Mirror/Momentum-Firmware
1
0
Fork 0
mirror of https://github.com/Next-Flip/Momentum-Firmware.git synced 2026-05-12 17:48:35 -07:00
Code Issues Packages Projects Releases Wiki Activity

Expose additional functions of the crypto engine to user (#2923)

Browse Source 
* Allow loading user supplied keys and add CTR mode
* Add GCM mode to furi_hal_crypto
* Split up CTR and GCM code, add flag for adv crypto
* Add convenience functions for GCM crypto
* Run fbt format
* Update GCM to support additional auth data
* Update APIs
* FuriHal: update crypto documentation, method names and usage
* Clean up code for key (un)loading, GCM and CTR
  - get rid of goto
  - do not use furi_hal_bt_is_alive() when not using secure enclave
  - give defines a type and wrap in ()
* Add unit test for CTR and GCM crypto
* FuriHal: const in crypto unit tests, cortex timer for crypto operations timeouts
* FuriHal: update crypto docs

Co-authored-by: twisted_pear <twstd@posteo.net>
Co-authored-by: hedger <hedger@users.noreply.github.com>
Co-authored-by: あく <alleteam@gmail.com>
This commit is contained in:
MX
2023-08-11 17:55:40 +03:00
parent 5f48968a05
commit 09d5b3b1ed
10 changed files with 1302 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

446
firmware/targets/f7/furi_hal/furi_hal_crypto.c
View File

@@ -1,4 +1,5 @@
#include <furi_hal_crypto.h>
#include <furi_hal_cortex.h>
#include <furi_hal_bt.h>
#include <furi_hal_random.h>
#include <furi_hal_bus.h>
@@ -13,7 +14,7 @@
#define ENCLAVE_SIGNATURE_SIZE 16
#define CRYPTO_BLK_LEN (4 * sizeof(uint32_t))
#define CRYPTO_TIMEOUT (1000)
#define CRYPTO_TIMEOUT_US (1000000)
#define CRYPTO_MODE_ENCRYPT 0U
#define CRYPTO_MODE_INIT (AES_CR_MODE_0)
@@ -24,6 +25,19 @@
#define CRYPTO_KEYSIZE_256B (AES_CR_KEYSIZE)
#define CRYPTO_AES_CBC (AES_CR_CHMOD_0)
#define CRYPTO_AES_CTR (AES_CR_CHMOD_1)
#define CRYPTO_CTR_IV_LEN (12U)
#define CRYPTO_CTR_CTR_LEN (4U)
#define CRYPTO_AES_GCM (AES_CR_CHMOD_1 | AES_CR_CHMOD_0)
#define CRYPTO_GCM_IV_LEN (12U)
#define CRYPTO_GCM_CTR_LEN (4U)
#define CRYPTO_GCM_TAG_LEN (16U)
#define CRYPTO_GCM_PH_INIT (0x0U << AES_CR_GCMPH_Pos)
#define CRYPTO_GCM_PH_HEADER (AES_CR_GCMPH_0)
#define CRYPTO_GCM_PH_PAYLOAD (AES_CR_GCMPH_1)
#define CRYPTO_GCM_PH_FINAL (AES_CR_GCMPH_1 | AES_CR_GCMPH_0)
static FuriMutex* furi_hal_crypto_mutex = NULL;
static bool furi_hal_crypto_mode_init_done = false;
@@ -80,7 +94,7 @@ static bool furi_hal_crypto_generate_unique_keys(uint8_t start_slot, uint8_t end
key.size = FuriHalCryptoKeySize256;
key.data = key_data;
furi_hal_random_fill_buf(key_data, 32);
if(!furi_hal_crypto_store_add_key(&key, &slot)) {
if(!furi_hal_crypto_enclave_store_key(&key, &slot)) {
FURI_LOG_E(TAG, "Error writing key to slot %u", slot);
return false;
}
@@ -88,21 +102,21 @@ static bool furi_hal_crypto_generate_unique_keys(uint8_t start_slot, uint8_t end
