michaelh/zephyr
1
0
Fork 0
Code Releases Activity

Integration of TinyCrypt v2: ECC, CMAC, AES-CCM with test cases for CMAC and CCM.

Browse source 
Change-Id: I26a5c3027af0d00f55021c1ac063100606084314
Signed-off-by: Constanza Heath <constanza.m.heath@intel.com>
This commit is contained in:
Constanza Heath 2016-01-27 11:07:05 -08:00 committed by Anas Nashif
commit eaed145cb6
51 changed files with 3527 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

36
lib/crypto/tinycrypt/Kconfig
View file

@ -50,6 +50,24 @@ config TINYCRYPT_SHA256_HMAC_PRNG
This option enables support for psudeo-random number
generator.
config TINYCRYPT_ECC_DH
bool
prompt "ECC_DH anonymous key agreement protocol"
depends on TINYCRYPT
default n
help
This option enables support for the Elliptic curve
Diffie-Helman anonymous key agreement protocol.
config TINYCRYPT_ECC_DSA
bool
prompt "ECC_DSA digital signature algorithm"
depends on TINYCRYPT
default n
help
This option enables support for the Elliptic Curbe Digital
Signature Algorithm (ECDSA).
config TINYCRYPT_AES
bool
prompt "AES-128 decrypt/encrypt"
@ -72,4 +90,20 @@ config TINYCRYPT_AES_CTR
depends on TINYCRYPT_AES
default n
help
This option enables support for AES-128 counter mode.
This option enables support for AES-128 counter mode.
config TINYCRYPT_AES_CCM
bool
prompt "AES-128 CCM mode"
depends on TINYCRYPT_AES
default n
help
This option enables support for AES-128 CCM mode.
config TINYCRYPT_AES_CMAC
bool
prompt "AES-128 CMAC mode"
depends on TINYCRYPT_AES
default n
help
This option enables support for AES-128 CMAC mode.

4
lib/crypto/tinycrypt/Makefile
View file

@ -1,9 +1,13 @@
ccflags-y +=-I$(srctree)/lib/crypto/tinycrypt/include
lib-$(CONFIG_TINYCRYPT) := source/utils.o
lib-$(CONFIG_TINYCRYPT_ECC_DH) += source/ecc_dh.o
lib-$(CONFIG_TINYCRYPT_ECC_DSA) += source/ecc_dsa.o
lib-$(CONFIG_TINYCRYPT_AES) += source/aes_decrypt.o
lib-$(CONFIG_TINYCRYPT_AES) += source/aes_encrypt.o
lib-$(CONFIG_TINYCRYPT_AES_CBC) += source/cbc_mode.o
lib-$(CONFIG_TINYCRYPT_AES_CTR) += source/ctr_mode.o
lib-$(CONFIG_TINYCRYPT_AES_CCM) += source/ccm_mode.o
lib-$(CONFIG_TINYCRYPT_AES_CMAC) += source/cmac_mode.o
lib-$(CONFIG_TINYCRYPT_SHA256) += source/sha256.o
lib-$(CONFIG_TINYCRYPT_SHA256) += source/utils.o
lib-$(CONFIG_TINYCRYPT_SHA256_HMAC) += source/hmac.o

6
lib/crypto/tinycrypt/include/tinycrypt/aes.h
View file

@ -49,7 +49,7 @@
#ifndef __TC_AES_H__
#define __TC_AES_H__
#include<stdint.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
@ -74,7 +74,7 @@ typedef struct tc_aes_key_sched_struct *TCAesKeySched_t;
* @note This implementation skips the additional steps required for keys
* larger than 128 bits, and must not be used for AES-192 or
* AES-256 key schedule -- see FIPS 197 for details
* @param s IN/OUT -- inited struct tc_aes_key_sched_struct
* @param s IN/OUT -- initialized struct tc_aes_key_sched_struct
* @param k IN -- points to the AES key
*/
int32_t tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k);
@ -106,7 +106,7 @@ int32_t tc_aes_encrypt(uint8_t *out,
* @warning This routine skips the additional steps required for keys larger
* than 128, and must not be used for AES-192 or AES-256 key
* schedule -- see FIPS 197 for details
* @param s IN/OUT -- inited struct tc_aes_key_sched_struct
* @param s IN/OUT -- initialized struct tc_aes_key_sched_struct
* @param k IN -- points to the AES key
*/
int32_t tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k);

2
lib/crypto/tinycrypt/include/tinycrypt/cbc_mode.h
View file

@ -114,7 +114,7 @@ int32_t tc_cbc_mode_encrypt(uint8_t *out, uint32_t outlen, const uint8_t *in,
/**
* @brief CBC decryption procedure
* CBC decrypts inlen bytes of the in buffer into the out buffer
* using the encryption key schedule provided by a
* using the provided encryption key schedule
* @return returns TC_SUCCESS (1)
* returns TC_FAIL (0) if:
* out == NULL or

201
lib/crypto/tinycrypt/include/tinycrypt/ccm_mode.h Normal file
View file

@ -0,0 +1,201 @@
/* ccm_mode.h - TinyCrypt interface to a CCM mode implementation */
/*
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file
* @brief Interface to a CCM mode implementation.
*
* Overview: CCM (for "Counter with CBC-MAC") mode is a NIST approved mode of
* operation defined in SP 800-38C.
*
* TinyCrypt CCM implementation accepts:
*
* 1) Both non-empty payload and associated data (it encrypts and
* authenticates the payload and also authenticates the associated
* data);
* 2) Non-empty payload and empty associated data (it encrypts and
* authenticates the payload);
* 3) Non-empty associated data and empty payload (it degenerates to
* an authentication mode on the associated data).
*
* TinyCrypt CCM implementation accepts associated data of any length
* between 0 and (2^16 - 2^8) bytes.
*
* Security: The mac length parameter is an important parameter to estimate the
* security against collision attacks (that aim at finding different
* messages that produce the same authentication tag). TinyCrypt CCM
* implementation accepts any even integer between 4 and 16, as
* suggested in SP 800-38C.
*
* RFC-3610, which also specifies CCM, presents a few relevant
* security suggestions, such as: it is recommended for most
* applications to use a mac length greater than 8. Besides, the
* usage of the same nonce for two different messages which are
* encrypted with the same key destroys the security of CCM mode.
*
* Requires: AES-128
*
* Usage: 1) call tc_ccm_config to configure.
*
* 2) call tc_ccm_mode_encrypt to encrypt data and generate tag.
*
* 3) call tc_ccm_mode_decrypt to decrypt data and verify tag.
*/
#ifndef __TC_CCM_MODE_H__
#define __TC_CCM_MODE_H__
#include <tinycrypt/aes.h>
#include <stddef.h>
#ifdef __cplusplus
extern "C" {
#endif
/* max additional authenticated size in bytes: 2^16 - 2^8 = 65280 */
#define TC_CCM_AAD_MAX_BYTES 0xff00
/* max message size in bytes: 2^(8L) = 2^16 = 65536 */
#define TC_CCM_PAYLOAD_MAX_BYTES 0x10000
/* struct tc_ccm_mode_struct represents the state of a CCM computation */
typedef struct tc_ccm_mode_struct {
TCAesKeySched_t sched; /* AES key schedule */
uint8_t *nonce; /* nonce required by CCM */
uint32_t mlen; /* mac length in bytes (parameter t in SP-800 38C) */
} *TCCcmMode_t;
/**
* @brief CCM configuration procedure
* @return returns TC_SUCCESS (1)
* returns TC_FAIL (0) if:
* c == NULL or
* sched == NULL or
* nonce == NULL or
* mlen != {4, 6, 8, 10, 12, 16}
* @param c -- CCM state
* @param sched IN -- AES key schedule
* @param nonce IN - nonce
* @param nlen -- nonce length in bytes
* @param mlen -- mac length in bytes (parameter t in SP-800 38C)
*/
int32_t tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce,
uint32_t nlen, uint32_t mlen);
/**
* @brief CCM tag generation and encryption procedure
* @return returns TC_SUCCESS (1)
* returns TC_FAIL (0) if:
* out == NULL or
* c == NULL or
* ((plen > 0) and (payload == NULL)) or
* ((alen > 0) and (associated_data == NULL)) or
* (alen >= TC_CCM_AAD_MAX_BYTES) or
* (plen >= TC_CCM_PAYLOAD_MAX_BYTES)
*
* @param out OUT -- encrypted data
* @param associated_data IN -- associated data
* @param alen IN -- associated data length in bytes
* @param payload IN -- payload
* @param plen IN -- payload length in bytes
* @param c IN -- CCM state
*
* @note: The sequence b for encryption is formatted as follows:
* b = [FLAGS | nonce | counter ], where:
* FLAGS is 1 byte long
* nonce is 13 bytes long
* counter is 2 bytes long
* The byte FLAGS is composed by the following 8 bits:
* 0-2 bits: used to represent the value of q-1
* 3-7 btis: always 0's
*
* @note: The sequence b for authentication is formatted as follows:
* b = [FLAGS | nonce | length(mac length)], where:
* FLAGS is 1 byte long
* nonce is 13 bytes long
* length(mac length) is 2 bytes long
* The byte FLAGS is composed by the following 8 bits:
* 0-2 bits: used to represent the value of q-1
* 3-5 bits: mac length (encoded as: (mlen-2)/2)
* 6: Adata (0 if alen == 0, and 1 otherwise)
* 7: always 0
*/
int32_t tc_ccm_generation_encryption(uint8_t *out, const uint8_t *associated_data,
uint32_t alen, const uint8_t *payload,
uint32_t plen, TCCcmMode_t c);
/**
* @brief CCM decryption and tag verification procedure
* @return returns TC_SUCCESS (1)
* returns TC_FAIL (0) if:
* out == NULL or
* c == NULL or
* ((plen > 0) and (payload == NULL)) or
* ((alen > 0) and (associated_data == NULL)) or
* (alen >= TC_CCM_AAD_MAX_BYTES) or
* (plen >= TC_CCM_PAYLOAD_MAX_BYTES)
*
* @param out OUT -- decrypted data
* @param associated_data IN -- associated data
* @param alen IN -- associated data length in bytes
* @param payload IN -- payload
* @param plen IN -- payload length in bytes
* @param c IN -- CCM state
*
* @note: The sequence b for encryption is formatted as follows:
* b = [FLAGS | nonce | counter ], where:
* FLAGS is 1 byte long
* nonce is 13 bytes long
* counter is 2 bytes long
* The byte FLAGS is composed by the following 8 bits:
* 0-2 bits: used to represent the value of q-1
* 3-7 btis: always 0's
*
* @note: The sequence b for authentication is formatted as follows:
* b = [FLAGS | nonce | length(mac length)], where:
* FLAGS is 1 byte long
* nonce is 13 bytes long
* length(mac length) is 2 bytes long
* The byte FLAGS is composed by the following 8 bits:
* 0-2 bits: used to represent the value of q-1
* 3-5 bits: mac length (encoded as: (mlen-2)/2)
* 6: Adata (0 if alen == 0, and 1 otherwise)
* 7: always 0
*/
int32_t tc_ccm_decryption_verification(uint8_t *out, const uint8_t *associated_data,
uint32_t alen, const uint8_t *payload, uint32_t plen,
TCCcmMode_t c);
#ifdef __cplusplus
}
#endif
#endif

194
lib/crypto/tinycrypt/include/tinycrypt/cmac_mode.h Normal file
View file

@ -0,0 +1,194 @@
/* cmac_mode.h -- interface to a CMAC implementation */
/*
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file
* @brief Interface to a CMAC implementation.
*
* Overview: CMAC is defined NIST in SP 800-38B, and is the standard algorithm
* for computing a MAC using a block cipher. It can compute the MAC
* for a byte string of any length. It is distinguished from CBC-MAC
* in the processing of the final message block; CMAC uses a
* different technique to compute the final message block is full
* size or only partial, while CBC-MAC uses the same technique for
* both. This difference permits CMAC to be applied to variable
* length messages, while all messages authenticated by CBC-MAC must
* be the same length.
*
* Security: AES128-CMAC mode of operation offers 64 bits of security against
* collision attacks. Note however that an external attacker cannot
* generate the tags him/herself without knowing the MAC key. In this
* sense, to attack the collision property of AES128-CMAC, an
* external attacker would need the cooperation of the legal user to
* produce an exponentially high number of tags (e.g. 2^64) to
* finally be able to look for collisions and benefit from them. As
* an extra precaution, the current implementation allows to at most
* 2^48 calls to the tc_cmac_update function before re-calling
* tc_cmac_setup (allowing a new key to be set), as suggested in
* Appendix B of SP 800-38B.
*
* Requires: AES-128
*
* Usage: This implementation provides a "scatter-gather" interface, so that
* the CMAC value can be computed incrementally over a message
* scattered in different segments throughout memory. Experience shows
* this style of interface tends to minimize the burden of programming
* correctly. Like all symmetric key operations, it is session
* oriented.
*
* To begin a CMAC session, use tc_cmac_setup to initialize a struct
* tc_cmac_struct with encryption key and buffer. Our implementation
* always assume that the AES key to be the same size as the block
* cipher block size. Once setup, this data structure can be used for
* many CMAC computations.
*
* Once the state has been setup with a key, computing the CMAC of
* some data requires three steps:
*
* (1) first use tc_cmac_init to initialize a new CMAC computation.
* (2) next mix all of the data into the CMAC computation state using
* tc_cmac_update. If all of the data resides in a single data
* segment then only one tc_cmac_update call is needed; if data
* is scattered throughout memory in n data segments, then n calls
* will be needed. CMAC IS ORDER SENSITIVE, to be able to detect
* attacks that swap bytes, so the order in which data is mixed
* into the state is critical!
* (3) Once all of the data for a message has been mixed, use
* tc_cmac_final to compute the CMAC tag value.
*
* Steps (1)-(3) can be repeated as many times as you want to CMAC
* multiple messages. A practical limit is 2^48 1K messages before you
* have to change the key.
*
* Once you are done computing CMAC with a key, it is a good idea to
* destroy the state so an attacker cannot recover the key; use
* tc_cmac_erase to accomplish this.
*/
#ifndef __TC_CMAC_MODE_H__
#define __TC_CMAC_MODE_H__
#include <tinycrypt/aes.h>
#include <stddef.h>
#ifdef __cplusplus
extern "C" {
#endif
/* padding for last message block */
#define TC_CMAC_PADDING 0x80
/* struct tc_cmac_struct represents the state of a CMAC computation */
typedef struct tc_cmac_struct {
/* initialization vector */
uint8_t iv[TC_AES_BLOCK_SIZE];
/* used if message length is a multiple of block_size bytes */
uint8_t K1[TC_AES_BLOCK_SIZE];
/* used if message length isn't a multiple block_size bytes */
uint8_t K2[TC_AES_BLOCK_SIZE];
/* where to put bytes that didn't fill a block */
uint8_t leftover[TC_AES_BLOCK_SIZE];
/* identifies the encryption key */
uint32_t keyid;
/* next available leftover location */
uint32_t leftover_offset;
/* AES key schedule */
TCAesKeySched_t sched;
/* calls to tc_cmac_update left before re-key */
uint64_t countdown;
} *TCCmacState_t;
/**
* @brief Configures the CMAC state to use the given AES key
* @return returns TC_SUCCESS (1) after having configured the CMAC state
* returns TC_FAIL (0) if:
* s == NULL or
* key == NULL
*
* @param s IN/OUT -- the state to set up
* @param key IN -- the key to use
* @param sched IN -- AES key schedule
*/
int32_t tc_cmac_setup(TCCmacState_t s, const uint8_t *key,
TCAesKeySched_t sched);
/**
* @brief Erases the CMAC state
* @return returns TC_SUCCESS (1) after having configured the CMAC state
* returns TC_FAIL (0) if:
* s == NULL
*
* @param s IN/OUT -- the state to erase
*/
int32_t tc_cmac_erase(TCCmacState_t s);
/**
* @brief Initializes a new CMAC computation
* @return returns TC_SUCCESS (1) after having initialized the CMAC state
* returns TC_FAIL (0) if:
* s == NULL
*
* @param s IN/OUT -- the state to initialize
*/
int32_t tc_cmac_init(TCCmacState_t s);
/**
* @brief Incrementally computes CMAC over the next data segment
* @return returns TC_SUCCESS (1) after successfully updating the CMAC state
* returns TC_FAIL (0) if:
* s == NULL or
* if data == NULL when dlen > 0
*
* @param s IN/OUT -- the CMAC state
* @param data IN -- the next data segment to MAC
* @param dlen IN -- the length of data in bytes
*/
int32_t tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t dlen);
/**
* @brief Generates the tag from the CMAC state
* @return returns TC_SUCCESS (1) after successfully generating the tag
* returns TC_FAIL (0) if:
* tag == NULL or
* s == NULL
*
* @param tag OUT -- the CMAC tag
* @param s IN -- CMAC state
*/
int32_t tc_cmac_final(uint8_t *tag, TCCmacState_t s);
#ifdef __cplusplus
}
#endif
#endif

