feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Enhancement to support different sized Curve/Ed math library implementations for FE/GE. Remains backwards compatible with CURVED25519_SMALL define. Adds new defines CURVE25519_SMALL and ED25519_SMALL to allow individual enabling of math library choice (_low_mem or _operations). Example: ./configure --enable-ed25519=small --enable-curve25519.

Browse Source
This commit is contained in:
David Garske
2017-06-16 09:41:10 -07:00
parent e6f0ee84ec
commit 3c173ba366
12 changed files with 187 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
configure.ac
View File

@ -1088,7 +1088,8 @@ fi
# for using memory optimization setting on both curve25519 and ed25519 # for using memory optimization setting on both curve25519 and ed25519
ENABLED_CURVED25519_SMALL=no ENABLED_CURVE25519_SMALL=no
ENABLED_ED25519_SMALL=no
# CURVE25519 # CURVE25519
AC_ARG_ENABLE([curve25519], AC_ARG_ENABLE([curve25519],
@ -1105,8 +1106,8 @@ fi
if test "$ENABLED_CURVE25519" = "small" if test "$ENABLED_CURVE25519" = "small"
then then
AM_CFLAGS="$AM_CFLAGS -DCURVED25519_SMALL" AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL"
ENABLED_CURVED25519_SMALL=yes ENABLED_CURVE25519_SMALL=yes
ENABLED_CURVE25519=yes ENABLED_CURVE25519=yes
fi fi
@ -1118,7 +1119,7 @@ fi
AM_CONDITIONAL([BUILD_CURVE25519], [test "x$ENABLED_CURVE25519" = "xyes"]) AM_CONDITIONAL([BUILD_CURVE25519], [test "x$ENABLED_CURVE25519" = "xyes"])
AM_CONDITIONAL([BUILD_CURVE25519_SMALL], [test "x$ENABLED_CURVE25519_SMALL" = "xyes"])
# ED25519 # ED25519
AC_ARG_ENABLE([ed25519], AC_ARG_ENABLE([ed25519],
@ -1135,8 +1136,8 @@ fi
if test "$ENABLED_ED25519" = "small" if test "$ENABLED_ED25519" = "small"
then then
AM_CFLAGS="$AM_CFLAGS -DCURVED25519_SMALL" AM_CFLAGS="$AM_CFLAGS -DED25519_SMALL"
ENABLED_CURVED25519_SMALL=yes ENABLED_ED25519_SMALL=yes
ENABLED_ED25519=yes ENABLED_ED25519=yes
fi fi
@ -1152,7 +1153,7 @@ then
fi fi
AM_CONDITIONAL([BUILD_ED25519], [test "x$ENABLED_ED25519" = "xyes"]) AM_CONDITIONAL([BUILD_ED25519], [test "x$ENABLED_ED25519" = "xyes"])
AM_CONDITIONAL([BUILD_CURVED25519_SMALL], [test "x$ENABLED_CURVED25519_SMALL" = "xyes"]) AM_CONDITIONAL([BUILD_ED25519_SMALL], [test "x$ENABLED_ED25519_SMALL" = "xyes"])
AM_CONDITIONAL([BUILD_FEMATH], [test "x$ENABLED_FEMATH" = "xyes"]) AM_CONDITIONAL([BUILD_FEMATH], [test "x$ENABLED_FEMATH" = "xyes"])
AM_CONDITIONAL([BUILD_GEMATH], [test "x$ENABLED_GEMATH" = "xyes"]) AM_CONDITIONAL([BUILD_GEMATH], [test "x$ENABLED_GEMATH" = "xyes"])

10
src/include.am
View File

@ -228,7 +228,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/ed25519.c
endif endif
if BUILD_FEMATH if BUILD_FEMATH
if BUILD_CURVED25519_SMALL if BUILD_CURVE25519_SMALL
src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_low_mem.c src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_low_mem.c
else else
src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_operations.c src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_operations.c
@ -236,10 +236,16 @@ endif
endif endif
if BUILD_GEMATH if BUILD_GEMATH
if BUILD_CURVED25519_SMALL if BUILD_ED25519_SMALL
src_libwolfssl_la_SOURCES += wolfcrypt/src/ge_low_mem.c src_libwolfssl_la_SOURCES += wolfcrypt/src/ge_low_mem.c
if !BUILD_CURVE25519_SMALL
src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_low_mem.c
endif
else else
src_libwolfssl_la_SOURCES += wolfcrypt/src/ge_operations.c src_libwolfssl_la_SOURCES += wolfcrypt/src/ge_operations.c
if BUILD_CURVE25519_SMALL
src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_operations.c
endif
endif endif
endif endif

