void TEE_BigIntComputeExtendedGcd(TEE_BigInt *gcd, TEE_BigInt *u,
TEE_BigInt *v, const TEE_BigInt *op1,
const TEE_BigInt *op2)
{
mbedtls_mpi mpi_gcd_res;
mbedtls_mpi mpi_op1;
mbedtls_mpi mpi_op2;
mbedtls_mpi *pop2 = &mpi_op2;
get_mpi(&mpi_gcd_res, gcd);
get_mpi(&mpi_op1, op1);
if (op2 == op1)
pop2 = &mpi_op1;
else
get_mpi(&mpi_op2, op2);
if (!u && !v) {
if (gcd)
MPI_CHECK(mbedtls_mpi_gcd(&mpi_gcd_res, &mpi_op1,
pop2));
} else {
mbedtls_mpi mpi_u;
mbedtls_mpi mpi_v;
int8_t s1 = mpi_op1.s;
int8_t s2 = pop2->s;
int cmp;
mpi_op1.s = 1;
pop2->s = 1;
get_mpi(&mpi_u, u);
get_mpi(&mpi_v, v);
cmp = mbedtls_mpi_cmp_abs(&mpi_op1, pop2);
if (cmp == 0) {
MPI_CHECK(mbedtls_mpi_copy(&mpi_gcd_res, &mpi_op1));
MPI_CHECK(mbedtls_mpi_lset(&mpi_u, 1));
MPI_CHECK(mbedtls_mpi_lset(&mpi_v, 0));
} else if (cmp > 0) {
mpi_egcd(&mpi_gcd_res, &mpi_u, &mpi_v, &mpi_op1, pop2);
} else {
mpi_egcd(&mpi_gcd_res, &mpi_v, &mpi_u, pop2, &mpi_op1);
}
mpi_u.s *= s1;
mpi_v.s *= s2;
MPI_CHECK(copy_mpi_to_bigint(&mpi_u, u));
MPI_CHECK(copy_mpi_to_bigint(&mpi_v, v));
mbedtls_mpi_free(&mpi_u);
mbedtls_mpi_free(&mpi_v);
}
MPI_CHECK(copy_mpi_to_bigint(&mpi_gcd_res, gcd));
mbedtls_mpi_free(&mpi_gcd_res);
mbedtls_mpi_free(&mpi_op1);
if (pop2 == &mpi_op2)
mbedtls_mpi_free(&mpi_op2);
}
/*
* Use the blinding method and optimisation suggested in section 10 of:
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
* Berlin Heidelberg, 1996. p. 104-113.
*/
static int dhm_update_blinding( mbedtls_dhm_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret, count;
/*
* Don't use any blinding the first time a particular X is used,
* but remember it to use blinding next time.
*/
if( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->pX ) != 0 )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &ctx->pX, &ctx->X ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vi, 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vf, 1 ) );
return( 0 );
}
/*
* Ok, we need blinding. Can we re-use existing values?
* If yes, just update them by squaring them.
