feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #975 from dgarske/ed_curve_small

Browse Source 
Allow different Ed25519/Curve25519 math versions
This commit is contained in:
toddouska
2017-06-21 13:00:33 -07:00
committed by GitHub
parent 64873489ef 3e06beac19
commit cd570a01f2
16 changed files with 257 additions and 187 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
configure.ac
View File

@ -1088,7 +1088,8 @@ fi
# for using memory optimization setting on both curve25519 and ed25519
ENABLED_CURVED25519_SMALL=no
ENABLED_CURVE25519_SMALL=no
ENABLED_ED25519_SMALL=no
# CURVE25519
AC_ARG_ENABLE([curve25519],
@ -1105,8 +1106,8 @@ fi
if test "$ENABLED_CURVE25519" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DCURVED25519_SMALL"
ENABLED_CURVED25519_SMALL=yes
AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL"
ENABLED_CURVE25519_SMALL=yes
ENABLED_CURVE25519=yes
fi
@ -1118,7 +1119,7 @@ fi
AM_CONDITIONAL([BUILD_CURVE25519], [test "x$ENABLED_CURVE25519" = "xyes"])
AM_CONDITIONAL([BUILD_CURVE25519_SMALL], [test "x$ENABLED_CURVE25519_SMALL" = "xyes"])
# ED25519
AC_ARG_ENABLE([ed25519],
@ -1135,8 +1136,8 @@ fi
if test "$ENABLED_ED25519" = "small"
then
AM_CFLAGS="$AM_CFLAGS -DCURVED25519_SMALL"
ENABLED_CURVED25519_SMALL=yes
AM_CFLAGS="$AM_CFLAGS -DED25519_SMALL"
ENABLED_ED25519_SMALL=yes
ENABLED_ED25519=yes
fi
@ -1152,7 +1153,7 @@ then
fi
AM_CONDITIONAL([BUILD_ED25519], [test "x$ENABLED_ED25519" = "xyes"])
AM_CONDITIONAL([BUILD_CURVED25519_SMALL], [test "x$ENABLED_CURVED25519_SMALL" = "xyes"])
AM_CONDITIONAL([BUILD_ED25519_SMALL], [test "x$ENABLED_ED25519_SMALL" = "xyes"])
AM_CONDITIONAL([BUILD_FEMATH], [test "x$ENABLED_FEMATH" = "xyes"])
AM_CONDITIONAL([BUILD_GEMATH], [test "x$ENABLED_GEMATH" = "xyes"])

4
examples/client/client.c
View File

@ -1559,7 +1559,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("DisableExtendedMasterSecret failed");
}
#endif
#ifdef HAVE_CURVE25519
#if defined(HAVE_CURVE25519) && defined(HAVE_SUPPORTED_CURVES)
if (useX25519) {
if (wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ECC_X25519)
!= SSL_SUCCESS) {
@ -1570,7 +1570,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("unable to support secp256r1");
}
}
#endif
#endif /* HAVE_CURVE25519 && HAVE_SUPPORTED_CURVES */
if (benchmark) {
((func_args*)args)->return_code =

10
src/include.am
View File

@ -228,7 +228,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/ed25519.c
endif
if BUILD_FEMATH
if BUILD_CURVED25519_SMALL
if BUILD_CURVE25519_SMALL
src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_low_mem.c
else
src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_operations.c
@ -236,10 +236,16 @@ endif
endif
if BUILD_GEMATH
if BUILD_CURVED25519_SMALL
if BUILD_ED25519_SMALL
src_libwolfssl_la_SOURCES += wolfcrypt/src/ge_low_mem.c
if !BUILD_CURVE25519_SMALL
src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_low_mem.c
endif
else
src_libwolfssl_la_SOURCES += wolfcrypt/src/ge_operations.c
if BUILD_CURVE25519_SMALL
src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_operations.c
endif
endif
endif

