Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / third_party / tpm2 / refs/heads/stabilize-12859.B / . / CpriECC.c
blob: 14aa14d46e385d6b5f460740d45c9e5bd9dfb673 [file] [log] [blame]
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1// This file was extracted from the TCG Published
2// Trusted Platform Module Library
3// Part 4: Supporting Routines
4// Family "2.0"
5// Level 00 Revision 01.16
6// October 30, 2014
7
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]8#include <string.h>
9
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]10#include "OsslCryptoEngine.h"
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]11
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]12#ifdef TPM_ALG_ECC
13#include "CpriDataEcc.h"
14#include "CpriDataEcc.c"
15//
16//
17// Functions
18//
19// _cpri__EccStartup()
20//
21// This function is called at TPM Startup to initialize the crypto units.
22// In this implementation, no initialization is performed at startup but a future version may initialize the self-
23// test functions here.
24//
25LIB_EXPORT BOOL
26_cpri__EccStartup(
27 void
28 )
29{
30 return TRUE;
31}
32//
33//
34// _cpri__GetCurveIdByIndex()
35//
36// This function returns the number of the i-th implemented curve. The normal use would be to call this
37// function with i starting at 0. When the i is greater than or equal to the number of implemented curves,
38// TPM_ECC_NONE is returned.
39//
40LIB_EXPORT TPM_ECC_CURVE
41_cpri__GetCurveIdByIndex(
42 UINT16 i
43 )
44{
45 if(i >= ECC_CURVE_COUNT)
46 return TPM_ECC_NONE;
47 return eccCurves[i].curveId;
48}
49LIB_EXPORT UINT32
50_cpri__EccGetCurveCount(
51 void
52 )
53{
54 return ECC_CURVE_COUNT;
55}
56//
57//
58// _cpri__EccGetParametersByCurveId()
59//
60// This function returns a pointer to the curve data that is associated with the indicated curveId. If there is no
61// curve with the indicated ID, the function returns NULL.
62//
63//
64//
65//
66// Return Value Meaning
67//
68// NULL curve with the indicated TPM_ECC_CURVE value is not
69// implemented
70// non-NULL pointer to the curve data
71//
72LIB_EXPORT const ECC_CURVE *
73_cpri__EccGetParametersByCurveId(
74 TPM_ECC_CURVE curveId // IN: the curveID
75 )
76{
77 int i;
78 for(i = 0; i < ECC_CURVE_COUNT; i++)
79 {
80 if(eccCurves[i].curveId == curveId)
81 return &eccCurves[i];
82 }
83 FAIL(FATAL_ERROR_INTERNAL);
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]84
85 return NULL; // Never reached.
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]86}
87static const ECC_CURVE_DATA *
88GetCurveData(
89 TPM_ECC_CURVE curveId // IN: the curveID
90 )
91{
92 const ECC_CURVE *curve = _cpri__EccGetParametersByCurveId(curveId);
93 return curve->curveData;
94}
95//
96//
97// Point2B()
98//
99// This function makes a TPMS_ECC_POINT from a BIGNUM EC_POINT.
100//
101static BOOL
102Point2B(
103 EC_GROUP *group, // IN: group for the point
104 TPMS_ECC_POINT *p, // OUT: receives the converted point
105 EC_POINT *ecP, // IN: the point to convert
106 INT16 size, // IN: size of the coordinates
107 BN_CTX *context // IN: working context
108 )
109{
110 BIGNUM *bnX;
111 BIGNUM *bnY;
112 BN_CTX_start(context);
113 bnX = BN_CTX_get(context);
114 bnY = BN_CTX_get(context);
115 if( bnY == NULL
116 // Get the coordinate values
117 || EC_POINT_get_affine_coordinates_GFp(group, ecP, bnX, bnY, context) != 1
118 // Convert x
119 || (!BnTo2B(&p->x.b, bnX, size))
120 // Convert y
121 || (!BnTo2B(&p->y.b, bnY, size))
122 )
123 FAIL(FATAL_ERROR_INTERNAL);
124 BN_CTX_end(context);
125 return TRUE;
126}
127//
128//
129// EccCurveInit()
130//
131// This function initializes the OpenSSL() group definition structure
132// This function is only used within this file.
133// It is a fatal error if groupContext is not provided.
134//
135// Return Value Meaning
136//
137// NULL the TPM_ECC_CURVE is not valid
138// non-NULL points to a structure in groupContext static EC_GROUP *
139//
140static EC_GROUP *
141EccCurveInit(
142 TPM_ECC_CURVE curveId, // IN: the ID of the curve
143 BN_CTX *groupContext // IN: the context in which the group is to be
144 // created
145 )
146{
147 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
148 EC_GROUP *group = NULL;
149 EC_POINT *P = NULL;
150 BN_CTX *context;
151 BIGNUM *bnP;
152 BIGNUM *bnA;
153 BIGNUM *bnB;
154 BIGNUM *bnX;
155 BIGNUM *bnY;
156 BIGNUM *bnN;
157 BIGNUM *bnH;
158 int ok = FALSE;
159 // Context must be provided and curve selector must be valid
160 pAssert(groupContext != NULL && curveData != NULL);
161 context = BN_CTX_new();
162 if(context == NULL)
163 FAIL(FATAL_ERROR_ALLOCATION);
164 BN_CTX_start(context);
165 bnP = BN_CTX_get(context);
166 bnA = BN_CTX_get(context);
167 bnB = BN_CTX_get(context);
168 bnX = BN_CTX_get(context);
169 bnY = BN_CTX_get(context);
170 bnN = BN_CTX_get(context);
171 bnH = BN_CTX_get(context);
172 if (bnH == NULL)
173 goto Cleanup;
174 // Convert the number formats
175 BnFrom2B(bnP, curveData->p);
176 BnFrom2B(bnA, curveData->a);
177 BnFrom2B(bnB, curveData->b);
178 BnFrom2B(bnX, curveData->x);
179 BnFrom2B(bnY, curveData->y);
180 BnFrom2B(bnN, curveData->n);
181 BnFrom2B(bnH, curveData->h);
182 // initialize EC group, associate a generator point and initialize the point
183 // from the parameter data
184 ok = ( (group = EC_GROUP_new_curve_GFp(bnP, bnA, bnB, groupContext)) != NULL
185 && (P = EC_POINT_new(group)) != NULL
186 && EC_POINT_set_affine_coordinates_GFp(group, P, bnX, bnY, groupContext)
187 && EC_GROUP_set_generator(group, P, bnN, bnH)
188 );
189Cleanup:
190 if (!ok && group != NULL)
191 {
192 EC_GROUP_free(group);
193 group = NULL;
194 }
195 if(P != NULL)
196 EC_POINT_free(P);
197 BN_CTX_end(context);
198 BN_CTX_free(context);
199 return group;
200}
201//
202//
203// PointFrom2B()
204//
205// This function sets the coordinates of an existing BN Point from a TPMS_ECC_POINT.
206//
207static EC_POINT *
208PointFrom2B(
209 EC_GROUP *group, // IN: the group for the point
210 EC_POINT *ecP, // IN: an existing BN point in the group
211 TPMS_ECC_POINT *p, // IN: the 2B coordinates of the point
212 BN_CTX *context // IN: the BIGNUM context
213 )
214{
215 BIGNUM *bnX;
216 BIGNUM *bnY;
217 // If the point is not allocated then just return a NULL
218 if(ecP == NULL)
219 return NULL;
220 BN_CTX_start(context);
221 bnX = BN_CTX_get(context);
222 bnY = BN_CTX_get(context);
223 if( // Set the coordinates of the point
224 bnY == NULL
225 || BN_bin2bn(p->x.t.buffer, p->x.t.size, bnX) == NULL
226 || BN_bin2bn(p->y.t.buffer, p->y.t.size, bnY) == NULL
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]227 )
228 FAIL(FATAL_ERROR_INTERNAL);
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]229 if( !EC_POINT_set_affine_coordinates_GFp(group, ecP, bnX, bnY, context)
230 || EC_POINT_is_on_curve(group, ecP, context) <= 0
231 )
232 ecP = NULL; // Point is not on curve
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]233 BN_CTX_end(context);
234 return ecP;
235}
236//
237//
238// EccInitPoint2B()
239//
240// This function allocates a point in the provided group and initializes it with the values in a
241// TPMS_ECC_POINT.
242//
243static EC_POINT *
244EccInitPoint2B(
245 EC_GROUP *group, // IN: group for the point
246 TPMS_ECC_POINT *p, // IN: the coordinates for the point
247 BN_CTX *context // IN: the BIGNUM context
248 )
249{
250 EC_POINT *ecP;
251 BN_CTX_start(context);
252 ecP = EC_POINT_new(group);
253 if(PointFrom2B(group, ecP, p, context) == NULL)
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]254 {
255 EC_POINT_free(ecP);
256 ecP = NULL;
257 }
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]258 BN_CTX_end(context);
259 return ecP;
260}
261//
262//
263// PointMul()
264//
265// This function does a point multiply and checks for the result being the point at infinity. Q = ([A]G + [B]P)
266//
267// Return Value Meaning
268//
269// CRYPT_NO_RESULT point is at infinity
270// CRYPT_SUCCESS point not at infinity
271//
272static CRYPT_RESULT
273PointMul(
274 EC_GROUP *group, // IN: group curve
275 EC_POINT *ecpQ, // OUT: result
276 BIGNUM *bnA, // IN: scalar for [A]G
277 EC_POINT *ecpP, // IN: point for [B]P
278 BIGNUM *bnB, // IN: scalar for [B]P
279 BN_CTX *context // IN: working context
280 )
281{
282 if(EC_POINT_mul(group, ecpQ, bnA, ecpP, bnB, context) != 1)
283 FAIL(FATAL_ERROR_INTERNAL);
284 if(EC_POINT_is_at_infinity(group, ecpQ))
285 return CRYPT_NO_RESULT;
286 return CRYPT_SUCCESS;
287}
288//
289//
290// GetRandomPrivate()
291//
292// This function gets a random value (d) to use as a private ECC key and then qualifies the key so that it is
293// between 0 < d < n.
294// It is a fatal error if dOut or pIn is not provided or if the size of pIn is larger than MAX_ECC_KEY_BYTES
295// (the largest buffer size of a TPM2B_ECC_PARAMETER)
296//
297static void
298GetRandomPrivate(
299 TPM2B_ECC_PARAMETER *dOut, // OUT: the qualified random value
300 const TPM2B *pIn // IN: the maximum value for the key
301 )
302{
303 int i;
304 BYTE *pb;
305 pAssert(pIn != NULL && dOut != NULL && pIn->size <= MAX_ECC_KEY_BYTES);
306 // Set the size of the output
307 dOut->t.size = pIn->size;
308 // Get some random bits
309 while(TRUE)
310 {
311 _cpri__GenerateRandom(dOut->t.size, dOut->t.buffer);
312 // See if the d < n
313 if(memcmp(dOut->t.buffer, pIn->buffer, pIn->size) < 0)
314 {
315 // dOut < n so make sure that 0 < dOut
316 for(pb = dOut->t.buffer, i = dOut->t.size; i > 0; i--)
317 {
318 if(*pb++ != 0)
319 return;
320 }
321 }
322 }
323}
324//
325//
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]326// _cpri__EccPointMultiply
327//
328// This function computes 'R := [dIn]G + [uIn]QIn. Where dIn and uIn are scalars, G and QIn are points on
329// the specified curve and G is the default generator of the curve.
330// The xOut and yOut parameters are optional and may be set to NULL if not used.
331// It is not necessary to provide uIn if QIn is specified but one of uIn and dIn must be provided. If dIn and
332// QIn are specified but uIn is not provided, then R = [dIn]QIn.
333// If the multiply produces the point at infinity, the CRYPT_NO_RESULT is returned.
334// The sizes of xOut and yOut' will be set to be the size of the degree of the curve
335// It is a fatal error if dIn and uIn are both unspecified (NULL) or if Qin or Rout is unspecified.
