Add tinycrypt 0.2.8
Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/ext/tinycrypt/lib/Makefile b/ext/tinycrypt/lib/Makefile
index ee831e8..9c4d8e2 100644
--- a/ext/tinycrypt/lib/Makefile
+++ b/ext/tinycrypt/lib/Makefile
@@ -1,8 +1,8 @@
################################################################################
#
-# Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+# Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
#
-# Cryptographic Primitives Makefile.
+# Cryptographic Primitives Makefile.
#
################################################################################
diff --git a/ext/tinycrypt/lib/include/tinycrypt/aes.h b/ext/tinycrypt/lib/include/tinycrypt/aes.h
index b6dbbb5..b612213 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/aes.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/aes.h
@@ -1,7 +1,7 @@
/* aes.h - TinyCrypt interface to an AES-128 implementation */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -61,10 +61,9 @@
#define TC_AES_BLOCK_SIZE (Nb*Nk)
#define TC_AES_KEY_SIZE (Nb*Nk)
-struct tc_aes_key_sched_struct {
- uint32_t words[Nb*(Nr+1)];
-};
-typedef struct tc_aes_key_sched_struct *TCAesKeySched_t;
+typedef struct tc_aes_key_sched_struct {
+ unsigned int words[Nb*(Nr+1)];
+} *TCAesKeySched_t;
/**
* @brief Set AES-128 encryption key
@@ -77,7 +76,7 @@
* @param s IN/OUT -- initialized struct tc_aes_key_sched_struct
* @param k IN -- points to the AES key
*/
-int32_t tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k);
+int tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k);
/**
* @brief AES-128 Encryption procedure
@@ -91,9 +90,8 @@
* @param in IN -- a plaintext block to encrypt
* @param s IN -- initialized AES key schedule
*/
-int32_t tc_aes_encrypt(uint8_t *out,
- const uint8_t *in,
- const TCAesKeySched_t s);
+int tc_aes_encrypt(uint8_t *out, const uint8_t *in,
+ const TCAesKeySched_t s);
/**
* @brief Set the AES-128 decryption key
@@ -109,7 +107,7 @@
* @param s IN/OUT -- initialized struct tc_aes_key_sched_struct
* @param k IN -- points to the AES key
*/
-int32_t tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k);
+int tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k);
/**
* @brief AES-128 Encryption procedure
@@ -122,12 +120,11 @@
* @param in IN -- a plaintext block to encrypt
* @param s IN -- initialized AES key schedule
*/
-int32_t tc_aes_decrypt(uint8_t *out,
- const uint8_t *in,
- const TCAesKeySched_t s);
+int tc_aes_decrypt(uint8_t *out, const uint8_t *in,
+ const TCAesKeySched_t s);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_AES_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/cbc_mode.h b/ext/tinycrypt/lib/include/tinycrypt/cbc_mode.h
index 74d2914..4a837fd 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/cbc_mode.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/cbc_mode.h
@@ -1,7 +1,7 @@
/* cbc_mode.h - TinyCrypt interface to a CBC mode implementation */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -107,9 +107,9 @@
* @param iv IN -- the IV for the this encrypt/decrypt
* @param sched IN -- AES key schedule for this encrypt
*/
-int32_t tc_cbc_mode_encrypt(uint8_t *out, uint32_t outlen, const uint8_t *in,
- uint32_t inlen, const uint8_t *iv,
- const TCAesKeySched_t sched);
+int tc_cbc_mode_encrypt(uint8_t *out, unsigned int outlen, const uint8_t *in,
+ unsigned int inlen, const uint8_t *iv,
+ const TCAesKeySched_t sched);
/**
* @brief CBC decryption procedure
@@ -140,12 +140,12 @@
* @param sched IN -- AES key schedule for this decrypt
*
*/
-int32_t tc_cbc_mode_decrypt(uint8_t *out, uint32_t outlen, const uint8_t *in,
- uint32_t inlen, const uint8_t *iv,
- const TCAesKeySched_t sched);
+int tc_cbc_mode_decrypt(uint8_t *out, unsigned int outlen, const uint8_t *in,
+ unsigned int inlen, const uint8_t *iv,
+ const TCAesKeySched_t sched);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_CBC_MODE_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/ccm_mode.h b/ext/tinycrypt/lib/include/tinycrypt/ccm_mode.h
index 9fa5915..69c798e 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/ccm_mode.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/ccm_mode.h
@@ -1,7 +1,7 @@
/* ccm_mode.h - TinyCrypt interface to a CCM mode implementation */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -91,7 +91,7 @@
typedef struct tc_ccm_mode_struct {
TCAesKeySched_t sched; /* AES key schedule */
uint8_t *nonce; /* nonce required by CCM */
- uint32_t mlen; /* mac length in bytes (parameter t in SP-800 38C) */
+ unsigned int mlen; /* mac length in bytes (parameter t in SP-800 38C) */
} *TCCcmMode_t;
/**
@@ -108,8 +108,8 @@
* @param nlen -- nonce length in bytes
* @param mlen -- mac length in bytes (parameter t in SP-800 38C)
*/
-int32_t tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce,
- uint32_t nlen, uint32_t mlen);
+int tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce,
+ unsigned int nlen, unsigned int mlen);
/**
* @brief CCM tag generation and encryption procedure
@@ -120,15 +120,19 @@
* ((plen > 0) and (payload == NULL)) or
* ((alen > 0) and (associated_data == NULL)) or
* (alen >= TC_CCM_AAD_MAX_BYTES) or
- * (plen >= TC_CCM_PAYLOAD_MAX_BYTES)
+ * (plen >= TC_CCM_PAYLOAD_MAX_BYTES) or
+ * (olen < plen + maclength)
*
* @param out OUT -- encrypted data
+ * @param olen IN -- output length in bytes
* @param associated_data IN -- associated data
* @param alen IN -- associated data length in bytes
* @param payload IN -- payload
* @param plen IN -- payload length in bytes
* @param c IN -- CCM state
*
+ * @note: out buffer should be at least (plen + c->mlen) bytes long.
+ *
* @note: The sequence b for encryption is formatted as follows:
* b = [FLAGS | nonce | counter ], where:
* FLAGS is 1 byte long
@@ -149,9 +153,10 @@
* 6: Adata (0 if alen == 0, and 1 otherwise)
* 7: always 0
*/
-int32_t tc_ccm_generation_encryption(uint8_t *out, const uint8_t *associated_data,
- uint32_t alen, const uint8_t *payload,
- uint32_t plen, TCCcmMode_t c);
+int tc_ccm_generation_encryption(uint8_t *out, unsigned int olen,
+ const uint8_t *associated_data,
+ unsigned int alen, const uint8_t *payload,
+ unsigned int plen, TCCcmMode_t c);
/**
* @brief CCM decryption and tag verification procedure
@@ -162,7 +167,8 @@
* ((plen > 0) and (payload == NULL)) or
* ((alen > 0) and (associated_data == NULL)) or
* (alen >= TC_CCM_AAD_MAX_BYTES) or
- * (plen >= TC_CCM_PAYLOAD_MAX_BYTES)
+ * (plen >= TC_CCM_PAYLOAD_MAX_BYTES) or
+ * (olen < plen - c->mlen)
*
* @param out OUT -- decrypted data
* @param associated_data IN -- associated data
@@ -171,6 +177,8 @@
* @param plen IN -- payload length in bytes
* @param c IN -- CCM state
*
+ * @note: out buffer should be at least (plen - c->mlen) bytes long.
+ *
* @note: The sequence b for encryption is formatted as follows:
* b = [FLAGS | nonce | counter ], where:
* FLAGS is 1 byte long
@@ -191,11 +199,13 @@
* 6: Adata (0 if alen == 0, and 1 otherwise)
* 7: always 0
*/
-int32_t tc_ccm_decryption_verification(uint8_t *out, const uint8_t *associated_data,
- uint32_t alen, const uint8_t *payload, uint32_t plen,
- TCCcmMode_t c);
+int tc_ccm_decryption_verification(uint8_t *out, unsigned int olen,
+ const uint8_t *associated_data,
+ unsigned int alen, const uint8_t *payload, unsigned int plen,
+ TCCcmMode_t c);
+
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_CCM_MODE_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/cmac_mode.h b/ext/tinycrypt/lib/include/tinycrypt/cmac_mode.h
index 9d3f130..f44b0a5 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/cmac_mode.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/cmac_mode.h
@@ -1,7 +1,7 @@
/* cmac_mode.h -- interface to a CMAC implementation */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -119,9 +119,9 @@
/* where to put bytes that didn't fill a block */
uint8_t leftover[TC_AES_BLOCK_SIZE];
/* identifies the encryption key */
- uint32_t keyid;
+ unsigned int keyid;
/* next available leftover location */
- uint32_t leftover_offset;
+ unsigned int leftover_offset;
/* AES key schedule */
TCAesKeySched_t sched;
/* calls to tc_cmac_update left before re-key */
@@ -139,8 +139,8 @@
* @param key IN -- the key to use
* @param sched IN -- AES key schedule
*/
-int32_t tc_cmac_setup(TCCmacState_t s, const uint8_t *key,
- TCAesKeySched_t sched);
+int tc_cmac_setup(TCCmacState_t s, const uint8_t *key,
+ TCAesKeySched_t sched);
/**
* @brief Erases the CMAC state
@@ -150,7 +150,7 @@
*
* @param s IN/OUT -- the state to erase
*/
-int32_t tc_cmac_erase(TCCmacState_t s);
+int tc_cmac_erase(TCCmacState_t s);
/**
* @brief Initializes a new CMAC computation
@@ -160,7 +160,7 @@
*
* @param s IN/OUT -- the state to initialize
*/
-int32_t tc_cmac_init(TCCmacState_t s);
+int tc_cmac_init(TCCmacState_t s);
/**
* @brief Incrementally computes CMAC over the next data segment
@@ -173,7 +173,7 @@
* @param data IN -- the next data segment to MAC
* @param dlen IN -- the length of data in bytes
*/
-int32_t tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t dlen);
+int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t dlen);
/**
* @brief Generates the tag from the CMAC state
@@ -185,10 +185,10 @@
* @param tag OUT -- the CMAC tag
* @param s IN -- CMAC state
*/
-int32_t tc_cmac_final(uint8_t *tag, TCCmacState_t s);
+int tc_cmac_final(uint8_t *tag, TCCmacState_t s);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_CMAC_MODE_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/constants.h b/ext/tinycrypt/lib/include/tinycrypt/constants.h
index 1a7c9df..965490e 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/constants.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/constants.h
@@ -1,7 +1,7 @@
/* constants.h - TinyCrypt interface to constants */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -43,6 +43,8 @@
extern "C" {
#endif
+#include <stdbool.h>
+
#ifndef NULL
#define NULL ((void *)0)
#endif
@@ -56,4 +58,4 @@
}
#endif
-#endif
+#endif /* __TC_CONSTANTS_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/ctr_mode.h b/ext/tinycrypt/lib/include/tinycrypt/ctr_mode.h
index 5f7766d..dc221f9 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/ctr_mode.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/ctr_mode.h
@@ -1,7 +1,7 @@
/* ctr_mode.h - TinyCrypt interface to CTR mode */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -98,11 +98,11 @@
* @param ctr IN/OUT -- the current counter value
* @param sched IN -- an initialized AES key schedule
*/
-int32_t tc_ctr_mode(uint8_t *out, uint32_t outlen, const uint8_t *in,
- uint32_t inlen, uint8_t *ctr, const TCAesKeySched_t sched);
+int tc_ctr_mode(uint8_t *out, unsigned int outlen, const uint8_t *in,
+ unsigned int inlen, uint8_t *ctr, const TCAesKeySched_t sched);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_CTR_MODE_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/ctr_prng.h b/ext/tinycrypt/lib/include/tinycrypt/ctr_prng.h
index 12cac8f..9be06db 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/ctr_prng.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/ctr_prng.h
@@ -67,8 +67,7 @@
extern "C" {
#endif
-typedef struct
-{
+typedef struct {
/* updated each time another BLOCKLEN_BYTES bytes are produced */
uint8_t V[TC_AES_BLOCK_SIZE];
@@ -99,11 +98,11 @@
* @param plen IN -- personalization length in bytes
*
*/
-int32_t tc_ctr_prng_init(TCCtrPrng_t * const ctx,
- uint8_t const * const entropy,
- uint32_t entropyLen,
- uint8_t const * const personalization,
- uint32_t pLen);
+int tc_ctr_prng_init(TCCtrPrng_t * const ctx,
+ uint8_t const * const entropy,
+ unsigned int entropyLen,
+ uint8_t const * const personalization,
+ unsigned int pLen);
/**
* @brief CTR-PRNG reseed procedure
@@ -124,11 +123,11 @@
* @param additional_input IN -- additional input to the prng (may be null)
* @param additionallen IN -- additional input length in bytes
*/
-int32_t tc_ctr_prng_reseed(TCCtrPrng_t * const ctx,
- uint8_t const * const entropy,
- uint32_t entropyLen,
- uint8_t const * const additional_input,
- uint32_t additionallen);
+int tc_ctr_prng_reseed(TCCtrPrng_t * const ctx,
+ uint8_t const * const entropy,
+ unsigned int entropyLen,
+ uint8_t const * const additional_input,
+ unsigned int additionallen);
/**
* @brief CTR-PRNG generate procedure
@@ -146,11 +145,11 @@
* @param out IN/OUT -- buffer to receive output
* @param outlen IN -- size of out buffer in bytes
*/
-int32_t tc_ctr_prng_generate(TCCtrPrng_t * const ctx,
- uint8_t const * const additional_input,
- uint32_t additionallen,
- uint8_t * const out,
- uint32_t outlen);
+int tc_ctr_prng_generate(TCCtrPrng_t * const ctx,
+ uint8_t const * const additional_input,
+ unsigned int additionallen,
+ uint8_t * const out,
+ unsigned int outlen);
/**
* @brief CTR-PRNG uninstantiate procedure
@@ -164,4 +163,4 @@
}
#endif
-#endif
+#endif /* __TC_CTR_PRNG_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/ecc.h b/ext/tinycrypt/lib/include/tinycrypt/ecc.h
index 74324f9..8abc949 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/ecc.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/ecc.h
@@ -1,10 +1,7 @@
-/* ecc.h - TinyCrypt interface to ECC auxiliary functions */
+/* ecc.h - TinyCrypt interface to common ECC functions */
-/*
- * =============================================================================
- * Copyright (c) 2013, Kenneth MacKay
+/* Copyright (c) 2014, Kenneth MacKay
* All rights reserved.
- * https://github.com/kmackay/micro-ecc
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -27,9 +24,10 @@
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
- *
- * =============================================================================
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ */
+
+/*
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -60,9 +58,9 @@
/**
* @file
- * @brief -- Interface to ECC auxiliary functions.
+ * @brief -- Interface to common ECC functions.
*
- * Overview: This software is an implementation of auxiliary functions
+ * Overview: This software is an implementation of common functions
* necessary to elliptic curve cryptography. This implementation uses
* curve NIST p-256.
*
@@ -70,8 +68,8 @@
*
*/
-#ifndef __TC_ECC_H__
-#define __TC_ECC_H__
+#ifndef __TC_UECC_H__
+#define __TC_UECC_H__
#include <stdint.h>
@@ -80,278 +78,468 @@
#endif
/* Word size (4 bytes considering 32-bits architectures) */
-#define WORD_SIZE 4
+#define uECC_WORD_SIZE 4
+
+/* setting max number of calls to prng: */
+#ifndef uECC_RNG_MAX_TRIES
+#define uECC_RNG_MAX_TRIES 64
+#endif
+
+/* defining data types to store word and bit counts: */
+typedef int8_t wordcount_t;
+typedef int16_t bitcount_t;
+/* defining data type for comparison result: */
+typedef int8_t cmpresult_t;
+/* defining data type to store ECC coordinate/point in 32bits words: */
+typedef unsigned int uECC_word_t;
+/* defining data type to store an ECC coordinate/point in 64bits words: */
+typedef uint64_t uECC_dword_t;
+
+/* defining masks useful for ecc computations: */
+#define HIGH_BIT_SET 0x80000000
+#define uECC_WORD_BITS 32
+#define uECC_WORD_BITS_SHIFT 5
+#define uECC_WORD_BITS_MASK 0x01F
+
/* Number of words of 32 bits to represent an element of the the curve p-256: */
-#define NUM_ECC_DIGITS 8
+#define NUM_ECC_WORDS 8
/* Number of bytes to represent an element of the the curve p-256: */
-#define NUM_ECC_BYTES (WORD_SIZE*NUM_ECC_DIGITS)
+#define NUM_ECC_BYTES (uECC_WORD_SIZE*NUM_ECC_WORDS)
-/* struct to represent a point of the curve (uses X and Y coordinates): */
-typedef struct EccPoint {
- uint32_t x[NUM_ECC_DIGITS];
- uint32_t y[NUM_ECC_DIGITS];
-} EccPoint;
-
-/* struct to represent a point of the curve in Jacobian coordinates
- * (uses X, Y and Z coordinates):
- */
-typedef struct EccPointJacobi {
- uint32_t X[NUM_ECC_DIGITS];
- uint32_t Y[NUM_ECC_DIGITS];
- uint32_t Z[NUM_ECC_DIGITS];
-} EccPointJacobi;
+/* structure that represents an elliptic curve (e.g. p256):*/
+struct uECC_Curve_t;
+typedef const struct uECC_Curve_t * uECC_Curve;
+struct uECC_Curve_t {
+ wordcount_t num_words;
+ wordcount_t num_bytes;
+ bitcount_t num_n_bits;
+ uECC_word_t p[NUM_ECC_WORDS];
+ uECC_word_t n[NUM_ECC_WORDS];
+ uECC_word_t G[NUM_ECC_WORDS * 2];
+ uECC_word_t b[NUM_ECC_WORDS];
+ void (*double_jacobian)(uECC_word_t * X1, uECC_word_t * Y1, uECC_word_t * Z1,
+ uECC_Curve curve);
+ void (*x_side)(uECC_word_t *result, const uECC_word_t *x, uECC_Curve curve);
+ void (*mmod_fast)(uECC_word_t *result, uECC_word_t *product);
+};
/*
- * @brief Check if p_vli is zero.
- * @return returns non-zero if p_vli == 0, zero otherwise.
- *
- * @param p_native OUT -- will be filled in with the native integer value.
- * @param p_bytes IN -- standard octet representation of the integer to convert.
- *
- * @note Side-channel countermeasure: algorithm strengthened against timing
- * attack.
+ * @brief computes doubling of point ion jacobian coordinates, in place.
+ * @param X1 IN/OUT -- x coordinate
+ * @param Y1 IN/OUT -- y coordinate
+ * @param Z1 IN/OUT -- z coordinate
+ * @param curve IN -- elliptic curve
*/
-uint32_t vli_isZero(uint32_t *p_vli);
+void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1,
+ uECC_word_t * Z1, uECC_Curve curve);
/*
- * @brief Set the content of p_src in p_dest.
- *
- * @param p_dest OUT -- Destination buffer.
- * @param p_src IN -- Origin buffer.
- *
+ * @brief Computes x^3 + ax + b. result must not overlap x.
+ * @param result OUT -- x^3 + ax + b
+ * @param x IN -- value of x
+ * @param curve IN -- elliptic curve
*/
-void vli_set(uint32_t *p_dest, uint32_t *p_src);
+void x_side_default(uECC_word_t *result, const uECC_word_t *x,
+ uECC_Curve curve);
/*
- * @brief Computes the sign of p_left - p_right.
- * @return returns the sign of p_left - p_right.
- *
- * @param p_left IN -- buffer to be compared.
- * @param p_right IN -- buffer to be compared.
- * @param word_size IN -- size of the word.
- *
- * @note Side-channel countermeasure: algorithm strengthened against timing
- * attack.
+ * @brief Computes result = product % curve_p
+ * from http://www.nsa.gov/ia/_files/nist-routines.pdf
+ * @param result OUT -- product % curve_p
+ * @param product IN -- value to be reduced mod curve_p
*/
-int32_t vli_cmp(uint32_t *p_left, uint32_t *p_right, int32_t word_size);
+void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int *product);
+
+/* Bytes to words ordering: */
+#define BYTES_TO_WORDS_8(a, b, c, d, e, f, g, h) 0x##d##c##b##a, 0x##h##g##f##e
+#define BYTES_TO_WORDS_4(a, b, c, d) 0x##d##c##b##a
+#define BITS_TO_WORDS(num_bits) \
+ ((num_bits + ((uECC_WORD_SIZE * 8) - 1)) / (uECC_WORD_SIZE * 8))
+#define BITS_TO_BYTES(num_bits) ((num_bits + 7) / 8)
+
+/* definition of curve NIST p-256: */
+static const struct uECC_Curve_t curve_secp256r1 = {
+ NUM_ECC_WORDS,
+ NUM_ECC_BYTES,
+ 256, /* num_n_bits */ {
+ BYTES_TO_WORDS_8(FF, FF, FF, FF, FF, FF, FF, FF),
+ BYTES_TO_WORDS_8(FF, FF, FF, FF, 00, 00, 00, 00),
+ BYTES_TO_WORDS_8(00, 00, 00, 00, 00, 00, 00, 00),
+ BYTES_TO_WORDS_8(01, 00, 00, 00, FF, FF, FF, FF)
+ }, {
+ BYTES_TO_WORDS_8(51, 25, 63, FC, C2, CA, B9, F3),
+ BYTES_TO_WORDS_8(84, 9E, 17, A7, AD, FA, E6, BC),
+ BYTES_TO_WORDS_8(FF, FF, FF, FF, FF, FF, FF, FF),
+ BYTES_TO_WORDS_8(00, 00, 00, 00, FF, FF, FF, FF)
+ }, {
+ BYTES_TO_WORDS_8(96, C2, 98, D8, 45, 39, A1, F4),
+ BYTES_TO_WORDS_8(A0, 33, EB, 2D, 81, 7D, 03, 77),
+ BYTES_TO_WORDS_8(F2, 40, A4, 63, E5, E6, BC, F8),
+ BYTES_TO_WORDS_8(47, 42, 2C, E1, F2, D1, 17, 6B),
+
+ BYTES_TO_WORDS_8(F5, 51, BF, 37, 68, 40, B6, CB),
+ BYTES_TO_WORDS_8(CE, 5E, 31, 6B, 57, 33, CE, 2B),
+ BYTES_TO_WORDS_8(16, 9E, 0F, 7C, 4A, EB, E7, 8E),
+ BYTES_TO_WORDS_8(9B, 7F, 1A, FE, E2, 42, E3, 4F)
+ }, {
+ BYTES_TO_WORDS_8(4B, 60, D2, 27, 3E, 3C, CE, 3B),
+ BYTES_TO_WORDS_8(F6, B0, 53, CC, B0, 06, 1D, 65),
+ BYTES_TO_WORDS_8(BC, 86, 98, 76, 55, BD, EB, B3),
+ BYTES_TO_WORDS_8(E7, 93, 3A, AA, D8, 35, C6, 5A)
+ },
+ &double_jacobian_default,
+ &x_side_default,
+ &vli_mmod_fast_secp256r1
+};
+
+uECC_Curve uECC_secp256r1(void);
/*
- * @brief Computes p_result = p_left - p_right, returns borrow.
