Software APIs
ecc.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/lib/crypto/include/ecc.h"
6 
7 #include "sw/device/lib/crypto/drivers/entropy.h"
8 #include "sw/device/lib/crypto/drivers/hmac.h"
9 #include "sw/device/lib/crypto/impl/ecc/p256.h"
10 #include "sw/device/lib/crypto/impl/ecc/p384.h"
11 #include "sw/device/lib/crypto/impl/integrity.h"
12 #include "sw/device/lib/crypto/impl/keyblob.h"
13 #include "sw/device/lib/crypto/include/datatypes.h"
14 
15 // Module ID for status codes.
16 #define MODULE_ID MAKE_MODULE_ID('e', 'c', 'c')
17 
18 otcrypto_status_t otcrypto_ecdsa_p256_keygen(
19  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
20  HARDENED_TRY(otcrypto_ecdsa_p256_keygen_async_start(private_key));
21  return otcrypto_ecdsa_p256_keygen_async_finalize(private_key, public_key);
22 }
23 
24 otcrypto_status_t otcrypto_ecdsa_p384_keygen(
25  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
26  HARDENED_TRY(otcrypto_ecdsa_p384_keygen_async_start(private_key));
27  return otcrypto_ecdsa_p384_keygen_async_finalize(private_key, public_key);
28 }
29 
30 otcrypto_status_t otcrypto_ecdsa_p256_sign(
31  const otcrypto_blinded_key_t *private_key,
32  const otcrypto_hash_digest_t message_digest,
33  otcrypto_word32_buf_t signature) {
34  HARDENED_TRY(
35  otcrypto_ecdsa_p256_sign_async_start(private_key, message_digest));
36  return otcrypto_ecdsa_p256_sign_async_finalize(signature);
37 }
38 
39 otcrypto_status_t otcrypto_ecdsa_p384_sign(
40  const otcrypto_blinded_key_t *private_key,
41  const otcrypto_hash_digest_t message_digest,
42  otcrypto_word32_buf_t signature) {
43  HARDENED_TRY(
44  otcrypto_ecdsa_p384_sign_async_start(private_key, message_digest));
45  return otcrypto_ecdsa_p384_sign_async_finalize(signature);
46 }
47 
48 otcrypto_status_t otcrypto_ecdsa_p256_verify(
49  const otcrypto_unblinded_key_t *public_key,
50  const otcrypto_hash_digest_t message_digest,
51  otcrypto_const_word32_buf_t signature,
52  hardened_bool_t *verification_result) {
53  HARDENED_TRY(otcrypto_ecdsa_p256_verify_async_start(
54  public_key, message_digest, signature));
55  return otcrypto_ecdsa_p256_verify_async_finalize(signature,
56  verification_result);
57 }
58 
59 otcrypto_status_t otcrypto_ecdsa_p384_verify(
60  const otcrypto_unblinded_key_t *public_key,
61  const otcrypto_hash_digest_t message_digest,
62  otcrypto_const_word32_buf_t signature,
63  hardened_bool_t *verification_result) {
64  HARDENED_TRY(otcrypto_ecdsa_p384_verify_async_start(
65  public_key, message_digest, signature));
66  return otcrypto_ecdsa_p384_verify_async_finalize(signature,
67  verification_result);
68 }
69 
70 otcrypto_status_t otcrypto_ecdh_p256_keygen(
71  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
72  HARDENED_TRY(otcrypto_ecdh_p256_keygen_async_start(private_key));
73  return otcrypto_ecdh_p256_keygen_async_finalize(private_key, public_key);
74 }
75 
76 otcrypto_status_t otcrypto_ecdh_p384_keygen(
77  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
78  HARDENED_TRY(otcrypto_ecdh_p384_keygen_async_start(private_key));
79  return otcrypto_ecdh_p384_keygen_async_finalize(private_key, public_key);
80 }
81 
82 otcrypto_status_t otcrypto_ecdh_p256(const otcrypto_blinded_key_t *private_key,
83  const otcrypto_unblinded_key_t *public_key,
84  otcrypto_blinded_key_t *shared_secret) {
85  HARDENED_TRY(otcrypto_ecdh_p256_async_start(private_key, public_key));
86  return otcrypto_ecdh_p256_async_finalize(shared_secret);
87 }
88 
89 otcrypto_status_t otcrypto_ecdh_p384(const otcrypto_blinded_key_t *private_key,
90  const otcrypto_unblinded_key_t *public_key,
91  otcrypto_blinded_key_t *shared_secret) {
92  HARDENED_TRY(otcrypto_ecdh_p384_async_start(private_key, public_key));
93  return otcrypto_ecdh_p384_async_finalize(shared_secret);
94 }
95 
96 otcrypto_status_t otcrypto_ed25519_keygen(
97  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
98  // TODO: Ed25519 is not yet implemented.
99  return OTCRYPTO_NOT_IMPLEMENTED;
100 }
101 
102 otcrypto_status_t otcrypto_ed25519_sign(
103  const otcrypto_blinded_key_t *private_key,
104  otcrypto_const_byte_buf_t input_message,
105  otcrypto_eddsa_sign_mode_t sign_mode, otcrypto_word32_buf_t signature) {
106  // TODO: Ed25519 is not yet implemented.
107  return OTCRYPTO_NOT_IMPLEMENTED;
108 }
109 
110 otcrypto_status_t otcrypto_ed25519_verify(
111  const otcrypto_unblinded_key_t *public_key,
112  otcrypto_const_byte_buf_t input_message,
113  otcrypto_eddsa_sign_mode_t sign_mode, otcrypto_const_word32_buf_t signature,
114  hardened_bool_t *verification_result) {
115  // TODO: Ed25519 is not yet implemented.
