/**
* @brief Pre-calculate some of the expensive steps in reduction.
*
* This function should only be called once (normally when a session starts).
* When the session is over, bi_free_mod() should be called. bi_mod_power()
* relies on this function being called.
* @param ctx [in] The bigint session context.
* @param bim [in] The bigint modulus that will be used.
* @param mod_offset [in] There are three moduluii that can be stored - the
* standard modulus, and its two primes p and q. This offset refers to which
* modulus we are referring to.
* @see bi_free_mod(), bi_mod_power().
*/
void ICACHE_FLASH_ATTR bi_set_mod(BI_CTX *ctx, bigint *bim, int mod_offset)
{
int k = bim->size;
comp d = (comp)((long_comp)COMP_RADIX/(bim->comps[k-1]+1));
#ifdef CONFIG_BIGINT_MONTGOMERY
bigint *R, *R2;
#endif
ctx->bi_mod[mod_offset] = bim;
bi_permanent(ctx->bi_mod[mod_offset]);
ctx->bi_normalised_mod[mod_offset] = bi_int_multiply(ctx, bim, d);
bi_permanent(ctx->bi_normalised_mod[mod_offset]);
#if defined(CONFIG_BIGINT_MONTGOMERY)
/* set montgomery variables */
R = comp_left_shift(bi_clone(ctx, ctx->bi_radix), k-1); /* R */
R2 = comp_left_shift(bi_clone(ctx, ctx->bi_radix), k*2-1); /* R^2 */
ctx->bi_RR_mod_m[mod_offset] = bi_mod(ctx, R2); /* R^2 mod m */
ctx->bi_R_mod_m[mod_offset] = bi_mod(ctx, R); /* R mod m */
bi_permanent(ctx->bi_RR_mod_m[mod_offset]);
bi_permanent(ctx->bi_R_mod_m[mod_offset]);
ctx->N0_dash[mod_offset] = modular_inverse(ctx->bi_mod[mod_offset]);
#elif defined (CONFIG_BIGINT_BARRETT)
ctx->bi_mu[mod_offset] =
bi_divide(ctx, comp_left_shift(
bi_clone(ctx, ctx->bi_radix), k*2-1), ctx->bi_mod[mod_offset], 0);
bi_permanent(ctx->bi_mu[mod_offset]);
#endif
}
/*
* Karatsuba improves on regular multiplication due to only 3 multiplications
* being done instead of 4. The additional additions/subtractions are O(N)
* rather than O(N^2) and so for big numbers it saves on a few operations
*/
static bigint * ICACHE_FLASH_ATTR karatsuba(BI_CTX *ctx, bigint *bia, bigint *bib, int is_square)
{
bigint *x0, *x1;
bigint *p0, *p1, *p2;
int m;
if (is_square)
{
m = (bia->size + 1)/2;
}
else
{
m = (max(bia->size, bib->size) + 1)/2;
}
x0 = bi_clone(ctx, bia);
x0->size = m;
x1 = bi_clone(ctx, bia);
comp_right_shift(x1, m);
bi_free(ctx, bia);
/* work out the 3 partial products */
if (is_square)
{
p0 = bi_square(ctx, bi_copy(x0));
p2 = bi_square(ctx, bi_copy(x1));
p1 = bi_square(ctx, bi_add(ctx, x0, x1));
}
else /* normal multiply */
{
bigint *y0, *y1;
y0 = bi_clone(ctx, bib);
y0->size = m;
y1 = bi_clone(ctx, bib);
comp_right_shift(y1, m);
bi_free(ctx, bib);
p0 = bi_multiply(ctx, bi_copy(x0), bi_copy(y0));
p2 = bi_multiply(ctx, bi_copy(x1), bi_copy(y1));
p1 = bi_multiply(ctx, bi_add(ctx, x0, x1), bi_add(ctx, y0, y1));
}
p1 = bi_subtract(ctx,
bi_subtract(ctx, p1, bi_copy(p2), NULL), bi_copy(p0), NULL);
comp_left_shift(p1, m);
comp_left_shift(p2, 2*m);
return bi_add(ctx, p1, bi_add(ctx, p0, p2));
}
/**
* @brief Perform a single Barrett reduction.
