Diffstat (limited to 'networking/tls_fe.c')
-rw-r--r-- | networking/tls_fe.c | 89 |
1 files changed, 59 insertions, 30 deletions
diff --git a/networking/tls_fe.c b/networking/tls_fe.c index f810e112a..ecb410281 100644 --- a/networking/tls_fe.c +++ b/networking/tls_fe.c | |||
@@ -64,8 +64,8 @@ static void fprime_select(byte *dst, const byte *zero, const byte *one, byte con | |||
64 | #endif | 64 | #endif |
65 | 65 | ||
66 | static void fe_select(byte *dst, | 66 | static void fe_select(byte *dst, |
67 | const byte *zero, const byte *one, | 67 | const byte *zero, const byte *one, |
68 | byte condition) | 68 | byte condition) |
69 | { | 69 | { |
70 | const byte mask = -condition; | 70 | const byte mask = -condition; |
71 | int i; | 71 | int i; |
@@ -108,26 +108,26 @@ static void raw_try_sub(byte *x, const byte *p) | |||
108 | #if 0 //UNUSED | 108 | #if 0 //UNUSED |
109 | static int prime_msb(const byte *p) | 109 | static int prime_msb(const byte *p) |
110 | { | 110 | { |
111 | int i; | 111 | int i; |
112 | byte x; | 112 | byte x; |
113 | int shift = 1; | 113 | int shift = 1; |
114 | int z = F25519_SIZE - 1; | 114 | int z = F25519_SIZE - 1; |
115 | 115 | ||
116 | /* | 116 | /* |
117 | Test for any hot bits. | 117 | Test for any hot bits. |
118 | As soon as one instance is encountered set shift to 0. | 118 | As soon as one instance is encountered set shift to 0. |
119 | */ | 119 | */ |
120 | for (i = F25519_SIZE - 1; i >= 0; i--) { | 120 | for (i = F25519_SIZE - 1; i >= 0; i--) { |
121 | shift &= ((shift ^ ((-p[i] | p[i]) >> 7)) & 1); | 121 | shift &= ((shift ^ ((-p[i] | p[i]) >> 7)) & 1); |
122 | z -= shift; | 122 | z -= shift; |
123 | } | 123 | } |
124 | x = p[z]; | 124 | x = p[z]; |
125 | z <<= 3; | 125 | z <<= 3; |
126 | shift = 1; | 126 | shift = 1; |
127 | for (i = 0; i < 8; i++) { | 127 | for (i = 0; i < 8; i++) { |
128 | shift &= ((-(x >> i) | (x >> i)) >> (7 - i) & 1); | 128 | shift &= ((-(x >> i) | (x >> i)) >> (7 - i) & 1); |
129 | z += shift; | 129 | z += shift; |
130 | } | 130 | } |
131 | 131 | ||
132 | return z - 1; | 132 | return z - 1; |
133 | } | 133 | } |
@@ -163,11 +163,11 @@ static void fprime_mul(byte *r, const byte *a, const byte *b, | |||
163 | const byte bit = (b[i >> 3] >> (i & 7)) & 1; | 163 | const byte bit = (b[i >> 3] >> (i & 7)) & 1; |
164 | byte plusa[F25519_SIZE]; | 164 | byte plusa[F25519_SIZE]; |
165 | 165 | ||
166 | for (j = 0; j < F25519_SIZE; j++) { | 166 | for (j = 0; j < F25519_SIZE; j++) { |
167 | c |= ((word16)r[j]) << 1; | 167 | c |= ((word16)r[j]) << 1; |
168 | r[j] = (byte)c; | 168 | r[j] = (byte)c; |
169 | c >>= 8; | 169 | c >>= 8; |
170 | } | 170 | } |
171 | raw_try_sub(r, modulus); | 171 | raw_try_sub(r, modulus); |
172 | 172 | ||
173 | fprime_copy(plusa, r); | 173 | fprime_copy(plusa, r); |
@@ -315,7 +315,7 @@ static void fe_mul__distinct(byte *r, const byte *a, const byte *b) | |||
315 | 315 | ||
316 | for (; j < F25519_SIZE; j++) | 316 | for (; j < F25519_SIZE; j++) |
317 | c += ((word32)a[j]) * | 317 | c += ((word32)a[j]) * |
318 | ((word32)b[i + F25519_SIZE - j]) * 38; | 318 | ((word32)b[i + F25519_SIZE - j]) * 38; |
319 | 319 | ||
320 | r[i] = c; | 320 | r[i] = c; |
321 | } | 321 | } |
@@ -474,9 +474,9 @@ static void fe_sqrt(byte *r, const byte *a) | |||
474 | 474 | ||
475 | /* Differential addition */ | 475 | /* Differential addition */ |
476 | static void xc_diffadd(byte *x5, byte *z5, | 476 | static void xc_diffadd(byte *x5, byte *z5, |
477 | const byte *x1, const byte *z1, | 477 | const byte *x1, const byte *z1, |
478 | const byte *x2, const byte *z2, | 478 | const byte *x2, const byte *z2, |
479 | const byte *x3, const byte *z3) | 479 | const byte *x3, const byte *z3) |
480 | { | 480 | { |
481 | /* Explicit formulas database: dbl-1987-m3 | 481 | /* Explicit formulas database: dbl-1987-m3 |
482 | * | 482 | * |
@@ -516,7 +516,7 @@ static void xc_diffadd(byte *x5, byte *z5, | |||
516 | 516 | ||
517 | /* Double an X-coordinate */ | 517 | /* Double an X-coordinate */ |
518 | static void xc_double(byte *x3, byte *z3, | 518 | static void xc_double(byte *x3, byte *z3, |
519 | const byte *x1, const byte *z1) | 519 | const byte *x1, const byte *z1) |
520 | { | 520 | { |
521 | /* Explicit formulas database: dbl-1987-m | 521 | /* Explicit formulas database: dbl-1987-m |
522 | * | 522 | * |
@@ -544,11 +544,14 @@ static void xc_double(byte *x3, byte *z3, | |||
544 | fe_mul_c(z3, x1sq, 4); | 544 | fe_mul_c(z3, x1sq, 4); |
545 | } | 545 | } |
546 | 546 | ||
547 | void FAST_FUNC curve25519(byte *result, const byte *e, const byte *q) | 547 | static void curve25519(byte *result, const byte *e, const byte *q) |
548 | { | 548 | { |
549 | int i; | 549 | int i; |
550 | 550 | ||
551 | struct { | 551 | struct { |
552 | /* for bbox's special case of q == NULL meaning "use basepoint" */ | ||
553 | /*static const*/ uint8_t basepoint9[CURVE25519_KEYSIZE]; // = {9}; | ||
554 | |||
552 | /* from wolfssl-3.15.3/wolfssl/wolfcrypt/fe_operations.h */ | 555 | /* from wolfssl-3.15.3/wolfssl/wolfcrypt/fe_operations.h */ |
553 | /*static const*/ byte f25519_one[F25519_SIZE]; // = {1}; | 556 | /*static const*/ byte f25519_one[F25519_SIZE]; // = {1}; |
554 | 557 | ||
@@ -559,6 +562,7 @@ void FAST_FUNC curve25519(byte *result, const byte *e, const byte *q) | |||
559 | byte xm1[F25519_SIZE]; // = {1}; | 562 | byte xm1[F25519_SIZE]; // = {1}; |
560 | byte zm1[F25519_SIZE]; // = {0}; | 563 | byte zm1[F25519_SIZE]; // = {0}; |
561 | } z; | 564 | } z; |
565 | #define basepoint9 z.basepoint9 | ||
562 | #define f25519_one z.f25519_one | 566 | #define f25519_one z.f25519_one |
563 | #define xm z.xm | 567 | #define xm z.xm |
564 | #define zm z.zm | 568 | #define zm z.zm |
@@ -569,6 +573,11 @@ void FAST_FUNC curve25519(byte *result, const byte *e, const byte *q) | |||
569 | zm[0] = 1; | 573 | zm[0] = 1; |
570 | xm1[0] = 1; | 574 | xm1[0] = 1; |
571 | 575 | ||
576 | if (!q) { | ||
577 | basepoint9[0] = 9; | ||
578 | q = basepoint9; | ||
579 | } | ||
580 | |||
572 | /* Note: bit 254 is assumed to be 1 */ | 581 | /* Note: bit 254 is assumed to be 1 */ |
573 | lm_copy(xm, q); | 582 | lm_copy(xm, q); |
574 | 583 | ||
@@ -599,3 +608,23 @@ void FAST_FUNC curve25519(byte *result, const byte *e, const byte *q) | |||
599 | fe_mul__distinct(result, zm1, xm); | 608 | fe_mul__distinct(result, zm1, xm); |
600 | fe_normalize(result); | 609 | fe_normalize(result); |
601 | } | 610 | } |
611 | |||
612 | /* interface to bbox's TLS code: */ | ||
613 | |||
614 | void FAST_FUNC curve_x25519_compute_pubkey_and_premaster( | ||
615 | uint8_t *pubkey, uint8_t *premaster, | ||
616 | const uint8_t *peerkey32) | ||
617 | { | ||
618 | uint8_t privkey[CURVE25519_KEYSIZE]; //[32] | ||
619 | |||
620 | /* Generate random private key, see RFC 7748 */ | ||
621 | tls_get_random(privkey, sizeof(privkey)); | ||
622 | privkey[0] &= 0xf8; | ||
623 | privkey[CURVE25519_KEYSIZE-1] = ((privkey[CURVE25519_KEYSIZE-1] & 0x7f) | 0x40); | ||
624 | |||
625 | /* Compute public key */ | ||
626 | curve25519(pubkey, privkey, NULL /* "use base point of x25519" */); | ||
627 | |||
628 | /* Compute premaster using peer's public key */ | ||
629 | curve25519(premaster, privkey, peerkey32); | ||
630 | } | ||
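Review bot: The new `curve_x25519_compute_pubkey_and_premaster` passes `peerkey32` to `curve25519` unchecked and returns `premaster` without inspecting it, so a low-order peer point (the all-zero point among others) yields an all-zero shared secret that the handshake would then key from; RFC 8422 §5.11, citing RFC 7748 §6.1, requires the receiving party to check for the all-zero X25519 result and abort. The clamping on lines 622-623 matches RFC 7748 and is fine. The ephemeral `privkey` is also left on the stack after the two scalar multiplications and should be wiped with a clear the compiler cannot elide (`explicit_bzero` where the libc offers it; a plain `memset` before return may be dropped). Since the function is void, the least intrusive fix is to return a status and let the caller in tls.c (not in this diff) abort the handshake; the lines below show that shape.
```c
int FAST_FUNC curve_x25519_compute_pubkey_and_premaster(
		uint8_t *pubkey, uint8_t *premaster,
		const uint8_t *peerkey32)
{
	uint8_t privkey[CURVE25519_KEYSIZE]; //[32]
	uint8_t acc;
	int i;

	/* … unchanged: random private key generation and RFC 7748 clamping … */
	/* … unchanged: curve25519(pubkey, ...) and curve25519(premaster, ...) … */

	/* The ephemeral scalar is no longer needed; a plain memset here may be
	 * optimized away, so use a clear the compiler must keep */
	explicit_bzero(privkey, sizeof(privkey));

	/* RFC 8422 5.11 / RFC 7748 6.1: a low-order peer point gives an all-zero
	 * secret. OR every byte (no early exit) and let the caller abort on 0 */
	acc = 0;
	for (i = 0; i < CURVE25519_KEYSIZE; i++)
		acc |= premaster[i];
	return acc == 0 ? -1 : 0;
}
```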