116  return OTCRYPTO_NOT_IMPLEMENTED;
117 }
118 
119 otcrypto_status_t otcrypto_x25519_keygen(otcrypto_blinded_key_t *private_key,
120  otcrypto_unblinded_key_t *public_key) {
121  // TODO: Connect X25519 operations to API.
122  return OTCRYPTO_NOT_IMPLEMENTED;
123 }
124 
125 otcrypto_status_t otcrypto_x25519(const otcrypto_blinded_key_t *private_key,
126  const otcrypto_unblinded_key_t *public_key,
127  otcrypto_blinded_key_t *shared_secret) {
128  // TODO: Connect X25519 operations to API.
129  return OTCRYPTO_NOT_IMPLEMENTED;
130 }
131 
132 /**
133  * Calls keymgr to sideload key material into OTBN.
134  *
135  * This routine should only ever be called on hardware-backed keys.
136  *
137  * @param private_key Sideloaded key handle.
138  * @return OK or error.
139  */
140 OT_WARN_UNUSED_RESULT
141 static status_t sideload_key_seed(const otcrypto_blinded_key_t *private_key) {
142  keymgr_diversification_t diversification;
143  HARDENED_TRY(
144  keyblob_to_keymgr_diversification(private_key, &diversification));
145  return keymgr_generate_key_otbn(diversification);
146 }
147 
148 /**
149  * Calls P-256 key generation.
150  *
151  * Can be used for both ECDSA and ECDH. If the key is hardware-backed, loads
152  * the data from key manager and calls the sideloaded key generation routine.
153  *
154  * @param private_key Sideloaded key handle.
155  * @return OK or error.
156  */
157 OT_WARN_UNUSED_RESULT
158 static status_t internal_p256_keygen_start(
159  const otcrypto_blinded_key_t *private_key) {
160  // Check that the entropy complex is initialized.
161  HARDENED_TRY(entropy_complex_check());
162 
163  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
164  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
165  HARDENED_TRY(sideload_key_seed(private_key));
166  return p256_sideload_keygen_start();
167  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
168  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
169  return p256_keygen_start();
170  } else {
171  return OTCRYPTO_BAD_ARGS;
172  }
173  return OTCRYPTO_OK;
174 }
175 
176 otcrypto_status_t otcrypto_ecdsa_p256_keygen_async_start(
177  const otcrypto_blinded_key_t *private_key) {
178  if (private_key == NULL || private_key->keyblob == NULL) {
179  return OTCRYPTO_BAD_ARGS;
180  }
181 
182  // Check the key mode.
183  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP256) {
184  return OTCRYPTO_BAD_ARGS;
185  }
186  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP256);
187 
188  return internal_p256_keygen_start(private_key);
189 }
190 
191 /**
192  * Calls P-384 key generation.
193  *
194  * Can be used for both ECDSA and ECDH. If the key is hardware-backed, loads
195  * the data from key manager and calls the sideloaded key generation routine.
196  *
197  * @param private_key Sideloaded key handle.
198  * @return OK or error.
199  */
200 OT_WARN_UNUSED_RESULT
201 static status_t internal_p384_keygen_start(
202  const otcrypto_blinded_key_t *private_key) {
203  // Check that the entropy complex is initialized.
204  HARDENED_TRY(entropy_complex_check());
205 
206  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
207  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
208  HARDENED_TRY(sideload_key_seed(private_key));
209  return p384_sideload_keygen_start();
210  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
211  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
212  return p384_keygen_start();
213  } else {
214  return OTCRYPTO_BAD_ARGS;
215  }
216  return OTCRYPTO_OK;
217 }
218 
219 otcrypto_status_t otcrypto_ecdsa_p384_keygen_async_start(
220  const otcrypto_blinded_key_t *private_key) {
221  if (private_key == NULL || private_key->keyblob == NULL) {
222  return OTCRYPTO_BAD_ARGS;
223  }
224 
225  // Check the key mode.
226  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP384) {
227  return OTCRYPTO_BAD_ARGS;
228  }
229  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP384);
230 
231  return internal_p384_keygen_start(private_key);
232 }
233 
234 /**
235  * Check the lengths of private keys for curve P-256.
236  *
237  * Checks the length of caller-allocated buffers for a P-256 private key. This
238  * function may be used for both ECDSA and ECDH keys, since the key structure
239  * is the same.
240  *
241  * If this check passes and `hw_backed` is false, it is safe to interpret
242  * `private_key->keyblob` as a `p256_masked_scalar_t *`.
243  *
244  * @param private_key Private key struct to check.
245  * @return OK if the lengths are correct or BAD_ARGS otherwise.
246  */
247 OT_WARN_UNUSED_RESULT
248 static status_t p256_private_key_length_check(
249  const otcrypto_blinded_key_t *private_key) {
250  if (private_key->keyblob == NULL) {
251  return OTCRYPTO_BAD_ARGS;
252  }
253 
254  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
255  // Skip the length check in this case; if the salt is the wrong length, the
256  // keyblob library will catch it before we sideload the key.
257  return OTCRYPTO_OK;
258  }
259  HARDENED_CHECK_NE(private_key->config.hw_backed, kHardenedBoolTrue);
260 
261  // Check the unmasked length.
262  if (launder32(private_key->config.key_length) != kP256ScalarBytes) {
263  return OTCRYPTO_BAD_ARGS;
264  }
265  HARDENED_CHECK_EQ(private_key->config.key_length, kP256ScalarBytes);
266 
267  // Check the single-share length.
268  if (launder32(keyblob_share_num_words(private_key->config)) !=
269  kP256MaskedScalarShareWords) {
270  return OTCRYPTO_BAD_ARGS;
271  }
272  HARDENED_CHECK_EQ(keyblob_share_num_words(private_key->config),
273  kP256MaskedScalarShareWords);
274 
275  // Check the keyblob length.
