From bfe1760c17a30dfeb0da897ccb9668cecd052c91 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 1 Jun 2020 10:48:52 -0700 Subject: [PATCH 1/2] Improvements to the ECC max bits calculation used with fast math (`USE_FAST_MATH` and `ALT_ECC_SIZE`). Updated example code comments to reflect accurate calculation. --- IDE/GCC-ARM/Header/user_settings.h | 7 +++- .../user_settings.h | 6 +-- .../user_settings_verbose_example.h | 8 ++-- .../custom_port_user_settings/user_settings.h | 6 +-- IDE/LPCXPRESSO/lib_wolfssl/user_settings.h | 4 +- IDE/WICED-STUDIO/user_settings.h | 2 +- wolfssl/wolfcrypt/ecc.h | 40 +++++++++---------- 7 files changed, 39 insertions(+), 34 deletions(-) diff --git a/IDE/GCC-ARM/Header/user_settings.h b/IDE/GCC-ARM/Header/user_settings.h index 135ddb086..80e3d0d62 100644 --- a/IDE/GCC-ARM/Header/user_settings.h +++ b/IDE/GCC-ARM/Header/user_settings.h @@ -189,14 +189,17 @@ extern "C" { /* Use alternate ECC size for ECC math */ #ifdef USE_FAST_MATH + /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */ #ifdef NO_RSA /* Custom fastmath size if not using RSA */ - /* MAX = ROUND32(ECC BITS 256) + SIZE_OF_MP_DIGIT(32) */ #undef FP_MAX_BITS - #define FP_MAX_BITS (256 + 32) + #define FP_MAX_BITS (256 * 2) #else #undef ALT_ECC_SIZE #define ALT_ECC_SIZE + /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overriden */ + //#undef FP_MAX_BITS_ECC + //#define FP_MAX_BITS_ECC (256 * 2) #endif /* Speedups specific to curve */ diff --git a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings.h b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings.h index 3a124c7bb..37714a3ec 100644 --- a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings.h +++ b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings.h 
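Review bot: The added comment `/* MAX ECC BITS = ROUND8(MAX ECC) * 2 */` in IDE/GCC-ARM/Header/user_settings.h does not match what ecc.h computes later in this patch, which rounds MAX_ECC_BITS up to a multiple of DIGIT_BIT before doubling. For P-256 both give 512, but for P-521 ROUND8 gives 1056 while 32-bit digits give 1088, so anyone copying the formula for a larger curve ends up with a buffer smaller than the library default; whether that smaller size is still sufficient is not evident from the patch. The same wording appears in user_settings_verbose_example.h (with `(528 * 2)`) and in the ecc.h macro comment, and the ecc.h struct comment quotes the 1056 figure. I would word it as `/* MAX ECC BITS = ROUNDUP(MAX ECC, DIGIT_BIT) * 2 */` in all of these places.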
@@ -34,11 +34,11 @@ #undef ECC_USER_CURVES #define ECC_USER_CURVES - #undef ECC_ALT_SIZE - #define ECC_ALT_SIZE + #undef ALT_ECC_SIZE + #define ALT_ECC_SIZE #undef FP_MAX_BITS_ECC - #define FP_MAX_BITS_ECC 528 + #define FP_MAX_BITS_ECC (256 * 2) #undef TFM_TIMING_RESISTANT #define TFM_TIMING_RESISTANT diff --git a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings_verbose_example.h b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings_verbose_example.h index 3819e6cfc..185497c6c 100644 --- a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings_verbose_example.h +++ b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings_verbose_example.h @@ -84,11 +84,13 @@ #define ECC_TIMING_RESISTANT #ifdef USE_FAST_MATH - /* Max ECC bits (curve size * 8). ECC521 is (66*8) = 528. */ #undef ALT_ECC_SIZE #define ALT_ECC_SIZE - #undef FP_MAX_BITS_ECC - #define FP_MAX_BITS_ECC 528 + + /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overriden */ + /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */ + //#undef FP_MAX_BITS_ECC + //#define FP_MAX_BITS_ECC (528 * 2) /* Enable TFM optimizations for ECC */ #define TFM_ECC192 diff --git a/IDE/IAR-EWARM/embOS/custom_port/custom_port_user_settings/user_settings.h b/IDE/IAR-EWARM/embOS/custom_port/custom_port_user_settings/user_settings.h index 1c4cadf38..358c2b48e 100644 --- a/IDE/IAR-EWARM/embOS/custom_port/custom_port_user_settings/user_settings.h +++ b/IDE/IAR-EWARM/embOS/custom_port/custom_port_user_settings/user_settings.h @@ -31,11 +31,11 @@ #undef ECC_USER_CURVES #define ECC_USER_CURVES - #undef ECC_ALT_SIZE - #define ECC_ALT_SIZE + #undef ALT_ECC_SIZE + #define ALT_ECC_SIZE #undef FP_MAX_BITS_ECC - #define FP_MAX_BITS_ECC 528 + #define FP_MAX_BITS_ECC (256 * 2) #undef TFM_TIMING_RESISTANT #define TFM_TIMING_RESISTANT 
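Review bot: In embOS_SAMV71_XULT_user_settings/user_settings.h the override drops from 528 to `(256 * 2)` in the same change that corrects `ECC_ALT_SIZE` to `ALT_ECC_SIZE`, so the reduced-size path presumably takes effect for the first time with a buffer that only fits curves up to 256 bits. `ECC_USER_CURVES` is defined just above, but which curves are enabled is outside the hunk; if P-384 or P-521 is enabled anywhere in this configuration, the override is too small. The custom_port user_settings.h hunk makes the identical change. Either drop the override and let ecc.h derive the value from MAX_ECC_BITS, or state the assumption next to it, e.g. `/* P-256 only; raise if larger curves are enabled */`.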
diff --git a/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h b/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h index 1414154ba..9189410a5 100644 --- a/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h +++ b/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h @@ -22,7 +22,8 @@ #define FP_LUT 4 #define FP_MAX_BITS 2048 /* 4096 */ -#define FP_MAX_BITS_ECC 512 +#define ECC_USER_CURVES /* Disables P-112, P-128, P-160, P-192, P-224, P-384, P-521 but leaves P-256 enabled */ +#define FP_MAX_BITS_ECC (256 * 2) #define ALT_ECC_SIZE #define USE_FAST_MATH #define SMALL_SESSION_CACHE @@ -52,7 +53,6 @@ #define NO_64BIT #define NO_WOLFSSL_SERVER #define NO_OLD_TLS -#define ECC_USER_CURVES /* Disables P-112, P-128, P-160, P-192, P-224, P-384, P-521 but leaves P-256 enabled */ #define NO_DES3 #define NO_MD5 #define NO_RC4 diff --git a/IDE/WICED-STUDIO/user_settings.h b/IDE/WICED-STUDIO/user_settings.h index b548a55ac..70e13959f 100644 --- a/IDE/WICED-STUDIO/user_settings.h +++ b/IDE/WICED-STUDIO/user_settings.h @@ -595,7 +595,7 @@ extern unsigned int my_rng_seed_gen(void); #endif #if 1 - #define FP_MAX_BITS_ECC 512 + #define FP_MAX_BITS_ECC (256 + 32) #endif /* ------------------------------------------------------------------------- */ diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index 4d9eb2c01..3dc0f3253 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h 
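Review bot: `#define FP_MAX_BITS_ECC (256 + 32)` in IDE/WICED-STUDIO/user_settings.h is the verify-only size according to the note this same patch adds to ecc.h (`ROUND8(MAX_ECC_BITS) + ROUND8(DIGIT_BIT)`), whereas every other example in the patch uses `(256 * 2)`. Nothing visible in the hunk restricts this configuration to signature verification, so if signing, key generation or ECDH are built in, the fast-math buffer is presumably too small for them. The literal 32 also assumes a 32-bit DIGIT_BIT. Either restore the full size with `#define FP_MAX_BITS_ECC (256 * 2)` or keep the reduced value and say why, e.g. `/* ECC verify only: ROUND8(256) + DIGIT_BIT */`.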
@@ -278,14 +278,15 @@ typedef struct ecc_set_type { * mp_ints for the components of the point. With ALT_ECC_SIZE, the components * of the point are pointers that are set to each of a three item array of * alt_fp_ints. While an mp_int will have 4096 bits of digit inside the - * structure, the alt_fp_int will only have 528 bits. A size value was added - * in the ALT case, as well, and is set by mp_init() and alt_fp_init(). The - * functions fp_zero() and fp_copy() use the size parameter. An int needs to - * be initialized before using it instead of just fp_zeroing it, the init will - * call zero. FP_MAX_BITS_ECC defaults to 528, but can be set to change the - * number of bits used in the alternate FP_INT. + * structure, the alt_fp_int will only have 512 bits for ECC 256-bit and + * 1056-bits for ECC 521-bit. A size value was added in the ALT case, as well, + * and is set by mp_init() and alt_fp_init(). The functions fp_zero() and + * fp_copy() use the size parameter. An int needs to be initialized before + * using it instead of just fp_zeroing it, the init will call zero. The + * FP_MAX_BITS_ECC defaults to calculating based on MAX_ECC_BITS, but + * can be set to change the number of bits used in the alternate FP_INT. * - * Do not enable ALT_ECC_SIZE and disable fast math in the configuration. + * The ALT_ECC_SIZE option only applies to stack based fast math USE_FAST_MATH. */ #ifndef USE_FAST_MATH 
@@ -294,19 +295,18 @@ typedef struct ecc_set_type { /* determine max bits required for ECC math */ #ifndef FP_MAX_BITS_ECC - /* check alignment */ - #if ((MAX_ECC_BITS * 2) % DIGIT_BIT) == 0 - /* max bits is double */ - #define FP_MAX_BITS_ECC (MAX_ECC_BITS * 2) - #else - /* max bits is doubled, plus one digit of fudge */ - #define FP_MAX_BITS_ECC ((MAX_ECC_BITS * 2) + DIGIT_BIT) - #endif -#else - /* verify alignment */ - #if FP_MAX_BITS_ECC % CHAR_BIT - #error FP_MAX_BITS_ECC must be a multiple of CHAR_BIT - #endif + /* max bits rounded up by 8 then doubled */ + /* (ROUND8(MAX_ECC_BITS) * 2) */ + #define FP_MAX_BITS_ECC (2 * \ + ((MAX_ECC_BITS + DIGIT_BIT - 1) / DIGIT_BIT) * DIGIT_BIT) + + /* Note: For ECC verify only FP_MAX_BITS_ECC can be reduced to: + ROUND8(MAX_ECC_BITS) + ROUND8(DIGIT_BIT) */ +#endif + +/* verify alignment */ +#if FP_MAX_BITS_ECC % CHAR_BIT + #error FP_MAX_BITS_ECC must be a multiple of CHAR_BIT #endif /* determine buffer size */ From b947f69f60caec34df0049efca6d18652c02ed0c Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 1 Jun 2020 10:49:08 -0700 Subject: [PATCH 2/2] Fix to correct SP 4096-bit enable. Correct nonexistent `WOLFSSL_SP_NO_4096`, which should be `WOLFSSL_SP_4096`. --- wolfcrypt/src/dh.c | 2 +- wolfcrypt/src/sp_int.c | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c index 6c53be8f3..78decc3f8 100644 --- a/wolfcrypt/src/dh.c +++ b/wolfcrypt/src/dh.c @@ -1485,7 +1485,7 @@ int wc_DhCheckPubKey_ex(DhKey* key, const byte* pub, word32 pubSz, } else #endif -#ifdef WOLFSSL_SP_NO_4096 +#ifdef WOLFSSL_SP_4096 if (mp_count_bits(&key->p) == 4096) { ret = sp_ModExp_4096(y, q, p, y); if (ret != 0) diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c index e53bc93fc..4ec6e2339 100644 --- a/wolfcrypt/src/sp_int.c +++ b/wolfcrypt/src/sp_int.c 
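Review bot: A user-supplied FP_MAX_BITS_ECC in wolfssl/wolfcrypt/ecc.h is still only checked for CHAR_BIT alignment, never for being large enough for the enabled curves, even though the alignment check now runs for both the computed and the overridden value. This patch itself introduces overrides as small as `(256 + 32)`, so a value that is too small for MAX_ECC_BITS compiles silently and would only surface as failing ECC operations at run time. A lower bound matching the verify-only minimum stated in the new note would catch this at build time: `#if FP_MAX_BITS_ECC < (MAX_ECC_BITS + DIGIT_BIT)`, `#error FP_MAX_BITS_ECC is too small for MAX_ECC_BITS`, `#endif`. Both macros were already used in an `#if` at this spot in the removed code, so they should be visible to the preprocessor here.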
@@ -43,7 +43,6 @@ * WOLFSSL_SP_NO_MALLOC: Always use stack, no heap XMALLOC/XFREE allowed * WOLFSSL_SP_NO_2048: Disable RSA/DH 2048-bit support * WOLFSSL_SP_NO_3072: Disable RSA/DH 3072-bit support - * WOLFSSL_SP_NO_4096: Disable RSA/DH 4096-bit support * WOLFSSL_SP_4096: Enable RSA/RH 4096-bit support * WOLFSSL_SP_384 Enable ECC 384-bit SECP384R1 support * WOLFSSL_SP_NO_256 Disable ECC 256-bit SECP256R1 support @@ -1659,7 +1658,7 @@ int sp_exptmod(sp_int* b, sp_int* e, sp_int* m, sp_int* r) } else #endif -#ifdef WOLFSSL_SP_NO_4096 +#ifdef WOLFSSL_SP_4096 if ((mBits == 4096) && sp_isodd(m) && (bBits <= 4096) && (eBits <= 4096)) { err = sp_ModExp_4096(b, e, m, r);