1 /*
2  * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3  *
4  * Author: Nikos Mavrogiannopoulos
5  *
6  * This file is part of GnuTLS.
7  *
8  * The GnuTLS is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public License
10  * as published by the Free Software Foundation; either version 2.1 of
11  * the License, or (at your option) any later version.
12  *
13  * This library is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public License
19  * along with this program.  If not, see <https://www.gnu.org/licenses/>
20  *
21  */
22 
23 #ifndef GNUTLS_LIB_CRYPTO_BACKEND_H
24 #define GNUTLS_LIB_CRYPTO_BACKEND_H
25 
26 #include <gnutls/crypto.h>
27 
28 #define gnutls_crypto_single_cipher_st gnutls_crypto_cipher_st
29 #define gnutls_crypto_single_mac_st gnutls_crypto_mac_st
30 #define gnutls_crypto_single_digest_st gnutls_crypto_digest_st
31 
32 typedef struct {
33 	gnutls_cipher_init_func init;
34 	gnutls_cipher_setkey_func setkey;
35 	gnutls_cipher_setiv_func setiv;
36 	gnutls_cipher_getiv_func getiv;
37 	gnutls_cipher_encrypt_func encrypt;
38 	gnutls_cipher_decrypt_func decrypt;
39 	gnutls_cipher_aead_encrypt_func aead_encrypt;
40 	gnutls_cipher_aead_decrypt_func aead_decrypt;
41 	gnutls_cipher_deinit_func deinit;
42 	gnutls_cipher_auth_func auth;
43 	gnutls_cipher_tag_func tag;
44 
45 	/* Not needed for registered on run-time. Only included
46 	 * should define it. */
47 	int (*exists) (gnutls_cipher_algorithm_t);	/* true/false */
48 } gnutls_crypto_cipher_st;
49 
50 typedef struct {
51 	gnutls_mac_init_func init;
52 	gnutls_mac_setkey_func setkey;
53 	gnutls_mac_setnonce_func setnonce;
54 	gnutls_mac_hash_func hash;
55 	gnutls_mac_output_func output;
56 	gnutls_mac_deinit_func deinit;
57 	gnutls_mac_fast_func fast;
58 	gnutls_mac_copy_func copy;
59 
60 	/* Not needed for registered on run-time. Only included
61 	 * should define it. */
62 	int (*exists) (gnutls_mac_algorithm_t);
63 } gnutls_crypto_mac_st;
64 
65 typedef struct {
66 	gnutls_digest_init_func init;
67 	gnutls_digest_hash_func hash;
68 	gnutls_digest_output_func output;
69 	gnutls_digest_deinit_func deinit;
70 	gnutls_digest_fast_func fast;
71 	gnutls_digest_copy_func copy;
72 
73 	/* Not needed for registered on run-time. Only included
74 	 * should define it. */
75 	int (*exists) (gnutls_digest_algorithm_t);
76 } gnutls_crypto_digest_st;
77 
78 typedef struct {
79 	int (*hkdf_extract) (gnutls_mac_algorithm_t,
80 			     const void *key, size_t keysize,
81 			     const void *salt, size_t saltsize,
82 			     void *output);
83 	int (*hkdf_expand) (gnutls_mac_algorithm_t,
84 			    const void *key, size_t keysize,
85 			    const void *info, size_t infosize,
86 			    void *output, size_t length);
87 	int (*pbkdf2) (gnutls_mac_algorithm_t,
88 		       const void *key, size_t keysize,
89 		       const void *salt, size_t saltsize,
90 		       unsigned iter_count,
91 		       void *output, size_t length);
92 } gnutls_crypto_kdf_st;
93 
94 typedef struct gnutls_crypto_rnd {
95 	int (*init) (void **ctx); /* called prior to first usage of randomness */
96 	int (*rnd) (void *ctx, int level, void *data, size_t datasize);
97 	void (*rnd_refresh) (void *ctx);
98 	void (*deinit) (void *ctx);
99 	int (*self_test) (void); /* this should not require rng initialization */
100 } gnutls_crypto_rnd_st;
101 
102 typedef void *bigint_t;
103 
104 /**
105  * gnutls_bigint_format_t:
106  * @GNUTLS_MPI_FORMAT_USG: Raw unsigned integer format.
