[Cryptech-Commits] [sw/cryptlib] 01/01: Initial working version of cryptech_novena_i2c_{coretest, simple} HALs in simplified version of Cryptlib build wrapper environment.

git at cryptech.is git at cryptech.is
Thu Oct 30 22:00:52 UTC 2014


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch master
in repository sw/cryptlib.

commit 43511ee91bbfc41dbe8e05aa3ff5d5de51adeb25
Author: Rob Austein <sra at hactrn.net>
Date:   Thu Oct 30 16:27:33 2014 -0400

    Initial working version of cryptech_novena_i2c_{coretest,simple} HALs
    in simplified version of Cryptlib build wrapper environment.
---
 .gitignore                         |   3 +
 GNUmakefile                        |  83 ++++
 README.md                          |  77 ++++
 dist/cl342.zip                     | Bin 0 -> 5839450 bytes
 src/cryptech_novena_i2c_coretest.c | 829 +++++++++++++++++++++++++++++++++++++
 src/cryptech_novena_i2c_simple.c   | 542 ++++++++++++++++++++++++
 tests/test_hashes.py               | 104 +++++
 7 files changed, 1638 insertions(+)

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a25d100
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*~
+TAGS
+build
diff --git a/GNUmakefile b/GNUmakefile
new file mode 100644
index 0000000..aed7b4a
--- /dev/null
+++ b/GNUmakefile
@@ -0,0 +1,83 @@
+# Cryptech project makefile for Cryptlib.  This is a work in progress.
+
+# The one thing that must be configured here is which Hardware
+# Adaption Layer ("HAL") to build into Cryptlib.  Due to the need to
+# support different Cryptech configurations on different boards, it's
+# not really possible to provide a single HAL which supports all
+# Cryptech configurations in a sane way, so you have to pick one.
+# This makefile provides a default, but you can override it by
+# providing a value for the CRYPTECH_HAL makefile variable on the
+# command line, or by setting the CRYPTECH_HAL environment variable
+# (explicit argument overrides environment variable, see GNU make
+# documentation for details).
+
+ifndef CRYPTECH_HAL
+  CRYPTECH_HAL := src/cryptech_novena_i2c_simple.c
+endif
+
+# Notes on the option settings we use when building cryptlib:
+#
+# - Python extension modules need to be position-independent code.  We
+#   could handle this by building cryptlib as a shared library, but
+#   for the moment it's simpler to force even the static library to
+#   use position independent code.  Works with gcc and clang, anyway,
+#   which are the only compilers we care about at the moment.
+#
+# - Point of the exercise is a hardware device, and we want the full
+#   set of SHA-2 digests.
+#
+# - See config.h for other options we might want to add here.  In
+#   particular, USE_ECDH, USE_ECDSA, and USE_GCM all touch on subjects
+#   that came up during the early Cryptech design discussions.
+
+################################################################
+
+# From here down is not intended to be user-servicable.  Tinker to
+# your heart's content, but don't complain if it breaks.
+
+LIB = build/libcl.a
+
+PYTHONPATH = $(firstword $(wildcard build/bindings/build/lib.*))
+
+all: build/makefile.ready
+	cd build; ${MAKE}
+	@${MAKE} python-bindings
+
+clean:
+	rm -rf build
+
+build/makefile.ready: GNUmakefile dist/cl342.zip
+	rm -rf build
+	mkdir build
+	cd build; unzip -a ../dist/cl342.zip
+	sed <build/makefile >build/makefile.cryptech \
+		-e 's=device/hw_dummy=../$(basename ${CRYPTECH_HAL})=g' \
+		-e 's=hw_dummy=$(notdir $(basename ${CRYPTECH_HAL}))=g' \
+		-e '/^CFLAGS/s=$$= -fPIC -DUSE_SHA2_EXT -DUSE_HARDWARE -DUSE_DEVICES='
+	mv build/makefile.cryptech build/makefile
+	touch $@
+
+ifeq (,${PYTHONPATH})
+
+  python-bindings:
+	cd build/bindings; python setup.py build
+
+else
+
+  python-bindings: ${PYTHONPATH}/cryptlib_py.so
+
+  ${PYTHONPATH}/cryptlib_py.so: ${LIB}
+	cd build/bindings; python setup.py build --force
+
+endif
+
+test: all
+	@${MAKE} run-tests
+
+run-tests:
+	for script in tests/*.py; do echo Running $$script; PYTHONPATH=${PYTHONPATH} python $$script; done
+
+tags: TAGS
+
+TAGS: build/makefile.ready
+	find src build -type f -name '*.[ch]' | etags -
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5ff675d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,77 @@
+cryptlib
+========
+
+## Introduction ##
+
+This is a port of Peter Gutmann's
+[cryptlib package](https://www.cs.auckland.ac.nz/~pgut001/cryptlib/)
+to the Cryptech project's environment.  This is a work in progress,
+and still at a very early stage as of this writing.
+
+The main addition to the stock cryptlib environment is a set of
+Hardware Adaption Layer (HAL) implementations that use the Cryptech
+FPGA cores.
+
+While we expect to be making more significant use of cryptlib in the
+future, the main purposes of this code at the moment are
+proof-of-concept and connecting the Cryptech cores to a more complete
+cryptographic programming environment for testing and development
+purposes.
+
+## Current status ##
+
+At present, the Cryptech HAL code runs only on the Novena PVT1.  There
+are two variants of the HAL, both using the I2C bus, but speaking
+different protocols:
+
+* An implementation using the `coretest` byte-stream protocol
+  implemented by the `core/novena` FPGA build.
+
+* An implementation using the simpler interface implemented by the
+  `core/novena_i2c_simple` environment.
+
+Both of these HAL implementations are in the `src/` directory.  See
+the `GNUmakefile` for details on how to select the variant you want.
+
+At present, the only relevant Cryptech cores are the TRNG and several
+digest algorithms.   The current HAL uses the SHA-1, SHA-256, and
+SHA-512 cores to implement the SHA-1, SHA-256, SHA-384, and SHA-512
+digests.  SHA-512/224 and SHA-512/256 are not supported.
+
+The TRGN is not yet supported, due to lack of an I2C interface.  At
+some point we will either add an I2C interface to the TRNG or skip
+over I2C entirely and go straight to EIM.
+
+In principal there is no reason why one could not write a HAL which
+spoke to a Terasic board, perhaps via the `coretest` protocol over a
+UART, but to date this has not been done.
+
+## Code import status ##
+
+Cryptlib itself is present in the repository in the form of a verbatim
+copy of the Cryptlib 3.4.2 distribution zipfile, which the top-level
+makefile unpacks while building.  This has proven simpler to work with
+than importing the entire Cryptlib distribution into a vendor branch.
+
+Packaging Cryptlib this way has two implications:
+
+* You may need to `apt-get install unzip` on your Novena.
+
+* Any changes you might make to Cryptlib itself will be lost when you
+  run `make clean`.
+
+## Test code ##
+
+The `tests/` directory contains an initial test script, written in
+Python, using the standard Cryptlib Python bindings.  The Cryptlib
+Python environment is a fairly literaly translation of the Cryptlib C
+environment, so portions of it will be a bit, um, surprising to Python
+programmers, but the basic functionality works.
+
+## Copyright status ##
+
+Cryptlib itself is copyright by Peter Gutmann.  See the Cryptlib web
+site for licensing details.