return true;
}
bool furi_hal_crypto_verify_key(uint8_t key_slot) {
bool furi_hal_crypto_enclave_ensure_key(uint8_t key_slot) {
uint8_t keys_nb = 0;
uint8_t valid_keys_nb = 0;
uint8_t last_valid_slot = ENCLAVE_FACTORY_KEY_SLOTS;
uint8_t empty_iv[16] = {0};
furi_hal_crypto_verify_enclave(&keys_nb, &valid_keys_nb);
furi_hal_crypto_enclave_verify(&keys_nb, &valid_keys_nb);
if(key_slot <= ENCLAVE_FACTORY_KEY_SLOTS) { // It's a factory key
if(key_slot > keys_nb) return false;
} else { // Unique key
if(keys_nb < ENCLAVE_FACTORY_KEY_SLOTS) // Some factory keys are missing
return false;
for(uint8_t i = key_slot; i > ENCLAVE_FACTORY_KEY_SLOTS; i--) {
if(furi_hal_crypto_store_load_key(i, empty_iv)) {
if(furi_hal_crypto_enclave_load_key(i, empty_iv)) {
last_valid_slot = i;
furi_hal_crypto_store_unload_key(i);
furi_hal_crypto_enclave_unload_key(i);
break;
}
}
@@ -114,14 +128,14 @@ bool furi_hal_crypto_verify_key(uint8_t key_slot) {
return true;
}
bool furi_hal_crypto_verify_enclave(uint8_t* keys_nb, uint8_t* valid_keys_nb) {
bool furi_hal_crypto_enclave_verify(uint8_t* keys_nb, uint8_t* valid_keys_nb) {
furi_assert(keys_nb);
furi_assert(valid_keys_nb);
uint8_t keys = 0;
uint8_t keys_valid = 0;
uint8_t buffer[ENCLAVE_SIGNATURE_SIZE];
for(size_t key_slot = 0; key_slot < ENCLAVE_FACTORY_KEY_SLOTS; key_slot++) {
if(furi_hal_crypto_store_load_key(key_slot + 1, enclave_signature_iv[key_slot])) {
if(furi_hal_crypto_enclave_load_key(key_slot + 1, enclave_signature_iv[key_slot])) {
keys++;
if(furi_hal_crypto_encrypt(
enclave_signature_input[key_slot], buffer, ENCLAVE_SIGNATURE_SIZE)) {
@@ -129,7 +143,7 @@ bool furi_hal_crypto_verify_enclave(uint8_t* keys_nb, uint8_t* valid_keys_nb) {
memcmp(buffer, enclave_signature_expected[key_slot], ENCLAVE_SIGNATURE_SIZE) ==
0;
}
furi_hal_crypto_store_unload_key(key_slot + 1);
furi_hal_crypto_enclave_unload_key(key_slot + 1);
}
}
*keys_nb = keys;
@@ -140,7 +154,7 @@ bool furi_hal_crypto_verify_enclave(uint8_t* keys_nb, uint8_t* valid_keys_nb) {
return false;
}
bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot) {
bool furi_hal_crypto_enclave_store_key(FuriHalCryptoKey* key, uint8_t* slot) {
furi_assert(key);
furi_assert(slot);
@@ -205,6 +219,16 @@ static void crypto_key_init(uint32_t* key, uint32_t* iv) {
AES1->IVR0 = iv[3];
}
static bool furi_hal_crypto_wait_flag(uint32_t flag) {
FuriHalCortexTimer timer = furi_hal_cortex_timer_get(CRYPTO_TIMEOUT_US);
while(!READ_BIT(AES1->SR, flag)) {
if(furi_hal_cortex_timer_is_expired(timer)) {
return false;
}
}
return true;
}
static bool crypto_process_block(uint32_t* in, uint32_t* out, uint8_t blk_len) {
furi_check((blk_len <= 4) && (blk_len > 0));
@@ -216,14 +240,8 @@ static bool crypto_process_block(uint32_t* in, uint32_t* out, uint8_t blk_len) {
}
}
uint32_t countdown = CRYPTO_TIMEOUT;
