Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / tpm2 / 7c2f61d943dd0e34764aae12e845ee3f1f98fdd3 / . / CpriECC.c
blob: f22022963da6c692fd58c947717e56d740432542 [file] [log] [blame]
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1// This file was extracted from the TCG Published
2// Trusted Platform Module Library
3// Part 4: Supporting Routines
4// Family "2.0"
5// Level 00 Revision 01.16
6// October 30, 2014
7
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]8#include <string.h>
9
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]10#include "OsslCryptoEngine.h"
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]11
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]12#ifdef TPM_ALG_ECC
13#include "CpriDataEcc.h"
14#include "CpriDataEcc.c"
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]15
16/*
17 * TODO(vbendeb): this structure is supposed to be defined in the openssl
18 * include files, but is not. Adding missing fields to it by hand, this will
19 * have to be validated.
20 */
21struct ec_group_st {
22 BIGNUM field;
23 BIGNUM order;
24};
25
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]26//
27//
28// Functions
29//
30// _cpri__EccStartup()
31//
32// This function is called at TPM Startup to initialize the crypto units.
33// In this implementation, no initialization is performed at startup but a future version may initialize the self-
34// test functions here.
35//
36LIB_EXPORT BOOL
37_cpri__EccStartup(
38 void
39 )
40{
41 return TRUE;
42}
43//
44//
45// _cpri__GetCurveIdByIndex()
46//
47// This function returns the number of the i-th implemented curve. The normal use would be to call this
48// function with i starting at 0. When the i is greater than or equal to the number of implemented curves,
49// TPM_ECC_NONE is returned.
50//
51LIB_EXPORT TPM_ECC_CURVE
52_cpri__GetCurveIdByIndex(
53 UINT16 i
54 )
55{
56 if(i >= ECC_CURVE_COUNT)
57 return TPM_ECC_NONE;
58 return eccCurves[i].curveId;
59}
60LIB_EXPORT UINT32
61_cpri__EccGetCurveCount(
62 void
63 )
64{
65 return ECC_CURVE_COUNT;
66}
67//
68//
69// _cpri__EccGetParametersByCurveId()
70//
71// This function returns a pointer to the curve data that is associated with the indicated curveId. If there is no
72// curve with the indicated ID, the function returns NULL.
73//
74//
75//
76//
77// Return Value Meaning
78//
79// NULL curve with the indicated TPM_ECC_CURVE value is not
80// implemented
81// non-NULL pointer to the curve data
82//
83LIB_EXPORT const ECC_CURVE *
84_cpri__EccGetParametersByCurveId(
85 TPM_ECC_CURVE curveId // IN: the curveID
86 )
87{
88 int i;
89 for(i = 0; i < ECC_CURVE_COUNT; i++)
90 {
91 if(eccCurves[i].curveId == curveId)
92 return &eccCurves[i];
93 }
94 FAIL(FATAL_ERROR_INTERNAL);
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]95
96 return NULL; // Never reached.
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]97}
98static const ECC_CURVE_DATA *
99GetCurveData(
100 TPM_ECC_CURVE curveId // IN: the curveID
101 )
102{
103 const ECC_CURVE *curve = _cpri__EccGetParametersByCurveId(curveId);
104 return curve->curveData;
105}
106//
107//
108// Point2B()
109//
110// This function makes a TPMS_ECC_POINT from a BIGNUM EC_POINT.
111//
112static BOOL
113Point2B(
114 EC_GROUP *group, // IN: group for the point
115 TPMS_ECC_POINT *p, // OUT: receives the converted point
116 EC_POINT *ecP, // IN: the point to convert
117 INT16 size, // IN: size of the coordinates
118 BN_CTX *context // IN: working context
119 )
120{
121 BIGNUM *bnX;
122 BIGNUM *bnY;
123 BN_CTX_start(context);
124 bnX = BN_CTX_get(context);
125 bnY = BN_CTX_get(context);
126 if( bnY == NULL
127 // Get the coordinate values
128 || EC_POINT_get_affine_coordinates_GFp(group, ecP, bnX, bnY, context) != 1
129 // Convert x
130 || (!BnTo2B(&p->x.b, bnX, size))
131 // Convert y
132 || (!BnTo2B(&p->y.b, bnY, size))
133 )
134 FAIL(FATAL_ERROR_INTERNAL);
135 BN_CTX_end(context);
136 return TRUE;
137}
138//
139//
140// EccCurveInit()
141//
142// This function initializes the OpenSSL() group definition structure
143// This function is only used within this file.
144// It is a fatal error if groupContext is not provided.
145//
146// Return Value Meaning
147//
148// NULL the TPM_ECC_CURVE is not valid
149// non-NULL points to a structure in groupContext static EC_GROUP *
150//
151static EC_GROUP *
152EccCurveInit(
153 TPM_ECC_CURVE curveId, // IN: the ID of the curve
154 BN_CTX *groupContext // IN: the context in which the group is to be
155 // created
156 )
157{
158 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
159 EC_GROUP *group = NULL;
160 EC_POINT *P = NULL;
161 BN_CTX *context;
162 BIGNUM *bnP;
163 BIGNUM *bnA;
164 BIGNUM *bnB;
165 BIGNUM *bnX;
166 BIGNUM *bnY;
167 BIGNUM *bnN;
168 BIGNUM *bnH;
169 int ok = FALSE;
170 // Context must be provided and curve selector must be valid
171 pAssert(groupContext != NULL && curveData != NULL);
172 context = BN_CTX_new();
173 if(context == NULL)
174 FAIL(FATAL_ERROR_ALLOCATION);
175 BN_CTX_start(context);
176 bnP = BN_CTX_get(context);
177 bnA = BN_CTX_get(context);
178 bnB = BN_CTX_get(context);
179 bnX = BN_CTX_get(context);
180 bnY = BN_CTX_get(context);
181 bnN = BN_CTX_get(context);
182 bnH = BN_CTX_get(context);
183 if (bnH == NULL)
184 goto Cleanup;
185 // Convert the number formats
186 BnFrom2B(bnP, curveData->p);
187 BnFrom2B(bnA, curveData->a);
188 BnFrom2B(bnB, curveData->b);
189 BnFrom2B(bnX, curveData->x);
190 BnFrom2B(bnY, curveData->y);
191 BnFrom2B(bnN, curveData->n);
192 BnFrom2B(bnH, curveData->h);
193 // initialize EC group, associate a generator point and initialize the point
194 // from the parameter data
195 ok = ( (group = EC_GROUP_new_curve_GFp(bnP, bnA, bnB, groupContext)) != NULL
196 && (P = EC_POINT_new(group)) != NULL
197 && EC_POINT_set_affine_coordinates_GFp(group, P, bnX, bnY, groupContext)
198 && EC_GROUP_set_generator(group, P, bnN, bnH)
199 );
200Cleanup:
201 if (!ok && group != NULL)
202 {
203 EC_GROUP_free(group);
204 group = NULL;
205 }
206 if(P != NULL)
207 EC_POINT_free(P);
208 BN_CTX_end(context);
209 BN_CTX_free(context);
210 return group;
211}
212//
213//
214// PointFrom2B()
215//
216// This function sets the coordinates of an existing BN Point from a TPMS_ECC_POINT.
217//
218static EC_POINT *
219PointFrom2B(
220 EC_GROUP *group, // IN: the group for the point
221 EC_POINT *ecP, // IN: an existing BN point in the group
222 TPMS_ECC_POINT *p, // IN: the 2B coordinates of the point
223 BN_CTX *context // IN: the BIGNUM context
224 )
225{
226 BIGNUM *bnX;
227 BIGNUM *bnY;
228 // If the point is not allocated then just return a NULL
229 if(ecP == NULL)
230 return NULL;
231 BN_CTX_start(context);
232 bnX = BN_CTX_get(context);
233 bnY = BN_CTX_get(context);
234 if( // Set the coordinates of the point
235 bnY == NULL
236 || BN_bin2bn(p->x.t.buffer, p->x.t.size, bnX) == NULL
237 || BN_bin2bn(p->y.t.buffer, p->y.t.size, bnY) == NULL
238 || !EC_POINT_set_affine_coordinates_GFp(group, ecP, bnX, bnY, context)
239 )
240 FAIL(FATAL_ERROR_INTERNAL);
241 BN_CTX_end(context);
242 return ecP;
243}
244//
245//
246// EccInitPoint2B()
247//
248// This function allocates a point in the provided group and initializes it with the values in a
249// TPMS_ECC_POINT.
250//
251static EC_POINT *
252EccInitPoint2B(
253 EC_GROUP *group, // IN: group for the point
254 TPMS_ECC_POINT *p, // IN: the coordinates for the point
255 BN_CTX *context // IN: the BIGNUM context
256 )
257{
258 EC_POINT *ecP;
259 BN_CTX_start(context);
260 ecP = EC_POINT_new(group);
261 if(PointFrom2B(group, ecP, p, context) == NULL)
262 FAIL(FATAL_ERROR_INTERNAL);
263 BN_CTX_end(context);
264 return ecP;
265}
266//
267//
268// PointMul()
269//
270// This function does a point multiply and checks for the result being the point at infinity. Q = ([A]G + [B]P)
271//
272// Return Value Meaning
273//
274// CRYPT_NO_RESULT point is at infinity
275// CRYPT_SUCCESS point not at infinity
276//
277static CRYPT_RESULT
278PointMul(
279 EC_GROUP *group, // IN: group curve
280 EC_POINT *ecpQ, // OUT: result
281 BIGNUM *bnA, // IN: scalar for [A]G
282 EC_POINT *ecpP, // IN: point for [B]P
283 BIGNUM *bnB, // IN: scalar for [B]P
284 BN_CTX *context // IN: working context
285 )
286{
287 if(EC_POINT_mul(group, ecpQ, bnA, ecpP, bnB, context) != 1)
288 FAIL(FATAL_ERROR_INTERNAL);
289 if(EC_POINT_is_at_infinity(group, ecpQ))
290 return CRYPT_NO_RESULT;
291 return CRYPT_SUCCESS;
292}
293//
294//
295// GetRandomPrivate()
296//
297// This function gets a random value (d) to use as a private ECC key and then qualifies the key so that it is
298// between 0 < d < n.
299// It is a fatal error if dOut or pIn is not provided or if the size of pIn is larger than MAX_ECC_KEY_BYTES
300// (the largest buffer size of a TPM2B_ECC_PARAMETER)
301//
302static void
303GetRandomPrivate(
304 TPM2B_ECC_PARAMETER *dOut, // OUT: the qualified random value
305 const TPM2B *pIn // IN: the maximum value for the key
306 )
307{
308 int i;
309 BYTE *pb;
310 pAssert(pIn != NULL && dOut != NULL && pIn->size <= MAX_ECC_KEY_BYTES);
311 // Set the size of the output
312 dOut->t.size = pIn->size;
313 // Get some random bits
314 while(TRUE)
315 {
316 _cpri__GenerateRandom(dOut->t.size, dOut->t.buffer);
317 // See if the d < n
318 if(memcmp(dOut->t.buffer, pIn->buffer, pIn->size) < 0)
319 {
320 // dOut < n so make sure that 0 < dOut
321 for(pb = dOut->t.buffer, i = dOut->t.size; i > 0; i--)
322 {
323 if(*pb++ != 0)
324 return;
325 }
326 }
327 }
328}
329//
330//
331// Mod2B()
332//
333// Function does modular reduction of TPM2B values.
334//
335static CRYPT_RESULT
336Mod2B(
337 TPM2B *x, // IN/OUT: value to reduce
338 const TPM2B *n // IN: mod
339 )
340{
341 int compare;
342 compare = _math__uComp(x->size, x->buffer, n->size, n->buffer);
343 if(compare < 0)
344 // if x < n, then mod is x
345 return CRYPT_SUCCESS;
346 if(compare == 0)
347 {
348 // if x == n then mod is 0
349 x->size = 0;
350 x->buffer[0] = 0;
351 return CRYPT_SUCCESS;
352 }
353 return _math__Div(x, n, NULL, x);
354}
355//
356//
357// _cpri__EccPointMultiply
358//
359// This function computes 'R := [dIn]G + [uIn]QIn. Where dIn and uIn are scalars, G and QIn are points on
360// the specified curve and G is the default generator of the curve.