- * @return returns the sign of p_left - p_right.
+ * @brief Generates a random integer in the range 0 < random < top.
+ * Both random and top have num_words words.
+ * @param random OUT -- random integer in the range 0 < random < top
+ * @param top IN -- upper limit
+ * @param num_words IN -- number of words
+ * @return a random integer in the range 0 < random < top
+ */
+int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top,
+ wordcount_t num_words);
+
+
+/* uECC_RNG_Function type
+ * The RNG function should fill 'size' random bytes into 'dest'. It should
+ * return 1 if 'dest' was filled with random data, or 0 if the random data could
+ * not be generated. The filled-in values should be either truly random, or from
+ * a cryptographically-secure PRNG.
*
- * @param p_result IN -- buffer to be compared.
- * @param p_left IN -- buffer p_left in (p_left - p_right).
- * @param p_right IN -- buffer p_right in (p_left - p_right).
- * @param word_size IN -- size of the word.
+ * A correctly functioning RNG function must be set (using uECC_set_rng())
+ * before calling uECC_make_key() or uECC_sign().
*
- * @note Side-channel countermeasure: algorithm strengthened against timing
- * attack.
+ * Setting a correctly functioning RNG function improves the resistance to
+ * side-channel attacks for uECC_shared_secret().
+ *
+ * A correct RNG function is set by default. If you are building on another
+ * POSIX-compliant system that supports /dev/random or /dev/urandom, you can
+ * define uECC_POSIX to use the predefined RNG.
+ */
+typedef int(*uECC_RNG_Function)(uint8_t *dest, unsigned int size);
+
+/*
+ * @brief Set the function that will be used to generate random bytes. The RNG
+ * function should return 1 if the random data was generated, or 0 if the random
+ * data could not be generated.
+ *
+ * @note On platforms where there is no predefined RNG function, this must be
+ * called before uECC_make_key() or uECC_sign() are used.
+ *
+ * @param rng_function IN -- function that will be used to generate random bytes
+ */
+void uECC_set_rng(uECC_RNG_Function rng_function);
+
+/*
+ * @brief provides current uECC_RNG_Function.
+ * @return Returns the function that will be used to generate random bytes.
+ */
+uECC_RNG_Function uECC_get_rng(void);
+
+/*
+ * @brief computes the size of a private key for the curve in bytes.
+ * @param curve IN -- elliptic curve
+ * @return size of a private key for the curve in bytes.
+ */
+int uECC_curve_private_key_size(uECC_Curve curve);
+
+/*
+ * @brief computes the size of a public key for the curve in bytes.
+ * @param curve IN -- elliptic curve
+ * @return the size of a public key for the curve in bytes.
+ */
+int uECC_curve_public_key_size(uECC_Curve curve);
+
+/*
+ * @brief Compute the corresponding public key for a private key.
+ * @param private_key IN -- The private key to compute the public key for
+ * @param public_key OUT -- Will be filled in with the corresponding public key
+ * @param curve
+ * @return Returns 1 if key was computed successfully, 0 if an error occurred.
+ */
+int uECC_compute_public_key(const uint8_t *private_key,
+ uint8_t *public_key, uECC_Curve curve);
+
+/*
+ * @brief Compute public-key.
+ * @return corresponding public-key.
+ * @param result OUT -- public-key
+ * @param private_key IN -- private-key
+ * @param curve IN -- elliptic curve
+ */
+uECC_word_t EccPoint_compute_public_key(uECC_word_t *result,
+ uECC_word_t *private_key, uECC_Curve curve);
+
+/*
+ * @brief Regularize the bitcount for the private key so that attackers cannot
+ * use a side channel attack to learn the number of leading zeros.
+ * @return Regularized k
+ * @param k IN -- private-key
+ * @param k0 IN/OUT -- regularized k
+ * @param k1 IN/OUT -- regularized k
+ * @param curve IN -- elliptic curve
+ */
+uECC_word_t regularize_k(const uECC_word_t * const k, uECC_word_t *k0,
+ uECC_word_t *k1, uECC_Curve curve);
+
+/*
+ * @brief Point multiplication algorithm using Montgomery's ladder with co-Z
+ * coordinates. See http://eprint.iacr.org/2011/338.pdf.
+ * @note Result may overlap point.
+ * @param result OUT -- returns scalar*point
+ * @param point IN -- elliptic curve point
+ * @param scalar IN -- scalar
+ * @param initial_Z IN -- initial value for z
+ * @param num_bits IN -- number of bits in scalar
+ * @param curve IN -- elliptic curve
+ */
+void EccPoint_mult(uECC_word_t * result, const uECC_word_t * point,
+ const uECC_word_t * scalar, const uECC_word_t * initial_Z,
+ bitcount_t num_bits, uECC_Curve curve);
+
+/*
+ * @brief Constant-time comparison to zero - secure way to compare long integers
+ * @param vli IN -- very long integer
+ * @param num_words IN -- number of words in the vli
+ * @return 1 if vli == 0, 0 otherwise.
+ */
+uECC_word_t uECC_vli_isZero(const uECC_word_t *vli, wordcount_t num_words);
+
+/*
+ * @brief Check if 'point' is the point at infinity
+ * @param point IN -- elliptic curve point
+ * @param curve IN -- elliptic curve
+ * @return if 'point' is the point at infinity, 0 otherwise.
+ */
+uECC_word_t EccPoint_isZero(const uECC_word_t *point, uECC_Curve curve);
+
+/*
+ * @brief computes the sign of left - right, in constant time.
+ * @param left IN -- left term to be compared
+ * @param right IN -- right term to be compared
+ * @param num_words IN -- number of words
+ * @return the sign of left - right
+ */
+cmpresult_t uECC_vli_cmp(const uECC_word_t *left, const uECC_word_t *right,
+ wordcount_t num_words);
+
+/*
+ * @brief computes sign of left - right, not in constant time.
+ * @note should not be used if inputs are part of a secret
+ * @param left IN -- left term to be compared
+ * @param right IN -- right term to be compared
+ * @param num_words IN -- number of words
+ * @return the sign of left - right
+ */
+cmpresult_t uECC_vli_cmp_unsafe(const uECC_word_t *left, const uECC_word_t *right,
+ wordcount_t num_words);
+
+/*
+ * @brief Computes result = (left - right) % mod.
+ * @note Assumes that (left < mod) and (right < mod), and that result does not
+ * overlap mod.
+ * @param result OUT -- (left - right) % mod
+ * @param left IN -- leftright term in modular subtraction
+ * @param right IN -- right term in modular subtraction
+ * @param mod IN -- mod
+ * @param num_words IN -- number of words
+ */
+void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, const uECC_word_t *mod,
+ wordcount_t num_words);
+
+/*
+ * @brief Computes P' = (x1', y1', Z3), P + Q = (x3, y3, Z3) or
+ * P => P', Q => P + Q
+ * @note assumes Input P = (x1, y1, Z), Q = (x2, y2, Z)
+ * @param X1 IN -- x coordinate of P
+ * @param Y1 IN -- y coordinate of P
+ * @param X2 IN -- x coordinate of Q
+ * @param Y2 IN -- y coordinate of Q
+ * @param curve IN -- elliptic curve
+ */
+void XYcZ_add(uECC_word_t * X1, uECC_word_t * Y1, uECC_word_t * X2,
+ uECC_word_t * Y2, uECC_Curve curve);
+
+/*
+ * @brief Computes (x1 * z^2, y1 * z^3)
+ * @param X1 IN -- previous x1 coordinate
+ * @param Y1 IN -- previous y1 coordinate
+ * @param Z IN -- z value
+ * @param curve IN -- elliptic curve
+ */
+void apply_z(uECC_word_t * X1, uECC_word_t * Y1, const uECC_word_t * const Z,
+ uECC_Curve curve);
+
+/*
+ * @brief Check if bit is set.
+ * @return Returns nonzero if bit 'bit' of vli is set.
+ * @warning It is assumed that the value provided in 'bit' is within the
+ * boundaries of the word-array 'vli'.
+ * @note The bit ordering layout assumed for vli is: {31, 30, ..., 0},
+ * {63, 62, ..., 32}, {95, 94, ..., 64}, {127, 126,..., 96} for a vli consisting
+ * of 4 uECC_word_t elements.
+ */
+uECC_word_t uECC_vli_testBit(const uECC_word_t *vli, bitcount_t bit);
+
+/*
+ * @brief Computes result = product % mod, where product is 2N words long.
+ * @param result OUT -- product % mod
+ * @param mod IN -- module
+ * @param num_words IN -- number of words
+ * @warning Currently only designed to work for curve_p or curve_n.
+ */
+void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product,
+ const uECC_word_t *mod, wordcount_t num_words);
+
+/*
+ * @brief Computes modular product (using curve->mmod_fast)
+ * @param result OUT -- (left * right) mod % curve_p
+ * @param left IN -- left term in product
+ * @param right IN -- right term in product
+ * @param curve IN -- elliptic curve
+ */
+void uECC_vli_modMult_fast(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, uECC_Curve curve);
+
+/*
+ * @brief Computes result = left - right.
* @note Can modify in place.
+ * @param result OUT -- left - right
+ * @param left IN -- left term in subtraction
+ * @param right IN -- right term in subtraction
+ * @param num_words IN -- number of words
+ * @return borrow
*/
-uint32_t vli_sub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
- uint32_t word_size);
+uECC_word_t uECC_vli_sub(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, wordcount_t num_words);
/*
- * @brief Conditional set: sets either 'p_true' or 'p_false' to 'output',
- * depending on the value of 'cond'.
- *
- * @param output OUT -- result buffer after setting either p_true or p_false.
- * @param p_true IN -- buffer to be used if cond is true.
- * @param p_false IN -- buffer to be used if cond is false.
- * @param cond IN -- boolean value that will determine which value will be set
- * to output.
+ * @brief Constant-time comparison function(secure way to compare long ints)
+ * @param left IN -- left term in comparison
+ * @param right IN -- right term in comparison
+ * @param num_words IN -- number of words
+ * @return Returns 0 if left == right, 1 otherwise.
*/
-void vli_cond_set(uint32_t *output, uint32_t *p_true, uint32_t *p_false,
- uint32_t cond);
+uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right,
+ wordcount_t num_words);
/*
- * @brief Computes p_result = (p_left + p_right) % p_mod.
- *
- * @param p_result OUT -- result buffer.
- * @param p_left IN -- buffer p_left in (p_left + p_right) % p_mod.
- * @param p_right IN -- buffer p_right in (p_left + p_right) % p_mod.
- * @param p_mod IN -- module.
- *
- * @note Assumes that p_left < p_mod and p_right < p_mod, p_result != p_mod.
- * @note Side-channel countermeasure: algorithm strengthened against timing
- * attack.
+ * @brief Computes (left * right) % mod
+ * @param result OUT -- (left * right) % mod
+ * @param left IN -- left term in product
+ * @param right IN -- right term in product
+ * @param mod IN -- mod
+ * @param num_words IN -- number of words
*/
-void vli_modAdd(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
- uint32_t *p_mod);
+void uECC_vli_modMult(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, const uECC_word_t *mod,
+ wordcount_t num_words);
/*
- * @brief Computes p_result = (p_left - p_right) % p_mod.
- *
- * @param p_result OUT -- result buffer.
- * @param p_left IN -- buffer p_left in (p_left - p_right) % p_mod.
- * @param p_right IN -- buffer p_right in (p_left - p_right) % p_mod.
- * @param p_mod IN -- module.
- *
- * @note Assumes that p_left < p_mod and p_right < p_mod, p_result != p_mod.
- * @note Side-channel countermeasure: algorithm strengthened against timing
- * attack.
+ * @brief Computes (1 / input) % mod
+ * @note All VLIs are the same size.
+ * @note See "Euclid's GCD to Montgomery Multiplication to the Great Divide"
+ * @param result OUT -- (1 / input) % mod
+ * @param input IN -- value to be modular inverted
+ * @param mod IN -- mod
+ * @param num_words -- number of words
*/
-void vli_modSub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
- uint32_t *p_mod);
+void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input,
+ const uECC_word_t *mod, wordcount_t num_words);
/*
- * @brief Computes p_result = (p_left * p_right) % curve_p.
- *
- * @param p_result OUT -- result buffer.
- * @param p_left IN -- buffer p_left in (p_left * p_right) % curve_p.
- * @param p_right IN -- buffer p_right in (p_left * p_right) % curve_p.
+ * @brief Sets dest = src.
+ * @param dest OUT -- destination buffer
+ * @param src IN -- origin buffer
+ * @param num_words IN -- number of words
*/
-void vli_modMult_fast(uint32_t *p_result, uint32_t *p_left,
- uint32_t *p_right);
+void uECC_vli_set(uECC_word_t *dest, const uECC_word_t *src,
+ wordcount_t num_words);
/*
- * @brief Computes p_result = p_left^2 % curve_p.
- *
- * @param p_result OUT -- result buffer.
- * @param p_left IN -- buffer p_left in (p_left^2 % curve_p).
+ * @brief Computes (left + right) % mod.
+ * @note Assumes that (left < mod) and right < mod), and that result does not
+ * overlap mod.
+ * @param result OUT -- (left + right) % mod.
+ * @param left IN -- left term in addition
+ * @param right IN -- right term in addition
+ * @param mod IN -- mod
+ * @param num_words IN -- number of words
*/
-void vli_modSquare_fast(uint32_t *p_result, uint32_t *p_left);
+void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, const uECC_word_t *mod,
+ wordcount_t num_words);
/*
- * @brief Computes p_result = (p_left * p_right) % p_mod.
- *
- * @param p_result OUT -- result buffer.
- * @param p_left IN -- buffer p_left in (p_left * p_right) % p_mod.
- * @param p_right IN -- buffer p_right in (p_left * p_right) % p_mod.
- * @param p_mod IN -- module.
- * @param p_barrett IN -- used for Barrett reduction.
- * @note Side-channel countermeasure: algorithm strengthened against timing
- * attack.
+ * @brief Counts the number of bits required to represent vli.
+ * @param vli IN -- very long integer
+ * @param max_words IN -- number of words
+ * @return number of bits in given vli
*/
-void vli_modMult(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
- uint32_t *p_mod, uint32_t *p_barrett);
+bitcount_t uECC_vli_numBits(const uECC_word_t *vli,
+ const wordcount_t max_words);
/*
- * @brief Computes modular inversion: (1/p_intput) % p_mod.
- *
- * @param p_result OUT -- result buffer.
- * @param p_input IN -- buffer p_input in (1/p_intput) % p_mod.
- * @param p_mod IN -- module.
- * @param p_barrett IN -- used for Barrett reduction.
- * @note Side-channel countermeasure: algorithm strengthened against timing
- * attack.
+ * @brief Erases (set to 0) vli
+ * @param vli IN -- very long integer
+ * @param num_words IN -- number of words
*/
-void vli_modInv(uint32_t *p_result, uint32_t *p_input,
- uint32_t *p_mod, uint32_t *p_barrett);
+void uECC_vli_clear(uECC_word_t *vli, wordcount_t num_words);
/*
- * @brief modular reduction based on Barrett's method
- * @param p_result OUT -- p_product % p_mod.
- * @param p_product IN -- buffer p_product in (p_product % p_mod).
- * @param p_mod IN -- buffer p_mod in (p_product % p_mod).
- * @param p_barrett -- used for Barrett reduction.
- * @note Side-channel countermeasure: algorithm strengthened against timing
- * attack.
+ * @brief check if it is a valid point in the curve
+ * @param point IN -- point to be checked
+ * @param curve IN -- elliptic curve
+ * @return 0 if point is valid
+ * @exception returns -1 if it is a point at infinity
+ * @exception returns -2 if x or y is smaller than p,
+ * @exception returns -3 if y^2 != x^3 + ax + b.
*/
-void vli_mmod_barrett(
- uint32_t *p_result,
- uint32_t *p_product,
- uint32_t *p_mod,
- uint32_t *p_barrett);
+int uECC_valid_point(const uECC_word_t *point, uECC_Curve curve);
/*
- * @brief Check if a point is zero.
- * @return Returns 1 if p_point is the point at infinity, 0 otherwise.
+ * @brief Check if a public key is valid.
+ * @param public_key IN -- The public key to be checked.
+ * @return returns 0 if the public key is valid
+ * @exception returns -1 if it is a point at infinity
+ * @exception returns -2 if x or y is smaller than p,
+ * @exception returns -3 if y^2 != x^3 + ax + b.
+ * @exception returns -4 if public key is the group generator.
*
- * @param p_point IN -- point to be checked.
+ * @note Note that you are not required to check for a valid public key before
+ * using any other uECC functions. However, you may wish to avoid spending CPU
+ * time computing a shared secret or verifying a signature using an invalid
+ * public key.
*/
-uint32_t EccPoint_isZero(EccPoint *p_point);
+int uECC_valid_public_key(const uint8_t *public_key, uECC_Curve curve);
+
+ /*
+ * @brief Converts an integer in uECC native format to big-endian bytes.
+ * @param bytes OUT -- bytes representation
+ * @param num_bytes IN -- number of bytes
+ * @param native IN -- uECC native representation
+ */
+void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes,
+ const unsigned int *native);
/*
- * @brief Check if point in Jacobi coordinates is zero.
- * @return Returns 1 if p_point_jacobi is the point at infinity, 0 otherwise.
- *
- * @param p_point IN -- point to be checked.
+ * @brief Converts big-endian bytes to an integer in uECC native format.
+ * @param native OUT -- uECC native representation
+ * @param bytes IN -- bytes representation
+ * @param num_bytes IN -- number of bytes
*/
-uint32_t EccPointJacobi_isZero(EccPointJacobi *p_point_jacobi);
-
-/*
- * @brief Conversion from Jacobi coordinates to Affine coordinates.
- *
- * @param p_point OUT -- point in Affine coordinates.
- * @param p_point_jacobi OUT -- point in Jacobi coordinates.
- */
-void EccPoint_toAffine(EccPoint *p_point, EccPointJacobi *p_point_jacobi);
-
-/*
- * @brief Elliptic curve point addition in Jacobi coordinates: P1 = P1 + P2.
- *
- * @param P1 IN/OUT -- P1 in P1 = P1 + P2.
- * @param P2 IN -- P2 in P1 = P1 + P2.
- */
-void EccPoint_add(EccPointJacobi *P1, EccPointJacobi *P2);
-
-/*
- * @brief Elliptic curve scalar multiplication with result in Jacobi coordinates
- *
- * @param p_result OUT -- Product of p_point by p_scalar.
- * @param p_point IN -- Elliptic curve point
- * @param p_scalar IN -- Scalar integer
- * @note Side-channel countermeasure: algorithm strengthened against timing
- * attack.
- */
-void EccPoint_mult_safe(EccPointJacobi *p_result, EccPoint *p_point,
- uint32_t *p_scalar);
-
-/*
- * @brief Fast elliptic curve scalar multiplication with result in Jacobi
- * coordinates
- * @note non constant time
- * @param p_result OUT -- Product of p_point by p_scalar.
- * @param p_point IN -- Elliptic curve point
- * @param p_scalar IN -- Scalar integer
- * @note algorithm NOT strengthened against timing attack.
- */
-void EccPoint_mult_unsafe(
- EccPointJacobi *p_result,
- EccPoint *p_point,
- uint32_t *p_scalar);
-
-/*
- * @brief Convert an integer in standard octet representation to native format.
- * @return returns TC_CRYPTO_SUCCESS (1)
- * returns TC_CRYPTO_FAIL (0) if:
- * out == NULL or
- * c == NULL or
- * ((plen > 0) and (payload == NULL)) or
- * ((alen > 0) and (associated_data == NULL)) or
- * (alen >= TC_CCM_AAD_MAX_BYTES) or
- * (plen >= TC_CCM_PAYLOAD_MAX_BYTES)
- *
- * @param p_native OUT -- will be filled in with the native integer value.
- * @param p_bytes IN -- standard octet representation of the integer to convert.
- *
- */
-void ecc_bytes2native(uint32_t p_native[NUM_ECC_DIGITS],
- uint8_t p_bytes[NUM_ECC_DIGITS*4]);
-
-
-/*
- * @brief Convert an integer in native format to standard octet representation.
- * @return returns TC_CRYPTO_SUCCESS (1)
- * returns TC_CRYPTO_FAIL (0) if:
- * out == NULL or
- * c == NULL or
- * ((plen > 0) and (payload == NULL)) or
- * ((alen > 0) and (associated_data == NULL)) or
- * (alen >= TC_CCM_AAD_MAX_BYTES) or
- * (plen >= TC_CCM_PAYLOAD_MAX_BYTES)
- *
- * @param p_bytes OUT -- will be filled in with the standard octet
- * representation of the integer.
- * @param p_native IN -- native integer value to convert.
- *
- */
-void ecc_native2bytes(uint8_t p_bytes[NUM_ECC_DIGITS*4],
- uint32_t p_native[NUM_ECC_DIGITS]);
+void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes,
+ int num_bytes);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_UECC_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/ecc_dh.h b/ext/tinycrypt/lib/include/tinycrypt/ecc_dh.h
index 778fee2..b828e19 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/ecc_dh.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/ecc_dh.h
@@ -1,10 +1,8 @@
/* ecc_dh.h - TinyCrypt interface to EC-DH implementation */
/*
- * =============================================================================
- * Copyright (c) 2013, Kenneth MacKay
+ * Copyright (c) 2014, Kenneth MacKay
* All rights reserved.
- * https://github.com/kmackay/micro-ecc
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -27,9 +25,9 @@
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
- *
- * =============================================================================
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ */
+
+/* Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -66,7 +64,6 @@
* uses curve NIST p-256.
*
* Security: The curve NIST p-256 provides approximately 128 bits of security.
- *
*/
#ifndef __TC_ECC_DH_H__
@@ -80,63 +77,55 @@
/**
* @brief Create a public/private key pair.
- * @return returns TC_CRYPTO_SUCCESS (1) if key pair was generated successfully
- * returns TC_CRYPTO_FAIL (0) if:
- * the private key is 0
+ * @return returns TC_CRYPTO_SUCCESS (1) if the key pair was generated successfully
+ * returns TC_CRYPTO_FAIL (0) if error while generating key pair
*
- * @param p_publicKey OUT -- the point representing the public key.
- * @param p_privateKey OUT -- the private key.
- * @param p_random IN -- The random number to use to generate the key pair.
- *
- * @note You must use a new non-predictable random number to generate each
- * new key pair.
- * @note p_random must have NUM_ECC_DIGITS*2 bits of entropy to eliminate
- * bias in keys.
+ * @param p_public_key OUT -- Will be filled in with the public key. Must be at
+ * least 2 * the curve size (in bytes) long. For curve secp256r1, p_public_key
+ * must be 64 bytes long.
+ * @param p_private_key OUT -- Will be filled in with the private key. Must be as
+ * long as the curve order (for secp256r1, p_private_key must be 32 bytes long).
*
* @note side-channel countermeasure: algorithm strengthened against timing
* attack.