while(!READ_BIT(AES1->SR, AES_SR_CCF)) {
if(LL_SYSTICK_IsActiveCounterFlag()) {
countdown--;
}
if(countdown == 0) {
return false;
}
if(!furi_hal_crypto_wait_flag(AES_SR_CCF)) {
return false;
}
SET_BIT(AES1->CR, AES_CR_CCFC);
@@ -237,7 +255,7 @@ static bool crypto_process_block(uint32_t* in, uint32_t* out, uint8_t blk_len) {
return true;
}
bool furi_hal_crypto_store_load_key(uint8_t slot, const uint8_t* iv) {
bool furi_hal_crypto_enclave_load_key(uint8_t slot, const uint8_t* iv) {
furi_assert(slot > 0 && slot <= 100);
furi_assert(furi_hal_crypto_mutex);
furi_check(furi_mutex_acquire(furi_hal_crypto_mutex, FuriWaitForever) == FuriStatusOk);
@@ -260,7 +278,7 @@ bool furi_hal_crypto_store_load_key(uint8_t slot, const uint8_t* iv) {
}
}
bool furi_hal_crypto_store_unload_key(uint8_t slot) {
bool furi_hal_crypto_enclave_unload_key(uint8_t slot) {
if(!furi_hal_bt_is_alive()) {
return false;
}
@@ -276,6 +294,27 @@ bool furi_hal_crypto_store_unload_key(uint8_t slot) {
return (shci_state == SHCI_Success);
}
bool furi_hal_crypto_load_key(const uint8_t* key, const uint8_t* iv) {
furi_assert(furi_hal_crypto_mutex);
furi_check(furi_mutex_acquire(furi_hal_crypto_mutex, FuriWaitForever) == FuriStatusOk);
furi_hal_bus_enable(FuriHalBusAES1);
furi_hal_crypto_mode_init_done = false;
crypto_key_init((uint32_t*)key, (uint32_t*)iv);
return true;
}
bool furi_hal_crypto_unload_key(void) {
CLEAR_BIT(AES1->CR, AES_CR_EN);
furi_hal_bus_disable(FuriHalBusAES1);
furi_check(furi_mutex_release(furi_hal_crypto_mutex) == FuriStatusOk);
return true;
}
bool furi_hal_crypto_encrypt(const uint8_t* input, uint8_t* output, size_t size) {
bool state = false;
@@ -307,14 +346,8 @@ bool furi_hal_crypto_decrypt(const uint8_t* input, uint8_t* output, size_t size)
SET_BIT(AES1->CR, AES_CR_EN);
uint32_t countdown = CRYPTO_TIMEOUT;
while(!READ_BIT(AES1->SR, AES_SR_CCF)) {
if(LL_SYSTICK_IsActiveCounterFlag()) {
countdown--;
}
if(countdown == 0) {
return false;
}
if(!furi_hal_crypto_wait_flag(AES_SR_CCF)) {
return false;
}
SET_BIT(AES1->CR, AES_CR_CCFC);
@@ -340,3 +373,360 @@ bool furi_hal_crypto_decrypt(const uint8_t* input, uint8_t* output, size_t size)
return state;
}
static void crypto_key_init_bswap(uint32_t* key, uint32_t* iv, uint32_t chaining_mode) {
CLEAR_BIT(AES1->CR, AES_CR_EN);
MODIFY_REG(
AES1->CR,
AES_CR_DATATYPE | AES_CR_KEYSIZE | AES_CR_CHMOD,
CRYPTO_DATATYPE_32B | CRYPTO_KEYSIZE_256B | chaining_mode);
if(key != NULL) {
AES1->KEYR7 = __builtin_bswap32(key[0]);
AES1->KEYR6 = __builtin_bswap32(key[1]);
AES1->KEYR5 = __builtin_bswap32(key[2]);
AES1->KEYR4 = __builtin_bswap32(key[3]);
AES1->KEYR3 = __builtin_bswap32(key[4]);
AES1->KEYR2 = __builtin_bswap32(key[5]);
AES1->KEYR1 = __builtin_bswap32(key[6]);
AES1->KEYR0 = __builtin_bswap32(key[7]);
}
AES1->IVR3 = __builtin_bswap32(iv[0]);
