From 99407a540c7f1fbbc0987837173d1b81aee790bc Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Thu, 26 Jan 2017 00:49:12 -0500 Subject: First attempt at using Pavel's ecdsa256 core. Not working yet. Attempts to use Pavel's ecdsa256 base point multiplier instead of software point multiplier when selecting new random points (that is, when generating P-256 keys or P-256 signatures). Resulting points pass the point validation test (point_is_on_curve()) but the resulting signatures are invalid. Don't know why yet. Seems like an odd combination, as one would expect random garbage to fail validation. In any case: this commit is intended to archive progress so far, and perhaps see if somebody else can spot what's wrong. As presently coded, this wouldn't be suitable for production use even if it worked. NB: As I understand it, the ecdsa256 core is *not* a general purpose point multiplier even just for the P-256 curve. Rather, it is strictly a base point multiplier: it takes a single scalar as input, and returns the X,Y affine coordinates of the curve's base point multiplied by that scalar. This is essentially the eliptic curve portion of the computation involved in picking a random point for key or signature generation, but is not useful for signature validation. See the README.md in Pavel's source repository for further details. --- ecdsa.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++ hal.h | 3 +++ verilog_constants.h | 18 ++++++++++++- 3 files changed, 97 insertions(+), 1 deletion(-) diff --git a/ecdsa.c b/ecdsa.c index 916a2f4..42ea307 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -88,6 +88,18 @@ #define hal_get_random(core, buffer, length) hal_rpc_get_random(buffer, length) #endif +/* + * Whether to use experimental Verilog ECDSA-P256 point multiplier. + */ + +#ifndef HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER +#define HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER 1 +#endif + +#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER +static int verilog_ecdsa256_multiplier = 1; +#endif + /* * Whether we want debug output. */ @@ -748,6 +760,65 @@ static inline hal_error_t get_random(void *buffer, const size_t length) #endif /* HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM */ +/* + * Use experimental Verilog base point multiplier core to calculate + * public key given a private key. point_pick_random() has already + * selected a suitable private key for us, we just need to calculate + * the corresponding public key. + */ + +#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER + +static hal_error_t verilog_point_pick_random(fp_int *k, ec_point_t *P) +{ + assert(k != NULL && P != NULL); + + const size_t len = fp_unsigned_bin_size(k); + uint8_t b[ECDSA256_OPERAND_BITS / 8]; + const uint8_t zero[4] = {0, 0, 0, 0}; + hal_core_t *core = NULL; + hal_error_t err; + + if (len > sizeof(b)) + return HAL_ERROR_RESULT_TOO_LONG; + + if ((err = hal_core_alloc(ECDSA256_NAME, &core)) != HAL_OK) + goto fail; + +#define check(_x_) do { if ((err = (_x_)) != HAL_OK) goto fail; } while (0) + + memset(b, 0, sizeof(b)); + fp_to_unsigned_bin(k, b + sizeof(b) - len); + + for (int i = 0; i < sizeof(b); i += 4) + check(hal_io_write(core, ECDSA256_ADDR_K + i/4, &b[sizeof(b) - 