336//
337//
338//
339//
340// Return Value Meaning
341//
342// CRYPT_SUCCESS point multiplication succeeded
343// CRYPT_POINT the point Qin is not on the curve
344// CRYPT_NO_RESULT the product point is at infinity
345//
346LIB_EXPORT CRYPT_RESULT
347_cpri__EccPointMultiply(
348 TPMS_ECC_POINT *Rout, // OUT: the product point R
349 TPM_ECC_CURVE curveId, // IN: the curve to use
350 TPM2B_ECC_PARAMETER *dIn, // IN: value to multiply against the
351 // curve generator
352 TPMS_ECC_POINT *Qin, // IN: point Q
353 TPM2B_ECC_PARAMETER *uIn // IN: scalar value for the multiplier
354 // of Q
355 )
356{
357 BN_CTX *context;
358 BIGNUM *bnD;
359 BIGNUM *bnU;
360 EC_GROUP *group;
361 EC_POINT *R = NULL;
362 EC_POINT *Q = NULL;
363 CRYPT_RESULT retVal = CRYPT_SUCCESS;
364 // Validate that the required parameters are provided.
365 pAssert((dIn != NULL || uIn != NULL) && (Qin != NULL || dIn != NULL));
366 // If a point is provided for the multiply, make sure that it is on the curve
367 if(Qin != NULL && !_cpri__EccIsPointOnCurve(curveId, Qin))
368 return CRYPT_POINT;
369 context = BN_CTX_new();
370 if(context == NULL)
371 FAIL(FATAL_ERROR_ALLOCATION);
372 BN_CTX_start(context);
373 bnU = BN_CTX_get(context);
374 bnD = BN_CTX_get(context);
375 group = EccCurveInit(curveId, context);
376 // There should be no path for getting a bad curve ID into this function.
377 pAssert(group != NULL);
378 // check allocations should have worked and allocate R
379 if( bnD == NULL
380 || (R = EC_POINT_new(group)) == NULL)
381 FAIL(FATAL_ERROR_ALLOCATION);
382 // If Qin is present, create the point
383 if(Qin != NULL)
384 {
385 // Assume the size variables do not overflow. This should not happen in
386 // the contexts in which this function will be called.
387 assert2Bsize(Qin->x.t);
388 assert2Bsize(Qin->x.t);
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]389 if (!(Q = EccInitPoint2B(group, Qin, context)))
390 {
391 retVal = CRYPT_POINT;
392 goto Cleanup;
393 }
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]394 }
395 if(dIn != NULL)
396 {
397 // Assume the size variables do not overflow, which should not happen in
398 // the contexts that this function will be called.
399 assert2Bsize(dIn->t);
400 BnFrom2B(bnD, &dIn->b);
401 }
402 else
403 bnD = NULL;
404 // If uIn is specified, initialize its BIGNUM
405 if(uIn != NULL)
406 {
407 // Assume the size variables do not overflow, which should not happen in
408 // the contexts that this function will be called.
409 assert2Bsize(uIn->t);
410 BnFrom2B(bnU, &uIn->b);
411 }
412 // If uIn is not specified but Q is, then we are going to
413 // do R = [d]Q
414 else if(Qin != NULL)
415 {
416 bnU = bnD;
417 bnD = NULL;
418 }
419 // If neither Q nor u is specified, then null this pointer
420 else
421 bnU = NULL;
422 // Use the generator of the curve
423 if((retVal = PointMul(group, R, bnD, Q, bnU, context)) == CRYPT_SUCCESS)
Jocelyn Bohrddcb1ce2015-08-14 15:32:09 -0700[diff] [blame]424 Point2B(group, Rout, R, (INT16) ((EC_GROUP_get_degree(group)+7)/8), context);
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]425Cleanup:
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]426 if (Q)
427 EC_POINT_free(Q);
428 if(R)
429 EC_POINT_free(R);
430 if(group)
431 EC_GROUP_free(group);
432 BN_CTX_end(context);
433 BN_CTX_free(context);
434 return retVal;
435}
nagendra modadugu16e65be2016-03-08 11:05:25 -0800[diff] [blame]436#if defined TPM_ALG_ECDAA || defined TPM_ALG_SM2 //%
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]437//
438//
439// ClearPoint2B()
440//
441// Initialize the size values of a point
442//
443static void
444ClearPoint2B(
445 TPMS_ECC_POINT *p // IN: the point
446 )
447{
448 if(p != NULL) {
449 p->x.t.size = 0;
450 p->y.t.size = 0;
451 }
452}
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]453//
454//
455// _cpri__EccCommitCompute()
456//
457// This function performs the point multiply operations required by TPM2_Commit().
458// If B or M is provided, they must be on the curve defined by curveId. This routine does not check that they
459// are on the curve and results are unpredictable if they are not.
460//
461//
462//
463// It is a fatal error if r or d is NULL. If B is not NULL, then it is a fatal error if K and L are both NULL. If M is
464// not NULL, then it is a fatal error if E is NULL.
465//
466// Return Value Meaning
467//
468// CRYPT_SUCCESS computations completed normally
469// CRYPT_NO_RESULT if K, L or E was computed to be the point at infinity
470// CRYPT_CANCEL a cancel indication was asserted during this function
471//
472LIB_EXPORT CRYPT_RESULT
473_cpri__EccCommitCompute(
474 TPMS_ECC_POINT *K, // OUT: [d]B or [r]Q
475 TPMS_ECC_POINT *L, // OUT: [r]B
476 TPMS_ECC_POINT *E, // OUT: [r]M
477 TPM_ECC_CURVE curveId, // IN: the curve for the computations
478 TPMS_ECC_POINT *M, // IN: M (optional)
479 TPMS_ECC_POINT *B, // IN: B (optional)
480 TPM2B_ECC_PARAMETER *d, // IN: d (required)
481 TPM2B_ECC_PARAMETER *r // IN: the computed r value (required)
482 )
483{
484 BN_CTX *context;
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]485 BIGNUM *bnY, *bnR, *bnD;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]486 EC_GROUP *group;
487 EC_POINT *pK = NULL, *pL = NULL, *pE = NULL, *pM = NULL, *pB = NULL;
488 UINT16 keySizeInBytes;
489 CRYPT_RESULT retVal = CRYPT_SUCCESS;
490 // Validate that the required parameters are provided.
491 // Note: E has to be provided if computing E := [r]Q or E := [r]M. Will do
492 // E := [r]Q if both M and B are NULL.
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]493
494 pAssert((r && (K || !B) && (L || !B)) || (E || (!M && B)));
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]495 context = BN_CTX_new();
496 if(context == NULL)
497 FAIL(FATAL_ERROR_ALLOCATION);
498 BN_CTX_start(context);
499 bnR = BN_CTX_get(context);
500 bnD = BN_CTX_get(context);
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]501 bnY = BN_CTX_get(context);
502 if(bnY == NULL)
503 FAIL(FATAL_ERROR_ALLOCATION);
504 // Initialize the output points in case they are not computed
505 ClearPoint2B(K);
506 ClearPoint2B(L);
507 ClearPoint2B(E);
508 if((group = EccCurveInit(curveId, context)) == NULL)
509 {
510 retVal = CRYPT_PARAMETER;
511 goto Cleanup2;
512 }
Jocelyn Bohrddcb1ce2015-08-14 15:32:09 -0700[diff] [blame]513 keySizeInBytes = (UINT16) ((EC_GROUP_get_degree(group)+7)/8);
nagendra modadugud0a96512016-10-12 17:27:23 -0700[diff] [blame]514 // Size of the r parameter may not be zero
515 pAssert((int) r->t.size > 0);
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]516 // Convert scalars to BIGNUM
517 BnFrom2B(bnR, &r->b);
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]518 // If B is provided, compute K=[d]B and L=[r]B
519 if(B != NULL)
520 {
nagendra modadugud0a96512016-10-12 17:27:23 -0700[diff] [blame]521 // Size of the d parameter may not be zero
522 pAssert((int) d->t.size > 0);
523 BnFrom2B(bnD, &d->b);
524
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]525 // Allocate the points to receive the value
526 if( (pK = EC_POINT_new(group)) == NULL
527 || (pL = EC_POINT_new(group)) == NULL)
528 FAIL(FATAL_ERROR_ALLOCATION);
529 // need to compute K = [d]B
530 // Allocate and initialize BIGNUM version of B
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]531 if (!(pB = EccInitPoint2B(group, B, context)))
532 {
533 retVal = CRYPT_POINT;
534 goto Cleanup;
535 }
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]536 // do the math for K = [d]B
537 if((retVal = PointMul(group, pK, NULL, pB, bnD, context)) != CRYPT_SUCCESS)
538 goto Cleanup;
539 // Convert BN K to TPM2B K
540 Point2B(group, K, pK, (INT16)keySizeInBytes, context);
541 // compute L= [r]B after checking for cancel
542 if(_plat__IsCanceled())
543 {
544 retVal = CRYPT_CANCEL;
545 goto Cleanup;
546 }
547 // compute L = [r]B
548 if((retVal = PointMul(group, pL, NULL, pB, bnR, context)) != CRYPT_SUCCESS)
549 goto Cleanup;
550 // Convert BN L to TPM2B L
551 Point2B(group, L, pL, (INT16)keySizeInBytes, context);
552 }
553 if(M != NULL || B == NULL)
554 {
555 // if this is the third point multiply, check for cancel first
556 if(B != NULL && _plat__IsCanceled())
557 {
558 retVal = CRYPT_CANCEL;
559 goto Cleanup;
560 }
561 // Allocate E
562 if((pE = EC_POINT_new(group)) == NULL)
563 FAIL(FATAL_ERROR_ALLOCATION);
564 // Create BIGNUM version of M unless M is NULL
565 if(M != NULL)
566 {
567 // M provided so initialize a BIGNUM M and compute E = [r]M
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]568 if (!(pM = EccInitPoint2B(group, M, context)))
569 {
570 retVal = CRYPT_POINT;
571 goto Cleanup;
572 }
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]573 retVal = PointMul(group, pE, NULL, pM, bnR, context);
574 }
575 else
576 // compute E = [r]G (this is only done if M and B are both NULL
577 retVal = PointMul(group, pE, bnR, NULL, NULL, context);
578 if(retVal == CRYPT_SUCCESS)
579 // Convert E to 2B format
580 Point2B(group, E, pE, (INT16)keySizeInBytes, context);
581 }
582Cleanup:
583 EC_GROUP_free(group);
584 if(pK != NULL) EC_POINT_free(pK);
585 if(pL != NULL) EC_POINT_free(pL);
586 if(pE != NULL) EC_POINT_free(pE);
587 if(pM != NULL) EC_POINT_free(pM);
588 if(pB != NULL) EC_POINT_free(pB);
589Cleanup2:
590 BN_CTX_end(context);
591 BN_CTX_free(context);
592 return retVal;
593}
594#endif //%
595//
596//
597// _cpri__EccIsPointOnCurve()
598//
599// This function is used to test if a point is on a defined curve. It does this by checking that y^2 mod p = x^3
600// + a*x + b mod p
601// It is a fatal error if Q is not specified (is NULL).
602//
603// Return Value Meaning
604//
605// TRUE point is on curve
606// FALSE point is not on curve or curve is not supported
607//
608LIB_EXPORT BOOL
609_cpri__EccIsPointOnCurve(
610 TPM_ECC_CURVE curveId, // IN: the curve selector
611 TPMS_ECC_POINT *Q // IN: the point.
612 )
613{
614 BN_CTX *context;
615 BIGNUM *bnX;
616 BIGNUM *bnY;
617 BIGNUM *bnA;
618 BIGNUM *bnB;
619 BIGNUM *bnP;
620 BIGNUM *bn3;
621 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
622 BOOL retVal;
623 pAssert(Q != NULL && curveData != NULL);
624 if((context = BN_CTX_new()) == NULL)
625 FAIL(FATAL_ERROR_ALLOCATION);
626 BN_CTX_start(context);
627 bnX = BN_CTX_get(context);
628 bnY = BN_CTX_get(context);
629 bnA = BN_CTX_get(context);
630 bnB = BN_CTX_get(context);
631 bn3 = BN_CTX_get(context);
632 bnP = BN_CTX_get(context);
633 if(bnP == NULL)
634 FAIL(FATAL_ERROR_ALLOCATION);
635 // Convert values
636 if ( !BN_bin2bn(Q->x.t.buffer, Q->x.t.size, bnX)
637 || !BN_bin2bn(Q->y.t.buffer, Q->y.t.size, bnY)
638 || !BN_bin2bn(curveData->p->buffer, curveData->p->size, bnP)
639 || !BN_bin2bn(curveData->a->buffer, curveData->a->size, bnA)
640 || !BN_set_word(bn3, 3)
641 || !BN_bin2bn(curveData->b->buffer, curveData->b->size, bnB)
642 )
643 FAIL(FATAL_ERROR_INTERNAL);
644 // The following sequence is probably not optimal but it seems to be correct.
