authorVadim Sukhomlinov <sukhomlinov@google.com>2021-09-24 16:21:56 -0700
committerCommit Bot <commit-bot@chromium.org>2021-09-28 02:05:01 +0000
commit9fbc265dbcf7a98c46a55c6eac7667e16117eaef (patch)
treeab0cc5c17bae957db128bdaded9b5e2881980008 /board/cr50/dcrypto/u2f.c
parent2d15ff2e3f9295f935f498d7f40fe64ee90fc950 (diff)
cr50: refactor HMAC_DRBG to simplify reseeding and initialization logicstabilize-14249.B-cr50_stab
1) Move DRBG initialization flag inside DRBG context to prevent use of DRBG which is not properly initialized. 2) Add configurable reseed threshold to cover both deterministic key gen and non-deterministic randoms. Simplify reseeding logic, remove similar code snippets. Also, can support NDRBG with reseed threshold equal to 0, which will result in reseeding each time. 3) Adjust parameter names to match NIST SP 800-90A specification. 4) Enforce checking result of hmac_drbg_generate(), update call sites to check for errors. 5) Reseeding in generate function consumes additional data as per NIST SP 800-90Ar1 9.3.1 BUG=b:138577416 TEST=make BOARD=cr50 CRYPTO_TEST=1 DRBG_TEST=1; test/tpm_test/tpm_test.py in ccd: hmac_drbg rand_perf Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I0e780b5c237d7fbc64e8b0e74d12559a1f40f84c Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3183397 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'board/cr50/dcrypto/u2f.c')
-rw-r--r--board/cr50/dcrypto/u2f.c31
1 files changed, 19 insertions, 12 deletions
diff --git a/board/cr50/dcrypto/u2f.c b/board/cr50/dcrypto/u2f.c
index 414a8fe41a..76be43285d 100644
--- a/board/cr50/dcrypto/u2f.c
+++ b/board/cr50/dcrypto/u2f.c
@@ -183,9 +183,11 @@ static enum ec_error_list u2f_origin_user_key_pair(
*/
hmac_drbg_init(&drbg, state->drbg_entropy,
state->drbg_entropy_size, dev_salt, P256_NBYTES,
- NULL, 0);
- hmac_drbg_generate(&drbg, key_seed, sizeof(key_seed),
- key_handle, key_handle_size);
+ NULL, 0, HMAC_DRBG_DO_NOT_AUTO_RESEED);
+ if (hmac_drbg_generate(&drbg, key_seed, sizeof(key_seed),
+ key_handle,
+ key_handle_size) != DCRYPTO_OK)
+ return EC_ERROR_HW_INTERNAL;
} else {
/**
* FIPS-compliant path.
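Review bot: The new early returns on `hmac_drbg_generate()` failure (`return EC_ERROR_HW_INTERNAL;` in both branches of u2f_origin_user_key_pair, and `return false;` inside the retry loop of g2f_individual_key_pair) leave the function before the `drbg_exit(&drbg)` call that this commit adds on the success path. Assuming drbg_exit() is what wipes the context, the DRBG state seeded from `state->drbg_entropy` and any partially written `key_seed` / `key_candidate` bytes stay on the stack on exactly the paths where something already went wrong. Clean up before returning, e.g. `drbg_exit(&drbg); return EC_ERROR_HW_INTERNAL;` inside braces (and `drbg_exit(&drbg); return false;` in the loop), or route failures through a single exit label so the wipe cannot be skipped. Both functions start and end outside the visible hunks, so whether the seed buffers are cleared later cannot be confirmed from here.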
@@ -198,15 +200,18 @@ static enum ec_error_list u2f_origin_user_key_pair(
*/
hmac_drbg_init(&drbg, state->drbg_entropy,
state->drbg_entropy_size, key_handle,
- key_handle_size, NULL, 0);
+ key_handle_size, NULL, 0,
+ HMAC_DRBG_DO_NOT_AUTO_RESEED);
/**
* Additional data = Device_ID (constant coming from HW).
*/
- hmac_drbg_generate(&drbg, key_seed, sizeof(key_seed), dev_salt,
- P256_NBYTES);
+ if (hmac_drbg_generate(&drbg, key_seed, sizeof(key_seed),
+ dev_salt, P256_NBYTES) != DCRYPTO_OK)
+ return EC_ERROR_HW_INTERNAL;
}
result = DCRYPTO_p256_key_from_bytes(pk_x, pk_y, d, key_seed);
+ drbg_exit(&drbg);
if (result == DCRYPTO_RETRY)
return EC_ERROR_TRY_AGAIN;
@@ -427,7 +432,7 @@ enum ec_error_list u2f_sign(const struct u2f_state *state,
DCRYPTO_OK) ?
EC_SUCCESS :
EC_ERROR_HW_INTERNAL;
-
+ drbg_exit(&ctx);
p256_clear(&origin_d);
p256_to_bin(&r, sig->sig_r);
@@ -485,19 +490,21 @@ static bool g2f_individual_key_pair(const struct u2f_state *state, p256_int *d,
*/
hmac_drbg_init(&drbg, state->drbg_entropy,
state->drbg_entropy_size, state->salt,
- sizeof(state->salt), NULL, 0);
+ sizeof(state->salt), NULL, 0,
+ HMAC_DRBG_DO_NOT_AUTO_RESEED);
do {
/**
* Additional data = constant coming from HW.
*/
- hmac_drbg_generate(&drbg, key_candidate,
- sizeof(key_candidate), buf.b32,
- sizeof(buf));
+ if (hmac_drbg_generate(&drbg, key_candidate,
+ sizeof(key_candidate), buf.b32,
+ sizeof(buf)) != DCRYPTO_OK)
+ return false;
result = DCRYPTO_p256_key_from_bytes(pk_x, pk_y, d,
key_candidate);
} while (result == DCRYPTO_RETRY);
-
+ drbg_exit(&drbg);
if (result != DCRYPTO_OK)
return false;
}