[Cryptech-Commits] [sw/libhal] 08/12: Merge branch 'master' into ecdsa
git at cryptech.is
git at cryptech.is
Mon Sep 14 21:43:25 UTC 2015
This is an automated email from the git hooks/post-receive script.
sra at hactrn.net pushed a commit to branch ecdsa
in repository sw/libhal.
commit e946b4661607736f1b89a7a107729382cb85fd55
Merge: 12fd927 5106b88
Author: Rob Austein <sra at hactrn.net>
Date: Tue Sep 8 15:54:40 2015 -0400
Merge branch 'master' into ecdsa
This required a bit of manual cleanup in hal.h, hash.c, and rsa.c. No
intended changes to functionality provided by parent comments, just a
few tweaks to track API changes beyond git's ken.
hal.h | 60 +++++++++----------
hash.c | 180 +++++++++++++++++++++++++++++++++++++++++++------------
modexp.c | 104 ++++++++++++++++----------------
rsa.c | 22 ++++---
tests/test-rsa.c | 4 +-
5 files changed, 238 insertions(+), 132 deletions(-)
diff --cc hal.h
index 547894e,64377b4..4a5e239
--- a/hal.h
+++ b/hal.h
@@@ -524,7 -510,8 +518,8 @@@ typedef struct
size_t hmac_state_length;
const uint8_t * const digest_algorithm_id;
size_t digest_algorithm_id_length;
- const void *driver;
+ const hal_hash_driver_t *driver;
+ unsigned can_restore_state : 1;
} hal_hash_descriptor_t;
/*
@@@ -569,11 -556,14 +564,14 @@@ extern hal_error_t hal_hmac_initialize(
void *state_buffer, const size_t state_length,
const uint8_t * const key, const size_t key_length);
-extern hal_error_t hal_hmac_update(const hal_hmac_state_t state,
+extern hal_error_t hal_hmac_update(hal_hmac_state_t *state,
const uint8_t * data, const size_t length);
-extern hal_error_t hal_hmac_finalize(const hal_hmac_state_t state,
+extern hal_error_t hal_hmac_finalize(hal_hmac_state_t *state,
uint8_t *hmac, const size_t length);
-extern void hal_hash_cleanup(hal_hash_state_t *state);
++extern void hal_hash_cleanup(hal_hash_state_t **state);
+
-extern void hal_hmac_cleanup(hal_hmac_state_t *state);
++extern void hal_hmac_cleanup(hal_hmac_state_t **state);
/*
* AES key wrap functions.
diff --cc hash.c
index ce086f4,45e2f59..e06278d
--- a/hash.c
+++ b/hash.c
@@@ -73,22 -73,27 +73,27 @@@ struct hal_hash_driver
off_t name_addr; /* Where to read core name */
char core_name[8]; /* Expected name of core */
uint8_t ctrl_mode; /* Digest mode, for cores that have modes */
-} driver_t;
+};
/*
- * Hash state.
+ * Hash state. For now we assume that the only core state we need to
+ * save and restore is the current digest value.