*/
if( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
return( 0 );
}
/*
* We need to generate blinding values from scratch
*/
/* Vi = random( 2, P-1 ) */
count = 0;
do
{
mbedtls_mpi_fill_random( &ctx->Vi, mbedtls_mpi_size( &ctx->P ), f_rng, p_rng );
while( mbedtls_mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->Vi, 1 ) );
if( count++ > 10 )
return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
}
while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
/* Vf = Vi^-X mod P */
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
cleanup:
return( ret );
}
void TEE_BigIntConvertFromS32(TEE_BigInt *dest, int32_t shortVal)
{
mbedtls_mpi mpi;
get_mpi(&mpi, dest);
MPI_CHECK(mbedtls_mpi_lset(&mpi, shortVal));
put_mpi(&mpi);
}
void TEE_BigIntConvertFromS32(TEE_BigInt *dest, int32_t shortVal)
{
mbedtls_mpi mpi;
get_mpi(&mpi, dest);
MPI_CHECK(mbedtls_mpi_lset(&mpi, shortVal));
MPI_CHECK(copy_mpi_to_bigint(&mpi, dest));
mbedtls_mpi_free(&mpi);
}
/* get normalization value */
static int montgomery_normalization(void *a, void *b)
{
size_t c = ROUNDUP(mbedtls_mpi_size(b), sizeof(mbedtls_mpi_uint)) * 8;
if (mbedtls_mpi_lset(a, 1))
return CRYPT_MEM;
if (mbedtls_mpi_shift_l(a, c))
return CRYPT_MEM;
if (mbedtls_mpi_mod_mpi(a, a, b))
return CRYPT_MEM;
return CRYPT_OK;
}
/*
* Verify sanity of parameter with regards to P
*
* Parameter should be: 2 <= public_param <= P - 2
*
* For more information on the attack, see:
* http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
*/
static int dhm_check_range( const mbedtls_mpi *param, const mbedtls_mpi *P )
{
mbedtls_mpi L, U;
int ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
mbedtls_mpi_init( &L ); mbedtls_mpi_init( &U );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &L, 2 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &U, P, 2 ) );
if( mbedtls_mpi_cmp_mpi( param, &L ) >= 0 &&
mbedtls_mpi_cmp_mpi( param, &U ) <= 0 )
{
ret = 0;
}
cleanup:
mbedtls_mpi_free( &L ); mbedtls_mpi_free( &U );
return( ret );
}
/*
* Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
* WARNING: the resulting group should only be used with
* pk_group_id_from_specified(), since its base point may not be set correctly
* if it was encoded compressed.
*
* SpecifiedECDomain ::= SEQUENCE {
* version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
* fieldID FieldID {{FieldTypes}},
* curve Curve,
* base ECPoint,
* order INTEGER,
* cofactor INTEGER OPTIONAL,
* hash HashAlgorithm OPTIONAL,
* ...
* }
*
* We only support prime-field as field type, and ignore hash and cofactor.
*/
static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
{
int ret;
unsigned char *p = params->p;
const unsigned char * const end = params->p + params->len;
const unsigned char *end_field, *end_curve;
size_t len;
int ver;
/* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
if( ver < 1 || ver > 3 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
/*
* FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
* fieldType FIELD-ID.&id({IOSet}),
* parameters FIELD-ID.&Type({IOSet}{@fieldType})
* }
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( ret );
end_field = p + len;
/*
* FIELD-ID ::= TYPE-IDENTIFIER
* FieldTypes FIELD-ID ::= {
* { Prime-p IDENTIFIED BY prime-field } |
* { Characteristic-two IDENTIFIED BY characteristic-two-field }
* }
* prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 )
return( ret );
if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) ||
memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
{
return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
}
p += len;
/* Prime-p ::= INTEGER -- Field of size p. */
if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
grp->pbits = mbedtls_mpi_bitlen( &grp->P );
if( p != end_field )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
/*
* Curve ::= SEQUENCE {
* a FieldElement,
* b FieldElement,
* seed BIT STRING OPTIONAL
* -- Shall be present if used in SpecifiedECDomain
* -- with version equal to ecdpVer2 or ecdpVer3
* }
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( ret );
end_curve = p + len;
/*
* FieldElement ::= OCTET STRING
* containing an integer in the case of a prime field
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 )
{
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
}
p += len;
if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 )
{
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
}
p += len;
/* Ignore seed BIT STRING OPTIONAL */
if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 )
p += len;
if( p != end_curve )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
/*
* ECPoint ::= OCTET STRING
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G,
( const unsigned char *) p, len ) ) != 0 )
{
/*
* If we can't read the point because it's compressed, cheat by
* reading only the X coordinate and the parity bit of Y.
*/
if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
( p[0] != 0x02 && p[0] != 0x03 ) ||
len != mbedtls_mpi_size( &grp->P ) + 1 ||
mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 ||
mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 ||
mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 )
{
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
}
}
p += len;
/*
* order INTEGER
*/
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
grp->nbits = mbedtls_mpi_bitlen( &grp->N );
/*
* Allow optional elements by purposefully not enforcing p == end here.
