-rw-r--r-- | chip/g/dcrypto/bn.c | 2 | ||||
-rw-r--r-- | chip/g/dcrypto/internal.h | 3 | ||||
-rw-r--r-- | chip/g/dcrypto/rsa.c | 5 |
3 files changed, 6 insertions, 4 deletions
diff --git a/chip/g/dcrypto/bn.c b/chip/g/dcrypto/bn.c
index 240694ba36..adea4e72e4 100644
--- a/chip/g/dcrypto/bn.c
+++ b/chip/g/dcrypto/bn.c
@@ -30,7 +30,7 @@ void DCRYPTO_bn_wrap(struct LITE_BIGNUM *b, void *buf, size_t len)
 	b->d = (struct access_helper *) buf;
 }
-static int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b)
+int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b)
 {
 	int i;
 	uint32_t top = 0;
diff --git a/chip/g/dcrypto/internal.h b/chip/g/dcrypto/internal.h
index 74fbf2be6e..7be2140ac4 100644
--- a/chip/g/dcrypto/internal.h
+++ b/chip/g/dcrypto/internal.h
@@ -70,6 +70,7 @@ void bn_init(struct LITE_BIGNUM *bn, void *buf, size_t len);
 #define bn_size(b) ((b)->dmax * LITE_BN_BYTES)
 #define bn_words(b) ((b)->dmax)
 #define bn_bits(b) ((b)->dmax * LITE_BN_BITS2)
+int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b);
 int bn_check_topbit(const struct LITE_BIGNUM *N);
 void bn_mont_modexp(struct LITE_BIGNUM *output, const struct LITE_BIGNUM *input,
 		    const struct LITE_BIGNUM *exp, const struct LITE_BIGNUM *N);
@@ -79,8 +80,6 @@ void bn_mont_modexp_asm(struct LITE_BIGNUM *output,
 			const struct LITE_BIGNUM *N);
 uint32_t bn_add(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a);
 uint32_t bn_sub(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a);
-void bn_mul(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a,
-	    const struct LITE_BIGNUM *b);
 int bn_modinv_vartime(struct LITE_BIGNUM *r, const struct LITE_BIGNUM *e,
 		      const struct LITE_BIGNUM *MOD);
 int bn_is_bit_set(const struct LITE_BIGNUM *a, int n);
diff --git a/chip/g/dcrypto/rsa.c b/chip/g/dcrypto/rsa.c
index e9a02be9d2..359565d118 100644
--- a/chip/g/dcrypto/rsa.c
+++ b/chip/g/dcrypto/rsa.c
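Review bot: bn_eq is now exported through internal.h, but neither the definition here nor the new prototype documents its return convention; the caller added in rsa.c treats a zero return as "not equal", so `/* Returns non-zero iff a == b. */` above the prototype would pin that. The body of bn_eq continues past the hunk, so I cannot confirm whether it compares in constant time or how it treats operands with different dmax; since it now compares values derived from private key material in rsa.c, the comment should state both once confirmed. The same documentation point applies to the internal.h hunk that adds the prototype.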
@@ -651,8 +651,11 @@ int DCRYPTO_rsa_key_compute(struct LITE_BIGNUM *N, struct LITE_BIGNUM *d,
 		bn_sub(&phi, &ONE);
 		if (!bn_modinv_vartime(&q_local, p, &phi))
 			return 0;
+		/* Check that p * q == N */
+		DCRYPTO_bn_mul(&phi, p, &q_local);
+		if (!bn_eq(N, &phi))
+			return 0;
 		q = &q_local;
-		bn_add(&phi, &ONE);
 	} else {
 		DCRYPTO_bn_mul(N, p, q);
 		memcpy(phi_buf, N->d, bn_size(N)); |
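Review bot: The new `if (!bn_eq(N, &phi)) return 0;` path returns with q_local and phi still holding the just-derived candidate prime and its product, so a corrupted or mismatched key leaves private material behind in whatever storage backs them (their declarations are outside the hunk, so whether that is stack or static storage is not visible here); if the function's other failure paths scrub these buffers before returning, this one should do the same. The comment `/* Check that p * q == N */` says what but not why; suggest `/* Reject a (p, N) pair that is inconsistent (corrupted or mismatched key) before d is derived from it. */`. DCRYPTO_rsa_key_compute starts and ends outside this hunk, so I cannot see whether later code still depends on phi being restored to its pre-bn_sub value, which the removed bn_add did, or on phi's buffer being large enough to hold the full product of p and q_local.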