aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenys Vlasenko <vda.linux@googlemail.com>2018-11-13 02:16:24 +0100
committerDenys Vlasenko <vda.linux@googlemail.com>2018-11-13 02:17:54 +0100
commitbddb6545a982696bde417a9ae621f9e2d3c22b3d (patch)
treebacdebc4431ff1c438b41f9ae7341ef06b78ad94
parent8767c12774d9392565f20d3ea4e28bb1b6075a31 (diff)
downloadbusybox-w32-bddb6545a982696bde417a9ae621f9e2d3c22b3d.tar.gz
busybox-w32-bddb6545a982696bde417a9ae621f9e2d3c22b3d.tar.bz2
busybox-w32-bddb6545a982696bde417a9ae621f9e2d3c22b3d.zip
tls: add support for ECDHE-ECDSA-AES-128-CBC-SHA and x25519 curve
function old new delta curve25519 - 835 +835 tls_handshake 1619 1935 +316 xc_diffadd - 230 +230 fe_mul__distinct - 149 +149 lm_sub - 103 +103 lm_add - 82 +82 fe_mul_c - 74 +74 fe_select - 45 +45 static.f25519_one - 32 +32 static.basepoint9 - 32 +32 static.OID_ECDSA_KEY_ALG - 21 +21 static.OID_RSA_KEY_ALG - 13 +13 static.supported_groups - 8 +8 static.empty_client_cert - 7 +7 der_binary_to_pstm 40 42 +2 static.expected 13 - -13 ------------------------------------------------------------------------------ (add/remove: 14/1 grow/shrink: 2/0 up/down: 1949/-13) Total: 1936 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat
-rw-r--r--networking/tls.c334
-rw-r--r--networking/tls.h3
-rw-r--r--networking/tls_fe.c601
-rw-r--r--networking/tls_fe.h7
4 files changed, 865 insertions, 80 deletions
diff --git a/networking/tls.c b/networking/tls.c
index 0f637a3d7..694fbf34d 100644
--- a/networking/tls.c
+++ b/networking/tls.c
@@ -12,8 +12,9 @@
12//kbuild:lib-$(CONFIG_TLS) += tls_pstm_montgomery_reduce.o 12//kbuild:lib-$(CONFIG_TLS) += tls_pstm_montgomery_reduce.o
13//kbuild:lib-$(CONFIG_TLS) += tls_pstm_mul_comba.o 13//kbuild:lib-$(CONFIG_TLS) += tls_pstm_mul_comba.o
14//kbuild:lib-$(CONFIG_TLS) += tls_pstm_sqr_comba.o 14//kbuild:lib-$(CONFIG_TLS) += tls_pstm_sqr_comba.o
15//kbuild:lib-$(CONFIG_TLS) += tls_rsa.o
16//kbuild:lib-$(CONFIG_TLS) += tls_aes.o 15//kbuild:lib-$(CONFIG_TLS) += tls_aes.o
16//kbuild:lib-$(CONFIG_TLS) += tls_rsa.o
17//kbuild:lib-$(CONFIG_TLS) += tls_fe.o
17////kbuild:lib-$(CONFIG_TLS) += tls_aes_gcm.o 18////kbuild:lib-$(CONFIG_TLS) += tls_aes_gcm.o
18 19
19#include "tls.h" 20#include "tls.h"
@@ -57,6 +58,7 @@
57#define CIPHER_ID2 TLS_RSA_WITH_AES_128_CBC_SHA 58#define CIPHER_ID2 TLS_RSA_WITH_AES_128_CBC_SHA
58 59
59// bug #11456: host is.gd accepts only ECDHE-ECDSA-foo (the simplest which works: ECDHE-ECDSA-AES128-SHA 0xC009) 60// bug #11456: host is.gd accepts only ECDHE-ECDSA-foo (the simplest which works: ECDHE-ECDSA-AES128-SHA 0xC009)
61#define CIPHER_ID3 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
60 62
61 63
62#define TLS_DEBUG 0 64#define TLS_DEBUG 0
@@ -260,15 +262,22 @@ struct record_hdr {
260 uint8_t len16_hi, len16_lo; 262 uint8_t len16_hi, len16_lo;
261}; 263};
262 264
265enum {
266 KEY_ALG_RSA,
267 KEY_ALG_ECDSA,
268};
263struct tls_handshake_data { 269struct tls_handshake_data {
264 /* In bbox, md5/sha1/sha256 ctx's are the same structure */ 270 /* In bbox, md5/sha1/sha256 ctx's are the same structure */
265 md5sha_ctx_t handshake_hash_ctx; 271 md5sha_ctx_t handshake_hash_ctx;
266 272
267 uint8_t client_and_server_rand32[2 * 32]; 273 uint8_t client_and_server_rand32[2 * 32];
268 uint8_t master_secret[48]; 274 uint8_t master_secret[48];
275
276 smallint key_alg;
269//TODO: store just the DER key here, parse/use/delete it when sending client key 277//TODO: store just the DER key here, parse/use/delete it when sending client key
270//this way it will stay key type agnostic here. 278//this way it will stay key type agnostic here.
