authorVadim Sukhomlinov <sukhomlinov@google.com>2021-08-09 17:50:21 -0700
committerCommit Bot <commit-bot@chromium.org>2021-08-12 20:38:26 +0000
commit2a590e25e8cc41d324abf56894b032ceda028832 (patch)
tree906739ca85cbbd9197cec0189d2c6b7b1f1a14d8 /board/cr50/dcrypto/dcrypto_p256.c
parent7ddbd2a9eab0dc54897d6b5bb8ee1d4b3be1fe27 (diff)
downloadchrome-ec-2a590e25e8cc41d324abf56894b032ceda028832.tar.gz
cr50: drop cryptoc for p256 implementationstabilize-14151.B-cr50_stab
To implement the FIPS module we need to bring many crypto functions inside the module boundary. Unfortunately, cryptoc is a third-party library used by dcrypto code in cr50. Cryptoc is also not well-maintained and is shared with other projects. While just making a local copy of cryptoc would solve the issue, it is suboptimal as it prevents many optimizations and improvements. Removed redundant functions (dcrypto_p256_pick and dcrypto_p256_rand). Another improvement is the separation of platform-independent code into p256.c to support better host-side unit tests. For this purpose, a fast random number generator using an LFSR was added to replace the use of the TRNG for blinding and wiping secrets where security strength is not required. BUG=b:138578318 TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py in console: dcrypto_ecdsa Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I9bfd13b8006ddca55508635962be4502a56532b5 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3087833 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'board/cr50/dcrypto/dcrypto_p256.c')
-rw-r--r--board/cr50/dcrypto/dcrypto_p256.c65
1 files changed, 6 insertions, 59 deletions
diff --git a/board/cr50/dcrypto/dcrypto_p256.c b/board/cr50/dcrypto/dcrypto_p256.c
index 4de8d22f9a..cdea597733 100644
--- a/board/cr50/dcrypto/dcrypto_p256.c
+++ b/board/cr50/dcrypto/dcrypto_p256.c
@@ -752,19 +752,6 @@ struct DMEM_ecc {
#define DMEM_OFFSET(p) (offsetof(struct DMEM_ecc, p))
#define DMEM_INDEX(p) (DMEM_OFFSET(p) / DMEM_CELL_SIZE)
-/* p256 elliptic curve characteristics */
-static const p256_int SECP256r1_nMin1 = {
- {
- 0xfc632551 - 1,
- 0xf3b9cac2,
- 0xa7179e84,
- 0xbce6faad,
- -1,
- -1,
- 0,
- -1,
- },
-};
/*
* Read-only pointer to read-only DMEM_ecc struct, use cp*w()
@@ -839,47 +826,26 @@ static void dcrypto_ecc_init(void)
CP1W(d, 0, 8);
}
-/* Return -1 if a < b */
-static int p256_lt(const p256_int *a, const p256_int *b)
-{
- p256_sddigit borrow = 0;
-
- for (int i = 0; i < P256_NDIGITS; ++i) {
- volatile uint32_t blinder = rand();
-
- borrow += ((p256_sddigit)P256_DIGIT(a, i) - blinder);
- borrow -= P256_DIGIT(b, i);
- borrow += blinder;
- borrow >>= P256_BITSPERDIGIT;
- }
- return (int)borrow;
-}
-
int dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg, const p256_int *key,
const p256_int *message, p256_int *r, p256_int *s)
{
int i, result;
- p256_int rnd, k;
+ p256_int k;
dcrypto_init_and_lock();
dcrypto_ecc_init();
result = dcrypto_call(CF_p256init_adr);
/* Pick uniform 0 < k < R */
- do {
- hmac_drbg_generate_p256(drbg, &rnd);
- } while (p256_cmp(&SECP256r1_nMin2, &rnd) < 0);
+ result |= (p256_hmac_drbg_generate(drbg, &k) != HMAC_DRBG_SUCCESS);
drbg_exit(drbg);
- p256_add_d(&rnd, 1, &k);
-
CP8W(k, &k);
for (i = 0; i < 8; ++i)
- CP1W(rnd, i, rand());
+ CP1W(rnd, i, fast_random());
- /* Wipe temp rnd,k */
- rnd = dmem_ecc->rnd;
+ /* Wipe temp k */
k = dmem_ecc->rnd;
CP8W(msg, message);
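Review bot: When `p256_hmac_drbg_generate` fails on the new line `result |= (p256_hmac_drbg_generate(drbg, &k) != HMAC_DRBG_SUCCESS);`, execution still continues and `CP8W(k, &k)` copies `k` — declared without an initializer as `p256_int k;` — into DMEM, so the accelerator runs the signing flow on an indeterminate nonce before the failure is reported via `return result == 0` later in the function. The caller does learn of the failure, but reading the uninitialized `k` is undefined behaviour and the DMEM work is wasted; a guard such as `if (result) { drbg_exit(drbg); dcrypto_unlock(); return 0; }` placed before the DMEM writes, or at minimum `p256_int k = { { 0 } };`, would avoid it, assuming drbg_exit and dcrypto_unlock are safe to call at that point. The surviving comment `/* Pick uniform 0 < k < R */` now depends on `p256_hmac_drbg_generate` performing the rejection sampling the removed do/while loop did; if that is its contract, say so, e.g. `/* p256_hmac_drbg_generate yields k uniformly in [1, n-1] */`. The blinding words written to `rnd` are now produced by `fast_random()`, which the commit message describes as an LFSR; a one-line comment stating that `rnd` is blinding/wipe material only and not secret-strength randomness would keep future readers from mistaking it for nonce generation. dcrypto_p256_ecdsa_sign continues past the end of this hunk.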
@@ -891,8 +857,8 @@ int dcrypto_p256_ecdsa_sign(struct drbg_ctx *drbg, const p256_int *key,
*s = dmem_ecc->s;
/* Wipe d,k */
- CP8W(d, &rnd);
- CP8W(k, &rnd);
+ CP8W(d, &k);
+ CP8W(k, &k);
dcrypto_unlock();
return result == 0;
@@ -997,22 +963,3 @@ int dcrypto_p256_is_valid_point(const p256_int *x, const p256_int *y)
dcrypto_unlock();
return result == 0;
}
-
-int dcrypto_p256_pick(struct drbg_ctx *drbg, p256_int *output)
-{
- int result = 0;
-
- /* make sure to return stirred output even if drbg fails */
- dcrypto_p256_rnd(output);
-
- do {
- result = hmac_drbg_generate_p256(drbg, output);
- } while ((result == 0) && (p256_lt(output, &SECP256r1_nMin1) >= 0));
- return result;
-}
-
-void dcrypto_p256_rnd(p256_int *output)
-{
- for (int i = 0; i < 8; ++i)
- output->a[i] = rand();
-}