Split BoringSSL ops into hash+kdf and ed25519

Done in preparation to support ECDSA P-384.

Change-Id: If85d54a46ba23b32776f97e6bca3b5a071d4e06b
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/84500
Reviewed-by: Andrew Scull <ascull@google.com>
Reviewed-by: Darren Krahn <dkrahn@google.com>
Commit-Queue: Atul Luykx <aluykx@google.com>

3 files changed, 53 insertions, 28 deletions

diff --git a/BUILD.gn b/BUILD.gn
index fa15140..f2c68a9 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -66,7 +66,8 @@ pw_static_library("dice_with_boringssl_ops") {
   ]
   sources = [
     "src/boringssl_cert_op.c",
-    "src/boringssl_hash_kdf_sign_ops.c",
+    "src/boringssl_hash_kdf_ops.c",
+    "src/boringssl_ed25519_ops.c",
     "src/clear_memory.c",
     "src/dice.c",
     "src/utils.c",
@@ -104,7 +105,8 @@ pw_static_library("dice_with_cbor_cert") {
     "include/dice/utils.h",
   ]
   sources = [
-    "src/boringssl_hash_kdf_sign_ops.c",
+    "src/boringssl_hash_kdf_ops.c",
+    "src/boringssl_ed25519_ops.c",
     "src/cbor_cert_op.c",
     "src/clear_memory.c",
     "src/dice.c",
@@ -123,7 +125,8 @@ pw_static_library("dice_with_cbor_template_cert") {
     "include/dice/utils.h",
   ]
   sources = [
-    "src/boringssl_hash_kdf_sign_ops.c",
+    "src/boringssl_hash_kdf_ops.c",
+    "src/boringssl_ed25519_ops.c",
     "src/clear_memory.c",
     "src/dice.c",
     "src/template_cbor_cert_op.c",
@@ -141,7 +144,8 @@ pw_static_library("dice_with_x509_template_cert") {
     "include/dice/utils.h",
   ]
   sources = [
-    "src/boringssl_hash_kdf_sign_ops.c",
+    "src/boringssl_hash_kdf_ops.c",
+    "src/boringssl_ed25519_ops.c",
     "src/clear_memory.c",
     "src/dice.c",
     "src/template_cert_op.c",
diff --git a/src/boringssl_hash_kdf_sign_ops.c b/src/boringssl_ed25519_ops.c
index 9198b4a..a1b9797 100644
--- a/src/boringssl_hash_kdf_sign_ops.c
+++ b/src/boringssl_ed25519_ops.c
@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not
 // use this file except in compliance with the License. You may obtain a copy of
@@ -12,8 +12,7 @@
 // License for the specific language governing permissions and limitations under
 // the License.
 
-// This is an implementation of the crypto operations that uses boringssl. The
-// algorithms used are SHA512, HKDF-SHA512, and Ed25519-SHA512.
+// An implementation of the ed25519 signature operations using boringssl.
 
 #include <stdint.h>
 
@@ -21,9 +20,6 @@
 #include "dice/ops.h"
 #include "openssl/curve25519.h"
 #include "openssl/evp.h"
-#include "openssl/hkdf.h"
-#include "openssl/is_boringssl.h"
-#include "openssl/sha.h"
 
 #if DICE_PRIVATE_KEY_SEED_SIZE != 32
 #error "Private key seed is expected to be 32 bytes."
@@ -38,24 +34,6 @@
 #error "Ed25519 needs 64 bytes to store the signature."
 #endif
 
-DiceResult DiceHash(void* context_not_used, const uint8_t* input,
-                    size_t input_size, uint8_t output[DICE_HASH_SIZE]) {
-  (void)context_not_used;
-  SHA512(input, input_size, output);
-  return kDiceResultOk;
-}
-
-DiceResult DiceKdf(void* context_not_used, size_t length, const uint8_t* ikm,
-                   size_t ikm_size, const uint8_t* salt, size_t salt_size,
-                   const uint8_t* info, size_t info_size, uint8_t* output) {
-  (void)context_not_used;
-  if (!HKDF(output, length, EVP_sha512(), ikm, ikm_size, salt, salt_size, info,
-            info_size)) {
-    return kDiceResultPlatformError;
-  }
-  return kDiceResultOk;
-}
-
 DiceResult DiceKeypairFromSeed(void* context_not_used,
                                const uint8_t seed[DICE_PRIVATE_KEY_SEED_SIZE],
                                uint8_t public_key[DICE_PUBLIC_KEY_SIZE],
diff --git a/src/boringssl_hash_kdf_ops.c b/src/boringssl_hash_kdf_ops.c
new file mode 100644
index 0000000..657276a
--- /dev/null
+++ b/src/boringssl_hash_kdf_ops.c
@@ -0,0 +1,43 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+// An implementation of the hash and kdf crypto operations using boringssl. The
+// algorithms used are SHA512 and HKDF-SHA512.
+
+#include <stdint.h>
+
+#include "dice/dice.h"
+#include "dice/ops.h"
+#include "openssl/evp.h"
+#include "openssl/hkdf.h"
+#include "openssl/is_boringssl.h"
+#include "openssl/sha.h"
+
+DiceResult DiceHash(void* context_not_used, const uint8_t* input,
+                    size_t input_size, uint8_t output[DICE_HASH_SIZE]) {
+  (void)context_not_used;
+  SHA512(input, input_size, output);
+  return kDiceResultOk;
+}
+
+DiceResult DiceKdf(void* context_not_used, size_t length, const uint8_t* ikm,
+                   size_t ikm_size, const uint8_t* salt, size_t salt_size,
+                   const uint8_t* info, size_t info_size, uint8_t* output) {
+  (void)context_not_used;
+  if (!HKDF(output, length, EVP_sha512(), ikm, ikm_size, salt, salt_size, info,
+            info_size)) {
+    return kDiceResultPlatformError;
+  }
+  return kDiceResultOk;
+}