/* Give the name of the curve NAME, store the curve parameters into P,
A, B, G, and N if they point to NULL value. Note that G is returned
in standard uncompressed format. Also update MODEL and DIALECT if
they are not NULL. */
gpg_err_code_t
_gcry_ecc_update_curve_param (const char *name,
enum gcry_mpi_ec_models *model,
enum ecc_dialects *dialect,
gcry_mpi_t *p, gcry_mpi_t *a, gcry_mpi_t *b,
gcry_mpi_t *g, gcry_mpi_t *n)
{
int idx;
idx = find_domain_parms_idx (name);
if (idx < 0)
return GPG_ERR_UNKNOWN_CURVE;
if (g)
{
char *buf;
size_t len;
len = 4;
len += strlen (domain_parms[idx].g_x+2);
len += strlen (domain_parms[idx].g_y+2);
len++;
buf = xtrymalloc (len);
if (!buf)
return gpg_err_code_from_syserror ();
strcpy (stpcpy (stpcpy (buf, "0x04"), domain_parms[idx].g_x+2),
domain_parms[idx].g_y+2);
_gcry_mpi_release (*g);
*g = scanval (buf);
xfree (buf);
}
if (model)
*model = domain_parms[idx].model;
if (dialect)
*dialect = domain_parms[idx].dialect;
if (p)
{
_gcry_mpi_release (*p);
*p = scanval (domain_parms[idx].p);
}
if (a)
{
_gcry_mpi_release (*a);
*a = scanval (domain_parms[idx].a);
}
if (b)
{
_gcry_mpi_release (*b);
*b = scanval (domain_parms[idx].b);
}
if (n)
{
_gcry_mpi_release (*n);
*n = scanval (domain_parms[idx].n);
}
return 0;
}
/****************
* Generate the crypto system setup.
* As of now the fix NIST recommended values are used.
* The subgroup generator point is in another function: gen_big_point.
*/
static gpg_err_code_t
generate_curve (unsigned int nbits, const char *name,
elliptic_curve_t *curve, unsigned int *r_nbits)
{
int idx, aliasno;
if (name)
{
/* First check nor native curves. */
for (idx = 0; domain_parms[idx].desc; idx++)
if (!strcmp (name, domain_parms[idx].desc))
break;
/* If not found consult the alias table. */
if (!domain_parms[idx].desc)
{
for (aliasno = 0; curve_aliases[aliasno].name; aliasno++)
if (!strcmp (name, curve_aliases[aliasno].other))
break;
if (curve_aliases[aliasno].name)
{
for (idx = 0; domain_parms[idx].desc; idx++)
if (!strcmp (curve_aliases[aliasno].name,
domain_parms[idx].desc))
break;
}
}
}
else
{
for (idx = 0; domain_parms[idx].desc; idx++)
if (nbits == domain_parms[idx].nbits)
break;
}
if (!domain_parms[idx].desc)
return GPG_ERR_INV_VALUE;
*r_nbits = domain_parms[idx].nbits;
curve->p = scanval (domain_parms[idx].p);
curve->a = scanval (domain_parms[idx].a);
curve->b = scanval (domain_parms[idx].b);
curve->n = scanval (domain_parms[idx].n);
curve->G.x = scanval (domain_parms[idx].g_x);
curve->G.y = scanval (domain_parms[idx].g_y);
curve->G.z = mpi_alloc_set_ui (1);
return 0;
}
/* Return the name matching the parameters in PKEY. This works only
with curves described by the Weierstrass equation. */
const char *
_gcry_ecc_get_curve (gcry_sexp_t keyparms, int iterator, unsigned int *r_nbits)
{
gpg_err_code_t rc;
const char *result = NULL;
elliptic_curve_t E;
gcry_mpi_t mpi_g = NULL;
gcry_mpi_t tmp = NULL;
int idx;
memset (&E, 0, sizeof E);
if (r_nbits)
*r_nbits = 0;
if (!keyparms)
{
idx = iterator;
if (idx >= 0 && idx < DIM (domain_parms))
{
result = domain_parms[idx].desc;
if (r_nbits)
*r_nbits = domain_parms[idx].nbits;
}
return result;
}
/*
* Extract the curve parameters..
