1 /*############################################################################
2 # Copyright 2017 Intel Corporation
3 #
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7 #
8 # http://www.apache.org/licenses/LICENSE-2.0
9 #
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15 ############################################################################*/
16 /// Host non-revoked proof helper implementation
17 /*! \file */
18
19 #include "epid/member/src/nrprove_commitment.h"
20
21 #include <stdint.h>
22 #include "epid/common/math/finitefield.h"
23 #include "epid/common/src/memory.h"
24
25 /// Handle SDK Error with Break
26 #define BREAK_ON_EPID_ERROR(ret) \
27 if (kEpidNoErr != (ret)) { \
28 break; \
29 }
30
31 #pragma pack(1)
32 /// Storage for values to create commitment in NrProve algorithm
33 typedef struct NrProveCommitValues {
34 BigNumStr p; //!< A large prime (256-bit)
35 G1ElemStr g1; //!< Generator of G1 (512-bit)
36 G1ElemStr B; //!< (element of G1): part of basic signature Sigma0
37 G1ElemStr K; //!< (element of G1): part of basic signature Sigma0
38 G1ElemStr rlB; //!< (element of G1): one entry in SigRL
39 G1ElemStr rlK; //!< (element of G1): one entry in SigRL
40 NrProveCommitOutput commit_out; //!< output of NrProveCommit
41 uint8_t msg[1]; //!< message
42 } NrProveCommitValues;
43 #pragma pack()
44
HashNrProveCommitment(FiniteField * Fp,HashAlg hash_alg,G1ElemStr const * B_str,G1ElemStr const * K_str,SigRlEntry const * sigrl_entry,NrProveCommitOutput const * commit_out,void const * msg,size_t msg_len,FpElemStr * c_str)45 EpidStatus HashNrProveCommitment(FiniteField* Fp, HashAlg hash_alg,
46 G1ElemStr const* B_str, G1ElemStr const* K_str,
47 SigRlEntry const* sigrl_entry,
48 NrProveCommitOutput const* commit_out,
49 void const* msg, size_t msg_len,
50 FpElemStr* c_str) {
51 EpidStatus sts = kEpidErr;
52 FfElement* c = NULL;
53 NrProveCommitValues* commit_values = NULL;
54
55 if (!Fp || !B_str || !K_str || !sigrl_entry || !commit_out ||
56 (0 != msg_len && !msg) || !c_str) {
57 return kEpidBadArgErr;
58 }
59
60 if (msg_len >
61 ((SIZE_MAX - sizeof(*commit_values)) + sizeof(*commit_values->msg)))
62 return kEpidBadArgErr;
63
64 do {
65 size_t const commit_len =
66 sizeof(*commit_values) - sizeof(*commit_values->msg) + msg_len;
67 Epid2Params params = {
68 #include "epid/common/src/epid2params_ate.inc"
69 };
70
71 commit_values = SAFE_ALLOC(commit_len);
72 if (!commit_values) {
73 sts = kEpidMemAllocErr;
74 BREAK_ON_EPID_ERROR(sts);
75 }
76
77 commit_values->p = params.p;
78 commit_values->g1 = params.g1;
79 commit_values->B = *B_str;
80 commit_values->K = *K_str;
81 commit_values->rlB = sigrl_entry->b;
82 commit_values->rlK = sigrl_entry->k;
83 commit_values->commit_out = *commit_out;
84
85 // commit_values is allocated such that there are msg_len bytes available
86 // starting at commit_values->msg
87 if (msg) {
88 // Memory copy is used to copy a message of variable length
89 if (0 != memcpy_S(&commit_values->msg[0], msg_len, msg, msg_len)) {
90 sts = kEpidBadArgErr;
91 BREAK_ON_EPID_ERROR(sts);
92 }
93 }
94
95 sts = NewFfElement(Fp, &c);
96 BREAK_ON_EPID_ERROR(sts);
97
98 // 7. The member computes c = Fp.hash(p || g1 || B || K || B' ||
99 // K' || T || R1 || R2 || m).
100 sts = FfHash(Fp, commit_values, commit_len, hash_alg, c);
101 BREAK_ON_EPID_ERROR(sts);
102
103 sts = WriteFfElement(Fp, c, c_str, sizeof(*c_str));
104 BREAK_ON_EPID_ERROR(sts);
105
106 sts = kEpidNoErr;
107 } while (0);
108
109 SAFE_FREE(commit_values);
110 DeleteFfElement(&c);
111
112 return sts;
113 }
114