63
lib/crypto/tinycrypt/include/tinycrypt/constants.h Normal file
View file

@ -0,0 +1,63 @@
/* constants.h - TinyCrypt interface to constants */
/*
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file
* @brief -- Interface to constants.
*
*/
#ifndef __TC_CONSTANTS_H__
#define __TC_CONSTANTS_H__
#ifdef __cplusplus
extern "C" {
#endif
#ifndef NULL
#define NULL ((void *)0)
#endif
#ifndef bool
enum {false, true} bool;
#endif
#define TC_CRYPTO_SUCCESS 1
#define TC_CRYPTO_FAIL 0
#define TC_ZERO_BYTE 0x00
#ifdef __cplusplus
}
#endif
#endif

1
lib/crypto/tinycrypt/include/tinycrypt/ctr_mode.h
View file

@ -68,6 +68,7 @@
#define __TC_CTR_MODE_H__
#include <tinycrypt/aes.h>
#include <tinycrypt/constants.h>
#ifdef __cplusplus
extern "C" {

320
lib/crypto/tinycrypt/include/tinycrypt/ecc.h Normal file
View file

@ -0,0 +1,320 @@
/* ecc.h - TinyCrypt interface to ECC auxiliary functions */
/*
* =============================================================================
* Copyright (c) 2013, Kenneth MacKay
* All rights reserved.
* https://github.com/kmackay/micro-ecc
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* =============================================================================
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file
* @brief -- Interface to ECC auxiliary functions.
*
* Overview: This software is an implementation of auxiliary functions
* necessary to elliptic curve cryptography. This implementation uses
* curve NIST p-256.
*
* Security: The curve NIST p-256 provides approximately 128 bits of security.
*
*/
#ifndef __TC_ECC_H__
#define __TC_ECC_H__
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/* Number of words of 32 bits to represent an element of the the curve p-256: */
#define NUM_ECC_DIGITS 8
/* Number of bytes to represent an element of the the curve p-256: */
#define NUM_ECC_BYTES (4*NUM_ECC_DIGITS)
/* struct to represent a point of the curve (uses X and Y coordinates): */
typedef struct EccPoint {
uint32_t x[NUM_ECC_DIGITS];
uint32_t y[NUM_ECC_DIGITS];
} EccPoint;
/* struct to represent a point of the curve in Jacobian coordinates
* (uses X, Y and Z coordinates):
*/
typedef struct EccPointJacobi {
uint32_t X[NUM_ECC_DIGITS];
uint32_t Y[NUM_ECC_DIGITS];
uint32_t Z[NUM_ECC_DIGITS];
} EccPointJacobi;
/*
* @brief Check if p_vli is zero.
* @return returns non-zero if p_vli == 0, zero otherwise.
*
* @param p_native OUT -- will be filled in with the native integer value.
* @param p_bytes IN -- standard octet representation of the integer to convert.
*
* @note Side-channel countermeasure: algorithm strengthened against timing
* attack.
*/
uint32_t vli_isZero(uint32_t *p_vli);
/*
* @brief Set the content of p_src in p_dest.
*
* @param p_dest OUT -- Destination buffer.
* @param p_src IN -- Origin buffer.
*
*/
void vli_set(uint32_t *p_dest, uint32_t *p_src);
/*
* @brief Computes the sign of p_left - p_right.
* @return returns the sign of p_left - p_right.
*
* @param p_left IN -- buffer to be compared.
* @param p_right IN -- buffer to be compared.
* @param word_size IN -- size of the word.
*
* @note Side-channel countermeasure: algorithm strengthened against timing
* attack.
*/
int32_t vli_cmp(uint32_t *p_left, uint32_t *p_right, int32_t word_size);
/*
* @brief Computes p_result = p_left - p_right, returns borrow.
* @return returns the sign of p_left - p_right.
*
* @param p_result IN -- buffer to be compared.
* @param p_left IN -- buffer p_left in (p_left - p_right).
* @param p_right IN -- buffer p_right in (p_left - p_right).
* @param word_size IN -- size of the word.
*
* @note Side-channel countermeasure: algorithm strengthened against timing
* attack.
* @note Can modify in place.
*/
uint32_t vli_sub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
uint32_t word_size);
/*
* @brief Conditional set: sets either 'p_true' or 'p_false' to 'output',
* depending on the value of 'cond'.
*
* @param output OUT -- result buffer after setting either p_true or p_false.
* @param p_true IN -- buffer to be used if cond is true.
* @param p_false IN -- buffer to be used if cond is false.
* @param cond IN -- boolean value that will determine which value will be set
* to output.
*/
void vli_cond_set(uint32_t *output, uint32_t *p_true, uint32_t *p_false,
uint32_t cond);
/*
* @brief Computes p_result = (p_left + p_right) % p_mod.
*
* @param p_result OUT -- result buffer.
* @param p_left IN -- buffer p_left in (p_left + p_right) % p_mod.
* @param p_right IN -- buffer p_right in (p_left + p_right) % p_mod.
* @param p_mod IN -- module.
*
* @note Assumes that p_left < p_mod and p_right < p_mod, p_result != p_mod.
* @note Side-channel countermeasure: algorithm strengthened against timing
* attack.
*/
void vli_modAdd(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
uint32_t *p_mod);
/*
* @brief Computes p_result = (p_left - p_right) % p_mod.
*
* @param p_result OUT -- result buffer.
* @param p_left IN -- buffer p_left in (p_left - p_right) % p_mod.
* @param p_right IN -- buffer p_right in (p_left - p_right) % p_mod.
* @param p_mod IN -- module.
*
* @note Assumes that p_left < p_mod and p_right < p_mod, p_result != p_mod.
* @note Side-channel countermeasure: algorithm strengthened against timing
* attack.
*/
void vli_modSub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
uint32_t *p_mod);
/*
* @brief Computes p_result = (p_left * p_right) % curve_p.
*
* @param p_result OUT -- result buffer.
* @param p_left IN -- buffer p_left in (p_left * p_right) % curve_p.
* @param p_right IN -- buffer p_right in (p_left * p_right) % curve_p.
*/
void vli_modMult_fast(uint32_t *p_result, uint32_t *p_left,
uint32_t *p_right);
/*
* @brief Computes p_result = p_left^2 % curve_p.
*
* @param p_result OUT -- result buffer.
* @param p_left IN -- buffer p_left in (p_left^2 % curve_p).
*/
void vli_modSquare_fast(uint32_t *p_result, uint32_t *p_left);
/*
* @brief Computes p_result = (p_left * p_right) % p_mod.
*
* @param p_result OUT -- result buffer.
* @param p_left IN -- buffer p_left in (p_left * p_right) % p_mod.
* @param p_right IN -- buffer p_right in (p_left * p_right) % p_mod.
* @param p_mod IN -- module.
* @param p_barrett IN -- used for Barrett reduction.
*/
void vli_modMult(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
uint32_t *p_mod, uint32_t *p_barrett);
/*
* @brief Computes modular inversion: (1/p_intput) % p_mod.
*
* @param p_result OUT -- result buffer.
* @param p_input IN -- buffer p_input in (1/p_intput) % p_mod.
* @param p_mod IN -- module.
* @param p_barrett IN -- used for Barrett reduction.
*/
void vli_modInv(uint32_t *p_result, uint32_t *p_input,
uint32_t *p_mod, uint32_t *p_barrett);
/*
* @brief Check if a point is zero.
* @return Returns 1 if p_point is the point at infinity, 0 otherwise.
*
* @param p_point IN -- point to be checked.
*/
uint32_t EccPoint_isZero(EccPoint *p_point);
/*
* @brief Check if point in Jacobi coordinates is zero.
* @return Returns 1 if p_point_jacobi is the point at infinity, 0 otherwise.
*
* @param p_point IN -- point to be checked.
*/
uint32_t EccPointJacobi_isZero(EccPointJacobi *p_point_jacobi);
/*
* @brief Conversion from Jacobi coordinates to Affine coordinates.
*
* @param p_point OUT -- point in Affine coordinates.
* @param p_point_jacobi OUT -- point in Jacobi coordinates.
*/
void EccPoint_toAffine(EccPoint *p_point, EccPointJacobi *p_point_jacobi);
/*
* @brief Elliptic curve point addition in Jacobi coordinates: P1 = P1 + P2.
*
* @param P1 IN/OUT -- P1 in P1 = P1 + P2.
* @param P2 IN -- P2 in P1 = P1 + P2.
*/
void EccPoint_add(EccPointJacobi *P1, EccPointJacobi *P2);
/*
* @brief Elliptic curve scalar multiplication with result in Jacobi coordinates
*
* @param p_result OUT -- Product of p_point by p_scalar.
* @param p_point IN -- Elliptic curve point
* @param p_scalar IN -- Scalar integer
*/
void EccPoint_mult(EccPointJacobi *p_result, EccPoint *p_point,
uint32_t *p_scalar);
/*
* @brief Convert an integer in standard octet representation to native format.
* @return returns TC_SUCCESS (1)
* returns TC_FAIL (0) if:
* out == NULL or
* c == NULL or
* ((plen > 0) and (payload == NULL)) or
* ((alen > 0) and (associated_data == NULL)) or
* (alen >= TC_CCM_AAD_MAX_BYTES) or
* (plen >= TC_CCM_PAYLOAD_MAX_BYTES)
*
* @param p_native OUT -- will be filled in with the native integer value.
* @param p_bytes IN -- standard octet representation of the integer to convert.
*
*/
void ecc_bytes2native(uint32_t p_native[NUM_ECC_DIGITS],
uint8_t p_bytes[NUM_ECC_DIGITS*4]);
/*
* @brief Convert an integer in native format to standard octet representation.
* @return returns TC_SUCCESS (1)
* returns TC_FAIL (0) if:
* out == NULL or
* c == NULL or
* ((plen > 0) and (payload == NULL)) or
* ((alen > 0) and (associated_data == NULL)) or
* (alen >= TC_CCM_AAD_MAX_BYTES) or
* (plen >= TC_CCM_PAYLOAD_MAX_BYTES)
*
* @param p_bytes OUT -- will be filled in with the standard octet
* representation of the integer.
* @param p_native IN -- native integer value to convert.
*
*/
void ecc_native2bytes(uint8_t p_bytes[NUM_ECC_DIGITS*4],
uint32_t p_native[NUM_ECC_DIGITS]);
#ifdef __cplusplus
}
#endif
#endif

144
lib/crypto/tinycrypt/include/tinycrypt/ecc_dh.h Normal file
View file

@ -0,0 +1,144 @@
/* ecc_dh.h - TinyCrypt interface to EC-DH implementation */
/*
* =============================================================================
* Copyright (c) 2013, Kenneth MacKay
* All rights reserved.
* https://github.com/kmackay/micro-ecc
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* =============================================================================
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file
* @brief -- Interface to EC-DH implementation.
*
* Overview: This software is an implementation of EC-DH. This implementation
* uses curve NIST p-256.
*
* Security: The curve NIST p-256 provides approximately 128 bits of security.
*
*/
#ifndef __TC_ECC_DH_H__
#define __TC_ECC_DH_H__
#include <tinycrypt/ecc.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* @brief Create a public/private key pair.
* @return returns TC_SUCCESS (1) if the key pair was generated successfully
* returns TC_FAIL (0) if:
* the private key is 0
* @param p_publicKey OUT -- the point representing the public key.
* @param p_privateKey OUT -- the private key.
* @param p_random IN -- The random number to use to generate the key pair.
*
* @note You must use a new non-predictable random number to generate each
* new key pair.
* @note p_random must have NUM_ECC_DIGITS*2 bits of entropy to eliminate
* bias in keys.
*
* @note side-channel countermeasure: algorithm strengthened against timing
* attack.
*/
int32_t ecc_make_key(EccPoint *p_publicKey,
uint32_t p_privateKey[NUM_ECC_DIGITS],
uint32_t p_random[NUM_ECC_DIGITS * 2]);
/**
* @brief Determine whether or not a given point is on the chosen elliptic curve
* (ie, is a valid public key).
* @return returns 0 if the given point is valid
* returns -1 if: the point is zero
* returns -2 if: curve_p - p_publicKey->x != 1 or
* curve_p - p_publicKey->y != 1
* returns -3 if: y^2 != x^3 + ax + b
* @param p_publicKey IN -- The point to be checked.
*/
int32_t ecc_valid_public_key(EccPoint *p_publicKey);
/**
* @brief Compute a shared secret given your secret key and someone else's
* public key.
* @return returns TC_SUCCESS (1) if the shared secret was computed successfully
* returns TC_FAIL (0) otherwise
*
* @param p_secret OUT -- The shared secret value.
* @param p_publicKey IN -- The public key of the remote party.
* @param p_privateKey IN -- Your private key.
*
* @note Optionally, you can provide a random multiplier for resistance to DPA
* attacks. The random multiplier should probably be different for each
* invocation of ecdh_shared_secret().
*
* @note It is recommended that you hash the result of ecdh_shared_secret before
* using it for symmetric encryption or HMAC. If you do not hash the shared
* secret, you must call ecc_valid_public_key() to verify that the remote side's
* public key is valid. If this is not done, an attacker could create a public
* key that would cause your use of the shared secret to leak information about
* the private key.
*/
int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS], EccPoint *p_publicKey,
uint32_t p_privateKey[NUM_ECC_DIGITS]);
#ifdef __cplusplus
}
#endif
#endif

