diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h index bff30fcad..8baa6b1b8 100644 --- a/include/mbedtls/ecdsa.h +++ b/include/mbedtls/ecdsa.h @@ -256,8 +256,8 @@ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx, */ int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig, size_t ssize, uint16_t byte_len, - unsigned char *buf, size_t bufsize, - size_t* buflen ); + unsigned char *buf, size_t* buflen, + size_t bufsize ); /** * \brief Convert a signature from numbers to ASN.1 * @@ -280,6 +280,29 @@ int mbedtls_ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, unsigned char *sig, size_t *slen, size_t ssize ); +/** + * \brief Convert a signature from a raw representation to ASN.1 + * + * \param r First number of the signature + * \param s Second number of the signature + * \param num_len Length of each number in bytes + * \param sig Buffer that will hold the signature + * \param slen Length of the signature written + * \param ssize Size of the sig buffer + * + * \note The size of the buffer \c ssize should be at least + * `MBEDTLS_ECDSA_MAX_SIG_LEN(grp->pbits)` bytes long if + * the signature was produced from curve \c grp, + * otherwise this function will return an error. + * + * \return 0 if successful, + * or a MBEDTLS_ERR_MPI_XXX or MBEDTLS_ERR_ASN1_XXX error code + * + */ +int mbedtls_raw_ecdsa_signature_to_asn1(const unsigned char *r, + const unsigned char *s, uint16_t num_len, + unsigned char *sig, size_t *slen, size_t ssize ); + /** * \brief Read and verify an ECDSA signature * diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 43d001ce2..96d158b33 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -513,7 +513,7 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen, * The output is the group's OID wrapped as ASN.1. * * \param grp ECP group used - * \param buf Buffer to write to + * \param p Buffer to write to * \param size Buffer size * * \return Number of bytes written to \c buf, diff --git a/include/mbedtls/pkcs11_client.h b/include/mbedtls/pkcs11_client.h index 83aed5157..ac858f940 100644 --- a/include/mbedtls/pkcs11_client.h +++ b/include/mbedtls/pkcs11_client.h @@ -2,8 +2,9 @@ * \file pkcs11_client.h * * \brief Generic wrapper for Cryptoki (PKCS#11) support - * - * Copyright (C) 2017, ARM Limited, All Rights Reserved + */ +/* + * Copyright (C) 2017-2018, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -46,12 +47,12 @@ extern "C" { #if defined(MBEDTLS_PK_C) -#define MBEDTLS_PK_FLAG_SENSITIVE ( (uint32_t) 0x00000001 ) -#define MBEDTLS_PK_FLAG_EXTRACTABLE ( (uint32_t) 0x00000002 ) -#define MBEDTLS_PK_FLAG_SIGN ( (uint32_t) 0x00000010 ) -#define MBEDTLS_PK_FLAG_VERIFY ( (uint32_t) 0x00000020 ) -#define MBEDTLS_PK_FLAG_DECRYPT ( (uint32_t) 0x00000040 ) -#define MBEDTLS_PK_FLAG_ENCRYPT ( (uint32_t) 0x00000080 ) +#define MBEDTLS_PKCS11_FLAG_SENSITIVE ( (uint32_t) 0x00000001 ) +#define MBEDTLS_PKCS11_FLAG_EXTRACTABLE ( (uint32_t) 0x00000002 ) +#define MBEDTLS_PKCS11_FLAG_SIGN ( (uint32_t) 0x00000010 ) +#define MBEDTLS_PKCS11_FLAG_VERIFY ( (uint32_t) 0x00000020 ) +#define MBEDTLS_PKCS11_FLAG_DECRYPT ( (uint32_t) 0x00000040 ) +#define MBEDTLS_PKCS11_FLAG_ENCRYPT ( (uint32_t) 0x00000080 ) #include "pk.h" @@ -69,12 +70,11 @@ extern "C" { * \return 0 on success, * or MBEDTLS_ERR_PK_XXX error code. * - * \note The session and the key(s) must remain valid until the - * PK context is closed with mbedtls_pk_free(). As an - * exception, it's ok to call mbedtls_pk_free() itself - * even if the Cryptoki handles have become invalid. + * \note If any of the handles become invalid, then you may no + * longer do anything with the pk object except call + * mbedtls_pk_free on it. */ -int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx, +int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hPublicKey, CK_OBJECT_HANDLE hPrivateKey ); @@ -87,36 +87,42 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx, * PKCS#11 