+
+Code written for the Cryptech project is under the usual Cryptech
+BSD-style license.
diff --git a/dist/cl342.zip b/dist/cl342.zip
new file mode 100644
index 0000000..1d24e0e
Binary files /dev/null and b/dist/cl342.zip differ
diff --git a/src/cryptech_novena_i2c_coretest.c b/src/cryptech_novena_i2c_coretest.c
new file mode 100644
index 0000000..31b4345
--- /dev/null
+++ b/src/cryptech_novena_i2c_coretest.c
@@ -0,0 +1,829 @@
+/* 
+ * cryptech_novena_i2c_coretest.c
+ * ------------------------------
+ *
+ * This is an early prototype Hardware Adaption Layer (HAL) for using
+ * Cryptlib with the Cryptech project's FGPA cores over an I2C bus on
+ * the Novena PVT1 development board using the "coretest" byte stream
+ * protocol.  This is compatible with the core/novena FPGA build.
+ *
+ * The communication channel used here is not suitable for production
+ * use, this is just a prototype.
+ * 
+ * Authors: Joachim Strömbergson, Paul Selkirk, Rob Austein
+ * Copyright (c) 2014, SUNET
+ * 
+ * Redistribution and use in source and binary forms, with or 
+ * without modification, are permitted provided that the following 
+ * conditions are met: 
+ * 
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in 
+ *    the documentation and/or other materials provided with the 
+ *    distribution. 
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * The HAL framework is taken from the Cryptlib hw_dummy.c template,
+ * and is Copyright 1998-2009 by Peter Gutmann.
+ */
+
+#include <assert.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+
+#if defined( INC_ALL )
+  #include "crypt.h"
+  #include "context.h"
+  #include "hardware.h"
+#else
+  #include "crypt.h"
+  #include "context/context.h"
+  #include "device/hardware.h"
+#endif /* Compiler-specific includes */
+
+/*
+ * I2C_SLAVE comes from /usr/include/linux/i2c-dev.h, but if we
+ * include that we won't be able to compile this except on Linux.  It
+ * won't *run* anywhere but on Linux, but it's useful to be able to do
+ * compilation tests on other platforms, eg, with Clang, so for now we
+ * take the small risk that this one magic constant might change.
+ */
+
+#define I2C_SLAVE       0x0703
+
+
+#ifdef USE_HARDWARE
+
+/*
+ * I2C-related parameters, copied from hash_tester.c
+ */
+
+/* I2C configuration */
+#define I2C_DEV   "/dev/i2c-2"
+#define I2C_ADDR  0x0f
+
+/* command codes */
+#define SOC       0x55
+#define EOC       0xaa
+#define READ_CMD  0x10
+#define WRITE_CMD 0x11
+#define RESET_CMD 0x01
+
+/* response codes */
+#define SOR       0xaa
+#define EOR       0x55
+#define READ_OK   0x7f
+#define WRITE_OK  0x7e
+#define RESET_OK  0x7d
+#define UNKNOWN   0xfe
+#define ERROR     0xfd
+
+/* addresses and codes common to all hash cores */
+#define ADDR_NAME0              0x00
+#define ADDR_NAME1              0x01
+#define ADDR_VERSION            0x02
+#define ADDR_CTRL               0x08
+#define CTRL_INIT_CMD           1
+#define CTRL_NEXT_CMD           2
+#define ADDR_STATUS             0x09
+#define STATUS_READY_BIT        0
+#define STATUS_VALID_BIT        1
+
+/*
+ * Addresses and codes for the specific hash cores.
+ * Lengths here are in bytes (not bits, not 32-bit words).
+ */
+
+#define SHA1_ADDR_PREFIX        0x10
+#define SHA1_ADDR_BLOCK         0x10
+#define SHA1_BLOCK_LEN          bitsToBytes(512)
+#define	SHA1_LENGTH_LEN		bitsToBytes(64)
+#define SHA1_ADDR_DIGEST        0x20
+#define SHA1_DIGEST_LEN         bitsToBytes(160)
+
+#define SHA256_ADDR_PREFIX      0x20
+#define SHA256_ADDR_BLOCK       0x10
+#define SHA256_BLOCK_LEN        bitsToBytes(512)
+#define	SHA256_LENGTH_LEN	bitsToBytes(64)
+#define SHA256_ADDR_DIGEST      0x20
+#define SHA256_DIGEST_LEN       bitsToBytes(256)
+
+#define SHA512_ADDR_PREFIX      0x30
+#define SHA512_CTRL_MODE_LOW    2
+#define SHA512_CTRL_MODE_HIGH   3
+#define SHA512_ADDR_BLOCK       0x10
+#define SHA512_BLOCK_LEN        bitsToBytes(1024)
+#define	SHA512_LENGTH_LEN	bitsToBytes(128)
+#define SHA512_ADDR_DIGEST      0x40
+#define SHA384_DIGEST_LEN       bitsToBytes(384)
+#define SHA512_DIGEST_LEN       bitsToBytes(512)
+#define MODE_SHA_512_224        (0 << SHA512_CTRL_MODE_LOW)
+#define MODE_SHA_512_256        (1 << SHA512_CTRL_MODE_LOW)
+#define MODE_SHA_384            (2 << SHA512_CTRL_MODE_LOW)
+#define MODE_SHA_512            (3 << SHA512_CTRL_MODE_LOW)
+
+/* Longest digest block we support at the moment */
+#define MAX_BLOCK_LEN           SHA512_BLOCK_LEN
+
+/* Hash state */
+typedef struct {
+  unsigned long long msg_length_high;   /* Total data hashed in this message */
+  unsigned long long msg_length_low;    /* (128 bits in SHA-512 cases) */
+  size_t block_length;                  /* Block length for this algorithm */
+  unsigned char block[MAX_BLOCK_LEN];   /* Block we're accumulating */
+  size_t block_used;                    /* How much of the block we've used */
+  unsigned block_count;                 /* Blocks sent */
+} hash_state_t;
+
+static int i2cfd = -1;
+static int debug = 0;
+
+/*
+ * I2C low-level code
+ */
+
+static int i2c_open(void)
+{
+  if (i2cfd >= 0)
+    return 1;
+
+  i2cfd = open(I2C_DEV, O_RDWR);
+
+  if (i2cfd < 0) {
+    perror("Unable to open " I2C_DEV);
+    i2cfd = -1;
+    return 0;
+  }
+
+  if (ioctl(i2cfd, I2C_SLAVE, I2C_ADDR) < 0) {
+    perror("Unable to set i2c slave device");
+    return 0;
+  }
+
+  if (debug)
+    fprintf(stderr, "[ Opened %s, fd %d ]\n", I2C_DEV, i2cfd);
+
+  return 1;
+}
+
+static int i2c_write_bytes(const unsigned char *buf, const size_t len)
+{
+  if (debug) {
+    int i;
+    fprintf(stderr, "write [");
+    for (i = 0; i < len; ++i)
+      fprintf(stderr, " %02x", buf[i]);
+    fprintf(stderr, " ]\n");
+  }
+
+  if (!i2c_open())
+    return 0;
+
+  if (write(i2cfd, buf, len) != len) {
+    perror("i2c write failed");
+    return 0;
+  }
+
+  return 1;
+}
+
+static int i2c_read_byte(unsigned char *b)
+{
+  /*
+   * read() on the i2c device only returns one byte at a time,
+   * and we need to parse the response one byte at a time anyway.
