From 8a0a0cc06b70cb81d947661b249cbf726b528ec2 Mon Sep 17 00:00:00 2001 From: Jade Philipoom Date: Mon, 15 Jan 2024 19:15:08 +0100 Subject: [PATCH 1/4] [crypto] Pass word and byte buffers by value always. Since word/byte buffers are structs containing only a pointer and a length, there is no need to make them pointers when they are return values, and this makes the API a little more ergonomic. Signed-off-by: Jade Philipoom --- sw/device/lib/crypto/impl/aes.c | 73 +++++++++---------- sw/device/lib/crypto/impl/drbg.c | 17 ++--- sw/device/lib/crypto/impl/kdf.c | 4 +- sw/device/lib/crypto/impl/key_transport.c | 24 +++--- sw/device/lib/crypto/impl/mac.c | 28 ++++--- sw/device/lib/crypto/impl/rsa.c | 40 +++++----- sw/device/lib/crypto/include/aes.h | 14 ++-- sw/device/lib/crypto/include/drbg.h | 4 +- sw/device/lib/crypto/include/key_transport.h | 4 +- sw/device/lib/crypto/include/mac.h | 6 +- sw/device/lib/crypto/include/rsa.h | 12 +-- sw/device/tests/crypto/aes_gcm_testutils.c | 10 +-- sw/device/tests/crypto/aes_kwp_functest.c | 2 +- .../tests/crypto/aes_kwp_sideload_functest.c | 2 +- sw/device/tests/crypto/drbg_functest.c | 6 +- sw/device/tests/crypto/hmac_sha256_functest.c | 2 +- sw/device/tests/crypto/hmac_sha384_functest.c | 2 +- sw/device/tests/crypto/hmac_sha512_functest.c | 2 +- sw/device/tests/crypto/kmac_functest.c | 2 +- .../crypto/rsa_2048_encryption_functest.c | 4 +- .../tests/crypto/rsa_2048_keygen_functest.c | 2 +- .../crypto/rsa_2048_signature_functest.c | 2 +- .../tests/crypto/rsa_3072_keygen_functest.c | 2 +- .../crypto/rsa_3072_signature_functest.c | 2 +- .../tests/crypto/rsa_4096_keygen_functest.c | 2 +- .../crypto/rsa_4096_signature_functest.c | 2 +- 26 files changed, 131 insertions(+), 139 deletions(-) diff --git a/sw/device/lib/crypto/impl/aes.c b/sw/device/lib/crypto/impl/aes.c index df5a109377523..0d6419c522b6d 100644 --- a/sw/device/lib/crypto/impl/aes.c +++ b/sw/device/lib/crypto/impl/aes.c @@ -574,31 +574,30 @@ otcrypto_status_t otcrypto_aes_gcm_encrypt(const otcrypto_blinded_key_t *key, otcrypto_const_word32_buf_t iv, otcrypto_const_byte_buf_t aad, otcrypto_aes_gcm_tag_len_t tag_len, - otcrypto_byte_buf_t *ciphertext, - otcrypto_word32_buf_t *auth_tag) { + otcrypto_byte_buf_t ciphertext, + otcrypto_word32_buf_t auth_tag) { // Check for NULL pointers in input pointers and required-nonzero-length data // buffers. - if (key == NULL || iv.data == NULL || ciphertext == NULL || - auth_tag == NULL || auth_tag->data == NULL) { + if (key == NULL || iv.data == NULL || auth_tag.data == NULL) { return OTCRYPTO_BAD_ARGS; } // Conditionally check for null pointers in data buffers that may be // 0-length. if ((aad.len != 0 && aad.data == NULL) || - (ciphertext->len != 0 && ciphertext->data == NULL) || + (ciphertext.len != 0 && ciphertext.data == NULL) || (plaintext.len != 0 && plaintext.data == NULL)) { return OTCRYPTO_BAD_ARGS; } // Ensure the plaintext and ciphertext lengths match. - if (launder32(ciphertext->len) != plaintext.len) { + if (launder32(ciphertext.len) != plaintext.len) { return OTCRYPTO_BAD_ARGS; } - HARDENED_CHECK_EQ(ciphertext->len, plaintext.len); + HARDENED_CHECK_EQ(ciphertext.len, plaintext.len); // Check the tag length. - HARDENED_TRY(aes_gcm_check_tag_length(auth_tag->len, tag_len)); + HARDENED_TRY(aes_gcm_check_tag_length(auth_tag.len, tag_len)); // Construct the AES key. aes_key_t aes_key; @@ -607,8 +606,8 @@ otcrypto_status_t otcrypto_aes_gcm_encrypt(const otcrypto_blinded_key_t *key, // Call the core encryption operation. HARDENED_TRY(aes_gcm_encrypt(aes_key, iv.len, iv.data, plaintext.len, - plaintext.data, aad.len, aad.data, auth_tag->len, - auth_tag->data, ciphertext->data)); + plaintext.data, aad.len, aad.data, auth_tag.len, + auth_tag.data, ciphertext.data)); HARDENED_TRY(clear_key_if_sideloaded(aes_key)); return OTCRYPTO_OK; @@ -618,11 +617,10 @@ otcrypto_status_t otcrypto_aes_gcm_decrypt( const otcrypto_blinded_key_t *key, otcrypto_const_byte_buf_t ciphertext, otcrypto_const_word32_buf_t iv, otcrypto_const_byte_buf_t aad, otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_const_word32_buf_t auth_tag, - otcrypto_byte_buf_t *plaintext, hardened_bool_t *success) { + otcrypto_byte_buf_t plaintext, hardened_bool_t *success) { // Check for NULL pointers in input pointers and required-nonzero-length data // buffers. - if (key == NULL || iv.data == NULL || plaintext == NULL || - auth_tag.data == NULL) { + if (key == NULL || iv.data == NULL || auth_tag.data == NULL) { return OTCRYPTO_BAD_ARGS; } @@ -630,7 +628,7 @@ otcrypto_status_t otcrypto_aes_gcm_decrypt( // 0-length. if ((aad.len != 0 && aad.data == NULL) || (ciphertext.len != 0 && ciphertext.data == NULL) || - (plaintext->len != 0 && plaintext->data == NULL)) { + (plaintext.len != 0 && plaintext.data == NULL)) { return OTCRYPTO_BAD_ARGS; } @@ -640,10 +638,10 @@ otcrypto_status_t otcrypto_aes_gcm_decrypt( HARDENED_TRY(load_key_if_sideloaded(aes_key)); // Ensure the plaintext and ciphertext lengths match. - if (launder32(ciphertext.len) != plaintext->len) { + if (launder32(ciphertext.len) != plaintext.len) { return OTCRYPTO_BAD_ARGS; } - HARDENED_CHECK_EQ(ciphertext.len, plaintext->len); + HARDENED_CHECK_EQ(ciphertext.len, plaintext.len); // Check the tag length. HARDENED_TRY(aes_gcm_check_tag_length(auth_tag.len, tag_len)); @@ -651,7 +649,7 @@ otcrypto_status_t otcrypto_aes_gcm_decrypt( // Call the core decryption operation. HARDENED_TRY(aes_gcm_decrypt(aes_key, iv.len, iv.data, ciphertext.len, ciphertext.data, aad.len, aad.data, auth_tag.len, - auth_tag.data, plaintext->data, success)); + auth_tag.data, plaintext.data, success)); HARDENED_TRY(clear_key_if_sideloaded(aes_key)); return OTCRYPTO_OK; @@ -770,19 +768,19 @@ otcrypto_status_t otcrypto_aes_gcm_update_encrypted_data( otcrypto_status_t otcrypto_aes_gcm_encrypt_final( otcrypto_aes_gcm_context_t *ctx, otcrypto_aes_gcm_tag_len_t tag_len, - otcrypto_byte_buf_t *ciphertext, size_t *ciphertext_bytes_written, - otcrypto_word32_buf_t *auth_tag) { - if (ctx == NULL || ciphertext == NULL || ciphertext_bytes_written == NULL || - auth_tag == NULL || auth_tag->data == NULL) { + otcrypto_byte_buf_t ciphertext, size_t *ciphertext_bytes_written, + otcrypto_word32_buf_t auth_tag) { + if (ctx == NULL || ciphertext_bytes_written == NULL || + auth_tag.data == NULL) { return OTCRYPTO_BAD_ARGS; } - if (ciphertext->len != 0 && ciphertext->data == NULL) { + if (ciphertext.len != 0 && ciphertext.data == NULL) { return OTCRYPTO_BAD_ARGS; } *ciphertext_bytes_written = 0; // Check the tag length. - HARDENED_TRY(aes_gcm_check_tag_length(auth_tag->len, tag_len)); + HARDENED_TRY(aes_gcm_check_tag_length(auth_tag.len, tag_len)); // Restore the AES-GCM context object and load the key if needed. aes_gcm_context_t internal_ctx; @@ -792,14 +790,14 @@ otcrypto_status_t otcrypto_aes_gcm_encrypt_final( // If the partial block is nonempty, the output must be at least as long as // the partial block. size_t partial_block_len = internal_ctx.input_len % kAesBlockNumBytes; - if (ciphertext->len < partial_block_len) { + if (ciphertext.len < partial_block_len) { return OTCRYPTO_BAD_ARGS; } // Call the internal final operation. - HARDENED_TRY(aes_gcm_encrypt_final(&internal_ctx, auth_tag->len, - auth_tag->data, ciphertext_bytes_written, - ciphertext->data)); + HARDENED_TRY(aes_gcm_encrypt_final(&internal_ctx, auth_tag.len, auth_tag.data, + ciphertext_bytes_written, + ciphertext.data)); // Clear the context and the key if needed. hardened_memshred(ctx->data, ARRAYSIZE(ctx->data)); @@ -809,13 +807,13 @@ otcrypto_status_t otcrypto_aes_gcm_encrypt_final( otcrypto_status_t otcrypto_aes_gcm_decrypt_final( otcrypto_aes_gcm_context_t *ctx, otcrypto_const_word32_buf_t auth_tag, - otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_byte_buf_t *plaintext, + otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_byte_buf_t plaintext, size_t *plaintext_bytes_written, hardened_bool_t *success) { - if (ctx == NULL || plaintext == NULL || plaintext_bytes_written == NULL || - auth_tag.data == NULL || success == NULL) { + if (ctx == NULL || plaintext_bytes_written == NULL || auth_tag.data == NULL || + success == NULL) { return OTCRYPTO_BAD_ARGS; } - if (plaintext->len != 0 && plaintext->data == NULL) { + if (plaintext.len != 0 && plaintext.data == NULL) { return OTCRYPTO_BAD_ARGS; } *plaintext_bytes_written = 0; @@ -832,13 +830,13 @@ otcrypto_status_t otcrypto_aes_gcm_decrypt_final( // If the partial block is nonempty, the output must be at least as long as // the partial block. size_t partial_block_len = internal_ctx.input_len % kAesBlockNumBytes; - if (plaintext->len < partial_block_len) { + if (plaintext.len < partial_block_len) { return OTCRYPTO_BAD_ARGS; } // Call the internal final operation. HARDENED_TRY(aes_gcm_decrypt_final(&internal_ctx, auth_tag.len, auth_tag.data, - plaintext_bytes_written, plaintext->data, + plaintext_bytes_written, plaintext.data, success)); // Clear the context and the key if needed. @@ -925,10 +923,9 @@ static status_t aes_kwp_key_construct(const otcrypto_blinded_key_t *key_kek, otcrypto_status_t otcrypto_aes_kwp_wrap( const otcrypto_blinded_key_t *key_to_wrap, - const otcrypto_blinded_key_t *key_kek, otcrypto_word32_buf_t *wrapped_key) { + const otcrypto_blinded_key_t *key_kek, otcrypto_word32_buf_t wrapped_key) { if (key_to_wrap == NULL || key_to_wrap->keyblob == NULL || key_kek == NULL || - key_kek->keyblob == NULL || wrapped_key == NULL || - wrapped_key->data == NULL) { + key_kek->keyblob == NULL || wrapped_key.data == NULL) { return OTCRYPTO_BAD_ARGS; } @@ -943,7 +940,7 @@ otcrypto_status_t otcrypto_aes_kwp_wrap( // Check the length of the output buffer. size_t exp_len; HARDENED_TRY(otcrypto_aes_kwp_wrapped_len(key_to_wrap->config, &exp_len)); - if (wrapped_key->len != exp_len) { + if (wrapped_key.len != exp_len) { return OTCRYPTO_BAD_ARGS; } @@ -975,7 +972,7 @@ otcrypto_status_t otcrypto_aes_kwp_wrap( keyblob_words); // Wrap the key. - return aes_kwp_wrap(kek, plaintext, sizeof(plaintext), wrapped_key->data); + return aes_kwp_wrap(kek, plaintext, sizeof(plaintext), wrapped_key.data); } otcrypto_status_t otcrypto_aes_kwp_unwrap( diff --git a/sw/device/lib/crypto/impl/drbg.c b/sw/device/lib/crypto/impl/drbg.c index bd9410b187459..a6d7db4b7aef3 100644 --- a/sw/device/lib/crypto/impl/drbg.c +++ b/sw/device/lib/crypto/impl/drbg.c @@ -168,37 +168,34 @@ otcrypto_status_t otcrypto_drbg_manual_reseed( */ static otcrypto_status_t generate(hardened_bool_t fips_check, otcrypto_const_byte_buf_t additional_input, - otcrypto_word32_buf_t *drbg_output) { - if (drbg_output == NULL) { - return OTCRYPTO_BAD_ARGS; - } - if (drbg_output->len == 0) { + otcrypto_word32_buf_t drbg_output) { + if (drbg_output.len == 0) { // Nothing to do. return OTCRYPTO_OK; } if ((additional_input.len != 0 && additional_input.data == NULL) || - drbg_output->data == NULL) { + drbg_output.data == NULL) { return OTCRYPTO_BAD_ARGS; } entropy_seed_material_t seed_material; seed_material_construct(additional_input, &seed_material); - HARDENED_TRY(entropy_csrng_generate(&seed_material, drbg_output->data, - drbg_output->len, fips_check)); + HARDENED_TRY(entropy_csrng_generate(&seed_material, drbg_output.data, + drbg_output.len, fips_check)); return OTCRYPTO_OK; } otcrypto_status_t otcrypto_drbg_generate( otcrypto_const_byte_buf_t additional_input, - otcrypto_word32_buf_t *drbg_output) { + otcrypto_word32_buf_t drbg_output) { return generate(/*fips_check=*/kHardenedBoolTrue, additional_input, drbg_output); } otcrypto_status_t otcrypto_drbg_manual_generate( otcrypto_const_byte_buf_t additional_input, - otcrypto_word32_buf_t *drbg_output) { + otcrypto_word32_buf_t drbg_output) { return generate(/*fips_check=*/kHardenedBoolFalse, additional_input, drbg_output); } diff --git a/sw/device/lib/crypto/impl/kdf.c b/sw/device/lib/crypto/impl/kdf.c index 66acd0402fb52..454ebc52a2f67 100644 --- a/sw/device/lib/crypto/impl/kdf.c +++ b/sw/device/lib/crypto/impl/kdf.c @@ -216,7 +216,7 @@ otcrypto_status_t otcrypto_kdf_hkdf_extract(const otcrypto_blinded_key_t ikm, // Call HMAC(salt, IKM). uint32_t tag_data[digest_words]; otcrypto_word32_buf_t tag = {.data = tag_data, .len = ARRAYSIZE(tag_data)}; - HARDENED_TRY(otcrypto_hmac(&salt_key, unmasked_ikm, &tag)); + HARDENED_TRY(otcrypto_hmac(&salt_key, unmasked_ikm, tag)); // Construct the blinded keyblob for PRK (with an all-zero mask for now // because HMAC is unhardened anyway). @@ -303,7 +303,7 @@ otcrypto_status_t otcrypto_kdf_hkdf_expand(const otcrypto_blinded_key_t prk, .data = t_data, .len = digest_words, }; - HARDENED_TRY(otcrypto_hmac_final(&ctx, &t_words)); + HARDENED_TRY(otcrypto_hmac_final(&ctx, t_words)); } // Generate a mask (all-zero for now, since HMAC is unhardened anyway). diff --git a/sw/device/lib/crypto/impl/key_transport.c b/sw/device/lib/crypto/impl/key_transport.c index 996d6fd5dae72..09235247313a5 100644 --- a/sw/device/lib/crypto/impl/key_transport.c +++ b/sw/device/lib/crypto/impl/key_transport.c @@ -46,8 +46,8 @@ otcrypto_status_t otcrypto_symmetric_keygen( // Generate each share of the key independently. HARDENED_TRY(otcrypto_drbg_instantiate(perso_string)); - HARDENED_TRY(otcrypto_drbg_generate(empty, &share0_buf)); - HARDENED_TRY(otcrypto_drbg_generate(empty, &share1_buf)); + HARDENED_TRY(otcrypto_drbg_generate(empty, share0_buf)); + HARDENED_TRY(otcrypto_drbg_generate(empty, share1_buf)); // Populate the checksum and return. key->checksum = integrity_blinded_checksum(key); @@ -123,10 +123,10 @@ otcrypto_status_t otcrypto_import_blinded_key( } otcrypto_status_t otcrypto_export_blinded_key( - const otcrypto_blinded_key_t blinded_key, otcrypto_word32_buf_t *key_share0, - otcrypto_word32_buf_t *key_share1) { - if (blinded_key.keyblob == NULL || key_share0 == NULL || key_share1 == NULL || - key_share0->data == NULL || key_share1->data == NULL) { + const otcrypto_blinded_key_t blinded_key, otcrypto_word32_buf_t key_share0, + otcrypto_word32_buf_t key_share1) { + if (blinded_key.keyblob == NULL || key_share0.data == NULL || + key_share1.data == NULL) { return OTCRYPTO_BAD_ARGS; } @@ -149,13 +149,13 @@ otcrypto_status_t otcrypto_export_blinded_key( // Check the lengths of the shares. size_t share_words = launder32(keyblob_share_num_words(blinded_key.config)); - if (launder32(key_share0->len) != share_words || - launder32(key_share1->len) != share_words) { + if (launder32(key_share0.len) != share_words || + launder32(key_share1.len) != share_words) { return OTCRYPTO_BAD_ARGS; } - HARDENED_CHECK_EQ(key_share0->len, + HARDENED_CHECK_EQ(key_share0.len, keyblob_share_num_words(blinded_key.config)); - HARDENED_CHECK_EQ(key_share1->len, + HARDENED_CHECK_EQ(key_share1.len, keyblob_share_num_words(blinded_key.config)); // Check the length of the keyblob. @@ -172,7 +172,7 @@ otcrypto_status_t otcrypto_export_blinded_key( uint32_t *keyblob_share1; HARDENED_TRY( keyblob_to_shares(&blinded_key, &keyblob_share0, &keyblob_share1)); - hardened_memcpy(key_share0->data, keyblob_share0, key_share0->len); - hardened_memcpy(key_share1->data, keyblob_share1, key_share1->len); + hardened_memcpy(key_share0.data, keyblob_share0, key_share0.len); + hardened_memcpy(key_share1.data, keyblob_share1, key_share1.len); return OTCRYPTO_OK; } diff --git a/sw/device/lib/crypto/impl/mac.c b/sw/device/lib/crypto/impl/mac.c index 9466834fd1c37..f77405528161c 100644 --- a/sw/device/lib/crypto/impl/mac.c +++ b/sw/device/lib/crypto/impl/mac.c @@ -20,7 +20,7 @@ OT_WARN_UNUSED_RESULT otcrypto_status_t otcrypto_hmac(const otcrypto_blinded_key_t *key, otcrypto_const_byte_buf_t input_message, - otcrypto_word32_buf_t *tag) { + otcrypto_word32_buf_t tag) { // Compute HMAC using the streaming API. otcrypto_hmac_context_t ctx; HARDENED_TRY(otcrypto_hmac_init(&ctx, key)); @@ -34,11 +34,11 @@ otcrypto_status_t otcrypto_kmac(const otcrypto_blinded_key_t *key, otcrypto_kmac_mode_t kmac_mode, otcrypto_const_byte_buf_t customization_string, size_t required_output_len, - otcrypto_word32_buf_t *tag) { + otcrypto_word32_buf_t tag) { // TODO (#16410) Revisit/complete error checks // Check for null pointers. - if (key == NULL || key->keyblob == NULL || tag == NULL || tag->data == NULL) { + if (key == NULL || key->keyblob == NULL || tag.data == NULL) { return OTCRYPTO_BAD_ARGS; } @@ -53,8 +53,8 @@ otcrypto_status_t otcrypto_kmac(const otcrypto_blinded_key_t *key, } // Ensure that the output will fit in the tag buffer. - if (required_output_len > tag->len * sizeof(uint32_t) || - tag->len > SIZE_MAX / sizeof(uint32_t)) { + if (required_output_len > tag.len * sizeof(uint32_t) || + tag.len > SIZE_MAX / sizeof(uint32_t)) { return OTCRYPTO_BAD_ARGS; } @@ -85,8 +85,7 @@ otcrypto_status_t otcrypto_kmac(const otcrypto_blinded_key_t *key, } HARDENED_TRY(kmac_kmac_128(&kmac_key, input_message.data, input_message.len, customization_string.data, - customization_string.len, tag->data, - tag->len)); + customization_string.len, tag.data, tag.len)); break; case kOtcryptoKmacModeKmac256: // Check `key_mode` matches `mac_mode` @@ -96,8 +95,7 @@ otcrypto_status_t otcrypto_kmac(const otcrypto_blinded_key_t *key, HARDENED_TRY(kmac_kmac_256(&kmac_key, input_message.data, input_message.len, customization_string.data, - customization_string.len, tag->data, - tag->len)); + customization_string.len, tag.data, tag.len)); break; default: return OTCRYPTO_BAD_ARGS; @@ -237,16 +235,16 @@ otcrypto_status_t otcrypto_hmac_update( } otcrypto_status_t otcrypto_hmac_final(otcrypto_hmac_context_t *const ctx, - otcrypto_word32_buf_t *tag) { - if (ctx == NULL || tag == NULL || tag->data == NULL) { + otcrypto_word32_buf_t tag) { + if (ctx == NULL || tag.data == NULL) { return OTCRYPTO_BAD_ARGS; } // Create digest buffer that points to the tag. otcrypto_hash_digest_t digest_buf = { .mode = ctx->inner.mode, - .len = tag->len, - .data = tag->data, + .len = tag.len, + .data = tag.data, }; // Finalize the computation of the inner hash = H(K0 ^ ipad || message) and @@ -257,8 +255,8 @@ otcrypto_status_t otcrypto_hmac_final(otcrypto_hmac_context_t *const ctx, // = H(K0 ^ opad || H(K0 ^ ipad || message)). HARDENED_TRY(otcrypto_hash_update( &ctx->outer, - (otcrypto_const_byte_buf_t){.len = sizeof(uint32_t) * tag->len, - .data = (unsigned char *)tag->data})); + (otcrypto_const_byte_buf_t){.len = sizeof(uint32_t) * tag.len, + .data = (unsigned char *)tag.data})); return otcrypto_hash_final(&ctx->outer, &digest_buf); } diff --git a/sw/device/lib/crypto/impl/rsa.c b/sw/device/lib/crypto/impl/rsa.c index 7dfd7736494d0..0c602382854e7 100644 --- a/sw/device/lib/crypto/impl/rsa.c +++ b/sw/device/lib/crypto/impl/rsa.c @@ -292,7 +292,7 @@ otcrypto_status_t otcrypto_rsa_keypair_from_cofactor( otcrypto_status_t otcrypto_rsa_sign( const otcrypto_blinded_key_t *private_key, const otcrypto_hash_digest_t *message_digest, - otcrypto_rsa_padding_t padding_mode, otcrypto_word32_buf_t *signature) { + otcrypto_rsa_padding_t padding_mode, otcrypto_word32_buf_t signature) { HARDENED_TRY( otcrypto_rsa_sign_async_start(private_key, message_digest, padding_mode)); return otcrypto_rsa_sign_async_finalize(signature); @@ -311,7 +311,7 @@ otcrypto_status_t otcrypto_rsa_verify( otcrypto_status_t otcrypto_rsa_encrypt( const otcrypto_unblinded_key_t *public_key, const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t message, - otcrypto_const_byte_buf_t label, otcrypto_word32_buf_t *ciphertext) { + otcrypto_const_byte_buf_t label, otcrypto_word32_buf_t ciphertext) { HARDENED_TRY( otcrypto_rsa_encrypt_async_start(public_key, hash_mode, message, label)); return otcrypto_rsa_encrypt_async_finalize(ciphertext); @@ -321,7 +321,7 @@ otcrypto_status_t otcrypto_rsa_decrypt( const otcrypto_blinded_key_t *private_key, const otcrypto_hash_mode_t hash_mode, otcrypto_const_word32_buf_t ciphertext, otcrypto_const_byte_buf_t label, - otcrypto_byte_buf_t *plaintext) { + otcrypto_byte_buf_t plaintext) { HARDENED_TRY(otcrypto_rsa_decrypt_async_start(private_key, ciphertext)); return otcrypto_rsa_decrypt_async_finalize(hash_mode, label, plaintext); } @@ -668,23 +668,23 @@ otcrypto_status_t otcrypto_rsa_sign_async_start( } otcrypto_status_t otcrypto_rsa_sign_async_finalize( - otcrypto_word32_buf_t *signature) { + otcrypto_word32_buf_t signature) { // Check for NULL pointers. - if (signature == NULL || signature->data == NULL) { + if (signature.data == NULL) { return OTCRYPTO_BAD_ARGS; } // Determine the size based on the signature buffer length. - switch (signature->len) { + switch (signature.len) { case kRsa2048NumWords: return rsa_signature_generate_2048_finalize( - (rsa_2048_int_t *)signature->data); + (rsa_2048_int_t *)signature.data); case kRsa3072NumWords: return rsa_signature_generate_3072_finalize( - (rsa_3072_int_t *)signature->data); + (rsa_3072_int_t *)signature.data); case kRsa4096NumWords: return rsa_signature_generate_4096_finalize( - (rsa_4096_int_t *)signature->data); + (rsa_4096_int_t *)signature.data); default: return OTCRYPTO_BAD_ARGS; } @@ -838,17 +838,17 @@ otcrypto_status_t otcrypto_rsa_encrypt_async_start( } otcrypto_status_t otcrypto_rsa_encrypt_async_finalize( - otcrypto_word32_buf_t *ciphertext) { + otcrypto_word32_buf_t ciphertext) { // Check for NULL pointers. - if (ciphertext == NULL || ciphertext->data == NULL) { + if (ciphertext.data == NULL) { return OTCRYPTO_BAD_ARGS; } - switch (launder32(ciphertext->len)) { + switch (launder32(ciphertext.len)) { case kRsa2048NumWords: { - HARDENED_CHECK_EQ(ciphertext->len * sizeof(uint32_t), + HARDENED_CHECK_EQ(ciphertext.len * sizeof(uint32_t), sizeof(rsa_2048_int_t)); - rsa_2048_int_t *ctext = (rsa_2048_int_t *)ciphertext->data; + rsa_2048_int_t *ctext = (rsa_2048_int_t *)ciphertext.data; return rsa_encrypt_2048_finalize(ctext); } case kRsa3072NumWords: { @@ -952,8 +952,8 @@ otcrypto_status_t otcrypto_rsa_decrypt_async_start( otcrypto_status_t otcrypto_rsa_decrypt_async_finalize( const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t label, - otcrypto_byte_buf_t *plaintext) { - if (plaintext == NULL || plaintext->data == NULL || label.data == NULL) { + otcrypto_byte_buf_t plaintext) { + if (plaintext.data == NULL || label.data == NULL) { return OTCRYPTO_BAD_ARGS; } @@ -961,16 +961,16 @@ otcrypto_status_t otcrypto_rsa_decrypt_async_finalize( // from OTBN. size_t actual_plaintext_len; HARDENED_TRY(rsa_decrypt_finalize(hash_mode, label.data, label.len, - plaintext->len, plaintext->data, + plaintext.len, plaintext.data, &actual_plaintext_len)); // Consistency check; this should never happen. - if (launder32(actual_plaintext_len) >= plaintext->len) { + if (launder32(actual_plaintext_len) >= plaintext.len) { HARDENED_TRAP(); return OTCRYPTO_FATAL_ERR; } - HARDENED_CHECK_LE(actual_plaintext_len, plaintext->len); + HARDENED_CHECK_LE(actual_plaintext_len, plaintext.len); - plaintext->len = actual_plaintext_len; + plaintext.len = actual_plaintext_len; return OTCRYPTO_OK; } diff --git a/sw/device/lib/crypto/include/aes.h b/sw/device/lib/crypto/include/aes.h index 717929012fb9a..9f7f47caf75fa 100644 --- a/sw/device/lib/crypto/include/aes.h +++ b/sw/device/lib/crypto/include/aes.h @@ -165,8 +165,8 @@ otcrypto_status_t otcrypto_aes_gcm_encrypt(const otcrypto_blinded_key_t *key, otcrypto_const_word32_buf_t iv, otcrypto_const_byte_buf_t aad, otcrypto_aes_gcm_tag_len_t tag_len, - otcrypto_byte_buf_t *ciphertext, - otcrypto_word32_buf_t *auth_tag); + otcrypto_byte_buf_t ciphertext, + otcrypto_word32_buf_t auth_tag); /** * Performs the AES-GCM authenticated decryption operation. @@ -199,7 +199,7 @@ otcrypto_status_t otcrypto_aes_gcm_decrypt( const otcrypto_blinded_key_t *key, otcrypto_const_byte_buf_t ciphertext, otcrypto_const_word32_buf_t iv, otcrypto_const_byte_buf_t aad, otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_const_word32_buf_t auth_tag, - otcrypto_byte_buf_t *plaintext, hardened_bool_t *success); + otcrypto_byte_buf_t plaintext, hardened_bool_t *success); /** * Initializes the AES-GCM authenticated encryption operation. @@ -318,8 +318,8 @@ otcrypto_status_t otcrypto_aes_gcm_update_encrypted_data( */ otcrypto_status_t otcrypto_aes_gcm_encrypt_final( otcrypto_aes_gcm_context_t *ctx, otcrypto_aes_gcm_tag_len_t tag_len, - otcrypto_byte_buf_t *ciphertext, size_t *ciphertext_bytes_written, - otcrypto_word32_buf_t *auth_tag); + otcrypto_byte_buf_t ciphertext, size_t *ciphertext_bytes_written, + otcrypto_word32_buf_t auth_tag); /** * Finishes the AES-GCM authenticated decryption operation. @@ -346,7 +346,7 @@ otcrypto_status_t otcrypto_aes_gcm_encrypt_final( */ otcrypto_status_t otcrypto_aes_gcm_decrypt_final( otcrypto_aes_gcm_context_t *ctx, otcrypto_const_word32_buf_t auth_tag, - otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_byte_buf_t *plaintext, + otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_byte_buf_t plaintext, size_t *plaintext_bytes_written, hardened_bool_t *success); /** @@ -379,7 +379,7 @@ otcrypto_status_t otcrypto_aes_kwp_wrapped_len( */ otcrypto_status_t otcrypto_aes_kwp_wrap( const otcrypto_blinded_key_t *key_to_wrap, - const otcrypto_blinded_key_t *key_kek, otcrypto_word32_buf_t *wrapped_key); + const otcrypto_blinded_key_t *key_kek, otcrypto_word32_buf_t wrapped_key); /** * Performs the cryptographic key unwrapping operation. diff --git a/sw/device/lib/crypto/include/drbg.h b/sw/device/lib/crypto/include/drbg.h index 2dc0313bd5c6a..d6ac49f093088 100644 --- a/sw/device/lib/crypto/include/drbg.h +++ b/sw/device/lib/crypto/include/drbg.h @@ -96,7 +96,7 @@ otcrypto_status_t otcrypto_drbg_manual_reseed( */ otcrypto_status_t otcrypto_drbg_generate( otcrypto_const_byte_buf_t additional_input, - otcrypto_word32_buf_t *drbg_output); + otcrypto_word32_buf_t drbg_output); /** * DRBG function for generating random bits. @@ -118,7 +118,7 @@ otcrypto_status_t otcrypto_drbg_generate( */ otcrypto_status_t otcrypto_drbg_manual_generate( otcrypto_const_byte_buf_t additional_input, - otcrypto_word32_buf_t *drbg_output); + otcrypto_word32_buf_t drbg_output); /** * Uninstantiates DRBG and clears the context. diff --git a/sw/device/lib/crypto/include/key_transport.h b/sw/device/lib/crypto/include/key_transport.h index 1999f15b348ff..c74eb1a29bc72 100644 --- a/sw/device/lib/crypto/include/key_transport.h +++ b/sw/device/lib/crypto/include/key_transport.h @@ -113,8 +113,8 @@ otcrypto_status_t otcrypto_import_blinded_key( * @return Result of the blinded key export operation. */ otcrypto_status_t otcrypto_export_blinded_key( - const otcrypto_blinded_key_t blinded_key, otcrypto_word32_buf_t *key_share0, - otcrypto_word32_buf_t *key_share1); + const otcrypto_blinded_key_t blinded_key, otcrypto_word32_buf_t key_share0, + otcrypto_word32_buf_t key_share1); #ifdef __cplusplus } // extern "C" diff --git a/sw/device/lib/crypto/include/mac.h b/sw/device/lib/crypto/include/mac.h index 705c0d4353bf7..1d036aad3f707 100644 --- a/sw/device/lib/crypto/include/mac.h +++ b/sw/device/lib/crypto/include/mac.h @@ -61,7 +61,7 @@ typedef struct otcrypto_hmac_context { */ otcrypto_status_t otcrypto_hmac(const otcrypto_blinded_key_t *key, otcrypto_const_byte_buf_t input_message, - otcrypto_word32_buf_t *tag); + otcrypto_word32_buf_t tag); /** * Performs the KMAC function on the input data. @@ -90,7 +90,7 @@ otcrypto_status_t otcrypto_kmac(const otcrypto_blinded_key_t *key, otcrypto_kmac_mode_t kmac_mode, otcrypto_const_byte_buf_t customization_string, size_t required_output_len, - otcrypto_word32_buf_t *tag); + otcrypto_word32_buf_t tag); /** * Performs the INIT operation for HMAC. @@ -143,7 +143,7 @@ otcrypto_status_t otcrypto_hmac_update(otcrypto_hmac_context_t *const ctx, * @return Result of the HMAC final operation. */ otcrypto_status_t otcrypto_hmac_final(otcrypto_hmac_context_t *const ctx, - otcrypto_word32_buf_t *tag); + otcrypto_word32_buf_t tag); #ifdef __cplusplus } // extern "C" diff --git a/sw/device/lib/crypto/include/rsa.h b/sw/device/lib/crypto/include/rsa.h index dacc9292d2170..ed13b198d49ee 100644 --- a/sw/device/lib/crypto/include/rsa.h +++ b/sw/device/lib/crypto/include/rsa.h @@ -177,7 +177,7 @@ otcrypto_status_t otcrypto_rsa_keypair_from_cofactor( otcrypto_status_t otcrypto_rsa_sign( const otcrypto_blinded_key_t *private_key, const otcrypto_hash_digest_t *message_digest, - otcrypto_rsa_padding_t padding_mode, otcrypto_word32_buf_t *signature); + otcrypto_rsa_padding_t padding_mode, otcrypto_word32_buf_t signature); /** * Verifies the authenticity of the input signature. @@ -233,7 +233,7 @@ otcrypto_status_t otcrypto_rsa_verify( otcrypto_status_t otcrypto_rsa_encrypt( const otcrypto_unblinded_key_t *public_key, const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t message, - otcrypto_const_byte_buf_t label, otcrypto_word32_buf_t *ciphertext); + otcrypto_const_byte_buf_t label, otcrypto_word32_buf_t ciphertext); /** * Decrypts a message with RSA. @@ -269,7 +269,7 @@ otcrypto_status_t otcrypto_rsa_decrypt( const otcrypto_blinded_key_t *private_key, const otcrypto_hash_mode_t hash_mode, otcrypto_const_word32_buf_t ciphertext, otcrypto_const_byte_buf_t label, - otcrypto_byte_buf_t *plaintext); + otcrypto_byte_buf_t plaintext); /** * Starts the asynchronous RSA key generation function. * @@ -356,7 +356,7 @@ otcrypto_status_t otcrypto_rsa_sign_async_start( * @return Result of async RSA sign finalize operation. */ otcrypto_status_t otcrypto_rsa_sign_async_finalize( - otcrypto_word32_buf_t *signature); + otcrypto_word32_buf_t signature); /** * Starts the asynchronous signature verification function. @@ -417,7 +417,7 @@ otcrypto_status_t otcrypto_rsa_encrypt_async_start( * @return The result of the RSA encryption operation. */ otcrypto_status_t otcrypto_rsa_encrypt_async_finalize( - otcrypto_word32_buf_t *ciphertext); + otcrypto_word32_buf_t ciphertext); /** * Starts the asynchronous decryption function. @@ -446,7 +446,7 @@ otcrypto_status_t otcrypto_rsa_decrypt_async_start( */ otcrypto_status_t otcrypto_rsa_decrypt_async_finalize( const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t label, - otcrypto_byte_buf_t *plaintext); + otcrypto_byte_buf_t plaintext); #ifdef __cplusplus } // extern "C" diff --git a/sw/device/tests/crypto/aes_gcm_testutils.c b/sw/device/tests/crypto/aes_gcm_testutils.c index 03bb4ac4e948d..4c08fe56a7467 100644 --- a/sw/device/tests/crypto/aes_gcm_testutils.c +++ b/sw/device/tests/crypto/aes_gcm_testutils.c @@ -192,14 +192,14 @@ status_t aes_gcm_testutils_encrypt(const aes_gcm_test_t *test, bool streaming, .data = actual_ciphertext.data + ciphertext_bytes_written, .len = test->plaintext_len - ciphertext_bytes_written, }; - TRY(otcrypto_aes_gcm_encrypt_final(&ctx, tag_len, &final_ciphertext, - &ciphertext_bytes_written, &actual_tag)); + TRY(otcrypto_aes_gcm_encrypt_final(&ctx, tag_len, final_ciphertext, + &ciphertext_bytes_written, actual_tag)); *cycles = profile_end(t_start); } else { // Call encrypt() with a cycle count timing profile. uint64_t t_start = profile_start(); otcrypto_status_t err = otcrypto_aes_gcm_encrypt( - &key, plaintext, iv, aad, tag_len, &actual_ciphertext, &actual_tag); + &key, plaintext, iv, aad, tag_len, actual_ciphertext, actual_tag); *cycles = profile_end(t_start); // Check for errors. @@ -290,7 +290,7 @@ status_t aes_gcm_testutils_decrypt(const aes_gcm_test_t *test, .len = actual_plaintext.len - plaintext_bytes_written, }; size_t final_plaintext_bytes_written; - TRY(otcrypto_aes_gcm_decrypt_final(&ctx, tag, tag_len, &final_plaintext, + TRY(otcrypto_aes_gcm_decrypt_final(&ctx, tag, tag_len, final_plaintext, &final_plaintext_bytes_written, tag_valid)); *cycles = profile_end(t_start); @@ -299,7 +299,7 @@ status_t aes_gcm_testutils_decrypt(const aes_gcm_test_t *test, icache_invalidate(); uint64_t t_start = profile_start(); otcrypto_status_t err = otcrypto_aes_gcm_decrypt( - &key, ciphertext, iv, aad, tag_len, tag, &actual_plaintext, tag_valid); + &key, ciphertext, iv, aad, tag_len, tag, actual_plaintext, tag_valid); *cycles = profile_end(t_start); icache_invalidate(); diff --git a/sw/device/tests/crypto/aes_kwp_functest.c b/sw/device/tests/crypto/aes_kwp_functest.c index df52735adeaab..8d5ddc721d080 100644 --- a/sw/device/tests/crypto/aes_kwp_functest.c +++ b/sw/device/tests/crypto/aes_kwp_functest.c @@ -39,7 +39,7 @@ static status_t run_wrap_unwrap(const otcrypto_blinded_key_t *key_to_wrap, .data = wrapped_key_data, .len = ARRAYSIZE(wrapped_key_data), }; - TRY(otcrypto_aes_kwp_wrap(key_to_wrap, key_kek, &wrapped_key)); + TRY(otcrypto_aes_kwp_wrap(key_to_wrap, key_kek, wrapped_key)); // Unwrap the key. hardened_bool_t success; diff --git a/sw/device/tests/crypto/aes_kwp_sideload_functest.c b/sw/device/tests/crypto/aes_kwp_sideload_functest.c index fc55eca130eb3..7ac2d3a006398 100644 --- a/sw/device/tests/crypto/aes_kwp_sideload_functest.c +++ b/sw/device/tests/crypto/aes_kwp_sideload_functest.c @@ -49,7 +49,7 @@ static status_t run_wrap_unwrap(const otcrypto_blinded_key_t *key_to_wrap, .data = wrapped_key_data, .len = ARRAYSIZE(wrapped_key_data), }; - TRY(otcrypto_aes_kwp_wrap(key_to_wrap, key_kek, &wrapped_key)); + TRY(otcrypto_aes_kwp_wrap(key_to_wrap, key_kek, wrapped_key)); // Unwrap the key. hardened_bool_t success; diff --git a/sw/device/tests/crypto/drbg_functest.c b/sw/device/tests/crypto/drbg_functest.c index b788c635bfa47..fefc376bbb3ad 100644 --- a/sw/device/tests/crypto/drbg_functest.c +++ b/sw/device/tests/crypto/drbg_functest.c @@ -49,10 +49,10 @@ static status_t kat_test(void) { // Generate output twice. LOG_INFO("Generating..."); TRY(otcrypto_drbg_manual_generate(/*additional_input=*/kEmptyBuffer, - &actual_output)); + actual_output)); LOG_INFO("Generating again..."); TRY(otcrypto_drbg_manual_generate(/*additional_input=*/kEmptyBuffer, - &actual_output)); + actual_output)); // Compare second result to expected output. TRY_CHECK_ARRAYS_EQ(kExpOutput, actual_output_words, ARRAYSIZE(kExpOutput)); @@ -71,7 +71,7 @@ static status_t random_test(void) { .data = output_data, .len = ARRAYSIZE(output_data), }; - TRY(otcrypto_drbg_generate(/*additional_input=*/kEmptyBuffer, &output)); + TRY(otcrypto_drbg_generate(/*additional_input=*/kEmptyBuffer, output)); // Run a basic randomness-quality check on the output. return randomness_quality_monobit_test( diff --git a/sw/device/tests/crypto/hmac_sha256_functest.c b/sw/device/tests/crypto/hmac_sha256_functest.c index 50a9e3e5390d2..2a62e43d0fad3 100644 --- a/sw/device/tests/crypto/hmac_sha256_functest.c +++ b/sw/device/tests/crypto/hmac_sha256_functest.c @@ -79,7 +79,7 @@ static status_t run_test(const uint32_t *key, size_t key_len, .len = ARRAYSIZE(act_tag), }; - TRY(otcrypto_hmac(&blinded_key, msg, &tag_buf)); + TRY(otcrypto_hmac(&blinded_key, msg, tag_buf)); TRY_CHECK_ARRAYS_EQ(act_tag, exp_tag, kTagLenWords); return OK_STATUS(); } diff --git a/sw/device/tests/crypto/hmac_sha384_functest.c b/sw/device/tests/crypto/hmac_sha384_functest.c index 29b7ff8085854..e44fe59b8c1fe 100644 --- a/sw/device/tests/crypto/hmac_sha384_functest.c +++ b/sw/device/tests/crypto/hmac_sha384_functest.c @@ -84,7 +84,7 @@ static status_t run_test(const uint32_t *key, size_t key_len, .len = ARRAYSIZE(act_tag), }; - TRY(otcrypto_hmac(&blinded_key, msg, &tag_buf)); + TRY(otcrypto_hmac(&blinded_key, msg, tag_buf)); TRY_CHECK_ARRAYS_EQ(act_tag, exp_tag, kTagLenWords); return OK_STATUS(); } diff --git a/sw/device/tests/crypto/hmac_sha512_functest.c b/sw/device/tests/crypto/hmac_sha512_functest.c index 542ee79d6bc56..16797181d1235 100644 --- a/sw/device/tests/crypto/hmac_sha512_functest.c +++ b/sw/device/tests/crypto/hmac_sha512_functest.c @@ -87,7 +87,7 @@ static status_t run_test(const uint32_t *key, size_t key_len, .len = ARRAYSIZE(act_tag), }; - TRY(otcrypto_hmac(&blinded_key, msg, &tag_buf)); + TRY(otcrypto_hmac(&blinded_key, msg, tag_buf)); TRY_CHECK_ARRAYS_EQ(act_tag, exp_tag, kTagLenWords); return OK_STATUS(); } diff --git a/sw/device/tests/crypto/kmac_functest.c b/sw/device/tests/crypto/kmac_functest.c index 3571147f066b2..4c434f0d1bb16 100644 --- a/sw/device/tests/crypto/kmac_functest.c +++ b/sw/device/tests/crypto/kmac_functest.c @@ -157,7 +157,7 @@ static status_t run_test_vector(void) { TRY(otcrypto_kmac(¤t_test_vector->key, current_test_vector->input_msg, mode, current_test_vector->cust_str, - current_test_vector->digest.len, &tag_buf)); + current_test_vector->digest.len, tag_buf)); break; } default: { diff --git a/sw/device/tests/crypto/rsa_2048_encryption_functest.c b/sw/device/tests/crypto/rsa_2048_encryption_functest.c index 0953103cd8a9b..3f2e606ed099f 100644 --- a/sw/device/tests/crypto/rsa_2048_encryption_functest.c +++ b/sw/device/tests/crypto/rsa_2048_encryption_functest.c @@ -124,7 +124,7 @@ static status_t run_rsa_2048_encrypt(const uint8_t *msg, size_t msg_len, }; uint64_t t_start = profile_start(); TRY(otcrypto_rsa_encrypt(&public_key, kTestHashMode, msg_buf, label_buf, - &ciphertext_buf)); + ciphertext_buf)); profile_end_and_print(t_start, "RSA-2048 encryption"); return OK_STATUS(); @@ -193,7 +193,7 @@ static status_t run_rsa_2048_decrypt(const uint8_t *label, size_t label_len, }; uint64_t t_start = profile_start(); TRY(otcrypto_rsa_decrypt(&private_key, kTestHashMode, ciphertext_buf, - label_buf, &plaintext_buf)); + label_buf, plaintext_buf)); profile_end_and_print(t_start, "RSA-2048 decryption"); // Write the actual plaintext length to `msg_len`. diff --git a/sw/device/tests/crypto/rsa_2048_keygen_functest.c b/sw/device/tests/crypto/rsa_2048_keygen_functest.c index 13e5c4c16b78a..0101dc39eddc9 100644 --- a/sw/device/tests/crypto/rsa_2048_keygen_functest.c +++ b/sw/device/tests/crypto/rsa_2048_keygen_functest.c @@ -112,7 +112,7 @@ status_t keygen_then_sign_test(void) { // Generate a signature. LOG_INFO("Starting signature generation..."); TRY(otcrypto_rsa_sign(&private_key, &msg_digest, kOtcryptoRsaPaddingPkcs, - &sig_buf)); + sig_buf)); LOG_INFO("Signature generation complete."); LOG_INFO("OTBN instruction count: %u", otbn_instruction_count_get()); diff --git a/sw/device/tests/crypto/rsa_2048_signature_functest.c b/sw/device/tests/crypto/rsa_2048_signature_functest.c index dda5112fb756a..51a49af3dcb0b 100644 --- a/sw/device/tests/crypto/rsa_2048_signature_functest.c +++ b/sw/device/tests/crypto/rsa_2048_signature_functest.c @@ -167,7 +167,7 @@ static status_t run_rsa_2048_sign(const uint8_t *msg, size_t msg_len, .len = kRsa2048NumWords, }; uint64_t t_start = profile_start(); - TRY(otcrypto_rsa_sign(&private_key, &msg_digest, padding_mode, &sig_buf)); + TRY(otcrypto_rsa_sign(&private_key, &msg_digest, padding_mode, sig_buf)); profile_end_and_print(t_start, "RSA signature generation"); return OK_STATUS(); diff --git a/sw/device/tests/crypto/rsa_3072_keygen_functest.c b/sw/device/tests/crypto/rsa_3072_keygen_functest.c index f3992600bee94..c8ea48af9c303 100644 --- a/sw/device/tests/crypto/rsa_3072_keygen_functest.c +++ b/sw/device/tests/crypto/rsa_3072_keygen_functest.c @@ -114,7 +114,7 @@ status_t keygen_then_sign_test(void) { // Generate a signature. LOG_INFO("Starting signature generation..."); TRY(otcrypto_rsa_sign(&private_key, &msg_digest, kOtcryptoRsaPaddingPkcs, - &sig_buf)); + sig_buf)); LOG_INFO("Signature generation complete."); LOG_INFO("OTBN instruction count: %u", otbn_instruction_count_get()); diff --git a/sw/device/tests/crypto/rsa_3072_signature_functest.c b/sw/device/tests/crypto/rsa_3072_signature_functest.c index 32dcfa0a13790..4521eae26a4c5 100644 --- a/sw/device/tests/crypto/rsa_3072_signature_functest.c +++ b/sw/device/tests/crypto/rsa_3072_signature_functest.c @@ -194,7 +194,7 @@ static status_t run_rsa_3072_sign(const uint8_t *msg, size_t msg_len, }; uint64_t t_start = profile_start(); - TRY(otcrypto_rsa_sign(&private_key, &msg_digest, padding_mode, &sig_buf)); + TRY(otcrypto_rsa_sign(&private_key, &msg_digest, padding_mode, sig_buf)); profile_end_and_print(t_start, "RSA signature generation"); return OK_STATUS(); diff --git a/sw/device/tests/crypto/rsa_4096_keygen_functest.c b/sw/device/tests/crypto/rsa_4096_keygen_functest.c index 76feef82e1a90..5de073f7436a8 100644 --- a/sw/device/tests/crypto/rsa_4096_keygen_functest.c +++ b/sw/device/tests/crypto/rsa_4096_keygen_functest.c @@ -114,7 +114,7 @@ status_t keygen_then_sign_test(void) { // Generate a signature. LOG_INFO("Starting signature generation..."); TRY(otcrypto_rsa_sign(&private_key, &msg_digest, kOtcryptoRsaPaddingPkcs, - &sig_buf)); + sig_buf)); LOG_INFO("Signature generation complete."); LOG_INFO("OTBN instruction count: %u", otbn_instruction_count_get()); diff --git a/sw/device/tests/crypto/rsa_4096_signature_functest.c b/sw/device/tests/crypto/rsa_4096_signature_functest.c index a353834145710..aee95c1b935e0 100644 --- a/sw/device/tests/crypto/rsa_4096_signature_functest.c +++ b/sw/device/tests/crypto/rsa_4096_signature_functest.c @@ -223,7 +223,7 @@ static status_t run_rsa_4096_sign(const uint8_t *msg, size_t msg_len, }; uint64_t t_start = profile_start(); - TRY(otcrypto_rsa_sign(&private_key, &msg_digest, padding_mode, &sig_buf)); + TRY(otcrypto_rsa_sign(&private_key, &msg_digest, padding_mode, sig_buf)); profile_end_and_print(t_start, "RSA signature generation"); return OK_STATUS(); From a80d188dda8390343bb08ed23404c9186b62ec2b Mon Sep 17 00:00:00 2001 From: Jade Philipoom Date: Thu, 18 Jan 2024 09:28:25 +0100 Subject: [PATCH 2/4] [crypto] Change ordering of buffer fields to match Rust. This is helpful for compatibility when the cryptolib is called from Rust code. Signed-off-by: Jade Philipoom --- .../lib/crypto/impl/key_transport_unittest.cc | 50 +++++++++---------- sw/device/lib/crypto/include/datatypes.h | 20 ++++---- 2 files changed, 35 insertions(+), 35 deletions(-) diff --git a/sw/device/lib/crypto/impl/key_transport_unittest.cc b/sw/device/lib/crypto/impl/key_transport_unittest.cc index 1c5a89390b29d..26a12f28cfc9b 100644 --- a/sw/device/lib/crypto/impl/key_transport_unittest.cc +++ b/sw/device/lib/crypto/impl/key_transport_unittest.cc @@ -129,12 +129,12 @@ TEST(KeyTransport, BlindedKeyImportExport) { // Import the key into the blinded key struct. EXPECT_EQ(status_ok(otcrypto_import_blinded_key( (otcrypto_const_word32_buf_t){ - .len = share0.size(), .data = share0.data(), + .len = share0.size(), }, (otcrypto_const_word32_buf_t){ - .len = share1.size(), .data = share1.data(), + .len = share1.size(), }, &blinded_key)), true); @@ -145,15 +145,15 @@ TEST(KeyTransport, BlindedKeyImportExport) { // Export