1 files changed, 445 insertions, 0 deletions
diff --git a/chip/g/dcrypto/dcrypto.h b/chip/g/dcrypto/dcrypto.h
new file mode 100644
index 0000000000..8cf1071090
--- /dev/null
+++ b/chip/g/dcrypto/dcrypto.h
@@ -0,0 +1,445 @@
+/* Copyright 2015 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+/*
+ * Crypto wrapper library for the g chip.
+ */
+#ifndef __EC_CHIP_G_DCRYPTO_DCRYPTO_H
+#define __EC_CHIP_G_DCRYPTO_DCRYPTO_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(TEST_FUZZ) || !defined(TEST_BUILD)
+
+#include "internal.h"
+
+#include "crypto_api.h"
+
+#include <stddef.h>
+
+#include "cryptoc/hmac.h"
+
+enum cipher_mode {
+	CIPHER_MODE_ECB = 0, /* NIST SP 800-38A */
+	CIPHER_MODE_CTR = 1, /* NIST SP 800-38A */
+	CIPHER_MODE_CBC = 2, /* NIST SP 800-38A */
+	CIPHER_MODE_GCM = 3  /* NIST SP 800-38D */
+};
+
+enum encrypt_mode {
+	DECRYPT_MODE = 0,
+	ENCRYPT_MODE = 1
+};
+
+enum hashing_mode {
+	HASH_SHA1 = 0,
+	HASH_SHA256 = 1,
+	HASH_SHA384 = 2,  /* Only supported for PKCS#1 signing */
+	HASH_SHA512 = 3,  /* Only supported for PKCS#1 signing */
+	HASH_NULL = 4  /* Only supported for PKCS#1 signing */
+};
+
+/*
+ * AES implementation, based on a hardware AES block.
+ * FIPS Publication 197, The Advanced Encryption Standard (AES)
+ */
+#define AES256_BLOCK_CIPHER_KEY_SIZE       32
+
+int DCRYPTO_aes_init(const uint8_t *key, uint32_t key_len, const uint8_t *iv,
+		enum cipher_mode c_mode, enum encrypt_mode e_mode);
+int DCRYPTO_aes_block(const uint8_t *in, uint8_t *out);
+
+void DCRYPTO_aes_write_iv(const uint8_t *iv);
+void DCRYPTO_aes_read_iv(uint8_t *iv);
+
+/* AES-CTR-128/192/256
+ * NIST Special Publication 800-38A
+ */
+int DCRYPTO_aes_ctr(uint8_t *out, const uint8_t *key, uint32_t key_bits,
+		const uint8_t *iv, const uint8_t *in, size_t in_len);
+
+/* AES-GCM-128/192/256
+ * NIST Special Publication 800-38D, IV is provided externally
+ * Caller should use IV length according to section 8.2 of SP 800-38D
+ * And choose appropriate IV construction method, constrain number
+ * of invocations according to section 8.3 of SP 800-38D
+ */
+struct GCM_CTX {
+	union {
+		uint32_t d[4];
+		uint8_t c[16];
+	} block, Ej0;
+
+	uint64_t aad_len;
+	uint64_t count;
+	size_t remainder;
+};
+
+/* Initialize the GCM context structure. */
+void DCRYPTO_gcm_init(struct GCM_CTX *ctx, uint32_t key_bits,
+		const uint8_t *key, const uint8_t *iv, size_t iv_len);
+/* Additional authentication data to include in the tag calculation. */
+void DCRYPTO_gcm_aad(struct GCM_CTX *ctx, const uint8_t *aad_data, size_t len);
+/* Encrypt & decrypt return the number of bytes written to out
+ * (always an integral multiple of 16), or -1 on error.  These functions
+ * may be called repeatedly with incremental data.
+ *
+ * NOTE: if in_len is not a integral multiple of 16, then out_len must
+ * be atleast in_len - (in_len % 16) + 16 bytes.
