feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fixes and cleanups for NXP SE050 support.

Browse Source
This commit is contained in:
David Garske
2021-08-20 15:45:10 -07:00
parent 3f76a76c46
commit 29f051e585
12 changed files with 805 additions and 750 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
configure.ac
View File

@@ -1344,9 +1344,8 @@ AC_ARG_WITH([se050],
[AS_HELP_STRING([--with-se050=PATH],[PATH to SE050 install (default /usr/local/lib/)])],
[
AC_MSG_CHECKING([for SE050])
CPPFLAGS="$CPPFLAGS -DWOLFSSL_SE050"
LIBS="$LIBS -lSSS_APIs"
LIBS="$LIBS -lSSS_APIs"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0);]])],[ libse050_linked=yes ],[ libse050_linked=no ])
if test "x$libse050_linked" = "xno" ; then
@@ -1356,20 +1355,25 @@ AC_ARG_WITH([se050],
if test "x$withval" = "xyes" ; then
trylibse050dir="/usr/local/lib/"
fi
LDFLAGS="$LDFLAGS -L$trylibse050dir/simw-top_build/raspbian_native_se050_t1oi2c/sss/"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/simw-top/sss/inc -I$trylibse050dir/simw-top/sss/port/default \
-I$trylibse050dir/simw-top/hostlib/hostLib/inc/ -I$trylibse050dir/simw-top/hostlib/hostLib/libCommon/infra "
LDFLAGS="$LDFLAGS -L$trylibse050dir/build/sss"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/inc"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/port/default"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/inc"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/libCommon/infra"
AC_CHECK_FILES([$trylibse050dir/build/sss/libSSS_APIs.a], [SE050_STATIC=yes], [SE050_STATIC=no])
if test "x$SE050_STATIC" = "xyes"; then
LIB_STATIC_ADD="$trylibse050dir/build/sss/libSSS_APIs.a $LIB_STATIC_ADD"
else
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0); ]])],[ libse050_linked=yes ],[ libse050_linked=no ])
if test "x$libse050_linked" = "xno" ; then
AC_MSG_ERROR([SE050 isn't found.
If it's already installed, specify its path using --with-SE050=/dir/])
If it's already installed, specify its path using --with-se050=/dir/])
fi
AM_LDFLAGS="$AM_LDFLAGS -L$trylibse050dir/simw-top_build/raspbian_native_se050_t1oi2c/sss/"
AM_CFLAGS="$AM_CFLAGS -I$trylibse050dir/simw-top/sss/inc/ \
-DWOLFSSL_AES_DIRECT"
fi
# Requires AES direct
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
AC_MSG_RESULT([yes])
else
@@ -7079,6 +7083,7 @@ AM_CONDITIONAL([BUILD_RC2],[test "x$ENABLED_RC2" = "xyes"])
AM_CONDITIONAL([BUILD_QNXCAAM],[test "x$ENABLED_CAAM" = "xqnx"])
AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"])
AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"])
AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"])
if test "$ax_enable_debug" = "yes" ||
test "$ENABLED_STACKSIZE" != "no" ||
@@ -7453,6 +7458,7 @@ echo " * Crypto callbacks: $ENABLED_CRYPTOCB"
echo " * i.MX6 CAAM: $ENABLED_CAAM"
echo " * IoT-Safe: $ENABLED_IOTSAFE"
echo " * IoT-Safe HWRNG: $ENABLED_IOTSAFE_HWRNG"
echo " * NXP SE050: $ENABLED_SE050"
echo ""
echo "---"

14
wolfcrypt/src/aes.c
View File

@@ -873,13 +873,14 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
static int AES_ECB_encrypt(Aes* aes, const byte* inBlock, byte* outBlock,
int sz)
{
return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_ENCRYPTION, kAlgorithm_SSS_AES_ECB);
return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_ENCRYPTION,
kAlgorithm_SSS_AES_ECB);
}
static int AES_ECB_decrypt(Aes* aes, const byte* inBlock, byte* outBlock,
int sz)
{
return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_DECRYPTION, kAlgorithm_SSS_AES_ECB);
return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_DECRYPTION,
kAlgorithm_SSS_AES_ECB);
}
static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
@@ -2603,22 +2604,25 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
int dir)
{
int ret = 0;
int ret;
if (aes == NULL || !((keylen == 16) || (keylen == 24) || (keylen == 32))) {
if (aes == NULL || (keylen != 16 && keylen != 24 && keylen != 32)) {
return BAD_FUNC_ARG;
}
aes->ctxInitDone = 0;
#if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
defined(WOLFSSL_AES_OFB)
aes->left = 0;
#endif
ret = se050_aes_set_key(aes, userKey, keylen, iv, dir);
if (ret == 0) {
ret = wc_AesSetIV(aes, iv);
}
return ret;
}
int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
const byte* iv, int dir)
{

23
wolfcrypt/src/ecc.c
View File

@@ -4701,8 +4701,7 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id,
err = NOT_COMPILED_IN;
}
#elif defined(WOLFSSL_SE050)
key->keyId = se050_allocate_key();
err = se050_ecc_create_key(key, key->keyId, keysize);
err = se050_ecc_create_key(key, curve_id, keysize);
key->type = ECC_PRIVATEKEY;
#elif defined(WOLFSSL_CRYPTOCELL)
@@ -5008,6 +5007,11 @@ int wc_ecc_init_ex(ecc_key* key, void* heap, int devId)
#if defined(WOLFSSL_DSP)
key->handle = -1;
#endif
#ifdef WOLFSSL_SE050
key->keyId = -1;
#endif
return ret;
}
@@ -7116,22 +7120,23 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
err = KcapiEcc_Verify(key, hash, hashlen, sigRS, key->dp->size * 2);
#elif defined(WOLFSSL_SE050)
{
/* Used when following a hardware sign operation */
int rLeadingZero = mp_leading_bit(r);
int sLeadingZero = mp_leading_bit(s);
int rLen = mp_unsigned_bin_size(r);
int sLen = mp_unsigned_bin_size(s);
word32 signatureLen = rLeadingZero + sLeadingZero + rLen + sLen + SIG_HEADER_SZ; /* see StoreECC_DSA_Sig */
word32 signatureLen = rLeadingZero + sLeadingZero +
rLen + sLen + SIG_HEADER_SZ; /* see StoreECC_DSA_Sig */
err = StoreECC_DSA_Sig(sigRS, &signatureLen, r, s);
if (err == 0) {
err = se050_ecc_verify_hash_ex(hash, hashlen, sigRS,
signatureLen, key, res);
}
if (err != 0)
return err;
err = se050_ecc_verify_hash_ex(hash, hashlen, sigRS, signatureLen, key, res);
if (err != 0)
return err;
}
#else
/* checking if private key with no public part */
if (key->type == ECC_PRIVATEKEY_ONLY) {