*/
rc = gpg_err_code (sexp_extract_param (keyparms, NULL, "-pabgn",
&E.p, &E.a, &E.b, &mpi_g, &E.n,
NULL));
if (rc == GPG_ERR_NO_OBJ)
{
/* This might be the second use case of checking whether a
specific curve given by name is supported. */
gcry_sexp_t l1;
char *name;
l1 = sexp_find_token (keyparms, "curve", 5);
if (!l1)
goto leave; /* No curve name parameter. */
name = sexp_nth_string (l1, 1);
sexp_release (l1);
if (!name)
goto leave; /* Name missing or out of core. */
idx = find_domain_parms_idx (name);
xfree (name);
if (idx >= 0) /* Curve found. */
{
result = domain_parms[idx].desc;
if (r_nbits)
*r_nbits = domain_parms[idx].nbits;
}
return result;
}
if (rc)
goto leave;
if (mpi_g)
{
_gcry_mpi_point_init (&E.G);
if (_gcry_ecc_os2ec (&E.G, mpi_g))
goto leave;
}
for (idx = 0; domain_parms[idx].desc; idx++)
{
mpi_free (tmp);
tmp = scanval (domain_parms[idx].p);
if (!mpi_cmp (tmp, E.p))
{
mpi_free (tmp);
tmp = scanval (domain_parms[idx].a);
if (!mpi_cmp (tmp, E.a))
{
mpi_free (tmp);
tmp = scanval (domain_parms[idx].b);
if (!mpi_cmp (tmp, E.b))
{
mpi_free (tmp);
tmp = scanval (domain_parms[idx].n);
if (!mpi_cmp (tmp, E.n))
{
mpi_free (tmp);
tmp = scanval (domain_parms[idx].g_x);
if (!mpi_cmp (tmp, E.G.x))
{
mpi_free (tmp);
tmp = scanval (domain_parms[idx].g_y);
if (!mpi_cmp (tmp, E.G.y))
{
result = domain_parms[idx].desc;
if (r_nbits)
*r_nbits = domain_parms[idx].nbits;
goto leave;
}
}
}
}
}
}
}
leave:
_gcry_mpi_release (tmp);
_gcry_mpi_release (E.p);
_gcry_mpi_release (E.a);
_gcry_mpi_release (E.b);
_gcry_mpi_release (mpi_g);
_gcry_mpi_point_free_parts (&E.G);
_gcry_mpi_release (E.n);
return result;
}
/* Generate the crypto system setup. This function takes the NAME of
a curve or the desired number of bits and stores at R_CURVE the
parameters of the named curve or those of a suitable curve. If
R_NBITS is not NULL, the chosen number of bits is stored there.
