// This file was extracted from the TCG Published // Trusted Platform Module Library // Part 4: Supporting Routines // Family "2.0" // Level 00 Revision 01.16 // October 30, 2014 #include <string.h> #include "OsslCryptoEngine.h" #ifdef TPM_ALG_ECC #include "CpriDataEcc.h" #include "CpriDataEcc.c" // // // Functions // // _cpri__EccStartup() // // This function is called at TPM Startup to initialize the crypto units. // In this implementation, no initialization is performed at startup but a future version may initialize the self- // test functions here. // LIB_EXPORT BOOL _cpri__EccStartup( void ) { return TRUE; } // // // _cpri__GetCurveIdByIndex() // // This function returns the number of the i-th implemented curve. The normal use would be to call this // function with i starting at 0. When the i is greater than or equal to the number of implemented curves, // TPM_ECC_NONE is returned. // LIB_EXPORT TPM_ECC_CURVE _cpri__GetCurveIdByIndex( UINT16 i ) { if(i >= ECC_CURVE_COUNT) return TPM_ECC_NONE; return eccCurves[i].curveId; } LIB_EXPORT UINT32 _cpri__EccGetCurveCount( void ) { return ECC_CURVE_COUNT; } // // // _cpri__EccGetParametersByCurveId() // // This function returns a pointer to the curve data that is associated with the indicated curveId. If there is no // curve with the indicated ID, the function returns NULL. // // // // // Return Value Meaning // // NULL curve with the indicated TPM_ECC_CURVE value is not // implemented // non-NULL pointer to the curve data // LIB_EXPORT const ECC_CURVE * _cpri__EccGetParametersByCurveId( TPM_ECC_CURVE curveId // IN: the curveID ) { int i; for(i = 0; i < ECC_CURVE_COUNT; i++) { if(eccCurves[i].curveId == curveId) return &eccCurves[i]; } FAIL(FATAL_ERROR_INTERNAL); return NULL; // Never reached. } static const ECC_CURVE_DATA * GetCurveData( TPM_ECC_CURVE curveId // IN: the curveID ) { const ECC_CURVE *curve = _cpri__EccGetParametersByCurveId(curveId); return curve->curveData; } // // // Point2B() // // This function makes a TPMS_ECC_POINT from a BIGNUM EC_POINT. // static BOOL Point2B( EC_GROUP *group, // IN: group for the point TPMS_ECC_POINT *p, // OUT: receives the converted point EC_POINT *ecP, // IN: the point to convert INT16 size, // IN: size of the coordinates BN_CTX *context // IN: working context ) { BIGNUM *bnX; BIGNUM *bnY; BN_CTX_start(context); bnX = BN_CTX_get(context); bnY = BN_CTX_get(context); if( bnY == NULL // Get the coordinate values || EC_POINT_get_affine_coordinates_GFp(group, ecP, bnX, bnY, context) != 1 // Convert x || (!BnTo2B(&p->x.b, bnX, size)) // Convert y || (!BnTo2B(&p->y.b, bnY, size)) ) FAIL(FATAL_ERROR_INTERNAL); BN_CTX_end(context); return TRUE; } // // // EccCurveInit() // // This function initializes the OpenSSL() group definition structure // This function is only used within this file. // It is a fatal error if groupContext is not provided. // // Return Value Meaning // // NULL the TPM_ECC_CURVE is not valid // non-NULL points to a structure in groupContext static EC_GROUP * // static EC_GROUP * EccCurveInit( TPM_ECC_CURVE curveId, // IN: the ID of the curve BN_CTX *groupContext // IN: the context in which the group is to be // created ) { const ECC_CURVE_DATA *curveData = GetCurveData(curveId); EC_GROUP *group = NULL; EC_POINT *P = NULL; BN_CTX *context; BIGNUM *bnP; BIGNUM *bnA; BIGNUM *bnB; BIGNUM *bnX; BIGNUM *bnY; BIGNUM *bnN; BIGNUM *bnH; int ok = FALSE; // Context must be provided and curve selector must be valid pAssert(groupContext != NULL && curveData != NULL); context = BN_CTX_new(); if(context == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnP = BN_CTX_get(context); bnA = BN_CTX_get(context); bnB = BN_CTX_get(context); bnX = BN_CTX_get(context); bnY = BN_CTX_get(context); bnN = BN_CTX_get(context); bnH = BN_CTX_get(context); if (bnH == NULL) goto Cleanup; // Convert the number formats BnFrom2B(bnP, curveData->p); BnFrom2B(bnA, curveData->a); BnFrom2B(bnB, curveData->b); BnFrom2B(bnX, curveData->x); BnFrom2B(bnY, curveData->y); BnFrom2B(bnN, curveData->n); BnFrom2B(bnH, curveData->h); // initialize EC group, associate a generator point and initialize the point // from the parameter data ok = ( (group = EC_GROUP_new_curve_GFp(bnP, bnA, bnB, groupContext)) != NULL && (P = EC_POINT_new(group)) != NULL && EC_POINT_set_affine_coordinates_GFp(group, P, bnX, bnY, groupContext) && EC_GROUP_set_generator(group, P, bnN, bnH) ); Cleanup: if (!ok && group != NULL) { EC_GROUP_free(group); group = NULL; } if(P != NULL) EC_POINT_free(P); BN_CTX_end(context); BN_CTX_free(context); return group; } // // // PointFrom2B() // // This function sets the coordinates of an existing BN Point from a TPMS_ECC_POINT. // static EC_POINT * PointFrom2B( EC_GROUP *group, // IN: the group for the point EC_POINT *ecP, // IN: an existing BN point in the group TPMS_ECC_POINT *p, // IN: the 2B coordinates of the point BN_CTX *context // IN: the BIGNUM context ) { BIGNUM *bnX; BIGNUM *bnY; // If the point is not allocated then just return a NULL if(ecP == NULL) return NULL; BN_CTX_start(context); bnX = BN_CTX_get(context); bnY = BN_CTX_get(context); if( // Set the coordinates of the point bnY == NULL || BN_bin2bn(p->x.t.buffer, p->x.t.size, bnX) == NULL || BN_bin2bn(p->y.t.buffer, p->y.t.size, bnY) == NULL || !EC_POINT_set_affine_coordinates_GFp(group, ecP, bnX, bnY, context) ) FAIL(FATAL_ERROR_INTERNAL); BN_CTX_end(context); return ecP; } // // // EccInitPoint2B() // // This function allocates a point in the provided group and initializes it with the values in a // TPMS_ECC_POINT. // static EC_POINT * EccInitPoint2B( EC_GROUP *group, // IN: group for the point TPMS_ECC_POINT *p, // IN: the coordinates for the point BN_CTX *context // IN: the BIGNUM context ) { EC_POINT *ecP; BN_CTX_start(context); ecP = EC_POINT_new(group); if(PointFrom2B(group, ecP, p, context) == NULL) FAIL(FATAL_ERROR_INTERNAL); BN_CTX_end(context); return ecP; } // // // PointMul() // // This function does a point multiply and checks for the result being the point at infinity. Q = ([A]G + [B]P) // // Return Value Meaning // // CRYPT_NO_RESULT point is at infinity // CRYPT_SUCCESS point not at infinity // static CRYPT_RESULT PointMul( EC_GROUP *group, // IN: group curve EC_POINT *ecpQ, // OUT: result BIGNUM *bnA, // IN: scalar for [A]G EC_POINT *ecpP, // IN: point for [B]P BIGNUM *bnB, // IN: scalar for [B]P BN_CTX *context // IN: working context ) { if(EC_POINT_mul(group, ecpQ, bnA, ecpP, bnB, context) != 1) FAIL(FATAL_ERROR_INTERNAL); if(EC_POINT_is_at_infinity(group, ecpQ)) return CRYPT_NO_RESULT; return CRYPT_SUCCESS; } // // // GetRandomPrivate() // // This function gets a random value (d) to use as a private ECC key and then qualifies the key so that it is // between 0 < d < n. // It is a fatal error if dOut or pIn is not provided or if the size of pIn is larger than MAX_ECC_KEY_BYTES // (the largest buffer size of a TPM2B_ECC_PARAMETER) // static void GetRandomPrivate( TPM2B_ECC_PARAMETER *dOut, // OUT: the qualified random value const TPM2B *pIn // IN: the maximum value for the key ) { int i; BYTE *pb; pAssert(pIn != NULL && dOut != NULL && pIn->size <= MAX_ECC_KEY_BYTES); // Set the size of the output dOut->t.size = pIn->size; // Get some random bits while(TRUE) { _cpri__GenerateRandom(dOut->t.size, dOut->t.buffer); // See if the d < n if(memcmp(dOut->t.buffer, pIn->buffer, pIn->size) < 0) { // dOut < n so make sure that 0 < dOut for(pb = dOut->t.buffer, i = dOut->t.size; i > 0; i--) { if(*pb++ != 0) return; } } } } // // // _cpri__EccPointMultiply // // This function computes 'R := [dIn]G + [uIn]QIn. Where dIn and uIn are scalars, G and QIn are points on // the specified curve and G is the default generator of the curve. // The xOut and yOut parameters are optional and may be set to NULL if not used. // It is not necessary to provide uIn if QIn is specified but one of uIn and dIn must be provided. If dIn and // QIn are specified but uIn is not provided, then R = [dIn]QIn. // If the multiply produces the point at infinity, the CRYPT_NO_RESULT is returned. // The sizes of xOut and yOut' will be set to be the size of the degree of the curve // It is a fatal error if dIn and uIn are both unspecified (NULL) or if Qin or Rout is unspecified. // // // // // Return Value Meaning // // CRYPT_SUCCESS point multiplication succeeded // CRYPT_POINT the point Qin is not on the curve // CRYPT_NO_RESULT the product point is at infinity // LIB_EXPORT CRYPT_RESULT _cpri__EccPointMultiply( TPMS_ECC_POINT *Rout, // OUT: the product point R TPM_ECC_CURVE curveId, // IN: the curve to use TPM2B_ECC_PARAMETER *dIn, // IN: value to multiply against the // curve generator TPMS_ECC_POINT *Qin, // IN: point Q TPM2B_ECC_PARAMETER *uIn // IN: scalar value for the multiplier // of Q ) { BN_CTX *context; BIGNUM *bnD; BIGNUM *bnU; EC_GROUP *group; EC_POINT *R = NULL; EC_POINT *Q = NULL; CRYPT_RESULT retVal = CRYPT_SUCCESS; // Validate that the required parameters are provided. pAssert((dIn != NULL || uIn != NULL) && (Qin != NULL || dIn != NULL)); // If a point is provided for the multiply, make sure that it is on the curve if(Qin != NULL && !