_FIXED( contextDataSize ) void *contextData, 599 IN_LENGTH_MIN( 32 ) const int contextDataSize, 600 IN_OPT const void *keyData ); 601 STDC_NONNULL_ARG( ( 1 ) ) \ 602 void staticDestroyContext( INOUT CONTEXT_INFO *contextInfoPtr ); 603 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3, 5, 6 ) ) \ 604 int testCipher( const CAPABILITY_INFO *capabilityInfo, 605 IN const void *keyDataStorage, 606 IN_BUFFER( keySize ) const void *key, 607 IN_LENGTH_SHORT_MIN( MIN_KEYSIZE ) const int keySize, 608 const void *plaintext, 609 const void *ciphertext ); 610 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 5 ) ) \ 611 int testHash( const CAPABILITY_INFO *capabilityInfo, 612 IN const void *hashDataStorage, 613 IN_BUFFER_OPT( dataLength ) const void *data, 614 IN_LENGTH_SHORT_Z const int dataLength, 615 const void *hashValue ); 616 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3, 5, 7 ) ) \ 617 int testMAC( const CAPABILITY_INFO *capabilityInfo, 618 IN const void *macDataStorage, 619 IN_BUFFER( keySize ) const void *key, 620 IN_LENGTH_SHORT_MIN( MIN_KEYSIZE ) const int keySize, 621 IN_BUFFER( dataLength ) const void *data, 622 IN_LENGTH_SHORT_MIN( 8 ) const int dataLength, 623 const void *hashValue ); 624 625 /* Context attribute handling functions */ 626 627 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 628 int getContextAttribute( INOUT CONTEXT_INFO *contextInfoPtr, 629 OUT_INT_Z int *valuePtr, 630 IN_ATTRIBUTE const CRYPT_ATTRIBUTE_TYPE attribute ); 631 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 632 int getContextAttributeS( INOUT CONTEXT_INFO *contextInfoPtr, 633 INOUT MESSAGE_DATA *msgData, 634 IN_ATTRIBUTE const CRYPT_ATTRIBUTE_TYPE attribute ); 635 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 636 int setContextAttribute( INOUT CONTEXT_INFO *contextInfoPtr, 637 IN_INT_Z const int value, 638 IN_ATTRIBUTE const CRYPT_ATTRIBUTE_TYPE attribute ); 639 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 640 int setContextAttributeS( INOUT CONTEXT_INFO *contextInfoPtr, 641 IN_BUFFER( dataLength ) const void *data, 642 IN_LENGTH const int dataLength, 643 IN_ATTRIBUTE const CRYPT_ATTRIBUTE_TYPE attribute ); 644 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 645 int deleteContextAttribute( INOUT CONTEXT_INFO *contextInfoPtr, 646 IN_ATTRIBUTE const CRYPT_ATTRIBUTE_TYPE attribute ); 647 648 /* General key load/generation routines */ 649 650 STDC_NONNULL_ARG( ( 1 ) ) \ 651 void initKeyHandling( INOUT CONTEXT_INFO *contextInfoPtr ); 652 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 3 ) ) \ 653 int setEncodedKey( INOUT CONTEXT_INFO *contextInfoPtr, 654 IN_ATTRIBUTE const CRYPT_ATTRIBUTE_TYPE keyType, 655 IN_BUFFER( keyDataLen ) const void *keyData, 656 IN_LENGTH_SHORT const int keyDataLen ); 657 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 658 int setKeyComponents( INOUT CONTEXT_INFO *contextInfoPtr, 659 IN_BUFFER( keyDataLen ) const void *keyData, 660 IN_LENGTH_SHORT_MIN( 32 ) const int keyDataLen ); 661 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 662 int completeKeyLoad( INOUT CONTEXT_INFO *contextInfoPtr, 663 const BOOLEAN isPGPkey ); 664 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 665 int deriveKey( INOUT CONTEXT_INFO *contextInfoPtr, 666 IN_BUFFER( keyValueLen ) const void *keyValue, 667 IN_LENGTH_SHORT const int keyValueLen ); 668 669 /* PKC key-generation and related routines */ 670 671 #ifdef PKC_CONTEXT 672 673 