Line | Count | Source (jump to first uncovered line) |
1 | | // This file was extracted from the TCG Published |
2 | | // Trusted Platform Module Library |
3 | | // Part 4: Supporting Routines |
4 | | // Family "2.0" |
5 | | // Level 00 Revision 01.16 |
6 | | // October 30, 2014 |
7 | | |
8 | | #include <string.h> |
9 | | |
10 | | #include "OsslCryptoEngine.h" |
11 | | |
12 | | #ifdef TPM_ALG_ECC |
13 | | #include "CpriDataEcc.h" |
14 | | #include "CpriDataEcc.c" |
15 | | // |
16 | | // |
17 | | // Functions |
18 | | // |
19 | | // _cpri__EccStartup() |
20 | | // |
21 | | // This function is called at TPM Startup to initialize the crypto units. |
22 | | // In this implementation, no initialization is performed at startup but a future version may initialize the self- |
23 | | // test functions here. |
24 | | // |
25 | | LIB_EXPORT BOOL |
26 | | _cpri__EccStartup( |
27 | | void |
28 | | ) |
29 | 759 | { |
30 | 759 | return TRUE; |
31 | 759 | } |
32 | | // |
33 | | // |
34 | | // _cpri__GetCurveIdByIndex() |
35 | | // |
36 | | // This function returns the number of the i-th implemented curve. The normal use would be to call this |
37 | | // function with i starting at 0. When the i is greater than or equal to the number of implemented curves, |
38 | | // TPM_ECC_NONE is returned. |
39 | | // |
40 | | LIB_EXPORT TPM_ECC_CURVE |
41 | | _cpri__GetCurveIdByIndex( |
42 | | UINT16 i |
43 | | ) |
44 | 0 | { |
45 | 0 | if(i >= ECC_CURVE_COUNT) |
46 | 0 | return TPM_ECC_NONE; |
47 | 0 | return eccCurves[i].curveId; |
48 | 0 | } |
49 | | LIB_EXPORT UINT32 |
50 | | _cpri__EccGetCurveCount( |
51 | | void |
52 | | ) |
53 | 0 | { |
54 | 0 | return ECC_CURVE_COUNT; |
55 | 0 | } |
56 | | // |
57 | | // |
58 | | // _cpri__EccGetParametersByCurveId() |
59 | | // |
60 | | // This function returns a pointer to the curve data that is associated with the indicated curveId. If there is no |
61 | | // curve with the indicated ID, the function returns NULL. |
62 | | // |
63 | | // |
64 | | // |
65 | | // |
66 | | // Return Value Meaning |
67 | | // |
68 | | // NULL curve with the indicated TPM_ECC_CURVE value is not |
69 | | // implemented |
70 | | // non-NULL pointer to the curve data |
71 | | // |
72 | | LIB_EXPORT const ECC_CURVE * |
73 | | _cpri__EccGetParametersByCurveId( |
74 | | TPM_ECC_CURVE curveId // IN: the curveID |
75 | | ) |
76 | 38 | { |
77 | 38 | int i; |
78 | 38 | for(i = 0; i < ECC_CURVE_COUNT; i++) |
79 | 38 | { |
80 | 38 | if(eccCurves[i].curveId == curveId) |
81 | 38 | return &eccCurves[i]; |
82 | 38 | } |
83 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
84 | |
|
85 | 0 | return NULL; // Never reached. |
86 | 38 | } |
87 | | static const ECC_CURVE_DATA * |
88 | | GetCurveData( |
89 | | TPM_ECC_CURVE curveId // IN: the curveID |
90 | | ) |
91 | 10 | { |
92 | 10 | const ECC_CURVE *curve = _cpri__EccGetParametersByCurveId(curveId); |
93 | 10 | return curve->curveData; |
94 | 10 | } |
95 | | // |
96 | | // |
97 | | // Point2B() |
98 | | // |
99 | | // This function makes a TPMS_ECC_POINT from a BIGNUM EC_POINT. |
100 | | // |
101 | | static BOOL |
102 | | Point2B( |
103 | | EC_GROUP *group, // IN: group for the point |
104 | | TPMS_ECC_POINT *p, // OUT: receives the converted point |
105 | | EC_POINT *ecP, // IN: the point to convert |
106 | | INT16 size, // IN: size of the coordinates |
107 | | BN_CTX *context // IN: working context |
108 | | ) |
109 | 2 | { |
110 | 2 | BIGNUM *bnX; |
111 | 2 | BIGNUM *bnY; |
112 | 2 | BN_CTX_start(context); |
113 | 2 | bnX = BN_CTX_get(context); |
114 | 2 | bnY = BN_CTX_get(context); |
115 | 2 | if( bnY == NULL |
116 | | // Get the coordinate values |
117 | 2 | || EC_POINT_get_affine_coordinates_GFp(group, ecP, bnX, bnY, context) != 1 |
118 | | // Convert x |
119 | 2 | || (!BnTo2B(&p->x.b, bnX, size)) |
120 | | // Convert y |
121 | 2 | || (!BnTo2B(&p->y.b, bnY, size)) |
122 | 2 | ) |
123 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
124 | 2 | BN_CTX_end(context); |
125 | 2 | return TRUE; |
126 | 2 | } |
127 | | // |
128 | | // |
129 | | // EccCurveInit() |
130 | | // |
131 | | // This function initializes the OpenSSL() group definition structure |
132 | | // This function is only used within this file. |
133 | | // It is a fatal error if groupContext is not provided. |
134 | | // |
135 | | // Return Value Meaning |
136 | | // |
137 | | // NULL the TPM_ECC_CURVE is not valid |
138 | | // non-NULL points to a structure in groupContext static EC_GROUP * |
139 | | // |
140 | | static EC_GROUP * |
141 | | EccCurveInit( |
142 | | TPM_ECC_CURVE curveId, // IN: the ID of the curve |
143 | | BN_CTX *groupContext // IN: the context in which the group is to be |
144 | | // created |
145 | | ) |
146 | 3 | { |
147 | 3 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
148 | 3 | EC_GROUP *group = NULL; |
149 | 3 | EC_POINT *P = NULL; |
150 | 3 | BN_CTX *context; |
151 | 3 | BIGNUM *bnP; |
152 | 3 | BIGNUM *bnA; |
153 | 3 | BIGNUM *bnB; |
154 | 3 | BIGNUM *bnX; |
155 | 3 | BIGNUM *bnY; |
156 | 3 | BIGNUM *bnN; |
157 | 3 | BIGNUM *bnH; |
158 | 3 | int ok = FALSE; |
159 | | // Context must be provided and curve selector must be valid |
160 | 3 | pAssert(groupContext != NULL && curveData != NULL); |
161 | 3 | context = BN_CTX_new(); |
162 | 3 | if(context == NULL) |
163 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
164 | 3 | BN_CTX_start(context); |
165 | 3 | bnP = BN_CTX_get(context); |
166 | 3 | bnA = BN_CTX_get(context); |
167 | 3 | bnB = BN_CTX_get(context); |
168 | 3 | bnX = BN_CTX_get(context); |
169 | 3 | bnY = BN_CTX_get(context); |
170 | 3 | bnN = BN_CTX_get(context); |
171 | 3 | bnH = BN_CTX_get(context); |
172 | 3 | if (bnH == NULL) |
173 | 0 | goto Cleanup; |
174 | | // Convert the number formats |
175 | 3 | BnFrom2B(bnP, curveData->p); |
176 | 3 | BnFrom2B(bnA, curveData->a); |
177 | 3 | BnFrom2B(bnB, curveData->b); |
178 | 3 | BnFrom2B(bnX, curveData->x); |
179 | 3 | BnFrom2B(bnY, curveData->y); |
180 | 3 | BnFrom2B(bnN, curveData->n); |
181 | 3 | BnFrom2B(bnH, curveData->h); |
182 | | // initialize EC group, associate a generator point and initialize the point |
183 | | // from the parameter data |
184 | 3 | ok = ( (group = EC_GROUP_new_curve_GFp(bnP, bnA, bnB, groupContext)) != NULL |
185 | 3 | && (P = EC_POINT_new(group)) != NULL |
186 | 3 | && EC_POINT_set_affine_coordinates_GFp(group, P, bnX, bnY, groupContext) |
187 | 3 | && EC_GROUP_set_generator(group, P, bnN, bnH) |
188 | 3 | ); |
189 | 3 | Cleanup: |
190 | 3 | if (!ok && group != NULL) |
191 | 0 | { |
192 | 0 | EC_GROUP_free(group); |
193 | 0 | group = NULL; |
194 | 0 | } |
195 | 3 | if(P != NULL) |
196 | 3 | EC_POINT_free(P); |
197 | 3 | BN_CTX_end(context); |
198 | 3 | BN_CTX_free(context); |
199 | 3 | return group; |
200 | 3 | } |
201 | | // |
202 | | // |
203 | | // PointFrom2B() |
204 | | // |
205 | | // This function sets the coordinates of an existing BN Point from a TPMS_ECC_POINT. |
206 | | // |
207 | | static EC_POINT * |
208 | | PointFrom2B( |
209 | | EC_GROUP *group, // IN: the group for the point |
210 | | EC_POINT *ecP, // IN: an existing BN point in the group |
211 | | TPMS_ECC_POINT *p, // IN: the 2B coordinates of the point |
212 | | BN_CTX *context // IN: the BIGNUM context |
213 | | ) |
214 | 0 | { |
215 | 0 | BIGNUM *bnX; |
216 | 0 | BIGNUM *bnY; |
217 | | // If the point is not allocated then just return a NULL |
218 | 0 | if(ecP == NULL) |
219 | 0 | return NULL; |
220 | 0 | BN_CTX_start(context); |
221 | 0 | bnX = BN_CTX_get(context); |
222 | 0 | bnY = BN_CTX_get(context); |
223 | 0 | if( // Set the coordinates of the point |
224 | 0 | bnY == NULL |
225 | 0 | || BN_bin2bn(p->x.t.buffer, p->x.t.size, bnX) == NULL |
226 | 0 | || BN_bin2bn(p->y.t.buffer, p->y.t.size, bnY) == NULL |
227 | 0 | ) |
228 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
229 | 0 | if( !EC_POINT_set_affine_coordinates_GFp(group, ecP, bnX, bnY, context) |
230 | 0 | || EC_POINT_is_on_curve(group, ecP, context) <= 0 |
231 | 0 | ) |
232 | 0 | ecP = NULL; // Point is not on curve |
233 | 0 | BN_CTX_end(context); |
234 | 0 | return ecP; |
235 | 0 | } |
236 | | // |
237 | | // |
238 | | // EccInitPoint2B() |
239 | | // |
240 | | // This function allocates a point in the provided group and initializes it with the values in a |
241 | | // TPMS_ECC_POINT. |
242 | | // |
243 | | static EC_POINT * |
244 | | EccInitPoint2B( |
245 | | EC_GROUP *group, // IN: group for the point |
246 | | TPMS_ECC_POINT *p, // IN: the coordinates for the point |
247 | | BN_CTX *context // IN: the BIGNUM context |
248 | | ) |
249 | 0 | { |
250 | 0 | EC_POINT *ecP; |
251 | 0 | BN_CTX_start(context); |
252 | 0 | ecP = EC_POINT_new(group); |
253 | 0 | if(PointFrom2B(group, ecP, p, context) == NULL) |
254 | 0 | { |
255 | 0 | EC_POINT_free(ecP); |
256 | 0 | ecP = NULL; |
257 | 0 | } |
258 | 0 | BN_CTX_end(context); |
259 | 0 | return ecP; |
260 | 0 | } |
261 | | // |
262 | | // |
263 | | // PointMul() |
264 | | // |
265 | | // This function does a point multiply and checks for the result being the point at infinity. Q = ([A]G + [B]P) |
266 | | // |
267 | | // Return Value Meaning |
268 | | // |
269 | | // CRYPT_NO_RESULT point is at infinity |
270 | | // CRYPT_SUCCESS point not at infinity |
271 | | // |
272 | | static CRYPT_RESULT |
273 | | PointMul( |
274 | | EC_GROUP *group, // IN: group curve |
275 | | EC_POINT *ecpQ, // OUT: result |
276 | | BIGNUM *bnA, // IN: scalar for [A]G |
277 | | EC_POINT *ecpP, // IN: point for [B]P |
278 | | BIGNUM *bnB, // IN: scalar for [B]P |
279 | | BN_CTX *context // IN: working context |
280 | | ) |
281 | 3 | { |
282 | 3 | if(EC_POINT_mul(group, ecpQ, bnA, ecpP, bnB, context) != 1) |
283 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
284 | 3 | if(EC_POINT_is_at_infinity(group, ecpQ)) |
285 | 1 | return CRYPT_NO_RESULT; |
286 | 2 | return CRYPT_SUCCESS; |
287 | 3 | } |
288 | | // |
289 | | // |
290 | | // GetRandomPrivate() |
291 | | // |
292 | | // This function gets a random value (d) to use as a private ECC key and then qualifies the key so that it is |
293 | | // between 0 < d < n. |
294 | | // It is a fatal error if dOut or pIn is not provided or if the size of pIn is larger than MAX_ECC_KEY_BYTES |
295 | | // (the largest buffer size of a TPM2B_ECC_PARAMETER) |
296 | | // |
297 | | static void |
298 | | GetRandomPrivate( |
299 | | TPM2B_ECC_PARAMETER *dOut, // OUT: the qualified random value |
300 | | const TPM2B *pIn // IN: the maximum value for the key |
301 | | ) |
302 | 0 | { |
303 | 0 | int i; |
304 | 0 | BYTE *pb; |
305 | 0 | pAssert(pIn != NULL && dOut != NULL && pIn->size <= MAX_ECC_KEY_BYTES); |
306 | | // Set the size of the output |
307 | 0 | dOut->t.size = pIn->size; |
308 | | // Get some random bits |
309 | 0 | while(TRUE) |
310 | 0 | { |
311 | 0 | _cpri__GenerateRandom(dOut->t.size, dOut->t.buffer); |
312 | | // See if the d < n |
313 | 0 | if(memcmp(dOut->t.buffer, pIn->buffer, pIn->size) < 0) |
314 | 0 | { |
315 | | // dOut < n so make sure that 0 < dOut |
316 | 0 | for(pb = dOut->t.buffer, i = dOut->t.size; i > 0; i--) |
317 | 0 | { |
318 | 0 | if(*pb++ != 0) |
319 | 0 | return; |
320 | 0 | } |
321 | 0 | } |
322 | 0 | } |
323 | 0 | } |
324 | | // |
325 | | // |
326 | | // _cpri__EccPointMultiply |
327 | | // |
328 | | // This function computes 'R := [dIn]G + [uIn]QIn. Where dIn and uIn are scalars, G and QIn are points on |
329 | | // the specified curve and G is the default generator of the curve. |
