diff --git a/configure.ac b/configure.ac index d9b17709c..9cc58e412 100644 --- a/configure.ac +++ b/configure.ac @@ -1088,7 +1088,8 @@ fi # for using memory optimization setting on both curve25519 and ed25519 -ENABLED_CURVED25519_SMALL=no +ENABLED_CURVE25519_SMALL=no +ENABLED_ED25519_SMALL=no # CURVE25519 AC_ARG_ENABLE([curve25519], @@ -1105,8 +1106,8 @@ fi if test "$ENABLED_CURVE25519" = "small" then - AM_CFLAGS="$AM_CFLAGS -DCURVED25519_SMALL" - ENABLED_CURVED25519_SMALL=yes + AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL" + ENABLED_CURVE25519_SMALL=yes ENABLED_CURVE25519=yes fi @@ -1118,7 +1119,7 @@ fi AM_CONDITIONAL([BUILD_CURVE25519], [test "x$ENABLED_CURVE25519" = "xyes"]) - +AM_CONDITIONAL([BUILD_CURVE25519_SMALL], [test "x$ENABLED_CURVE25519_SMALL" = "xyes"]) # ED25519 AC_ARG_ENABLE([ed25519], @@ -1135,8 +1136,8 @@ fi if test "$ENABLED_ED25519" = "small" then - AM_CFLAGS="$AM_CFLAGS -DCURVED25519_SMALL" - ENABLED_CURVED25519_SMALL=yes + AM_CFLAGS="$AM_CFLAGS -DED25519_SMALL" + ENABLED_ED25519_SMALL=yes ENABLED_ED25519=yes fi @@ -1152,7 +1153,7 @@ then fi AM_CONDITIONAL([BUILD_ED25519], [test "x$ENABLED_ED25519" = "xyes"]) -AM_CONDITIONAL([BUILD_CURVED25519_SMALL], [test "x$ENABLED_CURVED25519_SMALL" = "xyes"]) +AM_CONDITIONAL([BUILD_ED25519_SMALL], [test "x$ENABLED_ED25519_SMALL" = "xyes"]) AM_CONDITIONAL([BUILD_FEMATH], [test "x$ENABLED_FEMATH" = "xyes"]) AM_CONDITIONAL([BUILD_GEMATH], [test "x$ENABLED_GEMATH" = "xyes"]) diff --git a/src/include.am b/src/include.am index 22bb8edfe..1140dd0e8 100644 --- a/src/include.am +++ b/src/include.am @@ -228,7 +228,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/ed25519.c endif if BUILD_FEMATH -if BUILD_CURVED25519_SMALL +if BUILD_CURVE25519_SMALL src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_low_mem.c else src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_operations.c 
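Review bot: The comment kept above the new initialisers in the first configure.ac hunk, `# for using memory optimization setting on both curve25519 and ed25519`, no longer describes the code. After this change `--enable-curve25519=small` adds only `-DCURVE25519_SMALL` and `--enable-ed25519=small` adds only `-DED25519_SMALL`, so a configuration that relied on one option switching both algorithms to the low-memory math now gets the larger implementation for the other one without any message. I would reword the comment to `# low-memory math is selected separately for curve25519 and ed25519` and state the change in the option help text, which is outside this hunk.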
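Review bot: The `BUILD_FEMATH` branch in src/include.am is keyed only on `BUILD_CURVE25519_SMALL`, so an ed25519-small build with curve25519 disabled takes the `else` arm and adds `fe_operations.c`, while the `BUILD_GEMATH` hunk that follows adds `fe_low_mem.c` as well. The new guard in fe_operations.c, `#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL)`, is true whenever either macro is absent, so the full-size field code is compiled even when the only enabled algorithm is the small one, which works against the footprint goal of the option. Consider testing each algorithm together with its size macro, e.g. `#if (defined(HAVE_CURVE25519) && !defined(CURVE25519_SMALL)) || (defined(HAVE_ED25519) && !defined(ED25519_SMALL))`, with a matching automake conditional. Whether ed25519-only builds set `BUILD_FEMATH` is not visible in this diff, so that part should be confirmed.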
@@ -236,10 +236,16 @@ endif endif if BUILD_GEMATH -if BUILD_CURVED25519_SMALL +if BUILD_ED25519_SMALL src_libwolfssl_la_SOURCES += wolfcrypt/src/ge_low_mem.c +if !BUILD_CURVE25519_SMALL +src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_low_mem.c +endif else src_libwolfssl_la_SOURCES += wolfcrypt/src/ge_operations.c +if BUILD_CURVE25519_SMALL +src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_operations.c +endif endif endif diff --git a/wolfcrypt/src/curve25519.c b/wolfcrypt/src/curve25519.c index 6740cc536..ae6bef770 100644 --- a/wolfcrypt/src/curve25519.c +++ b/wolfcrypt/src/curve25519.c @@ -53,7 +53,7 @@ const curve25519_set_type curve25519_sets[] = { int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key) { -#ifdef FREESCALE_LTC_ECC +#ifdef FREESCALE_LTC_ECC const ECPoint* basepoint = wc_curve25519_GetBasePoint(); #else unsigned char basepoint[CURVE25519_KEYSIZE] = {9}; @@ -117,7 +117,7 @@ int wc_curve25519_shared_secret_ex(curve25519_key* private_key, if (private_key == NULL || public_key == NULL || out == NULL || outlen == NULL || *outlen < CURVE25519_KEYSIZE) return BAD_FUNC_ARG; - + /* avoid implementation fingerprinting */ if (public_key->p.point[CURVE25519_KEYSIZE-1] > 0x7F) return ECC_BAD_ARG_E; @@ -249,8 +249,7 @@ int wc_curve25519_import_public_ex(const byte* in, word32 inLen, XMEMCPY(key->p.point, in, inLen); key->dp = &curve25519_sets[0]; - - + /* LTC needs also Y coordinate - let's compute it */ #ifdef FREESCALE_LTC_ECC ltc_pkha_ecc_point_t ltcPoint; @@ -424,7 +423,7 @@ int wc_curve25519_init(curve25519_key* key) /* currently the format for curve25519 */ key->dp = &curve25519_sets[0]; - XMEMSET(key->k.point, 0, key->dp->size); + XMEMSET(key->k.point, 0, key->dp->size); XMEMSET(key->p.point, 0, key->dp->size); #ifdef FREESCALE_LTC_ECC XMEMSET(key->k.pointY, 0, key->dp->size); diff --git a/wolfcrypt/src/ed25519.c b/wolfcrypt/src/ed25519.c index 22ced3d1b..c0181cad3 100644 --- a/wolfcrypt/src/ed25519.c +++ b/wolfcrypt/src/ed25519.c 
@@ -112,7 +112,7 @@ int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out, #else ge_p3 R; #endif - byte nonce[SHA512_DIGEST_SIZE]; + byte nonce[SHA512_DIGEST_SIZE]; byte hram[SHA512_DIGEST_SIZE]; byte az[ED25519_PRV_KEY_SIZE]; Sha512 sha; @@ -193,7 +193,7 @@ int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out, #else sc_reduce(hram); sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce); -#endif +#endif return ret; } @@ -234,7 +234,7 @@ int wc_ed25519_verify_msg(const byte* sig, word32 siglen, const byte* msg, return BAD_FUNC_ARG; /* uncompress A (public key), test if valid, and negate it */ -#ifndef FREESCALE_LTC_ECC +#ifndef FREESCALE_LTC_ECC if (ge_frombytes_negate_vartime(&A, key->p) != 0) return BAD_FUNC_ARG; #endif diff --git a/wolfcrypt/src/fe_low_mem.c b/wolfcrypt/src/fe_low_mem.c index 0f0f1be44..ba45282af 100644 --- a/wolfcrypt/src/fe_low_mem.c +++ b/wolfcrypt/src/fe_low_mem.c @@ -28,8 +28,8 @@ #include -#if defined(CURVED25519_SMALL) /* use slower code that takes less memory */ -#if defined(HAVE_ED25519) || defined(HAVE_CURVE25519) +#if defined(HAVE_CURVE25519) || defined(HAVE_ED25519) +#if defined(CURVE25519_SMALL) || defined(ED25519_SMALL) /* use slower code that takes less memory */ #include @@ -49,7 +49,7 @@ void fprime_copy(byte *x, const byte *a) } -void fe_copy(fe x, const fe a) +void lm_copy(byte* x, const byte* a) { int i; for (i = 0; i < F25519_SIZE; i++) @@ -57,6 +57,7 @@ void fe_copy(fe x, const fe a) } +#ifdef CURVE25519_SMALL /* Double an X-coordinate */ static void xc_double(byte *x3, byte *z3, const byte *x1, const byte *z1) @@ -77,12 +78,12 @@ static void xc_double(byte *x3, byte *z3, fe_mul__distinct(z1sq, z1, z1); fe_mul__distinct(x1z1, x1, z1); - fe_sub(a, x1sq, z1sq); + lm_sub(a, x1sq, z1sq); fe_mul__distinct(x3, a, a); fe_mul_c(a, x1z1, 486662); - fe_add(a, x1sq, a); - fe_add(a, z1sq, a); + lm_add(a, x1sq, a); + lm_add(a, z1sq, a); fe_mul__distinct(x1sq, x1z1, a); fe_mul_c(z3, x1sq, 4); } 
@@ -113,19 +114,19 @@ static void xc_diffadd(byte *x5, byte *z5, byte a[F25519_SIZE]; byte b[F25519_SIZE]; - fe_add(a, x2, z2); - fe_sub(b, x3, z3); /* D */ + lm_add(a, x2, z2); + lm_sub(b, x3, z3); /* D */ fe_mul__distinct(da, a, b); - fe_sub(b, x2, z2); - fe_add(a, x3, z3); /* C */ + lm_sub(b, x2, z2); + lm_add(a, x3, z3); /* C */ fe_mul__distinct(cb, a, b); - fe_add(a, da, cb); + lm_add(a, da, cb); fe_mul__distinct(b, a, a); fe_mul__distinct(x5, z1, b); - fe_sub(a, da, cb); + lm_sub(a, da, cb); fe_mul__distinct(b, a, a); fe_mul__distinct(z5, x1, b); } @@ -144,7 +145,7 @@ int curve25519(byte *result, byte *e, byte *q) int i; /* Note: bit 254 is assumed to be 1 */ - fe_copy(xm, q); + lm_copy(xm, q); for (i = 253; i >= 0; i--) { const int bit = (e[i >> 3] >> (i & 7)) & 1; @@ -175,6 +176,8 @@ int curve25519(byte *result, byte *e, byte *q) return 0; } #endif /* !FREESCALE_LTC_ECC */ +#endif /* CURVE25519_SMALL */ + static void raw_add(byte *x, const byte *p) { @@ -346,7 +349,7 @@ void fe_select(byte *dst, } -void fe_add(fe r, const fe a, const fe b) +void lm_add(byte* r, const byte* a, const byte* b) { word16 c = 0; int i; @@ -370,7 +373,7 @@ void fe_add(fe r, const fe a, const fe b) } -void fe_sub(fe r, const fe a, const fe b) +void lm_sub(byte* r, const byte* a, const byte* b) { word32 c = 0; int i; @@ -395,7 +398,7 @@ void fe_sub(fe r, const fe a, const fe b) } -void fe_neg(fe r, const fe a) +void lm_neg(byte* r, const byte* a) { word32 c = 0; int i; @@ -450,12 +453,12 @@ void fe_mul__distinct(byte *r, const byte *a, const byte *b) } -void fe_mul(fe r, const fe a, const fe b) +void lm_mul(byte *r, const byte* a, const byte *b) { byte tmp[F25519_SIZE]; fe_mul__distinct(tmp, a, b); - fe_copy(r, tmp); + lm_copy(r, tmp); } @@ -533,12 +536,12 @@ void fe_inv__distinct(byte *r, const byte *x) } -void fe_invert(fe r, const fe x) +void lm_invert(byte *r, const byte *x) { byte tmp[F25519_SIZE]; fe_inv__distinct(tmp, x); - fe_copy(r, tmp); + lm_copy(r, tmp); } 
@@ -588,12 +591,12 @@ void fe_sqrt(byte *r, const byte *a) fe_mul__distinct(y, v, v); fe_mul__distinct(i, x, y); fe_load(y, 1); - fe_sub(i, i, y); + lm_sub(i, i, y); /* r = avi */ fe_mul__distinct(x, v, a); fe_mul__distinct(r, x, i); } -#endif /* HAVE_CURVE25519 or HAVE_ED25519 */ -#endif /* CURVED25519_SMALL */ +#endif /* CURVE25519_SMALL || ED25519_SMALL */ +#endif /* HAVE_CURVE25519 || HAVE_ED25519 */ diff --git a/wolfcrypt/src/fe_operations.c b/wolfcrypt/src/fe_operations.c index 285f6c0cf..45bdbb514 100755 --- a/wolfcrypt/src/fe_operations.c +++ b/wolfcrypt/src/fe_operations.c @@ -28,8 +28,8 @@ #include -#ifndef CURVED25519_SMALL /* run when not defined to use small memory math */ -#if defined(HAVE_ED25519) || defined(HAVE_CURVE25519) +#if defined(HAVE_CURVE25519) || defined(HAVE_ED25519) +#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL) /* run when not defined to use small memory math */ #include #include @@ -110,7 +110,7 @@ void fe_0(fe h) h[9] = 0; } -#ifndef FREESCALE_LTC_ECC +#if !defined(CURVE25519_SMALL) && !defined(FREESCALE_LTC_ECC) int curve25519(byte* q, byte* n, byte* p) { #if 0 @@ -186,7 +186,8 @@ int curve25519(byte* q, byte* n, byte* p) return 0; } -#endif /* !FREESCALE_LTC_ECC */ +#endif /* !CURVE25519_SMALL && !FREESCALE_LTC_ECC */ + /* h = f * f @@ -1411,6 +1412,6 @@ void fe_cmov(fe f, const fe g, int b) f[9] = f9 ^ x9; } #endif -#endif /* HAVE ED25519 or CURVE25519 */ -#endif /* not defined CURVED25519_SMALL */ +#endif /* !CURVE25519_SMALL || !ED25519_SMALL */ +#endif /* HAVE_CURVE25519 || HAVE_ED25519 */ diff --git a/wolfcrypt/src/fe_x25519_128.i b/wolfcrypt/src/fe_x25519_128.i index d7297a260..1b939a671 100644 --- a/wolfcrypt/src/fe_x25519_128.i +++ b/wolfcrypt/src/fe_x25519_128.i @@ -389,6 +389,7 @@ void fe_invert(fe r, const fe a) fe_sq(t1, t1); for (i = 1; i < 5; ++i) fe_sq(t1, t1); fe_mul( r, t1, t0); } +#ifndef CURVE25519_SMALL /* Scalar multiply the field element a by n using Montgomery Ladder and places * result in r. * 
@@ -447,6 +448,7 @@ int curve25519(byte* r, byte* n, byte* a) return 0; } +#endif /* !CURVE25519_SMALL */ /* The field element value 0 as an array of bytes. */ static const unsigned char zero[32] = {0}; diff --git a/wolfcrypt/src/ge_low_mem.c b/wolfcrypt/src/ge_low_mem.c index 9b6b26206..e66ba1d9e 100644 --- a/wolfcrypt/src/ge_low_mem.c +++ b/wolfcrypt/src/ge_low_mem.c @@ -28,8 +28,8 @@ #include -#if defined(CURVED25519_SMALL) /* use slower code that takes less memory */ -#if defined(HAVE_ED25519) +#ifdef HAVE_ED25519 +#ifdef ED25519_SMALL /* use slower code that takes less memory */ #include #include @@ -77,10 +77,10 @@ int ge_compress_key(byte* out, const byte* xIn, const byte* yIn, byte pt[32]; int i; - fe_copy(tmp, xIn); + lm_copy(tmp, xIn); parity = (tmp[0] & 1) << 7; - fe_copy(pt, yIn); + lm_copy(pt, yIn); pt[31] |= parity; for(i = 0; i < 32; i++) { @@ -301,13 +301,13 @@ void ed25519_add(ge_p3 *r, byte h[F25519_SIZE]; /* A = (Y1-X1)(Y2-X2) */ - fe_sub(c, p1->Y, p1->X); - fe_sub(d, p2->Y, p2->X); + lm_sub(c, p1->Y, p1->X); + lm_sub(d, p2->Y, p2->X); fe_mul__distinct(a, c, d); /* B = (Y1+X1)(Y2+X2) */ - fe_add(c, p1->Y, p1->X); - fe_add(d, p2->Y, p2->X); + lm_add(c, p1->Y, p1->X); + lm_add(d, p2->Y, p2->X); fe_mul__distinct(b, c, d); /* C = T1 k T2 */ @@ -316,19 +316,19 @@ void ed25519_add(ge_p3 *r, /* D = Z1 2 Z2 */ fe_mul__distinct(d, p1->Z, p2->Z); - fe_add(d, d, d); + lm_add(d, d, d); /* E = B - A */ - fe_sub(e, b, a); + lm_sub(e, b, a); /* F = D - C */ - fe_sub(f, d, c); + lm_sub(f, d, c); /* G = D + C */ - fe_add(g, d, c); + lm_add(g, d, c); /* H = B + A */ - fe_add(h, b, a); + lm_add(h, b, a); /* X3 = E F */ fe_mul__distinct(r->X, e, f); 
@@ -379,24 +379,24 @@ void ed25519_double(ge_p3 *r, const ge_p3 *p) /* C = 2 Z1^2 */ fe_mul__distinct(c, p->Z, p->Z); - fe_add(c, c, c); + lm_add(c, c, c); /* D = a A (alter sign) */ /* E = (X1+Y1)^2-A-B */ - fe_add(f, p->X, p->Y); + lm_add(f, p->X, p->Y); fe_mul__distinct(e, f, f); - fe_sub(e, e, a); - fe_sub(e, e, b); + lm_sub(e, e, a); + lm_sub(e, e, b); /* G = D + B */ - fe_sub(g, b, a); + lm_sub(g, b, a); /* F = G - C */ - fe_sub(f, g, c); + lm_sub(f, g, c); /* H = D - B */ - fe_neg(h, b); - fe_sub(h, h, a); + lm_neg(h, b); + lm_sub(h, h, a); /* X3 = E F */ fe_mul__distinct(r->X, e, f); @@ -457,7 +457,7 @@ void ge_p3_tobytes(unsigned char *s,const ge_p3 *h) fe_normalize(y); parity = (x[0] & 1) << 7; - fe_copy(s, y); + lm_copy(s, y); fe_normalize(s); s[31] |= parity; } @@ -479,7 +479,7 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h) fe_normalize(y); parity = (x[0] & 1) << 7; - fe_copy(s, y); + lm_copy(s, y); fe_normalize(s); s[31] |= parity; } @@ -502,17 +502,17 @@ int ge_frombytes_negate_vartime(ge_p3 *p,const unsigned char *s) /* unpack the key s */ parity = s[31] >> 7; - fe_copy(y, s); + lm_copy(y, s); y[31] &= 127; fe_mul__distinct(c, y, y); fe_mul__distinct(b, c, ed25519_d); - fe_add(a, b, f25519_one); + lm_add(a, b, f25519_one); fe_inv__distinct(b, a); - fe_sub(a, c, f25519_one); + lm_sub(a, c, f25519_one); fe_mul__distinct(c, a, b); fe_sqrt(a, c); - fe_neg(b, a); + lm_neg(b, a); fe_select(x, a, b, (a[0] ^ parity) & 1); /* test that x^2 is equal to c */ @@ -522,14 +522,14 @@ int ge_frombytes_negate_vartime(ge_p3 *p,const unsigned char *s) ret |= ConstantCompare(a, c, F25519_SIZE); /* project the key s onto p */ - fe_copy(p->X, x); - fe_copy(p->Y, y); + lm_copy(p->X, x); + lm_copy(p->Y, y); fe_load(p->Z, 1); fe_mul__distinct(p->T, x, y); /* negate, the point becomes (-X,Y,Z,-T) */ - fe_neg(p->X,p->X); - fe_neg(p->T,p->T); + lm_neg(p->X,p->X); + lm_neg(p->T,p->T); return ret; } 
@@ -552,13 +552,12 @@ int ge_double_scalarmult_vartime(ge_p2* R, const unsigned char *h, /* SB + -H(R,A,M)A */ ed25519_add(&A, &p, &A); - fe_copy(R->X, A.X); - fe_copy(R->Y, A.Y); - fe_copy(R->Z, A.Z); + lm_copy(R->X, A.X); + lm_copy(R->Y, A.Y); + lm_copy(R->Z, A.Z); return ret; } +#endif /* ED25519_SMALL */ #endif /* HAVE_ED25519 */ -#endif /* CURVED25519_SMALL */ - diff --git a/wolfcrypt/src/ge_operations.c b/wolfcrypt/src/ge_operations.c index bf9b2eee4..3da367027 100644 --- a/wolfcrypt/src/ge_operations.c +++ b/wolfcrypt/src/ge_operations.c @@ -29,8 +29,8 @@ #include -#ifndef CURVED25519_SMALL /* run when not defined to use small memory math */ #ifdef HAVE_ED25519 +#ifndef ED25519_SMALL /* run when not defined to use small memory math */ #include #include @@ -45,7 +45,7 @@ /* ge means group element. -Here the group is the set of pairs (x,y) of field elements (see fe.h) +Here the group is the set of pairs (x,y) of field elements (see ge_operations.h) satisfying -x^2 + y^2 = 1 + d x^2y^2 where d = -121665/121666. @@ -691,7 +691,7 @@ void sc_muladd(byte* s, const byte* a, const byte* b, const byte* c) int ge_compress_key(byte* out, const byte* xIn, const byte* yIn, word32 keySz) { - fe x,y,z; + ge x,y,z; ge_p3 g; byte bArray[ED25519_KEY_SIZE]; word32 i; @@ -721,7 +721,7 @@ r = p + q */ void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q) { - fe t0; + ge t0; fe_add(r->X,p->Y,p->X); fe_sub(r->Y,p->Y,p->X); fe_mul(r->Z,r->X,q->YplusX); @@ -3720,12 +3720,12 @@ int ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, } #ifdef HAVE___UINT128_T -static const fe d = { +static const ge d = { 0x34dca135978a3, 0x1a8283b156ebd, 0x5e7a26001c029, 0x739c663a03cbb, 0x52036cee2b6ff }; #else -static const fe d = { +static const ge d = { -10913610,13857413,-15372611,6949391,114729, -8787816,-6275908,-3247719,-18696448,-12055116 } ; 
@@ -3733,12 +3733,12 @@ static const fe d = { #ifdef HAVE___UINT128_T -static const fe sqrtm1 = { +static const ge sqrtm1 = { 0x61b274a0ea0b0, 0x0d5a5fc8f189d, 0x7ef5e9cbd0c60, 0x78595a6804c9e, 0x2b8324804fc1d }; #else -static const fe sqrtm1 = { +static const ge sqrtm1 = { -32595792,-7943725,9377950,3500415,12389472, -272473,-25146209,-2005654,326686,11406482 } ; @@ -3747,11 +3747,11 @@ static const fe sqrtm1 = { int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s) { - fe u; - fe v; - fe v3; - fe vxx; - fe check; + ge u; + ge v; + ge v3; + ge vxx; + ge check; fe_frombytes(h->Y,s); fe_1(h->Z); @@ -3795,7 +3795,7 @@ r = p + q void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q) { - fe t0; + ge t0; fe_add(r->X,p->Y,p->X); fe_sub(r->Y,p->Y,p->X); fe_mul(r->Z,r->X,q->yplusx); @@ -3817,7 +3817,7 @@ r = p - q void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q) { - fe t0; + ge t0; fe_add(r->X,p->Y,p->X); fe_sub(r->Y,p->Y,p->X); fe_mul(r->Z,r->X,q->yminusx); @@ -3877,7 +3877,7 @@ r = 2 * p void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p) { - fe t0; + ge t0; fe_sq(r->X,p->X); fe_sq(r->Z,p->Y); fe_sq2(r->T,p->Z); @@ -3922,12 +3922,12 @@ r = p */ #ifdef HAVE___UINT128_T -static const fe d2 = { +static const ge d2 = { 0x69b9426b2f159, 0x35050762add7a, 0x3cf44c0038052, 0x6738cc7407977, 0x2406d9dc56dff }; #else -static const fe d2 = { +static const ge d2 = { -21827239,-5839606,-30745221,13898782,229458, 15978800,-12551817,-6495438,29715968,9444199 } ; @@ -3959,9 +3959,9 @@ extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p) /* ge p3 tobytes */ void ge_p3_tobytes(unsigned char *s,const ge_p3 *h) { - fe recip; - fe x; - fe y; + ge recip; + ge x; + ge y; fe_invert(recip,h->Z); fe_mul(x,h->X,recip); @@ -3987,7 +3987,7 @@ r = p - q void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q) { - fe t0; + ge t0; fe_add(r->X,p->Y,p->X); fe_sub(r->Y,p->Y,p->X); fe_mul(r->Z,r->X,q->YminusX); 
@@ -4005,9 +4005,9 @@ void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q) /* ge tobytes */ void ge_tobytes(unsigned char *s,const ge_p2 *h) { - fe recip; - fe x; - fe y; + ge recip; + ge x; + ge y; fe_invert(recip,h->Z); fe_mul(x,h->X,recip); @@ -4015,6 +4015,6 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h) fe_tobytes(s,y); s[31] ^= fe_isnegative(x) << 7; } -#endif /* HAVE_ED25519 */ -#endif /* not defined CURVED25519_SMALL */ +#endif /* !ED25519_SMALL */ +#endif /* HAVE_ED25519 */ diff --git a/wolfssl/wolfcrypt/fe_operations.h b/wolfssl/wolfcrypt/fe_operations.h index 5bbe1b299..a331d57fd 100644 --- a/wolfssl/wolfcrypt/fe_operations.h +++ b/wolfssl/wolfcrypt/fe_operations.h @@ -27,7 +27,7 @@ #if defined(HAVE_CURVE25519) || defined(HAVE_ED25519) -#ifndef CURVED25519_SMALL +#ifndef CURVE25519_SMALL #include #endif #include 
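Review bot: In the fe_operations.h hunk the include kept under `#ifndef CURVE25519_SMALL` no longer matches the code that needs it. Later in this header the `int64_t`/`int32_t` typedefs for `fe` and the `uint64_t load_3`/`load_4` prototypes are now compiled under `#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL)`. With `CURVE25519_SMALL` defined and `ED25519_SMALL` not defined, the header uses fixed-width types without including their header itself (the include target is not readable on this page, presumably `<stdint.h>`), so it depends on include order elsewhere. The guard should use the same condition as the typedefs: `#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL)`.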
@@ -40,18 +40,31 @@ t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on context. */ -#ifdef CURVED25519_SMALL - #define F25519_SIZE 32 - typedef byte fe[32]; -#elif defined(HAVE___UINT128_T) +#if defined(CURVE25519_SMALL) || defined(ED25519_SMALL) + #define F25519_SIZE 32 + + WOLFSSL_LOCAL void lm_copy(byte*, const byte*); + WOLFSSL_LOCAL void lm_add(byte*, const byte*, const byte*); + WOLFSSL_LOCAL void lm_sub(byte*, const byte*, const byte*); + WOLFSSL_LOCAL void lm_neg(byte*,const byte*); + WOLFSSL_LOCAL void lm_invert(byte*, const byte*); + WOLFSSL_LOCAL void lm_mul(byte*,const byte*,const byte*); +#endif + + +#if !defined(FREESCALE_LTC_ECC) +WOLFSSL_LOCAL int curve25519(byte * q, byte * n, byte * p); +#endif + +/* default to be faster but take more memory */ +#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL) + +#if defined(HAVE___UINT128_T) typedef int64_t fe[5]; #else typedef int32_t fe[10]; #endif -#if! defined FREESCALE_LTC_ECC -WOLFSSL_LOCAL int curve25519(byte * q, byte * n, byte * p); -#endif WOLFSSL_LOCAL void fe_copy(fe, const fe); WOLFSSL_LOCAL void fe_add(fe, const fe, const fe); WOLFSSL_LOCAL void fe_neg(fe,const fe); @@ -59,8 +72,6 @@ WOLFSSL_LOCAL void fe_sub(fe, const fe, const fe); WOLFSSL_LOCAL void fe_invert(fe, const fe); WOLFSSL_LOCAL void fe_mul(fe,const fe,const fe); -/* default to be faster but take more memory */ -#ifndef CURVED25519_SMALL /* Based On Daniel J Bernstein's curve25519 and ed25519 Public Domain ref10 work. */ 
@@ -81,11 +92,11 @@ WOLFSSL_LOCAL void fe_pow22523(fe,const fe); /* 64 type needed for SHA512 */ WOLFSSL_LOCAL uint64_t load_3(const unsigned char *in); WOLFSSL_LOCAL uint64_t load_4(const unsigned char *in); -#endif /* not defined CURVED25519_SMALL */ +#endif /* !CURVE25519_SMALL */ /* Use less memory and only 32bit types or less, but is slower Based on Daniel Beer's public domain work. */ -#ifdef CURVED25519_SMALL +#if defined(CURVE25519_SMALL) || defined(ED25519_SMALL) static const byte c25519_base_x[F25519_SIZE] = {9}; static const byte f25519_zero[F25519_SIZE] = {0}; static const byte f25519_one[F25519_SIZE] = {1}; @@ -131,7 +142,8 @@ WOLFSSL_LOCAL void fprime_sub(byte *r, const byte *a, const byte *modulus); WOLFSSL_LOCAL void fprime_mul(byte *r, const byte *a, const byte *b, const byte *modulus); WOLFSSL_LOCAL void fprime_copy(byte *x, const byte *a); -#endif /* CURVED25519_SMALL */ -#endif /* HAVE_CURVE25519 or HAVE_ED25519 */ -#endif /* WOLF_CRYPT_FE_OPERATIONS_H */ +#endif /* CURVE25519_SMALL || ED25519_SMALL */ +#endif /* HAVE_CURVE25519 || HAVE_ED25519 */ + +#endif /* WOLF_CRYPT_FE_OPERATIONS_H */ diff --git a/wolfssl/wolfcrypt/ge_operations.h b/wolfssl/wolfcrypt/ge_operations.h index c079b36b8..2848adf86 100644 --- a/wolfssl/wolfcrypt/ge_operations.h +++ b/wolfssl/wolfcrypt/ge_operations.h @@ -29,7 +29,7 @@ #ifdef HAVE_ED25519 -#ifndef CURVED25519_SMALL +#ifndef ED25519_SMALL #include #endif #include 
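Review bot: The closing comment `#endif /* !CURVE25519_SMALL */` names the wrong condition. The block it closes is opened earlier in this header with `#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL)`. Use `#endif /* !CURVE25519_SMALL || !ED25519_SMALL */`, as the matching change in fe_operations.c does.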
@@ -48,20 +48,28 @@ Representations: ge_precomp (Duif): (y+x,y-x,2dxy) */ +#ifdef ED25519_SMALL + typedef byte ge[F25519_SIZE]; +#elif defined(HAVE___UINT128_T) + typedef int64_t ge[5]; +#else + typedef int32_t ge[10]; +#endif typedef struct { - fe X; - fe Y; - fe Z; + ge X; + ge Y; + ge Z; } ge_p2; typedef struct { - fe X; - fe Y; - fe Z; - fe T; + ge X; + ge Y; + ge Z; + ge T; } ge_p3; + WOLFSSL_LOCAL int ge_compress_key(byte* out, const byte* xIn, const byte* yIn, word32 keySz); WOLFSSL_LOCAL int ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *); @@ -75,25 +83,26 @@ WOLFSSL_LOCAL void sc_muladd(byte* s, const byte* a, const byte* b, WOLFSSL_LOCAL void ge_tobytes(unsigned char *,const ge_p2 *); WOLFSSL_LOCAL void ge_p3_tobytes(unsigned char *,const ge_p3 *); -#ifndef CURVED25519_SMALL + +#ifndef ED25519_SMALL typedef struct { - fe X; - fe Y; - fe Z; - fe T; + ge X; + ge Y; + ge Z; + ge T; } ge_p1p1; typedef struct { - fe yplusx; - fe yminusx; - fe xy2d; + ge yplusx; + ge yminusx; + ge xy2d; } ge_precomp; typedef struct { - fe YplusX; - fe YminusX; - fe Z; - fe T2d; + ge YplusX; + ge YminusX; + ge Z; + ge T2d; } ge_cached; WOLFSSL_LOCAL void ge_p2_0(ge_p2 *); @@ -110,7 +119,9 @@ WOLFSSL_LOCAL void ge_madd(ge_p1p1 *,const ge_p3 *,const ge_precomp *); WOLFSSL_LOCAL void ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *); WOLFSSL_LOCAL void ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *); WOLFSSL_LOCAL void ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *); -#endif /* no CURVED25519_SMALL */ -#endif /* HAVE_ED25519 */ -#endif /* WOLF_CRYPT_GE_OPERATIONS_H */ +#endif /* !ED25519_SMALL */ + +#endif /* HAVE_ED25519 */ + +#endif /* WOLF_CRYPT_GE_OPERATIONS_H */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 5531462d5..8829fbdcc 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h 
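Review bot: The new `ge` typedef in the first ge_operations.h hunk repeats the element layout of `fe` (`int64_t[5]` / `int32_t[10]`) in a second header, and every `ge` value in ge_operations.c is still passed to the `fe_*` functions, so the two definitions have to be kept identical by hand. In the non-small branches `fe` appears to be available already, since fe_operations.h defines it whenever `ED25519_SMALL` is absent, so a single `#else` with `typedef fe ge;` would replace the `#elif`/`#else` pair and remove the duplication. The name is also easy to misread: the comment in ge_operations.c says ge means group element, while this type holds one coordinate. A short comment such as `/* ge: field element in the representation used by the ed25519 group code */` would make that clear.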
@@ -1574,6 +1574,12 @@ extern void uITRON4_free(void *p) ; #define SSL_CTRL_SET_TLSEXT_HOSTNAME #endif +/* both CURVE and ED small math should be enabled */ +#ifdef CURVED25519_SMALL + #define CURVE25519_SMALL + #define ED25519_SMALL +#endif + #ifdef __cplusplus } /* extern "C" */ #endif
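Review bot: The compatibility block defines `CURVE25519_SMALL` and `ED25519_SMALL` unconditionally, so a build that sets the legacy `CURVED25519_SMALL` together with one of the new flags redefines the macro. For example `-DED25519_SMALL` gives the macro the value 1, and the empty `#define` here then has a different body, which produces a redefinition diagnostic. Guard each define, `#ifndef CURVE25519_SMALL` / `#define CURVE25519_SMALL` / `#endif`, and the same for `ED25519_SMALL`. The comment could also say that `CURVED25519_SMALL` is the old combined name kept for existing configurations.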