Merge pull request #2993 from dgarske/math_fixes

Improvements around the ECC max bits calculation
2020-06-03 14:53:51 -07:00
parent d220168384 b947f69f60
commit 4ddbe546a3
9 changed files with 41 additions and 37 deletions
--- a/IDE/GCC-ARM/Header/user_settings.h
+++ b/IDE/GCC-ARM/Header/user_settings.h
@ -189,14 +189,17 @@ extern "C" {

    /* Use alternate ECC size for ECC math */
    #ifdef USE_FAST_MATH
+        /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */
        #ifdef NO_RSA
            /* Custom fastmath size if not using RSA */
-            /* MAX = ROUND32(ECC BITS 256) + SIZE_OF_MP_DIGIT(32) */
            #undef  FP_MAX_BITS
-            #define FP_MAX_BITS     (256 + 32)
+            #define FP_MAX_BITS     (256 * 2)
        #else
            #undef  ALT_ECC_SIZE
            #define ALT_ECC_SIZE
+            /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overriden */
+            //#undef  FP_MAX_BITS_ECC
+            //#define FP_MAX_BITS_ECC (256 * 2)
        #endif

        /* Speedups specific to curve */
--- a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings.h
+++ b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings.h
@ -34,11 +34,11 @@
    #undef ECC_USER_CURVES
    #define ECC_USER_CURVES

-    #undef ECC_ALT_SIZE
-    #define ECC_ALT_SIZE
+    #undef ALT_ECC_SIZE
+    #define ALT_ECC_SIZE

    #undef FP_MAX_BITS_ECC
-    #define FP_MAX_BITS_ECC 528
+    #define FP_MAX_BITS_ECC (256 * 2)

    #undef TFM_TIMING_RESISTANT
    #define TFM_TIMING_RESISTANT
--- a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings_verbose_example.h
+++ b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings_verbose_example.h
@ -84,11 +84,13 @@
    #define ECC_TIMING_RESISTANT

    #ifdef USE_FAST_MATH
-        /* Max ECC bits (curve size * 8). ECC521 is (66*8) = 528. */
        #undef  ALT_ECC_SIZE
        #define ALT_ECC_SIZE
-        #undef  FP_MAX_BITS_ECC
-        #define FP_MAX_BITS_ECC     528
+
+        /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overriden */
+        /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */
+        //#undef  FP_MAX_BITS_ECC
+        //#define FP_MAX_BITS_ECC (528 * 2)

        /* Enable TFM optimizations for ECC */
        #define TFM_ECC192
--- a/IDE/IAR-EWARM/embOS/custom_port/custom_port_user_settings/user_settings.h
+++ b/IDE/IAR-EWARM/embOS/custom_port/custom_port_user_settings/user_settings.h
@ -31,11 +31,11 @@
    #undef ECC_USER_CURVES
    #define ECC_USER_CURVES

-    #undef ECC_ALT_SIZE
-    #define ECC_ALT_SIZE
+    #undef ALT_ECC_SIZE
+    #define ALT_ECC_SIZE

    #undef FP_MAX_BITS_ECC
-    #define FP_MAX_BITS_ECC 528
+    #define FP_MAX_BITS_ECC (256 * 2)

    #undef TFM_TIMING_RESISTANT
    #define TFM_TIMING_RESISTANT
--- a/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h
+++ b/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h
@ -22,7 +22,8 @@

 #define FP_LUT                   4
 #define FP_MAX_BITS              2048 /* 4096 */
-#define FP_MAX_BITS_ECC          512
+#define ECC_USER_CURVES /* Disables P-112, P-128, P-160, P-192, P-224, P-384, P-521 but leaves P-256 enabled */
+#define FP_MAX_BITS_ECC          (256 * 2)
 #define ALT_ECC_SIZE
 #define USE_FAST_MATH
 #define SMALL_SESSION_CACHE
@ -52,7 +53,6 @@
 #define NO_64BIT
 #define NO_WOLFSSL_SERVER
 #define NO_OLD_TLS
-#define ECC_USER_CURVES /* Disables P-112, P-128, P-160, P-192, P-224, P-384, P-521 but leaves P-256 enabled */
 #define NO_DES3
 #define NO_MD5
 #define NO_RC4
--- a/IDE/WICED-STUDIO/user_settings.h
+++ b/IDE/WICED-STUDIO/user_settings.h
@ -595,7 +595,7 @@ extern unsigned int my_rng_seed_gen(void);
 #endif

 #if 1
-    #define FP_MAX_BITS_ECC 512
+    #define FP_MAX_BITS_ECC (256 + 32)
 #endif

