summaryrefslogtreecommitdiff
path: root/chip
diff options
context:
space:
mode:
authornagendra modadugu <ngm@google.com>2016-07-17 09:47:20 -0700
committerchrome-bot <chrome-bot@chromium.org>2016-07-21 17:32:25 -0700
commit64397fdd5b734b0ec6346e325893291a1f446291 (patch)
tree7b87fcd3db715a04d89ab3815ed1f8d55694e7c9 /chip
parentc2434ec5eb46b6c28fd22c8f10ae6dd43c48475d (diff)
downloadchrome-ec-64397fdd5b734b0ec6346e325893291a1f446291.tar.gz
CR50: when testing an RSA key, check that N % p == 0
TCG test CPCTPM_TC2_2_22_02_08 installs an RSA key for which p does not divide the modulus, and subsequently the test is expected to fail accordingly. This change adds the check necessary to pass this test -- a check that p divides N. Also removed dangling function declaration for bn_mul(). BRANCH=none BUG=chrome-os-partner:43025,chrome-os-partner:47524 BUG=chrome-os-partner:50115 TEST=TCG test CPCTPM_TC2_2_22_02_08 passes consistently Signed-off-by: nagendra modadugu <ngm@google.com> Reviewed-on: https://chromium-review.googlesource.com/360968 Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> Commit-Queue: Vadim Bendebury <vbendeb@chromium.org> (cherry picked from commit c4430ecac8f77a05ac4071679de1535e0da2779e) (cherry picked from commit 832d04b5b8cebf702d2ec00051615f827d2d16e1) Change-Id: If2ffc6260ae848d75e93263a37e84f0ed7d301a0 Reviewed-on: https://chromium-review.googlesource.com/362117 Commit-Ready: Vadim Bendebury <vbendeb@chromium.org> Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Diffstat (limited to 'chip')
-rw-r--r--chip/g/dcrypto/bn.c2
-rw-r--r--chip/g/dcrypto/internal.h3
-rw-r--r--chip/g/dcrypto/rsa.c5
3 files changed, 6 insertions, 4 deletions
diff --git a/chip/g/dcrypto/bn.c b/chip/g/dcrypto/bn.c
index 240694ba36..adea4e72e4 100644
--- a/chip/g/dcrypto/bn.c
+++ b/chip/g/dcrypto/bn.c
@@ -30,7 +30,7 @@ void DCRYPTO_bn_wrap(struct LITE_BIGNUM *b, void *buf, size_t len)
b->d = (struct access_helper *) buf;
}
-static int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b)
+int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b)
{
int i;
uint32_t top = 0;
diff --git a/chip/g/dcrypto/internal.h b/chip/g/dcrypto/internal.h
index 74fbf2be6e..7be2140ac4 100644
--- a/chip/g/dcrypto/internal.h
+++ b/chip/g/dcrypto/internal.h
@@ -70,6 +70,7 @@ void bn_init(struct LITE_BIGNUM *bn, void *buf, size_t len);
#define bn_size(b) ((b)->dmax * LITE_BN_BYTES)
#define bn_words(b) ((b)->dmax)
#define bn_bits(b) ((b)->dmax * LITE_BN_BITS2)
+int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b);
int bn_check_topbit(const struct LITE_BIGNUM *N);
void bn_mont_modexp(struct LITE_BIGNUM *output, const struct LITE_BIGNUM *input,
const struct LITE_BIGNUM *exp, const struct LITE_BIGNUM *N);
@@ -79,8 +80,6 @@ void bn_mont_modexp_asm(struct LITE_BIGNUM *output,
const struct LITE_BIGNUM *N);
uint32_t bn_add(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a);
uint32_t bn_sub(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a);
-void bn_mul(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a,
- const struct LITE_BIGNUM *b);
int bn_modinv_vartime(struct LITE_BIGNUM *r, const struct LITE_BIGNUM *e,
const struct LITE_BIGNUM *MOD);
int bn_is_bit_set(const struct LITE_BIGNUM *a, int n);
diff --git a/chip/g/dcrypto/rsa.c b/chip/g/dcrypto/rsa.c
index e9a02be9d2..359565d118 100644
--- a/chip/g/dcrypto/rsa.c
+++ b/chip/g/dcrypto/rsa.c
@@ -651,8 +651,11 @@ int DCRYPTO_rsa_key_compute(struct LITE_BIGNUM *N, struct LITE_BIGNUM *d,
bn_sub(&phi, &ONE);
if (!bn_modinv_vartime(&q_local, p, &phi))
return 0;
+ /* Check that p * q == N */
+ DCRYPTO_bn_mul(&phi, p, &q_local);
+ if (!bn_eq(N, &phi))
+ return 0;
q = &q_local;
- bn_add(&phi, &ONE);
} else {
DCRYPTO_bn_mul(N, p, q);
memcpy(phi_buf, N->d, bn_size(N));