[Pal/lib] Remove redundant functionality from crypto

This commit simplifies the crypto code: - `rng-arch.h` header and its `get_rand64()` are replaced with `_DkRandomBitsRead()` and subsequently removed. - `lib_Base64Encode()` and `lib_Base64Decode()` are replaced with their mbedTLS counterparts and subsequently removed. - All mbedTLS wrappers are amalgamated in a single `mbedtls_adapter.c`. - `pal_crypto.h` header is renamed to `crypto.h` (it has nothing to do with PAL code). Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii@intel.com>
gramineproject · May 14, 2021 · adf6269 · adf6269
1 parent af31cd3
commit adf6269
Show file tree

Hide file tree

Showing 17 changed files with 123 additions and 236 deletions.
diff --git a/Pal/include/arch/x86_64/rng-arch.h b/Pal/include/arch/x86_64/rng-arch.h
diff --git a/Pal/include/lib/pal_crypto.h → Pal/include/lib/crypto.h b/Pal/include/lib/pal_crypto.h → Pal/include/lib/crypto.h
@@ -92,11 +92,6 @@ int lib_AESCMACInit(LIB_AESCMAC_CONTEXT* context, const uint8_t* key, size_t key
 int lib_AESCMACUpdate(LIB_AESCMAC_CONTEXT* context, const uint8_t* input, size_t input_size);
 int lib_AESCMACFinish(LIB_AESCMAC_CONTEXT* context, uint8_t* mac, size_t mac_size);
 
-// Encode and decode Base64 messages.
-// These two functions can be used to query encode and decode sizes if dst is given NULL
-int lib_Base64Encode(const uint8_t* src, size_t src_size, char* dst, size_t* dst_size);
-int lib_Base64Decode(const char* src, size_t src_size, uint8_t* dst, size_t* dst_size);
-
 /* SSL/TLS */
 int lib_SSLInit(LIB_SSL_CONTEXT* ssl_ctx, int stream_fd, bool is_server, const uint8_t* psk,
                 size_t psk_size, ssize_t (*pal_recv_cb)(int fd, void* buf, size_t buf_size),

diff --git a/Pal/lib/Makefile b/Pal/lib/Makefile
@@ -19,14 +19,7 @@ CFLAGS += \
 
 CRYPTO_PROVIDER ?= mbedtls
 
-# Select which crypto adpater you want to use here. This has to match
-# the #define in pal_crypto.h.
-#
-# Unfortunately, we cannot use just one .c file for the adapter. The LibOS
-# shim links against the crypto library, but it doesn't use Diffie-Hellman.
-# If the Diffie-Hellman stubs are in the same .o file as the SHA1 stubs,
-# this pulls Diffie-Hellman code into LibOS shim, resulting in unsatisfied
-# symbols.
+# Select which crypto adapter you want to use here. This has to match the #define in crypto.h.
 ifeq ($(CRYPTO_PROVIDER),mbedtls)
 crypto_mbedtls_library_objs = \
 	crypto/mbedtls/library/aes.o \
@@ -114,16 +107,11 @@ objs += \
 	string/utils.o \
 	toml.o
 
-$(addprefix $(target),crypto/adapters/mbedtls_adapter.o crypto/adapters/mbedtls_dh.o crypto/adapters/mbedtls_encoding.o): crypto/mbedtls/library/aes.c
+$(addprefix $(target),crypto/adapters/mbedtls_adapter.o): crypto/mbedtls/library/aes.c
 
 ifeq ($(CRYPTO_PROVIDER),mbedtls)
 CFLAGS += -DCRYPTO_USE_MBEDTLS
-ifeq ($(ARCH),x86_64)
-CFLAGS += -mrdrnd
-endif
 objs += crypto/adapters/mbedtls_adapter.o
-objs += crypto/adapters/mbedtls_dh.o
-objs += crypto/adapters/mbedtls_encoding.o
 endif
 
 .PHONY: all

diff --git a/Pal/lib/crypto/adapters/mbedtls_adapter.c b/Pal/lib/crypto/adapters/mbedtls_adapter.c
@@ -1,14 +1,14 @@
 /* SPDX-License-Identifier: LGPL-3.0-or-later */
 /* Copyright (C) 2017 Fortanix, Inc. */
-
-#include "mbedtls_adapter.h"
+/* Copyright (C) 2019 Texas A&M University */
 