271 psRsaKey_t server_rsa_pub_key; 279 psRsaKey_t server_rsa_pub_key;
280 uint8_t ecc_pub_key32[32];
272 281
273 unsigned saved_client_hello_size; 282 unsigned saved_client_hello_size;
274 uint8_t saved_client_hello[1]; 283 uint8_t saved_client_hello[1];
@@ -1022,15 +1031,25 @@ static uint8_t *skip_der_item(uint8_t *der, uint8_t *end)
1022 return new_der; 1031 return new_der;
1023} 1032}
1024 1033
1034//
1035static void binary_to_pstm(pstm_int *pstm_n, uint8_t *bin_ptr, unsigned len)
1036{
1037 pstm_init_for_read_unsigned_bin(/*pool:*/ NULL, pstm_n, len);
1038 pstm_read_unsigned_bin(pstm_n, bin_ptr, len);
1039 //return bin_ptr + len;
1040}
1041//
1042
1025static void der_binary_to_pstm(pstm_int *pstm_n, uint8_t *der, uint8_t *end) 1043static void der_binary_to_pstm(pstm_int *pstm_n, uint8_t *der, uint8_t *end)
1026{ 1044{
1027 uint8_t *bin_ptr; 1045 uint8_t *bin_ptr;
1028 unsigned len = get_der_len(&bin_ptr, der, end); 1046 unsigned len = get_der_len(&bin_ptr, der, end);
1029 1047
1030 dbg_der("binary bytes:%u, first:0x%02x\n", len, bin_ptr[0]); 1048 dbg_der("binary bytes:%u, first:0x%02x\n", len, bin_ptr[0]);
1031 pstm_init_for_read_unsigned_bin(/*pool:*/ NULL, pstm_n, len); 1049 binary_to_pstm(pstm_n, bin_ptr, len);
1032 pstm_read_unsigned_bin(pstm_n, bin_ptr, len); 1050 //pstm_init_for_read_unsigned_bin(/*pool:*/ NULL, pstm_n, len);
1033 //return bin + len; 1051 //pstm_read_unsigned_bin(pstm_n, bin_ptr, len);
1052 ////return bin_ptr + len;
1034} 1053}
1035 1054
1036static void find_key_in_der_cert(tls_state_t *tls, uint8_t *der, int len) 1055static void find_key_in_der_cert(tls_state_t *tls, uint8_t *der, int len)
@@ -1113,6 +1132,18 @@ static void find_key_in_der_cert(tls_state_t *tls, uint8_t *der, int len)
1113 * publicKey (BIT STRING) 1132 * publicKey (BIT STRING)
1114 * 1133 *
1115 * We need Certificate.tbsCertificate.subjectPublicKeyInfo.publicKey 1134 * We need Certificate.tbsCertificate.subjectPublicKeyInfo.publicKey
1135 *
1136 * Example of an ECDSA key:
1137 * SEQ 0x59 bytes (subjectPublicKeyInfo): 3059
1138 * SEQ 0x13 bytes (algorithm): 3013
1139 * OID 7 bytes: 0607 2a8648ce3d0201 (OID_ECDSA_KEY_ALG 42.134.72.206.61.2.1)
1140 * OID 8 bytes: 0608 2a8648ce3d030107 (OID_EC_prime256v1 42.134.72.206.61.3.1.7)
1141 * BITSTRING 0x42 bytes (publicKey): 0342
1142 * 0004 53af f65e 50cc 7959 7e29 0171 c75c
1143 * 7335 e07d f45b 9750 b797 3a38 aebb 2ac6
1144 * 8329 2748 e77e 41cb d482 2ce6 05ec a058
1145 * f3ab d561 2f4c d845 9ad3 7252 e3de bd3b
1146 * 9012
1116 */ 1147 */
1117 uint8_t *end = der + len; 1148 uint8_t *end = der + len;
1118 1149
@@ -1147,40 +1178,61 @@ static void find_key_in_der_cert(tls_state_t *tls, uint8_t *der, int len)
1147 /* enter subjectPublicKeyInfo */ 1178 /* enter subjectPublicKeyInfo */
1148 der = enter_der_item(der, &end); 1179 der = enter_der_item(der, &end);
1149 { /* check subjectPublicKeyInfo.algorithm */ 1180 { /* check subjectPublicKeyInfo.algorithm */
1150 static const uint8_t expected[] = { 1181 static const uint8_t OID_RSA_KEY_ALG[] = {
1151 0x30,0x0d, // SEQ 13 bytes 1182 0x30,0x0d, // SEQ 13 bytes
1152 0x06,0x09, 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01, // OID RSA_KEY_ALG 42.134.72.134.247.13.1.1.1 1183 0x06,0x09, 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01, // OID RSA_KEY_ALG 42.134.72.134.247.13.1.1.1
1153 //0x05,0x00, // NULL 1184 //0x05,0x00, // NULL
1154 }; 1185 };
1155 if (memcmp(der, expected, sizeof(expected)) != 0) 1186 static const uint8_t OID_ECDSA_KEY_ALG[] = {
1156 bb_error_msg_and_die("not RSA key"); 1187 0x30,0x13, // SEQ 0x13 bytes
1188 0x06,0x07, 0x2a,0x86,0x48,0xce,0x3d,0x02,0x01, //OID_ECDSA_KEY_ALG 42.134.72.206.61.2.1
1189 0x06,0x08, 0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07, //OID_EC_prime256v1 42.134.72.206.61.3.1.7
1190 //rfc3279:
1191 //42.134.72.206.61.3 is ellipticCurve
1192 //42.134.72.206.61.3.0 is c-TwoCurve
1193 //42.134.72.206.61.3.1 is primeCurve
1194 //42.134.72.206.61.3.1.7 is prime256v1
1195 };
1196 if (memcmp(der, OID_RSA_KEY_ALG, sizeof(OID_RSA_KEY_ALG)) == 0) {
1197 dbg("RSA key\n");
1198 tls->hsd->key_alg = KEY_ALG_RSA;
1199 } else
1200 if (memcmp(der, OID_ECDSA_KEY_ALG, sizeof(OID_ECDSA_KEY_ALG)) == 0) {
1201 dbg("ECDSA key\n");
1202 tls->hsd->key_alg = KEY_ALG_ECDSA;
1203 } else
1204 bb_error_msg_and_die("not RSA or ECDSA key");
1157 } 1205 }
1158 /* skip subjectPublicKeyInfo.algorithm */
1159 der = skip_der_item(der, end);
1160 /* enter subjectPublicKeyInfo.publicKey */
1161// die_if_not_this_der_type(der, end, 0x03); /* must be BITSTRING */
1162 der = enter_der_item(der, &end);
1163 1206
1164 /* parse RSA key: */ 1207 if (tls->hsd->key_alg == KEY_ALG_RSA) {
1165//based on getAsnRsaPubKey(), pkcs1ParsePrivBin() is also of note 1208 /* parse RSA key: */
1166 dbg("key bytes:%u, first:0x%02x\n", (int)(end - der), der[0]); 1209 //based on getAsnRsaPubKey(), pkcs1ParsePrivBin() is also of note
1167 if (end - der < 14) xfunc_die(); 1210 /* skip subjectPublicKeyInfo.algorithm */
1168 /* example format: 1211 der = skip_der_item(der, end);
1169 * ignore bits: 00 1212 /* enter subjectPublicKeyInfo.publicKey */
1170 * SEQ 0x018a/394 bytes: 3082018a 1213// die_if_not_this_der_type(der, end, 0x03); /* must be BITSTRING */
1171 * INTEGER 0x0181/385 bytes (modulus): 02820181 XX...XXX 1214 der = enter_der_item(der, &end);
1172 * INTEGER 3 bytes (exponent): 0203 010001 1215
1173 */ 1216 dbg("key bytes:%u, first:0x%02x\n", (int)(end - der), der[0]);
1174 if (*der != 0) /* "ignore bits", should be 0 */ 1217 if (end - der < 14)
1175 xfunc_die(); 1218 xfunc_die();
1176 der++; 1219 /* example format:
1177 der = enter_der_item(der, &end); /* enter SEQ */ 1220 * ignore bits: 00
1178 /* memset(tls->hsd->server_rsa_pub_key, 0, sizeof(tls->hsd->server_rsa_pub_key)); - already is */ 1221 * SEQ 0x018a/394 bytes: 3082018a
1179 der_binary_to_pstm(&tls->hsd->server_rsa_pub_key.N, der, end); /* modulus */ 1222 * INTEGER 0x0181/385 bytes (modulus): 02820181 XX...XXX
1180 der = skip_der_item(der, end); 1223 * INTEGER 3 bytes (exponent): 0203 010001
1181 der_binary_to_pstm(&tls->hsd->server_rsa_pub_key.e, der, end); /* exponent */ 1224 */