645 // compute x^3 + a*x + b mod p
646 // first, compute a*x mod p
647 if( !BN_mod_mul(bnA, bnA, bnX, bnP, context)
648//
649 // next, compute a*x + b mod p
650 || !BN_mod_add(bnA, bnA, bnB, bnP, context)
651 // next, compute X^3 mod p
652 || !BN_mod_exp(bnX, bnX, bn3, bnP, context)
653 // finally, compute x^3 + a*x + b mod p
654 || !BN_mod_add(bnX, bnX, bnA, bnP, context)
655 // then compute y^2
656 || !BN_mod_mul(bnY, bnY, bnY, bnP, context)
657 )
658 FAIL(FATAL_ERROR_INTERNAL);
659 retVal = BN_cmp(bnX, bnY) == 0;
660 BN_CTX_end(context);
661 BN_CTX_free(context);
662 return retVal;
663}
664//
665//
666// _cpri__GenerateKeyEcc()
667//
668// This function generates an ECC key pair based on the input parameters. This routine uses KDFa() to
669// produce candidate numbers. The method is according to FIPS 186-3, section B.4.1 "GKey() Pair
670// Generation Using Extra Random Bits." According to the method in FIPS 186-3, the resulting private value
671// d should be 1 <= d < n where n is the order of the base point. In this implementation, the range of the
672// private value is further restricted to be 2^(nLen/2) <= d < n where nLen is the order of n.
673//
674// EXAMPLE: If the curve is NIST-P256, then nLen is 256 bits and d will need to be between 2^128 <= d < n
675//
676// It is a fatal error if Qout, dOut, or seed is not provided (is NULL).
677//
678// Return Value Meaning
679//
680// CRYPT_PARAMETER the hash algorithm is not supported
681//
682LIB_EXPORT CRYPT_RESULT
683_cpri__GenerateKeyEcc(
684 TPMS_ECC_POINT *Qout, // OUT: the public point
685 TPM2B_ECC_PARAMETER *dOut, // OUT: the private scalar
686 TPM_ECC_CURVE curveId, // IN: the curve identifier
687 TPM_ALG_ID hashAlg, // IN: hash algorithm to use in the key
688 // generation process
689 TPM2B *seed, // IN: the seed to use
690 const char *label, // IN: A label for the generation
691 // process.
692 TPM2B *extra, // IN: Party 1 data for the KDF
693 UINT32 *counter // IN/OUT: Counter value to allow KDF
694 // iteration to be propagated across
695 // multiple functions
696 )
697{
698 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
699 INT16 keySizeInBytes;
700 UINT32 count = 0;
701 CRYPT_RESULT retVal;
702 UINT16 hLen = _cpri__GetDigestSize(hashAlg);
703 BIGNUM *bnNm1; // Order of the curve minus one
704 BIGNUM *bnD; // the private scalar
705 BN_CTX *context; // the context for the BIGNUM values
706 BYTE withExtra[MAX_ECC_KEY_BYTES + 8]; // trial key with
707 //extra bits
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]708 TPM2B_4_BYTE_VALUE marshaledCounter = {.t = {4}};
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]709 UINT32 totalBits;
710 // Validate parameters (these are fatal)
711 pAssert( seed != NULL && dOut != NULL && Qout != NULL && curveData != NULL);
712 // Non-fatal parameter checks.
713 if(hLen <= 0)
714 return CRYPT_PARAMETER;
715 // allocate the local BN values
716 context = BN_CTX_new();
717 if(context == NULL)
718 FAIL(FATAL_ERROR_ALLOCATION);
719 BN_CTX_start(context);
720 bnNm1 = BN_CTX_get(context);
721 bnD = BN_CTX_get(context);
722 // The size of the input scalars is limited by the size of the size of a
723 // TPM2B_ECC_PARAMETER. Make sure that it is not irrational.
724 pAssert((int) curveData->n->size <= MAX_ECC_KEY_BYTES);
725 if( bnD == NULL
726 || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnNm1) == NULL
727 || (keySizeInBytes = (INT16) BN_num_bytes(bnNm1)) > MAX_ECC_KEY_BYTES)
728 FAIL(FATAL_ERROR_INTERNAL);
729 // get the total number of bits
730 totalBits = BN_num_bits(bnNm1) + 64;
731 // Reduce bnNm1 from 'n' to 'n' - 1
732 BN_sub_word(bnNm1, 1);
733 // Initialize the count value
734 if(counter != NULL)
735 count = *counter;
736 if(count == 0)
737 count = 1;
738 // Start search for key (should be quick)
739 for(; count != 0; count++)
740 {
741 UINT32_TO_BYTE_ARRAY(count, marshaledCounter.t.buffer);
742 _cpri__KDFa(hashAlg, seed, label, extra, &marshaledCounter.b,
743 totalBits, withExtra, NULL, FALSE);
744 // Convert the result and modular reduce
745 // Assume the size variables do not overflow, which should not happen in
746 // the contexts that this function will be called.
747 pAssert(keySizeInBytes <= MAX_ECC_KEY_BYTES);
748 if ( BN_bin2bn(withExtra, keySizeInBytes+8, bnD) == NULL
749 || BN_mod(bnD, bnD, bnNm1, context) != 1)
750 FAIL(FATAL_ERROR_INTERNAL);
751 // Add one to get 0 < d < n
752 BN_add_word(bnD, 1);
753 if(BnTo2B(&dOut->b, bnD, keySizeInBytes) != 1)
754 FAIL(FATAL_ERROR_INTERNAL);
755 // Do the point multiply to create the public portion of the key. If
756 // the multiply generates the point at infinity (unlikely), do another
757 // iteration.
758 if( (retVal = _cpri__EccPointMultiply(Qout, curveId, dOut, NULL, NULL))
759 != CRYPT_NO_RESULT)
760 break;
761 }
762 if(count == 0) // if counter wrapped, then the TPM should go into failure mode
763 FAIL(FATAL_ERROR_INTERNAL);
764 // Free up allocated BN values
765 BN_CTX_end(context);
766 BN_CTX_free(context);
767 if(counter != NULL)
768 *counter = count;
769 return retVal;
770}
771//
772//
773// _cpri__GetEphemeralEcc()
774//
775// This function creates an ephemeral ECC. It is ephemeral in that is expected that the private part of the
776// key will be discarded
777//
778LIB_EXPORT CRYPT_RESULT
779_cpri__GetEphemeralEcc(
780 TPMS_ECC_POINT *Qout, // OUT: the public point
781 TPM2B_ECC_PARAMETER *dOut, // OUT: the private scalar
782 TPM_ECC_CURVE curveId // IN: the curve for the key
783 )
784{
785 CRYPT_RESULT retVal;
786 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
787 pAssert(curveData != NULL);
788 // Keep getting random values until one is found that doesn't create a point
789 // at infinity. This will never, ever, ever, ever, ever, happen but if it does
790 // we have to get a next random value.
791 while(TRUE)
792 {
793 GetRandomPrivate(dOut, curveData->p);
794 // _cpri__EccPointMultiply does not return CRYPT_ECC_POINT if no point is
795 // provided. CRYPT_PARAMTER should not be returned because the curve ID
796 // has to be supported. Thus the only possible error is CRYPT_NO_RESULT.
797 retVal = _cpri__EccPointMultiply(Qout, curveId, dOut, NULL, NULL);
798 if(retVal != CRYPT_NO_RESULT)
799 return retVal; // Will return CRYPT_SUCCESS
800 }
801}
802#ifdef TPM_ALG_ECDSA //%
803//
804//
805// SignEcdsa()
806//
807// This function implements the ECDSA signing algorithm. The method is described in the comments below.
808// It is a fatal error if rOut, sOut, dIn, or digest are not provided.
809//
810LIB_EXPORT CRYPT_RESULT
811SignEcdsa(
812 TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature
813 TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature
814 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
815 // process
816 TPM2B_ECC_PARAMETER *dIn, // IN: the private key
817 TPM2B *digest // IN: the value to sign
818 )
819{
820 BIGNUM *bnK;
821 BIGNUM *bnIk;
822 BIGNUM *bnN;
823 BIGNUM *bnR;
824//
825 BIGNUM *bnD;
826 BIGNUM *bnZ;
827 TPM2B_ECC_PARAMETER k;
828 TPMS_ECC_POINT R;
829 BN_CTX *context;
830 CRYPT_RESULT retVal = CRYPT_SUCCESS;
831 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
832 pAssert(rOut != NULL && sOut != NULL && dIn != NULL && digest != NULL);
833 context = BN_CTX_new();
834 if(context == NULL)
835 FAIL(FATAL_ERROR_ALLOCATION);
836 BN_CTX_start(context);
837 bnN = BN_CTX_get(context);
838 bnZ = BN_CTX_get(context);
839 bnR = BN_CTX_get(context);
840 bnD = BN_CTX_get(context);
841 bnIk = BN_CTX_get(context);
842 bnK = BN_CTX_get(context);
843 // Assume the size variables do not overflow, which should not happen in
844 // the contexts that this function will be called.
845 pAssert(curveData->n->size <= MAX_ECC_PARAMETER_BYTES);
846 if( bnK == NULL
847 || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL)
848 FAIL(FATAL_ERROR_INTERNAL);
849// The algorithm as described in "Suite B Implementer's Guide to FIPS 186-3(ECDSA)"
850// 1. Use one of the routines in Appendix A.2 to generate (k, k^-1), a per-message
851// secret number and its inverse modulo n. Since n is prime, the
852// output will be invalid only if there is a failure in the RBG.
853// 2. Compute the elliptic curve point R = [k]G = (xR, yR) using EC scalar
854// multiplication (see [Routines]), where G is the base point included in
855// the set of domain parameters.
856// 3. Compute r = xR mod n. If r = 0, then return to Step 1. 1.
857// 4. Use the selected hash function to compute H = Hash(M).
858// 5. Convert the bit string H to an integer e as described in Appendix B.2.
859// 6. Compute s = (k^-1 * (e + d * r)) mod n. If s = 0, return to Step 1.2.
860// 7. Return (r, s).
861 // Generate a random value k in the range 1 <= k < n
862 // Want a K value that is the same size as the curve order
863 k.t.size = curveData->n->size;
864 while(TRUE) // This implements the loop at step 6. If s is zero, start over.
865 {
866 while(TRUE)
867 {
868 // Step 1 and 2 -- generate an ephemeral key and the modular inverse
869 // of the private key.
870 while(TRUE)
871 {
872 GetRandomPrivate(&k, curveData->n);
873 // Do the point multiply to generate a point and check to see if
874 // the point it at infinity
875 if( _cpri__EccPointMultiply(&R, curveId, &k, NULL, NULL)
876 != CRYPT_NO_RESULT)
877 break; // can only be CRYPT_SUCCESS
878 }
879 // x coordinate is mod p. Make it mod n
880 // Assume the size variables do not overflow, which should not happen
881 // in the contexts that this function will be called.
882 assert2Bsize(R.x.t);
883 BN_bin2bn(R.x.t.buffer, R.x.t.size, bnR);
884 BN_mod(bnR, bnR, bnN, context);
885 // Make sure that it is not zero;
886 if(BN_is_zero(bnR))
887 continue;
888 // Make sure that a modular inverse exists
889 // Assume the size variables do not overflow, which should not happen
890 // in the contexts that this function will be called.
891 assert2Bsize(k.t);
892 BN_bin2bn(k.t.buffer, k.t.size, bnK);
893 if( BN_mod_inverse(bnIk, bnK, bnN, context) != NULL)
894 break;
895 }
896 // Set z = leftmost bits of the digest
897 // NOTE: This is implemented such that the key size needs to be
898 // an even number of bytes in length.
899 if(digest->size > curveData->n->size)
900 {
901 // Assume the size variables do not overflow, which should not happen
902 // in the contexts that this function will be called.
903 pAssert(curveData->n->size <= MAX_ECC_KEY_BYTES);
904 // digest is larger than n so truncate
905 BN_bin2bn(digest->buffer, curveData->n->size, bnZ);
906 }
907 else
908 {
909 // Assume the size variables do not overflow, which should not happen
910 // in the contexts that this function will be called.