330 | | // The xOut and yOut parameters are optional and may be set to NULL if not used. |
331 | | // It is not necessary to provide uIn if QIn is specified but one of uIn and dIn must be provided. If dIn and |
332 | | // QIn are specified but uIn is not provided, then R = [dIn]QIn. |
333 | | // If the multiply produces the point at infinity, the CRYPT_NO_RESULT is returned. |
334 | | // The sizes of xOut and yOut' will be set to be the size of the degree of the curve |
335 | | // It is a fatal error if dIn and uIn are both unspecified (NULL) or if Qin or Rout is unspecified. |
336 | | // |
337 | | // |
338 | | // |
339 | | // |
340 | | // Return Value Meaning |
341 | | // |
342 | | // CRYPT_SUCCESS point multiplication succeeded |
343 | | // CRYPT_POINT the point Qin is not on the curve |
344 | | // CRYPT_NO_RESULT the product point is at infinity |
345 | | // |
346 | | LIB_EXPORT CRYPT_RESULT |
347 | | _cpri__EccPointMultiply( |
348 | | TPMS_ECC_POINT *Rout, // OUT: the product point R |
349 | | TPM_ECC_CURVE curveId, // IN: the curve to use |
350 | | TPM2B_ECC_PARAMETER *dIn, // IN: value to multiply against the |
351 | | // curve generator |
352 | | TPMS_ECC_POINT *Qin, // IN: point Q |
353 | | TPM2B_ECC_PARAMETER *uIn // IN: scalar value for the multiplier |
354 | | // of Q |
355 | | ) |
356 | 3 | { |
357 | 3 | BN_CTX *context; |
358 | 3 | BIGNUM *bnD; |
359 | 3 | BIGNUM *bnU; |
360 | 3 | EC_GROUP *group; |
361 | 3 | EC_POINT *R = NULL; |
362 | 3 | EC_POINT *Q = NULL; |
363 | 3 | CRYPT_RESULT retVal = CRYPT_SUCCESS; |
364 | | // Validate that the required parameters are provided. |
365 | 3 | pAssert((dIn != NULL || uIn != NULL) && (Qin != NULL || dIn != NULL)); |
366 | | // If a point is provided for the multiply, make sure that it is on the curve |
367 | 3 | if(Qin != NULL && !_cpri__EccIsPointOnCurve(curveId, Qin)) |
368 | 0 | return CRYPT_POINT; |
369 | 3 | context = BN_CTX_new(); |
370 | 3 | if(context == NULL) |
371 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
372 | 3 | BN_CTX_start(context); |
373 | 3 | bnU = BN_CTX_get(context); |
374 | 3 | bnD = BN_CTX_get(context); |
375 | 3 | group = EccCurveInit(curveId, context); |
376 | | // There should be no path for getting a bad curve ID into this function. |
377 | 3 | pAssert(group != NULL); |
378 | | // check allocations should have worked and allocate R |
379 | 3 | if( bnD == NULL |
380 | 3 | || (R = EC_POINT_new(group)) == NULL) |
381 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
382 | | // If Qin is present, create the point |
383 | 3 | if(Qin != NULL) |
384 | 0 | { |
385 | | // Assume the size variables do not overflow. This should not happen in |
386 | | // the contexts in which this function will be called. |
387 | 0 | assert2Bsize(Qin->x.t); |
388 | 0 | assert2Bsize(Qin->x.t); |
389 | 0 | if (!(Q = EccInitPoint2B(group, Qin, context))) |
390 | 0 | { |
391 | 0 | retVal = CRYPT_POINT; |
392 | 0 | goto Cleanup; |
393 | 0 | } |
394 | 0 | } |
395 | 3 | if(dIn != NULL) |
396 | 3 | { |
397 | | // Assume the size variables do not overflow, which should not happen in |
398 | | // the contexts that this function will be called. |
399 | 3 | assert2Bsize(dIn->t); |
400 | 3 | BnFrom2B(bnD, &dIn->b); |
401 | 3 | } |
402 | 0 | else |
403 | 0 | bnD = NULL; |
404 | | // If uIn is specified, initialize its BIGNUM |
405 | 3 | if(uIn != NULL) |
406 | 0 | { |
407 | | // Assume the size variables do not overflow, which should not happen in |
408 | | // the contexts that this function will be called. |
409 | 0 | assert2Bsize(uIn->t); |
410 | 0 | BnFrom2B(bnU, &uIn->b); |
411 | 0 | } |
412 | | // If uIn is not specified but Q is, then we are going to |
413 | | // do R = [d]Q |
414 | 3 | else if(Qin != NULL) |
415 | 0 | { |
416 | 0 | bnU = bnD; |
417 | 0 | bnD = NULL; |
418 | 0 | } |
419 | | // If neither Q nor u is specified, then null this pointer |
420 | 3 | else |
421 | 3 | bnU = NULL; |
422 | | // Use the generator of the curve |
423 | 3 | if((retVal = PointMul(group, R, bnD, Q, bnU, context)) == CRYPT_SUCCESS) |
424 | 2 | Point2B(group, Rout, R, (INT16) ((EC_GROUP_get_degree(group)+7)/8), context); |
425 | 3 | Cleanup: |
426 | 3 | if (Q) |
427 | 0 | EC_POINT_free(Q); |
428 | 3 | if(R) |
429 | 3 | EC_POINT_free(R); |
430 | 3 | if(group) |
431 | 3 | EC_GROUP_free(group); |
432 | 3 | BN_CTX_end(context); |
433 | 3 | BN_CTX_free(context); |
434 | 3 | return retVal; |
435 | 3 | } |
436 | | #if defined TPM_ALG_ECDAA || defined TPM_ALG_SM2 //% |
437 | | // |
438 | | // |
439 | | // ClearPoint2B() |
440 | | // |
441 | | // Initialize the size values of a point |
442 | | // |
443 | | static void |
444 | | ClearPoint2B( |
445 | | TPMS_ECC_POINT *p // IN: the point |
446 | | ) |
447 | 0 | { |
448 | 0 | if(p != NULL) { |
449 | 0 | p->x.t.size = 0; |
450 | 0 | p->y.t.size = 0; |
451 | 0 | } |
452 | 0 | } |
453 | | // |
454 | | // |
455 | | // _cpri__EccCommitCompute() |
456 | | // |
457 | | // This function performs the point multiply operations required by TPM2_Commit(). |
458 | | // If B or M is provided, they must be on the curve defined by curveId. This routine does not check that they |
459 | | // are on the curve and results are unpredictable if they are not. |
460 | | // |
461 | | // |
462 | | // |
463 | | // It is a fatal error if r or d is NULL. If B is not NULL, then it is a fatal error if K and L are both NULL. If M is |
464 | | // not NULL, then it is a fatal error if E is NULL. |
465 | | // |
466 | | // Return Value Meaning |
467 | | // |
468 | | // CRYPT_SUCCESS computations completed normally |
469 | | // CRYPT_NO_RESULT if K, L or E was computed to be the point at infinity |
470 | | // CRYPT_CANCEL a cancel indication was asserted during this function |
471 | | // |
472 | | LIB_EXPORT CRYPT_RESULT |
473 | | _cpri__EccCommitCompute( |
474 | | TPMS_ECC_POINT *K, // OUT: [d]B or [r]Q |
475 | | TPMS_ECC_POINT *L, // OUT: [r]B |
476 | | TPMS_ECC_POINT *E, // OUT: [r]M |
477 | | TPM_ECC_CURVE curveId, // IN: the curve for the computations |
478 | | TPMS_ECC_POINT *M, // IN: M (optional) |
479 | | TPMS_ECC_POINT *B, // IN: B (optional) |
480 | | TPM2B_ECC_PARAMETER *d, // IN: d (required) |
481 | | TPM2B_ECC_PARAMETER *r // IN: the computed r value (required) |
482 | | ) |
483 | 0 | { |
484 | 0 | BN_CTX *context; |
485 | 0 | BIGNUM *bnY, *bnR, *bnD; |
486 | 0 | EC_GROUP *group; |
487 | 0 | EC_POINT *pK = NULL, *pL = NULL, *pE = NULL, *pM = NULL, *pB = NULL; |
488 | 0 | UINT16 keySizeInBytes; |
489 | 0 | CRYPT_RESULT retVal = CRYPT_SUCCESS; |
490 | | // Validate that the required parameters are provided. |
491 | | // Note: E has to be provided if computing E := [r]Q or E := [r]M. Will do |
492 | | // E := [r]Q if both M and B are NULL. |
493 | |
|
494 | 0 | pAssert((r && (K || !B) && (L || !B)) || (E || (!M && B))); |
495 | 0 | context = BN_CTX_new(); |
496 | 0 | if(context == NULL) |
497 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
498 | 0 | BN_CTX_start(context); |
499 | 0 | bnR = BN_CTX_get(context); |
500 | 0 | bnD = BN_CTX_get(context); |
501 | 0 | bnY = BN_CTX_get(context); |
502 | 0 | if(bnY == NULL) |
503 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
504 | | // Initialize the output points in case they are not computed |
505 | 0 | ClearPoint2B(K); |
506 | 0 | ClearPoint2B(L); |
507 | 0 | ClearPoint2B(E); |
508 | 0 | if((group = EccCurveInit(curveId, context)) == NULL) |
509 | 0 | { |
510 | 0 | retVal = CRYPT_PARAMETER; |
511 | 0 | goto Cleanup2; |
512 | 0 | } |
513 | 0 | keySizeInBytes = (UINT16) ((EC_GROUP_get_degree(group)+7)/8); |
514 | | // Size of the r parameter may not be zero |
515 | 0 | pAssert((int) r->t.size > 0); |
516 | | // Convert scalars to BIGNUM |
517 | 0 | BnFrom2B(bnR, &r->b); |
518 | | // If B is provided, compute K=[d]B and L=[r]B |
519 | 0 | if(B != NULL) |
520 | 0 | { |
521 | | // Size of the d parameter may not be zero |
522 | 0 | pAssert((int) d->t.size > 0); |
523 | 0 | BnFrom2B(bnD, &d->b); |
524 | | |
525 | | // Allocate the points to receive the value |
526 | 0 | if( (pK = EC_POINT_new(group)) == NULL |
527 | 0 | || (pL = EC_POINT_new(group)) == NULL) |
528 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
529 | | // need to compute K = [d]B |
530 | | // Allocate and initialize BIGNUM version of B |
531 | 0 | if (!(pB = EccInitPoint2B(group, B, context))) |
532 | 0 | { |
533 | 0 | retVal = CRYPT_POINT; |
534 | 0 | goto Cleanup; |
535 | 0 | } |
536 | | // do the math for K = [d]B |
537 | 0 | if((retVal = PointMul(group, pK, NULL, pB, bnD, context)) != CRYPT_SUCCESS) |
538 | 0 | goto Cleanup; |
539 | | // Convert BN K to TPM2B K |
540 | 0 | Point2B(group, K, pK, (INT16)keySizeInBytes, context); |
541 | | // compute L= [r]B after checking for cancel |
542 | 0 | if(_plat__IsCanceled()) |
543 | 0 | { |
544 | 0 | retVal = CRYPT_CANCEL; |
545 | 0 | goto Cleanup; |
546 | 0 | } |
547 | | // compute L = [r]B |
548 | 0 | if((retVal = PointMul(group, pL, NULL, pB, bnR, context)) != CRYPT_SUCCESS) |
549 | 0 | goto Cleanup; |
550 | | // Convert BN L to TPM2B L |
551 | 0 | Point2B(group, L, pL, (INT16)keySizeInBytes, context); |
552 | 0 | } |
553 | 0 | if(M != NULL || B == NULL) |
554 | 0 | { |
555 | | // if this is the third point multiply, check for cancel first |
556 | 0 | if(B != NULL && _plat__IsCanceled()) |
557 | 0 | { |
558 | 0 | retVal = CRYPT_CANCEL; |
559 | 0 | goto Cleanup; |
560 | 0 | } |
561 | | // Allocate E |
562 | 0 | if((pE = EC_POINT_new(group)) == NULL) |
563 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
564 | | // Create BIGNUM version of M unless M is NULL |
565 | 0 | if(M != NULL) |
566 | 0 | { |
567 | | // M provided so initialize a BIGNUM M and compute E = [r]M |
568 | 0 | if (!(pM = EccInitPoint2B(group, M, context))) |
569 | 0 | { |
570 | 0 | retVal = CRYPT_POINT; |
571 | 0 | goto Cleanup; |
572 | 0 | } |
573 | 0 | retVal = PointMul(group, pE, NULL, pM, bnR, context); |
574 | 0 | } |
575 | 0 | else |
576 | | // compute E = [r]G (this is only done if M and B are both NULL |
577 | 0 | retVal = PointMul(group, pE, bnR, NULL, NULL, context); |
578 | 0 | if(retVal == CRYPT_SUCCESS) |
579 | | // Convert E to 2B format |
580 | 0 | Point2B(group, E, pE, (INT16)keySizeInBytes, context); |
581 | 0 | } |
582 | 0 | Cleanup: |
583 | 0 | EC_GROUP_free(group); |
584 | 0 | if(pK != NULL) EC_POINT_free(pK); |
585 | 0 | if(pL != NULL) EC_POINT_free(pL); |
586 | 0 | if(pE != NULL) EC_POINT_free(pE); |
587 | 0 | if(pM != NULL) EC_POINT_free(pM); |
588 | 0 | if(pB != NULL) EC_POINT_free(pB); |
589 | 0 | Cleanup2: |
590 | 0 | BN_CTX_end(context); |
591 | 0 | BN_CTX_free(context); |
592 | 0 | return retVal; |
593 | 0 | } |
594 | | #endif //% |
595 | | // |
596 | | // |
597 | | // _cpri__EccIsPointOnCurve() |
598 | | // |
599 | | // This function is used to test if a point is on a defined curve. It does this by checking that y^2 mod p = x^3 |
600 | | // + a*x + b mod p |
601 | | // It is a fatal error if Q is not specified (is NULL). |
602 | | // |
603 | | // Return Value Meaning |
604 | | // |
605 | | // TRUE point is on curve |
606 | | // FALSE point is not on curve or curve is not supported |
607 | | // |
608 | | LIB_EXPORT BOOL |
609 | | _cpri__EccIsPointOnCurve( |
610 | | TPM_ECC_CURVE curveId, // IN: the curve selector |
611 | | TPMS_ECC_POINT *Q // IN: the point. |
612 | | ) |
613 | 7 | { |
614 | 7 | BN_CTX *context; |
615 | 7 | BIGNUM *bnX; |
616 | 7 | BIGNUM *bnY; |
617 | 7 | BIGNUM *bnA; |
618 | 7 | BIGNUM *bnB; |
619 | 7 | BIGNUM *bnP; |
620 | 7 | BIGNUM *bn3; |
