From 58c35587eacba090414522a6506cb86f2d0e91af Mon Sep 17 00:00:00 2001 From: Patrick Steuer Date: Thu, 11 Jul 2019 10:38:18 +0200 Subject: [PATCH] s390x assembly pack: accelerate ECDSA for NIST P-256, P-384 and P-521 using KDSA instruction. Signed-off-by: Patrick Steuer Reviewed-by: Richard Levitte Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/9348) --- crypto/ec/ecp_s390x_nistp.c | 202 +++++++++++++++++++++++++++++++++++- crypto/err/openssl.txt | 2 + 2 files changed, 200 insertions(+), 4 deletions(-) diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c index 0b03d7fd04..be81f0b8f0 100644 --- a/crypto/ec/ecp_s390x_nistp.c +++ b/crypto/ec/ecp_s390x_nistp.c @@ -10,6 +10,7 @@ #include #include #include +#include #include "ec_lcl.h" #include "s390x_arch.h" @@ -28,6 +29,15 @@ #define S390X_OFF_SRC_Y(n) (3 * n) #define S390X_OFF_SCALAR(n) (4 * n) +/* Offsets of fields in KDSA parameter blocks */ +#define S390X_OFF_R(n) (0 * n) +#define S390X_OFF_S(n) (1 * n) +#define S390X_OFF_H(n) (2 * n) +#define S390X_OFF_K(n) (3 * n) +#define S390X_OFF_X(n) (3 * n) +#define S390X_OFF_RN(n) (4 * n) +#define S390X_OFF_Y(n) (4 * n) + static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], @@ -106,6 +116,163 @@ ret: return rc; } +static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst, + int dgstlen, + const BIGNUM *kinv, + const BIGNUM *r, + EC_KEY *eckey, + unsigned int fc, int len) +{ + unsigned char param[S390X_SIZE_PARAM]; + int ok = 0; + BIGNUM *k; + ECDSA_SIG *sig; + const EC_GROUP *group; + const BIGNUM *privkey; + int off; + + group = EC_KEY_get0_group(eckey); + privkey = EC_KEY_get0_private_key(eckey); + if (group == NULL || privkey == NULL) { + ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, EC_R_MISSING_PARAMETERS); + return NULL; + } + + if (!EC_KEY_can_sign(eckey)) { + ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, + EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); + return NULL; + } + + k = BN_secure_new(); + sig = ECDSA_SIG_new(); + if (k == NULL || sig == NULL) { + ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto ret; + } + + sig->r = BN_new(); + sig->s = BN_new(); + if (sig->r == NULL || sig->s == NULL) { + ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto ret; + } + + memset(param, 0, sizeof(param)); + off = len - (dgstlen > len ? len : dgstlen); + memcpy(param + S390X_OFF_H(len) + off, dgst, len - off); + + if (BN_bn2binpad(privkey, param + S390X_OFF_K(len), len) == -1) { + ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); + goto ret; + } + + if (r == NULL || kinv == NULL) { + /* + * Generate random k and copy to param param block. RAND_priv_bytes + * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce + * because kdsa instruction constructs an in-range, invertible nonce + * internally implementing counter-measures for RNG weakness. + */ + if (RAND_priv_bytes(param + S390X_OFF_RN(len), len) != 1) { + ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, + EC_R_RANDOM_NUMBER_GENERATION_FAILED); + goto ret; + } + } else { + /* Reconstruct k = (k^-1)^-1. */ + if (ec_group_do_inverse_ord(group, k, kinv, NULL) == 0 + || BN_bn2binpad(k, param + S390X_OFF_RN(len), len) == -1) { + ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); + goto ret; + } + /* Turns KDSA internal nonce-generation off. */ + fc |= S390X_KDSA_D; + } + + if (s390x_kdsa(fc, param, NULL, 0) != 0) { + ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_ECDSA_LIB); + goto ret; + } + + if (BN_bin2bn(param + S390X_OFF_R(len), len, sig->r) == NULL + || BN_bin2bn(param + S390X_OFF_S(len), len, sig->s) == NULL) { + ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); + goto ret; + } + + ok = 1; +ret: + OPENSSL_cleanse(param, sizeof(param)); + if (ok != 1) { + ECDSA_SIG_free(sig); + sig = NULL; + } + BN_clear_free(k); + return sig; +} + +static int ecdsa_s390x_nistp_verify_sig(const unsigned char *dgst, int