107  * @GNUTLS_MPI_FORMAT_STD: Raw signed integer format, always a leading
108  *   zero when positive.
109  *
110  * Enumeration of different bignum integer encoding formats.
111  */
112 typedef enum {
113 	/* raw unsigned integer format */
114 	GNUTLS_MPI_FORMAT_USG = 0,
115 	/* raw signed integer format - always a leading zero when positive */
116 	GNUTLS_MPI_FORMAT_STD = 1,
117 	/* raw unsigned integer format, little endian format */
118 	GNUTLS_MPI_FORMAT_ULE = 2
119 } gnutls_bigint_format_t;
120 
121 /* Multi precision integer arithmetic */
122 typedef struct gnutls_crypto_bigint {
123 	int (*bigint_init) (bigint_t*);
124 	int (*bigint_init_multi) (bigint_t*, ...);
125 	void (*bigint_release) (bigint_t n);
126 	void (*bigint_clear) (bigint_t n);	/* zeros the int */
127 	/* 0 for equality, > 0 for m1>m2, < 0 for m1<m2 */
128 	int (*bigint_cmp) (const bigint_t m1, const bigint_t m2);
129 	/* as bigint_cmp */
130 	int (*bigint_cmp_ui) (const bigint_t m1, unsigned long m2);
131 	/* r = a % b */
132 	int (*bigint_modm) (bigint_t r, const bigint_t a, const bigint_t b);
133 	/* a = b -> ret == a */
134 	int (*bigint_set) (bigint_t a, const bigint_t b);
135 	bigint_t (*bigint_copy) (const bigint_t a);
136 	/* a = b -> ret == a */
137 	int (*bigint_set_ui) (bigint_t a, unsigned long b);
138 	unsigned int (*bigint_get_nbits) (const bigint_t a);
139 	/* w = b ^ e mod m */
140 	int (*bigint_powm) (bigint_t w, const bigint_t b,
141 				 const bigint_t e, const bigint_t m);
142 	/* w = a + b mod m */
143 	int (*bigint_addm) (bigint_t w, const bigint_t a,
144 				 const bigint_t b, const bigint_t m);
145 	/* w = a - b mod m */
146 	int (*bigint_subm) (bigint_t w, const bigint_t a,
147 				 const bigint_t b, const bigint_t m);
148 	/* w = a * b mod m */
149 	int (*bigint_mulm) (bigint_t w, const bigint_t a,
150 				 const bigint_t b, const bigint_t m);
151 	/* w = a + b */ int (*bigint_add) (bigint_t w,
152 					       const bigint_t a,
153 					       const bigint_t b);
154 	/* w = a - b */ int (*bigint_sub) (bigint_t w,
155 					       const bigint_t a,
156 					       const bigint_t b);
157 	/* w = a * b */
158 	int (*bigint_mul) (bigint_t w, const bigint_t a,
159 				const bigint_t b);
160 	/* w = a + b */
161 	int (*bigint_add_ui) (bigint_t w, const bigint_t a,
162 				   unsigned long b);
163 	/* w = a - b */
164 	int (*bigint_sub_ui) (bigint_t w, const bigint_t a,
165 				   unsigned long b);
166 	/* w = a * b */
167 	int (*bigint_mul_ui) (bigint_t w, const bigint_t a,
168 				   unsigned long b);
169 	/* q = a / b */
170 	int (*bigint_div) (bigint_t q, const bigint_t a,
171 				const bigint_t b);
172 	/* 0 if prime */
173 	int (*bigint_prime_check) (const bigint_t pp);
174 
175 	/* reads a bigint from a buffer */
176 	/* stores a bigint into the buffer.  returns
177 	 * GNUTLS_E_SHORT_MEMORY_BUFFER if buf_size is not sufficient to
178 	 * store this integer, and updates the buf_size;
179 	 */
180 	int (*bigint_scan) (bigint_t m, const void *buf, size_t buf_size,
181 				 gnutls_bigint_format_t format);
182 	int (*bigint_print) (const bigint_t a, void *buf,
183 			     size_t * buf_size,
184 			     gnutls_bigint_format_t format);
185 } gnutls_crypto_bigint_st;
186 
187 /* Additional information about the public key, filled from
188  * SubjectPublicKeyInfo parameters. When there are no parameters,
189  * the pk field will be set to GNUTLS_PK_UNKNOWN.
