From f2f040bd6fa704704190f1e0f423d2c85e06aa43 Mon Sep 17 00:00:00 2001 From: Lukasz Pawelczyk Date: Tue, 17 May 2016 18:48:31 +0200 Subject: [PATCH 01/16] yaca_key import/export API change - passwords Change-Id: Ifcc7c3eca1323cb4418190867bedf1a197b08f73 --- api/yaca/error.h | 3 ++- api/yaca/key.h | 17 ++++++++++++++++- examples/encrypt_aes_gcm.c | 2 +- examples/key_exchange.c | 4 ++-- examples/key_import_export.c | 40 ++++++++++++++++++++-------------------- examples/test.c | 2 +- src/key.c | 2 ++ 7 files changed, 44 insertions(+), 26 deletions(-) diff --git a/api/yaca/error.h b/api/yaca/error.h index 55656bd..acdc2cb 100644 --- a/api/yaca/error.h +++ b/api/yaca/error.h @@ -43,7 +43,8 @@ enum __yaca_error_code { YACA_ERROR_INTERNAL = -3, YACA_ERROR_TOO_BIG_ARGUMENT = -4, YACA_ERROR_OUT_OF_MEMORY = -5, - YACA_ERROR_SIGNATURE_INVALID = -6 + YACA_ERROR_SIGNATURE_INVALID = -6, + YACA_ERROR_PASSWORD_INVALID = -7, }; // TODO disable debug function in release? diff --git a/api/yaca/key.h b/api/yaca/key.h index ce69f21..d6a34d2 100644 --- a/api/yaca/key.h +++ b/api/yaca/key.h @@ -67,16 +67,23 @@ int yaca_key_get_bits(const yaca_key_h key); * format. Additionally it is possible to import public RSA key from * X509 certificate. * + * If the key is encrypted the algorithm will be autodetected and password + * used. If it's not known if the key is encrypted one should pass NULL as + * password and check for the YACA_ERROR_PASSWORD_INVALID return code. + * * @param[out] key Returned key (must be freed with yaca_key_free()). * @param[in] key_type Type of the key. + * @param[in] password null terminated password for the key (can be NULL). * @param[in] data Blob containing the key. * @param[in] data_len Size of the blob. * - * @return 0 on success, negative on error. + * @return 0 on success, YACA_ERROR_PASSWORD_INVALID if wrong password given, + * negative on error. * @see #yaca_key_type_e, yaca_key_export(), yaca_key_free() */ int yaca_key_import(yaca_key_h *key, yaca_key_type_e key_type, + const char *password, const char *data, size_t data_len); @@ -96,9 +103,16 @@ int yaca_key_import(yaca_key_h *key, * - #YACA_KEY_FILE_FORMAT_PEM: used only for asymmetric, PEM file format * - #YACA_KEY_FILE_FORMAT_DER: used only for asymmetric, DER file format * + * If no password is provided the exported key will be unencrypted. Only private + * RSA/DSA exported as PEM can be encrypted. + * + * TODO: document the default encryption algorithm (AES256 for FORMAT_DEFAULT, + * unknown yet for the FORMAT_PKCS8) + * * @param[in] key Key to be exported. * @param[in] key_fmt Format of the key. * @param[in] key_file_fmt Format of the key file. + * @param[in] password Password used for the encryption (can be NULL). * @param[out] data Data, allocated by the library, containing exported key * (must be freed with yaca_free()). * @param[out] data_len Size of the output data. @@ -109,6 +123,7 @@ int yaca_key_import(yaca_key_h *key, int yaca_key_export(const yaca_key_h key, yaca_key_fmt_e key_fmt, yaca_key_file_fmt_e key_file_fmt, + const char *password, char **data, size_t *data_len); diff --git a/examples/encrypt_aes_gcm.c b/examples/encrypt_aes_gcm.c index 9fc1234..86da336 100644 --- a/examples/encrypt_aes_gcm.c +++ b/examples/encrypt_aes_gcm.c @@ -71,7 +71,7 @@ void encrypt_decrypt_aes_gcm(void) goto clean; // generate and export aad? - ret = yaca_key_export(aad_key, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_RAW, &aad, &aad_len); + ret = yaca_key_export(aad_key, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_RAW, NULL, &aad, &aad_len); if (ret < 0) goto clean; diff --git a/examples/key_exchange.c b/examples/key_exchange.c index b3e4f05..9464732 100644 --- a/examples/key_exchange.c +++ b/examples/key_exchange.c @@ -69,7 +69,7 @@ void key_exchange_dh(void) if (1 != fread(buffer, size, 1, fp)) goto clean; - ret = yaca_key_import(&peer_key, YACA_KEY_TYPE_DH_PUB, + ret = yaca_key_import(&peer_key, YACA_KEY_TYPE_DH_PUB, NULL, buffer, size); if (ret < 0) goto clean; @@ -129,7 +129,7 @@ void key_exchange_ecdh(void) if (1 != fread(buffer, size, 1, fp)) goto clean; - ret = yaca_key_import(&peer_key, YACA_KEY_TYPE_ECDH_PUB, buffer, size); + ret = yaca_key_import(&peer_key, YACA_KEY_TYPE_ECDH_PUB, NULL, buffer, size); if (ret < 0) goto clean; diff --git a/examples/key_import_export.c b/examples/key_import_export.c index 1c4db07..9d005c2 100644 --- a/examples/key_import_export.c +++ b/examples/key_import_export.c @@ -46,10 +46,10 @@ int key_import_export_sym(yaca_key_h sym) /* BASE64 */ - ret = yaca_key_export(sym, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_BASE64, &b64, &b64_len); + ret = yaca_key_export(sym, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_BASE64, NULL, &b64, &b64_len); if (ret != 0) return ret; - ret = yaca_key_import(&b64_imported, YACA_KEY_TYPE_SYMMETRIC, b64, b64_len); + ret = yaca_key_import(&b64_imported, YACA_KEY_TYPE_SYMMETRIC, NULL, b64, b64_len); if (ret != 0) goto free; @@ -57,7 +57,7 @@ int key_import_export_sym(yaca_key_h sym) yaca_free(b64); b64 = NULL; - ret = yaca_key_export(b64_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_BASE64, &b64, &b64_len); + ret = yaca_key_export(b64_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_BASE64, NULL, &b64, &b64_len); if (ret != 0) goto free; @@ -66,10 +66,10 @@ int key_import_export_sym(yaca_key_h sym) /* RAW */ - ret = yaca_key_export(sym, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_RAW, &raw, &raw_len); + ret = yaca_key_export(sym, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_RAW, NULL, &raw, &raw_len); if (ret != 0) goto free; - ret = yaca_key_import(&raw_imported, YACA_KEY_TYPE_SYMMETRIC, raw, raw_len); + ret = yaca_key_import(&raw_imported, YACA_KEY_TYPE_SYMMETRIC, NULL, raw, raw_len); if (ret != 0) goto free; @@ -77,7 +77,7 @@ int key_import_export_sym(yaca_key_h sym) yaca_free(raw); raw = NULL; - ret = yaca_key_export(raw_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_RAW, &raw, &raw_len); + ret = yaca_key_export(raw_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_RAW, NULL, &raw, &raw_len); if (ret != 0) goto free; @@ -118,10 +118,10 @@ int key_import_export_asym(yaca_key_h priv, yaca_key_h pub, /* PEM private */ - ret = yaca_key_export(priv, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_PEM, &pem_prv, &pem_prv_len); + ret = yaca_key_export(priv, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_PEM, NULL, &pem_prv, &pem_prv_len); if (ret != 0) return ret; - ret = yaca_key_import(&pem_prv_imported, priv_type, pem_prv, pem_prv_len); + ret = yaca_key_import(&pem_prv_imported, priv_type, NULL, pem_prv, pem_prv_len); if (ret != 0) goto free; @@ -129,7 +129,7 @@ int key_import_export_asym(yaca_key_h priv, yaca_key_h pub, yaca_free(pem_prv); pem_prv = NULL; - ret = yaca_key_export(pem_prv_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_PEM, &pem_prv, &pem_prv_len); + ret = yaca_key_export(pem_prv_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_PEM, NULL, &pem_prv, &pem_prv_len); if (ret != 0) goto free; @@ -138,10 +138,10 @@ int key_import_export_asym(yaca_key_h priv, yaca_key_h pub, /* DER private */ - ret = yaca_key_export(priv, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_DER, &der_prv, &der_prv_len); + ret = yaca_key_export(priv, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_DER, NULL, &der_prv, &der_prv_len); if (ret != 0) goto free; - ret = yaca_key_import(&der_prv_imported, priv_type, der_prv, der_prv_len); + ret = yaca_key_import(&der_prv_imported, priv_type, NULL, der_prv, der_prv_len); if (ret != 0) goto free; @@ -149,7 +149,7 @@ int key_import_export_asym(yaca_key_h priv, yaca_key_h pub, yaca_free(der_prv); der_prv = NULL; - ret = yaca_key_export(der_prv_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_DER, &der_prv, &der_prv_len); + ret = yaca_key_export(der_prv_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_DER, NULL, &der_prv, &der_prv_len); if (ret != 0) goto free; @@ -158,10 +158,10 @@ int key_import_export_asym(yaca_key_h priv, yaca_key_h pub, /* PEM public */ - ret = yaca_key_export(pub, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_PEM, &pem_pub, &pem_pub_len); + ret = yaca_key_export(pub, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_PEM, NULL, &pem_pub, &pem_pub_len); if (ret != 0) goto free; - ret = yaca_key_import(&pem_pub_imported, pub_type, pem_pub, pem_pub_len); + ret = yaca_key_import(&pem_pub_imported, pub_type, NULL, pem_pub, pem_pub_len); if (ret != 0) goto free; @@ -169,7 +169,7 @@ int key_import_export_asym(yaca_key_h priv, yaca_key_h pub, yaca_free(pem_pub); pem_pub = NULL; - ret = yaca_key_export(pem_pub_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_PEM, &pem_pub, &pem_pub_len); + ret = yaca_key_export(pem_pub_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_PEM, NULL, &pem_pub, &pem_pub_len); if (ret != 0) goto free; @@ -178,10 +178,10 @@ int key_import_export_asym(yaca_key_h priv, yaca_key_h pub, /* DER public */ - ret = yaca_key_export(pub, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_DER, &der_pub, &der_pub_len); + ret = yaca_key_export(pub, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_DER, NULL, &der_pub, &der_pub_len); if (ret != 0) goto free; - ret = yaca_key_import(&der_pub_imported, pub_type, der_pub, der_pub_len); + ret = yaca_key_import(&der_pub_imported, pub_type, NULL, der_pub, der_pub_len); if (ret != 0) goto free; @@ -189,7 +189,7 @@ int key_import_export_asym(yaca_key_h priv, yaca_key_h pub, yaca_free(der_pub); der_pub = NULL; - ret = yaca_key_export(der_pub_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_DER, &der_pub, &der_pub_len); + ret = yaca_key_export(der_pub_imported, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_DER, NULL, &der_pub, &der_pub_len); if (ret != 0) goto free; @@ -225,14 +225,14 @@ int key_import_x509(void) return ret; } - ret = yaca_key_import(&rsa_pub_from_cert, YACA_KEY_TYPE_RSA_PUB, pub, pub_len); + ret = yaca_key_import(&rsa_pub_from_cert, YACA_KEY_TYPE_RSA_PUB, NULL, pub, pub_len); if (ret != 0) goto free; yaca_free(pub); pub = NULL; - ret = yaca_key_export(rsa_pub_from_cert, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_PEM, &pub, &pub_len); + ret = yaca_key_export(rsa_pub_from_cert, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_PEM, NULL, &pub, &pub_len); if (ret != 0) goto free; diff --git a/examples/test.c b/examples/test.c index 6f1bdf4..4e6f7f0 100644 --- a/examples/test.c +++ b/examples/test.c @@ -45,7 +45,7 @@ int main(int argc, char* argv[]) printf("done (%d)\n", ret); printf("Exporting key using CryptoAPI.. "); - ret = yaca_key_export(key, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_RAW, &k, &kl); + ret = yaca_key_export(key, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_RAW, NULL, &k, &kl); if (ret < 0) return ret; printf("done (%d)\n", ret); diff --git a/src/key.c b/src/key.c index bb6bc32..c906d5a 100644 --- a/src/key.c +++ b/src/key.c @@ -850,6 +850,7 @@ API int yaca_key_get_bits(const yaca_key_h key) API int yaca_key_import(yaca_key_h *key, yaca_key_type_e key_type, + const char *password, const char *data, size_t data_len) { @@ -881,6 +882,7 @@ API int yaca_key_import(yaca_key_h *key, API int yaca_key_export(const yaca_key_h key, yaca_key_fmt_e key_fmt, yaca_key_file_fmt_e key_file_fmt, + const char *password, char **data, size_t *data_len) { -- 2.7.4 From d528b491ced211becaf512a59ad2fdc7d7cf80d7 Mon Sep 17 00:00:00 2001 From: Lukasz Pawelczyk Date: Wed, 18 May 2016 15:41:11 +0200 Subject: [PATCH 02/16] API changes around key getters. yaca_key_get_bits() - return bits by size_t typed output param yaca_key_get_type() - new getter to get the type of the key Change-Id: I255f3bf3056a50602c1c2bd0a25c177ecf88ee07 --- api/yaca/key.h | 17 ++++++++++++++--- src/encrypt.c | 17 +++++++++++------ src/key.c | 25 +++++++++++++++++++++---- src/seal.c | 10 ++++++++-- 4 files changed, 54 insertions(+), 15 deletions(-) diff --git a/api/yaca/key.h b/api/yaca/key.h index d6a34d2..c58bc60 100644 --- a/api/yaca/key.h +++ b/api/yaca/key.h @@ -44,13 +44,24 @@ extern "C" { // TODO: We need a way to import keys encrypted with hw (or other) keys. New function like yaca_key_load or sth?? /** + * @brief Get key's type. + * + * @param[in] key Key which type we return. + * @param[out] key_type Key type. + * + * @return 0 on success, negative on error. + */ +int yaca_key_get_type(const yaca_key_h key, yaca_key_type_e *key_type); + +/** * @brief Get key's length (in bits). * - * @param[in] key Key which length we return. + * @param[in] key Key which length we return. + * @param[out] key_bits Key length in bits. * - * @return negative on error or key length (in bits). + * @return 0 on success, negative on error. */ -int yaca_key_get_bits(const yaca_key_h key); +int yaca_key_get_bits(const yaca_key_h key, size_t *key_bits); /** * @brief Imports a key. diff --git a/src/encrypt.c b/src/encrypt.c index c41b77a..a4516c3 100644 --- a/src/encrypt.c +++ b/src/encrypt.c @@ -216,9 +216,10 @@ static int encrypt_init(yaca_ctx_h *ctx, const struct yaca_key_simple_s *liv; struct yaca_encrypt_ctx_s *nc; const EVP_CIPHER *cipher; - int key_bits; + size_t key_bits; unsigned char *iv_data = NULL; - int iv_bits; + size_t iv_bits; + size_t iv_bits_check; int ret; if (ctx == NULL || sym_key == YACA_KEY_NULL) @@ -237,10 +238,9 @@ static int encrypt_init(yaca_ctx_h *ctx, nc->ctx.get_output_length = get_encrypt_output_length; nc->op_type = op_type; - ret = yaca_key_get_bits(sym_key); - if (ret < 0) + ret = yaca_key_get_bits(sym_key, &key_bits); + if (ret != 0) goto err_free; - key_bits = ret; ret = encrypt_get_algorithm(algo, bcm, key_bits, &cipher); if (ret != 0) @@ -265,7 +265,12 @@ static int encrypt_init(yaca_ctx_h *ctx, ret = YACA_ERROR_INVALID_ARGUMENT; goto err_free; } - if (iv_bits != yaca_key_get_bits(iv)) { /* IV length doesn't match cipher */ + ret = yaca_key_get_bits(iv, &iv_bits_check); + if (ret != 0) { + ret = YACA_ERROR_INVALID_ARGUMENT; + goto err_free; + } + if (iv_bits != iv_bits_check) { /* IV length doesn't match cipher */ ret = YACA_ERROR_INVALID_ARGUMENT; goto err_free; } diff --git a/src/key.c b/src/key.c index c906d5a..2730c09 100644 --- a/src/key.c +++ b/src/key.c @@ -823,13 +823,29 @@ struct yaca_key_evp_s *key_get_evp(const yaca_key_h key) } } -API int yaca_key_get_bits(const yaca_key_h key) +API int yaca_key_get_type(const yaca_key_h key, yaca_key_type_e *key_type) +{ + const struct yaca_key_s *lkey = (const struct yaca_key_s *)key; + + if (lkey == NULL || key_type == NULL) + return YACA_ERROR_INVALID_ARGUMENT; + + *key_type = lkey->type; + return 0; +} + +API int yaca_key_get_bits(const yaca_key_h key, size_t *key_bits) { const struct yaca_key_simple_s *simple_key = key_get_simple(key); const struct yaca_key_evp_s *evp_key = key_get_evp(key); - if (simple_key != NULL) - return simple_key->bits; + if (key_bits == NULL) + return YACA_ERROR_INVALID_ARGUMENT; + + if (simple_key != NULL) { + *key_bits = simple_key->bits; + return 0; + } if (evp_key != NULL) { int ret; @@ -842,7 +858,8 @@ API int yaca_key_get_bits(const yaca_key_h key) return ret; } - return ret; + *key_bits = ret; + return 0; } return YACA_ERROR_INVALID_ARGUMENT; diff --git a/src/seal.c b/src/seal.c index 47fe00f..bbaa2ca 100644 --- a/src/seal.c +++ b/src/seal.c @@ -222,7 +222,8 @@ static int open_init(yaca_ctx_h *ctx, const struct yaca_key_simple_s *liv; struct yaca_seal_ctx_s *nc; const EVP_CIPHER *cipher; - int iv_bits; + size_t iv_bits; + size_t iv_bits_check; int ret; if (ctx == NULL || prv_key == YACA_KEY_NULL || sym_key == YACA_KEY_NULL) @@ -271,7 +272,12 @@ static int open_init(yaca_ctx_h *ctx, } // TODO: handling of algorithms with variable IV length - if (iv_bits != yaca_key_get_bits(iv)) { /* IV length doesn't match cipher */ + ret = yaca_key_get_bits(iv, &iv_bits_check); + if (ret != 0) { + ret = YACA_ERROR_INVALID_ARGUMENT; + goto err_free; + } + if (iv_bits != iv_bits_check) { /* IV length doesn't match cipher */ ret = YACA_ERROR_INVALID_ARGUMENT; goto err_free; } -- 2.7.4 From 89ae7be7c0fb58432c1ff5f7b0c4c6251ca0cd3d Mon Sep 17 00:00:00 2001 From: Lukasz Pawelczyk Date: Wed, 18 May 2016 17:13:07 +0200 Subject: [PATCH 03/16] API update: add YACA_ERROR_NONE enum value Change-Id: I88b5786a375a7c5c0bda47266ea332a09fb73ae5 --- api/yaca/error.h | 1 + 1 file changed, 