* @param ctx [in] The bigint session context.
* @param bi [in] A bigint.
* @return The result of the Barrett reduction.
*/
bigint * ICACHE_FLASH_ATTR bi_barrett(BI_CTX *ctx, bigint *bi)
{
bigint *q1, *q2, *q3, *r1, *r2, *r;
uint8_t mod_offset = ctx->mod_offset;
bigint *bim = ctx->bi_mod[mod_offset];
int k = bim->size;
check(bi);
check(bim);
/* use Classical method instead - Barrett cannot help here */
if (bi->size > k*2)
{
return bi_mod(ctx, bi);
}
q1 = comp_right_shift(bi_clone(ctx, bi), k-1);
/* do outer partial multiply */
q2 = regular_multiply(ctx, q1, ctx->bi_mu[mod_offset], 0, k-1);
q3 = comp_right_shift(q2, k+1);
r1 = comp_mod(bi, k+1);
/* do inner partial multiply */
r2 = comp_mod(regular_multiply(ctx, q3, bim, k+1, 0), k+1);
r = bi_subtract(ctx, r1, r2, NULL);
/* if (r >= m) r = r - m; */
if (bi_compare(r, bim) >= 0)
{
r = bi_subtract(ctx, r, bim, NULL);
}
return r;
}
/**
* @brief Perform a modular exponentiation using a temporary modulus.
*
* We need this function to check the signatures of certificates. The modulus
* of this function is temporary as it's just used for authentication.
* @param ctx [in] The bigint session context.
* @param bi [in] The bigint to perform the exp/mod.
* @param bim [in] The temporary modulus.
* @param biexp [in] The bigint exponent.
* @return The result of the mod exponentiation operation
* @see bi_set_mod().
*/
bigint *ICACHE_FLASH_ATTR bi_mod_power2(BI_CTX *ctx, bigint *bi, bigint *bim, bigint *biexp) {
bigint *biR, *tmp_biR;
/* Set up a temporary bigint context and transfer what we need between
* them. We need to do this since we want to keep the original modulus
* which is already in this context. This operation is only called when
* doing peer verification, and so is not expensive :-) */
BI_CTX *tmp_ctx = bi_initialize();
bi_set_mod(tmp_ctx, bi_clone(tmp_ctx, bim), BIGINT_M_OFFSET);
tmp_biR = bi_mod_power(tmp_ctx,
bi_clone(tmp_ctx, bi),
bi_clone(tmp_ctx, biexp));
biR = bi_clone(ctx, tmp_biR);
bi_free(tmp_ctx, tmp_biR);
bi_free_mod(tmp_ctx, BIGINT_M_OFFSET);
bi_terminate(tmp_ctx);
bi_free(ctx, bi);
bi_free(ctx, bim);
bi_free(ctx, biexp);
return biR;
}
/*
* Work out g1, g3, g5, g7... etc for the sliding-window algorithm
*/
static void ICACHE_FLASH_ATTR precompute_slide_window(BI_CTX *ctx, int window, bigint *g1) {
int k = 1, i;
bigint *g2;
for (i = 0; i < window - 1; i++) { /* compute 2^(window-1) */
k <<= 1;
}
ctx->g = (bigint **)os_malloc(k * sizeof(bigint *));
ctx->g[0] = bi_clone(ctx, g1);
bi_permanent(ctx->g[0]);
g2 = bi_residue(ctx, bi_square(ctx, ctx->g[0])); /* g^2 */
for (i = 1; i < k; i++) {
ctx->g[i] = bi_residue(ctx, bi_multiply(ctx, ctx->g[i - 1], bi_copy(g2)));
bi_permanent(ctx->g[i]);
}
bi_free(ctx, g2);
ctx->window = k;
}
/**
* Do some basic checks on the certificate chain.
