diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index db59a9350..707d04028 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -228,25 +228,6 @@ int ecp_is_zero( ecp_point *pt );
 */
 int ecp_copy( ecp_point *P, const ecp_point *Q );
 
-/**
- * \brief Check that a point is a valid public key on this curve
- *
- * \param grp Curve/group the point should belong to
- * \param pt Point to check
- *
- * \return 0 if point is a valid public key,
- * POLARSSL_ERR_ECP_GENERIC otherwise.
- *
- * \note This function only checks the point is non-zero, has valid
- * coordinates and lies on the curve, but not that it is
- * indeed a multiple of G. This is additional check is more
- * expensive, isn't required by standards, and shouldn't be
- * necessary if the group used has a small cofactor. In
- * particular, it is useless for the NIST groups which all
- * have a cofactor of 1.
- */
-int ecp_check_pubkey( const ecp_group *grp, const ecp_point *pt );
-
 /**
 * \brief Import a non-zero point from two ASCII strings
 *
@@ -437,6 +418,44 @@ int ecp_sub( const ecp_group *grp, ecp_point *R,
 int ecp_mul( const ecp_group *grp, ecp_point *R,
 const mpi *m, const ecp_point *P );
 
+/**
+ * \brief Check that a point is a valid public key on this curve
+ *
+ * \param grp Curve/group the point should belong to
+ * \param pt Point to check
+ *
+ * \return 0 if point is a valid public key,
+ * POLARSSL_ERR_ECP_GENERIC otherwise.
+ *
+ * \note This function only checks the point is non-zero, has valid
+ * coordinates and lies on the curve, but not that it is
+ * indeed a multiple of G. This is additional check is more
+ * expensive, isn't required by standards, and shouldn't be
+ * necessary if the group used has a small cofactor. In
+ * particular, it is useless for the NIST groups which all
+ * have a cofactor of 1.
+ *
+ * \note Uses bare components rather than an ecp_keypair structure
+ * in order to ease use with other structures such as
+ * ecdh_context of ecdsa_context.
+ */
+int ecp_check_pubkey( const ecp_group *grp, const ecp_point *pt );
+
+/**
+ * \brief Check that an mpi is a valid private key for this curve
+ *
+ * \param grp Group used
+ * \param d Integer to check
+ *
+ * \return 0 if point is a valid private key,
+ * POLARSSL_ERR_ECP_GENERIC otherwise.
+ *
+ * \note Uses bare components rather than an ecp_keypair structure
+ * in order to ease use with other structures such as
+ * ecdh_context of ecdsa_context.
+ */
+int ecp_check_prvkey( const ecp_group *grp, const mpi *d );
+
 /**
 * \brief Generate a keypair
 *
@@ -448,6 +467,10 @@ int ecp_mul( const ecp_group *grp, ecp_point *R,
 *
 * \return 0 if successful,
 * or a POLARSSL_ERR_ECP_XXX or POLARSSL_MPI_XXX error code
+ *
+ * \note Uses bare components rather than an ecp_keypair structure
+ * in order to ease use with other structures such as
+ * ecdh_context of ecdsa_context.
 */
 int ecp_gen_keypair( const ecp_group *grp, mpi *d, ecp_point *Q,
 int (*f_rng)(void *, unsigned char *, size_t),
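Review bot: The `\return` line of the new `ecp_check_prvkey()` comment says `0 if point is a valid private key`, but the argument is the integer `d`, and the accepted range is never stated in the header. I would write `\return 0 if d is a valid private key (1 <= d <= N-1),` so a caller can see what "valid" means without opening ecp.c. All three added `\note` blocks, including the one in the `ecp_gen_keypair` hunk at -448, say `ecdh_context of ecdsa_context`, which should read `ecdh_context or ecdsa_context`. The relocated pubkey note also still carries `This is additional check is more`, which should read `This additional check is more`.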
diff --git a/library/ecp.c b/library/ecp.c
index 216fc4330..29cfce5a3 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -727,51 +727,6 @@ int ecp_tls_write_group( const ecp_group *grp, size_t *olen,
 while( mpi_cmp_mpi( &N, &grp->P ) >= 0 ) \
 MPI_CHK( mpi_sub_mpi( &N, &N, &grp->P ) )
 
-/*
- * Check that a point is valid as a public key (SEC1 3.2.3.1)
- */
-int ecp_check_pubkey( const ecp_group *grp, const ecp_point *pt )
-{
- int ret;
- mpi YY, RHS;
-
- if( mpi_cmp_int( &pt->Z, 0 ) == 0 )
- return( POLARSSL_ERR_ECP_GENERIC );
-
- /*
- * pt coordinates must be normalized for our checks
- */
- if( mpi_cmp_int( &pt->Z, 1 ) != 0 )
- return( POLARSSL_ERR_ECP_GENERIC );
-
- if( mpi_cmp_int( &pt->X, 0 ) < 0 ||
- mpi_cmp_int( &pt->Y, 0 ) < 0 ||
- mpi_cmp_mpi( &pt->X, &grp->P ) >= 0 ||
- mpi_cmp_mpi( &pt->Y, &grp->P ) >= 0 )
- return( POLARSSL_ERR_ECP_GENERIC );
-
- mpi_init( &YY ); mpi_init( &RHS );
-
- /*
- * YY = Y^2
- * RHS = X (X^2 - 3) + B = X^3 - 3X + B
- */
- MPI_CHK( mpi_mul_mpi( &YY, &pt->Y, &pt->Y ) ); MOD_MUL( YY );
- MPI_CHK( mpi_mul_mpi( &RHS, &pt->X, &pt->X ) ); MOD_MUL( RHS );
- MPI_CHK( mpi_sub_int( &RHS, &RHS, 3 ) ); MOD_SUB( RHS );
- MPI_CHK( mpi_mul_mpi( &RHS, &RHS, &pt->X ) ); MOD_MUL( RHS );
- MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->B ) ); MOD_ADD( RHS );
-
- if( mpi_cmp_mpi( &YY, &RHS ) != 0 )
- ret = POLARSSL_ERR_ECP_GENERIC;
-
-cleanup:
-
- mpi_free( &YY ); mpi_free( &RHS );
-
- return( ret );
-}
-
 /*
 * Normalize jacobian coordinates so that Z == 0 || Z == 1 (GECC 3.2.1)
 */
@@ -1305,6 +1260,63 @@ cleanup:
 return( ret );
 }
 
+/*
+ * Check that a point is valid as a public key (SEC1 3.2.3.1)
+ */
+int ecp_check_pubkey( const ecp_group *grp, const ecp_point *pt )
+{
+ int ret;
+ mpi YY, RHS;
+
+ if( mpi_cmp_int( &pt->Z, 0 ) == 0 )
+ return( POLARSSL_ERR_ECP_GENERIC );
+
+ /*
+ * pt coordinates must be normalized for our checks
+ */
+ if( mpi_cmp_int( &pt->Z, 1 ) != 0 )
+ return( POLARSSL_ERR_ECP_GENERIC );
+
+ if( mpi_cmp_int( &pt->X, 0 ) < 0 ||
+ mpi_cmp_int( &pt->Y, 0 ) < 0 ||
+ mpi_cmp_mpi( &pt->X, &grp->P ) >= 0 ||
+ mpi_cmp_mpi( &pt->Y, &grp->P ) >= 0 )
+ return( POLARSSL_ERR_ECP_GENERIC );
+
+ mpi_init( &YY ); mpi_init( &RHS );
+
+ /*
+ * YY = Y^2
+ * RHS = X (X^2 - 3) + B = X^3 - 3X + B
+ */
+ MPI_CHK( mpi_mul_mpi( &YY, &pt->Y, &pt->Y ) ); MOD_MUL( YY );
+ MPI_CHK( mpi_mul_mpi( &RHS, &pt->X, &pt->X ) ); MOD_MUL( RHS );
+ MPI_CHK( mpi_sub_int( &RHS, &RHS, 3 ) ); MOD_SUB( RHS );
+ MPI_CHK( mpi_mul_mpi( &RHS, &RHS, &pt->X ) ); MOD_MUL( RHS );
+ MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->B ) ); MOD_ADD( RHS );
+
+ if( mpi_cmp_mpi( &YY, &RHS ) != 0 )
+ ret = POLARSSL_ERR_ECP_GENERIC;
+
+cleanup:
+
+ mpi_free( &YY ); mpi_free( &RHS );
+
+ return( ret );
+}
+
+/*
+ * Check that an mpi is valid as a private key (SEC1 3.2)
+ */
+int ecp_check_prvkey( const ecp_group *grp, const mpi *d )
+{
+ /* We want 1 <= d <= N-1 */
+ if ( mpi_cmp_int( d, 1 ) < 0 || mpi_cmp_mpi( d, &grp->N ) >= 0 )
+ return( POLARSSL_ERR_ECP_GENERIC );
+
+ return( 0 );
+}
+
 /*
 * Generate a keypair (SEC1 3.2.1)
 */
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index 30fc4614d..d19e41863 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -245,6 +245,9 @@ ECP tls write-read group #2
 depends_on:POLARSSL_ECP_DP_SECP521R1_ENABLED
 ecp_tls_write_read_group:SECP521R1
 
+ECP check prvkey
+ecp_check_prvkey:SECP192R1
+
 ECP gen keypair
 depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
 ecp_gen_keypair:SECP192R1
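Review bot: `ecp_check_pubkey()` returns whatever is in `ret` once it reaches `cleanup:`, so a failure inside one of the `MPI_CHK` steps would presumably come back as an mpi error code rather than `POLARSSL_ERR_ECP_GENERIC` (the macro is defined outside this hunk, so this is inferred from the `cleanup:` pattern). The header promises `POLARSSL_ERR_ECP_GENERIC otherwise`; either extend that to `POLARSSL_ERR_ECP_GENERIC if the point is invalid, or a POLARSSL_MPI_XXX error code`, or state in the comment that callers must reject the point on any non-zero return. A validity check whose caller compares against one constant fails open on the other codes, and in the visible hunks both checkers are called only from the test suite, so the contract is all a future caller has to go on. Separately, `if ( mpi_cmp_int( d, 1 )` in `ecp_check_prvkey()` uses `if (` where the rest of the hunk uses `if(`.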
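Review bot: The new `ECP check prvkey` case has no `depends_on:` line, while the neighbouring `ECP gen keypair` case, which loads the same curve, declares `depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED`. In a build with that curve disabled the case would presumably fail at `ecp_use_known_dp()` instead of being skipped. Add `depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED` between the title line and `ecp_check_prvkey:SECP192R1`.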
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function index a051bd74d..1d3d3dfc2 100644 --- a/tests/suites/test_suite_ecp.function +++ b/tests/suites/test_suite_ecp.function @@ -437,6 +437,28 @@ ecp_tls_write_read_group:id } END_CASE +BEGIN_CASE +ecp_check_prvkey:id +{ + ecp_group grp; + mpi d; + + ecp_group_init( &grp ); + mpi_init( &d ); + + TEST_ASSERT( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_{id} ) == 0 ); + + TEST_ASSERT( mpi_lset( &d, 0 ) == 0 ); + TEST_ASSERT( ecp_check_prvkey( &grp, &d ) == POLARSSL_ERR_ECP_GENERIC ); + + TEST_ASSERT( mpi_copy( &d, &grp.N ) == 0 ); + TEST_ASSERT( ecp_check_prvkey( &grp, &d ) == POLARSSL_ERR_ECP_GENERIC ); + + ecp_group_free( &grp ); + mpi_free( &d ); +} +END_CASE + BEGIN_CASE ecp_gen_keypair:id { @@ -455,8 +477,8 @@ ecp_gen_keypair:id TEST_ASSERT( ecp_gen_keypair( &grp, &d, &Q, &rnd_pseudo_rand, &rnd_info ) == 0 ); - TEST_ASSERT( mpi_cmp_mpi( &d, &grp.N ) < 0 ); - TEST_ASSERT( mpi_cmp_int( &d, 1 ) >= 0 ); + TEST_ASSERT( ecp_check_pubkey( &grp, &Q ) == 0 ); + TEST_ASSERT( ecp_check_prvkey( &grp, &d ) == 0 ); ecp_group_free( &grp ); ecp_point_free( &Q );
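Review bot: The `ecp_check_prvkey` case asserts only the two rejections `d = 0` and `d = N`; it never checks that the boundary values `1` and `N-1` are accepted or that a negative scalar is rejected, so a checker that rejected everything, or that got the sign handling wrong, would still pass. This matters more after the second hunk (-455), where the direct `mpi_cmp_mpi`/`mpi_cmp_int` range assertions on the generated `d` are replaced by a call to the function under test, leaving this case as the only independent evidence that the range check is right. I would add the acceptance and negative cases below after the existing `d = N` check. The `ecp_gen_keypair` case body starts and ends outside its hunk.

```c
/* … unchanged: group setup and the d = 0 rejection … */
    TEST_ASSERT( mpi_copy( &d, &grp.N ) == 0 );
    TEST_ASSERT( ecp_check_prvkey( &grp, &d ) == POLARSSL_ERR_ECP_GENERIC );

    /* smallest and largest valid scalars must be accepted */
    TEST_ASSERT( mpi_lset( &d, 1 ) == 0 );
    TEST_ASSERT( ecp_check_prvkey( &grp, &d ) == 0 );
    TEST_ASSERT( mpi_sub_int( &d, &grp.N, 1 ) == 0 );
    TEST_ASSERT( ecp_check_prvkey( &grp, &d ) == 0 );

    /* negative scalars must be rejected */
    TEST_ASSERT( mpi_lset( &d, -1 ) == 0 );
    TEST_ASSERT( ecp_check_prvkey( &grp, &d ) == POLARSSL_ERR_ECP_GENERIC );
/* … unchanged: ecp_group_free / mpi_free … */
```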