361// The xOut and yOut parameters are optional and may be set to NULL if not used.
362// It is not necessary to provide uIn if QIn is specified but one of uIn and dIn must be provided. If dIn and
363// QIn are specified but uIn is not provided, then R = [dIn]QIn.
364// If the multiply produces the point at infinity, the CRYPT_NO_RESULT is returned.
365// The sizes of xOut and yOut' will be set to be the size of the degree of the curve
366// It is a fatal error if dIn and uIn are both unspecified (NULL) or if Qin or Rout is unspecified.
367//
368//
369//
370//
371// Return Value Meaning
372//
373// CRYPT_SUCCESS point multiplication succeeded
374// CRYPT_POINT the point Qin is not on the curve
375// CRYPT_NO_RESULT the product point is at infinity
376//
377LIB_EXPORT CRYPT_RESULT
378_cpri__EccPointMultiply(
379 TPMS_ECC_POINT *Rout, // OUT: the product point R
380 TPM_ECC_CURVE curveId, // IN: the curve to use
381 TPM2B_ECC_PARAMETER *dIn, // IN: value to multiply against the
382 // curve generator
383 TPMS_ECC_POINT *Qin, // IN: point Q
384 TPM2B_ECC_PARAMETER *uIn // IN: scalar value for the multiplier
385 // of Q
386 )
387{
388 BN_CTX *context;
389 BIGNUM *bnD;
390 BIGNUM *bnU;
391 EC_GROUP *group;
392 EC_POINT *R = NULL;
393 EC_POINT *Q = NULL;
394 CRYPT_RESULT retVal = CRYPT_SUCCESS;
395 // Validate that the required parameters are provided.
396 pAssert((dIn != NULL || uIn != NULL) && (Qin != NULL || dIn != NULL));
397 // If a point is provided for the multiply, make sure that it is on the curve
398 if(Qin != NULL && !_cpri__EccIsPointOnCurve(curveId, Qin))
399 return CRYPT_POINT;
400 context = BN_CTX_new();
401 if(context == NULL)
402 FAIL(FATAL_ERROR_ALLOCATION);
403 BN_CTX_start(context);
404 bnU = BN_CTX_get(context);
405 bnD = BN_CTX_get(context);
406 group = EccCurveInit(curveId, context);
407 // There should be no path for getting a bad curve ID into this function.
408 pAssert(group != NULL);
409 // check allocations should have worked and allocate R
410 if( bnD == NULL
411 || (R = EC_POINT_new(group)) == NULL)
412 FAIL(FATAL_ERROR_ALLOCATION);
413 // If Qin is present, create the point
414 if(Qin != NULL)
415 {
416 // Assume the size variables do not overflow. This should not happen in
417 // the contexts in which this function will be called.
418 assert2Bsize(Qin->x.t);
419 assert2Bsize(Qin->x.t);
420 Q = EccInitPoint2B(group, Qin, context);
421 }
422 if(dIn != NULL)
423 {
424 // Assume the size variables do not overflow, which should not happen in
425 // the contexts that this function will be called.
426 assert2Bsize(dIn->t);
427 BnFrom2B(bnD, &dIn->b);
428 }
429 else
430 bnD = NULL;
431 // If uIn is specified, initialize its BIGNUM
432 if(uIn != NULL)
433 {
434 // Assume the size variables do not overflow, which should not happen in
435 // the contexts that this function will be called.
436 assert2Bsize(uIn->t);
437 BnFrom2B(bnU, &uIn->b);
438 }
439 // If uIn is not specified but Q is, then we are going to
440 // do R = [d]Q
441 else if(Qin != NULL)
442 {
443 bnU = bnD;
444 bnD = NULL;
445 }
446 // If neither Q nor u is specified, then null this pointer
447 else
448 bnU = NULL;
449 // Use the generator of the curve
450 if((retVal = PointMul(group, R, bnD, Q, bnU, context)) == CRYPT_SUCCESS)
451 Point2B(group, Rout, R, (INT16) BN_num_bytes(&group->field), context);
452 if (Q)
453 EC_POINT_free(Q);
454 if(R)
455 EC_POINT_free(R);
456 if(group)
457 EC_GROUP_free(group);
458 BN_CTX_end(context);
459 BN_CTX_free(context);
460 return retVal;
461}
462//
463//
464// ClearPoint2B()
465//
466// Initialize the size values of a point
467//
468static void
469ClearPoint2B(
470 TPMS_ECC_POINT *p // IN: the point
471 )
472{
473 if(p != NULL) {
474 p->x.t.size = 0;
475 p->y.t.size = 0;
476 }
477}
478#if defined TPM_ALG_ECDAA || defined TPM_ALG_SM2 //%
479//
480//
481// _cpri__EccCommitCompute()
482//
483// This function performs the point multiply operations required by TPM2_Commit().
484// If B or M is provided, they must be on the curve defined by curveId. This routine does not check that they
485// are on the curve and results are unpredictable if they are not.
486//
487//
488//
489// It is a fatal error if r or d is NULL. If B is not NULL, then it is a fatal error if K and L are both NULL. If M is
490// not NULL, then it is a fatal error if E is NULL.
491//
492// Return Value Meaning
493//
494// CRYPT_SUCCESS computations completed normally
495// CRYPT_NO_RESULT if K, L or E was computed to be the point at infinity
496// CRYPT_CANCEL a cancel indication was asserted during this function
497//
498LIB_EXPORT CRYPT_RESULT
499_cpri__EccCommitCompute(
500 TPMS_ECC_POINT *K, // OUT: [d]B or [r]Q
501 TPMS_ECC_POINT *L, // OUT: [r]B
502 TPMS_ECC_POINT *E, // OUT: [r]M
503 TPM_ECC_CURVE curveId, // IN: the curve for the computations
504 TPMS_ECC_POINT *M, // IN: M (optional)
505 TPMS_ECC_POINT *B, // IN: B (optional)
506 TPM2B_ECC_PARAMETER *d, // IN: d (required)
507 TPM2B_ECC_PARAMETER *r // IN: the computed r value (required)
508 )
509{
510 BN_CTX *context;
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]511 BIGNUM *bnY, *bnR, *bnD;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]512 EC_GROUP *group;
513 EC_POINT *pK = NULL, *pL = NULL, *pE = NULL, *pM = NULL, *pB = NULL;
514 UINT16 keySizeInBytes;
515 CRYPT_RESULT retVal = CRYPT_SUCCESS;
516 // Validate that the required parameters are provided.
517 // Note: E has to be provided if computing E := [r]Q or E := [r]M. Will do
518 // E := [r]Q if both M and B are NULL.
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]519
520 pAssert((r && (K || !B) && (L || !B)) || (E || (!M && B)));
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]521 context = BN_CTX_new();
522 if(context == NULL)
523 FAIL(FATAL_ERROR_ALLOCATION);
524 BN_CTX_start(context);
525 bnR = BN_CTX_get(context);
526 bnD = BN_CTX_get(context);
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]527 bnY = BN_CTX_get(context);
528 if(bnY == NULL)
529 FAIL(FATAL_ERROR_ALLOCATION);
530 // Initialize the output points in case they are not computed
531 ClearPoint2B(K);
532 ClearPoint2B(L);
533 ClearPoint2B(E);
534 if((group = EccCurveInit(curveId, context)) == NULL)
535 {
536 retVal = CRYPT_PARAMETER;
537 goto Cleanup2;
538 }
539 keySizeInBytes = (UINT16) BN_num_bytes(&group->field);
540 // Sizes of the r and d parameters may not be zero
541 pAssert(((int) r->t.size > 0) && ((int) d->t.size > 0));
542 // Convert scalars to BIGNUM
543 BnFrom2B(bnR, &r->b);
544 BnFrom2B(bnD, &d->b);
545 // If B is provided, compute K=[d]B and L=[r]B
546 if(B != NULL)
547 {
548 // Allocate the points to receive the value
549 if( (pK = EC_POINT_new(group)) == NULL
550 || (pL = EC_POINT_new(group)) == NULL)
551 FAIL(FATAL_ERROR_ALLOCATION);
552 // need to compute K = [d]B
553 // Allocate and initialize BIGNUM version of B
554 pB = EccInitPoint2B(group, B, context);
555 // do the math for K = [d]B
556 if((retVal = PointMul(group, pK, NULL, pB, bnD, context)) != CRYPT_SUCCESS)
557 goto Cleanup;
558 // Convert BN K to TPM2B K
559 Point2B(group, K, pK, (INT16)keySizeInBytes, context);
560 // compute L= [r]B after checking for cancel
561 if(_plat__IsCanceled())
562 {
563 retVal = CRYPT_CANCEL;
564 goto Cleanup;
565 }
566 // compute L = [r]B
567 if((retVal = PointMul(group, pL, NULL, pB, bnR, context)) != CRYPT_SUCCESS)
568 goto Cleanup;
569 // Convert BN L to TPM2B L
570 Point2B(group, L, pL, (INT16)keySizeInBytes, context);
571 }
572 if(M != NULL || B == NULL)
573 {
574 // if this is the third point multiply, check for cancel first
575 if(B != NULL && _plat__IsCanceled())
576 {
577 retVal = CRYPT_CANCEL;
578 goto Cleanup;
579 }
580 // Allocate E
581 if((pE = EC_POINT_new(group)) == NULL)
582 FAIL(FATAL_ERROR_ALLOCATION);
583 // Create BIGNUM version of M unless M is NULL
584 if(M != NULL)
585 {
586 // M provided so initialize a BIGNUM M and compute E = [r]M
587 pM = EccInitPoint2B(group, M, context);
588 retVal = PointMul(group, pE, NULL, pM, bnR, context);
589 }
590 else
591 // compute E = [r]G (this is only done if M and B are both NULL
592 retVal = PointMul(group, pE, bnR, NULL, NULL, context);
593 if(retVal == CRYPT_SUCCESS)
594 // Convert E to 2B format
595 Point2B(group, E, pE, (INT16)keySizeInBytes, context);
596 }
597Cleanup:
598 EC_GROUP_free(group);
599 if(pK != NULL) EC_POINT_free(pK);
600 if(pL != NULL) EC_POINT_free(pL);
601 if(pE != NULL) EC_POINT_free(pE);
602 if(pM != NULL) EC_POINT_free(pM);
603 if(pB != NULL) EC_POINT_free(pB);
604Cleanup2:
605 BN_CTX_end(context);
606 BN_CTX_free(context);
607 return retVal;
608}
609#endif //%
610//
611//
612// _cpri__EccIsPointOnCurve()
613//
614// This function is used to test if a point is on a defined curve. It does this by checking that y^2 mod p = x^3
615// + a*x + b mod p
616// It is a fatal error if Q is not specified (is NULL).
617//
618// Return Value Meaning
619//
620// TRUE point is on curve
621// FALSE point is not on curve or curve is not supported
622//
623LIB_EXPORT BOOL
624_cpri__EccIsPointOnCurve(
625 TPM_ECC_CURVE curveId, // IN: the curve selector
626 TPMS_ECC_POINT *Q // IN: the point.
627 )
628{
629 BN_CTX *context;
630 BIGNUM *bnX;
631 BIGNUM *bnY;
632 BIGNUM *bnA;
633 BIGNUM *bnB;
634 BIGNUM *bnP;
635 BIGNUM *bn3;
636 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
637 BOOL retVal;
638 pAssert(Q != NULL && curveData != NULL);
639 if((context = BN_CTX_new()) == NULL)
640 FAIL(FATAL_ERROR_ALLOCATION);
641 BN_CTX_start(context);
642 bnX = BN_CTX_get(context);
643 bnY = BN_CTX_get(context);
644 bnA = BN_CTX_get(context);
645 bnB = BN_CTX_get(context);
646 bn3 = BN_CTX_get(context);
647 bnP = BN_CTX_get(context);
648 if(bnP == NULL)
649 FAIL(FATAL_ERROR_ALLOCATION);
650 // Convert values
651 if ( !BN_bin2bn(Q->x.t.buffer, Q->x.t.size, bnX)
652 || !BN_bin2bn(Q->y.t.buffer, Q->y.t.size, bnY)
653 || !BN_bin2bn(curveData->p->buffer, curveData->p->size, bnP)
654 || !BN_bin2bn(curveData->a->buffer, curveData->a->size, bnA)
655 || !BN_set_word(bn3, 3)
656 || !BN_bin2bn(curveData->b->buffer, curveData->b->size, bnB)
657 )
658 FAIL(FATAL_ERROR_INTERNAL);
659 // The following sequence is probably not optimal but it seems to be correct.
