diff options
author | Vadim Sukhomlinov <sukhomlinov@google.com> | 2021-08-30 18:13:38 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2021-08-31 18:37:18 +0000 |
commit | 50e3ce90b2f81075ed2e22a73ade0ed5cee35471 (patch) | |
tree | 60d5af298b0d00be3b41782075c6a51eba645435 | |
parent | 8ddc58e3ce801e2ce72e78fc28bf026436dc22b2 (diff) | |
download | chrome-ec-50e3ce90b2f81075ed2e22a73ade0ed5cee35471.tar.gz |
cr50: add pair-wise consistency test for ECDSA key generation.
FIPS requires pair-wise consistency test for asymmetric key generation
algorithms. For U2F we use only ECDSA P-256, so adding this step into
key generation function.
BUG=b:198219806
TEST=make BOARD=cr50 CRYPTO_TEST=1; test/tpm_test/tpmtest.py
This test covers U2F and TPM2 uses of ECDSA keygen.
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Change-Id: I520a233e700a68b19c863bad05271f97693b5ca9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3131949
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
-rw-r--r-- | board/cr50/dcrypto/dcrypto.h | 10 | ||||
-rw-r--r-- | board/cr50/dcrypto/p256_ec.c | 40 | ||||
-rw-r--r-- | board/cr50/fips.h | 12 |
3 files changed, 54 insertions, 8 deletions
diff --git a/board/cr50/dcrypto/dcrypto.h b/board/cr50/dcrypto/dcrypto.h index b94bbd7eb3..284aa5dd51 100644 --- a/board/cr50/dcrypto/dcrypto.h +++ b/board/cr50/dcrypto/dcrypto.h @@ -255,6 +255,16 @@ int DCRYPTO_p256_point_mul(p256_int *out_x, p256_int *out_y, const p256_int *n, int DCRYPTO_p256_key_from_bytes(p256_int *x, p256_int *y, p256_int *d, const uint8_t bytes[P256_NBYTES]); +/** + * Pair-wise consistency test for private and public key. + * + * @param d - private key (scalar) + * @param x - public key part + * @param y - public key part + * @return !0 on success + */ +int DCRYPTO_p256_key_pwct(p256_int *d, p256_int *x, p256_int *y); + /* P256 based integration encryption (DH+AES128+SHA256). * Not FIPS 140-2 compliant, not used other than for tests * Authenticated data may be provided, where the first auth_data_len diff --git a/board/cr50/dcrypto/p256_ec.c b/board/cr50/dcrypto/p256_ec.c index fee1434136..4c97c521fc 100644 --- a/board/cr50/dcrypto/p256_ec.c +++ b/board/cr50/dcrypto/p256_ec.c @@ -4,6 +4,8 @@ */ #include "dcrypto.h" +#include "fips.h" +#include "fips_rand.h" #include <stdint.h> @@ -36,6 +38,28 @@ int DCRYPTO_p256_point_mul(p256_int *out_x, p256_int *out_y, return dcrypto_p256_point_mul(n, in_x, in_y, out_x, out_y); } +int DCRYPTO_p256_key_pwct(p256_int *d, p256_int *x, p256_int *y) +{ + p256_int message, r, s; + int result; + + if (p256_is_zero(d)) + return 0; + + /* set some pseudo-random message. */ + p256_fast_random(&message); + + if (fips_p256_ecdsa_sign(d, &message, &r, &s) == 0) + return 0; + +#ifdef CRYPTO_TEST_SETUP + if (fips_break_cmd == FIPS_BREAK_ECDSA_PWCT) + message.a[0] = ~message.a[0]; +#endif + result = dcrypto_p256_ecdsa_verify(x, y, &message, &r, &s); + return result; +} + /** * Key selection based on FIPS-186-4, section B.4.2 (Key Pair * Generation by Testing Candidates). @@ -44,6 +68,7 @@ int DCRYPTO_p256_key_from_bytes(p256_int *x, p256_int *y, p256_int *d, const uint8_t key_bytes[P256_NBYTES]) { p256_int key; + p256_int tx, ty; p256_from_bin(key_bytes, &key); @@ -57,7 +82,16 @@ int DCRYPTO_p256_key_from_bytes(p256_int *x, p256_int *y, p256_int *d, return 0; p256_add_d(&key, 1, d); always_memset(&key, 0, sizeof(key)); - if (x == NULL || y == NULL) - return 1; - return dcrypto_p256_base_point_mul(d, x, y); + + /* We need public key anyway for pair-wise consistency test. */ + if (!x) + x = &tx; + if (!y) + y = &ty; + + /* Compute public key (x,y) = d * G */ + if (dcrypto_p256_base_point_mul(d, x, y) == 0) + return 0; + + return DCRYPTO_p256_key_pwct(d, x, y); } diff --git a/board/cr50/fips.h b/board/cr50/fips.h index 5a3a67997c..52d8ec68c6 100644 --- a/board/cr50/fips.h +++ b/board/cr50/fips.h @@ -50,11 +50,12 @@ enum fips_break { FIPS_BREAK_HMAC_SHA256 = 3, FIPS_BREAK_HMAC_DRBG = 4, FIPS_BREAK_ECDSA = 5, + FIPS_BREAK_ECDSA_PWCT = 6, #ifdef CONFIG_FIPS_AES_CBC_256 - FIPS_BREAK_AES256 = 6, + FIPS_BREAK_AES256 = 7, #endif #ifdef CONFIG_FIPS_RSA2048 - FIPS_BREAK_RSA2048 = 7, + FIPS_BREAK_RSA2048 = 8, #endif }; @@ -75,13 +76,14 @@ enum fips_cmd { FIPS_CMD_BREAK_HMAC_SHA256 = 5, FIPS_CMD_BREAK_HMAC_DRBG = 6, FIPS_CMD_BREAK_ECDSA = 7, + FIPS_CMD_BREAK_ECDSA_PWCT = 8, #ifdef CONFIG_FIPS_AES_CBC_256 - FIPS_CMD_BREAK_AES256 = 8, + FIPS_CMD_BREAK_AES256 = 9, #endif #ifdef CONFIG_FIPS_RSA2048 - FIPS_CMD_BREAK_RSA2048 = 9, + FIPS_CMD_BREAK_RSA2048 = 10, #endif - FIPS_CMD_NO_BREAK = 10 + FIPS_CMD_NO_BREAK = 11 }; /* These symbols defined in core/cortex-m/ec.lds.S. */ |