CR50: add NULL padding support for RSA encrypt/decrypt

NULL padding (aka vanilla RSA) support is required by the TPM2 test suite (referred to as TPM_ALG_NULL in the tpm2 source). BRANCH=none BUG=chrome-os-partner:43025,chrome-os-partner:47524 TEST=tests under test/tpm2 pass Change-Id: I9848fad3b44add05a04810ecd178fbad20ae92cc Signed-off-by: nagendra modadugu <ngm@google.com> Reviewed-on: https://chromium-review.googlesource.com/328830 Commit-Ready: Nagendra Modadugu <ngm@google.com> Tested-by: Nagendra Modadugu <ngm@google.com> Reviewed-by: Nagendra Modadugu <ngm@google.com>
2025-12-29 10:00:51 +00:00 · 2016-02-19 15:21:45 -08:00
parent 70378b86b4
commit 7aa42e2ba9
4 changed files with 42 additions and 5 deletions
--- a/board/cr50/tpm2/rsa.c
+++ b/board/cr50/tpm2/rsa.c
@@ -33,8 +33,10 @@ static int check_encrypt_params(TPM_ALG_ID padding_alg, TPM_ALG_ID hash_alg,
 			/* Unsupported hash algorithm. */
 			return 0;
 		*padding = PADDING_MODE_OAEP;
+	} else if (padding_alg == TPM_ALG_NULL) {
+		*padding = PADDING_MODE_NULL;
 	} else {
-		return 0;  /* NULL padding unsupported. */
+		return 0;  /* Unsupported padding mode. */
 	}
 	return 1;
 }
--- a/chip/g/dcrypto/dcrypto.h
+++ b/chip/g/dcrypto/dcrypto.h
@@ -94,12 +94,15 @@ struct RSA {
 enum padding_mode {
 	PADDING_MODE_PKCS1 = 0,
 	PADDING_MODE_OAEP  = 1,
-	PADDING_MODE_PSS = 2
+	PADDING_MODE_PSS = 2,
+	/* USE OF NULL PADDING IS NOT RECOMMENDED.
+	 * SUPPORT EXISTS AS A REQUIREMENT FOR TPM2 OPERATION. */
+	PADDING_MODE_NULL  = 3
 };

 /* Calculate r = m ^ e mod N */
 int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
-			const uint8_t *in, const uint32_t in_len,
+			const uint8_t *in, uint32_t in_len,
 			enum padding_mode padding, enum hashing_mode hashing,
 			const char *label);

--- a/chip/g/dcrypto/rsa.c
+++ b/chip/g/dcrypto/rsa.c
@@ -411,10 +411,11 @@ static int check_modulus_params(const struct BIGNUM *N, uint32_t *out_len)
 }

 int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
-			const uint8_t *in, const uint32_t in_len,
+			const uint8_t *in, uint32_t in_len,
 			enum padding_mode padding, enum hashing_mode hashing,
 			const char *label)
 {
+	uint8_t *p;
 	uint32_t padded_buf[RSA_MAX_WORDS];
 	uint32_t e_buf[BN_BYTES / sizeof(uint32_t)];

@@ -441,6 +442,19 @@ int DCRYPTO_rsa_encrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
 					(const uint8_t *) in, in_len))
 			return 0;
 		break;
+	case PADDING_MODE_NULL:
+		/* Input is allowed to have more bytes than N, in
+		 * which case the excess must be zero. */
+		for (; in_len > bn_size(&padded); in_len--)
+			if (*in++ != 0)
+				return 0;
+		p = (uint8_t *) padded.d;
+		/* If in_len < bn_size(&padded), padded will
+		 * have leading zero bytes. */
+		memcpy(&p[bn_size(&padded) - in_len], in, in_len);
+		/* TODO(ngm): in may be > N, bn_mont_mod_exp() should
+		 * handle this case. */
+		break;
 	default:
 		return 0;                       /* Unsupported padding mode. */
 	}
@@ -497,6 +511,14 @@ int DCRYPTO_rsa_decrypt(struct RSA *rsa, uint8_t *out, uint32_t *out_len,
 				bn_size(&padded)))
 			ret = 0;
 		break;
+	case PADDING_MODE_NULL:
+		if (*out_len < bn_size(&padded)) {
+			ret = 0;
+		} else {
+			*out_len = bn_size(&padded);
+			memcpy(out, padded.d, *out_len);
+		}
+		break;
 	default:
 		/* Unsupported padding mode. */
 		ret = 0;
--- a/test/tpm_test/rsa_test.py
+++ b/test/tpm_test/rsa_test.py
@@ -26,7 +26,8 @@ _RSA_PADDING = {
  'PKCS1-SSA': 0x14,
  'PKCS1-ES': 0x15,
  'PKCS1-PSS': 0x16,
-  'OAEP': 0x17
+  'OAEP': 0x17,
+  'NULL': 0x10,
 }


@@ -110,6 +111,7 @@ _ENCRYPT_INPUTS = (
  ('OAEP', 'SHA256', 768),
  ('PKCS1-ES', 'NONE', 768),
  ('PKCS1-ES', 'NONE', 2048),
+  ('NULL', 'NONE', 768),
 )


@@ -135,6 +137,14 @@ def _encrypt_tests(tpm):
                       key_len, ciphertext)
    wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.RSA, cmd))
    plaintext = tpm.unwrap_ext_response(subcmd.RSA, wrapped_response)
+    if padding == 'NULL':
+      # Check for leading zeros.
+      if reduce(lambda x, y: x | y,
+                map(ord, plaintext[:len(plaintext) - len(msg)])):
+        raise subcmd.TpmTestError('%s error:%s%s' % (
+          test_name, utils.hex_dump(msg), utils.hex_dump(plaintext)))
+      else:
+        plaintext = plaintext[len(plaintext) - len(msg):]
    if msg != plaintext:
      raise subcmd.TpmTestError('%s error:%s%s' % (
          test_name, utils.hex_dump(msg), utils.hex_dump(plaintext)))