1 /*
2 * libwebsockets - small server side websockets and web server implementation
3 *
4 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to
8 * deal in the Software without restriction, including without limitation the
9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10 * sell copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22 * IN THE SOFTWARE.
23 *
24 * lws_genrsa provides an RSA abstraction api in lws that works the
25 * same whether you are using openssl or mbedtls crypto functions underneath.
26 */
27 #include "private-lib-core.h"
28 #include "private-lib-tls-mbedtls.h"
29 #include <mbedtls/rsa.h>
30
31 void
lws_genrsa_destroy_elements(struct lws_gencrypto_keyelem * el)32 lws_genrsa_destroy_elements(struct lws_gencrypto_keyelem *el)
33 {
34 int n;
35
36 for (n = 0; n < LWS_GENCRYPTO_RSA_KEYEL_COUNT; n++)
37 if (el[n].buf)
38 lws_free_set_NULL(el[n].buf);
39 }
40
41 static int mode_map[] = { MBEDTLS_RSA_PKCS_V15, MBEDTLS_RSA_PKCS_V21 };
42
43 int
lws_genrsa_create(struct lws_genrsa_ctx * ctx,struct lws_gencrypto_keyelem * el,struct lws_context * context,enum enum_genrsa_mode mode,enum lws_genhash_types oaep_hashid)44 lws_genrsa_create(struct lws_genrsa_ctx *ctx, struct lws_gencrypto_keyelem *el,
45 struct lws_context *context, enum enum_genrsa_mode mode,
46 enum lws_genhash_types oaep_hashid)
47 {
48 memset(ctx, 0, sizeof(*ctx));
49 ctx->ctx = lws_zalloc(sizeof(*ctx->ctx), "genrsa");
50 if (!ctx->ctx)
51 return 1;
52
53 ctx->context = context;
54 ctx->mode = mode;
55
56 if (mode >= LGRSAM_COUNT)
57 return -1;
58
59 mbedtls_rsa_init(ctx->ctx, mode_map[mode], 0);
60
61 ctx->ctx->padding = mode_map[mode];
62 ctx->ctx->hash_id = lws_gencrypto_mbedtls_hash_to_MD_TYPE(oaep_hashid);
63
64 {
65 int n;
66
67 mbedtls_mpi *mpi[LWS_GENCRYPTO_RSA_KEYEL_COUNT] = {
68 &ctx->ctx->E, &ctx->ctx->N, &ctx->ctx->D, &ctx->ctx->P,
69 &ctx->ctx->Q, &ctx->ctx->DP, &ctx->ctx->DQ,
70 &ctx->ctx->QP,
71 };
72
73 for (n = 0; n < LWS_GENCRYPTO_RSA_KEYEL_COUNT; n++)
74 if (el[n].buf &&
75 mbedtls_mpi_read_binary(mpi[n], el[n].buf,
76 el[n].len)) {
77 lwsl_notice("mpi load failed\n");
78 lws_free_set_NULL(ctx->ctx);
79
80 return -1;
81 }
82
83 /* mbedtls... compute missing P & Q */
84
85 if ( el[LWS_GENCRYPTO_RSA_KEYEL_D].len &&
86 !el[LWS_GENCRYPTO_RSA_KEYEL_P].len &&
87 !el[LWS_GENCRYPTO_RSA_KEYEL_Q].len) {
88 if (mbedtls_rsa_complete(ctx->ctx)) {
89 lwsl_notice("mbedtls_rsa_complete failed\n");
90 lws_free_set_NULL(ctx->ctx);
91
92 return -1;
93 }
94
95 }
96 }
97
98 ctx->ctx->len = el[LWS_GENCRYPTO_RSA_KEYEL_N].len;
99
100 return 0;
101 }
102
103 static int
_rngf(void * context,unsigned char * buf,size_t len)104 _rngf(void *context, unsigned char *buf, size_t len)
105 {
106 if ((size_t)lws_get_random(context, buf, len) == len)
107 return 0;
108
109 return -1;
110 }
111
112 int
lws_genrsa_new_keypair(struct lws_context * context,struct lws_genrsa_ctx * ctx,enum enum_genrsa_mode mode,struct lws_gencrypto_keyelem * el,int bits)113 lws_genrsa_new_keypair(struct lws_context *context, struct lws_genrsa_ctx *ctx,
114 enum enum_genrsa_mode mode, struct lws_gencrypto_keyelem *el,
115 int bits)
116 {