_cpri__EccIsPointOnCurve(curveId, Qin)) return CRYPT_POINT; context = BN_CTX_new(); if(context == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnU = BN_CTX_get(context); bnD = BN_CTX_get(context); group = EccCurveInit(curveId, context); // There should be no path for getting a bad curve ID into this function. pAssert(group != NULL); // check allocations should have worked and allocate R if( bnD == NULL || (R = EC_POINT_new(group)) == NULL) FAIL(FATAL_ERROR_ALLOCATION); // If Qin is present, create the point if(Qin != NULL) { // Assume the size variables do not overflow. This should not happen in // the contexts in which this function will be called. assert2Bsize(Qin->x.t); assert2Bsize(Qin->x.t); Q = EccInitPoint2B(group, Qin, context); } if(dIn != NULL) { // Assume the size variables do not overflow, which should not happen in // the contexts that this function will be called. assert2Bsize(dIn->t); BnFrom2B(bnD, &dIn->b); } else bnD = NULL; // If uIn is specified, initialize its BIGNUM if(uIn != NULL) { // Assume the size variables do not overflow, which should not happen in // the contexts that this function will be called. assert2Bsize(uIn->t); BnFrom2B(bnU, &uIn->b); } // If uIn is not specified but Q is, then we are going to // do R = [d]Q else if(Qin != NULL) { bnU = bnD; bnD = NULL; } // If neither Q nor u is specified, then null this pointer else bnU = NULL; // Use the generator of the curve if((retVal = PointMul(group, R, bnD, Q, bnU, context)) == CRYPT_SUCCESS) Point2B(group, Rout, R, (INT16) ((EC_GROUP_get_degree(group)+7)/8), context); if (Q) EC_POINT_free(Q); if(R) EC_POINT_free(R); if(group) EC_GROUP_free(group); BN_CTX_end(context); BN_CTX_free(context); return retVal; } // // // ClearPoint2B() // // Initialize the size values of a point // static void ClearPoint2B( TPMS_ECC_POINT *p // IN: the point ) { if(p != NULL) { p->x.t.size = 0; p->y.t.size = 0; } } #if defined TPM_ALG_ECDAA || defined TPM_ALG_SM2 //% // // // _cpri__EccCommitCompute() // // This function performs the point multiply operations required by TPM2_Commit(). // If B or M is provided, they must be on the curve defined by curveId. This routine does not check that they // are on the curve and results are unpredictable if they are not. // // // // It is a fatal error if r or d is NULL. If B is not NULL, then it is a fatal error if K and L are both NULL. If M is // not NULL, then it is a fatal error if E is NULL. // // Return Value Meaning // // CRYPT_SUCCESS computations completed normally // CRYPT_NO_RESULT if K, L or E was computed to be the point at infinity // CRYPT_CANCEL a cancel indication was asserted during this function // LIB_EXPORT CRYPT_RESULT _cpri__EccCommitCompute( TPMS_ECC_POINT *K, // OUT: [d]B or [r]Q TPMS_ECC_POINT *L, // OUT: [r]B TPMS_ECC_POINT *E, // OUT: [r]M TPM_ECC_CURVE curveId, // IN: the curve for the computations TPMS_ECC_POINT *M, // IN: M (optional) TPMS_ECC_POINT *B, // IN: B (optional) TPM2B_ECC_PARAMETER *d, // IN: d (required) TPM2B_ECC_PARAMETER *r // IN: the computed r value (required) ) { BN_CTX *context; BIGNUM *bnY, *bnR, *bnD; EC_GROUP *group; EC_POINT *pK = NULL, *pL = NULL, *pE = NULL, *pM = NULL, *pB = NULL; UINT16 keySizeInBytes; CRYPT_RESULT retVal = CRYPT_SUCCESS; // Validate that the required parameters are provided. // Note: E has to be provided if computing E := [r]Q or E := [r]M. Will do // E := [r]Q if both M and B are NULL. pAssert((r && (K || !B) && (L || !B)) || (E || (!M && B))); context = BN_CTX_new(); if(context == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnR = BN_CTX_get(context); bnD = BN_CTX_get(context); bnY = BN_CTX_get(context); if(bnY == NULL) FAIL(FATAL_ERROR_ALLOCATION); // Initialize the output points in case they are not computed ClearPoint2B(K); ClearPoint2B(L); ClearPoint2B(E); if((group = EccCurveInit(curveId, context)) == NULL) { retVal = CRYPT_PARAMETER; goto Cleanup2; } keySizeInBytes = (UINT16) ((EC_GROUP_get_degree(group)+7)/8); // Sizes of the r and d parameters may not be zero pAssert(((int) r->t.size > 0) && ((int) d->t.size > 0)); // Convert scalars to BIGNUM BnFrom2B(bnR, &r->b); BnFrom2B(bnD, &d->b); // If B is provided, compute K=[d]B and L=[r]B if(B != NULL) { // Allocate the points to receive the value if( (pK = EC_POINT_new(group)) == NULL || (pL = EC_POINT_new(group)) == NULL) FAIL(FATAL_ERROR_ALLOCATION); // need to compute K = [d]B // Allocate and initialize BIGNUM version of B pB = EccInitPoint2B(group, B, context); // do the math for K = [d]B if((retVal = PointMul(group, pK, NULL, pB, bnD, context)) != CRYPT_SUCCESS) goto Cleanup; // Convert BN K to TPM2B K Point2B(group, K, pK, (INT16)keySizeInBytes, context); // compute L= [r]B after checking for cancel if(_plat__IsCanceled()) { retVal = CRYPT_CANCEL; goto Cleanup; } // compute L = [r]B if((retVal = PointMul(group, pL, NULL, pB, bnR, context)) != CRYPT_SUCCESS) goto Cleanup; // Convert BN L to TPM2B L Point2B(group, L, pL, (INT16)keySizeInBytes, context); } if(M != NULL || B == NULL) { // if this is the third point multiply, check for cancel first if(B != NULL && _plat__IsCanceled()) { retVal = CRYPT_CANCEL; goto Cleanup; } // Allocate E if((pE = EC_POINT_new(group)) == NULL) FAIL(FATAL_ERROR_ALLOCATION); // Create BIGNUM version of M unless M is NULL if(M != NULL) { // M provided so initialize a BIGNUM M and compute E = [r]M pM = EccInitPoint2B(group, M, context); retVal = PointMul(group, pE, NULL, pM, bnR, context); } else // compute E = [r]G (this is only done if M and B are both NULL retVal = PointMul(group, pE, bnR, NULL, NULL, context); if(retVal == CRYPT_SUCCESS) // Convert E to 2B format Point2B(group, E, pE, (INT16)keySizeInBytes, context); } Cleanup: EC_GROUP_free(group); if(pK != NULL) EC_POINT_free(pK); if(pL != NULL) EC_POINT_free(pL); if(pE != NULL) EC_POINT_free(pE); if(pM != NULL) EC_POINT_free(pM); if(pB != NULL) EC_POINT_free(pB); Cleanup2: BN_CTX_end(context); BN_CTX_free(context); return retVal; } #endif //% // // // _cpri__EccIsPointOnCurve() // // This function is used to test if a point is on a defined curve. It does this by checking that y^2 mod p = x^3 // + a*x + b mod p // It is a fatal error if Q is not specified (is NULL). // // Return Value Meaning // // TRUE point is on curve // FALSE point is not on curve or curve is not supported // LIB_EXPORT BOOL _cpri__EccIsPointOnCurve( TPM_ECC_CURVE curveId, // IN: the curve selector TPMS_ECC_POINT *Q // IN: the point. ) { BN_CTX *context; BIGNUM *bnX; BIGNUM *bnY; BIGNUM *bnA; BIGNUM *bnB; BIGNUM *bnP; BIGNUM *bn3; const ECC_CURVE_DATA *curveData = GetCurveData(curveId); BOOL retVal; pAssert(Q != NULL && curveData != NULL); if((context = BN_CTX_new()) == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnX = BN_CTX_get(context); bnY = BN_CTX_get(context); bnA = BN_CTX_get(context); bnB = BN_CTX_get(context); bn3 = BN_CTX_get(context); bnP = BN_CTX_get(context); if(bnP == NULL) FAIL(FATAL_ERROR_ALLOCATION); // Convert values if ( !BN_bin2bn(Q->x.t.buffer, Q->x.t.size, bnX) || !BN_bin2bn(Q->y.t.buffer, Q->y.t.size, bnY) || !BN_bin2bn(curveData->p->buffer, curveData->p->size, bnP) || !BN_bin2bn(curveData->a->buffer, curveData->a->size, bnA) || !BN_set_word(bn3, 3) || !BN_bin2bn(curveData->b->buffer, curveData->b->size, bnB) ) FAIL(FATAL_ERROR_INTERNAL); // The following sequence is probably not optimal but it seems to be correct. // compute x^3 + a*x + b mod p // first, compute a*x mod p if( !BN_mod_mul(bnA, bnA, bnX, bnP, context) // // next, compute a*x + b mod p || !BN_mod_add(bnA, bnA, bnB, bnP, context) // next, compute X^3 mod p || !BN_mod_exp(bnX, bnX, bn3, bnP, context) // finally, compute x^3 + a*x + b mod p || !BN_mod_add(bnX, bnX, bnA, bnP, context) // then compute y^2 || !BN_mod_mul(bnY, bnY, bnY, bnP, context) ) FAIL(FATAL_ERROR_INTERNAL); retVal = BN_cmp(bnX, bnY) == 0; BN_CTX_end(context); BN_CTX_free(context); return retVal; } // // // _cpri__GenerateKeyEcc() // // This function generates an ECC key pair based on the input parameters. This routine uses KDFa() to // produce candidate numbers. The method is according to FIPS 186-3, section B.4.1 "GKey() Pair // Generation Using Extra Random Bits." According to the method in FIPS 186-3, the resulting private value // d should be 1 <= d < n where n is the order of the base point. In this implementation, the range of the // private value is further restricted to be 2^(nLen/2) <= d < n where nLen is the order of n. // // EXAMPLE: If the curve is NIST-P256, then nLen is 256 bits and d will need to be between 2^128 <= d < n // // It is a fatal error if Qout, dOut, or seed is not provided (is NULL). // // Return Value Meaning // // CRYPT_PARAMETER the hash algorithm is not supported // LIB_EXPORT CRYPT_RESULT _cpri__GenerateKeyEcc( TPMS_ECC_POINT *Qout, // OUT: the public point TPM2B_ECC_PARAMETER *dOut, // OUT: the private scalar TPM_ECC_CURVE curveId, // IN: the curve identifier TPM_ALG_ID hashAlg, // IN: hash algorithm to use in the key // generation process TPM2B *seed, // IN: the seed to use const char *label, // IN: A label for the generation // process. TPM2B *extra, // IN: Party 1 data for the KDF UINT32 *counter // IN/OUT: Counter value to allow KDF // iteration to be propagated across // multiple functions ) { const ECC_CURVE_DATA *curveData = GetCurveData(curveId); INT16 keySizeInBytes; UINT32 count = 0; CRYPT_RESULT retVal; UINT16 hLen = _cpri__GetDigestSize(hashAlg); BIGNUM *bnNm1; // Order of the curve minus one BIGNUM *bnD; // the private scalar BN_CTX *context; // the context for the BIGNUM values BYTE withExtra[MAX_ECC_KEY_BYTES + 8]; // trial key with //extra bits TPM2B_4_BYTE_VALUE marshaledCounter = {.t = {4}}; UINT32 totalBits; // Validate parameters (these are fatal) pAssert( seed != NULL && dOut != NULL && Qout != NULL && curveData != NULL); // Non-fatal parameter checks. if(hLen <= 0) return CRYPT_PARAMETER; // allocate the local BN values context = BN_CTX_new(); if(context == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnNm1 = BN_CTX_get(context); bnD = BN_CTX_get(context); // The size of the input scalars is limited by the size of the size of a // TPM2B_ECC_PARAMETER. Make sure that it is not irrational. pAssert((int) curveData->n->size <= MAX_ECC_KEY_BYTES); if( bnD == NULL || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnNm1) == NULL || (keySizeInBytes = (INT16) BN_num_bytes(bnNm1)) > MAX_ECC_KEY_BYTES) FAIL(FATAL_ERROR_INTERNAL); // get the total number of bits totalBits = BN_num_bits(bnNm1) + 64; // Reduce bnNm1 from 'n' to 'n' - 1 BN_sub_word(bnNm1, 1); // Initialize the count value if(counter != NULL) count = *counter; if(count == 0) count = 1; // Start search for key (should be quick) for(; count != 0; count++) { UINT32_TO_BYTE_ARRAY(count, marshaledCounter.t.buffer); _cpri__KDFa(hashAlg, seed, label, extra, &marshaledCounter.b, totalBits, withExtra, NULL, FALSE); // Convert the result and modular reduce // Assume the size variables do not overflow, which should not happen in // the contexts that this function will be called. pAssert(keySizeInBytes <= MAX_ECC_KEY_BYTES); if ( BN_bin2bn(withExtra, keySizeInBytes+8, bnD) == NULL || BN_mod(bnD, bnD, bnNm1, context) != 1) FAIL(FATAL_ERROR_INTERNAL); // Add one to get 0 < d < n BN_add_word(bnD, 1); if(BnTo2B(&dOut->b, bnD, keySizeInBytes) != 1) FAIL(FATAL_ERROR_INTERNAL); // Do the point multiply to create the public portion of the key. If // the multiply generates the point at infinity (unlikely), do another // iteration. if( (retVal = _cpri__EccPointMultiply(Qout, curveId, dOut, NULL, NULL)) != CRYPT_NO_RESULT) break; } if(count == 0) // if counter wrapped, then the TPM should go into failure mode FAIL(FATAL_ERROR_INTERNAL); // Free up allocated BN values BN_CTX_end(context); BN_CTX_free(context); if(counter != NULL) *counter = count; return retVal; } // // // _cpri__GetEphemeralEcc() // // This function creates an ephemeral ECC. It is ephemeral in that is expected that the private part of the // key will be discarded // LIB_EXPORT CRYPT_RESULT _cpri__GetEphemeralEcc( TPMS_ECC_POINT *Qout, // OUT: the public point TPM2B_ECC_PARAMETER *dOut, // OUT: the private scalar TPM_ECC_CURVE curveId // IN: the curve for the key ) { CRYPT_RESULT retVal; const ECC_CURVE_DATA *curveData = GetCurveData(curveId); pAssert(curveData != NULL); // Keep getting random values until one is found that doesn't create a point // at infinity. This will never, ever, ever, ever, ever, happen but if it does // we have to get a next random value. while(TRUE) { GetRandomPrivate(dOut, curveData->p); // _cpri__EccPointMultiply does not return CRYPT_ECC_POINT if no point is // provided. CRYPT_PARAMTER should not be returned because the curve ID // has to be supported. Thus the only possible error is CRYPT_NO_RESULT. retVal = _cpri__EccPointMultiply(Qout, curveId, dOut, NULL, NULL); if(retVal != CRYPT_NO_RESULT) return retVal; // Will return CRYPT_SUCCESS } } #ifdef TPM_ALG_ECDSA //% // // // SignEcdsa() // // This function implements the ECDSA signing algorithm. The method is described in the comments below. // It is a fatal error if rOut, sOut, dIn, or digest are not provided. // LIB_EXPORT CRYPT_RESULT SignEcdsa( TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature TPM_ECC_CURVE curveId, // IN: the curve used in the signature // process TPM2B_ECC_PARAMETER *dIn, // IN: the private key TPM2B *digest // IN: the value to sign ) { BIGNUM *bnK; BIGNUM *bnIk; BIGNUM *bnN; BIGNUM *bnR; // BIGNUM *bnD; BIGNUM *bnZ; TPM2B_ECC_PARAMETER k; TPMS_ECC_POINT R; BN_CTX *context; CRYPT_RESULT retVal = CRYPT_SUCCESS; const ECC_CURVE_DATA *curveData = GetCurveData(curveId); pAssert(rOut != NULL && sOut != NULL && dIn != NULL && digest != NULL); context = BN_CTX_new(); if(context == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnN = BN_CTX_get(context); bnZ = BN_CTX_get(context); bnR = BN_CTX_get(context); bnD = BN_CTX_get(context); bnIk = BN_CTX_get(context); bnK = BN_CTX_get(context); // Assume the size variables do not overflow, which should not happen in // the contexts that this function will be called. pAssert(curveData->n->size <= MAX_ECC_PARAMETER_BYTES); if( bnK == NULL || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL) FAIL(FATAL_ERROR_INTERNAL); // The algorithm as described in "Suite B Implementer's Guide to FIPS 186-3(ECDSA)" // 1. Use one of the routines in Appendix A.2 to generate (k, k^-1), a per-message // secret number and its inverse modulo n. Since n is prime, the // output will be invalid only if there is a failure in the RBG. // 2. Compute the elliptic curve point R = [k]G = (xR, yR) using EC scalar // multiplication (see [Routines]), where G is the base point included in // the set of domain parameters. // 3. Compute r = xR mod n. If r = 0, then return to Step 1. 