Fix RSA context initialization in rsa_alloc_wrap() plus some cleanups.

Print warnings on TTLS_ERR_BAD_INPUT_DATA in ttls_encrypt(): we have
net reatelimited warnings, so this won't cause serious logging problems.

Author: krizhanovsky

tls/config.h

@@ -35,32 +35,6 @@
 #define ttls_calloc(n, s)	kzalloc((n) * (s), GFP_ATOMIC)
 #define ttls_free(p)		kfree(p)
 
-/**
- * \def TTLS_AES_ALT
- *
- * TTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
- * alternate core implementation of a symmetric crypto, an arithmetic or hash
- * module (e.g. platform specific assembly optimized implementations). Keep
- * in mind that the function prototypes should remain the same.
- *
- * This replaces the whole module. If you only want to replace one of the
- * functions, use one of the TTLS__FUNCTION_NAME__ALT flags.
- *
- * Example: In case you uncomment TTLS_AES_ALT, mbed TLS will no longer
- * provide the "struct ttls_aes_context" definition and omit the base
- * function declarations and implementations. "aes_alt.h" will be included from
- * "aes.h" to include the new function definitions.
- *
- * Uncomment a macro to enable alternate implementation of the corresponding
- * module.
- *
- * \warning   MD2, MD4, MD5, DES and SHA-1 are considered weak and their
- *			use constitutes a security risk. If possible, we recommend
- *			avoiding dependencies on them, and considering stronger message
- *			digests and ciphers instead.
- *
- */
-//#define TTLS_RSA_ALT
 /*
  * When replacing the elliptic curve module, pleace consider, that it is
  * implemented with two .c files:

tls/ecdsa.h

@@ -57,10 +57,6 @@
  */
 typedef ttls_ecp_keypair ttls_ecdsa_context;
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /**
  * \brief		   This function computes the ECDSA signature of a
  *				  previously-hashed message.
@@ -189,8 +185,4 @@ void ttls_ecdsa_init(ttls_ecdsa_context *ctx);
  */
 void ttls_ecdsa_free(ttls_ecdsa_context *ctx);
 
-#ifdef __cplusplus
-}
-#endif
-
 #endif /* ecdsa.h */

tls/pk_wrap.c

@@ -113,8 +113,10 @@ static int rsa_check_pair_wrap(const void *pub, const void *prv)
 static void *
 rsa_alloc_wrap(void)
 {
-	void *ctx = kzalloc(sizeof(ttls_rsa_context), GFP_ATOMIC);
-	if (!ctx)
+	void *ctx;
+
+	might_sleep();
+	if ((ctx = kzalloc(sizeof(ttls_rsa_context), GFP_KERNEL)))
 		ttls_rsa_init((ttls_rsa_context *)ctx, 0, 0);
 
 	return ctx;

tls/rsa.c

@@ -3,6 +3,25 @@
  *
  * The RSA public-key cryptosystem.
  *
+ * TODO #1064: The Linux crypt API already has RSA implementation, so probably
+ * the stuff below should be just thrown out. Fallback to GPU is necessary
+ * however, so maybe not... A careful rethinking is requiered.
+ *
+ * The following sources were referenced in the design of this implementation
+ * of the RSA algorithm:
+ *
+ * [1] A method for obtaining digital signatures and public-key cryptosystems
+ *     R Rivest, A Shamir, and L Adleman
+ *     http://people.csail.mit.edu/rivest/pubs.html#RSA78
+ *
+ * [2] Handbook of Applied Cryptography - 1997, Chapter 8
+ *     Menezes, van Oorschot and Vanstone
+ *
+ * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
+ *     Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
+ *     Stefan Mangard
+ *     https://arxiv.org/abs/1702.08719v2
+ *
  * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  * Copyright (C) 2015-2019 Tempesta Technologies, Inc.
  * SPDX-License-Identifier: GPL-2.0
@@ -21,23 +40,6 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
-/*
- *  The following sources were referenced in the design of this implementation
- *  of the RSA algorithm:
- *
- *  [1] A method for obtaining digital signatures and public-key cryptosystems
- *	  R Rivest, A Shamir, and L Adleman
- *	  http://people.csail.mit.edu/rivest/pubs.html#RSA78
- *
- *  [2] Handbook of Applied Cryptography - 1997, Chapter 8
- *	  Menezes, van Oorschot and Vanstone
- *
- *  [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
- *	  Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
- *	  Stefan Mangard
- *	  https://arxiv.org/abs/1702.08719v2
- *
- */
 #include <linux/random.h>
 
 #include "lib/str.h"
@@ -48,8 +50,6 @@
 #include "tls_internal.h"
 #include "oid.h"
 
