Fix for STM32 PKA with `coefSign` for non 256-bit curves. Don't check point for STM PKA. ZD14928

IDE/STM32Cube/default_conf.ftl

@@ -197,16 +197,18 @@ extern ${variable.value} ${variable.name};
  * 6=Single Precision C all small
  * 7=Single Precision C all big
  */
-#if defined(WOLF_CONF_MATH) && WOLF_CONF_MATH != 2
-    /* fast (stack) math */
+#if defined(WOLF_CONF_MATH) && WOLF_CONF_MATH == 1
+    /* fast (stack) math - tfm.c */
     #define USE_FAST_MATH
     #define TFM_TIMING_RESISTANT
 
     /* Optimizations (TFM_ARM, TFM_ASM or none) */
     //#define TFM_NO_ASM
     //#define TFM_ASM
-#endif
-#if defined(WOLF_CONF_MATH) && (WOLF_CONF_MATH >= 3)
+#elif defined(WOLF_CONF_MATH) && WOLF_CONF_MATH == 2
+    /* heap math - integer.c */
+    #define USE_INTEGER_HEAP_MATH
+#elif defined(WOLF_CONF_MATH) && (WOLF_CONF_MATH >= 3)
     /* single precision only */
     #define WOLFSSL_SP
     #if WOLF_CONF_MATH != 7
@@ -405,7 +407,7 @@ extern ${variable.value} ${variable.name};
     #define HAVE_AES_DECRYPT
 #endif
 
-/* Other possible AES modes */    
+/* Other possible AES modes */
 //#define WOLFSSL_AES_COUNTER
 //#define HAVE_AESCCM
 //#define WOLFSSL_AES_XTS

wolfcrypt/src/aes.c

@@ -8080,7 +8080,7 @@ static WARN_UNUSED_RESULT int wc_AesGcmDecrypt_STM32(
         XMEMSET(partialBlock, 0, sizeof(partialBlock));
         XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
         status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)partialBlock, partial,
-(           uint32_t*)partialBlock, STM32_HAL_TIMEOUT);
+            (uint32_t*)partialBlock, STM32_HAL_TIMEOUT);
         XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
     }
     #endif

wolfcrypt/src/ecc.c

@@ -1266,7 +1266,8 @@ static int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen
 #if !defined(WOLFSSL_SP_MATH) && \
     !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
     !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \
-    !defined(WOLFSSL_SE050) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+    !defined(WOLFSSL_SE050) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) && \
+    !defined(WOLFSSL_STM32_PKA)
 static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a,
     mp_int* prime, mp_int* order);
 #endif
@@ -9107,7 +9108,7 @@ int wc_ecc_export_x963_ex(ecc_key* key, byte* out, word32* outLen,
 
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
     !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SE050) && \
-    !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+    !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLFSSL_STM32_PKA)
 
 /* is ecc point on curve described by dp ? */
 int wc_ecc_is_point(ecc_point* ecp, mp_int* a, mp_int* b, mp_int* prime)
@@ -9592,7 +9593,7 @@ static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
     !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \
     !defined(WOLFSSL_SE050) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) && \
-    !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+    !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLFSSL_STM32_PKA)
     mp_int* b = NULL;
     #ifdef USE_ECC_B_PARAM
         DECLARE_CURVE_SPECS(4);
@@ -9642,7 +9643,7 @@ static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
 #if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
     defined(WOLFSSL_CRYPTOCELL) || defined(WOLFSSL_SILABS_SE_ACCEL) || \
     defined(WOLFSSL_SE050) || defined(WOLF_CRYPTO_CB_ONLY_ECC) || \
-    defined(WOLFSSL_XILINX_CRYPT_VERSAL)
+    defined(WOLFSSL_XILINX_CRYPT_VERSAL) || defined(WOLFSSL_STM32_PKA)
 
     /* consider key check success on HW crypto
      * ex: ATECC508/608A, CryptoCell and Silabs