*
* Certificate verification consists of a number of checks:
* - The date of the certificate is after the start date.
* - The date of the certificate is before the finish date.
* - A root certificate exists in the certificate store.
* - That the certificate(s) are not self-signed.
* - The certificate chain is valid.
* - The signature of the certificate is valid.
*/
int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
{
int ret = X509_OK, i = 0;
bigint *cert_sig;
X509_CTX *next_cert = NULL;
BI_CTX *ctx = NULL;
bigint *mod = NULL, *expn = NULL;
int match_ca_cert = 0;
struct timeval tv;
uint8_t is_self_signed = 0;
if (cert == NULL)
{
ret = X509_VFY_ERROR_NO_TRUSTED_CERT;
goto end_verify;
}
/* a self-signed certificate that is not in the CA store - use this
to check the signature */
if (asn1_compare_dn(cert->ca_cert_dn, cert->cert_dn) == 0)
{
is_self_signed = 1;
ctx = cert->rsa_ctx->bi_ctx;
mod = cert->rsa_ctx->m;
expn = cert->rsa_ctx->e;
}
gettimeofday(&tv, NULL);
/* check the not before date */
if (tv.tv_sec < cert->not_before)
{
ret = X509_VFY_ERROR_NOT_YET_VALID;
goto end_verify;
}
/* check the not after date */
if (tv.tv_sec > cert->not_after)
{
ret = X509_VFY_ERROR_EXPIRED;
goto end_verify;
}
next_cert = cert->next;
/* last cert in the chain - look for a trusted cert */
if (next_cert == NULL)
{
if (ca_cert_ctx != NULL)
{
/* go thu the CA store */
while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
{
if (asn1_compare_dn(cert->ca_cert_dn,
ca_cert_ctx->cert[i]->cert_dn) == 0)
{
/* use this CA certificate for signature verification */
match_ca_cert = 1;
ctx = ca_cert_ctx->cert[i]->rsa_ctx->bi_ctx;
mod = ca_cert_ctx->cert[i]->rsa_ctx->m;
expn = ca_cert_ctx->cert[i]->rsa_ctx->e;
break;
}
i++;
}
}
/* couldn't find a trusted cert (& let self-signed errors
be returned) */
if (!match_ca_cert && !is_self_signed)
{
ret = X509_VFY_ERROR_NO_TRUSTED_CERT;
goto end_verify;
}
}
else if (asn1_compare_dn(cert->ca_cert_dn, next_cert->cert_dn) != 0)
{
/* check the chain */
ret = X509_VFY_ERROR_INVALID_CHAIN;
goto end_verify;
}
else /* use the next certificate in the chain for signature verify */
{
ctx = next_cert->rsa_ctx->bi_ctx;
mod = next_cert->rsa_ctx->m;
expn = next_cert->rsa_ctx->e;
}
/* cert is self signed */
if (!match_ca_cert && is_self_signed)
{
ret = X509_VFY_ERROR_SELF_SIGNED;
goto end_verify;
}
/* check the signature */
cert_sig = sig_verify(ctx, cert->signature, cert->sig_len,
bi_clone(ctx, mod), bi_clone(ctx, expn));
if (cert_sig && cert->digest)
{
if (bi_compare(cert_sig, cert->digest) != 0)
ret = X509_VFY_ERROR_BAD_SIGNATURE;
bi_free(ctx, cert_sig);
}
else
{
ret = X509_VFY_ERROR_BAD_SIGNATURE;
}
if (ret)
goto end_verify;
/* go down the certificate chain using recursion. */
if (next_cert != NULL)
{
ret = x509_verify(ca_cert_ctx, next_cert);
}
end_verify:
return ret;
}
/**
* @brief Perform a modular exponentiation.
*
* This function requires bi_set_mod() to have been called previously. This is
* one of the optimisations used for performance.
* @param ctx [in] The bigint session context.
