2014-11-01 09:45:20 +00:00
|
|
|
|
/*
|
|
|
|
|
* Elliptic-curve crypto module for PuTTY
|
|
|
|
|
* Implements the three required curves, no optional curves
|
2015-05-09 14:02:52 +00:00
|
|
|
|
*
|
2014-11-01 09:45:20 +00:00
|
|
|
|
* NOTE: Only curves on prime field are handled by the maths functions
|
2015-05-09 14:02:52 +00:00
|
|
|
|
* in Weierstrass form using Jacobian co-ordinates.
|
|
|
|
|
*
|
|
|
|
|
* Montgomery form curves are supported for DH. (Curve25519)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* References:
|
|
|
|
|
*
|
|
|
|
|
* Elliptic curves in SSH are specified in RFC 5656:
|
|
|
|
|
* http://tools.ietf.org/html/rfc5656
|
|
|
|
|
*
|
|
|
|
|
* That specification delegates details of public key formatting and a
|
|
|
|
|
* lot of underlying mechanism to SEC 1:
|
|
|
|
|
* http://www.secg.org/sec1-v2.pdf
|
2015-05-09 14:02:52 +00:00
|
|
|
|
*
|
|
|
|
|
* Montgomery maths from:
|
|
|
|
|
* Handbook of elliptic and hyperelliptic curve cryptography, Chapter 13
|
|
|
|
|
* http://cs.ucsb.edu/~koc/ccs130h/2013/EllipticHyperelliptic-CohenFrey.pdf
|
2014-11-01 09:45:20 +00:00
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <assert.h>
|
|
|
|
|
|
|
|
|
|
#include "ssh.h"
|
|
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Elliptic curve definitions
|
|
|
|
|
*/
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
static int initialise_wcurve(struct ec_curve *curve, int bits, unsigned char *p,
|
|
|
|
|
unsigned char *a, unsigned char *b,
|
|
|
|
|
unsigned char *n, unsigned char *Gx,
|
|
|
|
|
unsigned char *Gy)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
|
|
|
|
int length = bits / 8;
|
|
|
|
|
if (bits % 8) ++length;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
curve->type = EC_WEIERSTRASS;
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
curve->fieldBits = bits;
|
|
|
|
|
curve->p = bignum_from_bytes(p, length);
|
|
|
|
|
if (!curve->p) goto error;
|
|
|
|
|
|
|
|
|
|
/* Curve co-efficients */
|
2015-05-09 14:02:52 +00:00
|
|
|
|
curve->w.a = bignum_from_bytes(a, length);
|
|
|
|
|
if (!curve->w.a) goto error;
|
|
|
|
|
curve->w.b = bignum_from_bytes(b, length);
|
|
|
|
|
if (!curve->w.b) goto error;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
/* Group order and generator */
|
2015-05-09 14:02:52 +00:00
|
|
|
|
curve->w.n = bignum_from_bytes(n, length);
|
|
|
|
|
if (!curve->w.n) goto error;
|
|
|
|
|
curve->w.G.x = bignum_from_bytes(Gx, length);
|
|
|
|
|
if (!curve->w.G.x) goto error;
|
|
|
|
|
curve->w.G.y = bignum_from_bytes(Gy, length);
|
|
|
|
|
if (!curve->w.G.y) goto error;
|
|
|
|
|
curve->w.G.curve = curve;
|
|
|
|
|
curve->w.G.infinity = 0;
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
error:
|
|
|
|
|
if (curve->p) freebn(curve->p);
|
|
|
|
|
if (curve->w.a) freebn(curve->w.a);
|
|
|
|
|
if (curve->w.b) freebn(curve->w.b);
|
|
|
|
|
if (curve->w.n) freebn(curve->w.n);
|
|
|
|
|
if (curve->w.G.x) freebn(curve->w.G.x);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int initialise_mcurve(struct ec_curve *curve, int bits, unsigned char *p,
|
|
|
|
|
unsigned char *a, unsigned char *b,
|
|
|
|
|
unsigned char *Gx)
|
|
|
|
|
{
|
|
|
|
|
int length = bits / 8;
|
|
|
|
|
if (bits % 8) ++length;
|
|
|
|
|
|
|
|
|
|
curve->type = EC_MONTGOMERY;
|
|
|
|
|
|
|
|
|
|
curve->fieldBits = bits;
|
|
|
|
|
curve->p = bignum_from_bytes(p, length);
|
|
|
|
|
if (!curve->p) goto error;
|
|
|
|
|
|
|
|
|
|
/* Curve co-efficients */
|
|
|
|
|
curve->m.a = bignum_from_bytes(a, length);
|
|
|
|
|
if (!curve->m.a) goto error;
|
|
|
|
|
curve->m.b = bignum_from_bytes(b, length);
|
|
|
|
|
if (!curve->m.b) goto error;
|
|
|
|
|
|
|
|
|
|
/* Generator */
|
|
|
|
|
curve->m.G.x = bignum_from_bytes(Gx, length);
|
|
|
|
|
if (!curve->m.G.x) goto error;
|
|
|
|
|
curve->m.G.y = NULL;
|
|
|
|
|
curve->m.G.z = NULL;
|
|
|
|
|
curve->m.G.curve = curve;
|
|
|
|
|
curve->m.G.infinity = 0;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
error:
|
|
|
|
|
if (curve->p) freebn(curve->p);
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (curve->m.a) freebn(curve->m.a);
|
|
|
|
|
if (curve->m.b) freebn(curve->m.b);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unsigned char nistp256_oid[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07};
|
|
|
|
|
int nistp256_oid_len = 8;
|
|
|
|
|
unsigned char nistp384_oid[] = {0x2b, 0x81, 0x04, 0x00, 0x22};
|
|
|
|
|
int nistp384_oid_len = 5;
|
|
|
|
|
unsigned char nistp521_oid[] = {0x2b, 0x81, 0x04, 0x00, 0x23};
|
|
|
|
|
int nistp521_oid_len = 5;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
unsigned char curve25519_oid[] = {0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01};
|
|
|
|
|
int curve25519_oid_len = 12;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
struct ec_curve *ec_p256(void)
|
|
|
|
|
{
|
|
|
|
|
static struct ec_curve curve = { 0 };
|
|
|
|
|
static unsigned char initialised = 0;
|
|
|
|
|
|
|
|
|
|
if (!initialised)
|
|
|
|
|
{
|
|
|
|
|
unsigned char p[] = {
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
|
|
|
|
|
};
|
|
|
|
|
unsigned char a[] = {
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc
|
|
|
|
|
};
|
|
|
|
|
unsigned char b[] = {
|
|
|
|
|
0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7,
|
|
|
|
|
0xb3, 0xeb, 0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc,
|
|
|
|
|
0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53, 0xb0, 0xf6,
|
|
|
|
|
0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b
|
|
|
|
|
};
|
|
|
|
|
unsigned char n[] = {
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17, 0x9e, 0x84,
|
|
|
|
|
0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51
|
|
|
|
|
};
|
|
|
|
|
unsigned char Gx[] = {
|
|
|
|
|
0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47,
|
|
|
|
|
0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2,
|
|
|
|
|
0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0,
|
|
|
|
|
0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96
|
|
|
|
|
};
|
|
|
|
|
unsigned char Gy[] = {
|
|
|
|
|
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b,
|
|
|
|
|
0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16,
|
|
|
|
|
0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
|
|
|
|
|
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5
|
|
|
|
|
};
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (!initialise_wcurve(&curve, 256, p, a, b, n, Gx, Gy)) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Now initialised, no need to do it again */
|
|
|
|
|
initialised = 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &curve;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct ec_curve *ec_p384(void)
|
|
|
|
|
{
|
|
|
|
|
static struct ec_curve curve = { 0 };
|
|
|
|
|
static unsigned char initialised = 0;
|
|
|
|
|
|
|
|
|
|
if (!initialised)
|
|
|
|
|
{
|
|
|
|
|
unsigned char p[] = {
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff
|
|
|
|
|
};
|
|
|
|
|
unsigned char a[] = {
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfc
|
|
|
|
|
};
|
|
|
|
|
unsigned char b[] = {
|
|
|
|
|
0xb3, 0x31, 0x2f, 0xa7, 0xe2, 0x3e, 0xe7, 0xe4,
|
|
|
|
|
0x98, 0x8e, 0x05, 0x6b, 0xe3, 0xf8, 0x2d, 0x19,
|
|
|
|
|
0x18, 0x1d, 0x9c, 0x6e, 0xfe, 0x81, 0x41, 0x12,
|
|
|
|
|
0x03, 0x14, 0x08, 0x8f, 0x50, 0x13, 0x87, 0x5a,
|
|
|
|
|
0xc6, 0x56, 0x39, 0x8d, 0x8a, 0x2e, 0xd1, 0x9d,
|
|
|
|
|
0x2a, 0x85, 0xc8, 0xed, 0xd3, 0xec, 0x2a, 0xef
|
|
|
|
|
};
|
|
|
|
|
unsigned char n[] = {
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xc7, 0x63, 0x4d, 0x81, 0xf4, 0x37, 0x2d, 0xdf,
|
|
|
|
|
0x58, 0x1a, 0x0d, 0xb2, 0x48, 0xb0, 0xa7, 0x7a,
|
|
|
|
|
0xec, 0xec, 0x19, 0x6a, 0xcc, 0xc5, 0x29, 0x73
|
|
|
|
|
};
|
|
|
|
|
unsigned char Gx[] = {
|
|
|
|
|
0xaa, 0x87, 0xca, 0x22, 0xbe, 0x8b, 0x05, 0x37,
|
|
|
|
|
0x8e, 0xb1, 0xc7, 0x1e, 0xf3, 0x20, 0xad, 0x74,
|
|
|
|
|
0x6e, 0x1d, 0x3b, 0x62, 0x8b, 0xa7, 0x9b, 0x98,
|
|
|
|
|
0x59, 0xf7, 0x41, 0xe0, 0x82, 0x54, 0x2a, 0x38,
|
|
|
|
|
0x55, 0x02, 0xf2, 0x5d, 0xbf, 0x55, 0x29, 0x6c,
|
|
|
|
|
0x3a, 0x54, 0x5e, 0x38, 0x72, 0x76, 0x0a, 0xb7
|
|
|
|
|
};
|
|
|
|
|
unsigned char Gy[] = {
|
|
|
|
|
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f,
|
|
|
|
|
0x5d, 0x9e, 0x98, 0xbf, 0x92, 0x92, 0xdc, 0x29,
|
|
|
|
|
0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
|
|
|
|
|
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0,
|
|
|
|
|
0x0a, 0x60, 0xb1, 0xce, 0x1d, 0x7e, 0x81, 0x9d,
|
|
|
|
|
0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f
|
|
|
|
|
};
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (!initialise_wcurve(&curve, 384, p, a, b, n, Gx, Gy)) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Now initialised, no need to do it again */
|
|
|
|
|
initialised = 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &curve;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct ec_curve *ec_p521(void)
|
|
|
|
|
{
|
|
|
|
|
static struct ec_curve curve = { 0 };
|
|
|
|
|
static unsigned char initialised = 0;
|
|
|
|
|
|
|
|
|
|
if (!initialised)
|
|
|
|
|
{
|
|
|
|
|
unsigned char p[] = {
|
|
|
|
|
0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff
|
|
|
|
|
};
|
|
|
|
|
unsigned char a[] = {
|
|
|
|
|
0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xfc
|
|
|
|
|
};
|
|
|
|
|
unsigned char b[] = {
|
|
|
|
|
0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c,
|
|
|
|
|
0x9a, 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85,
|
|
|
|
|
0x40, 0xee, 0xa2, 0xda, 0x72, 0x5b, 0x99, 0xb3,
|
|
|
|
|
0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1,
|
|
|
|
|
0x09, 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e,
|
|
|
|
|
0x93, 0x7b, 0x16, 0x52, 0xc0, 0xbd, 0x3b, 0xb1,
|
|
|
|
|
0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c,
|
|
|
|
|
0x34, 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50,
|
|
|
|
|
0x3f, 0x00
|
|
|
|
|
};
|
|
|
|
|
unsigned char n[] = {
|
|
|
|
|
0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xfa, 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f,
|
|
|
|
|
0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48, 0xf7, 0x09,
|
|
|
|
|
0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c,
|
|
|
|
|
0x47, 0xae, 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38,
|
|
|
|
|
0x64, 0x09
|
|
|
|
|
};
|
|
|
|
|
unsigned char Gx[] = {
|
|
|
|
|
0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04,
|
|
|
|
|
0xe9, 0xcd, 0x9e, 0x3e, 0xcb, 0x66, 0x23, 0x95,
|
|
|
|
|
0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
|
|
|
|
|
0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d,
|
|
|
|
