/* free single cache entry */
static void
_ecc_wmnaf_cache_entry_free (gnutls_ecc_curve_cache_entry_t * p)
{
int i;
for (i = 0; i < WMNAF_PRECOMPUTED_LENGTH; ++i)
{
ecc_del_point (p->pos[i]);
ecc_del_point (p->neg[i]);
}
}
/* initialize single cache entry
* for a curve with the given id */
static int
_ecc_wmnaf_cache_entry_init (gnutls_ecc_curve_cache_entry_t * p,
gnutls_ecc_curve_t id)
{
int i, j, err;
ecc_point *G;
mpz_t a, modulus;
const gnutls_ecc_curve_entry_st *st = NULL;
if (p == NULL || id == 0)
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
G = ecc_new_point ();
if (G == NULL)
{
return GNUTLS_E_MEMORY_ERROR;
}
st = _gnutls_ecc_curve_get_params (id);
if (st == NULL)
{
err = GNUTLS_E_INTERNAL_ERROR;
goto done;
}
if ((err = mp_init_multi (&a, &modulus, NULL) != 0))
return err;
/* set id */
p->id = id;
/* set modulus */
mpz_set_str (modulus, st->prime, 16);
/* get generator point */
mpz_set_str (G->x, st->Gx, 16);
mpz_set_str (G->y, st->Gy, 16);
mpz_set_ui (G->z, 1);
/* set A */
mpz_set_str (a, st->A, 16);
/* alloc ram for precomputed values */
for (i = 0; i < WMNAF_PRECOMPUTED_LENGTH; ++i)
{
p->pos[i] = ecc_new_point ();
p->neg[i] = ecc_new_point ();
if (p->pos[i] == NULL || p->neg[i] == NULL)
{
for (j = 0; j < i; ++j)
{
ecc_del_point (p->pos[j]);
ecc_del_point (p->neg[j]);
}
err = GNUTLS_E_MEMORY_ERROR;
goto done;
}
}
/* fill in pos and neg arrays with precomputed values
* pos holds kG for k == 1, 3, 5, ..., (2^w - 1)
* neg holds kG for k == -1,-3,-5, ...,-(2^w - 1)
*/
/* pos[0] == 2G for a while, later it will be set to the expected 1G */
if ((err = ecc_projective_dbl_point (G, p->pos[0], a, modulus)) != 0)
goto done;
/* pos[1] == 3G */
if ((err =
ecc_projective_add_point (p->pos[0], G, p->pos[1], a,
modulus)) != 0)
goto done;
/* fill in kG for k = 5, 7, ..., (2^w - 1) */
for (j = 2; j < WMNAF_PRECOMPUTED_LENGTH; ++j)
{
if ((err =
ecc_projective_add_point (p->pos[j - 1], p->pos[0], p->pos[j],
a, modulus)) != 0)
goto done;
}
/* set pos[0] == 1G as expected
* after this step we don't need G at all */
mpz_set (p->pos[0]->x, G->x);
mpz_set (p->pos[0]->y, G->y);
mpz_set (p->pos[0]->z, G->z);
/* map to affine all elements in pos
* this will allow to use ecc_projective_madd later
* set neg[i] == -pos[i] */
for (j = 0; j < WMNAF_PRECOMPUTED_LENGTH; ++j)
{
if ((err = ecc_map (p->pos[j], modulus)) != 0)
goto done;
if ((err =
ecc_projective_negate_point (p->pos[j], p->neg[j], modulus)) != 0)
goto done;
}
err = 0;
done:
ecc_del_point (G);
mp_clear_multi (&a, &modulus, NULL);
return err;
}
/*
Perform a point wMNAF-multiplication utilizing cache
This version tries to be timing resistant
@param k The scalar to multiply by
@param id The curve's id
@param R [out] Destination for kG
@param a The curve's A value
@param modulus The modulus of the field the ECC curve is in
@param map Boolean whether to map back to affine or not (1 == map, 0 == leave in projective)
@return GNUTLS_E_SUCCESS on success
*/
int
ecc_mulmod_cached_timing (mpz_t k, gnutls_ecc_curve_t id, ecc_point * R,
mpz_t a, mpz_t modulus, int map)
{
int j, err;
gnutls_ecc_curve_cache_entry_t *cache = NULL;
signed char *wmnaf = NULL;
size_t wmnaf_len;
signed char digit;
