-/* Copyright (c) 2015, Google Inc.
+/* ====================================================================
+ * Copyright (c) 2016 The OpenSSL Project. All rights reserved.
*
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
/* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
- * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
- * public domain but this file has the ISC license just to keep licencing
- * simple.
+ * 20141124 (http://bench.cr.yp.to/supercop.html).
*
* The field functions are shared by Ed25519 and X25519 where possible. */
-#include <openssl/curve25519.h>
-
#include <string.h>
-
-#include <openssl/cpu.h>
-#include <openssl/mem.h>
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-
-#include "internal.h"
+#include "ec_lcl.h"
/* fe means field element. Here the field is \Z/(2^255-19). An element t,
fe_mul(out, t1, t0);
}
+#if 0 /* Ed25519 code: not used yet */
+
/* h = -f
*
* Preconditions:
*
* Preconditions: b in {0,1}. */
static void fe_cmov(fe f, const fe g, unsigned b) {
+ size_t i;
b = 0-b;
- unsigned i;
for (i = 0; i < 10; i++) {
int32_t x = f[i] ^ g[i];
x &= b;
* |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
static int fe_isnonzero(const fe f) {
uint8_t s[32];
- fe_tobytes(s, f);
-
static const uint8_t zero[32] = {0};
+
+ fe_tobytes(s, f);
return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;
}
return CRYPTO_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
}
+#endif /* Ed25519 */
+
-#if defined(BORINGSSL_X25519_X86_64)
+#if defined(OPENSSL_X25519_X86_64)
static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
const uint8_t point[32]) {
*
* Preconditions: b in {0,1}. */
static void fe_cswap(fe f, fe g, unsigned int b) {
+ size_t i;
b = 0-b;
- unsigned i;
for (i = 0; i < 10; i++) {
int32_t x = f[i] ^ g[i];
x &= b;
const uint8_t scalar[32],
const uint8_t point[32]) {
fe x1, x2, z2, x3, z3, tmp0, tmp1;
-
uint8_t e[32];
+ unsigned swap = 0;
+ int pos;
+
memcpy(e, scalar, 32);
e[0] &= 248;
e[31] &= 127;
fe_copy(x3, x1);
fe_1(z3);
- unsigned swap = 0;
- int pos;
for (pos = 254; pos >= 0; --pos) {
unsigned b = 1 & (e[pos / 8] >> (pos & 7));
swap ^= b;
static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
const uint8_t point[32]) {
-#if defined(BORINGSSL_X25519_NEON)
+#if defined(OPENSSL_X25519_NEON)
if (CRYPTO_is_NEON_capable()) {
x25519_NEON(out, scalar, point);
return;
x25519_scalar_mult_generic(out, scalar, point);
}
-#endif /* BORINGSSL_X25519_X86_64 */
-
+#endif /* OPENSSL_X25519_X86_64 */
+#if 0
void X25519_keypair(uint8_t out_public_value[32], uint8_t out_private_key[32]) {
RAND_bytes(out_private_key, 32);
X25519_public_from_private(out_public_value, out_private_key);
}
+#endif
+
int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
const uint8_t peer_public_value[32]) {
static const uint8_t kZeros[32] = {0};
return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
}
-#if defined(BORINGSSL_X25519_X86_64)
+#if 0
+
+#if defined(OPENSSL_X25519_X86_64)
-/* When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
+/* When |OPENSSL_X25519_X86_64| is set, base point multiplication is done with
* the Montgomery ladder because it's faster. Otherwise it's done using the
* Ed25519 tables. */
void X25519_public_from_private(uint8_t out_public_value[32],
const uint8_t private_key[32]) {
-#if defined(BORINGSSL_X25519_NEON)
+ uint8_t e[32];
+ ge_p3 A;
+ fe zplusy, zminusy, zminusy_inv;
+
+#if defined(OPENSSL_X25519_NEON)
if (CRYPTO_is_NEON_capable()) {
static const uint8_t kMongomeryBasePoint[32] = {9};
x25519_NEON(out_public_value, private_key, kMongomeryBasePoint);
}
#endif
- uint8_t e[32];
memcpy(e, private_key, 32);
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
- ge_p3 A;
ge_scalarmult_base(&A, e);
/* We only need the u-coordinate of the curve25519 point. The map is
* u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y). */
- fe zplusy, zminusy, zminusy_inv;
fe_add(zplusy, A.Z, A.Y);
fe_sub(zminusy, A.Z, A.Y);
fe_invert(zminusy_inv, zminusy);
fe_tobytes(out_public_value, zplusy);
}
-#endif /* BORINGSSL_X25519_X86_64 */
+#endif /* OPENSSL_X25519_X86_64 */
+
+#endif