660 // compute x^3 + a*x + b mod p
661 // first, compute a*x mod p
662 if( !BN_mod_mul(bnA, bnA, bnX, bnP, context)
663//
664 // next, compute a*x + b mod p
665 || !BN_mod_add(bnA, bnA, bnB, bnP, context)
666 // next, compute X^3 mod p
667 || !BN_mod_exp(bnX, bnX, bn3, bnP, context)
668 // finally, compute x^3 + a*x + b mod p
669 || !BN_mod_add(bnX, bnX, bnA, bnP, context)
670 // then compute y^2
671 || !BN_mod_mul(bnY, bnY, bnY, bnP, context)
672 )
673 FAIL(FATAL_ERROR_INTERNAL);
674 retVal = BN_cmp(bnX, bnY) == 0;
675 BN_CTX_end(context);
676 BN_CTX_free(context);
677 return retVal;
678}
679//
680//
681// _cpri__GenerateKeyEcc()
682//
683// This function generates an ECC key pair based on the input parameters. This routine uses KDFa() to
684// produce candidate numbers. The method is according to FIPS 186-3, section B.4.1 "GKey() Pair
685// Generation Using Extra Random Bits." According to the method in FIPS 186-3, the resulting private value
686// d should be 1 <= d < n where n is the order of the base point. In this implementation, the range of the
687// private value is further restricted to be 2^(nLen/2) <= d < n where nLen is the order of n.
688//
689// EXAMPLE: If the curve is NIST-P256, then nLen is 256 bits and d will need to be between 2^128 <= d < n
690//
691// It is a fatal error if Qout, dOut, or seed is not provided (is NULL).
692//
693// Return Value Meaning
694//
695// CRYPT_PARAMETER the hash algorithm is not supported
696//
697LIB_EXPORT CRYPT_RESULT
698_cpri__GenerateKeyEcc(
699 TPMS_ECC_POINT *Qout, // OUT: the public point
700 TPM2B_ECC_PARAMETER *dOut, // OUT: the private scalar
701 TPM_ECC_CURVE curveId, // IN: the curve identifier
702 TPM_ALG_ID hashAlg, // IN: hash algorithm to use in the key
703 // generation process
704 TPM2B *seed, // IN: the seed to use
705 const char *label, // IN: A label for the generation
706 // process.
707 TPM2B *extra, // IN: Party 1 data for the KDF
708 UINT32 *counter // IN/OUT: Counter value to allow KDF
709 // iteration to be propagated across
710 // multiple functions
711 )
712{
713 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
714 INT16 keySizeInBytes;
715 UINT32 count = 0;
716 CRYPT_RESULT retVal;
717 UINT16 hLen = _cpri__GetDigestSize(hashAlg);
718 BIGNUM *bnNm1; // Order of the curve minus one
719 BIGNUM *bnD; // the private scalar
720 BN_CTX *context; // the context for the BIGNUM values
721 BYTE withExtra[MAX_ECC_KEY_BYTES + 8]; // trial key with
722 //extra bits
Vadim Bendebury0a050712015-05-29 11:35:04 -0700[diff] [blame]723 TPM2B_4_BYTE_VALUE marshaledCounter = {.t = {4}};
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]724 UINT32 totalBits;
725 // Validate parameters (these are fatal)
726 pAssert( seed != NULL && dOut != NULL && Qout != NULL && curveData != NULL);
727 // Non-fatal parameter checks.
728 if(hLen <= 0)
729 return CRYPT_PARAMETER;
730 // allocate the local BN values
731 context = BN_CTX_new();
732 if(context == NULL)
733 FAIL(FATAL_ERROR_ALLOCATION);
734 BN_CTX_start(context);
735 bnNm1 = BN_CTX_get(context);
736 bnD = BN_CTX_get(context);
737 // The size of the input scalars is limited by the size of the size of a
738 // TPM2B_ECC_PARAMETER. Make sure that it is not irrational.
739 pAssert((int) curveData->n->size <= MAX_ECC_KEY_BYTES);
740 if( bnD == NULL
741 || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnNm1) == NULL
742 || (keySizeInBytes = (INT16) BN_num_bytes(bnNm1)) > MAX_ECC_KEY_BYTES)
743 FAIL(FATAL_ERROR_INTERNAL);
744 // get the total number of bits
745 totalBits = BN_num_bits(bnNm1) + 64;
746 // Reduce bnNm1 from 'n' to 'n' - 1
747 BN_sub_word(bnNm1, 1);
748 // Initialize the count value
749 if(counter != NULL)
750 count = *counter;
751 if(count == 0)
752 count = 1;
753 // Start search for key (should be quick)
754 for(; count != 0; count++)
755 {
756 UINT32_TO_BYTE_ARRAY(count, marshaledCounter.t.buffer);
757 _cpri__KDFa(hashAlg, seed, label, extra, &marshaledCounter.b,
758 totalBits, withExtra, NULL, FALSE);
759 // Convert the result and modular reduce
760 // Assume the size variables do not overflow, which should not happen in
761 // the contexts that this function will be called.
762 pAssert(keySizeInBytes <= MAX_ECC_KEY_BYTES);
763 if ( BN_bin2bn(withExtra, keySizeInBytes+8, bnD) == NULL
764 || BN_mod(bnD, bnD, bnNm1, context) != 1)
765 FAIL(FATAL_ERROR_INTERNAL);
766 // Add one to get 0 < d < n
767 BN_add_word(bnD, 1);
768 if(BnTo2B(&dOut->b, bnD, keySizeInBytes) != 1)
769 FAIL(FATAL_ERROR_INTERNAL);
770 // Do the point multiply to create the public portion of the key. If
771 // the multiply generates the point at infinity (unlikely), do another
772 // iteration.
773 if( (retVal = _cpri__EccPointMultiply(Qout, curveId, dOut, NULL, NULL))
774 != CRYPT_NO_RESULT)
775 break;
776 }
777 if(count == 0) // if counter wrapped, then the TPM should go into failure mode
778 FAIL(FATAL_ERROR_INTERNAL);
779 // Free up allocated BN values
780 BN_CTX_end(context);
781 BN_CTX_free(context);
782 if(counter != NULL)
783 *counter = count;
784 return retVal;
785}
786//
787//
788// _cpri__GetEphemeralEcc()
789//
790// This function creates an ephemeral ECC. It is ephemeral in that is expected that the private part of the
791// key will be discarded
792//
793LIB_EXPORT CRYPT_RESULT
794_cpri__GetEphemeralEcc(
795 TPMS_ECC_POINT *Qout, // OUT: the public point
796 TPM2B_ECC_PARAMETER *dOut, // OUT: the private scalar
797 TPM_ECC_CURVE curveId // IN: the curve for the key
798 )
799{
800 CRYPT_RESULT retVal;
801 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
802 pAssert(curveData != NULL);
803 // Keep getting random values until one is found that doesn't create a point
804 // at infinity. This will never, ever, ever, ever, ever, happen but if it does
805 // we have to get a next random value.
806 while(TRUE)
807 {
808 GetRandomPrivate(dOut, curveData->p);
809 // _cpri__EccPointMultiply does not return CRYPT_ECC_POINT if no point is
810 // provided. CRYPT_PARAMTER should not be returned because the curve ID
811 // has to be supported. Thus the only possible error is CRYPT_NO_RESULT.
812 retVal = _cpri__EccPointMultiply(Qout, curveId, dOut, NULL, NULL);
813 if(retVal != CRYPT_NO_RESULT)
814 return retVal; // Will return CRYPT_SUCCESS
815 }
816}
817#ifdef TPM_ALG_ECDSA //%
818//
819//
820// SignEcdsa()
821//
822// This function implements the ECDSA signing algorithm. The method is described in the comments below.
823// It is a fatal error if rOut, sOut, dIn, or digest are not provided.
824//
825LIB_EXPORT CRYPT_RESULT
826SignEcdsa(
827 TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature
828 TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature
829 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
830 // process
831 TPM2B_ECC_PARAMETER *dIn, // IN: the private key
832 TPM2B *digest // IN: the value to sign
833 )
834{
835 BIGNUM *bnK;
836 BIGNUM *bnIk;
837 BIGNUM *bnN;
838 BIGNUM *bnR;
839//
840 BIGNUM *bnD;
841 BIGNUM *bnZ;
842 TPM2B_ECC_PARAMETER k;
843 TPMS_ECC_POINT R;
844 BN_CTX *context;
845 CRYPT_RESULT retVal = CRYPT_SUCCESS;
846 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
847 pAssert(rOut != NULL && sOut != NULL && dIn != NULL && digest != NULL);
848 context = BN_CTX_new();
849 if(context == NULL)
850 FAIL(FATAL_ERROR_ALLOCATION);
851 BN_CTX_start(context);
852 bnN = BN_CTX_get(context);
853 bnZ = BN_CTX_get(context);
854 bnR = BN_CTX_get(context);
855 bnD = BN_CTX_get(context);
856 bnIk = BN_CTX_get(context);
857 bnK = BN_CTX_get(context);
858 // Assume the size variables do not overflow, which should not happen in
859 // the contexts that this function will be called.
860 pAssert(curveData->n->size <= MAX_ECC_PARAMETER_BYTES);
861 if( bnK == NULL
862 || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL)
863 FAIL(FATAL_ERROR_INTERNAL);
864// The algorithm as described in "Suite B Implementer's Guide to FIPS 186-3(ECDSA)"
865// 1. Use one of the routines in Appendix A.2 to generate (k, k^-1), a per-message
866// secret number and its inverse modulo n. Since n is prime, the
867// output will be invalid only if there is a failure in the RBG.
868// 2. Compute the elliptic curve point R = [k]G = (xR, yR) using EC scalar
869// multiplication (see [Routines]), where G is the base point included in
870// the set of domain parameters.
871// 3. Compute r = xR mod n. If r = 0, then return to Step 1. 1.
872// 4. Use the selected hash function to compute H = Hash(M).
873// 5. Convert the bit string H to an integer e as described in Appendix B.2.
874// 6. Compute s = (k^-1 * (e + d * r)) mod n. If s = 0, return to Step 1.2.
875// 7. Return (r, s).
876 // Generate a random value k in the range 1 <= k < n
877 // Want a K value that is the same size as the curve order
878 k.t.size = curveData->n->size;
879 while(TRUE) // This implements the loop at step 6. If s is zero, start over.
880 {
881 while(TRUE)
882 {
883 // Step 1 and 2 -- generate an ephemeral key and the modular inverse
884 // of the private key.
885 while(TRUE)
886 {
887 GetRandomPrivate(&k, curveData->n);
888 // Do the point multiply to generate a point and check to see if
889 // the point it at infinity
890 if( _cpri__EccPointMultiply(&R, curveId, &k, NULL, NULL)
891 != CRYPT_NO_RESULT)
892 break; // can only be CRYPT_SUCCESS
893 }
894 // x coordinate is mod p. Make it mod n
895 // Assume the size variables do not overflow, which should not happen
896 // in the contexts that this function will be called.
897 assert2Bsize(R.x.t);
898 BN_bin2bn(R.x.t.buffer, R.x.t.size, bnR);
899 BN_mod(bnR, bnR, bnN, context);
900 // Make sure that it is not zero;
901 if(BN_is_zero(bnR))
902 continue;
903 // Make sure that a modular inverse exists
904 // Assume the size variables do not overflow, which should not happen
905 // in the contexts that this function will be called.