the key again. otcrypto_word32_buf_t share0_buf = { - .len = share0.size(), .data = share0.data(), + .len = share0.size(), }; otcrypto_word32_buf_t share1_buf = { - .len = share1.size(), .data = share1.data(), + .len = share1.size(), }; - EXPECT_EQ(status_ok(otcrypto_export_blinded_key(blinded_key, &share0_buf, - &share1_buf)), + EXPECT_EQ(status_ok(otcrypto_export_blinded_key(blinded_key, share0_buf, + share1_buf)), true); // Unmask the result and compare to the unmasked key. @@ -179,12 +179,12 @@ TEST(KeyTransport, BlindedKeyImportBadLengths) { // Set a bad length for share 0 and expect the import to fail. EXPECT_EQ(status_ok(otcrypto_import_blinded_key( (otcrypto_const_word32_buf_t){ - .len = share0.size() - 1, .data = share0.data(), + .len = share0.size() - 1, }, (otcrypto_const_word32_buf_t){ - .len = share1.size(), .data = share1.data(), + .len = share1.size(), }, &blinded_key)), false); @@ -192,12 +192,12 @@ TEST(KeyTransport, BlindedKeyImportBadLengths) { // Set a bad length for share 1 and expect the import to fail. EXPECT_EQ(status_ok(otcrypto_import_blinded_key( (otcrypto_const_word32_buf_t){ - .len = share0.size(), .data = share0.data(), + .len = share0.size(), }, (otcrypto_const_word32_buf_t){ - .len = share1.size() - 1, .data = share1.data(), + .len = share1.size() - 1, }, &blinded_key)), false); @@ -210,12 +210,12 @@ TEST(KeyTransport, BlindedKeyImportBadLengths) { }; EXPECT_EQ(status_ok(otcrypto_import_blinded_key( (otcrypto_const_word32_buf_t){ - .len = share0.size(), .data = share0.data(), + .len = share0.size(), }, (otcrypto_const_word32_buf_t){ - .len = share1.size(), .data = share1.data(), + .len = share1.size(), }, &bad_blinded_key)), false); @@ -238,33 +238,33 @@ TEST(KeyTransport, BlindedKeyExportBadLengths) { // Import the key. EXPECT_EQ(status_ok(otcrypto_import_blinded_key( (otcrypto_const_word32_buf_t){ - .len = share0.size(), .data = share0.data(), + .len = share0.size(), }, (otcrypto_const_word32_buf_t){ - .len = share1.size(), .data = share1.data(), + .len = share1.size(), }, &blinded_key)), true); otcrypto_word32_buf_t share_with_good_length = { - .len = share0.size(), .data = share0.data(), + .len = share0.size(), }; otcrypto_word32_buf_t share_with_bad_length = { - .len = share1.size() - 1, .data = share1.data(), + .len = share1.size() - 1, }; // Set a bad length for share 0 and expect the import to fail. EXPECT_EQ(status_ok(otcrypto_export_blinded_key( - blinded_key, &share_with_bad_length, &share_with_good_length)), + blinded_key, share_with_bad_length, share_with_good_length)), false); // Set a bad length for share 1 and expect the import to fail. EXPECT_EQ(status_ok(otcrypto_export_blinded_key( - blinded_key, &share_with_good_length, &share_with_bad_length)), + blinded_key, share_with_good_length, share_with_bad_length)), false); // Set a bad length for the keyblob and expect the export to fail. @@ -275,7 +275,7 @@ TEST(KeyTransport, BlindedKeyExportBadLengths) { }; EXPECT_EQ( status_ok(otcrypto_export_blinded_key( - bad_blinded_key, &share_with_good_length, &share_with_good_length)), + bad_blinded_key, share_with_good_length, share_with_good_length)), false); } @@ -296,27 +296,27 @@ TEST(KeyTransport, BlindedKeyExportNotExportable) { // Import the key. EXPECT_EQ(status_ok(otcrypto_import_blinded_key( (otcrypto_const_word32_buf_t){ - .len = share0.size(), .data = share0.data(), + .len = share0.size(), }, (otcrypto_const_word32_buf_t){ - .len = share1.size(), .data = share1.data(), + .len = share1.size(), }, &blinded_key)), true); // Expect key export to fail. otcrypto_word32_buf_t share0_buf = { - .len = share0.size(), .data = share0.data(), + .len = share0.size(), }; otcrypto_word32_buf_t share1_buf = { - .len = share1.size(), .data = share1.data(), + .len = share1.size(), }; - EXPECT_EQ(status_ok(otcrypto_export_blinded_key(blinded_key, &share0_buf, - &share1_buf)), + EXPECT_EQ(status_ok(otcrypto_export_blinded_key(blinded_key, share0_buf, + share1_buf)), false); } diff --git a/sw/device/lib/crypto/include/datatypes.h b/sw/device/lib/crypto/include/datatypes.h index 7966b3c7bab9a..319ebfad22112 100644 --- a/sw/device/lib/crypto/include/datatypes.h +++ b/sw/device/lib/crypto/include/datatypes.h @@ -81,10 +81,10 @@ typedef enum otcrypto_status_value { * crypto library will throw an error if `len` doesn't match expectations. */ typedef struct otcrypto_byte_buf { - // Length of the data in bytes. - size_t len; // Pointer to the data. uint8_t *data; + // Length of the data in bytes. + size_t len; } otcrypto_byte_buf_t; /** @@ -96,10 +96,10 @@ typedef struct otcrypto_byte_buf { * otcrypto_byte_buf_t` would still allow data to change. */ typedef struct otcrypto_const_byte_buf { - // Length of the data in bytes. - const size_t len; // Pointer to the data. const uint8_t *const data; + // Length of the data in bytes. + const size_t len; } otcrypto_const_byte_buf_t; /** @@ -110,10 +110,10 @@ typedef struct otcrypto_const_byte_buf { * crypto library will throw an error if `len` doesn't match expectations. */ typedef struct otcrypto_word32_buf { - // Length of the data in words. - size_t len; // Pointer to the data. uint32_t *data; + // Length of the data in words. + size_t len; } otcrypto_word32_buf_t; /** @@ -125,10 +125,10 @@ typedef struct otcrypto_word32_buf { * otcrypto_word32_buf_t` would still allow data to change. */ typedef struct otcrypto_const_word32_buf { - // Length of the data in words. - const size_t len; // Pointer to the data. const uint32_t *const data; + // Length of the data in words. + const size_t len; } otcrypto_const_word32_buf_t; /** @@ -445,10 +445,10 @@ typedef enum otcrypto_hash_mode { typedef struct otcrypto_hash_digest { // Digest type. otcrypto_hash_mode_t mode; - // Digest length in 32-bit words. - size_t len; // Digest data. uint32_t *data; + // Digest length in 32-bit words. + size_t len; } otcrypto_hash_digest_t; #ifdef __cplusplus From 9b01dcb8f711a924e1b475b4c496863d5a5f2863 Mon Sep 17 00:00:00 2001 From: Jade Philipoom Date: Thu, 18 Jan 2024 16:58:36 +0100 Subject: [PATCH 3/4] [crypto] Pass hash digests by value. Signed-off-by: Jade Philipoom --- sw/device/lib/crypto/impl/ecc.c | 32 ++++--- sw/device/lib/crypto/impl/hash.c | 84 +++++++++---------- sw/device/lib/crypto/impl/mac.c | 6 +- sw/device/lib/crypto/impl/rsa.c | 21 +++-- sw/device/lib/crypto/impl/rsa/rsa_padding.c | 64 +++++++------- sw/device/lib/crypto/impl/rsa/rsa_padding.h | 8 +- sw/device/lib/crypto/impl/rsa/rsa_signature.c | 20 ++--- sw/device/lib/crypto/impl/rsa/rsa_signature.h | 8 +- sw/device/lib/crypto/include/ecc.h | 8 +- sw/device/lib/crypto/include/hash.h | 8 +- sw/device/lib/crypto/include/rsa.h | 14 ++-- .../manuf/lib/individualize_sw_cfg.c | 3 +- sw/device/silicon_creator/manuf/lib/util.c | 16 ++-- sw/device/silicon_creator/manuf/lib/util.h | 2 +- sw/device/tests/crypto/ecdsa_p256_functest.c | 6 +- .../crypto/ecdsa_p256_sideload_functest.c | 6 +- sw/device/tests/crypto/kmac_functest.c | 6 +- .../tests/crypto/rsa_2048_keygen_functest.c | 6 +- .../crypto/rsa_2048_signature_functest.c | 8 +- .../tests/crypto/rsa_3072_keygen_functest.c | 6 +- .../crypto/rsa_3072_signature_functest.c | 8 +- .../tests/crypto/rsa_4096_keygen_functest.c | 6 +- .../crypto/rsa_4096_signature_functest.c | 8 +- sw/device/tests/crypto/sha256_functest.c | 6 +- sw/device/tests/crypto/sha384_functest.c | 4 +- sw/device/tests/crypto/sha512_functest.c | 4 +- 26 files changed, 182 insertions(+), 186 deletions(-) diff --git a/sw/device/lib/crypto/impl/ecc.c b/sw/device/lib/crypto/impl/ecc.c index d1cc5dfd4e60c..dfe543afe36d5 100644 --- a/sw/device/lib/crypto/impl/ecc.c +++ b/sw/device/lib/crypto/impl/ecc.c @@ -25,7 +25,7 @@ otcrypto_status_t otcrypto_ecdsa_keygen( otcrypto_status_t otcrypto_ecdsa_sign( const otcrypto_blinded_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const otcrypto_ecc_curve_t *elliptic_curve, otcrypto_word32_buf_t signature) { HARDENED_TRY(otcrypto_ecdsa_sign_async_start(private_key, message_digest, @@ -35,7 +35,7 @@ otcrypto_status_t otcrypto_ecdsa_sign( otcrypto_status_t otcrypto_ecdsa_verify( const otcrypto_unblinded_key_t *public_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_const_word32_buf_t signature, const otcrypto_ecc_curve_t *elliptic_curve, hardened_bool_t *verification_result) { @@ -326,12 +326,12 @@ otcrypto_status_t otcrypto_ecdsa_keygen_async_finalize( */ static status_t internal_ecdsa_p256_sign_start( const otcrypto_blinded_key_t *private_key, - const otcrypto_hash_digest_t *message_digest) { + const otcrypto_hash_digest_t message_digest) { // Check the digest length. - if (launder32(message_digest->len) != kP256ScalarWords) { + if (launder32(message_digest.len) != kP256ScalarWords) { return OTCRYPTO_BAD_ARGS; } - HARDENED_CHECK_EQ(message_digest->len, kP256ScalarWords); + HARDENED_CHECK_EQ(message_digest.len, kP256ScalarWords); // Check the key length. HARDENED_TRY(p256_private_key_length_check(private_key)); @@ -340,12 +340,12 @@ static status_t internal_ecdsa_p256_sign_start( // Start the asynchronous signature-generation routine. HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse); p256_masked_scalar_t *sk = (p256_masked_scalar_t *)private_key->keyblob; - return ecdsa_p256_sign_start(message_digest->data, sk); + return ecdsa_p256_sign_start(message_digest.data, sk); } else if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) { // Load the key and start in sideloaded-key mode. HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue); HARDENED_TRY(sideload_key_seed(private_key)); - return ecdsa_p256_sideload_sign_start(message_digest->data); + return ecdsa_p256_sideload_sign_start(message_digest.data); } // Invalid value for private_key->hw_backed. @@ -354,11 +354,10 @@ static status_t internal_ecdsa_p256_sign_start( otcrypto_status_t otcrypto_ecdsa_sign_async_start( const otcrypto_blinded_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const otcrypto_ecc_curve_t *elliptic_curve) { if (private_key == NULL || private_key->keyblob == NULL || - elliptic_curve == NULL || message_digest == NULL || - message_digest->data == NULL) { + elliptic_curve == NULL || message_digest.data == NULL) { return OTCRYPTO_BAD_ARGS; } @@ -465,34 +464,33 @@ otcrypto_status_t otcrypto_ecdsa_sign_async_finalize( */ static status_t internal_ecdsa_p256_verify_start( const otcrypto_unblinded_key_t *public_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_const_word32_buf_t signature) { // Check the public key size. HARDENED_TRY(p256_public_key_length_check(public_key)); p256_point_t *pk = (p256_point_t *)public_key->key; // Check the digest length. - if (launder32(message_digest->len) != kP256ScalarWords) { + if (launder32(message_digest.len) != kP256ScalarWords) { return OTCRYPTO_BAD_ARGS; } - HARDENED_CHECK_EQ(message_digest->len, kP256ScalarWords); + HARDENED_CHECK_EQ(message_digest.len, kP256ScalarWords); // Check the signature lengths. HARDENED_TRY(p256_signature_length_check(signature.len)); ecdsa_p256_signature_t *sig = (ecdsa_p256_signature_t *)signature.data; // Start the asynchronous signature-verification routine. - return ecdsa_p256_verify_start(sig, message_digest->data, pk); + return ecdsa_p256_verify_start(sig, message_digest.data, pk); } otcrypto_status_t otcrypto_ecdsa_verify_async_start( const otcrypto_unblinded_key_t *public_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_const_word32_buf_t signature, const otcrypto_ecc_curve_t *elliptic_curve) { if (public_key == NULL || elliptic_curve == NULL || signature.data == NULL || - message_digest == NULL || message_digest->data == NULL || - public_key->key == NULL) { + message_digest.data == NULL || public_key->key == NULL) { return OTCRYPTO_BAD_ARGS; } diff --git a/sw/device/lib/crypto/impl/hash.c b/sw/device/lib/crypto/impl/hash.c index 7ba790afa807f..895bc341e7106 100644 --- a/sw/device/lib/crypto/impl/hash.c +++ b/sw/device/lib/crypto/impl/hash.c @@ -139,35 +139,35 @@ static void sha512_state_restore(const otcrypto_hash_context_t *restrict ctx, * @return Error status. */ OT_WARN_UNUSED_RESULT -static status_t check_digest_len(otcrypto_hash_digest_t *digest) { - switch (launder32(digest->mode)) { +static status_t check_digest_len(otcrypto_hash_digest_t digest) { + switch (launder32(digest.mode)) { case kOtcryptoHashModeSha3_224: - if (launder32(digest->len) == (224 / 32)) { - HARDENED_CHECK_EQ(digest->len * sizeof(uint32_t) * 8, 224); + if (launder32(digest.len) == (224 / 32)) { + HARDENED_CHECK_EQ(digest.len * sizeof(uint32_t) * 8, 224); return OTCRYPTO_OK; } return OTCRYPTO_BAD_ARGS; case kOtcryptoHashModeSha256: OT_FALLTHROUGH_INTENDED; case kOtcryptoHashModeSha3_256: - if (launder32(digest->len) == (256 / 32)) { - HARDENED_CHECK_EQ(digest->len * sizeof(uint32_t) * 8, 256); + if (launder32(digest.len) == (256 / 32)) { + HARDENED_CHECK_EQ(digest.len * sizeof(uint32_t) * 8, 256); return OTCRYPTO_OK; } return OTCRYPTO_BAD_ARGS; case kOtcryptoHashModeSha384: OT_FALLTHROUGH_INTENDED; case kOtcryptoHashModeSha3_384: - if (launder32(digest->len) == (384 / 32)) { - HARDENED_CHECK_EQ(digest->len * sizeof(uint32_t) * 8, 384); + if (launder32(digest.len) == (384 / 32)) { + HARDENED_CHECK_EQ(digest.len * sizeof(uint32_t) * 8, 384); return OTCRYPTO_OK; } return OTCRYPTO_BAD_ARGS; case kOtcryptoHashModeSha512: OT_FALLTHROUGH_INTENDED; case kOtcryptoHashModeSha3_512: - if (launder32(digest->len) == (512 / 32)) { - HARDENED_CHECK_EQ(digest->len * sizeof(uint32_t) * 8, 512); + if (launder32(digest.len) == (512 / 32)) { + HARDENED_CHECK_EQ(digest.len * sizeof(uint32_t) * 8, 512); return OTCRYPTO_OK; } return OTCRYPTO_BAD_ARGS; @@ -187,9 +187,9 @@ static status_t check_digest_len(otcrypto_hash_digest_t *digest) { */ OT_WARN_UNUSED_RESULT static status_t hmac_sha256(otcrypto_const_byte_buf_t message, - otcrypto_hash_digest_t *digest) { - HARDENED_CHECK_EQ(digest->len, kHmacDigestNumWords); - HARDENED_CHECK_EQ(digest->mode, kOtcryptoHashModeSha256); + otcrypto_hash_digest_t digest) { + HARDENED_CHECK_EQ(digest.len, kHmacDigestNumWords); + HARDENED_CHECK_EQ(digest.mode, kOtcryptoHashModeSha256); // Initialize