/src/dropbear/src/ecc.c

Source
#include "includes.h"
#include "ecc.h"
#include "dbutil.h"
#include "bignum.h"

#if DROPBEAR_ECC

/* .dp members are filled out by dropbear_ecc_fill_dp() at startup */
#if DROPBEAR_ECC_256
struct dropbear_ecc_curve ecc_curve_nistp256 = {
  32,   /* .ltc_size  */
  NULL,   /* .dp    */
  &sha256_desc, /* .hash_desc */
  "nistp256"  /* .name  */
};
#endif
#if DROPBEAR_ECC_384
struct dropbear_ecc_curve ecc_curve_nistp384 = {
  48,   /* .ltc_size  */
  NULL,   /* .dp    */
  &sha384_desc, /* .hash_desc */
  "nistp384"  /* .name  */
};
#endif
#if DROPBEAR_ECC_521
struct dropbear_ecc_curve ecc_curve_nistp521 = {
  66,   /* .ltc_size  */
  NULL,   /* .dp    */
  &sha512_desc, /* .hash_desc */
  "nistp521"  /* .name  */
};
#endif

struct dropbear_ecc_curve *dropbear_ecc_curves[] = {
#if DROPBEAR_ECC_256
  &ecc_curve_nistp256,
#endif
#if DROPBEAR_ECC_384
  &ecc_curve_nistp384,
#endif
#if DROPBEAR_ECC_521
  &ecc_curve_nistp521,
#endif
  NULL
};

void dropbear_ecc_fill_dp() {
  struct dropbear_ecc_curve **curve;
  /* libtomcrypt guarantees they're ordered by size */
  const ltc_ecc_set_type *dp = ltc_ecc_sets;
  for (curve = dropbear_ecc_curves; *curve; curve++) {
    for (;dp->size > 0; dp++) {
      if (dp->size == (*curve)->ltc_size) {
        (*curve)->dp = dp;
        break;
      }
    }
    if (!(*curve)->dp) {
      dropbear_exit("Missing ECC params %s", (*curve)->name);
    }
  }
}

struct dropbear_ecc_curve* curve_for_dp(const ltc_ecc_set_type *dp) {
  struct dropbear_ecc_curve **curve = NULL;
  for (curve = dropbear_ecc_curves; *curve; curve++) {
    if ((*curve)->dp == dp) {
      break;
    }
  }
  assert(*curve);
  return *curve;
}

ecc_key * new_ecc_key(void) {
  ecc_key *key = m_malloc(sizeof(*key));
  m_mp_alloc_init_multi((mp_int**)&key->pubkey.x, (mp_int**)&key->pubkey.y, 
    (mp_int**)&key->pubkey.z, (mp_int**)&key->k, NULL);
  return key;
}

/* Copied from libtomcrypt ecc_import.c (version there is static), modified
   for different mp_int pointer without LTC_SOURCE */
static int ecc_is_point(const ecc_key *key)
{
  mp_int *prime, *b, *t1, *t2;
  int err;
  
  m_mp_alloc_init_multi(&prime, &b, &t1, &t2, NULL);
  
   /* load prime and b */
  if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK)                          { goto error; }
  if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK)                                  { goto error; }
  
   /* compute y^2 */
  if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK)                                         { goto error; }
  
   /* compute x^3 */
  if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK)                                         { goto error; }
  if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK)                                             { goto error; }
  if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK)                                     { goto error; }
  
   /* compute y^2 - x^3 */
  if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK)                                                { goto error; }
  
   /* compute y^2 - x^3 + 3x */
  if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
  if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
  if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
  if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK)                                             { goto error; }
  while (mp_cmp_d(t1, 0) == LTC_MP_LT) {
    if ((err = mp_add(t1, prime, t1)) != CRYPT_OK)                                          { goto error; }
  }
  while (mp_cmp(t1, prime) != LTC_MP_LT) {
    if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK)                                          { goto error; }
  }
  
   /* compare to b */
  if (mp_cmp(t1, b) != LTC_MP_EQ) {
    err = CRYPT_INVALID_PACKET;
  } else {
    err = CRYPT_OK;
  }
  
  error:
  mp_clear_multi(prime, b, t1, t2, NULL);
  m_free(prime);
  m_free(b);
  m_free(t1);
  m_free(t2);
  return err;
}

/* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */
void buf_put_ecc_raw_pubkey_string(buffer *buf, ecc_key *key) {
  unsigned long len = key->dp->size*2 + 1;
  int err;
  buf_putint(buf, len);
  err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len);
  if (err != CRYPT_OK) {
    dropbear_exit("ECC error");
  }
  buf_incrwritepos(buf, len);
}

/* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */
ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve) {
  ecc_key *key = NULL;
  int ret = DROPBEAR_FAILURE;
  const unsigned int size = curve->dp->size;
  unsigned char first;

  TRACE(("enter buf_get_ecc_raw_pubkey"))

  buf_setpos(buf, 0);
  first = buf_getbyte(buf);
  if (first == 2 || first == 3) {
    dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression");
    return NULL;
  }
  if (first != 4 || buf->len != 1+2*size) {
    TRACE(("leave, wrong size"))
    return NULL;
  }

  key = new_ecc_key();
  key->dp = curve->dp;

  if (mp_from_ubin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) {
    TRACE(("failed to read x"))
    goto out;
  }
  buf_incrpos(buf, size);

  if (mp_from_ubin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) {
    TRACE(("failed to read y"))
    goto out;
  }
  buf_incrpos(buf, size);

  mp_set(key->pubkey.z, 1);

  if (ecc_is_point(key) != CRYPT_OK) {
    TRACE(("failed, not a point"))
    goto out;
  }

   /* SEC1 3.2.3.1 Check that Q != 0 */
  if (mp_cmp_d(key->pubkey.x, 0) == LTC_MP_EQ) {
    TRACE(("failed, x == 0"))
    goto out;
  }
  if (mp_cmp_d(key->pubkey.y, 0) == LTC_MP_EQ) {
    TRACE(("failed, y == 0"))
    goto out;
  }

  ret = DROPBEAR_SUCCESS;

  out:
  if (ret == DROPBEAR_FAILURE) {
    if (key) {
      ecc_free(key);
      m_free(key);
      key = NULL;
    }
  }

  return key;

}

/* a modified version of libtomcrypt's "ecc_shared_secret" to output
   a mp_int instead. */
mp_int * dropbear_ecc_shared_secret(ecc_key *public_key, const ecc_key *private_key)
{
  ecc_point *result = NULL;
  mp_int *prime = NULL, *shared_secret = NULL;
  int err = DROPBEAR_FAILURE;

   /* type valid? */
  if (private_key->type != PK_PRIVATE) {
    goto out;
  }

  if (private_key->dp != public_key->dp) {
    goto out;
  }

   /* make new point */
  result = ltc_ecc_new_point();
  if (result == NULL) {
    goto out;
  }

  prime = m_malloc(sizeof(*prime));
  m_mp_init(prime);

  if (mp_read_radix(prime, (char *)private_key->dp->prime, 16) != CRYPT_OK) { 
    goto out;
  }
  if (ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1) != CRYPT_OK) { 
    goto out;
  }

  shared_secret = m_malloc(sizeof(*shared_secret));
  m_mp_init(shared_secret);
  if (mp_copy(result->x, shared_secret) != CRYPT_OK) {
    goto out;
  }

  mp_clear(prime);
  m_free(prime);
  ltc_ecc_del_point(result);

  err = DROPBEAR_SUCCESS;
  out:
  if (err == DROPBEAR_FAILURE) {
    dropbear_exit("ECC error");
  }
  return shared_secret;
}

