-rw-r--r-- | board/cr50/tpm2/rsa.c | 20 | ||||
-rw-r--r-- | test/tpm_test/rsa_test.py | 16 |
2 files changed, 25 insertions, 11 deletions
diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c index 306eccb92d..d4bb863319 100644 --- a/board/cr50/tpm2/rsa.c +++ b/board/cr50/tpm2/rsa.c @@ -265,15 +265,14 @@ static int generate_prime(struct BIGNUM *b, TPM_ALG_ID hashing, TPM2B *seed, const char *label, TPM2B *extra, uint32_t *counter) { TPM2B_4_BYTE_VALUE marshaled_counter = { .t = {4} }; - uint32_t initial_counter; + uint32_t i; - initial_counter = *counter; - for (; *counter - initial_counter < MAX_GENERATE_ATTEMPTS; - *counter += 1) { + for (i = 0; i < MAX_GENERATE_ATTEMPTS; i++) { UINT32_TO_BYTE_ARRAY(*counter, marshaled_counter.t.buffer); _cpri__KDFa(hashing, seed, label, extra, &marshaled_counter.b, bn_bits(b), (uint8_t *) b->d, NULL, FALSE); + (*counter)++; /* Mark as used. */ if (DCRYPTO_bn_generate_prime(b)) return 1; } @@ -556,6 +555,7 @@ static const RSA_KEY RSA_2048 = { }; #define MAX_MSG_BYTES RSA_MAX_BYTES +#define MAX_LABEL_LEN 32 /* 128-byte buffer to hold entropy for generating a * 2048-bit RSA key (assuming ~112 bits of security strength, @@ -588,6 +588,7 @@ static void rsa_command_handler(void *cmd_body, TPM2B_128_BYTE_VALUE seed; uint8_t bn_buf[RSA_MAX_BYTES]; struct BIGNUM bn; + char label[MAX_LABEL_LEN]; assert(sizeof(size_t) == sizeof(uint32_t)); @@ -717,13 +718,22 @@ static void rsa_command_handler(void *cmd_body, *response_size = 1; return; case TEST_RSA_KEYGEN: + if (in_len > MAX_LABEL_LEN - 1) { + *response_size = 0; + return; + } N.b.size = sizeof(N.t.buffer); p.b.size = sizeof(p.t.buffer); seed.b.size = sizeof(seed.t.buffer); rand_bytes(seed.b.buffer, seed.b.size); + if (in_len > 0) { + memcpy(label, in, in_len); + label[in_len] = '\0'; + } if (_cpri__GenerateKeyRSA( &N.b, &p.b, key_len, RSA_F4, TPM_ALG_SHA256, - &seed.b, NULL, NULL, NULL) != CRYPT_SUCCESS) { + &seed.b, in_len ? label : NULL, NULL, NULL) + != CRYPT_SUCCESS) { *response_size = 0; } else { memcpy(out, N.b.buffer, N.b.size); 
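Review bot: The `/* Mark as used. */` comment on `(*counter)++` in generate_prime() does not say why the increment must come before the primality test, which is the property the change appears to depend on. With the increment there, a successful return leaves `*counter` at an unused value, so a later call with the same seed and label presumably cannot derive the same candidate again. I would state that directly, e.g. `/* Consume this counter value even on success so the next call never feeds the same input to the KDF. */`. The function body continues past the end of the hunk.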
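Review bot: In the TEST_RSA_KEYGEN case, the new `memcpy(label, in, in_len)` is bounded on the destination side by the `in_len > MAX_LABEL_LEN - 1` check, but nothing in the hunk shows `in_len` being checked against the bytes actually received. If the earlier parsing in rsa_command_handler() (outside this hunk) does not do that, the copy reads past the command buffer; please confirm it does. The label is then passed on as a C string, so an input containing a zero byte is silently shortened and two different inputs can yield the same label. Either reject such input with `if (memchr(in, '\0', in_len)) { *response_size = 0; return; }` or add a comment that labels must be NUL-free.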
diff --git a/test/tpm_test/rsa_test.py b/test/tpm_test/rsa_test.py index 6ee474c579..d746fba47c 100644 --- a/test/tpm_test/rsa_test.py +++ b/test/tpm_test/rsa_test.py @@ -116,13 +116,13 @@ def _keytest_cmd(key_len): dl='', dig='') -def _keygen_cmd(key_len, e): +def _keygen_cmd(key_len, e, label): op = _RSA_OPCODES['KEYGEN'] padding = _RSA_PADDING['NONE'] hashing = _HASH['NONE'] return _RSA_CMD_FORMAT.format(o=op, p=padding, h=hashing, kl=struct.pack('>H', key_len), - ml=struct.pack('>H', 0), msg='', + ml=struct.pack('>H', len(label)), msg=label, dl=struct.pack('>H', 0), dig='') @@ -582,7 +582,8 @@ _KEYTEST_INPUTS = ( ) _KEYGEN_INPUTS = ( - (768, 65537), + (768, 65537, "rsa_test"), + (768, 65537, ''), ) @@ -659,9 +660,9 @@ def _keytest_tests(tpm): def _keygen_tests(tpm): for data in _KEYGEN_INPUTS: - key_len, e = data - test_name = 'RSA-KEYGEN:%d:%d' % data - cmd = _keygen_cmd(key_len, e) + key_len, e, label = data + test_name = 'RSA-KEYGEN:%d:%d:%s' % data + cmd = _keygen_cmd(key_len, e, label) wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.RSA, cmd)) result = tpm.unwrap_ext_response(subcmd.RSA, wrapped_response) @@ -679,6 +680,9 @@ def _keygen_tests(tpm): if not rsa.prime.is_prime(q): raise subcmd.TpmTestError('%s error:%s' % ( test_name, utils.hex_dump(result))) + if p == q: + raise subcmd.TpmTestError('%s error:%s' % ( + test_name, utils.hex_dump(result))) print('%sSUCCESS: %s' % (utils.cursor_back(), test_name)) |
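Review bot: `_KEYGEN_INPUTS` covers only an 8-byte label and the empty label, so the length check this commit adds to the firmware handler is never exercised. A 31-byte label (the longest accepted, going by `MAX_LABEL_LEN` in rsa.c) would pin the upper bound, e.g. `(768, 65537, 'A' * 31),`. A 32-byte label should come back with an empty response, but it needs its own expectation because `_keygen_tests` treats every entry as a success case.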
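Review bot: The new `p == q` branch in `_keygen_tests` raises the same `'%s error:%s'` text as the primality check above it, so a failure log does not show which property failed. Identical primes deserve their own message, since that is the case where the modulus is trivially factorable. For instance: `raise subcmd.TpmTestError('%s error: p == q:%s' % (test_name, utils.hex_dump(result)))`. The function starts outside this hunk.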