64
src/internal.c
View File

@ -3429,6 +3429,7 @@ int EccMakeKey(WOLFSSL* ssl, ecc_key* key, ecc_key* peer)
return ret;
}
#endif /* HAVE_ECC */
#ifdef HAVE_ED25519
/* Sign the data using EdDSA and key using X25519.
@ -3640,7 +3641,7 @@ static int X25519MakeKey(WOLFSSL* ssl, curve25519_key* key,
return ret;
}
#endif /* HAVE_CURVE25519 */
#endif /* HAVE_ECC */
#endif /* !NO_CERTS */
#if !defined(NO_CERTS) || !defined(NO_PSK)
@ -17906,7 +17907,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
}
break;
#endif /* !NO_DH && !NO_PSK */
#if defined(HAVE_ECC) && !defined(NO_PSK)
#if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && !defined(NO_PSK)
case ecdhe_psk_kea:
/* sanity check that PSK client callback has been set */
if (ssl->options.client_psk_cb == NULL) {
@ -17963,7 +17964,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, ssl->peerEccKey);
break;
#endif /* HAVE_ECC && !NO_PSK */
#endif /* (HAVE_ECC || HAVE_CURVE25519) && !NO_PSK */
#ifdef HAVE_NTRU
case ntru_kea:
if (ssl->peerNtruKeyPresent == 0) {
@ -17971,10 +17972,12 @@ int SendClientKeyExchange(WOLFSSL* ssl)
}
break;
#endif /* HAVE_NTRU */
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
case ecc_diffie_hellman_kea:
{
#ifdef HAVE_ECC
ecc_key* peerKey;
#endif
#ifdef HAVE_PK_CALLBACKS
/* if callback then use it for shared secret */
@ -18007,8 +18010,8 @@ int SendClientKeyExchange(WOLFSSL* ssl)
ssl->peerX25519Key);
break;
}
else
#endif
#ifdef HAVE_ECC
if (ssl->specs.static_ecdh) {
/* TODO: EccDsa is really fixed Ecc change naming */
if (!ssl->peerEccDsaKey ||
@ -18037,10 +18040,11 @@ int SendClientKeyExchange(WOLFSSL* ssl)
}
ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, peerKey);
#endif
break;
}
#endif /* HAVE_ECC */
#endif /* HAVE_ECC || HAVE_CURVE25519 */
default:
ret = BAD_KEA_TYPE_E;
@ -18206,7 +18210,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
break;
}
#endif /* !NO_DH && !NO_PSK */
#if defined(HAVE_ECC) && !defined(NO_PSK)
#if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && !defined(NO_PSK)
case ecdhe_psk_kea:
{
word32 esSz = 0;
@ -18291,7 +18295,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
break;
}
#endif /* HAVE_NTRU */
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
case ecc_diffie_hellman_kea:
{
ssl->arrays->preMasterSz = ENCRYPT_LEN;
@ -18316,6 +18320,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
break;
}
#endif
#ifdef HAVE_ECC
#ifdef HAVE_PK_CALLBACKS
/* if callback then use it for shared secret */
if (ssl->ctx->EccSharedSecretCb != NULL) {
@ -18329,9 +18334,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
if (ret != 0) {
ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
}
#endif /* HAVE_ECC */
break;
}
#endif /* HAVE_ECC */
#endif /* HAVE_ECC || HAVE_CURVE25519 */
default:
ret = BAD_KEA_TYPE_E;
@ -18400,7 +18406,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
break;
}
#endif /* !NO_DH && !NO_PSK */
#if defined(HAVE_ECC) && !defined(NO_PSK)
#if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && !defined(NO_PSK)
case ecdhe_psk_kea:
{
#ifdef HAVE_CURVE25519
@ -18434,7 +18440,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
);
break;
}
#endif /* HAVE_ECC && !NO_PSK */
#endif /* (HAVE_ECC || HAVE_CURVE25519) && !NO_PSK */
#ifdef HAVE_NTRU
case ntru_kea:
{
@ -18459,10 +18465,12 @@ int SendClientKeyExchange(WOLFSSL* ssl)
break;
}
#endif /* HAVE_NTRU */
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
case ecc_diffie_hellman_kea:
{
#ifdef HAVE_ECC
ecc_key* peerKey;
#endif
#ifdef HAVE_CURVE25519
if (ssl->peerX25519KeyPresent) {
@ -18481,6 +18489,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
break;
}
#endif
#ifdef HAVE_ECC
peerKey = (ssl->specs.static_ecdh) ?
ssl->peerEccDsaKey : ssl->peerEccKey;
@ -18496,10 +18505,11 @@ int SendClientKeyExchange(WOLFSSL* ssl)
NULL
#endif
);
#endif
break;
}
#endif /* HAVE_ECC */
#endif /* HAVE_ECC || HAVE_CURVE25519 */
default:
ret = BAD_KEA_TYPE_E;
@ -19968,7 +19978,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
case ecdhe_psk_kea:
/* Fall through to create temp ECC key */
#endif /* HAVE_ECC && !NO_PSK */
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
case ecc_diffie_hellman_kea:
{
#ifdef HAVE_CURVE25519
@ -19993,6 +20003,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
break;
}
#endif
#ifdef HAVE_ECC
/* need ephemeral key now, create it if missing */
if (ssl->eccTempKey == NULL) {
/* alloc/init on demand */
@ -20011,9 +20022,10 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->eccTempKeyPresent = 1;
}
}
#endif
break;
}
#endif /* HAVE_ECC */
#endif /* HAVE_ECC || HAVE_CURVE25519 */
default:
/* Skip ServerKeyExchange */
goto exit_sske;
@ -23079,9 +23091,10 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
break;
}
#endif /* HAVE_NTRU */
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
case ecc_diffie_hellman_kea:
{
#ifdef HAVE_ECC
ecc_key* private_key = ssl->eccTempKey;
/* handle static private key */
@ -23109,6 +23122,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
}
}
#endif
/* import peer ECC key */
if ((args->idx - args->begin) + OPAQUE8_LEN > size) {
@ -23162,6 +23176,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
break;
}
#endif
#ifdef HAVE_ECC
#ifdef HAVE_PK_CALLBACKS
/* if callback then use it for shared secret */
if (ssl->ctx->EccSharedSecretCb != NULL) {
@ -23197,13 +23212,14 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
ssl->peerEccKeyPresent = 1;
#endif /* HAVE_ECC */
if (ret != 0) {
goto exit_dcke;
}
break;
}
#endif /* HAVE_ECC */
#endif /* HAVE_ECC || HAVE_CURVE25519 */
#ifndef NO_DH
case diffie_hellman_kea:
{
@ -23290,7 +23306,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
break;
}
#endif /* !NO_DH && !NO_PSK */
#if defined(HAVE_ECC) && !defined(NO_PSK)
#if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && !defined(NO_PSK)
case ecdhe_psk_kea:
{
word16 clientSz;
@ -23406,7 +23422,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->peerEccKeyPresent = 1;
break;
}
#endif /* HAVE_ECC && !NO_PSK */
#endif /* (HAVE_ECC || HAVE_CURVE25519) && !NO_PSK */
default:
ret = BAD_KEA_TYPE_E;
} /* switch (ssl->specs.kea) */
@ -23457,7 +23473,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
break;
}
#endif /* HAVE_NTRU */
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
case ecc_diffie_hellman_kea:
{
void* private_key = ssl->eccTempKey;
@ -23480,6 +23496,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
break;
}
#endif
#ifdef HAVE_ECC
if (ssl->specs.static_ecdh) {
private_key = ssl->hsKey;
}
@ -23497,9 +23514,10 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
NULL
#endif
);
#endif
break;
}
#endif /* HAVE_ECC */
#endif /* HAVE_ECC || HAVE_CURVE25519 */
#ifndef NO_DH
case diffie_hellman_kea:
{
@ -23526,7 +23544,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
break;
}
#endif /* !NO_DH && !NO_PSK */
#if defined(HAVE_ECC) && !defined(NO_PSK)
#if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && !defined(NO_PSK)
case ecdhe_psk_kea:
{
#ifdef HAVE_CURVE25519
@ -23562,7 +23580,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
);
break;
}
#endif /* HAVE_ECC && !NO_PSK */
#endif /* (HAVE_ECC || HAVE_CURVE25519) && !NO_PSK */
default:
ret = BAD_KEA_TYPE_E;
} /* switch (ssl->specs.kea) */

