/*
* Compute shared secret (SEC1 3.3.1)
*/
int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret;
mbedtls_ecp_point P;
mbedtls_ecp_point_init( &P );
/*
* Make sure Q is a valid pubkey before using it
*/
MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, Q ) );
MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, &P, d, Q, f_rng, p_rng ) );
if( mbedtls_ecp_is_zero( &P ) )
{
ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
goto cleanup;
}
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( z, &P.X ) );
cleanup:
mbedtls_ecp_point_free( &P );
return( ret );
}
static int neg(void *a, void *b)
{
if (mbedtls_mpi_copy(b, a))
return CRYPT_MEM;
((mbedtls_mpi *)b)->s *= -1;
return CRYPT_OK;
}
void TEE_BigIntComputeExtendedGcd(TEE_BigInt *gcd, TEE_BigInt *u,
TEE_BigInt *v, const TEE_BigInt *op1,
const TEE_BigInt *op2)
{
mbedtls_mpi mpi_gcd_res;
mbedtls_mpi mpi_op1;
mbedtls_mpi mpi_op2;
mbedtls_mpi *pop2 = &mpi_op2;
get_mpi(&mpi_gcd_res, gcd);
get_mpi(&mpi_op1, op1);
if (op2 == op1)
pop2 = &mpi_op1;
else
get_mpi(&mpi_op2, op2);
if (!u && !v) {
if (gcd)
MPI_CHECK(mbedtls_mpi_gcd(&mpi_gcd_res, &mpi_op1,
pop2));
} else {
mbedtls_mpi mpi_u;
mbedtls_mpi mpi_v;
int8_t s1 = mpi_op1.s;
int8_t s2 = pop2->s;
int cmp;
mpi_op1.s = 1;
pop2->s = 1;
get_mpi(&mpi_u, u);
get_mpi(&mpi_v, v);
cmp = mbedtls_mpi_cmp_abs(&mpi_op1, pop2);
if (cmp == 0) {
MPI_CHECK(mbedtls_mpi_copy(&mpi_gcd_res, &mpi_op1));
MPI_CHECK(mbedtls_mpi_lset(&mpi_u, 1));
MPI_CHECK(mbedtls_mpi_lset(&mpi_v, 0));
} else if (cmp > 0) {
mpi_egcd(&mpi_gcd_res, &mpi_u, &mpi_v, &mpi_op1, pop2);
} else {
mpi_egcd(&mpi_gcd_res, &mpi_v, &mpi_u, pop2, &mpi_op1);
}
mpi_u.s *= s1;
mpi_v.s *= s2;
MPI_CHECK(copy_mpi_to_bigint(&mpi_u, u));
MPI_CHECK(copy_mpi_to_bigint(&mpi_v, v));
mbedtls_mpi_free(&mpi_u);
mbedtls_mpi_free(&mpi_v);
}
MPI_CHECK(copy_mpi_to_bigint(&mpi_gcd_res, gcd));
mbedtls_mpi_free(&mpi_gcd_res);
mbedtls_mpi_free(&mpi_op1);
if (pop2 == &mpi_op2)
mbedtls_mpi_free(&mpi_op2);
}
/*
* Initializes a MPI from a constant bigint.
*
* A MPI is allocated and given an initial value based on the supplied
* bigint. When the MPI is freed with put_mpi() no changes are propagated
* back.
*/
static void get_const_mpi(mbedtls_mpi *mpi, const TEE_BigInt *bigInt)
{
mbedtls_mpi mpi_const;
init_static_mpi(&mpi_const, (TEE_BigInt *)bigInt);
get_mpi(mpi, NULL);
MPI_CHECK(mbedtls_mpi_copy(mpi, &mpi_const));
}
/*
* Use the blinding method and optimisation suggested in section 10 of:
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
* DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
* Berlin Heidelberg, 1996. p. 104-113.
*/
static int dhm_update_blinding( mbedtls_dhm_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret, count;
/*
* Don't use any blinding the first time a particular X is used,
* but remember it to use blinding next time.
*/
if( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->pX ) != 0 )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &ctx->pX, &ctx->X ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vi, 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vf, 1 ) );
return( 0 );
}
/*
* Ok, we need blinding. Can we re-use existing values?
* If yes, just update them by squaring them.
