/src/dropbear/src/ecc.c

Source (jump to first uncovered line)
#include "includes.h"
#include "ecc.h"
#include "dbutil.h"
#include "bignum.h"

#if DROPBEAR_ECC

/* .dp members are filled out by dropbear_ecc_fill_dp() at startup */
#if DROPBEAR_ECC_256
struct dropbear_ecc_curve ecc_curve_nistp256 = {
  32,   /* .ltc_size  */
  NULL,   /* .dp    */
  &sha256_desc, /* .hash_desc */
  "nistp256"  /* .name  */
};
#endif
#if DROPBEAR_ECC_384
struct dropbear_ecc_curve ecc_curve_nistp384 = {
  48,   /* .ltc_size  */
  NULL,   /* .dp    */
  &sha384_desc, /* .hash_desc */
  "nistp384"  /* .name  */
};
#endif
#if DROPBEAR_ECC_521
struct dropbear_ecc_curve ecc_curve_nistp521 = {
  66,   /* .ltc_size  */
  NULL,   /* .dp    */
  &sha512_desc, /* .hash_desc */
  "nistp521"  /* .name  */
};
#endif

struct dropbear_ecc_curve *dropbear_ecc_curves[] = {
#if DROPBEAR_ECC_256
  &ecc_curve_nistp256,
#endif
#if DROPBEAR_ECC_384
  &ecc_curve_nistp384,
#endif
#if DROPBEAR_ECC_521
  &ecc_curve_nistp521,
#endif
  NULL
};

void dropbear_ecc_fill_dp() {
  struct dropbear_ecc_curve **curve;
  /* libtomcrypt guarantees they're ordered by size */
  const ltc_ecc_set_type *dp = ltc_ecc_sets;
  for (curve = dropbear_ecc_curves; *curve; curve++) {
    for (;dp->size > 0; dp++) {
      if (dp->size == (*curve)->ltc_size) {
        (*curve)->dp = dp;
        break;
      }
    }
    if (!(*curve)->dp) {
      dropbear_exit("Missing ECC params %s", (*curve)->name);
    }
  }
}

struct dropbear_ecc_curve* curve_for_dp(const ltc_ecc_set_type *dp) {
  struct dropbear_ecc_curve **curve = NULL;
  for (curve = dropbear_ecc_curves; *curve; curve++) {
    if ((*curve)->dp == dp) {
      break;
    }
  }
  assert(*curve);
  return *curve;
}

ecc_key * new_ecc_key(void) {
  ecc_key *key = m_malloc(sizeof(*key));
  m_mp_alloc_init_multi((mp_int**)&key->pubkey.x, (mp_int**)&key->pubkey.y, 
    (mp_int**)&key->pubkey.z, (mp_int**)&key->k, NULL);
  return key;
}

/* Copied from libtomcrypt ecc_import.c (version there is static), modified
   for different mp_int pointer without LTC_SOURCE */
static int ecc_is_point(const ecc_key *key)
{
  mp_int *prime, *b, *t1, *t2;
  int err;
  
  m_mp_alloc_init_multi(&prime, &b, &t1, &t2, NULL);
  
   /* load prime and b */
  if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK)                          { goto error; }
  if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK)                                  { goto error; }
  
   /* compute y^2 */
  if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK)                                         { goto error; }
  
   /* compute x^3 */
  if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK)                                         { goto error; }
  if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK)                                             { goto error; }
  if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK)                                     { goto error; }
  
   /* compute y^2 - x^3 */
  if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK)                                                { goto error; }
  
   /* compute y^2 - x^3 + 3x */
  if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
  if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
  if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
  if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK)                                             { goto error; }
  while (mp_cmp_d(t1, 0) == LTC_MP_LT) {
    if ((err = mp_add(t1, prime, t1)) != CRYPT_OK)                                          { goto error; }
  }
  while (mp_cmp(t1, prime) != LTC_MP_LT) {
    if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK)                                          { goto error; }
  }
  
   /* compare to b */
  if (mp_cmp(t1, b) != LTC_MP_EQ) {
    err = CRYPT_INVALID_PACKET;
  } else {
    err = CRYPT_OK;
  }
  
  error:
  mp_clear_multi(prime, b, t1, t2, NULL);
  m_free(prime);
  m_free(b);
  m_free(t1);
  m_free(t2);
  return err;
}

/* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */
void buf_put_ecc_raw_pubkey_string(buffer *buf, ecc_key *key) {
  unsigned long len = key->dp->size*2 + 1;
  int err;
  buf_putint(buf, len);
  err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len);
  if (err != CRYPT_OK) {
    dropbear_exit("ECC error");
  }
  buf_incrwritepos(buf, len);
}

/* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */
ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve) {
  ecc_key *key = NULL;
  int ret = DROPBEAR_FAILURE;
  const unsigned int size = curve->dp->size;
  unsigned char first;

  TRACE(("enter buf_get_ecc_raw_pubkey"))

  buf_setpos(buf, 0);
  first = buf_getbyte(buf);
  if (first == 2 || first == 3) {
    dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression");
    return NULL;
  }
  if (first != 4 || buf->len != 1+2*size) {
    TRACE(("leave, wrong size"))
    return NULL;
  }

  key = new_ecc_key();
  key->dp = curve->dp;

  if (mp_from_ubin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) {
    TRACE(("failed to read x"))
    goto out;
  }
  buf_incrpos(buf, size);

  if (mp_from_ubin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) {
    TRACE(("failed to read y"))
    goto out;
  }
  buf_incrpos(buf, size);

  mp_set(key->pubkey.z, 1);

  if (ecc_is_point(key) != CRYPT_OK) {
    TRACE(("failed, not a point"))
    goto out;
  }

   /* SEC1 3.2.3.1 Check that Q != 0 */
  if (mp_cmp_d(key->pubkey.x, 0) == LTC_MP_EQ) {
    TRACE(("failed, x == 0"))
    goto out;
  }
  if (mp_cmp_d(key->pubkey.y, 0) == LTC_MP_EQ) {
    TRACE(("failed, y == 0"))
    goto out;
  }

  ret = DROPBEAR_SUCCESS;

  out:
  if (ret == DROPBEAR_FAILURE) {
    if (key) {
      ecc_free(key);
      m_free(key);
      key = NULL;
    }
  }

  return key;

}

/* a modified version of libtomcrypt's "ecc_shared_secret" to output
   a mp_int instead. */
mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, const ecc_key *private_key)
{
  ecc_point *result = NULL;
  mp_int *prime = NULL, *shared_secret = NULL;
  int err = DROPBEAR_FAILURE;

   /* type valid? */
  if (private_key->type != PK_PRIVATE) {
    goto out;
  }

  if (private_key->dp != public_key->dp) {
    goto out;
  }

   /* make new point */
  result = ltc_ecc_new_point();
  if (result == NULL) {
    goto out;
  }

  prime = m_malloc(sizeof(*prime));
  m_mp_init(prime);

  if (mp_read_radix(prime, (char *)private_key->dp->prime, 16) != CRYPT_OK) { 
    goto out;
  }
  if (ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1) != CRYPT_OK) { 
    goto out;
  }

  shared_secret = m_malloc(sizeof(*shared_secret));
  m_mp_init(shared_secret);
  if (mp_copy(result->x, shared_secret) != CRYPT_OK) {
    goto out;
  }

  mp_clear(prime);
  m_free(prime);
  ltc_ecc_del_point(result);

  err = DROPBEAR_SUCCESS;
  out:
  if (err == DROPBEAR_FAILURE) {
    dropbear_exit("ECC error");
  }
  return shared_secret;
}

