From 15d7df2ba8ca706b944b771958cd23b6c2163f81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 17 Aug 2017 14:33:31 +0200
Subject: [PATCH] Introduce mbedtls_pk_restart_ctx and use it

The fact that you needed to pass a pointer to mbedtls_ecdsa_restart_ctx (or that you needed to know the key type of the PK context) was a breach of abstraction. Change the API (and callers) now, and the implementation will be changed in the next commit.
---
 include/mbedtls/pk.h | 35 ++++++++++++++++++++++++-----
 include/mbedtls/x509_crt.h | 2 +-
 library/pk.c | 25 +++++++++++++++++++--
 library/ssl_cli.c | 4 ++--
 library/x509_crt.c | 6 ++---
 tests/suites/test_suite_pk.function | 22 +++++++++---------
 6 files changed, 69 insertions(+), 25 deletions(-)

diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 05c51d38d..55b0668c2 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -129,6 +129,19 @@ typedef struct
 void * pk_ctx; /**< Underlying public key context */
 } mbedtls_pk_context;

+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Context for resuming operations
+ */
+typedef struct
+{
+ mbedtls_ecdsa_restart_ctx ecdsa; /* temporary */
+} mbedtls_pk_restart_ctx;
+#else
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_pk_restart_ctx;
+#endif
+
 #if defined(MBEDTLS_RSA_C)
 /**
 * Quick access to an RSA context inside a PK context.
@@ -188,6 +201,18 @@ void mbedtls_pk_init( mbedtls_pk_context *ctx );
 */
 void mbedtls_pk_free( mbedtls_pk_context *ctx );

+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Initialize a restart context
+ */
+void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx );
+
+/**
+ * \brief Free the components of a restart context
+ */
+void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 /**
 * \brief Initialize a PK context with the information given
 * and allocates the type-specific PK subcontext.
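Review bot: The restartable branch of the new typedef (hunk at -129) embeds `mbedtls_ecdsa_restart_ctx` but is guarded by `MBEDTLS_ECP_RESTARTABLE` alone, while the test hunks of this same commit guard their use with `defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)`. If a configuration can enable ECP restart without ECDSA, the member type would presumably be undeclared at this point and the header would stop compiling; the single-macro guard is repeated on the prototypes in the next hunk and on the definitions in library/pk.c. Either use the two-macro guard in all three places or state next to the typedef that the option requires ECDSA, and replace `/* temporary */` with a comment saying the member is the only operation state for now.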
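Review bot: The two doc blocks added in the hunk at -188 carry only a `\brief`, so the header does not tell a caller that `mbedtls_pk_restart_free()` accepts NULL (library/pk.c returns early on it) while `mbedtls_pk_restart_init()` dereferences its argument. It also does not say in what state a freed context is left, although the test hunk at -351 frees `rs_ctx` and then appears to start a new restartable signature with it (the call's arguments are cut off by the hunk). Add a `\param ctx` line to each block, for example `\param ctx  Context to free; may be NULL. Discards any operation in progress.`, and state whether the context can be used again without calling init.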
@@ -298,8 +323,7 @@ int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
 * \param hash_len Hash length or 0 (see notes)
 * \param sig Signature to verify
 * \param sig_len Signature length
- * \param rs_ctx Restart context: for ECC, must be NULL (no restart) or a
- * pointer to a \c mbedtls_ecdsa_restart_ctx. Ignored for RSA.
+ * \param rs_ctx Restart context (NULL to disable restart)
 *
 * \return See \c mbedtls_pk_verify(), or
 * MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
@@ -309,7 +333,7 @@ int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
 mbedtls_md_type_t md_alg,
 const unsigned char *hash, size_t hash_len,
 const unsigned char *sig, size_t sig_len,
- void *rs_ctx );
+ mbedtls_pk_restart_ctx *rs_ctx );

 /**
 * \brief Verify signature, with options.
@@ -390,8 +414,7 @@ int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
 * \param sig_len Number of bytes written
 * \param f_rng RNG function
 * \param p_rng RNG parameter
- * \param rs_ctx Restart context: for ECC, must be NULL (no restart) or a
- * pointer to a \c mbedtls_ecdsa_restart_ctx. Ignored for RSA.
+ * \param rs_ctx Restart context (NULL to disable restart)
 *
 * \return See \c mbedtls_pk_sign(), or
 * MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
@@ -402,7 +425,7 @@ int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
 const unsigned char *hash, size_t hash_len,
 unsigned char *sig, size_t *sig_len,
 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- void *rs_ctx );
+ mbedtls_pk_restart_ctx *rs_ctx );

 /**
 * \brief Decrypt message (including padding if relevant).
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 7487df619..3388c3b93 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
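Review bot: The replacement `\param rs_ctx` text in the hunks at -298 and -390 no longer says what happens for non-EC keys (the removed wording stated the argument was ignored for RSA) and does not mention that the context has to be set up with `mbedtls_pk_restart_init()` before the first call. Suggested wording for both: `\param rs_ctx  Restart context, initialised with mbedtls_pk_restart_init(); NULL disables restart.` followed by a sentence on key types without restart support. Whether such keys still ignore the argument is decided in code outside these hunks, so confirm that before documenting it.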
@@ -172,7 +172,7 @@ typedef struct
 typedef struct
 {
 /* for check_signature() */
- mbedtls_ecdsa_restart_ctx ecdsa;
+ mbedtls_pk_restart_ctx pk;

 /* for find_parent_in() */
 mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
diff --git a/library/pk.c b/library/pk.c
index e439c7ad8..27ca5f3eb 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -73,6 +73,27 @@ void mbedtls_pk_free( mbedtls_pk_context *ctx )
 mbedtls_zeroize( ctx, sizeof( mbedtls_pk_context ) );
 }

+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx )
+{
+ mbedtls_ecdsa_restart_init( &ctx->ecdsa );
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx )
+{
+ if( ctx == NULL )
+ return;
+
+ mbedtls_ecdsa_restart_free( &ctx->ecdsa );
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 /*
 * Get pk_info structure from type
 */
@@ -182,7 +203,7 @@ int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
 mbedtls_md_type_t md_alg,
 const unsigned char *hash, size_t hash_len,
 const unsigned char *sig, size_t sig_len,
- void *rs_ctx )
+ mbedtls_pk_restart_ctx *rs_ctx )
 {
 if( ctx == NULL || ctx->pk_info == NULL ||
 pk_hashlen_helper( md_alg, &hash_len ) != 0 )
@@ -282,7 +303,7 @@ int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
 const unsigned char *hash, size_t hash_len,
 unsigned char *sig, size_t *sig_len,
 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- void *rs_ctx )
+ mbedtls_pk_restart_ctx *rs_ctx )
 {
 if( ctx == NULL || ctx->pk_info == NULL ||
 pk_hashlen_helper( md_alg, &hash_len ) != 0 )
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 7ffeb5bb4..d53f7b227 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
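Review bot: Only the parameter type changes in `mbedtls_pk_verify_restartable()` (hunk at -182) and `mbedtls_pk_sign_restartable()` (hunk at -282); both bodies continue outside the hunks and, going by the commit message, still treat `rs_ctx` as before. If they hand the pointer unchanged to code that expects `mbedtls_ecdsa_restart_ctx *`, that is correct only while `ecdsa` is the first member of `mbedtls_pk_restart_ctx`. Until the follow-up commit lands, a comment at the forwarding site such as `/* rs_ctx forwarded as-is: relies on ecdsa being the first member of mbedtls_pk_restart_ctx */` would stop the struct from being reordered or extended in between.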
@@ -2615,7 +2615,7 @@ ske_process:

 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
 if( ssl->handshake->ecrs_enabled )
- rs_ctx = &ssl->handshake->ecrs_ctx.ecdsa;
+ rs_ctx = &ssl->handshake->ecrs_ctx.pk;
 #endif

 if( ( ret = mbedtls_pk_verify_restartable(
@@ -3290,7 +3290,7 @@ keys_derived:

 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
 if( ssl->handshake->ecrs_enabled )
- rs_ctx = &ssl->handshake->ecrs_ctx.ecdsa;
+ rs_ctx = &ssl->handshake->ecrs_ctx.pk;
 #endif

 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 9ab376db2..a6f6a78d8 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1875,7 +1875,7 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child,
 {
 return( mbedtls_pk_verify_restartable( &parent->pk, child->sig_md, hash, mbedtls_md_get_size( md_info ),
- child->sig.p, child->sig.len, &rs_ctx->ecdsa ) );
+ child->sig.p, child->sig.len, &rs_ctx->pk ) );
 }
 #else
 (void) rs_ctx;
@@ -2653,7 +2653,7 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
 */
 void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )
 {
- mbedtls_ecdsa_restart_init( &ctx->ecdsa );
+ mbedtls_pk_restart_init( &ctx->pk );

 ctx->parent = NULL;
 ctx->fallback_parent = NULL;
@@ -2675,7 +2675,7 @@ void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx )
 if( ctx == NULL )
 return;

- mbedtls_ecdsa_restart_free( &ctx->ecdsa );
+ mbedtls_pk_restart_free( &ctx->pk );

 mbedtls_x509_crt_restart_init( ctx );
 }
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 6e8c032c1..176b08f98 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -127,12 +127,12 @@ void pk_rsa_verify_test_vec( char *message_hex_string, int digest,
 mbedtls_rsa_context *rsa;
 mbedtls_pk_context pk;
 int msg_len;
- void *rs_ctx = NULL;
+ mbedtls_pk_restart_ctx *rs_ctx = NULL;
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecdsa_restart_ctx ctx;
+ mbedtls_pk_restart_ctx ctx;

 rs_ctx = &ctx;
- mbedtls_ecdsa_restart_init( rs_ctx );
+ mbedtls_pk_restart_init( rs_ctx );
 mbedtls_ecp_set_max_ops( 42 );
 #endif

@@ -163,7 +163,7 @@ void pk_rsa_verify_test_vec( char *message_hex_string, int digest,

 exit:
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecdsa_restart_free( rs_ctx );
+ mbedtls_pk_restart_free( rs_ctx );
 #endif
 mbedtls_pk_free( &pk );
 }
@@ -274,7 +274,7 @@ void pk_sign_verify_restart( int pk_type, int grp_id, char *d_str,
 int max_ops, int min_restart, int max_restart )
 {
 int ret, cnt_restart;
- mbedtls_ecdsa_restart_ctx rs_ctx;
+ mbedtls_pk_restart_ctx rs_ctx;
 mbedtls_pk_context prv, pub;
 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
 unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
@@ -282,7 +282,7 @@ void pk_sign_verify_restart( int pk_type, int grp_id, char *d_str,
 size_t hlen, slen, slen_check;
 const mbedtls_md_info_t *md_info;

- mbedtls_ecdsa_restart_init( &rs_ctx );
+ mbedtls_pk_restart_init( &rs_ctx );
 mbedtls_pk_init( &prv );
 mbedtls_pk_init( &pub );
 memset( hash, 0, sizeof( hash ) );
@@ -351,7 +351,7 @@ void pk_sign_verify_restart( int pk_type, int grp_id, char *d_str,
 ret = mbedtls_pk_verify_restartable( &pub, md_alg, hash, hlen, sig, slen, &rs_ctx );
 TEST_ASSERT( ret == 0 || ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
- mbedtls_ecdsa_restart_free( &rs_ctx );
+ mbedtls_pk_restart_free( &rs_ctx );

 slen = sizeof( sig );
 ret = mbedtls_pk_sign_restartable( &prv, md_alg, hash, hlen,
@@ -359,7 +359,7 @@ void pk_sign_verify_restart( int pk_type, int grp_id, char *d_str,
 TEST_ASSERT( ret == 0 || ret == MBEDTLS_ERR_ECP_IN_PROGRESS );

 exit:
- mbedtls_ecdsa_restart_free( &rs_ctx );
+ mbedtls_pk_restart_free( &rs_ctx );
 mbedtls_pk_free( &prv );
 mbedtls_pk_free( &pub );
 }
@@ -373,10 +373,10 @@ void pk_sign_verify( int type, int sign_ret, int verify_ret )
 size_t sig_len;
 void *rs_ctx = NULL;
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecdsa_restart_ctx ctx;
+ mbedtls_pk_restart_ctx ctx;

 rs_ctx = &ctx;
- mbedtls_ecdsa_restart_init( rs_ctx );
+ mbedtls_pk_restart_init( rs_ctx );
 mbedtls_ecp_set_max_ops( 42000 );
 #endif

@@ -429,7 +429,7 @@ void pk_sign_verify( int type, int sign_ret, int verify_ret )

 exit:
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
- mbedtls_ecdsa_restart_free( rs_ctx );
+ mbedtls_pk_restart_free( rs_ctx );
 #endif
 mbedtls_pk_free( &pk );
 }
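Review bot: In `pk_sign_verify()` (hunk at -373) the context line `void *rs_ctx = NULL;` is left as it was, whereas the matching declaration in `pk_rsa_verify_test_vec()` (hunk at -127) becomes `mbedtls_pk_restart_ctx *rs_ctx = NULL;`. With `void *`, the calls `mbedtls_pk_restart_init( rs_ctx )` and `mbedtls_pk_restart_free( rs_ctx )` compile for any pointer, so this test does not exercise the type check the commit introduces. Change the declaration to `mbedtls_pk_restart_ctx *rs_ctx = NULL;`. The `rs_ctx` assigned in the two library/ssl_cli.c hunks is declared outside them and may need the same change.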