1. // 4. Use the selected hash function to compute H = Hash(M). // 5. Convert the bit string H to an integer e as described in Appendix B.2. // 6. Compute s = (k^-1 * (e + d * r)) mod n. If s = 0, return to Step 1.2. // 7. Return (r, s). // Generate a random value k in the range 1 <= k < n // Want a K value that is the same size as the curve order k.t.size = curveData->n->size; while(TRUE) // This implements the loop at step 6. If s is zero, start over. { while(TRUE) { // Step 1 and 2 -- generate an ephemeral key and the modular inverse // of the private key. while(TRUE) { GetRandomPrivate(&k, curveData->n); // Do the point multiply to generate a point and check to see if // the point it at infinity if( _cpri__EccPointMultiply(&R, curveId, &k, NULL, NULL) != CRYPT_NO_RESULT) break; // can only be CRYPT_SUCCESS } // x coordinate is mod p. Make it mod n // Assume the size variables do not overflow, which should not happen // in the contexts that this function will be called. assert2Bsize(R.x.t); BN_bin2bn(R.x.t.buffer, R.x.t.size, bnR); BN_mod(bnR, bnR, bnN, context); // Make sure that it is not zero; if(BN_is_zero(bnR)) continue; // Make sure that a modular inverse exists // Assume the size variables do not overflow, which should not happen // in the contexts that this function will be called. assert2Bsize(k.t); BN_bin2bn(k.t.buffer, k.t.size, bnK); if( BN_mod_inverse(bnIk, bnK, bnN, context) != NULL) break; } // Set z = leftmost bits of the digest // NOTE: This is implemented such that the key size needs to be // an even number of bytes in length. if(digest->size > curveData->n->size) { // Assume the size variables do not overflow, which should not happen // in the contexts that this function will be called. pAssert(curveData->n->size <= MAX_ECC_KEY_BYTES); // digest is larger than n so truncate BN_bin2bn(digest->buffer, curveData->n->size, bnZ); } else { // Assume the size variables do not overflow, which should not happen // in the contexts that this function will be called. pAssert(digest->size <= MAX_DIGEST_SIZE); // digest is same or smaller than n so use it all BN_bin2bn(digest->buffer, digest->size, bnZ); } // Assume the size variables do not overflow, which should not happen in // the contexts that this function will be called. assert2Bsize(dIn->t); if( bnZ == NULL // need the private scalar of the signing key || BN_bin2bn(dIn->t.buffer, dIn->t.size, bnD) == NULL) FAIL(FATAL_ERROR_INTERNAL); // NOTE: When the result of an operation is going to be reduced mod x // any modular multiplication is done so that the intermediate values // don't get too large. // // now have inverse of K (bnIk), z (bnZ), r (bnR), d (bnD) and n (bnN) // Compute s = k^-1 (z + r*d)(mod n) // first do d = r*d mod n if( !BN_mod_mul(bnD, bnR, bnD, bnN, context) // d = z + r * d || !BN_add(bnD, bnZ, bnD) // d = k^(-1)(z + r * d)(mod n) || !BN_mod_mul(bnD, bnIk, bnD, bnN, context) // convert to TPM2B format || !BnTo2B(&sOut->b, bnD, curveData->n->size) // and write the modular reduced version of r // NOTE: this was deferred to reduce the number of // error checks. || !BnTo2B(&rOut->b, bnR, curveData->n->size)) FAIL(FATAL_ERROR_INTERNAL); if(!BN_is_zero(bnD)) break; // signature not zero so done // if the signature value was zero, start over } // Free up allocated BN values BN_CTX_end(context); BN_CTX_free(context); return retVal; } #endif //% #if defined TPM_ALG_ECDAA || defined TPM_ALG_ECSCHNORR //% // // // EcDaa() // // This function is used to perform a modified Schnorr signature for ECDAA. // This function performs s = k + T * d mod n where // a) 'k is a random, or pseudo-random value used in the commit phase // b) T is the digest to be signed, and // c) d is a private key. // If tIn is NULL then use tOut as T // // Return Value Meaning // // CRYPT_SUCCESS signature created // static CRYPT_RESULT EcDaa( TPM2B_ECC_PARAMETER *tOut, // OUT: T component of the signature TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature TPM_ECC_CURVE curveId, // IN: the curve used in signing TPM2B_ECC_PARAMETER *dIn, // IN: the private key TPM2B *tIn, // IN: the value to sign TPM2B_ECC_PARAMETER *kIn // IN: a random value from commit ) { BIGNUM *bnN, *bnK, *bnT, *bnD; BN_CTX *context; const TPM2B *n; const ECC_CURVE_DATA *curveData = GetCurveData(curveId); BOOL OK = TRUE; // Parameter checks pAssert( sOut != NULL && dIn != NULL && tOut != NULL && kIn != NULL && curveData != NULL); // this just saves key strokes n = curveData->n; if(tIn != NULL) Copy2B(&tOut->b, tIn); // The size of dIn and kIn input scalars is limited by the size of the size // of a TPM2B_ECC_PARAMETER and tIn can be no larger than a digest. // Make sure they are within range. pAssert( (int) dIn->t.size <= MAX_ECC_KEY_BYTES && (int) kIn->t.size <= MAX_ECC_KEY_BYTES // && (int) tOut->t.size <= MAX_DIGEST_SIZE ); context = BN_CTX_new(); if(context == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnN = BN_CTX_get(context); bnK = BN_CTX_get(context); bnT = BN_CTX_get(context); bnD = BN_CTX_get(context); // Check for allocation problems if(bnD == NULL) FAIL(FATAL_ERROR_ALLOCATION); // Convert values if( BN_bin2bn(n->buffer, n->size, bnN) == NULL || BN_bin2bn(kIn->t.buffer, kIn->t.size, bnK) == NULL || BN_bin2bn(dIn->t.buffer, dIn->t.size, bnD) == NULL || BN_bin2bn(tOut->t.buffer, tOut->t.size, bnT) == NULL) FAIL(FATAL_ERROR_INTERNAL); // Compute T = T mod n OK = OK && BN_mod(bnT, bnT, bnN, context); // compute (s = k + T * d mod n) // d = T * d mod n OK = OK && BN_mod_mul(bnD, bnT, bnD, bnN, context) == 1; // d = k + T * d mod n OK = OK && BN_mod_add(bnD, bnK, bnD, bnN, context) == 1; // s = d OK = OK && BnTo2B(&sOut->b, bnD, n->size); // r = T OK = OK && BnTo2B(&tOut->b, bnT, n->size); if(!OK) FAIL(FATAL_ERROR_INTERNAL); // Cleanup BN_CTX_end(context); BN_CTX_free(context); return CRYPT_SUCCESS; } #endif //% #ifdef TPM_ALG_ECSCHNORR //% // // // Mod2B() // // Function does modular reduction of TPM2B values. // static CRYPT_RESULT Mod2B( TPM2B *x, // IN/OUT: value to reduce const TPM2B *n // IN: mod ) { int compare; compare = _math__uComp(x->size, x->buffer, n->size, n->buffer); if(compare < 0) // if x < n, then mod is x return CRYPT_SUCCESS; if(compare == 0) { // if x == n then mod is 0 x->size = 0; x->buffer[0] = 0; return CRYPT_SUCCESS; } return _math__Div(x, n, NULL, x); } // // // SchnorrEcc() // // This function is used to perform a modified Schnorr signature. // This function will generate a random value k and compute // a) (xR, yR) = [k]G // b) r = hash(P || xR)(mod n) // c) s= k + r * ds // d) return the tuple T, s // // // // // Return Value Meaning // // CRYPT_SUCCESS signature created // CRYPT_SCHEME hashAlg can't produce zero-length digest // static CRYPT_RESULT SchnorrEcc( TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature TPM_ALG_ID hashAlg, // IN: hash algorithm used TPM_ECC_CURVE curveId, // IN: the curve used in signing TPM2B_ECC_PARAMETER *dIn, // IN: the private key TPM2B *digest, // IN: the digest to sign TPM2B_ECC_PARAMETER *kIn // IN: for testing ) { TPM2B_ECC_PARAMETER k; BIGNUM *bnR, *bnN, *bnK, *bnT, *bnD; BN_CTX *context; const TPM2B *n; EC_POINT *pR = NULL; EC_GROUP *group = NULL; CPRI_HASH_STATE hashState; UINT16 digestSize = _cpri__GetDigestSize(hashAlg); const ECC_CURVE_DATA *curveData = GetCurveData(curveId); TPM2B_TYPE(T, MAX(MAX_DIGEST_SIZE, MAX_ECC_PARAMETER_BYTES)); TPM2B_T T2b; BOOL OK = TRUE; // Parameter checks // Must have a place for the 'r' and 's' parts of the signature, a private // key ('d') pAssert( rOut != NULL && sOut != NULL && dIn != NULL && digest != NULL && curveData != NULL); // to save key strokes n = curveData->n; // If the digest does not produce a hash, then null the signature and return // a failure. if(digestSize == 0) { rOut->t.size = 0; sOut->t.size = 0; return CRYPT_SCHEME; } // Allocate big number values context = BN_CTX_new(); if(context == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnR = BN_CTX_get(context); bnN = BN_CTX_get(context); bnK = BN_CTX_get(context); bnT = BN_CTX_get(context); bnD = BN_CTX_get(context); if( bnD == NULL // initialize the group parameters || (group = EccCurveInit(curveId, context)) == NULL // allocate a local point || (pR = EC_POINT_new(group)) == NULL ) FAIL(FATAL_ERROR_ALLOCATION); if(BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL) FAIL(FATAL_ERROR_INTERNAL); while(OK) { // a) set