*/
return( 0 );
}
/* Z = X * Y */
int mbedtls_mpi_mul_mpi( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y )
{
int ret;
size_t bits_x, bits_y, words_x, words_y, words_mult, words_z;
/* Count words needed for X & Y in hardware */
bits_x = mbedtls_mpi_bitlen(X);
bits_y = mbedtls_mpi_bitlen(Y);
/* Convert bit counts to words, rounded up to 512-bit
(16 word) blocks */
words_x = bits_to_hardware_words(bits_x);
words_y = bits_to_hardware_words(bits_y);
/* Short-circuit eval if either argument is 0 or 1.
This is needed as the mpi modular division
argument will sometimes call in here when one
argument is too large for the hardware unit, but the other
argument is zero or one.
This leaks some timing information, although overall there is a
lot less timing variation than a software MPI approach.
*/
if (bits_x == 0 || bits_y == 0) {
mbedtls_mpi_lset(Z, 0);
return 0;
}
if (bits_x == 1) {
return mbedtls_mpi_copy(Z, Y);
}
if (bits_y == 1) {
return mbedtls_mpi_copy(Z, X);
}
words_mult = (words_x > words_y ? words_x : words_y);
/* Result Z has to have room for double the larger factor */
words_z = words_mult * 2;
/* If either factor is over 2048 bits, we can't use the standard hardware multiplier
(it assumes result is double longest factor, and result is max 4096 bits.)
However, we can fail over to mod_mult for up to 4096 bits of result (modulo
multiplication doesn't have the same restriction, so result is simply the
number of bits in X plus number of bits in in Y.)
*/
if (words_mult * 32 > 2048) {
/* Calculate new length of Z */
words_z = bits_to_hardware_words(bits_x + bits_y);
if (words_z * 32 <= 4096) {
/* Note: it's possible to use mpi_mult_mpi_overlong
for this case as well, but it's very slightly
slower and requires a memory allocation.
*/
return mpi_mult_mpi_failover_mod_mult(Z, X, Y, words_z);
} else {
/* Still too long for the hardware unit... */
if(bits_y > bits_x) {
return mpi_mult_mpi_overlong(Z, X, Y, bits_y, words_z);
} else {
return mpi_mult_mpi_overlong(Z, Y, X, bits_x, words_z);
}
}
}
/* Otherwise, we can use the (faster) multiply hardware unit */
esp_mpi_acquire_hardware();
/* Copy X (right-extended) & Y (left-extended) to memory block */
mpi_to_mem_block(RSA_MEM_X_BLOCK_BASE, X, words_mult);
mpi_to_mem_block(RSA_MEM_Z_BLOCK_BASE + words_mult * 4, Y, words_mult);
/* NB: as Y is left-extended, we don't zero the bottom words_mult words of Y block.
This is OK for now because zeroing is done by hardware when we do esp_mpi_acquire_hardware().
*/
REG_WRITE(RSA_M_DASH_REG, 0);
/* "mode" register loaded with number of 512-bit blocks in result,
plus 7 (for range 9-12). (this is ((N~ / 32) - 1) + 8))
*/
REG_WRITE(RSA_MULT_MODE_REG, (words_z / 16) + 7);
execute_op(RSA_MULT_START_REG);
/* Read back the result */
ret = mem_block_to_mpi(Z, RSA_MEM_Z_BLOCK_BASE, words_z);
Z->s = X->s * Y->s;
esp_mpi_release_hardware();
return ret;
}
int main( int argc, char *argv[] )
{
int ret;
mbedtls_ecdh_context ctx_cli, ctx_srv;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
unsigned char cli_to_srv[32], srv_to_cli[32];
const char pers[] = "ecdh";
((void) argc);
((void) argv);
mbedtls_ecdh_init( &ctx_cli );
mbedtls_ecdh_init( &ctx_srv );
mbedtls_ctr_drbg_init( &ctr_drbg );
/*
* Initialize random number generation
*/
mbedtls_printf( " . Seeding the random number generator..." );
fflush( stdout );
mbedtls_entropy_init( &entropy );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
sizeof pers ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* Client: inialize context and generate keypair
*/
mbedtls_printf( " . Setting up client context..." );
fflush( stdout );
ret = mbedtls_ecp_group_load( &ctx_cli.grp, MBEDTLS_ECP_DP_CURVE25519 );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ecp_group_load returned %d\n", ret );
goto exit;
}
ret = mbedtls_ecdh_gen_public( &ctx_cli.grp, &ctx_cli.d, &ctx_cli.Q,
mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ecdh_gen_public returned %d\n", ret );
goto exit;
}