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 674 int loadDHparams( INOUT CONTEXT_INFO *contextInfoPtr, 675 IN_LENGTH_PKC const int requestedKeySize ); 676 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 677 int initCheckDLPkey( INOUT CONTEXT_INFO *contextInfoPtr, 678 const BOOLEAN isDH, const BOOLEAN isPKCS3 ); 679 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 680 int generateDLPkey( INOUT CONTEXT_INFO *contextInfoPtr, 681 IN_LENGTH_SHORT_MIN( MIN_PKCSIZE * 8 ) const int keyBits ); 682 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 683 int initCheckRSAkey( INOUT CONTEXT_INFO *contextInfoPtr ); 684 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 685 int generateRSAkey( INOUT CONTEXT_INFO *contextInfoPtr, 686 IN_LENGTH_SHORT_MIN( MIN_PKCSIZE * 8 ) const int keyBits ); 687 #if defined( USE_ECDSA ) || defined( USE_ECDH ) 688 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 689 int loadECCparams( INOUT CONTEXT_INFO *contextInfoPtr, 690 IN_ENUM( CRYPT_ECCCURVE ) \ 691 const CRYPT_ECCCURVE_TYPE curveType ); 692 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 693 int initCheckECCkey( INOUT CONTEXT_INFO *contextInfoPtr, 694 const BOOLEAN isECDH ); 695 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 696 int generateECCkey( INOUT CONTEXT_INFO *contextInfoPtr, 697 IN_LENGTH_SHORT_MIN( MIN_PKCSIZE_ECC * 8 ) \ 698 const int keyBits ); 699 CHECK_RETVAL STDC_NONNULL_ARG( ( 2 ) ) \ 700 int getECCFieldSize( IN_ENUM( CRYPT_ECCCURVE ) const CRYPT_ECCCURVE_TYPE fieldID, 701 OUT_INT_Z int *fieldSize, const BOOLEAN isBits ); 702 CHECK_RETVAL STDC_NONNULL_ARG( ( 2 ) ) \ 703 int getECCFieldID( IN_LENGTH_SHORT_MIN( MIN_PKCSIZE_ECC ) \ 704 const int fieldSize, 705 OUT_ENUM_OPT( CRYPT_ECCCURVE ) 706 CRYPT_ECCCURVE_TYPE *fieldID ); 707 #endif /* USE_ECDSA || USE_ECDH */ 708 709 CHECK_RETVAL_LENGTH_SHORT_NOERROR STDC_NONNULL_ARG( ( 1 ) ) \ 710 int getBNMaxSize( const BIGNUM *bignum ); 711 CHECK_RETVAL_BOOL STDC_NONNULL_ARG( ( 1 ) ) \ 712 BOOLEAN sanityCheckBignum( const BIGNUM *bignum ); 713 CHECK_RETVAL_BOOL STDC_NONNULL_ARG( ( 1 ) ) \ 714 BOOLEAN sanityCheckBNCTX( const BN_CTX *bnCTX ); 715 CHECK_RETVAL_BOOL STDC_NONNULL_ARG( ( 1 ) ) \ 716 BOOLEAN sanityCheckBNMontCTX( const BN_MONT_CTX *bnMontCTX ); 717 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 718 int generateBignum( OUT BIGNUM *bn, 719 IN_LENGTH_SHORT_MIN( 120 ) const int noBits, 720 IN_BYTE const int high, IN_BYTE const int low, 721 IN_BUFFER_OPT( seedLength ) const void *seed, 722 IN_LENGTH_SHORT_OPT const int seedLength ); 723 CHECK_RETVAL_BOOL STDC_NONNULL_ARG( ( 1 ) ) \ 724 BOOLEAN sanityCheckPKCInfo( const PKC_INFO *pkcInfo ); 725 STDC_NONNULL_ARG( ( 1 ) ) \ 726 void clearTempBignums( INOUT PKC_INFO *pkcInfo ); 727 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 728 int initContextBignums( INOUT PKC_INFO *pkcInfo, const BOOLEAN isECC ); 729 STDC_NONNULL_ARG( ( 1 ) ) \ 730 void endContextBignums( INOUT PKC_INFO *pkcInfo, 731 IN_FLAGS( CONTEXT ) const int contextFlags ); 732 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 733 int checksumContextData( INOUT PKC_INFO *pkcInfo, 734 IN_ALGO const CRYPT_ALGO_TYPE cryptAlgo, 735 const BOOLEAN isPrivateKey ); 736 CHECK_RETVAL_BOOL STDC_NONNULL_ARG( ( 1 ) ) \ 737 BOOLEAN checksumDomainParameters( const void *domainParams, 738 const BOOLEAN isECC ); 739 #ifndef NDEBUG 740 void printBignumChecksum( const BIGNUM *bignum ); 741 void printBignum( const BIGNUM *bignum, const