*/
-typedef struct {
+struct hal_hash_state {
const hal_hash_descriptor_t *descriptor;
- const driver_t *driver;
+ const hal_hash_driver_t *driver;
uint64_t msg_length_high; /* Total data hashed in this message */
uint64_t msg_length_low; /* (128 bits in SHA-512 cases) */
- uint8_t block[HAL_MAX_HASH_BLOCK_LENGTH]; /* Block we're accumulating */
+ uint8_t block[HAL_MAX_HASH_BLOCK_LENGTH], /* Block we're accumulating */
+ core_state[HAL_MAX_HASH_DIGEST_LENGTH]; /* Saved core state */
size_t block_used; /* How much of the block we've used */
unsigned block_count; /* Blocks sent */
+ unsigned flags;
-} internal_hash_state_t;
+};
+ #define STATE_FLAG_STATE_ALLOCATED 0x1 /* State buffer dynamically allocated */
+
/*
* HMAC state. Right now this just holds the key block and a hash
* context; if and when we figure out how PCLSR the hash cores, we
@@@ -183,44 -188,44 +188,44 @@@ static const uint8_
const hal_hash_descriptor_t hal_hash_sha1[1] = {{
SHA1_BLOCK_LEN, SHA1_DIGEST_LEN,
- sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
+ sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
dalgid_sha1, sizeof(dalgid_sha1),
- &sha1_driver
+ &sha1_driver, 0
}};
const hal_hash_descriptor_t hal_hash_sha256[1] = {{
SHA256_BLOCK_LEN, SHA256_DIGEST_LEN,
- sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
+ sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
dalgid_sha256, sizeof(dalgid_sha256),
- &sha256_driver
+ &sha256_driver, 1
}};
const hal_hash_descriptor_t hal_hash_sha512_224[1] = {{
SHA512_BLOCK_LEN, SHA512_224_DIGEST_LEN,
- sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
+ sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
dalgid_sha512_224, sizeof(dalgid_sha512_224),
- &sha512_224_driver
+ &sha512_224_driver, 0
}};
const hal_hash_descriptor_t hal_hash_sha512_256[1] = {{
SHA512_BLOCK_LEN, SHA512_256_DIGEST_LEN,
- sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
+ sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
dalgid_sha512_256, sizeof(dalgid_sha512_256),
- &sha512_256_driver
+ &sha512_256_driver, 0
}};
const hal_hash_descriptor_t hal_hash_sha384[1] = {{
SHA512_BLOCK_LEN, SHA384_DIGEST_LEN,
- sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
+ sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
dalgid_sha384, sizeof(dalgid_sha384),
- &sha384_driver
+ &sha384_driver, 0
}};
const hal_hash_descriptor_t hal_hash_sha512[1] = {{
SHA512_BLOCK_LEN, SHA512_DIGEST_LEN,
- sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
+ sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
dalgid_sha512, sizeof(dalgid_sha512),
- &sha512_driver
+ &sha512_driver, 0
}};
/*
@@@ -268,26 -273,90 +273,90 @@@ hal_error_t hal_hash_core_present(cons
*/
hal_error_t hal_hash_initialize(const hal_hash_descriptor_t * const descriptor,
- hal_hash_state_t *opaque_state,
+ hal_hash_state_t **state_,
void *state_buffer, const size_t state_length)
{
- const driver_t * const driver = check_driver(descriptor);
- internal_hash_state_t *state = state_buffer;
+ const hal_hash_driver_t * const driver = check_driver(descriptor);
+ hal_hash_state_t *state = state_buffer;
- if (driver == NULL || state == NULL || state_ == NULL ||
- state_length < descriptor->hash_state_length)
- if (driver == NULL || opaque_state == NULL)
++ if (driver == NULL || state_ == NULL)
+ return HAL_ERROR_BAD_ARGUMENTS;
+
+ if (state_buffer != NULL && state_length < descriptor->hash_state_length)
return HAL_ERROR_BAD_ARGUMENTS;
+ if (state_buffer == NULL && (state = malloc(descriptor->hash_state_length)) == NULL)
+ return HAL_ERROR_ALLOCATION_FAILURE;
+
memset(state, 0, sizeof(*state));
state->descriptor = descriptor;
state->driver = driver;
+
+ if (state_buffer == NULL)
+ state->flags |= STATE_FLAG_STATE_ALLOCATED;
- opaque_state->state = state;
+ *state_ = state;
return HAL_OK;
}
/*
+ * Clean up hash state. No-op unless memory was dynamically allocated.
+ */
+
-void hal_hash_cleanup(hal_hash_state_t *opaque_state)
++void hal_hash_cleanup(hal_hash_state_t **state_)
+ {
- if (opaque_state == NULL)
++ if (state_ == NULL)
+ return;
+
- internal_hash_state_t *state = opaque_state->state;
++ hal_hash_state_t *state = *state_;
+
+ if (state == NULL || (state->flags & STATE_FLAG_STATE_ALLOCATED) == 0)
+ return;
+
+ memset(state, 0, state->descriptor->hash_state_length);
+ free(state);
- opaque_state->state = NULL;
++ *state_ = NULL;
+ }
+
+ /*
+ * Read hash result from core. At least for now, this also serves to
+ * read current hash state from core.
+ */
+
-static hal_error_t hash_read_digest(const driver_t * const driver,
++static hal_error_t hash_read_digest(const hal_hash_driver_t * const driver,
+ uint8_t *digest,
+ const size_t digest_length)
+ {
+ hal_error_t err;
+
+ assert(digest != NULL && digest_length % 4 == 0);
+
+ if ((err = hal_io_wait_valid(driver->status_addr)) != HAL_OK)
+ return err;
+
+ return hal_io_read(driver->digest_addr, digest, digest_length);
+ }
+
+ /*
+ * Write hash state back to core.