276  if (launder32(private_key->keyblob_length) != sizeof(p256_masked_scalar_t)) {
277  return OTCRYPTO_BAD_ARGS;
278  }
279  HARDENED_CHECK_EQ(private_key->keyblob_length, sizeof(p256_masked_scalar_t));
280 
281  return OTCRYPTO_OK;
282 }
283 
284 /**
285  * Check the lengths of public keys for curve P-256.
286  *
287  * Checks the length of caller-allocated buffers for a P-256 public key. This
288  * function may be used for both ECDSA and ECDH keys, since the key structure
289  * is the same.
290  *
291  * If this check passes, it is safe to interpret public_key->key as a
292  * `p256_point_t *`.
293  *
294  * @param public_key Public key struct to check.
295  * @return OK if the lengths are correct or BAD_ARGS otherwise.
296  */
297 OT_WARN_UNUSED_RESULT
298 static status_t p256_public_key_length_check(
299  const otcrypto_unblinded_key_t *public_key) {
300  if (launder32(public_key->key_length) != sizeof(p256_point_t)) {
301  return OTCRYPTO_BAD_ARGS;
302  }
303  HARDENED_CHECK_EQ(public_key->key_length, sizeof(p256_point_t));
304  return OTCRYPTO_OK;
305 }
306 
307 /**
308  * Check the lengths of private keys for curve P-384.
309  *
310  * Checks the length of caller-allocated buffers for a P-384 private key. This
311  * function may be used for both ECDSA and ECDH keys, since the key structure
312  * is the same.
313  *
314  * If this check passes and `hw_backed` is false, it is safe to interpret
315  * `private_key->keyblob` as a `p384_masked_scalar_t *`.
316  *
317  * @param private_key Private key struct to check.
318  * @return OK if the lengths are correct or BAD_ARGS otherwise.
319  */
320 OT_WARN_UNUSED_RESULT
321 static status_t p384_private_key_length_check(
322  const otcrypto_blinded_key_t *private_key) {
323  if (private_key->keyblob == NULL) {
324  return OTCRYPTO_BAD_ARGS;
325  }
326 
327  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
328  // Skip the length check in this case; if the salt is the wrong length, the
329  // keyblob library will catch it before we sideload the key.
330  return OTCRYPTO_OK;
331  }
332  HARDENED_CHECK_NE(private_key->config.hw_backed, kHardenedBoolTrue);
333 
334  // Check the unmasked length.
335  if (launder32(private_key->config.key_length) != kP384ScalarBytes) {
336  return OTCRYPTO_BAD_ARGS;
337  }
338  HARDENED_CHECK_EQ(private_key->config.key_length, kP384ScalarBytes);
339 
340  // Check the single-share length.
341  if (launder32(keyblob_share_num_words(private_key->config)) !=
342  kP384MaskedScalarShareWords) {
343  return OTCRYPTO_BAD_ARGS;
344  }
345  HARDENED_CHECK_EQ(keyblob_share_num_words(private_key->config),
346  kP384MaskedScalarShareWords);
347 
348  // Check the keyblob length.
349  if (launder32(private_key->keyblob_length) != sizeof(p384_masked_scalar_t)) {
350  return OTCRYPTO_BAD_ARGS;
351  }
352  HARDENED_CHECK_EQ(private_key->keyblob_length, sizeof(p384_masked_scalar_t));
353 
354  return OTCRYPTO_OK;
355 }
356 
357 /**
358  * Check the lengths of public keys for curve P-384.
359  *
360  * Checks the length of caller-allocated buffers for a P-384 public key. This
361  * function may be used for both ECDSA and ECDH keys, since the key structure
362  * is the same.
363  *
364  * If this check passes, it is safe to interpret public_key->key as a
365  * `p384_point_t *`.
366  *
367  * @param public_key Public key struct to check.
368  * @return OK if the lengths are correct or BAD_ARGS otherwise.
369  */
370 OT_WARN_UNUSED_RESULT
371 static status_t p384_public_key_length_check(
372  const otcrypto_unblinded_key_t *public_key) {
373  if (launder32(public_key->key_length) != sizeof(p384_point_t)) {
374  return OTCRYPTO_BAD_ARGS;
375  }
376  HARDENED_CHECK_EQ(public_key->key_length, sizeof(p384_point_t));
377  return OTCRYPTO_OK;
378 }
379 
380 /**
381  * Finalize a keypair generation operation for curve P-256.
382  *
383  * This function assumes that space is already allocated for all key material
384  * and that the length parameters on the structs are set accordingly, in the
385  * same way as for `otcrypto_ecdh_p256_keygen_async_finalize` and
386  * `otcrypto_ecdsa_p256_keygen_async_finalize`.
387  *
388  * @param[out] private_key Private key to populate.
389  * @param[out] public_key Public key to populate.
390  * @return OK or error.
391  */
392 OT_WARN_UNUSED_RESULT
393 static status_t internal_p256_keygen_finalize(
394  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
395  // Check the lengths of caller-allocated buffers.
396  HARDENED_TRY(p256_private_key_length_check(private_key));
397  HARDENED_TRY(p256_public_key_length_check(public_key));
398  p256_point_t *pk = (p256_point_t *)public_key->key;
399 
400  // Note: The `finalize` operations wipe DMEM after retrieving the keys, so if
401  // an error occurs after this point then the keys would be unrecoverable.
402  // The `finalize` call should be the last potentially error-causing line
403  // before returning to the caller.
404 
405  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
406  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
407  HARDENED_TRY(p256_sideload_keygen_finalize(pk));
408  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
409  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
410  p256_masked_scalar_t *sk = (p256_masked_scalar_t *)private_key->keyblob;
411  HARDENED_TRY(p256_keygen_finalize(sk, pk));
412  private_key->checksum = integrity_blinded_checksum(private_key);
413  } else {
414  return OTCRYPTO_BAD_ARGS;
415  }
416 
417  // Prepare the public key.