135
lib/crypto/tinycrypt/include/tinycrypt/ecc_dsa.h Normal file
View file

@ -0,0 +1,135 @@
/* ecc_dh.h - TinyCrypt interface to EC-DSA implementation */
/*
* =============================================================================
* Copyright (c) 2013, Kenneth MacKay
* All rights reserved.
* https://github.com/kmackay/micro-ecc
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* =============================================================================
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file
* @brief -- Interface to EC-DSA implementation.
*
* Overview: This software is an implementation of EC-DSA. This implementation
* uses curve NIST p-256.
*
* Security: The curve NIST p-256 provides approximately 128 bits of security.
*
* Usage: - To sign: Compute a hash of the data you wish to sign (SHA-2 is
* recommended) and pass it in to ecdsa_sign function along with your
* private key and a random number. You must use a new non-predictable
* random number to generate each new signature.
* - To verify a signature: Compute the hash of the signed data using
* the same hash as the signer and pass it to this function along with
* the signer's public key and the signature values (r and s).
*/
#ifndef __TC_ECC_DSA_H__
#define __TC_ECC_DSA_H__
#include <tinycrypt/ecc.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* @brief Generate an ECDSA signature for a given hash value.
* @return returns TC_SUCCESS (1) if the the signature generated successfully
* returns TC_FAIL (0) if:
* r == 0 or
* p_random == 0
*
* @param r OUT -- to be filled with the signature values.
* @param s OUT -- to be filled with the signature values.
* @param p_privateKey IN -- Your private key.
* @param p_random IN -- The random number to use in generating ephemeral DSA
* keys.
* @param p_hash IN -- The message hash to sign.
*
* @note p_random must have NUM_ECC_DIGITS*2 bits of entropy to eliminate
* bias in keys.
*
* @note side-channel countermeasure: algorithm strengthened against timing
* attack.
*/
int32_t ecdsa_sign(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS],
uint32_t p_privateKey[NUM_ECC_DIGITS], uint32_t p_random[NUM_ECC_DIGITS * 2],
uint32_t p_hash[NUM_ECC_DIGITS]);
/**
* @brief Verify an ECDSA signature.
* @return returns TC_SUCCESS (1) if the the signature generated successfully
* returns TC_FAIL (0) if:
* r == 0 or
* p_random == 0
*
* @param p_publicKey IN -- The signer's public key.
* @param p_hash IN -- The hash of the signed data.
* @param r IN -- The signature values.
* @param s IN -- The signature values.
*
* @note side-channel countermeasure: algorithm strengthened against timing
* attack.
*/
int32_t ecdsa_verify(EccPoint *p_publicKey, uint32_t p_hash[NUM_ECC_DIGITS],
uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS]);
#ifdef __cplusplus
}
#endif
#endif

2
lib/crypto/tinycrypt/include/tinycrypt/hmac.h
View file

@ -129,7 +129,7 @@ int32_t tc_hmac_update(TCHmacState_t ctx,
* state has been initialized by tc_hmac_init
* @param tag IN/OUT -- buffer to receive computed HMAC tag
* @param taglen IN -- size of tag in bytes
* @param ctx IN -- the HMAC state for computing tag
* @param ctx IN/OUT -- the HMAC state for computing tag
*/
int32_t tc_hmac_final(uint8_t *tag, uint32_t taglen, TCHmacState_t ctx);

4
lib/crypto/tinycrypt/include/tinycrypt/hmac_prng.h
View file

@ -75,6 +75,8 @@
extern "C" {
#endif
#define TC_HMAC_PRNG_RESEED_REQ -1
struct tc_hmac_prng_struct {
/* the HMAC instance for this PRNG */
struct tc_hmac_state_struct h;
@ -142,7 +144,7 @@ int32_t tc_hmac_prng_reseed(TCHmacPrng_t prng, const uint8_t *seed,
* @brief HMAC-PRNG generate procedure
* Generates outlen pseudo-random bytes into out buffer, updates prng
* @return returns TC_SUCCESS (1)
* returns TC_RESEED_REQ (-1) if a reseed is needed
* returns TC_HMAC_PRNG_RESEED_REQ (-1) if a reseed is needed
* returns TC_FAIL (0) if:
* out == NULL,
* prng == NULL,

2
lib/crypto/tinycrypt/include/tinycrypt/sha256.h
View file

@ -119,7 +119,7 @@ int32_t tc_sha256_update(TCSha256State_t s,
* @warning The state buffer 'leftover' is left in memory after processing
* If your application intends to have sensitive data in this
* buffer, remind to erase it after the data has been processed
* @param digest unigned eight bit integer
* @param digest unsigned eight bit integer
* @param Sha256 state struct
*/
int32_t tc_sha256_final(uint8_t *digest, TCSha256State_t s);

35
lib/crypto/tinycrypt/include/tinycrypt/utils.h
View file

@ -40,6 +40,7 @@
#define __TC_UTILS_H__
#include <stdint.h>
#include <stddef.h>
#ifdef __cplusplus
extern "C" {
@ -51,24 +52,46 @@ extern "C" {
/**
* @brief Copy the the buffer 'from' to the buffer 'to'.
* @return returns TC_SUCCESS (1)
* returns TC_FAIL (0) if:
* from_len > to_len.
*
* @return returns TC_FAIL (0) if:
* from_len > to_len.
* @param to OUT -- destination buffer
* @param to_len IN -- length of destination buffer
* @param from IN -- origin buffer
* @param from_len IN -- length of origin buffer
*/
uint32_t _copy(uint8_t *to, uint32_t to_len,
const uint8_t *from, uint32_t from_len);
/**
* @brief Set the value 'val' into the buffer 'to', 'len' times.
*
* @param to OUT -- destination buffer
* @param val IN -- value to be set in 'to'
* @param len IN -- number of times the value will be copied
*/
void _set(uint8_t *to, uint8_t val, uint32_t len);
void _set(void *to, uint8_t val, uint32_t len);
/**
* @brief This is an AES specific doubling function, which utilizes the
* finite field used by AES.
/*
* @brief AES specific doubling function, which utilizes
* the finite field used by AES.
* @return Returns a^2
*
* @param a IN/OUT -- value to be doubled
*/
uint8_t _double_byte(uint8_t a);
/*
* @brief Constant-time algorithm to compare if two sequences of bytes are equal
* @return Returns 0 if equal, and non-zero otherwise
*
* @param a IN -- sequence of bytes a
* @param b IN -- sequence of bytes b
* @param size IN -- size of sequences a and b
*/
int32_t _compare(const uint8_t *a, const uint8_t *b, size_t size);
#ifdef __cplusplus
}
#endif

1
lib/crypto/tinycrypt/source/aes_decrypt.c
View file

@ -31,6 +31,7 @@
*/
#include <tinycrypt/aes.h>
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
#define ZERO_BYTE 0x00

5
lib/crypto/tinycrypt/source/aes_encrypt.c
View file

@ -32,6 +32,7 @@
#include <tinycrypt/aes.h>
#include <tinycrypt/utils.h>
#include <tinycrypt/constants.h>
static const uint8_t sbox[256] = {
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b,
@ -182,7 +183,9 @@ int32_t tc_aes_encrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s)
add_round_key(state, s->words + Nb*(i+1));
(void)_copy(out, sizeof(state), state, sizeof(state));
_set(state, 0x00, sizeof(state));
/* zeroing out the state buffer */
_set(state, TC_ZERO_BYTE, sizeof(state));
return TC_SUCCESS;
}

1
lib/crypto/tinycrypt/source/cbc_mode.c
View file

@ -31,6 +31,7 @@
*/
#include <tinycrypt/cbc_mode.h>
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
int32_t tc_cbc_mode_encrypt(uint8_t *out, uint32_t outlen, const uint8_t *in,

262
lib/crypto/tinycrypt/source/ccm_mode.c Normal file
View file

@ -0,0 +1,262 @@
/* ccm_mode.c - TinyCrypt implementation of CCM mode */
/*
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <tinycrypt/ccm_mode.h>
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
#include <stdio.h>
int32_t tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce,
uint32_t nlen, uint32_t mlen)
{
/* input sanity check: */
if (c == (TCCcmMode_t) 0 ||
sched == (TCAesKeySched_t) 0 ||
nonce == (uint8_t *) 0) {
return TC_FAIL;
} else if (nlen != 13) {
return TC_FAIL; /* The allowed nonce size is: 13. See documentation.*/
} else if ((mlen < 4) || (mlen > 16) || (mlen & 1)) {
return TC_FAIL; /* The allowed mac sizes are: 4, 6, 8, 10, 12, 14, 16.*/
}
c->mlen = mlen;
c->sched = sched;
c->nonce = nonce;
return TC_SUCCESS;
}
/**
* Variation of CBC-MAC mode used in CCM.
*/
static void ccm_cbc_mac(uint8_t *T, const uint8_t *data, uint32_t dlen,
uint32_t flag, TCAesKeySched_t sched)
{
uint32_t i;
if (flag > 0) {
T[0] ^= (uint8_t)(dlen >> 8);
T[1] ^= (uint8_t)(dlen);
dlen += 2; i = 2;
} else {
i = 0;
}
while (i < dlen) {
T[i++ % (Nb * Nk)] ^= *data++;
if (((i % (Nb * Nk)) == 0) || dlen == i) {
(void) tc_aes_encrypt(T, T, sched);
}
}
}
/**
* Variation of CTR mode used in CCM.
* The CTR mode used by CCM is slightly different than the conventional CTR
* mode (the counter is increased before encryption, instead of after
* encryption). Besides, it is assumed that the counter is stored in the last
* 2 bytes of the nonce.
*/
static int32_t ccm_ctr_mode(uint8_t *out, uint32_t outlen, const uint8_t *in,
uint32_t inlen, uint8_t *ctr, const TCAesKeySched_t sched)
{
uint8_t buffer[TC_AES_BLOCK_SIZE];
uint8_t nonce[TC_AES_BLOCK_SIZE];
uint16_t block_num;
uint32_t i;
/* input sanity check: */
if (out == (uint8_t *) 0 ||
in == (uint8_t *) 0 ||
ctr == (uint8_t *) 0 ||
sched == (TCAesKeySched_t) 0 ||
inlen == 0 ||
outlen == 0 ||
outlen != inlen) {
return TC_FAIL;
}
/* copy the counter to the nonce */
(void) _copy(nonce, sizeof(nonce), ctr, sizeof(nonce));
/* select the last 2 bytes of the nonce to be incremented */
block_num = (uint16_t) ((nonce[14] << 8)|(nonce[15]));
for (i = 0; i < inlen; ++i) {
if ((i % (TC_AES_BLOCK_SIZE)) == 0) {
block_num++;
nonce[14] = (uint8_t)(block_num >> 8);
nonce[15] = (uint8_t)(block_num);
if (!tc_aes_encrypt(buffer, nonce, sched)) {
return TC_FAIL;
}
}
/* update the output */
*out++ = buffer[i % (TC_AES_BLOCK_SIZE)] ^ *in++;
}
/* update the counter */
ctr[14] = nonce[14]; ctr[15] = nonce[15];
return TC_SUCCESS;
}
int32_t tc_ccm_generation_encryption(uint8_t *out, const uint8_t *associated_data,
uint32_t alen, const uint8_t *payload,
uint32_t plen, TCCcmMode_t c)
{
/* input sanity check: */
if ((out == (uint8_t *) 0) ||
(c == (TCCcmMode_t) 0) ||
((plen > 0) && (payload == (uint8_t *) 0)) ||
((alen > 0) && (associated_data == (uint8_t *) 0)) ||
(alen >= TC_CCM_AAD_MAX_BYTES) || /* associated data size unsupported */
(plen >= TC_CCM_PAYLOAD_MAX_BYTES)) { /* payload size unsupported */
return TC_FAIL;
}
uint8_t b[Nb * Nk];
uint8_t tag[Nb * Nk];
uint32_t i;
/* GENERATING THE AUTHENTICATION TAG: */
/* formatting the sequence b for authentication: */
b[0] = ((alen > 0) ? 0x40:0) | (((c->mlen - 2) / 2 << 3)) | (1);
for (i = 1; i <= 13; ++i) {
b[i] = c->nonce[i - 1];
}
b[14] = (uint8_t)(plen >> 8);
b[15] = (uint8_t)(plen);
/* computing the authentication tag using cbc-mac: */
(void) tc_aes_encrypt(tag, b, c->sched);
if (alen > 0) {
ccm_cbc_mac(tag, associated_data, alen, 1, c->sched);
}
if (plen > 0) {
ccm_cbc_mac(tag, payload, plen, 0, c->sched);
}
/* ENCRYPTION: */
/* formatting the sequence b for encryption: */
b[0] = 1; /* q - 1 = 2 - 1 = 1 */
b[14] = b[15] = TC_ZERO_BYTE;
/* encrypting payload using ctr mode: */
ccm_ctr_mode(out, plen, payload, plen, b, c->sched);
b[14] = b[15] = TC_ZERO_BYTE; /* restoring initial counter for ctr_mode (0):*/
/* encrypting b and adding the tag to the output: */
(void) tc_aes_encrypt(b, b, c->sched);
out += plen;
for (i = 0; i < c->mlen; ++i) {
*out++ = tag[i] ^ b[i];
}
return TC_SUCCESS;
}
int32_t tc_ccm_decryption_verification(uint8_t *out, const uint8_t *associated_data,
uint32_t alen, const uint8_t *payload,
uint32_t plen, TCCcmMode_t c)
{
/* input sanity check: */
if ((plen <= alen) ||
(out == (uint8_t *) 0) ||
(c == (TCCcmMode_t) 0) ||
((plen > 0) && (payload == (uint8_t *) 0)) ||
((alen > 0) && (associated_data == (uint8_t *) 0)) ||
(alen >= TC_CCM_AAD_MAX_BYTES) || /* associated data size unsupported */
(plen >= TC_CCM_PAYLOAD_MAX_BYTES)) { /* payload size unsupported */
return TC_FAIL;
}
uint8_t b[Nb * Nk];
uint8_t tag[Nb * Nk];
uint32_t i;
/* DECRYPTION: */
/* formatting the sequence b for decryption: */
b[0] = 1; /* q - 1 = 2 - 1 = 1 */
for (i = 1; i < 14; ++i) {
b[i] = c->nonce[i - 1];
}
b[14] = b[15] = TC_ZERO_BYTE; /* initial counter value is 0 */
/* decrypting payload using ctr mode: */
ccm_ctr_mode(out, plen - c->mlen, payload, plen - c->mlen, b, c->sched);
b[14] = b[15] = TC_ZERO_BYTE; /* restoring initial counter value (0) */
/* encrypting b and restoring the tag from input: */
(void) tc_aes_encrypt(b, b, c->sched);
for (i = 0; i < c->mlen; ++i) {
tag[i] = *(payload + plen - c->mlen + i) ^ b[i];
}
/* VERIFYING THE AUTHENTICATION TAG: */
/* formatting the sequence b for authentication: */
b[0] = ((alen > 0) ? 0x40:0)|(((c->mlen - 2) / 2 << 3)) | (1);
for (i = 1; i < 14; ++i) {
b[i] = c->nonce[i - 1];
}
b[14] = (uint8_t)((plen - c->mlen) >> 8);
b[15] = (uint8_t)(plen - c->mlen);
/* computing the authentication tag using cbc-mac: */
(void) tc_aes_encrypt(b, b, c->sched);
if (alen > 0) {
ccm_cbc_mac(b, associated_data, alen, 1, c->sched);
}
if (plen > 0) {
ccm_cbc_mac(b, out, plen - c->mlen, 0, c->sched);
}
/* comparing the received tag and the computed one: */
if (_compare(b, tag, c->mlen) != 0) {
/* erase the decrypted buffer in case of mac validation failure: */
_set(out, 0, sizeof(*out));
return TC_FAIL;
}
return TC_SUCCESS;
}

