[Cryptech-Commits] [sw/libhal] 01/04: Merge branch 'modexpng' to 'master'
git at cryptech.is
git at cryptech.is
Wed Mar 4 22:30:00 UTC 2020
This is an automated email from the git hooks/post-receive script.
paul at psgd.org pushed a commit to branch master
in repository sw/libhal.
commit a457bac2404d125726831e1b55fe6c80b41eecd6
Author: Paul Selkirk <paul at psgd.org>
AuthorDate: Wed Feb 26 12:31:27 2020 -0500
Merge branch 'modexpng' to 'master'
---
ks.c | 14 +---------
modexp.c | 11 --------
rpc_pkey.c | 53 ++++---------------------------------
rsa.c | 89 ++++++++++----------------------------------------------------
4 files changed, 20 insertions(+), 147 deletions(-)
diff --git a/ks.c b/ks.c
index 0e6b4ec..72bb0fe 100644
--- a/ks.c
+++ b/ks.c
@@ -41,13 +41,6 @@
#include "hal_internal.h"
#include "ks.h"
-#ifdef DO_TIMING
-#include "stm-dwt.h"
-#else
-#define DWT_start(x)
-#define DWT_stop(x)
-#endif
-
/*
* PIN block gets the all-zeros UUID, which will never be returned by
* the UUID generation code (by definition -- it's not a version 4 UUID).
@@ -676,13 +669,8 @@ hal_error_t hal_ks_fetch(hal_ks_t *ks,
*der_len = der_max;
- DWT_start(DWT_hal_mkm_get_kek);
- if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) == HAL_OK) {
- DWT_stop(DWT_hal_mkm_get_kek);
- DWT_start(DWT_hal_aes_keyunwrap);
+ if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) == HAL_OK)
err = hal_aes_keyunwrap(NULL, kek, kek_len, der, k_der_len, der, der_len);
- DWT_stop(DWT_hal_aes_keyunwrap);
- }
memset(kek, 0, sizeof(kek));
}
diff --git a/modexp.c b/modexp.c
index 8c026df..d8e2904 100644
--- a/modexp.c
+++ b/modexp.c
@@ -48,13 +48,6 @@
#include "hal.h"
#include "hal_internal.h"
-#ifdef DO_TIMING
-#include "stm-dwt.h"
-#else
-#define DWT_start(x) HAL_OK
-#define DWT_stop(x) HAL_OK
-#endif
-
/*
* Whether we want to use the new ModExpNG core.
*/
@@ -313,11 +306,9 @@ hal_error_t hal_modexp(const int precalc, hal_modexp_arg_t *a)
if ((!free_core ||
(err = hal_core_alloc(MODEXPA7_NAME, &a->core, NULL)) == HAL_OK) &&
- (err = DWT_start(DWT_precalc_n)) == HAL_OK &&
(err = setup_precalc(precalc, a)) == HAL_OK &&
(!precalc ||
(err = hal_io_wait_ready(a->core)) == HAL_OK) &&
- (err = DWT_stop(DWT_precalc_n)) == HAL_OK &&
(err = setup_calc(precalc, a)) == HAL_OK &&
(err = hal_io_wait_valid(a->core)) == HAL_OK &&
(err = extract_result(a)) == HAL_OK)
@@ -352,12 +343,10 @@ hal_error_t hal_modexp2(const int precalc, hal_modexp_arg_t *a1, hal_modexp_arg_
if ((!free_core ||
(err = hal_core_alloc2(MODEXPA7_NAME, &a1->core, NULL,
MODEXPA7_NAME, &a2->core, NULL)) == HAL_OK) &&
- (err = DWT_start(DWT_precalc_pq)) == HAL_OK &&
(err = setup_precalc(precalc, a1)) == HAL_OK &&
(err = setup_precalc(precalc, a2)) == HAL_OK &&
(!precalc ||
(err = hal_io_wait_ready2(a1->core, a2->core)) == HAL_OK) &&
- (err = DWT_stop(DWT_precalc_pq)) == HAL_OK &&
(err = setup_calc(precalc, a1)) == HAL_OK &&
(err = setup_calc(precalc, a2)) == HAL_OK &&
(err = hal_io_wait_valid2(a1->core, a2->core)) == HAL_OK &&
diff --git a/rpc_pkey.c b/rpc_pkey.c
index 630bf93..84e506d 100644
--- a/rpc_pkey.c
+++ b/rpc_pkey.c
@@ -49,13 +49,6 @@
static hal_pkey_slot_t pkey_slot[HAL_STATIC_PKEY_STATE_BLOCKS];
#endif
-#ifdef DO_TIMING
-#include "stm-dwt.h"
-#else
-#define DWT_start(x)
-#define DWT_stop(x)
-#endif
-
/*