418  public_key->checksum = integrity_unblinded_checksum(public_key);
419 
420  // Clear the OTBN sideload slot (in case the seed was sideloaded).
421  return keymgr_sideload_clear_otbn();
422 }
423 
424 /**
425  * Finalize a keypair generation operation for curve P-384.
426  *
427  * This function assumes that space is already allocated for all key material
428  * and that the length parameters on the structs are set accordingly, in the
429  * same way as for `otcrypto_ecdh_p384_keygen_async_finalize` and
430  * `otcrypto_ecdsa_p384_keygen_async_finalize`.
431  *
432  * @param[out] private_key Private key to populate.
433  * @param[out] public_key Public key to populate.
434  * @return OK or error.
435  */
436 OT_WARN_UNUSED_RESULT
437 static status_t internal_p384_keygen_finalize(
438  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
439  // Check the lengths of caller-allocated buffers.
440  HARDENED_TRY(p384_private_key_length_check(private_key));
441  HARDENED_TRY(p384_public_key_length_check(public_key));
442 
443  // Interpret the key buffer as a P-384 point.
444  p384_point_t *pk = (p384_point_t *)public_key->key;
445 
446  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
447  // Note: This operation wipes DMEM after retrieving the keys, so if an error
448  // occurs after this point then the keys would be unrecoverable. This should
449  // be the last potentially error-causing line before returning to the
450  // caller.
451  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
452  HARDENED_TRY(p384_sideload_keygen_finalize(pk));
453  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
454  p384_masked_scalar_t *sk = (p384_masked_scalar_t *)private_key->keyblob;
455  // Note: This operation wipes DMEM after retrieving the keys, so if an error
456  // occurs after this point then the keys would be unrecoverable. This should
457  // be the last potentially error-causing line before returning to the
458  // caller.
459  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
460  HARDENED_TRY(p384_keygen_finalize(sk, pk));
461  private_key->checksum = integrity_blinded_checksum(private_key);
462  } else {
463  return OTCRYPTO_BAD_ARGS;
464  }
465 
466  public_key->checksum = integrity_unblinded_checksum(public_key);
467  return OTCRYPTO_OK;
468 }
469 
470 otcrypto_status_t otcrypto_ecdsa_p256_keygen_async_finalize(
471  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
472  // Check for any NULL pointers.
473  if (private_key == NULL || public_key == NULL ||
474  private_key->keyblob == NULL || public_key->key == NULL) {
475  return OTCRYPTO_BAD_ARGS;
476  }
477 
478  // Check the key modes.
479  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP256 ||
480  launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP256) {
481  return OTCRYPTO_BAD_ARGS;
482  }
483  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP256);
484  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdsaP256);
485 
486  return internal_p256_keygen_finalize(private_key, public_key);
487 }
488 
489 otcrypto_status_t otcrypto_ecdsa_p384_keygen_async_finalize(
490  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
491  // Check for any NULL pointers.
492  if (private_key == NULL || public_key == NULL ||
493  private_key->keyblob == NULL || public_key->key == NULL) {
494  return OTCRYPTO_BAD_ARGS;
495  }
496 
497  // Check the key modes.
498  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP384 ||
499  launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP384) {
500  return OTCRYPTO_BAD_ARGS;
501  }
502  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP384);
503  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdsaP384);
504 
505  HARDENED_TRY(internal_p384_keygen_finalize(private_key, public_key));
506 
507  // Clear the OTBN sideload slot (in case the seed was sideloaded).
508  return keymgr_sideload_clear_otbn();
509 }
510 
511 otcrypto_status_t otcrypto_ecdsa_p256_sign_async_start(
512  const otcrypto_blinded_key_t *private_key,
513  const otcrypto_hash_digest_t message_digest) {
514  if (private_key == NULL || private_key->keyblob == NULL ||
515  message_digest.data == NULL) {
516  return OTCRYPTO_BAD_ARGS;
517  }
518 
519  // Check the integrity of the private key.
520  if (launder32(integrity_blinded_key_check(private_key)) !=
521  kHardenedBoolTrue) {
522  return OTCRYPTO_BAD_ARGS;
523  }
524  HARDENED_CHECK_EQ(integrity_blinded_key_check(private_key),
525  kHardenedBoolTrue);
526 
527  // Check that the entropy complex is initialized.
528  HARDENED_TRY(entropy_complex_check());
529 
530  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP256) {
531  return OTCRYPTO_BAD_ARGS;
532  }
533  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP256);
534 
535  // Check the digest length.
536  if (launder32(message_digest.len) != kP256ScalarWords) {
537  return OTCRYPTO_BAD_ARGS;
538  }
539  HARDENED_CHECK_EQ(message_digest.len, kP256ScalarWords);
540 
541  // Check the key length.
542  HARDENED_TRY(p256_private_key_length_check(private_key));
543 
544  if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
545  // Start the asynchronous signature-generation routine.
546  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
547  p256_masked_scalar_t *sk = (p256_masked_scalar_t *)private_key->keyblob;
548  return p256_ecdsa_sign_start(message_digest.data, sk);
549  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
550  // Load the key and start in sideloaded-key mode.
551  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
552  HARDENED_TRY(sideload_key_seed(private_key));
553  return p256_ecdsa_sideload_sign_start(message_digest.data);
554  }
555 
556  // Invalid value for private_key->hw_backed.
557  return OTCRYPTO_BAD_ARGS;
558 }
559 
560 otcrypto_status_t otcrypto_ecdsa_p384_sign_async_start(
561  const otcrypto_blinded_key_t *private_key,
562  const otcrypto_hash_digest_t message_digest) {
563  if (private_key == NULL || private_key->keyblob == NULL ||
564  message_digest.data == NULL) {
565  return OTCRYPTO_BAD_ARGS;
566  }
567 
568  // Check the integrity of the private key.
