1 /*
2  * Copyright 2013 The Android Open Source Project
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions are met:
6  *     * Redistributions of source code must retain the above copyright
7  *       notice, this list of conditions and the following disclaimer.
8  *     * Redistributions in binary form must reproduce the above copyright
9  *       notice, this list of conditions and the following disclaimer in the
10  *       documentation and/or other materials provided with the distribution.
11  *     * Neither the name of Google Inc. nor the names of its contributors may
12  *       be used to endorse or promote products derived from this software
13  *       without specific prior written permission.
14  *
15  * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
17  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
18  * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
20  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
21  * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
22  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
23  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
24  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #ifndef SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_
28 #define SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_
29 
30 // Collection of routines manipulating 256 bit unsigned integers.
31 // Just enough to implement ecdsa-p256 and related algorithms.
32 
33 #include <stdint.h>
34 
35 #ifdef __cplusplus
36 extern "C" {
37 #endif
38 
39 #define P256_BITSPERDIGIT 64
40 #define P256_NDIGITS 4
41 #define P256_NBYTES 32
42 
43 // n' such as n * n' = -1 mod (2^64)
44 #define P256_MONTGOMERY_FACTOR 0xCCD1C8AAEE00BC4F
45 
46 #define P256_LITERAL(lo,hi) (((uint32_t) (lo)) + (((uint64_t) (hi)) << 32))
47 
48 typedef int cryptonite_p256_err;
49 typedef uint64_t cryptonite_p256_digit;
50 typedef int64_t cryptonite_p256_sdigit;
51 typedef __uint128_t cryptonite_p256_ddigit;
52 typedef __int128_t cryptonite_p256_sddigit;
53 
54 // Defining cryptonite_p256_int as struct to leverage struct assigment.
55 typedef struct {
56   cryptonite_p256_digit a[P256_NDIGITS];
57 } cryptonite_p256_int;
58 
59 extern const cryptonite_p256_int cryptonite_SECP256r1_n;  // Curve order
60 extern const cryptonite_p256_int cryptonite_SECP256r1_p;  // Curve prime
61 extern const cryptonite_p256_int cryptonite_SECP256r1_b;  // Curve param
62 
63 // Initialize a cryptonite_p256_int to zero.
64 void cryptonite_p256_init(cryptonite_p256_int* a);
65 
66 // Clear a cryptonite_p256_int to zero.
67 void cryptonite_p256_clear(cryptonite_p256_int* a);
68 
69 // Return bit. Index 0 is least significant.
70 int cryptonite_p256_get_bit(const cryptonite_p256_int* a, int index);
71 
72 // b := a % MOD
73 void cryptonite_p256_mod(
74     const cryptonite_p256_int* MOD,
75     const cryptonite_p256_int* a,
76     cryptonite_p256_int* b);
77 
78 // c := a * (top_b | b) % MOD
79 void cryptonite_p256_modmul(
80     const cryptonite_p256_int* MOD,
81     const cryptonite_p256_int* a,
82     const cryptonite_p256_digit top_b,
83     const cryptonite_p256_int* b,
84     cryptonite_p256_int* c);
85 
86 // b := 1 / a % MOD
87 // MOD best be SECP256r1_n
88 void cryptonite_p256_modinv(
89     const cryptonite_p256_int* MOD,
90     const cryptonite_p256_int* a,
91     cryptonite_p256_int* b);
92 
93 // b := 1 / a % MOD
94 // MOD best be SECP256r1_n
95 // Faster than cryptonite_p256_modinv()
96 void cryptonite_p256_modinv_vartime(
97     const cryptonite_p256_int* MOD,
98     const cryptonite_p256_int* a,
99     cryptonite_p256_int* b);
100 
101 // b := a << (n % P256_BITSPERDIGIT)
102 // Returns the bits shifted out of most significant digit.
103 cryptonite_p256_digit cryptonite_p256_shl(const cryptonite_p256_int* a, int n, cryptonite_p256_int* b);
104 
105 // b := a >> (n % P256_BITSPERDIGIT)
106 void cryptonite_p256_shr(const cryptonite_p256_int* a, int n, cryptonite_p256_int* b);
107 
108 int cryptonite_p256_is_zero(const cryptonite_p256_int* a);
109 int cryptonite_p256_is_odd(const cryptonite_p256_int* a);
110 int cryptonite_p256_is_even(const cryptonite_p256_int* a);
111 
112 // Returns -1, 0 or 1.
113 int cryptonite_p256_cmp(const cryptonite_p256_int* a, const cryptonite_p256_int *b);
114 
115 // c: = a - b
116 // Returns -1 on borrow.
117 int cryptonite_p256_sub(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c);
118 
119 // c := a + b
120 // Returns 1 on carry.
121 int cryptonite_p256_add(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c);
122 
123 // c := a + (single digit)b
124 // Returns carry 1 on carry.
125 int cryptonite_p256_add_d(const cryptonite_p256_int* a, cryptonite_p256_digit b, cryptonite_p256_int* c);
126 
127 // ec routines.
128 
129 // {out_x,out_y} := nG
130 void cryptonite_p256_base_point_mul(const cryptonite_p256_int *n,
131                          cryptonite_p256_int *out_x,
132                          cryptonite_p256_int *out_y);
133 
134 // {out_x,out_y} := n{in_x,in_y}
135 void cryptonite_p256_point_mul(const cryptonite_p256_int *n,
136                     const cryptonite_p256_int *in_x,
137                     const cryptonite_p256_int *in_y,
138                     cryptonite_p256_int *out_x,
139                     cryptonite_p256_int *out_y);
140 
141 // {out_x,out_y} := n1G + n2{in_x,in_y}
142 void cryptonite_p256_points_mul_vartime(
143     const cryptonite_p256_int *n1, const cryptonite_p256_int *n2,
144     const cryptonite_p256_int *in_x, const cryptonite_p256_int *in_y,
145     cryptonite_p256_int *out_x, cryptonite_p256_int *out_y);
146 
147 // Return whether point {x,y} is on curve.
148 int cryptonite_p256_is_valid_point(const cryptonite_p256_int* x, const cryptonite_p256_int* y);
149 
150 // Outputs big-endian binary form. No leading zero skips.
151 void cryptonite_p256_to_bin(const cryptonite_p256_int* src, uint8_t dst[P256_NBYTES]);
152 
153 // Reads from big-endian binary form,
154 // thus pre-pad with leading zeros if short.
155 void cryptonite_p256_from_bin(const uint8_t src[P256_NBYTES], cryptonite_p256_int* dst);
156 
157 #define P256_DIGITS(x) ((x)->a)
158 #define P256_DIGIT(x,y) ((x)->a[y])
159 
160 #define P256_ZERO {{0}}
161 #define P256_ONE {{1}}
162 
163 #ifdef __cplusplus
164 }
165 #endif
166 
167 #endif  // SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_
168