|
0x3d, 0xba, 0xa1, 0x4b, 0x5e, 0x77, 0xef, 0xe7,
|
|
|
|
|
0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
|
|
|
|
|
0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a,
|
|
|
|
|
0x42, 0x9b, 0xf9, 0x7e, 0x7e, 0x31, 0xc2, 0xe5,
|
|
|
|
|
0xbd, 0x66
|
|
|
|
|
};
|
|
|
|
|
unsigned char Gy[] = {
|
|
|
|
|
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b,
|
|
|
|
|
0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d,
|
|
|
|
|
0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
|
|
|
|
|
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e,
|
|
|
|
|
0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4,
|
|
|
|
|
0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
|
|
|
|
|
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72,
|
|
|
|
|
0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1,
|
|
|
|
|
0x66, 0x50
|
|
|
|
|
};
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (!initialise_wcurve(&curve, 521, p, a, b, n, Gx, Gy)) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Now initialised, no need to do it again */
|
|
|
|
|
initialised = 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &curve;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct ec_curve *ec_curve25519(void)
|
|
|
|
|
{
|
|
|
|
|
static struct ec_curve curve = { 0 };
|
|
|
|
|
static unsigned char initialised = 0;
|
|
|
|
|
|
|
|
|
|
if (!initialised)
|
|
|
|
|
{
|
|
|
|
|
unsigned char p[] = {
|
|
|
|
|
0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xed
|
|
|
|
|
};
|
|
|
|
|
unsigned char a[] = {
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x6d, 0x06
|
|
|
|
|
};
|
|
|
|
|
unsigned char b[] = {
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
|
|
|
|
|
};
|
|
|
|
|
unsigned char gx[32] = {
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if (!initialise_mcurve(&curve, 256, p, a, b, gx)) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Now initialised, no need to do it again */
|
|
|
|
|
initialised = 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &curve;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static struct ec_curve *ec_name_to_curve(const char *name, int len) {
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (len > 11 && !memcmp(name, "ecdsa-sha2-", 11)) {
|
|
|
|
|
name += 11;
|
|
|
|
|
len -= 11;
|
|
|
|
|
} else if (len > 10 && !memcmp(name, "ecdh-sha2-", 10)) {
|
|
|
|
|
name += 10;
|
|
|
|
|
len -= 10;
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (len == 8 && !memcmp(name, "nistp", 5)) {
|
|
|
|
|
name += 5;
|
|
|
|
|
if (!memcmp(name, "256", 3)) {
|
|
|
|
|
return ec_p256();
|
|
|
|
|
} else if (!memcmp(name, "384", 3)) {
|
|
|
|
|
return ec_p384();
|
|
|
|
|
} else if (!memcmp(name, "521", 3)) {
|
|
|
|
|
return ec_p521();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (len == 28 && !memcmp(name, "curve25519-sha256@libssh.org", 28)) {
|
|
|
|
|
return ec_curve25519();
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
/* Type enumeration for specifying the curve name */
|
|
|
|
|
enum ec_name_type { EC_TYPE_DSA, EC_TYPE_DH, EC_TYPE_CURVE };
|
|
|
|
|
|
|
|
|
|
static int ec_curve_to_name(enum ec_name_type type, const struct ec_curve *curve,
|
|
|
|
|
unsigned char *name, int len) {
|
|
|
|
|
if (curve->type == EC_WEIERSTRASS) {
|
|
|
|
|
int length, loc;
|
|
|
|
|
if (type == EC_TYPE_DSA) {
|
|
|
|
|
length = 19;
|
|
|
|
|
loc = 16;
|
|
|
|
|
} else if (type == EC_TYPE_DH) {
|
|
|
|
|
length = 18;
|
|
|
|
|
loc = 15;
|
|
|
|
|
} else {
|
|
|
|
|
length = 8;
|
|
|
|
|
loc = 5;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Return length of string */
|
|
|
|
|
if (name == NULL) return length;
|
|
|
|
|
|
|
|
|
|
/* Not enough space for the name */
|
|
|
|
|
if (len < length) return 0;
|
|
|
|
|
|
|
|
|
|
/* Put the name in the buffer */
|
|
|
|
|
switch (curve->fieldBits) {
|
|
|
|
|
case 256:
|
|
|
|
|
memcpy(name+loc, "256", 3);
|
|
|
|
|
break;
|
|
|
|
|
case 384:
|
|
|
|
|
memcpy(name+loc, "384", 3);
|
|
|
|
|
break;
|
|
|
|
|
case 521:
|
|
|
|
|
memcpy(name+loc, "521", 3);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (type == EC_TYPE_DSA) {
|
|
|
|
|
memcpy(name, "ecdsa-sha2-nistp", 16);
|
|
|
|
|
} else if (type == EC_TYPE_DH) {
|
|
|
|
|
memcpy(name, "ecdh-sha2-nistp", 15);
|
|
|
|
|
} else {
|
|
|
|
|
memcpy(name, "nistp", 5);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return length;
|
|
|
|
|
} else {
|
|
|
|
|
/* No DSA for curve25519 */
|
|
|
|
|
if (type == EC_TYPE_DSA || type == EC_TYPE_CURVE) return 0;
|
|
|
|
|
|
|
|
|
|
/* Return length of string */
|
|
|
|
|
if (name == NULL) return 28;
|
|
|
|
|
|
|
|
|
|
/* Not enough space for the name */
|
|
|
|
|
if (len < 28) return 0;
|
|
|
|
|
|
|
|
|
|
/* Unknown curve field */
|
|
|
|
|
if (curve->fieldBits != 256) return 0;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
memcpy(name, "curve25519-sha256@libssh.org", 28);
|
|
|
|
|
return 28;
|
|
|
|
|
}
|
2014-11-01 09:45:20 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Return 1 if a is -3 % p, otherwise return 0
|
|
|
|
|
* This is used because there are some maths optimisations */
|
|
|
|
|
static int ec_aminus3(const struct ec_curve *curve)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
Bignum _p;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (curve->type != EC_WEIERSTRASS) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_p = bignum_add_long(curve->w.a, 3);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!_p) return 0;
|
|
|
|
|
|
|
|
|
|
ret = !bignum_cmp(curve->p, _p);
|
|
|
|
|
freebn(_p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Elliptic curve field maths
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static Bignum ecf_add(const Bignum a, const Bignum b,
|
|
|
|
|
const struct ec_curve *curve)
|
|
|
|
|
{
|
|
|
|
|
Bignum a1, b1, ab, ret;
|
|
|
|
|
|
|
|
|
|
a1 = bigmod(a, curve->p);
|
|
|
|
|
if (!a1) return NULL;
|
|
|
|
|
b1 = bigmod(b, curve->p);
|
|
|
|
|
if (!b1)
|
|
|
|
|
{
|
|
|
|
|
freebn(a1);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ab = bigadd(a1, b1);
|
|
|
|
|
freebn(a1);
|
|
|
|
|
freebn(b1);
|
|
|
|
|
if (!ab) return NULL;
|
|
|
|
|
|
|
|
|
|
ret = bigmod(ab, curve->p);
|
|
|
|
|
freebn(ab);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static Bignum ecf_square(const Bignum a, const struct ec_curve *curve)
|
|
|
|
|
{
|
|
|
|
|
return modmul(a, a, curve->p);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static Bignum ecf_treble(const Bignum a, const struct ec_curve *curve)
|
|
|
|
|
{
|
|
|
|
|
Bignum ret, tmp;
|
|
|
|
|
|
|
|
|
|
/* Double */
|
|
|
|
|
tmp = bignum_lshift(a, 1);
|
|
|
|
|
if (!tmp) return NULL;
|
|
|
|
|
|
|
|
|
|
/* Add itself (i.e. treble) */
|
|
|
|
|
ret = bigadd(tmp, a);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
|
|
|
|
|
/* Normalise */
|
|
|
|
|
while (ret != NULL && bignum_cmp(ret, curve->p) >= 0)
|
|
|
|
|
{
|
|
|
|
|
tmp = bigsub(ret, curve->p);
|
|
|
|
|
freebn(ret);
|
|
|
|
|
ret = tmp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static Bignum ecf_double(const Bignum a, const struct ec_curve *curve)
|
|
|
|
|
{
|
|
|
|
|
Bignum ret = bignum_lshift(a, 1);
|
|
|
|
|
if (!ret) return NULL;
|
|
|
|
|
if (bignum_cmp(ret, curve->p) >= 0)
|
|
|
|
|
{
|
|
|
|
|
Bignum tmp = bigsub(ret, curve->p);
|
|
|
|
|
freebn(ret);
|
|
|
|
|
return tmp;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Memory functions
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
void ec_point_free(struct ec_point *point)
|
|
|
|
|
{
|
|
|
|
|
if (point == NULL) return;
|
|
|
|
|
point->curve = 0;
|
|
|
|
|
if (point->x) freebn(point->x);
|
|
|
|
|
if (point->y) freebn(point->y);
|
|
|
|
|
if (point->z) freebn(point->z);
|
|
|
|
|
point->infinity = 0;
|
|
|
|
|
sfree(point);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct ec_point *ec_point_new(const struct ec_curve *curve,
|
|
|
|
|
const Bignum x, const Bignum y, const Bignum z,
|
|
|
|
|
unsigned char infinity)
|
|
|
|
|
{
|
|
|
|
|
struct ec_point *point = snewn(1, struct ec_point);
|
|
|
|
|
point->curve = curve;
|
|
|
|
|
point->x = x;
|
|
|
|
|
point->y = y;
|
|
|
|
|
point->z = z;
|
|
|
|
|
point->infinity = infinity ? 1 : 0;
|
|
|
|
|
return point;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct ec_point *ec_point_copy(const struct ec_point *a)
|
|
|
|
|
{
|
|
|
|
|
if (a == NULL) return NULL;
|
|
|
|
|
return ec_point_new(a->curve,
|
|
|
|
|
a->x ? copybn(a->x) : NULL,
|
|
|
|
|
a->y ? copybn(a->y) : NULL,
|
|
|
|
|
a->z ? copybn(a->z) : NULL,
|
|
|
|
|
a->infinity);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ec_point_verify(const struct ec_point *a)
|
|
|
|
|
{
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (a->infinity) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return 1;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
} else if (a->curve->type == EC_WEIERSTRASS) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
/* Verify y^2 = x^3 + ax + b */
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
Bignum lhs = NULL, x3 = NULL, ax = NULL, x3ax = NULL, x3axm = NULL, x3axb = NULL, rhs = NULL;
|
|
|
|
|
|
|
|
|
|
Bignum Three = bignum_from_long(3);
|
|
|
|
|
if (!Three) return 0;
|
|
|
|
|
|
|
|
|
|
lhs = modmul(a->y, a->y, a->curve->p);
|
|
|
|
|
if (!lhs) goto error;
|
|
|
|
|
|
|
|
|
|
/* This uses montgomery multiplication to optimise */
|
|
|
|
|
x3 = modpow(a->x, Three, a->curve->p);
|
|
|
|
|
freebn(Three);
|
|
|
|
|
if (!x3) goto error;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
ax = modmul(a->curve->w.a, a->x, a->curve->p);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!ax) goto error;
|
|
|
|
|
x3ax = bigadd(x3, ax);
|
|
|
|
|
if (!x3ax) goto error;
|
|
|
|
|
freebn(x3); x3 = NULL;
|
|
|
|
|
freebn(ax); ax = NULL;
|
|
|
|
|
x3axm = bigmod(x3ax, a->curve->p);
|
|
|
|
|
if (!x3axm) goto error;
|
|
|
|
|
freebn(x3ax); x3ax = NULL;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
x3axb = bigadd(x3axm, a->curve->w.b);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!x3axb) goto error;
|
|
|
|
|
freebn(x3axm); x3axm = NULL;
|
|
|
|
|
rhs = bigmod(x3axb, a->curve->p);
|
|
|
|
|
if (!rhs) goto error;
|
|
|
|
|
freebn(x3axb);
|
|
|
|
|
|
|
|
|
|
ret = bignum_cmp(lhs, rhs) ? 0 : 1;
|
|
|
|
|
freebn(lhs);
|
|
|
|
|
freebn(rhs);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
error:
|
|
|
|
|
if (x3) freebn(x3);
|
|
|
|
|
if (ax) freebn(ax);
|
|
|
|
|
if (x3ax) freebn(x3ax);
|
|
|
|
|
if (x3axm) freebn(x3axm);
|
|
|
|
|
if (x3axb) freebn(x3axb);
|
|
|
|
|
if (lhs) freebn(lhs);
|
|
|
|
|