*/
if( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
return( 0 );
}
/*
* We need to generate blinding values from scratch
*/
/* Vi = random( 2, P-1 ) */
count = 0;
do
{
mbedtls_mpi_fill_random( &ctx->Vi, mbedtls_mpi_size( &ctx->P ), f_rng, p_rng );
while( mbedtls_mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->Vi, 1 ) );
if( count++ > 10 )
return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
}
while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
/* Vf = Vi^-X mod P */
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
cleanup:
return( ret );
}
int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial )
{
int ret;
if( ( ret = mbedtls_mpi_copy( &ctx->serial, serial ) ) != 0 )
return( ret );
return( 0 );
}
static int div_2(void *a, void *b)
{
if (mbedtls_mpi_copy(b, a))
return CRYPT_MEM;
if (mbedtls_mpi_shift_r(b, 1))
return CRYPT_MEM;
return CRYPT_OK;
}
void TEE_BigIntShiftRight(TEE_BigInt *dest, const TEE_BigInt *op, size_t bits)
{
mbedtls_mpi mpi_dest;
mbedtls_mpi mpi_op;
get_mpi(&mpi_dest, dest);
if (dest == op) {
MPI_CHECK(mbedtls_mpi_shift_r(&mpi_dest, bits));
goto out;
}
get_mpi(&mpi_op, op);
if (mbedtls_mpi_size(&mpi_dest) >= mbedtls_mpi_size(&mpi_op)) {
MPI_CHECK(mbedtls_mpi_copy(&mpi_dest, &mpi_op));
MPI_CHECK(mbedtls_mpi_shift_r(&mpi_dest, bits));
} else {
mbedtls_mpi mpi_t;
get_mpi(&mpi_t, NULL);
/*
* We're using a temporary buffer to avoid the corner case
* where destination is unexpectedly overflowed by up to
* @bits number of bits.
*/
MPI_CHECK(mbedtls_mpi_copy(&mpi_t, &mpi_op));
MPI_CHECK(mbedtls_mpi_shift_r(&mpi_t, bits));
MPI_CHECK(mbedtls_mpi_copy(&mpi_dest, &mpi_t));
mbedtls_mpi_free(&mpi_t);
}
mbedtls_mpi_free(&mpi_op);
out:
MPI_CHECK(copy_mpi_to_bigint(&mpi_dest, dest));
mbedtls_mpi_free(&mpi_dest);
}
/*
* Set context from an mbedtls_ecp_keypair
*/
int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key )
{
int ret;
if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 ||
( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 ||
( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 )
{
mbedtls_ecdsa_free( ctx );
}
return( ret );
}
/* reduce */
static int montgomery_reduce(void *a, void *b, void *c)
{
mbedtls_mpi A;
mbedtls_mpi *N = b;
mbedtls_mpi_uint *mm = c;
mbedtls_mpi T;
int ret = CRYPT_MEM;
mbedtls_mpi_init_mempool(&T);
mbedtls_mpi_init_mempool(&A);
if (mbedtls_mpi_grow(&T, (N->n + 1) * 2))
goto out;
if (mbedtls_mpi_cmp_mpi(a, N) > 0) {
if (mbedtls_mpi_mod_mpi(&A, a, N))
goto out;
} else {
if (mbedtls_mpi_copy(&A, a))
goto out;
}
if (mbedtls_mpi_grow(&A, N->n + 1))
goto out;
if (mbedtls_mpi_montred(&A, N, *mm, &T))
goto out;
if (mbedtls_mpi_copy(a, &A))
goto out;
ret = CRYPT_OK;
out:
mbedtls_mpi_free(&A);
mbedtls_mpi_free(&T);
return ret;
}
result_t PKey::copy(const mbedtls_pk_context &key)
{
mbedtls_pk_type_t type = mbedtls_pk_get_type(&key);
int32_t ret;
if (type == MBEDTLS_PK_RSA)
{
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(key);
ret = mbedtls_pk_setup(&m_key, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
mbedtls_rsa_context *rsa1 = mbedtls_pk_rsa(m_key);
ret = mbedtls_rsa_copy(rsa1, rsa);
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
return 0;
}
if (type == MBEDTLS_PK_ECKEY)
{
mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(key);
ret = mbedtls_pk_setup(&m_key, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
mbedtls_ecp_keypair *ecp1 = mbedtls_pk_ec(m_key);