+   */
+
+  if (!i2c_open())
+    return 0;
+
+  if (read(i2cfd, b, 1) != 1) {
+    perror("i2c read failed");
+    return 0;
+  }
+
+  return 1;
+}
+
+static int i2c_send_write_cmd(const unsigned char addr0, const unsigned char addr1, const unsigned char data[])
+{
+  unsigned char buf[9];
+
+  buf[0] = SOC;
+  buf[1] = WRITE_CMD;
+  buf[2] = addr0;
+  buf[3] = addr1;
+  buf[4] = data[0];
+  buf[5] = data[1];
+  buf[6] = data[2];
+  buf[7] = data[3];
+  buf[8] = EOC;
+
+  return i2c_write_bytes(buf, sizeof(buf));
+}
+
+static int i2c_send_read_cmd(const unsigned char addr0, const unsigned char addr1)
+{
+  unsigned char buf[5];
+
+  buf[0] = SOC;
+  buf[1] = READ_CMD;
+  buf[2] = addr0;
+  buf[3] = addr1;
+  buf[4] = EOC;
+
+  return i2c_write_bytes(buf, sizeof(buf));
+}
+
+static int i2c_get_resp(unsigned char *buf, const size_t length)
+{
+  int i, len = length;
+
+  for (i = 0; i < len; ++i) {
+    assert(len <= length);      /* Paranoia */
+
+    if (!i2c_read_byte(&buf[i]))
+      return 0;
+
+    switch (i) {                /* Special handling for certain positions in response */
+
+    case 0:
+      if (buf[i] == SOR)        /* Start of record (we hope) */
+        continue;
+      fprintf(stderr, "Lost sync: expected 0x%02x (SOR), got 0x%02x\n", SOR, buf[0]);
+      return 0;
+
+    case 1:                     /* Response code */
+      switch (buf[i]) {
+      case READ_OK:
+        len = 9;
+        continue;
+      case WRITE_OK:
+        len = 5;
+        continue;
+      case RESET_OK:
+        len = 3;
+        continue;
+      case ERROR:
+      case UNKNOWN:
+        len = 4;
+        continue;
+      default:
+        fprintf(stderr, "Lost sync: unknown response code 0x%02x\n", buf[i]);
+        return 0;
+      }
+    }
+  }
+
+  if (debug) {
+    fprintf(stderr, "read  [");
+    for (i = 0; i < len; ++i)
+      fprintf(stderr, " %02x", buf[i]);
+    fprintf(stderr, " ]\n");
+  }
+
+  return 1;
+}
+
+static int i2c_check_expected(const unsigned char buf[], const int i, const unsigned char expected)
+{
+  if (buf[i] == expected)
+    return 1;
+  fprintf(stderr, "Response byte %d: expected 0x%02x, got 0x%02x\n", i, expected, buf[i]);
+  return 0;
+}
+
+static int i2c_write(const unsigned char addr0, const unsigned char addr1, const unsigned char data[])
+{
+  unsigned char buf[5];
+
+  if (!i2c_send_write_cmd(addr0, addr1, data) ||
+      !i2c_get_resp(buf, sizeof(buf))         ||
+      !i2c_check_expected(buf, 0, SOR)        ||
+      !i2c_check_expected(buf, 1, WRITE_OK)   ||
+      !i2c_check_expected(buf, 2, addr0)      ||
+      !i2c_check_expected(buf, 3, addr1)      ||
+      !i2c_check_expected(buf, 4, EOR))
+    return 0;
+
+  return 1;
+}
+
+static int i2c_read(const unsigned char addr0, const unsigned char addr1, unsigned char data[])
+{
+  unsigned char buf[9];
+
+  if (!i2c_send_read_cmd(addr0, addr1)     ||
+      !i2c_get_resp(buf, sizeof(buf))      ||
+      !i2c_check_expected(buf, 0, SOR)     ||
+      !i2c_check_expected(buf, 1, READ_OK) ||
+      !i2c_check_expected(buf, 2, addr0)   ||
+      !i2c_check_expected(buf, 3, addr1)   ||
+      !i2c_check_expected(buf, 8, EOR))
+    return 0;
+
+  data[0] = buf[4];
+  data[1] = buf[5];
+  data[2] = buf[6];
+  data[3] = buf[7];
+  return 1;
+}
+
+static int i2c_ctrl(const unsigned char addr0, const unsigned char ctrl_cmd)
+{
+  unsigned char data[4];
+  memset(data, 0, sizeof(data));
+  data[3] = ctrl_cmd;
+  return i2c_write(addr0, ADDR_CTRL, data);
+}
+
+static int i2c_wait(const unsigned char addr0, const unsigned char status)
+{
+  unsigned char buf[9];
+
+  do {
+    if (!i2c_send_read_cmd(addr0, ADDR_STATUS))
+      return 0;
+    if (!i2c_get_resp(buf, sizeof(buf)))
+      return 0;
+    if (buf[1] != READ_OK)
+      return 0;
+  } while ((buf[7] & status) != status);
+
+  if (debug)
+    fprintf(stderr, "[ Done waiting ]\n");
+
+  return 1;
+}
+
+static int i2c_wait_ready(const unsigned char addr0)
+{
+  if (debug)
+    fprintf(stderr, "[ Waiting for ready ]\n");
+  return i2c_wait(addr0, STATUS_READY_BIT);
+}
+
+static int i2c_wait_valid(const unsigned char addr0)
+{
+  if (debug)
+    fprintf(stderr, "[ Waiting for valid ]\n");
+  return i2c_wait(addr0, STATUS_VALID_BIT);
+}
+
+/*
+ * Send one block to a core.
+ */
+
+static int hash_write_block(const unsigned char addr_prefix,
+                            const unsigned char addr_block,
+                            const unsigned char ctrl_mode,
+                            const hash_state_t *state)
+{
+  unsigned char ctrl_cmd;
+  int i;
+
+  assert(state != NULL && state->block_length % 4 == 0);
+
+  for (i = 0; i + 3 < state->block_length; i += 4)
+    if (!i2c_write(addr_prefix, addr_block + i/4, state->block + i))
+      return 0;
+
+  ctrl_cmd = state->block_count == 0 ? CTRL_INIT_CMD : CTRL_NEXT_CMD;
+
+  if (debug)
+    fprintf(stderr, "[ %s ]\n", state->block_count == 0 ? "init" : "next");
+
+  return i2c_ctrl(addr_prefix, ctrl_cmd|ctrl_mode) && i2c_wait_ready(addr_prefix);
+}
+
+/*
+ * Read hash result from core.
+ */
+
+static int hash_read_digest(const unsigned char addr_prefix, const unsigned char addr_digest,
+                            unsigned char *digest, const size_t digest_length)
+{
+  int i;
+
+  assert(digest_length % 4 == 0);
+
+  if (!i2c_wait_valid(addr_prefix))
+    return 0;
+
+  for (i = 0; i + 3 < digest_length; i += 4)
+    if (!i2c_read(addr_prefix, addr_digest + i/4, digest + i))
+      return 0;
+
+  return 1;
+}
+
+/****************************************************************************
+ *                                                                          *
+ *                               Random Numbers                             *
+ *                                                                          *
+ ****************************************************************************/
+
+/*
+ * We have a TRNG core, but I don't think it's hooked up to I2C yet, so
+ * for the moment we use the toy generator from hw_dummy.c.
+ */
+
+static void dummyGenRandom(void *buffer, const int length)
+{
+  HASHFUNCTION_ATOMIC hashFunctionAtomic;
+  BYTE hashBuffer[CRYPT_MAX_HASHSIZE], *bufPtr = buffer;
+  static int counter = 0;
+  int hashSize, i;
+
+  assert(isWritePtr(buffer, length));
+
+  REQUIRES_V(length >= 1 && length < MAX_INTLENGTH);
+
+  /*
+   * Fill the buffer with random-ish data.  This gets a bit tricky
+   * because we need to fool the entropy tests so we can't just fill
+   * it with a fixed (or even semi-random) pattern but have to set up
+   * a somewhat kludgy PRNG.
