diff options
author | Yicheng Li <yichengli@chromium.org> | 2019-07-25 17:29:20 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-10-03 05:03:21 +0000 |
commit | 43e89bafd85ac2c101a2bc68d08d39a1cef19734 (patch) | |
tree | 68c98726b16ab38e8a40daf1d420889ff8582ed1 | |
parent | 8357a4fb160bda9a3c926c674492cb604421b7f1 (diff) | |
download | chrome-ec-43e89bafd85ac2c101a2bc68d08d39a1cef19734.tar.gz |
fpsensor: Add hkdf-expand implementation for arbitrary output size.
This can be used to replace hkdf_expand_one_step in more general cases
of HKDF. Also add unit tests for this.
BRANCH=nocturne
BUG=none
TEST=make -j buildall
Change-Id: Ie116b13ee33d171298eccabb8a37b59e702d0218
Signed-off-by: Yicheng Li <yichengli@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1719871
Reviewed-by: Nicolas Norvez <norvez@chromium.org>
-rw-r--r-- | common/fpsensor/fpsensor_crypto.c | 58 | ||||
-rw-r--r-- | include/fpsensor_crypto.h | 23 | ||||
-rw-r--r-- | test/fpsensor.c | 113 |
3 files changed, 193 insertions, 1 deletions
diff --git a/common/fpsensor/fpsensor_crypto.c b/common/fpsensor/fpsensor_crypto.c index d5bbd03c38..b7c5ea7260 100644 --- a/common/fpsensor/fpsensor_crypto.c +++ b/common/fpsensor/fpsensor_crypto.c @@ -2,6 +2,7 @@ * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. */ +#include <stdbool.h> #include "aes.h" #include "aes-gcm.h" @@ -10,7 +11,6 @@ #include "fpsensor_private.h" #include "fpsensor_state.h" #include "rollback.h" -#include "sha256.h" #if !defined(CONFIG_AES) || !defined(CONFIG_AES_GCM) || \ !defined(CONFIG_ROLLBACK_SECRET_SIZE) @@ -83,6 +83,62 @@ static int hkdf_expand_one_step(uint8_t *out_key, size_t out_key_size, return EC_SUCCESS; } +int hkdf_expand(uint8_t *out_key, size_t L, const uint8_t *prk, + size_t prk_size, const uint8_t *info, size_t info_size) +{ + /* + * "Expand" step of HKDF. + * https://tools.ietf.org/html/rfc5869#section-2.3 + */ +#define HASH_LEN SHA256_DIGEST_SIZE + uint8_t count = 1; + const uint8_t *T = out_key; + size_t T_len = 0; + uint8_t T_buffer[HASH_LEN]; + /* Number of blocks. */ + const uint32_t N = DIV_ROUND_UP(L, HASH_LEN); + uint8_t info_buffer[HASH_LEN + HKDF_MAX_INFO_SIZE + sizeof(count)]; + bool arguments_valid = false; + + if (out_key == NULL || L == 0) + CPRINTS("HKDF expand: output buffer not valid."); + else if (prk == NULL) + CPRINTS("HKDF expand: prk is NULL."); + else if (info == NULL && info_size > 0) + CPRINTS("HKDF expand: info is NULL but info size is not zero."); + else if (info_size > HKDF_MAX_INFO_SIZE) + CPRINTF("HKDF expand: info size larger than %d bytes.\n", + HKDF_MAX_INFO_SIZE); + else if (N > HKDF_SHA256_MAX_BLOCK_COUNT) + CPRINTS("HKDF expand: output key size too large."); + else + arguments_valid = true; + + if (!arguments_valid) + return EC_ERROR_INVAL; + + while (L > 0) { + const size_t block_size = L < HASH_LEN ? L : HASH_LEN; + + memcpy(info_buffer, T, T_len); + memcpy(info_buffer + T_len, info, info_size); + info_buffer[T_len + info_size] = count; + hmac_SHA256(T_buffer, prk, prk_size, info_buffer, + T_len + info_size + sizeof(count)); + memcpy(out_key, T_buffer, block_size); + + T += T_len; + T_len = HASH_LEN; + count++; + out_key += block_size; + L -= block_size; + } + always_memset(T_buffer, 0, sizeof(T_buffer)); + always_memset(info_buffer, 0, sizeof(info_buffer)); + return EC_SUCCESS; +#undef HASH_LEN +} + int derive_encryption_key(uint8_t *out_key, const uint8_t *salt) { int ret; diff --git a/include/fpsensor_crypto.h b/include/fpsensor_crypto.h index ebda41bcb9..e01a38799d 100644 --- a/include/fpsensor_crypto.h +++ b/include/fpsensor_crypto.h @@ -8,6 +8,29 @@ #ifndef __CROS_EC_FPSENSOR_CRYPTO_H #define __CROS_EC_FPSENSOR_CRYPTO_H +#include <stddef.h> + +#include "sha256.h" + +#define HKDF_MAX_INFO_SIZE 128 +#define HKDF_SHA256_MAX_BLOCK_COUNT 255 + +/** + * Expand hkdf pseudorandom key |prk| to length |out_key_size|. + * + * @param out_key the buffer to hold output key material. + * @param out_key_size length of output key in bytes. Must be less than + * or equal to HKDF_SHA256_MAX_BLOCK_COUNT * SHA256_DIGEST_SIZE bytes. + * @param prk pseudorandom key. + * @param prk_size length of |prk| in bytes. + * @param info optional context. + * @param info_size size of |info| in bytes, must be less than or equal to + * HKDF_MAX_INFO_SIZE bytes. + * @return EC_SUCCESS on success and error code otherwise. + */ +int hkdf_expand(uint8_t *out_key, size_t out_key_size, const uint8_t *prk, + size_t prk_size, const uint8_t *info, size_t info_size); + /** * Derive hardware encryption key from rollback secret and |salt|. * diff --git a/test/fpsensor.c b/test/fpsensor.c index 33998b6b00..ae23dd08fe 100644 --- a/test/fpsensor.c +++ b/test/fpsensor.c @@ -75,6 +75,118 @@ test_static int test_fp_enc_status_valid_flags(void) return EC_RES_SUCCESS; } +static