diff --git a/configure.ac b/configure.ac index 7315827a7..937cebd64 100644 --- a/configure.ac +++ b/configure.ac @@ -4450,6 +4450,9 @@ if test "$ENABLED_SP_ASM" = "yes"; then if test "$ENABLED_SP" = "no"; then AC_MSG_ERROR([Must have SP enabled: --enable-sp]) fi + if test "$ENABLED_SP_NONBLOCK" = "yes"; then + AC_MSG_ERROR([SP non-blocking not supported with sp-asm]) + fi if test "$ENABLED_ASM" = "no"; then AC_MSG_ERROR([Assembly code turned off]) fi diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index b2f871b8b..217b17ee2 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -20051,6 +20051,433 @@ exit: } #endif +/* ECC Non-blocking tests for Sign and Verify */ +/* Requires SP math and supports P384 or P256 */ +/* ./configure --enable-ecc=nonblock --enable-sp=yes,nonblock CFLAGS="-DWOLFSSL_PUBLIC_MP" */ +#if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_PUBLIC_MP) && \ + defined(HAVE_ECC_SIGN) && defined(HAVE_ECC_VERIFY) +/* Test Data - Random */ +static const uint8_t kMsg[] = { + 0x69, 0xbc, 0x9f, 0xce, 0x68, 0x17, 0xc2, 0x10, 0xea, 0xfc, 0x10, 0x65, 0x67, 0x52, 0xed, 0x78, + 0x6e, 0xb8, 0x83, 0x9c, 0x9a, 0xb4, 0x56, 0x0d, 0xc1, 0x0d, 0x1f, 0x78, 0x6e, 0x75, 0xd7, 0xbe, + 0x92, 0x6b, 0x12, 0xf6, 0x76, 0x60, 0x8e, 0xb1, 0xf4, 0x19, 0x0c, 0x81, 0xe7, 0x54, 0x5e, 0xbc, + 0xe0, 0xae, 0xc2, 0x7d, 0x1b, 0xc4, 0x6e, 0xec, 0xb1, 0x99, 0x6c, 0xbf, 0x0e, 0x38, 0xa8, 0x01, + 0xa6, 0x9a, 0x48, 0x12, 0xe4, 0xc9, 0x3b, 0xf0, 0x63, 0x46, 0x15, 0xb4, 0x61, 0xa8, 0x1a, 0x60, + 0x71, 0x87, 0x98, 0xd7, 0x6f, 0x98, 0x7b, 0x2d, 0xb9, 0x19, 0x1b, 0x21, 0x9c, 0x70, 0x58, 0xe8, + 0x0d, 0x0f, 0xe9, 0x2d, 0x9a, 0x9a, 0xf1, 0x55, 0xa0, 0x4c, 0xd3, 0x07, 0xbd, 0x97, 0x48, 0xec, + 0x88, 0x0a, 0xaf, 0xb3, 0x80, 0x78, 0xa4, 0x59, 0x43, 0x57, 0xd3, 0xa7, 0x01, 0x66, 0x0e, 0xfc +}; + +/* ECC Private Key "d" */ +static const uint8_t kPrivKey[] = { +#ifdef HAVE_ECC384 + /* SECP384R1 */ + /* d */ + 0xa4, 0xe5, 0x06, 0xe8, 0x06, 0x16, 0x3e, 0xab, + 0x89, 0xf8, 0x60, 0x43, 0xc0, 0x60, 0x25, 0xdb, + 0xba, 0x7b, 0xfe, 0x19, 0x35, 0x08, 0x55, 0x65, + 0x76, 0xe2, 0xdc, 0xe0, 0x01, 0x8b, 0x6b, 0x68, + 0xdf, 0xcf, 0x6f, 0x80, 0x12, 0xce, 0x79, 0x37, + 0xeb, 0x2b, 0x9c, 0x7b, 0xc4, 0x68, 0x1c, 0x74 +#else + /* SECP256R1 */ + /* d */ + 0x1e, 0xe7, 0x70, 0x07, 0xd3, 0x30, 0x94, 0x39, + 0x28, 0x90, 0xdf, 0x23, 0x88, 0x2c, 0x4a, 0x34, + 0x15, 0xdb, 0x4c, 0x43, 0xcd, 0xfa, 0xe5, 0x1f, + 0x3d, 0x4c, 0x37, 0xfe, 0x59, 0x3b, 0x96, 0xd8 +#endif +}; + +/* ECC public key Qx/Qy */ +static const uint8_t kPubKey[] = { +#ifdef HAVE_ECC384 + /* SECP384R1 */ + /* Qx */ + 0xea, 0xcf, 0x93, 0x4f, 0x2c, 0x09, 0xbb, 0x39, + 0x14, 0x0f, 0x56, 0x64, 0xc3, 0x40, 0xb4, 0xdf, + 0x0e, 0x63, 0xae, 0xe5, 0x71, 0x4b, 0x00, 0xcc, + 0x04, 0x97, 0xff, 0xe1, 0xe9, 0x38, 0x96, 0xbb, + 0x5f, 0x91, 0xb2, 0x6a, 0xcc, 0xb5, 0x39, 0x5f, + 0x8f, 0x70, 0x59, 0xf1, 0x01, 0xf6, 0x5a, 0x2b, + /* Qy */ + 0x01, 0x6c, 0x68, 0x0b, 0xcf, 0x55, 0x25, 0xaf, + 0x6d, 0x98, 0x48, 0x0a, 0xa8, 0x74, 0xc9, 0xa9, + 0x17, 0xa0, 0x0c, 0xc3, 0xfb, 0xd3, 0x23, 0x68, + 0xfe, 0x04, 0x3c, 