Commit 48d78a5e authored by Paul Bakker

Merged support for Curve25519

parents 498fd354 93f41dbd
......@@ -5,6 +5,7 @@ Features
* EC key generation support in gen_key app
* Support for adhering to client ciphersuite order preference
(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
* Support for Curve25519
Changes
* gen_prime() speedup
......@@ -15,6 +16,7 @@ Changes
* Split off curves from ecp.c into ecp_curves.c
Bugfix
* Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
* Fixed X.509 hostname comparison (with non-regular characters)
* SSL now gracefully handles missing RNG
* Missing defines / cases for RSA_PSK key exchange
......@@ -236,11 +236,10 @@ void mpi_swap( mpi *X, mpi *Y );
*
* \param X MPI to conditionally assign to
* \param Y Value to be assigned
* \param assign 1: perform the assignment, 0: leave X untouched
* \param assign 1: perform the assignment, 0: keep X's original value
*
* \return 0 if successful,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
* POLARSSL_ERR_MPI_BAD_INPUT_DATA if assing is not 0 or 1
*
* \note This function is equivalent to
* if( assign ) mpi_copy( X, Y );
......@@ -251,6 +250,25 @@ void mpi_swap( mpi *X, mpi *Y );
*/
int mpi_safe_cond_assign( mpi *X, const mpi *Y, unsigned char assign );
/**
* \brief Safe conditional swap X <-> Y if swap is 1
*
* \param X First mpi value
* \param Y Second mpi value
* \param assign 1: perform the swap, 0: keep X and Y's original values
*
* \return 0 if successful,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
*
* \note This function is equivalent to
* if( assign ) mpi_swap( X, Y );
* except that it avoids leaking any information about whether
* the assignment was done or not (the above code may leak
* information through branch prediction and/or memory access
* patterns analysis).
*/
int mpi_safe_cond_swap( mpi *X, mpi *Y, unsigned char assign );
/**
* \brief Set value from integer
*
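Review bot: The new `mpi_safe_cond_swap` documentation and prototype call the flag `assign` and the \note speaks of "the assignment", while the definition in bignum.c names the same parameter `swap`; the header should read `\param swap 1: perform the swap, 0: keep X and Y's original values` and `int mpi_safe_cond_swap( mpi *X, mpi *Y, unsigned char swap );`, with the note saying "whether the swap was done or not". The \return list also ends with a dangling comma after POLARSSL_ERR_MPI_MALLOC_FAILED, left over from the list on mpi_safe_cond_assign it was copied from.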
......@@ -248,6 +248,10 @@
#define POLARSSL_ECP_DP_BP256R1_ENABLED
#define POLARSSL_ECP_DP_BP384R1_ENABLED
#define POLARSSL_ECP_DP_BP512R1_ENABLED
//#define POLARSSL_ECP_DP_M221_ENABLED // Not implemented yet!
#define POLARSSL_ECP_DP_M255_ENABLED
//#define POLARSSL_ECP_DP_M383_ENABLED // Not implemented yet!
//#define POLARSSL_ECP_DP_M511_ENABLED // Not implemented yet!
/**
* \def POLARSSL_ECP_NIST_OPTIM
......@@ -64,10 +64,16 @@ typedef enum
POLARSSL_ECP_DP_BP256R1, /*!< 256-bits Brainpool curve */
POLARSSL_ECP_DP_BP384R1, /*!< 384-bits Brainpool curve */
POLARSSL_ECP_DP_BP512R1, /*!< 512-bits Brainpool curve */
POLARSSL_ECP_DP_M221, /*!< (not implemented yet) */
POLARSSL_ECP_DP_M255, /*!< Curve25519 */
POLARSSL_ECP_DP_M383, /*!< (not implemented yet) */
POLARSSL_ECP_DP_M511, /*!< (not implemented yet) */
} ecp_group_id;
/**
* Number of supported curves (plus one for NONE)
* Number of supported curves (plus one for NONE).
*
* (Montgomery curves excluded for now.)
*/
#define POLARSSL_ECP_DP_MAX 9
......@@ -102,10 +108,16 @@ ecp_point;
/**
* \brief ECP group structure
*
* The curves we consider are defined by y^2 = x^3 + A x + B mod P,
* and a generator for a large subgroup of order N is fixed.
* We consider two types of curves equations:
* 1. Short Weierstrass y^2 = x^3 + A x + B mod P (SEC1 + RFC 4492)
* 2. Montgomery, y^2 = x^3 + A x^2 + x mod P (M255 + draft)
* In both cases, a generator G for a prime-order subgroup is fixed. In the
* short weierstrass, this subgroup is actually the whole curve, and its
* cardinal is denoted by N.
*
* pbits and nbits must be the size of P and N in bits.
* In the case of Montgomery curves, we don't store A but (A + 2) / 4 which is
* the quantity actualy used in the formulas. Also, nbits is not the size of N
* but the required size for private keys.
*
* If modp is NULL, reduction modulo P is done using a generic algorithm.
* Otherwise, it must point to a function that takes an mpi in the range
......@@ -118,18 +130,18 @@ typedef struct
{
ecp_group_id id; /*!< internal group identifier */
mpi P; /*!< prime modulus of the base field */
mpi A; /*!< linear term in the equation */
mpi B; /*!< constant term in the equation */
ecp_point G; /*!< generator of the subgroup used */
mpi N; /*!< the order of G */
mpi A; /*!< 1. A in the equation, or 2. (A + 2) / 4 */
mpi B; /*!< 1. B in the equation, or 2. unused */
ecp_point G; /*!< generator of the (sub)group used */
mpi N; /*!< 1. the order of G, or 2. unused */
size_t pbits; /*!< number of bits in P */
size_t nbits; /*!< number of bits in N */
unsigned int h; /*!< cofactor (unused now: assume 1) */
size_t nbits; /*!< number of bits in 1. P, or 2. private keys */
unsigned int h; /*!< unused */
int (*modp)(mpi *); /*!< function for fast reduction mod P */
int (*t_pre)(ecp_point *, void *); /*!< currently unused */
int (*t_post)(ecp_point *, void *); /*!< currently unused */
void *t_data; /*!< currently unused */
ecp_point *T; /*!< pre-computed points for ecp_mul() */
int (*t_pre)(ecp_point *, void *); /*!< unused */
int (*t_post)(ecp_point *, void *); /*!< unused */
void *t_data; /*!< unused */
ecp_point *T; /*!< pre-computed points for ecp_mul_comb() */
size_t T_size; /*!< number for pre-computed points */
}
ecp_group;
......@@ -438,6 +450,9 @@ int ecp_tls_write_group( const ecp_group *grp, size_t *olen,
*
* \return 0 if successful,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
*
* \note This function does not support Montgomery curves, such as
* Curve25519.
*/
int ecp_add( const ecp_group *grp, ecp_point *R,
const ecp_point *P, const ecp_point *Q );
......@@ -452,6 +467,9 @@ int ecp_add( const ecp_group *grp, ecp_point *R,
*
* \return 0 if successful,
* POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
*
* \note This function does not support Montgomery curves, such as
* Curve25519.
*/
int ecp_sub( const ecp_group *grp, ecp_point *R,
const ecp_point *P, const ecp_point *Q );
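Review bot: The new field comment on `nbits` in the ecp_group struct says "number of bits in 1. P, or 2. private keys", but `pbits` is the field sized by P and the prose above the struct still says nbits is the size of N; it should be `size_t nbits; /*!< number of bits in 1. N, or 2. private keys */`. POLARSSL_ECP_DP_MAX stays at 9 while four Montgomery identifiers are appended to `ecp_group_id` after the Brainpool entries, so any table indexed by group id and sized with POLARSSL_ECP_DP_MAX would be overrun by POLARSSL_ECP_DP_M255; the "(Montgomery curves excluded for now.)" remark suggests this is intentional, but the comment should state that Montgomery ids must never be used as an index into such tables. In the struct description, "cardinal" should be "order" (or "cardinality") and "actualy" is misspelled.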
......@@ -214,16 +214,16 @@ int mpi_safe_cond_assign( mpi *X, const mpi *Y, unsigned char assign )
int ret = 0;
size_t i;
if( assign * ( 1 - assign ) != 0 )
return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
/* make sure assign is 0 or 1 */
assign = ( assign != 0 );
if( Y->n > X->n )
MPI_CHK( mpi_grow( X, Y->n ) );
MPI_CHK( mpi_grow( X, Y->n ) );
/* Do the conditional assign safely */
X->s = X->s * (1 - assign) + Y->s * assign;
for( i = 0; i < Y->n; i++ )
X->p[i] = X->p[i] * (1 - assign) + Y->p[i] * assign;
for( ; i < X->n; i++ )
X->p[i] *= (1 - assign);
......@@ -231,6 +231,43 @@ cleanup:
return( ret );
}
/*
* Conditionally swap X and Y, without leaking information
* about whether the swap was made or not.
* Here it is not ok to simply swap the pointers, which whould lead to
* different memory access patterns when X and Y are used afterwards.
*/
int mpi_safe_cond_swap( mpi *X, mpi *Y, unsigned char swap )
{
int ret, s;
size_t i;
t_uint tmp;
if( X == Y )
return( 0 );
/* make sure swap is 0 or 1 */
swap = ( swap != 0 );
MPI_CHK( mpi_grow( X, Y->n ) );
MPI_CHK( mpi_grow( Y, X->n ) );
s = X->s;
X->s = X->s * (1 - swap) + Y->s * swap;
Y->s = Y->s * (1 - swap) + s * swap;
for( i = 0; i < X->n; i++ )
{
tmp = X->p[i];
X->p[i] = X->p[i] * (1 - swap) + Y->p[i] * swap;
Y->p[i] = Y->p[i] * (1 - swap) + tmp * swap;
}
cleanup:
return( ret );
}
/*
* Set value from integer
*/
......@@ -280,7 +317,8 @@ int mpi_set_bit( mpi *X, size_t pos, unsigned char val )
MPI_CHK( mpi_grow( X, off + 1 ) );
}
X->p[off] = ( X->p[off] & ~( 0x01 << idx ) ) | ( val << idx );
X->p[off] &= ~( (t_uint) 0x01 << idx );
X->p[off] |= (t_uint) val << idx;
cleanup:
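Review bot: The selects in `mpi_safe_cond_swap` (and in the reworked loop of `mpi_safe_cond_assign` above it) are written as `a * (1 - swap) + b * swap`; the result is correct, but a compiler may lower a multiply by a 0/1 value into a conditional move or a branch, which is the very side channel the function comment says it avoids. The conventional way to make that intent survive optimisation is to derive an all-ones/all-zero limb mask from the flag and swap with XOR/AND, as sketched below; the sign fields can keep the arithmetic form since they are plain ints. Separately, `ret` in `mpi_safe_cond_swap` is only assigned through MPI_CHK, so correctness of the `cleanup:` return depends on the first `mpi_grow` call always being reached after the `X == Y` early return; `int ret = 0` would make that explicit and match `mpi_safe_cond_assign`.
```c
    int ret = 0, s;
    size_t i;
    t_uint tmp, mask;

    /* … unchanged: X == Y guard, swap normalisation, mpi_grow calls, sign swap … */

    /* all ones when swap == 1, all zeros otherwise; t_uint is unsigned so the negation wraps */
    mask = - (t_uint) swap;

    for( i = 0; i < X->n; i++ )
    {
        tmp = ( X->p[i] ^ Y->p[i] ) & mask;
        X->p[i] ^= tmp;
        Y->p[i] ^= tmp;
    }
```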
......@@ -59,6 +59,10 @@ int ecdsa_sign( ecp_group *grp, mpi *r, mpi *s,
ecp_point R;
mpi k, e;
/* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
if( grp->N.p == NULL )
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
ecp_point_init( &R );
mpi_init( &k );
mpi_init( &e );
......@@ -129,6 +133,10 @@ int ecdsa_verify( ecp_group *grp,
ecp_point_init( &R ); ecp_point_init( &P );
mpi_init( &e ); mpi_init( &s_inv ); mpi_init( &u1 ); mpi_init( &u2 );
/* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
if( grp->N.p == NULL )
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
/*
* Step 1: make sure r and s are in range 1..n-1
*/
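Review bot: In `ecdsa_verify` the new Montgomery guard is placed after the `ecp_point_init`/`mpi_init` calls and returns directly instead of going through the function's cleanup path; nothing has been allocated at that point so no leak results, but it differs from `ecdsa_sign`, where the same check precedes the initialisations. Moving the three lines above `ecp_point_init( &R ); ecp_point_init( &P );` keeps the two functions parallel and removes a return that bypasses cleanup. Both functions begin outside the hunk. The check keys on `grp->N.p == NULL`, which appears to rely on ecp_use_curve25519 leaving N unset; extending the comment to `/* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA (Montgomery groups leave N unset) */` would document the convention at the point it is relied on.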
......@@ -322,16 +322,29 @@ cleanup:
#if defined(POLARSSL_ECP_NIST_OPTIM)
/* Forward declarations */
#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
static int ecp_mod_p192( mpi * );
#endif
#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
static int ecp_mod_p224( mpi * );
#endif
#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
static int ecp_mod_p256( mpi * );
#endif
#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
static int ecp_mod_p384( mpi * );
#endif
#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
static int ecp_mod_p521( mpi * );
#endif
#if defined(POLARSSL_ECP_DP_M255_ENABLED)
static int ecp_mod_p255( mpi * );
#endif
#define NIST_MODP( P ) grp->modp = ecp_mod_ ## P;
#else
#define NIST_MODP( P )
#endif
#endif /* POLARSSL_ECP_NIST_OPTIM */
#define LOAD_GROUP( G ) ecp_group_read_binary( grp, \
G ## _p, sizeof( G ## _p ), \
......@@ -341,11 +354,45 @@ static int ecp_mod_p521( mpi * );
G ## _gy, sizeof( G ## _gy ), \
G ## _n, sizeof( G ## _n ) )
/*
* Specialized function for creating the Curve25519 group
*/
static int ecp_use_curve25519( ecp_group *grp )
{
int ret;
/* Actually ( A + 2 ) / 4 */
MPI_CHK( mpi_read_string( &grp->A, 16, "01DB42" ) );
/* P = 2^255 - 19 */
MPI_CHK( mpi_lset( &grp->P, 1 ) );
MPI_CHK( mpi_shift_l( &grp->P, 255 ) );
MPI_CHK( mpi_sub_int( &grp->P, &grp->P, 19 ) );
grp->pbits = mpi_msb( &grp->P );
/* Y intentionaly not set, since we use x/z coordinates.
* This is used as a marker to identify Montgomery curves! */
MPI_CHK( mpi_lset( &grp->G.X, 9 ) );
MPI_CHK( mpi_lset( &grp->G.Z, 1 ) );
mpi_free( &grp->G.Y );
/* Actually, the required msb for private keys */
grp->nbits = 254;
cleanup:
if( ret != 0 )
ecp_group_free( grp );
return( ret );
}
/*
* Set a group using well-known domain parameters
*/
int ecp_use_known_dp( ecp_group *grp, ecp_group_id id )
{
ecp_group_free( grp );
grp->id = id;
switch( id )
......@@ -395,6 +442,12 @@ int ecp_use_known_dp( ecp_group *grp, ecp_group_id id )
return( LOAD_GROUP( brainpoolP512r1 ) );
#endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */
#if defined(POLARSSL_ECP_DP_M255_ENABLED)
case POLARSSL_ECP_DP_M255:
grp->modp = ecp_mod_p255;
return( ecp_use_curve25519( grp ) );
#endif /* POLARSSL_ECP_DP_M255_ENABLED */
default:
ecp_group_free( grp );
return( POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE );
......@@ -804,4 +857,48 @@ cleanup:
#endif /* POLARSSL_ECP_NIST_OPTIM */
#if defined(POLARSSL_ECP_DP_M255_ENABLED)
/* Size of p255 in terms of t_uint */
#define P255_WIDTH ( 255 / 8 / sizeof( t_uint ) + 1 )
/*
* Fast quasi-reduction modulo p255 = 2^255 - 19
* Write N as A1 + 2^255 A1, return A0 + 19 * A1
*/
static int ecp_mod_p255( mpi *N )
{
int ret;
size_t i;
mpi M;
t_uint Mp[P255_WIDTH + 2];
if( N->n < P255_WIDTH )
return( 0 );
/* M = A1 */
M.s = 1;
M.n = N->n - ( P255_WIDTH - 1 );
if( M.n > P255_WIDTH + 1 )
M.n = P255_WIDTH + 1;
M.p = Mp;
memset( Mp, 0, sizeof Mp );
memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( t_uint ) );
MPI_CHK( mpi_shift_r( &M, 255 % ( 8 * sizeof( t_uint ) ) ) );
M.n++; /* Make room for multiplication by 19 */
/* N = A0 */
mpi_set_bit( N, 255, 0 );
for( i = P255_WIDTH; i < N->n; i++ )
N->p[i] = 0;
/* N = A0 + 19 * A1 */
MPI_CHK( mpi_mul_int( &M, &M, 19 ) );
MPI_CHK( mpi_add_abs( N, N, &M ) );
cleanup:
return( ret );
}
#endif /* POLARSSL_ECP_DP_M255_ENABLED */
#endif
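Review bot: `ecp_use_known_dp` assigns `grp->modp = ecp_mod_p255;` guarded only by POLARSSL_ECP_DP_M255_ENABLED, while every other curve goes through the `NIST_MODP( P )` macro that expands to nothing when POLARSSL_ECP_NIST_OPTIM is off; the forward declaration of `ecp_mod_p255` is added inside the NIST_OPTIM block and the definition appears to sit under the same guard (the closing `#endif` moves past it), so a build with M255 enabled and NIST_OPTIM disabled would reference a symbol that does not exist. Use `NIST_MODP( p255 );` there for consistency, or move the declaration and definition outside the NIST_OPTIM guard if the fast reduction is meant to be mandatory for Curve25519. In `ecp_mod_p255`, `mpi_set_bit( N, 255, 0 )` is the only MPI call whose result is not checked; `MPI_CHK( mpi_set_bit( N, 255, 0 ) );` keeps the error path uniform with the rest of the function. The header comment reads "Write N as A1 + 2^255 A1" and should be `A0 + 2^255 A1`.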
......@@ -159,6 +159,12 @@ ecp_small_check_pub:0:2:1:0
ECP small check pubkey #10
ecp_small_check_pub:10:25:1:POLARSSL_ERR_ECP_INVALID_KEY
ECP check pubkey Montgomery #1 (too big)
ecp_check_pub_mx:POLARSSL_ECP_DP_M255:"010000000000000000000000000000000000000000000000000000000000000000":POLARSSL_ERR_ECP_INVALID_KEY
ECP check pubkey Montgomery #2 (biggest)
ecp_check_pub_mx:POLARSSL_ECP_DP_M255:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":0
ECP write binary #0 (zero, bad format)
depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
ecp_write_binary:POLARSSL_ECP_DP_SECP192R1:"01":"01":"00":POLARSSL_ECP_PF_UNKNOWN:"00":1:POLARSSL_ERR_ECP_BAD_INPUT_DATA
......@@ -271,14 +277,58 @@ ECP tls write-read group #2
depends_on:POLARSSL_ECP_DP_SECP521R1_ENABLED
ecp_tls_write_read_group:POLARSSL_ECP_DP_SECP521R1
ECP check privkey
ECP check privkey #1 (short weierstrass, too small)
depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1
ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1:"00":POLARSSL_ERR_ECP_INVALID_KEY
ECP check privkey #2 (short weierstrass, smallest)
depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1:"01":0
ECP check privkey #3 (short weierstrass, biggest)
depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830":0
ECP check privkey #4 (short weierstrass, too big)
depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831":POLARSSL_ERR_ECP_INVALID_KEY
ECP check privkey #5 (montgomery, too big)
depends_on:POLARSSL_ECP_DP_M255_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_M255:"C000000000000000000000000000000000000000000000000000000000000000":POLARSSL_ERR_ECP_INVALID_KEY
ECP check privkey #6 (montgomery, not big enough)
depends_on:POLARSSL_ECP_DP_M255_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_M255:"3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0":POLARSSL_ERR_ECP_INVALID_KEY
ECP check privkey #7 (montgomery, msb OK)
depends_on:POLARSSL_ECP_DP_M255_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_M255:"4000000000000000000000000000000000000000000000000000000000000000":0
ECP check privkey #8 (montgomery, bit 0 set)
depends_on:POLARSSL_ECP_DP_M255_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_M255:"4000000000000000000000000000000000000000000000000000000000000001":POLARSSL_ERR_ECP_INVALID_KEY
ECP check privkey #9 (montgomery, bit 1 set)
depends_on:POLARSSL_ECP_DP_M255_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_M255:"4000000000000000000000000000000000000000000000000000000000000002":POLARSSL_ERR_ECP_INVALID_KEY
ECP check privkey #10 (montgomery, bit 2 set)
depends_on:POLARSSL_ECP_DP_M255_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_M255:"4000000000000000000000000000000000000000000000000000000000000004":POLARSSL_ERR_ECP_INVALID_KEY
ECP check privkey #11 (montgomery, OK)
depends_on:POLARSSL_ECP_DP_M255_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_M255:"7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8":0
ECP gen keypair
depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
ecp_gen_keypair:POLARSSL_ECP_DP_SECP192R1
ECP gen keypair
depends_on:POLARSSL_ECP_DP_M255_ENABLED
ecp_gen_keypair:POLARSSL_ECP_DP_M255
ECP gen keypair wrapper
depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
ecp_gen_key:POLARSSL_ECP_DP_SECP192R1
......@@ -367,5 +417,9 @@ ECP test vectors brainpoolP512r1 rfc 7027
depends_on:POLARSSL_ECP_DP_BP512R1_ENABLED
ecp_test_vect:POLARSSL_ECP_DP_BP512R1:"16302FF0DBBB5A8D733DAB7141C1B45ACBC8715939677F6A56850A38BD87BD59B09E80279609FF333EB9D4C061231FB26F92EEB04982A5F1D1764CAD57665422":"0A420517E406AAC0ACDCE90FCD71487718D3B953EFD7FBEC5F7F27E28C6149999397E91E029E06457DB2D3E640668B392C2A7E737A7F0BF04436D11640FD09FD":"72E6882E8DB28AAD36237CD25D580DB23783961C8DC52DFA2EC138AD472A0FCEF3887CF62B623B2A87DE5C588301EA3E5FC269B373B60724F5E82A6AD147FDE7":"230E18E1BCC88A362FA54E4EA3902009292F7F8033624FD471B5D8ACE49D12CFABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429":"9D45F66DE5D67E2E6DB6E93A59CE0BB48106097FF78A081DE781CDB31FCE8CCBAAEA8DD4320C4119F1E9CD437A2EAB3731FA9668AB268D871DEDA55A5473199F":"2FDC313095BCDD5FB3A91636F07A959C8E86B5636A1E930E8396049CB481961D365CC11453A06C719835475B12CB52FC3C383BCE35E27EF194512B71876285FA":"A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F":"7DB71C3DEF63212841C463E881BDCF055523BD368240E6C3143BD8DEF8B3B3223B95E0F53082FF5E412F4222537A43DF1C6D25729DDB51620A832BE6A26680A2"
ECP test vectors M255 aka Curve25519
depends_on:POLARSSL_ECP_DP_M255_ENABLED
ecp_test_vec_x:POLARSSL_ECP_DP_M255:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"057E23EA9F1CBE8A27168F6E696A791DE61DD3AF7ACD4EEACC6E7BA514FDA863":"47DC3D214174820E1154B49BC6CDB2ABD45EE95817055D255AA35831B70D3260":"6EB89DA91989AE37C7EAC7618D9E5C4951DBA1D73C285AE1CD26A855020EEF04":"61450CD98E36016B58776A897A9F0AEF738B99F09468B8D6B8511184D53494AB"
ECP selftest
ecp_selftest:
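Review bot: The two new `ecp_check_pub_mx` cases ("ECP check pubkey Montgomery #1/#2") carry no `depends_on:POLARSSL_ECP_DP_M255_ENABLED` line, unlike every other M255 case added in this file, so they would fail at `ecp_use_known_dp` in a build with that curve disabled; add `depends_on:POLARSSL_ECP_DP_M255_ENABLED` before each of them. The second "ECP gen keypair" entry reuses the exact name of the SECP192R1 one; a distinct name such as `ECP gen keypair (Curve25519)` keeps test reports unambiguous.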
......@@ -188,6 +188,27 @@ void ecp_small_check_pub( int x, int y, int z, int ret )
}
/* END_CASE */
/* BEGIN_CASE */
void ecp_check_pub_mx( int grp_id, char *key_hex, int ret )
{
ecp_group grp;
ecp_point P;
ecp_group_init( &grp );
ecp_point_init( &P );
TEST_ASSERT( ecp_use_known_dp( &grp, grp_id ) == 0 );
TEST_ASSERT( mpi_read_string( &P.X, 16, key_hex ) == 0 );
TEST_ASSERT( mpi_lset( &P.Z, 1 ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &P ) == ret );
ecp_group_free( &grp );
ecp_point_free( &P );
}
/* END_CASE */
/* BEGIN_CASE */
void ecp_test_vect( int id, char *dA_str, char *xA_str, char *yA_str,
char *dB_str, char *xB_str, char *yB_str, char *xZ_str,
......@@ -242,6 +263,56 @@ void ecp_test_vect( int id, char *dA_str, char *xA_str, char *yA_str,
}
/* END_CASE */
/* BEGIN_CASE */
void ecp_test_vec_x( int id, char *dA_hex, char *xA_hex,
char *dB_hex, char *xB_hex, char *xS_hex )
{
ecp_group grp;
ecp_point R;
mpi dA, xA, dB, xB, xS;
rnd_pseudo_info rnd_info;
ecp_group_init( &grp ); ecp_point_init( &R );
mpi_init( &dA ); mpi_init( &xA );
mpi_init( &dB ); mpi_init( &xB );
mpi_init( &xS );
memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) );
TEST_ASSERT( ecp_use_known_dp( &grp, id ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &grp.G ) == 0 );
TEST_ASSERT( mpi_read_string( &dA, 16, dA_hex ) == 0 );
TEST_ASSERT( mpi_read_string( &dB, 16, dB_hex ) == 0 );
TEST_ASSERT( mpi_read_string( &xA, 16, xA_hex ) == 0 );
TEST_ASSERT( mpi_read_string( &xB, 16, xB_hex ) == 0 );
TEST_ASSERT( mpi_read_string( &xS, 16, xS_hex ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dA, &grp.G,
&rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xA ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dB, &R,
&rnd_pseudo_rand, &rnd_info ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xS ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dB, &grp.G, NULL, NULL ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xB ) == 0 );
TEST_ASSERT( ecp_mul( &grp, &R, &dA, &R, NULL, NULL ) == 0 );
TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &R.X, &xS ) == 0 );
ecp_group_free( &grp ); ecp_point_free( &R );
mpi_free( &dA ); mpi_free( &xA );
mpi_free( &dB ); mpi_free( &xB );
mpi_free( &xS );
}
/* END_CASE */
/* BEGIN_CASE */
void ecp_fast_mod( int id, char *N_str )
{
......@@ -490,7 +561,7 @@ void ecp_tls_write_read_group( int id )
/* END_CASE */
/* BEGIN_CASE */
void ecp_check_privkey( int id )
void ecp_check_privkey( int id, char *key_hex, int ret )
{
ecp_group grp;
mpi d;
......@@ -499,12 +570,9 @@ void ecp_check_privkey( int id )
mpi_init( &d );
TEST_ASSERT( ecp_use_known_dp( &grp, id ) == 0 );
TEST_ASSERT( mpi_read_string( &d, 16, key_hex ) == 0 );
TEST_ASSERT( mpi_lset( &d, 0 ) == 0 );
TEST_ASSERT( ecp_check_privkey( &grp, &d ) == POLARSSL_ERR_ECP_INVALID_KEY );
TEST_ASSERT( mpi_copy( &d, &grp.N ) == 0 );
TEST_ASSERT( ecp_check_privkey( &grp, &d ) == POLARSSL_ERR_ECP_INVALID_KEY );
TEST_ASSERT( ecp_check_privkey( &grp, &d ) == ret );
ecp_group_free( &grp );
mpi_free( &d );
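Review bot: `ecp_check_pub_mx` builds the point from X and Z only and never touches `P.Y`, which follows the x/z-only convention ecp_use_curve25519 establishes for Montgomery points, but nothing in the test says so and it reads like an omission; a one-line comment above `mpi_lset( &P.Z, 1 )` such as `/* Montgomery points carry x/z only; Y is deliberately left unset */` would make the intent clear. The same remark applies to `ecp_test_vec_x`, which compares only `R.X` against the expected values.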
......@@ -223,6 +223,24 @@ mpi_safe_cond_assign:-1:"01":+1:"02"
Test mpi_safe_cond_assign #6
mpi_safe_cond_assign:-1:"01":-1:"02"
Test mpi_safe_cond_swap #1
mpi_safe_cond_swap:+1:"01":+1:"02"
Test mpi_safe_cond_swap #2
mpi_safe_cond_swap:+1:"FF000000000000000001":+1:"02"
Test mpi_safe_cond_swap #3
mpi_safe_cond_swap:+1:"01":+1:"FF000000000000000002"
Test mpi_safe_cond_swap #4
mpi_safe_cond_swap:+1:"01":-1:"02"
Test mpi_safe_cond_swap #5
mpi_safe_cond_swap:-1:"01":+1:"02"
Test mpi_safe_cond_swap #6
mpi_safe_cond_swap:-1:"01":-1:"02"
Base test mpi_add_abs #1
mpi_add_abs:10:"12345678":10:"642531":10:"12988209"
......@@ -665,6 +683,12 @@ mpi_set_bit:10:"49979687":80:0:10:"49979687"
Test bit set (Add above existing limbs with a 1)
mpi_set_bit:10:"49979687":80:1:10:"1208925819614629224685863"
Test bit set (Bit index larger than 31 with a 0)
mpi_set_bit:16:"FFFFFFFFFFFFFFFF":32:0:16:"FFFFFFFEFFFFFFFF"
Test bit set (Bit index larger than 31 with a 1)
mpi_set_bit:16:"00":32:1:16:"0100000000"
MPI Selftest
depends_on:POLARSSL_SELF_TEST
mpi_selftest:
......@@ -331,6 +331,36 @@ void mpi_safe_cond_assign( int x_sign, char *x_str,
}
/* END_CASE */
/* BEGIN_CASE */
void mpi_safe_cond_swap( int x_sign, char *x_str,
int y_sign, char *y_str )
{
mpi X, Y, XX, YY;