k to a random value such that 1 k n-1 if(kIn != NULL) { Copy2B(&k.b, &kIn->b); // copy input k if testing OK = FALSE; // not OK to loop } else // If get a random value in the correct range GetRandomPrivate(&k, n); // Convert 'k' and generate pR = ['k']G BnFrom2B(bnK, &k.b); // b) compute E (xE, yE) [k]G if(PointMul(group, pR, bnK, NULL, NULL, context) == CRYPT_NO_RESULT) // c) if E is the point at infinity, go to a) continue; // d) compute e xE (mod n) // Get the x coordinate of the point EC_POINT_get_affine_coordinates_GFp(group, pR, bnR, NULL, context); // make (mod n) BN_mod(bnR, bnR, bnN, context); // e) if e is zero, go to a) if(BN_is_zero(bnR)) continue; // Convert xR to a string (use T as a temp) BnTo2B(&T2b.b, bnR, (UINT16)(BN_num_bits(bnR)+7)/8); // f) compute r HschemeHash(P || e) (mod n) _cpri__StartHash(hashAlg, FALSE, &hashState); _cpri__UpdateHash(&hashState, digest->size, digest->buffer); _cpri__UpdateHash(&hashState, T2b.t.size, T2b.t.buffer); if(_cpri__CompleteHash(&hashState, digestSize, T2b.b.buffer) != digestSize) FAIL(FATAL_ERROR_INTERNAL); T2b.t.size = digestSize; BnFrom2B(bnT, &T2b.b); BN_div(NULL, bnT, bnT, bnN, context); BnTo2B(&rOut->b, bnT, (UINT16)BN_num_bytes(bnT)); // We have a value and we are going to exit the loop successfully OK = TRUE; break; } // Cleanup EC_POINT_free(pR); EC_GROUP_free(group); BN_CTX_end(context); BN_CTX_free(context); // If we have a value, finish the signature if(OK) return EcDaa(rOut, sOut, curveId, dIn, NULL, &k); else return CRYPT_NO_RESULT; } #endif //% #ifdef TPM_ALG_SM2 //% #ifdef _SM2_SIGN_DEBUG //% static int cmp_bn2hex( BIGNUM *bn, // IN: big number value const char *c // IN: character string number ) { int result; BIGNUM *bnC = BN_new(); pAssert(bnC != NULL); BN_hex2bn(&bnC, c); result = BN_ucmp(bn, bnC); BN_free(bnC); return result; } static int cmp_2B2hex( TPM2B *a, // IN: TPM2B number to compare const char *c // IN: character string ) { int result; int sl = strlen(c); BIGNUM *bnA; result = (a->size * 2) - sl; if(result != 0) return result; pAssert((bnA = BN_bin2bn(a->buffer, a->size, NULL)) != NULL); result = cmp_bn2hex(bnA, c); BN_free(bnA); return result; } static void cpy_hexTo2B( TPM2B *b, // OUT: receives value const char *c // IN: source string ) { BIGNUM *bnB = BN_new(); pAssert((strlen(c) & 1) == 0); // must have an even number of digits b->size = strlen(c) / 2; BN_hex2bn(&bnB, c); pAssert(bnB != NULL); BnTo2B(b, bnB, b->size); BN_free(bnB); } #endif //% _SM2_SIGN_DEBUG // // // SignSM2() // // This function signs a digest using the method defined in SM2 Part 2. The method in the standard will add // a header to the message to be signed that is a hash of the values that define the key. This then hashed // with the message to produce a digest (e) that is signed. This function signs e. // // // // // Return Value Meaning // // CRYPT_SUCCESS sign worked // static CRYPT_RESULT SignSM2( TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature TPM_ECC_CURVE curveId, // IN: the curve used in signing TPM2B_ECC_PARAMETER *dIn, // IN: the private key TPM2B *digest // IN: the digest to sign ) { BIGNUM *bnR; BIGNUM *bnS; BIGNUM *bnN; BIGNUM *bnK; BIGNUM *bnX1; BIGNUM *bnD; BIGNUM *bnT; // temp BIGNUM *bnE; BN_CTX *context; TPM2B_ECC_PARAMETER k; TPMS_ECC_POINT p2Br; const ECC_CURVE_DATA *curveData = GetCurveData(curveId); pAssert(curveData != NULL); context = BN_CTX_new(); BN_CTX_start(context); bnK = BN_CTX_get(context); bnR = BN_CTX_get(context); bnS = BN_CTX_get(context); bnX1 = BN_CTX_get(context); bnN = BN_CTX_get(context); bnD = BN_CTX_get(context); bnT = BN_CTX_get(context); bnE = BN_CTX_get(context); if(bnE == NULL) FAIL(FATAL_ERROR_ALLOCATION); BnFrom2B(bnE, digest); BnFrom2B(bnN, curveData->n); BnFrom2B(bnD, &dIn->b); #ifdef _SM2_SIGN_DEBUG BN_hex2bn(&bnE, "B524F552CD82B8B028476E005C377FB19A87E6FC682D48BB5D42E3D9B9EFFE76"); BN_hex2bn(&bnD, "128B2FA8BD433C6C068C8D803DFF79792A519A55171B1B650C23661D15897263"); #endif // A3: Use random number generator to generate random number 1 <= k <= n-1; // NOTE: Ax: numbers are from the SM2 standard k.t.size = curveData->n->size; loop: { // Get a random number _cpri__GenerateRandom(k.t.size, k.t.buffer); #ifdef _SM2_SIGN_DEBUG BN_hex2bn(&bnK, "6CB28D99385C175C94F94E934817663FC176D925DD72B727260DBAAE1FB2F96F"); BnTo2B(&k.b,bnK, 32); k.t.size = 32; #endif //make sure that the number is 0 < k < n BnFrom2B(bnK, &k.b); if( BN_ucmp(bnK, bnN) >= 0 || BN_is_zero(bnK)) goto loop; // A4: Figure out the point of elliptic curve (x1, y1)=[k]G, and according // to details specified in 4.2.7 in Part 1 of this document, transform the // data type of x1 into an integer; if( _cpri__EccPointMultiply(&p2Br, curveId, &k, NULL, NULL) == CRYPT_NO_RESULT) goto loop; BnFrom2B(bnX1, &p2Br.x.b); // A5: Figure out r = (e + x1) mod n, if(!BN_mod_add(bnR, bnE, bnX1, bnN, context)) FAIL(FATAL_ERROR_INTERNAL); #ifdef _SM2_SIGN_DEBUG pAssert(cmp_bn2hex(bnR, "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1") == 0); #endif // if r=0 or r+k=n, return to A3; if(!BN_add(bnT, bnK, bnR)) FAIL(FATAL_ERROR_INTERNAL); if(BN_is_zero(bnR) || BN_ucmp(bnT, bnN) == 0) goto loop; // A6: Figure out s = ((1 + dA)^-1 (k - r dA)) mod n, if s=0, return to A3; // compute t = (1+d)-1 BN_copy(bnT, bnD); if( !BN_add_word(bnT, 1) || !BN_mod_inverse(bnT, bnT, bnN, context) // (1 + dA)^-1 mod n ) FAIL(FATAL_ERROR_INTERNAL); #ifdef _SM2_SIGN_DEBUG pAssert(cmp_bn2hex(bnT, "79BFCF3052C80DA7B939E0C6914A18CBB2D96D8555256E83122743A7D4F5F956") == 0); #endif // compute s = t * (k - r * dA) mod n if( !BN_mod_mul(bnS, bnD, bnR, bnN, context) // (r * dA) mod n || !BN_mod_sub(bnS, bnK, bnS, bnN, context) // (k - (r * dA) mod n || !BN_mod_mul(bnS, bnT, bnS, bnN, context))// t * (k - (r * dA) mod n FAIL(FATAL_ERROR_INTERNAL); #ifdef _SM2_SIGN_DEBUG pAssert(cmp_bn2hex(bnS, "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7") == 0); #endif if(BN_is_zero(bnS)) goto loop; } // A7: According to details specified in 4.2.1 in Part 1 of this document, transform // the data type of r, s into bit strings, signature of message M is (r, s). BnTo2B(&rOut->b, bnR, curveData->n->size); BnTo2B(&sOut->b, bnS, curveData->n->size); #ifdef _SM2_SIGN_DEBUG pAssert(cmp_2B2hex(&rOut->b, "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1") == 0); pAssert(cmp_2B2hex(&sOut->b, "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7") == 0); #endif BN_CTX_end(context); BN_CTX_free(context); return CRYPT_SUCCESS; } #endif //% TPM_ALG_SM2 // // // _cpri__SignEcc() // // This function is the dispatch function for the various ECC-based signing schemes. // // Return Value Meaning // // CRYPT_SCHEME scheme is not supported // LIB_EXPORT CRYPT_RESULT _cpri__SignEcc( TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature TPM_ALG_ID scheme, // IN: the scheme selector TPM_ALG_ID hashAlg, // IN: the hash algorithm if need TPM_ECC_CURVE curveId, // IN: the curve used in the signature // process TPM2B_ECC_PARAMETER *dIn, // IN: the private key TPM2B *digest, // IN: the digest to sign TPM2B_ECC_PARAMETER *kIn // IN: k for input ) { switch (scheme) { case TPM_ALG_ECDSA: // SignEcdsa always works return SignEcdsa(rOut, sOut, curveId, dIn, digest); break; #ifdef TPM_ALG_ECDAA case TPM_ALG_ECDAA: if(rOut != NULL) rOut->b.size = 0; return EcDaa(rOut, sOut, curveId, dIn, digest, kIn); break; #endif #ifdef TPM_ALG_ECSCHNORR case TPM_ALG_ECSCHNORR: return SchnorrEcc(rOut, sOut, hashAlg, curveId, dIn, digest, kIn); break; #endif #ifdef TPM_ALG_SM2 case TPM_ALG_SM2: return SignSM2(rOut, sOut, curveId, dIn, digest); break; #endif default: return CRYPT_SCHEME; } } #ifdef TPM_ALG_ECDSA //% // // // ValidateSignatureEcdsa() // // This function validates an ECDSA signature. rIn and sIn shoudl have been checked to make sure that // they are not zero. // // Return Value Meaning // // CRYPT_SUCCESS signature valid // CRYPT_FAIL signature not valid // static CRYPT_RESULT ValidateSignatureEcdsa( TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature TPM_ECC_CURVE