diff options
author | Vadim Sukhomlinov <sukhomlinov@google.com> | 2021-07-30 08:40:32 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2021-08-12 14:18:48 +0000 |
commit | 7ddbd2a9eab0dc54897d6b5bb8ee1d4b3be1fe27 (patch) | |
tree | 43356bb71d38ea7f5ea1639855ac3b322d460176 /common | |
parent | 43f6e7be087720507e57cf27e9460aae64c3b69a (diff) | |
download | chrome-ec-7ddbd2a9eab0dc54897d6b5bb8ee1d4b3be1fe27.tar.gz |
cr50: drop cryptoc for SHA1/SHA2 supportstabilize-14150.882.B-cr50_stabstabilize-14150.881.B-cr50_stabstabilize-14150.74.B-cr50_stabstabilize-14150.734.B-cr50_stabstabilize-14150.64.B-cr50_stabstabilize-14150.43.B-cr50_stabstabilize-14150.376.B-cr50_stabrelease-R94-14150.B-cr50_stabrelease-R94-14150.49.B-cr50_stab
To implement FIPS module we need to bring many crypto functions in the
module boundary. Unfortunately, cryptoc is a third-party library used
by dcrypto code in cr50. Cryptoc is also not well-maintained and shared
with other projects. While just making local copy of cryptoc would
solve an issue, it's suboptimal as prevents from many optimizations and
improvements.
Provided SHA & HMAC implementations from Ti50 project. This provides
better performance (500us vs. 670us earlier for HMAC DRBG) and reduce
code size. This implementation also enables stack use savings when
only specific digest is needed. Earlier SHA512 context was allocated
when only SHA256 is needed greatly increasing stack consumption for
code using HMAC_DRBG and others.
However, it introduce subtle API changes which require handling.
As for tests, since core implementation is hardware-independent, make
it available for BOARD=host too.
Before change (with cryptoc):
*** 12368 bytes in flash and 5784 bytes in RAM
After:
*** 13136 bytes in flash and 5796 bytes in RAM
BUG=b:138578318
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I2ff5362aee9078ce83dc1f8081943a5101d5f666
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3064201
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'common')
-rw-r--r-- | common/ap_ro_integrity_check.c | 4 | ||||
-rw-r--r-- | common/ccd_config.c | 13 | ||||
-rw-r--r-- | common/pinweaver.c | 46 | ||||
-rw-r--r-- | common/rma_auth.c | 16 | ||||
-rw-r--r-- | common/u2f.c | 54 |
5 files changed, 67 insertions, 66 deletions
diff --git a/common/ap_ro_integrity_check.c b/common/ap_ro_integrity_check.c index f6592d1ca9..ea0456ad5a 100644 --- a/common/ap_ro_integrity_check.c +++ b/common/ap_ro_integrity_check.c @@ -12,11 +12,11 @@ #include "extension.h" #include "flash.h" #include "flash_info.h" -#include "cryptoc/sha256.h" #include "stddef.h" #include "stdint.h" #include "timer.h" #include "usb_spi.h" +#include "usb_spi_board.h" #define CPRINTS(format, args...) cprints(CC_SYSTEM, format, ##args) #define CPRINTF(format, args...) cprintf(CC_SYSTEM, format, ##args) @@ -269,7 +269,7 @@ static enum ap_ro_check_vc_errors ap_ro_check_unsupported(int add_flash_event) int validate_ap_ro(void) { uint32_t i; - HASH_CTX ctx; + struct sha256_ctx ctx; uint8_t digest[SHA256_DIGEST_SIZE]; int rv; diff --git a/common/ccd_config.c b/common/ccd_config.c index 3433766b7c..b3b12e12a7 100644 --- a/common/ccd_config.c +++ b/common/ccd_config.c @@ -9,7 +9,6 @@ #include "byteorder.h" #include "ccd_config.h" #include "console.h" -#include "cryptoc/sha256.h" #include "dcrypto.h" #include "extension.h" #include "hooks.h" @@ -239,17 +238,17 @@ static int raw_has_password(void) */ static void ccd_password_digest(uint8_t *digest, const char *password) { - HASH_CTX sha; + struct sha256_ctx sha; uint8_t *unique_id; int unique_id_len; unique_id_len = system_get_chip_unique_id(&unique_id); - DCRYPTO_SHA256_init(&sha, 0); - HASH_update(&sha, config.password_salt, sizeof(config.password_salt)); - HASH_update(&sha, unique_id, unique_id_len); - HASH_update(&sha, password, strlen(password)); - memcpy(digest, HASH_final(&sha), CCD_PASSWORD_DIGEST_SIZE); + SHA256_hw_init(&sha); + SHA256_update(&sha, config.password_salt, sizeof(config.password_salt)); + SHA256_update(&sha, unique_id, unique_id_len); + SHA256_update(&sha, password, strlen(password)); + memcpy(digest, SHA256_final(&sha)->b8, CCD_PASSWORD_DIGEST_SIZE); } /** diff --git a/common/pinweaver.c b/common/pinweaver.c index 2cc4118c7d..7cea0ca1b0 100644 --- a/common/pinweaver.c +++ b/common/pinweaver.c @@ -159,17 +159,19 @@ static int create_merkle_tree(struct bits_per_level_t bits_per_level, uint8_t temp_hash[PW_HASH_SIZE] = {}; uint8_t hx; uint16_t kx; - LITE_SHA256_CTX ctx; + struct sha256_ctx ctx; merkle_tree->bits_per_level = bits_per_level; merkle_tree->height = height; /* Initialize the root hash. */ for (hx = 0; hx < height.v; ++hx) { - DCRYPTO_SHA256_init(&ctx, 0); + SHA256_hw_init(&ctx); for (kx = 0; kx < fan_out; ++kx) - HASH_update(&ctx, temp_hash, PW_HASH_SIZE); - memcpy(temp_hash, HASH_final(&ctx), PW_HASH_SIZE); + HASH_update((union hash_ctx *)&ctx, temp_hash, + PW_HASH_SIZE); + memcpy(temp_hash, HASH_final((union hash_ctx *)&ctx), + PW_HASH_SIZE); } memcpy(merkle_tree->root, temp_hash, PW_HASH_SIZE); @@ -179,24 +181,25 @@ static int create_merkle_tree(struct bits_per_level_t bits_per_level, } /* Computes the HMAC for an encrypted leaf using the key in the merkle_tree. */ -static void compute_hmac( - const struct merkle_tree_t *merkle_tree, - const struct imported_leaf_data_t *imported_leaf_data, - uint8_t result[PW_HASH_SIZE]) +static void compute_hmac(const struct merkle_tree_t *merkle_tree, + const struct imported_leaf_data_t *imported_leaf_data, + uint8_t result[PW_HASH_SIZE]) { - LITE_HMAC_CTX hmac; + struct hmac_sha256_ctx hmac; - DCRYPTO_HMAC_SHA256_init(&hmac, merkle_tree->hmac_key, + HMAC_SHA256_hw_init(&hmac, merkle_tree->hmac_key, sizeof(merkle_tree->hmac_key)); - HASH_update(&hmac.hash, imported_leaf_data->head, + /* use HASH_update() vs. HMAC_update() due limits of dcrypto mock. */ + HASH_update((union hash_ctx *)&hmac.hash, imported_leaf_data->head, sizeof(*imported_leaf_data->head)); - HASH_update(&hmac.hash, imported_leaf_data->iv, + HASH_update((union hash_ctx *)&hmac.hash, imported_leaf_data->iv, sizeof(PW_WRAP_BLOCK_SIZE)); - HASH_update(&hmac.hash, imported_leaf_data->pub, + HASH_update((union hash_ctx *)&hmac.hash, imported_leaf_data->pub, imported_leaf_data->head->pub_len); - HASH_update(&hmac.hash, imported_leaf_data->cipher_text, + HASH_update((union hash_ctx *)&hmac.hash, + imported_leaf_data->cipher_text, imported_leaf_data->head->sec_len); - memcpy(result, DCRYPTO_HMAC_final(&hmac), PW_HASH_SIZE); + memcpy(result, HMAC_SHA256_hw_final(&hmac), PW_HASH_SIZE); } /* Computes the root hash for the specified path and child hash. */ @@ -1386,16 +1389,17 @@ void compute_hash(const uint8_t hashes[][PW_HASH_SIZE], uint16_t num_hashes, const uint8_t child_hash[PW_HASH_SIZE], uint8_t result[PW_HASH_SIZE]) { - LITE_SHA256_CTX ctx; + struct sha256_ctx ctx; - DCRYPTO_SHA256_init(&ctx, 0); + SHA256_hw_init(&ctx); if (location.v > 0) - HASH_update(&ctx, hashes[0], PW_HASH_SIZE * location.v); - HASH_update(&ctx, child_hash, PW_HASH_SIZE); + HASH_update((union hash_ctx *)&ctx, hashes[0], + PW_HASH_SIZE * location.v); + HASH_update((union hash_ctx *)&ctx, child_hash, PW_HASH_SIZE); if (location.v < num_hashes) - HASH_update(&ctx, hashes[location.v], + HASH_update((union hash_ctx *)&ctx, hashes[location.v], PW_HASH_SIZE * (num_hashes - location.v)); - memcpy(result, HASH_final(&ctx), PW_HASH_SIZE); + memcpy(result, HASH_final((union hash_ctx *)&ctx), PW_HASH_SIZE); } /* If a request from older protocol comes, this method should make it diff --git a/common/rma_auth.c b/common/rma_auth.c index 7a34396acd..09539c537b 100644 --- a/common/rma_auth.c +++ b/common/rma_auth.c @@ -80,11 +80,11 @@ static void get_hmac_sha256(void *hmac_out, const uint8_t *secret, size_t ch_size) { #ifdef USE_DCRYPTO - LITE_HMAC_CTX hmac; + struct hmac_sha256_ctx hmac; - DCRYPTO_HMAC_SHA256_init(&hmac, secret, secret_size); - HASH_update(&hmac.hash, ch_ptr, ch_size); - memcpy(hmac_out, DCRYPTO_HMAC_final(&hmac), 32); + HMAC_SHA256_hw_init(&hmac, secret, secret_size); + HMAC_SHA256_update(&hmac, ch_ptr, ch_size); + memcpy(hmac_out, HMAC_SHA256_hw_final(&hmac), 32); #else hmac_SHA256(hmac_out, secret, secret_size, ch_ptr, ch_size); #endif @@ -131,7 +131,7 @@ static void p256_get_pub_key_and_secret(uint8_t pub_key[P256_NBYTES], * until the genreated bublic key has the compliant Y coordinate. */ while (1) { - HASH_CTX sha; + struct sha256_ctx sha; if (DCRYPTO_p256_key_from_bytes(&pk_x, &pk_y, &d, buf)) { @@ -141,9 +141,9 @@ static void p256_get_pub_key_and_secret(uint8_t pub_key[P256_NBYTES], } /* Did not succeed, rehash the private key and try again. */ - DCRYPTO_SHA256_init(&sha, 0); - HASH_update(&sha, buf, sizeof(buf)); - memcpy(buf, HASH_final(&sha), sizeof(buf)); + SHA256_hw_init(&sha); + SHA256_update(&sha, buf, sizeof(buf)); + memcpy(buf, SHA256_final(&sha), sizeof(buf)); } /* X coordinate is passed to the server as the public key. */ diff --git a/common/u2f.c b/common/u2f.c index 7a5b3e5945..c209be466e 100644 --- a/common/u2f.c +++ b/common/u2f.c @@ -8,10 +8,6 @@ #include "console.h" #include "cryptoc/p256.h" -#ifndef TEST_BUILD -#include "cryptoc/sha256.h" -#endif - #include "dcrypto.h" #include "extension.h" #include "system.h" @@ -444,7 +440,7 @@ static enum vendor_cmd_rc u2f_attest(enum vendor_cmd_cc code, void *buf, int verify_ret; - struct HASH_CTX h_ctx; + struct sha256_ctx h_ctx; struct drbg_ctx dr_ctx; /* Data hash, and corresponding signature. */ @@ -471,9 +467,9 @@ static enum vendor_cmd_rc u2f_attest(enum vendor_cmd_cc code, void *buf, return verify_ret; /* Message signature */ - DCRYPTO_SHA256_init(&h_ctx, 0); - HASH_update(&h_ctx, req->data, u2f_attest_format_size(req->format)); - p256_from_bin(HASH_final(&h_ctx), &h); + SHA256_hw_init(&h_ctx); + SHA256_update(&h_ctx, req->data, u2f_attest_format_size(req->format)); + p256_from_bin(SHA256_final(&h_ctx)->b8, &h); /* Derive G2F Attestation Key */ if (g2f_individual_keypair(&d, &pk_x, &pk_y)) { @@ -509,7 +505,7 @@ int u2f_origin_user_keyhandle(const uint8_t *origin, const uint8_t *user, const uint8_t *origin_seed, struct u2f_key_handle *key_handle) { - LITE_HMAC_CTX ctx; + struct hmac_sha256_ctx ctx; struct u2f_state *state = get_state(); if (!state) @@ -517,12 +513,13 @@ int u2f_origin_user_keyhandle(const uint8_t *origin, const uint8_t *user, memcpy(key_handle->origin_seed, origin_seed, P256_NBYTES); - DCRYPTO_HMAC_SHA256_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE); - HASH_update(&ctx.hash, origin, P256_NBYTES); - HASH_update(&ctx.hash, user, P256_NBYTES); - HASH_update(&ctx.hash, origin_seed, P256_NBYTES); + HMAC_SHA256_hw_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE); + HMAC_SHA256_update(&ctx, origin, P256_NBYTES); + HMAC_SHA256_update(&ctx, user, P256_NBYTES); + HMAC_SHA256_update(&ctx, origin_seed, P256_NBYTES); - memcpy(key_handle->hmac, DCRYPTO_HMAC_final(&ctx), SHA256_DIGEST_SIZE); + memcpy(key_handle->hmac, HMAC_SHA256_hw_final(&ctx), + SHA256_DIGEST_SIZE); return EC_SUCCESS; } @@ -532,7 +529,7 @@ int u2f_origin_user_versioned_keyhandle( uint8_t version, struct u2f_versioned_key_handle_header *key_handle_header) { - LITE_HMAC_CTX ctx; + struct hmac_sha256_ctx ctx; struct u2f_state *state = get_state(); if (!state) @@ -541,13 +538,13 @@ int u2f_origin_user_versioned_keyhandle( key_handle_header->version = version; memcpy(key_handle_header->origin_seed, origin_seed, P256_NBYTES); - DCRYPTO_HMAC_SHA256_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE); - HASH_update(&ctx.hash, origin, P256_NBYTES); - HASH_update(&ctx.hash, user, P256_NBYTES); - HASH_update(&ctx.hash, origin_seed, P256_NBYTES); - HASH_update(&ctx.hash, &version, sizeof(key_handle_header->version)); + HMAC_SHA256_hw_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE); + HMAC_SHA256_update(&ctx, origin, P256_NBYTES); + HMAC_SHA256_update(&ctx, user, P256_NBYTES); + HMAC_SHA256_update(&ctx, origin_seed, P256_NBYTES); + HMAC_SHA256_update(&ctx, &version, sizeof(key_handle_header->version)); - memcpy(key_handle_header->kh_hmac, DCRYPTO_HMAC_final(&ctx), + memcpy(key_handle_header->kh_hmac, HMAC_SHA256_hw_final(&ctx), SHA256_DIGEST_SIZE); return EC_SUCCESS; @@ -557,19 +554,20 @@ int u2f_authorization_hmac(const uint8_t *authorization_salt, const struct u2f_versioned_key_handle_header *header, const uint8_t *auth_time_secret_hash, uint8_t *hmac) { - LITE_HMAC_CTX ctx; + struct hmac_sha256_ctx ctx; struct u2f_state *state = get_state(); if (!state) return EC_ERROR_UNKNOWN; - DCRYPTO_HMAC_SHA256_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE); - HASH_update(&ctx.hash, authorization_salt, U2F_AUTHORIZATION_SALT_SIZE); - HASH_update(&ctx.hash, (uint8_t *)header, - sizeof(struct u2f_versioned_key_handle_header)); - HASH_update(&ctx.hash, auth_time_secret_hash, SHA256_DIGEST_SIZE); + HMAC_SHA256_hw_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE); + HMAC_SHA256_update(&ctx, authorization_salt, + U2F_AUTHORIZATION_SALT_SIZE); + HMAC_SHA256_update(&ctx, (uint8_t *)header, + sizeof(struct u2f_versioned_key_handle_header)); + HMAC_SHA256_update(&ctx, auth_time_secret_hash, SHA256_DIGEST_SIZE); - memcpy(hmac, DCRYPTO_HMAC_final(&ctx), SHA256_DIGEST_SIZE); + memcpy(hmac, HMAC_SHA256_hw_final(&ctx), SHA256_DIGEST_SIZE); return EC_SUCCESS; } |