+ */
+int DCRYPTO_gcm_encrypt(struct GCM_CTX *ctx, uint8_t *out, size_t out_len,
+			const uint8_t *in, size_t in_len);
+int DCRYPTO_gcm_decrypt(struct GCM_CTX *ctx, uint8_t *out, size_t out_len,
+			const uint8_t *in, size_t in_len);
+/* Encrypt & decrypt a partial final block, if any.  These functions
+ * return the number of bytes written to out (<= 15), or -1 on error.
+ */
+int DCRYPTO_gcm_encrypt_final(struct GCM_CTX *ctx,
+			uint8_t *out, size_t out_len);
+int DCRYPTO_gcm_decrypt_final(struct GCM_CTX *ctx,
+			uint8_t *out, size_t out_len);
+/* Compute the tag over AAD + encrypt or decrypt data, and return the
+ * number of bytes written to tag.  Returns -1 on error.
+ */
+int DCRYPTO_gcm_tag(struct GCM_CTX *ctx, uint8_t *tag, size_t tag_len);
+/* Cleanup secrets. */
+void DCRYPTO_gcm_finish(struct GCM_CTX *ctx);
+
+/* AES-CMAC-128
+ * NIST Special Publication 800-38B, RFC 4493
+ * K: 128-bit key, M: message, len: number of bytes in M
+ * Writes 128-bit tag to T; returns 0 if an error is encountered and 1
+ * otherwise.
+ */
+int DCRYPTO_aes_cmac(const uint8_t *K, const uint8_t *M, const uint32_t len,
+		uint32_t T[4]);
+/* key: 128-bit key, M: message, len: number of bytes in M,
+ *    T: tag to be verified
+ * Returns 1 if the tag is correct and 0 otherwise.
+ */
+int DCRYPTO_aes_cmac_verify(const uint8_t *key, const uint8_t *M, const int len,
+		const uint32_t T[4]);
+
+/*
+ * SHA implementation.  This abstraction is backed by either a
+ * software or hardware implementation.
+ *
+ * There could be only a single hardware SHA context in progress. The init
+ * functions will try using the HW context, if available, unless 'sw_required'
+ * is TRUE, in which case there will be no attempt to use the hardware for
+ * this particular hashing session.
+ */
+void DCRYPTO_SHA1_init(SHA_CTX *ctx, uint32_t sw_required);
+/*  SHA256/384/512 FIPS 180-4
+ */
+void DCRYPTO_SHA256_init(LITE_SHA256_CTX *ctx, uint32_t sw_required);
+void DCRYPTO_SHA384_init(LITE_SHA384_CTX *ctx);
+void DCRYPTO_SHA512_init(LITE_SHA512_CTX *ctx);
+const uint8_t *DCRYPTO_SHA1_hash(const void *data, uint32_t n,
+				uint8_t *digest);
+const uint8_t *DCRYPTO_SHA256_hash(const void *data, uint32_t n,
+				   uint8_t *digest);
+const uint8_t *DCRYPTO_SHA384_hash(const void *data, uint32_t n,
+				   uint8_t *digest);
+const uint8_t *DCRYPTO_SHA512_hash(const void *data, uint32_t n,
+				   uint8_t *digest);
+/*
+ *  HMAC. FIPS 198-1
+ */
+void DCRYPTO_HMAC_SHA256_init(LITE_HMAC_CTX *ctx, const void *key,
+			unsigned int len);
+/* DCRYPTO HMAC-SHA256 final */
+const uint8_t *DCRYPTO_HMAC_final(LITE_HMAC_CTX *ctx);
+
+/*
+ * BIGNUM utility methods.
+ */
+void DCRYPTO_bn_wrap(struct LITE_BIGNUM *b, void *buf, size_t len);
+
+/*
+ *  RSA.
+ */
+
+/* Largest supported key size for signing / encryption: 2048-bits.
+ * Verification is a special case and supports 4096-bits (signing /
+ * decryption could also support 4k-RSA, but is disabled since support
+ * is not required, and enabling support would result in increased
+ * stack usage for all key sizes.)