9
wolfcrypt/src/curve25519.c
View File

@ -53,7 +53,7 @@ const curve25519_set_type curve25519_sets[] = {
int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key) int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key)
{ {
#ifdef FREESCALE_LTC_ECC #ifdef FREESCALE_LTC_ECC
const ECPoint* basepoint = wc_curve25519_GetBasePoint(); const ECPoint* basepoint = wc_curve25519_GetBasePoint();
#else #else
unsigned char basepoint[CURVE25519_KEYSIZE] = {9}; unsigned char basepoint[CURVE25519_KEYSIZE] = {9};
@ -117,7 +117,7 @@ int wc_curve25519_shared_secret_ex(curve25519_key* private_key,
if (private_key == NULL || public_key == NULL || if (private_key == NULL || public_key == NULL ||
out == NULL || outlen == NULL || *outlen < CURVE25519_KEYSIZE) out == NULL || outlen == NULL || *outlen < CURVE25519_KEYSIZE)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
/* avoid implementation fingerprinting */ /* avoid implementation fingerprinting */
if (public_key->p.point[CURVE25519_KEYSIZE-1] > 0x7F) if (public_key->p.point[CURVE25519_KEYSIZE-1] > 0x7F)
return ECC_BAD_ARG_E; return ECC_BAD_ARG_E;
@ -249,8 +249,7 @@ int wc_curve25519_import_public_ex(const byte* in, word32 inLen,
XMEMCPY(key->p.point, in, inLen); XMEMCPY(key->p.point, in, inLen);
key->dp = &curve25519_sets[0]; key->dp = &curve25519_sets[0];
/* LTC needs also Y coordinate - let's compute it */ /* LTC needs also Y coordinate - let's compute it */
#ifdef FREESCALE_LTC_ECC #ifdef FREESCALE_LTC_ECC
ltc_pkha_ecc_point_t ltcPoint; ltc_pkha_ecc_point_t ltcPoint;
@ -424,7 +423,7 @@ int wc_curve25519_init(curve25519_key* key)
/* currently the format for curve25519 */ /* currently the format for curve25519 */
key->dp = &curve25519_sets[0]; key->dp = &curve25519_sets[0];
XMEMSET(key->k.point, 0, key->dp->size); XMEMSET(key->k.point, 0, key->dp->size);
XMEMSET(key->p.point, 0, key->dp->size); XMEMSET(key->p.point, 0, key->dp->size);
#ifdef FREESCALE_LTC_ECC #ifdef FREESCALE_LTC_ECC
XMEMSET(key->k.pointY, 0, key->dp->size); XMEMSET(key->k.pointY, 0, key->dp->size);

6
wolfcrypt/src/ed25519.c
View File

@ -112,7 +112,7 @@ int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out,
#else #else
ge_p3 R; ge_p3 R;
#endif #endif
byte nonce[SHA512_DIGEST_SIZE]; byte nonce[SHA512_DIGEST_SIZE];
byte hram[SHA512_DIGEST_SIZE]; byte hram[SHA512_DIGEST_SIZE];
byte az[ED25519_PRV_KEY_SIZE]; byte az[ED25519_PRV_KEY_SIZE];
Sha512 sha; Sha512 sha;
@ -193,7 +193,7 @@ int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out,
#else #else
sc_reduce(hram); sc_reduce(hram);
sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce); sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
#endif #endif
return ret; return ret;
} }
@ -234,7 +234,7 @@ int wc_ed25519_verify_msg(const byte* sig, word32 siglen, const byte* msg,
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
/* uncompress A (public key), test if valid, and negate it */ /* uncompress A (public key), test if valid, and negate it */
#ifndef FREESCALE_LTC_ECC #ifndef FREESCALE_LTC_ECC
if (ge_frombytes_negate_vartime(&A, key->p) != 0) if (ge_frombytes_negate_vartime(&A, key->p) != 0)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
#endif #endif