ret = mbedtls_ecp_group_copy(&ecp1->grp, &ecp->grp);
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
ret = mbedtls_mpi_copy(&ecp1->d, &ecp->d);
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
ret = mbedtls_ecp_copy(&ecp1->Q, &ecp->Q);
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
return 0;
}
return CHECK_ERROR(CALL_E_INVALID_CALL);
}
/*
* Derive and export the shared secret (G^Y)^X mod P
*/
int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
unsigned char *output, size_t output_size, size_t *olen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
int ret;
mbedtls_mpi GYb;
if( ctx == NULL || output_size < ctx->len )
return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
return( ret );
mbedtls_mpi_init( &GYb );
/* Blind peer's value */
if( f_rng != NULL )
{
MBEDTLS_MPI_CHK( dhm_update_blinding( ctx, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &GYb, &ctx->GY, &ctx->Vi ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &GYb, &GYb, &ctx->P ) );
}
else
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &GYb, &ctx->GY ) );
/* Do modular exponentiation */
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->K, &GYb, &ctx->X,
&ctx->P, &ctx->RP ) );
/* Unblind secret value */
if( f_rng != NULL )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->K, &ctx->K, &ctx->Vf ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
}
*olen = mbedtls_mpi_size( &ctx->K );
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->K, output, *olen ) );
cleanup:
mbedtls_mpi_free( &GYb );
if( ret != 0 )
return( MBEDTLS_ERR_DHM_CALC_SECRET_FAILED + ret );
return( 0 );
}
void TEE_BigIntNeg(TEE_BigInt *dest, const TEE_BigInt *src)
{
mbedtls_mpi mpi_dest;
get_mpi(&mpi_dest, dest);
if (dest != src) {
mbedtls_mpi mpi_src;
get_const_mpi(&mpi_src, src);
MPI_CHECK(mbedtls_mpi_copy(&mpi_dest, &mpi_src));
put_mpi(&mpi_src);
}
mpi_dest.s *= -1;
put_mpi(&mpi_dest);
}
void TEE_BigIntNeg(TEE_BigInt *dest, const TEE_BigInt *src)
{
mbedtls_mpi mpi_dest;
get_mpi(&mpi_dest, dest);
if (dest != src) {
mbedtls_mpi mpi_src;
get_mpi(&mpi_src, src);
MPI_CHECK(mbedtls_mpi_copy(&mpi_dest, &mpi_src));
mbedtls_mpi_free(&mpi_src);
}
mpi_dest.s *= -1;
MPI_CHECK(copy_mpi_to_bigint(&mpi_dest, dest));
mbedtls_mpi_free(&mpi_dest);
}
/*
* This function calculates:
* d = a^b mod c
*
* @a: base
* @b: exponent
* @c: modulus
* @d: destination
*/
static int exptmod(void *a, void *b, void *c, void *d)
{
int res;
if (d == a || d == b || d == c) {
mbedtls_mpi dest;
mbedtls_mpi_init_mempool(&dest);
res = mbedtls_mpi_exp_mod(&dest, a, b, c, NULL);
if (!res)
res = mbedtls_mpi_copy(d, &dest);
mbedtls_mpi_free(&dest);
} else {
res = mbedtls_mpi_exp_mod(d, a, b, c, NULL);
}
if (res)
return CRYPT_MEM;
else
return CRYPT_OK;
}
/*
* Get parameters from a keypair
*/
int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key,
mbedtls_ecdh_side side )
{
int ret;
if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 )
return( ret );
/* If it's not our key, just import the public part as Qp */
if( side == MBEDTLS_ECDH_THEIRS )
return( mbedtls_ecp_copy( &ctx->Qp, &key->Q ) );
/* Our key: import public (as Q) and private parts */
if( side != MBEDTLS_ECDH_OURS )
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
if( ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 ||
( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 )
return( ret );
return( 0 );
}
/* ---- trivial ---- */
