From dacfe563700e703f30f7a3dd3044b0d253786fd8 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 2 May 2023 14:05:13 +0200 Subject: [PATCH 1/6] Add `_raw` function to P192K1 Modified the testing to use the generic fast reduction test function. Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 12 ++++---- library/ecp_invasive.h | 2 +- scripts/mbedtls_dev/ecp.py | 8 +++-- tests/suites/test_suite_ecp.function | 46 +++++----------------------- 4 files changed, 20 insertions(+), 48 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index b07753a07..feda4ce35 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4613,7 +4613,7 @@ int mbedtls_ecp_mod_p448(mbedtls_mpi *); #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) static int ecp_mod_p192k1(mbedtls_mpi *); MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p192k1(mbedtls_mpi *); +int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) static int ecp_mod_p224k1(mbedtls_mpi *); @@ -5629,21 +5629,21 @@ static int ecp_mod_p192k1(mbedtls_mpi *N) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t expected_width = 2 * ((192 + biL - 1) / biL); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width)); - ret = mbedtls_ecp_mod_p192k1(N); + ret = mbedtls_ecp_mod_p192k1_raw(N->p, expected_width); cleanup: return ret; } MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p192k1(mbedtls_mpi *N) +int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs) { static mbedtls_mpi_uint Rp[] = { - MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x00) + MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00) }; - return ecp_mod_koblitz(N->p, N->n, Rp, 192); + return ecp_mod_koblitz(X, X_limbs, Rp, 192); } #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 68187acbc..78e0bcbf7 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h 
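Review bot: The wrapper `ecp_mod_p192k1` now passes `expected_width` to the reduction instead of `N->n`, and `mbedtls_mpi_grow` never shrinks, so an `N` that arrives with more than 12 limbs (32-bit) or 6 limbs (64-bit) has the limbs above `expected_width` neither reduced nor cleared, whereas the replaced `ecp_mod_koblitz(N->p, N->n, Rp, 192)` covered all of them. That is only correct if every caller guarantees the input fits in 384 bits; presumably the generic modp dispatcher checks the bit length before calling, but that code is outside this hunk. I would state the precondition on the wrapper, `/* Callers must ensure bitlen(N) <= 384: limbs above expected_width are ignored. */`, or reject non-zero high limbs explicitly rather than truncating silently.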
@@ -176,7 +176,7 @@ int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs); * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119 */ MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p192k1(mbedtls_mpi *N); +int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index 5f0efcf1c..76a369701 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -494,8 +494,8 @@ class EcpP192K1Raw(bignum_common.ModOperationCommon, EcpTarget): """Test cases for ECP P192K1 fast reduction.""" symbol = "-" - test_function = "ecp_mod_p192k1" - test_name = "ecp_mod_p192k1" + test_function = "ecp_mod_p_generic_raw" + test_name = "ecp_mod_p192k1_raw" input_style = "fixed" arity = 1 dependencies = ["MBEDTLS_ECP_DP_SECP192K1_ENABLED"] @@ -557,6 +557,10 @@ class EcpP192K1Raw(bignum_common.ModOperationCommon, def is_valid(self) -> bool: return True + def arguments(self): + args = super().arguments() + return ["MBEDTLS_ECP_DP_SECP192K1"] + args + class EcpP224K1Raw(bignum_common.ModOperationCommon, EcpTarget): diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index f034d6fc8..9d33e4df4 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1327,6 +1327,13 @@ void ecp_mod_p_generic_raw(int curve_id, curve_bits = 522; curve_func = &mbedtls_ecp_mod_p521_raw; break; +#endif +#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) + case MBEDTLS_ECP_DP_SECP192K1: + limbs = 2 * limbs_N; + curve_bits = 192; + curve_func = &mbedtls_ecp_mod_p192k1_raw; + break; #endif default: mbedtls_test_fail("Unsupported curve_id", __LINE__, __FILE__); 
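Review bot: The `arguments()` override added to `EcpP192K1Raw` does nothing curve-specific beyond prepending one constant, and every curve class that moves to `ecp_mod_p_generic_raw` will need the same three lines. A class attribute such as `curve_id = "MBEDTLS_ECP_DP_SECP192K1"` consumed by a single `arguments()` in the shared base (`EcpTarget` is not visible here, so I am assuming it is the right home) keeps the curve id next to `dependencies` and avoids one copy of the override per curve. If the base cannot be changed, at least a one-line comment, `# curve_id must be the first argument of ecp_mod_p_generic_raw`, ties the string to the C test signature it has to match.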
@@ -1355,45 +1362,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_DP_SECP192K1_ENABLED */ -void ecp_mod_p192k1(char *input_N, - char *input_X, - char *result) -{ - mbedtls_mpi X; - mbedtls_mpi N; - mbedtls_mpi res; - - mbedtls_mpi_init(&X); - mbedtls_mpi_init(&N); - mbedtls_mpi_init(&res); - - TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0); - TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0); - TEST_EQUAL(mbedtls_test_read_mpi(&res, result), 0); - - TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, X.p, X.n)); - TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, N.p, N.n)); - TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, res.p, res.n)); - - size_t limbs = N.n; - size_t bytes = limbs * sizeof(mbedtls_mpi_uint); - - TEST_EQUAL(X.n, 2 * limbs); - TEST_EQUAL(res.n, limbs); - - TEST_EQUAL(mbedtls_ecp_mod_p192k1(&X), 0); - TEST_EQUAL(mbedtls_mpi_mod_mpi(&X, &X, &N), 0); - TEST_LE_U(mbedtls_mpi_core_bitlen(X.p, X.n), 192); - ASSERT_COMPARE(X.p, bytes, res.p, bytes); - -exit: - mbedtls_mpi_free(&X); - mbedtls_mpi_free(&N); - mbedtls_mpi_free(&res); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_DP_SECP224K1_ENABLED */ void ecp_mod_p224k1(char *input_N, char *input_X, From e42bb6294e49e4ce7f3319e7f3840fa118a1a2c6 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 2 May 2023 14:10:57 +0200 Subject: [PATCH 2/6] Add `_raw` function to P224K1 Modified the testing to use the generic fast reduction test function. Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 20 ++++++------- library/ecp_invasive.h | 3 +- scripts/mbedtls_dev/ecp.py | 10 +++++-- tests/suites/test_suite_ecp.function | 45 +++++----------------------- 4 files changed, 26 insertions(+), 52 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index feda4ce35..708dcec5f 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c 
@@ -4618,7 +4618,7 @@ int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) static int ecp_mod_p224k1(mbedtls_mpi *); MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p224k1(mbedtls_mpi *); +int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) static int ecp_mod_p256k1(mbedtls_mpi *); @@ -5650,30 +5650,30 @@ int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs) #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) +/* + * Fast quasi-reduction modulo p224k1 = 2^224 - R, + * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93 + */ static int ecp_mod_p224k1(mbedtls_mpi *N) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t expected_width = 2 * 224 / biL; MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width)); - ret = mbedtls_ecp_mod_p224k1(N); + ret = mbedtls_ecp_mod_p224k1_raw(N->p, expected_width); cleanup: return ret; } -/* - * Fast quasi-reduction modulo p224k1 = 2^224 - R, - * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93 - */ MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p224k1(mbedtls_mpi *N) +int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs) { static mbedtls_mpi_uint Rp[] = { - MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x00) + MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00) }; - return ecp_mod_koblitz(N->p, N->n, Rp, 224); + return ecp_mod_koblitz(X, X_limbs, Rp, 224); } #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 78e0bcbf7..744945c33 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h 
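Review bot: `expected_width` is `2 * 224 / biL` here but `2 * ((192 + biL - 1) / biL)` for p192k1 in the same file; with 64-bit limbs the p224k1 form yields 7 while the ceil form would yield 8, so the two are not interchangeable and a reader has to work out that 448 happens to be a multiple of both 32 and 64. Since this value is exactly what `mbedtls_ecp_mod_p224k1_raw(N->p, expected_width)` now receives as the buffer width, a comment on that line, `/* 448 bits is a whole number of limbs for biL in {32, 64}: 14 or 7, not 2 * limbs(p) */`, would stop someone "normalising" it to the ceil form and changing the width. Alternatively use one form for all three Koblitz curves and explain the exception once.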
@@ -179,10 +179,11 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ + #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p224k1(mbedtls_mpi *N); +int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index 76a369701..7efb32d89 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -566,8 +566,8 @@ class EcpP224K1Raw(bignum_common.ModOperationCommon, EcpTarget): """Test cases for ECP P224 fast reduction.""" symbol = "-" - test_function = "ecp_mod_p224k1" - test_name = "ecp_mod_p224k1" + test_function = "ecp_mod_p_generic_raw" + test_name = "ecp_mod_p224k1_raw" input_style = "fixed" arity = 1 dependencies = ["MBEDTLS_ECP_DP_SECP224K1_ENABLED"] @@ -586,7 +586,7 @@ class EcpP224K1Raw(bignum_common.ModOperationCommon, # 2^224 - 1 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - # Maximum canonical P224 multiplication result + # Maximum canonical P224K1 multiplication result ("fffffffffffffffffffffffffffffffffffffffffffffffdffffcad8" "00000000000000000000000000000000000000010000352802c26590"), @@ -630,6 +630,10 @@ class EcpP224K1Raw(bignum_common.ModOperationCommon, def is_valid(self) -> bool: return True + def arguments(self): + args = super().arguments() + return ["MBEDTLS_ECP_DP_SECP224K1"] + args + class EcpP256K1Raw(bignum_common.ModOperationCommon, EcpTarget): diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 9d33e4df4..f55c184a4 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function 
@@ -1334,6 +1334,13 @@ void ecp_mod_p_generic_raw(int curve_id, curve_bits = 192; curve_func = &mbedtls_ecp_mod_p192k1_raw; break; +#endif +#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) + case MBEDTLS_ECP_DP_SECP224K1: + limbs = 448 / biL; + curve_bits = 224; + curve_func = &mbedtls_ecp_mod_p224k1_raw; + break; #endif default: mbedtls_test_fail("Unsupported curve_id", __LINE__, __FILE__); @@ -1362,44 +1369,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_DP_SECP224K1_ENABLED */ -void ecp_mod_p224k1(char *input_N, - char *input_X, - char *result) -{ - mbedtls_mpi X; - mbedtls_mpi N; - mbedtls_mpi res; - - mbedtls_mpi_init(&X); - mbedtls_mpi_init(&N); - mbedtls_mpi_init(&res); - - TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0); - TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0); - TEST_EQUAL(mbedtls_test_read_mpi(&res, result), 0); - - TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, X.p, X.n)); - TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, N.p, N.n)); - TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, res.p, res.n)); - - size_t limbs = N.n; - size_t bytes = limbs * sizeof(mbedtls_mpi_uint); - - TEST_LE_U(X.n, 448 / biL); - TEST_EQUAL(res.n, limbs); - - TEST_EQUAL(mbedtls_ecp_mod_p224k1(&X), 0); - TEST_EQUAL(mbedtls_mpi_mod_mpi(&X, &X, &N), 0); - TEST_LE_U(mbedtls_mpi_core_bitlen(X.p, X.n), 224); - ASSERT_COMPARE(X.p, bytes, res.p, bytes); - -exit: - mbedtls_mpi_free(&X); - mbedtls_mpi_free(&N); - mbedtls_mpi_free(&res); -} -/* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_DP_SECP256K1_ENABLED */ void ecp_mod_p256k1(char *input_N, From 03558b847e2505c4919d55ce2fe4eee179c43067 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 2 May 2023 14:12:25 +0200 Subject: [PATCH 3/6] Add `_raw` function to P256K1 Modified the testing to use the generic fast reduction test function. 
Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 21 +++++++------ library/ecp_invasive.h | 2 +- scripts/mbedtls_dev/ecp.py | 18 ++++++++--- tests/suites/test_suite_ecp.function | 47 +++++----------------------- 4 files changed, 32 insertions(+), 56 deletions(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 708dcec5f..c217c40a8 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -4623,7 +4623,7 @@ int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) static int ecp_mod_p256k1(mbedtls_mpi *); MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p256k1(mbedtls_mpi *); +int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif #if defined(ECP_LOAD_GROUP) @@ -5680,30 +5680,31 @@ int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs) #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) +/* + * Fast quasi-reduction modulo p256k1 = 2^256 - R, + * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1 + */ static int ecp_mod_p256k1(mbedtls_mpi *N) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t expected_width = 2 * ((256 + biL - 1) / biL); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width)); - ret = mbedtls_ecp_mod_p256k1(N); + ret = mbedtls_ecp_mod_p256k1_raw(N->p, expected_width); cleanup: return ret; } -/* - * Fast quasi-reduction modulo p256k1 = 2^256 - R, - * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1 - */ MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p256k1(mbedtls_mpi *N) +int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs) { static mbedtls_mpi_uint Rp[] = { - MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x00) + MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00) }; - return ecp_mod_koblitz(N->p, N->n, Rp, 256); + return ecp_mod_koblitz(X, X_limbs, Rp, 256); } + #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ #if defined(MBEDTLS_TEST_HOOKS) 
diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 744945c33..cfa12e9be 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -190,7 +190,7 @@ int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) MBEDTLS_STATIC_TESTABLE -int mbedtls_ecp_mod_p256k1(mbedtls_mpi *N); +int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py index 7efb32d89..c9fb5e55e 100644 --- a/scripts/mbedtls_dev/ecp.py +++ b/scripts/mbedtls_dev/ecp.py @@ -639,8 +639,8 @@ class EcpP256K1Raw(bignum_common.ModOperationCommon, EcpTarget): """Test cases for ECP P256 fast reduction.""" symbol = "-" - test_function = "ecp_mod_p256k1" - test_name = "ecp_mod_p256k1" + test_function = "ecp_mod_p_generic_raw" + test_name = "ecp_mod_p256k1_raw" input_style = "fixed" arity = 1 dependencies = ["MBEDTLS_ECP_DP_SECP256K1_ENABLED"] @@ -659,9 +659,13 @@ class EcpP256K1Raw(bignum_common.ModOperationCommon, # 2^256 - 1 "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - # Maximum canonical P256 multiplication result - ("fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff85c0" - "00000000000000000000000000000000000000000000001000007a4000e9844"), + # Maximum canonical P256K1 multiplication result + ("fffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffff85c" + "000000000000000000000000000000000000000000000001000007a4000e9844"), + + # Test case for overflow during addition + ("0000fffffc2f000e90a0c86a0a63234e5ba641f43a7e4aecc4040e67ec850562" + "00000000000000000000000000000000000000000000000000000000585674fd"), # Test case for overflow during addition ("0000fffffc2f000e90a0c86a0a63234e5ba641f43a7e4aecc4040e67ec850562" 
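Review bot: The newly added "Test case for overflow during addition" vector in `EcpP256K1Raw` has the same first 64 hex digits as the pre-existing vector that follows it in the context lines (`0000fffffc2f000e90a0c86a0a63234e5ba641f43a7e4aecc4040e67ec850562`); the existing entry's second line is outside the hunk so I cannot confirm it, but if its low half is also `…585674fd` the new entry is a verbatim duplicate and adds no coverage. Either drop it or change its comment to say which overflow it exercises that the other one does not. The corrected maximum-canonical product does look right: both halves are now 64 digits, where the old split had 65 and 63.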
@@ -702,6 +706,10 @@ class EcpP256K1Raw(bignum_common.ModOperationCommon, def is_valid(self) -> bool: return True + def arguments(self): + args = super().arguments() + return ["MBEDTLS_ECP_DP_SECP256K1"] + args + class EcpP448Raw(bignum_common.ModOperationCommon, EcpTarget): diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index f55c184a4..af69aaff2 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -1341,6 +1341,13 @@ void ecp_mod_p_generic_raw(int curve_id, curve_bits = 224; curve_func = &mbedtls_ecp_mod_p224k1_raw; break; +#endif +#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) + case MBEDTLS_ECP_DP_SECP256K1: + limbs = 2 * limbs_N; + curve_bits = 256; + curve_func = &mbedtls_ecp_mod_p256k1_raw; + break; #endif default: mbedtls_test_fail("Unsupported curve_id", __LINE__, __FILE__); 
@@ -1369,46 +1376,6 @@ exit: } /* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_DP_SECP256K1_ENABLED */ -void ecp_mod_p256k1(char *input_N, - char *input_X, - char *result) -{ - mbedtls_mpi X; - mbedtls_mpi N; - mbedtls_mpi res; - - mbedtls_mpi_init(&X); - mbedtls_mpi_init(&N); - mbedtls_mpi_init(&res); - - TEST_EQUAL(mbedtls_test_read_mpi(&X, input_X), 0); - TEST_EQUAL(mbedtls_test_read_mpi(&N, input_N), 0); - TEST_EQUAL(mbedtls_test_read_mpi(&res, result), 0); - - TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, X.p, X.n)); - TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, N.p, N.n)); - TEST_ASSERT(mbedtls_mpi_core_uint_le_mpi(0, res.p, res.n)); - - size_t limbs = N.n; - size_t bytes = limbs * sizeof(mbedtls_mpi_uint); - - TEST_LE_U(X.n, 2 * limbs); - TEST_EQUAL(res.n, limbs); - - TEST_EQUAL(mbedtls_ecp_mod_p256k1(&X), 0); - TEST_EQUAL(mbedtls_mpi_mod_mpi(&X, &X, &N), 0); - TEST_LE_U(mbedtls_mpi_core_bitlen(X.p, X.n), 256); - ASSERT_COMPARE(X.p, bytes, res.p, bytes); - -exit: - mbedtls_mpi_free(&X); - mbedtls_mpi_free(&N); - mbedtls_mpi_free(&res); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_ECP_DP_CURVE448_ENABLED */ void ecp_mod_p448(char *input_N, char *input_X, From caac83c517effd6dedf29767874708bf751ddc03 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 16 May 2023 17:41:26 +0200 Subject: [PATCH 4/6] Fix comment Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index c217c40a8..149697087 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5532,7 +5532,7 @@ cleanup: * Fast quasi-reduction modulo P = 2^s - R, * with R about 33 bits, used by the Koblitz curves. * - * Write N as A0 + 2^224 A1, return A0 + R * A1. + * Write X as A0 + 2^224 A1, return A0 + R * A1. */ #define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R 
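Review bot: The corrected comment still says `Write X as A0 + 2^224 A1`, but this block documents the generic `P = 2^s - R` reduction shared by the 192-, 224- and 256-bit Koblitz curves, so 2^224 is right for only one of the three callers. Suggest `* Write X as A0 + 2^s A1, return A0 + R * A1.`, which matches the `2^s` already used in the sentence above it. The function this comment describes begins after the end of the hunk.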
From fa3f74145b21d9d9c827a016bcc5b6d355a0afd1 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 17 May 2023 17:35:47 +0200 Subject: [PATCH 5/6] Add documentation Signed-off-by: Gabor Mezei --- library/ecp_invasive.h | 47 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 3 deletions(-) diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index cfa12e9be..16b7b6141 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -171,9 +171,20 @@ int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs); #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) -/* - * Fast quasi-reduction modulo p192k1 = 2^192 - R, - * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119 +/** Fast quasi-reduction modulo p192k1 = 2^192 - R, + * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9 + * + * \param[in,out] X The address of the MPI to be converted. + * Must have exact limb size that stores a 384-bit MPI + * (double the bitlength of the modulus). + * Upon return holds the reduced value which is + * in range `0 <= X < 2 * N` (where N is the modulus). + * The bitlength of the reduced value is the same as + * that of the modulus (192 bits). + * \param[in] X_limbs The length of \p X in limbs. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed. */ MBEDTLS_STATIC_TESTABLE int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); 
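Review bot: The new doxygen for `mbedtls_ecp_mod_p192k1_raw` makes two claims that conflict: `0 <= X < 2 * N` admits values up to 2^193 - 2R - 1, which are 193 bits long, while the next sentence says the reduced value has the same bitlength as the modulus (192 bits). Only one can be the contract of `ecp_mod_koblitz`, which I cannot see here; if the output really is below 2^192, tighten the range, otherwise replace the bitlength sentence with `* The reduced value may be one bit longer than the modulus.` Also `The address of the MPI to be converted` reads oddly for a reduction; `to be reduced` says what happens. The corrected R value 0x01000011C9 does match the `Rp` bytes `C9 11 00 00 01 00 00 00` in ecp_curves.c.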
@@ -182,6 +193,21 @@ int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) +/** Fast quasi-reduction modulo p224k1 = 2^224 - R, + * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93 + * + * \param[in,out] X The address of the MPI to be converted. + * Must have exact limb size that stores a 448-bit MPI + * (double the bitlength of the modulus). + * Upon return holds the reduced value which is + * in range `0 <= X < 2 * N` (where N is the modulus). + * The bitlength of the reduced value is the same as + * that of the modulus (224 bits). + * \param[in] X_limbs The length of \p X in limbs. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed. + */ MBEDTLS_STATIC_TESTABLE int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); @@ -189,6 +215,21 @@ int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) +/** Fast quasi-reduction modulo p256k1 = 2^256 - R, + * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1 + * + * \param[in,out] X The address of the MPI to be converted. + * Must have exact limb size that stores a 512-bit MPI + * (double the bitlength of the modulus). + * Upon return holds the reduced value which is + * in range `0 <= X < 2 * N` (where N is the modulus). + * The bitlength of the reduced value is the same as + * that of the modulus (256 bits). + * \param[in] X_limbs The length of \p X in limbs. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed. + */ MBEDTLS_STATIC_TESTABLE int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); From d56e6e008bb5979c68d8710b5a992b664dc9212c Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 17 May 2023 17:51:19 +0200 Subject: [PATCH 6/6] Add input parameter length check for the Koblitz reduction 
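Review bot: `\return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed` is documented for `mbedtls_ecp_mod_p224k1_raw`, but nothing visible in the raw function allocates; it only forwards to `ecp_mod_koblitz`, whose body is outside this series. If `ecp_mod_koblitz` works on fixed-size limb buffers, as the raw-limb interface suggests, this line documents an error that cannot occur and should be dropped; if it can still fail, name the code it actually returns. Worth checking once and applying to all three Koblitz declarations rather than carrying the line over from the older `mbedtls_mpi`-based comments.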
Signed-off-by: Gabor Mezei --- library/ecp_curves.c | 13 +++++++++++++ library/ecp_invasive.h | 6 ++++++ 2 files changed, 19 insertions(+) diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 149697087..6573f8954 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -5643,6 +5643,10 @@ int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs) 0x01, 0x00, 0x00, 0x00) }; + if (X_limbs != 2 * ((192 + biL - 1) / biL)) { + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } + return ecp_mod_koblitz(X, X_limbs, Rp, 192); } @@ -5673,6 +5677,10 @@ int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs) 0x01, 0x00, 0x00, 0x00) }; + if (X_limbs != 2 * 224 / biL) { + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } + return ecp_mod_koblitz(X, X_limbs, Rp, 224); } @@ -5702,6 +5710,11 @@ int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs) MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00) }; + + if (X_limbs != 2 * ((256 + biL - 1) / biL)) { + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } + return ecp_mod_koblitz(X, X_limbs, Rp, 256); } diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h index 16b7b6141..aadcdbc78 100644 --- a/library/ecp_invasive.h +++ b/library/ecp_invasive.h @@ -184,6 +184,8 @@ int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs); * \param[in] X_limbs The length of \p X in limbs. * * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have + * twice as many limbs as the modulus. * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed. */ MBEDTLS_STATIC_TESTABLE @@ -206,6 +208,8 @@ int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); * \param[in] X_limbs The length of \p X in limbs. * * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have + * twice as many limbs as the modulus. * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed. */ MBEDTLS_STATIC_TESTABLE 
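Review bot: Each `_raw` function now re-derives its expected limb count (`2 * ((192 + biL - 1) / biL)`, `2 * 224 / biL`, `2 * ((256 + biL - 1) / biL)`) independently of the `expected_width` its wrapper computes a few lines above, so editing either side makes the wrapper's own call fail with `MBEDTLS_ERR_ECP_BAD_INPUT_DATA`, and nothing ties the test suite's `limbs` value to either. Hoist each into one per-curve constant, e.g. `#define P192K1_WIDTH (2 * ((192 + biL - 1) / biL))`, used by the wrapper and the check, and expose it through ecp_invasive.h so the test dispatcher can use it too. The checks themselves are placed correctly, before `X` is touched, and the rejected case is the one the doxygen promises.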
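Review bot: `if \p X does not have twice as many limbs as the modulus` is not what the p224k1 check enforces: `mbedtls_ecp_mod_p224k1_raw` rejects `X_limbs != 2 * 224 / biL`, which is 7 with 64-bit limbs, whereas a 224-bit modulus occupies 4 such limbs and twice that is 8. The sentence happens to be accurate for p192k1 and p256k1 only because 192 and 256 are multiples of 64. Phrase it in the terms the `\param` text above already uses: `* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs is not the limb count of a 448-bit MPI.`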
@@ -228,6 +232,8 @@ int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs); * \param[in] X_limbs The length of \p X in limbs. * * \return \c 0 on success. + * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have + * twice as many limbs as the modulus. * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed. */ MBEDTLS_STATIC_TESTABLE