#endif

Coverage Report

Created: 2025-10-28 06:27

Line	Count	Source
1		#include "includes.h"
2		#include "ecc.h"
3		#include "dbutil.h"
4		#include "bignum.h"
5
6		#if DROPBEAR_ECC
7
8		/* .dp members are filled out by dropbear_ecc_fill_dp() at startup */
9		#if DROPBEAR_ECC_256
10		struct dropbear_ecc_curve ecc_curve_nistp256 = {
11		32, /* .ltc_size */
12		NULL, /* .dp */
13		&sha256_desc, /* .hash_desc */
14		"nistp256" /* .name */
15		};
16		#endif
17		#if DROPBEAR_ECC_384
18		struct dropbear_ecc_curve ecc_curve_nistp384 = {
19		48, /* .ltc_size */
20		NULL, /* .dp */
21		&sha384_desc, /* .hash_desc */
22		"nistp384" /* .name */
23		};
24		#endif
25		#if DROPBEAR_ECC_521
26		struct dropbear_ecc_curve ecc_curve_nistp521 = {
27		66, /* .ltc_size */
28		NULL, /* .dp */
29		&sha512_desc, /* .hash_desc */
30		"nistp521" /* .name */
31		};
32		#endif
33
34		struct dropbear_ecc_curve *dropbear_ecc_curves[] = {
35		#if DROPBEAR_ECC_256
36		&ecc_curve_nistp256,
37		#endif
38		#if DROPBEAR_ECC_384
39		&ecc_curve_nistp384,
40		#endif
41		#if DROPBEAR_ECC_521
42		&ecc_curve_nistp521,
43		#endif
44		NULL
45		};
46
47	36	void dropbear_ecc_fill_dp() {
48	36	struct dropbear_ecc_curve **curve;
49		/* libtomcrypt guarantees they're ordered by size */
50	36	const ltc_ecc_set_type *dp = ltc_ecc_sets;
51	144	for (curve = dropbear_ecc_curves; *curve; curve++) {
52	180	for (;dp->size > 0; dp++) {
53	180	if (dp->size == (*curve)->ltc_size) {
54	108	(*curve)->dp = dp;
55	108	break;
56	108	}
57	180	}
58	108	if (!(*curve)->dp) {
59	0	dropbear_exit("Missing ECC params %s", (*curve)->name);
60	0	}
61	108	}
62	36	}
63
64	12.3k	struct dropbear_ecc_curve* curve_for_dp(const ltc_ecc_set_type *dp) {
65	12.3k	struct dropbear_ecc_curve **curve = NULL;
66	12.9k	for (curve = dropbear_ecc_curves; *curve; curve++) {
67	12.9k	if ((*curve)->dp == dp) {
68	12.3k	break;
69	12.3k	}
70	12.9k	}
71	12.3k	assert(*curve);
72	12.3k	return *curve;
73	12.3k	}
74
75	1.10k	ecc_key * new_ecc_key(void) {
76	1.10k	ecc_key key = m_malloc(sizeof(key));
77	1.10k	m_mp_alloc_init_multi((mp_int)&key->pubkey.x, (mp_int)&key->pubkey.y,
78	1.10k	(mp_int)&key->pubkey.z, (mp_int)&key->k, NULL);
79	1.10k	return key;
80	1.10k	}
81
82		/* Copied from libtomcrypt ecc_import.c (version there is static), modified
83		for different mp_int pointer without LTC_SOURCE */
84		static int ecc_is_point(const ecc_key *key)
85	1.10k	{
86	1.10k	mp_int prime, b, t1, t2;
87	1.10k	int err;
88
89	1.10k	m_mp_alloc_init_multi(&prime, &b, &t1, &t2, NULL);
90
91		/* load prime and b */
92	1.10k	if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK) { goto error; }
93	1.10k	if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK) { goto error; }
94
95		/* compute y^2 */
96	1.10k	if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK) { goto error; }
97
98		/* compute x^3 */
99	1.10k	if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK) { goto error; }
100	1.10k	if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK) { goto error; }
101	1.10k	if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK) { goto error; }
102
103		/* compute y^2 - x^3 */
104	1.10k	if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK) { goto error; }
105
106		/* compute y^2 - x^3 + 3x */
107	1.10k	if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
108	1.10k	if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
109	1.10k	if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK) { goto error; }
110	1.10k	if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK) { goto error; }
111	1.10k	while (mp_cmp_d(t1, 0) == LTC_MP_LT) {
112	0	if ((err = mp_add(t1, prime, t1)) != CRYPT_OK) { goto error; }
113	0	}
114	1.10k	while (mp_cmp(t1, prime) != LTC_MP_LT) {
115	0	if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK) { goto error; }
116	0	}
117
118		/* compare to b */
119	1.10k	if (mp_cmp(t1, b) != LTC_MP_EQ) {
