diff --git a/include/polarssl/config.h b/include/polarssl/config.h index b69bd8ced..7640a96eb 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -536,6 +536,43 @@ */ #define POLARSSL_DHM_C +/** + * \def POLARSSL_ECDH_C + * + * Enable the elliptic curve Diffie-Hellman library. + * + * Module: library/ecdh.c + * Caller: + * + * Requires: POLARSSL_ECP_C + */ +#define POLARSSL_ECDH_C + +/** + * \def POLARSSL_ECDSA_C + * + * Enable the elliptic curve DSA library. + * + * Module: library/ecdsa.c + * Caller: + * + * Requires: POLARSSL_ECP_C + */ +#define POLARSSL_ECDSA_C + +/** + * \def POLARSSL_ECP_C + * + * Enable the elliptic curve over GF(p) library. + * + * Module: library/ecp.c + * Caller: library/ecdh.c + * library/ecdsa.c + * + * Requires: POLARSSL_BIGNUM_C + */ +#define POLARSSL_ECP_C + /** * \def POLARSSL_ENTROPY_C * @@ -887,6 +924,7 @@ * Caller: */ #define POLARSSL_XTEA_C + /* \} name */ #endif /* config.h */ diff --git a/include/polarssl/ecdh.h b/include/polarssl/ecdh.h new file mode 100644 index 000000000..7f6f4cb28 --- /dev/null +++ b/include/polarssl/ecdh.h @@ -0,0 +1,176 @@ +/** + * \file ecdh.h + * + * \brief Elliptic curve Diffie-Hellman + * + * Copyright (C) 2006-2013, Brainspark B.V. + * + * This file is part of PolarSSL (http://www.polarssl.org) + * Lead Maintainer: Paul Bakker + * + * All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#ifndef POLARSSL_ECDH_H +#define POLARSSL_ECDH_H + +#include "polarssl/ecp.h" + +/** + * \brief ECDH context structure + */ +typedef struct +{ + ecp_group grp; /*!< ellipitic curve used */ + mpi d; /*!< our secret value */ + ecp_point Q; /*!< our public value */ + ecp_point Qp; /*!< peer's public value */ + mpi z; /*!< shared secret */ + int point_format; /*!< format for point export */ +} +ecdh_context; + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Generate a public key + * + * \param grp ECP group + * \param d Destination MPI (secret exponent) + * \param Q Destination point (public key) + * \param f_rng RNG function + * \param p_rng RNG parameter + * + * \return 0 if successful, + * or a POLARSSL_ERR_ECP_XXX or POLARSSL_MPI_XXX error code + */ +int ecdh_gen_public( const ecp_group *grp, mpi *d, ecp_point *Q, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); + +/** + * \brief Compute shared secret + * + * \param grp ECP group + * \param z Destination MPI (shared secret) + * \param Q Public key from other party + * \param d Our secret exponent + * + * \return 0 if successful, + * or a POLARSSL_ERR_ECP_XXX or POLARSSL_MPI_XXX error code + */ +int ecdh_compute_shared( const ecp_group *grp, mpi *z, + const ecp_point *Q, const mpi *d ); + +/** + * \brief Initialize context + * + * \param ctx Context to initialize + */ +void ecdh_init( ecdh_context *ctx ); + +/** + * \brief Free context + * + * \param ctx Context to free + */ +void ecdh_free( ecdh_context *ctx ); + +/** + * \brief Setup and write the ServerKeyExhange parameters + * + * \param ctx ECDH context + * \param buf destination buffer + * \param olen number of chars written + * \param f_rng RNG function + * \param p_rng RNG parameter + * + * \note This function assumes that ctx->grp has already been + * properly set (for example using ecp_use_known_dp). + * + * \return 0 if successful, or an POLARSSL_ERR_ECP_XXX error code + */ +int ecdh_make_params( ecdh_context *ctx, size_t *olen, + unsigned char *buf, size_t blen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); + +/** + * \brief Parse the ServerKeyExhange parameters + * + * \param ctx ECDH context + * \param buf $(start of input buffer) + * \param end one past end of buffer + * + * \return 0 if successful, or an POLARSSL_ERR_ECP_XXX error code + */ +int ecdh_read_params( ecdh_context *ctx, + const unsigned char **buf, const unsigned char *end ); + +/** + * \brief Setup and export the client's public value + * + * \param ctx ECDH context + * \param olen number of bytes actually written + * \param buf destination buffer + * \param blen size of destination buffer + * + * \return 0 if successful, or an POLARSSL_ERR_ECP_XXX error code + */ +int ecdh_make_public( ecdh_context *ctx, size_t *olen, + unsigned char *buf, size_t blen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); + +/** + * \brief Parse and import the client's public value + * + * \param ctx ECDH context + * \param buf start of input buffer + * \param blen length of input buffer + * + * \return 0 if successful, or an POLARSSL_ERR_ECP_XXX error code + */ +int ecdh_read_public( ecdh_context *ctx, + const unsigned char *buf, size_t blen ); + +/** + * \brief Derive and export the shared secret + * + * \param ctx ECDH context + * \param olen number of bytes written + * \param buf destination buffer + * \param blen buffer length + * + * \return 0 if successful, or an POLARSSL_ERR_ECP_XXX error code + */ +int ecdh_calc_secret( ecdh_context *ctx, size_t *olen, + unsigned char *buf, size_t blen ); + +/** + * \brief Checkup routine + * + * \return 0 if successful, or 1 if the test failed + */ +int ecdh_self_test( int verbose ); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/polarssl/ecdsa.h b/include/polarssl/ecdsa.h new file mode 100644 index 000000000..2ad986d64 --- /dev/null +++ b/include/polarssl/ecdsa.h @@ -0,0 +1,84 @@ +/** + * \file ecdsa.h + * + * \brief Elliptic curve DSA + * + * Copyright (C) 2006-2013, Brainspark B.V. + * + * This file is part of PolarSSL (http://www.polarssl.org) + * Lead Maintainer: Paul Bakker + * + * All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#ifndef POLARSSL_ECDSA_H +#define POLARSSL_ECDSA_H + +#include "polarssl/ecp.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Compute ECDSA signature of a previously hashed message + * + * \param grp ECP group + * \param r First output integer + * \param s Second output integer + * \param d Private signing key + * \param buf Message hash + * \param blen Length of buf + * \param f_rng RNG function + * \param p_rng RNG parameter + * + * \return 0 if successful, + * or a POLARSSL_ERR_ECP_XXX or POLARSSL_MPI_XXX error code + */ +int ecdsa_sign( const ecp_group *grp, mpi *r, mpi *s, + const mpi *d, const unsigned char *buf, size_t blen, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); + +/** + * \brief Verify ECDSA signature of a previously hashed message + * + * \param grp ECP group + * \param buf Message hash + * \param blen Length of buf + * \param Q Public key to use for verification + * \param r First integer of the signature + * \param s Second integer of the signature + * + * \return 0 if successful, + * POLARSSL_ERR_ECP_BAD_INPUT_DATA if signature is invalid + * or a POLARSSL_ERR_ECP_XXX or POLARSSL_MPI_XXX error code + */ +int ecdsa_verify( const ecp_group *grp, + const unsigned char *buf, size_t blen, + const ecp_point *Q, const mpi *r, const mpi *s); + +/** + * \brief Checkup routine + * + * \return 0 if successful, or 1 if the test failed + */ +int ecdsa_self_test( int verbose ); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h new file mode 100644 index 000000000..8debda44a --- /dev/null +++ b/include/polarssl/ecp.h @@ -0,0 +1,428 @@ +/** + * \file ecp.h + * + * \brief Elliptic curves over GF(p) + * + * Copyright (C) 2006-2013, Brainspark B.V. + * + * This file is part of PolarSSL (http://www.polarssl.org) + * Lead Maintainer: Paul Bakker + * + * All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#ifndef POLARSSL_ECP_H +#define POLARSSL_ECP_H + +#include "polarssl/bignum.h" + +/* + * ECP error codes + */ +#define POLARSSL_ERR_ECP_BAD_INPUT_DATA -0x4F80 /**< Bad input parameters to function. */ +#define POLARSSL_ERR_ECP_BUFFER_TOO_SMALL -0x4F80 /**< The buffer is too small to write to. */ +#define POLARSSL_ERR_ECP_GENERIC -0x4F00 /**< Generic ECP error */ + +/** + * \brief ECP point structure (jacobian coordinates) + * + * \note All functions expect and return points satisfying + * the following condition: Z == 0 or Z == 1. (Other + * values of Z are used by internal functions only.) + * The point is zero, or "at infinity", if Z == 0. + * Otherwise, X and Y are its standard (affine) coordinates. + */ +typedef struct +{ + mpi X; /*!< the point's X coordinate */ + mpi Y; /*!< the point's Y coordinate */ + mpi Z; /*!< the point's Z coordinate */ +} +ecp_point; + +/* + * RFC 4492 defines an enum NamedCurve with two-bytes values + */ +typedef uint16_t ecp_group_id; + +/** + * \brief ECP group structure + * + * The curves we consider are defined by y^2 = x^3 - 3x + B mod P, + * and a generator for a large subgroup of order N is fixed. + * + * pbits and nbits must be the size of P and N in bits. + * + * If modp is NULL, reduction modulo P is done using a generic + * algorithm. Otherwise, it must point to a function that takes an mpi + * in the range 0..2^(2*pbits) and transforms it in-place in an integer + * of little more than pbits, so that the integer may be efficiently + * brought in the 0..P range by a few additions or substractions. It + * must return 0 on success and a POLARSSL_ERR_ECP_XXX error on failure. + */ +typedef struct +{ + ecp_group_id id; /*!< RFC 4492 group ID */ + mpi P; /*!< prime modulus of the base field */ + mpi B; /*!< constant term in the equation */ + ecp_point G; /*!< generator of the subgroup used */ + mpi N; /*!< the order of G */ + size_t pbits; /*!< number of bits in P */ + size_t nbits; /*!< number of bits in N */ + int (*modp)(mpi *); /*!< function for fast reduction mod P */ +} +ecp_group; + +/** + * RFC 5114 defines a number of standardized ECP groups for use with TLS. + * + * These also are the NIST-recommended ECP groups, are the random ECP groups + * recommended by SECG, and include the two groups used by NSA Suite B. + * There are known as secpLLLr1 with LLL = 192, 224, 256, 384, 521. + * + * \warning This library does not support validation of arbitrary domain + * parameters. Therefore, only well-known domain parameters from trusted + * sources should be used. See ecp_use_known_dp(). + * + * \note The values are taken from RFC 4492's enum NamedCurve. + */ +#define POLARSSL_ECP_DP_SECP192R1 19 +#define POLARSSL_ECP_DP_SECP224R1 21 +#define POLARSSL_ECP_DP_SECP256R1 23 +#define POLARSSL_ECP_DP_SECP384R1 24 +#define POLARSSL_ECP_DP_SECP521R1 25 + +/** + * Maximum bit size of the groups (that is, of N) + */ +#define POLARSSL_ECP_MAX_N_BITS 521 + +/* + * Maximum window size (actually, NAF width) used for point multipliation. + * Default: 7. + * Minimum value: 2. Maximum value: 8. + * + * Result is an array of at most ( 1 << ( POLARSSL_ECP_WINDOW_SIZE - 1 ) ) + * points used for point multiplication, so at most 64 by default. + * In practice, most curves will use less precomputed points. + * + * Reduction in size may reduce speed for big curves. + */ +#define POLARSSL_ECP_WINDOW_SIZE 7 /**< Maximum NAF width used. */ + +/* + * Point formats, from RFC 4492's enum ECPointFormat + */ +#define POLARSSL_ECP_PF_UNCOMPRESSED 0 /**< Uncompressed point format */ +#define POLARSSL_ECP_PF_COMPRESSED 1 /**< Compressed point format */ + +/* + * Some other constants from RFC 4492 + */ +#define POLARSSL_ECP_TLS_NAMED_CURVE 3 /**< ECCurveType's named_curve */ + + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Initialize a point (as zero) + */ +void ecp_point_init( ecp_point *pt ); + +/** + * \brief Initialize a group (to something meaningless) + */ +void ecp_group_init( ecp_group *grp ); + +/** + * \brief Free the components of a point + */ +void ecp_point_free( ecp_point *pt ); + +/** + * \brief Free the components of an ECP group + */ +void ecp_group_free( ecp_group *grp ); + +/** + * \brief Set a point to zero + * + * \param pt Destination point + * + * \return 0 if successful, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed + */ +int ecp_set_zero( ecp_point *pt ); + +/** + * \brief Tell if a point is zero + * + * \param pt Point to test + * + * \return 1 if point is zero, 0 otherwise + */ +int ecp_is_zero( ecp_point *pt ); + +/** + * \brief Copy the contents of point Q into P + * + * \param P Destination point + * \param Q Source point + * + * \return 0 if successful, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed + */ +int ecp_copy( ecp_point *P, const ecp_point *Q ); + +/** + * \brief Check that a point is a valid public key on this curve + * + * \param grp Curve/group the point should belong to + * \param pt Point to check + * + * \return 0 if point is a valid public key, + * POLARSSL_ERR_ECP_GENERIC otherwise. + * + * \note This function only checks the point is non-zero, has valid + * coordinates and lies on the curve, but not that it is + * indeed a multiple of G. This is additional check is more + * expensive, isn't required by standards, and shouldn't be + * necessary if the group used has a small cofactor. In + * particular, it is useless for the NIST groups which all + * have a cofactor of 1. + */ +int ecp_check_pubkey( const ecp_group *grp, const ecp_point *pt ); + +/** + * \brief Import a non-zero point from two ASCII strings + * + * \param P Destination point + * \param radix Input numeric base + * \param x First affine coordinate as a null-terminated string + * \param y Second affine coordinate as a null-terminated string + * + * \return 0 if successful, or a POLARSSL_ERR_MPI_XXX error code + */ +int ecp_point_read_string( ecp_point *P, int radix, + const char *x, const char *y ); + +/** + * \brief Import an ECP group from null-terminated ASCII strings + * + * \param grp Destination group + * \param radix Input numeric base + * \param p Prime modulus of the base field + * \param b Constant term in the equation + * \param gx The generator's X coordinate + * \param gy The generator's Y coordinate + * \param n The generator's order + * + * \return 0 if successful, or a POLARSSL_ERR_MPI_XXX error code + * + * \note Sets all fields except modp. + */ +int ecp_group_read_string( ecp_group *grp, int radix, + const char *p, const char *b, + const char *gx, const char *gy, const char *n); + +/** + * \brief Export a point into unsigned binary data + * + * \param grp Group to which the point should belong + * \param P Point to export + * \param format Point format, should be a POLARSSL_ECP_PF_XXX macro + * \param olen Length of the actual output + * \param buf Output buffer + * \param