117 int n;
118
119 memset(ctx, 0, sizeof(*ctx));
120 ctx->ctx = lws_zalloc(sizeof(*ctx->ctx), "genrsa");
121 if (!ctx->ctx)
122 return -1;
123
124 ctx->context = context;
125 ctx->mode = mode;
126
127 if (mode >= LGRSAM_COUNT)
128 return -1;
129
130 mbedtls_rsa_init(ctx->ctx, mode_map[mode], 0);
131
132 n = mbedtls_rsa_gen_key(ctx->ctx, _rngf, context, bits, 65537);
133 if (n) {
134 lwsl_err("mbedtls_rsa_gen_key failed 0x%x\n", -n);
135 goto cleanup_1;
136 }
137
138 {
139 mbedtls_mpi *mpi[LWS_GENCRYPTO_RSA_KEYEL_COUNT] = {
140 &ctx->ctx->E, &ctx->ctx->N, &ctx->ctx->D, &ctx->ctx->P,
141 &ctx->ctx->Q, &ctx->ctx->DP, &ctx->ctx->DQ,
142 &ctx->ctx->QP,
143 };
144
145 for (n = 0; n < LWS_GENCRYPTO_RSA_KEYEL_COUNT; n++)
146 if (mbedtls_mpi_size(mpi[n])) {
147 el[n].buf = lws_malloc(
148 mbedtls_mpi_size(mpi[n]), "genrsakey");
149 if (!el[n].buf)
150 goto cleanup;
151 el[n].len = mbedtls_mpi_size(mpi[n]);
152 if (mbedtls_mpi_write_binary(mpi[n], el[n].buf,
153 el[n].len))
154 goto cleanup;
155 }
156 }
157
158 return 0;
159
160 cleanup:
161 for (n = 0; n < LWS_GENCRYPTO_RSA_KEYEL_COUNT; n++)
162 if (el[n].buf)
163 lws_free_set_NULL(el[n].buf);
164 cleanup_1:
165 lws_free(ctx->ctx);
166
167 return -1;
168 }
169
170 int
lws_genrsa_public_decrypt(struct lws_genrsa_ctx * ctx,const uint8_t * in,size_t in_len,uint8_t * out,size_t out_max)171 lws_genrsa_public_decrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
172 size_t in_len, uint8_t *out, size_t out_max)
173 {
174 size_t olen = 0;
175 int n;
176
177 ctx->ctx->len = in_len;
178
179 mbedtls_rsa_complete(ctx->ctx);
180
181 switch(ctx->mode) {
182 case LGRSAM_PKCS1_1_5:
183 n = mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx->ctx, _rngf,
184 ctx->context,
185 MBEDTLS_RSA_PUBLIC,
186 &olen, in, out,
187 out_max);
188 break;
189 case LGRSAM_PKCS1_OAEP_PSS:
190 n = mbedtls_rsa_rsaes_oaep_decrypt(ctx->ctx, _rngf,
191 ctx->context,
192 MBEDTLS_RSA_PUBLIC,
193 NULL, 0,
194 &olen, in, out, out_max);
195 break;
196 default:
197 return -1;
198 }
199 if (n) {
200 lwsl_notice("%s: -0x%x\n", __func__, -n);
201
202 return -1;
203 }
204
205 return olen;
206 }
207
208 int
lws_genrsa_private_decrypt(struct lws_genrsa_ctx * ctx,const uint8_t * in,size_t in_len,uint8_t * out,size_t out_max)209 lws_genrsa_private_decrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
210 size_t in_len, uint8_t *out, size_t out_max)
211 {
212 size_t olen = 0;
213 int n;
214
215 ctx->ctx->len = in_len;
216
217 mbedtls_rsa_complete(ctx->ctx);
218
219 switch(ctx->mode) {
220 case LGRSAM_PKCS1_1_5:
221 n = mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx->ctx, _rngf,
222 ctx->context,
223 MBEDTLS_RSA_PRIVATE,
224 &olen, in, out,
225 out_max);
226 break;
227 case LGRSAM_PKCS1_OAEP_PSS:
228 n = mbedtls_rsa_rsaes_oaep_decrypt(ctx->ctx, _rngf,
229 ctx->context,
230 MBEDTLS_RSA_PRIVATE,
231 NULL, 0,
232 &olen, in, out, out_max);
233 break;
234 default:
235 return -1;
236 }
237 if (n) {
238 lwsl_notice("%s: -0x%x\n", __func__, -n);
239
240 return -1;
241 }
242
243 return olen;
244 }
245
246 int
