123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709 |
- /* curve25519.c
- *
- * Copyright (C) 2006-2022 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- /* Based On Daniel J Bernstein's curve25519 Public Domain ref10 work. */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- #include <wolfssl/wolfcrypt/settings.h>
- #ifdef HAVE_CURVE25519
- #include <wolfssl/wolfcrypt/curve25519.h>
- #include <wolfssl/wolfcrypt/error-crypt.h>
- #ifdef NO_INLINE
- #include <wolfssl/wolfcrypt/misc.h>
- #else
- #define WOLFSSL_MISC_INCLUDED
- #include <wolfcrypt/src/misc.c>
- #endif
- #if defined(FREESCALE_LTC_ECC)
- #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
- #endif
- #ifdef WOLFSSL_SE050
- #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
- #endif
- #ifdef WOLF_CRYPTO_CB
- #include <wolfssl/wolfcrypt/cryptocb.h>
- #endif
- const curve25519_set_type curve25519_sets[] = {
- {
- CURVE25519_KEYSIZE,
- "CURVE25519",
- }
- };
- static const unsigned char kCurve25519BasePoint[CURVE25519_KEYSIZE] = {9};
- /* Curve25519 private key must be less than order */
- /* These functions clamp private k and check it */
- static WC_INLINE int curve25519_priv_clamp(byte* priv)
- {
- priv[0] &= 248;
- priv[CURVE25519_KEYSIZE-1] &= 127;
- priv[CURVE25519_KEYSIZE-1] |= 64;
- return 0;
- }
- static WC_INLINE int curve25519_priv_clamp_check(const byte* priv)
- {
- /* check that private part of key has been clamped */
- int ret = 0;
- if ((priv[0] & ~248) ||
- (priv[CURVE25519_KEYSIZE-1] & 128)) {
- ret = ECC_BAD_ARG_E;
- }
- return ret;
- }
- static WC_INLINE void curve25519_copy_point(byte* out, const byte* point,
- int endian)
- {
- int i;
- if (endian == EC25519_BIG_ENDIAN) {
- /* put shared secret key in Big Endian format */
- for (i = 0; i < CURVE25519_KEYSIZE; i++) {
- out[i] = point[CURVE25519_KEYSIZE - i -1];
- }
- }
- else { /* put shared secret key in Little Endian format */
- XMEMCPY(out, point, CURVE25519_KEYSIZE);
- }
- }
- /* compute the public key from an existing private key, using bare vectors.
- *
- * return value is propagated from curve25519() (0 on success), or
- * ECC_BAD_ARG_E, and the byte vectors are little endian.
- */
- int wc_curve25519_make_pub(int public_size, byte* pub, int private_size,
- const byte* priv)
- {
- int ret;
- #ifdef FREESCALE_LTC_ECC
- const ECPoint* basepoint = nxp_ltc_curve25519_GetBasePoint();
- ECPoint wc_pub;
- #endif
- if ( (public_size != CURVE25519_KEYSIZE) ||
- (private_size != CURVE25519_KEYSIZE)) {
- return ECC_BAD_ARG_E;
- }
- if ((pub == NULL) || (priv == NULL)) {
- return ECC_BAD_ARG_E;
- }
- /* check clamping */
- ret = curve25519_priv_clamp_check(priv);
- if (ret != 0)
- return ret;
- #ifdef FREESCALE_LTC_ECC
- /* input basepoint on Weierstrass curve */
- ret = nxp_ltc_curve25519(&wc_pub, priv, basepoint, kLTC_Weierstrass);
- if (ret == 0) {
- XMEMCPY(pub, wc_pub.point, CURVE25519_KEYSIZE);
- }
- #else
- fe_init();
- SAVE_VECTOR_REGISTERS(return _svr_ret;);
- ret = curve25519(pub, priv, kCurve25519BasePoint);
- RESTORE_VECTOR_REGISTERS();
- #endif
- return ret;
- }
- /* compute the public key from an existing private key, with supplied basepoint,
- * using bare vectors.
- *
- * return value is propagated from curve25519() (0 on success),
- * and the byte vectors are little endian.