49
wolfcrypt/src/fe_low_mem.c
View File

@ -28,8 +28,8 @@
#include <wolfssl/wolfcrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#if defined(CURVED25519_SMALL) /* use slower code that takes less memory */ #if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
#if defined(HAVE_ED25519) || defined(HAVE_CURVE25519) #if defined(CURVE25519_SMALL) || defined(ED25519_SMALL) /* use slower code that takes less memory */
#include <wolfssl/wolfcrypt/fe_operations.h> #include <wolfssl/wolfcrypt/fe_operations.h>
@ -49,7 +49,7 @@ void fprime_copy(byte *x, const byte *a)
} }
void fe_copy(fe x, const fe a) void lm_copy(byte* x, const byte* a)
{ {
int i; int i;
for (i = 0; i < F25519_SIZE; i++) for (i = 0; i < F25519_SIZE; i++)
@ -57,6 +57,7 @@ void fe_copy(fe x, const fe a)
} }
#ifdef CURVE25519_SMALL
/* Double an X-coordinate */ /* Double an X-coordinate */
static void xc_double(byte *x3, byte *z3, static void xc_double(byte *x3, byte *z3,
const byte *x1, const byte *z1) const byte *x1, const byte *z1)
@ -77,12 +78,12 @@ static void xc_double(byte *x3, byte *z3,
fe_mul__distinct(z1sq, z1, z1); fe_mul__distinct(z1sq, z1, z1);
fe_mul__distinct(x1z1, x1, z1); fe_mul__distinct(x1z1, x1, z1);
fe_sub(a, x1sq, z1sq); lm_sub(a, x1sq, z1sq);
fe_mul__distinct(x3, a, a); fe_mul__distinct(x3, a, a);
fe_mul_c(a, x1z1, 486662); fe_mul_c(a, x1z1, 486662);
fe_add(a, x1sq, a); lm_add(a, x1sq, a);
fe_add(a, z1sq, a); lm_add(a, z1sq, a);
fe_mul__distinct(x1sq, x1z1, a); fe_mul__distinct(x1sq, x1z1, a);
fe_mul_c(z3, x1sq, 4); fe_mul_c(z3, x1sq, 4);
} }
@ -113,19 +114,19 @@ static void xc_diffadd(byte *x5, byte *z5,
byte a[F25519_SIZE]; byte a[F25519_SIZE];
byte b[F25519_SIZE]; byte b[F25519_SIZE];
fe_add(a, x2, z2); lm_add(a, x2, z2);
fe_sub(b, x3, z3); /* D */ lm_sub(b, x3, z3); /* D */
fe_mul__distinct(da, a, b); fe_mul__distinct(da, a, b);
fe_sub(b, x2, z2); lm_sub(b, x2, z2);
fe_add(a, x3, z3); /* C */ lm_add(a, x3, z3); /* C */
fe_mul__distinct(cb, a, b); fe_mul__distinct(cb, a, b);
fe_add(a, da, cb); lm_add(a, da, cb);
fe_mul__distinct(b, a, a); fe_mul__distinct(b, a, a);
fe_mul__distinct(x5, z1, b); fe_mul__distinct(x5, z1, b);
fe_sub(a, da, cb); lm_sub(a, da, cb);
fe_mul__distinct(b, a, a); fe_mul__distinct(b, a, a);
fe_mul__distinct(z5, x1, b); fe_mul__distinct(z5, x1, b);
} }
@ -144,7 +145,7 @@ int curve25519(byte *result, byte *e, byte *q)
int i; int i;
/* Note: bit 254 is assumed to be 1 */ /* Note: bit 254 is assumed to be 1 */
fe_copy(xm, q); lm_copy(xm, q);
for (i = 253; i >= 0; i--) { for (i = 253; i >= 0; i--) {
const int bit = (e[i >> 3] >> (i & 7)) & 1; const int bit = (e[i >> 3] >> (i & 7)) & 1;
@ -175,6 +176,8 @@ int curve25519(byte *result, byte *e, byte *q)
return 0; return 0;
} }
#endif /* !FREESCALE_LTC_ECC */ #endif /* !FREESCALE_LTC_ECC */
#endif /* CURVE25519_SMALL */
static void raw_add(byte *x, const byte *p) static void raw_add(byte *x, const byte *p)
{ {
@ -346,7 +349,7 @@ void fe_select(byte *dst,
} }
void fe_add(fe r, const fe a, const fe b) void lm_add(byte* r, const byte* a, const byte* b)
{ {
word16 c = 0; word16 c = 0;
int i; int i;
@ -370,7 +373,7 @@ void fe_add(fe r, const fe a, const fe b)
} }
void fe_sub(fe r, const fe a, const fe b) void lm_sub(byte* r, const byte* a, const byte* b)
{ {
word32 c = 0; word32 c = 0;
int i; int i;
@ -395,7 +398,7 @@ void fe_sub(fe r, const fe a, const fe b)
} }
void fe_neg(fe r, const fe a) void lm_neg(byte* r, const byte* a)
{ {
word32 c = 0; word32 c = 0;
int i; int i;
@ -450,12 +453,12 @@ void fe_mul__distinct(byte *r, const byte *a, const byte *b)
} }
void fe_mul(fe r, const fe a, const fe b) void lm_mul(byte *r, const byte* a, const byte *b)
{ {
byte tmp[F25519_SIZE]; byte tmp[F25519_SIZE];
fe_mul__distinct(tmp, a, b); fe_mul__distinct(tmp, a, b);
fe_copy(r, tmp); lm_copy(r, tmp);
} }
@ -533,12 +536,12 @@ void fe_inv__distinct(byte *r, const byte *x)
} }
void fe_invert(fe r, const fe x) void lm_invert(byte *r, const byte *x)
{ {
byte tmp[F25519_SIZE]; byte tmp[F25519_SIZE];
fe_inv__distinct(tmp, x); fe_inv__distinct(tmp, x);
fe_copy(r, tmp); lm_copy(r, tmp);
} }
@ -588,12 +591,12 @@ void fe_sqrt(byte *r, const byte *a)
fe_mul__distinct(y, v, v); fe_mul__distinct(y, v, v);
fe_mul__distinct(i, x, y); fe_mul__distinct(i, x, y);
fe_load(y, 1); fe_load(y, 1);
fe_sub(i, i, y); lm_sub(i, i, y);
/* r = avi */ /* r = avi */
fe_mul__distinct(x, v, a); fe_mul__distinct(x, v, a);
fe_mul__distinct(r, x, i); fe_mul__distinct(r, x, i);
} }
#endif /* HAVE_CURVE25519 or HAVE_ED25519 */ #endif /* CURVE25519_SMALL || ED25519_SMALL */
#endif /* CURVED25519_SMALL */ #endif /* HAVE_CURVE25519 || HAVE_ED25519 */

