Add Tinycrypt based SHA-512 for ED25519

boot/bootutil/pkg.yml

@@ -49,5 +49,7 @@ pkg.deps.BOOTUTIL_USE_TINYCRYPT:
  - "@mcuboot/ext/mbedtls-asn1"
 
 pkg.deps.BOOTUTIL_SIGN_ED25519:
- - "@apache-mynewt-core/crypto/mbedtls"
+ - "@mcuboot/ext/tinycrypt/lib"
+ - "@mcuboot/ext/tinycrypt-sha512/lib"
+ - "@mcuboot/ext/mbedtls-asn1"
  - "@mcuboot/ext/fiat"

boot/zephyr/CMakeLists.txt

@@ -51,6 +51,8 @@ get_filename_component(MCUBOOT_DIR ${BOOT_DIR} DIRECTORY)
 # Path to tinycrypt library source subdirectory of MCUBOOT_DIR.
 set(TINYCRYPT_DIR "${MCUBOOT_DIR}/ext/tinycrypt/lib")
 assert_exists(TINYCRYPT_DIR)
+set(TINYCRYPT_SHA512_DIR "${MCUBOOT_DIR}/ext/tinycrypt-sha512/lib")
+assert_exists(TINYCRYPT_SHA512_DIR)
 # Path to crypto-fiat
 set(FIAT_DIR "${MCUBOOT_DIR}/ext/fiat")
 assert_exists(FIAT_DIR)
@@ -144,8 +146,27 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_RSA)
  # is set using Kconfig.)
  zephyr_include_directories(include)
 elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
- # For ed25519, mbedTLS is used for ASN1 parsing and SHA512
- zephyr_include_directories(include)
+ if(CONFIG_BOOT_USE_TINYCRYPT)
+ zephyr_library_include_directories(
+ ${MBEDTLS_ASN1_DIR}/include
+ ${BOOT_DIR}/zephyr/include
+ ${TINYCRYPT_DIR}/include
+ ${TINYCRYPT_SHA512_DIR}/include
+ )
+ zephyr_library_sources(
+ ${TINYCRYPT_DIR}/source/sha256.c
+ ${TINYCRYPT_DIR}/source/utils.c
+ ${TINYCRYPT_SHA512_DIR}/source/sha512.c
+ # Additionally pull in just the ASN.1 parser from mbedTLS.
+ ${MBEDTLS_ASN1_DIR}/src/asn1parse.c
+ ${MBEDTLS_ASN1_DIR}/src/platform_util.c
+ )
+ zephyr_library_compile_definitions(
+ MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h"
+ )
+ else()
+ zephyr_include_directories(include)
+ endif()
 
  zephyr_library_include_directories(
  ${BOOT_DIR}/zephyr/include

boot/zephyr/Kconfig

@@ -76,16 +76,11 @@ endif
 config BOOT_SIGNATURE_TYPE_ECDSA_P256
  bool "Elliptic curve digital signatures with curve P-256"
 
-config BOOT_SIGNATURE_TYPE_ED25519
- bool "Edwards curve digital signatures using ed25519"
- select BOOT_USE_MBEDTLS
- select MBEDTLS
-
 if BOOT_SIGNATURE_TYPE_ECDSA_P256
 choice
  prompt "Ecdsa implementation"
- default BOOT_TINYCRYPT
-config BOOT_TINYCRYPT
+ default BOOT_ECDSA_TINYCRYPT
+config BOOT_ECDSA_TINYCRYPT
  bool "Use tinycrypt"
  select BOOT_USE_TINYCRYPT
 config BOOT_CC310
@@ -96,6 +91,24 @@ config BOOT_CC310
  select BOOT_USE_CC310
 endchoice
 endif
+
+config BOOT_SIGNATURE_TYPE_ED25519
+ bool "Edwards curve digital signatures using ed25519"
+
+if BOOT_SIGNATURE_TYPE_ED25519
+choice
+ prompt "Ecdsa implementation"
+ default BOOT_ED25519_TINYCRYPT
+config BOOT_ED25519_TINYCRYPT
+ bool "Use tinycrypt"
+ select BOOT_USE_TINYCRYPT
+config BOOT_ED25519_MBEDTLS
+ bool "Use mbedTLS"
+ select BOOT_USE_MBEDTLS
+ select MBEDTLS
+endchoice
+endif
+
 endchoice
 
 config BOOT_SIGNATURE_KEY_FILE

ext/fiat/src/curve25519.c

@@ -31,8 +31,16 @@
 #include <string.h>
 #include <stdint.h>
 
+#include <mcuboot_config/mcuboot_config.h>
+
+#if defined(MCUBOOT_USE_MBED_TLS)
 #include <mbedtls/platform_util.h>
 #include <mbedtls/sha512.h>
+#else
+#include <tinycrypt/constants.h>
+#include <tinycrypt/utils.h>
+#include <tinycrypt/sha512.h>
+#endif
 
 #include "curve25519.h"
 // Various pre-computed constants.
@@ -126,12 +134,20 @@ static void fe_tobytes(uint8_t s[32], const fe *f) {
 
 // h = 0
 static void fe_0(fe *h) {
+#if defined(MCUBOOT_USE_MBED_TLS)
  mbedtls_platform_zeroize(h, sizeof(fe));
+#else
+ _set(h, 0, sizeof(fe));
+#endif
 }
 
 // h = 1
 static void fe_1(fe *h) {
+#if defined(MCUBOOT_USE_MBED_TLS)
  mbedtls_platform_zeroize(h, sizeof(fe));
+#else
+ _set(h, 0, sizeof(fe));
+#endif
  h->v[0] = 1;
 }
 