* @param bi [in] The bigint on which to perform the mod power operation.
* @param biexp [in] The bigint exponent.
* @return The result of the mod exponentiation operation
* @see bi_set_mod().
*/
bigint * ICACHE_FLASH_ATTR bi_mod_power(BI_CTX *ctx, bigint *bi, bigint *biexp)
{
int i = find_max_exp_index(biexp), j, window_size = 1;
bigint *biR = int_to_bi(ctx, 1);
#if defined(CONFIG_BIGINT_MONTGOMERY)
uint8_t mod_offset = ctx->mod_offset;
if (!ctx->use_classical)
{
/* preconvert */
bi = bi_mont(ctx,
bi_multiply(ctx, bi, ctx->bi_RR_mod_m[mod_offset])); /* x' */
bi_free(ctx, biR);
biR = ctx->bi_R_mod_m[mod_offset]; /* A */
}
#endif
check(bi);
check(biexp);
#ifdef CONFIG_BIGINT_SLIDING_WINDOW
for (j = i; j > 32; j /= 5) /* work out an optimum size */
window_size++;
/* work out the slide constants */
precompute_slide_window(ctx, window_size, bi);
#else /* just one constant */
ctx->g = (bigint **)SSL_MALLOC(sizeof(bigint *));
ctx->g[0] = bi_clone(ctx, bi);
ctx->window = 1;
bi_permanent(ctx->g[0]);
#endif
/* if sliding-window is off, then only one bit will be done at a time and
* will reduce to standard left-to-right exponentiation */
do
{
if (exp_bit_is_one(biexp, i))
{
int l = i-window_size+1;
int part_exp = 0;
if (l < 0) /* LSB of exponent will always be 1 */
l = 0;
else
{
while (exp_bit_is_one(biexp, l) == 0)
l++; /* go back up */
}
/* build up the section of the exponent */
for (j = i; j >= l; j--)
{
biR = bi_residue(ctx, bi_square(ctx, biR));
if (exp_bit_is_one(biexp, j))
part_exp++;
if (j != l)
part_exp <<= 1;
}
part_exp = (part_exp-1)/2; /* adjust for array */
biR = bi_residue(ctx, bi_multiply(ctx, biR, ctx->g[part_exp]));
i = l-1;
}
else /* square it */
{
biR = bi_residue(ctx, bi_square(ctx, biR));
i--;
}
} while (i >= 0);
/* cleanup */
for (i = 0; i < ctx->window; i++)
{
bi_depermanent(ctx->g[i]);
bi_free(ctx, ctx->g[i]);
}
SSL_FREE(ctx->g);
bi_free(ctx, bi);
bi_free(ctx, biexp);
#if defined CONFIG_BIGINT_MONTGOMERY
return ctx->use_classical ? biR : bi_mont(ctx, biR); /* convert back */
#else /* CONFIG_BIGINT_CLASSICAL or CONFIG_BIGINT_BARRETT */
return biR;
#endif
}
/**
* Do some basic checks on the certificate chain.
*
* Certificate verification consists of a number of checks:
* - The date of the certificate is after the start date.
* - The date of the certificate is before the finish date.
* - A root certificate exists in the certificate store.
* - That the certificate(s) are not self-signed.
* - The certificate chain is valid.
* - The signature of the certificate is valid.