906 assert2Bsize(k.t);
907 BN_bin2bn(k.t.buffer, k.t.size, bnK);
908 if( BN_mod_inverse(bnIk, bnK, bnN, context) != NULL)
909 break;
910 }
911 // Set z = leftmost bits of the digest
912 // NOTE: This is implemented such that the key size needs to be
913 // an even number of bytes in length.
914 if(digest->size > curveData->n->size)
915 {
916 // Assume the size variables do not overflow, which should not happen
917 // in the contexts that this function will be called.
918 pAssert(curveData->n->size <= MAX_ECC_KEY_BYTES);
919 // digest is larger than n so truncate
920 BN_bin2bn(digest->buffer, curveData->n->size, bnZ);
921 }
922 else
923 {
924 // Assume the size variables do not overflow, which should not happen
925 // in the contexts that this function will be called.
926 pAssert(digest->size <= MAX_DIGEST_SIZE);
927 // digest is same or smaller than n so use it all
928 BN_bin2bn(digest->buffer, digest->size, bnZ);
929 }
930 // Assume the size variables do not overflow, which should not happen in
931 // the contexts that this function will be called.
932 assert2Bsize(dIn->t);
933 if( bnZ == NULL
934 // need the private scalar of the signing key
935 || BN_bin2bn(dIn->t.buffer, dIn->t.size, bnD) == NULL)
936 FAIL(FATAL_ERROR_INTERNAL);
937 // NOTE: When the result of an operation is going to be reduced mod x
938 // any modular multiplication is done so that the intermediate values
939 // don't get too large.
940 //
941 // now have inverse of K (bnIk), z (bnZ), r (bnR), d (bnD) and n (bnN)
942 // Compute s = k^-1 (z + r*d)(mod n)
943 // first do d = r*d mod n
944 if( !BN_mod_mul(bnD, bnR, bnD, bnN, context)
945 // d = z + r * d
946 || !BN_add(bnD, bnZ, bnD)
947 // d = k^(-1)(z + r * d)(mod n)
948 || !BN_mod_mul(bnD, bnIk, bnD, bnN, context)
949 // convert to TPM2B format
950 || !BnTo2B(&sOut->b, bnD, curveData->n->size)
951 // and write the modular reduced version of r
952 // NOTE: this was deferred to reduce the number of
953 // error checks.
954 || !BnTo2B(&rOut->b, bnR, curveData->n->size))
955 FAIL(FATAL_ERROR_INTERNAL);
956 if(!BN_is_zero(bnD))
957 break; // signature not zero so done
958 // if the signature value was zero, start over
959 }
960 // Free up allocated BN values
961 BN_CTX_end(context);
962 BN_CTX_free(context);
963 return retVal;
964}
965#endif //%
966#if defined TPM_ALG_ECDAA || defined TPM_ALG_ECSCHNORR //%
967//
968//
969// EcDaa()
970//
971// This function is used to perform a modified Schnorr signature for ECDAA.
972// This function performs s = k + T * d mod n where
973// a) 'k is a random, or pseudo-random value used in the commit phase
974// b) T is the digest to be signed, and
975// c) d is a private key.
976// If tIn is NULL then use tOut as T
977//
978// Return Value Meaning
979//
980// CRYPT_SUCCESS signature created
981//
982static CRYPT_RESULT
983EcDaa(
984 TPM2B_ECC_PARAMETER *tOut, // OUT: T component of the signature
985 TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature
986 TPM_ECC_CURVE curveId, // IN: the curve used in signing
987 TPM2B_ECC_PARAMETER *dIn, // IN: the private key
988 TPM2B *tIn, // IN: the value to sign
989 TPM2B_ECC_PARAMETER *kIn // IN: a random value from commit
990 )
991{
992 BIGNUM *bnN, *bnK, *bnT, *bnD;
993 BN_CTX *context;
994 const TPM2B *n;
995 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
996 BOOL OK = TRUE;
997 // Parameter checks
998 pAssert( sOut != NULL && dIn != NULL && tOut != NULL
999 && kIn != NULL && curveData != NULL);
1000 // this just saves key strokes
1001 n = curveData->n;
1002 if(tIn != NULL)
1003 Copy2B(&tOut->b, tIn);
1004 // The size of dIn and kIn input scalars is limited by the size of the size
1005 // of a TPM2B_ECC_PARAMETER and tIn can be no larger than a digest.
1006 // Make sure they are within range.
1007 pAssert( (int) dIn->t.size <= MAX_ECC_KEY_BYTES
1008 && (int) kIn->t.size <= MAX_ECC_KEY_BYTES
1009//
1010 && (int) tOut->t.size <= MAX_DIGEST_SIZE
1011 );
1012 context = BN_CTX_new();
1013 if(context == NULL)
1014 FAIL(FATAL_ERROR_ALLOCATION);
1015 BN_CTX_start(context);
1016 bnN = BN_CTX_get(context);
1017 bnK = BN_CTX_get(context);
1018 bnT = BN_CTX_get(context);
1019 bnD = BN_CTX_get(context);
1020 // Check for allocation problems
1021 if(bnD == NULL)
1022 FAIL(FATAL_ERROR_ALLOCATION);
1023 // Convert values
1024 if( BN_bin2bn(n->buffer, n->size, bnN) == NULL
1025 || BN_bin2bn(kIn->t.buffer, kIn->t.size, bnK) == NULL
1026 || BN_bin2bn(dIn->t.buffer, dIn->t.size, bnD) == NULL
1027 || BN_bin2bn(tOut->t.buffer, tOut->t.size, bnT) == NULL)
1028 FAIL(FATAL_ERROR_INTERNAL);
1029 // Compute T = T mod n
1030 OK = OK && BN_mod(bnT, bnT, bnN, context);
1031 // compute (s = k + T * d mod n)
1032 // d = T * d mod n
1033 OK = OK && BN_mod_mul(bnD, bnT, bnD, bnN, context) == 1;
1034 // d = k + T * d mod n
1035 OK = OK && BN_mod_add(bnD, bnK, bnD, bnN, context) == 1;
1036 // s = d
1037 OK = OK && BnTo2B(&sOut->b, bnD, n->size);
1038 // r = T
1039 OK = OK && BnTo2B(&tOut->b, bnT, n->size);
1040 if(!OK)
1041 FAIL(FATAL_ERROR_INTERNAL);
1042 // Cleanup
1043 BN_CTX_end(context);
1044 BN_CTX_free(context);
1045 return CRYPT_SUCCESS;
1046}
1047#endif //%
1048#ifdef TPM_ALG_ECSCHNORR //%
1049//
1050//
1051// SchnorrEcc()
1052//
1053// This function is used to perform a modified Schnorr signature.
1054// This function will generate a random value k and compute
1055// a) (xR, yR) = [k]G
1056// b) r = hash(P || xR)(mod n)
1057// c) s= k + r * ds
1058// d) return the tuple T, s
1059//
1060//
1061//
1062//
1063// Return Value Meaning
1064//
1065// CRYPT_SUCCESS signature created
1066// CRYPT_SCHEME hashAlg can't produce zero-length digest
1067//
1068static CRYPT_RESULT
1069SchnorrEcc(
1070 TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature
1071 TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature
1072 TPM_ALG_ID hashAlg, // IN: hash algorithm used
1073 TPM_ECC_CURVE curveId, // IN: the curve used in signing
1074 TPM2B_ECC_PARAMETER *dIn, // IN: the private key
1075 TPM2B *digest, // IN: the digest to sign
1076 TPM2B_ECC_PARAMETER *kIn // IN: for testing
1077 )
1078{
1079 TPM2B_ECC_PARAMETER k;
1080 BIGNUM *bnR, *bnN, *bnK, *bnT, *bnD;
1081 BN_CTX *context;
1082 const TPM2B *n;
1083 EC_POINT *pR = NULL;
1084 EC_GROUP *group = NULL;
1085 CPRI_HASH_STATE hashState;
1086 UINT16 digestSize = _cpri__GetDigestSize(hashAlg);
1087 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1088 TPM2B_TYPE(T, MAX(MAX_DIGEST_SIZE, MAX_ECC_PARAMETER_BYTES));
1089 TPM2B_T T2b;
1090 BOOL OK = TRUE;
1091 // Parameter checks
1092 // Must have a place for the 'r' and 's' parts of the signature, a private
1093 // key ('d')
1094 pAssert( rOut != NULL && sOut != NULL && dIn != NULL
1095 && digest != NULL && curveData != NULL);
1096 // to save key strokes
1097 n = curveData->n;
1098 // If the digest does not produce a hash, then null the signature and return
1099 // a failure.
1100 if(digestSize == 0)
1101 {
1102 rOut->t.size = 0;
1103 sOut->t.size = 0;
1104 return CRYPT_SCHEME;
1105 }
1106 // Allocate big number values
1107 context = BN_CTX_new();
1108 if(context == NULL)
1109 FAIL(FATAL_ERROR_ALLOCATION);
1110 BN_CTX_start(context);
1111 bnR = BN_CTX_get(context);
1112 bnN = BN_CTX_get(context);
1113 bnK = BN_CTX_get(context);
1114 bnT = BN_CTX_get(context);
1115 bnD = BN_CTX_get(context);
1116 if( bnD == NULL
1117 // initialize the group parameters
1118 || (group = EccCurveInit(curveId, context)) == NULL
1119 // allocate a local point
1120 || (pR = EC_POINT_new(group)) == NULL
1121 )
1122 FAIL(FATAL_ERROR_ALLOCATION);
1123 if(BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL)
1124 FAIL(FATAL_ERROR_INTERNAL);
1125 while(OK)
1126 {
1127// a) set k to a random value such that 1 k n-1
1128 if(kIn != NULL)
1129 {
1130 Copy2B(&k.b, &kIn->b); // copy input k if testing
1131 OK = FALSE; // not OK to loop
1132 }
1133 else
1134 // If get a random value in the correct range
1135 GetRandomPrivate(&k, n);
1136 // Convert 'k' and generate pR = ['k']G
1137 BnFrom2B(bnK, &k.b);
1138// b) compute E (xE, yE) [k]G
1139 if(PointMul(group, pR, bnK, NULL, NULL, context) == CRYPT_NO_RESULT)
1140// c) if E is the point at infinity, go to a)
1141 continue;
1142// d) compute e xE (mod n)
1143 // Get the x coordinate of the point
1144 EC_POINT_get_affine_coordinates_GFp(group, pR, bnR, NULL, context);
1145 // make (mod n)
1146 BN_mod(bnR, bnR, bnN, context);
1147// e) if e is zero, go to a)
1148 if(BN_is_zero(bnR))
1149 continue;
1150 // Convert xR to a string (use T as a temp)
1151 BnTo2B(&T2b.b, bnR, (UINT16)(BN_num_bits(bnR)+7)/8);
1152// f) compute r HschemeHash(P || e) (mod n)
1153 _cpri__StartHash(hashAlg, FALSE, &hashState);
1154 _cpri__UpdateHash(&hashState, digest->size, digest->buffer);
1155 _cpri__UpdateHash(&hashState, T2b.t.size, T2b.t.buffer);
1156 if(_cpri__CompleteHash(&hashState, digestSize, T2b.b.buffer) != digestSize)
1157 FAIL(FATAL_ERROR_INTERNAL);
1158 T2b.t.size = digestSize;
1159 BnFrom2B(bnT, &T2b.b);
1160 BN_div(NULL, bnT, bnT, bnN, context);
1161 BnTo2B(&rOut->b, bnT, (UINT16)BN_num_bytes(bnT));
1162 // We have a value and we are going to exit the loop successfully
1163 OK = TRUE;
1164 break;
1165 }
1166 // Cleanup
1167 EC_POINT_free(pR);
1168 EC_GROUP_free(group);
1169 BN_CTX_end(context);
1170 BN_CTX_free(context);
1171 // If we have a value, finish the signature
1172 if(OK)
1173 return EcDaa(rOut, sOut, curveId, dIn, NULL, &k);
1174 else
1175 return CRYPT_NO_RESULT;
1176}
1177#endif //%
1178#ifdef TPM_ALG_SM2 //%
1179#ifdef _SM2_SIGN_DEBUG //%
1180static int
1181cmp_bn2hex(
1182 BIGNUM *bn, // IN: big number value
1183 const char *c // IN: character string number
1184 )
1185{
1186 int result;
1187 BIGNUM *bnC = BN_new();
1188 pAssert(bnC != NULL);
1189 BN_hex2bn(&bnC, c);
1190 result = BN_ucmp(bn, bnC);
1191 BN_free(bnC);
1192 return result;
1193}
1194static int
1195cmp_2B2hex(
1196 TPM2B *a, // IN: TPM2B number to compare
1197 const char *c // IN: character string
1198 )
1199{
1200 int result;
1201 int sl = strlen(c);
1202 BIGNUM *bnA;
1203 result = (a->size * 2) - sl;
1204 if(result != 0)
1205 return result;
1206 pAssert((bnA = BN_bin2bn(a->buffer, a->size, NULL)) != NULL);
1207 result = cmp_bn2hex(bnA, c);
1208 BN_free(bnA);
1209 return result;
1210}
1211static void
1212cpy_hexTo2B(
1213 TPM2B *b, // OUT: receives value
1214 const char *c // IN: source string
1215 )
1216{
1217 BIGNUM *bnB = BN_new();
1218 pAssert((strlen(c) & 1) == 0); // must have an even number of digits
1219 b->size = strlen(c) / 2;
1220 BN_hex2bn(&bnB, c);
1221 pAssert(bnB != NULL);
1222 BnTo2B(b, bnB, b->size);
1223 BN_free(bnB);
1224}
1225#endif //% _SM2_SIGN_DEBUG
1226//
1227//
1228// SignSM2()
1229//
1230// This function signs a digest using the method defined in SM2 Part 2. The method in the standard will add
1231// a header to the message to be signed that is a hash of the values that define the key. This then hashed
1232// with the message to produce a digest (e) that is signed. This function signs e.