621 | 7 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
622 | 7 | BOOL retVal; |
623 | 7 | pAssert(Q != NULL && curveData != NULL); |
624 | 7 | if((context = BN_CTX_new()) == NULL) |
625 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
626 | 7 | BN_CTX_start(context); |
627 | 7 | bnX = BN_CTX_get(context); |
628 | 7 | bnY = BN_CTX_get(context); |
629 | 7 | bnA = BN_CTX_get(context); |
630 | 7 | bnB = BN_CTX_get(context); |
631 | 7 | bn3 = BN_CTX_get(context); |
632 | 7 | bnP = BN_CTX_get(context); |
633 | 7 | if(bnP == NULL) |
634 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
635 | | // Convert values |
636 | 7 | if ( !BN_bin2bn(Q->x.t.buffer, Q->x.t.size, bnX) |
637 | 7 | || !BN_bin2bn(Q->y.t.buffer, Q->y.t.size, bnY) |
638 | 7 | || !BN_bin2bn(curveData->p->buffer, curveData->p->size, bnP) |
639 | 7 | || !BN_bin2bn(curveData->a->buffer, curveData->a->size, bnA) |
640 | 7 | || !BN_set_word(bn3, 3) |
641 | 7 | || !BN_bin2bn(curveData->b->buffer, curveData->b->size, bnB) |
642 | 7 | ) |
643 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
644 | | // The following sequence is probably not optimal but it seems to be correct. |
645 | | // compute x^3 + a*x + b mod p |
646 | | // first, compute a*x mod p |
647 | 7 | if( !BN_mod_mul(bnA, bnA, bnX, bnP, context) |
648 | | // |
649 | | // next, compute a*x + b mod p |
650 | 7 | || !BN_mod_add(bnA, bnA, bnB, bnP, context) |
651 | | // next, compute X^3 mod p |
652 | 7 | || !BN_mod_exp(bnX, bnX, bn3, bnP, context) |
653 | | // finally, compute x^3 + a*x + b mod p |
654 | 7 | || !BN_mod_add(bnX, bnX, bnA, bnP, context) |
655 | | // then compute y^2 |
656 | 7 | || !BN_mod_mul(bnY, bnY, bnY, bnP, context) |
657 | 7 | ) |
658 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
659 | 7 | retVal = BN_cmp(bnX, bnY) == 0; |
660 | 7 | BN_CTX_end(context); |
661 | 7 | BN_CTX_free(context); |
662 | 7 | return retVal; |
663 | 7 | } |
664 | | // |
665 | | // |
666 | | // _cpri__GenerateKeyEcc() |
667 | | // |
668 | | // This function generates an ECC key pair based on the input parameters. This routine uses KDFa() to |
669 | | // produce candidate numbers. The method is according to FIPS 186-3, section B.4.1 "GKey() Pair |
670 | | // Generation Using Extra Random Bits." According to the method in FIPS 186-3, the resulting private value |
671 | | // d should be 1 <= d < n where n is the order of the base point. In this implementation, the range of the |
672 | | // private value is further restricted to be 2^(nLen/2) <= d < n where nLen is the order of n. |
673 | | // |
674 | | // EXAMPLE: If the curve is NIST-P256, then nLen is 256 bits and d will need to be between 2^128 <= d < n |
675 | | // |
676 | | // It is a fatal error if Qout, dOut, or seed is not provided (is NULL). |
677 | | // |
678 | | // Return Value Meaning |
679 | | // |
680 | | // CRYPT_PARAMETER the hash algorithm is not supported |
681 | | // |
682 | | LIB_EXPORT CRYPT_RESULT |
683 | | _cpri__GenerateKeyEcc( |
684 | | TPMS_ECC_POINT *Qout, // OUT: the public point |
685 | | TPM2B_ECC_PARAMETER *dOut, // OUT: the private scalar |
686 | | TPM_ECC_CURVE curveId, // IN: the curve identifier |
687 | | TPM_ALG_ID hashAlg, // IN: hash algorithm to use in the key |
688 | | // generation process |
689 | | TPM2B *seed, // IN: the seed to use |
690 | | const char *label, // IN: A label for the generation |
691 | | // process. |
692 | | TPM2B *extra, // IN: Party 1 data for the KDF |
693 | | UINT32 *counter // IN/OUT: Counter value to allow KDF |
694 | | // iteration to be propagated across |
695 | | // multiple functions |
696 | | ) |
697 | 0 | { |
698 | 0 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
699 | 0 | INT16 keySizeInBytes; |
700 | 0 | UINT32 count = 0; |
701 | 0 | CRYPT_RESULT retVal; |
702 | 0 | UINT16 hLen = _cpri__GetDigestSize(hashAlg); |
703 | 0 | BIGNUM *bnNm1; // Order of the curve minus one |
704 | 0 | BIGNUM *bnD; // the private scalar |
705 | 0 | BN_CTX *context; // the context for the BIGNUM values |
706 | 0 | BYTE withExtra[MAX_ECC_KEY_BYTES + 8]; // trial key with |
707 | | //extra bits |
708 | 0 | TPM2B_4_BYTE_VALUE marshaledCounter = {.t = {4}}; |
709 | 0 | UINT32 totalBits; |
710 | | // Validate parameters (these are fatal) |
711 | 0 | pAssert( seed != NULL && dOut != NULL && Qout != NULL && curveData != NULL); |
712 | | // Non-fatal parameter checks. |
713 | 0 | if(hLen <= 0) |
714 | 0 | return CRYPT_PARAMETER; |
715 | | // allocate the local BN values |
716 | 0 | context = BN_CTX_new(); |
717 | 0 | if(context == NULL) |
718 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
719 | 0 | BN_CTX_start(context); |
720 | 0 | bnNm1 = BN_CTX_get(context); |
721 | 0 | bnD = BN_CTX_get(context); |
722 | | // The size of the input scalars is limited by the size of the size of a |
723 | | // TPM2B_ECC_PARAMETER. Make sure that it is not irrational. |
724 | 0 | pAssert((int) curveData->n->size <= MAX_ECC_KEY_BYTES); |
725 | 0 | if( bnD == NULL |
726 | 0 | || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnNm1) == NULL |
727 | 0 | || (keySizeInBytes = (INT16) BN_num_bytes(bnNm1)) > MAX_ECC_KEY_BYTES) |
728 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
729 | | // get the total number of bits |
730 | 0 | totalBits = BN_num_bits(bnNm1) + 64; |
731 | | // Reduce bnNm1 from 'n' to 'n' - 1 |
732 | 0 | BN_sub_word(bnNm1, 1); |
733 | | // Initialize the count value |
734 | 0 | if(counter != NULL) |
735 | 0 | count = *counter; |
736 | 0 | if(count == 0) |
737 | 0 | count = 1; |
738 | | // Start search for key (should be quick) |
739 | 0 | for(; count != 0; count++) |
740 | 0 | { |
741 | 0 | UINT32_TO_BYTE_ARRAY(count, marshaledCounter.t.buffer); |
742 | 0 | _cpri__KDFa(hashAlg, seed, label, extra, &marshaledCounter.b, |
743 | 0 | totalBits, withExtra, NULL, FALSE); |
744 | | // Convert the result and modular reduce |
745 | | // Assume the size variables do not overflow, which should not happen in |
746 | | // the contexts that this function will be called. |
747 | 0 | pAssert(keySizeInBytes <= MAX_ECC_KEY_BYTES); |
748 | 0 | if ( BN_bin2bn(withExtra, keySizeInBytes+8, bnD) == NULL |
749 | 0 | || BN_mod(bnD, bnD, bnNm1, context) != 1) |
750 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
751 | | // Add one to get 0 < d < n |
752 | 0 | BN_add_word(bnD, 1); |
753 | 0 | if(BnTo2B(&dOut->b, bnD, keySizeInBytes) != 1) |
754 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
755 | | // Do the point multiply to create the public portion of the key. If |
756 | | // the multiply generates the point at infinity (unlikely), do another |
757 | | // iteration. |
758 | 0 | if( (retVal = _cpri__EccPointMultiply(Qout, curveId, dOut, NULL, NULL)) |
759 | 0 | != CRYPT_NO_RESULT) |
760 | 0 | break; |
761 | 0 | } |
762 | 0 | if(count == 0) // if counter wrapped, then the TPM should go into failure mode |
763 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
764 | | // Free up allocated BN values |
765 | 0 | BN_CTX_end(context); |
766 | 0 | BN_CTX_free(context); |
767 | 0 | if(counter != NULL) |
768 | 0 | *counter = count; |
769 | 0 | return retVal; |
770 | 0 | } |
771 | | // |
772 | | // |
773 | | // _cpri__GetEphemeralEcc() |
774 | | // |
775 | | // This function creates an ephemeral ECC. It is ephemeral in that is expected that the private part of the |
776 | | // key will be discarded |
777 | | // |
778 | | LIB_EXPORT CRYPT_RESULT |
779 | | _cpri__GetEphemeralEcc( |
780 | | TPMS_ECC_POINT *Qout, // OUT: the public point |
781 | | TPM2B_ECC_PARAMETER *dOut, // OUT: the private scalar |
782 | | TPM_ECC_CURVE curveId // IN: the curve for the key |
783 | | ) |
784 | 0 | { |
785 | 0 | CRYPT_RESULT retVal; |
786 | 0 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
787 | 0 | pAssert(curveData != NULL); |
788 | | // Keep getting random values until one is found that doesn't create a point |
789 | | // at infinity. This will never, ever, ever, ever, ever, happen but if it does |
790 | | // we have to get a next random value. |
791 | 0 | while(TRUE) |
792 | 0 | { |
793 | 0 | GetRandomPrivate(dOut, curveData->p); |
794 | | // _cpri__EccPointMultiply does not return CRYPT_ECC_POINT if no point is |
795 | | // provided. CRYPT_PARAMTER should not be returned because the curve ID |
796 | | // has to be supported. Thus the only possible error is CRYPT_NO_RESULT. |
797 | 0 | retVal = _cpri__EccPointMultiply(Qout, curveId, dOut, NULL, NULL); |
798 | 0 | if(retVal != CRYPT_NO_RESULT) |
799 | 0 | return retVal; // Will return CRYPT_SUCCESS |
800 | 0 | } |
801 | 0 | } |
802 | | #ifdef TPM_ALG_ECDSA //% |
803 | | // |
804 | | // |
805 | | // SignEcdsa() |
806 | | // |
807 | | // This function implements the ECDSA signing algorithm. The method is described in the comments below. |
808 | | // It is a fatal error if rOut, sOut, dIn, or digest are not provided. |
809 | | // |
810 | | LIB_EXPORT CRYPT_RESULT |
811 | | SignEcdsa( |
812 | | TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature |
813 | | TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature |
814 | | TPM_ECC_CURVE curveId, // IN: the curve used in the signature |
815 | | // process |
816 | | TPM2B_ECC_PARAMETER *dIn, // IN: the private key |
817 | | TPM2B *digest // IN: the value to sign |
818 | | ) |
819 | 0 | { |
820 | 0 | BIGNUM *bnK; |
821 | 0 | BIGNUM *bnIk; |
822 | 0 | BIGNUM *bnN; |
823 | 0 | BIGNUM *bnR; |
824 | | // |
825 | 0 | BIGNUM *bnD; |
826 | 0 | BIGNUM *bnZ; |
827 | 0 | TPM2B_ECC_PARAMETER k; |
828 | 0 | TPMS_ECC_POINT R; |
829 | 0 | BN_CTX *context; |
830 | 0 | CRYPT_RESULT retVal = CRYPT_SUCCESS; |
831 | 0 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
832 | 0 | pAssert(rOut != NULL && sOut != NULL && dIn != NULL && digest != NULL); |
833 | 0 | context = BN_CTX_new(); |
834 | 0 | if(context == NULL) |
835 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
836 | 0 | BN_CTX_start(context); |
837 | 0 | bnN = BN_CTX_get(context); |
838 | 0 | bnZ = BN_CTX_get(context); |
839 | 0 | bnR = BN_CTX_get(context); |
840 | 0 | bnD = BN_CTX_get(context); |
841 | 0 | bnIk = BN_CTX_get(context); |
842 | 0 | bnK = BN_CTX_get(context); |
843 | | // Assume the size variables do not overflow, which should not happen in |
844 | | // the contexts that this function will be called. |
845 | 0 | pAssert(curveData->n->size <= MAX_ECC_PARAMETER_BYTES); |
846 | 0 | if( bnK == NULL |
847 | 0 | || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL) |
848 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
849 | | // The algorithm as described in "Suite B Implementer's Guide to FIPS 186-3(ECDSA)" |
850 | | // 1. Use one of the routines in Appendix A.2 to generate (k, k^-1), a per-message |
851 | | // secret number and its inverse modulo n. Since n is prime, the |
852 | | // output will be invalid only if there is a failure in the RBG. |
853 | | // 2. Compute the elliptic curve point R = [k]G = (xR, yR) using EC scalar |
854 | | // multiplication (see [Routines]), where G is the base point included in |
855 | | // the set of domain parameters. |
856 | | // 3. Compute r = xR mod n. If r = 0, then return to Step 1. 1. |
857 | | // 4. Use the selected hash function to compute H = Hash(M). |
858 | | // 5. Convert the bit string H to an integer e as described in Appendix B.2. |
859 | | // 6. Compute s = (k^-1 * (e + d * r)) mod n. If s = 0, return to Step 1.2. |
860 | | // 7. Return (r, s). |
861 | | // Generate a random value k in the range 1 <= k < n |
862 | | // Want a K value that is the same size as the curve order |
