bootutil: Remove BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE

BOOT_ENC_KEY_SIZE is enough.
BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE has been replaced with
BOOT_ENC_BLOCK_SIZE.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

Author: de-nordic

boot/boot_serial/src/boot_serial_encryption.c

@@ -11,7 +11,6 @@
 #include "bootutil/bootutil_log.h"
 #include "bootutil/bootutil_public.h"
 #include "bootutil/fault_injection_hardening.h"
-#include "bootutil/enc_key.h"
 
 #include "mcuboot_config/mcuboot_config.h"
 

boot/bootutil/include/bootutil/crypto/aes_ctr.h

@@ -19,30 +19,27 @@
     #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT or PSA"
 #endif
 
+#include "bootutil/enc_key_public.h"
+
 #if defined(MCUBOOT_USE_MBED_TLS)
     #include <mbedtls/aes.h>
-    #include "bootutil/enc_key_public.h"
-    #define BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE BOOT_ENC_KEY_SIZE
-    #define BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE (16)
+    #define BOOT_ENC_BLOCK_SIZE (16)
 #endif /* MCUBOOT_USE_MBED_TLS */
 
 #if defined(MCUBOOT_USE_TINYCRYPT)
-    #if defined(MCUBOOT_AES_256)
-        #error "Cannot use AES-256 for encryption with Tinycrypt library."
-    #endif
     #include <string.h>
     #include <tinycrypt/aes.h>
     #include <tinycrypt/ctr_mode.h>
     #include <tinycrypt/constants.h>
-    #define BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE TC_AES_KEY_SIZE
-    #define BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE TC_AES_BLOCK_SIZE
+    #if defined(MCUBOOT_AES_256) || (BOOT_ENC_KEY_SIZE != TC_AES_KEY_SIZE)
+        #error "Cannot use AES-256 for encryption with Tinycrypt library."
+    #endif
+    #define BOOT_ENC_BLOCK_SIZE TC_AES_BLOCK_SIZE
 #endif /* MCUBOOT_USE_TINYCRYPT */
 
 #if defined(MCUBOOT_USE_PSA_CRYPTO)
     #include <psa/crypto.h>
-    #include "bootutil/enc_key_public.h"
-    #define BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE BOOT_ENC_KEY_SIZE
-    #define BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE (16)
+    #define BOOT_ENC_BLOCK_SIZE (16)
 #endif
 
 #include <stdint.h>
@@ -91,18 +88,18 @@ static inline void bootutil_aes_ctr_drop(bootutil_aes_ctr_context *ctx)
 
 static inline int bootutil_aes_ctr_set_key(bootutil_aes_ctr_context *ctx, const uint8_t *k)
 {
-    return mbedtls_aes_setkey_enc(ctx, k, BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE * 8);
+    return mbedtls_aes_setkey_enc(ctx, k, BOOT_ENC_KEY_SIZE * 8);
 }
 
 static inline int bootutil_aes_ctr_encrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, const uint8_t *m, uint32_t mlen, size_t blk_off, uint8_t *c)
 {
-    uint8_t stream_block[BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE];
+    uint8_t stream_block[BOOT_ENC_BLOCK_SIZE];
     return mbedtls_aes_crypt_ctr(ctx, mlen, &blk_off, counter, stream_block, m, c);
 }
 
 static inline int bootutil_aes_ctr_decrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, const uint8_t *c, uint32_t clen, size_t blk_off, uint8_t *m)
 {
-    uint8_t stream_block[BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE];
+    uint8_t stream_block[BOOT_ENC_BLOCK_SIZE];
     return mbedtls_aes_crypt_ctr(ctx, clen, &blk_off, counter, stream_block, c, m);
 }
 #endif /* MCUBOOT_USE_MBED_TLS */

boot/bootutil/src/encrypted.c

@@ -422,11 +422,11 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
     bootutil_aes_ctr_context aes_ctr;
     uint8_t tag[BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
     uint8_t shared[SHARED_KEY_LEN];
-    uint8_t derived_key[BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
+    uint8_t derived_key[BOOT_ENC_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
     uint8_t *cp;
     uint8_t *cpend;
     uint8_t private_key[PRIV_KEY_LEN];
-    uint8_t counter[BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE];
+    uint8_t counter[BOOT_ENC_BLOCK_SIZE];
     uint16_t len;
 #endif
     struct bootutil_key *bootutil_enc_key = NULL;
@@ -530,10 +530,10 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
      * Expand shared secret to create keys for AES-128-CTR + HMAC-SHA256
      */
 
