lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-28 00:21:48 +03:00
Code Activity

Merged support for Brainpool curves and ciphersuites

Browse Source
This commit is contained in:
Paul Bakker
2013-10-11 10:03:27 +02:00
parent 1677033bc8 0cd6f98c0f
commit b799dec4c0
30 changed files with 329 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

245
library/ecp.c
View File

@ -70,28 +70,37 @@ unsigned long add_count, dbl_count;
/*
* List of supported curves:
* - internal ID
* - TLS NamedCurve ID (RFC 4492 section 5.1.1)
* - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2)
* - size in bits
* - readeble name
* - readable name
*/
const ecp_curve_info ecp_supported_curves[] =
{
#if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
{ POLARSSL_ECP_DP_BP512R1, 28, 512, "brainpool512r1" },
#endif
#if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
{ POLARSSL_ECP_DP_BP384R1, 27, 384, "brainpool384r1" },
#endif
#if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
{ POLARSSL_ECP_DP_BP256R1, 26, 256, "brainpool256r1" },
#endif
#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
{ POLARSSL_ECP_DP_SECP521R1, 25, 521, "secp521r1" },
{ POLARSSL_ECP_DP_SECP521R1, 25, 521, "secp521r1" },
#endif
#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
{ POLARSSL_ECP_DP_SECP384R1, 24, 384, "secp384r1" },
{ POLARSSL_ECP_DP_SECP384R1, 24, 384, "secp384r1" },
#endif
#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
{ POLARSSL_ECP_DP_SECP256R1, 23, 256, "secp256r1" },
{ POLARSSL_ECP_DP_SECP256R1, 23, 256, "secp256r1" },
#endif
#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
{ POLARSSL_ECP_DP_SECP224R1, 21, 224, "secp224r1" },
{ POLARSSL_ECP_DP_SECP224R1, 21, 224, "secp224r1" },
#endif
#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
{ POLARSSL_ECP_DP_SECP192R1, 19, 192, "secp192r1" },
{ POLARSSL_ECP_DP_SECP192R1, 19, 192, "secp192r1" },
#endif
{ POLARSSL_ECP_DP_NONE, 0, 0, NULL },
{ POLARSSL_ECP_DP_NONE, 0, 0, NULL },
};
/*
@ -163,6 +172,7 @@ void ecp_group_free( ecp_group *grp )
return;
mpi_free( &grp->P );
mpi_free( &grp->A );
mpi_free( &grp->B );
ecp_point_free( &grp->G );
mpi_free( &grp->N );
@ -253,15 +263,16 @@ cleanup:
}
/*
* Import an ECP group from ASCII strings
* Import an ECP group from ASCII strings, general case (A used)
*/
int ecp_group_read_string( ecp_group *grp, int radix,
const char *p, const char *b,
static int ecp_group_read_string_gen( ecp_group *grp, int radix,
const char *p, const char *a, const char *b,
const char *gx, const char *gy, const char *n)
{
int ret;
MPI_CHK( mpi_read_string( &grp->P, radix, p ) );
MPI_CHK( mpi_read_string( &grp->A, radix, a ) );
MPI_CHK( mpi_read_string( &grp->B, radix, b ) );
MPI_CHK( ecp_point_read_string( &grp->G, radix, gx, gy ) );
MPI_CHK( mpi_read_string( &grp->N, radix, n ) );
@ -270,6 +281,28 @@ int ecp_group_read_string( ecp_group *grp, int radix,
grp->nbits = mpi_msb( &grp->N );
cleanup:
if( ret != 0 )
ecp_group_free( grp );
return( ret );
}
/*
* Import an ECP group from ASCII strings, case A == -3
*/
int ecp_group_read_string( ecp_group *grp, int radix,
const char *p, const char *b,
const char *gx, const char *gy, const char *n)
{
int ret;
MPI_CHK( ecp_group_read_string_gen( grp, radix, p, "00", b, gx, gy, n ) );
MPI_CHK( mpi_add_int( &grp->A, &grp->P, -3 ) );
cleanup:
if( ret != 0 )
ecp_group_free( grp );
return( ret );
}
@ -646,6 +679,66 @@ cleanup:
"FFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148" \
"F709A5D03BB5C9B8899C47AEBB6FB71E91386409"
/*
* Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
*/
#define BP256R1_P \
"A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377"