569  if (launder32(integrity_blinded_key_check(private_key)) !=
570  kHardenedBoolTrue) {
571  return OTCRYPTO_BAD_ARGS;
572  }
573  HARDENED_CHECK_EQ(integrity_blinded_key_check(private_key),
574  kHardenedBoolTrue);
575 
576  // Check that the entropy complex is initialized.
577  HARDENED_TRY(entropy_complex_check());
578 
579  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdsaP384) {
580  return OTCRYPTO_BAD_ARGS;
581  }
582  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdsaP384);
583 
584  // Check the digest length.
585  if (launder32(message_digest.len) != kP384ScalarWords) {
586  return OTCRYPTO_BAD_ARGS;
587  }
588  HARDENED_CHECK_EQ(message_digest.len, kP384ScalarWords);
589 
590  // Check the key length.
591  HARDENED_TRY(p384_private_key_length_check(private_key));
592 
593  if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
594  // Start the asynchronous signature-generation routine.
595  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
596  p384_masked_scalar_t *sk = (p384_masked_scalar_t *)private_key->keyblob;
597  return p384_ecdsa_sign_start(message_digest.data, sk);
598  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
599  // Load the key and start in sideloaded-key mode.
600  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
601  HARDENED_TRY(sideload_key_seed(private_key));
602  return p384_ecdsa_sideload_sign_start(message_digest.data);
603  }
604 
605  // Invalid value for private_key->hw_backed.
606  return OTCRYPTO_BAD_ARGS;
607 }
608 
609 /**
610  * Check the length of a signature buffer for ECDSA with P-256.
611  *
612  * If this check passes on `signature.len`, it is safe to interpret
613  * `signature.data` as `p256_ecdsa_signature_t *`.
614  *
615  * @param len Length to check.
616  * @return OK if the lengths are correct or BAD_ARGS otherwise.
617  */
618 OT_WARN_UNUSED_RESULT
619 static status_t p256_signature_length_check(size_t len) {
620  if (launder32(len) > UINT32_MAX / sizeof(uint32_t) ||
621  launder32(len) * sizeof(uint32_t) != sizeof(p256_ecdsa_signature_t)) {
622  return OTCRYPTO_BAD_ARGS;
623  }
624  HARDENED_CHECK_EQ(len * sizeof(uint32_t), sizeof(p256_ecdsa_signature_t));
625 
626  return OTCRYPTO_OK;
627 }
628 
629 /**
630  * Check the length of a signature buffer for ECDSA with P-384.
631  *
632  * If this check passes on `signature.len`, it is safe to interpret
633  * `signature.data` as `p384_ecdsa_signature_t *`.
634  *
635  * @param len Length to check.
636  * @return OK if the lengths are correct or BAD_ARGS otherwise.
637  */
638 OT_WARN_UNUSED_RESULT
639 static status_t p384_signature_length_check(size_t len) {
640  if (launder32(len) > UINT32_MAX / sizeof(uint32_t) ||
641  launder32(len) * sizeof(uint32_t) != sizeof(p384_ecdsa_signature_t)) {
642  return OTCRYPTO_BAD_ARGS;
643  }
644  HARDENED_CHECK_EQ(len * sizeof(uint32_t), sizeof(p384_ecdsa_signature_t));
645 
646  return OTCRYPTO_OK;
647 }
648 
649 otcrypto_status_t otcrypto_ecdsa_p256_sign_async_finalize(
650  otcrypto_word32_buf_t signature) {
651  if (signature.data == NULL) {
652  return OTCRYPTO_BAD_ARGS;
653  }
654 
655  HARDENED_TRY(p256_signature_length_check(signature.len));
656  p256_ecdsa_signature_t *sig_p256 = (p256_ecdsa_signature_t *)signature.data;
657  // Note: This operation wipes DMEM, so if an error occurs after this
658  // point then the signature would be unrecoverable. This should be the
659  // last potentially error-causing line before returning to the caller.
660  HARDENED_TRY(p256_ecdsa_sign_finalize(sig_p256));
661 
662  // Clear the OTBN sideload slot (in case the key was sideloaded).
663  return keymgr_sideload_clear_otbn();
664 }
665 
666 otcrypto_status_t otcrypto_ecdsa_p384_sign_async_finalize(
667  otcrypto_word32_buf_t signature) {
668  if (signature.data == NULL) {
669  return OTCRYPTO_BAD_ARGS;
670  }
671 
672  HARDENED_TRY(p384_signature_length_check(signature.len));
673  p384_ecdsa_signature_t *sig_p384 = (p384_ecdsa_signature_t *)signature.data;
674  // Note: This operation wipes DMEM, so if an error occurs after this
675  // point then the signature would be unrecoverable. This should be the
676  // last potentially error-causing line before returning to the caller.
677  HARDENED_TRY(p384_ecdsa_sign_finalize(sig_p384));
678 
679  // Clear the OTBN sideload slot (in case the key was sideloaded).
680  return keymgr_sideload_clear_otbn();
681 }
682 
683 otcrypto_status_t otcrypto_ecdsa_p256_verify_async_start(
684  const otcrypto_unblinded_key_t *public_key,
685  const otcrypto_hash_digest_t message_digest,
686  otcrypto_const_word32_buf_t signature) {
687  if (public_key == NULL || signature.data == NULL ||
688  message_digest.data == NULL || public_key->key == NULL) {
689  return OTCRYPTO_BAD_ARGS;
690  }
691 
692  // Check the integrity of the public key.
693  if (launder32(integrity_unblinded_key_check(public_key)) !=
694  kHardenedBoolTrue) {
695  return OTCRYPTO_BAD_ARGS;
696  }
697  HARDENED_CHECK_EQ(integrity_unblinded_key_check(public_key),
698  kHardenedBoolTrue);
699 
700  // Check the public key mode.