+ * @warning A cryptographically-secure PRNG function must be set (using
+ * uECC_set_rng()) before calling uECC_make_key().
*/
-int32_t ecc_make_key(EccPoint *p_publicKey,
- uint32_t p_privateKey[NUM_ECC_DIGITS],
- uint32_t p_random[2 * NUM_ECC_DIGITS]);
+int uECC_make_key(uint8_t *p_public_key, uint8_t *p_private_key, uECC_Curve curve);
+
+#ifdef ENABLE_TESTS
/**
- * @brief Determine whether or not a given point is on the chosen elliptic curve
- * (ie, is a valid public key).
- * @return returns 0 if the given point is valid
- * returns -1 if: the point is zero
- * returns -2 if: curve_p - p_publicKey->x != 1 or
- * curve_p - p_publicKey->y != 1
- * returns -3 if: y^2 != x^3 + ax + b
- * returns -4 if: public key is the group generator
+ * @brief Create a public/private key pair given a specific d.
*
- * @param p_publicKey IN -- The point to be checked.
+ * @note THIS FUNCTION SHOULD BE CALLED ONLY FOR TEST PURPOSES. Refer to
+ * uECC_make_key() function for real applications.
*/
-int32_t ecc_valid_public_key(EccPoint *p_publicKey);
+int uECC_make_key_with_d(uint8_t *p_public_key, uint8_t *p_private_key,
+ unsigned int *d, uECC_Curve curve);
+#endif
/**
* @brief Compute a shared secret given your secret key and someone else's
* public key.
- * @return returns TC_CRYPTO_SUCCESS (1) if the secret was computed successfully
+ * @return returns TC_CRYPTO_SUCCESS (1) if the shared secret was computed successfully
* returns TC_CRYPTO_FAIL (0) otherwise
*
- * @param p_secret OUT -- The shared secret value.
- * @param p_publicKey IN -- The public key of the remote party.
- * @param p_privateKey IN -- Your private key.
+ * @param p_secret OUT -- Will be filled in with the shared secret value. Must be
+ * the same size as the curve size (for curve secp256r1, secret must be 32 bytes
+ * long.
+ * @param p_public_key IN -- The public key of the remote party.
+ * @param p_private_key IN -- Your private key.
*
- * @note Optionally, you can provide a random multiplier for resistance to DPA
- * attacks. The random multiplier should probably be different for each
- * invocation of ecdh_shared_secret().
- *
- * @warning It is recommended to use the output of ecdh_shared_secret() as the
+ * @warning It is recommended to use the output of uECC_shared_secret() as the
* input of a recommended Key Derivation Function (see NIST SP 800-108) in
- * order to produce a symmetric key.
+ * order to produce a cryptographically secure symmetric key.
*/
-int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS], EccPoint *p_publicKey,
- uint32_t p_privateKey[NUM_ECC_DIGITS]);
+int uECC_shared_secret(const uint8_t *p_public_key, const uint8_t *p_private_key,
+ uint8_t *p_secret, uECC_Curve curve);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_ECC_DH_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/ecc_dsa.h b/ext/tinycrypt/lib/include/tinycrypt/ecc_dsa.h
index a037fa5..aca00bc 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/ecc_dsa.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/ecc_dsa.h
@@ -1,10 +1,8 @@
/* ecc_dh.h - TinyCrypt interface to EC-DSA implementation */
/*
- * =============================================================================
- * Copyright (c) 2013, Kenneth MacKay
+ * Copyright (c) 2014, Kenneth MacKay
* All rights reserved.
- * https://github.com/kmackay/micro-ecc
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -27,9 +25,10 @@
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
- *
- * =============================================================================
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ */
+
+/*
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -87,49 +86,54 @@
/**
* @brief Generate an ECDSA signature for a given hash value.
- * @return returns TC_CRYPTO_SUCCESS (1) if the the signature generated successfully
- * returns TC_CRYPTO_FAIL (0) if:
- * r == 0 or
- * p_random == 0
+ * @return returns TC_CRYPTO_SUCCESS (1) if the signature generated successfully
+ * returns TC_CRYPTO_FAIL (0) if an error occurred.
*
- * @param r OUT -- to be filled with the signature values.
- * @param s OUT -- to be filled with the signature values.
- * @param p_privateKey IN -- Your private key.
- * @param p_random IN -- The random number to use in generating ephemeral DSA
- * keys.
- * @param p_hash IN -- The message hash to sign.
+ * @param p_private_key IN -- Your private key.
+ * @param p_message_hash IN -- The hash of the message to sign.
+ * @param p_hash_size IN -- The size of p_message_hash in bytes.
+ * @param p_signature OUT -- Will be filled in with the signature value. Must be
+ * at least 2 * curve size long (for secp256r1, signature must be 64 bytes long).
*
- * @note p_random must have NUM_ECC_DIGITS*2 bits of entropy to eliminate
- * bias in keys.
- *
+ * @warning A cryptographically-secure PRNG function must be set (using
+ * uECC_set_rng()) before calling uECC_sign().
+ * @note Usage: Compute a hash of the data you wish to sign (SHA-2 is
+ * recommended) and pass it in to this function along with your private key.
* @note side-channel countermeasure: algorithm strengthened against timing
* attack.
*/
-int32_t ecdsa_sign(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS],
- uint32_t p_privateKey[NUM_ECC_DIGITS], uint32_t p_random[NUM_ECC_DIGITS * 2],
- uint32_t p_hash[NUM_ECC_DIGITS]);
+int uECC_sign(const uint8_t *p_private_key, const uint8_t *p_message_hash,
+ unsigned p_hash_size, uint8_t *p_signature, uECC_Curve curve);
+#ifdef ENABLE_TESTS
+/*
+ * THIS FUNCTION SHOULD BE CALLED FOR TEST PURPOSES ONLY.
+ * Refer to uECC_sign() function for real applications.
+ */
+int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash,
+ unsigned int hash_size, uECC_word_t *k, uint8_t *signature,
+ uECC_Curve curve);
+#endif
/**
* @brief Verify an ECDSA signature.
- * @return returns TC_CRYPTO_SUCCESS (1) if the the signature generated successfully
- * returns TC_CRYPTO_FAIL (0) if:
- * r == 0 or
- * p_random == 0
+ * @return returns TC_SUCCESS (1) if the signature is valid
+ * returns TC_FAIL (0) if the signature is invalid.
*
- * @param p_publicKey IN -- The signer's public key.
- * @param p_hash IN -- The hash of the signed data.
- * @param r IN -- The signature values.
- * @param s IN -- The signature values.
+ * @param p_public_key IN -- The signer's public key.
+ * @param p_message_hash IN -- The hash of the signed data.
+ * @param p_hash_size IN -- The size of p_message_hash in bytes.
+ * @param p_signature IN -- The signature values.
*
- * @note side-channel countermeasure: algorithm strengthened against timing
- * attack.
+ * @note Usage: Compute the hash of the signed data using the same hash as the
+ * signer and pass it to this function along with the signer's public key and
+ * the signature values (hash_size and signature).
*/
-int32_t ecdsa_verify(EccPoint *p_publicKey, uint32_t p_hash[NUM_ECC_DIGITS],
- uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS]);
+int uECC_verify(const uint8_t *p_public_key, const uint8_t *p_message_hash,
+ unsigned int p_hash_size, const uint8_t *p_signature, uECC_Curve curve);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_ECC_DSA_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h b/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h
new file mode 100644
index 0000000..e2c8823
--- /dev/null
+++ b/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h
@@ -0,0 +1,81 @@
+/* uECC_platform_specific.h - Interface to platform specific functions*/
+
+/* Copyright (c) 2014, Kenneth MacKay
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.*/
+
+/*
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of Intel Corporation nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * uECC_platform_specific.h -- Interface to platform specific functions
+ */
+
+#ifndef __UECC_PLATFORM_SPECIFIC_H_
+#define __UECC_PLATFORM_SPECIFIC_H_
+
+/*
+ * The RNG function should fill 'size' random bytes into 'dest'. It should
+ * return 1 if 'dest' was filled with random data, or 0 if the random data could
+ * not be generated. The filled-in values should be either truly random, or from
+ * a cryptographically-secure PRNG.
+ *
+ * A cryptographically-secure PRNG function must be set (using uECC_set_rng())
+ * before calling uECC_make_key() or uECC_sign().
+ *
+ * Setting a cryptographically-secure PRNG function improves the resistance to
+ * side-channel attacks for uECC_shared_secret().
+ *
+ * A correct PRNG function is set by default (default_RNG_defined = 1) and works
+ * for some platforms, such as Unix and Linux. For other platforms, you may need
+ * to provide another PRNG function.
+*/
+#define default_RNG_defined 1
+
+int default_CSPRNG(uint8_t *dest, unsigned int size);
+
+#endif /* __UECC_PLATFORM_SPECIFIC_H_ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/hmac.h b/ext/tinycrypt/lib/include/tinycrypt/hmac.h
index 26f6cfe..3a08149 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/hmac.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/hmac.h
@@ -1,7 +1,7 @@
/* hmac.h - TinyCrypt interface to an HMAC implementation */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -89,9 +89,8 @@
* @param key IN -- the HMAC key to configure
* @param key_size IN -- the HMAC key size
*/
-int32_t tc_hmac_set_key(TCHmacState_t ctx,
- const uint8_t *key,
- uint32_t key_size);
+int tc_hmac_set_key(TCHmacState_t ctx, const uint8_t *key,
+ unsigned int key_size);
/**
* @brief HMAC init procedure
@@ -100,7 +99,7 @@
* returns TC_CRYPTO_FAIL (0) if: ctx == NULL or key == NULL
* @param ctx IN/OUT -- struct tc_hmac_state_struct buffer to init
*/
-int32_t tc_hmac_init(TCHmacState_t ctx);
+int tc_hmac_init(TCHmacState_t ctx);
/**
* @brief HMAC update procedure
@@ -112,9 +111,8 @@
* @param data IN -- data to incorporate into state
* @param data_length IN -- size of data in bytes
*/
-int32_t tc_hmac_update(TCHmacState_t ctx,
- const void *data,
- uint32_t data_length);
+int tc_hmac_update(TCHmacState_t ctx, const void *data,
+ unsigned int data_length);
/**
* @brief HMAC final procedure
@@ -125,17 +123,17 @@
* ctx == NULL or
* key == NULL or
* taglen != TC_SHA256_DIGEST_SIZE
- * @note 'ctx' is erased before exiting (this must never be changed/removed).
+ * @note ctx is erased before exiting. This should never be changed/removed.
* @note Assumes the tag bufer is at least sizeof(hmac_tag_size(state)) bytes
* state has been initialized by tc_hmac_init
* @param tag IN/OUT -- buffer to receive computed HMAC tag
* @param taglen IN -- size of tag in bytes
* @param ctx IN/OUT -- the HMAC state for computing tag
*/
-int32_t tc_hmac_final(uint8_t *tag, uint32_t taglen, TCHmacState_t ctx);
+int tc_hmac_final(uint8_t *tag, unsigned int taglen, TCHmacState_t ctx);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /*__TC_HMAC_H__*/
diff --git a/ext/tinycrypt/lib/include/tinycrypt/hmac_prng.h b/ext/tinycrypt/lib/include/tinycrypt/hmac_prng.h
index b631c2c..ad12cbb 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/hmac_prng.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/hmac_prng.h
@@ -1,7 +1,7 @@
/* hmac_prng.h - TinyCrypt interface to an HMAC-PRNG implementation */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -85,7 +85,7 @@
/* PRNG state */
uint8_t v[TC_SHA256_DIGEST_SIZE];
/* calls to tc_hmac_prng_generate left before re-seed */
- uint32_t countdown;
+ unsigned int countdown;
};
typedef struct tc_hmac_prng_struct *TCHmacPrng_t;
@@ -112,15 +112,15 @@
* @param personalization IN -- personalization string
* @param plen IN -- personalization length in bytes
*/
-int32_t tc_hmac_prng_init(TCHmacPrng_t prng,
- const uint8_t *personalization,
- uint32_t plen);
+int tc_hmac_prng_init(TCHmacPrng_t prng,
+ const uint8_t *personalization,
+ unsigned int plen);
/**
* @brief HMAC-PRNG reseed procedure
* Mixes seed into prng, enables tc_hmac_prng_generate
* @return returns TC_CRYPTO_SUCCESS (1)
- * returns TC_CRYPTO_FAIL (0) if:
+ * returns TC_CRYPTO_FAIL (0) if:
* prng == NULL,
* seed == NULL,
* seedlen < MIN_SLEN,
@@ -136,16 +136,16 @@
* @param additional_input IN -- additional input to the prng
* @param additionallen IN -- additional input length in bytes
*/
-int32_t tc_hmac_prng_reseed(TCHmacPrng_t prng, const uint8_t *seed,
- uint32_t seedlen, const uint8_t *additional_input,
- uint32_t additionallen);
+int tc_hmac_prng_reseed(TCHmacPrng_t prng, const uint8_t *seed,
+ unsigned int seedlen, const uint8_t *additional_input,
+ unsigned int additionallen);
/**
* @brief HMAC-PRNG generate procedure
* Generates outlen pseudo-random bytes into out buffer, updates prng
* @return returns TC_CRYPTO_SUCCESS (1)
* returns TC_HMAC_PRNG_RESEED_REQ (-1) if a reseed is needed
- * returns TC_CRYPTO_FAIL (0) if:
+ * returns TC_CRYPTO_FAIL (0) if:
* out == NULL,
* prng == NULL,
* outlen == 0,
@@ -155,10 +155,10 @@
* @param outlen IN -- size of out buffer in bytes
* @param prng IN/OUT -- the PRNG state
*/
-int32_t tc_hmac_prng_generate(uint8_t *out, uint32_t outlen, TCHmacPrng_t prng);
+int tc_hmac_prng_generate(uint8_t *out, unsigned int outlen, TCHmacPrng_t prng);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_HMAC_PRNG_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/sha256.h b/ext/tinycrypt/lib/include/tinycrypt/sha256.h
index d1e1f61..af5e8ba 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/sha256.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/sha256.h
@@ -1,7 +1,7 @@
/* sha256.h - TinyCrypt interface to a SHA-256 implementation */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -69,7 +69,7 @@
#define TC_SHA256_STATE_BLOCKS (TC_SHA256_DIGEST_SIZE/4)
struct tc_sha256_state_struct {
- uint32_t iv[TC_SHA256_STATE_BLOCKS];
+ unsigned int iv[TC_SHA256_STATE_BLOCKS];
uint64_t bits_hashed;
uint8_t leftover[TC_SHA256_BLOCK_SIZE];
size_t leftover_offset;
@@ -84,7 +84,7 @@
* returns TC_CRYPTO_FAIL (0) if s == NULL
* @param s Sha256 state struct
*/
-int32_t tc_sha256_init(TCSha256State_t s);
+int tc_sha256_init(TCSha256State_t s);
/**
* @brief SHA256 update procedure
@@ -102,9 +102,7 @@
* @param data message to hash
* @param datalen length of message to hash
*/
-int32_t tc_sha256_update(TCSha256State_t s,
- const uint8_t *data,
- size_t datalen);
+int tc_sha256_update (TCSha256State_t s, const uint8_t *data, size_t datalen);
/**
* @brief SHA256 final procedure
@@ -122,10 +120,10 @@
* @param digest unsigned eight bit integer
* @param Sha256 state struct
*/
-int32_t tc_sha256_final(uint8_t *digest, TCSha256State_t s);
+int tc_sha256_final(uint8_t *digest, TCSha256State_t s);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_SHA256_H__ */
diff --git a/ext/tinycrypt/lib/include/tinycrypt/utils.h b/ext/tinycrypt/lib/include/tinycrypt/utils.h
index 429934e..bab5c32 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/utils.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/utils.h
@@ -1,7 +1,7 @@
/* utils.h - TinyCrypt interface to platform-dependent run-time operations */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -57,8 +57,8 @@
* @param from IN -- origin buffer
* @param from_len IN -- length of origin buffer
*/
-uint32_t _copy(uint8_t *to, uint32_t to_len,
- const uint8_t *from, uint32_t from_len);
+unsigned int _copy(uint8_t *to, unsigned int to_len,
+ const uint8_t *from, unsigned int from_len);
/**
* @brief Set the value 'val' into the buffer 'to', 'len' times.
@@ -67,7 +67,7 @@
* @param val IN -- value to be set in 'to'
* @param len IN -- number of times the value will be copied
*/
-void _set(void *to, uint8_t val, uint32_t len);
+void _set(void *to, uint8_t val, unsigned int len);
/*
* @brief AES specific doubling function, which utilizes
@@ -86,10 +86,10 @@
* @param b IN -- sequence of bytes b
* @param size IN -- size of sequences a and b
*/
-int32_t _compare(const uint8_t *a, const uint8_t *b, size_t size);
+int _compare(const uint8_t *a, const uint8_t *b, size_t size);
#ifdef __cplusplus
}
#endif
-#endif
+#endif /* __TC_UTILS_H__ */
diff --git a/ext/tinycrypt/lib/source/Makefile b/ext/tinycrypt/lib/source/Makefile
deleted file mode 100644
index b61b05c..0000000
--- a/ext/tinycrypt/lib/source/Makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-# Zephyr makefile.
-# subdir-ccflags-y += -I$(PROJECT)/ext/tinycrypt/lib/include
-
-obj-y += ecc.o ecc_dsa.o sha256.o utils.o
diff --git a/ext/tinycrypt/lib/source/Makefile.inc b/ext/tinycrypt/lib/source/Makefile.inc
deleted file mode 100644
index ebb101a..0000000
--- a/ext/tinycrypt/lib/source/Makefile.inc
+++ /dev/null
@@ -1,3 +0,0 @@
-# vim: ft=make
-
-subdir-ccflags-$(NEED_TINYCRYPT) += -I$(PROJECT)/ext/tinycrypt/lib/include
diff --git a/ext/tinycrypt/lib/source/aes_decrypt.c b/ext/tinycrypt/lib/source/aes_decrypt.c
index 2e4e3bc..993a618 100644
--- a/ext/tinycrypt/lib/source/aes_decrypt.c
+++ b/ext/tinycrypt/lib/source/aes_decrypt.c
@@ -1,7 +1,7 @@
/* aes_decrypt.c - TinyCrypt implementation of AES decryption procedure */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -34,8 +34,6 @@
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
-#define ZERO_BYTE 0x00
-
static const uint8_t inv_sbox[256] = {
0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e,
0x81, 0xf3, 0xd7, 0xfb, 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
@@ -61,7 +59,7 @@
0x55, 0x21, 0x0c, 0x7d
};
-int32_t tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k)
+int tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k)
{
return tc_aes128_set_encrypt_key(s, k);
}
@@ -91,7 +89,7 @@
(void)_copy(s, sizeof(t), t, sizeof(t));
}
-static inline void add_round_key(uint8_t *s, const uint32_t *k)
+static inline void add_round_key(uint8_t *s, const unsigned int *k)
{
s[0] ^= (uint8_t)(k[0] >> 24); s[1] ^= (uint8_t)(k[0] >> 16);
s[2] ^= (uint8_t)(k[0] >> 8); s[3] ^= (uint8_t)(k[0]);
@@ -105,7 +103,7 @@
static inline void inv_sub_bytes(uint8_t *s)
{
- uint32_t i;
+ unsigned int i;
for (i = 0; i < (Nb*Nk); ++i) {
s[i] = inv_sbox[s[i]];
@@ -128,10 +126,10 @@
(void)_copy(s, sizeof(t), t, sizeof(t));
}
-int32_t tc_aes_decrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s)
+int tc_aes_decrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s)
{
uint8_t state[Nk*Nb];
- uint32_t i;
+ unsigned int i;
if (out == (uint8_t *) 0) {
return TC_CRYPTO_FAIL;
@@ -145,7 +143,7 @@
add_round_key(state, s->words + Nb*Nr);
- for (i = Nr-1; i > 0; --i) {
+ for (i = Nr - 1; i > 0; --i) {
inv_shift_rows(state);
inv_sub_bytes(state);
add_round_key(state, s->words + Nb*i);
@@ -157,8 +155,10 @@
add_round_key(state, s->words);
(void)_copy(out, sizeof(state), state, sizeof(state));
- /*zeroing out one byte state buffer */
- _set(state, ZERO_BYTE, sizeof(state));
+
+ /*zeroing out the state buffer */
+ _set(state, TC_ZERO_BYTE, sizeof(state));
+
return TC_CRYPTO_SUCCESS;
}
diff --git a/ext/tinycrypt/lib/source/aes_encrypt.c b/ext/tinycrypt/lib/source/aes_encrypt.c
index 6bc73a5..8991aee 100644
--- a/ext/tinycrypt/lib/source/aes_encrypt.c
+++ b/ext/tinycrypt/lib/source/aes_encrypt.c
@@ -1,7 +1,7 @@
/* aes_encrypt.c - TinyCrypt implementation of AES encryption procedure */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -59,7 +59,7 @@
0xb0, 0x54, 0xbb, 0x16
};
-static inline uint32_t rotword(uint32_t a)
+static inline unsigned int rotword(unsigned int a)
{
return (((a) >> 24)|((a) << 8));
}
@@ -67,14 +67,14 @@
#define subbyte(a, o)(sbox[((a) >> (o))&0xff] << (o))
#define subword(a)(subbyte(a, 24)|subbyte(a, 16)|subbyte(a, 8)|subbyte(a, 0))
-int32_t tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k)
+int tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k)
{
- const uint32_t rconst[11] = {
- 0x00000000, 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
- 0x20000000, 0x40000000, 0x80000000, 0x1b000000, 0x36000000
+ const unsigned int rconst[11] = {
+ 0x00000000, 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
+ 0x20000000, 0x40000000, 0x80000000, 0x1b000000, 0x36000000
};
- uint32_t i;
- uint32_t t;
+ unsigned int i;
+ unsigned int t;
if (s == (TCAesKeySched_t) 0) {
return TC_CRYPTO_FAIL;
@@ -87,7 +87,7 @@
(k[Nb*i+2]<<8) | (k[Nb*i+3]);
}
- for (; i < (Nb*(Nr+1)); ++i) {
+ for (; i < (Nb * (Nr + 1)); ++i) {
t = s->words[i-1];
if ((i % Nk) == 0) {
t = subword(rotword(t)) ^ rconst[i/Nk];
@@ -98,7 +98,7 @@
return TC_CRYPTO_SUCCESS;
}
-static inline void add_round_key(uint8_t *s, const uint32_t *k)
+static inline void add_round_key(uint8_t *s, const unsigned int *k)
{
s[0] ^= (uint8_t)(k[0] >> 24); s[1] ^= (uint8_t)(k[0] >> 16);
s[2] ^= (uint8_t)(k[0] >> 8); s[3] ^= (uint8_t)(k[0]);
@@ -112,9 +112,9 @@
static inline void sub_bytes(uint8_t *s)
{
- uint32_t i;
+ unsigned int i;
- for (i = 0; i < (Nb*Nk); ++i) {
+ for (i = 0; i < (Nb * Nk); ++i) {
s[i] = sbox[s[i]];
}
}
@@ -135,8 +135,8 @@
mult_row_column(t, s);
mult_row_column(&t[Nb], s+Nb);
- mult_row_column(&t[2*Nb], s+(2*Nb));
- mult_row_column(&t[3*Nb], s+(3*Nb));
+ mult_row_column(&t[2 * Nb], s + (2 * Nb));
+ mult_row_column(&t[3 * Nb], s + (3 * Nb));
(void) _copy(s, sizeof(t), t, sizeof(t));
}
@@ -146,7 +146,7 @@
*/
static inline void shift_rows(uint8_t *s)
{
- uint8_t t[Nb*Nk];
+ uint8_t t[Nb * Nk];
t[0] = s[0]; t[1] = s[5]; t[2] = s[10]; t[3] = s[15];
t[4] = s[4]; t[5] = s[9]; t[6] = s[14]; t[7] = s[3];
@@ -155,10 +155,10 @@
(void) _copy(s, sizeof(t), t, sizeof(t));
}
-int32_t tc_aes_encrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s)
+int tc_aes_encrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s)
{
uint8_t state[Nk*Nb];
- uint32_t i;
+ unsigned int i;
if (out == (uint8_t *) 0) {
return TC_CRYPTO_FAIL;
@@ -171,7 +171,7 @@
(void)_copy(state, sizeof(state), in, sizeof(state));
add_round_key(state, s->words);
- for (i = 0; i < (Nr-1); ++i) {
+ for (i = 0; i < (Nr - 1); ++i) {
sub_bytes(state);
shift_rows(state);
mix_columns(state);
diff --git a/ext/tinycrypt/lib/source/cbc_mode.c b/ext/tinycrypt/lib/source/cbc_mode.c
index 8163e0d..62d7879 100644
--- a/ext/tinycrypt/lib/source/cbc_mode.c
+++ b/ext/tinycrypt/lib/source/cbc_mode.c
@@ -1,7 +1,7 @@
/* cbc_mode.c - TinyCrypt implementation of CBC mode encryption & decryption */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -34,13 +34,13 @@
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
-int32_t tc_cbc_mode_encrypt(uint8_t *out, uint32_t outlen, const uint8_t *in,
- uint32_t inlen, const uint8_t *iv,
+int tc_cbc_mode_encrypt(uint8_t *out, unsigned int outlen, const uint8_t *in,
+ unsigned int inlen, const uint8_t *iv,
const TCAesKeySched_t sched)
{
uint8_t buffer[TC_AES_BLOCK_SIZE];
- uint32_t n, m;
+ unsigned int n, m;
/* input sanity check: */
if (out == (uint8_t *) 0 ||
@@ -74,13 +74,14 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_cbc_mode_decrypt(uint8_t *out, uint32_t outlen, const uint8_t *in,
- uint32_t inlen, const uint8_t *iv,
+int tc_cbc_mode_decrypt(uint8_t *out, unsigned int outlen, const uint8_t *in,
+ unsigned int inlen, const uint8_t *iv,
const TCAesKeySched_t sched)
{
+
uint8_t buffer[TC_AES_BLOCK_SIZE];
const uint8_t *p;
- uint32_t n, m;
+ unsigned int n, m;
/* sanity check the inputs */
if (out == (uint8_t *) 0 ||
diff --git a/ext/tinycrypt/lib/source/ccm_mode.c b/ext/tinycrypt/lib/source/ccm_mode.c
index 7b6d485..929adac 100644
--- a/ext/tinycrypt/lib/source/ccm_mode.c
+++ b/ext/tinycrypt/lib/source/ccm_mode.c
@@ -1,7 +1,7 @@
/* ccm_mode.c - TinyCrypt implementation of CCM mode */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -36,8 +36,8 @@
#include <stdio.h>
-int32_t tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce,
- uint32_t nlen, uint32_t mlen)
+int tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce,
+ unsigned int nlen, unsigned int mlen)
{
/* input sanity check: */
@@ -61,11 +61,11 @@
/**
* Variation of CBC-MAC mode used in CCM.
