diff --git a/tools/sdk/include/bearssl/bearssl_aead.h b/tools/sdk/include/bearssl/bearssl_aead.h
index c495dc20db..8e35a1fdeb 100644
--- a/tools/sdk/include/bearssl/bearssl_aead.h
+++ b/tools/sdk/include/bearssl/bearssl_aead.h
@@ -877,7 +877,7 @@ extern const br_aead_class br_eax_vtable;
  * can still be provided by chunks, but the total size must match
  * the value provided upon initialisation.
  *
- * - The nonce length is constrained betwen 7 and 13 bytes (inclusive).
+ * - The nonce length is constrained between 7 and 13 bytes (inclusive).
  * Furthermore, the plaintext length, when encoded, must fit over
  * 15-nonceLen bytes; thus, if the nonce has length 13 bytes, then
  * the plaintext length cannot exceed 65535 bytes.
diff --git a/tools/sdk/include/bearssl/bearssl_git.h b/tools/sdk/include/bearssl/bearssl_git.h
index 22f0c2915f..e59da25da1 100644
--- a/tools/sdk/include/bearssl/bearssl_git.h
+++ b/tools/sdk/include/bearssl/bearssl_git.h
@@ -1,2 +1,2 @@ // Do not edit -- Automatically generated by tools/sdk/ssl/bearssl/Makefile -#define BEARSSL_GIT 94e9704 +#define BEARSSL_GIT 6d1cefc
diff --git a/tools/sdk/include/bearssl/bearssl_hash.h b/tools/sdk/include/bearssl/bearssl_hash.h
index 860ab718b3..3b15ba7ca4 100644
--- a/tools/sdk/include/bearssl/bearssl_hash.h
+++ b/tools/sdk/include/bearssl/bearssl_hash.h
@@ -93,7 +93,7 @@ extern "C" {
  * - `br_xxx_out(const br_xxx_context *ctx, void *out)`
  *
  * Complete the hash computation and write the result in the provided
- * buffer. The output buffer MUST be large enough to accomodate the
+ * buffer. The output buffer MUST be large enough to accommodate the
  * result. The context is NOT modified by this operation, so this
  * function can be used to get a "partial hash" while still keeping
  * the possibility of adding more bytes to the input.
diff --git a/tools/sdk/include/bearssl/bearssl_hmac.h b/tools/sdk/include/bearssl/bearssl_hmac.h
index 511dbbe438..14147d8586 100644
--- a/tools/sdk/include/bearssl/bearssl_hmac.h
+++ b/tools/sdk/include/bearssl/bearssl_hmac.h
@@ -155,7 +155,7 @@ void br_hmac_update(br_hmac_context *ctx, const void *data, size_t len);
 /**
  * \brief Compute the HMAC output.
  *
- * The destination buffer MUST be large enough to accomodate the result;
+ * The destination buffer MUST be large enough to accommodate the result;
  * its length is at most the "natural length" of HMAC (i.e. the output
  * length of the underlying hash function). The context is NOT modified;
  * further bytes may be processed. Thus, "partial HMAC" values can be
diff --git a/tools/sdk/include/bearssl/bearssl_prf.h b/tools/sdk/include/bearssl/bearssl_prf.h
index 9d54ad8d34..fdf608c853 100644
--- a/tools/sdk/include/bearssl/bearssl_prf.h
+++ b/tools/sdk/include/bearssl/bearssl_prf.h
@@ -37,7 +37,7 @@ extern "C" {
  * # The TLS PRF
  *
  * The "PRF" is the pseudorandom function used internally during the
- * SSL/TLS handshake, notably to expand negociated shared secrets into
+ * SSL/TLS handshake, notably to expand negotiated shared secrets into
  * the symmetric encryption keys that will be used to process the
  * application data.
  *
diff --git a/tools/sdk/include/bearssl/bearssl_rand.h b/tools/sdk/include/bearssl/bearssl_rand.h
index 37379d2bf8..060cb40273 100644
--- a/tools/sdk/include/bearssl/bearssl_rand.h
+++ b/tools/sdk/include/bearssl/bearssl_rand.h
@@ -279,7 +279,7 @@ typedef int (*br_prng_seeder)(const br_prng_class **ctx);
  * is returned.
  *
  * If `name` is not `NULL`, then `*name` is set to a symbolic string
- * that identifies the seeder implemention. If no seeder is returned
+ * that identifies the seeder implementation. If no seeder is returned
  * and `name` is not `NULL`, then `*name` is set to a pointer to the
  * constant string `"none"`.
  *
diff --git a/tools/sdk/include/bearssl/bearssl_rsa.h b/tools/sdk/include/bearssl/bearssl_rsa.h
index 3d5c26a322..ac0415f9e7 100644
--- a/tools/sdk/include/bearssl/bearssl_rsa.h
+++ b/tools/sdk/include/bearssl/bearssl_rsa.h
@@ -277,6 +277,57 @@ typedef uint32_t (*br_rsa_pkcs1_vrfy)(const unsigned char *x, size_t xlen, const unsigned char *hash_oid, size_t hash_len, const br_rsa_public_key *pk, unsigned char *hash_out);
+/**
+ * \brief Type for a RSA encryption engine (OAEP).
+ *
+ * Parameters are:
+ *
+ * - A source of random bytes. The source must be already initialized.
+ *
+ * - A hash function, used internally with the mask generation function
+ * (MGF1).
+ *
+ * - A label. The `label` pointer may be `NULL` if `label_len` is zero
+ * (an empty label, which is the default in PKCS#1 v2.2).
+ *
+ * - The public key.
+ *
+ * - The destination buffer. Its maximum length (in bytes) is provided;
+ * if that length is lower than the public key length, then an error
+ * is reported.
+ *
+ * - The source message.
+ *
+ * The encrypted message output has exactly the same length as the modulus
+ * (mathematical length, in bytes, not counting extra leading zeros in the
+ * modulus representation in the public key).
+ *
+ * The source message (`src`, length `src_len`) may overlap with the
+ * destination buffer (`dst`, length `dst_max_len`).
+ *
+ * This function returns the actual encrypted message length, in bytes;
+ * on error, zero is returned. An error is reported if the output buffer
+ * is not large enough, or the public is invalid, or the public key
+ * modulus exceeds the maximum supported RSA size.
+ *
+ * \param rnd source of random bytes.
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param pk RSA public key.
+ * \param dst destination buffer.
+ * \param dst_max_len destination buffer length (maximum encrypted data size).
+ * \param src message to encrypt.
+ * \param src_len source message length (in bytes).
+ * \return encrypted message length (in bytes), or 0 on error.
+ */
+typedef size_t (*br_rsa_oaep_encrypt)(
+ const br_prng_class **rnd, const br_hash_class *dig,
+ const void *label, size_t label_len,
+ const br_rsa_public_key *pk,
+ void *dst, size_t dst_max_len,
+ const void *src, size_t src_len);
+
 /**
  * \brief Type for a RSA private key engine.
  *
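Review bot: The error conditions listed for `br_rsa_oaep_encrypt` leave out a source message that is too long for OAEP, and the sentence reads "or the public is invalid" where "public key" is meant. OAEP can carry at most k - 2*hLen - 2 bytes (k the modulus length, hLen the output length of `dig`), so the comment should state that bound, e.g. `src_len must not exceed the modulus length minus (2*hLen + 2) bytes, else 0 is returned`; the engines are not part of this diff, so confirm that they do return 0 in that case. Since `src` may overlap `dst`, one more line should say whether `dst` can already have been overwritten when 0 is returned, so callers know not to transmit or reuse it. The same parameter text is repeated on the i15/i31/i32/i62 encrypt prototypes in the @@ -736 hunk.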
@@ -362,6 +413,47 @@ typedef uint32_t (*br_rsa_pkcs1_sign)(const unsigned char *hash_oid, #define BR_HASH_OID_SHA512 \ ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03")
+/**
+ * \brief Type for a RSA decryption engine (OAEP).
+ *
+ * Parameters are:
+ *
+ * - A hash function, used internally with the mask generation function
+ * (MGF1).
+ *
+ * - A label. The `label` pointer may be `NULL` if `label_len` is zero
+ * (an empty label, which is the default in PKCS#1 v2.2).
+ *
+ * - The private key.
+ *
+ * - The source and destination buffer. The buffer initially contains
+ * the encrypted message; the buffer contents are altered, and the
+ * decrypted message is written at the start of that buffer
+ * (decrypted message is always shorter than the encrypted message).
+ *
+ * If decryption fails in any way, then `*len` is unmodified, and the
+ * function returns 0. Otherwise, `*len` is set to the decrypted message
+ * length, and 1 is returned. The implementation is responsible for
+ * checking that the input message length matches the key modulus length,
+ * and that the padding is correct.
+ *
+ * Implementations MUST use constant-time check of the validity of the
+ * OAEP padding, at least until the leading byte and hash value have
+ * been checked. Whether overall decryption worked, and the length of
+ * the decrypted message, may leak.
+ *
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param sk RSA private key.
+ * \param data input/output buffer.
+ * \param len encrypted/decrypted message length.
+ * \return 1 on success, 0 on error.
+ */
+typedef uint32_t (*br_rsa_oaep_decrypt)(
+ const br_hash_class *dig, const void *label, size_t label_len,
+ const br_rsa_private_key *sk, void *data, size_t *len);
+
 /*
  * RSA "i32" engine.
Integers are internally represented as arrays of
  * 32-bit integers, and the core multiplication primitive is the
@@ -501,7 +593,7 @@ uint32_t br_rsa_i31_pkcs1_sign(const unsigned char *hash_oid,
  *
  * This function is defined only on architecture that offer a 64x64->128
  * opcode. Use `br_rsa_i62_public_get()` to dynamically obtain a pointer
- * to that functiom.
+ * to that function.
  *
  * \see br_rsa_public
  *
@@ -518,7 +610,7 @@ uint32_t br_rsa_i62_public(unsigned char *x, size_t xlen,
  *
  * This function is defined only on architecture that offer a 64x64->128
  * opcode. Use `br_rsa_i62_pkcs1_vrfy_get()` to dynamically obtain a pointer
- * to that functiom.
+ * to that function.
  *
  * \see br_rsa_pkcs1_vrfy
  *
@@ -539,7 +631,7 @@ uint32_t br_rsa_i62_pkcs1_vrfy(const unsigned char *x, size_t xlen,
  *
  * This function is defined only on architecture that offer a 64x64->128
  * opcode. Use `br_rsa_i62_private_get()` to dynamically obtain a pointer
- * to that functiom.
+ * to that function.
  *
  * \see br_rsa_private
  *
@@ -555,7 +647,7 @@ uint32_t br_rsa_i62_private(unsigned char *x,
  *
  * This function is defined only on architecture that offer a 64x64->128
  * opcode. Use `br_rsa_i62_pkcs1_sign_get()` to dynamically obtain a pointer
- * to that functiom.
+ * to that function.
  *
  * \see br_rsa_pkcs1_sign
  *
@@ -602,6 +694,22 @@ br_rsa_private br_rsa_i62_private_get(void);
  */
 br_rsa_pkcs1_sign br_rsa_i62_pkcs1_sign_get(void);
+/**
+ * \brief Get the RSA "i62" implementation (OAEP encryption),
+ * if available.
+ *
+ * \return the implementation, or 0.
+ */
+br_rsa_oaep_encrypt br_rsa_i62_oaep_encrypt_get(void);
+
+/**
+ * \brief Get the RSA "i62" implementation (OAEP decryption),
+ * if available.
+ *
+ * \return the implementation, or 0.
+ */
+br_rsa_oaep_decrypt br_rsa_i62_oaep_decrypt_get(void);
+
 /*
  * RSA "i15" engine. Integers are represented as 15-bit integers, so
  * the code uses only 32-bit multiplication (no 64-bit result), which
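Review bot: The `br_rsa_oaep_decrypt` comment says the buffer contents are altered and that `*len` is left unmodified on failure, but it never says the buffer is unusable after a 0 return, when `data` may hold intermediate output while `*len` still reads as the ciphertext length. I would add `On failure the contents of data are unspecified and must not be used.` and change the parameter line to `\param len in: encrypted message length; out: decrypted message length (unchanged on failure).`, here and on the four `br_rsa_*_oaep_decrypt` prototypes in the @@ -736 hunk. Because the comment explicitly allows the success/failure outcome to leak, it should also tell callers to report every failure to the peer in the same way, so the constant-time padding check is not undone by distinguishable errors one layer up.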
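Review bot: `\return the implementation, or 0.` on the two new i62 getters (the @@ -602 hunk) does not say when 0 comes back or that the result must be tested before it is called. The brief already says "if available", so the return line could read `\return the implementation, or 0 if the "i62" engine is unavailable on this target; check before calling.` The direct `br_rsa_i62_oaep_encrypt` and `br_rsa_i62_oaep_decrypt` prototypes in the @@ -736 hunk are declared unconditionally, so a caller that skips the getter still compiles and presumably fails only at link time on targets without the 64x64->128 opcode.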
@@ -706,6 +814,26 @@ br_rsa_pkcs1_vrfy br_rsa_pkcs1_vrfy_get_default(void);
  */
 br_rsa_pkcs1_sign br_rsa_pkcs1_sign_get_default(void);
+/**
+ * \brief Get "default" RSA implementation (OAEP encryption).
+ *
+ * This returns the preferred implementation of RSA (OAEP encryption)
+ * on the current system.
+ *
+ * \return the default implementation.
+ */
+br_rsa_oaep_encrypt br_rsa_oaep_encrypt_get_default(void);
+
+/**
+ * \brief Get "default" RSA implementation (OAEP decryption).
+ *
+ * This returns the preferred implementation of RSA (OAEP decryption)
+ * on the current system.
+ *
+ * \return the default implementation.
+ */
+br_rsa_oaep_decrypt br_rsa_oaep_decrypt_get_default(void);
+
 /**
  * \brief RSA decryption helper, for SSL/TLS.
  *
@@ -736,6 +864,174 @@ br_rsa_pkcs1_sign br_rsa_pkcs1_sign_get_default(void);
 uint32_t br_rsa_ssl_decrypt(br_rsa_private core, const br_rsa_private_key *sk, unsigned char *data, size_t len);
+/**
+ * \brief RSA encryption (OAEP) with the "i15" engine.
+ *
+ * \see br_rsa_oaep_encrypt
+ *
+ * \param rnd source of random bytes.
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param pk RSA public key.
+ * \param dst destination buffer.
+ * \param dst_max_len destination buffer length (maximum encrypted data size).
+ * \param src message to encrypt.
+ * \param src_len source message length (in bytes).
+ * \return encrypted message length (in bytes), or 0 on error.
+ */
+size_t br_rsa_i15_oaep_encrypt(
+ const br_prng_class **rnd, const br_hash_class *dig,
+ const void *label, size_t label_len,
+ const br_rsa_public_key *pk,
+ void *dst, size_t dst_max_len,
+ const void *src, size_t src_len);
+
+/**
+ * \brief RSA decryption (OAEP) with the "i15" engine.
+ *
+ * \see br_rsa_oaep_decrypt
+ *
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param sk RSA private key.
+ * \param data input/output buffer.
+ * \param len encrypted/decrypted message length.
+ * \return 1 on success, 0 on error.
+ */
+uint32_t br_rsa_i15_oaep_decrypt(
+ const br_hash_class *dig, const void *label, size_t label_len,
+ const br_rsa_private_key *sk, void *data, size_t *len);
+
+/**
+ * \brief RSA encryption (OAEP) with the "i31" engine.
+ *
+ * \see br_rsa_oaep_encrypt
+ *
+ * \param rnd source of random bytes.
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param pk RSA public key.
+ * \param dst destination buffer.
+ * \param dst_max_len destination buffer length (maximum encrypted data size).
+ * \param src message to encrypt.
+ * \param src_len source message length (in bytes).
+ * \return encrypted message length (in bytes), or 0 on error.
+ */
+size_t br_rsa_i31_oaep_encrypt(
+ const br_prng_class **rnd, const br_hash_class *dig,
+ const void *label, size_t label_len,
+ const br_rsa_public_key *pk,
+ void *dst, size_t dst_max_len,
+ const void *src, size_t src_len);
+
+/**
+ * \brief RSA decryption (OAEP) with the "i31" engine.
+ *
+ * \see br_rsa_oaep_decrypt
+ *
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param sk RSA private key.
+ * \param data input/output buffer.
+ * \param len encrypted/decrypted message length.
+ * \return 1 on success, 0 on error.
+ */
+uint32_t br_rsa_i31_oaep_decrypt(
+ const br_hash_class *dig, const void *label, size_t label_len,
+ const br_rsa_private_key *sk, void *data, size_t *len);
+
+/**
+ * \brief RSA encryption (OAEP) with the "i32" engine.
+ *
+ * \see br_rsa_oaep_encrypt
+ *
+ * \param rnd source of random bytes.
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param pk RSA public key.
+ * \param dst destination buffer.
+ * \param dst_max_len destination buffer length (maximum encrypted data size).
+ * \param src message to encrypt.
+ * \param src_len source message length (in bytes).
+ * \return encrypted message length (in bytes), or 0 on error.
+ */
+size_t br_rsa_i32_oaep_encrypt(
+ const br_prng_class **rnd, const br_hash_class *dig,
+ const void *label, size_t label_len,
+ const br_rsa_public_key *pk,
+ void *dst, size_t dst_max_len,
+ const void *src, size_t src_len);
+
+/**
+ * \brief RSA decryption (OAEP) with the "i32" engine.
+ *
+ * \see br_rsa_oaep_decrypt
+ *
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param sk RSA private key.
+ * \param data input/output buffer.
+ * \param len encrypted/decrypted message length.
+ * \return 1 on success, 0 on error.
+ */
+uint32_t br_rsa_i32_oaep_decrypt(
+ const br_hash_class *dig, const void *label, size_t label_len,
+ const br_rsa_private_key *sk, void *data, size_t *len);
+
+/**
+ * \brief RSA encryption (OAEP) with the "i62" engine.
+ *
+ * This function is defined only on architecture that offer a 64x64->128
+ * opcode. Use `br_rsa_i62_oaep_encrypt_get()` to dynamically obtain a pointer
+ * to that function.
+ *
+ * \see br_rsa_oaep_encrypt
+ *
+ * \param rnd source of random bytes.
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param pk RSA public key.
+ * \param dst destination buffer.
+ * \param dst_max_len destination buffer length (maximum encrypted data size).
+ * \param src message to encrypt.
+ * \param src_len source message length (in bytes).
+ * \return encrypted message length (in bytes), or 0 on error.
+ */
+size_t br_rsa_i62_oaep_encrypt(
+ const br_prng_class **rnd, const br_hash_class *dig,
+ const void *label, size_t label_len,
+ const br_rsa_public_key *pk,
+ void *dst, size_t dst_max_len,
+ const void *src, size_t src_len);
+
+/**
+ * \brief RSA decryption (OAEP) with the "i62" engine.
+ *
+ * This function is defined only on architecture that offer a 64x64->128
+ * opcode. Use `br_rsa_i62_oaep_decrypt_get()` to dynamically obtain a pointer
+ * to that function.
+ *
+ * \see br_rsa_oaep_decrypt
+ *
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param sk RSA private key.
+ * \param data input/output buffer.
+ * \param len encrypted/decrypted message length.
+ * \return 1 on success, 0 on error.
+ */
+uint32_t br_rsa_i62_oaep_decrypt(
+ const br_hash_class *dig, const void *label, size_t label_len,
+ const br_rsa_private_key *sk, void *data, size_t *len);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/tools/sdk/include/bearssl/bearssl_ssl.h b/tools/sdk/include/bearssl/bearssl_ssl.h
index 6640bc6518..2a4fadadd8 100644
--- a/tools/sdk/include/bearssl/bearssl_ssl.h
+++ b/tools/sdk/include/bearssl/bearssl_ssl.h
@@ -1278,7 +1278,7 @@ br_ssl_engine_get_hash(br_ssl_engine_context *ctx, int id)
 /**
  * \brief Set the PRF implementation (for TLS 1.0 and 1.1).
  *
- * This function sets (or removes, if `impl` is `NULL`) the implemenation
+ * This function sets (or removes, if `impl` is `NULL`) the implementation
  * for the PRF used in TLS 1.0 and 1.1.
  *
  * \param cc SSL engine context.
@@ -1293,7 +1293,7 @@ br_ssl_engine_set_prf10(br_ssl_engine_context *cc, br_tls_prf_impl impl)
 /**
  * \brief Set the PRF implementation with SHA-256 (for TLS 1.2).
  *
- * This function sets (or removes, if `impl` is `NULL`) the implemenation
+ * This function sets (or removes, if `impl` is `NULL`) the implementation
  * for the SHA-256 variant of the PRF used in TLS 1.2.
  *
  * \param cc SSL engine context.
@@ -1308,7 +1308,7 @@ br_ssl_engine_set_prf_sha256(br_ssl_engine_context *cc, br_tls_prf_impl impl)
 /**
  * \brief Set the PRF implementation with SHA-384 (for TLS 1.2).
  *
- * This function sets (or removes, if `impl` is `NULL`) the implemenation
+ * This function sets (or removes, if `impl` is `NULL`) the implementation
  * for the SHA-384 variant of the PRF used in TLS 1.2.
  *
  * \param cc SSL engine context.
@@ -1916,7 +1916,7 @@ br_ssl_engine_last_error(const br_ssl_engine_context *cc)
  * Informs the engine that 'len' bytes have been read from the buffer
  * (extract operation) or written to the buffer (inject operation).
  * The 'len' value MUST NOT be zero. The 'len' value MUST NOT exceed
- * that which was obtained from a preceeding br_ssl_engine_xxx_buf()
+ * that which was obtained from a preceding br_ssl_engine_xxx_buf()
  * call.
  */
@@ -2517,7 +2517,7 @@ struct br_ssl_client_context_ {
  * then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
  * or 2 to 6 for the SHA family).
  *
- * - If ECDSA is suported with hash function of ID `x`, then bit `8+x`
+ * - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
  * is set.
  *
  * - Newer algorithms are symbolic 16-bit identifiers that do not
@@ -3564,7 +3564,7 @@ br_ssl_server_get_client_suites(const br_ssl_server_context *cc, size_t *num)
  * then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
  * or 2 to 6 for the SHA family).
  *
- * - If ECDSA is suported with hash function of ID `x`, then bit `8+x`
+ * - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
  * is set.
  *
  * - Newer algorithms are symbolic 16-bit identifiers that do not
diff --git a/tools/sdk/include/bearssl/bearssl_x509.h b/tools/sdk/include/bearssl/bearssl_x509.h
index af01693f0e..fee49d41b4 100644
--- a/tools/sdk/include/bearssl/bearssl_x509.h
+++ b/tools/sdk/include/bearssl/bearssl_x509.h
@@ -360,7 +360,7 @@ typedef struct {
  * - `end_chain()` is called when the last certificate in the chain
  * was processed.
  * - `get_pkey()` is called after chain processing, if the chain
- * validation was succesfull.
+ * validation was successful.
  *
  * A context structure may be reused; the `start_chain()` method shall
  * ensure (re)initialisation.
diff --git a/tools/sdk/lib/libbearssl.a b/tools/sdk/lib/libbearssl.a
index d145f0996a..f1072391a9 100644
Binary files a/tools/sdk/lib/libbearssl.a and b/tools/sdk/lib/libbearssl.a differ
diff --git a/tools/sdk/ssl/bearssl b/tools/sdk/ssl/bearssl
index 94e97043bb..6d1cefcf70 160000
--- a/tools/sdk/ssl/bearssl
+++ b/tools/sdk/ssl/bearssl
@@ -1 +1 @@
-Subproject commit 94e97043bbdebed43ecd9372bd7fd21d45bd789f
+Subproject commit 6d1cefcf70fcfefb4628047b7376a7147f2130cf