701  if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP256) {
702  return OTCRYPTO_BAD_ARGS;
703  }
704  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdsaP256);
705 
706  // Check the public key size.
707  HARDENED_TRY(p256_public_key_length_check(public_key));
708  p256_point_t *pk = (p256_point_t *)public_key->key;
709 
710  // Check the digest length.
711  if (launder32(message_digest.len) != kP256ScalarWords) {
712  return OTCRYPTO_BAD_ARGS;
713  }
714  HARDENED_CHECK_EQ(message_digest.len, kP256ScalarWords);
715 
716  // Check the signature lengths.
717  HARDENED_TRY(p256_signature_length_check(signature.len));
718  p256_ecdsa_signature_t *sig = (p256_ecdsa_signature_t *)signature.data;
719 
720  // Start the asynchronous signature-verification routine.
721  return p256_ecdsa_verify_start(sig, message_digest.data, pk);
722 }
723 
724 otcrypto_status_t otcrypto_ecdsa_p256_verify_async_finalize(
725  otcrypto_const_word32_buf_t signature,
726  hardened_bool_t *verification_result) {
727  if (verification_result == NULL) {
728  return OTCRYPTO_BAD_ARGS;
729  }
730 
731  HARDENED_TRY(p256_signature_length_check(signature.len));
732  p256_ecdsa_signature_t *sig_p256 = (p256_ecdsa_signature_t *)signature.data;
733  return p256_ecdsa_verify_finalize(sig_p256, verification_result);
734 }
735 
736 otcrypto_status_t otcrypto_ecdsa_p384_verify_async_start(
737  const otcrypto_unblinded_key_t *public_key,
738  const otcrypto_hash_digest_t message_digest,
739  otcrypto_const_word32_buf_t signature) {
740  if (public_key == NULL || signature.data == NULL ||
741  message_digest.data == NULL || public_key->key == NULL) {
742  return OTCRYPTO_BAD_ARGS;
743  }
744 
745  // Check the integrity of the public key.
746  if (launder32(integrity_unblinded_key_check(public_key)) !=
747  kHardenedBoolTrue) {
748  return OTCRYPTO_BAD_ARGS;
749  }
750  HARDENED_CHECK_EQ(integrity_unblinded_key_check(public_key),
751  kHardenedBoolTrue);
752 
753  // Check the public key mode.
754  if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdsaP384) {
755  return OTCRYPTO_BAD_ARGS;
756  }
757  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdsaP384);
758 
759  // Check the public key size.
760  HARDENED_TRY(p384_public_key_length_check(public_key));
761  p384_point_t *pk = (p384_point_t *)public_key->key;
762 
763  // Check the digest length.
764  if (launder32(message_digest.len) != kP384ScalarWords) {
765  return OTCRYPTO_BAD_ARGS;
766  }
767  HARDENED_CHECK_EQ(message_digest.len, kP384ScalarWords);
768 
769  // Check the signature lengths.
770  HARDENED_TRY(p384_signature_length_check(signature.len));
771  p384_ecdsa_signature_t *sig = (p384_ecdsa_signature_t *)signature.data;
772 
773  // Start the asynchronous signature-verification routine.
774  return p384_ecdsa_verify_start(sig, message_digest.data, pk);
775 }
776 
777 otcrypto_status_t otcrypto_ecdsa_p384_verify_async_finalize(
778  otcrypto_const_word32_buf_t signature,
779  hardened_bool_t *verification_result) {
780  if (verification_result == NULL) {
781  return OTCRYPTO_BAD_ARGS;
782  }
783 
784  HARDENED_TRY(p384_signature_length_check(signature.len));
785  p384_ecdsa_signature_t *sig_p384 = (p384_ecdsa_signature_t *)signature.data;
786  return p384_ecdsa_verify_finalize(sig_p384, verification_result);
787 }
788 
789 otcrypto_status_t otcrypto_ecdh_p256_keygen_async_start(
790  const otcrypto_blinded_key_t *private_key) {
791  if (private_key == NULL || private_key->keyblob == NULL) {
792  return OTCRYPTO_BAD_ARGS;
793  }
794 
795  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP256) {
796  return OTCRYPTO_BAD_ARGS;
797  }
798  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP256);
799  return internal_p256_keygen_start(private_key);
800 }
801 
802 otcrypto_status_t otcrypto_ecdh_p384_keygen_async_start(
803  const otcrypto_blinded_key_t *private_key) {
804  if (private_key == NULL || private_key->keyblob == NULL) {
805  return OTCRYPTO_BAD_ARGS;
806  }
807 
808  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP384) {
809  return OTCRYPTO_BAD_ARGS;
810  }
811  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP384);
812  return internal_p384_keygen_start(private_key);
813 }
814 
815 otcrypto_status_t otcrypto_ecdh_p256_keygen_async_finalize(
816  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
817  // Check for any NULL pointers.
818  if (private_key == NULL || public_key == NULL ||
819  private_key->keyblob == NULL || public_key->key == NULL) {
820  return OTCRYPTO_BAD_ARGS;
821  }
822 
823  if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP256 ||
824  launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP256) {
825  return OTCRYPTO_BAD_ARGS;
826  }
827  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdhP256);
828  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP256);
829  return internal_p256_keygen_finalize(private_key, public_key);
830 }
831 
832 otcrypto_status_t otcrypto_ecdh_p384_keygen_async_finalize(
833  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
834  // Check for any NULL pointers.