1182 tls->hsd->server_rsa_pub_key.size = pstm_unsigned_bin_size(&tls->hsd->server_rsa_pub_key.N); 1225 if (*der != 0) /* "ignore bits", should be 0 */
1183 dbg("server_rsa_pub_key.size:%d\n", tls->hsd->server_rsa_pub_key.size); 1226 xfunc_die();
1227 der++;
1228 der = enter_der_item(der, &end); /* enter SEQ */
1229 /* memset(tls->hsd->server_rsa_pub_key, 0, sizeof(tls->hsd->server_rsa_pub_key)); - already is */
1230 der_binary_to_pstm(&tls->hsd->server_rsa_pub_key.N, der, end); /* modulus */
1231 der = skip_der_item(der, end);
1232 der_binary_to_pstm(&tls->hsd->server_rsa_pub_key.e, der, end); /* exponent */
1233 tls->hsd->server_rsa_pub_key.size = pstm_unsigned_bin_size(&tls->hsd->server_rsa_pub_key.N);
1234 dbg("server_rsa_pub_key.size:%d\n", tls->hsd->server_rsa_pub_key.size);
1235 }
1184} 1236}
1185 1237
1186/* 1238/*
@@ -1217,6 +1269,22 @@ static ALWAYS_INLINE void fill_handshake_record_hdr(void *buf, unsigned type, un
1217 1269
1218static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni) 1270static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
1219{ 1271{
1272 static const uint8_t supported_groups[] = {
1273 0x00,0x0a, //extension_type: "supported_groups"
1274 0x00,0x04, //ext len
1275 0x00,0x02, //list len
1276 0x00,0x1d, //curve_x25519 (rfc7748)
1277 //0x00,0x17, //curve_secp256r1
1278 //0x00,0x18, //curve_secp384r1
1279 //0x00,0x19, //curve_secp521r1
1280 };
1281 //static const uint8_t signature_algorithms[] = {
1282 // 000d
1283 // 0020
1284 // 001e
1285 // 0601 0602 0603 0501 0502 0503 0401 0402 0403 0301 0302 0303 0201 0202 0203
1286 //};
1287
1220 struct client_hello { 1288 struct client_hello {
1221 uint8_t type; 1289 uint8_t type;
1222 uint8_t len24_hi, len24_mid, len24_lo; 1290 uint8_t len24_hi, len24_mid, len24_lo;
@@ -1225,7 +1293,7 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
1225 uint8_t session_id_len; 1293 uint8_t session_id_len;
1226 /* uint8_t session_id[]; */ 1294 /* uint8_t session_id[]; */
1227 uint8_t cipherid_len16_hi, cipherid_len16_lo; 1295 uint8_t cipherid_len16_hi, cipherid_len16_lo;
1228 uint8_t cipherid[2 * (2 + !!CIPHER_ID2)]; /* actually variable */ 1296 uint8_t cipherid[2 * (2 + !!CIPHER_ID2 + !!CIPHER_ID3)]; /* actually variable */
1229 uint8_t comprtypes_len; 1297 uint8_t comprtypes_len;
1230 uint8_t comprtypes[1]; /* actually variable */ 1298 uint8_t comprtypes[1]; /* actually variable */
1231 /* Extensions (SNI shown): 1299 /* Extensions (SNI shown):
@@ -1250,12 +1318,19 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
1250// 0017 0000 - extended master secret 1318// 0017 0000 - extended master secret
1251 }; 1319 };
1252 struct client_hello *record; 1320 struct client_hello *record;
1321 uint8_t *ptr;
1253 int len; 1322 int len;
1254 int sni_len = sni ? strnlen(sni, 127 - 9) : 0; 1323 int ext_len;
1324 int sni_len = sni ? strnlen(sni, 127 - 5) : 0;
1255 1325
1256 len = sizeof(*record); 1326 ext_len = 0;
1327 /* is.gd responds with "handshake failure" to our hello if there's no supported_groups element */
1328 ext_len += sizeof(supported_groups);
1257 if (sni_len) 1329 if (sni_len)
1258 len += 11 + sni_len; 1330 ext_len += 9 + sni_len;
1331
1332 /* +2 is for "len of all extensions" 2-byte field */
1333 len = sizeof(*record) + 2 + ext_len;
1259 record = tls_get_outbuf(tls, len); 1334 record = tls_get_outbuf(tls, len);
1260 memset(record, 0, len); 1335 memset(record, 0, len);
1261 1336
@@ -1278,25 +1353,30 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni)
1278 if ((CIPHER_ID2 >> 8) != 0) record->cipherid[4] = CIPHER_ID2 >> 8; 1353 if ((CIPHER_ID2 >> 8) != 0) record->cipherid[4] = CIPHER_ID2 >> 8;
1279 /*************************/ record->cipherid[5] = CIPHER_ID2 & 0xff; 1354 /*************************/ record->cipherid[5] = CIPHER_ID2 & 0xff;
1280#endif 1355#endif
1356#if CIPHER_ID3
1357 if ((CIPHER_ID3 >> 8) != 0) record->cipherid[6] = CIPHER_ID3 >> 8;
1358 /*************************/ record->cipherid[7] = CIPHER_ID3 & 0xff;
1359#endif
1281 1360
1282 record->comprtypes_len = 1; 1361 record->comprtypes_len = 1;
1283 /* record->comprtypes[0] = 0; */ 1362 /* record->comprtypes[0] = 0; */
1284 1363
1364 ptr = (void*)(record + 1);
1365 *ptr++ = ext_len >> 8;
1366 *ptr++ = ext_len;
1285 if (sni_len) { 1367 if (sni_len) {
1286 uint8_t *p = (void*)(record + 1); 1368 //ptr[0] = 0; //
1287 //p[0] = 0; // 1369 //ptr[1] = 0; //extension_type
1288 p[1] = sni_len + 9; //ext_len 1370 //ptr[2] = 0; //
1289 //p[2] = 0; // 1371 ptr[3] = sni_len + 5; //list len
1290 //p[3] = 0; //extension_type 1372 //ptr[4] = 0; //
1291 //p[4] = 0; // 1373 ptr[5] = sni_len + 3; //len of 1st SNI
1292 p[5] = sni_len + 5; //list len 1374 //ptr[6] = 0; //name type
1293 //p[6] = 0; // 1375 //ptr[7] = 0; //
1294 p[7] = sni_len + 3; //len of 1st SNI 1376 ptr[8] = sni_len; //name len
1295 //p[8] = 0; //name type 1377 ptr = mempcpy(&ptr[9], sni, sni_len);
1296 //p[9] = 0; //
1297 p[10] = sni_len; //name len
1298 memcpy(&p[11], sni, sni_len);
1299 } 1378 }
1379 mempcpy(ptr, supported_groups, sizeof(supported_groups));
1300 1380
1301 dbg(">> CLIENT_HELLO\n"); 1381 dbg(">> CLIENT_HELLO\n");
1302 /* Can hash it only when we know which MAC hash to use */ 1382 /* Can hash it only when we know which MAC hash to use */
@@ -1373,7 +1453,9 @@ static void get_server_hello(tls_state_t *tls)
1373 tls->cipher_id = cipher = 0x100 * cipherid[0] + cipherid[1]; 1453 tls->cipher_id = cipher = 0x100 * cipherid[0] + cipherid[1];
1374 dbg("server chose cipher %04x\n", cipher); 1454 dbg("server chose cipher %04x\n", cipher);
1375 1455
1376 if (cipher == TLS_RSA_WITH_AES_128_CBC_SHA) { 1456 if (cipher == TLS_RSA_WITH_AES_128_CBC_SHA
1457 || cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
1458 ) {
1377 tls->key_size = AES128_KEYSIZE; 1459 tls->key_size = AES128_KEYSIZE;
1378 tls->MAC_size = SHA1_OUTSIZE; 1460 tls->MAC_size = SHA1_OUTSIZE;
1379 } 1461 }
@@ -1425,6 +1507,55 @@ static void get_server_cert(tls_state_t *tls)
1425 find_key_in_der_cert(tls, certbuf + 10, len); 1507 find_key_in_der_cert(tls, certbuf + 10, len);
1426} 1508}
1427 1509
1510/* On input, len is known to be >= 4.