*/
int x509_verify(X509_CTX* ca_certs /* GBG: changed */, const X509_CTX *cert, const SSL_DateTime* now)
{
int ret = X509_OK;
bigint *cert_sig;
X509_CTX *next_cert = NULL;
BI_CTX *ctx = NULL;
bigint *mod = NULL, *expn = NULL;
int match_ca_cert = 0;
uint8_t is_self_signed = 0;
SSL_DateTime now_dt;
if (cert == NULL)
{
ret = X509_VFY_ERROR_NO_TRUSTED_CERT;
goto end_verify;
}
/* a self-signed certificate that is not in the CA store - use this
to check the signature */
if (asn1_compare_dn(cert->ca_cert_dn, cert->cert_dn) == 0)
{
is_self_signed = 1;
ctx = cert->rsa_ctx->bi_ctx;
mod = cert->rsa_ctx->m;
expn = cert->rsa_ctx->e;
}
/* if the time was not passed in, get it now */
if (now == NULL) {
SSL_DateTime_Now(&now_dt);
now = &now_dt;
}
/* check the not before date */
if (SSL_DateTime_Before(now, &cert->not_before))
{
ret = X509_VFY_ERROR_NOT_YET_VALID;
goto end_verify;
}
/* check the not after date */
if (SSL_DateTime_Before(&cert->not_after, now))
{
ret = X509_VFY_ERROR_EXPIRED;
goto end_verify;
}
next_cert = cert->next;
/* last cert in the chain - look for a trusted cert */
if (next_cert == NULL)
{
/* GBG: modified */
X509_CTX* ca_cert = ca_certs;
while (ca_cert) {
if (asn1_compare_dn(cert->ca_cert_dn, ca_cert->cert_dn) == 0) {
/* use this CA certificate for signature verification */
match_ca_cert = 1;
ctx = ca_cert->rsa_ctx->bi_ctx;
mod = ca_cert->rsa_ctx->m;
expn = ca_cert->rsa_ctx->e;
break;
}
ca_cert = ca_cert->next;
}
/* couldn't find a trusted cert (& let self-signed errors be returned) */
if (!match_ca_cert && !is_self_signed)
{
ret = X509_VFY_ERROR_NO_TRUSTED_CERT;
goto end_verify;
}
}
else if (asn1_compare_dn(cert->ca_cert_dn, next_cert->cert_dn) != 0)
{
/* check the chain */
ret = X509_VFY_ERROR_INVALID_CHAIN;
goto end_verify;
}
else /* use the next certificate in the chain for signature verify */
{
ctx = next_cert->rsa_ctx->bi_ctx;
mod = next_cert->rsa_ctx->m;
expn = next_cert->rsa_ctx->e;
}
/* cert is self signed */
if (!match_ca_cert && is_self_signed)
{
ret = X509_VFY_ERROR_SELF_SIGNED;
goto end_verify;
}
/* check the signature */
cert_sig = sig_verify(ctx, cert->signature, cert->sig_len,
bi_clone(ctx, mod), bi_clone(ctx, expn));
if (cert_sig && cert->digest)
{
if (bi_compare(cert_sig, cert->digest) != 0)
ret = X509_VFY_ERROR_BAD_SIGNATURE;
bi_free(ctx, cert_sig);
}
else
{
ret = X509_VFY_ERROR_BAD_SIGNATURE;
}
if (ret)
goto end_verify;
/* go down the certificate chain using recursion. */
if (next_cert != NULL)
{
ret = x509_verify(ca_certs, next_cert, now);
}
end_verify:
return ret;
}
/**
* Do some basic checks on the certificate chain.
*
* Certificate verification consists of a number of checks:
* - The date of the certificate is after the start date.
* - The date of the certificate is before the finish date.
* - A root certificate exists in the certificate store.
* - That the certificate(s) are not self-signed.
* - The certificate chain is valid.
* - The signature of the certificate is valid.