911 pAssert(digest->size <= MAX_DIGEST_SIZE);
912 // digest is same or smaller than n so use it all
913 BN_bin2bn(digest->buffer, digest->size, bnZ);
914 }
915 // Assume the size variables do not overflow, which should not happen in
916 // the contexts that this function will be called.
917 assert2Bsize(dIn->t);
918 if( bnZ == NULL
919 // need the private scalar of the signing key
920 || BN_bin2bn(dIn->t.buffer, dIn->t.size, bnD) == NULL)
921 FAIL(FATAL_ERROR_INTERNAL);
922 // NOTE: When the result of an operation is going to be reduced mod x
923 // any modular multiplication is done so that the intermediate values
924 // don't get too large.
925 //
926 // now have inverse of K (bnIk), z (bnZ), r (bnR), d (bnD) and n (bnN)
927 // Compute s = k^-1 (z + r*d)(mod n)
928 // first do d = r*d mod n
929 if( !BN_mod_mul(bnD, bnR, bnD, bnN, context)
930 // d = z + r * d
931 || !BN_add(bnD, bnZ, bnD)
932 // d = k^(-1)(z + r * d)(mod n)
933 || !BN_mod_mul(bnD, bnIk, bnD, bnN, context)
934 // convert to TPM2B format
935 || !BnTo2B(&sOut->b, bnD, curveData->n->size)
936 // and write the modular reduced version of r
937 // NOTE: this was deferred to reduce the number of
938 // error checks.
939 || !BnTo2B(&rOut->b, bnR, curveData->n->size))
940 FAIL(FATAL_ERROR_INTERNAL);
941 if(!BN_is_zero(bnD))
942 break; // signature not zero so done
943 // if the signature value was zero, start over
944 }
945 // Free up allocated BN values
946 BN_CTX_end(context);
947 BN_CTX_free(context);
948 return retVal;
949}
950#endif //%
951#if defined TPM_ALG_ECDAA || defined TPM_ALG_ECSCHNORR //%
952//
953//
954// EcDaa()
955//
956// This function is used to perform a modified Schnorr signature for ECDAA.
957// This function performs s = k + T * d mod n where
958// a) 'k is a random, or pseudo-random value used in the commit phase
959// b) T is the digest to be signed, and
960// c) d is a private key.
961// If tIn is NULL then use tOut as T
962//
963// Return Value Meaning
964//
965// CRYPT_SUCCESS signature created
966//
967static CRYPT_RESULT
968EcDaa(
969 TPM2B_ECC_PARAMETER *tOut, // OUT: T component of the signature
970 TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature
971 TPM_ECC_CURVE curveId, // IN: the curve used in signing
972 TPM2B_ECC_PARAMETER *dIn, // IN: the private key
973 TPM2B *tIn, // IN: the value to sign
974 TPM2B_ECC_PARAMETER *kIn // IN: a random value from commit
975 )
976{
977 BIGNUM *bnN, *bnK, *bnT, *bnD;
978 BN_CTX *context;
979 const TPM2B *n;
980 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
981 BOOL OK = TRUE;
982 // Parameter checks
983 pAssert( sOut != NULL && dIn != NULL && tOut != NULL
984 && kIn != NULL && curveData != NULL);
985 // this just saves key strokes
986 n = curveData->n;
987 if(tIn != NULL)
988 Copy2B(&tOut->b, tIn);
989 // The size of dIn and kIn input scalars is limited by the size of the size
990 // of a TPM2B_ECC_PARAMETER and tIn can be no larger than a digest.
991 // Make sure they are within range.
992 pAssert( (int) dIn->t.size <= MAX_ECC_KEY_BYTES
993 && (int) kIn->t.size <= MAX_ECC_KEY_BYTES
994//
995 && (int) tOut->t.size <= MAX_DIGEST_SIZE
996 );
997 context = BN_CTX_new();
998 if(context == NULL)
999 FAIL(FATAL_ERROR_ALLOCATION);
1000 BN_CTX_start(context);
1001 bnN = BN_CTX_get(context);
1002 bnK = BN_CTX_get(context);
1003 bnT = BN_CTX_get(context);
1004 bnD = BN_CTX_get(context);
1005 // Check for allocation problems
1006 if(bnD == NULL)
1007 FAIL(FATAL_ERROR_ALLOCATION);
1008 // Convert values
1009 if( BN_bin2bn(n->buffer, n->size, bnN) == NULL
1010 || BN_bin2bn(kIn->t.buffer, kIn->t.size, bnK) == NULL
1011 || BN_bin2bn(dIn->t.buffer, dIn->t.size, bnD) == NULL
1012 || BN_bin2bn(tOut->t.buffer, tOut->t.size, bnT) == NULL)
1013 FAIL(FATAL_ERROR_INTERNAL);
1014 // Compute T = T mod n
1015 OK = OK && BN_mod(bnT, bnT, bnN, context);
1016 // compute (s = k + T * d mod n)
1017 // d = T * d mod n
1018 OK = OK && BN_mod_mul(bnD, bnT, bnD, bnN, context) == 1;
1019 // d = k + T * d mod n
1020 OK = OK && BN_mod_add(bnD, bnK, bnD, bnN, context) == 1;
1021 // s = d
1022 OK = OK && BnTo2B(&sOut->b, bnD, n->size);
1023 // r = T
1024 OK = OK && BnTo2B(&tOut->b, bnT, n->size);
1025 if(!OK)
1026 FAIL(FATAL_ERROR_INTERNAL);
1027 // Cleanup
1028 BN_CTX_end(context);
1029 BN_CTX_free(context);
1030 return CRYPT_SUCCESS;
1031}
1032#endif //%
1033#ifdef TPM_ALG_ECSCHNORR //%
1034//
1035//
Vadim Bendebury0343d5b2015-10-08 17:31:34 -0700[diff] [blame]1036// Mod2B()
1037//
1038// Function does modular reduction of TPM2B values.
1039//
1040static CRYPT_RESULT
1041Mod2B(
1042 TPM2B *x, // IN/OUT: value to reduce
1043 const TPM2B *n // IN: mod
1044 )
1045{
1046 int compare;
1047 compare = _math__uComp(x->size, x->buffer, n->size, n->buffer);
1048 if(compare < 0)
1049 // if x < n, then mod is x
1050 return CRYPT_SUCCESS;
1051 if(compare == 0)
1052 {
1053 // if x == n then mod is 0
1054 x->size = 0;
1055 x->buffer[0] = 0;
1056 return CRYPT_SUCCESS;
1057 }
1058 return _math__Div(x, n, NULL, x);
1059}
1060
1061//
1062//
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1063// SchnorrEcc()
1064//
1065// This function is used to perform a modified Schnorr signature.
1066// This function will generate a random value k and compute
1067// a) (xR, yR) = [k]G
1068// b) r = hash(P || xR)(mod n)
1069// c) s= k + r * ds
1070// d) return the tuple T, s
1071//
1072//
1073//
1074//
1075// Return Value Meaning
1076//
1077// CRYPT_SUCCESS signature created
1078// CRYPT_SCHEME hashAlg can't produce zero-length digest
1079//
1080static CRYPT_RESULT
1081SchnorrEcc(
1082 TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature
1083 TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature
1084 TPM_ALG_ID hashAlg, // IN: hash algorithm used
1085 TPM_ECC_CURVE curveId, // IN: the curve used in signing
1086 TPM2B_ECC_PARAMETER *dIn, // IN: the private key
1087 TPM2B *digest, // IN: the digest to sign
1088 TPM2B_ECC_PARAMETER *kIn // IN: for testing
1089 )
1090{
1091 TPM2B_ECC_PARAMETER k;
1092 BIGNUM *bnR, *bnN, *bnK, *bnT, *bnD;
1093 BN_CTX *context;
1094 const TPM2B *n;
1095 EC_POINT *pR = NULL;
1096 EC_GROUP *group = NULL;
1097 CPRI_HASH_STATE hashState;
1098 UINT16 digestSize = _cpri__GetDigestSize(hashAlg);
1099 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1100 TPM2B_TYPE(T, MAX(MAX_DIGEST_SIZE, MAX_ECC_PARAMETER_BYTES));
1101 TPM2B_T T2b;
1102 BOOL OK = TRUE;
1103 // Parameter checks
1104 // Must have a place for the 'r' and 's' parts of the signature, a private
1105 // key ('d')
1106 pAssert( rOut != NULL && sOut != NULL && dIn != NULL
1107 && digest != NULL && curveData != NULL);
1108 // to save key strokes
1109 n = curveData->n;
1110 // If the digest does not produce a hash, then null the signature and return
1111 // a failure.
1112 if(digestSize == 0)
1113 {
1114 rOut->t.size = 0;
1115 sOut->t.size = 0;
1116 return CRYPT_SCHEME;
1117 }
1118 // Allocate big number values
1119 context = BN_CTX_new();
1120 if(context == NULL)
1121 FAIL(FATAL_ERROR_ALLOCATION);
1122 BN_CTX_start(context);
1123 bnR = BN_CTX_get(context);
1124 bnN = BN_CTX_get(context);
1125 bnK = BN_CTX_get(context);
1126 bnT = BN_CTX_get(context);
1127 bnD = BN_CTX_get(context);
1128 if( bnD == NULL
1129 // initialize the group parameters
1130 || (group = EccCurveInit(curveId, context)) == NULL
1131 // allocate a local point
1132 || (pR = EC_POINT_new(group)) == NULL
1133 )
1134 FAIL(FATAL_ERROR_ALLOCATION);
1135 if(BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL)
1136 FAIL(FATAL_ERROR_INTERNAL);
1137 while(OK)
1138 {
1139// a) set k to a random value such that 1 k n-1
1140 if(kIn != NULL)
1141 {
1142 Copy2B(&k.b, &kIn->b); // copy input k if testing
1143 OK = FALSE; // not OK to loop
1144 }
1145 else
1146 // If get a random value in the correct range
1147 GetRandomPrivate(&k, n);
1148 // Convert 'k' and generate pR = ['k']G
1149 BnFrom2B(bnK, &k.b);
1150// b) compute E (xE, yE) [k]G
1151 if(PointMul(group, pR, bnK, NULL, NULL, context) == CRYPT_NO_RESULT)
1152// c) if E is the point at infinity, go to a)
1153 continue;
1154// d) compute e xE (mod n)
1155 // Get the x coordinate of the point
1156 EC_POINT_get_affine_coordinates_GFp(group, pR, bnR, NULL, context);
1157 // make (mod n)
1158 BN_mod(bnR, bnR, bnN, context);
1159// e) if e is zero, go to a)
1160 if(BN_is_zero(bnR))
1161 continue;
1162 // Convert xR to a string (use T as a temp)
1163 BnTo2B(&T2b.b, bnR, (UINT16)(BN_num_bits(bnR)+7)/8);
1164// f) compute r HschemeHash(P || e) (mod n)
1165 _cpri__StartHash(hashAlg, FALSE, &hashState);
1166 _cpri__UpdateHash(&hashState, digest->size, digest->buffer);
1167 _cpri__UpdateHash(&hashState, T2b.t.size, T2b.t.buffer);
1168 if(_cpri__CompleteHash(&hashState, digestSize, T2b.b.buffer) != digestSize)
1169 FAIL(FATAL_ERROR_INTERNAL);
1170 T2b.t.size = digestSize;
1171 BnFrom2B(bnT, &T2b.b);
1172 BN_div(NULL, bnT, bnT, bnN, context);
1173 BnTo2B(&rOut->b, bnT, (UINT16)BN_num_bytes(bnT));
1174 // We have a value and we are going to exit the loop successfully
1175 OK = TRUE;
1176 break;
1177 }
1178 // Cleanup
1179 EC_POINT_free(pR);
1180 EC_GROUP_free(group);
1181 BN_CTX_end(context);
1182 BN_CTX_free(context);
1183 // If we have a value, finish the signature
1184 if(OK)
1185 return EcDaa(rOut, sOut, curveId, dIn, NULL, &k);
1186 else
1187 return CRYPT_NO_RESULT;
1188}
1189#endif //%
1190#ifdef TPM_ALG_SM2 //%
1191#ifdef _SM2_SIGN_DEBUG //%
1192static int
1193cmp_bn2hex(
1194 BIGNUM *bn, // IN: big number value
1195 const char *c // IN: character string number
1196 )
1197{
1198 int result;
1199 BIGNUM *bnC = BN_new();
1200 pAssert(bnC != NULL);
1201 BN_hex2bn(&bnC, c);
1202 result = BN_ucmp(bn, bnC);
1203 BN_free(bnC);
1204 return result;
1205}
1206static int
1207cmp_2B2hex(
1208 TPM2B *a, // IN: TPM2B number to compare
1209 const char *c // IN: character string
1210 )
1211{
1212 int result;
1213 int sl = strlen(c);
1214 BIGNUM *bnA;
1215 result = (a->size * 2) - sl;
1216 if(result != 0)
1217 return result;
1218 pAssert((bnA = BN_bin2bn(a->buffer, a->size, NULL)) != NULL);
1219 result = cmp_bn2hex(bnA, c);
1220 BN_free(bnA);
1221 return result;
1222}
1223static void
1224cpy_hexTo2B(
1225 TPM2B *b, // OUT: receives value
1226 const char *c // IN: source string
1227 )
1228{
1229 BIGNUM *bnB = BN_new();
1230 pAssert((strlen(c) & 1) == 0); // must have an even number of digits
1231 b->size = strlen(c) / 2;
1232 BN_hex2bn(&bnB, c);
1233 pAssert(bnB != NULL);
1234 BnTo2B(b, bnB, b->size);
1235 BN_free(bnB);
1236}
1237#endif //% _SM2_SIGN_DEBUG
1238//
1239//
1240// SignSM2()
1241//
1242// This function signs a digest using the method defined in SM2 Part 2. The method in the standard will add
1243// a header to the message to be signed that is a hash of the values that define the key. This then hashed
1244// with the message to produce a digest (e) that is signed. This function signs e.