curveId, // IN: the curve used in the signature // process TPMS_ECC_POINT *Qin, // IN: the public point of the key TPM2B *digest // IN: the digest that was signed ) { TPM2B_ECC_PARAMETER U1; TPM2B_ECC_PARAMETER U2; TPMS_ECC_POINT R; const TPM2B *n; BN_CTX *context; EC_POINT *pQ = NULL; EC_GROUP *group = NULL; BIGNUM *bnU1; BIGNUM *bnU2; BIGNUM *bnR; BIGNUM *bnS; BIGNUM *bnW; BIGNUM *bnV; BIGNUM *bnN; BIGNUM *bnE; BIGNUM *bnQx; BIGNUM *bnQy; CRYPT_RESULT retVal = CRYPT_FAIL; int t; const ECC_CURVE_DATA *curveData = GetCurveData(curveId); // The curve selector should have been filtered by the unmarshaling process pAssert (curveData != NULL); n = curveData->n; // 1. If r and s are not both integers in the interval [1, n - 1], output // INVALID. // rIn and sIn are known to be greater than zero (was checked by the caller). if( _math__uComp(rIn->t.size, rIn->t.buffer, n->size, n->buffer) >= 0 || _math__uComp(sIn->t.size, sIn->t.buffer, n->size, n->buffer) >= 0 ) return CRYPT_FAIL; context = BN_CTX_new(); if(context == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnR = BN_CTX_get(context); bnS = BN_CTX_get(context); bnN = BN_CTX_get(context); bnE = BN_CTX_get(context); bnV = BN_CTX_get(context); bnW = BN_CTX_get(context); bnQx = BN_CTX_get(context); bnQy = BN_CTX_get(context); bnU1 = BN_CTX_get(context); bnU2 = BN_CTX_get(context); // Assume the size variables do not overflow, which should not happen in // the contexts that this function will be called. assert2Bsize(Qin->x.t); assert2Bsize(rIn->t); assert2Bsize(sIn->t); // BN_CTX_get() is sticky so only need to check the last value to know that // all worked. if( bnU2 == NULL // initialize the group parameters || (group = EccCurveInit(curveId, context)) == NULL // allocate a local point || (pQ = EC_POINT_new(group)) == NULL // use the public key values (QxIn and QyIn) to initialize Q || BN_bin2bn(Qin->x.t.buffer, Qin->x.t.size, bnQx) == NULL || BN_bin2bn(Qin->x.t.buffer, Qin->x.t.size, bnQy) == NULL || !EC_POINT_set_affine_coordinates_GFp(group, pQ, bnQx, bnQy, context) // convert the signature values || BN_bin2bn(rIn->t.buffer, rIn->t.size, bnR) == NULL || BN_bin2bn(sIn->t.buffer, sIn->t.size, bnS) == NULL // convert the curve order || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL) FAIL(FATAL_ERROR_INTERNAL); // 2. Use the selected hash function to compute H0 = Hash(M0). // This is an input parameter // 3. Convert the bit string H0 to an integer e as described in Appendix B.2. t = (digest->size > rIn->t.size) ? rIn->t.size : digest->size; if(BN_bin2bn(digest->buffer, t, bnE) == NULL) FAIL(FATAL_ERROR_INTERNAL); // 4. Compute w = (s')^-1 mod n, using the routine in Appendix B.1. if (BN_mod_inverse(bnW, bnS, bnN, context) == NULL) FAIL(FATAL_ERROR_INTERNAL); // 5. Compute u1 = (e' * w) mod n, and compute u2 = (r' * w) mod n. if( !BN_mod_mul(bnU1, bnE, bnW, bnN, context) || !BN_mod_mul(bnU2, bnR, bnW, bnN, context)) FAIL(FATAL_ERROR_INTERNAL); BnTo2B(&U1.b, bnU1, (INT16) BN_num_bytes(bnU1)); BnTo2B(&U2.b, bnU2, (INT16) BN_num_bytes(bnU2)); // 6. Compute the elliptic curve point R = (xR, yR) = u1G+u2Q, using EC // scalar multiplication and EC addition (see [Routines]). If R is equal to // the point at infinity O, output INVALID. if(_cpri__EccPointMultiply(&R, curveId, &U1, Qin, &U2) == CRYPT_SUCCESS) { // 7. Compute v = Rx mod n. if( BN_bin2bn(R.x.t.buffer, R.x.t.size, bnV) == NULL || !BN_mod(bnV, bnV, bnN, context)) FAIL(FATAL_ERROR_INTERNAL); // 8. Compare v and r0. If v = r0, output VALID; otherwise, output INVALID if(BN_cmp(bnV, bnR) == 0) retVal = CRYPT_SUCCESS; } if(pQ != NULL) EC_POINT_free(pQ); if(group != NULL) EC_GROUP_free(group); BN_CTX_end(context); BN_CTX_free(context); return retVal; } #endif //% TPM_ALG_ECDSA #ifdef TPM_ALG_ECSCHNORR //% // // // ValidateSignatureEcSchnorr() // // This function is used to validate an EC Schnorr signature. rIn and sIn are required to be greater than // zero. This is checked in _cpri__ValidateSignatureEcc(). // // Return Value Meaning // // CRYPT_SUCCESS signature valid // CRYPT_FAIL signature not valid // CRYPT_SCHEME hashAlg is not supported // static CRYPT_RESULT ValidateSignatureEcSchnorr( TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature TPM_ALG_ID hashAlg, // IN: hash algorithm of the signature TPM_ECC_CURVE curveId, // IN: the curve used in the signature // process TPMS_ECC_POINT *Qin, // IN: the public point of the key TPM2B *digest // IN: the digest that was signed ) { TPMS_ECC_POINT pE; const TPM2B *n; CPRI_HASH_STATE hashState; TPM2B_DIGEST rPrime; TPM2B_ECC_PARAMETER minusR; UINT16 digestSize = _cpri__GetDigestSize(hashAlg); const ECC_CURVE_DATA *curveData = GetCurveData(curveId); // The curve parameter should have been filtered by unmarshaling code pAssert(curveData != NULL); if(digestSize == 0) return CRYPT_SCHEME; // Input parameter validation pAssert(rIn != NULL && sIn != NULL && Qin != NULL && digest != NULL); n = curveData->n; // if sIn or rIn are not between 1 and N-1, signature check fails // sIn and rIn were verified to be non-zero by the caller if( _math__uComp(sIn->b.size, sIn->b.buffer, n->size, n->buffer) >= 0 || _math__uComp(rIn->b.size, rIn->b.buffer, n->size, n->buffer) >= 0 ) return CRYPT_FAIL; //E = [s]InG - [r]InQ _math__sub(n->size, n->buffer, rIn->t.size, rIn->t.buffer, &minusR.t.size, minusR.t.buffer); if(_cpri__EccPointMultiply(&pE, curveId, sIn, Qin, &minusR) != CRYPT_SUCCESS) return CRYPT_FAIL; // Ex = Ex mod N if(Mod2B(&pE.x.b, n) != CRYPT_SUCCESS) FAIL(FATAL_ERROR_INTERNAL); _math__Normalize2B(&pE.x.b); // rPrime = h(digest || pE.x) mod n; _cpri__StartHash(hashAlg, FALSE, &hashState); _cpri__UpdateHash(&hashState, digest->size, digest->buffer); _cpri__UpdateHash(&hashState, pE.x.t.size, pE.x.t.buffer); if(_cpri__CompleteHash(&hashState, digestSize, rPrime.t.buffer) != digestSize) FAIL(FATAL_ERROR_INTERNAL); rPrime.t.size = digestSize; // rPrime = rPrime (mod n) if(Mod2B(&rPrime.b, n) != CRYPT_SUCCESS) FAIL(FATAL_ERROR_INTERNAL); // if the values don't match, then the signature is bad if(_math__uComp(rIn->t.size, rIn->t.buffer, rPrime.t.size, rPrime.t.buffer) != 0) return CRYPT_FAIL; else return CRYPT_SUCCESS; } #endif //% TPM_ALG_ECSCHNORR #ifdef TPM_ALG_SM2 //% // // // ValidateSignatueSM2Dsa() // // This function is used to validate an SM2 signature. // // Return Value Meaning // // CRYPT_SUCCESS signature valid // CRYPT_FAIL signature not valid // static CRYPT_RESULT ValidateSignatureSM2Dsa( TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature TPM_ECC_CURVE curveId, // IN: the curve used in the signature // process TPMS_ECC_POINT *Qin, // IN: the public point of the key TPM2B *digest // IN: the digest that was signed ) { BIGNUM *bnR; BIGNUM *bnRp; BIGNUM *bnT; BIGNUM *bnS; BIGNUM *bnE; BIGNUM *order; EC_POINT *pQ; BN_CTX *context; EC_GROUP *group = NULL; const ECC_CURVE_DATA *curveData = GetCurveData(curveId); BOOL fail = FALSE; // if((context = BN_CTX_new()) == NULL || curveData == NULL) FAIL(FATAL_ERROR_INTERNAL); bnR = BN_CTX_get(context); bnRp= BN_CTX_get(context); bnE = BN_CTX_get(context); bnT = BN_CTX_get(context); bnS = BN_CTX_get(context); order = BN_CTX_get(context); if( order == NULL || (group = EccCurveInit(curveId, context)) == NULL) FAIL(FATAL_ERROR_INTERNAL); #ifdef _SM2_SIGN_DEBUG cpy_hexTo2B(&Qin->x.b, "0AE4C7798AA0F119471BEE11825BE46202BB79E2A5844495E97C04FF4DF2548A"); cpy_hexTo2B(&Qin->y.b, "7C0240F88F1CD4E16352A73C17B7F16F07353E53A176D684A9FE0C6BB798E857"); cpy_hexTo2B(digest, "B524F552CD82B8B028476E005C377FB19A87E6FC682D48BB5D42E3D9B9EFFE76"); #endif pQ = EccInitPoint2B(group, Qin, context); #ifdef _SM2_SIGN_DEBUG pAssert(EC_POINT_get_affine_coordinates_GFp(group, pQ, bnT, bnS, context)); pAssert(cmp_bn2hex(bnT, "0AE4C7798AA0F119471BEE11825BE46202BB79E2A5844495E97C04FF4DF2548A") == 0); pAssert(cmp_bn2hex(bnS, "7C0240F88F1CD4E16352A73C17B7F16F07353E53A176D684A9FE0C6BB798E857") == 0); #endif BnFrom2B(bnR, &rIn->b); BnFrom2B(bnS, &sIn->b); BnFrom2B(bnE, digest); #ifdef _SM2_SIGN_DEBUG // Make sure that the input signature is the test signature