13
wolfcrypt/src/fe_operations.c
View File

@ -28,8 +28,8 @@
#include <wolfssl/wolfcrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#ifndef CURVED25519_SMALL /* run when not defined to use small memory math */ #if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
#if defined(HAVE_ED25519) || defined(HAVE_CURVE25519) #if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL) /* run when not defined to use small memory math */
#include <wolfssl/wolfcrypt/fe_operations.h> #include <wolfssl/wolfcrypt/fe_operations.h>
#include <stdint.h> #include <stdint.h>
@ -110,7 +110,7 @@ void fe_0(fe h)
h[9] = 0; h[9] = 0;
} }
#ifndef FREESCALE_LTC_ECC #if !defined(CURVE25519_SMALL) && !defined(FREESCALE_LTC_ECC)
int curve25519(byte* q, byte* n, byte* p) int curve25519(byte* q, byte* n, byte* p)
{ {
#if 0 #if 0
@ -186,7 +186,8 @@ int curve25519(byte* q, byte* n, byte* p)
return 0; return 0;
} }
#endif /* !FREESCALE_LTC_ECC */ #endif /* !CURVE25519_SMALL && !FREESCALE_LTC_ECC */
/* /*
h = f * f h = f * f
@ -1411,6 +1412,6 @@ void fe_cmov(fe f, const fe g, int b)
f[9] = f9 ^ x9; f[9] = f9 ^ x9;
} }
#endif #endif
#endif /* HAVE ED25519 or CURVE25519 */
#endif /* not defined CURVED25519_SMALL */
#endif /* !CURVE25519_SMALL || !ED25519_SMALL */
#endif /* HAVE_CURVE25519 || HAVE_ED25519 */

2
wolfcrypt/src/fe_x25519_128.i
View File

@ -389,6 +389,7 @@ void fe_invert(fe r, const fe a)
fe_sq(t1, t1); for (i = 1; i < 5; ++i) fe_sq(t1, t1); fe_mul( r, t1, t0); fe_sq(t1, t1); for (i = 1; i < 5; ++i) fe_sq(t1, t1); fe_mul( r, t1, t0);
} }
#ifndef CURVE25519_SMALL
/* Scalar multiply the field element a by n using Montgomery Ladder and places /* Scalar multiply the field element a by n using Montgomery Ladder and places
* result in r. * result in r.
* *
@ -447,6 +448,7 @@ int curve25519(byte* r, byte* n, byte* a)
return 0; return 0;
} }
#endif /* !CURVE25519_SMALL */
/* The field element value 0 as an array of bytes. */ /* The field element value 0 as an array of bytes. */
static const unsigned char zero[32] = {0}; static const unsigned char zero[32] = {0};