1245//
1246//
1247//
1248//
1249// Return Value Meaning
1250//
1251// CRYPT_SUCCESS sign worked
1252//
1253static CRYPT_RESULT
1254SignSM2(
1255 TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature
1256 TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature
1257 TPM_ECC_CURVE curveId, // IN: the curve used in signing
1258 TPM2B_ECC_PARAMETER *dIn, // IN: the private key
1259 TPM2B *digest // IN: the digest to sign
1260 )
1261{
1262 BIGNUM *bnR;
1263 BIGNUM *bnS;
1264 BIGNUM *bnN;
1265 BIGNUM *bnK;
1266 BIGNUM *bnX1;
1267 BIGNUM *bnD;
1268 BIGNUM *bnT; // temp
1269 BIGNUM *bnE;
1270 BN_CTX *context;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1271 TPM2B_ECC_PARAMETER k;
1272 TPMS_ECC_POINT p2Br;
1273 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1274 pAssert(curveData != NULL);
1275 context = BN_CTX_new();
1276 BN_CTX_start(context);
1277 bnK = BN_CTX_get(context);
1278 bnR = BN_CTX_get(context);
1279 bnS = BN_CTX_get(context);
1280 bnX1 = BN_CTX_get(context);
1281 bnN = BN_CTX_get(context);
1282 bnD = BN_CTX_get(context);
1283 bnT = BN_CTX_get(context);
1284 bnE = BN_CTX_get(context);
1285 if(bnE == NULL)
1286 FAIL(FATAL_ERROR_ALLOCATION);
1287 BnFrom2B(bnE, digest);
1288 BnFrom2B(bnN, curveData->n);
1289 BnFrom2B(bnD, &dIn->b);
1290#ifdef _SM2_SIGN_DEBUG
1291BN_hex2bn(&bnE, "B524F552CD82B8B028476E005C377FB19A87E6FC682D48BB5D42E3D9B9EFFE76");
1292BN_hex2bn(&bnD, "128B2FA8BD433C6C068C8D803DFF79792A519A55171B1B650C23661D15897263");
1293#endif
1294// A3: Use random number generator to generate random number 1 <= k <= n-1;
1295// NOTE: Ax: numbers are from the SM2 standard
1296 k.t.size = curveData->n->size;
1297loop:
1298 {
1299 // Get a random number
1300 _cpri__GenerateRandom(k.t.size, k.t.buffer);
1301#ifdef _SM2_SIGN_DEBUG
1302BN_hex2bn(&bnK, "6CB28D99385C175C94F94E934817663FC176D925DD72B727260DBAAE1FB2F96F");
1303BnTo2B(&k.b,bnK, 32);
1304k.t.size = 32;
1305#endif
1306 //make sure that the number is 0 < k < n
1307 BnFrom2B(bnK, &k.b);
1308 if( BN_ucmp(bnK, bnN) >= 0
1309 || BN_is_zero(bnK))
1310 goto loop;
1311// A4: Figure out the point of elliptic curve (x1, y1)=[k]G, and according
1312// to details specified in 4.2.7 in Part 1 of this document, transform the
1313// data type of x1 into an integer;
1314 if( _cpri__EccPointMultiply(&p2Br, curveId, &k, NULL, NULL)
1315 == CRYPT_NO_RESULT)
1316 goto loop;
1317 BnFrom2B(bnX1, &p2Br.x.b);
1318// A5: Figure out r = (e + x1) mod n,
1319 if(!BN_mod_add(bnR, bnE, bnX1, bnN, context))
1320 FAIL(FATAL_ERROR_INTERNAL);
1321#ifdef _SM2_SIGN_DEBUG
1322pAssert(cmp_bn2hex(bnR,
1323 "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1")
1324 == 0);
1325#endif
1326 // if r=0 or r+k=n, return to A3;
1327 if(!BN_add(bnT, bnK, bnR))
1328 FAIL(FATAL_ERROR_INTERNAL);
1329 if(BN_is_zero(bnR) || BN_ucmp(bnT, bnN) == 0)
1330 goto loop;
1331// A6: Figure out s = ((1 + dA)^-1 (k - r dA)) mod n, if s=0, return to A3;
1332 // compute t = (1+d)-1
1333 BN_copy(bnT, bnD);
1334 if( !BN_add_word(bnT, 1)
1335 || !BN_mod_inverse(bnT, bnT, bnN, context) // (1 + dA)^-1 mod n
1336 )
1337 FAIL(FATAL_ERROR_INTERNAL);
1338#ifdef _SM2_SIGN_DEBUG
1339pAssert(cmp_bn2hex(bnT,
1340 "79BFCF3052C80DA7B939E0C6914A18CBB2D96D8555256E83122743A7D4F5F956")
1341 == 0);
1342#endif
1343 // compute s = t * (k - r * dA) mod n
1344 if( !BN_mod_mul(bnS, bnD, bnR, bnN, context) // (r * dA) mod n
1345 || !BN_mod_sub(bnS, bnK, bnS, bnN, context) // (k - (r * dA) mod n
1346 || !BN_mod_mul(bnS, bnT, bnS, bnN, context))// t * (k - (r * dA) mod n
1347 FAIL(FATAL_ERROR_INTERNAL);
1348#ifdef _SM2_SIGN_DEBUG
1349pAssert(cmp_bn2hex(bnS,
1350 "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7")
1351 == 0);
1352#endif
1353 if(BN_is_zero(bnS))
1354 goto loop;
1355 }
1356// A7: According to details specified in 4.2.1 in Part 1 of this document, transform
1357// the data type of r, s into bit strings, signature of message M is (r, s).
1358 BnTo2B(&rOut->b, bnR, curveData->n->size);
1359 BnTo2B(&sOut->b, bnS, curveData->n->size);
1360#ifdef _SM2_SIGN_DEBUG
1361pAssert(cmp_2B2hex(&rOut->b,
1362 "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1")
1363 == 0);
1364pAssert(cmp_2B2hex(&sOut->b,
1365 "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7")
1366 == 0);
1367#endif
1368 BN_CTX_end(context);
1369 BN_CTX_free(context);
1370 return CRYPT_SUCCESS;
1371}
1372#endif //% TPM_ALG_SM2
1373//
1374//
1375// _cpri__SignEcc()
1376//
1377// This function is the dispatch function for the various ECC-based signing schemes.
1378//
1379// Return Value Meaning
1380//
1381// CRYPT_SCHEME scheme is not supported
1382//
1383LIB_EXPORT CRYPT_RESULT
1384_cpri__SignEcc(
1385 TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature
1386 TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature
1387 TPM_ALG_ID scheme, // IN: the scheme selector
1388 TPM_ALG_ID hashAlg, // IN: the hash algorithm if need
1389 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
1390 // process
1391 TPM2B_ECC_PARAMETER *dIn, // IN: the private key
1392 TPM2B *digest, // IN: the digest to sign
1393 TPM2B_ECC_PARAMETER *kIn // IN: k for input
1394 )
1395{
1396 switch (scheme)
1397 {
1398 case TPM_ALG_ECDSA:
1399 // SignEcdsa always works
1400 return SignEcdsa(rOut, sOut, curveId, dIn, digest);
1401 break;
1402#ifdef TPM_ALG_ECDAA
1403 case TPM_ALG_ECDAA:
1404 if(rOut != NULL)
1405 rOut->b.size = 0;
1406 return EcDaa(rOut, sOut, curveId, dIn, digest, kIn);
1407 break;
1408#endif
1409#ifdef TPM_ALG_ECSCHNORR
1410 case TPM_ALG_ECSCHNORR:
1411 return SchnorrEcc(rOut, sOut, hashAlg, curveId, dIn, digest, kIn);
1412 break;
1413#endif
1414#ifdef TPM_ALG_SM2
1415 case TPM_ALG_SM2:
1416 return SignSM2(rOut, sOut, curveId, dIn, digest);
1417 break;
1418#endif
1419 default:
1420 return CRYPT_SCHEME;
1421 }
1422}
1423#ifdef TPM_ALG_ECDSA //%
1424//
1425//
1426// ValidateSignatureEcdsa()
1427//
1428// This function validates an ECDSA signature. rIn and sIn shoudl have been checked to make sure that
1429// they are not zero.
1430//
1431// Return Value Meaning
1432//
1433// CRYPT_SUCCESS signature valid
1434// CRYPT_FAIL signature not valid
1435//
1436static CRYPT_RESULT
1437ValidateSignatureEcdsa(
1438 TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature
1439 TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature
1440 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
1441 // process
1442 TPMS_ECC_POINT *Qin, // IN: the public point of the key
1443 TPM2B *digest // IN: the digest that was signed
1444 )
1445{
1446 TPM2B_ECC_PARAMETER U1;
1447 TPM2B_ECC_PARAMETER U2;
1448 TPMS_ECC_POINT R;
1449 const TPM2B *n;
1450 BN_CTX *context;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1451 EC_GROUP *group = NULL;
1452 BIGNUM *bnU1;
1453 BIGNUM *bnU2;
1454 BIGNUM *bnR;
1455 BIGNUM *bnS;
1456 BIGNUM *bnW;
1457 BIGNUM *bnV;
1458 BIGNUM *bnN;
1459 BIGNUM *bnE;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1460 CRYPT_RESULT retVal = CRYPT_FAIL;
1461 int t;
1462 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1463 // The curve selector should have been filtered by the unmarshaling process
1464 pAssert (curveData != NULL);
1465 n = curveData->n;
1466// 1. If r and s are not both integers in the interval [1, n - 1], output
1467// INVALID.
1468// rIn and sIn are known to be greater than zero (was checked by the caller).
1469 if( _math__uComp(rIn->t.size, rIn->t.buffer, n->size, n->buffer) >= 0
1470 || _math__uComp(sIn->t.size, sIn->t.buffer, n->size, n->buffer) >= 0
1471 )
1472 return CRYPT_FAIL;
1473 context = BN_CTX_new();
1474 if(context == NULL)
1475 FAIL(FATAL_ERROR_ALLOCATION);
1476 BN_CTX_start(context);
1477 bnR = BN_CTX_get(context);
1478 bnS = BN_CTX_get(context);
1479 bnN = BN_CTX_get(context);
1480 bnE = BN_CTX_get(context);
1481 bnV = BN_CTX_get(context);
1482 bnW = BN_CTX_get(context);
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1483 bnU1 = BN_CTX_get(context);
1484 bnU2 = BN_CTX_get(context);
1485 // Assume the size variables do not overflow, which should not happen in
1486 // the contexts that this function will be called.
1487 assert2Bsize(Qin->x.t);
1488 assert2Bsize(rIn->t);
1489 assert2Bsize(sIn->t);
1490 // BN_CTX_get() is sticky so only need to check the last value to know that
1491 // all worked.