190  */
191 typedef struct gnutls_x509_spki_st {
192 	/* We can have a key which is of type RSA, but a certificate
193 	 * of type RSA-PSS; the value here will be the expected value
194 	 * for signatures (i.e., RSA-PSS) */
195 	gnutls_pk_algorithm_t pk;
196 
197 	/* the digest used by RSA-PSS */
198 	gnutls_digest_algorithm_t rsa_pss_dig;
199 
200 	/* the size of salt used by RSA-PSS */
201 	unsigned int salt_size;
202 
203 	/* if non-zero, the legacy value for PKCS#7 signatures will be
204 	 * written for RSA signatures. */
205 	unsigned int legacy;
206 
207 	/* the digest used by ECDSA/DSA */
208 	gnutls_digest_algorithm_t dsa_dig;
209 
210 	/* flags may include GNUTLS_PK_FLAG_REPRODUCIBLE for
211 	 * deterministic ECDSA/DSA */
212 	unsigned int flags;
213 } gnutls_x509_spki_st;
214 
215 #define GNUTLS_MAX_PK_PARAMS 16
216 
217 typedef struct {
218 	bigint_t params[GNUTLS_MAX_PK_PARAMS];
219 	unsigned int params_nr;	/* the number of parameters */
220 	unsigned int pkflags; /* gnutls_pk_flag_t */
221 	unsigned int qbits; /* GNUTLS_PK_DH */
222 	gnutls_ecc_curve_t curve; /* GNUTLS_PK_EC, GNUTLS_PK_ED25519, GNUTLS_PK_GOST* */
223 	gnutls_group_t dh_group; /* GNUTLS_PK_DH - used by ext/key_share */
224 	gnutls_gost_paramset_t gost_params; /* GNUTLS_PK_GOST_* */
225 	gnutls_datum_t raw_pub; /* used by x25519 */
226 	gnutls_datum_t raw_priv;
227 
228 	unsigned int seed_size;
229 	uint8_t seed[MAX_PVP_SEED_SIZE];
230 	gnutls_digest_algorithm_t palgo;
231 	/* public key information */
232 	gnutls_x509_spki_st spki;
233 
234 	gnutls_pk_algorithm_t algo;
235 } gnutls_pk_params_st;
236 
237 /**
238  * gnutls_pk_flag_t:
239  * @GNUTLS_PK_FLAG_NONE: No flag.
240  *
241  * Enumeration of public-key flag.
242  */
243 typedef enum {
244 	GNUTLS_PK_FLAG_NONE = 0,
245 	GNUTLS_PK_FLAG_PROVABLE = 1,
246 	GNUTLS_PK_FLAG_REPRODUCIBLE = 2
247 } gnutls_pk_flag_t;
248 
249 #define FIX_SIGN_PARAMS(params, flags, dig) do {		\
250 	if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) {	\
251 		(params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE;	\
252 		(params).dsa_dig = (dig);			\
253 	}							\
254 } while (0)
255 
256 void gnutls_pk_params_release(gnutls_pk_params_st * p);
257 void gnutls_pk_params_clear(gnutls_pk_params_st * p);
258 void gnutls_pk_params_init(gnutls_pk_params_st * p);
259 
260 
261 #define MAX_PUBLIC_PARAMS_SIZE 4	/* ok for RSA and DSA */
262 
263 /* parameters should not be larger than this limit */
