[crypto] Pass hash digests by value.

Signed-off-by: Jade Philipoom <[email protected]>
lowRISC · Jan 25, 2024 · 277faab · 277faab
1 parent 02cf30e
commit 277faab
Show file tree

Hide file tree

Showing 26 changed files with 182 additions and 186 deletions.
diff --git a/sw/device/lib/crypto/impl/ecc.c b/sw/device/lib/crypto/impl/ecc.c
@@ -25,7 +25,7 @@ otcrypto_status_t otcrypto_ecdsa_keygen(
 
 otcrypto_status_t otcrypto_ecdsa_sign(
     const otcrypto_blinded_key_t *private_key,
-    const otcrypto_hash_digest_t *message_digest,
+    const otcrypto_hash_digest_t message_digest,
     const otcrypto_ecc_curve_t *elliptic_curve,
     otcrypto_word32_buf_t signature) {
   HARDENED_TRY(otcrypto_ecdsa_sign_async_start(private_key, message_digest,
@@ -35,7 +35,7 @@ otcrypto_status_t otcrypto_ecdsa_sign(
 
 otcrypto_status_t otcrypto_ecdsa_verify(
     const otcrypto_unblinded_key_t *public_key,
-    const otcrypto_hash_digest_t *message_digest,
+    const otcrypto_hash_digest_t message_digest,
     otcrypto_const_word32_buf_t signature,
     const otcrypto_ecc_curve_t *elliptic_curve,
     hardened_bool_t *verification_result) {
@@ -326,12 +326,12 @@ otcrypto_status_t otcrypto_ecdsa_keygen_async_finalize(
  */
 static status_t internal_ecdsa_p256_sign_start(
     const otcrypto_blinded_key_t *private_key,
-    const otcrypto_hash_digest_t *message_digest) {
+    const otcrypto_hash_digest_t message_digest) {
   // Check the digest length.
-  if (launder32(message_digest->len) != kP256ScalarWords) {
+  if (launder32(message_digest.len) != kP256ScalarWords) {
     return OTCRYPTO_BAD_ARGS;
   }
-  HARDENED_CHECK_EQ(message_digest->len, kP256ScalarWords);
+  HARDENED_CHECK_EQ(message_digest.len, kP256ScalarWords);
 
   // Check the key length.
   HARDENED_TRY(p256_private_key_length_check(private_key));
@@ -340,12 +340,12 @@ static status_t internal_ecdsa_p256_sign_start(
     // Start the asynchronous signature-generation routine.
     HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
     p256_masked_scalar_t *sk = (p256_masked_scalar_t *)private_key->keyblob;
-    return ecdsa_p256_sign_start(message_digest->data, sk);
+    return ecdsa_p256_sign_start(message_digest.data, sk);
   } else if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
     // Load the key and start in sideloaded-key mode.
     HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
     HARDENED_TRY(sideload_key_seed(private_key));
-    return ecdsa_p256_sideload_sign_start(message_digest->data);
+    return ecdsa_p256_sideload_sign_start(message_digest.data);
   }
 
   // Invalid value for private_key->hw_backed.
@@ -354,11 +354,10 @@ static status_t internal_ecdsa_p256_sign_start(
 
 otcrypto_status_t otcrypto_ecdsa_sign_async_start(
     const otcrypto_blinded_key_t *private_key,
-    const otcrypto_hash_digest_t *message_digest,
+    const otcrypto_hash_digest_t message_digest,
     const otcrypto_ecc_curve_t *elliptic_curve) {
   if (private_key == NULL || private_key->keyblob == NULL ||
-      elliptic_curve == NULL || message_digest == NULL ||
-      message_digest->data == NULL) {
+      elliptic_curve == NULL || message_digest.data == NULL) {
     return OTCRYPTO_BAD_ARGS;
   }
 
@@ -465,34 +464,33 @@ otcrypto_status_t otcrypto_ecdsa_sign_async_finalize(
  */
 static status_t internal_ecdsa_p256_verify_start(
     const otcrypto_unblinded_key_t *public_key,
-    const otcrypto_hash_digest_t *message_digest,
+    const otcrypto_hash_digest_t message_digest,
     otcrypto_const_word32_buf_t signature) {
   // Check the public key size.
   HARDENED_TRY(p256_public_key_length_check(public_key));
   p256_point_t *pk = (p256_point_t *)public_key->key;
 