* Handle allocation is simple: look for an unused (HAL_HANDLE_NONE)
* slot in the table, and, assuming we find one, construct a composite
@@ -454,9 +447,6 @@ static hal_error_t pkey_local_generate_rsa(const hal_client_handle_t client,
uint8_t der[hal_rsa_private_key_to_der_len(key)];
size_t der_len;
-#if 0
- printf("pkey_local_generate_rsa: key_len = %u, der_len = %u\n", key_length, sizeof(der));
-#endif
if ((err = hal_rsa_private_key_to_der(key, der, &der_len, sizeof(der))) == HAL_OK)
err = hal_ks_store(ks_from_flags(flags), slot, der, der_len);
@@ -515,9 +505,6 @@ static hal_error_t pkey_local_generate_ec(const hal_client_handle_t client,
uint8_t der[hal_ecdsa_private_key_to_der_len(key)];
size_t der_len;
-#if 0
- printf("pkey_local_generate_ec: curve = %u, der_len = %u\n", curve, sizeof(der));
-#endif
if ((err = hal_ecdsa_private_key_to_der(key, der, &der_len, sizeof(der))) == HAL_OK)
err = hal_ks_store(ks_from_flags(flags), slot, der, der_len);
@@ -577,9 +564,6 @@ static hal_error_t pkey_local_generate_hashsig(const hal_client_handle_t client,
uint8_t der[hal_hashsig_private_key_to_der_len(key)];
size_t der_len;
-#if 0
- printf("pkey_local_generate_hashsig: hss = %u, lms = %u, lmots = %u, der_len = %u\n", hss_levels, lms_type, lmots_type, sizeof(der));
-#endif
if ((err = hal_hashsig_private_key_to_der(key, der, &der_len, sizeof(der))) == HAL_OK)
err = hal_ks_store(ks_from_flags(flags), slot, der, der_len);
@@ -816,10 +800,7 @@ static hal_error_t pkey_local_sign_rsa(hal_pkey_slot_t *slot,
hal_assert(signature != NULL && signature_len != NULL);
hal_assert((hash.handle == HAL_HANDLE_NONE) != (input == NULL || input_len == 0));
- DWT_start(DWT_hal_rsa_private_key_from_der);
- err = hal_rsa_private_key_from_der(&key, keybuf, keybuf_len, der, der_len);
- DWT_stop(DWT_hal_rsa_private_key_from_der);
- if (err != HAL_OK ||
+ if ((err = hal_rsa_private_key_from_der(&key, keybuf, keybuf_len, der, der_len)) != HAL_OK ||
(err = hal_rsa_key_get_modulus(key, NULL, signature_len, 0)) != HAL_OK)
return err;
@@ -832,30 +813,15 @@ static hal_error_t pkey_local_sign_rsa(hal_pkey_slot_t *slot,
input = signature;
}
- if ((err = pkcs1_5_pad(input, input_len, signature, *signature_len, 0x01)) != HAL_OK)
- return err;
- DWT_start(DWT_hal_rsa_decrypt);
- err = hal_rsa_decrypt(NULL, NULL, key, signature, *signature_len, signature, *signature_len);
- DWT_stop(DWT_hal_rsa_decrypt);
- if (err != HAL_OK)
+ if ((err = pkcs1_5_pad(input, input_len, signature, *signature_len, 0x01)) != HAL_OK ||
+ (err = hal_rsa_decrypt(NULL, NULL, key, signature, *signature_len, signature, *signature_len)) != HAL_OK)
return err;
if (hal_rsa_key_needs_saving(key)) {
uint8_t pkcs8[hal_rsa_private_key_to_der_extra_len(key)];
size_t pkcs8_len = 0;
-#if 0
- printf("pkey_local_sign_rsa: der_len = %u\n", sizeof(pkcs8));
-#endif
if ((err = hal_rsa_private_key_to_der_extra(key, pkcs8, &pkcs8_len, sizeof(pkcs8))) == HAL_OK)
err = hal_ks_rewrite_der(ks_from_flags(slot->flags), slot, pkcs8, pkcs8_len);
-#if 0
- size_t i;
- for (i = 0; i < sizeof(pkcs8); ++i) {
- printf("%02x%c", pkcs8[i], (i & 0x0f) == 0x0f ? '\n' : ' ');
- }
- if (i & 0x0f)
- printf("\n");
-#endif
memset(pkcs8, 0, sizeof(pkcs8));
if (err != HAL_OK)
return err;
@@ -987,15 +953,9 @@ static hal_error_t pkey_local_sign(const hal_pkey_handle_t pkey,
