host: Add dcrypto definitions that can be used by fuzzing targets.

These definitions provide the necessary dcrypto functionality for
fuzzing pinweaver. They can be built out as needed to support
further fuzzing.

BRANCH=none
BUG=chromium:876582
TEST=make -j buildfuzztests &&
  ./build/host/cr50_fuzz/cr50_fuzz.exe (with the cr50_fuzz CL)

Change-Id: I36ce874efab5dbc59825d126f6079b7b6d0da9ef
Signed-off-by: Allen Webb <allenwebb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1180573
Reviewed-by: Randall Spangler <rspangler@chromium.org>

8 files changed, 161 insertions, 0 deletions

diff --git a/chip/g/dcrypto/dcrypto.h b/chip/g/dcrypto/dcrypto.h
index 5210710b72..93763b1f26 100644
--- a/chip/g/dcrypto/dcrypto.h
+++ b/chip/g/dcrypto/dcrypto.h
@@ -293,6 +293,9 @@ enum dcrypto_appid {
 };
 
 struct APPKEY_CTX {
+#ifdef TEST_FUZZ
+	uint8_t unused_for_cxx_compatibility;
+#endif
 };
 
 int DCRYPTO_ladder_compute_frk2(size_t major_fw_version, uint8_t *frk2);
diff --git a/chip/g/dcrypto/internal.h b/chip/g/dcrypto/internal.h
index 4baf175760..3e546e90a2 100644
--- a/chip/g/dcrypto/internal.h
+++ b/chip/g/dcrypto/internal.h
@@ -169,12 +169,14 @@ uint32_t dcrypto_dmem_load(size_t offset, const void *words, size_t n_words);
 /*
  * Key ladder.
  */
+#ifndef __cplusplus
 enum dcrypto_appid;      /* Forward declaration. */
 
 int dcrypto_ladder_compute_usr(enum dcrypto_appid id,
 			const uint32_t usr_salt[8]);
 int dcrypto_ladder_derive(enum dcrypto_appid appid, const uint32_t salt[8],
 			  const uint32_t input[8], uint32_t output[8]);
+#endif
 
