#481: install basic X25519 curve support

2025-04-19 03:37:08 +00:00 · 2019-11-09 22:39:58 -08:00 · 2019-11-09 22:39:58 -08:00 · 9432fabcf0
commit 9432fabcf0
parent a891fb6c0f
3 changed files with 398 additions and 2 deletions
--- a/security/nss/lib/freebl/ecl/Makefile
+++ b/security/nss/lib/freebl/ecl/Makefile
@ -78,7 +78,8 @@ LIBOBJS = ecl.o ecl_curve.o ecl_mult.o ecl_gf.o \
 	ecp_aff.o ecp_jac.o ecp_mont.o \
 	ec_naf.o ecp_jm.o \
 	ecp_192.o ecp_224.o ecp_256.o ecp_384.o ecp_521.o \
-	ecp_256_32.o
+	ecp_256_32.o \
+	curve25519_32.o
 ifeq ($(ECL_USE_FP),1)
 LIBOBJS+= ecp_fp160.o ecp_fp192.o ecp_fp224.o ecp_fp.o
 endif
@ -131,6 +132,7 @@ ecp_256.o: ecp_256.c $(LIBHDRS)
 ecp_384.o: ecp_384.c $(LIBHDRS)
 ecp_521.o: ecp_521.c $(LIBHDRS)
 ecp_fp.o: ecp_fp.c $(LIBHDRS)
+curve25519_32.o: curve25519_32.c $(LIBHDRS)
 ifeq ($(ECL_USE_FP),1)
 ecp_fp160.o: ecp_fp160.c ecp_fpinc.c $(LIBHDRS)
 ecp_fp192.o: ecp_fp192.c ecp_fpinc.c $(LIBHDRS)
--- a/security/nss/lib/freebl/ecl/curve25519_32.c
+++ b/security/nss/lib/freebl/ecl/curve25519_32.c
@ -0,0 +1,394 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Derived from public domain code by Matthew Dempsky and D. J. Bernstein.
+ */
+
+#include "ecl-priv.h"
+#include "mpi.h"
+
+#include <stdint.h>
+#include <stdio.h>
+
+#include "seccomon.h"
+#include "secerr.h"
+#include "prtypes.h"
+
+typedef uint32_t elem[32];
+
+/*
+ * Add two field elements.
+ * out = a + b
+ */
+static void
+add(elem out, const elem a, const elem b)
+{
+    uint32_t j;
+    uint32_t u = 0;
+    for (j = 0; j < 31; ++j) {
+        u += a[j] + b[j];
+        out[j] = u & 0xFF;
+        u >>= 8;
+    }
+    u += a[31] + b[31];
+    out[31] = u;
+}
+
+/*
+ * Subtract two field elements.
+ * out = a - b
+ */
+static void
+sub(elem out, const elem a, const elem b)
+{
+    uint32_t j;
+    uint32_t u;
+    u = 218;
+    for (j = 0; j < 31; ++j) {
+        u += a[j] + 0xFF00 - b[j];
+        out[j] = u & 0xFF;
+        u >>= 8;
+    }
+    u += a[31] - b[31];
+    out[31] = u;
+}
+
+/*
+ * "Squeeze" an element after multiplication (and square).
+ */
+static void
+squeeze(elem a)
+{
+    uint32_t j;
+    uint32_t u;
+    u = 0;
+    for (j = 0; j < 31; ++j) {
+        u += a[j];
+        a[j] = u & 0xFF;
+        u >>= 8;
+    }
+    u += a[31];
+    a[31] = u & 0x7F;
+    u = 19 * (u >> 7);
+    for (j = 0; j < 31; ++j) {
+        u += a[j];
+        a[j] = u & 0xFF;
+        u >>= 8;
+    }
+    a[31] += u;
+}
+
+static const elem minusp = { 19, 0, 0, 0, 0, 0, 0, 0,
+                             0, 0, 0, 0, 0, 0, 0, 0,
+                             0, 0, 0, 0, 0, 0, 0, 0,
+                             0, 0, 0, 0, 0, 0, 0, 128 };
+
+/*
+ * Reduce point a by 2^255-19
+ */
+static void
+reduce(elem a)
+{
+    elem aorig;
+    uint32_t j;
+    uint32_t negative;
+
+    for (j = 0; j < 32; ++j) {
+        aorig[j] = a[j];
+    }
+    add(a, a, minusp);
+    negative = 1 + ~((a[31] >> 7) & 1);
+    for (j = 0; j < 32; ++j) {
+        a[j] ^= negative & (aorig[j] ^ a[j]);
+    }
+}
+
+/*
+ * Multiplication and squeeze
+ * out = a * b
+ */
+static void
+mult(elem out, const elem a, const elem b)
+{
+    uint32_t i;
+    uint32_t j;
+    uint32_t u;
+
+    for (i = 0; i < 32; ++i) {
+        u = 0;
+        for (j = 0; j <= i; ++j) {
+            u += a[j] * b[i - j];
+        }
+        for (j = i + 1; j < 32; ++j) {
+            u += 38 * a[j] * b[i + 32 - j];
+        }
+        out[i] = u;
+    }
+    squeeze(out);
+}
+
+/*
+ * Multiplication
+ * out = 121665 * a
+ */
+static void
+mult121665(elem out, const elem a)
+{
+    uint32_t j;
+    uint32_t u;
+
+    u = 0;
+    for (j = 0; j < 31; ++j) {
+        u += 121665 * a[j];
+        out[j] = u & 0xFF;
+        u >>= 8;
+    }
+    u += 121665 * a[31];
+    out[31] = u & 0x7F;
+    u = 19 * (u >> 7);
+    for (j = 0; j < 31; ++j) {
+        u += out[j];
+        out[j] = u & 0xFF;
+        u >>= 8;
+    }
+    u += out[j];
+    out[j] = u;
+}
+
+/*
+ * Square a and squeeze the result.