4 - i], 4)); + + check(hal_io_write(core, ADDR_CTRL, zero, sizeof(zero))); + check(hal_io_next(core)); + check(hal_io_wait_ready(core)); + + for (int i = 0; i < sizeof(b); i += 4) + check(hal_io_read(core, ECDSA256_ADDR_X + i/4, &b[sizeof(b) - 4 - i], 4)); + fp_read_unsigned_bin(P->x, b, sizeof(b)); + + for (int i = 0; i < sizeof(b); i += 4) + check(hal_io_read(core, ECDSA256_ADDR_Y + i/4, &b[sizeof(b) - 4 - i], 4)); + fp_read_unsigned_bin(P->y, b, sizeof(b)); + + fp_set(P->z, 1); + +#undef check + + err = HAL_OK; + + fail: + hal_core_free(core); + memset(b, 0, sizeof(b)); + return err; +} + +#endif + /* * Pick a random point on the curve, return random scalar and * resulting point. @@ -792,6 +863,12 @@ static hal_error_t point_pick_random(const ecdsa_curve_t * const curve, memset(k_buf, 0, sizeof(k_buf)); +#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER + if (verilog_ecdsa256_multiplier && curve == get_curve(HAL_CURVE_P256) && + (err = verilog_point_pick_random(k, P)) != HAL_ERROR_CORE_NOT_FOUND) + return err; +#endif + /* * Calculate P = kG and return. */ diff --git a/hal.h b/hal.h index 72b1d58..b1a217a 100644 --- a/hal.h +++ b/hal.h @@ -103,6 +103,9 @@ #define MKMIF_NAME "mkmif " #define MKMIF_VERSION "0.10" +#define ECDSA256_NAME "ecdsa256" +#define ECDSA256_VERSION "0.11" + /* * C API error codes. Defined in this form so we can keep the tokens * and error strings together. See errorstrings.c. diff --git a/verilog_constants.h b/verilog_constants.h index f0ae070..900785c 100644 --- a/verilog_constants.h +++ b/verilog_constants.h @@ -8,7 +8,7 @@ * hand-edited. * * Authors: Joachim Strombergson, Paul Selkirk, Rob Austein - * Copyright (c) 2015-2016, NORDUnet A/S All rights reserved. + * Copyright (c) 2015-2017, NORDUnet A/S All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are @@ -240,6 +240,22 @@ #define MODEXPA7_ADDR_EXPONENT (MODEXPA7_ADDR_OPERANDS + 2 * MODEXPA7_OPERAND_WORDS) #define MODEXPA7_ADDR_RESULT (MODEXPA7_ADDR_OPERANDS + 3 * MODEXPA7_OPERAND_WORDS) +/* + * ECDSA P-256 point mulitipler core. ECDSA256_OPERAND_BITS is size + * in bits of the (only) supported operand size (256 bits, imagine that). + * + * (Not sure which category EC Point Mulitiplier will end up in, but + * let's pretend it's "math".) + */ + +#define ECDSA256_OPERAND_BITS (256) +#define ECDSA256_OPERAND_WORDS (ECDSA256_OPERAND_BITS / 32) +#define ECDSA256_ADDR_REGISTERS (0 * ECDSA256_OPERAND_WORDS) +#define ECDSA256_ADDR_OPERANDS (4 * ECDSA256_OPERAND_WORDS) +#define ECDSA256_ADDR_K (ECDSA256_ADDR_OPERANDS + 0 * ECDSA256_OPERAND_WORDS) +#define ECDSA256_ADDR_X (ECDSA256_ADDR_OPERANDS + 1 * ECDSA256_OPERAND_WORDS) +#define ECDSA256_ADDR_Y (ECDSA256_ADDR_OPERANDS + 2 * ECDSA256_OPERAND_WORDS) + /* * Utility cores. */ -- cgit v1.2.3 From 9afc5d0b081983779439aa6f91781efb3e56d01d Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Thu, 2 Mar 2017 17:23:02 -0500 Subject: Refactor to add P384 support. Untested. --- ecdsa.c | 109 ++++++++++++++++++++++++++++++++++++++++++++++------ hal.h | 3 ++ verilog_constants.h | 26 +++++++++---- 3 files changed, 119 insertions(+), 19 deletions(-) diff --git a/ecdsa.c b/ecdsa.c index 42ea307..bb585be 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -100,6 +100,25 @@ static int verilog_ecdsa256_multiplier = 1; #endif +/* + * Whether to use experimental Verilog ECDSA-P384 point multiplier. + */ + +#ifndef HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER +#define HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER 1 +#endif + +#if HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER +static int verilog_ecdsa384_multiplier = 1; +#endif + +/* + * Whether to include Verilog point multiplier code at all. + */ + +#define HAL_ECDSA_ANY_VERILOG_MULTIPLIER \ + (HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER | HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER) + /* * Whether we want debug output. */ @@ -136,6 +155,7 @@ typedef struct { fp_digit rho; /* Montgomery reduction value */ const uint8_t *oid; /* OBJECT IDENTIFIER */ size_t oid_len; /* Length of OBJECT IDENTIFIER */ + hal_curve_name_t curve; /* Curve name */ } ecdsa_curve_t; /* @@ -218,6 +238,7 @@ static const ecdsa_curve_t * const get_curve(const hal_curve_name_t curve) fp_montgomery_calc_normalization(curve_p256.mu, curve_p256.q); curve_p256.oid = p256_oid; curve_p256.oid_len = sizeof(p256_oid); + curve_p256.curve = HAL_CURVE_P256; fp_read_unsigned_bin(curve_p384.q, unconst_uint8_t(p384_q), sizeof(p384_q)); fp_read_unsigned_bin(curve_p384.b, unconst_uint8_t(p384_b), sizeof(p384_b)); @@ -230,6 +251,7 @@ static const ecdsa_curve_t * const get_curve(const hal_curve_name_t curve) fp_montgomery_calc_normalization(curve_p384.mu, curve_p384.q); curve_p384.oid = p384_oid; curve_p384.oid_len = sizeof(p384_oid); + curve_p384.curve = HAL_CURVE_P384; fp_read_unsigned_bin(curve_p521.q, unconst_uint8_t(p521_q), sizeof(p521_q)); fp_read_unsigned_bin(curve_p521.b, unconst_uint8_t(p521_b), sizeof(p521_b)); @@ -242,6 +264,7 @@ static const ecdsa_curve_t * const get_curve(const hal_curve_name_t curve) fp_montgomery_calc_normalization(curve_p521.mu, curve_p521.q); curve_p521.oid = p521_oid; curve_p521.oid_len = sizeof(p521_oid); + curve_p521.curve = HAL_CURVE_P521; initialized = 1; } @@ -761,20 +784,30 @@ static inline hal_error_t get_random(void *buffer, const size_t length) #endif /* HAL_ECDSA_DEBUG_ONLY_STATIC_TEST_VECTOR_RANDOM */ /* - * Use experimental Verilog base point multiplier core to calculate + * Use experimental Verilog base point multiplier cores to calculate * public key given a private key. point_pick_random() has already * selected a suitable private key for us, we just need to calculate * the corresponding public key. */ -#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER +#if HAL_ECDSA_ANY_VERILOG_MULTIPLIER -static hal_error_t verilog_point_pick_random(fp_int *k, ec_point_t *P) +typedef struct { + size_t bytes; + const char *name; + hal_addr_t k_addr; + hal_addr_t x_addr; + hal_addr_t y_addr; +} verilog_ecdsa_driver_t; + +static hal_error_t verilog_point_pick_random(const verilog_ecdsa_driver_t * const driver, + fp_int *k, + ec_point_t *P) { assert(k != NULL && P != NULL); const size_t len = fp_unsigned_bin_size(k); - uint8_t b[ECDSA256_OPERAND_BITS / 8]; + uint8_t b[driver->bytes]; const uint8_t zero[4] = {0, 0, 0, 0}; hal_core_t *core = NULL; hal_error_t err; @@ -782,7 +815,7 @@ static hal_error_t verilog_point_pick_random(fp_int *k, ec_point_t *P) if (len > sizeof(b)) return