| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 1 | /* ec_dh.c - TinyCrypt implementation of EC-DH */ | 
|  | 2 |  | 
| Jarno Lamsa | 187fbb1 | 2019-04-25 09:03:19 +0300 | [diff] [blame] | 3 | /* | 
| Simon Butcher | 92c3d1f | 2019-09-09 17:25:08 +0100 | [diff] [blame] | 4 | *  Copyright (c) 2019, Arm Limited (or its affiliates), All Rights Reserved. | 
|  | 5 | *  SPDX-License-Identifier: BSD-3-Clause | 
|  | 6 | */ | 
|  | 7 |  | 
|  | 8 | /* | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 9 | * Copyright (c) 2014, Kenneth MacKay | 
|  | 10 | * All rights reserved. | 
|  | 11 | * | 
|  | 12 | * Redistribution and use in source and binary forms, with or without | 
|  | 13 | * modification, are permitted provided that the following conditions are met: | 
|  | 14 | *  * Redistributions of source code must retain the above copyright notice, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 15 | *	this list of conditions and the following disclaimer. | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 16 | *  * Redistributions in binary form must reproduce the above copyright notice, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 17 | *	this list of conditions and the following disclaimer in the documentation | 
|  | 18 | *	and/or other materials provided with the distribution. | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 19 | * | 
|  | 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | 
|  | 21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | 
|  | 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | 
|  | 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE | 
|  | 24 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | 
|  | 25 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | 
|  | 26 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | 
|  | 27 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | 
|  | 28 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | 
|  | 29 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | 
|  | 30 | * POSSIBILITY OF SUCH DAMAGE. | 
|  | 31 | */ | 
|  | 32 |  | 
|  | 33 | /* | 
|  | 34 | *  Copyright (C) 2017 by Intel Corporation, All Rights Reserved. | 
|  | 35 | * | 
|  | 36 | *  Redistribution and use in source and binary forms, with or without | 
|  | 37 | *  modification, are permitted provided that the following conditions are met: | 
|  | 38 | * | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 39 | *	- Redistributions of source code must retain the above copyright notice, | 
|  | 40 | *	 this list of conditions and the following disclaimer. | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 41 | * | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 42 | *	- Redistributions in binary form must reproduce the above copyright | 
|  | 43 | *	notice, this list of conditions and the following disclaimer in the | 
|  | 44 | *	documentation and/or other materials provided with the distribution. | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 45 | * | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 46 | *	- Neither the name of Intel Corporation nor the names of its contributors | 
|  | 47 | *	may be used to endorse or promote products derived from this software | 
|  | 48 | *	without specific prior written permission. | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 49 | * | 
|  | 50 | *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | 
|  | 51 | *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | 
|  | 52 | *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | 
|  | 53 | *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE | 
|  | 54 | *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | 
|  | 55 | *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | 
|  | 56 | *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | 
|  | 57 | *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | 
|  | 58 | *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | 
|  | 59 | *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | 
|  | 60 | *  POSSIBILITY OF SUCH DAMAGE. | 
|  | 61 | */ | 
| Hanno Becker | 36ae758 | 2019-07-23 15:52:35 +0100 | [diff] [blame] | 62 |  | 
|  | 63 | #if !defined(MBEDTLS_CONFIG_FILE) | 
|  | 64 | #include "mbedtls/config.h" | 
|  | 65 | #else | 
|  | 66 | #include MBEDTLS_CONFIG_FILE | 
|  | 67 | #endif | 
|  | 68 |  | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 69 | #include <tinycrypt/ecc.h> | 
|  | 70 | #include <tinycrypt/ecc_dh.h> | 
|  | 71 | #include <string.h> | 