size_t der_len;
hal_error_t err;
- DWT_start(DWT_hal_ks_fetch);
- err = ks_fetch_from_flags(slot, der, &der_len, sizeof(der));
- DWT_stop(DWT_hal_ks_fetch);
- if (err == HAL_OK) {
- DWT_start(DWT_pkey_local_sign_rsa);
+ if ((err = ks_fetch_from_flags(slot, der, &der_len, sizeof(der))) == HAL_OK)
err = signer(slot, keybuf, sizeof(keybuf), der, der_len, hash, input, input_len,
signature, signature_len, signature_max);
- DWT_stop(DWT_pkey_local_sign_rsa);
- }
memset(keybuf, 0, sizeof(keybuf));
memset(der, 0, sizeof(der));
@@ -1476,10 +1436,7 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client,
goto fail;
}
- DWT_start(DWT_hal_rsa_decrypt);
- err = hal_rsa_decrypt(NULL, NULL, rsa, data, data_len, der, data_len);
- DWT_stop(DWT_hal_rsa_decrypt);
- if (err != HAL_OK)
+ if ((err = hal_rsa_decrypt(NULL, NULL, rsa, data, data_len, der, data_len)) != HAL_OK)
goto fail;
if ((err = hal_get_random(NULL, kek, sizeof(kek))) != HAL_OK)
diff --git a/rsa.c b/rsa.c
index 4b90ecc..3adbd49 100644
--- a/rsa.c
+++ b/rsa.c
@@ -77,13 +77,6 @@
#include <tfm.h>
#include "asn1_internal.h"
-#ifdef DO_TIMING
-#include "stm-dwt.h"
-#else
-#define DWT_start(x)
-#define DWT_stop(x)
-#endif
-
/*
* Whether to use ModExp core. It works, but it's painfully slow.
*/
@@ -309,21 +302,13 @@ static hal_error_t modexp(hal_core_t *core,
.mont = mont, .mont_len = mont_len
};
- if (precalc) {
- DWT_start(DWT_precalc_n);
- if ((err = modexpng_precalc(mod, coeff, coeff_len, mont, mont_len)) != HAL_OK)
- goto fail;
- DWT_stop(DWT_precalc_n);
- }
-
- if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
+ if ((precalc &&
+ (err = modexpng_precalc(mod, coeff, coeff_len, mont, mont_len)) != HAL_OK) ||
+ (err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
(err = unpack_fp(exp, expbuf, sizeof(expbuf))) != HAL_OK ||
- (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK)
- goto fail;
- DWT_start(DWT_hal_modexpng_n);
- if ((err = hal_modexpng(&args)) != HAL_OK)
+ (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK ||
+ (err = hal_modexpng(&args)) != HAL_OK)
goto fail;
- DWT_stop(DWT_hal_modexpng_n);
}
else {
hal_modexp_arg_t args = {
@@ -338,12 +323,9 @@ static hal_error_t modexp(hal_core_t *core,
if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
(err = unpack_fp(exp, expbuf, sizeof(expbuf))) != HAL_OK ||
- (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK)
- goto fail;
- DWT_start(DWT_hal_modexp);
- if ((err = hal_modexp(precalc, &args)) != HAL_OK)
+ (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK ||
+ (err = hal_modexp(precalc, &args)) != HAL_OK)
goto fail;
- DWT_stop(DWT_hal_modexp);
}
fp_read_unsigned_bin(res, resbuf, sizeof(resbuf));
@@ -408,18 +390,13 @@ static hal_error_t modexp2(const int precalc,
.mont = mont2, .mont_len = mont2_len
};
- DWT_start(DWT_unpack_fp);
if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
(err = unpack_fp(exp1, expbuf1, sizeof(expbuf1))) != HAL_OK ||
(err = unpack_fp(mod1, modbuf1, sizeof(modbuf1))) != HAL_OK ||
(err = unpack_fp(exp2, expbuf2, sizeof(expbuf2))) != HAL_OK ||
- (err = unpack_fp(mod2, modbuf2, sizeof(modbuf2))) != HAL_OK)
- goto fail;
- DWT_stop(DWT_unpack_fp);
- DWT_start(DWT_hal_modexp2);
- if ((err = hal_modexp2(precalc, &args1, &args2)) != HAL_OK)
+ (err = unpack_fp(mod2, modbuf2, sizeof(modbuf2))) != HAL_OK ||
