nodemcu-firmware/app/include/mbedtls/pkcs11.h

/**
 * \file pkcs11.h
 *
 * \brief Wrapper for PKCS#11 library libpkcs11-helper
 *
 * \author Adriaan de Jong <dejong@fox-it.com>
 */
/*
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */
#ifndef MBEDTLS_PKCS11_H
#define MBEDTLS_PKCS11_H

#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif

#if defined(MBEDTLS_PKCS11_C)

#include "x509_crt.h"

#include <pkcs11-helper-1.0/pkcs11h-certificate.h>

#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
    !defined(inline) && !defined(__cplusplus)
#define inline __inline
#endif

#ifdef __cplusplus
extern "C" {
#endif

/**
 * Context for PKCS #11 private keys.
 */
typedef struct mbedtls_pkcs11_context
{
        pkcs11h_certificate_t pkcs11h_cert;
        int len;
} mbedtls_pkcs11_context;

/**
 * Initialize a mbedtls_pkcs11_context.
 * (Just making memory references valid.)
 */
void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );

/**
 * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
 *
 * \param cert          X.509 certificate to fill
 * \param pkcs11h_cert  PKCS #11 helper certificate
 *
 * \return              0 on success.
 */
int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );

/**
 * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
 * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
 * done.
 *
 * \param priv_key      Private key structure to fill.
 * \param pkcs11_cert   PKCS #11 helper certificate
 *
 * \return              0 on success
 */
int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
        pkcs11h_certificate_t pkcs11_cert );

/**
 * Free the contents of the given private key context. Note that the structure
 * itself is not freed.
 *
 * \param priv_key      Private key structure to cleanup
 */
void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );

/**
 * \brief          Do an RSA private key decrypt, then remove the message
 *                 padding
 *
 * \param ctx      PKCS #11 context
 * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
 * \param input    buffer holding the encrypted data
 * \param output   buffer that will hold the plaintext
 * \param olen     will contain the plaintext length
 * \param output_max_len    maximum length of the output buffer
 *
 * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
 *
 * \note           The output buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
 *                 an error is thrown.
 */
int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
                       int mode, size_t *olen,
                       const unsigned char *input,
                       unsigned char *output,
                       size_t output_max_len );

/**
 * \brief          Do a private RSA to sign a message digest
 *
 * \param ctx      PKCS #11 context
 * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
 * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
 * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
 * \param hash     buffer holding the message digest
 * \param sig      buffer that will hold the ciphertext
 *
 * \return         0 if the signing operation was successful,
 *                 or an MBEDTLS_ERR_RSA_XXX error code
 *
 * \note           The "sig" buffer must be as large as the size
 *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
 */
int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
                    int mode,
                    mbedtls_md_type_t md_alg,
                    unsigned int hashlen,
                    const unsigned char *hash,
                    unsigned char *sig );

/**
 * SSL/TLS wrappers for PKCS#11 functions
 */
static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
                        const unsigned char *input, unsigned char *output,
                        size_t output_max_len )
{
    return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
                           output_max_len );
}

static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
                     int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
                     const unsigned char *hash, unsigned char *sig )
{
    ((void) f_rng);
    ((void) p_rng);
    return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
                        hashlen, hash, sig );
}

static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
{
    return ( (mbedtls_pkcs11_context *) ctx )->len;
}