264 #define DSA_PUBLIC_PARAMS 4
265 #define DH_PUBLIC_PARAMS 4
266 #define RSA_PUBLIC_PARAMS 2
267 #define ECC_PUBLIC_PARAMS 2
268 #define GOST_PUBLIC_PARAMS 2
269 
270 
271 #define MAX_PRIV_PARAMS_SIZE GNUTLS_MAX_PK_PARAMS	/* ok for RSA and DSA */
272 
273 /* parameters should not be larger than this limit */
274 #define DSA_PRIVATE_PARAMS 5
275 #define DH_PRIVATE_PARAMS 5
276 #define RSA_PRIVATE_PARAMS 8
277 #define ECC_PRIVATE_PARAMS 3
278 #define GOST_PRIVATE_PARAMS 3
279 
280 #if MAX_PRIV_PARAMS_SIZE - RSA_PRIVATE_PARAMS < 0
281 #error INCREASE MAX_PRIV_PARAMS
282 #endif
283 
284 #if MAX_PRIV_PARAMS_SIZE - ECC_PRIVATE_PARAMS < 0
285 #error INCREASE MAX_PRIV_PARAMS
286 #endif
287 
288 #if MAX_PRIV_PARAMS_SIZE - GOST_PRIVATE_PARAMS < 0
289 #error INCREASE MAX_PRIV_PARAMS
290 #endif
291 
292 #if MAX_PRIV_PARAMS_SIZE - DSA_PRIVATE_PARAMS < 0
293 #error INCREASE MAX_PRIV_PARAMS
294 #endif
295 
296 
297 /* params are:
298  * RSA:
299  *  [0] is modulus
300  *  [1] is public exponent
301  *  [2] is private exponent (private key only)
302  *  [3] is prime1 (p) (private key only)
303  *  [4] is prime2 (q) (private key only)
304  *  [5] is coefficient (u == inverse of p mod q) (private key only)
305  *  [6] e1 == d mod (p-1)
306  *  [7] e2 == d mod (q-1)
307  *
308  *  note that for libgcrypt that does not use the inverse of q mod p,
309  *  we need to perform conversions using fixup_params().
310  *
311  * DSA:
312  *  [0] is p
313  *  [1] is q
314  *  [2] is g
315  *  [3] is y (public key)
316  *  [4] is x (private key only)
317  *
318  * DH: as DSA
319  *
320  * ECC:
321  *  [0] is prime
322  *  [1] is order
323  *  [2] is A
324  *  [3] is B
325  *  [4] is Gx
326  *  [5] is Gy
327  *  [6] is x
328  *  [7] is y
329  *  [8] is k (private key)
330  */
331 
332 #define ECC_X 0
333 #define ECC_Y 1
334 #define ECC_K 2
335 
336 #define GOST_X 0
337 #define GOST_Y 1
338 #define GOST_K 2
339 
340 #define DSA_P 0
341 #define DSA_Q 1
342 #define DSA_G 2
343 #define DSA_Y 3
344 #define DSA_X 4
345 
346 #define DH_P 0
347 #define DH_Q 1
348 #define DH_G 2
349 #define DH_Y 3
350 #define DH_X 4
351 
352 #define RSA_MODULUS 0
353 #define RSA_PUB 1
354 #define RSA_PRIV 2
355 #define RSA_PRIME1 3
356 #define RSA_PRIME2 4
357 #define RSA_COEF 5
358 #define RSA_E1 6
359 #define RSA_E2 7
360 
361 /**
362  * gnutls_direction_t:
363  * @GNUTLS_IMPORT: Import direction.
364  * @GNUTLS_EXPORT: Export direction.
365  *
366  * Enumeration of different directions.
