authornagendra modadugu <ngm@google.com>2016-02-19 15:21:45 -0800
committerchrome-bot <chrome-bot@chromium.org>2016-03-31 07:08:01 -0700
commit7aa42e2ba9a33530dd97bc5e814cd1b73d2cbb25 (patch)
tree78886f1b2d0b148a31e2471b4196fa7cd5858da9
parent70378b86b4e5682b70a8145c9679e250280d6f14 (diff)
CR50: add NULL padding support for RSA encrypt/decrypt
NULL padding (aka vanilla RSA) support is required by the TPM2 test suite (referred to as TPM_ALG_NULL in the tpm2 source). BRANCH=none BUG=chrome-os-partner:43025,chrome-os-partner:47524 TEST=tests under test/tpm2 pass Change-Id: I9848fad3b44add05a04810ecd178fbad20ae92cc Signed-off-by: nagendra modadugu <ngm@google.com> Reviewed-on: https://chromium-review.googlesource.com/328830 Commit-Ready: Nagendra Modadugu <ngm@google.com> Tested-by: Nagendra Modadugu <ngm@google.com> Reviewed-by: Nagendra Modadugu <ngm@google.com>
-rw-r--r--board/cr50/tpm2/rsa.c4
-rw-r--r--chip/g/dcrypto/dcrypto.h7
-rw-r--r--chip/g/dcrypto/rsa.c24
-rw-r--r--test/tpm_test/rsa_test.py12
4 files changed, 42 insertions, 5 deletions
diff --git a/board/cr50/tpm2/rsa.c b/board/cr50/tpm2/rsa.c
index 526dc25c95..6345b70309 100644
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -33,8 +33,10 @@ static int check_encrypt_params(TPM_ALG_ID padding_alg, TPM_ALG_ID hash_alg,
/* Unsupported hash algorithm. */
return 0;
*padding = PADDING_MODE_OAEP;
+ } else if (padding_alg == TPM_ALG_NULL) {
+ *padding = PADDING_MODE_NULL;
} else {
- return 0; /* NULL padding unsupported. */
+ return 0; /* Unsupported padding mode. */
}
return 1;
}
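Review bot: The new `TPM_ALG_NULL` branch never looks at `hash_alg`, unlike the OAEP branch above it, and nothing in the code says that this is deliberate. A comment on the branch would make the intent explicit, for example `/* Raw RSA: no padding is applied and hash_alg is ignored. */`. The signature is cut off in the hunk header, so I cannot see whether a hashing out-parameter exists; if it does, it looks like this branch leaves it unset, and it should be given a defined value before returning 1. The function body starts outside the hunk.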
diff --git a/chip/g/dcrypto/dcrypto.h b/chip/g/dcrypto/dcrypto.h
index 0856ec76c6..a412adee5a 100644
--- a/chip/g/dcrypto/dcrypto.h
+++ b/chip/g/dcrypto/dcrypto.h
@@ -94,12 +94,15 @@ struct RSA {
enum padding_mode {
PADDING_MODE_PKCS1 = 0,
PADDING_MODE_OAEP = 1,
- PADDING_MODE_PSS = 2
+ PADDING_MODE_PSS = 2,
+ /* USE OF NULL PADDING IS NOT RECOMMENDED.
+ * SUPPORT EXISTS AS A REQUIREMENT FOR TPM2 OPERATION. */
+ PADDING_MODE_NULL = 3
};
/* Calculate r = m ^ e mod N */
int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
- const uint8_t *in, const uint32_t in_len,
+ const uint8_t *in, uint32_t in_len,
enum padding_mode padding, enum hashing_mode hashing,
const char *label);
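Review bot: The warning on `PADDING_MODE_NULL` says not to use it but not why, so a later caller cannot tell what they would have to provide themselves. I would extend the comment with the reason, for example `/* Raw RSA is deterministic and malleable and gives no integrity check on decrypt; callers must supply their own encoding. */`. The comment above `DCRYPTO_rsa_encrypt` could also note that only in NULL mode is `in` interpreted directly as the big-endian integer m.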
diff --git a/chip/g/dcrypto/rsa.c b/chip/g/dcrypto/rsa.c
index 02dbbf01f4..ff42e00457 100644
--- a/chip/g/dcrypto/rsa.c
+++ b/chip/g/dcrypto/rsa.c
@@ -411,10 +411,11 @@ static int check_modulus_params(const struct BIGNUM *N, uint32_t *out_len)
}
int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
- const uint8_t *in, const uint32_t in_len,
+ const uint8_t *in, uint32_t in_len,
enum padding_mode padding, enum hashing_mode hashing,
const char *label)
{
+ uint8_t *p;
uint32_t padded_buf[RSA_MAX_WORDS];
uint32_t e_buf[BN_BYTES / sizeof(uint32_t)];
@@ -441,6 +442,19 @@ int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
(const uint8_t *) in, in_len))
return 0;
break;
+ case PADDING_MODE_NULL:
+ /* Input is allowed to have more bytes than N, in
+ * which case the excess must be zero. */
+ for (; in_len > bn_size(&padded); in_len--)
+ if (*in++ != 0)
+ return 0;
+ p = (uint8_t *) padded.d;
+ /* If in_len < bn_size(&padded), padded will
+ * have leading zero bytes. */
+ memcpy(&p[bn_size(&padded) - in_len], in, in_len);
+ /* TODO(ngm): in may be > N, bn_mont_mod_exp() should
+ * handle this case. */
+ break;
default:
return 0; /* Unsupported padding mode. */
}
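Review bot: The `PADDING_MODE_NULL` case copies the input into `padded` without checking that the value is numerically smaller than the modulus, and the TODO leaves that case to bn_mont_mod_exp(). The RSA encryption primitive is only defined for 0 <= m < N, and the excess-byte loop only covers inputs longer than N, so an input of modulus length whose value is >= N should be rejected with `return 0` before the exponentiation rather than deferred. The "leading zero bytes" comment also depends on `padded_buf` having been zeroed before the switch, which this hunk does not show (presumably it happens where `padded` is initialised); the comment should say so. The nested `for`/`if` would also read more safely with braces. The function body starts and ends outside the hunk.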
@@ -497,6 +511,14 @@ int DCRYPTO_rsa_decrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
bn_size(&padded)))
ret = 0;
break;
+ case PADDING_MODE_NULL:
+ if (*out_len < bn_size(&padded)) {
+ ret = 0;
+ } else {
+ *out_len = bn_size(&padded);
+ memcpy(out, padded.d, *out_len);
+ }
+ break;
default:
/* Unsupported padding mode. */
ret = 0;
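Review bot: The `PADDING_MODE_NULL` decrypt case has no comment describing its output contract, which differs from the padded modes. It always returns exactly `bn_size(&padded)` bytes, leading zero bytes included, and performs no structure check, so every ciphertext of the right length "succeeds". I would add a comment on the case such as `/* Raw RSA: output is always modulus-length; leading zeros are preserved and nothing is validated. */` so that callers know they must strip and verify the result themselves. Whether the TPM layer restricts which keys may select this mode is not visible here and is worth confirming. The switch continues past the end of the hunk.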
diff --git a/test/tpm_test/rsa_test.py b/test/tpm_test/rsa_test.py
index 37ffbd2677..2a751d3ee7 100644
--- a/test/tpm_test/rsa_test.py
+++ b/test/tpm_test/rsa_test.py
@@ -26,7 +26,8 @@ _RSA_PADDING = {
'PKCS1-SSA': 0x14,
'PKCS1-ES': 0x15,
'PKCS1-PSS': 0x16,
- 'OAEP': 0x17
+ 'OAEP': 0x17,
+ 'NULL': 0x10,
}
@@ -110,6 +111,7 @@ _ENCRYPT_INPUTS = (
('OAEP', 'SHA256', 768),
('PKCS1-ES', 'NONE', 768),
('PKCS1-ES', 'NONE', 2048),
+ ('NULL', 'NONE', 768),
)
@@ -135,6 +137,14 @@ def _encrypt_tests(tpm):
key_len, ciphertext)
wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.RSA, cmd))
plaintext = tpm.unwrap_ext_response(subcmd.RSA, wrapped_response)
+ if padding == 'NULL':
+ # Check for leading zeros.
+ if reduce(lambda x, y: x | y,
+ map(ord, plaintext[:len(plaintext) - len(msg)])):
+ raise subcmd.TpmTestError('%s error:%s%s' % (
+ test_name, utils.hex_dump(msg), utils.hex_dump(plaintext)))
+ else:
+ plaintext = plaintext[len(plaintext) - len(msg):]
if msg != plaintext:
raise subcmd.TpmTestError('%s error:%s%s' % (
test_name, utils.hex_dump(msg), utils.hex_dump(plaintext)))
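Review bot: The leading-zero check calls `reduce` without an initial value, so it raises `TypeError` on an empty slice, which happens when `len(msg)` equals the length of the returned plaintext. The current 768-bit NULL vector presumably uses a shorter message, but a full-length message would fail with a confusing exception instead of a test result. `if any(ord(c) for c in plaintext[:len(plaintext) - len(msg)]):` handles the empty case and reads more directly. The body of `_encrypt_tests` starts outside the hunk.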