1233//
1234//
1235//
1236//
1237// Return Value Meaning
1238//
1239// CRYPT_SUCCESS sign worked
1240//
1241static CRYPT_RESULT
1242SignSM2(
1243 TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature
1244 TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature
1245 TPM_ECC_CURVE curveId, // IN: the curve used in signing
1246 TPM2B_ECC_PARAMETER *dIn, // IN: the private key
1247 TPM2B *digest // IN: the digest to sign
1248 )
1249{
1250 BIGNUM *bnR;
1251 BIGNUM *bnS;
1252 BIGNUM *bnN;
1253 BIGNUM *bnK;
1254 BIGNUM *bnX1;
1255 BIGNUM *bnD;
1256 BIGNUM *bnT; // temp
1257 BIGNUM *bnE;
1258 BN_CTX *context;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1259 TPM2B_ECC_PARAMETER k;
1260 TPMS_ECC_POINT p2Br;
1261 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1262 pAssert(curveData != NULL);
1263 context = BN_CTX_new();
1264 BN_CTX_start(context);
1265 bnK = BN_CTX_get(context);
1266 bnR = BN_CTX_get(context);
1267 bnS = BN_CTX_get(context);
1268 bnX1 = BN_CTX_get(context);
1269 bnN = BN_CTX_get(context);
1270 bnD = BN_CTX_get(context);
1271 bnT = BN_CTX_get(context);
1272 bnE = BN_CTX_get(context);
1273 if(bnE == NULL)
1274 FAIL(FATAL_ERROR_ALLOCATION);
1275 BnFrom2B(bnE, digest);
1276 BnFrom2B(bnN, curveData->n);
1277 BnFrom2B(bnD, &dIn->b);
1278#ifdef _SM2_SIGN_DEBUG
1279BN_hex2bn(&bnE, "B524F552CD82B8B028476E005C377FB19A87E6FC682D48BB5D42E3D9B9EFFE76");
1280BN_hex2bn(&bnD, "128B2FA8BD433C6C068C8D803DFF79792A519A55171B1B650C23661D15897263");
1281#endif
1282// A3: Use random number generator to generate random number 1 <= k <= n-1;
1283// NOTE: Ax: numbers are from the SM2 standard
1284 k.t.size = curveData->n->size;
1285loop:
1286 {
1287 // Get a random number
1288 _cpri__GenerateRandom(k.t.size, k.t.buffer);
1289#ifdef _SM2_SIGN_DEBUG
1290BN_hex2bn(&bnK, "6CB28D99385C175C94F94E934817663FC176D925DD72B727260DBAAE1FB2F96F");
1291BnTo2B(&k.b,bnK, 32);
1292k.t.size = 32;
1293#endif
1294 //make sure that the number is 0 < k < n
1295 BnFrom2B(bnK, &k.b);
1296 if( BN_ucmp(bnK, bnN) >= 0
1297 || BN_is_zero(bnK))
1298 goto loop;
1299// A4: Figure out the point of elliptic curve (x1, y1)=[k]G, and according
1300// to details specified in 4.2.7 in Part 1 of this document, transform the
1301// data type of x1 into an integer;
1302 if( _cpri__EccPointMultiply(&p2Br, curveId, &k, NULL, NULL)
1303 == CRYPT_NO_RESULT)
1304 goto loop;
1305 BnFrom2B(bnX1, &p2Br.x.b);
1306// A5: Figure out r = (e + x1) mod n,
1307 if(!BN_mod_add(bnR, bnE, bnX1, bnN, context))
1308 FAIL(FATAL_ERROR_INTERNAL);
1309#ifdef _SM2_SIGN_DEBUG
1310pAssert(cmp_bn2hex(bnR,
1311 "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1")
1312 == 0);
1313#endif
1314 // if r=0 or r+k=n, return to A3;
1315 if(!BN_add(bnT, bnK, bnR))
1316 FAIL(FATAL_ERROR_INTERNAL);
1317 if(BN_is_zero(bnR) || BN_ucmp(bnT, bnN) == 0)
1318 goto loop;
1319// A6: Figure out s = ((1 + dA)^-1 (k - r dA)) mod n, if s=0, return to A3;
1320 // compute t = (1+d)-1
1321 BN_copy(bnT, bnD);
1322 if( !BN_add_word(bnT, 1)
1323 || !BN_mod_inverse(bnT, bnT, bnN, context) // (1 + dA)^-1 mod n
1324 )
1325 FAIL(FATAL_ERROR_INTERNAL);
1326#ifdef _SM2_SIGN_DEBUG
1327pAssert(cmp_bn2hex(bnT,
1328 "79BFCF3052C80DA7B939E0C6914A18CBB2D96D8555256E83122743A7D4F5F956")
1329 == 0);
1330#endif
1331 // compute s = t * (k - r * dA) mod n
1332 if( !BN_mod_mul(bnS, bnD, bnR, bnN, context) // (r * dA) mod n
1333 || !BN_mod_sub(bnS, bnK, bnS, bnN, context) // (k - (r * dA) mod n
1334 || !BN_mod_mul(bnS, bnT, bnS, bnN, context))// t * (k - (r * dA) mod n
1335 FAIL(FATAL_ERROR_INTERNAL);
1336#ifdef _SM2_SIGN_DEBUG
1337pAssert(cmp_bn2hex(bnS,
1338 "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7")
1339 == 0);
1340#endif
1341 if(BN_is_zero(bnS))
1342 goto loop;
1343 }
1344// A7: According to details specified in 4.2.1 in Part 1 of this document, transform
1345// the data type of r, s into bit strings, signature of message M is (r, s).
1346 BnTo2B(&rOut->b, bnR, curveData->n->size);
1347 BnTo2B(&sOut->b, bnS, curveData->n->size);
1348#ifdef _SM2_SIGN_DEBUG
1349pAssert(cmp_2B2hex(&rOut->b,
1350 "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1")
1351 == 0);
1352pAssert(cmp_2B2hex(&sOut->b,
1353 "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7")
1354 == 0);
1355#endif
1356 BN_CTX_end(context);
1357 BN_CTX_free(context);
1358 return CRYPT_SUCCESS;
1359}
1360#endif //% TPM_ALG_SM2
1361//
1362//
1363// _cpri__SignEcc()
1364//
1365// This function is the dispatch function for the various ECC-based signing schemes.
1366//
1367// Return Value Meaning
1368//
1369// CRYPT_SCHEME scheme is not supported
1370//
1371LIB_EXPORT CRYPT_RESULT
1372_cpri__SignEcc(
1373 TPM2B_ECC_PARAMETER *rOut, // OUT: r component of the signature
1374 TPM2B_ECC_PARAMETER *sOut, // OUT: s component of the signature
1375 TPM_ALG_ID scheme, // IN: the scheme selector
1376 TPM_ALG_ID hashAlg, // IN: the hash algorithm if need
1377 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
1378 // process
1379 TPM2B_ECC_PARAMETER *dIn, // IN: the private key
1380 TPM2B *digest, // IN: the digest to sign
1381 TPM2B_ECC_PARAMETER *kIn // IN: k for input
1382 )
1383{
1384 switch (scheme)
1385 {
1386 case TPM_ALG_ECDSA:
1387 // SignEcdsa always works
1388 return SignEcdsa(rOut, sOut, curveId, dIn, digest);
1389 break;
1390#ifdef TPM_ALG_ECDAA
1391 case TPM_ALG_ECDAA:
1392 if(rOut != NULL)
1393 rOut->b.size = 0;
1394 return EcDaa(rOut, sOut, curveId, dIn, digest, kIn);
1395 break;
1396#endif
1397#ifdef TPM_ALG_ECSCHNORR
1398 case TPM_ALG_ECSCHNORR:
1399 return SchnorrEcc(rOut, sOut, hashAlg, curveId, dIn, digest, kIn);
1400 break;
1401#endif
1402#ifdef TPM_ALG_SM2
1403 case TPM_ALG_SM2:
1404 return SignSM2(rOut, sOut, curveId, dIn, digest);
1405 break;
1406#endif
1407 default:
1408 return CRYPT_SCHEME;
1409 }
1410}
1411#ifdef TPM_ALG_ECDSA //%
1412//
1413//
1414// ValidateSignatureEcdsa()
1415//
1416// This function validates an ECDSA signature. rIn and sIn shoudl have been checked to make sure that
1417// they are not zero.
1418//
1419// Return Value Meaning
1420//
1421// CRYPT_SUCCESS signature valid
1422// CRYPT_FAIL signature not valid
1423//
1424static CRYPT_RESULT
1425ValidateSignatureEcdsa(
1426 TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature
1427 TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature
1428 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
1429 // process
1430 TPMS_ECC_POINT *Qin, // IN: the public point of the key
1431 TPM2B *digest // IN: the digest that was signed
1432 )
1433{
1434 TPM2B_ECC_PARAMETER U1;
1435 TPM2B_ECC_PARAMETER U2;
1436 TPMS_ECC_POINT R;
1437 const TPM2B *n;
1438 BN_CTX *context;
1439 EC_POINT *pQ = NULL;
1440 EC_GROUP *group = NULL;
1441 BIGNUM *bnU1;
1442 BIGNUM *bnU2;
1443 BIGNUM *bnR;
1444 BIGNUM *bnS;
1445 BIGNUM *bnW;
1446 BIGNUM *bnV;
1447 BIGNUM *bnN;
1448 BIGNUM *bnE;
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1449 BIGNUM *bnQx;
1450 BIGNUM *bnQy;
1451 CRYPT_RESULT retVal = CRYPT_FAIL;
1452 int t;
1453 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1454 // The curve selector should have been filtered by the unmarshaling process
1455 pAssert (curveData != NULL);
1456 n = curveData->n;
1457// 1. If r and s are not both integers in the interval [1, n - 1], output
1458// INVALID.
1459// rIn and sIn are known to be greater than zero (was checked by the caller).
1460 if( _math__uComp(rIn->t.size, rIn->t.buffer, n->size, n->buffer) >= 0
1461 || _math__uComp(sIn->t.size, sIn->t.buffer, n->size, n->buffer) >= 0
1462 )
1463 return CRYPT_FAIL;
1464 context = BN_CTX_new();
1465 if(context == NULL)
1466 FAIL(FATAL_ERROR_ALLOCATION);
1467 BN_CTX_start(context);
1468 bnR = BN_CTX_get(context);
1469 bnS = BN_CTX_get(context);
1470 bnN = BN_CTX_get(context);
1471 bnE = BN_CTX_get(context);
1472 bnV = BN_CTX_get(context);
1473 bnW = BN_CTX_get(context);
Vadim Bendebury56797522015-05-20 10:32:25 -0700[diff] [blame]1474 bnQx = BN_CTX_get(context);
1475 bnQy = BN_CTX_get(context);
1476 bnU1 = BN_CTX_get(context);
1477 bnU2 = BN_CTX_get(context);
1478 // Assume the size variables do not overflow, which should not happen in
1479 // the contexts that this function will be called.
