From 3da0cce06e2bc039eb7acc694ed237ca104b01f1 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 11 Jul 2018 08:12:14 -0400 Subject: [PATCH] rev148: Fixes to EccSignature math and test cases Signed-off-by: Stefan Berger --- src/tpm2/EccTestData.h | 79 ++++++++------------- src/tpm2/crypto/openssl/CryptEccSignature.c | 76 ++++++++++---------- 2 files changed, 66 insertions(+), 89 deletions(-) diff --git a/src/tpm2/EccTestData.h b/src/tpm2/EccTestData.h index 5750985a..44ebaca3 100644 --- a/src/tpm2/EccTestData.h +++ b/src/tpm2/EccTestData.h @@ -3,7 +3,7 @@ /* Parameter data for ECC testing */ /* Written by Ken Goldman */ /* IBM Thomas J. Watson Research Center */ -/* $Id: EccTestData.h 1160 2018-04-17 17:15:34Z kgoldman $ */ +/* $Id: EccTestData.h 1259 2018-07-10 19:11:09Z kgoldman $ */ /* */ /* Licenses and Notices */ /* */ @@ -55,21 +55,14 @@ /* arising in any way out of use or reliance upon this specification or any */ /* information herein. */ /* */ -/* (c) Copyright IBM Corp. and others, 2016, 2018 */ +/* (c) Copyright IBM Corp. and others, 2016 - 2018 */ /* */ /********************************************************************************/ -#ifndef ECCTESTDATA_H -#define ECCTESTDATA_H - - -/* 10.1.12 EccTestData.h */ #ifdef SELF_TEST_DATA TPM2B_TYPE(EC_TEST, 32); const TPM_ECC_CURVE c_testCurve = 00003; - -/* The static key */ - +// The static key const TPM2B_EC_TEST c_ecTestKey_ds = {{32, { 0xdf,0x8d,0xa4,0xa3,0x88,0xf6,0x76,0x96,0x89,0xfc,0x2f,0x2d,0xa1,0xb4,0x39,0x7a, 0x78,0xc4,0x7f,0x71,0x8c,0xa6,0x91,0x85,0xc0,0xbf,0xf3,0x54,0x20,0x91,0x2f,0x73}}}; @@ -79,9 +72,7 @@ const TPM2B_EC_TEST c_ecTestKey_QsX = {{32, { const TPM2B_EC_TEST c_ecTestKey_QsY = {{32, { 0xa6,0xca,0xf2,0x18,0x45,0x96,0x6e,0x58,0xe6,0x72,0x34,0x12,0x89,0xcd,0xaa,0xad, 0xcb,0x68,0xb2,0x51,0xdc,0x5e,0xd1,0x6d,0x38,0x20,0x35,0x57,0xb2,0xfd,0xc7,0x52}}}; - -/* The ephemeral key */ - +// The ephemeral key const TPM2B_EC_TEST c_ecTestKey_de = {{32, { 0xb6,0xb5,0x33,0x5c,0xd1,0xee,0x52,0x07,0x99,0xea,0x2e,0x8f,0x8b,0x19,0x18,0x07, 0xc1,0xf8,0xdf,0xdd,0xb8,0x77,0x00,0xc7,0xd6,0x53,0x21,0xed,0x02,0x53,0xee,0xac}}}; @@ -91,23 +82,19 @@ const TPM2B_EC_TEST c_ecTestKey_QeX = {{32, { const TPM2B_EC_TEST c_ecTestKey_QeY = {{32, { 