g: corrected division algorithm in DCRYPTO_bn_div

Long division algorithm computes incorrect answer in rare cases causing valid RSA signatures to be rejected. BRANCH=cr50 BUG=b:137973895 TEST=tpm_test passes Change-Id: Ie8f39eed21443978734adbbf60b72d7701154c18 Signed-off-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1766088 Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org>
author: Vadim Sukhomlinov <sukhomlinov@google.com> 2019-08-22 11:12:43 -0700
committer: Commit Bot <commit-bot@chromium.org> 2019-08-23 18:22:49 +0000
commit: a06dc0b52c6415eabc3a5d46357894bbe6416a17 (patch)
tree: c4eb82a24467928cd0d7fc26fc1584ec388c62c8
parent: 5b3ef3d1d46f84aa20b36d4d4e92e5bbb46bc2b0 (diff)
download: chrome-ec-a06dc0b52c6415eabc3a5d46357894bbe6416a17.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/chip/g/dcrypto/bn.c b/chip/g/dcrypto/bn.c
index 3131139f89..94aafa1799 100644
--- a/chip/g/dcrypto/bn.c
+++ b/chip/g/dcrypto/bn.c
@@ -610,6 +610,7 @@ static int bn_div_ex(struct LITE_BIGNUM *q,
 
 		/* If borrowed, add one back and adjust estimate */
 		if (t < 0) {
+			k = 0;
 			qd = qd - 1;
 			for (i = 0; i < n; i++) {
 				t = (uint64_t)un[i + j] + vn[i] + k;
author	Vadim Sukhomlinov <sukhomlinov@google.com>	2019-08-22 11:12:43 -0700
committer	Commit Bot <commit-bot@chromium.org>	2019-08-23 18:22:49 +0000
commit	a06dc0b52c6415eabc3a5d46357894bbe6416a17 (patch)
tree	c4eb82a24467928cd0d7fc26fc1584ec388c62c8
parent	5b3ef3d1d46f84aa20b36d4d4e92e5bbb46bc2b0 (diff)
download	chrome-ec-a06dc0b52c6415eabc3a5d46357894bbe6416a17.tar.gz