1480 assert2Bsize(Qin->x.t);
1481 assert2Bsize(rIn->t);
1482 assert2Bsize(sIn->t);
1483 // BN_CTX_get() is sticky so only need to check the last value to know that
1484 // all worked.
1485 if( bnU2 == NULL
1486 // initialize the group parameters
1487 || (group = EccCurveInit(curveId, context)) == NULL
1488 // allocate a local point
1489 || (pQ = EC_POINT_new(group)) == NULL
1490 // use the public key values (QxIn and QyIn) to initialize Q
1491 || BN_bin2bn(Qin->x.t.buffer, Qin->x.t.size, bnQx) == NULL
1492 || BN_bin2bn(Qin->x.t.buffer, Qin->x.t.size, bnQy) == NULL
1493 || !EC_POINT_set_affine_coordinates_GFp(group, pQ, bnQx, bnQy, context)
1494 // convert the signature values
1495 || BN_bin2bn(rIn->t.buffer, rIn->t.size, bnR) == NULL
1496 || BN_bin2bn(sIn->t.buffer, sIn->t.size, bnS) == NULL
1497 // convert the curve order
1498 || BN_bin2bn(curveData->n->buffer, curveData->n->size, bnN) == NULL)
1499 FAIL(FATAL_ERROR_INTERNAL);
1500// 2. Use the selected hash function to compute H0 = Hash(M0).
1501 // This is an input parameter
1502// 3. Convert the bit string H0 to an integer e as described in Appendix B.2.
1503 t = (digest->size > rIn->t.size) ? rIn->t.size : digest->size;
1504 if(BN_bin2bn(digest->buffer, t, bnE) == NULL)
1505 FAIL(FATAL_ERROR_INTERNAL);
1506// 4. Compute w = (s')^-1 mod n, using the routine in Appendix B.1.
1507 if (BN_mod_inverse(bnW, bnS, bnN, context) == NULL)
1508 FAIL(FATAL_ERROR_INTERNAL);
1509// 5. Compute u1 = (e' * w) mod n, and compute u2 = (r' * w) mod n.
1510 if( !BN_mod_mul(bnU1, bnE, bnW, bnN, context)
1511 || !BN_mod_mul(bnU2, bnR, bnW, bnN, context))
1512 FAIL(FATAL_ERROR_INTERNAL);
1513 BnTo2B(&U1.b, bnU1, (INT16) BN_num_bytes(bnU1));
1514 BnTo2B(&U2.b, bnU2, (INT16) BN_num_bytes(bnU2));
1515// 6. Compute the elliptic curve point R = (xR, yR) = u1G+u2Q, using EC
1516// scalar multiplication and EC addition (see [Routines]). If R is equal to
1517// the point at infinity O, output INVALID.
1518 if(_cpri__EccPointMultiply(&R, curveId, &U1, Qin, &U2) == CRYPT_SUCCESS)
1519 {
1520 // 7. Compute v = Rx mod n.
1521 if( BN_bin2bn(R.x.t.buffer, R.x.t.size, bnV) == NULL
1522 || !BN_mod(bnV, bnV, bnN, context))
1523 FAIL(FATAL_ERROR_INTERNAL);
1524 // 8. Compare v and r0. If v = r0, output VALID; otherwise, output INVALID
1525 if(BN_cmp(bnV, bnR) == 0)
1526 retVal = CRYPT_SUCCESS;
1527 }
1528 if(pQ != NULL) EC_POINT_free(pQ);
1529 if(group != NULL) EC_GROUP_free(group);
1530 BN_CTX_end(context);
1531 BN_CTX_free(context);
1532 return retVal;
1533}
1534#endif //% TPM_ALG_ECDSA
1535#ifdef TPM_ALG_ECSCHNORR //%
1536//
1537//
1538// ValidateSignatureEcSchnorr()
1539//
1540// This function is used to validate an EC Schnorr signature. rIn and sIn are required to be greater than
1541// zero. This is checked in _cpri__ValidateSignatureEcc().
1542//
1543// Return Value Meaning
1544//
1545// CRYPT_SUCCESS signature valid
1546// CRYPT_FAIL signature not valid
1547// CRYPT_SCHEME hashAlg is not supported
1548//
1549static CRYPT_RESULT
1550ValidateSignatureEcSchnorr(
1551 TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature
1552 TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature
1553 TPM_ALG_ID hashAlg, // IN: hash algorithm of the signature
1554 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
1555 // process
1556 TPMS_ECC_POINT *Qin, // IN: the public point of the key
1557 TPM2B *digest // IN: the digest that was signed
1558 )
1559{
1560 TPMS_ECC_POINT pE;
1561 const TPM2B *n;
1562 CPRI_HASH_STATE hashState;
1563 TPM2B_DIGEST rPrime;
1564 TPM2B_ECC_PARAMETER minusR;
1565 UINT16 digestSize = _cpri__GetDigestSize(hashAlg);
1566 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1567 // The curve parameter should have been filtered by unmarshaling code
1568 pAssert(curveData != NULL);
1569 if(digestSize == 0)
1570 return CRYPT_SCHEME;
1571 // Input parameter validation
1572 pAssert(rIn != NULL && sIn != NULL && Qin != NULL && digest != NULL);
1573 n = curveData->n;
1574 // if sIn or rIn are not between 1 and N-1, signature check fails
1575 // sIn and rIn were verified to be non-zero by the caller
1576 if( _math__uComp(sIn->b.size, sIn->b.buffer, n->size, n->buffer) >= 0
1577 || _math__uComp(rIn->b.size, rIn->b.buffer, n->size, n->buffer) >= 0
1578 )
1579 return CRYPT_FAIL;
1580 //E = [s]InG - [r]InQ
1581 _math__sub(n->size, n->buffer,
1582 rIn->t.size, rIn->t.buffer,
1583 &minusR.t.size, minusR.t.buffer);
1584 if(_cpri__EccPointMultiply(&pE, curveId, sIn, Qin, &minusR) != CRYPT_SUCCESS)
1585 return CRYPT_FAIL;
1586 // Ex = Ex mod N
1587 if(Mod2B(&pE.x.b, n) != CRYPT_SUCCESS)
1588 FAIL(FATAL_ERROR_INTERNAL);
1589 _math__Normalize2B(&pE.x.b);
1590 // rPrime = h(digest || pE.x) mod n;
1591 _cpri__StartHash(hashAlg, FALSE, &hashState);
1592 _cpri__UpdateHash(&hashState, digest->size, digest->buffer);
1593 _cpri__UpdateHash(&hashState, pE.x.t.size, pE.x.t.buffer);
1594 if(_cpri__CompleteHash(&hashState, digestSize, rPrime.t.buffer) != digestSize)
1595 FAIL(FATAL_ERROR_INTERNAL);
1596 rPrime.t.size = digestSize;
1597 // rPrime = rPrime (mod n)
1598 if(Mod2B(&rPrime.b, n) != CRYPT_SUCCESS)
1599 FAIL(FATAL_ERROR_INTERNAL);
1600 // if the values don't match, then the signature is bad
1601 if(_math__uComp(rIn->t.size, rIn->t.buffer,
1602 rPrime.t.size, rPrime.t.buffer) != 0)
1603 return CRYPT_FAIL;
1604 else
1605 return CRYPT_SUCCESS;
1606}
1607#endif //% TPM_ALG_ECSCHNORR
1608#ifdef TPM_ALG_SM2 //%
1609//
1610//
1611// ValidateSignatueSM2Dsa()
1612//
1613// This function is used to validate an SM2 signature.
1614//
1615// Return Value Meaning
1616//
1617// CRYPT_SUCCESS signature valid
1618// CRYPT_FAIL signature not valid
1619//
1620static CRYPT_RESULT
1621ValidateSignatureSM2Dsa(
1622 TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature
1623 TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature
1624 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
1625 // process
1626 TPMS_ECC_POINT *Qin, // IN: the public point of the key
1627 TPM2B *digest // IN: the digest that was signed
1628 )
1629{
1630 BIGNUM *bnR;
1631 BIGNUM *bnRp;
1632 BIGNUM *bnT;
1633 BIGNUM *bnS;
1634 BIGNUM *bnE;
1635 EC_POINT *pQ;
1636 BN_CTX *context;
1637 EC_GROUP *group = NULL;
1638 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1639 BOOL fail = FALSE;
1640//
1641 if((context = BN_CTX_new()) == NULL || curveData == NULL)
1642 FAIL(FATAL_ERROR_INTERNAL);
1643 bnR = BN_CTX_get(context);
1644 bnRp= BN_CTX_get(context);
1645 bnE = BN_CTX_get(context);
1646 bnT = BN_CTX_get(context);
1647 bnS = BN_CTX_get(context);
1648 if( bnS == NULL
1649 || (group = EccCurveInit(curveId, context)) == NULL)
1650 FAIL(FATAL_ERROR_INTERNAL);
1651#ifdef _SM2_SIGN_DEBUG
1652 cpy_hexTo2B(&Qin->x.b,
1653 "0AE4C7798AA0F119471BEE11825BE46202BB79E2A5844495E97C04FF4DF2548A");
1654 cpy_hexTo2B(&Qin->y.b,
1655 "7C0240F88F1CD4E16352A73C17B7F16F07353E53A176D684A9FE0C6BB798E857");
1656 cpy_hexTo2B(digest,
1657 "B524F552CD82B8B028476E005C377FB19A87E6FC682D48BB5D42E3D9B9EFFE76");
1658#endif
1659 pQ = EccInitPoint2B(group, Qin, context);
1660#ifdef _SM2_SIGN_DEBUG
1661 pAssert(EC_POINT_get_affine_coordinates_GFp(group, pQ, bnT, bnS, context));
1662 pAssert(cmp_bn2hex(bnT,
1663 "0AE4C7798AA0F119471BEE11825BE46202BB79E2A5844495E97C04FF4DF2548A")
1664 == 0);
1665 pAssert(cmp_bn2hex(bnS,
1666 "7C0240F88F1CD4E16352A73C17B7F16F07353E53A176D684A9FE0C6BB798E857")
1667 == 0);
1668#endif
1669 BnFrom2B(bnR, &rIn->b);
1670 BnFrom2B(bnS, &sIn->b);
1671 BnFrom2B(bnE, digest);
1672#ifdef _SM2_SIGN_DEBUG
1673// Make sure that the input signature is the test signature
1674pAssert(cmp_2B2hex(&rIn->b,
1675 "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1") == 0);
1676pAssert(cmp_2B2hex(&sIn->b,
1677 "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7") == 0);
1678#endif
1679// a) verify that r and s are in the inclusive interval 1 to (n 1)
1680 fail = (BN_ucmp(bnR, &group->order) >= 0);
1681 fail = (BN_ucmp(bnS, &group->order) >= 0) || fail;
1682 if(fail)
1683 // There is no reason to continue. Since r and s are inputs from the caller,
1684 // they can know that the values are not in the proper range. So, exiting here
1685 // does not disclose any information.