static int set_int(void *a, unsigned long b)
{
uint32_t b32 = b;
if (b32 != b)
return CRYPT_INVALID_ARG;
mbedtls_mpi_uint p = b32;
mbedtls_mpi bn = { .s = 1, .n = 1, .p = &p };
if (mbedtls_mpi_copy(a, &bn))
return CRYPT_MEM;
return CRYPT_OK;
}
static unsigned long get_int(void *a)
{
mbedtls_mpi *bn = a;
if (!bn->n)
return 0;
return bn->p[bn->n - 1];
}
result_t PKey::get_publicKey(obj_ptr<PKey_base> &retVal)
{
result_t hr;
bool priv;
hr = isPrivate(priv);
if (hr < 0)
return hr;
if (!priv)
return CALL_RETURN_NULL;
mbedtls_pk_type_t type = mbedtls_pk_get_type(&m_key);
int32_t ret;
if (type == MBEDTLS_PK_RSA)
{
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(m_key);
obj_ptr<PKey> pk1 = new PKey();
ret = mbedtls_pk_setup(&pk1->m_key, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
mbedtls_rsa_context *rsa1 = mbedtls_pk_rsa(pk1->m_key);
rsa1->len = rsa->len;
rsa1->padding = rsa->padding;
rsa1->hash_id = rsa->hash_id;
ret = mbedtls_mpi_copy(&rsa1->N, &rsa->N);
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
ret = mbedtls_mpi_copy(&rsa1->E, &rsa->E);
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
retVal = pk1;
return 0;
}
if (type == MBEDTLS_PK_ECKEY)
{
mbedtls_ecp_keypair *ecp = mbedtls_pk_ec(m_key);
obj_ptr<PKey> pk1 = new PKey();
ret = mbedtls_pk_setup(&pk1->m_key, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
mbedtls_ecp_keypair *ecp1 = mbedtls_pk_ec(pk1->m_key);
ret = mbedtls_ecp_group_copy(&ecp1->grp, &ecp->grp);
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
ret = mbedtls_ecp_copy(&ecp1->Q, &ecp->Q);
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
retVal = pk1;
return 0;
}
return CHECK_ERROR(CALL_E_INVALID_CALL);
}
/* Z = X * Y */
int mbedtls_mpi_mul_mpi( mbedtls_mpi *Z, const mbedtls_mpi *X, const mbedtls_mpi *Y )
{
int ret;
size_t bits_x, bits_y, words_x, words_y, words_mult, words_z;
/* Count words needed for X & Y in hardware */
bits_x = mbedtls_mpi_bitlen(X);
bits_y = mbedtls_mpi_bitlen(Y);
/* Convert bit counts to words, rounded up to 512-bit
(16 word) blocks */
words_x = bits_to_hardware_words(bits_x);
words_y = bits_to_hardware_words(bits_y);
/* Short-circuit eval if either argument is 0 or 1.
This is needed as the mpi modular division
argument will sometimes call in here when one
argument is too large for the hardware unit, but the other
argument is zero or one.
This leaks some timing information, although overall there is a
lot less timing variation than a software MPI approach.
*/
if (bits_x == 0 || bits_y == 0) {
mbedtls_mpi_lset(Z, 0);
return 0;
}
if (bits_x == 1) {
return mbedtls_mpi_copy(Z, Y);
}
if (bits_y == 1) {
return mbedtls_mpi_copy(Z, X);
}
words_mult = (words_x > words_y ? words_x : words_y);
/* Result Z has to have room for double the larger factor */
words_z = words_mult * 2;
/* If either factor is over 2048 bits, we can't use the standard hardware multiplier
(it assumes result is double longest factor, and result is max 4096 bits.)
However, we can fail over to mod_mult for up to 4096 bits of result (modulo
multiplication doesn't have the same restriction, so result is simply the
number of bits in X plus number of bits in in Y.)
*/
if (words_mult * 32 > 2048) {
/* Calculate new length of Z */
words_z = bits_to_hardware_words(bits_x + bits_y);
if (words_z * 32 <= 4096) {
/* Note: it's possible to use mpi_mult_mpi_overlong
for this case as well, but it's very slightly
slower and requires a memory allocation.
