Change the encoding of key types to have a parity bit

Change the encoding of key types, EC curve families and DH group
families to make the low-order bit a parity bit (with even parity).

This ensures that distinct key type values always have a Hamming
distance of at least 2, which makes it easier for implementations to
resist single bit flips.

Author: gilles-peskine-arm

include/psa/crypto_extra.h

@@ -329,7 +329,7 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
  * string. The length of the byte string is the length of the base prime `p`
  * in bytes.
  */
-#define PSA_KEY_TYPE_DSA_PUBLIC_KEY                 ((psa_key_type_t)0x6004)
+#define PSA_KEY_TYPE_DSA_PUBLIC_KEY                 ((psa_key_type_t)0x4002)
 
 /** DSA key pair (private and public key).
  *
@@ -347,7 +347,7 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
  * Add 1 to the resulting integer and use this as the private key *x*.
  *
  */
-#define PSA_KEY_TYPE_DSA_KEY_PAIR                    ((psa_key_type_t)0x7004)
+#define PSA_KEY_TYPE_DSA_KEY_PAIR                    ((psa_key_type_t)0x7002)
 
 /** Whether a key type is an DSA key (pair or public-only). */
 #define PSA_KEY_TYPE_IS_DSA(type)                                       \
@@ -418,7 +418,7 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
  * #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_GROUP_CUSTOM), the group data comes
  * from domain parameters set by psa_set_key_domain_parameters().
  */
-#define PSA_DH_GROUP_CUSTOM             ((psa_dh_group_t) 0x80)
+#define PSA_DH_GROUP_CUSTOM             ((psa_dh_group_t) 0x7e)
 
 
 /**

include/psa/crypto_values.h

@@ -294,12 +294,12 @@
 #define PSA_KEY_TYPE_VENDOR_FLAG                    ((psa_key_type_t)0x8000)
 
 #define PSA_KEY_TYPE_CATEGORY_MASK                  ((psa_key_type_t)0x7000)
-#define PSA_KEY_TYPE_CATEGORY_SYMMETRIC             ((psa_key_type_t)0x4000)
-#define PSA_KEY_TYPE_CATEGORY_RAW                   ((psa_key_type_t)0x5000)
-#define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY            ((psa_key_type_t)0x6000)
+#define PSA_KEY_TYPE_CATEGORY_RAW                   ((psa_key_type_t)0x1000)
+#define PSA_KEY_TYPE_CATEGORY_SYMMETRIC             ((psa_key_type_t)0x2000)
+#define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY            ((psa_key_type_t)0x4000)
 #define PSA_KEY_TYPE_CATEGORY_KEY_PAIR              ((psa_key_type_t)0x7000)
 
-#define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR             ((psa_key_type_t)0x1000)
+#define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR             ((psa_key_type_t)0x3000)
 
 /** Whether a key type is vendor-defined.
  *
@@ -313,8 +313,8 @@
  * This encompasses both symmetric keys and non-key data.
  */
 #define PSA_KEY_TYPE_IS_UNSTRUCTURED(type) \
-    (((type) & PSA_KEY_TYPE_CATEGORY_MASK & ~(psa_key_type_t)0x1000) == \
-     PSA_KEY_TYPE_CATEGORY_SYMMETRIC)
+    (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_RAW || \
+     ((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC)
 
 /** Whether a key type is asymmetric: either a key pair or a public key. */
 #define PSA_KEY_TYPE_IS_ASYMMETRIC(type)                                \
@@ -357,7 +357,7 @@
  *
  * A "key" of this type cannot be used for any cryptographic operation.
  * Applications may use this type to store arbitrary data in the keystore. */
-#define PSA_KEY_TYPE_RAW_DATA                       ((psa_key_type_t)0x5001)
+#define PSA_KEY_TYPE_RAW_DATA                       ((psa_key_type_t)0x1001)
 
 /** HMAC key.
  *
@@ -367,21 +367,21 @@
  * HMAC keys should generally have the same size as the underlying hash.
  * This size can be calculated with #PSA_HASH_SIZE(\c alg) where
  * \c alg is the HMAC algorithm or the underlying hash algorithm. */
-#define PSA_KEY_TYPE_HMAC                           ((psa_key_type_t)0x5100)
+#define PSA_KEY_TYPE_HMAC                           ((psa_key_type_t)0x1100)
 