+   */
+  getHashAtomicParameters(CRYPT_ALGO_SHA1, 0, &hashFunctionAtomic, &hashSize);
+  memset(hashBuffer, counter, hashSize);
+  counter++;
+  for (i = 0; i < length; i++) {
+    if (i % hashSize == 0)
+      hashFunctionAtomic(hashBuffer, CRYPT_MAX_HASHSIZE, hashBuffer, hashSize);
+    bufPtr[i] = hashBuffer[i % hashSize];
+  }
+}
+
+/****************************************************************************
+ *                                                                           *
+ *                   Hash/MAC Capability Interface Routines                  *
+ *                                                                           *
+ ****************************************************************************/
+
+/*
+ * Return context subtype-specific information.  All supported hash
+ * algorithms currently use the same state object, so they can all use
+ * this method.
+ */
+
+static int hashGetInfo(const CAPABILITY_INFO_TYPE type,
+                      CONTEXT_INFO *contextInfoPtr, 
+                      void *data, const int length)
+{
+  switch (type) {
+  case CAPABILITY_INFO_STATESIZE:
+    /*
+     * Tell cryptlib how much hash-state storage we want allocated.
+     */
+    *(int *) data = sizeof(hash_state_t);
+    return CRYPT_OK;
+
+  default:
+    return getDefaultInfo(type, contextInfoPtr, data, length);
+  }
+}
+
+/*
+ * Hash data.  All supported hash algorithms use similar block
+ * manipulations and padding algorithms, so all can use this method
+ * with a few parameters which we handle via closures below.
+ */
+
+static int doHash(CONTEXT_INFO *contextInfoPtr, const unsigned char *buffer, int length,
+                  const size_t block_length, const unsigned char addr_prefix, const unsigned char addr_block,
+                  const size_t digest_length, const unsigned char addr_digest, const unsigned char ctrl_mode,
+                  const size_t length_length)
+{
+  hash_state_t *state = NULL;
+  size_t n;
+  int i;
+
+  assert(isWritePtr(contextInfoPtr, sizeof(CONTEXT_INFO)));
+  assert(length == 0 || isWritePtr(buffer, length));
+
+  state = (hash_state_t *) contextInfoPtr->ctxHash->hashInfo;
+
+  /*
+   * If the hash state was reset to allow another round of hashing,
+   * reinitialise things.
+   */
+
+  if (!(contextInfoPtr->flags & CONTEXT_FLAG_HASH_INITED)) {
+    memset(state, 0, sizeof(*state));
+    state->block_length = block_length;
+  }
+
+  /* May want an assertion here that state->block_length is correct */
+
+  if (length > 0) {             /* More data to hash */
+
+    const unsigned char *p = buffer;
+
+    while ((n = state->block_length - state->block_used) <= length) {
+      /*
+       * We have enough data for another complete block.
+       */
+      if (debug)
+        fprintf(stderr, "[ Full block, length %lu, used %lu, n %lu, msg_length %llu ]\n",
+                (unsigned long) length, (unsigned long) state->block_used, (unsigned long) n, state->msg_length_low);
+      memcpy(state->block + state->block_used, p, n);
+      if ((state->msg_length_low += n) < n)
+        state->msg_length_high++;
+      state->block_used = 0;
+      length -= n;
+      p += n;
+      if (!hash_write_block(addr_prefix, addr_block, ctrl_mode, state))
+        return CRYPT_ERROR_FAILED;
+      state->block_count++;
+    }
+
+    if (length > 0) {
+      /*
+       * Data left over, but not enough for a full block, stash it.
+       */
+      if (debug)
+        fprintf(stderr, "[ Partial block, length %lu, used %lu, n %lu, msg_length %llu ]\n",
+                (unsigned long) length, (unsigned long) state->block_used, (unsigned long) n, state->msg_length_low);
+      assert(length < n);
+      memcpy(state->block + state->block_used, p, length);
+      if ((state->msg_length_low += length) < length)
+        state->msg_length_high++;
+      state->block_used += length;
+    }
+  }
+
+  else {           /* Done: add padding, then pull result from chip */
+
+    unsigned long long bit_length_low  = (state->msg_length_low  << 3);
+    unsigned long long bit_length_high = (state->msg_length_high << 3) | (state->msg_length_low >> 61);
+    unsigned char *p;
+
+    /* Initial pad byte */
+    assert(state->block_used < state->block_length);
+    state->block[state->block_used++] = 0x80;
+
+    /* If not enough room for bit count, zero and push current block */
+    if ((n = state->block_length - state->block_used) < length_length) {
+      if (debug)
+        fprintf(stderr, "[ Overflow block, length %lu, used %lu, n %lu, msg_length %llu ]\n",
+                (unsigned long) length, (unsigned long) state->block_used, (unsigned long) n, state->msg_length_low);
+      if (n > 0)
+        memset(state->block + state->block_used, 0, n);
+      if (!hash_write_block(addr_prefix, addr_block, ctrl_mode, state))
+        return CRYPT_ERROR_FAILED;
+      state->block_count++;
+      state->block_used = 0;
+    }
+
+    /* Pad final block */
+    n = state->block_length - state->block_used;
+    assert(n >= length_length);
+    if (n > 0)
+      memset(state->block + state->block_used, 0, n);
+    if (debug)
+      fprintf(stderr, "[ Final block, length %lu, used %lu, n %lu, msg_length %llu ]\n",
+              (unsigned long) length, (unsigned long) state->block_used, (unsigned long) n, state->msg_length_low);
+    p = state->block + state->block_length;
+    for (i = 0; (bit_length_low || bit_length_high) && i < length_length; i++) {
+      *--p = (unsigned char) (bit_length_low & 0xFF);
+      bit_length_low >>= 8;
+      if (bit_length_high) {
+        bit_length_low |= ((bit_length_high & 0xFF) << 56);
+        bit_length_high >>= 8;
+      }
+    }
+
+    /* Push final block */
+    if (!hash_write_block(addr_prefix, addr_block, ctrl_mode, state))
+      return CRYPT_ERROR_FAILED;
+    state->block_count++;
+
+    /* All data pushed to core, now we just need to read back the result */
+
+    assert(digest_length <= sizeof(contextInfoPtr->ctxHash->hash));
+    if (!hash_read_digest(addr_prefix, addr_digest, contextInfoPtr->ctxHash->hash, digest_length))
+      return CRYPT_ERROR_FAILED;
+  }
+
+  return CRYPT_OK;
+}
+
+/* Perform a self-test */
+
+static int sha1SelfTest(void)
+{
+  /*
+   * If we think of a self-test, insert it here.
+   */
+
+  return CRYPT_OK;
+}
+
+/* Hash data */
+
+static int sha1Hash(CONTEXT_INFO *contextInfoPtr, unsigned char *buffer, int length)
+{
+  return doHash(contextInfoPtr, buffer, length,
+                SHA1_BLOCK_LEN, SHA1_ADDR_PREFIX, SHA1_ADDR_BLOCK,
+                SHA1_DIGEST_LEN, SHA1_ADDR_DIGEST, 0, SHA1_LENGTH_LEN);
+}
+
+/* Perform a self-test */
+
+static int sha2SelfTest(void)
+{
+  /*
+   * If we think of a self-test, insert it here.