*/
return mpi_mult_mpi_failover_mod_mult(Z, X, Y, words_z);
} else {
/* Still too long for the hardware unit... */
if(bits_y > bits_x) {
return mpi_mult_mpi_overlong(Z, X, Y, bits_y, words_z);
} else {
return mpi_mult_mpi_overlong(Z, Y, X, bits_x, words_z);
}
}
}
/* Otherwise, we can use the (faster) multiply hardware unit */
esp_mpi_acquire_hardware();
/* Copy X (right-extended) & Y (left-extended) to memory block */
mpi_to_mem_block(RSA_MEM_X_BLOCK_BASE, X, words_mult);
mpi_to_mem_block(RSA_MEM_Z_BLOCK_BASE + words_mult * 4, Y, words_mult);
/* NB: as Y is left-extended, we don't zero the bottom words_mult words of Y block.
This is OK for now because zeroing is done by hardware when we do esp_mpi_acquire_hardware().
*/
REG_WRITE(RSA_M_DASH_REG, 0);
/* "mode" register loaded with number of 512-bit blocks in result,
plus 7 (for range 9-12). (this is ((N~ / 32) - 1) + 8))
*/
REG_WRITE(RSA_MULT_MODE_REG, (words_z / 16) + 7);
execute_op(RSA_MULT_START_REG);
/* Read back the result */
ret = mem_block_to_mpi(Z, RSA_MEM_Z_BLOCK_BASE, words_z);
Z->s = X->s * Y->s;
esp_mpi_release_hardware();
return ret;
}
static int copy(void *a, void *b)
{
if (mbedtls_mpi_copy(b, a))
return CRYPT_MEM;
return CRYPT_OK;
}
/*
* Compute ECDSA signature of a hashed message (SEC1 4.1.3)
* Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
*/
static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
mbedtls_mpi *r, mbedtls_mpi *s,
const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_ecdsa_restart_ctx *rs_ctx )
{
int ret, key_tries, sign_tries;
int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
mbedtls_ecp_point R;
mbedtls_mpi k, e, t;
mbedtls_mpi *pk = &k, *pr = r;
/* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
if( grp->N.p == NULL )
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
/* Make sure d is in range 1..n-1 */
if( mbedtls_mpi_cmp_int( d, 1 ) < 0 || mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
return( MBEDTLS_ERR_ECP_INVALID_KEY );
mbedtls_ecp_point_init( &R );
mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t );
ECDSA_RS_ENTER( sig );
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx != NULL && rs_ctx->sig != NULL )
{
/* redirect to our context */
p_sign_tries = &rs_ctx->sig->sign_tries;
p_key_tries = &rs_ctx->sig->key_tries;
pk = &rs_ctx->sig->k;
pr = &rs_ctx->sig->r;
/* jump to current step */
if( rs_ctx->sig->state == ecdsa_sig_mul )
goto mul;
if( rs_ctx->sig->state == ecdsa_sig_modn )
goto modn;
}
#endif /* MBEDTLS_ECP_RESTARTABLE */
*p_sign_tries = 0;
do
{
if( *p_sign_tries++ > 10 )
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
}
/*
* Steps 1-3: generate a suitable ephemeral keypair
* and set r = xR mod n
*/
*p_key_tries = 0;
do
{
if( *p_key_tries++ > 10 )
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
}
MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx != NULL && rs_ctx->sig != NULL )
rs_ctx->sig->state = ecdsa_sig_mul;
mul:
#endif
MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G,
f_rng, p_rng, ECDSA_RS_ECP ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) );
}
while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 );
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx != NULL && rs_ctx->sig != NULL )
rs_ctx->sig->state = ecdsa_sig_modn;
modn:
#endif
/*
* Accounting for everything up to the end of the loop
* (step 6, but checking now avoids saving e and t)
*/
ECDSA_BUDGET( MBEDTLS_ECP_OPS_INV + 4 );
/*
* Step 5: derive MPI from hashed message
*/
MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
/*
* Generate a random value to blind inv_mod in next step,
* avoiding a potential timing leak.
*/
MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng, p_rng ) );
/*
* Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, pr, d ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
}
while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx != NULL && rs_ctx->sig != NULL )
mbedtls_mpi_copy( r, pr );
#endif
cleanup:
mbedtls_ecp_point_free( &R );
mbedtls_mpi_free( &k ); mbedtls_mpi_free( &e ); mbedtls_mpi_free( &t );
ECDSA_RS_LEAVE( sig );
return( ret );
}
/*
* Based on libmpa implementation __mpa_egcd(), modified to work with MPI
* instead.
