aboutsummaryrefslogblamecommitdiff
path: root/keywrap.c
blob: dc1c6ba29723e7d307654735c7726c3fab616a12 (plain) (tree)





















































                                                                           
 








                                                     
                                                















                                                                  
                             




                                                    
                            
















                                                                                          



                                                              


   




                              


                                                                                         
                            



































                                                                                          

                               






                        




                              



                                                                       


                                          















































                                                                                                              






                                                                         
                 
     







                                                                                            
                                                                                 





















































































































































































































                                                                                                
/*
 * keywrap.c
 * ---------
 * Implementation of RFC 5649 over Cryptech keywrap core.
 *
 * Authors: Rob Austein
 * Copyright (c) 2015-2018, NORDUnet A/S All rights reserved.
 * Copyright: 2020, The Commons Conservancy Cryptech Project
 * SPDX-License-Identifier: BSD-3-Clause
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 *
 * - Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in the
 *   documentation and/or other materials provided with the distribution.
 *
 * - Neither the name of the copyright holder nor the names of its
 *   contributors may be used to endorse or promote products derived from
 *   this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This file is derived from aes_keywrap.c, and still shares some code
 * with it, but the keywrap core has evolved to the point where it is no
 * longer comfortable trying to support both cores in one driver.
 */

#include <stdint.h>
#include <string.h>

#include "hal.h"
#include "hal_internal.h"

typedef union {
    uint8_t b[4];
    uint32_t w;
} byteword_t;


/*
 * Match uninitialized flash for the "not set" value.
 * Leave some bits at 1 for the "set" value to allow
 * for adding more values later, if needed.
 */
#define MKM_STATUS_NOT_SET              0xffffffff
#define MKM_STATUS_SET                  0x0000ffff
#define MKM_STATUS_ERASED               0x00000000

static uint32_t mkm_status = MKM_STATUS_NOT_SET;


static inline hal_error_t hal_io_cmd_read(const hal_core_t *core)
{
  const uint8_t buf[4] = { 0, 0, 0, KEYWRAP_CTRL_READ };
  return hal_io_write(core, ADDR_CTRL, buf, sizeof(buf));
}

static inline hal_error_t hal_io_cmd_write(const hal_core_t *core)
{
  const uint8_t buf[4] = { 0, 0, 0, KEYWRAP_CTRL_WRITE };
  return hal_io_write(core, ADDR_CTRL, buf, sizeof(buf));
}


/*
 * Check the MKM status word.
 */

hal_error_t hal_keywrap_mkm_status(hal_core_t *core)
{
  const int free_core = core == NULL;
  uint8_t config[4] = { 0 };
  byteword_t status;
  hal_error_t err;

  if (free_core && (err = hal_core_alloc(KEYWRAP_NAME, &core, NULL)) != HAL_OK)
    return err;

  if ((err = hal_io_write(core, KEYWRAP_ADDR_CONFIG, config, sizeof(config))) == HAL_OK &&
      (err = hal_io_cmd_read(core))                                           == HAL_OK &&
      (err = hal_io_wait_ready(core))                                         == HAL_OK)
    err = hal_io_read(core, KEYWRAP_ADDR_MSTATUS, status.b, 4);

  if (free_core)
    hal_core_free(core);

  if (err != HAL_OK)
    return err;

  switch (mkm_status = ntohl(status.w)) {
  case MKM_STATUS_SET:     return HAL_OK;
  case MKM_STATUS_NOT_SET: return HAL_ERROR_MASTERKEY_NOT_SET;
  default:                 return HAL_ERROR_MASTERKEY_FAIL;
  }
}


