hmac_drbg: define error codes, add parameter check

Added check for output len as defined by NIST for HMAC_DRBG and
define error codes instead of constants.

Propagate status for hmac_drbg_generate_p256

BUG=b:138578157
TEST=make buildall ; make BOARD=cr50 ; tpmtest.py

Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I16a1eac51ca11a6419a86922cfe59c13d9c703a0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2243762
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>

2 files changed, 21 insertions, 14 deletions

diff --git a/chip/g/dcrypto/hmac_drbg.c b/chip/g/dcrypto/hmac_drbg.c
index 0643c9bf84..73df952a67 100644
--- a/chip/g/dcrypto/hmac_drbg.c
+++ b/chip/g/dcrypto/hmac_drbg.c
@@ -107,14 +107,19 @@ void hmac_drbg_reseed(struct drbg_ctx *ctx,
 	ctx->reseed_counter = 1;
 }
 
-int hmac_drbg_generate(struct drbg_ctx *ctx,
+enum hmac_result hmac_drbg_generate(struct drbg_ctx *ctx,
 		       void *out, size_t out_len,
 		       const void *input, size_t input_len)
 {
-	/* TODO(louiscollard): Assert maximum output length? */
+	/* According to NIST SP 800-90A rev 1 B.2
+	 * Maximum number of bits per request = 7500 bits
+	 * Reseed_interval = 10 000 requests.
+	 */
+	if (out_len > 7500 / 8)
+		return HMAC_DRBG_INVALID_PARAM;
 
-	if (ctx->reseed_counter >= 10000)
-		return 2;
+	if (ctx->reseed_counter++ >= 10000)
+		return HMAC_DRBG_RESEED_REQUIRED;
 
 	if (input_len)
 		update(ctx, input, input_len, NULL, 0, NULL, 0);
@@ -130,16 +135,13 @@ int hmac_drbg_generate(struct drbg_ctx *ctx,
 	}
 
 	update(ctx, input, input_len, NULL, 0, NULL, 0);
-	ctx->reseed_counter++;
 
-	return 0;
+	return HMAC_DRBG_SUCCESS;
 }
 
-void hmac_drbg_generate_p256(struct drbg_ctx *ctx, p256_int *k_out)
+enum hmac_result hmac_drbg_generate_p256(struct drbg_ctx *ctx, p256_int *k_out)
 {
-	hmac_drbg_generate(ctx,
-			   k_out->a, sizeof(k_out->a),
-			   NULL, 0);
+	return hmac_drbg_generate(ctx, k_out->a, sizeof(k_out->a), NULL, 0);
 }
 
 void drbg_exit(struct drbg_ctx *ctx)
diff --git a/chip/g/dcrypto/internal.h b/chip/g/dcrypto/internal.h
index 69c54da4d4..26bac1c73f 100644
--- a/chip/g/dcrypto/internal.h
+++ b/chip/g/dcrypto/internal.h
@@ -130,6 +130,11 @@ struct drbg_ctx {
 /*
  * NIST SP 800-90A HMAC DRBG.
  */
+enum hmac_result {
+	HMAC_DRBG_SUCCESS = 0,
+	HMAC_DRBG_INVALID_PARAM = 1,
+	HMAC_DRBG_RESEED_REQUIRED = 2
+};
 
 /* Standard initialization. */
 void hmac_drbg_init(struct drbg_ctx *ctx,
@@ -146,11 +151,11 @@ void hmac_drbg_reseed(struct drbg_ctx *ctx,
 		      const void *p0, size_t p0_len,
 		      const void *p1, size_t p1_len,
 		      const void *p2, size_t p2_len);
-int hmac_drbg_generate(struct drbg_ctx *ctx,
-		       void *out, size_t out_len,
-		       const void *input, size_t input_len);
+enum hmac_result hmac_drbg_generate(struct drbg_ctx *ctx, void *out,
+				    size_t out_len, const void *input,
+				    size_t input_len);
 /* Generate p256, with no additional input. */
-void hmac_drbg_generate_p256(struct drbg_ctx *ctx, p256_int *k_out);
+enum hmac_result hmac_drbg_generate_p256(struct drbg_ctx *ctx, p256_int *k_out);
 void drbg_exit(struct drbg_ctx *ctx);
 
 /*