0x30,0xe6,0x4f,0x97,0x03,0xa1,0xcb,0x3b,0x32,0x2a,0x70,0x39,0x94,0xeb,0x4e,0xea, 0x55,0x88,0x81,0x3f,0xb5,0x00,0xb8,0x54,0x25,0xab,0xd4,0xda,0xfd,0x53,0x7a,0x18}}}; - -/* ECDH test results */ - +// ECDH test results const TPM2B_EC_TEST c_ecTestEcdh_X = {{32, { 0x64,0x02,0x68,0x92,0x78,0xdb,0x33,0x52,0xed,0x3b,0xfa,0x3b,0x74,0xa3,0x3d,0x2c, 0x2f,0x9c,0x59,0x03,0x07,0xf8,0x22,0x90,0xed,0xe3,0x45,0xf8,0x2a,0x0a,0xd8,0x1d}}}; const TPM2B_EC_TEST c_ecTestEcdh_Y = {{32, { 0x58,0x94,0x05,0x82,0xbe,0x5f,0x33,0x02,0x25,0x90,0x3a,0x33,0x90,0x89,0xe3,0xe5, 0x10,0x4a,0xbc,0x78,0xa5,0xc5,0x07,0x64,0xaf,0x91,0xbc,0xe6,0xff,0x85,0x11,0x40}}}; - TPM2B_TYPE(TEST_VALUE, 64); const TPM2B_TEST_VALUE c_ecTestValue = {{64, { 0x78,0xd5,0xd4,0x56,0x43,0x61,0xdb,0x97,0xa4,0x32,0xc4,0x0b,0x06,0xa9,0xa8,0xa0, 0xf4,0x45,0x7f,0x13,0xd8,0x13,0x81,0x0b,0xe5,0x76,0xbe,0xaa,0xb6,0x3f,0x8d,0x4d, 0x23,0x65,0xcc,0xa7,0xc9,0x19,0x10,0xce,0x69,0xcb,0x0c,0xc7,0x11,0x8d,0xc3,0xff, 0x62,0x69,0xa2,0xbe,0x46,0x90,0xe7,0x7d,0x81,0x77,0x94,0x65,0x1c,0x3e,0xc1,0x3e}}}; - #if ALG_SHA1_VALUE == DEFAULT_TEST_HASH const TPM2B_EC_TEST c_TestEcDsa_r = {{32, { 0x57,0xf3,0x36,0xb7,0xec,0xc2,0xdd,0x76,0x0e,0xe2,0x81,0x21,0x49,0xc5,0x66,0x11, @@ -115,27 +102,13 @@ const TPM2B_EC_TEST c_TestEcDsa_r = {{32, { const TPM2B_EC_TEST c_TestEcDsa_s = {{32, { 0x1b,0xed,0x23,0x72,0x8f,0x17,0x5f,0x47,0x2e,0xa7,0x97,0x2c,0x51,0x57,0x20,0x70, 0x6f,0x89,0x74,0x8a,0xa8,0xf4,0x26,0xf4,0x96,0xa1,0xb8,0x3e,0xe5,0x35,0xc5,0x94}}}; -const TPM2B_EC_TEST c_TestEcSchnorr_r = {{32, { - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x42,0xc6,0x0d,0x2f, - 0x86,0xa0,0x1c,0x93,0x5e,0x4a,0xad,0x0b,0x67,0xde,0x5d,0x2a,0xb1,0x08,0x4d,0xae}}}; -const TPM2B_EC_TEST c_TestEcSchnorr_s = {{32, { - 0xb1,0x37,0x7b,0xff,0xf8,0xf7,0xcf,0x2f,0xa6,0xa9,0x5a,0xb1,0x03,0xc1,0x1e,0xa7, - 0xf8,0x05,0x33,0xc0,0x0a,0x7b,0xda,0x7b,0x1a,0x00,0x47,0xe1,0x9e,0xbe,0x50,0xe4}}}; +const TPM2B_EC_TEST c_TestEcSchnorr_r = {{32,{ + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1b,0x08,0x9f,0xde, + 0xef,0x62,0xe3,0xf1,0x14,0xcb,0x54,0x28,0x13,0x76,0xfc,0x6d,0x69,0x22,0xb5,0x3e}}}; +const TPM2B_EC_TEST c_TestEcSchnorr_s = {{32,{ + 0xd9,0xd3,0x20,0xfb,0x4d,0x16,0xf2,0xe6,0xe2,0x45,0x07,0x45,0x1c,0x92,0x92,0x92, + 0xa9,0x6b,0x48,0xf8,0xd1,0x98,0x29,0x4d,0xd3,0x8f,0x56,0xf2,0xbb,0x2e,0x22,0x3b}}}; #endif // SHA1 -#if ALG_SHA384_VALUE == DEFAULT_TEST_HASH -const TPM2B_EC_TEST c_TestEcDsa_r = {{32, { - 0xf5,0x74,0x6d,0xd6,0xc6,0x56,0x86,0xbb,0xba,0x1c,0xba,0x75,0x65,0xee,0x64,0x31, - 0xce,0x04,0xe3,0x9f,0x24,0x3f,0xbd,0xfe,0x04,0xcd,0xab,0x7e,0xfe,0xad,0xcb,0x82}}}; -const TPM2B_EC_TEST c_TestEcDsa_s = {{32, { - 0xc2,0x4f,0x32,0xa1,0x06,0xc0,0x85,0x4f,0xc6,0xd8,0x31,0x66,0x91,0x9f,0x79,0xcd, - 0x5b,0xe5,0x7b,0x94,0xa1,0x91,0x38,0xac,0xd4,0x20,0xa2,0x10,0xf0,0xd5,0x9d,0xbf}}}; -const TPM2B_EC_TEST c_TestEcSchnorr_r = {{32, { - 0xad,0xe8,0xd2,0xda,0x57,0x6d,0x4a,0xe5,0xcc,0xcd,0x7c,0x14,0x1a,0x71,0x93,0xab, - 0x6b,0x9d,0x0f,0x6a,0x97,0xb2,0x32,0x75,0x6c,0xb7,0x82,0x17,0x6b,0x17,0xca,0x1b}}}; -const TPM2B_EC_TEST c_TestEcSchnorr_s = {{32, { - 0xd6,0xf1,0xe3,0x05,0xe5,0xdb,0x7c,0x8f,0x67,0x46,0x24,0x0f,0x5a,0x67,0xf8,0x2d, - 0x5e,0xcb,0xa6,0x8b,0xd7,0x80,0x66,0x83,0x36,0x50,0xd7,0x73,0x7c,0xb8,0x63,0x41}}}; -#endif // SHA384 #if ALG_SHA256_VALUE == DEFAULT_TEST_HASH const TPM2B_EC_TEST c_TestEcDsa_r = {{32, { 0x04,0x7d,0x54,0xeb,0x04,0x6f,0x56,0xec,0xa2,0x6c,0x38,0x8c,0xeb,0x43,0x0b,0x71, @@ -144,31 +117,39 @@ const TPM2B_EC_TEST c_TestEcDsa_s = {{32, { 0x8f,0xd0,0x12,0xd9,0x24,0x75,0xf6,0xc4,0x3b,0xb5,0x46,0x75,0x3a,0x41,0x8d,0x80, 0x23,0x99,0x38,0xd7,0xe2,0x40,0xca,0x9a,0x19,0x2a,0xfc,0x54,0x75,0xd3,0x4a,0x6e}}}; const TPM2B_EC_TEST c_TestEcSchnorr_r = {{32, { - 0x80,0xd5,0x77,0x52,0xf4,0x51,0x4a,0xe8,0xd0,0x28,0x91,0x98,0xbd,0x36,0x5d,0x89, - 0x24,0x0b,0xcf,0x08,0x30,0x35,0xc2,0x19,0x9f,0xf9,0x49,0x4f,0x53,0xe5,0x1f,0xe8}}}; -const TPM2B_EC_TEST c_TestEcSchnorr_s = {{32, { - 0xf7,0x47,0xda,0x09,0xc6,0xc3,0x28,0x28,0xc2,0xbd,0xbf,0xe6,0xa2,0xec,0x3f,0x44, - 0xcf,0xee,0xa2,0x30,0x96,0xe7,0xa4,0xaf,0x1f,0x37,0xac,0x1f,0xc6,0xc1,0xb4,0x25}}}; + 0xf7,0xb9,0x15,0x4c,0x34,0xf6,0x41,0x19,0xa3,0xd2,0xf1,0xbd,0xf4,0x13,0x6a,0x4f, + 0x63,0xb8,0x4d,0xb5,0xc8,0xcd,0xde,0x85,0x95,0xa5,0x39,0x0a,0x14,0x49,0x3d,0x2f}}}; +const TPM2B_EC_TEST c_TestEcSchnorr_s = {{32,{ + 0xfe,0xbe,0x17,0xaa,0x31,0x22,0x9f,0xd0,0xd2,0xf5,0x25,0x04,0x92,0xb0,0xaa,0x4e, + 0xcc,0x1c,0xb6,0x79,0xd6,0x42,0xb3,0x4e,0x3f,0xbb,0xfe,0x5f,0xd0,0xd0,0x8b,0xc3}}}; #endif // SHA256 - +#if ALG_SHA384_VALUE == DEFAULT_TEST_HASH +const TPM2B_EC_TEST