Mercurial > dropbear

comparison ecc.c @ 839:33207ed1174b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge in ECC
author Matt Johnston <matt@ucc.asn.au>
date Mon, 21 Oct 2013 22:57:21 +0800
parents 724c3e0c8734
children 7540c0822374
comparison
equal deleted inserted replaced
834:e378da7eae5d 839:33207ed1174b
1 #include "includes.h"
2 #include "options.h"
3 #include "ecc.h"
4 #include "dbutil.h"
5 #include "bignum.h"
6
7 #ifdef DROPBEAR_ECC
8
9 // .dp members are filled out by dropbear_ecc_fill_dp() at startup
10 #ifdef DROPBEAR_ECC_256
11 struct dropbear_ecc_curve ecc_curve_nistp256 = {
12 .ltc_size = 32,
13 .hash_desc = &sha256_desc,
14 .name = "nistp256"
15 };
16 #endif
17 #ifdef DROPBEAR_ECC_384
18 struct dropbear_ecc_curve ecc_curve_nistp384 = {
19 .ltc_size = 48,
20 .hash_desc = &sha384_desc,
21 .name = "nistp384"
22 };
23 #endif
24 #ifdef DROPBEAR_ECC_521
25 struct dropbear_ecc_curve ecc_curve_nistp521 = {
26 .ltc_size = 66,
27 .hash_desc = &sha512_desc,
28 .name = "nistp521"
29 };
30 #endif
31
32 struct dropbear_ecc_curve *dropbear_ecc_curves[] = {
33 #ifdef DROPBEAR_ECC_256
34 &ecc_curve_nistp256,
35 #endif
36 #ifdef DROPBEAR_ECC_384
37 &ecc_curve_nistp384,
38 #endif
39 #ifdef DROPBEAR_ECC_521
40 &ecc_curve_nistp521,
41 #endif
42 NULL
43 };
44
45 void dropbear_ecc_fill_dp() {
46 struct dropbear_ecc_curve **curve;
47 // libtomcrypt guarantees they're ordered by size
48 const ltc_ecc_set_type *dp = ltc_ecc_sets;
49 for (curve = dropbear_ecc_curves; *curve; curve++) {
50 for (;dp->size > 0; dp++) {
51 if (dp->size == (*curve)->ltc_size) {
52 (*curve)->dp = dp;
53 break;
54 }
55 }
56 if (!(*curve)->dp) {
57 dropbear_exit("Missing ECC params %s", (*curve)->name);
58 }
59 }
60 }
61
62 struct dropbear_ecc_curve* curve_for_dp(const ltc_ecc_set_type *dp) {
63 struct dropbear_ecc_curve **curve = NULL;
64 for (curve = dropbear_ecc_curves; *curve; curve++) {
65 if ((*curve)->dp == dp) {
66 break;
67 }
68 }
69 assert(*curve);
70 return *curve;
71 }
72
73 ecc_key * new_ecc_key(void) {
74 ecc_key *key = m_malloc(sizeof(*key));
75 m_mp_alloc_init_multi(&key->pubkey.x, &key->pubkey.y,
76 &key->pubkey.z, &key->k, NULL);
77 return key;
78 }
79
80 // Copied from libtomcrypt ecc_import.c (version there is static), modified
81 // for different mp_int pointer without LTC_SOURCE
82 static int ecc_is_point(ecc_key *key)
83 {
84 mp_int *prime, *b, *t1, *t2;
85 int err;
86
87 prime = m_malloc(sizeof(mp_int));
88 b = m_malloc(sizeof(mp_int));
89 t1 = m_malloc(sizeof(mp_int));
90 t2 = m_malloc(sizeof(mp_int));
91
92 m_mp_alloc_init_multi(&prime, &b, &t1, &t2, NULL);
93
94 /* load prime and b */
95 if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) { goto error; }
96 if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) { goto error; }
97
98 /* compute y^2 */
99 if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK) { goto error; }
100
101 /* compute x^3 */
102 if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK) { goto error; }
103 if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK) { goto error; }
104 if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK) { goto error; }
105
106 /* compute y^2 - x^3 */
107 if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK) { goto error; }
108
109 /* compute y^2 - x^3 + 3x */
110 if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
111 if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
112 if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
113 if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK) { goto error; }
114 while (mp_cmp_d(t1, 0) == LTC_MP_LT) {
115 if ((err = mp_add(t1, prime, t1)) != CRYPT_OK) { goto error; }