return 0;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
} else {
|
|
|
|
|
return 0;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Elliptic curve point maths
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* Returns 1 on success and 0 on memory error */
|
|
|
|
|
static int ecp_normalise(struct ec_point *a)
|
|
|
|
|
{
|
|
|
|
|
if (!a) {
|
2014-11-03 18:41:56 +00:00
|
|
|
|
/* No point */
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (a->infinity) {
|
2014-11-03 18:41:56 +00:00
|
|
|
|
/* Point is at infinity - i.e. normalised */
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (a->curve->type == EC_WEIERSTRASS) {
|
|
|
|
|
/* In Jacobian Coordinates the triple (X, Y, Z) represents
|
|
|
|
|
the affine point (X / Z^2, Y / Z^3) */
|
|
|
|
|
|
|
|
|
|
Bignum Z2, Z2inv, Z3, Z3inv, tx, ty;
|
|
|
|
|
|
|
|
|
|
if (!a->x || !a->y) {
|
|
|
|
|
/* No point defined */
|
|
|
|
|
return 0;
|
|
|
|
|
} else if (!a->z) {
|
|
|
|
|
/* Already normalised */
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Z2 = ecf_square(a->z, a->curve);
|
|
|
|
|
if (!Z2) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
Z2inv = modinv(Z2, a->curve->p);
|
|
|
|
|
if (!Z2inv) {
|
|
|
|
|
freebn(Z2);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
tx = modmul(a->x, Z2inv, a->curve->p);
|
|
|
|
|
freebn(Z2inv);
|
|
|
|
|
if (!tx) {
|
|
|
|
|
freebn(Z2);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Z3 = modmul(Z2, a->z, a->curve->p);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
freebn(Z2);
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (!Z3) {
|
|
|
|
|
freebn(tx);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
Z3inv = modinv(Z3, a->curve->p);
|
|
|
|
|
freebn(Z3);
|
|
|
|
|
if (!Z3inv) {
|
|
|
|
|
freebn(tx);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
ty = modmul(a->y, Z3inv, a->curve->p);
|
|
|
|
|
freebn(Z3inv);
|
|
|
|
|
if (!ty) {
|
|
|
|
|
freebn(tx);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
freebn(a->x);
|
|
|
|
|
a->x = tx;
|
|
|
|
|
freebn(a->y);
|
|
|
|
|
a->y = ty;
|
|
|
|
|
freebn(a->z);
|
|
|
|
|
a->z = NULL;
|
|
|
|
|
return 1;
|
|
|
|
|
} else if (a->curve->type == EC_MONTGOMERY) {
|
|
|
|
|
/* In Montgomery (X : Z) represents the x co-ord (X / Z, ?) */
|
|
|
|
|
|
|
|
|
|
Bignum tmp, tmp2;
|
|
|
|
|
|
|
|
|
|
if (!a->x) {
|
|
|
|
|
/* No point defined */
|
|
|
|
|
return 0;
|
|
|
|
|
} else if (!a->z) {
|
|
|
|
|
/* Already normalised */
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp = modinv(a->z, a->curve->p);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
tmp2 = modmul(a->x, tmp, a->curve->p);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
if (!tmp2) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
freebn(a->z);
|
|
|
|
|
a->z = NULL;
|
|
|
|
|
freebn(a->x);
|
|
|
|
|
a->x = tmp2;
|
|
|
|
|
return 1;
|
|
|
|
|
} else {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
static struct ec_point *ecp_doublew(const struct ec_point *a, const int aminus3)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
|
|
|
|
Bignum S, M, outx, outy, outz;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (bignum_cmp(a->y, Zero) == 0)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
|
|
|
|
/* Identity */
|
|
|
|
|
return ec_point_new(a->curve, NULL, NULL, NULL, 1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* S = 4*X*Y^2 */
|
|
|
|
|
{
|
|
|
|
|
Bignum Y2, XY2, _2XY2;
|
|
|
|
|
|
|
|
|
|
Y2 = ecf_square(a->y, a->curve);
|
|
|
|
|
if (!Y2) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
XY2 = modmul(a->x, Y2, a->curve->p);
|
|
|
|
|
freebn(Y2);
|
|
|
|
|
if (!XY2) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_2XY2 = ecf_double(XY2, a->curve);
|
|
|
|
|
freebn(XY2);
|
|
|
|
|
if (!_2XY2) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
S = ecf_double(_2XY2, a->curve);
|
|
|
|
|
freebn(_2XY2);
|
|
|
|
|
if (!S) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Faster calculation if a = -3 */
|
|
|
|
|
if (aminus3) {
|
|
|
|
|
/* if a = -3, then M can also be calculated as M = 3*(X + Z^2)*(X - Z^2) */
|
|
|
|
|
Bignum Z2, XpZ2, XmZ2, second;
|
|
|
|
|
|
|
|
|
|
if (a->z == NULL) {
|
|
|
|
|
Z2 = copybn(One);
|
|
|
|
|
} else {
|
|
|
|
|
Z2 = ecf_square(a->z, a->curve);
|
|
|
|
|
}
|
|
|
|
|
if (!Z2) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
XpZ2 = ecf_add(a->x, Z2, a->curve);
|
|
|
|
|
if (!XpZ2) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
freebn(Z2);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
XmZ2 = modsub(a->x, Z2, a->curve->p);
|
|
|
|
|
freebn(Z2);
|
2014-12-20 17:07:17 +00:00
|
|
|
|
if (!XmZ2) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
freebn(S);
|
|
|
|
|
freebn(XpZ2);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
second = modmul(XpZ2, XmZ2, a->curve->p);
|
|
|
|
|
freebn(XpZ2);
|
|
|
|
|
freebn(XmZ2);
|
|
|
|
|
if (!second) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
M = ecf_treble(second, a->curve);
|
|
|
|
|
freebn(second);
|
|
|
|
|
if (!M) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/* M = 3*X^2 + a*Z^4 */
|
|
|
|
|
Bignum _3X2, X2, aZ4;
|
|
|
|
|
|
|
|
|
|
if (a->z == NULL) {
|
2015-05-09 14:02:52 +00:00
|
|
|
|
aZ4 = copybn(a->curve->w.a);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
} else {
|
|
|
|
|
Bignum Z2, Z4;
|
|
|
|
|
|
|
|
|
|
Z2 = ecf_square(a->z, a->curve);
|
|
|
|
|
if (!Z2) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
Z4 = ecf_square(Z2, a->curve);
|
|
|
|
|
freebn(Z2);
|
|
|
|
|
if (!Z4) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
aZ4 = modmul(a->curve->w.a, Z4, a->curve->p);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
freebn(Z4);
|
|
|
|
|
}
|
|
|
|
|
if (!aZ4) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
X2 = modmul(a->x, a->x, a->curve->p);
|
|
|
|
|
if (!X2) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
freebn(aZ4);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
_3X2 = ecf_treble(X2, a->curve);
|
|
|
|
|
freebn(X2);
|
|
|
|
|
if (!_3X2) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
freebn(aZ4);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
M = ecf_add(_3X2, aZ4, a->curve);
|
|
|
|
|
freebn(_3X2);
|
|
|
|
|
freebn(aZ4);
|
|
|
|
|
if (!M) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* X' = M^2 - 2*S */
|
|
|
|
|
{
|
|
|
|
|
Bignum M2, _2S;
|
|
|
|
|
|
|
|
|
|
M2 = ecf_square(M, a->curve);
|
|
|
|
|
if (!M2) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
freebn(M);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_2S = ecf_double(S, a->curve);
|
|
|
|
|
if (!_2S) {
|
|
|
|
|
freebn(M2);
|
|
|
|
|
freebn(S);
|
|
|
|
|
freebn(M);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
outx = modsub(M2, _2S, a->curve->p);
|
|
|
|
|
freebn(M2);
|
|
|
|
|
freebn(_2S);
|
|
|
|
|
if (!outx) {
|
|
|
|
|
freebn(S);
|
|
|
|
|
freebn(M);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Y' = M*(S - X') - 8*Y^4 */
|
|
|
|
|
{
|
|
|
|
|
Bignum SX, MSX, Eight, Y2, Y4, _8Y4;
|
|
|
|
|
|
|
|
|
|
SX = modsub(S, outx, a->curve->p);
|
|
|
|
|
freebn(S);
|
|
|
|
|
if (!SX) {
|
|
|
|
|
freebn(M);
|
|
|
|
|
freebn(outx);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
MSX = modmul(M, SX, a->curve->p);
|
|
|
|
|
freebn(SX);
|
|
|
|
|
freebn(M);
|
|
|
|
|
if (!MSX) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
Y2 = ecf_square(a->y, a->curve);
|
|
|
|
|
if (!Y2) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(MSX);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
Y4 = ecf_square(Y2, a->curve);
|
|
|
|
|
freebn(Y2);
|
|
|
|
|
if (!Y4) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(MSX);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
Eight = bignum_from_long(8);
|
|
|
|
|
if (!Eight) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(MSX);
|
|
|
|
|
freebn(Y4);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
_8Y4 = modmul(Eight, Y4, a->curve->p);
|
|
|
|
|
freebn(Eight);
|
|
|
|
|
freebn(Y4);
|
|
|
|
|
if (!_8Y4) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(MSX);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
outy = modsub(MSX, _8Y4, a->curve->p);
|
|
|
|
|
freebn(MSX);
|
|
|
|
|
freebn(_8Y4);
|
|
|
|
|
if (!outy) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Z' = 2*Y*Z */
|
|
|
|
|
{
|
|
|
|
|
Bignum YZ;
|
|
|
|
|
|
|
|
|
|
if (a->z == NULL) {
|
|
|
|
|
YZ = copybn(a->y);
|
|
|
|
|
} else {
|
|
|
|
|
YZ = modmul(a->y, a->z, a->curve->p);
|
|
|
|
|
}
|
|
|
|
|
if (!YZ) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(outy);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
outz = ecf_double(YZ, a->curve);
|
|
|
|
|
freebn(YZ);
|
|
|
|
|
if (!outz) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(outy);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ec_point_new(a->curve, outx, outy, outz, 0);
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
static struct ec_point *ecp_doublem(const struct ec_point *a)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
2015-05-09 14:02:52 +00:00
|
|
|
|
Bignum z, outx, outz, xpz, xmz;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
z = a->z;
|
|
|
|
|
if (!z) {
|
|
|
|
|
z = One;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* 4xz = (x + z)^2 - (x - z)^2 */
|
|
|
|
|
{
|
|
|
|
|
Bignum tmp;
|
|
|
|
|
|
|
|
|
|
tmp = ecf_add(a->x, z, a->curve);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
xpz = ecf_square(tmp, a->curve);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
if (!xpz) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp = modsub(a->x, z, a->curve->p);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
freebn(xpz);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
xmz = ecf_square(tmp, a->curve);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
if (!xmz) {
|
|
|
|
|
freebn(xpz);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* outx = (x + z)^2 * (x - z)^2 */
|
|
|
|
|
outx = modmul(xpz, xmz, a->curve->p);
|
|
|
|
|
if (!outx) {
|
|
|
|
|
freebn(xpz);
|
|
|
|
|
freebn(xmz);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* outz = 4xz * ((x - z)^2 + ((A + 2) / 4)*4xz) */
|
|
|
|
|
{
|
|
|
|
|
Bignum _4xz, tmp, tmp2, tmp3;
|
|
|
|
|
|
|
|
|
|
tmp = bignum_from_long(2);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
freebn(xpz);
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(xmz);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
tmp2 = ecf_add(a->curve->m.a, tmp, a->curve);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
if (!tmp2) {
|
|
|
|
|
freebn(xpz);
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(xmz);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_4xz = modsub(xpz, xmz, a->curve->p);