*/
-static void ccm_cbc_mac(uint8_t *T, const uint8_t *data, uint32_t dlen,
- uint32_t flag, TCAesKeySched_t sched)
+static void ccm_cbc_mac(uint8_t *T, const uint8_t *data, unsigned int dlen,
+ unsigned int flag, TCAesKeySched_t sched)
{
- uint32_t i;
+ unsigned int i;
if (flag > 0) {
T[0] ^= (uint8_t)(dlen >> 8);
@@ -90,14 +90,14 @@
* encryption). Besides, it is assumed that the counter is stored in the last
* 2 bytes of the nonce.
*/
-static int32_t ccm_ctr_mode(uint8_t *out, uint32_t outlen, const uint8_t *in,
- uint32_t inlen, uint8_t *ctr, const TCAesKeySched_t sched)
+static int ccm_ctr_mode(uint8_t *out, unsigned int outlen, const uint8_t *in,
+ unsigned int inlen, uint8_t *ctr, const TCAesKeySched_t sched)
{
uint8_t buffer[TC_AES_BLOCK_SIZE];
uint8_t nonce[TC_AES_BLOCK_SIZE];
uint16_t block_num;
- uint32_t i;
+ unsigned int i;
/* input sanity check: */
if (out == (uint8_t *) 0 ||
@@ -134,23 +134,26 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_ccm_generation_encryption(uint8_t *out, const uint8_t *associated_data,
- uint32_t alen, const uint8_t *payload,
- uint32_t plen, TCCcmMode_t c)
+int tc_ccm_generation_encryption(uint8_t *out, unsigned int olen,
+ const uint8_t *associated_data,
+ unsigned int alen, const uint8_t *payload,
+ unsigned int plen, TCCcmMode_t c)
{
+
/* input sanity check: */
if ((out == (uint8_t *) 0) ||
- (c == (TCCcmMode_t) 0) ||
- ((plen > 0) && (payload == (uint8_t *) 0)) ||
- ((alen > 0) && (associated_data == (uint8_t *) 0)) ||
- (alen >= TC_CCM_AAD_MAX_BYTES) || /* associated data size unsupported */
- (plen >= TC_CCM_PAYLOAD_MAX_BYTES)) { /* payload size unsupported */
+ (c == (TCCcmMode_t) 0) ||
+ ((plen > 0) && (payload == (uint8_t *) 0)) ||
+ ((alen > 0) && (associated_data == (uint8_t *) 0)) ||
+ (alen >= TC_CCM_AAD_MAX_BYTES) || /* associated data size unsupported */
+ (plen >= TC_CCM_PAYLOAD_MAX_BYTES) || /* payload size unsupported */
+ (olen < (plen + c->mlen))) { /* invalid output buffer size */
return TC_CRYPTO_FAIL;
}
uint8_t b[Nb * Nk];
uint8_t tag[Nb * Nk];
- uint32_t i;
+ unsigned int i;
/* GENERATING THE AUTHENTICATION TAG: */
@@ -192,23 +195,26 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_ccm_decryption_verification(uint8_t *out, const uint8_t *associated_data,
- uint32_t alen, const uint8_t *payload,
- uint32_t plen, TCCcmMode_t c)
-{
+int tc_ccm_decryption_verification(uint8_t *out, unsigned int olen,
+ const uint8_t *associated_data,
+ unsigned int alen, const uint8_t *payload,
+ unsigned int plen, TCCcmMode_t c)
+{
+
/* input sanity check: */
- if ((out == (uint8_t *) 0) ||
+ if ((out == (uint8_t *) 0) ||
(c == (TCCcmMode_t) 0) ||
((plen > 0) && (payload == (uint8_t *) 0)) ||
((alen > 0) && (associated_data == (uint8_t *) 0)) ||
(alen >= TC_CCM_AAD_MAX_BYTES) || /* associated data size unsupported */
- (plen >= TC_CCM_PAYLOAD_MAX_BYTES)) { /* payload size unsupported */
+ (plen >= TC_CCM_PAYLOAD_MAX_BYTES) || /* payload size unsupported */
+ (olen < plen - c->mlen)) { /* invalid output buffer size */
return TC_CRYPTO_FAIL;
- }
+ }
uint8_t b[Nb * Nk];
uint8_t tag[Nb * Nk];
- uint32_t i;
+ unsigned int i;
/* DECRYPTION: */
@@ -250,11 +256,11 @@
}
/* comparing the received tag and the computed one: */
- if (_compare(b, tag, c->mlen) != 0) {
+ if (_compare(b, tag, c->mlen) == 0) {
+ return TC_CRYPTO_SUCCESS;
+ } else {
/* erase the decrypted buffer in case of mac validation failure: */
- _set(out, 0, sizeof(*out));
+ _set(out, 0, plen - c->mlen);
return TC_CRYPTO_FAIL;
}
-
- return TC_CRYPTO_SUCCESS;
}
diff --git a/ext/tinycrypt/lib/source/cmac_mode.c b/ext/tinycrypt/lib/source/cmac_mode.c
index 3b31c3e..96d147e 100644
--- a/ext/tinycrypt/lib/source/cmac_mode.c
+++ b/ext/tinycrypt/lib/source/cmac_mode.c
@@ -1,7 +1,7 @@
/* cmac_mode.c - TinyCrypt CMAC mode implementation */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -36,7 +36,7 @@
#include <tinycrypt/utils.h>
/* max number of calls until change the key (2^48).*/
-static uint64_t MAX_CALLS = ((uint64_t)1 << 48);
+const static uint64_t MAX_CALLS = ((uint64_t)1 << 48);
/*
* gf_wrap -- In our implementation, GF(2^128) is represented as a 16 byte
@@ -94,7 +94,7 @@
}
}
-int32_t tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched)
+int tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched)
{
/* input sanity check: */
@@ -122,7 +122,7 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_cmac_erase(TCCmacState_t s)
+int tc_cmac_erase(TCCmacState_t s)
{
if (s == (TCCmacState_t) 0) {
return TC_CRYPTO_FAIL;
@@ -134,7 +134,7 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_cmac_init(TCCmacState_t s)
+int tc_cmac_init(TCCmacState_t s)
{
/* input sanity check: */
if (s == (TCCmacState_t) 0) {
@@ -154,9 +154,9 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length)
+int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length)
{
- uint32_t i;
+ unsigned int i;
/* input sanity check: */
if (s == (TCCmacState_t) 0) {
@@ -219,10 +219,10 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_cmac_final(uint8_t *tag, TCCmacState_t s)
+int tc_cmac_final(uint8_t *tag, TCCmacState_t s)
{
uint8_t *k;
- uint32_t i;
+ unsigned int i;
/* input sanity check: */
if (tag == (uint8_t *) 0 ||
diff --git a/ext/tinycrypt/lib/source/ctr_mode.c b/ext/tinycrypt/lib/source/ctr_mode.c
index 7ba53d0..1dfb92d 100644
--- a/ext/tinycrypt/lib/source/ctr_mode.c
+++ b/ext/tinycrypt/lib/source/ctr_mode.c
@@ -1,7 +1,7 @@
/* ctr_mode.c - TinyCrypt CTR mode implementation */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -34,14 +34,14 @@
#include <tinycrypt/ctr_mode.h>
#include <tinycrypt/utils.h>
-int32_t tc_ctr_mode(uint8_t *out, uint32_t outlen, const uint8_t *in,
- uint32_t inlen, uint8_t *ctr, const TCAesKeySched_t sched)
+int tc_ctr_mode(uint8_t *out, unsigned int outlen, const uint8_t *in,
+ unsigned int inlen, uint8_t *ctr, const TCAesKeySched_t sched)
{
uint8_t buffer[TC_AES_BLOCK_SIZE];
uint8_t nonce[TC_AES_BLOCK_SIZE];
- uint32_t block_num;
- uint32_t i;
+ unsigned int block_num;
+ unsigned int i;
/* input sanity check: */
if (out == (uint8_t *) 0 ||
diff --git a/ext/tinycrypt/lib/source/ctr_prng.c b/ext/tinycrypt/lib/source/ctr_prng.c
index bac81d8..cac2cc4 100644
--- a/ext/tinycrypt/lib/source/ctr_prng.c
+++ b/ext/tinycrypt/lib/source/ctr_prng.c
@@ -50,15 +50,12 @@
* @param arr IN/OUT -- array to be incremented
* @param len IN -- size of arr in bytes
*/
-static void arrInc(uint8_t arr[], uint32_t len)
+static void arrInc(uint8_t arr[], unsigned int len)
{
- uint32_t i;
- if (0 != arr)
- {
- for (i = len; i > 0U; i--)
- {
- if (++arr[i-1] != 0U)
- {
+ unsigned int i;
+ if (0 != arr) {
+ for (i = len; i > 0U; i--) {
+ if (++arr[i-1] != 0U) {
break;
}
}
@@ -76,24 +73,21 @@
*/
static void tc_ctr_prng_update(TCCtrPrng_t * const ctx, uint8_t const * const providedData)
{
- if (0 != ctx)
- {
+ if (0 != ctx) {
/* 10.2.1.2 step 1 */
uint8_t temp[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE];
- uint32_t len = 0U;
+ unsigned int len = 0U;
/* 10.2.1.2 step 2 */
- while (len < sizeof temp)
- {
- uint32_t blocklen = sizeof(temp) - len;
+ while (len < sizeof temp) {
+ unsigned int blocklen = sizeof(temp) - len;
uint8_t output_block[TC_AES_BLOCK_SIZE];
/* 10.2.1.2 step 2.1 */
arrInc(ctx->V, sizeof ctx->V);
/* 10.2.1.2 step 2.2 */
- if (blocklen > TC_AES_BLOCK_SIZE)
- {
+ if (blocklen > TC_AES_BLOCK_SIZE) {
blocklen = TC_AES_BLOCK_SIZE;
}
(void)tc_aes_encrypt(output_block, ctx->V, &ctx->key);
@@ -105,11 +99,9 @@
}
/* 10.2.1.2 step 4 */
- if (0 != providedData)
- {
- uint32_t i;
- for (i = 0U; i < sizeof temp; i++)
- {
+ if (0 != providedData) {
+ unsigned int i;
+ for (i = 0U; i < sizeof temp; i++) {
temp[i] ^= providedData[i];
}
}
@@ -122,24 +114,22 @@
}
}
-int32_t tc_ctr_prng_init(TCCtrPrng_t * const ctx,
- uint8_t const * const entropy,
- uint32_t entropyLen,
- uint8_t const * const personalization,
- uint32_t pLen)
+int tc_ctr_prng_init(TCCtrPrng_t * const ctx,
+ uint8_t const * const entropy,
+ unsigned int entropyLen,
+ uint8_t const * const personalization,
+ unsigned int pLen)
{
- int32_t result = TC_CRYPTO_FAIL;
- uint32_t i;
+ int result = TC_CRYPTO_FAIL;
+ unsigned int i;
uint8_t personalization_buf[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE] = {0U};
uint8_t seed_material[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE];
uint8_t zeroArr[TC_AES_BLOCK_SIZE] = {0U};
- if (0 != personalization)
- {
+ if (0 != personalization) {
/* 10.2.1.3.1 step 1 */
- uint32_t len = pLen;
- if (len > sizeof personalization_buf)
- {
+ unsigned int len = pLen;
+ if (len > sizeof personalization_buf) {
len = sizeof personalization_buf;
}
@@ -147,12 +137,10 @@
memcpy(personalization_buf, personalization, len);
}
- if ((0 != ctx) && (0 != entropy) && (entropyLen >= sizeof seed_material))
- {
+ if ((0 != ctx) && (0 != entropy) && (entropyLen >= sizeof seed_material)) {
/* 10.2.1.3.1 step 3 */
memcpy(seed_material, entropy, sizeof seed_material);
- for (i = 0U; i < sizeof seed_material; i++)
- {
+ for (i = 0U; i < sizeof seed_material; i++) {
seed_material[i] ^= personalization_buf[i];
}
@@ -173,23 +161,21 @@
return result;
}
-int32_t tc_ctr_prng_reseed(TCCtrPrng_t * const ctx,
+int tc_ctr_prng_reseed(TCCtrPrng_t * const ctx,
uint8_t const * const entropy,
- uint32_t entropyLen,
+ unsigned int entropyLen,
uint8_t const * const additional_input,
- uint32_t additionallen)
+ unsigned int additionallen)
{
- uint32_t i;
- int32_t result = TC_CRYPTO_FAIL;
+ unsigned int i;
+ int result = TC_CRYPTO_FAIL;
uint8_t additional_input_buf[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE] = {0U};
uint8_t seed_material[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE];
- if (0 != additional_input)
- {
+ if (0 != additional_input) {
/* 10.2.1.4.1 step 1 */
- uint32_t len = additionallen;
- if (len > sizeof additional_input_buf)
- {
+ unsigned int len = additionallen;
+ if (len > sizeof additional_input_buf) {
len = sizeof additional_input_buf;
}
@@ -197,13 +183,11 @@
memcpy(additional_input_buf, additional_input, len);
}
- uint32_t seedlen = (uint32_t)TC_AES_KEY_SIZE + (uint32_t)TC_AES_BLOCK_SIZE;
- if ((0 != ctx) && (entropyLen >= seedlen))
- {
+ unsigned int seedlen = (unsigned int)TC_AES_KEY_SIZE + (unsigned int)TC_AES_BLOCK_SIZE;
+ if ((0 != ctx) && (entropyLen >= seedlen)) {
/* 10.2.1.4.1 step 3 */
memcpy(seed_material, entropy, sizeof seed_material);
- for (i = 0U; i < sizeof seed_material; i++)
- {
+ for (i = 0U; i < sizeof seed_material; i++) {
seed_material[i] ^= additional_input_buf[i];
}
@@ -218,36 +202,30 @@
return result;
}
-int32_t tc_ctr_prng_generate(TCCtrPrng_t * const ctx,
+int tc_ctr_prng_generate(TCCtrPrng_t * const ctx,
uint8_t const * const additional_input,
- uint32_t additionallen,
+ unsigned int additionallen,
uint8_t * const out,
- uint32_t outlen)
+ unsigned int outlen)
{
/* 2^48 - see section 10.2.1 */
static const uint64_t MAX_REQS_BEFORE_RESEED = 0x1000000000000ULL;
/* 2^19 bits - see section 10.2.1 */
- static const uint32_t MAX_BYTES_PER_REQ = 65536U;
+ static const unsigned int MAX_BYTES_PER_REQ = 65536U;
- int32_t result = TC_CRYPTO_FAIL;
+ unsigned int result = TC_CRYPTO_FAIL;
- if ((0 != ctx) && (0 != out) && (outlen < MAX_BYTES_PER_REQ))
- {
+ if ((0 != ctx) && (0 != out) && (outlen < MAX_BYTES_PER_REQ)) {
/* 10.2.1.5.1 step 1 */
- if (ctx->reseedCount > MAX_REQS_BEFORE_RESEED)
- {
+ if (ctx->reseedCount > MAX_REQS_BEFORE_RESEED) {
result = TC_CTR_PRNG_RESEED_REQ;
- }
- else
- {
+ } else {
uint8_t additional_input_buf[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE] = {0U};
- if (0 != additional_input)
- {
+ if (0 != additional_input) {
/* 10.2.1.5.1 step 2 */
- uint32_t len = additionallen;
- if (len > sizeof additional_input_buf)
- {
+ unsigned int len = additionallen;
+ if (len > sizeof additional_input_buf) {
len = sizeof additional_input_buf;
}
memcpy(additional_input_buf, additional_input, len);
@@ -257,10 +235,9 @@
/* 10.2.1.5.1 step 3 - implicit */
/* 10.2.1.5.1 step 4 */
- uint32_t len = 0U;
- while (len < outlen)
- {
- uint32_t blocklen = outlen - len;
+ unsigned int len = 0U;
+ while (len < outlen) {
+ unsigned int blocklen = outlen - len;
uint8_t output_block[TC_AES_BLOCK_SIZE];
/* 10.2.1.5.1 step 4.1 */
@@ -270,8 +247,7 @@
(void)tc_aes_encrypt(output_block, ctx->V, &ctx->key);
/* 10.2.1.5.1 step 4.3/step 5 */
- if (blocklen > TC_AES_BLOCK_SIZE)
- {
+ if (blocklen > TC_AES_BLOCK_SIZE) {
blocklen = TC_AES_BLOCK_SIZE;
}
memcpy(&(out[len]), output_block, blocklen);
@@ -295,8 +271,7 @@
void tc_ctr_prng_uninstantiate(TCCtrPrng_t * const ctx)
{
- if (0 != ctx)
- {
+ if (0 != ctx) {
memset(ctx->key.words, 0x00, sizeof ctx->key.words);
memset(ctx->V, 0x00, sizeof ctx->V);
ctx->reseedCount = 0U;
diff --git a/ext/tinycrypt/lib/source/ecc.c b/ext/tinycrypt/lib/source/ecc.c
index bfe6c5f..46080bf 100644
--- a/ext/tinycrypt/lib/source/ecc.c
+++ b/ext/tinycrypt/lib/source/ecc.c
@@ -1,625 +1,942 @@
-/* ecc.c - TinyCrypt implementation of ECC auxiliary functions */
+/* ecc.c - TinyCrypt implementation of common ECC functions */
/*
- *
- * Copyright (c) 2013, Kenneth MacKay
- * All rights reserved.
- * https://github.com/kmackay/micro-ecc
- *
- * Redistribution and use in source and binary forms, with or without modification,
- * are permitted provided that the following conditions are met:
- * * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * - Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * - Neither the name of Intel Corporation nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
+ * Copyright (c) 2014, Kenneth MacKay
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of Intel Corporation nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
#include <tinycrypt/ecc.h>
+#include <tinycrypt/ecc_platform_specific.h>
+#include <string.h>
-/* ------ Curve NIST P-256 constants: ------ */
+/* IMPORTANT: Make sure a cryptographically-secure PRNG is set and the platform
+ * has access to enough entropy in order to feed the PRNG regularly. */
+#if default_RNG_defined
+static uECC_RNG_Function g_rng_function = &default_CSPRNG;
+#else
+static uECC_RNG_Function g_rng_function = 0;
+#endif
-#define Curve_P {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, \
- 0x00000000, 0x00000000, 0x00000001, 0xFFFFFFFF}
-
-#define Curve_B {0x27D2604B, 0x3BCE3C3E, 0xCC53B0F6, 0x651D06B0, \
- 0x769886BC, 0xB3EBBD55, 0xAA3A93E7, 0x5AC635D8}
-
-#define Curve_N {0xFC632551, 0xF3B9CAC2, 0xA7179E84, 0xBCE6FAAD, \
- 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0xFFFFFFFF}
-
-#define Curve_G {{0xD898C296, 0xF4A13945, 0x2DEB33A0, 0x77037D81, \
- 0x63A440F2, 0xF8BCE6E5, 0xE12C4247, 0x6B17D1F2}, \
- {0x37BF51F5, 0xCBB64068, 0x6B315ECE, 0x2BCE3357, \
- 0x7C0F9E16, 0x8EE7EB4A, 0xFE1A7F9B, 0x4FE342E2} }
-
-#define Curve_P_Barrett {0x00000003, 0x00000000, 0xFFFFFFFF, 0xFFFFFFFE, \
- 0xFFFFFFFE, 0xFFFFFFFE, 0xFFFFFFFF, 0x00000000, 0x00000001}
-
-#define Curve_N_Barrett {0xEEDF9BFE, 0x012FFD85, 0xDF1A6C21, 0x43190552, \
- 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFF, 0x00000000, 0x00000001}
-
-uint32_t curve_p[NUM_ECC_DIGITS] = Curve_P;
-uint32_t curve_b[NUM_ECC_DIGITS] = Curve_B;
-EccPoint curve_G = Curve_G;
-uint32_t curve_n[NUM_ECC_DIGITS] = Curve_N;
-uint32_t curve_pb[NUM_ECC_DIGITS + 1] = Curve_P_Barrett;
-uint32_t curve_nb[NUM_ECC_DIGITS + 1] = Curve_N_Barrett;
-
-/* ------ Static functions: ------ */
-
-/* Zeroing out p_vli. */
-static void vli_clear(uint32_t *p_vli)
+void uECC_set_rng(uECC_RNG_Function rng_function)
{
- uint32_t i;
+ g_rng_function = rng_function;
+}
- for (i = 0; i < NUM_ECC_DIGITS; ++i) {
- p_vli[i] = 0;
+uECC_RNG_Function uECC_get_rng(void)
+{
+ return g_rng_function;
+}
+
+int uECC_curve_private_key_size(uECC_Curve curve)
+{
+ return BITS_TO_BYTES(curve->num_n_bits);
+}
+
+int uECC_curve_public_key_size(uECC_Curve curve)
+{
+ return 2 * curve->num_bytes;
+}
+
+void uECC_vli_clear(uECC_word_t *vli, wordcount_t num_words)
+{
+ wordcount_t i;
+ for (i = 0; i < num_words; ++i) {
+ vli[i] = 0;
}
}
-/* Returns nonzero if bit p_bit of p_vli is set.