| Jarno Lamsa | 187fbb1 | 2019-04-25 09:03:19 +0300 | [diff] [blame] | 72 | #include "mbedtls/platform_util.h" | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 73 |  | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 74 | int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key, | 
| Manuel Pégourié-Gonnard | 1a53371 | 2019-11-21 12:00:43 +0100 | [diff] [blame] | 75 | unsigned int *d) | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 76 | { | 
| Andrzej Kurek | fd56f40 | 2020-05-25 11:52:05 -0400 | [diff] [blame] | 77 | int ret = UECC_FAULT_DETECTED; | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 78 | uECC_word_t _private[NUM_ECC_WORDS]; | 
|  | 79 | uECC_word_t _public[NUM_ECC_WORDS * 2]; | 
|  | 80 |  | 
|  | 81 | /* This function is designed for test purposes-only (such as validating NIST | 
|  | 82 | * test vectors) as it uses a provided value for d instead of generating | 
|  | 83 | * it uniformly at random. */ | 
| Piotr Nowicki | 305a5ec | 2020-08-10 17:42:18 +0200 | [diff] [blame] | 84 | if( mbedtls_platform_memcpy (_private, d, NUM_ECC_BYTES) != _private ) | 
|  | 85 | { | 
|  | 86 | goto exit; | 
|  | 87 | } | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 88 |  | 
|  | 89 | /* Computing public-key from private: */ | 
| Manuel Pégourié-Gonnard | 9d6a535 | 2019-11-25 13:06:05 +0100 | [diff] [blame] | 90 | ret = EccPoint_compute_public_key(_public, _private); | 
|  | 91 | if (ret != UECC_SUCCESS) { | 
|  | 92 | goto exit; | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 93 | } | 
| Manuel Pégourié-Gonnard | 9d6a535 | 2019-11-25 13:06:05 +0100 | [diff] [blame] | 94 |  | 
|  | 95 | /* Converting buffers to correct bit order: */ | 
|  | 96 | uECC_vli_nativeToBytes(private_key, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 97 | BITS_TO_BYTES(NUM_ECC_BITS), | 
|  | 98 | _private); | 
| Manuel Pégourié-Gonnard | 9d6a535 | 2019-11-25 13:06:05 +0100 | [diff] [blame] | 99 | uECC_vli_nativeToBytes(public_key, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 100 | NUM_ECC_BYTES, | 
|  | 101 | _public); | 
| Manuel Pégourié-Gonnard | 9d6a535 | 2019-11-25 13:06:05 +0100 | [diff] [blame] | 102 | uECC_vli_nativeToBytes(public_key + NUM_ECC_BYTES, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 103 | NUM_ECC_BYTES, | 
|  | 104 | _public + NUM_ECC_WORDS); | 
| Manuel Pégourié-Gonnard | 9d6a535 | 2019-11-25 13:06:05 +0100 | [diff] [blame] | 105 |  | 
|  | 106 | exit: | 
|  | 107 | /* erasing temporary buffer used to store secret: */ | 
|  | 108 | mbedtls_platform_memset(_private, 0, NUM_ECC_BYTES); | 
|  | 109 |  | 
|  | 110 | return ret; | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 111 | } | 
|  | 112 |  | 
| Manuel Pégourié-Gonnard | 1a53371 | 2019-11-21 12:00:43 +0100 | [diff] [blame] | 113 | int uECC_make_key(uint8_t *public_key, uint8_t *private_key) | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 114 | { | 
| Andrzej Kurek | fd56f40 | 2020-05-25 11:52:05 -0400 | [diff] [blame] | 115 | int ret = UECC_FAULT_DETECTED; | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 116 | uECC_word_t _random[NUM_ECC_WORDS * 2]; | 
|  | 117 | uECC_word_t _private[NUM_ECC_WORDS]; | 
|  | 118 | uECC_word_t _public[NUM_ECC_WORDS * 2]; | 
|  | 119 | uECC_word_t tries; | 
| Andrzej Kurek | 74f7d0f | 2020-07-06 14:28:12 -0400 | [diff] [blame] | 120 | volatile uint8_t *public_key_dup = public_key; | 
|  | 121 | volatile uint8_t *private_key_dup = private_key; | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 122 |  | 
|  | 123 | for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { | 
|  | 124 | /* Generating _private uniformly at random: */ | 
|  | 125 | uECC_RNG_Function rng_function = uECC_get_rng(); | 
|  | 126 | if (!rng_function || | 
| Andrzej Kurek | 090365f | 2020-06-08 11:00:51 -0400 | [diff] [blame] | 127 | rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS*uECC_WORD_SIZE) != 2 * NUM_ECC_WORDS*uECC_WORD_SIZE) { | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 128 | return UECC_FAILURE; | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 129 | } | 
|  | 130 |  | 
|  | 131 | /* computing modular reduction of _random (see FIPS 186.4 B.4.1): */ | 
| Manuel Pégourié-Gonnard | 356d859 | 2019-11-21 10:23:05 +0100 | [diff] [blame] | 132 | uECC_vli_mmod(_private, _random, curve_n); | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 133 |  | 
|  | 134 | /* Computing public-key from private: */ | 
| Manuel Pégourié-Gonnard | 9d6a535 | 2019-11-25 13:06:05 +0100 | [diff] [blame] | 135 | ret = EccPoint_compute_public_key(_public, _private); | 