1
wolfcrypt/src/curve25519.c
View File

@ -250,7 +250,6 @@ int wc_curve25519_import_public_ex(const byte* in, word32 inLen,
key->dp = &curve25519_sets[0];
/* LTC needs also Y coordinate - let's compute it */
#ifdef FREESCALE_LTC_ECC
ltc_pkha_ecc_point_t ltcPoint;

49
wolfcrypt/src/fe_low_mem.c
View File

@ -28,8 +28,8 @@
#include <wolfssl/wolfcrypt/settings.h>
#if defined(CURVED25519_SMALL) /* use slower code that takes less memory */
#if defined(HAVE_ED25519) || defined(HAVE_CURVE25519)
#if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
#if defined(CURVE25519_SMALL) || defined(ED25519_SMALL) /* use slower code that takes less memory */
#include <wolfssl/wolfcrypt/fe_operations.h>
@ -49,7 +49,7 @@ void fprime_copy(byte *x, const byte *a)
}
void fe_copy(fe x, const fe a)
void lm_copy(byte* x, const byte* a)
{
int i;
for (i = 0; i < F25519_SIZE; i++)
@ -57,6 +57,7 @@ void fe_copy(fe x, const fe a)
}
#ifdef CURVE25519_SMALL
/* Double an X-coordinate */
static void xc_double(byte *x3, byte *z3,
const byte *x1, const byte *z1)
@ -77,12 +78,12 @@ static void xc_double(byte *x3, byte *z3,
fe_mul__distinct(z1sq, z1, z1);
fe_mul__distinct(x1z1, x1, z1);
fe_sub(a, x1sq, z1sq);
lm_sub(a, x1sq, z1sq);
fe_mul__distinct(x3, a, a);
fe_mul_c(a, x1z1, 486662);
fe_add(a, x1sq, a);
fe_add(a, z1sq, a);
lm_add(a, x1sq, a);
lm_add(a, z1sq, a);
fe_mul__distinct(x1sq, x1z1, a);
fe_mul_c(z3, x1sq, 4);
}
@ -113,19 +114,19 @@ static void xc_diffadd(byte *x5, byte *z5,
byte a[F25519_SIZE];
byte b[F25519_SIZE];
fe_add(a, x2, z2);
fe_sub(b, x3, z3); /* D */
lm_add(a, x2, z2);
lm_sub(b, x3, z3); /* D */
fe_mul__distinct(da, a, b);
fe_sub(b, x2, z2);
fe_add(a, x3, z3); /* C */
lm_sub(b, x2, z2);
lm_add(a, x3, z3); /* C */
fe_mul__distinct(cb, a, b);
fe_add(a, da, cb);
lm_add(a, da, cb);
fe_mul__distinct(b, a, a);
fe_mul__distinct(x5, z1, b);
fe_sub(a, da, cb);
lm_sub(a, da, cb);
fe_mul__distinct(b, a, a);
fe_mul__distinct(z5, x1, b);
}
@ -144,7 +145,7 @@ int curve25519(byte *result, byte *e, byte *q)
int i;
/* Note: bit 254 is assumed to be 1 */
fe_copy(xm, q);
lm_copy(xm, q);
for (i = 253; i >= 0; i--) {
const int bit = (e[i >> 3] >> (i & 7)) & 1;
@ -175,6 +176,8 @@ int curve25519(byte *result, byte *e, byte *q)
return 0;
}
#endif /* !FREESCALE_LTC_ECC */
#endif /* CURVE25519_SMALL */
static void raw_add(byte *x, const byte *p)
{
@ -346,7 +349,7 @@ void fe_select(byte *dst,
}
void fe_add(fe r, const fe a, const fe b)
void lm_add(byte* r, const byte* a, const byte* b)
{
word16 c = 0;
int i;
@ -370,7 +373,7 @@ void fe_add(fe r, const fe a, const fe b)
}
void fe_sub(fe r, const fe a, const fe b)
void lm_sub(byte* r, const byte* a, const byte* b)
{
word32 c = 0;
int i;
@ -395,7 +398,7 @@ void fe_sub(fe r, const fe a, const fe b)
}
void fe_neg(fe r, const fe a)
void lm_neg(byte* r, const byte* a)
{
word32 c = 0;
int i;
@ -450,12 +453,12 @@ void fe_mul__distinct(byte *r, const byte *a, const byte *b)
}
void fe_mul(fe r, const fe a, const fe b)
void lm_mul(byte *r, const byte* a, const byte *b)
{
byte tmp[F25519_SIZE];
fe_mul__distinct(tmp, a, b);
fe_copy(r, tmp);
lm_copy(r, tmp);
}
@ -533,12 +536,12 @@ void fe_inv__distinct(byte *r, const byte *x)
}
void fe_invert(fe r, const fe x)
void lm_invert(byte *r, const byte *x)
{
byte tmp[F25519_SIZE];
fe_inv__distinct(tmp, x);
fe_copy(r, tmp);
lm_copy(r, tmp);
}
@ -588,12 +591,12 @@ void fe_sqrt(byte *r, const byte *a)
fe_mul__distinct(y, v, v);
fe_mul__distinct(i, x, y);
fe_load(y, 1);
fe_sub(i, i, y);
lm_sub(i, i, y);
/* r = avi */
fe_mul__distinct(x, v, a);
fe_mul__distinct(r, x, i);
}
#endif /* HAVE_CURVE25519 or HAVE_ED25519 */
#endif /* CURVED25519_SMALL */
#endif /* CURVE25519_SMALL || ED25519_SMALL */
#endif /* HAVE_CURVE25519 || HAVE_ED25519 */