- * It is assumed that the value provided in 'bit' is within
- * the boundaries of the word-array 'p_vli'.*/
-static uint32_t vli_testBit(uint32_t *p_vli, uint32_t p_bit)
+uECC_word_t uECC_vli_isZero(const uECC_word_t *vli, wordcount_t num_words)
{
- return (p_vli[p_bit / 32] & (1 << (p_bit % 32)));
+ uECC_word_t bits = 0;
+ wordcount_t i;
+ for (i = 0; i < num_words; ++i) {
+ bits |= vli[i];
+ }
+ return (bits == 0);
}
-uint32_t vli_isZero(uint32_t *p_vli)
+uECC_word_t uECC_vli_testBit(const uECC_word_t *vli, bitcount_t bit)
{
- uint32_t acc = 0;
+ return (vli[bit >> uECC_WORD_BITS_SHIFT] &
+ ((uECC_word_t)1 << (bit & uECC_WORD_BITS_MASK)));
+}
- for (uint32_t i = 0; i < NUM_ECC_DIGITS; ++i) {
- acc |= p_vli[i];
+/* Counts the number of words in vli. */
+static wordcount_t vli_numDigits(const uECC_word_t *vli,
+ const wordcount_t max_words)
+{
+
+ wordcount_t i;
+ /* Search from the end until we find a non-zero digit. We do it in reverse
+ * because we expect that most digits will be nonzero. */
+ for (i = max_words - 1; i >= 0 && vli[i] == 0; --i) {
}
- return (!acc);
+ return (i + 1);
}
-/*
- * Find the right-most nonzero 32-bit "digits" in p_vli.
- *
- * Side-channel countermeasure: algorithm strengthened against timing attack.
- */
-static uint32_t vli_numDigits(uint32_t *p_vli)
+bitcount_t uECC_vli_numBits(const uECC_word_t *vli,
+ const wordcount_t max_words)
{
- int32_t i;
- uint32_t digits = 0;
- for (i = NUM_ECC_DIGITS - 1; i >= 0 ; --i) {
- digits += p_vli[i] || digits;
+ uECC_word_t i;
+ uECC_word_t digit;
+
+ wordcount_t num_digits = vli_numDigits(vli, max_words);
+ if (num_digits == 0) {
+ return 0;
}
- return digits;
-}
-
-/*
- * Find the left-most non-zero bit in p_vli.
- *
- * Side-channel countermeasure: algorithm strengthened against timing attack.
- */
-static uint32_t vli_numBits(uint32_t *p_vli)
-{
- uint32_t l_digit;
- uint32_t i, acc = 32;
- uint32_t l_numDigits = vli_numDigits(p_vli);
-
- l_digit = p_vli[l_numDigits - 1];
-
- for (i = 0; i < 32; ++i) {
- acc -= !l_digit;
- l_digit >>= 1;
+ digit = vli[num_digits - 1];
+ for (i = 0; digit; ++i) {
+ digit >>= 1;
}
- return ((l_numDigits - 1) * 32 + acc);
+ return (((bitcount_t)(num_digits - 1) << uECC_WORD_BITS_SHIFT) + i);
}
-/*
- * Computes p_result = p_left + p_right, returns carry.
- *
- * Side-channel countermeasure: algorithm strengthened against timing attack.
- */
-static uint32_t vli_add(uint32_t *p_result, uint32_t *p_left,
- uint32_t *p_right)
+void uECC_vli_set(uECC_word_t *dest, const uECC_word_t *src,
+ wordcount_t num_words)
{
+ wordcount_t i;
- uint32_t l_carry = 0;
-
- for (uint32_t i = 0; i < NUM_ECC_DIGITS; ++i) {
- uint32_t l_sum = p_left[i] + p_right[i] + l_carry;
-
- l_carry = (l_sum < p_left[i]) | ((l_sum == p_left[i]) && l_carry);
- p_result[i] = l_sum;
- }
-
- return l_carry;
+ for (i = 0; i < num_words; ++i) {
+ dest[i] = src[i];
+ }
}
-
-/* Computes p_result = p_left * p_right. */
-static void vli_mult(uint32_t *p_result, uint32_t *p_left,
- uint32_t *p_right, uint32_t word_size)
+cmpresult_t uECC_vli_cmp_unsafe(const uECC_word_t *left,
+ const uECC_word_t *right,
+ wordcount_t num_words)
{
+ wordcount_t i;
- uint64_t r01 = 0;
- uint32_t r2 = 0;
-
- /* Compute each digit of p_result in sequence, maintaining the carries. */
- for (uint32_t k = 0; k < word_size*2 - 1; ++k) {
-
- uint32_t l_min = (k < word_size ? 0 : (k + 1) - word_size);
-
- for (uint32_t i = l_min; i <= k && i < word_size; ++i) {
-
- uint64_t l_product = (uint64_t)p_left[i] * p_right[k - i];
-
- r01 += l_product;
- r2 += (r01 < l_product);
+ for (i = num_words - 1; i >= 0; --i) {
+ if (left[i] > right[i]) {
+ return 1;
+ } else if (left[i] < right[i]) {
+ return -1;
}
- p_result[k] = (uint32_t)r01;
- r01 = (r01 >> 32) | (((uint64_t)r2) << 32);
+ }
+ return 0;
+}
+
+uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right,
+ wordcount_t num_words)
+{
+
+ uECC_word_t diff = 0;
+ wordcount_t i;
+
+ for (i = num_words - 1; i >= 0; --i) {
+ diff |= (left[i] ^ right[i]);
+ }
+ return !(diff == 0);
+}
+
+uECC_word_t cond_set(uECC_word_t p_true, uECC_word_t p_false, unsigned int cond)
+{
+ return (p_true*(cond)) | (p_false*(!cond));
+}
+
+/* Computes result = left - right, returning borrow, in constant time.
+ * Can modify in place. */
+uECC_word_t uECC_vli_sub(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, wordcount_t num_words)
+{
+ uECC_word_t borrow = 0;
+ wordcount_t i;
+ for (i = 0; i < num_words; ++i) {
+ uECC_word_t diff = left[i] - right[i] - borrow;
+ uECC_word_t val = (diff > left[i]);
+ borrow = cond_set(val, borrow, (diff != left[i]));
+
+ result[i] = diff;
+ }
+ return borrow;
+}
+
+/* Computes result = left + right, returning carry, in constant time.
+ * Can modify in place. */
+static uECC_word_t uECC_vli_add(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, wordcount_t num_words)
+{
+ uECC_word_t carry = 0;
+ wordcount_t i;
+ for (i = 0; i < num_words; ++i) {
+ uECC_word_t sum = left[i] + right[i] + carry;
+ uECC_word_t val = (sum < left[i]);
+ carry = cond_set(val, carry, (sum != left[i]));
+ result[i] = sum;
+ }
+ return carry;
+}
+
+cmpresult_t uECC_vli_cmp(const uECC_word_t *left, const uECC_word_t *right,
+ wordcount_t num_words)
+{
+ uECC_word_t tmp[NUM_ECC_WORDS];
+ uECC_word_t neg = !!uECC_vli_sub(tmp, left, right, num_words);
+ uECC_word_t equal = uECC_vli_isZero(tmp, num_words);
+ return (!equal - 2 * neg);
+}
+
+/* Computes vli = vli >> 1. */
+static void uECC_vli_rshift1(uECC_word_t *vli, wordcount_t num_words)
+{
+ uECC_word_t *end = vli;
+ uECC_word_t carry = 0;
+
+ vli += num_words;
+ while (vli-- > end) {
+ uECC_word_t temp = *vli;
+ *vli = (temp >> 1) | carry;
+ carry = temp << (uECC_WORD_BITS - 1);
+ }
+}
+
+static void muladd(uECC_word_t a, uECC_word_t b, uECC_word_t *r0,
+ uECC_word_t *r1, uECC_word_t *r2)
+{
+
+ uECC_dword_t p = (uECC_dword_t)a * b;
+ uECC_dword_t r01 = ((uECC_dword_t)(*r1) << uECC_WORD_BITS) | *r0;
+ r01 += p;
+ *r2 += (r01 < p);
+ *r1 = r01 >> uECC_WORD_BITS;
+ *r0 = (uECC_word_t)r01;
+
+}
+
+/* Computes result = left * right. Result must be 2 * num_words long. */
+static void uECC_vli_mult(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, wordcount_t num_words)
+{
+
+ uECC_word_t r0 = 0;
+ uECC_word_t r1 = 0;
+ uECC_word_t r2 = 0;
+ wordcount_t i, k;
+
+ /* Compute each digit of result in sequence, maintaining the carries. */
+ for (k = 0; k < num_words; ++k) {
+
+ for (i = 0; i <= k; ++i) {
+ muladd(left[i], right[k - i], &r0, &r1, &r2);
+ }
+
+ result[k] = r0;
+ r0 = r1;
+ r1 = r2;
r2 = 0;
}
- p_result[word_size * 2 - 1] = (uint32_t)r01;
+ for (k = num_words; k < num_words * 2 - 1; ++k) {
+
+ for (i = (k + 1) - num_words; i < num_words; ++i) {
+ muladd(left[i], right[k - i], &r0, &r1, &r2);
+ }
+ result[k] = r0;
+ r0 = r1;
+ r1 = r2;
+ r2 = 0;
+ }
+ result[num_words * 2 - 1] = r0;
}
-/* Computes p_result = p_left^2. */
-static void vli_square(uint32_t *p_result, uint32_t *p_left)
+void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, const uECC_word_t *mod,
+ wordcount_t num_words)
{
+ uECC_word_t carry = uECC_vli_add(result, left, right, num_words);
+ if (carry || uECC_vli_cmp_unsafe(mod, result, num_words) != 1) {
+ /* result > mod (result = mod + remainder), so subtract mod to get
+ * remainder. */
+ uECC_vli_sub(result, result, mod, num_words);
+ }
+}
- uint64_t r01 = 0;
- uint32_t r2 = 0;
- uint32_t i, k;
+void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, const uECC_word_t *mod,
+ wordcount_t num_words)
+{
+ uECC_word_t l_borrow = uECC_vli_sub(result, left, right, num_words);
+ if (l_borrow) {
+ /* In this case, result == -diff == (max int) - diff. Since -x % d == d - x,
+ * we can get the correct result from result + mod (with overflow). */
+ uECC_vli_add(result, result, mod, num_words);
+ }
+}
- for (k = 0; k < NUM_ECC_DIGITS * 2 - 1; ++k) {
+/* Computes result = product % mod, where product is 2N words long. */
+/* Currently only designed to work for curve_p or curve_n. */
+void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product,
+ const uECC_word_t *mod, wordcount_t num_words)
+{
+ uECC_word_t mod_multiple[2 * NUM_ECC_WORDS];
+ uECC_word_t tmp[2 * NUM_ECC_WORDS];
+ uECC_word_t *v[2] = {tmp, product};
+ uECC_word_t index;
- uint32_t l_min = (k < NUM_ECC_DIGITS ? 0 : (k + 1) - NUM_ECC_DIGITS);
+ /* Shift mod so its highest set bit is at the maximum position. */
+ bitcount_t shift = (num_words * 2 * uECC_WORD_BITS) -
+ uECC_vli_numBits(mod, num_words);
+ wordcount_t word_shift = shift / uECC_WORD_BITS;
+ wordcount_t bit_shift = shift % uECC_WORD_BITS;
+ uECC_word_t carry = 0;
+ uECC_vli_clear(mod_multiple, word_shift);
+ if (bit_shift > 0) {
+ for(index = 0; index < (uECC_word_t)num_words; ++index) {
+ mod_multiple[word_shift + index] = (mod[index] << bit_shift) | carry;
+ carry = mod[index] >> (uECC_WORD_BITS - bit_shift);
+ }
+ } else {
+ uECC_vli_set(mod_multiple + word_shift, mod, num_words);
+ }
- for (i = l_min; i <= k && i <= k - i; ++i) {
-
- uint64_t l_product = (uint64_t)p_left[i] * p_left[k - i];
-
- if (i < k - i) {
-
- r2 += l_product >> 63;
- l_product *= 2;
+ for (index = 1; shift >= 0; --shift) {
+ uECC_word_t borrow = 0;
+ wordcount_t i;
+ for (i = 0; i < num_words * 2; ++i) {
+ uECC_word_t diff = v[index][i] - mod_multiple[i] - borrow;
+ if (diff != v[index][i]) {
+ borrow = (diff > v[index][i]);
}
- r01 += l_product;
- r2 += (r01 < l_product);
+ v[1 - index][i] = diff;
}
- p_result[k] = (uint32_t)r01;
- r01 = (r01 >> 32) | (((uint64_t)r2) << 32);
- r2 = 0;
+ /* Swap the index if there was no borrow */
+ index = !(index ^ borrow);
+ uECC_vli_rshift1(mod_multiple, num_words);
+ mod_multiple[num_words - 1] |= mod_multiple[num_words] <<
+ (uECC_WORD_BITS - 1);
+ uECC_vli_rshift1(mod_multiple + num_words, num_words);
}
-
- p_result[NUM_ECC_DIGITS * 2 - 1] = (uint32_t)r01;
+ uECC_vli_set(result, v[index], num_words);
}
-/* Computes p_result = p_product % curve_p using Barrett reduction. */
-void vli_mmod_barrett(uint32_t *p_result, uint32_t *p_product,
- uint32_t *p_mod, uint32_t *p_barrett)
+void uECC_vli_modMult(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, const uECC_word_t *mod,
+ wordcount_t num_words)
{
- uint32_t i;
- uint32_t q1[NUM_ECC_DIGITS + 1];
+ uECC_word_t product[2 * NUM_ECC_WORDS];
+ uECC_vli_mult(product, left, right, num_words);
+ uECC_vli_mmod(result, product, mod, num_words);
+}
- for (i = NUM_ECC_DIGITS - 1; i < 2 * NUM_ECC_DIGITS; i++) {
- q1[i - (NUM_ECC_DIGITS - 1)] = p_product[i];
+void uECC_vli_modMult_fast(uECC_word_t *result, const uECC_word_t *left,
+ const uECC_word_t *right, uECC_Curve curve)
+{
+ uECC_word_t product[2 * NUM_ECC_WORDS];
+ uECC_vli_mult(product, left, right, curve->num_words);
+
+ curve->mmod_fast(result, product);
+}
+
+static void uECC_vli_modSquare_fast(uECC_word_t *result,
+ const uECC_word_t *left,
+ uECC_Curve curve)
+{
+ uECC_vli_modMult_fast(result, left, left, curve);
+}
+
+
+#define EVEN(vli) (!(vli[0] & 1))
+
+static void vli_modInv_update(uECC_word_t *uv,
+ const uECC_word_t *mod,
+ wordcount_t num_words)
+{
+
+ uECC_word_t carry = 0;
+
+ if (!EVEN(uv)) {
+ carry = uECC_vli_add(uv, uv, mod, num_words);
}
-
- uint32_t q2[2*NUM_ECC_DIGITS + 2];
-
- vli_mult(q2, q1, p_barrett, NUM_ECC_DIGITS + 1);
- for (i = NUM_ECC_DIGITS + 1; i < 2 * NUM_ECC_DIGITS + 2; i++) {
- q1[i - (NUM_ECC_DIGITS + 1)] = q2[i];
- }
-
- uint32_t prime2[2*NUM_ECC_DIGITS];
-
- for (i = 0; i < NUM_ECC_DIGITS; i++) {
- prime2[i] = p_mod[i];
- prime2[NUM_ECC_DIGITS + i] = 0;
- }
-
- vli_mult(q2, q1, prime2, NUM_ECC_DIGITS + 1);
- vli_sub(p_product, p_product, q2, 2 * NUM_ECC_DIGITS);
-
- uint32_t borrow;
-
- borrow = vli_sub(q1, p_product, prime2, NUM_ECC_DIGITS + 1);
- vli_cond_set(p_product, p_product, q1, borrow);
- p_product[NUM_ECC_DIGITS] = q1[NUM_ECC_DIGITS] * (!borrow);
- borrow = vli_sub(q1, p_product, prime2, NUM_ECC_DIGITS + 1);
- vli_cond_set(p_product, p_product, q1, borrow);
- p_product[NUM_ECC_DIGITS] = q1[NUM_ECC_DIGITS] * (!borrow);
- borrow = vli_sub(q1, p_product, prime2, NUM_ECC_DIGITS + 1);
- vli_cond_set(p_product, p_product, q1, borrow);
- p_product[NUM_ECC_DIGITS] = q1[NUM_ECC_DIGITS] * (!borrow);
-
- for (i = 0; i < NUM_ECC_DIGITS; i++) {
- p_result[i] = p_product[i];
+ uECC_vli_rshift1(uv, num_words);
+ if (carry) {
+ uv[num_words - 1] |= HIGH_BIT_SET;
}
}
-/*
- * Computes modular exponentiation.
- *
- * Side-channel countermeasure: algorithm strengthened against timing attack.
- */
-static void vli_modExp(uint32_t *p_result, uint32_t *p_base,
- uint32_t *p_exp, uint32_t *p_mod, uint32_t *p_barrett)
+void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input,
+ const uECC_word_t *mod, wordcount_t num_words)
{
+ uECC_word_t a[NUM_ECC_WORDS], b[NUM_ECC_WORDS];
+ uECC_word_t u[NUM_ECC_WORDS], v[NUM_ECC_WORDS];
+ cmpresult_t cmpResult;
- uint32_t acc[NUM_ECC_DIGITS], tmp[NUM_ECC_DIGITS], product[2 * NUM_ECC_DIGITS];
- uint32_t j;
- int32_t i;
-
- vli_clear(acc);
- acc[0] = 1;
-
- for (i = NUM_ECC_DIGITS - 1; i >= 0; i--) {
- for (j = 1 << 31; j > 0; j = j >> 1) {
- vli_square(product, acc);
- vli_mmod_barrett(acc, product, p_mod, p_barrett);
- vli_mult(product, acc, p_base, NUM_ECC_DIGITS);
- vli_mmod_barrett(tmp, product, p_mod, p_barrett);
- vli_cond_set(acc, tmp, acc, j & p_exp[i]);
- }
- }
-
- vli_set(p_result, acc);
-}
-
-/* Conversion from Affine coordinates to Jacobi coordinates. */
-static void EccPoint_fromAffine(EccPointJacobi *p_point_jacobi,
- EccPoint *p_point) {
-
- vli_set(p_point_jacobi->X, p_point->x);
- vli_set(p_point_jacobi->Y, p_point->y);
- vli_clear(p_point_jacobi->Z);
- p_point_jacobi->Z[0] = 1;
-}
-
-/*
- * Elliptic curve point doubling in Jacobi coordinates: P = P + P.
- *
- * Requires 4 squares and 4 multiplications.