863 | 0 | k.t.size = curveData->n->size; |
864 | 0 | while(TRUE) // This implements the loop at step 6. If s is zero, start over. |
865 | 0 | { |
866 | 0 | while(TRUE) |
867 | 0 | { |
868 | | // Step 1 and 2 -- generate an ephemeral key and the modular inverse |
869 | | // of the private key. |
870 | 0 | while(TRUE) |
871 | 0 | { |
872 | 0 | GetRandomPrivate(&k, curveData->n); |
873 | | // Do the point multiply to generate a point and check to see if |
874 | | // the point it at infinity |
875 | 0 | if( _cpri__EccPointMultiply(&R, curveId, &k, NULL, NULL) |
876 | 0 | != CRYPT_NO_RESULT) |
877 | 0 | break; // can only be CRYPT_SUCCESS |
878 | 0 | } |
879 | | // x coordinate is mod p. Make it mod n |
880 | | // Assume the size variables do not overflow, which should not happen |
881 | | // in the contexts that this function will be called. |
882 | 0 | assert2Bsize(R.x.t); |
883 | 0 | BN_bin2bn(R.x.t.buffer, R.x.t.size, bnR); |
884 | 0 | BN_mod(bnR, bnR, bnN, context); |
885 | | // Make sure that it is not zero; |
886 | 0 | if(BN_is_zero(bnR)) |
887 | 0 | continue; |
888 | | // Make sure that a modular inverse exists |
889 | | // Assume the size variables do not overflow, which should not happen |
890 | | // in the contexts that this function will be called. |
891 | 0 | assert2Bsize(k.t); |
892 | 0 | BN_bin2bn(k.t.buffer, k.t.size, bnK); |
893 | 0 | if( BN_mod_inverse(bnIk, bnK, bnN, context) != NULL) |
894 | 0 | break; |
895 | 0 | } |
896 | | // Set z = leftmost bits of the digest |
897 | | // NOTE: This is implemented such that the key size needs to be |
898 | | // an even number of bytes in length. |
899 | 0 | if(digest->size > curveData->n->size) |
900 | 0 | { |
901 | | // Assume the size variables do not overflow, which should not happen |
902 | | // in the contexts that this function will be called. |
903 | 0 | pAssert(curveData->n->size <= MAX_ECC_KEY_BYTES); |
904 | | // digest is larger than n so truncate |
905 | 0 | BN_bin2bn(digest->buffer, curveData->n->size, bnZ); |
906 | 0 | } |
907 | 0 | else |
908 | 0 | { |
909 | | // Assume the size variables do not overflow, which should not happen |
910 | | // in the contexts that this function will be called. |
911 | 0 | pAssert(digest->size <= MAX_DIGEST_SIZE); |
912 | | // digest is same or smaller than n so use it all |
913 | 0 | BN_bin2bn(digest->buffer, digest->size, bnZ); |
914 | 0 | } |
915 | | // Assume the size variables do not overflow, which should not happen in |
916 | | // the contexts that this function will be called. |
917 | 0 | assert2Bsize(dIn->t); |
918 | 0 | if( bnZ == NULL |
919 | | // need the private scalar of the signing key |
920 | 0 | || BN_bin2bn(dIn->t.buffer, dIn->t.size, bnD) == NULL) |
921 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
922 | | // NOTE: When the result of an operation is going to be reduced mod x |
923 | | // any modular multiplication is done so that the intermediate values |
924 | | // don't get too large. |
925 | | // |
926 | | // now have inverse of K (bnIk), z (bnZ), r (bnR), d (bnD) and n (bnN) |
927 | | // Compute s = k^-1 (z + r*d)(mod n) |
928 | | // first do d = r*d mod n |
929 | 0 | if( !BN_mod_mul(bnD, bnR, bnD, bnN, context) |
930 | | // d = z + r * d |
931 | 0 | || !BN_add(bnD, bnZ, bnD) |
932 | | // d = k^(-1)(z + r * d)(mod n) |
933 | 0 | || !BN_mod_mul(bnD, bnIk, bnD, bnN, context) |
934 | | // convert to TPM2B format |
935 | 0 | || !BnTo2B(&sOut->b, bnD, curveData->n->size) |
936 | | // and write the modular reduced version of r |
937 | | // NOTE: this was deferred to reduce the number of |
938 | | // error checks. |
939 | 0 | || !BnTo2B(&rOut->b, bnR, curveData->n->size)) |
940 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
941 | 0 | if(!BN_is_zero(bnD)) |
942 | 0 | break; // signature not zero so done |
943 | | // if the signature value was zero, start over |
944 | 0 | } |
945 | | // Free up allocated BN values |
946 | 0 | BN_CTX_end(context); |
947 | 0 | BN_CTX_free(context); |
948 | 0 | return retVal; |
949 | 0 | } |
950 | | #endif //% |
951 | | #if defined TPM_ALG_ECDAA || defined TPM_ALG_ECSCHNORR //% |
952 | | // |
953 | | // |
954 | | // EcDaa() |
955 | | // |
956 | | // This function is used to perform a modified Schnorr signature for ECDAA. |
957 | | // This function performs s = k + T * d mod n where |
958 | | // a) 'k is a random, or pseudo-random value used in the commit phase |
959 | | // b) T is the digest to be signed, and |
960 | | // c) d is a private key. |
961 | | // If tIn is NULL then use tOut as T |
962 | | // |
963 | | // Return Value Meaning |
964 | | // |
965 | | // CRYPT_SUCCESS signature created |
966 | | // |
967 | | static CRYPT_RESULT |
968 | | EcDaa( |
969 | | TPM2B_ECC_PARAMETER *tOut, // OUT: T component of the signature |
970 | | TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature |
971 | | TPM_ECC_CURVE curveId, // IN: the curve used in signing |
972 | | TPM2B_ECC_PARAMETER *dIn, // IN: the private key |
973 | | TPM2B *tIn, // IN: the value to sign |
974 | | TPM2B_ECC_PARAMETER *kIn // IN: a random value from commit |
975 | | ) |
976 | 0 | { |
977 | 0 | BIGNUM *bnN, *bnK, *bnT, *bnD; |
978 | 0 | BN_CTX *context; |
979 | 0 | const TPM2B *n; |
980 | 0 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
981 | 0 | BOOL OK = TRUE; |
982 | | // Parameter checks |
983 | 0 | pAssert( sOut != NULL && dIn != NULL && tOut != NULL |
984 | 0 | && kIn != NULL && curveData != NULL); |
985 | | // this just saves key strokes |
986 | 0 | n = curveData->n; |
987 | 0 | if(tIn != NULL) |
988 | 0 | Copy2B(&tOut->b, tIn); |
989 | | // The size of dIn and kIn input scalars is limited by the size of the size |
990 | | // of a TPM2B_ECC_PARAMETER and tIn can be no larger than a digest. |
991 | | // Make sure they are within range. |
992 | 0 | pAssert( (int) dIn->t.size <= MAX_ECC_KEY_BYTES |
993 | 0 | && (int) kIn->t.size <= MAX_ECC_KEY_BYTES |
994 | | // |
995 | 0 | && (int) tOut->t.size <= MAX_DIGEST_SIZE |
996 | 0 | ); |
997 | 0 | context = BN_CTX_new(); |
998 | 0 | if(context == NULL) |
999 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
1000 | 0 | BN_CTX_start(context); |
1001 | 0 | bnN = BN_CTX_get(context); |
1002 | 0 | bnK = BN_CTX_get(context); |
1003 | 0 | bnT = BN_CTX_get(context); |
1004 | 0 | bnD = BN_CTX_get(context); |
1005 | | // Check for allocation problems |
1006 | 0 | if(bnD == NULL) |
1007 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
1008 | | // Convert values |
1009 | 0 | if( BN_bin2bn(n->buffer, n->size, bnN) == NULL |
1010 | 0 | || BN_bin2bn(kIn->t.buffer, kIn->t.size, bnK) == NULL |
1011 | 0 | || BN_bin2bn(dIn->t.buffer, dIn->t.size, bnD) == NULL |
1012 | 0 | || BN_bin2bn(tOut->t.buffer, tOut->t.size, bnT) == NULL) |
1013 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1014 | | // Compute T = T mod n |
1015 | 0 | OK = OK && BN_mod(bnT, bnT, bnN, context); |
1016 | | // compute (s = k + T * d mod n) |
1017 | | // d = T * d mod n |
1018 | 0 | OK = OK && BN_mod_mul(bnD, bnT, bnD, bnN, context) == 1; |
1019 | | // d = k + T * d mod n |
1020 | 0 | OK = OK && BN_mod_add(bnD, bnK, bnD, bnN, context) == 1; |
1021 | | // s = d |
1022 | 0 | OK = OK && BnTo2B(&sOut->b, bnD, n->size); |
1023 | | // r = T |
1024 | 0 | OK = OK && BnTo2B(&tOut->b, bnT, n->size); |
1025 | 0 | if(!OK) |
1026 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1027 | | // Cleanup |
1028 | 0 | BN_CTX_end(context); |
1029 | 0 | BN_CTX_free(context); |
1030 | 0 | return CRYPT_SUCCESS; |
1031 | 0 | } |
1032 | | #endif //% |
1033 | | #ifdef TPM_ALG_ECSCHNORR //% |
1034 | | // |
1035 | | // |
1036 | | // Mod2B() |
1037 | | // |
1038 | | // Function does modular reduction of TPM2B values. |
1039 | | // |
1040 | | static CRYPT_RESULT |
1041 | | Mod2B( |
1042 | | TPM2B *x, // IN/OUT: value to reduce |
1043 | | const TPM2B *n // IN: mod |
1044 | | ) |
1045 | 0 | { |
1046 | 0 | int compare; |
1047 | 0 | compare = _math__uComp(x->size, x->buffer, n->size, n->buffer); |
1048 | 0 | if(compare < 0) |
1049 | | // if x < n, then mod is x |
1050 | 0 | return CRYPT_SUCCESS; |
1051 | 0 | if(compare == 0) |
1052 | 0 | { |
1053 | | // if x == n then mod is 0 |
1054 | 0 | x->size = 0; |
1055 | 0 | x->buffer[0] = 0; |
1056 | 0 | return CRYPT_SUCCESS; |
1057 | 0 | } |
1058 | 0 | return _math__Div(x, n, NULL, x); |
1059 | 0 | } |
1060 | | |
1061 | | // |
1062 | | // |
1063 | | // SchnorrEcc() |
1064 | | // |
1065 | | // This function is used to perform a modified Schnorr signature. |
1066 | | // This function will generate a random value k and compute |
1067 | | // a) (xR, yR) = [k]G |
1068 | | // b) r = hash(P || xR)(mod n) |
1069 | | // c) s= k + r * ds |
1070 | | // d) return the tuple T, s |
1071 | | // |
1072 | | // |
1073 | | // |
1074 | | // |
1075 | | // Return Value Meaning |
1076 | | // |
1077 | | // CRYPT_SUCCESS signature created |
1078 | | // CRYPT_SCHEME hashAlg can't produce zero-length digest |
1079 | | // |
1080 | | static CRYPT_RESULT |
1081 | | SchnorrEcc( |
1082 | | TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature |
1083 | | TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature |
1084 | | TPM_ALG_ID hashAlg, // IN: hash algorithm used |
1085 | | TPM_ECC_CURVE curveId, // IN: the curve used in signing |
1086 | | TPM2B_ECC_PARAMETER *dIn, // IN: the private key |
1087 | | TPM2B *digest, // IN: the digest to sign |
1088 | | TPM2B_ECC_PARAMETER *kIn // IN: for testing |
1089 | | ) |
1090 | 0 | { |
1091 | 0 | TPM2B_ECC_PARAMETER k; |
1092 | 0 | BIGNUM *bnR, *bnN, *bnK, *bnT, *bnD; |
1093 | 0 | BN_CTX *context; |
1094 | 0 | const TPM2B *n; |
1095 | 0 | EC_POINT *pR = NULL; |
1096 | 0 | EC_GROUP *group = NULL; |
1097 | 0 | CPRI_HASH_STATE hashState; |
1098 | 0 | UINT16 digestSize = _cpri__GetDigestSize(hashAlg); |
1099 | 0 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
1100 | 0 | TPM2B_TYPE(T, MAX(MAX_DIGEST_SIZE, MAX_ECC_PARAMETER_BYTES)); |
1101 | 0 | TPM2B_T T2b; |
1102 | 0 | BOOL OK = TRUE; |
1103 | | // Parameter checks |
1104 | | // Must have a place for the 'r' and 's' parts of the signature, a private |
1105 | | // key ('d') |
1106 | 0 | pAssert( rOut != NULL && sOut != NULL && dIn != NULL |
1107 | 0 | && digest != NULL && curveData != NULL); |
1108 | | // to save key strokes |
1109 | 0 | n = curveData->n; |
1110 | | // If the digest does not produce a hash, then null the signature and return |
1111 | | // a failure. |
1112 | 0 | if(digestSize == 0) |
1113 | 0 | { |
1114 | 0 | rOut->t.size = 0; |
1115 | 0 | sOut->t.size = 0; |
1116 | 0 | return CRYPT_SCHEME; |
1117 | 0 | } |
1118 | | // Allocate big number values |
1119 | 0 | context = BN_CTX_new(); |
1120 | 0 | if(context == NULL) |
1121 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
1122 | 0 | BN_CTX_start(context); |
1123 | 0 | bnR = BN_CTX_get(context); |
1124 | 0 | bnN = BN_CTX_get(context); |
1125 | 0 | bnK = BN_CTX_get(context); |
1126 | 0 | bnT = BN_CTX_get(context); |
1127 | 0 | bnD = BN_CTX_get(context); |
1128 | 0 | if( bnD == NULL |
1129 | | // initialize the group parameters |
1130 | 0 | || (group = EccCurveInit(curveId, context)) == NULL |
1131 | | // allocate a local point |
1132 | 0 | || (pR = EC_POINT_new(group)) == NULL |
1133 | 0 | ) |
1134 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
1135 | 0 | if(BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL) |
1136 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1137 | 0 | while(OK) |
1138 | 0 | { |
1139 | | // a) set k to a random value such that 1 k n-1 |