token. * * \param ctx PK context, which must contain a transparent pk - * object (type \c MBEDTLS_PK_RSA, - * \c MBEDTLS_PK_RSASSA_PSS, \c MBEDTLS_PK_ECKEY or - * \c MBEDTLS_PK_ECDSA). - * \param flags Mask of \c MBEDTLS_PKCS11_FLAG_XXX and - * \c MBEDTLS_PK_FLAG_XXX, applying as follows: - * - \c MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN + * object (type #MBEDTLS_PK_RSA, + * #MBEDTLS_PK_RSASSA_PSS, #MBEDTLS_PK_ECKEY or + * #MBEDTLS_PK_ECDSA). + * \param flags Mask of #MBEDTLS_PKCS11_FLAG_XXX and + * #MBEDTLS_PK_FLAG_XXX, applying as follows: + * - #MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN * flag: if set, import as token object; if clear, * import as session object. - * - \c MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11 - * \c CKA_EXTRACTABLE flag: if set, the key will be - * extractable at least in wrapped form; if clear, - * the key will not be extractable at all. - * - \c MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11 - * \c CKA_SENSITIVE flag: if set, the key will be - * not be extractable in plain form; if clear, the - * key will be extractable at least in wrapped form. - * - \c MBEDTLS_PK_FLAG_SIGN: if set, the private key + * - #MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11 + * \c CKA_EXTRACTABLE flag: if set, the private key + * will be extractable at least in wrapped form; if + * clear, the key will not be extractable at all. + * - #MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11 + * \c CKA_SENSITIVE flag: if set, the private key + * will not be extractable in plain form; if clear, + * the key will be extractable in plain form if + * #MBEDTLS_PK_FLAG_EXTRACTABLE is set. + * - #MBEDTLS_PK_FLAG_SIGN: if set, the private key * will be authorized for signing. - * - \c MBEDTLS_PK_FLAG_VERIFY: if set, the public key + * - #MBEDTLS_PK_FLAG_VERIFY: if set, the public key * will be authorized for verification. - * - \c MBEDTLS_PK_FLAG_DECRYPT: if set, the private key - * will be authorized for signing. - * - \c MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key + * - #MBEDTLS_PK_FLAG_DECRYPT: if set, the private key + * will be authorized for decryption. + * - #MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key * will be authorized for encryption. * - * \param hSession Cryptoki session. + * \param hSession Cryptoki session. The session must remain valid as long + * as the PK object is in use. * \param hPublicKey If non-null, on output, Cryptoki handle of the public - * key. If null, the public key is not imported. + * key. This handle must remain valid as long as the PK + * object is in use. If null, the public key is not + * imported. * \param hPrivateKey If non-null, on output, Cryptoki handle of the private - * key. If null, the private key is not imported. + * key. This handle must remain valid as long as the PK + * object is in use. If null, the private key is not + * imported. * * \return 0 on success, * or MBEDTLS_ERR_PK_XXX error code. @@ -133,7 +139,7 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx, * also failed, for example because the token was * disconnected. */ -int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx, +int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx, uint32_t flags, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE *hPublicKey, diff --git a/library/ecdsa.c b/library/ecdsa.c index 0f33b83ce..6be57d5c0 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -289,66 +289,75 @@ cleanup: /* * Convert a signature to a raw concatenation of {r, s} */ -/*int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig, - size_t ssize, uint16_t byte_len, - unsigned char *buf, size_t* slen )*/ int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig, size_t ssize, uint16_t byte_len, - unsigned char *buf, size_t bufsize, - size_t* buflen ) + unsigned char *buf, size_t* buflen, + size_t