-rw-r--r-- | board/cr50/tpm2/rsa.c | 4 | ||||
-rw-r--r-- | chip/g/dcrypto/dcrypto.h | 7 | ||||
-rw-r--r-- | chip/g/dcrypto/rsa.c | 24 | ||||
-rw-r--r-- | test/tpm_test/rsa_test.py | 12 |
4 files changed, 42 insertions, 5 deletions
diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c
index 526dc25c95..6345b70309 100644
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -33,8 +33,10 @@ static int check_encrypt_params(TPM_ALG_ID padding_alg, TPM_ALG_ID hash_alg,
 /* Unsupported hash algorithm. */
 return 0;
 *padding = PADDING_MODE_OAEP;
+ } else if (padding_alg == TPM_ALG_NULL) {
+ *padding = PADDING_MODE_NULL;
 } else {
- return 0; /* NULL padding unsupported. */
+ return 0; /* Unsupported padding mode. */
 }
 return 1;
 }
diff --git a/chip/g/dcrypto/dcrypto.h b/chip/g/dcrypto/dcrypto.h
index 0856ec76c6..a412adee5a 100644
--- a/chip/g/dcrypto/dcrypto.h
+++ b/chip/g/dcrypto/dcrypto.h
@@ -94,12 +94,15 @@ struct RSA {
 enum padding_mode {
 PADDING_MODE_PKCS1 = 0,
 PADDING_MODE_OAEP = 1,
- PADDING_MODE_PSS = 2
+ PADDING_MODE_PSS = 2,
+ /* USE OF NULL PADDING IS NOT RECOMMENDED.
+ * SUPPORT EXISTS AS A REQUIREMENT FOR TPM2 OPERATION. */
+ PADDING_MODE_NULL = 3
 };
 /* Calculate r = m ^ e mod N */
 int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
- const uint8_t *in, const uint32_t in_len,
+ const uint8_t *in, uint32_t in_len,
 enum padding_mode padding, enum hashing_mode hashing,
 const char *label);
diff --git a/chip/g/dcrypto/rsa.c b/chip/g/dcrypto/rsa.c
index 02dbbf01f4..ff42e00457 100644
--- a/chip/g/dcrypto/rsa.c
+++ b/chip/g/dcrypto/rsa.c
@@ -411,10 +411,11 @@ static int check_modulus_params(const struct BIGNUM *N, uint32_t *out_len)
 }
 int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
- const uint8_t *in, const uint32_t in_len,
+ const uint8_t *in, uint32_t in_len,
 enum padding_mode padding, enum hashing_mode hashing,
 const char *label)
 {
+ uint8_t *p;
 uint32_t padded_buf[RSA_MAX_WORDS];
 uint32_t e_buf[BN_BYTES / sizeof(uint32_t)];
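Review bot: The new `TPM_ALG_NULL` branch in check_encrypt_params makes unpadded RSA selectable by algorithm id alone, and nothing at this point records what the caller must then guarantee. Unpadded RSA is deterministic and malleable, so it is only sound when the layer above supplies its own encoding. I would add a comment on the branch such as `/* Raw RSA: no padding is applied or checked; required by TPM2, the caller owns the encoding. */`. The function's opening lines are outside the hunk, so whether `hash_alg` is meant to be ignored for this mode cannot be confirmed from here.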
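Review bot: The comment added above `PADDING_MODE_NULL` in dcrypto.h warns against the mode but states neither the reason nor the input contract, and its all-caps form does not match the neighbouring `/* Calculate r = m ^ e mod N */`. A reader of the header should learn that this mode performs the bare modular exponentiation, that encrypt accepts input longer than the modulus only when the excess leading bytes are zero, and that decrypt returns exactly `bn_size(&padded)` bytes, all of which the rsa.c hunks in this commit implement. Something like `/* No padding (raw RSA); deterministic and malleable. Present only because TPM2 requires it. */` followed by the length rules would cover it.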
@@ -441,6 +442,19 @@ int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
 (const uint8_t *) in, in_len))
 return 0;
 break;
+ case PADDING_MODE_NULL:
+ /* Input is allowed to have more bytes than N, in
+ * which case the excess must be zero. */
+ for (; in_len > bn_size(&padded); in_len--)
+ if (*in++ != 0)
+ return 0;
+ p = (uint8_t *) padded.d;
+ /* If in_len < bn_size(&padded), padded will
+ * have leading zero bytes. */
+ memcpy(&p[bn_size(&padded) - in_len], in, in_len);
+ /* TODO(ngm): in may be > N, bn_mont_mod_exp() should
+ * handle this case. */
+ break;
 default:
 return 0; /* Unsupported padding mode. */
 }
@@ -497,6 +511,14 @@ int DCRYPTO_rsa_decrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
 bn_size(&padded)))
 ret = 0;
 break;
+ case PADDING_MODE_NULL:
+ if (*out_len < bn_size(&padded)) {
+ ret = 0;
+ } else {
+ *out_len = bn_size(&padded);
+ memcpy(out, padded.d, *out_len);
+ }
+ break;
 default:
 /* Unsupported padding mode. */
 ret = 0;
diff --git a/test/tpm_test/rsa_test.py b/test/tpm_test/rsa_test.py
index 37ffbd2677..2a751d3ee7 100644
--- a/test/tpm_test/rsa_test.py
+++ b/test/tpm_test/rsa_test.py
@@ -26,7 +26,8 @@ _RSA_PADDING = {
 'PKCS1-SSA': 0x14,
 'PKCS1-ES': 0x15,
 'PKCS1-PSS': 0x16,
- 'OAEP': 0x17
+ 'OAEP': 0x17,
+ 'NULL': 0x10,
 }
@@ -110,6 +111,7 @@ _ENCRYPT_INPUTS = (
 ('OAEP', 'SHA256', 768),
 ('PKCS1-ES', 'NONE', 768),
 ('PKCS1-ES', 'NONE', 2048),
+ ('NULL', 'NONE', 768),
 )
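Review bot: The `PADDING_MODE_NULL` case in DCRYPTO_rsa_encrypt only strips excess leading zero bytes, so an input as long as the modulus whose value is at or above N still reaches the exponentiation, as the TODO in the hunk admits. Raw RSA is defined only for a message smaller than N, so I would compare the copied value against the modulus here and `return 0` on failure rather than rely on bn_mont_mod_exp() to reduce it. The comment that padded "will have leading zero bytes" also depends on the buffer being cleared before the switch; `padded_buf` is declared without an initializer and its setup is outside the hunk, so unless it is zeroed there, add `memset(p, 0, bn_size(&padded) - in_len);` before the memcpy. The stripping loop would also read more safely with braces around the `for` and `if` bodies.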
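Review bot: The `PADDING_MODE_NULL` case in DCRYPTO_rsa_decrypt copies the private-key result straight to `out` with no encoding check, and the branch carries no comment saying so, whereas the case just above it in the hunk sets `ret = 0` when its check fails. With no structure to verify, this path cannot detect a wrong key or a modified ciphertext, and a key usable both here and with a padded mode no longer gets the padded mode's guarantees. I would note that on the branch, for example `/* Raw private-key operation: output is unverified; key-usage policy is the caller's job. */`. The too-small-buffer path also leaves `*out_len` unchanged; the other cases lie outside the hunk, so confirm that matches their failure contract.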
@@ -135,6 +137,14 @@ def _encrypt_tests(tpm):
 key_len, ciphertext)
 wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.RSA, cmd))
 plaintext = tpm.unwrap_ext_response(subcmd.RSA, wrapped_response)
+ if padding == 'NULL':
+ # Check for leading zeros.
+ if reduce(lambda x, y: x | y,
+ map(ord, plaintext[:len(plaintext) - len(msg)])):
+ raise subcmd.TpmTestError('%s error:%s%s' % (
+ test_name, utils.hex_dump(msg), utils.hex_dump(plaintext)))
+ else:
+ plaintext = plaintext[len(plaintext) - len(msg):]
 if msg != plaintext:
 raise subcmd.TpmTestError('%s error:%s%s' % (
 test_name, utils.hex_dump(msg), utils.hex_dump(plaintext))) |
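Review bot: The leading-zero check calls `reduce` without an initial value, so when the returned plaintext is exactly as long as `msg` the slice is empty and `reduce` raises TypeError instead of letting the comparison run. Passing a start value fixes it: `reduce(lambda x, y: x | y, map(ord, plaintext[:len(plaintext) - len(msg)]), 0)`. The only NULL entry added to `_ENCRYPT_INPUTS` is 768-bit, and nothing exercises the rejection path added in the C code for non-zero excess bytes; a negative case would pin that behaviour. _encrypt_tests starts outside the hunk and indentation is lost on this page, so how `msg` is sized and which `if` the `else:` belongs to cannot be confirmed from here.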