1140 | 0 | if(kIn != NULL) |
1141 | 0 | { |
1142 | 0 | Copy2B(&k.b, &kIn->b); // copy input k if testing |
1143 | 0 | OK = FALSE; // not OK to loop |
1144 | 0 | } |
1145 | 0 | else |
1146 | | // If get a random value in the correct range |
1147 | 0 | GetRandomPrivate(&k, n); |
1148 | | // Convert 'k' and generate pR = ['k']G |
1149 | 0 | BnFrom2B(bnK, &k.b); |
1150 | | // b) compute E (xE, yE) [k]G |
1151 | 0 | if(PointMul(group, pR, bnK, NULL, NULL, context) == CRYPT_NO_RESULT) |
1152 | | // c) if E is the point at infinity, go to a) |
1153 | 0 | continue; |
1154 | | // d) compute e xE (mod n) |
1155 | | // Get the x coordinate of the point |
1156 | 0 | EC_POINT_get_affine_coordinates_GFp(group, pR, bnR, NULL, context); |
1157 | | // make (mod n) |
1158 | 0 | BN_mod(bnR, bnR, bnN, context); |
1159 | | // e) if e is zero, go to a) |
1160 | 0 | if(BN_is_zero(bnR)) |
1161 | 0 | continue; |
1162 | | // Convert xR to a string (use T as a temp) |
1163 | 0 | BnTo2B(&T2b.b, bnR, (UINT16)(BN_num_bits(bnR)+7)/8); |
1164 | | // f) compute r HschemeHash(P || e) (mod n) |
1165 | 0 | _cpri__StartHash(hashAlg, FALSE, &hashState); |
1166 | 0 | _cpri__UpdateHash(&hashState, digest->size, digest->buffer); |
1167 | 0 | _cpri__UpdateHash(&hashState, T2b.t.size, T2b.t.buffer); |
1168 | 0 | if(_cpri__CompleteHash(&hashState, digestSize, T2b.b.buffer) != digestSize) |
1169 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1170 | 0 | T2b.t.size = digestSize; |
1171 | 0 | BnFrom2B(bnT, &T2b.b); |
1172 | 0 | BN_div(NULL, bnT, bnT, bnN, context); |
1173 | 0 | BnTo2B(&rOut->b, bnT, (UINT16)BN_num_bytes(bnT)); |
1174 | | // We have a value and we are going to exit the loop successfully |
1175 | 0 | OK = TRUE; |
1176 | 0 | break; |
1177 | 0 | } |
1178 | | // Cleanup |
1179 | 0 | EC_POINT_free(pR); |
1180 | 0 | EC_GROUP_free(group); |
1181 | 0 | BN_CTX_end(context); |
1182 | 0 | BN_CTX_free(context); |
1183 | | // If we have a value, finish the signature |
1184 | 0 | if(OK) |
1185 | 0 | return EcDaa(rOut, sOut, curveId, dIn, NULL, &k); |
1186 | 0 | else |
1187 | 0 | return CRYPT_NO_RESULT; |
1188 | 0 | } |
1189 | | #endif //% |
1190 | | #ifdef TPM_ALG_SM2 //% |
1191 | | #ifdef _SM2_SIGN_DEBUG //% |
1192 | | static int |
1193 | | cmp_bn2hex( |
1194 | | BIGNUM *bn, // IN: big number value |
1195 | | const char *c // IN: character string number |
1196 | | ) |
1197 | | { |
1198 | | int result; |
1199 | | BIGNUM *bnC = BN_new(); |
1200 | | pAssert(bnC != NULL); |
1201 | | BN_hex2bn(&bnC, c); |
1202 | | result = BN_ucmp(bn, bnC); |
1203 | | BN_free(bnC); |
1204 | | return result; |
1205 | | } |
1206 | | static int |
1207 | | cmp_2B2hex( |
1208 | | TPM2B *a, // IN: TPM2B number to compare |
1209 | | const char *c // IN: character string |
1210 | | ) |
1211 | | { |
1212 | | int result; |
1213 | | int sl = strlen(c); |
1214 | | BIGNUM *bnA; |
1215 | | result = (a->size * 2) - sl; |
1216 | | if(result != 0) |
1217 | | return result; |
1218 | | pAssert((bnA = BN_bin2bn(a->buffer, a->size, NULL)) != NULL); |
1219 | | result = cmp_bn2hex(bnA, c); |
1220 | | BN_free(bnA); |
1221 | | return result; |
1222 | | } |
1223 | | static void |
1224 | | cpy_hexTo2B( |
1225 | | TPM2B *b, // OUT: receives value |
1226 | | const char *c // IN: source string |
1227 | | ) |
1228 | | { |
1229 | | BIGNUM *bnB = BN_new(); |
1230 | | pAssert((strlen(c) & 1) == 0); // must have an even number of digits |
1231 | | b->size = strlen(c) / 2; |
1232 | | BN_hex2bn(&bnB, c); |
1233 | | pAssert(bnB != NULL); |
1234 | | BnTo2B(b, bnB, b->size); |
1235 | | BN_free(bnB); |
1236 | | } |
1237 | | #endif //% _SM2_SIGN_DEBUG |
1238 | | // |
1239 | | // |
1240 | | // SignSM2() |
1241 | | // |
1242 | | // This function signs a digest using the method defined in SM2 Part 2. The method in the standard will add |
1243 | | // a header to the message to be signed that is a hash of the values that define the key. This then hashed |
1244 | | // with the message to produce a digest (e) that is signed. This function signs e. |
1245 | | // |
1246 | | // |
1247 | | // |
1248 | | // |
1249 | | // Return Value Meaning |
1250 | | // |
1251 | | // CRYPT_SUCCESS sign worked |
1252 | | // |
1253 | | static CRYPT_RESULT |
1254 | | SignSM2( |
1255 | | TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature |
1256 | | TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature |
1257 | | TPM_ECC_CURVE curveId, // IN: the curve used in signing |
1258 | | TPM2B_ECC_PARAMETER *dIn, // IN: the private key |
1259 | | TPM2B *digest // IN: the digest to sign |
1260 | | ) |
1261 | 0 | { |
1262 | 0 | BIGNUM *bnR; |
1263 | 0 | BIGNUM *bnS; |
1264 | 0 | BIGNUM *bnN; |
1265 | 0 | BIGNUM *bnK; |
1266 | 0 | BIGNUM *bnX1; |
1267 | 0 | BIGNUM *bnD; |
1268 | 0 | BIGNUM *bnT; // temp |
1269 | 0 | BIGNUM *bnE; |
1270 | 0 | BN_CTX *context; |
1271 | 0 | TPM2B_ECC_PARAMETER k; |
1272 | 0 | TPMS_ECC_POINT p2Br; |
1273 | 0 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
1274 | 0 | pAssert(curveData != NULL); |
1275 | 0 | context = BN_CTX_new(); |
1276 | 0 | BN_CTX_start(context); |
1277 | 0 | bnK = BN_CTX_get(context); |
1278 | 0 | bnR = BN_CTX_get(context); |
1279 | 0 | bnS = BN_CTX_get(context); |
1280 | 0 | bnX1 = BN_CTX_get(context); |
1281 | 0 | bnN = BN_CTX_get(context); |
1282 | 0 | bnD = BN_CTX_get(context); |
1283 | 0 | bnT = BN_CTX_get(context); |
1284 | 0 | bnE = BN_CTX_get(context); |
1285 | 0 | if(bnE == NULL) |
1286 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
1287 | 0 | BnFrom2B(bnE, digest); |
1288 | 0 | BnFrom2B(bnN, curveData->n); |
1289 | 0 | BnFrom2B(bnD, &dIn->b); |
1290 | | #ifdef _SM2_SIGN_DEBUG |
1291 | | BN_hex2bn(&bnE, "B524F552CD82B8B028476E005C377FB19A87E6FC682D48BB5D42E3D9B9EFFE76"); |
1292 | | BN_hex2bn(&bnD, "128B2FA8BD433C6C068C8D803DFF79792A519A55171B1B650C23661D15897263"); |
1293 | | #endif |
1294 | | // A3: Use random number generator to generate random number 1 <= k <= n-1; |
1295 | | // NOTE: Ax: numbers are from the SM2 standard |
1296 | 0 | k.t.size = curveData->n->size; |
1297 | 0 | loop: |
1298 | 0 | { |
1299 | | // Get a random number |
1300 | 0 | _cpri__GenerateRandom(k.t.size, k.t.buffer); |
1301 | | #ifdef _SM2_SIGN_DEBUG |
1302 | | BN_hex2bn(&bnK, "6CB28D99385C175C94F94E934817663FC176D925DD72B727260DBAAE1FB2F96F"); |
1303 | | BnTo2B(&k.b,bnK, 32); |
1304 | | k.t.size = 32; |
1305 | | #endif |
1306 | | //make sure that the number is 0 < k < n |
1307 | 0 | BnFrom2B(bnK, &k.b); |
1308 | 0 | if( BN_ucmp(bnK, bnN) >= 0 |
1309 | 0 | || BN_is_zero(bnK)) |
1310 | 0 | goto loop; |
1311 | | // A4: Figure out the point of elliptic curve (x1, y1)=[k]G, and according |
1312 | | // to details specified in 4.2.7 in Part 1 of this document, transform the |
1313 | | // data type of x1 into an integer; |
1314 | 0 | if( _cpri__EccPointMultiply(&p2Br, curveId, &k, NULL, NULL) |
1315 | 0 | == CRYPT_NO_RESULT) |
1316 | 0 | goto loop; |
1317 | 0 | BnFrom2B(bnX1, &p2Br.x.b); |
1318 | | // A5: Figure out r = (e + x1) mod n, |
1319 | 0 | if(!BN_mod_add(bnR, bnE, bnX1, bnN, context)) |
1320 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1321 | | #ifdef _SM2_SIGN_DEBUG |
1322 | | pAssert(cmp_bn2hex(bnR, |
1323 | | "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1") |
1324 | | == 0); |
1325 | | #endif |
1326 | | // if r=0 or r+k=n, return to A3; |
1327 | 0 | if(!BN_add(bnT, bnK, bnR)) |
1328 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1329 | 0 | if(BN_is_zero(bnR) || BN_ucmp(bnT, bnN) == 0) |
1330 | 0 | goto loop; |
1331 | | // A6: Figure out s = ((1 + dA)^-1 (k - r dA)) mod n, if s=0, return to A3; |
1332 | | // compute t = (1+d)-1 |
1333 | 0 | BN_copy(bnT, bnD); |
1334 | 0 | if( !BN_add_word(bnT, 1) |
1335 | 0 | || !BN_mod_inverse(bnT, bnT, bnN, context) // (1 + dA)^-1 mod n |
1336 | 0 | ) |
1337 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1338 | | #ifdef _SM2_SIGN_DEBUG |
1339 | | pAssert(cmp_bn2hex(bnT, |
1340 | | "79BFCF3052C80DA7B939E0C6914A18CBB2D96D8555256E83122743A7D4F5F956") |
1341 | | == 0); |
1342 | | #endif |
1343 | | // compute s = t * (k - r * dA) mod n |
1344 | 0 | if( !BN_mod_mul(bnS, bnD, bnR, bnN, context) // (r * dA) mod n |
1345 | 0 | || !BN_mod_sub(bnS, bnK, bnS, bnN, context) // (k - (r * dA) mod n |
1346 | 0 | || !BN_mod_mul(bnS, bnT, bnS, bnN, context))// t * (k - (r * dA) mod n |
1347 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1348 | | #ifdef _SM2_SIGN_DEBUG |
1349 | | pAssert(cmp_bn2hex(bnS, |
1350 | | "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7") |
1351 | | == 0); |
1352 | | #endif |
1353 | 0 | if(BN_is_zero(bnS)) |
1354 | 0 | goto loop; |
1355 | 0 | } |
1356 | | // A7: According to details specified in 4.2.1 in Part 1 of this document, transform |
1357 | | // the data type of r, s into bit strings, signature of message M is (r, s). |
1358 | 0 | BnTo2B(&rOut->b, bnR, curveData->n->size); |
1359 | 0 | BnTo2B(&sOut->b, bnS, curveData->n->size); |
1360 | | #ifdef _SM2_SIGN_DEBUG |
1361 | | pAssert(cmp_2B2hex(&rOut->b, |
1362 | | "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1") |
1363 | | == 0); |
1364 | | pAssert(cmp_2B2hex(&sOut->b, |
1365 | | "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7") |
1366 | | == 0); |
1367 | | #endif |
1368 | 0 | BN_CTX_end(context); |
1369 | 0 | BN_CTX_free(context); |
1370 | 0 | return CRYPT_SUCCESS; |
1371 | 0 | } |
1372 | | #endif //% TPM_ALG_SM2 |
1373 | | // |
1374 | | // |
1375 | | // _cpri__SignEcc() |
1376 | | // |
1377 | | // This function is the dispatch function for the various ECC-based signing schemes. |
1378 | | // |
1379 | | // Return Value Meaning |
1380 | | // |
1381 | | // CRYPT_SCHEME scheme is not supported |
1382 | | // |
1383 | | LIB_EXPORT CRYPT_RESULT |
1384 | | _cpri__SignEcc( |
1385 | | TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature |
1386 | | TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature |
1387 | | TPM_ALG_ID scheme, // IN: the scheme selector |
1388 | | TPM_ALG_ID hashAlg, // IN: the hash algorithm if need |
1389 | | TPM_ECC_CURVE curveId, // IN: the curve used in the signature |
1390 | | // process |
1391 | | TPM2B_ECC_PARAMETER *dIn, // IN: the private key |
1392 | | TPM2B *digest, // IN: the digest to sign |
1393 | | TPM2B_ECC_PARAMETER *kIn // IN: k for input |
1394 | | ) |
1395 | 0 | { |
1396 | 0 | switch (scheme) |
1397 | 0 | { |
1398 | 0 | case TPM_ALG_ECDSA: |
1399 | | // SignEcdsa always works |
1400 | 0 | return SignEcdsa(rOut, sOut, curveId, dIn, digest); |
1401 | 0 | break; |
1402 | 0 | #ifdef TPM_ALG_ECDAA |
1403 | 0 | case TPM_ALG_ECDAA: |
1404 | 0 | if(rOut != NULL) |
1405 | 0 | rOut->b.size = 0; |
1406 | 0 | return EcDaa(rOut, sOut, curveId, dIn, digest, kIn); |
1407 | 0 | break; |
1408 | 0 | #endif |
1409 | 0 | #ifdef TPM_ALG_ECSCHNORR |
1410 | 0 | case TPM_ALG_ECSCHNORR: |
1411 | 0 | return SchnorrEcc(rOut, sOut, hashAlg, curveId, dIn, digest, kIn); |
1412 | 0 | break; |
1413 | 0 | #endif |
1414 | 0 | #ifdef TPM_ALG_SM2 |
1415 | 0 | case TPM_ALG_SM2: |
1416 | 0 | return SignSM2(rOut, sOut, curveId, dIn, digest); |
1417 | 0 | break; |
1418 | 0 | #endif |
1419 | 0 | default: |
1420 | 0 | return CRYPT_SCHEME; |
1421 | 0 | } |
1422 | 0 | } |
1423 | | #ifdef TPM_ALG_ECDSA //% |
1424 | | // |
1425 | | // |
1426 | | // ValidateSignatureEcdsa() |
1427 | | // |
1428 | | // This function validates an ECDSA signature. rIn and sIn shoudl have been checked to make sure that |
1429 | | // they are not zero. |
1430 | | // |
1431 | | // Return Value Meaning |