/* point for throttle */
ecc_point *T;
if (k == NULL || R == NULL || modulus == NULL || id == 0)
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
/* prepare T point */
T = ecc_new_point ();
if (T == NULL)
return GNUTLS_E_MEMORY_ERROR;
/* calculate wMNAF */
wmnaf = ecc_wMNAF (k, &wmnaf_len);
if (!wmnaf)
{
err = GNUTLS_E_INTERNAL_ERROR;
goto done;
}
/* set R to neutral */
mpz_set_ui (R->x, 1);
mpz_set_ui (R->y, 1);
mpz_set_ui (R->z, 0);
/* set T to neutral */
mpz_set_ui (T->x, 1);
mpz_set_ui (T->y, 1);
mpz_set_ui (T->z, 0);
/* do cache lookup */
cache = ecc_wmnaf_cache + id - 1;
/* perform ops */
for (j = wmnaf_len - 1; j >= 0; --j)
{
if ((err = ecc_projective_dbl_point (R, R, a, modulus)) != 0)
goto done;
digit = wmnaf[j];
if (digit)
{
if (digit > 0)
{
if ((err =
ecc_projective_madd (R, cache->pos[(digit / 2)], R, a,
modulus)) != 0)
goto done;
}
else
{
if ((err =
ecc_projective_madd (R, cache->neg[(-digit / 2)], R, a,
modulus)) != 0)
goto done;
}
}
else
{
/* we add middle element of pos array as a general case
* there is no real difference between using pos and neg */
if ((err =
ecc_projective_madd (R,
cache->
pos[(WMNAF_PRECOMPUTED_LENGTH / 2)], T, a,
modulus)) != 0)
goto done;
}
}
/* map R back from projective space */
if (map)
{
err = ecc_map (R, modulus);
}
else
{
err = GNUTLS_E_SUCCESS;
}
done:
ecc_del_point (T);
if (wmnaf)
free (wmnaf);
return err;
}
/*
Perform a point multiplication using wMNAF representation
@param k The scalar to multiply by
@param G The base point
@param R [out] Destination for kG
@param a The curve's A value
@param modulus The modulus of the field the ECC curve is in
@param map Boolean whether to map back to affine or not (1 == map, 0 == leave in projective)
@return GNUTLS_E_SUCCESS on success
*/
int
ecc_mulmod (mpz_t k, ecc_point * G, ecc_point * R, mpz_t a,
mpz_t modulus, int map)
{
ecc_point *pos[WMNAF_PRECOMPUTED_LENGTH], *neg[WMNAF_PRECOMPUTED_LENGTH];
int i, j, err;
signed char *wmnaf = NULL;
size_t wmnaf_len;
signed char digit;
if (k == NULL || G == NULL || R == NULL || modulus == NULL)
return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
/* alloc ram for precomputed values */
for (i = 0; i < WMNAF_PRECOMPUTED_LENGTH; ++i)
{
pos[i] = ecc_new_point ();
neg[i] = ecc_new_point ();
if (pos[i] == NULL || neg[i] == NULL)
{
for (j = 0; j < i; ++j)
{
ecc_del_point (pos[j]);
ecc_del_point (neg[j]);
}
return GNUTLS_E_MEMORY_ERROR;
}
}
/* fill in pos and neg arrays with precomputed values
* pos holds kG for k == 1, 3, 5, ..., (2^w - 1)
* neg holds kG for k == -1,-3,-5, ...,-(2^w - 1)
*/
/* pos[0] == 2G for a while, later it will be set to the expected 1G */
if ((err = ecc_projective_dbl_point (G, pos[0], a, modulus)) != 0)
goto done;
/* pos[1] == 3G */
if ((err =
ecc_projective_add_point (pos[0], G, pos[1], a, modulus)) != 0)
goto done;
/* fill in kG for k = 5, 7, ..., (2^w - 1) */
for (j = 2; j < WMNAF_PRECOMPUTED_LENGTH; ++j)
{
if ((err =
ecc_projective_add_point (pos[j - 1], pos[0], pos[j], a,
modulus)) != 0)
goto done;
}
/* set pos[0] == 1G as expected
* after this step we don't need G at all
* and can change it without worries even if R == G */
mpz_set (pos[0]->x, G->x);
