diff --git a/AUTHORS b/AUTHORS index 3dd7d1e..0a8e9f8 100644 --- a/AUTHORS +++ b/AUTHORS @@ -1,2 +1,15 @@ -Open Source Maintainer: Constanza Heath -Author: Rafael Misoczki \ No newline at end of file +Architect: +Rafael Misoczki + +Open Source Maintainer: +Constanza Heath +Rafael Misoczki + +Contributors: +Constanza Heath +Rafael Misoczki +Flavio Santes +Jarkko Sakkinen +Chris Morrison +Marti Bolivar +Colin Ian King diff --git a/LICENSE b/LICENSE index a4f3868..2e1db51 100644 --- a/LICENSE +++ b/LICENSE @@ -5,7 +5,7 @@ ================================================================================ - Copyright (c) 2015, Intel Corporation. All rights reserved. + Copyright (c) 2017, Intel Corporation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -34,8 +34,7 @@ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ================================================================================ - -Copyright (c) 2013, Kenneth MacKay +Copyright (c) 2014, Kenneth MacKay All rights reserved. https://github.com/kmackay/micro-ecc diff --git a/Makefile b/Makefile index 2a86c57..3c0e42b 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ ################################################################################ # -# Copyright (C) 2015 by Intel Corporation, All Rights Reserved. +# Copyright (C) 2017 by Intel Corporation, All Rights Reserved. # # Global Makefile. # See lib/Makefile and tests/Makefile for further configuration. diff --git a/README b/README index c0e96b7..fb52c19 100644 --- a/README +++ b/README 
@@ -5,7 +5,7 @@ ================================================================================ - Copyright (c) 2015, Intel Corporation. All rights reserved. + Copyright (c) 2017, Intel Corporation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -50,6 +50,7 @@ cryptographic primitive. Organization: /lib: C source code of the cryptographic primitives. +/lib/include/tinycrypt: C header files of the cryptographic primitives. /tests: Test vectors of the cryptographic primitives. /doc: Documentation of TinyCrypt. @@ -60,6 +61,7 @@ Building: 1) In Makefile.conf set: - CFLAGS for compiler flags. - CC for compiler. + - ENABLE_TESTS for enabling (true) or disabling (false) tests compilation. 2) In lib/Makefile select the primitives required by your project. 3) In tests/Makefile select the corresponding tests of the selected primitives. 4) make diff --git a/VERSION b/VERSION index 53a75d6..b003284 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.2.6 +0.2.7 diff --git a/config.mk b/config.mk index 9642066..a5b9fb7 100644 --- a/config.mk +++ b/config.mk @@ -1,11 +1,12 @@ ################################################################################ # -# Copyright (C) 2015 by Intel Corporation, All Rights Reserved. +# Copyright (C) 2017 by Intel Corporation, All Rights Reserved. # # Global configuration Makefile. Included everywhere. # ################################################################################ +# EDIT HERE: CC:=gcc CFLAGS:=-Os -std=c99 -Wall -Wextra -D_ISOC99_SOURCE -MMD -I../lib/include/ -I../lib/source/ -I../tests/include/ vpath %.c ../lib/source/ 
@@ -19,11 +20,16 @@ ifeq ($(OS),Windows_NT) DOTEXE:=.exe endif -# DO NOT EDIT THIS: +# DO NOT EDIT AFTER THIS POINT: ifeq ($(ENABLE_TESTS), true) CFLAGS += -DENABLE_TESTS else CFLAGS += -DDISABLE_TESTS endif +export CC +export CFLAGS +export VPATH +export ENABLE_TESTS + ################################################################################ diff --git a/documentation/tinycrypt.rst b/documentation/tinycrypt.rst index 2f55d73..356c099 100644 --- a/documentation/tinycrypt.rst +++ b/documentation/tinycrypt.rst @@ -1,7 +1,7 @@ TinyCrypt Cryptographic Library ############################### -Copyright (C) 2015 by Intel Corporation, All Rights Reserved. +Copyright (C) 2017 by Intel Corporation, All Rights Reserved. Overview ******** @@ -72,13 +72,13 @@ corresponding header file. * ECC-DH: - * Type of primitive: Key exchange. + * Type of primitive: Key exchange based on curve NIST p-256. * Standard Specification: RFC 6090. * Requires: ECC auxiliary functions (ecc.h/c). * ECC-DSA: - * Type of primitive: Digital signature. + * Type of primitive: Digital signature based on curve NIST p-256. * Standard Specification: RFC 6090. * Requires: ECC auxiliary functions (ecc.h/c). 
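Review bot: The added `export VPATH` in config.mk exports a variable that the visible part of the file never sets. The search path shown in the previous hunk is the lowercase directive `vpath %.c ../lib/source/`, which does not populate the `VPATH` variable. Lines 13-19 of the file are outside the diff, so this is inferred, but as written the export looks like a no-op. That can mislead a maintainer into thinking sub-makes receive the source path this way. I would drop the line, or put `# vpath directives are not inherited; sub-makes must include config.mk` above the export block.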
@@ -102,15 +102,17 @@ Important Remarks The cryptographic implementations in TinyCrypt library have some limitations. Some of these limitations are inherent to the cryptographic primitives -themselves, while others are specific to TinyCrypt. Some of these limitations -are discussed in-depth below. +themselves, while others are specific to TinyCrypt. These limitations were accepted +in order to meet its design goals (in special, minimal code size) and to better +serve applications targeting constrained devices in general. Some of these +limitations are discussed in-depth below. General Remarks *************** * TinyCrypt does **not** intend to be fully side-channel resistant. Due to the - variety of side-channel attacks, many of them making certain platforms - vulnerable. In this sense, instead of penalizing all library users with + variety of side-channel attacks, many of them only relevant to certain + platforms. In this sense, instead of penalizing all library users with side-channel countermeasures such as increasing the overall code size, TinyCrypt only implements certain generic timing-attack countermeasures. @@ -134,7 +136,9 @@ Specific Remarks * The tc_hmac_final function, responsible for computing the message tag, cleans the state context before exiting. Thus, applications do not need to - clean the TCHmacState_t ctx after calling tc_hmac_final. + clean the TCHmacState_t ctx after calling tc_hmac_final. This should not + be changed in future versions of the library as there are applications + currently relying on this good-practice/feature of TinyCrypt. * HMAC-PRNG: @@ -160,7 +164,7 @@ Specific Remarks * The AES-CTR mode limits the size of a data message they encrypt to 2^32 blocks. If you need to encrypt larger data sets, your application would need to replace the key after 2^32 block encryptions. - + * CTR-PRNG: * Before using CTR-PRNG, you *must* find an entropy source to produce a seed. 
@@ -231,11 +235,10 @@ Specific Remarks * ECC-DH and ECC-DSA: - * TinyCrypt ECC implementation is based on nano-ecc (see - https://github.com/iSECPartners/nano-ecc) which in turn is based on - mciro-ecc (see https://github.com/kmackay/micro-ecc). In the original - nano and micro-ecc documentation, there is an important remark about the - way integers are represented: + * TinyCrypt ECC implementation is based on micro-ecc (see + https://github.com/kmackay/micro-ecc). In the original micro-ecc + documentation, there is an important remark about the way integers are + represented: "Integer representation: To reduce code size, all large integers are represented using little-endian words - so the least significant word is @@ -243,6 +246,13 @@ Specific Remarks functions to convert between the native integer representation and the standardized octet representation." + Note that the assumed bit layout is: {31, 30, ..., 0}, {63, 62, ..., 32}, + {95, 94, ..., 64}, {127, 126, ..., 96} for a very-long-integer (vli) + consisting of 4 unsigned integers (as an example). + + * A cryptographically-secure PRNG function must be set (using uECC_set_rng()) + before calling uECC_make_key() or uECC_sign(). + Examples of Applications ************************ It is possible to do useful cryptography with only the given small set of @@ -321,9 +331,9 @@ References .. _NIST SP 800-38C (AES-CCM): http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf -* `NIST Statistical Test Suite`_ +* `NIST Statistical Test Suite (useful for testing HMAC-PRNG)`_ -.. _NIST Statistical Test Suite: +.. _NIST Statistical Test Suite (useful for testing HMAC-PRNG): http://csrc.nist.gov/groups/ST/toolkit/rng/documentation_software.html * `NIST Cryptographic Algorithm Validation Program (CAVP) site`_ diff --git a/lib/Makefile b/lib/Makefile index ee831e8..9c4d8e2 100644 --- a/lib/Makefile +++ b/lib/Makefile 
@@ -1,8 +1,8 @@ ################################################################################ # -# Copyright (C) 2015 by Intel Corporation, All Rights Reserved. +# Copyright (C) 2017 by Intel Corporation, All Rights Reserved. # -# Cryptographic Primitives Makefile. +# Cryptographic Primitives Makefile. # ################################################################################ diff --git a/lib/include/tinycrypt/aes.h b/lib/include/tinycrypt/aes.h index b6dbbb5..b612213 100644 --- a/lib/include/tinycrypt/aes.h +++ b/lib/include/tinycrypt/aes.h @@ -1,7 +1,7 @@ /* aes.h - TinyCrypt interface to an AES-128 implementation */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -61,10 +61,9 @@ extern "C" { #define TC_AES_BLOCK_SIZE (Nb*Nk) #define TC_AES_KEY_SIZE (Nb*Nk) -struct tc_aes_key_sched_struct { - uint32_t words[Nb*(Nr+1)]; -}; -typedef struct tc_aes_key_sched_struct *TCAesKeySched_t; +typedef struct tc_aes_key_sched_struct { + unsigned int words[Nb*(Nr+1)]; +} *TCAesKeySched_t; /** * @brief Set AES-128 encryption key @@ -77,7 +76,7 @@ typedef struct tc_aes_key_sched_struct *TCAesKeySched_t; * @param s IN/OUT -- initialized struct tc_aes_key_sched_struct * @param k IN -- points to the AES key */ -int32_t tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k); +int tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k); /** * @brief AES-128 Encryption procedure 
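Review bot: In the `tc_aes_key_sched_struct` hunk of aes.h, `unsigned int words[Nb*(Nr+1)];` replaces `uint32_t`, but C guarantees only 16 bits for `unsigned int`, while each AES round-key word must hold 32. On a target with a 16-bit `int`, which is plausible for the constrained devices this library is aimed at, the schedule would be silently truncated rather than fail to build. I would keep `uint32_t words[Nb*(Nr+1)];` here. The same substitution recurs in later hunks: the length parameters in cbc_mode.h, ccm_mode.h, ctr_mode.h and ctr_prng.h, and `keyid`/`leftover_offset` in cmac_mode.h. For the length parameters it narrows the accepted range on such targets, which deserves a line in the documentation.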
@@ -91,9 +90,8 @@ int32_t tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k); * @param in IN -- a plaintext block to encrypt * @param s IN -- initialized AES key schedule */ -int32_t tc_aes_encrypt(uint8_t *out, - const uint8_t *in, - const TCAesKeySched_t s); +int tc_aes_encrypt(uint8_t *out, const uint8_t *in, + const TCAesKeySched_t s); /** * @brief Set the AES-128 decryption key @@ -109,7 +107,7 @@ int32_t tc_aes_encrypt(uint8_t *out, * @param s IN/OUT -- initialized struct tc_aes_key_sched_struct * @param k IN -- points to the AES key */ -int32_t tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k); +int tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k); /** * @brief AES-128 Encryption procedure @@ -122,12 +120,11 @@ int32_t tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k); * @param in IN -- a plaintext block to encrypt * @param s IN -- initialized AES key schedule */ -int32_t tc_aes_decrypt(uint8_t *out, - const uint8_t *in, - const TCAesKeySched_t s); +int tc_aes_decrypt(uint8_t *out, const uint8_t *in, + const TCAesKeySched_t s); #ifdef __cplusplus } #endif -#endif +#endif /* __TC_AES_H__ */ diff --git a/lib/include/tinycrypt/cbc_mode.h b/lib/include/tinycrypt/cbc_mode.h index 74d2914..4a837fd 100644 --- a/lib/include/tinycrypt/cbc_mode.h +++ b/lib/include/tinycrypt/cbc_mode.h @@ -1,7 +1,7 @@ /* cbc_mode.h - TinyCrypt interface to a CBC mode implementation */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
@@ -107,9 +107,9 @@ extern "C" { * @param iv IN -- the IV for the this encrypt/decrypt * @param sched IN -- AES key schedule for this encrypt */ -int32_t tc_cbc_mode_encrypt(uint8_t *out, uint32_t outlen, const uint8_t *in, - uint32_t inlen, const uint8_t *iv, - const TCAesKeySched_t sched); +int tc_cbc_mode_encrypt(uint8_t *out, unsigned int outlen, const uint8_t *in, + unsigned int inlen, const uint8_t *iv, + const TCAesKeySched_t sched); /** * @brief CBC decryption procedure @@ -140,12 +140,12 @@ int32_t tc_cbc_mode_encrypt(uint8_t *out, uint32_t outlen, const uint8_t *in, * @param sched IN -- AES key schedule for this decrypt * */ -int32_t tc_cbc_mode_decrypt(uint8_t *out, uint32_t outlen, const uint8_t *in, - uint32_t inlen, const uint8_t *iv, - const TCAesKeySched_t sched); +int tc_cbc_mode_decrypt(uint8_t *out, unsigned int outlen, const uint8_t *in, + unsigned int inlen, const uint8_t *iv, + const TCAesKeySched_t sched); #ifdef __cplusplus } #endif -#endif +#endif /* __TC_CBC_MODE_H__ */ diff --git a/lib/include/tinycrypt/ccm_mode.h b/lib/include/tinycrypt/ccm_mode.h index 9fa5915..69c798e 100644 --- a/lib/include/tinycrypt/ccm_mode.h +++ b/lib/include/tinycrypt/ccm_mode.h @@ -1,7 +1,7 @@ /* ccm_mode.h - TinyCrypt interface to a CCM mode implementation */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -91,7 +91,7 @@ extern "C" { typedef struct tc_ccm_mode_struct { TCAesKeySched_t sched; /* AES key schedule */ uint8_t *nonce; /* nonce required by CCM */ - uint32_t mlen; /* mac length in bytes (parameter t in SP-800 38C) */ + unsigned int mlen; /* mac length in bytes (parameter t in SP-800 38C) */ } *TCCcmMode_t; /** 
@@ -108,8 +108,8 @@ typedef struct tc_ccm_mode_struct { * @param nlen -- nonce length in bytes * @param mlen -- mac length in bytes (parameter t in SP-800 38C) */ -int32_t tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce, - uint32_t nlen, uint32_t mlen); +int tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce, + unsigned int nlen, unsigned int mlen); /** * @brief CCM tag generation and encryption procedure @@ -120,15 +120,19 @@ int32_t tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce, * ((plen > 0) and (payload == NULL)) or * ((alen > 0) and (associated_data == NULL)) or * (alen >= TC_CCM_AAD_MAX_BYTES) or - * (plen >= TC_CCM_PAYLOAD_MAX_BYTES) + * (plen >= TC_CCM_PAYLOAD_MAX_BYTES) or + * (olen < plen + maclength) * * @param out OUT -- encrypted data + * @param olen IN -- output length in bytes * @param associated_data IN -- associated data * @param alen IN -- associated data length in bytes * @param payload IN -- payload * @param plen IN -- payload length in bytes * @param c IN -- CCM state * + * @note: out buffer should be at least (plen + c->mlen) bytes long. + * * @note: The sequence b for encryption is formatted as follows: * b = [FLAGS | nonce | counter ], where: * FLAGS is 1 byte long @@ -149,9 +153,10 @@ int32_t tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce, * 6: Adata (0 if alen == 0, and 1 otherwise) * 7: always 0 */ -int32_t tc_ccm_generation_encryption(uint8_t *out, const uint8_t *associated_data, - uint32_t alen, const uint8_t *payload, - uint32_t plen, TCCcmMode_t c); +int tc_ccm_generation_encryption(uint8_t *out, unsigned int olen, + const uint8_t *associated_data, + unsigned int alen, const uint8_t *payload, + unsigned int plen, TCCcmMode_t c); /** * @brief CCM decryption and tag verification procedure 
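Review bot: The new failure condition in the `tc_ccm_generation_encryption` comment reads `(olen < plen + maclength)`, but nothing in this header is named `maclength`. The `@note` added a few lines below uses `c->mlen`, so the condition should read `* (olen < plen + c->mlen)`. Separately, `olen` is inserted as the second parameter in the last hunk of this file section, which shifts every following argument. A caller built against 0.2.6 and not updated would pass `associated_data` where `olen` is expected, and many C compilers report that only as a warning. A sentence such as `@note: signature changed in 0.2.7 (olen added after out)` in the comment would help integrators catch it.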
@@ -162,7 +167,8 @@ int32_t tc_ccm_generation_encryption(uint8_t *out, const uint8_t *associated_dat * ((plen > 0) and (payload == NULL)) or * ((alen > 0) and (associated_data == NULL)) or * (alen >= TC_CCM_AAD_MAX_BYTES) or - * (plen >= TC_CCM_PAYLOAD_MAX_BYTES) + * (plen >= TC_CCM_PAYLOAD_MAX_BYTES) or + * (olen < plen - c->mlen) * * @param out OUT -- decrypted data * @param associated_data IN -- associated data @@ -171,6 +177,8 @@ int32_t tc_ccm_generation_encryption(uint8_t *out, const uint8_t *associated_dat * @param plen IN -- payload length in bytes * @param c IN -- CCM state * + * @note: out buffer should be at least (plen - c->mlen) bytes long. + * * @note: The sequence b for encryption is formatted as follows: * b = [FLAGS | nonce | counter ], where: * FLAGS is 1 byte long @@ -191,11 +199,13 @@ int32_t tc_ccm_generation_encryption(uint8_t *out, const uint8_t *associated_dat * 6: Adata (0 if alen == 0, and 1 otherwise) * 7: always 0 */ -int32_t tc_ccm_decryption_verification(uint8_t *out, const uint8_t *associated_data, - uint32_t alen, const uint8_t *payload, uint32_t plen, - TCCcmMode_t c); +int tc_ccm_decryption_verification(uint8_t *out, unsigned int olen, + const uint8_t *associated_data, + unsigned int alen, const uint8_t *payload, unsigned int plen, + TCCcmMode_t c); + #ifdef __cplusplus } #endif -#endif +#endif /* __TC_CCM_MODE_H__ */ diff --git a/lib/include/tinycrypt/cmac_mode.h b/lib/include/tinycrypt/cmac_mode.h index 9d3f130..f44b0a5 100644 --- a/lib/include/tinycrypt/cmac_mode.h +++ b/lib/include/tinycrypt/cmac_mode.h @@ -1,7 +1,7 @@ /* cmac_mode.h -- interface to a CMAC implementation */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
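Review bot: The `tc_ccm_decryption_verification` comment gains the condition `(olen < plen - c->mlen)` and the prototype gains `unsigned int olen`, but no `@param olen` line is added, unlike in the encryption comment. I would add `* @param olen IN -- output length in bytes` after `@param out`. Both operands are `unsigned int`, so `plen - c->mlen` wraps to a very large value when the payload is shorter than the tag, and the documented condition does not cover that case. The implementation is not in this header, so whether it rejects `plen < c->mlen` first cannot be confirmed here. If it does, list `* (plen < c->mlen) or` among the failure conditions; if not, the bound is safer written as `olen + c->mlen < plen`.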
@@ -119,9 +119,9 @@ typedef struct tc_cmac_struct { /* where to put bytes that didn't fill a block */ uint8_t leftover[TC_AES_BLOCK_SIZE]; /* identifies the encryption key */ - uint32_t keyid; + unsigned int keyid; /* next available leftover location */ - uint32_t leftover_offset; + unsigned int leftover_offset; /* AES key schedule */ TCAesKeySched_t sched; /* calls to tc_cmac_update left before re-key */ @@ -139,8 +139,8 @@ typedef struct tc_cmac_struct { * @param key IN -- the key to use * @param sched IN -- AES key schedule */ -int32_t tc_cmac_setup(TCCmacState_t s, const uint8_t *key, - TCAesKeySched_t sched); +int tc_cmac_setup(TCCmacState_t s, const uint8_t *key, + TCAesKeySched_t sched); /** * @brief Erases the CMAC state @@ -150,7 +150,7 @@ int32_t tc_cmac_setup(TCCmacState_t s, const uint8_t *key, * * @param s IN/OUT -- the state to erase */ -int32_t tc_cmac_erase(TCCmacState_t s); +int tc_cmac_erase(TCCmacState_t s); /** * @brief Initializes a new CMAC computation @@ -160,7 +160,7 @@ int32_t tc_cmac_erase(TCCmacState_t s); * * @param s IN/OUT -- the state to initialize */ -int32_t tc_cmac_init(TCCmacState_t s); +int tc_cmac_init(TCCmacState_t s); /** * @brief Incrementally computes CMAC over the next data segment @@ -173,7 +173,7 @@ int32_t tc_cmac_init(TCCmacState_t s); * @param data IN -- the next data segment to MAC * @param dlen IN -- the length of data in bytes */ -int32_t tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t dlen); +int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t dlen); /** * @brief Generates the tag from the CMAC state @@ -185,10 +185,10 @@ int32_t tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t dlen); * @param tag OUT -- the CMAC tag * @param s IN -- CMAC state */ -int32_t tc_cmac_final(uint8_t *tag, TCCmacState_t s); +int tc_cmac_final(uint8_t *tag, TCCmacState_t s); #ifdef __cplusplus } #endif -#endif +#endif /* __TC_CMAC_MODE_H__ */ 
diff --git a/lib/include/tinycrypt/constants.h b/lib/include/tinycrypt/constants.h index 1a7c9df..965490e 100644 --- a/lib/include/tinycrypt/constants.h +++ b/lib/include/tinycrypt/constants.h @@ -1,7 +1,7 @@ /* constants.h - TinyCrypt interface to constants */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -43,6 +43,8 @@ extern "C" { #endif +#include + #ifndef NULL #define NULL ((void *)0) #endif @@ -56,4 +58,4 @@ extern "C" { } #endif -#endif +#endif /* __TC_CONSTANTS_H__ */ diff --git a/lib/include/tinycrypt/ctr_mode.h b/lib/include/tinycrypt/ctr_mode.h index 5f7766d..dc221f9 100644 --- a/lib/include/tinycrypt/ctr_mode.h +++ b/lib/include/tinycrypt/ctr_mode.h @@ -1,7 +1,7 @@ /* ctr_mode.h - TinyCrypt interface to CTR mode */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -98,11 +98,11 @@ extern "C" { * @param ctr IN/OUT -- the current counter value * @param sched IN -- an initialized AES key schedule */ -int32_t tc_ctr_mode(uint8_t *out, uint32_t outlen, const uint8_t *in, - uint32_t inlen, uint8_t *ctr, const TCAesKeySched_t sched); +int tc_ctr_mode(uint8_t *out, unsigned int outlen, const uint8_t *in, + unsigned int inlen, uint8_t *ctr, const TCAesKeySched_t sched); #ifdef __cplusplus } #endif -#endif +#endif /* __TC_CTR_MODE_H__ */ diff --git a/lib/include/tinycrypt/ctr_prng.h b/lib/include/tinycrypt/ctr_prng.h index 12cac8f..9be06db 100644 --- a/lib/include/tinycrypt/ctr_prng.h +++ b/lib/include/tinycrypt/ctr_prng.h 
@@ -67,8 +67,7 @@ extern "C" { #endif -typedef struct -{ +typedef struct { /* updated each time another BLOCKLEN_BYTES bytes are produced */ uint8_t V[TC_AES_BLOCK_SIZE]; @@ -99,11 +98,11 @@ typedef struct * @param plen IN -- personalization length in bytes * */ -int32_t tc_ctr_prng_init(TCCtrPrng_t * const ctx, - uint8_t const * const entropy, - uint32_t entropyLen, - uint8_t const * const personalization, - uint32_t pLen); +int tc_ctr_prng_init(TCCtrPrng_t * const ctx, + uint8_t const * const entropy, + unsigned int entropyLen, + uint8_t const * const personalization, + unsigned int pLen); /** * @brief CTR-PRNG reseed procedure @@ -124,11 +123,11 @@ int32_t tc_ctr_prng_init(TCCtrPrng_t * const ctx, * @param additional_input IN -- additional input to the prng (may be null) * @param additionallen IN -- additional input length in bytes */ -int32_t tc_ctr_prng_reseed(TCCtrPrng_t * const ctx, - uint8_t const * const entropy, - uint32_t entropyLen, - uint8_t const * const additional_input, - uint32_t additionallen); +int tc_ctr_prng_reseed(TCCtrPrng_t * const ctx, + uint8_t const * const entropy, + unsigned int entropyLen, + uint8_t const * const additional_input, + unsigned int additionallen); /** * @brief CTR-PRNG generate procedure @@ -146,11 +145,11 @@ int32_t tc_ctr_prng_reseed(TCCtrPrng_t * const ctx, * @param out IN/OUT -- buffer to receive output * @param outlen IN -- size of out buffer in bytes */ -int32_t tc_ctr_prng_generate(TCCtrPrng_t * const ctx, - uint8_t const * const additional_input, - uint32_t additionallen, - uint8_t * const out, - uint32_t outlen); +int tc_ctr_prng_generate(TCCtrPrng_t * const ctx, + uint8_t const * const additional_input, + unsigned int additionallen, + uint8_t * const out, + unsigned int outlen); /** * @brief CTR-PRNG uninstantiate procedure @@ -164,4 +163,4 @@ void tc_ctr_prng_uninstantiate(TCCtrPrng_t * const ctx); } #endif -#endif +#endif /* __TC_CTR_PRNG_H__ */ 
diff --git a/lib/include/tinycrypt/ecc.h b/lib/include/tinycrypt/ecc.h index 74324f9..8abc949 100644 --- a/lib/include/tinycrypt/ecc.h +++ b/lib/include/tinycrypt/ecc.h @@ -1,10 +1,7 @@ -/* ecc.h - TinyCrypt interface to ECC auxiliary functions */ +/* ecc.h - TinyCrypt interface to common ECC functions */ -/* - * ============================================================================= - * Copyright (c) 2013, Kenneth MacKay +/* Copyright (c) 2014, Kenneth MacKay * All rights reserved. - * https://github.com/kmackay/micro-ecc * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -27,9 +24,10 @@ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. - * - * ============================================================================= - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + */ + +/* + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -60,9 +58,9 @@ /** * @file - * @brief -- Interface to ECC auxiliary functions. + * @brief -- Interface to common ECC functions. * - * Overview: This software is an implementation of auxiliary functions + * Overview: This software is an implementation of common functions * necessary to elliptic curve cryptography. This implementation uses * curve NIST p-256. * @@ -70,8 +68,8 @@ * */ -#ifndef __TC_ECC_H__ -#define __TC_ECC_H__ +#ifndef __TC_UECC_H__ +#define __TC_UECC_H__ #include 
@@ -80,278 +78,468 @@ extern "C" { #endif /* Word size (4 bytes considering 32-bits architectures) */ -#define WORD_SIZE 4 +#define uECC_WORD_SIZE 4 + +/* setting max number of calls to prng: */ +#ifndef uECC_RNG_MAX_TRIES +#define uECC_RNG_MAX_TRIES 64 +#endif + +/* defining data types to store word and bit counts: */ +typedef int8_t wordcount_t; +typedef int16_t bitcount_t; +/* defining data type for comparison result: */ +typedef int8_t cmpresult_t; +/* defining data type to store ECC coordinate/point in 32bits words: */ +typedef unsigned int uECC_word_t; +/* defining data type to store an ECC coordinate/point in 64bits words: */ +typedef uint64_t uECC_dword_t; + +/* defining masks useful for ecc computations: */ +#define HIGH_BIT_SET 0x80000000 +#define uECC_WORD_BITS 32 +#define uECC_WORD_BITS_SHIFT 5 +#define uECC_WORD_BITS_MASK 0x01F + /* Number of words of 32 bits to represent an element of the the curve p-256: */ -#define NUM_ECC_DIGITS 8 +#define NUM_ECC_WORDS 8 /* Number of bytes to represent an element of the the curve p-256: */ -#define NUM_ECC_BYTES (WORD_SIZE*NUM_ECC_DIGITS) +#define NUM_ECC_BYTES (uECC_WORD_SIZE*NUM_ECC_WORDS) -/* struct to represent a point of the curve (uses X and Y coordinates): */ -typedef struct EccPoint { - uint32_t x[NUM_ECC_DIGITS]; - uint32_t y[NUM_ECC_DIGITS]; -} EccPoint; +/* structure that represents an elliptic curve (e.g. 
p256):*/ +struct uECC_Curve_t; +typedef const struct uECC_Curve_t * uECC_Curve; +struct uECC_Curve_t { + wordcount_t num_words; + wordcount_t num_bytes; + bitcount_t num_n_bits; + uECC_word_t p[NUM_ECC_WORDS]; + uECC_word_t n[NUM_ECC_WORDS]; + uECC_word_t G[NUM_ECC_WORDS * 2]; + uECC_word_t b[NUM_ECC_WORDS]; + void (*double_jacobian)(uECC_word_t * X1, uECC_word_t * Y1, uECC_word_t * Z1, + uECC_Curve curve); + void (*x_side)(uECC_word_t *result, const uECC_word_t *x, uECC_Curve curve); + void (*mmod_fast)(uECC_word_t *result, uECC_word_t *product); +}; -/* struct to represent a point of the curve in Jacobian coordinates - * (uses X, Y and Z coordinates): +/* + * @brief computes doubling of point ion jacobian coordinates, in place. + * @param X1 IN/OUT -- x coordinate + * @param Y1 IN/OUT -- y coordinate + * @param Z1 IN/OUT -- z coordinate + * @param curve IN -- elliptic curve */ -typedef struct EccPointJacobi { - uint32_t X[NUM_ECC_DIGITS]; - uint32_t Y[NUM_ECC_DIGITS]; - uint32_t Z[NUM_ECC_DIGITS]; -} EccPointJacobi; +void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1, + uECC_word_t * Z1, uECC_Curve curve); /* - * @brief Check if p_vli is zero. - * @return returns non-zero if p_vli == 0, zero otherwise. - * - * @param p_native OUT -- will be filled in with the native integer value. - * @param p_bytes IN -- standard octet representation of the integer to convert. - * - * @note Side-channel countermeasure: algorithm strengthened against timing - * attack. + * @brief Computes x^3 + ax + b. result must not overlap x. + * @param result OUT -- x^3 + ax + b + * @param x IN -- value of x + * @param curve IN -- elliptic curve */ -uint32_t vli_isZero(uint32_t *p_vli); +void x_side_default(uECC_word_t *result, const uECC_word_t *x, + uECC_Curve curve); /* - * @brief Set the content of p_src in p_dest. - * - * @param p_dest OUT -- Destination buffer. - * @param p_src IN -- Origin buffer. 
- * + * @brief Computes result = product % curve_p + * from http://www.nsa.gov/ia/_files/nist-routines.pdf + * @param result OUT -- product % curve_p + * @param product IN -- value to be reduced mod curve_p */ -void vli_set(uint32_t *p_dest, uint32_t *p_src); +void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int *product); + +/* Bytes to words ordering: */ +#define BYTES_TO_WORDS_8(a, b, c, d, e, f, g, h) 0x##d##c##b##a, 0x##h##g##f##e +#define BYTES_TO_WORDS_4(a, b, c, d) 0x##d##c##b##a +#define BITS_TO_WORDS(num_bits) \ + ((num_bits + ((uECC_WORD_SIZE * 8) - 1)) / (uECC_WORD_SIZE * 8)) +#define BITS_TO_BYTES(num_bits) ((num_bits + 7) / 8) + +/* definition of curve NIST p-256: */ +static const struct uECC_Curve_t curve_secp256r1 = { + NUM_ECC_WORDS, + NUM_ECC_BYTES, + 256, /* num_n_bits */ { + BYTES_TO_WORDS_8(FF, FF, FF, FF, FF, FF, FF, FF), + BYTES_TO_WORDS_8(FF, FF, FF, FF, 00, 00, 00, 00), + BYTES_TO_WORDS_8(00, 00, 00, 00, 00, 00, 00, 00), + BYTES_TO_WORDS_8(01, 00, 00, 00, FF, FF, FF, FF) + }, { + BYTES_TO_WORDS_8(51, 25, 63, FC, C2, CA, B9, F3), + BYTES_TO_WORDS_8(84, 9E, 17, A7, AD, FA, E6, BC), + BYTES_TO_WORDS_8(FF, FF, FF, FF, FF, FF, FF, FF), + BYTES_TO_WORDS_8(00, 00, 00, 00, FF, FF, FF, FF) + }, { + BYTES_TO_WORDS_8(96, C2, 98, D8, 45, 39, A1, F4), + BYTES_TO_WORDS_8(A0, 33, EB, 2D, 81, 7D, 03, 77), + BYTES_TO_WORDS_8(F2, 40, A4, 63, E5, E6, BC, F8), + BYTES_TO_WORDS_8(47, 42, 2C, E1, F2, D1, 17, 6B), + + BYTES_TO_WORDS_8(F5, 51, BF, 37, 68, 40, B6, CB), + BYTES_TO_WORDS_8(CE, 5E, 31, 6B, 57, 33, CE, 2B), + BYTES_TO_WORDS_8(16, 9E, 0F, 7C, 4A, EB, E7, 8E), + BYTES_TO_WORDS_8(9B, 7F, 1A, FE, E2, 42, E3, 4F) + }, { + BYTES_TO_WORDS_8(4B, 60, D2, 27, 3E, 3C, CE, 3B), + BYTES_TO_WORDS_8(F6, B0, 53, CC, B0, 06, 1D, 65), + BYTES_TO_WORDS_8(BC, 86, 98, 76, 55, BD, EB, B3), + BYTES_TO_WORDS_8(E7, 93, 3A, AA, D8, 35, C6, 5A) + }, + &double_jacobian_default, + &x_side_default, + &vli_mmod_fast_secp256r1 +}; + +uECC_Curve uECC_secp256r1(void); /* - * 
@brief Computes the sign of p_left - p_right. - * @return returns the sign of p_left - p_right. + * @brief Generates a random integer in the range 0 < random < top. + * Both random and top have num_words words. + * @param random OUT -- random integer in the range 0 < random < top + * @param top IN -- upper limit + * @param num_words IN -- number of words + * @return a random integer in the range 0 < random < top + */ +int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, + wordcount_t num_words); + + +/* uECC_RNG_Function type + * The RNG function should fill 'size' random bytes into 'dest'. It should + * return 1 if 'dest' was filled with random data, or 0 if the random data could + * not be generated. The filled-in values should be either truly random, or from + * a cryptographically-secure PRNG. + * + * A correctly functioning RNG function must be set (using uECC_set_rng()) + * before calling uECC_make_key() or uECC_sign(). * - * @param p_left IN -- buffer to be compared. - * @param p_right IN -- buffer to be compared. - * @param word_size IN -- size of the word. + * Setting a correctly functioning RNG function improves the resistance to + * side-channel attacks for uECC_shared_secret(). * - * @note Side-channel countermeasure: algorithm strengthened against timing - * attack. + * A correct RNG function is set by default. If you are building on another + * POSIX-compliant system that supports /dev/random or /dev/urandom, you can + * define uECC_POSIX to use the predefined RNG. */ -int32_t vli_cmp(uint32_t *p_left, uint32_t *p_right, int32_t word_size); +typedef int(*uECC_RNG_Function)(uint8_t *dest, unsigned int size); /* - * @brief Computes p_result = p_left - p_right, returns borrow. - * @return returns the sign of p_left - p_right. + * @brief Set the function that will be used to generate random bytes. The RNG + * function should return 1 if the random data was generated, or 0 if the random + * data could not be generated. 
* - * @param p_result IN -- buffer to be compared. - * @param p_left IN -- buffer p_left in (p_left - p_right). - * @param p_right IN -- buffer p_right in (p_left - p_right). - * @param word_size IN -- size of the word. + * @note On platforms where there is no predefined RNG function, this must be + * called before uECC_make_key() or uECC_sign() are used. * - * @note Side-channel countermeasure: algorithm strengthened against timing - * attack. - * @note Can modify in place. + * @param rng_function IN -- function that will be used to generate random bytes */ -uint32_t vli_sub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right, - uint32_t word_size); +void uECC_set_rng(uECC_RNG_Function rng_function); /* - * @brief Conditional set: sets either 'p_true' or 'p_false' to 'output', - * depending on the value of 'cond'. - * - * @param output OUT -- result buffer after setting either p_true or p_false. - * @param p_true IN -- buffer to be used if cond is true. - * @param p_false IN -- buffer to be used if cond is false. - * @param cond IN -- boolean value that will determine which value will be set - * to output. + * @brief provides current uECC_RNG_Function. + * @return Returns the function that will be used to generate random bytes. */ -void vli_cond_set(uint32_t *output, uint32_t *p_true, uint32_t *p_false, - uint32_t cond); +uECC_RNG_Function uECC_get_rng(void); /* - * @brief Computes p_result = (p_left + p_right) % p_mod. - * - * @param p_result OUT -- result buffer. - * @param p_left IN -- buffer p_left in (p_left + p_right) % p_mod. - * @param p_right IN -- buffer p_right in (p_left + p_right) % p_mod. - * @param p_mod IN -- module. - * - * @note Assumes that p_left < p_mod and p_right < p_mod, p_result != p_mod. - * @note Side-channel countermeasure: algorithm strengthened against timing - * attack. + * @brief computes the size of a private key for the curve in bytes. 
+ * @param curve IN -- elliptic curve + * @return size of a private key for the curve in bytes. */ -void vli_modAdd(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right, - uint32_t *p_mod); +int uECC_curve_private_key_size(uECC_Curve curve); /* - * @brief Computes p_result = (p_left - p_right) % p_mod. - * - * @param p_result OUT -- result buffer. - * @param p_left IN -- buffer p_left in (p_left - p_right) % p_mod. - * @param p_right IN -- buffer p_right in (p_left - p_right) % p_mod. - * @param p_mod IN -- module. - * - * @note Assumes that p_left < p_mod and p_right < p_mod, p_result != p_mod. - * @note Side-channel countermeasure: algorithm strengthened against timing - * attack. + * @brief computes the size of a public key for the curve in bytes. + * @param curve IN -- elliptic curve + * @return the size of a public key for the curve in bytes. */ -void vli_modSub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right, - uint32_t *p_mod); +int uECC_curve_public_key_size(uECC_Curve curve); /* - * @brief Computes p_result = (p_left * p_right) % curve_p. - * - * @param p_result OUT -- result buffer. - * @param p_left IN -- buffer p_left in (p_left * p_right) % curve_p. - * @param p_right IN -- buffer p_right in (p_left * p_right) % curve_p. + * @brief Compute the corresponding public key for a private key. + * @param private_key IN -- The private key to compute the public key for + * @param public_key OUT -- Will be filled in with the corresponding public key + * @param curve + * @return Returns 1 if key was computed successfully, 0 if an error occurred. */ -void vli_modMult_fast(uint32_t *p_result, uint32_t *p_left, - uint32_t *p_right); +int uECC_compute_public_key(const uint8_t *private_key, + uint8_t *public_key, uECC_Curve curve); /* - * @brief Computes p_result = p_left^2 % curve_p. - * - * @param p_result OUT -- result buffer. - * @param p_left IN -- buffer p_left in (p_left^2 % curve_p). + * @brief Compute public-key. 
+ * @return corresponding public-key. + * @param result OUT -- public-key + * @param private_key IN -- private-key + * @param curve IN -- elliptic curve */ -void vli_modSquare_fast(uint32_t *p_result, uint32_t *p_left); +uECC_word_t EccPoint_compute_public_key(uECC_word_t *result, + uECC_word_t *private_key, uECC_Curve curve); /* - * @brief Computes p_result = (p_left * p_right) % p_mod. - * - * @param p_result OUT -- result buffer. - * @param p_left IN -- buffer p_left in (p_left * p_right) % p_mod. - * @param p_right IN -- buffer p_right in (p_left * p_right) % p_mod. - * @param p_mod IN -- module. - * @param p_barrett IN -- used for Barrett reduction. - * @note Side-channel countermeasure: algorithm strengthened against timing - * attack. + * @brief Regularize the bitcount for the private key so that attackers cannot + * use a side channel attack to learn the number of leading zeros. + * @return Regularized k + * @param k IN -- private-key + * @param k0 IN/OUT -- regularized k + * @param k1 IN/OUT -- regularized k + * @param curve IN -- elliptic curve */ -void vli_modMult(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right, - uint32_t *p_mod, uint32_t *p_barrett); +uECC_word_t regularize_k(const uECC_word_t * const k, uECC_word_t *k0, + uECC_word_t *k1, uECC_Curve curve); /* - * @brief Computes modular inversion: (1/p_intput) % p_mod. - * - * @param p_result OUT -- result buffer. - * @param p_input IN -- buffer p_input in (1/p_intput) % p_mod. - * @param p_mod IN -- module. - * @param p_barrett IN -- used for Barrett reduction. - * @note Side-channel countermeasure: algorithm strengthened against timing - * attack. - */ -void vli_modInv(uint32_t *p_result, uint32_t *p_input, - uint32_t *p_mod, uint32_t *p_barrett); - -/* - * @brief modular reduction based on Barrett's method - * @param p_result OUT -- p_product % p_mod. - * @param p_product IN -- buffer p_product in (p_product % p_mod). - * @param p_mod IN -- buffer p_mod in (p_product % p_mod). 
- * @param p_barrett -- used for Barrett reduction. - * @note Side-channel countermeasure: algorithm strengthened against timing - * attack. - */ -void vli_mmod_barrett( - uint32_t *p_result, - uint32_t *p_product, - uint32_t *p_mod, - uint32_t *p_barrett); - -/* - * @brief Check if a point is zero. - * @return Returns 1 if p_point is the point at infinity, 0 otherwise. - * - * @param p_point IN -- point to be checked. + * @brief Point multiplication algorithm using Montgomery's ladder with co-Z + * coordinates. See http://eprint.iacr.org/2011/338.pdf. + * @note Result may overlap point. + * @param result OUT -- returns scalar*point + * @param point IN -- elliptic curve point + * @param scalar IN -- scalar + * @param initial_Z IN -- initial value for z + * @param num_bits IN -- number of bits in scalar + * @param curve IN -- elliptic curve */ -uint32_t EccPoint_isZero(EccPoint *p_point); +void EccPoint_mult(uECC_word_t * result, const uECC_word_t * point, + const uECC_word_t * scalar, const uECC_word_t * initial_Z, + bitcount_t num_bits, uECC_Curve curve); /* - * @brief Check if point in Jacobi coordinates is zero. - * @return Returns 1 if p_point_jacobi is the point at infinity, 0 otherwise. - * - * @param p_point IN -- point to be checked. + * @brief Constant-time comparison to zero - secure way to compare long integers + * @param vli IN -- very long integer + * @param num_words IN -- number of words in the vli + * @return 1 if vli == 0, 0 otherwise. */ -uint32_t EccPointJacobi_isZero(EccPointJacobi *p_point_jacobi); +uECC_word_t uECC_vli_isZero(const uECC_word_t *vli, wordcount_t num_words); /* - * @brief Conversion from Jacobi coordinates to Affine coordinates. - * - * @param p_point OUT -- point in Affine coordinates. - * @param p_point_jacobi OUT -- point in Jacobi coordinates. 
+ * @brief Check if 'point' is the point at infinity + * @param point IN -- elliptic curve point + * @param curve IN -- elliptic curve + * @return if 'point' is the point at infinity, 0 otherwise. */ -void EccPoint_toAffine(EccPoint *p_point, EccPointJacobi *p_point_jacobi); +uECC_word_t EccPoint_isZero(const uECC_word_t *point, uECC_Curve curve); /* - * @brief Elliptic curve point addition in Jacobi coordinates: P1 = P1 + P2. - * - * @param P1 IN/OUT -- P1 in P1 = P1 + P2. - * @param P2 IN -- P2 in P1 = P1 + P2. + * @brief computes the sign of left - right, in constant time. + * @param left IN -- left term to be compared + * @param right IN -- right term to be compared + * @param num_words IN -- number of words + * @return the sign of left - right */ -void EccPoint_add(EccPointJacobi *P1, EccPointJacobi *P2); +cmpresult_t uECC_vli_cmp(const uECC_word_t *left, const uECC_word_t *right, + wordcount_t num_words); /* - * @brief Elliptic curve scalar multiplication with result in Jacobi coordinates - * - * @param p_result OUT -- Product of p_point by p_scalar. - * @param p_point IN -- Elliptic curve point - * @param p_scalar IN -- Scalar integer - * @note Side-channel countermeasure: algorithm strengthened against timing - * attack. - */ -void EccPoint_mult_safe(EccPointJacobi *p_result, EccPoint *p_point, - uint32_t *p_scalar); - -/* - * @brief Fast elliptic curve scalar multiplication with result in Jacobi - * coordinates - * @note non constant time - * @param p_result OUT -- Product of p_point by p_scalar. - * @param p_point IN -- Elliptic curve point - * @param p_scalar IN -- Scalar integer - * @note algorithm NOT strengthened against timing attack. - */ -void EccPoint_mult_unsafe( - EccPointJacobi *p_result, - EccPoint *p_point, - uint32_t *p_scalar); - -/* - * @brief Convert an integer in standard octet representation to native format. 
- * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * out == NULL or - * c == NULL or - * ((plen > 0) and (payload == NULL)) or - * ((alen > 0) and (associated_data == NULL)) or - * (alen >= TC_CCM_AAD_MAX_BYTES) or - * (plen >= TC_CCM_PAYLOAD_MAX_BYTES) - * - * @param p_native OUT -- will be filled in with the native integer value. - * @param p_bytes IN -- standard octet representation of the integer to convert. - * + * @brief computes sign of left - right, not in constant time. + * @note should not be used if inputs are part of a secret + * @param left IN -- left term to be compared + * @param right IN -- right term to be compared + * @param num_words IN -- number of words + * @return the sign of left - right */ -void ecc_bytes2native(uint32_t p_native[NUM_ECC_DIGITS], - uint8_t p_bytes[NUM_ECC_DIGITS*4]); +cmpresult_t uECC_vli_cmp_unsafe(const uECC_word_t *left, const uECC_word_t *right, + wordcount_t num_words); +/* + * @brief Computes result = (left - right) % mod. + * @note Assumes that (left < mod) and (right < mod), and that result does not + * overlap mod. + * @param result OUT -- (left - right) % mod + * @param left IN -- leftright term in modular subtraction + * @param right IN -- right term in modular subtraction + * @param mod IN -- mod + * @param num_words IN -- number of words + */ +void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, const uECC_word_t *mod, + wordcount_t num_words); /* - * @brief Convert an integer in native format to standard octet representation. - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * out == NULL or - * c == NULL or - * ((plen > 0) and (payload == NULL)) or - * ((alen > 0) and (associated_data == NULL)) or - * (alen >= TC_CCM_AAD_MAX_BYTES) or - * (plen >= TC_CCM_PAYLOAD_MAX_BYTES) - * - * @param p_bytes OUT -- will be filled in with the standard octet - * representation of the integer. 
- * @param p_native IN -- native integer value to convert. - * + * @brief Computes P' = (x1', y1', Z3), P + Q = (x3, y3, Z3) or + * P => P', Q => P + Q + * @note assumes Input P = (x1, y1, Z), Q = (x2, y2, Z) + * @param X1 IN -- x coordinate of P + * @param Y1 IN -- y coordinate of P + * @param X2 IN -- x coordinate of Q + * @param Y2 IN -- y coordinate of Q + * @param curve IN -- elliptic curve + */ +void XYcZ_add(uECC_word_t * X1, uECC_word_t * Y1, uECC_word_t * X2, + uECC_word_t * Y2, uECC_Curve curve); + +/* + * @brief Computes (x1 * z^2, y1 * z^3) + * @param X1 IN -- previous x1 coordinate + * @param Y1 IN -- previous y1 coordinate + * @param Z IN -- z value + * @param curve IN -- elliptic curve + */ +void apply_z(uECC_word_t * X1, uECC_word_t * Y1, const uECC_word_t * const Z, + uECC_Curve curve); + +/* + * @brief Check if bit is set. + * @return Returns nonzero if bit 'bit' of vli is set. + * @warning It is assumed that the value provided in 'bit' is within the + * boundaries of the word-array 'vli'. + * @note The bit ordering layout assumed for vli is: {31, 30, ..., 0}, + * {63, 62, ..., 32}, {95, 94, ..., 64}, {127, 126,..., 96} for a vli consisting + * of 4 uECC_word_t elements. + */ +uECC_word_t uECC_vli_testBit(const uECC_word_t *vli, bitcount_t bit); + +/* + * @brief Computes result = product % mod, where product is 2N words long. + * @param result OUT -- product % mod + * @param mod IN -- module + * @param num_words IN -- number of words + * @warning Currently only designed to work for curve_p or curve_n. 
+ */ +void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product, + const uECC_word_t *mod, wordcount_t num_words); + +/* + * @brief Computes modular product (using curve->mmod_fast) + * @param result OUT -- (left * right) mod % curve_p + * @param left IN -- left term in product + * @param right IN -- right term in product + * @param curve IN -- elliptic curve + */ +void uECC_vli_modMult_fast(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, uECC_Curve curve); + +/* + * @brief Computes result = left - right. + * @note Can modify in place. + * @param result OUT -- left - right + * @param left IN -- left term in subtraction + * @param right IN -- right term in subtraction + * @param num_words IN -- number of words + * @return borrow + */ +uECC_word_t uECC_vli_sub(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, wordcount_t num_words); + +/* + * @brief Constant-time comparison function(secure way to compare long ints) + * @param left IN -- left term in comparison + * @param right IN -- right term in comparison + * @param num_words IN -- number of words + * @return Returns 0 if left == right, 1 otherwise. + */ +uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right, + wordcount_t num_words); + +/* + * @brief Computes (left * right) % mod + * @param result OUT -- (left * right) % mod + * @param left IN -- left term in product + * @param right IN -- right term in product + * @param mod IN -- mod + * @param num_words IN -- number of words + */ +void uECC_vli_modMult(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, const uECC_word_t *mod, + wordcount_t num_words); + +/* + * @brief Computes (1 / input) % mod + * @note All VLIs are the same size. 
+ * @note See "Euclid's GCD to Montgomery Multiplication to the Great Divide" + * @param result OUT -- (1 / input) % mod + * @param input IN -- value to be modular inverted + * @param mod IN -- mod + * @param num_words -- number of words */ -void ecc_native2bytes(uint8_t p_bytes[NUM_ECC_DIGITS*4], - uint32_t p_native[NUM_ECC_DIGITS]); +void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input, + const uECC_word_t *mod, wordcount_t num_words); + +/* + * @brief Sets dest = src. + * @param dest OUT -- destination buffer + * @param src IN -- origin buffer + * @param num_words IN -- number of words + */ +void uECC_vli_set(uECC_word_t *dest, const uECC_word_t *src, + wordcount_t num_words); + +/* + * @brief Computes (left + right) % mod. + * @note Assumes that (left < mod) and right < mod), and that result does not + * overlap mod. + * @param result OUT -- (left + right) % mod. + * @param left IN -- left term in addition + * @param right IN -- right term in addition + * @param mod IN -- mod + * @param num_words IN -- number of words + */ +void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, const uECC_word_t *mod, + wordcount_t num_words); + +/* + * @brief Counts the number of bits required to represent vli. 
+ * @param vli IN -- very long integer + * @param max_words IN -- number of words + * @return number of bits in given vli + */ +bitcount_t uECC_vli_numBits(const uECC_word_t *vli, + const wordcount_t max_words); + +/* + * @brief Erases (set to 0) vli + * @param vli IN -- very long integer + * @param num_words IN -- number of words + */ +void uECC_vli_clear(uECC_word_t *vli, wordcount_t num_words); + +/* + * @brief check if it is a valid point in the curve + * @param point IN -- point to be checked + * @param curve IN -- elliptic curve + * @return 0 if point is valid + * @exception returns -1 if it is a point at infinity + * @exception returns -2 if x or y is smaller than p, + * @exception returns -3 if y^2 != x^3 + ax + b. + */ +int uECC_valid_point(const uECC_word_t *point, uECC_Curve curve); + +/* + * @brief Check if a public key is valid. + * @param public_key IN -- The public key to be checked. + * @return returns 0 if the public key is valid + * @exception returns -1 if it is a point at infinity + * @exception returns -2 if x or y is smaller than p, + * @exception returns -3 if y^2 != x^3 + ax + b. + * @exception returns -4 if public key is the group generator. + * + * @note Note that you are not required to check for a valid public key before + * using any other uECC functions. However, you may wish to avoid spending CPU + * time computing a shared secret or verifying a signature using an invalid + * public key. + */ +int uECC_valid_public_key(const uint8_t *public_key, uECC_Curve curve); + + /* + * @brief Converts an integer in uECC native format to big-endian bytes. + * @param bytes OUT -- bytes representation + * @param num_bytes IN -- number of bytes + * @param native IN -- uECC native representation + */ +void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes, + const unsigned int *native); + +/* + * @brief Converts big-endian bytes to an integer in uECC native format. 
+ * @param native OUT -- uECC native representation + * @param bytes IN -- bytes representation + * @param num_bytes IN -- number of bytes + */ +void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes, + int num_bytes); #ifdef __cplusplus } #endif -#endif +#endif /* __TC_UECC_H__ */ diff --git a/lib/include/tinycrypt/ecc_dh.h b/lib/include/tinycrypt/ecc_dh.h index 778fee2..b828e19 100644 --- a/lib/include/tinycrypt/ecc_dh.h +++ b/lib/include/tinycrypt/ecc_dh.h @@ -1,10 +1,8 @@ /* ecc_dh.h - TinyCrypt interface to EC-DH implementation */ /* - * ============================================================================= - * Copyright (c) 2013, Kenneth MacKay + * Copyright (c) 2014, Kenneth MacKay * All rights reserved. - * https://github.com/kmackay/micro-ecc * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -27,9 +25,9 @@ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. - * - * ============================================================================= - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + */ + +/* Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -66,7 +64,6 @@ * uses curve NIST p-256. * * Security: The curve NIST p-256 provides approximately 128 bits of security. - * */ #ifndef __TC_ECC_DH_H__ 
@@ -80,63 +77,55 @@ extern "C" { /** * @brief Create a public/private key pair. - * @return returns TC_CRYPTO_SUCCESS (1) if key pair was generated successfully - * returns TC_CRYPTO_FAIL (0) if: - * the private key is 0 - * - * @param p_publicKey OUT -- the point representing the public key. - * @param p_privateKey OUT -- the private key. - * @param p_random IN -- The random number to use to generate the key pair. + * @return returns TC_CRYPTO_SUCCESS (1) if the key pair was generated successfully + * returns TC_CRYPTO_FAIL (0) if error while generating key pair * - * @note You must use a new non-predictable random number to generate each - * new key pair. - * @note p_random must have NUM_ECC_DIGITS*2 bits of entropy to eliminate - * bias in keys. + * @param p_public_key OUT -- Will be filled in with the public key. Must be at + * least 2 * the curve size (in bytes) long. For curve secp256r1, p_public_key + * must be 64 bytes long. + * @param p_private_key OUT -- Will be filled in with the private key. Must be as + * long as the curve order (for secp256r1, p_private_key must be 32 bytes long). * * @note side-channel countermeasure: algorithm strengthened against timing * attack. + * @warning A cryptographically-secure PRNG function must be set (using + * uECC_set_rng()) before calling uECC_make_key(). */ -int32_t ecc_make_key(EccPoint *p_publicKey, - uint32_t p_privateKey[NUM_ECC_DIGITS], - uint32_t p_random[2 * NUM_ECC_DIGITS]); +int uECC_make_key(uint8_t *p_public_key, uint8_t *p_private_key, uECC_Curve curve); + +#ifdef ENABLE_TESTS /** - * @brief Determine whether or not a given point is on the chosen elliptic curve - * (ie, is a valid public key). 
- * @return returns 0 if the given point is valid - * returns -1 if: the point is zero - * returns -2 if: curve_p - p_publicKey->x != 1 or - * curve_p - p_publicKey->y != 1 - * returns -3 if: y^2 != x^3 + ax + b - * returns -4 if: public key is the group generator - * - * @param p_publicKey IN -- The point to be checked. + * @brief Create a public/private key pair given a specific d. + * + * @note THIS FUNCTION SHOULD BE CALLED ONLY FOR TEST PURPOSES. Refer to + * uECC_make_key() function for real applications. */ -int32_t ecc_valid_public_key(EccPoint *p_publicKey); +int uECC_make_key_with_d(uint8_t *p_public_key, uint8_t *p_private_key, + unsigned int *d, uECC_Curve curve); +#endif /** * @brief Compute a shared secret given your secret key and someone else's * public key. - * @return returns TC_CRYPTO_SUCCESS (1) if the secret was computed successfully + * @return returns TC_CRYPTO_SUCCESS (1) if the shared secret was computed successfully * returns TC_CRYPTO_FAIL (0) otherwise * - * @param p_secret OUT -- The shared secret value. - * @param p_publicKey IN -- The public key of the remote party. - * @param p_privateKey IN -- Your private key. + * @param p_secret OUT -- Will be filled in with the shared secret value. Must be + * the same size as the curve size (for curve secp256r1, secret must be 32 bytes + * long. + * @param p_public_key IN -- The public key of the remote party. + * @param p_private_key IN -- Your private key. * - * @note Optionally, you can provide a random multiplier for resistance to DPA - * attacks. The random multiplier should probably be different for each - * invocation of ecdh_shared_secret(). - * - * @warning It is recommended to use the output of ecdh_shared_secret() as the + * @warning It is recommended to use the output of uECC_shared_secret() as the * input of a recommended Key Derivation Function (see NIST SP 800-108) in - * order to produce a symmetric key. + * order to produce a cryptographically secure symmetric key. 
*/ -int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS], EccPoint *p_publicKey, - uint32_t p_privateKey[NUM_ECC_DIGITS]); +int uECC_shared_secret(const uint8_t *p_public_key, const uint8_t *p_private_key, + uint8_t *p_secret, uECC_Curve curve); #ifdef __cplusplus } #endif -#endif +#endif /* __TC_ECC_DH_H__ */ diff --git a/lib/include/tinycrypt/ecc_dsa.h b/lib/include/tinycrypt/ecc_dsa.h index a037fa5..aca00bc 100644 --- a/lib/include/tinycrypt/ecc_dsa.h +++ b/lib/include/tinycrypt/ecc_dsa.h @@ -1,10 +1,8 @@ /* ecc_dh.h - TinyCrypt interface to EC-DSA implementation */ /* - * ============================================================================= - * Copyright (c) 2013, Kenneth MacKay + * Copyright (c) 2014, Kenneth MacKay * All rights reserved. - * https://github.com/kmackay/micro-ecc * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -27,9 +25,10 @@ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. - * - * ============================================================================= - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + */ + +/* + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
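Review bot: The rewritten comment on `uECC_shared_secret` in ecc_dh.h does not say whether `p_public_key` is checked to lie on the curve, and this hunk also drops `ecc_valid_public_key` from the header, so a reader of ecc_dh.h alone no longer learns that a validation routine exists. The implementation is not part of this hunk, so unless it validates internally I would add `@warning p_public_key is supplied by the remote party; reject it unless uECC_valid_public_key() returns 0.` to the comment. Both `uECC_make_key` and `uECC_shared_secret` also lack an `@param curve` line. The parameter list for `uECC_shared_secret` still documents `p_secret` first although it is now the third argument, and the parenthesis opened before "for curve secp256r1, secret must be 32 bytes long." is never closed.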
@@ -87,49 +86,54 @@ extern "C" { /** * @brief Generate an ECDSA signature for a given hash value. - * @return returns TC_CRYPTO_SUCCESS (1) if the the signature generated successfully - * returns TC_CRYPTO_FAIL (0) if: - * r == 0 or - * p_random == 0 - * - * @param r OUT -- to be filled with the signature values. - * @param s OUT -- to be filled with the signature values. - * @param p_privateKey IN -- Your private key. - * @param p_random IN -- The random number to use in generating ephemeral DSA - * keys. - * @param p_hash IN -- The message hash to sign. - * - * @note p_random must have NUM_ECC_DIGITS*2 bits of entropy to eliminate - * bias in keys. - * + * @return returns TC_CRYPTO_SUCCESS (1) if the signature generated successfully + * returns TC_CRYPTO_FAIL (0) if an error occurred. + * + * @param p_private_key IN -- Your private key. + * @param p_message_hash IN -- The hash of the message to sign. + * @param p_hash_size IN -- The size of p_message_hash in bytes. + * @param p_signature OUT -- Will be filled in with the signature value. Must be + * at least 2 * curve size long (for secp256r1, signature must be 64 bytes long). + * + * @warning A cryptographically-secure PRNG function must be set (using + * uECC_set_rng()) before calling uECC_sign(). + * @note Usage: Compute a hash of the data you wish to sign (SHA-2 is + * recommended) and pass it in to this function along with your private key. * @note side-channel countermeasure: algorithm strengthened against timing * attack. */ -int32_t ecdsa_sign(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS], - uint32_t p_privateKey[NUM_ECC_DIGITS], uint32_t p_random[NUM_ECC_DIGITS * 2], - uint32_t p_hash[NUM_ECC_DIGITS]); +int uECC_sign(const uint8_t *p_private_key, const uint8_t *p_message_hash, + unsigned p_hash_size, uint8_t *p_signature, uECC_Curve curve); +#ifdef ENABLE_TESTS +/* + * THIS FUNCTION SHOULD BE CALLED FOR TEST PURPOSES ONLY. + * Refer to uECC_sign() function for real applications. 
+ */ +int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, + unsigned int hash_size, uECC_word_t *k, uint8_t *signature, + uECC_Curve curve); +#endif /** * @brief Verify an ECDSA signature. - * @return returns TC_CRYPTO_SUCCESS (1) if the the signature generated successfully - * returns TC_CRYPTO_FAIL (0) if: - * r == 0 or - * p_random == 0 + * @return returns TC_SUCCESS (1) if the signature is valid + * returns TC_FAIL (0) if the signature is invalid. * - * @param p_publicKey IN -- The signer's public key. - * @param p_hash IN -- The hash of the signed data. - * @param r IN -- The signature values. - * @param s IN -- The signature values. + * @param p_public_key IN -- The signer's public key. + * @param p_message_hash IN -- The hash of the signed data. + * @param p_hash_size IN -- The size of p_message_hash in bytes. + * @param p_signature IN -- The signature values. * - * @note side-channel countermeasure: algorithm strengthened against timing - * attack. + * @note Usage: Compute the hash of the signed data using the same hash as the + * signer and pass it to this function along with the signer's public key and + * the signature values (hash_size and signature). */ -int32_t ecdsa_verify(EccPoint *p_publicKey, uint32_t p_hash[NUM_ECC_DIGITS], - uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS]); +int uECC_verify(const uint8_t *p_public_key, const uint8_t *p_message_hash, + unsigned int p_hash_size, const uint8_t *p_signature, uECC_Curve curve); #ifdef __cplusplus } #endif -#endif +#endif /* __TC_ECC_DSA_H__ */ diff --git a/lib/include/tinycrypt/hmac.h b/lib/include/tinycrypt/hmac.h index 26f6cfe..3a08149 100644 --- a/lib/include/tinycrypt/hmac.h +++ b/lib/include/tinycrypt/hmac.h 
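Review bot: `uECC_sign_with_k` in ecc_dsa.h takes the per-signature value `k` from the caller, and the `ENABLE_TESTS` guard is the only thing keeping it out of a shipped library, yet its comment gives no reason for the restriction and documents no parameter. I would state the reason so the function is not later reused for deterministic signing: `@warning k must be secret and never repeated; signing two hashes with the same k discloses the private key.` Separately, the `uECC_verify` comment names `TC_SUCCESS`/`TC_FAIL` while the other comments in this hunk use `TC_CRYPTO_SUCCESS`/`TC_CRYPTO_FAIL`. The constants' definitions are not visible here, so this looks like a typo but should be confirmed against the header that defines them.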
@@ -1,7 +1,7 @@ /* hmac.h - TinyCrypt interface to an HMAC implementation */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -89,9 +89,8 @@ typedef struct tc_hmac_state_struct *TCHmacState_t; * @param key IN -- the HMAC key to configure * @param key_size IN -- the HMAC key size */ -int32_t tc_hmac_set_key(TCHmacState_t ctx, - const uint8_t *key, - uint32_t key_size); +int tc_hmac_set_key(TCHmacState_t ctx, const uint8_t *key, + unsigned int key_size); /** * @brief HMAC init procedure @@ -100,7 +99,7 @@ int32_t tc_hmac_set_key(TCHmacState_t ctx, * returns TC_CRYPTO_FAIL (0) if: ctx == NULL or key == NULL * @param ctx IN/OUT -- struct tc_hmac_state_struct buffer to init */ -int32_t tc_hmac_init(TCHmacState_t ctx); +int tc_hmac_init(TCHmacState_t ctx); /** * @brief HMAC update procedure @@ -112,9 +111,8 @@ int32_t tc_hmac_init(TCHmacState_t ctx); * @param data IN -- data to incorporate into state * @param data_length IN -- size of data in bytes */ -int32_t tc_hmac_update(TCHmacState_t ctx, - const void *data, - uint32_t data_length); +int tc_hmac_update(TCHmacState_t ctx, const void *data, + unsigned int data_length); /** * @brief HMAC final procedure 
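Review bot: The prototypes changed in hmac.h (`tc_hmac_set_key` and `tc_hmac_update` here, `tc_hmac_final` in the following hunk) replace `uint32_t` lengths with `unsigned int`, which C only guarantees to be 16 bits wide, so on a 16-bit target a caller still holding a 32-bit length would have it truncated silently at the call. If such targets are in scope, keeping the fixed-width type or using `size_t` for byte counts makes the accepted range explicit, e.g. `int tc_hmac_update(TCHmacState_t ctx, const void *data, size_t data_length);`. The same substitution appears in the hmac_prng.h hunks (`tc_hmac_prng_init`, `tc_hmac_prng_reseed`, `tc_hmac_prng_generate` and the `countdown` field), where the reseed counter's maximum should be checked against the narrower range. The function bodies are outside these hunks, so whether they already bound the lengths cannot be seen here.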
@@ -125,17 +123,17 @@ int32_t tc_hmac_update(TCHmacState_t ctx, * ctx == NULL or * key == NULL or * taglen != TC_SHA256_DIGEST_SIZE - * @note 'ctx' is erased before exiting (this must never be changed/removed). + * @note ctx is erased before exiting. This should never be changed/removed. * @note Assumes the tag bufer is at least sizeof(hmac_tag_size(state)) bytes * state has been initialized by tc_hmac_init * @param tag IN/OUT -- buffer to receive computed HMAC tag * @param taglen IN -- size of tag in bytes * @param ctx IN/OUT -- the HMAC state for computing tag */ -int32_t tc_hmac_final(uint8_t *tag, uint32_t taglen, TCHmacState_t ctx); +int tc_hmac_final(uint8_t *tag, unsigned int taglen, TCHmacState_t ctx); #ifdef __cplusplus } #endif -#endif +#endif /*__TC_HMAC_H__*/ diff --git a/lib/include/tinycrypt/hmac_prng.h b/lib/include/tinycrypt/hmac_prng.h index b631c2c..ad12cbb 100644 --- a/lib/include/tinycrypt/hmac_prng.h +++ b/lib/include/tinycrypt/hmac_prng.h @@ -1,7 +1,7 @@ /* hmac_prng.h - TinyCrypt interface to an HMAC-PRNG implementation */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -85,7 +85,7 @@ struct tc_hmac_prng_struct { /* PRNG state */ uint8_t v[TC_SHA256_DIGEST_SIZE]; /* calls to tc_hmac_prng_generate left before re-seed */ - uint32_t countdown; + unsigned int countdown; }; typedef struct tc_hmac_prng_struct *TCHmacPrng_t; 
@@ -112,15 +112,15 @@ typedef struct tc_hmac_prng_struct *TCHmacPrng_t; * @param personalization IN -- personalization string * @param plen IN -- personalization length in bytes */ -int32_t tc_hmac_prng_init(TCHmacPrng_t prng, - const uint8_t *personalization, - uint32_t plen); +int tc_hmac_prng_init(TCHmacPrng_t prng, + const uint8_t *personalization, + unsigned int plen); /** * @brief HMAC-PRNG reseed procedure * Mixes seed into prng, enables tc_hmac_prng_generate * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: + * returns TC_CRYPTO_FAIL (0) if: * prng == NULL, * seed == NULL, * seedlen < MIN_SLEN, @@ -136,16 +136,16 @@ int32_t tc_hmac_prng_init(TCHmacPrng_t prng, * @param additional_input IN -- additional input to the prng * @param additionallen IN -- additional input length in bytes */ -int32_t tc_hmac_prng_reseed(TCHmacPrng_t prng, const uint8_t *seed, - uint32_t seedlen, const uint8_t *additional_input, - uint32_t additionallen); +int tc_hmac_prng_reseed(TCHmacPrng_t prng, const uint8_t *seed, + unsigned int seedlen, const uint8_t *additional_input, + unsigned int additionallen); /** * @brief HMAC-PRNG generate procedure * Generates outlen pseudo-random bytes into out buffer, updates prng * @return returns TC_CRYPTO_SUCCESS (1) * returns TC_HMAC_PRNG_RESEED_REQ (-1) if a reseed is needed - * returns TC_CRYPTO_FAIL (0) if: + * returns TC_CRYPTO_FAIL (0) if: * out == NULL, * prng == NULL, * outlen == 0, @@ -155,10 +155,10 @@ int32_t tc_hmac_prng_reseed(TCHmacPrng_t prng, const uint8_t *seed, * @param outlen IN -- size of out buffer in bytes * @param prng IN/OUT -- the PRNG state */ -int32_t tc_hmac_prng_generate(uint8_t *out, uint32_t outlen, TCHmacPrng_t prng); +int tc_hmac_prng_generate(uint8_t *out, unsigned int outlen, TCHmacPrng_t prng); #ifdef __cplusplus } #endif -#endif +#endif /* __TC_HMAC_PRNG_H__ */ diff --git a/lib/include/tinycrypt/sha256.h b/lib/include/tinycrypt/sha256.h index d1e1f61..af5e8ba 100644 
--- a/lib/include/tinycrypt/sha256.h +++ b/lib/include/tinycrypt/sha256.h @@ -1,7 +1,7 @@ /* sha256.h - TinyCrypt interface to a SHA-256 implementation */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -69,7 +69,7 @@ extern "C" { #define TC_SHA256_STATE_BLOCKS (TC_SHA256_DIGEST_SIZE/4) struct tc_sha256_state_struct { - uint32_t iv[TC_SHA256_STATE_BLOCKS]; + unsigned int iv[TC_SHA256_STATE_BLOCKS]; uint64_t bits_hashed; uint8_t leftover[TC_SHA256_BLOCK_SIZE]; size_t leftover_offset; @@ -84,7 +84,7 @@ typedef struct tc_sha256_state_struct *TCSha256State_t; * returns TC_CRYPTO_FAIL (0) if s == NULL * @param s Sha256 state struct */ -int32_t tc_sha256_init(TCSha256State_t s); +int tc_sha256_init(TCSha256State_t s); /** * @brief SHA256 update procedure @@ -102,9 +102,7 @@ int32_t tc_sha256_init(TCSha256State_t s); * @param data message to hash * @param datalen length of message to hash */ -int32_t tc_sha256_update(TCSha256State_t s, - const uint8_t *data, - size_t datalen); +int tc_sha256_update (TCSha256State_t s, const uint8_t *data, size_t datalen); /** * @brief SHA256 final procedure @@ -122,10 +120,10 @@ int32_t tc_sha256_update(TCSha256State_t s, * @param digest unsigned eight bit integer * @param Sha256 state struct */ -int32_t tc_sha256_final(uint8_t *digest, TCSha256State_t s); +int tc_sha256_final(uint8_t *digest, TCSha256State_t s); #ifdef __cplusplus } #endif -#endif +#endif /* __TC_SHA256_H__ */ diff --git a/lib/include/tinycrypt/utils.h b/lib/include/tinycrypt/utils.h index 429934e..bab5c32 100644 --- a/lib/include/tinycrypt/utils.h +++ b/lib/include/tinycrypt/utils.h 
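Review bot: The `iv` member of `struct tc_sha256_state_struct` changes from `uint32_t` to `unsigned int`, but SHA-256 works on exactly 32-bit words and C only guarantees that `unsigned int` has at least 16 bits. On a target where it is not 32 bits wide, the word arithmetic in the implementation (not visible here) would presumably stop wrapping mod 2^32 and produce wrong digests. I would keep `uint32_t iv[TC_SHA256_STATE_BLOCKS];` and use `unsigned int` only for lengths and loop counters. The same concern applies to the AES word types changed later in this commit: `add_round_key(uint8_t *s, const unsigned int *k)` in aes_decrypt.c and aes_encrypt.c, and `rotword(unsigned int a)` and `rconst` in aes_encrypt.c. There `a >> 24` is undefined for a 16-bit `unsigned int`, and `(a >> 24)|(a << 8)` is no longer a 32-bit rotation for a wider one.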
@@ -1,7 +1,7 @@ /* utils.h - TinyCrypt interface to platform-dependent run-time operations */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -57,8 +57,8 @@ extern "C" { * @param from IN -- origin buffer * @param from_len IN -- length of origin buffer */ -uint32_t _copy(uint8_t *to, uint32_t to_len, - const uint8_t *from, uint32_t from_len); +unsigned int _copy(uint8_t *to, unsigned int to_len, + const uint8_t *from, unsigned int from_len); /** * @brief Set the value 'val' into the buffer 'to', 'len' times. @@ -67,7 +67,7 @@ uint32_t _copy(uint8_t *to, uint32_t to_len, * @param val IN -- value to be set in 'to' * @param len IN -- number of times the value will be copied */ -void _set(void *to, uint8_t val, uint32_t len); +void _set(void *to, uint8_t val, unsigned int len); /* * @brief AES specific doubling function, which utilizes @@ -86,10 +86,10 @@ uint8_t _double_byte(uint8_t a); * @param b IN -- sequence of bytes b * @param size IN -- size of sequences a and b */ -int32_t _compare(const uint8_t *a, const uint8_t *b, size_t size); +int _compare(const uint8_t *a, const uint8_t *b, size_t size); #ifdef __cplusplus } #endif -#endif +#endif /* __TC_UTILS_H__ */ diff --git a/lib/source/aes_decrypt.c b/lib/source/aes_decrypt.c index 2e4e3bc..993a618 100644 --- a/lib/source/aes_decrypt.c +++ b/lib/source/aes_decrypt.c @@ -1,7 +1,7 @@ /* aes_decrypt.c - TinyCrypt implementation of AES decryption procedure */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
@@ -34,8 +34,6 @@ #include #include -#define ZERO_BYTE 0x00 - static const uint8_t inv_sbox[256] = { 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, @@ -61,7 +59,7 @@ static const uint8_t inv_sbox[256] = { 0x55, 0x21, 0x0c, 0x7d }; -int32_t tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k) +int tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k) { return tc_aes128_set_encrypt_key(s, k); } @@ -91,7 +89,7 @@ static inline void inv_mix_columns(uint8_t *s) (void)_copy(s, sizeof(t), t, sizeof(t)); } -static inline void add_round_key(uint8_t *s, const uint32_t *k) +static inline void add_round_key(uint8_t *s, const unsigned int *k) { s[0] ^= (uint8_t)(k[0] >> 24); s[1] ^= (uint8_t)(k[0] >> 16); s[2] ^= (uint8_t)(k[0] >> 8); s[3] ^= (uint8_t)(k[0]); @@ -105,7 +103,7 @@ static inline void add_round_key(uint8_t *s, const uint32_t *k) static inline void inv_sub_bytes(uint8_t *s) { - uint32_t i; + unsigned int i; for (i = 0; i < (Nb*Nk); ++i) { s[i] = inv_sbox[s[i]]; @@ -128,10 +126,10 @@ static inline void inv_shift_rows(uint8_t *s) (void)_copy(s, sizeof(t), t, sizeof(t)); } -int32_t tc_aes_decrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s) +int tc_aes_decrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s) { uint8_t state[Nk*Nb]; - uint32_t i; + unsigned int i; if (out == (uint8_t *) 0) { return TC_CRYPTO_FAIL; @@ -145,7 +143,7 @@ int32_t tc_aes_decrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s) add_round_key(state, s->words + Nb*Nr); - for (i = Nr-1; i > 0; --i) { + for (i = Nr - 1; i > 0; --i) { inv_shift_rows(state); inv_sub_bytes(state); add_round_key(state, s->words + Nb*i); 
@@ -157,8 +155,10 @@ int32_t tc_aes_decrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s) add_round_key(state, s->words); (void)_copy(out, sizeof(state), state, sizeof(state)); - /*zeroing out one byte state buffer */ - _set(state, ZERO_BYTE, sizeof(state)); + + /*zeroing out the state buffer */ + _set(state, TC_ZERO_BYTE, sizeof(state)); + return TC_CRYPTO_SUCCESS; } diff --git a/lib/source/aes_encrypt.c b/lib/source/aes_encrypt.c index 6bc73a5..8991aee 100644 --- a/lib/source/aes_encrypt.c +++ b/lib/source/aes_encrypt.c @@ -1,7 +1,7 @@ /* aes_encrypt.c - TinyCrypt implementation of AES encryption procedure */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -59,7 +59,7 @@ static const uint8_t sbox[256] = { 0xb0, 0x54, 0xbb, 0x16 }; -static inline uint32_t rotword(uint32_t a) +static inline unsigned int rotword(unsigned int a) { return (((a) >> 24)|((a) << 8)); } @@ -67,14 +67,14 @@ static inline uint32_t rotword(uint32_t a) #define subbyte(a, o)(sbox[((a) >> (o))&0xff] << (o)) #define subword(a)(subbyte(a, 24)|subbyte(a, 16)|subbyte(a, 8)|subbyte(a, 0)) -int32_t tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k) +int tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k) { - const uint32_t rconst[11] = { - 0x00000000, 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, - 0x20000000, 0x40000000, 0x80000000, 0x1b000000, 0x36000000 + const unsigned int rconst[11] = { + 0x00000000, 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, + 0x20000000, 0x40000000, 0x80000000, 0x1b000000, 0x36000000 }; - uint32_t i; - uint32_t t; + unsigned int i; + unsigned int t; if (s == (TCAesKeySched_t) 0) { return TC_CRYPTO_FAIL; 
@@ -87,7 +87,7 @@ int32_t tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k) (k[Nb*i+2]<<8) | (k[Nb*i+3]); } - for (; i < (Nb*(Nr+1)); ++i) { + for (; i < (Nb * (Nr + 1)); ++i) { t = s->words[i-1]; if ((i % Nk) == 0) { t = subword(rotword(t)) ^ rconst[i/Nk]; @@ -98,7 +98,7 @@ int32_t tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k) return TC_CRYPTO_SUCCESS; } -static inline void add_round_key(uint8_t *s, const uint32_t *k) +static inline void add_round_key(uint8_t *s, const unsigned int *k) { s[0] ^= (uint8_t)(k[0] >> 24); s[1] ^= (uint8_t)(k[0] >> 16); s[2] ^= (uint8_t)(k[0] >> 8); s[3] ^= (uint8_t)(k[0]); @@ -112,9 +112,9 @@ static inline void add_round_key(uint8_t *s, const uint32_t *k) static inline void sub_bytes(uint8_t *s) { - uint32_t i; + unsigned int i; - for (i = 0; i < (Nb*Nk); ++i) { + for (i = 0; i < (Nb * Nk); ++i) { s[i] = sbox[s[i]]; } } @@ -135,8 +135,8 @@ static inline void mix_columns(uint8_t *s) mult_row_column(t, s); mult_row_column(&t[Nb], s+Nb); - mult_row_column(&t[2*Nb], s+(2*Nb)); - mult_row_column(&t[3*Nb], s+(3*Nb)); + mult_row_column(&t[2 * Nb], s + (2 * Nb)); + mult_row_column(&t[3 * Nb], s + (3 * Nb)); (void) _copy(s, sizeof(t), t, sizeof(t)); } @@ -146,7 +146,7 @@ static inline void mix_columns(uint8_t *s) */ static inline void shift_rows(uint8_t *s) { - uint8_t t[Nb*Nk]; + uint8_t t[Nb * Nk]; t[0] = s[0]; t[1] = s[5]; t[2] = s[10]; t[3] = s[15]; t[4] = s[4]; t[5] = s[9]; t[6] = s[14]; t[7] = s[3]; @@ -155,10 +155,10 @@ static inline void shift_rows(uint8_t *s) (void) _copy(s, sizeof(t), t, sizeof(t)); } -int32_t tc_aes_encrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s) +int tc_aes_encrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s) { uint8_t state[Nk*Nb]; - uint32_t i; + unsigned int i; if (out == (uint8_t *) 0) { return TC_CRYPTO_FAIL; 
@@ -171,7 +171,7 @@ int32_t tc_aes_encrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s) (void)_copy(state, sizeof(state), in, sizeof(state)); add_round_key(state, s->words); - for (i = 0; i < (Nr-1); ++i) { + for (i = 0; i < (Nr - 1); ++i) { sub_bytes(state); shift_rows(state); mix_columns(state); diff --git a/lib/source/cbc_mode.c b/lib/source/cbc_mode.c index 8163e0d..62d7879 100644 --- a/lib/source/cbc_mode.c +++ b/lib/source/cbc_mode.c @@ -1,7 +1,7 @@ /* cbc_mode.c - TinyCrypt implementation of CBC mode encryption & decryption */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -34,13 +34,13 @@ #include #include -int32_t tc_cbc_mode_encrypt(uint8_t *out, uint32_t outlen, const uint8_t *in, - uint32_t inlen, const uint8_t *iv, +int tc_cbc_mode_encrypt(uint8_t *out, unsigned int outlen, const uint8_t *in, + unsigned int inlen, const uint8_t *iv, const TCAesKeySched_t sched) { uint8_t buffer[TC_AES_BLOCK_SIZE]; - uint32_t n, m; + unsigned int n, m; /* input sanity check: */ if (out == (uint8_t *) 0 || @@ -74,13 +74,14 @@ int32_t tc_cbc_mode_encrypt(uint8_t *out, uint32_t outlen, const uint8_t *in, return TC_CRYPTO_SUCCESS; } -int32_t tc_cbc_mode_decrypt(uint8_t *out, uint32_t outlen, const uint8_t *in, - uint32_t inlen, const uint8_t *iv, +int tc_cbc_mode_decrypt(uint8_t *out, unsigned int outlen, const uint8_t *in, + unsigned int inlen, const uint8_t *iv, const TCAesKeySched_t sched) { + uint8_t buffer[TC_AES_BLOCK_SIZE]; const uint8_t *p; - uint32_t n, m; + unsigned int n, m; /* sanity check the inputs */ if (out == (uint8_t *) 0 || diff --git a/lib/source/ccm_mode.c b/lib/source/ccm_mode.c index 7b6d485..ca744e2 100644 --- a/lib/source/ccm_mode.c +++ b/lib/source/ccm_mode.c 
@@ -1,7 +1,7 @@ /* ccm_mode.c - TinyCrypt implementation of CCM mode */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -36,8 +36,8 @@ #include -int32_t tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce, - uint32_t nlen, uint32_t mlen) +int tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce, + unsigned int nlen, unsigned int mlen) { /* input sanity check: */ @@ -61,11 +61,11 @@ int32_t tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce, /** * Variation of CBC-MAC mode used in CCM. */ -static void ccm_cbc_mac(uint8_t *T, const uint8_t *data, uint32_t dlen, - uint32_t flag, TCAesKeySched_t sched) +static void ccm_cbc_mac(uint8_t *T, const uint8_t *data, unsigned int dlen, + unsigned int flag, TCAesKeySched_t sched) { - uint32_t i; + unsigned int i; if (flag > 0) { T[0] ^= (uint8_t)(dlen >> 8); @@ -90,14 +90,14 @@ static void ccm_cbc_mac(uint8_t *T, const uint8_t *data, uint32_t dlen, * encryption). Besides, it is assumed that the counter is stored in the last * 2 bytes of the nonce. */ -static int32_t ccm_ctr_mode(uint8_t *out, uint32_t outlen, const uint8_t *in, - uint32_t inlen, uint8_t *ctr, const TCAesKeySched_t sched) +static int ccm_ctr_mode(uint8_t *out, unsigned int outlen, const uint8_t *in, + unsigned int inlen, uint8_t *ctr, const TCAesKeySched_t sched) { uint8_t buffer[TC_AES_BLOCK_SIZE]; uint8_t nonce[TC_AES_BLOCK_SIZE]; uint16_t block_num; - uint32_t i; + unsigned int i; /* input sanity check: */ if (out == (uint8_t *) 0 || 
@@ -134,23 +134,26 @@ static int32_t ccm_ctr_mode(uint8_t *out, uint32_t outlen, const uint8_t *in, return TC_CRYPTO_SUCCESS; } -int32_t tc_ccm_generation_encryption(uint8_t *out, const uint8_t *associated_data, - uint32_t alen, const uint8_t *payload, - uint32_t plen, TCCcmMode_t c) +int tc_ccm_generation_encryption(uint8_t *out, unsigned int olen, + const uint8_t *associated_data, + unsigned int alen, const uint8_t *payload, + unsigned int plen, TCCcmMode_t c) { + /* input sanity check: */ if ((out == (uint8_t *) 0) || - (c == (TCCcmMode_t) 0) || - ((plen > 0) && (payload == (uint8_t *) 0)) || - ((alen > 0) && (associated_data == (uint8_t *) 0)) || - (alen >= TC_CCM_AAD_MAX_BYTES) || /* associated data size unsupported */ - (plen >= TC_CCM_PAYLOAD_MAX_BYTES)) { /* payload size unsupported */ + (c == (TCCcmMode_t) 0) || + ((plen > 0) && (payload == (uint8_t *) 0)) || + ((alen > 0) && (associated_data == (uint8_t *) 0)) || + (alen >= TC_CCM_AAD_MAX_BYTES) || /* associated data size unsupported */ + (plen >= TC_CCM_PAYLOAD_MAX_BYTES) || /* payload size unsupported */ + (olen < (plen + c->mlen))) { /* invalid output buffer size */ return TC_CRYPTO_FAIL; } uint8_t b[Nb * Nk]; uint8_t tag[Nb * Nk]; - uint32_t i; + unsigned int i; /* GENERATING THE AUTHENTICATION TAG: */ 
@@ -192,23 +195,27 @@ int32_t tc_ccm_generation_encryption(uint8_t *out, const uint8_t *associated_dat return TC_CRYPTO_SUCCESS; } -int32_t tc_ccm_decryption_verification(uint8_t *out, const uint8_t *associated_data, - uint32_t alen, const uint8_t *payload, - uint32_t plen, TCCcmMode_t c) -{ +int tc_ccm_decryption_verification(uint8_t *out, unsigned int olen, + const uint8_t *associated_data, + unsigned int alen, const uint8_t *payload, + unsigned int plen, TCCcmMode_t c) +{ + /* input sanity check: */ - if ((out == (uint8_t *) 0) || + if ((plen <= alen) || + (out == (uint8_t *) 0) || (c == (TCCcmMode_t) 0) || ((plen > 0) && (payload == (uint8_t *) 0)) || ((alen > 0) && (associated_data == (uint8_t *) 0)) || (alen >= TC_CCM_AAD_MAX_BYTES) || /* associated data size unsupported */ - (plen >= TC_CCM_PAYLOAD_MAX_BYTES)) { /* payload size unsupported */ + (plen >= TC_CCM_PAYLOAD_MAX_BYTES) || /* payload size unsupported */ + (olen < plen - c->mlen)) { /* invalid output buffer size */ return TC_CRYPTO_FAIL; - } + } uint8_t b[Nb * Nk]; uint8_t tag[Nb * Nk]; - uint32_t i; + unsigned int i; /* DECRYPTION: */ @@ -250,11 +257,11 @@ int32_t tc_ccm_decryption_verification(uint8_t *out, const uint8_t *associated_d } /* comparing the received tag and the computed one: */ - if (_compare(b, tag, c->mlen) != 0) { + if (_compare(b, tag, c->mlen) == 0) { + return TC_CRYPTO_SUCCESS; + } else { /* erase the decrypted buffer in case of mac validation failure: */ - _set(out, 0, sizeof(*out)); + _set(out, 0, plen - c->mlen); return TC_CRYPTO_FAIL; } - - return TC_CRYPTO_SUCCESS; } diff --git a/lib/source/cmac_mode.c b/lib/source/cmac_mode.c index 0da74d1..96d147e 100644 --- a/lib/source/cmac_mode.c +++ b/lib/source/cmac_mode.c 
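Review bot: The new first test in `tc_ccm_decryption_verification`, `(plen <= alen)`, compares the ciphertext length with the associated-data length, and these two sizes are unrelated, so a valid message whose AAD is at least as long as its payload is rejected. The condition that actually matters for `olen < plen - c->mlen` and for the later `_set(out, 0, plen - c->mlen)` is that `plen` is not smaller than the tag length. At present that is enforced only indirectly, through unsigned wrap-around of `plen - c->mlen`. If that was the intent, I would replace the test with an explicit `(plen < c->mlen) ||` placed after the `c == (TCCcmMode_t) 0` check so that `c` is not dereferenced before it is validated. The function body between the two hunks is not visible here, so the decrypt loop should be checked against the same bound.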
@@ -1,7 +1,7 @@ /* cmac_mode.c - TinyCrypt CMAC mode implementation */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -94,7 +94,7 @@ void gf_double(uint8_t *out, uint8_t *in) } } -int32_t tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched) +int tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched) { /* input sanity check: */ @@ -122,7 +122,7 @@ int32_t tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched return TC_CRYPTO_SUCCESS; } -int32_t tc_cmac_erase(TCCmacState_t s) +int tc_cmac_erase(TCCmacState_t s) { if (s == (TCCmacState_t) 0) { return TC_CRYPTO_FAIL; @@ -134,7 +134,7 @@ int32_t tc_cmac_erase(TCCmacState_t s) return TC_CRYPTO_SUCCESS; } -int32_t tc_cmac_init(TCCmacState_t s) +int tc_cmac_init(TCCmacState_t s) { /* input sanity check: */ if (s == (TCCmacState_t) 0) { @@ -154,9 +154,9 @@ int32_t tc_cmac_init(TCCmacState_t s) return TC_CRYPTO_SUCCESS; } -int32_t tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length) +int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length) { - uint32_t i; + unsigned int i; /* input sanity check: */ if (s == (TCCmacState_t) 0) { @@ -219,10 +219,10 @@ int32_t tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length) return TC_CRYPTO_SUCCESS; } -int32_t tc_cmac_final(uint8_t *tag, TCCmacState_t s) +int tc_cmac_final(uint8_t *tag, TCCmacState_t s) { uint8_t *k; - uint32_t i; + unsigned int i; /* input sanity check: */ if (tag == (uint8_t *) 0 || diff --git a/lib/source/ctr_mode.c b/lib/source/ctr_mode.c index 7ba53d0..1dfb92d 100644 --- a/lib/source/ctr_mode.c +++ b/lib/source/ctr_mode.c 
@@ -1,7 +1,7 @@ /* ctr_mode.c - TinyCrypt CTR mode implementation */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -34,14 +34,14 @@ #include #include -int32_t tc_ctr_mode(uint8_t *out, uint32_t outlen, const uint8_t *in, - uint32_t inlen, uint8_t *ctr, const TCAesKeySched_t sched) +int tc_ctr_mode(uint8_t *out, unsigned int outlen, const uint8_t *in, + unsigned int inlen, uint8_t *ctr, const TCAesKeySched_t sched) { uint8_t buffer[TC_AES_BLOCK_SIZE]; uint8_t nonce[TC_AES_BLOCK_SIZE]; - uint32_t block_num; - uint32_t i; + unsigned int block_num; + unsigned int i; /* input sanity check: */ if (out == (uint8_t *) 0 || diff --git a/lib/source/ctr_prng.c b/lib/source/ctr_prng.c index bac81d8..cac2cc4 100644 --- a/lib/source/ctr_prng.c +++ b/lib/source/ctr_prng.c @@ -50,15 +50,12 @@ * @param arr IN/OUT -- array to be incremented * @param len IN -- size of arr in bytes */ -static void arrInc(uint8_t arr[], uint32_t len) +static void arrInc(uint8_t arr[], unsigned int len) { - uint32_t i; - if (0 != arr) - { - for (i = len; i > 0U; i--) - { - if (++arr[i-1] != 0U) - { + unsigned int i; + if (0 != arr) { + for (i = len; i > 0U; i--) { + if (++arr[i-1] != 0U) { break; } } 
@@ -76,24 +73,21 @@ static void arrInc(uint8_t arr[], uint32_t len) */ static void tc_ctr_prng_update(TCCtrPrng_t * const ctx, uint8_t const * const providedData) { - if (0 != ctx) - { + if (0 != ctx) { /* 10.2.1.2 step 1 */ uint8_t temp[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE]; - uint32_t len = 0U; + unsigned int len = 0U; /* 10.2.1.2 step 2 */ - while (len < sizeof temp) - { - uint32_t blocklen = sizeof(temp) - len; + while (len < sizeof temp) { + unsigned int blocklen = sizeof(temp) - len; uint8_t output_block[TC_AES_BLOCK_SIZE]; /* 10.2.1.2 step 2.1 */ arrInc(ctx->V, sizeof ctx->V); /* 10.2.1.2 step 2.2 */ - if (blocklen > TC_AES_BLOCK_SIZE) - { + if (blocklen > TC_AES_BLOCK_SIZE) { blocklen = TC_AES_BLOCK_SIZE; } (void)tc_aes_encrypt(output_block, ctx->V, &ctx->key); @@ -105,11 +99,9 @@ static void tc_ctr_prng_update(TCCtrPrng_t * const ctx, uint8_t const * const pr } /* 10.2.1.2 step 4 */ - if (0 != providedData) - { - uint32_t i; - for (i = 0U; i < sizeof temp; i++) - { + if (0 != providedData) { + unsigned int i; + for (i = 0U; i < sizeof temp; i++) { temp[i] ^= providedData[i]; } } 
@@ -122,24 +114,22 @@ static void tc_ctr_prng_update(TCCtrPrng_t * const ctx, uint8_t const * const pr } } -int32_t tc_ctr_prng_init(TCCtrPrng_t * const ctx, - uint8_t const * const entropy, - uint32_t entropyLen, - uint8_t const * const personalization, - uint32_t pLen) +int tc_ctr_prng_init(TCCtrPrng_t * const ctx, + uint8_t const * const entropy, + unsigned int entropyLen, + uint8_t const * const personalization, + unsigned int pLen) { - int32_t result = TC_CRYPTO_FAIL; - uint32_t i; + int result = TC_CRYPTO_FAIL; + unsigned int i; uint8_t personalization_buf[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE] = {0U}; uint8_t seed_material[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE]; uint8_t zeroArr[TC_AES_BLOCK_SIZE] = {0U}; - if (0 != personalization) - { + if (0 != personalization) { /* 10.2.1.3.1 step 1 */ - uint32_t len = pLen; - if (len > sizeof personalization_buf) - { + unsigned int len = pLen; + if (len > sizeof personalization_buf) { len = sizeof personalization_buf; } @@ -147,12 +137,10 @@ int32_t tc_ctr_prng_init(TCCtrPrng_t * const ctx, memcpy(personalization_buf, personalization, len); } - if ((0 != ctx) && (0 != entropy) && (entropyLen >= sizeof seed_material)) - { + if ((0 != ctx) && (0 != entropy) && (entropyLen >= sizeof seed_material)) { /* 10.2.1.3.1 step 3 */ memcpy(seed_material, entropy, sizeof seed_material); - for (i = 0U; i < sizeof seed_material; i++) - { + for (i = 0U; i < sizeof seed_material; i++) { seed_material[i] ^= personalization_buf[i]; } 
@@ -173,23 +161,21 @@ int32_t tc_ctr_prng_init(TCCtrPrng_t * const ctx, return result; } -int32_t tc_ctr_prng_reseed(TCCtrPrng_t * const ctx, +int tc_ctr_prng_reseed(TCCtrPrng_t * const ctx, uint8_t const * const entropy, - uint32_t entropyLen, + unsigned int entropyLen, uint8_t const * const additional_input, - uint32_t additionallen) + unsigned int additionallen) { - uint32_t i; - int32_t result = TC_CRYPTO_FAIL; + unsigned int i; + int result = TC_CRYPTO_FAIL; uint8_t additional_input_buf[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE] = {0U}; uint8_t seed_material[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE]; - if (0 != additional_input) - { + if (0 != additional_input) { /* 10.2.1.4.1 step 1 */ - uint32_t len = additionallen; - if (len > sizeof additional_input_buf) - { + unsigned int len = additionallen; + if (len > sizeof additional_input_buf) { len = sizeof additional_input_buf; } @@ -197,13 +183,11 @@ int32_t tc_ctr_prng_reseed(TCCtrPrng_t * const ctx, memcpy(additional_input_buf, additional_input, len); } - uint32_t seedlen = (uint32_t)TC_AES_KEY_SIZE + (uint32_t)TC_AES_BLOCK_SIZE; - if ((0 != ctx) && (entropyLen >= seedlen)) - { + unsigned int seedlen = (unsigned int)TC_AES_KEY_SIZE + (unsigned int)TC_AES_BLOCK_SIZE; + if ((0 != ctx) && (entropyLen >= seedlen)) { /* 10.2.1.4.1 step 3 */ memcpy(seed_material, entropy, sizeof seed_material); - for (i = 0U; i < sizeof seed_material; i++) - { + for (i = 0U; i < sizeof seed_material; i++) { seed_material[i] ^= additional_input_buf[i]; } 
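Review bot: In `tc_ctr_prng_reseed` the guard `if ((0 != ctx) && (entropyLen >= seedlen)) {` does not test `entropy`, yet the next line is `memcpy(seed_material, entropy, sizeof seed_material);`, so a NULL `entropy` with a large enough `entropyLen` is dereferenced. `tc_ctr_prng_init` already includes `(0 != entropy)` in the equivalent condition, and reseed should match it: `if ((0 != ctx) && (0 != entropy) && (entropyLen >= seedlen)) {`. The end of the function lies outside this hunk.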
@@ -218,36 +202,30 @@ int32_t tc_ctr_prng_reseed(TCCtrPrng_t * const ctx, return result; } -int32_t tc_ctr_prng_generate(TCCtrPrng_t * const ctx, +int tc_ctr_prng_generate(TCCtrPrng_t * const ctx, uint8_t const * const additional_input, - uint32_t additionallen, + unsigned int additionallen, uint8_t * const out, - uint32_t outlen) + unsigned int outlen) { /* 2^48 - see section 10.2.1 */ static const uint64_t MAX_REQS_BEFORE_RESEED = 0x1000000000000ULL; /* 2^19 bits - see section 10.2.1 */ - static const uint32_t MAX_BYTES_PER_REQ = 65536U; + static const unsigned int MAX_BYTES_PER_REQ = 65536U; - int32_t result = TC_CRYPTO_FAIL; + unsigned int result = TC_CRYPTO_FAIL; - if ((0 != ctx) && (0 != out) && (outlen < MAX_BYTES_PER_REQ)) - { + if ((0 != ctx) && (0 != out) && (outlen < MAX_BYTES_PER_REQ)) { /* 10.2.1.5.1 step 1 */ - if (ctx->reseedCount > MAX_REQS_BEFORE_RESEED) - { + if (ctx->reseedCount > MAX_REQS_BEFORE_RESEED) { result = TC_CTR_PRNG_RESEED_REQ; - } - else - { + } else { uint8_t additional_input_buf[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE] = {0U}; - if (0 != additional_input) - { + if (0 != additional_input) { /* 10.2.1.5.1 step 2 */ - uint32_t len = additionallen; - if (len > sizeof additional_input_buf) - { + unsigned int len = additionallen; + if (len > sizeof additional_input_buf) { len = sizeof additional_input_buf; } memcpy(additional_input_buf, additional_input, len); @@ -257,10 +235,9 @@ int32_t tc_ctr_prng_generate(TCCtrPrng_t * const ctx, /* 10.2.1.5.1 step 3 - implicit */ /* 10.2.1.5.1 step 4 */ - uint32_t len = 0U; - while (len < outlen) - { - uint32_t blocklen = outlen - len; + unsigned int len = 0U; + while (len < outlen) { + unsigned int blocklen = outlen - len; uint8_t output_block[TC_AES_BLOCK_SIZE]; /* 10.2.1.5.1 step 4.1 */ 
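Review bot: In `tc_ctr_prng_generate` the local is now declared `unsigned int result = TC_CRYPTO_FAIL;` while the function returns `int` and `result` is also assigned `TC_CTR_PRNG_RESEED_REQ`. If that constant is negative, like the `TC_HMAC_PRNG_RESEED_REQ (-1)` documented in hmac_prng.h, the value goes through an unsigned type and back, and the conversion back to `int` is implementation-defined. Callers that compare the return value against the reseed code are then relying on that behaviour. `tc_ctr_prng_init` and `tc_ctr_prng_reseed` in this same commit use `int result`, so I would write `int result = TC_CRYPTO_FAIL;` here as well.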
@@ -270,8 +247,7 @@ int32_t tc_ctr_prng_generate(TCCtrPrng_t * const ctx, (void)tc_aes_encrypt(output_block, ctx->V, &ctx->key); /* 10.2.1.5.1 step 4.3/step 5 */ - if (blocklen > TC_AES_BLOCK_SIZE) - { + if (blocklen > TC_AES_BLOCK_SIZE) { blocklen = TC_AES_BLOCK_SIZE; } memcpy(&(out[len]), output_block, blocklen); @@ -295,8 +271,7 @@ int32_t tc_ctr_prng_generate(TCCtrPrng_t * const ctx, void tc_ctr_prng_uninstantiate(TCCtrPrng_t * const ctx) { - if (0 != ctx) - { + if (0 != ctx) { memset(ctx->key.words, 0x00, sizeof ctx->key.words); memset(ctx->V, 0x00, sizeof ctx->V); ctx->reseedCount = 0U; diff --git a/lib/source/ecc.c b/lib/source/ecc.c index bfe6c5f..46080bf 100644 --- a/lib/source/ecc.c +++ b/lib/source/ecc.c 
@@ -1,625 +1,942 @@ -/* ecc.c - TinyCrypt implementation of ECC auxiliary functions */ +/* ecc.c - TinyCrypt implementation of common ECC functions */ /* - * - * Copyright (c) 2013, Kenneth MacKay - * All rights reserved. - * https://github.com/kmackay/micro-ecc - * - * Redistribution and use in source and binary forms, with or without modification, - * are permitted provided that the following conditions are met: - * * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR - * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. 
- * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ + * Copyright (c) 2014, Kenneth MacKay + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. 
+ * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * - Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * - Neither the name of Intel Corporation nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ #include - -/* ------ Curve NIST P-256 constants: ------ */ - -#define Curve_P {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, \ - 0x00000000, 0x00000000, 0x00000001, 0xFFFFFFFF} - -#define Curve_B {0x27D2604B, 0x3BCE3C3E, 0xCC53B0F6, 0x651D06B0, \ - 0x769886BC, 0xB3EBBD55, 0xAA3A93E7, 0x5AC635D8} - -#define Curve_N {0xFC632551, 0xF3B9CAC2, 0xA7179E84, 0xBCE6FAAD, \ - 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0xFFFFFFFF} - -#define Curve_G {{0xD898C296, 0xF4A13945, 0x2DEB33A0, 0x77037D81, \ - 0x63A440F2, 0xF8BCE6E5, 0xE12C4247, 0x6B17D1F2}, \ - {0x37BF51F5, 0xCBB64068, 0x6B315ECE, 0x2BCE3357, \ - 0x7C0F9E16, 0x8EE7EB4A, 0xFE1A7F9B, 0x4FE342E2} } - -#define Curve_P_Barrett {0x00000003, 0x00000000, 0xFFFFFFFF, 0xFFFFFFFE, \ - 0xFFFFFFFE, 0xFFFFFFFE, 0xFFFFFFFF, 0x00000000, 0x00000001} - -#define Curve_N_Barrett {0xEEDF9BFE, 0x012FFD85, 0xDF1A6C21, 0x43190552, \ - 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFF, 0x00000000, 0x00000001} - -uint32_t curve_p[NUM_ECC_DIGITS] = Curve_P; -uint32_t curve_b[NUM_ECC_DIGITS] = Curve_B; -EccPoint curve_G = Curve_G; -uint32_t curve_n[NUM_ECC_DIGITS] = Curve_N; -uint32_t curve_pb[NUM_ECC_DIGITS + 1] = Curve_P_Barrett; -uint32_t curve_nb[NUM_ECC_DIGITS + 1] = Curve_N_Barrett; - -/* ------ Static functions: ------ */ - -/* Zeroing out p_vli. 
*/ -static void vli_clear(uint32_t *p_vli) +#include +#include + +/* IMPORTANT: Make sure a cryptographically-secure PRNG is set and the platform + * has access to enough entropy in order to feed the PRNG regularly. */ +#if default_RNG_defined +static uECC_RNG_Function g_rng_function = &default_CSPRNG; +#else +static uECC_RNG_Function g_rng_function = 0; +#endif + +void uECC_set_rng(uECC_RNG_Function rng_function) { - uint32_t i; + g_rng_function = rng_function; +} - for (i = 0; i < NUM_ECC_DIGITS; ++i) { - p_vli[i] = 0; - } +uECC_RNG_Function uECC_get_rng(void) +{ + return g_rng_function; } -/* Returns nonzero if bit p_bit of p_vli is set. - * It is assumed that the value provided in 'bit' is within - * the boundaries of the word-array 'p_vli'.*/ -static uint32_t vli_testBit(uint32_t *p_vli, uint32_t p_bit) +int uECC_curve_private_key_size(uECC_Curve curve) { - return (p_vli[p_bit / 32] & (1 << (p_bit % 32))); + return BITS_TO_BYTES(curve->num_n_bits); } -uint32_t vli_isZero(uint32_t *p_vli) +int uECC_curve_public_key_size(uECC_Curve curve) { - uint32_t acc = 0; + return 2 * curve->num_bytes; +} - for (uint32_t i = 0; i < NUM_ECC_DIGITS; ++i) { - acc |= p_vli[i]; +void uECC_vli_clear(uECC_word_t *vli, wordcount_t num_words) +{ + wordcount_t i; + for (i = 0; i < num_words; ++i) { + vli[i] = 0; } - - return (!acc); } -/* - * Find the right-most nonzero 32-bit "digits" in p_vli. - * - * Side-channel countermeasure: algorithm strengthened against timing attack. - */ -static uint32_t vli_numDigits(uint32_t *p_vli) +uECC_word_t uECC_vli_isZero(const uECC_word_t *vli, wordcount_t num_words) { - int32_t i; - uint32_t digits = 0; - - for (i = NUM_ECC_DIGITS - 1; i >= 0 ; --i) { - digits += p_vli[i] || digits; + uECC_word_t bits = 0; + wordcount_t i; + for (i = 0; i < num_words; ++i) { + bits |= vli[i]; } - - return digits; + return (bits == 0); } -/* - * Find the left-most non-zero bit in p_vli. 
- * - * Side-channel countermeasure: algorithm strengthened against timing attack. - */ -static uint32_t vli_numBits(uint32_t *p_vli) +uECC_word_t uECC_vli_testBit(const uECC_word_t *vli, bitcount_t bit) { - uint32_t l_digit; - uint32_t i, acc = 32; - uint32_t l_numDigits = vli_numDigits(p_vli); + return (vli[bit >> uECC_WORD_BITS_SHIFT] & + ((uECC_word_t)1 << (bit & uECC_WORD_BITS_MASK))); +} - l_digit = p_vli[l_numDigits - 1]; +/* Counts the number of words in vli. */ +static wordcount_t vli_numDigits(const uECC_word_t *vli, + const wordcount_t max_words) +{ - for (i = 0; i < 32; ++i) { - acc -= !l_digit; - l_digit >>= 1; + wordcount_t i; + /* Search from the end until we find a non-zero digit. We do it in reverse + * because we expect that most digits will be nonzero. */ + for (i = max_words - 1; i >= 0 && vli[i] == 0; --i) { } - return ((l_numDigits - 1) * 32 + acc); + return (i + 1); } -/* - * Computes p_result = p_left + p_right, returns carry. - * - * Side-channel countermeasure: algorithm strengthened against timing attack. - */ -static uint32_t vli_add(uint32_t *p_result, uint32_t *p_left, - uint32_t *p_right) +bitcount_t uECC_vli_numBits(const uECC_word_t *vli, + const wordcount_t max_words) { - uint32_t l_carry = 0; + uECC_word_t i; + uECC_word_t digit; - for (uint32_t i = 0; i < NUM_ECC_DIGITS; ++i) { - uint32_t l_sum = p_left[i] + p_right[i] + l_carry; + wordcount_t num_digits = vli_numDigits(vli, max_words); + if (num_digits == 0) { + return 0; + } - l_carry = (l_sum < p_left[i]) | ((l_sum == p_left[i]) && l_carry); - p_result[i] = l_sum; + digit = vli[num_digits - 1]; + for (i = 0; digit; ++i) { + digit >>= 1; } - return l_carry; + return (((bitcount_t)(num_digits - 1) << uECC_WORD_BITS_SHIFT) + i); } - -/* Computes p_result = p_left * p_right. 
*/ -static void vli_mult(uint32_t *p_result, uint32_t *p_left, - uint32_t *p_right, uint32_t word_size) +void uECC_vli_set(uECC_word_t *dest, const uECC_word_t *src, + wordcount_t num_words) { + wordcount_t i; - uint64_t r01 = 0; - uint32_t r2 = 0; - - /* Compute each digit of p_result in sequence, maintaining the carries. */ - for (uint32_t k = 0; k < word_size*2 - 1; ++k) { - - uint32_t l_min = (k < word_size ? 0 : (k + 1) - word_size); - - for (uint32_t i = l_min; i <= k && i < word_size; ++i) { + for (i = 0; i < num_words; ++i) { + dest[i] = src[i]; + } +} - uint64_t l_product = (uint64_t)p_left[i] * p_right[k - i]; +cmpresult_t uECC_vli_cmp_unsafe(const uECC_word_t *left, + const uECC_word_t *right, + wordcount_t num_words) +{ + wordcount_t i; - r01 += l_product; - r2 += (r01 < l_product); + for (i = num_words - 1; i >= 0; --i) { + if (left[i] > right[i]) { + return 1; + } else if (left[i] < right[i]) { + return -1; } - p_result[k] = (uint32_t)r01; - r01 = (r01 >> 32) | (((uint64_t)r2) << 32); - r2 = 0; } - - p_result[word_size * 2 - 1] = (uint32_t)r01; + return 0; } -/* Computes p_result = p_left^2. */ -static void vli_square(uint32_t *p_result, uint32_t *p_left) +uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right, + wordcount_t num_words) { - uint64_t r01 = 0; - uint32_t r2 = 0; - uint32_t i, k; + uECC_word_t diff = 0; + wordcount_t i; - for (k = 0; k < NUM_ECC_DIGITS * 2 - 1; ++k) { + for (i = num_words - 1; i >= 0; --i) { + diff |= (left[i] ^ right[i]); + } + return !(diff == 0); +} - uint32_t l_min = (k < NUM_ECC_DIGITS ? 0 : (k + 1) - NUM_ECC_DIGITS); +uECC_word_t cond_set(uECC_word_t p_true, uECC_word_t p_false, unsigned int cond) +{ + return (p_true*(cond)) | (p_false*(!cond)); +} - for (i = l_min; i <= k && i <= k - i; ++i) { +/* Computes result = left - right, returning borrow, in constant time. + * Can modify in place. 
*/ +uECC_word_t uECC_vli_sub(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, wordcount_t num_words) +{ + uECC_word_t borrow = 0; + wordcount_t i; + for (i = 0; i < num_words; ++i) { + uECC_word_t diff = left[i] - right[i] - borrow; + uECC_word_t val = (diff > left[i]); + borrow = cond_set(val, borrow, (diff != left[i])); + + result[i] = diff; + } + return borrow; +} - uint64_t l_product = (uint64_t)p_left[i] * p_left[k - i]; +/* Computes result = left + right, returning carry, in constant time. + * Can modify in place. */ +static uECC_word_t uECC_vli_add(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, wordcount_t num_words) +{ + uECC_word_t carry = 0; + wordcount_t i; + for (i = 0; i < num_words; ++i) { + uECC_word_t sum = left[i] + right[i] + carry; + uECC_word_t val = (sum < left[i]); + carry = cond_set(val, carry, (sum != left[i])); + result[i] = sum; + } + return carry; +} - if (i < k - i) { +cmpresult_t uECC_vli_cmp(const uECC_word_t *left, const uECC_word_t *right, + wordcount_t num_words) +{ + uECC_word_t tmp[NUM_ECC_WORDS]; + uECC_word_t neg = !!uECC_vli_sub(tmp, left, right, num_words); + uECC_word_t equal = uECC_vli_isZero(tmp, num_words); + return (!equal - 2 * neg); +} - r2 += l_product >> 63; - l_product *= 2; - } - r01 += l_product; - r2 += (r01 < l_product); - } - p_result[k] = (uint32_t)r01; - r01 = (r01 >> 32) | (((uint64_t)r2) << 32); - r2 = 0; +/* Computes vli = vli >> 1. */ +static void uECC_vli_rshift1(uECC_word_t *vli, wordcount_t num_words) +{ + uECC_word_t *end = vli; + uECC_word_t carry = 0; + + vli += num_words; + while (vli-- > end) { + uECC_word_t temp = *vli; + *vli = (temp >> 1) | carry; + carry = temp << (uECC_WORD_BITS - 1); } - - p_result[NUM_ECC_DIGITS * 2 - 1] = (uint32_t)r01; } -/* Computes p_result = p_product % curve_p using Barrett reduction. 
*/ -void vli_mmod_barrett(uint32_t *p_result, uint32_t *p_product, - uint32_t *p_mod, uint32_t *p_barrett) +static void muladd(uECC_word_t a, uECC_word_t b, uECC_word_t *r0, + uECC_word_t *r1, uECC_word_t *r2) { - uint32_t i; - uint32_t q1[NUM_ECC_DIGITS + 1]; - for (i = NUM_ECC_DIGITS - 1; i < 2 * NUM_ECC_DIGITS; i++) { - q1[i - (NUM_ECC_DIGITS - 1)] = p_product[i]; - } + uECC_dword_t p = (uECC_dword_t)a * b; + uECC_dword_t r01 = ((uECC_dword_t)(*r1) << uECC_WORD_BITS) | *r0; + r01 += p; + *r2 += (r01 < p); + *r1 = r01 >> uECC_WORD_BITS; + *r0 = (uECC_word_t)r01; - uint32_t q2[2*NUM_ECC_DIGITS + 2]; +} - vli_mult(q2, q1, p_barrett, NUM_ECC_DIGITS + 1); - for (i = NUM_ECC_DIGITS + 1; i < 2 * NUM_ECC_DIGITS + 2; i++) { - q1[i - (NUM_ECC_DIGITS + 1)] = q2[i]; - } +/* Computes result = left * right. Result must be 2 * num_words long. */ +static void uECC_vli_mult(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, wordcount_t num_words) +{ - uint32_t prime2[2*NUM_ECC_DIGITS]; + uECC_word_t r0 = 0; + uECC_word_t r1 = 0; + uECC_word_t r2 = 0; + wordcount_t i, k; - for (i = 0; i < NUM_ECC_DIGITS; i++) { - prime2[i] = p_mod[i]; - prime2[NUM_ECC_DIGITS + i] = 0; - } + /* Compute each digit of result in sequence, maintaining the carries. 
*/ + for (k = 0; k < num_words; ++k) { - vli_mult(q2, q1, prime2, NUM_ECC_DIGITS + 1); - vli_sub(p_product, p_product, q2, 2 * NUM_ECC_DIGITS); + for (i = 0; i <= k; ++i) { + muladd(left[i], right[k - i], &r0, &r1, &r2); + } - uint32_t borrow; + result[k] = r0; + r0 = r1; + r1 = r2; + r2 = 0; + } - borrow = vli_sub(q1, p_product, prime2, NUM_ECC_DIGITS + 1); - vli_cond_set(p_product, p_product, q1, borrow); - p_product[NUM_ECC_DIGITS] = q1[NUM_ECC_DIGITS] * (!borrow); - borrow = vli_sub(q1, p_product, prime2, NUM_ECC_DIGITS + 1); - vli_cond_set(p_product, p_product, q1, borrow); - p_product[NUM_ECC_DIGITS] = q1[NUM_ECC_DIGITS] * (!borrow); - borrow = vli_sub(q1, p_product, prime2, NUM_ECC_DIGITS + 1); - vli_cond_set(p_product, p_product, q1, borrow); - p_product[NUM_ECC_DIGITS] = q1[NUM_ECC_DIGITS] * (!borrow); + for (k = num_words; k < num_words * 2 - 1; ++k) { - for (i = 0; i < NUM_ECC_DIGITS; i++) { - p_result[i] = p_product[i]; + for (i = (k + 1) - num_words; i < num_words; ++i) { + muladd(left[i], right[k - i], &r0, &r1, &r2); + } + result[k] = r0; + r0 = r1; + r1 = r2; + r2 = 0; } + result[num_words * 2 - 1] = r0; } -/* - * Computes modular exponentiation. - * - * Side-channel countermeasure: algorithm strengthened against timing attack. - */ -static void vli_modExp(uint32_t *p_result, uint32_t *p_base, - uint32_t *p_exp, uint32_t *p_mod, uint32_t *p_barrett) +void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, const uECC_word_t *mod, + wordcount_t num_words) { + uECC_word_t carry = uECC_vli_add(result, left, right, num_words); + if (carry || uECC_vli_cmp_unsafe(mod, result, num_words) != 1) { + /* result > mod (result = mod + remainder), so subtract mod to get + * remainder. 
*/ + uECC_vli_sub(result, result, mod, num_words); + } +} - uint32_t acc[NUM_ECC_DIGITS], tmp[NUM_ECC_DIGITS], product[2 * NUM_ECC_DIGITS]; - uint32_t j; - int32_t i; - - vli_clear(acc); - acc[0] = 1; +void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, const uECC_word_t *mod, + wordcount_t num_words) +{ + uECC_word_t l_borrow = uECC_vli_sub(result, left, right, num_words); + if (l_borrow) { + /* In this case, result == -diff == (max int) - diff. Since -x % d == d - x, + * we can get the correct result from result + mod (with overflow). */ + uECC_vli_add(result, result, mod, num_words); + } +} - for (i = NUM_ECC_DIGITS - 1; i >= 0; i--) { - for (j = 1 << 31; j > 0; j = j >> 1) { - vli_square(product, acc); - vli_mmod_barrett(acc, product, p_mod, p_barrett); - vli_mult(product, acc, p_base, NUM_ECC_DIGITS); - vli_mmod_barrett(tmp, product, p_mod, p_barrett); - vli_cond_set(acc, tmp, acc, j & p_exp[i]); +/* Computes result = product % mod, where product is 2N words long. */ +/* Currently only designed to work for curve_p or curve_n. */ +void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product, + const uECC_word_t *mod, wordcount_t num_words) +{ + uECC_word_t mod_multiple[2 * NUM_ECC_WORDS]; + uECC_word_t tmp[2 * NUM_ECC_WORDS]; + uECC_word_t *v[2] = {tmp, product}; + uECC_word_t index; + + /* Shift mod so its highest set bit is at the maximum position. 
*/ + bitcount_t shift = (num_words * 2 * uECC_WORD_BITS) - + uECC_vli_numBits(mod, num_words); + wordcount_t word_shift = shift / uECC_WORD_BITS; + wordcount_t bit_shift = shift % uECC_WORD_BITS; + uECC_word_t carry = 0; + uECC_vli_clear(mod_multiple, word_shift); + if (bit_shift > 0) { + for(index = 0; index < (uECC_word_t)num_words; ++index) { + mod_multiple[word_shift + index] = (mod[index] << bit_shift) | carry; + carry = mod[index] >> (uECC_WORD_BITS - bit_shift); } + } else { + uECC_vli_set(mod_multiple + word_shift, mod, num_words); } - vli_set(p_result, acc); + for (index = 1; shift >= 0; --shift) { + uECC_word_t borrow = 0; + wordcount_t i; + for (i = 0; i < num_words * 2; ++i) { + uECC_word_t diff = v[index][i] - mod_multiple[i] - borrow; + if (diff != v[index][i]) { + borrow = (diff > v[index][i]); + } + v[1 - index][i] = diff; + } + /* Swap the index if there was no borrow */ + index = !(index ^ borrow); + uECC_vli_rshift1(mod_multiple, num_words); + mod_multiple[num_words - 1] |= mod_multiple[num_words] << + (uECC_WORD_BITS - 1); + uECC_vli_rshift1(mod_multiple + num_words, num_words); + } + uECC_vli_set(result, v[index], num_words); } -/* Conversion from Affine coordinates to Jacobi coordinates. */ -static void EccPoint_fromAffine(EccPointJacobi *p_point_jacobi, - EccPoint *p_point) { - - vli_set(p_point_jacobi->X, p_point->x); - vli_set(p_point_jacobi->Y, p_point->y); - vli_clear(p_point_jacobi->Z); - p_point_jacobi->Z[0] = 1; +void uECC_vli_modMult(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, const uECC_word_t *mod, + wordcount_t num_words) +{ + uECC_word_t product[2 * NUM_ECC_WORDS]; + uECC_vli_mult(product, left, right, num_words); + uECC_vli_mmod(result, product, mod, num_words); } -/* - * Elliptic curve point doubling in Jacobi coordinates: P = P + P. - * - * Requires 4 squares and 4 multiplications. 
- */ -static void EccPoint_double(EccPointJacobi *P) +void uECC_vli_modMult_fast(uECC_word_t *result, const uECC_word_t *left, + const uECC_word_t *right, uECC_Curve curve) { + uECC_word_t product[2 * NUM_ECC_WORDS]; + uECC_vli_mult(product, left, right, curve->num_words); - uint32_t m[NUM_ECC_DIGITS], s[NUM_ECC_DIGITS], t[NUM_ECC_DIGITS]; - - vli_modSquare_fast(t, P->Z); - vli_modSub(m, P->X, t, curve_p); - vli_modAdd(s, P->X, t, curve_p); - vli_modMult_fast(m, m, s); - vli_modAdd(s, m, m, curve_p); - vli_modAdd(m, s, m, curve_p); /* m = 3X^2 - 3Z^4 */ - vli_modSquare_fast(t, P->Y); - vli_modMult_fast(s, P->X, t); - vli_modAdd(s, s, s, curve_p); - vli_modAdd(s, s, s, curve_p); /* s = 4XY^2 */ - vli_modMult_fast(P->Z, P->Y, P->Z); - vli_modAdd(P->Z, P->Z, P->Z, curve_p); /* Z' = 2YZ */ - vli_modSquare_fast(P->X, m); - vli_modSub(P->X, P->X, s, curve_p); - vli_modSub(P->X, P->X, s, curve_p); /* X' = m^2 - 2s */ - vli_modSquare_fast(P->Y, t); - vli_modAdd(P->Y, P->Y, P->Y, curve_p); - vli_modAdd(P->Y, P->Y, P->Y, curve_p); - vli_modAdd(P->Y, P->Y, P->Y, curve_p); - vli_modSub(t, s, P->X, curve_p); - vli_modMult_fast(t, t, m); - vli_modSub(P->Y, t, P->Y, curve_p); /* Y' = m(s - X') - 8Y^4 */ - + curve->mmod_fast(result, product); } -/* Copy input to target. 
*/ -static void EccPointJacobi_set(EccPointJacobi *target, EccPointJacobi *input) +static void uECC_vli_modSquare_fast(uECC_word_t *result, + const uECC_word_t *left, + uECC_Curve curve) { - vli_set(target->X, input->X); - vli_set(target->Y, input->Y); - vli_set(target->Z, input->Z); + uECC_vli_modMult_fast(result, left, left, curve); } -/* ------ Externally visible functions (see header file for comments): ------ */ -void vli_set(uint32_t *p_dest, uint32_t *p_src) +#define EVEN(vli) (!(vli[0] & 1)) + +static void vli_modInv_update(uECC_word_t *uv, + const uECC_word_t *mod, + wordcount_t num_words) { - uint32_t i; + uECC_word_t carry = 0; - for (i = 0; i < NUM_ECC_DIGITS; ++i) { - p_dest[i] = p_src[i]; + if (!EVEN(uv)) { + carry = uECC_vli_add(uv, uv, mod, num_words); + } + uECC_vli_rshift1(uv, num_words); + if (carry) { + uv[num_words - 1] |= HIGH_BIT_SET; } } -int32_t vli_cmp(uint32_t *p_left, uint32_t *p_right, int32_t word_size) +void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input, + const uECC_word_t *mod, wordcount_t num_words) { + uECC_word_t a[NUM_ECC_WORDS], b[NUM_ECC_WORDS]; + uECC_word_t u[NUM_ECC_WORDS], v[NUM_ECC_WORDS]; + cmpresult_t cmpResult; - int32_t i, cmp = 0; - - for (i = word_size-1; i >= 0; --i) { - cmp |= ((p_left[i] > p_right[i]) - (p_left[i] < p_right[i])) * (!cmp); + if (uECC_vli_isZero(input, num_words)) { + uECC_vli_clear(result, num_words); + return; } - return cmp; + uECC_vli_set(a, input, num_words); + uECC_vli_set(b, mod, num_words); + uECC_vli_clear(u, num_words); + u[0] = 1; + uECC_vli_clear(v, num_words); + while ((cmpResult = uECC_vli_cmp_unsafe(a, b, num_words)) != 0) { + if (EVEN(a)) { + uECC_vli_rshift1(a, num_words); + vli_modInv_update(u, mod, num_words); + } else if (EVEN(b)) { + uECC_vli_rshift1(b, num_words); + vli_modInv_update(v, mod, num_words); + } else if (cmpResult > 0) { + uECC_vli_sub(a, a, b, num_words); + uECC_vli_rshift1(a, num_words); + if (uECC_vli_cmp_unsafe(u, v, num_words) < 0) { + 
uECC_vli_add(u, u, mod, num_words); + } + uECC_vli_sub(u, u, v, num_words); + vli_modInv_update(u, mod, num_words); + } else { + uECC_vli_sub(b, b, a, num_words); + uECC_vli_rshift1(b, num_words); + if (uECC_vli_cmp_unsafe(v, u, num_words) < 0) { + uECC_vli_add(v, v, mod, num_words); + } + uECC_vli_sub(v, v, u, num_words); + vli_modInv_update(v, mod, num_words); + } + } + uECC_vli_set(result, u, num_words); } -uint32_t vli_sub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right, - uint32_t word_size) -{ +/* ------ Point operations ------ */ - uint32_t l_borrow = 0; +void double_jacobian_default(uECC_word_t * X1, uECC_word_t * Y1, + uECC_word_t * Z1, uECC_Curve curve) +{ + /* t1 = X, t2 = Y, t3 = Z */ + uECC_word_t t4[NUM_ECC_WORDS]; + uECC_word_t t5[NUM_ECC_WORDS]; + wordcount_t num_words = curve->num_words; - for (uint32_t i = 0; i < word_size; ++i) { - uint32_t l_diff = p_left[i] - p_right[i] - l_borrow; + if (uECC_vli_isZero(Z1, num_words)) { + return; + } - l_borrow = (l_diff > p_left[i]) | ((l_diff == p_left[i]) && l_borrow); - p_result[i] = l_diff; + uECC_vli_modSquare_fast(t4, Y1, curve); /* t4 = y1^2 */ + uECC_vli_modMult_fast(t5, X1, t4, curve); /* t5 = x1*y1^2 = A */ + uECC_vli_modSquare_fast(t4, t4, curve); /* t4 = y1^4 */ + uECC_vli_modMult_fast(Y1, Y1, Z1, curve); /* t2 = y1*z1 = z3 */ + uECC_vli_modSquare_fast(Z1, Z1, curve); /* t3 = z1^2 */ + + uECC_vli_modAdd(X1, X1, Z1, curve->p, num_words); /* t1 = x1 + z1^2 */ + uECC_vli_modAdd(Z1, Z1, Z1, curve->p, num_words); /* t3 = 2*z1^2 */ + uECC_vli_modSub(Z1, X1, Z1, curve->p, num_words); /* t3 = x1 - z1^2 */ + uECC_vli_modMult_fast(X1, X1, Z1, curve); /* t1 = x1^2 - z1^4 */ + + uECC_vli_modAdd(Z1, X1, X1, curve->p, num_words); /* t3 = 2*(x1^2 - z1^4) */ + uECC_vli_modAdd(X1, X1, Z1, curve->p, num_words); /* t1 = 3*(x1^2 - z1^4) */ + if (uECC_vli_testBit(X1, 0)) { + uECC_word_t l_carry = uECC_vli_add(X1, X1, curve->p, num_words); + uECC_vli_rshift1(X1, num_words); + X1[num_words - 1] |= l_carry << 
(uECC_WORD_BITS - 1); + } else { + uECC_vli_rshift1(X1, num_words); } - return l_borrow; + /* t1 = 3/2*(x1^2 - z1^4) = B */ + uECC_vli_modSquare_fast(Z1, X1, curve); /* t3 = B^2 */ + uECC_vli_modSub(Z1, Z1, t5, curve->p, num_words); /* t3 = B^2 - A */ + uECC_vli_modSub(Z1, Z1, t5, curve->p, num_words); /* t3 = B^2 - 2A = x3 */ + uECC_vli_modSub(t5, t5, Z1, curve->p, num_words); /* t5 = A - x3 */ + uECC_vli_modMult_fast(X1, X1, t5, curve); /* t1 = B * (A - x3) */ + /* t4 = B * (A - x3) - y1^4 = y3: */ + uECC_vli_modSub(t4, X1, t4, curve->p, num_words); + + uECC_vli_set(X1, Z1, num_words); + uECC_vli_set(Z1, Y1, num_words); + uECC_vli_set(Y1, t4, num_words); } -void vli_cond_set(uint32_t *output, uint32_t *p_true, uint32_t *p_false, - uint32_t cond) +void x_side_default(uECC_word_t *result, + const uECC_word_t *x, + uECC_Curve curve) { - uint32_t i; - - cond = (!cond); - - for (i = 0; i < NUM_ECC_DIGITS; i++) { - output[i] = (p_true[i]*(!cond)) | (p_false[i]*cond); - } + uECC_word_t _3[NUM_ECC_WORDS] = {3}; /* -a = 3 */ + wordcount_t num_words = curve->num_words; + + uECC_vli_modSquare_fast(result, x, curve); /* r = x^2 */ + uECC_vli_modSub(result, result, _3, curve->p, num_words); /* r = x^2 - 3 */ + uECC_vli_modMult_fast(result, result, x, curve); /* r = x^3 - 3x */ + /* r = x^3 - 3x + b: */ + uECC_vli_modAdd(result, result, curve->b, curve->p, num_words); } -void vli_modAdd(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right, - uint32_t *p_mod) +uECC_Curve uECC_secp256r1(void) { - uint32_t l_carry = vli_add(p_result, p_left, p_right); - uint32_t p_temp[NUM_ECC_DIGITS]; - - l_carry = l_carry == vli_sub(p_temp, p_result, p_mod, NUM_ECC_DIGITS); - vli_cond_set(p_result, p_temp, p_result, l_carry); + return &curve_secp256r1; } -void vli_modSub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right, - uint32_t *p_mod) +void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int*product) { - uint32_t l_borrow = vli_sub(p_result, p_left, p_right, 
NUM_ECC_DIGITS); - uint32_t p_temp[NUM_ECC_DIGITS]; - - vli_add(p_temp, p_result, p_mod); - vli_cond_set(p_result, p_temp, p_result, l_borrow); + unsigned int tmp[NUM_ECC_WORDS]; + int carry; + + /* t */ + uECC_vli_set(result, product, NUM_ECC_WORDS); + + /* s1 */ + tmp[0] = tmp[1] = tmp[2] = 0; + tmp[3] = product[11]; + tmp[4] = product[12]; + tmp[5] = product[13]; + tmp[6] = product[14]; + tmp[7] = product[15]; + carry = uECC_vli_add(tmp, tmp, tmp, NUM_ECC_WORDS); + carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS); + + /* s2 */ + tmp[3] = product[12]; + tmp[4] = product[13]; + tmp[5] = product[14]; + tmp[6] = product[15]; + tmp[7] = 0; + carry += uECC_vli_add(tmp, tmp, tmp, NUM_ECC_WORDS); + carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS); + + /* s3 */ + tmp[0] = product[8]; + tmp[1] = product[9]; + tmp[2] = product[10]; + tmp[3] = tmp[4] = tmp[5] = 0; + tmp[6] = product[14]; + tmp[7] = product[15]; + carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS); + + /* s4 */ + tmp[0] = product[9]; + tmp[1] = product[10]; + tmp[2] = product[11]; + tmp[3] = product[13]; + tmp[4] = product[14]; + tmp[5] = product[15]; + tmp[6] = product[13]; + tmp[7] = product[8]; + carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS); + + /* d1 */ + tmp[0] = product[11]; + tmp[1] = product[12]; + tmp[2] = product[13]; + tmp[3] = tmp[4] = tmp[5] = 0; + tmp[6] = product[8]; + tmp[7] = product[10]; + carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS); + + /* d2 */ + tmp[0] = product[12]; + tmp[1] = product[13]; + tmp[2] = product[14]; + tmp[3] = product[15]; + tmp[4] = tmp[5] = 0; + tmp[6] = product[9]; + tmp[7] = product[11]; + carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS); + + /* d3 */ + tmp[0] = product[13]; + tmp[1] = product[14]; + tmp[2] = product[15]; + tmp[3] = product[8]; + tmp[4] = product[9]; + tmp[5] = product[10]; + tmp[6] = 0; + tmp[7] = product[12]; + carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS); + + /* d4 */ + tmp[0] 
= product[14]; + tmp[1] = product[15]; + tmp[2] = 0; + tmp[3] = product[9]; + tmp[4] = product[10]; + tmp[5] = product[11]; + tmp[6] = 0; + tmp[7] = product[13]; + carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS); + + if (carry < 0) { + do { + carry += uECC_vli_add(result, result, curve_secp256r1.p, NUM_ECC_WORDS); + } + while (carry < 0); + } else { + while (carry || + uECC_vli_cmp_unsafe(curve_secp256r1.p, result, NUM_ECC_WORDS) != 1) { + carry -= uECC_vli_sub(result, result, curve_secp256r1.p, NUM_ECC_WORDS); + } + } } -void vli_modMult_fast(uint32_t *p_result, uint32_t *p_left, - uint32_t *p_right) +uECC_word_t EccPoint_isZero(const uECC_word_t *point, uECC_Curve curve) { - uint32_t l_product[2 * NUM_ECC_DIGITS]; - - vli_mult(l_product, p_left, p_right, NUM_ECC_DIGITS); - vli_mmod_barrett(p_result, l_product, curve_p, curve_pb); + return uECC_vli_isZero(point, curve->num_words * 2); } -void vli_modSquare_fast(uint32_t *p_result, uint32_t *p_left) +void apply_z(uECC_word_t * X1, uECC_word_t * Y1, const uECC_word_t * const Z, + uECC_Curve curve) { - uint32_t l_product[2 * NUM_ECC_DIGITS]; + uECC_word_t t1[NUM_ECC_WORDS]; - vli_square(l_product, p_left); - vli_mmod_barrett(p_result, l_product, curve_p, curve_pb); + uECC_vli_modSquare_fast(t1, Z, curve); /* z^2 */ + uECC_vli_modMult_fast(X1, X1, t1, curve); /* x1 * z^2 */ + uECC_vli_modMult_fast(t1, t1, Z, curve); /* z^3 */ + uECC_vli_modMult_fast(Y1, Y1, t1, curve); /* y1 * z^3 */ } -void vli_modMult(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right, - uint32_t *p_mod, uint32_t *p_barrett) +/* P = (x1, y1) => 2P, (x2, y2) => P' */ +static void XYcZ_initial_double(uECC_word_t * X1, uECC_word_t * Y1, + uECC_word_t * X2, uECC_word_t * Y2, + const uECC_word_t * const initial_Z, + uECC_Curve curve) { + uECC_word_t z[NUM_ECC_WORDS]; + wordcount_t num_words = curve->num_words; + if (initial_Z) { + uECC_vli_set(z, initial_Z, num_words); + } else { + uECC_vli_clear(z, num_words); + z[0] = 1; + } - uint32_t 
l_product[2 * NUM_ECC_DIGITS]; + uECC_vli_set(X2, X1, num_words); + uECC_vli_set(Y2, Y1, num_words); - vli_mult(l_product, p_left, p_right, NUM_ECC_DIGITS); - vli_mmod_barrett(p_result, l_product, p_mod, p_barrett); + apply_z(X1, Y1, z, curve); + curve->double_jacobian(X1, Y1, z, curve); + apply_z(X2, Y2, z, curve); } -void vli_modInv(uint32_t *p_result, uint32_t *p_input, uint32_t *p_mod, - uint32_t *p_barrett) +void XYcZ_add(uECC_word_t * X1, uECC_word_t * Y1, + uECC_word_t * X2, uECC_word_t * Y2, + uECC_Curve curve) { - uint32_t p_power[NUM_ECC_DIGITS]; - - vli_set(p_power, p_mod); - p_power[0] -= 2; - vli_modExp(p_result, p_input, p_power, p_mod, p_barrett); + /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */ + uECC_word_t t5[NUM_ECC_WORDS]; + wordcount_t num_words = curve->num_words; + + uECC_vli_modSub(t5, X2, X1, curve->p, num_words); /* t5 = x2 - x1 */ + uECC_vli_modSquare_fast(t5, t5, curve); /* t5 = (x2 - x1)^2 = A */ + uECC_vli_modMult_fast(X1, X1, t5, curve); /* t1 = x1*A = B */ + uECC_vli_modMult_fast(X2, X2, t5, curve); /* t3 = x2*A = C */ + uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); /* t4 = y2 - y1 */ + uECC_vli_modSquare_fast(t5, Y2, curve); /* t5 = (y2 - y1)^2 = D */ + + uECC_vli_modSub(t5, t5, X1, curve->p, num_words); /* t5 = D - B */ + uECC_vli_modSub(t5, t5, X2, curve->p, num_words); /* t5 = D - B - C = x3 */ + uECC_vli_modSub(X2, X2, X1, curve->p, num_words); /* t3 = C - B */ + uECC_vli_modMult_fast(Y1, Y1, X2, curve); /* t2 = y1*(C - B) */ + uECC_vli_modSub(X2, X1, t5, curve->p, num_words); /* t3 = B - x3 */ + uECC_vli_modMult_fast(Y2, Y2, X2, curve); /* t4 = (y2 - y1)*(B - x3) */ + uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); /* t4 = y3 */ + + uECC_vli_set(X2, t5, num_words); } -uint32_t EccPoint_isZero(EccPoint *p_point) +/* Input P = (x1, y1, Z), Q = (x2, y2, Z) + Output P + Q = (x3, y3, Z3), P - Q = (x3', y3', Z3) + or P => P - Q, Q => P + Q + */ +static void XYcZ_addC(uECC_word_t * X1, uECC_word_t * Y1, + uECC_word_t * X2, uECC_word_t 
* Y2, + uECC_Curve curve) { - return (vli_isZero(p_point->x) && vli_isZero(p_point->y)); + /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */ + uECC_word_t t5[NUM_ECC_WORDS]; + uECC_word_t t6[NUM_ECC_WORDS]; + uECC_word_t t7[NUM_ECC_WORDS]; + wordcount_t num_words = curve->num_words; + + uECC_vli_modSub(t5, X2, X1, curve->p, num_words); /* t5 = x2 - x1 */ + uECC_vli_modSquare_fast(t5, t5, curve); /* t5 = (x2 - x1)^2 = A */ + uECC_vli_modMult_fast(X1, X1, t5, curve); /* t1 = x1*A = B */ + uECC_vli_modMult_fast(X2, X2, t5, curve); /* t3 = x2*A = C */ + uECC_vli_modAdd(t5, Y2, Y1, curve->p, num_words); /* t5 = y2 + y1 */ + uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); /* t4 = y2 - y1 */ + + uECC_vli_modSub(t6, X2, X1, curve->p, num_words); /* t6 = C - B */ + uECC_vli_modMult_fast(Y1, Y1, t6, curve); /* t2 = y1 * (C - B) = E */ + uECC_vli_modAdd(t6, X1, X2, curve->p, num_words); /* t6 = B + C */ + uECC_vli_modSquare_fast(X2, Y2, curve); /* t3 = (y2 - y1)^2 = D */ + uECC_vli_modSub(X2, X2, t6, curve->p, num_words); /* t3 = D - (B + C) = x3 */ + + uECC_vli_modSub(t7, X1, X2, curve->p, num_words); /* t7 = B - x3 */ + uECC_vli_modMult_fast(Y2, Y2, t7, curve); /* t4 = (y2 - y1)*(B - x3) */ + /* t4 = (y2 - y1)*(B - x3) - E = y3: */ + uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); + + uECC_vli_modSquare_fast(t7, t5, curve); /* t7 = (y2 + y1)^2 = F */ + uECC_vli_modSub(t7, t7, t6, curve->p, num_words); /* t7 = F - (B + C) = x3' */ + uECC_vli_modSub(t6, t7, X1, curve->p, num_words); /* t6 = x3' - B */ + uECC_vli_modMult_fast(t6, t6, t5, curve); /* t6 = (y2+y1)*(x3' - B) */ + /* t2 = (y2+y1)*(x3' - B) - E = y3': */ + uECC_vli_modSub(Y1, t6, Y1, curve->p, num_words); + + uECC_vli_set(X1, t7, num_words); } -uint32_t EccPointJacobi_isZero(EccPointJacobi *p_point_jacobi) +void EccPoint_mult(uECC_word_t * result, const uECC_word_t * point, + const uECC_word_t * scalar, + const uECC_word_t * initial_Z, + bitcount_t num_bits, uECC_Curve curve) { - return vli_isZero(p_point_jacobi->Z); + 
/* R0 and R1 */ + uECC_word_t Rx[2][NUM_ECC_WORDS]; + uECC_word_t Ry[2][NUM_ECC_WORDS]; + uECC_word_t z[NUM_ECC_WORDS]; + bitcount_t i; + uECC_word_t nb; + wordcount_t num_words = curve->num_words; + + uECC_vli_set(Rx[1], point, num_words); + uECC_vli_set(Ry[1], point + num_words, num_words); + + XYcZ_initial_double(Rx[1], Ry[1], Rx[0], Ry[0], initial_Z, curve); + + for (i = num_bits - 2; i > 0; --i) { + nb = !uECC_vli_testBit(scalar, i); + XYcZ_addC(Rx[1 - nb], Ry[1 - nb], Rx[nb], Ry[nb], curve); + XYcZ_add(Rx[nb], Ry[nb], Rx[1 - nb], Ry[1 - nb], curve); + } + + nb = !uECC_vli_testBit(scalar, 0); + XYcZ_addC(Rx[1 - nb], Ry[1 - nb], Rx[nb], Ry[nb], curve); + + /* Find final 1/Z value. */ + uECC_vli_modSub(z, Rx[1], Rx[0], curve->p, num_words); /* X1 - X0 */ + uECC_vli_modMult_fast(z, z, Ry[1 - nb], curve); /* Yb * (X1 - X0) */ + uECC_vli_modMult_fast(z, z, point, curve); /* xP * Yb * (X1 - X0) */ + uECC_vli_modInv(z, z, curve->p, num_words); /* 1 / (xP * Yb * (X1 - X0))*/ + /* yP / (xP * Yb * (X1 - X0)) */ + uECC_vli_modMult_fast(z, z, point + num_words, curve); + /* Xb * yP / (xP * Yb * (X1 - X0)) */ + uECC_vli_modMult_fast(z, z, Rx[1 - nb], curve); + /* End 1/Z calculation */ + + XYcZ_add(Rx[nb], Ry[nb], Rx[1 - nb], Ry[1 - nb], curve); + apply_z(Rx[0], Ry[0], z, curve); + + uECC_vli_set(result, Rx[0], num_words); + uECC_vli_set(result + num_words, Ry[0], num_words); } -void EccPoint_toAffine(EccPoint *p_point, EccPointJacobi *p_point_jacobi) +uECC_word_t regularize_k(const uECC_word_t * const k, uECC_word_t *k0, + uECC_word_t *k1, uECC_Curve curve) { - if (vli_isZero(p_point_jacobi->Z)) { - vli_clear(p_point->x); - vli_clear(p_point->y); - return; - } + wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits); + + bitcount_t num_n_bits = curve->num_n_bits; + + uECC_word_t carry = uECC_vli_add(k0, k, curve->n, num_n_words) || + (num_n_bits < ((bitcount_t)num_n_words * uECC_WORD_SIZE * 8) && + uECC_vli_testBit(k0, num_n_bits)); - uint32_t z[NUM_ECC_DIGITS]; + 
uECC_vli_add(k1, k0, curve->n, num_n_words); - vli_set(z, p_point_jacobi->Z); - vli_modInv(z, z, curve_p, curve_pb); - vli_modSquare_fast(p_point->x, z); - vli_modMult_fast(p_point->y, p_point->x, z); - vli_modMult_fast(p_point->x, p_point->x, p_point_jacobi->X); - vli_modMult_fast(p_point->y, p_point->y, p_point_jacobi->Y); + return carry; } -void EccPoint_add(EccPointJacobi *P1, EccPointJacobi *P2) +uECC_word_t EccPoint_compute_public_key(uECC_word_t *result, + uECC_word_t *private_key, + uECC_Curve curve) { - uint32_t s1[NUM_ECC_DIGITS], u1[NUM_ECC_DIGITS], t[NUM_ECC_DIGITS]; - uint32_t h[NUM_ECC_DIGITS], r[NUM_ECC_DIGITS]; + uECC_word_t tmp1[NUM_ECC_WORDS]; + uECC_word_t tmp2[NUM_ECC_WORDS]; + uECC_word_t *p2[2] = {tmp1, tmp2}; + uECC_word_t carry; - vli_modSquare_fast(r, P1->Z); - vli_modSquare_fast(s1, P2->Z); - vli_modMult_fast(u1, P1->X, s1); /* u1 = X1 Z2^2 */ - vli_modMult_fast(h, P2->X, r); - vli_modMult_fast(s1, P1->Y, s1); - vli_modMult_fast(s1, s1, P2->Z); /* s1 = Y1 Z2^3 */ - vli_modMult_fast(r, P2->Y, r); - vli_modMult_fast(r, r, P1->Z); - vli_modSub(h, h, u1, curve_p); /* h = X2 Z1^2 - u1 */ - vli_modSub(r, r, s1, curve_p); /* r = Y2 Z1^3 - s1 */ + /* Regularize the bitcount for the private key so that attackers cannot + * use a side channel attack to learn the number of leading zeros. 
*/ + carry = regularize_k(private_key, tmp1, tmp2, curve); - if (vli_isZero(h)) { - if (vli_isZero(r)) { - /* P1 = P2 */ - EccPoint_double(P1); - return; - } - /* point at infinity */ - vli_clear(P1->Z); - return; + EccPoint_mult(result, curve->G, p2[!carry], 0, curve->num_n_bits + 1, curve); + + if (EccPoint_isZero(result, curve)) { + return 0; } + return 1; +} - vli_modMult_fast(P1->Z, P1->Z, P2->Z); - vli_modMult_fast(P1->Z, P1->Z, h); /* Z3 = h Z1 Z2 */ - vli_modSquare_fast(t, h); - vli_modMult_fast(h, t, h); - vli_modMult_fast(u1, u1, t); - vli_modSquare_fast(P1->X, r); - vli_modSub(P1->X, P1->X, h, curve_p); - vli_modSub(P1->X, P1->X, u1, curve_p); - vli_modSub(P1->X, P1->X, u1, curve_p); /* X3 = r^2 - h^3 - 2 u1 h^2 */ - vli_modMult_fast(t, s1, h); - vli_modSub(P1->Y, u1, P1->X, curve_p); - vli_modMult_fast(P1->Y, P1->Y, r); - vli_modSub(P1->Y, P1->Y, t, curve_p); /* Y3 = r(u1 h^2 - X3) - s1 h^3 */ +/* Converts an integer in uECC native format to big-endian bytes. */ +void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes, + const unsigned int *native) +{ + wordcount_t i; + for (i = 0; i < num_bytes; ++i) { + unsigned b = num_bytes - 1 - i; + bytes[i] = native[b / uECC_WORD_SIZE] >> (8 * (b % uECC_WORD_SIZE)); + } } -/* - * Elliptic curve scalar multiplication with result in Jacobi coordinates: - * - * p_result = p_scalar * p_point. - */ -void EccPoint_mult_safe(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar) +/* Converts big-endian bytes to an integer in uECC native format. 
*/ +void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes, + int num_bytes) { + wordcount_t i; + uECC_vli_clear(native, (num_bytes + (uECC_WORD_SIZE - 1)) / uECC_WORD_SIZE); + for (i = 0; i < num_bytes; ++i) { + unsigned b = num_bytes - 1 - i; + native[b / uECC_WORD_SIZE] |= + (uECC_word_t)bytes[i] << (8 * (b % uECC_WORD_SIZE)); + } +} - int32_t i; - uint32_t bit; - EccPointJacobi p_point_jacobi, p_tmp; +int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, + wordcount_t num_words) +{ + uECC_word_t mask = (uECC_word_t)-1; + uECC_word_t tries; + bitcount_t num_bits = uECC_vli_numBits(top, num_words); - EccPoint_fromAffine(p_result, p_point); - EccPoint_fromAffine(&p_point_jacobi, p_point); + if (!g_rng_function) { + return 0; + } - for (i = vli_numBits(p_scalar) - 2; i >= 0; i--) { - EccPoint_double(p_result); - EccPointJacobi_set(&p_tmp, p_result); - EccPoint_add(&p_tmp, &p_point_jacobi); - bit = vli_testBit(p_scalar, i); - vli_cond_set(p_result->X, p_tmp.X, p_result->X, bit); - vli_cond_set(p_result->Y, p_tmp.Y, p_result->Y, bit); - vli_cond_set(p_result->Z, p_tmp.Z, p_result->Z, bit); + for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { + if (!g_rng_function((uint8_t *)random, num_words * uECC_WORD_SIZE)) { + return 0; + } + random[num_words - 1] &= + mask >> ((bitcount_t)(num_words * uECC_WORD_SIZE * 8 - num_bits)); + if (!uECC_vli_isZero(random, num_words) && + uECC_vli_cmp(top, random, num_words) == 1) { + return 1; + } } + return 0; } -/* Ellptic curve scalar multiplication with result in Jacobi coordinates */ -/* p_result = p_scalar * p_point */ -void EccPoint_mult_unsafe(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar) + +int uECC_valid_point(const uECC_word_t *point, uECC_Curve curve) { - int i; - EccPointJacobi p_point_jacobi; - EccPoint_fromAffine(p_result, p_point); - EccPoint_fromAffine(&p_point_jacobi, p_point); + uECC_word_t tmp1[NUM_ECC_WORDS]; + uECC_word_t tmp2[NUM_ECC_WORDS]; + wordcount_t 
num_words = curve->num_words; - for(i = vli_numBits(p_scalar) - 2; i >= 0; i--) - { - EccPoint_double(p_result); - if (vli_testBit(p_scalar, i)) - { - EccPoint_add(p_result, &p_point_jacobi); - } - } -} + /* The point at infinity is invalid. */ + if (EccPoint_isZero(point, curve)) { + return -1; + } + + /* x and y must be smaller than p. */ + if (uECC_vli_cmp_unsafe(curve->p, point, num_words) != 1 || + uECC_vli_cmp_unsafe(curve->p, point + num_words, num_words) != 1) { + return -2; + } + + uECC_vli_modSquare_fast(tmp1, point + num_words, curve); + curve->x_side(tmp2, point, curve); /* tmp2 = x^3 + ax + b */ + + /* Make sure that y^2 == x^3 + ax + b */ + if (uECC_vli_equal(tmp1, tmp2, num_words) != 0) + return -3; -/* -------- Conversions between big endian and little endian: -------- */ + return 0; +} -void ecc_bytes2native(uint32_t p_native[NUM_ECC_DIGITS], - uint8_t p_bytes[NUM_ECC_DIGITS * 4]) +int uECC_valid_public_key(const uint8_t *public_key, uECC_Curve curve) { - uint32_t i; + uECC_word_t _public[NUM_ECC_WORDS * 2]; - for (i = 0; i < NUM_ECC_DIGITS; ++i) { - uint8_t *p_digit = p_bytes + 4 * (NUM_ECC_DIGITS - 1 - i); + uECC_vli_bytesToNative(_public, public_key, curve->num_bytes); + uECC_vli_bytesToNative( + _public + curve->num_words, + public_key + curve->num_bytes, + curve->num_bytes); - p_native[i] = ((uint32_t)p_digit[0] << 24) | - ((uint32_t)p_digit[1] << 16) | - ((uint32_t)p_digit[2] << 8) | - (uint32_t)p_digit[3]; + if (uECC_vli_cmp_unsafe(_public, curve->G, NUM_ECC_WORDS * 2) == 0) { + return -4; } + + return uECC_valid_point(_public, curve); } -void ecc_native2bytes(uint8_t p_bytes[NUM_ECC_DIGITS * 4], - uint32_t p_native[NUM_ECC_DIGITS]) +int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key, + uECC_Curve curve) { - uint32_t i; + uECC_word_t _private[NUM_ECC_WORDS]; + uECC_word_t _public[NUM_ECC_WORDS * 2]; - for (i = 0; i < NUM_ECC_DIGITS; ++i) { - uint8_t *p_digit = p_bytes + 4 * (NUM_ECC_DIGITS - 1 - i); + 
uECC_vli_bytesToNative( + _private, + private_key, + BITS_TO_BYTES(curve->num_n_bits)); - p_digit[0] = p_native[i] >> 24; - p_digit[1] = p_native[i] >> 16; - p_digit[2] = p_native[i] >> 8; - p_digit[3] = p_native[i]; + /* Make sure the private key is in the range [1, n-1]. */ + if (uECC_vli_isZero(_private, BITS_TO_WORDS(curve->num_n_bits))) { + return 0; } + + if (uECC_vli_cmp(curve->n, _private, BITS_TO_WORDS(curve->num_n_bits)) != 1) { + return 0; + } + + /* Compute public key. */ + if (!EccPoint_compute_public_key(_public, _private, curve)) { + return 0; + } + + uECC_vli_nativeToBytes(public_key, curve->num_bytes, _public); + uECC_vli_nativeToBytes( + public_key + + curve->num_bytes, curve->num_bytes, _public + curve->num_words); + return 1; } + + diff --git a/lib/source/ecc_dh.c b/lib/source/ecc_dh.c index c2ab414..c9961c1 100644 --- a/lib/source/ecc_dh.c +++ b/lib/source/ecc_dh.c 
@@ -1,7 +1,32 @@ /* ec_dh.c - TinyCrypt implementation of EC-DH */ +/* + * Copyright (c) 2014, Kenneth MacKay + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
@@ -31,102 +56,135 @@ */ #include #include +#include +#include -extern uint32_t curve_p[NUM_ECC_DIGITS]; -extern uint32_t curve_b[NUM_ECC_DIGITS]; -extern uint32_t curve_n[NUM_ECC_DIGITS]; -extern uint32_t curve_pb[NUM_ECC_DIGITS + 1]; -extern EccPoint curve_G; +#if default_RNG_defined +static uECC_RNG_Function g_rng_function = &default_CSPRNG; +#else +static uECC_RNG_Function g_rng_function = 0; +#endif -int32_t ecc_make_key(EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS], - uint32_t p_random[NUM_ECC_DIGITS * 2]) +int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key, + unsigned int *d, uECC_Curve curve) { - // computing modular reduction of p_random (see FIPS 186.4 B.4.1): - vli_mmod_barrett(p_privateKey, p_random, curve_p, curve_pb); - /* Make sure the private key is in the range [1, n-1]. - * For the supported curve, n is always large enough - * that we only need to subtract once at most. - */ - uint32_t p_tmp[NUM_ECC_DIGITS]; - vli_sub(p_tmp, p_privateKey, curve_n, NUM_ECC_DIGITS); + uECC_word_t _private[NUM_ECC_WORDS]; + uECC_word_t _public[NUM_ECC_WORDS * 2]; - vli_cond_set(p_privateKey, p_privateKey, p_tmp, - vli_cmp(curve_n, p_privateKey, NUM_ECC_DIGITS) == 1); + /* This function is designed for test purposes-only (such as validating NIST + * test vectors) as it uses a provided value for d instead of generating + * it uniformly at random. */ + memcpy (_private, d, NUM_ECC_BYTES); - /* erasing temporary buffer used to store secret: */ - for (uint32_t i = 0; i < NUM_ECC_DIGITS; i++) - p_tmp[i] = 0; + /* Computing public-key from private: */ + if (EccPoint_compute_public_key(_public, _private, curve)) { - if (vli_isZero(p_privateKey)) { - return TC_CRYPTO_FAIL; /* The private key cannot be 0 (mod p). 
*/ - } - - EccPointJacobi P; + /* Converting buffers to correct bit order: */ + uECC_vli_nativeToBytes(private_key, + BITS_TO_BYTES(curve->num_n_bits), + _private); + uECC_vli_nativeToBytes(public_key, + curve->num_bytes, + _public); + uECC_vli_nativeToBytes(public_key + curve->num_bytes, + curve->num_bytes, + _public + curve->num_words); - EccPoint_mult_safe(&P, &curve_G, p_privateKey); - EccPoint_toAffine(p_publicKey, &P); - - return TC_CRYPTO_SUCCESS; -} - -/* Compute p_result = x^3 - 3x + b */ -static void curve_x_side(uint32_t p_result[NUM_ECC_DIGITS], - uint32_t x[NUM_ECC_DIGITS]) -{ - - uint32_t _3[NUM_ECC_DIGITS] = {3}; /* -a = 3 */ - - vli_modSquare_fast(p_result, x); /* r = x^2 */ - vli_modSub(p_result, p_result, _3, curve_p); /* r = x^2 - 3 */ - vli_modMult_fast(p_result, p_result, x); /* r = x^3 - 3x */ - vli_modAdd(p_result, p_result, curve_b, curve_p); /* r = x^3 - 3x + b */ + /* erasing temporary buffer used to store secret: */ + memset(_private, 0, NUM_ECC_BYTES); + return 1; + } + return 0; } -int32_t ecc_valid_public_key(EccPoint *p_publicKey) +int uECC_make_key(uint8_t *public_key, uint8_t *private_key, uECC_Curve curve) { - uint32_t l_tmp1[NUM_ECC_DIGITS]; - uint32_t l_tmp2[NUM_ECC_DIGITS]; - - if (EccPoint_isZero(p_publicKey)) { - return -1; - } - - if ((vli_cmp(curve_p, p_publicKey->x, NUM_ECC_DIGITS) != 1) || - (vli_cmp(curve_p, p_publicKey->y, NUM_ECC_DIGITS) != 1)) { - return -2; - } - - vli_modSquare_fast(l_tmp1, p_publicKey->y); /* tmp1 = y^2 */ - - curve_x_side(l_tmp2, p_publicKey->x); /* tmp2 = x^3 - 3x + b */ - - /* Make sure that y^2 == x^3 + ax + b */ - if (vli_cmp(l_tmp1, l_tmp2, NUM_ECC_DIGITS) != 0) { - return -3; - } - - if (vli_cmp(p_publicKey->x, curve_G.x, NUM_ECC_DIGITS) == 0 && - vli_cmp(p_publicKey->y, curve_G.y, NUM_ECC_DIGITS) == 0 ) - return -4; + uECC_word_t _random[NUM_ECC_WORDS * 2]; + uECC_word_t _private[NUM_ECC_WORDS]; + uECC_word_t _public[NUM_ECC_WORDS * 2]; + uECC_word_t tries; + + for (tries = 0; tries < 
uECC_RNG_MAX_TRIES; ++tries) { + /* Generating _private uniformly at random: */ + uECC_RNG_Function rng_function = uECC_get_rng(); + if (!rng_function || + !rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS*uECC_WORD_SIZE)) { + return 0; + } + + /* computing modular reduction of _random (see FIPS 186.4 B.4.1): */ + uECC_vli_mmod(_private, _random, curve->n, BITS_TO_WORDS(curve->num_n_bits)); + + /* Computing public-key from private: */ + if (EccPoint_compute_public_key(_public, _private, curve)) { + + /* Converting buffers to correct bit order: */ + uECC_vli_nativeToBytes(private_key, + BITS_TO_BYTES(curve->num_n_bits), + _private); + uECC_vli_nativeToBytes(public_key, + curve->num_bytes, + _public); + uECC_vli_nativeToBytes(public_key + curve->num_bytes, + curve->num_bytes, + _public + curve->num_words); + + /* erasing temporary buffer that stored secret: */ + memset(_private, 0, NUM_ECC_BYTES); + + return 1; + } + } return 0; } -int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS], - EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS]) +int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key, + uint8_t *secret, uECC_Curve curve) { - EccPoint p_point; - EccPointJacobi P; - - EccPoint_mult_safe(&P, p_publicKey, p_privateKey); - if (EccPointJacobi_isZero(&P)) { - return TC_CRYPTO_FAIL; - } - EccPoint_toAffine(&p_point, &P); - vli_set(p_secret, p_point.x); - - return TC_CRYPTO_SUCCESS; + uECC_word_t _public[NUM_ECC_WORDS * 2]; + uECC_word_t _private[NUM_ECC_WORDS]; + + uECC_word_t tmp[NUM_ECC_WORDS]; + uECC_word_t *p2[2] = {_private, tmp}; + uECC_word_t *initial_Z = 0; + uECC_word_t carry; + wordcount_t num_words = curve->num_words; + wordcount_t num_bytes = curve->num_bytes; + + /* Converting buffers to correct bit order: */ + uECC_vli_bytesToNative(_private, + private_key, + BITS_TO_BYTES(curve->num_n_bits)); + uECC_vli_bytesToNative(_public, + public_key, + num_bytes); + uECC_vli_bytesToNative(_public + num_words, + 
public_key + num_bytes, + num_bytes); + + /* Regularize the bitcount for the private key so that attackers cannot use a + * side channel attack to learn the number of leading zeros. */ + carry = regularize_k(_private, _private, tmp, curve); + + /* If an RNG function was specified, try to get a random initial Z value to + * improve protection against side-channel attacks. */ + if (g_rng_function) { + if (!uECC_generate_random_int(p2[carry], curve->p, num_words)) { + return 0; + } + initial_Z = p2[carry]; + } + + EccPoint_mult(_public, _public, p2[!carry], initial_Z, curve->num_n_bits + 1, + curve); + + /* erasing temporary buffer used to store secret: */ + memset (p2, 0, 2*NUM_ECC_WORDS); + + uECC_vli_nativeToBytes(secret, num_bytes, _public); + return !EccPoint_isZero(_public, curve); } diff --git a/lib/source/ecc_dsa.c b/lib/source/ecc_dsa.c index dd84a18..064dfe5 100644 --- a/lib/source/ecc_dsa.c +++ b/lib/source/ecc_dsa.c 
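Review bot: In `uECC_shared_secret`, `memset (p2, 0, 2*NUM_ECC_WORDS);` clears the two-element pointer array `p2`, not the `_private` and `tmp` buffers it points to, so the private scalar and its regularized copy stay on the stack after the function returns. The byte count is also unrelated to `sizeof p2`, so on a target where two pointers occupy fewer than `2*NUM_ECC_WORDS` bytes the call writes past the array. I would wipe the buffers themselves, `memset(_private, 0, sizeof _private); memset(tmp, 0, sizeof tmp);`, ideally through a wipe helper the compiler cannot drop, since a plain memset just before return may be removed as a dead store. `uECC_make_key` in the same hunk has a related gap: `_random` is never cleared and `_private` is cleared only on the success path.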
@@ -1,7 +1,30 @@ /* ec_dsa.c - TinyCrypt implementation of EC-DSA */ +/* Copyright (c) 2014, Kenneth MacKay + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE.*/ + /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
@@ -32,84 +55,241 @@ #include #include +#include -extern uint32_t curve_n[NUM_ECC_DIGITS]; -extern EccPoint curve_G; -extern uint32_t curve_nb[NUM_ECC_DIGITS + 1]; +#if default_RNG_defined +static uECC_RNG_Function g_rng_function = &default_CSPRNG; +#else +static uECC_RNG_Function g_rng_function = 0; +#endif -int32_t ecdsa_sign(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS], - uint32_t p_privateKey[NUM_ECC_DIGITS], uint32_t p_random[NUM_ECC_DIGITS], - uint32_t p_hash[NUM_ECC_DIGITS]) +static void bits2int(uECC_word_t *native, const uint8_t *bits, + unsigned bits_size, uECC_Curve curve) { + unsigned num_n_bytes = BITS_TO_BYTES(curve->num_n_bits); + unsigned num_n_words = BITS_TO_WORDS(curve->num_n_bits); + int shift; + uECC_word_t carry; + uECC_word_t *ptr; - uint32_t k[NUM_ECC_DIGITS], tmp[NUM_ECC_DIGITS]; - EccPoint p_point; - EccPointJacobi P; + if (bits_size > num_n_bytes) { + bits_size = num_n_bytes; + } - if (vli_isZero(p_random)) { - return TC_CRYPTO_FAIL; /* The random number must not be 0. 
*/ + uECC_vli_clear(native, num_n_words); + uECC_vli_bytesToNative(native, bits, bits_size); + if (bits_size * 8 <= (unsigned)curve->num_n_bits) { + return; + } + shift = bits_size * 8 - curve->num_n_bits; + carry = 0; + ptr = native + num_n_words; + while (ptr-- > native) { + uECC_word_t temp = *ptr; + *ptr = (temp >> shift) | carry; + carry = temp << (uECC_WORD_BITS - shift); } - vli_set(k, p_random); + /* Reduce mod curve_n */ + if (uECC_vli_cmp_unsafe(curve->n, native, num_n_words) != 1) { + uECC_vli_sub(native, native, curve->n, num_n_words); + } +} - vli_sub(tmp, k, curve_n, NUM_ECC_DIGITS); - vli_cond_set(k, k, tmp, vli_cmp(curve_n, k, NUM_ECC_DIGITS) == 1); +int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, + unsigned hash_size, uECC_word_t *k, uint8_t *signature, + uECC_Curve curve) +{ - /* tmp = k * G */ - EccPoint_mult_safe(&P, &curve_G, k); - EccPoint_toAffine(&p_point, &P); + uECC_word_t tmp[NUM_ECC_WORDS]; + uECC_word_t s[NUM_ECC_WORDS]; + uECC_word_t *k2[2] = {tmp, s}; + uECC_word_t p[NUM_ECC_WORDS * 2]; + uECC_word_t carry; + wordcount_t num_words = curve->num_words; + wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits); + bitcount_t num_n_bits = curve->num_n_bits; - /* r = x1 (mod n) */ - vli_set(r, p_point.x); - if (vli_cmp(curve_n, r, NUM_ECC_DIGITS) != 1) { - vli_sub(r, r, curve_n, NUM_ECC_DIGITS); + /* Make sure 0 < k < curve_n */ + if (uECC_vli_isZero(k, num_words) || + uECC_vli_cmp(curve->n, k, num_n_words) != 1) { + return 0; } - if (vli_isZero(r)) { - return TC_CRYPTO_FAIL; /* If r == 0, fail (need a different random number). 
*/ + carry = regularize_k(k, tmp, s, curve); + EccPoint_mult(p, curve->G, k2[!carry], 0, num_n_bits + 1, curve); + if (uECC_vli_isZero(p, num_words)) { + return 0; } - vli_modMult(s, r, p_privateKey, curve_n, curve_nb); /* s = r*d */ - vli_modAdd(s, p_hash, s, curve_n); /* s = e + r*d */ - vli_modInv(k, k, curve_n, curve_nb); /* k = 1 / k */ - vli_modMult(s, s, k, curve_n, curve_nb); /* s = (e + r*d) / k */ + /* If an RNG function was specified, get a random number + to prevent side channel analysis of k. */ + if (!g_rng_function) { + uECC_vli_clear(tmp, num_n_words); + tmp[0] = 1; + } + else if (!uECC_generate_random_int(tmp, curve->n, num_n_words)) { + return 0; + } - return TC_CRYPTO_SUCCESS; + /* Prevent side channel analysis of uECC_vli_modInv() to determine + bits of k / the private key by premultiplying by a random number */ + uECC_vli_modMult(k, k, tmp, curve->n, num_n_words); /* k' = rand * k */ + uECC_vli_modInv(k, k, curve->n, num_n_words); /* k = 1 / k' */ + uECC_vli_modMult(k, k, tmp, curve->n, num_n_words); /* k = 1 / k */ + + uECC_vli_nativeToBytes(signature, curve->num_bytes, p); /* store r */ + + /* tmp = d: */ + uECC_vli_bytesToNative(tmp, private_key, BITS_TO_BYTES(curve->num_n_bits)); + + s[num_n_words - 1] = 0; + uECC_vli_set(s, p, num_words); + uECC_vli_modMult(s, tmp, s, curve->n, num_n_words); /* s = r*d */ + + bits2int(tmp, message_hash, hash_size, curve); + uECC_vli_modAdd(s, tmp, s, curve->n, num_n_words); /* s = e + r*d */ + uECC_vli_modMult(s, s, k, curve->n, num_n_words); /* s = (e + r*d) / k */ + if (uECC_vli_numBits(s, num_n_words) > (bitcount_t)curve->num_bytes * 8) { + return 0; + } + + uECC_vli_nativeToBytes(signature + curve->num_bytes, curve->num_bytes, s); + return 1; } -int32_t ecdsa_verify(EccPoint *p_publicKey, uint32_t p_hash[NUM_ECC_DIGITS], - uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS]) +int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash, + unsigned hash_size, uint8_t *signature, uECC_Curve 
curve) { + uECC_word_t _random[2*NUM_ECC_WORDS]; + uECC_word_t k[NUM_ECC_WORDS]; + uECC_word_t tries; + + for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { + /* Generating _random uniformly at random: */ + uECC_RNG_Function rng_function = uECC_get_rng(); + if (!rng_function || + !rng_function((uint8_t *)_random, 2*NUM_ECC_WORDS*uECC_WORD_SIZE)) { + return 0; + } - uint32_t u1[NUM_ECC_DIGITS], u2[NUM_ECC_DIGITS]; - uint32_t z[NUM_ECC_DIGITS]; - EccPointJacobi P, R; - EccPoint p_point; + // computing k as modular reduction of _random (see FIPS 186.4 B.5.1): + uECC_vli_mmod(k, _random, curve->n, BITS_TO_WORDS(curve->num_n_bits)); - if (vli_isZero(r) || vli_isZero(s)) { - return TC_CRYPTO_FAIL; /* r, s must not be 0. */ + if (uECC_sign_with_k(private_key, message_hash, hash_size, k, signature, + curve)) { + return 1; + } } + return 0; +} - if ((vli_cmp(curve_n, r, NUM_ECC_DIGITS) != 1) || - (vli_cmp(curve_n, s, NUM_ECC_DIGITS) != 1)) { - return TC_CRYPTO_FAIL; /* r, s must be < n. */ +static bitcount_t smax(bitcount_t a, bitcount_t b) +{ + return (a > b ? 
a : b); +} + +int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash, + unsigned hash_size, const uint8_t *signature, + uECC_Curve curve) +{ + + uECC_word_t u1[NUM_ECC_WORDS], u2[NUM_ECC_WORDS]; + uECC_word_t z[NUM_ECC_WORDS]; + uECC_word_t sum[NUM_ECC_WORDS * 2]; + uECC_word_t rx[NUM_ECC_WORDS]; + uECC_word_t ry[NUM_ECC_WORDS]; + uECC_word_t tx[NUM_ECC_WORDS]; + uECC_word_t ty[NUM_ECC_WORDS]; + uECC_word_t tz[NUM_ECC_WORDS]; + const uECC_word_t *points[4]; + const uECC_word_t *point; + bitcount_t num_bits; + bitcount_t i; + + uECC_word_t _public[NUM_ECC_WORDS * 2]; + uECC_word_t r[NUM_ECC_WORDS], s[NUM_ECC_WORDS]; + wordcount_t num_words = curve->num_words; + wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits); + + rx[num_n_words - 1] = 0; + r[num_n_words - 1] = 0; + s[num_n_words - 1] = 0; + + uECC_vli_bytesToNative(_public, public_key, curve->num_bytes); + uECC_vli_bytesToNative(_public + num_words, public_key + curve->num_bytes, + curve->num_bytes); + uECC_vli_bytesToNative(r, signature, curve->num_bytes); + uECC_vli_bytesToNative(s, signature + curve->num_bytes, curve->num_bytes); + + /* r, s must not be 0. */ + if (uECC_vli_isZero(r, num_words) || uECC_vli_isZero(s, num_words)) { + return 0; + } + + /* r, s must be < n. */ + if (uECC_vli_cmp_unsafe(curve->n, r, num_n_words) != 1 || + uECC_vli_cmp_unsafe(curve->n, s, num_n_words) != 1) { + return 0; } /* Calculate u1 and u2. */ - vli_modInv(z, s, curve_n, curve_nb); /* Z = s^-1 */ - vli_modMult(u1, p_hash, z, curve_n, curve_nb); /* u1 = e/s */ - vli_modMult(u2, r, z, curve_n, curve_nb); /* u2 = r/s */ - - /* calculate P = u1*G + u2*Q */ - EccPoint_mult_unsafe(&P, &curve_G, u1); - EccPoint_mult_unsafe(&R, p_publicKey, u2); - EccPoint_add(&P, &R); - EccPoint_toAffine(&p_point, &P); - - /* Accept only if P.x == r. 
*/ - if (!vli_sub(z, p_point.x, curve_n, NUM_ECC_DIGITS)) { - vli_set(p_point.x, z); + uECC_vli_modInv(z, s, curve->n, num_n_words); /* z = 1/s */ + u1[num_n_words - 1] = 0; + bits2int(u1, message_hash, hash_size, curve); + uECC_vli_modMult(u1, u1, z, curve->n, num_n_words); /* u1 = e/s */ + uECC_vli_modMult(u2, r, z, curve->n, num_n_words); /* u2 = r/s */ + + /* Calculate sum = G + Q. */ + uECC_vli_set(sum, _public, num_words); + uECC_vli_set(sum + num_words, _public + num_words, num_words); + uECC_vli_set(tx, curve->G, num_words); + uECC_vli_set(ty, curve->G + num_words, num_words); + uECC_vli_modSub(z, sum, tx, curve->p, num_words); /* z = x2 - x1 */ + XYcZ_add(tx, ty, sum, sum + num_words, curve); + uECC_vli_modInv(z, z, curve->p, num_words); /* z = 1/z */ + apply_z(sum, sum + num_words, z, curve); + + /* Use Shamir's trick to calculate u1*G + u2*Q */ + points[0] = 0; + points[1] = curve->G; + points[2] = _public; + points[3] = sum; + num_bits = smax(uECC_vli_numBits(u1, num_n_words), + uECC_vli_numBits(u2, num_n_words)); + + point = points[(!!uECC_vli_testBit(u1, num_bits - 1)) | + ((!!uECC_vli_testBit(u2, num_bits - 1)) << 1)]; + uECC_vli_set(rx, point, num_words); + uECC_vli_set(ry, point + num_words, num_words); + uECC_vli_clear(z, num_words); + z[0] = 1; + + for (i = num_bits - 2; i >= 0; --i) { + uECC_word_t index; + curve->double_jacobian(rx, ry, z, curve); + + index = (!!uECC_vli_testBit(u1, i)) | ((!!uECC_vli_testBit(u2, i)) << 1); + point = points[index]; + if (point) { + uECC_vli_set(tx, point, num_words); + uECC_vli_set(ty, point + num_words, num_words); + apply_z(tx, ty, z, curve); + uECC_vli_modSub(tz, rx, tx, curve->p, num_words); /* Z = x2 - x1 */ + XYcZ_add(tx, ty, rx, ry, curve); + uECC_vli_modMult_fast(z, z, tz, curve); + } + } + + uECC_vli_modInv(z, z, curve->p, num_words); /* Z = 1/Z */ + apply_z(rx, ry, z, curve); + + /* v = x1 (mod n) */ + if (uECC_vli_cmp_unsafe(curve->n, rx, num_n_words) != 1) { + uECC_vli_sub(rx, rx, curve->n, 
num_n_words); } - return (vli_cmp(p_point.x, r, NUM_ECC_DIGITS) == 0); + /* Accept only if v == r. */ + return (int)(uECC_vli_equal(rx, r, num_words) == 0); } + diff --git a/lib/source/hmac.c b/lib/source/hmac.c index e256846..3f4dadd 100644 --- a/lib/source/hmac.c +++ b/lib/source/hmac.c @@ -1,7 +1,7 @@ /* hmac.c - TinyCrypt implementation of the HMAC algorithm */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -34,11 +34,11 @@ #include #include -static void rekey(uint8_t *key, const uint8_t *new_key, uint32_t key_size) +static void rekey(uint8_t *key, const uint8_t *new_key, unsigned int key_size) { const uint8_t inner_pad = (uint8_t) 0x36; const uint8_t outer_pad = (uint8_t) 0x5c; - uint32_t i; + unsigned int i; for (i = 0; i < key_size; ++i) { key[i] = inner_pad ^ new_key[i]; @@ -49,10 +49,10 @@ static void rekey(uint8_t *key, const uint8_t *new_key, uint32_t key_size) } } -int32_t tc_hmac_set_key(TCHmacState_t ctx, - const uint8_t *key, - uint32_t key_size) +int tc_hmac_set_key(TCHmacState_t ctx, const uint8_t *key, + unsigned int key_size) { + /* input sanity check: */ if (ctx == (TCHmacState_t) 0 || key == (const uint8_t *) 0 || 
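Review bot: `uECC_sign_with_k` decides whether to blind the `uECC_vli_modInv` call by testing the file-static `g_rng_function`, while `uECC_sign` in the same file takes its generator from `uECC_get_rng()`. Nothing in this hunk assigns the static, so in a build where `default_RNG_defined` is 0 it stays 0 and `tmp` is set to 1, which makes the premultiplication a no-op even when the application has installed an RNG that `uECC_sign` goes on to use. I would drop the per-file static and test the shared getter, `if (!uECC_get_rng()) {`, so the blinding follows the same RNG as nonce generation. The `if (g_rng_function)` check in front of the random `initial_Z` in `uECC_shared_secret` (ecc_dh.c) relies on the same kind of per-file copy. The first lines of ecc_dsa.c lie outside the hunk, so this reading assumes nothing there changes the static.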
@@ -93,27 +93,29 @@ int32_t tc_hmac_set_key(TCHmacState_t ctx, return TC_CRYPTO_SUCCESS; } -int32_t tc_hmac_init(TCHmacState_t ctx) +int tc_hmac_init(TCHmacState_t ctx) { + /* input sanity check: */ - if (ctx == (TCHmacState_t) 0) { + if (ctx == (TCHmacState_t) 0 || + ctx->key == (uint8_t *) 0) { return TC_CRYPTO_FAIL; } - (void)tc_sha256_init(&ctx->hash_state); - (void)tc_sha256_update(&ctx->hash_state, - ctx->key, - TC_SHA256_BLOCK_SIZE); + (void) tc_sha256_init(&ctx->hash_state); + (void) tc_sha256_update(&ctx->hash_state, ctx->key, TC_SHA256_BLOCK_SIZE); return TC_CRYPTO_SUCCESS; } -int32_t tc_hmac_update(TCHmacState_t ctx, - const void *data, - uint32_t data_length) +int tc_hmac_update(TCHmacState_t ctx, + const void *data, + unsigned int data_length) { + /* input sanity check: */ - if (ctx == (TCHmacState_t) 0) { + if (ctx == (TCHmacState_t) 0 || + ctx->key == (uint8_t *) 0) { return TC_CRYPTO_FAIL; } @@ -122,12 +124,14 @@ int32_t tc_hmac_update(TCHmacState_t ctx, return TC_CRYPTO_SUCCESS; } -int32_t tc_hmac_final(uint8_t *tag, uint32_t taglen, TCHmacState_t ctx) +int tc_hmac_final(uint8_t *tag, unsigned int taglen, TCHmacState_t ctx) { + /* input sanity check: */ if (tag == (uint8_t *) 0 || taglen != TC_SHA256_DIGEST_SIZE || - ctx == (TCHmacState_t) 0) { + ctx == (TCHmacState_t) 0 || + ctx->key == (uint8_t *) 0) { return TC_CRYPTO_FAIL; } diff --git a/lib/source/hmac_prng.c b/lib/source/hmac_prng.c index ceac27f..68b5b1f 100644 --- a/lib/source/hmac_prng.c +++ b/lib/source/hmac_prng.c @@ -1,7 +1,7 @@ /* hmac_prng.c - TinyCrypt implementation of HMAC-PRNG */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
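Review bot: The added `ctx->key == (uint8_t *) 0` test in `tc_hmac_init` probably cannot fail. The state struct is not shown in this diff, but if `key` is an array member its address is never null once `ctx` itself is non-null, so the comparison does not detect a context that was never keyed. The same check is added in `tc_hmac_update` and `tc_hmac_final`, and as `s->iv == (unsigned int *) 0` in `tc_sha256_update` and `tc_sha256_final` in sha256.c. If the intent is to reject an unkeyed context, that needs state that `tc_hmac_set_key` actually sets; otherwise I would drop the comparison and document the precondition, e.g. `/* ctx must have been keyed with tc_hmac_set_key() */`.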
@@ -39,43 +39,43 @@ * min bytes in the seed string. * MIN_SLEN*8 must be at least the expected security level. */ -static const uint32_t MIN_SLEN = 32; +static const unsigned int MIN_SLEN = 32; /* * max bytes in the seed string; * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes). */ -static const uint32_t MAX_SLEN = UINT32_MAX; +static const unsigned int MAX_SLEN = UINT32_MAX; /* * max bytes in the personalization string; * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes). */ -static const uint32_t MAX_PLEN = UINT32_MAX; +static const unsigned int MAX_PLEN = UINT32_MAX; /* * max bytes in the additional_info string; * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes). */ -static const uint32_t MAX_ALEN = UINT32_MAX; +static const unsigned int MAX_ALEN = UINT32_MAX; /* * max number of generates between re-seeds; * TinyCrypt accepts up to (2^32 - 1) which is the maximal value of - * a uint32_t variable, while SP800-90A specifies a maximum of 2^48. + * a 32-bit unsigned int variable, while SP800-90A specifies a maximum of 2^48. */ -static const uint32_t MAX_GENS = UINT32_MAX; +static const unsigned int MAX_GENS = UINT32_MAX; /* * maximum bytes per generate call; * SP800-90A specifies a maximum up to 2^19. */ -static const uint32_t MAX_OUT = (1 << 19); +static const unsigned int MAX_OUT = (1 << 19); /* * Assumes: prng != NULL, e != NULL, len >= 0. */ -static void update(TCHmacPrng_t prng, const uint8_t *e, uint32_t len) +static void update(TCHmacPrng_t prng, const uint8_t *e, unsigned int len) { const uint8_t separator0 = 0x00; const uint8_t separator1 = 0x01; 
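Review bot: Changing these limits from `uint32_t` to `unsigned int` ties them to the platform's int width, which C only guarantees to be at least 16 bits, although the new comment speaks of "a 32-bit unsigned int variable". On a narrower target `MAX_OUT = (1 << 19)` shifts past the width of `int`, which is undefined behaviour, and `UINT32_MAX` is silently truncated for `MAX_SLEN`, `MAX_PLEN`, `MAX_ALEN` and `MAX_GENS`. I would keep the fixed-width type for the limits, e.g. `static const uint32_t MAX_OUT = (UINT32_C(1) << 19);`, or fail the build when `UINT_MAX < 0xffffffff`. The sha256.c hunks make the same assumption with a sharper consequence: `ROTR`, `k256` and `compress` need arithmetic modulo 2^32, so an `unsigned int` of any other width would yield wrong digests.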
@@ -109,10 +109,11 @@ static void update(TCHmacPrng_t prng, const uint8_t *e, uint32_t len) (void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h); } -int32_t tc_hmac_prng_init(TCHmacPrng_t prng, - const uint8_t *personalization, - uint32_t plen) +int tc_hmac_prng_init(TCHmacPrng_t prng, + const uint8_t *personalization, + unsigned int plen) { + /* input sanity check: */ if (prng == (TCHmacPrng_t) 0 || personalization == (uint8_t *) 0 || @@ -134,12 +135,13 @@ int32_t tc_hmac_prng_init(TCHmacPrng_t prng, return TC_CRYPTO_SUCCESS; } -int32_t tc_hmac_prng_reseed(TCHmacPrng_t prng, - const uint8_t *seed, - uint32_t seedlen, - const uint8_t *additional_input, - uint32_t additionallen) +int tc_hmac_prng_reseed(TCHmacPrng_t prng, + const uint8_t *seed, + unsigned int seedlen, + const uint8_t *additional_input, + unsigned int additionallen) { + /* input sanity check: */ if (prng == (TCHmacPrng_t) 0 || seed == (const uint8_t *) 0 || @@ -172,9 +174,9 @@ int32_t tc_hmac_prng_reseed(TCHmacPrng_t prng, return TC_CRYPTO_SUCCESS; } -int32_t tc_hmac_prng_generate(uint8_t *out, uint32_t outlen, TCHmacPrng_t prng) +int tc_hmac_prng_generate(uint8_t *out, unsigned int outlen, TCHmacPrng_t prng) { - uint32_t bufferlen; + unsigned int bufferlen; /* input sanity check: */ if (out == (uint8_t *) 0 || diff --git a/lib/source/sha256.c b/lib/source/sha256.c index c27d3e1..2fbee4f 100644 --- a/lib/source/sha256.c +++ b/lib/source/sha256.c @@ -1,7 +1,7 @@ /* sha256.c - TinyCrypt SHA-256 crypto hash algorithm implementation */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
@@ -34,9 +34,9 @@ #include #include -static void compress(uint32_t *iv, const uint8_t *data); +static void compress(unsigned int *iv, const uint8_t *data); -int32_t tc_sha256_init(TCSha256State_t s) +int tc_sha256_init(TCSha256State_t s) { /* input sanity check: */ if (s == (TCSha256State_t) 0) { @@ -62,10 +62,11 @@ int32_t tc_sha256_init(TCSha256State_t s) return TC_CRYPTO_SUCCESS; } -int32_t tc_sha256_update(TCSha256State_t s, const uint8_t *data, size_t datalen) +int tc_sha256_update(TCSha256State_t s, const uint8_t *data, size_t datalen) { /* input sanity check: */ if (s == (TCSha256State_t) 0 || + s->iv == (unsigned int *) 0 || data == (void *) 0) { return TC_CRYPTO_FAIL; } else if (datalen == 0) { @@ -84,13 +85,14 @@ int32_t tc_sha256_update(TCSha256State_t s, const uint8_t *data, size_t datalen) return TC_CRYPTO_SUCCESS; } -int32_t tc_sha256_final(uint8_t *digest, TCSha256State_t s) +int tc_sha256_final(uint8_t *digest, TCSha256State_t s) { - uint32_t i; + unsigned int i; /* input sanity check: */ if (digest == (uint8_t *) 0 || - s == (TCSha256State_t) 0) { + s == (TCSha256State_t) 0 || + s->iv == (unsigned int *) 0) { return TC_CRYPTO_FAIL; } @@ -122,7 +124,7 @@ int32_t tc_sha256_final(uint8_t *digest, TCSha256State_t s) /* copy the iv out to digest */ for (i = 0; i < TC_SHA256_STATE_BLOCKS; ++i) { - uint32_t t = *((uint32_t *) &s->iv[i]); + unsigned int t = *((unsigned int *) &s->iv[i]); *digest++ = (uint8_t)(t >> 24); *digest++ = (uint8_t)(t >> 16); *digest++ = (uint8_t)(t >> 8); 
@@ -140,7 +142,7 @@ int32_t tc_sha256_final(uint8_t *digest, TCSha256State_t s) * These values correspond to the first 32 bits of the fractional parts of the * cube roots of the first 64 primes between 2 and 311. */ -static const uint32_t k256[64] = { +static const unsigned int k256[64] = { 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, @@ -154,7 +156,7 @@ static const uint32_t k256[64] = { 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 }; -static inline uint32_t ROTR(uint32_t a, uint32_t n) +static inline unsigned int ROTR(unsigned int a, unsigned int n) { return (((a) >> n) | ((a) << (32 - n))); } @@ -167,25 +169,25 @@ static inline uint32_t ROTR(uint32_t a, uint32_t n) #define Ch(a, b, c)(((a) & (b)) ^ ((~(a)) & (c))) #define Maj(a, b, c)(((a) & (b)) ^ ((a) & (c)) ^ ((b) & (c))) -static inline uint32_t BigEndian(const uint8_t **c) +static inline unsigned int BigEndian(const uint8_t **c) { - uint32_t n = 0; + unsigned int n = 0; - n = (((uint32_t)(*((*c)++))) << 24); - n |= ((uint32_t)(*((*c)++)) << 16); - n |= ((uint32_t)(*((*c)++)) << 8); - n |= ((uint32_t)(*((*c)++))); + n = (((unsigned int)(*((*c)++))) << 24); + n |= ((unsigned int)(*((*c)++)) << 16); + n |= ((unsigned int)(*((*c)++)) << 8); + n |= ((unsigned int)(*((*c)++))); return n; } -static void compress(uint32_t *iv, const uint8_t *data) +static void compress(unsigned int *iv, const uint8_t *data) { - uint32_t a, b, c, d, e, f, g, h; - uint32_t s0, s1; - uint32_t t1, t2; - uint32_t work_space[16]; - uint32_t n; - uint32_t i; + unsigned int a, b, c, d, e, f, g, h; + unsigned int s0, s1; + unsigned int t1, t2; + unsigned int work_space[16]; + unsigned int n; + unsigned int i; a = iv[0]; b = iv[1]; c = iv[2]; d = iv[3]; e = iv[4]; f = iv[5]; g = iv[6]; h = iv[7]; 
diff --git a/lib/source/utils.c b/lib/source/utils.c index 147d8d4..13cc495 100644 --- a/lib/source/utils.c +++ b/lib/source/utils.c @@ -1,7 +1,7 @@ /* utils.c - TinyCrypt platform-dependent run-time operations */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -35,11 +35,10 @@ #include -#define MASK_MOST_SIG_BIT 0x80 #define MASK_TWENTY_SEVEN 0x1b -uint32_t _copy(uint8_t *to, uint32_t to_len, - const uint8_t *from, uint32_t from_len) +unsigned int _copy(uint8_t *to, unsigned int to_len, + const uint8_t *from, unsigned int from_len) { if (from_len <= to_len) { (void)memcpy(to, from, from_len); @@ -49,7 +48,7 @@ uint32_t _copy(uint8_t *to, uint32_t to_len, } } -void _set(void *to, uint8_t val, uint32_t len) +void _set(void *to, uint8_t val, unsigned int len) { (void)memset(to, val, len); } @@ -62,13 +61,13 @@ uint8_t _double_byte(uint8_t a) return ((a<<1) ^ ((a>>7) * MASK_TWENTY_SEVEN)); } -int32_t _compare(const uint8_t *a, const uint8_t *b, size_t size) +int _compare(const uint8_t *a, const uint8_t *b, size_t size) { const uint8_t *tempa = a; const uint8_t *tempb = b; uint8_t result = 0; - for (uint32_t i = 0; i < size; i++) { + for (unsigned int i = 0; i < size; i++) { result |= tempa[i] ^ tempb[i]; } return result; diff --git a/tests/Makefile b/tests/Makefile index 8067a1d..eff5a88 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -1,6 +1,6 @@ ################################################################################ # -# Copyright (C) 2015 by Intel Corporation, All Rights Reserved. +# Copyright (C) 2017 by Intel Corporation, All Rights Reserved. # # Tests Makefile. # 
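Review bot: In `_compare` the loop counter is now `unsigned int` while the bound `size` is `size_t`, so where `size_t` is wider a `size` above `UINT_MAX` makes the counter wrap and `i < size` never becomes false. Declaring the counter with the bound's type removes the mismatch: `for (size_t i = 0; i < size; i++) {`. The same mismatch appears in `show_str` in tests/include/test_utils.h, where `len` is cast down to `unsigned int`, and in `show` in tests/test_cmac_mode.c. A one-line comment would also help callers, e.g. `/* returns 0 only if a and b are equal over size bytes; always scans the whole length */`.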
@@ -56,11 +56,11 @@ test_hmac_prng$(DOTEXE): test_hmac_prng.o hmac_prng.o hmac.o \ test_sha256$(DOTEXE): test_sha256.o sha256.o utils.o $(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@ -test_ecc_dh$(DOTEXE): test_ecc_dh.o ecc.o ecc_dh.o test_ecc_utils.o +test_ecc_dh$(DOTEXE): test_ecc_dh.o ecc.o ecc_dh.o test_ecc_utils.o ecc_platform_specific.o $(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@ test_ecc_dsa$(DOTEXE): test_ecc_dsa.o ecc.o utils.o ecc_dh.o \ - ecc_dsa.o sha256.o test_ecc_utils.o + ecc_dsa.o sha256.o test_ecc_utils.o ecc_platform_specific.o $(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@ diff --git a/tests/include/test_ecc_utils.h b/tests/include/test_ecc_utils.h index 97c183c..4e29054 100644 --- a/tests/include/test_ecc_utils.h +++ b/tests/include/test_ecc_utils.h 
@@ -1,7 +1,30 @@ /* test_ecc_utils.h - TinyCrypt interface to common functions for ECC tests */ +/* Copyright (c) 2014, Kenneth MacKay + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE.*/ + /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
@@ -35,48 +58,43 @@ #ifndef __TEST_ECC_UTILS_H__ #define __TEST_ECC_UTILS_H__ -#include -#include -#include +#include +#include +#include -EccPoint keygen_vectors(char **d_vec, - char **qx_vec, - char **qy_vec, - int tests, - bool verbose); +int hex2int (char hex); -void getRandomBytes(void *p_dest, unsigned p_size); -void string2host(uint32_t *native, const uint8_t *bytes, size_t len); +/* + * Convert hex string to byte string + * Return number of bytes written to buf, or 0 on error + */ +int hex2bin(uint8_t *buf, const size_t buflen, const char *hex, + const size_t hexlen); -int hex2int (char hex); +/* + * Convert hex string to zero-padded nanoECC scalar + */ +void string2scalar(unsigned int * scalar, unsigned int num_word32, char *str); + + +void print_ecc_scalar(const char *label, const unsigned int * p_vli, + unsigned int num_word32); -int hex2bin( - uint8_t *buf, - const size_t buflen, - const char *hex, - const size_t hexlen); +int check_ecc_result(const int num, const char *name, + const unsigned int *expected, + const unsigned int *computed, + const unsigned int num_word32, const bool verbose); -void string2scalar(uint32_t * scalar, uint32_t num_word32, char *str); +/* Test ecc_make_keys, and also as keygen part of other tests */ +int keygen_vectors(char **d_vec, char **qx_vec, char **qy_vec, int tests, bool verbose); -void vli_print(uint32_t *p_vli, unsigned int p_size); +void vli_print_bytes(uint8_t *vli, unsigned int size); -void print_ecc_scalar( - const char *label, - const uint32_t * p_vli, - uint32_t num_word32); -void check_code(const int num, - const char *name, - const int expected, - const int computed, - const int verbose); +int check_code(const int num, const char *name, const int expected, + const int computed, const int verbose); -void check_ecc_result(const int num, const char *name, - const uint32_t *expected, - const uint32_t *computed, - const uint32_t num_word32, - const bool verbose); -#endif +#endif /* __TEST_ECC_UTILS_H__ */ 
diff --git a/tests/include/test_utils.h b/tests/include/test_utils.h index 5f51511..055f91b 100644 --- a/tests/include/test_utils.h +++ b/tests/include/test_utils.h @@ -1,7 +1,7 @@ /* test_utils.h - TinyCrypt interface to common functions for tests */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -83,18 +83,19 @@ "PROJECT EXECUTION %s\n", \ result == TC_PASS ? "SUCCESSFUL" : "FAILED"); \ } while (0) + static inline void show_str(const char *label, const uint8_t *s, size_t len) { - uint32_t i; + unsigned int i; TC_PRINT("%s = ", label); - for (i = 0; i < (uint32_t) len; ++i) { + for (i = 0; i < (unsigned int) len; ++i) { TC_PRINT("%02x", s[i]); } TC_PRINT("\n"); } -static inline void fatal(uint32_t testnum, const void *expected, size_t expectedlen, +static inline void fatal(unsigned int testnum, const void *expected, size_t expectedlen, const void *computed, size_t computedlen) { @@ -104,10 +105,10 @@ static inline void fatal(uint32_t testnum, const void *expected, size_t expected TC_PRINT("\n"); } -static inline uint32_t check_result(uint32_t testnum, const void *expected, size_t expectedlen, +static inline unsigned int check_result(unsigned int testnum, const void *expected, size_t expectedlen, const void *computed, size_t computedlen) { - uint32_t result = TC_PASS; + unsigned int result = TC_PASS; if (expectedlen != computedlen) { TC_ERROR("The length of the computed buffer (%zu)", computedlen); @@ -121,4 +122,4 @@ static inline uint32_t check_result(uint32_t testnum, const void *expected, size return result; } -#endif +#endif /* __TEST_UTILS_H__ */ diff --git a/tests/test_aes.c b/tests/test_aes.c index 40c89fa..ea3e2da 100644 --- a/tests/test_aes.c +++ b/tests/test_aes.c 
@@ -1,9 +1,7 @@ -/* test_aes.c - TinyCrypt - * Implementation of some AES-128 tests (including NIST tests) - */ +/* test_aes.c - TinyCrypt AES-128 tests (including NIST tests) */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -73,7 +71,8 @@ int test_1(void) 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }; - const struct tc_aes_key_sched_struct expected = {{ + const struct tc_aes_key_sched_struct expected = { + { 0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c, 0xa0fafe17, 0x88542cb1, 0x23a33939, 0x2a6c7605, 0xf2c295f2, 0x7a96b943, 0x5935807a, 0x7359f67f, @@ -85,7 +84,8 @@ int test_1(void) 0xead27321, 0xb58dbad2, 0x312bf560, 0x7f8d292f, 0xac7766f3, 0x19fadc21, 0x28d12941, 0x575c006e, 0xd014f9a8, 0xc9ee2589, 0xe13f0cc8, 0xb6630ca6 - } }; + } + }; struct tc_aes_key_sched_struct s; TC_PRINT("AES128 %s (NIST key schedule test):\n", __func__); @@ -97,11 +97,10 @@ int test_1(void) goto exitTest1; } - result = check_result(1, expected.words, - sizeof(expected.words), - s.words, sizeof(s.words)); + result = check_result(1, expected.words, sizeof(expected.words), s.words, + sizeof(s.words)); - exitTest1: +exitTest1: TC_END_RESULT(result); return result; } @@ -137,16 +136,16 @@ int test_2(void) goto exitTest2; } - result = check_result(2, expected, sizeof(expected), - ciphertext, sizeof(ciphertext)); + result = check_result(2, expected, sizeof(expected), ciphertext, + sizeof(ciphertext)); - exitTest2: +exitTest2: TC_END_RESULT(result); return result; } -int var_text_test(uint32_t r, const uint8_t *in, const uint8_t *out, +int var_text_test(unsigned int r, const uint8_t *in, const uint8_t *out, TCAesKeySched_t s) { uint8_t ciphertext[NUM_OF_NIST_KEYS]; 
@@ -154,8 +153,8 @@ int var_text_test(uint32_t r, const uint8_t *in, const uint8_t *out, int result = TC_PASS; (void)tc_aes_encrypt(ciphertext, in, s); - result = check_result(r, out, NUM_OF_NIST_KEYS, - ciphertext, sizeof(ciphertext)); + result = check_result(r, out, NUM_OF_NIST_KEYS, ciphertext, + sizeof(ciphertext)); if (result != TC_FAIL) { if (tc_aes_decrypt(decrypted, ciphertext, s) == 0) { TC_ERROR("aes_decrypt failed\n"); @@ -1078,7 +1077,7 @@ int test_3(void) } } }; struct tc_aes_key_sched_struct s; - uint32_t i; + unsigned int i; TC_PRINT("AES128 %s (NIST fixed-key and variable-text):\n", __func__); @@ -1096,7 +1095,7 @@ int test_3(void) return result; } -int var_key_test(uint32_t r, const uint8_t *in, const uint8_t *out) +int var_key_test(unsigned int r, const uint8_t *in, const uint8_t *out) { int result = TC_PASS; @@ -1110,8 +1109,8 @@ int var_key_test(uint32_t r, const uint8_t *in, const uint8_t *out) (void)tc_aes128_set_encrypt_key(&s, in); (void)tc_aes_encrypt(ciphertext, plaintext, &s); - result = check_result(r, out, NUM_OF_NIST_KEYS, - ciphertext, sizeof(ciphertext)); + result = check_result(r, out, NUM_OF_NIST_KEYS, ciphertext, + sizeof(ciphertext)); return result; } @@ -2020,7 +2019,7 @@ int test_4(void) 0x89, 0x64, 0x48, 0x45, 0x38, 0xbf, 0xc9, 0x2c } } }; - uint32_t i; + unsigned int i; TC_PRINT("AES128 test #4 (NIST variable-key and fixed-text):\n"); diff --git a/tests/test_cbc_mode.c b/tests/test_cbc_mode.c index 24fe14b..ffa0a88 100644 --- a/tests/test_cbc_mode.c +++ b/tests/test_cbc_mode.c @@ -1,7 +1,7 @@ /* test_cbc_mode.c - TinyCrypt implementation of some AES-CBC tests */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
@@ -108,7 +108,7 @@ int test_1_and_2(void) uint8_t encrypted[80]; uint8_t decrypted[64]; uint8_t *p; - uint32_t length; + unsigned int length; int result = TC_PASS; (void)tc_aes128_set_encrypt_key(&a, key); @@ -116,36 +116,34 @@ int test_1_and_2(void) (void)memcpy(iv_buffer, iv, TC_AES_BLOCK_SIZE); TC_PRINT("CBC test #1 (encryption SP 800-38a tests):\n"); - if (tc_cbc_mode_encrypt(encrypted, - sizeof(plaintext) + TC_AES_BLOCK_SIZE, - plaintext, sizeof(plaintext), - iv_buffer, &a) == 0) { + if (tc_cbc_mode_encrypt(encrypted, sizeof(plaintext) + TC_AES_BLOCK_SIZE, + plaintext, sizeof(plaintext), iv_buffer, &a) == 0) { TC_ERROR("CBC test #1 (encryption SP 800-38a tests) failed in " "%s.\n", __func__); result = TC_FAIL; goto exitTest1; } - result = check_result(1, ciphertext, sizeof(encrypted), - encrypted, sizeof(encrypted)); + result = check_result(1, ciphertext, sizeof(encrypted), encrypted, + sizeof(encrypted)); TC_END_RESULT(result); TC_PRINT("CBC test #2 (decryption SP 800-38a tests):\n"); (void)tc_aes128_set_decrypt_key(&a, key); p = &encrypted[TC_AES_BLOCK_SIZE]; - length = ((uint32_t) sizeof(encrypted)) - TC_AES_BLOCK_SIZE; + length = ((unsigned int) sizeof(encrypted)) - TC_AES_BLOCK_SIZE; - if (tc_cbc_mode_decrypt(decrypted, length - TC_AES_BLOCK_SIZE, p, - length, encrypted, &a) == 0) { + if (tc_cbc_mode_decrypt(decrypted, length - TC_AES_BLOCK_SIZE, p, length, + encrypted, &a) == 0) { TC_ERROR("CBC test #2 (decryption SP 800-38a tests) failed in. " "%s\n", __func__); result = TC_FAIL; goto exitTest1; } - result = check_result(2, plaintext, sizeof(decrypted), - decrypted, sizeof(decrypted)); + result = check_result(2, plaintext, sizeof(decrypted), decrypted, + sizeof(decrypted)); exitTest1: TC_END_RESULT(result); @@ -163,7 +161,8 @@ int main(void) TC_PRINT("Performing CBC tests:\n"); result = test_1_and_2(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("CBC test #1 failed.\n"); goto exitTest; } 
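Review bot: Both re-wrapped `check_result` calls pass the size of the computed buffer as the expected length (`sizeof(encrypted)` for `ciphertext`, `sizeof(decrypted)` for `plaintext`), so the `expectedlen != computedlen` comparison in `check_result` can never fire. Assuming `ciphertext` and `plaintext` are arrays declared earlier in `test_1_and_2` (their declarations are outside this hunk), I would pass each reference vector's own size: `check_result(1, ciphertext, sizeof(ciphertext), encrypted, sizeof(encrypted));` and `check_result(2, plaintext, sizeof(plaintext), decrypted, sizeof(decrypted));`. That way a size drift between a test vector and its output buffer is reported instead of being masked.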
diff --git a/tests/test_ccm_mode.c b/tests/test_ccm_mode.c index 4ed0f51..878edb3 100644 --- a/tests/test_ccm_mode.c +++ b/tests/test_ccm_mode.c @@ -1,7 +1,7 @@ /* test_ccm_mode.c - TinyCrypt AES-CCM tests (RFC 3610 tests) */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -51,8 +51,8 @@ #include -#define CIPHERTEXT_LEN 50 -#define DECRYPTED_LEN 25 +#define TC_CCM_MAX_CT_SIZE 50 +#define TC_CCM_MAX_PT_SIZE 25 #define NUM_NIST_KEYS 16 #define NONCE_LEN 13 #define HEADER_LEN 8 @@ -67,16 +67,17 @@ #define EXPECTED_BUF_LEN34 34 #define EXPECTED_BUF_LEN35 35 -int do_test(const uint8_t *key, - uint8_t *nonce, size_t nlen, - const uint8_t *hdr, size_t hlen, - const uint8_t *data, size_t dlen, - const uint8_t *expected, size_t elen, - const int mlen) +int do_test(const uint8_t *key, uint8_t *nonce, + size_t nlen, const uint8_t *hdr, + size_t hlen, const uint8_t *data, + size_t dlen, const uint8_t *expected, + size_t elen, const int mlen) { + int result = TC_PASS; - uint8_t ciphertext[CIPHERTEXT_LEN]; - uint8_t decrypted[DECRYPTED_LEN]; + + uint8_t ciphertext[TC_CCM_MAX_CT_SIZE]; + uint8_t decrypted[TC_CCM_MAX_PT_SIZE]; struct tc_ccm_mode_struct c; struct tc_aes_key_sched_struct sched; @@ -90,8 +91,8 @@ int do_test(const uint8_t *key, goto exitTest1; } - result = tc_ccm_generation_encryption(ciphertext, hdr, hlen, - data, dlen, &c); + result = tc_ccm_generation_encryption(ciphertext, TC_CCM_MAX_CT_SIZE, hdr, + hlen, data, dlen, &c); if (result == 0) { TC_ERROR("ccm_encrypt failed in %s.\n", __func__); 
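Review bot: The new output-length argument to `tc_ccm_generation_encryption` in `do_test` is passed as the macro `TC_CCM_MAX_CT_SIZE` rather than derived from the buffer, so the bound and the array can drift apart if only one is edited later. Since `ciphertext` is a local array here, `sizeof` keeps the two tied: `tc_ccm_generation_encryption(ciphertext, sizeof(ciphertext), hdr, hlen, data, dlen, &c);`. The same applies to the `tc_ccm_decryption_verification` call with `decrypted` in the next hunk and to the corresponding calls in `test_vector_7` and `test_vector_8`. `do_test` continues outside this hunk.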
@@ -110,8 +111,8 @@ int do_test(const uint8_t *key, goto exitTest1; } - result = tc_ccm_decryption_verification(decrypted, hdr, hlen, - ciphertext, dlen + mlen, &c); + result = tc_ccm_decryption_verification(decrypted, TC_CCM_MAX_PT_SIZE, hdr, + hlen, ciphertext, dlen+mlen, &c); if (result == 0) { TC_ERROR("ccm_decrypt failed in %s.\n", __func__); show_str("\t\tExpected", data, dlen); @@ -378,8 +379,8 @@ int test_vector_7(void) }; struct tc_ccm_mode_struct c; struct tc_aes_key_sched_struct sched; - uint8_t decrypted[DECRYPTED_LEN]; - uint8_t ciphertext[CIPHERTEXT_LEN]; + uint8_t decrypted[TC_CCM_MAX_PT_SIZE]; + uint8_t ciphertext[TC_CCM_MAX_CT_SIZE]; uint16_t mlen = M_LEN10; TC_PRINT("%s: Performing CCM test #7 (no associated data):\n", @@ -393,8 +394,8 @@ int test_vector_7(void) goto exitTest1; } - result = tc_ccm_generation_encryption(ciphertext, hdr, 0, - data, sizeof(data), &c); + result = tc_ccm_generation_encryption(ciphertext, TC_CCM_MAX_CT_SIZE, hdr, + 0, data, sizeof(data), &c); if (result == 0) { TC_ERROR("ccm_encryption failed in %s.\n", __func__); @@ -402,8 +403,8 @@ int test_vector_7(void) goto exitTest1; } - result = tc_ccm_decryption_verification(decrypted, hdr, 0, ciphertext, - sizeof(data) + mlen, &c); + result = tc_ccm_decryption_verification (decrypted, TC_CCM_MAX_PT_SIZE, hdr, + 0, ciphertext, sizeof(data)+mlen, &c); if (result == 0) { TC_ERROR("ccm_decrypt failed in %s.\n", __func__); show_str("\t\tExpected", data, sizeof(data)); @@ -436,11 +437,15 @@ int test_vector_8(void) const uint8_t hdr[8] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; - uint8_t data[] = {}; + + uint8_t *data = NULL; + struct tc_ccm_mode_struct c; struct tc_aes_key_sched_struct sched; - uint8_t decrypted[DECRYPTED_LEN]; - uint8_t ciphertext[CIPHERTEXT_LEN]; + + uint8_t decrypted[TC_CCM_MAX_PT_SIZE]; + uint8_t ciphertext[TC_CCM_MAX_CT_SIZE]; + uint16_t mlen = M_LEN10; TC_PRINT("%s: Performing CCM test #8 (no payload data):\n", __func__); 
@@ -453,8 +458,8 @@ int test_vector_8(void) goto exitTest1; } - result = tc_ccm_generation_encryption(ciphertext, hdr, sizeof(hdr), - data, sizeof(data), &c); + result = tc_ccm_generation_encryption(ciphertext, TC_CCM_MAX_CT_SIZE, hdr, + sizeof(hdr), data, 0, &c); if (result == 0) { TC_ERROR("ccm_encrypt failed in %s.\n", __func__); @@ -462,8 +467,8 @@ int test_vector_8(void) goto exitTest1; } - result = tc_ccm_decryption_verification(decrypted, hdr, sizeof(hdr), - ciphertext, mlen, &c); + result = tc_ccm_decryption_verification(decrypted, TC_CCM_MAX_PT_SIZE, hdr, + sizeof(hdr), ciphertext, mlen, &c); if (result == 0) { TC_ERROR("ccm_decrypt failed in %s.\n", __func__); show_str("\t\tExpected", data, sizeof(data)); diff --git a/tests/test_cmac_mode.c b/tests/test_cmac_mode.c index 759c330..dc757fe 100644 --- a/tests/test_cmac_mode.c +++ b/tests/test_cmac_mode.c @@ -1,7 +1,7 @@ /* test_cmac_mode.c - TinyCrypt AES-CMAC tests (including SP 800-38B tests) */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -38,7 +38,7 @@ * - CMAC test #2 null msg (SP 800-38B test vector #1) * - CMAC test #3 1 block msg (SP 800-38B test vector #2) * - CMAC test #4 320 bit msg (SP 800-38B test vector #3) - * - CMAC test #5 512 bit msg(SP 800-38B test vector #4) + * - CMAC test #5 512 bit msg (SP 800-38B test vector #4) */ #include @@ -53,7 +53,7 @@ static void show(const char *label, const uint8_t *s, size_t slen) { - uint32_t i; + unsigned int i; TC_PRINT("%s\t", label); for (i = 0; i < slen; ++i) { 
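Review bot: `test_vector_8` now declares `uint8_t *data = NULL;` (in the preceding hunk), but the decrypt-failure path in the `@@ -462,8 +467,8 @@` hunk still calls `show_str("\t\tExpected", data, sizeof(data));`. With `data` a pointer, `sizeof(data)` is the pointer size rather than 0, so `show_str` would read that many bytes through a null pointer if decryption ever fails. The encryption call was already changed to pass `0` as the payload length; the diagnostic should match: `show_str("\t\tExpected", data, 0);`. The function continues outside this hunk.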
@@ -65,7 +65,7 @@ static void show(const char *label, const uint8_t *s, size_t slen) extern void gf_double(uint8_t *out, uint8_t *in); static int verify_gf_2_128_double(uint8_t *K1, uint8_t *K2, - struct tc_cmac_struct s) + struct tc_cmac_struct s) { int result = TC_PASS; @@ -249,6 +249,8 @@ static int verify_cmac_512_bit_msg(TCCmacState_t s) /* * Main task to test CMAC + * effects: returns 1 if all tests pass + * exceptions: returns a negative value if some test fails */ int main(void) { @@ -268,31 +270,36 @@ int main(void) (void) tc_cmac_setup(&state, key, &sched); result = verify_gf_2_128_double(K1, K2, state); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("CMAC test #1 (128 double) failed.\n"); goto exitTest; } (void) tc_cmac_setup(&state, key, &sched); result = verify_cmac_null_msg(&state); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("CMAC test #2 (null msg) failed.\n"); goto exitTest; } (void) tc_cmac_setup(&state, key, &sched); result = verify_cmac_1_block_msg(&state); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("CMAC test #3 (1 block msg)failed.\n"); goto exitTest; } (void) tc_cmac_setup(&state, key, &sched); result = verify_cmac_320_bit_msg(&state); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("CMAC test #4 (320 bit msg) failed.\n"); goto exitTest; } (void) tc_cmac_setup(&state, key, &sched); result = verify_cmac_512_bit_msg(&state); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("CMAC test #5 (512 bit msg)failed.\n"); goto exitTest; } diff --git a/tests/test_ctr_mode.c b/tests/test_ctr_mode.c index d185aee..daf3787 100644 --- a/tests/test_ctr_mode.c +++ b/tests/test_ctr_mode.c 
@@ -1,7 +1,7 @@ /* test_ctr_mode.c - TinyCrypt implementation of some AES-CTR tests */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
@@ -50,37 +50,37 @@ /* * NIST SP 800-38a CTR Test for encryption and decryption. */ -uint32_t test_1_and_2(void) +unsigned int test_1_and_2(void) { const uint8_t key[16] = { - 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, - 0x09, 0xcf, 0x4f, 0x3c + 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, + 0x09, 0xcf, 0x4f, 0x3c }; uint8_t ctr[16] = { - 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, - 0xfc, 0xfd, 0xfe, 0xff + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, + 0xfc, 0xfd, 0xfe, 0xff }; const uint8_t plaintext[64] = { - 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, - 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, - 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 0x30, 0xc8, 0x1c, 0x46, - 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, - 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, - 0xe6, 0x6c, 0x37, 0x10 + 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, + 0x73, 0x93, 0x17, 0x2a, 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, + 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, 0x30, 0xc8, 0x1c, 0x46, + 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, + 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, + 0xe6, 0x6c, 0x37, 0x10 }; const uint8_t ciphertext[80] = { - 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, - 0xfc, 0xfd, 0xfe, 0xff, 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, - 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce, 0x98, 0x06, 0xf6, 0x6b, - 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff, - 0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e, 0x5b, 0x4f, 0x09, 0x02, - 0x0d, 0xb0, 0x3e, 0xab, 0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1, - 0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 
0xf8, 0xf9, 0xfa, 0xfb, + 0xfc, 0xfd, 0xfe, 0xff, 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, + 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce, 0x98, 0x06, 0xf6, 0x6b, + 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff, + 0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e, 0x5b, 0x4f, 0x09, 0x02, + 0x0d, 0xb0, 0x3e, 0xab, 0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1, + 0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee }; struct tc_aes_key_sched_struct sched; uint8_t out[80]; uint8_t decrypted[64]; - uint32_t result = TC_PASS; + unsigned int result = TC_PASS; TC_PRINT("CTR test #1 (encryption SP 800-38a tests):\n"); (void)tc_aes128_set_encrypt_key(&sched, key); @@ -99,7 +99,7 @@ uint32_t test_1_and_2(void) TC_PRINT("CTR test #2 (decryption SP 800-38a tests):\n"); (void) memcpy(ctr, out, sizeof(ctr)); if (tc_ctr_mode(decrypted, sizeof(decrypted), &out[TC_AES_BLOCK_SIZE], - sizeof(decrypted), ctr, &sched) == 0) { + sizeof(decrypted), ctr, &sched) == 0) { TC_ERROR("CTR test #2 (decryption SP 800-38a tests) failed in %s.\n", __func__); result = TC_FAIL; goto exitTest1; @@ -119,7 +119,7 @@ uint32_t test_1_and_2(void) int main(void) { - uint32_t result = TC_PASS; + unsigned int result = TC_PASS; TC_START("Performing AES128-CTR mode tests:"); diff --git a/tests/test_ctr_prng.c b/tests/test_ctr_prng.c index b429670..e95f7f1 100644 --- a/tests/test_ctr_prng.c +++ b/tests/test_ctr_prng.c 
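Review bot: `test_1_and_2` and `main` now hold the test status in `unsigned int`, while the CMAC test in this same commit documents failure as a negative value and the ECC test functions are declared `int` yet return an `unsigned int result`. If `TC_FAIL` is negative (its definition is not visible here), the `result == TC_FAIL` comparisons rely on implicit conversion, and handing the value back through an `int` return is implementation-defined. One signed status type everywhere avoids that: `int result = TC_PASS;` together with `int test_1_and_2(void)`. The same applies to `cavp_ecdh`, `cavp_keygen`, `pkv_vectors` and the HMAC `test_N` functions later in the diff.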
@@ -60,18 +60,17 @@ uint8_t *hexStringToBytes(char *inhex) uint8_t *p; int len, i; - len = strlen(inhex) / 2; + len = strlen(inhex) / 2; retval = (uint8_t *)malloc(len+1); for(i=0, p = (uint8_t *) inhex; i #include +#include #include #include #include #include +#include #include #include #include -void ecdh_vectors(char **qx_vec, - char **qy_vec, - char **d_vec, - char **z_vec, - int tests, - int verbose) { +int ecdh_vectors(char **qx_vec, char **qy_vec, char **d_vec, char **z_vec, + int tests, int verbose) +{ - EccPoint Q; - uint32_t prv[NUM_ECC_DIGITS]; - uint32_t z[NUM_ECC_DIGITS]; + unsigned int pub[2*NUM_ECC_WORDS]; + unsigned int prv[NUM_ECC_WORDS]; + unsigned int z[NUM_ECC_WORDS]; + unsigned int result = TC_PASS; - int rc; - uint32_t exp_z[NUM_ECC_DIGITS]; + int rc; + unsigned int exp_z[NUM_ECC_WORDS]; - for (int i=0; i 2*NUM_ECC_BYTES || - strlen(qy_vec[i]) > 2*NUM_ECC_BYTES) { - // invalid input to ECC digit conversion (string2native()) - rc = -2; - } else { - string2scalar(pub.x, NUM_ECC_DIGITS, qx_vec[i]); - string2scalar(pub.y, NUM_ECC_DIGITS, qy_vec[i]); - rc = ecc_valid_public_key(&pub); - } - - /* - * map to CAVP error codes - * 0 => 0 - success - * -1 => ? 
- (x,y) = (0,0) (not covered) - * -2 => 1 - out of bounds (pubverify or ecc import) - * -3 => 2 - not on curve - */ - - if (rc == -3) rc = 2; - if (rc == -2) rc = 1; - - check_code(i, res_vec[i], exp_rc, rc, verbose); - } + result = check_ecc_result(i, "Z", exp_z, z, NUM_ECC_WORDS, verbose); + if (result == TC_FAIL) { + return result; + } + } + return result; } -void cavp_pkv(bool verbose) { - - /* - * [P-256] - */ - char *x[] = { - "e0f7449c5588f24492c338f2bc8f7865f755b958d48edb0f2d0056e50c3fd5b7", - "d17c446237d9df87266ba3a91ff27f45abfdcb77bfd83536e92903efb861a9a9", - "17875397ae87369365656d490e8ce956911bd97607f2aff41b56f6f3a61989826", - "f2d1c0dc0852c3d8a2a2500a23a44813ccce1ac4e58444175b440469ffc12273", - "10b0ca230fff7c04768f4b3d5c75fa9f6c539bea644dffbec5dc796a213061b58", - "2c1052f25360a15062d204a056274e93cbe8fc4c4e9b9561134ad5c15ce525da", - "a40d077a87dae157d93dcccf3fe3aca9c6479a75aa2669509d2ef05c7de6782f", - "2633d398a3807b1895548adbb0ea2495ef4b930f91054891030817df87d4ac0a", - "14bf57f76c260b51ec6bbc72dbd49f02a56eaed070b774dc4bad75a54653c3d56", - "2fa74931ae816b426f484180e517f5050c92decfc8daf756cd91f54d51b302f1", - "f8c6dd3181a76aa0e36c2790bba47041acbe7b1e473ff71eee39a824dc595ff0", - "7a81a7e0b015252928d8b36e4ca37e92fdc328eb25c774b4f872693028c4be38", - }; - - char *y[] = { - "86d7e9255d0f4b6f44fa2cd6f8ba3c0aa828321d6d8cc430ca6284ce1d5b43a0", - "1eabb6a349ce2cd447d777b6739c5fc066add2002d2029052c408d0701066231c", - "980a3c4f61b9692633fbba5ef04c9cb546dd05cdec9fa8428b8849670e2fba92", - "32bfe992831b305d8c37b9672df5d29fcb5c29b4a40534683e3ace23d24647dd", - "f5edf37c11052b75f771b7f9fa050e353e464221fec916684ed45b6fead38205", - "ced9783713a8a2a09eff366987639c625753295d9a85d0f5325e32dedbcada0b", - "503d86b87d743ba20804fd7e7884aa017414a7b5b5963e0d46e3a9611419ddf3", - "d6b2f738e3873cc8364a2d364038ce7d0798bb092e3dd77cbdae7c263ba618d2", - "7a231a23bf8b3aa31d9600d888a0678677a30e573decd3dc56b33f365cc11236", - 
"5b994346137988c58c14ae2152ac2f6ad96d97decb33099bd8a0210114cd1141", - "9c965f227f281b3072b95b8daf29e88b35284f3574462e268e529bbdc50e9e52", - "08862f7335147261e7b1c3d055f9a316e4cab7daf99cc09d1c647f5dd6e7d5bb", - }; - - char *Result[] = { - "P (0 )", "F (1 - Q_x or Q_y out of range)", - "F (1 - Q_x or Q_y out of range)", "F (2 - Point not on curve)", - "F (1 - Q_x or Q_y out of range)", "P (0 )", - "F (2 - Point not on curve)", "P (0 )", - "F (1 - Q_x or Q_y out of range)", "P (0 )", - "F (2 - Point not on curve)", "F (2 - Point not on curve)", - }; - - printf("Test #3: PubKeyVerify "); - printf("NIST-p256-SHA2-256\n"); - - pkv_vectors(x, y, Result, 12, verbose); +int cavp_ecdh(bool verbose) +{ + unsigned int result = TC_PASS; + /* + * P-256 + */ + char *d[] = { + "7d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534", + "38f65d6dce47676044d58ce5139582d568f64bb16098d179dbab07741dd5caf5", + "1accfaf1b97712b85a6f54b148985a1bdc4c9bec0bd258cad4b3d603f49f32c8", + "207c43a79bfee03db6f4b944f53d2fb76cc49ef1c9c4d34d51b6c65c4db6932d", + "59137e38152350b195c9718d39673d519838055ad908dd4757152fd8255c09bf", + "f5f8e0174610a661277979b58ce5c90fee6c9b3bb346a90a7196255e40b132ef", + "3b589af7db03459c23068b64f63f28d3c3c6bc25b5bf76ac05f35482888b5190", + "d8bf929a20ea7436b2461b541a11c80e61d826c0a4c9d322b31dd54e7f58b9c8", + "0f9883ba0ef32ee75ded0d8bda39a5146a29f1f2507b3bd458dbea0b2bb05b4d", + "2beedb04b05c6988f6a67500bb813faf2cae0d580c9253b6339e4a3337bb6c08", + "77c15dcf44610e41696bab758943eff1409333e4d5a11bbe72c8f6c395e9f848", + "42a83b985011d12303db1a800f2610f74aa71cdf19c67d54ce6c9ed951e9093e", + "ceed35507b5c93ead5989119b9ba342cfe38e6e638ba6eea343a55475de2800b", + "43e0e9d95af4dc36483cdd1968d2b7eeb8611fcce77f3a4e7d059ae43e509604", + "b2f3600df3368ef8a0bb85ab22f41fc0e5f4fdd54be8167a5c3cd4b08db04903", + "4002534307f8b62a9bf67ff641ddc60fef593b17c3341239e95bdb3e579bfdc8", + "4dfa12defc60319021b681b3ff84a10a511958c850939ed45635934ba4979147", + 
"1331f6d874a4ed3bc4a2c6e9c74331d3039796314beee3b7152fcdba5556304e", + "dd5e9f70ae740073ca0204df60763fb6036c45709bf4a7bb4e671412fad65da3", + "5ae026cfc060d55600717e55b8a12e116d1d0df34af831979057607c2d9c2f76", + "b601ac425d5dbf9e1735c5e2d5bdb79ca98b3d5be4a2cfd6f2273f150e064d9d", + "fefb1dda1845312b5fce6b81b2be205af2f3a274f5a212f66c0d9fc33d7ae535", + "334ae0c4693d23935a7e8e043ebbde21e168a7cba3fa507c9be41d7681e049ce", + "2c4bde40214fcc3bfc47d4cf434b629acbe9157f8fd0282540331de7942cf09d", + "85a268f9d7772f990c36b42b0a331adc92b5941de0b862d5d89a347cbf8faab0", + }; + + char *x[] = { + "700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287", + "809f04289c64348c01515eb03d5ce7ac1a8cb9498f5caa50197e58d43a86a7ae", + "a2339c12d4a03c33546de533268b4ad667debf458b464d77443636440ee7fec3", + "df3989b9fa55495719b3cf46dccd28b5153f7808191dd518eff0c3cff2b705ed", + "41192d2813e79561e6a1d6f53c8bc1a433a199c835e141b05a74a97b0faeb922", + "33e82092a0f1fb38f5649d5867fba28b503172b7035574bf8e5b7100a3052792", + "6a9e0c3f916e4e315c91147be571686d90464e8bf981d34a90b6353bca6eeba7", + "a9c0acade55c2a73ead1a86fb0a9713223c82475791cd0e210b046412ce224bb", + "94e94f16a98255fff2b9ac0c9598aac35487b3232d3231bd93b7db7df36f9eb9", + "e099bf2a4d557460b5544430bbf6da11004d127cb5d67f64ab07c94fcdf5274f", + "f75a5fe56bda34f3c1396296626ef012dc07e4825838778a645c8248cff01658", + "2db4540d50230756158abf61d9835712b6486c74312183ccefcaef2797b7674d", + "cd94fc9497e8990750309e9a8534fd114b0a6e54da89c4796101897041d14ecb", + "15b9e467af4d290c417402e040426fe4cf236bae72baa392ed89780dfccdb471", + "49c503ba6c4fa605182e186b5e81113f075bc11dcfd51c932fb21e951eee2fa1", + "19b38de39fdd2f70f7091631a4f75d1993740ba9429162c2a45312401636b29c", + "2c91c61f33adfe9311c942fdbff6ba47020feff416b7bb63cec13faf9b099954", + "a28a2edf58025668f724aaf83a50956b7ac1cfbbff79b08c3bf87dfd2828d767", + "a2ef857a081f9d6eb206a81c4cf78a802bdf598ae380c8886ecd85fdc1ed7644", + "ccd8a2d86bc92f2e01bce4d6922cf7fe1626aed044685e95e2eebd464505f01f", + 
"c188ffc8947f7301fb7b53e36746097c2134bf9cc981ba74b4e9c4361f595e4e", + "317e1020ff53fccef18bf47bb7f2dd7707fb7b7a7578e04f35b3beed222a0eb6", + "45fb02b2ceb9d7c79d9c2fa93e9c7967c2fa4df5789f9640b24264b1e524fcb1", + "a19ef7bff98ada781842fbfc51a47aff39b5935a1c7d9625c8d323d511c92de6", + "356c5a444c049a52fee0adeb7e5d82ae5aa83030bfff31bbf8ce2096cf161c4b", + }; + + char *y[] = { + "db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac", + "b29d84e811197f25eba8f5194092cb6ff440e26d4421011372461f579271cda3", + "ef48a3ab26e20220bcda2c1851076839dae88eae962869a497bf73cb66faf536", + "422294ff46003429d739a33206c8752552c8ba54a270defc06e221e0feaf6ac4", + "1af98cc45e98a7e041b01cf35f462b7562281351c8ebf3ffa02e33a0722a1328", + "f2cf6b601e0a05945e335550bf648d782f46186c772c0f20d3cd0d6b8ca14b2f", + "40f9bead39c2f2bcc2602f75b8a73ec7bdffcbcead159d0174c6c4d3c5357f05", + "f6de0afa20e93e078467c053d241903edad734c6b403ba758c2b5ff04c9d4229", + "d8049a43579cfa90b8093a94416cbefbf93386f15b3f6e190b6e3455fedfe69a", + "d9c50dbe70d714edb5e221f4e020610eeb6270517e688ca64fb0e98c7ef8c1c5", + "33bbdf1b1772d8059df568b061f3f1122f28a8d819167c97be448e3dc3fb0c3c", + "62f57f314e3f3495dc4e099012f5e0ba71770f9660a1eada54104cdfde77243e", + "c3def4b5fe04faee0a11932229fff563637bfdee0e79c6deeaf449f85401c5c4", + "cdf4e9170fb904302b8fd93a820ba8cc7ed4efd3a6f2d6b05b80b2ff2aee4e77", + "8af706ff0922d87b3f0c5e4e31d8b259aeb260a9269643ed520a13bb25da5924", + "09aed7232b28e060941741b6828bcdfa2bc49cc844f3773611504f82a390a5ae", + "6cab31b06419e5221fca014fb84ec870622a1b12bab5ae43682aa7ea73ea08d0", + "dfa7bfffd4c766b86abeaf5c99b6e50cb9ccc9d9d00b7ffc7804b0491b67bc03", + "563c4c20419f07bc17d0539fade1855e34839515b892c0f5d26561f97fa04d1a", + "e9ddd583a9635a667777d5b8a8f31b0f79eba12c75023410b54b8567dddc0f38", + "bf7d2f2056e72421ef393f0c0f2b0e00130e3cac4abbcc00286168e85ec55051", + "09420ce5a19d77c6fe1ee587e6a49fbaf8f280e8df033d75403302e5a27db2ae", + "5c6e8ecf1f7d3023893b7b1ca1e4d178972ee2a230757ddc564ffe37f5c5a321", + 
"e9c184df75c955e02e02e400ffe45f78f339e1afe6d056fb3245f4700ce606ef", + "57d128de8b2a57a094d1a001e572173f96e8866ae352bf29cddaf92fc85b2f92", + }; + + char *Z[] = { + "46fc62106420ff012e54a434fbdd2d25ccc5852060561e68040dd7778997bd7b", + "057d636096cb80b67a8c038c890e887d1adfa4195e9b3ce241c8a778c59cda67", + "2d457b78b4614132477618a5b077965ec90730a8c81a1c75d6d4ec68005d67ec", + "96441259534b80f6aee3d287a6bb17b5094dd4277d9e294f8fe73e48bf2a0024", + "19d44c8d63e8e8dd12c22a87b8cd4ece27acdde04dbf47f7f27537a6999a8e62", + "664e45d5bba4ac931cd65d52017e4be9b19a515f669bea4703542a2c525cd3d3", + "ca342daa50dc09d61be7c196c85e60a80c5cb04931746820be548cdde055679d", + "35aa9b52536a461bfde4e85fc756be928c7de97923f0416c7a3ac8f88b3d4489", + "605c16178a9bc875dcbff54d63fe00df699c03e8a888e9e94dfbab90b25f39b4", + "f96e40a1b72840854bb62bc13c40cc2795e373d4e715980b261476835a092e0b", + "8388fa79c4babdca02a8e8a34f9e43554976e420a4ad273c81b26e4228e9d3a3", + "72877cea33ccc4715038d4bcbdfe0e43f42a9e2c0c3b017fc2370f4b9acbda4a", + "e4e7408d85ff0e0e9c838003f28cdbd5247cdce31f32f62494b70e5f1bc36307", + "ed56bcf695b734142c24ecb1fc1bb64d08f175eb243a31f37b3d9bb4407f3b96", + "bc5c7055089fc9d6c89f83c1ea1ada879d9934b2ea28fcf4e4a7e984b28ad2cf", + "9a4e8e657f6b0e097f47954a63c75d74fcba71a30d83651e3e5a91aa7ccd8343", + "3ca1fc7ad858fb1a6aba232542f3e2a749ffc7203a2374a3f3d3267f1fc97b78", + "1aaabe7ee6e4a6fa732291202433a237df1b49bc53866bfbe00db96a0f58224f", + "430e6a4fba4449d700d2733e557f66a3bf3d50517c1271b1ddae1161b7ac798c", + "1ce9e6740529499f98d1f1d71329147a33df1d05e4765b539b11cf615d6974d3", + "4690e3743c07d643f1bc183636ab2a9cb936a60a802113c49bb1b3f2d0661660", + "30c2261bd0004e61feda2c16aa5e21ffa8d7e7f7dbf6ec379a43b48e4b36aeb0", + "2adae4a138a239dcd93c243a3803c3e4cf96e37fe14e6a9b717be9599959b11c", + "2e277ec30f5ea07d6ce513149b9479b96e07f4b6913b1b5c11305c1444a1bc0b", + "1e51373bd2c6044c129c436e742a55be2a668a85ae08441b6756445df5493857", + }; + + TC_PRINT("Test #1: ECDH"); + TC_PRINT("NIST-p256\n"); + + result = 
ecdh_vectors(x, y, d, Z, 25, verbose); + if(result == TC_FAIL) { + goto exitTest1; + } + + exitTest1: + TC_END_RESULT(result); + return result; } -int randfd; - -void montecarlo_ecdh(uint32_t num, bool verbose) { - - EccPoint l_Q1, l_Q2; /* public keys */ - uint32_t l_random1[2 * NUM_ECC_DIGITS]; - uint32_t l_random2[2 * NUM_ECC_DIGITS]; - uint32_t l_secret1[NUM_ECC_DIGITS]; - uint32_t l_secret2[NUM_ECC_DIGITS]; - - uint32_t l_shared1[NUM_ECC_DIGITS]; - uint32_t l_shared2[NUM_ECC_DIGITS]; +int cavp_keygen(bool verbose) +{ + unsigned int result = TC_PASS; + /* + * [P-256, B.4.2 Key Pair Generation by Testing Candidates] + */ + char *d[] = { + "c9806898a0334916c860748880a541f093b579a9b1f32934d86c363c39800357", + "710735c8388f48c684a97bd66751cc5f5a122d6b9a96a2dbe73662f78217446d", + "78d5d8b7b3e2c16b3e37e7e63becd8ceff61e2ce618757f514620ada8a11f6e4", + "2a61a0703860585fe17420c244e1de5a6ac8c25146b208ef88ad51ae34c8cb8c", + "01b965b45ff386f28c121c077f1d7b2710acc6b0cb58d8662d549391dcf5a883", + "fac92c13d374c53a085376fe4101618e1e181b5a63816a84a0648f3bdc24e519", + "f257a192dde44227b3568008ff73bcf599a5c45b32ab523b5b21ca582fef5a0a", + "add67e57c42a3d28708f0235eb86885a4ea68e0d8cfd76eb46134c596522abfd", + "4494860fd2c805c5c0d277e58f802cff6d731f76314eb1554142a637a9bc5538", + "d40b07b1ea7b86d4709ef9dc634c61229feb71abd63dc7fc85ef46711a87b210", + }; + + char *x[] = { + "d0720dc691aa80096ba32fed1cb97c2b620690d06de0317b8618d5ce65eb728f", + "f6836a8add91cb182d8d258dda6680690eb724a66dc3bb60d2322565c39e4ab9", + "76711126cbb2af4f6a5fe5665dad4c88d27b6cb018879e03e54f779f203a854e", + "e1aa7196ceeac088aaddeeba037abb18f67e1b55c0a5c4e71ec70ad666fcddc8", + "1f038c5422e88eec9e88b815e8f6b3e50852333fc423134348fc7d79ef8e8a10", + "7258f2ab96fc84ef6ccb33e308cd392d8b568ea635730ceb4ebd72fa870583b9", + "d2e01411817b5512b79bbbe14d606040a4c90deb09e827d25b9f2fc068997872", + "55bed2d9c029b7f230bde934c7124ed52b1330856f13cbac65a746f9175f85d7", + 
"5190277a0c14d8a3d289292f8a544ce6ea9183200e51aec08440e0c1a463a4e4", + "fbcea7c2827e0e8085d7707b23a3728823ea6f4878b24747fb4fd2842d406c73", + }; + + char *y[] = { + "9681b517b1cda17d0d83d335d9c4a8a9a9b0b1b3c7106d8f3c72bc5093dc275f", + "1f837aa32864870cb8e8d0ac2ff31f824e7beddc4bb7ad72c173ad974b289dc2", + "a26df39960ab5248fd3620fd018398e788bd89a3cea509b352452b69811e6856", + "d7d35bdce6dedc5de98a7ecb27a9cd066a08f586a733b59f5a2cdb54f971d5c8", + "43a047cb20e94b4ffb361ef68952b004c0700b2962e0c0635a70269bc789b849", + "489807ca55bdc29ca5c8fe69b94f227b0345cccdbe89975e75d385cc2f6bb1e2", + "503f138f8bab1df2c4507ff663a1fdf7f710e7adb8e7841eaa902703e314e793", + "32805e311d583b4e007c40668185e85323948e21912b6b0d2cda8557389ae7b0", + "ecd98514821bd5aaf3419ab79b71780569470e4fed3da3c1353b28fe137f36eb", + "2393c85f1f710c5afc115a39ba7e18abe03f19c9d4bb3d47d19468b818efa535", + }; + + TC_PRINT("Test #2: ECC KeyGen "); + TC_PRINT("NIST-p256\n"); + + result = keygen_vectors(d, x, y, 10, verbose); + if(result == TC_FAIL) { + goto exitTest1; + } + + exitTest1: + TC_END_RESULT(result); + return result; +} - randfd = open("/dev/urandom", O_RDONLY); - if(randfd == -1) { - printf("No access to urandom\n"); - exit(-1); +/* Test ecc_make_keys, and also as keygen part of other tests */ +int pkv_vectors(char **qx_vec, char **qy_vec, char **res_vec, int tests, + bool verbose) +{ + + unsigned int pub[2 * NUM_ECC_WORDS]; + uint8_t _public[2 * NUM_ECC_BYTES]; + int rc; + int exp_rc; + char tmp; + unsigned int result = TC_PASS; + const struct uECC_Curve_t * curve = uECC_secp256r1(); + + for (int i = 0; i < tests; i++) { + + if (2 != sscanf(res_vec[i], "%c (%d ", &tmp, &exp_rc)) { + TC_ERROR("Error: failed to parse CAVP response.\n"); + result = TC_FAIL; + goto exitTest1; + } + + if (strlen(qx_vec[i]) > 2 * NUM_ECC_BYTES || + strlen(qy_vec[i]) > 2 * NUM_ECC_BYTES) { + /* invalid input to ECC digit conversion (string2native()) */ + rc = -2; + } else { + string2scalar(pub, NUM_ECC_WORDS, qx_vec[i]); + 
string2scalar(pub + NUM_ECC_WORDS, NUM_ECC_WORDS, qy_vec[i]); + + uECC_vli_nativeToBytes(_public, NUM_ECC_BYTES, pub); + uECC_vli_nativeToBytes(_public + NUM_ECC_BYTES, NUM_ECC_BYTES, pub+NUM_ECC_WORDS); + + rc = uECC_valid_public_key(_public, curve); + } + + /* + * map to CAVP error codes + * 0 => 0 - success + * -1 => ? - (x,y) = (0,0) (not covered) + * -2 => 1 - out of bounds (pubverify or ecc import) + * -3 => 2 - not on curve + * -4 => ? - public key is the group generator + */ + + if (rc == -3) rc = 2; + if (rc == -2) rc = 1; + + result = check_code(i, res_vec[i], exp_rc, rc, verbose); + if(result == TC_FAIL) { + goto exitTest1; + } } - printf("Test #4: Monte Carlo (Randomized EC-DH key-exchange) "); - printf("NIST-p256\n"); - - for(uint32_t i=0; i #include +#include +#include #include +#include +#include #include #include -#include -#include #include +#include #include + #include +/* Maximum size of message to be signed. */ #define BUF_SIZE 256 -int sign_vectors(TCSha256State_t hash, - char **d_vec, - char **k_vec, - char **msg_vec, - char **qx_vec, - char **qy_vec, - char **r_vec, - char **s_vec, - int tests, - bool verbose) { - - uint32_t seed[2*NUM_ECC_DIGITS]; - uint32_t prv[NUM_ECC_DIGITS]; - uint32_t r[NUM_ECC_DIGITS]; - uint32_t s[NUM_ECC_DIGITS]; - uint8_t digest[TC_SHA256_DIGEST_SIZE]; - uint32_t dig32[NUM_ECC_DIGITS]; - - /* expected outputs (converted input vectors) */ - uint32_t exp_r[NUM_ECC_DIGITS]; - uint32_t exp_s[NUM_ECC_DIGITS]; - - uint8_t msg[BUF_SIZE]; - size_t msglen; - - for (int i=0; in, BITS_TO_WORDS(curve->num_n_bits)); + uECC_vli_nativeToBytes(hash, NUM_ECC_BYTES, hash_words); + + if (!uECC_make_key(public, private, curve)) { + TC_ERROR("uECC_make_key() failed\n"); + return TC_FAIL; + } + + if (!uECC_sign(private, hash, sizeof(hash), sig, curve)) { + TC_ERROR("uECC_sign() failed\n"); + return TC_FAIL; + } + + if (!uECC_verify(public, hash, sizeof(hash), sig, curve)) { + TC_ERROR("uECC_verify() failed\n"); + return TC_FAIL; + } + if 
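Review bot: In `pkv_vectors` the status from `uECC_valid_public_key()` is remapped only for -3 and -2, while the comment above it lists -1 and the newly added -4 with a `?`, so those codes reach `check_code()` unmapped. A key rejected for one of those reasons would then show up as a generic mismatch against the CAVP code rather than a clear diagnosis. Since this test guards public-key validation, handle the remaining codes explicitly after the two mappings, e.g. `if (rc < 0) { TC_ERROR("unexpected uECC_valid_public_key() code %d\n", rc); result = TC_FAIL; goto exitTest1; }`. Parts of this file's diff are lost on the page, so whether later code covers this is not visible.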
(verbose) { + fflush(stdout); + printf("."); + } + } + TC_PRINT("\n"); + return TC_PASS; } -int main() { - - bool verbose = true; - - cavp_sign(verbose); - cavp_verify(verbose); - montecarlo_signverify(10, verbose); - - printf("\nAll ECC-DSA tests succeeded.\n"); - - return 0; +int main() +{ + unsigned int result = TC_PASS; + + TC_START("Performing ECC-DSA tests:"); + /* Setup of the Cryptographically Secure PRNG. */ + uECC_set_rng(&default_CSPRNG); + + bool verbose = true; + + TC_PRINT("Performing cavp_sign test:\n"); + result = cavp_sign(verbose); + if (result == TC_FAIL) { /* terminate test */ + TC_ERROR("cavp_sign test failed.\n"); + goto exitTest; + } + TC_PRINT("Performing cavp_verify test:\n"); + result = cavp_verify(verbose); + if (result == TC_FAIL) { + TC_ERROR("cavp_verify test failed.\n"); + goto exitTest; + } + TC_PRINT("Performing montecarlo_signverify test:\n"); + result = montecarlo_signverify(10, verbose); + if (result == TC_FAIL) { + TC_ERROR("montecarlo_signverify test failed.\n"); + goto exitTest; + } + + TC_PRINT("\nAll ECC-DSA tests succeeded.\n"); + + exitTest: + TC_END_RESULT(result); + TC_END_REPORT(result); } diff --git a/tests/test_ecc_utils.c b/tests/test_ecc_utils.c index a635ebe..5c81eba 100644 --- a/tests/test_ecc_utils.c +++ b/tests/test_ecc_utils.c 
@@ -1,7 +1,30 @@ /* test_ecc_utils.c - TinyCrypt common functions for ECC tests */ +/* Copyright (c) 2014, Kenneth MacKay + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE.*/ + /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -32,8 +55,7 @@ * test_ecc_utils.c -- Implementation of some common functions for ECC tests. * */ -#include -#include + #include #include 
@@ -41,190 +63,209 @@ #include #include #include +#include +#include +#include -extern int randfd; - -void getRandomBytes(void *p_dest, unsigned p_size) { - if(read(randfd, p_dest, p_size) != (int)p_size) { - printf("Failed to get random bytes.\n"); - } -} - -int hex2int (char hex) { - uint8_t dec; +int hex2int (char hex) +{ + uint8_t dec; - if ('0' <= hex && hex <= '9') dec = hex - '0'; - else if ('a' <= hex && hex <= 'f') dec = hex - 'a' + 10; - else if ('A' <= hex && hex <= 'F') dec = hex - 'A' + 10; - else return -1; + if ('0' <= hex && hex <= '9') dec = hex - '0'; + else if ('a' <= hex && hex <= 'f') dec = hex - 'a' + 10; + else if ('A' <= hex && hex <= 'F') dec = hex - 'A' + 10; + else return -1; - return dec; + return dec; } /* * Convert hex string to byte string * Return number of bytes written to buf, or 0 on error */ -int hex2bin( - uint8_t *buf, - const size_t buflen, - const char *hex, - const size_t hexlen) { - - int dec; - - if (buflen < hexlen/2 + hexlen%2) - return false; - - // if hexlen is uneven, insert leading zero nibble - if (hexlen%2) { - dec = hex2int(hex[0]); - if (dec == -1) - return false; - buf[0] = dec; - buf++; - hex++; - } - - // regular hex conversion - for (size_t i = 0; i (padding = 2*num_bytes - strlen(str))) { - printf( - "Error: 2*num_bytes(%u) < strlen(hex) (%zu)\n", - 2*num_bytes, - strlen(str)); - exit(-1); - } + if (0 > (padding = 2 * num_bytes - strlen(str))) + { + printf("Error: 2 * num_bytes(%d) < strlen(hex) (%zu)\n", + 2 * num_bytes, strlen(str)); + exit(-1); + } - memset(tmp, 0, padding/2); + memset(tmp, 0, padding / 2); - if (false == hex2bin(tmp+padding/2, num_bytes, str, hexlen)) - exit(-1); - ecc_bytes2native(scalar, tmp); + if (false == hex2bin(tmp + padding / 2, num_bytes, str, hexlen)) + { + exit(-1); + } + uECC_vli_bytesToNative(scalar, tmp, num_bytes); } -void vli_print(uint32_t *p_vli, unsigned int p_size) { - while(p_size) { - printf("%08X ", (unsigned)p_vli[p_size - 1]); - --p_size; - } +void 
vli_print_bytes(uint8_t *vli, unsigned int size) +{ + for(unsigned i = 0; i < size; ++i) + { + printf("%02X ", (unsigned)vli[i]); + } } -void print_ecc_scalar( - const char *label, - const uint32_t * p_vli, - uint32_t num_word32) { - uint32_t i; +void print_ecc_scalar(const char *label, const unsigned int * p_vli, + unsigned int num_word32) +{ + unsigned int i; - if (label) - printf("%s = { ", label); + if (label) { + printf("%s = { ", label); + } - for(i=0; i #include -uint32_t do_hmac_test(TCHmacState_t h, uint32_t testnum, const uint8_t *data, - size_t datalen, const uint8_t *expected, - size_t expectedlen) +unsigned int do_hmac_test(TCHmacState_t h, unsigned int testnum, const uint8_t *data, + size_t datalen, const uint8_t *expected, + size_t expectedlen) { uint8_t digest[32]; - uint32_t result = TC_PASS; + unsigned int result = TC_PASS; (void)tc_hmac_init(h); (void)tc_hmac_update(h, data, datalen); 
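Review bot: In `string2scalar` the bound check `0 > (padding = 2 * num_bytes - strlen(str))` subtracts a `size_t`, so the arithmetic is unsigned and wraps when the hex string is too long. The guard then works only if `padding` is a signed type (its declaration is not visible in this hunk) and the wrapped value converts back to a negative number. Because `padding / 2` goes on to size the `memset` and offset into `tmp`, compare the lengths directly before computing it: `if (strlen(str) > 2 * (size_t)num_bytes) {`. The error path also uses `printf`/`exit(-1)` where the other tests in this commit report through `TC_ERROR`. Parts of this hunk are lost on the page.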
@@ -66,243 +66,238 @@ uint32_t do_hmac_test(TCHmacState_t h, uint32_t testnum, const uint8_t *data, /* * NIST test vectors for encryption. */ -uint32_t test_1(void) +unsigned int test_1(void) { - uint32_t result = TC_PASS; + unsigned int result = TC_PASS; TC_PRINT("HMAC %s:\n", __func__); const uint8_t key[20] = { - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, + 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b }; const uint8_t data[8] = { - 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65 + 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65 }; const uint8_t expected[32] = { - 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, - 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, - 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7 + 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, + 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, + 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7 }; struct tc_hmac_state_struct h; (void)memset(&h, 0x00, sizeof(h)); (void)tc_hmac_set_key(&h, key, sizeof(key)); - result = do_hmac_test(&h, 1, data, sizeof(data), - expected, sizeof(expected)); + result = do_hmac_test(&h, 1, data, sizeof(data),expected, + sizeof(expected)); TC_END_RESULT(result); return result; } -uint32_t test_2(void) +unsigned int test_2(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("HMAC %s:\n", __func__); const uint8_t key[4] = { 0x4a, 0x65, 0x66, 0x65 }; const uint8_t data[28] = { - 0x77, 0x68, 0x61, 0x74, 0x20, 0x64, 0x6f, 0x20, 0x79, 0x61, 0x20, 0x77, - 0x61, 0x6e, 0x74, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x6e, 0x6f, 0x74, 0x68, - 0x69, 0x6e, 0x67, 0x3f + 0x77, 0x68, 0x61, 0x74, 0x20, 0x64, 0x6f, 0x20, 0x79, 0x61, 0x20, 0x77, + 0x61, 0x6e, 0x74, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x6e, 0x6f, 0x74, 0x68, + 0x69, 0x6e, 
0x67, 0x3f }; const uint8_t expected[32] = { - 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, - 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, - 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43 + 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, + 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, + 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43 }; struct tc_hmac_state_struct h; (void)memset(&h, 0x00, sizeof(h)); (void)tc_hmac_set_key(&h, key, sizeof(key)); - result = do_hmac_test(&h, 2, data, sizeof(data), - expected, sizeof(expected)); + result = do_hmac_test(&h, 2, data, sizeof(data), expected, + sizeof(expected)); TC_END_RESULT(result); return result; } -uint32_t test_3(void) +unsigned int test_3(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("HMAC %s:\n", __func__); const uint8_t key[20] = { - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa }; const uint8_t data[50] = { - 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, - 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, - 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, - 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, - 0xdd, 0xdd + 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, + 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, + 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, + 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, + 0xdd, 0xdd }; const uint8_t expected[32] = { - 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, - 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 
0xc1, 0x22, - 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe + 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, + 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, + 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe }; struct tc_hmac_state_struct h; (void)memset(&h, 0x00, sizeof(h)); (void)tc_hmac_set_key(&h, key, sizeof(key)); - result = do_hmac_test(&h, 3, data, sizeof(data), - expected, sizeof(expected)); + result = do_hmac_test(&h, 3, data, sizeof(data), expected, + sizeof(expected)); TC_END_RESULT(result); return result; } -uint32_t test_4(void) +unsigned int test_4(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("HMAC %s:\n", __func__); + const uint8_t key[25] = { - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, - 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19 + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, + 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, + 0x19 }; const uint8_t data[50] = { - 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, - 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, - 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, - 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, - 0xcd, 0xcd + 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, + 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, + 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, + 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, + 0xcd, 0xcd }; const uint8_t expected[32] = { - 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, - 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, - 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b + 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 
0xcc, 0x81, 0x98, + 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, + 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b }; struct tc_hmac_state_struct h; (void)memset(&h, 0x00, sizeof(h)); (void)tc_hmac_set_key(&h, key, sizeof(key)); - result = do_hmac_test(&h, 4, data, sizeof(data), - expected, sizeof(expected)); + result = do_hmac_test(&h, 4, data, sizeof(data), expected, + sizeof(expected)); TC_END_RESULT(result); return result; } -uint32_t test_5(void) +unsigned int test_5(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("HMAC %s:\n", __func__); const uint8_t key[20] = { - 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, - 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c }; const uint8_t data[20] = { - 0x54, 0x65, 0x73, 0x74, 0x20, 0x57, 0x69, 0x74, 0x68, 0x20, 0x54, 0x72, - 0x75, 0x6e, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e + 0x54, 0x65, 0x73, 0x74, 0x20, 0x57, 0x69, 0x74, 0x68, 0x20, 0x54, 0x72, + 0x75, 0x6e, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e }; const uint8_t expected[32] = { - 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, 0x6e, 0x0c, 0x79, 0x6c, - 0x29, 0x55, 0x55, 0x2b, 0xfa, 0x6f, 0x7c, 0x0a, 0x6a, 0x8a, 0xef, 0x8b, - 0x93, 0xf8, 0x60, 0xaa, 0xb0, 0xcd, 0x20, 0xc5 + 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, 0x6e, 0x0c, 0x79, 0x6c, + 0x29, 0x55, 0x55, 0x2b, 0xfa, 0x6f, 0x7c, 0x0a, 0x6a, 0x8a, 0xef, 0x8b, + 0x93, 0xf8, 0x60, 0xaa, 0xb0, 0xcd, 0x20, 0xc5 }; struct tc_hmac_state_struct h; (void)memset(&h, 0x00, sizeof(h)); (void)tc_hmac_set_key(&h, key, sizeof(key)); - result = do_hmac_test(&h, 5, data, sizeof(data), - expected, sizeof(expected)); + result = do_hmac_test(&h, 5, data, sizeof(data), expected, + sizeof(expected)); TC_END_RESULT(result); return result; } -uint32_t test_6(void) +unsigned int test_6(void) { - uint32_t result = TC_PASS; - + unsigned 
int result = TC_PASS; TC_PRINT("HMAC %s:\n", __func__); const uint8_t key[131] = { - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa }; const uint8_t data[54] = { - 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69, 0x6e, 0x67, 0x20, 0x4c, - 0x61, 0x72, 0x67, 0x65, 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42, - 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a, 0x65, 0x20, 0x4b, 0x65, - 0x79, 0x20, 0x2d, 0x20, 0x48, 0x61, 0x73, 0x68, 
0x20, 0x4b, 0x65, 0x79, - 0x20, 0x46, 0x69, 0x72, 0x73, 0x74 + 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69, 0x6e, 0x67, 0x20, 0x4c, + 0x61, 0x72, 0x67, 0x65, 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42, + 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a, 0x65, 0x20, 0x4b, 0x65, + 0x79, 0x20, 0x2d, 0x20, 0x48, 0x61, 0x73, 0x68, 0x20, 0x4b, 0x65, 0x79, + 0x20, 0x46, 0x69, 0x72, 0x73, 0x74 }; const uint8_t expected[32] = { - 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, - 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, - 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54 + 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, + 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, + 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54 }; struct tc_hmac_state_struct h; (void)memset(&h, 0x00, sizeof(h)); (void)tc_hmac_set_key(&h, key, sizeof(key)); - result = do_hmac_test(&h, 6, data, sizeof(data), - expected, sizeof(expected)); + result = do_hmac_test(&h, 6, data, sizeof(data), expected, + sizeof(expected)); TC_END_RESULT(result); return result; } -uint32_t test_7(void) +unsigned int test_7(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("HMAC %s:\n", __func__); const uint8_t key[131] = { - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 
0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa }; const uint8_t data[152] = { - 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, 0x74, 0x65, - 0x73, 0x74, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x20, 0x6c, - 0x61, 0x72, 0x67, 0x65, 0x72, 0x20, 0x74, 0x68, 0x61, 0x6e, 0x20, 0x62, - 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x6b, 0x65, - 0x79, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x61, 0x20, 0x6c, 0x61, 0x72, 0x67, - 0x65, 0x72, 0x20, 0x74, 0x68, 0x61, 0x6e, 0x20, 0x62, 0x6c, 0x6f, 0x63, - 0x6b, 0x2d, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x64, 0x61, 0x74, 0x61, 0x2e, - 0x20, 0x54, 0x68, 0x65, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x6e, 0x65, 0x65, - 0x64, 0x73, 0x20, 0x74, 0x6f, 0x20, 0x62, 0x65, 0x20, 0x68, 0x61, 0x73, - 0x68, 0x65, 0x64, 0x20, 0x62, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x20, 0x62, - 0x65, 0x69, 0x6e, 0x67, 0x20, 0x75, 0x73, 0x65, 0x64, 0x20, 0x62, 0x79, - 0x20, 0x74, 0x68, 0x65, 0x20, 0x48, 0x4d, 0x41, 0x43, 0x20, 0x61, 0x6c, - 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x2e + 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, 0x74, 0x65, + 0x73, 0x74, 0x20, 
0x75, 0x73, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x20, 0x6c, + 0x61, 0x72, 0x67, 0x65, 0x72, 0x20, 0x74, 0x68, 0x61, 0x6e, 0x20, 0x62, + 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x6b, 0x65, + 0x79, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x61, 0x20, 0x6c, 0x61, 0x72, 0x67, + 0x65, 0x72, 0x20, 0x74, 0x68, 0x61, 0x6e, 0x20, 0x62, 0x6c, 0x6f, 0x63, + 0x6b, 0x2d, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x64, 0x61, 0x74, 0x61, 0x2e, + 0x20, 0x54, 0x68, 0x65, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x6e, 0x65, 0x65, + 0x64, 0x73, 0x20, 0x74, 0x6f, 0x20, 0x62, 0x65, 0x20, 0x68, 0x61, 0x73, + 0x68, 0x65, 0x64, 0x20, 0x62, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x20, 0x62, + 0x65, 0x69, 0x6e, 0x67, 0x20, 0x75, 0x73, 0x65, 0x64, 0x20, 0x62, 0x79, + 0x20, 0x74, 0x68, 0x65, 0x20, 0x48, 0x4d, 0x41, 0x43, 0x20, 0x61, 0x6c, + 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x2e }; const uint8_t expected[32] = { - 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, - 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, - 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2 + 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, + 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, + 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2 }; struct tc_hmac_state_struct h; (void)memset(&h, 0x00, sizeof(h)); (void)tc_hmac_set_key(&h, key, sizeof(key)); - result = do_hmac_test(&h, 7, data, sizeof(data), - expected, sizeof(expected)); + result = do_hmac_test(&h, 7, data, sizeof(data), expected, + sizeof(expected)); TC_END_RESULT(result); return result; } 
@@ -312,42 +307,49 @@ uint32_t test_7(void) */ int main(void) { - uint32_t result = TC_PASS; + unsigned int result = TC_PASS; TC_START("Performing HMAC tests (RFC4231 test vectors):"); result = test_1(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("HMAC test #1 failed.\n"); goto exitTest; } result = test_2(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("HMAC test #2 failed.\n"); goto exitTest; } result = test_3(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("HMAC test #3 failed.\n"); goto exitTest; } result = test_4(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("HMAC test #4 failed.\n"); goto exitTest; } result = test_5(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("HMAC test #5 failed.\n"); goto exitTest; } result = test_6(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("HMAC #6 test failed.\n"); goto exitTest; } result = test_7(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("HMAC test #7 failed.\n"); goto exitTest; } diff --git a/tests/test_hmac_prng.c b/tests/test_hmac_prng.c index 9071305..b45e984 100644 --- a/tests/test_hmac_prng.c +++ b/tests/test_hmac_prng.c @@ -1,7 +1,7 @@ /* test_hmac_prng.c - TinyCrypt implementation of some HMAC-PRNG tests */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
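Review bot: The failure message for test 6 in this hunk reads `HMAC #6 test failed.` while the other six read `HMAC test #N failed.`, so a log search for the common pattern misses it. This hunk already rewrites every one of these blocks, so it is the natural place to align it: `TC_ERROR("HMAC test #6 failed.\n");`. main's body continues past the end of the hunk.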
@@ -48,24 +48,44 @@ #include #include +#define TC_DEBUG_MODE 0 + +#ifdef TC_DEBUG_MODE +void show(const char *label, const uint8_t *s, size_t len) +{ + unsigned int i; + printf ("%s = ", label); + for (i = 0; i < (unsigned int) len; ++i) { + printf ("%02x", s[i]); + } + printf ("\n"); +} + +void printBinaryFile(const uint8_t *s, unsigned int slen) +{ + FILE *write_ptr; + write_ptr = fopen("pseudo-random-data.bin","wb"); + fwrite(s, slen, 1, write_ptr); +} +#endif + /* * Main task to test AES */ - int main(void) { uint8_t seed[128]; struct tc_hmac_prng_struct h; - uint32_t size = (1 << 15); + unsigned int size = (1 << 19); uint8_t random[size]; - uint32_t i; - uint32_t result = TC_PASS; + unsigned int i; + unsigned int result = TC_PASS; TC_START("Performing HMAC-PRNG tests:"); TC_PRINT("HMAC-PRNG test#1 (init, reseed, generate):\n"); /* Fake seed (replace by a a truly random seed): */ - for (i = 0; i < (uint32_t) sizeof(seed); ++i) { + for (i = 0; i < (unsigned int) sizeof(seed); ++i) { seed[i] = i; } @@ -102,6 +122,11 @@ int main(void) } TC_END_RESULT(result); +#ifdef TC_DEBUG_MODE + printBinaryFile(random, size); + show ("Pseudo-random data", random, size); +#endif + TC_PRINT("All HMAC tests succeeded!\n"); exitTest: diff --git a/tests/test_sha256.c b/tests/test_sha256.c index 5da973f..b309ed1 100644 --- a/tests/test_sha256.c +++ b/tests/test_sha256.c @@ -1,7 +1,7 @@ /* test_sha256.c - TinyCrypt implementation of some SHA-256 tests */ /* - * Copyright (C) 2015 by Intel Corporation, All Rights Reserved. + * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: 
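Review bot: `#ifdef TC_DEBUG_MODE` is true even though the macro is defined as 0 on the line above it, so the debug helpers are always built and the guarded calls in the later hunk (`@@ -102,6 +122,11 @@`) run on every test run, writing `pseudo-random-data.bin` into the working directory and printing all 2^19 bytes as hex; both guards should be `#if TC_DEBUG_MODE`. In `printBinaryFile` the result of `fopen` goes to `fwrite` unchecked, so a failed open passes a NULL stream, and the stream is never closed; the fence below shows a checked version. Separately, `uint8_t random[size]` now places a 512 KiB variable-length array on the stack (it was 32 KiB), which may exceed the stack on the constrained targets this library is presumably built for, so a `static` buffer would be safer. main's body continues outside the hunk.

```c
#define TC_DEBUG_MODE 0

#if TC_DEBUG_MODE
/* … unchanged: show() … */

void printBinaryFile(const uint8_t *s, unsigned int slen)
{
	FILE *write_ptr = fopen("pseudo-random-data.bin", "wb");

	if (write_ptr == NULL) {
		printf("could not open pseudo-random-data.bin\n");
		return;
	}
	if (fwrite(s, 1, slen, write_ptr) != slen) {
		printf("short write to pseudo-random-data.bin\n");
	}
	(void)fclose(write_ptr);
}
#endif
```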
@@ -50,15 +50,15 @@ /* * NIST SHA256 test vector 1. */ -uint32_t test_1(void) +unsigned int test_1(void) { - uint32_t result = TC_PASS; + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #1:\n"); const uint8_t expected[32] = { - 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, - 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, - 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad + 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, + 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, + 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad }; const char *m = "abc"; uint8_t digest[32]; @@ -76,15 +76,14 @@ uint32_t test_1(void) /* * NIST SHA256 test vector 2. */ -uint32_t test_2(void) +unsigned int test_2(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #2:\n"); const uint8_t expected[32] = { - 0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, - 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, - 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1 + 0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, + 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, + 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1 }; const char *m = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; uint8_t digest[32]; 
@@ -100,15 +99,14 @@ uint32_t test_2(void) return result; } -uint32_t test_3(void) +unsigned int test_3(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #3:\n"); const uint8_t expected[32] = { - 0x68, 0x32, 0x57, 0x20, 0xaa, 0xbd, 0x7c, 0x82, 0xf3, 0x0f, 0x55, 0x4b, - 0x31, 0x3d, 0x05, 0x70, 0xc9, 0x5a, 0xcc, 0xbb, 0x7d, 0xc4, 0xb5, 0xaa, - 0xe1, 0x12, 0x04, 0xc0, 0x8f, 0xfe, 0x73, 0x2b + 0x68, 0x32, 0x57, 0x20, 0xaa, 0xbd, 0x7c, 0x82, 0xf3, 0x0f, 0x55, 0x4b, + 0x31, 0x3d, 0x05, 0x70, 0xc9, 0x5a, 0xcc, 0xbb, 0x7d, 0xc4, 0xb5, 0xaa, + 0xe1, 0x12, 0x04, 0xc0, 0x8f, 0xfe, 0x73, 0x2b }; const uint8_t m[1] = { 0xbd }; uint8_t digest[32]; @@ -124,15 +122,14 @@ uint32_t test_3(void) return result; } -uint32_t test_4(void) +unsigned int test_4(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #4:\n"); const uint8_t expected[32] = { - 0x7a, 0xbc, 0x22, 0xc0, 0xae, 0x5a, 0xf2, 0x6c, 0xe9, 0x3d, 0xbb, 0x94, - 0x43, 0x3a, 0x0e, 0x0b, 0x2e, 0x11, 0x9d, 0x01, 0x4f, 0x8e, 0x7f, 0x65, - 0xbd, 0x56, 0xc6, 0x1c, 0xcc, 0xcd, 0x95, 0x04 + 0x7a, 0xbc, 0x22, 0xc0, 0xae, 0x5a, 0xf2, 0x6c, 0xe9, 0x3d, 0xbb, 0x94, + 0x43, 0x3a, 0x0e, 0x0b, 0x2e, 0x11, 0x9d, 0x01, 0x4f, 0x8e, 0x7f, 0x65, + 0xbd, 0x56, 0xc6, 0x1c, 0xcc, 0xcd, 0x95, 0x04 }; const uint8_t m[4] = { 0xc9, 0x8c, 0x8e, 0x55 }; uint8_t digest[32]; 
@@ -148,15 +145,15 @@ uint32_t test_4(void) return result; } -uint32_t test_5(void) +unsigned int test_5(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #5:\n"); + const uint8_t expected[32] = { - 0x02, 0x77, 0x94, 0x66, 0xcd, 0xec, 0x16, 0x38, 0x11, 0xd0, 0x78, 0x81, - 0x5c, 0x63, 0x3f, 0x21, 0x90, 0x14, 0x13, 0x08, 0x14, 0x49, 0x00, 0x2f, - 0x24, 0xaa, 0x3e, 0x80, 0xf0, 0xb8, 0x8e, 0xf7 + 0x02, 0x77, 0x94, 0x66, 0xcd, 0xec, 0x16, 0x38, 0x11, 0xd0, 0x78, 0x81, + 0x5c, 0x63, 0x3f, 0x21, 0x90, 0x14, 0x13, 0x08, 0x14, 0x49, 0x00, 0x2f, + 0x24, 0xaa, 0x3e, 0x80, 0xf0, 0xb8, 0x8e, 0xf7 }; uint8_t m[55]; uint8_t digest[32]; @@ -174,15 +171,14 @@ uint32_t test_5(void) return result; } -uint32_t test_6(void) +unsigned int test_6(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #6:\n"); const uint8_t expected[32] = { - 0xd4, 0x81, 0x7a, 0xa5, 0x49, 0x76, 0x28, 0xe7, 0xc7, 0x7e, 0x6b, 0x60, - 0x61, 0x07, 0x04, 0x2b, 0xbb, 0xa3, 0x13, 0x08, 0x88, 0xc5, 0xf4, 0x7a, - 0x37, 0x5e, 0x61, 0x79, 0xbe, 0x78, 0x9f, 0xbb + 0xd4, 0x81, 0x7a, 0xa5, 0x49, 0x76, 0x28, 0xe7, 0xc7, 0x7e, 0x6b, 0x60, + 0x61, 0x07, 0x04, 0x2b, 0xbb, 0xa3, 0x13, 0x08, 0x88, 0xc5, 0xf4, 0x7a, + 0x37, 0x5e, 0x61, 0x79, 0xbe, 0x78, 0x9f, 0xbb }; uint8_t m[56]; uint8_t digest[32]; 
@@ -200,15 +196,14 @@ uint32_t test_6(void) return result; } -uint32_t test_7(void) +unsigned int test_7(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #7:\n"); const uint8_t expected[32] = { - 0x65, 0xa1, 0x6c, 0xb7, 0x86, 0x13, 0x35, 0xd5, 0xac, 0xe3, 0xc6, 0x07, - 0x18, 0xb5, 0x05, 0x2e, 0x44, 0x66, 0x07, 0x26, 0xda, 0x4c, 0xd1, 0x3b, - 0xb7, 0x45, 0x38, 0x1b, 0x23, 0x5a, 0x17, 0x85 + 0x65, 0xa1, 0x6c, 0xb7, 0x86, 0x13, 0x35, 0xd5, 0xac, 0xe3, 0xc6, 0x07, + 0x18, 0xb5, 0x05, 0x2e, 0x44, 0x66, 0x07, 0x26, 0xda, 0x4c, 0xd1, 0x3b, + 0xb7, 0x45, 0x38, 0x1b, 0x23, 0x5a, 0x17, 0x85 }; uint8_t m[57]; uint8_t digest[32]; @@ -226,15 +221,15 @@ uint32_t test_7(void) return result; } -uint32_t test_8(void) +unsigned int test_8(void) { - uint32_t result = TC_PASS; + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #8:\n"); const uint8_t expected[32] = { - 0xf5, 0xa5, 0xfd, 0x42, 0xd1, 0x6a, 0x20, 0x30, 0x27, 0x98, 0xef, 0x6e, - 0xd3, 0x09, 0x97, 0x9b, 0x43, 0x00, 0x3d, 0x23, 0x20, 0xd9, 0xf0, 0xe8, - 0xea, 0x98, 0x31, 0xa9, 0x27, 0x59, 0xfb, 0x4b + 0xf5, 0xa5, 0xfd, 0x42, 0xd1, 0x6a, 0x20, 0x30, 0x27, 0x98, 0xef, 0x6e, + 0xd3, 0x09, 0x97, 0x9b, 0x43, 0x00, 0x3d, 0x23, 0x20, 0xd9, 0xf0, 0xe8, + 0xea, 0x98, 0x31, 0xa9, 0x27, 0x59, 0xfb, 0x4b }; uint8_t m[64]; uint8_t digest[32]; 
@@ -252,15 +247,14 @@ uint32_t test_8(void) return result; } -uint32_t test_9(void) +unsigned int test_9(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #9:\n"); const uint8_t expected[32] = { - 0x54, 0x1b, 0x3e, 0x9d, 0xaa, 0x09, 0xb2, 0x0b, 0xf8, 0x5f, 0xa2, 0x73, - 0xe5, 0xcb, 0xd3, 0xe8, 0x01, 0x85, 0xaa, 0x4e, 0xc2, 0x98, 0xe7, 0x65, - 0xdb, 0x87, 0x74, 0x2b, 0x70, 0x13, 0x8a, 0x53 + 0x54, 0x1b, 0x3e, 0x9d, 0xaa, 0x09, 0xb2, 0x0b, 0xf8, 0x5f, 0xa2, 0x73, + 0xe5, 0xcb, 0xd3, 0xe8, 0x01, 0x85, 0xaa, 0x4e, 0xc2, 0x98, 0xe7, 0x65, + 0xdb, 0x87, 0x74, 0x2b, 0x70, 0x13, 0x8a, 0x53 }; uint8_t m[1000]; uint8_t digest[32]; @@ -278,15 +272,14 @@ uint32_t test_9(void) return result; } -uint32_t test_10(void) +unsigned int test_10(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #10:\n"); const uint8_t expected[32] = { - 0xc2, 0xe6, 0x86, 0x82, 0x34, 0x89, 0xce, 0xd2, 0x01, 0x7f, 0x60, 0x59, - 0xb8, 0xb2, 0x39, 0x31, 0x8b, 0x63, 0x64, 0xf6, 0xdc, 0xd8, 0x35, 0xd0, - 0xa5, 0x19, 0x10, 0x5a, 0x1e, 0xad, 0xd6, 0xe4 + 0xc2, 0xe6, 0x86, 0x82, 0x34, 0x89, 0xce, 0xd2, 0x01, 0x7f, 0x60, 0x59, + 0xb8, 0xb2, 0x39, 0x31, 0x8b, 0x63, 0x64, 0xf6, 0xdc, 0xd8, 0x35, 0xd0, + 0xa5, 0x19, 0x10, 0x5a, 0x1e, 0xad, 0xd6, 0xe4 }; uint8_t m[1000]; uint8_t digest[32]; 
@@ -304,15 +297,14 @@ uint32_t test_10(void) return result; } -uint32_t test_11(void) +unsigned int test_11(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #11:\n"); const uint8_t expected[32] = { - 0xf4, 0xd6, 0x2d, 0xde, 0xc0, 0xf3, 0xdd, 0x90, 0xea, 0x13, 0x80, 0xfa, - 0x16, 0xa5, 0xff, 0x8d, 0xc4, 0xc5, 0x4b, 0x21, 0x74, 0x06, 0x50, 0xf2, - 0x4a, 0xfc, 0x41, 0x20, 0x90, 0x35, 0x52, 0xb0 + 0xf4, 0xd6, 0x2d, 0xde, 0xc0, 0xf3, 0xdd, 0x90, 0xea, 0x13, 0x80, 0xfa, + 0x16, 0xa5, 0xff, 0x8d, 0xc4, 0xc5, 0x4b, 0x21, 0x74, 0x06, 0x50, 0xf2, + 0x4a, 0xfc, 0x41, 0x20, 0x90, 0x35, 0x52, 0xb0 }; uint8_t m[1005]; uint8_t digest[32]; @@ -330,20 +322,20 @@ uint32_t test_11(void) return result; } -uint32_t test_12(void) +unsigned int test_12(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #12:\n"); + const uint8_t expected[32] = { - 0xd2, 0x97, 0x51, 0xf2, 0x64, 0x9b, 0x32, 0xff, 0x57, 0x2b, 0x5e, 0x0a, - 0x9f, 0x54, 0x1e, 0xa6, 0x60, 0xa5, 0x0f, 0x94, 0xff, 0x0b, 0xee, 0xdf, - 0xb0, 0xb6, 0x92, 0xb9, 0x24, 0xcc, 0x80, 0x25 + 0xd2, 0x97, 0x51, 0xf2, 0x64, 0x9b, 0x32, 0xff, 0x57, 0x2b, 0x5e, 0x0a, + 0x9f, 0x54, 0x1e, 0xa6, 0x60, 0xa5, 0x0f, 0x94, 0xff, 0x0b, 0xee, 0xdf, + 0xb0, 0xb6, 0x92, 0xb9, 0x24, 0xcc, 0x80, 0x25 }; uint8_t m[1000]; uint8_t digest[32]; struct tc_sha256_state_struct s; - uint32_t i; + unsigned int i; (void)memset(m, 0x00, sizeof(m)); 
@@ -359,20 +351,19 @@ uint32_t test_12(void) return result; } -uint32_t test_13(void) +unsigned int test_13(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #13:\n"); const uint8_t expected[32] = { - 0x15, 0xa1, 0x86, 0x8c, 0x12, 0xcc, 0x53, 0x95, 0x1e, 0x18, 0x23, 0x44, - 0x27, 0x74, 0x47, 0xcd, 0x09, 0x79, 0x53, 0x6b, 0xad, 0xcc, 0x51, 0x2a, - 0xd2, 0x4c, 0x67, 0xe9, 0xb2, 0xd4, 0xf3, 0xdd + 0x15, 0xa1, 0x86, 0x8c, 0x12, 0xcc, 0x53, 0x95, 0x1e, 0x18, 0x23, 0x44, + 0x27, 0x74, 0x47, 0xcd, 0x09, 0x79, 0x53, 0x6b, 0xad, 0xcc, 0x51, 0x2a, + 0xd2, 0x4c, 0x67, 0xe9, 0xb2, 0xd4, 0xf3, 0xdd }; uint8_t m[32768]; uint8_t digest[32]; struct tc_sha256_state_struct s; - uint32_t i; + unsigned int i; (void)memset(m, 0x5a, sizeof(m)); @@ -388,20 +379,19 @@ uint32_t test_13(void) return result; } -uint32_t test_14(void) +unsigned int test_14(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_PRINT("SHA256 test #14:\n"); const uint8_t expected[32] = { - 0x46, 0x1c, 0x19, 0xa9, 0x3b, 0xd4, 0x34, 0x4f, 0x92, 0x15, 0xf5, 0xec, - 0x64, 0x35, 0x70, 0x90, 0x34, 0x2b, 0xc6, 0x6b, 0x15, 0xa1, 0x48, 0x31, - 0x7d, 0x27, 0x6e, 0x31, 0xcb, 0xc2, 0x0b, 0x53 + 0x46, 0x1c, 0x19, 0xa9, 0x3b, 0xd4, 0x34, 0x4f, 0x92, 0x15, 0xf5, 0xec, + 0x64, 0x35, 0x70, 0x90, 0x34, 0x2b, 0xc6, 0x6b, 0x15, 0xa1, 0x48, 0x31, + 0x7d, 0x27, 0x6e, 0x31, 0xcb, 0xc2, 0x0b, 0x53 }; uint8_t m[32768]; uint8_t digest[32]; struct tc_sha256_state_struct s; - uint32_t i; + unsigned int i; (void)memset(m, 0x00, sizeof(m)); 
@@ -423,77 +413,91 @@ uint32_t test_14(void) int main(void) { - uint32_t result = TC_PASS; - + unsigned int result = TC_PASS; TC_START("Performing SHA256 tests (NIST tests vectors):"); result = test_1(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #1 failed.\n"); goto exitTest; } result = test_2(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #2 failed.\n"); goto exitTest; } result = test_3(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #3 failed.\n"); goto exitTest; } result = test_4(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #4 failed.\n"); goto exitTest; } result = test_5(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #5 failed.\n"); goto exitTest; } result = test_6(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #6 failed.\n"); goto exitTest; } result = test_7(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #7 failed.\n"); goto exitTest; } result = test_8(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #8 failed.\n"); goto exitTest; } result = test_9(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #9 failed.\n"); goto exitTest; } result = test_10(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #10 failed.\n"); goto exitTest; } result = test_11(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) 
{ + /* terminate test */ TC_ERROR("SHA256 test #11 failed.\n"); goto exitTest; } result = test_12(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #12 failed.\n"); goto exitTest; } + /* memory and computation intensive test cases: */ result = test_13(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #13 failed.\n"); goto exitTest; } result = test_14(); - if (result == TC_FAIL) { /* terminate test */ + if (result == TC_FAIL) { + /* terminate test */ TC_ERROR("SHA256 test #14 failed.\n"); goto exitTest; } @@ -504,3 +508,4 @@ int main(void) TC_END_RESULT(result); TC_END_REPORT(result); } +