254
lib/crypto/tinycrypt/source/cmac_mode.c Normal file
View file

@ -0,0 +1,254 @@
/* cmac_mode.c - TinyCrypt CMAC mode implementation */
/*
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <tinycrypt/aes.h>
#include <tinycrypt/cmac_mode.h>
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
/* max number of calls until change the key (2^48).*/
static uint64_t MAX_CALLS = ((uint64_t)1 << 48);
/*
* gf_wrap -- In our implementation, GF(2^128) is represented as a 16 byte
* array with byte 0 the most significant and byte 15 the least significant.
* High bit carry reduction is based on the primitive polynomial
*
* X^128 + X^7 + X^2 + X + 1,
*
* which leads to the reduction formula X^128 = X^7 + X^2 + X + 1. Indeed,
* since 0 = (X^128 + X^7 + X^2 + 1) mod (X^128 + X^7 + X^2 + X + 1) and since
* addition of polynomials with coefficients in Z/Z(2) is just XOR, we can
* add X^128 to both sides to get
*
* X^128 = (X^7 + X^2 + X + 1) mod (X^128 + X^7 + X^2 + X + 1)
*
* and the coefficients of the polynomial on the right hand side form the
* string 1000 0111 = 0x87, which is the value of gf_wrap.
*
* This gets used in the following way. Doubling in GF(2^128) is just a left
* shift by 1 bit, except when the most significant bit is 1. In the latter
* case, the relation X^128 = X^7 + X^2 + X + 1 says that the high order bit
* that overflows beyond 128 bits can be replaced by addition of
* X^7 + X^2 + X + 1 <--> 0x87 to the low order 128 bits. Since addition
* in GF(2^128) is represented by XOR, we therefore only have to XOR 0x87
* into the low order byte after a left shift when the starting high order
* bit is 1.
*/
const unsigned char gf_wrap = 0x87;
/*
* assumes: out != NULL and points to a GF(2^n) value to receive the
* doubled value;
* in != NULL and points to a 16 byte GF(2^n) value
* to double;
* the in and out buffers do not overlap.
* effects: doubles the GF(2^n) value pointed to by "in" and places
* the result in the GF(2^n) value pointed to by "out."
*/
void gf_double(uint8_t *out, uint8_t *in)
{
/* start with low order byte */
uint8_t *x = in + (TC_AES_BLOCK_SIZE - 1);
/* if msb == 1, we need to add the gf_wrap value, otherwise add 0 */
uint8_t carry = (in[0] >> 7) ? gf_wrap : 0;
out += (TC_AES_BLOCK_SIZE - 1);
for (;;) {
*out-- = (*x << 1) ^ carry;
if (x == in) {
break;
}
carry = *x-- >> 7;
}
}
int32_t tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched)
{
/* input sanity check: */
if (s == (TCCmacState_t) 0 ||
key == (const uint8_t *) 0) {
return TC_FAIL;
}
/* put s into a known state */
_set(s, 0, sizeof(*s));
s->sched = sched;
/* configure the encryption key used by the underlying block cipher */
tc_aes128_set_encrypt_key(s->sched, key);
/* compute s->K1 and s->K2 from s->iv using s->keyid */
_set(s->iv, 0, TC_AES_BLOCK_SIZE);
tc_aes_encrypt(s->iv, s->iv, s->sched);
gf_double (s->K1, s->iv);
gf_double (s->K2, s->K1);
/* reset s->iv to 0 in case someone wants to compute now */
tc_cmac_init(s);
return TC_SUCCESS;
}
int32_t tc_cmac_erase(TCCmacState_t s)
{
if (s == (TCCmacState_t) 0) {
return TC_FAIL;
}
/* destroy the current state */
_set(s, 0, sizeof(*s));
return TC_SUCCESS;
}
int32_t tc_cmac_init(TCCmacState_t s)
{
/* input sanity check: */
if (s == (TCCmacState_t) 0) {
return TC_FAIL;
}
/* CMAC starts with an all zero initialization vector */
_set(s->iv, 0, TC_AES_BLOCK_SIZE);
/* and the leftover buffer is empty */
_set(s->leftover, 0, TC_AES_BLOCK_SIZE);
s->leftover_offset = 0;
/* Set countdown to max number of calls allowed before re-keying: */
s->countdown = MAX_CALLS;
return TC_SUCCESS;
}
int32_t tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length)
{
uint32_t i;
/* input sanity check: */
if (s == (TCCmacState_t) 0) {
return TC_FAIL;
}
if (data_length == 0) {
return TC_SUCCESS;
}
if (data == (const uint8_t *) 0) {
return TC_FAIL;
}
if (s->countdown == 0) {
return TC_FAIL;
}
s->countdown--;
if (s->leftover_offset > 0) {
/* last data added to s didn't end on a TC_AES_BLOCK_SIZE byte boundary */
size_t remaining_space = TC_AES_BLOCK_SIZE - s->leftover_offset;
if (data_length < remaining_space) {
/* still not enough data to encrypt this time either */
_copy(&s->leftover[s->leftover_offset], data_length, data, data_length);
s->leftover_offset += data_length;
return TC_SUCCESS;
}
/* leftover block is now full; encrypt it first */
_copy(&s->leftover[s->leftover_offset],
remaining_space,
data,
remaining_space);
data_length -= remaining_space;
data += remaining_space;
s->leftover_offset = 0;
for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) {
s->iv[i] ^= s->leftover[i];
}
tc_aes_encrypt(s->iv, s->iv, s->sched);
}
/* CBC encrypt each (except the last) of the data blocks */
while (data_length > TC_AES_BLOCK_SIZE) {
for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) {
s->iv[i] ^= data[i];
}
tc_aes_encrypt(s->iv, s->iv, s->sched);
data += TC_AES_BLOCK_SIZE;
data_length -= TC_AES_BLOCK_SIZE;
}
if (data_length > 0) {
/* save leftover data for next time */
_copy(s->leftover, data_length, data, data_length);
s->leftover_offset = data_length;
}
return TC_SUCCESS;
}
int32_t tc_cmac_final(uint8_t *tag, TCCmacState_t s)
{
uint8_t *k;
uint32_t i;
/* input sanity check: */
if (tag == (uint8_t *) 0 ||
s == (TCCmacState_t) 0) {
return TC_FAIL;
}
if (s->leftover_offset == TC_AES_BLOCK_SIZE) {
/* the last message block is a full-sized block */
k = (uint8_t *) s->K1;
} else {
/* the final message block is not a full-sized block */
size_t remaining = TC_AES_BLOCK_SIZE - s->leftover_offset;
_set(&s->leftover[s->leftover_offset], 0, remaining);
s->leftover[s->leftover_offset] = TC_CMAC_PADDING;
k = (uint8_t *) s->K2;
}
for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) {
s->iv[i] ^= s->leftover[i] ^ k[i];
}
tc_aes_encrypt(tag, s->iv, s->sched);
/* erasing state: */
tc_cmac_erase(s);
return TC_SUCCESS;
}

1
lib/crypto/tinycrypt/source/ctr_mode.c
View file

@ -30,6 +30,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <tinycrypt/constants.h>
#include <tinycrypt/ctr_mode.h>
#include <tinycrypt/utils.h>