HAL_ERROR_RESULT_TOO_LONG; - if ((err = hal_core_alloc(ECDSA256_NAME, &core)) != HAL_OK) + if ((err = hal_core_alloc(driver->name, &core)) != HAL_OK) goto fail; #define check(_x_) do { if ((err = (_x_)) != HAL_OK) goto fail; } while (0) @@ -791,18 +824,18 @@ static hal_error_t verilog_point_pick_random(fp_int *k, ec_point_t *P) fp_to_unsigned_bin(k, b + sizeof(b) - len); for (int i = 0; i < sizeof(b); i += 4) - check(hal_io_write(core, ECDSA256_ADDR_K + i/4, &b[sizeof(b) - 4 - i], 4)); + check(hal_io_write(core, driver->k_addr + i/4, &b[sizeof(b) - 4 - i], 4)); check(hal_io_write(core, ADDR_CTRL, zero, sizeof(zero))); check(hal_io_next(core)); check(hal_io_wait_ready(core)); for (int i = 0; i < sizeof(b); i += 4) - check(hal_io_read(core, ECDSA256_ADDR_X + i/4, &b[sizeof(b) - 4 - i], 4)); + check(hal_io_read(core, driver->x_addr + i/4, &b[sizeof(b) - 4 - i], 4)); fp_read_unsigned_bin(P->x, b, sizeof(b)); for (int i = 0; i < sizeof(b); i += 4) - check(hal_io_read(core, ECDSA256_ADDR_Y + i/4, &b[sizeof(b) - 4 - i], 4)); + check(hal_io_read(core, driver->y_addr + i/4, &b[sizeof(b) - 4 - i], 4)); fp_read_unsigned_bin(P->y, b, sizeof(b)); fp_set(P->z, 1); @@ -819,6 +852,46 @@ static hal_error_t verilog_point_pick_random(fp_int *k, ec_point_t *P) #endif +static inline hal_error_t verilog_p256_point_pick_random(fp_int *k, ec_point_t *P) +{ +#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER + + static const verilog_ecdsa_driver_t verilog_p256_driver = { + .name = ECDSA256_NAME, + .bytes = ECDSA256_OPERAND_BITS / 8, + .k_addr = ECDSA256_ADDR_K, + .x_addr = ECDSA256_ADDR_X, + .y_addr = ECDSA256_ADDR_Y + }; + + if (verilog_ecdsa256_multiplier) + return verilog_point_pick_random(&verilog_p256_driver, k, P); + +#endif + + return HAL_ERROR_CORE_NOT_FOUND; +} + +static inline hal_error_t verilog_p384_point_pick_random(fp_int *k, ec_point_t *P) +{ +#if HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER + + static const verilog_ecdsa_driver_t verilog_p384_driver = { + .name = ECDSA384_NAME, + .bytes = ECDSA384_OPERAND_BITS / 8, + .k_addr = ECDSA384_ADDR_K, + .x_addr = ECDSA384_ADDR_X, + .y_addr = ECDSA384_ADDR_Y + }; + + if (verilog_ecdsa256_multiplier) + return verilog_point_pick_random(&verilog_p256_driver, k, P); + +#endif + + return HAL_ERROR_CORE_NOT_FOUND; +} + /* * Pick a random point on the curve, return random scalar and * resulting point. @@ -863,10 +936,22 @@ static hal_error_t point_pick_random(const ecdsa_curve_t * const curve, memset(k_buf, 0, sizeof(k_buf)); -#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER - if (verilog_ecdsa256_multiplier && curve == get_curve(HAL_CURVE_P256) && - (err = verilog_point_pick_random(k, P)) != HAL_ERROR_CORE_NOT_FOUND) - return err; +#if HAL_ECDSA_ANY_VERILOG_MULTIPLIER + switch (curve->curve) { + + case HAL_CURVE_P256: + if ((err = verilog_p256_point_pick_random(k, P)) != HAL_ERROR_CORE_NOT_FOUND) + return err; + break; + + case HAL_CURVE_P384: + if ((err = verilog_p384_point_pick_random(k, P)) != HAL_ERROR_CORE_NOT_FOUND) + return err; + break; + + default: + break; + } #endif /* diff --git a/hal.h b/hal.h index b1a217a..7b4fcb7 100644 --- a/hal.h +++ b/hal.h @@ -106,6 +106,9 @@ #define ECDSA256_NAME "ecdsa256" #define ECDSA256_VERSION "0.11" +#define ECDSA256_NAME "ecdsa384" +#define ECDSA256_VERSION "0.11" + /* * C API error codes. Defined in this form so we can keep the tokens * and error strings together. See errorstrings.c. diff --git a/verilog_constants.h b/verilog_constants.h index 900785c..c9bb566 100644 --- a/verilog_constants.h +++ b/verilog_constants.h @@ -241,7 +241,7 @@ #define MODEXPA7_ADDR_RESULT (MODEXPA7_ADDR_OPERANDS + 3 * MODEXPA7_OPERAND_WORDS) /* - * ECDSA P-256 point mulitipler core. ECDSA256_OPERAND_BITS is size + * ECDSA P-256 point multiplier core. ECDSA256_OPERAND_BITS is size * in bits of the (only) supported operand size (256 bits, imagine that). * * (Not sure which category EC Point Mulitiplier will end up in, but @@ -249,12 +249,24 @@ */ #define ECDSA256_OPERAND_BITS (256) -#define ECDSA256_OPERAND_WORDS (ECDSA256_OPERAND_BITS / 32) -#define ECDSA256_ADDR_REGISTERS (0 * ECDSA256_OPERAND_WORDS) -#define ECDSA256_ADDR_OPERANDS (4 * ECDSA256_OPERAND_WORDS) -#define ECDSA256_ADDR_K (ECDSA256_ADDR_OPERANDS + 0 * ECDSA256_OPERAND_WORDS) -#define ECDSA256_ADDR_X (ECDSA256_ADDR_OPERANDS + 1 * ECDSA256_OPERAND_WORDS) -#define ECDSA256_ADDR_Y (ECDSA256_ADDR_OPERANDS + 2 * ECDSA256_OPERAND_WORDS) +#define ECDSA256_ADDR_REGISTERS (0x00) +#define ECDSA256_ADDR_K (0x20) +#define ECDSA256_ADDR_X (0x28) +#define ECDSA256_ADDR_Y (0x30) + +/* + * ECDSA P-384 point multiplier core. ECDSA384_OPERAND_BITS is size + * in bits of the (only) supported operand size (384 bits, imagine that). + * + * (Not sure which category EC Point Mulitiplier will end up in, but + * let's pretend it's "math".) + */ + +#define ECDSA384_OPERAND_BITS (384) +#define ECDSA384_ADDR_REGISTERS (0x00) +#define ECDSA384_ADDR_K (0x40) +#define ECDSA384_ADDR_X (0x50) +#define ECDSA384_ADDR_Y (0x60) /* * Utility cores. -- cgit v1.2.3 From c2f499e0a301d4ad0f92d58f436d01087ceae1bb Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Thu, 2 Mar 2017 20:32:18 -0500 Subject: Fix dumb copy/paste errors. --- ecdsa.c | 10 +++++----- hal.h | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ecdsa.c b/ecdsa.c index bb585be..83f2188 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -856,7 +856,7 @@ static inline hal_error_t verilog_p256_point_pick_random(fp_int *k, ec_point_t * { #if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER - static const verilog_ecdsa_driver_t verilog_p256_driver = { + static const verilog_ecdsa_driver_t p256_driver = { .name = ECDSA256_NAME, .bytes = ECDSA256_OPERAND_BITS / 8, .k_addr = ECDSA256_ADDR_K, @@ -865,7 +865,7 @@ static inline hal_error_t verilog_p256_point_pick_random(fp_int *k, ec_point_t * }; if (verilog_ecdsa256_multiplier) - return verilog_point_pick_random(&verilog_p256_driver, k, P); + return verilog_point_pick_random(&p256_driver, k, P); #endif @@ -876,7 +876,7 @@ static inline hal_error_t verilog_p384_point_pick_random(fp_int *k, ec_point_t * { #if HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER - static const verilog_ecdsa_driver_t verilog_p384_driver = { + static const verilog_ecdsa_driver_t p384_driver = { .name = ECDSA384_NAME, .bytes = ECDSA384_OPERAND_BITS / 8, .k_addr = ECDSA384_ADDR_K, @@ -884,8 +884,8 @@ static inline hal_error_t verilog_p384_point_pick_random(fp_int *k, ec_point_t * .y_addr = ECDSA384_ADDR_Y }; - if (verilog_ecdsa256_multiplier) - return verilog_point_pick_random(&verilog_p256_driver, k, P); + if (verilog_ecdsa384_multiplier) + return verilog_point_pick_random(&p384_driver, k, P); #endif diff --git a/hal.h b/hal.h index 7b4fcb7..29b4dab 100644 --- a/hal.h +++ b/hal.h @@ -106,8 +106,8 @@ #define ECDSA256_NAME "ecdsa256" #define ECDSA256_VERSION "0.11" -#define ECDSA256_NAME "ecdsa384" -#define ECDSA256_VERSION "0.11" +#define ECDSA384_NAME "ecdsa384" +#define ECDSA384_VERSION "0.11" /* * C API error codes. Defined in this form so we can keep the tokens -- cgit v1.2.3 From ad9bca732bf9001aa5293ede674a52eada3118fa Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Fri, 3 Mar 2017 08:32:05 -0500 Subject: Doh! Works better if one tests the right status bit. --- ecdsa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ecdsa.c b/ecdsa.c index bbb9865..3ca377b 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -828,7 +828,7 @@ static hal_error_t verilog_point_pick_random(const verilog_ecdsa_driver_t * cons check(hal_io_write(core, ADDR_CTRL, zero, sizeof(zero))); check(hal_io_next(core)); - check(hal_io_wait_ready(core)); + check(hal_io_wait_valid(core)); for (int i = 0; i < sizeof(b); i += 4) check(hal_io_read(core, driver->x_addr + i/4, &b[sizeof(b) - 4 - i], 4)); -- cgit v1.2.3 From 00d93e0898d5ba5ff3c749105569b23a16c7b0cc Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Wed, 8 Mar 2017 23:23:41 -0500 Subject: Cleanup. --- ecdsa.c | 31 +++++-------------------------- 1 file changed, 5 insertions(+), 26 deletions(-) diff --git a/ecdsa.c b/ecdsa.c index 3ca377b..16d2b27 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -89,36 +89,17 @@ #endif /* - * Whether to use experimental Verilog ECDSA-P256 point multiplier. + * Whether to use the Verilog point multipliers. */ #ifndef HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER #define HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER 1 #endif -#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER -static int verilog_ecdsa256_multiplier = 1; -#endif - -/* - * Whether to use experimental Verilog ECDSA-P384 point multiplier. - */ - #ifndef HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER #define HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER 1 #endif -#if HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER -static int verilog_ecdsa384_multiplier = 1; -#endif - -/* - * Whether to include Verilog point multiplier code at all. - */ - -#define HAL_ECDSA_ANY_VERILOG_MULTIPLIER \ - (HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER | HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER) - /* * Whether we want debug output. */ @@ -790,7 +771,7 @@ static inline hal_error_t get_random(void *buffer, const size_t length) * the corresponding public key. */ -#if HAL_ECDSA_ANY_VERILOG_MULTIPLIER +#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER || HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER typedef struct { size_t bytes; @@ -864,8 +845,7 @@ static inline hal_error_t verilog_p256_point_pick_random(fp_int *k, ec_point_t * .y_addr = ECDSA256_ADDR_Y }; - if (verilog_ecdsa256_multiplier) - return verilog_point_pick_random(&p256_driver, k, P); + return