#define BP256R1_A \
"7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9"
#define BP256R1_B \
"26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6"
#define BP256R1_GX \
"8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262"
#define BP256R1_GY \
"547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997"
#define BP256R1_N \
"A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7"
/*
* Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
*/
#define BP384R1_P \
"8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB711" \
"23ACD3A729901D1A71874700133107EC53"
#define BP384R1_A \
"7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F9" \
"0F8AA5814A503AD4EB04A8C7DD22CE2826"
#define BP384R1_B \
"04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62" \
"D57CB4390295DBC9943AB78696FA504C11"
#define BP384R1_GX \
"1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10" \
"E8E826E03436D646AAEF87B2E247D4AF1E"
#define BP384R1_GY \
"8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129" \
"280E4646217791811142820341263C5315"
#define BP384R1_N \
"8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425" \
"A7CF3AB6AF6B7FC3103B883202E9046565"
/*
* Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
*/
#define BP512R1_P \
"AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308" \
"717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3"
#define BP512R1_A \
"7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863" \
"BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA"
#define BP512R1_B \
"3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117" \
"A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723"
#define BP512R1_GX \
"81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D009" \
"8EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822"
#define BP512R1_GY \
"7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F81" \
"11B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892"
#define BP512R1_N \
"AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308" \
"70553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069"
/*
* Set a group using well-known domain parameters
*/
@ -692,8 +785,29 @@ int ecp_use_known_dp( ecp_group *grp, ecp_group_id id )
SECP521R1_GX, SECP521R1_GY, SECP521R1_N ) );
#endif /* POLARSSL_ECP_DP_SECP521R1_ENABLED */
#if defined(POLARSSL_ECP_DP_BP256R1_ENABLED)
case POLARSSL_ECP_DP_BP256R1:
return( ecp_group_read_string_gen( grp, 16,
BP256R1_P, BP256R1_A, BP256R1_B,
BP256R1_GX, BP256R1_GY, BP256R1_N ) );
#endif /* POLARSSL_ECP_DP_BP256R1_ENABLED */
#if defined(POLARSSL_ECP_DP_BP384R1_ENABLED)
case POLARSSL_ECP_DP_BP384R1:
return( ecp_group_read_string_gen( grp, 16,
BP384R1_P, BP384R1_A, BP384R1_B,
BP384R1_GX, BP384R1_GY, BP384R1_N ) );
#endif /* POLARSSL_ECP_DP_BP384R1_ENABLED */
#if defined(POLARSSL_ECP_DP_BP512R1_ENABLED)
case POLARSSL_ECP_DP_BP512R1:
return( ecp_group_read_string_gen( grp, 16,
BP512R1_P, BP512R1_A, BP512R1_B,
BP512R1_GX, BP512R1_GY, BP512R1_N ) );
#endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */
default:
grp->id = POLARSSL_ECP_DP_NONE;
ecp_group_free( grp );
return( POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE );
}
}
@ -945,60 +1059,59 @@ cleanup:
return( ret );
}
/*
* Point doubling R = 2 P, Jacobian coordinates (GECC 3.21)
* Point doubling R = 2 P, Jacobian coordinates
*
* http://www.hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian/doubling/dbl-2007-bl.op3
* with heavy variable renaming, some reordering and one minor modification
* (a = 2 * b, c = d - 2a replaced with c = d, c = c - b, c = c - b)
* in order to use a lot less intermediate variables (6 vs 25).
