From 0c296bba301e50db09398aa4807df8c57256ea6b Mon Sep 17 00:00:00 2001
From: Nicolas Stalder
Date: Mon, 25 Feb 2019 02:41:58 +0100
Subject: [PATCH] First go at using cifra for SHA512
---
 .gitmodules | 3 +++
 crypto/cifra | 1 +
 fido2/crypto.h | 4 ++++
 fido2/ctaphid.c | 27 ++++++++++++++++++++++++++
 fido2/ctaphid.h | 1 +
 targets/stm32l432/build/application.mk | 3 +++
 targets/stm32l432/src/crypto.c | 16 +++++++++++++++
 7 files changed, 55 insertions(+)
 create mode 160000 crypto/cifra
diff --git a/.gitmodules b/.gitmodules
index 05c9e6f..8f2ea4e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -13,3 +13,6 @@
 [submodule "targets/stm32l442/dfuse-tool"]
 path = targets/stm32l442/dfuse-tool
 url = https://github.com/solokeys/dfuse-tool
+[submodule "crypto/cifra"]
+ path = crypto/cifra
+ url = https://github.com/ctz/cifra.git
diff --git a/crypto/cifra b/crypto/cifra
new file mode 160000
index 0000000..d04dd31
--- /dev/null
+++ b/crypto/cifra
@@ -0,0 +1 @@
+Subproject commit d04dd318609733d809904d4f2973597240655cde
diff --git a/fido2/crypto.h b/fido2/crypto.h
index 844e7f3..4fc54a2 100644
--- a/fido2/crypto.h
+++ b/fido2/crypto.h
@@ -19,6 +19,10 @@ void crypto_sha256_final(uint8_t * hash);
 void crypto_sha256_hmac_init(uint8_t * key, uint32_t klen, uint8_t * hmac);
 void crypto_sha256_hmac_final(uint8_t * key, uint32_t klen, uint8_t * hmac);
+void crypto_sha512_init();
+void crypto_sha512_update(const uint8_t * data, size_t len);
+void crypto_sha512_final(uint8_t * hash);
+
 void crypto_ecc256_init();
 void crypto_ecc256_derive_public_key(uint8_t * data, int len, uint8_t * x, uint8_t * y);
diff --git a/fido2/ctaphid.c b/fido2/ctaphid.c
index 5ddc260..0885ed9 100644
--- a/fido2/ctaphid.c
+++ b/fido2/ctaphid.c
@@ -16,6 +16,12 @@
 #include "util.h"
 #include "log.h"
 #include "extensions.h"
+
+// move custom HASH512 command out,
+// and the following headers too
+#include "sha2.h"
+#include "crypto.h"
+
 #include APP_CONFIG
 typedef enum
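Review bot: The `crypto/cifra` entry fetches cryptographic code from `https://github.com/ctz/cifra.git`, a repository outside the project's control, whereas the `dfuse-tool` entry just above it uses a `solokeys` repository. The gitlink pins commit `d04dd318609733d809904d4f2973597240655cde`, which fixes what gets built, but a project-controlled mirror would also keep that commit fetchable if upstream is rewritten or removed. The commit message should record which upstream release or review state that commit corresponds to, since this code ends up in authenticator firmware.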
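Review bot: The three `crypto_sha512_*` prototypes document neither the output size nor the hidden state, and `crypto_sha512_final` takes a bare `uint8_t * hash` with no length. A comment above them such as `// SHA-512 on one shared context; hash must have room for 64 bytes` would state what the handler added to ctaphid.c relies on. In this patch only targets/stm32l432/src/crypto.c defines these functions, so any other target that builds fido2/ctaphid.c with `SOLO_HACKER` defined would presumably fail to link; that limitation is worth stating here or guarding.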
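Review bot: `#include "sha2.h"` is added unconditionally, although its only visible use in this file, `CF_SHA512_HASHSZ`, sits inside `#if defined(SOLO_HACKER)`, and the include path `-I../../crypto/cifra/src` is added only to the stm32l432 makefile in this patch. Builds of fido2/ctaphid.c for other targets would likely fail to find the header, so the two new includes should be wrapped in `#if defined(SOLO_HACKER)` and `#endif`, placed after `#include APP_CONFIG` if that is where the macro is defined. The `// move custom HASH512 command out,` comment reads as a to-do; prefixing it with `TODO:` would make it greppable.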
@@ -718,6 +724,27 @@ uint8_t ctaphid_handle_packet(uint8_t * pkt_raw)
 ctaphid_write(&wb, NULL, 0);
 is_busy = 0;
 break;
+#endif
+#if defined(SOLO_HACKER)
+ case CTAPHID_HASH512:
+ // some random logging
+ printf1(TAG_HID,"CTAPHID_HASH512\n");
+ // initialise CTAP response object
+ ctap_response_init(&ctap_resp);
+ // initialise write buffer
+ ctaphid_write_buffer_init(&wb);
+ wb.cid = cid;
+ wb.cmd = CTAPHID_HASH512;
+ wb.bcnt = CF_SHA512_HASHSZ; // 64 bytes
+ // calculate hash
+ crypto_sha512_init();
+ crypto_sha512_update(ctap_buffer, buffer_len());
+ crypto_sha512_final(ctap_buffer);
+ // copy to output
+ ctaphid_write(&wb, &ctap_buffer, CF_SHA512_HASHSZ);
+ ctaphid_write(&wb, NULL, 0);
+ is_busy = 0;
+ break;
 #endif
 default:
 printf2(TAG_ERR,"error, unimplemented HID cmd: %02x\r\n", buffer_cmd());
diff --git a/fido2/ctaphid.h b/fido2/ctaphid.h
index d5ea35b..b728b0f 100644
--- a/fido2/ctaphid.h
+++ b/fido2/ctaphid.h
@@ -28,6 +28,7 @@
 #define CTAPHID_ENTERBOOT (TYPE_INIT | 0x51)
 #define CTAPHID_ENTERSTBOOT (TYPE_INIT | 0x52)
 #define CTAPHID_GETRNG (TYPE_INIT | 0x60)
+#define CTAPHID_HASH512 (TYPE_INIT | 0x70)
 #define ERR_INVALID_CMD 0x01
 #define ERR_INVALID_PAR 0x02
diff --git a/targets/stm32l432/build/application.mk b/targets/stm32l432/build/application.mk
index a22bc1d..2efb050 100644
--- a/targets/stm32l432/build/application.mk
+++ b/targets/stm32l432/build/application.mk
@@ -14,6 +14,7 @@ SRC += ../../fido2/extensions/extensions.c ../../fido2/extensions/solo.c
 # Crypto libs
 SRC += ../../crypto/sha256/sha256.c ../../crypto/micro-ecc/uECC.c ../../crypto/tiny-AES-c/aes.c
+SRC += ../../crypto/cifra/src/sha512.c ../../crypto/cifra/src/blockwise.c
 OBJ1=$(SRC:.c=.o)
 OBJ=$(OBJ1:.s=.o)
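Review bot: `ctaphid_write(&wb, &ctap_buffer, CF_SHA512_HASHSZ);` passes the address of `ctap_buffer` rather than the buffer itself, while the two calls above it pass `ctap_buffer` directly. If `ctap_buffer` is an array (its declaration is outside the hunk) the address is the same and only the pointer type is wrong, but if it is a pointer this sends 64 bytes starting at the pointer variable to the host instead of the digest; `ctaphid_write(&wb, ctap_buffer, CF_SHA512_HASHSZ);` is correct in both cases. The handler also hashes `buffer_len()` bytes with no bound check in the added lines, so it relies on earlier code in `ctaphid_handle_packet`, which starts outside the hunk, having limited that length to the size of `ctap_buffer`. A comment on the case stating that it is a debug command compiled only into `SOLO_HACKER` builds, and that it runs without any user-presence check in the lines shown, would make that intent explicit.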
@@ -21,6 +22,7 @@ OBJ=$(OBJ1:.s=.o)
 INC = -Isrc/ -Isrc/cmsis/ -Ilib/ -Ilib/usbd/ -I../../fido2/ -I../../fido2/extensions
 INC += -I../../tinycbor/src -I../../crypto/sha256 -I../../crypto/micro-ecc
 INC += -I../../crypto/tiny-AES-c
+INC += -I../../crypto/cifra/src
 SEARCH=-L../../tinycbor/lib
@@ -66,6 +68,7 @@ all: $(TARGET).elf
 $(CC) $^ $(HW) $(LDFLAGS) -o $@
 %.hex: %.elf
+ $(SZ) $^
 $(CP) -O ihex $^ $(TARGET).hex
 clean:
diff --git a/targets/stm32l432/src/crypto.c b/targets/stm32l432/src/crypto.c
index 7de78fa..31812d4 100644
--- a/targets/stm32l432/src/crypto.c
+++ b/targets/stm32l432/src/crypto.c
@@ -24,6 +24,9 @@
 #include "aes.h"
 #include "ctap.h"
 #include "device.h"
+// stuff for SHA512
+#include "sha2.h"
+#include "blockwise.h"
 #include APP_CONFIG
 #include "log.h"
 #include "memory_layout.h"
@@ -48,6 +51,7 @@ typedef enum
 static SHA256_CTX sha256_ctx;
+static cf_sha512_context sha512_ctx;
 static const struct uECC_Curve_t * _es256_curve = NULL;
 static const uint8_t * _signing_key = NULL;
 static int _key_len = 0;
@@ -62,6 +66,9 @@ void crypto_sha256_init()
 sha256_init(&sha256_ctx);
 }
+void crypto_sha512_init() {
+ cf_sha512_init(&sha512_ctx);
+}
 void crypto_load_master_secret(uint8_t * key)
 {
@@ -86,6 +93,10 @@ void crypto_sha256_update(uint8_t * data, size_t len)
 sha256_update(&sha256_ctx, data, len);
 }
+void crypto_sha512_update(const uint8_t * data, size_t len) {
+ cf_sha512_update(&sha512_ctx, data, len);
+}
+
 void crypto_sha256_update_secret()
 {
 sha256_update(&sha256_ctx, master_secret, 32);
@@ -96,6 +107,11 @@ void crypto_sha256_final(uint8_t * hash)
 sha256_final(&sha256_ctx, hash);
 }
+void crypto_sha512_final(uint8_t * hash) {
+ // NB: there is also cf_sha512_digest
+ cf_sha512_digest_final(&sha512_ctx, hash);
+}
+
 void crypto_sha256_hmac_init(uint8_t * key, uint32_t klen, uint8_t * hmac)
 {
 uint8_t buf[64];
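Review bot: `#include "blockwise.h"` does not appear to be needed in this file, because the code this patch adds to crypto.c only uses `cf_sha512_context`, `cf_sha512_init`, `cf_sha512_update` and `cf_sha512_digest_final`, which presumably all come from `sha2.h`. blockwise.c has to be compiled, and the makefile hunk adds it, but its header looks like a cifra-internal one. Dropping the include would keep this file tied to the library's public hash API only, and the comment `// stuff for SHA512` could then read `// cifra SHA-512 (crypto/cifra)`.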
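Review bot: `static cf_sha512_context sha512_ctx;` makes every SHA-512 computation in the firmware share one file-scope state, so an init/update/final sequence started on one code path is silently corrupted if another path calls `crypto_sha512_init()` before it finishes. The existing `sha256_ctx` has the same shape, so this is consistent, but it deserves a comment such as `// single shared SHA-512 state: init/update/final sequences must not interleave`. If SHA-512 is later fed secret material, the way `crypto_sha256_update_secret()` feeds `master_secret` to SHA-256, whether the state is wiped after `crypto_sha512_final()` depends on cifra's `cf_sha512_digest_final`, which is not visible here and should be confirmed.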
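Review bot: The three new wrappers put the opening brace on the signature line (`void crypto_sha512_init() {`), while the surrounding functions in this file, visible as context here (`void crypto_load_master_secret(uint8_t * key)` followed by `{`), put it on its own line. The same applies to `crypto_sha512_update` in the `-86,6` hunk and `crypto_sha512_final` in the `-96,6` hunk. Matching the file's existing layout keeps the additions from standing out in later diffs.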
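Review bot: The comment `// NB: there is also cf_sha512_digest` names the alternative but not why `cf_sha512_digest_final` was chosen, which is the part a later reader needs. If the reason is that the `_final` variant consumes the context instead of working on a copy (to be confirmed against cifra's sha2.h), say so, for example `// _final variant: context is not reusable afterwards; call crypto_sha512_init() before the next hash`. `hash` is written without a length argument, so the function comment should also state that it must point to at least `CF_SHA512_HASHSZ` bytes.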