From 401965f1e9f74b43c88477d2ff6ac4d6c62ab5a8 Mon Sep 17 00:00:00 2001 From: Paul Selkirk Date: Tue, 28 Apr 2020 12:11:49 -0400 Subject: The new keywrap core now talks directly to the MKM, so I split the code that talks to that core out of aes_keywrap.c. The HSM will now be built with just the keywrap core, with no user access to aes or mkmif. --- keywrap.c | 436 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 436 insertions(+) create mode 100644 keywrap.c (limited to 'keywrap.c') diff --git a/keywrap.c b/keywrap.c new file mode 100644 index 0000000..ccf7ea8 --- /dev/null +++ b/keywrap.c @@ -0,0 +1,436 @@ +/* + * keywrap.c + * --------- + * Implementation of RFC 5649 over Cryptech keywrap core. + * + * Authors: Rob Austein + * Copyright (c) 2015-2018, NORDUnet A/S All rights reserved. + * Copyright: 2020, The Commons Conservancy Cryptech Project + * SPDX-License-Identifier: BSD-3-Clause + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * - Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This file is derived from aes_keywrap.c, and still shares some code + * with it, but the keywrap core has evolved to the point where it is no + * longer comfortable trying to support both cores in one driver. + */ + +#include +#include + +#include "hal.h" +#include "hal_internal.h" + +typedef union { + uint8_t b[4]; + uint32_t w; +} byteword_t; + +/* + * Match uninitialized flash for the "not set" value. + * Leave some bits at 1 for the "set" value to allow + * for adding more values later, if needed. + */ +#define MKM_STATUS_NOT_SET 0xffffffff +#define MKM_STATUS_SET 0x0000ffff +#define MKM_STATUS_ERASED 0x00000000 + +static hal_error_t mkm_status = HAL_ERROR_IMPOSSIBLE; + + +static inline hal_error_t hal_io_cmd_read(const hal_core_t *core) +{ + const uint8_t buf[4] = { 0, 0, 0, KEYWRAP_CTRL_READ }; + return hal_io_write(core, ADDR_CTRL, buf, sizeof(buf)); +} + +static inline hal_error_t hal_io_cmd_write(const hal_core_t *core) +{ + const uint8_t buf[4] = { 0, 0, 0, KEYWRAP_CTRL_WRITE }; + return hal_io_write(core, ADDR_CTRL, buf, sizeof(buf)); +} + + +/* + * Check the MKM status + */ + +hal_error_t hal_keywrap_mkm_status(hal_core_t *core) +{ + const int free_core = core == NULL; + uint8_t config[4] = { 0, 0, 0, 0 }; + byteword_t status; + hal_error_t err; + + if (free_core && (err = hal_core_alloc(KEYWRAP_NAME, &core, NULL)) != HAL_OK) + return err; + + if ((err = hal_io_write(core, KEYWRAP_ADDR_CONFIG, config, sizeof(config))) == HAL_OK && + (err = hal_io_cmd_read(core)) == HAL_OK && + (err = hal_io_wait_ready(core)) == HAL_OK) + err = hal_io_read(core, KEYWRAP_ADDR_MSTATUS, status.b, 4); + + if (free_core) + hal_core_free(core); + + if (err != HAL_OK) + return err; + + switch (htonl(status.w)) { + case MKM_STATUS_SET: return mkm_status = HAL_OK; + case MKM_STATUS_NOT_SET: return mkm_status = HAL_ERROR_MASTERKEY_NOT_SET; + default: return mkm_status = HAL_ERROR_MASTERKEY_FAIL; + } +} + +hal_error_t hal_keywrap_mkm_write(hal_core_t *core, const uint8_t *K, const size_t K_len) +{ + const int free_core = core == NULL; + uint8_t config[4] = { 0, 0, 0, 0 }; + byteword_t status; + hal_error_t err; + + if (K == NULL) + return HAL_ERROR_BAD_ARGUMENTS; + + if (K_len != KEK_LENGTH) + return HAL_ERROR_MASTERKEY_BAD_LENGTH; + + status.w = htonl(MKM_STATUS_NOT_SET); + for (size_t i = 0; i < K_len; ++i) { + if (K[i] != 0) { + status.w = htonl(MKM_STATUS_SET); + break; + } + } + + if (free_core && (err = hal_core_alloc(KEYWRAP_NAME, &core, NULL)) != HAL_OK) + return err; + + /* first write the key */ + config[3] |= KEYWRAP_CONFIG_MKS; + if ((err = hal_io_write(core, KEYWRAP_ADDR_KEY0, K, K_len)) != HAL_OK || + (err = hal_io_write(core, KEYWRAP_ADDR_CONFIG, config, sizeof(config))) != HAL_OK || + (err = hal_io_cmd_write(core)) != HAL_OK || + (err = hal_io_wait_ready(core)) != HAL_OK) + goto out; + + /* then write the status */ + config[3] &= ~KEYWRAP_CONFIG_MKS; + if ((err = hal_io_write(core, KEYWRAP_ADDR_MSTATUS, status.b, 4)) != HAL_OK || + (err = hal_io_write(core, KEYWRAP_ADDR_CONFIG, config, sizeof(config))) != HAL_OK || + (err = hal_io_cmd_write(core)) != HAL_OK || + (err = hal_io_wait_ready(core)) != HAL_OK) + goto out; + +out: + if (free_core) + hal_core_free(core); + + return err; +} + +hal_error_t hal_keywrap_mkm_erase(hal_core_t *core, const size_t K_len) +{ + uint8_t buf[KEK_LENGTH] = { 0 }; + + return hal_keywrap_mkm_write(core, buf, sizeof(buf)); +} + +/* + * How long the ciphertext will be for a given plaintext length. + * This rounds up the length to a multiple of 8, and adds 8 for the IV. + */ + +static size_t hal_keywrap_ciphertext_length(const size_t plaintext_length) +{ + return (plaintext_length + 15) & ~7; +} + +/* + * Check the KEK, then load it into the AES core. + * Note that our AES core only supports 128 and 256 bit keys. + */ + +typedef enum { KEK_encrypting, KEK_decrypting } kek_action_t; + +static hal_error_t load_kek(hal_core_t *core, const uint8_t *K, const size_t K_len, const kek_action_t action) +{ + uint8_t config[4] = { 0 }; + hal_error_t err; + + if (K != NULL) { + /* user-provided KEK, for key export/import */ + config[3] |= KEYWRAP_CONFIG_MKK; + + if ((err = hal_io_write(core, AES_ADDR_KEY0, K, K_len)) != HAL_OK) + return err; + + switch (K_len) { + case bitsToBytes(128): + config[3] &= ~KEYWRAP_CONFIG_KEYLEN; + break; + case bitsToBytes(256): + config[3] |= KEYWRAP_CONFIG_KEYLEN; + break; + case bitsToBytes(192): + return HAL_ERROR_UNSUPPORTED_KEY; + default: + return HAL_ERROR_BAD_ARGUMENTS; + } + } + + else { + /* read the MKM KEK into the keywrap core */ + if (mkm_status != HAL_OK && + (err = hal_keywrap_mkm_status(core)) != HAL_OK) + return err; + + config[3] &= ~KEYWRAP_CONFIG_MKS; + if ((err = hal_io_write(core, KEYWRAP_ADDR_CONFIG, config, sizeof(config))) != HAL_OK || + (err = hal_io_cmd_read(core)) != HAL_OK || + (err = hal_io_wait_ready(core)) != HAL_OK) + return err; + + config[3] &= ~KEYWRAP_CONFIG_MKK; + config[3] |= KEYWRAP_CONFIG_KEYLEN; /* XXX hardwire to 256-bits for now */ + } + + switch (action) { + case KEK_encrypting: + config[3] |= KEYWRAP_CONFIG_ENCDEC; + break; + case KEK_decrypting: + config[3] &= ~KEYWRAP_CONFIG_ENCDEC; + break; + default: + return HAL_ERROR_BAD_ARGUMENTS; + } + + /* + * Load the KEK and tell the core to expand it. + */ + + if ((err = hal_io_write(core, KEYWRAP_ADDR_CONFIG, config, sizeof(config))) != HAL_OK || + (err = hal_io_init(core)) != HAL_OK) + return err; + + return HAL_OK; +} + + +/* + * Wrap/unwrap n 64-bit blocks of plaintext. + * The wrapped/unwrapped key is returned in the same buffer. + */ + +static hal_error_t do_wrap_unwrap(hal_core_t *core, uint8_t * const C, const size_t n) +{ + hal_error_t err; + + hal_assert(core != NULL && C != NULL && n > 0); + + /* n is the number of 64-bit (8-byte) blocks in the input. + * KEYWRAP_LEN_R_DATA is the number of 4-byte data registers in the core. + */ + if (n == 0 || n > KEYWRAP_LEN_R_DATA * 2) + return HAL_ERROR_BAD_ARGUMENTS; + + /* write the AIV to A */ + if ((err = hal_io_write(core, KEYWRAP_ADDR_A0, C, 8)) != HAL_OK) + return err; + + /* write the length to RLEN */ + uint32_t nn = htonl(n); + if ((err = hal_io_write(core, KEYWRAP_ADDR_RLEN, (const uint8_t *)&nn, 4)) != HAL_OK) + return err; + + /* write the data to R_DATA */ + if ((err = hal_io_write(core, KEYWRAP_ADDR_R_DATA, C + 8, 8 * n)) != HAL_OK) + return err; + + /* start the wrap/unwrap operation, and wait for it to complete */ + if ((err = hal_io_next(core)) != HAL_OK || + (err = hal_io_wait_ready(core)) != HAL_OK) + return err; + + /* read the A registers */ + if ((err = hal_io_read(core, KEYWRAP_ADDR_A0, C, 8)) != HAL_OK) + return err; + + /* read the data from R_DATA */ + if ((err = hal_io_read(core, KEYWRAP_ADDR_R_DATA, C + 8, 8 * n)) != HAL_OK) + return err; + + return HAL_OK; +} + + +/* + * Wrap plaintext Q using KEK K, placing result in C. + * + * Q and C can overlap. For encrypt-in-place, use Q = C + 8 (that is, + * leave 8 empty bytes before the plaintext). + * + * Use hal_keywrap_ciphertext_length() to calculate the correct + * buffer size. + */ + +hal_error_t hal_keywrap_wrap(hal_core_t *core, + const uint8_t *K, const size_t K_len, + const uint8_t * const Q, + const size_t Q_len, + uint8_t *C, + size_t *C_len) +{ + const size_t calculated_C_len = hal_keywrap_ciphertext_length(Q_len); + const int free_core = (core == NULL); + hal_error_t err; + size_t n; + + hal_assert(calculated_C_len % 8 == 0); + + if (Q == NULL || C == NULL || C_len == NULL || *C_len < calculated_C_len) + return HAL_ERROR_BAD_ARGUMENTS; + + if (free_core && (err = hal_core_alloc(KEYWRAP_NAME, &core, NULL)) != HAL_OK) + return err; + + if ((err = load_kek(core, K, K_len, KEK_encrypting)) != HAL_OK) + goto out; + + *C_len = calculated_C_len; + + if (C + 8 != Q) + memmove(C + 8, Q, Q_len); + if (Q_len % 8 != 0) + memset(C + 8 + Q_len, 0, 8 - (Q_len % 8)); + C[0] = 0xA6; + C[1] = 0x59; + C[2] = 0x59; + C[3] = 0xA6; + C[4] = (Q_len >> 24) & 0xFF; + C[5] = (Q_len >> 16) & 0xFF; + C[6] = (Q_len >> 8) & 0xFF; + C[7] = (Q_len >> 0) & 0xFF; + + n = calculated_C_len/8 - 1; + + /* Make sure the key expansion has completed. */ + if ((err = hal_io_wait_ready(core)) != HAL_OK) + goto out; + + err = do_wrap_unwrap(core, C, n); + +out: + if (free_core) + hal_core_free(core); + return err; +} + + +/* + * Unwrap ciphertext C using KEK K, placing result in Q. + * + * Q should be the same size as C. Q and C can overlap. + */ + +hal_error_t hal_keywrap_unwrap(hal_core_t *core, + const uint8_t *K, const size_t K_len, + const uint8_t * const C, + const size_t C_len, + uint8_t *Q, + size_t *Q_len) +{ + const int free_core = core == NULL; + hal_error_t err; + size_t n; + size_t m; + + if (C == NULL || Q == NULL || C_len % 8 != 0 || C_len < 16 || Q_len == NULL || *Q_len < C_len) + return HAL_ERROR_BAD_ARGUMENTS; + + if (free_core && (err = hal_core_alloc(KEYWRAP_NAME, &core, NULL)) != HAL_OK) + return err; + + if ((err = load_kek(core, K, K_len, KEK_decrypting)) != HAL_OK) + goto out; + + n = (C_len / 8) - 1; + + if (Q != C) + memmove(Q, C, C_len); + + /* Make sure the key expansion has completed. */ + if ((err = hal_io_wait_ready(core)) != HAL_OK) + goto out; + + if ((err = do_wrap_unwrap(core, Q, n)) != HAL_OK) + goto out; + + if (Q[0] != 0xA6 || Q[1] != 0x59 || Q[2] != 0x59 || Q[3] != 0xA6) { + err = HAL_ERROR_KEYWRAP_BAD_MAGIC; + goto out; + } + + m = (((((Q[4] << 8) + Q[5]) << 8) + Q[6]) << 8) + Q[7]; + + if (m <= 8 * (n - 1) || m > 8 * n) { + err = HAL_ERROR_KEYWRAP_BAD_LENGTH; + goto out; + } + + if (m % 8 != 0) + for (size_t i = m + 8; i < 8 * (n + 1); i++) + if (Q[i] != 0x00) { + err = HAL_ERROR_KEYWRAP_BAD_PADDING; + goto out; + } + + *Q_len = m; + + memmove(Q, Q + 8, m); + +out: + if (free_core) + hal_core_free(core); + return err; +} + +/* + * "Any programmer who fails to comply with the standard naming, formatting, + * or commenting conventions should be shot. If it so happens that it is + * inconvenient to shoot him, then he is to be politely requested to recode + * his program in adherence to the above standard." + * -- Michael Spier, Digital Equipment Corporation + * + * Local variables: + * indent-tabs-mode: nil + * End: + */ -- cgit v1.2.3