+   */
+
+  return CRYPT_OK;
+}
+
+/* Hash data */
+
+static int sha2Hash(CONTEXT_INFO *contextInfoPtr, unsigned char *buffer, int length)
+{
+  assert(contextInfoPtr != NULL && contextInfoPtr->capabilityInfo != NULL);
+
+  switch (contextInfoPtr->capabilityInfo->blockSize) {
+
+  case bitsToBytes(256):
+    return doHash(contextInfoPtr, buffer, length,
+                  SHA256_BLOCK_LEN, SHA256_ADDR_PREFIX, SHA256_ADDR_BLOCK,
+                  SHA256_DIGEST_LEN, SHA256_ADDR_DIGEST, 0, SHA256_LENGTH_LEN);
+
+  case bitsToBytes(384):
+    return doHash(contextInfoPtr, buffer, length,
+                  SHA512_BLOCK_LEN, SHA512_ADDR_PREFIX, SHA512_ADDR_BLOCK,
+                  SHA384_DIGEST_LEN, SHA512_ADDR_DIGEST, MODE_SHA_384,
+                  SHA512_LENGTH_LEN);
+
+  case bitsToBytes(512):
+    return doHash(contextInfoPtr, buffer, length,
+                  SHA512_BLOCK_LEN, SHA512_ADDR_PREFIX, SHA512_ADDR_BLOCK,
+                  SHA512_DIGEST_LEN, SHA512_ADDR_DIGEST, MODE_SHA_512,
+                  SHA512_LENGTH_LEN);
+
+  default:
+    return CRYPT_ERROR_FAILED;
+  }
+}
+
+/* Parameter initialization, to handle SHA-2 algorithms other than SHA-256 */
+
+static int sha2InitParams(INOUT CONTEXT_INFO *contextInfoPtr, 
+                          IN_ENUM(KEYPARAM) const KEYPARAM_TYPE paramType,
+                          IN_OPT const void *data, 
+                          IN_INT const int dataLength)
+{
+  static const CAPABILITY_INFO capabilityInfoSHA384 = {
+    CRYPT_ALGO_SHA2, bitsToBytes( 384 ), "SHA-384", 7,
+    bitsToBytes( 0 ), bitsToBytes( 0 ), bitsToBytes( 0 ),
+    sha2SelfTest, hashGetInfo, NULL, NULL, NULL, NULL, sha2Hash, sha2Hash
+  };
+
+  static const CAPABILITY_INFO capabilityInfoSHA512 = {
+    CRYPT_ALGO_SHA2, bitsToBytes( 512 ), "SHA-512", 7,
+    bitsToBytes( 0 ), bitsToBytes( 0 ), bitsToBytes( 0 ),
+    sha2SelfTest, hashGetInfo, NULL, NULL, NULL, NULL, sha2Hash, sha2Hash
+  };
+
+  assert(isWritePtr(contextInfoPtr, sizeof(CONTEXT_INFO)));
+  REQUIRES(contextInfoPtr->type == CONTEXT_HASH);
+  REQUIRES(paramType > KEYPARAM_NONE && paramType < KEYPARAM_LAST);
+
+  if (paramType == KEYPARAM_BLOCKSIZE) {
+    switch (dataLength) {
+    case bitsToBytes(256):
+      return CRYPT_OK;
+    case bitsToBytes(384):
+      contextInfoPtr->capabilityInfo = &capabilityInfoSHA384;
+      return CRYPT_OK;
+    case bitsToBytes(512):
+      contextInfoPtr->capabilityInfo = &capabilityInfoSHA512;
+      return CRYPT_OK;
+    default:
+      return CRYPT_ARGERROR_NUM1;
+    }
+  }
+
+  return initGenericParams(contextInfoPtr, paramType, data, dataLength);
+}
+
+/****************************************************************************
+ *                                                                          *
+ *                           Hardware External Interface                    *
+ *                                                                          *
+ ****************************************************************************/
+
+/* The capability information for this device */
+
+static const CAPABILITY_INFO capabilities[] = {
+
+  { CRYPT_ALGO_SHA1, bitsToBytes( 160 ), "SHA-1", 5,
+    bitsToBytes( 0 ), bitsToBytes( 0 ), bitsToBytes( 0 ),
+    sha1SelfTest, hashGetInfo, NULL, NULL, NULL, NULL, sha1Hash, sha1Hash },
+
+  { CRYPT_ALGO_SHA2, bitsToBytes( 256 ), "SHA-2", 5,
+    bitsToBytes( 0 ), bitsToBytes( 0 ), bitsToBytes( 0 ),
+    sha2SelfTest, hashGetInfo, NULL, sha2InitParams, NULL, NULL, sha2Hash, sha2Hash },
+
+  { CRYPT_ALGO_NONE }, { CRYPT_ALGO_NONE }
+};
+
+/* Return the hardware capabilities list */
+
+int hwGetCapabilities(const CAPABILITY_INFO **capabilityInfo, int *noCapabilities)
+{
+  assert(isReadPtr(capabilityInfo, sizeof(CAPABILITY_INFO *)));
+  assert(isWritePtr(noCapabilities, sizeof(int)));
+
+  *capabilityInfo = capabilities;
+  *noCapabilities = FAILSAFE_ARRAYSIZE(capabilities, CAPABILITY_INFO);
+
+  return CRYPT_OK;
+}
+
+/*
+ * Get random data from the hardware.  We have a TRNG core, but I
+ * don't think we hae I2C code for it yet, so leave this as a dummy
+ * for the moment.
+ */
+
+int hwGetRandom(void *buffer, const int length)
+{
+  assert(isWritePtr(buffer, length));
+
+  REQUIRES(length >= 1 && length < MAX_INTLENGTH);
+
+  /* Fill the buffer with random-ish data */
+  dummyGenRandom(buffer, length);
+
+  return CRYPT_OK;
+}
+
+/*
+ * These "personality" methods are trivial stubs, as we do not yet
+ * have any cores which do encyrption or signature.  When we do, these
+ * methods will need to be rewritten, and whoever does that rewriting
+ * will definitely want to look at the detailed comments and template
+ * code in device/hw_dummy.c.
+ */
+
+/* Look up an item held in the hardware */
+
+int hwLookupItem(const void *keyID, const int keyIDlength, int *keyHandle)
+{
+  assert(keyHandle != NULL);
+  *keyHandle = CRYPT_ERROR;
+  return CRYPT_ERROR_NOTFOUND;
+}
+
+/* Delete an item held in the hardware */
+
+int hwDeleteItem(const int keyHandle)
+{
+  return CRYPT_OK;
+}
+
+/* Initialise/zeroise the hardware */
+
+int hwInitialise(void)
+{
+  return CRYPT_OK;
+}
+
+#endif /* USE_HARDWARE */
+
+/*
+ * "Any programmer who fails to comply with the standard naming, formatting,
+ *  or commenting conventions should be shot.  If it so happens that it is
+ *  inconvenient to shoot him, then he is to be politely requested to recode
+ *  his program in adherence to the above standard."
+ *                      -- Michael Spier, Digital Equipment Corporation
+ *
+ * Local variables:
+ * indent-tabs-mode: nil
+ * End:
+ */
diff --git a/src/cryptech_novena_i2c_simple.c b/src/cryptech_novena_i2c_simple.c
new file mode 100644
index 0000000..e023b3b
--- /dev/null
+++ b/src/cryptech_novena_i2c_simple.c
@@ -0,0 +1,542 @@
+/* 
+ * cryptech_novena_i2c_simple.c
+ * ----------------------------
+ *
+ * This is an early prototype Hardware Adaption Layer (HAL) for using
+ * Cryptlib with the Cryptech project's FGPA cores over an I2C bus on
+ * the Novena PVT1 development board using a simple stream-based
+ * protocol in which each core is represented as a separate I2C device.
+ * This is compatible with the core/novena_i2c_simple FPGA build.
+ *
+ * The communication channel used here is not suitable for production
+ * use, this is just a prototype.
+ * 
+ * Authors: Joachim Strömbergson, Paul Selkirk, Rob Austein
+ * Copyright (c) 2014, SUNET
+ * 
+ * Redistribution and use in source and binary forms, with or 
+ * without modification, are permitted provided that the following 
+ * conditions are met: 
+ * 
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in 
+ *    the documentation and/or other materials provided with the 
+ *    distribution. 
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * The HAL framework is taken from the Cryptlib hw_dummy.c template,
+ * and is Copyright 1998-2009 by Peter Gutmann.