wolfcrypt/src/port/st/stm32.c

@@ -732,46 +732,48 @@ static int stm32_get_ecc_specs(const uint8_t **prime, const uint8_t **coef,
     const uint8_t **GenPointX, const uint8_t **GenPointY, const uint8_t **order,
     int size)
 {
-    switch(size) {
+    switch (size) {
+#ifdef ECC256
     case 32:
-        *prime = stm32_ecc256_prime;
-        *coef = stm32_ecc256_coef;
+        if (prime) *prime = stm32_ecc256_prime;
+        if (coef) *coef = stm32_ecc256_coef;
         if (coefB) *coefB = stm32_ecc256_coefB;
-        *GenPointX = stm32_ecc256_pointX;
-        *GenPointY = stm32_ecc256_pointY;
-        *coef_sign = &stm32_ecc256_coef_sign;
+        if (GenPointX) *GenPointX = stm32_ecc256_pointX;
+        if (GenPointY) *GenPointY = stm32_ecc256_pointY;
+        if (coef_sign) *coef_sign = &stm32_ecc256_coef_sign;
         if (order) *order = stm32_ecc256_order;
         break;
+#endif
 #ifdef ECC224
     case 28:
-        *prime = stm32_ecc224_prime;
-        *coef = stm32_ecc224_coef;
+        if (prime) *prime = stm32_ecc224_prime;
+        if (coef) *coef = stm32_ecc224_coef;
         if (coefB) *coefB = stm32_ecc224_coefB;
-        *GenPointX = stm32_ecc224_pointX;
-        *GenPointY = stm32_ecc224_pointY;
-        *coef_sign = &stm32_ecc224_coef;
+        if (GenPointX) *GenPointX = stm32_ecc224_pointX;
+        if (GenPointY) *GenPointY = stm32_ecc224_pointY;
+        if (coef_sign) *coef_sign = &stm32_ecc224_coef_sign;
         if (order) *order = stm32_ecc224_order;
         break;
 #endif
 #ifdef ECC192
     case 24:
-        *prime = stm32_ecc192_prime;
-        *coef = stm32_ecc192_coef;
+        if (prime) *prime = stm32_ecc192_prime;
+        if (coef) *coef = stm32_ecc192_coef;
         if (coefB) *coefB = stm32_ecc192_coefB;
-        *GenPointX = stm32_ecc192_pointX;
-        *GenPointY = stm32_ecc192_pointY;
-        *coef_sign = &stm32_ecc192_coef;
+        if (GenPointX) *GenPointX = stm32_ecc192_pointX;
+        if (GenPointY) *GenPointY = stm32_ecc192_pointY;
+        if (coef_sign) *coef_sign = &stm32_ecc192_coef_sign;
         if (order) *order = stm32_ecc192_order;
         break;
 #endif
 #ifdef ECC384
     case 48:
-        *prime = stm32_ecc384_prime;
-        *coef = stm32_ecc384_coef;
+        if (prime) *prime = stm32_ecc384_prime;
+        if (coef) *coef = stm32_ecc384_coef;
         if (coefB) *coefB = stm32_ecc384_coefB;
-        *GenPointX = stm32_ecc384_pointX;
-        *GenPointY = stm32_ecc384_pointY;
-        *coef_sign = &stm32_ecc384_coef;
+        if (GenPointX) *GenPointX = stm32_ecc384_pointX;
+        if (GenPointY) *GenPointY = stm32_ecc384_pointY;
+        if (coef_sign) *coef_sign = &stm32_ecc384_coef_sign;
         if (order) *order = stm32_ecc384_order;
         break;
 #endif
@@ -809,8 +811,7 @@ int wc_ecc_mulmod_ex(const mp_int *k, ecc_point *G, ecc_point *R, mp_int* a,
     uint8_t PtYbin[STM32_MAX_ECC_SIZE];
     const uint8_t *prime, *coef, *coefB, *gen_x, *gen_y, *order;
     const uint32_t *coef_sign;
-    (void)a;
-    (void)heap;
+
     XMEMSET(&pka_mul, 0x00, sizeof(PKA_ECCMulInTypeDef));
     XMEMSET(&pka_mul_res, 0x00, sizeof(PKA_ECCMulOutTypeDef));
     pka_mul_res.ptX = PtXbin;
@@ -845,7 +846,7 @@ int wc_ecc_mulmod_ex(const mp_int *k, ecc_point *G, ecc_point *R, mp_int* a,
     pka_mul.modulus = prime;
     pka_mul.pointX = Gxbin;
     pka_mul.pointY = Gybin;
-    pka_mul.scalarMulSize = size;
+    pka_mul.scalarMulSize = szkbin;
     pka_mul.scalarMul = kbin;
 #ifdef WOLFSSL_STM32_PKA_V2
     pka_mul.coefB = coefB;
@@ -857,6 +858,7 @@ int wc_ecc_mulmod_ex(const mp_int *k, ecc_point *G, ecc_point *R, mp_int* a,
 
     status = HAL_PKA_ECCMul(&hpka, &pka_mul, HAL_MAX_DELAY);
     if (status != HAL_OK) {
+        HAL_PKA_RAMReset(&hpka);
         return WC_HW_E;
     }
     pka_mul_res.ptX = Gxbin;
@@ -875,6 +877,10 @@ int wc_ecc_mulmod_ex(const mp_int *k, ecc_point *G, ecc_point *R, mp_int* a,
     if (res == MP_OKAY)
         res = mp_set(R->z, 1);
     HAL_PKA_RAMReset(&hpka);
+
+    (void)heap;
+    (void)a; /* uses computed (absolute value, |a| < p) */
+
     return res;
 }