367  */
368 typedef enum {
369 	GNUTLS_IMPORT = 0,
370 	GNUTLS_EXPORT = 1
371 } gnutls_direction_t;
372 
373 /* Public key algorithms */
374 typedef struct gnutls_crypto_pk {
375 	/* The params structure should contain the private or public key
376 	 * parameters, depending on the operation */
377 	int (*encrypt) (gnutls_pk_algorithm_t, gnutls_datum_t * ciphertext,
378 			const gnutls_datum_t * plaintext,
379 			const gnutls_pk_params_st * pub);
380 	int (*decrypt) (gnutls_pk_algorithm_t,
381                         gnutls_datum_t * plaintext,
382 			const gnutls_datum_t * ciphertext,
383 			const gnutls_pk_params_st * priv);
384 	int (*decrypt2) (gnutls_pk_algorithm_t,
385 			 const gnutls_datum_t * ciphertext,
386                          unsigned char * plaintext,
387                          size_t paintext_size,
388 			 const gnutls_pk_params_st * priv);
389 	int (*sign) (gnutls_pk_algorithm_t, gnutls_datum_t * signature,
390 		     const gnutls_datum_t * data,
391 		     const gnutls_pk_params_st *priv,
392 		     const gnutls_x509_spki_st *sign);
393 	int (*verify) (gnutls_pk_algorithm_t, const gnutls_datum_t * data,
394 		       const gnutls_datum_t * sig,
395 		       const gnutls_pk_params_st *pub,
396 		       const gnutls_x509_spki_st *sign);
397 	/* sanity checks the public key parameters */
398 	int (*verify_priv_params) (gnutls_pk_algorithm_t,
399 			      const gnutls_pk_params_st * priv);
400 	int (*verify_pub_params) (gnutls_pk_algorithm_t,
401 			      const gnutls_pk_params_st * pub);
402 	int (*generate_keys) (gnutls_pk_algorithm_t, unsigned int nbits,
403 			 gnutls_pk_params_st *, unsigned ephemeral);
404 	int (*generate_params) (gnutls_pk_algorithm_t, unsigned int nbits,
405 			 gnutls_pk_params_st *);
406 	/* this function should convert params to ones suitable
407 	 * for the above functions
408 	 */
409 	int (*pk_fixup_private_params) (gnutls_pk_algorithm_t,
410 					gnutls_direction_t,
411 					gnutls_pk_params_st *);
412 #define PK_DERIVE_TLS13 1
413 	int (*derive) (gnutls_pk_algorithm_t, gnutls_datum_t * out,
414 		       const gnutls_pk_params_st * priv,
415 		       const gnutls_pk_params_st * pub,
416 		       const gnutls_datum_t *nonce,
417 		       unsigned int flags);
418 
419 	int (*curve_exists) (gnutls_ecc_curve_t);	/* true/false */
420 } gnutls_crypto_pk_st;
421 
422 /* priority: infinity for backend algorithms, 90 for kernel
423    algorithms, lowest wins
424  */
425 int gnutls_crypto_single_cipher_register(gnutls_cipher_algorithm_t
426 					 algorithm, int priority,
427 					 const gnutls_crypto_single_cipher_st *s,
428 					 int free_s);
429 int gnutls_crypto_single_mac_register(gnutls_mac_algorithm_t algorithm,
430 				      int priority,
431 				      const gnutls_crypto_single_mac_st *
432 				      s, int free_s);
433 int gnutls_crypto_single_digest_register(gnutls_digest_algorithm_t
434 					 algorithm, int priority,
435 					 const
436 					 gnutls_crypto_single_digest_st *
437 					 s, int free_s);
438 
439 int gnutls_crypto_rnd_register(int priority,
440 			       const gnutls_crypto_rnd_st * s);
441 int gnutls_crypto_pk_register(int priority, const gnutls_crypto_pk_st * s);
442 int gnutls_crypto_bigint_register(int priority,
443 				  const gnutls_crypto_bigint_st * s);
444 
445 /* Provided by crypto-backend */
446 int
447 _gnutls_prf_raw(gnutls_mac_algorithm_t mac,
448 		size_t master_size, const void *master,
449 		size_t label_size, const char *label,
450 		size_t seed_size, const uint8_t *seed, size_t outsize,
451 		char *out);
452 
453 int _gnutls_gost_key_wrap(gnutls_gost_paramset_t gost_params,
454 			  const gnutls_datum_t *kek,
455 			  const gnutls_datum_t *ukm,
456 			  const gnutls_datum_t *cek,
457 			  gnutls_datum_t *enc,
458 			  gnutls_datum_t *imit);
459 
460 int _gnutls_gost_key_unwrap(gnutls_gost_paramset_t gost_params,
461 			    const gnutls_datum_t *kek,
462 			    const gnutls_datum_t *ukm,
463 			    const gnutls_datum_t *enc,
464 			    const gnutls_datum_t *imit,
465 			    gnutls_datum_t *cek);
466 
467 #endif /* GNUTLS_LIB_CRYPTO_BACKEND_H */
468