|  | 136 | /* don't try again if a fault was detected */ | 
|  | 137 | if (ret == UECC_FAULT_DETECTED) { | 
|  | 138 | return ret; | 
|  | 139 | } | 
|  | 140 | if (ret == UECC_SUCCESS) { | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 141 |  | 
|  | 142 | /* Converting buffers to correct bit order: */ | 
|  | 143 | uECC_vli_nativeToBytes(private_key, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 144 | BITS_TO_BYTES(NUM_ECC_BITS), | 
|  | 145 | _private); | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 146 | uECC_vli_nativeToBytes(public_key, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 147 | NUM_ECC_BYTES, | 
|  | 148 | _public); | 
| Manuel Pégourié-Gonnard | 72c1764 | 2019-11-21 09:34:09 +0100 | [diff] [blame] | 149 | uECC_vli_nativeToBytes(public_key + NUM_ECC_BYTES, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 150 | NUM_ECC_BYTES, | 
|  | 151 | _public + NUM_ECC_WORDS); | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 152 |  | 
|  | 153 | /* erasing temporary buffer that stored secret: */ | 
| Manuel Pégourié-Gonnard | 7a346b8 | 2019-10-02 14:47:01 +0200 | [diff] [blame] | 154 | mbedtls_platform_memset(_private, 0, NUM_ECC_BYTES); | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 155 |  | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 156 | if (private_key == private_key_dup && public_key == public_key_dup) { | 
|  | 157 | return UECC_SUCCESS; | 
| Andrzej Kurek | 74f7d0f | 2020-07-06 14:28:12 -0400 | [diff] [blame] | 158 | } | 
| Andrzej Kurek | ca60937 | 2020-07-08 03:19:02 -0400 | [diff] [blame] | 159 | /* Erase key in case of FI */ | 
|  | 160 | mbedtls_platform_memset(public_key, 0, 2*NUM_ECC_BYTES); | 
| Andrzej Kurek | 74f7d0f | 2020-07-06 14:28:12 -0400 | [diff] [blame] | 161 | return UECC_FAULT_DETECTED; | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 162 | } | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 163 | } | 
| Manuel Pégourié-Gonnard | 9d6a535 | 2019-11-25 13:06:05 +0100 | [diff] [blame] | 164 | return UECC_FAILURE; | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 165 | } | 
|  | 166 |  | 
|  | 167 | int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 168 | uint8_t *secret) | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 169 | { | 
|  | 170 |  | 
|  | 171 | uECC_word_t _public[NUM_ECC_WORDS * 2]; | 
|  | 172 | uECC_word_t _private[NUM_ECC_WORDS]; | 
| Manuel Pégourié-Gonnard | 1765933 | 2019-11-21 09:27:38 +0100 | [diff] [blame] | 173 | wordcount_t num_words = NUM_ECC_WORDS; | 
| Manuel Pégourié-Gonnard | 72c1764 | 2019-11-21 09:34:09 +0100 | [diff] [blame] | 174 | wordcount_t num_bytes = NUM_ECC_BYTES; | 
| Andrzej Kurek | fd56f40 | 2020-05-25 11:52:05 -0400 | [diff] [blame] | 175 | int r = UECC_FAULT_DETECTED; | 
| Andrzej Kurek | 74f7d0f | 2020-07-06 14:28:12 -0400 | [diff] [blame] | 176 |  | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 177 | /* Converting buffers to correct bit order: */ | 
|  | 178 | uECC_vli_bytesToNative(_private, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 179 | private_key, | 
|  | 180 | BITS_TO_BYTES(NUM_ECC_BITS)); | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 181 | uECC_vli_bytesToNative(_public, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 182 | public_key, | 
|  | 183 | num_bytes); | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 184 | uECC_vli_bytesToNative(_public + num_words, | 
| Andrzej Kurek | 0919b14 | 2020-07-06 15:28:59 -0400 | [diff] [blame] | 185 | public_key + num_bytes, | 
|  | 186 | num_bytes); | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 187 |  | 
| Manuel Pégourié-Gonnard | 1a53371 | 2019-11-21 12:00:43 +0100 | [diff] [blame] | 188 | r = EccPoint_mult_safer(_public, _public, _private); | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 189 | uECC_vli_nativeToBytes(secret, num_bytes, _public); | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 190 |  | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 191 | /* erasing temporary buffer used to store secret: */ | 
| Piotr Nowicki | a6348ed | 2020-06-29 15:03:56 +0200 | [diff] [blame] | 192 | if (_private == mbedtls_platform_zeroize(_private, sizeof(_private))) { | 
|  | 193 | return r; | 
|  | 194 | } | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 195 |  | 
| Piotr Nowicki | a6348ed | 2020-06-29 15:03:56 +0200 | [diff] [blame] | 196 | return UECC_FAULT_DETECTED; | 
| Jarno Lamsa | 18987a4 | 2019-04-24 15:40:43 +0300 | [diff] [blame] | 197 | } |