Merge pull request #6939 from minosgalanakis/bignum/6027_hardcode_montgomery_moduli
Bignum: hardcode montgomery moduli
diff --git a/library/ecp.c b/library/ecp.c
index d9d5425..08fbe86 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -582,11 +582,9 @@
}
if (grp->h != 1) {
- mbedtls_mpi_free(&grp->P);
mbedtls_mpi_free(&grp->A);
mbedtls_mpi_free(&grp->B);
mbedtls_ecp_point_free(&grp->G);
- mbedtls_mpi_free(&grp->N);
}
if (!ecp_group_is_static_comb_table(grp) && grp->T != NULL) {
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index e62dcea..727283f 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -4502,7 +4502,9 @@
#endif
#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
-#if defined(ECP_LOAD_GROUP)
+
+#if defined(ECP_LOAD_GROUP) || defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
/*
* Create an MPI from embedded constants
* (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
@@ -4513,7 +4515,9 @@
X->n = len / sizeof(mbedtls_mpi_uint);
X->p = (mbedtls_mpi_uint *) p;
}
+#endif
+#if defined(ECP_LOAD_GROUP)
/*
* Set an MPI to static value 1
*/
@@ -4627,9 +4631,21 @@
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
/* Constants used by ecp_use_curve25519() */
static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
-static const unsigned char curve25519_part_of_n[] = {
- 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
- 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED,
+
+/* P = 2^255 - 19 */
+static const mbedtls_mpi_uint curve25519_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0X7F)
+};
+
+/* N = 2^252 + 27742317777372353535851937790883648493 */
+static const mbedtls_mpi_uint curve25519_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0XED, 0XD3, 0XF5, 0X5C, 0X1A, 0X63, 0X12, 0X58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XD6, 0X9C, 0XF7, 0XA2, 0XDE, 0XF9, 0XDE, 0X14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10)
};
/*
@@ -4642,16 +4658,11 @@
/* Actually ( A + 2 ) / 4 */
MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve25519_a24));
- /* P = 2^255 - 19 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 255));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 19));
+ ecp_mpi_load(&grp->P, curve25519_p, sizeof(curve25519_p));
+
grp->pbits = mbedtls_mpi_bitlen(&grp->P);
- /* N = 2^252 + 27742317777372353535851937790883648493 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&grp->N,
- curve25519_part_of_n, sizeof(curve25519_part_of_n)));
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 252, 1));
+ ecp_mpi_load(&grp->N, curve25519_n, sizeof(curve25519_n));
/* Y intentionally not set, since we use x/z coordinates.
* This is used as a marker to identify Montgomery curves! */
@@ -4674,11 +4685,29 @@
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
/* Constants used by ecp_use_curve448() */
static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
-static const unsigned char curve448_part_of_n[] = {
- 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24,
- 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93,
- 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC,
- 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D,
+
+/* P = 2^448 - 2^224 - 1 */
+static const mbedtls_mpi_uint curve448_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFE, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00)
+};
+
+/* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
+static const mbedtls_mpi_uint curve448_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0XF3, 0X44, 0X58, 0XAB, 0X92, 0XC2, 0X78, 0X23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X55, 0X8F, 0XC5, 0X8D, 0X72, 0XC2, 0X6C, 0X21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X90, 0X36, 0XD6, 0XAE, 0X49, 0XDB, 0X4E, 0XC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XE9, 0X23, 0XCA, 0X7C, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0X3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00)
};
/*
@@ -4686,20 +4715,12 @@
*/
static int ecp_use_curve448(mbedtls_ecp_group *grp)
{
- mbedtls_mpi Ns;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi_init(&Ns);
-
/* Actually ( A + 2 ) / 4 */
MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve448_a24));
- /* P = 2^448 - 2^224 - 1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1));
+ ecp_mpi_load(&grp->P, curve448_p, sizeof(curve448_p));
grp->pbits = mbedtls_mpi_bitlen(&grp->P);
/* Y intentionally not set, since we use x/z coordinates.
@@ -4708,17 +4729,12 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
mbedtls_mpi_free(&grp->G.Y);
- /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 446, 1));
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&Ns,
- curve448_part_of_n, sizeof(curve448_part_of_n)));
- MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&grp->N, &grp->N, &Ns));
+ ecp_mpi_load(&grp->N, curve448_n, sizeof(curve448_n));
/* Actually, the required msb for private keys */
grp->nbits = 447;
cleanup:
- mbedtls_mpi_free(&Ns);
if (ret != 0) {
mbedtls_ecp_group_free(grp);
}
diff --git a/library/pkparse.c b/library/pkparse.c
index 990b554..ccca692 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -429,7 +429,18 @@
ret = pk_group_id_from_group(&grp, grp_id);
cleanup:
- mbedtls_ecp_group_free(&grp);
+ /* The API respecting lifecycle for mbedtls_ecp_group struct is
+ * _init(), _load() and _free(). In pk_group_id_from_specified() the
+ * temporary grp breaks that flow and it's members are populated
+ * by pk_group_id_from_group(). As such mbedtls_ecp_group_free()
+ * which is assuming a group populated by _setup() may not clean-up
+ * properly -> Manually free it's members.
+ */
+ mbedtls_mpi_free(&grp.N);
+ mbedtls_mpi_free(&grp.P);
+ mbedtls_mpi_free(&grp.A);
+ mbedtls_mpi_free(&grp.B);
+ mbedtls_ecp_point_free(&grp.G);
return ret;
}