71
wolfcrypt/src/ge_low_mem.c
View File

@ -28,8 +28,8 @@
#include <wolfssl/wolfcrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#if defined(CURVED25519_SMALL) /* use slower code that takes less memory */ #ifdef HAVE_ED25519
#if defined(HAVE_ED25519) #ifdef ED25519_SMALL /* use slower code that takes less memory */
#include <wolfssl/wolfcrypt/ge_operations.h> #include <wolfssl/wolfcrypt/ge_operations.h>
#include <wolfssl/wolfcrypt/error-crypt.h> #include <wolfssl/wolfcrypt/error-crypt.h>
@ -77,10 +77,10 @@ int ge_compress_key(byte* out, const byte* xIn, const byte* yIn,
byte pt[32]; byte pt[32];
int i; int i;
fe_copy(tmp, xIn); lm_copy(tmp, xIn);
parity = (tmp[0] & 1) << 7; parity = (tmp[0] & 1) << 7;
fe_copy(pt, yIn); lm_copy(pt, yIn);
pt[31] |= parity; pt[31] |= parity;
for(i = 0; i < 32; i++) { for(i = 0; i < 32; i++) {
@ -301,13 +301,13 @@ void ed25519_add(ge_p3 *r,
byte h[F25519_SIZE]; byte h[F25519_SIZE];
/* A = (Y1-X1)(Y2-X2) */ /* A = (Y1-X1)(Y2-X2) */
fe_sub(c, p1->Y, p1->X); lm_sub(c, p1->Y, p1->X);
fe_sub(d, p2->Y, p2->X); lm_sub(d, p2->Y, p2->X);
fe_mul__distinct(a, c, d); fe_mul__distinct(a, c, d);
/* B = (Y1+X1)(Y2+X2) */ /* B = (Y1+X1)(Y2+X2) */
fe_add(c, p1->Y, p1->X); lm_add(c, p1->Y, p1->X);
fe_add(d, p2->Y, p2->X); lm_add(d, p2->Y, p2->X);
fe_mul__distinct(b, c, d); fe_mul__distinct(b, c, d);
/* C = T1 k T2 */ /* C = T1 k T2 */
@ -316,19 +316,19 @@ void ed25519_add(ge_p3 *r,
/* D = Z1 2 Z2 */ /* D = Z1 2 Z2 */
fe_mul__distinct(d, p1->Z, p2->Z); fe_mul__distinct(d, p1->Z, p2->Z);
fe_add(d, d, d); lm_add(d, d, d);
/* E = B - A */ /* E = B - A */
fe_sub(e, b, a); lm_sub(e, b, a);
/* F = D - C */ /* F = D - C */
fe_sub(f, d, c); lm_sub(f, d, c);
/* G = D + C */ /* G = D + C */
fe_add(g, d, c); lm_add(g, d, c);
/* H = B + A */ /* H = B + A */
fe_add(h, b, a); lm_add(h, b, a);
/* X3 = E F */ /* X3 = E F */
fe_mul__distinct(r->X, e, f); fe_mul__distinct(r->X, e, f);
@ -379,24 +379,24 @@ void ed25519_double(ge_p3 *r, const ge_p3 *p)
/* C = 2 Z1^2 */ /* C = 2 Z1^2 */
fe_mul__distinct(c, p->Z, p->Z); fe_mul__distinct(c, p->Z, p->Z);
fe_add(c, c, c); lm_add(c, c, c);
/* D = a A (alter sign) */ /* D = a A (alter sign) */
/* E = (X1+Y1)^2-A-B */ /* E = (X1+Y1)^2-A-B */
fe_add(f, p->X, p->Y); lm_add(f, p->X, p->Y);
fe_mul__distinct(e, f, f); fe_mul__distinct(e, f, f);
fe_sub(e, e, a); lm_sub(e, e, a);
fe_sub(e, e, b); lm_sub(e, e, b);
/* G = D + B */ /* G = D + B */
fe_sub(g, b, a); lm_sub(g, b, a);
/* F = G - C */ /* F = G - C */
fe_sub(f, g, c); lm_sub(f, g, c);
/* H = D - B */ /* H = D - B */
fe_neg(h, b); lm_neg(h, b);
fe_sub(h, h, a); lm_sub(h, h, a);
/* X3 = E F */ /* X3 = E F */
fe_mul__distinct(r->X, e, f); fe_mul__distinct(r->X, e, f);
@ -457,7 +457,7 @@ void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
fe_normalize(y); fe_normalize(y);
parity = (x[0] & 1) << 7; parity = (x[0] & 1) << 7;
fe_copy(s, y); lm_copy(s, y);
fe_normalize(s); fe_normalize(s);
s[31] |= parity; s[31] |= parity;
} }
@ -479,7 +479,7 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h)
fe_normalize(y); fe_normalize(y);
parity = (x[0] & 1) << 7; parity = (x[0] & 1) << 7;
fe_copy(s, y); lm_copy(s, y);
fe_normalize(s); fe_normalize(s);
s[31] |= parity; s[31] |= parity;
} }
@ -502,17 +502,17 @@ int ge_frombytes_negate_vartime(ge_p3 *p,const unsigned char *s)
/* unpack the key s */ /* unpack the key s */
parity = s[31] >> 7; parity = s[31] >> 7;
fe_copy(y, s); lm_copy(y, s);
y[31] &= 127; y[31] &= 127;
fe_mul__distinct(c, y, y); fe_mul__distinct(c, y, y);
fe_mul__distinct(b, c, ed25519_d); fe_mul__distinct(b, c, ed25519_d);
fe_add(a, b, f25519_one); lm_add(a, b, f25519_one);
fe_inv__distinct(b, a); fe_inv__distinct(b, a);
fe_sub(a, c, f25519_one); lm_sub(a, c, f25519_one);
fe_mul__distinct(c, a, b); fe_mul__distinct(c, a, b);
fe_sqrt(a, c); fe_sqrt(a, c);
fe_neg(b, a); lm_neg(b, a);
fe_select(x, a, b, (a[0] ^ parity) & 1); fe_select(x, a, b, (a[0] ^ parity) & 1);
/* test that x^2 is equal to c */ /* test that x^2 is equal to c */
@ -522,14 +522,14 @@ int ge_frombytes_negate_vartime(ge_p3 *p,const unsigned char *s)
ret |= ConstantCompare(a, c, F25519_SIZE); ret |= ConstantCompare(a, c, F25519_SIZE);
/* project the key s onto p */ /* project the key s onto p */
fe_copy(p->X, x); lm_copy(p->X, x);
fe_copy(p->Y, y); lm_copy(p->Y, y);
fe_load(p->Z, 1); fe_load(p->Z, 1);
fe_mul__distinct(p->T, x, y); fe_mul__distinct(p->T, x, y);
/* negate, the point becomes (-X,Y,Z,-T) */ /* negate, the point becomes (-X,Y,Z,-T) */
fe_neg(p->X,p->X); lm_neg(p->X,p->X);
fe_neg(p->T,p->T); lm_neg(p->T,p->T);
return ret; return ret;
} }
@ -552,13 +552,12 @@ int ge_double_scalarmult_vartime(ge_p2* R, const unsigned char *h,
/* SB + -H(R,A,M)A */ /* SB + -H(R,A,M)A */
ed25519_add(&A, &p, &A); ed25519_add(&A, &p, &A);
fe_copy(R->X, A.X); lm_copy(R->X, A.X);
fe_copy(R->Y, A.Y); lm_copy(R->Y, A.Y);
fe_copy(R->Z, A.Z); lm_copy(R->Z, A.Z);
return ret; return ret;
} }
#endif /* ED25519_SMALL */
#endif /* HAVE_ED25519 */ #endif /* HAVE_ED25519 */
#endif /* CURVED25519_SMALL */