#ifdef __cplusplus
}
#endif

#endif /* MBEDTLS_PKCS11_C */

#endif /* MBEDTLS_PKCS11_H */
Upgrade to SDK 2.0.0 (#1435) * Update LWIP from SDK * mbedTLS integration * Fix argument type in dbg_printf (#1624) * Migrate to espressif’s download center (#1604) * Fixed BBS links to firmware * Adjust net module docs with mbedTLS info * Remove unrelevant axTLS notice 2016-12-11 21:03:00 +01:00			`/**`
			`* \file pkcs11.h`
			`*`
			`* \brief Wrapper for PKCS#11 library libpkcs11-helper`
			`*`
			`* \author Adriaan de Jong <dejong@fox-it.com>`
Update mbedTLS to 2.7.0 (#2267) * mbedtls 2.7.0 (mbedtls-2.7.0-0-g32605dc8) Wholesale import, with a few changes from earlier preserved through. Ideally we would soon get to the point of having no divergences from upstream. * tls: add function to adjust mbedTLS debug level 2018-03-03 23:28:26 +01:00			`*/`
			`/*`
Upgrade to SDK 2.0.0 (#1435) * Update LWIP from SDK * mbedTLS integration * Fix argument type in dbg_printf (#1624) * Migrate to espressif’s download center (#1604) * Fixed BBS links to firmware * Adjust net module docs with mbedTLS info * Remove unrelevant axTLS notice 2016-12-11 21:03:00 +01:00			`* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved`
			`* SPDX-License-Identifier: Apache-2.0`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License"); you may`
			`* not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT`
			`* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*`
			`* This file is part of mbed TLS (https://tls.mbed.org)`
			`*/`
			`#ifndef MBEDTLS_PKCS11_H`
			`#define MBEDTLS_PKCS11_H`

			`#if !defined(MBEDTLS_CONFIG_FILE)`
			`#include "config.h"`
			`#else`
			`#include MBEDTLS_CONFIG_FILE`
			`#endif`

			`#if defined(MBEDTLS_PKCS11_C)`

			`#include "x509_crt.h"`

			`#include <pkcs11-helper-1.0/pkcs11h-certificate.h>`

			`#if ( defined(__ARMCC_VERSION) \|\| defined(_MSC_VER) ) && \`
			`!defined(inline) && !defined(__cplusplus)`
			`#define inline __inline`
			`#endif`

			`#ifdef __cplusplus`
			`extern "C" {`
			`#endif`

			`/**`
			`* Context for PKCS #11 private keys.`
			`*/`
SSL rampage (#2938) * Remove stale putative MD2 support This hasn't worked in a while, presumably since one of our upstream merges. Don't bother making it work, since MD2 is generally considered insecure. * Land mbedtls 2.16.3-77-gf02988e57 * TLS: remove some dead code from espconn_mbedtls There was some... frankly kind of scary buffer and data shuffling if ESP8266_PLATFORM was defined. Since we don't, in fact, define that preprocessor symbol, just drop the code lest anyone (possibly future-me) be scared. * TLS: espconn_mbedtls: run through astyle No functional changes * TLS: espconn_mbedtls: put the file_params on the stack There's no need to malloc a structure that's used only locally. * TLS: Further minor tidying of mbedtls glue What an absolute shitshow this is. mbedtls should absolutely not be mentioned inside sys/socket.h and app/mbedtls/app/lwIPSocket.c is not so much glue as it as a complete copy of a random subset of lwIP; it should go, but we aren't there yet. Get rid of the mysterious "mbedlts_record" struct, which housed merely a length of bytes sent solely for gating the "record sent" callback. Remove spurious __attribute__((weak)) from symbols not otherwise defined and rename them to emphasize that they are not actually part of mbedtls proper. * TLS: Rampage esp mbedtls glue and delete unused code This at least makes the shitshow smaller * TLS: lwip: fix some memp definitions I presume these also need the new arguments * TLS: Remove more non-NodeMCU code from our mbedtls * TLS: drop support for 1.1 Depending on who you ask it's either EOL already or EOL soon, so we may as well get rid of it now. 2019-12-27 14:17:44 +01:00			`typedef struct mbedtls_pkcs11_context`
			`{`
Upgrade to SDK 2.0.0 (#1435) * Update LWIP from SDK * mbedTLS integration * Fix argument type in dbg_printf (#1624) * Migrate to espressif’s download center (#1604) * Fixed BBS links to firmware * Adjust net module docs with mbedTLS info * Remove unrelevant axTLS notice 2016-12-11 21:03:00 +01:00			`pkcs11h_certificate_t pkcs11h_cert;`
			`int len;`
			`} mbedtls_pkcs11_context;`

