From 6d805ea76b2b8556b25ec846fada6f3c0b7f71f6 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Wed, 20 May 2015 21:54:04 -0400 Subject: Add AES Key Wrap using Cryptech AES core. --- Makefile.in | 2 +- aes_keywrap.c | 261 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ cryptech.h | 87 +++++++++++--------- csprng.c | 4 +- hash.c | 2 +- 5 files changed, 314 insertions(+), 42 deletions(-) create mode 100644 aes_keywrap.c diff --git a/Makefile.in b/Makefile.in index b03924b..b984151 100644 --- a/Makefile.in +++ b/Makefile.in @@ -2,7 +2,7 @@ INC = cryptech.h LIB = libcryptech.a -OBJ = ${IO_OBJ} csprng.o hash.o +OBJ = ${IO_OBJ} csprng.o hash.o aes_keywrap.o IO_OBJ = ${IO_OBJ_@FPGA_BUS@} IO_OBJ_EIM = hal_io_eim.o novena-eim.o diff --git a/aes_keywrap.c b/aes_keywrap.c new file mode 100644 index 0000000..b8f505f --- /dev/null +++ b/aes_keywrap.c @@ -0,0 +1,261 @@ +/* + * Implementation of RFC 5649 variant of AES Key Wrap, using Cryptlib + * to supply the AES ECB encryption and decryption functions. + * + * Note that there are two different block sizes involved here: the + * key wrap algorithm deals entirely with 64-bit blocks, while AES + * itself deals with 128-bit blocks. In practice, this is not as + * confusing as it sounds, because we combine two 64-bit blocks to + * create one 128-bit block just prior to performing an AES operation, + * then split the result back to 64-bit blocks immediately afterwards. + */ + +#include +#include +#include +#include +#include + +#include "cryptech.h" + + +/* + * How long the ciphertext will be for a given plaintext length. + */ + +size_t hal_aes_keywrap_ciphertext_length(const size_t plaintext_length) +{ + return (plaintext_length + 15) & ~7; +} + + +/* + * Check the KEK, then load it into the AES core. + * Note that our AES core only supports 128 and 256 bit keys. + */ + +typedef enum { KEK_encrypting, KEK_decrypting } kek_action_t; + +static hal_error_t load_kek(const uint8_t *K, const size_t K_len, const kek_action_t action) +{ + uint8_t config[4]; + hal_error_t err; + + if (K == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + memset(config, 0, sizeof(config)); + + switch (K_len) { + case bitsToBytes(128): + config[3] &= ~AES_CONFIG_KEYLEN; + break; + case bitsToBytes(256): + config[3] |= AES_CONFIG_KEYLEN; + break; + default: + return HAL_ERROR_BAD_ARGUMENTS; + } + + switch (action) { + case KEK_encrypting: + config[3] |= AES_CONFIG_ENCDEC; + break; + case KEK_decrypting: + config[3] &= !AES_CONFIG_ENCDEC; + break; + default: + return HAL_ERROR_BAD_ARGUMENTS; + } + + /* + * Load the KEK and tell the core to expand it. + */ + + if ((err = hal_io_write(AES_ADDR_KEY0, K, K_len)) != HAL_OK || + (err = hal_io_init(AES_ADDR_CTRL)) != HAL_OK) + return err; + + return HAL_OK; +} + + +/* + * Process one block. Since AES Key Wrap always deals with 64-bit + * half blocks and since the bus is going to break this up into 32-bit + * words no matter what we do, we can eliminate a few gratuitous + * memcpy() operations by receiving our arguments as two half blocks. + * + * Since the length of these half blocks is constant, there's no real + * point in passing the length as an argument, we'd just be checking a + * constant against a constant and a smart compiler will optimize + * the whole check out. + * + * Just be VERY careful if you change anything here. + */ + +static hal_error_t do_block(uint8_t *b1, uint8_t *b2) +{ + hal_error_t err; + + assert(b1 != NULL && b2 != NULL); + + if ((err = hal_io_write(AES_ADDR_BLOCK0, b1, 8)) != HAL_OK || + (err = hal_io_write(AES_ADDR_BLOCK2, b2, 8)) != HAL_OK || + (err = hal_io_next(AES_ADDR_CTRL)) != HAL_OK || + (err = hal_io_wait_ready(AES_ADDR_STATUS)) != HAL_OK || + (err = hal_io_read(AES_ADDR_RESULT0, b1, 8)) != HAL_OK || + (err = hal_io_read(AES_ADDR_RESULT2, b2, 8)) != HAL_OK) + return err; + + return HAL_OK; +} + + +/* + * Wrap plaintext Q using KEK K, placing result in C. + * + * Q and C can overlap. For encrypt-in-place, use Q = C + 8 (that is, + * leave 8 empty bytes before the plaintext). + * + * Use hal_aes_keywrap_ciphertext_length() to calculate the correct + * buffer size. + */ + +hal_error_t hal_aes_keywrap(const uint8_t *K, const size_t K_len, + const uint8_t * const Q, + const size_t m, + uint8_t *C, + size_t *C_len) +{ + const size_t calculated_C_len = hal_aes_keywrap_ciphertext_length(m); + hal_error_t err; + uint32_t n; + long i, j; + + assert(calculated_C_len % 8 == 0); + + if (Q == NULL || C == NULL || C_len == NULL || *C_len < calculated_C_len) + return HAL_ERROR_BAD_ARGUMENTS; + + if ((err = load_kek(K, K_len, KEK_encrypting)) != HAL_OK) + return err; + + *C_len = calculated_C_len; + + if (C + 8 != Q) + memmove(C + 8, Q, m); + if (m % 8 != 0) + memset(C + 8 + m, 0, 8 - (m % 8)); + C[0] = 0xA6; + C[1] = 0x59; + C[2] = 0x59; + C[3] = 0xA6; + C[4] = (m >> 24) & 0xFF; + C[5] = (m >> 16) & 0xFF; + C[6] = (m >> 8) & 0xFF; + C[7] = (m >> 0) & 0xFF; + + n = calculated_C_len/8 - 1; + + if (n == 1) { + if ((err = do_block(C, C + 8)) != HAL_OK) + return err; + } + + else { + for (j = 0; j <= 5; j++) { + for (i = 1; i <= n; i++) { + uint32_t t = n * j + i; + if ((err = do_block(C, C + i * 8)) != HAL_OK) + return err; + C[7] ^= t & 0xFF; t >>= 8; + C[6] ^= t & 0xFF; t >>= 8; + C[5] ^= t & 0xFF; t >>= 8; + C[4] ^= t & 0xFF; + } + } + } + + return HAL_OK; +} + + +/* + * Unwrap ciphertext C using KEK K, placing result in Q. + * + * Q should be the same size as C. Q and C can overlap. + */ + +hal_error_t hal_aes_keyunwrap(const uint8_t *K, const size_t K_len, + const uint8_t * const C, + const size_t C_len, + uint8_t *Q, + size_t *Q_len) +{ + hal_error_t err; + uint32_t n; + long i, j; + size_t m; + + if (C == NULL || Q == NULL || C_len % 8 != 0 || C_len < 16 || Q_len == NULL || *Q_len < C_len) + return HAL_ERROR_BAD_ARGUMENTS; + + if ((err = load_kek(K, K_len, KEK_decrypting)) != HAL_OK) + return err; + + n = (C_len / 8) - 1; + + if (Q != C) + memmove(Q, C, C_len); + + if (n == 1) { + if ((err = do_block(Q, Q + 8)) != HAL_OK) + return err; + } + + else { + for (j = 5; j >= 0; j--) { + for (i = n; i >= 1; i--) { + uint32_t t = n * j + i; + Q[7] ^= t & 0xFF; t >>= 8; + Q[6] ^= t & 0xFF; t >>= 8; + Q[5] ^= t & 0xFF; t >>= 8; + Q[4] ^= t & 0xFF; + if ((err = do_block(Q, Q + i * 8)) != HAL_OK) + return err; + } + } + } + + if (Q[0] != 0xA6 || Q[1] != 0x59 || Q[2] != 0x59 || Q[3] != 0xA6) + return HAL_ERROR_KEYWRAP_BAD_MAGIC; + + m = (((((Q[4] << 8) + Q[5]) << 8) + Q[6]) << 8) + Q[7]; + + if (m <= 8 * (n - 1) || m > 8 * n) + return HAL_ERROR_KEYWRAP_BAD_LENGTH; + + if (m % 8 != 0) + for (i = m + 8; i < 8 * (n + 1); i++) + if (Q[i] != 0x00) + return HAL_ERROR_KEYWRAP_BAD_PADDING; + + *Q_len = m; + + memmove(Q, Q + 8, m); + + return HAL_OK; +} + +/* + * "Any programmer who fails to comply with the standard naming, formatting, + * or commenting conventions should be shot. If it so happens that it is + * inconvenient to shoot him, then he is to be politely requested to recode + * his