1432 | | // |
1433 | | // CRYPT_SUCCESS signature valid |
1434 | | // CRYPT_FAIL signature not valid |
1435 | | // |
1436 | | static CRYPT_RESULT |
1437 | | ValidateSignatureEcdsa( |
1438 | | TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature |
1439 | | TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature |
1440 | | TPM_ECC_CURVE curveId, // IN: the curve used in the signature |
1441 | | // process |
1442 | | TPMS_ECC_POINT *Qin, // IN: the public point of the key |
1443 | | TPM2B *digest // IN: the digest that was signed |
1444 | | ) |
1445 | 0 | { |
1446 | 0 | TPM2B_ECC_PARAMETER U1; |
1447 | 0 | TPM2B_ECC_PARAMETER U2; |
1448 | 0 | TPMS_ECC_POINT R; |
1449 | 0 | const TPM2B *n; |
1450 | 0 | BN_CTX *context; |
1451 | 0 | EC_GROUP *group = NULL; |
1452 | 0 | BIGNUM *bnU1; |
1453 | 0 | BIGNUM *bnU2; |
1454 | 0 | BIGNUM *bnR; |
1455 | 0 | BIGNUM *bnS; |
1456 | 0 | BIGNUM *bnW; |
1457 | 0 | BIGNUM *bnV; |
1458 | 0 | BIGNUM *bnN; |
1459 | 0 | BIGNUM *bnE; |
1460 | 0 | CRYPT_RESULT retVal = CRYPT_FAIL; |
1461 | 0 | int t; |
1462 | 0 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
1463 | | // The curve selector should have been filtered by the unmarshaling process |
1464 | 0 | pAssert (curveData != NULL); |
1465 | 0 | n = curveData->n; |
1466 | | // 1. If r and s are not both integers in the interval [1, n - 1], output |
1467 | | // INVALID. |
1468 | | // rIn and sIn are known to be greater than zero (was checked by the caller). |
1469 | 0 | if( _math__uComp(rIn->t.size, rIn->t.buffer, n->size, n->buffer) >= 0 |
1470 | 0 | || _math__uComp(sIn->t.size, sIn->t.buffer, n->size, n->buffer) >= 0 |
1471 | 0 | ) |
1472 | 0 | return CRYPT_FAIL; |
1473 | 0 | context = BN_CTX_new(); |
1474 | 0 | if(context == NULL) |
1475 | 0 | FAIL(FATAL_ERROR_ALLOCATION); |
1476 | 0 | BN_CTX_start(context); |
1477 | 0 | bnR = BN_CTX_get(context); |
1478 | 0 | bnS = BN_CTX_get(context); |
1479 | 0 | bnN = BN_CTX_get(context); |
1480 | 0 | bnE = BN_CTX_get(context); |
1481 | 0 | bnV = BN_CTX_get(context); |
1482 | 0 | bnW = BN_CTX_get(context); |
1483 | 0 | bnU1 = BN_CTX_get(context); |
1484 | 0 | bnU2 = BN_CTX_get(context); |
1485 | | // Assume the size variables do not overflow, which should not happen in |
1486 | | // the contexts that this function will be called. |
1487 | 0 | assert2Bsize(Qin->x.t); |
1488 | 0 | assert2Bsize(rIn->t); |
1489 | 0 | assert2Bsize(sIn->t); |
1490 | | // BN_CTX_get() is sticky so only need to check the last value to know that |
1491 | | // all worked. |
1492 | 0 | if( bnU2 == NULL |
1493 | | // initialize the group parameters |
1494 | 0 | || (group = EccCurveInit(curveId, context)) == NULL |
1495 | | // convert the signature values |
1496 | 0 | || BN_bin2bn(rIn->t.buffer, rIn->t.size, bnR) == NULL |
1497 | 0 | || BN_bin2bn(sIn->t.buffer, sIn->t.size, bnS) == NULL |
1498 | | // convert the curve order |
1499 | 0 | || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL) |
1500 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1501 | | // 2. Use the selected hash function to compute H0 = Hash(M0). |
1502 | | // This is an input parameter |
1503 | | // 3. Convert the bit string H0 to an integer e as described in Appendix B.2. |
1504 | 0 | t = (digest->size > rIn->t.size) ? rIn->t.size : digest->size; |
1505 | 0 | if(BN_bin2bn(digest->buffer, t, bnE) == NULL) |
1506 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1507 | | // 4. Compute w = (s')^-1 mod n, using the routine in Appendix B.1. |
1508 | 0 | if (BN_mod_inverse(bnW, bnS, bnN, context) == NULL) |
1509 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1510 | | // 5. Compute u1 = (e' * w) mod n, and compute u2 = (r' * w) mod n. |
1511 | 0 | if( !BN_mod_mul(bnU1, bnE, bnW, bnN, context) |
1512 | 0 | || !BN_mod_mul(bnU2, bnR, bnW, bnN, context)) |
1513 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1514 | 0 | BnTo2B(&U1.b, bnU1, (INT16) BN_num_bytes(bnU1)); |
1515 | 0 | BnTo2B(&U2.b, bnU2, (INT16) BN_num_bytes(bnU2)); |
1516 | | // 6. Compute the elliptic curve point R = (xR, yR) = u1G+u2Q, using EC |
1517 | | // scalar multiplication and EC addition (see [Routines]). If R is equal to |
1518 | | // the point at infinity O, output INVALID. |
1519 | 0 | if((retVal = _cpri__EccPointMultiply(&R, curveId, &U1, Qin, &U2)) == CRYPT_SUCCESS) |
1520 | 0 | { |
1521 | | // 7. Compute v = Rx mod n. |
1522 | 0 | if( BN_bin2bn(R.x.t.buffer, R.x.t.size, bnV) == NULL |
1523 | 0 | || !BN_mod(bnV, bnV, bnN, context)) |
1524 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1525 | | // 8. Compare v and r0. If v = r0, output VALID; otherwise, output INVALID |
1526 | 0 | if(BN_cmp(bnV, bnR)) |
1527 | 0 | retVal = CRYPT_FAIL; |
1528 | 0 | } |
1529 | 0 | if(group != NULL) EC_GROUP_free(group); |
1530 | 0 | BN_CTX_end(context); |
1531 | 0 | BN_CTX_free(context); |
1532 | 0 | return retVal; |
1533 | 0 | } |
1534 | | #endif //% TPM_ALG_ECDSA |
1535 | | #ifdef TPM_ALG_ECSCHNORR //% |
1536 | | // |
1537 | | // |
1538 | | // ValidateSignatureEcSchnorr() |
1539 | | // |
1540 | | // This function is used to validate an EC Schnorr signature. rIn and sIn are required to be greater than |
1541 | | // zero. This is checked in _cpri__ValidateSignatureEcc(). |
1542 | | // |
1543 | | // Return Value Meaning |
1544 | | // |
1545 | | // CRYPT_SUCCESS signature valid |
1546 | | // CRYPT_FAIL signature not valid |
1547 | | // CRYPT_SCHEME hashAlg is not supported |
1548 | | // |
1549 | | static CRYPT_RESULT |
1550 | | ValidateSignatureEcSchnorr( |
1551 | | TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature |
1552 | | TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature |
1553 | | TPM_ALG_ID hashAlg, // IN: hash algorithm of the signature |
1554 | | TPM_ECC_CURVE curveId, // IN: the curve used in the signature |
1555 | | // process |
1556 | | TPMS_ECC_POINT *Qin, // IN: the public point of the key |
1557 | | TPM2B *digest // IN: the digest that was signed |
1558 | | ) |
1559 | 0 | { |
1560 | 0 | TPMS_ECC_POINT pE; |
1561 | 0 | const TPM2B *n; |
1562 | 0 | CPRI_HASH_STATE hashState; |
1563 | 0 | TPM2B_DIGEST rPrime; |
1564 | 0 | TPM2B_ECC_PARAMETER minusR; |
1565 | 0 | UINT16 digestSize = _cpri__GetDigestSize(hashAlg); |
1566 | 0 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
1567 | | // The curve parameter should have been filtered by unmarshaling code |
1568 | 0 | pAssert(curveData != NULL); |
1569 | 0 | if(digestSize == 0) |
1570 | 0 | return CRYPT_SCHEME; |
1571 | | // Input parameter validation |
1572 | 0 | pAssert(rIn != NULL && sIn != NULL && Qin != NULL && digest != NULL); |
1573 | 0 | n = curveData->n; |
1574 | | // if sIn or rIn are not between 1 and N-1, signature check fails |
1575 | | // sIn and rIn were verified to be non-zero by the caller |
1576 | 0 | if( _math__uComp(sIn->b.size, sIn->b.buffer, n->size, n->buffer) >= 0 |
1577 | 0 | || _math__uComp(rIn->b.size, rIn->b.buffer, n->size, n->buffer) >= 0 |
1578 | 0 | ) |
1579 | 0 | return CRYPT_FAIL; |
1580 | | //E = [s]InG - [r]InQ |
1581 | 0 | _math__sub(n->size, n->buffer, |
1582 | 0 | rIn->t.size, rIn->t.buffer, |
1583 | 0 | &minusR.t.size, minusR.t.buffer); |
1584 | 0 | if(_cpri__EccPointMultiply(&pE, curveId, sIn, Qin, &minusR) != CRYPT_SUCCESS) |
1585 | 0 | return CRYPT_FAIL; |
1586 | | // Ex = Ex mod N |
1587 | 0 | if(Mod2B(&pE.x.b, n) != CRYPT_SUCCESS) |
1588 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1589 | 0 | _math__Normalize2B(&pE.x.b); |
1590 | | // rPrime = h(digest || pE.x) mod n; |
1591 | 0 | _cpri__StartHash(hashAlg, FALSE, &hashState); |
1592 | 0 | _cpri__UpdateHash(&hashState, digest->size, digest->buffer); |
1593 | 0 | _cpri__UpdateHash(&hashState, pE.x.t.size, pE.x.t.buffer); |
1594 | 0 | if(_cpri__CompleteHash(&hashState, digestSize, rPrime.t.buffer) != digestSize) |
1595 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1596 | 0 | rPrime.t.size = digestSize; |
1597 | | // rPrime = rPrime (mod n) |
1598 | 0 | if(Mod2B(&rPrime.b, n) != CRYPT_SUCCESS) |
1599 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1600 | | // if the values don't match, then the signature is bad |
1601 | 0 | if(_math__uComp(rIn->t.size, rIn->t.buffer, |
1602 | 0 | rPrime.t.size, rPrime.t.buffer) != 0) |
1603 | 0 | return CRYPT_FAIL; |
1604 | 0 | else |
1605 | 0 | return CRYPT_SUCCESS; |
1606 | 0 | } |
1607 | | #endif //% TPM_ALG_ECSCHNORR |
1608 | | #ifdef TPM_ALG_SM2 //% |
1609 | | // |
1610 | | // |
1611 | | // ValidateSignatueSM2Dsa() |
1612 | | // |
1613 | | // This function is used to validate an SM2 signature. |
1614 | | // |
1615 | | // Return Value Meaning |
1616 | | // |
1617 | | // CRYPT_SUCCESS signature valid |
1618 | | // CRYPT_FAIL signature not valid |
1619 | | // |
1620 | | static CRYPT_RESULT |
1621 | | ValidateSignatureSM2Dsa( |
1622 | | TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature |
1623 | | TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature |
1624 | | TPM_ECC_CURVE curveId, // IN: the curve used in the signature |
1625 | | // process |
1626 | | TPMS_ECC_POINT *Qin, // IN: the public point of the key |
1627 | | TPM2B *digest // IN: the digest that was signed |
1628 | | ) |
1629 | 0 | { |
1630 | 0 | BIGNUM *bnR; |
1631 | 0 | BIGNUM *bnRp; |
1632 | 0 | BIGNUM *bnT; |
1633 | 0 | BIGNUM *bnS; |
1634 | 0 | BIGNUM *bnE; |
1635 | 0 | BIGNUM *order; |
1636 | 0 | EC_POINT *pQ; |
1637 | 0 | BN_CTX *context; |
1638 | 0 | EC_GROUP *group = NULL; |
1639 | 0 | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
1640 | 0 | BOOL fail = FALSE; |
1641 | | // |
1642 | 0 | if((context = BN_CTX_new()) == NULL || curveData == NULL) |
1643 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1644 | 0 | bnR = BN_CTX_get(context); |
1645 | 0 | bnRp= BN_CTX_get(context); |
1646 | 0 | bnE = BN_CTX_get(context); |
1647 | 0 | bnT = BN_CTX_get(context); |
1648 | 0 | bnS = BN_CTX_get(context); |
1649 | 0 | order = BN_CTX_get(context); |
1650 | 0 | if( order == NULL |
1651 | 0 | || (group = EccCurveInit(curveId, context)) == NULL) |
1652 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1653 | | #ifdef _SM2_SIGN_DEBUG |
1654 | | cpy_hexTo2B(&Qin->x.b, |
1655 | | "0AE4C7798AA0F119471BEE11825BE46202BB79E2A5844495E97C04FF4DF2548A"); |
1656 | | cpy_hexTo2B(&Qin->y.b, |
1657 | | "7C0240F88F1CD4E16352A73C17B7F16F07353E53A176D684A9FE0C6BB798E857"); |
1658 | | cpy_hexTo2B(digest, |
1659 | | "B524F552CD82B8B028476E005C377FB19A87E6FC682D48BB5D42E3D9B9EFFE76"); |
1660 | | #endif |
1661 | 0 | if (!(pQ = EccInitPoint2B(group, Qin, context))) |
1662 | 0 | goto Cleanup; |
1663 | | #ifdef _SM2_SIGN_DEBUG |
1664 | | pAssert(EC_POINT_get_affine_coordinates_GFp(group, pQ, bnT, bnS, context)); |
1665 | | pAssert(cmp_bn2hex(bnT, |
1666 | | "0AE4C7798AA0F119471BEE11825BE46202BB79E2A5844495E97C04FF4DF2548A") |
1667 | | == 0); |
1668 | | pAssert(cmp_bn2hex(bnS, |
1669 | | "7C0240F88F1CD4E16352A73C17B7F16F07353E53A176D684A9FE0C6BB798E857") |
1670 | | == 0); |
1671 | | #endif |
1672 | 0 | BnFrom2B(bnR, &rIn->b); |
1673 | 0 | BnFrom2B(bnS, &sIn->b); |
1674 | 0 | BnFrom2B(bnE, digest); |
1675 | | #ifdef _SM2_SIGN_DEBUG |
1676 | | // Make sure that the input signature is the test signature |
1677 | | pAssert(cmp_2B2hex(&rIn->b, |
1678 | | "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1") == 0); |
1679 | | pAssert(cmp_2B2hex(&sIn->b, |
1680 | | "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7") == 0); |
1681 | | #endif |
1682 | | // a) verify that r and s are in the inclusive interval 1 to (n 1) |