1686 goto Cleanup;
1687// b) compute t := (r + s) mod n
1688 if(!BN_mod_add(bnT, bnR, bnS, &group->order, context))
1689 FAIL(FATAL_ERROR_INTERNAL);
1690#ifdef _SM2_SIGN_DEBUG
1691 pAssert(cmp_bn2hex(bnT,
1692 "2B75F07ED7ECE7CCC1C8986B991F441AD324D6D619FE06DD63ED32E0C997C801")
1693 == 0);
1694#endif
1695// c) verify that t > 0
1696 if(BN_is_zero(bnT)) {
1697 fail = TRUE;
1698 // set to a value that should allow rest of the computations to run without
1699 // trouble
1700 BN_copy(bnT, bnS);
1701 }
1702// d) compute (x, y) := [s]G + [t]Q
1703 if(!EC_POINT_mul(group, pQ, bnS, pQ, bnT, context))
1704 FAIL(FATAL_ERROR_INTERNAL);
1705 // Get the x coordinate of the point
1706 if(!EC_POINT_get_affine_coordinates_GFp(group, pQ, bnT, NULL, context))
1707 FAIL(FATAL_ERROR_INTERNAL);
1708#ifdef _SM2_SIGN_DEBUG
1709 pAssert(cmp_bn2hex(bnT,
1710 "110FCDA57615705D5E7B9324AC4B856D23E6D9188B2AE47759514657CE25D112")
1711 == 0);
1712#endif
1713// e) compute r' := (e + x) mod n (the x coordinate is in bnT)
1714 if(!BN_mod_add(bnRp, bnE, bnT, &group->order, context))
1715 FAIL(FATAL_ERROR_INTERNAL);
1716// f) verify that r' = r
1717 fail = BN_ucmp(bnR, bnRp) != 0 || fail;
1718Cleanup:
1719 if(pQ) EC_POINT_free(pQ);
1720 if(group) EC_GROUP_free(group);
1721 BN_CTX_end(context);
1722 BN_CTX_free(context);
1723 if(fail)
1724 return CRYPT_FAIL;
1725 else
1726 return CRYPT_SUCCESS;
1727}
1728#endif //% TPM_ALG_SM2
1729//
1730//
1731// _cpri__ValidateSignatureEcc()
1732//
1733// This function validates
1734//
1735// Return Value Meaning
1736//
1737// CRYPT_SUCCESS signature is valid
1738// CRYPT_FAIL not a valid signature
1739// CRYPT_SCHEME unsupported scheme
1740//
1741LIB_EXPORT CRYPT_RESULT
1742_cpri__ValidateSignatureEcc(
1743 TPM2B_ECC_PARAMETER *rIn, // IN: r component of the signature
1744 TPM2B_ECC_PARAMETER *sIn, // IN: s component of the signature
1745 TPM_ALG_ID scheme, // IN: the scheme selector
1746 TPM_ALG_ID hashAlg, // IN: the hash algorithm used (not used
1747 // in all schemes)
1748 TPM_ECC_CURVE curveId, // IN: the curve used in the signature
1749 // process
1750 TPMS_ECC_POINT *Qin, // IN: the public point of the key
1751 TPM2B *digest // IN: the digest that was signed
1752 )
1753{
1754 CRYPT_RESULT retVal;
1755 // return failure if either part of the signature is zero
1756 if(_math__Normalize2B(&rIn->b) == 0 || _math__Normalize2B(&sIn->b) == 0)
1757 return CRYPT_FAIL;
1758 switch (scheme)
1759 {
1760 case TPM_ALG_ECDSA:
1761 retVal = ValidateSignatureEcdsa(rIn, sIn, curveId, Qin, digest);
1762 break;
1763#ifdef TPM_ALG_ECSCHNORR
1764 case TPM_ALG_ECSCHNORR:
1765 retVal = ValidateSignatureEcSchnorr(rIn, sIn, hashAlg, curveId, Qin,
1766 digest);
1767 break;
1768#endif
1769#ifdef TPM_ALG_SM2
1770 case TPM_ALG_SM2:
1771 retVal = ValidateSignatureSM2Dsa(rIn, sIn, curveId, Qin, digest);
1772#endif
1773 default:
1774 retVal = CRYPT_SCHEME;
1775 break;
1776 }
1777 return retVal;
1778}
1779#if CC_ZGen_2Phase == YES //%
1780#ifdef TPM_ALG_ECMQV
1781//
1782//
1783// avf1()
1784//
1785// This function does the associated value computation required by MQV key exchange. Process:
1786// a) Convert xQ to an integer xqi using the convention specified in Appendix C.3.
1787// b) Calculate xqm = xqi mod 2^ceil(f/2) (where f = ceil(log2(n)).
1788// c) Calculate the associate value function avf(Q) = xqm + 2ceil(f / 2)
1789//
1790static BOOL
1791avf1(
1792 BIGNUM *bnX, // IN/OUT: the reduced value
1793 BIGNUM *bnN // IN: the order of the curve
1794 )
1795{
1796// compute f = 2^(ceil(ceil(log2(n)) / 2))
1797 int f = (BN_num_bits(bnN) + 1) / 2;
1798// x' = 2^f + (x mod 2^f)
1799 BN_mask_bits(bnX, f); // This is mod 2*2^f but it doesn't matter because
1800 // the next operation will SET the extra bit anyway
1801 BN_set_bit(bnX, f);
1802 return TRUE;
1803}
1804//
1805//
1806// C_2_2_MQV()
1807//
1808// This function performs the key exchange defined in SP800-56A 6.1.1.4 Full MQV, C(2, 2, ECC MQV).
1809// CAUTION: Implementation of this function may require use of essential claims in patents not owned by
1810// TCG members.
1811// Points QsB() and QeB() are required to be on the curve of inQsA. The function will fail, possibly
1812// catastrophically, if this is not the case.
1813//
1814//
1815//
1816// Return Value Meaning
1817//
1818// CRYPT_SUCCESS results is valid
1819// CRYPT_NO_RESULT the value for dsA does not give a valid point on the curve
1820//
1821static CRYPT_RESULT
1822C_2_2_MQV(
1823 TPMS_ECC_POINT *outZ, // OUT: the computed point
1824 TPM_ECC_CURVE curveId, // IN: the curve for the computations
1825 TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key
1826 TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key
1827 TPMS_ECC_POINT *QsB, // IN: static public party B key
1828 TPMS_ECC_POINT *QeB // IN: ephemeral public party B key
1829 )
1830{
1831 BN_CTX *context;
1832 EC_POINT *pQeA = NULL;
1833 EC_POINT *pQeB = NULL;
1834 EC_POINT *pQsB = NULL;
1835 EC_GROUP *group = NULL;
1836 BIGNUM *bnTa;
1837 BIGNUM *bnDeA;
1838 BIGNUM *bnDsA;
1839 BIGNUM *bnXeA; // x coordinate of ephemeral party A key
1840 BIGNUM *bnH;
1841 BIGNUM *bnN;
1842 BIGNUM *bnXeB;
1843 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1844 CRYPT_RESULT retVal;
1845 pAssert( curveData != NULL && outZ != NULL && dsA != NULL
1846 && deA != NULL && QsB != NULL && QeB != NULL);
1847 context = BN_CTX_new();
1848 if(context == NULL || curveData == NULL)
1849 FAIL(FATAL_ERROR_ALLOCATION);
1850 BN_CTX_start(context);
1851 bnTa = BN_CTX_get(context);
1852 bnDeA = BN_CTX_get(context);
1853 bnDsA = BN_CTX_get(context);
1854 bnXeA = BN_CTX_get(context);
1855 bnH = BN_CTX_get(context);
1856 bnN = BN_CTX_get(context);
1857 bnXeB = BN_CTX_get(context);
1858 if(bnXeB == NULL)
1859 FAIL(FATAL_ERROR_ALLOCATION);
1860// Process:
1861// 1. implicitsigA = (de,A + avf(Qe,A)ds,A ) mod n.
1862// 2. P = h(implicitsigA)(Qe,B + avf(Qe,B)Qs,B).
1863// 3. If P = O, output an error indicator.
1864// 4. Z=xP, where xP is the x-coordinate of P.
1865 // Initialize group parameters and local values of input
1866 if((group = EccCurveInit(curveId, context)) == NULL)
1867 FAIL(FATAL_ERROR_INTERNAL);
1868 if((pQeA = EC_POINT_new(group)) == NULL)
1869 FAIL(FATAL_ERROR_ALLOCATION);
1870 BnFrom2B(bnDeA, &deA->b);
1871 BnFrom2B(bnDsA, &dsA->b);
1872 BnFrom2B(bnH, curveData->h);
1873 BnFrom2B(bnN, curveData->n);
1874 BnFrom2B(bnXeB, &QeB->x.b);
1875 pQeB = EccInitPoint2B(group, QeB, context);
1876 pQsB = EccInitPoint2B(group, QsB, context);
1877 // Compute the public ephemeral key pQeA = [de,A]G
1878 if( (retVal = PointMul(group, pQeA, bnDeA, NULL, NULL, context))
1879 != CRYPT_SUCCESS)
1880 goto Cleanup;
1881 if(EC_POINT_get_affine_coordinates_GFp(group, pQeA, bnXeA, NULL, context) != 1)
1882 FAIL(FATAL_ERROR_INTERNAL);
1883// 1. implicitsigA = (de,A + avf(Qe,A)ds,A ) mod n.
1884// tA := (ds,A + de,A avf(Xe,A)) mod n (3)
1885// Compute 'tA' = ('deA' + 'dsA' avf('XeA')) mod n
1886 // Ta = avf(XeA);
1887 BN_copy(bnTa, bnXeA);
1888 avf1(bnTa, bnN);
1889 if(// do Ta = ds,A * Ta mod n = dsA * avf(XeA) mod n
1890 !BN_mod_mul(bnTa, bnDsA, bnTa, bnN, context)
1891 // now Ta = deA + Ta mod n = deA + dsA * avf(XeA) mod n
1892 || !BN_mod_add(bnTa, bnDeA, bnTa, bnN, context)
1893 )
1894 FAIL(FATAL_ERROR_INTERNAL);
1895// 2. P = h(implicitsigA)(Qe,B + avf(Qe,B)Qs,B).
1896// Put this in because almost every case of h is == 1 so skip the call when
1897 // not necessary.
1898 if(!BN_is_one(bnH))
1899 {
1900 // Cofactor is not 1 so compute Ta := Ta * h mod n
1901 if(!BN_mul(bnTa, bnTa, bnH, context))
1902 FAIL(FATAL_ERROR_INTERNAL);
1903 }
1904 // Now that 'tA' is (h * 'tA' mod n)
1905 // 'outZ' = (tA)(Qe,B + avf(Qe,B)Qs,B).
1906 // first, compute XeB = avf(XeB)
1907 avf1(bnXeB, bnN);
1908 // QsB := [XeB]QsB
1909 if( !EC_POINT_mul(group, pQsB, NULL, pQsB, bnXeB, context)
1910 // QeB := QsB + QeB
1911 || !EC_POINT_add(group, pQeB, pQeB, pQsB, context)
1912 )
1913 FAIL(FATAL_ERROR_INTERNAL);
1914 // QeB := [tA]QeB = [tA](QsB + [Xe,B]QeB) and check for at infinity
1915 if(PointMul(group, pQeB, NULL, pQeB, bnTa, context) == CRYPT_SUCCESS)
1916 // Convert BIGNUM E to TPM2B E
1917 Point2B(group, outZ, pQeB, (INT16)BN_num_bytes(bnN), context);
1918Cleanup:
1919 if(pQeA != NULL) EC_POINT_free(pQeA);
1920 if(pQeB != NULL) EC_POINT_free(pQeB);
1921 if(pQsB != NULL) EC_POINT_free(pQsB);
1922 if(group != NULL) EC_GROUP_free(group);
1923 BN_CTX_end(context);
1924 BN_CTX_free(context);
1925 return retVal;
1926}
1927#endif // TPM_ALG_ECMQV
1928#ifdef TPM_ALG_SM2 //%
1929//
1930//
1931// avfSm2()
1932//
1933// This function does the associated value computation required by SM2 key exchange. This is different
1934// form the avf() in the international standards because it returns a value that is half the size of the value
1935// returned by the standard avf. For example, if n is 15, Ws (w in the standard) is 2 but the W here is 1. This
1936// means that an input value of 14 (1110b) would return a value of 110b with the standard but 10b with the
1937// scheme in SM2.