   // Check the digest length.
-  if (launder32(message_digest->len) != kP256ScalarWords) {
+  if (launder32(message_digest.len) != kP256ScalarWords) {
     return OTCRYPTO_BAD_ARGS;
   }
-  HARDENED_CHECK_EQ(message_digest->len, kP256ScalarWords);
+  HARDENED_CHECK_EQ(message_digest.len, kP256ScalarWords);
 
   // Check the signature lengths.
   HARDENED_TRY(p256_signature_length_check(signature.len));
   ecdsa_p256_signature_t *sig = (ecdsa_p256_signature_t *)signature.data;
 
   // Start the asynchronous signature-verification routine.
-  return ecdsa_p256_verify_start(sig, message_digest->data, pk);
+  return ecdsa_p256_verify_start(sig, message_digest.data, pk);
 }
 
 otcrypto_status_t otcrypto_ecdsa_verify_async_start(
     const otcrypto_unblinded_key_t *public_key,
-    const otcrypto_hash_digest_t *message_digest,
+    const otcrypto_hash_digest_t message_digest,
     otcrypto_const_word32_buf_t signature,
     const otcrypto_ecc_curve_t *elliptic_curve) {
   if (public_key == NULL || elliptic_curve == NULL || signature.data == NULL ||
-      message_digest == NULL || message_digest->data == NULL ||
-      public_key->key == NULL) {
+      message_digest.data == NULL || public_key->key == NULL) {
     return OTCRYPTO_BAD_ARGS;
   }
 

diff --git a/sw/device/lib/crypto/impl/hash.c b/sw/device/lib/crypto/impl/hash.c
@@ -139,35 +139,35 @@ static void sha512_state_restore(const otcrypto_hash_context_t *restrict ctx,
  * @return Error status.
  */
 OT_WARN_UNUSED_RESULT
-static status_t check_digest_len(otcrypto_hash_digest_t *digest) {
-  switch (launder32(digest->mode)) {
+static status_t check_digest_len(otcrypto_hash_digest_t digest) {
+  switch (launder32(digest.mode)) {
     case kOtcryptoHashModeSha3_224:
-      if (launder32(digest->len) == (224 / 32)) {
-        HARDENED_CHECK_EQ(digest->len * sizeof(uint32_t) * 8, 224);
+      if (launder32(digest.len) == (224 / 32)) {
+        HARDENED_CHECK_EQ(digest.len * sizeof(uint32_t) * 8, 224);
         return OTCRYPTO_OK;
       }
       return OTCRYPTO_BAD_ARGS;
     case kOtcryptoHashModeSha256:
       OT_FALLTHROUGH_INTENDED;
     case kOtcryptoHashModeSha3_256:
-      if (launder32(digest->len) == (256 / 32)) {
-        HARDENED_CHECK_EQ(digest->len * sizeof(uint32_t) * 8, 256);
+      if (launder32(digest.len) == (256 / 32)) {
+        HARDENED_CHECK_EQ(digest.len * sizeof(uint32_t) * 8, 256);
         return OTCRYPTO_OK;
       }
       return OTCRYPTO_BAD_ARGS;
     case kOtcryptoHashModeSha384:
       OT_FALLTHROUGH_INTENDED;
     case kOtcryptoHashModeSha3_384:
-      if (launder32(digest->len) == (384 / 32)) {
-        HARDENED_CHECK_EQ(digest->len * sizeof(uint32_t) * 8, 384);
+      if (launder32(digest.len) == (384 / 32)) {
+        HARDENED_CHECK_EQ(digest.len * sizeof(uint32_t) * 8, 384);
         return OTCRYPTO_OK;
       }
       return OTCRYPTO_BAD_ARGS;
     case kOtcryptoHashModeSha512:
       OT_FALLTHROUGH_INTENDED;
     case kOtcryptoHashModeSha3_512:
-      if (launder32(digest->len) == (512 / 32)) {
-        HARDENED_CHECK_EQ(digest->len * sizeof(uint32_t) * 8, 512);
+      if (launder32(digest.len) == (512 / 32)) {
+        HARDENED_CHECK_EQ(digest.len * sizeof(uint32_t) * 8, 512);
         return OTCRYPTO_OK;
       }
       return OTCRYPTO_BAD_ARGS;
@@ -187,9 +187,9 @@ static status_t check_digest_len(otcrypto_hash_digest_t *digest) {
  */
 OT_WARN_UNUSED_RESULT
 static status_t hmac_sha256(otcrypto_const_byte_buf_t message,
-                            otcrypto_hash_digest_t *digest) {
-  HARDENED_CHECK_EQ(digest->len, kHmacDigestNumWords);
-  HARDENED_CHECK_EQ(digest->mode, kOtcryptoHashModeSha256);
+                            otcrypto_hash_digest_t digest) {
+  HARDENED_CHECK_EQ(digest.len, kHmacDigestNumWords);
+  HARDENED_CHECK_EQ(digest.mode, kOtcryptoHashModeSha256);
 