lws_genrsa_public_encrypt(struct lws_genrsa_ctx * ctx,const uint8_t * in,size_t in_len,uint8_t * out)247 lws_genrsa_public_encrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
248 size_t in_len, uint8_t *out)
249 {
250 int n;
251
252 mbedtls_rsa_complete(ctx->ctx);
253
254 switch(ctx->mode) {
255 case LGRSAM_PKCS1_1_5:
256 n = mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx->ctx, _rngf,
257 ctx->context,
258 MBEDTLS_RSA_PUBLIC,
259 in_len, in, out);
260 break;
261 case LGRSAM_PKCS1_OAEP_PSS:
262 n = mbedtls_rsa_rsaes_oaep_encrypt(ctx->ctx, _rngf,
263 ctx->context,
264 MBEDTLS_RSA_PUBLIC,
265 NULL, 0,
266 in_len, in, out);
267 break;
268 default:
269 return -1;
270 }
271 if (n < 0) {
272 lwsl_notice("%s: -0x%x: in_len: %d\n", __func__, -n,
273 (int)in_len);
274
275 return -1;
276 }
277
278 return mbedtls_mpi_size(&ctx->ctx->N);
279 }
280
281 int
lws_genrsa_private_encrypt(struct lws_genrsa_ctx * ctx,const uint8_t * in,size_t in_len,uint8_t * out)282 lws_genrsa_private_encrypt(struct lws_genrsa_ctx *ctx, const uint8_t *in,
283 size_t in_len, uint8_t *out)
284 {
285 int n;
286
287 mbedtls_rsa_complete(ctx->ctx);
288
289 switch(ctx->mode) {
290 case LGRSAM_PKCS1_1_5:
291 n = mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx->ctx, _rngf,
292 ctx->context,
293 MBEDTLS_RSA_PRIVATE,
294 in_len, in, out);
295 break;
296 case LGRSAM_PKCS1_OAEP_PSS:
297 n = mbedtls_rsa_rsaes_oaep_encrypt(ctx->ctx, _rngf,
298 ctx->context,
299 MBEDTLS_RSA_PRIVATE,
300 NULL, 0,
301 in_len, in, out);
302 break;
303 default:
304 return -1;
305 }
306 if (n) {
307 lwsl_notice("%s: -0x%x: in_len: %d\n", __func__, -n,
308 (int)in_len);
309
310 return -1;
311 }
312
313 return mbedtls_mpi_size(&ctx->ctx->N);
314 }
315
316 int
lws_genrsa_hash_sig_verify(struct lws_genrsa_ctx * ctx,const uint8_t * in,enum lws_genhash_types hash_type,const uint8_t * sig,size_t sig_len)317 lws_genrsa_hash_sig_verify(struct lws_genrsa_ctx *ctx, const uint8_t *in,
318 enum lws_genhash_types hash_type, const uint8_t *sig,
319 size_t sig_len)
320 {
321 int n, h = lws_gencrypto_mbedtls_hash_to_MD_TYPE(hash_type);
322
323 if (h < 0)
324 return -1;
325
326 mbedtls_rsa_complete(ctx->ctx);
327
328 switch(ctx->mode) {
329 case LGRSAM_PKCS1_1_5:
330 n = mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx->ctx, NULL, NULL,
331 MBEDTLS_RSA_PUBLIC,
332 h, 0, in, sig);
333 break;
334 case LGRSAM_PKCS1_OAEP_PSS:
335 n = mbedtls_rsa_rsassa_pss_verify(ctx->ctx, NULL, NULL,
336 MBEDTLS_RSA_PUBLIC,
337 h, 0, in, sig);
338 break;
339 default:
340 return -1;
341 }
342 if (n < 0) {
343 lwsl_notice("%s: -0x%x\n", __func__, -n);
344
345 return -1;
346 }
347
348 return n;
349 }
350
351 int
lws_genrsa_hash_sign(struct lws_genrsa_ctx * ctx,const uint8_t * in,enum lws_genhash_types hash_type,uint8_t * sig,size_t sig_len)352 lws_genrsa_hash_sign(struct lws_genrsa_ctx *ctx, const uint8_t *in,
353 enum lws_genhash_types hash_type, uint8_t *sig,
354 size_t sig_len)
355 {
356 int n, h = lws_gencrypto_mbedtls_hash_to_MD_TYPE(hash_type);
357
358 if (h < 0)
359 return -1;
360
361 mbedtls_rsa_complete(ctx->ctx);
362
363 /*
364 * The "sig" buffer must be as large as the size of ctx->N
365 * (eg. 128 bytes if RSA-1024 is used).