+ */
+
+#include <assert.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+
+#if defined( INC_ALL )
+  #include "crypt.h"
+  #include "context.h"
+  #include "hardware.h"
+#else
+  #include "crypt.h"
+  #include "context/context.h"
+  #include "device/hardware.h"
+#endif /* Compiler-specific includes */
+
+/*
+ * I2C_SLAVE comes from /usr/include/linux/i2c-dev.h, but if we
+ * include that we won't be able to compile this except on Linux.  It
+ * won't *run* anywhere but on Linux, but it's useful to be able to do
+ * compilation tests on other platforms, eg, with Clang, so for now we
+ * take the small risk that this one magic constant might change.
+ */
+
+#define I2C_SLAVE       0x0703
+
+#ifdef USE_HARDWARE
+
+/*
+ * I2C configuration.  Note that, unlike the i2c_coretest HAL, each
+ * hash core has its own I2C address.  The SHA-512 core still has mode
+ * bits to select which of its four hash algorithms we want, but since
+ * they're stuffed into the low bits of the I2C address, they look
+ * like separate devices to us, so we treat them that way.
+ */
+
+#define I2C_DEV                 "/dev/i2c-2"
+#define I2C_SHA1_ADDR           0x1e
+#define I2C_SHA256_ADDR         0x1f
+#define I2C_SHA384_ADDR         0x22
+#define I2C_SHA512_ADDR         0x23
+
+/*
+ * Length parameters for the various hashes.
+ */
+
+#define SHA1_BLOCK_LEN          bitsToBytes(512)
+#define	SHA1_LENGTH_LEN		bitsToBytes(64)
+#define SHA1_DIGEST_LEN         bitsToBytes(160)
+
+#define SHA256_BLOCK_LEN        bitsToBytes(512)
+#define	SHA256_LENGTH_LEN	bitsToBytes(64)
+#define SHA256_DIGEST_LEN       bitsToBytes(256)
+
+#define	SHA384_BLOCK_LEN	SHA512_BLOCK_LEN
+#define	SHA384_LENGTH_LEN	SHA512_LENGTH_LEN
+#define SHA384_DIGEST_LEN       bitsToBytes(384)
+
+#define SHA512_BLOCK_LEN        bitsToBytes(1024)
+#define	SHA512_LENGTH_LEN	bitsToBytes(128)
+#define SHA512_DIGEST_LEN       bitsToBytes(512)
+
+#define MAX_BLOCK_LEN           SHA512_BLOCK_LEN
+
+/* Hash state */
+typedef struct {
+  unsigned long long msg_length_high;   /* Total data hashed in this message */
+  unsigned long long msg_length_low;    /* (128 bits in SHA-512 cases) */
+} hash_state_t;
+
+static int i2cfd = -1;
+static int debug = 0;
+
+/*
+ * I2C low-level code
+ */
+
+static int i2c_open(void)
+{
+  if (i2cfd >= 0)
+    return 1;
+
+  i2cfd = open(I2C_DEV, O_RDWR);
+
+  if (i2cfd < 0) {
+    perror("Unable to open " I2C_DEV);
+    i2cfd = -1;
+    return 0;
+  }
+
+  if (debug)
+    fprintf(stderr, "[ Opened %s, fd %d ]\n", I2C_DEV, i2cfd);
+
+  return 1;
+}
+
+static int i2c_addr(const int addr)
+{
+  if (!addr)
+    return 1;
+
+  if (ioctl(i2cfd, I2C_SLAVE, addr) < 0) {
+    perror("Unable to set slave address on I2C " I2C_DEV);
+    return 0;
+  }
+
+  if (debug)
+    fprintf(stderr, "[ Selected I2C slave 0x%x ]\n", (unsigned) addr);
+
+  return 1;
+}
+
+static int i2c_write(const int addr, const unsigned char *buf, const size_t len)
+{
+  if (debug) {
+    int i;
+    fprintf(stderr, "write [");
+    for (i = 0; i < len; ++i)
+      fprintf(stderr, " %02x", buf[i]);
+    fprintf(stderr, " ]\n");
+  }
+
+  if (!i2c_open() || !i2c_addr(addr))
+    return 0;
+
+  if (write(i2cfd, buf, len) != len) {
+    perror("i2c write failed");
+    return 0;
+  }
+
+  return 1;
+}
+
+/*
+ * read() on i2c device returns one byte at a time.
+ */
+
+static int i2c_read(unsigned char *buf, const size_t len)
+{
+  size_t i;
+
+  assert(i2cfd >= 0);
+
+  for (i = 0; i < len; i++) {
+    if (read(i2cfd, buf + i, 1) != 1) {
+      perror("i2c read failed");
+      return 0;
+    }
+  }
+
+  return 1;
+}
+
+/****************************************************************************
+ *                                                                          *
+ *                               Random Numbers                             *
+ *                                                                          *
+ ****************************************************************************/
+
+/*
+ * We have a TRNG core, but I don't think it's hooked up to I2C yet, so
+ * for the moment we use the toy generator from hw_dummy.c.
+ */
+
+static void dummyGenRandom(void *buffer, const int length)
+{
+  HASHFUNCTION_ATOMIC hashFunctionAtomic;
+  BYTE hashBuffer[CRYPT_MAX_HASHSIZE], *bufPtr = buffer;
+  static int counter = 0;
+  int hashSize, i;
+
+  assert(isWritePtr(buffer, length));
+
+  REQUIRES_V(length >= 1 && length < MAX_INTLENGTH);
+
+  /*
+   * Fill the buffer with random-ish data.  This gets a bit tricky
+   * because we need to fool the entropy tests so we can't just fill
+   * it with a fixed (or even semi-random) pattern but have to set up
+   * a somewhat kludgy PRNG.
+   */
+  getHashAtomicParameters(CRYPT_ALGO_SHA1, 0, &hashFunctionAtomic, &hashSize);
+  memset(hashBuffer, counter, hashSize);
+  counter++;
+  for (i = 0; i < length; i++) {
+    if (i % hashSize == 0)
+      hashFunctionAtomic(hashBuffer, CRYPT_MAX_HASHSIZE, hashBuffer, hashSize);
+    bufPtr[i] = hashBuffer[i % hashSize];
+  }
+}
+
+/****************************************************************************
+ *                                                                           *
+ *                   Hash/MAC Capability Interface Routines                  *
+ *                                                                           *
+ ****************************************************************************/
+
+/*
+ * Return context subtype-specific information.  All supported hash
+ * algorithms currently use the same state object, so they can all use
+ * this method.
+ */
+
+static int hashGetInfo(const CAPABILITY_INFO_TYPE type,
+                      CONTEXT_INFO *contextInfoPtr, 
+                      void *data, const int length)
+{
+  switch (type) {
+  case CAPABILITY_INFO_STATESIZE:
+    /*
+     * Tell cryptlib how much hash-state storage we want allocated.
+     */
+    *(int *) data = sizeof(hash_state_t);
+    return CRYPT_OK;
+
+  default:
+    return getDefaultInfo(type, contextInfoPtr, data, length);
+  }
+}
+
+/*
+ * Hash data.  All supported hash algorithms use similar block
+ * manipulations and padding algorithms, so all can use this method
+ * with a few parameters which we handle via closures below.
+ */
+
+static int doHash(CONTEXT_INFO *contextInfoPtr,
+                  const unsigned char *buffer,
+                  int length,
+                  const int addr,
+                  const size_t block_length,
+                  const size_t digest_length,
+                  const size_t length_length)
+{
+  hash_state_t *state = NULL;
+
+  assert(isWritePtr(contextInfoPtr, sizeof(CONTEXT_INFO)));
+  assert(length == 0 || isWritePtr(buffer, length));
+
+  state = (hash_state_t *) contextInfoPtr->ctxHash->hashInfo;
+
+  /*
+   * If the hash state was reset to allow another round of hashing,
+   * reinitialise things.