verilog_point_pick_random(&p256_driver, k, P); #endif @@ -884,8 +864,7 @@ static inline hal_error_t verilog_p384_point_pick_random(fp_int *k, ec_point_t * .y_addr = ECDSA384_ADDR_Y }; - if (verilog_ecdsa384_multiplier) - return verilog_point_pick_random(&p384_driver, k, P); + return verilog_point_pick_random(&p384_driver, k, P); #endif @@ -936,7 +915,7 @@ static hal_error_t point_pick_random(const ecdsa_curve_t * const curve, memset(k_buf, 0, sizeof(k_buf)); -#if HAL_ECDSA_ANY_VERILOG_MULTIPLIER +#if HAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER || HAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER switch (curve->curve) { case HAL_CURVE_P256: -- cgit v1.2.3 From 7343b9a5f06a8085a4968b62a9b67a544a2623dd Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Wed, 8 Mar 2017 23:24:08 -0500 Subject: Clean up libhal build system a bit. Exporting CFLAGS as an environment variable turns out to interact badly with certain other settings here. I *think* this only happens when we use one of the shorthand targets which re-runs make in the same directory with non-default settings, but this is complicated enough without having to remember which voodoo triggers it. So instead of exporting CFLAGS as an environment variable we just pass it on the command line in the handful of cases where it's needed. --- Makefile | 61 +++++++++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 47 insertions(+), 14 deletions(-) diff --git a/Makefile b/Makefile index 08215a8..812d176 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -# Copyright (c) 2015-2016, NORDUnet A/S +# Copyright (c) 2015-2017, NORDUnet A/S # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -41,7 +41,7 @@ LIB = libhal.a # Error checking on known control options, some of which allow the user entirely too much rope. -USAGE := "usage: ${MAKE} [IO_BUS=eim|i2c|fmc] [RPC_MODE=none|server|client-simple|client-mixed] [KS=mmap|flash] [RPC_TRANSPORT=none|loopback|serial|daemon] [MODEXP_CORE=no|yes]" +USAGE := "usage: ${MAKE} [IO_BUS=eim|i2c|fmc] [RPC_MODE=none|server|client-simple|client-mixed] [KS=mmap|flash] [RPC_TRANSPORT=none|loopback|serial|daemon] [MODEXP_CORE=no|yes] [HASH_CORES=no|yes] [ECDSA_CORES=no|yes]" IO_BUS ?= none KS ?= flash @@ -49,6 +49,7 @@ RPC_MODE ?= none RPC_TRANSPORT ?= none MODEXP_CORE ?= no HASH_CORES ?= no +ECDSA_CORES ?= yes ifeq (,$(and \ $(filter none eim i2c fmc ,${IO_BUS}),\ @@ -56,11 +57,12 @@ ifeq (,$(and \ $(filter mmap flash ,${KS}),\ $(filter none loopback serial daemon ,${RPC_TRANSPORT}),\ $(filter no yes ,${MODEXP_CORE}),\ - $(filter no yes ,${HASH_CORES}))) + $(filter no yes ,${HASH_CORES}),\ + $(filter no yes ,${ECDSA_CORES}))) $(error ${USAGE}) endif -$(info Building libhal with configuration IO_BUS=${IO_BUS} RPC_MODE=${RPC_MODE} KS=${KS} RPC_TRANSPORT=${RPC_TRANSPORT} MODEXP_CORE=${MODEXP_CORE} HASH_CORES=${HASH_CORES}) +$(info Building libhal with configuration IO_BUS=${IO_BUS} RPC_MODE=${RPC_MODE} KS=${KS} RPC_TRANSPORT=${RPC_TRANSPORT} MODEXP_CORE=${MODEXP_CORE} HASH_CORES=${HASH_CORES} ECDSA_CORES=${ECDSA_CORES}) # Whether the RSA code should use the ModExp | ModExpS6 | ModExpA7 core. @@ -78,6 +80,16 @@ else HASH_ONLY_USE_SOFT_CORES := 1 endif +# Whether the ECDSA code should use the ECDSA256 and ECDSA384 