[Cryptech-Commits] [sw/libhal] 08/12: Merge branch 'master' into ecdsa

git at cryptech.is git at cryptech.is
Mon Sep 14 21:43:25 UTC 2015


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch ecdsa
in repository sw/libhal.

commit e946b4661607736f1b89a7a107729382cb85fd55
Merge: 12fd927 5106b88
Author: Rob Austein <sra at hactrn.net>
Date:   Tue Sep 8 15:54:40 2015 -0400

    Merge branch 'master' into ecdsa
    
    This required a bit of manual cleanup in hal.h, hash.c, and rsa.c.  No
    intended changes to functionality provided by parent comments, just a
    few tweaks to track API changes beyond git's ken.

 hal.h            |  60 +++++++++----------
 hash.c           | 180 +++++++++++++++++++++++++++++++++++++++++++------------
 modexp.c         | 104 ++++++++++++++++----------------
 rsa.c            |  22 ++++---
 tests/test-rsa.c |   4 +-
 5 files changed, 238 insertions(+), 132 deletions(-)

diff --cc hal.h
index 547894e,64377b4..4a5e239
--- a/hal.h
+++ b/hal.h
@@@ -524,7 -510,8 +518,8 @@@ typedef struct 
    size_t hmac_state_length;
    const uint8_t * const digest_algorithm_id;
    size_t digest_algorithm_id_length;
 -  const void *driver;
 +  const hal_hash_driver_t *driver;
+   unsigned can_restore_state : 1;
  } hal_hash_descriptor_t;
  
  /*
@@@ -569,11 -556,14 +564,14 @@@ extern hal_error_t hal_hmac_initialize(
                                         void *state_buffer, const size_t state_length,
                                         const uint8_t * const key, const size_t key_length);
  
 -extern hal_error_t hal_hmac_update(const hal_hmac_state_t state,
 +extern hal_error_t hal_hmac_update(hal_hmac_state_t *state,
                                     const uint8_t * data, const size_t length);
  
 -extern hal_error_t hal_hmac_finalize(const hal_hmac_state_t state,
 +extern hal_error_t hal_hmac_finalize(hal_hmac_state_t *state,
                                       uint8_t *hmac, const size_t length);
 -extern void hal_hash_cleanup(hal_hash_state_t *state);
++extern void hal_hash_cleanup(hal_hash_state_t **state);
+ 
 -extern void hal_hmac_cleanup(hal_hmac_state_t *state);
++extern void hal_hmac_cleanup(hal_hmac_state_t **state);
  
  /*
   * AES key wrap functions.
diff --cc hash.c
index ce086f4,45e2f59..e06278d
--- a/hash.c
+++ b/hash.c
@@@ -73,22 -73,27 +73,27 @@@ struct hal_hash_driver 
    off_t name_addr;                      /* Where to read core name */
    char core_name[8];                    /* Expected name of core */
    uint8_t ctrl_mode;                    /* Digest mode, for cores that have modes */
 -} driver_t;
 +};
  
  /*
-  * Hash state.
+  * Hash state.  For now we assume that the only core state we need to
+  * save and restore is the current digest value.
   */
  
 -typedef struct {
 +struct hal_hash_state {
    const hal_hash_descriptor_t *descriptor;
 -  const driver_t *driver;
 +  const hal_hash_driver_t *driver;
    uint64_t msg_length_high;                     /* Total data hashed in this message */
    uint64_t msg_length_low;                      /* (128 bits in SHA-512 cases) */
-   uint8_t block[HAL_MAX_HASH_BLOCK_LENGTH];     /* Block we're accumulating */
+   uint8_t block[HAL_MAX_HASH_BLOCK_LENGTH],     /* Block we're accumulating */
+     core_state[HAL_MAX_HASH_DIGEST_LENGTH];     /* Saved core state */
    size_t block_used;                            /* How much of the block we've used */
    unsigned block_count;                         /* Blocks sent */
+   unsigned flags;
 -} internal_hash_state_t;
 +};
  