the hardware. hmac_sha_init(); @@ -200,40 +200,40 @@ static status_t hmac_sha256(otcrypto_const_byte_buf_t message, // Retrieve the digest and copy it to the destination buffer. hmac_digest_t hmac_digest; hmac_final(&hmac_digest); - hardened_memcpy(digest->data, hmac_digest.digest, kHmacDigestNumWords); + hardened_memcpy(digest.data, hmac_digest.digest, kHmacDigestNumWords); return OTCRYPTO_OK; } otcrypto_status_t otcrypto_hash(otcrypto_const_byte_buf_t input_message, - otcrypto_hash_digest_t *digest) { + otcrypto_hash_digest_t digest) { if (input_message.data == NULL && input_message.len != 0) { return OTCRYPTO_BAD_ARGS; } - if (digest == NULL || digest->data == NULL) { + if (digest.data == NULL) { return OTCRYPTO_BAD_ARGS; } // Check that digest length and mode match. HARDENED_TRY(check_digest_len(digest)); - switch (digest->mode) { + switch (digest.mode) { case kOtcryptoHashModeSha3_224: - return kmac_sha3_224(input_message.data, input_message.len, digest->data); + return kmac_sha3_224(input_message.data, input_message.len, digest.data); case kOtcryptoHashModeSha3_256: - return kmac_sha3_256(input_message.data, input_message.len, digest->data); + return kmac_sha3_256(input_message.data, input_message.len, digest.data); case kOtcryptoHashModeSha3_384: - return kmac_sha3_384(input_message.data, input_message.len, digest->data); + return kmac_sha3_384(input_message.data, input_message.len, digest.data); case kOtcryptoHashModeSha3_512: - return kmac_sha3_512(input_message.data, input_message.len, digest->data); + return kmac_sha3_512(input_message.data, input_message.len, digest.data); case kOtcryptoHashModeSha256: // Call the HMAC block driver in SHA-256 mode. return hmac_sha256(input_message, digest); case kOtcryptoHashModeSha384: - return sha384(input_message.data, input_message.len, digest->data); + return sha384(input_message.data, input_message.len, digest.data); case kOtcryptoHashModeSha512: - return sha512(input_message.data, input_message.len, digest->data); + return sha512(input_message.data, input_message.len, digest.data); default: // Invalid hash mode. return OTCRYPTO_BAD_ARGS; @@ -245,14 +245,14 @@ otcrypto_status_t otcrypto_hash(otcrypto_const_byte_buf_t input_message, } otcrypto_status_t otcrypto_xof_shake(otcrypto_const_byte_buf_t input_message, - otcrypto_hash_digest_t *digest) { - switch (digest->mode) { + otcrypto_hash_digest_t digest) { + switch (digest.mode) { case kOtcryptoHashXofModeShake128: - return kmac_shake_128(input_message.data, input_message.len, digest->data, - digest->len); + return kmac_shake_128(input_message.data, input_message.len, digest.data, + digest.len); case kOtcryptoHashXofModeShake256: - return kmac_shake_256(input_message.data, input_message.len, digest->data, - digest->len); + return kmac_shake_256(input_message.data, input_message.len, digest.data, + digest.len); default: return OTCRYPTO_BAD_ARGS; } @@ -266,34 +266,34 @@ otcrypto_status_t otcrypto_xof_cshake( otcrypto_const_byte_buf_t input_message, otcrypto_const_byte_buf_t function_name_string, otcrypto_const_byte_buf_t customization_string, - otcrypto_hash_digest_t *digest) { + otcrypto_hash_digest_t digest) { // According to NIST SP 800-185 Section 3.2, cSHAKE call should use SHAKE, if // both `customization_string` and `function_name_string` are empty string if (customization_string.len == 0 && function_name_string.len == 0) { - switch (digest->mode) { + switch (digest.mode) { case kOtcryptoHashXofModeCshake128: return kmac_shake_128(input_message.data, input_message.len, - digest->data, digest->len); + digest.data, digest.len); case kOtcryptoHashXofModeCshake256: return kmac_shake_256(input_message.data, input_message.len, - digest->data, digest->len); + digest.data, digest.len); default: return OTCRYPTO_BAD_ARGS; } } - switch (digest->mode) { + switch (digest.mode) { case kOtcryptoHashXofModeCshake128: return kmac_cshake_128( input_message.data, input_message.len, function_name_string.data, function_name_string.len, customization_string.data, - customization_string.len, digest->data, digest->len); + customization_string.len, digest.data, digest.len); break; case kOtcryptoHashXofModeCshake256: return kmac_cshake_256( input_message.data, input_message.len, function_name_string.data, function_name_string.len, customization_string.data, - customization_string.len, digest->data, digest->len); + customization_string.len, digest.data, digest.len); default: return OTCRYPTO_BAD_ARGS; } @@ -378,14 +378,14 @@ otcrypto_status_t otcrypto_hash_update( } otcrypto_status_t otcrypto_hash_final(otcrypto_hash_context_t *const ctx, - otcrypto_hash_digest_t *digest) { - if (ctx == NULL || digest == NULL || digest->data == NULL) { + otcrypto_hash_digest_t digest) { + if (ctx == NULL || digest.data == NULL) { return OTCRYPTO_BAD_ARGS; } // Check that digest length and mode are consistent. HARDENED_TRY(check_digest_len(digest)); - if (ctx->mode != digest->mode) { + if (ctx->mode != digest.mode) { return OTCRYPTO_BAD_ARGS; } @@ -393,19 +393,19 @@ otcrypto_status_t otcrypto_hash_final(otcrypto_hash_context_t *const ctx, case kOtcryptoHashModeSha256: { sha256_state_t state; sha256_state_restore(ctx, &state); - HARDENED_TRY(sha256_final(&state, digest->data)); + HARDENED_TRY(sha256_final(&state, digest.data)); break; } case kOtcryptoHashModeSha384: { sha384_state_t state; sha384_state_restore(ctx, &state); - HARDENED_TRY(sha384_final(&state, digest->data)); + HARDENED_TRY(sha384_final(&state, digest.data)); break; } case kOtcryptoHashModeSha512: { sha512_state_t state; sha512_state_restore(ctx, &state); - HARDENED_TRY(sha512_final(&state, digest->data)); + HARDENED_TRY(sha512_final(&state, digest.data)); break; } default: diff --git a/sw/device/lib/crypto/impl/mac.c b/sw/device/lib/crypto/impl/mac.c index f77405528161c..dc81a945af309 100644 --- a/sw/device/lib/crypto/impl/mac.c +++ b/sw/device/lib/crypto/impl/mac.c @@ -193,7 +193,7 @@ otcrypto_status_t otcrypto_hmac_init(otcrypto_hmac_context_t *ctx, .len = key->config.key_length, .data = (unsigned char *)unmasked_key, }, - &key_digest)); + key_digest)); } // Compute (K0 ^ ipad). @@ -249,7 +249,7 @@ otcrypto_status_t otcrypto_hmac_final(otcrypto_hmac_context_t *const ctx, // Finalize the computation of the inner hash = H(K0 ^ ipad || message) and // store it in `tag` temporarily. - HARDENED_TRY(otcrypto_hash_final(&ctx->inner, &digest_buf)); + HARDENED_TRY(otcrypto_hash_final(&ctx->inner, digest_buf)); // Finalize the computation of the outer hash // = H(K0 ^ opad || H(K0 ^ ipad || message)). @@ -258,5 +258,5 @@ otcrypto_status_t otcrypto_hmac_final(otcrypto_hmac_context_t *const ctx, (otcrypto_const_byte_buf_t){.len = sizeof(uint32_t) * tag.len, .data = (unsigned char *)tag.data})); - return otcrypto_hash_final(&ctx->outer, &digest_buf); + return otcrypto_hash_final(&ctx->outer, digest_buf); } diff --git a/sw/device/lib/crypto/impl/rsa.c b/sw/device/lib/crypto/impl/rsa.c index 0c602382854e7..1e553ab93b9c6 100644 --- a/sw/device/lib/crypto/impl/rsa.c +++ b/sw/device/lib/crypto/impl/rsa.c @@ -289,10 +289,10 @@ otcrypto_status_t otcrypto_rsa_keypair_from_cofactor( return OTCRYPTO_OK; } -otcrypto_status_t otcrypto_rsa_sign( - const otcrypto_blinded_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, - otcrypto_rsa_padding_t padding_mode, otcrypto_word32_buf_t signature) { +otcrypto_status_t otcrypto_rsa_sign(const otcrypto_blinded_key_t *private_key, + const otcrypto_hash_digest_t message_digest, + otcrypto_rsa_padding_t padding_mode, + otcrypto_word32_buf_t signature) { HARDENED_TRY( otcrypto_rsa_sign_async_start(private_key, message_digest, padding_mode)); return otcrypto_rsa_sign_async_finalize(signature); @@ -300,7 +300,7 @@ otcrypto_status_t otcrypto_rsa_sign( otcrypto_status_t otcrypto_rsa_verify( const otcrypto_unblinded_key_t *public_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_rsa_padding_t padding_mode, otcrypto_const_word32_buf_t signature, hardened_bool_t *verification_result) { HARDENED_TRY(otcrypto_rsa_verify_async_start(public_key, signature)); @@ -612,11 +612,11 @@ static status_t key_mode_padding_check(otcrypto_key_mode_t key_mode, otcrypto_status_t otcrypto_rsa_sign_async_start( const otcrypto_blinded_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_rsa_padding_t padding_mode) { // Check for NULL pointers. - if (message_digest == NULL || message_digest->data == NULL || - private_key == NULL || private_key->keyblob == NULL) { + if (message_digest.data == NULL || private_key == NULL || + private_key->keyblob == NULL) { return OTCRYPTO_BAD_ARGS; } @@ -751,11 +751,10 @@ otcrypto_status_t otcrypto_rsa_verify_async_start( } otcrypto_status_t otcrypto_rsa_verify_async_finalize( - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_rsa_padding_t padding_mode, hardened_bool_t *verification_result) { // Check for NULL pointers. - if (message_digest == NULL || message_digest->data == NULL || - verification_result == NULL) { + if (message_digest.data == NULL || verification_result == NULL) { return OTCRYPTO_BAD_ARGS; } diff --git a/sw/device/lib/crypto/impl/rsa/rsa_padding.c b/sw/device/lib/crypto/impl/rsa/rsa_padding.c index 4a68c371dafc6..9c34ae2acd1d7 100644 --- a/sw/device/lib/crypto/impl/rsa/rsa_padding.c +++ b/sw/device/lib/crypto/impl/rsa/rsa_padding.c @@ -82,25 +82,25 @@ static status_t digest_info_length_get(const otcrypto_hash_mode_t hash_mode, * @return OTCRYPTO_BAD_ARGS if the hash function is not valid, otherwise OK. */ OT_WARN_UNUSED_RESULT -static status_t digest_info_write(const otcrypto_hash_digest_t *message_digest, +static status_t digest_info_write(const otcrypto_hash_digest_t message_digest, uint32_t *encoding) { - switch (message_digest->mode) { + switch (message_digest.mode) { case kOtcryptoHashModeSha256: - if (message_digest->len != kSha256DigestWords) { + if (message_digest.len != kSha256DigestWords) { return OTCRYPTO_BAD_ARGS; } memcpy(encoding + kSha256DigestWords, &kSha256DigestIdentifier, sizeof(kSha256DigestIdentifier)); break; case kOtcryptoHashModeSha384: - if (message_digest->len != kSha384DigestWords) { + if (message_digest.len != kSha384DigestWords) { return OTCRYPTO_BAD_ARGS; } memcpy(encoding + kSha384DigestWords, &kSha384DigestIdentifier, sizeof(kSha384DigestIdentifier)); break; case kOtcryptoHashModeSha512: - if (message_digest->len != kSha512DigestWords) { + if (message_digest.len != kSha512DigestWords) { return OTCRYPTO_BAD_ARGS; } memcpy(encoding + kSha512DigestWords, &kSha512DigestIdentifier, @@ -112,18 +112,18 @@ static status_t digest_info_write(const otcrypto_hash_digest_t *message_digest, }; // Copy the digest into the encoding, reversing the order of bytes. - for (size_t i = 0; i < message_digest->len / 2; i++) { - uint32_t tmp = __builtin_bswap32(message_digest->data[i]); + for (size_t i = 0; i < message_digest.len / 2; i++) { + uint32_t tmp = __builtin_bswap32(message_digest.data[i]); encoding[i] = - __builtin_bswap32(message_digest->data[message_digest->len - 1 - i]); - encoding[message_digest->len - 1 - i] = tmp; + __builtin_bswap32(message_digest.data[message_digest.len - 1 - i]); + encoding[message_digest.len - 1 - i] = tmp; } return OTCRYPTO_OK; } status_t rsa_padding_pkcs1v15_encode( - const otcrypto_hash_digest_t *message_digest, size_t encoded_message_len, + const otcrypto_hash_digest_t message_digest, size_t encoded_message_len, uint32_t *encoded_message) { // Initialize all bits of the encoded message to 1. size_t encoded_message_bytelen = encoded_message_len * sizeof(uint32_t); @@ -138,7 +138,7 @@ status_t rsa_padding_pkcs1v15_encode( // Get the length of the digest info (called T in the RFC). size_t tlen; - HARDENED_TRY(digest_info_length_get(message_digest->mode, &tlen)); + HARDENED_TRY(digest_info_length_get(message_digest.mode, &tlen)); if (tlen + 3 + 8 >= encoded_message_bytelen) { // Invalid encoded message length/hash function combination; the RFC @@ -156,7 +156,7 @@ status_t rsa_padding_pkcs1v15_encode( } status_t rsa_padding_pkcs1v15_verify( - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const uint32_t *encoded_message, const size_t encoded_message_len, hardened_bool_t *result) { // Re-encode the message. @@ -253,7 +253,7 @@ static status_t mgf1(otcrypto_hash_mode_t hash_mode, const uint8_t *seed, .data = hash_input, .len = sizeof(hash_input), }, - &digest)); + digest)); mask += digest_wordlen; mask_len -= digest_bytelen; } @@ -269,7 +269,7 @@ static status_t mgf1(otcrypto_hash_mode_t hash_mode, const uint8_t *seed, HARDENED_TRY( otcrypto_hash((otcrypto_const_byte_buf_t){.data = hash_input, .len = sizeof(hash_input)}, - &digest)); + digest)); hardened_memcpy(mask, digest_data, ceil_div(mask_len, sizeof(uint32_t))); return OTCRYPTO_OK; } @@ -304,36 +304,36 @@ static inline void reverse_bytes(size_t input_len, uint32_t *input) { * @param[out] h Resulting digest, H. */ OT_WARN_UNUSED_RESULT -static status_t pss_construct_h(const otcrypto_hash_digest_t *message_digest, +static status_t pss_construct_h(const otcrypto_hash_digest_t message_digest, const uint32_t *salt, size_t salt_len, uint32_t *h) { // Create a buffer for M' = (0x0000000000000000 || digest || salt). - size_t m_prime_wordlen = 2 + message_digest->len + salt_len; + size_t m_prime_wordlen = 2 + message_digest.len + salt_len; uint32_t m_prime[m_prime_wordlen]; m_prime[0] = 0; m_prime[1] = 0; uint32_t *digest_dst = &m_prime[2]; - uint32_t *salt_dst = digest_dst + message_digest->len; - hardened_memcpy(digest_dst, message_digest->data, message_digest->len); + uint32_t *salt_dst = digest_dst + message_digest.len; + hardened_memcpy(digest_dst, message_digest.data, message_digest.len); if (salt_len > 0) { hardened_memcpy(salt_dst, salt, salt_len); } // Construct H = Hash(M'). otcrypto_hash_digest_t h_buffer = { - .data = h, .len = message_digest->len, .mode = message_digest->mode}; + .data = h, .len = message_digest.len, .mode = message_digest.mode}; return otcrypto_hash( (otcrypto_const_byte_buf_t){.data = (unsigned char *)m_prime, .len = sizeof(m_prime)}, - &h_buffer); + h_buffer); } -status_t rsa_padding_pss_encode(const