mpz_set (pos[0]->y, G->y);
mpz_set (pos[0]->z, G->z);
/* neg[i] == -pos[i] */
for (j = 0; j < WMNAF_PRECOMPUTED_LENGTH; ++j)
{
if ((err = ecc_projective_negate_point (pos[j], neg[j], modulus)) != 0)
goto done;
}
/* calculate wMNAF */
wmnaf = ecc_wMNAF (k, &wmnaf_len);
if (!wmnaf)
{
err = GNUTLS_E_INTERNAL_ERROR;
goto done;
}
/* actual point computation */
/* set R to neutral */
mpz_set_ui (R->x, 1);
mpz_set_ui (R->y, 1);
mpz_set_ui (R->z, 0);
/* perform ops */
for (j = wmnaf_len - 1; j >= 0; --j)
{
if ((err = ecc_projective_dbl_point (R, R, a, modulus)) != 0)
goto done;
digit = wmnaf[j];
if (digit)
{
if (digit > 0)
{
if ((err =
ecc_projective_add_point (R, pos[(digit / 2)], R, a,
modulus)) != 0)
goto done;
}
else
{
if ((err =
ecc_projective_add_point (R, neg[(-digit / 2)], R, a,
modulus)) != 0)
goto done;
}
}
}
/* map R back from projective space */
if (map)
{
err = ecc_map (R, modulus);
}
else
{
err = GNUTLS_E_SUCCESS;
}
done:
for (i = 0; i < WMNAF_PRECOMPUTED_LENGTH; ++i)
{
ecc_del_point (pos[i]);
ecc_del_point (neg[i]);
}
if (wmnaf)
free (wmnaf);
return err;
}
/**
Perform a point multiplication
@param k The scalar to multiply by
@param G The base point
@param R [out] Destination for kG
@param modulus The modulus of the field the ECC curve is in
@param map Boolean whether to map back to affine or not (1==map, 0 == leave in projective)
@return CRYPT_OK on success
*/
int
ecc_mulmod (mpz_t k, ecc_point * G, ecc_point * R, mpz_t a, mpz_t modulus,
int map)
{
ecc_point *tG, *M[8];
int i, j, err, bitidx;
int first, bitbuf, bitcpy, mode;
if (k == NULL || G == NULL || R == NULL || modulus == NULL)
return -1;
/* alloc ram for window temps */
for (i = 0; i < 8; i++) {
M[i] = ecc_new_point();
if (M[i] == NULL) {
for (j = 0; j < i; j++) {
ecc_del_point(M[j]);
}
return -1;
}
}
/* make a copy of G incase R==G */
tG = ecc_new_point();
if (tG == NULL)
{
err = -1;
goto done;
}
/* tG = G and convert to montgomery */
mpz_set (tG->x, G->x);
mpz_set (tG->y, G->y);
mpz_set (tG->z, G->z);
/* calc the M tab, which holds kG for k==8..15 */
/* M[0] == 8G */
if ((err = ecc_projective_dbl_point (tG, M[0], a, modulus)) != 0)
goto done;
if ((err = ecc_projective_dbl_point (M[0], M[0], a, modulus)) != 0)
goto done;
if ((err = ecc_projective_dbl_point (M[0], M[0], a, modulus)) != 0)
goto done;
/* now find (8+k)G for k=1..7 */
for (j = 9; j < 16; j++) {
if (ecc_projective_add_point(M[j-9], tG, M[j-8], a, modulus) != 0)
goto done;
}
/* setup sliding window */
mode = 0;
bitidx = mpz_size (k) * GMP_NUMB_BITS - 1;
bitcpy = bitbuf = 0;
first = 1;
/* perform ops */
for (;;) {
/* grab next digit as required */
if (bitidx == -1) {
break;
}
/* grab the next msb from the ltiplicand */
i = mpz_tstbit (k, bitidx--);
/* skip leading zero bits */
if (mode == 0 && i == 0) {
continue;
}
/* if the bit is zero and mode == 1 then we double */
if (mode == 1 && i == 0) {
if ((err = ecc_projective_dbl_point(R, R, a, modulus)) != 0)
goto done;
continue;
}
/* else we add it to the window */
bitbuf |= (i << (WINSIZE - ++bitcpy));
mode = 2;
if (bitcpy == WINSIZE) {
/* if this is the first window we do a simple copy */
if (first == 1) {
/* R = kG [k = first window] */
mpz_set(R->x, M[bitbuf-8]->x);