+ #define STATE_FLAG_STATE_ALLOCATED 0x1          /* State buffer dynamically allocated */
+ 
  /*
   * HMAC state.  Right now this just holds the key block and a hash
   * context; if and when we figure out how PCLSR the hash cores, we
@@@ -183,44 -188,44 +188,44 @@@ static const uint8_
  
  const hal_hash_descriptor_t hal_hash_sha1[1] = {{
    SHA1_BLOCK_LEN, SHA1_DIGEST_LEN,
 -  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
 +  sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
    dalgid_sha1, sizeof(dalgid_sha1),
-   &sha1_driver
+   &sha1_driver, 0
  }};
  
  const hal_hash_descriptor_t hal_hash_sha256[1] = {{
    SHA256_BLOCK_LEN, SHA256_DIGEST_LEN,
 -  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
 +  sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
    dalgid_sha256, sizeof(dalgid_sha256),
-   &sha256_driver
+   &sha256_driver, 1
  }};
  
  const hal_hash_descriptor_t hal_hash_sha512_224[1] = {{
    SHA512_BLOCK_LEN, SHA512_224_DIGEST_LEN,
 -  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
 +  sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
    dalgid_sha512_224, sizeof(dalgid_sha512_224),
-   &sha512_224_driver
+   &sha512_224_driver, 0
  }};
  
  const hal_hash_descriptor_t hal_hash_sha512_256[1] = {{
    SHA512_BLOCK_LEN, SHA512_256_DIGEST_LEN,
 -  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
 +  sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
    dalgid_sha512_256, sizeof(dalgid_sha512_256),
-   &sha512_256_driver
+   &sha512_256_driver, 0
  }};
  
  const hal_hash_descriptor_t hal_hash_sha384[1] = {{
    SHA512_BLOCK_LEN, SHA384_DIGEST_LEN,
 -  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
 +  sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
    dalgid_sha384, sizeof(dalgid_sha384),
-   &sha384_driver
+   &sha384_driver, 0
  }};
  
  const hal_hash_descriptor_t hal_hash_sha512[1] = {{
    SHA512_BLOCK_LEN, SHA512_DIGEST_LEN,
 -  sizeof(internal_hash_state_t), sizeof(internal_hmac_state_t),
 +  sizeof(hal_hash_state_t), sizeof(hal_hmac_state_t),
    dalgid_sha512, sizeof(dalgid_sha512),
-   &sha512_driver
+   &sha512_driver, 0
  }};
  
  /*
@@@ -268,26 -273,90 +273,90 @@@ hal_error_t hal_hash_core_present(cons
   */
  
  hal_error_t hal_hash_initialize(const hal_hash_descriptor_t * const descriptor,
 -                                hal_hash_state_t *opaque_state,
 +                                hal_hash_state_t **state_,
                                  void *state_buffer, const size_t state_length)
  {
 -  const driver_t * const driver = check_driver(descriptor);
 -  internal_hash_state_t *state = state_buffer;
 +  const hal_hash_driver_t * const driver = check_driver(descriptor);
 +  hal_hash_state_t *state = state_buffer;
  
-   if (driver == NULL || state == NULL || state_ == NULL ||
-       state_length < descriptor->hash_state_length)
 -  if (driver == NULL || opaque_state == NULL)
++  if (driver == NULL || state_ == NULL)
+     return HAL_ERROR_BAD_ARGUMENTS;
+ 
+   if (state_buffer != NULL && state_length < descriptor->hash_state_length)
      return HAL_ERROR_BAD_ARGUMENTS;
  
+   if (state_buffer == NULL && (state = malloc(descriptor->hash_state_length)) == NULL)
+       return HAL_ERROR_ALLOCATION_FAILURE;
+ 
    memset(state, 0, sizeof(*state));
    state->descriptor = descriptor;
    state->driver = driver;
+     
+   if (state_buffer == NULL)
+     state->flags |= STATE_FLAG_STATE_ALLOCATED;
  
 -  opaque_state->state = state;
 +  *state_ = state;
  
    return HAL_OK;
  }
  
  /*
+  * Clean up hash state.  No-op unless memory was dynamically allocated.
+  */
+ 
 -void hal_hash_cleanup(hal_hash_state_t *opaque_state)
++void hal_hash_cleanup(hal_hash_state_t **state_)
+ {
 -  if (opaque_state == NULL)
++  if (state_ == NULL)
+     return;
+ 
 -  internal_hash_state_t *state = opaque_state->state;
++  hal_hash_state_t *state = *state_;
+ 
+   if (state == NULL || (state->flags & STATE_FLAG_STATE_ALLOCATED) == 0)
+     return;
+ 
+   memset(state, 0, state->descriptor->hash_state_length);
+   free(state);
 -  opaque_state->state = NULL;
++  *state_ = NULL;
+ }
+ 
+ /*
+  * Read hash result from core.  At least for now, this also serves to
+  * read current hash state from core.
+  */
+ 
 -static hal_error_t hash_read_digest(const driver_t * const driver,
++static hal_error_t hash_read_digest(const hal_hash_driver_t * const driver,
+                                     uint8_t *digest,
+                                     const size_t digest_length)
+ {
+   hal_error_t err;
+ 
+   assert(digest != NULL && digest_length % 4 == 0);
+ 
+   if ((err = hal_io_wait_valid(driver->status_addr)) != HAL_OK)
+     return err;
+ 
+   return hal_io_read(driver->digest_addr, digest, digest_length);
+ }
+ 
+ /*
+  * Write hash state back to core.
+  */
+ 
 -static hal_error_t hash_write_digest(const driver_t * const driver,
++static hal_error_t hash_write_digest(const hal_hash_driver_t * const driver,
+                                      const uint8_t * const digest,
+                                      const size_t digest_length)
+ {
+   hal_error_t err;
+ 
+   assert(digest != NULL && digest_length % 4 == 0);
+ 
+   if ((err = hal_io_wait_ready(driver->status_addr)) != HAL_OK)
+     return err;
+ 
+   return hal_io_write(driver->digest_addr, digest, digest_length);
+ }
+ 
+ /*
   * Send one block to a core.
   */
  