   // Initialize the hardware.
   hmac_sha_init();
@@ -200,40 +200,40 @@ static status_t hmac_sha256(otcrypto_const_byte_buf_t message,
   // Retrieve the digest and copy it to the destination buffer.
   hmac_digest_t hmac_digest;
   hmac_final(&hmac_digest);
-  hardened_memcpy(digest->data, hmac_digest.digest, kHmacDigestNumWords);
+  hardened_memcpy(digest.data, hmac_digest.digest, kHmacDigestNumWords);
 
   return OTCRYPTO_OK;
 }
 
 otcrypto_status_t otcrypto_hash(otcrypto_const_byte_buf_t input_message,
-                                otcrypto_hash_digest_t *digest) {
+                                otcrypto_hash_digest_t digest) {
   if (input_message.data == NULL && input_message.len != 0) {
     return OTCRYPTO_BAD_ARGS;
   }
 
-  if (digest == NULL || digest->data == NULL) {
+  if (digest.data == NULL) {
     return OTCRYPTO_BAD_ARGS;
   }
 
   // Check that digest length and mode match.
   HARDENED_TRY(check_digest_len(digest));
 
-  switch (digest->mode) {
+  switch (digest.mode) {
     case kOtcryptoHashModeSha3_224:
-      return kmac_sha3_224(input_message.data, input_message.len, digest->data);
+      return kmac_sha3_224(input_message.data, input_message.len, digest.data);
     case kOtcryptoHashModeSha3_256:
-      return kmac_sha3_256(input_message.data, input_message.len, digest->data);
+      return kmac_sha3_256(input_message.data, input_message.len, digest.data);
     case kOtcryptoHashModeSha3_384:
-      return kmac_sha3_384(input_message.data, input_message.len, digest->data);
+      return kmac_sha3_384(input_message.data, input_message.len, digest.data);
     case kOtcryptoHashModeSha3_512:
-      return kmac_sha3_512(input_message.data, input_message.len, digest->data);
+      return kmac_sha3_512(input_message.data, input_message.len, digest.data);
     case kOtcryptoHashModeSha256:
       // Call the HMAC block driver in SHA-256 mode.
       return hmac_sha256(input_message, digest);
     case kOtcryptoHashModeSha384:
-      return sha384(input_message.data, input_message.len, digest->data);
+      return sha384(input_message.data, input_message.len, digest.data);
     case kOtcryptoHashModeSha512:
-      return sha512(input_message.data, input_message.len, digest->data);
+      return sha512(input_message.data, input_message.len, digest.data);
     default:
       // Invalid hash mode.
       return OTCRYPTO_BAD_ARGS;
@@ -245,14 +245,14 @@ otcrypto_status_t otcrypto_hash(otcrypto_const_byte_buf_t input_message,
 }
 
