aboutsummaryrefslogtreecommitdiff
path: root/i2c/iseconfig/novena_i2c.xise
diff options
context:
space:
mode:
Diffstat (limited to 'i2c/iseconfig/novena_i2c.xise')
0 files changed, 0 insertions, 0 deletions
52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294
/*
 * aes_keywrap.c
 * -------------
 * Implementation of RFC 5649 over Cryptech AES core.
 *
 * Authors: Rob Austein
 * Copyright (c) 2015, SUNET
 *
 * Redistribution and use in source and binary forms, with or
 * without modification, are permitted provided that the following
 * conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Note that there are two different block sizes involved here: the
 * key wrap algorithm deals entirely with 64-bit blocks, while AES
 * itself deals with 128-bit blocks.  In practice, this is not as
 * confusing as it sounds, because we combine two 64-bit blocks to
 * create one 128-bit block just prior to performing an AES operation,
 * then split the result back to 64-bit blocks immediately afterwards.
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <assert.h>

#include "cryptech.h"

/*
 * How long the ciphertext will be for a given plaintext length.
 */

size_t hal_aes_keywrap_ciphertext_length(const size_t plaintext_length)
{
  return (plaintext_length + 15) & ~7;
}


/*
 * Check the KEK, then load it into the AES core.
 * Note that our AES core only supports 128 and 256 bit keys.
 */

typedef enum { KEK_encrypting, KEK_decrypting } kek_action_t;

static hal_error_t load_kek(const uint8_t *K, const size_t K_len, const kek_action_t action)
{
  uint8_t config[4];
  hal_error_t err;

  if (K == NULL)
    return HAL_ERROR_BAD_ARGUMENTS;

  memset(config, 0, sizeof(config));

  switch (K_len) {
  case bitsToBytes(128):
    config[3] &= ~AES_CONFIG_KEYLEN;
    break;
  case bitsToBytes(256):
    config[3] |=  AES_CONFIG_KEYLEN;
    break;
  case bitsToBytes(192):
    return HAL_ERROR_UNSUPPORTED_KEY;
  default:
    return HAL_ERROR_BAD_ARGUMENTS;
  }

  switch (action) {
  case KEK_encrypting:
    config[3] |=  AES_CONFIG_ENCDEC;
    break;
  case KEK_decrypting:
    config[3] &= ~AES_CONFIG_ENCDEC;
    break;
  default:
    return HAL_ERROR_BAD_ARGUMENTS;
  }

  /*
   * Load the KEK and tell the core to expand it.
   */

  if ((err = hal_io_write(AES_ADDR_KEY0, K, K_len))                 != HAL_OK ||
      (err = hal_io_write(AES_ADDR_CONFIG, config, sizeof(config))) != HAL_OK ||
      (err = hal_io_init(AES_ADDR_CTRL))                            != HAL_OK)
    return err;

  return HAL_OK;
}


/*
 * Process one block.  Since AES Key Wrap always deals with 64-bit
 * half blocks and since the bus is going to break this up into 32-bit
 * words no matter what we do, we can eliminate a few gratuitous
 * memcpy() operations by receiving our arguments as two half blocks.
 *
 * Since the length of these half blocks is constant, there's no real
 * point in passing the length as an argument, we'd just be checking a
 * constant against a constant and a smart compiler will optimize
 * the whole check out.
 *
 * Just be VERY careful if you change anything here.
 */

static hal_error_t do_block(uint8_t *b1, uint8_t *b2)
{
  hal_error_t err;

  assert(b1 != NULL && b2 != NULL);

  if ((err = hal_io_write(AES_ADDR_BLOCK0, b1, 8)) != HAL_OK ||
      (err = hal_io_write(AES_ADDR_BLOCK2, b2, 8)) != HAL_OK ||
      (err = hal_io_next(AES_ADDR_CTRL))           != HAL_OK ||
      (err = hal_io_wait_ready(AES_ADDR_STATUS))   != HAL_OK ||
      (err = hal_io_read(AES_ADDR_RESULT0, b1, 8)) != HAL_OK ||
      (err = hal_io_read(AES_ADDR_RESULT2, b2, 8)) != HAL_OK)
    return err;

  return HAL_OK;
}


/*
 * Wrap plaintext Q using KEK K, placing result in C.
 *
 * Q and C can overlap.  For encrypt-in-place, use Q = C + 8 (that is,
 * leave 8 empty bytes before the plaintext).
 *
 * Use hal_aes_keywrap_ciphertext_length() to calculate the correct
 * buffer size.
 */