/*
 * Write a new KEK to the MKM.
 */

hal_error_t hal_keywrap_mkm_write(hal_core_t *core, const uint8_t *K, const size_t K_len)
{
  const int free_core = core == NULL;
  uint8_t config[4] = { 0 };
  byteword_t status;
  hal_error_t err;

  if (K == NULL)
    return HAL_ERROR_BAD_ARGUMENTS;

  if (K_len != KEK_LENGTH)
    return HAL_ERROR_MASTERKEY_BAD_LENGTH;

  status.w = htonl(MKM_STATUS_NOT_SET);
  for (size_t i = 0; i < K_len; ++i) {
    if (K[i] != 0) {
      status.w = htonl(MKM_STATUS_SET);
      break;
    }
  }

  if (free_core && (err = hal_core_alloc(KEYWRAP_NAME, &core, NULL)) != HAL_OK)
    return err;

  /* first write the key */
  config[3] |= KEYWRAP_CONFIG_MKS;
  if ((err = hal_io_write(core, KEYWRAP_ADDR_KEY0, K, K_len))                 != HAL_OK ||
      (err = hal_io_write(core, KEYWRAP_ADDR_CONFIG, config, sizeof(config))) != HAL_OK ||
      (err = hal_io_cmd_write(core))                                          != HAL_OK ||
      (err = hal_io_wait_ready(core))                                         != HAL_OK)
    goto out;

  /* then write the status */
  config[3] &= ~KEYWRAP_CONFIG_MKS;
  if ((err = hal_io_write(core, KEYWRAP_ADDR_MSTATUS, status.b, 4))           != HAL_OK ||
      (err = hal_io_write(core, KEYWRAP_ADDR_CONFIG, config, sizeof(config))) != HAL_OK ||
      (err = hal_io_cmd_write(core))                                          != HAL_OK ||
      (err = hal_io_wait_ready(core))                                         != HAL_OK)
    goto out;

  mkm_status = ntohl(status.w);

out:
  if (free_core)
    hal_core_free(core);

  return err;
}


/*
 * Erase the KEK from the MKM.
 */

hal_error_t hal_keywrap_mkm_erase(hal_core_t *core, const size_t K_len)
{
  uint8_t buf[KEK_LENGTH] = { 0 };

  if (K_len != KEK_LENGTH)
    return HAL_ERROR_MASTERKEY_BAD_LENGTH;

  return hal_keywrap_mkm_write(core, buf, sizeof(buf));
}

/*
 * How long the ciphertext will be for a given plaintext length.
 * This rounds up the length to a multiple of 8, and adds 8 for the IV.
 */

static size_t hal_keywrap_ciphertext_length(const size_t plaintext_length)
{
  return (plaintext_length + 15) & ~7;
}

/*
 * Check the KEK, then load it into the AES core.
 * Note that our AES core only supports 128 and 256 bit keys.
 */

typedef enum { KEK_encrypting, KEK_decrypting } kek_action_t;

static hal_error_t load_kek(hal_core_t *core, const uint8_t *K, const size_t K_len, const kek_action_t action)
{
  uint8_t config[4] = { 0 };
  hal_error_t err;

  if (K != NULL) {
    /* user-provided KEK, for key export/import */
    config[3] |= KEYWRAP_CONFIG_MKK;

    if ((err = hal_io_write(core, AES_ADDR_KEY0, K, K_len)) != HAL_OK)
      return err;

    switch (K_len) {
    case bitsToBytes(128):
      config[3] &= ~KEYWRAP_CONFIG_KEYLEN;
      break;
    case bitsToBytes(256):
      config[3] |=  KEYWRAP_CONFIG_KEYLEN;
      break;
    case bitsToBytes(192):
      return HAL_ERROR_UNSUPPORTED_KEY;
    default:
      return HAL_ERROR_BAD_ARGUMENTS;
    }
  }

  else {
    /* read the MKM KEK into the keywrap core */
    if (mkm_status != MKM_STATUS_SET &&
        (err = hal_keywrap_mkm_status(core)) != HAL_OK) {
#if HAL_MKM_FLASH_BACKUP_KLUDGE
      uint8_t kek[KEK_LENGTH];
      if ((err = hal_mkm_flash_read_no_lock(kek, sizeof(kek))) == HAL_OK)
        return load_kek(core, kek, sizeof(kek), action);
#endif
      return err;
    }

