author | nagendra modadugu <ngm@google.com> | 2016-07-17 09:47:20 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2016-07-21 17:32:25 -0700 |
commit | 64397fdd5b734b0ec6346e325893291a1f446291 (patch) | |
tree | 7b87fcd3db715a04d89ab3815ed1f8d55694e7c9 /chip | |
parent | c2434ec5eb46b6c28fd22c8f10ae6dd43c48475d (diff) | |
download | chrome-ec-64397fdd5b734b0ec6346e325893291a1f446291.tar.gz |
CR50: when testing an RSA key, check that N % p == 0
TCG test CPCTPM_TC2_2_22_02_08 installs an RSA key
for which p does not divide the modulus, and subsequently
the test is expected to fail accordingly.
This change adds the check necessary to pass this test --
a check that p divides N.
Also removed dangling function declaration for bn_mul().
BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
BUG=chrome-os-partner:50115
TEST=TCG test CPCTPM_TC2_2_22_02_08 passes consistently
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/360968
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
(cherry picked from commit c4430ecac8f77a05ac4071679de1535e0da2779e)
(cherry picked from commit 832d04b5b8cebf702d2ec00051615f827d2d16e1)
Change-Id: If2ffc6260ae848d75e93263a37e84f0ed7d301a0
Reviewed-on: https://chromium-review.googlesource.com/362117
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Diffstat (limited to 'chip')
-rw-r--r-- | chip/g/dcrypto/bn.c | 2 | ||||
-rw-r--r-- | chip/g/dcrypto/internal.h | 3 | ||||
-rw-r--r-- | chip/g/dcrypto/rsa.c | 5 |
3 files changed, 6 insertions, 4 deletions
diff --git a/chip/g/dcrypto/bn.c b/chip/g/dcrypto/bn.c index 240694ba36..adea4e72e4 100644 --- a/chip/g/dcrypto/bn.c +++ b/chip/g/dcrypto/bn.c @@ -30,7 +30,7 @@ void DCRYPTO_bn_wrap(struct LITE_BIGNUM *b, void *buf, size_t len) b->d = (struct access_helper *) buf; } -static int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b) +int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b) { int i; uint32_t top = 0; diff --git a/chip/g/dcrypto/internal.h b/chip/g/dcrypto/internal.h index 74fbf2be6e..7be2140ac4 100644 --- a/chip/g/dcrypto/internal.h +++ b/chip/g/dcrypto/internal.h @@ -70,6 +70,7 @@ void bn_init(struct LITE_BIGNUM *bn, void *buf, size_t len); #define bn_size(b) ((b)->dmax * LITE_BN_BYTES) #define bn_words(b) ((b)->dmax) #define bn_bits(b) ((b)->dmax * LITE_BN_BITS2) +int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b); int bn_check_topbit(const struct LITE_BIGNUM *N); void bn_mont_modexp(struct LITE_BIGNUM *output, const struct LITE_BIGNUM *input, const struct LITE_BIGNUM *exp, const struct LITE_BIGNUM *N); @@ -79,8 +80,6 @@ void bn_mont_modexp_asm(struct LITE_BIGNUM *output, const struct LITE_BIGNUM *N); uint32_t bn_add(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a); uint32_t bn_sub(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a); -void bn_mul(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a, - const struct LITE_BIGNUM *b); int bn_modinv_vartime(struct LITE_BIGNUM *r, const struct LITE_BIGNUM *e, const struct LITE_BIGNUM *MOD); int bn_is_bit_set(const struct LITE_BIGNUM *a, int n); diff --git a/chip/g/dcrypto/rsa.c b/chip/g/dcrypto/rsa.c index e9a02be9d2..359565d118 100644 --- a/chip/g/dcrypto/rsa.c +++ b/chip/g/dcrypto/rsa.c 
@@ -651,8 +651,11 @@ int DCRYPTO_rsa_key_compute(struct LITE_BIGNUM *N, struct LITE_BIGNUM *d,
 bn_sub(&phi, &ONE);
 if (!bn_modinv_vartime(&q_local, p, &phi))
 return 0;
+ /* Check that p * q == N */
+ DCRYPTO_bn_mul(&phi, p, &q_local);
+ if (!bn_eq(N, &phi))
+ return 0;
 q = &q_local;
- bn_add(&phi, &ONE);
 } else {
 DCRYPTO_bn_mul(N, p, q);
 memcpy(phi_buf, N->d, bn_size(N)); |
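Review bot: The new `DCRYPTO_bn_mul(&phi, p, &q_local)` reuses `phi` as scratch for the product, and dropping `bn_add(&phi, &ONE)` is only correct because `bn_eq(N, &phi)` has just established that `phi` equals N, yet nothing in the hunk says so. I would extend the comment to `/* Check that p * q == N; on success phi holds N again. */` so that a later edit which moves or relaxes the check does not leave `phi` at a wrong value for the code that follows. The check also appears to accept any pair whose product is N, so it is worth confirming that `p` is bounded to half the modulus width and that a degenerate cofactor such as q == 1 is rejected elsewhere. That part of DCRYPTO_rsa_key_compute is outside this hunk, as are the start and end of the function body.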