1492 if( bnU2 == NULL
1493 // initialize the group parameters
1494 || (group = EccCurveInit(curveId, context)) == NULL
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1495 // convert the signature values
1496 || BN_bin2bn(rIn->t.buffer, rIn->t.size, bnR) == NULL
1497 || BN_bin2bn(sIn->t.buffer, sIn->t.size, bnS) == NULL
1498 // convert the curve order
1499 || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL)
1500 FAIL(FATAL_ERROR_INTERNAL);
1501// 2. Use the selected hash function to compute H0 = Hash(M0).
1502 // This is an input parameter
1503// 3. Convert the bit string H0 to an integer e as described in Appendix B.2.
1504 t = (digest->size > rIn->t.size) ? rIn->t.size : digest->size;
1505 if(BN_bin2bn(digest->buffer, t, bnE) == NULL)
1506 FAIL(FATAL_ERROR_INTERNAL);
1507// 4. Compute w = (s')^-1 mod n, using the routine in Appendix B.1.
1508 if (BN_mod_inverse(bnW, bnS, bnN, context) == NULL)
1509 FAIL(FATAL_ERROR_INTERNAL);
1510// 5. Compute u1 = (e' * w) mod n, and compute u2 = (r' * w) mod n.
1511 if( !BN_mod_mul(bnU1, bnE, bnW, bnN, context)
1512 || !BN_mod_mul(bnU2, bnR, bnW, bnN, context))
1513 FAIL(FATAL_ERROR_INTERNAL);
1514 BnTo2B(&U1.b, bnU1, (INT16) BN_num_bytes(bnU1));
1515 BnTo2B(&U2.b, bnU2, (INT16) BN_num_bytes(bnU2));
1516// 6. Compute the elliptic curve point R = (xR, yR) = u1G+u2Q, using EC
1517// scalar multiplication and EC addition (see [Routines]). If R is equal to
1518// the point at infinity O, output INVALID.
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]1519 if((retVal = _cpri__EccPointMultiply(&R, curveId, &U1, Qin, &U2)) == CRYPT_SUCCESS)
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1520 {
1521 // 7. Compute v = Rx mod n.
1522 if( BN_bin2bn(R.x.t.buffer, R.x.t.size, bnV) == NULL
1523 || !BN_mod(bnV, bnV, bnN, context))
1524 FAIL(FATAL_ERROR_INTERNAL);
1525 // 8. Compare v and r0. If v = r0, output VALID; otherwise, output INVALID
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]1526 if(BN_cmp(bnV, bnR))
1527 retVal = CRYPT_FAIL;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1528 }
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1529 if(group != NULL) EC_GROUP_free(group);
1530 BN_CTX_end(context);
1531 BN_CTX_free(context);
1532 return retVal;
1533}
1534#endif //% TPM_ALG_ECDSA
1535#ifdef TPM_ALG_ECSCHNORR //%
1536//
1537//
1538// ValidateSignatureEcSchnorr()
1539//
1540// This function is used to validate an EC Schnorr signature. rIn and sIn are required to be greater than
1541// zero. This is checked in _cpri__ValidateSignatureEcc().
1542//
1543// Return Value Meaning
1544//
1545// CRYPT_SUCCESS signature valid
1546// CRYPT_FAIL signature not valid
1547// CRYPT_SCHEME hashAlg is not supported
1548//
1549static CRYPT_RESULT
1550ValidateSignatureEcSchnorr(
1551 TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature
1552 TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature
1553 TPM_ALG_ID hashAlg, // IN: hash algorithm of the signature
1554 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
1555 // process
1556 TPMS_ECC_POINT *Qin, // IN: the public point of the key
1557 TPM2B *digest // IN: the digest that was signed
1558 )
1559{
1560 TPMS_ECC_POINT pE;
1561 const TPM2B *n;
1562 CPRI_HASH_STATE hashState;
1563 TPM2B_DIGEST rPrime;
1564 TPM2B_ECC_PARAMETER minusR;
1565 UINT16 digestSize = _cpri__GetDigestSize(hashAlg);
1566 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1567 // The curve parameter should have been filtered by unmarshaling code
1568 pAssert(curveData != NULL);
1569 if(digestSize == 0)
1570 return CRYPT_SCHEME;
1571 // Input parameter validation
1572 pAssert(rIn != NULL && sIn != NULL && Qin != NULL && digest != NULL);
1573 n = curveData->n;
1574 // if sIn or rIn are not between 1 and N-1, signature check fails
1575 // sIn and rIn were verified to be non-zero by the caller
1576 if( _math__uComp(sIn->b.size, sIn->b.buffer, n->size, n->buffer) >= 0
1577 || _math__uComp(rIn->b.size, rIn->b.buffer, n->size, n->buffer) >= 0
1578 )
1579 return CRYPT_FAIL;
1580 //E = [s]InG - [r]InQ
1581 _math__sub(n->size, n->buffer,
1582 rIn->t.size, rIn->t.buffer,
1583 &minusR.t.size, minusR.t.buffer);
1584 if(_cpri__EccPointMultiply(&pE, curveId, sIn, Qin, &minusR) != CRYPT_SUCCESS)
1585 return CRYPT_FAIL;
1586 // Ex = Ex mod N
1587 if(Mod2B(&pE.x.b, n) != CRYPT_SUCCESS)
1588 FAIL(FATAL_ERROR_INTERNAL);
1589 _math__Normalize2B(&pE.x.b);
1590 // rPrime = h(digest || pE.x) mod n;
1591 _cpri__StartHash(hashAlg, FALSE, &hashState);
1592 _cpri__UpdateHash(&hashState, digest->size, digest->buffer);
1593 _cpri__UpdateHash(&hashState, pE.x.t.size, pE.x.t.buffer);
1594 if(_cpri__CompleteHash(&hashState, digestSize, rPrime.t.buffer) != digestSize)
1595 FAIL(FATAL_ERROR_INTERNAL);
1596 rPrime.t.size = digestSize;
1597 // rPrime = rPrime (mod n)
1598 if(Mod2B(&rPrime.b, n) != CRYPT_SUCCESS)
1599 FAIL(FATAL_ERROR_INTERNAL);
1600 // if the values don't match, then the signature is bad
1601 if(_math__uComp(rIn->t.size, rIn->t.buffer,
1602 rPrime.t.size, rPrime.t.buffer) != 0)
1603 return CRYPT_FAIL;
1604 else
1605 return CRYPT_SUCCESS;
1606}
1607#endif //% TPM_ALG_ECSCHNORR
1608#ifdef TPM_ALG_SM2 //%
1609//
1610//
1611// ValidateSignatueSM2Dsa()
1612//
1613// This function is used to validate an SM2 signature.
1614//
1615// Return Value Meaning
1616//
1617// CRYPT_SUCCESS signature valid
1618// CRYPT_FAIL signature not valid
1619//
1620static CRYPT_RESULT
1621ValidateSignatureSM2Dsa(
1622 TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature
1623 TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature
1624 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
1625 // process
1626 TPMS_ECC_POINT *Qin, // IN: the public point of the key
1627 TPM2B *digest // IN: the digest that was signed
1628 )
1629{
1630 BIGNUM *bnR;
1631 BIGNUM *bnRp;
1632 BIGNUM *bnT;
1633 BIGNUM *bnS;
1634 BIGNUM *bnE;
Jocelyn Bohrddcb1ce2015-08-14 15:32:09 -0700[diff] [blame]1635 BIGNUM *order;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1636 EC_POINT *pQ;
1637 BN_CTX *context;
1638 EC_GROUP *group = NULL;
1639 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1640 BOOL fail = FALSE;
1641//
1642 if((context = BN_CTX_new()) == NULL || curveData == NULL)
1643 FAIL(FATAL_ERROR_INTERNAL);
1644 bnR = BN_CTX_get(context);
1645 bnRp= BN_CTX_get(context);
1646 bnE = BN_CTX_get(context);
1647 bnT = BN_CTX_get(context);
1648 bnS = BN_CTX_get(context);
Jocelyn Bohrddcb1ce2015-08-14 15:32:09 -0700[diff] [blame]1649 order = BN_CTX_get(context);
1650 if( order == NULL
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1651 || (group = EccCurveInit(curveId, context)) == NULL)
1652 FAIL(FATAL_ERROR_INTERNAL);
1653#ifdef _SM2_SIGN_DEBUG
1654 cpy_hexTo2B(&Qin->x.b,
1655 "0AE4C7798AA0F119471BEE11825BE46202BB79E2A5844495E97C04FF4DF2548A");
1656 cpy_hexTo2B(&Qin->y.b,
1657 "7C0240F88F1CD4E16352A73C17B7F16F07353E53A176D684A9FE0C6BB798E857");
1658 cpy_hexTo2B(digest,
1659 "B524F552CD82B8B028476E005C377FB19A87E6FC682D48BB5D42E3D9B9EFFE76");
1660#endif
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]1661 if (!(pQ = EccInitPoint2B(group, Qin, context)))
1662 goto Cleanup;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1663#ifdef _SM2_SIGN_DEBUG
1664 pAssert(EC_POINT_get_affine_coordinates_GFp(group, pQ, bnT, bnS, context));
1665 pAssert(cmp_bn2hex(bnT,
1666 "0AE4C7798AA0F119471BEE11825BE46202BB79E2A5844495E97C04FF4DF2548A")
1667 == 0);
1668 pAssert(cmp_bn2hex(bnS,
1669 "7C0240F88F1CD4E16352A73C17B7F16F07353E53A176D684A9FE0C6BB798E857")
1670 == 0);
1671#endif
1672 BnFrom2B(bnR, &rIn->b);
1673 BnFrom2B(bnS, &sIn->b);
1674 BnFrom2B(bnE, digest);
1675#ifdef _SM2_SIGN_DEBUG
1676// Make sure that the input signature is the test signature
1677pAssert(cmp_2B2hex(&rIn->b,
1678 "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1") == 0);
1679pAssert(cmp_2B2hex(&sIn->b,
1680 "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7") == 0);
1681#endif
1682// a) verify that r and s are in the inclusive interval 1 to (n 1)
Jocelyn Bohrddcb1ce2015-08-14 15:32:09 -0700[diff] [blame]1683 if (!EC_GROUP_get_order(group, order, context)) goto Cleanup;
1684 fail = (BN_ucmp(bnR, order) >= 0);
1685 fail = (BN_ucmp(bnS, order) >= 0) || fail;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1686 if(fail)
1687 // There is no reason to continue. Since r and s are inputs from the caller,
1688 // they can know that the values are not in the proper range. So, exiting here
1689 // does not disclose any information.