1 insertion(+) diff --git a/api/yaca/error.h b/api/yaca/error.h index acdc2cb..64de6f7 100644 --- a/api/yaca/error.h +++ b/api/yaca/error.h @@ -38,6 +38,7 @@ extern "C" { * @brief Error enums */ enum __yaca_error_code { + YACA_ERROR_NONE = 0, YACA_ERROR_INVALID_ARGUMENT = -1, YACA_ERROR_NOT_IMPLEMENTED = -2, YACA_ERROR_INTERNAL = -3, -- 2.7.4 From d3a8562d6c516dd966f543a413659dd64e1a194a Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Mon, 9 May 2016 16:25:03 +0200 Subject: [PATCH 04/16] Rework symmetric encrypt/decrypt example. Change-Id: If8427b9a1374169f28541bc2435ffb0ce4e20cd4 --- examples/encrypt.c | 197 ++++++++++++++++++++++++++--------------------------- 1 file changed, 97 insertions(+), 100 deletions(-) diff --git a/examples/encrypt.c b/examples/encrypt.c index 3e95c86..fe686ce 100644 --- a/examples/encrypt.c +++ b/examples/encrypt.c @@ -24,187 +24,148 @@ #include #include -#include #include +#include #include #include #include "lorem.h" #include "misc.h" -// Symmetric encryption using simple API -void encrypt_simple(void) +void encrypt_simple(const yaca_enc_algo_e algo, + const yaca_block_cipher_mode_e bcm, + const size_t key_bits) { - const yaca_enc_algo_e algo = YACA_ENC_AES; - const yaca_block_cipher_mode_e bcm = YACA_BCM_CBC; - const size_t key_bits = YACA_KEY_256BIT; - int ret; yaca_key_h key = YACA_KEY_NULL; yaca_key_h iv = YACA_KEY_NULL; - char *enc_data = NULL; - char *dec_data = NULL; - size_t enc_len; - size_t dec_len; + + char *enc = NULL; + char *dec = NULL; + size_t enc_size; + size_t dec_size; size_t iv_bits; - printf("Simple Encrypt\nPlain data (16 of %zu bytes): %.16s\n", - LOREM1024_SIZE, lorem1024); + printf("Plain data (16 of %zu bytes): %.16s\n", LOREM4096_SIZE, lorem4096); - ret = yaca_key_derive_pbkdf2("foo bar", "123456789", 10, 1000, - YACA_DIGEST_SHA256, key_bits, &key); - if (ret) + /* Key generation */ + if (yaca_key_derive_pbkdf2("foo bar", "123456789", 10, 1000, + YACA_DIGEST_SHA256, key_bits, &key) != 0) return; if (yaca_get_iv_bits(algo, bcm, key_bits, &iv_bits) != 0) - return; + goto exit; - if (iv_bits > 0) { - ret = yaca_key_gen(&iv, YACA_KEY_TYPE_IV, iv_bits); - if (ret) - goto exit; - } + if (iv_bits > 0 && yaca_key_gen(&iv, YACA_KEY_TYPE_IV, iv_bits) != 0) + goto exit; - ret = yaca_encrypt(algo, bcm, key, iv, lorem1024, LOREM1024_SIZE, - &enc_data, &enc_len); - if (ret) + if (yaca_encrypt(algo, bcm, key, iv, lorem4096, LOREM4096_SIZE, &enc, &enc_size) != 0) goto exit; - dump_hex(enc_data, 16, "Encrypted data (16 of %zu bytes): ", enc_len); + dump_hex(enc, 16, "Encrypted data (16 of %zu bytes): ", enc_size); - ret = yaca_decrypt(algo, bcm, key, iv, enc_data, enc_len, &dec_data, - &dec_len); - if (ret < 0) + if (yaca_decrypt(algo, bcm, key, iv, enc, enc_size, &dec, &dec_size) != 0) goto exit; - printf("Decrypted data (16 of %zu bytes): %.16s\n", dec_len, dec_data); + printf("Decrypted data (16 of %zu bytes): %.16s\n\n", dec_size, dec); + exit: - if (enc_data) - yaca_free(enc_data); - if (dec_data) - yaca_free(dec_data); - if (iv != YACA_KEY_NULL) - yaca_key_free(iv); + + yaca_free(enc); + yaca_free(dec); + yaca_key_free(iv); yaca_key_free(key); } -// Symmetric encryption using advanced API -void encrypt_advanced(void) +void encrypt_advanced(const yaca_enc_algo_e algo, + const yaca_block_cipher_mode_e bcm, + const yaca_key_type_e key_type, + const size_t key_bits) { - const yaca_enc_algo_e algo = YACA_ENC_AES; - const yaca_block_cipher_mode_e bcm = YACA_BCM_CBC; - const size_t key_bits = YACA_KEY_256BIT; - int ret; - yaca_ctx_h ctx; + yaca_ctx_h ctx = YACA_CTX_NULL; yaca_key_h key = YACA_KEY_NULL; yaca_key_h iv = YACA_KEY_NULL; + size_t iv_bits; + char *enc = NULL; char *dec = NULL; size_t enc_size; size_t dec_size; - size_t iv_bits; - printf("Advanced Encrypt\nPlain data (16 of %zu bytes): %.16s\n", - LOREM4096_SIZE, lorem4096); + size_t block_len; + size_t output_len; + size_t out_size; + size_t rem; - /// Key generation + printf("Plain data (16 of %zu bytes): %.16s\n", LOREM4096_SIZE, lorem4096); - ret = yaca_key_derive_pbkdf2("foo bar", "123456789", 10, 1000, - YACA_DIGEST_SHA256, key_bits, &key); - if (ret) + /* Key generation */ + if (yaca_key_gen(&key, key_type, key_bits) != 0) return; if (yaca_get_iv_bits(algo, bcm, key_bits, &iv_bits) != 0) goto ex_key; - if (iv_bits > 0) { - ret = yaca_key_gen(&iv, YACA_KEY_TYPE_IV, iv_bits); - if (ret) - goto ex_key; - } + if (iv_bits > 0 && yaca_key_gen(&iv, YACA_KEY_TYPE_IV, iv_bits) != 0) + goto ex_key; - /// Encryption + /* Encryption */ { - size_t block_len; - size_t output_len; - size_t out_size; - size_t rem; - - ret = yaca_encrypt_init(&ctx, algo, bcm, key, iv); - if (ret) + if (yaca_encrypt_init(&ctx, algo, bcm, key, iv) != 0) goto ex_iv; - ret = yaca_get_block_length(ctx, &block_len); - if (ret != 0) + if (yaca_get_block_length(ctx, &block_len) != 0) goto ex_ctx; - ret = yaca_get_output_length(ctx, LOREM4096_SIZE, &output_len); - if (ret != 0) + if (yaca_get_output_length(ctx, LOREM4096_SIZE, &output_len) != 0) goto ex_ctx; /* Calculate max output: size of update + final chunks */ enc_size = output_len + block_len; - enc = yaca_malloc(enc_size); - if (enc == NULL) + if ((enc = yaca_malloc(enc_size)) == NULL) goto ex_ctx; out_size = enc_size; - ret = yaca_encrypt_update(ctx, lorem4096, LOREM4096_SIZE, enc, - &out_size); - if (ret < 0) + if (yaca_encrypt_update(ctx, lorem4096, LOREM4096_SIZE, enc, &out_size) != 0) goto ex_of; rem = enc_size - out_size; - ret = yaca_encrypt_final(ctx, enc + out_size, &rem); - if (ret < 0) + if (yaca_encrypt_final(ctx, enc + out_size, &rem) != 0) goto ex_of; enc_size = rem + out_size; - dump_hex(enc, 16, "Encrypted data (16 of %zu bytes): ", - enc_size); + dump_hex(enc, 16, "Encrypted data (16 of %zu bytes): ", enc_size); yaca_ctx_free(ctx); + ctx = YACA_CTX_NULL; } - /// Decryption + /* Decryption */ { - size_t block_len; - size_t output_len; - size_t out_size; - size_t rem; - - ret = yaca_decrypt_init(&ctx, algo, bcm, key, iv); - if (ret < 0) { - ctx = YACA_CTX_NULL; + if (yaca_decrypt_init(&ctx, algo, bcm, key, iv) != 0) goto ex_of; - } - ret = yaca_get_block_length(ctx, &block_len); - if (ret != 0) + if (yaca_get_block_length(ctx, &block_len) != 0) goto ex_of; - ret = yaca_get_output_length(ctx, LOREM4096_SIZE, &output_len); - if (ret != 0) - goto ex_ctx; + if (yaca_get_output_length(ctx, LOREM4096_SIZE, &output_len) != 0) + goto ex_of; /* Calculate max output: size of update + final chunks */ dec_size = output_len + block_len; - dec = yaca_malloc(dec_size); - if (dec == NULL) + if ((dec = yaca_malloc(dec_size)) == NULL) goto ex_of; out_size = dec_size; - ret = yaca_decrypt_update(ctx, enc, enc_size, dec, &out_size); - if (ret < 0) + if (yaca_decrypt_update(ctx, enc, enc_size, dec, &out_size) != 0) goto ex_in; rem = dec_size - out_size; - ret = yaca_decrypt_final(ctx, dec + out_size, &rem); - if (ret < 0) + if (yaca_decrypt_final(ctx, dec + out_size, &rem) != 0) goto ex_in; dec_size = rem + out_size; - printf("Decrypted data (16 of %zu bytes): %.16s\n", dec_size, dec); + printf("Decrypted data (16 of %zu bytes): %.16s\n\n", dec_size, dec); } ex_in: @@ -227,10 +188,46 @@ int main() if (ret < 0) return ret; - encrypt_simple(); + yaca_enc_algo_e algo = YACA_ENC_AES; + yaca_block_cipher_mode_e bcm = YACA_BCM_ECB; + yaca_key_type_e key_type = YACA_KEY_TYPE_SYMMETRIC; + size_t key_bits = YACA_KEY_256BIT; + + encrypt_simple(algo, bcm, key_bits); + encrypt_advanced(algo, bcm, key_type,key_bits); - encrypt_advanced(); + algo = YACA_ENC_3DES_3TDEA; + bcm = YACA_BCM_OFB; + key_type = YACA_KEY_TYPE_DES; + key_bits = YACA_KEY_192BIT; + + encrypt_advanced(algo, bcm, key_type,key_bits); + + algo = YACA_ENC_CAST5; + bcm = YACA_BCM_CFB; + key_type = YACA_KEY_TYPE_SYMMETRIC; + key_bits = YACA_KEY_UNSAFE_40BIT; + + encrypt_simple(algo, bcm, key_bits); + encrypt_advanced(algo, bcm, key_type,key_bits); + + algo = YACA_ENC_UNSAFE_RC2; + bcm = YACA_BCM_CBC; + key_type = YACA_KEY_TYPE_SYMMETRIC; + key_bits = YACA_KEY_UNSAFE_8BIT; + + encrypt_simple(algo, bcm, key_bits); + encrypt_advanced(algo, bcm, key_type,key_bits); + + algo = YACA_ENC_UNSAFE_RC4; + bcm = YACA_BCM_NONE; + key_type = YACA_KEY_TYPE_SYMMETRIC; + key_bits = YACA_KEY_2048BIT; + + encrypt_simple(algo, bcm, key_bits); + encrypt_advanced(algo, bcm, key_type,key_bits); yaca_exit(); + return ret; } -- 2.7.4 From 805dc74af5c322ca0199cf67bc30b7fae7f3c070 Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Thu, 12 May 2016 16:46:09 +0200 Subject: [PATCH 05/16] Update AES description. Change-Id: I4172389ae79b2c1028f3035d051f69db0a90804a --- api/yaca/types.h | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/api/yaca/types.h b/api/yaca/types.h index 72d45f4..282d007 100644 --- a/api/yaca/types.h +++ b/api/yaca/types.h @@ -133,8 +133,17 @@ typedef enum { typedef enum { /** * AES encryption. - * - see #yaca_block_cipher_mode_e for details on additional parameters (mandatory). * - Supported key lengths: @c 128, @c 192 and @c 256. + * - Supported block cipher modes: + * #YACA_BCM_CBC, + * #YACA_BCM_OFB, + * #YACA_BCM_CFB, + * #YACA_BCM_ECB, + * #YACA_BCM_GCM, + * #YACA_BCM_CCM, + * #YACA_BCM_CTR, + * #YACA_BCM_OCB + * - see #yaca_block_cipher_mode_e for details on additional parameters (mandatory). */ YACA_ENC_AES = 0, -- 2.7.4 From 0c1494615b5825062ded2f289fef36577eeb59be Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Thu, 12 May 2016 17:24:26 +0200 Subject: [PATCH 06/16] Add CFB1 and CFB8 chaining modes. Change-Id: Ia464613fd38ec14f3d32905966eefe7ead430444 --- api/yaca/types.h | 20 +++++++++++++++++++- src/encrypt.c | 4 ++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/api/yaca/types.h b/api/yaca/types.h index 282d007..d025a15 100644 --- a/api/yaca/types.h +++ b/api/yaca/types.h @@ -138,6 +138,8 @@ typedef enum { * #YACA_BCM_CBC, * #YACA_BCM_OFB, * #YACA_BCM_CFB, + * #YACA_BCM_CFB1, + * #YACA_BCM_CFB8, * #YACA_BCM_ECB, * #YACA_BCM_GCM, * #YACA_BCM_CCM, @@ -154,6 +156,8 @@ typedef enum { * #YACA_BCM_CBC, * #YACA_BCM_OFB, * #YACA_BCM_CFB, + * #YACA_BCM_CFB1, + * #YACA_BCM_CFB8, * #YACA_BCM_ECB * - see #yaca_block_cipher_mode_e for details on additional parameters (mandatory). */ @@ -180,6 +184,8 @@ typedef enum { * #YACA_BCM_CBC, * #YACA_BCM_OFB, * #YACA_BCM_CFB, + * #YACA_BCM_CFB1, + * #YACA_BCM_CFB8, * #YACA_BCM_ECB * - see #yaca_block_cipher_mode_e for details on additional parameters (mandatory). * - Use triple DES keys to perform corresponding 3-key 3DES encryption. @@ -268,12 +274,24 @@ typedef enum { YACA_BCM_GCM, /** - * CFB block cipher mode. + * Default CFB block cipher mode. * 16-byte initialization vector is mandatory. */ YACA_BCM_CFB, /** + * 1 bit CFB block cipher mode. + * 16-byte initialization vector is mandatory. + */ + YACA_BCM_CFB1, + + /** + * 8 bits CFB block cipher mode. + * 16-byte initialization vector is mandatory. + */ + YACA_BCM_CFB8, + + /** * OFB block cipher mode. * 16-byte initialization vector is mandatory. */ diff --git a/src/encrypt.c b/src/encrypt.c index a4516c3..784ac35 100644 --- a/src/encrypt.c +++ b/src/encrypt.c @@ -135,6 +135,10 @@ static const char *bcm_to_str(yaca_block_cipher_mode_e bcm) return "gcm"; case YACA_BCM_CFB: return "cfb"; + case YACA_BCM_CFB1: + return "cfb1"; + case YACA_BCM_CFB8: + return "cfb8"; case YACA_BCM_OFB: return "ofb"; case YACA_BCM_OCB: -- 2.7.4 From bac18777652e6585c78392b02970a07644c68f30 Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Tue, 17 May 2016 10:59:43 +0200 Subject: [PATCH 07/16] Remove OCB block cipher mode. Change-Id: I676b80d4491ad70b6bbc0ef4ade80a3df8ca649b --- api/yaca/types.h | 6 ------ src/encrypt.c | 2 -- todo.txt | 1 + 3 files changed, 1 insertion(+), 8 deletions(-) diff --git a/api/yaca/types.h b/api/yaca/types.h index d025a15..1b5c1cc 100644 --- a/api/yaca/types.h +++ b/api/yaca/types.h @@ -144,7 +144,6 @@ typedef enum { * #YACA_BCM_GCM, * #YACA_BCM_CCM, * #YACA_BCM_CTR, - * #YACA_BCM_OCB * - see #yaca_block_cipher_mode_e for details on additional parameters (mandatory). */ YACA_ENC_AES = 0, @@ -298,11 +297,6 @@ typedef enum { YACA_BCM_OFB, /** - * Offest Codebook Mode (AES) - */ - YACA_BCM_OCB, - - /** * CBC-MAC Mode (AES). * Supported parameters: * - #YACA_PARAM_CCM_TAG = CCM tag diff --git a/src/encrypt.c b/src/encrypt.c index 784ac35..86572e2 100644 --- a/src/encrypt.c +++ b/src/encrypt.c @@ -141,8 +141,6 @@ static const char *bcm_to_str(yaca_block_cipher_mode_e bcm) return "cfb8"; case YACA_BCM_OFB: return "ofb"; - case YACA_BCM_OCB: - return "ocb"; case YACA_BCM_CCM: return "ccm"; default: diff --git a/todo.txt b/todo.txt index a13943d..3ed8333 100644 --- a/todo.txt +++ b/todo.txt @@ -2,3 +2,4 @@ Global: - Rethink and possibly add verification of output buffer lengths. In other words check whether the user won't cause a buffer overflow. - Importing/exporting encrypted (passphrased) RSA keys +- Support for OCB mode was added in OpenSSL 1.1.0 -- 2.7.4 From eec19e94a1135030f38ba708ab7e765f1ca3ec0c Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Tue, 17 May 2016 11:11:18 +0200 Subject: [PATCH 08/16] Remove CTR bits param. Only default 128b is supported by openssl at the moment. Change-Id: Id5f70b196940172e567e7e357269babeae714a29 --- api/yaca/types.h | 4 ---- 1 file changed, 4 deletions(-) diff --git a/api/yaca/types.h b/api/yaca/types.h index 1b5c1cc..3284ede 100644 --- a/api/yaca/types.h +++ b/api/yaca/types.h @@ -251,9 +251,6 @@ typedef enum { /** * CTR block cipher mode. * 16-byte initialization vector is mandatory. - * Supported parameters: - * - #YACA_PARAM_CTR_CNT = length of counter block in bits - * (optional, only 128b is supported at the moment) */ YACA_BCM_CTR, @@ -315,7 +312,6 @@ typedef enum { YACA_PARAM_PADDING, /**< Padding */ YACA_PARAM_RC2_EFFECTIVE_KEY_BITS, /**< RC2 effective key bits, 1-1024, 1 bit resolution */ - YACA_PARAM_CTR_CNT, /**< CTR Counter bits */ YACA_PARAM_GCM_AAD, /**< GCM Additional Authentication Data */ YACA_PARAM_GCM_TAG, /**< GCM Tag bits */ -- 2.7.4 From 95524d72c14a4a337e7826fbe17b8646ce8dfb0e Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Fri, 13 May 2016 15:15:36 +0200 Subject: [PATCH 09/16] Hide debug function Debug function is exported but the header is kept private. Change-Id: I399bc52688c126a061dc29d66029bfe66d993c47 --- api/yaca/error.h | 20 ++------------------ examples/digest.c | 3 ++- examples/encrypt.c | 3 ++- examples/encrypt_aes_gcm.c | 3 ++- examples/key_exchange.c | 3 ++- examples/key_import_export.c | 3 ++- examples/seal.c | 3 ++- examples/sign.c | 3 ++- examples/test.c | 3 ++- src/{error.c => debug.c} | 13 +++++++------ src/debug.h | 32 ++++++++++++++++++++++++++++++++ todo.txt | 1 + 12 files changed, 58 insertions(+), 32 deletions(-) rename src/{error.c => debug.c} (91%) create mode 100644 src/debug.h diff --git a/api/yaca/error.h b/api/yaca/error.h index 64de6f7..22030dd 100644 --- a/api/yaca/error.h +++ b/api/yaca/error.h @@ -29,7 +29,7 @@ extern "C" { #endif /** - * @defgroup Error Yet another Crypto API - error enums and debug functions. + * @defgroup Error Yet another Crypto API - error enums. * * @{ */ @@ -45,25 +45,9 @@ enum __yaca_error_code { YACA_ERROR_TOO_BIG_ARGUMENT = -4, YACA_ERROR_OUT_OF_MEMORY = -5, YACA_ERROR_SIGNATURE_INVALID = -6, - YACA_ERROR_PASSWORD_INVALID = -7, + YACA_ERROR_PASSWORD_INVALID = -7 }; -// TODO disable debug function in release? - -/** - * @brief Debug callback type. - */ -typedef void (*yaca_debug_func)(const char*); - -/** - * @brief Sets a current thread debug callback that will be called each time an - * internal error occurs. A NULL terminated string with location and - * description of the error will be passed as an argument. - * - * @param[in] fn Function to set as internal error callback. - */ -void yaca_error_set_debug_func(yaca_debug_func fn); - /**@}*/ #ifdef __cplusplus diff --git a/examples/digest.c b/examples/digest.c index a5ef093..68c6bcb 100644 --- a/examples/digest.c +++ b/examples/digest.c @@ -28,6 +28,7 @@ #include #include "lorem.h" #include "misc.h" +#include "../src/debug.h" void digest_simple(void) { @@ -80,7 +81,7 @@ exit_ctx: int main() { - yaca_error_set_debug_func(debug_func); + yaca_debug_set_error_cb(debug_func); int ret = yaca_init(); if (ret < 0) diff --git a/examples/encrypt.c b/examples/encrypt.c index fe686ce..c01ab04 100644 --- a/examples/encrypt.c +++ b/examples/encrypt.c @@ -30,6 +30,7 @@ #include #include "lorem.h" #include "misc.h" +#include "../src/debug.h" void encrypt_simple(const yaca_enc_algo_e algo, const yaca_block_cipher_mode_e bcm, @@ -182,7 +183,7 @@ ex_key: int main() { - yaca_error_set_debug_func(debug_func); + yaca_debug_set_error_cb(debug_func); int ret = yaca_init(); if (ret < 0) diff --git a/examples/encrypt_aes_gcm.c b/examples/encrypt_aes_gcm.c index 86da336..1e61bc3 100644 --- a/examples/encrypt_aes_gcm.c +++ b/examples/encrypt_aes_gcm.c @@ -31,6 +31,7 @@ #include "lorem.h" #include "misc.h" +#include "../src/debug.h" // Symmetric aes gcm encryption using advanced API void encrypt_decrypt_aes_gcm(void) @@ -180,7 +181,7 @@ clean: int main() { - yaca_error_set_debug_func(debug_func); + yaca_debug_set_error_cb(debug_func); int ret = yaca_init(); if (ret < 0) diff --git a/examples/key_exchange.c b/examples/key_exchange.c index 9464732..542beb8 100644 --- a/examples/key_exchange.c +++ b/examples/key_exchange.c @@ -28,6 +28,7 @@ #include #include #include "misc.h" +#include "../src/debug.h" void key_exchange_dh(void) { @@ -150,7 +151,7 @@ clean: int main() { - yaca_error_set_debug_func(debug_func); + yaca_debug_set_error_cb(debug_func); int ret = yaca_init(); if (ret < 0) diff --git a/examples/key_import_export.c b/examples/key_import_export.c index 9d005c2..183068c 100644 --- a/examples/key_import_export.c +++ b/examples/key_import_export.c @@ -24,6 +24,7 @@ #include #include "misc.h" +#include "../src/debug.h" #include #include @@ -259,7 +260,7 @@ int main() if (ret != 0) return ret; - yaca_error_set_debug_func(debug_func); + yaca_debug_set_error_cb(debug_func); ret = yaca_key_gen(&sym, YACA_KEY_TYPE_SYMMETRIC, YACA_KEY_1024BIT); if (ret != 0) diff --git a/examples/seal.c b/examples/seal.c index 4da8228..5d34da1 100644 --- a/examples/seal.c +++ b/examples/seal.c @@ -29,6 +29,7 @@ #include #include "lorem.h" #include "misc.h" +#include "../src/debug.h" void encrypt_seal(void) { @@ -139,7 +140,7 @@ ex_prvk: int main() { - yaca_error_set_debug_func(debug_func); + yaca_debug_set_error_cb(debug_func); int ret = yaca_init(); if (ret < 0) diff --git a/examples/sign.c b/examples/sign.c index faf0131..f2ba25e 100644 --- a/examples/sign.c +++ b/examples/sign.c @@ -29,6 +29,7 @@ #include "lorem.h" #include "misc.h" +#include "../src/debug.h" // Signature creation and verification using advanced API void sign_verify_asym(yaca_key_type_e type, const char *algo) @@ -202,7 +203,7 @@ finish: int main() { - yaca_error_set_debug_func(debug_func); + yaca_debug_set_error_cb(debug_func); int ret = yaca_init(); if (ret < 0) diff --git a/examples/test.c b/examples/test.c index 4e6f7f0..a9992b2 100644 --- a/examples/test.c +++ b/examples/test.c @@ -22,12 +22,13 @@ #include #include #include "misc.h" +#include "../src/debug.h" /** Simple test for development of library (before API is ready) */ int main(int argc, char* argv[]) { - yaca_error_set_debug_func(debug_func); + yaca_debug_set_error_cb(debug_func); yaca_key_h key; char *k; diff --git a/src/error.c b/src/debug.c similarity index 91% rename from src/error.c rename to src/debug.c index 140d1b4..2bdaa74 100644 --- a/src/error.c +++ b/src/debug.c @@ -14,7 +14,7 @@ * limitations under the License */ /* - * @file error.c + * @file debug.c * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com) */ @@ -26,14 +26,15 @@ #include #include "internal.h" +#include "debug.h" // TODO any better idea than to use __thread? -static __thread yaca_debug_func debug_fn = NULL; +static __thread yaca_error_cb error_cb = NULL; static bool error_strings_loaded = false; -API void yaca_error_set_debug_func(yaca_debug_func fn) +API void yaca_debug_set_error_cb(yaca_error_cb fn) { - debug_fn = fn; + error_cb = fn; } // TODO use peeking function to intercept common errors @@ -41,7 +42,7 @@ API void yaca_error_set_debug_func(yaca_debug_func fn) void error_dump(const char *file, int line, const char *function, int code) { - if (debug_fn == NULL) + if (error_cb == NULL) return; static const size_t BUF_SIZE = 512; @@ -81,6 +82,6 @@ void error_dump(const char *file, int line, const char *function, int code) } buf[written] = '\0'; - (*debug_fn)(buf); + (*error_cb)(buf); } diff --git a/src/debug.h b/src/debug.h new file mode 100644 index 0000000..f748d31 --- /dev/null +++ b/src/debug.h @@ -0,0 +1,32 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Krzysztof Jackiewicz + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +/** + * @file debug.h + * @brief + */ + +#ifndef YACA_DEBUG_H +#define YACA_DEBUG_H + +typedef void (*yaca_error_cb)(const char*); + +void yaca_debug_set_error_cb(yaca_error_cb cb); + + +#endif /* YACA_DEBUG_H */ diff --git a/todo.txt b/todo.txt index 3ed8333..216c413 100644 --- a/todo.txt +++ b/todo.txt @@ -3,3 +3,4 @@ Global: In other words check whether the user won't cause a buffer overflow. - Importing/exporting encrypted (passphrased) RSA keys - Support for OCB mode was added in OpenSSL 1.1.0 +- Remove debug function from examples -- 2.7.4 From 5e205eca2631457bbbc1af51323cc28586c81bd8 Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Tue, 17 May 2016 11:57:12 +0200 Subject: [PATCH 10/16] Add separate API function stubs for HMAC/CMAC context initialization. MACs are symmetric equivalent for asymmetric signatures. For asymmetric signatures the signing algorithm can be easily deduced from the key. This is not the case for MAC's where plain symmetric key tells us nothing about the MAC algorithm we want to use. Considered solutions: 1. Introducing new key types for MACs. Cons: - unclear how to handle plain symmetric keys, - introduces an artificial division in symmetric keys, - new enum values, - CMAC cipher has to be set via ctx params. 2. Deducing MAC algorithm from digest algorithm. Digest->HMAC, no digest->CMAC. Cons: - unclear which algorithm will be used, - adding new MAC algorithm may require a significant API change, - CMAC cipher has to be set via ctx params. 3. Leaving CMAC as a digest algorithm. Cons: - CMAC is not a digest algorithm. It's an equivalent of HMAC, RSA, DSA,...etc, - CMAC can't be used for calculating message digest alone, - CMAC can't be used as a digest algorithm for HMAC - CMAC cipher has to be set via ctx params. 4. Adding new API for CMAC and HMAC context creation. Cons: - 1 new functions per MAC algo for context initalization, - 1 function for signature comparison - low API flexibility This is an initial commit for solution 4. Change-Id: I745854fd7b7d87f2c114475b709566ec512d7bbd --- api/yaca/crypto.h | 11 ++++++ api/yaca/error.h | 2 +- api/yaca/sign.h | 105 ++++++++++++++++++++++++++++++++++++++++++------------ src/crypto.c | 8 +++++ src/sign.c | 28 +++++++-------- 5 files changed, 116 insertions(+), 38 deletions(-) diff --git a/api/yaca/crypto.h b/api/yaca/crypto.h index 9959df0..76a2897 100644 --- a/api/yaca/crypto.h +++ b/api/yaca/crypto.h @@ -181,6 +181,17 @@ int yaca_get_output_length(const yaca_ctx_h ctx, size_t input_len, size_t *outpu */ #define yaca_get_block_length(ctxa, output_len) yaca_get_output_length((ctxa), 0, (output_len)) +/** + * @brief Safely compares first @b len bytes of two buffers. + * + * @param[in] first Pointer to the first buffer. + * @param[in] second Pointer to the second buffer. + * @param[in] len Length to compare. + * + * @return 0 when buffers are equal otherwise #YACA_ERROR_DATA_MISMATCH + */ +int yaca_memcmp(const void *first, const void *second, size_t len); + /**@}*/ #ifdef __cplusplus diff --git a/api/yaca/error.h b/api/yaca/error.h index 22030dd..8aa150b 100644 --- a/api/yaca/error.h +++ b/api/yaca/error.h @@ -44,7 +44,7 @@ enum __yaca_error_code { YACA_ERROR_INTERNAL = -3, YACA_ERROR_TOO_BIG_ARGUMENT = -4, YACA_ERROR_OUT_OF_MEMORY = -5, - YACA_ERROR_SIGNATURE_INVALID = -6, + YACA_ERROR_DATA_MISMATCH = -6, YACA_ERROR_PASSWORD_INVALID = -7 }; diff --git a/api/yaca/sign.h b/api/yaca/sign.h index f018a31..9dcbe43 100644 --- a/api/yaca/sign.h +++ b/api/yaca/sign.h @@ -41,57 +41,115 @@ extern "C" { */ /** - * @brief Initializes a signature context. + * @brief Initializes a signature context for asymmetric signatures. + * + * For verification use yaca_verify_init(), yaca_verify_update() and + * yaca_verify_final() functions