pAssert(cmp_2B2hex(&rIn->b, "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1") == 0); pAssert(cmp_2B2hex(&sIn->b, "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7") == 0); #endif // a) verify that r and s are in the inclusive interval 1 to (n 1) if (!EC_GROUP_get_order(group, order, context)) goto Cleanup; fail = (BN_ucmp(bnR, order) >= 0); fail = (BN_ucmp(bnS, order) >= 0) || fail; if(fail) // There is no reason to continue. Since r and s are inputs from the caller, // they can know that the values are not in the proper range. So, exiting here // does not disclose any information. goto Cleanup; // b) compute t := (r + s) mod n if(!BN_mod_add(bnT, bnR, bnS, order, context)) FAIL(FATAL_ERROR_INTERNAL); #ifdef _SM2_SIGN_DEBUG pAssert(cmp_bn2hex(bnT, "2B75F07ED7ECE7CCC1C8986B991F441AD324D6D619FE06DD63ED32E0C997C801") == 0); #endif // c) verify that t > 0 if(BN_is_zero(bnT)) { fail = TRUE; // set to a value that should allow rest of the computations to run without // trouble BN_copy(bnT, bnS); } // d) compute (x, y) := [s]G + [t]Q if(!EC_POINT_mul(group, pQ, bnS, pQ, bnT, context)) FAIL(FATAL_ERROR_INTERNAL); // Get the x coordinate of the point if(!EC_POINT_get_affine_coordinates_GFp(group, pQ, bnT, NULL, context)) FAIL(FATAL_ERROR_INTERNAL); #ifdef _SM2_SIGN_DEBUG pAssert(cmp_bn2hex(bnT, "110FCDA57615705D5E7B9324AC4B856D23E6D9188B2AE47759514657CE25D112") == 0); #endif // e) compute r' := (e + x) mod n (the x coordinate is in bnT) if(!BN_mod_add(bnRp, bnE, bnT, order, context)) FAIL(FATAL_ERROR_INTERNAL); // f) verify that r' = r fail = BN_ucmp(bnR, bnRp) != 0 || fail; Cleanup: if(pQ) EC_POINT_free(pQ); if(group) EC_GROUP_free(group); BN_CTX_end(context); BN_CTX_free(context); if(fail) return CRYPT_FAIL; else return CRYPT_SUCCESS; } #endif //% TPM_ALG_SM2 // // // _cpri__ValidateSignatureEcc() // // This function validates // // Return Value Meaning // // CRYPT_SUCCESS signature is valid // CRYPT_FAIL not a valid signature // CRYPT_SCHEME unsupported scheme // LIB_EXPORT CRYPT_RESULT _cpri__ValidateSignatureEcc( TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature TPM_ALG_ID scheme, // IN: the scheme selector TPM_ALG_ID hashAlg, // IN: the hash algorithm used (not used // in all schemes) TPM_ECC_CURVE curveId, // IN: the curve used in the signature // process TPMS_ECC_POINT *Qin, // IN: the public point of the key TPM2B *digest // IN: the digest that was signed ) { CRYPT_RESULT retVal; // return failure if either part of the signature is zero if(_math__Normalize2B(&rIn->b) == 0 || _math__Normalize2B(&sIn->b) == 0) return CRYPT_FAIL; switch (scheme) { case TPM_ALG_ECDSA: retVal = ValidateSignatureEcdsa(rIn, sIn, curveId, Qin, digest); break; #ifdef TPM_ALG_ECSCHNORR case TPM_ALG_ECSCHNORR: retVal = ValidateSignatureEcSchnorr(rIn, sIn, hashAlg, curveId, Qin, digest); break; #endif #ifdef TPM_ALG_SM2 case TPM_ALG_SM2: retVal = ValidateSignatureSM2Dsa(rIn, sIn, curveId, Qin, digest); #endif default: retVal = CRYPT_SCHEME; break; } return retVal; } #if CC_ZGen_2Phase == YES //% #ifdef TPM_ALG_ECMQV // // // avf1() // // This function does the associated value computation required by MQV key exchange. Process: // a) Convert xQ to an integer xqi using the convention specified in Appendix C.3. // b) Calculate xqm = xqi mod 2^ceil(f/2) (where f = ceil(log2(n)). // c) Calculate the associate value function avf(Q) = xqm + 2ceil(f / 2) // static BOOL avf1( BIGNUM *bnX, // IN/OUT: the reduced value BIGNUM *bnN // IN: the order of the curve ) { // compute f = 2^(ceil(ceil(log2(n)) / 2)) int f = (BN_num_bits(bnN) + 1) / 2; // x' = 2^f + (x mod 2^f) BN_mask_bits(bnX, f); // This is mod 2*2^f but it doesn't matter because // the next operation will SET the extra bit anyway BN_set_bit(bnX, f); return TRUE; } // // // C_2_2_MQV() // // This function performs the key exchange defined in SP800-56A 6.1.1.4 Full MQV, C(2, 2, ECC MQV). // CAUTION: Implementation of this function may require use of essential claims in patents not owned by // TCG members. // Points QsB() and QeB() are required to be on the curve of inQsA. The function will fail, possibly // catastrophically, if this is not the case. // // // // Return Value Meaning // // CRYPT_SUCCESS results is valid // CRYPT_NO_RESULT the value for dsA does not give a valid point on the curve // static CRYPT_RESULT C_2_2_MQV( TPMS_ECC_POINT *outZ, // OUT: the computed point TPM_ECC_CURVE curveId, // IN: the curve for the computations TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key TPMS_ECC_POINT *QsB, // IN: static public party B key TPMS_ECC_POINT *QeB // IN: ephemeral public party B key ) { BN_CTX *context; EC_POINT *pQeA = NULL; EC_POINT *pQeB = NULL; EC_POINT *pQsB = NULL; EC_GROUP *group = NULL; BIGNUM *bnTa; BIGNUM *bnDeA; BIGNUM *bnDsA; BIGNUM *bnXeA; // x coordinate of ephemeral party A key BIGNUM *bnH; BIGNUM *bnN; BIGNUM *bnXeB; const ECC_CURVE_DATA *curveData = GetCurveData(curveId); CRYPT_RESULT retVal; pAssert( curveData != NULL && outZ != NULL && dsA != NULL && deA != NULL && QsB != NULL && QeB != NULL); context = BN_CTX_new(); if(context == NULL || curveData == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnTa = BN_CTX_get(context); bnDeA = BN_CTX_get(context); bnDsA = BN_CTX_get(context); bnXeA = BN_CTX_get(context); bnH = BN_CTX_get(context); bnN = BN_CTX_get(context); bnXeB = BN_CTX_get(context); if(bnXeB == NULL) FAIL(FATAL_ERROR_ALLOCATION); // Process: // 1. implicitsigA = (de,A + avf(Qe,A)ds,A ) mod n. // 2. P = h(implicitsigA)(Qe,B + avf(Qe,B)Qs,B). // 3. If P = O, output an error indicator. // 4. Z=xP, where xP is the x-coordinate of P. // Initialize group parameters and local values of input if((group = EccCurveInit(curveId, context)) == NULL) FAIL(FATAL_ERROR_INTERNAL); if((pQeA = EC_POINT_new(group)) == NULL) FAIL(FATAL_ERROR_ALLOCATION); BnFrom2B(bnDeA, &deA->b); BnFrom2B(bnDsA, &dsA->b); BnFrom2B(bnH, curveData->h); BnFrom2B(bnN, curveData->n); BnFrom2B(bnXeB, &QeB->x.b); pQeB = EccInitPoint2B(group, QeB, context); pQsB = EccInitPoint2B(group, QsB, context); // Compute the public ephemeral key pQeA = [de,A]G if( (retVal = PointMul(group, pQeA, bnDeA, NULL, NULL, context)) != CRYPT_SUCCESS) goto Cleanup; if(EC_POINT_get_affine_coordinates_GFp(group, pQeA, bnXeA, NULL, context) != 1) FAIL(FATAL_ERROR_INTERNAL); // 1. implicitsigA = (de,A + avf(Qe,A)ds,A ) mod n. // tA := (ds,A + de,A avf(Xe,A)) mod n (3) // Compute 'tA' = ('deA' + 'dsA' avf('XeA')) mod n // Ta = avf(XeA); BN_copy(bnTa, bnXeA); avf1(bnTa, bnN); if(// do Ta = ds,A * Ta mod n = dsA * avf(XeA) mod n !BN_mod_mul(bnTa, bnDsA, bnTa, bnN, context) // now Ta = deA + Ta mod n = deA + dsA * avf(XeA) mod n || !BN_mod_add(bnTa, bnDeA, bnTa, bnN, context) ) FAIL(FATAL_ERROR_INTERNAL); // 2. P = h(implicitsigA)(Qe,B + avf(Qe,B)Qs,B). // Put this in because almost every case of h is == 1 so skip the call when // not necessary. if(!BN_is_one(bnH)) { // Cofactor is not 1 so compute Ta := Ta * h mod n if(!BN_mul(bnTa, bnTa, bnH, context)) FAIL(FATAL_ERROR_INTERNAL); } // Now that 'tA' is (h * 'tA' mod n) // 'outZ' = (tA)(Qe,B + avf(Qe,B)Qs,B). // first, compute XeB = avf(XeB) avf1(bnXeB, bnN); // QsB := [XeB]QsB if( !EC_POINT_mul(group, pQsB, NULL, pQsB, bnXeB, context) // QeB := QsB + QeB || !EC_POINT_add(group, pQeB, pQeB, pQsB, context) ) FAIL(FATAL_ERROR_INTERNAL); // QeB := [tA]QeB = [tA](QsB + [Xe,B]QeB) and check for at infinity if(PointMul(group, pQeB, NULL, pQeB, bnTa, context) == CRYPT_SUCCESS) // Convert BIGNUM E to TPM2B E Point2B(group, outZ, pQeB, (INT16)BN_num_bytes(bnN), context); Cleanup: if(pQeA != NULL) EC_POINT_free(pQeA); if(pQeB != NULL) EC_POINT_free(pQeB); if(pQsB != NULL) EC_POINT_free(pQsB); if(group != NULL) EC_GROUP_free(group); BN_CTX_end(context); BN_CTX_free(context); return retVal; } #endif // TPM_ALG_ECMQV #ifdef TPM_ALG_SM2 //% // // // avfSm2() // // This function does the associated value computation required by SM2 key exchange. This is different // form the avf() in the international standards because it returns a value that is half the size