1690 goto Cleanup;
1691// b) compute t := (r + s) mod n
Jocelyn Bohrddcb1ce2015-08-14 15:32:09 -0700[diff] [blame]1692 if(!BN_mod_add(bnT, bnR, bnS, order, context))
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1693 FAIL(FATAL_ERROR_INTERNAL);
1694#ifdef _SM2_SIGN_DEBUG
1695 pAssert(cmp_bn2hex(bnT,
1696 "2B75F07ED7ECE7CCC1C8986B991F441AD324D6D619FE06DD63ED32E0C997C801")
1697 == 0);
1698#endif
1699// c) verify that t > 0
1700 if(BN_is_zero(bnT)) {
1701 fail = TRUE;
1702 // set to a value that should allow rest of the computations to run without
1703 // trouble
1704 BN_copy(bnT, bnS);
1705 }
1706// d) compute (x, y) := [s]G + [t]Q
1707 if(!EC_POINT_mul(group, pQ, bnS, pQ, bnT, context))
1708 FAIL(FATAL_ERROR_INTERNAL);
1709 // Get the x coordinate of the point
1710 if(!EC_POINT_get_affine_coordinates_GFp(group, pQ, bnT, NULL, context))
1711 FAIL(FATAL_ERROR_INTERNAL);
1712#ifdef _SM2_SIGN_DEBUG
1713 pAssert(cmp_bn2hex(bnT,
1714 "110FCDA57615705D5E7B9324AC4B856D23E6D9188B2AE47759514657CE25D112")
1715 == 0);
1716#endif
1717// e) compute r' := (e + x) mod n (the x coordinate is in bnT)
Jocelyn Bohrddcb1ce2015-08-14 15:32:09 -0700[diff] [blame]1718 if(!BN_mod_add(bnRp, bnE, bnT, order, context))
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1719 FAIL(FATAL_ERROR_INTERNAL);
1720// f) verify that r' = r
1721 fail = BN_ucmp(bnR, bnRp) != 0 || fail;
1722Cleanup:
1723 if(pQ) EC_POINT_free(pQ);
1724 if(group) EC_GROUP_free(group);
1725 BN_CTX_end(context);
1726 BN_CTX_free(context);
1727 if(fail)
1728 return CRYPT_FAIL;
1729 else
1730 return CRYPT_SUCCESS;
1731}
1732#endif //% TPM_ALG_SM2
1733//
1734//
1735// _cpri__ValidateSignatureEcc()
1736//
1737// This function validates
1738//
1739// Return Value Meaning
1740//
1741// CRYPT_SUCCESS signature is valid
1742// CRYPT_FAIL not a valid signature
1743// CRYPT_SCHEME unsupported scheme
1744//
1745LIB_EXPORT CRYPT_RESULT
1746_cpri__ValidateSignatureEcc(
1747 TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature
1748 TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature
1749 TPM_ALG_ID scheme, // IN: the scheme selector
1750 TPM_ALG_ID hashAlg, // IN: the hash algorithm used (not used
1751 // in all schemes)
1752 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
1753 // process
1754 TPMS_ECC_POINT *Qin, // IN: the public point of the key
1755 TPM2B *digest // IN: the digest that was signed
1756 )
1757{
1758 CRYPT_RESULT retVal;
1759 // return failure if either part of the signature is zero
1760 if(_math__Normalize2B(&rIn->b) == 0 || _math__Normalize2B(&sIn->b) == 0)
1761 return CRYPT_FAIL;
1762 switch (scheme)
1763 {
1764 case TPM_ALG_ECDSA:
1765 retVal = ValidateSignatureEcdsa(rIn, sIn, curveId, Qin, digest);
1766 break;
1767#ifdef TPM_ALG_ECSCHNORR
1768 case TPM_ALG_ECSCHNORR:
1769 retVal = ValidateSignatureEcSchnorr(rIn, sIn, hashAlg, curveId, Qin,
1770 digest);
1771 break;
1772#endif
1773#ifdef TPM_ALG_SM2
1774 case TPM_ALG_SM2:
1775 retVal = ValidateSignatureSM2Dsa(rIn, sIn, curveId, Qin, digest);
1776#endif
1777 default:
1778 retVal = CRYPT_SCHEME;
1779 break;
1780 }
1781 return retVal;
1782}
1783#if CC_ZGen_2Phase == YES //%
1784#ifdef TPM_ALG_ECMQV
1785//
1786//
1787// avf1()
1788//
1789// This function does the associated value computation required by MQV key exchange. Process:
1790// a) Convert xQ to an integer xqi using the convention specified in Appendix C.3.
1791// b) Calculate xqm = xqi mod 2^ceil(f/2) (where f = ceil(log2(n)).
1792// c) Calculate the associate value function avf(Q) = xqm + 2ceil(f / 2)
1793//
1794static BOOL
1795avf1(
1796 BIGNUM *bnX, // IN/OUT: the reduced value
1797 BIGNUM *bnN // IN: the order of the curve
1798 )
1799{
1800// compute f = 2^(ceil(ceil(log2(n)) / 2))
1801 int f = (BN_num_bits(bnN) + 1) / 2;
1802// x' = 2^f + (x mod 2^f)
1803 BN_mask_bits(bnX, f); // This is mod 2*2^f but it doesn't matter because
1804 // the next operation will SET the extra bit anyway
1805 BN_set_bit(bnX, f);
1806 return TRUE;
1807}
1808//
1809//
1810// C_2_2_MQV()
1811//
1812// This function performs the key exchange defined in SP800-56A 6.1.1.4 Full MQV, C(2, 2, ECC MQV).
1813// CAUTION: Implementation of this function may require use of essential claims in patents not owned by
1814// TCG members.
1815// Points QsB() and QeB() are required to be on the curve of inQsA. The function will fail, possibly
1816// catastrophically, if this is not the case.
1817//
1818//
1819//
1820// Return Value Meaning
1821//
1822// CRYPT_SUCCESS results is valid
1823// CRYPT_NO_RESULT the value for dsA does not give a valid point on the curve
1824//
1825static CRYPT_RESULT
1826C_2_2_MQV(
1827 TPMS_ECC_POINT *outZ, // OUT: the computed point
1828 TPM_ECC_CURVE curveId, // IN: the curve for the computations
1829 TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key
1830 TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key
1831 TPMS_ECC_POINT *QsB, // IN: static public party B key
1832 TPMS_ECC_POINT *QeB // IN: ephemeral public party B key
1833 )
1834{
1835 BN_CTX *context;
1836 EC_POINT *pQeA = NULL;
1837 EC_POINT *pQeB = NULL;
1838 EC_POINT *pQsB = NULL;
1839 EC_GROUP *group = NULL;
1840 BIGNUM *bnTa;
1841 BIGNUM *bnDeA;
1842 BIGNUM *bnDsA;
1843 BIGNUM *bnXeA; // x coordinate of ephemeral party A key
1844 BIGNUM *bnH;
1845 BIGNUM *bnN;
1846 BIGNUM *bnXeB;
1847 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]1848 CRYPT_RESULT retVal = CRYPT_POINT;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1849 pAssert( curveData != NULL && outZ != NULL && dsA != NULL
1850 && deA != NULL && QsB != NULL && QeB != NULL);
1851 context = BN_CTX_new();
1852 if(context == NULL || curveData == NULL)
1853 FAIL(FATAL_ERROR_ALLOCATION);
1854 BN_CTX_start(context);
1855 bnTa = BN_CTX_get(context);
1856 bnDeA = BN_CTX_get(context);
1857 bnDsA = BN_CTX_get(context);
1858 bnXeA = BN_CTX_get(context);
1859 bnH = BN_CTX_get(context);
1860 bnN = BN_CTX_get(context);
1861 bnXeB = BN_CTX_get(context);
1862 if(bnXeB == NULL)
1863 FAIL(FATAL_ERROR_ALLOCATION);
1864// Process:
1865// 1. implicitsigA = (de,A + avf(Qe,A)ds,A ) mod n.
1866// 2. P = h(implicitsigA)(Qe,B + avf(Qe,B)Qs,B).
1867// 3. If P = O, output an error indicator.
1868// 4. Z=xP, where xP is the x-coordinate of P.
1869 // Initialize group parameters and local values of input
1870 if((group = EccCurveInit(curveId, context)) == NULL)
1871 FAIL(FATAL_ERROR_INTERNAL);
1872 if((pQeA = EC_POINT_new(group)) == NULL)
1873 FAIL(FATAL_ERROR_ALLOCATION);
1874 BnFrom2B(bnDeA, &deA->b);
1875 BnFrom2B(bnDsA, &dsA->b);
1876 BnFrom2B(bnH, curveData->h);
1877 BnFrom2B(bnN, curveData->n);
1878 BnFrom2B(bnXeB, &QeB->x.b);
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]1879 if (!(pQeB = EccInitPoint2B(group, QeB, context)))
1880 {
1881 retVal = CRYPT_POINT;
1882 goto Cleanup;
1883 }
1884 if (!(pQsB = EccInitPoint2B(group, QsB, context)))
1885 {
1886 retVal = CRYPT_POINT;
1887 goto Cleanup;
1888 }
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1889 // Compute the public ephemeral key pQeA = [de,A]G
1890 if( (retVal = PointMul(group, pQeA, bnDeA, NULL, NULL, context))
1891 != CRYPT_SUCCESS)
1892 goto Cleanup;
1893 if(EC_POINT_get_affine_coordinates_GFp(group, pQeA, bnXeA, NULL, context) != 1)
1894 FAIL(FATAL_ERROR_INTERNAL);
1895// 1. implicitsigA = (de,A + avf(Qe,A)ds,A ) mod n.
1896// tA := (ds,A + de,A avf(Xe,A)) mod n (3)
1897// Compute 'tA' = ('deA' + 'dsA' avf('XeA')) mod n
1898 // Ta = avf(XeA);
1899 BN_copy(bnTa, bnXeA);
1900 avf1(bnTa, bnN);
1901 if(// do Ta = ds,A * Ta mod n = dsA * avf(XeA) mod n
1902 !BN_mod_mul(bnTa, bnDsA, bnTa, bnN, context)
1903 // now Ta = deA + Ta mod n = deA + dsA * avf(XeA) mod n
1904 || !BN_mod_add(bnTa, bnDeA, bnTa, bnN, context)
1905 )
1906 FAIL(FATAL_ERROR_INTERNAL);
1907// 2. P = h(implicitsigA)(Qe,B + avf(Qe,B)Qs,B).
1908// Put this in because almost every case of h is == 1 so skip the call when
1909 // not necessary.
1910 if(!BN_is_one(bnH))
1911 {
1912 // Cofactor is not 1 so compute Ta := Ta * h mod n
1913 if(!BN_mul(bnTa, bnTa, bnH, context))
1914 FAIL(FATAL_ERROR_INTERNAL);
1915 }
1916 // Now that 'tA' is (h * 'tA' mod n)
1917 // 'outZ' = (tA)(Qe,B + avf(Qe,B)Qs,B).
1918 // first, compute XeB = avf(XeB)
1919 avf1(bnXeB, bnN);
1920 // QsB := [XeB]QsB
1921 if( !EC_POINT_mul(group, pQsB, NULL, pQsB, bnXeB, context)
1922 // QeB := QsB + QeB
1923 || !EC_POINT_add(group, pQeB, pQeB, pQsB, context)
1924 )
1925 FAIL(FATAL_ERROR_INTERNAL);
1926 // QeB := [tA]QeB = [tA](QsB + [Xe,B]QeB) and check for at infinity
1927 if(PointMul(group, pQeB, NULL, pQeB, bnTa, context) == CRYPT_SUCCESS)
1928 // Convert BIGNUM E to TPM2B E
1929 Point2B(group, outZ, pQeB, (INT16)BN_num_bytes(bnN), context);
1930Cleanup:
1931 if(pQeA != NULL) EC_POINT_free(pQeA);
1932 if(pQeB != NULL) EC_POINT_free(pQeB);
1933 if(pQsB != NULL) EC_POINT_free(pQsB);
1934 if(group != NULL) EC_GROUP_free(group);
1935 BN_CTX_end(context);
1936 BN_CTX_free(context);
1937 return retVal;
1938}
1939#endif // TPM_ALG_ECMQV
1940#ifdef TPM_ALG_SM2 //%
1941//
1942//
1943// avfSm2()
1944//
1945// This function does the associated value computation required by SM2 key exchange. This is different
1946// form the avf() in the international standards because it returns a value that is half the size of the value
1947// returned by the standard avf. For example, if n is 15, Ws (w in the standard) is 2 but the W here is 1. This
1948// means that an input value of 14 (1110b) would return a value of 110b with the standard but 10b with the
1949// scheme in SM2.