-#if !defined(TTLS_RSA_ALT)
-
 /* constant-time buffer comparison */
 static inline int ttls_safer_memcmp(const void *a, const void *b, size_t n)
 {
@@ -429,36 +429,44 @@ int ttls_rsa_export_crt(const ttls_rsa_context *ctx,
 	return 0;
 }
 
-/*
- * Initialize an RSA context
- */
-void ttls_rsa_init(ttls_rsa_context *ctx,
-			   int padding,
-			   int hash_id)
-{
-	memset(ctx, 0, sizeof(ttls_rsa_context));
-
-	ttls_rsa_set_padding(ctx, padding, hash_id);
-
-	spin_lock_init(&ctx->mutex);
-}
-
-/*
- * Set padding for an existing RSA context
+/**
+ * Initialize an RSA context.
+ *
+ * TODO #1064: Set padding to #TTLS_RSA_PKCS_V21 for the RSAES-OAEP encryption
+ * scheme and the RSASSA-PSS signature scheme. The choice of padding mode is
+ * strictly enforced for private key operations, since there might be security
+ * concerns in mixing padding modes. For public key operations it is a default
+ * value, which can be overriden by calling specific rsa_rsaes_xxx or
+ * rsa_rsassa_xxx functions.
+ *
+ * The hash selected in hash_id is always used for OEAP encryption. For PSS
+ * signatures, it is always used for making signatures, but can be overriden
+ * for verifying them. If set to TTLS_MD_NONE, it is always overriden.
  */
-void ttls_rsa_set_padding(ttls_rsa_context *ctx, int padding, int hash_id)
+void
+ttls_rsa_init(ttls_rsa_context *ctx, int padding, int hash_id)
 {
+	/*
+	 * TODO Select padding mode: TTLS_RSA_PKCS_V15 or TTLS_RSA_PKCS_V21.
+	 */
 	ctx->padding = padding;
+	/*
+	 * TODO The hash identifier of ttls_md_type_t type, if padding is
+	 * TTLS_RSA_PKCS_V21. The hash_id parameter is ignored when using
+	 * TTLS_RSA_PKCS_V15 padding.
+	 */
 	ctx->hash_id = hash_id;
+
+	spin_lock_init(&ctx->mutex);
 }
 
-/*
- * Get length in bytes of RSA modulus
+/**
+ * Get length in bytes of RSA modulus.
  */
-
-size_t ttls_rsa_get_len(const ttls_rsa_context *ctx)
+size_t
+ttls_rsa_get_len(const ttls_rsa_context *ctx)
 {
-	return(ctx->len);
+	return ctx->len;
 }
 
 
@@ -2013,5 +2021,3 @@ void ttls_rsa_free(ttls_rsa_context *ctx)
 	ttls_mpi_free(&ctx->DP);
 #endif /* TTLS_RSA_NO_CRT */
 }
-
-#endif /* !TTLS_RSA_ALT */

tls/rsa.h

@@ -106,35 +106,7 @@ typedef struct
 }
 ttls_rsa_context;
 
-/**
- * \brief		  This function initializes an RSA context.
- *
- * \note		   Set padding to #TTLS_RSA_PKCS_V21 for the RSAES-OAEP
- *				 encryption scheme and the RSASSA-PSS signature scheme.
- *
- * \param ctx	  The RSA context to initialize.
- * \param padding  Selects padding mode: #TTLS_RSA_PKCS_V15 or
- *				 #TTLS_RSA_PKCS_V21.
- * \param hash_id  The hash identifier of #ttls_md_type_t type, if
- *				 \p padding is #TTLS_RSA_PKCS_V21.
- *
- * \note		   The \p hash_id parameter is ignored when using
- *				 #TTLS_RSA_PKCS_V15 padding.
- *
- * \note		   The choice of padding mode is strictly enforced for private key
- *				 operations, since there might be security concerns in
- *				 mixing padding modes. For public key operations it is
- *				 a default value, which can be overriden by calling specific
- *				 \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions.
- *
- * \note		   The hash selected in \p hash_id is always used for OEAP
- *				 encryption. For PSS signatures, it is always used for
- *				 making signatures, but can be overriden for verifying them.
- *				 If set to #TTLS_MD_NONE, it is always overriden.
- */
-void ttls_rsa_init(ttls_rsa_context *ctx,
-		   int padding,
-		   int hash_id);
+void ttls_rsa_init(ttls_rsa_context *ctx, int padding, int hash_id);
 
 /**
  * \brief		  This function imports a set of core parameters into an
@@ -350,18 +322,6 @@ int ttls_rsa_export_raw(const ttls_rsa_context *ctx,
 int ttls_rsa_export_crt(const ttls_rsa_context *ctx,
 				ttls_mpi *DP, ttls_mpi *DQ, ttls_mpi *QP);
 