#endif

Coverage Report

Created: 2025-07-18 06:52

Line	Count	Source (jump to first uncovered line)
1		#include "includes.h"
2		#include "ecc.h"
3		#include "dbutil.h"
4		#include "bignum.h"
5
6		#if DROPBEAR_ECC
7
8		/* .dp members are filled out by dropbear_ecc_fill_dp() at startup */
9		#if DROPBEAR_ECC_256
10		struct dropbear_ecc_curve ecc_curve_nistp256 = {
11		32, /* .ltc_size */
12		NULL, /* .dp */
13		&sha256_desc, /* .hash_desc */
14		"nistp256" /* .name */
15		};
16		#endif
17		#if DROPBEAR_ECC_384
18		struct dropbear_ecc_curve ecc_curve_nistp384 = {
19		48, /* .ltc_size */
20		NULL, /* .dp */
21		&sha384_desc, /* .hash_desc */
22		"nistp384" /* .name */
23		};
24		#endif
25		#if DROPBEAR_ECC_521
26		struct dropbear_ecc_curve ecc_curve_nistp521 = {
27		66, /* .ltc_size */
28		NULL, /* .dp */
29		&sha512_desc, /* .hash_desc */
30		"nistp521" /* .name */
31		};
32		#endif
33
34		struct dropbear_ecc_curve *dropbear_ecc_curves[] = {
35		#if DROPBEAR_ECC_256
36		&ecc_curve_nistp256,
37		#endif
38		#if DROPBEAR_ECC_384
39		&ecc_curve_nistp384,
40		#endif
41		#if DROPBEAR_ECC_521
42		&ecc_curve_nistp521,
43		#endif
44		NULL
45		};
46
47	1	void dropbear_ecc_fill_dp() {
48	1	struct dropbear_ecc_curve **curve;
49		/* libtomcrypt guarantees they're ordered by size */
50	1	const ltc_ecc_set_type *dp = ltc_ecc_sets;
51	4	for (curve = dropbear_ecc_curves; *curve; curve++) {
52	5	for (;dp->size > 0; dp++) {
53	5	if (dp->size == (*curve)->ltc_size) {
54	3	(*curve)->dp = dp;
55	3	break;
56	3	}
57	5	}
58	3	if (!(*curve)->dp) {
59	0	dropbear_exit("Missing ECC params %s", (*curve)->name);
60	0	}
61	3	}
62	1	}
63
64	0	struct dropbear_ecc_curve* curve_for_dp(const ltc_ecc_set_type *dp) {
65	0	struct dropbear_ecc_curve **curve = NULL;
66	0	for (curve = dropbear_ecc_curves; *curve; curve++) {
67	0	if ((*curve)->dp == dp) {
68	0	break;
69	0	}
70	0	}
71	0	assert(*curve);
72	0	return *curve;
73	0	}
74
75	0	ecc_key * new_ecc_key(void) {
76	0	ecc_key key = m_malloc(sizeof(key));
77	0	m_mp_alloc_init_multi((mp_int)&key->pubkey.x, (mp_int)&key->pubkey.y,
78	0	(mp_int)&key->pubkey.z, (mp_int)&key->k, NULL);
79	0	return key;
80	0	}
81
82		/* Copied from libtomcrypt ecc_import.c (version there is static), modified
83		for different mp_int pointer without LTC_SOURCE */
84		static int ecc_is_point(const ecc_key *key)
85	0	{
86	0	mp_int prime, b, t1, t2;
87	0	int err;
88
89	0	m_mp_alloc_init_multi(&prime, &b, &t1, &t2, NULL);
90
91		/* load prime and b */
92	0	if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) { goto error; }
93	0	if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) { goto error; }
94
95		/* compute y^2 */
96	0	if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK) { goto error; }
97
98		/* compute x^3 */
99	0	if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK) { goto error; }
100	0	if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK) { goto error; }
101	0	if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK) { goto error; }
102
103		/* compute y^2 - x^3 */
104	0	if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK) { goto error; }
105
106		/* compute y^2 - x^3 + 3x */
107	0	if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
108	0	if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
109	0	if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
110	0	if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK) { goto error; }
111	0	while (mp_cmp_d(t1, 0) == LTC_MP_LT) {
112	0	if ((err = mp_add(t1, prime, t1)) != CRYPT_OK) { goto error; }
113	0	}
114	0	while (mp_cmp(t1, prime) != LTC_MP_LT) {
115	0	if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK) { goto error; }
116	0	}
117
118		/* compare to b */