1938//
1939static BOOL
1940avfSm2(
1941 BIGNUM *bnX, // IN/OUT: the reduced value
1942 BIGNUM *bnN // IN: the order of the curve
1943 )
1944{
1945// a) set w := ceil(ceil(log2(n)) / 2) - 1
1946 int w = ((BN_num_bits(bnN) + 1) / 2) - 1;
1947// b) set x' := 2^w + ( x & (2^w - 1))
1948// This is just like the avf for MQV where x' = 2^w + (x mod 2^w)
1949 BN_mask_bits(bnX, w); // as wiht avf1, this is too big by a factor of 2 but
1950 // it doesn't matter becasue we SET the extra bit anyway
1951 BN_set_bit(bnX, w);
1952 return TRUE;
1953}
1954//
1955// SM2KeyExchange() This function performs the key exchange defined in SM2. The first step is to compute
1956// tA = (dsA + deA avf(Xe,A)) mod n Then, compute the Z value from outZ = (h tA mod n) (QsA +
1957// [avf(QeB().x)](QeB())). The function will compute the ephemeral public key from the ephemeral private
1958// key. All points are required to be on the curve of inQsA. The function will fail catastrophically if this is not
1959// the case
1960//
1961// Return Value Meaning
1962//
1963// CRYPT_SUCCESS results is valid
1964// CRYPT_NO_RESULT the value for dsA does not give a valid point on the curve
1965//
1966static CRYPT_RESULT
1967SM2KeyExchange(
1968 TPMS_ECC_POINT *outZ, // OUT: the computed point
1969 TPM_ECC_CURVE curveId, // IN: the curve for the computations
1970 TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key
1971 TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key
1972 TPMS_ECC_POINT *QsB, // IN: static public party B key
1973 TPMS_ECC_POINT *QeB // IN: ephemeral public party B key
1974 )
1975{
1976 BN_CTX *context;
1977 EC_POINT *pQeA = NULL;
1978 EC_POINT *pQeB = NULL;
1979 EC_POINT *pQsB = NULL;
1980 EC_GROUP *group = NULL;
1981 BIGNUM *bnTa;
1982 BIGNUM *bnDeA;
1983 BIGNUM *bnDsA;
1984 BIGNUM *bnXeA; // x coordinate of ephemeral party A key
1985 BIGNUM *bnH;
1986 BIGNUM *bnN;
1987 BIGNUM *bnXeB;
1988//
1989 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
1990 CRYPT_RESULT retVal;
1991 pAssert( curveData != NULL && outZ != NULL && dsA != NULL
1992 && deA != NULL && QsB != NULL && QeB != NULL);
1993 context = BN_CTX_new();
1994 if(context == NULL || curveData == NULL)
1995 FAIL(FATAL_ERROR_ALLOCATION);
1996 BN_CTX_start(context);
1997 bnTa = BN_CTX_get(context);
1998 bnDeA = BN_CTX_get(context);
1999 bnDsA = BN_CTX_get(context);
2000 bnXeA = BN_CTX_get(context);
2001 bnH = BN_CTX_get(context);
2002 bnN = BN_CTX_get(context);
2003 bnXeB = BN_CTX_get(context);
2004 if(bnXeB == NULL)
2005 FAIL(FATAL_ERROR_ALLOCATION);
2006 // Initialize group parameters and local values of input
2007 if((group = EccCurveInit(curveId, context)) == NULL)
2008 FAIL(FATAL_ERROR_INTERNAL);
2009 if((pQeA = EC_POINT_new(group)) == NULL)
2010 FAIL(FATAL_ERROR_ALLOCATION);
2011 BnFrom2B(bnDeA, &deA->b);
2012 BnFrom2B(bnDsA, &dsA->b);
2013 BnFrom2B(bnH, curveData->h);
2014 BnFrom2B(bnN, curveData->n);
2015 BnFrom2B(bnXeB, &QeB->x.b);
2016 pQeB = EccInitPoint2B(group, QeB, context);
2017 pQsB = EccInitPoint2B(group, QsB, context);
2018 // Compute the public ephemeral key pQeA = [de,A]G
2019 if( (retVal = PointMul(group, pQeA, bnDeA, NULL, NULL, context))
2020 != CRYPT_SUCCESS)
2021 goto Cleanup;
2022 if(EC_POINT_get_affine_coordinates_GFp(group, pQeA, bnXeA, NULL, context) != 1)
2023 FAIL(FATAL_ERROR_INTERNAL);
2024// tA := (ds,A + de,A avf(Xe,A)) mod n (3)
2025// Compute 'tA' = ('dsA' + 'deA' avf('XeA')) mod n
2026 // Ta = avf(XeA);
2027 BN_copy(bnTa, bnXeA);
2028 avfSm2(bnTa, bnN);
2029 if(// do Ta = de,A * Ta mod n = deA * avf(XeA) mod n
2030 !BN_mod_mul(bnTa, bnDeA, bnTa, bnN, context)
2031 // now Ta = dsA + Ta mod n = dsA + deA * avf(XeA) mod n
2032 || !BN_mod_add(bnTa, bnDsA, bnTa, bnN, context)
2033 )
2034 FAIL(FATAL_ERROR_INTERNAL);
2035// outZ ? [h tA mod n] (Qs,B + [avf(Xe,B)](Qe,B)) (4)
2036 // Put this in because almost every case of h is == 1 so skip the call when
2037 // not necessary.
2038 if(!BN_is_one(bnH))
2039 {
2040 // Cofactor is not 1 so compute Ta := Ta * h mod n
2041 if(!BN_mul(bnTa, bnTa, bnH, context))
2042 FAIL(FATAL_ERROR_INTERNAL);
2043 }
2044 // Now that 'tA' is (h * 'tA' mod n)
2045 // 'outZ' = ['tA'](QsB + [avf(QeB.x)](QeB)).
2046 // first, compute XeB = avf(XeB)
2047 avfSm2(bnXeB, bnN);
2048 // QeB := [XeB]QeB
2049 if( !EC_POINT_mul(group, pQeB, NULL, pQeB, bnXeB, context)
2050 // QeB := QsB + QeB
2051 || !EC_POINT_add(group, pQeB, pQeB, pQsB, context)
2052 )
2053 FAIL(FATAL_ERROR_INTERNAL);
2054 // QeB := [tA]QeB = [tA](QsB + [Xe,B]QeB) and check for at infinity
2055 if(PointMul(group, pQeB, NULL, pQeB, bnTa, context) == CRYPT_SUCCESS)
2056 // Convert BIGNUM E to TPM2B E
2057 Point2B(group, outZ, pQeB, (INT16)BN_num_bytes(bnN), context);
2058Cleanup:
2059 if(pQeA != NULL) EC_POINT_free(pQeA);
2060 if(pQeB != NULL) EC_POINT_free(pQeB);
2061 if(pQsB != NULL) EC_POINT_free(pQsB);
2062 if(group != NULL) EC_GROUP_free(group);
2063 BN_CTX_end(context);
2064 BN_CTX_free(context);
2065 return retVal;
2066}
2067#endif //% TPM_ALG_SM2
2068//
2069//
2070// C_2_2_ECDH()
2071//
2072// This function performs the two phase key exchange defined in SP800-56A, 6.1.1.2 Full Unified Model,
2073// C(2, 2, ECC CDH).
2074//
2075static CRYPT_RESULT
2076C_2_2_ECDH(
2077 TPMS_ECC_POINT *outZ1, // OUT: Zs
2078 TPMS_ECC_POINT *outZ2, // OUT: Ze
2079 TPM_ECC_CURVE curveId, // IN: the curve for the computations
2080 TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key
2081 TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key
2082 TPMS_ECC_POINT *QsB, // IN: static public party B key
2083 TPMS_ECC_POINT *QeB // IN: ephemeral public party B key
2084 )
2085{
2086 BN_CTX *context;
2087 EC_POINT *pQ = NULL;
2088 EC_GROUP *group = NULL;
2089 BIGNUM *bnD;
2090 INT16 size;
2091 const ECC_CURVE_DATA *curveData = GetCurveData(curveId);
2092 context = BN_CTX_new();
2093 if(context == NULL || curveData == NULL)
2094 FAIL(FATAL_ERROR_ALLOCATION);
2095 BN_CTX_start(context);
2096 if((bnD = BN_CTX_get(context)) == NULL)
2097 FAIL(FATAL_ERROR_INTERNAL);
2098 // Initialize group parameters and local values of input
2099 if((group = EccCurveInit(curveId, context)) == NULL)
2100 FAIL(FATAL_ERROR_INTERNAL);
2101 size = (INT16)BN_num_bytes(&group->order);
2102 // Get the static private key of A
2103 BnFrom2B(bnD, &dsA->b);
2104 // Initialize the static public point from B
2105 pQ = EccInitPoint2B(group, QsB, context);
2106 // Do the point multiply for the Zs value
2107 if(PointMul(group, pQ, NULL, pQ, bnD, context) != CRYPT_NO_RESULT)
2108 // Convert the Zs value
2109 Point2B(group, outZ1, pQ, size, context);
2110 // Get the ephemeral private key of A
2111 BnFrom2B(bnD, &deA->b);
2112 // Initalize the ephemeral public point from B
2113 PointFrom2B(group, pQ, QeB, context);
2114 // Do the point multiply for the Ze value
2115 if(PointMul(group, pQ, NULL, pQ, bnD, context) != CRYPT_NO_RESULT)
2116 // Convert the Ze value.
2117 Point2B(group, outZ2, pQ, size, context);
2118 if(pQ != NULL) EC_POINT_free(pQ);
2119 if(group != NULL) EC_GROUP_free(group);
2120 BN_CTX_end(context);
2121 BN_CTX_free(context);
2122 return CRYPT_SUCCESS;
2123}
2124//
2125//
2126// _cpri__C_2_2_KeyExchange()
2127//
2128// This function is the dispatch routine for the EC key exchange function that use two ephemeral and two
2129// static keys.
2130//
2131// Return Value Meaning
2132//
2133// CRYPT_SCHEME scheme is not defined
2134//
2135LIB_EXPORT CRYPT_RESULT
2136_cpri__C_2_2_KeyExchange(
2137 TPMS_ECC_POINT *outZ1, // OUT: a computed point
2138 TPMS_ECC_POINT *outZ2, // OUT: and optional second point
2139 TPM_ECC_CURVE curveId, // IN: the curve for the computations
2140 TPM_ALG_ID scheme, // IN: the key exchange scheme
2141 TPM2B_ECC_PARAMETER *dsA, // IN: static private TPM key
2142 TPM2B_ECC_PARAMETER *deA, // IN: ephemeral private TPM key
2143 TPMS_ECC_POINT *QsB, // IN: static public party B key
2144 TPMS_ECC_POINT *QeB // IN: ephemeral public party B key
2145 )
2146{
2147 pAssert( outZ1 != NULL
2148 && dsA != NULL && deA != NULL
2149 && QsB != NULL && QeB != NULL);
2150 // Initalize the output points so that they are empty until one of the
2151 // functions decides otherwise
2152 outZ1->x.b.size = 0;
2153 outZ1->y.b.size = 0;
2154 if(outZ2 != NULL)
2155 {
2156 outZ2->x.b.size = 0;
2157 outZ2->y.b.size = 0;
2158 }
2159 switch (scheme)
2160 {
2161 case TPM_ALG_ECDH:
2162 return C_2_2_ECDH(outZ1, outZ2, curveId, dsA, deA, QsB, QeB);
2163 break;
2164#ifdef TPM_ALG_ECMQV
2165 case TPM_ALG_ECMQV:
2166 return C_2_2_MQV(outZ1, curveId, dsA, deA, QsB, QeB);
2167 break;
2168#endif
2169#ifdef TPM_ALG_SM2
2170 case TPM_ALG_SM2:
2171 return SM2KeyExchange(outZ1, curveId, dsA, deA, QsB, QeB);
2172 break;
2173#endif
2174 default:
2175 return CRYPT_SCHEME;
2176 }
2177}
2178#else //%
2179//
2180// Stub used when the 2-phase key exchange is not defined so that the linker has something to associate
2181// with the value in the .def file.
2182//
2183LIB_EXPORT CRYPT_RESULT
2184_cpri__C_2_2_KeyExchange(
2185 void
2186 )
2187{
2188 return CRYPT_FAIL;
2189}
2190#endif //% CC_ZGen_2Phase
2191#endif // TPM_ALG_ECC