AES1->IVR2 = __builtin_bswap32(iv[1]);
AES1->IVR1 = __builtin_bswap32(iv[2]);
AES1->IVR0 = __builtin_bswap32(iv[3]);
}
static bool
furi_hal_crypto_load_key_bswap(const uint8_t* key, const uint8_t* iv, uint32_t chaining_mode) {
furi_assert(furi_hal_crypto_mutex);
furi_check(furi_mutex_acquire(furi_hal_crypto_mutex, FuriWaitForever) == FuriStatusOk);
furi_hal_bus_enable(FuriHalBusAES1);
crypto_key_init_bswap((uint32_t*)key, (uint32_t*)iv, chaining_mode);
return true;
}
static bool wait_for_crypto(void) {
if(!furi_hal_crypto_wait_flag(AES_SR_CCF)) {
return false;
}
SET_BIT(AES1->CR, AES_CR_CCFC);
return true;
}
static bool furi_hal_crypto_process_block_bswap(const uint8_t* in, uint8_t* out, size_t bytes) {
uint32_t block[CRYPTO_BLK_LEN / 4];
memset(block, 0, sizeof(block));
memcpy(block, in, bytes);
block[0] = __builtin_bswap32(block[0]);
block[1] = __builtin_bswap32(block[1]);
block[2] = __builtin_bswap32(block[2]);
block[3] = __builtin_bswap32(block[3]);
if(!crypto_process_block(block, block, CRYPTO_BLK_LEN / 4)) {
return false;
}
block[0] = __builtin_bswap32(block[0]);
block[1] = __builtin_bswap32(block[1]);
block[2] = __builtin_bswap32(block[2]);
block[3] = __builtin_bswap32(block[3]);
memcpy(out, block, bytes);
return true;
}
static bool furi_hal_crypto_process_block_no_read_bswap(const uint8_t* in, size_t bytes) {
uint32_t block[CRYPTO_BLK_LEN / 4];
memset(block, 0, sizeof(block));
memcpy(block, in, bytes);
AES1->DINR = __builtin_bswap32(block[0]);
AES1->DINR = __builtin_bswap32(block[1]);
AES1->DINR = __builtin_bswap32(block[2]);
AES1->DINR = __builtin_bswap32(block[3]);
return wait_for_crypto();
}
static void furi_hal_crypto_ctr_prep_iv(uint8_t* iv) {
/* append counter to IV */
iv[CRYPTO_CTR_IV_LEN] = 0;
iv[CRYPTO_CTR_IV_LEN + 1] = 0;
iv[CRYPTO_CTR_IV_LEN + 2] = 0;
iv[CRYPTO_CTR_IV_LEN + 3] = 1;
}
static bool furi_hal_crypto_ctr_payload(const uint8_t* input, uint8_t* output, size_t length) {
SET_BIT(AES1->CR, AES_CR_EN);
MODIFY_REG(AES1->CR, AES_CR_MODE, CRYPTO_MODE_ENCRYPT);
size_t last_block_bytes = length % CRYPTO_BLK_LEN;
size_t i;
for(i = 0; i < length - last_block_bytes; i += CRYPTO_BLK_LEN) {
if(!furi_hal_crypto_process_block_bswap(&input[i], &output[i], CRYPTO_BLK_LEN)) {
CLEAR_BIT(AES1->CR, AES_CR_EN);
return false;
}
}
if(last_block_bytes > 0) {
if(!furi_hal_crypto_process_block_bswap(&input[i], &output[i], last_block_bytes)) {
CLEAR_BIT(AES1->CR, AES_CR_EN);
return false;
}
}
CLEAR_BIT(AES1->CR, AES_CR_EN);
return true;
}
bool furi_hal_crypto_ctr(
const uint8_t* key,
const uint8_t* iv,
const uint8_t* input,
uint8_t* output,
size_t length) {
/* prepare IV and counter */
uint8_t iv_and_counter[CRYPTO_CTR_IV_LEN + CRYPTO_CTR_CTR_LEN];
memcpy(iv_and_counter, iv, CRYPTO_CTR_IV_LEN);
furi_hal_crypto_ctr_prep_iv(iv_and_counter);
/* load key and IV and set the mode to CTR */