|
|
|
|
|
freebn(xpz);
|
|
|
|
|
if (!_4xz) {
|
|
|
|
|
freebn(tmp2);
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(xmz);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
tmp = modmul(tmp2, _4xz, a->curve->p);
|
|
|
|
|
freebn(tmp2);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
freebn(_4xz);
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(xmz);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp2 = bignum_from_long(4);
|
|
|
|
|
if (!tmp2) {
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
freebn(_4xz);
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(xmz);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
tmp3 = modinv(tmp2, a->curve->p);
|
|
|
|
|
freebn(tmp2);
|
|
|
|
|
if (!tmp3) {
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
freebn(_4xz);
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(xmz);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
tmp2 = modmul(tmp, tmp3, a->curve->p);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
freebn(tmp3);
|
|
|
|
|
if (!tmp2) {
|
|
|
|
|
freebn(_4xz);
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(xmz);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp = ecf_add(xmz, tmp2, a->curve);
|
|
|
|
|
freebn(xmz);
|
|
|
|
|
freebn(tmp2);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
freebn(_4xz);
|
|
|
|
|
freebn(outx);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
outz = modmul(_4xz, tmp, a->curve->p);
|
|
|
|
|
freebn(_4xz);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
if (!outz) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ec_point_new(a->curve, outx, NULL, outz, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct ec_point *ecp_double(const struct ec_point *a, const int aminus3)
|
|
|
|
|
{
|
|
|
|
|
if (a->infinity)
|
|
|
|
|
{
|
|
|
|
|
/* Identity */
|
|
|
|
|
return ec_point_new(a->curve, NULL, NULL, NULL, 1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (a->curve->type == EC_WEIERSTRASS)
|
|
|
|
|
{
|
|
|
|
|
return ecp_doublew(a, aminus3);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
return ecp_doublem(a);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct ec_point *ecp_addw(const struct ec_point *a,
|
|
|
|
|
const struct ec_point *b,
|
|
|
|
|
const int aminus3)
|
|
|
|
|
{
|
|
|
|
|
Bignum U1, U2, S1, S2, outx, outy, outz;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
/* U1 = X1*Z2^2 */
|
|
|
|
|
/* S1 = Y1*Z2^3 */
|
|
|
|
|
if (b->z) {
|
|
|
|
|
Bignum Z2, Z3;
|
|
|
|
|
|
|
|
|
|
Z2 = ecf_square(b->z, a->curve);
|
|
|
|
|
if (!Z2) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
U1 = modmul(a->x, Z2, a->curve->p);
|
|
|
|
|
if (!U1) {
|
|
|
|
|
freebn(Z2);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
Z3 = modmul(Z2, b->z, a->curve->p);
|
|
|
|
|
freebn(Z2);
|
|
|
|
|
if (!Z3) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
S1 = modmul(a->y, Z3, a->curve->p);
|
|
|
|
|
freebn(Z3);
|
|
|
|
|
if (!S1) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
U1 = copybn(a->x);
|
|
|
|
|
if (!U1) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
S1 = copybn(a->y);
|
|
|
|
|
if (!S1) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* U2 = X2*Z1^2 */
|
|
|
|
|
/* S2 = Y2*Z1^3 */
|
|
|
|
|
if (a->z) {
|
|
|
|
|
Bignum Z2, Z3;
|
|
|
|
|
|
|
|
|
|
Z2 = ecf_square(a->z, b->curve);
|
|
|
|
|
if (!Z2) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
U2 = modmul(b->x, Z2, b->curve->p);
|
|
|
|
|
if (!U2) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(Z2);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
Z3 = modmul(Z2, a->z, b->curve->p);
|
|
|
|
|
freebn(Z2);
|
|
|
|
|
if (!Z3) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(U2);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
S2 = modmul(b->y, Z3, b->curve->p);
|
|
|
|
|
freebn(Z3);
|
|
|
|
|
if (!S2) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(U2);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
U2 = copybn(b->x);
|
|
|
|
|
if (!U2) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
S2 = copybn(b->y);
|
|
|
|
|
if (!S2) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(U2);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Check if multiplying by self */
|
|
|
|
|
if (bignum_cmp(U1, U2) == 0)
|
|
|
|
|
{
|
|
|
|
|
freebn(U1);
|
|
|
|
|
freebn(U2);
|
|
|
|
|
if (bignum_cmp(S1, S2) == 0)
|
|
|
|
|
{
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(S2);
|
|
|
|
|
return ecp_double(a, aminus3);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(S2);
|
|
|
|
|
/* Infinity */
|
|
|
|
|
return ec_point_new(a->curve, NULL, NULL, NULL, 1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
Bignum H, R, UH2, H3;
|
|
|
|
|
|
|
|
|
|
/* H = U2 - U1 */
|
|
|
|
|
H = modsub(U2, U1, a->curve->p);
|
|
|
|
|
freebn(U2);
|
|
|
|
|
if (!H) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(S2);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* R = S2 - S1 */
|
|
|
|
|
R = modsub(S2, S1, a->curve->p);
|
|
|
|
|
freebn(S2);
|
|
|
|
|
if (!R) {
|
|
|
|
|
freebn(H);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(U1);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* X3 = R^2 - H^3 - 2*U1*H^2 */
|
|
|
|
|
{
|
|
|
|
|
Bignum R2, H2, _2UH2, first;
|
|
|
|
|
|
|
|
|
|
H2 = ecf_square(H, a->curve);
|
|
|
|
|
if (!H2) {
|
|
|
|
|
freebn(U1);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(H);
|
|
|
|
|
freebn(R);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
UH2 = modmul(U1, H2, a->curve->p);
|
|
|
|
|
freebn(U1);
|
|
|
|
|
if (!UH2) {
|
|
|
|
|
freebn(H2);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(H);
|
|
|
|
|
freebn(R);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
H3 = modmul(H2, H, a->curve->p);
|
|
|
|
|
freebn(H2);
|
|
|
|
|
if (!H3) {
|
|
|
|
|
freebn(UH2);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(H);
|
|
|
|
|
freebn(R);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
R2 = ecf_square(R, a->curve);
|
|
|
|
|
if (!R2) {
|
|
|
|
|
freebn(H3);
|
|
|
|
|
freebn(UH2);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(H);
|
|
|
|
|
freebn(R);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
_2UH2 = ecf_double(UH2, a->curve);
|
|
|
|
|
if (!_2UH2) {
|
|
|
|
|
freebn(R2);
|
|
|
|
|
freebn(H3);
|
|
|
|
|
freebn(UH2);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(H);
|
|
|
|
|
freebn(R);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
first = modsub(R2, H3, a->curve->p);
|
|
|
|
|
freebn(R2);
|
|
|
|
|
if (!first) {
|
|
|
|
|
freebn(H3);
|
|
|
|
|
freebn(_2UH2);
|
|
|
|
|
freebn(UH2);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(H);
|
|
|
|
|
freebn(R);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
outx = modsub(first, _2UH2, a->curve->p);
|
|
|
|
|
freebn(first);
|
|
|
|
|
freebn(_2UH2);
|
|
|
|
|
if (!outx) {
|
|
|
|
|
freebn(H3);
|
|
|
|
|
freebn(UH2);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(H);
|
|
|
|
|
freebn(R);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
|
|
|
|
|
{
|
|
|
|
|
Bignum RUH2mX, UH2mX, SH3;
|
|
|
|
|
|
|
|
|
|
UH2mX = modsub(UH2, outx, a->curve->p);
|
|
|
|
|
freebn(UH2);
|
|
|
|
|
if (!UH2mX) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(H3);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(H);
|
|
|
|
|
freebn(R);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
RUH2mX = modmul(R, UH2mX, a->curve->p);
|
|
|
|
|
freebn(UH2mX);
|
|
|
|
|
freebn(R);
|
|
|
|
|
if (!RUH2mX) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(H3);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(H);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
SH3 = modmul(S1, H3, a->curve->p);
|
|
|
|
|
freebn(S1);
|
|
|
|
|
freebn(H3);
|
|
|
|
|
if (!SH3) {
|
|
|
|
|
freebn(RUH2mX);
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(H);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
outy = modsub(RUH2mX, SH3, a->curve->p);
|
|
|
|
|
freebn(RUH2mX);
|
|
|
|
|
freebn(SH3);
|
|
|
|
|
if (!outy) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(H);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Z3 = H*Z1*Z2 */
|
|
|
|
|
if (a->z && b->z) {
|
|
|
|
|
Bignum ZZ;
|
|
|
|
|
|
|
|
|
|
ZZ = modmul(a->z, b->z, a->curve->p);
|
|
|
|
|
if (!ZZ) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(outy);
|
|
|
|
|
freebn(H);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
outz = modmul(H, ZZ, a->curve->p);
|
|
|
|
|
freebn(H);
|
|
|
|
|
freebn(ZZ);
|
|
|
|
|
if (!outz) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(outy);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
} else if (a->z) {
|
|
|
|
|
outz = modmul(H, a->z, a->curve->p);
|
|
|
|
|
freebn(H);
|
|
|
|
|
if (!outz) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(outy);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
} else if (b->z) {
|
|
|
|
|
outz = modmul(H, b->z, a->curve->p);
|
|
|
|
|
freebn(H);
|
|
|
|
|
if (!outz) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
freebn(outy);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
outz = H;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ec_point_new(a->curve, outx, outy, outz, 0);
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
static struct ec_point *ecp_addm(const struct ec_point *a,
|
|
|
|
|
const struct ec_point *b,
|
|
|
|
|
const struct ec_point *base)
|
|
|
|
|
{
|
|
|
|
|
Bignum outx, outz, az, bz;
|
|
|
|
|
|
|
|
|
|
az = a->z;
|
|
|
|
|
if (!az) {
|
|
|
|
|
az = One;
|
|
|
|
|
}
|
|
|
|
|
bz = b->z;
|
|
|
|
|
if (!bz) {
|
|
|
|
|
bz = One;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* a-b is maintained at 1 due to Montgomery ladder implementation */
|
|
|
|
|
/* Xa+b = Za-b * ((Xa - Za)*(Xb + Zb) + (Xa + Za)*(Xb - Zb))^2 */
|
|
|
|
|
/* Za+b = Xa-b * ((Xa - Za)*(Xb + Zb) - (Xa + Za)*(Xb - Zb))^2 */
|
|
|
|
|
{
|
|
|
|
|
Bignum tmp, tmp2, tmp3, tmp4;
|
|
|
|
|
|
|
|
|
|
/* (Xa + Za) * (Xb - Zb) */
|
|
|
|
|
tmp = ecf_add(a->x, az, a->curve);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
tmp2 = modsub(b->x, bz, a->curve->p);
|
|
|
|
|
if (!tmp2) {
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
tmp3 = modmul(tmp, tmp2, a->curve->p);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
freebn(tmp2);
|
|
|
|
|
if (!tmp3) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* (Xa - Za) * (Xb + Zb) */
|
|
|
|
|
tmp = modsub(a->x, az, a->curve->p);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
freebn(tmp3);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
tmp2 = ecf_add(b->x, bz, a->curve);
|
|
|
|
|
if (!tmp2) {
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