with matching public key. * * @param[out] ctx Newly created context (must be freed with yaca_ctx_free()). * @param[in] algo Digest algorithm that will be used. - * @param[in] key Private or symmetric key that will be used (algorithm is deduced based on key type). + * @param[in] key Private key that will be used. Algorithm is deduced based + * on key type. Supported key types: + * - #YACA_KEY_TYPE_RSA_PRIV, + * - #YACA_KEY_TYPE_DSA_PRIV, + * - #YACA_KEY_TYPE_ECDSA_PRIV. * * @return 0 on success, negative on error. - * @see #yaca_digest_algo_e, yaca_sign_update(), yaca_sign_final() + * @see #yaca_key_type_e, #yaca_digest_algo_e, yaca_sign_update(), + * yaca_sign_final(), yaca_verify_init(), yaca_verify_update(), + * yaca_verify_final() */ int yaca_sign_init(yaca_ctx_h *ctx, yaca_digest_algo_e algo, const yaca_key_h key); /** - * @brief Feeds the data into the digital signature algorithm. + * @brief Initializes a signature context for HMAC. + * + * For verification, calculate message HMAC and compare with received MAC using + * yaca_memcmp(). + * + * @param[out] ctx Newly created context (must be freed with yaca_ctx_free()). + * @param[in] algo Digest algorithm that will be used. + * @param[in] key Symmetric key that will be used. Supported key types: + * - #YACA_KEY_TYPE_SYMMETRIC, + * - #YACA_KEY_TYPE_DES. + * + * @return 0 on success, negative on error. + * @see #yaca_key_type_e, #yaca_digest_algo_e, yaca_sign_update(), + * yaca_sign_final(), yaca_memcmp() + */ +int yaca_sign_hmac_init(yaca_ctx_h *ctx, + yaca_digest_algo_e algo, + const yaca_key_h key); + +/** + * @brief Initializes a signature context for CMAC. * - * @param[in,out] ctx Context created by yaca_sign_init(). + * For verification, calculate message CMAC and compare with received MAC using + * yaca_memcmp(). + * + * @param[out] ctx Newly created context (must be freed with yaca_ctx_free()). + * @param[in] algo Encryption algorithm that will be used. + * @param[in] key Symmetric key that will be used. Supported key types: + * - #YACA_KEY_TYPE_SYMMETRIC, + * - #YACA_KEY_TYPE_DES. + * + * @return 0 on success, negative on error. + * @see #yaca_key_type_e, #yaca_enc_algo_e, yaca_sign_update(), + * yaca_sign_final(), yaca_memcmp() + */ +int yaca_sign_cmac_init(yaca_ctx_h *ctx, + yaca_enc_algo_e algo, + const yaca_key_h key); + +/** + * @brief Feeds the data into the digital signature or MAC algorithm. + * + * @param[in,out] ctx Context created by yaca_sign_init(), + * yaca_sign_hmac_init() or yaca_sign_cmac_init(). * @param[in] data Data to be signed. * @param[in] data_len Length of the data. * * @return 0 on success, negative on error. - * @see yaca_sign_init(), yaca_sign_final() + * @see yaca_sign_init(), yaca_sign_final(), yaca_sign_hmac_init(), + * yaca_sign_cmac_init() */ int yaca_sign_update(yaca_ctx_h ctx, const char *data, size_t data_len); /** - * @brief Calculates the final signature. + * @brief Calculates the final signature or MAC. * - * @param[in,out] ctx A valid sign context. - * @param[out] mac Buffer for the MAC or the signature (must be allocated by client, see - * yaca_get_sign_length()). - * @param[out] mac_len Length of the MAC or the signature, actual number of bytes written will be returned here. + * @param[in,out] ctx A valid sign context. + * @param[out] signature Buffer for the MAC or the signature, + * (must be allocated by client, see yaca_get_sign_length()). + * @param[out] signature_len Length of the MAC or the signature, + * actual number of bytes written will be returned here. * * @return 0 on success, negative on error. - * @see yaca_sign_init(), yaca_sign_update() + * @see yaca_sign_init(), yaca_sign_update(), yaca_sign_hmac_init(), + * yaca_sign_cmac_init() */ int yaca_sign_final(yaca_ctx_h ctx, - char *mac, - size_t *mac_len); + char *signature, + size_t *signature_len); /** - * @brief Initializes a signature verification context. + * @brief Initializes a signature verification context for asymmetric signatures * * @param[out] ctx Newly created context (must be freed with yaca_ctx_free()). * @param[in] algo Digest algorithm that will be used. - * @param[in] key Private or symmetric key that will be used (algorithm is deduced based on key type). + * @param[in] key Public key that will be used. Algorithm is deduced based on + * key type. Supported key types: + * - #YACA_KEY_TYPE_RSA_PUB, + * - #YACA_KEY_TYPE_DSA_PUB, + * - #YACA_KEY_TYPE_ECDSA_PUB. * * @return 0 on success, negative on error. - * @see #yaca_digest_algo_e, yaca_verify_update(), yaca_verify_final() + * @see #yaca_key_type_e, #yaca_digest_algo_e, yaca_verify_update(), + * yaca_verify_final() */ int yaca_verify_init(yaca_ctx_h *ctx, yaca_digest_algo_e algo, @@ -114,16 +172,17 @@ int yaca_verify_update(yaca_ctx_h ctx, /** * @brief Performs the verification. * - * @param[in,out] ctx A valid verify context. - * @param[in] mac Input MAC or signature (returned by yaca_sign_final()). - * @param[in] mac_len Size of the MAC or the signature. + * @param[in,out] ctx A valid verify context. + * @param[in] signature Input signature (returned by yaca_sign_final()). + * @param[in] signature_len Size of the signature. * - * @return 0 on success, negative on error. + * @return 0 on success, YACA_ERROR_DATA_MISMATCH if verification fails, + * negative on error. * @see yaca_verify_init(), yaca_verify_update() */ int yaca_verify_final(yaca_ctx_h ctx, - const char *mac, - size_t mac_len); + const char *signature, + size_t signature_len); /**@}*/ diff --git a/src/crypto.c b/src/crypto.c index df5ba7d..bca42a8 100644 --- a/src/crypto.c +++ b/src/crypto.c @@ -127,3 +127,11 @@ API int yaca_get_output_length(const yaca_ctx_h ctx, size_t input_len, size_t *o return ctx->get_output_length(ctx, input_len, output_len); } + +API int yaca_memcmp(const void *first, const void *second, size_t len) +{ + if (CRYPTO_memcmp(first, second, len) == 0) + return 0; + + return YACA_ERROR_DATA_MISMATCH; +} diff --git a/src/sign.c b/src/sign.c index 9573c4c..e47c839 100644 --- a/src/sign.c +++ b/src/sign.c @@ -356,17 +356,17 @@ API int yaca_sign_update(yaca_ctx_h ctx, } API int yaca_sign_final(yaca_ctx_h ctx, - char *mac, - size_t *mac_len) + char *signature, + size_t *signature_len) { struct yaca_sign_ctx_s *c = get_sign_ctx(ctx); int ret; if (c == NULL || c->op_type != OP_SIGN || - mac == NULL || mac_len == NULL || *mac_len == 0) + signature == NULL || signature_len == NULL || *signature_len == 0) return YACA_ERROR_INVALID_ARGUMENT; - ret = EVP_DigestSignFinal(c->mdctx, (unsigned char *)mac, mac_len); + ret = EVP_DigestSignFinal(c->mdctx, (unsigned char *)signature, signature_len); if(ret != 1) { ret = YACA_ERROR_INTERNAL; ERROR_DUMP(ret); @@ -499,15 +499,15 @@ API int yaca_verify_update(yaca_ctx_h ctx, } API int yaca_verify_final(yaca_ctx_h ctx, - const char *mac, - size_t mac_len) + const char *signature, + size_t signature_len) { struct yaca_sign_ctx_s *c = get_sign_ctx(ctx); - char mac_cmp[mac_len]; - size_t mac_cmp_len = mac_len; + char mac_cmp[signature_len]; + size_t mac_cmp_len = signature_len; int ret; - if (c == NULL || mac == NULL || mac_len == 0) + if (c == NULL || signature == NULL || signature_len == 0) return YACA_ERROR_INVALID_ARGUMENT; switch (c->op_type) @@ -522,19 +522,19 @@ API int yaca_verify_final(yaca_ctx_h ctx, return ret; } - if (mac_len != mac_cmp_len || CRYPTO_memcmp(mac, mac_cmp, mac_len) != 0) - return YACA_ERROR_SIGNATURE_INVALID; + if (signature_len != mac_cmp_len || CRYPTO_memcmp(signature, mac_cmp, signature_len) != 0) + return YACA_ERROR_DATA_MISMATCH; return 0; case OP_VERIFY_ASYMMETRIC: ret = EVP_DigestVerifyFinal(c->mdctx, - (unsigned char *)mac, - mac_len); + (unsigned char *)signature, + signature_len); if (ret == 1) return 0; if (ret == 0) - ret = YACA_ERROR_SIGNATURE_INVALID; + ret = YACA_ERROR_DATA_MISMATCH; else ret = YACA_ERROR_INTERNAL; -- 2.7.4 From aff97e9576a188849aa42beace30b8dc6f83053f Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Fri, 13 May 2016 09:37:10 +0200 Subject: [PATCH 11/16] Remove CMAC from digest algorithms. Change-Id: I3bb2ddd69b3f7d052cf2fbaea5feaf1b88be9795 --- api/yaca/types.h | 3 +-- examples/sign.c | 3 +++ src/digest.c | 3 --- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/api/yaca/types.h b/api/yaca/types.h index 3284ede..b6068a9 100644 --- a/api/yaca/types.h +++ b/api/yaca/types.h @@ -115,7 +115,7 @@ typedef enum { } yaca_key_bits_e; /** - * @brief Message digest algorithms. CMAC is included to simplify API + * @brief Message digest algorithms. */ typedef enum { YACA_DIGEST_MD5, /**< Message digest algorithm MD5 */ @@ -124,7 +124,6 @@ typedef enum { YACA_DIGEST_SHA256, /**< Message digest algorithm SHA2, 256bit */ YACA_DIGEST_SHA384, /**< Message digest algorithm SHA2, 384bit */ YACA_DIGEST_SHA512, /**< Message digest algorithm SHA2, 512bit */ - YACA_DIGEST_CMAC /**< TODO: perhaps CMAC should be handled differently */ } yaca_digest_algo_e; /** diff --git a/examples/sign.c b/examples/sign.c index f2ba25e..5612ead 100644 --- a/examples/sign.c +++ b/examples/sign.c @@ -150,6 +150,8 @@ finish: void sign_verify_cmac(void) { + // TODO rewrite it +#if 0 char* signature = NULL; size_t signature_len; @@ -199,6 +201,7 @@ finish: yaca_free(signature); yaca_key_free(key); yaca_ctx_free(ctx); +#endif } int main() diff --git a/src/digest.c b/src/digest.c index 10d4dbf..09fbd34 100644 --- a/src/digest.c +++ b/src/digest.c @@ -100,9 +100,6 @@ int digest_get_algorithm(yaca_digest_algo_e algo, const EVP_MD **md) case YACA_DIGEST_SHA512: *md = EVP_sha512(); break; - case YACA_DIGEST_CMAC: - ret = YACA_ERROR_NOT_IMPLEMENTED; - break; default: ret = YACA_ERROR_INVALID_ARGUMENT; break; -- 2.7.4 From 594df4c3a99a10453c80877674b62f809f6e7753 Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Tue, 17 May 2016 16:26:42 +0200 Subject: [PATCH 12/16] Simple API for signatures, verification & MACs Change-Id: I3bb49a82f2778e1c81ad64c8d8268d9181cbc51b --- api/yaca/simple.h | 102 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 101 insertions(+), 1 deletion(-) diff --git a/api/yaca/simple.h b/api/yaca/simple.h index ec1e333..bbd4bf0 100644 --- a/api/yaca/simple.h +++ b/api/yaca/simple.h @@ -116,7 +116,107 @@ int yaca_decrypt(yaca_enc_algo_e algo, char **plain, size_t * plain_len); -// TODO: sign/verify +/** + * @brief Create a signature using asymmetric private key. + * + * @param[in] algo Digest algorithm that will be used. + * @param[in] key Private key that will be used. Algorithm is + * deduced based on key type. Supported key types: + * - #YACA_KEY_TYPE_RSA_PRIV, + * - #YACA_KEY_TYPE_DSA_PRIV, + * - #YACA_KEY_TYPE_ECDSA_PRIV. + * @param[in] data Data to be signed. + * @param[in] data_len Length of the data. + * @param[out] signature Message signature. Will be allocated by the + * library. Should be freed with yaca_free(). + * @param[out] signature_len Length of the signature. + * + * @return 0 on success, negative on error. + * @see #yaca_key_type_e, #yaca_digest_algo_e, yaca_verify(), + */ +int yaca_sign(yaca_digest_algo_e algo, + const yaca_key_h key, + const char *data, + size_t data_len, + char** signature, + size_t* signature_len); + +/** + * @brief Verify a signature using asymmetric public key. + * + * @param[in] algo Digest algorithm that will be used. + * @param[in] key Public key that will be used. Algorithm is + * deduced based on key type. Supported key types: + * - #YACA_KEY_TYPE_RSA_PUB, + * - #YACA_KEY_TYPE_DSA_PUB, + * - #YACA_KEY_TYPE_ECDSA_PUB. + * @param[in] data Signed data. + * @param[in] data_len Length of the data. + * @param[in] signature Message signature. + * @param[in] signature_len Length of the signature. + * + * @return 0 on success, YACA_ERROR_SIGNATURE_INVALID if verification fails, + * negative on error. + * @see #yaca_key_type_e, #yaca_digest_algo_e, yaca_sign(), + */ +int yaca_verify(yaca_digest_algo_e algo, + const yaca_key_h key, + const char *data, + size_t data_len, + const char* signature, + size_t signature_len); + +/** + * @brief Calculate a HMAC of given message using symmetric key. + * + * For verification, calculate message HMAC and compare with received MAC using + * yaca_memcmp(). + * + * @param[in] algo Digest algorithm that will be used. + * @param[in] key Key that will be used. Supported key types: + * - #YACA_KEY_TYPE_SYMMETRIC, + * - #YACA_KEY_TYPE_DES. + * @param[in] data Data to calculate HMAC from. + * @param[in] data_len Length of the data. + * @param[out] mac MAC. Will be allocated by the library. Should be freed + * with yaca_free(). + * @param[out] mac_len Length of the MAC. + * + * @return 0 on success, negative on error. + * @see #yaca_key_type_e, #yaca_digest_algo_e, yaca_memcmp() + */ +int yaca_hmac(yaca_digest_algo_e algo, + const yaca_key_h key, + const char *data, + size_t data_len, + char** mac, + size_t* mac_len); + +/** + * @brief Calculate a CMAC of given message using symmetric key. + * + * For verification, calculate message CMAC and compare with received MAC using + * yaca_memcmp(). + * + * @param[in] algo Encryption algorithm that will be used. + * @param[in] key Key that will be used. Supported key types: + * - #YACA_KEY_TYPE_SYMMETRIC, + * - #YACA_KEY_TYPE_DES. + * @param[in] data Data to calculate CMAC from. + * @param[in] data_len Length of the data. + * @param[out] mac MAC. Will be allocated by the library. Should be freed + * with yaca_free(). + * @param[out] mac_len Length of the MAC. + * + * @return 0 on success, negative on error. + * @see #yaca_key_type_e, #yaca_enc_algo_e, yaca_memcmp() + */ +int yaca_cmac(yaca_enc_algo_e algo, + const yaca_key_h key, + const char *data, + size_t data_len, + char** mac, + size_t* mac_len); /**@}*/ -- 2.7.4 From 5de61ea13048da2560db6e2baa3a452bc0843f81 Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Thu, 19 May 2016 12:00:18 +0200 Subject: [PATCH 13/16] Remove RC2 effective key bits param. Only default 128b is supported at the moment. Change-Id: I5908983614bfda58ed7466980734a110b504eb48 --- api/yaca/types.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/api/yaca/types.h b/api/yaca/types.h index b6068a9..f10deb5 100644 --- a/api/yaca/types.h +++ b/api/yaca/types.h @@ -194,8 +194,7 @@ typedef enum { * RC2 encryption. * This is a variable key length cipher. * - Supported key lengths: 8-1024 bits in steps of 8 bits. - * - Additional parameter, effective key bits: #YACA_PARAM_RC2_EFFECTIVE_KEY_BITS, - * by default equals to 128 + * - Effective key bits parameter by default equals to 128. * - Supported block cipher modes: * #YACA_BCM_CBC, * #YACA_BCM_OFB, @@ -310,8 +309,6 @@ typedef enum { typedef enum { YACA_PARAM_PADDING, /**< Padding */ - YACA_PARAM_RC2_EFFECTIVE_KEY_BITS, /**< RC2 effective key bits, 1-1024, 1 bit resolution */ - YACA_PARAM_GCM_AAD, /**< GCM Additional Authentication Data */ YACA_PARAM_GCM_TAG, /**< GCM Tag bits */ YACA_PARAM_GCM_TAG_LEN, /**< GCM Tag length */ -- 2.7.4 From 792a7b82d76dcac72c5c18d817bba5974540323c Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Thu, 19 May 2016 13:03:35 +0200 Subject: [PATCH 14/16] Join ECDSA and ECDH key to EC type. Change-Id: I8817ce9a9e08283af3c25d5c3a133a4212b3dd60 --- api/yaca/sign.h | 4 ++-- api/yaca/simple.h | 4 ++-- api/yaca/types.h | 7 ++----- examples/key_exchange.c | 4 ++-- src/key.c | 27 ++++++++++----------------- src/sign.c | 4 ++-- 6 files changed, 20 insertions(+), 30 deletions(-) diff --git a/api/yaca/sign.h b/api/yaca/sign.h index 9dcbe43..beb5df2 100644 --- a/api/yaca/sign.h +++ b/api/yaca/sign.h @@ -52,7 +52,7 @@ extern "C" { * on key type. Supported key types: * - #YACA_KEY_TYPE_RSA_PRIV, * - #YACA_KEY_TYPE_DSA_PRIV, - * - #YACA_KEY_TYPE_ECDSA_PRIV. + * - #YACA_KEY_TYPE_EC_PRIV. * * @return 0 on success, negative on error. * @see #yaca_key_type_e, #yaca_digest_algo_e, yaca_sign_update(), @@ -145,7 +145,7 @@ int yaca_sign_final(yaca_ctx_h ctx, * key type. Supported key types: * - #YACA_KEY_TYPE_RSA_PUB, * - #YACA_KEY_TYPE_DSA_PUB, - * - #YACA_KEY_TYPE_ECDSA_PUB. + * - #YACA_KEY_TYPE_EC_PUB. * * @return 0 on success, negative on error. * @see #yaca_key_type_e, #yaca_digest_algo_e, yaca_verify_update(), diff --git a/api/yaca/simple.h b/api/yaca/simple.h index bbd4bf0..c1d1d2b 100644 --- a/api/yaca/simple.h +++ b/api/yaca/simple.h @@ -124,7 +124,7 @@ int yaca_decrypt(yaca_enc_algo_e algo, * deduced based on key type. Supported key types: * - #YACA_KEY_TYPE_RSA_PRIV, * - #YACA_KEY_TYPE_DSA_PRIV, - * - #YACA_KEY_TYPE_ECDSA_PRIV. + * - #YACA_KEY_TYPE_EC_PRIV. * @param[in] data Data to be signed. * @param[in] data_len Length of the data. * @param[out] signature Message signature. Will be allocated by the @@ -149,7 +149,7 @@ int yaca_sign(yaca_digest_algo_e algo, * deduced based on key type. Supported key types: * - #YACA_KEY_TYPE_RSA_PUB, * - #YACA_KEY_TYPE_DSA_PUB, - * - #YACA_KEY_TYPE_ECDSA_PUB. + * - #YACA_KEY_TYPE_EC_PUB. * @param[in] data Signed data. * @param[in] data_len Length of the data. * @param[in] signature Message signature. diff --git a/api/yaca/types.h b/api/yaca/types.h index f10deb5..5a99113 100644 --- a/api/yaca/types.h +++ b/api/yaca/types.h @@ -81,12 +81,9 @@ typedef enum { YACA_KEY_TYPE_DH_PUB, /**< Diffie-Hellman public key */ YACA_KEY_TYPE_DH_PRIV, /**< Diffie-Hellman private key */ - YACA_KEY_TYPE_ECDSA_PUB, /**< Elliptic Curve Digital Signature Algorithm public key */ - YACA_KEY_TYPE_ECDSA_PRIV, /**< Elliptic Curve Digital Signature Algorithm private key */ + YACA_KEY_TYPE_EC_PUB, /**< Elliptic Curve public key (for DSA and DH) */ - // TODO: ECDH might not exist as a separate key type, remove? - YACA_KEY_TYPE_ECDH_PUB, /**< Elliptic Curve Diffie-Hellman public key */ - YACA_KEY_TYPE_ECDH_PRIV, /**< Elliptic Curve Diffie-Hellman private key */ + YACA_KEY_TYPE_EC_PRIV, /**< Elliptic Curve private key (for DSA and DH) */ } yaca_key_type_e; /** diff --git a/examples/key_exchange.c b/examples/key_exchange.c index 542beb8..7d2bf78 100644 --- a/examples/key_exchange.c +++ b/examples/key_exchange.c @@ -104,7 +104,7 @@ void key_exchange_ecdh(void) long size; // generate private, public key - ret = yaca_key_gen(&private_key, YACA_KEY_TYPE_ECDH_PRIV, YACA_KEY_CURVE_P256); + ret = yaca_key_gen(&private_key, YACA_KEY_TYPE_EC_PRIV, YACA_KEY_CURVE_P256); if (ret < 0) goto clean; @@ -130,7 +130,7 @@ void key_exchange_ecdh(void) if (1 != fread(buffer, size, 1, fp)) goto clean; - ret = yaca_key_import(&peer_key, YACA_KEY_TYPE_ECDH_PUB, NULL, buffer, size); + ret = yaca_key_import(&peer_key, YACA_KEY_TYPE_EC_PUB, NULL, buffer, size); if (ret < 0) goto clean; diff --git a/src/key.c b/src/key.c index 2730c09..d8580a8 100644 --- a/src/key.c +++ b/src/key.c @@ -308,7 +308,7 @@ int import_evp(yaca_key_h *key, break; case EVP_PKEY_EC: - type = private ? YACA_KEY_TYPE_ECDSA_PRIV : YACA_KEY_TYPE_ECDSA_PUB; + type = private ? YACA_KEY_TYPE_EC_PRIV : YACA_KEY_TYPE_EC_PUB; break; default: @@ -473,10 +473,8 @@ int export_evp(struct yaca_key_evp_s *evp_key, case YACA_KEY_TYPE_DH_PRIV: case YACA_KEY_TYPE_DH_PUB: - case YACA_KEY_TYPE_ECDSA_PRIV: - case YACA_KEY_TYPE_ECDSA_PUB: - case YACA_KEY_TYPE_ECDH_PRIV: - case YACA_KEY_TYPE_ECDH_PUB: + case YACA_KEY_TYPE_EC_PRIV: + case YACA_KEY_TYPE_EC_PUB: ret = YACA_ERROR_NOT_IMPLEMENTED; goto free_bio; @@ -505,10 +503,8 @@ int export_evp(struct yaca_key_evp_s *evp_key, case YACA_KEY_TYPE_DH_PRIV: case YACA_KEY_TYPE_DH_PUB: - case YACA_KEY_TYPE_ECDSA_PRIV: - case YACA_KEY_TYPE_ECDSA_PUB: - case YACA_KEY_TYPE_ECDH_PRIV: - case YACA_KEY_TYPE_ECDH_PUB: + case YACA_KEY_TYPE_EC_PRIV: + case YACA_KEY_TYPE_EC_PUB: ret = YACA_ERROR_NOT_IMPLEMENTED; goto free_bio; @@ -886,10 +882,8 @@ API int yaca_key_import(yaca_key_h *key, return import_evp(key, key_type, data, data_len); case YACA_KEY_TYPE_DH_PUB: case YACA_KEY_TYPE_DH_PRIV: - case YACA_KEY_TYPE_ECDSA_PUB: - case YACA_KEY_TYPE_ECDSA_PRIV: - case YACA_KEY_TYPE_ECDH_PUB: - case YACA_KEY_TYPE_ECDH_PRIV: + case YACA_KEY_TYPE_EC_PUB: + case YACA_KEY_TYPE_EC_PRIV: return YACA_ERROR_NOT_IMPLEMENTED; default: return YACA_ERROR_INVALID_ARGUMENT; @@ -986,8 +980,7 @@ API int yaca_key_gen(yaca_key_h *key, return 0; case YACA_KEY_TYPE_DH_PRIV: - case YACA_KEY_TYPE_ECDSA_PRIV: - case YACA_KEY_TYPE_ECDH_PRIV: + case YACA_KEY_TYPE_EC_PRIV: return YACA_ERROR_NOT_IMPLEMENTED; default: return YACA_ERROR_INVALID_ARGUMENT; @@ -1044,8 +1037,8 @@ API int yaca_key_extract_public(const yaca_key_h prv_key, yaca_key_h *pub_key) case YACA_KEY_TYPE_DSA_PRIV: (*pub_key)->type = YACA_KEY_TYPE_DSA_PUB; break; - case YACA_KEY_TYPE_ECDSA_PRIV: - (*pub_key)->type = YACA_KEY_TYPE_ECDSA_PUB; + case YACA_KEY_TYPE_EC_PRIV: + (*pub_key)->type = YACA_KEY_TYPE_EC_PUB; break; default: ret = YACA_ERROR_INVALID_ARGUMENT; diff --git a/src/sign.c b/src/sign.c index e47c839..0b6d8f7 100644 --- a/src/sign.c +++ b/src/sign.c @@ -292,7 +292,7 @@ API int yaca_sign_init(yaca_ctx_h *ctx, case YACA_KEY_TYPE_DSA_PRIV: nc->op_type = OP_SIGN; break; - case YACA_KEY_TYPE_ECDSA_PRIV: + case YACA_KEY_TYPE_EC_PRIV: ret = YACA_ERROR_NOT_IMPLEMENTED; goto free_ctx; default: @@ -413,7 +413,7 @@ API int yaca_verify_init(yaca_ctx_h *ctx, case YACA_KEY_TYPE_DSA_PUB: nc->op_type = OP_VERIFY_ASYMMETRIC; break; - case YACA_KEY_TYPE_ECDSA_PUB: + case YACA_KEY_TYPE_EC_PUB: ret = YACA_ERROR_NOT_IMPLEMENTED; goto free_ctx; default: -- 2.7.4 From 26a445cab4a8a3c1d523702db0a9eb2a685bd97d Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Thu, 19 May 2016 13:18:48 +0200 Subject: [PATCH 15/16] Remove TODOs that no longer apply. Change-Id: Ibb4990346808a1934a549703122c704d15935794 --- api/yaca/key.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/api/yaca/key.h b/api/yaca/key.h index c58bc60..e020171 100644 --- a/api/yaca/key.h +++ b/api/yaca/key.h @@ -179,7 +179,6 @@ void yaca_key_free(yaca_key_h key); /** * @defgroup Key-Derivation Advanced API for the key derivation. * - * TODO: rethink separate group. * TODO: extended description and examples. * * @{ @@ -225,8 +224,8 @@ int yaca_key_derive_kea(const yaca_key_h prv_key, * @param[in] password User password as a NULL-terminated string. * @param[in] salt Salt, should be non-zero. * @param[in] salt_len Length of the salt. - * @param[in] iter Number of iterations. (TODO: add enum to proposed number of iterations, pick sane defaults). - * @param[in] algo Digest algorithm that should be used in key generation. (TODO: sane defaults). + * @param[in] iter Number of iterations. + * @param[in] algo Digest algorithm that should be used in key generation. * @param[in] key_bits Length of a key (in bits) to be generated. * @param[out] key Newly generated key (must be freed with yaca_key_free()). * -- 2.7.4 From 51a55d687be79d46d708e4ca7c735ea62cbd6a6f Mon Sep 17 00:00:00 2001 From: Dariusz Michaluk Date: Thu, 19 May 2016 15:42:26 +0200 Subject: [PATCH 16/16] Remove unnecessary test example. Change-Id: Iba5d726cda3dfb74e91463a565938b43b5a1d53b --- examples/CMakeLists.txt | 1 - examples/test.c | 59 ------------------------------------------------- 2 files changed, 60 deletions(-) delete mode 100644 examples/test.c diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt index fe238d2..c8461ec 100644 --- a/examples/CMakeLists.txt +++ b/examples/CMakeLists.txt @@ -49,7 +49,6 @@ BUILD_EXAMPLE("yaca-example-seal" seal.c) BUILD_EXAMPLE("yaca-example-encrypt-gcm" encrypt_aes_gcm.c) BUILD_EXAMPLE("yaca-example-sign" sign.c) BUILD_EXAMPLE("yaca-example-key-exchange" key_exchange.c) -BUILD_EXAMPLE("yaca-example-test" test.c) BUILD_EXAMPLE("yaca-example-key-impexp" key_import_export.c) INSTALL(FILES ${COMMON_SOURCES} diff --git a/examples/test.c b/examples/test.c deleted file mode 100644 index a9992b2..0000000 --- a/examples/test.c +++ /dev/null @@ -1,59 +0,0 @@ -/* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ - -#include -#include -#include -#include -#include -#include "misc.h" -#include "../src/debug.h" - -/** Simple test for development of library (before API is ready) */ - -int main(int argc, char* argv[]) -{ - yaca_debug_set_error_cb(debug_func); - - yaca_key_h key; - char *k; - size_t kl; - int ret; - - ret = yaca_init(); - if (ret < 0) - return ret; - - printf("Generating key using CryptoAPI.. "); - ret = yaca_key_gen(&key, YACA_KEY_TYPE_SYMMETRIC, YACA_KEY_UNSAFE_128BIT); - if (ret < 0) - return ret; - printf("done (%d)\n", ret); - - printf("Exporting key using CryptoAPI.. "); - ret = yaca_key_export(key, YACA_KEY_FORMAT_DEFAULT, YACA_KEY_FILE_FORMAT_RAW, NULL, &k, &kl); - if (ret < 0) - return ret; - printf("done (%d)\n", ret); - - dump_hex(k, kl, "%zu-bit key: \n", kl); - - yaca_exit(); - - return 0; -} -- 2.7.4