-/**
- * \brief		  This function sets padding for an already initialized RSA
- *				 context. See ttls_rsa_init() for details.
- *
- * \param ctx	  The RSA context to be set.
- * \param padding  Selects padding mode: #TTLS_RSA_PKCS_V15 or
- *				 #TTLS_RSA_PKCS_V21.
- * \param hash_id  The #TTLS_RSA_PKCS_V21 hash identifier.
- */
-void ttls_rsa_set_padding(ttls_rsa_context *ctx, int padding,
-				  int hash_id);
-
 /**
  * \brief		  This function retrieves the length of RSA modulus in Bytes.
  *

tls/rsa_internal.h

@@ -1,71 +1,52 @@
 /**
- * \file rsa_internal.h
- *
- * \brief Context-independent RSA helper functions
- */
-/*
- *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: GPL-2.0
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- *
- *
- *  This file declares some RSA-related helper functions useful when
- *  implementing the RSA interface. They are public and provided in a
- *  separate compilation unit in order to make it easy for designers of
- *  alternative RSA implementations to use them in their code, as it is
- *  conceived that the functionality they provide will be necessary
- *  for most complete implementations.
- *
- *  End-users of Mbed TLS not intending to re-implement the RSA functionality
- *  are not expected to get into the need of making use of these functions directly,
- *  but instead should be able to use the functions declared in rsa.h.
- *
- *  There are two classes of helper functions:
- *  (1) Parameter-generating helpers. These are:
- *	  - ttls_rsa_deduce_primes
- *	  - ttls_rsa_deduce_private_exponent
- *	  - ttls_rsa_deduce_crt
- *	   Each of these functions takes a set of core RSA parameters
- *	   and generates some other, or CRT related parameters.
- *  (2) Parameter-checking helpers. These are:
- *	  - ttls_rsa_validate_params
- *	  - ttls_rsa_validate_crt
- *	  They take a set of core or CRT related RSA parameters
- *	  and check their validity.
- *
+ *		Tempesta TLS
+ *
+ * Context-independent RSA helper functions.
+ *
+ * This file declares some RSA-related helper functions useful when
+ * implementing the RSA interface. They are public and provided in a
+ * separate compilation unit in order to make it easy for designers of
+ * alternative RSA implementations to use them in their code, as it is
+ * conceived that the functionality they provide will be necessary
+ * for most complete implementations.
+ *
+ * There are two classes of helper functions:
+ * (1) Parameter-generating helpers. These are:
+ *  - ttls_rsa_deduce_primes
+ *  - ttls_rsa_deduce_private_exponent
+ *  - ttls_rsa_deduce_crt
+ *   Each of these functions takes a set of core RSA parameters
+ *   and generates some other, or CRT related parameters.
+ * (2) Parameter-checking helpers. These are:
+ *  - ttls_rsa_validate_params
+ *  - ttls_rsa_validate_crt
+ *  They take a set of core or CRT related RSA parameters
+ *  and check their validity.
+ *
+ * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ * Copyright (C) 2015-2019 Tempesta Technologies, Inc.
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
-
 #ifndef TTLS_RSA_INTERNAL_H
 #define TTLS_RSA_INTERNAL_H
 
-#if !defined(TTLS_CONFIG_FILE)
 #include "config.h"
-#else
-#include TTLS_CONFIG_FILE
-#endif
-
 #include "bignum.h"
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
 /**
  * \brief		  Compute RSA prime moduli P, Q from public modulus N=PQ
  *				 and a pair of private and public key.

tls/ttls.c

@@ -781,8 +781,8 @@ ttls_encrypt(TlsCtx *tls, struct sg_table *sgt)
 
 	WARN_ON_ONCE(!ttls_xfrm_ready(tls));
 	if (io->msglen > TLS_MAX_PAYLOAD_SIZE) {
-		T_DBG("%s record content %u too large, maximum %lu\n",
-		      __func__, io->msglen, TLS_MAX_PAYLOAD_SIZE);
+		T_WARN("cannot encrypt a record: content %u too large,"
+		       " maximum %lu\n", io->msglen, TLS_MAX_PAYLOAD_SIZE);
 		return TTLS_ERR_BAD_INPUT_DATA;
 	}
 
@@ -810,7 +810,7 @@ ttls_encrypt(TlsCtx *tls, struct sg_table *sgt)
 		  min_t(size_t, 256, io->msglen + TLS_HEADER_SIZE));
 
 	if ((r = crypto_aead_encrypt(req))) {
-		T_DBG2("encrypt failed: %d\n", r);
+		T_WARN("AEAD encryption failed: %d\n", r);
 		goto err;
 	}
 	T_DBG3_SL("encrypted buf (first 64 bytes)", sgt->sgl, sgt->nents, 0,