- */
- int wc_curve25519_generic(int public_size, byte* pub,
- int private_size, const byte* priv,
- int basepoint_size, const byte* basepoint)
- {
- #ifdef FREESCALE_LTC_ECC
- /* unsupported with NXP LTC, only supports single basepoint with
- * nxp_ltc_curve25519_GetBasePoint() */
- return WC_HW_E;
- #else
- int ret;
- if ((public_size != CURVE25519_KEYSIZE) ||
- (private_size != CURVE25519_KEYSIZE) ||
- (basepoint_size != CURVE25519_KEYSIZE)) {
- return ECC_BAD_ARG_E;
- }
- if ((pub == NULL) || (priv == NULL) || (basepoint == NULL))
- return ECC_BAD_ARG_E;
- /* check clamping */
- ret = curve25519_priv_clamp_check(priv);
- if (ret != 0)
- return ret;
- fe_init();
- SAVE_VECTOR_REGISTERS(return _svr_ret;);
- ret = curve25519(pub, priv, basepoint);
- RESTORE_VECTOR_REGISTERS();
- return ret;
- #endif /* FREESCALE_LTC_ECC */
- }
- /* generate a new private key, as a bare vector.
- *
- * return value is propagated from wc_RNG_GenerateBlock(() (0 on success),
- * or BAD_FUNC_ARG/ECC_BAD_ARG_E, and the byte vector is little endian.
- */
- int wc_curve25519_make_priv(WC_RNG* rng, int keysize, byte* key)
- {
- int ret;
- if (key == NULL || rng == NULL)
- return BAD_FUNC_ARG;
- /* currently only a key size of 32 bytes is used */
- if (keysize != CURVE25519_KEYSIZE)
- return ECC_BAD_ARG_E;
- /* random number for private key */
- ret = wc_RNG_GenerateBlock(rng, key, keysize);
- if (ret == 0) {
- /* Clamp the private key */
- ret = curve25519_priv_clamp(key);
- }
- return ret;
- }
- /* generate a new keypair.
- *
- * return value is propagated from wc_curve25519_make_private() or
- * wc_curve25519_make_pub() (0 on success).
- */
- int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key)
- {
- int ret;
- if (key == NULL || rng == NULL)
- return BAD_FUNC_ARG;
- #ifdef WOLF_CRYPTO_CB
- if (key->devId != INVALID_DEVID) {
- ret = wc_CryptoCb_Curve25519Gen(rng, keysize, key);
- if (ret != CRYPTOCB_UNAVAILABLE)
- return ret;
- /* fall-through when unavailable */
- }
- #endif
- #ifdef WOLFSSL_SE050
- ret = se050_curve25519_create_key(key, keysize);
- #else
- ret = wc_curve25519_make_priv(rng, keysize, key->k);
- if (ret == 0) {
- key->privSet = 1;
- ret = wc_curve25519_make_pub((int)sizeof(key->p.point), key->p.point,
- (int)sizeof(key->k), key->k);
- key->pubSet = (ret == 0);
- }
- #endif
- return ret;
- }
- #ifdef HAVE_CURVE25519_SHARED_SECRET
- int wc_curve25519_shared_secret(curve25519_key* private_key,
- curve25519_key* public_key,
- byte* out, word32* outlen)
- {
- return wc_curve25519_shared_secret_ex(private_key, public_key,
- out, outlen, EC25519_BIG_ENDIAN);
- }
- int wc_curve25519_shared_secret_ex(curve25519_key* private_key,
- curve25519_key* public_key,
- byte* out, word32* outlen, int endian)
- {
- int ret;
- ECPoint o;
- /* sanity check */
- if (private_key == NULL || public_key == NULL ||
- out == NULL || outlen == NULL || *outlen < CURVE25519_KEYSIZE) {
- return BAD_FUNC_ARG;
- }
- /* make sure we have a populated private and public key */
- if (!public_key->pubSet
- #ifndef WOLFSSL_SE050
- || !private_key->privSet
- #endif
- ) {
- return ECC_BAD_ARG_E;
- }
- /* avoid implementation fingerprinting - make sure signed bit is not set */
- if (public_key->p.point[CURVE25519_KEYSIZE-1] & 0x80) {
- return ECC_BAD_ARG_E;
- }
- #ifdef WOLF_CRYPTO_CB
- if (private_key->devId != INVALID_DEVID) {