 
 #endif  /* ! __EC_CHIP_G_DCRYPTO_INTERNAL_H */
diff --git a/chip/host/build.mk b/chip/host/build.mk
index 40d2604fcb..92284b072a 100644
--- a/chip/host/build.mk
+++ b/chip/host/build.mk
@@ -12,3 +12,29 @@ chip-y=system.o gpio.o uart.o persistence.o flash.o lpc.o reboot.o i2c.o \
 	clock.o
 chip-$(HAS_TASK_KEYSCAN)+=keyboard_raw.o
 chip-$(CONFIG_USB_POWER_DELIVERY)+=usb_pd_phy.o
+
+ifeq ($(CONFIG_DCRYPTO),y)
+CPPFLAGS += -I$(abspath ./chip/g)
+dirs-y += chip/g/dcrypto
+endif
+dirs-y += chip/host/dcrypto
+
+chip-$(CONFIG_DCRYPTO)+= dcrypto/aes.o
+chip-$(CONFIG_DCRYPTO)+= dcrypto/app_cipher.o
+chip-$(CONFIG_DCRYPTO)+= dcrypto/app_key.o
+chip-$(CONFIG_DCRYPTO)+= dcrypto/sha256.o
+
+# Object files that can be shared with the Cr50 dcrypto implementation
+chip-$(CONFIG_DCRYPTO)+= ../g/dcrypto/hmac.o
+
+ifeq ($(CONFIG_DCRYPTO),y)
+CRYPTOCLIB := $(realpath ../../third_party/cryptoc)
+
+# Force the external build each time, so it can look for changed sources.
+.PHONY: $(out)/cryptoc/libcryptoc.a
+$(out)/cryptoc/libcryptoc.a:
+	$(MAKE) obj=$(realpath $(out))/cryptoc SUPPORT_UNALIGNED=1 \
+		CONFIG_UPTO_SHA512=$(CONFIG_UPTO_SHA512) -C $(CRYPTOCLIB)
+
+CPPFLAGS += -I$(CRYPTOCLIB)/include
+endif   # end CONFIG_DCRYPTO
diff --git a/chip/host/dcrypto/README.md b/chip/host/dcrypto/README.md
new file mode 100644
index 0000000000..6812dde311
--- /dev/null
+++ b/chip/host/dcrypto/README.md
@@ -0,0 +1,13 @@
+# Rough Dcrypto Implementation on Host for Fuzzing Targets.
+
+This implementation of the dcrypto API is not complete, but provides the needed
+function definitions to fuzz Cr50 code.
+The the following should be noted:
+* A complete implementation of dcrypto does not add any extra coverage since the
+  dcrypto code here doesn't match the Cr50 implementation that depends on
+  a specific hardware accelerator.
+* The input data comes from a fuzzer so storage encryption isn't necessary—no
+  user data is handled.
+* For fuzzing fully implementing the crypto functionality isn't useful for the
+  purpose of finding bugs--it makes the fuzzer take longer to execute without
+  providing any benefit for the extra cycles.
diff --git a/chip/host/dcrypto/aes.c b/chip/host/dcrypto/aes.c
new file mode 100644
index 0000000000..5c944a0c95
--- /dev/null
+++ b/chip/host/dcrypto/aes.c
@@ -0,0 +1,35 @@
+/* Copyright 2018 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include <openssl/evp.h>
+
+#include "dcrypto.h"
+#include "registers.h"
+
+int DCRYPTO_aes_ctr(uint8_t *out, const uint8_t *key, uint32_t key_bits,
+		const uint8_t *iv, const uint8_t *in, size_t in_len)
+{
+	EVP_CIPHER_CTX *ctx;
+	int ret = 0;
+	int out_len = 0;
+
+	ctx = EVP_CIPHER_CTX_new();
+	if (!ctx)
+		return 0;
+
+	if (EVP_EncryptInit_ex(ctx, EVP_aes_256_ctr(), NULL, key, iv) != 1)
+		goto cleanup;
+
+	if (EVP_EncryptUpdate(ctx, out, &out_len, in, in_len) != 1)
+		goto cleanup;
+
+	if (EVP_EncryptFinal(ctx, out + out_len, &out_len) != 1)
+		goto cleanup;
+	ret = 1;
+
+cleanup:
+	EVP_CIPHER_CTX_free(ctx);
+	return ret;
+}
diff --git a/chip/host/dcrypto/app_cipher.c b/chip/host/dcrypto/app_cipher.c
new file mode 100644
index 0000000000..af6c2c4beb
--- /dev/null
+++ b/chip/host/dcrypto/app_cipher.c
@@ -0,0 +1,33 @@
+/* Copyright 2018 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "dcrypto.h"
+#include "util.h"
+
+void app_compute_hash(uint8_t *p_buf, size_t num_bytes,
+		      uint8_t *p_hash, size_t hash_len)
+{
+	uint8_t digest[SHA256_DIGEST_SIZE];
+
+	/*
+	 * Use the built in dcrypto engine to generate the sha1 hash of the
+	 * buffer.
+	 */
+	DCRYPTO_SHA256_hash((uint8_t *)p_buf, num_bytes, digest);
+
+	memcpy(p_hash, digest, MIN(hash_len, sizeof(digest)));
+
+	if (hash_len > sizeof(digest))
+		memset(p_hash + sizeof(digest), 0,
+		       hash_len - sizeof(digest));
+}
+
+int app_cipher(const void *salt_p, void *out_p, const void *in_p, size_t size)
+{
+	/* See README.md for while this is a passthrough. */
+	memcpy(out_p, in_p, size);
+	return 1;
+}
+
diff --git a/chip/host/dcrypto/app_key.c b/chip/host/dcrypto/app_key.c
new file mode 100644
index 0000000000..58066c84ba
--- /dev/null
+++ b/chip/host/dcrypto/app_key.c
@@ -0,0 +1,31 @@
+/* Copyright 2018 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "dcrypto.h"
+
+static int dcrypto_appkey_init_flag_ = -1;
+
+int DCRYPTO_appkey_init(enum dcrypto_appid appid, struct APPKEY_CTX *ctx)
+{
+	if (dcrypto_appkey_init_flag_ != -1)
+		return 0;
+
+	dcrypto_appkey_init_flag_ = appid;
+	return 1;
+}
+
+void DCRYPTO_appkey_finish(struct APPKEY_CTX *ctx)
+{
+	memset(ctx, 0, sizeof(struct APPKEY_CTX));
+	dcrypto_appkey_init_flag_ = -1;
+}
+
+int DCRYPTO_appkey_derive(enum dcrypto_appid appid, const uint32_t input[8],
+			  uint32_t output[8])
+{
+	/* See README.md for while this is a passthrough. */
+	memcpy(output, input, SHA256_DIGEST_SIZE);
+	return 1;
+}
diff --git a/chip/host/dcrypto/sha256.c b/chip/host/dcrypto/sha256.c
new file mode 100644
index 0000000000..429588c8ac
--- /dev/null
+++ b/chip/host/dcrypto/sha256.c
@@ -0,0 +1,18 @@
+/* Copyright 2018 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "dcrypto.h"
+
+void DCRYPTO_SHA256_init(LITE_SHA256_CTX *ctx, uint32_t sw_required)
+{
+	SHA256_init(ctx);
+}
+
+const uint8_t *DCRYPTO_SHA256_hash(const void *data, uint32_t n,
+				uint8_t *digest)
+{
+	SHA256_hash(data, n, digest);
+	return digest;
+}