- */
-static void EccPoint_double(EccPointJacobi *P)
-{
-
- uint32_t m[NUM_ECC_DIGITS], s[NUM_ECC_DIGITS], t[NUM_ECC_DIGITS];
-
- vli_modSquare_fast(t, P->Z);
- vli_modSub(m, P->X, t, curve_p);
- vli_modAdd(s, P->X, t, curve_p);
- vli_modMult_fast(m, m, s);
- vli_modAdd(s, m, m, curve_p);
- vli_modAdd(m, s, m, curve_p); /* m = 3X^2 - 3Z^4 */
- vli_modSquare_fast(t, P->Y);
- vli_modMult_fast(s, P->X, t);
- vli_modAdd(s, s, s, curve_p);
- vli_modAdd(s, s, s, curve_p); /* s = 4XY^2 */
- vli_modMult_fast(P->Z, P->Y, P->Z);
- vli_modAdd(P->Z, P->Z, P->Z, curve_p); /* Z' = 2YZ */
- vli_modSquare_fast(P->X, m);
- vli_modSub(P->X, P->X, s, curve_p);
- vli_modSub(P->X, P->X, s, curve_p); /* X' = m^2 - 2s */
- vli_modSquare_fast(P->Y, t);
- vli_modAdd(P->Y, P->Y, P->Y, curve_p);
- vli_modAdd(P->Y, P->Y, P->Y, curve_p);
- vli_modAdd(P->Y, P->Y, P->Y, curve_p);
- vli_modSub(t, s, P->X, curve_p);
- vli_modMult_fast(t, t, m);
- vli_modSub(P->Y, t, P->Y, curve_p); /* Y' = m(s - X') - 8Y^4 */
-
-}
-
-/* Copy input to target. */
-static void EccPointJacobi_set(EccPointJacobi *target, EccPointJacobi *input)
-{
- vli_set(target->X, input->X);
- vli_set(target->Y, input->Y);
- vli_set(target->Z, input->Z);
-}
-
-/* ------ Externally visible functions (see header file for comments): ------ */
-
-void vli_set(uint32_t *p_dest, uint32_t *p_src)
-{
-
- uint32_t i;
-
- for (i = 0; i < NUM_ECC_DIGITS; ++i) {
- p_dest[i] = p_src[i];
- }
-}
-
-int32_t vli_cmp(uint32_t *p_left, uint32_t *p_right, int32_t word_size)
-{
-
- int32_t i, cmp = 0;
-
- for (i = word_size-1; i >= 0; --i) {
- cmp |= ((p_left[i] > p_right[i]) - (p_left[i] < p_right[i])) * (!cmp);
- }
-
- return cmp;
-}
-
-uint32_t vli_sub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
- uint32_t word_size)
-{
-
- uint32_t l_borrow = 0;
-
- for (uint32_t i = 0; i < word_size; ++i) {
- uint32_t l_diff = p_left[i] - p_right[i] - l_borrow;
-
- l_borrow = (l_diff > p_left[i]) | ((l_diff == p_left[i]) && l_borrow);
- p_result[i] = l_diff;
- }
-
- return l_borrow;
-}
-
-void vli_cond_set(uint32_t *output, uint32_t *p_true, uint32_t *p_false,
- uint32_t cond)
-{
- uint32_t i;
-
- cond = (!cond);
-
- for (i = 0; i < NUM_ECC_DIGITS; i++) {
- output[i] = (p_true[i]*(!cond)) | (p_false[i]*cond);
- }
-}
-
-void vli_modAdd(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
- uint32_t *p_mod)
-{
- uint32_t l_carry = vli_add(p_result, p_left, p_right);
- uint32_t p_temp[NUM_ECC_DIGITS];
-
- l_carry = l_carry == vli_sub(p_temp, p_result, p_mod, NUM_ECC_DIGITS);
- vli_cond_set(p_result, p_temp, p_result, l_carry);
-}
-
-void vli_modSub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
- uint32_t *p_mod)
-{
- uint32_t l_borrow = vli_sub(p_result, p_left, p_right, NUM_ECC_DIGITS);
- uint32_t p_temp[NUM_ECC_DIGITS];
-
- vli_add(p_temp, p_result, p_mod);
- vli_cond_set(p_result, p_temp, p_result, l_borrow);
-}
-
-void vli_modMult_fast(uint32_t *p_result, uint32_t *p_left,
- uint32_t *p_right)
-{
- uint32_t l_product[2 * NUM_ECC_DIGITS];
-
- vli_mult(l_product, p_left, p_right, NUM_ECC_DIGITS);
- vli_mmod_barrett(p_result, l_product, curve_p, curve_pb);
-}
-
-void vli_modSquare_fast(uint32_t *p_result, uint32_t *p_left)
-{
- uint32_t l_product[2 * NUM_ECC_DIGITS];
-
- vli_square(l_product, p_left);
- vli_mmod_barrett(p_result, l_product, curve_p, curve_pb);
-}
-
-void vli_modMult(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
- uint32_t *p_mod, uint32_t *p_barrett)
-{
-
- uint32_t l_product[2 * NUM_ECC_DIGITS];
-
- vli_mult(l_product, p_left, p_right, NUM_ECC_DIGITS);
- vli_mmod_barrett(p_result, l_product, p_mod, p_barrett);
-}
-
-void vli_modInv(uint32_t *p_result, uint32_t *p_input, uint32_t *p_mod,
- uint32_t *p_barrett)
-{
- uint32_t p_power[NUM_ECC_DIGITS];
-
- vli_set(p_power, p_mod);
- p_power[0] -= 2;
- vli_modExp(p_result, p_input, p_power, p_mod, p_barrett);
-}
-
-uint32_t EccPoint_isZero(EccPoint *p_point)
-{
- return (vli_isZero(p_point->x) && vli_isZero(p_point->y));
-}
-
-uint32_t EccPointJacobi_isZero(EccPointJacobi *p_point_jacobi)
-{
- return vli_isZero(p_point_jacobi->Z);
-}
-
-void EccPoint_toAffine(EccPoint *p_point, EccPointJacobi *p_point_jacobi)
-{
-
- if (vli_isZero(p_point_jacobi->Z)) {
- vli_clear(p_point->x);
- vli_clear(p_point->y);
+ if (uECC_vli_isZero(input, num_words)) {
+ uECC_vli_clear(result, num_words);
return;
}
- uint32_t z[NUM_ECC_DIGITS];
-
- vli_set(z, p_point_jacobi->Z);
- vli_modInv(z, z, curve_p, curve_pb);
- vli_modSquare_fast(p_point->x, z);
- vli_modMult_fast(p_point->y, p_point->x, z);
- vli_modMult_fast(p_point->x, p_point->x, p_point_jacobi->X);
- vli_modMult_fast(p_point->y, p_point->y, p_point_jacobi->Y);
+ uECC_vli_set(a, input, num_words);
+ uECC_vli_set(b, mod, num_words);
+ uECC_vli_clear(u, num_words);
+ u[0] = 1;
+ uECC_vli_clear(v, num_words);
+ while ((cmpResult = uECC_vli_cmp_unsafe(a, b, num_words)) != 0) {
+ if (EVEN(a)) {
+ uECC_vli_rshift1(a, num_words);
+ vli_modInv_update(u, mod, num_words);
+ } else if (EVEN(b)) {
+ uECC_vli_rshift1(b, num_words);
+ vli_modInv_update(v, mod, num_words);
+ } else if (cmpResult > 0) {
+ uECC_vli_sub(a, a, b, num_words);
+ uECC_vli_rshift1(a, num_words);
+ if (uECC_vli_cmp_unsafe(u, v, num_words) < 0) {
+ uECC_vli_add(u, u, mod, num_words);
+ }
+ uECC_vli_sub(u, u, v, num_words);
+ vli_modInv_update(u, mod, num_words);
+ } else {
+ uECC_vli_sub(b, b, a, num_words);
+ uECC_vli_rshift1(b, num_words);
+ if (uECC_vli_cmp_unsafe(v, u, num_words) < 0) {
+ uECC_vli_add(v, v, mod, num_words);
+ }
+ uECC_vli_sub(v, v, u, num_words);
+ vli_modInv_update(v, mod, num_words);
+ }
+ }
+ uECC_vli_set(result, u, num_words);
}
-void EccPoint_add(EccPointJacobi *P1, EccPointJacobi *P2)
+/* ------ Point operations ------ */
+
+void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1,
+ uECC_word_t * Z1, uECC_Curve curve)
{
+ /* t1 = X, t2 = Y, t3 = Z */
+ uECC_word_t t4[NUM_ECC_WORDS];
+ uECC_word_t t5[NUM_ECC_WORDS];
+ wordcount_t num_words = curve->num_words;
- uint32_t s1[NUM_ECC_DIGITS], u1[NUM_ECC_DIGITS], t[NUM_ECC_DIGITS];
- uint32_t h[NUM_ECC_DIGITS], r[NUM_ECC_DIGITS];
-
- vli_modSquare_fast(r, P1->Z);
- vli_modSquare_fast(s1, P2->Z);
- vli_modMult_fast(u1, P1->X, s1); /* u1 = X1 Z2^2 */
- vli_modMult_fast(h, P2->X, r);
- vli_modMult_fast(s1, P1->Y, s1);
- vli_modMult_fast(s1, s1, P2->Z); /* s1 = Y1 Z2^3 */
- vli_modMult_fast(r, P2->Y, r);
- vli_modMult_fast(r, r, P1->Z);
- vli_modSub(h, h, u1, curve_p); /* h = X2 Z1^2 - u1 */
- vli_modSub(r, r, s1, curve_p); /* r = Y2 Z1^3 - s1 */
-
- if (vli_isZero(h)) {
- if (vli_isZero(r)) {
- /* P1 = P2 */
- EccPoint_double(P1);
- return;
- }
- /* point at infinity */
- vli_clear(P1->Z);
+ if (uECC_vli_isZero(Z1, num_words)) {
return;
}
- vli_modMult_fast(P1->Z, P1->Z, P2->Z);
- vli_modMult_fast(P1->Z, P1->Z, h); /* Z3 = h Z1 Z2 */
- vli_modSquare_fast(t, h);
- vli_modMult_fast(h, t, h);
- vli_modMult_fast(u1, u1, t);
- vli_modSquare_fast(P1->X, r);
- vli_modSub(P1->X, P1->X, h, curve_p);
- vli_modSub(P1->X, P1->X, u1, curve_p);
- vli_modSub(P1->X, P1->X, u1, curve_p); /* X3 = r^2 - h^3 - 2 u1 h^2 */
- vli_modMult_fast(t, s1, h);
- vli_modSub(P1->Y, u1, P1->X, curve_p);
- vli_modMult_fast(P1->Y, P1->Y, r);
- vli_modSub(P1->Y, P1->Y, t, curve_p); /* Y3 = r(u1 h^2 - X3) - s1 h^3 */
+ uECC_vli_modSquare_fast(t4, Y1, curve); /* t4 = y1^2 */
+ uECC_vli_modMult_fast(t5, X1, t4, curve); /* t5 = x1*y1^2 = A */
+ uECC_vli_modSquare_fast(t4, t4, curve); /* t4 = y1^4 */
+ uECC_vli_modMult_fast(Y1, Y1, Z1, curve); /* t2 = y1*z1 = z3 */
+ uECC_vli_modSquare_fast(Z1, Z1, curve); /* t3 = z1^2 */
+
+ uECC_vli_modAdd(X1, X1, Z1, curve->p, num_words); /* t1 = x1 + z1^2 */
+ uECC_vli_modAdd(Z1, Z1, Z1, curve->p, num_words); /* t3 = 2*z1^2 */
+ uECC_vli_modSub(Z1, X1, Z1, curve->p, num_words); /* t3 = x1 - z1^2 */
+ uECC_vli_modMult_fast(X1, X1, Z1, curve); /* t1 = x1^2 - z1^4 */
+
+ uECC_vli_modAdd(Z1, X1, X1, curve->p, num_words); /* t3 = 2*(x1^2 - z1^4) */
+ uECC_vli_modAdd(X1, X1, Z1, curve->p, num_words); /* t1 = 3*(x1^2 - z1^4) */
+ if (uECC_vli_testBit(X1, 0)) {
+ uECC_word_t l_carry = uECC_vli_add(X1, X1, curve->p, num_words);
+ uECC_vli_rshift1(X1, num_words);
+ X1[num_words - 1] |= l_carry << (uECC_WORD_BITS - 1);
+ } else {
+ uECC_vli_rshift1(X1, num_words);
+ }
+
+ /* t1 = 3/2*(x1^2 - z1^4) = B */
+ uECC_vli_modSquare_fast(Z1, X1, curve); /* t3 = B^2 */
+ uECC_vli_modSub(Z1, Z1, t5, curve->p, num_words); /* t3 = B^2 - A */
+ uECC_vli_modSub(Z1, Z1, t5, curve->p, num_words); /* t3 = B^2 - 2A = x3 */
+ uECC_vli_modSub(t5, t5, Z1, curve->p, num_words); /* t5 = A - x3 */
+ uECC_vli_modMult_fast(X1, X1, t5, curve); /* t1 = B * (A - x3) */
+ /* t4 = B * (A - x3) - y1^4 = y3: */
+ uECC_vli_modSub(t4, X1, t4, curve->p, num_words);
+
+ uECC_vli_set(X1, Z1, num_words);
+ uECC_vli_set(Z1, Y1, num_words);
+ uECC_vli_set(Y1, t4, num_words);
}
-/*
- * Elliptic curve scalar multiplication with result in Jacobi coordinates:
- *
- * p_result = p_scalar * p_point.
+void x_side_default(uECC_word_t *result,
+ const uECC_word_t *x,
+ uECC_Curve curve)
+{
+ uECC_word_t _3[NUM_ECC_WORDS] = {3}; /* -a = 3 */
+ wordcount_t num_words = curve->num_words;
+
+ uECC_vli_modSquare_fast(result, x, curve); /* r = x^2 */
+ uECC_vli_modSub(result, result, _3, curve->p, num_words); /* r = x^2 - 3 */
+ uECC_vli_modMult_fast(result, result, x, curve); /* r = x^3 - 3x */
+ /* r = x^3 - 3x + b: */
+ uECC_vli_modAdd(result, result, curve->b, curve->p, num_words);
+}
+
+uECC_Curve uECC_secp256r1(void)
+{
+ return &curve_secp256r1;
+}
+
+void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int*product)
+{
+ unsigned int tmp[NUM_ECC_WORDS];
+ int carry;
+
+ /* t */
+ uECC_vli_set(result, product, NUM_ECC_WORDS);
+
+ /* s1 */
+ tmp[0] = tmp[1] = tmp[2] = 0;
+ tmp[3] = product[11];
+ tmp[4] = product[12];
+ tmp[5] = product[13];
+ tmp[6] = product[14];
+ tmp[7] = product[15];
+ carry = uECC_vli_add(tmp, tmp, tmp, NUM_ECC_WORDS);
+ carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS);
+
+ /* s2 */
+ tmp[3] = product[12];
+ tmp[4] = product[13];
+ tmp[5] = product[14];
+ tmp[6] = product[15];
+ tmp[7] = 0;
+ carry += uECC_vli_add(tmp, tmp, tmp, NUM_ECC_WORDS);
+ carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS);
+
+ /* s3 */
+ tmp[0] = product[8];
+ tmp[1] = product[9];
+ tmp[2] = product[10];
+ tmp[3] = tmp[4] = tmp[5] = 0;
+ tmp[6] = product[14];
+ tmp[7] = product[15];
+ carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS);
+
+ /* s4 */
+ tmp[0] = product[9];
+ tmp[1] = product[10];
+ tmp[2] = product[11];
+ tmp[3] = product[13];
+ tmp[4] = product[14];
+ tmp[5] = product[15];
+ tmp[6] = product[13];
+ tmp[7] = product[8];
+ carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS);
+
+ /* d1 */
+ tmp[0] = product[11];
+ tmp[1] = product[12];
+ tmp[2] = product[13];
+ tmp[3] = tmp[4] = tmp[5] = 0;
+ tmp[6] = product[8];
+ tmp[7] = product[10];
+ carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS);
+
+ /* d2 */
+ tmp[0] = product[12];
+ tmp[1] = product[13];
+ tmp[2] = product[14];
+ tmp[3] = product[15];
+ tmp[4] = tmp[5] = 0;
+ tmp[6] = product[9];
+ tmp[7] = product[11];
+ carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS);
+
+ /* d3 */
+ tmp[0] = product[13];
+ tmp[1] = product[14];
+ tmp[2] = product[15];
+ tmp[3] = product[8];
+ tmp[4] = product[9];
+ tmp[5] = product[10];
+ tmp[6] = 0;
+ tmp[7] = product[12];
+ carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS);
+
+ /* d4 */
+ tmp[0] = product[14];
+ tmp[1] = product[15];
+ tmp[2] = 0;
+ tmp[3] = product[9];
+ tmp[4] = product[10];
+ tmp[5] = product[11];
+ tmp[6] = 0;
+ tmp[7] = product[13];
+ carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS);
+
+ if (carry < 0) {
+ do {
+ carry += uECC_vli_add(result, result, curve_secp256r1.p, NUM_ECC_WORDS);
+ }
+ while (carry < 0);
+ } else {
+ while (carry ||
+ uECC_vli_cmp_unsafe(curve_secp256r1.p, result, NUM_ECC_WORDS) != 1) {
+ carry -= uECC_vli_sub(result, result, curve_secp256r1.p, NUM_ECC_WORDS);
+ }
+ }
+}
+
+uECC_word_t EccPoint_isZero(const uECC_word_t *point, uECC_Curve curve)
+{
+ return uECC_vli_isZero(point, curve->num_words * 2);
+}
+
+void apply_z(uECC_word_t * X1, uECC_word_t * Y1, const uECC_word_t * const Z,
+ uECC_Curve curve)
+{
+ uECC_word_t t1[NUM_ECC_WORDS];
+
+ uECC_vli_modSquare_fast(t1, Z, curve); /* z^2 */
+ uECC_vli_modMult_fast(X1, X1, t1, curve); /* x1 * z^2 */
+ uECC_vli_modMult_fast(t1, t1, Z, curve); /* z^3 */
+ uECC_vli_modMult_fast(Y1, Y1, t1, curve); /* y1 * z^3 */
+}
+
+/* P = (x1, y1) => 2P, (x2, y2) => P' */
+static void XYcZ_initial_double(uECC_word_t * X1, uECC_word_t * Y1,
+ uECC_word_t * X2, uECC_word_t * Y2,
+ const uECC_word_t * const initial_Z,
+ uECC_Curve curve)
+{
+ uECC_word_t z[NUM_ECC_WORDS];
+ wordcount_t num_words = curve->num_words;
+ if (initial_Z) {
+ uECC_vli_set(z, initial_Z, num_words);
+ } else {
+ uECC_vli_clear(z, num_words);
+ z[0] = 1;
+ }
+
+ uECC_vli_set(X2, X1, num_words);
+ uECC_vli_set(Y2, Y1, num_words);
+
+ apply_z(X1, Y1, z, curve);
+ curve->double_jacobian(X1, Y1, z, curve);
+ apply_z(X2, Y2, z, curve);
+}
+
+void XYcZ_add(uECC_word_t * X1, uECC_word_t * Y1,
+ uECC_word_t * X2, uECC_word_t * Y2,
+ uECC_Curve curve)
+{
+ /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */
+ uECC_word_t t5[NUM_ECC_WORDS];
+ wordcount_t num_words = curve->num_words;
+
+ uECC_vli_modSub(t5, X2, X1, curve->p, num_words); /* t5 = x2 - x1 */
+ uECC_vli_modSquare_fast(t5, t5, curve); /* t5 = (x2 - x1)^2 = A */
+ uECC_vli_modMult_fast(X1, X1, t5, curve); /* t1 = x1*A = B */
+ uECC_vli_modMult_fast(X2, X2, t5, curve); /* t3 = x2*A = C */
+ uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); /* t4 = y2 - y1 */
+ uECC_vli_modSquare_fast(t5, Y2, curve); /* t5 = (y2 - y1)^2 = D */
+
+ uECC_vli_modSub(t5, t5, X1, curve->p, num_words); /* t5 = D - B */
+ uECC_vli_modSub(t5, t5, X2, curve->p, num_words); /* t5 = D - B - C = x3 */
+ uECC_vli_modSub(X2, X2, X1, curve->p, num_words); /* t3 = C - B */
+ uECC_vli_modMult_fast(Y1, Y1, X2, curve); /* t2 = y1*(C - B) */
+ uECC_vli_modSub(X2, X1, t5, curve->p, num_words); /* t3 = B - x3 */
+ uECC_vli_modMult_fast(Y2, Y2, X2, curve); /* t4 = (y2 - y1)*(B - x3) */
+ uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); /* t4 = y3 */
+
+ uECC_vli_set(X2, t5, num_words);
+}
+
+/* Input P = (x1, y1, Z), Q = (x2, y2, Z)
+ Output P + Q = (x3, y3, Z3), P - Q = (x3', y3', Z3)
+ or P => P - Q, Q => P + Q
*/
-void EccPoint_mult_safe(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar)
+static void XYcZ_addC(uECC_word_t * X1, uECC_word_t * Y1,
+ uECC_word_t * X2, uECC_word_t * Y2,
+ uECC_Curve curve)
+{
+ /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */
+ uECC_word_t t5[NUM_ECC_WORDS];
+ uECC_word_t t6[NUM_ECC_WORDS];
+ uECC_word_t t7[NUM_ECC_WORDS];
+ wordcount_t num_words = curve->num_words;
+
+ uECC_vli_modSub(t5, X2, X1, curve->p, num_words); /* t5 = x2 - x1 */
+ uECC_vli_modSquare_fast(t5, t5, curve); /* t5 = (x2 - x1)^2 = A */
+ uECC_vli_modMult_fast(X1, X1, t5, curve); /* t1 = x1*A = B */
+ uECC_vli_modMult_fast(X2, X2, t5, curve); /* t3 = x2*A = C */
+ uECC_vli_modAdd(t5, Y2, Y1, curve->p, num_words); /* t5 = y2 + y1 */
+ uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); /* t4 = y2 - y1 */
+
+ uECC_vli_modSub(t6, X2, X1, curve->p, num_words); /* t6 = C - B */
+ uECC_vli_modMult_fast(Y1, Y1, t6, curve); /* t2 = y1 * (C - B) = E */
+ uECC_vli_modAdd(t6, X1, X2, curve->p, num_words); /* t6 = B + C */
+ uECC_vli_modSquare_fast(X2, Y2, curve); /* t3 = (y2 - y1)^2 = D */
+ uECC_vli_modSub(X2, X2, t6, curve->p, num_words); /* t3 = D - (B + C) = x3 */
+
+ uECC_vli_modSub(t7, X1, X2, curve->p, num_words); /* t7 = B - x3 */
+ uECC_vli_modMult_fast(Y2, Y2, t7, curve); /* t4 = (y2 - y1)*(B - x3) */
+ /* t4 = (y2 - y1)*(B - x3) - E = y3: */
+ uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words);
+
+ uECC_vli_modSquare_fast(t7, t5, curve); /* t7 = (y2 + y1)^2 = F */
+ uECC_vli_modSub(t7, t7, t6, curve->p, num_words); /* t7 = F - (B + C) = x3' */
+ uECC_vli_modSub(t6, t7, X1, curve->p, num_words); /* t6 = x3' - B */
+ uECC_vli_modMult_fast(t6, t6, t5, curve); /* t6 = (y2+y1)*(x3' - B) */
+ /* t2 = (y2+y1)*(x3' - B) - E = y3': */
+ uECC_vli_modSub(Y1, t6, Y1, curve->p, num_words);
+
+ uECC_vli_set(X1, t7, num_words);
+}
+
+void EccPoint_mult(uECC_word_t * result, const uECC_word_t * point,
+ const uECC_word_t * scalar,
+ const uECC_word_t * initial_Z,
+ bitcount_t num_bits, uECC_Curve curve)
+{
+ /* R0 and R1 */
+ uECC_word_t Rx[2][NUM_ECC_WORDS];
+ uECC_word_t Ry[2][NUM_ECC_WORDS];
+ uECC_word_t z[NUM_ECC_WORDS];
+ bitcount_t i;
+ uECC_word_t nb;
+ wordcount_t num_words = curve->num_words;
+
+ uECC_vli_set(Rx[1], point, num_words);
+ uECC_vli_set(Ry[1], point + num_words, num_words);
+
+ XYcZ_initial_double(Rx[1], Ry[1], Rx[0], Ry[0], initial_Z, curve);
+
+ for (i = num_bits - 2; i > 0; --i) {
+ nb = !uECC_vli_testBit(scalar, i);
+ XYcZ_addC(Rx[1 - nb], Ry[1 - nb], Rx[nb], Ry[nb], curve);
+ XYcZ_add(Rx[nb], Ry[nb], Rx[1 - nb], Ry[1 - nb], curve);
+ }
+
+ nb = !uECC_vli_testBit(scalar, 0);
+ XYcZ_addC(Rx[1 - nb], Ry[1 - nb], Rx[nb], Ry[nb], curve);
+
+ /* Find final 1/Z value. */
+ uECC_vli_modSub(z, Rx[1], Rx[0], curve->p, num_words); /* X1 - X0 */
+ uECC_vli_modMult_fast(z, z, Ry[1 - nb], curve); /* Yb * (X1 - X0) */
+ uECC_vli_modMult_fast(z, z, point, curve); /* xP * Yb * (X1 - X0) */
+ uECC_vli_modInv(z, z, curve->p, num_words); /* 1 / (xP * Yb * (X1 - X0))*/
+ /* yP / (xP * Yb * (X1 - X0)) */