1950//
1951static BOOL
1952avfSm2(
1953 BIGNUM *bnX, // IN/OUT: the reduced value
1954 BIGNUM *bnN // IN: the order of the curve
1955 )
1956{
1957// a) set w := ceil(ceil(log2(n)) / 2) - 1
1958 int w = ((BN_num_bits(bnN) + 1) / 2) - 1;
1959// b) set x' := 2^w + ( x & (2^w - 1))
1960// This is just like the avf for MQV where x' = 2^w + (x mod 2^w)
1961 BN_mask_bits(bnX, w); // as wiht avf1, this is too big by a factor of 2 but
1962 // it doesn't matter becasue we SET the extra bit anyway
1963 BN_set_bit(bnX, w);
1964 return TRUE;
1965}
1966//
1967// SM2KeyExchange() This function performs the key exchange defined in SM2. The first step is to compute
1968// tA = (dsA + deA avf(Xe,A)) mod n Then, compute the Z value from outZ = (h tA mod n) (QsA +
1969// [avf(QeB().x)](QeB())). The function will compute the ephemeral public key from the ephemeral private
1970// key. All points are required to be on the curve of inQsA. The function will fail catastrophically if this is not
1971// the case
1972//
1973// Return Value Meaning
1974//
1975// CRYPT_SUCCESS results is valid
1976// CRYPT_NO_RESULT the value for dsA does not give a valid point on the curve
1977//
1978static CRYPT_RESULT
1979SM2KeyExchange(
1980 TPMS_ECC_POINT *outZ, // OUT: the computed point
1981 TPM_ECC_CURVE curveId, // IN: the curve for the computations
1982 TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key
1983 TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key
1984 TPMS_ECC_POINT *QsB, // IN: static public party B key
1985 TPMS_ECC_POINT *QeB // IN: ephemeral public party B key
1986 )
1987{
1988 BN_CTX *context;
1989 EC_POINT *pQeA = NULL;
1990 EC_POINT *pQeB = NULL;
1991 EC_POINT *pQsB = NULL;
1992 EC_GROUP *group = NULL;
1993 BIGNUM *bnTa;
1994 BIGNUM *bnDeA;
1995 BIGNUM *bnDsA;
1996 BIGNUM *bnXeA; // x coordinate of ephemeral party A key
1997 BIGNUM *bnH;
1998 BIGNUM *bnN;
1999 BIGNUM *bnXeB;
2000//
2001 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]2002 CRYPT_RESULT retVal = CRYPT_POINT;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2003 pAssert( curveData != NULL && outZ != NULL && dsA != NULL
2004 && deA != NULL && QsB != NULL && QeB != NULL);
2005 context = BN_CTX_new();
2006 if(context == NULL || curveData == NULL)
2007 FAIL(FATAL_ERROR_ALLOCATION);
2008 BN_CTX_start(context);
2009 bnTa = BN_CTX_get(context);
2010 bnDeA = BN_CTX_get(context);
2011 bnDsA = BN_CTX_get(context);
2012 bnXeA = BN_CTX_get(context);
2013 bnH = BN_CTX_get(context);
2014 bnN = BN_CTX_get(context);
2015 bnXeB = BN_CTX_get(context);
2016 if(bnXeB == NULL)
2017 FAIL(FATAL_ERROR_ALLOCATION);
2018 // Initialize group parameters and local values of input
2019 if((group = EccCurveInit(curveId, context)) == NULL)
2020 FAIL(FATAL_ERROR_INTERNAL);
2021 if((pQeA = EC_POINT_new(group)) == NULL)
2022 FAIL(FATAL_ERROR_ALLOCATION);
2023 BnFrom2B(bnDeA, &deA->b);
2024 BnFrom2B(bnDsA, &dsA->b);
2025 BnFrom2B(bnH, curveData->h);
2026 BnFrom2B(bnN, curveData->n);
2027 BnFrom2B(bnXeB, &QeB->x.b);
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]2028 if(!(pQeB = EccInitPoint2B(group, QeB, context)))
2029 goto Cleanup;
2030 if(!(pQsB = EccInitPoint2B(group, QsB, context)))
2031 goto Cleanup;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2032 // Compute the public ephemeral key pQeA = [de,A]G
2033 if( (retVal = PointMul(group, pQeA, bnDeA, NULL, NULL, context))
2034 != CRYPT_SUCCESS)
2035 goto Cleanup;
2036 if(EC_POINT_get_affine_coordinates_GFp(group, pQeA, bnXeA, NULL, context) != 1)
2037 FAIL(FATAL_ERROR_INTERNAL);
2038// tA := (ds,A + de,A avf(Xe,A)) mod n (3)
2039// Compute 'tA' = ('dsA' + 'deA' avf('XeA')) mod n
2040 // Ta = avf(XeA);
2041 BN_copy(bnTa, bnXeA);
2042 avfSm2(bnTa, bnN);
2043 if(// do Ta = de,A * Ta mod n = deA * avf(XeA) mod n
2044 !BN_mod_mul(bnTa, bnDeA, bnTa, bnN, context)
2045 // now Ta = dsA + Ta mod n = dsA + deA * avf(XeA) mod n
2046 || !BN_mod_add(bnTa, bnDsA, bnTa, bnN, context)
2047 )
2048 FAIL(FATAL_ERROR_INTERNAL);
2049// outZ ? [h tA mod n] (Qs,B + [avf(Xe,B)](Qe,B)) (4)
2050 // Put this in because almost every case of h is == 1 so skip the call when
2051 // not necessary.
2052 if(!BN_is_one(bnH))
2053 {
2054 // Cofactor is not 1 so compute Ta := Ta * h mod n
2055 if(!BN_mul(bnTa, bnTa, bnH, context))
2056 FAIL(FATAL_ERROR_INTERNAL);
2057 }
2058 // Now that 'tA' is (h * 'tA' mod n)
2059 // 'outZ' = ['tA'](QsB + [avf(QeB.x)](QeB)).
2060 // first, compute XeB = avf(XeB)
2061 avfSm2(bnXeB, bnN);
2062 // QeB := [XeB]QeB
2063 if( !EC_POINT_mul(group, pQeB, NULL, pQeB, bnXeB, context)
2064 // QeB := QsB + QeB
2065 || !EC_POINT_add(group, pQeB, pQeB, pQsB, context)
2066 )
2067 FAIL(FATAL_ERROR_INTERNAL);
2068 // QeB := [tA]QeB = [tA](QsB + [Xe,B]QeB) and check for at infinity
2069 if(PointMul(group, pQeB, NULL, pQeB, bnTa, context) == CRYPT_SUCCESS)
2070 // Convert BIGNUM E to TPM2B E
2071 Point2B(group, outZ, pQeB, (INT16)BN_num_bytes(bnN), context);
2072Cleanup:
2073 if(pQeA != NULL) EC_POINT_free(pQeA);
2074 if(pQeB != NULL) EC_POINT_free(pQeB);
2075 if(pQsB != NULL) EC_POINT_free(pQsB);
2076 if(group != NULL) EC_GROUP_free(group);
2077 BN_CTX_end(context);
2078 BN_CTX_free(context);
2079 return retVal;
2080}
2081#endif //% TPM_ALG_SM2
2082//
2083//
2084// C_2_2_ECDH()
2085//
2086// This function performs the two phase key exchange defined in SP800-56A, 6.1.1.2 Full Unified Model,
2087// C(2, 2, ECC CDH).
2088//
2089static CRYPT_RESULT
2090C_2_2_ECDH(
2091 TPMS_ECC_POINT *outZ1, // OUT: Zs
2092 TPMS_ECC_POINT *outZ2, // OUT: Ze
2093 TPM_ECC_CURVE curveId, // IN: the curve for the computations
2094 TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key
2095 TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key
2096 TPMS_ECC_POINT *QsB, // IN: static public party B key
2097 TPMS_ECC_POINT *QeB // IN: ephemeral public party B key
2098 )
2099{
Jocelyn Bohrddcb1ce2015-08-14 15:32:09 -0700[diff] [blame]2100 BIGNUM *order;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2101 BN_CTX *context;
2102 EC_POINT *pQ = NULL;
2103 EC_GROUP *group = NULL;
2104 BIGNUM *bnD;
2105 INT16 size;
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]2106 CRYPT_RESULT retVal = CRYPT_POINT;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2107 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
2108 context = BN_CTX_new();
2109 if(context == NULL || curveData == NULL)
2110 FAIL(FATAL_ERROR_ALLOCATION);
2111 BN_CTX_start(context);
Jocelyn Bohrddcb1ce2015-08-14 15:32:09 -0700[diff] [blame]2112 order = BN_CTX_get(context);
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2113 if((bnD = BN_CTX_get(context)) == NULL)
2114 FAIL(FATAL_ERROR_INTERNAL);
2115 // Initialize group parameters and local values of input
2116 if((group = EccCurveInit(curveId, context)) == NULL)
2117 FAIL(FATAL_ERROR_INTERNAL);
Jocelyn Bohrddcb1ce2015-08-14 15:32:09 -0700[diff] [blame]2118 if (!EC_GROUP_get_order(group, order, context))
2119 FAIL(FATAL_ERROR_INTERNAL);
2120 size = (INT16)BN_num_bytes(order);
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2121 // Get the static private key of A
2122 BnFrom2B(bnD, &dsA->b);
2123 // Initialize the static public point from B
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]2124 if (!(pQ = EccInitPoint2B(group, QsB, context)))
2125 goto Cleanup;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2126 // Do the point multiply for the Zs value
2127 if(PointMul(group, pQ, NULL, pQ, bnD, context) != CRYPT_NO_RESULT)
2128 // Convert the Zs value
2129 Point2B(group, outZ1, pQ, size, context);
2130 // Get the ephemeral private key of A
2131 BnFrom2B(bnD, &deA->b);
2132 // Initalize the ephemeral public point from B
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]2133 if (!PointFrom2B(group, pQ, QeB, context))
2134 goto Cleanup;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2135 // Do the point multiply for the Ze value
2136 if(PointMul(group, pQ, NULL, pQ, bnD, context) != CRYPT_NO_RESULT)
2137 // Convert the Ze value.
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]2138 {
2139 Point2B(group, outZ2, pQ, size, context);
2140 retVal = CRYPT_SUCCESS;
2141 }
2142Cleanup:
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2143 if(pQ != NULL) EC_POINT_free(pQ);
2144 if(group != NULL) EC_GROUP_free(group);
2145 BN_CTX_end(context);
2146 BN_CTX_free(context);
Vadim Sukhomlinova9bc45b2019-08-06 16:08:24 -0700[diff] [blame]2147 return retVal;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2148}
2149//
2150//
2151// _cpri__C_2_2_KeyExchange()
2152//
2153// This function is the dispatch routine for the EC key exchange function that use two ephemeral and two
2154// static keys.
2155//
2156// Return Value Meaning
2157//
2158// CRYPT_SCHEME scheme is not defined
2159//
2160LIB_EXPORT CRYPT_RESULT
2161_cpri__C_2_2_KeyExchange(
2162 TPMS_ECC_POINT *outZ1, // OUT: a computed point
2163 TPMS_ECC_POINT *outZ2, // OUT: and optional second point
2164 TPM_ECC_CURVE curveId, // IN: the curve for the computations
2165 TPM_ALG_ID scheme, // IN: the key exchange scheme
2166 TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key
2167 TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key
2168 TPMS_ECC_POINT *QsB, // IN: static public party B key
2169 TPMS_ECC_POINT *QeB // IN: ephemeral public party B key
2170 )
2171{
2172 pAssert( outZ1 != NULL
2173 && dsA != NULL && deA != NULL
2174 && QsB != NULL && QeB != NULL);
2175 // Initalize the output points so that they are empty until one of the
2176 // functions decides otherwise
2177 outZ1->x.b.size = 0;
2178 outZ1->y.b.size = 0;
2179 if(outZ2 != NULL)
2180 {
2181 outZ2->x.b.size = 0;
2182 outZ2->y.b.size = 0;
2183 }
2184 switch (scheme)
2185 {
2186 case TPM_ALG_ECDH:
2187 return C_2_2_ECDH(outZ1, outZ2, curveId, dsA, deA, QsB, QeB);
2188 break;
2189#ifdef TPM_ALG_ECMQV
2190 case TPM_ALG_ECMQV:
2191 return C_2_2_MQV(outZ1, curveId, dsA, deA, QsB, QeB);
2192 break;
2193#endif
2194#ifdef TPM_ALG_SM2
2195 case TPM_ALG_SM2:
2196 return SM2KeyExchange(outZ1, curveId, dsA, deA, QsB, QeB);
2197 break;
2198#endif
2199 default:
2200 return CRYPT_SCHEME;
2201 }
2202}
2203#else //%
2204//
2205// Stub used when the 2-phase key exchange is not defined so that the linker has something to associate
2206// with the value in the .def file.
2207//
2208LIB_EXPORT CRYPT_RESULT
2209_cpri__C_2_2_KeyExchange(
Vadim Sukhomlinov5463ebe2019-02-06 07:36:46 -0800[diff] [blame]2210 TPMS_ECC_POINT *outZ1, // OUT: a computed point
2211 TPMS_ECC_POINT *outZ2, // OUT: and optional second point
2212 TPM_ECC_CURVE curveId, // IN: the curve for the computations
2213 TPM_ALG_ID scheme, // IN: the key exchange scheme
2214 TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key
2215 TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key
2216 TPMS_ECC_POINT *QsB, // IN: static public party B key
2217 TPMS_ECC_POINT *QeB // IN: ephemeral public party B key
2218 )
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]2219{
2220 return CRYPT_FAIL;
2221}
2222#endif //% CC_ZGen_2Phase
2223#endif // TPM_ALG_ECC