freebn(tmp3);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
tmp4 = modmul(tmp, tmp2, a->curve->p);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
freebn(tmp2);
|
|
|
|
|
if (!tmp4) {
|
|
|
|
|
freebn(tmp3);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp = ecf_add(tmp3, tmp4, a->curve);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
freebn(tmp3);
|
|
|
|
|
freebn(tmp4);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
outx = ecf_square(tmp, a->curve);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
if (!outx) {
|
|
|
|
|
freebn(tmp3);
|
|
|
|
|
freebn(tmp4);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp = modsub(tmp3, tmp4, a->curve->p);
|
|
|
|
|
freebn(tmp3);
|
|
|
|
|
freebn(tmp4);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
tmp2 = ecf_square(tmp, a->curve);
|
|
|
|
|
freebn(tmp);
|
|
|
|
|
if (!tmp2) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
outz = modmul(base->x, tmp2, a->curve->p);
|
|
|
|
|
freebn(tmp2);
|
|
|
|
|
if (!outz) {
|
|
|
|
|
freebn(outx);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ec_point_new(a->curve, outx, NULL, outz, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct ec_point *ecp_add(const struct ec_point *a,
|
|
|
|
|
const struct ec_point *b,
|
|
|
|
|
const int aminus3)
|
|
|
|
|
{
|
|
|
|
|
if (a->curve != b->curve) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Check if multiplying by infinity */
|
|
|
|
|
if (a->infinity) return ec_point_copy(b);
|
|
|
|
|
if (b->infinity) return ec_point_copy(a);
|
|
|
|
|
|
|
|
|
|
if (a->curve->type == EC_WEIERSTRASS)
|
|
|
|
|
{
|
|
|
|
|
return ecp_addw(a, b, aminus3);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
static struct ec_point *ecp_mul_(const struct ec_point *a, const Bignum b, int aminus3)
|
|
|
|
|
{
|
|
|
|
|
struct ec_point *A, *ret;
|
|
|
|
|
int bits, i;
|
|
|
|
|
|
|
|
|
|
A = ec_point_copy(a);
|
|
|
|
|
ret = ec_point_new(a->curve, NULL, NULL, NULL, 1);
|
|
|
|
|
|
|
|
|
|
bits = bignum_bitcount(b);
|
|
|
|
|
for (i = 0; ret != NULL && A != NULL && i < bits; ++i)
|
|
|
|
|
{
|
|
|
|
|
if (bignum_bit(b, i))
|
|
|
|
|
{
|
|
|
|
|
struct ec_point *tmp = ecp_add(ret, A, aminus3);
|
|
|
|
|
ec_point_free(ret);
|
|
|
|
|
ret = tmp;
|
|
|
|
|
}
|
|
|
|
|
if (i+1 != bits)
|
|
|
|
|
{
|
|
|
|
|
struct ec_point *tmp = ecp_double(A, aminus3);
|
|
|
|
|
ec_point_free(A);
|
|
|
|
|
A = tmp;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!A) {
|
|
|
|
|
ec_point_free(ret);
|
|
|
|
|
ret = NULL;
|
|
|
|
|
} else {
|
|
|
|
|
ec_point_free(A);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
static struct ec_point *ecp_mulw(const struct ec_point *a, const Bignum b)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
|
|
|
|
struct ec_point *ret = ecp_mul_(a, b, ec_aminus3(a->curve));
|
|
|
|
|
|
|
|
|
|
if (!ecp_normalise(ret)) {
|
|
|
|
|
ec_point_free(ret);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
static struct ec_point *ecp_mulm(const struct ec_point *p, const Bignum n)
|
|
|
|
|
{
|
|
|
|
|
struct ec_point *P1, *P2;
|
|
|
|
|
int bits, i;
|
|
|
|
|
|
|
|
|
|
/* P1 <- P and P2 <- [2]P */
|
|
|
|
|
P2 = ecp_double(p, 0);
|
|
|
|
|
if (!P2) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
P1 = ec_point_copy(p);
|
|
|
|
|
if (!P1) {
|
|
|
|
|
ec_point_free(P2);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* for i = bits − 2 down to 0 */
|
|
|
|
|
bits = bignum_bitcount(n);
|
|
|
|
|
for (i = bits - 2; P1 != NULL && P2 != NULL && i >= 0; --i)
|
|
|
|
|
{
|
|
|
|
|
if (!bignum_bit(n, i))
|
|
|
|
|
{
|
|
|
|
|
/* P2 <- P1 + P2 */
|
|
|
|
|
struct ec_point *tmp = ecp_addm(P1, P2, p);
|
|
|
|
|
ec_point_free(P2);
|
|
|
|
|
P2 = tmp;
|
|
|
|
|
|
|
|
|
|
/* P1 <- [2]P1 */
|
|
|
|
|
tmp = ecp_double(P1, 0);
|
|
|
|
|
ec_point_free(P1);
|
|
|
|
|
P1 = tmp;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* P1 <- P1 + P2 */
|
|
|
|
|
struct ec_point *tmp = ecp_addm(P1, P2, p);
|
|
|
|
|
ec_point_free(P1);
|
|
|
|
|
P1 = tmp;
|
|
|
|
|
|
|
|
|
|
/* P2 <- [2]P2 */
|
|
|
|
|
tmp = ecp_double(P2, 0);
|
|
|
|
|
ec_point_free(P2);
|
|
|
|
|
P2 = tmp;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!P2) {
|
|
|
|
|
if (P1) ec_point_free(P1);
|
|
|
|
|
P1 = NULL;
|
|
|
|
|
} else {
|
|
|
|
|
ec_point_free(P2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!ecp_normalise(P1)) {
|
|
|
|
|
ec_point_free(P1);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return P1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Not static because it is used by sshecdsag.c to generate a new key */
|
|
|
|
|
struct ec_point *ecp_mul(const struct ec_point *a, const Bignum b)
|
|
|
|
|
{
|
|
|
|
|
if (a->curve->type == EC_WEIERSTRASS) {
|
|
|
|
|
return ecp_mulw(a, b);
|
|
|
|
|
} else {
|
|
|
|
|
return ecp_mulm(a, b);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
static struct ec_point *ecp_summul(const Bignum a, const Bignum b,
|
|
|
|
|
const struct ec_point *point)
|
|
|
|
|
{
|
|
|
|
|
struct ec_point *aG, *bP, *ret;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
int aminus3;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (point->curve->type != EC_WEIERSTRASS) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
aminus3 = ec_aminus3(point->curve);
|
|
|
|
|
|
|
|
|
|
aG = ecp_mul_(&point->curve->w.G, a, aminus3);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!aG) return NULL;
|
|
|
|
|
bP = ecp_mul_(point, b, aminus3);
|
|
|
|
|
if (!bP) {
|
|
|
|
|
ec_point_free(aG);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = ecp_add(aG, bP, aminus3);
|
|
|
|
|
|
|
|
|
|
ec_point_free(aG);
|
|
|
|
|
ec_point_free(bP);
|
|
|
|
|
|
|
|
|
|
if (!ecp_normalise(ret)) {
|
|
|
|
|
ec_point_free(ret);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Public point from private
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
struct ec_point *ec_public(const Bignum privateKey, const struct ec_curve *curve)
|
|
|
|
|
{
|
|
|
|
|
if (curve->type == EC_WEIERSTRASS) {
|
|
|
|
|
return ecp_mul(&curve->w.G, privateKey);
|
|
|
|
|
} else {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Basic sign and verify routines
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static int _ecdsa_verify(const struct ec_point *publicKey,
|
|
|
|
|
const unsigned char *data, const int dataLen,
|
|
|
|
|
const Bignum r, const Bignum s)
|
|
|
|
|
{
|
|
|
|
|
int z_bits, n_bits;
|
|
|
|
|
Bignum z;
|
|
|
|
|
int valid = 0;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (publicKey->curve->type != EC_WEIERSTRASS) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
/* Sanity checks */
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (bignum_cmp(r, Zero) == 0 || bignum_cmp(r, publicKey->curve->w.n) >= 0
|
|
|
|
|
|| bignum_cmp(s, Zero) == 0 || bignum_cmp(s, publicKey->curve->w.n) >= 0)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* z = left most bitlen(curve->n) of data */
|
|
|
|
|
z = bignum_from_bytes(data, dataLen);
|
|
|
|
|
if (!z) return 0;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
n_bits = bignum_bitcount(publicKey->curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
z_bits = bignum_bitcount(z);
|
|
|
|
|
if (z_bits > n_bits)
|
|
|
|
|
{
|
|
|
|
|
Bignum tmp = bignum_rshift(z, z_bits - n_bits);
|
|
|
|
|
freebn(z);
|
|
|
|
|
z = tmp;
|
|
|
|
|
if (!z) return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Ensure z in range of n */
|
|
|
|
|
{
|
2015-05-09 14:02:52 +00:00
|
|
|
|
Bignum tmp = bigmod(z, publicKey->curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
freebn(z);
|
|
|
|
|
z = tmp;
|
|
|
|
|
if (!z) return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Calculate signature */
|
|
|
|
|
{
|
|
|
|
|
Bignum w, x, u1, u2;
|
|
|
|
|
struct ec_point *tmp;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
w = modinv(s, publicKey->curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!w) {
|
|
|
|
|
freebn(z);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
u1 = modmul(z, w, publicKey->curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!u1) {
|
|
|
|
|
freebn(z);
|
|
|
|
|
freebn(w);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
u2 = modmul(r, w, publicKey->curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
freebn(w);
|
|
|
|
|
if (!u2) {
|
|
|
|
|
freebn(z);
|
|
|
|
|
freebn(u1);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp = ecp_summul(u1, u2, publicKey);
|
|
|
|
|
freebn(u1);
|
|
|
|
|
freebn(u2);
|
|
|
|
|
if (!tmp) {
|
|
|
|
|
freebn(z);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
x = bigmod(tmp->x, publicKey->curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
ec_point_free(tmp);
|
|
|
|
|
if (!x) {
|
|
|
|
|
freebn(z);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
valid = (bignum_cmp(r, x) == 0) ? 1 : 0;
|
|
|
|
|
freebn(x);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
freebn(z);
|
|
|
|
|
|
|
|
|
|
return valid;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void _ecdsa_sign(const Bignum privateKey, const struct ec_curve *curve,
|
|
|
|
|
const unsigned char *data, const int dataLen,
|
|
|
|
|
Bignum *r, Bignum *s)
|
|
|
|
|
{
|
|
|
|
|
unsigned char digest[20];
|
|
|
|
|
int z_bits, n_bits;
|
|
|
|
|
Bignum z, k;
|
|
|
|
|
struct ec_point *kG;
|
|
|
|
|
|
|
|
|
|
*r = NULL;
|
|
|
|
|
*s = NULL;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (curve->type != EC_WEIERSTRASS) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
/* z = left most bitlen(curve->n) of data */
|
|
|
|
|
z = bignum_from_bytes(data, dataLen);
|
|
|
|
|
if (!z) return;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
n_bits = bignum_bitcount(curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
z_bits = bignum_bitcount(z);
|
|
|
|
|
if (z_bits > n_bits)
|
|
|
|
|
{
|
|
|
|
|
Bignum tmp;
|
|
|
|
|
tmp = bignum_rshift(z, z_bits - n_bits);
|
|
|
|
|
freebn(z);
|
|
|
|
|
z = tmp;
|
|
|
|
|
if (!z) return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Generate k between 1 and curve->n, using the same deterministic
|
|
|
|
|
* k generation system we use for conventional DSA. */
|
|
|
|
|
SHA_Simple(data, dataLen, digest);
|
2015-05-09 14:02:52 +00:00
|
|
|
|
k = dss_gen_k("ECDSA deterministic k generator", curve->w.n, privateKey,
|
2014-11-01 09:45:20 +00:00
|
|
|
|
digest, sizeof(digest));
|
|
|
|
|
if (!k) return;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
kG = ecp_mul(&curve->w.G, k);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!kG) {
|
|
|
|
|
freebn(z);
|
|
|
|
|
freebn(k);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* r = kG.x mod n */
|