 /** A secret for key derivation.
  *
  * The key policy determines which key derivation algorithm the key
  * can be used for.
  */
-#define PSA_KEY_TYPE_DERIVE                         ((psa_key_type_t)0x5200)
+#define PSA_KEY_TYPE_DERIVE                         ((psa_key_type_t)0x1200)
 
 /** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.
  *
  * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or
  * 32 bytes (AES-256).
  */
-#define PSA_KEY_TYPE_AES                            ((psa_key_type_t)0x4042)
+#define PSA_KEY_TYPE_AES                            ((psa_key_type_t)0x2040)
 
 /** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).
  *
@@ -392,17 +392,17 @@
  * deprecated and should only be used to decrypt legacy data. 3-key 3DES
  * is weak and deprecated and should only be used in legacy protocols.
  */
-#define PSA_KEY_TYPE_DES                            ((psa_key_type_t)0x4032)
+#define PSA_KEY_TYPE_DES                            ((psa_key_type_t)0x2031)
 
 /** Key for a cipher, AEAD or MAC algorithm based on the
  * Camellia block cipher. */
-#define PSA_KEY_TYPE_CAMELLIA                       ((psa_key_type_t)0x4044)
+#define PSA_KEY_TYPE_CAMELLIA                       ((psa_key_type_t)0x2043)
 
 /** Key for the RC4 stream cipher.
  *
  * Note that RC4 is weak and deprecated and should only be used in
  * legacy protocols. */
-#define PSA_KEY_TYPE_ARC4                           ((psa_key_type_t)0x4002)
+#define PSA_KEY_TYPE_ARC4                           ((psa_key_type_t)0x2002)
 
 /** Key for the ChaCha20 stream cipher or the Chacha20-Poly1305 AEAD algorithm.
  *
@@ -411,17 +411,17 @@
  * Implementations must support 12-byte nonces, may support 8-byte nonces,
  * and should reject other sizes.
  */
-#define PSA_KEY_TYPE_CHACHA20                       ((psa_key_type_t)0x4004)
+#define PSA_KEY_TYPE_CHACHA20                       ((psa_key_type_t)0x2004)
 
 /** RSA public key. */
-#define PSA_KEY_TYPE_RSA_PUBLIC_KEY                 ((psa_key_type_t)0x6002)
+#define PSA_KEY_TYPE_RSA_PUBLIC_KEY                 ((psa_key_type_t)0x4001)
 /** RSA key pair (private and public key). */
-#define PSA_KEY_TYPE_RSA_KEY_PAIR                   ((psa_key_type_t)0x7002)
+#define PSA_KEY_TYPE_RSA_KEY_PAIR                   ((psa_key_type_t)0x7001)
 /** Whether a key type is an RSA key (pair or public-only). */
 #define PSA_KEY_TYPE_IS_RSA(type)                                       \
     (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY)
 
-#define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE            ((psa_key_type_t)0x6100)
+#define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE            ((psa_key_type_t)0x4100)
 #define PSA_KEY_TYPE_ECC_KEY_PAIR_BASE              ((psa_key_type_t)0x7100)
 #define PSA_KEY_TYPE_ECC_CURVE_MASK                 ((psa_key_type_t)0x00ff)
 /** Elliptic curve key pair.
@@ -466,7 +466,7 @@
  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
  * https://www.secg.org/sec2-v2.pdf
  */
-#define PSA_ECC_CURVE_SECP_K1           ((psa_ecc_curve_t) 0x16)
+#define PSA_ECC_CURVE_SECP_K1           ((psa_ecc_curve_t) 0x17)
 
 /** SEC random curves over prime fields.
  *
@@ -478,7 +478,7 @@
  */
 #define PSA_ECC_CURVE_SECP_R1           ((psa_ecc_curve_t) 0x12)
 /* SECP160R2 (SEC2 v1, obsolete) */
-#define PSA_ECC_CURVE_SECP_R2           ((psa_ecc_curve_t) 0x1a)
+#define PSA_ECC_CURVE_SECP_R2           ((psa_ecc_curve_t) 0x1b)
 