54
wolfcrypt/src/ge_operations.c
View File

@ -29,8 +29,8 @@
#include <wolfssl/wolfcrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#ifndef CURVED25519_SMALL /* run when not defined to use small memory math */
#ifdef HAVE_ED25519 #ifdef HAVE_ED25519
#ifndef ED25519_SMALL /* run when not defined to use small memory math */
#include <wolfssl/wolfcrypt/ge_operations.h> #include <wolfssl/wolfcrypt/ge_operations.h>
#include <wolfssl/wolfcrypt/ed25519.h> #include <wolfssl/wolfcrypt/ed25519.h>
@ -45,7 +45,7 @@
/* /*
ge means group element. ge means group element.
Here the group is the set of pairs (x,y) of field elements (see fe.h) Here the group is the set of pairs (x,y) of field elements (see ge_operations.h)
satisfying -x^2 + y^2 = 1 + d x^2y^2 satisfying -x^2 + y^2 = 1 + d x^2y^2
where d = -121665/121666. where d = -121665/121666.
@ -691,7 +691,7 @@ void sc_muladd(byte* s, const byte* a, const byte* b, const byte* c)
int ge_compress_key(byte* out, const byte* xIn, const byte* yIn, word32 keySz) int ge_compress_key(byte* out, const byte* xIn, const byte* yIn, word32 keySz)
{ {
fe x,y,z; ge x,y,z;
ge_p3 g; ge_p3 g;
byte bArray[ED25519_KEY_SIZE]; byte bArray[ED25519_KEY_SIZE];
word32 i; word32 i;
@ -721,7 +721,7 @@ r = p + q
*/ */
void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q) void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
{ {
fe t0; ge t0;
fe_add(r->X,p->Y,p->X); fe_add(r->X,p->Y,p->X);
fe_sub(r->Y,p->Y,p->X); fe_sub(r->Y,p->Y,p->X);
fe_mul(r->Z,r->X,q->YplusX); fe_mul(r->Z,r->X,q->YplusX);
@ -3720,12 +3720,12 @@ int ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a,
} }
#ifdef HAVE___UINT128_T #ifdef HAVE___UINT128_T
static const fe d = { static const ge d = {
0x34dca135978a3, 0x1a8283b156ebd, 0x5e7a26001c029, 0x739c663a03cbb, 0x34dca135978a3, 0x1a8283b156ebd, 0x5e7a26001c029, 0x739c663a03cbb,
0x52036cee2b6ff 0x52036cee2b6ff
}; };
#else #else
static const fe d = { static const ge d = {
-10913610,13857413,-15372611,6949391,114729, -10913610,13857413,-15372611,6949391,114729,
-8787816,-6275908,-3247719,-18696448,-12055116 -8787816,-6275908,-3247719,-18696448,-12055116
} ; } ;
@ -3733,12 +3733,12 @@ static const fe d = {
#ifdef HAVE___UINT128_T #ifdef HAVE___UINT128_T
static const fe sqrtm1 = { static const ge sqrtm1 = {
0x61b274a0ea0b0, 0x0d5a5fc8f189d, 0x7ef5e9cbd0c60, 0x78595a6804c9e, 0x61b274a0ea0b0, 0x0d5a5fc8f189d, 0x7ef5e9cbd0c60, 0x78595a6804c9e,
0x2b8324804fc1d 0x2b8324804fc1d
}; };
#else #else
static const fe sqrtm1 = { static const ge sqrtm1 = {
-32595792,-7943725,9377950,3500415,12389472, -32595792,-7943725,9377950,3500415,12389472,
-272473,-25146209,-2005654,326686,11406482 -272473,-25146209,-2005654,326686,11406482
} ; } ;
@ -3747,11 +3747,11 @@ static const fe sqrtm1 = {
int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s) int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
{ {
fe u; ge u;
fe v; ge v;
fe v3; ge v3;
fe vxx; ge vxx;
fe check; ge check;
fe_frombytes(h->Y,s); fe_frombytes(h->Y,s);
fe_1(h->Z); fe_1(h->Z);
@ -3795,7 +3795,7 @@ r = p + q
void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q) void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
{ {
fe t0; ge t0;
fe_add(r->X,p->Y,p->X); fe_add(r->X,p->Y,p->X);
fe_sub(r->Y,p->Y,p->X); fe_sub(r->Y,p->Y,p->X);
fe_mul(r->Z,r->X,q->yplusx); fe_mul(r->Z,r->X,q->yplusx);
@ -3817,7 +3817,7 @@ r = p - q
void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q) void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
{ {
fe t0; ge t0;
fe_add(r->X,p->Y,p->X); fe_add(r->X,p->Y,p->X);
fe_sub(r->Y,p->Y,p->X); fe_sub(r->Y,p->Y,p->X);
fe_mul(r->Z,r->X,q->yminusx); fe_mul(r->Z,r->X,q->yminusx);
@ -3877,7 +3877,7 @@ r = 2 * p
void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p) void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p)
{ {
fe t0; ge t0;
fe_sq(r->X,p->X); fe_sq(r->X,p->X);
fe_sq(r->Z,p->Y); fe_sq(r->Z,p->Y);
fe_sq2(r->T,p->Z); fe_sq2(r->T,p->Z);
@ -3922,12 +3922,12 @@ r = p
*/ */
#ifdef HAVE___UINT128_T #ifdef HAVE___UINT128_T
static const fe d2 = { static const ge d2 = {
0x69b9426b2f159, 0x35050762add7a, 0x3cf44c0038052, 0x6738cc7407977, 0x69b9426b2f159, 0x35050762add7a, 0x3cf44c0038052, 0x6738cc7407977,
0x2406d9dc56dff 0x2406d9dc56dff
}; };
#else #else
static const fe d2 = { static const ge d2 = {
-21827239,-5839606,-30745221,13898782,229458, -21827239,-5839606,-30745221,13898782,229458,
15978800,-12551817,-6495438,29715968,9444199 15978800,-12551817,-6495438,29715968,9444199
} ; } ;
@ -3959,9 +3959,9 @@ extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p)
/* ge p3 tobytes */ /* ge p3 tobytes */
void ge_p3_tobytes(unsigned char *s,const ge_p3 *h) void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
{ {
fe recip; ge recip;
fe x; ge x;
fe y; ge y;
fe_invert(recip,h->Z); fe_invert(recip,h->Z);
fe_mul(x,h->X,recip); fe_mul(x,h->X,recip);
@ -3987,7 +3987,7 @@ r = p - q
void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q) void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
{ {
fe t0; ge t0;
fe_add(r->X,p->Y,p->X); fe_add(r->X,p->Y,p->X);
fe_sub(r->Y,p->Y,p->X); fe_sub(r->Y,p->Y,p->X);
fe_mul(r->Z,r->X,q->YminusX); fe_mul(r->Z,r->X,q->YminusX);
@ -4005,9 +4005,9 @@ void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
/* ge tobytes */ /* ge tobytes */
void ge_tobytes(unsigned char *s,const ge_p2 *h) void ge_tobytes(unsigned char *s,const ge_p2 *h)
{ {
fe recip; ge recip;
fe x; ge x;
fe y; ge y;
fe_invert(recip,h->Z); fe_invert(recip,h->Z);
fe_mul(x,h->X,recip); fe_mul(x,h->X,recip);
@ -4015,6 +4015,6 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h)
fe_tobytes(s,y); fe_tobytes(s,y);
s[31] ^= fe_isnegative(x) << 7; s[31] ^= fe_isnegative(x) << 7;
} }
#endif /* HAVE_ED25519 */
#endif /* not defined CURVED25519_SMALL */
#endif /* !ED25519_SMALL */
#endif /* HAVE_ED25519 */