buflen Length of the output buffer + * + * \return 0 if successful, + * or POLARSSL_ERR_ECP_BAD_INPUT_DATA + * or POLARSSL_ERR_ECP_BUFFER_TOO_SMALL + */ +int ecp_point_write_binary( const ecp_group *grp, const ecp_point *P, + int format, size_t *olen, + unsigned char *buf, size_t buflen ); + +/** + * \brief Import a point from unsigned binary data + * + * \param grp Group to which the point should belong + * \param P Point to import + * \param buf Input buffer + * \param ilen Actual length of input + * + * \return 0 if successful, + * POLARSSL_ERR_ECP_GENERIC if input is invalid + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed + * + * \note This function does NOT check that the point actually + * belongs to the given group, see ecp_check_pubkey() for + * that. + */ +int ecp_point_read_binary( const ecp_group *grp, ecp_point *P, + const unsigned char *buf, size_t ilen ); + +/** + * \brief Set a group using well-known domain parameters + * + * \param grp Destination group + * \param index Index in the list of well-known domain parameters + * + * \return O if successful, + * POLARSSL_ERR_MPI_XXX if initialization failed + * POLARSSL_ERR_ECP_GENERIC if index is out of range + * + * \note Index should be a value of RFC 4492's enum NamdeCurve, + * possibly in the form of a POLARSSL_ECP_DP_XXX macro. + */ +int ecp_use_known_dp( ecp_group *grp, ecp_group_id id ); + +/** + * \brief Set a group from a TLS ECParameters record + * + * \param grp Destination group + * \param buf &(Start of input buffer) + * \param len Buffer length + * + * \return O if successful, + * POLARSSL_ERR_MPI_XXX if initialization failed + * POLARSSL_ERR_ECP_BAD_INPUT_DATA if input is invalid + */ +int ecp_tls_read_group( ecp_group *grp, const unsigned char **buf, size_t len ); + +/** + * \brief Write the TLS ECParameters record for a group + * + * \param grp ECP group used + * \param olen Number of bytes actually written + * \param buf Buffer to write to + * \param blen Buffer length + * + * \return 0 if successful, + * or POLARSSL_ERR_ECP_BUFFER_TOO_SMALL + */ +int ecp_tls_write_group( const ecp_group *grp, size_t *olen, + unsigned char *buf, size_t blen ); + +/** + * \brief Import a point from a TLS ECPoint record + * + * \param grp ECP group used + * \param pt Destination point + * \param buf $(Start of input buffer) + * \param len Buffer length + * + * \return O if successful, + * POLARSSL_ERR_MPI_XXX if initialization failed + * POLARSSL_ERR_ECP_BAD_INPUT_DATA if input is invalid + */ +int ecp_tls_read_point( const ecp_group *grp, ecp_point *pt, + const unsigned char **buf, size_t len ); + +/** + * \brief Export a point as a TLS ECPoint record + * + * \param grp ECP group used + * \param pt Point to export + * \param format Export format + * \param buf Buffer to write to + * \param len Buffer length + * + * \return 0 if successful, + * or POLARSSL_ERR_ECP_BAD_INPUT_DATA + * or POLARSSL_ERR_ECP_BUFFER_TOO_SMALL + */ +int ecp_tls_write_point( const ecp_group *grp, const ecp_point *pt, + int format, size_t *olen, + unsigned char *buf, size_t blen ); + +/** + * \brief Addition: R = P + Q + * + * \param grp ECP group + * \param R Destination point + * \param P Left-hand point + * \param Q Right-hand point + * + * \return 0 if successful, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed + */ +int ecp_add( const ecp_group *grp, ecp_point *R, + const ecp_point *P, const ecp_point *Q ); + +/** + * \brief Subtraction: R = P - Q + * + * \param grp ECP group + * \param R Destination point + * \param P Left-hand point + * \param Q Right-hand point + * + * \return 0 if successful, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed + */ +int ecp_sub( const ecp_group *grp, ecp_point *R, + const ecp_point *P, const ecp_point *Q ); + +/** + * \brief Multiplication by an integer: R = m * P + * + * \param grp ECP group + * \param R Destination point + * \param m Integer by which to multiply + * \param P Point to multiply + * + * \return 0 if successful, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed + * POLARSSL_ERR_ECP_GENERIC if m < 0 of m has greater bit + * length than N, the number of points in the group. + * + * \note This function executes a constant number of operations + * for random m in the allowed range. + */ +int ecp_mul( const ecp_group *grp, ecp_point *R, + const mpi *m, const ecp_point *P ); + +/** + * \brief Generate a keypair + * + * \param grp ECP group + * \param d Destination MPI (secret part) + * \param Q Destination point (public part) + * \param f_rng RNG function + * \param p_rng RNG parameter + * + * \return 0 if successful, + * or a POLARSSL_ERR_ECP_XXX or POLARSSL_MPI_XXX error code + */ +int ecp_gen_keypair( const ecp_group *grp, mpi *d, ecp_point *Q, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); + +/** + * \brief Checkup routine + * + * \return 0 if successful, or 1 if the test failed + */ +int ecp_self_test( int verbose ); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/polarssl/error.h b/include/polarssl/error.h index 96815a73a..32dc0a7fd 100644 --- a/include/polarssl/error.h +++ b/include/polarssl/error.h @@ -3,7 +3,7 @@ * * \brief Error to string translation * - * Copyright (C) 2006-2010, Brainspark B.V. + * Copyright (C) 2006-2013, Brainspark B.V. * * This file is part of PolarSSL (http://www.polarssl.org) * Lead Maintainer: Paul Bakker @@ -68,6 +68,7 @@ * SHA2 1 0x0078-0x0078 * SHA4 1 0x007A-0x007A * PBKDF2 1 0x007C-0x007C + * ECP 1 0x007E-0x007E * * High-level module nr (3 bits - 0x1...-0x8...) * Name ID Nr of Errors @@ -75,6 +76,7 @@ * X509 2 21 * DHM 3 6 * RSA 4 9 + * ECP 4 1 (Started from top) * MD 5 4 * CIPHER 6 5 * SSL 6 2 (Started from top) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 1ddd44e23..c96a42a86 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -16,6 +16,9 @@ set(src debug.c des.c dhm.c + ecp.c + ecdh.c + ecdsa.c entropy.c entropy_poll.c error.c diff --git a/library/Makefile b/library/Makefile index 2fcbce096..1d3a38ab7 100644 --- a/library/Makefile +++ b/library/Makefile @@ -39,7 +39,9 @@ OBJS= aes.o arc4.o asn1parse.o \ blowfish.o camellia.o \ certs.o cipher.o cipher_wrap.o \ ctr_drbg.o debug.o des.o \ - dhm.o entropy.o entropy_poll.o \ + dhm.o ecdh.o ecdsa.o \ + ecp.o \ + entropy.o entropy_poll.o \ error.o gcm.o havege.o \ md.o md_wrap.o md2.o \ md4.o md5.o net.o \ diff --git a/library/ecdh.c b/library/ecdh.c new file mode 100644 index 000000000..e30ae3a71 --- /dev/null +++ b/library/ecdh.c @@ -0,0 +1,232 @@ +/* + * Elliptic curve Diffie-Hellman + * + * Copyright (C) 2006-2013, Brainspark B.V. + * + * This file is part of PolarSSL (http://www.polarssl.org) + * Lead Maintainer: Paul Bakker + * + * All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/* + * References: + * + * SEC1 http://www.secg.org/index.php?action=secg,docs_secg + * RFC 4492 + */ + +#include "polarssl/config.h" + +#if defined(POLARSSL_ECDH_C) + +#include "polarssl/ecdh.h" + +/* + * Generate public key: simple wrapper around ecp_gen_keypair + */ +int ecdh_gen_public( const ecp_group *grp, mpi *d, ecp_point *Q, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + return ecp_gen_keypair( grp, d, Q, f_rng, p_rng ); +} + +/* + * Compute shared secret (SEC1 3.3.1) + */ +int ecdh_compute_shared( const ecp_group *grp, mpi *z, + const ecp_point *Q, const mpi *d ) +{ + int ret; + ecp_point P; + + ecp_point_init( &P ); + + /* + * Make sure Q is a valid pubkey before using it + */ + MPI_CHK( ecp_check_pubkey( grp, Q ) ); + + MPI_CHK( ecp_mul( grp, &P, d, Q ) ); + + if( ecp_is_zero( &P ) ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + MPI_CHK( mpi_copy( z, &P.X ) ); + +cleanup: + ecp_point_free( &P ); + + return( ret ); +} + +/* + * Initialize context + */ +void ecdh_init( ecdh_context *ctx ) +{ + ecp_group_init( &ctx->grp ); + mpi_init ( &ctx->d ); + ecp_point_init( &ctx->Q ); + ecp_point_init( &ctx->Qp ); + mpi_init ( &ctx->z ); + ctx->point_format = POLARSSL_ECP_PF_UNCOMPRESSED; +} + +/* + * Free context + */ +void ecdh_free( ecdh_context *ctx ) +{ + if( ctx == NULL ) + return; + + ecp_group_free( &ctx->grp ); + mpi_free ( &ctx->d ); + ecp_point_free( &ctx->Q ); + ecp_point_free( &ctx->Qp ); + mpi_free ( &ctx->z ); +} + +/* + * Setup and write the ServerKeyExhange parameters (RFC 4492) + * struct { + * ECParameters curve_params; + * ECPoint public; + * } ServerECDHParams; + */ +int ecdh_make_params( ecdh_context *ctx, size_t *olen, + unsigned char *buf, size_t blen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret; + size_t grp_len, pt_len; + + if( ctx == NULL || ctx->grp.pbits == 0 ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + if( ( ret = ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) ) + != 0 ) + return( ret ); + + if( ( ret = ecp_tls_write_group( &ctx->grp, &grp_len, buf, blen ) ) + != 0 ) + return( ret ); + + buf += grp_len; + blen -= grp_len; + + if( ( ret = ecp_tls_write_point( &ctx->grp, &ctx->Q, ctx->point_format, + &pt_len, buf, blen ) ) != 0 ) + return( ret ); + + *olen = grp_len + pt_len; + return 0; +} + +/* + * Read the ServerKeyExhange parameters (RFC 4492) + * struct { + * ECParameters curve_params; + * ECPoint public; + * } ServerECDHParams; + */ +int ecdh_read_params( ecdh_context *ctx, + const unsigned char **buf, const unsigned char *end ) +{ + int ret; + + ecdh_init( ctx ); + + if( ( ret = ecp_tls_read_group( &ctx->grp, buf, end - *buf ) ) != 0 ) + return( ret ); + + if( ( ret = ecp_tls_read_point( &ctx->grp, &ctx->Qp, buf, end - *buf ) ) + != 0 ) + return( ret ); + + return 0; +} + +/* + * Setup and export the client public value + */ +int ecdh_make_public( ecdh_context *ctx, size_t *olen, + unsigned char *buf, size_t blen, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int ret; + + if( ctx == NULL || ctx->grp.pbits == 0 ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + if( ( ret = ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) ) + != 0 ) + return( ret ); + + return ecp_tls_write_point( &ctx->grp, &ctx->Q, ctx->point_format, + olen, buf, blen ); +} + +/* + * Parse and import the client's public value + */ +int ecdh_read_public( ecdh_context *ctx, + const unsigned char *buf, size_t blen ) +{ + if( ctx == NULL ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + return ecp_tls_read_point( &ctx->grp, &ctx->Qp, &buf, blen ); +} + +/* + * Derive and export the shared secret + */ +int ecdh_calc_secret( ecdh_context *ctx, size_t *olen, + unsigned char *buf, size_t blen ) +{ + int ret; + + if( ctx == NULL ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + if( ( ret = ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d ) ) + != 0 ) + return( ret ); + + *olen = mpi_size( &ctx->z ); + return mpi_write_binary( &ctx->z, buf, blen ); +} + + +#if defined(POLARSSL_SELF_TEST) + +/* + * Checkup routine + */ +int ecdh_self_test( int verbose ) +{ + return( verbose++ ); +} + +#endif + +#endif /* defined(POLARSSL_ECDH_C) */ diff --git a/library/ecdsa.c b/library/ecdsa.c new file mode 100644 index 000000000..d6834574d --- /dev/null +++ b/library/ecdsa.c @@ -0,0 +1,190 @@ +/* + * Elliptic curve DSA + * + * Copyright (C) 2006-2013, Brainspark B.V. + * + * This file is part of PolarSSL (http://www.polarssl.org) + * Lead Maintainer: Paul Bakker + * + * All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/* + * References: + * + * SEC1 http://www.secg.org/index.php?action=secg,docs_secg + */ + +#include "polarssl/config.h" + +#if defined(POLARSSL_ECDSA_C) + +#include "polarssl/ecdsa.h" + +/* + * Derive a suitable integer for group grp from a buffer of length len + * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3 + */ +static int derive_mpi( const ecp_group *grp, mpi *x, + const unsigned char *buf, size_t blen ) +{ + size_t n_size = (grp->nbits + 7) / 8; + return( mpi_read_binary( x, buf, blen > n_size ? n_size : blen ) ); +} + +/* + * Compute ECDSA signature of a hashed message (SEC1 4.1.3) + * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message) + */ +int ecdsa_sign( const ecp_group *grp, mpi *r, mpi *s, + const mpi *d, const unsigned char *buf, size_t blen, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) +{ + int ret, key_tries, sign_tries; + ecp_point R; + mpi k, e; + + ecp_point_init( &R ); + mpi_init( &k ); + mpi_init( &e ); + + sign_tries = 0; + do + { + /* + * Steps 1-3: generate a suitable ephemeral keypair + */ + key_tries = 0; + do + { + MPI_CHK( ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) ); + MPI_CHK( mpi_copy( r, &R.X ) ); + + if( key_tries++ > 10 ) + return( POLARSSL_ERR_ECP_GENERIC ); + } + while( mpi_cmp_int( r, 0 ) == 0 ); + + /* + * Step 5: derive MPI from hashed message + */ + MPI_CHK( derive_mpi( grp, &e, buf, blen ) ); + + /* + * Step 6: compute s = (e + r * d) / k mod n + */ + MPI_CHK( mpi_mul_mpi( s, r, d ) ); + MPI_CHK( mpi_add_mpi( &e, &e, s ) ); + MPI_CHK( mpi_inv_mod( s, &k, &grp->N ) ); + MPI_CHK( mpi_mul_mpi( s, s, &e ) ); + MPI_CHK( mpi_mod_mpi( s, s, &grp->N ) ); + + if( sign_tries++ > 10 ) + return( POLARSSL_ERR_ECP_GENERIC ); + } + while( mpi_cmp_int( s, 0 ) == 0 ); + +cleanup: + ecp_point_free( &R ); + mpi_free( &k ); + mpi_free( &e ); + + return( ret ); +} + +/* + * Verify ECDSA signature of hashed message (SEC1 4.1.4) + * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message) + */ +int ecdsa_verify( const ecp_group *grp, + const unsigned char *buf, size_t blen, + const ecp_point *Q, const mpi *r, const mpi *s) +{ + int ret; + mpi e, s_inv, u1, u2; + ecp_point R, P; + + ecp_point_init( &R ); ecp_point_init( &P ); + mpi_init( &e ); mpi_init( &s_inv ); mpi_init( &u1 ); mpi_init( &u2 ); + + /* + * Step 1: make sure r and s are in range 1..n-1 + */ + if( mpi_cmp_int( r, 1 ) < 0 || mpi_cmp_mpi( r, &grp->N ) >= 0 || + mpi_cmp_int( s, 1 ) < 0 || mpi_cmp_mpi( s, &grp->N ) >= 0 ) + { + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + } + + /* + * Additional precaution: make sure Q is valid + */ + MPI_CHK( ecp_check_pubkey( grp, Q ) ); + + /* + * Step 3: derive MPI from hashed message + */ + MPI_CHK( derive_mpi( grp, &e, buf, blen ) ); + + /* + * Step 4: u1 = e / s mod n, u2 = r / s mod n + */ + MPI_CHK( mpi_inv_mod( &s_inv, s, &grp->N ) ); + + MPI_CHK( mpi_mul_mpi( &u1, &e, &s_inv ) ); + MPI_CHK( mpi_mod_mpi( &u1, &u1, &grp->N ) ); + + MPI_CHK( mpi_mul_mpi( &u2, r, &s_inv ) ); + MPI_CHK( mpi_mod_mpi( &u2, &u2, &grp->N ) ); + + /* + * Step 5: R = u1 G + u2 Q + */ + MPI_CHK( ecp_mul( grp, &R, &u1, &grp->G ) ); + MPI_CHK( ecp_mul( grp, &P, &u2, Q ) ); + MPI_CHK( ecp_add( grp, &R, &R, &P ) ); + + if( ecp_is_zero( &R ) ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + /* + * Step 6: check that xR == r + */ + if( mpi_cmp_mpi( &R.X, r ) != 0 ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + +cleanup: + ecp_point_free( &R ); ecp_point_free( &P ); + mpi_free( &e ); mpi_free( &s_inv ); mpi_free( &u1 ); mpi_free( &u2 ); + + return( ret ); +} + + +#if defined(POLARSSL_SELF_TEST) + +/* + * Checkup routine + */ +int ecdsa_self_test( int verbose ) +{ + return( verbose++ ); +} + +#endif + +#endif /* defined(POLARSSL_ECDSA_C) */ diff --git a/library/ecp.c b/library/ecp.c new file mode 100644 index 000000000..a76ce7062 --- /dev/null +++ b/library/ecp.c @@ -0,0 +1,1364 @@ +/* + * Elliptic curves over GF(p) + * + * Copyright (C) 2006-2013, Brainspark B.V. + * + * This file is part of PolarSSL (http://www.polarssl.org) + * Lead Maintainer: Paul Bakker + * + * All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/* + * References: + * + * SEC1 http://www.secg.org/index.php?action=secg,docs_secg + * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone + * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf + * RFC 4492 for the related TLS structures and constants + */ + +#include "polarssl/config.h" + +#if defined(POLARSSL_ECP_C) + +#include "polarssl/ecp.h" +#include +#include + +#if defined(POLARSSL_SELF_TEST) +/* + * Counts of point addition and doubling operations. + * Used to test resistance of point multiplication to SPA/timing attacks. + */ +unsigned long add_count, dbl_count; +#endif + +/* + * Initialize (the components of) a point + */ +void ecp_point_init( ecp_point *pt ) +{ + if( pt == NULL ) + return; + + mpi_init( &pt->X ); + mpi_init( &pt->Y ); + mpi_init( &pt->Z ); +} + +/* + * Initialize (the components of) a group + */ +void ecp_group_init( ecp_group *grp ) +{ + if( grp == NULL ) + return; + + grp->id = 0; + + mpi_init( &grp->P ); + mpi_init( &grp->B ); + ecp_point_init( &grp->G ); + mpi_init( &grp->N ); + + grp->pbits = 0; + grp->nbits = 0; + + grp->modp = NULL; +} + +/* + * Unallocate (the components of) a point + */ +void ecp_point_free( ecp_point *pt ) +{ + if( pt == NULL ) + return; + + mpi_free( &( pt->X ) ); + mpi_free( &( pt->Y ) ); + mpi_free( &( pt->Z ) ); +} + +/* + * Unallocate (the components of) a group + */ +void ecp_group_free( ecp_group *grp ) +{ + if( grp == NULL ) + return; + + mpi_free( &grp->P ); + mpi_free( &grp->B ); + ecp_point_free( &grp->G ); + mpi_free( &grp->N ); +} + +/* + * Set point to zero + */ +int ecp_set_zero( ecp_point *pt ) +{ + int ret; + + MPI_CHK( mpi_lset( &pt->X , 1 ) ); + MPI_CHK( mpi_lset( &pt->Y , 1 ) ); + MPI_CHK( mpi_lset( &pt->Z , 0 ) ); + +cleanup: + return( ret ); +} + +/* + * Tell if a point is zero + */ +int ecp_is_zero( ecp_point *pt ) +{ + return( mpi_cmp_int( &pt->Z, 0 ) == 0 ); +} + +/* + * Copy the contents of Q into P + */ +int ecp_copy( ecp_point *P, const ecp_point *Q ) +{ + int ret; + + MPI_CHK( mpi_copy( &P->X, &Q->X ) ); + MPI_CHK( mpi_copy( &P->Y, &Q->Y ) ); + MPI_CHK( mpi_copy( &P->Z, &Q->Z ) ); + +cleanup: + return( ret ); +} + +/* + * Import a non-zero point from ASCII strings + */ +int ecp_point_read_string( ecp_point *P, int radix, + const char *x, const char *y ) +{ + int ret; + + MPI_CHK( mpi_read_string( &P->X, radix, x ) ); + MPI_CHK( mpi_read_string( &P->Y, radix, y ) ); + MPI_CHK( mpi_lset( &P->Z, 1 ) ); + +cleanup: + return( ret ); +} + +/* + * Import an ECP group from ASCII strings + */ +int ecp_group_read_string( ecp_group *grp, int radix, + const char *p, const char *b, + const char *gx, const char *gy, const char *n) +{ + int ret; + + MPI_CHK( mpi_read_string( &grp->P, radix, p ) ); + MPI_CHK( mpi_read_string( &grp->B, radix, b ) ); + MPI_CHK( ecp_point_read_string( &grp->G, radix, gx, gy ) ); + MPI_CHK( mpi_read_string( &grp->N, radix, n ) ); + + grp->pbits = mpi_msb( &grp->P ); + grp->nbits = mpi_msb( &grp->N ); + +cleanup: + return( ret ); +} + +/* + * Export a point into unsigned binary data (SEC1 2.3.3) + */ +int ecp_point_write_binary( const ecp_group *grp, const ecp_point *P, + int format, size_t *olen, + unsigned char *buf, size_t buflen ) +{ + int ret; + size_t plen; + + if( format != POLARSSL_ECP_PF_UNCOMPRESSED && + format != POLARSSL_ECP_PF_COMPRESSED ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + /* + * Common case: P == 0 + */ + if( mpi_cmp_int( &P->Z, 0 ) == 0 ) + { + if( buflen < 1 ) + return( POLARSSL_ERR_ECP_BUFFER_TOO_SMALL ); + + buf[0] = 0x00; + *olen = 1; + + return( 0 ); + } + + plen = mpi_size( &grp->P ); + + if( format == POLARSSL_ECP_PF_UNCOMPRESSED ) + { + *olen = 2 * plen + 1; + + if( buflen < *olen ) + return( POLARSSL_ERR_ECP_BUFFER_TOO_SMALL ); + + buf[0] = 0x04; + MPI_CHK( mpi_write_binary( &P->X, buf + 1, plen ) ); + MPI_CHK( mpi_write_binary( &P->Y, buf + 1 + plen, plen ) ); + } + else if( format == POLARSSL_ECP_PF_COMPRESSED ) + { + *olen = plen + 1; + + if( buflen < *olen ) + return( POLARSSL_ERR_ECP_BUFFER_TOO_SMALL ); + + buf[0] = 0x02 + mpi_get_bit( &P->Y, 0 ); + MPI_CHK( mpi_write_binary( &P->X, buf + 1, plen ) ); + } + +cleanup: + return( ret ); +} + +/* + * Import a point from unsigned binary data (SEC1 2.3.4) + */ +int ecp_point_read_binary( const ecp_group *grp, ecp_point *pt, + const unsigned char *buf, size_t ilen ) { + int ret; + size_t plen; + + if( ilen == 1 && buf[0] == 0x00 ) + return( ecp_set_zero( pt ) ); + + plen = mpi_size( &grp->P ); + + if( ilen != 2 * plen + 1 || buf[0] != 0x04 ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + MPI_CHK( mpi_read_binary( &pt->X, buf + 1, plen ) ); + MPI_CHK( mpi_read_binary( &pt->Y, buf + 1 + plen, plen ) ); + MPI_CHK( mpi_lset( &pt->Z, 1 ) ); + +cleanup: + return( ret ); +} + +/* + * Import a point from a TLS ECPoint record (RFC 4492) + * struct { + * opaque point <1..2^8-1>; + * } ECPoint; + */ +int ecp_tls_read_point( const ecp_group *grp, ecp_point *pt, + const unsigned char **buf, size_t buf_len ) +{ + unsigned char data_len; + const unsigned char *buf_start; + + /* + * We must have at least two bytes (1 for length, at least of for data) + */ + if( buf_len < 2 ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + data_len = *(*buf)++; + if( data_len < 1 || data_len > buf_len - 1 ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + /* + * Save buffer start for read_binary and update buf + */ + buf_start = *buf; + *buf += data_len; + + return ecp_point_read_binary( grp, pt, buf_start, data_len ); +} + +/* + * Export a point as a TLS ECPoint record (RFC 4492) + * struct { + * opaque point <1..2^8-1>; + * } ECPoint; + */ +int ecp_tls_write_point( const ecp_group *grp, const ecp_point *pt, + int format, size_t *olen, + unsigned char *buf, size_t blen ) +{ + int ret; + + /* + * buffer length must be at least one, for our length byte + */ + if( blen < 1 ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + if( ( ret = ecp_point_write_binary( grp, pt, format, + olen, buf + 1, blen - 1) ) != 0 ) + return( ret ); + + /* + * write length to the first byte and update total length + */ + buf[0] = *olen; + ++*olen; + + return 0; +} + +/* + * Wrapper around fast quasi-modp functions, with fall-back to mpi_mod_mpi. + * See the documentation of struct ecp_group. + */ +static int ecp_modp( mpi *N, const ecp_group *grp ) +{ + int ret; + + if( grp->modp == NULL ) + return( mpi_mod_mpi( N, N, &grp->P ) ); + + if( mpi_cmp_int( N, 0 ) < 0 || mpi_msb( N ) > 2 * grp->pbits ) + return( POLARSSL_ERR_ECP_GENERIC ); + + MPI_CHK( grp->modp( N ) ); + + while( mpi_cmp_int( N, 0 ) < 0 ) + MPI_CHK( mpi_add_mpi( N, N, &grp->P ) ); + + while( mpi_cmp_mpi( N, &grp->P ) >= 0 ) + MPI_CHK( mpi_sub_mpi( N, N, &grp->P ) ); + +cleanup: + return( ret ); +} + +/* + * 192 bits in terms of t_uint + */ +#define P192_SIZE_INT ( 192 / CHAR_BIT / sizeof( t_uint ) ) + +/* + * Table to get S1, S2, S3 of FIPS 186-3 D.2.1: + * -1 means let this chunk be 0 + * a positive value i means A_i. + */ +#define P192_CHUNKS 3 +#define P192_CHUNK_CHAR ( 64 / CHAR_BIT ) +#define P192_CHUNK_INT ( P192_CHUNK_CHAR / sizeof( t_uint ) ) + +const signed char p192_tbl[][P192_CHUNKS] = { + { -1, 3, 3 }, /* S1 */ + { 4, 4, -1 }, /* S2 */ + { 5, 5, 5 }, /* S3 */ +}; + +/* + * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1) + */ +static int ecp_mod_p192( mpi *N ) +{ + int ret; + unsigned char i, j, offset; + signed char chunk; + mpi tmp, acc; + t_uint tmp_p[P192_SIZE_INT], acc_p[P192_SIZE_INT + 1]; + + tmp.s = 1; + tmp.n = sizeof( tmp_p ) / sizeof( tmp_p[0] ); + tmp.p = tmp_p; + + acc.s = 1; + acc.n = sizeof( acc_p ) / sizeof( acc_p[0] ); + acc.p = acc_p; + + MPI_CHK( mpi_grow( N, P192_SIZE_INT * 2 ) ); + + /* + * acc = T + */ + memset( acc_p, 0, sizeof( acc_p ) ); + memcpy( acc_p, N->p, P192_CHUNK_CHAR * P192_CHUNKS ); + + for( i = 0; i < sizeof( p192_tbl ) / sizeof( p192_tbl[0] ); i++) + { + /* + * tmp = S_i + */ + memset( tmp_p, 0, sizeof( tmp_p ) ); + for( j = 0, offset = P192_CHUNKS - 1; j < P192_CHUNKS; j++, offset-- ) + { + chunk = p192_tbl[i][j]; + if( chunk >= 0 ) + memcpy( tmp_p + offset * P192_CHUNK_INT, + N->p + chunk * P192_CHUNK_INT, + P192_CHUNK_CHAR ); + } + + /* + * acc += tmp + */ + MPI_CHK( mpi_add_abs( &acc, &acc, &tmp ) ); + } + + MPI_CHK( mpi_copy( N, &acc ) ); + +cleanup: + return( ret ); +} + +/* + * Size of p521 in terms of t_uint + */ +#define P521_SIZE_INT ( 521 / CHAR_BIT / sizeof( t_uint ) + 1 ) + +/* + * Bits to keep in the most significant t_uint + */ +#if defined(POLARSS_HAVE_INT8) +#define P521_MASK 0x01 +#else +#define P521_MASK 0x01FF +#endif + +/* + * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5) + */ +static int ecp_mod_p521( mpi *N ) +{ + int ret; + t_uint Mp[P521_SIZE_INT]; + mpi M; + + if( N->n < P521_SIZE_INT ) + return( 0 ); + + memset( Mp, 0, P521_SIZE_INT * sizeof( t_uint ) ); + memcpy( Mp, N->p, P521_SIZE_INT * sizeof( t_uint ) ); + Mp[P521_SIZE_INT - 1] &= P521_MASK; + + M.s = 1; + M.n = P521_SIZE_INT; + M.p = Mp; + + MPI_CHK( mpi_shift_r( N, 521 ) ); + + MPI_CHK( mpi_add_abs( N, N, &M ) ); + +cleanup: + return( ret ); +} + +/* + * Domain parameters for secp192r1 + */ +#define SECP192R1_P \ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF" +#define SECP192R1_B \ + "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1" +#define SECP192R1_GX \ + "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012" +#define SECP192R1_GY \ + "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811" +#define SECP192R1_N \ + "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831" + +/* + * Domain parameters for secp224r1 + */ +#define SECP224R1_P \ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001" +#define SECP224R1_B \ + "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4" +#define SECP224R1_GX \ + "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21" +#define SECP224R1_GY \ + "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34" +#define SECP224R1_N \ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D" + +/* + * Domain parameters for secp256r1 + */ +#define SECP256R1_P \ + "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF" +#define SECP256R1_B \ + "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B" +#define SECP256R1_GX \ + "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296" +#define SECP256R1_GY \ + "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5" +#define SECP256R1_N \ + "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551" + +/* + * Domain parameters for secp384r1 + */ +#define SECP384R1_P \ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \ + "FFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF" +#define SECP384R1_B \ + "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE814112" \ + "0314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF" +#define SECP384R1_GX \ + "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B98" \ + "59F741E082542A385502F25DBF55296C3A545E3872760AB7" +#define SECP384R1_GY \ + "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147C" \ + "E9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F" +#define SECP384R1_N \ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \ + "C7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973" + +/* + * Domain parameters for secp521r1 + */ +#define SECP521R1_P \ + "000001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" +#define SECP521R1_B \ + "00000051953EB9618E1C9A1F929A21A0B68540EEA2DA725B" \ + "99B315F3B8B489918EF109E156193951EC7E937B1652C0BD" \ + "3BB1BF073573DF883D2C34F1EF451FD46B503F00" +#define SECP521R1_GX \ + "000000C6858E06B70404E9CD9E3ECB662395B4429C648139" \ + "053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127" \ + "A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66" +#define SECP521R1_GY \ + "0000011839296A789A3BC0045C8A5FB42C7D1BD998F54449" \ + "579B446817AFBD17273E662C97EE72995EF42640C550B901" \ + "3FAD0761353C7086A272C24088BE94769FD16650" +#define SECP521R1_N \ + "000001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \ + "FFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148" \ + "F709A5D03BB5C9B8899C47AEBB6FB71E91386409" + +/* + * Set a group using well-known domain parameters + */ +int ecp_use_known_dp( ecp_group *grp, ecp_group_id id ) +{ + grp->id = id; + + switch( id ) + { + case POLARSSL_ECP_DP_SECP192R1: + grp->modp = ecp_mod_p192; + return( ecp_group_read_string( grp, 16, + SECP192R1_P, SECP192R1_B, + SECP192R1_GX, SECP192R1_GY, SECP192R1_N ) ); + + case POLARSSL_ECP_DP_SECP224R1: + return( ecp_group_read_string( grp, 16, + SECP224R1_P, SECP224R1_B, + SECP224R1_GX, SECP224R1_GY, SECP224R1_N ) ); + + case POLARSSL_ECP_DP_SECP256R1: + return( ecp_group_read_string( grp, 16, + SECP256R1_P, SECP256R1_B, + SECP256R1_GX, SECP256R1_GY, SECP256R1_N ) ); + + case POLARSSL_ECP_DP_SECP384R1: + return( ecp_group_read_string( grp, 16, + SECP384R1_P, SECP384R1_B, + SECP384R1_GX, SECP384R1_GY, SECP384R1_N ) ); + + case POLARSSL_ECP_DP_SECP521R1: + grp->modp = ecp_mod_p521; + return( ecp_group_read_string( grp, 