- ret = wc_CryptoCb_Curve25519(private_key, public_key, out, outlen,
- endian);
- if (ret != CRYPTOCB_UNAVAILABLE)
- return ret;
- /* fall-through when unavailable */
- }
- #endif
- XMEMSET(&o, 0, sizeof(o));
- #ifdef FREESCALE_LTC_ECC
- /* input point P on Curve25519 */
- ret = nxp_ltc_curve25519(&o, private_key->k, &public_key->p,
- kLTC_Curve25519);
- #else
- #ifdef WOLFSSL_SE050
- if (!private_key->privSet) {
- /* use NXP SE050: "privSet" is not set */
- ret = se050_curve25519_shared_secret(private_key, public_key, &o);
- }
- else
- #endif
- {
- SAVE_VECTOR_REGISTERS(return _svr_ret;);
- ret = curve25519(o.point, private_key->k, public_key->p.point);
- RESTORE_VECTOR_REGISTERS();
- }
- #endif
- #ifdef WOLFSSL_ECDHX_SHARED_NOT_ZERO
- if (ret == 0) {
- int i;
- byte t = 0;
- for (i = 0; i < CURVE25519_KEYSIZE; i++) {
- t |= o.point[i];
- }
- if (t == 0) {
- ret = ECC_OUT_OF_RANGE_E;
- }
- }
- #endif
- if (ret != 0) {
- ForceZero(&o, sizeof(o));
- return ret;
- }
- curve25519_copy_point(out, o.point, endian);
- *outlen = CURVE25519_KEYSIZE;
- ForceZero(&o, sizeof(o));
- return ret;
- }
- #endif /* HAVE_CURVE25519_SHARED_SECRET */
- #ifdef HAVE_CURVE25519_KEY_EXPORT
- /* export curve25519 public key (Big endian)
- * return 0 on success */
- int wc_curve25519_export_public(curve25519_key* key, byte* out, word32* outLen)
- {
- return wc_curve25519_export_public_ex(key, out, outLen, EC25519_BIG_ENDIAN);
- }
- /* export curve25519 public key (Big or Little endian)
- * return 0 on success */
- int wc_curve25519_export_public_ex(curve25519_key* key, byte* out,
- word32* outLen, int endian)
- {
- int ret = 0;
- if (key == NULL || out == NULL || outLen == NULL) {
- return BAD_FUNC_ARG;
- }
- /* check and set outgoing key size */
- if (*outLen < CURVE25519_KEYSIZE) {
- *outLen = CURVE25519_KEYSIZE;
- return ECC_BAD_ARG_E;
- }
- /* calculate public if missing */
- if (!key->pubSet) {
- ret = wc_curve25519_make_pub((int)sizeof(key->p.point), key->p.point,
- (int)sizeof(key->k), key->k);
- key->pubSet = (ret == 0);
- }
- /* export public point with endianess */
- curve25519_copy_point(out, key->p.point, endian);
- *outLen = CURVE25519_KEYSIZE;
- return ret;
- }
- #endif /* HAVE_CURVE25519_KEY_EXPORT */
- #ifdef HAVE_CURVE25519_KEY_IMPORT
- /* import curve25519 public key (Big endian)
- * return 0 on success */
- int wc_curve25519_import_public(const byte* in, word32 inLen,
- curve25519_key* key)
- {
- return wc_curve25519_import_public_ex(in, inLen, key, EC25519_BIG_ENDIAN);
- }
- /* import curve25519 public key (Big or Little endian)
- * return 0 on success */
- int wc_curve25519_import_public_ex(const byte* in, word32 inLen,
- curve25519_key* key, int endian)
- {
- #ifdef FREESCALE_LTC_ECC
- ltc_pkha_ecc_point_t ltcPoint;
- #endif
- /* sanity check */
- if (key == NULL || in == NULL) {
- return BAD_FUNC_ARG;
- }
- /* check size of incoming keys */
- if (inLen != CURVE25519_KEYSIZE) {
- return ECC_BAD_ARG_E;
- }
- /* import public point with endianess */
- curve25519_copy_point(key->p.point, in, endian);
- key->pubSet = 1;
- key->dp = &curve25519_sets[0];
- /* LTC needs also Y coordinate - let's compute it */
- #ifdef FREESCALE_LTC_ECC
- ltcPoint.X = &key->p.point[0];
- ltcPoint.Y = &key->p.pointY[0];
- LTC_PKHA_Curve25519ComputeY(<cPoint);
- #endif
- return 0;
- }
- /* Check the public key value (big or little endian)
- *
- * pub Public key bytes.