    config[3] &= ~KEYWRAP_CONFIG_MKS;
    if ((err = hal_io_write(core, KEYWRAP_ADDR_CONFIG, config, sizeof(config))) != HAL_OK ||
        (err = hal_io_cmd_read(core))                                           != HAL_OK ||
        (err = hal_io_wait_ready(core))                                         != HAL_OK)
      return err;

    config[3] &= ~KEYWRAP_CONFIG_MKK;
    config[3] |= KEYWRAP_CONFIG_KEYLEN;  /* MKM KEK is required to be 256 bits */
  }

  switch (action) {
  case KEK_encrypting:
    config[3] |=  KEYWRAP_CONFIG_ENCDEC;
    break;
  case KEK_decrypting:
    config[3] &= ~KEYWRAP_CONFIG_ENCDEC;
    break;
  default:
    return HAL_ERROR_BAD_ARGUMENTS;
  }

  /*
   * Load the KEK and tell the core to expand it.
   */

  if ((err = hal_io_write(core, KEYWRAP_ADDR_CONFIG, config, sizeof(config))) != HAL_OK ||
      (err = hal_io_init(core))                                               != HAL_OK)
    return err;

  return HAL_OK;
}


/*
 * Wrap/unwrap n 64-bit blocks of plaintext.
 * The wrapped/unwrapped key is returned in the same buffer.
 */

static hal_error_t do_wrap_unwrap(hal_core_t *core, uint8_t * const C, const size_t n)
{
  hal_error_t err;

  hal_assert(core != NULL && C != NULL && n > 0);

  /* n is the number of 64-bit (8-byte) blocks in the input.
   * KEYWRAP_LEN_R_DATA is the number of 4-byte data registers in the core.
   */
  if (n == 0 || n > KEYWRAP_LEN_R_DATA * 2)
    return HAL_ERROR_BAD_ARGUMENTS;

  /* write the AIV to A */
  if ((err = hal_io_write(core, KEYWRAP_ADDR_A0, C, 8)) != HAL_OK)
    return err;

  /* write the length to RLEN */
  uint32_t nn = htonl(n);
  if ((err = hal_io_write(core, KEYWRAP_ADDR_RLEN, (const uint8_t *)&nn, 4)) != HAL_OK)
    return err;

  /* write the data to R_DATA */
  if ((err = hal_io_write(core, KEYWRAP_ADDR_R_DATA, C + 8, 8 * n)) != HAL_OK)
      return err;

  /* start the wrap/unwrap operation, and wait for it to complete */
  if ((err = hal_io_next(core)) != HAL_OK ||
      (err = hal_io_wait_ready(core)) != HAL_OK)
    return err;

  /* read the A registers */
  if ((err = hal_io_read(core, KEYWRAP_ADDR_A0, C, 8)) != HAL_OK)
    return err;

  /* read the data from R_DATA */
  if ((err = hal_io_read(core, KEYWRAP_ADDR_R_DATA, C + 8, 8 * n)) != HAL_OK)
      return err;

  return HAL_OK;
}


/*
 * Wrap plaintext Q using KEK K, placing result in C.
 *
 * Q and C can overlap.  For encrypt-in-place, use Q = C + 8 (that is,
 * leave 8 empty bytes before the plaintext).
 *
 * Use hal_keywrap_ciphertext_length() to calculate the correct
 * buffer size.
 */

hal_error_t hal_keywrap_wrap(hal_core_t *core,
                             const uint8_t *K, const size_t K_len,
                             const uint8_t * const Q,
                             const size_t Q_len,
                             uint8_t *C,
                             size_t *C_len)
{
  const size_t calculated_C_len = hal_keywrap_ciphertext_length(Q_len);
  const int free_core = (core == NULL);
  hal_error_t err;
  size_t n;

  hal_assert(calculated_C_len % 8 == 0);

  if (Q == NULL || C == NULL || C_len == NULL || *C_len < calculated_C_len)
    return HAL_ERROR_BAD_ARGUMENTS;

  if (free_core && (err = hal_core_alloc(KEYWRAP_NAME, &core, NULL)) != HAL_OK)
    return err;

  if ((err = load_kek(core, K, K_len, KEK_encrypting)) != HAL_OK)
      goto out;

