Blame - 3rdparty/everest/library/x25519.c - mirror/mbed-tls

blob: 72cab6bbe57b855cd683b324e3d3c2923ac8d7a7 [file] [log] [blame]

Christoph M. Wintersteiger	de4fcf2	2018-10-25 12:41:04 +0100	[diff] [blame^]	1	/*
				2	* ECDH with curve-optimized implementation multiplexing
				3	*
				4	* Copyright 2016-2018 INRIA and Microsoft Corporation
				5	* SPDX-License-Identifier: Apache-2.0
				6	*
				7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
				8	* not use this file except in compliance with the License.
				9	* You may obtain a copy of the License at
				10	*
				11	* http://www.apache.org/licenses/LICENSE-2.0
				12	*
				13	* Unless required by applicable law or agreed to in writing, software
				14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				16	* See the License for the specific language governing permissions and
				17	* limitations under the License.
				18	*
				19	* This file is part of mbed TLS (https://tls.mbed.org)
				20	*/
				21
				22	#if !defined(MBEDTLS_CONFIG_FILE)
				23	#include "mbedtls/config.h"
				24	#else
				25	#include MBEDTLS_CONFIG_FILE
				26	#endif
				27
				28	#if defined(MBEDTLS_ECDH_C)
				29
				30	#include <Hacl_Curve25519.h>
				31	#include <mbedtls/platform_util.h>
				32
				33	#include "x25519.h"
				34
				35	#include <string.h>
				36
				37	/*
				38	* Initialize context
				39	*/
				40	void mbedtls_x25519_init( mbedtls_x25519_context *ctx )
				41	{
				42	memset( ctx, 0, sizeof( mbedtls_x25519_context ) );
				43	}
				44
				45	/*
				46	* Free context
				47	*/
				48	void mbedtls_x25519_free( mbedtls_x25519_context *ctx )
				49	{
				50	if( ctx == NULL )
				51	return;
				52
				53	mbedtls_platform_zeroize( ctx->our_secret, 32 );
				54	mbedtls_platform_zeroize( ctx->peer_point, 32 );
				55	}
				56
				57	int mbedtls_x25519_make_params( mbedtls_x25519_context ctx, size_t olen,
				58	unsigned char *buf, size_t blen,
				59	int( f_rng )(void , unsigned char *, size_t),
				60	void *p_rng )
				61	{
				62	int ret = 0;
				63
				64	uint8_t base[32] = {0};
				65
				66	if( ( ret = f_rng( p_rng, ctx->our_secret, 32 ) ) != 0 )
				67	return ret;
				68
				69	*olen = 36;
				70	if( blen < *olen )
				71	return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
				72
				73	*buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
				74	*buf++ = MBEDTLS_ECP_TLS_CURVE25519 >> 8;
				75	*buf++ = MBEDTLS_ECP_TLS_CURVE25519 & 0xFF;
				76	*buf++ = 32;
				77
				78	base[0] = 9;
				79	Hacl_Curve25519_crypto_scalarmult( buf, ctx->our_secret, base );
				80
				81	base[0] = 0;
				82	if( memcmp( buf, base, 32) == 0 )
				83	return MBEDTLS_ERR_ECP_RANDOM_FAILED;
				84
				85	return( 0 );
				86	}
				87
				88	int mbedtls_x25519_read_params( mbedtls_x25519_context *ctx,
				89	const unsigned char *buf, const unsigned char end )
				90	{
				91	if( end - *buf < 33 )
				92	return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
				93
				94	if( ( (buf)++ != 32 ) )
				95	return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
				96
				97	memcpy( ctx->peer_point, *buf, 32 );
				98	*buf += 32;
				99	return( 0 );
				100	}
				101
				102	int mbedtls_x25519_get_params( mbedtls_x25519_context ctx, const mbedtls_ecp_keypair key,
				103	int side )
				104	{
				105	size_t olen = 0;
				106
				107	switch( side ) {
				108	case MBEDTLS_ECDH_THEIRS:
				109	mbedtls_ecp_point_write_binary( &key->grp, &key->Q, MBEDTLS_ECP_PF_COMPRESSED, &olen, ctx->peer_point, 32 );
				110	/* untested; defensively throw an error for now. */
				111	return(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE);
				112	case MBEDTLS_ECDH_OURS:
				113	mbedtls_mpi_write_binary( &key->d, ctx->our_secret, 32 );
				114	/* CMW: key->Q = key->d * base; do we need to set up ctx.peer_point here? */
				115	/* untested; defensively throw an error for now. */
				116	return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
				117	default:
				118	return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
				119	}
				120	}
				121
				122	int mbedtls_x25519_calc_secret( mbedtls_x25519_context ctx, size_t olen,
				123	unsigned char *buf, size_t blen,
				124	int( f_rng )(void , unsigned char *, size_t),
				125	void *p_rng )
				126	{
				127	/* CMW: Is it okay that f_rng, p_rng are not used? */
				128	(( void )f_rng);
				129	(( void )p_rng);
				130
				131	*olen = 32;
				132
				133	if( blen < *olen )
				134	return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
				135
				136	Hacl_Curve25519_crypto_scalarmult( buf, ctx->our_secret, ctx->peer_point);
				137
				138	/* Wipe the DH secret and don't let the peer chose a small subgroup point */
				139	memset( ctx->our_secret, 0, 32 );
				140	if( memcmp( buf, ctx->our_secret, 32) == 0 )
				141	return MBEDTLS_ERR_ECP_RANDOM_FAILED;
				142
				143	return( 0 );
				144	}
				145
				146	int mbedtls_x25519_make_public( mbedtls_x25519_context ctx, size_t olen,
				147	unsigned char *buf, size_t blen,
				148	int( f_rng )(void , unsigned char *, size_t),
				149	void *p_rng )
				150	{
				151	unsigned char base[32] = { 0 };
				152
				153	/* CMW: Is it okay that f_rng, p_rng are not used? */
				154	(( void )f_rng);
				155	(( void )p_rng);
				156
				157	if( ctx == NULL )
				158	return(MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
				159
				160	*olen = 33;
				161	if( blen < *olen )
				162	return(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
				163	*buf++ = 32;
				164
				165	base[0] = 9;
				166	Hacl_Curve25519_crypto_scalarmult( buf, ctx->our_secret, base );
				167
				168	base[0] = 0;
				169	if( memcmp( buf, base, 32 ) == 0 )
				170	return MBEDTLS_ERR_ECP_RANDOM_FAILED;
				171
				172	return(0);
				173	}
				174
				175	int mbedtls_x25519_read_public( mbedtls_x25519_context *ctx,
				176	const unsigned char *buf, size_t blen )
				177	{
				178	if( blen < 33 )
				179	return(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
				180	if( (*buf++ != 32) )
				181	return(MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
				182	memcpy( ctx->peer_point, buf, 32 );
				183	return(0);
				184	}
				185
				186
				187	#endif /* MBEDTLS_ECDH_C */