authorVadim Sukhomlinov <sukhomlinov@google.com>2021-10-14 11:40:45 -0700
committerCommit Bot <commit-bot@chromium.org>2021-10-18 22:28:49 +0000
commit2bf2051125c993a1bcc5584803ab5f06bd675c93 (patch)
treeabafb0ede3db5a76353ec694068020046d6d046e
parent69753e1de353c26e047b702a7d360dfc2c2c2521 (diff)
downloadchrome-ec-2bf2051125c993a1bcc5584803ab5f06bd675c93.tar.gz
cr50: update ECDSA pair-wise consistency test to alter key, not message
Intent of pair-wise consistency test is to ensure that private key matches the public key, so update what we change when simulating error. BUG=b:198219806 TEST=make BOARD=cr50 CRYPTO_TEST=1 U2F_TEST=1; u2f_test; passes fips pwct u2f_test; fails on u2f_generate, u2f_sign and u2f_attest. Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> Change-Id: I35de5608184fc9f28db4912f2b62795d53d48f43 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3229800 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r--board/cr50/dcrypto/p256_ec.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/board/cr50/dcrypto/p256_ec.c b/board/cr50/dcrypto/p256_ec.c
index 5924848c23..ac39813abb 100644
--- a/board/cr50/dcrypto/p256_ec.c
+++ b/board/cr50/dcrypto/p256_ec.c
@@ -97,6 +97,9 @@ enum dcrypto_result dcrypto_p256_key_pwct(struct drbg_ctx *drbg,
{
p256_int message, r, s;
enum dcrypto_result result;
+#ifdef CRYPTO_TEST_SETUP
+ p256_int d_altered;
+#endif
if (p256_is_zero(d))
return DCRYPTO_FAIL;
@@ -104,14 +107,19 @@ enum dcrypto_result dcrypto_p256_key_pwct(struct drbg_ctx *drbg,
/* set some pseudo-random message. */
p256_fast_random(&message);
+#ifdef CRYPTO_TEST_SETUP
+ if (fips_break_cmd == FIPS_BREAK_ECDSA_PWCT) {
+ /* Modify key used for signing. */
+ d_altered = *d;
+ d_altered.a[1] ^= 1;
+ d = &d_altered;
+ }
+#endif
+
result = dcrypto_p256_fips_sign_internal(drbg, d, &message, &r, &s);
if (result != DCRYPTO_OK)
return result;
-#ifdef CRYPTO_TEST_SETUP
- if (fips_break_cmd == FIPS_BREAK_ECDSA_PWCT)
- message.a[0] = ~message.a[0];
-#endif
return dcrypto_p256_ecdsa_verify(x, y, &message, &r, &s);
}
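Review bot: `d_altered` holds the private scalar with one known bit flipped, and neither `return result;` nor the final verify return clears it, so in CRYPTO_TEST_SETUP builds key-equivalent material is left on the stack when `dcrypto_p256_key_pwct` returns. The exposure is limited to test images, but it would be cheap to keep the verify result in `result`, wipe `d_altered` with whichever non-elidable clear the dcrypto code already uses (a plain `memset` of a dead local may be optimized away), and then return. The new comment could also state the intent, e.g. `/* Sign with a key that no longer matches (x, y), so verify must fail. */`. The function signature and the `d_altered` declaration sit outside this hunk, so the wipe would need the same `#ifdef CRYPTO_TEST_SETUP` guard as the declaration in the first hunk.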