if(!furi_hal_crypto_load_key_bswap(key, iv_and_counter, CRYPTO_AES_CTR)) {
furi_hal_crypto_unload_key();
return false;
}
/* process the input and write to output */
bool state = furi_hal_crypto_ctr_payload(input, output, length);
furi_hal_crypto_unload_key();
return state;
}
static void furi_hal_crypto_gcm_prep_iv(uint8_t* iv) {
/* append counter to IV */
iv[CRYPTO_GCM_IV_LEN] = 0;
iv[CRYPTO_GCM_IV_LEN + 1] = 0;
iv[CRYPTO_GCM_IV_LEN + 2] = 0;
iv[CRYPTO_GCM_IV_LEN + 3] = 2;
}
static bool furi_hal_crypto_gcm_init(bool decrypt) {
/* GCM init phase */
MODIFY_REG(AES1->CR, AES_CR_GCMPH, CRYPTO_GCM_PH_INIT);
if(decrypt) {
MODIFY_REG(AES1->CR, AES_CR_MODE, CRYPTO_MODE_DECRYPT);
} else {
MODIFY_REG(AES1->CR, AES_CR_MODE, CRYPTO_MODE_ENCRYPT);
}
SET_BIT(AES1->CR, AES_CR_EN);
if(!wait_for_crypto()) {
CLEAR_BIT(AES1->CR, AES_CR_EN);
return false;
}
return true;
}
static bool furi_hal_crypto_gcm_header(const uint8_t* aad, size_t aad_length) {
/* GCM header phase */
MODIFY_REG(AES1->CR, AES_CR_GCMPH, CRYPTO_GCM_PH_HEADER);
SET_BIT(AES1->CR, AES_CR_EN);
size_t last_block_bytes = aad_length % CRYPTO_BLK_LEN;
size_t i;
for(i = 0; i < aad_length - last_block_bytes; i += CRYPTO_BLK_LEN) {
if(!furi_hal_crypto_process_block_no_read_bswap(&aad[i], CRYPTO_BLK_LEN)) {
CLEAR_BIT(AES1->CR, AES_CR_EN);
return false;
}
}
if(last_block_bytes > 0) {
if(!furi_hal_crypto_process_block_no_read_bswap(&aad[i], last_block_bytes)) {
CLEAR_BIT(AES1->CR, AES_CR_EN);
return false;
}
}
return true;
}
static bool furi_hal_crypto_gcm_payload(
const uint8_t* input,
uint8_t* output,
size_t length,
bool decrypt) {
/* GCM payload phase */
MODIFY_REG(AES1->CR, AES_CR_GCMPH, CRYPTO_GCM_PH_PAYLOAD);
SET_BIT(AES1->CR, AES_CR_EN);
size_t last_block_bytes = length % CRYPTO_BLK_LEN;
size_t i;
for(i = 0; i < length - last_block_bytes; i += CRYPTO_BLK_LEN) {
if(!furi_hal_crypto_process_block_bswap(&input[i], &output[i], CRYPTO_BLK_LEN)) {
CLEAR_BIT(AES1->CR, AES_CR_EN);
return false;
}
}
if(last_block_bytes > 0) {
if(!decrypt) {
MODIFY_REG(
AES1->CR, AES_CR_NPBLB, (CRYPTO_BLK_LEN - last_block_bytes) << AES_CR_NPBLB_Pos);
}
if(!furi_hal_crypto_process_block_bswap(&input[i], &output[i], last_block_bytes)) {
CLEAR_BIT(AES1->CR, AES_CR_EN);
return false;
}
}
return true;
}
static bool furi_hal_crypto_gcm_finish(size_t aad_length, size_t payload_length, uint8_t* tag) {
/* GCM final phase */
MODIFY_REG(AES1->CR, AES_CR_GCMPH, CRYPTO_GCM_PH_FINAL);
uint32_t last_block[CRYPTO_BLK_LEN / 4];
memset(last_block, 0, sizeof(last_block));
last_block[1] = __builtin_bswap32((uint32_t)(aad_length * 8));
last_block[3] = __builtin_bswap32((uint32_t)(payload_length * 8));
if(!furi_hal_crypto_process_block_bswap((uint8_t*)&last_block[0], tag, CRYPTO_BLK_LEN)) {
CLEAR_BIT(AES1->CR, AES_CR_EN);
return false;
}
return true;
}