of the value // returned by the standard avf. For example, if n is 15, Ws (w in the standard) is 2 but the W here is 1. This // means that an input value of 14 (1110b) would return a value of 110b with the standard but 10b with the // scheme in SM2. // static BOOL avfSm2( BIGNUM *bnX, // IN/OUT: the reduced value BIGNUM *bnN // IN: the order of the curve ) { // a) set w := ceil(ceil(log2(n)) / 2) - 1 int w = ((BN_num_bits(bnN) + 1) / 2) - 1; // b) set x' := 2^w + ( x & (2^w - 1)) // This is just like the avf for MQV where x' = 2^w + (x mod 2^w) BN_mask_bits(bnX, w); // as wiht avf1, this is too big by a factor of 2 but // it doesn't matter becasue we SET the extra bit anyway BN_set_bit(bnX, w); return TRUE; } // // SM2KeyExchange() This function performs the key exchange defined in SM2. The first step is to compute // tA = (dsA + deA avf(Xe,A)) mod n Then, compute the Z value from outZ = (h tA mod n) (QsA + // [avf(QeB().x)](QeB())). The function will compute the ephemeral public key from the ephemeral private // key. All points are required to be on the curve of inQsA. The function will fail catastrophically if this is not // the case // // Return Value Meaning // // CRYPT_SUCCESS results is valid // CRYPT_NO_RESULT the value for dsA does not give a valid point on the curve // static CRYPT_RESULT SM2KeyExchange( TPMS_ECC_POINT *outZ, // OUT: the computed point TPM_ECC_CURVE curveId, // IN: the curve for the computations TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key TPMS_ECC_POINT *QsB, // IN: static public party B key TPMS_ECC_POINT *QeB // IN: ephemeral public party B key ) { BN_CTX *context; EC_POINT *pQeA = NULL; EC_POINT *pQeB = NULL; EC_POINT *pQsB = NULL; EC_GROUP *group = NULL; BIGNUM *bnTa; BIGNUM *bnDeA; BIGNUM *bnDsA; BIGNUM *bnXeA; // x coordinate of ephemeral party A key BIGNUM *bnH; BIGNUM *bnN; BIGNUM *bnXeB; // const ECC_CURVE_DATA *curveData = GetCurveData(curveId); CRYPT_RESULT retVal; pAssert( curveData != NULL && outZ != NULL && dsA != NULL && deA != NULL && QsB != NULL && QeB != NULL); context = BN_CTX_new(); if(context == NULL || curveData == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); bnTa = BN_CTX_get(context); bnDeA = BN_CTX_get(context); bnDsA = BN_CTX_get(context); bnXeA = BN_CTX_get(context); bnH = BN_CTX_get(context); bnN = BN_CTX_get(context); bnXeB = BN_CTX_get(context); if(bnXeB == NULL) FAIL(FATAL_ERROR_ALLOCATION); // Initialize group parameters and local values of input if((group = EccCurveInit(curveId, context)) == NULL) FAIL(FATAL_ERROR_INTERNAL); if((pQeA = EC_POINT_new(group)) == NULL) FAIL(FATAL_ERROR_ALLOCATION); BnFrom2B(bnDeA, &deA->b); BnFrom2B(bnDsA, &dsA->b); BnFrom2B(bnH, curveData->h); BnFrom2B(bnN, curveData->n); BnFrom2B(bnXeB, &QeB->x.b); pQeB = EccInitPoint2B(group, QeB, context); pQsB = EccInitPoint2B(group, QsB, context); // Compute the public ephemeral key pQeA = [de,A]G if( (retVal = PointMul(group, pQeA, bnDeA, NULL, NULL, context)) != CRYPT_SUCCESS) goto Cleanup; if(EC_POINT_get_affine_coordinates_GFp(group, pQeA, bnXeA, NULL, context) != 1) FAIL(FATAL_ERROR_INTERNAL); // tA := (ds,A + de,A avf(Xe,A)) mod n (3) // Compute 'tA' = ('dsA' + 'deA' avf('XeA')) mod n // Ta = avf(XeA); BN_copy(bnTa, bnXeA); avfSm2(bnTa, bnN); if(// do Ta = de,A * Ta mod n = deA * avf(XeA) mod n !BN_mod_mul(bnTa, bnDeA, bnTa, bnN, context) // now Ta = dsA + Ta mod n = dsA + deA * avf(XeA) mod n || !BN_mod_add(bnTa, bnDsA, bnTa, bnN, context) ) FAIL(FATAL_ERROR_INTERNAL); // outZ ? [h tA mod n] (Qs,B + [avf(Xe,B)](Qe,B)) (4) // Put this in because almost every case of h is == 1 so skip the call when // not necessary. if(!BN_is_one(bnH)) { // Cofactor is not 1 so compute Ta := Ta * h mod n if(!BN_mul(bnTa, bnTa, bnH, context)) FAIL(FATAL_ERROR_INTERNAL); } // Now that 'tA' is (h * 'tA' mod n) // 'outZ' = ['tA'](QsB + [avf(QeB.x)](QeB)). // first, compute XeB = avf(XeB) avfSm2(bnXeB, bnN); // QeB := [XeB]QeB if( !EC_POINT_mul(group, pQeB, NULL, pQeB, bnXeB, context) // QeB := QsB + QeB || !EC_POINT_add(group, pQeB, pQeB, pQsB, context) ) FAIL(FATAL_ERROR_INTERNAL); // QeB := [tA]QeB = [tA](QsB + [Xe,B]QeB) and check for at infinity if(PointMul(group, pQeB, NULL, pQeB, bnTa, context) == CRYPT_SUCCESS) // Convert BIGNUM E to TPM2B E Point2B(group, outZ, pQeB, (INT16)BN_num_bytes(bnN), context); Cleanup: if(pQeA != NULL) EC_POINT_free(pQeA); if(pQeB != NULL) EC_POINT_free(pQeB); if(pQsB != NULL) EC_POINT_free(pQsB); if(group != NULL) EC_GROUP_free(group); BN_CTX_end(context); BN_CTX_free(context); return retVal; } #endif //% TPM_ALG_SM2 // // // C_2_2_ECDH() // // This function performs the two phase key exchange defined in SP800-56A, 6.1.1.2 Full Unified Model, // C(2, 2, ECC CDH). // static CRYPT_RESULT C_2_2_ECDH( TPMS_ECC_POINT *outZ1, // OUT: Zs TPMS_ECC_POINT *outZ2, // OUT: Ze TPM_ECC_CURVE curveId, // IN: the curve for the computations TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key TPMS_ECC_POINT *QsB, // IN: static public party B key TPMS_ECC_POINT *QeB // IN: ephemeral public party B key ) { BIGNUM *order; BN_CTX *context; EC_POINT *pQ = NULL; EC_GROUP *group = NULL; BIGNUM *bnD; INT16 size; const ECC_CURVE_DATA *curveData = GetCurveData(curveId); context = BN_CTX_new(); if(context == NULL || curveData == NULL) FAIL(FATAL_ERROR_ALLOCATION); BN_CTX_start(context); order = BN_CTX_get(context); if((bnD = BN_CTX_get(context)) == NULL) FAIL(FATAL_ERROR_INTERNAL); // Initialize group parameters and local values of input if((group = EccCurveInit(curveId, context)) == NULL) FAIL(FATAL_ERROR_INTERNAL); if (!EC_GROUP_get_order(group, order, context)) FAIL(FATAL_ERROR_INTERNAL); size = (INT16)BN_num_bytes(order); // Get the static private key of A BnFrom2B(bnD, &dsA->b); // Initialize the static public point from B pQ = EccInitPoint2B(group, QsB, context); // Do the point multiply for the Zs value if(PointMul(group, pQ, NULL, pQ, bnD, context) != CRYPT_NO_RESULT) // Convert the Zs value Point2B(group, outZ1, pQ, size, context); // Get the ephemeral private key of A BnFrom2B(bnD, &deA->b); // Initalize the ephemeral public point from B PointFrom2B(group, pQ, QeB, context); // Do the point multiply for the Ze value if(PointMul(group, pQ, NULL, pQ, bnD, context) != CRYPT_NO_RESULT) // Convert the Ze value. Point2B(group, outZ2, pQ, size, context); if(pQ != NULL) EC_POINT_free(pQ); if(group != NULL) EC_GROUP_free(group); BN_CTX_end(context); BN_CTX_free(context); return CRYPT_SUCCESS; } // // // _cpri__C_2_2_KeyExchange() // // This function is the dispatch routine for the EC key exchange function that use two ephemeral and two // static keys. // // Return Value Meaning // // CRYPT_SCHEME scheme is not defined // LIB_EXPORT CRYPT_RESULT _cpri__C_2_2_KeyExchange( TPMS_ECC_POINT *outZ1, // OUT: a computed point TPMS_ECC_POINT *outZ2, // OUT: and optional second point TPM_ECC_CURVE curveId, // IN: the curve for the computations TPM_ALG_ID scheme, // IN: the key exchange scheme TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key TPMS_ECC_POINT *QsB, // IN: static public party B key TPMS_ECC_POINT *QeB // IN: ephemeral public party B key ) { pAssert( outZ1 != NULL && dsA != NULL && deA != NULL && QsB != NULL && QeB != NULL); // Initalize the output points so that they are empty until one of the // functions decides otherwise outZ1->x.b.size = 0; outZ1->y.b.size = 0; if(outZ2 != NULL) { outZ2->x.b.size = 0; outZ2->y.b.size = 0; } switch (scheme) { case TPM_ALG_ECDH: return C_2_2_ECDH(outZ1, outZ2, curveId, dsA, deA, QsB, QeB); break; #ifdef TPM_ALG_ECMQV case TPM_ALG_ECMQV: return C_2_2_MQV(outZ1, curveId, dsA, deA, QsB, QeB); break; #endif #ifdef TPM_ALG_SM2 case TPM_ALG_SM2: return SM2KeyExchange(outZ1, curveId, dsA, deA, QsB, QeB); break; #endif default: return CRYPT_SCHEME; } } #else //% // // Stub used when the 2-phase key exchange is not defined so that the linker has something to associate // with the value in the .def file. // LIB_EXPORT CRYPT_RESULT _cpri__C_2_2_KeyExchange( void ) { return CRYPT_FAIL; } #endif //% CC_ZGen_2Phase #endif // TPM_ALG_ECC