604
lib/crypto/tinycrypt/source/ecc.c Normal file
View file

@ -0,0 +1,604 @@
/* ecc.c - TinyCrypt implementation of ECC auxiliary functions */
/*
*
* Copyright (c) 2013, Kenneth MacKay
* All rights reserved.
* https://github.com/kmackay/micro-ecc
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
* * Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <tinycrypt/ecc.h>
/* ------ Curve NIST P-256 constants: ------ */
#define Curve_P {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, \
0x00000000, 0x00000000, 0x00000001, 0xFFFFFFFF}
#define Curve_B {0x27D2604B, 0x3BCE3C3E, 0xCC53B0F6, 0x651D06B0, \
0x769886BC, 0xB3EBBD55, 0xAA3A93E7, 0x5AC635D8}
#define Curve_N {0xFC632551, 0xF3B9CAC2, 0xA7179E84, 0xBCE6FAAD, \
0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0xFFFFFFFF}
#define Curve_G {{0xD898C296, 0xF4A13945, 0x2DEB33A0, 0x77037D81, \
0x63A440F2, 0xF8BCE6E5, 0xE12C4247, 0x6B17D1F2}, \
{0x37BF51F5, 0xCBB64068, 0x6B315ECE, 0x2BCE3357, \
0x7C0F9E16, 0x8EE7EB4A, 0xFE1A7F9B, 0x4FE342E2} }
#define Curve_P_Barrett {0x00000003, 0x00000000, 0xFFFFFFFF, 0xFFFFFFFE, \
0xFFFFFFFE, 0xFFFFFFFE, 0xFFFFFFFF, 0x00000000, 0x00000001}
#define Curve_N_Barrett {0xEEDF9BFE, 0x012FFD85, 0xDF1A6C21, 0x43190552, \
0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFF, 0x00000000, 0x00000001}
uint32_t curve_p[NUM_ECC_DIGITS] = Curve_P;
uint32_t curve_b[NUM_ECC_DIGITS] = Curve_B;
EccPoint curve_G = Curve_G;
uint32_t curve_n[NUM_ECC_DIGITS] = Curve_N;
uint32_t curve_pb[NUM_ECC_DIGITS + 1] = Curve_P_Barrett;
uint32_t curve_nb[NUM_ECC_DIGITS + 1] = Curve_N_Barrett;
/* ------ Static functions: ------ */
/* Zeroing out p_vli. */
static void vli_clear(uint32_t *p_vli)
{
uint32_t i;
for (i = 0; i < NUM_ECC_DIGITS; ++i) {
p_vli[i] = 0;
}
}
/* Returns nonzero if bit p_bit of p_vli is set. */
static uint32_t vli_testBit(uint32_t *p_vli, uint32_t p_bit)
{
return (p_vli[p_bit / 32] & (1 << (p_bit % 32)));
}
uint32_t vli_isZero(uint32_t *p_vli)
{
uint32_t acc = 0;
for (uint32_t i = 0; i < NUM_ECC_DIGITS; ++i) {
acc |= p_vli[i];
}
return (!acc);
}
/*
* Find the right-most nonzero 32-bit "digits" in p_vli.
*
* Side-channel countermeasure: algorithm strengthened against timing attack.
*/
static uint32_t vli_numDigits(uint32_t *p_vli)
{
int32_t i;
uint32_t digits = 0;
for (i = NUM_ECC_DIGITS - 1; i >= 0 ; --i) {
digits += p_vli[i] || digits;
}
return digits;
}
/*
* Find the left-most non-zero bit in p_vli.
*
* Side-channel countermeasure: algorithm strengthened against timing attack.
*/
static uint32_t vli_numBits(uint32_t *p_vli)
{
uint32_t l_digit;
uint32_t i, acc = 32;
uint32_t l_numDigits = vli_numDigits(p_vli);
l_digit = p_vli[l_numDigits - 1];
for (i = 0; i < 32; ++i) {
acc -= !l_digit;
l_digit >>= 1;
}
return ((l_numDigits - 1) * 32 + acc);
}
/*
* Computes p_result = p_left + p_right, returns carry.
*
* Side-channel countermeasure: algorithm strengthened against timing attack.
*/
static uint32_t vli_add(uint32_t *p_result, uint32_t *p_left,
uint32_t *p_right)
{
uint32_t l_carry = 0;
for (uint32_t i = 0; i < NUM_ECC_DIGITS; ++i) {
uint32_t l_sum = p_left[i] + p_right[i] + l_carry;
l_carry = (l_sum < p_left[i]) | ((l_sum == p_left[i]) && l_carry);
p_result[i] = l_sum;
}
return l_carry;
}
/* Computes p_result = p_left * p_right. */
static void vli_mult(uint32_t *p_result, uint32_t *p_left,
uint32_t *p_right, uint32_t word_size)
{
uint64_t r01 = 0;
uint32_t r2 = 0;
/* Compute each digit of p_result in sequence, maintaining the carries. */
for (uint32_t k = 0; k < word_size*2 - 1; ++k) {
uint32_t l_min = (k < word_size ? 0 : (k + 1) - word_size);
for (uint32_t i = l_min; i <= k && i < word_size; ++i) {
uint64_t l_product = (uint64_t)p_left[i] * p_right[k - i];
r01 += l_product;
r2 += (r01 < l_product);
}
p_result[k] = (uint32_t)r01;
r01 = (r01 >> 32) | (((uint64_t)r2) << 32);
r2 = 0;
}
p_result[word_size * 2 - 1] = (uint32_t)r01;
}
/* Computes p_result = p_left^2. */
static void vli_square(uint32_t *p_result, uint32_t *p_left)
{
uint64_t r01 = 0;
uint32_t r2 = 0;
uint32_t i, k;
for (k = 0; k < NUM_ECC_DIGITS * 2 - 1; ++k) {
uint32_t l_min = (k < NUM_ECC_DIGITS ? 0 : (k + 1) - NUM_ECC_DIGITS);
for (i = l_min; i <= k && i <= k - i; ++i) {
uint64_t l_product = (uint64_t)p_left[i] * p_left[k - i];
if (i < k - i) {
r2 += l_product >> 63;
l_product *= 2;
}
r01 += l_product;
r2 += (r01 < l_product);
}
p_result[k] = (uint32_t)r01;
r01 = (r01 >> 32) | (((uint64_t)r2) << 32);
r2 = 0;
}
p_result[NUM_ECC_DIGITS * 2 - 1] = (uint32_t)r01;
}
/* Computes p_result = p_product % curve_p using Barrett reduction. */
static void vli_mmod_barrett(uint32_t *p_result, uint32_t *p_product,
uint32_t *p_mod, uint32_t *p_barrett)
{
uint32_t i;
uint32_t q1[NUM_ECC_DIGITS + 1];
for (i = NUM_ECC_DIGITS - 1; i < 2 * NUM_ECC_DIGITS; i++) {
q1[i - (NUM_ECC_DIGITS - 1)] = p_product[i];
}
uint32_t q2[2*NUM_ECC_DIGITS + 2];
vli_mult(q2, q1, p_barrett, NUM_ECC_DIGITS + 1);
for (i = NUM_ECC_DIGITS + 1; i < 2 * NUM_ECC_DIGITS + 2; i++) {
q1[i - (NUM_ECC_DIGITS + 1)] = q2[i];
}
uint32_t prime2[2*NUM_ECC_DIGITS];
for (i = 0; i < NUM_ECC_DIGITS; i++) {
prime2[i] = p_mod[i];
prime2[NUM_ECC_DIGITS + i] = 0;
}
vli_mult(q2, q1, prime2, NUM_ECC_DIGITS + 1);
vli_sub(p_product, p_product, q2, 2 * NUM_ECC_DIGITS);
uint32_t borrow;
borrow = vli_sub(q1, p_product, prime2, NUM_ECC_DIGITS + 1);
vli_cond_set(p_product, p_product, q1, borrow);
p_product[NUM_ECC_DIGITS] = q1[NUM_ECC_DIGITS] * (!borrow);
borrow = vli_sub(q1, p_product, prime2, NUM_ECC_DIGITS + 1);
vli_cond_set(p_product, p_product, q1, borrow);
p_product[NUM_ECC_DIGITS] = q1[NUM_ECC_DIGITS] * (!borrow);
borrow = vli_sub(q1, p_product, prime2, NUM_ECC_DIGITS + 1);
vli_cond_set(p_product, p_product, q1, borrow);
p_product[NUM_ECC_DIGITS] = q1[NUM_ECC_DIGITS] * (!borrow);
for (i = 0; i < NUM_ECC_DIGITS; i++) {
p_result[i] = p_product[i];
}
}
/*
* Computes modular exponentiation.
*
* Side-channel countermeasure: algorithm strengthened against timing attack.
*/
static void vli_modExp(uint32_t *p_result, uint32_t *p_base,
uint32_t *p_exp, uint32_t *p_mod, uint32_t *p_barrett)
{
uint32_t acc[NUM_ECC_DIGITS], tmp[NUM_ECC_DIGITS], product[2 * NUM_ECC_DIGITS];
uint32_t j;
int32_t i;
vli_clear(acc);
acc[0] = 1;
for (i = NUM_ECC_DIGITS - 1; i >= 0; i--) {
for (j = 1 << 31; j > 0; j = j >> 1) {
vli_square(product, acc);
vli_mmod_barrett(acc, product, p_mod, p_barrett);
vli_mult(product, acc, p_base, NUM_ECC_DIGITS);
vli_mmod_barrett(tmp, product, p_mod, p_barrett);
vli_cond_set(acc, tmp, acc, j & p_exp[i]);
}
}
vli_set(p_result, acc);
}
/* Conversion from Affine coordinates to Jacobi coordinates. */
static void EccPoint_fromAffine(EccPointJacobi *p_point_jacobi,
EccPoint *p_point) {
vli_set(p_point_jacobi->X, p_point->x);
vli_set(p_point_jacobi->Y, p_point->y);
vli_clear(p_point_jacobi->Z);
p_point_jacobi->Z[0] = 1;
}
/*
* Elliptic curve point doubling in Jacobi coordinates: P = P + P.
*
* Requires 4 squares and 4 multiplications.
*/
static void EccPoint_double(EccPointJacobi *P)
{
uint32_t m[NUM_ECC_DIGITS], s[NUM_ECC_DIGITS], t[NUM_ECC_DIGITS];
vli_modSquare_fast(t, P->Z);
vli_modSub(m, P->X, t, curve_p);
vli_modAdd(s, P->X, t, curve_p);
vli_modMult_fast(m, m, s);
vli_modAdd(s, m, m, curve_p);
vli_modAdd(m, s, m, curve_p); /* m = 3X^2 - 3Z^4 */
vli_modSquare_fast(t, P->Y);
vli_modMult_fast(s, P->X, t);
vli_modAdd(s, s, s, curve_p);
vli_modAdd(s, s, s, curve_p); /* s = 4XY^2 */
vli_modMult_fast(P->Z, P->Y, P->Z);
vli_modAdd(P->Z, P->Z, P->Z, curve_p); /* Z' = 2YZ */
vli_modSquare_fast(P->X, m);
vli_modSub(P->X, P->X, s, curve_p);
vli_modSub(P->X, P->X, s, curve_p); /* X' = m^2 - 2s */
vli_modSquare_fast(P->Y, t);
vli_modAdd(P->Y, P->Y, P->Y, curve_p);
vli_modAdd(P->Y, P->Y, P->Y, curve_p);
vli_modAdd(P->Y, P->Y, P->Y, curve_p);
vli_modSub(t, s, P->X, curve_p);
vli_modMult_fast(t, t, m);
vli_modSub(P->Y, t, P->Y, curve_p); /* Y' = m(s - X') - 8Y^4 */
}
/* Copy input to target. */
static void EccPointJacobi_set(EccPointJacobi *target, EccPointJacobi *input)
{
vli_set(target->X, input->X);
vli_set(target->Y, input->Y);
vli_set(target->Z, input->Z);
}
/* ------ Externally visible functions (see header file for comments): ------ */
void vli_set(uint32_t *p_dest, uint32_t *p_src)
{
uint32_t i;
for (i = 0; i < NUM_ECC_DIGITS; ++i) {
p_dest[i] = p_src[i];
}
}
int32_t vli_cmp(uint32_t *p_left, uint32_t *p_right, int32_t word_size)
{
int32_t i, cmp = 0;
for (i = word_size-1; i >= 0; --i) {
cmp |= ((p_left[i] > p_right[i]) - (p_left[i] < p_right[i])) * (!cmp);
}
return cmp;
}
uint32_t vli_sub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
uint32_t word_size)
{
uint32_t l_borrow = 0;
for (uint32_t i = 0; i < word_size; ++i) {
uint32_t l_diff = p_left[i] - p_right[i] - l_borrow;
l_borrow = (l_diff > p_left[i]) | ((l_diff == p_left[i]) && l_borrow);
p_result[i] = l_diff;
}
return l_borrow;
}
void vli_cond_set(uint32_t *output, uint32_t *p_true, uint32_t *p_false,
uint32_t cond)
{
uint32_t i;
cond = (!cond);
for (i = 0; i < NUM_ECC_DIGITS; i++) {
output[i] = (p_true[i]*(!cond)) | (p_false[i]*cond);
}
}
void vli_modAdd(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
uint32_t *p_mod)
{
uint32_t l_carry = vli_add(p_result, p_left, p_right);
uint32_t p_temp[NUM_ECC_DIGITS];
l_carry = l_carry == vli_sub(p_temp, p_result, p_mod, NUM_ECC_DIGITS);
vli_cond_set(p_result, p_temp, p_result, l_carry);
}
void vli_modSub(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
uint32_t *p_mod)
{
uint32_t l_borrow = vli_sub(p_result, p_left, p_right, NUM_ECC_DIGITS);
uint32_t p_temp[NUM_ECC_DIGITS];
vli_add(p_temp, p_result, p_mod);
vli_cond_set(p_result, p_temp, p_result, l_borrow);
}
void vli_modMult_fast(uint32_t *p_result, uint32_t *p_left,
uint32_t *p_right)
{
uint32_t l_product[2 * NUM_ECC_DIGITS];
vli_mult(l_product, p_left, p_right, NUM_ECC_DIGITS);
vli_mmod_barrett(p_result, l_product, curve_p, curve_pb);
}
void vli_modSquare_fast(uint32_t *p_result, uint32_t *p_left)
{
uint32_t l_product[2 * NUM_ECC_DIGITS];
vli_square(l_product, p_left);
vli_mmod_barrett(p_result, l_product, curve_p, curve_pb);
}
void vli_modMult(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
uint32_t *p_mod, uint32_t *p_barrett)
{
uint32_t l_product[2 * NUM_ECC_DIGITS];
vli_mult(l_product, p_left, p_right, NUM_ECC_DIGITS);
vli_mmod_barrett(p_result, l_product, p_mod, p_barrett);
}
void vli_modInv(uint32_t *p_result, uint32_t *p_input, uint32_t *p_mod,
uint32_t *p_barrett)
{
uint32_t p_power[NUM_ECC_DIGITS];
vli_set(p_power, p_mod);
p_power[0] -= 2;
vli_modExp(p_result, p_input, p_power, p_mod, p_barrett);
}
uint32_t EccPoint_isZero(EccPoint *p_point)
{
return (vli_isZero(p_point->x) && vli_isZero(p_point->y));
}
uint32_t EccPointJacobi_isZero(EccPointJacobi *p_point_jacobi)
{
return vli_isZero(p_point_jacobi->Z);
}
void EccPoint_toAffine(EccPoint *p_point, EccPointJacobi *p_point_jacobi)
{
if (vli_isZero(p_point_jacobi->Z)) {
vli_clear(p_point->x);
vli_clear(p_point->y);
return;
}
uint32_t z[NUM_ECC_DIGITS];
vli_set(z, p_point_jacobi->Z);
vli_modInv(z, z, curve_p, curve_pb);
vli_modSquare_fast(p_point->x, z);
vli_modMult_fast(p_point->y, p_point->x, z);
vli_modMult_fast(p_point->x, p_point->x, p_point_jacobi->X);
vli_modMult_fast(p_point->y, p_point->y, p_point_jacobi->Y);
}
void EccPoint_add(EccPointJacobi *P1, EccPointJacobi *P2)
{
uint32_t s1[NUM_ECC_DIGITS], u1[NUM_ECC_DIGITS], t[NUM_ECC_DIGITS];
uint32_t h[NUM_ECC_DIGITS], r[NUM_ECC_DIGITS];
vli_modSquare_fast(r, P1->Z);
vli_modSquare_fast(s1, P2->Z);
vli_modMult_fast(u1, P1->X, s1); /* u1 = X1 Z2^2 */
vli_modMult_fast(h, P2->X, r);
vli_modMult_fast(s1, P1->Y, s1);
vli_modMult_fast(s1, s1, P2->Z); /* s1 = Y1 Z2^3 */
vli_modMult_fast(r, P2->Y, r);
vli_modMult_fast(r, r, P1->Z);
vli_modSub(h, h, u1, curve_p); /* h = X2 Z1^2 - u1 */
vli_modSub(r, r, s1, curve_p); /* r = Y2 Z1^3 - s1 */
if (vli_isZero(h)) {
if (vli_isZero(r)) {
/* P1 = P2 */
EccPoint_double(P1);
return;
}
/* point at infinity */
vli_clear(P1->Z);
return;
}
vli_modMult_fast(P1->Z, P1->Z, P2->Z);
vli_modMult_fast(P1->Z, P1->Z, h); /* Z3 = h Z1 Z2 */
vli_modSquare_fast(t, h);
vli_modMult_fast(h, t, h);
vli_modMult_fast(u1, u1, t);
vli_modSquare_fast(P1->X, r);
vli_modSub(P1->X, P1->X, h, curve_p);
vli_modSub(P1->X, P1->X, u1, curve_p);
vli_modSub(P1->X, P1->X, u1, curve_p); /* X3 = r^2 - h^3 - 2 u1 h^2 */
vli_modMult_fast(t, s1, h);
vli_modSub(P1->Y, u1, P1->X, curve_p);
vli_modMult_fast(P1->Y, P1->Y, r);
vli_modSub(P1->Y, P1->Y, t, curve_p); /* Y3 = r(u1 h^2 - X3) - s1 h^3 */
}
/*
* Elliptic curve scalar multiplication with result in Jacobi coordinates:
*
* p_result = p_scalar * p_point.
*/
void EccPoint_mult(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar)
{
int32_t i;
uint32_t bit;
EccPointJacobi p_point_jacobi, p_tmp;
EccPoint_fromAffine(p_result, p_point);
EccPoint_fromAffine(&p_point_jacobi, p_point);
for (i = vli_numBits(p_scalar) - 2; i >= 0; i--) {
EccPoint_double(p_result);
EccPointJacobi_set(&p_tmp, p_result);
EccPoint_add(&p_tmp, &p_point_jacobi);
bit = vli_testBit(p_scalar, i);
vli_cond_set(p_result->X, p_tmp.X, p_result->X, bit);
vli_cond_set(p_result->Y, p_tmp.Y, p_result->Y, bit);
vli_cond_set(p_result->Z, p_tmp.Z, p_result->Z, bit);
}
}
/* -------- Conversions between big endian and little endian: -------- */
void ecc_bytes2native(uint32_t p_native[NUM_ECC_DIGITS],
uint8_t p_bytes[NUM_ECC_DIGITS * 4])
{
uint32_t i;
for (i = 0; i < NUM_ECC_DIGITS; ++i) {
uint8_t *p_digit = p_bytes + 4 * (NUM_ECC_DIGITS - 1 - i);
p_native[i] = ((uint32_t)p_digit[0] << 24) |
((uint32_t)p_digit[1] << 16) |
((uint32_t)p_digit[2] << 8) |
(uint32_t)p_digit[3];
}
}
void ecc_native2bytes(uint8_t p_bytes[NUM_ECC_DIGITS * 4],
uint32_t p_native[NUM_ECC_DIGITS])
{
uint32_t i;
for (i = 0; i < NUM_ECC_DIGITS; ++i) {
uint8_t *p_digit = p_bytes + 4 * (NUM_ECC_DIGITS - 1 - i);
p_digit[0] = p_native[i] >> 24;
p_digit[1] = p_native[i] >> 16;
p_digit[2] = p_native[i] >> 8;
p_digit[3] = p_native[i];
}
}