+ * out = a * a
+ */
+static void
+square(elem out, const elem a)
+{
+    uint32_t i;
+    uint32_t j;
+    uint32_t u;
+
+    for (i = 0; i < 32; ++i) {
+        u = 0;
+        for (j = 0; j < i - j; ++j) {
+            u += a[j] * a[i - j];
+        }
+        for (j = i + 1; j < i + 32 - j; ++j) {
+            u += 38 * a[j] * a[i + 32 - j];
+        }
+        u *= 2;
+        if ((i & 1) == 0) {
+            u += a[i / 2] * a[i / 2];
+            u += 38 * a[i / 2 + 16] * a[i / 2 + 16];
+        }
+        out[i] = u;
+    }
+    squeeze(out);
+}
+
+/*
+ * Constant time swap between r and s depending on b
+ */
+static void
+cswap(uint32_t p[64], uint32_t q[64], uint32_t b)
+{
+    uint32_t j;
+    uint32_t swap = 1 + ~b;
+
+    for (j = 0; j < 64; ++j) {
+        const uint32_t t = swap & (p[j] ^ q[j]);
+        p[j] ^= t;
+        q[j] ^= t;
+    }
+}
+
+/*
+ * Montgomery ladder
+ */
+static void
+monty(elem x_2_out, elem z_2_out,
+      const elem point, const elem scalar)
+{
+    uint32_t x_3[64] = { 0 };
+    uint32_t x_2[64] = { 0 };
+    uint32_t a0[64];
+    uint32_t a1[64];
+    uint32_t b0[64];
+    uint32_t b1[64];
+    uint32_t c1[64];
+    uint32_t r[32];
+    uint32_t s[32];
+    uint32_t t[32];
+    uint32_t u[32];
+    uint32_t swap = 0;
+    uint32_t k_t = 0;
+    int j;
+
+    for (j = 0; j < 32; ++j) {
+        x_3[j] = point[j];
+    }
+    x_3[32] = 1;
+    x_2[0] = 1;
+
+    for (j = 254; j >= 0; --j) {
+        k_t = (scalar[j >> 3] >> (j & 7)) & 1;
+        swap ^= k_t;
+        cswap(x_2, x_3, swap);
+        swap = k_t;
+        add(a0, x_2, x_2 + 32);
+        sub(a0 + 32, x_2, x_2 + 32);
+        add(a1, x_3, x_3 + 32);
+        sub(a1 + 32, x_3, x_3 + 32);
+        square(b0, a0);
+        square(b0 + 32, a0 + 32);
+        mult(b1, a1, a0 + 32);
+        mult(b1 + 32, a1 + 32, a0);
+        add(c1, b1, b1 + 32);
+        sub(c1 + 32, b1, b1 + 32);
+        square(r, c1 + 32);
+        sub(s, b0, b0 + 32);
+        mult121665(t, s);
+        add(u, t, b0);
+        mult(x_2, b0, b0 + 32);
+        mult(x_2 + 32, s, u);
+        square(x_3, c1);
+        mult(x_3 + 32, r, point);
+    }
+
+    cswap(x_2, x_3, swap);
+    for (j = 0; j < 32; ++j) {
+        x_2_out[j] = x_2[j];
+    }
+    for (j = 0; j < 32; ++j) {
+        z_2_out[j] = x_2[j + 32];
+    }
+}
+
+static void
+recip(elem out, const elem z)
+{
+    elem z2;
+    elem z9;
+    elem z11;
+    elem z2_5_0;
+    elem z2_10_0;
+    elem z2_20_0;
+    elem z2_50_0;
+    elem z2_100_0;
+    elem t0;
+    elem t1;
+    int i;
+
+    /* 2 */ square(z2, z);
+    /* 4 */ square(t1, z2);
+    /* 8 */ square(t0, t1);
+    /* 9 */ mult(z9, t0, z);
+    /* 11 */ mult(z11, z9, z2);
+    /* 22 */ square(t0, z11);
+    /* 2^5 - 2^0 = 31 */ mult(z2_5_0, t0, z9);
+
+    /* 2^6 - 2^1 */ square(t0, z2_5_0);
+    /* 2^7 - 2^2 */ square(t1, t0);
+    /* 2^8 - 2^3 */ square(t0, t1);
+    /* 2^9 - 2^4 */ square(t1, t0);
