From 9eb883104e5eabccfb711f65bbdc65f2423ed786 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Oct 2013 19:35:48 +0200 Subject: [PATCH 01/13] Update some comments on ecp_group --- include/polarssl/ecp.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h index 3a9a7b667..0267cb07a 100644 --- a/include/polarssl/ecp.h +++ b/include/polarssl/ecp.h @@ -113,7 +113,7 @@ ecp_point; */ typedef struct { - ecp_group_id id; /*!< RFC 4492 group ID */ + ecp_group_id id; /*!< internal group identifier */ mpi P; /*!< prime modulus of the base field */ mpi A; /*!< currently unused (-3 assumed) */ mpi B; /*!< constant term in the equation */ @@ -126,7 +126,7 @@ typedef struct int (*t_pre)(ecp_point *, void *); /*!< currently unused */ int (*t_post)(ecp_point *, void *); /*!< currently unused */ void *t_data; /*!< currently unused */ - ecp_point *T; /*!< pre-computed points (unused now) */ + ecp_point *T; /*!< pre-computed points for ecp_mul() */ size_t T_size; /*!< number for pre-computed points */ } ecp_group; From 8195c1a5678867fcaf67500c71584b6d92ff46b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Oct 2013 19:40:41 +0200 Subject: [PATCH 02/13] Add identifiers for Brainpool curves --- include/polarssl/config.h | 3 +++ include/polarssl/ecp.h | 5 ++++- library/ecp.c | 25 +++++++++++++++++-------- 3 files changed, 24 insertions(+), 9 deletions(-) diff --git a/include/polarssl/config.h b/include/polarssl/config.h index bd1234396..6208c426d 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -241,6 +241,9 @@ #define POLARSSL_ECP_DP_SECP256R1_ENABLED #define POLARSSL_ECP_DP_SECP384R1_ENABLED #define POLARSSL_ECP_DP_SECP521R1_ENABLED +#define POLARSSL_ECP_DP_BP256R1_ENABLED +#define POLARSSL_ECP_DP_BP384R1_ENABLED +#define POLARSSL_ECP_DP_BP512R1_ENABLED /** * \def POLARSSL_KEY_EXCHANGE_PSK_ENABLED 
diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index 0267cb07a..72e843c51 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -61,12 +61,15 @@ typedef enum
 POLARSSL_ECP_DP_SECP256R1, /*!< 256-bits NIST curve */
 POLARSSL_ECP_DP_SECP384R1, /*!< 384-bits NIST curve */
 POLARSSL_ECP_DP_SECP521R1, /*!< 521-bits NIST curve */
+ POLARSSL_ECP_DP_BP256R1, /*!< 256-bits Brainpool curve */
+ POLARSSL_ECP_DP_BP384R1, /*!< 384-bits Brainpool curve */
+ POLARSSL_ECP_DP_BP512R1, /*!< 512-bits Brainpool curve */
 } ecp_group_id;
 
 /**
 * Number of supported curves (plus one for NONE)
 */
-#define POLARSSL_ECP_DP_MAX 6
+#define POLARSSL_ECP_DP_MAX 9
 
 /**
 * Curve information for use by other modules
diff --git a/library/ecp.c b/library/ecp.c
index c8ee3a76f..b344c81a3 100644
--- a/library/ecp.c
+++ b/library/ecp.c
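Review bot: `POLARSSL_ECP_DP_MAX` is a hand-maintained count that has to be bumped every time `ecp_group_id` grows, and nothing in the header ties the two together; 9 is right here (NONE plus eight curves), but the next curve added without touching the macro would silently under-size whatever is presumably dimensioned with it. Deriving it from the enum, e.g. a trailing sentinel enumerator with `#define POLARSSL_ECP_DP_MAX ( (int) <sentinel> )`, would remove the drift; failing that, a reminder on the define such as `/* must equal the number of ecp_group_id values, NONE included */` is the minimum.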
@@ -70,28 +70,37 @@ unsigned long add_count, dbl_count;
 /*
 * List of supported curves:
 * - internal ID
- * - TLS NamedCurve ID (RFC 4492 section 5.1.1)
+ * - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2)
 * - size in bits
- * - readeble name
+ * - readable name
 */
 const ecp_curve_info ecp_supported_curves[] =
 {
+#if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
+ { POLARSSL_ECP_DP_BP512R1, 28, 512, "brainpool512r1" },
+#endif
+#if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
+ { POLARSSL_ECP_DP_BP384R1, 27, 384, "brainpool384r1" },
+#endif
+#if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
+ { POLARSSL_ECP_DP_BP256R1, 26, 256, "brainpool256r1" },
+#endif
 #if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
- { POLARSSL_ECP_DP_SECP521R1, 25, 521, "secp521r1" },
+ { POLARSSL_ECP_DP_SECP521R1, 25, 521, "secp521r1" },
 #endif
 #if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
- { POLARSSL_ECP_DP_SECP384R1, 24, 384, "secp384r1" },
+ { POLARSSL_ECP_DP_SECP384R1, 24, 384, "secp384r1" },
 #endif
 #if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
- { POLARSSL_ECP_DP_SECP256R1, 23, 256, "secp256r1" },
+ { POLARSSL_ECP_DP_SECP256R1, 23, 256, "secp256r1" },
 #endif
 #if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
- { POLARSSL_ECP_DP_SECP224R1, 21, 224, "secp224r1" },
+ { POLARSSL_ECP_DP_SECP224R1, 21, 224, "secp224r1" },
 #endif
 #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
- { POLARSSL_ECP_DP_SECP192R1, 19, 192, "secp192r1" },
+ { POLARSSL_ECP_DP_SECP192R1, 19, 192, "secp192r1" },
 #endif
- { POLARSSL_ECP_DP_NONE, 0, 0, NULL },
+ { POLARSSL_ECP_DP_NONE, 0, 0, NULL },
 };
 
 /*
From cec4a53c9841f0a6d7735605733d8216c943b212 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 7 Oct 2013 19:52:27 +0200
Subject: [PATCH 03/13] Add domain parameters for Brainpool curves
---
 library/ecp.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
diff --git a/library/ecp.c b/library/ecp.c
index b344c81a3..ee7d4500f 100644
--- a/library/ecp.c
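Review bot: The new comment line cites `RFC 7071 sec. 2` for the TLS NamedCurve IDs, which looks like a typo for RFC 7027 — the document that assigns values 26–28 to brainpoolP256r1/384r1/512r1 and the one the test vectors in PATCH 05 name; it should read `* - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7027 sec. 2)`. Inserting the three Brainpool entries at the head of `ecp_supported_curves[]` also changes the table's order, which presumably drives the preference order offered and chosen in TLS, so Brainpool now wins over the NIST curves whenever both are enabled. If that is intended, say so in the commit message and above the array, e.g. `/* ordered by preference: highest priority first */`; otherwise the entries belong after secp521r1.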
+++ b/library/ecp.c 
@@ -655,6 +655,66 @@ cleanup: "FFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148" \ "F709A5D03BB5C9B8899C47AEBB6FB71E91386409" +/* + * Domain parameters for brainpoolP256r1 (RFC 5639 3.4) + */ +#define BP256R1_P \ + "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377" +#define BP256R1_A \ + "7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9" +#define BP256R1_B \ + "26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6" +#define BP256R1_GX \ + "8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262" +#define BP256R1_GY \ + "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997" +#define BP256R1_N \ + "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7" + +/* + * Domain parameters for brainpoolP384r1 (RFC 5639 3.6) + */ +#define BP384R1_P \ + "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB711" \ + "23ACD3A729901D1A71874700133107EC53" +#define BP384R1_A \ + "7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F9" \ + "0F8AA5814A503AD4EB04A8C7DD22CE2826" +#define BP384R1_B \ + "04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62" \ + "D57CB4390295DBC9943AB78696FA504C11" +#define BP384R1_GX \ + "1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10" \ + "E8E826E03436D646AAEF87B2E247D4AF1E" +#define BP384R1_GY \ + "8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129" \ + "280E4646217791811142820341263C5315" +#define BP384R1_N \ + "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425" \ + "A7CF3AB6AF6B7FC3103B883202E9046565" + +/* + * Domain parameters for brainpoolP512r1 (RFC 5639 3.7) + */ +#define BP512R1_P \ + "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308" \ + "717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3" +#define BP512R1_A \ + "7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863" \ + "BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA" +#define BP512R1_B \ + 
"3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117" \ + "A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723" +#define BP512R1_GX \ + "81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D009" \ + "8EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822" +#define BP512R1_GY \ + "7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F81" \ + "11B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892" +#define BP512R1_N \ + "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308" \ + "70553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069" + /* * Set a group using well-known domain parameters */ From a070ada6d4940de4174dbbad792ff900ec3e631a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 8 Oct 2013 12:04:56 +0200 Subject: [PATCH 04/13] Add brainpool curves to ecp_use_kown_dp() --- library/ecp.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 49 insertions(+), 5 deletions(-) diff --git a/library/ecp.c b/library/ecp.c index ee7d4500f..9f60971e1 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -172,6 +172,7 @@ void ecp_group_free( ecp_group *grp ) return; mpi_free( &grp->P ); + mpi_free( &grp->A ); mpi_free( &grp->B ); ecp_point_free( &grp->G ); mpi_free( &grp->N ); @@ -262,15 +263,16 @@ cleanup: } /* - * Import an ECP group from ASCII strings + * Import an ECP group from ASCII strings, general case (A used) */ -int ecp_group_read_string( ecp_group *grp, int radix, - const char *p, const char *b, +static int ecp_group_read_string_gen( ecp_group *grp, int radix, + const char *p, const char *a, const char *b, const char *gx, const char *gy, const char *n) { int ret; MPI_CHK( mpi_read_string( &grp->P, radix, p ) ); + MPI_CHK( mpi_read_string( &grp->A, radix, a ) ); MPI_CHK( mpi_read_string( &grp->B, radix, b ) ); MPI_CHK( ecp_point_read_string( &grp->G, radix, gx, gy ) ); MPI_CHK( mpi_read_string( &grp->N, radix, n ) ); 
@@ -279,6 +281,23 @@ int ecp_group_read_string( ecp_group *grp, int radix, grp->nbits = mpi_msb( &grp->N ); cleanup: + if( ret != 0 ) + ecp_group_free( grp ); + + return( ret ); +} + +/* + * Import an ECP group from ASCII strings, case A == -3 (A cleared) + */ +int ecp_group_read_string( ecp_group *grp, int radix, + const char *p, const char *b, + const char *gx, const char *gy, const char *n) +{ + int ret = ecp_group_read_string_gen( grp, radix, p, "00", b, gx, gy, n ); + + mpi_free( &grp->A ); + return( ret ); } @@ -761,8 +780,29 @@ int ecp_use_known_dp( ecp_group *grp, ecp_group_id id ) SECP521R1_GX, SECP521R1_GY, SECP521R1_N ) ); #endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */ +#if defined(POLARSSL_ECP_DP_BP256R1_ENABLED) + case POLARSSL_ECP_DP_BP256R1: + return( ecp_group_read_string_gen( grp, 16, + BP256R1_P, BP256R1_A, BP256R1_B, + BP256R1_GX, BP256R1_GY, BP256R1_N ) ); +#endif /* POLARSSL_ECP_DP_BP256R1_ENABLED */ + +#if defined(POLARSSL_ECP_DP_BP384R1_ENABLED) + case POLARSSL_ECP_DP_BP384R1: + return( ecp_group_read_string_gen( grp, 16, + BP384R1_P, BP384R1_A, BP384R1_B, + BP384R1_GX, BP384R1_GY, BP384R1_N ) ); +#endif /* POLARSSL_ECP_DP_BP384R1_ENABLED */ + +#if defined(POLARSSL_ECP_DP_BP512R1_ENABLED) + case POLARSSL_ECP_DP_BP512R1: + return( ecp_group_read_string_gen( grp, 16, + BP512R1_P, BP512R1_A, BP512R1_B, + BP512R1_GX, BP512R1_GY, BP512R1_N ) ); +#endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */ + default: - grp->id = POLARSSL_ECP_DP_NONE; + ecp_group_free( grp ); return( POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE ); } } @@ -1016,7 +1056,7 @@ cleanup: /* - * Point doubling R = 2 P, Jacobian coordinates (GECC 3.21) + * Point doubling R = 2 P, Jacobian coordinates with a == -3 (GECC 3.21) */ static int ecp_double_jac( const ecp_group *grp, ecp_point *R, const ecp_point *P ) 
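Review bot: `ecp_group_read_string()` parses the string `"00"` into `grp->A` only to `mpi_free( &grp->A )` it on the next line, which is a roundabout way to reach the `A.p == NULL` state that the rest of the module reads as A = -3, and it also runs that free after a failed `_gen` call has already executed `ecp_group_free( grp )` (harmless if mpi_free is idempotent, which this hunk does not show). Simpler is to let the helper accept a missing A, `if( a != NULL ) MPI_CHK( mpi_read_string( &grp->A, radix, a ) );`, have the wrapper pass `NULL` instead of `"00"`, and drop the trailing free. A comment on the wrapper should then spell out the contract, e.g. `/* A is left unset (A.p == NULL), which the module treats as A = -3 */`. The body of `ecp_group_read_string_gen()` starts in the previous hunk, outside this one.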
@@ -1024,6 +1064,10 @@ static int ecp_double_jac( const ecp_group *grp, ecp_point *R, int ret; mpi T1, T2, T3, X, Y, Z; + /* We can't handle A != -3 yet */ + if( grp->A.p != NULL ) + return( POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE ); + #if defined(POLARSSL_SELF_TEST) dbl_count++; #endif From 43545c8b4fe28fdef3126e8be901acd3ec6267c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 8 Oct 2013 12:44:27 +0200 Subject: [PATCH 05/13] Add test vectors for brainpool curves --- tests/suites/test_suite_ecp.data | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index 1b4d14afc..9eb302b5b 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data @@ -281,5 +281,17 @@ ECP test vectors secp521r1 rfc 5114 depends_on:POLARSSL_ECP_DP_SECP521R1_ENABLED ecp_test_vect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test vectors brainpoolP256r1 rfc 7027 +depends_on:POLARSSL_ECP_DP_BP256R1_ENABLED +ecp_test_vect:POLARSSL_ECP_DP_BP256R1:"81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D":"44106E913F92BC02A1705D9953A8414DB95E1AAA49E81D9E85F929A8E3100BE5":"8AB4846F11CACCB73CE49CBDD120F5A900A69FD32C272223F789EF10EB089BDC":"55E40BC41E37E3E2AD25C3C6654511FFA8474A91A0032087593852D3E7D76BD3":"8D2D688C6CF93E1160AD04CC4429117DC2C41825E1E9FCA0ADDD34E6F1B39F7B":"990C57520812BE512641E47034832106BC7D3E8DD0E4C7F1136D7006547CEC6A":"89AFC39D41D3B327814B80940B042590F96556EC91E6AE7939BCE31F3A18BF2B":"49C27868F4ECA2179BFD7D59B1E3BF34C1DBDE61AE12931648F43E59632504DE" + +ECP test vectors brainpoolP384r1 rfc 7027 +depends_on:POLARSSL_ECP_DP_BP384R1_ENABLED +ecp_test_vect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test vectors brainpoolP512r1 rfc 7027 +depends_on:POLARSSL_ECP_DP_BP512R1_ENABLED +ecp_test_vect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selftest ecp_selftest: 
From cd7458aafd862b2764e592b8f89d0cfc2ef0734f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 8 Oct 2013 13:11:30 +0200
Subject: [PATCH 06/13] Support brainpool curves in ecp_check_pubkey()
---
 include/polarssl/ecp.h | 33 ++++++++++++++++++---------------
 library/ecp.c | 20 ++++++++++++------
 2 files changed, 32 insertions(+), 21 deletions(-)
diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index 72e843c51..ef9836153 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -105,6 +105,9 @@ ecp_point;
 * The curves we consider are defined by y^2 = x^3 + A x + B mod P,
 * and a generator for a large subgroup of order N is fixed.
 *
+ * If A is not set (ie A.p == NULL) then the value A = -3 is assumed,
+ * which allows the used of slightly faster point doubling formulas.
+ *
 * pbits and nbits must be the size of P and N in bits.
 *
 * If modp is NULL, reduction modulo P is done using a generic algorithm.
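Review bot: Two typos in the added comment lines: `the used of slightly faster` should be `the use of slightly faster`, and `(ie A.p == NULL)` reads better as `(i.e. A.p == NULL)`. Since this paragraph is now the only documentation of the unset-A-means-minus-3 convention that ecp.c branches on, it is also worth saying how a caller returns to that state, e.g. `Freeing A with mpi_free() restores the A = -3 default.`, assuming mpi_free() resets `p` to NULL as the convention requires.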
@@ -116,21 +119,21 @@ ecp_point; */ typedef struct { - ecp_group_id id; /*!< internal group identifier */ - mpi P; /*!< prime modulus of the base field */ - mpi A; /*!< currently unused (-3 assumed) */ - mpi B; /*!< constant term in the equation */ - ecp_point G; /*!< generator of the subgroup used */ - mpi N; /*!< the order of G */ - size_t pbits; /*!< number of bits in P */ - size_t nbits; /*!< number of bits in N */ - unsigned int h; /*!< cofactor (unused now: assume 1) */ - int (*modp)(mpi *); /*!< function for fast reduction mod P */ - int (*t_pre)(ecp_point *, void *); /*!< currently unused */ - int (*t_post)(ecp_point *, void *); /*!< currently unused */ - void *t_data; /*!< currently unused */ - ecp_point *T; /*!< pre-computed points for ecp_mul() */ - size_t T_size; /*!< number for pre-computed points */ + ecp_group_id id; /*!< internal group identifier */ + mpi P; /*!< prime modulus of the base field */ + mpi A; /*!< linear term in the equation (default: -3) */ + mpi B; /*!< constant term in the equation */ + ecp_point G; /*!< generator of the subgroup used */ + mpi N; /*!< the order of G */ + size_t pbits; /*!< number of bits in P */ + size_t nbits; /*!< number of bits in N */ + unsigned int h; /*!< cofactor (unused now: assume 1) */ + int (*modp)(mpi *); /*!< function for fast reduction mod P */ + int (*t_pre)(ecp_point *, void *); /*!< currently unused */ + int (*t_post)(ecp_point *, void *); /*!< currently unused */ + void *t_data; /*!< currently unused */ + ecp_point *T; /*!< pre-computed points for ecp_mul() */ + size_t T_size; /*!< number for pre-computed points */ } ecp_group; diff --git a/library/ecp.c b/library/ecp.c index 9f60971e1..de7943d5b 100644 --- a/library/ecp.c +++ b/library/ecp.c 
@@ -1608,13 +1608,21 @@ int ecp_check_pubkey( const ecp_group *grp, const ecp_point *pt )
 
 /*
 * YY = Y^2
- * RHS = X (X^2 - 3) + B = X^3 - 3X + B
+ * RHS = X (X^2 + A) + B = X^3 + A X + B
+ * with, as usual, A = -3 if A is ommited
 */
- MPI_CHK( mpi_mul_mpi( &YY, &pt->Y, &pt->Y ) ); MOD_MUL( YY );
- MPI_CHK( mpi_mul_mpi( &RHS, &pt->X, &pt->X ) ); MOD_MUL( RHS );
- MPI_CHK( mpi_sub_int( &RHS, &RHS, 3 ) ); MOD_SUB( RHS );
- MPI_CHK( mpi_mul_mpi( &RHS, &RHS, &pt->X ) ); MOD_MUL( RHS );
- MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->B ) ); MOD_ADD( RHS );
+ MPI_CHK( mpi_mul_mpi( &YY, &pt->Y, &pt->Y ) ); MOD_MUL( YY );
+ MPI_CHK( mpi_mul_mpi( &RHS, &pt->X, &pt->X ) ); MOD_MUL( RHS );
+ if( grp->A.p == NULL )
+ {
+ MPI_CHK( mpi_add_int( &RHS, &RHS, -3 ) ); MOD_SUB( RHS );
+ }
+ else
+ {
+ MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->A ) ); MOD_ADD( RHS );
+ }
+ MPI_CHK( mpi_mul_mpi( &RHS, &RHS, &pt->X ) ); MOD_MUL( RHS );
+ MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->B ) ); MOD_ADD( RHS );
 
 if( mpi_cmp_mpi( &YY, &RHS ) != 0 )
 ret = POLARSSL_ERR_ECP_INVALID_KEY;
From 1c4aa24df159a9fd1b6484bfbcd1879a08ba4b97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3%A9gouri=C3=A9-Gonnard?=
Date: Wed, 9 Oct 2013 16:09:46 +0200
Subject: [PATCH 07/13] Add brainpool support for ecp_mul()
---
 library/ecp.c | 90 ++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 79 insertions(+), 11 deletions(-)
diff --git a/library/ecp.c b/library/ecp.c
index de7943d5b..59d399a69 100644
--- a/library/ecp.c
+++ b/library/ecp.c
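Review bot: The `grp->A.p == NULL` test that selects the A = -3 path is now spelled out here and again in `ecp_double_jac()` (PATCH 04, then the dispatcher in PATCH 07); a one-line `static int ecp_group_a_is_minus_3( const ecp_group *grp ) { return( grp->A.p == NULL ); }` would keep the sentinel encoding in one place and make it easier to audit that every formula honours it. The replacement of `mpi_sub_int( &RHS, &RHS, 3 )` by `mpi_add_int( &RHS, &RHS, -3 )` relies on mpi_add_int accepting a negative operand; the subtraction form was plainer and still matches the `MOD_SUB` that follows. The new comment also has a typo: `if A is ommited` should be `if A is omitted`.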
@@ -1054,24 +1054,15 @@ cleanup: return( ret ); } - /* * Point doubling R = 2 P, Jacobian coordinates with a == -3 (GECC 3.21) */ -static int ecp_double_jac( const ecp_group *grp, ecp_point *R, - const ecp_point *P ) +static int ecp_double_jac_am3( const ecp_group *grp, ecp_point *R, + const ecp_point *P ) { int ret; mpi T1, T2, T3, X, Y, Z; - /* We can't handle A != -3 yet */ - if( grp->A.p != NULL ) - return( POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE ); - -#if defined(POLARSSL_SELF_TEST) - dbl_count++; -#endif - if( mpi_cmp_int( &P->Z, 0 ) == 0 ) return( ecp_set_zero( R ) ); 
@@ -1116,6 +1107,83 @@ cleanup: return( ret ); } +/* + * Point doubling R = 2 P, Jacobian coordinates with general A + * http://www.hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian/doubling/dbl-2007-bl.op3 + */ +static int ecp_double_jac_gen( const ecp_group *grp, ecp_point *R, + const ecp_point *P ) +{ + int ret; + mpi XX, YY, YYYY, ZZ, t0, t1, t2, t3, S, t4, t5, t6, M, t7, t8, T, X3, t9, + t10, t11, Y3, t12, t13, t14, Z3; + + mpi_init( &XX ); mpi_init( &YY ); mpi_init( &YYYY ); mpi_init( &ZZ ); + mpi_init( &t0 ); mpi_init( &t1 ); mpi_init( &t2 ); mpi_init( &t3 ); + mpi_init( &S ); mpi_init( &t4 ); mpi_init( &t5 ); mpi_init( &t6 ); + mpi_init( &M ); mpi_init( &t7 ); mpi_init( &t8 ); mpi_init( &T ); + mpi_init( &X3 ); mpi_init( &t9 ); mpi_init( &t10 ); mpi_init( &t11 ); + mpi_init( &Y3 ); mpi_init( &t12 ); mpi_init( &t13 ); mpi_init( &t14 ); + mpi_init( &Z3 ); + + MPI_CHK( mpi_mul_mpi( &XX, &P->X, &P->X ) ); MOD_MUL( XX ); + MPI_CHK( mpi_mul_mpi( &YY, &P->Y, &P->Y ) ); MOD_MUL( YY ); + MPI_CHK( mpi_mul_mpi( &YYYY, &YY, &YY ) ); MOD_MUL( YYYY ); + MPI_CHK( mpi_mul_mpi( &ZZ, &P->Z, &P->Z ) ); MOD_MUL( ZZ ); + MPI_CHK( mpi_add_mpi( &t0, &P->X, &YY ) ); MOD_ADD( t0 ); + MPI_CHK( mpi_mul_mpi( &t1, &t0, &t0 ) ); MOD_MUL( t1 ); + MPI_CHK( mpi_sub_mpi( &t2, &t1, &XX ) ); MOD_SUB( t2 ); + MPI_CHK( mpi_sub_mpi( &t3, &t2, &YYYY ) ); MOD_SUB( t3 ); + MPI_CHK( mpi_mul_int( &S, &t3, 2 ) ); MOD_ADD( S ); + MPI_CHK( mpi_mul_mpi( &t4, &ZZ, &ZZ ) ); MOD_MUL( t4 ); + MPI_CHK( mpi_mul_mpi( &t5, &t4, &grp->A ) ); MOD_MUL( t5 ); + MPI_CHK( mpi_mul_int( &t6, &XX, 3 ) ); MOD_ADD( t6 ); + MPI_CHK( mpi_add_mpi( &M, &t6, &t5 ) ); MOD_ADD( M ); + MPI_CHK( mpi_mul_mpi( &t7, &M, &M ) ); MOD_MUL( t7 ); + MPI_CHK( mpi_mul_int( &t8, &S, 2 ) ); MOD_ADD( t8 ); + MPI_CHK( mpi_sub_mpi( &T, &t7, &t8 ) ); MOD_SUB( T ); + MPI_CHK( mpi_copy( &X3, &T ) ); + MPI_CHK( mpi_sub_mpi( &t9, &S, &T ) ); MOD_SUB( t9 ); + MPI_CHK( mpi_mul_int( &t10, &YYYY, 8 ) ); MOD_ADD( t10 ); + MPI_CHK( mpi_mul_mpi( &t11, &M, 
&t9 ) ); MOD_MUL( t11 ); + MPI_CHK( mpi_sub_mpi( &Y3, &t11, &t10 ) ); MOD_SUB( Y3 ); + MPI_CHK( mpi_add_mpi( &t12, &P->Y, &P->Z ) ); MOD_ADD( t12 ); + MPI_CHK( mpi_mul_mpi( &t13, &t12, &t12 ) ); MOD_MUL( t13 ); + MPI_CHK( mpi_sub_mpi( &t14, &t13, &YY ) ); MOD_SUB( t14 ); + MPI_CHK( mpi_sub_mpi( &Z3, &t14, &ZZ ) ); MOD_SUB( Z3 ); + + MPI_CHK( mpi_copy( &R->X, &X3 ) ); + MPI_CHK( mpi_copy( &R->Y, &Y3 ) ); + MPI_CHK( mpi_copy( &R->Z, &Z3 ) ); + +cleanup: + mpi_free( &XX ); mpi_free( &YY ); mpi_free( &YYYY ); mpi_free( &ZZ ); + mpi_free( &t0 ); mpi_free( &t1 ); mpi_free( &t2 ); mpi_free( &t3 ); + mpi_free( &S ); mpi_free( &t4 ); mpi_free( &t5 ); mpi_free( &t6 ); + mpi_free( &M ); mpi_free( &t7 ); mpi_free( &t8 ); mpi_free( &T ); + mpi_free( &X3 ); mpi_free( &t9 ); mpi_free( &t10 ); mpi_free( &t11 ); + mpi_free( &Y3 ); mpi_free( &t12 ); mpi_free( &t13 ); mpi_free( &t14 ); + mpi_free( &Z3 ); + + return( ret ); +} + +/* + * Point doubling R = 2 P, dispatcher function + */ +static int ecp_double_jac( const ecp_group *grp, ecp_point *R, + const ecp_point *P ) +{ +#if defined(POLARSSL_SELF_TEST) + dbl_count++; +#endif + + if( grp->A.p != NULL ) + return( ecp_double_jac_gen( grp, R, P ) ); + else + return( ecp_double_jac_am3( grp, R, P ) ); +} + /* * Addition or subtraction: R = P + Q or R = P + Q, * mixed affine-Jacobian coordinates (GECC 3.22) From 0ace4b3154e88b1ddf5347363e07ed6f1f6d2407 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 10 Oct 2013 12:44:27 +0200 Subject: [PATCH 08/13] Use much less variables in ecp_double_jac_gen() --- library/ecp.c | 74 +++++++++++++++++++++++---------------------------- 1 file changed, 33 insertions(+), 41 deletions(-) diff --git a/library/ecp.c b/library/ecp.c index 59d399a69..2eb57fa97 100644 --- a/library/ecp.c +++ b/library/ecp.c 
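Review bot: `ecp_double_jac_gen()` has no early return for the point at infinity, while `ecp_double_jac_am3()` keeps its `if( mpi_cmp_int( &P->Z, 0 ) == 0 ) return( ecp_set_zero( R ) );` guard. With Z = 0 the sequence still yields Z3 = (Y+Z)^2 - YY - ZZ = 0, so R remains a representation of infinity, but it may not be the normal form ecp_set_zero() produces and the full field-operation sequence is spent for nothing. Hoisting that guard into the new `ecp_double_jac()` dispatcher, ahead of the `grp->A.p != NULL` branch, gives both variants identical behaviour; the same omission carries into the rewrite of this function in PATCH 08. A short comment naming the formula's key quantities would also help readers check the steps against the EFD page cited, e.g. `/* dbl-2007-bl: S = 2((X+YY)^2 - XX - YYYY), M = 3 XX + a ZZ^2 */`.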
@@ -1109,61 +1109,53 @@ cleanup: /* * Point doubling R = 2 P, Jacobian coordinates with general A + * * http://www.hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian/doubling/dbl-2007-bl.op3 + * with heavy variable renaming, some reordering and one minor modification + * (a = 2 * b, c = d - 2a replaced with c = d, c = c - b, c = c - b) + * in order to use a lot less intermediate variables (6 vs 25). */ static int ecp_double_jac_gen( const ecp_group *grp, ecp_point *R, const ecp_point *P ) { int ret; - mpi XX, YY, YYYY, ZZ, t0, t1, t2, t3, S, t4, t5, t6, M, t7, t8, T, X3, t9, - t10, t11, Y3, t12, t13, t14, Z3; + mpi T1, T2, T3, X3, Y3, Z3; - mpi_init( &XX ); mpi_init( &YY ); mpi_init( &YYYY ); mpi_init( &ZZ ); - mpi_init( &t0 ); mpi_init( &t1 ); mpi_init( &t2 ); mpi_init( &t3 ); - mpi_init( &S ); mpi_init( &t4 ); mpi_init( &t5 ); mpi_init( &t6 ); - mpi_init( &M ); mpi_init( &t7 ); mpi_init( &t8 ); mpi_init( &T ); - mpi_init( &X3 ); mpi_init( &t9 ); mpi_init( &t10 ); mpi_init( &t11 ); - mpi_init( &Y3 ); mpi_init( &t12 ); mpi_init( &t13 ); mpi_init( &t14 ); - mpi_init( &Z3 ); + mpi_init( &T1 ); mpi_init( &T2 ); mpi_init( &T3 ); + mpi_init( &X3 ); mpi_init( &Y3 ); mpi_init( &Z3 ); - MPI_CHK( mpi_mul_mpi( &XX, &P->X, &P->X ) ); MOD_MUL( XX ); - MPI_CHK( mpi_mul_mpi( &YY, &P->Y, &P->Y ) ); MOD_MUL( YY ); - MPI_CHK( mpi_mul_mpi( &YYYY, &YY, &YY ) ); MOD_MUL( YYYY ); - MPI_CHK( mpi_mul_mpi( &ZZ, &P->Z, &P->Z ) ); MOD_MUL( ZZ ); - MPI_CHK( mpi_add_mpi( &t0, &P->X, &YY ) ); MOD_ADD( t0 ); - MPI_CHK( mpi_mul_mpi( &t1, &t0, &t0 ) ); MOD_MUL( t1 ); - MPI_CHK( mpi_sub_mpi( &t2, &t1, &XX ) ); MOD_SUB( t2 ); - MPI_CHK( mpi_sub_mpi( &t3, &t2, &YYYY ) ); MOD_SUB( t3 ); - MPI_CHK( mpi_mul_int( &S, &t3, 2 ) ); MOD_ADD( S ); - MPI_CHK( mpi_mul_mpi( &t4, &ZZ, &ZZ ) ); MOD_MUL( t4 ); - MPI_CHK( mpi_mul_mpi( &t5, &t4, &grp->A ) ); MOD_MUL( t5 ); - MPI_CHK( mpi_mul_int( &t6, &XX, 3 ) ); MOD_ADD( t6 ); - MPI_CHK( mpi_add_mpi( &M, &t6, &t5 ) ); MOD_ADD( M ); - MPI_CHK( mpi_mul_mpi( &t7, &M, 
&M ) ); MOD_MUL( t7 ); - MPI_CHK( mpi_mul_int( &t8, &S, 2 ) ); MOD_ADD( t8 ); - MPI_CHK( mpi_sub_mpi( &T, &t7, &t8 ) ); MOD_SUB( T ); - MPI_CHK( mpi_copy( &X3, &T ) ); - MPI_CHK( mpi_sub_mpi( &t9, &S, &T ) ); MOD_SUB( t9 ); - MPI_CHK( mpi_mul_int( &t10, &YYYY, 8 ) ); MOD_ADD( t10 ); - MPI_CHK( mpi_mul_mpi( &t11, &M, &t9 ) ); MOD_MUL( t11 ); - MPI_CHK( mpi_sub_mpi( &Y3, &t11, &t10 ) ); MOD_SUB( Y3 ); - MPI_CHK( mpi_add_mpi( &t12, &P->Y, &P->Z ) ); MOD_ADD( t12 ); - MPI_CHK( mpi_mul_mpi( &t13, &t12, &t12 ) ); MOD_MUL( t13 ); - MPI_CHK( mpi_sub_mpi( &t14, &t13, &YY ) ); MOD_SUB( t14 ); - MPI_CHK( mpi_sub_mpi( &Z3, &t14, &ZZ ) ); MOD_SUB( Z3 ); + MPI_CHK( mpi_mul_mpi( &T3, &P->X, &P->X ) ); MOD_MUL( T3 ); + MPI_CHK( mpi_mul_mpi( &T2, &P->Y, &P->Y ) ); MOD_MUL( T2 ); + MPI_CHK( mpi_mul_mpi( &Y3, &T2, &T2 ) ); MOD_MUL( Y3 ); + MPI_CHK( mpi_add_mpi( &X3, &P->X, &T2 ) ); MOD_ADD( X3 ); + MPI_CHK( mpi_mul_mpi( &X3, &X3, &X3 ) ); MOD_MUL( X3 ); + MPI_CHK( mpi_sub_mpi( &X3, &X3, &Y3 ) ); MOD_SUB( X3 ); + MPI_CHK( mpi_sub_mpi( &X3, &X3, &T3 ) ); MOD_SUB( X3 ); + MPI_CHK( mpi_mul_int( &T1, &X3, 2 ) ); MOD_ADD( T1 ); + MPI_CHK( mpi_mul_mpi( &Z3, &P->Z, &P->Z ) ); MOD_MUL( Z3 ); + MPI_CHK( mpi_mul_mpi( &X3, &Z3, &Z3 ) ); MOD_MUL( X3 ); + MPI_CHK( mpi_mul_int( &T3, &T3, 3 ) ); MOD_ADD( T3 ); + MPI_CHK( mpi_mul_mpi( &X3, &X3, &grp->A ) ); MOD_MUL( X3 ); + MPI_CHK( mpi_add_mpi( &T3, &T3, &X3 ) ); MOD_ADD( T3 ); + MPI_CHK( mpi_mul_mpi( &X3, &T3, &T3 ) ); MOD_MUL( X3 ); + MPI_CHK( mpi_sub_mpi( &X3, &X3, &T1 ) ); MOD_SUB( X3 ); + MPI_CHK( mpi_sub_mpi( &X3, &X3, &T1 ) ); MOD_SUB( X3 ); + MPI_CHK( mpi_sub_mpi( &T1, &T1, &X3 ) ); MOD_SUB( T1 ); + MPI_CHK( mpi_mul_mpi( &T1, &T3, &T1 ) ); MOD_MUL( T1 ); + MPI_CHK( mpi_mul_int( &T3, &Y3, 8 ) ); MOD_ADD( T3 ); + MPI_CHK( mpi_sub_mpi( &Y3, &T1, &T3 ) ); MOD_SUB( Y3 ); + MPI_CHK( mpi_add_mpi( &T1, &P->Y, &P->Z ) ); MOD_ADD( T1 ); + MPI_CHK( mpi_mul_mpi( &T1, &T1, &T1 ) ); MOD_MUL( T1 ); + MPI_CHK( mpi_sub_mpi( &T1, &T1, &T2 ) ); MOD_SUB( T1 ); 
+ MPI_CHK( mpi_sub_mpi( &Z3, &T1, &Z3 ) ); MOD_SUB( Z3 ); MPI_CHK( mpi_copy( &R->X, &X3 ) ); MPI_CHK( mpi_copy( &R->Y, &Y3 ) ); MPI_CHK( mpi_copy( &R->Z, &Z3 ) ); cleanup: - mpi_free( &XX ); mpi_free( &YY ); mpi_free( &YYYY ); mpi_free( &ZZ ); - mpi_free( &t0 ); mpi_free( &t1 ); mpi_free( &t2 ); mpi_free( &t3 ); - mpi_free( &S ); mpi_free( &t4 ); mpi_free( &t5 ); mpi_free( &t6 ); - mpi_free( &M ); mpi_free( &t7 ); mpi_free( &t8 ); mpi_free( &T ); - mpi_free( &X3 ); mpi_free( &t9 ); mpi_free( &t10 ); mpi_free( &t11 ); - mpi_free( &Y3 ); mpi_free( &t12 ); mpi_free( &t13 ); mpi_free( &t14 ); - mpi_free( &Z3 ); + mpi_free( &T1 ); mpi_free( &T2 ); mpi_free( &T3 ); + mpi_free( &X3 ); mpi_free( &Y3 ); mpi_free( &Z3 ); return( ret ); } From 201401646e45406d6d6c87fb0c12ada3f2addcd7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 10 Oct 2013 12:48:03 +0200 Subject: [PATCH 09/13] Fix a few selftest typos --- tests/suites/test_suite_aes.function | 2 +- tests/suites/test_suite_arc4.function | 2 +- tests/suites/test_suite_base64.function | 2 +- tests/suites/test_suite_camellia.function | 2 +- tests/suites/test_suite_cipher.function | 2 +- tests/suites/test_suite_des.function | 2 +- tests/suites/test_suite_dhm.function | 2 +- tests/suites/test_suite_ecp.function | 2 +- tests/suites/test_suite_gcm.function | 2 +- tests/suites/test_suite_mdx.function | 6 +++--- tests/suites/test_suite_mpi.function | 2 +- tests/suites/test_suite_rsa.function | 2 +- tests/suites/test_suite_shax.function | 6 +++--- tests/suites/test_suite_x509parse.function | 2 +- tests/suites/test_suite_xtea.function | 2 +- 15 files changed, 19 insertions(+), 19 deletions(-) diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function index 051264e11..e5386bdf1 100644 --- a/tests/suites/test_suite_aes.function +++ b/tests/suites/test_suite_aes.function 
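Review bot: The register-reuse rewrite is hard to audit against the cited EFD formula because `X3` is used as scratch for three different quantities (the squared sum, then ZZ^2, then a*ZZ^2) before it becomes the output coordinate, and `T3` holds XX and later M. A trailing comment naming the EFD variable on each line (`/* XX */`, `/* YYYY */`, `/* S */`, `/* M */`, `/* T */`, `/* 8 YYYY */`) would let a reviewer verify the mapping line by line; I traced it and it does match dbl-2007-bl with the 2S subtraction split as the header comment describes. The missing Z == 0 guard raised on PATCH 07 still applies to this version.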
@@ -197,7 +197,7 @@ void aes_decrypt_cfb128( char *hex_key_string, char *hex_iv_string, } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void aes_selftest() { TEST_ASSERT( aes_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_arc4.function b/tests/suites/test_suite_arc4.function index 759b0c2fa..73df59e53 100644 --- a/tests/suites/test_suite_arc4.function +++ b/tests/suites/test_suite_arc4.function @@ -34,7 +34,7 @@ void arc4_crypt( char *hex_src_string, char *hex_key_string, } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void arc4_selftest() { TEST_ASSERT( arc4_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_base64.function b/tests/suites/test_suite_base64.function index 6ac2f31ec..27b6c134c 100644 --- a/tests/suites/test_suite_base64.function +++ b/tests/suites/test_suite_base64.function @@ -47,7 +47,7 @@ void base64_decode( char *src_string, char *dst_string, int result ) } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void base64_selftest() { TEST_ASSERT( base64_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_camellia.function b/tests/suites/test_suite_camellia.function index 55f6e7a46..59785d2b6 100644 --- a/tests/suites/test_suite_camellia.function +++ b/tests/suites/test_suite_camellia.function @@ -197,7 +197,7 @@ void camellia_decrypt_cfb128( char *hex_key_string, char *hex_iv_string, } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void camellia_selftest() { TEST_ASSERT( camellia_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 81188ae43..b8f1df3d9 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function 
@@ -487,7 +487,7 @@ void check_padding( int pad_mode, char *input_str, int ret, int dlen_check ) } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void cipher_selftest() { TEST_ASSERT( cipher_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_des.function b/tests/suites/test_suite_des.function index 5c5c1c907..ee327c917 100644 --- a/tests/suites/test_suite_des.function +++ b/tests/suites/test_suite_des.function @@ -314,7 +314,7 @@ void des_key_parity_run() } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void des_selftest() { TEST_ASSERT( des_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_dhm.function b/tests/suites/test_suite_dhm.function index 6161b4c86..d66998ffe 100644 --- a/tests/suites/test_suite_dhm.function +++ b/tests/suites/test_suite_dhm.function @@ -97,7 +97,7 @@ void dhm_do_dhm( int radix_P, char *input_P, } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void dhm_selftest() { TEST_ASSERT( dhm_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index 11221a158..6981f47d3 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -515,7 +515,7 @@ void ecp_gen_keypair( int id ) } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void ecp_selftest() { TEST_ASSERT( ecp_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_gcm.function b/tests/suites/test_suite_gcm.function index 349945ad2..b131e7afb 100644 --- a/tests/suites/test_suite_gcm.function +++ b/tests/suites/test_suite_gcm.function 
@@ -108,7 +108,7 @@ void gcm_decrypt_and_verify( char *hex_key_string, char *hex_src_string, } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void gcm_selftest() { TEST_ASSERT( gcm_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_mdx.function b/tests/suites/test_suite_mdx.function index 649a711bd..e9a834740 100644 --- a/tests/suites/test_suite_mdx.function +++ b/tests/suites/test_suite_mdx.function @@ -187,21 +187,21 @@ void md5_file( char *filename, char *hex_hash_string ) } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_MD2_C:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_MD2_C:POLARSSL_SELF_TEST */ void md2_selftest() { TEST_ASSERT( md2_self_test( 0 ) == 0 ); } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_MD4_C:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_MD4_C:POLARSSL_SELF_TEST */ void md4_selftest() { TEST_ASSERT( md4_self_test( 0 ) == 0 ); } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_MD5_C:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_MD5_C:POLARSSL_SELF_TEST */ void md5_selftest() { TEST_ASSERT( md5_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index 728574990..e08b48d09 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -681,7 +681,7 @@ void mpi_shift_r( int radix_X, char *input_X, int shift_X, int radix_A, } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void mpi_selftest() { TEST_ASSERT( mpi_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 9bc8a24bf..29651ccea 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function 
@@ -532,7 +532,7 @@ void rsa_gen_key( int nrbits, int exponent, int result) } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void rsa_selftest() { TEST_ASSERT( rsa_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_shax.function b/tests/suites/test_suite_shax.function index 64498816b..73190dcb1 100644 --- a/tests/suites/test_suite_shax.function +++ b/tests/suites/test_suite_shax.function @@ -189,21 +189,21 @@ void sha512_file( char *filename, char *hex_hash_string ) } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SHA1_C:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SHA1_C:POLARSSL_SELF_TEST */ void sha1_selftest() { TEST_ASSERT( sha1_self_test( 0 ) == 0 ); } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SHA256_C:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SHA256_C:POLARSSL_SELF_TEST */ void sha256_selftest() { TEST_ASSERT( sha256_self_test( 0 ) == 0 ); } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SHA512_C:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SHA512_C:POLARSSL_SELF_TEST */ void sha512_selftest() { TEST_ASSERT( sha512_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 2add9e3c9..ff5705866 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -224,7 +224,7 @@ void x509parse_crl( char *crl_data, char *result_str, int result ) } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_X509_CRT_PARSE_C:POLARSSL_SELF_TEST */ void x509_selftest() { TEST_ASSERT( x509_self_test( 0 ) == 0 ); diff --git a/tests/suites/test_suite_xtea.function b/tests/suites/test_suite_xtea.function index fd6189c8f..091752fdc 100644 --- a/tests/suites/test_suite_xtea.function +++ b/tests/suites/test_suite_xtea.function 
@@ -59,7 +59,7 @@ void xtea_decrypt_ecb( char *hex_key_string, char *hex_src_string, } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_SELFTEST_C */ +/* BEGIN_CASE depends_on:POLARSSL_SELF_TEST */ void xtea_selftest() { TEST_ASSERT( xtea_self_test( 0 ) == 0 ); From 22f64c8a9a7b3c3c33c343228414d1595e45c4e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 10 Oct 2013 13:11:20 +0200 Subject: [PATCH 10/13] Cosmetics in benchmark --- programs/test/benchmark.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index c7f7f8290..4cebd14b1 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -50,8 +50,8 @@ #include "polarssl/ecdh.h" #define BUFSIZE 1024 -#define HEADER_FORMAT " %-16s : " -#define TITLE_LEN 17 +#define HEADER_FORMAT " %-18s : " +#define TITLE_LEN 19 #if !defined(POLARSSL_TIMING_C) int main( int argc, char *argv[] ) From 48ac3db551a8a606aabb3e1d9ae393b9f14d836a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 10 Oct 2013 15:11:33 +0200 Subject: [PATCH 11/13] Add OIDs for brainpool curves --- include/polarssl/oid.h | 21 ++++++++++++++++++++- library/oid.c | 12 ++++++++++++ tests/data_files/ec_bp256_prv.pem | 5 +++++ tests/data_files/ec_bp256_pub.pem | 4 ++++ tests/data_files/ec_bp384_prv.pem | 6 ++++++ tests/data_files/ec_bp384_pub.pem | 5 +++++ tests/data_files/ec_bp512_prv.pem | 7 +++++++ tests/data_files/ec_bp512_pub.pem | 6 ++++++ tests/suites/test_suite_pkparse.data | 24 ++++++++++++++++++++++++ 9 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 tests/data_files/ec_bp256_prv.pem create mode 100644 tests/data_files/ec_bp256_pub.pem create mode 100644 tests/data_files/ec_bp384_prv.pem create mode 100644 tests/data_files/ec_bp384_pub.pem create mode 100644 tests/data_files/ec_bp512_prv.pem create mode 100644 tests/data_files/ec_bp512_pub.pem 
diff --git a/include/polarssl/oid.h b/include/polarssl/oid.h index 20bacae1b..85ab04c21 100644 --- a/include/polarssl/oid.h +++ b/include/polarssl/oid.h @@ -74,6 +74,8 @@ #define OID_OIW_SECSIG_SHA1 OID_OIW_SECSIG_ALG "\x1a" #define OID_ORG_CERTICOM "\x81\x04" /* certicom(132) */ #define OID_CERTICOM OID_ISO_IDENTIFIED_ORG OID_ORG_CERTICOM +#define OID_ORG_TELETRUST "\x24" /* teletrust(36) */ +#define OID_TELETRUST OID_ISO_IDENTIFIED_ORG OID_ORG_TELETRUST /* * ISO ITU OID parts @@ -258,7 +260,7 @@ #define OID_EC_ALG_ECDH OID_CERTICOM "\x01\x0c" /* - * ECParameters namedCurve identifiers, from RFC 5480 + * ECParameters namedCurve identifiers, from RFC 5480 and RFC 5639 */ /* secp192r1 OBJECT IDENTIFIER ::= { @@ -281,6 +283,23 @@ * iso(1) identified-organization(3) certicom(132) curve(0) 35 } */ #define OID_EC_GRP_SECP521R1 OID_CERTICOM "\x00\x23" +/* RFC 5639 4.1 + * ecStdCurvesAndGeneration OBJECT IDENTIFIER::= {iso(1) + * identified-organization(3) teletrust(36) algorithm(3) signature- + * algorithm(3) ecSign(2) 8} + * ellipticCurve OBJECT IDENTIFIER ::= {ecStdCurvesAndGeneration 1} + * versionOne OBJECT IDENTIFIER ::= {ellipticCurve 1} */ +#define OID_EC_BRAINPOOL_V1 OID_TELETRUST "\x03\x03\x02\x08\x01\x01" + +/* brainpoolP256r1 OBJECT IDENTIFIER ::= {versionOne 7} */ +#define OID_EC_GRP_BP256R1 OID_EC_BRAINPOOL_V1 "\x07" + +/* brainpoolP384r1 OBJECT IDENTIFIER ::= {versionOne 11} */ +#define OID_EC_GRP_BP384R1 OID_EC_BRAINPOOL_V1 "\x0B" + +/* brainpoolP512r1 OBJECT IDENTIFIER ::= {versionOne 13} */ +#define OID_EC_GRP_BP512R1 OID_EC_BRAINPOOL_V1 "\x0D" + /* * ECDSA signature identifers, from RFC 5480 */ diff --git a/library/oid.c b/library/oid.c index 485fd4cc1..c9cfe4842 100644 --- a/library/oid.c +++ b/library/oid.c 
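Review bot: The two new fragments `"\x0B"` and `"\x0D"` in the brainpoolP384r1/P512r1 definitions use upper-case hex escapes while every other OID fragment in this file is written lower-case (`"\x1a"`, `"\x0c"`, `"\x23"`); use `"\x0b"` and `"\x0d"` so the table stays uniform. The arc itself is correct: `OID_TELETRUST "\x03\x03\x02\x08\x01\x01"` encodes 1.3.36.3.3.2.8.1.1 and the 7/11/13 suffixes match RFC 5639, and the `ec_bp256_pub.pem` fixture added later in this series carries the same bytes (2b 24 03 03 02 08 01 01 07). The RFC 5639 citation would also read better as a block comment in the same shape as the secp521r1 comment just above it, with the closing `*/` on its own line instead of trailing the `versionOne` line.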
@@ -405,6 +405,18 @@ static const oid_ecp_grp_t oid_ecp_grp[] = { ADD_LEN( OID_EC_GRP_SECP521R1 ), "secp521r1", "secp521r1" }, POLARSSL_ECP_DP_SECP521R1, }, + { + { ADD_LEN( OID_EC_GRP_BP256R1 ), "brainpoolP256r1","brainpool256r1" }, + POLARSSL_ECP_DP_BP256R1, + }, + { + { ADD_LEN( OID_EC_GRP_BP384R1 ), "brainpoolP384r1","brainpool384r1" }, + POLARSSL_ECP_DP_BP384R1, + }, + { + { ADD_LEN( OID_EC_GRP_BP512R1 ), "brainpoolP512r1","brainpool512r1" }, + POLARSSL_ECP_DP_BP512R1, + }, { { NULL, 0, NULL, NULL }, 0, diff --git a/tests/data_files/ec_bp256_prv.pem b/tests/data_files/ec_bp256_prv.pem new file mode 100644 index 000000000..9d6a867cc --- /dev/null +++ b/tests/data_files/ec_bp256_prv.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHgCAQEEICFh1vLbdlJvpiwW81aoDwHzL3dnhLNqqZeZqLdmIID/oAsGCSskAwMC +CAEBB6FEA0IABHaMjK5KvKYwbbDtgbDEpiFcN4Bm7G1hbBRuE/HH34CblqtpEcJ9 +igIznwkmhA5VI209HvviZp0JDkxMZg+tqR0= +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/ec_bp256_pub.pem b/tests/data_files/ec_bp256_pub.pem new file mode 100644 index 000000000..f738623d8 --- /dev/null +++ b/tests/data_files/ec_bp256_pub.pem @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABHaMjK5KvKYwbbDtgbDEpiFcN4Bm +7G1hbBRuE/HH34CblqtpEcJ9igIznwkmhA5VI209HvviZp0JDkxMZg+tqR0= +-----END PUBLIC KEY----- diff --git a/tests/data_files/ec_bp384_prv.pem b/tests/data_files/ec_bp384_prv.pem new file mode 100644 index 000000000..34e82db7a --- /dev/null +++ b/tests/data_files/ec_bp384_prv.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGoAgEBBDA92S51DZDX05/BiFzYrRLqlEHyK5M0tNllICrbFEjOJMWAioXdmvwi +mvCjEk91W8ugCwYJKyQDAwIIAQELoWQDYgAEcZ+dCTpifg01A4XGYc6/AMYZI1Zv +6QBqMQevHYcbxrtomF/XIuoyvjFvjng7fNGVd4X2bPwMsZXdXJmo56uqhIVTpYTf +0rSOdtRF/gDdi+WQlth31GltI7S8jbFHJOZq +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/ec_bp384_pub.pem b/tests/data_files/ec_bp384_pub.pem new file mode 100644 index 000000000..eb202e214 --- /dev/null 
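Review bot: The description strings of the three new table rows, `"brainpool256r1"`, `"brainpool384r1"` and `"brainpool512r1"`, drop the "P" from the RFC 5639 curve names and so differ from the `name` field beside them, whereas every secp row in this table uses the same string for both fields. Whatever consumer prints the description will then show a name that does not exist in the RFC; use the canonical name, e.g. `{ ADD_LEN( OID_EC_GRP_BP256R1 ), "brainpoolP256r1", "brainpoolP256r1" },` and likewise for 384 and 512 (which also restores the space after the comma used elsewhere in the table). The lookup by OID is unaffected by this, so the new PEM fixtures still parse either way.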
+++ b/tests/data_files/ec_bp384_pub.pem @@ -0,0 +1,5 @@ +-----BEGIN PUBLIC KEY----- +MHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABHGfnQk6Yn4NNQOFxmHOvwDGGSNW +b+kAajEHrx2HG8a7aJhf1yLqMr4xb454O3zRlXeF9mz8DLGV3VyZqOerqoSFU6WE +39K0jnbURf4A3YvlkJbYd9RpbSO0vI2xRyTmag== +-----END PUBLIC KEY----- diff --git a/tests/data_files/ec_bp512_prv.pem b/tests/data_files/ec_bp512_prv.pem new file mode 100644 index 000000000..a30c622db --- /dev/null +++ b/tests/data_files/ec_bp512_prv.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHaAgEBBEA3LJd49p9ybLyj9KJo8WtNYX0QKA15pqApzVGHn+EBKTTf5TlUVTN9 +9pBtx9bS7qTbsgZcAij3Oz7XFkgOfXHSoAsGCSskAwMCCAEBDaGBhQOBggAEOLfs +krYcXGx/vCik7HWdSPzU4uN03v1cSWilTb73UQ5ReIb7/DjqOapSk1nXCnFWw108 +usfOd2vbJR3WS85xI0Qk7nBJ7tBy8NvE15mW4XXVV+JjdjrpcJXAgec+fbLjitw9 +TJoEh7Ht6HbcH8phyQLpodhyK4YSko8YokhFWRo= +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/ec_bp512_pub.pem b/tests/data_files/ec_bp512_pub.pem new file mode 100644 index 000000000..ff5d07296 --- /dev/null +++ b/tests/data_files/ec_bp512_pub.pem @@ -0,0 +1,6 @@ +-----BEGIN PUBLIC KEY----- +MIGbMBQGByqGSM49AgEGCSskAwMCCAEBDQOBggAEOLfskrYcXGx/vCik7HWdSPzU +4uN03v1cSWilTb73UQ5ReIb7/DjqOapSk1nXCnFWw108usfOd2vbJR3WS85xI0Qk +7nBJ7tBy8NvE15mW4XXVV+JjdjrpcJXAgec+fbLjitw9TJoEh7Ht6HbcH8phyQLp +odhyK4YSko8YokhFWRo= +-----END PUBLIC KEY----- diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data index 8434efb79..dc13fdbde 100644 --- a/tests/suites/test_suite_pkparse.data +++ b/tests/suites/test_suite_pkparse.data 
@@ -130,6 +130,18 @@ Parse Public EC Key #6 (RFC 5480, secp521r1) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP521R1_ENABLED pk_parse_public_keyfile_ec:"data_files/ec_521_pub.pem":0 +Parse Public EC Key #7 (RFC 5480, brainpoolP256r1) +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_BP256R1_ENABLED +pk_parse_public_keyfile_ec:"data_files/ec_bp256_pub.pem":0 + +Parse Public EC Key #8 (RFC 5480, brainpoolP384r1) +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_BP384R1_ENABLED +pk_parse_public_keyfile_ec:"data_files/ec_bp384_pub.pem":0 + +Parse Public EC Key #9 (RFC 5480, brainpoolP512r1) +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_BP512R1_ENABLED +pk_parse_public_keyfile_ec:"data_files/ec_bp512_pub.pem":0 + Parse EC Key #1 (SEC1 DER) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP192R1_ENABLED pk_parse_keyfile_ec:"data_files/ec_prv.sec1.der":"NULL":0 @@ -174,6 +186,18 @@ Parse EC Key #11 (SEC1 PEM, secp521r1) depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP521R1_ENABLED pk_parse_keyfile_ec:"data_files/ec_521_prv.pem":"NULL":0 +Parse EC Key #12 (SEC1 PEM, bp256r1) +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_BP256R1_ENABLED +pk_parse_keyfile_ec:"data_files/ec_bp256_prv.pem":"NULL":0 + +Parse EC Key #13 (SEC1 PEM, bp384r1) +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_BP384R1_ENABLED +pk_parse_keyfile_ec:"data_files/ec_bp384_prv.pem":"NULL":0 + +Parse EC Key #14 (SEC1 PEM, bp512r1) +depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_BP512R1_ENABLED +pk_parse_keyfile_ec:"data_files/ec_bp512_prv.pem":"NULL":0 + Key ASN1 (Incorrect first tag) pk_parse_key_rsa:"":"":POLARSSL_ERR_PK_KEY_INVALID_FORMAT From b8012fca5fa94d145b58324b37e7863ab6456ec8 Mon Sep 17 00:00:00 2001 
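Review bot: The six new cases only assert a zero return from the parser; nothing in them checks that a Brainpool OID is mapped to the matching `POLARSSL_ECP_DP_BP*R1` group, which is precisely the table this series introduces. If `pk_parse_public_keyfile_ec` and `pk_parse_keyfile_ec` do not already compare `grp.id` against an expected value (their bodies are outside this diff), consider a variant that takes the expected group id, e.g. `pk_parse_public_keyfile_ec:"data_files/ec_bp256_pub.pem":POLARSSL_ECP_DP_BP256R1:0`, so a wrong OID suffix would fail the suite rather than silently select another curve. The "(RFC 5480, brainpoolP256r1)" labels are fine for the SubjectPublicKeyInfo wrapper, but the curves themselves come from RFC 5639, which is worth reflecting in the case names.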
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 10 Oct 2013 15:40:49 +0200 Subject: [PATCH 12/13] Adjust dependencies --- include/polarssl/config.h | 12 ++++++++++-- library/ecp.c | 22 ++++------------------ 2 files changed, 14 insertions(+), 20 deletions(-) diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 6208c426d..e4ab5e1bb 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -1016,7 +1016,7 @@ * Caller: library/ecdh.c * library/ecdsa.c * - * Requires: POLARSSL_BIGNUM_C + * Requires: POLARSSL_BIGNUM_C and at least one POLARSSL_ECP_DP_XXX_ENABLED */ #define POLARSSL_ECP_C @@ -1710,7 +1710,15 @@ #error "POLARSSL_ECDSA_C defined, but not all prerequisites" #endif -#if defined(POLARSSL_ECP_C) && !defined(POLARSSL_BIGNUM_C) +#if defined(POLARSSL_ECP_C) && !defined(POLARSSL_BIGNUM_C) || ( \ + !defined(POLARSSL_ECP_DP_SECP192R1_ENABLED) && \ + !defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) && \ + !defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) && \ + !defined(POLARSSL_ECP_DP_SECP384R1_ENABLED) && \ + !defined(POLARSSL_ECP_DP_SECP521R1_ENABLED) && \ + !defined(POLARSSL_ECP_DP_BP256R1_ENABLED) && \ + !defined(POLARSSL_ECP_DP_BP384R1_ENABLED) && \ + !defined(POLARSSL_ECP_DP_BP512R1_ENABLED) ) #error "POLARSSL_ECP_C defined, but not all prerequisites" #endif diff --git a/library/ecp.c b/library/ecp.c index 2eb57fa97..d980d4b9e 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -1747,6 +1747,7 @@ int ecp_self_test( int verbose ) ecp_point R, P; mpi m; unsigned long add_c_prev, dbl_c_prev; + /* exponents especially adapted for secp192r1 */ const char *exponents[] = { "000000000000000000000000000000000000000000000000", /* zero */ 
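Review bot: The new prerequisite check in the `@@ -1710` hunk of config.h fires on builds that do not define POLARSSL_ECP_C at all, because `&&` binds tighter than `||`: the condition reads `(ECP_C && !BIGNUM_C) || (no curve enabled)`, so a configuration with ECP disabled and every `POLARSSL_ECP_DP_XXX_ENABLED` left undefined stops with "POLARSSL_ECP_C defined, but not all prerequisites". Gate the whole disjunction on POLARSSL_ECP_C: `#if defined(POLARSSL_ECP_C) && ( !defined(POLARSSL_BIGNUM_C) || ( \` on the first line and `!defined(POLARSSL_ECP_DP_BP512R1_ENABLED) ) )` on the last. The ecp.c hunk in the same commit relies on this check having rejected curve-less builds, so the parenthesisation matters beyond the spurious error.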
@@ -1763,27 +1764,12 @@ int ecp_self_test( int verbose ) ecp_point_init( &P ); mpi_init( &m ); + /* Use secp192r1 if available, or any available curve */ #if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED) MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP192R1 ) ); #else -#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) - MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP224R1 ) ); -#else -#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) - MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP256R1 ) ); -#else -#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED) - MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP384R1 ) ); -#else -#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED) - MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP521R1 ) ); -#else -#error No curves defines -#endif /* POLARSSL_ECP_DP_SECP512R1_ENABLED */ -#endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */ -#endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */ -#endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */ -#endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */ + MPI_CHK( ecp_use_known_dp( &grp, ecp_curve_list()->grp_id ) ); +#endif if( verbose != 0 ) printf( " ECP test #1 (constant op_count, base point G): " ); From 0cd6f98c0f12310bcadc72db1f18ab8a3d006762 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 10 Oct 2013 15:55:39 +0200 Subject: [PATCH 13/13] Don't special-case a = -3, not worth it --- include/polarssl/ecp.h | 5 +-- library/ecp.c | 100 +++++++---------------------------------- 2 files changed, 17 insertions(+), 88 deletions(-) diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h index ef9836153..90fa09b6e 100644 --- a/include/polarssl/ecp.h +++ b/include/polarssl/ecp.h 
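Review bot: The new `#else` branch dereferences `ecp_curve_list()` and passes its first `grp_id` straight to `ecp_use_known_dp` with no check that the list is non-empty; that is only safe because the `#error No curves defines` guard removed from this file was moved into config.h by the same commit, and that dependency is invisible here. Make it explicit above the call: `/* config.h rejects builds with no curve enabled, so the list is non-empty */`. Since the exponent strings are 192-bit values "especially adapted for secp192r1" (per the comment added just above), the constant op-count test on a larger curve runs with short scalars; they all have the same bit length, so the count should still be constant, but a one-line note that the test is weaker on non-192-bit curves would help the next reader. `ecp_self_test` begins before this hunk.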
@@ -105,9 +105,6 @@ ecp_point; * The curves we consider are defined by y^2 = x^3 + A x + B mod P, * and a generator for a large subgroup of order N is fixed. * - * If A is not set (ie A.p == NULL) then the value A = -3 is assumed, - * which allows the used of slightly faster point doubling formulas. - * * pbits and nbits must be the size of P and N in bits. * * If modp is NULL, reduction modulo P is done using a generic algorithm. @@ -121,7 +118,7 @@ typedef struct { ecp_group_id id; /*!< internal group identifier */ mpi P; /*!< prime modulus of the base field */ - mpi A; /*!< linear term in the equation (default: -3) */ + mpi A; /*!< linear term in the equation */ mpi B; /*!< constant term in the equation */ ecp_point G; /*!< generator of the subgroup used */ mpi N; /*!< the order of G */ diff --git a/library/ecp.c b/library/ecp.c index d980d4b9e..b7af16a1b 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -288,15 +288,20 @@ cleanup: } /* - * Import an ECP group from ASCII strings, case A == -3 (A cleared) + * Import an ECP group from ASCII strings, case A == -3 */ int ecp_group_read_string( ecp_group *grp, int radix, const char *p, const char *b, const char *gx, const char *gy, const char *n) { - int ret = ecp_group_read_string_gen( grp, radix, p, "00", b, gx, gy, n ); + int ret; - mpi_free( &grp->A ); + MPI_CHK( ecp_group_read_string_gen( grp, radix, p, "00", b, gx, gy, n ) ); + MPI_CHK( mpi_add_int( &grp->A, &grp->P, -3 ) ); + +cleanup: + if( ret != 0 ) + ecp_group_free( grp ); return( ret ); } 
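Review bot: Dropping the "A not set means A = -3" paragraph from the ecp.h struct comment removes a documented default without saying that callers must now fill `A` themselves; an `ecp_group` built by hand with `A` left in its initialised state will, as far as I can tell from the arithmetic in this series, be treated as A = 0 and silently describe a different curve. State the new requirement on the field, e.g. `mpi A; /*!< linear term in the equation (must be set; no implicit -3) */`, and mention the behaviour change in the ChangeLog since `ecp_group` is a public type.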
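Review bot: `ecp_group_read_string` now stores A as P − 3 instead of −3, which keeps it in [0, P); presumably this is required because the group arithmetic reduces with single conditional subtractions (`MOD_ADD`/`MOD_SUB`) after adding A, and a negative A would break that. That assumption is worth recording on the function rather than leaving it implicit in the `mpi_add_int( &grp->A, &grp->P, -3 )` call: `/* store A = P - 3 so it is already reduced mod P, as the group arithmetic assumes */`. The `"00"` passed as A to `ecp_group_read_string_gen` is now parsed and immediately overwritten, which is harmless but deserves a word in the same comment.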
@@ -1055,72 +1060,23 @@ cleanup: } /* - * Point doubling R = 2 P, Jacobian coordinates with a == -3 (GECC 3.21) - */ -static int ecp_double_jac_am3( const ecp_group *grp, ecp_point *R, - const ecp_point *P ) -{ - int ret; - mpi T1, T2, T3, X, Y, Z; - - if( mpi_cmp_int( &P->Z, 0 ) == 0 ) - return( ecp_set_zero( R ) ); - - mpi_init( &T1 ); mpi_init( &T2 ); mpi_init( &T3 ); - mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z ); - - MPI_CHK( mpi_mul_mpi( &T1, &P->Z, &P->Z ) ); MOD_MUL( T1 ); - MPI_CHK( mpi_sub_mpi( &T2, &P->X, &T1 ) ); MOD_SUB( T2 ); - MPI_CHK( mpi_add_mpi( &T1, &P->X, &T1 ) ); MOD_ADD( T1 ); - MPI_CHK( mpi_mul_mpi( &T2, &T2, &T1 ) ); MOD_MUL( T2 ); - MPI_CHK( mpi_mul_int( &T2, &T2, 3 ) ); MOD_ADD( T2 ); - MPI_CHK( mpi_mul_int( &Y, &P->Y, 2 ) ); MOD_ADD( Y ); - MPI_CHK( mpi_mul_mpi( &Z, &Y, &P->Z ) ); MOD_MUL( Z ); - MPI_CHK( mpi_mul_mpi( &Y, &Y, &Y ) ); MOD_MUL( Y ); - MPI_CHK( mpi_mul_mpi( &T3, &Y, &P->X ) ); MOD_MUL( T3 ); - MPI_CHK( mpi_mul_mpi( &Y, &Y, &Y ) ); MOD_MUL( Y ); - - /* - * For Y = Y / 2 mod p, we must make sure that Y is even before - * using right-shift. No need to reduce mod p afterwards. 
- */ - if( mpi_get_bit( &Y, 0 ) == 1 ) - MPI_CHK( mpi_add_mpi( &Y, &Y, &grp->P ) ); - MPI_CHK( mpi_shift_r( &Y, 1 ) ); - - MPI_CHK( mpi_mul_mpi( &X, &T2, &T2 ) ); MOD_MUL( X ); - MPI_CHK( mpi_mul_int( &T1, &T3, 2 ) ); MOD_ADD( T1 ); - MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) ); MOD_SUB( X ); - MPI_CHK( mpi_sub_mpi( &T1, &T3, &X ) ); MOD_SUB( T1 ); - MPI_CHK( mpi_mul_mpi( &T1, &T1, &T2 ) ); MOD_MUL( T1 ); - MPI_CHK( mpi_sub_mpi( &Y, &T1, &Y ) ); MOD_SUB( Y ); - - MPI_CHK( mpi_copy( &R->X, &X ) ); - MPI_CHK( mpi_copy( &R->Y, &Y ) ); - MPI_CHK( mpi_copy( &R->Z, &Z ) ); - -cleanup: - - mpi_free( &T1 ); mpi_free( &T2 ); mpi_free( &T3 ); - mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z ); - - return( ret ); -} - -/* - * Point doubling R = 2 P, Jacobian coordinates with general A + * Point doubling R = 2 P, Jacobian coordinates * * http://www.hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian/doubling/dbl-2007-bl.op3 * with heavy variable renaming, some reordering and one minor modification * (a = 2 * b, c = d - 2a replaced with c = d, c = c - b, c = c - b) * in order to use a lot less intermediate variables (6 vs 25). */ -static int ecp_double_jac_gen( const ecp_group *grp, ecp_point *R, - const ecp_point *P ) +static int ecp_double_jac( const ecp_group *grp, ecp_point *R, + const ecp_point *P ) { int ret; mpi T1, T2, T3, X3, Y3, Z3; +#if defined(POLARSSL_SELF_TEST) + dbl_count++; +#endif + mpi_init( &T1 ); mpi_init( &T2 ); mpi_init( &T3 ); mpi_init( &X3 ); mpi_init( &Y3 ); mpi_init( &Z3 ); @@ -1160,22 +1116,6 @@ cleanup: return( ret ); } -/* - * Point doubling R = 2 P, dispatcher function - */ -static int ecp_double_jac( const ecp_group *grp, ecp_point *R, - const ecp_point *P ) -{ -#if defined(POLARSSL_SELF_TEST) - dbl_count++; -#endif - - if( grp->A.p != NULL ) - return( ecp_double_jac_gen( grp, R, P ) ); - else - return( ecp_double_jac_am3( grp, R, P ) ); -} - /* * Addition or subtraction: R = P + Q or R = P + Q, * mixed affine-Jacobian coordinates (GECC 3.22) 
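Review bot: The deleted `ecp_double_jac_am3` returned the point at infinity explicitly when `P->Z == 0`; the surviving dbl-2007-bl body (between `mpi_init` and `cleanup`, outside this hunk) shows no such guard on the visible lines, so confirm it produces Z3 = 0 for a Z = 0 input — it should, as the cited formula derives Z3 from 2·Y·Z, but the dropped early return deserves a comment saying the formula handles infinity on its own. With the dispatcher gone, `ecp_double_jac` now reads `grp->A` unconditionally, and its header should say so: `* Requires grp->A to be set (reduced mod P); there is no implicit A = -3 any more.` The function's body and its callers lie outside the hunk.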
@@ -1669,18 +1609,10 @@ int ecp_check_pubkey( const ecp_group *grp, const ecp_point *pt ) /* * YY = Y^2 * RHS = X (X^2 + A) + B = X^3 + A X + B - * with, as usual, A = -3 if A is ommited */ MPI_CHK( mpi_mul_mpi( &YY, &pt->Y, &pt->Y ) ); MOD_MUL( YY ); MPI_CHK( mpi_mul_mpi( &RHS, &pt->X, &pt->X ) ); MOD_MUL( RHS ); - if( grp->A.p == NULL ) - { - MPI_CHK( mpi_add_int( &RHS, &RHS, -3 ) ); MOD_SUB( RHS ); - } - else - { - MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->A ) ); MOD_ADD( RHS ); - } + MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->A ) ); MOD_ADD( RHS ); MPI_CHK( mpi_mul_mpi( &RHS, &RHS, &pt->X ) ); MOD_MUL( RHS ); MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->B ) ); MOD_ADD( RHS );