1 /* srp-crypto.h 2 * 3 * Copyright (c) 2018-2021 Apple Computer, Inc. All rights reserved. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * https://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 * DNS SIG(0) signature generation for DNSSD SRP using mbedtls. 18 * 19 * Functions required for loading, saving, and generating public/private keypairs, extracting the public key 20 * into KEY RR data, and computing signatures. 21 */ 22 23 #ifndef __SRP_CRYPTO_H 24 #define __SRP_CRYPTO_H 25 26 #include "srp.h" 27 28 // Anonymous key structure, depends on the target. 29 typedef struct srp_key srp_key_t; 30 typedef struct hmac_key hmac_key_t; 31 struct hmac_key { 32 int algorithm; 33 dns_name_t *NONNULL name; 34 uint8_t *NONNULL secret; 35 int length; 36 }; 37 38 #define ECDSA_KEY_SIZE 64 39 #define ECDSA_KEY_PART_SIZE 32 40 #define ECDSA_SHA256_HASH_SIZE 32 41 #define ECDSA_SHA256_SIG_SIZE 64 42 #define ECDSA_SHA256_SIG_PART_SIZE 32 43 44 #define SIG_HEADERLEN 11 45 #define SIG_STATIC_RDLEN 18 46 47 #define dnssec_keytype_ecdsa 13 48 49 #define SRP_SHA256_DIGEST_SIZE 32 50 #define SRP_SHA256_BLOCK_SIZE 64 51 #define SRP_HMAC_TYPE_SHA256 1 52 53 #ifdef SRP_CRYPTO_MACOS_INTERNAL 54 #include <CoreFoundation/CoreFoundation.h> 55 #include <Security/Security.h> 56 // #include <Security/SecTransform.h> 57 #include <CoreServices/CoreServices.h> 58 59 struct srp_key { 60 SecKeyRef NONNULL public; 61 SecKeyRef NONNULL private; 62 }; 63 64 // An ECDSASHA256 signature in ASN.1 DER format is 0x30 | x | 0x02 | y | r | 0x02 | z | s, where x is the 65 // length of the whole sequence (minus the first byte), y is the encoded length of r, and z is 66 // the encoded length of s. 67 // type offset in output buffer sub-template size of output buffer 68 // ---- ----------------------- ------------ --------------------- 69 #define ECDSA_SIG_TEMPLATE(name) \ 70 static const SecAsn1Template sig_template[] = { \ 71 { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(raw_signature_data_t) }, \ 72 { SEC_ASN1_INTEGER, offsetof(raw_signature_data_t, r), NULL, 0 }, \ 73 { SEC_ASN1_INTEGER, offsetof(raw_signature_data_t, s), NULL, 0 }, \ 74 { 0, 0, NULL, 0 } \ 75 }; 76 77 #if !TARGET_OS_IPHONE && !TARGET_OS_TV && !TARGET_OS_WATCH 78 #endif // MACOS only 79 #endif // SRP_CRYPTO_MACOS_INTERNAL 80 81 #ifdef SRP_CRYPTO_MBEDTLS 82 #include <mbedtls/error.h> 83 #include <mbedtls/pk.h> 84 #include <mbedtls/md.h> 85 #include <mbedtls/ecp.h> 86 #include <mbedtls/ecdsa.h> 87 #include <mbedtls/entropy.h> 88 #include <mbedtls/ctr_drbg.h> 89 #include <mbedtls/sha256.h> 90 #include <mbedtls/base64.h> 91 92 // Works just fine with mbedtls. 93 #define KEYCOPY_WORKS 1 94 95 // The SRP key includes both the ecdsa key and the pseudo-random number generator context, so that we can 96 // use the PRNG for signing as well as generating keys. The PRNG is seeded with a high-entropy data source. 97 // This structure assumes that we are just using this one key; if we want to support multiple keys then 98 // the entropy source and PRNG should be shared by all keys (of course, that's not thread-safe, so...) 99 struct srp_key { 100 mbedtls_pk_context key; 101 }; 102 103 // Uncomment the following line to print the data being feed into the hash operation for debugging purpose. 