ret = mbedtls_mpi_write_binary( &ctx_cli.Q.X, cli_to_srv, 32 );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_mpi_write_binary returned %d\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* Server: initialize context and generate keypair
*/
mbedtls_printf( " . Setting up server context..." );
fflush( stdout );
ret = mbedtls_ecp_group_load( &ctx_srv.grp, MBEDTLS_ECP_DP_CURVE25519 );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ecp_group_load returned %d\n", ret );
goto exit;
}
ret = mbedtls_ecdh_gen_public( &ctx_srv.grp, &ctx_srv.d, &ctx_srv.Q,
mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ecdh_gen_public returned %d\n", ret );
goto exit;
}
ret = mbedtls_mpi_write_binary( &ctx_srv.Q.X, srv_to_cli, 32 );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_mpi_write_binary returned %d\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* Server: read peer's key and generate shared secret
*/
mbedtls_printf( " . Server reading client key and computing secret..." );
fflush( stdout );
ret = mbedtls_mpi_lset( &ctx_srv.Qp.Z, 1 );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_mpi_lset returned %d\n", ret );
goto exit;
}
ret = mbedtls_mpi_read_binary( &ctx_srv.Qp.X, cli_to_srv, 32 );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_mpi_read_binary returned %d\n", ret );
goto exit;
}
ret = mbedtls_ecdh_compute_shared( &ctx_srv.grp, &ctx_srv.z,
&ctx_srv.Qp, &ctx_srv.d,
mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* Client: read peer's key and generate shared secret
*/
mbedtls_printf( " . Client reading server key and computing secret..." );
fflush( stdout );
ret = mbedtls_mpi_lset( &ctx_cli.Qp.Z, 1 );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_mpi_lset returned %d\n", ret );
goto exit;
}
ret = mbedtls_mpi_read_binary( &ctx_cli.Qp.X, srv_to_cli, 32 );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_mpi_read_binary returned %d\n", ret );
goto exit;
}
ret = mbedtls_ecdh_compute_shared( &ctx_cli.grp, &ctx_cli.z,
&ctx_cli.Qp, &ctx_cli.d,
mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* Verification: are the computed secret equal?
*/
mbedtls_printf( " . Checking if both computed secrets are equal..." );
fflush( stdout );
ret = mbedtls_mpi_cmp_mpi( &ctx_cli.z, &ctx_srv.z );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
exit:
#if defined(_WIN32)
mbedtls_printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
mbedtls_ecdh_free( &ctx_srv );
mbedtls_ecdh_free( &ctx_cli );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
return( ret != 0 );
}
/*
* Generate an RSA keypair
*/
int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
unsigned int nbits, int exponent )
{
int ret;
mbedtls_mpi P1, Q1, H, G;
if( f_rng == NULL || nbits < 128 || exponent < 3 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &H ); mbedtls_mpi_init( &G );
/*
* find primes P and Q with Q < P so that:
* GCD( E, (P-1)*(Q-1) ) == 1
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
do
{
MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0,
f_rng, p_rng ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
f_rng, p_rng ) );
if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
mbedtls_mpi_swap( &ctx->P, &ctx->Q );
if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
continue;
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
continue;
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &P1, &Q1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H ) );
}
while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
/*
* D = E^-1 mod ((P-1)*(Q-1))
* DP = D mod (P - 1)
* DQ = D mod (Q - 1)
* QP = Q^-1 mod P
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D , &ctx->E, &H ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
ctx->len = ( mbedtls_mpi_bitlen( &ctx->N ) + 7 ) >> 3;
cleanup:
mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G );
if( ret != 0 )
{
mbedtls_rsa_free( ctx );
return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
}
return( 0 );
}
/*
* Based on libmpa implementation __mpa_egcd(), modified to work with MPI
* instead.