1511 * The record is known to be SERVER_KEY_EXCHANGE.
1512 */
1513static void process_server_key(tls_state_t *tls, int len)
1514{
1515 struct record_hdr *xhdr;
1516 uint8_t *keybuf;
1517 int len1;
1518 uint32_t t32;
1519
1520 xhdr = (void*)tls->inbuf;
1521 keybuf = (void*)(xhdr + 1);
1522//seen from is.gd: it selects curve_x25519:
1523// 0c 00006e //SERVER_KEY_EXCHANGE
1524// 03 //curve_type: named curve
1525// 001d //curve_x25519
1526//server-chosen EC point, and then signed_params
1527// (rfc8422: "A hash of the params, with the signature
1528// appropriate to that hash applied. The private key corresponding
1529// to the certified public key in the server's Certificate message is
1530// used for signing.")
1531//follow. Format unclear/guessed:
1532// 20 //eccPubKeyLen
1533// 25511923d73b70dd2f60e66ba2f3fda31a9c25170963c7a3a972e481dbb2835d //eccPubKey (32bytes)
1534// 0203 //hashSigAlg: 2:SHA1 (4:SHA256 5:SHA384 6:SHA512), 3:ECDSA (1:RSA)
1535// 0046 //len (16bit)
1536// 30 44 //SEQ, len
1537// 02 20 //INTEGER, len
1538// 2e18e7c2a9badd0a70cd3059a6ab114539b9f5163568911147386cd77ed7c412 //32bytes
1539//this item ^^^^^ is sometimes 33 bytes (with all container sizes also +1)
1540// 02 20 //INTEGER, len
1541// 64523d6216cb94c43c9b20e377d8c52c55be6703fd6730a155930c705eaf3af6 //32bytes
1542//same about this item ^^^^^
1543 /* Get and verify length */
1544 len1 = get24be(keybuf + 1);
1545 if (len1 > len - 4) tls_error_die(tls);
1546 len = len1;
1547 if (len < (1+2+1+32)) tls_error_die(tls);
1548 keybuf += 4;
1549
1550 /* So far we only support curve_x25519 */
1551 move_from_unaligned32(t32, keybuf);
1552 if (t32 != htonl(0x03001d20))
1553 tls_error_die(tls);
1554
1555 memcpy(tls->hsd->ecc_pub_key32, keybuf + 4, 32);
1556 dbg("got eccPubKey\n");
1557}
1558
1428static void send_empty_client_cert(tls_state_t *tls) 1559static void send_empty_client_cert(tls_state_t *tls)
1429{ 1560{
1430 struct client_empty_cert { 1561 struct client_empty_cert {
@@ -1433,13 +1564,18 @@ static void send_empty_client_cert(tls_state_t *tls)
1433 uint8_t cert_chain_len24_hi, cert_chain_len24_mid, cert_chain_len24_lo; 1564 uint8_t cert_chain_len24_hi, cert_chain_len24_mid, cert_chain_len24_lo;
1434 }; 1565 };
1435 struct client_empty_cert *record; 1566 struct client_empty_cert *record;
1567 static const uint8_t empty_client_cert[] = {
1568 HANDSHAKE_CERTIFICATE,
1569 0, 0, 3, //len24
1570 0, 0, 0, //cert_chain_len24
1571 };
1436 1572
1437 record = tls_get_outbuf(tls, sizeof(*record)); 1573 record = tls_get_outbuf(tls, sizeof(*record));
1438//FIXME: can just memcpy a ready-made one. 1574 //fill_handshake_record_hdr(record, HANDSHAKE_CERTIFICATE, sizeof(*record));
1439 fill_handshake_record_hdr(record, HANDSHAKE_CERTIFICATE, sizeof(*record)); 1575 //record->cert_chain_len24_hi = 0;
1440 record->cert_chain_len24_hi = 0; 1576 //record->cert_chain_len24_mid = 0;
1441 record->cert_chain_len24_mid = 0; 1577 //record->cert_chain_len24_lo = 0;
1442 record->cert_chain_len24_lo = 0; 1578 memcpy(record, empty_client_cert, sizeof(empty_client_cert));
1443 1579
1444 dbg(">> CERTIFICATE\n"); 1580 dbg(">> CERTIFICATE\n");
1445 xwrite_and_update_handshake_hash(tls, sizeof(*record)); 1581 xwrite_and_update_handshake_hash(tls, sizeof(*record));
@@ -1450,34 +1586,63 @@ static void send_client_key_exchange(tls_state_t *tls)
1450 struct client_key_exchange { 1586 struct client_key_exchange {
1451 uint8_t type; 1587 uint8_t type;
1452 uint8_t len24_hi, len24_mid, len24_lo; 1588 uint8_t len24_hi, len24_mid, len24_lo;
1453 /* keylen16 exists for RSA (in TLS, not in SSL), but not for some other key types */ 1589 uint8_t key[2 + 4 * 1024]; // size??
