refactor!: MbedTLS on Windows, switch to uint32

VnUgE · Apr 23, 2024 · 7cb7a93 · 7cb7a93
1 parent 30e8dda
commit 7cb7a93
Show file tree

Hide file tree

Showing 112 changed files with 151 additions and 113 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -9,6 +9,7 @@ option(NC_DISABLE_INPUT_VALIDATION "Disables public function input validation" O
 option(NC_FETCH_MBEDTLS "Fetch Mbed-TLS from it's source repository locally" OFF)
 option(NC_INCLUDE_MONOCYPHER "Statically link to vendored monocypher library" ON)
 set(CRYPTO_LIB "none" CACHE STRING "The crypto library to link to (mbedtls, openssl, none)")
+set(CRYPTO_LIB_DIR "" CACHE STRING "The path to the crypto library if it's not globally available")
 
 string(TOLOWER ${CMAKE_BUILD_TYPE} build_type)
 
@@ -72,14 +73,14 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 
 set(NOSCRYPT_SRCS 
 	"src/noscrypt.c"	
-	"src/internal/nc-crypto.c"				#pulls in c impl files as needed
+	"src/crypto/nc-crypto.c"				#pulls in c impl files as needed
 )
 
 set(NOSCRYPT_HEADERS
-	"src/noscrypt.h"
-	"src/platform.h"
-	"src/internal/nc-crypto.h"
-	"src/internal/nc-util.h"
+	"include/noscrypt.h"
+	"include/platform.h"
+	"include/nc-util.h"
+	"src/crypto/nc-crypto.h"
 )
 
 #static/shared library
@@ -104,11 +105,36 @@ if(CRYPTO_LIB STREQUAL "mbedtls")
 
 	message(STATUS "Linking to MbedTLS crypto library")
 
-	target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE mbedcrypto PRIVATE mbedtls)
-	target_link_libraries(${CMAKE_PROJECT_NAME}_static PRIVATE mbedcrypto PRIVATE mbedtls)
+	target_include_directories(${CMAKE_PROJECT_NAME} SYSTEM PRIVATE vendor)
+	target_include_directories(${CMAKE_PROJECT_NAME}_static SYSTEM PRIVATE vendor)
+
+	if(NC_FETCH_MBEDTLS)
+		#link to included mbedtls
+		target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE mbedcrypto PRIVATE mbedtls)
+		target_link_libraries(${CMAKE_PROJECT_NAME}_static PRIVATE mbedcrypto PRIVATE mbedtls)
+	else()
+		#find the library
+		find_library(MBEDTLS_LIB_CRYPTO
+			NAMES mbedcrypto libmbedcrypto 
+			PATHS ${CRYPTO_LIB_DIR}
+		)
+
+		find_library(MBEDTLS_LIB_TLS
+			NAMES mbedtls libmbedtls
+			PATHS ${CRYPTO_LIB_DIR}
+		)
+
+		message(STATUS "Found mbedtls crypto library at ${MBEDTLS_LIB_CRYPTO}")
+		message(STATUS "Found mbedtls tls library at ${MBEDTLS_LIB_TLS}")
+
+		#link to the library
+		target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE ${MBEDTLS_LIB_CRYPTO} PRIVATE ${MBEDTLS_LIB_TLS})
+		target_link_libraries(${CMAKE_PROJECT_NAME}_static PRIVATE ${MBEDTLS_LIB_CRYPTO} PRIVATE ${MBEDTLS_LIB_TLS})
+	endif()
 
 	#enable mbedtls crypto library bindings
 	target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE MBEDTLS_CRYPTO_LIB)
+	target_compile_definitions(${CMAKE_PROJECT_NAME}_static PRIVATE MBEDTLS_CRYPTO_LIB)
 
 elseif(CRYPTO_LIB STREQUAL "openssl")
 
@@ -119,6 +145,7 @@ elseif(CRYPTO_LIB STREQUAL "openssl")
 
 	#enable openssl crypto library bindings
 	target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE OPENSSL_CRYPTO_LIB)
+	target_compile_definitions(${CMAKE_PROJECT_NAME}_static PRIVATE OPENSSL_CRYPTO_LIB)
 
 else()
 	#the library should be self sufficient in handling default crypto implementations
@@ -135,6 +162,7 @@ endif()
 #setup flags for windows compilation
 if(MSVC)
 
+	#link bcrypt for Windows platforms
     target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE "bcrypt.lib")
 	target_link_libraries(${CMAKE_PROJECT_NAME}_static PRIVATE "bcrypt.lib")
 
@@ -176,7 +204,7 @@ elseif(CMAKE_COMPILER_IS_GNUCC)
 			PRIVATE 
 
 			-g
-			-0g
+			-Og
 			-Wall
 			-Werror
 			-pedantic
@@ -197,8 +225,8 @@ endif()
 
 if(NC_INCLUDE_MONOCYPHER)
 