+    /* 2^10 - 2^5 */ square(t0, t1);
+    /* 2^10 - 2^0 */ mult(z2_10_0, t0, z2_5_0);
+
+    /* 2^11 - 2^1 */ square(t0, z2_10_0);
+    /* 2^12 - 2^2 */ square(t1, t0);
+    /* 2^20 - 2^10 */
+    for (i = 2; i < 10; i += 2) {
+        square(t0, t1);
+        square(t1, t0);
+    }
+    /* 2^20 - 2^0 */ mult(z2_20_0, t1, z2_10_0);
+
+    /* 2^21 - 2^1 */ square(t0, z2_20_0);
+    /* 2^22 - 2^2 */ square(t1, t0);
+    /* 2^40 - 2^20 */
+    for (i = 2; i < 20; i += 2) {
+        square(t0, t1);
+        square(t1, t0);
+    }
+    /* 2^40 - 2^0 */ mult(t0, t1, z2_20_0);
+
+    /* 2^41 - 2^1 */ square(t1, t0);
+    /* 2^42 - 2^2 */ square(t0, t1);
+    /* 2^50 - 2^10 */
+    for (i = 2; i < 10; i += 2) {
+        square(t1, t0);
+        square(t0, t1);
+    }
+    /* 2^50 - 2^0 */ mult(z2_50_0, t0, z2_10_0);
+
+    /* 2^51 - 2^1 */ square(t0, z2_50_0);
+    /* 2^52 - 2^2 */ square(t1, t0);
+    /* 2^100 - 2^50 */
+    for (i = 2; i < 50; i += 2) {
+        square(t0, t1);
+        square(t1, t0);
+    }
+    /* 2^100 - 2^0 */ mult(z2_100_0, t1, z2_50_0);
+
+    /* 2^101 - 2^1 */ square(t1, z2_100_0);
+    /* 2^102 - 2^2 */ square(t0, t1);
+    /* 2^200 - 2^100 */
+    for (i = 2; i < 100; i += 2) {
+        square(t1, t0);
+        square(t0, t1);
+    }
+    /* 2^200 - 2^0 */ mult(t1, t0, z2_100_0);
+
+    /* 2^201 - 2^1 */ square(t0, t1);
+    /* 2^202 - 2^2 */ square(t1, t0);
+    /* 2^250 - 2^50 */
+    for (i = 2; i < 50; i += 2) {
+        square(t0, t1);
+        square(t1, t0);
+    }
+    /* 2^250 - 2^0 */ mult(t0, t1, z2_50_0);
+
+    /* 2^251 - 2^1 */ square(t1, t0);
+    /* 2^252 - 2^2 */ square(t0, t1);
+    /* 2^253 - 2^3 */ square(t1, t0);
+    /* 2^254 - 2^4 */ square(t0, t1);
+    /* 2^255 - 2^5 */ square(t1, t0);
+    /* 2^255 - 21 */ mult(out, t1, z11);
+}
+
+/*
+ * Computes q = Curve25519(p, s)
+ */
+SECStatus
+ec_Curve25519_mul(PRUint8 *q, const PRUint8 *s, const PRUint8 *p)
+{
+    elem point = { 0 };
+    elem x_2 = { 0 };
+    elem z_2 = { 0 };
+    elem X = { 0 };
+    elem scalar = { 0 };
+    uint32_t i;
+
+    /* read and mask scalar */
+    for (i = 0; i < 32; ++i) {
+        scalar[i] = s[i];
+    }
+    scalar[0] &= 0xF8;
+    scalar[31] &= 0x7F;
+    scalar[31] |= 64;
+
+    /* read and mask point */
+    for (i = 0; i < 32; ++i) {
+        point[i] = p[i];
+    }
+    point[31] &= 0x7F;
+
+    monty(x_2, z_2, point, scalar);
+    recip(z_2, z_2);
+    mult(X, x_2, z_2);
+    reduce(X);
+    for (i = 0; i < 32; ++i) {
+        q[i] = X[i];
+    }
+    return 0;
+}
--- a/security/nss/lib/freebl/manifest.mn
+++ b/security/nss/lib/freebl/manifest.mn
@ -73,7 +73,7 @@ ifndef NSS_DISABLE_ECC
 ECL_SRCS = ecl.c ecl_curve.c ecl_mult.c ecl_gf.c \
 	ecp_aff.c ecp_jac.c ecp_mont.c \
 	ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \
-	ecp_256_32.c
+	ecp_256_32.c curve25519_32.o
 ifdef NSS_ECC_MORE_THAN_SUITE_B
 ECL_SRCS += ec2_aff.c ec2_mont.c ec2_proj.c \
 	ec2_163.c ec2_193.c ec2_233.c \