1454 uint8_t keylen16_hi, keylen16_lo;
1455 uint8_t key[4 * 1024]; // size??
1456 }; 1590 };
1457//FIXME: better size estimate 1591//FIXME: better size estimate
1458 struct client_key_exchange *record = tls_get_outbuf(tls, sizeof(*record)); 1592 struct client_key_exchange *record = tls_get_outbuf(tls, sizeof(*record));
1459 uint8_t rsa_premaster[RSA_PREMASTER_SIZE]; 1593 uint8_t rsa_premaster[RSA_PREMASTER_SIZE];
1594 uint8_t x25519_premaster[CURVE25519_KEYSIZE];
1595 uint8_t *premaster;
1596 int premaster_size;
1460 int len; 1597 int len;
1461 1598
1462 tls_get_random(rsa_premaster, sizeof(rsa_premaster)); 1599 if (tls->hsd->key_alg == KEY_ALG_RSA) {
1463 if (TLS_DEBUG_FIXED_SECRETS) 1600 tls_get_random(rsa_premaster, sizeof(rsa_premaster));
1464 memset(rsa_premaster, 0x44, sizeof(rsa_premaster)); 1601 if (TLS_DEBUG_FIXED_SECRETS)
1465 // RFC 5246 1602 memset(rsa_premaster, 0x44, sizeof(rsa_premaster));
1466 // "Note: The version number in the PreMasterSecret is the version 1603 // RFC 5246
1467 // offered by the client in the ClientHello.client_version, not the 1604 // "Note: The version number in the PreMasterSecret is the version
1468 // version negotiated for the connection." 1605 // offered by the client in the ClientHello.client_version, not the
1469 rsa_premaster[0] = TLS_MAJ; 1606 // version negotiated for the connection."
1470 rsa_premaster[1] = TLS_MIN; 1607 rsa_premaster[0] = TLS_MAJ;
1471 dump_hex("premaster:%s\n", rsa_premaster, sizeof(rsa_premaster)); 1608 rsa_premaster[1] = TLS_MIN;
1472 len = psRsaEncryptPub(/*pool:*/ NULL, 1609 dump_hex("premaster:%s\n", rsa_premaster, sizeof(rsa_premaster));
1473 /* psRsaKey_t* */ &tls->hsd->server_rsa_pub_key, 1610 len = psRsaEncryptPub(/*pool:*/ NULL,
1474 rsa_premaster, /*inlen:*/ sizeof(rsa_premaster), 1611 /* psRsaKey_t* */ &tls->hsd->server_rsa_pub_key,
1475 record->key, sizeof(record->key), 1612 rsa_premaster, /*inlen:*/ sizeof(rsa_premaster),
1476 data_param_ignored 1613 record->key + 2, sizeof(record->key) - 2,
1477 ); 1614 data_param_ignored
1478 record->keylen16_hi = len >> 8; 1615 );
1479 record->keylen16_lo = len & 0xff; 1616 /* keylen16 exists for RSA (in TLS, not in SSL), but not for some other key types */
1480 len += 2; 1617 record->key[0] = len >> 8;
1618 record->key[1] = len & 0xff;
1619 len += 2;
1620 premaster = rsa_premaster;
1621 premaster_size = sizeof(rsa_premaster);
1622 } else {
1623 /* KEY_ALG_ECDSA */
1624 static const uint8_t basepoint9[CURVE25519_KEYSIZE] = {9};
1625 uint8_t privkey[CURVE25519_KEYSIZE]; //[32]
1626
1627 /* Generate random private key, see RFC 7748 */
1628 tls_get_random(privkey, sizeof(privkey));
1629 privkey[0] &= 0xf8;
1630 privkey[CURVE25519_KEYSIZE-1] = ((privkey[CURVE25519_KEYSIZE-1] & 0x7f) | 0x40);
1631
1632 /* Compute public key */
1633 curve25519(record->key + 1, privkey, basepoint9);
1634
1635 /* Compute premaster using peer's public key */
1636 dbg("computing x25519_premaster\n");
1637 curve25519(x25519_premaster, privkey, tls->hsd->ecc_pub_key32);
1638
1639 len = CURVE25519_KEYSIZE;
1640 record->key[0] = len;
1641 len++;
1642 premaster = x25519_premaster;
1643 premaster_size = sizeof(x25519_premaster);
1644 }
1645
1481 record->type = HANDSHAKE_CLIENT_KEY_EXCHANGE; 1646 record->type = HANDSHAKE_CLIENT_KEY_EXCHANGE;
1482 record->len24_hi = 0; 1647 record->len24_hi = 0;
1483 record->len24_mid = len >> 8; 1648 record->len24_mid = len >> 8;
@@ -1499,7 +1664,7 @@ static void send_client_key_exchange(tls_state_t *tls)
1499 // of the premaster secret will vary depending on key exchange method. 1664 // of the premaster secret will vary depending on key exchange method.
1500 prf_hmac_sha256(/*tls,*/ 1665 prf_hmac_sha256(/*tls,*/
1501 tls->hsd->master_secret, sizeof(tls->hsd->master_secret), 1666 tls->hsd->master_secret, sizeof(tls->hsd->master_secret),
1502 rsa_premaster, sizeof(rsa_premaster), 1667 premaster, premaster_size,
1503 "master secret", 1668 "master secret",
1504 tls->hsd->client_and_server_rand32, sizeof(tls->hsd->client_and_server_rand32) 1669 tls->hsd->client_and_server_rand32, sizeof(tls->hsd->client_and_server_rand32)
1505 ); 1670 );
@@ -1686,8 +1851,19 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
1686 //SvKey len=455^ 1851 //SvKey len=455^
1687 // with TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: 461 bytes: 1852 // with TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: 461 bytes:
1688 // 0c 00|01|c9 03|00|17|41|04|cd|9b|b4|29|1f|f6|b0|c2|84|82|7f|29|6a|47|4e|ec|87|0b|c1|9c|69|e1|f8|c6|d0|53|e9|27|90|a5|c8|02|15|75... 1853 // 0c 00|01|c9 03|00|17|41|04|cd|9b|b4|29|1f|f6|b0|c2|84|82|7f|29|6a|47|4e|ec|87|0b|c1|9c|69|e1|f8|c6|d0|53|e9|27|90|a5|c8|02|15|75...
1854 //
1855 // RFC 8422 5.4. Server Key Exchange
1856 // This message is sent when using the ECDHE_ECDSA, ECDHE_RSA, and
1857 // ECDH_anon key exchange algorithms.
1858 // This message is used to convey the server's ephemeral ECDH public key
1859 // (and the corresponding elliptic curve domain parameters) to the
1860 // client.