20
wolfcrypt/src/fe_operations.c
View File

@ -28,8 +28,8 @@
#include <wolfssl/wolfcrypt/settings.h>
#ifndef CURVED25519_SMALL /* run when not defined to use small memory math */
#if defined(HAVE_ED25519) || defined(HAVE_CURVE25519)
#if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL) /* run when not defined to use small memory math */
#include <wolfssl/wolfcrypt/fe_operations.h>
#include <stdint.h>
@ -44,6 +44,8 @@
#ifdef HAVE___UINT128_T
#include "fe_x25519_128.i"
#else
#ifdef HAVE_CURVE25519
/*
fe means field element.
Here the field is \Z/(2^255-19).
@ -71,7 +73,7 @@ uint64_t load_4(const unsigned char *in)
result |= ((uint64_t) in[3]) << 24;
return result;
}
#endif
/*
h = 1
@ -110,7 +112,8 @@ void fe_0(fe h)
h[9] = 0;
}
#ifndef FREESCALE_LTC_ECC
#if defined(HAVE_CURVE25519) && !defined(CURVE25519_SMALL) && \
!defined(FREESCALE_LTC_ECC)
int curve25519(byte* q, byte* n, byte* p)
{
#if 0
@ -186,7 +189,8 @@ int curve25519(byte* q, byte* n, byte* p)
return 0;
}
#endif /* !FREESCALE_LTC_ECC */
#endif /* HAVE_CURVE25519 && !CURVE25519_SMALL && !FREESCALE_LTC_ECC */
/*
h = f * f
@ -569,6 +573,7 @@ void fe_sub(fe h,const fe f,const fe g)
}
#ifdef HAVE_CURVE25519
/*
Ignores top bit of h.
*/
@ -619,6 +624,7 @@ void fe_frombytes(fe h,const unsigned char *s)
h[8] = (int32_t)h8;
h[9] = (int32_t)h9;
}
#endif
void fe_invert(fe out,const fe z)
@ -1411,6 +1417,6 @@ void fe_cmov(fe f, const fe g, int b)
f[9] = f9 ^ x9;
}
#endif
#endif /* HAVE ED25519 or CURVE25519 */
#endif /* not defined CURVED25519_SMALL */
#endif /* !CURVE25519_SMALL || !ED25519_SMALL */
#endif /* HAVE_CURVE25519 || HAVE_ED25519 */

2
wolfcrypt/src/fe_x25519_128.i
View File

@ -389,6 +389,7 @@ void fe_invert(fe r, const fe a)
fe_sq(t1, t1); for (i = 1; i < 5; ++i) fe_sq(t1, t1); fe_mul( r, t1, t0);
}
#ifndef CURVE25519_SMALL
/* Scalar multiply the field element a by n using Montgomery Ladder and places
* result in r.
*
@ -447,6 +448,7 @@ int curve25519(byte* r, byte* n, byte* a)
return 0;
}
#endif /* !CURVE25519_SMALL */
/* The field element value 0 as an array of bytes. */
static const unsigned char zero[32] = {0};