@@@ -306,14 -388,9 +388,9 @@@ static hal_error_t hash_write_block(hal
      return err;
  
    ctrl_cmd[0] = ctrl_cmd[1] = ctrl_cmd[2] = 0;
 -  ctrl_cmd[3] = state->block_count == 0 ? CTRL_INIT : CTRL_NEXT;  
 +  ctrl_cmd[3] = state->block_count == 0 ? CTRL_INIT : CTRL_NEXT;
    ctrl_cmd[3] |= state->driver->ctrl_mode;
  
-   /*
-    * Not sure why we're waiting for ready here, but it's what the old
-    * (read: tested) code did, so keep that behavior for now.
-    */
- 
    if ((err = hal_io_write(state->driver->ctrl_addr, ctrl_cmd, sizeof(ctrl_cmd))) != HAL_OK)
      return err;
  
@@@ -481,16 -547,23 +545,22 @@@ hal_error_t hal_hmac_initialize(const h
                                  void *state_buffer, const size_t state_length,
                                  const uint8_t * const key, const size_t key_length)
  {
 -  const driver_t * const driver = check_driver(descriptor);
 -  internal_hmac_state_t *state = state_buffer;
 -  hal_hash_state_t oh;
 +  const hal_hash_driver_t * const driver = check_driver(descriptor);
 +  hal_hmac_state_t *state = state_buffer;
-   hal_hash_state_t *h = NULL;
    hal_error_t err;
    int i;
  
-   if (descriptor == NULL || driver == NULL || state == NULL || state_ == NULL ||
-       state_length < descriptor->hmac_state_length)
 -  if (driver == NULL || opaque_state == NULL)
++  if (descriptor == NULL || driver == NULL || state_ == NULL)
      return HAL_ERROR_BAD_ARGUMENTS;
  
+   if (state_buffer != NULL && state_length < descriptor->hmac_state_length)
+     return HAL_ERROR_BAD_ARGUMENTS;
+ 
+   if (state_buffer == NULL && (state = malloc(descriptor->hmac_state_length)) == NULL)
+     return HAL_ERROR_ALLOCATION_FAILURE;
+ 
 -  internal_hash_state_t *h = &state->hash_state;
++  hal_hash_state_t *h = &state->hash_state;
+ 
    assert(descriptor->block_length <= sizeof(state->keybuf));
  
  #if 0
@@@ -503,9 -576,11 +573,12 @@@
      return HAL_ERROR_UNSUPPORTED_KEY;
  #endif
  
 -  if ((err = hal_hash_initialize(descriptor, &oh, h, sizeof(*h))) != HAL_OK)
 +  if ((err = hal_hash_initialize(descriptor, &h, &state->hash_state,
 +                                 sizeof(state->hash_state))) != HAL_OK)
-     return err;
+     goto fail;
+ 
+   if (state_buffer == NULL)
+     h->flags |= STATE_FLAG_STATE_ALLOCATED;
  
    /*
     * If the supplied HMAC key is longer than the hash block length, we
@@@ -518,11 -593,10 +591,11 @@@
    if (key_length <= descriptor->block_length)
      memcpy(state->keybuf, key, key_length);
  
 -  else if ((err = hal_hash_update(oh, key, key_length))                        != HAL_OK ||
 -           (err = hal_hash_finalize(oh, state->keybuf, sizeof(state->keybuf))) != HAL_OK ||
 -           (err = hal_hash_initialize(descriptor, &oh, h, sizeof(*h)))         != HAL_OK)
 +  else if ((err = hal_hash_update(h, key, key_length))                         != HAL_OK ||
 +           (err = hal_hash_finalize(h, state->keybuf, sizeof(state->keybuf)))  != HAL_OK ||
 +           (err = hal_hash_initialize(descriptor, &h, &state->hash_state,
 +                                      sizeof(state->hash_state)))              != HAL_OK)
-     return err;
+     goto fail;
  
