[crypto] Manual backport from eg100 to master #30280
Merged
Merged
Conversation
The following changes are made - Remove the prime and secp calls - Connect the base point multiplications for ecc - Update the test vectors - Include python tests for the new calls Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 99eb63b)
As this code is not used, lets remove it to save some bytes. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit eda54a8)
Change the public functions for the user to have the otcrypto_ prefix in the name. Change the OTCRYPTO_MAKE_BUF macro to ingest the inline function. Include the new public functions to otcrypto_interface. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 1529671)
Merge the OTBN code of x25519 into the one from ed25519 and re-use the scalar multiplication from ed25519. Adapt the tests of x25519 such that they are in the test suite, cehck for failures, and are adapted to work again. Warning: The new x25519 code now works for non-twist points, it rejects twist points. This means we follows https://datatracker.ietf.org/doc/html/rfc7748#section-4 but not https://datatracker.ietf.org/doc/html/rfc7748#section-5. The x25519.s OTBN app is left in the repo which does implement section 5, but it is left unconnected to the cryptolib. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit d69995c)
Recently, `integrity_blinded_checksum` was renamed to `otcrypto_integrity_blinded_checksum` - we've missed one spot. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 5fba06c)
Cover more error cases for the p384 check public key function. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 32fdeb3)
As there should be no reason to not combine those two functions, put them into one function. That fixes also a bug in the previous `p384_check_public_key` function. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit bb71ab5)
Also test the other conditions when a point check could fail. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 1b9fe4c)
Adapt the instruction counter values to reflect the current impl. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit aa64e22)
The compiler could get rid of the memset when aggressive compiler optimizations are enabled. Although this wouldn't be a big problem (the API documentation states that the result only should be used when the CL reports back a success), switch to a volatile loop to guarantee that we always return a zero buffer independent of the compiler optimiziations we use or don't use. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 682aafd)
Add sideload support for the keygen and ecdh for x25519 and include a new functest for it. Switch the keymgr tests to the new 25519 apps. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit e8ccf53)
Bundle the 2k, 3k, and 4k calls in RSA with a size input (though leave the API unchanged). In order to save code size. At the time of writing, this saves 1.3k bytes. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit f0bea42)
Add cmac functionality to the cryptolib and add its functest. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit ef1f7ef)
Connect the cmac cryptolib call to the pentest framework and add tests for the new calls. Added the new function's explanation to cryptolib_api. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit b43cf89)
Extend the existing file with some dummy values. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit b4bfce2)
As this function checks afterwards whether the key can be used, rename this function to make this behaviour clear. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 8baa51d)
Add a function that performs the RSA keygen and returns the key to the host. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 5212ce2)
Read the RSA CAVP sign test vector and perform: - per group, one key generation on the device - per test case in a group: use the keys and sign the message on the device. Verify the signature afterwards on the device Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 62b527a)
Change the loop logic in kdf_ctr such that we process the hmac maximum digest size block at a time. Introduce randomization into the masking of the key. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 36233b8)
Use streaming for the hmac to stream into the user provided buffer and apply masking to the keys. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit d84cc08)
When running the cryptolib with `--define=disable_null_checks=true`, one can disable all the API's NULL checks on the input allowing to save code size. At the time of writing this option saves 3.4k bytes. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 70b16b4)
Refactor p256 and p384 to save on code size by making subroutines which are used accross multiple functions. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 1719213)
This commit adds ACVP testing for the Ed25519 signature verification to the cryptotest framework. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 117d459)
…ions Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit a3d0516)
Return the signature as well as the public key. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 78fa08f)
Read the ACVP Ed25519 SigGen test vector that contains a message. The device signs the message and returns the signature as well as the public key. The ACVP server then can use this information to check if the signature is valid. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 3fe3db0)
Create d, split it up into two shares, compute q, return q and d. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 1967ee4)
Trigger a key generation on the device, store the returned q and d into a json file that can be validated by the ACVP server. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 8cf9681)
As we include the NIST copyright header, do not check those files. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 403947e)
Previously, an attacker would have been able to provide an arbitrary length for the wrapped key length. As this is dangerous, limit the size to the max key length we currently have (RSA 4096). Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org> (cherry picked from commit 7bf5ac7)
Make a hmac_redundant_core function in the hmac driver with a size input such that the code can be re-used over all SHA sizes. Create dispatch functions in the hmac API to squash code size for different SHA sizes. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit a869752)
The private_scalar local variable in p256 and p384 should be shredded after use. The arithmetic share private key routines in p256 and p384 create a private variable that should be shredded after use. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 4e3f4cc)
Shred the subkey after its creation and use in gcm. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit 182a811)
Warn the user that the plaintext nullification does not happen in the streaming API when the tag is invalid. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com> (cherry picked from commit acb2179)
d6fa7a3 to
0c3e775
Compare
andrea-caforio
approved these changes
Jun 3, 2026
andrea-caforio
left a comment
Contributor
There was a problem hiding this comment.
Thanks @nasahlpa.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport the following PRs from earlgrey_1.0.0 to master:
montmuldependency fromrun_rsa_key_from_cofactor#30067