71
wolfcrypt/src/ge_low_mem.c
View File

@ -28,8 +28,8 @@
#include <wolfssl/wolfcrypt/settings.h>
#if defined(CURVED25519_SMALL) /* use slower code that takes less memory */
#if defined(HAVE_ED25519)
#ifdef HAVE_ED25519
#ifdef ED25519_SMALL /* use slower code that takes less memory */
#include <wolfssl/wolfcrypt/ge_operations.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
@ -77,10 +77,10 @@ int ge_compress_key(byte* out, const byte* xIn, const byte* yIn,
byte pt[32];
int i;
fe_copy(tmp, xIn);
lm_copy(tmp, xIn);
parity = (tmp[0] & 1) << 7;
fe_copy(pt, yIn);
lm_copy(pt, yIn);
pt[31] |= parity;
for(i = 0; i < 32; i++) {
@ -301,13 +301,13 @@ void ed25519_add(ge_p3 *r,
byte h[F25519_SIZE];
/* A = (Y1-X1)(Y2-X2) */
fe_sub(c, p1->Y, p1->X);
fe_sub(d, p2->Y, p2->X);
lm_sub(c, p1->Y, p1->X);
lm_sub(d, p2->Y, p2->X);
fe_mul__distinct(a, c, d);
/* B = (Y1+X1)(Y2+X2) */
fe_add(c, p1->Y, p1->X);
fe_add(d, p2->Y, p2->X);
lm_add(c, p1->Y, p1->X);
lm_add(d, p2->Y, p2->X);
fe_mul__distinct(b, c, d);
/* C = T1 k T2 */
@ -316,19 +316,19 @@ void ed25519_add(ge_p3 *r,
/* D = Z1 2 Z2 */
fe_mul__distinct(d, p1->Z, p2->Z);
fe_add(d, d, d);
lm_add(d, d, d);
/* E = B - A */
fe_sub(e, b, a);
lm_sub(e, b, a);
/* F = D - C */
fe_sub(f, d, c);
lm_sub(f, d, c);
/* G = D + C */
fe_add(g, d, c);
lm_add(g, d, c);
/* H = B + A */
fe_add(h, b, a);
lm_add(h, b, a);
/* X3 = E F */
fe_mul__distinct(r->X, e, f);
@ -379,24 +379,24 @@ void ed25519_double(ge_p3 *r, const ge_p3 *p)
/* C = 2 Z1^2 */
fe_mul__distinct(c, p->Z, p->Z);
fe_add(c, c, c);
lm_add(c, c, c);
/* D = a A (alter sign) */
/* E = (X1+Y1)^2-A-B */
fe_add(f, p->X, p->Y);
lm_add(f, p->X, p->Y);
fe_mul__distinct(e, f, f);
fe_sub(e, e, a);
fe_sub(e, e, b);
lm_sub(e, e, a);
lm_sub(e, e, b);
/* G = D + B */
fe_sub(g, b, a);
lm_sub(g, b, a);
/* F = G - C */
fe_sub(f, g, c);
lm_sub(f, g, c);
/* H = D - B */
fe_neg(h, b);
fe_sub(h, h, a);
lm_neg(h, b);
lm_sub(h, h, a);
/* X3 = E F */
fe_mul__distinct(r->X, e, f);
@ -457,7 +457,7 @@ void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
fe_normalize(y);
parity = (x[0] & 1) << 7;
fe_copy(s, y);
lm_copy(s, y);
fe_normalize(s);
s[31] |= parity;
}
@ -479,7 +479,7 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h)
fe_normalize(y);
parity = (x[0] & 1) << 7;
fe_copy(s, y);
lm_copy(s, y);
fe_normalize(s);
s[31] |= parity;
}
@ -502,17 +502,17 @@ int ge_frombytes_negate_vartime(ge_p3 *p,const unsigned char *s)
/* unpack the key s */
parity = s[31] >> 7;
fe_copy(y, s);
lm_copy(y, s);
y[31] &= 127;
fe_mul__distinct(c, y, y);
fe_mul__distinct(b, c, ed25519_d);
fe_add(a, b, f25519_one);
lm_add(a, b, f25519_one);
fe_inv__distinct(b, a);
fe_sub(a, c, f25519_one);
lm_sub(a, c, f25519_one);
fe_mul__distinct(c, a, b);
fe_sqrt(a, c);
fe_neg(b, a);
lm_neg(b, a);
fe_select(x, a, b, (a[0] ^ parity) & 1);
/* test that x^2 is equal to c */
@ -522,14 +522,14 @@ int ge_frombytes_negate_vartime(ge_p3 *p,const unsigned char *s)
ret |= ConstantCompare(a, c, F25519_SIZE);
/* project the key s onto p */
fe_copy(p->X, x);
fe_copy(p->Y, y);
lm_copy(p->X, x);
lm_copy(p->Y, y);
fe_load(p->Z, 1);
fe_mul__distinct(p->T, x, y);
/* negate, the point becomes (-X,Y,Z,-T) */
fe_neg(p->X,p->X);
fe_neg(p->T,p->T);
lm_neg(p->X,p->X);
lm_neg(p->T,p->T);
return ret;
}
@ -552,13 +552,12 @@ int ge_double_scalarmult_vartime(ge_p2* R, const unsigned char *h,
/* SB + -H(R,A,M)A */
ed25519_add(&A, &p, &A);
fe_copy(R->X, A.X);
fe_copy(R->Y, A.Y);
fe_copy(R->Z, A.Z);
lm_copy(R->X, A.X);
lm_copy(R->Y, A.Y);
lm_copy(R->Z, A.Z);
return ret;
}
#endif /* ED25519_SMALL */
#endif /* HAVE_ED25519 */
#endif /* CURVED25519_SMALL */