+ uECC_vli_modMult_fast(z, z, point + num_words, curve);
+ /* Xb * yP / (xP * Yb * (X1 - X0)) */
+ uECC_vli_modMult_fast(z, z, Rx[1 - nb], curve);
+ /* End 1/Z calculation */
+
+ XYcZ_add(Rx[nb], Ry[nb], Rx[1 - nb], Ry[1 - nb], curve);
+ apply_z(Rx[0], Ry[0], z, curve);
+
+ uECC_vli_set(result, Rx[0], num_words);
+ uECC_vli_set(result + num_words, Ry[0], num_words);
+}
+
+uECC_word_t regularize_k(const uECC_word_t * const k, uECC_word_t *k0,
+ uECC_word_t *k1, uECC_Curve curve)
{
- int32_t i;
- uint32_t bit;
- EccPointJacobi p_point_jacobi, p_tmp;
+ wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits);
- EccPoint_fromAffine(p_result, p_point);
- EccPoint_fromAffine(&p_point_jacobi, p_point);
+ bitcount_t num_n_bits = curve->num_n_bits;
- for (i = vli_numBits(p_scalar) - 2; i >= 0; i--) {
- EccPoint_double(p_result);
- EccPointJacobi_set(&p_tmp, p_result);
- EccPoint_add(&p_tmp, &p_point_jacobi);
- bit = vli_testBit(p_scalar, i);
- vli_cond_set(p_result->X, p_tmp.X, p_result->X, bit);
- vli_cond_set(p_result->Y, p_tmp.Y, p_result->Y, bit);
- vli_cond_set(p_result->Z, p_tmp.Z, p_result->Z, bit);
+ uECC_word_t carry = uECC_vli_add(k0, k, curve->n, num_n_words) ||
+ (num_n_bits < ((bitcount_t)num_n_words * uECC_WORD_SIZE * 8) &&
+ uECC_vli_testBit(k0, num_n_bits));
+
+ uECC_vli_add(k1, k0, curve->n, num_n_words);
+
+ return carry;
+}
+
+uECC_word_t EccPoint_compute_public_key(uECC_word_t *result,
+ uECC_word_t *private_key,
+ uECC_Curve curve)
+{
+
+ uECC_word_t tmp1[NUM_ECC_WORDS];
+ uECC_word_t tmp2[NUM_ECC_WORDS];
+ uECC_word_t *p2[2] = {tmp1, tmp2};
+ uECC_word_t carry;
+
+ /* Regularize the bitcount for the private key so that attackers cannot
+ * use a side channel attack to learn the number of leading zeros. */
+ carry = regularize_k(private_key, tmp1, tmp2, curve);
+
+ EccPoint_mult(result, curve->G, p2[!carry], 0, curve->num_n_bits + 1, curve);
+
+ if (EccPoint_isZero(result, curve)) {
+ return 0;
+ }
+ return 1;
+}
+
+/* Converts an integer in uECC native format to big-endian bytes. */
+void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes,
+ const unsigned int *native)
+{
+ wordcount_t i;
+ for (i = 0; i < num_bytes; ++i) {
+ unsigned b = num_bytes - 1 - i;
+ bytes[i] = native[b / uECC_WORD_SIZE] >> (8 * (b % uECC_WORD_SIZE));
}
}
-/* Ellptic curve scalar multiplication with result in Jacobi coordinates */
-/* p_result = p_scalar * p_point */
-void EccPoint_mult_unsafe(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar)
+/* Converts big-endian bytes to an integer in uECC native format. */
+void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes,
+ int num_bytes)
{
- int i;
- EccPointJacobi p_point_jacobi;
- EccPoint_fromAffine(p_result, p_point);
- EccPoint_fromAffine(&p_point_jacobi, p_point);
-
- for(i = vli_numBits(p_scalar) - 2; i >= 0; i--)
- {
- EccPoint_double(p_result);
- if (vli_testBit(p_scalar, i))
- {
- EccPoint_add(p_result, &p_point_jacobi);
- }
- }
+ wordcount_t i;
+ uECC_vli_clear(native, (num_bytes + (uECC_WORD_SIZE - 1)) / uECC_WORD_SIZE);
+ for (i = 0; i < num_bytes; ++i) {
+ unsigned b = num_bytes - 1 - i;
+ native[b / uECC_WORD_SIZE] |=
+ (uECC_word_t)bytes[i] << (8 * (b % uECC_WORD_SIZE));
+ }
}
-/* -------- Conversions between big endian and little endian: -------- */
-
-void ecc_bytes2native(uint32_t p_native[NUM_ECC_DIGITS],
- uint8_t p_bytes[NUM_ECC_DIGITS * 4])
+int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top,
+ wordcount_t num_words)
{
+ uECC_word_t mask = (uECC_word_t)-1;
+ uECC_word_t tries;
+ bitcount_t num_bits = uECC_vli_numBits(top, num_words);
- uint32_t i;
-
- for (i = 0; i < NUM_ECC_DIGITS; ++i) {
- uint8_t *p_digit = p_bytes + 4 * (NUM_ECC_DIGITS - 1 - i);
-
- p_native[i] = ((uint32_t)p_digit[0] << 24) |
- ((uint32_t)p_digit[1] << 16) |
- ((uint32_t)p_digit[2] << 8) |
- (uint32_t)p_digit[3];
+ if (!g_rng_function) {
+ return 0;
}
+
+ for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) {
+ if (!g_rng_function((uint8_t *)random, num_words * uECC_WORD_SIZE)) {
+ return 0;
+ }
+ random[num_words - 1] &=
+ mask >> ((bitcount_t)(num_words * uECC_WORD_SIZE * 8 - num_bits));
+ if (!uECC_vli_isZero(random, num_words) &&
+ uECC_vli_cmp(top, random, num_words) == 1) {
+ return 1;
+ }
+ }
+ return 0;
}
-void ecc_native2bytes(uint8_t p_bytes[NUM_ECC_DIGITS * 4],
- uint32_t p_native[NUM_ECC_DIGITS])
+
+int uECC_valid_point(const uECC_word_t *point, uECC_Curve curve)
+{
+ uECC_word_t tmp1[NUM_ECC_WORDS];
+ uECC_word_t tmp2[NUM_ECC_WORDS];
+ wordcount_t num_words = curve->num_words;
+
+ /* The point at infinity is invalid. */
+ if (EccPoint_isZero(point, curve)) {
+ return -1;
+ }
+
+ /* x and y must be smaller than p. */
+ if (uECC_vli_cmp_unsafe(curve->p, point, num_words) != 1 ||
+ uECC_vli_cmp_unsafe(curve->p, point + num_words, num_words) != 1) {
+ return -2;
+ }
+
+ uECC_vli_modSquare_fast(tmp1, point + num_words, curve);
+ curve->x_side(tmp2, point, curve); /* tmp2 = x^3 + ax + b */
+
+ /* Make sure that y^2 == x^3 + ax + b */
+ if (uECC_vli_equal(tmp1, tmp2, num_words) != 0)
+ return -3;
+
+ return 0;
+}
+
+int uECC_valid_public_key(const uint8_t *public_key, uECC_Curve curve)
{
- uint32_t i;
+ uECC_word_t _public[NUM_ECC_WORDS * 2];
- for (i = 0; i < NUM_ECC_DIGITS; ++i) {
- uint8_t *p_digit = p_bytes + 4 * (NUM_ECC_DIGITS - 1 - i);
+ uECC_vli_bytesToNative(_public, public_key, curve->num_bytes);
+ uECC_vli_bytesToNative(
+ _public + curve->num_words,
+ public_key + curve->num_bytes,
+ curve->num_bytes);
- p_digit[0] = p_native[i] >> 24;
- p_digit[1] = p_native[i] >> 16;
- p_digit[2] = p_native[i] >> 8;
- p_digit[3] = p_native[i];
+ if (uECC_vli_cmp_unsafe(_public, curve->G, NUM_ECC_WORDS * 2) == 0) {
+ return -4;
}
+
+ return uECC_valid_point(_public, curve);
}
+int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key,
+ uECC_Curve curve)
+{
+
+ uECC_word_t _private[NUM_ECC_WORDS];
+ uECC_word_t _public[NUM_ECC_WORDS * 2];
+
+ uECC_vli_bytesToNative(
+ _private,
+ private_key,
+ BITS_TO_BYTES(curve->num_n_bits));
+
+ /* Make sure the private key is in the range [1, n-1]. */
+ if (uECC_vli_isZero(_private, BITS_TO_WORDS(curve->num_n_bits))) {
+ return 0;
+ }
+
+ if (uECC_vli_cmp(curve->n, _private, BITS_TO_WORDS(curve->num_n_bits)) != 1) {
+ return 0;
+ }
+
+ /* Compute public key. */
+ if (!EccPoint_compute_public_key(_public, _private, curve)) {
+ return 0;
+ }
+
+ uECC_vli_nativeToBytes(public_key, curve->num_bytes, _public);
+ uECC_vli_nativeToBytes(
+ public_key +
+ curve->num_bytes, curve->num_bytes, _public + curve->num_words);
+ return 1;
+}
+
+
+
diff --git a/ext/tinycrypt/lib/source/ecc_dh.c b/ext/tinycrypt/lib/source/ecc_dh.c
index c2ab414..e5257d2 100644
--- a/ext/tinycrypt/lib/source/ecc_dh.c
+++ b/ext/tinycrypt/lib/source/ecc_dh.c
@@ -1,7 +1,32 @@
/* ec_dh.c - TinyCrypt implementation of EC-DH */
+/*
+ * Copyright (c) 2014, Kenneth MacKay
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -31,102 +56,145 @@
*/
#include <tinycrypt/constants.h>
#include <tinycrypt/ecc.h>
+#include <tinycrypt/ecc_dh.h>
+#include <string.h>
-extern uint32_t curve_p[NUM_ECC_DIGITS];
-extern uint32_t curve_b[NUM_ECC_DIGITS];
-extern uint32_t curve_n[NUM_ECC_DIGITS];
-extern uint32_t curve_pb[NUM_ECC_DIGITS + 1];
-extern EccPoint curve_G;
+#if default_RNG_defined
+static uECC_RNG_Function g_rng_function = &default_CSPRNG;
+#else
+static uECC_RNG_Function g_rng_function = 0;
+#endif
-int32_t ecc_make_key(EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS],
- uint32_t p_random[NUM_ECC_DIGITS * 2])
-{
- // computing modular reduction of p_random (see FIPS 186.4 B.4.1):
- vli_mmod_barrett(p_privateKey, p_random, curve_p, curve_pb);
-
- /* Make sure the private key is in the range [1, n-1].
- * For the supported curve, n is always large enough
- * that we only need to subtract once at most.
- */
- uint32_t p_tmp[NUM_ECC_DIGITS];
- vli_sub(p_tmp, p_privateKey, curve_n, NUM_ECC_DIGITS);
-
- vli_cond_set(p_privateKey, p_privateKey, p_tmp,
- vli_cmp(curve_n, p_privateKey, NUM_ECC_DIGITS) == 1);
-
- /* erasing temporary buffer used to store secret: */
- for (uint32_t i = 0; i < NUM_ECC_DIGITS; i++)
- p_tmp[i] = 0;
-
- if (vli_isZero(p_privateKey)) {
- return TC_CRYPTO_FAIL; /* The private key cannot be 0 (mod p). */
- }
-
- EccPointJacobi P;
-
- EccPoint_mult_safe(&P, &curve_G, p_privateKey);
- EccPoint_toAffine(p_publicKey, &P);
-
- return TC_CRYPTO_SUCCESS;
-}
-
-/* Compute p_result = x^3 - 3x + b */
-static void curve_x_side(uint32_t p_result[NUM_ECC_DIGITS],
- uint32_t x[NUM_ECC_DIGITS])
+int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key,
+ unsigned int *d, uECC_Curve curve)
{
- uint32_t _3[NUM_ECC_DIGITS] = {3}; /* -a = 3 */
+ uECC_word_t _private[NUM_ECC_WORDS];
+ uECC_word_t _public[NUM_ECC_WORDS * 2];
- vli_modSquare_fast(p_result, x); /* r = x^2 */
- vli_modSub(p_result, p_result, _3, curve_p); /* r = x^2 - 3 */
- vli_modMult_fast(p_result, p_result, x); /* r = x^3 - 3x */
- vli_modAdd(p_result, p_result, curve_b, curve_p); /* r = x^3 - 3x + b */
+ /* This function is designed for test purposes-only (such as validating NIST
+ * test vectors) as it uses a provided value for d instead of generating
+ * it uniformly at random. */
+ memcpy (_private, d, NUM_ECC_BYTES);
-}
+ /* Computing public-key from private: */
+ if (EccPoint_compute_public_key(_public, _private, curve)) {
-int32_t ecc_valid_public_key(EccPoint *p_publicKey)
-{
- uint32_t l_tmp1[NUM_ECC_DIGITS];
- uint32_t l_tmp2[NUM_ECC_DIGITS];
+ /* Converting buffers to correct bit order: */
+ uECC_vli_nativeToBytes(private_key,
+ BITS_TO_BYTES(curve->num_n_bits),
+ _private);
+ uECC_vli_nativeToBytes(public_key,
+ curve->num_bytes,
+ _public);
+ uECC_vli_nativeToBytes(public_key + curve->num_bytes,
+ curve->num_bytes,
+ _public + curve->num_words);
- if (EccPoint_isZero(p_publicKey)) {
- return -1;
+ /* erasing temporary buffer used to store secret: */
+ memset(_private, 0, NUM_ECC_BYTES);
+
+ return 1;
}
-
- if ((vli_cmp(curve_p, p_publicKey->x, NUM_ECC_DIGITS) != 1) ||
- (vli_cmp(curve_p, p_publicKey->y, NUM_ECC_DIGITS) != 1)) {
- return -2;
- }
-
- vli_modSquare_fast(l_tmp1, p_publicKey->y); /* tmp1 = y^2 */
-
- curve_x_side(l_tmp2, p_publicKey->x); /* tmp2 = x^3 - 3x + b */
-
- /* Make sure that y^2 == x^3 + ax + b */
- if (vli_cmp(l_tmp1, l_tmp2, NUM_ECC_DIGITS) != 0) {
- return -3;
- }
-
- if (vli_cmp(p_publicKey->x, curve_G.x, NUM_ECC_DIGITS) == 0 &&
- vli_cmp(p_publicKey->y, curve_G.y, NUM_ECC_DIGITS) == 0 )
- return -4;
-
return 0;
}
-int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS],
- EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS])
+int uECC_make_key(uint8_t *public_key, uint8_t *private_key, uECC_Curve curve)
{
- EccPoint p_point;
- EccPointJacobi P;
+ uECC_word_t _random[NUM_ECC_WORDS * 2];
+ uECC_word_t _private[NUM_ECC_WORDS];
+ uECC_word_t _public[NUM_ECC_WORDS * 2];
+ uECC_word_t tries;
- EccPoint_mult_safe(&P, p_publicKey, p_privateKey);
- if (EccPointJacobi_isZero(&P)) {
- return TC_CRYPTO_FAIL;
- }
- EccPoint_toAffine(&p_point, &P);
- vli_set(p_secret, p_point.x);
+ for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) {
+ /* Generating _private uniformly at random: */
+ uECC_RNG_Function rng_function = uECC_get_rng();
+ if (!rng_function ||
+ !rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS*uECC_WORD_SIZE)) {
+ return 0;
+ }
- return TC_CRYPTO_SUCCESS;
+ /* computing modular reduction of _random (see FIPS 186.4 B.4.1): */
+ uECC_vli_mmod(_private, _random, curve->n, BITS_TO_WORDS(curve->num_n_bits));
+
+ /* Computing public-key from private: */
+ if (EccPoint_compute_public_key(_public, _private, curve)) {
+
+ /* Converting buffers to correct bit order: */
+ uECC_vli_nativeToBytes(private_key,
+ BITS_TO_BYTES(curve->num_n_bits),
+ _private);
+ uECC_vli_nativeToBytes(public_key,
+ curve->num_bytes,
+ _public);
+ uECC_vli_nativeToBytes(public_key + curve->num_bytes,
+ curve->num_bytes,
+ _public + curve->num_words);
+
+ /* erasing temporary buffer that stored secret: */
+ memset(_private, 0, NUM_ECC_BYTES);
+
+ return 1;
+ }
+ }
+ return 0;
+}
+
+int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key,
+ uint8_t *secret, uECC_Curve curve)
+{
+
+ uECC_word_t _public[NUM_ECC_WORDS * 2];
+ uECC_word_t _private[NUM_ECC_WORDS];
+
+ uECC_word_t tmp[NUM_ECC_WORDS];
+ uECC_word_t *p2[2] = {_private, tmp};
+ uECC_word_t *initial_Z = 0;
+ uECC_word_t carry;
+ wordcount_t num_words = curve->num_words;
+ wordcount_t num_bytes = curve->num_bytes;
+ int r;
+
+ /* Converting buffers to correct bit order: */
+ uECC_vli_bytesToNative(_private,
+ private_key,
+ BITS_TO_BYTES(curve->num_n_bits));
+ uECC_vli_bytesToNative(_public,
+ public_key,
+ num_bytes);
+ uECC_vli_bytesToNative(_public + num_words,
+ public_key + num_bytes,
+ num_bytes);
+
+ /* Regularize the bitcount for the private key so that attackers cannot use a
+ * side channel attack to learn the number of leading zeros. */
+ carry = regularize_k(_private, _private, tmp, curve);
+
+ /* If an RNG function was specified, try to get a random initial Z value to
+ * improve protection against side-channel attacks. */
+ if (g_rng_function) {
+ if (!uECC_generate_random_int(p2[carry], curve->p, num_words)) {
+ r = 0;
+ goto clear_and_out;
+ }
+ initial_Z = p2[carry];
+ }
+
+ EccPoint_mult(_public, _public, p2[!carry], initial_Z, curve->num_n_bits + 1,
+ curve);
+
+ uECC_vli_nativeToBytes(secret, num_bytes, _public);
+ r = !EccPoint_isZero(_public, curve);
+
+clear_and_out:
+ /* erasing temporary buffer used to store secret: */
+ memset(p2, 0, sizeof(p2));
+ __asm__ __volatile__("" :: "g"(p2) : "memory");
+ memset(tmp, 0, sizeof(tmp));
+ __asm__ __volatile__("" :: "g"(tmp) : "memory");
+ memset(_private, 0, sizeof(_private));
+ __asm__ __volatile__("" :: "g"(_private) : "memory");
+
+ return r;
}
diff --git a/ext/tinycrypt/lib/source/ecc_dsa.c b/ext/tinycrypt/lib/source/ecc_dsa.c
index dd84a18..064dfe5 100644
--- a/ext/tinycrypt/lib/source/ecc_dsa.c
+++ b/ext/tinycrypt/lib/source/ecc_dsa.c
@@ -1,7 +1,30 @@
/* ec_dsa.c - TinyCrypt implementation of EC-DSA */
+/* Copyright (c) 2014, Kenneth MacKay
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.*/
+
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -32,84 +55,241 @@
#include <tinycrypt/constants.h>
#include <tinycrypt/ecc.h>
+#include <tinycrypt/ecc_dsa.h>
-extern uint32_t curve_n[NUM_ECC_DIGITS];
-extern EccPoint curve_G;
-extern uint32_t curve_nb[NUM_ECC_DIGITS + 1];
+#if default_RNG_defined
+static uECC_RNG_Function g_rng_function = &default_CSPRNG;
+#else
+static uECC_RNG_Function g_rng_function = 0;
+#endif
-int32_t ecdsa_sign(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS],
- uint32_t p_privateKey[NUM_ECC_DIGITS], uint32_t p_random[NUM_ECC_DIGITS],
- uint32_t p_hash[NUM_ECC_DIGITS])
+static void bits2int(uECC_word_t *native, const uint8_t *bits,
+ unsigned bits_size, uECC_Curve curve)
{
+ unsigned num_n_bytes = BITS_TO_BYTES(curve->num_n_bits);
+ unsigned num_n_words = BITS_TO_WORDS(curve->num_n_bits);
+ int shift;
+ uECC_word_t carry;
+ uECC_word_t *ptr;
- uint32_t k[NUM_ECC_DIGITS], tmp[NUM_ECC_DIGITS];
- EccPoint p_point;
- EccPointJacobi P;
-
- if (vli_isZero(p_random)) {
- return TC_CRYPTO_FAIL; /* The random number must not be 0. */
+ if (bits_size > num_n_bytes) {
+ bits_size = num_n_bytes;
}
- vli_set(k, p_random);
-
- vli_sub(tmp, k, curve_n, NUM_ECC_DIGITS);
- vli_cond_set(k, k, tmp, vli_cmp(curve_n, k, NUM_ECC_DIGITS) == 1);
-
- /* tmp = k * G */
- EccPoint_mult_safe(&P, &curve_G, k);
- EccPoint_toAffine(&p_point, &P);
-
- /* r = x1 (mod n) */
- vli_set(r, p_point.x);
- if (vli_cmp(curve_n, r, NUM_ECC_DIGITS) != 1) {
- vli_sub(r, r, curve_n, NUM_ECC_DIGITS);
+ uECC_vli_clear(native, num_n_words);
+ uECC_vli_bytesToNative(native, bits, bits_size);
+ if (bits_size * 8 <= (unsigned)curve->num_n_bits) {
+ return;
+ }
+ shift = bits_size * 8 - curve->num_n_bits;
+ carry = 0;
+ ptr = native + num_n_words;
+ while (ptr-- > native) {
+ uECC_word_t temp = *ptr;
+ *ptr = (temp >> shift) | carry;
+ carry = temp << (uECC_WORD_BITS - shift);
}
- if (vli_isZero(r)) {
- return TC_CRYPTO_FAIL; /* If r == 0, fail (need a different random number). */
+ /* Reduce mod curve_n */
+ if (uECC_vli_cmp_unsafe(curve->n, native, num_n_words) != 1) {
+ uECC_vli_sub(native, native, curve->n, num_n_words);
}
-
- vli_modMult(s, r, p_privateKey, curve_n, curve_nb); /* s = r*d */
- vli_modAdd(s, p_hash, s, curve_n); /* s = e + r*d */
- vli_modInv(k, k, curve_n, curve_nb); /* k = 1 / k */
- vli_modMult(s, s, k, curve_n, curve_nb); /* s = (e + r*d) / k */
-
- return TC_CRYPTO_SUCCESS;
}
-int32_t ecdsa_verify(EccPoint *p_publicKey, uint32_t p_hash[NUM_ECC_DIGITS],
- uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS])
+int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash,
+ unsigned hash_size, uECC_word_t *k, uint8_t *signature,
+ uECC_Curve curve)
{
- uint32_t u1[NUM_ECC_DIGITS], u2[NUM_ECC_DIGITS];
- uint32_t z[NUM_ECC_DIGITS];
- EccPointJacobi P, R;
- EccPoint p_point;
+ uECC_word_t tmp[NUM_ECC_WORDS];
+ uECC_word_t s[NUM_ECC_WORDS];
+ uECC_word_t *k2[2] = {tmp, s};
+ uECC_word_t p[NUM_ECC_WORDS * 2];
+ uECC_word_t carry;
+ wordcount_t num_words = curve->num_words;
+ wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits);
+ bitcount_t num_n_bits = curve->num_n_bits;
- if (vli_isZero(r) || vli_isZero(s)) {
- return TC_CRYPTO_FAIL; /* r, s must not be 0. */
+ /* Make sure 0 < k < curve_n */
+ if (uECC_vli_isZero(k, num_words) ||
+ uECC_vli_cmp(curve->n, k, num_n_words) != 1) {
+ return 0;
}