cores. + +ifeq "${ECDSA_CORES}" "yes" + ECDSA_USE_ECDSA256_CORE := 1 + ECDSA_USE_ECDSA384_CORE := 1 +else + ECDSA_USE_ECDSA256_CORE := 0 + ECDSA_USE_ECDSA384_CORE := 0 +endif + # Object files to build, initialized with ones we always want. # There's a balance here between skipping files we don't strictly # need and reducing the number of unnecessary conditionals in this @@ -175,15 +187,30 @@ endif ifeq "${RPC_MODE}" "none" OBJ += ${CORE_OBJ} CFLAGS += -DHAL_RSA_USE_MODEXP=${RSA_USE_MODEXP_CORE} + CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=${HASH_ONLY_USE_SOFT_CORES} + CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=${ECDSA_USE_ECDSA256_CORE} + CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=${ECDSA_USE_ECDSA384_CORE} else ifeq "${RPC_MODE}" "server" OBJ += ${CORE_OBJ} ${RPC_SERVER_OBJ} - CFLAGS += -DRPC_CLIENT=RPC_CLIENT_LOCAL -DHAL_RSA_USE_MODEXP=${RSA_USE_MODEXP_CORE} -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=${HASH_ONLY_USE_SOFT_CORES} + CFLAGS += -DRPC_CLIENT=RPC_CLIENT_LOCAL + CFLAGS += -DHAL_RSA_USE_MODEXP=${RSA_USE_MODEXP_CORE} + CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=${HASH_ONLY_USE_SOFT_CORES} + CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=${ECDSA_USE_ECDSA256_CORE} + CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=${ECDSA_USE_ECDSA384_CORE} else ifeq "${RPC_MODE}" "client-simple" OBJ += ${RPC_CLIENT_OBJ} - CFLAGS += -DRPC_CLIENT=RPC_CLIENT_REMOTE -DHAL_RSA_USE_MODEXP=0 -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1 + CFLAGS += -DRPC_CLIENT=RPC_CLIENT_REMOTE + CFLAGS += -DHAL_RSA_USE_MODEXP=0 + CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1 + CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=0 + CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=0 else ifeq "${RPC_MODE}" "client-mixed" OBJ += ${RPC_CLIENT_OBJ} - CFLAGS += -DRPC_CLIENT=RPC_CLIENT_MIXED -DHAL_RSA_USE_MODEXP=0 -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1 + CFLAGS += -DRPC_CLIENT=RPC_CLIENT_MIXED + CFLAGS += -DHAL_RSA_USE_MODEXP=0 + CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1 + CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=0 + CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=0 endif ifndef CRYPTECH_ROOT @@ -212,12 +239,19 @@ CFLAGS += -I${LIBTFM_BLD} CFLAGS += -DHAL_ENABLE_SOFTWARE_HASH_CORES=1 -export CFLAGS +# We used to "export CFLAGS" here, but for some reason that causes GNU +# make to duplicate its value, sometimes with conflicting settings. +# Weird, but this is complicated enough already, so we just pass +# CFLAGS explicitly in the small number of cases where we run a +# sub-make, below. + +#export CFLAGS + export RPC_MODE all: ${LIB} - cd tests; ${MAKE} $@ - cd utils; ${MAKE} $@ + ${MAKE} -C tests $@ CFLAGS='${CFLAGS}' + ${MAKE} -C utils $@ CFLAGS='${CFLAGS}' client: ${MAKE} RPC_MODE=client-simple RPC_TRANSPORT=daemon @@ -250,13 +284,12 @@ last_gasp_pin_internal.h: ./utils/last_gasp_default_pin >$@ test: all - export RPC_MODE - cd tests; ${MAKE} -k $@ + ${MAKE} -C tests -k $@ CFLAGS='${CFLAGS}' clean: rm -f *.o ${LIB} - cd tests; ${MAKE} $@ - cd utils; ${MAKE} $@ + ${MAKE} -C tests $@ CFLAGS='${CFLAGS}' + ${MAKE} -C utils $@ CFLAGS='${CFLAGS}' distclean: clean rm -f TAGS -- cgit v1.2.3