835  if (private_key == NULL || public_key == NULL ||
836  private_key->keyblob == NULL || public_key->key == NULL) {
837  return OTCRYPTO_BAD_ARGS;
838  }
839 
840  if (launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP384 ||
841  launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP384) {
842  return OTCRYPTO_BAD_ARGS;
843  }
844  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdhP384);
845  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP384);
846  return internal_p384_keygen_finalize(private_key, public_key);
847 }
848 
849 otcrypto_status_t otcrypto_ecdh_p256_async_start(
850  const otcrypto_blinded_key_t *private_key,
851  const otcrypto_unblinded_key_t *public_key) {
852  if (private_key == NULL || public_key == NULL || public_key->key == NULL ||
853  private_key->keyblob == NULL) {
854  return OTCRYPTO_BAD_ARGS;
855  }
856 
857  // Check the integrity of the keys.
858  if (launder32(integrity_blinded_key_check(private_key)) !=
859  kHardenedBoolTrue ||
860  launder32(integrity_unblinded_key_check(public_key)) !=
861  kHardenedBoolTrue) {
862  return OTCRYPTO_BAD_ARGS;
863  }
864  HARDENED_CHECK_EQ(integrity_blinded_key_check(private_key),
865  kHardenedBoolTrue);
866  HARDENED_CHECK_EQ(integrity_unblinded_key_check(public_key),
867  kHardenedBoolTrue);
868 
869  // Check the key modes.
870  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP256 ||
871  launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP256) {
872  return OTCRYPTO_BAD_ARGS;
873  }
874  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP256);
875  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdhP256);
876 
877  // Check the key lengths.
878  HARDENED_TRY(p256_private_key_length_check(private_key));
879  HARDENED_TRY(p256_public_key_length_check(public_key));
880  p256_point_t *pk = (p256_point_t *)public_key->key;
881 
882  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
883  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
884  HARDENED_TRY(sideload_key_seed(private_key));
885  return p256_sideload_ecdh_start(pk);
886  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
887  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
888  p256_masked_scalar_t *sk = (p256_masked_scalar_t *)private_key->keyblob;
889  return p256_ecdh_start(sk, pk);
890  }
891 
892  // Invalid value for `hw_backed`.
893  return OTCRYPTO_BAD_ARGS;
894 }
895 
896 otcrypto_status_t otcrypto_ecdh_p256_async_finalize(
897  otcrypto_blinded_key_t *shared_secret) {
898  if (shared_secret == NULL || shared_secret->keyblob == NULL) {
899  return OTCRYPTO_BAD_ARGS;
900  }
901 
902  // Shared keys cannot be sideloaded because they are software-generated.
903  if (launder32(shared_secret->config.hw_backed) != kHardenedBoolFalse) {
904  return OTCRYPTO_BAD_ARGS;
905  }
906  HARDENED_CHECK_EQ(shared_secret->config.hw_backed, kHardenedBoolFalse);
907 
908  // Check shared secret length.
909  if (launder32(shared_secret->config.key_length) != kP256CoordBytes) {
910  return OTCRYPTO_BAD_ARGS;
911  }
912  HARDENED_CHECK_EQ(shared_secret->config.key_length, kP256CoordBytes);
913  if (launder32(shared_secret->keyblob_length) !=
914  keyblob_num_words(shared_secret->config) * sizeof(uint32_t)) {
915  return OTCRYPTO_BAD_ARGS;
916  }
917  HARDENED_CHECK_EQ(
918  shared_secret->keyblob_length,
919  keyblob_num_words(shared_secret->config) * sizeof(uint32_t));
920 
921  // Note: This operation wipes DMEM after retrieving the keys, so if an error
922  // occurs after this point then the keys would be unrecoverable. This should
923  // be the last potentially error-causing line before returning to the caller.
924  p256_ecdh_shared_key_t ss;
925  HARDENED_TRY(p256_ecdh_finalize(&ss));
926 
927  keyblob_from_shares(ss.share0, ss.share1, shared_secret->config,
928  shared_secret->keyblob);
929 
930  // Set the checksum.
931  shared_secret->checksum = integrity_blinded_checksum(shared_secret);
932 
933  // Clear the OTBN sideload slot (in case the seed was sideloaded).
934  return keymgr_sideload_clear_otbn();
935 }
936 
937 otcrypto_status_t otcrypto_ecdh_p384_async_start(
938  const otcrypto_blinded_key_t *private_key,
939  const otcrypto_unblinded_key_t *public_key) {
940  if (private_key == NULL || public_key == NULL || public_key->key == NULL ||
941  private_key->keyblob == NULL) {
942  return OTCRYPTO_BAD_ARGS;
943  }
944 
945  // Check the integrity of the keys.
946  if (launder32(integrity_blinded_key_check(private_key)) !=
947  kHardenedBoolTrue ||
948  launder32(integrity_unblinded_key_check(public_key)) !=
949  kHardenedBoolTrue) {
950  return OTCRYPTO_BAD_ARGS;
951  }
952  HARDENED_CHECK_EQ(integrity_blinded_key_check(private_key),
953  kHardenedBoolTrue);
954  HARDENED_CHECK_EQ(integrity_unblinded_key_check(public_key),
955  kHardenedBoolTrue);
956 
957  // Check the key modes.
958  if (launder32(private_key->config.key_mode) != kOtcryptoKeyModeEcdhP384 ||
959  launder32(public_key->key_mode) != kOtcryptoKeyModeEcdhP384) {
960  return OTCRYPTO_BAD_ARGS;
961  }
962  HARDENED_CHECK_EQ(private_key->config.key_mode, kOtcryptoKeyModeEcdhP384);
963  HARDENED_CHECK_EQ(public_key->key_mode, kOtcryptoKeyModeEcdhP384);
964 
965  // Check the key lengths.
966  HARDENED_TRY(p384_private_key_length_check(private_key));
967  HARDENED_TRY(p384_public_key_length_check(public_key));
968  p384_point_t *pk = (p384_point_t *)public_key->key;
969 
970  if (launder32(private_key->config.hw_backed) == kHardenedBoolTrue) {
971  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolTrue);
972  HARDENED_TRY(sideload_key_seed(private_key));
973  return p384_sideload_ecdh_start(pk);
974  } else if (launder32(private_key->config.hw_backed) == kHardenedBoolFalse) {
975  HARDENED_CHECK_EQ(private_key->config.hw_backed, kHardenedBoolFalse);
976  p384_masked_scalar_t *sk = (p384_masked_scalar_t *)private_key->keyblob;
977  return p384_ecdh_start(sk, pk);
978  }
979 
980  // Invalid value for `hw_backed`.
