author | Vadim Sukhomlinov <sukhomlinov@google.com> | 2021-08-09 17:50:21 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2021-08-12 20:38:26 +0000 |
commit | 2a590e25e8cc41d324abf56894b032ceda028832 (patch) | |
tree | 906739ca85cbbd9197cec0189d2c6b7b1f1a14d8 /board/cr50/dcrypto/dcrypto_p256.c | |
parent | 7ddbd2a9eab0dc54897d6b5bb8ee1d4b3be1fe27 (diff) | |
cr50: drop cryptoc for p256 implementationstabilize-14151.B-cr50_stab
To implement FIPS module we need to bring many crypto functions in the
module boundary. Unfortunately, cryptoc is a third-party library used
by dcrypto code in cr50. Cryptoc is also not well-maintained and shared
with other projects. While simply making a local copy of cryptoc would
solve the issue, it is suboptimal as it prevents many optimizations and
improvements.
Removed redundant functions (dcrypto_p256_pick and dcrypto_p256_rnd).
Another improvement is separation of platform independent code in p256.c
to support better host-side unit tests. For this purpose added fast
random number generator using LFSR to replace use of TRNG for blinding
and wiping secrets where security strength is not required.
BUG=b:138578318
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
in console: dcrypto_ecdsa
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I9bfd13b8006ddca55508635962be4502a56532b5
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3087833
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'board/cr50/dcrypto/dcrypto_p256.c')
-rw-r--r-- | board/cr50/dcrypto/dcrypto_p256.c | 65 |
1 files changed, 6 insertions, 59 deletions
diff --git a/board/cr50/dcrypto/dcrypto_p256.c b/board/cr50/dcrypto/dcrypto_p256.c index 4de8d22f9a..cdea597733 100644 --- a/board/cr50/dcrypto/dcrypto_p256.c +++ b/board/cr50/dcrypto/dcrypto_p256.c @@ -752,19 +752,6 @@ struct DMEM_ecc { #define DMEM_OFFSET(p) (offsetof(struct DMEM_ecc, p)) #define DMEM_INDEX(p) (DMEM_OFFSET(p) / DMEM_CELL_SIZE) -/* p256 elliptic curve characteristics */ -static const p256_int SECP256r1_nMin1 = { - { - 0xfc632551 - 1, - 0xf3b9cac2, - 0xa7179e84, - 0xbce6faad, - -1, - -1, - 0, - -1, - }, -}; /* * Read-only pointer to read-only DMEM_ecc struct, use cp*w() @@ -839,47 +826,26 @@ static void dcrypto_ecc_init(void) CP1W(d, 0, 8); } -/* Return -1 if a < b */ -static int p256_lt(const p256_int *a, const p256_int *b) -{ - p256_sddigit borrow = 0; - - for (int i = 0; i < P256_NDIGITS; ++i) { - volatile uint32_t blinder = rand(); - - borrow += ((p256_sddigit)P256_DIGIT(a, i) - blinder); - borrow -= P256_DIGIT(b, i); - borrow += blinder; - borrow >>= P256_BITSPERDIGIT; - } - return (int)borrow; -} - int dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg, const p256_int *key, const p256_int *message, p256_int *r, p256_int *s) { int i, result; - p256_int rnd, k; + p256_int k; dcrypto_init_and_lock(); dcrypto_ecc_init(); result = dcrypto_call(CF_p256init_adr); /* Pick uniform 0 < k < R */ - do { - hmac_drbg_generate_p256(drbg, &rnd); - } while (p256_cmp(&SECP256r1_nMin2, &rnd) < 0); + result |= (p256_hmac_drbg_generate(drbg, &k) != HMAC_DRBG_SUCCESS); drbg_exit(drbg); - p256_add_d(&rnd, 1, &k); - CP8W(k, &k); for (i = 0; i < 8; ++i) - CP1W(rnd, i, rand()); + CP1W(rnd, i, fast_random()); - /* Wipe temp rnd,k */ - rnd = dmem_ecc->rnd; + /* Wipe temp k */ k = dmem_ecc->rnd; CP8W(msg, message); @@ -891,8 +857,8 @@ int dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg, const p256_int *key, *s = dmem_ecc->s; /* Wipe d,k */ - CP8W(d, &rnd); - CP8W(k, &rnd); + CP8W(d, &k); + CP8W(k, &k); dcrypto_unlock(); return result == 0; 
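Review bot: The kept comment `/* Pick uniform 0 < k < R */` in dcrypto_p256_ecdsa_sign no longer describes the code beneath it: the rejection loop against SECP256r1_nMin2 and the `p256_add_d(&rnd, 1, &k)` that together kept k inside [1, n-1] are removed, so that guarantee now rests entirely on p256_hmac_drbg_generate, which is not in this file. Because a zero, out-of-range or biased ECDSA nonce exposes the private key, I would state the reliance where a future reader will see it, e.g. `/* Pick uniform 0 < k < n; p256_hmac_drbg_generate is responsible for rejection sampling into range. */`. A second point is that a DRBG failure is only ORed into result (`result |= (p256_hmac_drbg_generate(drbg, &k) != HMAC_DRBG_SUCCESS);`) and the hunk then proceeds to load whatever k holds into DMEM and run the signing sequence. Since `*s = dmem_ecc->s;` in the @@ -891 hunk is unconditional, a caller that ignores the boolean return receives a signature made with an undefined nonce, so consider skipping the hardware call, or zeroing *r and *s, when the generate call fails. The function's body continues past the end of this hunk.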
@@ -997,22 +963,3 @@ int dcrypto_p256_is_valid_point(const p256_int *x, const p256_int *y) dcrypto_unlock(); return result == 0; } - -int dcrypto_p256_pick(struct drbg_ctx *drbg, p256_int *output) -{ - int result = 0; - - /* make sure to return stirred output even if drbg fails */ - dcrypto_p256_rnd(output); - - do { - result = hmac_drbg_generate_p256(drbg, output); - } while ((result == 0) && (p256_lt(output, &SECP256r1_nMin1) >= 0)); - return result; -} - -void dcrypto_p256_rnd(p256_int *output) -{ - for (int i = 0; i < 8; ++i) - output->a[i] = rand(); -} |