+ */
+#define RSA_BYTES_2K    256
+#define RSA_BYTES_4K    512
+#define RSA_WORDS_2K    (RSA_BYTES_2K / sizeof(uint32_t))
+#define RSA_WORDS_4K    (RSA_BYTES_4K / sizeof(uint32_t))
+#ifndef RSA_MAX_BYTES
+#define RSA_MAX_BYTES   RSA_BYTES_2K
+#endif
+#define RSA_MAX_WORDS   (RSA_MAX_BYTES / sizeof(uint32_t))
+#define RSA_F4          65537
+
+struct RSA {
+	uint32_t e;
+	struct LITE_BIGNUM N;
+	struct LITE_BIGNUM d;
+};
+
+enum padding_mode {
+	PADDING_MODE_PKCS1 = 0,
+	PADDING_MODE_OAEP  = 1,
+	PADDING_MODE_PSS = 2,
+	/* USE OF NULL PADDING IS NOT RECOMMENDED.
+	 * SUPPORT EXISTS AS A REQUIREMENT FOR TPM2 OPERATION. */
+	PADDING_MODE_NULL  = 3
+};
+
+/* RSA support, FIPS PUB 186-4 *
+ * Calculate r = m ^ e mod N
+ */
+int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
+			const uint8_t *in, uint32_t in_len,
+			enum padding_mode padding, enum hashing_mode hashing,
+			const char *label);
+
+/* Calculate r = m ^ d mod N
+ * return 0 if error
+ */
+int DCRYPTO_rsa_decrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
+			const uint8_t *in, const uint32_t in_len,
+			enum padding_mode padding, enum hashing_mode hashing,
+			const char *label);
+
+/* Calculate r = m ^ d mod N
+ * return 0 if error
+ */
+int DCRYPTO_rsa_sign(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
+		const uint8_t *in, const uint32_t in_len,
+		enum padding_mode padding, enum hashing_mode hashing);
+
+/* Calculate r = m ^ e mod N
+ * return 0 if error
+ */
+int DCRYPTO_rsa_verify(const struct RSA *rsa, const uint8_t *digest,
+		uint32_t digest_len, const uint8_t *sig,
+		const uint32_t sig_len,	enum padding_mode padding,
+		enum hashing_mode hashing);
+
+/* Calculate n = p * q, d = e ^ -1 mod phi. */
+int DCRYPTO_rsa_key_compute(struct LITE_BIGNUM *N, struct LITE_BIGNUM *d,
+			struct LITE_BIGNUM *p, struct LITE_BIGNUM *q,
+			uint32_t e);
+
+/*
+ *  EC.
+ */
+
+/* DCRYPTO_p256_base_point_mul sets {out_x,out_y} = nG, where n is < the
+ * order of the group.
+ */
+int DCRYPTO_p256_base_point_mul(p256_int *out_x, p256_int *out_y,
+				const p256_int *n);
+
+/* DCRYPTO_p256_point_mul sets {out_x,out_y} = n*{in_x,in_y}, where n is <
+ * the order of the group.
+ */
+int DCRYPTO_p256_point_mul(p256_int *out_x, p256_int *out_y,
+			const p256_int *n, const p256_int *in_x,
+			const p256_int *in_y);
+/*
+ * Key selection based on FIPS-186-4, section B.4.2 (Key Pair
+ * Generation by Testing Candidates).
+ * Produce uniform private key from seed.
+ * If x or y is NULL, the public key part is not computed.
+ * Returns !0 on success.
+ */
+int DCRYPTO_p256_key_from_bytes(p256_int *x, p256_int *y, p256_int *d,
+				const uint8_t bytes[P256_NBYTES]);
+
+
+/* P256 based integration encryption (DH+AES128+SHA256).