mpz_set(R->y, M[bitbuf-8]->y);
mpz_set(R->z, M[bitbuf-8]->z);
first = 0;
} else {
/* normal window */
/* ok window is filled so double as required and add */
/* double first */
for (j = 0; j < WINSIZE; j++) {
if ((err = ecc_projective_dbl_point(R, R, a, modulus)) != 0)
goto done;
}
/* then add, bitbuf will be 8..15 [8..2^WINSIZE] guaranteed */
if ((err = ecc_projective_add_point(R, M[bitbuf-8], R, a, modulus)) != 0)
goto done;
}
/* empty window and reset */
bitcpy = bitbuf = 0;
mode = 1;
}
}
/* if bits remain then double/add */
if (mode == 2 && bitcpy > 0) {
/* double then add */
for (j = 0; j < bitcpy; j++) {
/* only double if we have had at least one add first */
if (first == 0) {
if ((err = ecc_projective_dbl_point(R, R, a, modulus)) != 0)
goto done;
}
bitbuf <<= 1;
if ((bitbuf & (1 << WINSIZE)) != 0) {
if (first == 1){
/* first add, so copy */
mpz_set(R->x, tG->x);
mpz_set(R->y, tG->y);
mpz_set(R->z, tG->z);
first = 0;
} else {
/* then add */
if ((err = ecc_projective_add_point(R, tG, R, a, modulus)) != 0)
goto done;
}
}
}
}
/* map R back from projective space */
if (map) {
err = ecc_map(R, modulus);
} else {
err = 0;
}
done:
ecc_del_point(tG);
for (i = 0; i < 8; i++) {
ecc_del_point(M[i]);
}
return err;
}
int
ecc_make_key_ex (void *random_ctx, nettle_random_func random, ecc_key * key,
mpz_t prime, mpz_t order, mpz_t A, mpz_t B, mpz_t Gx, mpz_t Gy,
int timing_res)
{
int err;
ecc_point *base;
unsigned char *buf;
int keysize;
if (key == NULL || random == NULL)
return -1;
keysize = nettle_mpz_sizeinbase_256_u (order);
/* allocate ram */
base = NULL;
buf = malloc (keysize);
if (buf == NULL)
return -1;
/* make up random string */
random (random_ctx, keysize, buf);
/* setup the key variables */
if ((err =
mp_init_multi (&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k,
&key->prime, &key->order, &key->A, &key->B, &key->Gx, &key->Gy,
NULL)) != 0)
{
goto ERR_BUF;
}
base = ecc_new_point ();
if (base == NULL)
{
err = -1;
goto errkey;
}
/* read in the specs for this key */
mpz_set (key->prime, prime);
mpz_set (key->order, order);
mpz_set (key->Gx, Gx);
mpz_set (key->Gy, Gy);
mpz_set (key->A, A);
mpz_set (key->B, B);
mpz_set (base->x, key->Gx);
mpz_set (base->y, key->Gy);
mpz_set_ui (base->z, 1);
nettle_mpz_set_str_256_u (key->k, keysize, buf);
/* the key should be smaller than the order of base point */
if (mpz_cmp (key->k, key->order) >= 0)
{
mpz_mod (key->k, key->k, key->order);
}
/* make the public key */
if (timing_res)
err = ecc_mulmod_timing (key->k, base, &key->pubkey, key->A, key->prime, 1);
else
err = ecc_mulmod (key->k, base, &key->pubkey, key->A, key->prime, 1);
if (err != 0)
goto errkey;
key->type = PK_PRIVATE;
/* free up ram */
err = 0;
goto cleanup;
errkey:
mp_clear_multi (&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k,
&key->order, &key->prime, &key->Gx, &key->Gy, &key->A, &key->B,
NULL);
cleanup:
ecc_del_point (base);
ERR_BUF:
free (buf);
return err;
}
static int
wrap_nettle_pk_verify_params (gnutls_pk_algorithm_t algo,
const gnutls_pk_params_st * params)
{
int ret;
switch (algo)
{
case GNUTLS_PK_RSA:
{
bigint_t t1 = NULL, t2 = NULL;
if (params->params_nr != RSA_PRIVATE_PARAMS)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