c_TestEcDsa_r = {{32, { + 0xf5,0x74,0x6d,0xd6,0xc6,0x56,0x86,0xbb,0xba,0x1c,0xba,0x75,0x65,0xee,0x64,0x31, + 0xce,0x04,0xe3,0x9f,0x24,0x3f,0xbd,0xfe,0x04,0xcd,0xab,0x7e,0xfe,0xad,0xcb,0x82}}}; +const TPM2B_EC_TEST c_TestEcDsa_s = {{32, { + 0xc2,0x4f,0x32,0xa1,0x06,0xc0,0x85,0x4f,0xc6,0xd8,0x31,0x66,0x91,0x9f,0x79,0xcd, + 0x5b,0xe5,0x7b,0x94,0xa1,0x91,0x38,0xac,0xd4,0x20,0xa2,0x10,0xf0,0xd5,0x9d,0xbf}}}; +const TPM2B_EC_TEST c_TestEcSchnorr_r = {{32, { + 0x1e,0xb8,0xe1,0xbf,0xa1,0x9e,0x39,0x1e,0x58,0xa2,0xe6,0x59,0xd0,0x1a,0x6a,0x03, + 0x6a,0x1f,0x1c,0x4f,0x36,0x19,0xc1,0xec,0x30,0xa4,0x85,0x1b,0xe9,0x74,0x35,0x66}}}; +const TPM2B_EC_TEST c_TestEcSchnorr_s = {{32,{ + 0xb9,0xe6,0xe3,0x7e,0xcb,0xb9,0xea,0xf1,0xcc,0xf4,0x48,0x44,0x4a,0xda,0xc8,0xd7, + 0x87,0xb4,0xba,0x40,0xfe,0x5b,0x68,0x11,0x14,0xcf,0xa0,0x0e,0x85,0x46,0x99,0x01}}}; +#endif // SHA384 #if ALG_SHA512_VALUE == DEFAULT_TEST_HASH - const TPM2B_EC_TEST c_TestEcDsa_r = {{32, { 0xc9,0x71,0xa6,0xb4,0xaf,0x46,0x26,0x8c,0x27,0x00,0x06,0x3b,0x00,0x0f,0xa3,0x17, 0x72,0x48,0x40,0x49,0x4d,0x51,0x4f,0xa4,0xcb,0x7e,0x86,0xe9,0xe7,0xb4,0x79,0xb2}}}; const TPM2B_EC_TEST c_TestEcDsa_s = {{32,{ 0x87,0xbc,0xc0,0xed,0x74,0x60,0x9e,0xfa,0x4e,0xe8,0x16,0xf3,0xf9,0x6b,0x26,0x07, 0x3c,0x74,0x31,0x7e,0xf0,0x62,0x46,0xdc,0xd6,0x45,0x22,0x47,0x3e,0x0c,0xa0,0x02}}}; - const TPM2B_EC_TEST c_TestEcSchnorr_r = {{32,{ 0xcc,0x07,0xad,0x65,0x91,0xdd,0xa0,0x10,0x23,0xae,0x53,0xec,0xdf,0xf1,0x50,0x90, 0x16,0x96,0xf4,0x45,0x09,0x73,0x9c,0x84,0xb5,0x5c,0x5f,0x08,0x51,0xcb,0x60,0x01}}}; const TPM2B_EC_TEST c_TestEcSchnorr_s = {{32,{ 0x55,0x20,0x21,0x54,0xe2,0x49,0x07,0x47,0x71,0xf4,0x99,0x15,0x54,0xf3,0xab,0x14, 0xdb,0x8e,0xda,0x79,0xb6,0x02,0x0e,0xe3,0x5e,0x6f,0x2c,0xb6,0x05,0xbd,0x14,0x10}}}; - #endif // SHA512 - #endif // SELF_TEST_DATA -#endif diff --git a/src/tpm2/crypto/openssl/CryptEccSignature.c b/src/tpm2/crypto/openssl/CryptEccSignature.c index ebd99ccb..d293cd31 100644 --- a/src/tpm2/crypto/openssl/CryptEccSignature.c +++ b/src/tpm2/crypto/openssl/CryptEccSignature.c @@ -1,9 +1,9 @@ /********************************************************************************/ /* */ -/* */ +/* ECC Signatures */ /* Written by Ken Goldman */ /* IBM Thomas J. Watson Research Center */ -/* $Id: CryptEccSignature.c 