-rw-r--r--common/fpsensor/fpsensor_crypto.c58
-rw-r--r--include/fpsensor_crypto.h23
-rw-r--r--test/fpsensor.c113
3 files changed, 193 insertions, 1 deletions
diff --git a/common/fpsensor/fpsensor_crypto.c b/common/fpsensor/fpsensor_crypto.c
index d5bbd03c38..b7c5ea7260 100644
--- a/common/fpsensor/fpsensor_crypto.c
+++ b/common/fpsensor/fpsensor_crypto.c
@@ -2,6 +2,7 @@
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
+#include <stdbool.h>
#include "aes.h"
#include "aes-gcm.h"
@@ -10,7 +11,6 @@
#include "fpsensor_private.h"
#include "fpsensor_state.h"
#include "rollback.h"
-#include "sha256.h"
#if !defined(CONFIG_AES) || !defined(CONFIG_AES_GCM) || \
!defined(CONFIG_ROLLBACK_SECRET_SIZE)
@@ -83,6 +83,62 @@ static int hkdf_expand_one_step(uint8_t *out_key, size_t out_key_size,
return EC_SUCCESS;
}
+int hkdf_expand(uint8_t *out_key, size_t L, const uint8_t *prk,
+ size_t prk_size, const uint8_t *info, size_t info_size)
+{
+ /*
+ * "Expand" step of HKDF.
+ * https://tools.ietf.org/html/rfc5869#section-2.3
+ */
+#define HASH_LEN SHA256_DIGEST_SIZE
+ uint8_t count = 1;
+ const uint8_t *T = out_key;
+ size_t T_len = 0;
+ uint8_t T_buffer[HASH_LEN];
+ /* Number of blocks. */
+ const uint32_t N = DIV_ROUND_UP(L, HASH_LEN);
+ uint8_t info_buffer[HASH_LEN + HKDF_MAX_INFO_SIZE + sizeof(count)];
+ bool arguments_valid = false;
+
+ if (out_key == NULL || L == 0)
+ CPRINTS("HKDF expand: output buffer not valid.");
+ else if (prk == NULL)
+ CPRINTS("HKDF expand: prk is NULL.");
+ else if (info == NULL && info_size > 0)
+ CPRINTS("HKDF expand: info is NULL but info size is not zero.");
+ else if (info_size > HKDF_MAX_INFO_SIZE)
+ CPRINTF("HKDF expand: info size larger than %d bytes.\n",
+ HKDF_MAX_INFO_SIZE);
+ else if (N > HKDF_SHA256_MAX_BLOCK_COUNT)
+ CPRINTS("HKDF expand: output key size too large.");
+ else
+ arguments_valid = true;
+
+ if (!arguments_valid)
+ return EC_ERROR_INVAL;
+
+ while (L > 0) {
+ const size_t block_size = L < HASH_LEN ? L : HASH_LEN;
+
+ memcpy(info_buffer, T, T_len);
+ memcpy(info_buffer + T_len, info, info_size);
+ info_buffer[T_len + info_size] = count;
+ hmac_SHA256(T_buffer, prk, prk_size, info_buffer,
+ T_len + info_size + sizeof(count));
+ memcpy(out_key, T_buffer, block_size);
+
+ T += T_len;
+ T_len = HASH_LEN;
+ count++;
+ out_key += block_size;
+ L -= block_size;
+ }
+ always_memset(T_buffer, 0, sizeof(T_buffer));
+ always_memset(info_buffer, 0, sizeof(info_buffer));
+ return EC_SUCCESS;
+#undef HASH_LEN
+}
+
int derive_encryption_key(uint8_t *out_key, const uint8_t *salt)
{
int ret;
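Review bot: The output-length guard `else if (N > HKDF_SHA256_MAX_BLOCK_COUNT)` tests a derived value, `N = DIV_ROUND_UP(L, HASH_LEN)` stored in a `uint32_t`, instead of `L` itself. If DIV_ROUND_UP adds to `L` before dividing (its definition is not in this hunk), a length near SIZE_MAX can wrap to a small `N`, and where size_t is wider than 32 bits the assignment can truncate; in either case the check would pass and the loop would write past `out_key` while the 8-bit `count` wraps. Comparing the length directly avoids both, `else if (L > HKDF_SHA256_MAX_BLOCK_COUNT * HASH_LEN)`, after which `N` can be dropped. Separately, with `info == NULL` and `info_size == 0` the loop still calls `memcpy(info_buffer + T_len, info, info_size)`, which the C standard leaves undefined for a null source even at length zero; an `if (info_size > 0)` in front of that call covers it.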
diff --git a/include/fpsensor_crypto.h b/include/fpsensor_crypto.h
index ebda41bcb9..e01a38799d 100644
--- a/include/fpsensor_crypto.h
+++ b/include/fpsensor_crypto.h
@@ -8,6 +8,29 @@
#ifndef __CROS_EC_FPSENSOR_CRYPTO_H
#define __CROS_EC_FPSENSOR_CRYPTO_H
+#include <stddef.h>
+
+#include "sha256.h"
+
+#define HKDF_MAX_INFO_SIZE 128
+#define HKDF_SHA256_MAX_BLOCK_COUNT 255
+
+/**
+ * Expand hkdf pseudorandom key |prk| to length |out_key_size|.
+ *
+ * @param out_key the buffer to hold output key material.
+ * @param out_key_size length of output key in bytes. Must be less than
+ * or equal to HKDF_SHA256_MAX_BLOCK_COUNT * SHA256_DIGEST_SIZE bytes.
+ * @param prk pseudorandom key.
+ * @param prk_size length of |prk| in bytes.
+ * @param info optional context.
+ * @param info_size size of |info| in bytes, must be less than or equal to
+ * HKDF_MAX_INFO_SIZE bytes.
+ * @return EC_SUCCESS on success and error code otherwise.
+ */
+int hkdf_expand(uint8_t *out_key, size_t out_key_size, const uint8_t *prk,
+ size_t prk_size, const uint8_t *info, size_t info_size);
+
/**
* Derive hardware encryption key from rollback secret and |salt|.
*
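Review bot: The doc comment on `hkdf_expand` omits the conditions the implementation in fpsensor_crypto.c rejects, so a caller cannot tell from the header that `info` may be NULL only when `info_size` is 0, or that an `out_key_size` of 0 and a NULL `out_key` or `prk` are errors. I would extend two lines to `@param info optional context; may be NULL only if |info_size| is 0.` and `@return EC_SUCCESS on success, EC_ERROR_INVAL if any argument is invalid.` The prototype also uses `uint8_t` while the added includes are only `<stddef.h>` and `"sha256.h"`; unless that header is guaranteed to provide the fixed-width types, `#include <stdint.h>` belongs here as well. The comment block for derive_encryption_key that follows continues outside the hunk.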
diff --git a/test/fpsensor.c b/test/fpsensor.c
index 33998b6b00..ae23dd08fe 100644
--- a/test/fpsensor.c
+++ b/test/fpsensor.c
@@ -75,6 +75,118 @@ test_static int test_fp_enc_status_valid_flags(void)
return EC_RES_SUCCESS;
}
+static int test_hkdf_expand_raw(const uint8_t *prk, size_t prk_size,
+ const uint8_t *info, size_t info_size,
+ const uint8_t *expected_okm, size_t okm_size)
+{
+ uint8_t actual_okm[okm_size];
+
+ TEST_ASSERT(hkdf_expand(actual_okm, okm_size, prk, prk_size,
+ info, info_size) == EC_SUCCESS);
+ TEST_ASSERT_ARRAY_EQ(expected_okm, actual_okm, okm_size);
+ return EC_SUCCESS;
+}
+
+test_static int test_hkdf_expand(void)
+{
+ /* Test vectors in https://tools.ietf.org/html/rfc5869#appendix-A */
+ static const uint8_t prk1[] = {
+ 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
+ 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
+ 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
+ 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5,
+ };
+ static const uint8_t info1[] = {
+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+ 0xf8, 0xf9,
+ };
+ static const uint8_t expected_okm1[] = {
+ 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
+ 0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
+ 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
+ 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
+ 0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
+ 0x58, 0x65,
+ };
+ static const uint8_t prk2[] = {
+ 0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a,
+ 0x06, 0x10, 0x4c, 0x9c, 0xeb, 0x35, 0xb4, 0x5c,
+ 0xef, 0x76, 0x00, 0x14, 0x90, 0x46, 0x71, 0x01,
+ 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44,
+ };
+ static const uint8_t info2[] = {
+ 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
+ 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+ 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+ 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
+ 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+ 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+ 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+ 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+ 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff,
+ };
+ static const uint8_t expected_okm2[] = {
+ 0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1,
+ 0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34,
+ 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
+ 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c,
+ 0x59, 0x04, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72,
+ 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
+ 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8,
+ 0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71,
+ 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
+ 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f,
+ 0x1d, 0x87,
+ };
+ static const uint8_t prk3[] = {
+ 0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16,
+ 0x7f, 0x33, 0xa9, 0x1d, 0x6f, 0x64, 0x8b, 0xdf,
+ 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb, 0x63, 0x77,
+ 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04,
+ };
+ static const uint8_t expected_okm3[] = {
+ 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f,
+ 0x71, 0x5f, 0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31,
+ 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e,
+ 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d,
+ 0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a,
+ 0x96, 0xc8,
+ };
+ static uint8_t unused_output[SHA256_DIGEST_SIZE] = { 0 };
+
+ TEST_ASSERT(test_hkdf_expand_raw(prk1, sizeof(prk1), info1,
+ sizeof(info1), expected_okm1,
+ sizeof(expected_okm1))
+ == EC_SUCCESS);
+ TEST_ASSERT(test_hkdf_expand_raw(prk2, sizeof(prk2), info2,
+ sizeof(info2), expected_okm2,
+ sizeof(expected_okm2))
+ == EC_SUCCESS);
+ TEST_ASSERT(test_hkdf_expand_raw(prk3, sizeof(prk3), NULL, 0,
+ expected_okm3, sizeof(expected_okm3))
+ == EC_SUCCESS);
+
+ TEST_ASSERT(hkdf_expand(NULL, sizeof(unused_output), prk1,
+ sizeof(prk1), info1, sizeof(info1))
+ == EC_ERROR_INVAL);
+ TEST_ASSERT(hkdf_expand(unused_output, sizeof(unused_output),
+ NULL, sizeof(prk1), info1, sizeof(info1))
+ == EC_ERROR_INVAL);
+ TEST_ASSERT(hkdf_expand(unused_output, sizeof(unused_output),
+ prk1, sizeof(prk1), NULL, sizeof(info1))
+ == EC_ERROR_INVAL);
+ /* Info size too long. */
+ TEST_ASSERT(hkdf_expand(unused_output, sizeof(unused_output),
+ prk1, sizeof(prk1), info1, 1024)
+ == EC_ERROR_INVAL);
+ /* OKM size too big. */
+ TEST_ASSERT(hkdf_expand(unused_output, 256 * SHA256_DIGEST_SIZE,
+ prk1, sizeof(prk1), info1, sizeof(info1))
+ == EC_ERROR_INVAL);
+ return EC_SUCCESS;
+}
+
test_static int test_derive_encryption_key_failure_seed_not_set(void)
{
static uint8_t unused_key[SBP_ENC_KEY_LEN];
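Review bot: The negative cases in `test_hkdf_expand` do not cover a zero output length, which the function under test rejects, and the only oversize case is exactly 256 blocks. I would add `TEST_ASSERT(hkdf_expand(unused_output, 0, prk1, sizeof(prk1), info1, sizeof(info1)) == EC_ERROR_INVAL);` and a positive case at the largest accepted length, `HKDF_SHA256_MAX_BLOCK_COUNT * SHA256_DIGEST_SIZE`, so the 8-bit block counter is exercised at its limit. The three RFC 5869 vectors are 42 and 82 bytes long, so no positive case ends exactly on a digest boundary; a 32- or 64-byte prefix of an existing vector would check that path. test_derive_encryption_key_failure_seed_not_set continues outside the hunk.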
@@ -312,6 +424,7 @@ test_static int test_fp_set_sensor_mode(void)
void run_test(void)
{
+ RUN_TEST(test_hkdf_expand);
RUN_TEST(test_fp_enc_status_valid_flags);
RUN_TEST(test_fp_tpm_seed_not_set);
RUN_TEST(test_derive_encryption_key_failure_seed_not_set);