0x63, 0x50, 0x88, 0x3b, 0xb9, + 0x4f, 0x7c, 0x67, 0x34, 0xf7, 0x3b, 0xa9, 0x73, + 0xe7, 0x1b, 0xc3, 0x51, 0x5e, 0x22, 0x18, 0xec +#else + /* SECP256R1 */ + /* Qx */ + 0x96, 0x93, 0x1c, 0x53, 0x0b, 0x43, 0x6c, 0x42, + 0x0c, 0x52, 0x90, 0xe4, 0xa7, 0xec, 0x98, 0xb1, + 0xaf, 0xd4, 0x14, 0x49, 0xd8, 0xc1, 0x42, 0x82, + 0x04, 0x78, 0xd1, 0x90, 0xae, 0xa0, 0x6c, 0x07, + /* Qy */ + 0xf2, 0x3a, 0xb5, 0x10, 0x32, 0x8d, 0xce, 0x9e, + 0x76, 0xa0, 0xd2, 0x8c, 0xf3, 0xfc, 0xa9, 0x94, + 0x43, 0x24, 0xe6, 0x82, 0x00, 0x40, 0xc6, 0xdb, + 0x1c, 0x2f, 0xcd, 0x38, 0x4b, 0x60, 0xdd, 0x61 +#endif +}; + +/* ECC Curve */ +#ifdef HAVE_ECC384 + /* SECP384R1 */ + #define ECC_CURVE_SZ 48 + #define ECC_CURVE_ID ECC_SECP384R1 +#else + /* SECP256R1 */ + #define ECC_CURVE_SZ 32 + #define ECC_CURVE_ID ECC_SECP256R1 +#endif + +/* Hash Algorithm */ +#if defined(HAVE_ECC384) && defined(WOLFSSL_SHA3) + #define HASH_DIGEST_SZ WC_SHA3_384_DIGEST_SIZE + #define HASH_SHA_VER 3 + #define CRYPTO_HASH_FN crypto_sha3_384 +#elif defined(HAVE_ECC384) && defined(WOLFSSL_SHA384) + #define HASH_DIGEST_SZ WC_SHA384_DIGEST_SIZE + #define HASH_SHA_VER 2 + #define CRYPTO_HASH_FN crypto_sha2_384 +#elif !defined(NO_SHA256) + #define HASH_DIGEST_SZ WC_SHA256_DIGEST_SIZE + #define HASH_SHA_VER 2 + #define CRYPTO_HASH_FN crypto_sha2_256 +#else + #error test configuration not supported +#endif + +#if defined(HAVE_ECC384) && defined(WOLFSSL_SHA3) +/* helper to perform hashing block by block */ +static int crypto_sha3_384(const uint8_t *buf, uint32_t len, uint8_t *hash, + uint32_t hashSz, uint32_t blkSz) +{ + int ret; + uint32_t i = 0, chunk; + wc_Sha3 sha3; + + /* validate arguments */ + if ((buf == NULL && len > 0) || hash == NULL || + hashSz < WC_SHA3_384_DIGEST_SIZE || blkSz == 0) + { + return BAD_FUNC_ARG; + } + + /* Init Sha3_384 structure */ + ret = wc_InitSha3_384(&sha3, NULL, INVALID_DEVID); + if (ret != 0) { + return ret; + } + while (i < len) { + chunk = blkSz; + if ((chunk + i) > len) + chunk = len - i; + /* Perform chunked update */ + ret = wc_Sha3_384_Update(&sha3, (buf + i), chunk); + if (ret != 0) { + break; + } + i += chunk; + } + if (ret == 0) { + /* Get final digest result */ + ret = wc_Sha3_384_Final(&sha3, hash); + } + return ret; +} +#elif defined(HAVE_ECC384) && defined(WOLFSSL_SHA384) +/* helper to perform hashing block by block */ +static int crypto_sha2_384(const uint8_t *buf, uint32_t len, uint8_t *hash, + uint32_t hashSz, uint32_t blkSz) +{ + int ret; + uint32_t i = 0, chunk; + wc_Sha384 sha384; + + /* validate arguments */ + if ((buf == NULL && len > 0) || hash == NULL || + hashSz < WC_SHA384_DIGEST_SIZE || blkSz == 0) + { + return BAD_FUNC_ARG; + } + + /* Init Sha384 structure */ + ret = wc_InitSha384(&sha384); + if (ret != 0) { + return ret; + } + while (i < len) { + chunk = blkSz; + if ((chunk + i) > len) + chunk = len - i; + /* Perform chunked update */ + ret = wc_Sha384Update(&sha384, (buf + i), chunk); + if (ret != 0) { + break; + } + i += chunk; + } + if (ret == 0) { + /* Get final digest result */ + ret = wc_Sha384Final(&sha384, hash); + } + return ret; +} +#elif !defined(NO_SHA256) +/* helper to perform hashing block by block */ +static int crypto_sha2_256(const uint8_t *buf, uint32_t len, uint8_t *hash, + uint32_t hashSz, uint32_t blkSz) +{ + int ret; + uint32_t i = 0, chunk; + wc_Sha256 sha256; + + /* validate arguments */ + if ((buf == NULL && len > 0) || hash == NULL || + hashSz < WC_SHA256_DIGEST_SIZE || blkSz == 0) + { + return BAD_FUNC_ARG; + } + + /* Init Sha256 structure */ + ret = wc_InitSha256(&sha256); + if (ret != 0) { + return ret; + } + while (i < len) { + chunk = blkSz; + if ((chunk + i) > len) + chunk = len - i; + /* Perform chunked update */ + ret = wc_Sha256Update(&sha256, (buf + i), chunk); + if (ret != 0) { + break; + } + i += chunk; + } + if (ret == 0) { + /* Get final digest result */ + ret = wc_Sha256Final(&sha256, hash); + } + return ret; +} +#endif + +/* perform verify of signature and hash using public key */ +/* key is public Qx + public Qy */ +/* sig is r + s */ +static int crypto_ecc_verify(const uint8_t *key, uint32_t keySz, + const uint8_t *hash, uint32_t hashSz, const uint8_t *sig, uint32_t sigSz, + uint32_t curveSz, int curveId) +{ + int ret, verify_res = 0; + mp_int r, s; + ecc_key ecc; + ecc_nb_ctx_t nb_ctx; + + /* validate arguments */ + if (key == NULL || hash == NULL || sig == NULL || curveSz == 0 || + hashSz == 0 || keySz < (curveSz*2) || sigSz < (curveSz*2)) + { + return BAD_FUNC_ARG; + } + + /* Setup the ECC key */ + ret = wc_ecc_init(&ecc); + if (ret < 0) { + return ret; + } + + ret = wc_ecc_set_nonblock(&ecc, &nb_ctx); + if (ret != MP_OKAY) { + wc_ecc_free(&ecc); + return ret; + } + + /* Setup the signature r/s variables */ + ret = mp_init(&r); + if (ret != MP_OKAY) { + wc_ecc_free(&ecc); + return ret; + } + ret = mp_init(&s); + if (ret != MP_OKAY) { + mp_clear(&r); + wc_ecc_free(&ecc); + return ret; + } + + /* Import public key x/y */ + ret = wc_ecc_import_unsigned( + &ecc, + (byte*)key, /* Public "x" Coordinate */ + (byte*)(key + curveSz), /* Public "y" Coordinate */ + NULL, /* Private "d" (optional) */ + curveId /* ECC Curve Id */ + ); + /* Make sure it was a public key imported */ + if (ret == 0 && ecc.type != ECC_PUBLICKEY) { + ret = ECC_BAD_ARG_E; + } + + /* Import signature r/s */ + if (ret == 0) { + ret = mp_read_unsigned_bin(&r, sig, curveSz); + } + if (ret == 0) { + ret = mp_read_unsigned_bin(&s, sig + curveSz, curveSz); + } + + /* Verify ECC Signature */ + if (ret == 0) { + do { + ret = wc_ecc_verify_hash_ex( + &r, &s, /* r/s as mp_int */ + hash, hashSz, /* computed hash digest */ + &verify_res, /* verification result 1=success */ + &ecc + ); + + /* TODO: Real-time work can be called here */ + } while (ret == FP_WOULDBLOCK); + } + + /* check verify result */ + if (ret == 0 && verify_res == 0) { + ret = SIG_VERIFY_E; + } + + mp_clear(&r); + mp_clear(&s); + wc_ecc_free(&ecc); + + return ret; +} + +/* perform signature operation against hash using private key */ +static int crypto_ecc_sign(const uint8_t *key, uint32_t keySz, + const uint8_t *hash, uint32_t hashSz, uint8_t *sig, uint32_t* sigSz, + uint32_t curveSz, int curveId, WC_RNG* rng) +{ + int ret; + mp_int r, s; + ecc_key ecc; + ecc_nb_ctx_t nb_ctx; + + /* validate arguments */ + if (key == NULL || hash == NULL || sig == NULL || sigSz == NULL || + curveSz == 0 || hashSz == 0 || keySz < curveSz || *sigSz < (curveSz*2)) + { + return BAD_FUNC_ARG; + } + + /* Initialize signature result */ + memset(sig, 0, curveSz*2); + + /* Setup the ECC key */ + ret = wc_ecc_init(&ecc); + if (ret < 0) { + return ret; + } + + ret = wc_ecc_set_nonblock(&ecc, &nb_ctx); + if (ret != MP_OKAY) { + wc_ecc_free(&ecc); + return ret; + } + + /* Setup the signature r/s variables */ + ret = mp_init(&r); + if (ret != MP_OKAY) { + wc_ecc_free(&ecc); + return ret; + } + ret = mp_init(&s); + if (ret != MP_OKAY) { + mp_clear(&r); + wc_ecc_free(&ecc); + return ret; + } + + /* Import private key "k" */ + ret = wc_ecc_import_private_key_ex( + key, keySz, /* private key "d" */ + NULL, 0, /* public (optional) */ + &ecc, + curveId /* ECC Curve Id */ + ); + + if (ret == 0) { + do { + /* Verify ECC Signature */ + ret = wc_ecc_sign_hash_ex( + hash, hashSz, /* computed hash digest */ + rng, &ecc, /* random and key context */ + &r, &s /* r/s as mp_int */ + ); + + /* TODO: Real-time work can be called here */ + } while (ret == FP_WOULDBLOCK); + } + + if (ret == 0) { + /* export r/s */ + mp_to_unsigned_bin(&r, sig); + mp_to_unsigned_bin(&s, sig + curveSz); + } + + mp_clear(&r); + mp_clear(&s); + wc_ecc_free(&ecc); + + return ret; +} + +static int ecc_test_nonblock(WC_RNG* rng) +{ + int ret; + uint8_t hash[HASH_DIGEST_SZ]; + uint8_t sig[ECC_CURVE_SZ*2]; + uint32_t sigSz = sizeof(sig); + + ret = CRYPTO_HASH_FN( + kMsg, sizeof(kMsg), /* input message */ + hash, sizeof(hash), /* hash digest result */ + 32 /* configurable block / chunk size */ + ); + if (ret == 0) { + /* Sign hash using private key */ + /* Note: result of an ECC sign varies for each call even with same + private key and hash. This is because a new random public key is + used for each operation. */ + ret = crypto_ecc_sign( + kPrivKey, sizeof(kPrivKey), /* private key */ + hash, sizeof(hash), /* computed hash digest */ + sig, &sigSz, /* signature r/s */ + ECC_CURVE_SZ, /* curve size in bytes */ + ECC_CURVE_ID, /* curve id */ + rng + ); + } + + if (ret == 0) { + /* Verify generated signature is valid */ + ret = crypto_ecc_verify( + kPubKey, sizeof(kPubKey), /* public key point x/y */ + hash, sizeof(hash), /* computed hash digest */ + sig, sigSz, /* signature r/s */ + ECC_CURVE_SZ, /* curve size in bytes */ + ECC_CURVE_ID /* curve id */ + ); + } + + return ret; +} +#endif /* WC_ECC_NONBLOCK && WOLFSSL_PUBLIC_MP && HAVE_ECC_SIGN && HAVE_ECC_VERIFY */ + int ecc_test(void) { int ret; @@ -20193,6 +20620,14 @@ int ecc_test(void) } #endif +#if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_PUBLIC_MP) && \ + defined(HAVE_ECC_SIGN) && defined(HAVE_ECC_VERIFY) + ret = ecc_test_nonblock(&rng); + if (ret != 0) { + printf("ecc_test_nonblock failed!: %d\n", ret); + } +#endif + done: wc_FreeRng(&rng);