otcrypto_hash_digest_t *message_digest, +status_t rsa_padding_pss_encode(const otcrypto_hash_digest_t message_digest, const uint32_t *salt, size_t salt_len, size_t encoded_message_len, uint32_t *encoded_message) { // Check that the message length is long enough. - size_t digest_bytelen = message_digest->len * sizeof(uint32_t); + size_t digest_bytelen = message_digest.len * sizeof(uint32_t); size_t salt_bytelen = salt_len * sizeof(uint32_t); size_t encoded_message_bytelen = encoded_message_len * sizeof(uint32_t); if (encoded_message_bytelen < salt_bytelen + digest_bytelen + 2) { @@ -341,7 +341,7 @@ status_t rsa_padding_pss_encode(const otcrypto_hash_digest_t *message_digest, } // Construct H = Hash(0x0000000000000000 || digest || salt). - uint32_t h[message_digest->len]; + uint32_t h[message_digest.len]; HARDENED_TRY(pss_construct_h(message_digest, salt, salt_len, h)); // Construct DB = 00...00 || 0x01 || salt. @@ -356,7 +356,7 @@ status_t rsa_padding_pss_encode(const otcrypto_hash_digest_t *message_digest, // Compute the mask. uint32_t mask[ARRAYSIZE(db)]; - HARDENED_TRY(mgf1(message_digest->mode, (unsigned char *)h, sizeof(h), + HARDENED_TRY(mgf1(message_digest.mode, (unsigned char *)h, sizeof(h), db_bytelen, mask)); // Compute maskedDB = DB ^ mask. @@ -379,7 +379,7 @@ status_t rsa_padding_pss_encode(const otcrypto_hash_digest_t *message_digest, return OTCRYPTO_OK; } -status_t rsa_padding_pss_verify(const otcrypto_hash_digest_t *message_digest, +status_t rsa_padding_pss_verify(const otcrypto_hash_digest_t message_digest, uint32_t *encoded_message, size_t encoded_message_len, hardened_bool_t *result) { @@ -387,7 +387,7 @@ status_t rsa_padding_pss_verify(const otcrypto_hash_digest_t *message_digest, *result = kHardenedBoolFalse; // Check that the message length is long enough. - size_t digest_bytelen = message_digest->len * sizeof(uint32_t); + size_t digest_bytelen = message_digest.len * sizeof(uint32_t); size_t salt_bytelen = digest_bytelen; size_t encoded_message_bytelen = encoded_message_len * sizeof(uint32_t); if (encoded_message_bytelen < salt_bytelen + digest_bytelen + 2) { @@ -413,13 +413,13 @@ status_t rsa_padding_pss_verify(const otcrypto_hash_digest_t *message_digest, } // Extract H. - uint32_t h[message_digest->len]; + uint32_t h[message_digest.len]; memcpy(h, encoded_message_bytes + db_bytelen, sizeof(h)); // Compute the mask = MFG(H, emLen - hLen - 1). Zero the last bytes if // needed. uint32_t mask[ARRAYSIZE(db)]; - HARDENED_TRY(mgf1(message_digest->mode, (unsigned char *)h, sizeof(h), + HARDENED_TRY(mgf1(message_digest.mode, (unsigned char *)h, sizeof(h), db_bytelen, mask)); if (sizeof(mask) > db_bytelen) { memset(((unsigned char *)mask) + db_bytelen, 0, sizeof(mask) - db_bytelen); @@ -453,11 +453,11 @@ status_t rsa_padding_pss_verify(const otcrypto_hash_digest_t *message_digest, } // Extract the salt. - uint32_t salt[message_digest->len]; + uint32_t salt[message_digest.len]; memcpy(salt, db_bytes + db_bytelen - salt_bytelen, sizeof(salt)); // Construct the expected value of H and compare. - uint32_t exp_h[message_digest->len]; + uint32_t exp_h[message_digest.len]; HARDENED_TRY(pss_construct_h(message_digest, salt, ARRAYSIZE(salt), exp_h)); *result = hardened_memeq(h, exp_h, ARRAYSIZE(exp_h)); return OTCRYPTO_OK; @@ -511,7 +511,7 @@ status_t rsa_padding_oaep_encode(const otcrypto_hash_mode_t hash_mode, .len = ARRAYSIZE(lhash_data), .mode = hash_mode, }; - HARDENED_TRY(otcrypto_hash(label_buf, &lhash)); + HARDENED_TRY(otcrypto_hash(label_buf, lhash)); // Generate a random string the same length as a hash digest (step 2d). uint32_t seed[digest_wordlen]; @@ -633,7 +633,7 @@ status_t rsa_padding_oaep_decode(const otcrypto_hash_mode_t hash_mode, .len = digest_wordlen, .mode = hash_mode, }; - HARDENED_TRY(otcrypto_hash(label_buf, &lhash)); + HARDENED_TRY(otcrypto_hash(label_buf, lhash)); // Note: as we compare parts of the encoded message to their expected values, // we must be careful that the attacker cannot differentiate error codes or diff --git a/sw/device/lib/crypto/impl/rsa/rsa_padding.h b/sw/device/lib/crypto/impl/rsa/rsa_padding.h index 6694d48ffc14c..ef4925daba08f 100644 --- a/sw/device/lib/crypto/impl/rsa/rsa_padding.h +++ b/sw/device/lib/crypto/impl/rsa/rsa_padding.h @@ -33,7 +33,7 @@ extern "C" { */ OT_WARN_UNUSED_RESULT status_t rsa_padding_pkcs1v15_encode( - const otcrypto_hash_digest_t *message_digest, size_t encoded_message_len, + const otcrypto_hash_digest_t message_digest, size_t encoded_message_len, uint32_t *encoded_message); /** @@ -56,7 +56,7 @@ status_t rsa_padding_pkcs1v15_encode( */ OT_WARN_UNUSED_RESULT status_t rsa_padding_pkcs1v15_verify( - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const uint32_t *encoded_message, const size_t encoded_message_len, hardened_bool_t *result); @@ -77,7 +77,7 @@ status_t rsa_padding_pkcs1v15_verify( * @return Result of the operation (OK or error). */ OT_WARN_UNUSED_RESULT -status_t rsa_padding_pss_encode(const otcrypto_hash_digest_t *message_digest, +status_t rsa_padding_pss_encode(const otcrypto_hash_digest_t message_digest, const uint32_t *salt, size_t salt_len, size_t encoded_message_len, uint32_t *encoded_message); @@ -107,7 +107,7 @@ status_t rsa_padding_pss_encode(const otcrypto_hash_digest_t *message_digest, * @return Result of the operation (OK or error). */ OT_WARN_UNUSED_RESULT -status_t rsa_padding_pss_verify(const otcrypto_hash_digest_t *message_digest, +status_t rsa_padding_pss_verify(const otcrypto_hash_digest_t message_digest, uint32_t *encoded_message, size_t encoded_message_len, hardened_bool_t *result); diff --git a/sw/device/lib/crypto/impl/rsa/rsa_signature.c b/sw/device/lib/crypto/impl/rsa/rsa_signature.c index 0b72b99d343ac..14b46435b56f1 100644 --- a/sw/device/lib/crypto/impl/rsa/rsa_signature.c +++ b/sw/device/lib/crypto/impl/rsa/rsa_signature.c @@ -28,9 +28,9 @@ * @return Result of the operation (OK or BAD_ARGS). */ OT_WARN_UNUSED_RESULT -static status_t digest_check(const otcrypto_hash_digest_t *digest) { +static status_t digest_check(const otcrypto_hash_digest_t digest) { size_t num_words = 0; - switch (digest->mode) { + switch (digest.mode) { case kOtcryptoHashModeSha3_224: num_words = 224 / 32; break; @@ -54,7 +54,7 @@ static status_t digest_check(const otcrypto_hash_digest_t *digest) { } HARDENED_CHECK_GT(num_words, 0); - if (num_words != digest->len) { + if (num_words != digest.len) { return OTCRYPTO_BAD_ARGS; } return OTCRYPTO_OK; @@ -70,7 +70,7 @@ static status_t digest_check(const otcrypto_hash_digest_t *digest) { * @return Result of the operation (OK or error). */ OT_WARN_UNUSED_RESULT -static status_t message_encode(const otcrypto_hash_digest_t *message_digest, +static status_t message_encode(const otcrypto_hash_digest_t message_digest, const rsa_signature_padding_t padding_mode, size_t encoded_message_len, uint32_t *encoded_message) { @@ -83,7 +83,7 @@ static status_t message_encode(const otcrypto_hash_digest_t *message_digest, encoded_message); case kRsaSignaturePaddingPss: { // Generate a random salt value whose length matches the digest length. - uint32_t salt[message_digest->len]; + uint32_t salt[message_digest.len]; HARDENED_TRY(entropy_complex_check()); HARDENED_TRY(entropy_csrng_uninstantiate()); HARDENED_TRY(entropy_csrng_instantiate( @@ -123,7 +123,7 @@ static status_t message_encode(const otcrypto_hash_digest_t *message_digest, */ OT_WARN_UNUSED_RESULT static status_t encoded_message_verify( - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const rsa_signature_padding_t padding_mode, uint32_t *encoded_message, const size_t encoded_message_len, hardened_bool_t *result) { // Check that the digest length is OK. @@ -148,7 +148,7 @@ static status_t encoded_message_verify( status_t rsa_signature_generate_2048_start( const rsa_2048_private_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const rsa_signature_padding_t padding_mode) { // Encode the message. rsa_2048_int_t encoded_message; @@ -173,7 +173,7 @@ status_t rsa_signature_verify_2048_start( } status_t rsa_signature_verify_finalize( - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const rsa_signature_padding_t padding_mode, hardened_bool_t *verification_result) { // Wait for OTBN to complete and get the size for the last RSA operation. @@ -216,7 +216,7 @@ status_t rsa_signature_verify_finalize( status_t rsa_signature_generate_3072_start( const rsa_3072_private_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const rsa_signature_padding_t padding_mode) { // Encode the message. rsa_3072_int_t encoded_message; @@ -242,7 +242,7 @@ status_t rsa_signature_verify_3072_start( status_t rsa_signature_generate_4096_start( const rsa_4096_private_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const rsa_signature_padding_t padding_mode) { // Encode the message. rsa_4096_int_t encoded_message; diff --git a/sw/device/lib/crypto/impl/rsa/rsa_signature.h b/sw/device/lib/crypto/impl/rsa/rsa_signature.h index ce95959928e6d..00e37cb1f1f45 100644 --- a/sw/device/lib/crypto/impl/rsa/rsa_signature.h +++ b/sw/device/lib/crypto/impl/rsa/rsa_signature.h @@ -55,7 +55,7 @@ typedef enum rsa_signature_padding { OT_WARN_UNUSED_RESULT status_t rsa_signature_generate_2048_start( const rsa_2048_private_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const rsa_signature_padding_t padding_mode); /** @@ -102,7 +102,7 @@ status_t rsa_signature_verify_2048_start( */ OT_WARN_UNUSED_RESULT status_t rsa_signature_verify_finalize( - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const rsa_signature_padding_t padding_mode, hardened_bool_t *verification_result); @@ -121,7 +121,7 @@ status_t rsa_signature_verify_finalize( OT_WARN_UNUSED_RESULT status_t rsa_signature_generate_3072_start( const rsa_3072_private_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const rsa_signature_padding_t padding_mode); /** @@ -164,7 +164,7 @@ status_t rsa_signature_verify_3072_start( OT_WARN_UNUSED_RESULT status_t rsa_signature_generate_4096_start( const rsa_4096_private_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const rsa_signature_padding_t padding_mode); /** diff --git a/sw/device/lib/crypto/include/ecc.h b/sw/device/lib/crypto/include/ecc.h index 6d435e2d5846f..33b0f794720a8 100644 --- a/sw/device/lib/crypto/include/ecc.h +++ b/sw/device/lib/crypto/include/ecc.h @@ -131,7 +131,7 @@ otcrypto_status_t otcrypto_ecdsa_keygen( OT_WARN_UNUSED_RESULT otcrypto_status_t otcrypto_ecdsa_sign( const otcrypto_blinded_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const otcrypto_ecc_curve_t *elliptic_curve, otcrypto_word32_buf_t signature); @@ -159,7 +159,7 @@ otcrypto_status_t otcrypto_ecdsa_sign( OT_WARN_UNUSED_RESULT otcrypto_status_t otcrypto_ecdsa_verify( const otcrypto_unblinded_key_t *public_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_const_word32_buf_t signature, const otcrypto_ecc_curve_t *elliptic_curve, hardened_bool_t *verification_result); @@ -372,7 +372,7 @@ otcrypto_status_t otcrypto_ecdsa_keygen_async_finalize( OT_WARN_UNUSED_RESULT otcrypto_status_t otcrypto_ecdsa_sign_async_start( const otcrypto_blinded_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, const otcrypto_ecc_curve_t *elliptic_curve); /** @@ -412,7 +412,7 @@ otcrypto_status_t otcrypto_ecdsa_sign_async_finalize( OT_WARN_UNUSED_RESULT otcrypto_status_t otcrypto_ecdsa_verify_async_start( const otcrypto_unblinded_key_t *public_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_const_word32_buf_t signature, const otcrypto_ecc_curve_t *elliptic_curve); diff --git a/sw/device/lib/crypto/include/hash.h b/sw/device/lib/crypto/include/hash.h index 8ffe6da4e4182..6d306417a3270 100644 --- a/sw/device/lib/crypto/include/hash.h +++ b/sw/device/lib/crypto/include/hash.h @@ -48,7 +48,7 @@ typedef struct otcrypto_hash_context { * @return Result of the hash operation. */ otcrypto_status_t otcrypto_hash(otcrypto_const_byte_buf_t input_message, - otcrypto_hash_digest_t *digest); + otcrypto_hash_digest_t digest); /** * Performs the SHAKE extendable output function (XOF) on input data. @@ -63,7 +63,7 @@ otcrypto_status_t otcrypto_hash(otcrypto_const_byte_buf_t input_message, * @return Result of the xof operation. */ otcrypto_status_t otcrypto_xof_shake(otcrypto_const_byte_buf_t input_message, - otcrypto_hash_digest_t *digest); + otcrypto_hash_digest_t digest); /** * Performs the CSHAKE extendable output function (XOF) on input data. @@ -88,7 +88,7 @@ otcrypto_status_t otcrypto_xof_cshake( otcrypto_const_byte_buf_t input_message, otcrypto_const_byte_buf_t function_name_string, otcrypto_const_byte_buf_t customization_string, - otcrypto_hash_digest_t *digest); + otcrypto_hash_digest_t digest); /** * Performs the INIT operation for a cryptographic hash function. @@ -143,7 +143,7 @@ otcrypto_status_t otcrypto_hash_update(otcrypto_hash_context_t *const ctx, * @return Result of the hash final operation. */ otcrypto_status_t otcrypto_hash_final(otcrypto_hash_context_t *const ctx, - otcrypto_hash_digest_t *digest); + otcrypto_hash_digest_t digest); #ifdef __cplusplus } // extern "C" diff --git a/sw/device/lib/crypto/include/rsa.h b/sw/device/lib/crypto/include/rsa.h index ed13b198d49ee..849eb54a3aaa2 100644 --- a/sw/device/lib/crypto/include/rsa.h +++ b/sw/device/lib/crypto/include/rsa.h @@ -174,10 +174,10 @@ otcrypto_status_t otcrypto_rsa_keypair_from_cofactor( * @param[out] signature Pointer to the generated signature struct. * @return The result of the RSA signature generation. */ -otcrypto_status_t otcrypto_rsa_sign( - const otcrypto_blinded_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, - otcrypto_rsa_padding_t padding_mode, otcrypto_word32_buf_t signature); +otcrypto_status_t otcrypto_rsa_sign(const otcrypto_blinded_key_t *private_key, + const otcrypto_hash_digest_t message_digest, + otcrypto_rsa_padding_t padding_mode, + otcrypto_word32_buf_t signature); /** * Verifies the authenticity of the input signature. @@ -195,7 +195,7 @@ otcrypto_status_t otcrypto_rsa_sign( */ otcrypto_status_t otcrypto_rsa_verify( const otcrypto_unblinded_key_t *public_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_rsa_padding_t