Split BoringSSL ops into hash+kdf and ed25519
Done in preparation to support ECDSA P-384.
Change-Id: If85d54a46ba23b32776f97e6bca3b5a071d4e06b
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/84500
Reviewed-by: Andrew Scull <ascull@google.com>
Reviewed-by: Darren Krahn <dkrahn@google.com>
Commit-Queue: Atul Luykx <aluykx@google.com>
diff --git a/BUILD.gn b/BUILD.gn
index fa15140..f2c68a9 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -66,7 +66,8 @@
]
sources = [
"src/boringssl_cert_op.c",
- "src/boringssl_hash_kdf_sign_ops.c",
+ "src/boringssl_hash_kdf_ops.c",
+ "src/boringssl_ed25519_ops.c",
"src/clear_memory.c",
"src/dice.c",
"src/utils.c",
@@ -104,7 +105,8 @@
"include/dice/utils.h",
]
sources = [
- "src/boringssl_hash_kdf_sign_ops.c",
+ "src/boringssl_hash_kdf_ops.c",
+ "src/boringssl_ed25519_ops.c",
"src/cbor_cert_op.c",
"src/clear_memory.c",
"src/dice.c",
@@ -123,7 +125,8 @@
"include/dice/utils.h",
]
sources = [
- "src/boringssl_hash_kdf_sign_ops.c",
+ "src/boringssl_hash_kdf_ops.c",
+ "src/boringssl_ed25519_ops.c",
"src/clear_memory.c",
"src/dice.c",
"src/template_cbor_cert_op.c",
@@ -141,7 +144,8 @@
"include/dice/utils.h",
]
sources = [
- "src/boringssl_hash_kdf_sign_ops.c",
+ "src/boringssl_hash_kdf_ops.c",
+ "src/boringssl_ed25519_ops.c",
"src/clear_memory.c",
"src/dice.c",
"src/template_cert_op.c",
diff --git a/src/boringssl_hash_kdf_sign_ops.c b/src/boringssl_ed25519_ops.c
similarity index 71%
rename from src/boringssl_hash_kdf_sign_ops.c
rename to src/boringssl_ed25519_ops.c
index 9198b4a..a1b9797 100644
--- a/src/boringssl_hash_kdf_sign_ops.c
+++ b/src/boringssl_ed25519_ops.c
@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
@@ -12,8 +12,7 @@
// License for the specific language governing permissions and limitations under
// the License.
-// This is an implementation of the crypto operations that uses boringssl. The
-// algorithms used are SHA512, HKDF-SHA512, and Ed25519-SHA512.
+// An implementation of the ed25519 signature operations using boringssl.
#include <stdint.h>
@@ -21,9 +20,6 @@
#include "dice/ops.h"
#include "openssl/curve25519.h"
#include "openssl/evp.h"
-#include "openssl/hkdf.h"
-#include "openssl/is_boringssl.h"
-#include "openssl/sha.h"
#if DICE_PRIVATE_KEY_SEED_SIZE != 32
#error "Private key seed is expected to be 32 bytes."
@@ -38,24 +34,6 @@
#error "Ed25519 needs 64 bytes to store the signature."
#endif
-DiceResult DiceHash(void* context_not_used, const uint8_t* input,
- size_t input_size, uint8_t output[DICE_HASH_SIZE]) {
- (void)context_not_used;
- SHA512(input, input_size, output);
- return kDiceResultOk;
-}
-
-DiceResult DiceKdf(void* context_not_used, size_t length, const uint8_t* ikm,
- size_t ikm_size, const uint8_t* salt, size_t salt_size,
- const uint8_t* info, size_t info_size, uint8_t* output) {
- (void)context_not_used;
- if (!HKDF(output, length, EVP_sha512(), ikm, ikm_size, salt, salt_size, info,
- info_size)) {
- return kDiceResultPlatformError;
- }
- return kDiceResultOk;
-}
-
DiceResult DiceKeypairFromSeed(void* context_not_used,
const uint8_t seed[DICE_PRIVATE_KEY_SEED_SIZE],
uint8_t public_key[DICE_PUBLIC_KEY_SIZE],
diff --git a/src/boringssl_hash_kdf_ops.c b/src/boringssl_hash_kdf_ops.c
new file mode 100644
index 0000000..657276a
--- /dev/null
+++ b/src/boringssl_hash_kdf_ops.c
@@ -0,0 +1,43 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+// An implementation of the hash and kdf crypto operations using boringssl. The
+// algorithms used are SHA512 and HKDF-SHA512.
+
+#include <stdint.h>
+
+#include "dice/dice.h"
+#include "dice/ops.h"
+#include "openssl/evp.h"
+#include "openssl/hkdf.h"
+#include "openssl/is_boringssl.h"
+#include "openssl/sha.h"
+
+DiceResult DiceHash(void* context_not_used, const uint8_t* input,
+ size_t input_size, uint8_t output[DICE_HASH_SIZE]) {
+ (void)context_not_used;
+ SHA512(input, input_size, output);
+ return kDiceResultOk;
+}
+
+DiceResult DiceKdf(void* context_not_used, size_t length, const uint8_t* ikm,
+ size_t ikm_size, const uint8_t* salt, size_t salt_size,
+ const uint8_t* info, size_t info_size, uint8_t* output) {
+ (void)context_not_used;
+ if (!HKDF(output, length, EVP_sha512(), ikm, ikm_size, salt, salt_size, info,
+ info_size)) {
+ return kDiceResultPlatformError;
+ }
+ return kDiceResultOk;
+}