 otcrypto_status_t otcrypto_xof_shake(otcrypto_const_byte_buf_t input_message,
-                                     otcrypto_hash_digest_t *digest) {
-  switch (digest->mode) {
+                                     otcrypto_hash_digest_t digest) {
+  switch (digest.mode) {
     case kOtcryptoHashXofModeShake128:
-      return kmac_shake_128(input_message.data, input_message.len, digest->data,
-                            digest->len);
+      return kmac_shake_128(input_message.data, input_message.len, digest.data,
+                            digest.len);
     case kOtcryptoHashXofModeShake256:
-      return kmac_shake_256(input_message.data, input_message.len, digest->data,
-                            digest->len);
+      return kmac_shake_256(input_message.data, input_message.len, digest.data,
+                            digest.len);
     default:
       return OTCRYPTO_BAD_ARGS;
   }
@@ -266,34 +266,34 @@ otcrypto_status_t otcrypto_xof_cshake(
     otcrypto_const_byte_buf_t input_message,
     otcrypto_const_byte_buf_t function_name_string,
     otcrypto_const_byte_buf_t customization_string,
-    otcrypto_hash_digest_t *digest) {
+    otcrypto_hash_digest_t digest) {
   // According to NIST SP 800-185 Section 3.2, cSHAKE call should use SHAKE, if
   // both `customization_string` and `function_name_string` are empty string
   if (customization_string.len == 0 && function_name_string.len == 0) {
-    switch (digest->mode) {
+    switch (digest.mode) {
       case kOtcryptoHashXofModeCshake128:
         return kmac_shake_128(input_message.data, input_message.len,
-                              digest->data, digest->len);
+                              digest.data, digest.len);
       case kOtcryptoHashXofModeCshake256:
         return kmac_shake_256(input_message.data, input_message.len,
-                              digest->data, digest->len);
+                              digest.data, digest.len);
       default:
         return OTCRYPTO_BAD_ARGS;
     }
   }
 
-  switch (digest->mode) {
+  switch (digest.mode) {
     case kOtcryptoHashXofModeCshake128:
       return kmac_cshake_128(
           input_message.data, input_message.len, function_name_string.data,
           function_name_string.len, customization_string.data,
-          customization_string.len, digest->data, digest->len);
+          customization_string.len, digest.data, digest.len);
       break;
     case kOtcryptoHashXofModeCshake256:
       return kmac_cshake_256(
           input_message.data, input_message.len, function_name_string.data,
           function_name_string.len, customization_string.data,
-          customization_string.len, digest->data, digest->len);
+          customization_string.len, digest.data, digest.len);
     default:
       return OTCRYPTO_BAD_ARGS;
   }
@@ -378,34 +378,34 @@ otcrypto_status_t otcrypto_hash_update(
 }
 
 otcrypto_status_t otcrypto_hash_final(otcrypto_hash_context_t *const ctx,
-                                      otcrypto_hash_digest_t *digest) {
-  if (ctx == NULL || digest == NULL || digest->data == NULL) {
+                                      otcrypto_hash_digest_t digest) {
+  if (ctx == NULL || digest.data == NULL) {
     return OTCRYPTO_BAD_ARGS;
   }
 
   // Check that digest length and mode are consistent.
   HARDENED_TRY(check_digest_len(digest));
-  if (ctx->mode != digest->mode) {
+  if (ctx->mode != digest.mode) {
     return OTCRYPTO_BAD_ARGS;
   }
 
   switch (ctx->mode) {
     case kOtcryptoHashModeSha256: {
       sha256_state_t state;
       sha256_state_restore(ctx, &state);
-      HARDENED_TRY(sha256_final(&state, digest->data));
+      HARDENED_TRY(sha256_final(&state, digest.data));
       break;
     }
     case kOtcryptoHashModeSha384: {
       sha384_state_t state;
       sha384_state_restore(ctx, &state);
-      HARDENED_TRY(sha384_final(&state, digest->data));
+      HARDENED_TRY(sha384_final(&state, digest.data));
       break;
     }
     case kOtcryptoHashModeSha512: {
       sha512_state_t state;
       sha512_state_restore(ctx, &state);
-      HARDENED_TRY(sha512_final(&state, digest->data));
+      HARDENED_TRY(sha512_final(&state, digest.data));
       break;
     }
     default:

diff --git a/sw/device/lib/crypto/impl/mac.c b/sw/device/lib/crypto/impl/mac.c
@@ -193,7 +193,7 @@ otcrypto_status_t otcrypto_hmac_init(otcrypto_hmac_context_t *ctx,
             .len = key->config.key_length,
             .data = (unsigned char *)unmasked_key,
         },
-        &key_digest));
+        key_digest));
   }
 