*/
static int ecp_double_jac( const ecp_group *grp, ecp_point *R,
const ecp_point *P )
{
int ret;
mpi T1, T2, T3, X, Y, Z;
mpi T1, T2, T3, X3, Y3, Z3;
#if defined(POLARSSL_SELF_TEST)
dbl_count++;
#endif
if( mpi_cmp_int( &P->Z, 0 ) == 0 )
return( ecp_set_zero( R ) );
mpi_init( &T1 ); mpi_init( &T2 ); mpi_init( &T3 );
mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z );
mpi_init( &X3 ); mpi_init( &Y3 ); mpi_init( &Z3 );
MPI_CHK( mpi_mul_mpi( &T1, &P->Z, &P->Z ) ); MOD_MUL( T1 );
MPI_CHK( mpi_sub_mpi( &T2, &P->X, &T1 ) ); MOD_SUB( T2 );
MPI_CHK( mpi_add_mpi( &T1, &P->X, &T1 ) ); MOD_ADD( T1 );
MPI_CHK( mpi_mul_mpi( &T2, &T2, &T1 ) ); MOD_MUL( T2 );
MPI_CHK( mpi_mul_int( &T2, &T2, 3 ) ); MOD_ADD( T2 );
MPI_CHK( mpi_mul_int( &Y, &P->Y, 2 ) ); MOD_ADD( Y );
MPI_CHK( mpi_mul_mpi( &Z, &Y, &P->Z ) ); MOD_MUL( Z );
MPI_CHK( mpi_mul_mpi( &Y, &Y, &Y ) ); MOD_MUL( Y );
MPI_CHK( mpi_mul_mpi( &T3, &Y, &P->X ) ); MOD_MUL( T3 );
MPI_CHK( mpi_mul_mpi( &Y, &Y, &Y ) ); MOD_MUL( Y );
MPI_CHK( mpi_mul_mpi( &T3, &P->X, &P->X ) ); MOD_MUL( T3 );
MPI_CHK( mpi_mul_mpi( &T2, &P->Y, &P->Y ) ); MOD_MUL( T2 );
MPI_CHK( mpi_mul_mpi( &Y3, &T2, &T2 ) ); MOD_MUL( Y3 );
MPI_CHK( mpi_add_mpi( &X3, &P->X, &T2 ) ); MOD_ADD( X3 );
MPI_CHK( mpi_mul_mpi( &X3, &X3, &X3 ) ); MOD_MUL( X3 );
MPI_CHK( mpi_sub_mpi( &X3, &X3, &Y3 ) ); MOD_SUB( X3 );
MPI_CHK( mpi_sub_mpi( &X3, &X3, &T3 ) ); MOD_SUB( X3 );
MPI_CHK( mpi_mul_int( &T1, &X3, 2 ) ); MOD_ADD( T1 );
MPI_CHK( mpi_mul_mpi( &Z3, &P->Z, &P->Z ) ); MOD_MUL( Z3 );
MPI_CHK( mpi_mul_mpi( &X3, &Z3, &Z3 ) ); MOD_MUL( X3 );
MPI_CHK( mpi_mul_int( &T3, &T3, 3 ) ); MOD_ADD( T3 );
MPI_CHK( mpi_mul_mpi( &X3, &X3, &grp->A ) ); MOD_MUL( X3 );
MPI_CHK( mpi_add_mpi( &T3, &T3, &X3 ) ); MOD_ADD( T3 );
MPI_CHK( mpi_mul_mpi( &X3, &T3, &T3 ) ); MOD_MUL( X3 );
MPI_CHK( mpi_sub_mpi( &X3, &X3, &T1 ) ); MOD_SUB( X3 );
MPI_CHK( mpi_sub_mpi( &X3, &X3, &T1 ) ); MOD_SUB( X3 );
MPI_CHK( mpi_sub_mpi( &T1, &T1, &X3 ) ); MOD_SUB( T1 );
MPI_CHK( mpi_mul_mpi( &T1, &T3, &T1 ) ); MOD_MUL( T1 );
MPI_CHK( mpi_mul_int( &T3, &Y3, 8 ) ); MOD_ADD( T3 );
MPI_CHK( mpi_sub_mpi( &Y3, &T1, &T3 ) ); MOD_SUB( Y3 );
MPI_CHK( mpi_add_mpi( &T1, &P->Y, &P->Z ) ); MOD_ADD( T1 );
MPI_CHK( mpi_mul_mpi( &T1, &T1, &T1 ) ); MOD_MUL( T1 );
MPI_CHK( mpi_sub_mpi( &T1, &T1, &T2 ) ); MOD_SUB( T1 );
MPI_CHK( mpi_sub_mpi( &Z3, &T1, &Z3 ) ); MOD_SUB( Z3 );
/*
* For Y = Y / 2 mod p, we must make sure that Y is even before
* using right-shift. No need to reduce mod p afterwards.