-	target_include_directories(${CMAKE_PROJECT_NAME} PRIVATE "vendor/monocypher")	
-	target_include_directories(${CMAKE_PROJECT_NAME}_static PRIVATE "vendor/monocypher")	
+	target_include_directories(${CMAKE_PROJECT_NAME} SYSTEM PRIVATE "vendor/monocypher")	
+	target_include_directories(${CMAKE_PROJECT_NAME}_static SYSTEM PRIVATE "vendor/monocypher")	
 
 	#add monocypher as a static dep to the project
 	add_library(monocypher STATIC 
@@ -208,10 +236,6 @@ if(NC_INCLUDE_MONOCYPHER)
 
 	target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE monocypher)
 	target_link_libraries(${CMAKE_PROJECT_NAME}_static PRIVATE monocypher)
-
-	#enable monocypher crypto library bindings
-	target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE NC_ENABLE_MONOCYPHER)
-	target_compile_definitions(${CMAKE_PROJECT_NAME}_static PRIVATE NC_ENABLE_MONOCYPHER)
 
 	target_compile_features(monocypher PRIVATE c_std_99)			#targets c99
 
@@ -220,16 +244,21 @@ if(NC_INCLUDE_MONOCYPHER)
 			/sdl						#enable additional security checks
 			/TC							#compile as c
 			/GS							#buffer security check
-
-			$<$<CONFIG:Debug>:/FC>				#show full path in diagnostics
-			$<$<CONFIG:Debug>:/showIncludes>	#show a list of all included header files during build
-
-			#$<$<CONFIG:Debug>:/wd4820>	#disable warnings for struct padding and spectre mitigation wuen WX is enabled
-			#$<$<CONFIG:Debug>:/wd5045>	#disable warnings for spectre mitigation insertion
 		)
+
+		#enable monocypher crypto library bindings
+		target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE NC_ENABLE_MONOCYPHER)
+		target_compile_definitions(${CMAKE_PROJECT_NAME}_static PRIVATE NC_ENABLE_MONOCYPHER)
+
 	elseif(CMAKE_COMPILER_IS_GNUCC)
 		#from monocypher's Makefile
 		target_compile_options(monocypher PRIVATE -pedantic -Wall -Wextra -O3 -march=native)
+
+		#enable monocypher crypto library bindings
+		target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE NC_ENABLE_MONOCYPHER)
+		target_compile_definitions(${CMAKE_PROJECT_NAME}_static PRIVATE NC_ENABLE_MONOCYPHER)
+	else()
+		message(WARNING "Monocypher is not supported on this platform")
 	endif()
 endif()
 
@@ -240,7 +269,7 @@ if(NC_BUILD_TESTS)
 	#add test executable and link to library
 	add_executable(nctest tests/test.c)
 	target_link_libraries(nctest ${CMAKE_PROJECT_NAME}_static)
-	target_include_directories(nctest PRIVATE "src")
+	target_include_directories(nctest PRIVATE include)
 
 	#enable c11 for testing
 	target_compile_features(nctest PRIVATE c_std_11)

diff --git a/src/internal/nc-util.h → include/nc-util.h b/src/internal/nc-util.h → include/nc-util.h
@@ -24,12 +24,13 @@
 #ifndef NC_UTIL_H
 #define NC_UTIL_H
 
+#include "platform.h"
+
 /* NULL */
 #ifndef NULL
 	#define NULL ((void*)0)
 #endif /*  !NULL */
 
-
 #ifdef DEBUG
 	/* Must include assert.h for assertions */
 	#include <assert.h> 
@@ -64,22 +65,22 @@
 typedef struct memory_span_struct
 {
 	uint8_t* data;
-	uint64_t size;
+	uint32_t size;
 } span_t;
 
 typedef struct read_only_memory_span_struct
 {
 	const uint8_t* data;
-	uint64_t size;
+	uint32_t size;
 } cspan_t;
 
-static void ncSpanInitC(cspan_t* span, const uint8_t* data, uint64_t size)
+_nc_fn_inline void ncSpanInitC(cspan_t* span, const uint8_t* data, uint32_t size)
 {
 	span->data = data;
 	span->size = size;
 }
 
-static void ncSpanInit(span_t* span, uint8_t* data, uint64_t size)
+_nc_fn_inline void ncSpanInit(span_t* span, uint8_t* data, uint32_t size)
 {
 	span->data = data;
 	span->size = size;

diff --git a/src/noscrypt.h → include/noscrypt.h b/src/noscrypt.h → include/noscrypt.h
@@ -158,7 +158,7 @@ typedef struct nc_encryption_struct {
 	/* The size of the data buffers. Buffers must 
 	* be the same size or larger than this value
 	*/
-	uint64_t dataSize;
+	uint32_t dataSize;
 
 } NCEncryptionArgs;
 