5
wolfcrypt/src/ed25519.c
View File

@@ -262,11 +262,12 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
word32 *outLen, ed25519_key* key, byte type,
const byte* context, byte contextLen)
{
int ret;
#ifdef WOLFSSL_SE050
(void)context;
(void)contextLen;
(void)type;
int ret = se050_ed25519_sign_msg(in, inLen, out, outLen, key);
ret = se050_ed25519_sign_msg(in, inLen, out, outLen, key);
#else
#ifdef FREESCALE_LTC_ECC
byte tempBuf[ED25519_PRV_KEY_SIZE];
@@ -277,7 +278,6 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
byte nonce[WC_SHA512_DIGEST_SIZE];
byte hram[WC_SHA512_DIGEST_SIZE];
byte az[ED25519_PRV_KEY_SIZE];
int ret;
/* sanity check on arguments */
if (in == NULL || out == NULL || outLen == NULL || key == NULL ||
@@ -681,7 +681,6 @@ int wc_ed25519_verify_msg_ex(const byte* sig, word32 sigLen, const byte* msg,
(void)type;
(void)context;
(void)contextLen;
if (ed25519Ctx != NULL)
(void)ed25519Ctx;
ret = se050_ed25519_verify_msg(sig, sigLen, msg, msgLen, key, res);
#else

6
wolfcrypt/src/include.am
View File

@@ -68,6 +68,8 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \
wolfcrypt/src/port/arm/armv8-32-sha512-asm.c \
wolfcrypt/src/port/nxp/ksdk_port.c \
wolfcrypt/src/port/nxp/dcp_port.c \
wolfcrypt/src/port/nxp/se050_port.c \
wolfcrypt/src/port/nxp/README.md \
wolfcrypt/src/port/atmel/README.md \
wolfcrypt/src/port/xilinx/xil-sha3.c \
wolfcrypt/src/port/xilinx/xil-aesgcm.c \
@@ -174,3 +176,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_qnx.c
src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_ecdsa.c
src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_cmac.c
endif
if BUILD_SE050
src_libwolfssl_la_SOURCES += wolfcrypt/src/port/nxp/se050_port.c
endif

98
wolfcrypt/src/port/nxp/README.md Normal file
View File

@@ -0,0 +1,98 @@
# NXP Ports
Support for the NXP DCP, KSDK and SE050 hardware acceleration boards.
## NXP SE050
Support for the SE050 on-board crypto hardware acceleration for symmetric AES, SHA1/SHA256/SHA384/SHA512, ECC (including ed25519) and RNG. **(discuss p-256 ECC)**
## SE050 Acceleration
For details about SE050 HW acceleration, see [NXP's SE050 page](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050).
## Building simw-top
The code required to communicate with the SE050 is the `EdgeLock SE05x Plug & Trust Middleware (03.03.00)`, which can be found here [link](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050?tab=Design_Tools_Tab) (An NXP account is required to download).
Follow the build instruction in AN12570 (EdgeLockTM SE05x Quick start guide with Raspberry Pi) [here](https://www.nxp.com/docs/en/application-note/AN12570.pdf).
## Building wolfSSL
To enable support run:
``sh
./configure --with-se050=PATH
make
``
Where `PATH` is the directory location of `simw-top`.
Example: `./configure --with-se050=/Users/[user]/simw-top`
## Building Examples
Confirm that you are able to run the examples from the directory:
``sh
/simw-top_build/raspbian_native_se050_t1oi2c/bin/
``
Modify one of those examples in order to tie into wolfSSL. The `./se05x_Minimal` is the easiest one to modify.
Open the `simw-top/demos/se05x/se05x_Minimal` directory and edit `se05x_Minimal.c`. Add these headers to source file:
``c
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
``
If you would like to run our wolfcrypt test or benchmark tool, add: `#include "test.h"` or `#include benchmark.h`.
Below is the code that was replaced in `ex_sss_entry()` to run the wolfcrypt test:
``c
sss_status_t status = kStatus_SSS_Success;
int ret;
sss_session_t *pSession2 = (sss_session_t *)&pCtx->session;
sss_key_store_t *pHostSession = (sss_key_store_t *)&pCtx->host_ks;
LOG_I("running setconfig");
ret = wc_se050_SetConfig(pSession2, pHostSession);
if (ret != 0) {
return kStatus_SSS_Fail;
}
LOG_I("ran setconfig correctly");
wolfcrypt_test(NULL);
LOG_I("ran wolfcrypt test");
return status;
``
Note: `wolfcrypt_test(NULL);` can be replaced with `benchmark_test();`
The two variables used in `wc_se050_SetConfig` are session and key store variables that are required to reference parts of the hardware.
The Makefile needs to be edited. At the top of the Makefile, the base wolfssl directory needs to be added to `INCLUDE_FLAGS`.
Next, Inside `CFLAGS`, the `se05x_Minimal` directory needs to be added so that test.c and benchmark.c are included.
Finally, underneath 'all', test.c, test.h, benchmark.c and benchmark.h need to be added, along with `-L[wolfssl directory] -lwolfssl` at the end of the line.
### Wolfcrypt Test
To run the wolfcrypt test, two files, `test.h` and `test.c` need to be added to the `./se05x_Minimal` directory. These files can be found inside of `/wolfcrypt/test`.
Make sure `NO_MAIN_DRIVER` is defined to avoid `int main()` conflicts. Either in the Makefile or modify test.h to define it.
You should be able to run `wolfcrypt_test()` now.
### wolfCrypt Benchmark
To run the benchmark, both `benchmark.c` and `benchmark.h` need to be copied from wolfcrypt/benchmark to the `./se05x_Minimal` directory.
In addition, the entire `./certs` directory will need to copied into the directory.
Make sure `NO_MAIN_DRIVER` is defined to avoid `int main()` conflicts. Either in the Makefile or modify test.h to define it.
Now you can run `benchmark_test()`.
## Support
For questions please email support@wolfssl.com