42
wolfssl/wolfcrypt/fe_operations.h
View File

@ -27,7 +27,7 @@
#if defined(HAVE_CURVE25519) || defined(HAVE_ED25519) #if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
#ifndef CURVED25519_SMALL #ifndef CURVE25519_SMALL
#include <stdint.h> #include <stdint.h>
#endif #endif
#include <wolfssl/wolfcrypt/types.h> #include <wolfssl/wolfcrypt/types.h>
@ -40,18 +40,31 @@ t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
Bounds on each t[i] vary depending on context. Bounds on each t[i] vary depending on context.
*/ */
#ifdef CURVED25519_SMALL #if defined(CURVE25519_SMALL) || defined(ED25519_SMALL)
#define F25519_SIZE 32 #define F25519_SIZE 32
typedef byte fe[32];
#elif defined(HAVE___UINT128_T) WOLFSSL_LOCAL void lm_copy(byte*, const byte*);
WOLFSSL_LOCAL void lm_add(byte*, const byte*, const byte*);
WOLFSSL_LOCAL void lm_sub(byte*, const byte*, const byte*);
WOLFSSL_LOCAL void lm_neg(byte*,const byte*);
WOLFSSL_LOCAL void lm_invert(byte*, const byte*);
WOLFSSL_LOCAL void lm_mul(byte*,const byte*,const byte*);
#endif
#if !defined(FREESCALE_LTC_ECC)
WOLFSSL_LOCAL int curve25519(byte * q, byte * n, byte * p);
#endif
/* default to be faster but take more memory */
#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL)
#if defined(HAVE___UINT128_T)
typedef int64_t fe[5]; typedef int64_t fe[5];
#else #else
typedef int32_t fe[10]; typedef int32_t fe[10];
#endif #endif
#if! defined FREESCALE_LTC_ECC
WOLFSSL_LOCAL int curve25519(byte * q, byte * n, byte * p);
#endif
WOLFSSL_LOCAL void fe_copy(fe, const fe); WOLFSSL_LOCAL void fe_copy(fe, const fe);
WOLFSSL_LOCAL void fe_add(fe, const fe, const fe); WOLFSSL_LOCAL void fe_add(fe, const fe, const fe);
WOLFSSL_LOCAL void fe_neg(fe,const fe); WOLFSSL_LOCAL void fe_neg(fe,const fe);
@ -59,8 +72,6 @@ WOLFSSL_LOCAL void fe_sub(fe, const fe, const fe);
WOLFSSL_LOCAL void fe_invert(fe, const fe); WOLFSSL_LOCAL void fe_invert(fe, const fe);
WOLFSSL_LOCAL void fe_mul(fe,const fe,const fe); WOLFSSL_LOCAL void fe_mul(fe,const fe,const fe);
/* default to be faster but take more memory */
#ifndef CURVED25519_SMALL
/* Based On Daniel J Bernstein's curve25519 and ed25519 Public Domain ref10 /* Based On Daniel J Bernstein's curve25519 and ed25519 Public Domain ref10
work. */ work. */
@ -81,11 +92,11 @@ WOLFSSL_LOCAL void fe_pow22523(fe,const fe);
/* 64 type needed for SHA512 */ /* 64 type needed for SHA512 */
WOLFSSL_LOCAL uint64_t load_3(const unsigned char *in); WOLFSSL_LOCAL uint64_t load_3(const unsigned char *in);
WOLFSSL_LOCAL uint64_t load_4(const unsigned char *in); WOLFSSL_LOCAL uint64_t load_4(const unsigned char *in);
#endif /* not defined CURVED25519_SMALL */ #endif /* !CURVE25519_SMALL */
/* Use less memory and only 32bit types or less, but is slower /* Use less memory and only 32bit types or less, but is slower
Based on Daniel Beer's public domain work. */ Based on Daniel Beer's public domain work. */
#ifdef CURVED25519_SMALL #if defined(CURVE25519_SMALL) || defined(ED25519_SMALL)
static const byte c25519_base_x[F25519_SIZE] = {9}; static const byte c25519_base_x[F25519_SIZE] = {9};
static const byte f25519_zero[F25519_SIZE] = {0}; static const byte f25519_zero[F25519_SIZE] = {0};
static const byte f25519_one[F25519_SIZE] = {1}; static const byte f25519_one[F25519_SIZE] = {1};
@ -131,7 +142,8 @@ WOLFSSL_LOCAL void fprime_sub(byte *r, const byte *a, const byte *modulus);
WOLFSSL_LOCAL void fprime_mul(byte *r, const byte *a, const byte *b, WOLFSSL_LOCAL void fprime_mul(byte *r, const byte *a, const byte *b,
const byte *modulus); const byte *modulus);
WOLFSSL_LOCAL void fprime_copy(byte *x, const byte *a); WOLFSSL_LOCAL void fprime_copy(byte *x, const byte *a);
#endif /* CURVED25519_SMALL */
#endif /* HAVE_CURVE25519 or HAVE_ED25519 */
#endif /* WOLF_CRYPT_FE_OPERATIONS_H */
#endif /* CURVE25519_SMALL || ED25519_SMALL */
#endif /* HAVE_CURVE25519 || HAVE_ED25519 */
#endif /* WOLF_CRYPT_FE_OPERATIONS_H */

