diff --git a/wolfcrypt/src/sp_arm32.c b/wolfcrypt/src/sp_arm32.c index 18e31014b..ba22e3828 100644 --- a/wolfcrypt/src/sp_arm32.c +++ b/wolfcrypt/src/sp_arm32.c @@ -36385,13 +36385,10 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 32U; } - sp_256_from_bin(ctx->e, 8, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_256_from_mp(ctx->x, 8, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_256_ecc_gen_k_8(rng, ctx->k); @@ -36419,6 +36416,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_256_cmp_8(ctx->r, p256_order); sp_256_cond_sub_8(ctx->r, ctx->r, p256_order, 0L - (sp_digit)(c >= 0)); sp_256_norm_8(ctx->r); + + sp_256_from_mp(ctx->x, 8, priv); + sp_256_from_bin(ctx->e, 8, hash, (int)hashLen); ctx->state = 4; break; } @@ -36475,6 +36475,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -37041,7 +37044,7 @@ typedef struct sp_ecc_verify_256_ctx { int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_256_ctx* ctx = (sp_ecc_verify_256_ctx*)sp_ctx->data; @@ -37056,7 +37059,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_256_from_bin(ctx->u1, 8, hash, (int)hashLen); - sp_256_from_mp(ctx->u2, 8, r); + sp_256_from_mp(ctx->u2, 8, rm); sp_256_from_mp(ctx->s, 8, sm); sp_256_from_mp(ctx->p2.x, 8, pX); sp_256_from_mp(ctx->p2.y, 8, pY); @@ -37114,57 +37117,33 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_256_iszero_8(ctx->p1.z)) { - if (sp_256_iszero_8(ctx->p1.x) && sp_256_iszero_8(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<8; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p256_norm_mod, sizeof(p256_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_256_proj_point_dbl_8_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(ctx->u2, 8, r); + sp_256_from_mp(ctx->u2, 8, rm); err = sp_256_mod_mul_norm_8(ctx->u2, ctx->u2, p256_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_256_mont_sqr_8(ctx->p1.z, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_256_mont_mul_8(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int32_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_256_cmp_8(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int32_t c; /* Reload r and add order. */ - sp_256_from_mp(ctx->u2, 8, r); + sp_256_from_mp(ctx->u2, 8, rm); carry = sp_256_add_8(ctx->u2, ctx->u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -37172,22 +37151,23 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_8(ctx->u2, p256_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_256_mod_mul_norm_8(ctx->u2, ctx->u2, p256_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_256_mont_mul_8(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, - p256_mp_mod); - *res = (int)(sp_256_cmp_8(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_256_mod_mul_norm_8(ctx->u2, ctx->u2, p256_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_256_mont_mul_8(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, + p256_mp_mod); + *res = (int)(sp_256_cmp_8(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -37196,7 +37176,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -37240,7 +37220,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, } sp_256_from_bin(u1, 8, hash, (int)hashLen); - sp_256_from_mp(u2, 8, r); + sp_256_from_mp(u2, 8, rm); sp_256_from_mp(s, 8, sm); sp_256_from_mp(p2->x, 8, pX); sp_256_from_mp(p2->y, 8, pY); @@ -37251,7 +37231,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(u2, 8, r); + sp_256_from_mp(u2, 8, rm); err = sp_256_mod_mul_norm_8(u2, u2, p256_mod); } @@ -37262,7 +37242,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_256_cmp_8(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_256_from_mp(u2, 8, r); + sp_256_from_mp(u2, 8, rm); carry = sp_256_add_8(u2, u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -37271,8 +37251,8 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_8(u2, p256_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_256_mod_mul_norm_8(u2, u2, p256_mod); if (err == MP_OKAY) { @@ -45623,13 +45603,10 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 48U; } - sp_384_from_bin(ctx->e, 12, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_384_from_mp(ctx->x, 12, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_384_ecc_gen_k_12(rng, ctx->k); @@ -45657,6 +45634,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_384_cmp_12(ctx->r, p384_order); sp_384_cond_sub_12(ctx->r, ctx->r, p384_order, 0L - (sp_digit)(c >= 0)); sp_384_norm_12(ctx->r); + + sp_384_from_mp(ctx->x, 12, priv); + sp_384_from_bin(ctx->e, 12, hash, (int)hashLen); ctx->state = 4; break; } @@ -45713,6 +45693,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -46326,7 +46309,7 @@ typedef struct sp_ecc_verify_384_ctx { int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_384_ctx* ctx = (sp_ecc_verify_384_ctx*)sp_ctx->data; @@ -46341,7 +46324,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_384_from_bin(ctx->u1, 12, hash, (int)hashLen); - sp_384_from_mp(ctx->u2, 12, r); + sp_384_from_mp(ctx->u2, 12, rm); sp_384_from_mp(ctx->s, 12, sm); sp_384_from_mp(ctx->p2.x, 12, pX); sp_384_from_mp(ctx->p2.y, 12, pY); @@ -46399,57 +46382,33 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_384_iszero_12(ctx->p1.z)) { - if (sp_384_iszero_12(ctx->p1.x) && sp_384_iszero_12(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<12; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p384_norm_mod, sizeof(p384_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_384_proj_point_dbl_12_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(ctx->u2, 12, r); + sp_384_from_mp(ctx->u2, 12, rm); err = sp_384_mod_mul_norm_12(ctx->u2, ctx->u2, p384_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_384_mont_sqr_12(ctx->p1.z, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_384_mont_mul_12(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int32_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_384_cmp_12(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int32_t c; /* Reload r and add order. */ - sp_384_from_mp(ctx->u2, 12, r); + sp_384_from_mp(ctx->u2, 12, rm); carry = sp_384_add_12(ctx->u2, ctx->u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -46457,22 +46416,23 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_12(ctx->u2, p384_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_384_mod_mul_norm_12(ctx->u2, ctx->u2, p384_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_384_mont_mul_12(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, - p384_mp_mod); - *res = (int)(sp_384_cmp_12(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_384_mod_mul_norm_12(ctx->u2, ctx->u2, p384_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_384_mont_mul_12(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, + p384_mp_mod); + *res = (int)(sp_384_cmp_12(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -46481,7 +46441,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -46525,7 +46485,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, } sp_384_from_bin(u1, 12, hash, (int)hashLen); - sp_384_from_mp(u2, 12, r); + sp_384_from_mp(u2, 12, rm); sp_384_from_mp(s, 12, sm); sp_384_from_mp(p2->x, 12, pX); sp_384_from_mp(p2->y, 12, pY); @@ -46536,7 +46496,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(u2, 12, r); + sp_384_from_mp(u2, 12, rm); err = sp_384_mod_mul_norm_12(u2, u2, p384_mod); } @@ -46547,7 +46507,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_384_cmp_12(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_384_from_mp(u2, 12, r); + sp_384_from_mp(u2, 12, rm); carry = sp_384_add_12(u2, u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -46556,8 +46516,8 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_12(u2, p384_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_384_mod_mul_norm_12(u2, u2, p384_mod); if (err == MP_OKAY) { diff --git a/wolfcrypt/src/sp_arm64.c b/wolfcrypt/src/sp_arm64.c index 6c0522317..c5b80e9f2 100644 --- a/wolfcrypt/src/sp_arm64.c +++ b/wolfcrypt/src/sp_arm64.c @@ -37947,13 +37947,10 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 32U; } - sp_256_from_bin(ctx->e, 4, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_256_from_mp(ctx->x, 4, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_256_ecc_gen_k_4(rng, ctx->k); @@ -37981,6 +37978,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_256_cmp_4(ctx->r, p256_order); sp_256_cond_sub_4(ctx->r, ctx->r, p256_order, 0L - (sp_digit)(c >= 0)); sp_256_norm_4(ctx->r); + + sp_256_from_mp(ctx->x, 4, priv); + sp_256_from_bin(ctx->e, 4, hash, (int)hashLen); ctx->state = 4; break; } @@ -38037,6 +38037,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -38599,7 +38602,7 @@ typedef struct sp_ecc_verify_256_ctx { int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_256_ctx* ctx = (sp_ecc_verify_256_ctx*)sp_ctx->data; @@ -38614,7 +38617,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_256_from_bin(ctx->u1, 4, hash, (int)hashLen); - sp_256_from_mp(ctx->u2, 4, r); + sp_256_from_mp(ctx->u2, 4, rm); sp_256_from_mp(ctx->s, 4, sm); sp_256_from_mp(ctx->p2.x, 4, pX); sp_256_from_mp(ctx->p2.y, 4, pY); @@ -38672,57 +38675,33 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_256_iszero_4(ctx->p1.z)) { - if (sp_256_iszero_4(ctx->p1.x) && sp_256_iszero_4(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<4; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p256_norm_mod, sizeof(p256_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_256_proj_point_dbl_4_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(ctx->u2, 4, r); + sp_256_from_mp(ctx->u2, 4, rm); err = sp_256_mod_mul_norm_4(ctx->u2, ctx->u2, p256_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_256_mont_sqr_4(ctx->p1.z, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_256_mont_mul_4(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int64_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_256_cmp_4(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int64_t c; /* Reload r and add order. */ - sp_256_from_mp(ctx->u2, 4, r); + sp_256_from_mp(ctx->u2, 4, rm); carry = sp_256_add_4(ctx->u2, ctx->u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -38730,22 +38709,23 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_4(ctx->u2, p256_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_256_mod_mul_norm_4(ctx->u2, ctx->u2, p256_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_256_mont_mul_4(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, - p256_mp_mod); - *res = (int)(sp_256_cmp_4(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_256_mod_mul_norm_4(ctx->u2, ctx->u2, p256_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_256_mont_mul_4(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, + p256_mp_mod); + *res = (int)(sp_256_cmp_4(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -38754,7 +38734,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -38798,7 +38778,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, } sp_256_from_bin(u1, 4, hash, (int)hashLen); - sp_256_from_mp(u2, 4, r); + sp_256_from_mp(u2, 4, rm); sp_256_from_mp(s, 4, sm); sp_256_from_mp(p2->x, 4, pX); sp_256_from_mp(p2->y, 4, pY); @@ -38809,7 +38789,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(u2, 4, r); + sp_256_from_mp(u2, 4, rm); err = sp_256_mod_mul_norm_4(u2, u2, p256_mod); } @@ -38820,7 +38800,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_256_cmp_4(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_256_from_mp(u2, 4, r); + sp_256_from_mp(u2, 4, rm); carry = sp_256_add_4(u2, u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -38829,8 +38809,8 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_4(u2, p256_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_256_mod_mul_norm_4(u2, u2, p256_mod); if (err == MP_OKAY) { @@ -63710,13 +63690,10 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 48U; } - sp_384_from_bin(ctx->e, 6, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_384_from_mp(ctx->x, 6, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_384_ecc_gen_k_6(rng, ctx->k); @@ -63744,6 +63721,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_384_cmp_6(ctx->r, p384_order); sp_384_cond_sub_6(ctx->r, ctx->r, p384_order, 0L - (sp_digit)(c >= 0)); sp_384_norm_6(ctx->r); + + sp_384_from_mp(ctx->x, 6, priv); + sp_384_from_bin(ctx->e, 6, hash, (int)hashLen); ctx->state = 4; break; } @@ -63800,6 +63780,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -64247,7 +64230,7 @@ typedef struct sp_ecc_verify_384_ctx { int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_384_ctx* ctx = (sp_ecc_verify_384_ctx*)sp_ctx->data; @@ -64262,7 +64245,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_384_from_bin(ctx->u1, 6, hash, (int)hashLen); - sp_384_from_mp(ctx->u2, 6, r); + sp_384_from_mp(ctx->u2, 6, rm); sp_384_from_mp(ctx->s, 6, sm); sp_384_from_mp(ctx->p2.x, 6, pX); sp_384_from_mp(ctx->p2.y, 6, pY); @@ -64320,57 +64303,33 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_384_iszero_6(ctx->p1.z)) { - if (sp_384_iszero_6(ctx->p1.x) && sp_384_iszero_6(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<6; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p384_norm_mod, sizeof(p384_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_384_proj_point_dbl_6_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(ctx->u2, 6, r); + sp_384_from_mp(ctx->u2, 6, rm); err = sp_384_mod_mul_norm_6(ctx->u2, ctx->u2, p384_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_384_mont_sqr_6(ctx->p1.z, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_384_mont_mul_6(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int64_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_384_cmp_6(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int64_t c; /* Reload r and add order. */ - sp_384_from_mp(ctx->u2, 6, r); + sp_384_from_mp(ctx->u2, 6, rm); carry = sp_384_add_6(ctx->u2, ctx->u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -64378,22 +64337,23 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_6(ctx->u2, p384_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_384_mod_mul_norm_6(ctx->u2, ctx->u2, p384_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_384_mont_mul_6(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, - p384_mp_mod); - *res = (int)(sp_384_cmp_6(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_384_mod_mul_norm_6(ctx->u2, ctx->u2, p384_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_384_mont_mul_6(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, + p384_mp_mod); + *res = (int)(sp_384_cmp_6(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -64402,7 +64362,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -64446,7 +64406,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, } sp_384_from_bin(u1, 