119	0	if (mp_cmp(t1, b) != LTC_MP_EQ) {
120	0	err = CRYPT_INVALID_PACKET;
121	0	} else {
122	0	err = CRYPT_OK;
123	0	}
124
125	0	error:
126	0	mp_clear_multi(prime, b, t1, t2, NULL);
127	0	m_free(prime);
128	0	m_free(b);
129	0	m_free(t1);
130	0	m_free(t2);
131	0	return err;
132	0	}
133
134		/* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */
135	0	void buf_put_ecc_raw_pubkey_string(buffer buf, ecc_key key) {
136	0	unsigned long len = key->dp->size*2 + 1;
137	0	int err;
138	0	buf_putint(buf, len);
139	0	err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len);
140	0	if (err != CRYPT_OK) {
141	0	dropbear_exit("ECC error");
142	0	}
143	0	buf_incrwritepos(buf, len);
144	0	}
145
146		/* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */
147	0	ecc_key * buf_get_ecc_raw_pubkey(buffer buf, const struct dropbear_ecc_curve curve) {
148	0	ecc_key *key = NULL;
149	0	int ret = DROPBEAR_FAILURE;
150	0	const unsigned int size = curve->dp->size;
151	0	unsigned char first;
152
153	0	TRACE(("enter buf_get_ecc_raw_pubkey"))
154
155	0	buf_setpos(buf, 0);
156	0	first = buf_getbyte(buf);
157	0	if (first == 2 \|\| first == 3) {
158	0	dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression");
159	0	return NULL;
160	0	}
161	0	if (first != 4 \|\| buf->len != 1+2*size) {
162	0	TRACE(("leave, wrong size"))
163	0	return NULL;
164	0	}
165
166	0	key = new_ecc_key();
167	0	key->dp = curve->dp;
168
169	0	if (mp_from_ubin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) {
170	0	TRACE(("failed to read x"))
171	0	goto out;
172	0	}
173	0	buf_incrpos(buf, size);
174
175	0	if (mp_from_ubin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) {
176	0	TRACE(("failed to read y"))
177	0	goto out;
178	0	}
179	0	buf_incrpos(buf, size);
180
181	0	mp_set(key->pubkey.z, 1);
182
183	0	if (ecc_is_point(key) != CRYPT_OK) {
184	0	TRACE(("failed, not a point"))
185	0	goto out;
186	0	}
187
188		/* SEC1 3.2.3.1 Check that Q != 0 */
189	0	if (mp_cmp_d(key->pubkey.x, 0) == LTC_MP_EQ) {
190	0	TRACE(("failed, x == 0"))
191	0	goto out;
192	0	}
193	0	if (mp_cmp_d(key->pubkey.y, 0) == LTC_MP_EQ) {
194	0	TRACE(("failed, y == 0"))
195	0	goto out;
196	0	}
197
198	0	ret = DROPBEAR_SUCCESS;
199
200	0	out:
201	0	if (ret == DROPBEAR_FAILURE) {
202	0	if (key) {
203	0	ecc_free(key);
204	0	m_free(key);
205	0	key = NULL;
206	0	}
207	0	}
208
209	0	return key;
210
211	0	}
212
213		/* a modified version of libtomcrypt's "ecc_shared_secret" to output
214		a mp_int instead. */
215		mp_int * dropbear_ecc_shared_secret(ecc_key public_key, const ecc_key private_key)
216	0	{
217	0	ecc_point *result = NULL;
218	0	mp_int prime = NULL, shared_secret = NULL;
219	0	int err = DROPBEAR_FAILURE;
220
221		/* type valid? */
222	0	if (private_key->type != PK_PRIVATE) {
223	0	goto out;
224	0	}
225
226	0	if (private_key->dp != public_key->dp) {
227	0	goto out;
228	0	}
229
230		/* make new point */
231	0	result = ltc_ecc_new_point();
232	0	if (result == NULL) {
233	0	goto out;
234	0	}
235
236	0	prime = m_malloc(sizeof(*prime));
237	0	m_mp_init(prime);
238
239	0	if (mp_read_radix(prime, (char *)private_key->dp->prime, 16) != CRYPT_OK) {
240	0	goto out;
241	0	}
242	0	if (ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1) != CRYPT_OK) {
243	0	goto out;
244	0	}
245
246	0	shared_secret = m_malloc(sizeof(*shared_secret));
247	0	m_mp_init(shared_secret);
248	0	if (mp_copy(result->x, shared_secret) != CRYPT_OK) {
249	0	goto out;
250	0	}
251
252	0	mp_clear(prime);
253	0	m_free(prime);
254	0	ltc_ecc_del_point(result);
255
256	0	err = DROPBEAR_SUCCESS;
257	0	out:
258	0	if (err == DROPBEAR_FAILURE) {
259	0	dropbear_exit("ECC error");
260	0	}
261	0	return shared_secret;
262	0	}
263
264		#endif