+ */
+
-static hal_error_t hash_write_digest(const driver_t * const driver,
++static hal_error_t hash_write_digest(const hal_hash_driver_t * const driver,
+ const uint8_t * const digest,
+ const size_t digest_length)
+ {
+ hal_error_t err;
+
+ assert(digest != NULL && digest_length % 4 == 0);
+
+ if ((err = hal_io_wait_ready(driver->status_addr)) != HAL_OK)
+ return err;
+
+ return hal_io_write(driver->digest_addr, digest, digest_length);
+ }
+
+ /*
* Send one block to a core.
*/
@@@ -306,14 -388,9 +388,9 @@@ static hal_error_t hash_write_block(hal
return err;
ctrl_cmd[0] = ctrl_cmd[1] = ctrl_cmd[2] = 0;
- ctrl_cmd[3] = state->block_count == 0 ? CTRL_INIT : CTRL_NEXT;
+ ctrl_cmd[3] = state->block_count == 0 ? CTRL_INIT : CTRL_NEXT;
ctrl_cmd[3] |= state->driver->ctrl_mode;
- /*
- * Not sure why we're waiting for ready here, but it's what the old
- * (read: tested) code did, so keep that behavior for now.
- */
-
if ((err = hal_io_write(state->driver->ctrl_addr, ctrl_cmd, sizeof(ctrl_cmd))) != HAL_OK)
return err;
@@@ -481,16 -547,23 +545,22 @@@ hal_error_t hal_hmac_initialize(const h
void *state_buffer, const size_t state_length,
const uint8_t * const key, const size_t key_length)
{
- const driver_t * const driver = check_driver(descriptor);
- internal_hmac_state_t *state = state_buffer;
- hal_hash_state_t oh;
+ const hal_hash_driver_t * const driver = check_driver(descriptor);
+ hal_hmac_state_t *state = state_buffer;
- hal_hash_state_t *h = NULL;
hal_error_t err;
int i;
- if (descriptor == NULL || driver == NULL || state == NULL || state_ == NULL ||
- state_length < descriptor->hmac_state_length)
- if (driver == NULL || opaque_state == NULL)
++ if (descriptor == NULL || driver == NULL || state_ == NULL)
return HAL_ERROR_BAD_ARGUMENTS;
+ if (state_buffer != NULL && state_length < descriptor->hmac_state_length)
+ return HAL_ERROR_BAD_ARGUMENTS;
+
+ if (state_buffer == NULL && (state = malloc(descriptor->hmac_state_length)) == NULL)
+ return HAL_ERROR_ALLOCATION_FAILURE;
+
- internal_hash_state_t *h = &state->hash_state;
++ hal_hash_state_t *h = &state->hash_state;
+
assert(descriptor->block_length <= sizeof(state->keybuf));
#if 0
@@@ -503,9 -576,11 +573,12 @@@
return HAL_ERROR_UNSUPPORTED_KEY;
#endif
- if ((err = hal_hash_initialize(descriptor, &oh, h, sizeof(*h))) != HAL_OK)
+ if ((err = hal_hash_initialize(descriptor, &h, &state->hash_state,
+ sizeof(state->hash_state))) != HAL_OK)
- return err;
+ goto fail;
+
+ if (state_buffer == NULL)
+ h->flags |= STATE_FLAG_STATE_ALLOCATED;
/*
* If the supplied HMAC key is longer than the hash block length, we
@@@ -518,11 -593,10 +591,11 @@@
if (key_length <= descriptor->block_length)
memcpy(state->keybuf, key, key_length);
- else if ((err = hal_hash_update(oh, key, key_length)) != HAL_OK ||
- (err = hal_hash_finalize(oh, state->keybuf, sizeof(state->keybuf))) != HAL_OK ||
- (err = hal_hash_initialize(descriptor, &oh, h, sizeof(*h))) != HAL_OK)
+ else if ((err = hal_hash_update(h, key, key_length)) != HAL_OK ||
+ (err = hal_hash_finalize(h, state->keybuf, sizeof(state->keybuf))) != HAL_OK ||
+ (err = hal_hash_initialize(descriptor, &h, &state->hash_state,
+ sizeof(state->hash_state))) != HAL_OK)
- return err;
+ goto fail;
/*
* XOR the key with the IPAD value, then start the inner hash.