6, hash, (int)hashLen); - sp_384_from_mp(u2, 6, r); + sp_384_from_mp(u2, 6, rm); sp_384_from_mp(s, 6, sm); sp_384_from_mp(p2->x, 6, pX); sp_384_from_mp(p2->y, 6, pY); @@ -64457,7 +64417,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(u2, 6, r); + sp_384_from_mp(u2, 6, rm); err = sp_384_mod_mul_norm_6(u2, u2, p384_mod); } @@ -64468,7 +64428,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_384_cmp_6(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_384_from_mp(u2, 6, r); + sp_384_from_mp(u2, 6, rm); carry = sp_384_add_6(u2, u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -64477,8 +64437,8 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_6(u2, p384_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_384_mod_mul_norm_6(u2, u2, p384_mod); if (err == MP_OKAY) { diff --git a/wolfcrypt/src/sp_armthumb.c b/wolfcrypt/src/sp_armthumb.c index 22ec6841c..e35809c90 100644 --- a/wolfcrypt/src/sp_armthumb.c +++ b/wolfcrypt/src/sp_armthumb.c @@ -21725,13 +21725,10 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 32U; } - sp_256_from_bin(ctx->e, 8, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_256_from_mp(ctx->x, 8, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_256_ecc_gen_k_8(rng, ctx->k); @@ -21759,6 +21756,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_256_cmp_8(ctx->r, p256_order); sp_256_cond_sub_8(ctx->r, ctx->r, p256_order, 0L - (sp_digit)(c >= 0)); sp_256_norm_8(ctx->r); + + sp_256_from_mp(ctx->x, 8, priv); + sp_256_from_bin(ctx->e, 8, hash, (int)hashLen); ctx->state = 4; break; } @@ -21815,6 +21815,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -22670,7 +22673,7 @@ typedef struct sp_ecc_verify_256_ctx { int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_256_ctx* ctx = (sp_ecc_verify_256_ctx*)sp_ctx->data; @@ -22685,7 +22688,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_256_from_bin(ctx->u1, 8, hash, (int)hashLen); - sp_256_from_mp(ctx->u2, 8, r); + sp_256_from_mp(ctx->u2, 8, rm); sp_256_from_mp(ctx->s, 8, sm); sp_256_from_mp(ctx->p2.x, 8, pX); sp_256_from_mp(ctx->p2.y, 8, pY); @@ -22743,57 +22746,33 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_256_iszero_8(ctx->p1.z)) { - if (sp_256_iszero_8(ctx->p1.x) && sp_256_iszero_8(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<8; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p256_norm_mod, sizeof(p256_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_256_proj_point_dbl_8_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(ctx->u2, 8, r); + sp_256_from_mp(ctx->u2, 8, rm); err = sp_256_mod_mul_norm_8(ctx->u2, ctx->u2, p256_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_256_mont_sqr_8(ctx->p1.z, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_256_mont_mul_8(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int32_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_256_cmp_8(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int32_t c; /* Reload r and add order. */ - sp_256_from_mp(ctx->u2, 8, r); + sp_256_from_mp(ctx->u2, 8, rm); carry = sp_256_add_8(ctx->u2, ctx->u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -22801,22 +22780,23 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_8(ctx->u2, p256_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_256_mod_mul_norm_8(ctx->u2, ctx->u2, p256_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_256_mont_mul_8(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, - p256_mp_mod); - *res = (int)(sp_256_cmp_8(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_256_mod_mul_norm_8(ctx->u2, ctx->u2, p256_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_256_mont_mul_8(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, + p256_mp_mod); + *res = (int)(sp_256_cmp_8(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -22825,7 +22805,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -22869,7 +22849,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, } sp_256_from_bin(u1, 8, hash, (int)hashLen); - sp_256_from_mp(u2, 8, r); + sp_256_from_mp(u2, 8, rm); sp_256_from_mp(s, 8, sm); sp_256_from_mp(p2->x, 8, pX); sp_256_from_mp(p2->y, 8, pY); @@ -22880,7 +22860,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(u2, 8, r); + sp_256_from_mp(u2, 8, rm); err = sp_256_mod_mul_norm_8(u2, u2, p256_mod); } @@ -22891,7 +22871,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_256_cmp_8(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_256_from_mp(u2, 8, r); + sp_256_from_mp(u2, 8, rm); carry = sp_256_add_8(u2, u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -22900,8 +22880,8 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_8(u2, p256_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_256_mod_mul_norm_8(u2, u2, p256_mod); if (err == MP_OKAY) { @@ -29420,13 +29400,10 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 48U; } - sp_384_from_bin(ctx->e, 12, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_384_from_mp(ctx->x, 12, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_384_ecc_gen_k_12(rng, ctx->k); @@ -29454,6 +29431,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_384_cmp_12(ctx->r, p384_order); sp_384_cond_sub_12(ctx->r, ctx->r, p384_order, 0L - (sp_digit)(c >= 0)); sp_384_norm_12(ctx->r); + + sp_384_from_mp(ctx->x, 12, priv); + sp_384_from_bin(ctx->e, 12, hash, (int)hashLen); ctx->state = 4; break; } @@ -29510,6 +29490,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -30576,7 +30559,7 @@ typedef struct sp_ecc_verify_384_ctx { int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_384_ctx* ctx = (sp_ecc_verify_384_ctx*)sp_ctx->data; @@ -30591,7 +30574,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_384_from_bin(ctx->u1, 12, hash, (int)hashLen); - sp_384_from_mp(ctx->u2, 12, r); + sp_384_from_mp(ctx->u2, 12, rm); sp_384_from_mp(ctx->s, 12, sm); sp_384_from_mp(ctx->p2.x, 12, pX); sp_384_from_mp(ctx->p2.y, 12, pY); @@ -30649,57 +30632,33 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_384_iszero_12(ctx->p1.z)) { - if (sp_384_iszero_12(ctx->p1.x) && sp_384_iszero_12(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<12; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p384_norm_mod, sizeof(p384_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_384_proj_point_dbl_12_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(ctx->u2, 12, r); + sp_384_from_mp(ctx->u2, 12, rm); err = sp_384_mod_mul_norm_12(ctx->u2, ctx->u2, p384_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_384_mont_sqr_12(ctx->p1.z, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_384_mont_mul_12(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int32_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_384_cmp_12(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int32_t c; /* Reload r and add order. */ - sp_384_from_mp(ctx->u2, 12, r); + sp_384_from_mp(ctx->u2, 12, rm); carry = sp_384_add_12(ctx->u2, ctx->u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -30707,22 +30666,23 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_12(ctx->u2, p384_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_384_mod_mul_norm_12(ctx->u2, ctx->u2, p384_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_384_mont_mul_12(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, - p384_mp_mod); - *res = (int)(sp_384_cmp_12(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_384_mod_mul_norm_12(ctx->u2, ctx->u2, p384_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_384_mont_mul_12(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, + p384_mp_mod); + *res = (int)(sp_384_cmp_12(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -30731,7 +30691,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -30775,7 +30735,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, } sp_384_from_bin(u1, 12, hash, (int)hashLen); - sp_384_from_mp(u2, 12, r); + sp_384_from_mp(u2, 12, rm); sp_384_from_mp(s, 12, sm); sp_384_from_mp(p2->x, 12, pX); sp_384_from_mp(p2->y, 12, pY); @@ -30786,7 +30746,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(u2, 12, r); + sp_384_from_mp(u2, 12, rm); err = sp_384_mod_mul_norm_12(u2, u2, p384_mod); } @@ -30797,7 +30757,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_384_cmp_12(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_384_from_mp(u2, 12, r); + sp_384_from_mp(u2, 12, rm); carry = sp_384_add_12(u2, u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -30806,8 +30766,8 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_12(u2, p384_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_384_mod_mul_norm_12(u2, u2, p384_mod); if (err == MP_OKAY) { diff --git a/wolfcrypt/src/sp_c32.c b/wolfcrypt/src/sp_c32.c index 089b7f1d2..934b7d9c5 100644 --- a/wolfcrypt/src/sp_c32.c +++ b/wolfcrypt/src/sp_c32.c @@ -14499,7 +14499,7 @@ static int sp_256_ecc_mulmod_10(sp_point_256* r, const sp_point_256* g, int y; int err = MP_OKAY; - /* Implementatio is constant time. */ + /* Implementation is constant time. */ (void)ct; (void)heap; @@ -18080,13 +18080,10 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 32U; } - sp_256_from_bin(ctx->e, 10, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_256_from_mp(ctx->x, 10, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_256_ecc_gen_k_10(rng, ctx->k); @@ -18114,6 +18111,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_256_cmp_10(ctx->r, p256_order); sp_256_cond_sub_10(ctx->r, ctx->r, p256_order, 0L - (sp_digit)(c >= 0)); sp_256_norm_10(ctx->r); + + sp_256_from_mp(ctx->x, 10, priv); + sp_256_from_bin(ctx->e, 10, hash, (int)hashLen); ctx->state = 4; break; } @@ -18170,6 +18170,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -18603,7 +18606,7 @@ typedef struct sp_ecc_verify_256_ctx { int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_256_ctx* ctx = (sp_ecc_verify_256_ctx*)sp_ctx->data; @@ -18618,7 +18621,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_256_from_bin(ctx->u1, 10, hash, (int)hashLen); - sp_256_from_mp(ctx->u2, 10, r); + sp_256_from_mp(ctx->u2, 10, rm); sp_256_from_mp(ctx->s, 10, sm); sp_256_from_mp(ctx->p2.x, 10, pX); sp_256_from_mp(ctx->p2.y, 10, pY); @@ -18676,57 +18679,33 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_256_iszero_10(ctx->p1.z)) { - if (sp_256_iszero_10(ctx->p1.x) && sp_256_iszero_10(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<10; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p256_norm_mod, sizeof(p256_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_256_proj_point_dbl_10_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(ctx->u2, 10, r); + sp_256_from_mp(ctx->u2, 10, rm); err = sp_256_mod_mul_norm_10(ctx->u2, ctx->u2, p256_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_256_mont_sqr_10(ctx->p1.z, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_256_mont_mul_10(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int32_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_256_cmp_10(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int32_t c; /* Reload r and add order. */ - sp_256_from_mp(ctx->u2, 10, r); + sp_256_from_mp(ctx->u2, 10, rm); carry = sp_256_add_10(ctx->u2, ctx->u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -18734,22 +18713,23 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_10(ctx->u2, p256_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_256_mod_mul_norm_10(ctx->u2, ctx->u2, p256_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_256_mont_mul_10(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, - p256_mp_mod); - *res = (int)(sp_256_cmp_10(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_256_mod_mul_norm_10(ctx->u2, ctx->u2, p256_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_256_mont_mul_10(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, + p256_mp_mod); + *res = (int)(sp_256_cmp_10(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -18758,7 +18738,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -18802,7 +18782,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, } sp_256_from_bin(u1, 10, hash, (int)hashLen); - sp_256_from_mp(u2, 10, r); + sp_256_from_mp(u2, 10, rm); sp_256_from_mp(s, 10, sm); sp_256_from_mp(p2->x, 10, pX); sp_256_from_mp(p2->y, 10, pY); @@ -18813,7 +18793,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(u2, 10, r); + sp_256_from_mp(u2, 10, rm); err = sp_256_mod_mul_norm_10(u2, u2, p256_mod); } @@ -18824,7 +18804,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_256_cmp_10(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_256_from_mp(u2, 10, r); + sp_256_from_mp(u2, 10, rm); carry = sp_256_add_10(u2, u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -18833,8 +18813,8 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_10(u2, p256_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_256_mod_mul_norm_10(u2, u2, p256_mod); if (err == MP_OKAY) { @@ -21675,7 +21655,7 @@ static int sp_384_ecc_mulmod_15(sp_point_384* r, const sp_point_384* g, int y; int err = MP_OKAY; - /* Implementatio is constant time. */ + /* Implementation is constant time. */ (void)ct; (void)heap; @@ -25807,13 +25787,10 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 48U; } - sp_384_from_bin(ctx->e, 15, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_384_from_mp(ctx->x, 15, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_384_ecc_gen_k_15(rng, ctx->k); @@ -25841,6 +25818,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_384_cmp_15(ctx->r, p384_order); sp_384_cond_sub_15(ctx->r, ctx->r, p384_order, 0L - (sp_digit)(c >= 0)); sp_384_norm_15(ctx->r); + + sp_384_from_mp(ctx->x, 15, priv); + sp_384_from_bin(ctx->e, 15, hash, (int)hashLen); ctx->state = 4; break; } @@ -25897,6 +25877,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -26335,7 +26318,7 @@ typedef struct sp_ecc_verify_384_ctx { int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_384_ctx* ctx = (sp_ecc_verify_384_ctx*)sp_ctx->data; @@ -26350,7 +26333,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_384_from_bin(ctx->u1, 15, hash, (int)hashLen); - sp_384_from_mp(ctx->u2, 15, r); + sp_384_from_mp(ctx->u2, 15, rm); sp_384_from_mp(ctx->s, 15, sm); sp_384_from_mp(ctx->p2.x, 15, pX); sp_384_from_mp(ctx->p2.y, 15, pY); @@ -26408,57 +26391,33 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_384_iszero_15(ctx->p1.z)) { - if (sp_384_iszero_15(ctx->p1.x) && sp_384_iszero_15(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<15; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p384_norm_mod, sizeof(p384_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_384_proj_point_dbl_15_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(ctx->u2, 15, r); + sp_384_from_mp(ctx->u2, 15, rm); err = sp_384_mod_mul_norm_15(ctx->u2, ctx->u2, p384_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_384_mont_sqr_15(ctx->p1.z, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_384_mont_mul_15(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int32_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_384_cmp_15(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int32_t c; /* Reload r and add order. */ - sp_384_from_mp(ctx->u2, 15, r); + sp_384_from_mp(ctx->u2, 15, rm); carry = sp_384_add_15(ctx->u2, ctx->u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -26466,22 +26425,23 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_15(ctx->u2, p384_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_384_mod_mul_norm_15(ctx->u2, ctx->u2, p384_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_384_mont_mul_15(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, - p384_mp_mod); - *res = (int)(sp_384_cmp_15(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_384_mod_mul_norm_15(ctx->u2, ctx->u2, p384_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_384_mont_mul_15(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, + p384_mp_mod); + *res = (int)(sp_384_cmp_15(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -26490,7 +26450,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -26534,7 +26494,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, } sp_384_from_bin(u1, 15, hash, (int)hashLen); - sp_384_from_mp(u2, 15, r); + sp_384_from_mp(u2, 15, rm); sp_384_from_mp(s, 15, sm); sp_384_from_mp(p2->x, 15, pX); sp_384_from_mp(p2->y, 15, pY); @@ -26545,7 +26505,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(u2, 15, r); + sp_384_from_mp(u2, 15, rm); err = sp_384_mod_mul_norm_15(u2, u2, p384_mod); } @@ -26556,7 +26516,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_384_cmp_15(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_384_from_mp(u2, 15, r); + sp_384_from_mp(u2, 15, rm); carry = sp_384_add_15(u2, u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -26565,8 +26525,8 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_15(u2, p384_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_384_mod_mul_norm_15(u2, u2, p384_mod); if (err == MP_OKAY) { @@ -29469,7 +29429,7 @@ static int sp_1024_ecc_mulmod_42(sp_point_1024* r, const sp_point_1024* g, int y; int err = MP_OKAY; - /* Implementatio is constant time. */ + /* Implementation is constant time. */ (void)ct; (void)heap; diff --git a/wolfcrypt/src/sp_c64.c b/wolfcrypt/src/sp_c64.c index 297311504..d50d010dd 100644 --- a/wolfcrypt/src/sp_c64.c +++ b/wolfcrypt/src/sp_c64.c @@ -14359,7 +14359,7 @@ static int sp_256_ecc_mulmod_5(sp_point_256* r, const sp_point_256* g, int y; int err = MP_OKAY; - /* Implementatio is constant time. */ + /* Implementation is constant time. */ (void)ct; (void)heap; @@ -17861,13 +17861,10 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 32U; } - sp_256_from_bin(ctx->e, 5, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_256_from_mp(ctx->x, 5, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_256_ecc_gen_k_5(rng, ctx->k); @@ -17895,6 +17892,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_256_cmp_5(ctx->r, p256_order); sp_256_cond_sub_5(ctx->r, ctx->r, p256_order, 0L - (sp_digit)(c >= 0)); sp_256_norm_5(ctx->r); + + sp_256_from_mp(ctx->x, 5, priv); + sp_256_from_bin(ctx->e, 5, hash, (int)hashLen); ctx->state = 4; break; } @@ -17951,6 +17951,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -18384,7 +18387,7 @@ typedef struct sp_ecc_verify_256_ctx { int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_256_ctx* ctx = (sp_ecc_verify_256_ctx*)sp_ctx->data; @@ -18399,7 +18402,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_256_from_bin(ctx->u1, 5, hash, (int)hashLen); - sp_256_from_mp(ctx->u2, 5, r); + sp_256_from_mp(ctx->u2, 5, rm); sp_256_from_mp(ctx->s, 5, sm); sp_256_from_mp(ctx->p2.x, 5, pX); sp_256_from_mp(ctx->p2.y, 5, pY); @@ -18457,57 +18460,33 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_256_iszero_5(ctx->p1.z)) { - if (sp_256_iszero_5(ctx->p1.x) && sp_256_iszero_5(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<5; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p256_norm_mod, sizeof(p256_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_256_proj_point_dbl_5_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(ctx->u2, 5, r); + sp_256_from_mp(ctx->u2, 5, rm); err = sp_256_mod_mul_norm_5(ctx->u2, ctx->u2, p256_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_256_mont_sqr_5(ctx->p1.z, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_256_mont_mul_5(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int64_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_256_cmp_5(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int64_t c; /* Reload r and add order. */ - sp_256_from_mp(ctx->u2, 5, r); + sp_256_from_mp(ctx->u2, 5, rm); carry = sp_256_add_5(ctx->u2, ctx->u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -18515,22 +18494,23 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_5(ctx->u2, p256_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_256_mod_mul_norm_5(ctx->u2, ctx->u2, p256_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_256_mont_mul_5(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, - p256_mp_mod); - *res = (int)(sp_256_cmp_5(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_256_mod_mul_norm_5(ctx->u2, ctx->u2, p256_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_256_mont_mul_5(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, + p256_mp_mod); + *res = (int)(sp_256_cmp_5(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -18539,7 +18519,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -18583,7 +18563,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, } sp_256_from_bin(u1, 5, hash, (int)hashLen); - sp_256_from_mp(u2, 5, r); + sp_256_from_mp(u2, 5, rm); sp_256_from_mp(s, 5, sm); sp_256_from_mp(p2->x, 5, pX); sp_256_from_mp(p2->y, 5, pY); @@ -18594,7 +18574,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(u2, 5, r); + sp_256_from_mp(u2, 5, rm); err = sp_256_mod_mul_norm_5(u2, u2, p256_mod); } @@ -18605,7 +18585,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_256_cmp_5(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_256_from_mp(u2, 5, r); + sp_256_from_mp(u2, 5, rm); carry = sp_256_add_5(u2, u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -18614,8 +18594,8 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_5(u2, p256_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_256_mod_mul_norm_5(u2, u2, p256_mod); if (err == MP_OKAY) { @@ -21040,7 +21020,7 @@ static int sp_384_ecc_mulmod_7(sp_point_384* r, const sp_point_384* g, int y; int err = MP_OKAY; - /* Implementatio is constant time. */ + /* Implementation is constant time. */ (void)ct; (void)heap; @@ -25067,13 +25047,10 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 48U; } - sp_384_from_bin(ctx->e, 7, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_384_from_mp(ctx->x, 7, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_384_ecc_gen_k_7(rng, ctx->k); @@ -25101,6 +25078,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_384_cmp_7(ctx->r, p384_order); sp_384_cond_sub_7(ctx->r, ctx->r, p384_order, 0L - (sp_digit)(c >= 0)); sp_384_norm_7(ctx->r); + + sp_384_from_mp(ctx->x, 7, priv); + sp_384_from_bin(ctx->e, 7, hash, (int)hashLen); ctx->state = 4; break; } @@ -25157,6 +25137,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -25592,7 +25575,7 @@ typedef struct sp_ecc_verify_384_ctx { int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_384_ctx* ctx = (sp_ecc_verify_384_ctx*)sp_ctx->data; @@ -25607,7 +25590,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_384_from_bin(ctx->u1, 7, hash, (int)hashLen); - sp_384_from_mp(ctx->u2, 7, r); + sp_384_from_mp(ctx->u2, 7, rm); sp_384_from_mp(ctx->s, 7, sm); sp_384_from_mp(ctx->p2.x, 7, pX); sp_384_from_mp(ctx->p2.y, 7, pY); @@ -25665,57 +25648,33 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_384_iszero_7(ctx->p1.z)) { - if (sp_384_iszero_7(ctx->p1.x) && sp_384_iszero_7(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<7; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p384_norm_mod, sizeof(p384_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_384_proj_point_dbl_7_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(ctx->u2, 7, r); + sp_384_from_mp(ctx->u2, 7, rm); err = sp_384_mod_mul_norm_7(ctx->u2, ctx->u2, p384_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_384_mont_sqr_7(ctx->p1.z, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_384_mont_mul_7(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int64_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_384_cmp_7(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int64_t c; /* Reload r and add order. */ - sp_384_from_mp(ctx->u2, 7, r); + sp_384_from_mp(ctx->u2, 7, rm); carry = sp_384_add_7(ctx->u2, ctx->u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -25723,22 +25682,23 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_7(ctx->u2, p384_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_384_mod_mul_norm_7(ctx->u2, ctx->u2, p384_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_384_mont_mul_7(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, - p384_mp_mod); - *res = (int)(sp_384_cmp_7(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_384_mod_mul_norm_7(ctx->u2, ctx->u2, p384_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_384_mont_mul_7(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, + p384_mp_mod); + *res = (int)(sp_384_cmp_7(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -25747,7 +25707,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -25791,7 +25751,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, } sp_384_from_bin(u1, 7, hash, (int)hashLen); - sp_384_from_mp(u2, 7, r); + sp_384_from_mp(u2, 7, rm); sp_384_from_mp(s, 7, sm); sp_384_from_mp(p2->x, 7, pX); sp_384_from_mp(p2->y, 7, pY); @@ -25802,7 +25762,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(u2, 7, r); + sp_384_from_mp(u2, 7, rm); err = sp_384_mod_mul_norm_7(u2, u2, p384_mod); } @@ -25813,7 +25773,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_384_cmp_7(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_384_from_mp(u2, 7, r); + sp_384_from_mp(u2, 7, rm); carry = sp_384_add_7(u2, u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -25822,8 +25782,8 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_7(u2, p384_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_384_mod_mul_norm_7(u2, u2, p384_mod); if (err == MP_OKAY) { @@ -28614,7 +28574,7 @@ static int sp_1024_ecc_mulmod_18(sp_point_1024* r, const sp_point_1024* g, int y; int err = MP_OKAY; - /* Implementatio is constant time. */ + /* Implementation is constant time. */ (void)ct; (void)heap; diff --git a/wolfcrypt/src/sp_cortexm.c b/wolfcrypt/src/sp_cortexm.c index 5e840627d..b243b851f 100644 --- a/wolfcrypt/src/sp_cortexm.c +++ b/wolfcrypt/src/sp_cortexm.c @@ -21731,13 +21731,10 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 32U; } - sp_256_from_bin(ctx->e, 8, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_256_from_mp(ctx->x, 8, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_256_ecc_gen_k_8(rng, ctx->k); @@ -21765,6 +21762,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_256_cmp_8(ctx->r, p256_order); sp_256_cond_sub_8(ctx->r, ctx->r, p256_order, 0L - (sp_digit)(c >= 0)); sp_256_norm_8(ctx->r); + + sp_256_from_mp(ctx->x, 8, priv); + sp_256_from_bin(ctx->e, 8, hash, (int)hashLen); ctx->state = 4; break; } @@ -21821,6 +21821,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -22385,7 +22388,7 @@ typedef struct sp_ecc_verify_256_ctx { int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_256_ctx* ctx = (sp_ecc_verify_256_ctx*)sp_ctx->data; @@ -22400,7 +22403,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_256_from_bin(ctx->u1, 8, hash, (int)hashLen); - sp_256_from_mp(ctx->u2, 8, r); + sp_256_from_mp(ctx->u2, 8, rm); sp_256_from_mp(ctx->s, 8, sm); sp_256_from_mp(ctx->p2.x, 8, pX); sp_256_from_mp(ctx->p2.y, 8, pY); @@ -22458,57 +22461,33 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_256_iszero_8(ctx->p1.z)) { - if (sp_256_iszero_8(ctx->p1.x) && sp_256_iszero_8(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<8; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p256_norm_mod, sizeof(p256_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_256_proj_point_dbl_8_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(ctx->u2, 8, r); + sp_256_from_mp(ctx->u2, 8, rm); err = sp_256_mod_mul_norm_8(ctx->u2, ctx->u2, p256_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_256_mont_sqr_8(ctx->p1.z, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_256_mont_mul_8(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int32_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_256_cmp_8(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int32_t c; /* Reload r and add order. */ - sp_256_from_mp(ctx->u2, 8, r); + sp_256_from_mp(ctx->u2, 8, rm); carry = sp_256_add_8(ctx->u2, ctx->u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -22516,22 +22495,23 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_8(ctx->u2, p256_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_256_mod_mul_norm_8(ctx->u2, ctx->u2, p256_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_256_mont_mul_8(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, - p256_mp_mod); - *res = (int)(sp_256_cmp_8(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_256_mod_mul_norm_8(ctx->u2, ctx->u2, p256_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_256_mont_mul_8(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, + p256_mp_mod); + *res = (int)(sp_256_cmp_8(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -22540,7 +22520,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -22584,7 +22564,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, } sp_256_from_bin(u1, 8, hash, (int)hashLen); - sp_256_from_mp(u2, 8, r); + sp_256_from_mp(u2, 8, rm); sp_256_from_mp(s, 8, sm); sp_256_from_mp(p2->x, 8, pX); sp_256_from_mp(p2->y, 8, pY); @@ -22595,7 +22575,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(u2, 8, r); + sp_256_from_mp(u2, 8, rm); err = sp_256_mod_mul_norm_8(u2, u2, p256_mod); } @@ -22606,7 +22586,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_256_cmp_8(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_256_from_mp(u2, 8, r); + sp_256_from_mp(u2, 8, rm); carry = sp_256_add_8(u2, u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -22615,8 +22595,8 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_8(u2, p256_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_256_mod_mul_norm_8(u2, u2, p256_mod); if (err == MP_OKAY) { @@ -28914,13 +28894,10 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 48U; } - sp_384_from_bin(ctx->e, 12, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_384_from_mp(ctx->x, 12, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_384_ecc_gen_k_12(rng, ctx->k); @@ -28948,6 +28925,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_384_cmp_12(ctx->r, p384_order); sp_384_cond_sub_12(ctx->r, ctx->r, p384_order, 0L - (sp_digit)(c >= 0)); sp_384_norm_12(ctx->r); + + sp_384_from_mp(ctx->x, 12, priv); + sp_384_from_bin(ctx->e, 12, hash, (int)hashLen); ctx->state = 4; break; } @@ -29004,6 +28984,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -29616,7 +29599,7 @@ typedef struct sp_ecc_verify_384_ctx { int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_384_ctx* ctx = (sp_ecc_verify_384_ctx*)sp_ctx->data; @@ -29631,7 +29614,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_384_from_bin(ctx->u1, 12, hash, (int)hashLen); - sp_384_from_mp(ctx->u2, 12, r); + sp_384_from_mp(ctx->u2, 12, rm); sp_384_from_mp(ctx->s, 12, sm); sp_384_from_mp(ctx->p2.x, 12, pX); sp_384_from_mp(ctx->p2.y, 12, pY); @@ -29689,57 +29672,33 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_384_iszero_12(ctx->p1.z)) { - if (sp_384_iszero_12(ctx->p1.x) && sp_384_iszero_12(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<12; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p384_norm_mod, sizeof(p384_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_384_proj_point_dbl_12_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(ctx->u2, 12, r); + sp_384_from_mp(ctx->u2, 12, rm); err = sp_384_mod_mul_norm_12(ctx->u2, ctx->u2, p384_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_384_mont_sqr_12(ctx->p1.z, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_384_mont_mul_12(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int32_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_384_cmp_12(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int32_t c; /* Reload r and add order. */ - sp_384_from_mp(ctx->u2, 12, r); + sp_384_from_mp(ctx->u2, 12, rm); carry = sp_384_add_12(ctx->u2, ctx->u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -29747,22 +29706,23 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_12(ctx->u2, p384_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_384_mod_mul_norm_12(ctx->u2, ctx->u2, p384_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_384_mont_mul_12(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, - p384_mp_mod); - *res = (int)(sp_384_cmp_12(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_384_mod_mul_norm_12(ctx->u2, ctx->u2, p384_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_384_mont_mul_12(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, + p384_mp_mod); + *res = (int)(sp_384_cmp_12(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -29771,7 +29731,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -29815,7 +29775,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, } sp_384_from_bin(u1, 12, hash, (int)hashLen); - sp_384_from_mp(u2, 12, r); + sp_384_from_mp(u2, 12, rm); sp_384_from_mp(s, 12, sm); sp_384_from_mp(p2->x, 12, pX); sp_384_from_mp(p2->y, 12, pY); @@ -29826,7 +29786,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(u2, 12, r); + sp_384_from_mp(u2, 12, rm); err = sp_384_mod_mul_norm_12(u2, u2, p384_mod); } @@ -29837,7 +29797,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_384_cmp_12(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_384_from_mp(u2, 12, r); + sp_384_from_mp(u2, 12, rm); carry = sp_384_add_12(u2, u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -29846,8 +29806,8 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_12(u2, p384_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_384_mod_mul_norm_12(u2, u2, p384_mod); if (err == MP_OKAY) { diff --git a/wolfcrypt/src/sp_x86_64.c b/wolfcrypt/src/sp_x86_64.c index 90bccc7fd..c51d73769 100644 --- a/wolfcrypt/src/sp_x86_64.c +++ b/wolfcrypt/src/sp_x86_64.c @@ -23673,13 +23673,10 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 32U; } - sp_256_from_bin(ctx->e, 4, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_256_from_mp(ctx->x, 4, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_256_ecc_gen_k_4(rng, ctx->k); @@ -23707,6 +23704,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_256_cmp_4(ctx->r, p256_order); sp_256_cond_sub_4(ctx->r, ctx->r, p256_order, 0L - (sp_digit)(c >= 0)); sp_256_norm_4(ctx->r); + + sp_256_from_mp(ctx->x, 4, priv); + sp_256_from_bin(ctx->e, 4, hash, (int)hashLen); ctx->state = 4; break; } @@ -23763,6 +23763,9 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -24105,7 +24108,7 @@ typedef struct sp_ecc_verify_256_ctx { int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_256_ctx* ctx = (sp_ecc_verify_256_ctx*)sp_ctx->data; @@ -24120,7 +24123,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_256_from_bin(ctx->u1, 4, hash, (int)hashLen); - sp_256_from_mp(ctx->u2, 4, r); + sp_256_from_mp(ctx->u2, 4, rm); sp_256_from_mp(ctx->s, 4, sm); sp_256_from_mp(ctx->p2.x, 4, pX); sp_256_from_mp(ctx->p2.y, 4, pY); @@ -24178,57 +24181,33 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_256_iszero_4(ctx->p1.z)) { - if (sp_256_iszero_4(ctx->p1.x) && sp_256_iszero_4(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<4; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p256_norm_mod, sizeof(p256_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_256_proj_point_dbl_4_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(ctx->u2, 4, r); + sp_256_from_mp(ctx->u2, 4, rm); err = sp_256_mod_mul_norm_4(ctx->u2, ctx->u2, p256_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_256_mont_sqr_4(ctx->p1.z, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_256_mont_mul_4(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, p256_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int64_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_256_cmp_4(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int64_t c; /* Reload r and add order. */ - sp_256_from_mp(ctx->u2, 4, r); + sp_256_from_mp(ctx->u2, 4, rm); carry = sp_256_add_4(ctx->u2, ctx->u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -24236,22 +24215,23 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_4(ctx->u2, p256_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_256_mod_mul_norm_4(ctx->u2, ctx->u2, p256_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_256_mont_mul_4(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, - p256_mp_mod); - *res = (int)(sp_256_cmp_4(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_256_mod_mul_norm_4(ctx->u2, ctx->u2, p256_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_256_mont_mul_4(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, + p256_mp_mod); + *res = (int)(sp_256_cmp_4(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -24260,7 +24240,7 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -24304,7 +24284,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, } sp_256_from_bin(u1, 4, hash, (int)hashLen); - sp_256_from_mp(u2, 4, r); + sp_256_from_mp(u2, 4, rm); sp_256_from_mp(s, 4, sm); sp_256_from_mp(p2->x, 4, pX); sp_256_from_mp(p2->y, 4, pY); @@ -24315,7 +24295,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_256_from_mp(u2, 4, r); + sp_256_from_mp(u2, 4, rm); err = sp_256_mod_mul_norm_4(u2, u2, p256_mod); } @@ -24326,7 +24306,7 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_256_cmp_4(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_256_from_mp(u2, 4, r); + sp_256_from_mp(u2, 4, rm); carry = sp_256_add_4(u2, u2, p256_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -24335,8 +24315,8 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_256_cmp_4(u2, p256_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_256_mod_mul_norm_4(u2, u2, p256_mod); if (err == MP_OKAY) { @@ -48182,13 +48162,10 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W hashLen = 48U; } - sp_384_from_bin(ctx->e, 6, hash, (int)hashLen); - ctx->i = SP_ECC_MAX_SIG_GEN; ctx->state = 1; break; case 1: /* GEN */ - sp_384_from_mp(ctx->x, 6, priv); /* New random point. */ if (km == NULL || mp_iszero(km)) { err = sp_384_ecc_gen_k_6(rng, ctx->k); @@ -48216,6 +48193,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W c = sp_384_cmp_6(ctx->r, p384_order); sp_384_cond_sub_6(ctx->r, ctx->r, p384_order, 0L - (sp_digit)(c >= 0)); sp_384_norm_6(ctx->r); + + sp_384_from_mp(ctx->x, 6, priv); + sp_384_from_bin(ctx->e, 6, hash, (int)hashLen); ctx->state = 4; break; } @@ -48272,6 +48252,9 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W ctx->state = 10; break; } + #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP + ctx->i = 1; + #endif /* not usable gen, try again */ ctx->i--; @@ -48691,7 +48674,7 @@ typedef struct sp_ecc_verify_384_ctx { int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ, - const mp_int* r, const mp_int* sm, int* res, void* heap) + const mp_int* rm, const mp_int* sm, int* res, void* heap) { int err = FP_WOULDBLOCK; sp_ecc_verify_384_ctx* ctx = (sp_ecc_verify_384_ctx*)sp_ctx->data; @@ -48706,7 +48689,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, } sp_384_from_bin(ctx->u1, 6, hash, (int)hashLen); - sp_384_from_mp(ctx->u2, 6, r); + sp_384_from_mp(ctx->u2, 6, rm); sp_384_from_mp(ctx->s, 6, sm); sp_384_from_mp(ctx->p2.x, 6, pX); sp_384_from_mp(ctx->p2.y, 6, pY); @@ -48764,57 +48747,33 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, if (err == MP_OKAY) ctx->state = 9; break; - case 9: /* DBLPREP */ - if (sp_384_iszero_6(ctx->p1.z)) { - if (sp_384_iszero_6(ctx->p1.x) && sp_384_iszero_6(ctx->p1.y)) { - XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx)); - ctx->state = 10; - break; - } - else { - /* Y ordinate is not used from here - don't set. */ - int i; - for (i=0; i<6; i++) { - ctx->p1.x[i] = 0; - } - XMEMCPY(ctx->p1.z, p384_norm_mod, sizeof(p384_norm_mod)); - } - } - ctx->state = 11; - break; - case 10: /* DBL */ - err = sp_384_proj_point_dbl_6_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->p1, - &ctx->p2, ctx->tmp); - if (err == MP_OKAY) { - ctx->state = 11; - } - break; - case 11: /* MONT */ + case 9: /* MONT */ /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(ctx->u2, 6, r); + sp_384_from_mp(ctx->u2, 6, rm); err = sp_384_mod_mul_norm_6(ctx->u2, ctx->u2, p384_mod); if (err == MP_OKAY) - ctx->state = 12; + ctx->state = 10; break; - case 12: /* SQR */ + case 10: /* SQR */ /* u1 = r.z'.z' mod prime */ sp_384_mont_sqr_6(ctx->p1.z, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 13; + ctx->state = 11; break; - case 13: /* MUL */ + case 11: /* MUL */ sp_384_mont_mul_6(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, p384_mp_mod); - ctx->state = 14; + ctx->state = 12; break; - case 14: /* RES */ + case 12: /* RES */ + { + int64_t c = 0; err = MP_OKAY; /* math okay, now check result */ *res = (int)(sp_384_cmp_6(ctx->p1.x, ctx->u1) == 0); if (*res == 0) { sp_digit carry; - int64_t c; /* Reload r and add order. */ - sp_384_from_mp(ctx->u2, 6, r); + sp_384_from_mp(ctx->u2, 6, rm); carry = sp_384_add_6(ctx->u2, ctx->u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -48822,22 +48781,23 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_6(ctx->u2, p384_mod); - if (c < 0) { - /* Convert to Montogomery form */ - err = sp_384_mod_mul_norm_6(ctx->u2, ctx->u2, p384_mod); - if (err == MP_OKAY) { - /* u1 = (r + 1*order).z'.z' mod prime */ - sp_384_mont_mul_6(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, - p384_mp_mod); - *res = (int)(sp_384_cmp_6(ctx->p1.x, ctx->u1) == 0); - } - } + } + } + if ((*res == 0) && (c < 0)) { + /* Convert to Montogomery form */ + err = sp_384_mod_mul_norm_6(ctx->u2, ctx->u2, p384_mod); + if (err == MP_OKAY) { + /* u1 = (r + 1*order).z'.z' mod prime */ + sp_384_mont_mul_6(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, + p384_mp_mod); + *res = (int)(sp_384_cmp_6(ctx->p1.x, ctx->u1) == 0); } } break; } + } /* switch */ - if (err == MP_OKAY && ctx->state != 14) { + if (err == MP_OKAY && ctx->state != 12) { err = FP_WOULDBLOCK; } @@ -48846,7 +48806,7 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, #endif /* WOLFSSL_SP_NONBLOCK */ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, - const mp_int* pY, const mp_int* pZ, const mp_int* r, const mp_int* sm, + const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm, int* res, void* heap) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC) @@ -48890,7 +48850,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, } sp_384_from_bin(u1, 6, hash, (int)hashLen); - sp_384_from_mp(u2, 6, r); + sp_384_from_mp(u2, 6, rm); sp_384_from_mp(s, 6, sm); sp_384_from_mp(p2->x, 6, pX); sp_384_from_mp(p2->y, 6, pY); @@ -48901,7 +48861,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, if (err == MP_OKAY) { /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */ /* Reload r and convert to Montgomery form. */ - sp_384_from_mp(u2, 6, r); + sp_384_from_mp(u2, 6, rm); err = sp_384_mod_mul_norm_6(u2, u2, p384_mod); } @@ -48912,7 +48872,7 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, *res = (int)(sp_384_cmp_6(p1->x, u1) == 0); if (*res == 0) { /* Reload r and add order. */ - sp_384_from_mp(u2, 6, r); + sp_384_from_mp(u2, 6, rm); carry = sp_384_add_6(u2, u2, p384_order); /* Carry means result is greater than mod and is not valid. */ if (carry == 0) { @@ -48921,8 +48881,8 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX, /* Compare with mod and if greater or equal then not valid. */ c = sp_384_cmp_6(u2, p384_mod); } - } - if ((*res == 0) && (c < 0)) { + } + if ((*res == 0) && (c < 0)) { /* Convert to Montogomery form */ err = sp_384_mod_mul_norm_6(u2, u2, p384_mod); if (err == MP_OKAY) { diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 318752748..34524fea0 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -23249,7 +23249,7 @@ static int crypto_ecc_verify(const uint8_t *key, uint32_t keySz, ); count++; - /* TODO: Real-time work can be called here */ + /* This is where real-time work could be called */ } while (ret == FP_WOULDBLOCK); #ifdef DEBUG_WOLFSSL printf("ECC non-block verify: %d times\n", count); @@ -23333,7 +23333,7 @@ static int crypto_ecc_sign(const uint8_t *key, uint32_t keySz, ); count++; - /* TODO: Real-time work can be called here */ + /* This is where real-time work could be called */ } while (ret == FP_WOULDBLOCK); #ifdef DEBUG_WOLFSSL @@ -23343,8 +23343,8 @@ static int crypto_ecc_sign(const uint8_t *key, uint32_t keySz, if (ret == 0) { /* export r/s */ - mp_to_unsigned_bin(&r, sig); - mp_to_unsigned_bin(&s, sig + curveSz); + mp_to_unsigned_bin_len(&r, sig, curveSz); + mp_to_unsigned_bin_len(&s, sig + curveSz, curveSz); } mp_clear(&r);