*/
static void mpi_egcd(mbedtls_mpi *gcd, mbedtls_mpi *a, mbedtls_mpi *b,
mbedtls_mpi *x_in, mbedtls_mpi *y_in)
{
mbedtls_mpi_uint k;
mbedtls_mpi A;
mbedtls_mpi B;
mbedtls_mpi C;
mbedtls_mpi D;
mbedtls_mpi x;
mbedtls_mpi y;
mbedtls_mpi u;
get_mpi(&A, NULL);
get_mpi(&B, NULL);
get_mpi(&C, NULL);
get_mpi(&D, NULL);
get_mpi(&x, NULL);
get_mpi(&y, NULL);
get_mpi(&u, NULL);
/* have y < x from assumption */
if (!mbedtls_mpi_cmp_int(y_in, 0)) {
MPI_CHECK(mbedtls_mpi_lset(a, 1));
MPI_CHECK(mbedtls_mpi_lset(b, 0));
MPI_CHECK(mbedtls_mpi_copy(gcd, x_in));
goto out;
}
MPI_CHECK(mbedtls_mpi_copy(&x, x_in));
MPI_CHECK(mbedtls_mpi_copy(&y, y_in));
k = 0;
while (mpi_is_even(&x) && mpi_is_even(&y)) {
k++;
MPI_CHECK(mbedtls_mpi_shift_r(&x, 1));
MPI_CHECK(mbedtls_mpi_shift_r(&y, 1));
}
MPI_CHECK(mbedtls_mpi_copy(&u, &x));
MPI_CHECK(mbedtls_mpi_copy(gcd, &y));
MPI_CHECK(mbedtls_mpi_lset(&A, 1));
MPI_CHECK(mbedtls_mpi_lset(&B, 0));
MPI_CHECK(mbedtls_mpi_lset(&C, 0));
MPI_CHECK(mbedtls_mpi_lset(&D, 1));
while (mbedtls_mpi_cmp_int(&u, 0)) {
while (mpi_is_even(&u)) {
MPI_CHECK(mbedtls_mpi_shift_r(&u, 1));
if (mpi_is_odd(&A) || mpi_is_odd(&B)) {
MPI_CHECK(mbedtls_mpi_add_mpi(&A, &A, &y));
MPI_CHECK(mbedtls_mpi_sub_mpi(&B, &B, &x));
}
MPI_CHECK(mbedtls_mpi_shift_r(&A, 1));
MPI_CHECK(mbedtls_mpi_shift_r(&B, 1));
}
while (mpi_is_even(gcd)) {
MPI_CHECK(mbedtls_mpi_shift_r(gcd, 1));
if (mpi_is_odd(&C) || mpi_is_odd(&D)) {
MPI_CHECK(mbedtls_mpi_add_mpi(&C, &C, &y));
MPI_CHECK(mbedtls_mpi_sub_mpi(&D, &D, &x));
}
MPI_CHECK(mbedtls_mpi_shift_r(&C, 1));
MPI_CHECK(mbedtls_mpi_shift_r(&D, 1));
}
if (mbedtls_mpi_cmp_mpi(&u, gcd) >= 0) {
MPI_CHECK(mbedtls_mpi_sub_mpi(&u, &u, gcd));
MPI_CHECK(mbedtls_mpi_sub_mpi(&A, &A, &C));
MPI_CHECK(mbedtls_mpi_sub_mpi(&B, &B, &D));
} else {
MPI_CHECK(mbedtls_mpi_sub_mpi(gcd, gcd, &u));
MPI_CHECK(mbedtls_mpi_sub_mpi(&C, &C, &A));
MPI_CHECK(mbedtls_mpi_sub_mpi(&D, &D, &B));
}
}
MPI_CHECK(mbedtls_mpi_copy(a, &C));
MPI_CHECK(mbedtls_mpi_copy(b, &D));
MPI_CHECK(mbedtls_mpi_shift_l(gcd, k));
out:
mbedtls_mpi_free(&A);
mbedtls_mpi_free(&B);
mbedtls_mpi_free(&C);
mbedtls_mpi_free(&D);
mbedtls_mpi_free(&x);
mbedtls_mpi_free(&y);
mbedtls_mpi_free(&u);
}
int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
int ( *f_rng )( void *, unsigned char *, size_t ),
void *p_rng )
{
int ret = 0;
void* pHeap = NULL;
size_t heapSize = 0;
uint32_t public_key_size = (2 * MAX_KEY_SIZE_IN_BYTES + 1);
const CRYS_ECPKI_Domain_t* pDomain = CRYS_ECPKI_GetEcDomain ( convert_mbedtls_grp_id_to_crys_domain_id( grp->id ) );