*/
static void mpi_egcd(mbedtls_mpi *gcd, mbedtls_mpi *a, mbedtls_mpi *b,
mbedtls_mpi *x_in, mbedtls_mpi *y_in)
{
mbedtls_mpi_uint k;
mbedtls_mpi A;
mbedtls_mpi B;
mbedtls_mpi C;
mbedtls_mpi D;
mbedtls_mpi x;
mbedtls_mpi y;
mbedtls_mpi u;
get_mpi(&A, NULL);
get_mpi(&B, NULL);
get_mpi(&C, NULL);
get_mpi(&D, NULL);
get_mpi(&x, NULL);
get_mpi(&y, NULL);
get_mpi(&u, NULL);
/* have y < x from assumption */
if (!mbedtls_mpi_cmp_int(y_in, 0)) {
MPI_CHECK(mbedtls_mpi_lset(a, 1));
MPI_CHECK(mbedtls_mpi_lset(b, 0));
MPI_CHECK(mbedtls_mpi_copy(gcd, x_in));
goto out;
}
MPI_CHECK(mbedtls_mpi_copy(&x, x_in));
MPI_CHECK(mbedtls_mpi_copy(&y, y_in));
k = 0;
while (mpi_is_even(&x) && mpi_is_even(&y)) {
k++;
MPI_CHECK(mbedtls_mpi_shift_r(&x, 1));
MPI_CHECK(mbedtls_mpi_shift_r(&y, 1));
}
MPI_CHECK(mbedtls_mpi_copy(&u, &x));
MPI_CHECK(mbedtls_mpi_copy(gcd, &y));
MPI_CHECK(mbedtls_mpi_lset(&A, 1));
MPI_CHECK(mbedtls_mpi_lset(&B, 0));
MPI_CHECK(mbedtls_mpi_lset(&C, 0));
MPI_CHECK(mbedtls_mpi_lset(&D, 1));
while (mbedtls_mpi_cmp_int(&u, 0)) {
while (mpi_is_even(&u)) {
MPI_CHECK(mbedtls_mpi_shift_r(&u, 1));
if (mpi_is_odd(&A) || mpi_is_odd(&B)) {
MPI_CHECK(mbedtls_mpi_add_mpi(&A, &A, &y));
MPI_CHECK(mbedtls_mpi_sub_mpi(&B, &B, &x));
}
MPI_CHECK(mbedtls_mpi_shift_r(&A, 1));
MPI_CHECK(mbedtls_mpi_shift_r(&B, 1));
}
while (mpi_is_even(gcd)) {
MPI_CHECK(mbedtls_mpi_shift_r(gcd, 1));
if (mpi_is_odd(&C) || mpi_is_odd(&D)) {
MPI_CHECK(mbedtls_mpi_add_mpi(&C, &C, &y));
MPI_CHECK(mbedtls_mpi_sub_mpi(&D, &D, &x));
}
MPI_CHECK(mbedtls_mpi_shift_r(&C, 1));
MPI_CHECK(mbedtls_mpi_shift_r(&D, 1));
}
if (mbedtls_mpi_cmp_mpi(&u, gcd) >= 0) {
MPI_CHECK(mbedtls_mpi_sub_mpi(&u, &u, gcd));
MPI_CHECK(mbedtls_mpi_sub_mpi(&A, &A, &C));
MPI_CHECK(mbedtls_mpi_sub_mpi(&B, &B, &D));
} else {
MPI_CHECK(mbedtls_mpi_sub_mpi(gcd, gcd, &u));
MPI_CHECK(mbedtls_mpi_sub_mpi(&C, &C, &A));
MPI_CHECK(mbedtls_mpi_sub_mpi(&D, &D, &B));
}
}
MPI_CHECK(mbedtls_mpi_copy(a, &C));
MPI_CHECK(mbedtls_mpi_copy(b, &D));
MPI_CHECK(mbedtls_mpi_shift_l(gcd, k));
out:
mbedtls_mpi_free(&A);
mbedtls_mpi_free(&B);
mbedtls_mpi_free(&C);
mbedtls_mpi_free(&D);
mbedtls_mpi_free(&x);
mbedtls_mpi_free(&y);
mbedtls_mpi_free(&u);
}