116 }
117 while (mp_cmp(t1, prime) != LTC_MP_LT) {
118 if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK) { goto error; }
119 }
120
121 /* compare to b */
122 if (mp_cmp(t1, b) != LTC_MP_EQ) {
123 err = CRYPT_INVALID_PACKET;
124 } else {
125 err = CRYPT_OK;
126 }
127
128 error:
129 mp_clear_multi(prime, b, t1, t2, NULL);
130 m_free(prime);
131 m_free(b);
132 m_free(t1);
133 m_free(t2);
134 return err;
135 }
136
137 /* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */
138 void buf_put_ecc_raw_pubkey_string(buffer *buf, ecc_key *key) {
139 unsigned long len = key->dp->size*2 + 1;
140 buf_putint(buf, len);
141 int err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len);
142 if (err != CRYPT_OK) {
143 dropbear_exit("ECC error");
144 }
145 buf_incrwritepos(buf, len);
146 }
147
148 /* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */
149 ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve) {
150 ecc_key *key = NULL;
151 int ret = DROPBEAR_FAILURE;
152 const unsigned int size = curve->dp->size;
153 unsigned char first;
154
155 TRACE(("enter buf_get_ecc_raw_pubkey"))
156
157 buf_setpos(buf, 0);
158 first = buf_getbyte(buf);
159 if (first == 2 || first == 3) {
160 dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression");
161 return NULL;
162 }
163 if (first != 4 || buf->len != 1+2*size) {
164 TRACE(("leave, wrong size"))
165 return NULL;
166 }
167
168 key = new_ecc_key();
169 key->dp = curve->dp;
170
171 if (mp_read_unsigned_bin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) {
172 TRACE(("failed to read x"))
173 goto out;
174 }
175 buf_incrpos(buf, size);
176
177 if (mp_read_unsigned_bin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) {
178 TRACE(("failed to read y"))
179 goto out;
180 }
181 buf_incrpos(buf, size);
182
183 mp_set(key->pubkey.z, 1);
184
185 if (ecc_is_point(key) != CRYPT_OK) {
186 TRACE(("failed, not a point"))
187 goto out;
188 }
189
190 // SEC1 3.2.3.1 Check that Q != 0
191 if (mp_cmp_d(key->pubkey.x, 0) == LTC_MP_EQ) {
192 TRACE(("failed, x == 0"))
193 goto out;
194 }
195 if (mp_cmp_d(key->pubkey.y, 0) == LTC_MP_EQ) {
196 TRACE(("failed, y == 0"))
197 goto out;
198 }
199
200 ret = DROPBEAR_SUCCESS;
201
202 out:
203 if (ret == DROPBEAR_FAILURE) {
204 if (key) {
205 ecc_free(key);
206 m_free(key);
207 key = NULL;
208 }
209 }
210
211 return key;
212
213 }
214
215 // a modified version of libtomcrypt's "ecc_shared_secret" to output
216 // a mp_int instead.
217 mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, ecc_key *private_key)
218 {
219 ecc_point *result = NULL;
220 mp_int *prime = NULL, *shared_secret = NULL;
221 int err = DROPBEAR_FAILURE;
222
223 /* type valid? */
224 if (private_key->type != PK_PRIVATE) {
225 goto done;
226 }
227
228 if (private_key->dp != public_key->dp) {
229 goto done;
230 }
231
232 /* make new point */
233 result = ltc_ecc_new_point();
234 if (result == NULL) {
235 goto done;
236 }
237
238 prime = m_malloc(sizeof(*prime));
239 m_mp_init(prime);
240
241 if (mp_read_radix(prime, (char *)private_key->dp->prime, 16) != CRYPT_OK) {
242 goto done;
243 }
244 if (ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1) != CRYPT_OK) {
245 goto done;
246 }
247
248 err = DROPBEAR_SUCCESS;
249 done:
250 if (err == DROPBEAR_SUCCESS) {
251 shared_secret = m_malloc(sizeof(*shared_secret));
252 m_mp_init(shared_secret);
253 mp_copy(result->x, shared_secret);
254 }
255
256 if (prime) {
257 mp_clear(prime);
258 m_free(prime);
259 }
260 if (result)
261 {
262 ltc_ecc_del_point(result);
263 }
264
265 if (err == DROPBEAR_FAILURE) {
266 dropbear_exit("ECC error");
267 }
268 return shared_secret;
269 }
270
271 #endif