1683 | 0 | if (!EC_GROUP_get_order(group, order, context)) goto Cleanup; |
1684 | 0 | fail = (BN_ucmp(bnR, order) >= 0); |
1685 | 0 | fail = (BN_ucmp(bnS, order) >= 0) || fail; |
1686 | 0 | if(fail) |
1687 | | // There is no reason to continue. Since r and s are inputs from the caller, |
1688 | | // they can know that the values are not in the proper range. So, exiting here |
1689 | | // does not disclose any information. |
1690 | 0 | goto Cleanup; |
1691 | | // b) compute t := (r + s) mod n |
1692 | 0 | if(!BN_mod_add(bnT, bnR, bnS, order, context)) |
1693 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1694 | | #ifdef _SM2_SIGN_DEBUG |
1695 | | pAssert(cmp_bn2hex(bnT, |
1696 | | "2B75F07ED7ECE7CCC1C8986B991F441AD324D6D619FE06DD63ED32E0C997C801") |
1697 | | == 0); |
1698 | | #endif |
1699 | | // c) verify that t > 0 |
1700 | 0 | if(BN_is_zero(bnT)) { |
1701 | 0 | fail = TRUE; |
1702 | | // set to a value that should allow rest of the computations to run without |
1703 | | // trouble |
1704 | 0 | BN_copy(bnT, bnS); |
1705 | 0 | } |
1706 | | // d) compute (x, y) := [s]G + [t]Q |
1707 | 0 | if(!EC_POINT_mul(group, pQ, bnS, pQ, bnT, context)) |
1708 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1709 | | // Get the x coordinate of the point |
1710 | 0 | if(!EC_POINT_get_affine_coordinates_GFp(group, pQ, bnT, NULL, context)) |
1711 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1712 | | #ifdef _SM2_SIGN_DEBUG |
1713 | | pAssert(cmp_bn2hex(bnT, |
1714 | | "110FCDA57615705D5E7B9324AC4B856D23E6D9188B2AE47759514657CE25D112") |
1715 | | == 0); |
1716 | | #endif |
1717 | | // e) compute r' := (e + x) mod n (the x coordinate is in bnT) |
1718 | 0 | if(!BN_mod_add(bnRp, bnE, bnT, order, context)) |
1719 | 0 | FAIL(FATAL_ERROR_INTERNAL); |
1720 | | // f) verify that r' = r |
1721 | 0 | fail = BN_ucmp(bnR, bnRp) != 0 || fail; |
1722 | 0 | Cleanup: |
1723 | 0 | if(pQ) EC_POINT_free(pQ); |
1724 | 0 | if(group) EC_GROUP_free(group); |
1725 | 0 | BN_CTX_end(context); |
1726 | 0 | BN_CTX_free(context); |
1727 | 0 | if(fail) |
1728 | 0 | return CRYPT_FAIL; |
1729 | 0 | else |
1730 | 0 | return CRYPT_SUCCESS; |
1731 | 0 | } |
1732 | | #endif //% TPM_ALG_SM2 |
1733 | | // |
1734 | | // |
1735 | | // _cpri__ValidateSignatureEcc() |
1736 | | // |
1737 | | // This function validates |
1738 | | // |
1739 | | // Return Value Meaning |
1740 | | // |
1741 | | // CRYPT_SUCCESS signature is valid |
1742 | | // CRYPT_FAIL not a valid signature |
1743 | | // CRYPT_SCHEME unsupported scheme |
1744 | | // |
1745 | | LIB_EXPORT CRYPT_RESULT |
1746 | | _cpri__ValidateSignatureEcc( |
1747 | | TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature |
1748 | | TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature |
1749 | | TPM_ALG_ID scheme, // IN: the scheme selector |
1750 | | TPM_ALG_ID hashAlg, // IN: the hash algorithm used (not used |
1751 | | // in all schemes) |
1752 | | TPM_ECC_CURVE curveId, // IN: the curve used in the signature |
1753 | | // process |
1754 | | TPMS_ECC_POINT *Qin, // IN: the public point of the key |
1755 | | TPM2B *digest // IN: the digest that was signed |
1756 | | ) |
1757 | 0 | { |
1758 | 0 | CRYPT_RESULT retVal; |
1759 | | // return failure if either part of the signature is zero |
1760 | 0 | if(_math__Normalize2B(&rIn->b) == 0 || _math__Normalize2B(&sIn->b) == 0) |
1761 | 0 | return CRYPT_FAIL; |
1762 | 0 | switch (scheme) |
1763 | 0 | { |
1764 | 0 | case TPM_ALG_ECDSA: |
1765 | 0 | retVal = ValidateSignatureEcdsa(rIn, sIn, curveId, Qin, digest); |
1766 | 0 | break; |
1767 | 0 | #ifdef TPM_ALG_ECSCHNORR |
1768 | 0 | case TPM_ALG_ECSCHNORR: |
1769 | 0 | retVal = ValidateSignatureEcSchnorr(rIn, sIn, hashAlg, curveId, Qin, |
1770 | 0 | digest); |
1771 | 0 | break; |
1772 | 0 | #endif |
1773 | 0 | #ifdef TPM_ALG_SM2 |
1774 | 0 | case TPM_ALG_SM2: |
1775 | 0 | retVal = ValidateSignatureSM2Dsa(rIn, sIn, curveId, Qin, digest); |
1776 | 0 | #endif |
1777 | 0 | default: |
1778 | 0 | retVal = CRYPT_SCHEME; |
1779 | 0 | break; |
1780 | 0 | } |
1781 | 0 | return retVal; |
1782 | 0 | } |
1783 | | #if CC_ZGen_2Phase == YES //% |
1784 | | #ifdef TPM_ALG_ECMQV |
1785 | | // |
1786 | | // |
1787 | | // avf1() |
1788 | | // |
1789 | | // This function does the associated value computation required by MQV key exchange. Process: |
1790 | | // a) Convert xQ to an integer xqi using the convention specified in Appendix C.3. |
1791 | | // b) Calculate xqm = xqi mod 2^ceil(f/2) (where f = ceil(log2(n)). |
1792 | | // c) Calculate the associate value function avf(Q) = xqm + 2ceil(f / 2) |
1793 | | // |
1794 | | static BOOL |
1795 | | avf1( |
1796 | | BIGNUM *bnX, // IN/OUT: the reduced value |
1797 | | BIGNUM *bnN // IN: the order of the curve |
1798 | | ) |
1799 | | { |
1800 | | // compute f = 2^(ceil(ceil(log2(n)) / 2)) |
1801 | | int f = (BN_num_bits(bnN) + 1) / 2; |
1802 | | // x' = 2^f + (x mod 2^f) |
1803 | | BN_mask_bits(bnX, f); // This is mod 2*2^f but it doesn't matter because |
1804 | | // the next operation will SET the extra bit anyway |
1805 | | BN_set_bit(bnX, f); |
1806 | | return TRUE; |
1807 | | } |
1808 | | // |
1809 | | // |
1810 | | // C_2_2_MQV() |
1811 | | // |
1812 | | // This function performs the key exchange defined in SP800-56A 6.1.1.4 Full MQV, C(2, 2, ECC MQV). |
1813 | | // CAUTION: Implementation of this function may require use of essential claims in patents not owned by |
1814 | | // TCG members. |
1815 | | // Points QsB() and QeB() are required to be on the curve of inQsA. The function will fail, possibly |
1816 | | // catastrophically, if this is not the case. |
1817 | | // |
1818 | | // |
1819 | | // |
1820 | | // Return Value Meaning |
1821 | | // |
1822 | | // CRYPT_SUCCESS results is valid |
1823 | | // CRYPT_NO_RESULT the value for dsA does not give a valid point on the curve |
1824 | | // |
1825 | | static CRYPT_RESULT |
1826 | | C_2_2_MQV( |
1827 | | TPMS_ECC_POINT *outZ, // OUT: the computed point |
1828 | | TPM_ECC_CURVE curveId, // IN: the curve for the computations |
1829 | | TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key |
1830 | | TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key |
1831 | | TPMS_ECC_POINT *QsB, // IN: static public party B key |
1832 | | TPMS_ECC_POINT *QeB // IN: ephemeral public party B key |
1833 | | ) |
1834 | | { |
1835 | | BN_CTX *context; |
1836 | | EC_POINT *pQeA = NULL; |
1837 | | EC_POINT *pQeB = NULL; |
1838 | | EC_POINT *pQsB = NULL; |
1839 | | EC_GROUP *group = NULL; |
1840 | | BIGNUM *bnTa; |
1841 | | BIGNUM *bnDeA; |
1842 | | BIGNUM *bnDsA; |
1843 | | BIGNUM *bnXeA; // x coordinate of ephemeral party A key |
1844 | | BIGNUM *bnH; |
1845 | | BIGNUM *bnN; |
1846 | | BIGNUM *bnXeB; |
1847 | | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
1848 | | CRYPT_RESULT retVal = CRYPT_POINT; |
1849 | | pAssert( curveData != NULL && outZ != NULL && dsA != NULL |
1850 | | && deA != NULL && QsB != NULL && QeB != NULL); |
1851 | | context = BN_CTX_new(); |
1852 | | if(context == NULL || curveData == NULL) |
1853 | | FAIL(FATAL_ERROR_ALLOCATION); |
1854 | | BN_CTX_start(context); |
1855 | | bnTa = BN_CTX_get(context); |
1856 | | bnDeA = BN_CTX_get(context); |
1857 | | bnDsA = BN_CTX_get(context); |
1858 | | bnXeA = BN_CTX_get(context); |
1859 | | bnH = BN_CTX_get(context); |
1860 | | bnN = BN_CTX_get(context); |
1861 | | bnXeB = BN_CTX_get(context); |
1862 | | if(bnXeB == NULL) |
1863 | | FAIL(FATAL_ERROR_ALLOCATION); |
1864 | | // Process: |
1865 | | // 1. implicitsigA = (de,A + avf(Qe,A)ds,A ) mod n. |
1866 | | // 2. P = h(implicitsigA)(Qe,B + avf(Qe,B)Qs,B). |
1867 | | // 3. If P = O, output an error indicator. |
1868 | | // 4. Z=xP, where xP is the x-coordinate of P. |
1869 | | // Initialize group parameters and local values of input |
1870 | | if((group = EccCurveInit(curveId, context)) == NULL) |
1871 | | FAIL(FATAL_ERROR_INTERNAL); |
1872 | | if((pQeA = EC_POINT_new(group)) == NULL) |
1873 | | FAIL(FATAL_ERROR_ALLOCATION); |
1874 | | BnFrom2B(bnDeA, &deA->b); |
1875 | | BnFrom2B(bnDsA, &dsA->b); |
1876 | | BnFrom2B(bnH, curveData->h); |
1877 | | BnFrom2B(bnN, curveData->n); |
1878 | | BnFrom2B(bnXeB, &QeB->x.b); |
1879 | | if (!(pQeB = EccInitPoint2B(group, QeB, context))) |
1880 | | { |
1881 | | retVal = CRYPT_POINT; |
1882 | | goto Cleanup; |
1883 | | } |
1884 | | if (!(pQsB = EccInitPoint2B(group, QsB, context))) |
1885 | | { |
1886 | | retVal = CRYPT_POINT; |
1887 | | goto Cleanup; |
1888 | | } |
1889 | | // Compute the public ephemeral key pQeA = [de,A]G |
1890 | | if( (retVal = PointMul(group, pQeA, bnDeA, NULL, NULL, context)) |
1891 | | != CRYPT_SUCCESS) |
1892 | | goto Cleanup; |
1893 | | if(EC_POINT_get_affine_coordinates_GFp(group, pQeA, bnXeA, NULL, context) != 1) |
1894 | | FAIL(FATAL_ERROR_INTERNAL); |
1895 | | // 1. implicitsigA = (de,A + avf(Qe,A)ds,A ) mod n. |
1896 | | // tA := (ds,A + de,A avf(Xe,A)) mod n (3) |
1897 | | // Compute 'tA' = ('deA' + 'dsA' avf('XeA')) mod n |
1898 | | // Ta = avf(XeA); |
1899 | | BN_copy(bnTa, bnXeA); |
1900 | | avf1(bnTa, bnN); |
1901 | | if(// do Ta = ds,A * Ta mod n = dsA * avf(XeA) mod n |
1902 | | !BN_mod_mul(bnTa, bnDsA, bnTa, bnN, context) |
1903 | | // now Ta = deA + Ta mod n = deA + dsA * avf(XeA) mod n |
1904 | | || !BN_mod_add(bnTa, bnDeA, bnTa, bnN, context) |
1905 | | ) |
1906 | | FAIL(FATAL_ERROR_INTERNAL); |
1907 | | // 2. P = h(implicitsigA)(Qe,B + avf(Qe,B)Qs,B). |
1908 | | // Put this in because almost every case of h is == 1 so skip the call when |
1909 | | // not necessary. |
1910 | | if(!BN_is_one(bnH)) |
1911 | | { |
1912 | | // Cofactor is not 1 so compute Ta := Ta * h mod n |
1913 | | if(!BN_mul(bnTa, bnTa, bnH, context)) |
1914 | | FAIL(FATAL_ERROR_INTERNAL); |
1915 | | } |
1916 | | // Now that 'tA' is (h * 'tA' mod n) |
1917 | | // 'outZ' = (tA)(Qe,B + avf(Qe,B)Qs,B). |
1918 | | // first, compute XeB = avf(XeB) |
1919 | | avf1(bnXeB, bnN); |
1920 | | // QsB := [XeB]QsB |
1921 | | if( !EC_POINT_mul(group, pQsB, NULL, pQsB, bnXeB, context) |
1922 | | // QeB := QsB + QeB |
1923 | | || !EC_POINT_add(group, pQeB, pQeB, pQsB, context) |
1924 | | ) |
1925 | | FAIL(FATAL_ERROR_INTERNAL); |
1926 | | // QeB := [tA]QeB = [tA](QsB + [Xe,B]QeB) and check for at infinity |
1927 | | if(PointMul(group, pQeB, NULL, pQeB, bnTa, context) == CRYPT_SUCCESS) |
1928 | | // Convert BIGNUM E to TPM2B E |
1929 | | Point2B(group, outZ, pQeB, (INT16)BN_num_bytes(bnN), context); |
1930 | | Cleanup: |
1931 | | if(pQeA != NULL) EC_POINT_free(pQeA); |
1932 | | if(pQeB != NULL) EC_POINT_free(pQeB); |
1933 | | if(pQsB != NULL) EC_POINT_free(pQsB); |
1934 | | if(group != NULL) EC_GROUP_free(group); |
1935 | | BN_CTX_end(context); |
1936 | | BN_CTX_free(context); |
1937 | | return retVal; |
1938 | | } |
1939 | | #endif // TPM_ALG_ECMQV |
1940 | | #ifdef TPM_ALG_SM2 //% |
1941 | | // |
1942 | | // |
1943 | | // avfSm2() |
1944 | | // |
1945 | | // This function does the associated value computation required by SM2 key exchange. This is different |
1946 | | // form the avf() in the international standards because it returns a value that is half the size of the value |
1947 | | // returned by the standard avf. For example, if n is 15, Ws (w in the standard) is 2 but the W here is 1. This |
1948 | | // means that an input value of 14 (1110b) would return a value of 110b with the standard but 10b with the |
1949 | | // scheme in SM2. |
1950 | | // |
1951 | | static BOOL |
1952 | | avfSm2( |
1953 | | BIGNUM *bnX, // IN/OUT: the reduced value |
