Use recommened static sizes for AES GCM IV and Tag

Author: AlexLanzano

examples/demo/client/wh_demo_client_keystore.c

@@ -126,10 +126,10 @@ int wh_DemoClient_KeystoreAes(whClientContext* clientContext)
 {
     int      ret;
     Aes      aes = {0};
-    uint8_t  key[AES_128_KEY_SIZE] = {'0','1','2','3','4','5','6','7',
-                                      '8','9','a','b','c','d','e','f'};
-    uint8_t  iv[AES_IV_SIZE]       = {'1','2','3','4','5','6','7','8',
-                                      '9','0','a','b','c','d','e','f'};
+    uint8_t  key[AES_128_KEY_SIZE] = {'0', '1', '2', '3', '4', '5', '6', '7',
+                                      '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
+    uint8_t  iv[AES_IV_SIZE]       = {'1', '2', '3', '4', '5', '6', '7', '8',
+                                      '9', '0', 'a', 'b', 'c', 'd', 'e', 'f'};
     uint8_t  label[]               = "my secret AES key";
     uint8_t  plainText[]           = "This is a test.";
     uint8_t  cipherText[sizeof(plainText)];

examples/demo/client/wh_demo_client_keywrap.c

@@ -41,7 +41,7 @@
 #define WH_TEST_AES_TEXTSIZE 16
 #define WH_TEST_AES_IVSIZE 12
 #define WH_TEST_AES_TAGSIZE 16
-#define WH_TEST_AES_WRAPPED_KEYSIZE                                     \
+#define WH_TEST_AES_WRAPPED_KEYSIZE                                   \
     (WH_TEST_AES_IVSIZE + WH_TEST_AES_TAGSIZE + WH_TEST_AES_KEYSIZE + \
      sizeof(whNvmMetadata))
 #define WH_TEST_WRAPKEY_ID 8

src/wh_server_keystore.c

@@ -554,15 +554,18 @@ int wh_Server_KeystoreEraseKey(whServerContext* server, whNvmId keyId)
 #ifndef NO_AES
 #ifdef HAVE_AESGCM
 
+#define WOLFHSM_KEYWRAP_AES_GCM_TAG_SIZE 16
+#define WOLFHSM_KEYWRAP_AES_GCM_IV_SIZE 12
+
 static int _AesGcmWrapKey(whServerContext* server, whKeyId serverKeyId,
                           uint8_t* keyIn, uint16_t keySz,
                           whNvmMetadata* metadataIn, uint8_t* wrappedKeyOut,
                           uint16_t wrappedKeySz)
 {
     int      ret = 0;
     Aes      aes[1];
-    uint8_t  authTag[WOLFHSM_CFG_KEYWRAP_AES_GCM_TAG_SIZE];
-    uint8_t  iv[WOLFHSM_CFG_KEYWRAP_AES_GCM_IV_SIZE];
+    uint8_t  authTag[WOLFHSM_KEYWRAP_AES_GCM_TAG_SIZE];
+    uint8_t  iv[WOLFHSM_KEYWRAP_AES_GCM_IV_SIZE];
     uint8_t  serverKey[AES_MAX_KEY_SIZE];
     uint32_t serverKeySz = sizeof(serverKey);
 
@@ -637,8 +640,8 @@ static int _AesGcmUnwrapKey(whServerContext* server, uint16_t serverKeyId,
 {
     int      ret = 0;
     Aes      aes[1];
-    uint8_t  authTag[WOLFHSM_CFG_KEYWRAP_AES_GCM_TAG_SIZE];
-    uint8_t  iv[WOLFHSM_CFG_KEYWRAP_AES_GCM_IV_SIZE];
+    uint8_t  authTag[WOLFHSM_KEYWRAP_AES_GCM_TAG_SIZE];
+    uint8_t  iv[WOLFHSM_KEYWRAP_AES_GCM_IV_SIZE];
     uint8_t  serverKey[AES_MAX_KEY_SIZE];
     uint32_t serverKeySz = sizeof(serverKey);
     uint8_t* encBlob   = (uint8_t*)wrappedKeyIn + sizeof(iv) + sizeof(authTag);
@@ -727,8 +730,8 @@ static int _HandleWrapKeyRequest(whServerContext*               server,
 #ifndef NO_AES
 #ifdef HAVE_AESGCM
         case WC_CIPHER_AES_GCM: {
-            uint16_t wrappedKeySz = WOLFHSM_CFG_KEYWRAP_AES_GCM_IV_SIZE +
-                                    WOLFHSM_CFG_KEYWRAP_AES_GCM_TAG_SIZE +
+            uint16_t wrappedKeySz = WOLFHSM_KEYWRAP_AES_GCM_IV_SIZE +
+                                    WOLFHSM_KEYWRAP_AES_GCM_TAG_SIZE +
                                     sizeof(metadata) + req->keySz;
 