503
wolfcrypt/src/port/nxp/se050_port.c
View File

@@ -33,37 +33,53 @@
#include <wolfssl/wolfcrypt/ed25519.h>
#if defined(WOLFSSL_SE050)
#ifdef WOLFSSL_SE050
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
#include "fsl_sss_api.h"
#include "fsl_sss_se05x_types.h"
#ifdef WOLFSSL_SP_MATH
struct sp_int;
#define MATH_INT_T struct sp_int
#elif defined(USE_FAST_MATH)
struct fp_int;
#define MATH_INT_T struct fp_int
#else
struct mp_int;
#define MATH_INT_T struct mp_int
#endif
struct ecc_key;
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/asn_public.h>
/* ECC SIGN 70 = keyStoreId - Implementation specific ID */
/* AES 55 = keyStoreId - Implementation specific ID */
/* ECC Shared Secret 60 = keyStoreId - Implementation specific ID */
/* ECC VERIFY 61 = keyStoreId - Implementation specific ID */
/* ECC VERIFY AFTER SIGN 60 = keyStoreId - Implementation specific ID */
/* ED25519 55 = keyStoreId - Implementation specific ID */
/* Global variables */
static sss_session_t *cfg_se050_i2c_pi;
static sss_key_store_t *hostKeyStore;
static sss_key_store_t *keyStore;
int keyId_allocater = 100;
int wolfcrypt_se050_SetConfig(sss_session_t *pSession, sss_key_store_t *pHostKeyStore, sss_key_store_t *pKeyStore)
int wc_se050_SetConfig(sss_session_t *pSession, sss_key_store_t *pHostKeyStore,
sss_key_store_t *pKeyStore)
{
printf("Setting SE050 session configuration\n");
WOLFSSL_MSG("Setting SE050 session configuration");
XMEMSET(&cfg_se050_i2c_pi, 0, sizeof(cfg_se050_i2c_pi));
cfg_se050_i2c_pi = pSession;
XMEMSET(&hostKeyStore, 0, sizeof(hostKeyStore));
hostKeyStore = pHostKeyStore;
XMEMSET(&keyStore, 0, sizeof(keyStore));
keyStore = pKeyStore;
return 0;
}
int se050_allocate_key()
int se050_allocate_key(void)
{
static int keyId_allocater = 100;
return keyId_allocater++;
}
@@ -74,7 +90,9 @@ int se050_get_random_number(uint32_t count, uint8_t* rand_out)
sss_rng_context_t rng;
int ret = 0;
if (wolfSSL_CryptHwMutexLock() == 0) {
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
status = sss_rng_context_init(&rng, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success)
@@ -86,12 +104,11 @@ int se050_get_random_number(uint32_t count, uint8_t* rand_out)
if (status != kStatus_SSS_Success) {
ret = RNG_FAILURE_E;
}
}
wolfSSL_CryptHwMutexUnLock();
return ret;
}
#endif /* WC_NO_RNG */
#endif /* !WC_NO_RNG */
/* Used for sha/sha224/sha384/sha512 */
int se050_hash_init(SE050_HASH_Context* se050Ctx, void* heap)
@@ -111,78 +128,58 @@ int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len
if (se050Ctx->len < se050Ctx->used + len) {
if (se050Ctx->msg == NULL) {
se050Ctx->msg = (byte*)XMALLOC(se050Ctx->used + len, se050Ctx->heap,
DYNAMIC_TYPE_TMP_BUFFER);
se050Ctx->msg = (byte*)XMALLOC(se050Ctx->used + len,
se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
}
else {
se050Ctx->msg = (byte*)XREALLOC(se050Ctx->msg, se050Ctx->used + len,
se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
}
if (se050Ctx->msg == NULL) {
return MEMORY_E;
}
}
else {
byte* pt = (byte*)XREALLOC(se050Ctx->msg, se050Ctx->used + len, se050Ctx->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (pt == NULL) {
return MEMORY_E;
}
se050Ctx->msg = pt;
}
se050Ctx->len = se050Ctx->used + len;
}
XMEMCPY(se050Ctx->msg + se050Ctx->used, data , len);
se050Ctx->used += len;
return 0;
}
int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash, size_t digestLen, sss_algorithm_t algo)
int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash, size_t digestLen,
sss_algorithm_t algo)
{
sss_status_t status;
sss_digest_t digest_ctx;
// XMEMSET(&digest_ctx, 0, sizeof(digest_ctx));
const byte* data = se050Ctx->msg;
int size = (se050Ctx->len) / SSS_BLOCK_SIZE;
int leftover = (se050Ctx->len) % SSS_BLOCK_SIZE;
const byte* blocks;
blocks = data;
const byte* blocks = data;
if (wolfSSL_CryptHwMutexLock() == 0) {
status = sss_digest_context_init(&digest_ctx, cfg_se050_i2c_pi, algo, kMode_SSS_Digest);
if(status != kStatus_SSS_Success){
printf("error 1\n");
return -1;
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
status = sss_digest_context_init(&digest_ctx, cfg_se050_i2c_pi, algo,
kMode_SSS_Digest);
if (status == kStatus_SSS_Success) {
status = sss_digest_init(&digest_ctx);
if(status != kStatus_SSS_Success){
printf("error 2 - hash_final...\n");
return -1;
}
if (status == kStatus_SSS_Success) {
/* used to send chunks of size 512 */
while (size--) {
while (status == kStatus_SSS_Success && size--) {
status = sss_digest_update(&digest_ctx, blocks, SSS_BLOCK_SIZE);
if(status != kStatus_SSS_Success){
printf("error 3\n");
return -1;
}
blocks += SSS_BLOCK_SIZE;
}
if (leftover) {
if (status == kStatus_SSS_Success && leftover) {
status = sss_digest_update(&digest_ctx, blocks, leftover);
if(status != kStatus_SSS_Success){
printf("error 3\n");
return -1;
}
}
if (status == kStatus_SSS_Success) {
status = sss_digest_finish(&digest_ctx, hash, &digestLen);
if(status != kStatus_SSS_Success){
printf("error 4\n");
return -1;
}
sss_digest_context_free(&digest_ctx);
}
wolfSSL_CryptHwMutexUnLock();
return 0;
@@ -197,19 +194,24 @@ void se050_hash_free(SE050_HASH_Context* se050Ctx)
int se050_aes_set_key(Aes* aes, const byte* key, word32 len,
const byte* iv, int dir)
{
printf("\n\nrunning se050_set_key\n");
(void)dir;
(void)iv;
sss_status_t status;
aes->rounds = len/4 + 6;
sss_object_t newKey;
sss_key_store_t host_keystore;
uint32_t keyId = se050_allocate_key();
aes->keyId = keyId;
int keyId = se050_allocate_key();
int ret = BAD_MUTEX_E;
if (wolfSSL_CryptHwMutexLock() == 0) {
ret = 0;
WOLFSSL_MSG("se050_set_key");
(void)dir;
(void)iv;
aes->rounds = len/4 + 6;
aes->keyId = keyId;
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
@@ -219,18 +221,20 @@ int se050_aes_set_key(Aes* aes, const byte* key, word32 len,
if (status == kStatus_SSS_Success) {
status = sss_key_object_init(&newKey, &host_keystore);
}
/* aes_test runs perfectly with kKeyObject_Mode_Persistent, but might have caused previous board to have no free key slots */
/* aes_test runs perfectly with kKeyObject_Mode_Persistent,