* - Basic constraints
*/
int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert,
int *pathLenConstraint)
{
int ret = X509_OK, i = 0;
bigint *cert_sig;
X509_CTX *next_cert = NULL;
BI_CTX *ctx = NULL;
bigint *mod = NULL, *expn = NULL;
int match_ca_cert = 0;
struct timeval tv;
uint8_t is_self_signed = 0;
if (cert == NULL)
{
ret = X509_VFY_ERROR_NO_TRUSTED_CERT;
goto end_verify;
}
/* a self-signed certificate that is not in the CA store - use this
to check the signature */
if (asn1_compare_dn(cert->ca_cert_dn, cert->cert_dn) == 0)
{
is_self_signed = 1;
ctx = cert->rsa_ctx->bi_ctx;
mod = cert->rsa_ctx->m;
expn = cert->rsa_ctx->e;
}
gettimeofday(&tv, NULL);
/* check the not before date */
if (tv.tv_sec < cert->not_before)
{
ret = X509_VFY_ERROR_NOT_YET_VALID;
goto end_verify;
}
/* check the not after date */
if (tv.tv_sec > cert->not_after)
{
ret = X509_VFY_ERROR_EXPIRED;
goto end_verify;
}
if (cert->basic_constraint_present)
{
/* If the cA boolean is not asserted,
then the keyCertSign bit in the key usage extension MUST NOT be
asserted. */
if (!cert->basic_constraint_cA &&
IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_KEY_CERT_SIGN))
{
ret = X509_VFY_ERROR_BASIC_CONSTRAINT;
goto end_verify;
}
/* The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit. In this case, it gives the maximum number of
non-self-issued intermediate certificates that may follow this
certificate in a valid certification path. */
if (cert->basic_constraint_cA &&
(!cert->key_usage_present ||
IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_KEY_CERT_SIGN)) &&
(cert->basic_constraint_pathLenConstraint+1) < *pathLenConstraint)
{
ret = X509_VFY_ERROR_BASIC_CONSTRAINT;
goto end_verify;
}
}
next_cert = cert->next;
/* last cert in the chain - look for a trusted cert */
if (next_cert == NULL)
{
if (ca_cert_ctx != NULL)
{
/* go thru the CA store */
while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
{
/* the extension is present but the cA boolean is not
asserted, then the certified public key MUST NOT be used
to verify certificate signatures. */
if (cert->basic_constraint_present &&
!ca_cert_ctx->cert[i]->basic_constraint_cA)
continue;
if (asn1_compare_dn(cert->ca_cert_dn,
ca_cert_ctx->cert[i]->cert_dn) == 0)
{
/* use this CA certificate for signature verification */
match_ca_cert = true;
ctx = ca_cert_ctx->cert[i]->rsa_ctx->bi_ctx;
mod = ca_cert_ctx->cert[i]->rsa_ctx->m;
expn = ca_cert_ctx->cert[i]->rsa_ctx->e;
break;
}
i++;
}
}
/* couldn't find a trusted cert (& let self-signed errors
be returned) */
if (!match_ca_cert && !is_self_signed)
{
ret = X509_VFY_ERROR_NO_TRUSTED_CERT;
goto end_verify;
}
}
else if (asn1_compare_dn(cert->ca_cert_dn, next_cert->cert_dn) != 0)
{
/* check the chain */
ret = X509_VFY_ERROR_INVALID_CHAIN;
goto end_verify;
}
else /* use the next certificate in the chain for signature verify */
{
ctx = next_cert->rsa_ctx->bi_ctx;
mod = next_cert->rsa_ctx->m;
expn = next_cert->rsa_ctx->e;
}
/* cert is self signed */
if (!match_ca_cert && is_self_signed)
{
ret = X509_VFY_ERROR_SELF_SIGNED;
goto end_verify;
}
/* check the signature */
cert_sig = sig_verify(ctx, cert->signature, cert->sig_len,
bi_clone(ctx, mod), bi_clone(ctx, expn));
if (cert_sig && cert->digest)
{
if (bi_compare(cert_sig, cert->digest) != 0)
ret = X509_VFY_ERROR_BAD_SIGNATURE;
bi_free(ctx, cert_sig);
}
else
{
ret = X509_VFY_ERROR_BAD_SIGNATURE;
}
bi_clear_cache(ctx);
if (ret)
goto end_verify;
/* go down the certificate chain using recursion. */
if (next_cert != NULL)
{
(*pathLenConstraint)++; /* don't include last certificate */
ret = x509_verify(ca_cert_ctx, next_cert, pathLenConstraint);
}
end_verify:
return ret;
}