hal_error_t hal_aes_keywrap(const uint8_t *K, const size_t K_len,
                            const uint8_t * const Q,
                            const size_t m,
                            uint8_t *C,
                            size_t *C_len)
{
  const size_t calculated_C_len = hal_aes_keywrap_ciphertext_length(m);
  hal_error_t err;
  uint32_t n;
  long i, j;

  assert(calculated_C_len % 8 == 0);

  if (Q == NULL || C == NULL || C_len == NULL || *C_len < calculated_C_len)
    return HAL_ERROR_BAD_ARGUMENTS;

  if ((err = load_kek(K, K_len, KEK_encrypting)) != HAL_OK)
    return err;

  *C_len = calculated_C_len;

  if (C + 8 != Q)
    memmove(C + 8, Q, m);
  if (m % 8 != 0)
    memset(C + 8 + m, 0, 8 -  (m % 8));
  C[0] = 0xA6;
  C[1] = 0x59;
  C[2] = 0x59;
  C[3] = 0xA6;
  C[4] = (m >> 24) & 0xFF;
  C[5] = (m >> 16) & 0xFF;
  C[6] = (m >>  8) & 0xFF;
  C[7] = (m >>  0) & 0xFF;

  n = calculated_C_len/8 - 1;

  if (n == 1) {
    if ((err = do_block(C, C + 8)) != HAL_OK)
      return err;
  }

  else {
    for (j = 0; j <= 5; j++) {
      for (i = 1; i <= n; i++) {
        uint32_t t = n * j + i;
        if ((err = do_block(C, C + i * 8)) != HAL_OK)
          return err;
        C[7] ^= t & 0xFF; t >>= 8;
        C[6] ^= t & 0xFF; t >>= 8;
        C[5] ^= t & 0xFF; t >>= 8;
        C[4] ^= t & 0xFF;
      }
    }
  }

  return HAL_OK;
}


/*
 * Unwrap ciphertext C using KEK K, placing result in Q.
 *
 * Q should be the same size as C.  Q and C can overlap.
 */

hal_error_t hal_aes_keyunwrap(const uint8_t *K, const size_t K_len,
                              const uint8_t * const C,
                              const size_t C_len,
                              uint8_t *Q,
                              size_t *Q_len)
{
  hal_error_t err;
  uint32_t n;
  long i, j;
  size_t m;

  if (C == NULL || Q == NULL || C_len % 8 != 0 || C_len < 16 || Q_len == NULL || *Q_len < C_len)
    return HAL_ERROR_BAD_ARGUMENTS;

  if ((err = load_kek(K, K_len, KEK_decrypting)) != HAL_OK)
    return err;

  n = (C_len / 8) - 1;

  if (Q != C)
    memmove(Q, C, C_len);

  if (n == 1) {
    if ((err = do_block(Q, Q + 8)) != HAL_OK)
      return err;
  }

  else {
    for (j = 5; j >= 0; j--) {
      for (i = n; i >= 1; i--) {
        uint32_t t = n * j + i;
        Q[7] ^= t & 0xFF; t >>= 8;
        Q[6] ^= t & 0xFF; t >>= 8;
        Q[5] ^= t & 0xFF; t >>= 8;
        Q[4] ^= t & 0xFF;
        if ((err = do_block(Q, Q + i * 8)) != HAL_OK)
          return err;
      }
    }
  }

  if (Q[0] != 0xA6 || Q[1] != 0x59 || Q[2] != 0x59 || Q[3] != 0xA6)
    return HAL_ERROR_KEYWRAP_BAD_MAGIC;

  m = (((((Q[4] << 8) + Q[5]) << 8) + Q[6]) << 8) + Q[7];

  if (m <= 8 * (n - 1) || m > 8 * n)
    return HAL_ERROR_KEYWRAP_BAD_LENGTH;

  if (m % 8 != 0)
    for (i = m + 8; i < 8 * (n + 1); i++)
      if (Q[i] != 0x00)
        return HAL_ERROR_KEYWRAP_BAD_PADDING;

  *Q_len = m;

  memmove(Q, Q + 8, m);

  return HAL_OK;
}

/*
 * "Any programmer who fails to comply with the standard naming, formatting,
 *  or commenting conventions should be shot.  If it so happens that it is
 *  inconvenient to shoot him, then he is to be politely requested to recode
 *  his program in adherence to the above standard."
 *                      -- Michael Spier, Digital Equipment Corporation
 *
 * Local variables:
 * indent-tabs-mode: nil
 * End:
 */