* but might have caused previous board to have no free key slots */
if (status == kStatus_SSS_Success) {
status = sss_key_object_allocate_handle(&newKey, keyId, kSSS_KeyPart_Default,
kSSS_CipherType_AES, len,
kKeyObject_Mode_Transient); //kKeyObject_Mode_Persistent
status = sss_key_object_allocate_handle(&newKey, keyId,
kSSS_KeyPart_Default, kSSS_CipherType_AES, len,
kKeyObject_Mode_Transient);
}
if (status == kStatus_SSS_Success) {
status = sss_key_store_set_key(&host_keystore, &newKey, key, len,
len * 8, NULL, 0);
}
}
wolfSSL_CryptHwMutexUnLock();
if (status != kStatus_SSS_Success)
@@ -239,13 +243,15 @@ int se050_aes_set_key(Aes* aes, const byte* key, word32 len,
}
int se050_aes_crypt(Aes* aes, const byte* in, byte* out, word32 sz, int dir, sss_algorithm_t algorithm)
int se050_aes_crypt(Aes* aes, const byte* in, byte* out, word32 sz, int dir,
sss_algorithm_t algorithm)
{
sss_status_t status;
sss_object_t keyObject;
sss_mode_t mode;
sss_key_store_t host_keystore;
int ret = BAD_MUTEX_E;
XMEMSET(&mode, 0, sizeof(mode));
if (dir == AES_DECRYPTION)
@@ -253,8 +259,9 @@ int se050_aes_crypt(Aes* aes, const byte* in, byte* out, word32 sz, int dir, sss
else if (dir == AES_ENCRYPTION)
mode = kMode_SSS_Encrypt;
if (wolfSSL_CryptHwMutexLock() == 0) {
ret = 0;
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
@@ -270,22 +277,24 @@ int se050_aes_crypt(Aes* aes, const byte* in, byte* out, word32 sz, int dir, sss
status = sss_key_object_get_handle(&keyObject, aes->keyId);
}
/* The first call to this function needs an initialization call, subsequent calls just need to call update */
/* The first call to this function needs an initialization call,
* subsequent calls just need to call update */
if (aes->ctxInitDone == 0) {
aes->ctxInitDone = 1;
if (status == kStatus_SSS_Success) {
status = sss_symmetric_context_init(&aes->aes_ctx, cfg_se050_i2c_pi,
&keyObject, algorithm, mode);
status = sss_symmetric_context_init(&aes->aes_ctx,
cfg_se050_i2c_pi, &keyObject, algorithm, mode);
}
if (status == kStatus_SSS_Success) {
status = sss_cipher_init(&aes->aes_ctx, (uint8_t *)aes->reg, sizeof(aes->reg));
status = sss_cipher_init(&aes->aes_ctx, (uint8_t*)aes->reg,
sizeof(aes->reg));
}
}
if (status == kStatus_SSS_Success) {
status = sss_cipher_update(&aes->aes_ctx, in, sz, out, &sz);
}
}
wolfSSL_CryptHwMutexUnLock();
if (status != kStatus_SSS_Success)
@@ -298,9 +307,14 @@ void se050_aes_free(Aes* aes)
sss_status_t status;
sss_key_store_t host_keystore;
sss_object_t keyObject;
aes->ctxInitDone = 0; /* sets back to zero to indicate that a free has been called */
if (wolfSSL_CryptHwMutexLock() == 0) {
/* sets back to zero to indicate that a free has been called */
aes->ctxInitDone = 0;
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
@@ -318,26 +332,10 @@ void se050_aes_free(Aes* aes)
sss_symmetric_context_free(&aes->aes_ctx);
}
wolfSSL_CryptHwMutexUnLock();
}
#endif /* NO_AES */
#ifdef WOLFSSL_SP_MATH
struct sp_int;
#define MATH_INT_T struct sp_int
#elif defined(USE_FAST_MATH)
struct fp_int;
#define MATH_INT_T struct fp_int
#else
struct mp_int;
#define MATH_INT_T struct mp_int
#endif
struct ecc_key;
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/asn_public.h>
#endif /* !NO_AES */
#ifdef HAVE_ECC
int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
@@ -347,10 +345,8 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
sss_asymmetric_t ctx_asymm;
sss_key_store_t host_keystore;
sss_object_t newKey;
sss_algorithm_t algorithm;
XMEMSET(&algorithm, 0, sizeof(algorithm));
uint32_t keyId = se050_allocate_key();
sss_algorithm_t algorithm = kAlgorithm_None;
int keyId = se050_allocate_key();
int keysize = (word32)key->dp->size;
int ret = BAD_MUTEX_E;
@@ -369,9 +365,10 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
else if (inLen == 64)
algorithm = kAlgorithm_SSS_SHA512;
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
if (wolfSSL_CryptHwMutexLock() == 0) {
ret = 0;
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
@@ -384,8 +381,8 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
if (status == kStatus_SSS_Success) {
status = sss_key_object_allocate_handle(&newKey, keyId, kSSS_KeyPart_Pair,
kSSS_CipherType_EC_NIST_P, keysize,
status = sss_key_object_allocate_handle(&newKey, keyId,
kSSS_KeyPart_Pair, kSSS_CipherType_EC_NIST_P, keysize,
kKeyObject_Mode_Transient);
}
@@ -405,14 +402,15 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
}
sss_asymmetric_context_free(&ctx_asymm);
}
wolfSSL_CryptHwMutexUnLock();
if (status != kStatus_SSS_Success)
ret = WC_HW_E;
if (status == kStatus_SSS_Success) {
key->keyId = keyId;
ret = 0;
}
else {
ret = WC_HW_E;
}
return ret;
}
@@ -420,21 +418,17 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
int se050_ecc_verify_hash_ex(const byte* hash, word32 hashLen, byte* signature,
word32 signatureLen, struct ecc_key* key, int* res)
{
printf("runing verify!\n");
sss_status_t status;
sss_asymmetric_t ctx_asymm;
sss_object_t newKey;
sss_key_store_t host_keystore;
sss_algorithm_t algorithm;
XMEMSET(&algorithm, 0, sizeof(algorithm));
sss_algorithm_t algorithm = kAlgorithm_None;
word32 derSz = 0;
int ret = WC_HW_E;
byte* derBuf;
uint32_t keyId = rand();
int ret;
int keySize = (word32)key->dp->size;
WOLFSSL_MSG("se050_ecc_verify_hash_ex");
*res = 0;
if (hashLen > 64)
@@ -451,81 +445,80 @@ int se050_ecc_verify_hash_ex(const byte* hash, word32 hashLen, byte* signature,
else if (hashLen == 64)
algorithm = kAlgorithm_SSS_SHA512;
printf("KeyId 3 = %d\n", key->keyId);
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
if (wolfSSL_CryptHwMutexLock() == 0) {
if (key->keyId == 0) { //this is run when a key was not generated and was instead passed in
/* this is run when a key was not generated and was instead passed in */
if (key->keyId == 0) {
int keyId = se050_allocate_key();
byte* derBuf = NULL;
ret = wc_EccKeyToPKCS8(key, NULL, &derSz);
if (ret != -202){
printf("first wc_EccKeyToPKCS8 failed\n");
return -1;
if (ret != LENGTH_ONLY_E) {
return ret;
}
derBuf = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (derBuf == NULL) {
return MEMORY_E;
}