@@@ -531,8 -605,8 +604,8 @@@
for (i = 0; i < descriptor->block_length; i++)
state->keybuf[i] ^= HMAC_IPAD;
- if ((err = hal_hash_update(oh, state->keybuf, descriptor->block_length)) != HAL_OK)
+ if ((err = hal_hash_update(h, state->keybuf, descriptor->block_length)) != HAL_OK)
- return err;
+ goto fail;
/*
* Prepare the key for the final hash. Since we just XORed key with
@@@ -550,9 -624,38 +623,38 @@@
* when the hash cores support such a thing.
*/
- opaque_state->state = state;
+ *state_ = state;
return HAL_OK;
+
+ fail:
+ if (state_buffer == NULL)
+ free(state);
+ return err;
+ }
+
+ /*
+ * Clean up HMAC state. No-op unless memory was dynamically allocated.
+ */
+
-void hal_hmac_cleanup(hal_hmac_state_t *opaque_state)
++void hal_hmac_cleanup(hal_hmac_state_t **state_)
+ {
- if (opaque_state == NULL)
++ if (state_ == NULL)
+ return;
+
- internal_hmac_state_t *state = opaque_state->state;
++ hal_hmac_state_t *state = *state_;
+
+ if (state == NULL)
+ return;
+
- internal_hash_state_t *h = &state->hash_state;
++ hal_hash_state_t *h = &state->hash_state;
+
+ if ((h->flags & STATE_FLAG_STATE_ALLOCATED) == 0)
+ return;
+
+ memset(state, 0, h->descriptor->hmac_state_length);
+ free(state);
- opaque_state->state = NULL;
++ *state_ = NULL;
}
/*
diff --cc rsa.c
index b863fdd,2e950b8..3962a74
--- a/rsa.c
+++ b/rsa.c
@@@ -169,22 -164,27 +169,30 @@@ static hal_error_t unpack_fp(const fp_i
* wrap result back up as a bignum.
*/
- static hal_error_t modexp(const fp_int * const msg,
-static hal_error_t modexp(fp_int *msg, fp_int *exp, fp_int *mod, fp_int *res)
++static hal_error_t modexp(const fp_int * msg,
+ const fp_int * const exp,
+ const fp_int * const mod,
+ fp_int *res)
{
hal_error_t err = HAL_OK;
assert(msg != NULL && exp != NULL && mod != NULL && res != NULL);
- const size_t msg_len = fp_unsigned_bin_size(msg);
- const size_t exp_len = fp_unsigned_bin_size(exp);
- const size_t mod_len = fp_unsigned_bin_size(mod);
+ fp_int reduced_msg;
- const size_t len = (MAX(MAX(msg_len, exp_len), mod_len) + 3) & ~3;
- if (fp_cmp_mag(msg, mod) != FP_LT) {
++ if (fp_cmp_mag(unconst_fp_int(msg), unconst_fp_int(mod)) != FP_LT) {
+ fp_init(&reduced_msg);
- fp_mod(msg, mod, &reduced_msg);
++ fp_mod(unconst_fp_int(msg), unconst_fp_int(mod), &reduced_msg);
+ msg = &reduced_msg;
+ }
- uint8_t msgbuf[len], expbuf[len], modbuf[len], resbuf[len];
- const size_t exp_len = (fp_unsigned_bin_size(exp) + 3) & ~3;
- const size_t mod_len = (fp_unsigned_bin_size(mod) + 3) & ~3;
++ const size_t exp_len = (fp_unsigned_bin_size(unconst_fp_int(exp)) + 3) & ~3;
++ const size_t mod_len = (fp_unsigned_bin_size(unconst_fp_int(mod)) + 3) & ~3;
+
+ uint8_t msgbuf[mod_len];
+ uint8_t expbuf[exp_len];
+ uint8_t modbuf[mod_len];
+ uint8_t resbuf[mod_len];
if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
(err = unpack_fp(exp, expbuf, sizeof(expbuf))) != HAL_OK ||
More information about the Commits
mailing list