16, + SECP521R1_P, SECP521R1_B, + SECP521R1_GX, SECP521R1_GY, SECP521R1_N ) ); + } + + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); +} + +/* + * Set a group from an ECParameters record (RFC 4492) + */ +int ecp_tls_read_group( ecp_group *grp, const unsigned char **buf, size_t len ) +{ + ecp_group_id id; + + /* + * We expect at least three bytes (see below) + */ + if( len < 3 ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + /* + * First byte is curve_type; only named_curve is handled + */ + if( *(*buf)++ != POLARSSL_ECP_TLS_NAMED_CURVE ) + return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + + /* + * Next two bytes are the namedcurve value + */ + id = *(*buf)++; + id <<= 8; + id |= *(*buf)++; + return ecp_use_known_dp( grp, id ); +} + +/* + * Write the ECParameters record corresponding to a group (RFC 4492) + */ +int ecp_tls_write_group( const ecp_group *grp, size_t *olen, + unsigned char *buf, size_t blen ) +{ + /* + * We are going to write 3 bytes (see below) + */ + *olen = 3; + if( blen < *olen ) + return( POLARSSL_ERR_ECP_BUFFER_TOO_SMALL ); + + /* + * First byte is curve_type, always named_curve + */ + *buf++ = POLARSSL_ECP_TLS_NAMED_CURVE; + + /* + * Next two bytes are the namedcurve value + */ + buf[0] = grp->id >> 8; + buf[1] = grp->id & 0xFF; + + return 0; +} + +/* + * Fast mod-p functions expect their argument to be in the 0..p^2 range. + * + * In order to guarantee that, we need to ensure that operands of + * mpi_mul_mpi are in the 0..p range. So, after each operation we will + * bring the result back to this range. + * + * The following macros are shortcuts for doing that. + */ + +/* + * Reduce a mpi mod p in-place, general case, to use after mpi_mul_mpi + */ +#define MOD_MUL( N ) MPI_CHK( ecp_modp( &N, grp ) ) + +/* + * Reduce a mpi mod p in-place, to use after mpi_sub_mpi + */ +#define MOD_SUB( N ) \ + while( mpi_cmp_int( &N, 0 ) < 0 ) \ + MPI_CHK( mpi_add_mpi( &N, &N, &grp->P ) ) + +/* + * Reduce a mpi mod p in-place, to use after mpi_add_mpi and mpi_mul_int + */ +#define MOD_ADD( N ) \ + while( mpi_cmp_mpi( &N, &grp->P ) >= 0 ) \ + MPI_CHK( mpi_sub_mpi( &N, &N, &grp->P ) ) + +/* + * Check that a point is valid as a public key (SEC1 3.2.3.1) + */ +int ecp_check_pubkey( const ecp_group *grp, const ecp_point *pt ) +{ + int ret; + mpi YY, RHS; + + if( mpi_cmp_int( &pt->Z, 0 ) == 0 ) + return( POLARSSL_ERR_ECP_GENERIC ); + + /* + * pt coordinates must be normalized for our checks + */ + if( mpi_cmp_int( &pt->Z, 1 ) != 0 ) + return( POLARSSL_ERR_ECP_GENERIC ); + + if( mpi_cmp_int( &pt->X, 0 ) < 0 || + mpi_cmp_int( &pt->Y, 0 ) < 0 || + mpi_cmp_mpi( &pt->X, &grp->P ) >= 0 || + mpi_cmp_mpi( &pt->Y, &grp->P ) >= 0 ) + return( POLARSSL_ERR_ECP_GENERIC ); + + mpi_init( &YY ); mpi_init( &RHS ); + + /* + * YY = Y^2 + * RHS = X (X^2 - 3) + B = X^3 - 3X + B + */ + MPI_CHK( mpi_mul_mpi( &YY, &pt->Y, &pt->Y ) ); MOD_MUL( YY ); + MPI_CHK( mpi_mul_mpi( &RHS, &pt->X, &pt->X ) ); MOD_MUL( RHS ); + MPI_CHK( mpi_sub_int( &RHS, &RHS, 3 ) ); MOD_SUB( RHS ); + MPI_CHK( mpi_mul_mpi( &RHS, &RHS, &pt->X ) ); MOD_MUL( RHS ); + MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->B ) ); MOD_ADD( RHS ); + + if( mpi_cmp_mpi( &YY, &RHS ) != 0 ) + ret = POLARSSL_ERR_ECP_GENERIC; + +cleanup: + + mpi_free( &YY ); mpi_free( &RHS ); + + return( ret ); +} + +/* + * Normalize jacobian coordinates so that Z == 0 || Z == 1 (GECC 3.2.1) + */ +static int ecp_normalize( const ecp_group *grp, ecp_point *pt ) +{ + int ret; + mpi Zi, ZZi; + + if( mpi_cmp_int( &pt->Z, 0 ) == 0 ) + return( 0 ); + + mpi_init( &Zi ); mpi_init( &ZZi ); + + /* + * X = X / Z^2 mod p + */ + MPI_CHK( mpi_inv_mod( &Zi, &pt->Z, &grp->P ) ); + MPI_CHK( mpi_mul_mpi( &ZZi, &Zi, &Zi ) ); MOD_MUL( ZZi ); + MPI_CHK( mpi_mul_mpi( &pt->X, &pt->X, &ZZi ) ); MOD_MUL( pt->X ); + + /* + * Y = Y / Z^3 mod p + */ + MPI_CHK( mpi_mul_mpi( &pt->Y, &pt->Y, &ZZi ) ); MOD_MUL( pt->Y ); + MPI_CHK( mpi_mul_mpi( &pt->Y, &pt->Y, &Zi ) ); MOD_MUL( pt->Y ); + + /* + * Z = 1 + */ + MPI_CHK( mpi_lset( &pt->Z, 1 ) ); + +cleanup: + + mpi_free( &Zi ); mpi_free( &ZZi ); + + return( ret ); +} + +/* + * Normalize jacobian coordinates of an array of points, + * using Montgomery's trick to perform only one inversion mod P. + * (See for example Cohen's "A Course in Computational Algebraic Number + * Theory", Algorithm 10.3.4.) + * + * Warning: fails if one of the points is zero! + * This should never happen, see choice of w in ecp_mul(). + */ +static int ecp_normalize_many( const ecp_group *grp, + ecp_point T[], size_t t_len ) +{ + int ret; + size_t i; + mpi *c, u, Zi, ZZi; + + if( t_len < 2 ) + return( ecp_normalize( grp, T ) ); + + if( ( c = (mpi *) malloc( t_len * sizeof( mpi ) ) ) == NULL ) + return( POLARSSL_ERR_ECP_GENERIC ); + + mpi_init( &u ); mpi_init( &Zi ); mpi_init( &ZZi ); + for( i = 0; i < t_len; i++ ) + mpi_init( &c[i] ); + + /* + * c[i] = Z_0 * ... * Z_i + */ + MPI_CHK( mpi_copy( &c[0], &T[0].Z ) ); + for( i = 1; i < t_len; i++ ) + { + MPI_CHK( mpi_mul_mpi( &c[i], &c[i-1], &T[i].Z ) ); + MOD_MUL( c[i] ); + } + + /* + * u = 1 / (Z_0 * ... * Z_n) mod P + */ + MPI_CHK( mpi_inv_mod( &u, &c[t_len-1], &grp->P ) ); + + for( i = t_len - 1; ; i-- ) + { + /* + * Zi = 1 / Z_i mod p + * u = 1 / (Z_0 * ... * Z_i) mod P + */ + if( i == 0 ) { + MPI_CHK( mpi_copy( &Zi, &u ) ); + } + else + { + MPI_CHK( mpi_mul_mpi( &Zi, &u, &c[i-1] ) ); MOD_MUL( Zi ); + MPI_CHK( mpi_mul_mpi( &u, &u, &T[i].Z ) ); MOD_MUL( u ); + } + + /* + * proceed as in normalize() + */ + MPI_CHK( mpi_mul_mpi( &ZZi, &Zi, &Zi ) ); MOD_MUL( ZZi ); + MPI_CHK( mpi_mul_mpi( &T[i].X, &T[i].X, &ZZi ) ); MOD_MUL( T[i].X ); + MPI_CHK( mpi_mul_mpi( &T[i].Y, &T[i].Y, &ZZi ) ); MOD_MUL( T[i].Y ); + MPI_CHK( mpi_mul_mpi( &T[i].Y, &T[i].Y, &Zi ) ); MOD_MUL( T[i].Y ); + MPI_CHK( mpi_lset( &T[i].Z, 1 ) ); + + if( i == 0 ) + break; + } + +cleanup: + + mpi_free( &u ); mpi_free( &Zi ); mpi_free( &ZZi ); + for( i = 0; i < t_len; i++ ) + mpi_free( &c[i] ); + free( c ); + + return( ret ); +} + + +/* + * Point doubling R = 2 P, Jacobian coordinates (GECC 3.21) + */ +static int ecp_double_jac( const ecp_group *grp, ecp_point *R, + const ecp_point *P ) +{ + int ret; + mpi T1, T2, T3, X, Y, Z; + +#if defined(POLARSSL_SELF_TEST) + dbl_count++; +#endif + + if( mpi_cmp_int( &P->Z, 0 ) == 0 ) + return( ecp_set_zero( R ) ); + + mpi_init( &T1 ); mpi_init( &T2 ); mpi_init( &T3 ); + mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z ); + + MPI_CHK( mpi_mul_mpi( &T1, &P->Z, &P->Z ) ); MOD_MUL( T1 ); + MPI_CHK( mpi_sub_mpi( &T2, &P->X, &T1 ) ); MOD_SUB( T2 ); + MPI_CHK( mpi_add_mpi( &T1, &P->X, &T1 ) ); MOD_ADD( T1 ); + MPI_CHK( mpi_mul_mpi( &T2, &T2, &T1 ) ); MOD_MUL( T2 ); + MPI_CHK( mpi_mul_int( &T2, &T2, 3 ) ); MOD_ADD( T2 ); + MPI_CHK( mpi_mul_int( &Y, &P->Y, 2 ) ); MOD_ADD( Y ); + MPI_CHK( mpi_mul_mpi( &Z, &Y, &P->Z ) ); MOD_MUL( Z ); + MPI_CHK( mpi_mul_mpi( &Y, &Y, &Y ) ); MOD_MUL( Y ); + MPI_CHK( mpi_mul_mpi( &T3, &Y, &P->X ) ); MOD_MUL( T3 ); + MPI_CHK( mpi_mul_mpi( &Y, &Y, &Y ) ); MOD_MUL( Y ); + + /* + * For Y = Y / 2 mod p, we must make sure that Y is even before + * using right-shift. No need to reduce mod p afterwards. + */ + if( mpi_get_bit( &Y, 0 ) == 1 ) + MPI_CHK( mpi_add_mpi( &Y, &Y, &grp->P ) ); + MPI_CHK( mpi_shift_r( &Y, 1 ) ); + + MPI_CHK( mpi_mul_mpi( &X, &T2, &T2 ) ); MOD_MUL( X ); + MPI_CHK( mpi_mul_int( &T1, &T3, 2 ) ); MOD_ADD( T1 ); + MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) ); MOD_SUB( X ); + MPI_CHK( mpi_sub_mpi( &T1, &T3, &X ) ); MOD_SUB( T1 ); + MPI_CHK( mpi_mul_mpi( &T1, &T1, &T2 ) ); MOD_MUL( T1 ); + MPI_CHK( mpi_sub_mpi( &Y, &T1, &Y ) ); MOD_SUB( Y ); + + MPI_CHK( mpi_copy( &R->X, &X ) ); + MPI_CHK( mpi_copy( &R->Y, &Y ) ); + MPI_CHK( mpi_copy( &R->Z, &Z ) ); + +cleanup: + + mpi_free( &T1 ); mpi_free( &T2 ); mpi_free( &T3 ); + mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z ); + + return( ret ); +} + +/* + * Addition or subtraction: R = P + Q or R = P + Q, + * mixed affine-Jacobian coordinates (GECC 3.22) + * + * The coordinates of Q must be normalized (= affine), + * but those of P don't need to. R is not normalized. + * + * If sign >= 0, perform addition, otherwise perform subtraction, + * taking advantage of the fact that, for Q != 0, we have + * -Q = (Q.X, -Q.Y, Q.Z) + */ +static int ecp_add_mixed( const ecp_group *grp, ecp_point *R, + const ecp_point *P, const ecp_point *Q, + signed char sign ) +{ + int ret; + mpi T1, T2, T3, T4, X, Y, Z; + +#if defined(POLARSSL_SELF_TEST) + add_count++; +#endif + + /* + * Trivial cases: P == 0 or Q == 0 + * (Check Q first, so that we know Q != 0 when we compute -Q.) + */ + if( mpi_cmp_int( &Q->Z, 0 ) == 0 ) + return( ecp_copy( R, P ) ); + + if( mpi_cmp_int( &P->Z, 0 ) == 0 ) + { + ret = ecp_copy( R, Q ); + + /* + * -R.Y mod P = P - R.Y unless R.Y == 0 + */ + if( ret == 0 && sign < 0) + if( mpi_cmp_int( &R->Y, 0 ) != 0 ) + ret = mpi_sub_mpi( &R->Y, &grp->P, &R->Y ); + + return( ret ); + } + + /* + * Make sure Q coordinates are normalized + */ + if( mpi_cmp_int( &Q->Z, 1 ) != 0 ) + return( POLARSSL_ERR_ECP_GENERIC ); + + mpi_init( &T1 ); mpi_init( &T2 ); mpi_init( &T3 ); mpi_init( &T4 ); + mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z ); + + MPI_CHK( mpi_mul_mpi( &T1, &P->Z, &P->Z ) ); MOD_MUL( T1 ); + MPI_CHK( mpi_mul_mpi( &T2, &T1, &P->Z ) ); MOD_MUL( T2 ); + MPI_CHK( mpi_mul_mpi( &T1, &T1, &Q->X ) ); MOD_MUL( T1 ); + MPI_CHK( mpi_mul_mpi( &T2, &T2, &Q->Y ) ); MOD_MUL( T2 ); + + /* + * For subtraction, -Q.Y should have been used instead of Q.Y, + * so we replace T2 by -T2, which is P - T2 mod P + */ + if( sign < 0 ) + { + MPI_CHK( mpi_sub_mpi( &T2, &grp->P, &T2 ) ); + MOD_SUB( T2 ); + } + + MPI_CHK( mpi_sub_mpi( &T1, &T1, &P->X ) ); MOD_SUB( T1 ); + MPI_CHK( mpi_sub_mpi( &T2, &T2, &P->Y ) ); MOD_SUB( T2 ); + + if( mpi_cmp_int( &T1, 0 ) == 0 ) + { + if( mpi_cmp_int( &T2, 0 ) == 0 ) + { + ret = ecp_double_jac( grp, R, P ); + goto cleanup; + } + else + { + ret = ecp_set_zero( R ); + goto cleanup; + } + } + + MPI_CHK( mpi_mul_mpi( &Z, &P->Z, &T1 ) ); MOD_MUL( Z ); + MPI_CHK( mpi_mul_mpi( &T3, &T1, &T1 ) ); MOD_MUL( T3 ); + MPI_CHK( mpi_mul_mpi( &T4, &T3, &T1 ) ); MOD_MUL( T4 ); + MPI_CHK( mpi_mul_mpi( &T3, &T3, &P->X ) ); MOD_MUL( T3 ); + MPI_CHK( mpi_mul_int( &T1, &T3, 2 ) ); MOD_ADD( T1 ); + MPI_CHK( mpi_mul_mpi( &X, &T2, &T2 ) ); MOD_MUL( X ); + MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) ); MOD_SUB( X ); + MPI_CHK( mpi_sub_mpi( &X, &X, &T4 ) ); MOD_SUB( X ); + MPI_CHK( mpi_sub_mpi( &T3, &T3, &X ) ); MOD_SUB( T3 ); + MPI_CHK( mpi_mul_mpi( &T3, &T3, &T2 ) ); MOD_MUL( T3 ); + MPI_CHK( mpi_mul_mpi( &T4, &T4, &P->Y ) ); MOD_MUL( T4 ); + MPI_CHK( mpi_sub_mpi( &Y, &T3, &T4 ) ); MOD_SUB( Y ); + + MPI_CHK( mpi_copy( &R->X, &X ) ); + MPI_CHK( mpi_copy( &R->Y, &Y ) ); + MPI_CHK( mpi_copy( &R->Z, &Z ) ); + +cleanup: + + mpi_free( &T1 ); mpi_free( &T2 ); mpi_free( &T3 ); mpi_free( &T4 ); + mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z ); + + return( ret ); +} + +/* + * Addition: R = P + Q, result's coordinates normalized + */ +int ecp_add( const ecp_group *grp, ecp_point *R, + const ecp_point *P, const ecp_point *Q ) +{ + int ret; + + MPI_CHK( ecp_add_mixed( grp, R, P, Q , 1 ) ); + MPI_CHK( ecp_normalize( grp, R ) ); + +cleanup: + return( ret ); +} + +/* + * Subtraction: R = P - Q, result's coordinates normalized + */ +int ecp_sub( const ecp_group *grp, ecp_point *R, + const ecp_point *P, const ecp_point *Q ) +{ + int ret; + + MPI_CHK( ecp_add_mixed( grp, R, P, Q, -1 ) ); + MPI_CHK( ecp_normalize( grp, R ) ); + +cleanup: + return( ret ); +} + +/* + * Compute a modified width-w non-adjacent form (NAF) of a number, + * with a fixed pattern for resistance to SPA/timing attacks, + * see . + * (The resulting multiplication algorithm can also been seen as a + * modification of 2^w-ary multiplication, with signed coefficients, + * all of them odd.) + * + * Input: + * m must be an odd positive mpi less than w * k bits long + * x must be an array of k elements + * w must be less than a certain maximum (currently 8) + * + * The result is a sequence x[0], ..., x[k-1] with x[i] in the range + * - 2^(width - 1) .. 2^(width - 1) - 1 such that + * m = (2 * x[0] + 1) + 2^width * (2 * x[1] + 1) + ... + * + 2^((k-1) * width) * (2 * x[k-1] + 1) + * + * Compared to "Algorithm SPA-resistant Width-w NAF with Odd Scalar" + * p. 335 of the cited reference, here we return only u, not d_w since + * it is known that the other d_w[j] will be 0. Moreover, the returned + * string doesn't actually store u_i but x_i = u_i / 2 since it is known + * that u_i is odd. Also, since we always select a positive value for d + * mod 2^w, we don't need to check the sign of u[i-1] when the reference + * does. Finally, there is an off-by-one error in the reference: the + * last index should be k-1, not k. + */ +static int ecp_w_naf_fixed( signed char x[], size_t k, + unsigned char w, const mpi *m ) +{ + int ret; + unsigned int i, u, mask, carry; + mpi M; + + mpi_init( &M ); + + MPI_CHK( mpi_copy( &M, m ) ); + mask = ( 1 << w ) - 1; + carry = 1 << ( w - 1 ); + + for( i = 0; i < k; i++ ) + { + u = M.p[0] & mask; + + if( ( u & 1 ) == 0 && i > 0 ) + x[i - 1] -= carry; + + x[i] = u >> 1; + mpi_shift_r( &M, w ); + } + + /* + * We should have consumed all the bits now + */ + if( mpi_cmp_int( &M, 0 ) != 0 ) + ret = POLARSSL_ERR_ECP_GENERIC; + +cleanup: + + mpi_free( &M ); + + return( ret ); +} + +/* + * Precompute odd multiples of P up to (2 * t_len - 1) P. + * The table is filled with T[i] = (2 * i + 1) P. + */ +static int ecp_precompute( const ecp_group *grp, + ecp_point T[], size_t t_len, + const ecp_point *P ) +{ + int ret; + size_t i; + ecp_point PP; + + ecp_point_init( &PP ); + + MPI_CHK( ecp_add( grp, &PP, P, P ) ); + + MPI_CHK( ecp_copy( &T[0], P ) ); + + for( i = 1; i < t_len; i++ ) + MPI_CHK( ecp_add_mixed( grp, &T[i], &T[i-1], &PP, +1 ) ); + + /* + * T[0] = P already has normalized coordinates + */ + MPI_CHK( ecp_normalize_many( grp, T + 1, t_len - 1 ) ); + +cleanup: + + ecp_point_free( &PP ); + + return( ret ); +} + +/* + * Maximum length of the precomputed table + */ +#define MAX_PRE_LEN ( 1 << (POLARSSL_ECP_WINDOW_SIZE - 1) ) + +/* + * Maximum length of the NAF: ceil( grp->nbits + 1 ) / w + * (that is: grp->nbits / w + 1) + * Allow p_bits + 1 bits in case M = grp->N + 1 is one bit longer than N. + */ +#define MAX_NAF_LEN ( POLARSSL_ECP_MAX_N_BITS / 2 + 1 ) + +/* + * Integer multiplication: R = m * P + * + * Based on fixed-pattern width-w NAF, see comments of ecp_w_naf_fixed() + * and . + * + * This function executes a fixed number of operations for + * random m in the range 0 .. 