authorVadim Sukhomlinov <sukhomlinov@google.com>2021-07-30 08:40:32 -0700
committerCommit Bot <commit-bot@chromium.org>2021-08-12 14:18:48 +0000
commit7ddbd2a9eab0dc54897d6b5bb8ee1d4b3be1fe27 (patch)
tree43356bb71d38ea7f5ea1639855ac3b322d460176 /common/u2f.c
parent43f6e7be087720507e57cf27e9460aae64c3b69a (diff)
To implement the FIPS module we need to bring many crypto functions inside the module boundary. Unfortunately, cryptoc is a third-party library used by dcrypto code in cr50. Cryptoc is also not well-maintained and is shared with other projects. While just making a local copy of cryptoc would solve the issue, it's suboptimal as it prevents many optimizations and improvements. Provided SHA & HMAC implementations from the Ti50 project. This provides better performance (500us vs. 670us earlier for HMAC DRBG) and reduces code size. This implementation also enables stack use savings when only a specific digest is needed. Earlier, a SHA512 context was allocated even when only SHA256 was needed, greatly increasing stack consumption for code using HMAC_DRBG and others. However, it introduces subtle API changes which require handling. As for tests, since the core implementation is hardware-independent, make it available for BOARD=host too. Before change (with cryptoc): *** 12368 bytes in flash and 5784 bytes in RAM After: *** 13136 bytes in flash and 5796 bytes in RAM BUG=b:138578318 TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I2ff5362aee9078ce83dc1f8081943a5101d5f666 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3064201 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Diffstat (limited to 'common/u2f.c')
-rw-r--r--common/u2f.c54
1 files changed, 26 insertions, 28 deletions
diff --git a/common/u2f.c b/common/u2f.c
index 7a5b3e5945..c209be466e 100644
--- a/common/u2f.c
+++ b/common/u2f.c
@@ -8,10 +8,6 @@
#include "console.h"
#include "cryptoc/p256.h"
-#ifndef TEST_BUILD
-#include "cryptoc/sha256.h"
-#endif
-
#include "dcrypto.h"
#include "extension.h"
#include "system.h"
@@ -444,7 +440,7 @@ static enum vendor_cmd_rc u2f_attest(enum vendor_cmd_cc code, void *buf,
int verify_ret;
- struct HASH_CTX h_ctx;
+ struct sha256_ctx h_ctx;
struct drbg_ctx dr_ctx;
/* Data hash, and corresponding signature. */
@@ -471,9 +467,9 @@ static enum vendor_cmd_rc u2f_attest(enum vendor_cmd_cc code, void *buf,
return verify_ret;
/* Message signature */
- DCRYPTO_SHA256_init(&h_ctx, 0);
- HASH_update(&h_ctx, req->data, u2f_attest_format_size(req->format));
- p256_from_bin(HASH_final(&h_ctx), &h);
+ SHA256_hw_init(&h_ctx);
+ SHA256_update(&h_ctx, req->data, u2f_attest_format_size(req->format));
+ p256_from_bin(SHA256_final(&h_ctx)->b8, &h);
/* Derive G2F Attestation Key */
if (g2f_individual_keypair(&d, &pk_x, &pk_y)) {
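Review bot: The message-signature block starts the context with `SHA256_hw_init` but drives it with the un-suffixed `SHA256_update` and `SHA256_final`, whereas the HMAC hunks later in this file pair `HMAC_SHA256_hw_init` with `HMAC_SHA256_hw_final`. From the hunk alone a reader cannot tell whether the un-suffixed calls are valid on a hardware-initialised context or whether a `_hw` finaliser was intended here. If the mix is deliberate, a one-line comment above the init would record it, for example `/* hw init; update/final are the generic entry points */`, with the wording confirmed against the new API header. u2f_attest starts and ends outside this hunk.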
@@ -509,7 +505,7 @@ int u2f_origin_user_keyhandle(const uint8_t *origin, const uint8_t *user,
const uint8_t *origin_seed,
struct u2f_key_handle *key_handle)
{
- LITE_HMAC_CTX ctx;
+ struct hmac_sha256_ctx ctx;
struct u2f_state *state = get_state();
if (!state)
@@ -517,12 +513,13 @@ int u2f_origin_user_keyhandle(const uint8_t *origin, const uint8_t *user,
memcpy(key_handle->origin_seed, origin_seed, P256_NBYTES);
- DCRYPTO_HMAC_SHA256_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE);
- HASH_update(&ctx.hash, origin, P256_NBYTES);
- HASH_update(&ctx.hash, user, P256_NBYTES);
- HASH_update(&ctx.hash, origin_seed, P256_NBYTES);
+ HMAC_SHA256_hw_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE);
+ HMAC_SHA256_update(&ctx, origin, P256_NBYTES);
+ HMAC_SHA256_update(&ctx, user, P256_NBYTES);
+ HMAC_SHA256_update(&ctx, origin_seed, P256_NBYTES);
- memcpy(key_handle->hmac, DCRYPTO_HMAC_final(&ctx), SHA256_DIGEST_SIZE);
+ memcpy(key_handle->hmac, HMAC_SHA256_hw_final(&ctx),
+ SHA256_DIGEST_SIZE);
return EC_SUCCESS;
}
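Review bot: `ctx` is left uncleared on the stack after the `memcpy` of the tag, and as an HMAC context keyed with `state->salt_kek` it presumably still holds state derived from that key (the context layout is not visible here). Since this commit is groundwork for the FIPS module, I would clear it before `return EC_SUCCESS;` with whichever non-elidable wipe the tree provides, e.g. `<secure_wipe>(&ctx, sizeof(ctx));` where `<secure_wipe>` is a placeholder and not a name from this change; a plain `memset` right before the return may be optimised away. The clear has to come after the `memcpy` if the pointer returned by `HMAC_SHA256_hw_final` refers to storage inside `ctx`, which looks likely but is not shown. The same applies to `u2f_origin_user_versioned_keyhandle` and `u2f_authorization_hmac` in the following hunks; this function's opening lines are in the previous hunk.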
@@ -532,7 +529,7 @@ int u2f_origin_user_versioned_keyhandle(
uint8_t version,
struct u2f_versioned_key_handle_header *key_handle_header)
{
- LITE_HMAC_CTX ctx;
+ struct hmac_sha256_ctx ctx;
struct u2f_state *state = get_state();
if (!state)
@@ -541,13 +538,13 @@ int u2f_origin_user_versioned_keyhandle(
key_handle_header->version = version;
memcpy(key_handle_header->origin_seed, origin_seed, P256_NBYTES);
- DCRYPTO_HMAC_SHA256_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE);
- HASH_update(&ctx.hash, origin, P256_NBYTES);
- HASH_update(&ctx.hash, user, P256_NBYTES);
- HASH_update(&ctx.hash, origin_seed, P256_NBYTES);
- HASH_update(&ctx.hash, &version, sizeof(key_handle_header->version));
+ HMAC_SHA256_hw_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE);
+ HMAC_SHA256_update(&ctx, origin, P256_NBYTES);
+ HMAC_SHA256_update(&ctx, user, P256_NBYTES);
+ HMAC_SHA256_update(&ctx, origin_seed, P256_NBYTES);
+ HMAC_SHA256_update(&ctx, &version, sizeof(key_handle_header->version));
- memcpy(key_handle_header->kh_hmac, DCRYPTO_HMAC_final(&ctx),
+ memcpy(key_handle_header->kh_hmac, HMAC_SHA256_hw_final(&ctx),
SHA256_DIGEST_SIZE);
return EC_SUCCESS;
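Review bot: `HMAC_SHA256_update(&ctx, &version, sizeof(key_handle_header->version));` reads from the `uint8_t version` parameter but takes its length from the struct field, so pointer and length agree only while that field is also one byte. If the header field were ever widened, this call would read past the parameter and feed adjacent stack bytes into the MAC. Using `sizeof(version)`, or hashing `&key_handle_header->version` with the existing size, keeps pointer and length tied to the same object. The struct definition is not in this hunk, and the function begins above it and closes below it.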
@@ -557,19 +554,20 @@ int u2f_authorization_hmac(const uint8_t *authorization_salt,
const struct u2f_versioned_key_handle_header *header,
const uint8_t *auth_time_secret_hash, uint8_t *hmac)
{
- LITE_HMAC_CTX ctx;
+ struct hmac_sha256_ctx ctx;
struct u2f_state *state = get_state();
if (!state)
return EC_ERROR_UNKNOWN;
- DCRYPTO_HMAC_SHA256_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE);
- HASH_update(&ctx.hash, authorization_salt, U2F_AUTHORIZATION_SALT_SIZE);
- HASH_update(&ctx.hash, (uint8_t *)header,
- sizeof(struct u2f_versioned_key_handle_header));
- HASH_update(&ctx.hash, auth_time_secret_hash, SHA256_DIGEST_SIZE);
+ HMAC_SHA256_hw_init(&ctx, state->salt_kek, SHA256_DIGEST_SIZE);
+ HMAC_SHA256_update(&ctx, authorization_salt,
+ U2F_AUTHORIZATION_SALT_SIZE);
+ HMAC_SHA256_update(&ctx, (uint8_t *)header,
+ sizeof(struct u2f_versioned_key_handle_header));
+ HMAC_SHA256_update(&ctx, auth_time_secret_hash, SHA256_DIGEST_SIZE);
- memcpy(hmac, DCRYPTO_HMAC_final(&ctx), SHA256_DIGEST_SIZE);
+ memcpy(hmac, HMAC_SHA256_hw_final(&ctx), SHA256_DIGEST_SIZE);
return EC_SUCCESS;
}
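Review bot: `HMAC_SHA256_update(&ctx, (uint8_t *)header, sizeof(struct u2f_versioned_key_handle_header));` casts away the `const` on `header` and feeds the struct's raw in-memory bytes to the MAC. The other update calls in this file pass `const uint8_t *` arguments without a cast, so the cast looks unnecessary; `(const uint8_t *)header`, or no cast at all if the parameter is `const void *`, would keep the qualifier. Because the authorization tag covers `sizeof` the whole struct, any padding would become part of the authenticated input. The definition is not visible here, so a compile-time assertion on the expected size, or a comment that the struct is packed, would document that assumption.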