authorVadim Sukhomlinov <sukhomlinov@google.com>2021-09-23 19:20:26 -0700
committerCommit Bot <commit-bot@chromium.org>2021-09-24 21:29:22 +0000
commitcbb9463b26e3637b592e27e18eb93d73a5ceb6aa (patch)
treefa533b741477fa9ec6db791552cae1c07044d984
parent5235525f86bf5b28009afbfc37b459add0723762 (diff)
downloadchrome-ec-cbb9463b26e3637b592e27e18eb93d73a5ceb6aa.tar.gz
cr50: switch HMAC_DRBG to use enum dcrypto_result
Make HMAC_DRBG return codes consistent with other functions. BUG=b:197893750 TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py in ccd: u2f_test, dcrypto_ecdsa, rma_auth Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I9c673a45a250bef32c096f8d8be3152756a64cb7 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3180482 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r--board/cr50/dcrypto/dcrypto_p256.c9
-rw-r--r--board/cr50/dcrypto/dcrypto_runtime.c2
-rw-r--r--board/cr50/dcrypto/fips.c16
-rw-r--r--board/cr50/dcrypto/fips_rand.c29
-rw-r--r--board/cr50/dcrypto/hmac_drbg.c10
-rw-r--r--board/cr50/dcrypto/internal.h44
-rw-r--r--board/cr50/dcrypto/p256.c6
-rw-r--r--board/cr50/dcrypto/p256_ec.c9
8 files changed, 57 insertions, 68 deletions
diff --git a/board/cr50/dcrypto/dcrypto_p256.c b/board/cr50/dcrypto/dcrypto_p256.c
index bb9aff456c..858d0ce53c 100644
--- a/board/cr50/dcrypto/dcrypto_p256.c
+++ b/board/cr50/dcrypto/dcrypto_p256.c
@@ -139,19 +139,18 @@ enum dcrypto_result dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg,
const p256_int *message,
p256_int *r, p256_int *s)
{
- int result;
+ enum dcrypto_result result;
p256_int nonce;
/* Pick uniform 0 < k < R */
- result = (p256_hmac_drbg_generate(drbg, &nonce) != HMAC_DRBG_SUCCESS);
+ result = p256_hmac_drbg_generate(drbg, &nonce);
- result |= dcrypto_p256_ecdsa_sign_raw(&nonce, key, message, r, s) -
- DCRYPTO_OK;
+ result |= dcrypto_p256_ecdsa_sign_raw(&nonce, key, message, r, s);
/* Wipe temp nonce */
p256_clear(&nonce);
- return dcrypto_ok_if_zero(result);
+ return dcrypto_ok_if_zero(result - DCRYPTO_OK);
}
enum dcrypto_result dcrypto_p256_ecdsa_sign_raw(const p256_int *nonce,
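Review bot: Accumulating the two status codes with `result |= ...` and testing `result - DCRYPTO_OK` once at the end is sound only if no failure value of `enum dcrypto_result` has all its set bits inside `DCRYPTO_OK`; otherwise `DCRYPTO_OK | failure` still equals `DCRYPTO_OK` and a failed nonce generation or signing step is reported as success. The removed lines normalised each term to zero before OR-ing, which did not depend on how the enum is encoded. The enum values are not part of this diff, so either keep the per-call form, e.g. `result = p256_hmac_drbg_generate(drbg, &nonce) - DCRYPTO_OK;` and likewise for the sign_raw call, or state the encoding requirement in a comment next to the enum definition. The same pattern is introduced in `fips_hmac_drbg_generate_kat` (fips.c, where `DCRYPTO_equals` results are OR-ed in as well) and in `dcrypto_p256_fips_sign_internal` (p256_ec.c).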
diff --git a/board/cr50/dcrypto/dcrypto_runtime.c b/board/cr50/dcrypto/dcrypto_runtime.c
index 0c79d34310..b6dfac8a88 100644
--- a/board/cr50/dcrypto/dcrypto_runtime.c
+++ b/board/cr50/dcrypto/dcrypto_runtime.c
@@ -405,7 +405,7 @@ static enum dcrypto_result ecdsa_sign_go(p256_int *r, p256_int *s)
hmac_drbg_init(&drbg, r->a, sizeof(r->a), NULL, 0, NULL, 0);
/* pick a key */
- if (p256_hmac_drbg_generate(&drbg, &d) != HMAC_DRBG_SUCCESS) {
+ if (p256_hmac_drbg_generate(&drbg, &d) != DCRYPTO_OK) {
/* to be consistent with ecdsa_sign error return */
drbg_exit(&drbg);
return DCRYPTO_FAIL;
diff --git a/board/cr50/dcrypto/fips.c b/board/cr50/dcrypto/fips.c
index 391fee5657..d6c1912029 100644
--- a/board/cr50/dcrypto/fips.c
+++ b/board/cr50/dcrypto/fips.c
@@ -332,14 +332,13 @@ static bool fips_hmac_drbg_generate_kat(struct drbg_ctx *ctx)
0xf1, 0x32, 0xf6, 0x86, 0xb7, 0x60, 0xf0, 0x12
};
uint8_t buf[128];
- int passed;
+ enum dcrypto_result passed;
- passed = hmac_drbg_generate(ctx, buf, sizeof(buf), NULL, 0) -
- HMAC_DRBG_SUCCESS;
+ passed = hmac_drbg_generate(ctx, buf, sizeof(buf), NULL, 0);
/* Verify internal drbg state */
- passed |= DCRYPTO_equals(ctx->v, V2, sizeof(V2)) - DCRYPTO_OK;
- passed |= DCRYPTO_equals(ctx->k, K2, sizeof(K2)) - DCRYPTO_OK;
+ passed |= DCRYPTO_equals(ctx->v, V2, sizeof(V2));
+ passed |= DCRYPTO_equals(ctx->k, K2, sizeof(K2));
memcpy(buf, drbg_entropy2, sizeof(drbg_entropy2));
if (fips_break_cmd == FIPS_BREAK_HMAC_DRBG)
@@ -348,10 +347,9 @@ static bool fips_hmac_drbg_generate_kat(struct drbg_ctx *ctx)
hmac_drbg_reseed(ctx, buf, sizeof(drbg_entropy2), drbg_addtl_input2,
sizeof(drbg_addtl_input2), NULL, 0);
- passed |= hmac_drbg_generate(ctx, buf, sizeof(buf), NULL, 0) -
- HMAC_DRBG_SUCCESS;
- passed |= DCRYPTO_equals(buf, KA, sizeof(KA)) - DCRYPTO_OK;
- return passed == 0;
+ passed |= hmac_drbg_generate(ctx, buf, sizeof(buf), NULL, 0);
+ passed |= DCRYPTO_equals(buf, KA, sizeof(KA));
+ return passed == DCRYPTO_OK;
}
/* Known-answer test for HMAC_DRBG SHA256. */
diff --git a/board/cr50/dcrypto/fips_rand.c b/board/cr50/dcrypto/fips_rand.c
index f50d6300fc..fe352a1f1a 100644
--- a/board/cr50/dcrypto/fips_rand.c
+++ b/board/cr50/dcrypto/fips_rand.c
@@ -306,17 +306,17 @@ static bool fips_drbg_reseed_with_entropy(struct drbg_ctx *ctx)
return true;
}
-enum hmac_result fips_hmac_drbg_generate_reseed(struct drbg_ctx *ctx, void *out,
- size_t out_len,
- const void *input,
- size_t input_len)
+enum dcrypto_result fips_hmac_drbg_generate_reseed(struct drbg_ctx *ctx,
+ void *out, size_t out_len,
+ const void *input,
+ size_t input_len)
{
- enum hmac_result err =
+ enum dcrypto_result err =
hmac_drbg_generate(ctx, out, out_len, input, input_len);
- while (err == HMAC_DRBG_RESEED_REQUIRED) {
+ while (err == DCRYPTO_RESEED_NEEDED) {
if (!fips_drbg_reseed_with_entropy(ctx))
- return HMAC_DRBG_RESEED_REQUIRED;
+ return DCRYPTO_FAIL;
err = hmac_drbg_generate(ctx, out, out_len, input, input_len);
}
return err;
@@ -338,8 +338,7 @@ bool fips_rand_bytes(void *buffer, size_t len)
size_t request = (len > (7500 / 8)) ? (7500 / 8) : len;
if (fips_hmac_drbg_generate_reseed(&fips_drbg, buffer, request,
- NULL,
- 0) != HMAC_DRBG_SUCCESS)
+ NULL, 0) != DCRYPTO_OK)
return false;
len -= request;
buffer += request;
@@ -347,18 +346,18 @@ bool fips_rand_bytes(void *buffer, size_t len)
return true;
}
-enum hmac_result fips_p256_hmac_drbg_generate(struct drbg_ctx *drbg,
- p256_int *out)
+enum dcrypto_result fips_p256_hmac_drbg_generate(struct drbg_ctx *drbg,
+ p256_int *out)
{
- enum hmac_result err;
+ enum dcrypto_result err;
if (!fips_crypto_allowed())
- return HMAC_DRBG_INVALID_PARAM;
+ return DCRYPTO_FAIL;
err = p256_hmac_drbg_generate(drbg, out);
- while (err == HMAC_DRBG_RESEED_REQUIRED) {
+ while (err == DCRYPTO_RESEED_NEEDED) {
if (!fips_drbg_reseed_with_entropy(drbg))
- return HMAC_DRBG_RESEED_REQUIRED;
+ return DCRYPTO_FAIL;
err = p256_hmac_drbg_generate(drbg, out);
}
return err;
diff --git a/board/cr50/dcrypto/hmac_drbg.c b/board/cr50/dcrypto/hmac_drbg.c
index e3c7e68212..e39e7754bc 100644
--- a/board/cr50/dcrypto/hmac_drbg.c
+++ b/board/cr50/dcrypto/hmac_drbg.c
@@ -93,7 +93,7 @@ void hmac_drbg_reseed(struct drbg_ctx *ctx,
ctx->reseed_counter = 1;
}
-enum hmac_result hmac_drbg_generate(struct drbg_ctx *ctx,
+enum dcrypto_result hmac_drbg_generate(struct drbg_ctx *ctx,
void *out, size_t out_len,
const void *input, size_t input_len)
{
@@ -102,10 +102,10 @@ enum hmac_result hmac_drbg_generate(struct drbg_ctx *ctx,
* Reseed_interval = 10 000 requests.
*/
if (out_len > 7500 / 8)
- return HMAC_DRBG_INVALID_PARAM;
+ return DCRYPTO_FAIL;
if (ctx->reseed_counter++ >= 10000)
- return HMAC_DRBG_RESEED_REQUIRED;
+ return DCRYPTO_RESEED_NEEDED;
if (input_len)
update(ctx, input, input_len, NULL, 0, NULL, 0);
@@ -122,7 +122,7 @@ enum hmac_result hmac_drbg_generate(struct drbg_ctx *ctx,
update(ctx, input, input_len, NULL, 0, NULL, 0);
- return HMAC_DRBG_SUCCESS;
+ return DCRYPTO_OK;
}
void drbg_exit(struct drbg_ctx *ctx)
@@ -451,7 +451,7 @@ static enum vendor_cmd_rc drbg_test(enum vendor_cmd_cc code, void *buf,
return VENDOR_RC_BOGUS_ARGS;
if (hmac_drbg_generate(&drbg_ctx, output, p1_len, p0, p0_len) !=
- HMAC_DRBG_SUCCESS)
+ DCRYPTO_OK)
return VENDOR_RC_INTERNAL_ERROR;
memcpy(buf, output, p1_len);
diff --git a/board/cr50/dcrypto/internal.h b/board/cr50/dcrypto/internal.h
index 7e1ea40384..0967c50845 100644
--- a/board/cr50/dcrypto/internal.h
+++ b/board/cr50/dcrypto/internal.h
@@ -99,25 +99,18 @@ struct drbg_ctx {
/*
* NIST SP 800-90A HMAC DRBG.
*/
-enum hmac_result {
- HMAC_DRBG_SUCCESS = 0,
- HMAC_DRBG_INVALID_PARAM = 1,
- HMAC_DRBG_RESEED_REQUIRED = 2
-};
/* Standard initialization. */
-void hmac_drbg_init(struct drbg_ctx *ctx,
- const void *p0, size_t p0_len,
- const void *p1, size_t p1_len,
- const void *p2, size_t p2_len);
-
-void hmac_drbg_reseed(struct drbg_ctx *ctx,
- const void *p0, size_t p0_len,
- const void *p1, size_t p1_len,
- const void *p2, size_t p2_len);
-enum hmac_result hmac_drbg_generate(struct drbg_ctx *ctx, void *out,
- size_t out_len, const void *input,
- size_t input_len);
+void hmac_drbg_init(struct drbg_ctx *ctx, const void *p0, size_t p0_len,
+ const void *p1, size_t p1_len, const void *p2,
+ size_t p2_len);
+
+void hmac_drbg_reseed(struct drbg_ctx *ctx, const void *p0, size_t p0_len,
+ const void *p1, size_t p1_len, const void *p2,
+ size_t p2_len);
+enum dcrypto_result hmac_drbg_generate(struct drbg_ctx *ctx, void *out,
+ size_t out_len, const void *input,
+ size_t input_len);
void drbg_exit(struct drbg_ctx *ctx);
/**
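Review bot: The prototype of `hmac_drbg_generate` carries no comment listing its return codes, and with `enum hmac_result` deleted the header no longer shows which values a caller has to handle. As far as the hmac_drbg.c hunks show, a comment such as `/* Returns DCRYPTO_OK on success, DCRYPTO_FAIL if out_len > 7500 / 8, DCRYPTO_RESEED_NEEDED when the reseed counter reaches its limit. */` above the declaration would cover it. It is worth noting there that DCRYPTO_RESEED_NEEDED is recoverable by reseeding while DCRYPTO_FAIL is not, since callers that only compare against DCRYPTO_OK (for example `drbg_test`) treat both alike.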
@@ -162,19 +155,19 @@ extern struct drbg_ctx fips_drbg;
*
* @param drbg DRBG to use
* @param out output value
- * @return HMAC_DRBG_SUCCESS if out contains random.
+ * @return DCRYPTO_OK if out contains random.
*/
-enum hmac_result fips_p256_hmac_drbg_generate(struct drbg_ctx *drbg,
- p256_int *out);
+enum dcrypto_result fips_p256_hmac_drbg_generate(struct drbg_ctx *drbg,
+ p256_int *out);
/**
* wrapper around hmac_drbg_generate to automatically reseed drbg
* when needed.
*/
-enum hmac_result fips_hmac_drbg_generate_reseed(struct drbg_ctx *ctx, void *out,
- size_t out_len,
- const void *input,
- size_t input_len);
+enum dcrypto_result fips_hmac_drbg_generate_reseed(struct drbg_ctx *ctx,
+ void *out, size_t out_len,
+ const void *input,
+ size_t input_len);
/* Set seed for fast random number generator using LFSR. */
void set_fast_random_seed(uint32_t seed);
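Review bot: `@return DCRYPTO_OK if out contains random.` documents only the success case of `fips_p256_hmac_drbg_generate`, and the comment on `fips_hmac_drbg_generate_reseed` has no `@return` at all. The fips_rand.c hunks show both wrappers now returning DCRYPTO_FAIL when `fips_drbg_reseed_with_entropy()` fails (previously HMAC_DRBG_RESEED_REQUIRED), and the P-256 one also when `fips_crypto_allowed()` is false, in which case `out` is never written. I would put `@return DCRYPTO_OK if out contains random, DCRYPTO_FAIL otherwise (out must not be used).` on both declarations, so that callers do not expect DCRYPTO_RESEED_NEEDED from the wrappers.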
@@ -311,7 +304,8 @@ enum dcrypto_result dcrypto_p256_key_pwct(
void p256_fast_random(p256_int *rnd);
/* Generate a p256 number between 1 < k < |p256| using provided DRBG. */
-enum hmac_result p256_hmac_drbg_generate(struct drbg_ctx *ctx, p256_int *k_out);
+enum dcrypto_result p256_hmac_drbg_generate(struct drbg_ctx *ctx,
+ p256_int *k_out);
/**
* Sign using provided DRBG. Reseed DRBG with entropy from verified TRNG if
diff --git a/board/cr50/dcrypto/p256.c b/board/cr50/dcrypto/p256.c
index 52d65fbaae..dd21dac5e9 100644
--- a/board/cr50/dcrypto/p256.c
+++ b/board/cr50/dcrypto/p256.c
@@ -191,9 +191,9 @@ void p256_fast_random(p256_int *rnd)
}
/* B.5.2 Per-Message Secret Number Generation by Testing Candidates */
-enum hmac_result p256_hmac_drbg_generate(struct drbg_ctx *ctx, p256_int *rnd)
+enum dcrypto_result p256_hmac_drbg_generate(struct drbg_ctx *ctx, p256_int *rnd)
{
- enum hmac_result result;
+ enum dcrypto_result result;
/* Generate p256 candidates from DRBG until valid is found. */
do {
@@ -217,7 +217,7 @@ enum hmac_result p256_hmac_drbg_generate(struct drbg_ctx *ctx, p256_int *rnd)
* Key comes from DRBG, it is ensured to be in valid
* range for the P-256 curve.
*/
- } while ((result == HMAC_DRBG_SUCCESS) &&
+ } while ((result == DCRYPTO_OK) &&
(p256_lt_blinded(rnd, &SECP256r1_nMin2) >= 0));
p256_add_d(rnd, 1, rnd);
diff --git a/board/cr50/dcrypto/p256_ec.c b/board/cr50/dcrypto/p256_ec.c
index d9e87b699a..2f458080ce 100644
--- a/board/cr50/dcrypto/p256_ec.c
+++ b/board/cr50/dcrypto/p256_ec.c
@@ -68,19 +68,18 @@ enum dcrypto_result dcrypto_p256_fips_sign_internal(struct drbg_ctx *drbg,
const p256_int *message,
p256_int *r, p256_int *s)
{
- int result;
+ enum dcrypto_result result;
p256_int k;
/* Pick uniform 0 < k < R */
- result = fips_p256_hmac_drbg_generate(drbg, &k) - HMAC_DRBG_SUCCESS;
+ result = fips_p256_hmac_drbg_generate(drbg, &k);
- result |= dcrypto_p256_ecdsa_sign_raw(&k, key, message, r, s) -
- DCRYPTO_OK;
+ result |= dcrypto_p256_ecdsa_sign_raw(&k, key, message, r, s);
/* Wipe temp k */
p256_clear(&k);
- return dcrypto_ok_if_zero(result);
+ return dcrypto_ok_if_zero(result - DCRYPTO_OK);
}
enum dcrypto_result dcrypto_p256_key_pwct(struct drbg_ctx *drbg,
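Review bot: `k` is handed to `dcrypto_p256_ecdsa_sign_raw` even when `fips_p256_hmac_drbg_generate` has failed; on the `!fips_crypto_allowed()` path shown in fips_rand.c that function returns before writing `out`, so the signing step runs over indeterminate stack contents. The final status is still a failure, but whatever sign_raw stores in `r` and `s` (its body is outside this diff) would then come from a nonce the DRBG did not produce, which matters to any caller that does not check the return value. If the unconditional call is deliberate, initialise `k` at its declaration or clear `r` and `s` on the failure path; otherwise return early with `if (result != DCRYPTO_OK) { p256_clear(&k); return DCRYPTO_FAIL; }`. `dcrypto_p256_ecdsa_sign` in dcrypto_p256.c has the same shape.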