104 // #define DEBUG_SHA256 105 #ifdef DEBUG_SHA256 106 int srp_mbedtls_sha256_update_ret(const char *NONNULL thing_name, 107 mbedtls_sha256_context *NONNULL sha, uint8_t *NONNULL message, size_t msglen); 108 int srp_mbedtls_sha256_finish_ret(mbedtls_sha256_context *NONNULL sha, uint8_t *NONNULL hash); 109 #else 110 #define srp_mbedtls_sha256_update_ret(name, ...) mbedtls_sha256_update_ret(__VA_ARGS__) 111 #define srp_mbedtls_sha256_finish_ret mbedtls_sha256_finish_ret 112 #endif // DEBUG_SHA256 113 #ifdef THREAD_DEVKIT_ADK 114 #define mbedtls_strerror(code, buf, bufsize) snprintf(buf, bufsize, "%d", (int)(code)) 115 #endif 116 117 // The following entry points must be provided by the host for hosts that use mbedtls signing. 118 119 // The SRP host is expected to load the SRP-specific host key out of stable storage. 120 // If no key has previously been stored, this function must return kDNSServiceErr_NoSuchKey. 121 // If the key doesn't fit in the buffer, this function must return kDNSServiceErr_NoMemory. 122 // Otherwise, the function is expected to copy the key into the buffer and store the key length 123 // through the length pointer, and return kDNSServiceErr_NoError. 124 int srp_load_key_data(void *NULLABLE host_context, const char *NONNULL key_name, 125 uint8_t *NONNULL buffer, uint16_t *NONNULL length, uint16_t buffer_size); 126 127 // The SRP host is expected to store the SRP-specific host key in stable storage. 128 // If the key store fails, the server returns a relevant kDNSServiceErr_* error, 129 // such as kDNSServiceErr_NoMemory. Otherwise, the function returns kDNSServiceErr_NoError. 130 // It is generally expected that storing the key will not fail--if it does fail, SRP can't 131 // function. 132 int srp_store_key_data(void *NULLABLE host_context, const char *NONNULL key_name, uint8_t *NONNULL buffer, 133 uint16_t length); 134 135 int srp_remove_key_file(void *NULLABLE host_context, const char *NONNULL key_name); 136 #endif // SRP_CRYPTO_MBEDTLS 137 138 // sign_*.c: 139 void srp_keypair_free(srp_key_t *NONNULL key); 140 uint64_t srp_random64(void); 141 uint32_t srp_random32(void); 142 uint16_t srp_random16(void); 143 bool srp_randombytes(uint8_t *NONNULL dest, size_t num); 144 uint8_t srp_key_algorithm(srp_key_t *NONNULL key); 145 size_t srp_pubkey_length(srp_key_t *NONNULL key); 146 size_t srp_signature_length(srp_key_t *NONNULL key); 147 size_t srp_pubkey_copy(uint8_t *NONNULL buf, size_t max, srp_key_t *NONNULL key); 148 int srp_sign(uint8_t *NONNULL output, size_t max, uint8_t *NONNULL message, size_t msglen, 149 uint8_t *NONNULL rdata, size_t rdlen, srp_key_t *NONNULL key); 150 151 // verify_*.c: 152 bool srp_sig0_verify(dns_wire_t *NONNULL message, dns_rr_t *NONNULL key, dns_rr_t *NONNULL signature); 153 void srp_print_key(srp_key_t *NONNULL key); 154 155 // hash_*.c: 156 void srp_hmac_iov(hmac_key_t *NONNULL key, uint8_t *NONNULL output, size_t max, struct iovec *NONNULL iov, int count); 157 int srp_base64_parse(char *NONNULL src, size_t *NONNULL len_ret, uint8_t *NONNULL buf, size_t buflen); 158 #endif // __SRP_CRYPTO_H 159 160 // Local Variables: 161 // mode: C 162 // tab-width: 4 163 // c-file-style: "bsd" 164 // c-basic-offset: 4 165 // fill-column: 108 166 // indent-tabs-mode: nil 167 // End: 168