+ (err = hal_modexp2(precalc, &args1, &args2)) != HAL_OK)
goto fail;
- DWT_stop(DWT_hal_modexp2);
fp_read_unsigned_bin(res1, resbuf1, sizeof(resbuf1));
fp_read_unsigned_bin(res2, resbuf2, sizeof(resbuf2));
@@ -450,19 +427,15 @@ static hal_error_t modexpng(hal_core_t *core,
return HAL_ERROR_IMPOSSIBLE;
if (!(key->flags & RSA_FLAG_PRECALC_N_DONE)) {
- DWT_start(DWT_precalc_n);
if ((err = modexpng_precalc(key->n, key->nC, sizeof(key->nC), key->nF, sizeof(key->nF))) != HAL_OK)
return err;
- DWT_stop(DWT_precalc_n);
key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_NEEDS_SAVING;
}
if (key->p && !(key->flags & RSA_FLAG_PRECALC_PQ_DONE)) {
- DWT_start(DWT_precalc_pq);
if ((err = modexpng_precalc(key->p, key->pC, sizeof(key->pC), key->pF, sizeof(key->pF))) != HAL_OK ||
(err = modexpng_precalc(key->q, key->qC, sizeof(key->qC), key->qF, sizeof(key->qF))) != HAL_OK)
return err;
- DWT_stop(DWT_precalc_pq);
key->flags |= RSA_FLAG_PRECALC_PQ_DONE | RSA_FLAG_NEEDS_SAVING;
}
@@ -504,7 +477,6 @@ static hal_error_t modexpng(hal_core_t *core,
.ubf = ubf_buf, .ubf_len = sizeof(ubf_buf),
};
- DWT_start(DWT_unpack_fp);
if (bf) {
if ((err = unpack_fp(bf, bf_buf, sizeof(bf_buf))) != HAL_OK ||
(err = unpack_fp(ubf, ubf_buf, sizeof(ubf_buf))) != HAL_OK)
@@ -523,13 +495,9 @@ static hal_error_t modexpng(hal_core_t *core,
(err = unpack_fp(key->q, q_buf, sizeof(q_buf))) != HAL_OK ||
(err = unpack_fp(key->u, u_buf, sizeof(u_buf))) != HAL_OK ||
(err = unpack_fp(key->dP, dP_buf, sizeof(dP_buf))) != HAL_OK ||
- (err = unpack_fp(key->dQ, dQ_buf, sizeof(dQ_buf))) != HAL_OK)
- goto fail;
- DWT_stop(DWT_unpack_fp);
- DWT_start(DWT_hal_modexpng);
- if ((err = hal_modexpng(&args)) != HAL_OK)
+ (err = unpack_fp(key->dQ, dQ_buf, sizeof(dQ_buf))) != HAL_OK ||
+ (err = hal_modexpng(&args)) != HAL_OK)
goto fail;
- DWT_stop(DWT_hal_modexpng);
fp_read_unsigned_bin(res, resbuf, sizeof(resbuf));
/* we do the blinding factor mutation in create_blinding_factors,
@@ -688,21 +656,17 @@ static hal_error_t create_blinding_factors(hal_rsa_key_t *key, fp_int *bf, fp_in
}
#endif
- DWT_start(DWT_hal_get_random);
if ((err = hal_get_random(NULL, rnd, sizeof(rnd))) != HAL_OK)
goto fail;
- DWT_stop(DWT_hal_get_random);
fp_init(bf);
fp_read_unsigned_bin(bf, rnd, sizeof(rnd));
fp_copy(bf, ubf);
/* bf = ubf ** e mod n */
- DWT_start(DWT_modexp);
if ((err = modexp(NULL, precalc, bf, key->e, key->n, bf,
key->nC, sizeof(key->nC), key->nF, sizeof(key->nF))) != HAL_OK)
goto fail;
- DWT_stop(DWT_modexp);
if (precalc)
key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_NEEDS_SAVING;
@@ -740,20 +704,12 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
if (hal_modexp_using_modexpng()) {
if (blinding) {
- DWT_start(DWT_create_blinding_factors);
if ((err = create_blinding_factors(key, bf, ubf)) != HAL_OK)
return err;
- DWT_stop(DWT_create_blinding_factors);
- DWT_start(DWT_modexpng);
- err = modexpng(core1, msg, key, bf, ubf, sig);
- DWT_stop(DWT_modexpng);
- return err;
+ return modexpng(core1, msg, key, bf, ubf, sig);
}
else {
- DWT_start(DWT_modexpng);
- err = modexpng(core1, msg, key, NULL, NULL, sig);
- DWT_stop(DWT_modexpng);
- return err;
+ return modexpng(core1, msg, key, NULL, NULL, sig);
}
}
@@ -766,26 +722,20 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
* Handle blinding if requested.
