Add tinycrypt 0.2.8
Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/ext/tinycrypt/lib/source/ecc_dh.c b/ext/tinycrypt/lib/source/ecc_dh.c
index c2ab414..e5257d2 100644
--- a/ext/tinycrypt/lib/source/ecc_dh.c
+++ b/ext/tinycrypt/lib/source/ecc_dh.c
@@ -1,7 +1,32 @@
/* ec_dh.c - TinyCrypt implementation of EC-DH */
+/*
+ * Copyright (c) 2014, Kenneth MacKay
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
/*
- * Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
+ * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -31,102 +56,145 @@
*/
#include <tinycrypt/constants.h>
#include <tinycrypt/ecc.h>
+#include <tinycrypt/ecc_dh.h>
+#include <string.h>
-extern uint32_t curve_p[NUM_ECC_DIGITS];
-extern uint32_t curve_b[NUM_ECC_DIGITS];
-extern uint32_t curve_n[NUM_ECC_DIGITS];
-extern uint32_t curve_pb[NUM_ECC_DIGITS + 1];
-extern EccPoint curve_G;
+#if default_RNG_defined
+static uECC_RNG_Function g_rng_function = &default_CSPRNG;
+#else
+static uECC_RNG_Function g_rng_function = 0;
+#endif
-int32_t ecc_make_key(EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS],
- uint32_t p_random[NUM_ECC_DIGITS * 2])
-{
- // computing modular reduction of p_random (see FIPS 186.4 B.4.1):
- vli_mmod_barrett(p_privateKey, p_random, curve_p, curve_pb);
-
- /* Make sure the private key is in the range [1, n-1].
- * For the supported curve, n is always large enough
- * that we only need to subtract once at most.
- */
- uint32_t p_tmp[NUM_ECC_DIGITS];
- vli_sub(p_tmp, p_privateKey, curve_n, NUM_ECC_DIGITS);
-
- vli_cond_set(p_privateKey, p_privateKey, p_tmp,
- vli_cmp(curve_n, p_privateKey, NUM_ECC_DIGITS) == 1);
-
- /* erasing temporary buffer used to store secret: */
- for (uint32_t i = 0; i < NUM_ECC_DIGITS; i++)
- p_tmp[i] = 0;
-
- if (vli_isZero(p_privateKey)) {
- return TC_CRYPTO_FAIL; /* The private key cannot be 0 (mod p). */
- }
-
- EccPointJacobi P;
-
- EccPoint_mult_safe(&P, &curve_G, p_privateKey);
- EccPoint_toAffine(p_publicKey, &P);
-
- return TC_CRYPTO_SUCCESS;
-}
-
-/* Compute p_result = x^3 - 3x + b */
-static void curve_x_side(uint32_t p_result[NUM_ECC_DIGITS],
- uint32_t x[NUM_ECC_DIGITS])
+int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key,
+ unsigned int *d, uECC_Curve curve)
{
- uint32_t _3[NUM_ECC_DIGITS] = {3}; /* -a = 3 */
+ uECC_word_t _private[NUM_ECC_WORDS];
+ uECC_word_t _public[NUM_ECC_WORDS * 2];
- vli_modSquare_fast(p_result, x); /* r = x^2 */
- vli_modSub(p_result, p_result, _3, curve_p); /* r = x^2 - 3 */
- vli_modMult_fast(p_result, p_result, x); /* r = x^3 - 3x */
- vli_modAdd(p_result, p_result, curve_b, curve_p); /* r = x^3 - 3x + b */
+ /* This function is designed for test purposes-only (such as validating NIST
+ * test vectors) as it uses a provided value for d instead of generating
+ * it uniformly at random. */
+ memcpy (_private, d, NUM_ECC_BYTES);
-}
+ /* Computing public-key from private: */
+ if (EccPoint_compute_public_key(_public, _private, curve)) {
-int32_t ecc_valid_public_key(EccPoint *p_publicKey)
-{
- uint32_t l_tmp1[NUM_ECC_DIGITS];
- uint32_t l_tmp2[NUM_ECC_DIGITS];
+ /* Converting buffers to correct bit order: */
+ uECC_vli_nativeToBytes(private_key,
+ BITS_TO_BYTES(curve->num_n_bits),
+ _private);
+ uECC_vli_nativeToBytes(public_key,
+ curve->num_bytes,
+ _public);
+ uECC_vli_nativeToBytes(public_key + curve->num_bytes,
+ curve->num_bytes,
+ _public + curve->num_words);
- if (EccPoint_isZero(p_publicKey)) {
- return -1;
+ /* erasing temporary buffer used to store secret: */
+ memset(_private, 0, NUM_ECC_BYTES);
+
+ return 1;
}
-
- if ((vli_cmp(curve_p, p_publicKey->x, NUM_ECC_DIGITS) != 1) ||
- (vli_cmp(curve_p, p_publicKey->y, NUM_ECC_DIGITS) != 1)) {
- return -2;
- }
-