57
wolfssl/wolfcrypt/ge_operations.h
View File

@ -29,7 +29,7 @@
#ifdef HAVE_ED25519 #ifdef HAVE_ED25519
#ifndef CURVED25519_SMALL #ifndef ED25519_SMALL
#include <stdint.h> #include <stdint.h>
#endif #endif
#include <wolfssl/wolfcrypt/fe_operations.h> #include <wolfssl/wolfcrypt/fe_operations.h>
@ -48,20 +48,28 @@ Representations:
ge_precomp (Duif): (y+x,y-x,2dxy) ge_precomp (Duif): (y+x,y-x,2dxy)
*/ */
#ifdef ED25519_SMALL
typedef byte ge[F25519_SIZE];
#elif defined(HAVE___UINT128_T)
typedef int64_t ge[5];
#else
typedef int32_t ge[10];
#endif
typedef struct { typedef struct {
fe X; ge X;
fe Y; ge Y;
fe Z; ge Z;
} ge_p2; } ge_p2;
typedef struct { typedef struct {
fe X; ge X;
fe Y; ge Y;
fe Z; ge Z;
fe T; ge T;
} ge_p3; } ge_p3;
WOLFSSL_LOCAL int ge_compress_key(byte* out, const byte* xIn, const byte* yIn, WOLFSSL_LOCAL int ge_compress_key(byte* out, const byte* xIn, const byte* yIn,
word32 keySz); word32 keySz);
WOLFSSL_LOCAL int ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *); WOLFSSL_LOCAL int ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *);
@ -75,25 +83,26 @@ WOLFSSL_LOCAL void sc_muladd(byte* s, const byte* a, const byte* b,
WOLFSSL_LOCAL void ge_tobytes(unsigned char *,const ge_p2 *); WOLFSSL_LOCAL void ge_tobytes(unsigned char *,const ge_p2 *);
WOLFSSL_LOCAL void ge_p3_tobytes(unsigned char *,const ge_p3 *); WOLFSSL_LOCAL void ge_p3_tobytes(unsigned char *,const ge_p3 *);
#ifndef CURVED25519_SMALL
#ifndef ED25519_SMALL
typedef struct { typedef struct {
fe X; ge X;
fe Y; ge Y;
fe Z; ge Z;
fe T; ge T;
} ge_p1p1; } ge_p1p1;
typedef struct { typedef struct {
fe yplusx; ge yplusx;
fe yminusx; ge yminusx;
fe xy2d; ge xy2d;
} ge_precomp; } ge_precomp;
typedef struct { typedef struct {
fe YplusX; ge YplusX;
fe YminusX; ge YminusX;
fe Z; ge Z;
fe T2d; ge T2d;
} ge_cached; } ge_cached;
WOLFSSL_LOCAL void ge_p2_0(ge_p2 *); WOLFSSL_LOCAL void ge_p2_0(ge_p2 *);
@ -110,7 +119,9 @@ WOLFSSL_LOCAL void ge_madd(ge_p1p1 *,const ge_p3 *,const ge_precomp *);
WOLFSSL_LOCAL void ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *); WOLFSSL_LOCAL void ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *);
WOLFSSL_LOCAL void ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *); WOLFSSL_LOCAL void ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *);
WOLFSSL_LOCAL void ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *); WOLFSSL_LOCAL void ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *);
#endif /* no CURVED25519_SMALL */
#endif /* HAVE_ED25519 */
#endif /* WOLF_CRYPT_GE_OPERATIONS_H */
#endif /* !ED25519_SMALL */
#endif /* HAVE_ED25519 */
#endif /* WOLF_CRYPT_GE_OPERATIONS_H */

6
wolfssl/wolfcrypt/settings.h
View File

@ -1574,6 +1574,12 @@ extern void uITRON4_free(void *p) ;
#define SSL_CTRL_SET_TLSEXT_HOSTNAME #define SSL_CTRL_SET_TLSEXT_HOSTNAME
#endif #endif
/* both CURVE and ED small math should be enabled */
#ifdef CURVED25519_SMALL
#define CURVE25519_SMALL
#define ED25519_SMALL
#endif
#ifdef __cplusplus #ifdef __cplusplus
} /* extern "C" */ } /* extern "C" */
#endif #endif