padding_mode, otcrypto_const_word32_buf_t signature, hardened_bool_t *verification_result); @@ -344,7 +344,7 @@ otcrypto_status_t otcrypto_rsa_keypair_from_cofactor_async_finalize( */ otcrypto_status_t otcrypto_rsa_sign_async_start( const otcrypto_blinded_key_t *private_key, - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_rsa_padding_t padding_mode); /** @@ -385,7 +385,7 @@ otcrypto_status_t otcrypto_rsa_verify_async_start( * @return Result of async RSA verify finalize operation. */ otcrypto_status_t otcrypto_rsa_verify_async_finalize( - const otcrypto_hash_digest_t *message_digest, + const otcrypto_hash_digest_t message_digest, otcrypto_rsa_padding_t padding_mode, hardened_bool_t *verification_result); /** diff --git a/sw/device/silicon_creator/manuf/lib/individualize_sw_cfg.c b/sw/device/silicon_creator/manuf/lib/individualize_sw_cfg.c index bb7db87604d23..25c418ba7299d 100644 --- a/sw/device/silicon_creator/manuf/lib/individualize_sw_cfg.c +++ b/sw/device/silicon_creator/manuf/lib/individualize_sw_cfg.c @@ -101,8 +101,7 @@ static status_t lock_otp_partition(const dif_otp_ctrl_t *otp_ctrl, .len = ARRAYSIZE(digest), .data = digest, }; - TRY(manuf_util_hash_otp_partition(otp_ctrl, partition, - &otp_partition_digest)); + TRY(manuf_util_hash_otp_partition(otp_ctrl, partition, otp_partition_digest)); // Get the least significant 64 bits of the digest. We will use this as the // digest to lock the OTP partition. The complete digest will be used in the diff --git a/sw/device/silicon_creator/manuf/lib/util.c b/sw/device/silicon_creator/manuf/lib/util.c index 9dbfd4fdd5868..80a030ff69f29 100644 --- a/sw/device/silicon_creator/manuf/lib/util.c +++ b/sw/device/silicon_creator/manuf/lib/util.c @@ -54,7 +54,7 @@ status_t manuf_util_hash_lc_transition_token(const uint32_t *raw_token, }; TRY(otcrypto_xof_cshake(input, function_name_string, customization_string, - &output)); + output)); memcpy(hashed_token, token_data, sizeof(token_data)); return OK_STATUS(); @@ -62,13 +62,13 @@ status_t manuf_util_hash_lc_transition_token(const uint32_t *raw_token, status_t manuf_util_hash_otp_partition(const dif_otp_ctrl_t *otp_ctrl, dif_otp_ctrl_partition_t partition, - otcrypto_word32_buf_t *output) { - if (otp_ctrl == NULL || output == NULL || output->len != kSha256DigestWords) { + otcrypto_word32_buf_t output) { + if (otp_ctrl == NULL || output.len != kSha256DigestWords) { return INVALID_ARGUMENT(); } otcrypto_hash_digest_t digest = { - .data = output->data, - .len = output->len, + .data = output.data, + .len = output.len, .mode = kOtcryptoHashModeSha256, }; @@ -84,7 +84,7 @@ status_t manuf_util_hash_otp_partition(const dif_otp_ctrl_t *otp_ctrl, .data = (unsigned char *)vendor_test_32bit_array, .len = OTP_CTRL_PARAM_VENDOR_TEST_SIZE, }; - TRY(otcrypto_hash(input, &digest)); + TRY(otcrypto_hash(input, digest)); } break; case kDifOtpCtrlPartitionCreatorSwCfg: { otcrypto_const_byte_buf_t input = { @@ -92,7 +92,7 @@ status_t manuf_util_hash_otp_partition(const dif_otp_ctrl_t *otp_ctrl, OTP_CTRL_SW_CFG_WINDOW_REG_OFFSET), .len = OTP_CTRL_PARAM_CREATOR_SW_CFG_SIZE, }; - TRY(otcrypto_hash(input, &digest)); + TRY(otcrypto_hash(input, digest)); } break; case kDifOtpCtrlPartitionOwnerSwCfg: { otcrypto_const_byte_buf_t input = { @@ -101,7 +101,7 @@ status_t manuf_util_hash_otp_partition(const dif_otp_ctrl_t *otp_ctrl, OTP_CTRL_PARAM_CREATOR_SW_CFG_SIZE), .len = OTP_CTRL_PARAM_OWNER_SW_CFG_SIZE, }; - TRY(otcrypto_hash(input, &digest)); + TRY(otcrypto_hash(input, digest)); } break; default: return INVALID_ARGUMENT(); diff --git a/sw/device/silicon_creator/manuf/lib/util.h b/sw/device/silicon_creator/manuf/lib/util.h index 23370d9367e00..0b9bfc60226ec 100644 --- a/sw/device/silicon_creator/manuf/lib/util.h +++ b/sw/device/silicon_creator/manuf/lib/util.h @@ -52,6 +52,6 @@ status_t manuf_util_hash_lc_transition_token(const uint32_t *raw_token, OT_WARN_UNUSED_RESULT status_t manuf_util_hash_otp_partition(const dif_otp_ctrl_t *otp_ctrl, dif_otp_ctrl_partition_t partition, - otcrypto_word32_buf_t *hash); + otcrypto_word32_buf_t hash); #endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_MANUF_LIB_UTIL_H_ diff --git a/sw/device/tests/crypto/ecdsa_p256_functest.c b/sw/device/tests/crypto/ecdsa_p256_functest.c index 9e21f5dfdd785..fe87f84fc4620 100644 --- a/sw/device/tests/crypto/ecdsa_p256_functest.c +++ b/sw/device/tests/crypto/ecdsa_p256_functest.c @@ -73,7 +73,7 @@ status_t sign_then_verify_test(hardened_bool_t *verification_result) { .len = ARRAYSIZE(msg_digest_data), .mode = kOtcryptoHashModeSha256, }; - TRY(otcrypto_hash(msg, &msg_digest)); + TRY(otcrypto_hash(msg, msg_digest)); // Allocate space for the signature. uint32_t sig[kP256SignatureWords] = {0}; @@ -81,13 +81,13 @@ status_t sign_then_verify_test(hardened_bool_t *verification_result) { // Generate a signature for the message. LOG_INFO("Signing..."); CHECK_STATUS_OK(otcrypto_ecdsa_sign( - &private_key, &msg_digest, &kCurveP256, + &private_key, msg_digest, &kCurveP256, (otcrypto_word32_buf_t){.data = sig, .len = ARRAYSIZE(sig)})); // Verify the signature. LOG_INFO("Verifying..."); CHECK_STATUS_OK(otcrypto_ecdsa_verify( - &public_key, &msg_digest, + &public_key, msg_digest, (otcrypto_const_word32_buf_t){.data = sig, .len = ARRAYSIZE(sig)}, &kCurveP256, verification_result)); diff --git a/sw/device/tests/crypto/ecdsa_p256_sideload_functest.c b/sw/device/tests/crypto/ecdsa_p256_sideload_functest.c index 83329c3a80ed3..daf3e9efc1445 100644 --- a/sw/device/tests/crypto/ecdsa_p256_sideload_functest.c +++ b/sw/device/tests/crypto/ecdsa_p256_sideload_functest.c @@ -84,7 +84,7 @@ status_t sign_then_verify_test(void) { .len = ARRAYSIZE(message_digest_data), .mode = kOtcryptoHashModeSha256, }; - TRY(otcrypto_hash(message, &message_digest)); + TRY(otcrypto_hash(message, message_digest)); // Allocate space for the signature. uint32_t sig[kP256SignatureWords] = {0}; @@ -92,14 +92,14 @@ status_t sign_then_verify_test(void) { // Generate a signature for the message. LOG_INFO("Signing..."); CHECK_STATUS_OK(otcrypto_ecdsa_sign( - &private_key, &message_digest, &kCurveP256, + &private_key, message_digest, &kCurveP256, (otcrypto_word32_buf_t){.data = sig, .len = ARRAYSIZE(sig)})); // Verify the signature. LOG_INFO("Verifying..."); hardened_bool_t verification_result; CHECK_STATUS_OK(otcrypto_ecdsa_verify( - &public_key, &message_digest, + &public_key, message_digest, (otcrypto_const_word32_buf_t){.data = sig, .len = ARRAYSIZE(sig)}, &kCurveP256, &verification_result)); diff --git a/sw/device/tests/crypto/kmac_functest.c b/sw/device/tests/crypto/kmac_functest.c index 4c434f0d1bb16..83f6440f0d66d 100644 --- a/sw/device/tests/crypto/kmac_functest.c +++ b/sw/device/tests/crypto/kmac_functest.c @@ -130,7 +130,7 @@ static status_t run_test_vector(void) { case kKmacTestOperationShake: { TRY(get_shake_mode(current_test_vector->security_strength, &digest_buf.mode)); - TRY(otcrypto_xof_shake(current_test_vector->input_msg, &digest_buf)); + TRY(otcrypto_xof_shake(current_test_vector->input_msg, digest_buf)); break; } case kKmacTestOperationCshake: { @@ -138,13 +138,13 @@ static status_t run_test_vector(void) { &digest_buf.mode)); TRY(otcrypto_xof_cshake(current_test_vector->input_msg, current_test_vector->func_name, - current_test_vector->cust_str, &digest_buf)); + current_test_vector->cust_str, digest_buf)); break; } case kKmacTestOperationSha3: { TRY(get_sha3_mode(current_test_vector->security_strength, &digest_buf.mode)); - TRY(otcrypto_hash(current_test_vector->input_msg, &digest_buf)); + TRY(otcrypto_hash(current_test_vector->input_msg, digest_buf)); break; } case kKmacTestOperationKmac: { diff --git a/sw/device/tests/crypto/rsa_2048_keygen_functest.c b/sw/device/tests/crypto/rsa_2048_keygen_functest.c index 0101dc39eddc9..e1fc26e5306a9 100644 --- a/sw/device/tests/crypto/rsa_2048_keygen_functest.c +++ b/sw/device/tests/crypto/rsa_2048_keygen_functest.c @@ -97,7 +97,7 @@ status_t keygen_then_sign_test(void) { .len = ARRAYSIZE(msg_digest_data), .mode = kOtcryptoHashModeSha256, }; - TRY(otcrypto_hash(msg_buf, &msg_digest)); + TRY(otcrypto_hash(msg_buf, msg_digest)); uint32_t sig[kRsa2048NumWords]; otcrypto_word32_buf_t sig_buf = { @@ -111,7 +111,7 @@ status_t keygen_then_sign_test(void) { // Generate a signature. LOG_INFO("Starting signature generation..."); - TRY(otcrypto_rsa_sign(&private_key, &msg_digest, kOtcryptoRsaPaddingPkcs, + TRY(otcrypto_rsa_sign(&private_key, msg_digest, kOtcryptoRsaPaddingPkcs, sig_buf)); LOG_INFO("Signature generation complete."); LOG_INFO("OTBN instruction count: %u", otbn_instruction_count_get()); @@ -120,7 +120,7 @@ status_t keygen_then_sign_test(void) { // p and q, incorrect d), then this is likely to fail. LOG_INFO("Starting signature verification..."); hardened_bool_t verification_result; - TRY(otcrypto_rsa_verify(&public_key, &msg_digest, kOtcryptoRsaPaddingPkcs, + TRY(otcrypto_rsa_verify(&public_key, msg_digest, kOtcryptoRsaPaddingPkcs, const_sig_buf, &verification_result)); LOG_INFO("Signature verification complete."); LOG_INFO("OTBN instruction count: %u", otbn_instruction_count_get()); diff --git a/sw/device/tests/crypto/rsa_2048_signature_functest.c b/sw/device/tests/crypto/rsa_2048_signature_functest.c index 51a49af3dcb0b..c52f1cf170914 100644 --- a/sw/device/tests/crypto/rsa_2048_signature_functest.c +++ b/sw/device/tests/crypto/rsa_2048_signature_functest.c @@ -160,14 +160,14 @@ static status_t run_rsa_2048_sign(const uint8_t *msg, size_t msg_len, .len = ARRAYSIZE(msg_digest_data), .mode = kOtcryptoHashModeSha256, }; - TRY(otcrypto_hash(msg_buf, &msg_digest)); + TRY(otcrypto_hash(msg_buf, msg_digest)); otcrypto_word32_buf_t sig_buf = { .data = sig, .len = kRsa2048NumWords, }; uint64_t t_start = profile_start(); - TRY(otcrypto_rsa_sign(&private_key, &msg_digest, padding_mode, sig_buf)); + TRY(otcrypto_rsa_sign(&private_key, msg_digest, padding_mode, sig_buf)); profile_end_and_print(t_start, "RSA signature generation"); return OK_STATUS(); @@ -226,14 +226,14 @@ static status_t run_rsa_2048_verify(const uint8_t *msg, size_t msg_len, .len = ARRAYSIZE(msg_digest_data), .mode = kOtcryptoHashModeSha256, }; - TRY(otcrypto_hash(msg_buf, &msg_digest)); + TRY(otcrypto_hash(msg_buf, msg_digest)); otcrypto_const_word32_buf_t sig_buf = { .data = sig, .len = kRsa2048NumWords, }; uint64_t t_start = profile_start(); - TRY(otcrypto_rsa_verify(&public_key, &msg_digest, padding_mode, sig_buf, + TRY(otcrypto_rsa_verify(&public_key, msg_digest, padding_mode, sig_buf, verification_result)); profile_end_and_print(t_start, "RSA verify"); diff --git a/sw/device/tests/crypto/rsa_3072_keygen_functest.c b/sw/device/tests/crypto/rsa_3072_keygen_functest.c index c8ea48af9c303..08e960784be95 100644 --- a/sw/device/tests/crypto/rsa_3072_keygen_functest.c +++ b/sw/device/tests/crypto/rsa_3072_keygen_functest.c @@ -99,7 +99,7 @@ status_t keygen_then_sign_test(void) { .len = ARRAYSIZE(msg_digest_data), .mode = kOtcryptoHashModeSha512, }; - TRY(otcrypto_hash(msg_buf, &msg_digest)); + TRY(otcrypto_hash(msg_buf, msg_digest)); uint32_t sig[kRsa3072NumWords]; otcrypto_word32_buf_t sig_buf = { @@ -113,7 +113,7 @@ status_t keygen_then_sign_test(void) { // Generate a signature. LOG_INFO("Starting signature generation..."); - TRY(otcrypto_rsa_sign(&private_key, &msg_digest, kOtcryptoRsaPaddingPkcs, + TRY(otcrypto_rsa_sign(&private_key, msg_digest, kOtcryptoRsaPaddingPkcs, sig_buf)); LOG_INFO("Signature generation complete."); LOG_INFO("OTBN instruction count: %u", otbn_instruction_count_get()); @@ -122,7 +122,7 @@ status_t keygen_then_sign_test(void) { // p and q, incorrect d), then this is likely to fail. LOG_INFO("Starting signature verification..."); hardened_bool_t verification_result; - TRY(otcrypto_rsa_verify(&public_key, &msg_digest, kOtcryptoRsaPaddingPkcs, + TRY(otcrypto_rsa_verify(&public_key, msg_digest, kOtcryptoRsaPaddingPkcs, const_sig_buf, &verification_result)); LOG_INFO("Signature verification complete."); LOG_INFO("OTBN instruction count: %u", otbn_instruction_count_get()); diff --git a/sw/device/tests/crypto/rsa_3072_signature_functest.c b/sw/device/tests/crypto/rsa_3072_signature_functest.c index 4521eae26a4c5..b5ef37d79d8e5 100644 --- a/sw/device/tests/crypto/rsa_3072_signature_functest.c +++ b/sw/device/tests/crypto/rsa_3072_signature_functest.c @@ -186,7 +186,7 @@ static status_t run_rsa_3072_sign(const uint8_t *msg, size_t msg_len, .len = ARRAYSIZE(msg_digest_data), .mode = kOtcryptoHashModeSha512, }; - TRY(otcrypto_hash(msg_buf, &msg_digest)); + TRY(otcrypto_hash(msg_buf, msg_digest)); otcrypto_word32_buf_t sig_buf = { .data = sig, @@ -194,7 +194,7 @@ static status_t run_rsa_3072_sign(const uint8_t *msg, size_t msg_len, }; uint64_t t_start = profile_start(); - TRY(otcrypto_rsa_sign(&private_key, &msg_digest, padding_mode, sig_buf)); + TRY(otcrypto_rsa_sign(&private_key, msg_digest, padding_mode, sig_buf)); profile_end_and_print(t_start, "RSA signature generation"); return OK_STATUS(); @@ -253,7 +253,7 @@ static status_t run_rsa_3072_verify(const uint8_t *msg, size_t msg_len, .len = ARRAYSIZE(msg_digest_data), .mode = kOtcryptoHashModeSha512, }; - TRY(otcrypto_hash(msg_buf, &msg_digest)); + TRY(otcrypto_hash(msg_buf, msg_digest)); otcrypto_const_word32_buf_t sig_buf = { .data = sig, @@ -261,7 +261,7 @@ static status_t run_rsa_3072_verify(const uint8_t *msg, size_t msg_len, }; uint64_t t_start = profile_start(); - TRY(otcrypto_rsa_verify(&public_key, &msg_digest, padding_mode, sig_buf, + TRY(otcrypto_rsa_verify(&public_key, msg_digest, padding_mode, sig_buf, verification_result)); profile_end_and_print(t_start, "RSA verify"); diff --git a/sw/device/tests/crypto/rsa_4096_keygen_functest.c b/sw/device/tests/crypto/rsa_4096_keygen_functest.c index 5de073f7436a8..af6858916413c 100644 --- a/sw/device/tests/crypto/rsa_4096_keygen_functest.c +++ b/sw/device/tests/crypto/rsa_4096_keygen_functest.c @@ -99,7 +99,7 @@ status_t keygen_then_sign_test(void) { .len = ARRAYSIZE(msg_digest_data), .mode = kOtcryptoHashModeSha512, }; - TRY(otcrypto_hash(msg_buf, &msg_digest)); + TRY(otcrypto_hash(msg_buf, msg_digest)); uint32_t