   // Compute (K0 ^ ipad).
@@ -249,7 +249,7 @@ otcrypto_status_t otcrypto_hmac_final(otcrypto_hmac_context_t *const ctx,
 
   // Finalize the computation of the inner hash = H(K0 ^ ipad || message) and
   // store it in `tag` temporarily.
-  HARDENED_TRY(otcrypto_hash_final(&ctx->inner, &digest_buf));
+  HARDENED_TRY(otcrypto_hash_final(&ctx->inner, digest_buf));
 
   // Finalize the computation of the outer hash
   //    = H(K0 ^ opad || H(K0 ^ ipad || message)).
@@ -258,5 +258,5 @@ otcrypto_status_t otcrypto_hmac_final(otcrypto_hmac_context_t *const ctx,
       (otcrypto_const_byte_buf_t){.len = sizeof(uint32_t) * tag.len,
                                   .data = (unsigned char *)tag.data}));
 
-  return otcrypto_hash_final(&ctx->outer, &digest_buf);
+  return otcrypto_hash_final(&ctx->outer, digest_buf);
 }
diff --git a/sw/device/lib/crypto/impl/rsa.c b/sw/device/lib/crypto/impl/rsa.c
@@ -289,18 +289,18 @@ otcrypto_status_t otcrypto_rsa_keypair_from_cofactor(
   return OTCRYPTO_OK;
 }
 
-otcrypto_status_t otcrypto_rsa_sign(
-    const otcrypto_blinded_key_t *private_key,
-    const otcrypto_hash_digest_t *message_digest,
-    otcrypto_rsa_padding_t padding_mode, otcrypto_word32_buf_t signature) {
+otcrypto_status_t otcrypto_rsa_sign(const otcrypto_blinded_key_t *private_key,
+                                    const otcrypto_hash_digest_t message_digest,
+                                    otcrypto_rsa_padding_t padding_mode,
+                                    otcrypto_word32_buf_t signature) {
   HARDENED_TRY(
       otcrypto_rsa_sign_async_start(private_key, message_digest, padding_mode));
   return otcrypto_rsa_sign_async_finalize(signature);
 }
 
 otcrypto_status_t otcrypto_rsa_verify(
     const otcrypto_unblinded_key_t *public_key,
-    const otcrypto_hash_digest_t *message_digest,
+    const otcrypto_hash_digest_t message_digest,
     otcrypto_rsa_padding_t padding_mode, otcrypto_const_word32_buf_t signature,
     hardened_bool_t *verification_result) {
   HARDENED_TRY(otcrypto_rsa_verify_async_start(public_key, signature));
@@ -612,11 +612,11 @@ static status_t key_mode_padding_check(otcrypto_key_mode_t key_mode,
 
 otcrypto_status_t otcrypto_rsa_sign_async_start(
     const otcrypto_blinded_key_t *private_key,
-    const otcrypto_hash_digest_t *message_digest,
+    const otcrypto_hash_digest_t message_digest,
     otcrypto_rsa_padding_t padding_mode) {
   // Check for NULL pointers.
-  if (message_digest == NULL || message_digest->data == NULL ||
-      private_key == NULL || private_key->keyblob == NULL) {
+  if (message_digest.data == NULL || private_key == NULL ||
+      private_key->keyblob == NULL) {
     return OTCRYPTO_BAD_ARGS;
   }
 
@@ -751,11 +751,10 @@ otcrypto_status_t otcrypto_rsa_verify_async_start(
 }
 
 otcrypto_status_t otcrypto_rsa_verify_async_finalize(
-    const otcrypto_hash_digest_t *message_digest,
+    const otcrypto_hash_digest_t message_digest,
     otcrypto_rsa_padding_t padding_mode, hardened_bool_t *verification_result) {
   // Check for NULL pointers.
-  if (message_digest == NULL || message_digest->data == NULL ||
-      verification_result == NULL) {
+  if (message_digest.data == NULL || verification_result == NULL) {
     return OTCRYPTO_BAD_ARGS;
   }