 /* ------------------------------------------------------------------------- */
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@ -1485,7 +1485,7 @@ int wc_DhCheckPubKey_ex(DhKey* key, const byte* pub, word32 pubSz,
        }
        else
 #endif
-#ifdef WOLFSSL_SP_NO_4096
+#ifdef WOLFSSL_SP_4096
        if (mp_count_bits(&key->p) == 4096) {
            ret = sp_ModExp_4096(y, q, p, y);
            if (ret != 0)
--- a/wolfcrypt/src/sp_int.c
+++ b/wolfcrypt/src/sp_int.c
@ -43,7 +43,6 @@
 * WOLFSSL_SP_NO_MALLOC:        Always use stack, no heap XMALLOC/XFREE allowed
 * WOLFSSL_SP_NO_2048:          Disable RSA/DH 2048-bit support
 * WOLFSSL_SP_NO_3072:          Disable RSA/DH 3072-bit support
- * WOLFSSL_SP_NO_4096:          Disable RSA/DH 4096-bit support
 * WOLFSSL_SP_4096:             Enable RSA/RH 4096-bit support
 * WOLFSSL_SP_384               Enable ECC 384-bit SECP384R1 support
 * WOLFSSL_SP_NO_256            Disable ECC 256-bit SECP256R1 support
@ -1659,7 +1658,7 @@ int sp_exptmod(sp_int* b, sp_int* e, sp_int* m, sp_int* r)
        }
        else
 #endif
-#ifdef WOLFSSL_SP_NO_4096
+#ifdef WOLFSSL_SP_4096
        if ((mBits == 4096) && sp_isodd(m) && (bBits <= 4096) &&
            (eBits <= 4096)) {
            err = sp_ModExp_4096(b, e, m, r);
--- a/wolfssl/wolfcrypt/ecc.h
+++ b/wolfssl/wolfcrypt/ecc.h
@ -278,14 +278,15 @@ typedef struct ecc_set_type {
 * mp_ints for the components of the point. With ALT_ECC_SIZE, the components
 * of the point are pointers that are set to each of a three item array of
 * alt_fp_ints. While an mp_int will have 4096 bits of digit inside the
- * structure, the alt_fp_int will only have 528 bits. A size value was added
- * in the ALT case, as well, and is set by mp_init() and alt_fp_init(). The
- * functions fp_zero() and fp_copy() use the size parameter. An int needs to
- * be initialized before using it instead of just fp_zeroing it, the init will
- * call zero. FP_MAX_BITS_ECC defaults to 528, but can be set to change the
- * number of bits used in the alternate FP_INT.
+ * structure, the alt_fp_int will only have 512 bits for ECC 256-bit and 
+ * 1056-bits for ECC 521-bit. A size value was added in the ALT case, as well, 
+ * and is set by mp_init() and alt_fp_init(). The functions fp_zero() and 
+ * fp_copy() use the size parameter. An int needs to be initialized before 
+ * using it instead of just fp_zeroing it, the init will call zero. The 
+ * FP_MAX_BITS_ECC defaults to calculating based on MAX_ECC_BITS, but 
+ * can be set to change the number of bits used in the alternate FP_INT.
 *
- * Do not enable ALT_ECC_SIZE and disable fast math in the configuration.
+ * The ALT_ECC_SIZE option only applies to stack based fast math USE_FAST_MATH.
 */

 #ifndef USE_FAST_MATH
@ -294,19 +295,18 @@ typedef struct ecc_set_type {

 /* determine max bits required for ECC math */
 #ifndef FP_MAX_BITS_ECC
-    /* check alignment */
-    #if ((MAX_ECC_BITS * 2) % DIGIT_BIT) == 0
-        /* max bits is double */
-        #define FP_MAX_BITS_ECC     (MAX_ECC_BITS * 2)
-    #else
-        /* max bits is doubled, plus one digit of fudge */
-        #define FP_MAX_BITS_ECC     ((MAX_ECC_BITS * 2) + DIGIT_BIT)
-    #endif
-#else
-    /* verify alignment */
-    #if FP_MAX_BITS_ECC % CHAR_BIT
-       #error FP_MAX_BITS_ECC must be a multiple of CHAR_BIT
-    #endif
+    /* max bits rounded up by 8 then doubled */
+    /* (ROUND8(MAX_ECC_BITS) * 2) */
+    #define FP_MAX_BITS_ECC (2 * \
+        ((MAX_ECC_BITS + DIGIT_BIT - 1) / DIGIT_BIT) * DIGIT_BIT)
+
+    /* Note: For ECC verify only FP_MAX_BITS_ECC can be reduced to:
+             ROUND8(MAX_ECC_BITS) + ROUND8(DIGIT_BIT) */
+#endif
+
+/* verify alignment */
+#if FP_MAX_BITS_ECC % CHAR_BIT
+    #error FP_MAX_BITS_ECC must be a multiple of CHAR_BIT
 #endif

 /* determine buffer size */