366 */
367 if (sig_len < ctx->ctx->len)
368 return -1;
369
370 switch(ctx->mode) {
371 case LGRSAM_PKCS1_1_5:
372 n = mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx->ctx, NULL, NULL,
373 MBEDTLS_RSA_PRIVATE,
374 h, 0, in, sig);
375 break;
376 case LGRSAM_PKCS1_OAEP_PSS:
377 n = mbedtls_rsa_rsassa_pss_sign(ctx->ctx, NULL, NULL,
378 MBEDTLS_RSA_PRIVATE,
379 h, 0, in, sig);
380 break;
381 default:
382 return -1;
383 }
384
385 if (n < 0) {
386 lwsl_notice("%s: -0x%x\n", __func__, -n);
387
388 return -1;
389 }
390
391 return ctx->ctx->len;
392 }
393
394 int
lws_genrsa_render_pkey_asn1(struct lws_genrsa_ctx * ctx,int _private,uint8_t * pkey_asn1,size_t pkey_asn1_len)395 lws_genrsa_render_pkey_asn1(struct lws_genrsa_ctx *ctx, int _private,
396 uint8_t *pkey_asn1, size_t pkey_asn1_len)
397 {
398 uint8_t *p = pkey_asn1, *totlen, *end = pkey_asn1 + pkey_asn1_len - 1;
399 mbedtls_mpi *mpi[LWS_GENCRYPTO_RSA_KEYEL_COUNT] = {
400 &ctx->ctx->N, &ctx->ctx->E, &ctx->ctx->D, &ctx->ctx->P,
401 &ctx->ctx->Q, &ctx->ctx->DP, &ctx->ctx->DQ,
402 &ctx->ctx->QP,
403 };
404 int n;
405
406 /* 30 82 - sequence
407 * 09 29 <-- length(0x0929) less 4 bytes
408 * 02 01 <- length (1)
409 * 00
410 * 02 82
411 * 02 01 <- length (513) N
412 * ...
413 *
414 * 02 03 <- length (3) E
415 * 01 00 01
416 *
417 * 02 82
418 * 02 00 <- length (512) D P Q EXP1 EXP2 COEFF
419 *
420 * */
421
422 *p++ = 0x30;
423 *p++ = 0x82;
424 totlen = p;
425 p += 2;
426
427 *p++ = 0x02;
428 *p++ = 0x01;
429 *p++ = 0x00;
430
431 for (n = 0; n < LWS_GENCRYPTO_RSA_KEYEL_COUNT; n++) {
432 int m = mbedtls_mpi_size(mpi[n]);
433 uint8_t *elen;
434
435 *p++ = 0x02;
436 elen = p;
437 if (m < 0x7f)
438 *p++ = m;
439 else {
440 *p++ = 0x82;
441 *p++ = m >> 8;
442 *p++ = m & 0xff;
443 }
444
445 if (p + m > end)
446 return -1;
447
448 if (mbedtls_mpi_write_binary(mpi[n], p, m))
449 return -1;
450 if (p[0] & 0x80) {
451 p[0] = 0x00;
452 if (mbedtls_mpi_write_binary(mpi[n], &p[1], m))
453 return -1;
454 m++;
455 }
456 if (m < 0x7f)
457 *elen = m;
458 else {
459 *elen++ = 0x82;
460 *elen++ = m >> 8;
461 *elen = m & 0xff;
462 }
463 p += m;
464 }
465
466 n = lws_ptr_diff(p, pkey_asn1);
467
468 *totlen++ = (n - 4) >> 8;
469 *totlen = (n - 4) & 0xff;
470
471 return n;
472 }
473
474 void
lws_genrsa_destroy(struct lws_genrsa_ctx * ctx)475 lws_genrsa_destroy(struct lws_genrsa_ctx *ctx)
476 {
477 if (!ctx->ctx)
478 return;
479 mbedtls_rsa_free(ctx->ctx);
480 lws_free(ctx->ctx);
481 ctx->ctx = NULL;
482 }
483