bufsize) { int ret; unsigned char *p = (unsigned char *) sig; + unsigned char *buf_ptr; const unsigned char *end = sig + ssize; - size_t len; - mbedtls_mpi r, s; + size_t len, bytes_skipped; if( 2 * byte_len > bufsize ) { - return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA); } - mbedtls_mpi_init( &r ); - mbedtls_mpi_init( &s ); - if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) { ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; - goto cleanup; + return ret; } if( p + len != end ) { - ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA + + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; - goto cleanup; } - if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 || - ( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 ) - { - ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; - goto cleanup; - } - p = (unsigned char *) buf; - if( ( ret = mbedtls_mpi_write_binary(&r, p, byte_len) ) ) - { - ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; - goto cleanup; - } - p += byte_len; - if( ( ret = mbedtls_mpi_write_binary(&s, p, byte_len) ) ) - { - ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; - goto cleanup; - } - *buflen = 2*byte_len; - cleanup: - mbedtls_mpi_free( &r ); - mbedtls_mpi_free( &s ); + /* + * Step 1: write R + */ + buf_ptr = buf; + if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 ) + return( ret ); - return( ret ); + for( bytes_skipped = 0; bytes_skipped < len; bytes_skipped++ ) + if( p[bytes_skipped] != 0 ) + break; + + if( len - bytes_skipped > bufsize ) + { + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } + *buflen = len - bytes_skipped; + + memmove(buf_ptr, &p[bytes_skipped], *buflen); + p += len; + buf_ptr += *buflen; + + /* + * Step 2: write S + */ + if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 ) + return( ret ); + + for( bytes_skipped = 0; bytes_skipped < len; bytes_skipped++ ) + if( p[bytes_skipped] != 0 ) + break; + + if( len - bytes_skipped + *buflen > bufsize ) + { + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } + + *buflen += len - bytes_skipped; + memmove(buf_ptr, &p[bytes_skipped], len - bytes_skipped); + + return( ret ); } /* @@ -372,6 +381,76 @@ int mbedtls_ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s, memset( sig + len, 0, ssize - len ); *slen = len; + return( 0 ); + } + +int mbedtls_raw_ecdsa_signature_to_asn1( const unsigned char *r, + const unsigned char *s, uint16_t num_len, + unsigned char *sig, size_t *slen, size_t ssize ) +{ + int ret; + unsigned char *p = sig + ssize; + size_t total_len = 0; + size_t padding_len = 0; + + /* + * Step 1: write S + */ + memmove( p - num_len, s, num_len ); + p -= num_len; + total_len += num_len; + if( *p & 0x80 ) + { + if( p - sig < 1 ) + return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + + *--p = 0x00; + padding_len += 1; + } + total_len += padding_len; + + MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig, + num_len + padding_len ) ); + MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig, + MBEDTLS_ASN1_INTEGER ) ); + + padding_len = 0; + + /* + * Step 2: write R + */ + memmove( p - num_len, r, num_len ); + p -= num_len; + total_len += num_len; + if( *p & 0x80 ) + { + if( p - sig < 1 ) + return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + + *--p = 0x00; + padding_len += 1; + } + total_len += padding_len; + + MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig, + num_len + padding_len ) ); + MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig, + MBEDTLS_ASN1_INTEGER ) ); + + /* + * Step 3: write rest of the data + */ + MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig, total_len ) ); + MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); + + /* + * Step 4: move to the beginning of the buffer, zeroize the rest + */ + memmove( sig, p, total_len ); + memset( sig + total_len, 0, ssize - total_len ); + *slen = total_len; + return( 0 ); } diff --git a/library/pkcs11_client.c b/library/pkcs11_client.c index 040b971bf..439c50cff 100644 --- a/library/pkcs11_client.c +++ b/library/pkcs11_client.c @@ -1,7 +1,7 @@ /* * Generic wrapper for Cryptoki (PKCS#11) support * - * Copyright (C) 2017, ARM Limited, All Rights Reserved + * Copyright (C) 2017-2018, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -29,7 +29,6 @@ #include #include -#include #include "mbedtls/pkcs11_client.h" @@ -144,7 +143,7 @@ static int pkcs11_sign( void *ctx_arg, CK_RV rv; CK_MECHANISM mechanism = {0, NULL_PTR, 0}; CK_ULONG ck_sig_len; - + (void)(md_alg); /* This function takes size_t arguments but the underlying layer takes unsigned long. Either type may be smaller than the other. Legitimate values won't overflow either type but we still need @@ -180,7 +179,8 @@ static int pkcs11_sign( void *ctx_arg, * each in the form of a big-endian byte sequence, with r and s * having the same length as the base point. * - * A standard ECDSA signature is encoded in ASN.1: + * This library encodes ECDSA signatures in ASN.1 as documented + * for mbedtls_ecdsa_write_signature: * SEQUENCE { * r INTEGER, * s INTEGER @@ -191,9 +191,7 @@ static int pkcs11_sign( void *ctx_arg, */ uint16_t byte_len = ( ( ctx->bit_length + 7 ) / 8 ); size_t sig_size = MBEDTLS_ECDSA_MAX_SIG_LEN( ctx->bit_length ); - mbedtls_mpi r, s; - mbedtls_mpi_init( &r ); - mbedtls_mpi_init( &s ); + rv = CKR_OK; if( ck_sig_len != 2 * byte_len ) { @@ -201,22 +199,15 @@ static int pkcs11_sign( void *ctx_arg, rv = CKR_GENERAL_ERROR; goto ecdsa_exit; } - if( mbedtls_mpi_read_binary( &r, sig, byte_len ) != 0 || - mbedtls_mpi_read_binary( &s, sig + byte_len, byte_len ) != 0 ) - { - rv = CKR_HOST_MEMORY; - goto ecdsa_exit; - } + /* The signature buffer is guaranteed to have enough room for the encoded signature by the pk_sign interface. */ - if( mbedtls_ecdsa_signature_to_asn1( &r, &s, sig, sig_len, sig_size ) != 0 ) + if( mbedtls_raw_ecdsa_signature_to_asn1( sig, sig + byte_len, byte_len, sig, sig_len, sig_size ) != 0 ) { rv = CKR_GENERAL_ERROR; goto ecdsa_exit; } ecdsa_exit: - mbedtls_mpi_free( &r ); - mbedtls_mpi_free( &s ); if( rv != CKR_OK ) goto exit; } @@ -292,8 +283,8 @@ static int pkcs11_verify( void *ctx_arg, return( MBEDTLS_ERR_PK_ALLOC_FAILED ); } if( mbedtls_ecdsa_signature_to_raw( sig, sig_len, byte_len, - decoded_sig, 2 * byte_len, - &decoded_sig_len ) != 0 ) + decoded_sig, &decoded_sig_len, + 2 * byte_len ) != 0 ) { rv = CKR_GENERAL_ERROR; goto exit; @@ -315,7 +306,7 @@ exit: static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info = MBEDTLS_PK_OPAQUE_INFO_1( "pkcs11" , pkcs11_pk_get_bitlen - , pkcs11_pk_can_do //can_do + , pkcs11_pk_can_do , pkcs11_pk_signature_size , pkcs11_verify , pkcs11_sign @@ -327,7 +318,7 @@ static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info = , NULL //debug_func ); -int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx, +int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hPublicKey, CK_OBJECT_HANDLE hPrivateKey ) @@ -368,7 +359,7 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx, case CKK_ECDSA: can_do = MBEDTLS_PK_ECKEY; { - unsigned char ecParams[16]; + unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE]; mbedtls_asn1_buf params_asn1; mbedtls_ecp_group_id grp_id; const mbedtls_ecp_curve_info *curve_info; @@ -416,29 +407,30 @@ static int mpi_to_ck( const mbedtls_mpi *mpi, CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE at, unsigned char **p, size_t len ) { - if( mbedtls_mpi_write_binary( mpi, *p, len ) != 0 ) - return( 0 ); + int ret = mbedtls_mpi_write_binary( mpi, *p, len ); + if( ret != 0 ) + return( ret ); attr->type = at; attr->pValue = *p; attr->ulValueLen = len; *p += len; - return( 1 ); + return( 0 ); } -#define MPI_TO_CK( mpi, attr, at, p, len ) \ - do \ - { \ - if( !mpi_to_ck( ( mpi ), ( attr ), ( at ), ( p ), ( len ) ) ) \ - { \ - rv = CKR_ARGUMENTS_BAD; \ - goto exit; \ - } \ - } \ +#define MPI_TO_CK( mpi, attr, at, p, len ) \ + do \ + { \ + if( mpi_to_ck( ( mpi ), ( attr ), ( at ), ( p ), ( len ) ) != 0) \ + { \ + rv = CKR_ARGUMENTS_BAD; \ + goto exit; \ + } \ + } \ while( 0 ) #endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) */ -#define CK_BOOL( x ) ( ( x ) ? CK_TRUE : CK_FALSE ) +#define MBEDTLS_PKCS11_BOOL( x ) ( ( x ) ? CK_TRUE : CK_FALSE ) -int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx, +int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx, uint32_t flags, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE *hPublicKey, @@ -447,13 +439,13 @@ int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx, CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY; CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY; CK_KEY_TYPE ck_key_type; - CK_BBOOL ck_sensitive = CK_BOOL( flags & MBEDTLS_PK_FLAG_SENSITIVE ); - CK_BBOOL ck_extractable = CK_BOOL( flags & MBEDTLS_PK_FLAG_EXTRACTABLE ); - CK_BBOOL ck_sign = CK_BOOL( flags & MBEDTLS_PK_FLAG_SIGN ); - CK_BBOOL ck_verify = CK_BOOL( flags & MBEDTLS_PK_FLAG_VERIFY ); - CK_BBOOL ck_decrypt = CK_BOOL( flags & MBEDTLS_PK_FLAG_DECRYPT ); - CK_BBOOL ck_encrypt = CK_BOOL( flags & MBEDTLS_PK_FLAG_ENCRYPT ); - CK_BBOOL ck_token = CK_BOOL( flags & MBEDTLS_PKCS11_FLAG_TOKEN ); + CK_BBOOL ck_sensitive = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_SENSITIVE ); + CK_BBOOL ck_extractable = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_EXTRACTABLE ); + CK_BBOOL ck_sign = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_SIGN ); + CK_BBOOL ck_verify = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_VERIFY ); + CK_BBOOL ck_decrypt = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_DECRYPT ); + CK_BBOOL ck_encrypt = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_ENCRYPT ); + CK_BBOOL ck_token = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_TOKEN ); CK_ATTRIBUTE public_attributes[] = { {CKA_CLASS, &cko_public_key, sizeof( cko_public_key )}, {CKA_KEY_TYPE, &ck_key_type, sizeof( ck_key_type )}, diff --git a/programs/.gitignore b/programs/.gitignore index 05fb0b621..60942d76e 100644 --- a/programs/.gitignore +++ b/programs/.gitignore @@ -49,7 +49,7 @@ test/ssl_cert_test test/udp_proxy util/pem2der util/strerror -util/syslog2stderr.so +test/syslog2stderr.so x509/cert_app x509/cert_req x509/crl_app diff --git a/programs/Makefile b/programs/Makefile index 163059b54..805ab20fa 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -278,14 +278,15 @@ x509/req_app$(EXEXT): x509/req_app.c $(DEP) $(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/req_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ ifndef WINDOWS -util/syslog2stderr.so: util/syslog2stderr.c - echo " CC util/syslog2stderr.c" +test/syslog2stderr.so: test/syslog2stderr.c + echo " CC test/syslog2stderr.c" $(CC) $(CFLAGS) -fPIC -shared -o $@ $< -ldl endif clean: ifndef WINDOWS rm -f $(APPS) + rm -f test/syslog2stderr.so else del /S /Q /F *.o *.exe endif diff --git a/programs/test/syslog2stderr.c b/programs/test/syslog2stderr.c new file mode 100644 index 000000000..3e34985fc --- /dev/null +++ b/programs/test/syslog2stderr.c @@ -0,0 +1,69 @@ +/** \brief Syslog to stderr wrapper for Unix-like systems + * + * By dynamically linking this module into an executable, any message sent to the system logs + * via the POSIX or Linux API is instead redirected to standard error. +* +* Compile this program with `cc -fPID -shared -o syslog2stderr.so syslog2stderr.c -ldl` +* and load it dynamically when running `myprogram` with +* `LD_PRELOAD=/path/to/syslog2stderr.so myprogram`. +* On macOS, replace `LD_PRELOAD` by `DYLD_PRELOAD`. + */ + /** + * Copyright (C) 2017-2018, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ +#include +#include +#include +#include +#include +#include + + +void openlog( const