2015-05-09 14:02:52 +00:00
|
|
|
|
*r = bigmod(kG->x, curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
ec_point_free(kG);
|
|
|
|
|
if (!*r) {
|
|
|
|
|
freebn(z);
|
|
|
|
|
freebn(k);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* s = (z + r * priv)/k mod n */
|
|
|
|
|
{
|
|
|
|
|
Bignum rPriv, zMod, first, firstMod, kInv;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
rPriv = modmul(*r, privateKey, curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!rPriv) {
|
|
|
|
|
freebn(*r);
|
|
|
|
|
freebn(z);
|
|
|
|
|
freebn(k);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
zMod = bigmod(z, curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
freebn(z);
|
|
|
|
|
if (!zMod) {
|
|
|
|
|
freebn(rPriv);
|
|
|
|
|
freebn(*r);
|
|
|
|
|
freebn(k);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
first = bigadd(rPriv, zMod);
|
|
|
|
|
freebn(rPriv);
|
|
|
|
|
freebn(zMod);
|
|
|
|
|
if (!first) {
|
|
|
|
|
freebn(*r);
|
|
|
|
|
freebn(k);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
firstMod = bigmod(first, curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
freebn(first);
|
|
|
|
|
if (!firstMod) {
|
|
|
|
|
freebn(*r);
|
|
|
|
|
freebn(k);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
kInv = modinv(k, curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
freebn(k);
|
|
|
|
|
if (!kInv) {
|
|
|
|
|
freebn(firstMod);
|
|
|
|
|
freebn(*r);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
*s = modmul(firstMod, kInv, curve->w.n);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
freebn(firstMod);
|
|
|
|
|
freebn(kInv);
|
|
|
|
|
if (!*s) {
|
|
|
|
|
freebn(*r);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Misc functions
|
|
|
|
|
*/
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static void getstring(const char **data, int *datalen,
|
|
|
|
|
const char **p, int *length)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
|
|
|
|
*p = NULL;
|
|
|
|
|
if (*datalen < 4)
|
|
|
|
|
return;
|
|
|
|
|
*length = toint(GET_32BIT(*data));
|
|
|
|
|
if (*length < 0)
|
|
|
|
|
return;
|
|
|
|
|
*datalen -= 4;
|
|
|
|
|
*data += 4;
|
|
|
|
|
if (*datalen < *length)
|
|
|
|
|
return;
|
|
|
|
|
*p = *data;
|
|
|
|
|
*data += *length;
|
|
|
|
|
*datalen -= *length;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static Bignum getmp(const char **data, int *datalen)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
2015-05-05 19:16:17 +00:00
|
|
|
|
const char *p;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
int length;
|
|
|
|
|
|
|
|
|
|
getstring(data, datalen, &p, &length);
|
|
|
|
|
if (!p)
|
|
|
|
|
return NULL;
|
|
|
|
|
if (p[0] & 0x80)
|
|
|
|
|
return NULL; /* negative mp */
|
|
|
|
|
return bignum_from_bytes((unsigned char *)p, length);
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static int decodepoint(const char *p, int length, struct ec_point *point)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
|
|
|
|
if (length < 1 || p[0] != 0x04) /* Only support uncompressed point */
|
|
|
|
|
return 0;
|
|
|
|
|
/* Skip compression flag */
|
|
|
|
|
++p;
|
|
|
|
|
--length;
|
|
|
|
|
/* The two values must be equal length */
|
|
|
|
|
if (length % 2 != 0) {
|
|
|
|
|
point->x = NULL;
|
|
|
|
|
point->y = NULL;
|
|
|
|
|
point->z = NULL;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
length = length / 2;
|
|
|
|
|
point->x = bignum_from_bytes((unsigned char *)p, length);
|
|
|
|
|
if (!point->x) return 0;
|
|
|
|
|
p += length;
|
|
|
|
|
point->y = bignum_from_bytes((unsigned char *)p, length);
|
|
|
|
|
if (!point->y) {
|
|
|
|
|
freebn(point->x);
|
|
|
|
|
point->x = NULL;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
point->z = NULL;
|
|
|
|
|
|
|
|
|
|
/* Verify the point is on the curve */
|
|
|
|
|
if (!ec_point_verify(point)) {
|
2014-12-20 17:07:17 +00:00
|
|
|
|
freebn(point->x);
|
|
|
|
|
point->x = NULL;
|
|
|
|
|
freebn(point->y);
|
|
|
|
|
point->y = NULL;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static int getmppoint(const char **data, int *datalen, struct ec_point *point)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
2015-05-05 19:16:17 +00:00
|
|
|
|
const char *p;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
int length;
|
|
|
|
|
|
|
|
|
|
getstring(data, datalen, &p, &length);
|
|
|
|
|
if (!p) return 0;
|
|
|
|
|
return decodepoint(p, length, point);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Exposed ECDSA interface
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static void ecdsa_freekey(void *key)
|
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec = (struct ec_key *) key;
|
|
|
|
|
if (!ec) return;
|
|
|
|
|
|
|
|
|
|
if (ec->publicKey.x)
|
|
|
|
|
freebn(ec->publicKey.x);
|
|
|
|
|
if (ec->publicKey.y)
|
|
|
|
|
freebn(ec->publicKey.y);
|
|
|
|
|
if (ec->publicKey.z)
|
|
|
|
|
freebn(ec->publicKey.z);
|
|
|
|
|
if (ec->privateKey)
|
|
|
|
|
freebn(ec->privateKey);
|
|
|
|
|
sfree(ec);
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static void *ecdsa_newkey(const char *data, int len)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
2015-05-05 19:16:17 +00:00
|
|
|
|
const char *p;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
int slen;
|
|
|
|
|
struct ec_key *ec;
|
|
|
|
|
struct ec_curve *curve;
|
|
|
|
|
|
|
|
|
|
getstring(&data, &len, &p, &slen);
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (!p) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
curve = ec_name_to_curve(p, slen);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!curve) return NULL;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (curve->type != EC_WEIERSTRASS) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
/* Curve name is duplicated for Weierstrass form */
|
|
|
|
|
if (curve->type == EC_WEIERSTRASS) {
|
|
|
|
|
getstring(&data, &len, &p, &slen);
|
|
|
|
|
if (curve != ec_name_to_curve(p, slen)) return NULL;
|
|
|
|
|
}
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
ec = snew(struct ec_key);
|
|
|
|
|
|
|
|
|
|
ec->publicKey.curve = curve;
|
|
|
|
|
ec->publicKey.infinity = 0;
|
|
|
|
|
ec->publicKey.x = NULL;
|
|
|
|
|
ec->publicKey.y = NULL;
|
|
|
|
|
ec->publicKey.z = NULL;
|
|
|
|
|
if (!getmppoint(&data, &len, &ec->publicKey)) {
|
|
|
|
|
ecdsa_freekey(ec);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
ec->privateKey = NULL;
|
|
|
|
|
|
|
|
|
|
if (!ec->publicKey.x || !ec->publicKey.y ||
|
|
|
|
|
bignum_cmp(ec->publicKey.x, curve->p) >= 0 ||
|
|
|
|
|
bignum_cmp(ec->publicKey.y, curve->p) >= 0)
|
|
|
|
|
{
|
|
|
|
|
ecdsa_freekey(ec);
|
|
|
|
|
ec = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ec;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static char *ecdsa_fmtkey(void *key)
|
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec = (struct ec_key *) key;
|
|
|
|
|
char *p;
|
|
|
|
|
int len, i, pos, nibbles;
|
|
|
|
|
static const char hex[] = "0123456789abcdef";
|
|
|
|
|
if (!ec->publicKey.x || !ec->publicKey.y || !ec->publicKey.curve)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
pos = ec_curve_to_name(EC_TYPE_CURVE, ec->publicKey.curve, NULL, 0);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (pos == 0) return NULL;
|
|
|
|
|
|
|
|
|
|
len = 4 + 2 + 1; /* 2 x "0x", punctuation, \0 */
|
|
|
|
|
len += pos; /* Curve name */
|
|
|
|
|
len += 4 * (bignum_bitcount(ec->publicKey.x) + 15) / 16;
|
|
|
|
|
len += 4 * (bignum_bitcount(ec->publicKey.y) + 15) / 16;
|
|
|
|
|
p = snewn(len, char);
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
pos = ec_curve_to_name(EC_TYPE_CURVE, ec->publicKey.curve, (unsigned char*)p, pos);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
pos += sprintf(p + pos, ",0x");
|
|
|
|
|
nibbles = (3 + bignum_bitcount(ec->publicKey.x)) / 4;
|
|
|
|
|
if (nibbles < 1)
|
|
|
|
|
nibbles = 1;
|
|
|
|
|
for (i = nibbles; i--;) {
|
|
|
|
|
p[pos++] =
|
|
|
|
|
hex[(bignum_byte(ec->publicKey.x, i / 2) >> (4 * (i % 2))) & 0xF];
|
|
|
|
|
}
|
|
|
|
|
pos += sprintf(p + pos, ",0x");
|
|
|
|
|
nibbles = (3 + bignum_bitcount(ec->publicKey.y)) / 4;
|
|
|
|
|
if (nibbles < 1)
|
|
|
|
|
nibbles = 1;
|
|
|
|
|
for (i = nibbles; i--;) {
|
|
|
|
|
p[pos++] =
|
|
|
|
|
hex[(bignum_byte(ec->publicKey.y, i / 2) >> (4 * (i % 2))) & 0xF];
|
|
|
|
|
}
|
|
|
|
|
p[pos] = '\0';
|
|
|
|
|
return p;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static unsigned char *ecdsa_public_blob(void *key, int *len)
|
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec = (struct ec_key *) key;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
int pointlen, bloblen, fullnamelen, namelen;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
int i;
|
|
|
|
|
unsigned char *blob, *p;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (ec->publicKey.curve->type == EC_WEIERSTRASS) {
|
|
|
|
|
fullnamelen = ec_curve_to_name(EC_TYPE_DSA, ec->publicKey.curve, NULL, 0);
|
|
|
|
|
if (fullnamelen == 0) return NULL;
|
|
|
|
|
namelen = ec_curve_to_name(EC_TYPE_CURVE, ec->publicKey.curve, NULL, 0);
|
|
|
|
|
if (namelen == 0) return NULL;
|
|
|
|
|
|
|
|
|
|
pointlen = (bignum_bitcount(ec->publicKey.curve->p) + 7) / 8;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* string "ecdsa-sha2-<name>", string "<name>", 0x04 point x, y.
|
|
|
|
|
*/
|
|
|
|
|
bloblen = 4 + fullnamelen + 4 + namelen + 4 + 1 + (pointlen * 2);
|
|
|
|
|
blob = snewn(bloblen, unsigned char);
|
|
|
|
|
|
|
|
|
|
p = blob;
|
|
|
|
|
PUT_32BIT(p, fullnamelen);
|
|
|
|
|
p += 4;
|
|
|
|
|
p += ec_curve_to_name(EC_TYPE_DSA, ec->publicKey.curve, p, fullnamelen);
|
|
|
|
|
PUT_32BIT(p, namelen);
|
|
|
|
|
p += 4;
|
|
|
|
|
p += ec_curve_to_name(EC_TYPE_CURVE, ec->publicKey.curve, p, namelen);
|
|
|
|
|
PUT_32BIT(p, (2 * pointlen) + 1);
|
|
|
|
|
p += 4;
|
|
|
|
|
*p++ = 0x04;
|
|
|
|
|
for (i = pointlen; i--;) {
|
|
|
|
|
*p++ = bignum_byte(ec->publicKey.x, i);
|
|
|
|
|
}
|
|
|
|
|
for (i = pointlen; i--;) {
|
|
|
|
|
*p++ = bignum_byte(ec->publicKey.y, i);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
assert(p == blob + bloblen);
|
|
|
|
|
*len = bloblen;
|
|
|
|
|
|
|
|
|
|
return blob;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static unsigned char *ecdsa_private_blob(void *key, int *len)
|
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec = (struct ec_key *) key;
|
|
|
|
|
int keylen, bloblen;
|
|
|
|
|
int i;
|
|
|
|
|
unsigned char *blob, *p;
|
|
|
|
|
|
|
|
|
|
if (!ec->privateKey) return NULL;
|
|
|
|
|
|
|
|
|
|
keylen = (bignum_bitcount(ec->privateKey) + 8) / 8;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* mpint privateKey. Total 4 + keylen.