*/
if (blinding) {
- DWT_start(DWT_create_blinding_factors);
if ((err = create_blinding_factors(key, bf, ubf)) != HAL_OK)
goto fail;
- DWT_stop(DWT_create_blinding_factors);
/* msg = (msg * bf) % modulus */
- DWT_start(DWT_blind_message);
FP_CHECK(fp_mulmod(msg, bf, unconst_fp_int(key->n), msg));
- DWT_stop(DWT_blind_message);
}
/*
* m1 = msg ** dP mod p
* m2 = msg ** dQ mod q
*/
- DWT_start(DWT_modexp2);
if ((err = modexp2(precalc, msg,
core1, key->dP, key->p, m1, key->pC, sizeof(key->pC), key->pF, sizeof(key->pF),
core2, key->dQ, key->q, m2, key->qC, sizeof(key->qC), key->qF, sizeof(key->qF))) != HAL_OK)
goto fail;
- DWT_stop(DWT_modexp2);
if (precalc)
key->flags |= RSA_FLAG_PRECALC_PQ_DONE | RSA_FLAG_NEEDS_SAVING;
@@ -817,11 +767,8 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
* Unblind if necessary.
*/
/* sig = (sig * ubf) % modulus */
- if (blinding) {
- DWT_restart(DWT_blind_message);
+ if (blinding)
FP_CHECK(fp_mulmod(sig, ubf, unconst_fp_int(key->n), sig));
- DWT_stop(DWT_blind_message);
- }
fail:
fp_zero(t);
@@ -895,18 +842,14 @@ hal_error_t hal_rsa_decrypt(hal_core_t *core1,
*/
if (do_crt && !fp_iszero(key->p) && !fp_iszero(key->q) && !fp_iszero(key->u) &&
!fp_iszero(key->dP) && !fp_iszero(key->dQ)) {
- DWT_start(DWT_rsa_crt);
err = rsa_crt(core1, core2, key, i, o);
- DWT_stop(DWT_rsa_crt);
}
else {
const int precalc = !(key->flags & RSA_FLAG_PRECALC_N_DONE);
/* o = i ** d % n */
- DWT_start(DWT_modexp);
err = modexp(core1, precalc, i, key->d, key->n, o, key->nC, sizeof(key->nC),
key->nF, sizeof(key->nF));
- DWT_stop(DWT_modexp);
if (err == HAL_OK && precalc)
key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_NEEDS_SAVING;
}
@@ -1240,14 +1183,10 @@ hal_error_t hal_rsa_key_gen(hal_core_t *core,
#if 0
if (hal_modexp_using_modexpng()) {
- DWT_start(DWT_precalc_n);
modexpng_precalc(key->n, key->nC, sizeof(key->nC), key->nF, sizeof(key->nF));
- DWT_stop(DWT_precalc_n);
- DWT_start(DWT_precalc_pq);
modexpng_precalc(key->p, key->pC, sizeof(key->pC), key->pF, sizeof(key->pF));
modexpng_precalc(key->q, key->qC, sizeof(key->qC), key->qF, sizeof(key->qF));
key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_PRECALC_PQ_DONE;
- DWT_stop(DWT_precalc_pq);
}
#endif
More information about the Commits
mailing list