54
wolfcrypt/src/ge_operations.c
View File

@ -29,8 +29,8 @@
#include <wolfssl/wolfcrypt/settings.h>
#ifndef CURVED25519_SMALL /* run when not defined to use small memory math */
#ifdef HAVE_ED25519
#ifndef ED25519_SMALL /* run when not defined to use small memory math */
#include <wolfssl/wolfcrypt/ge_operations.h>
#include <wolfssl/wolfcrypt/ed25519.h>
@ -45,7 +45,7 @@
/*
ge means group element.
Here the group is the set of pairs (x,y) of field elements (see fe.h)
Here the group is the set of pairs (x,y) of field elements (see ge_operations.h)
satisfying -x^2 + y^2 = 1 + d x^2y^2
where d = -121665/121666.
@ -691,7 +691,7 @@ void sc_muladd(byte* s, const byte* a, const byte* b, const byte* c)
int ge_compress_key(byte* out, const byte* xIn, const byte* yIn, word32 keySz)
{
fe x,y,z;
ge x,y,z;
ge_p3 g;
byte bArray[ED25519_KEY_SIZE];
word32 i;
@ -721,7 +721,7 @@ r = p + q
*/
void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
{
fe t0;
ge t0;
fe_add(r->X,p->Y,p->X);
fe_sub(r->Y,p->Y,p->X);
fe_mul(r->Z,r->X,q->YplusX);
@ -3720,12 +3720,12 @@ int ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a,
}
#ifdef HAVE___UINT128_T
static const fe d = {
static const ge d = {
0x34dca135978a3, 0x1a8283b156ebd, 0x5e7a26001c029, 0x739c663a03cbb,
0x52036cee2b6ff
};
#else
static const fe d = {
static const ge d = {
-10913610,13857413,-15372611,6949391,114729,
-8787816,-6275908,-3247719,-18696448,-12055116
} ;
@ -3733,12 +3733,12 @@ static const fe d = {
#ifdef HAVE___UINT128_T
static const fe sqrtm1 = {
static const ge sqrtm1 = {
0x61b274a0ea0b0, 0x0d5a5fc8f189d, 0x7ef5e9cbd0c60, 0x78595a6804c9e,
0x2b8324804fc1d
};
#else
static const fe sqrtm1 = {
static const ge sqrtm1 = {
-32595792,-7943725,9377950,3500415,12389472,
-272473,-25146209,-2005654,326686,11406482
} ;
@ -3747,11 +3747,11 @@ static const fe sqrtm1 = {
int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
{
fe u;
fe v;
fe v3;
fe vxx;
fe check;
ge u;
ge v;
ge v3;
ge vxx;
ge check;
fe_frombytes(h->Y,s);
fe_1(h->Z);
@ -3795,7 +3795,7 @@ r = p + q
void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
{
fe t0;
ge t0;
fe_add(r->X,p->Y,p->X);
fe_sub(r->Y,p->Y,p->X);
fe_mul(r->Z,r->X,q->yplusx);
@ -3817,7 +3817,7 @@ r = p - q
void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
{
fe t0;
ge t0;
fe_add(r->X,p->Y,p->X);
fe_sub(r->Y,p->Y,p->X);
fe_mul(r->Z,r->X,q->yminusx);
@ -3877,7 +3877,7 @@ r = 2 * p
void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p)
{
fe t0;
ge t0;
fe_sq(r->X,p->X);
fe_sq(r->Z,p->Y);
fe_sq2(r->T,p->Z);
@ -3922,12 +3922,12 @@ r = p
*/
#ifdef HAVE___UINT128_T
static const fe d2 = {
static const ge d2 = {
0x69b9426b2f159, 0x35050762add7a, 0x3cf44c0038052, 0x6738cc7407977,
0x2406d9dc56dff
};
#else
static const fe d2 = {
static const ge d2 = {
-21827239,-5839606,-30745221,13898782,229458,
15978800,-12551817,-6495438,29715968,9444199
} ;
@ -3959,9 +3959,9 @@ extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p)
/* ge p3 tobytes */
void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
{
fe recip;
fe x;
fe y;
ge recip;
ge x;
ge y;
fe_invert(recip,h->Z);
fe_mul(x,h->X,recip);
@ -3987,7 +3987,7 @@ r = p - q
void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
{
fe t0;
ge t0;
fe_add(r->X,p->Y,p->X);
fe_sub(r->Y,p->Y,p->X);
fe_mul(r->Z,r->X,q->YminusX);
@ -4005,9 +4005,9 @@ void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
/* ge tobytes */
void ge_tobytes(unsigned char *s,const ge_p2 *h)
{
fe recip;
fe x;
fe y;
ge recip;
ge x;
ge y;
fe_invert(recip,h->Z);
fe_mul(x,h->X,recip);
@ -4015,6 +4015,6 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h)
fe_tobytes(s,y);
s[31] ^= fe_isnegative(x) << 7;
}
#endif /* HAVE_ED25519 */
#endif /* not defined CURVED25519_SMALL */
#endif /* !ED25519_SMALL */
#endif /* HAVE_ED25519 */