1689 dbg("<< SERVER_KEY_EXCHANGE len:%u\n", len); 1861 dbg("<< SERVER_KEY_EXCHANGE len:%u\n", len);
1690//probably need to save it 1862 dump_raw_in("<< %s\n", tls->inbuf, RECHDR_LEN + len);
1863 if (tls->hsd->key_alg == KEY_ALG_ECDSA)
1864 process_server_key(tls, len);
1865
1866 // read next handshake block
1691 len = tls_xread_handshake_block(tls, 4); 1867 len = tls_xread_handshake_block(tls, 4);
1692 } 1868 }
1693 1869
diff --git a/networking/tls.h b/networking/tls.h
index d487f3810..66d25eff5 100644
--- a/networking/tls.h
+++ b/networking/tls.h
@@ -94,6 +94,7 @@ void tls_get_random(void *buf, unsigned len);
94 94
95 95
96#include "tls_pstm.h" 96#include "tls_pstm.h"
97#include "tls_rsa.h"
98#include "tls_symmetric.h" 97#include "tls_symmetric.h"
99#include "tls_aes.h" 98#include "tls_aes.h"
99#include "tls_rsa.h"
100#include "tls_fe.h"
diff --git a/networking/tls_fe.c b/networking/tls_fe.c
new file mode 100644
index 000000000..37fea34f7
--- /dev/null
+++ b/networking/tls_fe.c
@@ -0,0 +1,601 @@
1/*
2 * Copyright (C) 2018 Denys Vlasenko
3 *
4 * Licensed under GPLv2, see file LICENSE in this source tree.
5 */
6#include "tls.h"
7
8typedef uint8_t byte;
9typedef uint16_t word16;
10typedef uint32_t word32;
11#define XMEMSET memset
12
13#define F25519_SIZE CURVE25519_KEYSIZE
14
15/* The code below is taken from wolfssl-3.15.3/wolfcrypt/src/fe_low_mem.c
16 * Header comment is kept intact:
17 */
18
19/* fe_low_mem.c
20 *
21 * Copyright (C) 2006-2017 wolfSSL Inc.
22 *
23 * This file is part of wolfSSL.
24 *
25 * wolfSSL is free software; you can redistribute it and/or modify
26 * it under the terms of the GNU General Public License as published by
27 * the Free Software Foundation; either version 2 of the License, or
28 * (at your option) any later version.
29 *
30 * wolfSSL is distributed in the hope that it will be useful,
31 * but WITHOUT ANY WARRANTY; without even the implied warranty of
32 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
33 * GNU General Public License for more details.
34 *
35 * You should have received a copy of the GNU General Public License
36 * along with this program; if not, write to the Free Software
37 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
38 */
39
40
41/* Based from Daniel Beer's public domain work. */
42
43#if 0 //UNUSED
44static void fprime_copy(byte *x, const byte *a)
45{
46 int i;
47 for (i = 0; i < F25519_SIZE; i++)
48 x[i] = a[i];
49}
50#endif
51
52static void lm_copy(byte* x, const byte* a)
53{
54 int i;
55 for (i = 0; i < F25519_SIZE; i++)
56 x[i] = a[i];
57}
58
59#if 0 //UNUSED
60static void fprime_select(byte *dst, const byte *zero, const byte *one, byte condition)
61{
62 const byte mask = -condition;
63 int i;
64
65 for (i = 0; i < F25519_SIZE; i++)
66 dst[i] = zero[i] ^ (mask & (one[i] ^ zero[i]));
67}
68#endif
69
70static void fe_select(byte *dst,
71 const byte *zero, const byte *one,
72 byte condition)
73{
74 const byte mask = -condition;
75 int i;
76
77 for (i = 0; i < F25519_SIZE; i++)
78 dst[i] = zero[i] ^ (mask & (one[i] ^ zero[i]));
79}
80
81#if 0 //UNUSED
82static void raw_add(byte *x, const byte *p)
83{
84 word16 c = 0;
85 int i;
86
87 for (i = 0; i < F25519_SIZE; i++) {
88 c += ((word16)x[i]) + ((word16)p[i]);
89 x[i] = (byte)c;
90 c >>= 8;
91 }
92}
93#endif
94
95#if 0 //UNUSED
96static void raw_try_sub(byte *x, const byte *p)
97{
98 byte minusp[F25519_SIZE];
99 word16 c = 0;
100 int i;
101
102 for (i = 0; i < F25519_SIZE; i++) {
103 c = ((word16)x[i]) - ((word16)p[i]) - c;
104 minusp[i] = (byte)c;
105 c = (c >> 8) & 1;
106 }
107
108 fprime_select(x, minusp, x, (byte)c);
109}
110#endif
111
112#if 0 //UNUSED
113static int prime_msb(const byte *p)
114{
115 int i;
116 byte x;
117 int shift = 1;
118 int z = F25519_SIZE - 1;
119
120 /*
121 Test for any hot bits.
122 As soon as one instance is encountered set shift to 0.
123 */
124 for (i = F25519_SIZE - 1; i >= 0; i--) {
125 shift &= ((shift ^ ((-p[i] | p[i]) >> 7)) & 1);
126 z -= shift;
127 }
128 x = p[z];
129 z <<= 3;
130 shift = 1;
131 for (i = 0; i < 8; i++) {
132 shift &= ((-(x >> i) | (x >> i)) >> (7 - i) & 1);
133 z += shift;
134 }
135
136 return z - 1;
137}
138#endif
139
140#if 0 //UNUSED
141static void fprime_add(byte *r, const byte *a, const byte *modulus)
142{
143 raw_add(r, a);
144 raw_try_sub(r, modulus);
145}
146#endif
147
148#if 0 //UNUSED
149static void fprime_sub(byte *r, const byte *a, const byte *modulus)
150{
151 raw_add(r, modulus);
152 raw_try_sub(r, a);
153 raw_try_sub(r, modulus);
154}
155#endif
156
157#if 0 //UNUSED
158static void fprime_mul(byte *r, const byte *a, const byte *b,
159 const byte *modulus)
160{
161 word16 c = 0;
162 int i,j;
163
164 XMEMSET(r, 0, F25519_SIZE);
165
166 for (i = prime_msb(modulus); i >= 0; i--) {
167 const byte bit = (b[i >> 3] >> (i & 7)) & 1;
168 byte plusa[F25519_SIZE];
169
170 for (j = 0; j < F25519_SIZE; j++) {
171 c |= ((word16)r[j]) << 1;
172 r[j] = (byte)c;
173 c >>= 8;
174 }
175 raw_try_sub(r, modulus);
176
177 fprime_copy(plusa, r);
178 fprime_add(plusa, a, modulus);
179
180 fprime_select(r, r, plusa, bit);
181 }
182}
183#endif
184
185#if 0 //UNUSED
186static void fe_load(byte *x, word32 c)
187{
188 word32 i;
189
190 for (i = 0; i < sizeof(c); i++) {
191 x[i] = c;
192 c >>= 8;
193 }
194
195 for (; i < F25519_SIZE; i++)
196 x[i] = 0;
197}
198#endif
199
200static void fe_normalize(byte *x)
201{
202 byte minusp[F25519_SIZE];
203 word16 c;
204 int i;
205
206 /* Reduce using 2^255 = 19 mod p */
207 c = (x[31] >> 7) * 19;
208 x[31] &= 127;
209
210 for (i = 0; i < F25519_SIZE; i++) {
211 c += x[i];
212 x[i] = (byte)c;
213 c >>= 8;
214 }
215
216 /* The number is now less than 2^255 + 18, and therefore less than
217 * 2p. Try subtracting p, and conditionally load the subtracted
218 * value if underflow did not occur.