derBuf = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_OPENSSL);
ret = wc_EccKeyToPKCS8(key, derBuf, &derSz);
if (ret <= 0) {
printf("second wc_EccKeyToPKCS8 failed, ret = %d\n", ret);
return -1;
XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
status = sss_key_store_allocate(&host_keystore, 61);
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_init(&newKey, &host_keystore);
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_allocate_handle(&newKey, keyId, kSSS_KeyPart_Pair,
kSSS_CipherType_EC_NIST_P, derSz,
status = sss_key_object_allocate_handle(&newKey, keyId,
kSSS_KeyPart_Pair, kSSS_CipherType_EC_NIST_P, derSz,
kKeyObject_Mode_Transient);
}
if (status == kStatus_SSS_Success) {
status = sss_key_store_set_key(&host_keystore, &newKey, derBuf,
derSz, keySize * 8, NULL, 0);
}
if (derBuf) {
XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
}
if (status == kStatus_SSS_Success) {
status = sss_asymmetric_context_init(&ctx_asymm, cfg_se050_i2c_pi,
&newKey, algorithm, kMode_SSS_Verify);
}
printf("ran through inital key setup !\n");
if (status == kStatus_SSS_Success) {
status = sss_asymmetric_verify_digest(&ctx_asymm, (uint8_t *)hash,
hashLen, signature, signatureLen);
}
sss_asymmetric_context_free(&ctx_asymm);
printf("sss_asymmetric_verify_digest with set key worked!\n\n\n");
key->keyId = keyId;
}
else if (key->keyId != 0) { //this is run after a sign function has taken place
ret = 0;
/* this is run after a sign function has taken place */
else if (key->keyId != 0) {
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success)
if (status == kStatus_SSS_Success) {
status = sss_key_store_allocate(&host_keystore, 60);
if (status == kStatus_SSS_Success)
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_init(&newKey, &host_keystore);
if (status == kStatus_SSS_Success)
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_get_handle(&newKey, key->keyId);
}
if (status == kStatus_SSS_Success) {
status = sss_asymmetric_context_init(&ctx_asymm, cfg_se050_i2c_pi,
&newKey, algorithm, kMode_SSS_Verify);
}
if (status == kStatus_SSS_Success) {
status = sss_asymmetric_verify_digest(&ctx_asymm, (uint8_t *)hash,
hashLen, signature, signatureLen);
@@ -533,17 +526,16 @@ int se050_ecc_verify_hash_ex(const byte* hash, word32 hashLen, byte* signature,
sss_asymmetric_context_free(&ctx_asymm);
}
}
wolfSSL_CryptHwMutexUnLock();
if (status != kStatus_SSS_Success)
ret = WC_HW_E;
printf("ran verify correctly!!\n\n\n");
if (status == kStatus_SSS_Success) {
*res = 1;
ret = 0;
}
else {
ret = WC_HW_E;
}
return 0;
}
@@ -555,89 +547,93 @@ int se050_ecc_free_key(struct ecc_key* key)
int ret = WC_HW_E;
sss_key_store_t host_keystore;
/* less tha 10,000 as one example from test.c tried to free a key that was not created on the SE050 */
if(key->keyId != 0 && key->keyId < 10000) {
if (wolfSSL_CryptHwMutexLock() == 0) {
ret = 0;
if (key->keyId <= 0) {
return BAD_FUNC_ARG;
}
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success)
if (status == kStatus_SSS_Success) {
status = sss_key_store_allocate(&host_keystore, 60);
if (status == kStatus_SSS_Success)
status = sss_key_object_init(&keyObject, &host_keystore);
if (status == kStatus_SSS_Success)
status = sss_key_object_get_handle(&keyObject, key->keyId);
if (status == kStatus_SSS_Success)
sss_key_object_free(&keyObject);
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_init(&keyObject, &host_keystore);
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_get_handle(&keyObject, key->keyId);
}
if (status == kStatus_SSS_Success) {
sss_key_object_free(&keyObject);
}
wolfSSL_CryptHwMutexUnLock();
if (status != kStatus_SSS_Success)
if (status != kStatus_SSS_Success) {
ret = WC_CLEANUP_E;
}
return ret;
}
int se050_ecc_create_key(struct ecc_key* key, int keyId, int keySize)
int se050_ecc_create_key(struct ecc_key* key, int curve_id, int keySize)
{
sss_status_t status = kStatus_SSS_Success;
sss_object_t keyPair;
sss_key_store_t host_keystore;
uint8_t keyPairExport[128];
int keyId = se050_allocate_key();
uint8_t keyPairExport[MAX_ECC_BYTES];
size_t keyPairExportLen = sizeof(keyPairExport);
size_t keyPairExportBitLen = sizeof(keyPairExport) * 8;
int ret = WC_HW_E;
int ret;
(void)curve_id;
if (wolfSSL_CryptHwMutexLock() == 0) {
ret = 0;
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
status = sss_key_store_allocate(&host_keystore, 60);
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_init(&keyPair, &host_keystore);
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_allocate_handle(&keyPair, keyId, kSSS_KeyPart_Pair,
kSSS_CipherType_EC_NIST_P, 256,
kKeyObject_Mode_None); //kKeyObject_Mode_Transient
status = sss_key_object_allocate_handle(&keyPair, keyId,
kSSS_KeyPart_Pair, kSSS_CipherType_EC_NIST_P, 256,
kKeyObject_Mode_None);
}
if (status == kStatus_SSS_Success) {
status = sss_key_store_generate_key(&host_keystore, &keyPair, 256, NULL);
status = sss_key_store_generate_key(&host_keystore, &keyPair,
256, NULL);
}
if (status == kStatus_SSS_Success) {
status = sss_key_store_get_key(&host_keystore, &keyPair, keyPairExport,
&keyPairExportLen, &keyPairExportBitLen);
}
status = sss_key_store_get_key(&host_keystore, &keyPair,
keyPairExport, &keyPairExportLen, &keyPairExportBitLen);
}
wolfSSL_CryptHwMutexUnLock();
if (status != kStatus_SSS_Success)
ret = WC_CLEANUP_E;
if (status == kStatus_SSS_Success) {
mp_read_unsigned_bin(key->pubkey.x, keyPairExport, keySize);
mp_read_unsigned_bin(key->pubkey.y, keyPairExport + keySize, keySize);
key->keyId = keyId;
ret = 0;
}
else {
ret = WC_HW_E;
}
return ret;
}
int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out,
word32* outlen)
int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key,
byte* out, word32* outlen)
{
sss_status_t status = kStatus_SSS_Success;
sss_key_store_t host_keystore;
@@ -646,27 +642,21 @@ int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out
sss_object_t ref_public_key;
sss_object_t deriveKey;
sss_derive_key_t ctx_derive_key;
int keyId = se050_allocate_key();
int keyId;
int keySize = (word32)public_key->dp->size;
size_t ecdhKeyLen = keySize;