- if ((vli_cmp(curve_n, r, NUM_ECC_DIGITS) != 1) ||
- (vli_cmp(curve_n, s, NUM_ECC_DIGITS) != 1)) {
- return TC_CRYPTO_FAIL; /* r, s must be < n. */
+ carry = regularize_k(k, tmp, s, curve);
+ EccPoint_mult(p, curve->G, k2[!carry], 0, num_n_bits + 1, curve);
+ if (uECC_vli_isZero(p, num_words)) {
+ return 0;
+ }
+
+ /* If an RNG function was specified, get a random number
+ to prevent side channel analysis of k. */
+ if (!g_rng_function) {
+ uECC_vli_clear(tmp, num_n_words);
+ tmp[0] = 1;
+ }
+ else if (!uECC_generate_random_int(tmp, curve->n, num_n_words)) {
+ return 0;
+ }
+
+ /* Prevent side channel analysis of uECC_vli_modInv() to determine
+ bits of k / the private key by premultiplying by a random number */
+ uECC_vli_modMult(k, k, tmp, curve->n, num_n_words); /* k' = rand * k */
+ uECC_vli_modInv(k, k, curve->n, num_n_words); /* k = 1 / k' */
+ uECC_vli_modMult(k, k, tmp, curve->n, num_n_words); /* k = 1 / k */
+
+ uECC_vli_nativeToBytes(signature, curve->num_bytes, p); /* store r */
+
+ /* tmp = d: */
+ uECC_vli_bytesToNative(tmp, private_key, BITS_TO_BYTES(curve->num_n_bits));
+
+ s[num_n_words - 1] = 0;
+ uECC_vli_set(s, p, num_words);
+ uECC_vli_modMult(s, tmp, s, curve->n, num_n_words); /* s = r*d */
+
+ bits2int(tmp, message_hash, hash_size, curve);
+ uECC_vli_modAdd(s, tmp, s, curve->n, num_n_words); /* s = e + r*d */
+ uECC_vli_modMult(s, s, k, curve->n, num_n_words); /* s = (e + r*d) / k */
+ if (uECC_vli_numBits(s, num_n_words) > (bitcount_t)curve->num_bytes * 8) {
+ return 0;
+ }
+
+ uECC_vli_nativeToBytes(signature + curve->num_bytes, curve->num_bytes, s);
+ return 1;
+}
+
+int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash,
+ unsigned hash_size, uint8_t *signature, uECC_Curve curve)
+{
+ uECC_word_t _random[2*NUM_ECC_WORDS];
+ uECC_word_t k[NUM_ECC_WORDS];
+ uECC_word_t tries;
+
+ for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) {
+ /* Generating _random uniformly at random: */
+ uECC_RNG_Function rng_function = uECC_get_rng();
+ if (!rng_function ||
+ !rng_function((uint8_t *)_random, 2*NUM_ECC_WORDS*uECC_WORD_SIZE)) {
+ return 0;
+ }
+
+ // computing k as modular reduction of _random (see FIPS 186.4 B.5.1):
+ uECC_vli_mmod(k, _random, curve->n, BITS_TO_WORDS(curve->num_n_bits));
+
+ if (uECC_sign_with_k(private_key, message_hash, hash_size, k, signature,
+ curve)) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
+static bitcount_t smax(bitcount_t a, bitcount_t b)
+{
+ return (a > b ? a : b);
+}
+
+int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash,
+ unsigned hash_size, const uint8_t *signature,
+ uECC_Curve curve)
+{
+
+ uECC_word_t u1[NUM_ECC_WORDS], u2[NUM_ECC_WORDS];
+ uECC_word_t z[NUM_ECC_WORDS];
+ uECC_word_t sum[NUM_ECC_WORDS * 2];
+ uECC_word_t rx[NUM_ECC_WORDS];
+ uECC_word_t ry[NUM_ECC_WORDS];
+ uECC_word_t tx[NUM_ECC_WORDS];
+ uECC_word_t ty[NUM_ECC_WORDS];
+ uECC_word_t tz[NUM_ECC_WORDS];
+ const uECC_word_t *points[4];
+ const uECC_word_t *point;
+ bitcount_t num_bits;
+ bitcount_t i;
+
+ uECC_word_t _public[NUM_ECC_WORDS * 2];
+ uECC_word_t r[NUM_ECC_WORDS], s[NUM_ECC_WORDS];
+ wordcount_t num_words = curve->num_words;
+ wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits);
+
+ rx[num_n_words - 1] = 0;
+ r[num_n_words - 1] = 0;
+ s[num_n_words - 1] = 0;
+
+ uECC_vli_bytesToNative(_public, public_key, curve->num_bytes);
+ uECC_vli_bytesToNative(_public + num_words, public_key + curve->num_bytes,
+ curve->num_bytes);
+ uECC_vli_bytesToNative(r, signature, curve->num_bytes);
+ uECC_vli_bytesToNative(s, signature + curve->num_bytes, curve->num_bytes);
+
+ /* r, s must not be 0. */
+ if (uECC_vli_isZero(r, num_words) || uECC_vli_isZero(s, num_words)) {
+ return 0;
+ }
+
+ /* r, s must be < n. */
+ if (uECC_vli_cmp_unsafe(curve->n, r, num_n_words) != 1 ||
+ uECC_vli_cmp_unsafe(curve->n, s, num_n_words) != 1) {
+ return 0;
}
/* Calculate u1 and u2. */
- vli_modInv(z, s, curve_n, curve_nb); /* Z = s^-1 */
- vli_modMult(u1, p_hash, z, curve_n, curve_nb); /* u1 = e/s */
- vli_modMult(u2, r, z, curve_n, curve_nb); /* u2 = r/s */
+ uECC_vli_modInv(z, s, curve->n, num_n_words); /* z = 1/s */
+ u1[num_n_words - 1] = 0;
+ bits2int(u1, message_hash, hash_size, curve);
+ uECC_vli_modMult(u1, u1, z, curve->n, num_n_words); /* u1 = e/s */
+ uECC_vli_modMult(u2, r, z, curve->n, num_n_words); /* u2 = r/s */
- /* calculate P = u1*G + u2*Q */
- EccPoint_mult_unsafe(&P, &curve_G, u1);
- EccPoint_mult_unsafe(&R, p_publicKey, u2);
- EccPoint_add(&P, &R);
- EccPoint_toAffine(&p_point, &P);
+ /* Calculate sum = G + Q. */
+ uECC_vli_set(sum, _public, num_words);
+ uECC_vli_set(sum + num_words, _public + num_words, num_words);
+ uECC_vli_set(tx, curve->G, num_words);
+ uECC_vli_set(ty, curve->G + num_words, num_words);
+ uECC_vli_modSub(z, sum, tx, curve->p, num_words); /* z = x2 - x1 */
+ XYcZ_add(tx, ty, sum, sum + num_words, curve);
+ uECC_vli_modInv(z, z, curve->p, num_words); /* z = 1/z */
+ apply_z(sum, sum + num_words, z, curve);
- /* Accept only if P.x == r. */
- if (!vli_sub(z, p_point.x, curve_n, NUM_ECC_DIGITS)) {
- vli_set(p_point.x, z);
+ /* Use Shamir's trick to calculate u1*G + u2*Q */
+ points[0] = 0;
+ points[1] = curve->G;
+ points[2] = _public;
+ points[3] = sum;
+ num_bits = smax(uECC_vli_numBits(u1, num_n_words),
+ uECC_vli_numBits(u2, num_n_words));
+
+ point = points[(!!uECC_vli_testBit(u1, num_bits - 1)) |
+ ((!!uECC_vli_testBit(u2, num_bits - 1)) << 1)];
+ uECC_vli_set(rx, point, num_words);
+ uECC_vli_set(ry, point + num_words, num_words);
+ uECC_vli_clear(z, num_words);
+ z[0] = 1;
+
+ for (i = num_bits - 2; i >= 0; --i) {
+ uECC_word_t index;
+ curve->double_jacobian(rx, ry, z, curve);
+
+ index = (!!uECC_vli_testBit(u1, i)) | ((!!uECC_vli_testBit(u2, i)) << 1);
+ point = points[index];
+ if (point) {
+ uECC_vli_set(tx, point, num_words);
+ uECC_vli_set(ty, point + num_words, num_words);
+ apply_z(tx, ty, z, curve);
+ uECC_vli_modSub(tz, rx, tx, curve->p, num_words); /* Z = x2 - x1 */
+ XYcZ_add(tx, ty, rx, ry, curve);
+ uECC_vli_modMult_fast(z, z, tz, curve);
+ }
+ }
+
+ uECC_vli_modInv(z, z, curve->p, num_words); /* Z = 1/Z */
+ apply_z(rx, ry, z, curve);
+
+ /* v = x1 (mod n) */
+ if (uECC_vli_cmp_unsafe(curve->n, rx, num_n_words) != 1) {
+ uECC_vli_sub(rx, rx, curve->n, num_n_words);
}
- return (vli_cmp(p_point.x, r, NUM_ECC_DIGITS) == 0);
+ /* Accept only if v == r. */
+ return (int)(uECC_vli_equal(rx, r, num_words) == 0);
}
+
diff --git a/ext/tinycrypt/lib/source/ecc_platform_specific.c b/ext/tinycrypt/lib/source/ecc_platform_specific.c
new file mode 100644
index 0000000..1867988
--- /dev/null
+++ b/ext/tinycrypt/lib/source/ecc_platform_specific.c
@@ -0,0 +1,105 @@
+/* uECC_platform_specific.c - Implementation of platform specific functions*/
+
+/* Copyright (c) 2014, Kenneth MacKay
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.*/
+
+/*
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of Intel Corporation nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * uECC_platform_specific.c -- Implementation of platform specific functions
+ */
+
+
+#if defined(unix) || defined(__linux__) || defined(__unix__) || \
+ defined(__unix) | (defined(__APPLE__) && defined(__MACH__)) || \
+ defined(uECC_POSIX)
+
+/* Some POSIX-like system with /dev/urandom or /dev/random. */
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <stdint.h>
+
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
+int default_CSPRNG(uint8_t *dest, unsigned int size) {
+
+ /* input sanity check: */
+ if (dest == (uint8_t *) 0 || (size <= 0))
+ return 0;
+
+ int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
+ if (fd == -1) {
+ fd = open("/dev/random", O_RDONLY | O_CLOEXEC);
+ if (fd == -1) {
+ return 0;
+ }
+ }
+
+ char *ptr = (char *)dest;
+ size_t left = (size_t) size;
+ while (left > 0) {
+ ssize_t bytes_read = read(fd, ptr, left);
+ if (bytes_read <= 0) { // read failed
+ close(fd);
+ return 0;
+ }
+ left -= bytes_read;
+ ptr += bytes_read;
+ }
+
+ close(fd);
+ return 1;
+}
+
+#endif /* platform */
+
diff --git a/ext/tinycrypt/lib/source/hmac.c b/ext/tinycrypt/lib/source/hmac.c
index e256846..89878ce 100644
--- a/ext/tinycrypt/lib/source/hmac.c
+++ b/ext/tinycrypt/lib/source/hmac.c
@@ -1,7 +1,7 @@
/* hmac.c - TinyCrypt implementation of the HMAC algorithm */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -34,11 +34,11 @@
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
-static void rekey(uint8_t *key, const uint8_t *new_key, uint32_t key_size)
+static void rekey(uint8_t *key, const uint8_t *new_key, unsigned int key_size)
{
const uint8_t inner_pad = (uint8_t) 0x36;
const uint8_t outer_pad = (uint8_t) 0x5c;
- uint32_t i;
+ unsigned int i;
for (i = 0; i < key_size; ++i) {
key[i] = inner_pad ^ new_key[i];
@@ -49,10 +49,10 @@
}
}
-int32_t tc_hmac_set_key(TCHmacState_t ctx,
- const uint8_t *key,
- uint32_t key_size)
+int tc_hmac_set_key(TCHmacState_t ctx, const uint8_t *key,
+ unsigned int key_size)
{
+
/* input sanity check: */
if (ctx == (TCHmacState_t) 0 ||
key == (const uint8_t *) 0 ||
@@ -93,25 +93,25 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_hmac_init(TCHmacState_t ctx)
+int tc_hmac_init(TCHmacState_t ctx)
{
+
/* input sanity check: */
if (ctx == (TCHmacState_t) 0) {
return TC_CRYPTO_FAIL;
}
- (void)tc_sha256_init(&ctx->hash_state);
- (void)tc_sha256_update(&ctx->hash_state,
- ctx->key,
- TC_SHA256_BLOCK_SIZE);
+ (void) tc_sha256_init(&ctx->hash_state);
+ (void) tc_sha256_update(&ctx->hash_state, ctx->key, TC_SHA256_BLOCK_SIZE);
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_hmac_update(TCHmacState_t ctx,
- const void *data,
- uint32_t data_length)
+int tc_hmac_update(TCHmacState_t ctx,
+ const void *data,
+ unsigned int data_length)
{
+
/* input sanity check: */
if (ctx == (TCHmacState_t) 0) {
return TC_CRYPTO_FAIL;
@@ -122,8 +122,9 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_hmac_final(uint8_t *tag, uint32_t taglen, TCHmacState_t ctx)
+int tc_hmac_final(uint8_t *tag, unsigned int taglen, TCHmacState_t ctx)
{
+
/* input sanity check: */
if (tag == (uint8_t *) 0 ||
taglen != TC_SHA256_DIGEST_SIZE ||
diff --git a/ext/tinycrypt/lib/source/hmac_prng.c b/ext/tinycrypt/lib/source/hmac_prng.c
index ceac27f..68b5b1f 100644
--- a/ext/tinycrypt/lib/source/hmac_prng.c
+++ b/ext/tinycrypt/lib/source/hmac_prng.c
@@ -1,7 +1,7 @@
/* hmac_prng.c - TinyCrypt implementation of HMAC-PRNG */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -39,43 +39,43 @@
* min bytes in the seed string.
* MIN_SLEN*8 must be at least the expected security level.
*/
-static const uint32_t MIN_SLEN = 32;
+static const unsigned int MIN_SLEN = 32;
/*
* max bytes in the seed string;
* SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes).
*/
-static const uint32_t MAX_SLEN = UINT32_MAX;
+static const unsigned int MAX_SLEN = UINT32_MAX;
/*
* max bytes in the personalization string;
* SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes).
*/
-static const uint32_t MAX_PLEN = UINT32_MAX;
+static const unsigned int MAX_PLEN = UINT32_MAX;
/*
* max bytes in the additional_info string;
* SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes).
*/
-static const uint32_t MAX_ALEN = UINT32_MAX;
+static const unsigned int MAX_ALEN = UINT32_MAX;
/*
* max number of generates between re-seeds;
* TinyCrypt accepts up to (2^32 - 1) which is the maximal value of
- * a uint32_t variable, while SP800-90A specifies a maximum of 2^48.
+ * a 32-bit unsigned int variable, while SP800-90A specifies a maximum of 2^48.
*/
-static const uint32_t MAX_GENS = UINT32_MAX;
+static const unsigned int MAX_GENS = UINT32_MAX;
/*
* maximum bytes per generate call;
* SP800-90A specifies a maximum up to 2^19.
*/
-static const uint32_t MAX_OUT = (1 << 19);
+static const unsigned int MAX_OUT = (1 << 19);
/*
* Assumes: prng != NULL, e != NULL, len >= 0.
*/
-static void update(TCHmacPrng_t prng, const uint8_t *e, uint32_t len)
+static void update(TCHmacPrng_t prng, const uint8_t *e, unsigned int len)
{
const uint8_t separator0 = 0x00;
const uint8_t separator1 = 0x01;
@@ -109,10 +109,11 @@
(void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h);
}
-int32_t tc_hmac_prng_init(TCHmacPrng_t prng,
- const uint8_t *personalization,
- uint32_t plen)
+int tc_hmac_prng_init(TCHmacPrng_t prng,
+ const uint8_t *personalization,
+ unsigned int plen)
{
+
/* input sanity check: */
if (prng == (TCHmacPrng_t) 0 ||
personalization == (uint8_t *) 0 ||
@@ -134,12 +135,13 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_hmac_prng_reseed(TCHmacPrng_t prng,
- const uint8_t *seed,
- uint32_t seedlen,
- const uint8_t *additional_input,
- uint32_t additionallen)
+int tc_hmac_prng_reseed(TCHmacPrng_t prng,
+ const uint8_t *seed,
+ unsigned int seedlen,
+ const uint8_t *additional_input,
+ unsigned int additionallen)
{
+
/* input sanity check: */
if (prng == (TCHmacPrng_t) 0 ||
seed == (const uint8_t *) 0 ||
@@ -172,9 +174,9 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_hmac_prng_generate(uint8_t *out, uint32_t outlen, TCHmacPrng_t prng)
+int tc_hmac_prng_generate(uint8_t *out, unsigned int outlen, TCHmacPrng_t prng)
{
- uint32_t bufferlen;
+ unsigned int bufferlen;
/* input sanity check: */
if (out == (uint8_t *) 0 ||
diff --git a/ext/tinycrypt/lib/source/sha256.c b/ext/tinycrypt/lib/source/sha256.c
index c27d3e1..b4efd20 100644
--- a/ext/tinycrypt/lib/source/sha256.c
+++ b/ext/tinycrypt/lib/source/sha256.c
@@ -1,7 +1,7 @@
/* sha256.c - TinyCrypt SHA-256 crypto hash algorithm implementation */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -34,9 +34,9 @@
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
-static void compress(uint32_t *iv, const uint8_t *data);
+static void compress(unsigned int *iv, const uint8_t *data);
-int32_t tc_sha256_init(TCSha256State_t s)
+int tc_sha256_init(TCSha256State_t s)
{
/* input sanity check: */
if (s == (TCSha256State_t) 0) {
@@ -62,7 +62,7 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_sha256_update(TCSha256State_t s, const uint8_t *data, size_t datalen)
+int tc_sha256_update(TCSha256State_t s, const uint8_t *data, size_t datalen)
{
/* input sanity check: */
if (s == (TCSha256State_t) 0 ||
@@ -84,9 +84,9 @@
return TC_CRYPTO_SUCCESS;
}
-int32_t tc_sha256_final(uint8_t *digest, TCSha256State_t s)
+int tc_sha256_final(uint8_t *digest, TCSha256State_t s)
{
- uint32_t i;
+ unsigned int i;
/* input sanity check: */
if (digest == (uint8_t *) 0 ||
@@ -122,7 +122,7 @@
/* copy the iv out to digest */
for (i = 0; i < TC_SHA256_STATE_BLOCKS; ++i) {
- uint32_t t = *((uint32_t *) &s->iv[i]);
+ unsigned int t = *((unsigned int *) &s->iv[i]);
*digest++ = (uint8_t)(t >> 24);
*digest++ = (uint8_t)(t >> 16);
*digest++ = (uint8_t)(t >> 8);
@@ -140,7 +140,7 @@
* These values correspond to the first 32 bits of the fractional parts of the
* cube roots of the first 64 primes between 2 and 311.
*/
-static const uint32_t k256[64] = {
+static const unsigned int k256[64] = {
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
@@ -154,7 +154,7 @@
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
};
-static inline uint32_t ROTR(uint32_t a, uint32_t n)
+static inline unsigned int ROTR(unsigned int a, unsigned int n)
{
return (((a) >> n) | ((a) << (32 - n)));
}
@@ -167,25 +167,25 @@
#define Ch(a, b, c)(((a) & (b)) ^ ((~(a)) & (c)))
#define Maj(a, b, c)(((a) & (b)) ^ ((a) & (c)) ^ ((b) & (c)))
-static inline uint32_t BigEndian(const uint8_t **c)
+static inline unsigned int BigEndian(const uint8_t **c)
{
- uint32_t n = 0;
+ unsigned int n = 0;
- n = (((uint32_t)(*((*c)++))) << 24);
- n |= ((uint32_t)(*((*c)++)) << 16);
- n |= ((uint32_t)(*((*c)++)) << 8);
- n |= ((uint32_t)(*((*c)++)));
+ n = (((unsigned int)(*((*c)++))) << 24);
+ n |= ((unsigned int)(*((*c)++)) << 16);
+ n |= ((unsigned int)(*((*c)++)) << 8);
+ n |= ((unsigned int)(*((*c)++)));
return n;
}
-static void compress(uint32_t *iv, const uint8_t *data)
+static void compress(unsigned int *iv, const uint8_t *data)
{
- uint32_t a, b, c, d, e, f, g, h;
- uint32_t s0, s1;
- uint32_t t1, t2;
- uint32_t work_space[16];
- uint32_t n;
- uint32_t i;
+ unsigned int a, b, c, d, e, f, g, h;
+ unsigned int s0, s1;
+ unsigned int t1, t2;
+ unsigned int work_space[16];
+ unsigned int n;
+ unsigned int i;
a = iv[0]; b = iv[1]; c = iv[2]; d = iv[3];
e = iv[4]; f = iv[5]; g = iv[6]; h = iv[7];
diff --git a/ext/tinycrypt/lib/source/utils.c b/ext/tinycrypt/lib/source/utils.c
index 147d8d4..13cc495 100644
--- a/ext/tinycrypt/lib/source/utils.c
+++ b/ext/tinycrypt/lib/source/utils.c
@@ -1,7 +1,7 @@
/* utils.c - TinyCrypt platform-dependent run-time operations */
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -35,11 +35,10 @@
#include <string.h>
-#define MASK_MOST_SIG_BIT 0x80
#define MASK_TWENTY_SEVEN 0x1b
-uint32_t _copy(uint8_t *to, uint32_t to_len,
- const uint8_t *from, uint32_t from_len)
+unsigned int _copy(uint8_t *to, unsigned int to_len,
+ const uint8_t *from, unsigned int from_len)
{
if (from_len <= to_len) {
(void)memcpy(to, from, from_len);
@@ -49,7 +48,7 @@
}
}
-void _set(void *to, uint8_t val, uint32_t len)
+void _set(void *to, uint8_t val, unsigned int len)
{
(void)memset(to, val, len);
}
@@ -62,13 +61,13 @@
return ((a<<1) ^ ((a>>7) * MASK_TWENTY_SEVEN));
}
-int32_t _compare(const uint8_t *a, const uint8_t *b, size_t size)
+int _compare(const uint8_t *a, const uint8_t *b, size_t size)
{
const uint8_t *tempa = a;
const uint8_t *tempb = b;
uint8_t result = 0;
- for (uint32_t i = 0; i < size; i++) {
+ for (unsigned int i = 0; i < size; i++) {
result |= tempa[i] ^ tempb[i];
}
return result;