@@ -178,7 +178,7 @@ typedef struct nc_mac_verify {
 	const uint8_t* payload;
 
 	/* The size of the payload data */
-	uint64_t payloadSize;
+	uint32_t payloadSize;
 
 } NCMacVerifyArgs;
 
@@ -319,7 +319,7 @@ NC_EXPORT NCResult NC_CC NCSignData(
 	const NCSecretKey* sk,
 	const uint8_t random32[32],
 	const uint8_t* data,
-	const uint64_t dataSize,
+	const uint32_t dataSize,
 	uint8_t sig64[64]
 );
 
@@ -336,7 +336,7 @@ NC_EXPORT NCResult NC_CC NCVerifyData(
 	const NCContext* ctx,
 	const NCPublicKey* pk,
 	const uint8_t* data,
-	const uint64_t dataSize,
+	const uint32_t dataSize,
 	const uint8_t sig64[64]
 );
 
@@ -555,7 +555,7 @@ NC_EXPORT NCResult NCComputeMac(
 	const NCContext* ctx,
 	const uint8_t hmacKey[NC_HMAC_KEY_SIZE],
 	const uint8_t* payload,
-	uint64_t payloadSize,
+	uint32_t payloadSize,
 	uint8_t hmacOut[NC_ENCRYPTION_MAC_SIZE]
 );
 

diff --git a/src/platform.h → include/platform.h b/src/platform.h → include/platform.h
diff --git a/src/internal/impl/bcrypt.c → src/crypto/impl/bcrypt.c b/src/internal/impl/bcrypt.c → src/crypto/impl/bcrypt.c
@@ -31,8 +31,7 @@
 #include <Windows.h>
 #include <bcrypt.h>
 
-#include "../../platform.h"
-#include "../nc-util.h"
+#include "nc-util.h"
 
 #define IF_BC_FAIL(x) if(!BCRYPT_SUCCESS(x))
 
@@ -97,7 +96,7 @@ _IMPLSTB NTSTATUS _bcCreate(struct _bcrypt_ctx* ctx)
 	return _bcCreateHmac(ctx, &key);
 }
 
-_IMPLSTB NTSTATUS _bcHashDataRaw(const struct _bcrypt_ctx* ctx, const uint8_t* data, uint64_t len)
+_IMPLSTB NTSTATUS _bcHashDataRaw(const struct _bcrypt_ctx* ctx, const uint8_t* data, uint32_t len)
 {
 	return BCryptHashData(ctx->hHash, (uint8_t*)data, len, 0);
 }
@@ -213,12 +212,12 @@ _IMPLSTB void _bcDestroyCtx(struct _bcrypt_ctx* ctx)
 
 #ifndef _IMPL_CRYPTO_SHA256_HKDF_EXPAND
 
-	#define _IMPL_CRYPTO_SHA256_HKDF_EXPAND		_fallbackHkdfExpand
+	#define _IMPL_CRYPTO_SHA256_HKDF_EXPAND		_bcrypt_fallback_hkdf_expand
 
 	/* Include string for memmove */
 	#include <string.h>
 
-	static void ncWriteSpanS(span_t* span, uint64_t offset, const uint8_t* data, uint64_t size)
+	static void ncWriteSpanS(span_t* span, uint32_t offset, const uint8_t* data, uint32_t size)
 	{
 		DEBUG_ASSERT2(span != NULL, "Expected span to be non-null")
 		DEBUG_ASSERT2(data != NULL, "Expected data to be non-null")
@@ -239,13 +238,13 @@ _IMPLSTB void _bcDestroyCtx(struct _bcrypt_ctx* ctx)
 
 	#define _BC_MIN(a, b) (a < b ? a : b)
 
-	_IMPLSTB cstatus_t _fallbackHkdfExpand(const cspan_t* prk, const cspan_t* info, span_t* okm)
+	_IMPLSTB cstatus_t _bcrypt_fallback_hkdf_expand(const cspan_t* prk, const cspan_t* info, span_t* okm)
 	{
 		cstatus_t result;
 		struct _bcrypt_ctx ctx;
 
 		uint8_t counter;
-		uint64_t tLen, okmOffset;
+		uint32_t tLen, okmOffset;
 		uint8_t t[HKDF_IN_BUF_SIZE];
 
 		_IMPL_SECURE_ZERO_MEMSET(t, sizeof(t));
@@ -274,7 +273,6 @@ _IMPLSTB void _bcDestroyCtx(struct _bcrypt_ctx* ctx)
 			tLen = _BC_MIN(okm->size - okmOffset, SHA256_DIGEST_SIZE);
 
 			DEBUG_ASSERT(tLen <= sizeof(t));
-			DEBUG_ASSERT((tLen + okmOffset) < okm->size);
 
 			/* write the T buffer back to okm */
 			ncWriteSpanS(okm, okmOffset, t, tLen);