981  return OTCRYPTO_BAD_ARGS;
982 }
983 
984 otcrypto_status_t otcrypto_ecdh_p384_async_finalize(
985  otcrypto_blinded_key_t *shared_secret) {
986  if (shared_secret == NULL || shared_secret->keyblob == NULL) {
987  return OTCRYPTO_BAD_ARGS;
988  }
989 
990  // Shared keys cannot be sideloaded because they are software-generated.
991  if (launder32(shared_secret->config.hw_backed) != kHardenedBoolFalse) {
992  return OTCRYPTO_BAD_ARGS;
993  }
994  HARDENED_CHECK_EQ(shared_secret->config.hw_backed, kHardenedBoolFalse);
995 
996  // Check shared secret length.
997  if (launder32(shared_secret->config.key_length) != kP384CoordBytes) {
998  return OTCRYPTO_BAD_ARGS;
999  }
1000  HARDENED_CHECK_EQ(shared_secret->config.key_length, kP384CoordBytes);
1001  if (launder32(shared_secret->keyblob_length) !=
1002  keyblob_num_words(shared_secret->config) * sizeof(uint32_t)) {
1003  return OTCRYPTO_BAD_ARGS;
1004  }
1005  HARDENED_CHECK_EQ(
1006  shared_secret->keyblob_length,
1007  keyblob_num_words(shared_secret->config) * sizeof(uint32_t));
1008 
1009  // Note: This operation wipes DMEM after retrieving the keys, so if an error
1010  // occurs after this point then the keys would be unrecoverable. This should
1011  // be the last potentially error-causing line before returning to the caller.
1012  p384_ecdh_shared_key_t ss;
1013  HARDENED_TRY(p384_ecdh_finalize(&ss));
1014 
1015  keyblob_from_shares(ss.share0, ss.share1, shared_secret->config,
1016  shared_secret->keyblob);
1017 
1018  // Set the checksum.
1019  shared_secret->checksum = integrity_blinded_checksum(shared_secret);
1020 
1021  // Clear the OTBN sideload slot (in case the seed was sideloaded).
1022  return keymgr_sideload_clear_otbn();
1023 }
1024 
1025 otcrypto_status_t otcrypto_ed25519_keygen_async_start(
1026  const otcrypto_blinded_key_t *private_key) {
1027  // TODO: Ed25519 is not yet implemented.
1028  return OTCRYPTO_NOT_IMPLEMENTED;
1029 }
1030 
1031 otcrypto_status_t otcrypto_ed25519_keygen_async_finalize(
1032  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
1033  // TODO: Ed25519 is not yet implemented.
1034  return OTCRYPTO_NOT_IMPLEMENTED;
1035 }
1036 
1037 otcrypto_status_t otcrypto_ed25519_sign_async_start(
1038  const otcrypto_blinded_key_t *private_key,
1039  otcrypto_const_byte_buf_t input_message,
1040  otcrypto_eddsa_sign_mode_t sign_mode, otcrypto_word32_buf_t signature) {
1041  // TODO: Ed25519 is not yet implemented.
1042  return OTCRYPTO_NOT_IMPLEMENTED;
1043 }
1044 
1045 otcrypto_status_t otcrypto_ed25519_sign_async_finalize(
1046  otcrypto_word32_buf_t signature) {
1047  // TODO: Ed25519 is not yet implemented.
1048  return OTCRYPTO_NOT_IMPLEMENTED;
1049 }
1050 
1051 otcrypto_status_t otcrypto_ed25519_verify_async_start(
1052  const otcrypto_unblinded_key_t *public_key,
1053  otcrypto_const_byte_buf_t input_message,
1054  otcrypto_eddsa_sign_mode_t sign_mode,
1055  otcrypto_const_word32_buf_t signature) {
1056  // TODO: Ed25519 is not yet implemented.
1057  return OTCRYPTO_NOT_IMPLEMENTED;
1058 }
1059 
1060 otcrypto_status_t otcrypto_ed25519_verify_async_finalize(
1061  hardened_bool_t *verification_result) {
1062  // TODO: Ed25519 is not yet implemented.
1063  return OTCRYPTO_NOT_IMPLEMENTED;
1064 }
1065 
1066 otcrypto_status_t otcrypto_x25519_keygen_async_start(
1067  const otcrypto_blinded_key_t *private_key) {
1068  // TODO: X25519 is not yet implemented.
1069  return OTCRYPTO_NOT_IMPLEMENTED;
1070 }
1071 
1072 otcrypto_status_t otcrypto_x25519_keygen_async_finalize(
1073  otcrypto_blinded_key_t *private_key, otcrypto_unblinded_key_t *public_key) {
1074  // TODO: X25519 is not yet implemented.
1075  return OTCRYPTO_NOT_IMPLEMENTED;
1076 }
1077 
1078 otcrypto_status_t otcrypto_x25519_async_start(
1079  const otcrypto_blinded_key_t *private_key,
1080  const otcrypto_unblinded_key_t *public_key) {
1081  // TODO: X25519 is not yet implemented.
1082  return OTCRYPTO_NOT_IMPLEMENTED;
1083 }
1084 
1085 otcrypto_status_t otcrypto_x25519_async_finalize(
1086  otcrypto_blinded_key_t *shared_secret) {
1087  // TODO: X25519 is not yet implemented.
1088  return OTCRYPTO_NOT_IMPLEMENTED;
1089 }
Return to OpenTitan Documentation