 /** SEC Koblitz curves over binary fields.
  *
@@ -488,7 +488,7 @@
  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
  * https://www.secg.org/sec2-v2.pdf
  */
-#define PSA_ECC_CURVE_SECT_K1           ((psa_ecc_curve_t) 0x26)
+#define PSA_ECC_CURVE_SECT_K1           ((psa_ecc_curve_t) 0x27)
 
 /** SEC random curves over binary fields.
  *
@@ -508,7 +508,7 @@
  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
  * https://www.secg.org/sec2-v2.pdf
  */
-#define PSA_ECC_CURVE_SECT_R2           ((psa_ecc_curve_t) 0x2a)
+#define PSA_ECC_CURVE_SECT_R2           ((psa_ecc_curve_t) 0x2b)
 
 /** Brainpool P random curves.
  *
@@ -529,9 +529,9 @@
  *   _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
  *   The algorithm #PSA_ALG_ECDH performs X448 when used with this curve.
  */
-#define PSA_ECC_CURVE_XED               ((psa_ecc_curve_t) 0x40)
+#define PSA_ECC_CURVE_XED               ((psa_ecc_curve_t) 0x41)
 
-#define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE             ((psa_key_type_t)0x6200)
+#define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE             ((psa_key_type_t)0x4200)
 #define PSA_KEY_TYPE_DH_KEY_PAIR_BASE               ((psa_key_type_t)0x7200)
 #define PSA_KEY_TYPE_DH_GROUP_MASK                  ((psa_key_type_t)0x00ff)
 /** Diffie-Hellman key pair.
@@ -574,7 +574,7 @@
  * 2048, 3072, 4096, 6144, 8192. A given implementation may support
  * all of these sizes or only a subet.
  */
-#define PSA_DH_GROUP_RFC7919            ((psa_dh_group_t) 0x02)
+#define PSA_DH_GROUP_RFC7919            ((psa_dh_group_t) 0x03)
 
 #define PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type)      \
     (((type) >> 4) & 7)

tests/suites/test_suite_psa_crypto_metadata.function

@@ -56,6 +56,18 @@
 #define TEST_CLASSIFICATION_MACRO( flag, alg, flags )           \
     TEST_ASSERT( PSA_##flag( alg ) == !! ( ( flags ) & flag ) )
 
+/* Check the parity of value.
+ * Return 0 if value has even parity and a nonzero value otherwise. */
+int test_parity( uint32_t value )
+{
+    value ^= value >> 16;
+    value ^= value >> 8;
+    value ^= value >> 4;
+    return( 0x9669 & 1 << ( value & 0xf ) );
+}
+#define TEST_PARITY( value )                    \
+    TEST_ASSERT( test_parity( value ) )
+
 void algorithm_classification( psa_algorithm_t alg, unsigned flags )
 {
     TEST_CLASSIFICATION_MACRO( ALG_IS_VENDOR_DEFINED, alg, flags );
@@ -113,6 +125,8 @@ void key_type_classification( psa_key_type_t type, unsigned flags )
                 ( PSA_KEY_TYPE_IS_DH( type ) &&
                   PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) ) );
 
+    TEST_PARITY( type );
+
 exit: ;
 }
 
@@ -481,6 +495,8 @@ void ecc_key_family( int curve_arg )
     psa_key_type_t public_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve );
     psa_key_type_t pair_type = PSA_KEY_TYPE_ECC_KEY_PAIR( curve );
 
+    test_parity( curve );
+
     test_key_type( public_type, KEY_TYPE_IS_ECC | KEY_TYPE_IS_PUBLIC_KEY );
     test_key_type( pair_type, KEY_TYPE_IS_ECC | KEY_TYPE_IS_KEY_PAIR );
 
@@ -496,6 +512,8 @@ void dh_key_family( int group_arg )
     psa_key_type_t public_type = PSA_KEY_TYPE_DH_PUBLIC_KEY( group );
     psa_key_type_t pair_type = PSA_KEY_TYPE_DH_KEY_PAIR( group );
 
+    test_parity( group );
+
     test_key_type( public_type, KEY_TYPE_IS_DH | KEY_TYPE_IS_PUBLIC_KEY );
     test_key_type( pair_type, KEY_TYPE_IS_DH | KEY_TYPE_IS_KEY_PAIR );