			`/**`
			`* Initialize a mbedtls_pkcs11_context.`
			`* (Just making memory references valid.)`
			`*/`
			`void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );`

			`/**`
			`* Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.`
			`*`
			`* \param cert X.509 certificate to fill`
			`* \param pkcs11h_cert PKCS #11 helper certificate`
			`*`
			`* \return 0 on success.`
			`*/`
			`int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );`

			`/**`
			`* Set up a mbedtls_pkcs11_context storing the given certificate. Note that the`
			`* mbedtls_pkcs11_context will take over control of the certificate, freeing it when`
			`* done.`
			`*`
			`* \param priv_key Private key structure to fill.`
			`* \param pkcs11_cert PKCS #11 helper certificate`
			`*`
			`* \return 0 on success`
			`*/`
			`int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,`
			`pkcs11h_certificate_t pkcs11_cert );`

			`/**`
			`* Free the contents of the given private key context. Note that the structure`
			`* itself is not freed.`
			`*`
			`* \param priv_key Private key structure to cleanup`
			`*/`
			`void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );`

			`/**`
			`* \brief Do an RSA private key decrypt, then remove the message`
			`* padding`
			`*`
			`* \param ctx PKCS #11 context`
			`* \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature`
			`* \param input buffer holding the encrypted data`
			`* \param output buffer that will hold the plaintext`
			`* \param olen will contain the plaintext length`
			`* \param output_max_len maximum length of the output buffer`
			`*`
			`* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code`
			`*`
			`* \note The output buffer must be as large as the size`
			`* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise`
			`* an error is thrown.`
			`*/`
			`int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,`
			`int mode, size_t *olen,`
			`const unsigned char *input,`
			`unsigned char *output,`
			`size_t output_max_len );`

			`/**`
			`* \brief Do a private RSA to sign a message digest`
			`*`
			`* \param ctx PKCS #11 context`
			`* \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature`
			`* \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)`
			`* \param hashlen message digest length (for MBEDTLS_MD_NONE only)`
			`* \param hash buffer holding the message digest`
			`* \param sig buffer that will hold the ciphertext`
			`*`
			`* \return 0 if the signing operation was successful,`
			`* or an MBEDTLS_ERR_RSA_XXX error code`
			`*`
			`* \note The "sig" buffer must be as large as the size`
			`* of ctx->N (eg. 128 bytes if RSA-1024 is used).`
			`*/`
			`int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,`
			`int mode,`
			`mbedtls_md_type_t md_alg,`
			`unsigned int hashlen,`
			`const unsigned char *hash,`
			`unsigned char *sig );`

			`/**`
			`* SSL/TLS wrappers for PKCS#11 functions`
			`*/`
			`static inline int mbedtls_ssl_pkcs11_decrypt( void ctx, int mode, size_t olen,`
			`const unsigned char input, unsigned char output,`
			`size_t output_max_len )`
			`{`
			`return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,`
			`output_max_len );`
			`}`

			`static inline int mbedtls_ssl_pkcs11_sign( void *ctx,`
			`int (f_rng)(void , unsigned char , size_t), void p_rng,`
			`int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,`
			`const unsigned char hash, unsigned char sig )`
			`{`
			`((void) f_rng);`
			`((void) p_rng);`
			`return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,`
			`hashlen, hash, sig );`
			`}`

			`static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )`
			`{`
			`return ( (mbedtls_pkcs11_context *) ctx )->len;`
			`}`

			`#ifdef __cplusplus`
			`}`
			`#endif`

			`#endif /* MBEDTLS_PKCS11_C */`

			`#endif /* MBEDTLS_PKCS11_H */`