@@ -1074,9 +1090,13 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
  }
  }
 
+#if defined(MCUBOOT_USE_MBED_TLS)
+
  mbedtls_sha512_context ctx;
- mbedtls_sha512_init(&ctx);
  int ret;
+
+ mbedtls_sha512_init(&ctx);
+
  ret = mbedtls_sha512_starts_ret(&ctx, 0);
  assert(ret == 0);
 
@@ -1092,6 +1112,27 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
  assert(ret == 0);
  mbedtls_sha512_free(&ctx);
 
+#else
+
+ struct tc_sha512_state_struct s;
+ int rc;
+
+ rc = tc_sha512_init(&s);
+ assert(rc == TC_CRYPTO_SUCCESS);
+
+ rc = tc_sha512_update(&s, signature, 32);
+ assert(rc == TC_CRYPTO_SUCCESS);
+ rc = tc_sha512_update(&s, public_key, 32);
+ assert(rc == TC_CRYPTO_SUCCESS);
+ rc = tc_sha512_update(&s, message, message_len);
+ assert(rc == TC_CRYPTO_SUCCESS);
+
+ uint8_t h[TC_SHA512_DIGEST_SIZE];
+ rc = tc_sha512_final(h, &s);
+ assert(rc == TC_CRYPTO_SUCCESS);
+
+#endif
+
  x25519_sc_reduce(h);
 
  ge_p2 R;

ext/tinycrypt-sha512/lib/include/tinycrypt/sha512.h

@@ -0,0 +1,129 @@
+/* sha512.h - TinyCrypt interface to a SHA-512 implementation */
+
+/*
+ * Copyright (C) 2020 by Intel Corporation, All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of Intel Corporation nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * @file
+ * @brief Interface to a SHA-512 implementation.
+ *
+ * Overview: SHA-512 is a NIST approved cryptographic hashing algorithm
+ * specified in FIPS 180. A hash algorithm maps data of arbitrary
+ * size to data of fixed length.
+ *
+ * Security: SHA-512 provides 256 bits of security against collision attacks
+ * and 512 bits of security against pre-image attacks. SHA-512 does
+ * NOT behave like a random oracle, but it can be used as one if
+ * the string being hashed is prefix-free encoded before hashing.
+ *
+ * Usage: 1) call tc_sha512_init to initialize a struct
+ * tc_sha512_state_struct before hashing a new string.
+ *
+ * 2) call tc_sha512_update to hash the next string segment;
+ * tc_sha512_update can be called as many times as needed to hash
+ * all of the segments of a string; the order is important.
+ *
+ * 3) call tc_sha512_final to out put the digest from a hashing
+ * operation.
+ */
+
+#ifndef __TC_SHA512_H__
+#define __TC_SHA512_H__
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define TC_SHA512_BLOCK_SIZE (128)
+#define TC_SHA512_DIGEST_SIZE (64)
+#define TC_SHA512_STATE_BLOCKS (TC_SHA512_DIGEST_SIZE/8)
+
+struct tc_sha512_state_struct {
+ uint64_t iv[TC_SHA512_STATE_BLOCKS];
+ uint64_t bits_hashed;
+ uint8_t leftover[TC_SHA512_BLOCK_SIZE];
+ size_t leftover_offset;
+};
+
+typedef struct tc_sha512_state_struct *TCSha512State_t;
+
+/**
+ * @brief SHA512 initialization procedure
+ * Initializes s
+ * @return returns TC_CRYPTO_SUCCESS (1)
+ * returns TC_CRYPTO_FAIL (0) if s == NULL
+ * @param s Sha512 state struct
+ */
+int tc_sha512_init(TCSha512State_t s);
+
+/**
+ * @brief SHA512 update procedure
+ * Hashes data_length bytes addressed by data into state s
+ * @return returns TC_CRYPTO_SUCCESS (1)
+ * returns TC_CRYPTO_FAIL (0) if:
+ * s == NULL,
+ * s->iv == NULL,
+ * data == NULL
+ * @note Assumes s has been initialized by tc_sha512_init
+ * @warning The state buffer 'leftover' is left in memory after processing
+ * If your application intends to have sensitive data in this
+ * buffer, remind to erase it after the data has been processed
+ * @param s Sha512 state struct
+ * @param data message to hash
+ * @param datalen length of message to hash
+ */
+int tc_sha512_update (TCSha512State_t s, const uint8_t *data, size_t datalen);
+
+/**
+ * @brief SHA512 final procedure
+ * Inserts the completed hash computation into digest
+ * @return returns TC_CRYPTO_SUCCESS (1)
+ * returns TC_CRYPTO_FAIL (0) if:
+ * s == NULL,
+ * s->iv == NULL,
+ * digest == NULL
+ * @note Assumes: s has been initialized by tc_sha512_init
+ * digest points to at least TC_SHA512_DIGEST_SIZE bytes
+ * @warning The state buffer 'leftover' is left in memory after processing
+ * If your application intends to have sensitive data in this
+ * buffer, remind to erase it after the data has been processed
+ * @param digest unsigned eight bit integer
+ * @param Sha512 state struct
+ */
+int tc_sha512_final(uint8_t *digest, TCSha512State_t s);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __TC_SHA512_H__ */

ext/tinycrypt-sha512/lib/pkg.yml

@@ -0,0 +1,30 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+# 
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pkg.name: ext/tinycrypt-sha512/lib
+pkg.description: "MCUboot's SHA512 for tinycrypt"
+pkg.author: "Apache Mynewt <[email protected]>"
+pkg.homepage: "http://mynewt.apache.org/"
+pkg.keywords:
+
+pkg.src_dirs:
+ - "source"
+
+pkg.cflags:
+ - "-std=c99"