|
|
|
|
|
*/
|
|
|
|
|
bloblen = 4 + keylen;
|
|
|
|
|
blob = snewn(bloblen, unsigned char);
|
|
|
|
|
|
|
|
|
|
p = blob;
|
|
|
|
|
PUT_32BIT(p, keylen);
|
|
|
|
|
p += 4;
|
|
|
|
|
for (i = keylen; i--;)
|
|
|
|
|
*p++ = bignum_byte(ec->privateKey, i);
|
|
|
|
|
|
|
|
|
|
assert(p == blob + bloblen);
|
|
|
|
|
*len = bloblen;
|
|
|
|
|
return blob;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static void *ecdsa_createkey(const unsigned char *pub_blob, int pub_len,
|
|
|
|
|
const unsigned char *priv_blob, int priv_len)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec;
|
|
|
|
|
struct ec_point *publicKey;
|
2015-05-05 19:16:17 +00:00
|
|
|
|
const char *pb = (const char *) priv_blob;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
ec = (struct ec_key*)ecdsa_newkey((const char *) pub_blob, pub_len);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!ec) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ec->privateKey = getmp(&pb, &priv_len);
|
|
|
|
|
if (!ec->privateKey) {
|
|
|
|
|
ecdsa_freekey(ec);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Check that private key generates public key */
|
2015-05-09 14:02:52 +00:00
|
|
|
|
publicKey = ec_public(ec->privateKey, ec->publicKey.curve);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
if (!publicKey ||
|
|
|
|
|
bignum_cmp(publicKey->x, ec->publicKey.x) ||
|
|
|
|
|
bignum_cmp(publicKey->y, ec->publicKey.y))
|
|
|
|
|
{
|
|
|
|
|
ecdsa_freekey(ec);
|
|
|
|
|
ec = NULL;
|
|
|
|
|
}
|
|
|
|
|
ec_point_free(publicKey);
|
|
|
|
|
|
|
|
|
|
return ec;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static void *ecdsa_openssh_createkey(const unsigned char **blob, int *len)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
2015-05-05 19:16:17 +00:00
|
|
|
|
const char **b = (const char **) blob;
|
|
|
|
|
const char *p;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
int slen;
|
|
|
|
|
struct ec_key *ec;
|
|
|
|
|
struct ec_curve *curve;
|
|
|
|
|
struct ec_point *publicKey;
|
|
|
|
|
|
|
|
|
|
getstring(b, len, &p, &slen);
|
|
|
|
|
|
|
|
|
|
if (!p) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
curve = ec_name_to_curve(p, slen);
|
|
|
|
|
if (!curve) return NULL;
|
|
|
|
|
|
|
|
|
|
ec = snew(struct ec_key);
|
|
|
|
|
|
|
|
|
|
ec->publicKey.curve = curve;
|
|
|
|
|
ec->publicKey.infinity = 0;
|
|
|
|
|
ec->publicKey.x = NULL;
|
|
|
|
|
ec->publicKey.y = NULL;
|
|
|
|
|
ec->publicKey.z = NULL;
|
|
|
|
|
if (!getmppoint(b, len, &ec->publicKey)) {
|
|
|
|
|
ecdsa_freekey(ec);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
ec->privateKey = NULL;
|
|
|
|
|
|
|
|
|
|
if (!ec->publicKey.x || !ec->publicKey.y ||
|
|
|
|
|
bignum_cmp(ec->publicKey.x, curve->p) >= 0 ||
|
|
|
|
|
bignum_cmp(ec->publicKey.y, curve->p) >= 0)
|
|
|
|
|
{
|
|
|
|
|
ecdsa_freekey(ec);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ec->privateKey = getmp(b, len);
|
|
|
|
|
if (ec->privateKey == NULL)
|
|
|
|
|
{
|
|
|
|
|
ecdsa_freekey(ec);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Now check that the private key makes the public key */
|
2015-05-09 14:02:52 +00:00
|
|
|
|
publicKey = ec_public(ec->privateKey, ec->publicKey.curve);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!publicKey)
|
|
|
|
|
{
|
|
|
|
|
ecdsa_freekey(ec);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (bignum_cmp(ec->publicKey.x, publicKey->x) ||
|
|
|
|
|
bignum_cmp(ec->publicKey.y, publicKey->y))
|
|
|
|
|
{
|
|
|
|
|
/* Private key doesn't make the public key on the given curve */
|
|
|
|
|
ecdsa_freekey(ec);
|
|
|
|
|
ec_point_free(publicKey);
|
2014-12-20 17:07:17 +00:00
|
|
|
|
return NULL;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ec_point_free(publicKey);
|
|
|
|
|
|
|
|
|
|
return ec;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ecdsa_openssh_fmtkey(void *key, unsigned char *blob, int len)
|
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec = (struct ec_key *) key;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
int pointlen;
|
|
|
|
|
int namelen;
|
|
|
|
|
int bloblen;
|
|
|
|
|
int i;
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (ec->publicKey.curve->type != EC_WEIERSTRASS) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
pointlen = (bignum_bitcount(ec->publicKey.curve->p) + 7) / 8;
|
|
|
|
|
namelen = ec_curve_to_name(EC_TYPE_CURVE, ec->publicKey.curve, NULL, 0);
|
|
|
|
|
bloblen =
|
2014-11-01 09:45:20 +00:00
|
|
|
|
4 + namelen /* <LEN> nistpXXX */
|
|
|
|
|
+ 4 + 1 + (pointlen * 2) /* <LEN> 0x04 pX pY */
|
|
|
|
|
+ ssh2_bignum_length(ec->privateKey);
|
|
|
|
|
|
|
|
|
|
if (bloblen > len)
|
|
|
|
|
return bloblen;
|
|
|
|
|
|
|
|
|
|
bloblen = 0;
|
|
|
|
|
|
|
|
|
|
PUT_32BIT(blob+bloblen, namelen);
|
|
|
|
|
bloblen += 4;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
bloblen += ec_curve_to_name(EC_TYPE_CURVE, ec->publicKey.curve, blob+bloblen, namelen);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
PUT_32BIT(blob+bloblen, 1 + (pointlen * 2));
|
|
|
|
|
bloblen += 4;
|
|
|
|
|
blob[bloblen++] = 0x04;
|
|
|
|
|
for (i = pointlen; i--; )
|
|
|
|
|
blob[bloblen++] = bignum_byte(ec->publicKey.x, i);
|
|
|
|
|
for (i = pointlen; i--; )
|
|
|
|
|
blob[bloblen++] = bignum_byte(ec->publicKey.y, i);
|
|
|
|
|
|
|
|
|
|
pointlen = (bignum_bitcount(ec->privateKey) + 8) / 8;
|
|
|
|
|
PUT_32BIT(blob+bloblen, pointlen);
|
|
|
|
|
bloblen += 4;
|
|
|
|
|
for (i = pointlen; i--; )
|
|
|
|
|
blob[bloblen++] = bignum_byte(ec->privateKey, i);
|
|
|
|
|
|
|
|
|
|
return bloblen;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static int ecdsa_pubkey_bits(const void *blob, int len)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec;
|
|
|
|
|
int ret;
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
ec = (struct ec_key*)ecdsa_newkey((const char *) blob, len);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
if (!ec)
|
|
|
|
|
return -1;
|
|
|
|
|
ret = ec->publicKey.curve->fieldBits;
|
|
|
|
|
ecdsa_freekey(ec);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static char *ecdsa_fingerprint(void *key)
|
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec = (struct ec_key *) key;
|
|
|
|
|
struct MD5Context md5c;
|
|
|
|
|
unsigned char digest[16], lenbuf[4];
|
|
|
|
|
char *ret;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
unsigned char *name, *fullname;
|
|
|
|
|
int pointlen, namelen, fullnamelen, i, j;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
MD5Init(&md5c);
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
namelen = ec_curve_to_name(EC_TYPE_DSA, ec->publicKey.curve, NULL, 0);
|
|
|
|
|
name = snewn(namelen, unsigned char);
|
|
|
|
|
ec_curve_to_name(EC_TYPE_DSA, ec->publicKey.curve, name, namelen);
|
|
|
|
|
|
|
|
|
|
if (ec->publicKey.curve->type == EC_WEIERSTRASS) {
|
|
|
|
|
fullnamelen = ec_curve_to_name(EC_TYPE_CURVE, ec->publicKey.curve, NULL, 0);
|
|
|
|
|
fullname = snewn(namelen, unsigned char);
|
|
|
|
|
ec_curve_to_name(EC_TYPE_DSA, ec->publicKey.curve, fullname, fullnamelen);
|
|
|
|
|
|
|
|
|
|
PUT_32BIT(lenbuf, fullnamelen);
|
|
|
|
|
MD5Update(&md5c, lenbuf, 4);
|
|
|
|
|
MD5Update(&md5c, fullname, fullnamelen);
|
|
|
|
|
sfree(fullname);
|
|
|
|
|
|
|
|
|
|
PUT_32BIT(lenbuf, namelen);
|
|
|
|
|
MD5Update(&md5c, lenbuf, 4);
|
|
|
|
|
MD5Update(&md5c, name, namelen);
|
|
|
|
|
|
|
|
|
|
pointlen = (bignum_bitcount(ec->publicKey.curve->p) + 7) / 8;
|
|
|
|
|
PUT_32BIT(lenbuf, 1 + (pointlen * 2));
|
|
|
|
|
MD5Update(&md5c, lenbuf, 4);
|
|
|
|
|
MD5Update(&md5c, (const unsigned char *)"\x04", 1);
|
|
|
|
|
for (i = pointlen; i--; ) {
|
|
|
|
|
unsigned char c = bignum_byte(ec->publicKey.x, i);
|
|
|
|
|
MD5Update(&md5c, &c, 1);
|
|
|
|
|
}
|
|
|
|
|
for (i = pointlen; i--; ) {
|
|
|
|
|
unsigned char c = bignum_byte(ec->publicKey.y, i);
|
|
|
|
|
MD5Update(&md5c, &c, 1);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
sfree(name);
|
|
|
|
|
return NULL;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
MD5Final(digest, &md5c);
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
ret = snewn(namelen + 1 + (16 * 3), char);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
i = 0;
|
|
|
|
|
memcpy(ret, name, namelen);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
i += namelen;
|
|
|
|
|
sfree(name);
|
|
|
|
|
ret[i++] = ' ';
|
2015-05-09 14:02:52 +00:00
|
|
|
|
for (j = 0; j < 16; j++) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
i += sprintf(ret + i, "%s%02x", j ? ":" : "", digest[j]);
|
2015-05-09 14:02:52 +00:00
|
|
|
|
}
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static int ecdsa_verifysig(void *key, const char *sig, int siglen,
|
|
|
|
|
const char *data, int datalen)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec = (struct ec_key *) key;
|
2015-05-05 19:16:17 +00:00
|
|
|
|
const char *p;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
int slen;
|
|
|
|
|
unsigned char digest[512 / 8];
|
|
|
|
|
int digestLen;
|
|
|
|
|
int ret;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
Bignum r, s;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
if (!ec->publicKey.x || !ec->publicKey.y || !ec->publicKey.curve)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* Check the signature curve matches the key curve */
|
|
|
|
|
getstring(&sig, &siglen, &p, &slen);
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (!p) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (ec->publicKey.curve != ec_name_to_curve(p, slen)) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
getstring(&sig, &siglen, &p, &slen);
|
2015-05-09 14:02:52 +00:00
|
|
|
|
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
r = getmp(&p, &slen);
|
|
|
|
|
if (!r) return 0;
|
|
|
|
|
s = getmp(&p, &slen);
|
|
|
|
|
if (!s) {
|
|
|
|
|
freebn(r);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Perform correct hash function depending on curve size */
|
|
|
|
|
if (ec->publicKey.curve->fieldBits <= 256) {
|
|
|
|
|
SHA256_Simple(data, datalen, digest);
|
|
|
|
|
digestLen = 256 / 8;
|
|
|
|
|
} else if (ec->publicKey.curve->fieldBits <= 384) {
|
|
|
|
|
SHA384_Simple(data, datalen, digest);
|
|
|
|
|
digestLen = 384 / 8;
|
|
|
|
|
} else {
|
|
|
|
|
SHA512_Simple(data, datalen, digest);
|
|
|
|
|
digestLen = 512 / 8;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Verify the signature */
|
2015-05-09 14:02:52 +00:00
|
|
|
|
ret = _ecdsa_verify(&ec->publicKey, digest, digestLen, r, s);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
freebn(r);
|
|
|
|
|
freebn(s);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-05 19:16:17 +00:00
|
|
|
|
static unsigned char *ecdsa_sign(void *key, const char *data, int datalen,
|
2014-11-01 09:45:20 +00:00
|
|
|
|
int *siglen)
|
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec = (struct ec_key *) key;
|
|
|
|
|
unsigned char digest[512 / 8];
|
|
|
|
|
int digestLen;
|
|
|
|
|
Bignum r = NULL, s = NULL;
|
|
|
|
|
unsigned char *buf, *p;
|
|
|
|
|