1954 | | BIGNUM *bnN // IN: the order of the curve |
1955 | | ) |
1956 | | { |
1957 | | // a) set w := ceil(ceil(log2(n)) / 2) - 1 |
1958 | | int w = ((BN_num_bits(bnN) + 1) / 2) - 1; |
1959 | | // b) set x' := 2^w + ( x & (2^w - 1)) |
1960 | | // This is just like the avf for MQV where x' = 2^w + (x mod 2^w) |
1961 | | BN_mask_bits(bnX, w); // as wiht avf1, this is too big by a factor of 2 but |
1962 | | // it doesn't matter becasue we SET the extra bit anyway |
1963 | | BN_set_bit(bnX, w); |
1964 | | return TRUE; |
1965 | | } |
1966 | | // |
1967 | | // SM2KeyExchange() This function performs the key exchange defined in SM2. The first step is to compute |
1968 | | // tA = (dsA + deA avf(Xe,A)) mod n Then, compute the Z value from outZ = (h tA mod n) (QsA + |
1969 | | // [avf(QeB().x)](QeB())). The function will compute the ephemeral public key from the ephemeral private |
1970 | | // key. All points are required to be on the curve of inQsA. The function will fail catastrophically if this is not |
1971 | | // the case |
1972 | | // |
1973 | | // Return Value Meaning |
1974 | | // |
1975 | | // CRYPT_SUCCESS results is valid |
1976 | | // CRYPT_NO_RESULT the value for dsA does not give a valid point on the curve |
1977 | | // |
1978 | | static CRYPT_RESULT |
1979 | | SM2KeyExchange( |
1980 | | TPMS_ECC_POINT *outZ, // OUT: the computed point |
1981 | | TPM_ECC_CURVE curveId, // IN: the curve for the computations |
1982 | | TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key |
1983 | | TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key |
1984 | | TPMS_ECC_POINT *QsB, // IN: static public party B key |
1985 | | TPMS_ECC_POINT *QeB // IN: ephemeral public party B key |
1986 | | ) |
1987 | | { |
1988 | | BN_CTX *context; |
1989 | | EC_POINT *pQeA = NULL; |
1990 | | EC_POINT *pQeB = NULL; |
1991 | | EC_POINT *pQsB = NULL; |
1992 | | EC_GROUP *group = NULL; |
1993 | | BIGNUM *bnTa; |
1994 | | BIGNUM *bnDeA; |
1995 | | BIGNUM *bnDsA; |
1996 | | BIGNUM *bnXeA; // x coordinate of ephemeral party A key |
1997 | | BIGNUM *bnH; |
1998 | | BIGNUM *bnN; |
1999 | | BIGNUM *bnXeB; |
2000 | | // |
2001 | | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
2002 | | CRYPT_RESULT retVal = CRYPT_POINT; |
2003 | | pAssert( curveData != NULL && outZ != NULL && dsA != NULL |
2004 | | && deA != NULL && QsB != NULL && QeB != NULL); |
2005 | | context = BN_CTX_new(); |
2006 | | if(context == NULL || curveData == NULL) |
2007 | | FAIL(FATAL_ERROR_ALLOCATION); |
2008 | | BN_CTX_start(context); |
2009 | | bnTa = BN_CTX_get(context); |
2010 | | bnDeA = BN_CTX_get(context); |
2011 | | bnDsA = BN_CTX_get(context); |
2012 | | bnXeA = BN_CTX_get(context); |
2013 | | bnH = BN_CTX_get(context); |
2014 | | bnN = BN_CTX_get(context); |
2015 | | bnXeB = BN_CTX_get(context); |
2016 | | if(bnXeB == NULL) |
2017 | | FAIL(FATAL_ERROR_ALLOCATION); |
2018 | | // Initialize group parameters and local values of input |
2019 | | if((group = EccCurveInit(curveId, context)) == NULL) |
2020 | | FAIL(FATAL_ERROR_INTERNAL); |
2021 | | if((pQeA = EC_POINT_new(group)) == NULL) |
2022 | | FAIL(FATAL_ERROR_ALLOCATION); |
2023 | | BnFrom2B(bnDeA, &deA->b); |
2024 | | BnFrom2B(bnDsA, &dsA->b); |
2025 | | BnFrom2B(bnH, curveData->h); |
2026 | | BnFrom2B(bnN, curveData->n); |
2027 | | BnFrom2B(bnXeB, &QeB->x.b); |
2028 | | if(!(pQeB = EccInitPoint2B(group, QeB, context))) |
2029 | | goto Cleanup; |
2030 | | if(!(pQsB = EccInitPoint2B(group, QsB, context))) |
2031 | | goto Cleanup; |
2032 | | // Compute the public ephemeral key pQeA = [de,A]G |
2033 | | if( (retVal = PointMul(group, pQeA, bnDeA, NULL, NULL, context)) |
2034 | | != CRYPT_SUCCESS) |
2035 | | goto Cleanup; |
2036 | | if(EC_POINT_get_affine_coordinates_GFp(group, pQeA, bnXeA, NULL, context) != 1) |
2037 | | FAIL(FATAL_ERROR_INTERNAL); |
2038 | | // tA := (ds,A + de,A avf(Xe,A)) mod n (3) |
2039 | | // Compute 'tA' = ('dsA' + 'deA' avf('XeA')) mod n |
2040 | | // Ta = avf(XeA); |
2041 | | BN_copy(bnTa, bnXeA); |
2042 | | avfSm2(bnTa, bnN); |
2043 | | if(// do Ta = de,A * Ta mod n = deA * avf(XeA) mod n |
2044 | | !BN_mod_mul(bnTa, bnDeA, bnTa, bnN, context) |
2045 | | // now Ta = dsA + Ta mod n = dsA + deA * avf(XeA) mod n |
2046 | | || !BN_mod_add(bnTa, bnDsA, bnTa, bnN, context) |
2047 | | ) |
2048 | | FAIL(FATAL_ERROR_INTERNAL); |
2049 | | // outZ ? [h tA mod n] (Qs,B + [avf(Xe,B)](Qe,B)) (4) |
2050 | | // Put this in because almost every case of h is == 1 so skip the call when |
2051 | | // not necessary. |
2052 | | if(!BN_is_one(bnH)) |
2053 | | { |
2054 | | // Cofactor is not 1 so compute Ta := Ta * h mod n |
2055 | | if(!BN_mul(bnTa, bnTa, bnH, context)) |
2056 | | FAIL(FATAL_ERROR_INTERNAL); |
2057 | | } |
2058 | | // Now that 'tA' is (h * 'tA' mod n) |
2059 | | // 'outZ' = ['tA'](QsB + [avf(QeB.x)](QeB)). |
2060 | | // first, compute XeB = avf(XeB) |
2061 | | avfSm2(bnXeB, bnN); |
2062 | | // QeB := [XeB]QeB |
2063 | | if( !EC_POINT_mul(group, pQeB, NULL, pQeB, bnXeB, context) |
2064 | | // QeB := QsB + QeB |
2065 | | || !EC_POINT_add(group, pQeB, pQeB, pQsB, context) |
2066 | | ) |
2067 | | FAIL(FATAL_ERROR_INTERNAL); |
2068 | | // QeB := [tA]QeB = [tA](QsB + [Xe,B]QeB) and check for at infinity |
2069 | | if(PointMul(group, pQeB, NULL, pQeB, bnTa, context) == CRYPT_SUCCESS) |
2070 | | // Convert BIGNUM E to TPM2B E |
2071 | | Point2B(group, outZ, pQeB, (INT16)BN_num_bytes(bnN), context); |
2072 | | Cleanup: |
2073 | | if(pQeA != NULL) EC_POINT_free(pQeA); |
2074 | | if(pQeB != NULL) EC_POINT_free(pQeB); |
2075 | | if(pQsB != NULL) EC_POINT_free(pQsB); |
2076 | | if(group != NULL) EC_GROUP_free(group); |
2077 | | BN_CTX_end(context); |
2078 | | BN_CTX_free(context); |
2079 | | return retVal; |
2080 | | } |
2081 | | #endif //% TPM_ALG_SM2 |
2082 | | // |
2083 | | // |
2084 | | // C_2_2_ECDH() |
2085 | | // |
2086 | | // This function performs the two phase key exchange defined in SP800-56A, 6.1.1.2 Full Unified Model, |
2087 | | // C(2, 2, ECC CDH). |
2088 | | // |
2089 | | static CRYPT_RESULT |
2090 | | C_2_2_ECDH( |
2091 | | TPMS_ECC_POINT *outZ1, // OUT: Zs |
2092 | | TPMS_ECC_POINT *outZ2, // OUT: Ze |
2093 | | TPM_ECC_CURVE curveId, // IN: the curve for the computations |
2094 | | TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key |
2095 | | TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key |
2096 | | TPMS_ECC_POINT *QsB, // IN: static public party B key |
2097 | | TPMS_ECC_POINT *QeB // IN: ephemeral public party B key |
2098 | | ) |
2099 | | { |
2100 | | BIGNUM *order; |
2101 | | BN_CTX *context; |
2102 | | EC_POINT *pQ = NULL; |
2103 | | EC_GROUP *group = NULL; |
2104 | | BIGNUM *bnD; |
2105 | | INT16 size; |
2106 | | CRYPT_RESULT retVal = CRYPT_POINT; |
2107 | | const ECC_CURVE_DATA *curveData = GetCurveData(curveId); |
2108 | | context = BN_CTX_new(); |
2109 | | if(context == NULL || curveData == NULL) |
2110 | | FAIL(FATAL_ERROR_ALLOCATION); |
2111 | | BN_CTX_start(context); |
2112 | | order = BN_CTX_get(context); |
2113 | | if((bnD = BN_CTX_get(context)) == NULL) |
2114 | | FAIL(FATAL_ERROR_INTERNAL); |
2115 | | // Initialize group parameters and local values of input |
2116 | | if((group = EccCurveInit(curveId, context)) == NULL) |
2117 | | FAIL(FATAL_ERROR_INTERNAL); |
2118 | | if (!EC_GROUP_get_order(group, order, context)) |
2119 | | FAIL(FATAL_ERROR_INTERNAL); |
2120 | | size = (INT16)BN_num_bytes(order); |
2121 | | // Get the static private key of A |
2122 | | BnFrom2B(bnD, &dsA->b); |
2123 | | // Initialize the static public point from B |
2124 | | if (!(pQ = EccInitPoint2B(group, QsB, context))) |
2125 | | goto Cleanup; |
2126 | | // Do the point multiply for the Zs value |
2127 | | if(PointMul(group, pQ, NULL, pQ, bnD, context) != CRYPT_NO_RESULT) |
2128 | | // Convert the Zs value |
2129 | | Point2B(group, outZ1, pQ, size, context); |
2130 | | // Get the ephemeral private key of A |
2131 | | BnFrom2B(bnD, &deA->b); |
2132 | | // Initalize the ephemeral public point from B |
2133 | | if (!PointFrom2B(group, pQ, QeB, context)) |
2134 | | goto Cleanup; |
2135 | | // Do the point multiply for the Ze value |
2136 | | if(PointMul(group, pQ, NULL, pQ, bnD, context) != CRYPT_NO_RESULT) |
2137 | | // Convert the Ze value. |
2138 | | { |
2139 | | Point2B(group, outZ2, pQ, size, context); |
2140 | | retVal = CRYPT_SUCCESS; |
2141 | | } |
2142 | | Cleanup: |
2143 | | if(pQ != NULL) EC_POINT_free(pQ); |
2144 | | if(group != NULL) EC_GROUP_free(group); |
2145 | | BN_CTX_end(context); |
2146 | | BN_CTX_free(context); |
2147 | | return retVal; |
2148 | | } |
2149 | | // |
2150 | | // |
2151 | | // _cpri__C_2_2_KeyExchange() |
2152 | | // |
2153 | | // This function is the dispatch routine for the EC key exchange function that use two ephemeral and two |
2154 | | // static keys. |
2155 | | // |
2156 | | // Return Value Meaning |
2157 | | // |
2158 | | // CRYPT_SCHEME scheme is not defined |
2159 | | // |
2160 | | LIB_EXPORT CRYPT_RESULT |
2161 | | _cpri__C_2_2_KeyExchange( |
2162 | | TPMS_ECC_POINT *outZ1, // OUT: a computed point |
2163 | | TPMS_ECC_POINT *outZ2, // OUT: and optional second point |
2164 | | TPM_ECC_CURVE curveId, // IN: the curve for the computations |
2165 | | TPM_ALG_ID scheme, // IN: the key exchange scheme |
2166 | | TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key |
2167 | | TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key |
2168 | | TPMS_ECC_POINT *QsB, // IN: static public party B key |
2169 | | TPMS_ECC_POINT *QeB // IN: ephemeral public party B key |
2170 | | ) |
2171 | | { |
2172 | | pAssert( outZ1 != NULL |
2173 | | && dsA != NULL && deA != NULL |
2174 | | && QsB != NULL && QeB != NULL); |
2175 | | // Initalize the output points so that they are empty until one of the |
2176 | | // functions decides otherwise |
2177 | | outZ1->x.b.size = 0; |
2178 | | outZ1->y.b.size = 0; |
2179 | | if(outZ2 != NULL) |
2180 | | { |
2181 | | outZ2->x.b.size = 0; |
2182 | | outZ2->y.b.size = 0; |
2183 | | } |
2184 | | switch (scheme) |
2185 | | { |
2186 | | case TPM_ALG_ECDH: |
2187 | | return C_2_2_ECDH(outZ1, outZ2, curveId, dsA, deA, QsB, QeB); |
2188 | | break; |
2189 | | #ifdef TPM_ALG_ECMQV |
2190 | | case TPM_ALG_ECMQV: |
2191 | | return C_2_2_MQV(outZ1, curveId, dsA, deA, QsB, QeB); |
2192 | | break; |
2193 | | #endif |
2194 | | #ifdef TPM_ALG_SM2 |
2195 | | case TPM_ALG_SM2: |
2196 | | return SM2KeyExchange(outZ1, curveId, dsA, deA, QsB, QeB); |
2197 | | break; |
2198 | | #endif |
2199 | | default: |
2200 | | return CRYPT_SCHEME; |
2201 | | } |
2202 | | } |
2203 | | #else //% |
2204 | | // |
2205 | | // Stub used when the 2-phase key exchange is not defined so that the linker has something to associate |
2206 | | // with the value in the .def file. |
2207 | | // |
2208 | | LIB_EXPORT CRYPT_RESULT |
2209 | | _cpri__C_2_2_KeyExchange( |
2210 | | TPMS_ECC_POINT *outZ1, // OUT: a computed point |
2211 | | TPMS_ECC_POINT *outZ2, // OUT: and optional second point |
2212 | | TPM_ECC_CURVE curveId, // IN: the curve for the computations |
2213 | | TPM_ALG_ID scheme, // IN: the key exchange scheme |
2214 | | TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key |
2215 | | TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key |
2216 | | TPMS_ECC_POINT *QsB, // IN: static public party B key |
2217 | | TPMS_ECC_POINT *QeB // IN: ephemeral public party B key |
2218 | | ) |
2219 | 0 | { |
2220 | 0 | return CRYPT_FAIL; |
2221 | 0 | } |
2222 | | #endif //% CC_ZGen_2Phase |
2223 | | #endif // TPM_ALG_ECC |