program in adherence to the above standard." + * -- Michael Spier, Digital Equipment Corporation + * + * Local variables: + * indent-tabs-mode: nil + * End: + */ diff --git a/cryptech.h b/cryptech.h index 903fbd4..dce2b8b 100644 --- a/cryptech.h +++ b/cryptech.h @@ -429,15 +429,18 @@ */ typedef enum { - HAL_OK, /* All's well */ - HAL_ERROR_MEMORY, /* malloc() failure or similar */ - HAL_ERROR_INCONSISTENT_ARGS, /* Inconsistent arguments given */ - HAL_ERROR_IO_SETUP_FAILED, /* Could not set up I/O with FPGA */ - HAL_ERROR_IO_TIMEOUT, /* I/O with FPGA timed out */ - HAL_ERROR_IO_UNEXPECTED, /* Unexpected response from FPGA */ - HAL_ERROR_IO_OS_ERROR, /* Operating system error talking to FPGA */ - HAL_ERROR_CSPRNG_ZEROED, /* CSPRNG is returning zeros (perhaps core not present?) */ - N_HAL_ERRORS /* Number of error codes (must be last) */ + HAL_OK, /* All's well */ + HAL_ERROR_MEMORY, /* malloc() failure or similar */ + HAL_ERROR_BAD_ARGUMENTS, /* Bad arguments given */ + HAL_ERROR_IO_SETUP_FAILED, /* Could not set up I/O with FPGA */ + HAL_ERROR_IO_TIMEOUT, /* I/O with FPGA timed out */ + HAL_ERROR_IO_UNEXPECTED, /* Unexpected response from FPGA */ + HAL_ERROR_IO_OS_ERROR, /* Operating system error talking to FPGA */ + HAL_ERROR_CSPRNG_BROKEN, /* CSPRNG is returning nonsense (perhaps core not present?) */ + HAL_ERROR_KEYWRAP_BAD_MAGIC, /* Bad magic number while unwrapping key */ + HAL_ERROR_KEYWRAP_BAD_LENGTH, /* Length out of range while unwrapping key */ + HAL_ERROR_KEYWRAP_BAD_PADDING, /* Nonzero padding detected while unwrapping key */ + N_HAL_ERRORS /* Number of error codes (must be last) */ } hal_error_t; @@ -449,39 +452,47 @@ typedef enum { * Public I/O functions. */ -void hal_io_set_debug(int onoff); -hal_error_t hal_io_write(off_t offset, const uint8_t *buf, size_t len); -hal_error_t hal_io_read(off_t offset, uint8_t *buf, size_t len); -hal_error_t hal_io_expected(off_t offset, const uint8_t *expected, size_t len); -hal_error_t hal_io_init(off_t offset); -hal_error_t hal_io_next(off_t offset); -hal_error_t hal_io_wait(off_t offset, uint8_t status, int *count); -hal_error_t hal_io_wait_ready(off_t offset); -hal_error_t hal_io_wait_valid(off_t offset); +extern void hal_io_set_debug(int onoff); +extern hal_error_t hal_io_write(off_t offset, const uint8_t *buf, size_t len); +extern hal_error_t hal_io_read(off_t offset, uint8_t *buf, size_t len); +extern hal_error_t hal_io_expected(off_t offset, const uint8_t *expected, size_t len); +extern hal_error_t hal_io_init(off_t offset); +extern hal_error_t hal_io_next(off_t offset); +extern hal_error_t hal_io_wait(off_t offset, uint8_t status, int *count); +extern hal_error_t hal_io_wait_ready(off_t offset); +extern hal_error_t hal_io_wait_valid(off_t offset); /* * Higher level public API. */ -hal_error_t hal_random(void *buffer, const size_t length); - -void hal_hash_set_debug(int onoff); -hal_error_t hash_sha1_core_present(void); -hal_error_t hash_sha256_core_present(void); -hal_error_t hash_sha512_core_present(void); -size_t hal_hash_state_size(void); -void hal_hash_state_initialize(void *state); -hal_error_t hal_hash_sha1(void *state, const uint8_t * data_buffer, const size_t data_buffer_length, - uint8_t *digest_buffer, const size_t digest_buffer_length); -hal_error_t hal_hash_sha256(void *state, const uint8_t *data_buffer, const size_t data_buffer_length, - uint8_t *digest_buffer, const size_t digest_buffer_length); -hal_error_t hal_hash_sha512_224(void *state, const uint8_t *data_buffer, const size_t data_buffer_length, - uint8_t *digest_buffer, const size_t digest_buffer_length); -hal_error_t hal_hash_sha512_256(void *state, const uint8_t *data_buffer, const size_t data_buffer_length, - uint8_t *digest_buffer, const size_t digest_buffer_length); -hal_error_t hal_hash_sha384(void *state, const uint8_t *data_buffer, const size_t data_buffer_length, - uint8_t *digest_buffer, const size_t digest_buffer_length); -hal_error_t hal_hash_sha512(void *state, const uint8_t *data_buffer, const size_t data_buffer_length, - uint8_t *digest_buffer, const size_t digest_buffer_length); +extern hal_error_t hal_get_random(void *buffer, const size_t length); + +extern void hal_hash_set_debug(int onoff); +extern hal_error_t hash_sha1_core_present(void); +extern hal_error_t hash_sha256_core_present(void); +extern hal_error_t hash_sha512_core_present(void); +extern size_t hal_hash_state_size(void); +extern void hal_hash_state_initialize(void *state); +extern hal_error_t hal_hash_sha1(void *state, const uint8_t * data_buffer, const size_t data_buffer_length, + uint8_t *digest_buffer, const size_t digest_buffer_length); +extern hal_error_t hal_hash_sha256(void *state, const uint8_t *data_buffer, const size_t data_buffer_length, + uint8_t *digest_buffer, const size_t digest_buffer_length); +extern hal_error_t hal_hash_sha512_224(void *state, const uint8_t *data_buffer, const size_t data_buffer_length, + uint8_t *digest_buffer, const size_t digest_buffer_length); +extern hal_error_t hal_hash_sha512_256(void *state, const uint8_t *data_buffer, const size_t data_buffer_length, + uint8_t *digest_buffer, const size_t digest_buffer_length); +extern hal_error_t hal_hash_sha384(void *state, const uint8_t *data_buffer, const size_t data_buffer_length, + uint8_t *digest_buffer, const size_t digest_buffer_length); +extern hal_error_t hal_hash_sha512(void *state, const uint8_t *data_buffer, const size_t data_buffer_length, + uint8_t *digest_buffer, const size_t digest_buffer_length); + +extern hal_error_t hal_aes_keywrap(const uint8_t *kek, const size_t kek_length, + const uint8_t *plaintext, const size_t plaintext_length, + uint8_t *cyphertext, size_t *ciphertext_length); +extern hal_error_t hal_aes_keyunwrap(const uint8_t *kek, const size_t kek_length, + const uint8_t *ciphertext, const size_t ciphertext_length, + unsigned char *plaintext, size_t *plaintext_length); +extern size_t hal_aes_keywrap_ciphertext_length(const size_t plaintext_length); #endif /* _CRYPTECH_H_ */ diff --git a/csprng.c b/csprng.c index f4f835d..becd3f7 100644 --- a/csprng.c +++ b/csprng.c @@ -53,7 +53,7 @@ #define WAIT_FOR_CSPRNG_VALID 1 #endif -hal_error_t hal_random(void *buffer, const size_t length) +hal_error_t hal_get_random(void *buffer, const size_t length) { uint8_t temp[4], *buf = buffer; hal_error_t err; @@ -77,7 +77,7 @@ hal_error_t hal_random(void *buffer, const size_t length) if (*buf != 0) return HAL_OK; - return HAL_ERROR_CSPRNG_ZEROED; + return HAL_ERROR_CSPRNG_BROKEN; } /* diff --git a/hash.c b/hash.c index e41bf20..4a15491 100644 --- a/hash.c +++ b/hash.c @@ -191,7 +191,7 @@ static hal_error_t hash_do_hash(hash_state_t *state, /* Opaqu (data_buffer_length > 0 && data_buffer == NULL) || (data_buffer_length == 0 && digest_buffer == NULL) || (digest_buffer != NULL && digest_buffer_length < digest_length)) - return HAL_ERROR_INCONSISTENT_ARGS; + return HAL_ERROR_BAD_ARGUMENTS; if (state->block_length == 0) state->block_length = block_length; -- cgit v1.2.3