123
lib/crypto/tinycrypt/source/ecc_dh.c Normal file
View file

@ -0,0 +1,123 @@
/* ec_dh.c - TinyCrypt implementation of EC-DH */
/*
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <tinycrypt/constants.h>
#include <tinycrypt/ecc.h>
extern uint32_t curve_p[NUM_ECC_DIGITS];
extern uint32_t curve_b[NUM_ECC_DIGITS];
extern uint32_t curve_n[NUM_ECC_DIGITS];
extern EccPoint curve_G;
int32_t ecc_make_key(EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS],
uint32_t p_random[NUM_ECC_DIGITS])
{
/* Make sure the private key is in the range [1, n-1].
* For the supported curve, n is always large enough
* that we only need to subtract once at most.
*/
uint32_t p_tmp[NUM_ECC_DIGITS];
vli_set(p_privateKey, p_random);
vli_sub(p_tmp, p_privateKey, curve_n, NUM_ECC_DIGITS);
vli_cond_set(p_privateKey, p_privateKey, p_tmp,
vli_cmp(curve_n, p_privateKey, NUM_ECC_DIGITS) == 1);
if (vli_isZero(p_privateKey)) {
return TC_CRYPTO_FAIL; /* The private key cannot be 0 (mod p). */
}
EccPointJacobi P;
EccPoint_mult(&P, &curve_G, p_privateKey);
EccPoint_toAffine(p_publicKey, &P);
return TC_CRYPTO_SUCCESS;
}
/* Compute p_result = x^3 - 3x + b */
static void curve_x_side(uint32_t p_result[NUM_ECC_DIGITS],
uint32_t x[NUM_ECC_DIGITS])
{
uint32_t _3[NUM_ECC_DIGITS] = {3}; /* -a = 3 */
vli_modSquare_fast(p_result, x); /* r = x^2 */
vli_modSub(p_result, p_result, _3, curve_p); /* r = x^2 - 3 */
vli_modMult_fast(p_result, p_result, x); /* r = x^3 - 3x */
vli_modAdd(p_result, p_result, curve_b, curve_p); /* r = x^3 - 3x + b */
}
int32_t ecc_valid_public_key(EccPoint *p_publicKey)
{
uint32_t l_tmp1[NUM_ECC_DIGITS];
uint32_t l_tmp2[NUM_ECC_DIGITS];
if (EccPoint_isZero(p_publicKey)) {
return -1;
}
if ((vli_cmp(curve_p, p_publicKey->x, NUM_ECC_DIGITS) != 1) ||
(vli_cmp(curve_p, p_publicKey->y, NUM_ECC_DIGITS) != 1)) {
return -2;
}
vli_modSquare_fast(l_tmp1, p_publicKey->y); /* tmp1 = y^2 */
curve_x_side(l_tmp2, p_publicKey->x); /* tmp2 = x^3 - 3x + b */
/* Make sure that y^2 == x^3 + ax + b */
if (vli_cmp(l_tmp1, l_tmp2, NUM_ECC_DIGITS) != 0) {
return -3;
}
return 0;
}
int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS],
EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS])
{
EccPoint p_point;
EccPointJacobi P;
EccPoint_mult(&P, p_publicKey, p_privateKey);
if (EccPointJacobi_isZero(&P)) {
return TC_CRYPTO_FAIL;
}
EccPoint_toAffine(&p_point, &P);
vli_set(p_secret, p_point.x);
return TC_CRYPTO_SUCCESS;
}

117
lib/crypto/tinycrypt/source/ecc_dsa.c Normal file
View file

@ -0,0 +1,117 @@
/* ec_dsa.c - TinyCrypt implementation of EC-DSA */
/*
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <tinycrypt/constants.h>
#include <tinycrypt/ecc.h>
extern uint32_t curve_n[NUM_ECC_DIGITS];
extern EccPoint curve_G;
extern uint32_t curve_nb[NUM_ECC_DIGITS + 1];
int32_t ecdsa_sign(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS],
uint32_t p_privateKey[NUM_ECC_DIGITS], uint32_t p_random[NUM_ECC_DIGITS],
uint32_t p_hash[NUM_ECC_DIGITS])
{
uint32_t k[NUM_ECC_DIGITS], tmp[NUM_ECC_DIGITS];
EccPoint p_point;
EccPointJacobi P;
if (vli_isZero(p_random)) {
return TC_CRYPTO_FAIL; /* The random number must not be 0. */
}
vli_set(k, p_random);
vli_sub(tmp, k, curve_n, NUM_ECC_DIGITS);
vli_cond_set(k, k, tmp, vli_cmp(curve_n, k, NUM_ECC_DIGITS) == 1);
/* tmp = k * G */
EccPoint_mult(&P, &curve_G, k);
EccPoint_toAffine(&p_point, &P);
/* r = x1 (mod n) */
vli_set(r, p_point.x);
if (vli_cmp(curve_n, r, NUM_ECC_DIGITS) != 1) {
vli_sub(r, r, curve_n, NUM_ECC_DIGITS);
}
if (vli_isZero(r)) {
return TC_CRYPTO_FAIL; /* If r == 0, fail (need a different random number). */
}
vli_modMult(s, r, p_privateKey, curve_n, curve_nb); /* s = r*d */
vli_modAdd(s, p_hash, s, curve_n); /* s = e + r*d */
vli_modInv(k, k, curve_n, curve_nb); /* k = 1 / k */
vli_modMult(s, s, k, curve_n, curve_nb); /* s = (e + r*d) / k */
return TC_CRYPTO_SUCCESS;
}
int32_t ecdsa_verify(EccPoint *p_publicKey, uint32_t p_hash[NUM_ECC_DIGITS],
uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS])
{
uint32_t u1[NUM_ECC_DIGITS], u2[NUM_ECC_DIGITS];
uint32_t z[NUM_ECC_DIGITS];
EccPointJacobi P, R;
EccPoint p_point;
if (vli_isZero(r) || vli_isZero(s)) {
return TC_CRYPTO_FAIL; /* r, s must not be 0. */
}
if ((vli_cmp(curve_n, r, NUM_ECC_DIGITS) != 1) ||
(vli_cmp(curve_n, s, NUM_ECC_DIGITS) != 1)) {
return TC_CRYPTO_FAIL; /* r, s must be < n. */
}
/* Calculate u1 and u2. */
vli_modInv(z, s, curve_n, curve_nb); /* Z = s^-1 */
vli_modMult(u1, p_hash, z, curve_n, curve_nb); /* u1 = e/s */
vli_modMult(u2, r, z, curve_n, curve_nb); /* u2 = r/s */
/* calculate P = u1*G + u2*Q */
EccPoint_mult(&P, &curve_G, u1);
EccPoint_mult(&R, p_publicKey, u2);
EccPoint_add(&P, &R);
EccPoint_toAffine(&p_point, &P);
/* Accept only if P.x == r. */
vli_cond_set(
p_point.x,
p_point.x,
z,
vli_sub(z, p_point.x, curve_n, NUM_ECC_DIGITS));
return (vli_cmp(p_point.x, r, NUM_ECC_DIGITS) == 0);
}

4
lib/crypto/tinycrypt/source/hmac.c
View file

@ -31,6 +31,7 @@
*/
#include <tinycrypt/hmac.h>
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
static void rekey(uint8_t *key, const uint8_t *new_key, uint32_t key_size)
@ -141,5 +142,8 @@ int32_t tc_hmac_final(uint8_t *tag, uint32_t taglen, TCHmacState_t ctx)
(void)tc_sha256_update(&ctx->hash_state, tag, TC_SHA256_DIGEST_SIZE);
(void)tc_sha256_final(tag, &ctx->hash_state);
/* destroy the current state */
_set(ctx, 0, sizeof(*ctx));
return TC_SUCCESS;
}

8
lib/crypto/tinycrypt/source/hmac_prng.c
View file

@ -32,6 +32,7 @@
#include <tinycrypt/hmac_prng.h>
#include <tinycrypt/hmac.h>
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
/*
@ -155,16 +156,17 @@ int32_t tc_hmac_prng_reseed(TCHmacPrng_t prng,
if (additionallen == 0 ||
additionallen > MAX_ALEN) {
return TC_FAIL;
}
} else {
/* call update for the seed and additional_input */
update(prng, seed, seedlen);
update(prng, additional_input, additionallen);
}
} else {
/* call update only for the seed */
update(prng, seed, seedlen);
}
/* ... and enable hmac_prng_get */
/* ... and enable hmac_prng_generate */
prng->countdown = MAX_GENS;
return TC_SUCCESS;
@ -181,7 +183,7 @@ int32_t tc_hmac_prng_generate(uint8_t *out, uint32_t outlen, TCHmacPrng_t prng)
outlen > MAX_OUT) {
return TC_FAIL;
} else if (prng->countdown == 0) {
return TC_RESEED_REQ;
return TC_HMAC_PRNG_RESEED_REQ;
}
prng->countdown--;

4
lib/crypto/tinycrypt/source/sha256.c
View file

@ -31,6 +31,7 @@
*/
#include <tinycrypt/sha256.h>
#include <tinycrypt/constants.h>
#include <tinycrypt/utils.h>
static void compress(uint32_t *iv, const uint8_t *data);
@ -130,6 +131,9 @@ int32_t tc_sha256_final(uint8_t *digest, TCSha256State_t s)
*digest++ = (uint8_t)(t);
}
/* destroy the current state */
_set(s, 0, sizeof(*s));
return TC_SUCCESS;
}

17
lib/crypto/tinycrypt/source/utils.c
View file

@ -31,6 +31,7 @@
*/
#include <tinycrypt/utils.h>
#include <tinycrypt/constants.h>
#include <string.h>
@ -48,14 +49,14 @@ uint32_t _copy(uint8_t *to, uint32_t to_len,
}
}
void _set(uint8_t *to, uint8_t val, uint32_t len)
void _set(void *to, uint8_t val, uint32_t len)
{
(void)memset(to, val, len);
}
/*
* Doubles the value of a byte for values up to 127. Original 'return
* ((a<<1) ^ ((a>>7) * 0x1b))' re-written to avoid extra multiplicaiton which
* ((a<<1) ^ ((a>>7) * 0x1b))' re-written to avoid extra multiplication which
* the compiler won't be able to optimize
*/
uint8_t _double_byte(uint8_t a)
@ -63,3 +64,15 @@ uint8_t _double_byte(uint8_t a)
return (a & MASK_MOST_SIG_BIT) ?
((a << 1) ^ MASK_TWENTY_SEVEN) : (a << 1);
}
int32_t _compare(const uint8_t *a, const uint8_t *b, size_t size)
{
const uint8_t *tempa = a;
const uint8_t *tempb = b;
uint8_t result = 0;
for (uint32_t i = 0; i < size; i++) {
result |= tempa[i] ^ tempb[i];
}
return result;
}

11
samples/crypto/test_aes/test_aes.c
View file

@ -41,17 +41,18 @@
- AES128 NIST variable-key and fixed-text
*/
#include <test_utils.h>
#include <tinycrypt/aes.h>
#include <tinycrypt/constants.h>
#include <test_utils.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>
#include <misc/printk.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#define NUM_OF_NIST_KEYS 16
#define NUM_OF_FIXED_KEYS 128

1
samples/crypto/test_cbc/test_cbc_mode.c
View file

@ -38,6 +38,7 @@
*/
#include <tinycrypt/cbc_mode.h>
#include <tinycrypt/constants.h>
#include "test_utils.h"
#include <stdlib.h>

2
samples/crypto/test_ccm_mode/Makefile Normal file
View file

@ -0,0 +1,2 @@
ccflags-y += -I$(srctree)/samples/include -I$(srctree)/lib/crypto/tinycrypt/include
obj-y = test_ccm_mode.o