size_t ecdhKeyBitLen = keySize;
int ret = WC_HW_E;
if (public_key->keyId == 0) {
public_key->keyId = se050_allocate_key();
se050_ecc_create_key(public_key, public_key->keyId, keySize);
}
if (private_key->keyId == 0) {
private_key->keyId = se050_allocate_key();
se050_ecc_create_key(private_key, private_key->keyId, keySize);
if (private_key->keyId <= 0 || public_key->keyId <= 0) {
return BAD_FUNC_ARG;
}
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
if (wolfSSL_CryptHwMutexLock() == 0) {
ret = 0;
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
status = sss_key_store_allocate(&host_keystore, 60);
}
@@ -700,12 +690,14 @@ int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out
}
if (status == kStatus_SSS_Success) {
keyId = se050_allocate_key();
status = sss_key_object_allocate_handle(&deriveKey,
keyId,
kSSS_KeyPart_Default, //try kSSS_KeyPart_Part, didn't have any noticable changes
kSSS_KeyPart_Default,
kSSS_CipherType_AES,
ecdhKeyLen,
kKeyObject_Mode_Transient); //try kKeyObject_Mode_None
kKeyObject_Mode_Transient);
}
if (status == kStatus_SSS_Success) {
@@ -727,9 +719,11 @@ int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out
if (deriveKey.keyStore != NULL)
sss_key_object_free(&deriveKey);
if (status != kStatus_SSS_Success)
if (status == kStatus_SSS_Success)
ret = 0;
else
ret = WC_HW_E;
}
wolfSSL_CryptHwMutexUnLock();
return ret;
@@ -738,21 +732,20 @@ int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out
#ifdef HAVE_ED25519
int se050_ed25519_create_key(ed25519_key* key)
{
printf("\n\nrunning se050_ed25519_create_key\n");
sss_status_t status;
sss_key_store_t host_keystore;
sss_object_t newKey;
int keysize = ED25519_KEY_SIZE;
uint32_t keyId = se050_allocate_key();
key->keyId = keyId;
int keyId;
int ret = 0;
if (wolfSSL_CryptHwMutexLock() == 0) {
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
status = sss_key_store_allocate(&host_keystore, 55);
}
@@ -762,25 +755,28 @@ int se050_ed25519_create_key(ed25519_key* key)
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_allocate_handle(&newKey, keyId, kSSS_KeyPart_Pair,
kSSS_CipherType_EC_TWISTED_ED, keysize,
keyId = se050_allocate_key();
status = sss_key_object_allocate_handle(&newKey, keyId,
kSSS_KeyPart_Pair, kSSS_CipherType_EC_TWISTED_ED, keysize,
kKeyObject_Mode_Transient);
}
if (status == kStatus_SSS_Success) {
status = sss_key_store_generate_key(&host_keystore, &newKey, keysize * 8, NULL);
status = sss_key_store_generate_key(&host_keystore, &newKey,
keysize * 8, NULL);
}
if (status != kStatus_SSS_Success) {
if (status == kStatus_SSS_Success) {
key->keyId = keyId;
ret = 0;
}
else {
sss_key_object_free(&newKey);
ret = WC_HW_E;
}
}
wolfSSL_CryptHwMutexUnLock();
printf("ran se050_ed25519_create_key\n\n\n");
return ret;
}
@@ -790,12 +786,14 @@ void se050_ed25519_free_key(ed25519_key* key)
sss_object_t newKey;
sss_key_store_t host_keystore;
if (wolfSSL_CryptHwMutexLock() == 0) {
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
status = sss_key_store_allocate(&host_keystore, 60);
status = sss_key_store_allocate(&host_keystore, 55);
}
if (status == kStatus_SSS_Success) {
status = sss_key_object_init(&newKey, &host_keystore);
@@ -806,39 +804,29 @@ void se050_ed25519_free_key(ed25519_key* key)
if (status == kStatus_SSS_Success) {
sss_key_object_free(&newKey);
}
}
wolfSSL_CryptHwMutexUnLock();
}
int se050_ed25519_sign_msg(const byte* in, word32 inLen, byte* out,
word32 *outLen, ed25519_key* key)
{
printf("\n\nhit se050_ed25519_sign_msg...\n");
sss_status_t status = kStatus_SSS_Success;
sss_asymmetric_t ctx_asymm;
sss_key_store_t host_keystore;
sss_object_t newKey;
int ret = 0;
inLen = 64;
*outLen = 64;
/* used to fix edge case when ed25519_init is not called prior to signing */
/* figure out if needed or not for -10801 */
if (key->keyId > 10000 || key->keyId == 0) {
key->keyId = se050_allocate_key();
ret = se050_ed25519_create_key(key);
if (ret != 0) {
printf("calling se050_ed25519_create_key failed..., ret = %d\n", ret);
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
}
if (wolfSSL_CryptHwMutexLock() == 0 && ret == 0) {
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
status = sss_key_store_allocate(&host_keystore, 60);
status = sss_key_store_allocate(&host_keystore, 55);
}
if (status == kStatus_SSS_Success) {
@@ -859,33 +847,34 @@ int se050_ed25519_sign_msg(const byte* in, word32 inLen, byte* out,
(uint8_t *)in, inLen, out, outLen);
}
sss_asymmetric_context_free(&ctx_asymm);
if (status != kStatus_SSS_Success) {
printf("status != kStatus_SSS_Success, status = %d\n", status);
sss_key_object_free(&newKey);
ret = WC_HW_E;
}
sss_asymmetric_context_free(&ctx_asymm);
}
wolfSSL_CryptHwMutexUnLock();
return ret;
}
int se050_ed25519_verify_msg(const byte* signature, word32 signatureLen, const byte* msg,
word32 msgLen, struct ed25519_key* key, int* res)
int se050_ed25519_verify_msg(const byte* signature, word32 signatureLen,
const byte* msg, word32 msgLen, struct ed25519_key* key, int* res)
{
printf("runing se050_ed25519_verify_msg!\n");
sss_status_t status = kStatus_SSS_Success;
sss_asymmetric_t ctx_asymm;
sss_object_t newKey;
sss_key_store_t host_keystore;
int ret = 0;
msgLen = 64;
*res = 1;
if (wolfSSL_CryptHwMutexLock() == 0) {
msgLen = 64;
if (wolfSSL_CryptHwMutexLock() != 0) {
return BAD_MUTEX_E;
}
status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
if (status == kStatus_SSS_Success) {
@@ -906,22 +895,24 @@ int se050_ed25519_verify_msg(const byte* signature, word32 signatureLen, const b
}
if (status == kStatus_SSS_Success) {
status = sss_se05x_asymmetric_verify((sss_se05x_asymmetric_t *)&ctx_asymm,
(uint8_t *)msg, msgLen,
status = sss_se05x_asymmetric_verify(
(sss_se05x_asymmetric_t*)&ctx_asymm, (uint8_t*)msg, msgLen,
(uint8_t*)signature, (size_t)signatureLen);
}
sss_asymmetric_context_free(&ctx_asymm);
}
wolfSSL_CryptHwMutexUnLock();
if (status != kStatus_SSS_Success) {
if (status == kStatus_SSS_Success) {
*res = 1;
}
else {
ret = WC_HW_E;
*res = 0;
}
return ret;
}
#endif /* HAVE_ED25519 */
#endif /* SE050 */
#endif /* WOLFSSL_SE050 */

