/
crypto_ecc.cpp
178 lines (150 loc) · 3.87 KB
/
crypto_ecc.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
#include <stdint.h>
#include <string.h>
#include <openssl/hmac.h>
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <openssl/ecdsa.h>
#include "crypto.h"
static struct ec_group *ec_group_cache[256];
void ec_group_deinit(struct ec_group *ec)
{
BN_clear_free(ec->b);
BN_clear_free(ec->a);
BN_clear_free(ec->order);
BN_clear_free(ec->prime);
EC_GROUP_free(ec->group);
BN_CTX_free(ec->bnctx);
free(ec);
}
struct ec_group *ec_group_init(int group)
{
struct ec_group *ec;
int nid;
/* Map from IANA registry for IKE D-H groups to OpenSSL NID */
switch (group) {
case 19:
nid = NID_X9_62_prime256v1;
break;
case 20:
nid = NID_secp384r1;
break;
case 21:
nid = NID_secp521r1;
break;
case 25:
nid = NID_X9_62_prime192v1;
break;
case 26:
nid = NID_secp224r1;
break;
#ifdef NID_brainpoolP224r1
case 27:
nid = NID_brainpoolP224r1;
break;
#endif /* NID_brainpoolP224r1 */
#ifdef NID_brainpoolP256r1
case 28:
nid = NID_brainpoolP256r1;
break;
#endif /* NID_brainpoolP256r1 */
#ifdef NID_brainpoolP384r1
case 29:
nid = NID_brainpoolP384r1;
break;
#endif /* NID_brainpoolP384r1 */
#ifdef NID_brainpoolP512r1
case 30:
nid = NID_brainpoolP512r1;
break;
#endif /* NID_brainpoolP512r1 */
default:
return NULL;
}
ec = (struct ec_group *)malloc(sizeof(*ec));
if (ec == NULL)
return NULL;
ec->nid = nid;
ec->bnctx = BN_CTX_new();
ec->group = EC_GROUP_new_by_curve_name(nid);
ec->prime = BN_new();
ec->order = BN_new();
ec->a = BN_new();
ec->b = BN_new();
if (ec->group == NULL || ec->bnctx == NULL || ec->prime == NULL ||
ec->order == NULL || ec->a == NULL || ec->b == NULL ||
!EC_GROUP_get_curve_GFp(ec->group, ec->prime, ec->a, ec->b, ec->bnctx) ||
!EC_GROUP_get_order(ec->group, ec->order, ec->bnctx)) {
fprintf(stderr, "Error in %s\n", __FUNCTION__);
ec_group_deinit(ec);
ec = NULL;
}
// TODO: Are all the parameters now initialized?
ec->prime_len = BN_num_bytes(ec->prime);
return ec;
}
struct ec_group * get_ec_group(int group)
{
if (group > 30) {
fprintf(stderr, "ERROR: %s: unsupported group %d\n", __FUNCTION__, group);
return NULL;
}
if (ec_group_cache[group] != NULL)
return ec_group_cache[group];
ec_group_cache[group] = ec_group_init(group);
return ec_group_cache[group];
}
int crypto_bignum_legendre(const BIGNUM *a, const BIGNUM *p)
{
static BN_CTX *bnctx = NULL;
static BIGNUM *exp = NULL, *tmp = NULL;
int res = -2;
/* Allocate these things only once to improve efficiency */
if (bnctx == NULL) {
bnctx = BN_CTX_new();
exp = BN_new();
tmp = BN_new();
if (bnctx == NULL || exp == NULL || tmp == NULL) {
fprintf(stderr, "%s: BN_CTX_new or BN_new failed\n", __FUNCTION__);
exit(1);
}
}
/* exp = (p-1) / 2 */
if (!BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
!BN_rshift1(exp, exp) ||
!BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p,
bnctx))
return res;
if (BN_is_word(tmp, 1))
return 1;
else if (BN_is_zero(tmp))
return 0;
else
return -1;
}
int crypto_ec_point_compute_y_sqr(const struct ec_group *ec, const BIGNUM *x, BIGNUM *y_sqr)
{
static BIGNUM *tmp = NULL, *tmp2 = NULL;
/* Allocate these things only once to improve efficiency */
if (tmp == NULL) {
tmp = BN_new();
tmp2 = BN_new();
if (tmp == NULL || tmp2 == NULL) {
fprintf(stderr, "%s: BN_new failed\n", __FUNCTION__);
exit(1);
}
}
/* y^2 = x^3 + ax + b */
if (BN_mod_sqr(tmp, (const BIGNUM *) x, ec->prime, ec->bnctx) &&
BN_mod_mul(tmp, tmp, (const BIGNUM *) x, ec->prime, ec->bnctx) &&
BN_mod_mul(y_sqr, ec->a, (const BIGNUM *) x, ec->prime, ec->bnctx) &&
BN_mod_add_quick(y_sqr, y_sqr, tmp, ec->prime) &&
BN_mod_add_quick(y_sqr, y_sqr, ec->b, ec->prime))
return 1;
return -1;
}
int is_quadratic_residue(const struct ec_group *ec, const uint8_t *prime, const BIGNUM *y_sqr)
{
int res = -1;
res = crypto_bignum_legendre(y_sqr, ec->prime);
return res == 1;
}