-    len = BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE;
+    len = BOOT_ENC_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE;
     rc = hkdf(shared, SHARED_KEY_LEN, (uint8_t *)"MCUBoot_ECIES_v1", 16,
             derived_key, &len);
-    if (rc != 0 || len != (BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE)) {
+    if (rc != 0 || len != (BOOT_ENC_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE)) {
         return -1;
     }
 
@@ -585,8 +585,8 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
         return -1;
     }
 
-    memset(counter, 0, BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE);
-    rc = bootutil_aes_ctr_decrypt(&aes_ctr, counter, &buf[EC_CIPHERKEY_INDEX], BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE, 0, enckey);
+    memset(counter, 0, BOOT_ENC_BLOCK_SIZE);
+    rc = bootutil_aes_ctr_decrypt(&aes_ctr, counter, &buf[EC_CIPHERKEY_INDEX], BOOT_ENC_KEY_SIZE, 0, enckey);
     if (rc != 0) {
         bootutil_aes_ctr_drop(&aes_ctr);
         return -1;

boot/bootutil/src/encrypted_psa.c

@@ -114,7 +114,7 @@ extern const struct bootutil_key bootutil_enc_key;
 int
 boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
 {
-    uint8_t derived_key[BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
+    uint8_t derived_key[BOOT_ENC_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
     uint8_t *cp;
     uint8_t *cpend;
     uint8_t private_key[PRIV_KEY_LEN];
@@ -134,7 +134,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
      * the beginning of the input buffer.
      */
     uint8_t iv_and_key[PSA_CIPHER_IV_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CTR) +
-                       BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE];
+                       BOOT_ENC_KEY_SIZE];
 
     psa_ret = psa_crypto_init();
     if (psa_ret != PSA_SUCCESS) {
@@ -208,7 +208,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
         return -1;
     }
 
-    len = BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE;
+    len = BOOT_ENC_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE;
     psa_ret = psa_key_derivation_output_bytes(&key_do, derived_key, len);
     psa_cleanup_ret = psa_key_derivation_abort(&key_do);
     if (psa_cleanup_ret != PSA_SUCCESS) {
@@ -219,7 +219,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
         return -1;
     }
 
-    /* The derived key consists of BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE bytes
+    /* The derived key consists of BOOT_ENC_KEY_SIZE bytes
      * followed by BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE bytes. Both parts will
      * be imported at the point where needed and discarded immediately after.
      */
@@ -228,11 +228,11 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
     psa_set_key_algorithm(&kattr, PSA_ALG_HMAC(PSA_ALG_SHA_256));
 
     /* Import the MAC tag key part of derived key, that is the part that starts
-     * after BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE and has length of
+     * after BOOT_ENC_KEY_SIZE and has length of
      * BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE bytes.
      */
     psa_ret = psa_import_key(&kattr,
-                             &derived_key[BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE],
+                             &derived_key[BOOT_ENC_KEY_SIZE],
                              BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE, &kid);
     psa_reset_key_attributes(&kattr);
     if (psa_ret != PSA_SUCCESS) {
@@ -262,8 +262,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
     psa_set_key_algorithm(&kattr, PSA_ALG_CTR);
 
     /* Import the AES partition of derived key, the first 16 bytes */
-    psa_ret = psa_import_key(&kattr, &derived_key[0],
-                             BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE, &kid);
+    psa_ret = psa_import_key(&kattr, &derived_key[0], BOOT_ENC_KEY_SIZE, &kid);
     memset(derived_key, 0, sizeof(derived_key));
     if (psa_ret != PSA_SUCCESS) {
         BOOT_LOG_ERR("AES key import failed %d", psa_ret);
@@ -279,14 +278,14 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
 
     len = 0;
     psa_ret = psa_cipher_decrypt(kid, PSA_ALG_CTR, iv_and_key, sizeof(iv_and_key),
-                                 enckey, BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE, &len);
+                                 enckey, BOOT_ENC_KEY_SIZE, &len);
     memset(iv_and_key, 0, sizeof(iv_and_key));
     psa_cleanup_ret = psa_destroy_key(kid);
     if (psa_cleanup_ret != PSA_SUCCESS) {
 	BOOT_LOG_WRN("AES key destruction failed %d", psa_cleanup_ret);
     }
-    if (psa_ret != PSA_SUCCESS || len != BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE) {
-        memset(enckey, 0, BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE);
+    if (psa_ret != PSA_SUCCESS || len != BOOT_ENC_KEY_SIZE) {
+        memset(enckey, 0, BOOT_ENC_KEY_SIZE);
         BOOT_LOG_ERR("Random key decryption failed %d", psa_ret);
         return -1;
     }