- * pubSz Size of public key in bytes.
- * endian Public key bytes passed in as big-endian or little-endian.
- * returns BAD_FUNC_ARGS when pub is NULL,
- * BUFFER_E when size of public key is zero;
- * ECC_OUT_OF_RANGE_E if the high bit is set;
- * ECC_BAD_ARG_E if key length is not 32 bytes, public key value is
- * zero or one; and
- * 0 otherwise.
- */
- int wc_curve25519_check_public(const byte* pub, word32 pubSz, int endian)
- {
- word32 i;
- if (pub == NULL)
- return BAD_FUNC_ARG;
- /* Check for empty key data */
- if (pubSz == 0)
- return BUFFER_E;
- /* Check key length */
- if (pubSz != CURVE25519_KEYSIZE)
- return ECC_BAD_ARG_E;
- if (endian == EC25519_LITTLE_ENDIAN) {
- /* Check for value of zero or one */
- for (i = CURVE25519_KEYSIZE - 1; i > 0; i--) {
- if (pub[i] != 0)
- break;
- }
- if (i == 0 && (pub[0] == 0 || pub[0] == 1))
- return ECC_BAD_ARG_E;
- /* Check high bit set */
- if (pub[CURVE25519_KEYSIZE - 1] & 0x80)
- return ECC_OUT_OF_RANGE_E;
- /* Check for order-1 or higher. */
- if (pub[CURVE25519_KEYSIZE - 1] == 0x7f) {
- for (i = CURVE25519_KEYSIZE - 2; i > 0; i--) {
- if (pub[i] != 0xff)
- break;
- }
- if (i == 0 && (pub[0] >= 0xec))
- return ECC_BAD_ARG_E;
- }
- }
- else {
- /* Check for value of zero or one */
- for (i = 0; i < CURVE25519_KEYSIZE - 1; i++) {
- if (pub[i] != 0)
- break;
- }
- if (i == CURVE25519_KEYSIZE - 1 && (pub[i] == 0 || pub[i] == 1))
- return ECC_BAD_ARG_E;
- /* Check high bit set */
- if (pub[0] & 0x80)
- return ECC_OUT_OF_RANGE_E;
- /* Check for order-1 or higher. */
- if (pub[0] == 0x7f) {
- for (i = 1; i < CURVE25519_KEYSIZE - 1; i++) {
- if (pub[i] != 0)
- break;
- }
- if (i == CURVE25519_KEYSIZE - 1 && (pub[i] >= 0xec))
- return ECC_BAD_ARG_E;
- }
- }
- return 0;
- }
- #endif /* HAVE_CURVE25519_KEY_IMPORT */
- #ifdef HAVE_CURVE25519_KEY_EXPORT
- /* export curve25519 private key only raw (Big endian)
- * outLen is in/out size
- * return 0 on success */
- int wc_curve25519_export_private_raw(curve25519_key* key, byte* out,
- word32* outLen)
- {
- return wc_curve25519_export_private_raw_ex(key, out, outLen,
- EC25519_BIG_ENDIAN);
- }
- /* export curve25519 private key only raw (Big or Little endian)
- * outLen is in/out size
- * return 0 on success */
- int wc_curve25519_export_private_raw_ex(curve25519_key* key, byte* out,
- word32* outLen, int endian)
- {
- /* sanity check */
- if (key == NULL || out == NULL || outLen == NULL)
- return BAD_FUNC_ARG;
- /* check size of outgoing buffer */
- if (*outLen < CURVE25519_KEYSIZE) {
- *outLen = CURVE25519_KEYSIZE;
- return ECC_BAD_ARG_E;
- }
- /* export private scalar with endianess */
- curve25519_copy_point(out, key->k, endian);
- *outLen = CURVE25519_KEYSIZE;
- return 0;
- }
- /* curve25519 key pair export (Big or Little endian)
- * return 0 on success */
- int wc_curve25519_export_key_raw(curve25519_key* key,
- byte* priv, word32 *privSz,
- byte* pub, word32 *pubSz)
- {
- return wc_curve25519_export_key_raw_ex(key, priv, privSz,
- pub, pubSz, EC25519_BIG_ENDIAN);
- }
- /* curve25519 key pair export (Big or Little endian)
- * return 0 on success */
- int wc_curve25519_export_key_raw_ex(curve25519_key* key,
- byte* priv, word32 *privSz,
- byte* pub, word32 *pubSz,
- int endian)
- {
- int ret;
- /* export private part */
- ret = wc_curve25519_export_private_raw_ex(key, priv, privSz, endian);