26
wolfssl/internal.h
View File

@ -1680,7 +1680,7 @@ struct WOLFSSL_CERT_MANAGER {
#ifndef NO_RSA
short minRsaKeySz; /* minimum allowed RSA key size */
#endif
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_ED25519)
short minEccKeySz; /* minimum allowed ECC key size */
#endif
};
@ -2196,7 +2196,7 @@ struct WOLFSSL_CTX {
#ifndef NO_RSA
short minRsaKeySz; /* minimum RSA key size */
#endif
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_ED25519)
short minEccKeySz; /* minimum ECC key size */
#endif
#ifdef OPENSSL_EXTRA
@ -2214,9 +2214,11 @@ struct WOLFSSL_CTX {
#endif /* WOLFSSL_DTLS */
VerifyCallback verifyCallback; /* cert verification callback */
word32 timeout; /* session timeout */
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
word32 ecdhCurveOID; /* curve Ecc_Sum */
#endif
#ifdef HAVE_ECC
word16 eccTempKeySz; /* in octets 20 - 66 */
word32 ecdhCurveOID; /* curve Ecc_Sum */
word32 pkCurveOID; /* curve Ecc_Sum */
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
@ -2803,7 +2805,7 @@ typedef struct Options {
#ifndef NO_RSA
short minRsaKeySz; /* minimum RSA key size */
#endif
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_ED25519)
short minEccKeySz; /* minimum ECC key size */
#endif
@ -3178,17 +3180,22 @@ struct WOLFSSL {
byte peerNtruKey[MAX_NTRU_PUB_KEY_SZ];
byte peerNtruKeyPresent;
#endif
#if defined(HAVE_ECC) || defined(HAVE_ED25519)
int eccVerifyRes;
#endif
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
word32 ecdhCurveOID; /* curve Ecc_Sum */
ecc_key* eccTempKey; /* private ECDHE key */
byte eccTempKeyPresent;
byte peerEccKeyPresent;
#endif
#ifdef HAVE_ECC
ecc_key* peerEccKey; /* peer's ECDHE key */
ecc_key* peerEccDsaKey; /* peer's ECDSA key */
ecc_key* eccTempKey; /* private ECDHE key */
int eccVerifyRes;
word32 pkCurveOID; /* curve Ecc_Sum */
word32 ecdhCurveOID; /* curve Ecc_Sum */
word16 eccTempKeySz; /* in octets 20 - 66 */
byte peerEccKeyPresent;
byte peerEccDsaKeyPresent;
byte eccTempKeyPresent;
#endif
#ifdef HAVE_ED25519
ed25519_key* peerEd25519Key;
byte peerEd25519KeyPresent;
@ -3197,7 +3204,6 @@ struct WOLFSSL {
curve25519_key* peerX25519Key;
byte peerX25519KeyPresent;
#endif
#endif
#ifdef HAVE_LIBZ
z_stream c_stream; /* compression stream */
z_stream d_stream; /* decompression stream */

4
wolfssl/wolfcrypt/asn.h
View File

@ -431,7 +431,7 @@ struct SignatureCtx {
byte* out;
byte* plain;
#endif
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_ED25519)
int verify;
#endif
union {
@ -565,7 +565,7 @@ struct DecodedCert {
byte* extSubjKeyIdSrc;
word32 extSubjKeyIdSz;
#endif
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_ED25519)
word32 pkCurveOID; /* Public Key's curve OID */
#endif /* HAVE_ECC */
byte* beforeDate;