dgstlen, + const ECDSA_SIG *sig, EC_KEY *eckey, + unsigned int fc, int len) +{ + unsigned char param[S390X_SIZE_PARAM]; + int rc = -1; + BN_CTX *ctx; + BIGNUM *x, *y; + const EC_GROUP *group; + const EC_POINT *pubkey; + int off; + + group = EC_KEY_get0_group(eckey); + pubkey = EC_KEY_get0_public_key(eckey); + if (eckey == NULL || group == NULL || pubkey == NULL || sig == NULL) { + ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, EC_R_MISSING_PARAMETERS); + return -1; + } + + if (!EC_KEY_can_sign(eckey)) { + ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, + EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); + return -1; + } + + ctx = BN_CTX_new_ex(group->libctx); + if (ctx == NULL) { + ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE); + return -1; + } + + BN_CTX_start(ctx); + + x = BN_CTX_get(ctx); + y = BN_CTX_get(ctx); + if (x == NULL || y == NULL) { + ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE); + goto ret; + } + + memset(param, 0, sizeof(param)); + off = len - (dgstlen > len ? len : dgstlen); + memcpy(param + S390X_OFF_H(len) + off, dgst, len - off); + + if (group->meth->point_get_affine_coordinates(group, pubkey, + x, y, ctx) != 1 + || BN_bn2binpad(sig->r, param + S390X_OFF_R(len), len) == -1 + || BN_bn2binpad(sig->s, param + S390X_OFF_S(len), len) == -1 + || BN_bn2binpad(x, param + S390X_OFF_X(len), len) == -1 + || BN_bn2binpad(y, param + S390X_OFF_Y(len), len) == -1) { + ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_BN_LIB); + goto ret; + } + + rc = s390x_kdsa(fc, param, NULL, 0) == 0 ? 1 : 0; +ret: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return rc; +} + #define EC_GFP_S390X_NISTP_METHOD(bits) \ \ static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group, \ @@ -122,6 +289,29 @@ static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group, \ S390X_SIZE_P##bits); \ } \ \ +static ECDSA_SIG *ecdsa_s390x_nistp##bits##_sign_sig(const unsigned \ + char *dgst, \ + int dgstlen, \ + const BIGNUM *kinv,\ + const BIGNUM *r, \ + EC_KEY *eckey) \ +{ \ + return ecdsa_s390x_nistp_sign_sig(dgst, dgstlen, kinv, r, eckey, \ + S390X_ECDSA_SIGN_P##bits, \ + S390X_SIZE_P##bits); \ +} \ + \ +static int ecdsa_s390x_nistp##bits##_verify_sig(const \ + unsigned char *dgst, \ + int dgstlen, \ + const ECDSA_SIG *sig, \ + EC_KEY *eckey) \ +{ \ + return ecdsa_s390x_nistp_verify_sig(dgst, dgstlen, sig, eckey, \ + S390X_ECDSA_VERIFY_P##bits, \ + S390X_SIZE_P##bits); \ +} \ + \ const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \ { \ static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = { \ @@ -176,8 +366,8 @@ const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \ NULL, /* keyfinish */ \ ecdh_simple_compute_key, \ ecdsa_simple_sign_setup, \ - ecdsa_simple_sign_sig, \ - ecdsa_simple_verify_sig, \ + ecdsa_s390x_nistp##bits##_sign_sig, \ + ecdsa_s390x_nistp##bits##_verify_sig, \ NULL, /* field_inverse_mod_ord */ \ ec_GFp_simple_blind_coordinates, \ ec_GFp_simple_ladder_pre, \ @@ -186,8 +376,12 @@ const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \ }; \ static const EC_METHOD *ret; \ \ - if (OPENSSL_s390xcap_P.pcc[1] \ - & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \ + if ((OPENSSL_s390xcap_P.pcc[1] \ + & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \ + && (OPENSSL_s390xcap_P.kdsa[0] \ + & S390X_CAPBIT(S390X_ECDSA_VERIFY_P##bits)) \ + && (OPENSSL_s390xcap_P.kdsa[0] \ + & S390X_CAPBIT(S390X_ECDSA_SIGN_P##bits))) \ ret = &EC_GFp_s390x_nistp##bits##_meth; \ else \ ret = EC_GFp_mont_method(); \ diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 035bd729f3..5d5981035c 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -554,6 +554,8 @@ EC_F_ECDSA_VERIFY:253:ECDSA_verify EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig +EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig +EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode -- 2.39.2