mbedtls_rand_func_container cc_rand = { f_rng, p_rng };
if ( pDomain )
{
uint8_t temp_buf[ 2 * MAX_KEY_SIZE_IN_BYTES + 1 ] = {0};
cc_ecc_ws_keygen_params_t* kgParams = mbedtls_calloc( 1, sizeof( cc_ecc_ws_keygen_params_t ) );
if ( kgParams == NULL )
return ( MBEDTLS_ERR_ECP_ALLOC_FAILED );
pHeap = kgParams;
heapSize = sizeof( cc_ecc_ws_keygen_params_t );
ret = convert_CrysError_to_mbedtls_err( CRYS_ECPKI_GenKeyPair( &cc_rand, convert_mbedtls_to_cc_rand,
pDomain, &kgParams->privKey,
&kgParams->pubKey,
&kgParams->kgTempData, NULL ) );
if( ret != 0 )
{
goto cleanup;
}
ret = convert_CrysError_to_mbedtls_err( CRYS_ECPKI_ExportPublKey( &kgParams->pubKey,
CRYS_EC_PointUncompressed,temp_buf, &public_key_size ) );
if( ret != 0 )
{
goto cleanup;
}
MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( grp, Q, temp_buf, public_key_size ) );
memset ( temp_buf, 0 , sizeof(temp_buf) );
ret = convert_CrysError_to_mbedtls_err( CRYS_COMMON_ConvertLswMswWordsToMsbLsbBytes( temp_buf, (grp->nbits+7)/8,
kgParams->privKey.PrivKeyDbBuff,
4*((((grp->nbits+7)/8)+3)/4) ) );
if( ret != 0 )
{
mbedtls_zeroize( temp_buf, sizeof( temp_buf ) );
goto cleanup;
}
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary( d, temp_buf, (grp->nbits+7)/8 ) );
mbedtls_zeroize( temp_buf, sizeof( temp_buf ) );
}
/* if CRYS_ECPKI_GetEcDomain returns NULL, then the given curve is either Montgomery 25519
* or another curve which is not supported by CC310*/
else if ( grp->id == MBEDTLS_ECP_DP_CURVE25519 )
{
size_t priv_key_size = public_key_size = CURVE_25519_KEY_SIZE ;
cc_ecc_25519_keygen_params_t* kgParams = mbedtls_calloc( 1, sizeof(cc_ecc_25519_keygen_params_t) );
if ( kgParams == NULL )
return ( MBEDTLS_ERR_ECP_ALLOC_FAILED );
pHeap = ( uint8_t* )kgParams;
heapSize = sizeof(cc_ecc_25519_keygen_params_t);
ret = convert_CrysError_to_mbedtls_err( CRYS_ECMONT_KeyPair( kgParams->pubKey, ( size_t* )&public_key_size, kgParams->privKey,
&priv_key_size, &cc_rand, convert_mbedtls_to_cc_rand,
&kgParams->kgTempData ) );
if( ret != 0 )
{
goto cleanup;
}
MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( d, kgParams->privKey, priv_key_size ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &Q->X, kgParams->pubKey, public_key_size ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Q->Z, 1 ) );
}
else
ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
cleanup:
if ( pHeap )
{
mbedtls_zeroize( pHeap, heapSize );
mbedtls_free( pHeap );
}
return ( ret );
}