int test_hkdf_expand_raw(const uint8_t *prk, size_t prk_size, + const uint8_t *info, size_t info_size, + const uint8_t *expected_okm, size_t okm_size) +{ + uint8_t actual_okm[okm_size]; + + TEST_ASSERT(hkdf_expand(actual_okm, okm_size, prk, prk_size, + info, info_size) == EC_SUCCESS); + TEST_ASSERT_ARRAY_EQ(expected_okm, actual_okm, okm_size); + return EC_SUCCESS; +} + +test_static int test_hkdf_expand(void) +{ + /* Test vectors in https://tools.ietf.org/html/rfc5869#appendix-A */ + static const uint8_t prk1[] = { + 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, + 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63, + 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31, + 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5, + }; + static const uint8_t info1[] = { + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, + }; + static const uint8_t expected_okm1[] = { + 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, + 0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a, + 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c, + 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, + 0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, + 0x58, 0x65, + }; + static const uint8_t prk2[] = { + 0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a, + 0x06, 0x10, 0x4c, 0x9c, 0xeb, 0x35, 0xb4, 0x5c, + 0xef, 0x76, 0x00, 0x14, 0x90, 0x46, 0x71, 0x01, + 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44, + }; + static const uint8_t info2[] = { + 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, + 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, + 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, + 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, + 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, + 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, + 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, + 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff, + }; + static const uint8_t expected_okm2[] = { + 0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1, + 0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34, + 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8, + 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c, + 0x59, 0x04, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72, + 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09, + 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8, + 0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71, + 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87, + 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, + 0x1d, 0x87, + }; + static const uint8_t prk3[] = { + 0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16, + 0x7f, 0x33, 0xa9, 0x1d, 0x6f, 0x64, 0x8b, 0xdf, + 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb, 0x63, 0x77, + 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04, + }; + static const uint8_t expected_okm3[] = { + 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, + 0x71, 0x5f, 0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31, + 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e, + 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, + 0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, + 0x96, 0xc8, + }; + static uint8_t unused_output[SHA256_DIGEST_SIZE] = { 0 }; + + TEST_ASSERT(test_hkdf_expand_raw(prk1, sizeof(prk1), info1, + sizeof(info1), expected_okm1, + sizeof(expected_okm1)) + == EC_SUCCESS); + TEST_ASSERT(test_hkdf_expand_raw(prk2, sizeof(prk2), info2, + sizeof(info2), expected_okm2, + sizeof(expected_okm2)) + == EC_SUCCESS); + TEST_ASSERT(test_hkdf_expand_raw(prk3, sizeof(prk3), NULL, 0, + expected_okm3, sizeof(expected_okm3)) + == EC_SUCCESS); + + TEST_ASSERT(hkdf_expand(NULL, sizeof(unused_output), prk1, + sizeof(prk1), info1, sizeof(info1)) + == EC_ERROR_INVAL); + TEST_ASSERT(hkdf_expand(unused_output, sizeof(unused_output), + NULL, sizeof(prk1), info1, sizeof(info1)) + == EC_ERROR_INVAL); + TEST_ASSERT(hkdf_expand(unused_output, sizeof(unused_output), + prk1, sizeof(prk1), NULL, sizeof(info1)) + == EC_ERROR_INVAL); + /* Info size too long. */ + TEST_ASSERT(hkdf_expand(unused_output, sizeof(unused_output), + prk1, sizeof(prk1), info1, 1024) + == EC_ERROR_INVAL); + /* OKM size too big. */ + TEST_ASSERT(hkdf_expand(unused_output, 256 * SHA256_DIGEST_SIZE, + prk1, sizeof(prk1), info1, sizeof(info1)) + == EC_ERROR_INVAL); + return EC_SUCCESS; +} + test_static int test_derive_encryption_key_failure_seed_not_set(void) { static uint8_t unused_key[SBP_ENC_KEY_LEN]; @@ -312,6 +424,7 @@ test_static int test_fp_set_sensor_mode(void) void run_test(void) { + RUN_TEST(test_hkdf_expand); RUN_TEST(test_fp_enc_status_valid_flags); RUN_TEST(test_fp_tpm_seed_not_set); RUN_TEST(test_derive_encryption_key_failure_seed_not_set); |