2^nbits - 1. + */ +int ecp_mul( const ecp_group *grp, ecp_point *R, + const mpi *m, const ecp_point *P ) +{ + int ret; + unsigned char w, m_is_odd; + size_t pre_len, naf_len, i, j; + signed char naf[ MAX_NAF_LEN ]; + ecp_point Q, T[ MAX_PRE_LEN ]; + mpi M; + + if( mpi_cmp_int( m, 0 ) < 0 || mpi_msb( m ) > grp->nbits ) + return( POLARSSL_ERR_ECP_GENERIC ); + + w = grp->nbits >= 521 ? 6 : + grp->nbits >= 224 ? 5 : + 4; + + /* + * Make sure w is within the limits. + * The last test ensures that none of the precomputed points is zero, + * which wouldn't be handled correctly by ecp_normalize_many(). + * It is only useful for small curves, as used in the test suite. + */ + if( w > POLARSSL_ECP_WINDOW_SIZE ) + w = POLARSSL_ECP_WINDOW_SIZE; + if( w < 2 || w >= grp->nbits ) + w = 2; + + pre_len = 1 << ( w - 1 ); + naf_len = grp->nbits / w + 1; + + mpi_init( &M ); + ecp_point_init( &Q ); + for( i = 0; i < pre_len; i++ ) + ecp_point_init( &T[i] ); + + m_is_odd = ( mpi_get_bit( m, 0 ) == 1 ); + + /* + * Make sure M is odd: + * later we'll get m * P by subtracting * P or 2 * P to M * P. + */ + MPI_CHK( mpi_copy( &M, m ) ); + MPI_CHK( mpi_add_int( &M, &M, 1 + m_is_odd ) ); + + /* + * Compute the fixed-pattern NAF and precompute odd multiples + */ + MPI_CHK( ecp_w_naf_fixed( naf, naf_len, w, &M ) ); + MPI_CHK( ecp_precompute( grp, T, pre_len, P ) ); + + /* + * Compute M * P, using a variant of left-to-right 2^w-ary multiplication: + * at each step we add (2 * naf[i] + 1) P, then multiply by 2^w. + * + * If naf[i] >= 0, we have (2 * naf[i] + 1) P == T[ naf[i] ] + * Otherwise, (2 * naf[i] + 1) P == - ( 2 * ( - naf[i] - 1 ) + 1) P + * == T[ - naf[i] - 1 ] + */ + MPI_CHK( ecp_set_zero( &Q ) ); + i = naf_len - 1; + while( 1 ) + { + if( naf[i] < 0 ) + { + MPI_CHK( ecp_add_mixed( grp, &Q, &Q, &T[ - naf[i] - 1 ], -1 ) ); + } + else + { + MPI_CHK( ecp_add_mixed( grp, &Q, &Q, &T[ naf[i] ], +1 ) ); + } + + if( i == 0 ) + break; + i--; + + for( j = 0; j < w; j++ ) + { + MPI_CHK( ecp_double_jac( grp, &Q, &Q ) ); + } + } + + /* + * Now get m * P from M * P. + * Since we don't need T[] any more, we can recycle it: + * we already have T[0] = P, now set T[1] = 2 * P. + */ + MPI_CHK( ecp_add( grp, &T[1], P, P ) ); + MPI_CHK( ecp_sub( grp, R, &Q, &T[m_is_odd] ) ); + + +cleanup: + + mpi_free( &M ); + ecp_point_free( &Q ); + for( i = 0; i < pre_len; i++ ) + ecp_point_free( &T[i] ); + + return( ret ); +} + +/* + * Generate a keypair (SEC1 3.2.1) + */ +int ecp_gen_keypair( const ecp_group *grp, mpi *d, ecp_point *Q, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) +{ + int count = 0; + size_t n_size = (grp->nbits + 7) / 8; + + /* + * Generate d such that 1 <= n < N + */ + do + { + mpi_fill_random( d, n_size, f_rng, p_rng ); + + while( mpi_cmp_mpi( d, &grp->N ) >= 0 ) + mpi_shift_r( d, 1 ); + + if( count++ > 10 ) + return( POLARSSL_ERR_ECP_GENERIC ); + } + while( mpi_cmp_int( d, 1 ) < 0 ); + + return( ecp_mul( grp, Q, d, &grp->G ) ); +} + +#if defined(POLARSSL_SELF_TEST) + +/* + * Checkup routine + */ +int ecp_self_test( int verbose ) +{ + int ret; + size_t i; + ecp_group grp; + ecp_point R; + mpi m; + unsigned long add_c_prev, dbl_c_prev; + char *exponents[] = + { + "000000000000000000000000000000000000000000000000", /* zero */ + "000000000000000000000000000000000000000000000001", /* one */ + "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", /* N */ + "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */ + "400000000000000000000000000000000000000000000000", + "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", + "555555555555555555555555555555555555555555555555", + }; + + ecp_group_init( &grp ); + ecp_point_init( &R ); + mpi_init( &m ); + + MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP192R1 ) ); + + if( verbose != 0 ) + printf( " ECP test #1 (SPA resistance): " ); + + add_count = 0; + dbl_count = 0; + MPI_CHK( mpi_read_string( &m, 16, exponents[0] ) ); + MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G ) ); + + for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ ) + { + add_c_prev = add_count; + dbl_c_prev = dbl_count; + add_count = 0; + dbl_count = 0; + + MPI_CHK( mpi_read_string( &m, 16, exponents[i] ) ); + MPI_CHK( ecp_mul( &grp, &R, &m, &grp.G ) ); + + if( add_count != add_c_prev || dbl_count != dbl_c_prev ) + { + if( verbose != 0 ) + printf( "failed (%zu)\n", i ); + + ret = 1; + goto cleanup; + } + } + + if( verbose != 0 ) + printf( "passed\n" ); + +cleanup: + + if( ret < 0 && verbose != 0 ) + printf( "Unexpected error, return code = %08X\n", ret ); + + ecp_group_free( &grp ); + ecp_point_free( &R ); + mpi_free( &m ); + + if( verbose != 0 ) + printf( "\n" ); + + return( ret ); +} + +#endif + +#endif diff --git a/library/error.c b/library/error.c index d4bc27762..1a8457bad 100644 --- a/library/error.c +++ b/library/error.c @@ -63,6 +63,10 @@ #include "polarssl/dhm.h" #endif +#if defined(POLARSSL_ECP_C) +#include "polarssl/ecp.h" +#endif + #if defined(POLARSSL_ENTROPY_C) #include "polarssl/entropy.h" #endif @@ -182,6 +186,13 @@ void error_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "DHM - Calculation of the DHM secret failed" ); #endif /* POLARSSL_DHM_C */ +#if defined(POLARSSL_ECP_C) + if( use_ret == -(POLARSSL_ERR_ECP_BAD_INPUT_DATA) ) + snprintf( buf, buflen, "ECP - Bad input parameters to function" ); + if( use_ret == -(POLARSSL_ERR_ECP_GENERIC) ) + snprintf( buf, buflen, "ECP - Generic ECP error" ); +#endif /* POLARSSL_ECP_C */ + #if defined(POLARSSL_MD_C) if( use_ret == -(POLARSSL_ERR_MD_FEATURE_UNAVAILABLE) ) snprintf( buf, buflen, "MD - The selected feature is not available" ); diff --git a/programs/.gitignore b/programs/.gitignore index d6d9efcf6..9a6953247 100644 --- a/programs/.gitignore +++ b/programs/.gitignore @@ -29,6 +29,7 @@ ssl/ssl_mail_client ssl/ssl_server ssl/ssl_server2 test/benchmark +test/ecp-bench test/o_p_test test/selftest test/ssl_cert_test diff --git a/programs/Makefile b/programs/Makefile index 9b0d1f531..388b029e2 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -38,6 +38,7 @@ APPS = aes/aescrypt2 aes/crypt_and_hash \ random/gen_random_ctr_drbg \ test/ssl_cert_test test/benchmark \ test/selftest test/ssl_test \ + test/ecp-bench \ util/strerror \ x509/cert_app x509/crl_app \ x509/cert_req @@ -174,6 +175,10 @@ test/benchmark: test/benchmark.c ../library/libpolarssl.a echo " CC test/benchmark.c" $(CC) $(CFLAGS) $(OFLAGS) test/benchmark.c $(LDFLAGS) -o $@ +test/ecp-bench: test/ecp-bench.c ../library/libpolarssl.a + echo " CC test/ecp-bench.c" + $(CC) $(CFLAGS) $(OFLAGS) test/ecp-bench.c $(LDFLAGS) -o $@ + test/selftest: test/selftest.c ../library/libpolarssl.a echo " CC test/selftest.c" $(CC) $(CFLAGS) $(OFLAGS) test/selftest.c $(LDFLAGS) -o $@ diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index c05b903f4..56bcae082 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -18,6 +18,9 @@ target_link_libraries(selftest ${libs}) add_executable(benchmark benchmark.c) target_link_libraries(benchmark ${libs}) +add_executable(ecp-bench ecp-bench.c) +target_link_libraries(ecp-bench ${libs}) + add_executable(ssl_test ssl_test.c) target_link_libraries(ssl_test ${libs}) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 86de2c63c..7ee465f4d 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -45,6 +45,7 @@ #include "polarssl/camellia.h" #include "polarssl/gcm.h" #include "polarssl/rsa.h" +#include "polarssl/dhm.h" #include "polarssl/timing.h" #include "polarssl/havege.h" #include "polarssl/ctr_drbg.h" @@ -120,6 +121,10 @@ int main( int argc, char *argv[] ) #endif #if defined(POLARSSL_CTR_DRBG_C) ctr_drbg_context ctr_drbg; +#endif +#if defined(POLARSSL_DHM_C) && defined(POLARSSL_BIGNUM_C) + dhm_context dhm; + size_t olen = BUFSIZE; #endif ((void) argc); ((void) argv); @@ -505,6 +510,74 @@ int main( int argc, char *argv[] ) rsa_free( &rsa ); #endif +#if defined(POLARSSL_DHM_C) && defined(POLARSSL_BIGNUM_C) + memset( &dhm, 0, sizeof( dhm_context ) ); + + mpi_read_string( &dhm.P, 16, POLARSSL_DHM_RFC5114_MODP_1024_P ); + mpi_read_string( &dhm.G, 16, POLARSSL_DHM_RFC5114_MODP_1024_G ); + dhm.len = mpi_size( &dhm.P ); + dhm_make_public( &dhm, dhm.len, buf, dhm.len, myrand, NULL ); + mpi_copy( &dhm.GY, &dhm.GX ); + + printf( HEADER_FORMAT, "DHM-1024" ); + fflush( stdout ); + set_alarm( 3 ); + + for( i = 1; ! alarmed; i++ ) + { + dhm_make_public( &dhm, dhm.len, buf, dhm.len, myrand, NULL ); + dhm_calc_secret( &dhm, buf, &olen ); + } + + printf( "%9lu handshake/s\n", i / 3 ); + + dhm_free( &dhm ); + + memset( &dhm, 0, sizeof( dhm_context ) ); + + mpi_read_string( &dhm.P, 16, POLARSSL_DHM_RFC3526_MODP_2048_P ); + mpi_read_string( &dhm.G, 16, POLARSSL_DHM_RFC3526_MODP_2048_G ); + dhm.len = mpi_size( &dhm.P ); + dhm_make_public( &dhm, dhm.len, buf, dhm.len, myrand, NULL ); + mpi_copy( &dhm.GY, &dhm.GX ); + + printf( HEADER_FORMAT, "DHM-2048" ); + fflush( stdout ); + set_alarm( 3 ); + + for( i = 1; ! alarmed; i++ ) + { + dhm_make_public( &dhm, dhm.len, buf, dhm.len, myrand, NULL ); + dhm_calc_secret( &dhm, buf, &olen ); + } + + printf( "%9lu handshake/s\n", i / 3 ); + + dhm_free( &dhm ); + + memset( &dhm, 0, sizeof( dhm_context ) ); + + mpi_read_string( &dhm.P, 16, POLARSSL_DHM_RFC3526_MODP_3072_P ); + mpi_read_string( &dhm.G, 16, POLARSSL_DHM_RFC3526_MODP_3072_G ); + dhm.len = mpi_size( &dhm.P ); + dhm_make_public( &dhm, dhm.len, buf, dhm.len, myrand, NULL ); + mpi_copy( &dhm.GY, &dhm.GX ); + + printf( HEADER_FORMAT, "DHM-3072" ); + fflush( stdout ); + set_alarm( 3 ); + + for( i = 1; ! alarmed; i++ ) + { + dhm_make_public( &dhm, dhm.len, buf, dhm.len, myrand, NULL ); + dhm_calc_secret( &dhm, buf, &olen ); + } + + printf( "%9lu handshake/s\n", i / 3 ); + + dhm_free( &dhm ); +#endif + printf( "\n" ); #if defined(_WIN32) diff --git a/programs/test/ecp-bench.c b/programs/test/ecp-bench.c new file mode 100644 index 000000000..3064cc9eb --- /dev/null +++ b/programs/test/ecp-bench.c @@ -0,0 +1,205 @@ +/* + * Temporary mini-benchmark for ECP multiplication + * (and comparision with GF(p) exponentation if any argument is given) + */ + +#include +#include +#include + +#include "polarssl/config.h" + +#include "polarssl/dhm.h" +#include "polarssl/ecp.h" +#include "polarssl/timing.h" +#include "polarssl/error.h" + +#if !defined(POLARSSL_TIMING_C) || !defined(POLARSSL_BIGNUM_C) || \ + !defined(POLARSSL_DHM_C) || !defined(POLARSSL_ECP_C) + +int main( int argc, char *argv[] ) +{ + ((void) argc); + ((void) argv); + + printf("POLARSSL_{TIMING,BIGNUM,DHM,ECP}_C not defined.\n"); + return( 0 ); +} + +#else + +void dhm_bench_case( const char *s, const char *p, + const char *g, const char *x ) +{ + unsigned long i; + mpi P, G, X, R, C; + + mpi_init( &P ); mpi_init( &G ); mpi_init( &X ); mpi_init( &R ); + mpi_init( &C ); + + mpi_read_string( &P, 16, p ); + mpi_read_string( &G, 16, g ); + mpi_read_string( &X, 16, x ); + + printf( " MODP-%s : ", s ); + fflush( stdout ); + set_alarm( 3 ); + + for( i = 1; ! alarmed; i++ ) + mpi_exp_mod( &R, &G, &X, &P, &C ); + + printf( "%9lu exp/s\n", i / 3 ); + + mpi_free( &P ); mpi_free( &G ); mpi_free( &X ); mpi_free( &R ); + mpi_free( &C ); +} + +#define MODP_1024_G \ + "205BE4D89282CE6A9488626CA9BCC1264E7C9525903F049D" \ + "D6A77315AA12B01467EB1EA21B25569BECEC276623859A8C" \ + "518D445DF43DCBA1B75D23B6BB6B96084FA3C10CA8DC1A96" \ + "77E26332152233E13F4E6BF3C5D48514BC264A35AF385463" \ + "8B8AE5E363BD6AE0B5D44875BB60A73A5E4075FB2037B833" \ + "DC382EA6DD458EAE" + +#define MODP_1024_X \ + "262F6727B2E44AF61981AAAB2AA749F64FD79AD18A1FC999" \ + "2E71795130CB69F89BCFB70DB2A0F2A49A825A0AAA50715D" \ + "5D9AE98198F0522AECBF8A0A2D331AB0296110617FC685FF" \ + "7338F4201329ABDFDEAEC779E4D56CC46A0A38B18DC18DFE" \ + "640865426A7360BCCD4E4F82B3686B4804071D4B9F5582ED" \ + "E4758F170C3A1415" + +#define MODP_2048_G \ + "717892E6698EB3CD62113AAE793EA6690791F89290FD83C3" \ + "A059F328C5FBD10AB25C1E8F96245836600FC7772AFB42ED" \ + "F7A809FC3D38F7794574CAC8A318D41C917EE34C81EA8838" \ + "BA6068E81ED3C7F039A83914D044AB2379B3C5C24F0FFD4E" \ + "B6642F26F1EDF015AB7829E9EDC8DCD8A4013C76682338E8" \ + "3D44B0F4E870CF3134874EAA3AC0803DA2CE30922E251B02" \ + "BDDD94137F9DFD41627AE20B7E4137BA94496A4B2AEB0354" \ + "8E1C4126A87240B43E23BB574D354EF1AD01FED5627F240C" \ + "2F4F5521D2F51DFE0702D18EED6DDF022D93554E7AB67D81" \ + "AD4C5256A6AC00DE1AD0751FDCC17F8C7136C194F48A39F5" \ + "957B831081C9058CA0C3A03C7C41F1C9" + +#define MODP_2048_X \ + "AFA7186FC7A0370DE6E3DD95473C9D10C916BD186E41FB48" \ + "195D123E5CFE8D237A2A640DCE19B3DD7028C6168084A61D" \ + "4E4E218A1D98E0C2C93E2E1516F97E596B50C811CE93417B" \ + "905DA6833D1CE41838AEAA9CA6CE36E2430A244A6696E99B" \ + "54B6AAC75D4F6FF6F0568145BDBBC83F5F603D698198A8EE" \ + "2098F5DCABDD458C465E795520EDD46C3B992EAFACF24A56" \ + "263850C9A07165A0CE52B7DC71489CA67AC4A6E6176B547B" \ + "A1C233E3C7898C283E82B3E74B9056F84F7B4A10B5CE10FF" \ + "7D43107B68F2381E64C77C61474DE8CA70EA8DF935D43CD2" \ + "CE208D9F7E468F07A93A74676ED1A3C77CB1CD59E96DCA77" \ + "125DE5B672798FC943048FDBB24167B1" + +#define MODP_3072_G \ + "38B2B12253661411B63E62F3FAC5BE7CF6A416F249E4A039" \ + "0884765C18F2EDF93FCC2646B888ED64B783765D576887B1" \ + "74ABB76123ECA6537DDC1F95757645F3C870CBFF2D40E40D" \ + "C2556A14115C37BE299BDCB0F07AB7AAE0D8FA6CF44A0C22" \ + "ED5368922EF028EC2B5B0AB42F858D5D780828A508C252A7" \ + "96F8CE7AA9C83D1E820F6991771AAA2286A7754FCCB3AA16" \ + "51D840EC788C5DDEAFAAC0C82EAC84EBFF5EB52699BE4020" \ + "F62607937EB168766BCC1F786F4FCDDBB66C0BCEA983AE87" \ + "5C2DD6C201FBF5C178308E64831D14F12399F21761D13BC1" \ + "20B2377FBAD73613FA7B7E443BEE3879E7EEFB0A625A0EBA" \ + "2D379E8F5EA62C91BC58A6FCDD5D7435B0E747B7B65A47BE" \ + "0CA769DE340E611A98A6DDED72E89486875F02DAE24715E8" \ + "3787A5DB53AA28D3F838E7F11EE80F0310C8597B585D6B1A" \ + "3991FBD7459ED277C34C9A4AE0AE6DC7EE5C99B14F366129" \ + "C3747617B724A2BED48F5BF3106B40E60CC3677780F1A39D" \ + "430154C2B460CC676AACC7B34F792621D743D1AC59EDBAC6" + +#define MODP_3072_X \ + "4391157AD824806F07421C1545AA795E26B120A5CEE427F0" \ + "6725BB247E6B2F4C4BE052E4B240B2DD6194B37F3423FA3F" \ + "00C3DF9F4C2165662FCCC9B8DE52C19001E8D54E9053A605" \ + "24BCA6AB0698632EB5D62451987E89AF0FA63479D344E2A7" \ + "58ED8DB5D287600C85A8DD08D9E2E5587177AB6A25A76C71" \ + "5BCAA737FB7DC45E371F4DEC13B40CA9D461A99A98847E1B" \ + "D9CD1BA02DCC331B5B2256887B7F0139A9E7BEA8A6CDA318" \ + "B95E12A1CEE6A26EC070C34C270067C79DBC906295C3C9DF" \ + "2FA6D6B637B7CE81B535DB2D6E196F46ED2F92F3EE8EACE1" \ + "002349D035550A44B75E76B7A77A6A670EC13E334201B543" \ + "B1708295F33B777BD4555A032313C3388DBD5ABC5FB0FEFD" \ + "A9A98C0CC4C7E919927BDC8D46B5347A1266A4C8331C2EB0" \ + "C93DB67244BD6CE2757BA61A063DDD0DF0561A97786D1299" \ + "EBE3EAC838F420D1A0DC9D633B2F16CCE91E436C0413CE6A" \ + "F98E0273FC5C08A4EA70D6DC09A1855AFB402E02BD9F261E" \ + "863717A552F4A83D4DD5060CB70E2D4D7FFAEE912C2C4408" + +void dhm_bench( void ) +{ + dhm_bench_case( "1024", POLARSSL_DHM_RFC5114_MODP_1024_P, + MODP_1024_G, MODP_1024_X ); + + dhm_bench_case( "2048", POLARSSL_DHM_RFC3526_MODP_2048_P, + MODP_2048_G, MODP_2048_X ); + + dhm_bench_case( "3072", POLARSSL_DHM_RFC3526_MODP_3072_P, + MODP_3072_G, MODP_3072_X ); +} + +void ecp_bench_case( size_t dp, char *s, char *m ) +{ + unsigned long i; + ecp_group grp; + ecp_point R; + mpi M; + + ecp_group_init( &grp ); ecp_point_init( &R ); mpi_init( &M ); + + ecp_use_known_dp( &grp, dp ); + mpi_read_string( &M, 16, m ); + + printf( " ECP-%s : ", s ); + fflush( stdout ); + set_alarm( 3 ); + + for( i = 1; ! alarmed; i++ ) + ecp_mul( &grp, &R, &M, &grp.G ); + + printf( "%9lu mul/s\n", i / 3 ); + + ecp_group_free( &grp ); ecp_point_free( &R ); mpi_free( &M ); +} + +#define ECP_192_M \ + "FE61330B02915F25970C2AF8575CBB227E6B6394774E6EC8" +#define ECP_224_M \ + "EAC63628087E32F61A383DCAED57E4348081FF3637D95B904C2FD487" +#define ECP_256_M \ + "83C4106612BDDB781DD446CF2A873D78AA0620B9003789244A18F83B39B3EA63" +#define ECP_384_M \ + "3E45569675A7E2E0E2E663A11E4226FBEF0F99A96CD6E547" \ + "9ABDDF36DD9AB7278BCD8B96A0775847A6431D2AF7476CD9" +#define ECP_521_M \ + "017F540D09F24EC6B102E8E4A9F14B850442D98C68FB29A6B09B9B9D40E2A750" \ + "7F3D2D6C5B6536B607EF2BCEA4797BB3A68F0D745410EB5CFFC7FF7FB17381544E" + +void ecp_bench( void ) +{ + ecp_bench_case( 0, "192", ECP_192_M ); + ecp_bench_case( 1, "224", ECP_224_M ); + ecp_bench_case( 2, "256", ECP_256_M ); + ecp_bench_case( 3, "384", ECP_384_M ); + ecp_bench_case( 4, "521", ECP_521_M ); +} + +int main( int argc, char *argv[] ) +{ + ((void) argv); + if( argc > 1 ) + { + dhm_bench(); + } + + ecp_bench(); + + return( 0 ); +} +#endif diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 8dddf3481..333e3a16d 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -50,6 +50,7 @@ #include "polarssl/x509.h" #include "polarssl/xtea.h" #include "polarssl/pbkdf2.h" +#include "polarssl/ecp.h" int main( int argc, char *argv[] ) { @@ -155,6 +156,11 @@ int main( int argc, char *argv[] ) return( ret ); #endif +#if defined(POLARSSL_ECP_C) + if( ( ret = ecp_self_test( v ) ) != 0 ) + return( ret ); +#endif + #else printf( " POLARSSL_SELF_TEST not defined.\n" ); #endif diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl index e89496490..8184d78c2 100755 --- a/scripts/generate_errors.pl +++ b/scripts/generate_errors.pl @@ -12,7 +12,7 @@ my @low_level_modules = ( "AES", "ASN1", "BLOWFISH", "CAMELLIA", "BIGNUM", "BASE64", "XTEA", "PBKDF2", "PADLOCK", "DES", "NET", "CTR_DRBG", "ENTROPY", "MD2", "MD4", "MD5", "SHA1", "SHA2", "SHA4", "GCM" ); -my @high_level_modules = ( "PEM", "X509", "DHM", "RSA", "MD", "CIPHER", "SSL" ); +my @high_level_modules = ( "PEM", "X509", "DHM", "RSA", "ECP", "MD", "CIPHER", "SSL" ); my $line_separator = $/; undef $/; diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 18d5ad425..63224b261 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -45,6 +45,9 @@ add_test_suite(ctr_drbg) add_test_suite(debug) add_test_suite(des) add_test_suite(dhm) +add_test_suite(ecp) +add_test_suite(ecdh) +add_test_suite(ecdsa) add_test_suite(error) add_test_suite(gcm gcm.encrypt) add_test_suite(gcm gcm.decrypt) diff --git a/tests/Makefile b/tests/Makefile index 4c97aa5d3..08173e114 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -30,6 +30,8 @@ APPS = test_suite_aes test_suite_arc4 \ test_suite_cipher.des test_suite_cipher.null \ test_suite_ctr_drbg test_suite_debug \ test_suite_des test_suite_dhm \ + test_suite_ecdh test_suite_ecdsa \ + test_suite_ecp \ test_suite_error test_suite_gcm.decrypt \ test_suite_gcm.decrypt test_suite_hmac_shax \ test_suite_md test_suite_mdx \ @@ -127,6 +129,18 @@ test_suite_dhm: test_suite_dhm.c ../library/libpolarssl.a echo " CC $@.c" $(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@ +test_suite_ecdh: test_suite_ecdh.c ../library/libpolarssl.a + echo " CC $@.c" + $(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@ + +test_suite_ecdsa: test_suite_ecdsa.c ../library/libpolarssl.a + echo " CC $@.c" + $(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@ + +test_suite_ecp: test_suite_ecp.c ../library/libpolarssl.a + echo " CC $@.c" + $(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@ + test_suite_error: test_suite_error.c ../library/libpolarssl.a echo " CC $@.c" $(CC) $(CFLAGS) $(OFLAGS) $@.c $(LDFLAGS) -o $@ diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index 2f1b26cf8..208e7e675 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -218,3 +218,49 @@ static int rnd_pseudo_rand( void *rng_state, unsigned char *output, size_t len ) return( 0 ); } + +/** + * This function returns a buffer given as a hex string. + * + * The buffer is reversed so that the following are equivalent: + * mpi_fill_random( x, len, not_rnd, str ); + * mpi_read_string( x, 16, str ); + * (So, not random at all. Usefull to match test vectors.) + * Based on unhexify(), just reversed (changes marked by "sic") + */ +static int not_rnd( void *in, unsigned char *out, size_t len ) +{ + unsigned char *obuf; + const char *ibuf = in; + unsigned char c, c2; + assert( len == strlen(ibuf) / 2 ); + assert(!(strlen(ibuf) %1)); // must be even number of bytes + + obuf = out + (len - 1); // sic + while (*ibuf != 0) + { + c = *ibuf++; + if( c >= '0' && c <= '9' ) + c -= '0'; + else if( c >= 'a' && c <= 'f' ) + c -= 'a' - 10; + else if( c >= 'A' && c <= 'F' ) + c -= 'A' - 10; + else + assert( 0 ); + + c2 = *ibuf++; + if( c2 >= '0' && c2 <= '9' ) + c2 -= '0'; + else if( c2 >= 'a' && c2 <= 'f' ) + c2 -= 'a' - 10; + else if( c2 >= 'A' && c2 <= 'F' ) + c2 -= 'A' - 10; + else + assert( 0 ); + + *obuf-- = ( c << 4 ) | c2; // sic + } + + return( 0 ); +} diff --git a/tests/suites/test_suite_ecdh.data b/tests/suites/test_suite_ecdh.data new file mode 100644 index 000000000..47b68fb59 --- /dev/null +++ b/tests/suites/test_suite_ecdh.data @@ -0,0 +1,29 @@ +ECDH primitive random #1 +ecdh_primitive_random:SECP192R1 + +ECDH primitive random #2 +ecdh_primitive_random:SECP224R1 + +ECDH primitive random #3 +ecdh_primitive_random:SECP256R1 + +ECDH primitive random #4 +ecdh_primitive_random:SECP384R1 + +ECDH primitive random #5 +ecdh_primitive_random:SECP521R1 + +ECDH primitive rfc 5903 p256 +ecdh_primitive_testvec:SECP256R1:C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433:DAD0B65394221CF9B051E1FECA5787D098DFE637FC90B9EF945D0C3772581180:5271A0461CDB8252D61F1C456FA3E59AB1F45B33ACCF5F58389E0577B8990BB3:C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53:D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF63:56FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB:D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE + +ECDH primitive rfc 5903 p384 +ecdh_primitive_testvec:SECP384R1:099F3C7034D4A2C699884D73A375A67F7624EF7C6B3C0F160647B67414DCE655E35B538041E649EE3FAEF896783AB194:667842D7D180AC2CDE6F74F37551F55755C7645C20EF73E31634FE72B4C55EE6DE3AC808ACB4BDB4C88732AEE95F41AA:9482ED1FC0EEB9CAFC4984625CCFC23F65032149E0E144ADA024181535A0F38EEB9FCFF3C2C947DAE69B4C634573A81C:41CB0779B4BDB85D47846725FBEC3C9430FAB46CC8DC5060855CC9BDA0AA2942E0308312916B8ED2960E4BD55A7448FC:E558DBEF53EECDE3D3FCCFC1AEA08A89A987475D12FD950D83CFA41732BC509D0D1AC43A0336DEF96FDA41D0774A3571:DCFBEC7AACF3196472169E838430367F66EEBE3C6E70C416DD5F0C68759DD1FFF83FA40142209DFF5EAAD96DB9E6386C:11187331C279962D93D604243FD592CB9D0A926F422E47187521287E7156C5C4D603135569B9E9D09CF5D4A270F59746 + +ECDH primitive rfc 5903 p521 +ecdh_primitive_testvec:SECP521R1:0037ADE9319A89F4DABDB3EF411AACCCA5123C61ACAB57B5393DCE47608172A095AA85A30FE1C2952C6771D937BA9777F5957B2639BAB072462F68C27A57382D4A52:0015417E84DBF28C0AD3C278713349DC7DF153C897A1891BD98BAB4357C9ECBEE1E3BF42E00B8E380AEAE57C2D107564941885942AF5A7F4601723C4195D176CED3E:017CAE20B6641D2EEB695786D8C946146239D099E18E1D5A514C739D7CB4A10AD8A788015AC405D7799DC75E7B7D5B6CF2261A6A7F1507438BF01BEB6CA3926F9582:0145BA99A847AF43793FDD0E872E7CDFA16BE30FDC780F97BCCC3F078380201E9C677D600B343757A3BDBF2A3163E4C2F869CCA7458AA4A4EFFC311F5CB151685EB9:00D0B3975AC4B799F5BEA16D5E13E9AF971D5E9B984C9F39728B5E5739735A219B97C356436ADC6E95BB0352F6BE64A6C2912D4EF2D0433CED2B6171640012D9460F:015C68226383956E3BD066E797B623C27CE0EAC2F551A10C2C724D9852077B87220B6536C5C408A1D2AEBB8E86D678AE49CB57091F4732296579AB44FCD17F0FC56A:01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3DDEA + +ECDH exchange #1 +ecdh_exchange:SECP192R1 + +ECDH exchange #2 +ecdh_exchange:SECP521R1 diff --git a/tests/suites/test_suite_ecdh.function b/tests/suites/test_suite_ecdh.function new file mode 100644 index 000000000..105f99ce0 --- /dev/null +++ b/tests/suites/test_suite_ecdh.function @@ -0,0 +1,114 @@ +BEGIN_HEADER +#include +END_HEADER + +BEGIN_DEPENDENCIES +depends_on:POLARSSL_ECDH_C:POLARSSL_ECP_C:POLARSSL_BIGNUM_C +END_DEPENDENCIES + +BEGIN_CASE +ecdh_primitive_random:id +{ + ecp_group grp; + ecp_point qA, qB; + mpi dA, dB, zA, zB; + rnd_pseudo_info rnd_info; + + ecp_group_init( &grp ); + ecp_point_init( &qA ); ecp_point_init( &qB ); + mpi_init( &dA ); mpi_init( &dB ); + mpi_init( &zA ); mpi_init( &zB ); + memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + + TEST_ASSERT( ecdh_gen_public( &grp, &dA, &qA, &rnd_pseudo_rand, &rnd_info ) + == 0 ); + TEST_ASSERT( ecdh_gen_public( &grp, &dB, &qB, &rnd_pseudo_rand, &rnd_info ) + == 0 ); + TEST_ASSERT( ecdh_compute_shared( &grp, &zA, &qB, &dA ) == 0 ); + TEST_ASSERT( ecdh_compute_shared( &grp, &zB, &qA, &dB ) == 0 ); + + TEST_ASSERT( mpi_cmp_mpi( &zA, &zB ) == 0 ); + + ecp_group_free( &grp ); + ecp_point_free( &qA ); ecp_point_free( &qB ); + mpi_free( &dA ); mpi_free( &dB ); + mpi_free( &zA ); mpi_free( &zB ); +} +END_CASE + +BEGIN_CASE +ecdh_primitive_testvec:id:dA:xA:yA:dB:xB:yB:z +{ + ecp_group grp; + ecp_point qA, qB; + mpi dA, dB, zA, zB, check; + + ecp_group_init( &grp ); + ecp_point_init( &qA ); ecp_point_init( &qB ); + mpi_init( &dA ); mpi_init( &dB ); + mpi_init( &zA ); mpi_init( &zB ); mpi_init( &check ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + + TEST_ASSERT( ecdh_gen_public( &grp, &dA, &qA, ¬_rnd, "{dA}" ) == 0 ); + TEST_ASSERT( ! ecp_is_zero( &qA ) ); + TEST_ASSERT( mpi_read_string( &check, 16, "{xA}" ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &qA.X, &check ) == 0 ); + TEST_ASSERT( mpi_read_string( &check, 16, "{yA}" ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &qA.Y, &check ) == 0 ); + + TEST_ASSERT( ecdh_gen_public( &grp, &dB, &qB, ¬_rnd, "{dB}" ) == 0 ); + TEST_ASSERT( ! ecp_is_zero( &qB ) ); + TEST_ASSERT( mpi_read_string( &check, 16, "{xB}" ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &qB.X, &check ) == 0 ); + TEST_ASSERT( mpi_read_string( &check, 16, "{yB}" ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &qB.Y, &check ) == 0 ); + + TEST_ASSERT( mpi_read_string( &check, 16, "{z}" ) == 0 ); + TEST_ASSERT( ecdh_compute_shared( &grp, &zA, &qB, &dA ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &zA, &check ) == 0 ); + TEST_ASSERT( ecdh_compute_shared( &grp, &zB, &qA, &dB ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &zB, &check ) == 0 ); + + ecp_group_free( &grp ); + ecp_point_free( &qA ); ecp_point_free( &qB ); + mpi_free( &dA ); mpi_free( &dB ); + mpi_free( &zA ); mpi_free( &zB ); mpi_free( &check ); +} +END_CASE + +BEGIN_CASE +ecdh_exchange:id +{ + ecdh_context srv, cli; + unsigned char buf[1000]; + const unsigned char *vbuf; + size_t len; + rnd_pseudo_info rnd_info; + + ecdh_init( &srv ); + ecdh_init( &cli ); + memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) ); + + TEST_ASSERT( ecp_use_known_dp( &srv.grp, POLARSSL_ECP_DP_{id} ) == 0 ); + + memset( buf, 0x00, sizeof( buf ) ); vbuf = buf; + TEST_ASSERT( ecdh_make_params( &srv, &len, buf, 1000, + &rnd_pseudo_rand, &rnd_info ) == 0 ); + TEST_ASSERT( ecdh_read_params( &cli, &vbuf, buf + len ) == 0 ); + + memset( buf, 0x00, sizeof( buf ) ); + TEST_ASSERT( ecdh_make_public( &cli, &len, buf, 1000, + &rnd_pseudo_rand, &rnd_info ) == 0 ); + TEST_ASSERT( ecdh_read_public( &srv, buf, len ) == 0 ); + + TEST_ASSERT( ecdh_calc_secret( &srv, &len, buf, 1000 ) == 0 ); + TEST_ASSERT( ecdh_calc_secret( &cli, &len, buf, 1000 ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &srv.z, &cli.z ) == 0 ); + + ecdh_free( &srv ); + ecdh_free( &cli ); +} +END_CASE diff --git a/tests/suites/test_suite_ecdsa.data b/tests/suites/test_suite_ecdsa.data new file mode 100644 index 000000000..5a94419f7 --- /dev/null +++ b/tests/suites/test_suite_ecdsa.data @@ -0,0 +1,24 @@ +ECDSA primitive random #1 +ecdsa_prim_random:SECP192R1 + +ECDSA primitive random #2 +ecdsa_prim_random:SECP224R1 + +ECDSA primitive random #3 +ecdsa_prim_random:SECP256R1 + +ECDSA primitive random #4 +ecdsa_prim_random:SECP384R1 + +ECDSA primitive random #5 +ecdsa_prim_random:SECP521R1 + +ECDSA primitive rfc 4754 p256 +ecdsa_prim_test_vectors:SECP256R1:DC51D3866A15BACDE33D96F992FCA99DA7E6EF0934E7097559C27F1614C88A7F:2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970:6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D:9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B154BF61AF1D5A6DECE:BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD:CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C:86FA3BB4E26CAD5BF90B7F81899256CE7594BB1EA0C89212748BFF3B3D5B0315 + +ECDSA primitive rfc 4754 p384 +ecdsa_prim_test_vectors:SECP384R1:0BEB646634BA87735D77AE4809A0EBEA865535DE4C1E1DCB692E84708E81A5AF62E528C38B2A81B35309668D73524D9F:96281BF8DD5E0525CA049C048D345D3082968D10FEDF5C5ACA0C64E6465A97EA5CE10C9DFEC21797415710721F437922:447688BA94708EB6E2E4D59F6AB6D7EDFF9301D249FE49C33096655F5D502FAD3D383B91C5E7EDAA2B714CC99D5743CA:B4B74E44D71A13D568003D7489908D564C7761E229C58CBFA18950096EB7463B854D7FA992F934D927376285E63414FA:CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED1631A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7:FB017B914E29149432D8BAC29A514640B46F53DDAB2C69948084E2930F1C8F7E08E07C9C63F2D21A07DCB56A6AF56EB3:B263A1305E057F984D38726A1B46874109F417BCA112674C528262A40A629AF1CBB9F516CE0FA7D2FF630863A00E8B9F + +ECDSA primitive rfc 4754 p521 +ecdsa_prim_test_vectors:SECP521R1:0065FDA3409451DCAB0A0EAD45495112A3D813C17BFD34BDF8C1209D7DF5849120597779060A7FF9D704ADF78B570FFAD6F062E95C7E0C5D5481C5B153B48B375FA1:0151518F1AF0F563517EDD5485190DF95A4BF57B5CBA4CF2A9A3F6474725A35F7AFE0A6DDEB8BEDBCD6A197E592D40188901CECD650699C9B5E456AEA5ADD19052A8:006F3B142EA1BFFF7E2837AD44C9E4FF6D2D34C73184BBAD90026DD5E6E85317D9DF45CAD7803C6C20035B2F3FF63AFF4E1BA64D1C077577DA3F4286C58F0AEAE643:00C1C2B305419F5A41344D7E4359933D734096F556197A9B244342B8B62F46F9373778F9DE6B6497B1EF825FF24F42F9B4A4BD7382CFC3378A540B1B7F0C1B956C2F:DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F:0154FD3836AF92D0DCA57DD5341D3053988534FDE8318FC6AAAAB68E2E6F4339B19F2F281A7E0B22C269D93CF8794A9278880ED7DBB8D9362CAEACEE544320552251:017705A7030290D1CEB605A9A1BB03FF9CDD521E87A696EC926C8C10C8362DF4975367101F67D1CF9BCCBF2F3D239534FA509E70AAC851AE01AAC68D62F866472660 + diff --git a/tests/suites/test_suite_ecdsa.function b/tests/suites/test_suite_ecdsa.function new file mode 100644 index 000000000..e7d4900dd --- /dev/null +++ b/tests/suites/test_suite_ecdsa.function @@ -0,0 +1,75 @@ +BEGIN_HEADER +#include +END_HEADER + +BEGIN_DEPENDENCIES +depends_on:POLARSSL_ECDSA_C:POLARSSL_ECP_C:POLARSSL_BIGNUM_C +END_DEPENDENCIES + +BEGIN_CASE +ecdsa_prim_random:id +{ + ecp_group grp; + ecp_point Q; + mpi d, r, s; + rnd_pseudo_info rnd_info; + unsigned char buf[66]; + + ecp_group_init( &grp ); + ecp_point_init( &Q ); + mpi_init( &d ); mpi_init( &r ); mpi_init( &s ); + memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) ); + memset( buf, 0, sizeof( buf ) ); + + /* prepare material for signature */ + TEST_ASSERT( rnd_pseudo_rand( &rnd_info, buf, sizeof( buf ) ) == 0 ); + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + TEST_ASSERT( ecp_gen_keypair( &grp, &d, &Q, &rnd_pseudo_rand, &rnd_info ) + == 0 ); + + TEST_ASSERT( ecdsa_sign( &grp, &r, &s, &d, buf, sizeof( buf ), + &rnd_pseudo_rand, &rnd_info ) == 0 ); + TEST_ASSERT( ecdsa_verify( &grp, buf, sizeof( buf ), &Q, &r, &s ) == 0 ); + + ecp_group_free( &grp ); + ecp_point_free( &Q ); + mpi_free( &d ); mpi_free( &r ); mpi_free( &s ); +} +END_CASE + +BEGIN_CASE +ecdsa_prim_test_vectors:id:d:xQ:yQ:k:hash:r:s +{ + ecp_group grp; + ecp_point Q; + mpi d, r, s, r_check, s_check; + unsigned char buf[66]; + size_t len; + + ecp_group_init( &grp ); + ecp_point_init( &Q ); + mpi_init( &d ); mpi_init( &r ); mpi_init( &s ); + mpi_init( &r_check ); mpi_init( &s_check ); + memset( buf, 0, sizeof( buf ) ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + TEST_ASSERT( ecp_point_read_string( &Q, 16, "{xQ}", "{yQ}" ) == 0 ); + TEST_ASSERT( mpi_read_string( &d, 16, "{d}" ) == 0 ); + TEST_ASSERT( mpi_read_string( &r_check, 16, "{r}" ) == 0 ); + TEST_ASSERT( mpi_read_string( &s_check, 16, "{s}" ) == 0 ); + len = unhexify(buf, "{hash}"); + + TEST_ASSERT( ecdsa_sign( &grp, &r, &s, &d, buf, len, + ¬_rnd, "{k}" ) == 0 ); + + TEST_ASSERT( mpi_cmp_mpi( &r, &r_check ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &s, &s_check ) == 0 ); + + TEST_ASSERT( ecdsa_verify( &grp, buf, len, &Q, &r_check, &s_check ) == 0 ); + + ecp_group_free( &grp ); + ecp_point_free( &Q ); + mpi_free( &d ); mpi_free( &r ); mpi_free( &s ); + mpi_free( &r_check ); mpi_free( &s_check ); +} +END_CASE diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data new file mode 100644 index 000000000..57b3113b5 --- /dev/null +++ b/tests/suites/test_suite_ecp.data @@ -0,0 +1,249 @@ +ECP small addition #1 +ecp_small_add:1:"":"":1:"":"":1:0:0 + +ECP small addition #2 +ecp_small_add:1:"":"":0:"14":"11":0:14:11 + +ECP small addition #3 +ecp_small_add:0:"13":"00":0:"13":"00":1:0:0 + +ECP small addition #4 +ecp_small_add:0:"14":"11":0:"14":"36":1:0:0 + +ECP small addition #5 +ecp_small_add:0:"13":"00":0:"37":"31":0:34:14 + +ECP small addition #6 +ecp_small_add:0:"14":"11":0:"37":"31":0:45:07 + +ECP small addition #7 +ecp_small_add:0:"37":"31":0:"37":"31":0:21:32 + +ECP small addition #8 +ecp_small_add:0:"14":"11":0:"14":"11":0:27:30 + +ECP small subtraction #1 +ecp_small_sub:1:"":"":1:"":"":1:0:0 + +ECP small subtraction #2 +ecp_small_sub:1:"":"":0:"14":"11":0:14:36 + +ECP small subtraction #3 +ecp_small_sub:1:"":"":0:"13":"00":0:13:00 + +ECP small subtraction #4 +ecp_small_sub:0:"13":"00":0:"13":"00":1:0:0 + +ECP small subtraction #5 +ecp_small_sub:0:"14":"11":0:"14":"11":1:0:0 + +ECP small subtraction #6 +ecp_small_sub:0:"13":"00":0:"37":"16":0:34:14 + +ECP small subtraction #7 +ecp_small_sub:0:"14":"11":0:"37":"16":0:45:07 + +ECP small subtraction #8 +ecp_small_sub:0:"37":"31":0:"37":"16":0:21:32 + +ECP small subtraction #9 +ecp_small_sub:0:"14":"11":0:"14":"36":0:27:30 + +ECP small multiplication negative +ecp_small_mul:-1:0:0:0:POLARSSL_ERR_ECP_GENERIC + +ECP small multiplication #0 +ecp_small_mul:0:1:0:0:0 + +ECP small multiplication #1 +ecp_small_mul:1:0:17:42:0 + +ECP small multiplication #2 +ecp_small_mul:2:0:20:01:0 + +ECP small multiplication #3 +ecp_small_mul:3:0:14:11:0 + +ECP small multiplication #4 +ecp_small_mul:4:0:34:33:0 + +ECP small multiplication #5 +ecp_small_mul:5:0:21:32:0 + +ECP small multiplication #6 +ecp_small_mul:6:0:27:30:0 + +ECP small multiplication #7 +ecp_small_mul:7:0:27:17:0 + +ECP small multiplication #8 +ecp_small_mul:8:0:21:15:0 + +ECP small multiplication #9 +ecp_small_mul:9:0:34:14:0 + +ECP small multiplication #10 +ecp_small_mul:10:0:14:36:0 + +ECP small multiplication #11 +ecp_small_mul:11:0:20:46:0 + +ECP small multiplication #12 +ecp_small_mul:12:0:17:05:0 + +ECP small multiplication #13 +ecp_small_mul:13:1:0:0:0 + +ECP small multiplication #14 +ecp_small_mul:1:0:17:42:0 + +ECP small multiplication #15 +ecp_small_mul:2:0:20:01:0 + +ECP small multiplication too big +ecp_small_mul:-1:0:0:0:POLARSSL_ERR_ECP_GENERIC + +ECP small check pubkey #1 +ecp_small_check_pub:1:1:0:POLARSSL_ERR_ECP_GENERIC + +ECP small check pubkey #2 +ecp_small_check_pub:9:-1:1:POLARSSL_ERR_ECP_GENERIC + +ECP small check pubkey #3 +ecp_small_check_pub:9:46:1:0 + +ECP small check pubkey #4 +ecp_small_check_pub:13:47:1:POLARSSL_ERR_ECP_GENERIC + +ECP small check pubkey #5 +ecp_small_check_pub:13:0:1:0 + +ECP small check pubkey #6 +ecp_small_check_pub:-1:10:1:POLARSSL_ERR_ECP_GENERIC + +ECP small check pubkey #7 +ecp_small_check_pub:46:10:1:0 + +ECP small check pubkey #8 +ecp_small_check_pub:47:2:1:POLARSSL_ERR_ECP_GENERIC + +ECP small check pubkey #9 +ecp_small_check_pub:0:2:1:0 + +ECP small check pubkey #10 +ecp_small_check_pub:10:25:1:POLARSSL_ERR_ECP_GENERIC + +ECP write binary #0 (zero, bad format) +ecp_write_binary:SECP192R1:"01":"01":"00":UNKNOWN:"00":1:POLARSSL_ERR_ECP_BAD_INPUT_DATA + +ECP write binary #1 (zero, uncompressed, buffer just fits) +ecp_write_binary:SECP192R1:"01":"01":"00":UNCOMPRESSED:"00":1:0 + +ECP write binary #2 (zero, buffer too small) +ecp_write_binary:SECP192R1:"01":"01":"00":UNCOMPRESSED:"00":0:POLARSSL_ERR_ECP_BUFFER_TOO_SMALL + +ECP write binary #3 (non-zero, uncompressed, buffer just fits) +ecp_write_binary:SECP192R1:"48d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":"6ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"01":UNCOMPRESSED:"0448d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc99336ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":49:0 + +ECP write binary #4 (non-zero, uncompressed, buffer too small) +ecp_write_binary:SECP192R1:"48d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":"6ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"01":UNCOMPRESSED:"0448d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc99336ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":48:POLARSSL_ERR_ECP_BUFFER_TOO_SMALL + +ECP write binary #5 (zero, compressed, buffer just fits) +ecp_write_binary:SECP192R1:"01":"01":"00":COMPRESSED:"00":1:0 + +ECP write binary #6 (zero, buffer too small) +ecp_write_binary:SECP192R1:"01":"01":"00":COMPRESSED:"00":0:POLARSSL_ERR_ECP_BUFFER_TOO_SMALL + +ECP write binary #7 (even, compressed, buffer just fits) +ecp_write_binary:SECP192R1:"48d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":"6ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"01":COMPRESSED:"0248d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":25:0 + +ECP write binary #8 (even, compressed, buffer too small) +ecp_write_binary:SECP192R1:"48d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":"6ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"01":COMPRESSED:"0248d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":24:POLARSSL_ERR_ECP_BUFFER_TOO_SMALL + +ECP write binary #7 (odd, compressed, buffer just fits) +ecp_write_binary:SECP192R1:"48d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":"93112b28345b7d1d7799611e49bea9d8290cb2d7afe1f9f3":"01":COMPRESSED:"0348d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":25:0 + +ECP read binary #1 (zero, invalid ilen) +ecp_read_binary:SECP192R1:"0000":"01":"01":"00":POLARSSL_ERR_ECP_BAD_INPUT_DATA + +ECP read binary #2 (zero, invalid first byte) +ecp_read_binary:SECP192R1:"01":"01":"01":"00":POLARSSL_ERR_ECP_BAD_INPUT_DATA + +ECP read binary #3 (zero, OK) +ecp_read_binary:SECP192R1:"00":"01":"01":"00":0 + +ECP read binary #4 (non-zero, invalid ilen) +ecp_read_binary:SECP192R1:"04001122":"01":"01":"00":POLARSSL_ERR_ECP_BAD_INPUT_DATA + +ECP read binary #5 (non-zero, invalid first byte) +ecp_read_binary:SECP192R1:"0548d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc99336ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"48d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":"6ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"01":POLARSSL_ERR_ECP_BAD_INPUT_DATA + +ECP read binary #6 (non-zero, OK) +ecp_read_binary:SECP192R1:"0448d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc99336ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"48d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":"6ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"01":0 + +ECP tls read point #1 (zero, invalid length byte) +ecp_tls_read_point:SECP192R1:"0200":"01":"01":"00":POLARSSL_ERR_ECP_BAD_INPUT_DATA + +ECP tls read point #2 (zero, OK) +ecp_tls_read_point:SECP192R1:"0100":"01":"01":"00":0 + +ECP tls read point #3 (non-zero, invalid length byte) +ecp_tls_read_point:SECP192R1:"300448d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc99336ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"48d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":"6ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"01":POLARSSL_ERR_ECP_BAD_INPUT_DATA + +ECP tls read point #4 (non-zero, OK) +ecp_tls_read_point:SECP192R1:"310448d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc99336ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"48d8082a3a1e3112bc03a8ef2f6d40d0a77a6f8e00cc9933":"6ceed4d7cba482e288669ee1b6415626d6f34d28501e060c":"01":0 + +ECP tls write-read point #1 +ecp_tls_write_read_point:SECP192R1 + +ECP tls write-read point #2 +ecp_tls_write_read_point:SECP521R1 + +ECP tls read group #1 (record too short) +ecp_tls_read_group:"0313":POLARSSL_ERR_ECP_BAD_INPUT_DATA:0 + +ECP tls read group #2 (bad curve_type) +ecp_tls_read_group:"010013":POLARSSL_ERR_ECP_BAD_INPUT_DATA:0 + +ECP tls read group #3 (unknown curve) +ecp_tls_read_group:"030010":POLARSSL_ERR_ECP_BAD_INPUT_DATA:0 + +ECP tls read group #4 (OK, buffer just fits) +ecp_tls_read_group:"030017":0:256 + +ECP tls read group #5 (OK, buffer continues) +ecp_tls_read_group:"0300180000":0:384 + +ECP tls write-read group #1 +ecp_tls_write_read_group:SECP192R1 + +ECP tls write-read group #2 +ecp_tls_write_read_group:SECP521R1 + +ECP gen keypair +ecp_gen_keypair:SECP192R1 + +ECP mod p192 readable +ecp_fast_mod:SECP192R1:"000000000000010500000000000001040000000000000103000000000000010200000000000001010000000000000100" + +ECP mod p192 random +ecp_fast_mod:SECP192R1:"36CF96B45D706A0954D89E52CE5F38517A2270E0175849B6F3740151D238CCABEF921437E475881D83BB69E4AA258EBD" + +ECP test vectors secp192r1 rfc 5114 +ecp_test_vect:SECP192R1:"323FA3169D8E9C6593F59476BC142000AB5BE0E249C43426":"CD46489ECFD6C105E7B3D32566E2B122E249ABAADD870612":"68887B4877DF51DD4DC3D6FD11F0A26F8FD3844317916E9A":"631F95BB4A67632C9C476EEE9AB695AB240A0499307FCF62":"519A121680E0045466BA21DF2EEE47F5973B500577EF13D5":"FF613AB4D64CEE3A20875BDB10F953F6B30CA072C60AA57F":"AD420182633F8526BFE954ACDA376F05E5FF4F837F54FEBE":"4371545ED772A59741D0EDA32C671112B7FDDD51461FCF32" + +ECP test vectors secp224r1 rfc 5114 +ecp_test_vect:SECP224R1:"B558EB6C288DA707BBB4F8FBAE2AB9E9CB62E3BC5C7573E22E26D37F":"49DFEF309F81488C304CFF5AB3EE5A2154367DC7833150E0A51F3EEB":"4F2B5EE45762C4F654C1A0C67F54CF88B016B51BCE3D7C228D57ADB4":"AC3B1ADD3D9770E6F6A708EE9F3B8E0AB3B480E9F27F85C88B5E6D18":"6B3AC96A8D0CDE6A5599BE8032EDF10C162D0A8AD219506DCD42A207":"D491BE99C213A7D1CA3706DEBFE305F361AFCBB33E2609C8B1618AD5":"52272F50F46F4EDC9151569092F46DF2D96ECC3B6DC1714A4EA949FA":"5F30C6AA36DDC403C0ACB712BB88F1763C3046F6D919BD9C524322BF" + +ECP test vectors secp256r1 rfc 5114 +ecp_test_vect:SECP256R1:"814264145F2F56F2E96A8E337A1284993FAF432A5ABCE59E867B7291D507A3AF":"2AF502F3BE8952F2C9B5A8D4160D09E97165BE50BC42AE4A5E8D3B4BA83AEB15":"EB0FAF4CA986C4D38681A0F9872D79D56795BD4BFF6E6DE3C0F5015ECE5EFD85":"2CE1788EC197E096DB95A200CC0AB26A19CE6BCCAD562B8EEE1B593761CF7F41":"B120DE4AA36492795346E8DE6C2C8646AE06AAEA279FA775B3AB0715F6CE51B0":"9F1B7EECE20D7B5ED8EC685FA3F071D83727027092A8411385C34DDE5708B2B6":"DD0F5396219D1EA393310412D19A08F1F5811E9DC8EC8EEA7F80D21C820C2788":"0357DCCD4C804D0D8D33AA42B848834AA5605F9AB0D37239A115BBB647936F50" + +ECP test vectors secp384r1 rfc 5114 +ecp_test_vect:SECP384R1:"D27335EA71664AF244DD14E9FD1260715DFD8A7965571C48D709EE7A7962A156D706A90CBCB5DF2986F05FEADB9376F1":"793148F1787634D5DA4C6D9074417D05E057AB62F82054D10EE6B0403D6279547E6A8EA9D1FD77427D016FE27A8B8C66":"C6C41294331D23E6F480F4FB4CD40504C947392E94F4C3F06B8F398BB29E42368F7A685923DE3B67BACED214A1A1D128":"52D1791FDB4B70F89C0F00D456C2F7023B6125262C36A7DF1F80231121CCE3D39BE52E00C194A4132C4A6C768BCD94D2":"5CD42AB9C41B5347F74B8D4EFB708B3D5B36DB65915359B44ABC17647B6B9999789D72A84865AE2F223F12B5A1ABC120":"E171458FEAA939AAA3A8BFAC46B404BD8F6D5B348C0FA4D80CECA16356CA933240BDE8723415A8ECE035B0EDF36755DE":"5EA1FC4AF7256D2055981B110575E0A8CAE53160137D904C59D926EB1B8456E427AA8A4540884C37DE159A58028ABC0E":"0CC59E4B046414A81C8A3BDFDCA92526C48769DD8D3127CAA99B3632D1913942DE362EAFAA962379374D9F3F066841CA" + +ECP test vectors secp521r1 rfc 5114 +ecp_test_vect:SECP521R1:"0113F82DA825735E3D97276683B2B74277BAD27335EA71664AF2430CC4F33459B9669EE78B3FFB9B8683015D344DCBFEF6FB9AF4C6C470BE254516CD3C1A1FB47362":"01EBB34DD75721ABF8ADC9DBED17889CBB9765D90A7C60F2CEF007BB0F2B26E14881FD4442E689D61CB2DD046EE30E3FFD20F9A45BBDF6413D583A2DBF59924FD35C":"00F6B632D194C0388E22D8437E558C552AE195ADFD153F92D74908351B2F8C4EDA94EDB0916D1B53C020B5EECAED1A5FC38A233E4830587BB2EE3489B3B42A5A86A4":"00CEE3480D8645A17D249F2776D28BAE616952D1791FDB4B70F7C3378732AA1B22928448BCD1DC2496D435B01048066EBE4F72903C361B1A9DC1193DC2C9D0891B96":"010EBFAFC6E85E08D24BFFFCC1A4511DB0E634BEEB1B6DEC8C5939AE44766201AF6200430BA97C8AC6A0E9F08B33CE7E9FEEB5BA4EE5E0D81510C24295B8A08D0235":"00A4A6EC300DF9E257B0372B5E7ABFEF093436719A77887EBB0B18CF8099B9F4212B6E30A1419C18E029D36863CC9D448F4DBA4D2A0E60711BE572915FBD4FEF2695":"00CDEA89621CFA46B132F9E4CFE2261CDE2D4368EB5656634C7CC98C7A00CDE54ED1866A0DD3E6126C9D2F845DAFF82CEB1DA08F5D87521BB0EBECA77911169C20CC":"00F9A71641029B7FC1A808AD07CD4861E868614B865AFBECAB1F2BD4D8B55EBCB5E3A53143CEB2C511B1AE0AF5AC827F60F2FD872565AC5CA0A164038FE980A7E4BD" + +ECP selftest +depends_on:POLARSSL_SELF_TEST +ecp_selftest: diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function new file mode 100644 index 000000000..a051bd74d --- /dev/null +++ b/tests/suites/test_suite_ecp.function @@ -0,0 +1,472 @@ +BEGIN_HEADER +#include +END_HEADER + +BEGIN_DEPENDENCIES +depends_on:POLARSSL_ECP_C:POLARSSL_BIGNUM_C +END_DEPENDENCIES + +BEGIN_CASE +ecp_small_add:a_zero:x_a:y_a:b_zero:x_b:y_b:c_zero:x_c:y_c +{ + ecp_group grp; + ecp_point A, B, C; + + ecp_group_init( &grp ); + ecp_point_init( &A ); ecp_point_init( &B ); ecp_point_init( &C ); + + TEST_ASSERT( ecp_group_read_string( &grp, 10, + "47", "4", "17", "42", "13" ) == 0 ); + + if( {a_zero} ) + ecp_set_zero( &A ); + else + TEST_ASSERT( ecp_point_read_string( &A, 10, {x_a}, {y_a} ) == 0 ); + + if( {b_zero} ) + ecp_set_zero( &B ); + else + TEST_ASSERT( ecp_point_read_string( &B, 10, {x_b}, {y_b} ) == 0 ); + + TEST_ASSERT( ecp_add( &grp, &C, &A, &B ) == 0 ); + + if( {c_zero} ) + TEST_ASSERT( mpi_cmp_int( &C.Z, 0 ) == 0 ); + else + { + TEST_ASSERT( mpi_cmp_int( &C.X, {x_c} ) == 0 ); + TEST_ASSERT( mpi_cmp_int( &C.Y, {y_c} ) == 0 ); + } + + TEST_ASSERT( ecp_add( &grp, &C, &B, &A ) == 0 ); + + if( {c_zero} ) + TEST_ASSERT( mpi_cmp_int( &C.Z, 0 ) == 0 ); + else + { + TEST_ASSERT( mpi_cmp_int( &C.X, {x_c} ) == 0 ); + TEST_ASSERT( mpi_cmp_int( &C.Y, {y_c} ) == 0 ); + } + + ecp_group_free( &grp ); + ecp_point_free( &A ); ecp_point_free( &B ); ecp_point_free( &C ); +} +END_CASE + +BEGIN_CASE +ecp_small_sub:a_zero:x_a:y_a:b_zero:x_b:y_b:c_zero:x_c:y_c +{ + ecp_group grp; + ecp_point A, B, C; + + ecp_group_init( &grp ); + ecp_point_init( &A ); ecp_point_init( &B ); ecp_point_init( &C ); + + TEST_ASSERT( ecp_group_read_string( &grp, 10, + "47", "4", "17", "42", "13" ) == 0 ); + + if( {a_zero} ) + ecp_set_zero( &A ); + else + TEST_ASSERT( ecp_point_read_string( &A, 10, {x_a}, {y_a} ) == 0 ); + + if( {b_zero} ) + ecp_set_zero( &B ); + else + TEST_ASSERT( ecp_point_read_string( &B, 10, {x_b}, {y_b} ) == 0 ); + + TEST_ASSERT( ecp_sub( &grp, &C, &A, &B ) == 0 ); + + if( {c_zero} ) + TEST_ASSERT( mpi_cmp_int( &C.Z, 0 ) == 0 ); + else + { + TEST_ASSERT( mpi_cmp_int( &C.X, {x_c} ) == 0 ); + TEST_ASSERT( mpi_cmp_int( &C.Y, {y_c} ) == 0 ); + } + + ecp_group_free( &grp ); + ecp_point_free( &A ); ecp_point_free( &B ); ecp_point_free( &C ); +} +END_CASE + +BEGIN_CASE +ecp_small_mul:m:r_zero:x_r:y_r:ret +{ + ecp_group grp; + ecp_point R; + mpi m; + + ecp_group_init( &grp ); + ecp_point_init( &R ); + mpi_init( &m ); + + TEST_ASSERT( ecp_group_read_string( &grp, 10, + "47", "4", "17", "42", "13" ) == 0 ); + + TEST_ASSERT( mpi_lset( &m, {m} ) == 0 ); + + TEST_ASSERT( ecp_mul( &grp, &R, &m, &grp.G ) == {ret} ); + + if( {r_zero} ) + TEST_ASSERT( mpi_cmp_int( &R.Z, 0 ) == 0 ); + else + { + TEST_ASSERT( mpi_cmp_int( &R.X, {x_r} ) == 0 ); + TEST_ASSERT( mpi_cmp_int( &R.Y, {y_r} ) == 0 ); + } + + ecp_group_free( &grp ); + ecp_point_free( &R ); + mpi_free( &m ); +} +END_CASE + +BEGIN_CASE +ecp_small_check_pub:x:y:z:ret +{ + ecp_group grp; + ecp_point P; + + ecp_group_init( &grp ); + ecp_point_init( &P ); + + TEST_ASSERT( ecp_group_read_string( &grp, 10, + "47", "4", "17", "42", "13" ) == 0 ); + + TEST_ASSERT( mpi_lset( &P.X, {x} ) == 0 ); + TEST_ASSERT( mpi_lset( &P.Y, {y} ) == 0 ); + TEST_ASSERT( mpi_lset( &P.Z, {z} ) == 0 ); + + TEST_ASSERT( ecp_check_pubkey( &grp, &P ) == {ret} ); + + ecp_group_free( &grp ); + ecp_point_free( &P ); +} +END_CASE + +BEGIN_CASE +ecp_test_vect:id:dA:xA:yA:dB:xB:yB:xZ:yZ +{ + ecp_group grp; + ecp_point R; + mpi dA, xA, yA, dB, xB, yB, xZ, yZ; + + ecp_group_init( &grp ); ecp_point_init( &R ); + mpi_init( &dA ); mpi_init( &xA ); mpi_init( &yA ); mpi_init( &dB ); + mpi_init( &xB ); mpi_init( &yB ); mpi_init( &xZ ); mpi_init( &yZ ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + + TEST_ASSERT( ecp_check_pubkey( &grp, &grp.G ) == 0 ); + + TEST_ASSERT( mpi_read_string( &dA, 16, {dA} ) == 0 ); + TEST_ASSERT( mpi_read_string( &xA, 16, {xA} ) == 0 ); + TEST_ASSERT( mpi_read_string( &yA, 16, {yA} ) == 0 ); + TEST_ASSERT( mpi_read_string( &dB, 16, {dB} ) == 0 ); + TEST_ASSERT( mpi_read_string( &xB, 16, {xB} ) == 0 ); + TEST_ASSERT( mpi_read_string( &yB, 16, {yB} ) == 0 ); + TEST_ASSERT( mpi_read_string( &xZ, 16, {xZ} ) == 0 ); + TEST_ASSERT( mpi_read_string( &yZ, 16, {yZ} ) == 0 ); + + TEST_ASSERT( ecp_mul( &grp, &R, &dA, &grp.G ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &R.X, &xA ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yA ) == 0 ); + TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 ); + TEST_ASSERT( ecp_mul( &grp, &R, &dB, &R ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &R.X, &xZ ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yZ ) == 0 ); + TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 ); + + TEST_ASSERT( ecp_mul( &grp, &R, &dB, &grp.G ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &R.X, &xB ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yB ) == 0 ); + TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 ); + TEST_ASSERT( ecp_mul( &grp, &R, &dA, &R ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &R.X, &xZ ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &R.Y, &yZ ) == 0 ); + TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 ); + + ecp_group_free( &grp ); ecp_point_free( &R ); + mpi_free( &dA ); mpi_free( &xA ); mpi_free( &yA ); mpi_free( &dB ); + mpi_free( &xB ); mpi_free( &yB ); mpi_free( &xZ ); mpi_free( &yZ ); +} +END_CASE + +BEGIN_CASE +ecp_fast_mod:id:N +{ + ecp_group grp; + mpi N, R; + + mpi_init( &N ); mpi_init( &R ); + ecp_group_init( &grp ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + TEST_ASSERT( mpi_read_string( &N, 16, {N} ) == 0 ); + + /* + * Store correct result before we touch N + */ + TEST_ASSERT( mpi_mod_mpi( &R, &N, &grp.P ) == 0 ); + + TEST_ASSERT( grp.modp( &N ) == 0 ); + TEST_ASSERT( mpi_msb( &N ) <= grp.pbits + 3 ); + + /* + * Use mod rather than addition/substraction in case previous test fails + */ + TEST_ASSERT( mpi_mod_mpi( &N, &N, &grp.P ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &N, &R ) == 0 ); + + mpi_free( &N ); mpi_free( &R ); + ecp_group_free( &grp ); +} +END_CASE + +BEGIN_CASE +ecp_write_binary:id:x:y:z:format:out:blen:ret +{ + ecp_group grp; + ecp_point P; + unsigned char buf[256], str[512]; + size_t olen; + + memset( buf, 0, sizeof( buf ) ); + memset( str, 0, sizeof( str ) ); + + ecp_group_init( &grp ); ecp_point_init( &P ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + + TEST_ASSERT( mpi_read_string( &P.X, 16, {x} ) == 0 ); + TEST_ASSERT( mpi_read_string( &P.Y, 16, {y} ) == 0 ); + TEST_ASSERT( mpi_read_string( &P.Z, 16, {z} ) == 0 ); + +#define POLARSSL_ECP_PF_UNKNOWN -1 + TEST_ASSERT( ecp_point_write_binary( &grp, &P, POLARSSL_ECP_PF_{format}, + &olen, buf, {blen} ) == {ret} ); + + if( {ret} == 0 ) + { + hexify( str, buf, olen ); + TEST_ASSERT( strcasecmp( (char *) str, {out} ) == 0 ); + } + + ecp_group_free( &grp ); ecp_point_free( &P ); +} +END_CASE + +BEGIN_CASE +ecp_read_binary:id:input:x:y:z:ret +{ + ecp_group grp; + ecp_point P; + mpi X, Y, Z; + int ilen; + unsigned char buf[256]; + + memset( buf, 0, sizeof( buf ) ); + + ecp_group_init( &grp ); ecp_point_init( &P ); + mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + + TEST_ASSERT( mpi_read_string( &X, 16, {x} ) == 0 ); + TEST_ASSERT( mpi_read_string( &Y, 16, {y} ) == 0 ); + TEST_ASSERT( mpi_read_string( &Z, 16, {z} ) == 0 ); + + ilen = unhexify( buf, {input} ); + + TEST_ASSERT( ecp_point_read_binary( &grp, &P, buf, ilen ) == {ret} ); + + if( {ret} == 0 ) + { + TEST_ASSERT( mpi_cmp_mpi( &P.X, &X ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &P.Y, &Y ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &P.Z, &Z ) == 0 ); + } + + ecp_group_free( &grp ); ecp_point_free( &P ); + mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z ); +} +END_CASE + +BEGIN_CASE +ecp_tls_read_point:id:input:x:y:z:ret +{ + ecp_group grp; + ecp_point P; + mpi X, Y, Z; + size_t ilen; + unsigned char buf[256]; + const unsigned char *vbuf = buf; + + memset( buf, 0, sizeof( buf ) ); + + ecp_group_init( &grp ); ecp_point_init( &P ); + mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + + TEST_ASSERT( mpi_read_string( &X, 16, {x} ) == 0 ); + TEST_ASSERT( mpi_read_string( &Y, 16, {y} ) == 0 ); + TEST_ASSERT( mpi_read_string( &Z, 16, {z} ) == 0 ); + + ilen = unhexify( buf, {input} ); + + TEST_ASSERT( ecp_tls_read_point( &grp, &P, &vbuf, ilen ) == {ret} ); + + if( {ret} == 0 ) + { + TEST_ASSERT( mpi_cmp_mpi( &P.X, &X ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &P.Y, &Y ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &P.Z, &Z ) == 0 ); + TEST_ASSERT( *vbuf == 0x00 ); + } + + ecp_group_free( &grp ); ecp_point_free( &P ); + mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z ); +} +END_CASE + +BEGIN_CASE +ecp_tls_write_read_point:id +{ + ecp_group grp; + ecp_point pt; + unsigned char buf[256]; + const unsigned char *vbuf; + size_t olen; + + ecp_group_init( &grp ); + ecp_point_init( &pt ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + + memset( buf, 0x00, sizeof( buf ) ); vbuf = buf; + TEST_ASSERT( ecp_tls_write_point( &grp, &grp.G, + POLARSSL_ECP_PF_COMPRESSED, &olen, buf, 256 ) == 0 ); + TEST_ASSERT( ecp_tls_read_point( &grp, &pt, &vbuf, olen ) + == POLARSSL_ERR_ECP_BAD_INPUT_DATA ); + TEST_ASSERT( vbuf == buf + olen ); + + memset( buf, 0x00, sizeof( buf ) ); vbuf = buf; + TEST_ASSERT( ecp_tls_write_point( &grp, &grp.G, + POLARSSL_ECP_PF_UNCOMPRESSED, &olen, buf, 256 ) == 0 ); + TEST_ASSERT( ecp_tls_read_point( &grp, &pt, &vbuf, olen ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &grp.G.X, &pt.X ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &grp.G.Y, &pt.Y ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &grp.G.Z, &pt.Z ) == 0 ); + TEST_ASSERT( vbuf == buf + olen ); + + memset( buf, 0x00, sizeof( buf ) ); vbuf = buf; + TEST_ASSERT( ecp_set_zero( &pt ) == 0 ); + TEST_ASSERT( ecp_tls_write_point( &grp, &pt, + POLARSSL_ECP_PF_COMPRESSED, &olen, buf, 256 ) == 0 ); + TEST_ASSERT( ecp_tls_read_point( &grp, &pt, &vbuf, olen ) == 0 ); + TEST_ASSERT( ecp_is_zero( &pt ) ); + TEST_ASSERT( vbuf == buf + olen ); + + memset( buf, 0x00, sizeof( buf ) ); vbuf = buf; + TEST_ASSERT( ecp_set_zero( &pt ) == 0 ); + TEST_ASSERT( ecp_tls_write_point( &grp, &pt, + POLARSSL_ECP_PF_UNCOMPRESSED, &olen, buf, 256 ) == 0 ); + TEST_ASSERT( ecp_tls_read_point( &grp, &pt, &vbuf, olen ) == 0 ); + TEST_ASSERT( ecp_is_zero( &pt ) ); + TEST_ASSERT( vbuf == buf + olen ); + + ecp_group_free( &grp ); + ecp_point_free( &pt ); +} +END_CASE + +BEGIN_CASE +ecp_tls_read_group:record:ret:bits +{ + ecp_group grp; + unsigned char buf[10]; + const unsigned char *vbuf = buf; + int len, ret; + + ecp_group_init( &grp ); + memset( buf, 0x00, sizeof( buf ) ); + + len = unhexify( buf, {record} ); + + ret = ecp_tls_read_group( &grp, &vbuf, len ); + + TEST_ASSERT( ret == {ret} ); + if( ret == 0) + { + TEST_ASSERT( mpi_msb( &grp.P ) == {bits} ); + TEST_ASSERT( *vbuf == 0x00 ); + } + + ecp_group_free( &grp ); +} +END_CASE + +BEGIN_CASE +ecp_tls_write_read_group:id +{ + ecp_group grp1, grp2; + unsigned char buf[10]; + const unsigned char *vbuf = buf; + size_t len; + int ret; + + ecp_group_init( &grp1 ); + ecp_group_init( &grp2 ); + memset( buf, 0x00, sizeof( buf ) ); + + TEST_ASSERT( ecp_use_known_dp( &grp1, POLARSSL_ECP_DP_{id} ) == 0 ); + + TEST_ASSERT( ecp_tls_write_group( &grp1, &len, buf, 10 ) == 0 ); + TEST_ASSERT( ( ret = ecp_tls_read_group( &grp2, &vbuf, len ) ) == 0 ); + + if( ret == 0 ) + { + TEST_ASSERT( mpi_cmp_mpi( &grp1.N, &grp2.N ) == 0 ); + TEST_ASSERT( grp1.id == grp2.id ); + } + + ecp_group_free( &grp1 ); + ecp_group_free( &grp2 ); +} +END_CASE + +BEGIN_CASE +ecp_gen_keypair:id +{ + ecp_group grp; + ecp_point Q; + mpi d; + rnd_pseudo_info rnd_info; + + ecp_group_init( &grp ); + ecp_point_init( &Q ); + mpi_init( &d ); + memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + + TEST_ASSERT( ecp_gen_keypair( &grp, &d, &Q, &rnd_pseudo_rand, &rnd_info ) + == 0 ); + + TEST_ASSERT( mpi_cmp_mpi( &d, &grp.N ) < 0 ); + TEST_ASSERT( mpi_cmp_int( &d, 1 ) >= 0 ); + + ecp_group_free( &grp ); + ecp_point_free( &Q ); + mpi_free( &d ); +} +END_CASE + +BEGIN_CASE +ecp_selftest: +{ + TEST_ASSERT( ecp_self_test( 0 ) == 0 ); +} +END_CASE