sig[kRsa4096NumWords]; otcrypto_word32_buf_t sig_buf = { @@ -113,7 +113,7 @@ status_t keygen_then_sign_test(void) { // Generate a signature. LOG_INFO("Starting signature generation..."); - TRY(otcrypto_rsa_sign(&private_key, &msg_digest, kOtcryptoRsaPaddingPkcs, + TRY(otcrypto_rsa_sign(&private_key, msg_digest, kOtcryptoRsaPaddingPkcs, sig_buf)); LOG_INFO("Signature generation complete."); LOG_INFO("OTBN instruction count: %u", otbn_instruction_count_get()); @@ -122,7 +122,7 @@ status_t keygen_then_sign_test(void) { // p and q, incorrect d), then this is likely to fail. LOG_INFO("Starting signature verification..."); hardened_bool_t verification_result; - TRY(otcrypto_rsa_verify(&public_key, &msg_digest, kOtcryptoRsaPaddingPkcs, + TRY(otcrypto_rsa_verify(&public_key, msg_digest, kOtcryptoRsaPaddingPkcs, const_sig_buf, &verification_result)); LOG_INFO("Signature verification complete."); LOG_INFO("OTBN instruction count: %u", otbn_instruction_count_get()); diff --git a/sw/device/tests/crypto/rsa_4096_signature_functest.c b/sw/device/tests/crypto/rsa_4096_signature_functest.c index aee95c1b935e0..b6228135c03e1 100644 --- a/sw/device/tests/crypto/rsa_4096_signature_functest.c +++ b/sw/device/tests/crypto/rsa_4096_signature_functest.c @@ -215,7 +215,7 @@ static status_t run_rsa_4096_sign(const uint8_t *msg, size_t msg_len, .len = ARRAYSIZE(msg_digest_data), .mode = kOtcryptoHashModeSha512, }; - TRY(otcrypto_hash(msg_buf, &msg_digest)); + TRY(otcrypto_hash(msg_buf, msg_digest)); otcrypto_word32_buf_t sig_buf = { .data = sig, @@ -223,7 +223,7 @@ static status_t run_rsa_4096_sign(const uint8_t *msg, size_t msg_len, }; uint64_t t_start = profile_start(); - TRY(otcrypto_rsa_sign(&private_key, &msg_digest, padding_mode, sig_buf)); + TRY(otcrypto_rsa_sign(&private_key, msg_digest, padding_mode, sig_buf)); profile_end_and_print(t_start, "RSA signature generation"); return OK_STATUS(); @@ -282,7 +282,7 @@ static status_t run_rsa_4096_verify(const uint8_t *msg, size_t msg_len, .len = ARRAYSIZE(msg_digest_data), .mode = kOtcryptoHashModeSha512, }; - TRY(otcrypto_hash(msg_buf, &msg_digest)); + TRY(otcrypto_hash(msg_buf, msg_digest)); otcrypto_const_word32_buf_t sig_buf = { .data = sig, @@ -290,7 +290,7 @@ static status_t run_rsa_4096_verify(const uint8_t *msg, size_t msg_len, }; uint64_t t_start = profile_start(); - TRY(otcrypto_rsa_verify(&public_key, &msg_digest, padding_mode, sig_buf, + TRY(otcrypto_rsa_verify(&public_key, msg_digest, padding_mode, sig_buf, verification_result)); profile_end_and_print(t_start, "RSA verify"); diff --git a/sw/device/tests/crypto/sha256_functest.c b/sw/device/tests/crypto/sha256_functest.c index bca114b8c9bb1..527febaa641aa 100644 --- a/sw/device/tests/crypto/sha256_functest.c +++ b/sw/device/tests/crypto/sha256_functest.c @@ -62,7 +62,7 @@ static status_t run_test(otcrypto_const_byte_buf_t msg, .len = kHmacDigestNumWords, .mode = kOtcryptoHashModeSha256, }; - TRY(otcrypto_hash(msg, &digest_buf)); + TRY(otcrypto_hash(msg, digest_buf)); TRY_CHECK_ARRAYS_EQ(act_digest, exp_digest, kHmacDigestNumWords); return OK_STATUS(); } @@ -125,7 +125,7 @@ static status_t one_update_streaming_test(void) { .len = digest_num_words, .mode = kOtcryptoHashModeSha256, }; - TRY(otcrypto_hash_final(&ctx, &digest_buf)); + TRY(otcrypto_hash_final(&ctx, digest_buf)); TRY_CHECK_ARRAYS_EQ((unsigned char *)act_digest, kExactBlockExpDigest, sizeof(kExactBlockExpDigest)); return OK_STATUS(); @@ -161,7 +161,7 @@ static status_t multiple_update_streaming_test(void) { .len = digest_num_words, .mode = kOtcryptoHashModeSha256, }; - TRY(otcrypto_hash_final(&ctx, &digest_buf)); + TRY(otcrypto_hash_final(&ctx, digest_buf)); TRY_CHECK_ARRAYS_EQ((unsigned char *)act_digest, kTwoBlockExpDigest, sizeof(kTwoBlockExpDigest)); return OK_STATUS(); diff --git a/sw/device/tests/crypto/sha384_functest.c b/sw/device/tests/crypto/sha384_functest.c index 48fe0b232a373..7ac6866b2a114 100644 --- a/sw/device/tests/crypto/sha384_functest.c +++ b/sw/device/tests/crypto/sha384_functest.c @@ -65,7 +65,7 @@ status_t sha384_test(const unsigned char *msg, const size_t msg_len, .len = ARRAYSIZE(actual_digest_data), .mode = kOtcryptoHashModeSha384, }; - TRY(otcrypto_hash(input_message, &actual_digest)); + TRY(otcrypto_hash(input_message, actual_digest)); // Check that the expected and actual digests match. TRY_CHECK_ARRAYS_EQ((unsigned char *)actual_digest_data, expected_digest, @@ -102,7 +102,7 @@ status_t sha384_streaming_test(const unsigned char *msg, size_t msg_len, .len = ARRAYSIZE(actual_digest_data), .mode = kOtcryptoHashModeSha384, }; - TRY(otcrypto_hash_final(&ctx, &actual_digest)); + TRY(otcrypto_hash_final(&ctx, actual_digest)); // Check that the expected and actual digests match. TRY_CHECK_ARRAYS_EQ((unsigned char *)actual_digest_data, expected_digest, diff --git a/sw/device/tests/crypto/sha512_functest.c b/sw/device/tests/crypto/sha512_functest.c index 24fa068c220fa..5955e3985c139 100644 --- a/sw/device/tests/crypto/sha512_functest.c +++ b/sw/device/tests/crypto/sha512_functest.c @@ -58,7 +58,7 @@ status_t sha512_test(const unsigned char *msg, const size_t msg_len, .data = actual_digest_data, .mode = kOtcryptoHashModeSha512, }; - TRY(otcrypto_hash(input_message, &actual_digest)); + TRY(otcrypto_hash(input_message, actual_digest)); // Check that the expected and actual digests match. TRY_CHECK_ARRAYS_EQ((unsigned char *)actual_digest_data, expected_digest, @@ -95,7 +95,7 @@ status_t sha512_streaming_test(const unsigned char *msg, size_t msg_len, .len = ARRAYSIZE(actual_digest_data), .mode = kOtcryptoHashModeSha512, }; - TRY(otcrypto_hash_final(&ctx, &actual_digest)); + TRY(otcrypto_hash_final(&ctx, actual_digest)); // Check that the expected and actual digests match. TRY_CHECK_ARRAYS_EQ((unsigned char *)actual_digest_data, expected_digest, From bd00104c21f8cfa32f9752901acb28f2bdfad5e8 Mon Sep 17 00:00:00 2001 From: Jade Philipoom Date: Mon, 22 Jan 2024 13:46:04 +0100 Subject: [PATCH 4/4] [crypto] Change the way RSA encryption returns plaintext len. Now that the output buffer is passed by value, the length must be returned separately. Signed-off-by: Jade Philipoom --- sw/device/lib/crypto/impl/rsa.c | 23 +++++++++---------- sw/device/lib/crypto/include/rsa.h | 11 +++++---- .../crypto/rsa_2048_encryption_functest.c | 5 +--- .../crypto/rsa_3072_encryption_functest.c | 7 ++---- .../crypto/rsa_4096_encryption_functest.c | 7 ++---- 5 files changed, 22 insertions(+), 31 deletions(-) diff --git a/sw/device/lib/crypto/impl/rsa.c b/sw/device/lib/crypto/impl/rsa.c index 1e553ab93b9c6..d0526a11a8e24 100644 --- a/sw/device/lib/crypto/impl/rsa.c +++ b/sw/device/lib/crypto/impl/rsa.c @@ -321,9 +321,10 @@ otcrypto_status_t otcrypto_rsa_decrypt( const otcrypto_blinded_key_t *private_key, const otcrypto_hash_mode_t hash_mode, otcrypto_const_word32_buf_t ciphertext, otcrypto_const_byte_buf_t label, - otcrypto_byte_buf_t plaintext) { + otcrypto_byte_buf_t plaintext, size_t *plaintext_bytelen) { HARDENED_TRY(otcrypto_rsa_decrypt_async_start(private_key, ciphertext)); - return otcrypto_rsa_decrypt_async_finalize(hash_mode, label, plaintext); + return otcrypto_rsa_decrypt_async_finalize(hash_mode, label, plaintext, + plaintext_bytelen); } /** @@ -851,15 +852,15 @@ otcrypto_status_t otcrypto_rsa_encrypt_async_finalize( return rsa_encrypt_2048_finalize(ctext); } case kRsa3072NumWords: { - HARDENED_CHECK_EQ(ciphertext->len * sizeof(uint32_t), + HARDENED_CHECK_EQ(ciphertext.len * sizeof(uint32_t), sizeof(rsa_3072_int_t)); - rsa_3072_int_t *ctext = (rsa_3072_int_t *)ciphertext->data; + rsa_3072_int_t *ctext = (rsa_3072_int_t *)ciphertext.data; return rsa_encrypt_3072_finalize(ctext); } case kRsa4096NumWords: { - HARDENED_CHECK_EQ(ciphertext->len * sizeof(uint32_t), + HARDENED_CHECK_EQ(ciphertext.len * sizeof(uint32_t), sizeof(rsa_4096_int_t)); - rsa_4096_int_t *ctext = (rsa_4096_int_t *)ciphertext->data; + rsa_4096_int_t *ctext = (rsa_4096_int_t *)ciphertext.data; return rsa_encrypt_4096_finalize(ctext); } default: @@ -951,25 +952,23 @@ otcrypto_status_t otcrypto_rsa_decrypt_async_start( otcrypto_status_t otcrypto_rsa_decrypt_async_finalize( const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t label, - otcrypto_byte_buf_t plaintext) { + otcrypto_byte_buf_t plaintext, size_t *plaintext_bytelen) { if (plaintext.data == NULL || label.data == NULL) { return OTCRYPTO_BAD_ARGS; } // Call the unified `finalize()` operation, which will infer the RSA size // from OTBN. - size_t actual_plaintext_len; HARDENED_TRY(rsa_decrypt_finalize(hash_mode, label.data, label.len, plaintext.len, plaintext.data, - &actual_plaintext_len)); + plaintext_bytelen)); // Consistency check; this should never happen. - if (launder32(actual_plaintext_len) >= plaintext.len) { + if (launder32(*plaintext_bytelen) >= plaintext.len) { HARDENED_TRAP(); return OTCRYPTO_FATAL_ERR; } - HARDENED_CHECK_LE(actual_plaintext_len, plaintext.len); + HARDENED_CHECK_LE(*plaintext_bytelen, plaintext.len); - plaintext.len = actual_plaintext_len; return OTCRYPTO_OK; } diff --git a/sw/device/lib/crypto/include/rsa.h b/sw/device/lib/crypto/include/rsa.h index 849eb54a3aaa2..264a5392498f9 100644 --- a/sw/device/lib/crypto/include/rsa.h +++ b/sw/device/lib/crypto/include/rsa.h @@ -249,9 +249,8 @@ otcrypto_status_t otcrypto_rsa_encrypt( * of the hash function digest. If the plaintext buffer is not long enough, * this function will return an error. * - * If the plaintext buffer is longer than necessary, this function will change - * the `len` field in `plaintext` to match the actual plaintext length. At this - * point, excess memory at the end of the buffer may be safely freed. + * Decryption recovers the original length of the plaintext buffer and will + * return its value in `plaintext_bytelen`. * * Note: RSA encryption is included for compatibility with legacy interfaces, * and is typically not recommended for modern applications because it is @@ -263,13 +262,14 @@ otcrypto_status_t otcrypto_rsa_encrypt( * @param ciphertext Ciphertext to decrypt. * @param label Label for OAEP encoding. * @param[out] plaintext Buffer for the decrypted message. + * @param[out] plaintext_bytelen Recovered byte-length of plaintext. * @return Result of the RSA decryption operation. */ otcrypto_status_t otcrypto_rsa_decrypt( const otcrypto_blinded_key_t *private_key, const otcrypto_hash_mode_t hash_mode, otcrypto_const_word32_buf_t ciphertext, otcrypto_const_byte_buf_t label, - otcrypto_byte_buf_t plaintext); + otcrypto_byte_buf_t plaintext, size_t *plaintext_bytelen); /** * Starts the asynchronous RSA key generation function. * @@ -442,11 +442,12 @@ otcrypto_status_t otcrypto_rsa_decrypt_async_start( * @param hash_mode Hash function to use for OAEP encoding. * @param label Label for OAEP encoding. * @param[out] plaintext Buffer for the decrypted message. + * @param[out] plaintext_bytelen Recovered byte-length of plaintext. * @return Result of the RSA decryption finalize operation. */ otcrypto_status_t otcrypto_rsa_decrypt_async_finalize( const otcrypto_hash_mode_t hash_mode, otcrypto_const_byte_buf_t label, - otcrypto_byte_buf_t plaintext); + otcrypto_byte_buf_t plaintext, size_t *plaintext_bytelen); #ifdef __cplusplus } // extern "C" diff --git a/sw/device/tests/crypto/rsa_2048_encryption_functest.c b/sw/device/tests/crypto/rsa_2048_encryption_functest.c index 3f2e606ed099f..d7615267917a2 100644 --- a/sw/device/tests/crypto/rsa_2048_encryption_functest.c +++ b/sw/device/tests/crypto/rsa_2048_encryption_functest.c @@ -193,12 +193,9 @@ static status_t run_rsa_2048_decrypt(const uint8_t *label, size_t label_len, }; uint64_t t_start = profile_start(); TRY(otcrypto_rsa_decrypt(&private_key, kTestHashMode, ciphertext_buf, - label_buf, plaintext_buf)); + label_buf, plaintext_buf, msg_len)); profile_end_and_print(t_start, "RSA-2048 decryption"); - // Write the actual plaintext length to `msg_len`. - *msg_len = plaintext_buf.len; - return OK_STATUS(); } diff --git a/sw/device/tests/crypto/rsa_3072_encryption_functest.c b/sw/device/tests/crypto/rsa_3072_encryption_functest.c index a4e4c0ae704ba..c6eba5a74444e 100644 --- a/sw/device/tests/crypto/rsa_3072_encryption_functest.c +++ b/sw/device/tests/crypto/rsa_3072_encryption_functest.c @@ -145,7 +145,7 @@ static status_t run_rsa_3072_encrypt(const uint8_t *msg, size_t msg_len, }; uint64_t t_start = profile_start(); TRY(otcrypto_rsa_encrypt(&public_key, kTestHashMode, msg_buf, label_buf, - &ciphertext_buf)); + ciphertext_buf)); profile_end_and_print(t_start, "RSA-3072 encryption"); return OK_STATUS(); @@ -214,12 +214,9 @@ static status_t run_rsa_3072_decrypt(const uint8_t *label, size_t label_len, }; uint64_t t_start = profile_start(); TRY(otcrypto_rsa_decrypt(&private_key, kTestHashMode, ciphertext_buf, - label_buf, &plaintext_buf)); + label_buf, plaintext_buf, msg_len)); profile_end_and_print(t_start, "RSA-3072 decryption"); - // Write the actual plaintext length to `msg_len`. - *msg_len = plaintext_buf.len; - return OK_STATUS(); } diff --git a/sw/device/tests/crypto/rsa_4096_encryption_functest.c b/sw/device/tests/crypto/rsa_4096_encryption_functest.c index 62a25ac3784e7..58e9f8ad85314 100644 --- a/sw/device/tests/crypto/rsa_4096_encryption_functest.c +++ b/sw/device/tests/crypto/rsa_4096_encryption_functest.c @@ -165,7 +165,7 @@ static status_t run_rsa_4096_encrypt(const uint8_t *msg, size_t msg_len, }; uint64_t t_start = profile_start(); TRY(otcrypto_rsa_encrypt(&public_key, kTestHashMode, msg_buf, label_buf, - &ciphertext_buf)); + ciphertext_buf)); profile_end_and_print(t_start, "RSA-4096 encryption"); return OK_STATUS(); @@ -234,12 +234,9 @@ static status_t run_rsa_4096_decrypt(const uint8_t *label, size_t label_len, }; uint64_t t_start = profile_start(); TRY(otcrypto_rsa_decrypt(&private_key, kTestHashMode, ciphertext_buf, - label_buf, &plaintext_buf)); + label_buf, plaintext_buf, msg_len)); profile_end_and_print(t_start, "RSA-4096 decryption"); - // Write the actual plaintext length to `msg_len`. - *msg_len = plaintext_buf.len; - return OK_STATUS(); }