+ * Not FIPS 140-2 compliant, not used other than for tests
+ * Authenticated data may be provided, where the first auth_data_len
+ * bytes of in will be authenticated but not encrypted. *
+ * Supports in-place encryption / decryption. *
+ * The output format is:
+ * 0x04 || PUBKEY || AUTH_DATA || AES128_CTR(PLAINTEXT) ||
+ *         HMAC_SHA256(AUTH_DATA || CIPHERTEXT)
+ */
+size_t DCRYPTO_ecies_encrypt(
+	void *out, size_t out_len, const void *in, size_t in_len,
+	size_t auth_data_len, const uint8_t *iv,
+	const p256_int *pub_x, const p256_int *pub_y,
+	const uint8_t *salt, size_t salt_len,
+	const uint8_t *info, size_t info_len);
+size_t DCRYPTO_ecies_decrypt(
+	void *out, size_t out_len, const void *in, size_t in_len,
+	size_t auth_data_len, const uint8_t *iv,
+	const p256_int *d,
+	const uint8_t *salt, size_t salt_len,
+	const uint8_t *info, size_t info_len);
+
+/*
+ * HKDF as per RFC 5869. Mentioned as conforming NIST SP 800-56C Rev.1
+ * [RFC 5869] specifies a version of the above extraction-then-expansion
+ * key-derivation procedure using HMAC for both the extraction and expansion
+ * steps.
+ */
+int DCRYPTO_hkdf(uint8_t *OKM, size_t OKM_len,
+		const uint8_t *salt, size_t salt_len,
+		const uint8_t *IKM, size_t IKM_len,
+		const uint8_t *info, size_t info_len);
+
+/*
+ *  BN.
+ */
+
+/* Apply Miller-Rabin test for prime candidate p.
+ * Returns 1 if test passed, 0 otherwise
+ */
+int DCRYPTO_bn_generate_prime(struct LITE_BIGNUM *p);
+void DCRYPTO_bn_wrap(struct LITE_BIGNUM *b, void *buf, size_t len);
+void DCRYPTO_bn_mul(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a,
+		const struct LITE_BIGNUM *b);
+int DCRYPTO_bn_div(struct LITE_BIGNUM *quotient, struct LITE_BIGNUM *remainder,
+		const struct LITE_BIGNUM *input,
+		const struct LITE_BIGNUM *divisor);
+
+/*
+ * ASN.1 DER
+ */
+size_t DCRYPTO_asn1_sigp(uint8_t *buf, const p256_int *r, const p256_int *s);
+size_t DCRYPTO_asn1_pubp(uint8_t *buf, const p256_int *x, const p256_int *y);
+
+/*
+ *  X509.
+ */
+/* DCRYPTO_x509_verify verifies that the provided X509 certificate was issued
+ * by the specified certifcate authority.
+ *
+ * cert is a pointer to a DER encoded X509 certificate, as specified
+ * in https://tools.ietf.org/html/rfc5280#section-4.1.  In ASN.1
+ * notation, the certificate has the following structure:
+ *
+ *   Certificate  ::=  SEQUENCE  {
+ *        tbsCertificate       TBSCertificate,
+ *        signatureAlgorithm   AlgorithmIdentifier,
+ *        signatureValue       BIT STRING  }
+ *
+ *   TBSCertificate  ::=  SEQUENCE  { }
+ *   AlgorithmIdentifier  ::=  SEQUENCE  { }
+ *
+ * where signatureValue = SIGN(HASH(tbsCertificate)), with SIGN and
+ * HASH specified by signatureAlgorithm.