509
samples/crypto/test_ccm_mode/test_ccm_mode.c Normal file
View file

@ -0,0 +1,509 @@
/* test_ccm_mode.c - TinyCrypt AES-CCM tests (RFC 3610 tests) */
/*
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* DESCRIPTION
* This module tests the following AES-CCM Mode routines:
*
* Scenarios tested include:
* - AES128 CCM mode encryption RFC 3610 test vector #1
* - AES128 CCM mode encryption RFC 3610 test vector #2
* - AES128 CCM mode encryption RFC 3610 test vector #3
* - AES128 CCM mode encryption RFC 3610 test vector #7
* - AES128 CCM mode encryption RFC 3610 test vector #8
* - AES128 CCM mode encryption RFC 3610 test vector #9
* - AES128 CCM mode encryption No associated data
* - AES128 CCM mode encryption No payhoad data
*/
#include <tinycrypt/ccm_mode.h>
#include <tinycrypt/constants.h>
#include <test_utils.h>
#include <string.h>
#define CIPHERTEXT_LEN 50
#define DECRYPTED_LEN 25
#define NUM_NIST_KEYS 16
#define NONCE_LEN 13
#define HEADER_LEN 8
#define M_LEN8 8
#define M_LEN10 10
#define DATA_BUF_LEN23 23
#define DATA_BUF_LEN24 24
#define DATA_BUF_LEN25 25
#define EXPECTED_BUF_LEN31 31
#define EXPECTED_BUF_LEN32 32
#define EXPECTED_BUF_LEN33 33
#define EXPECTED_BUF_LEN34 34
#define EXPECTED_BUF_LEN35 35
uint32_t do_test(const uint8_t *key, uint8_t *nonce, size_t nlen,
const uint8_t *hdr, size_t hlen, const uint8_t *data, size_t dlen,
const uint8_t *expected, size_t elen, const int mlen)
{
uint32_t result = TC_PASS;
uint8_t ciphertext[CIPHERTEXT_LEN];
uint8_t decrypted[DECRYPTED_LEN];
struct tc_ccm_mode_struct c;
struct tc_aes_key_sched_struct sched;
tc_aes128_set_encrypt_key(&sched, key);
if (tc_ccm_config(&c, &sched, nonce, nlen, mlen) == 0) {
TC_ERROR("CCM config failed in %s.\n", __func__);
result = TC_FAIL;
goto exitTest1;
}
if (tc_ccm_generation_encryption(ciphertext, hdr, hlen, data, dlen, &c) == 0) {
TC_ERROR("ccm_encrypt failed in %s.\n", __func__);
result = TC_FAIL;
goto exitTest1;
}
if (memcmp(expected, ciphertext, elen) != 0) {
TC_ERROR("ccm_encrypt produced wrong ciphertext in %s.\n", __func__);
show_str("\t\tExpected", expected, elen);
show_str("\t\tComputed", ciphertext, elen);
result = TC_FAIL;
goto exitTest1;
}
if (tc_ccm_decryption_verification(decrypted, hdr, hlen, ciphertext, dlen+mlen, &c) == 0) {
TC_ERROR("ccm_decrypt failed in %s.\n", __func__);
show_str("\t\tExpected", data, sizeof(data));
show_str("\t\tComputed", decrypted, sizeof(decrypted));
result = TC_FAIL;
goto exitTest1;
}
exitTest1:
TC_END_RESULT(result);
return result;
}
uint32_t test_vector_1(void)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CCM test #1 (RFC 3610 test vector #1):\n", __func__);
/* RFC 3610 test vector #1 */
const uint8_t key[NUM_NIST_KEYS] = {
0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb,
0xcc, 0xcd, 0xce, 0xcf
};
uint8_t nonce[NONCE_LEN] = {
0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4,
0xa5
};
const uint8_t hdr[HEADER_LEN] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
const uint8_t data[DATA_BUF_LEN23] = {
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
};
const uint8_t expected[EXPECTED_BUF_LEN31] = {
0x58, 0x8c, 0x97, 0x9a, 0x61, 0xc6, 0x63, 0xd2, 0xf0, 0x66, 0xd0, 0xc2,
0xc0, 0xf9, 0x89, 0x80, 0x6d, 0x5f, 0x6b, 0x61, 0xda, 0xc3, 0x84, 0x17,
0xe8, 0xd1, 0x2c, 0xfd, 0xf9, 0x26, 0xe0
};
uint16_t mlen = M_LEN8;
result = do_test(key, nonce, sizeof(nonce), hdr, sizeof(hdr), data, sizeof(data), expected,
sizeof(expected), mlen);
return result;
}
uint32_t test_vector_2(void)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CCM test #2 (RFC 3610 test vector #2):\n");
/* RFC 3610 test vector #2 */
const uint8_t key[NUM_NIST_KEYS] = {
0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb,
0xcc, 0xcd, 0xce, 0xcf
};
uint8_t nonce[NONCE_LEN] = {
0x00, 0x00, 0x00, 0x04, 0x03, 0x02, 0x01, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4,
0xa5
};
const uint8_t hdr[HEADER_LEN] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
const uint8_t data[DATA_BUF_LEN24] = {
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};
const uint8_t expected[EXPECTED_BUF_LEN32] = {
0x72, 0xc9, 0x1a, 0x36, 0xe1, 0x35, 0xf8, 0xcf, 0x29, 0x1c, 0xa8, 0x94,
0x08, 0x5c, 0x87, 0xe3, 0xcc, 0x15, 0xc4, 0x39, 0xc9, 0xe4, 0x3a, 0x3b,
0xa0, 0x91, 0xd5, 0x6e, 0x10, 0x40, 0x09, 0x16
};
uint16_t mlen = M_LEN8;
result = do_test(key, nonce, sizeof(nonce), hdr, sizeof(hdr), data, sizeof(data), expected,
sizeof(expected), mlen);
return result;
}
uint32_t test_vector_3(void)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CCM test #3 (RFC 3610 test vector #3):\n");
/* RFC 3610 test vector #3 */
const uint8_t key[NUM_NIST_KEYS] = {
0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb,
0xcc, 0xcd, 0xce, 0xcf
};
uint8_t nonce[NONCE_LEN] = {
0x00, 0x00, 0x00, 0x05, 0x04, 0x03, 0x02, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4,
0xa5
};
const uint8_t hdr[HEADER_LEN] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
const uint8_t data[DATA_BUF_LEN25] = {
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
0x20
};
const uint8_t expected[EXPECTED_BUF_LEN33] = {
0x51, 0xb1, 0xe5, 0xf4, 0x4a, 0x19, 0x7d, 0x1d, 0xa4, 0x6b, 0x0f, 0x8e,
0x2d, 0x28, 0x2a, 0xe8, 0x71, 0xe8, 0x38, 0xbb, 0x64, 0xda, 0x85, 0x96,
0x57, 0x4a, 0xda, 0xa7, 0x6f, 0xbd, 0x9f, 0xb0, 0xc5
};
uint16_t mlen = M_LEN8;
result = do_test(key, nonce, sizeof(nonce), hdr, sizeof(hdr), data, sizeof(data), expected,
sizeof(expected), mlen);
return result;
}
uint32_t test_vector_4(void)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CCM test #4 (RFC 3610 test vector #7):\n");
/* RFC 3610 test vector #7 */
const uint8_t key[NUM_NIST_KEYS] = {
0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb,
0xcc, 0xcd, 0xce, 0xcf
};
uint8_t nonce[NONCE_LEN] = {
0x00, 0x00, 0x00, 0x09, 0x08, 0x07, 0x06, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4,
0xa5
};
const uint8_t hdr[HEADER_LEN] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
const uint8_t data[DATA_BUF_LEN23] = {
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
};
const uint8_t expected[EXPECTED_BUF_LEN33] = {
0x01, 0x35, 0xD1, 0xB2, 0xC9, 0x5F, 0x41, 0xD5,
0xD1, 0xD4, 0xFE, 0xC1, 0x85, 0xD1, 0x66, 0xB8,
0x09, 0x4E, 0x99, 0x9D, 0xFE, 0xD9, 0x6C, 0x04,
0x8C, 0x56, 0x60, 0x2C, 0x97, 0xAC, 0xBB, 0x74, 0x90
};
uint16_t mlen = M_LEN10;
result = do_test(key, nonce, sizeof(nonce), hdr, sizeof(hdr), data, sizeof(data), expected,
sizeof(expected), mlen);
return result;
}
uint32_t test_vector_5(void)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CCM test #5 (RFC 3610 test vector #8):\n");
/* RFC 3610 test vector #8 */
const uint8_t key[NUM_NIST_KEYS] = {
0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF
};
uint8_t nonce[NONCE_LEN] = {
0x00, 0x00, 0x00, 0x0A, 0x09, 0x08, 0x07, 0xA0,
0xA1, 0xA2, 0xA3, 0xA4, 0xA5
};
const uint8_t hdr[HEADER_LEN] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
const uint8_t data[DATA_BUF_LEN24] = {
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};
const uint8_t expected[EXPECTED_BUF_LEN34] = {
0x7B, 0x75, 0x39, 0x9A, 0xC0, 0x83, 0x1D, 0xD2,
0xF0, 0xBB, 0xD7, 0x58, 0x79, 0xA2, 0xFD, 0x8F,
0x6C, 0xAE, 0x6B, 0x6C, 0xD9, 0xB7, 0xDB, 0x24,
0xC1, 0x7B, 0x44, 0x33, 0xF4, 0x34, 0x96, 0x3F, 0x34, 0xB4
};
uint16_t mlen = M_LEN10;
result = do_test(key, nonce, sizeof(nonce), hdr, sizeof(hdr), data, sizeof(data), expected,
sizeof(expected), mlen);
return result;
}
uint32_t test_vector_6(void)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CCM test #6 (RFC 3610 test vector #9):\n");
/* RFC 3610 test vector #9 */
const uint8_t key[NUM_NIST_KEYS] = {
0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF
};
uint8_t nonce[NONCE_LEN] = {
0x00, 0x00, 0x00, 0x0B, 0x0A, 0x09, 0x08, 0xA0,
0xA1, 0xA2, 0xA3, 0xA4, 0xA5
};
const uint8_t hdr[HEADER_LEN] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
const uint8_t data[DATA_BUF_LEN25] = {
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
};
const uint8_t expected[EXPECTED_BUF_LEN35] = {
0x82, 0x53, 0x1a, 0x60, 0xCC, 0x24, 0x94, 0x5a,
0x4b, 0x82, 0x79, 0x18, 0x1a, 0xb5, 0xc8, 0x4d,
0xf2, 0x1c, 0xe7, 0xf9, 0xb7, 0x3f, 0x42, 0xe1,
0x97, 0xea, 0x9c, 0x07, 0xe5, 0x6b, 0x5e, 0xb1, 0x7e, 0x5f, 0x4e
};
uint16_t mlen = M_LEN10;
result = do_test(key, nonce, sizeof(nonce), hdr, sizeof(hdr), data, sizeof(data), expected,
sizeof(expected), mlen);
return result;
}
uint32_t test_vector_7(void)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CCM test #7 (no associated data):\n");
/* Test based on RFC 3610 test vector #9 but with no associated data */
const uint8_t key[NUM_NIST_KEYS] = {
0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF
};
uint8_t nonce[NONCE_LEN] = {
0x00, 0x00, 0x00, 0x0B, 0x0A, 0x09, 0x08, 0xA0,
0xA1, 0xA2, 0xA3, 0xA4, 0xA5
};
uint8_t *hdr = NULL;
uint8_t data[DATA_BUF_LEN25] = {
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20
};
struct tc_ccm_mode_struct c;
struct tc_aes_key_sched_struct sched;
uint8_t decrypted[DECRYPTED_LEN];
uint8_t ciphertext[CIPHERTEXT_LEN];
uint16_t mlen = M_LEN10;
tc_aes128_set_encrypt_key(&sched, key);
if (tc_ccm_config(&c, &sched, nonce, sizeof(nonce), mlen) == 0) {
TC_ERROR("ccm_config failed in %s.\n", __func__);
result = TC_FAIL;
goto exitTest1;
}
if (tc_ccm_generation_encryption(ciphertext, hdr, 0, data, sizeof(data), &c) == 0) {
TC_ERROR("ccm_encryption failed in %s.\n", __func__);
result = TC_FAIL;
goto exitTest1;
}
if (tc_ccm_decryption_verification(decrypted, hdr, 0, ciphertext,
sizeof(data)+mlen, &c) == 0) {
TC_ERROR("ccm_decrypt failed in %s.\n", __func__);
show_str("\t\tExpected", data, sizeof(data));
show_str("\t\tComputed", decrypted, sizeof(decrypted));
result = TC_FAIL;
goto exitTest1;
}
exitTest1:
TC_END_RESULT(result);
return result;
}
uint32_t test_vector_8(void)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CCM test #8 (no payload data):\n");
/* Test based on RFC 3610 test vector #9 but with no payload data */
const uint8_t key[NUM_NIST_KEYS] = {
0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF
};
uint8_t nonce[NONCE_LEN] = {
0x00, 0x00, 0x00, 0x0B, 0x0A, 0x09, 0x08, 0xA0,
0xA1, 0xA2, 0xA3, 0xA4, 0xA5
};
const uint8_t hdr[8] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
uint8_t *data = NULL;
struct tc_ccm_mode_struct c;
struct tc_aes_key_sched_struct sched;
uint8_t decrypted[DECRYPTED_LEN];
uint8_t ciphertext[CIPHERTEXT_LEN];
uint16_t mlen = M_LEN10;
tc_aes128_set_encrypt_key(&sched, key);
if (tc_ccm_config(&c, &sched, nonce, sizeof(nonce), mlen) == 0) {
TC_ERROR("CCM config failed in %s.\n", __func__);
result = TC_FAIL;
goto exitTest1;
}
if (tc_ccm_generation_encryption(ciphertext, hdr, sizeof(hdr), data, 0, &c) == 0) {
TC_ERROR("ccm_encrypt failed in %s.\n", __func__);
result = TC_FAIL;
goto exitTest1;
}
if (tc_ccm_decryption_verification(decrypted, hdr, sizeof(hdr),
ciphertext, mlen, &c) == 0) {
TC_ERROR("ccm_decrypt failed in %s.\n", __func__);
show_str("\t\tExpected", data, sizeof(data));
show_str("\t\tComputed", decrypted, sizeof(decrypted));
result = TC_FAIL;
goto exitTest1;
}
exitTest1:
TC_END_RESULT(result);
return result;
}
/*
* Main task to test CCM
*/
#ifdef CONFIG_MICROKERNEL
void mainloop(void)
#else
void main(void)
#endif
{
uint32_t result = TC_PASS;
TC_START("Performing CCM tests:");
result = test_vector_1();
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CCM test #1 (RFC 3610 test vector #1) failed.\n");
goto exitTest;
}
result = test_vector_2();
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CCM test #2 failed.\n");
goto exitTest;
}
result = test_vector_3();
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CCM test #3 failed.\n");
goto exitTest;
}
result = test_vector_4();
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CCM test #4 failed.\n");
goto exitTest;
}
result = test_vector_5();
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CCM test #5 failed.\n");
goto exitTest;
}
result = test_vector_6();
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CCM test #6 failed.\n");
goto exitTest;
}
result = test_vector_7();
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CCM test #7 failed.\n");
goto exitTest;
}
result = test_vector_8();
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CCM test #8 (no payload data) failed.\n");
goto exitTest;
}
TC_PRINT("All CCM tests succeeded!\n");
exitTest:
TC_END_RESULT(result);
TC_END_REPORT(result);
}

2
samples/crypto/test_cmac_mode/Makefile Normal file
View file

@ -0,0 +1,2 @@
ccflags-y += -I$(srctree)/samples/include -I$(srctree)/lib/crypto/tinycrypt/include
obj-y = test_cmac_mode.o