44
wolfssl/wolfcrypt/fe_operations.h
View File

@ -27,9 +27,10 @@
#if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
#ifndef CURVED25519_SMALL
#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL)
#include <stdint.h>
#endif
#include <wolfssl/wolfcrypt/types.h>
/*
@ -40,18 +41,31 @@ t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
Bounds on each t[i] vary depending on context.
*/
#ifdef CURVED25519_SMALL
#if defined(CURVE25519_SMALL) || defined(ED25519_SMALL)
#define F25519_SIZE 32
typedef byte fe[32];
#elif defined(HAVE___UINT128_T)
WOLFSSL_LOCAL void lm_copy(byte*, const byte*);
WOLFSSL_LOCAL void lm_add(byte*, const byte*, const byte*);
WOLFSSL_LOCAL void lm_sub(byte*, const byte*, const byte*);
WOLFSSL_LOCAL void lm_neg(byte*,const byte*);
WOLFSSL_LOCAL void lm_invert(byte*, const byte*);
WOLFSSL_LOCAL void lm_mul(byte*,const byte*,const byte*);
#endif
#if !defined(FREESCALE_LTC_ECC)
WOLFSSL_LOCAL int curve25519(byte * q, byte * n, byte * p);
#endif
/* default to be faster but take more memory */
#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL)
#if defined(HAVE___UINT128_T)
typedef int64_t fe[5];
#else
typedef int32_t fe[10];
#endif
#if! defined FREESCALE_LTC_ECC
WOLFSSL_LOCAL int curve25519(byte * q, byte * n, byte * p);
#endif
WOLFSSL_LOCAL void fe_copy(fe, const fe);
WOLFSSL_LOCAL void fe_add(fe, const fe, const fe);
WOLFSSL_LOCAL void fe_neg(fe,const fe);
@ -59,8 +73,6 @@ WOLFSSL_LOCAL void fe_sub(fe, const fe, const fe);
WOLFSSL_LOCAL void fe_invert(fe, const fe);
WOLFSSL_LOCAL void fe_mul(fe,const fe,const fe);
/* default to be faster but take more memory */
#ifndef CURVED25519_SMALL
/* Based On Daniel J Bernstein's curve25519 and ed25519 Public Domain ref10
work. */
@ -78,14 +90,17 @@ WOLFSSL_LOCAL void fe_mul121666(fe,fe);
WOLFSSL_LOCAL void fe_cmov(fe,const fe, int);
WOLFSSL_LOCAL void fe_pow22523(fe,const fe);
#if defined(HAVE___UINT128_T)
/* 64 type needed for SHA512 */
WOLFSSL_LOCAL uint64_t load_3(const unsigned char *in);
WOLFSSL_LOCAL uint64_t load_4(const unsigned char *in);
#endif /* not defined CURVED25519_SMALL */
#endif
#endif /* !CURVE25519_SMALL || !ED25519_SMALL */
/* Use less memory and only 32bit types or less, but is slower
Based on Daniel Beer's public domain work. */
#ifdef CURVED25519_SMALL
#if defined(CURVE25519_SMALL) || defined(ED25519_SMALL)
static const byte c25519_base_x[F25519_SIZE] = {9};
static const byte f25519_zero[F25519_SIZE] = {0};
static const byte f25519_one[F25519_SIZE] = {1};
@ -131,7 +146,8 @@ WOLFSSL_LOCAL void fprime_sub(byte *r, const byte *a, const byte *modulus);
WOLFSSL_LOCAL void fprime_mul(byte *r, const byte *a, const byte *b,
const byte *modulus);
WOLFSSL_LOCAL void fprime_copy(byte *x, const byte *a);
#endif /* CURVED25519_SMALL */
#endif /* HAVE_CURVE25519 or HAVE_ED25519 */
#endif /* WOLF_CRYPT_FE_OPERATIONS_H */
#endif /* CURVE25519_SMALL || ED25519_SMALL */
#endif /* HAVE_CURVE25519 || HAVE_ED25519 */
#endif /* WOLF_CRYPT_FE_OPERATIONS_H */

58
wolfssl/wolfcrypt/ge_operations.h
View File

@ -29,9 +29,6 @@
#ifdef HAVE_ED25519
#ifndef CURVED25519_SMALL
#include <stdint.h>
#endif
#include <wolfssl/wolfcrypt/fe_operations.h>
/*
@ -48,20 +45,28 @@ Representations:
ge_precomp (Duif): (y+x,y-x,2dxy)
*/
#ifdef ED25519_SMALL
typedef byte ge[F25519_SIZE];
#elif defined(HAVE___UINT128_T)
typedef int64_t ge[5];
#else
typedef int32_t ge[10];
#endif
typedef struct {
fe X;
fe Y;
fe Z;
ge X;
ge Y;
ge Z;
} ge_p2;
typedef struct {
fe X;
fe Y;
fe Z;
fe T;
ge X;
ge Y;
ge Z;
ge T;
} ge_p3;
WOLFSSL_LOCAL int ge_compress_key(byte* out, const byte* xIn, const byte* yIn,
word32 keySz);
WOLFSSL_LOCAL int ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *);
@ -75,25 +80,26 @@ WOLFSSL_LOCAL void sc_muladd(byte* s, const byte* a, const byte* b,
WOLFSSL_LOCAL void ge_tobytes(unsigned char *,const ge_p2 *);
WOLFSSL_LOCAL void ge_p3_tobytes(unsigned char *,const ge_p3 *);
#ifndef CURVED25519_SMALL
#ifndef ED25519_SMALL
typedef struct {
fe X;
fe Y;
fe Z;
fe T;
ge X;
ge Y;
ge Z;
ge T;
} ge_p1p1;
typedef struct {
fe yplusx;
fe yminusx;
fe xy2d;
ge yplusx;
ge yminusx;
ge xy2d;
} ge_precomp;
typedef struct {
fe YplusX;
fe YminusX;
fe Z;
fe T2d;
ge YplusX;
ge YminusX;
ge Z;
ge T2d;
} ge_cached;
WOLFSSL_LOCAL void ge_p2_0(ge_p2 *);
@ -110,7 +116,9 @@ WOLFSSL_LOCAL void ge_madd(ge_p1p1 *,const ge_p3 *,const ge_precomp *);
WOLFSSL_LOCAL void ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *);
WOLFSSL_LOCAL void ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *);
WOLFSSL_LOCAL void ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *);
#endif /* no CURVED25519_SMALL */
#endif /* HAVE_ED25519 */
#endif /* WOLF_CRYPT_GE_OPERATIONS_H */
#endif /* !ED25519_SMALL */
#endif /* HAVE_ED25519 */
#endif /* WOLF_CRYPT_GE_OPERATIONS_H */

6
wolfssl/wolfcrypt/settings.h
View File

@ -1574,6 +1574,12 @@ extern void uITRON4_free(void *p) ;
#define SSL_CTRL_SET_TLSEXT_HOSTNAME
#endif
/* both CURVE and ED small math should be enabled */
#ifdef CURVED25519_SMALL
#define CURVE25519_SMALL
#define ED25519_SMALL
#endif
#ifdef __cplusplus
} /* extern "C" */
#endif