             /* Check if the response data can fit the wrapped key */
@@ -792,8 +795,8 @@ static int _HandleUnwrapAndExportKeyRequest(
 #ifdef HAVE_AESGCM
         case WC_CIPHER_AES_GCM: {
             uint16_t keySz =
-                req->wrappedKeySz - WOLFHSM_CFG_KEYWRAP_AES_GCM_IV_SIZE -
-                WOLFHSM_CFG_KEYWRAP_AES_GCM_TAG_SIZE - sizeof(*metadata);
+                req->wrappedKeySz - WOLFHSM_KEYWRAP_AES_GCM_IV_SIZE -
+                WOLFHSM_KEYWRAP_AES_GCM_TAG_SIZE - sizeof(*metadata);
 
             /* Check if the response data can fit the metadata + key  */
             if (respDataSz < sizeof(*metadata) + keySz) {
@@ -862,8 +865,8 @@ _HandleUnwrapAndCacheKeyRequest(whServerContext*                         server,
 #ifndef NO_AES
 #ifdef HAVE_AESGCM
         case WC_CIPHER_AES_GCM: {
-            keySz = req->wrappedKeySz - WOLFHSM_CFG_KEYWRAP_AES_GCM_IV_SIZE -
-                    WOLFHSM_CFG_KEYWRAP_AES_GCM_TAG_SIZE - sizeof(metadata);
+            keySz = req->wrappedKeySz - WOLFHSM_KEYWRAP_AES_GCM_IV_SIZE -
+                    WOLFHSM_KEYWRAP_AES_GCM_TAG_SIZE - sizeof(metadata);
 
             ret = _AesGcmUnwrapKey(server, req->serverKeyId, wrappedKey,
                                    req->wrappedKeySz, &metadata, key, keySz);

test/wh_test_keywrap.c

@@ -50,7 +50,7 @@
 #define WH_TEST_AES_TEXTSIZE 16
 #define WH_TEST_AES_IVSIZE 12
 #define WH_TEST_AES_TAGSIZE 16
-#define WH_TEST_AES_WRAPPED_KEYSIZE                                     \
+#define WH_TEST_AES_WRAPPED_KEYSIZE                                   \
     (WH_TEST_AES_IVSIZE + WH_TEST_AES_TAGSIZE + WH_TEST_AES_KEYSIZE + \
      sizeof(whNvmMetadata))
 

wolfhsm/wh_message_comm.h

@@ -50,7 +50,6 @@ enum WH_INFO_ENUM {
 };
 
 
-
 /* Generic error response message. */
 typedef struct {
     int return_code;

wolfhsm/wh_settings.h

@@ -40,14 +40,6 @@
  *  can be wrapped
  *      Default: 512
  *
- *  WOLFHSM_CFG_KEYWRAP_AES_GCM_TAG_SIZE - The size (in bytes) of the auth
- *  tag attached to an AES GCM wrapped key
- *      Default: 16
- *
- *  WOLFHSM_CFG_KEYWRAP_AES_GCM_IV_SIZE - The size (in bytes) of the IV
- *  attached to an AES GCM wrapped key
- *      Default: 12
- *
  *  WOLFHSM_CFG_HEXDUMP - If defined, include wh_Utils_HexDump functionality
  *                          using stdio.h
  *      Default: Not defined
@@ -245,15 +237,7 @@
 #if defined(HAVE_AESGCM)
 
 #ifndef WOLFHSM_CFG_KEYWRAP_MAX_KEY_SIZE
-#define WOLFHSM_CFG_KEYWRAP_MAX_KEY_SIZE 512
-#endif
-
-#ifndef WOLFHSM_CFG_KEYWRAP_AES_GCM_TAG_SIZE
-#define WOLFHSM_CFG_KEYWRAP_AES_GCM_TAG_SIZE 16
-#endif
-
-#ifndef WOLFHSM_CFG_KEYWRAP_AES_GCM_IV_SIZE
-#define WOLFHSM_CFG_KEYWRAP_AES_GCM_IV_SIZE 12
+#define WOLFHSM_CFG_KEYWRAP_MAX_KEY_SIZE 2000
 #endif
 
 #endif