309
samples/crypto/test_cmac_mode/test_cmac_mode.c Normal file
View file

@ -0,0 +1,309 @@
/* test_cmac_mode.c - TinyCrypt AES-CMAC tests (including SP 800-38B tests) */
/*
* Copyright (C) 2015 by Intel Corporation, All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Intel Corporation nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* DESCRIPTION
* This module tests the following AES-CMAC test (including SP 800-38B):
*
* Scenarios tested include:
* - CMAC test #1 (GF(2^128) double))
* - CMAC test #2 null msg (SP 800-38B test vector #1)
* - CMAC test #3 1 block msg (SP 800-38B test vector #2)
* - CMAC test #4 320 bit msg (SP 800-38B test vector #3)
* - CMAC test #5 512 bit msg(SP 800-38B test vector #4)
*/
#include <tinycrypt/cmac_mode.h>
#include <tinycrypt/constants.h>
#include <tinycrypt/aes.h>
#include <test_utils.h>
#include <stdio.h>
#include <string.h>
#define BUF_LEN 16
static void show(const char *label, const uint8_t *s, size_t slen)
{
uint32_t i;
TC_PRINT("%s\t", label);
for (i = 0; i < slen; ++i) {
TC_PRINT("%02x", s[i]);
}
TC_PRINT("\n");
}
extern void gf_double(uint8_t *out, uint8_t *in);
static uint32_t verify_gf_2_128_double(uint8_t *K1, uint8_t *K2, struct tc_cmac_struct s)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CMAC test #1 (GF(2^128) double):\n");
uint8_t zero[BUF_LEN];
uint8_t L[BUF_LEN];
const uint8_t l[BUF_LEN] = {
0x7d, 0xf7, 0x6b, 0x0c, 0x1a, 0xb8, 0x99, 0xb3,
0x3e, 0x42, 0xf0, 0x47, 0xb9, 0x1b, 0x54, 0x6f
};
const uint8_t k1[BUF_LEN] = {
0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
};
const uint8_t k2[BUF_LEN] = {
0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
};
(void) memset(zero, '\0', sizeof(zero));
tc_aes_encrypt(L, zero, s.sched);
if (memcmp(L, l, BUF_LEN) != 0) {
TC_ERROR("AES encryption failed in %s.\n", __func__);
show("expected L =", l, sizeof(l));
show("computed L =", L, sizeof(L));
return TC_FAIL;
}
gf_double(K1, L);
if (memcmp(K1, k1, BUF_LEN) != 0) {
TC_ERROR("gf_2_128_double failed when msb = 0\n", __func__);
show("expected K1 =", k1, sizeof(k1));
show("computed K1 =", K1, sizeof(k1));
return TC_FAIL;
}
gf_double(K2, K1);
if (memcmp(K2, k2, BUF_LEN) != 0) {
TC_ERROR("gf_2_128_double failed when msb = 1\n", __func__);
show("expected K2 =", k2, sizeof(k2));
show("computed K2 =", K2, sizeof(k2));
return TC_FAIL;
}
TC_END_RESULT(result);
return result;
}
static uint32_t verify_cmac_null_msg(TCCmacState_t s)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CMAC test #2 (SP 800-38B test vector #1):\n");
const uint8_t tag[BUF_LEN] = {
0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
};
uint8_t Tag[BUF_LEN];
(void) tc_cmac_init(s);
(void) tc_cmac_update(s, (const uint8_t *) 0, 0);
(void) tc_cmac_final(Tag, s);
if (memcmp(Tag, tag, BUF_LEN) != 0) {
TC_ERROR("aes_cmac failed with null msg = 1\n", __func__);
show("expected Tag =", tag, sizeof(tag));
show("computed Tag =", Tag, sizeof(Tag));
return TC_FAIL;
}
TC_END_RESULT(result);
return result;
}
static uint32_t verify_cmac_1_block_msg(TCCmacState_t s)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CMAC test #3 (SP 800-38B test vector #2):\n");
const uint8_t msg[BUF_LEN] = {
0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a
};
const uint8_t tag[BUF_LEN] = {
0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
};
uint8_t Tag[BUF_LEN];
(void) tc_cmac_init(s);
(void) tc_cmac_update(s, msg, sizeof(msg));
(void) tc_cmac_final(Tag, s);
if (memcmp(Tag, tag, BUF_LEN) != 0) {
TC_ERROR("aes_cmac failed with 1 block msg\n", __func__);
show("aes_cmac failed with 1 block msg =", msg, sizeof(msg));
show("expected Tag =", tag, sizeof(tag));
show("computed Tag =", Tag, sizeof(Tag));
return TC_FAIL;
}
TC_END_RESULT(result);
return result;
}
static uint32_t verify_cmac_320_bit_msg(TCCmacState_t s)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CMAC test #4 (SP 800-38B test vector #3):\n");
const uint8_t msg[40] = {
0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11
};
const uint8_t tag[BUF_LEN] = {
0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27
};
uint8_t Tag[BUF_LEN];
(void) tc_cmac_init(s);
(void) tc_cmac_update(s, msg, sizeof(msg));
(void) tc_cmac_final(Tag, s);
if (memcmp(Tag, tag, BUF_LEN) != 0) {
TC_ERROR("aes_cmac failed with 320 bit msg\n", __func__);
show("aes_cmac failed with 320 bit msg =", msg, sizeof(msg));
show("expected Tag =", tag, sizeof(tag));
show("computed Tag =", Tag, sizeof(Tag));
return TC_FAIL;
}
TC_END_RESULT(result);
return result;
}
static uint32_t verify_cmac_512_bit_msg(TCCmacState_t s)
{
uint32_t result = TC_PASS;
TC_PRINT("Performing CMAC test #5 (SP 800-38B test vector #4)\n");
const uint8_t msg[64] = {
0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
};
const uint8_t tag[BUF_LEN] = {
0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
};
uint8_t Tag[BUF_LEN];
(void)tc_cmac_init(s);
(void)tc_cmac_update(s, msg, sizeof(msg));
(void)tc_cmac_final(Tag, s);
if (memcmp(Tag, tag, BUF_LEN) != 0) {
TC_ERROR("aes_cmac failed with 512 bit msg\n", __func__);
show("aes_cmac failed with 512 bit msg =", msg, sizeof(msg));
show("expected Tag =", tag, sizeof(tag));
show("computed Tag =", Tag, sizeof(Tag));
return TC_FAIL;
}
TC_END_RESULT(result);
return result;
}
/*
* Main task to test CMAC
*/
#ifdef CONFIG_MICROKERNEL
void mainloop(void)
#else
void main(void)
#endif
{
uint32_t result = TC_PASS;
struct tc_cmac_struct state;
struct tc_aes_key_sched_struct sched;
const uint8_t key[BUF_LEN] = {
0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
};
uint8_t K1[BUF_LEN], K2[BUF_LEN];
TC_START("Performing CMAC tests:");
(void) tc_cmac_setup(&state, key, &sched);
result = verify_gf_2_128_double(K1, K2, state);
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CMAC test #1 (128 double) failed.\n");
goto exitTest;
}
(void) tc_cmac_setup(&state, key, &sched);
result = verify_cmac_null_msg(&state);
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CMAC test #2 (null msg) failed.\n");
goto exitTest;
}
(void) tc_cmac_setup(&state, key, &sched);
result = verify_cmac_1_block_msg(&state);
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CMAC test #3 (1 block msg)failed.\n");
goto exitTest;
}
(void) tc_cmac_setup(&state, key, &sched);
result = verify_cmac_320_bit_msg(&state);
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CMAC test #4 (320 bit msg) failed.\n");
goto exitTest;
}
(void) tc_cmac_setup(&state, key, &sched);
result = verify_cmac_512_bit_msg(&state);
if (result == TC_FAIL) { /* terminate test */
TC_ERROR("CMAC test #5 (512 bit msg)failed.\n");
goto exitTest;
}
TC_PRINT("All CMAC tests succeeded!\n");
exitTest:
TC_END_RESULT(result);
TC_END_REPORT(result);
}

1
samples/crypto/test_ctr/test_ctr_mode.c
View file

@ -39,6 +39,7 @@
*/
#include <tinycrypt/ctr_mode.h>
#include <tinycrypt/constants.h>
#include <test_utils.h>
#include <stdio.h>

3
samples/crypto/test_hmac/test_hmac.c
View file

@ -38,8 +38,9 @@
- HMAC tests (RFC 4231 test vectors)
*/
#include <test_utils.h>
#include <tinycrypt/hmac.h>
#include <tinycrypt/constants.h>
#include <test_utils.h>
uint32_t do_hmac_test(TCHmacState_t h, uint32_t testnum, const uint8_t *data,
size_t datalen, const uint8_t *expected,

7
samples/crypto/test_prng/test_hmac_prng.c
View file

@ -40,11 +40,12 @@
- HMAC-PRNG generate)
*/
#include <tinycrypt/hmac_prng.h>
#include <tinycrypt/constants.h>
#include <stdio.h>
#include <tc_util.h>
#include <drivers/system_timer.h>
#include <stdio.h>
#include <tinycrypt/hmac_prng.h>
/*
* Main task to test AES

1
samples/crypto/test_sha256/test_sha256.c
View file

@ -39,6 +39,7 @@
*/
#include <tinycrypt/sha256.h>
#include <tinycrypt/constants.h>
#include <test_utils.h>
#include <stdio.h>

1
samples/include/test_utils.h
View file

@ -33,6 +33,7 @@
#define __TEST_UTILS_H__
#include <tc_util.h>
#include <tinycrypt/constants.h>
static inline void show_str(const char *label, const uint8_t *s, size_t len)
{

7
samples/microkernel/test/test_ccm_mode/Makefile Normal file
View file

@ -0,0 +1,7 @@
BOARD ?= qemu_x86
MDEF_FILE = prj.mdef
KERNEL_TYPE = micro
CONF_FILE = prj_$(ARCH).conf
SOURCE_DIR = $(ZEPHYR_BASE)/samples/crypto/test_ccm_mode/
include $(ZEPHYR_BASE)/Makefile.inc

60
samples/microkernel/test/test_ccm_mode/README.txt Normal file
View file

@ -0,0 +1,60 @@
Title: test_aes_ccm
Description:
This test verifies that the TinyCrypt AES APIs operate as expected.
--------------------------------------------------------------------------------
Building and Running Project:
This microkernel project outputs to the console. It can be built and executed
on QEMU as follows:
make qemu
--------------------------------------------------------------------------------
Troubleshooting:
Problems caused by out-dated project information can be addressed by
issuing one of the following commands then rebuilding the project:
make clean # discard results of previous builds
# but keep existing configuration info
or
make pristine # discard results of previous builds
# and restore pre-defined configuration info
--------------------------------------------------------------------------------
Sample Output:
tc_start() - Performing CCM tests:
Performing CCM test #1 (RFC 3610 test vector #1):
===================================================================
PASS - do_test.
Performing CCM test #2 (RFC 3610 test vector #2):
===================================================================
PASS - do_test.
Performing CCM test #3 (RFC 3610 test vector #3):
===================================================================
PASS - do_test.
Performing CCM test #4 (RFC 3610 test vector #7):
===================================================================
PASS - do_test.
Performing CCM test #5 (RFC 3610 test vector #8):
===================================================================
PASS - do_test.
Performing CCM test #6 (RFC 3610 test vector #9):
===================================================================
PASS - do_test.
Performing CCM test #7 (no associated data):
===================================================================
PASS - test_vector_7.
Performing CCM test #8 (no payload data):
===================================================================
PASS - test_vector_8.
All CCM tests succeeded!
===================================================================
PASS - mainloop.
===================================================================
PROJECT EXECUTION SUCCESSFUL

5
samples/microkernel/test/test_ccm_mode/prj.mdef Normal file
View file

@ -0,0 +1,5 @@
% Application : test AES128-CCM mode TinyCrypt APIs
% TASK NAME PRIO ENTRY STACK GROUPS
% ====================================================
TASK tStartTask 5 mainloop 1024 [EXE]

4
samples/microkernel/test/test_ccm_mode/prj_arm.conf Normal file
View file

@ -0,0 +1,4 @@
CONFIG_TEST_RANDOM_GENERATOR=y
CONFIG_TINYCRYPT=y
CONFIG_TINYCRYPT_AES=y
CONFIG_TINYCRYPT_AES_CCM=y

4
samples/microkernel/test/test_ccm_mode/prj_x86.conf Normal file
View file

@ -0,0 +1,4 @@
CONFIG_TEST_RANDOM_GENERATOR=y
CONFIG_TINYCRYPT=y
CONFIG_TINYCRYPT_AES=y
CONFIG_TINYCRYPT_AES_CCM=y

4
samples/microkernel/test/test_ccm_mode/testcase.ini Normal file
View file

@ -0,0 +1,4 @@
[test]
tags = crypto aes ccm
build_only = false
arch_whitelist = x86 arm

7
samples/microkernel/test/test_cmac_mode/Makefile Normal file
View file

@ -0,0 +1,7 @@
BOARD ?= qemu_x86
MDEF_FILE = prj.mdef
KERNEL_TYPE = micro
CONF_FILE = prj_$(ARCH).conf
SOURCE_DIR = $(ZEPHYR_BASE)/samples/crypto/test_cmac_mode/
include $(ZEPHYR_BASE)/Makefile.inc

51
samples/microkernel/test/test_cmac_mode/README.txt Normal file
View file

@ -0,0 +1,51 @@
Title: test_aes_cmac
Description:
This test verifies that the TinyCrypt AES APIs operate as expected.
--------------------------------------------------------------------------------
Building and Running Project:
This microkernel project outputs to the console. It can be built and executed
on QEMU as follows:
make qemu
--------------------------------------------------------------------------------
Troubleshooting:
Problems caused by out-dated project information can be addressed by
issuing one of the following commands then rebuilding the project:
make clean # discard results of previous builds
# but keep existing configuration info
or
make pristine # discard results of previous builds
# and restore pre-defined configuration info
--------------------------------------------------------------------------------
Sample Output:
tc_start() - Performing CMAC tests:
Performing CMAC test #1 (GF(2^128) double):
===================================================================
PASS - verify_gf_2_128_double.
Performing CMAC test #2 (SP 800-38B test vector #1):
===================================================================
PASS - verify_cmac_null_msg.
Performing CMAC test #3 (SP 800-38B test vector #2):
===================================================================
PASS - verify_cmac_1_block_msg.
Performing CMAC test #4 (SP 800-38B test vector #3):
===================================================================
PASS - verify_cmac_320_bit_msg.
Performing CMAC test #5 (SP 800-38B test vector #4)
===================================================================
PASS - verify_cmac_512_bit_msg.
All CMAC tests succeeded!
===================================================================
PASS - mainloop.
===================================================================
PROJECT EXECUTION SUCCESSFUL

5
samples/microkernel/test/test_cmac_mode/prj.mdef Normal file
View file

@ -0,0 +1,5 @@
% Application : test AES-CMAC mode TinyCrypt APIs
% TASK NAME PRIO ENTRY STACK GROUPS
% ====================================================
TASK tStartTask 5 mainloop 1024 [EXE]

4
samples/microkernel/test/test_cmac_mode/prj_arm.conf Normal file
View file

@ -0,0 +1,4 @@
CONFIG_TEST_RANDOM_GENERATOR=y
CONFIG_TINYCRYPT=y
CONFIG_TINYCRYPT_AES=y
CONFIG_TINYCRYPT_AES_CMAC=y

4
samples/microkernel/test/test_cmac_mode/prj_x86.conf Normal file
View file

@ -0,0 +1,4 @@
CONFIG_TEST_RANDOM_GENERATOR=y
CONFIG_TINYCRYPT=y
CONFIG_TINYCRYPT_AES=y
CONFIG_TINYCRYPT_AES_CMAC=y

4
samples/microkernel/test/test_cmac_mode/testcase.ini Normal file
View file

@ -0,0 +1,4 @@
[test]
tags = crypto aes cmac
build_only = false
arch_whitelist = x86 arm