*/
if( mpi_get_bit( &Y, 0 ) == 1 )
MPI_CHK( mpi_add_mpi( &Y, &Y, &grp->P ) );
MPI_CHK( mpi_shift_r( &Y, 1 ) );
MPI_CHK( mpi_mul_mpi( &X, &T2, &T2 ) ); MOD_MUL( X );
MPI_CHK( mpi_mul_int( &T1, &T3, 2 ) ); MOD_ADD( T1 );
MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) ); MOD_SUB( X );
MPI_CHK( mpi_sub_mpi( &T1, &T3, &X ) ); MOD_SUB( T1 );
MPI_CHK( mpi_mul_mpi( &T1, &T1, &T2 ) ); MOD_MUL( T1 );
MPI_CHK( mpi_sub_mpi( &Y, &T1, &Y ) ); MOD_SUB( Y );
MPI_CHK( mpi_copy( &R->X, &X ) );
MPI_CHK( mpi_copy( &R->Y, &Y ) );
MPI_CHK( mpi_copy( &R->Z, &Z ) );
MPI_CHK( mpi_copy( &R->X, &X3 ) );
MPI_CHK( mpi_copy( &R->Y, &Y3 ) );
MPI_CHK( mpi_copy( &R->Z, &Z3 ) );
cleanup:
mpi_free( &T1 ); mpi_free( &T2 ); mpi_free( &T3 );
mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z );
mpi_free( &X3 ); mpi_free( &Y3 ); mpi_free( &Z3 );
return( ret );
}
@ -1495,13 +1608,13 @@ int ecp_check_pubkey( const ecp_group *grp, const ecp_point *pt )
/*
* YY = Y^2
* RHS = X (X^2 - 3) + B = X^3 - 3X + B
* RHS = X (X^2 + A) + B = X^3 + A X + B
*/
MPI_CHK( mpi_mul_mpi( &YY, &pt->Y, &pt->Y ) ); MOD_MUL( YY );
MPI_CHK( mpi_mul_mpi( &RHS, &pt->X, &pt->X ) ); MOD_MUL( RHS );
MPI_CHK( mpi_sub_int( &RHS, &RHS, 3 ) ); MOD_SUB( RHS );
MPI_CHK( mpi_mul_mpi( &RHS, &RHS, &pt->X ) ); MOD_MUL( RHS );
MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->B ) ); MOD_ADD( RHS );
MPI_CHK( mpi_mul_mpi( &YY, &pt->Y, &pt->Y ) ); MOD_MUL( YY );
MPI_CHK( mpi_mul_mpi( &RHS, &pt->X, &pt->X ) ); MOD_MUL( RHS );
MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->A ) ); MOD_ADD( RHS );
MPI_CHK( mpi_mul_mpi( &RHS, &RHS, &pt->X ) ); MOD_MUL( RHS );
MPI_CHK( mpi_add_mpi( &RHS, &RHS, &grp->B ) ); MOD_ADD( RHS );
if( mpi_cmp_mpi( &YY, &RHS ) != 0 )
ret = POLARSSL_ERR_ECP_INVALID_KEY;
@ -1566,6 +1679,7 @@ int ecp_self_test( int verbose )
ecp_point R, P;
mpi m;
unsigned long add_c_prev, dbl_c_prev;
/* exponents especially adapted for secp192r1 */
const char *exponents[] =
{
"000000000000000000000000000000000000000000000000", /* zero */
@ -1582,27 +1696,12 @@ int ecp_self_test( int verbose )
ecp_point_init( &P );
mpi_init( &m );
/* Use secp192r1 if available, or any available curve */
#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP192R1 ) );
#else
#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP224R1 ) );
#else
#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP256R1 ) );
#else
#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP384R1 ) );
#else
#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP521R1 ) );
#else
#error No curves defines
#endif /* POLARSSL_ECP_DP_SECP512R1_ENABLED */
#endif /* POLARSSL_ECP_DP_SECP384R1_ENABLED */
#endif /* POLARSSL_ECP_DP_SECP256R1_ENABLED */
#endif /* POLARSSL_ECP_DP_SECP224R1_ENABLED */
#endif /* POLARSSL_ECP_DP_SECP192R1_ENABLED */
MPI_CHK( ecp_use_known_dp( &grp, ecp_curve_list()->grp_id ) );
#endif
if( verbose != 0 )
printf( " ECP test #1 (constant op_count, base point G): " );

12
library/oid.c
View File

@ -405,6 +405,18 @@ static const oid_ecp_grp_t oid_ecp_grp[] =
{ ADD_LEN( OID_EC_GRP_SECP521R1 ), "secp521r1", "secp521r1" },
POLARSSL_ECP_DP_SECP521R1,
},
{
{ ADD_LEN( OID_EC_GRP_BP256R1 ), "brainpoolP256r1","brainpool256r1" },
POLARSSL_ECP_DP_BP256R1,
},
{
{ ADD_LEN( OID_EC_GRP_BP384R1 ), "brainpoolP384r1","brainpool384r1" },
POLARSSL_ECP_DP_BP384R1,
},
{
{ ADD_LEN( OID_EC_GRP_BP512R1 ), "brainpoolP512r1","brainpool512r1" },
POLARSSL_ECP_DP_BP512R1,
},
{
{ NULL, 0, NULL, NULL },
0,