+ * Accepts only certs with OID: sha256WithRSAEncryption:
+ * 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00
+ */
+int DCRYPTO_x509_verify(const uint8_t *cert, size_t len,
+			const struct RSA *ca_pub_key);
+
+/* Generate U2F Certificate and sign it
+ * Use ECDSA with NIST P-256 curve, and SHA2-256 digest
+ * @param d: key handle, used for NIST SP 800-90A HMAC DRBG
+ * @param pk_x, pk_y: public key
+ * @param serial: serial number for certificate
+ * @param name: certificate issuer and subject
+ * @param cert: output buffer for certificate
+ * @param n: max size of cert
+ */
+int DCRYPTO_x509_gen_u2f_cert_name(const p256_int *d, const p256_int *pk_x,
+				   const p256_int *pk_y, const p256_int *serial,
+				   const char *name, uint8_t *cert,
+				   const int n);
+
+/* Generate U2F Certificate with DCRYPTO_x509_gen_u2f_cert_name
+ * Providing certificate issuer as BOARD or U2F
+ * @param d: key handle, used for NIST SP 800-90A HMAC DRBG
+ * @param pk_x, pk_y: public key
+ * @param serial: serial number for certificate
+ * @param name: certificate issuer and subject
+ * @param cert: output buffer for certificate
+ * @param n: max size of cert
+ */
+int DCRYPTO_x509_gen_u2f_cert(const p256_int *d, const p256_int *pk_x,
+			const p256_int *pk_y, const p256_int *serial,
+			uint8_t *cert, const int n);
+
+/*
+ * Memory related functions.
+ */
+int DCRYPTO_equals(const void *a, const void *b, size_t len);
+
+/*
+ * Key-ladder and application key related functions.
+ */
+enum dcrypto_appid {
+	RESERVED = 0,
+	NVMEM = 1,
+	U2F_ATTEST = 2,
+	U2F_ORIGIN = 3,
+	U2F_WRAP = 4,
+	PERSO_AUTH = 5,
+	PINWEAVER = 6,
+	/* This enum value should not exceed 7. */
+};
+
+struct APPKEY_CTX {
+#ifdef TEST_FUZZ
+	uint8_t unused_for_cxx_compatibility;
+#endif
+};
+
+int DCRYPTO_ladder_compute_frk2(size_t major_fw_version, uint8_t *frk2);
+int DCRYPTO_ladder_random(void *output);
+void DCRYPTO_ladder_revoke(void);
+
+int DCRYPTO_appkey_init(enum dcrypto_appid id, struct APPKEY_CTX *ctx);
+void DCRYPTO_appkey_finish(struct APPKEY_CTX *ctx);
+int DCRYPTO_appkey_derive(enum dcrypto_appid appid, const uint32_t input[8],
+			  uint32_t output[8]);
+
+/* Number of bytes in the salt object. */
+#define DCRYPTO_CIPHER_SALT_SIZE 16
+BUILD_ASSERT(DCRYPTO_CIPHER_SALT_SIZE == CIPHER_SALT_SIZE);
+
+/*
+ * Encrypt/decrypt a flat blob.
+ *
+ * Encrypt or decrypt the input buffer, and write the correspondingly
+ * ciphered output to out.  The number of bytes produced is equal to
+ * the number of input bytes.  Note that the input and output pointers
+ * MUST be word-aligned.
+ *
+ * This API is expected to be applied to a single contiguous region.
+
+ * WARNING: A given salt/"in" pair MUST be unique, i.e. re-using a
+ * salt with a logically different input buffer is catastrophic.  An
+ * example of a suitable salt is one that is derived from "in", e.g. a
+ * digest of the input data.
+ *
+ * @param appid the application-id of the calling context.
+ * @param salt pointer to a unique value to be associated with this blob,
+ *	       used for derivation of the proper IV, the size of the value
+ *	       is as defined by DCRYPTO_CIPHER_SALT_SIZE above.
+ * @param out Destination pointer where to write plaintext / ciphertext.
+ * @param in  Source pointer where to read ciphertext / plaintext.
+ * @param len Number of bytes to read from in / write to out.
+ * @return non-zero on success, and zero otherwise.
+ */
+int DCRYPTO_app_cipher(enum dcrypto_appid appid, const void *salt,
+		void *out, const void *in, size_t len);
+
+#endif  /*  ^^^^^^^^^^^^^^^^^^^^^  !TEST_BUILD   */
+/*
+ * Query whether Key Ladder is enabled.
+ *
+ * @return 1 if Key Ladder is enabled, and 0 otherwise.
+ */
+int DCRYPTO_ladder_is_enabled(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif  /* ! __EC_CHIP_G_DCRYPTO_DCRYPTO_H */