+   */
+
+  if (!(contextInfoPtr->flags & CONTEXT_FLAG_HASH_INITED))
+    memset(state, 0, sizeof(*state));
+
+  if (length > 0) {             /* More data to hash */
+
+    if (!i2c_write(addr, buffer, length))
+      return CRYPT_ERROR_FAILED;
+
+    if ((state->msg_length_low += length) < length)
+      state->msg_length_high++;
+
+  }
+
+  else {           /* Done: add padding, then pull result from chip */
+
+    unsigned long long bit_length_low  = (state->msg_length_low  << 3);
+    unsigned long long bit_length_high = (state->msg_length_high << 3) | (state->msg_length_low >> 61);
+    unsigned char block[MAX_BLOCK_LEN];
+    unsigned char *p;
+    size_t n;
+    int i;
+
+    /* Prepare padding buffer */
+    memset(block, 0, sizeof(block));
+    block[0] = 0x80;
+
+    /* How much room is left in the current block */
+    n = block_length - ((state->msg_length_low) & (block_length - 1));
+
+    /* If there's not enough room for length count and initial padding byte, push an extra block  */
+    if (n < length_length + 1) {
+      if (debug)
+        fprintf(stderr, "[ Overflow block, n %lu, msg_length %llu ]\n", n, state->msg_length_low);
+      if (!i2c_write(addr, block, n))
+        return CRYPT_ERROR_FAILED;
+      block[0] = 0;
+      n = block_length;
+    }
+
+    /* Finish padding with length count and push final block */
+    assert(n >= length_length + 1);
+    if (debug)
+      fprintf(stderr, "[ Final block, n %lu, msg_length %llu ]\n", (unsigned long) n, state->msg_length_low);
+    p = block + n;
+    for (i = 0; (bit_length_low || bit_length_high) && i < length_length; i++) {
+      *--p = (unsigned char) (bit_length_low & 0xFF);
+      bit_length_low >>= 8;
+      if (bit_length_high) {
+        bit_length_low |= ((bit_length_high & 0xFF) << 56);
+        bit_length_high >>= 8;
+      }
+    }
+    if (!i2c_write(addr, block, n))
+      return CRYPT_ERROR_FAILED;
+
+    /* All data pushed to core, now we just need to read back the result */
+
+    assert(digest_length <= sizeof(contextInfoPtr->ctxHash->hash));
+    if (!i2c_read(contextInfoPtr->ctxHash->hash, digest_length))
+      return CRYPT_ERROR_FAILED;
+  }
+
+  return CRYPT_OK;
+}
+
+/* Perform a self-test */
+
+static int sha1SelfTest(void)
+{
+  /*
+   * If we think of a self-test, insert it here.
+   */
+
+  return CRYPT_OK;
+}
+
+/* Hash data */
+
+static int sha1Hash(CONTEXT_INFO *contextInfoPtr, unsigned char *buffer, int length)
+{
+  return doHash(contextInfoPtr, buffer, length, I2C_SHA1_ADDR, SHA1_BLOCK_LEN, SHA1_DIGEST_LEN, SHA1_LENGTH_LEN);
+}
+
+/* Perform a self-test */
+
+static int sha2SelfTest(void)
+{
+  /*
+   * If we think of a self-test, insert it here.
+   */
+
+  return CRYPT_OK;
+}
+
+/* Hash data */
+
+static int sha2Hash(CONTEXT_INFO *contextInfoPtr, unsigned char *buffer, int length)
+{
+  assert(contextInfoPtr != NULL && contextInfoPtr->capabilityInfo != NULL);
+  switch (contextInfoPtr->capabilityInfo->blockSize) {
+  case bitsToBytes(256):
+    return doHash(contextInfoPtr, buffer, length, I2C_SHA256_ADDR, SHA256_BLOCK_LEN, SHA256_DIGEST_LEN, SHA256_LENGTH_LEN);
+  case bitsToBytes(384):
+    return doHash(contextInfoPtr, buffer, length, I2C_SHA384_ADDR, SHA384_BLOCK_LEN, SHA384_DIGEST_LEN, SHA384_LENGTH_LEN);
+  case bitsToBytes(512):
+    return doHash(contextInfoPtr, buffer, length, I2C_SHA512_ADDR, SHA512_BLOCK_LEN, SHA512_DIGEST_LEN, SHA512_LENGTH_LEN);
+  default:
+    return CRYPT_ERROR_FAILED;
+  }
+}
+
+/* Parameter initialization, to handle SHA-2 algorithms other than SHA-256 */
+
+static int sha2InitParams(INOUT CONTEXT_INFO *contextInfoPtr, 
+                          IN_ENUM(KEYPARAM) const KEYPARAM_TYPE paramType,
+                          IN_OPT const void *data, 
+                          IN_INT const int dataLength)
+{
+  static const CAPABILITY_INFO capabilityInfoSHA384 = {
+    CRYPT_ALGO_SHA2, bitsToBytes( 384 ), "SHA-384", 7,
+    bitsToBytes( 0 ), bitsToBytes( 0 ), bitsToBytes( 0 ),
+    sha2SelfTest, hashGetInfo, NULL, NULL, NULL, NULL, sha2Hash, sha2Hash
+  };
+
+  static const CAPABILITY_INFO capabilityInfoSHA512 = {
+    CRYPT_ALGO_SHA2, bitsToBytes( 512 ), "SHA-512", 7,
+    bitsToBytes( 0 ), bitsToBytes( 0 ), bitsToBytes( 0 ),
+    sha2SelfTest, hashGetInfo, NULL, NULL, NULL, NULL, sha2Hash, sha2Hash
+  };
+
+  assert(isWritePtr(contextInfoPtr, sizeof(CONTEXT_INFO)));
+  REQUIRES(contextInfoPtr->type == CONTEXT_HASH);
+  REQUIRES(paramType > KEYPARAM_NONE && paramType < KEYPARAM_LAST);
+
+  if (paramType == KEYPARAM_BLOCKSIZE) {
+    switch (dataLength) {
+    case bitsToBytes(256):
+      return CRYPT_OK;
+    case bitsToBytes(384):
+      contextInfoPtr->capabilityInfo = &capabilityInfoSHA384;
+      return CRYPT_OK;
+    case bitsToBytes(512):
+      contextInfoPtr->capabilityInfo = &capabilityInfoSHA512;
+      return CRYPT_OK;
+    default:
+      return CRYPT_ARGERROR_NUM1;
+    }
+  }
+
+  return initGenericParams(contextInfoPtr, paramType, data, dataLength);
+}
+
+/****************************************************************************
+ *                                                                          *
+ *                           Hardware External Interface                    *
+ *                                                                          *
+ ****************************************************************************/
+
+/* The capability information for this device */
+
+static const CAPABILITY_INFO capabilities[] = {
+
+  { CRYPT_ALGO_SHA1, bitsToBytes( 160 ), "SHA-1", 5,
+    bitsToBytes( 0 ), bitsToBytes( 0 ), bitsToBytes( 0 ),
+    sha1SelfTest, hashGetInfo, NULL, NULL, NULL, NULL, sha1Hash, sha1Hash },
+
+  { CRYPT_ALGO_SHA2, bitsToBytes( 256 ), "SHA-2", 5,
+    bitsToBytes( 0 ), bitsToBytes( 0 ), bitsToBytes( 0 ),
+    sha2SelfTest, hashGetInfo, NULL, sha2InitParams, NULL, NULL, sha2Hash, sha2Hash },
+
+  { CRYPT_ALGO_NONE }, { CRYPT_ALGO_NONE }
+};
+
+/* Return the hardware capabilities list */
+
+int hwGetCapabilities(const CAPABILITY_INFO **capabilityInfo, int *noCapabilities)
+{
+  assert(isReadPtr(capabilityInfo, sizeof(CAPABILITY_INFO *)));
+  assert(isWritePtr(noCapabilities, sizeof(int)));
+
+  *capabilityInfo = capabilities;
+  *noCapabilities = FAILSAFE_ARRAYSIZE(capabilities, CAPABILITY_INFO);
+
+  return CRYPT_OK;
+}
+
+/*
+ * Get random data from the hardware.  We have a TRNG core, but I
+ * don't think we hae I2C code for it yet, so leave this as a dummy
+ * for the moment.