NULL may be given for R_CURVE, if the value is not required and for
example only a quick test for availability is desired. Note that
the curve fields should be initialized to zero because fields which
are not NULL are skipped. */
gpg_err_code_t
_gcry_ecc_fill_in_curve (unsigned int nbits, const char *name,
elliptic_curve_t *curve, unsigned int *r_nbits)
{
int idx;
const char *resname = NULL; /* Set to a found curve name. */
if (name)
idx = find_domain_parms_idx (name);
else
{
for (idx = 0; domain_parms[idx].desc; idx++)
if (nbits == domain_parms[idx].nbits
&& domain_parms[idx].model == MPI_EC_WEIERSTRASS)
break;
if (!domain_parms[idx].desc)
idx = -1;
}
if (idx < 0)
return GPG_ERR_UNKNOWN_CURVE;
resname = domain_parms[idx].desc;
/* In fips mode we only support NIST curves. Note that it is
possible to bypass this check by specifying the curve parameters
directly. */
if (fips_mode () && !domain_parms[idx].fips )
return GPG_ERR_NOT_SUPPORTED;
switch (domain_parms[idx].model)
{
case MPI_EC_WEIERSTRASS:
case MPI_EC_TWISTEDEDWARDS:
break;
case MPI_EC_MONTGOMERY:
return GPG_ERR_NOT_SUPPORTED;
default:
return GPG_ERR_BUG;
}
if (r_nbits)
*r_nbits = domain_parms[idx].nbits;
if (curve)
{
curve->model = domain_parms[idx].model;
curve->dialect = domain_parms[idx].dialect;
if (!curve->p)
curve->p = scanval (domain_parms[idx].p);
if (!curve->a)
curve->a = scanval (domain_parms[idx].a);
if (!curve->b)
curve->b = scanval (domain_parms[idx].b);
if (!curve->n)
curve->n = scanval (domain_parms[idx].n);
if (!curve->G.x)
curve->G.x = scanval (domain_parms[idx].g_x);
if (!curve->G.y)
curve->G.y = scanval (domain_parms[idx].g_y);
if (!curve->G.z)
curve->G.z = mpi_alloc_set_ui (1);
if (!curve->name)
curve->name = resname;
}
return 0;
}
/* Recover X from Y and SIGN (which actually is a parity bit). */
gpg_err_code_t
_gcry_ecc_eddsa_recover_x (gcry_mpi_t x, gcry_mpi_t y, int sign, mpi_ec_t ec)
{
gpg_err_code_t rc = 0;
gcry_mpi_t u, v, v3, t;
static gcry_mpi_t p58, seven;
if (ec->dialect != ECC_DIALECT_ED25519)
return GPG_ERR_NOT_IMPLEMENTED;
if (!p58)
p58 = scanval ("0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD");
if (!seven)
seven = mpi_set_ui (NULL, 7);
u = mpi_new (0);
v = mpi_new (0);
v3 = mpi_new (0);
t = mpi_new (0);
/* Compute u and v */
/* u = y^2 */
mpi_mulm (u, y, y, ec->p);
/* v = b*y^2 */
mpi_mulm (v, ec->b, u, ec->p);
/* u = y^2-1 */
mpi_sub_ui (u, u, 1);
/* v = b*y^2+1 */
mpi_add_ui (v, v, 1);
/* Compute sqrt(u/v) */
/* v3 = v^3 */
mpi_powm (v3, v, mpi_const (MPI_C_THREE), ec->p);
/* t = v3 * v3 * u * v = u * v^7 */
mpi_powm (t, v, seven, ec->p);
mpi_mulm (t, t, u, ec->p);
/* t = t^((p-5)/8) = (u * v^7)^((p-5)/8) */
mpi_powm (t, t, p58, ec->p);
/* x = t * u * v^3 = (u * v^3) * (u * v^7)^((p-5)/8) */
mpi_mulm (t, t, u, ec->p);
mpi_mulm (x, t, v3, ec->p);
/* Adjust if needed. */
/* t = v * x^2 */
mpi_mulm (t, x, x, ec->p);
mpi_mulm (t, t, v, ec->p);
/* -t == u ? x = x * sqrt(-1) */
mpi_neg (t, t);
if (!mpi_cmp (t, u))
{
static gcry_mpi_t m1; /* Fixme: this is not thread-safe. */
if (!m1)
m1 = scanval ("2B8324804FC1DF0B2B4D00993DFBD7A7"
"2F431806AD2FE478C4EE1B274A0EA0B0");
mpi_mulm (x, x, m1, ec->p);
/* t = v * x^2 */
mpi_mulm (t, x, x, ec->p);
mpi_mulm (t, t, v, ec->p);
/* -t == u ? x = x * sqrt(-1) */
mpi_neg (t, t);
if (!mpi_cmp (t, u))
rc = GPG_ERR_INV_OBJ;
}
/* Choose the desired square root according to parity */
if (mpi_test_bit (x, 0) != !!sign)
mpi_sub (x, ec->p, x);
mpi_free (t);
mpi_free (v3);
mpi_free (v);
mpi_free (u);
return rc;
}