219 */
220 c = 19;
221
222 for (i = 0; i + 1 < F25519_SIZE; i++) {
223 c += x[i];
224 minusp[i] = (byte)c;
225 c >>= 8;
226 }
227
228 c += ((word16)x[i]) - 128;
229 minusp[31] = (byte)c;
230
231 /* Load x-p if no underflow */
232 fe_select(x, minusp, x, (c >> 15) & 1);
233}
234
235static void lm_add(byte* r, const byte* a, const byte* b)
236{
237 word16 c = 0;
238 int i;
239
240 /* Add */
241 for (i = 0; i < F25519_SIZE; i++) {
242 c >>= 8;
243 c += ((word16)a[i]) + ((word16)b[i]);
244 r[i] = (byte)c;
245 }
246
247 /* Reduce with 2^255 = 19 mod p */
248 r[31] &= 127;
249 c = (c >> 7) * 19;
250
251 for (i = 0; i < F25519_SIZE; i++) {
252 c += r[i];
253 r[i] = (byte)c;
254 c >>= 8;
255 }
256}
257
258static void lm_sub(byte* r, const byte* a, const byte* b)
259{
260 word32 c = 0;
261 int i;
262
263 /* Calculate a + 2p - b, to avoid underflow */
264 c = 218;
265 for (i = 0; i + 1 < F25519_SIZE; i++) {
266 c += 65280 + ((word32)a[i]) - ((word32)b[i]);
267 r[i] = c;
268 c >>= 8;
269 }
270
271 c += ((word32)a[31]) - ((word32)b[31]);
272 r[31] = c & 127;
273 c = (c >> 7) * 19;
274
275 for (i = 0; i < F25519_SIZE; i++) {
276 c += r[i];
277 r[i] = c;
278 c >>= 8;
279 }
280}
281
282#if 0 //UNUSED
283static void lm_neg(byte* r, const byte* a)
284{
285 word32 c = 0;
286 int i;
287
288 /* Calculate 2p - a, to avoid underflow */
289 c = 218;
290 for (i = 0; i + 1 < F25519_SIZE; i++) {
291 c += 65280 - ((word32)a[i]);
292 r[i] = c;
293 c >>= 8;
294 }
295
296 c -= ((word32)a[31]);
297 r[31] = c & 127;
298 c = (c >> 7) * 19;
299
300 for (i = 0; i < F25519_SIZE; i++) {
301 c += r[i];
302 r[i] = c;
303 c >>= 8;
304 }
305}
306#endif
307
308static void fe_mul__distinct(byte *r, const byte *a, const byte *b)
309{
310 word32 c = 0;
311 int i;
312
313 for (i = 0; i < F25519_SIZE; i++) {
314 int j;
315
316 c >>= 8;
317 for (j = 0; j <= i; j++)
318 c += ((word32)a[j]) * ((word32)b[i - j]);
319
320 for (; j < F25519_SIZE; j++)
321 c += ((word32)a[j]) *
322 ((word32)b[i + F25519_SIZE - j]) * 38;
323
324 r[i] = c;
325 }
326
327 r[31] &= 127;
328 c = (c >> 7) * 19;
329
330 for (i = 0; i < F25519_SIZE; i++) {
331 c += r[i];
332 r[i] = c;
333 c >>= 8;
334 }
335}
336
337#if 0 //UNUSED
338static void lm_mul(byte *r, const byte* a, const byte *b)
339{
340 byte tmp[F25519_SIZE];
341
342 fe_mul__distinct(tmp, a, b);
343 lm_copy(r, tmp);
344}
345#endif
346
347static void fe_mul_c(byte *r, const byte *a, word32 b)
348{
349 word32 c = 0;
350 int i;
351
352 for (i = 0; i < F25519_SIZE; i++) {
353 c >>= 8;
354 c += b * ((word32)a[i]);
355 r[i] = c;
356 }
357
358 r[31] &= 127;
359 c >>= 7;
360 c *= 19;
361
362 for (i = 0; i < F25519_SIZE; i++) {
363 c += r[i];
364 r[i] = c;
365 c >>= 8;
366 }
367}
368
369static void fe_inv__distinct(byte *r, const byte *x)
370{
371 byte s[F25519_SIZE];
372 int i;
373
374 /* This is a prime field, so by Fermat's little theorem:
375 *
376 * x^(p-1) = 1 mod p
377 *
378 * Therefore, raise to (p-2) = 2^255-21 to get a multiplicative
379 * inverse.
380 *
381 * This is a 255-bit binary number with the digits:
382 *
383 * 11111111... 01011
384 *
385 * We compute the result by the usual binary chain, but
386 * alternate between keeping the accumulator in r and s, so as
387 * to avoid copying temporaries.
388 */
389
390 /* 1 1 */
391 fe_mul__distinct(s, x, x);
392 fe_mul__distinct(r, s, x);
393
394 /* 1 x 248 */
395 for (i = 0; i < 248; i++) {
396 fe_mul__distinct(s, r, r);
397 fe_mul__distinct(r, s, x);
398 }
399
400 /* 0 */
401 fe_mul__distinct(s, r, r);
402
403 /* 1 */
404 fe_mul__distinct(r, s, s);
405 fe_mul__distinct(s, r, x);
406
407 /* 0 */
408 fe_mul__distinct(r, s, s);
409
410 /* 1 */
411 fe_mul__distinct(s, r, r);
412 fe_mul__distinct(r, s, x);
413
414 /* 1 */
415 fe_mul__distinct(s, r, r);
416 fe_mul__distinct(r, s, x);
417}
418
419#if 0 //UNUSED
420static void lm_invert(byte *r, const byte *x)
421{
422 byte tmp[F25519_SIZE];
423
424 fe_inv__distinct(tmp, x);
425 lm_copy(r, tmp);
426}
427#endif
428
429#if 0 //UNUSED
430/* Raise x to the power of (p-5)/8 = 2^252-3, using s for temporary
431 * storage.