 #include <errno.h>
 #include <limits.h>
 #include <stdint.h>
 
 #include "api.h"
 #include "assert.h"
+#include "crypto.h"
 #include "mbedtls/aes.h"
 #include "mbedtls/cmac.h"
 #include "mbedtls/entropy_poll.h"
@@ -17,13 +17,12 @@
 #include "mbedtls/net_sockets.h"
 #include "mbedtls/rsa.h"
 #include "mbedtls/sha256.h"
-#include "pal.h"
-#include "pal_crypto.h"
-#include "pal_debug.h"
 #include "pal_error.h"
-#include "rng-arch.h"
 
-int mbedtls_to_pal_error(int error) {
+/* This is declared in pal_internal.h, but that can't be included here. */
+int _DkRandomBitsRead(void* buffer, size_t size);
+
+static int mbedtls_to_pal_error(int error) {
     switch (error) {
         case 0:
             return 0;
@@ -108,13 +107,6 @@ int mbedtls_to_pal_error(int error) {
     }
 }
 
-#define BITS_PER_BYTE 8
-
-/* This is declared in pal_internal.h, but that can't be included here. */
-int _DkRandomBitsRead(void* buffer, size_t size);
-
-#define BITS_PER_BYTE 8
-
 int lib_SHA256Init(LIB_SHA256_CONTEXT* context) {
     mbedtls_sha256_init(context);
     mbedtls_sha256_starts(context, 0 /* 0 = use SSH256 */);
@@ -151,7 +143,7 @@ int lib_AESGCMEncrypt(const uint8_t* key, size_t key_size, const uint8_t* iv, co
     if (key_size != 16 && key_size != 24 && key_size != 32)
         goto out;
 
-    ret = mbedtls_gcm_setkey(&gcm, MBEDTLS_CIPHER_ID_AES, key, key_size * BITS_PER_BYTE);
+    ret = mbedtls_gcm_setkey(&gcm, MBEDTLS_CIPHER_ID_AES, key, key_size * BITS_IN_BYTE);
     ret = mbedtls_to_pal_error(ret);
     if (ret != 0)
         goto out;
@@ -179,7 +171,7 @@ int lib_AESGCMDecrypt(const uint8_t* key, size_t key_size, const uint8_t* iv, co
     if (key_size != 16 && key_size != 24 && key_size != 32)
         goto out;
 
-    ret = mbedtls_gcm_setkey(&gcm, MBEDTLS_CIPHER_ID_AES, key, key_size * BITS_PER_BYTE);
+    ret = mbedtls_gcm_setkey(&gcm, MBEDTLS_CIPHER_ID_AES, key, key_size * BITS_IN_BYTE);
     ret = mbedtls_to_pal_error(ret);
     if (ret != 0)
         goto out;
@@ -220,7 +212,7 @@ int lib_AESCMAC(const uint8_t* key, size_t key_size, const uint8_t* input, size_
         return -PAL_ERROR_INVAL;
     }
 
-    int ret = mbedtls_cipher_cmac(cipher_info, key, key_size * BITS_PER_BYTE, input, input_size,
+    int ret = mbedtls_cipher_cmac(cipher_info, key, key_size * BITS_IN_BYTE, input, input_size,
                                   mac);
     return mbedtls_to_pal_error(ret);
 }
@@ -246,7 +238,7 @@ int lib_AESCMACInit(LIB_AESCMAC_CONTEXT* context, const uint8_t* key, size_t key
     if (ret != 0)
         return mbedtls_to_pal_error(ret);
 
-    ret = mbedtls_cipher_cmac_starts(&context->ctx, key, key_size * BITS_PER_BYTE);
+    ret = mbedtls_cipher_cmac_starts(&context->ctx, key, key_size * BITS_IN_BYTE);
     return mbedtls_to_pal_error(ret);
 }
 
@@ -275,12 +267,9 @@ int mbedtls_hardware_poll(void* data, unsigned char* output, size_t len, size_t*
     assert(output && olen);
     *olen = 0;
 
-    unsigned long long rand64;
-    for (size_t i = 0; i < len; i += sizeof(rand64)) {
-        rand64 = get_rand64();
-        size_t over = i + sizeof(rand64) < len ? 0 : i + sizeof(rand64) - len;
-        memcpy(output + i, &rand64, sizeof(rand64) - over);
-    }
+    int ret = _DkRandomBitsRead(output, len);
+    if (ret < 0)
+        return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
 