- if (ret != 0)
- return ret;
- /* export public part */
- return wc_curve25519_export_public_ex(key, pub, pubSz, endian);
- }
- #endif /* HAVE_CURVE25519_KEY_EXPORT */
- #ifdef HAVE_CURVE25519_KEY_IMPORT
- /* curve25519 private key import (Big endian)
- * Public key to match private key needs to be imported too
- * return 0 on success */
- int wc_curve25519_import_private_raw(const byte* priv, word32 privSz,
- const byte* pub, word32 pubSz,
- curve25519_key* key)
- {
- return wc_curve25519_import_private_raw_ex(priv, privSz, pub, pubSz,
- key, EC25519_BIG_ENDIAN);
- }
- /* curve25519 private key import (Big or Little endian)
- * Public key to match private key needs to be imported too
- * return 0 on success */
- int wc_curve25519_import_private_raw_ex(const byte* priv, word32 privSz,
- const byte* pub, word32 pubSz,
- curve25519_key* key, int endian)
- {
- int ret;
- /* import private part */
- ret = wc_curve25519_import_private_ex(priv, privSz, key, endian);
- if (ret != 0)
- return ret;
- /* import public part */
- return wc_curve25519_import_public_ex(pub, pubSz, key, endian);
- }
- /* curve25519 private key import only. (Big endian)
- * return 0 on success */
- int wc_curve25519_import_private(const byte* priv, word32 privSz,
- curve25519_key* key)
- {
- return wc_curve25519_import_private_ex(priv, privSz,
- key, EC25519_BIG_ENDIAN);
- }
- /* curve25519 private key import only. (Big or Little endian)
- * return 0 on success */
- int wc_curve25519_import_private_ex(const byte* priv, word32 privSz,
- curve25519_key* key, int endian)
- {
- /* sanity check */
- if (key == NULL || priv == NULL) {
- return BAD_FUNC_ARG;
- }
- /* check size of incoming keys */
- if ((int)privSz != CURVE25519_KEYSIZE) {
- return ECC_BAD_ARG_E;
- }
- #ifdef WOLFSSL_SE050
- /* release NXP resources if set */
- se050_curve25519_free_key(key);
- #endif
- /* import private scalar with endianess */
- curve25519_copy_point(key->k, priv, endian);
- key->privSet = 1;
- key->dp = &curve25519_sets[0];
- /* Clamp the key */
- return curve25519_priv_clamp(key->k);
- }
- #endif /* HAVE_CURVE25519_KEY_IMPORT */
- int wc_curve25519_init_ex(curve25519_key* key, void* heap, int devId)
- {
- if (key == NULL)
- return BAD_FUNC_ARG;
- XMEMSET(key, 0, sizeof(*key));
- /* currently the format for curve25519 */
- key->dp = &curve25519_sets[0];
- #ifdef WOLF_CRYPTO_CB
- key->devId = devId;
- #else
- (void)devId;
- #endif
- (void)heap; /* if needed for XMALLOC/XFREE in future */
- #ifndef FREESCALE_LTC_ECC
- fe_init();
- #endif
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("wc_curve25519_init_ex key->k", key->k, CURVE25519_KEYSIZE);
- #endif
- return 0;
- }
- int wc_curve25519_init(curve25519_key* key)
- {
- return wc_curve25519_init_ex(key, NULL, INVALID_DEVID);
- }
- /* Clean the memory of a key */
- void wc_curve25519_free(curve25519_key* key)
- {
- if (key == NULL)
- return;
- #ifdef WOLFSSL_SE050
- se050_curve25519_free_key(key);
- #endif
- key->dp = NULL;
- ForceZero(key->k, sizeof(key->k));
- XMEMSET(&key->p, 0, sizeof(key->p));
- key->pubSet = 0;
- key->privSet = 0;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Check(key, sizeof(curve25519_key));
- #endif
- }
- /* get key size */
- int wc_curve25519_size(curve25519_key* key)
- {
- if (key == NULL)
- return 0;
- return key->dp->size;
- }
- #endif /*HAVE_CURVE25519*/
|