From 64397fdd5b734b0ec6346e325893291a1f446291 Mon Sep 17 00:00:00 2001
From: nagendra modadugu
Date: Sun, 17 Jul 2016 09:47:20 -0700
Subject: CR50: when testing an RSA key, check that N % p == 0
TCG test CPCTPM_TC2_2_22_02_08 installs an RSA key for which p does not divide the modulus, and subsequently the test is expected to fail accordingly. This change adds the check necessary to pass this test -- a check that p divides N. Also removed dangling function declaration for bn_mul().
BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
BUG=chrome-os-partner:50115
TEST=TCG test CPCTPM_TC2_2_22_02_08 passes consistently
Signed-off-by: nagendra modadugu
Reviewed-on: https://chromium-review.googlesource.com/360968
Reviewed-by: Vadim Bendebury
Commit-Queue: Vadim Bendebury
(cherry picked from commit c4430ecac8f77a05ac4071679de1535e0da2779e)
(cherry picked from commit 832d04b5b8cebf702d2ec00051615f827d2d16e1)
Change-Id: If2ffc6260ae848d75e93263a37e84f0ed7d301a0
Reviewed-on: https://chromium-review.googlesource.com/362117
Commit-Ready: Vadim Bendebury
Tested-by: Vadim Bendebury
---
chip/g/dcrypto/bn.c | 2 +-
chip/g/dcrypto/internal.h | 3 +--
chip/g/dcrypto/rsa.c | 5 ++++-
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/chip/g/dcrypto/bn.c b/chip/g/dcrypto/bn.c
index 240694ba36..adea4e72e4 100644
--- a/chip/g/dcrypto/bn.c
+++ b/chip/g/dcrypto/bn.c
@@ -30,7 +30,7 @@ void DCRYPTO_bn_wrap(struct LITE_BIGNUM *b, void *buf, size_t len)
b->d = (struct access_helper *) buf;
}
-static int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b)
+int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b)
{
int i;
uint32_t top = 0;
diff --git a/chip/g/dcrypto/internal.h b/chip/g/dcrypto/internal.h
index 74fbf2be6e..7be2140ac4 100644
--- a/chip/g/dcrypto/internal.h
+++ b/chip/g/dcrypto/internal.h
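Review bot: `bn_eq` loses its `static` in bn.c and gains a prototype in internal.h, yet neither place documents its contract. The new caller in rsa.c treats a non-zero return as "equal", so the prototype would benefit from a comment such as `/* Returns non-zero iff a and b are equal. */`, extended with one sentence on how operands of different `dmax` are handled. Only the first lines of the body are inside the hunk, so the length handling and whether the loop runs without an early exit cannot be confirmed from here. Because the function now compares a value computed from private key factors, that timing property is worth stating in the same comment.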
@@ -70,6 +70,7 @@ void bn_init(struct LITE_BIGNUM *bn, void *buf, size_t len);
#define bn_size(b) ((b)->dmax * LITE_BN_BYTES)
#define bn_words(b) ((b)->dmax)
#define bn_bits(b) ((b)->dmax * LITE_BN_BITS2)
+int bn_eq(const struct LITE_BIGNUM *a, const struct LITE_BIGNUM *b);
int bn_check_topbit(const struct LITE_BIGNUM *N);
void bn_mont_modexp(struct LITE_BIGNUM *output, const struct LITE_BIGNUM *input, const struct LITE_BIGNUM *exp, const struct LITE_BIGNUM *N);
@@ -79,8 +80,6 @@ void bn_mont_modexp_asm(struct LITE_BIGNUM *output,
const struct LITE_BIGNUM *N);
uint32_t bn_add(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a);
uint32_t bn_sub(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a);
-void bn_mul(struct LITE_BIGNUM *c, const struct LITE_BIGNUM *a,
- const struct LITE_BIGNUM *b);
int bn_modinv_vartime(struct LITE_BIGNUM *r, const struct LITE_BIGNUM *e, const struct LITE_BIGNUM *MOD);
int bn_is_bit_set(const struct LITE_BIGNUM *a, int n);
diff --git a/chip/g/dcrypto/rsa.c b/chip/g/dcrypto/rsa.c
index e9a02be9d2..359565d118 100644
--- a/chip/g/dcrypto/rsa.c
+++ b/chip/g/dcrypto/rsa.c
@@ -651,8 +651,11 @@ int DCRYPTO_rsa_key_compute(struct LITE_BIGNUM *N, struct LITE_BIGNUM *d,
bn_sub(&phi, &ONE);
if (!bn_modinv_vartime(&q_local, p, &phi))
return 0;
+ /* Check that p * q == N */
+ DCRYPTO_bn_mul(&phi, p, &q_local);
+ if (!bn_eq(N, &phi))
+ return 0;
q = &q_local;
- bn_add(&phi, &ONE);
} else {
DCRYPTO_bn_mul(N, p, q);
memcpy(phi_buf, N->d, bn_size(N));
-- cgit v1.2.1
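Review bot: In the rsa.c hunk the new `DCRYPTO_bn_mul(&phi, p, &q_local)` reuses `phi` as scratch, and dropping `bn_add(&phi, &ONE)` is only safe because a passing check leaves `phi` equal to N, which the comment does not say. I would extend it to `/* Check that p * q == N; phi then holds N again, as in the else branch. */`. The check is sound only if `phi` can hold the full product and `bn_eq` compares every word of N; neither size is visible in this hunk, so that is worth confirming where `phi` and `q_local` are initialised. It shows that p divides N, not that p or the derived q is a well-formed prime, so any such validation has to live elsewhere. DCRYPTO_rsa_key_compute starts and ends outside the hunk.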