1
wolfcrypt/src/sha.c
View File

@@ -347,7 +347,6 @@
(void)devId;
return se050_hash_init(&sha->se050Ctx, heap);
}
int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len)

27
wolfcrypt/src/sha512.c
View File

@@ -49,6 +49,10 @@
#include <wolfssl/wolfcrypt/cryptocb.h>
#endif
#ifdef WOLFSSL_SE050
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
#endif
/* deprecated USE_SLOW_SHA2 (replaced with USE_SLOW_SHA512) */
#if defined(USE_SLOW_SHA2) && !defined(USE_SLOW_SHA512)
#define USE_SLOW_SHA512
@@ -200,7 +204,6 @@
/* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */
#elif defined(WOLFSSL_SE050)
//#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
int wc_InitSha512(wc_Sha512* sha512)
{
if (sha512 == NULL)
@@ -224,17 +227,31 @@
int wc_Sha512Final(wc_Sha512* sha512, byte* hash)
{
int ret = 0;
int devId = INVALID_DEVID;
if (sha512 == NULL) {
return BAD_FUNC_ARG;
}
#ifdef WOLF_CRYPTO_CB
devId = sha512->devId;
#endif
ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE,
kAlgorithm_SSS_SHA512);
(void)wc_InitSha512_ex(sha512);
(void)wc_InitSha512_ex(sha512, sha512->heap, devId);
return ret;
}
int wc_Sha512FinalRaw(wc_Sha512* sha512, byte* hash)
{
int ret = 0;
int devId = INVALID_DEVID;
if (sha512 == NULL) {
return BAD_FUNC_ARG;
}
#ifdef WOLF_CRYPTO_CB
devId = sha512->devId;
#endif
ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE,
kAlgorithm_SSS_SHA512);
(void)wc_InitSha512(sha512);
(void)wc_InitSha512_ex(sha512, sha512->heap, devId);
return ret;
}
void wc_Sha512Free(wc_Sha512* sha512)
@@ -948,6 +965,7 @@ int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
#else
#ifndef WOLFSSL_SE050
static WC_INLINE int Sha512Final(wc_Sha512* sha512)
{
byte* local = (byte*)sha512->buffer;
@@ -1207,6 +1225,7 @@ int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data)
}
#endif /* OPENSSL_EXTRA */
#endif /* WOLFSSL_SHA512 */
#endif /* WOLFSSL_SE050 */
/* -------------------------------------------------------------------------- */
/* SHA384 */
@@ -1217,8 +1236,6 @@ int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data)
!defined(WOLFSSL_QNX_CAAM)
/* functions defined in wolfcrypt/src/port/caam/caam_sha.c */
#elif defined(WOLFSSL_SE050)
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
int wc_InitSha384_ex(wc_Sha384* sha384, void* heap, int devId)
{
if (sha384 == NULL) {

68
wolfssl/wolfcrypt/port/nxp/README.md
View File

@@ -1,68 +0,0 @@
# NXP Ports
Support for the NXP DCP, KSDK and SE050 hardware acceleration boards.
## NXP SE050
Support for the SE050 on-board crypto hardware acceleration for symmetric AES, SHA1/SHA256/SHA384/SHA512, ECC (including ed25519) and RNG. **(discuss p-256 ECC)**
## SE050 Acceleration
For details about SE050 HW acceleration, see [NXP's SE050 page](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050).
## Building
To enable support run:
```
./configure --with-se050=PATH
```
Followed by:
```
make && make install
```
With PATH being the directory location of simw-top.
The code required to communicate with the SE050 can be found at this NXP [link](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050?tab=Design_Tools_Tab) (An NXP account is required to download). Follow the instructions [here](https://www.nxp.com/docs/en/application-note/AN12570.pdf) to install and setup with a Raspberry Pi.
Confirm that you are able to run the examples from the
```
/simw-top_build/raspbian_native_se050_t1oi2c/bin/
```
directory. Once that's done, it's time to modify one of those examples in order to tie into wolfSSL.
The ``./se05x_Minimal `` is the easiest one to modify. Open the ``simw-top/demos/se05x/se05x_Minimal `` directory and edit ``se05x_Minimal.c``. Add these headers to source file:
```
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
```
If you would like to run our wolfcrypt test or benchmark tool, add:
``#include "test.h"`` or ``#include benchmark.h``, respectively. Below is the code that was replaced in ``ex_sss_entry()`` that ran the wolfcrypt test:
```
sss_status_t status = kStatus_SSS_Success;
int ret;
sss_session_t *pSession2 = (sss_session_t *)&pCtx->session;
sss_key_store_t *pHostSession = (sss_key_store_t *)&pCtx->host_ks;
LOG_I("running setconfig");
ret = wolfcrypt_se050_SetConfig(pSession2, pHostSession);
if (ret != 0) {
return kStatus_SSS_Fail;
}
LOG_I("ran setconfig correctly");
wolfcrypt_test(NULL);
LOG_I("ran wolfcrypt test");
return status;
```
``wolfcrypt_test(NULL);`` can be replaced with ``benchmark_test();``
The two variables used in ``wolfcrypt_se050_SetConfig`` are session and key store variables that are required to reference parts of the hardware.
Next, the Makefile needs to be edited.
At the top of the Makefile, the base wolfssl directory needs to be added to ``INCLUDE_FLAGS``. Next, Inside ``CFLAGS``, the ``se05x_Minimal`` directory needs to be added so that test.c and benchmark.c are included. Finally, underneath 'all', test.c, test.h, benchmark.c and benchmark.h need to be added, along with ``-L (wolfssl directory) -lwolfssl`` at the end of the line.
## Wolfcrypt Test
To run the wolfcrypt test, two files, ``test.h`` and ``test.c`` need to be added to the ``./se05x_Minimal`` directory. These files can be found inside of ``/wolfcrypt/test``.
Next, ``#define NO_MAIN_DRIVER`` needs to be added to test.h.
You should be able to run `wolfcrypt_test()` now.
## Benchmark
To run the benchmark, both ``benchmark.c`` and ``benchmark.h`` need to be copied from wolfcrypt/benchmark to the `./se05x_Minimal` directory. In addition, the entire `./certs` directory will need to copied into the directory. ``#define NO_MAIN_DRIVER`` will need to be added to `benchmark.h`. You should be able to run `benchmark_test() ` now.