    /*
     * XOR the key with the IPAD value, then start the inner hash.
@@@ -531,8 -605,8 +604,8 @@@
    for (i = 0; i < descriptor->block_length; i++)
      state->keybuf[i] ^= HMAC_IPAD;
  
 -  if ((err = hal_hash_update(oh, state->keybuf, descriptor->block_length)) != HAL_OK)
 +  if ((err = hal_hash_update(h, state->keybuf, descriptor->block_length)) != HAL_OK)
-     return err;
+     goto fail;
  
    /*
     * Prepare the key for the final hash.  Since we just XORed key with
@@@ -550,9 -624,38 +623,38 @@@
     * when the hash cores support such a thing.
     */
  
 -  opaque_state->state = state;
 +  *state_ = state;
  
    return HAL_OK;
+ 
+  fail:
+   if (state_buffer == NULL)
+     free(state);
+   return err;
+ }
+ 
+ /*
+  * Clean up HMAC state.  No-op unless memory was dynamically allocated.
+  */
+ 
 -void hal_hmac_cleanup(hal_hmac_state_t *opaque_state)
++void hal_hmac_cleanup(hal_hmac_state_t **state_)
+ {
 -  if (opaque_state == NULL)
++  if (state_ == NULL)
+     return;
+ 
 -  internal_hmac_state_t *state = opaque_state->state;
++  hal_hmac_state_t *state = *state_;
+ 
+   if (state == NULL)
+     return;
+ 
 -  internal_hash_state_t *h = &state->hash_state;
++  hal_hash_state_t *h = &state->hash_state;
+ 
+   if ((h->flags & STATE_FLAG_STATE_ALLOCATED) == 0)
+     return;
+ 
+   memset(state, 0, h->descriptor->hmac_state_length);
+   free(state);
 -  opaque_state->state = NULL;
++  *state_ = NULL;
  }
  
  /*
diff --cc rsa.c
index b863fdd,2e950b8..3962a74
--- a/rsa.c
+++ b/rsa.c
@@@ -169,22 -164,27 +169,30 @@@ static hal_error_t unpack_fp(const fp_i
   * wrap result back up as a bignum.
   */
  
- static hal_error_t modexp(const fp_int * const msg,
 -static hal_error_t modexp(fp_int *msg, fp_int *exp, fp_int *mod, fp_int *res)
++static hal_error_t modexp(const fp_int * msg,
 +                          const fp_int * const exp,
 +                          const fp_int * const mod,
 +                          fp_int *res)
  {
    hal_error_t err = HAL_OK;
  
    assert(msg != NULL && exp != NULL && mod != NULL && res != NULL);
  
-   const size_t msg_len = fp_unsigned_bin_size(msg);
-   const size_t exp_len = fp_unsigned_bin_size(exp);
-   const size_t mod_len = fp_unsigned_bin_size(mod);
+   fp_int reduced_msg;
  
-   const size_t len = (MAX(MAX(msg_len, exp_len), mod_len) + 3) & ~3;
 -  if (fp_cmp_mag(msg, mod) != FP_LT) {
++  if (fp_cmp_mag(unconst_fp_int(msg), unconst_fp_int(mod)) != FP_LT) {
+     fp_init(&reduced_msg);
 -    fp_mod(msg, mod, &reduced_msg);
++    fp_mod(unconst_fp_int(msg), unconst_fp_int(mod), &reduced_msg);
+     msg = &reduced_msg;
+   }
  
-   uint8_t msgbuf[len], expbuf[len], modbuf[len], resbuf[len];
 -  const size_t exp_len = (fp_unsigned_bin_size(exp) + 3) & ~3;
 -  const size_t mod_len = (fp_unsigned_bin_size(mod) + 3) & ~3;
++  const size_t exp_len = (fp_unsigned_bin_size(unconst_fp_int(exp)) + 3) & ~3;
++  const size_t mod_len = (fp_unsigned_bin_size(unconst_fp_int(mod)) + 3) & ~3;
+ 
+   uint8_t msgbuf[mod_len];
+   uint8_t expbuf[exp_len];
+   uint8_t modbuf[mod_len];
+   uint8_t resbuf[mod_len];
  
    if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
        (err = unpack_fp(exp, expbuf, sizeof(expbuf))) != HAL_OK ||



More information about the Commits mailing list