authorVadim Sukhomlinov <sukhomlinov@google.com>2020-06-03 11:17:14 -0700
committerCommit Bot <commit-bot@chromium.org>2020-06-04 17:59:07 +0000
commit398315c41f2111135f2510e88d55ad3dbe83b5d6 (patch)
tree568dbe543bd67699f88c245f7ac6a41d19c11652
parent4fd5c9a385b1a2388d6e7ab282ed5bb570e43288 (diff)
downloadchrome-ec-398315c41f2111135f2510e88d55ad3dbe83b5d6.tar.gz
dcrypto/hmac: fix HMAC-SHA256 computation
https://crrev.com/c/1850535 introduced a change in the LITE_HMAC_CTX structure which changed the size of the opad field. HMAC computation was using sizeof(opad) instead of SHA256_BLOCK_SIZE and that caused incorrect values. BUG=b:158094716 TEST=make BOARD=cr50 CRYPTO_TEST=1 ; test/tpm_test/tpmtest.py or rfc6979 and hmac_drbg in Cr50 console. Change-Id: I58c166381b9f95f02f9f0c26a04a88e552d8057f Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2229280 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Bendebury <vbendeb@chromium.org> Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r--chip/g/dcrypto/dcrypto.h1
-rw-r--r--chip/g/dcrypto/hmac.c32
2 files changed, 19 insertions, 14 deletions
diff --git a/chip/g/dcrypto/dcrypto.h b/chip/g/dcrypto/dcrypto.h
index 1de0d63b03..8cf1071090 100644
--- a/chip/g/dcrypto/dcrypto.h
+++ b/chip/g/dcrypto/dcrypto.h
@@ -152,6 +152,7 @@ const uint8_t *DCRYPTO_SHA512_hash(const void *data, uint32_t n,
*/
void DCRYPTO_HMAC_SHA256_init(LITE_HMAC_CTX *ctx, const void *key,
unsigned int len);
+/* DCRYPTO HMAC-SHA256 final */
const uint8_t *DCRYPTO_HMAC_final(LITE_HMAC_CTX *ctx);
/*
diff --git a/chip/g/dcrypto/hmac.c b/chip/g/dcrypto/hmac.c
index d6f2d4e775..427d924d5f 100644
--- a/chip/g/dcrypto/hmac.c
+++ b/chip/g/dcrypto/hmac.c
@@ -11,49 +11,53 @@
#include "cryptoc/sha256.h"
#include "cryptoc/util.h"
-/* TODO(ngm): add support for hardware hmac. */
-static void HMAC_init(LITE_HMAC_CTX *ctx, const void *key, unsigned int len)
+/* TODO(sukhomlinov): add support for hardware hmac. */
+static void hmac_sha256_init(LITE_HMAC_CTX *ctx, const void *key,
+ unsigned int len)
{
unsigned int i;
- memset(&ctx->opad[0], 0, sizeof(ctx->opad));
+ BUILD_ASSERT(sizeof(ctx->opad) >= SHA256_BLOCK_SIZE);
+
+ memset(&ctx->opad[0], 0, SHA256_BLOCK_SIZE);
if (len > sizeof(ctx->opad)) {
DCRYPTO_SHA256_init(&ctx->hash, 0);
HASH_update(&ctx->hash, key, len);
memcpy(&ctx->opad[0], HASH_final(&ctx->hash),
- HASH_size(&ctx->hash));
+ HASH_size(&ctx->hash));
} else {
memcpy(&ctx->opad[0], key, len);
}
- for (i = 0; i < sizeof(ctx->opad); ++i)
+ for (i = 0; i < SHA256_BLOCK_SIZE; ++i)
ctx->opad[i] ^= 0x36;
DCRYPTO_SHA256_init(&ctx->hash, 0);
/* hash ipad */
- HASH_update(&ctx->hash, ctx->opad, sizeof(ctx->opad));
+ HASH_update(&ctx->hash, ctx->opad, SHA256_BLOCK_SIZE);
- for (i = 0; i < sizeof(ctx->opad); ++i)
+ for (i = 0; i < SHA256_BLOCK_SIZE; ++i)
ctx->opad[i] ^= (0x36 ^ 0x5c);
}
void DCRYPTO_HMAC_SHA256_init(LITE_HMAC_CTX *ctx, const void *key,
- unsigned int len)
+ unsigned int len)
{
- HMAC_init(ctx, key, len);
+ hmac_sha256_init(ctx, key, len);
}
const uint8_t *DCRYPTO_HMAC_final(LITE_HMAC_CTX *ctx)
{
- uint8_t digest[SHA_DIGEST_MAX_BYTES]; /* upto SHA2 */
+ uint8_t digest[SHA256_DIGEST_SIZE]; /* up to SHA256 */
memcpy(digest, HASH_final(&ctx->hash),
- (HASH_size(&ctx->hash) <= sizeof(digest) ?
- HASH_size(&ctx->hash) : sizeof(digest)));
+ (HASH_size(&ctx->hash) <= sizeof(digest) ?
+ HASH_size(&ctx->hash) :
+ sizeof(digest)));
DCRYPTO_SHA256_init(&ctx->hash, 0);
- HASH_update(&ctx->hash, ctx->opad, sizeof(ctx->opad));
+ HASH_update(&ctx->hash, ctx->opad, SHA256_BLOCK_SIZE);
HASH_update(&ctx->hash, digest, HASH_size(&ctx->hash));
- always_memset(&ctx->opad[0], 0, sizeof(ctx->opad)); /* wipe key */
+ always_memset(&ctx->opad[0], 0, SHA256_BLOCK_SIZE); /* wipe key */
return HASH_final(&ctx->hash);
}
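Review bot: The key-length test in hmac_sha256_init, `if (len > sizeof(ctx->opad))`, still compares against the full opad field, while every other bound in the function now uses SHA256_BLOCK_SIZE. The BUILD_ASSERT permits opad to be larger than one SHA-256 block, and the commit message says its size changed; if it is larger, a key longer than SHA256_BLOCK_SIZE but no longer than sizeof(opad) is copied in unhashed and only its first 64 bytes enter the pads, so the result diverges from RFC 2104 and keys sharing a 64-byte prefix produce the same MAC. The test should read `if (len > SHA256_BLOCK_SIZE) {`. The same case leaves key bytes beyond the first block in ctx->opad after DCRYPTO_HMAC_final, because the wipe there now clears only SHA256_BLOCK_SIZE bytes.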