64
wolfssl/wolfcrypt/port/nxp/se050_port.h
View File

@@ -22,7 +22,6 @@
#ifndef _SE050_PORT_H_
#define _SE050_PORT_H_
#include <wolfssl/wolfcrypt/settings.h>
#include "fsl_sss_api.h"
@@ -39,27 +38,25 @@ typedef struct {
} SE050_HASH_Context;
WOLFSSL_API int wolfcrypt_se050_SetConfig(sss_session_t *pSession, sss_key_store_t *pHostKeyStore, sss_key_store_t *pKeyStore);
int se050_allocate_key(void);
int se050_get_random_number(uint32_t count, uint8_t* rand_out);
int se050_hash_init(SE050_HASH_Context* se050Ctx, void* heap);
int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len);
int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash, size_t digestLen, word32 algo);
void se050_hash_free(SE050_HASH_Context* se050Ctx);
WOLFSSL_API int wc_se050_SetConfig(sss_session_t *pSession,
sss_key_store_t *pHostKeyStore, sss_key_store_t *pKeyStore);
WOLFSSL_LOCAL int se050_allocate_key(void);
WOLFSSL_LOCAL int se050_get_random_number(uint32_t count, uint8_t* rand_out);
WOLFSSL_LOCAL int se050_hash_init(SE050_HASH_Context* se050Ctx, void* heap);
WOLFSSL_LOCAL int se050_hash_update(SE050_HASH_Context* se050Ctx,
const byte* data, word32 len);
WOLFSSL_LOCAL int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash,
size_t digestLen, word32 algo);
WOLFSSL_LOCAL void se050_hash_free(SE050_HASH_Context* se050Ctx);
struct Aes;
int se050_aes_set_key(struct Aes* aes, const byte* key, word32 len, const byte* iv, int dir);
int se050_aes_crypt(struct Aes* aes, const byte* in, byte* out, word32 sz, int dir, sss_algorithm_t algorithm);
void se050_aes_free(struct Aes* aes);
//int se050_aes_ctr_crypt(struct Aes* aes, const byte* in, byte* out, word32 sz);
WOLFSSL_LOCAL int se050_aes_set_key(struct Aes* aes, const byte* key,
word32 len, const byte* iv, int dir);
WOLFSSL_LOCAL int se050_aes_crypt(struct Aes* aes, const byte* in, byte* out,
word32 sz, int dir, sss_algorithm_t algorithm);
WOLFSSL_LOCAL void se050_aes_free(struct Aes* aes);
struct ecc_key;
@@ -74,25 +71,26 @@ struct WC_RNG;
struct mp_int;
#define MATH_INT_T struct mp_int
#endif
int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
word32 *outLen, struct ecc_key* key);
int se050_ecc_verify_hash_ex(const byte* hash, word32 hashlen, byte* signature,
word32 signatureLen, struct ecc_key* key, int* res);
WOLFSSL_LOCAL int se050_ecc_sign_hash_ex(const byte* in, word32 inLen,
byte* out, word32 *outLen, struct ecc_key* key);
int se050_ecc_create_key(struct ecc_key* key, int keyId, int keySize);
int se050_ecc_shared_secret(struct ecc_key* private_key, struct ecc_key* public_key, byte* out,
word32* outlen);
int se050_ecc_free_key(struct ecc_key* key);
WOLFSSL_LOCAL int se050_ecc_verify_hash_ex(const byte* hash, word32 hashlen,
byte* signature, word32 signatureLen, struct ecc_key* key, int* res);
WOLFSSL_LOCAL int se050_ecc_create_key(struct ecc_key* key, int curve_id, int keySize);
WOLFSSL_LOCAL int se050_ecc_shared_secret(struct ecc_key* private_key,
struct ecc_key* public_key, byte* out, word32* outlen);
WOLFSSL_LOCAL int se050_ecc_free_key(struct ecc_key* key);
struct ed25519_key;
//#include <wolfssl/wolfcrypt/ed25519.h>
int se050_ed25519_create_key(struct ed25519_key* key);
void se050_ed25519_free_key(struct ed25519_key* key);
int se050_ed25519_sign_msg(const byte* in, word32 inLen, byte* out,
word32 *outLen, struct ed25519_key* key);
WOLFSSL_LOCAL int se050_ed25519_create_key(struct ed25519_key* key);
WOLFSSL_LOCAL void se050_ed25519_free_key(struct ed25519_key* key);
WOLFSSL_LOCAL int se050_ed25519_sign_msg(const byte* in, word32 inLen,
byte* out, word32 *outLen, struct ed25519_key* key);
int se050_ed25519_verify_msg(const byte* signature, word32 signatureLen, const byte* msg,
word32 msgLen, struct ed25519_key* key, int* res);
WOLFSSL_LOCAL int se050_ed25519_verify_msg(const byte* signature,
word32 signatureLen, const byte* msg, word32 msgLen,
struct ed25519_key* key, int* res);
#endif /* _SE050_PORT_H_ */