120	412	err = CRYPT_INVALID_PACKET;
121	697	} else {
122	697	err = CRYPT_OK;
123	697	}
124
125	1.10k	error:
126	1.10k	mp_clear_multi(prime, b, t1, t2, NULL);
127	1.10k	m_free(prime);
128	1.10k	m_free(b);
129	1.10k	m_free(t1);
130	1.10k	m_free(t2);
131	1.10k	return err;
132	1.10k	}
133
134		/* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */
135	9.47k	void buf_put_ecc_raw_pubkey_string(buffer buf, ecc_key key) {
136	9.47k	unsigned long len = key->dp->size*2 + 1;
137	9.47k	int err;
138	9.47k	buf_putint(buf, len);
139	9.47k	err = ecc_ansi_x963_export(key, buf_getwriteptr(buf, len), &len);
140	9.47k	if (err != CRYPT_OK) {
141	0	dropbear_exit("ECC error");
142	0	}
143	9.47k	buf_incrwritepos(buf, len);
144	9.47k	}
145
146		/* For the "ephemeral public key octet string" in ECDH (rfc5656 section 4) */
147	1.59k	ecc_key * buf_get_ecc_raw_pubkey(buffer buf, const struct dropbear_ecc_curve curve) {
148	1.59k	ecc_key *key = NULL;
149	1.59k	int ret = DROPBEAR_FAILURE;
150	1.59k	const unsigned int size = curve->dp->size;
151	1.59k	unsigned char first;
152
153	1.59k	TRACE(("enter buf_get_ecc_raw_pubkey"))
154
155	1.59k	buf_setpos(buf, 0);
156	1.59k	first = buf_getbyte(buf);
157	1.59k	if (first == 2 \|\| first == 3) {
158	139	dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression");
159	139	return NULL;
160	139	}
161	1.45k	if (first != 4 \|\| buf->len != 1+2*size) {
162	326	TRACE(("leave, wrong size"))
163	326	return NULL;
164	326	}
165
166	1.12k	key = new_ecc_key();
167	1.12k	key->dp = curve->dp;
168
169	1.12k	if (mp_from_ubin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) {
170	0	TRACE(("failed to read x"))
171	0	goto out;
172	0	}
173	1.12k	buf_incrpos(buf, size);
174
175	1.12k	if (mp_from_ubin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) {
176	0	TRACE(("failed to read y"))
177	0	goto out;
178	0	}
179	1.12k	buf_incrpos(buf, size);
180
181	1.12k	mp_set(key->pubkey.z, 1);
182
183	1.12k	if (ecc_is_point(key) != CRYPT_OK) {
184	412	TRACE(("failed, not a point"))
185	412	goto out;
186	412	}
187
188		/* SEC1 3.2.3.1 Check that Q != 0 */
189	714	if (mp_cmp_d(key->pubkey.x, 0) == LTC_MP_EQ) {
190	0	TRACE(("failed, x == 0"))
191	0	goto out;
192	0	}
193	714	if (mp_cmp_d(key->pubkey.y, 0) == LTC_MP_EQ) {
194	0	TRACE(("failed, y == 0"))
195	0	goto out;
196	0	}
197
198	714	ret = DROPBEAR_SUCCESS;
199
200	1.10k	out:
201	1.10k	if (ret == DROPBEAR_FAILURE) {
202	412	if (key) {
203	412	ecc_free(key);
204	412	m_free(key);
205	412	key = NULL;
206	412	}
207	412	}
208
209	1.10k	return key;
210
211	714	}
212
213		/* a modified version of libtomcrypt's "ecc_shared_secret" to output
214		a mp_int instead. */
215		mp_int * dropbear_ecc_shared_secret(ecc_key public_key, const ecc_key private_key)
216	271	{
217	271	ecc_point *result = NULL;
218	271	mp_int prime = NULL, shared_secret = NULL;
219	271	int err = DROPBEAR_FAILURE;
220
221		/* type valid? */
222	271	if (private_key->type != PK_PRIVATE) {
223	0	goto out;
224	0	}
225
226	271	if (private_key->dp != public_key->dp) {
227	1	goto out;
228	1	}
229
230		/* make new point */
231	270	result = ltc_ecc_new_point();
232	270	if (result == NULL) {
233	0	goto out;
234	0	}
235
236	270	prime = m_malloc(sizeof(*prime));
237	270	m_mp_init(prime);
238
239	270	if (mp_read_radix(prime, (char *)private_key->dp->prime, 16) != CRYPT_OK) {
240	0	goto out;
241	0	}
242	270	if (ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1) != CRYPT_OK) {
243	0	goto out;
244	0	}
245
246	270	shared_secret = m_malloc(sizeof(*shared_secret));
247	270	m_mp_init(shared_secret);
248	270	if (mp_copy(result->x, shared_secret) != CRYPT_OK) {
249	0	goto out;
250	0	}
251
252	270	mp_clear(prime);
253	270	m_free(prime);
254	270	ltc_ecc_del_point(result);
255
256	270	err = DROPBEAR_SUCCESS;
257	271	out:
258	271	if (err == DROPBEAR_FAILURE) {
259	1	dropbear_exit("ECC error");
260	1	}
261	270	return shared_secret;
262	271	}
263
264		#endif