static bool furi_hal_crypto_gcm_compare_tag(const uint8_t* tag1, const uint8_t* tag2) {
uint8_t diff = 0;
size_t i;
for(i = 0; i < CRYPTO_GCM_TAG_LEN; i++) {
diff |= tag1[i] ^ tag2[i];
}
return (diff == 0);
}
bool furi_hal_crypto_gcm(
const uint8_t* key,
const uint8_t* iv,
const uint8_t* aad,
size_t aad_length,
const uint8_t* input,
uint8_t* output,
size_t length,
uint8_t* tag,
bool decrypt) {
/* GCM init phase */
/* prepare IV and counter */
uint8_t iv_and_counter[CRYPTO_GCM_IV_LEN + CRYPTO_GCM_CTR_LEN];
memcpy(iv_and_counter, iv, CRYPTO_GCM_IV_LEN);
furi_hal_crypto_gcm_prep_iv(iv_and_counter);
/* load key and IV and set the mode to CTR */
if(!furi_hal_crypto_load_key_bswap(key, iv_and_counter, CRYPTO_AES_GCM)) {
furi_hal_crypto_unload_key();
return false;
}
if(!furi_hal_crypto_gcm_init(decrypt)) {
furi_hal_crypto_unload_key();
return false;
}
/* GCM header phase */
if(aad_length > 0) {
if(!furi_hal_crypto_gcm_header(aad, aad_length)) {
furi_hal_crypto_unload_key();
return false;
}
}
/* GCM payload phase */
if(!furi_hal_crypto_gcm_payload(input, output, length, decrypt)) {
furi_hal_crypto_unload_key();
return false;
}
/* GCM final phase */
if(!furi_hal_crypto_gcm_finish(aad_length, length, tag)) {
furi_hal_crypto_unload_key();
return false;
}
furi_hal_crypto_unload_key();
return true;
}
FuriHalCryptoGCMState furi_hal_crypto_gcm_encrypt_and_tag(
const uint8_t* key,
const uint8_t* iv,
const uint8_t* aad,
size_t aad_length,
const uint8_t* input,
uint8_t* output,
size_t length,
uint8_t* tag) {
if(!furi_hal_crypto_gcm(key, iv, aad, aad_length, input, output, length, tag, false)) {
memset(output, 0, length);
memset(tag, 0, CRYPTO_GCM_TAG_LEN);
return FuriHalCryptoGCMStateError;
}
return FuriHalCryptoGCMStateOk;
}
FuriHalCryptoGCMState furi_hal_crypto_gcm_decrypt_and_verify(
const uint8_t* key,
const uint8_t* iv,
const uint8_t* aad,
size_t aad_length,
const uint8_t* input,
uint8_t* output,
size_t length,
const uint8_t* tag) {
uint8_t dtag[CRYPTO_GCM_TAG_LEN];
if(!furi_hal_crypto_gcm(key, iv, aad, aad_length, input, output, length, dtag, true)) {
memset(output, 0, length);
return FuriHalCryptoGCMStateError;
}
if(!furi_hal_crypto_gcm_compare_tag(dtag, tag)) {
memset(output, 0, length);
return FuriHalCryptoGCMStateAuthFailure;
}
return FuriHalCryptoGCMStateOk;
}

2
firmware/targets/f7/furi_hal/furi_hal_info.c
View File

@@ -283,7 +283,7 @@ void furi_hal_info_get(PropertyValueCallback out, char sep, void* context) {
// Signature verification
uint8_t enclave_keys = 0;
uint8_t enclave_valid_keys = 0;
bool enclave_valid = furi_hal_crypto_verify_enclave(&enclave_keys, &enclave_valid_keys);
bool enclave_valid = furi_hal_crypto_enclave_verify(&enclave_keys, &enclave_valid_keys);
if(sep == '.') {
property_value_out(
&property_context, "%d", 3, "enclave", "keys", "valid", enclave_valid_keys);