     *olen = len;
     return 0;
@@ -431,3 +420,68 @@ int lib_SSLSave(LIB_SSL_CONTEXT* ssl_ctx, uint8_t* buf, size_t buf_size, size_t*
     }
     return 0;
 }
+
+/* Wrapper to provide mbedtls the RNG interface it expects. It passes an extra context parameter,
+ * and expects a return value of 0 for success and nonzero for failure. */
+static int RandomWrapper(void* private, unsigned char* data, size_t size) {
+    __UNUSED(private);
+    return _DkRandomBitsRead(data, size);
+}
+
+int lib_DhInit(LIB_DH_CONTEXT* context) {
+    int ret;
+    mbedtls_dhm_init(context);
+
+    /* Configure parameters. Note that custom Diffie-Hellman parameters are considered more secure,
+     * but require more data be exchanged between the two parties to establish the parameters, so we
+     * haven't implemented that yet. */
+    ret = mbedtls_mpi_read_string(&context->P, 16 /* radix */, MBEDTLS_DHM_RFC3526_MODP_2048_P);
+    if (ret < 0)
+        return mbedtls_to_pal_error(ret);
+
+    ret = mbedtls_mpi_read_string(&context->G, 16 /* radix */, MBEDTLS_DHM_RFC3526_MODP_2048_G);
+    if (ret < 0)
+        return mbedtls_to_pal_error(ret);
+
+    context->len = mbedtls_mpi_size(&context->P);
+
+    return 0;
+}
+
+int lib_DhCreatePublic(LIB_DH_CONTEXT* context, uint8_t* public, size_t* public_size) {
+    int ret;
+
+    if (*public_size != DH_SIZE)
+        return -PAL_ERROR_INVAL;
+
+    /* The RNG here is used to generate secret exponent X. */
+    ret = mbedtls_dhm_make_public(context, context->len, public, *public_size, RandomWrapper, NULL);
+    if (ret < 0)
+        return mbedtls_to_pal_error(ret);
+
+    /* mbedtls writes leading zeros in the big-endian output to pad to public_size, so leave
+     * caller's public_size unchanged */
+    return 0;
+}
+
+int lib_DhCalcSecret(LIB_DH_CONTEXT* context, uint8_t* peer, size_t peer_size, uint8_t* secret,
+                     size_t* secret_size) {
+    int ret;
+
+    if (*secret_size != DH_SIZE)
+        return -PAL_ERROR_INVAL;
+
+    ret = mbedtls_dhm_read_public(context, peer, peer_size);
+    if (ret < 0)
+        return mbedtls_to_pal_error(ret);
+
+    /* The RNG here is used for blinding against timing attacks if X is reused and not used
+     * otherwise. mbedtls recommends always passing in an RNG. */
+    ret = mbedtls_dhm_calc_secret(context, secret, *secret_size, secret_size, RandomWrapper, NULL);
+    return mbedtls_to_pal_error(ret);
+}
+
+void lib_DhFinal(LIB_DH_CONTEXT* context) {
+    /* This call zeros out context for us. */
+    mbedtls_dhm_free(context);
+}
diff --git a/Pal/lib/crypto/adapters/mbedtls_adapter.h b/Pal/lib/crypto/adapters/mbedtls_adapter.h
diff --git a/Pal/lib/crypto/adapters/mbedtls_dh.c b/Pal/lib/crypto/adapters/mbedtls_dh.c
diff --git a/Pal/lib/crypto/adapters/mbedtls_encoding.c b/Pal/lib/crypto/adapters/mbedtls_encoding.c
diff --git a/Pal/src/host/Linux-SGX/db_pipes.c b/Pal/src/host/Linux-SGX/db_pipes.c
@@ -12,8 +12,8 @@
 
 #include "api.h"
 #include "cpu.h"
+#include "crypto.h"
 #include "pal.h"
-#include "pal_crypto.h"
 #include "pal_debug.h"
 #include "pal_defs.h"
 #include "pal_error.h"
@@ -23,7 +23,6 @@
 #include "pal_linux_error.h"
 #include "pal_security.h"
 
-
 static int pipe_addr(const char* name, struct sockaddr_un* addr) {
     /* use abstract UNIX sockets for pipes, with name format "@/graphene/<pipename>" */
     addr->sun_family = AF_UNIX;