432 */
433static void exp2523(byte *r, const byte *x, byte *s)
434{
435 int i;
436
437 /* This number is a 252-bit number with the binary expansion:
438 *
439 * 111111... 01
440 */
441
442 /* 1 1 */
443 fe_mul__distinct(r, x, x);
444 fe_mul__distinct(s, r, x);
445
446 /* 1 x 248 */
447 for (i = 0; i < 248; i++) {
448 fe_mul__distinct(r, s, s);
449 fe_mul__distinct(s, r, x);
450 }
451
452 /* 0 */
453 fe_mul__distinct(r, s, s);
454
455 /* 1 */
456 fe_mul__distinct(s, r, r);
457 fe_mul__distinct(r, s, x);
458}
459#endif
460
461#if 0 //UNUSED
462static void fe_sqrt(byte *r, const byte *a)
463{
464 byte v[F25519_SIZE];
465 byte i[F25519_SIZE];
466 byte x[F25519_SIZE];
467 byte y[F25519_SIZE];
468
469 /* v = (2a)^((p-5)/8) [x = 2a] */
470 fe_mul_c(x, a, 2);
471 exp2523(v, x, y);
472
473 /* i = 2av^2 - 1 */
474 fe_mul__distinct(y, v, v);
475 fe_mul__distinct(i, x, y);
476 fe_load(y, 1);
477 lm_sub(i, i, y);
478
479 /* r = avi */
480 fe_mul__distinct(x, v, a);
481 fe_mul__distinct(r, x, i);
482}
483#endif
484
485/* Differential addition */
486static void xc_diffadd(byte *x5, byte *z5,
487 const byte *x1, const byte *z1,
488 const byte *x2, const byte *z2,
489 const byte *x3, const byte *z3)
490{
491 /* Explicit formulas database: dbl-1987-m3
492 *
493 * source 1987 Montgomery "Speeding the Pollard and elliptic curve
494 * methods of factorization", page 261, fifth display, plus
495 * common-subexpression elimination
496 * compute A = X2+Z2
497 * compute B = X2-Z2
498 * compute C = X3+Z3
499 * compute D = X3-Z3
500 * compute DA = D A
501 * compute CB = C B
502 * compute X5 = Z1(DA+CB)^2
503 * compute Z5 = X1(DA-CB)^2
504 */
505 byte da[F25519_SIZE];
506 byte cb[F25519_SIZE];
507 byte a[F25519_SIZE];
508 byte b[F25519_SIZE];
509
510 lm_add(a, x2, z2);
511 lm_sub(b, x3, z3); /* D */
512 fe_mul__distinct(da, a, b);
513
514 lm_sub(b, x2, z2);
515 lm_add(a, x3, z3); /* C */
516 fe_mul__distinct(cb, a, b);
517
518 lm_add(a, da, cb);
519 fe_mul__distinct(b, a, a);
520 fe_mul__distinct(x5, z1, b);
521
522 lm_sub(a, da, cb);
523 fe_mul__distinct(b, a, a);
524 fe_mul__distinct(z5, x1, b);
525}
526
527/* Double an X-coordinate */
528static void xc_double(byte *x3, byte *z3,
529 const byte *x1, const byte *z1)
530{
531 /* Explicit formulas database: dbl-1987-m
532 *
533 * source 1987 Montgomery "Speeding the Pollard and elliptic
534 * curve methods of factorization", page 261, fourth display
535 * compute X3 = (X1^2-Z1^2)^2
536 * compute Z3 = 4 X1 Z1 (X1^2 + a X1 Z1 + Z1^2)
537 */
538 byte x1sq[F25519_SIZE];
539 byte z1sq[F25519_SIZE];
540 byte x1z1[F25519_SIZE];
541 byte a[F25519_SIZE];
542
543 fe_mul__distinct(x1sq, x1, x1);
544 fe_mul__distinct(z1sq, z1, z1);
545 fe_mul__distinct(x1z1, x1, z1);
546
547 lm_sub(a, x1sq, z1sq);
548 fe_mul__distinct(x3, a, a);
549
550 fe_mul_c(a, x1z1, 486662);
551 lm_add(a, x1sq, a);
552 lm_add(a, z1sq, a);
553 fe_mul__distinct(x1sq, x1z1, a);
554 fe_mul_c(z3, x1sq, 4);
555}
556
557void curve25519(byte *result, const byte *e, const byte *q)
558{
559 /* from wolfssl-3.15.3/wolfssl/wolfcrypt/fe_operations.h */
560 static const byte f25519_one[F25519_SIZE] = {1};
561
562 /* Current point: P_m */
563 byte xm[F25519_SIZE];
564 byte zm[F25519_SIZE] = {1};
565
566 /* Predecessor: P_(m-1) */
567 byte xm1[F25519_SIZE] = {1};
568 byte zm1[F25519_SIZE] = {0};
569
570 int i;
571
572 /* Note: bit 254 is assumed to be 1 */
573 lm_copy(xm, q);
574
575 for (i = 253; i >= 0; i--) {
576 const int bit = (e[i >> 3] >> (i & 7)) & 1;
577 byte xms[F25519_SIZE];
578 byte zms[F25519_SIZE];
579
580 /* From P_m and P_(m-1), compute P_(2m) and P_(2m-1) */
581 xc_diffadd(xm1, zm1, q, f25519_one, xm, zm, xm1, zm1);
582 xc_double(xm, zm, xm, zm);
583
584 /* Compute P_(2m+1) */
585 xc_diffadd(xms, zms, xm1, zm1, xm, zm, q, f25519_one);
586
587 /* Select:
588 * bit = 1 --> (P_(2m+1), P_(2m))
589 * bit = 0 --> (P_(2m), P_(2m-1))
590 */
591 fe_select(xm1, xm1, xm, bit);
592 fe_select(zm1, zm1, zm, bit);
593 fe_select(xm, xm, xms, bit);
594 fe_select(zm, zm, zms, bit);
595 }
596
597 /* Freeze out of projective coordinates */
598 fe_inv__distinct(zm1, zm);
599 fe_mul__distinct(result, zm1, xm);
600 fe_normalize(result);
601}
diff --git a/networking/tls_fe.h b/networking/tls_fe.h
new file mode 100644
index 000000000..bd2f2b3da
--- /dev/null
+++ b/networking/tls_fe.h
@@ -0,0 +1,7 @@
1/*
2 * Copyright (C) 2018 Denys Vlasenko
3 *
4 * Licensed under GPLv2, see file LICENSE in this source tree.
5 */
6#define CURVE25519_KEYSIZE 32
7void curve25519(uint8_t *result, const uint8_t *e, const uint8_t *q);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 12:23:38 +0000