Merge pull request #6 from betrusted-io/dalek_to_v4
Fix `engine ed` and pull in SHA engine fixes
kotval authored Feb 8, 2024
2 parents eab5751 + c376186 commit 99a3348
Showing 6 changed files with 33 additions and 35 deletions.
16 changes: 12 additions & 4 deletions Cargo.lock


4 changes: 3 additions & 1 deletion Cargo.toml
@@ -138,6 +138,8 @@ opt-level = "s" # z,s: Optimize for size instead of performance; 1 for easier de
# prefer hardware-accelerated versions of services
[patch.crates-io]
sha2 = { git = "https://github.com/betrusted-io/hashes.git", branch = "sha2-v0.10.8-xous" }
# sha2 = { path = "../hashes/sha2" }
# This is needed by `p256`, currently the last holdout (a `vault` depenedncy)
sha2_legacy = { git = "https://github.com/RustCrypto/hashes.git", tag = "sha2-v0.9.9", package = "sha2" }

[patch.crates-io.aes]
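Review bot: the new `sha2_legacy` entry pins the 0.9.9 API to upstream RustCrypto (`sha2_legacy = { git = "https://github.com/RustCrypto/hashes.git", tag = "sha2-v0.9.9", package = "sha2" }`), not to the betrusted-io fork that the section comment "prefer hardware-accelerated versions of services" refers to, so `p256` inside `vault` keeps a software SHA-256. That matches the release note in this same commit, but it deserves a sentence in the comment here so nobody reads `[patch.crates-io]` as "everything in this table is accelerated". Two smaller points: a `tag` can be moved, so the reproducibility guarantee comes only from the commit hash recorded in Cargo.lock (a `rev = "..."` would make the pin explicit in Cargo.toml as well), and the comment has a typo: `depenedncy` should read `dependency`.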
@@ -146,7 +148,7 @@ path = "services/aes"
[patch.crates-io.curve25519-dalek]
#git = "https://github.com/betrusted-io/curve25519-dalek.git"
#branch = "main"
path = "../curve25519-dalek/curve25519-dalek" # when doing local dev work
path = "../curve25519-dalek/curve25519-dalek" # when doing local dev work
# feature overrides are specified at the crate level

[patch."https://github.com/betrusted-io/xous-engine-25519.git"]
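Review bot: this hunk leaves `path = "../curve25519-dalek/curve25519-dalek" # when doing local dev work` as the active source for `[patch.crates-io.curve25519-dalek]` on a merge into the main branch, with the `#git = "https://github.com/betrusted-io/curve25519-dalek.git"` and `#branch = "main"` lines still commented out; the removed and added lines look identical in this rendering, so the visible change is whitespace only. A relative path outside the repository means any checkout without that sibling directory fails to resolve the patch, and the code actually being linked is neither pinned nor reviewable from this repo. Before merging, switch back to the git source (ideally with a `rev`) and keep the path form as the commented-out alternative for local work.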
4 changes: 3 additions & 1 deletion RELEASE-v0.9.md
@@ -466,7 +466,9 @@ perform the Xous firmware upgrade. This requires running manual update commands,
- Formatting and contribution standards have been modified. Formatting with `rustfmt` and trailing white space removal is now mandatory for all Xous contributions, see [#477](https://github.com/betrusted-io/xous-core/pull/477) for a discussion of how we got there and why.
- The repo has gone through a "flag day" where all the crates have been formatted, which means commits before the flag day may be more difficult to undo. The changes are committed on a crate-by-crate basis, so if something is really broken we can undo the formatting for the crate and add an exception to the rustfmt rules.
- Implement #478: backlight should turn on automatically when a U2F/FIDO packet comes in from the host, allowing users in dark conditions to see the screen and know what they are approving.
- the `sha2` API has been upgraded from 0.9.9 to 0.10.8. In the process of upgrading this, the `sha2` code is now domiciled in a fork of the `RustCrypto/hashes` repo. This should hopefully make tracking changes on RustCrypto somewhat easier, at the price of some difficulty in maintaining external crate pins (but I think that can be solved with some scripting). In the process of conversion, crates that depend on the 0.9.9 API for acceleration are now not accelerated. In particular, the ed25519-dalek signature check on the gateware at boot now runs with software SHA-512, which means that boot is much slower. This should be fixed before the release is live, but users testing the bleeding edge should be aware of this temporary regression in performance.
- the `sha2` API has been upgraded from 0.9.9 to 0.10.8. In the process of upgrading this, the `sha2` code is now domiciled in a fork of the `RustCrypto/hashes` repo. This should hopefully make tracking changes on RustCrypto somewhat easier, at the price of some difficulty in maintaining external crate pins (but I think that can be solved with some scripting). In the process of conversion, crates that depend on the 0.9.9 API for acceleration are now not accelerated.
- upgrade all other crypto APIs to latest version, with the exception of `p256` inside `vault` (this code is vendored from OpenSK), and the curve25519 implementations inside the loader (because they have been tightly optimized for size, we'll have to revisit the patch set later; but also, only verification steps are done in the loader so there is less risk of leaking secret key material - not as worried about ct_eq and zeroize bugs)
- a number of other crates and pins were upgraded in the process due to a cargo `update` run; the `build.rs` changes were reviewed and nothing nefarious was found, so at least this process did not introduce any obvious attacks against build hosts through supply chain contamination.
- @gsora has added the `hidapi` - apps can now register a HID descriptor for custom interactions over USB. See `apps/hidv2` for democumentation.
- change kernel and loader targets to riscv-unknown-elf-none because `xous` is now a proper target (required for Rust 1.76 compatibility)

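Review bot: the rewritten `sha2` bullet drops the sentence that warned that the boot-time ed25519-dalek signature check on the gateware had fallen back to software SHA-512, but adds nothing saying that this has been fixed; given the commit message "Fix `engine ed` and pull in SHA engine fixes", the release note should state the current status of the loader's signature check explicitly rather than removing the warning silently. The new target bullet is also hard to parse: "change kernel and loader targets to riscv-unknown-elf-none because `xous` is now a proper target" should say why a proper `xous` target forces the kernel and loader, which do not run on top of Xous, onto a different triple, and the triple as written does not follow the arch-vendor-os-env ordering Rust targets use, so double-check its spelling against the `--target` actually passed in the build scripts. Minor: `democumentation` in the context line above should be `documentation`.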
2 changes: 1 addition & 1 deletion services/shellchat/Cargo.toml
@@ -110,7 +110,7 @@ default-features = false
features = ["legacy_compatibility"]

[dependencies.x25519-dalek]
version = "2.0.0"
version = "2.0.1"
# TODO: static_secrets is only needed by the engine tests. Ideally, we would put the static_secrets version in dev deps only
default-features = false
features = ["static_secrets"]
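Review bot: the bump from `version = "2.0.0"` to `version = "2.0.1"` is fine, but the `static_secrets` feature stays enabled on the production dependency, and the TODO directly above it already says it is only needed by the engine tests. `StaticSecret` is the reusable key type, whereas `EphemeralSecret` is consumed by `diffie_hellman`, so carrying the feature in the shellchat binary keeps an API that invites key reuse within reach of every command. Move it to `[dev-dependencies]` or behind a test/benchmark feature as the TODO suggests, rather than carrying the TODO forward through another version bump.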
39 changes: 12 additions & 27 deletions services/shellchat/src/cmds/engine.rs
@@ -180,9 +180,9 @@ pub fn benchmark_thread(sid0: usize, sid1: usize, sid2: usize, sid3: usize) {
let mut fails = 0;

use x25519_dalek::{PublicKey, StaticSecret};
let alice_secret = StaticSecret::new(&mut trng);
let alice_secret = StaticSecret::random_from_rng(&mut trng);
let alice_public = PublicKey::from(&alice_secret);
let bob_secret = StaticSecret::new(&mut trng);
let bob_secret = StaticSecret::random_from_rng(&mut trng);
let bob_public = PublicKey::from(&bob_secret);
for _ in 0..TEST_ITERS_DH {
let alice_shared_secret = alice_secret.diffie_hellman(&bob_public);
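Review bot: `StaticSecret::random_from_rng(&mut trng)` is the correct 2.x replacement for the removed `StaticSecret::new`, and the `RngCore + CryptoRng` bound it carries is the right constraint for key material, so the TRNG wrapper must keep implementing `CryptoRng`. The point worth a comment is that this is the benchmark path: both keypairs are generated once and reused for every `TEST_ITERS_DH` iteration, which is what you want when timing the scalar multiplication, but it means the loop never exercises key generation and its numbers must not be read as including it. Say so in a comment so nobody later moves generation into the loop to "fix" the benchmark.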
@@ -365,9 +365,9 @@ impl<'a> ShellCmdApi<'a> for Engine {
}
"dh" => {
use x25519_dalek::{EphemeralSecret, PublicKey};
let alice_secret = EphemeralSecret::new(&mut env.trng);
let alice_secret = EphemeralSecret::random_from_rng(&mut env.trng);
let alice_public = PublicKey::from(&alice_secret);
let bob_secret = EphemeralSecret::new(&mut env.trng);
let bob_secret = EphemeralSecret::random_from_rng(&mut env.trng);
let bob_public = PublicKey::from(&bob_secret);
let alice_shared_secret = alice_secret.diffie_hellman(&bob_public);
let bob_shared_secret = bob_secret.diffie_hellman(&alice_public);
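Review bot: same rename as in the benchmark thread, here for `EphemeralSecret`; add a one-line comment that `EphemeralSecret::diffie_hellman` takes `self`, so `alice_secret` and `bob_secret` are consumed on the following two lines and cannot be reused. That consume-on-use property is exactly why the ephemeral type, not `StaticSecret`, is the right choice for the interactive `dh` command, and the comment would make the contrast with the benchmark path explicit.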
@@ -389,29 +389,12 @@ impl<'a> ShellCmdApi<'a> for Engine {

/////////////////////// fixed vectors from x25519-dalek tests
use curve25519_dalek::montgomery::MontgomeryPoint;
use curve25519_dalek::scalar::Scalar;
/// "Decode" a scalar from a 32-byte array.
///
/// By "decode" here, what is really meant is applying key clamping by twiddling
/// some bits.
///
/// # Returns
///
/// A `Scalar`.
fn clamp_scalar(mut scalar: [u8; 32]) -> Scalar {
scalar[0] &= 248;
scalar[31] &= 127;
scalar[31] |= 64;

Scalar::from_bits(scalar)
}

/// The bare, byte-oriented x25519 function, exactly as specified in RFC7748.
///
/// This can be used with [`X25519_BASEPOINT_BYTES`] for people who
/// cannot use the better, safer, and faster DH API.
fn x25519(k: [u8; 32], u: [u8; 32]) -> [u8; 32] {
(clamp_scalar(k) * MontgomeryPoint(u)).to_bytes()
MontgomeryPoint(u).mul_clamped(k).to_bytes()
}
{
let input_scalar: [u8; 32] = [
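Review bot: replacing the hand-rolled `clamp_scalar` plus `Scalar::from_bits` with `MontgomeryPoint(u).mul_clamped(k).to_bytes()` is the right port. `Scalar::from_bits` could yield unreduced scalars and in curve25519-dalek 4 is only reachable through the `legacy_compatibility` feature, while `mul_clamped` applies the RFC 7748 clamping internally, so dropping `use curve25519_dalek::scalar::Scalar;` is correct as well. One leftover: the doc comment `/// This can be used with [`X25519_BASEPOINT_BYTES`] for people who` now links an item this function no longer imports, and it sits on a nested `fn` where rustdoc never renders it; make it a plain `//` comment saying this is the byte-oriented RFC 7748 reference function kept only to check the engine against the fixed vectors that follow.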
@@ -465,7 +448,7 @@ impl<'a> ShellCmdApi<'a> for Engine {
}
}
"ed2" => {
use ed25519_dalek::{Signature, Signer, SigningKey};
use ed25519_dalek::{Signer, SigningKey};
let good: &[u8] = "test message".as_bytes();
let bad: &[u8] = "wrong message".as_bytes();

@@ -501,19 +484,21 @@ impl<'a> ShellCmdApi<'a> for Engine {
use ed25519_dalek::*;
// use ed25519::signature::Signature as _;
use hex::FromHex;
let secret_key: &[u8] =
b"833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42";
let signing_key: &[u8] =
b"833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42";
let public_key: &[u8] =
b"ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf";
let message: &[u8] = b"616263";
let signature: &[u8] = b"98a70222f0b8121aa9d30f813d683f809e462b469c7ff87639499bb94e6dae4131f85042463c2a355a2003d062adf5aaa10b8c61e636062aaad11c2a26083406";
let msg_bytes = <[u8; 3]>::from_hex(message).unwrap();

let secret_key_bytes = <[u8; SECRET_KEY_LENGTH]>::from_hex(secret_key).unwrap();
let signing_key_bytes = <[u8; PUBLIC_KEY_LENGTH]>::from_hex(signing_key).unwrap();
let signing_key_bytes = <[u8; SECRET_KEY_LENGTH]>::from_hex(signing_key).unwrap();
let public_key_bytes = <[u8; PUBLIC_KEY_LENGTH]>::from_hex(public_key).unwrap();
let signature_bytes = <[u8; SIGNATURE_LENGTH]>::from_hex(signature).unwrap();

let signingkey: SigningKey = SigningKey::from_bytes(&signing_key_bytes);
let expected_verifying_key = VerifyingKey::from_bytes(&public_key_bytes).unwrap();
assert_eq!(expected_verifying_key, signingkey.verifying_key());
let sig1: Signature = Signature::from_bytes(&signature_bytes);

//let mut prehash_for_signing = engine_sha512::Sha512::default(); // this defaults to Hw
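Review bot: `assert_eq!(expected_verifying_key, signingkey.verifying_key());` panics the shellchat process on a mismatch instead of reporting the failure through the command's output; the engine benchmark above keeps a `fails` counter and the shell commands print their results, so do the same here (compare, then emit a pass/fail line) so that a bad public-key derivation on hardware is observable rather than a crash. The change from `<[u8; PUBLIC_KEY_LENGTH]>` to `<[u8; SECRET_KEY_LENGTH]>` for the signing key bytes is size-neutral (both are 32) but is the correct constant, and `SigningKey::from_bytes` then derives the public key, which is what the new equality check covers. For the record, these hex values are the RFC 8032 section 7.3 Ed25519ph test vector (message `616263`, "abc"), so verification of `sig1` has to go through the prehashed API with a SHA-512 prehash, which is the path the commented-out `engine_sha512::Sha512::default()` line points at; a comment naming the vector would save the next reader the lookup.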
3 changes: 2 additions & 1 deletion services/shellchat/src/cmds/sha.rs
@@ -47,7 +47,8 @@ power consumption -
~50% power savings to use hardware hasher
v0.10.8 API implementation
TEST_MAX_LEN = 8192 (fixed length) / TEST_ITERS = 1000: hw 11.464ms/hash, sw 21.502ms/hash
TEST_MAX_LEN = 8192 (fixed length) / TEST_ITERS = 1000: hw 11.464ms/hash, sw 21.502ms/hash (with trng ID bug (ID was not regenerated on each iteration), oops)
TEST_MAX_LEN = 8192 (fixed length) / TEST_ITERS = 1000: hw 12.196ms/hash, sw 21.643ms/hash
*/

pub fn benchmark_thread(sid0: usize, sid1: usize, sid2: usize, sid3: usize) {
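Review bot: annotating the old measurement in place (`... sw 21.502ms/hash (with trng ID bug (ID was not regenerated on each iteration), oops)`) is better than deleting it, but the block now carries two `TEST_MAX_LEN = 8192 (fixed length) / TEST_ITERS = 1000` lines with different numbers and no marker for which one is current; label the new line (date or commit) and say in the annotation what the stale ID affected in the benchmark (which buffer or hash was being reused), because as written a reader cannot tell whether the bug touched the hardware path, the software path, or both. The corrected figures also move the hardware number from 11.464 to 12.196 ms/hash while the software number barely changes, so a word on why the earlier hardware figure was optimistic would help anyone quoting the ratio.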