+ */
+
+int hwGetRandom(void *buffer, const int length)
+{
+  assert(isWritePtr(buffer, length));
+
+  REQUIRES(length >= 1 && length < MAX_INTLENGTH);
+
+  /* Fill the buffer with random-ish data */
+  dummyGenRandom(buffer, length);
+
+  return CRYPT_OK;
+}
+
+/*
+ * These "personality" methods are trivial stubs, as we do not yet
+ * have any cores which do encyrption or signature.  When we do, these
+ * methods will need to be rewritten, and whoever does that rewriting
+ * will definitely want to look at the detailed comments and template
+ * code in device/hw_dummy.c.
+ */
+
+/* Look up an item held in the hardware */
+
+int hwLookupItem(const void *keyID, const int keyIDlength, int *keyHandle)
+{
+  assert(keyHandle != NULL);
+  *keyHandle = CRYPT_ERROR;
+  return CRYPT_ERROR_NOTFOUND;
+}
+
+/* Delete an item held in the hardware */
+
+int hwDeleteItem(const int keyHandle)
+{
+  return CRYPT_OK;
+}
+
+/* Initialise/zeroise the hardware */
+
+int hwInitialise(void)
+{
+  return CRYPT_OK;
+}
+
+#endif /* USE_HARDWARE */
+
+/*
+ * "Any programmer who fails to comply with the standard naming, formatting,
+ *  or commenting conventions should be shot.  If it so happens that it is
+ *  inconvenient to shoot him, then he is to be politely requested to recode
+ *  his program in adherence to the above standard."
+ *                      -- Michael Spier, Digital Equipment Corporation
+ *
+ * Local variables:
+ * indent-tabs-mode: nil
+ * End:
+ */
diff --git a/tests/test_hashes.py b/tests/test_hashes.py
new file mode 100644
index 0000000..2e38ca3
--- /dev/null
+++ b/tests/test_hashes.py
@@ -0,0 +1,104 @@
+# Trivial test of cryptech hash cores via cryptlib python interface.
+# Might upgrade to Python's unittest framework eventually.
+
+import atexit, os.path
+from cryptlib_py import *
+
+cryptInit()
+atexit.register(cryptEnd)
+
+hwdev = cryptDeviceOpen(CRYPT_UNUSED, CRYPT_DEVICE_HARDWARE, None)
+atexit.register(cryptDeviceClose, hwdev)
+
+# Usual NIST sample messages.
+
+def hextext(s):
+    return "".join(s.split()).lower()
+
+NIST_512_SINGLE      = "abc"
+SHA1_SINGLE_DIGEST   = hextext("A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D")
+SHA256_SINGLE_DIGEST = hextext("BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD")
+
+NIST_512_DOUBLE      = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+SHA1_DOUBLE_DIGEST   = hextext("84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1")
+SHA256_DOUBLE_DIGEST = hextext("248D6A61 D20638B8 E5C02693 0C3E6039 A33CE459 64FF2167 F6ECEDD4 19DB06C1")
+
+NIST_1024_SINGLE     = "abc"
+SHA384_SINGLE_DIGEST = hextext("CB00753F 45A35E8B B5A03D69 9AC65007 272C32AB 0EDED163"
+                               "1A8B605A 43FF5BED 8086072B A1E7CC23 58BAECA1 34C825A7")
+SHA512_SINGLE_DIGEST = hextext("DDAF35A1 93617ABA CC417349 AE204131 12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A"
+                               "2192992A 274FC1A8 36BA3C23 A3FEEBBD 454D4423 643CE80E 2A9AC94F A54CA49F")
+
+NIST_1024_DOUBLE     = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" \
+                       "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
+SHA384_DOUBLE_DIGEST = hextext("09330C33 F71147E8 3D192FC7 82CD1B47 53111B17 3B3B05D2"
+                               "2FA08086 E3B0F712 FCC7C71A 557E2DB9 66C3E9FA 91746039")
+SHA512_DOUBLE_DIGEST = hextext("8E959B75 DAE313DA 8CF4F728 14FC143F 8F7779C6 EB9F7FA1 7299AEAD B6889018"
+                               "501D289E 4900F7E4 331B99DE C4B5433A C7D329EE B6DD2654 5E96E55B 874BE909")
+
+def do_hash(ctx, s):
+    try:
+        cryptEncrypt(ctx, array("c", s))
+        cryptEncrypt(ctx, array("c", ""))
+        result = ctx.CRYPT_CTXINFO_HASHVALUE
+        return result.encode("hex")
+    finally:
+        cryptDestroyContext(ctx)
+
+def sha1(d, s):
+    if d is None:
+        ctx = cryptCreateContext(CRYPT_UNUSED, CRYPT_ALGO_SHA1)
+    else:
+        ctx = cryptDeviceCreateContext(d, CRYPT_ALGO_SHA1)
+    return do_hash(ctx, s)
+
+def sha256(d, s):
+    if d is None:
+        ctx = cryptCreateContext(CRYPT_UNUSED, CRYPT_ALGO_SHA2)
+    else:
+        ctx = cryptDeviceCreateContext(d, CRYPT_ALGO_SHA2)
+    return do_hash(ctx, s)
+
+def sha384(d, s):
+    if d is None:
+        ctx = cryptCreateContext(CRYPT_UNUSED, CRYPT_ALGO_SHA2)
+    else:
+        ctx = cryptDeviceCreateContext(d, CRYPT_ALGO_SHA2)
+    ctx.CTXINFO_BLOCKSIZE = 48
+    return do_hash(ctx, s)
+
+def sha512(d, s):
+    if d is None:
+        ctx = cryptCreateContext(CRYPT_UNUSED, CRYPT_ALGO_SHA2)
+    else:
+        ctx = cryptDeviceCreateContext(d, CRYPT_ALGO_SHA2)
+    ctx.CTXINFO_BLOCKSIZE = 64
+    return do_hash(ctx, s)
+
+have_i2c = os.path.exists("/dev/i2c-2")
+
+if not have_i2c:
+    print
+    print "I2C device not found, so testing software only, no hardware cores tested"
+
+def test(digest, text, expect):
+    print
+    print "Testing %s(%r)" % (digest.__name__, text)
+    hashes = [digest(None, text)]
+    if have_i2c:
+        hashes.append(digest(hwdev, text))
+    for hash in hashes:
+        if hash == expect:
+            print "+", hash
+        else:
+            print "-", hash
+            print "!", expect
+
+test(sha1,   NIST_512_SINGLE,  SHA1_SINGLE_DIGEST)
+test(sha1,   NIST_512_DOUBLE,  SHA1_DOUBLE_DIGEST)
+test(sha256, NIST_512_SINGLE,  SHA256_SINGLE_DIGEST)
+test(sha256, NIST_512_DOUBLE,  SHA256_DOUBLE_DIGEST)
+test(sha384, NIST_1024_SINGLE, SHA384_SINGLE_DIGEST)
+test(sha384, NIST_1024_DOUBLE, SHA384_DOUBLE_DIGEST)
+test(sha512, NIST_1024_SINGLE, SHA512_SINGLE_DIGEST)
+test(sha512, NIST_1024_DOUBLE, SHA512_DOUBLE_DIGEST)



More information about the Commits mailing list