- vli_modSquare_fast(l_tmp1, p_publicKey->y); /* tmp1 = y^2 */
-
- curve_x_side(l_tmp2, p_publicKey->x); /* tmp2 = x^3 - 3x + b */
-
- /* Make sure that y^2 == x^3 + ax + b */
- if (vli_cmp(l_tmp1, l_tmp2, NUM_ECC_DIGITS) != 0) {
- return -3;
- }
-
- if (vli_cmp(p_publicKey->x, curve_G.x, NUM_ECC_DIGITS) == 0 &&
- vli_cmp(p_publicKey->y, curve_G.y, NUM_ECC_DIGITS) == 0 )
- return -4;
-
return 0;
}
-int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS],
- EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS])
+int uECC_make_key(uint8_t *public_key, uint8_t *private_key, uECC_Curve curve)
{
- EccPoint p_point;
- EccPointJacobi P;
+ uECC_word_t _random[NUM_ECC_WORDS * 2];
+ uECC_word_t _private[NUM_ECC_WORDS];
+ uECC_word_t _public[NUM_ECC_WORDS * 2];
+ uECC_word_t tries;
- EccPoint_mult_safe(&P, p_publicKey, p_privateKey);
- if (EccPointJacobi_isZero(&P)) {
- return TC_CRYPTO_FAIL;
- }
- EccPoint_toAffine(&p_point, &P);
- vli_set(p_secret, p_point.x);
+ for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) {
+ /* Generating _private uniformly at random: */
+ uECC_RNG_Function rng_function = uECC_get_rng();
+ if (!rng_function ||
+ !rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS*uECC_WORD_SIZE)) {
+ return 0;
+ }
- return TC_CRYPTO_SUCCESS;
+ /* computing modular reduction of _random (see FIPS 186.4 B.4.1): */
+ uECC_vli_mmod(_private, _random, curve->n, BITS_TO_WORDS(curve->num_n_bits));
+
+ /* Computing public-key from private: */
+ if (EccPoint_compute_public_key(_public, _private, curve)) {
+
+ /* Converting buffers to correct bit order: */
+ uECC_vli_nativeToBytes(private_key,
+ BITS_TO_BYTES(curve->num_n_bits),
+ _private);
+ uECC_vli_nativeToBytes(public_key,
+ curve->num_bytes,
+ _public);
+ uECC_vli_nativeToBytes(public_key + curve->num_bytes,
+ curve->num_bytes,
+ _public + curve->num_words);
+
+ /* erasing temporary buffer that stored secret: */
+ memset(_private, 0, NUM_ECC_BYTES);
+
+ return 1;
+ }
+ }
+ return 0;
+}
+
+int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key,
+ uint8_t *secret, uECC_Curve curve)
+{
+
+ uECC_word_t _public[NUM_ECC_WORDS * 2];
+ uECC_word_t _private[NUM_ECC_WORDS];
+
+ uECC_word_t tmp[NUM_ECC_WORDS];
+ uECC_word_t *p2[2] = {_private, tmp};
+ uECC_word_t *initial_Z = 0;
+ uECC_word_t carry;
+ wordcount_t num_words = curve->num_words;
+ wordcount_t num_bytes = curve->num_bytes;
+ int r;
+
+ /* Converting buffers to correct bit order: */
+ uECC_vli_bytesToNative(_private,
+ private_key,
+ BITS_TO_BYTES(curve->num_n_bits));
+ uECC_vli_bytesToNative(_public,
+ public_key,
+ num_bytes);
+ uECC_vli_bytesToNative(_public + num_words,
+ public_key + num_bytes,
+ num_bytes);
+
+ /* Regularize the bitcount for the private key so that attackers cannot use a
+ * side channel attack to learn the number of leading zeros. */
+ carry = regularize_k(_private, _private, tmp, curve);
+
+ /* If an RNG function was specified, try to get a random initial Z value to
+ * improve protection against side-channel attacks. */
+ if (g_rng_function) {
+ if (!uECC_generate_random_int(p2[carry], curve->p, num_words)) {
+ r = 0;
+ goto clear_and_out;
+ }
+ initial_Z = p2[carry];
+ }
+
+ EccPoint_mult(_public, _public, p2[!carry], initial_Z, curve->num_n_bits + 1,
+ curve);
+
+ uECC_vli_nativeToBytes(secret, num_bytes, _public);
+ r = !EccPoint_isZero(_public, curve);
+
+clear_and_out:
+ /* erasing temporary buffer used to store secret: */
+ memset(p2, 0, sizeof(p2));
+ __asm__ __volatile__("" :: "g"(p2) : "memory");
+ memset(tmp, 0, sizeof(tmp));
+ __asm__ __volatile__("" :: "g"(tmp) : "memory");
+ memset(_private, 0, sizeof(_private));
+ __asm__ __volatile__("" :: "g"(_private) : "memory");
+
+ return r;
}