t1 = _gnutls_mpi_new (256);
if (t1 == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
_gnutls_mpi_mulm (t1, params->params[RSA_PRIME1], params->params[RSA_PRIME2], params->params[RSA_MODULUS]);
if (_gnutls_mpi_cmp_ui(t1, 0) != 0)
{
ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto rsa_cleanup;
}
mpz_invert (TOMPZ(t1), TOMPZ (params->params[RSA_PRIME2]), TOMPZ (params->params[RSA_PRIME1]));
if (_gnutls_mpi_cmp(t1, params->params[RSA_COEF]) != 0)
{
ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto rsa_cleanup;
}
/* [RSA_PRIME1] = d % p-1, [RSA_PRIME2] = d % q-1 */
_gnutls_mpi_sub_ui (t1, params->params[RSA_PRIME1], 1);
t2 = _gnutls_mpi_mod (params->params[RSA_PRIV], t1);
if (t2 == NULL)
{
ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
goto rsa_cleanup;
}
if (_gnutls_mpi_cmp(params->params[RSA_E1], t2) != 0)
{
ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto rsa_cleanup;
}
_gnutls_mpi_sub_ui (t1, params->params[RSA_PRIME2], 1);
_gnutls_mpi_release(&t2);
t2 = _gnutls_mpi_mod (params->params[RSA_PRIV], t1);
if (t2 == NULL)
{
ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
goto rsa_cleanup;
}
if (_gnutls_mpi_cmp(params->params[RSA_E2], t2) != 0)
{
ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto rsa_cleanup;
}
ret = 0;
rsa_cleanup:
_gnutls_mpi_release(&t1);
_gnutls_mpi_release(&t2);
}
break;
case GNUTLS_PK_DSA:
{
bigint_t t1 = NULL;
if (params->params_nr != DSA_PRIVATE_PARAMS)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
t1 = _gnutls_mpi_new (256);
if (t1 == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
_gnutls_mpi_powm (t1, params->params[DSA_G], params->params[DSA_X], params->params[DSA_P]);
if (_gnutls_mpi_cmp(t1, params->params[DSA_Y]) != 0)
{
ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto dsa_cleanup;
}
ret = 0;
dsa_cleanup:
_gnutls_mpi_release(&t1);
}
break;
case GNUTLS_PK_EC:
{
int curve = params->flags;
ecc_key ecc_priv;
ecc_point *R;
ecc_point zero;
if (params->params_nr != ECC_PRIVATE_PARAMS)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
if (is_supported_curve(curve) == 0)
return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
_ecc_params_to_privkey(params, &ecc_priv);
R = ecc_new_point();
/* verify that x,y lie on the curve */
ret = ecc_projective_check_point(&ecc_priv.pubkey, TOMPZ(params->params[ECC_B]), params->params[ECC_PRIME]);
if (ret != 0)
{
ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto ecc_cleanup;
}
memcpy(&zero.x, ecc_priv.Gx, sizeof(mpz_t));
memcpy(&zero.y, ecc_priv.Gy, sizeof(mpz_t));
memcpy(&zero.z, ecc_priv.pubkey.z, sizeof(mpz_t)); /* z = 1 */
/* verify that k*(Gx,Gy)=(x,y) */
ret = ecc_mulmod_cached(ecc_priv.k, curve, R, TOMPZ(params->params[ECC_A]), TOMPZ(params->params[ECC_PRIME]), 1);
if (ret != 0)
{
ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto ecc_cleanup;
}
if (mpz_cmp(ecc_priv.pubkey.x, R->x) != 0 || mpz_cmp(ecc_priv.pubkey.y, R->y) != 0)
{
ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
goto ecc_cleanup;
}
ret = 0;
ecc_cleanup:
_ecc_params_clear(&ecc_priv);
ecc_del_point(R);
}
break;
default:
ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
return ret;
}