int rlen, slen, namelen;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if (!ec->privateKey || !ec->publicKey.curve) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Perform correct hash function depending on curve size */
|
|
|
|
|
if (ec->publicKey.curve->fieldBits <= 256) {
|
|
|
|
|
SHA256_Simple(data, datalen, digest);
|
|
|
|
|
digestLen = 256 / 8;
|
|
|
|
|
} else if (ec->publicKey.curve->fieldBits <= 384) {
|
|
|
|
|
SHA384_Simple(data, datalen, digest);
|
|
|
|
|
digestLen = 384 / 8;
|
|
|
|
|
} else {
|
|
|
|
|
SHA512_Simple(data, datalen, digest);
|
|
|
|
|
digestLen = 512 / 8;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Do the signature */
|
|
|
|
|
_ecdsa_sign(ec->privateKey, ec->publicKey.curve, digest, digestLen, &r, &s);
|
|
|
|
|
if (!r || !s) {
|
|
|
|
|
if (r) freebn(r);
|
|
|
|
|
if (s) freebn(s);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rlen = (bignum_bitcount(r) + 8) / 8;
|
|
|
|
|
slen = (bignum_bitcount(s) + 8) / 8;
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
namelen = ec_curve_to_name(EC_TYPE_DSA, ec->publicKey.curve, NULL, 0);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
/* Format the output */
|
2015-05-09 14:02:52 +00:00
|
|
|
|
*siglen = 8+namelen+rlen+slen+8;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
buf = snewn(*siglen, unsigned char);
|
|
|
|
|
p = buf;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
PUT_32BIT(p, namelen);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
p += 4;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
p += ec_curve_to_name(EC_TYPE_DSA, ec->publicKey.curve, p, namelen);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
PUT_32BIT(p, rlen + slen + 8);
|
|
|
|
|
p += 4;
|
|
|
|
|
PUT_32BIT(p, rlen);
|
|
|
|
|
p += 4;
|
|
|
|
|
for (i = rlen; i--;)
|
|
|
|
|
*p++ = bignum_byte(r, i);
|
|
|
|
|
PUT_32BIT(p, slen);
|
|
|
|
|
p += 4;
|
|
|
|
|
for (i = slen; i--;)
|
|
|
|
|
*p++ = bignum_byte(s, i);
|
|
|
|
|
|
2014-12-20 17:07:17 +00:00
|
|
|
|
freebn(r);
|
|
|
|
|
freebn(s);
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return buf;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const struct ssh_signkey ssh_ecdsa_nistp256 = {
|
|
|
|
|
ecdsa_newkey,
|
|
|
|
|
ecdsa_freekey,
|
|
|
|
|
ecdsa_fmtkey,
|
|
|
|
|
ecdsa_public_blob,
|
|
|
|
|
ecdsa_private_blob,
|
|
|
|
|
ecdsa_createkey,
|
|
|
|
|
ecdsa_openssh_createkey,
|
|
|
|
|
ecdsa_openssh_fmtkey,
|
2015-05-02 14:11:41 +00:00
|
|
|
|
3 /* curve name, point, private exponent */,
|
2014-11-01 09:45:20 +00:00
|
|
|
|
ecdsa_pubkey_bits,
|
|
|
|
|
ecdsa_fingerprint,
|
|
|
|
|
ecdsa_verifysig,
|
|
|
|
|
ecdsa_sign,
|
|
|
|
|
"ecdsa-sha2-nistp256",
|
|
|
|
|
"ecdsa-sha2-nistp256",
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const struct ssh_signkey ssh_ecdsa_nistp384 = {
|
|
|
|
|
ecdsa_newkey,
|
|
|
|
|
ecdsa_freekey,
|
|
|
|
|
ecdsa_fmtkey,
|
|
|
|
|
ecdsa_public_blob,
|
|
|
|
|
ecdsa_private_blob,
|
|
|
|
|
ecdsa_createkey,
|
|
|
|
|
ecdsa_openssh_createkey,
|
|
|
|
|
ecdsa_openssh_fmtkey,
|
2015-05-02 14:11:41 +00:00
|
|
|
|
3 /* curve name, point, private exponent */,
|
2014-11-01 09:45:20 +00:00
|
|
|
|
ecdsa_pubkey_bits,
|
|
|
|
|
ecdsa_fingerprint,
|
|
|
|
|
ecdsa_verifysig,
|
|
|
|
|
ecdsa_sign,
|
|
|
|
|
"ecdsa-sha2-nistp384",
|
|
|
|
|
"ecdsa-sha2-nistp384",
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const struct ssh_signkey ssh_ecdsa_nistp521 = {
|
|
|
|
|
ecdsa_newkey,
|
|
|
|
|
ecdsa_freekey,
|
|
|
|
|
ecdsa_fmtkey,
|
|
|
|
|
ecdsa_public_blob,
|
|
|
|
|
ecdsa_private_blob,
|
|
|
|
|
ecdsa_createkey,
|
|
|
|
|
ecdsa_openssh_createkey,
|
|
|
|
|
ecdsa_openssh_fmtkey,
|
2015-05-02 14:11:41 +00:00
|
|
|
|
3 /* curve name, point, private exponent */,
|
2014-11-01 09:45:20 +00:00
|
|
|
|
ecdsa_pubkey_bits,
|
|
|
|
|
ecdsa_fingerprint,
|
|
|
|
|
ecdsa_verifysig,
|
|
|
|
|
ecdsa_sign,
|
|
|
|
|
"ecdsa-sha2-nistp521",
|
|
|
|
|
"ecdsa-sha2-nistp521",
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Exposed ECDH interface
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static Bignum ecdh_calculate(const Bignum private,
|
|
|
|
|
const struct ec_point *public)
|
|
|
|
|
{
|
|
|
|
|
struct ec_point *p;
|
|
|
|
|
Bignum ret;
|
|
|
|
|
p = ecp_mul(public, private);
|
|
|
|
|
if (!p) return NULL;
|
|
|
|
|
ret = p->x;
|
|
|
|
|
p->x = NULL;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
|
|
|
|
|
if (p->curve->type == EC_MONTGOMERY) {
|
|
|
|
|
/* Do conversion in network byte order */
|
|
|
|
|
int i;
|
|
|
|
|
int bytes = (bignum_bitcount(ret)+7) / 8;
|
|
|
|
|
unsigned char *byteorder = snewn(bytes, unsigned char);
|
|
|
|
|
if (!byteorder) {
|
|
|
|
|
ec_point_free(p);
|
|
|
|
|
freebn(ret);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
for (i = 0; i < bytes; ++i) {
|
|
|
|
|
byteorder[i] = bignum_byte(ret, i);
|
|
|
|
|
}
|
|
|
|
|
freebn(ret);
|
|
|
|
|
ret = bignum_from_bytes(byteorder, bytes);
|
|
|
|
|
sfree(byteorder);
|
|
|
|
|
}
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
ec_point_free(p);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
void *ssh_ecdhkex_newkey(const char *name)
|
2014-11-01 09:45:20 +00:00
|
|
|
|
{
|
2015-05-09 14:02:52 +00:00
|
|
|
|
struct ec_curve *curve;
|
|
|
|
|
struct ec_key *key;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
struct ec_point *publicKey;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
|
|
|
|
|
curve = ec_name_to_curve(name, strlen(name));
|
|
|
|
|
|
|
|
|
|
key = snew(struct ec_key);
|
|
|
|
|
if (!key) {
|
2014-11-01 09:45:20 +00:00
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2015-05-09 14:02:52 +00:00
|
|
|
|
|
|
|
|
|
key->publicKey.curve = curve;
|
|
|
|
|
|
|
|
|
|
if (curve->type == EC_MONTGOMERY) {
|
|
|
|
|
unsigned char bytes[32] = {0};
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < sizeof(bytes); ++i)
|
|
|
|
|
{
|
|
|
|
|
bytes[i] = (unsigned char)random_byte();
|
|
|
|
|
}
|
|
|
|
|
bytes[0] &= 248;
|
|
|
|
|
bytes[31] &= 127;
|
|
|
|
|
bytes[31] |= 64;
|
|
|
|
|
key->privateKey = bignum_from_bytes(bytes, sizeof(bytes));
|
|
|
|
|
for (i = 0; i < sizeof(bytes); ++i)
|
|
|
|
|
{
|
|
|
|
|
((volatile char*)bytes)[i] = 0;
|
|
|
|
|
}
|
|
|
|
|
if (!key->privateKey) {
|
|
|
|
|
sfree(key);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
publicKey = ecp_mul(&key->publicKey.curve->m.G, key->privateKey);
|
|
|
|
|
if (!publicKey) {
|
|
|
|
|
freebn(key->privateKey);
|
|
|
|
|
sfree(key);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
key->publicKey.x = publicKey->x;
|
|
|
|
|
key->publicKey.y = publicKey->y;
|
|
|
|
|
key->publicKey.z = NULL;
|
|
|
|
|
sfree(publicKey);
|
|
|
|
|
} else {
|
|
|
|
|
key->privateKey = bignum_random_in_range(One, key->publicKey.curve->w.n);
|
|
|
|
|
if (!key->privateKey) {
|
|
|
|
|
sfree(key);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
publicKey = ecp_mul(&key->publicKey.curve->w.G, key->privateKey);
|
|
|
|
|
if (!publicKey) {
|
|
|
|
|
freebn(key->privateKey);
|
|
|
|
|
sfree(key);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
key->publicKey.x = publicKey->x;
|
|
|
|
|
key->publicKey.y = publicKey->y;
|
|
|
|
|
key->publicKey.z = NULL;
|
|
|
|
|
sfree(publicKey);
|
2014-11-01 09:45:20 +00:00
|
|
|
|
}
|
|
|
|
|
return key;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
char *ssh_ecdhkex_getpublic(void *key, int *len)
|
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec = (struct ec_key*)key;
|
|
|
|
|
char *point, *p;
|
|
|
|
|
int i;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
int pointlen;
|
|
|
|
|
|
|
|
|
|
pointlen = (bignum_bitcount(ec->publicKey.curve->p) + 7) / 8;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (ec->publicKey.curve->type == EC_WEIERSTRASS) {
|
|
|
|
|
*len = 1 + pointlen * 2;
|
|
|
|
|
} else {
|
|
|
|
|
*len = pointlen;
|
|
|
|
|
}
|
2014-11-01 09:45:20 +00:00
|
|
|
|
point = (char*)snewn(*len, char);
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (!point) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
p = point;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (ec->publicKey.curve->type == EC_WEIERSTRASS) {
|
|
|
|
|
*p++ = 0x04;
|
|
|
|
|
for (i = pointlen; i--;) {
|
|
|
|
|
*p++ = bignum_byte(ec->publicKey.x, i);
|
|
|
|
|
}
|
|
|
|
|
for (i = pointlen; i--;) {
|
|
|
|
|
*p++ = bignum_byte(ec->publicKey.y, i);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
for (i = 0; i < pointlen; ++i) {
|
|
|
|
|
*p++ = bignum_byte(ec->publicKey.x, i);
|
|
|
|
|
}
|
|
|
|
|
}
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
|
|
|
|
return point;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Bignum ssh_ecdhkex_getkey(void *key, char *remoteKey, int remoteKeyLen)
|
|
|
|
|
{
|
|
|
|
|
struct ec_key *ec = (struct ec_key*) key;
|
|
|
|
|
struct ec_point remote;
|
2015-05-09 14:02:52 +00:00
|
|
|
|
Bignum ret;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
if (ec->publicKey.curve->type == EC_WEIERSTRASS) {
|
|
|
|
|
remote.curve = ec->publicKey.curve;
|
|
|
|
|
remote.infinity = 0;
|
|
|
|
|
if (!decodepoint(remoteKey, remoteKeyLen, &remote)) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/* Point length has to be the same length */
|
|
|
|
|
if (remoteKeyLen != (bignum_bitcount(ec->publicKey.curve->p) + 7) / 8) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
remote.curve = ec->publicKey.curve;
|
|
|
|
|
remote.infinity = 0;
|
|
|
|
|
remote.x = bignum_from_bytes_le((unsigned char*)remoteKey, remoteKeyLen);
|
|
|
|
|
remote.y = NULL;
|
|
|
|
|
remote.z = NULL;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
ret = ecdh_calculate(ec->privateKey, &remote);
|
|
|
|
|
if (remote.x) freebn(remote.x);
|
|
|
|
|
if (remote.y) freebn(remote.y);
|
|
|
|
|
return ret;
|
2014-11-01 09:45:20 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ssh_ecdhkex_freekey(void *key)
|
|
|
|
|
{
|
|
|
|
|
ecdsa_freekey(key);
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:52 +00:00
|
|
|
|
static const struct ssh_kex ssh_ec_kex_curve25519 = {
|
|
|
|
|
"curve25519-sha256@libssh.org", NULL, KEXTYPE_ECDH, NULL, NULL, 0, 0, &ssh_sha256
|
|
|
|
|
};
|
|
|
|
|
|
2014-11-01 09:45:20 +00:00
|
|
|
|
static const struct ssh_kex ssh_ec_kex_nistp256 = {
|
|
|
|
|
"ecdh-sha2-nistp256", NULL, KEXTYPE_ECDH, NULL, NULL, 0, 0, &ssh_sha256
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const struct ssh_kex ssh_ec_kex_nistp384 = {
|
|
|
|
|
"ecdh-sha2-nistp384", NULL, KEXTYPE_ECDH, NULL, NULL, 0, 0, &ssh_sha384
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const struct ssh_kex ssh_ec_kex_nistp521 = {
|
|
|
|
|
"ecdh-sha2-nistp521", NULL, KEXTYPE_ECDH, NULL, NULL, 0, 0, &ssh_sha512
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const struct ssh_kex *const ec_kex_list[] = {
|
2015-05-09 14:02:52 +00:00
|
|
|
|
&ssh_ec_kex_curve25519,
|
2014-11-01 09:45:20 +00:00
|
|
|
|
&ssh_ec_kex_nistp256,
|
|
|
|
|
&ssh_ec_kex_nistp384,
|
|
|
|
|
&ssh_ec_kex_nistp521
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const struct ssh_kexes ssh_ecdh_kex = {
|
|
|
|
|
sizeof(ec_kex_list) / sizeof(*ec_kex_list),
|
|
|
|
|
ec_kex_list
|
|
|
|
|
};
|