  *C_len = calculated_C_len;

  if (C + 8 != Q)
    memmove(C + 8, Q, Q_len);
  if (Q_len % 8 != 0)
    memset(C + 8 + Q_len, 0, 8 -  (Q_len % 8));
  C[0] = 0xA6;
  C[1] = 0x59;
  C[2] = 0x59;
  C[3] = 0xA6;
  C[4] = (Q_len >> 24) & 0xFF;
  C[5] = (Q_len >> 16) & 0xFF;
  C[6] = (Q_len >>  8) & 0xFF;
  C[7] = (Q_len >>  0) & 0xFF;

  n = calculated_C_len/8 - 1;

  /* Make sure the key expansion has completed. */
  if ((err = hal_io_wait_ready(core)) != HAL_OK)
    goto out;

  err = do_wrap_unwrap(core, C, n);

out:
  if (free_core)
    hal_core_free(core);
  return err;
}


/*
 * Unwrap ciphertext C using KEK K, placing result in Q.
 *
 * Q should be the same size as C.  Q and C can overlap.
 */

hal_error_t hal_keywrap_unwrap(hal_core_t *core,
                               const uint8_t *K, const size_t K_len,
                               const uint8_t * const C,
                               const size_t C_len,
                               uint8_t *Q,
                               size_t *Q_len)
{
  const int free_core = core == NULL;
  hal_error_t err;
  size_t n;
  size_t m;

  if (C == NULL || Q == NULL || C_len % 8 != 0 || C_len < 16 || Q_len == NULL || *Q_len < C_len)
    return HAL_ERROR_BAD_ARGUMENTS;

  if (free_core && (err = hal_core_alloc(KEYWRAP_NAME, &core, NULL)) != HAL_OK)
    return err;

  if ((err = load_kek(core, K, K_len, KEK_decrypting)) != HAL_OK)
    goto out;

  n = (C_len / 8) - 1;

  if (Q != C)
    memmove(Q, C, C_len);

  /* Make sure the key expansion has completed. */
  if ((err = hal_io_wait_ready(core)) != HAL_OK)
    goto out;

  if ((err = do_wrap_unwrap(core, Q, n)) != HAL_OK)
    goto out;

  if (Q[0] != 0xA6 || Q[1] != 0x59 || Q[2] != 0x59 || Q[3] != 0xA6) {
    err = HAL_ERROR_KEYWRAP_BAD_MAGIC;
    goto out;
  }

  m = (((((Q[4] << 8) + Q[5]) << 8) + Q[6]) << 8) + Q[7];

  if (m <= 8 * (n - 1) || m > 8 * n) {
    err = HAL_ERROR_KEYWRAP_BAD_LENGTH;
    goto out;
  }

  if (m % 8 != 0)
    for (size_t i = m + 8; i < 8 * (n + 1); i++)
      if (Q[i] != 0x00) {
        err = HAL_ERROR_KEYWRAP_BAD_PADDING;
        goto out;
      }

  *Q_len = m;

  memmove(Q, Q + 8, m);

out:
  if (free_core)
    hal_core_free(core);
  return err;
}

/*
 * "Any programmer who fails to comply with the standard naming, formatting,
 *  or commenting conventions should be shot.  If it so happens that it is
 *  inconvenient to shoot him, then he is to be politely requested to recode
 *  his program in adherence to the above standard."
 *                      -- Michael Spier, Digital Equipment Corporation
 *
 * Local variables:
 * indent-tabs-mode: nil
 * End:
 */