char *ident, int option, int facility ) +{ + (void) ident; + (void) option; + (void) facility; +} + +/* POSIX API */ +void syslog( int priority, const char *format, ... ) +{ + va_list args; + va_start( args, format ); + vfprintf( stderr, format, args ); + va_end( args ); +} + +/* Linux ABI + * http://refspecs.linux-foundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libc---syslog-chk-1.html + */ +void __syslog_chk( int priority, int flag, const char *format, ... ) +{ + va_list args; + (int) flag; + va_start( args, format ); + vfprintf( stderr, format, args ); + fputc( '\n', stderr ); + va_end( args ); +} + +void closelog( void ) +{ + /* no-op */ +} diff --git a/programs/util/syslog2stderr.c b/programs/util/syslog2stderr.c deleted file mode 100644 index 6a636ecd8..000000000 --- a/programs/util/syslog2stderr.c +++ /dev/null @@ -1,41 +0,0 @@ -#include -#include -#include -#include -#include -#include - - -void openlog( const char *ident, int option, int facility ) -{ - (void) ident; - (void) option; - (void) facility; -} - -/* POSIX API */ -void syslog( int priority, const char *format, ... ) -{ - va_list args; - va_start( args, format ); - vfprintf( stderr, format, args ); - va_end( args ); -} - -/* Linux ABI - * http://refspecs.linux-foundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libc---syslog-chk-1.html - */ -void __syslog_chk( int priority, int flag, const char *format, ... ) -{ - va_list args; - (int) flag; - va_start( args, format ); - vfprintf( stderr, format, args ); - fputc( '\n', stderr ); - va_end( args ); -} - -void closelog( void ) -{ - /* no-op */ -} diff --git a/tests/scripts/pkcs11-client-test.sh b/tests/scripts/pkcs11-client-test.sh index aaf7d9427..05f819213 100755 --- a/tests/scripts/pkcs11-client-test.sh +++ b/tests/scripts/pkcs11-client-test.sh @@ -14,14 +14,16 @@ elif [ -e ../../../library/aes.c ]; then else unset TOPDIR fi +# The SoftHSM library sends error messages to the system logs. If possible, send +# the messages to standard error instead, by overloading the logging functions. if [ -n "${TOPDIR+1}" ] && - make -C "$TOPDIR/programs" util/syslog2stderr.so >/dev/null 2>&1 + make -C "$TOPDIR/programs" test/syslog2stderr.so >/dev/null 2>&1 then case $(uname) in Darwin) - export DYLD_PRELOAD="${DYLD_PRELOAD-}:$TOPDIR/programs/util/syslog2stderr.so";; + export DYLD_PRELOAD="${DYLD_PRELOAD-}:$TOPDIR/programs/test/syslog2stderr.so";; *) - export LD_PRELOAD="${LD_PRELOAD-}:$TOPDIR/programs/util/syslog2stderr.so";; + export LD_PRELOAD="${LD_PRELOAD-}:$TOPDIR/programs/test/syslog2stderr.so";; esac fi diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data index bf1bcc74e..413551970 100644 --- a/tests/suites/test_suite_pk.data +++ b/tests/suites/test_suite_pk.data @@ -163,6 +163,7 @@ pk_opaque_fail_allocation: PK opaque minimal pk_opaque_minimal: -PK opaque wrapper (RSA) -depends_on:MBEDTLS_RSA_C -pk_opaque_wrapper: +#PK opaque wrapper (RSA) +#depends_on:MBEDTLS_RSA_C +#pk_opaque_wrapper: +# \ No newline at end of file diff --git a/tests/suites/test_suite_pkcs11_client.data b/tests/suites/test_suite_pkcs11_client.data index 17930235f..881ca8367 100644 --- a/tests/suites/test_suite_pkcs11_client.data +++ b/tests/suites/test_suite_pkcs11_client.data @@ -1,19 +1,19 @@ PKCS#11 ECDSA import and sign -depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C +depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED pk_import_sign:"data_files/server3.key" PKCS#11 ECDSA generate and sign -depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C +depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED pk_generate_sign:MBEDTLS_PK_ECDSA PKCS#11 ECDSA import, sign and verify with Cryptoki -depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C +depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED pk_import_sign_verify:"data_files/server3.key" PKCS#11 ECDSA import, sign with MbedTLS