char *label ); 742 CHECK_RETVAL_BOOL \ 743 BOOLEAN bnmathSelfTest( void ); 744 #endif /* !NDEBUG */ 745 #endif /* PKC_CONTEXT */ 746 747 /* Key read/write routines */ 748 749 STDC_NONNULL_ARG( ( 1 ) ) \ 750 void initKeyID( INOUT CONTEXT_INFO *contextInfoPtr ); 751 STDC_NONNULL_ARG( ( 1 ) ) \ 752 void initPrivKeyRead( INOUT CONTEXT_INFO *contextInfoPtr ); 753 STDC_NONNULL_ARG( ( 1 ) ) \ 754 void initPubKeyRead( INOUT CONTEXT_INFO *contextInfoPtr ); 755 STDC_NONNULL_ARG( ( 1 ) ) \ 756 void initKeyWrite( INOUT CONTEXT_INFO *contextInfoPtr ); 757 758 /* Internal functions shared across a small number of modules, declared via 759 a header to allow type checking (attributeToFormatType() from keyload.c, 760 hash functions from ctx_XXX.c accessed via the universal interface in 761 ctx_misc.c) */ 762 763 CHECK_RETVAL \ 764 int attributeToFormatType( IN_ATTRIBUTE const CRYPT_ATTRIBUTE_TYPE attribute, 765 OUT_ENUM_OPT( KEYFORMAT ) KEYFORMAT_TYPE *keyformat ); 766 767 STDC_NONNULL_ARG( ( 1 ) ) \ 768 void md5HashBuffer( INOUT_OPT HASHINFO hashInfo, 769 OUT_BUFFER_OPT_C( outBufMaxLength, 16 ) BYTE *outBuffer, 770 IN_LENGTH_SHORT_Z const int outBufMaxLength, 771 IN_BUFFER_OPT( inLength ) const void *inBuffer, 772 IN_LENGTH_SHORT_Z const int inLength, 773 IN_ENUM( HASH_STATE ) const HASH_STATE hashState ); 774 STDC_NONNULL_ARG( ( 1 ) ) \ 775 void shaHashBuffer( INOUT_OPT HASHINFO hashInfo, 776 OUT_BUFFER_OPT_C( outBufMaxLength, 20 ) BYTE *outBuffer, 777 IN_LENGTH_SHORT_Z const int outBufMaxLength, 778 IN_BUFFER_OPT( inLength ) const void *inBuffer, 779 IN_LENGTH_SHORT_Z const int inLength, 780 IN_ENUM( HASH_STATE ) const HASH_STATE hashState ); 781 STDC_NONNULL_ARG( ( 1 ) ) \ 782 void sha2HashBuffer( INOUT_OPT HASHINFO hashInfo, 783 OUT_BUFFER_OPT_C( outBufMaxLength, 32 ) BYTE *outBuffer, 784 IN_LENGTH_SHORT_Z const int outBufMaxLength, 785 IN_BUFFER_OPT( inLength ) const void *inBuffer, 786 IN_LENGTH_SHORT_Z const int inLength, 787 IN_ENUM( HASH_STATE ) const HASH_STATE hashState ); 788 STDC_NONNULL_ARG( ( 1 ) ) \ 789 void sha2_ExtHashBuffer( INOUT_OPT HASHINFO hashInfo, 790 OUT_BUFFER_OPT_C( outBufMaxLength, 64 ) BYTE *outBuffer, 791 IN_LENGTH_SHORT_Z const int outBufMaxLength, 792 IN_BUFFER_OPT( inLength ) const void *inBuffer, 793 IN_LENGTH_SHORT_Z const int inLength, 794 IN_ENUM( HASH_STATE ) const HASH_STATE hashState ); 795 796 STDC_NONNULL_ARG( ( 1, 3 ) ) \ 797 void md5HashBufferAtomic( OUT_BUFFER_C( outBufMaxLength, 16 ) BYTE *outBuffer, 798 IN_LENGTH_SHORT_MIN( 16 ) const int outBufMaxLength, 799 IN_BUFFER( inLength ) const void *inBuffer, 800 IN_LENGTH_SHORT const int inLength ); 801 STDC_NONNULL_ARG( ( 1, 3 ) ) \ 802 void shaHashBufferAtomic( OUT_BUFFER_C( outBufMaxLength, 20 ) BYTE *outBuffer, 803 IN_LENGTH_SHORT_MIN( 20 ) const int outBufMaxLength, 804 IN_BUFFER( inLength ) const void *inBuffer, 805 IN_LENGTH_SHORT const int inLength ); 806 STDC_NONNULL_ARG( ( 1, 3 ) ) \ 807 void sha2HashBufferAtomic( OUT_BUFFER_C( outBufMaxLength, 32 ) BYTE *outBuffer, 808 IN_LENGTH_SHORT_MIN( 32 ) const int outBufMaxLength, 809 IN_BUFFER( inLength ) const void *inBuffer, 810 IN_LENGTH_SHORT const int inLength ); 811 STDC_NONNULL_ARG( ( 1, 3 ) ) \ 812 void sha2_ExtHashBufferAtomic( OUT_BUFFER_C( outBufMaxLength, 64 ) BYTE *outBuffer, 813 IN_LENGTH_SHORT_MIN( 64 ) const int outBufMaxLength, 814 IN_BUFFER( inLength ) const void *inBuffer, 815 IN_LENGTH_SHORT const int inLength ); 816 817 #endif /* _CRYPTCTX_DEFINED */ 818