1047 2017-07-20 18:27:34Z kgoldman $ */ +/* $Id: CryptEccSignature.c 1259 2018-07-10 19:11:09Z kgoldman $ */ /* */ /* Licenses and Notices */ /* */ @@ -55,7 +55,7 @@ /* arising in any way out of use or reliance upon this specification or any */ /* information herein. */ /* */ -/* (c) Copyright IBM Corp. and others, 2016, 2017 */ +/* (c) Copyright IBM Corp. and others, 2016 - 2018 */ /* */ /********************************************************************************/ @@ -144,7 +144,7 @@ BnSignEcdsa( { ECC_NUM(bnK); ECC_NUM(bnIk); - BN_VAR(bnE, MAX_DIGEST_SIZE * 8); + BN_VAR(bnE, MAX(MAX_ECC_KEY_BYTES, MAX_DIGEST_SIZE) * 8); POINT(ecR); bigConst order = CurveGetOrder(AccessCurveData(E)); TPM_RC retVal = TPM_RC_SUCCESS; @@ -284,7 +284,7 @@ BnSignEcdaa( return retVal; } #endif // ALG_ECDAA -#if ALG_ECSCHNORR //% +#if ALG_ECSCHNORR /* 10.2.13.3.3 SchnorrReduce() */ /* Function to reduce a hash result if it's magnitude is to large. The size of number is set so that it has no more bytes of significance than the reference value. If the resulting number can have @@ -372,7 +372,7 @@ BnSignEcSchnorr( } #endif // ALG_ECSCHNORR #if ALG_SM2 -#ifdef _SM2_SIGN_DEBUG +#ifdef _SM2_SIGN_DEBUG static BOOL BnHexEqual( bigNum bn, //IN: big number value @@ -402,20 +402,19 @@ BnSignEcSm2( // debug) ) { - BN_MAX_INITIALIZED(bnE, digest); // Don't know how big digest might be + BN_MAX_INITIALIZED(bnE, digest); // Don't know how big digest might be ECC_NUM(bnN); ECC_NUM(bnK); - ECC_NUM(bnX1); - ECC_NUM(bnT); // temp + ECC_NUM(bnT); // temp POINT(Q1); bigConst order = (E != NULL) ? CurveGetOrder(AccessCurveData(E)) : NULL; // #ifdef _SM2_SIGN_DEBUG - BnFromHex(bnE, - "B524F552CD82B8B028476E005C377FB19A87E6FC682D48BB5D42E3D9B9EFFE76"); - BnFromHex(bnD, - "128B2FA8BD433C6C068C8D803DFF79792A519A55171B1B650C23661D15897263"); + BnFromHex(bnE, "B524F552CD82B8B028476E005C377FB1" + "9A87E6FC682D48BB5D42E3D9B9EFFE76"); + BnFromHex(bnD, "128B2FA8BD433C6C068C8D803DFF7979" + "2A519A55171B1B650C23661D15897263"); #endif // A3: Use random number generator to generate random number 1 <= k <= n-1; // NOTE: Ax: numbers are from the SM2 standard @@ -424,20 +423,20 @@ BnSignEcSm2( // Get a random number 0 < k < n BnGenerateRandomInRange(bnK, order, rand); #ifdef _SM2_SIGN_DEBUG - BnFromHex(bnK, - "6CB28D99385C175C94F94E934817663FC176D925DD72B727260DBAAE1FB2F96F"); + BnFromHex(bnK, "6CB28D99385C175C94F94E934817663F" + "C176D925DD72B727260DBAAE1FB2F96F"); #endif // A4: Figure out the point of elliptic curve (x1, y1)=[k]G, and according // to details specified in 4.2.7 in Part 1 of this document, transform the // data type of x1 into an integer; - if(BnEccModMult(Q1, NULL, bnK, E) != TPM_RC_SUCCESS) + if(!BnEccModMult(Q1, NULL, bnK, E)) goto loop; // A5: Figure out r = (e + x1) mod n, - BnAdd(bnR, bnE, bnX1); + BnAdd(bnR, bnE, Q1->x); BnMod(bnR, order); #ifdef _SM2_SIGN_DEBUG - pAssert(BnHexEqual(bnR, - "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1")); + pAssert(BnHexEqual(bnR, "40F1EC59F793D9F49E09DCEF49130D41" + "94F79FB1EED2CAA55BACDB49C4E755D1")); #endif // if r=0 or r+k=n, return to A3; if(BnEqualZero(bnR)) @@ -451,8 +450,8 @@ BnSignEcSm2( BnAddWord(bnT, bnD, 1); BnModInverse(bnT, bnT, order); #ifdef _SM2_SIGN_DEBUG - pAssert(BnHexEqual(bnT, - "79BFCF3052C80DA7B939E0C6914A18CBB2D96D8555256E83122743A7D4F5F956")); + pAssert(BnHexEqual(bnT, "79BFCF3052C80DA7B939E0C6914A18CB" + "B2D96D8555256E83122743A7D4F5F956")); #endif // compute s = t * (k - r * dA) mod n BnModMult(bnS, bnR, bnD, order); @@ -461,8 +460,8 @@ BnSignEcSm2( BnAdd(bnS, bnK, bnS); BnModMult(bnS, bnS, bnT, order); #ifdef _SM2_SIGN_DEBUG - pAssert(BnHexEqual(bnS, - "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7")); + pAssert(BnHexEqual(bnS, "6FC6DAC32C5D5CF10C77DFB20F7C2EB6" + "67A457872FB09EC56327A67EC7DEEBE7")); #endif if(BnEqualZero(bnS)) goto loop; @@ -472,10 +471,10 @@ BnSignEcSm2( // is (r, s). // This is handled by the common return code #ifdef _SM2_SIGN_DEBUG - pAssert(BnHexEqual(bnR, - "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1")); - pAssert(BnHexEqual(bnS, - "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7")); + pAssert(BnHexEqual(bnR, "40F1EC59F793D9F49E09DCEF49130D41" + "94F79FB1EED2CAA55BACDB49C4E755D1")); + pAssert(BnHexEqual(bnS, "6FC6DAC32C5D5CF10C77DFB20F7C2EB6" + "67A457872FB09EC56327A67EC7DEEBE7")); #endif return TPM_RC_SUCCESS; } @@ -515,10 +514,6 @@ CryptEccSign( = sizeof(signature->signature.ecdaa.signatureR.t.buffer); signature->signature.ecdaa.signatureS.t.size = sizeof(signature->signature.ecdaa.signatureS.t.buffer); - // Prime order for this implementation needs to be a multiple of a byte - // so, no P521 for now. - pAssert((BnSizeInBits(CurveGetPrime(C)) & 7) == 0); - pAssert((BnSizeInBits(CurveGetOrder(C)) & 7) == 0); TEST(signature->sigAlg); switch(signature->sigAlg) { @@ -561,7 +556,7 @@ CryptEccSign( CURVE_FREE(E); return retVal; } -#if ALG_ECDSA //% +#if ALG_ECDSA /* 10.2.13.3.7 BnValidateSignatureEcdsa() */ /* This function validates an ECDSA signature. rIn and sIn should have been checked to make sure that they are in the range 0 < v < n */ @@ -579,7 +574,7 @@ BnValidateSignatureEcdsa( { // Make sure that the allocation for the digest is big enough for a maximum // digest - BN_VAR(bnE, MAX_DIGEST_SIZE * 8); + BN_VAR(bnE, MAX(MAX_ECC_KEY_BYTES, MAX_DIGEST_SIZE) * 8); POINT(ecR); ECC_NUM(bnU1); ECC_NUM(bnU2); @@ -616,7 +611,7 @@ BnValidateSignatureEcdsa( Exit: return retVal; } -#endif //% ALG_ECDSA +#endif // ALG_ECDSA #if ALG_SM2 /* 10.2.13.3.8 BnValidateSignatureEcSm2() */ /* This function is used to validate an SM2 signature. */ @@ -648,7 +643,7 @@ BnValidateSignatureEcSm2( "67A457872FB09EC56327A67EC7DEEBE7")); #endif // b) compute t := (r + s) mod n - BnAdd(bnT, bnT, bnS); + BnAdd(bnT, bnR, bnS); BnMod(bnT, order); #ifdef _SM2_SIGN_DEBUG pAssert(BnHexEqual(bnT, @@ -669,16 +664,16 @@ BnValidateSignatureEcSm2( "23E6D9188B2AE47759514657CE25D112")); #endif // e) compute r' := (e + x) mod n (the x coordinate is in bnT) - BnAdd(bnRp, bnE, P->x); - BnMod(bnRp, order); + OK = OK && BnAdd(bnRp, bnE, P->x); + OK = OK && BnMod(bnRp, order); // f) verify that r' = r - OK = (BnUnsignedCmp(bnR, bnRp) != 0) & OK; + OK = OK && (BnUnsignedCmp(bnR, bnRp)); if(!OK) return TPM_RC_SIGNATURE; else return TPM_RC_SUCCESS; } -#endif //% ALG_SM2 +#endif // ALG_SM2 #if ALG_ECSCHNORR /* 10.2.13.3.9 BnValidateSignatureEcSchnorr() */ /* This function is used to validate an EC Schnorr signature. */ @@ -825,7 +820,8 @@ CryptEccCommitCompute( TPM2B_ECC_PARAMETER *r // IN: the computed r value (required) ) { - CURVE_INITIALIZED(curve, curveId); + CURVE_INITIALIZED(curve, curveId); // Normally initialize E as the curve, but E means + // something else in this function ECC_INITIALIZED(bnR, r); TPM_RC retVal = TPM_RC_SUCCESS; //