and verify with Cryptoki -depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C +depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED pk_import_verify_signed:"data_files/server3.key" PKCS#11 ECDSA verify a hardcoded signature with Cryptoki -depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED +depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_PK_C:MBEDTLS_ECDSA_C pk_ecdsa_hardcoded_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:"046FDD3028FA94A863CD4F78DBFF8B3AA561FC6D9CCBBCA88E0AE6FA437F5415F957542D0717FF8B84562DAE99872EF841":"546869732073686F756C64206265207468652068617368206F662061206D6573736167652E00":"30350218185B2A7FB5CD9C9A8488B119B68B47D6EC833509CE9FA1FF021900FB7D259A744A2348BD45D241A39DC915B81CC2084100FA24":0 diff --git a/tests/suites/test_suite_pkcs11_client.function b/tests/suites/test_suite_pkcs11_client.function index 87d1a617f..05dd12664 100644 --- a/tests/suites/test_suite_pkcs11_client.function +++ b/tests/suites/test_suite_pkcs11_client.function @@ -110,8 +110,7 @@ static CK_RV pkcs11_generate_key( mbedtls_pk_type_t key_type, {CKA_DECRYPT, &ck_true, sizeof( ck_true )}, {CKA_SIGN, &ck_true, sizeof( ck_true )}, }; - CK_ULONG ck_rsa_key_size = RSA_KEY_SIZE_BITS; - unsigned char ecParams[16]; + unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE]; size_t ecParams_length; switch( key_type ) @@ -190,7 +189,7 @@ void pk_generate_sign( int key_type ) /* Prepare the mbed TLS contexts */ TEST_ASSERT( mbedtls_pk_setup( &transparent_ctx, mbedtls_pk_info_from_type( key_type ) ) == 0 ); - TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx, + TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx, hSession, hPublicKey, hPrivateKey ) == 0 ); @@ -201,8 +200,8 @@ void pk_generate_sign( int key_type ) #if defined(MBEDTLS_ECDSA_C) case MBEDTLS_PK_ECDSA: { - unsigned char ecParams[16]; - unsigned char ecPoint[128]; + unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE]; + unsigned char ecPoint[MBEDTLS_ECP_MAX_PT_LEN]; CK_ATTRIBUTE public_attributes[] = { {CKA_EC_PARAMS, ecParams, sizeof( ecParams )}, {CKA_EC_POINT, ecPoint, sizeof( ecPoint )}, @@ -246,7 +245,7 @@ void pk_generate_sign( int key_type ) break; } - /* Sign with the token and verify in software */ + /* Sign with cryptoki and verify with mbed TLS */ TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256, hash_value, 32, sig_buffer, &sig_length, @@ -267,7 +266,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */ void pk_import_sign( char *file ) { mbedtls_pk_context pkcs11_ctx; @@ -276,7 +275,7 @@ void pk_import_sign( char *file ) CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE; CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE; unsigned char hash_value[32] = "Fake hash, it doesn't matter...."; - unsigned char sig_buffer[4096]; + unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE]; size_t sig_length = sizeof( sig_buffer ); mbedtls_pk_init( &pkcs11_ctx ); @@ -289,20 +288,20 @@ void pk_import_sign( char *file ) hSession = pkcs11_init( ); TEST_ASSERT( hSession != CK_INVALID_HANDLE ); - TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx, - MBEDTLS_PK_FLAG_SIGN | - MBEDTLS_PK_FLAG_VERIFY, + TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx, + MBEDTLS_PKCS11_FLAG_SIGN | + MBEDTLS_PKCS11_FLAG_VERIFY, hSession, &hPublicKey, &hPrivateKey ) == 0 ); TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE ); TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE ); - TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx, + TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx, hSession, hPublicKey, hPrivateKey ) == 0 ); - /* Sign with the token and verify in software */ + /* Sign with cryptoki and verify with mbedTLS */ TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) ); TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256, hash_value, 32, @@ -324,7 +323,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */ void pk_import_sign_verify( char *file ) { /* Sign with cryptoki, convert to mbedTLS format and save, @@ -336,7 +335,7 @@ void pk_import_sign_verify( char *file ) CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE; CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE; unsigned char hash_value[32] = "Fake hash, it doesn't matter...."; - unsigned char sig_buffer[4096]; + unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE]; size_t sig_length = sizeof( sig_buffer ); mbedtls_pk_init( &pkcs11_ctx ); @@ -349,20 +348,20 @@ void pk_import_sign_verify( char *file ) hSession = pkcs11_init( ); TEST_ASSERT( hSession != CK_INVALID_HANDLE ); - TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx, - MBEDTLS_PK_FLAG_SIGN | - MBEDTLS_PK_FLAG_VERIFY, + TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx, + MBEDTLS_PKCS11_FLAG_SIGN | + MBEDTLS_PKCS11_FLAG_VERIFY, hSession, &hPublicKey, &hPrivateKey ) == 0 ); TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE ); TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE ); - TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx, + TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx, hSession, hPublicKey, hPrivateKey ) == 0 ); - /* Sign with the token and verify with cryptoki */ + /* Sign with cryptoki and verify with cryptoki */ TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) ); TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256, hash_value, 32, @@ -384,7 +383,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */ void pk_import_verify_signed( char *file ) { /* Sign with mbedTLS, verify by cryptoki with a conversion @@ -395,7 +394,7 @@ void pk_import_verify_signed( char *file ) CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE; CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE; unsigned char hash_value[32] = "Fake hash, it doesn't matter...."; - unsigned char sig_buffer[4096]; + unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE]; size_t sig_length = sizeof( sig_buffer ); mbedtls_pk_init( &pkcs11_ctx ); @@ -408,19 +407,19 @@ void pk_import_verify_signed( char *file ) hSession = pkcs11_init( ); TEST_ASSERT( hSession != CK_INVALID_HANDLE ); - TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx, - MBEDTLS_PK_FLAG_SIGN | - MBEDTLS_PK_FLAG_VERIFY, + TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx, + MBEDTLS_PKCS11_FLAG_SIGN | + MBEDTLS_PKCS11_FLAG_VERIFY, hSession, &hPublicKey, NULL ) == 0 ); TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE ); - TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx, + TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx, hSession, hPublicKey, CK_INVALID_HANDLE ) == 0 ); - /* Sign with the token and verify with cryptoki */ + /* Sign with mbed TLS and verify with cryptoki */ TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) ); TEST_ASSERT( mbedtls_pk_sign( &transparent_ctx, MBEDTLS_MD_SHA256, hash_value, 32, @@ -442,7 +441,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C */ +/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PK_C */ void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str, char *hash_str, char * sig_str, int ret ) { @@ -477,14 +476,14 @@ void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str, /* Initialize cryptoki and import the key into the token */ hSession = pkcs11_init( ); TEST_ASSERT( hSession != CK_INVALID_HANDLE ); - TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx, - MBEDTLS_PK_FLAG_SIGN | - MBEDTLS_PK_FLAG_VERIFY, + TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx, + MBEDTLS_PKCS11_FLAG_SIGN | + MBEDTLS_PKCS11_FLAG_VERIFY, hSession, &hPublicKey, NULL ) == 0 ); TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE ); - TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx, + TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx, hSession, hPublicKey, CK_INVALID_HANDLE ) == 0 );