mirror of
https://notabug.org/litucks/torzu.git
synced 2024-11-23 06:49:42 +00:00
Downgraded mbedtls and updated for latest dynarmic
This commit is contained in:
parent
9bb9b8b30b
commit
920e2504c3
2
externals/mbedtls/.gitattributes
vendored
@ -1,2 +0,0 @@
|
|||||||
# Classify all '.function' files as C for syntax highlighting purposes
|
|
||||||
*.function linguist-language=C
|
|
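Review bot: the commit message "Downgraded mbedtls and updated for latest dynarmic" records neither the upstream mbedtls tag the vendored tree now matches nor why the downgrade was needed, and this hunk is the first of a sweep that also deletes upstream tooling files (`.github/`, `.mypy.ini`, `.readthedocs.yaml`, `.uncrustify.cfg` further down). For a vendored crypto library the exact version should be stated in the message so that fixes present in the newer release and dropped here can be tracked; consider also splitting the tooling-file churn from the library source changes so each can be reviewed on its own.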
@ -1,35 +0,0 @@
|
|||||||
---
|
|
||||||
name: Bug report
|
|
||||||
about: To report a bug, please fill this form.
|
|
||||||
title: ''
|
|
||||||
labels: ''
|
|
||||||
assignees: ''
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
### Summary
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### System information
|
|
||||||
|
|
||||||
Mbed TLS version (number or commit id):
|
|
||||||
Operating system and version:
|
|
||||||
Configuration (if not default, please attach `mbedtls_config.h`):
|
|
||||||
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
|
|
||||||
Additional environment information:
|
|
||||||
|
|
||||||
### Expected behavior
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Actual behavior
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Steps to reproduce
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Additional information
|
|
||||||
|
|
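Review bot: GitHub only reads issue and pull-request templates from `.github/` at the repository root, so this `bug_report.md` under `externals/mbedtls/.github/` was never active in this repository, and neither is the `issue_template.md` added below in its place. Rather than tracking upstream's template changes with every version bump, the whole `externals/mbedtls/.github/` directory could be left out of the vendored tree.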
@ -1,8 +0,0 @@
|
|||||||
blank_issues_enabled: false
|
|
||||||
contact_links:
|
|
||||||
- name: Mbed TLS security team
|
|
||||||
url: mailto:mbed-tls-security@lists.trustedfirmware.org
|
|
||||||
about: Report a security vulnerability.
|
|
||||||
- name: Mbed TLS mailing list
|
|
||||||
url: https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirmware.org
|
|
||||||
about: Mbed TLS community support and general discussion.
|
|
@ -1,17 +0,0 @@
|
|||||||
---
|
|
||||||
name: Enhancement request
|
|
||||||
about: To request an enhancement, please fill this form.
|
|
||||||
title: ''
|
|
||||||
labels: ''
|
|
||||||
assignees: ''
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
### Suggested enhancement
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Justification
|
|
||||||
|
|
||||||
Mbed TLS needs this because
|
|
||||||
|
|
41
externals/mbedtls/.github/issue_template.md
vendored
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
Note: This is just a template, so feel free to use/remove the unnecessary things
|
||||||
|
|
||||||
|
### Description
|
||||||
|
- Type: Bug | Enhancement\Feature Request | Question
|
||||||
|
- Priority: Blocker | Major | Minor
|
||||||
|
|
||||||
|
---------------------------------------------------------------
|
||||||
|
## Bug
|
||||||
|
|
||||||
|
**OS**
|
||||||
|
Mbed OS|linux|windows|
|
||||||
|
|
||||||
|
**mbed TLS build:**
|
||||||
|
Version: x.x.x or git commit id
|
||||||
|
OS version: x.x.x
|
||||||
|
Configuration: please attach config.h file where possible
|
||||||
|
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
|
||||||
|
Additional environment information:
|
||||||
|
|
||||||
|
**Peer device TLS stack and version**
|
||||||
|
OpenSSL|GnuTls|Chrome|NSS(Firefox)|SecureChannel (IIS/Internet Explorer/Edge)|Other
|
||||||
|
Version:
|
||||||
|
|
||||||
|
**Expected behavior**
|
||||||
|
|
||||||
|
**Actual behavior**
|
||||||
|
|
||||||
|
**Steps to reproduce**
|
||||||
|
|
||||||
|
----------------------------------------------------------------
|
||||||
|
## Enhancement\Feature Request
|
||||||
|
|
||||||
|
**Justification - why does the library need this feature?**
|
||||||
|
|
||||||
|
**Suggested enhancement**
|
||||||
|
|
||||||
|
-----------------------------------------------------------------
|
||||||
|
|
||||||
|
## Question
|
||||||
|
|
||||||
|
**Please first check for answers in the [Mbed TLS knowledge Base](https://tls.mbed.org/kb), and preferably file an issue in the [Mbed TLS support forum](https://forums.mbed.com/c/mbed-tls)**
|
@ -1,27 +1,36 @@
|
|||||||
|
Notes:
|
||||||
|
* Pull requests cannot be accepted until the PR follows the [contributing guidelines](../CONTRIBUTING.md). In particular, each commit must have at least one `Signed-off-by:` line from the committer to certify that the contribution is made under the terms of the [Developer Certificate of Origin](../dco.txt).
|
||||||
|
* This is just a template, so feel free to use/remove the unnecessary things
|
||||||
## Description
|
## Description
|
||||||
|
A few sentences describing the overall goals of the pull request's commits.
|
||||||
Please write a few sentences describing the overall goals of the pull request's commits.
|
|
||||||
|
|
||||||
|
|
||||||
|
## Status
|
||||||
|
**READY/IN DEVELOPMENT/HOLD**
|
||||||
|
|
||||||
## PR checklist
|
## Requires Backporting
|
||||||
|
When there is a bug fix, it should be backported to all maintained and supported branches.
|
||||||
|
Changes do not have to be backported if:
|
||||||
|
- This PR is a new feature\enhancement
|
||||||
|
- This PR contains changes in the API. If this is true, and there is a need for the fix to be backported, the fix should be handled differently in the legacy branch
|
||||||
|
|
||||||
Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")
|
Yes | NO
|
||||||
|
Which branch?
|
||||||
|
|
||||||
- [ ] **changelog** provided, or not required
|
## Migrations
|
||||||
- [ ] **backport** done, or not required
|
If there is any API change, what's the incentive and logic for it.
|
||||||
- [ ] **tests** provided, or not required
|
|
||||||
|
YES | NO
|
||||||
|
|
||||||
|
## Additional comments
|
||||||
|
Any additional information that could be of interest
|
||||||
|
|
||||||
|
## Todos
|
||||||
|
- [ ] Tests
|
||||||
|
- [ ] Documentation
|
||||||
|
- [ ] Changelog updated
|
||||||
|
- [ ] Backported
|
||||||
|
|
||||||
|
|
||||||
|
## Steps to test or reproduce
|
||||||
## Notes for the submitter
|
Outline the steps to test or reproduce the PR here.
|
||||||
|
|
||||||
Please refer to the [contributing guidelines](https://github.com/Mbed-TLS/mbedtls/blob/development/CONTRIBUTING.md), especially the
|
|
||||||
checklist for PR contributors.
|
|
||||||
|
|
||||||
Help make review efficient:
|
|
||||||
* Multiple simple commits
|
|
||||||
- please structure your PR into a series of small commits, each of which does one thing
|
|
||||||
* Avoid force-push
|
|
||||||
- please do not force-push to update your PR - just add new commit(s)
|
|
||||||
* See our [Guidelines for Contributors](https://mbed-tls.readthedocs.io/en/latest/reviews/review-for-contributors/) for more details about the review process.
|
|
||||||
|
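Review bot: the right-hand side drops the `Signed-off-by:`/Developer Certificate of Origin note and the `changelog` / `backport` / `tests` checklist in favour of free-text `YES | NO` prompts. As with the issue templates, nothing under `externals/mbedtls/.github/` is read by GitHub for this repository, so this hunk is diff noise only; if a template is to be kept in the vendored tree at all, the left-hand checklist is the more useful one.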
25
externals/mbedtls/.gitignore
vendored
@ -1,7 +1,5 @@
|
|||||||
# Random seed file created by test scripts and sample programs
|
# Random seed file created by test scripts and sample programs
|
||||||
seedfile
|
seedfile
|
||||||
# MBEDTLS_PSA_INJECT_ENTROPY seed file created by the test framework
|
|
||||||
00000000ffffff52.psa_its
|
|
||||||
|
|
||||||
# CMake build artifacts:
|
# CMake build artifacts:
|
||||||
CMakeCache.txt
|
CMakeCache.txt
|
||||||
@ -20,19 +18,10 @@ Testing
|
|||||||
Coverage
|
Coverage
|
||||||
*.gcno
|
*.gcno
|
||||||
*.gcda
|
*.gcda
|
||||||
coverage-summary.txt
|
|
||||||
|
|
||||||
# generated by scripts/memory.sh
|
# generated by scripts/memory.sh
|
||||||
massif-*
|
massif-*
|
||||||
|
|
||||||
# Eclipse project files
|
|
||||||
.cproject
|
|
||||||
.project
|
|
||||||
/.settings
|
|
||||||
|
|
||||||
# Unix-like build artifacts:
|
|
||||||
*.o
|
|
||||||
|
|
||||||
# MSVC build artifacts:
|
# MSVC build artifacts:
|
||||||
*.exe
|
*.exe
|
||||||
*.pdb
|
*.pdb
|
||||||
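Review bot: the right-hand side removes `*.o`, `coverage-summary.txt` and the Eclipse entries (`.cproject`, `.project`, `/.settings`). With `*.o` gone, object files from an in-tree `make` under `externals/mbedtls/` are only kept out of commits if this repository's top-level `.gitignore` covers them; please confirm that before merging, or keep the `*.o` line in this file.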
@ -42,18 +31,9 @@ massif-*
|
|||||||
# Python build artifacts:
|
# Python build artifacts:
|
||||||
*.pyc
|
*.pyc
|
||||||
|
|
||||||
# CMake generates *.dir/ folders for in-tree builds (used by MSVC projects), ignore all of those:
|
|
||||||
*.dir/
|
|
||||||
|
|
||||||
# Microsoft CMake extension for Visual Studio Code generates a build directory by default
|
|
||||||
/build/
|
|
||||||
|
|
||||||
# Generated documentation:
|
# Generated documentation:
|
||||||
/apidoc
|
/apidoc
|
||||||
|
|
||||||
# PSA Crypto compliance test repo, cloned by test_psa_compliance.py
|
|
||||||
/psa-arch-tests
|
|
||||||
|
|
||||||
# Editor navigation files:
|
# Editor navigation files:
|
||||||
/GPATH
|
/GPATH
|
||||||
/GRTAGS
|
/GRTAGS
|
||||||
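Review bot: same concern for `*.dir/`, `/build/` and `/psa-arch-tests` removed in this hunk. The deleted comment notes that `/build/` is the default output directory of the VS Code CMake extension, so a stray build tree under the vendored directory becomes a commit candidate unless a higher-level `.gitignore` already excludes it.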
@ -62,8 +42,3 @@ massif-*
|
|||||||
/TAGS
|
/TAGS
|
||||||
/cscope*.out
|
/cscope*.out
|
||||||
/tags
|
/tags
|
||||||
|
|
||||||
# clangd compilation database
|
|
||||||
compile_commands.json
|
|
||||||
# clangd index files
|
|
||||||
/.cache/clangd/index/
|
|
||||||
|
4
externals/mbedtls/.mypy.ini
vendored
@ -1,4 +0,0 @@
|
|||||||
[mypy]
|
|
||||||
mypy_path = scripts
|
|
||||||
namespace_packages = True
|
|
||||||
warn_unused_configs = True
|
|
14
externals/mbedtls/.pylintrc
vendored
@ -1,7 +1,3 @@
|
|||||||
[MASTER]
|
|
||||||
init-hook='import sys; sys.path.append("scripts")'
|
|
||||||
min-similarity-lines=10
|
|
||||||
|
|
||||||
[BASIC]
|
[BASIC]
|
||||||
# We're ok with short funtion argument names.
|
# We're ok with short funtion argument names.
|
||||||
# [invalid-name]
|
# [invalid-name]
|
||||||
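Review bot: with `init-hook='import sys; sys.path.append("scripts")'` removed from `[MASTER]`, pylint run from the tree root is likely to report `import-error` for any script that imports helper modules from `scripts/`. If the downgraded scripts no longer share modules that way this is fine; otherwise keep the hook, and note that `min-similarity-lines=10` goes with it.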
@ -16,9 +12,9 @@ bad-functions=input
|
|||||||
# [missing-docstring]
|
# [missing-docstring]
|
||||||
docstring-min-length=10
|
docstring-min-length=10
|
||||||
|
|
||||||
# No upper limit on method names. Pylint <2.1.0 has an upper limit of 30.
|
# Allow longer methods than the default.
|
||||||
# [invalid-name]
|
# [invalid-name]
|
||||||
method-rgx=[a-z_][a-z0-9_]{2,}$
|
method-rgx=[a-z_][a-z0-9_]{2,35}$
|
||||||
|
|
||||||
# Allow module names containing a dash (but no underscore or uppercase letter).
|
# Allow module names containing a dash (but no underscore or uppercase letter).
|
||||||
# They are whole programs, not meant to be included by another module.
|
# They are whole programs, not meant to be included by another module.
|
||||||
@ -27,7 +23,7 @@ module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+)|[a-z][-0-9a-z]+)$
|
|||||||
|
|
||||||
# Some functions don't need docstrings.
|
# Some functions don't need docstrings.
|
||||||
# [missing-docstring]
|
# [missing-docstring]
|
||||||
no-docstring-rgx=(run_)?main$
|
no-docstring-rgx=(run_)main$
|
||||||
|
|
||||||
# We're ok with short local or global variable names.
|
# We're ok with short local or global variable names.
|
||||||
# [invalid-name]
|
# [invalid-name]
|
||||||
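Review bot: the right-hand `no-docstring-rgx=(run_)main$` looks like a typo. Without the `?` the `(run_)` group is mandatory, so a bare `main` function is no longer exempt from `missing-docstring` while `run_main` still is. The left-hand `(run_)?main$` matches both, which is what the unchanged comment "Some functions don't need docstrings." intends; keep the `?`.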
@ -74,7 +70,3 @@ reports=no
|
|||||||
# Allow unused variables if their name starts with an underscore.
|
# Allow unused variables if their name starts with an underscore.
|
||||||
# [unused-argument]
|
# [unused-argument]
|
||||||
dummy-variables-rgx=_.*
|
dummy-variables-rgx=_.*
|
||||||
|
|
||||||
[SIMILARITIES]
|
|
||||||
# Ignore imports when computing similarities.
|
|
||||||
ignore-imports=yes
|
|
||||||
|
32
externals/mbedtls/.readthedocs.yaml
vendored
@ -1,32 +0,0 @@
|
|||||||
# .readthedocs.yaml
|
|
||||||
# Read the Docs configuration file
|
|
||||||
# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
|
|
||||||
|
|
||||||
# Required
|
|
||||||
version: 2
|
|
||||||
|
|
||||||
# Set the version of Python and other tools you might need
|
|
||||||
build:
|
|
||||||
os: ubuntu-20.04
|
|
||||||
tools:
|
|
||||||
python: "3.9"
|
|
||||||
jobs:
|
|
||||||
pre_build:
|
|
||||||
- ./scripts/apidoc_full.sh
|
|
||||||
- breathe-apidoc -o docs/api apidoc/xml
|
|
||||||
post_build:
|
|
||||||
- |
|
|
||||||
# Work around Readthedocs bug: Command parsing fails if the 'if' statement is on the first line
|
|
||||||
if [ "$READTHEDOCS_VERSION" = "development" ]; then
|
|
||||||
"$READTHEDOCS_VIRTUALENV_PATH/bin/rtd" projects "Mbed TLS API" redirects sync --wet-run -f docs/redirects.yaml
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Build documentation in the docs/ directory with Sphinx
|
|
||||||
sphinx:
|
|
||||||
builder: dirhtml
|
|
||||||
configuration: docs/conf.py
|
|
||||||
|
|
||||||
# Optionally declare the Python requirements required to build your docs
|
|
||||||
python:
|
|
||||||
install:
|
|
||||||
- requirements: docs/requirements.txt
|
|
62
externals/mbedtls/.travis.yml
vendored
@ -1,24 +1,60 @@
|
|||||||
# Declare python as our language. This way we get our chosen Python version,
|
language: c
|
||||||
# and pip is available. Gcc and clang are available anyway.
|
compiler: gcc
|
||||||
dist: jammy
|
sudo: false
|
||||||
os: linux
|
|
||||||
language: python
|
|
||||||
python: 3.10
|
|
||||||
|
|
||||||
cache: ccache
|
cache: ccache
|
||||||
|
|
||||||
branches:
|
jobs:
|
||||||
only:
|
include:
|
||||||
coverity_scan
|
- name: basic checks and reference configurations
|
||||||
|
addons:
|
||||||
|
apt:
|
||||||
|
packages:
|
||||||
|
- gnutls-bin
|
||||||
|
- doxygen
|
||||||
|
- graphviz
|
||||||
|
- gcc-arm-none-eabi
|
||||||
|
- libnewlib-arm-none-eabi
|
||||||
|
language: python # Needed to get pip for Python 3
|
||||||
|
python: 3.5 # version from Ubuntu 16.04
|
||||||
|
install:
|
||||||
|
- pip install pylint==2.4.4
|
||||||
|
script:
|
||||||
|
- tests/scripts/all.sh -k 'check_*'
|
||||||
|
- tests/scripts/all.sh -k test_default_out_of_box
|
||||||
|
- tests/scripts/test-ref-configs.pl
|
||||||
|
- tests/scripts/all.sh -k build_arm_none_eabi_gcc_arm5vte build_arm_none_eabi_gcc_m0plus
|
||||||
|
|
||||||
install:
|
- name: full configuration
|
||||||
- $PYTHON scripts/min_requirements.py
|
script:
|
||||||
|
- tests/scripts/all.sh -k test_full_cmake_gcc_asan
|
||||||
|
|
||||||
|
- name: check compilation guards
|
||||||
|
script:
|
||||||
|
- tests/scripts/all.sh -k 'test_depends_*' 'build_key_exchanges'
|
||||||
|
|
||||||
|
- name: macOS
|
||||||
|
os: osx
|
||||||
|
compiler: clang
|
||||||
|
script:
|
||||||
|
- tests/scripts/all.sh -k test_default_out_of_box
|
||||||
|
|
||||||
|
- name: Windows
|
||||||
|
os: windows
|
||||||
|
script:
|
||||||
|
- scripts/windows_msbuild.bat v141 # Visual Studio 2017
|
||||||
|
|
||||||
|
after_failure:
|
||||||
|
- tests/scripts/travis-log-failure.sh
|
||||||
|
|
||||||
env:
|
env:
|
||||||
global:
|
global:
|
||||||
- SEED=1
|
- SEED=1
|
||||||
- secure: "GF/Fde5fkm15T/RNykrjrPV5Uh1KJ70cP308igL6Xkk3eJmqkkmWCe9JqRH12J3TeWw2fu9PYPHt6iFSg6jasgqysfUyg+W03knRT5QNn3h5eHgt36cQJiJr6t3whPrRaiM6U9omE0evm+c0cAwlkA3GGSMw8Z+na4EnKI6OFCo="
|
- secure: "FrI5d2s+ckckC17T66c8jm2jV6i2DkBPU5nyWzwbedjmEBeocREfQLd/x8yKpPzLDz7ghOvr+/GQvsPPn0dVkGlNzm3Q+hGHc/ujnASuUtGrcuMM+0ALnJ3k4rFr9xEvjJeWb4SmhJO5UCAZYvTItW4k7+bj9L+R6lt3TzQbXzg="
|
||||||
|
|
||||||
addons:
|
addons:
|
||||||
|
apt:
|
||||||
|
packages:
|
||||||
|
- gnutls-bin
|
||||||
coverity_scan:
|
coverity_scan:
|
||||||
project:
|
project:
|
||||||
name: "ARMmbed/mbedtls"
|
name: "ARMmbed/mbedtls"
|
||||||
|
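Review bot: the right-hand side pins `python: 3.5` and `pip install pylint==2.4.4`, reintroduces the deprecated `sudo: false` key, and swaps the Coverity `secure:` blob. All of this is upstream CI configuration: Travis only reads `.travis.yml` from the repository root, so inside `externals/mbedtls/` the file is inert, and the `secure:` value is an encrypted variable bound to the upstream project named in `coverity_scan.project.name` (`ARMmbed/mbedtls`), which cannot be decrypted or used here. Dropping the file from the vendored tree is cleaner than carrying upstream's CI secrets and version pins.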
240
externals/mbedtls/.uncrustify.cfg
vendored
@ -1,240 +0,0 @@
|
|||||||
# Configuration options for Uncrustify specifying the Mbed TLS code style.
|
|
||||||
#
|
|
||||||
# Note: The code style represented by this file has not yet been introduced
|
|
||||||
# to Mbed TLS.
|
|
||||||
#
|
|
||||||
# Copyright The Mbed TLS Contributors
|
|
||||||
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
|
||||||
|
|
||||||
|
|
||||||
# Wrap lines at 100 characters
|
|
||||||
code_width = 100
|
|
||||||
|
|
||||||
# Allow splitting long for statements between the condition statements
|
|
||||||
ls_for_split_full = true
|
|
||||||
|
|
||||||
# Allow splitting function calls between arguments
|
|
||||||
ls_func_split_full = true
|
|
||||||
|
|
||||||
input_tab_size = 4
|
|
||||||
|
|
||||||
# Spaces-only indentation
|
|
||||||
indent_with_tabs = 0
|
|
||||||
|
|
||||||
indent_columns = 4
|
|
||||||
|
|
||||||
# Indent 'case' 1 level from 'switch'
|
|
||||||
indent_switch_case = indent_columns
|
|
||||||
|
|
||||||
# Line-up strings broken by '\'
|
|
||||||
indent_align_string = true
|
|
||||||
|
|
||||||
# Braces on the same line (Egyptian-style braces)
|
|
||||||
nl_enum_brace = remove
|
|
||||||
nl_union_brace = remove
|
|
||||||
nl_struct_brace = remove
|
|
||||||
nl_do_brace = remove
|
|
||||||
nl_if_brace = remove
|
|
||||||
nl_for_brace = remove
|
|
||||||
nl_else_brace = remove
|
|
||||||
nl_while_brace = remove
|
|
||||||
nl_switch_brace = remove
|
|
||||||
|
|
||||||
# Braces on same line as keywords that follow them - 'else' and the 'while' in 'do {} while ()';
|
|
||||||
nl_brace_else = remove
|
|
||||||
nl_brace_while = remove
|
|
||||||
# Space before else on the same line
|
|
||||||
sp_brace_else = add
|
|
||||||
# If else is on the same line as '{', force exactly 1 space between them
|
|
||||||
sp_else_brace = force
|
|
||||||
|
|
||||||
# Functions are the exception and have braces on the next line
|
|
||||||
nl_fcall_brace = add
|
|
||||||
nl_fdef_brace = add
|
|
||||||
|
|
||||||
# Force exactly one space between ')' and '{' in statements
|
|
||||||
sp_sparen_brace = force
|
|
||||||
|
|
||||||
# At least 1 space around assignment
|
|
||||||
sp_assign = add
|
|
||||||
|
|
||||||
# Remove spaces around the preprocessor '##' token-concatenate
|
|
||||||
sp_pp_concat = ignore
|
|
||||||
|
|
||||||
# At least 1 space around '||' and '&&'
|
|
||||||
sp_bool = add
|
|
||||||
|
|
||||||
# But no space after the '!' operator
|
|
||||||
sp_not = remove
|
|
||||||
|
|
||||||
# No space after the bitwise-not '~' operator
|
|
||||||
sp_inv = remove
|
|
||||||
|
|
||||||
# No space after the addressof '&' operator
|
|
||||||
sp_addr = remove
|
|
||||||
|
|
||||||
# No space around the member '.' and '->' operators
|
|
||||||
sp_member = remove
|
|
||||||
|
|
||||||
# No space after the dereference '*' operator
|
|
||||||
sp_deref = remove
|
|
||||||
|
|
||||||
# No space after a unary negation '-'
|
|
||||||
sp_sign = remove
|
|
||||||
|
|
||||||
# No space between the '++'/'--' operator and its operand
|
|
||||||
sp_incdec = remove
|
|
||||||
|
|
||||||
# At least 1 space around comparison operators
|
|
||||||
sp_compare = add
|
|
||||||
|
|
||||||
# Remove spaces inside all kinds of parentheses:
|
|
||||||
|
|
||||||
# Remove spaces inside parentheses
|
|
||||||
sp_inside_paren = remove
|
|
||||||
|
|
||||||
# No spaces inside statement parentheses
|
|
||||||
sp_inside_sparen = remove
|
|
||||||
|
|
||||||
# No spaces inside cast parentheses '( char )x' -> '(char)x'
|
|
||||||
sp_inside_paren_cast = remove
|
|
||||||
|
|
||||||
# No spaces inside function parentheses
|
|
||||||
sp_inside_fparen = remove
|
|
||||||
# (The case where the function has no parameters/arguments)
|
|
||||||
sp_inside_fparens = remove
|
|
||||||
|
|
||||||
# No spaces inside the first parentheses in a function type
|
|
||||||
sp_inside_tparen = remove
|
|
||||||
|
|
||||||
# (Uncrustify >= 0.74.0) No spaces inside parens in for statements
|
|
||||||
sp_inside_for = remove
|
|
||||||
|
|
||||||
# Remove spaces between nested parentheses '( (' -> '(('
|
|
||||||
sp_paren_paren = remove
|
|
||||||
# (Uncrustify >= 0.74.0)
|
|
||||||
sp_sparen_paren = remove
|
|
||||||
|
|
||||||
# Remove spaces between ')' and adjacent '('
|
|
||||||
sp_cparen_oparen = remove
|
|
||||||
|
|
||||||
# (Uncrustify >= 0.73.0) space between 'do' and '{'
|
|
||||||
sp_do_brace_open = force
|
|
||||||
|
|
||||||
# (Uncrustify >= 0.73.0) space between '}' and 'while'
|
|
||||||
sp_brace_close_while = force
|
|
||||||
|
|
||||||
# At least 1 space before a '*' pointer star
|
|
||||||
sp_before_ptr_star = add
|
|
||||||
|
|
||||||
# Remove spaces between pointer stars
|
|
||||||
sp_between_ptr_star = remove
|
|
||||||
|
|
||||||
# No space after a pointer star
|
|
||||||
sp_after_ptr_star = remove
|
|
||||||
|
|
||||||
# But allow a space in the case of e.g. char * const x;
|
|
||||||
sp_after_ptr_star_qualifier = ignore
|
|
||||||
|
|
||||||
# Remove space after star in a function return type
|
|
||||||
sp_after_ptr_star_func = remove
|
|
||||||
|
|
||||||
# At least 1 space after a type in variable definition etc
|
|
||||||
sp_after_type = add
|
|
||||||
|
|
||||||
# Force exactly 1 space between a statement keyword (e.g. 'if') and an opening parenthesis
|
|
||||||
sp_before_sparen = force
|
|
||||||
|
|
||||||
# Remove a space before a ';'
|
|
||||||
sp_before_semi = remove
|
|
||||||
# (Uncrustify >= 0.73.0) Remove space before a semi in a non-empty for
|
|
||||||
sp_before_semi_for = remove
|
|
||||||
# (Uncrustify >= 0.73.0) Remove space in empty first statement of a for
|
|
||||||
sp_before_semi_for_empty = remove
|
|
||||||
# (Uncrustify >= 0.74.0) Remove space in empty middle statement of a for
|
|
||||||
sp_between_semi_for_empty = remove
|
|
||||||
|
|
||||||
# Add a space after a ';' (unless a comment follows)
|
|
||||||
sp_after_semi = add
|
|
||||||
# (Uncrustify >= 0.73.0) Add a space after a semi in non-empty for statements
|
|
||||||
sp_after_semi_for = add
|
|
||||||
# (Uncrustify >= 0.73.0) No space after final semi in empty for statements
|
|
||||||
sp_after_semi_for_empty = remove
|
|
||||||
|
|
||||||
# Remove spaces on the inside of square brackets '[]'
|
|
||||||
sp_inside_square = remove
|
|
||||||
|
|
||||||
# Must have at least 1 space after a comma
|
|
||||||
sp_after_comma = add
|
|
||||||
|
|
||||||
# Must not have a space before a comma
|
|
||||||
sp_before_comma = remove
|
|
||||||
|
|
||||||
# No space before the ':' in a case statement
|
|
||||||
sp_before_case_colon = remove
|
|
||||||
|
|
||||||
# Must have space after a cast - '(char)x' -> '(char) x'
|
|
||||||
sp_after_cast = add
|
|
||||||
|
|
||||||
# No space between 'sizeof' and '('
|
|
||||||
sp_sizeof_paren = remove
|
|
||||||
|
|
||||||
# At least 1 space inside '{ }'
|
|
||||||
sp_inside_braces = add
|
|
||||||
|
|
||||||
# At least 1 space inside '{ }' in an enum
|
|
||||||
sp_inside_braces_enum = add
|
|
||||||
|
|
||||||
# At least 1 space inside '{ }' in a struct
|
|
||||||
sp_inside_braces_struct = add
|
|
||||||
|
|
||||||
# At least 1 space between a function return type and the function name
|
|
||||||
sp_type_func = add
|
|
||||||
|
|
||||||
# No space between a function name and its arguments/parameters
|
|
||||||
sp_func_proto_paren = remove
|
|
||||||
sp_func_def_paren = remove
|
|
||||||
sp_func_call_paren = remove
|
|
||||||
|
|
||||||
# No space between '__attribute__' and '('
|
|
||||||
sp_attribute_paren = remove
|
|
||||||
|
|
||||||
# No space between 'defined' and '(' in preprocessor conditions
|
|
||||||
sp_defined_paren = remove
|
|
||||||
|
|
||||||
# At least 1 space between a macro's name and its definition
|
|
||||||
sp_macro = add
|
|
||||||
sp_macro_func = add
|
|
||||||
|
|
||||||
# Force exactly 1 space between a '}' and the name of a typedef if on the same line
|
|
||||||
sp_brace_typedef = force
|
|
||||||
|
|
||||||
# At least 1 space before a '\' line continuation
|
|
||||||
sp_before_nl_cont = add
|
|
||||||
|
|
||||||
# At least 1 space around '?' and ':' in ternary statements
|
|
||||||
sp_cond_colon = add
|
|
||||||
sp_cond_question = add
|
|
||||||
|
|
||||||
# Space between #else/#endif and comment afterwards
|
|
||||||
sp_endif_cmt = add
|
|
||||||
|
|
||||||
# Remove newlines at the start of a file
|
|
||||||
nl_start_of_file = remove
|
|
||||||
|
|
||||||
# At least 1 newline at the end of a file
|
|
||||||
nl_end_of_file = add
|
|
||||||
nl_end_of_file_min = 1
|
|
||||||
|
|
||||||
# Add braces in single-line statements
|
|
||||||
mod_full_brace_do = add
|
|
||||||
mod_full_brace_for = add
|
|
||||||
mod_full_brace_if = add
|
|
||||||
mod_full_brace_while = add
|
|
||||||
|
|
||||||
# Remove parentheses from return statements
|
|
||||||
mod_paren_on_return = remove
|
|
||||||
|
|
||||||
# Disable removal of leading spaces in a multi-line comment if the first and
|
|
||||||
# last lines are the same length
|
|
||||||
cmt_multi_check_last = false
|
|
1
externals/mbedtls/3rdparty/.gitignore
vendored
@ -1 +0,0 @@
|
|||||||
/Makefile
|
|
2
externals/mbedtls/3rdparty/CMakeLists.txt
vendored
@ -1,2 +0,0 @@
|
|||||||
add_subdirectory(everest)
|
|
||||||
add_subdirectory(p256-m)
|
|
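Review bot: deleting `add_subdirectory(everest)` and `add_subdirectory(p256-m)` removes both optional ECC backends from the build. Anything in the parent project's CMake that referenced the everest target (named `${MBEDTLS_TARGET_PREFIX}everest` in the `3rdparty/everest/CMakeLists.txt` removed further down) will now fail to configure; please confirm the top-level build has no such reference, and that no consumer relied on the `MbedTLSTargets` export of that target.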
3
externals/mbedtls/3rdparty/Makefile.inc
vendored
@ -1,3 +0,0 @@
|
|||||||
THIRDPARTY_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
|
|
||||||
include $(THIRDPARTY_DIR)/everest/Makefile.inc
|
|
||||||
include $(THIRDPARTY_DIR)/p256-m/Makefile.inc
|
|
@ -1 +0,0 @@
|
|||||||
Makefile
|
|
@ -1,42 +0,0 @@
|
|||||||
set(everest_target "${MBEDTLS_TARGET_PREFIX}everest")
|
|
||||||
|
|
||||||
add_library(${everest_target}
|
|
||||||
library/everest.c
|
|
||||||
library/x25519.c
|
|
||||||
library/Hacl_Curve25519_joined.c)
|
|
||||||
|
|
||||||
target_include_directories(${everest_target}
|
|
||||||
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
|
|
||||||
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
|
|
||||||
$<INSTALL_INTERFACE:include>
|
|
||||||
PRIVATE include/everest
|
|
||||||
include/everest/kremlib
|
|
||||||
${MBEDTLS_DIR}/library/)
|
|
||||||
|
|
||||||
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
|
|
||||||
# This must be duplicated from library/CMakeLists.txt because
|
|
||||||
# everest is not directly linked against any mbedtls targets
|
|
||||||
# so does not inherit the compile definitions.
|
|
||||||
if(MBEDTLS_CONFIG_FILE)
|
|
||||||
target_compile_definitions(${everest_target}
|
|
||||||
PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
|
|
||||||
endif()
|
|
||||||
if(MBEDTLS_USER_CONFIG_FILE)
|
|
||||||
target_compile_definitions(${everest_target}
|
|
||||||
PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if(INSTALL_MBEDTLS_HEADERS)
|
|
||||||
|
|
||||||
install(DIRECTORY include/everest
|
|
||||||
DESTINATION include
|
|
||||||
FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
|
|
||||||
DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
|
|
||||||
FILES_MATCHING PATTERN "*.h")
|
|
||||||
|
|
||||||
endif(INSTALL_MBEDTLS_HEADERS)
|
|
||||||
|
|
||||||
install(TARGETS ${everest_target}
|
|
||||||
EXPORT MbedTLSTargets
|
|
||||||
DESTINATION ${CMAKE_INSTALL_LIBDIR}
|
|
||||||
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
|
|
@ -1,6 +0,0 @@
|
|||||||
THIRDPARTY_INCLUDES+=-I$(THIRDPARTY_DIR)/everest/include -I$(THIRDPARTY_DIR)/everest/include/everest -I$(THIRDPARTY_DIR)/everest/include/everest/kremlib
|
|
||||||
|
|
||||||
THIRDPARTY_CRYPTO_OBJECTS+= \
|
|
||||||
$(THIRDPARTY_DIR)/everest/library/everest.o \
|
|
||||||
$(THIRDPARTY_DIR)/everest/library/x25519.o \
|
|
||||||
$(THIRDPARTY_DIR)/everest/library/Hacl_Curve25519_joined.o
|
|
5
externals/mbedtls/3rdparty/everest/README.md
vendored
@ -1,5 +0,0 @@
|
|||||||
The files in this directory stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
|
|
||||||
|
|
||||||
This is a formally verified implementation of Curve25519-based handshakes. The C code is automatically derived from the (verified) [original implementation](https://github.com/project-everest/hacl-star/tree/master/code/curve25519) in the [F* language](https://github.com/fstarlang/fstar) by [KreMLin](https://github.com/fstarlang/kremlin). In addition to the improved safety and security of the implementation, it is also significantly faster than the default implementation of Curve25519 in mbedTLS.
|
|
||||||
|
|
||||||
The caveat is that not all platforms are supported, although the version in `everest/library/legacy` should work on most systems. The main issue is that some platforms do not provide a 128-bit integer type and KreMLin therefore has to use additional (also verified) code to simulate them, resulting in less of a performance gain overall. Explicitly supported platforms are currently `x86` and `x86_64` using gcc or clang, and Visual C (2010 and later).
|
|
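Review bot: this hunk removes the README describing the vendored Curve25519 as a formally verified implementation derived from HACL* via KreMLin, and together with the surrounding hunks the whole `3rdparty/everest` tree goes with it. After the downgrade X25519 key exchange falls back to the default Curve25519 implementation that this README itself describes as slower; the commit message should record that the verified backend is being given up, and whether the emulator's dynarmic requirement actually forces a downgrade this far back rather than to a release that still ships `3rdparty/`.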
@ -1,21 +0,0 @@
|
|||||||
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
|
|
||||||
Licensed under the Apache 2.0 License. */
|
|
||||||
|
|
||||||
/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
|
|
||||||
* KreMLin invocation: /mnt/e/everest/verify/kremlin/krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -fbuiltin-uint128 -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -I /mnt/e/everest/verify/hacl-star/code/lib/kremlin -I /mnt/e/everest/verify/kremlin/kremlib/compat -I /mnt/e/everest/verify/hacl-star/specs -I /mnt/e/everest/verify/hacl-star/specs/old -I . -ccopt -march=native -verbose -ldopt -flto -tmpdir x25519-c -I ../bignum -bundle Hacl.Curve25519=* -minimal -add-include "kremlib.h" -skip-compilation x25519-c/out.krml -o x25519-c/Hacl_Curve25519.c
|
|
||||||
* F* version: 059db0c8
|
|
||||||
* KreMLin version: 916c37ac
|
|
||||||
*/
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#ifndef __Hacl_Curve25519_H
|
|
||||||
#define __Hacl_Curve25519_H
|
|
||||||
|
|
||||||
|
|
||||||
#include "kremlib.h"
|
|
||||||
|
|
||||||
void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);
|
|
||||||
|
|
||||||
#define __Hacl_Curve25519_H_DEFINED
|
|
||||||
#endif
|
|
@ -1,234 +0,0 @@
|
|||||||
/*
|
|
||||||
* Interface to code from Project Everest
|
|
||||||
*
|
|
||||||
* Copyright 2016-2018 INRIA and Microsoft Corporation
|
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*
|
|
||||||
* This file is part of Mbed TLS (https://tls.mbed.org).
|
|
||||||
*/
|
|
||||||
|
|
||||||
#ifndef MBEDTLS_EVEREST_H
|
|
||||||
#define MBEDTLS_EVEREST_H
|
|
||||||
|
|
||||||
#include "everest/x25519.h"
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
extern "C" {
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Defines the source of the imported EC key.
|
|
||||||
*/
|
|
||||||
typedef enum
|
|
||||||
{
|
|
||||||
MBEDTLS_EVEREST_ECDH_OURS, /**< Our key. */
|
|
||||||
MBEDTLS_EVEREST_ECDH_THEIRS, /**< The key of the peer. */
|
|
||||||
} mbedtls_everest_ecdh_side;
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
mbedtls_x25519_context ctx;
|
|
||||||
} mbedtls_ecdh_context_everest;
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
|
||||||
* \brief This function sets up the ECDH context with the information
|
|
||||||
* given.
|
|
||||||
*
|
|
||||||
* This function should be called after mbedtls_ecdh_init() but
|
|
||||||
* before mbedtls_ecdh_make_params(). There is no need to call
|
|
||||||
* this function before mbedtls_ecdh_read_params().
|
|
||||||
*
|
|
||||||
* This is the first function used by a TLS server for ECDHE
|
|
||||||
* ciphersuites.
|
|
||||||
*
|
|
||||||
* \param ctx The ECDH context to set up.
|
|
||||||
* \param grp_id The group id of the group to set up the context for.
|
|
||||||
*
|
|
||||||
* \return \c 0 on success.
|
|
||||||
*/
|
|
||||||
int mbedtls_everest_setup( mbedtls_ecdh_context_everest *ctx, int grp_id );
|
|
||||||
|
|
||||||
/**
|
|
||||||
* \brief This function frees a context.
|
|
||||||
*
|
|
||||||
* \param ctx The context to free.
|
|
||||||
*/
|
|
||||||
void mbedtls_everest_free( mbedtls_ecdh_context_everest *ctx );
|
|
||||||
|
|
||||||
/**
|
|
||||||
* \brief This function generates a public key and a TLS
|
|
||||||
* ServerKeyExchange payload.
|
|
||||||
*
|
|
||||||
* This is the second function used by a TLS server for ECDHE
|
|
||||||
* ciphersuites. (It is called after mbedtls_ecdh_setup().)
|
|
||||||
*
|
|
||||||
* \note This function assumes that the ECP group (grp) of the
|
|
||||||
* \p ctx context has already been properly set,
|
|
||||||
* for example, using mbedtls_ecp_group_load().
|
|
||||||
*
|
|
||||||
* \see ecp.h
|
|
||||||
*
|
|
||||||
* \param ctx The ECDH context.
|
|
||||||
* \param olen The number of characters written.
|
|
||||||
* \param buf The destination buffer.
|
|
||||||
* \param blen The length of the destination buffer.
|
|
||||||
* \param f_rng The RNG function.
|
|
||||||
* \param p_rng The RNG context.
|
|
||||||
*
|
|
||||||
* \return \c 0 on success.
|
|
||||||
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
||||||
*/
|
|
||||||
int mbedtls_everest_make_params( mbedtls_ecdh_context_everest *ctx, size_t *olen,
|
|
||||||
unsigned char *buf, size_t blen,
|
|
||||||
int( *f_rng )( void *, unsigned char *, size_t ),
|
|
||||||
void *p_rng );
|
|
||||||
|
|
||||||
/**
|
|
||||||
* \brief This function parses and processes a TLS ServerKeyExchange
|
|
||||||
* payload.
|
|
||||||
*
|
|
||||||
* This is the first function used by a TLS client for ECDHE
|
|
||||||
* ciphersuites.
|
|
||||||
*
|
|
||||||
* \see ecp.h
|
|
||||||
*
|
|
||||||
* \param ctx The ECDH context.
|
|
||||||
* \param buf The pointer to the start of the input buffer.
|
|
||||||
* \param end The address for one Byte past the end of the buffer.
|
|
||||||
*
|
|
||||||
* \return \c 0 on success.
|
|
||||||
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
int mbedtls_everest_read_params( mbedtls_ecdh_context_everest *ctx,
|
|
||||||
const unsigned char **buf, const unsigned char *end );
|
|
||||||
|
|
||||||
/**
|
|
||||||
* \brief This function parses and processes a TLS ServerKeyExchange
|
|
||||||
* payload.
|
|
||||||
*
|
|
||||||
* This is the first function used by a TLS client for ECDHE
|
|
||||||
* ciphersuites.
|
|
||||||
*
|
|
||||||
* \see ecp.h
|
|
||||||
*
|
|
||||||
* \param ctx The ECDH context.
|
|
||||||
* \param buf The pointer to the start of the input buffer.
|
|
||||||
* \param end The address for one Byte past the end of the buffer.
|
|
||||||
*
|
|
||||||
* \return \c 0 on success.
|
|
||||||
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
int mbedtls_everest_read_params( mbedtls_ecdh_context_everest *ctx,
|
|
||||||
const unsigned char **buf, const unsigned char *end );
|
|
||||||
|
|
||||||
/**
|
|
||||||
* \brief This function sets up an ECDH context from an EC key.
|
|
||||||
*
|
|
||||||
* It is used by clients and servers in place of the
|
|
||||||
* ServerKeyEchange for static ECDH, and imports ECDH
|
|
||||||
* parameters from the EC key information of a certificate.
|
|
||||||
*
|
|
||||||
* \see ecp.h
|
|
||||||
*
|
|
||||||
* \param ctx The ECDH context to set up.
|
|
||||||
* \param key The EC key to use.
|
|
||||||
* \param side Defines the source of the key: 1: Our key, or
|
|
||||||
* 0: The key of the peer.
|
|
||||||
*
|
|
||||||
* \return \c 0 on success.
|
|
||||||
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
int mbedtls_everest_get_params( mbedtls_ecdh_context_everest *ctx, const mbedtls_ecp_keypair *key,
|
|
||||||
mbedtls_everest_ecdh_side side );
|
|
||||||
|
|
||||||
/**
|
|
||||||
* \brief This function generates a public key and a TLS
|
|
||||||
* ClientKeyExchange payload.
|
|
||||||
*
|
|
||||||
* This is the second function used by a TLS client for ECDH(E)
|
|
||||||
* ciphersuites.
|
|
||||||
*
|
|
||||||
* \see ecp.h
|
|
||||||
*
|
|
||||||
* \param ctx The ECDH context.
|
|
||||||
* \param olen The number of Bytes written.
|
|
||||||
* \param buf The destination buffer.
|
|
||||||
* \param blen The size of the destination buffer.
|
|
||||||
* \param f_rng The RNG function.
|
|
||||||
* \param p_rng The RNG context.
|
|
||||||
*
|
|
||||||
* \return \c 0 on success.
|
|
||||||
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
||||||
*/
|
|
||||||
int mbedtls_everest_make_public( mbedtls_ecdh_context_everest *ctx, size_t *olen,
|
|
||||||
unsigned char *buf, size_t blen,
|
|
||||||
int( *f_rng )( void *, unsigned char *, size_t ),
|
|
||||||
void *p_rng );
|
|
||||||
|
|
||||||
/**
|
|
||||||
* \brief This function parses and processes a TLS ClientKeyExchange
|
|
||||||
* payload.
|
|
||||||
*
|
|
||||||
* This is the third function used by a TLS server for ECDH(E)
|
|
||||||
* ciphersuites. (It is called after mbedtls_ecdh_setup() and
|
|
||||||
* mbedtls_ecdh_make_params().)
|
|
||||||
*
|
|
||||||
* \see ecp.h
|
|
||||||
*
|
|
||||||
* \param ctx The ECDH context.
|
|
||||||
* \param buf The start of the input buffer.
|
|
||||||
* \param blen The length of the input buffer.
|
|
||||||
*
|
|
||||||
* \return \c 0 on success.
|
|
||||||
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
||||||
*/
|
|
||||||
int mbedtls_everest_read_public( mbedtls_ecdh_context_everest *ctx,
|
|
||||||
const unsigned char *buf, size_t blen );
|
|
||||||
|
|
||||||
/**
|
|
||||||
* \brief This function derives and exports the shared secret.
|
|
||||||
*
|
|
||||||
* This is the last function used by both TLS client
|
|
||||||
* and servers.
|
|
||||||
*
|
|
||||||
* \note If \p f_rng is not NULL, it is used to implement
|
|
||||||
* countermeasures against side-channel attacks.
|
|
||||||
* For more information, see mbedtls_ecp_mul().
|
|
||||||
*
|
|
||||||
* \see ecp.h
|
|
||||||
*
|
|
||||||
* \param ctx The ECDH context.
|
|
||||||
* \param olen The number of Bytes written.
|
|
||||||
* \param buf The destination buffer.
|
|
||||||
* \param blen The length of the destination buffer.
|
|
||||||
* \param f_rng The RNG function.
|
|
||||||
* \param p_rng The RNG context.
|
|
||||||
*
|
|
||||||
* \return \c 0 on success.
|
|
||||||
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
|
|
||||||
*/
|
|
||||||
int mbedtls_everest_calc_secret( mbedtls_ecdh_context_everest *ctx, size_t *olen,
|
|
||||||
unsigned char *buf, size_t blen,
|
|
||||||
int( *f_rng )( void *, unsigned char *, size_t ),
|
|
||||||
void *p_rng );
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#endif /* MBEDTLS_EVEREST_H */
|
|
@ -1,29 +0,0 @@
|
|||||||
/*
|
|
||||||
* Copyright 2016-2018 INRIA and Microsoft Corporation
|
|
||||||
*
|
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*
|
|
||||||
* This file is part of Mbed TLS (https://tls.mbed.org) and
|
|
||||||
* originated from Project Everest (https://project-everest.github.io/)
|
|
||||||
*/
|
|
||||||
|
|
||||||
#ifndef __KREMLIB_H
|
|
||||||
#define __KREMLIB_H
|
|
||||||
|
|
||||||
#include "kremlin/internal/target.h"
|
|
||||||
#include "kremlin/internal/types.h"
|
|
||||||
#include "kremlin/c_endianness.h"
|
|
||||||
|
|
||||||
#endif /* __KREMLIB_H */
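Review bot: Removing this umbrella header only leaves the tree consistent if the three headers it pulls in (kremlin/internal/target.h, kremlin/internal/types.h and kremlin/c_endianness.h) and every remaining `#include "kremlib.h"` go in the same commit; please grep the surviving sources for `kremlib.h` and for the `kremlin/` include directory before merging, because a stale include will only surface at compile time in an Everest-enabled configuration and will be blamed on the downgrade rather than on this deletion.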
|
|
@ -1,124 +0,0 @@
|
|||||||
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
|
|
||||||
Licensed under the Apache 2.0 License. */
|
|
||||||
|
|
||||||
/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
|
|
||||||
* KreMLin invocation: ../krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrB9w -minimal -fparentheses -fcurly-braces -fno-shadow -header copyright-header.txt -minimal -tmpdir dist/uint128 -skip-compilation -extract-uints -add-include <inttypes.h> -add-include <stdbool.h> -add-include "kremlin/internal/types.h" -bundle FStar.UInt128=* extracted/prims.krml extracted/FStar_Pervasives_Native.krml extracted/FStar_Pervasives.krml extracted/FStar_Mul.krml extracted/FStar_Squash.krml extracted/FStar_Classical.krml extracted/FStar_StrongExcludedMiddle.krml extracted/FStar_FunctionalExtensionality.krml extracted/FStar_List_Tot_Base.krml extracted/FStar_List_Tot_Properties.krml extracted/FStar_List_Tot.krml extracted/FStar_Seq_Base.krml extracted/FStar_Seq_Properties.krml extracted/FStar_Seq.krml extracted/FStar_Math_Lib.krml extracted/FStar_Math_Lemmas.krml extracted/FStar_BitVector.krml extracted/FStar_UInt.krml extracted/FStar_UInt32.krml extracted/FStar_Int.krml extracted/FStar_Int16.krml extracted/FStar_Preorder.krml extracted/FStar_Ghost.krml extracted/FStar_ErasedLogic.krml extracted/FStar_UInt64.krml extracted/FStar_Set.krml extracted/FStar_PropositionalExtensionality.krml extracted/FStar_PredicateExtensionality.krml extracted/FStar_TSet.krml extracted/FStar_Monotonic_Heap.krml extracted/FStar_Heap.krml extracted/FStar_Map.krml extracted/FStar_Monotonic_HyperHeap.krml extracted/FStar_Monotonic_HyperStack.krml extracted/FStar_HyperStack.krml extracted/FStar_Monotonic_Witnessed.krml extracted/FStar_HyperStack_ST.krml extracted/FStar_HyperStack_All.krml extracted/FStar_Date.krml extracted/FStar_Universe.krml extracted/FStar_GSet.krml extracted/FStar_ModifiesGen.krml extracted/LowStar_Monotonic_Buffer.krml extracted/LowStar_Buffer.krml extracted/Spec_Loops.krml extracted/LowStar_BufferOps.krml extracted/C_Loops.krml extracted/FStar_UInt8.krml extracted/FStar_Kremlin_Endianness.krml extracted/FStar_UInt63.krml extracted/FStar_Exn.krml 
extracted/FStar_ST.krml extracted/FStar_All.krml extracted/FStar_Dyn.krml extracted/FStar_Int63.krml extracted/FStar_Int64.krml extracted/FStar_Int32.krml extracted/FStar_Int8.krml extracted/FStar_UInt16.krml extracted/FStar_Int_Cast.krml extracted/FStar_UInt128.krml extracted/C_Endianness.krml extracted/FStar_List.krml extracted/FStar_Float.krml extracted/FStar_IO.krml extracted/C.krml extracted/FStar_Char.krml extracted/FStar_String.krml extracted/LowStar_Modifies.krml extracted/C_String.krml extracted/FStar_Bytes.krml extracted/FStar_HyperStack_IO.krml extracted/C_Failure.krml extracted/TestLib.krml extracted/FStar_Int_Cast_Full.krml
|
|
||||||
* F* version: 059db0c8
|
|
||||||
* KreMLin version: 916c37ac
|
|
||||||
*/
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#ifndef __FStar_UInt128_H
|
|
||||||
#define __FStar_UInt128_H
|
|
||||||
|
|
||||||
|
|
||||||
#include <inttypes.h>
|
|
||||||
#include <stdbool.h>
|
|
||||||
#include "kremlin/internal/types.h"
|
|
||||||
|
|
||||||
uint64_t FStar_UInt128___proj__Mkuint128__item__low(FStar_UInt128_uint128 projectee);
|
|
||||||
|
|
||||||
uint64_t FStar_UInt128___proj__Mkuint128__item__high(FStar_UInt128_uint128 projectee);
|
|
||||||
|
|
||||||
typedef FStar_UInt128_uint128 FStar_UInt128_t;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);
|
|
||||||
|
|
||||||
bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
|
|
||||||
|
|
||||||
uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Plus_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Plus_Question_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Plus_Percent_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Subtraction_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Subtraction_Question_Hat)(
|
|
||||||
FStar_UInt128_uint128 x0,
|
|
||||||
FStar_UInt128_uint128 x1
|
|
||||||
);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Subtraction_Percent_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Amp_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Hat_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Bar_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Less_Less_Hat)(FStar_UInt128_uint128 x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Greater_Greater_Hat)(FStar_UInt128_uint128 x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern bool (*FStar_UInt128_op_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern bool
|
|
||||||
(*FStar_UInt128_op_Greater_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern bool (*FStar_UInt128_op_Less_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern bool
|
|
||||||
(*FStar_UInt128_op_Greater_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern bool
|
|
||||||
(*FStar_UInt128_op_Less_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y);
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
|
|
||||||
|
|
||||||
#define __FStar_UInt128_H_DEFINED
|
|
||||||
#endif
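Review bot: This generated header declares its prototypes against the type `FStar_UInt128_uint128`, which comes only from "kremlin/internal/types.h" (included at the top of the file), and the non-`extern` prototypes such as `FStar_UInt128_add`, `FStar_UInt128_mul_wide` and the constant-time `FStar_UInt128_eq_mask` / `FStar_UInt128_gte_mask` are defined out-of-line in the Everest kremlib translation units; deleting the header while either the types header or those .c files survive leaves a half-removed dependency chain. Please confirm both sides are dropped together, or that the downgraded mbedtls ships its own regenerated copy. Note also the embedded generator stamps (`F* version: 059db0c8`, `KreMLin version: 916c37ac`) and the author-local path in the KreMLin invocation line: this file must never be hand-edited, so any future re-introduction should come from a single regeneration rather than a partial copy.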
|
|
@ -1,280 +0,0 @@
|
|||||||
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
|
|
||||||
Licensed under the Apache 2.0 License. */
|
|
||||||
|
|
||||||
/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
|
|
||||||
* KreMLin invocation: ../krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrB9w -minimal -fparentheses -fcurly-braces -fno-shadow -header copyright-header.txt -minimal -tmpdir dist/minimal -skip-compilation -extract-uints -add-include <inttypes.h> -add-include <stdbool.h> -add-include "kremlin/internal/compat.h" -add-include "kremlin/internal/types.h" -bundle FStar.UInt64+FStar.UInt32+FStar.UInt16+FStar.UInt8=* extracted/prims.krml extracted/FStar_Pervasives_Native.krml extracted/FStar_Pervasives.krml extracted/FStar_Mul.krml extracted/FStar_Squash.krml extracted/FStar_Classical.krml extracted/FStar_StrongExcludedMiddle.krml extracted/FStar_FunctionalExtensionality.krml extracted/FStar_List_Tot_Base.krml extracted/FStar_List_Tot_Properties.krml extracted/FStar_List_Tot.krml extracted/FStar_Seq_Base.krml extracted/FStar_Seq_Properties.krml extracted/FStar_Seq.krml extracted/FStar_Math_Lib.krml extracted/FStar_Math_Lemmas.krml extracted/FStar_BitVector.krml extracted/FStar_UInt.krml extracted/FStar_UInt32.krml extracted/FStar_Int.krml extracted/FStar_Int16.krml extracted/FStar_Preorder.krml extracted/FStar_Ghost.krml extracted/FStar_ErasedLogic.krml extracted/FStar_UInt64.krml extracted/FStar_Set.krml extracted/FStar_PropositionalExtensionality.krml extracted/FStar_PredicateExtensionality.krml extracted/FStar_TSet.krml extracted/FStar_Monotonic_Heap.krml extracted/FStar_Heap.krml extracted/FStar_Map.krml extracted/FStar_Monotonic_HyperHeap.krml extracted/FStar_Monotonic_HyperStack.krml extracted/FStar_HyperStack.krml extracted/FStar_Monotonic_Witnessed.krml extracted/FStar_HyperStack_ST.krml extracted/FStar_HyperStack_All.krml extracted/FStar_Date.krml extracted/FStar_Universe.krml extracted/FStar_GSet.krml extracted/FStar_ModifiesGen.krml extracted/LowStar_Monotonic_Buffer.krml extracted/LowStar_Buffer.krml extracted/Spec_Loops.krml extracted/LowStar_BufferOps.krml extracted/C_Loops.krml extracted/FStar_UInt8.krml 
extracted/FStar_Kremlin_Endianness.krml extracted/FStar_UInt63.krml extracted/FStar_Exn.krml extracted/FStar_ST.krml extracted/FStar_All.krml extracted/FStar_Dyn.krml extracted/FStar_Int63.krml extracted/FStar_Int64.krml extracted/FStar_Int32.krml extracted/FStar_Int8.krml extracted/FStar_UInt16.krml extracted/FStar_Int_Cast.krml extracted/FStar_UInt128.krml extracted/C_Endianness.krml extracted/FStar_List.krml extracted/FStar_Float.krml extracted/FStar_IO.krml extracted/C.krml extracted/FStar_Char.krml extracted/FStar_String.krml extracted/LowStar_Modifies.krml extracted/C_String.krml extracted/FStar_Bytes.krml extracted/FStar_HyperStack_IO.krml extracted/C_Failure.krml extracted/TestLib.krml extracted/FStar_Int_Cast_Full.krml
|
|
||||||
* F* version: 059db0c8
|
|
||||||
* KreMLin version: 916c37ac
|
|
||||||
*/
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#ifndef __FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8_H
|
|
||||||
#define __FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8_H
|
|
||||||
|
|
||||||
|
|
||||||
#include <inttypes.h>
|
|
||||||
#include <stdbool.h>
|
|
||||||
#include "kremlin/internal/compat.h"
|
|
||||||
#include "kremlin/internal/types.h"
|
|
||||||
|
|
||||||
extern Prims_int FStar_UInt64_n;
|
|
||||||
|
|
||||||
extern Prims_int FStar_UInt64_v(uint64_t x0);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_uint_to_t(Prims_int x0);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_add(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_add_underspec(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_add_mod(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_sub(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_sub_underspec(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_sub_mod(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_mul(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_mul_underspec(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_mul_mod(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_mul_div(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_div(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_rem(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_logand(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_logxor(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_logor(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_lognot(uint64_t x0);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_shift_right(uint64_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_shift_left(uint64_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt64_eq(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt64_gt(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt64_gte(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt64_lt(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt64_lte(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_minus(uint64_t x0);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt64_n_minus_one;
|
|
||||||
|
|
||||||
uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b);
|
|
||||||
|
|
||||||
uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b);
|
|
||||||
|
|
||||||
extern Prims_string FStar_UInt64_to_string(uint64_t x0);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_of_string(Prims_string x0);
|
|
||||||
|
|
||||||
extern Prims_int FStar_UInt32_n;
|
|
||||||
|
|
||||||
extern Prims_int FStar_UInt32_v(uint32_t x0);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_uint_to_t(Prims_int x0);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_add(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_add_underspec(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_add_mod(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_sub(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_sub_underspec(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_sub_mod(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_mul(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_mul_underspec(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_mul_mod(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_mul_div(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_div(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_rem(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_logand(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_logxor(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_logor(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_lognot(uint32_t x0);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_shift_right(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_shift_left(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt32_eq(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt32_gt(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt32_gte(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt32_lt(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt32_lte(uint32_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_minus(uint32_t x0);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_n_minus_one;
|
|
||||||
|
|
||||||
uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b);
|
|
||||||
|
|
||||||
uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b);
|
|
||||||
|
|
||||||
extern Prims_string FStar_UInt32_to_string(uint32_t x0);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt32_of_string(Prims_string x0);
|
|
||||||
|
|
||||||
extern Prims_int FStar_UInt16_n;
|
|
||||||
|
|
||||||
extern Prims_int FStar_UInt16_v(uint16_t x0);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_uint_to_t(Prims_int x0);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_add(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_add_underspec(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_add_mod(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_sub(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_sub_underspec(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_sub_mod(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_mul(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_mul_underspec(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_mul_mod(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_mul_div(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_div(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_rem(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_logand(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_logxor(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_logor(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_lognot(uint16_t x0);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_shift_right(uint16_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_shift_left(uint16_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt16_eq(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt16_gt(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt16_gte(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt16_lt(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt16_lte(uint16_t x0, uint16_t x1);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_minus(uint16_t x0);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt16_n_minus_one;
|
|
||||||
|
|
||||||
uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b);
|
|
||||||
|
|
||||||
uint16_t FStar_UInt16_gte_mask(uint16_t a, uint16_t b);
|
|
||||||
|
|
||||||
extern Prims_string FStar_UInt16_to_string(uint16_t x0);
|
|
||||||
|
|
||||||
extern uint16_t FStar_UInt16_of_string(Prims_string x0);
|
|
||||||
|
|
||||||
extern Prims_int FStar_UInt8_n;
|
|
||||||
|
|
||||||
extern Prims_int FStar_UInt8_v(uint8_t x0);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_uint_to_t(Prims_int x0);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_add(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_add_underspec(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_add_mod(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_sub(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_sub_underspec(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_sub_mod(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_mul(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_mul_underspec(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_mul_mod(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_mul_div(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_div(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_rem(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_logand(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_logxor(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_logor(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_lognot(uint8_t x0);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_shift_right(uint8_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_shift_left(uint8_t x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt8_eq(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt8_gt(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt8_gte(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt8_lt(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern bool FStar_UInt8_lte(uint8_t x0, uint8_t x1);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_minus(uint8_t x0);
|
|
||||||
|
|
||||||
extern uint32_t FStar_UInt8_n_minus_one;
|
|
||||||
|
|
||||||
uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b);
|
|
||||||
|
|
||||||
uint8_t FStar_UInt8_gte_mask(uint8_t a, uint8_t b);
|
|
||||||
|
|
||||||
extern Prims_string FStar_UInt8_to_string(uint8_t x0);
|
|
||||||
|
|
||||||
extern uint8_t FStar_UInt8_of_string(Prims_string x0);
|
|
||||||
|
|
||||||
typedef uint8_t FStar_UInt8_byte;
|
|
||||||
|
|
||||||
#define __FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8_H_DEFINED
|
|
||||||
#endif
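Review bot: Same dependency caveat as for FStar_UInt128.h applies to this bundle: everything marked `extern` here (the `Prims_int` / `Prims_string` conversions from "kremlin/internal/compat.h") is only a declaration, but `FStar_UInt64_eq_mask`, `FStar_UInt64_gte_mask` and their 32/16/8-bit counterparts are not `extern` and are defined in a companion .c file, so that file has to leave with this header. Since both generated bundles carry the same `F* version: 059db0c8` / `KreMLin version: 916c37ac` stamps, a later re-vendoring of the Everest backend should take the UInt128 and UInt64/32/16/8 headers from one regeneration run, because the 128-bit `eq_mask` / `gte_mask` helpers are built on the 64-bit ones declared here and mixing generations can silently change their constant-time guarantees.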
|
|
@ -1,204 +0,0 @@
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
Licensed under the Apache 2.0 License. */

#ifndef __KREMLIN_ENDIAN_H
#define __KREMLIN_ENDIAN_H

#include <string.h>
#include <inttypes.h>

/******************************************************************************/
/* Implementing C.fst (part 2: endian-ness macros) */
/******************************************************************************/

/* ... for Linux */
#if defined(__linux__) || defined(__CYGWIN__)
# include <endian.h>

/* ... for OSX */
#elif defined(__APPLE__)
# include <libkern/OSByteOrder.h>
# define htole64(x) OSSwapHostToLittleInt64(x)
# define le64toh(x) OSSwapLittleToHostInt64(x)
# define htobe64(x) OSSwapHostToBigInt64(x)
# define be64toh(x) OSSwapBigToHostInt64(x)

# define htole16(x) OSSwapHostToLittleInt16(x)
# define le16toh(x) OSSwapLittleToHostInt16(x)
# define htobe16(x) OSSwapHostToBigInt16(x)
# define be16toh(x) OSSwapBigToHostInt16(x)

# define htole32(x) OSSwapHostToLittleInt32(x)
# define le32toh(x) OSSwapLittleToHostInt32(x)
# define htobe32(x) OSSwapHostToBigInt32(x)
# define be32toh(x) OSSwapBigToHostInt32(x)

/* ... for Solaris */
#elif defined(__sun__)
# include <sys/byteorder.h>
# define htole64(x) LE_64(x)
# define le64toh(x) LE_64(x)
# define htobe64(x) BE_64(x)
# define be64toh(x) BE_64(x)

# define htole16(x) LE_16(x)
# define le16toh(x) LE_16(x)
# define htobe16(x) BE_16(x)
# define be16toh(x) BE_16(x)

# define htole32(x) LE_32(x)
# define le32toh(x) LE_32(x)
# define htobe32(x) BE_32(x)
# define be32toh(x) BE_32(x)

/* ... for the BSDs */
#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
# include <sys/endian.h>
#elif defined(__OpenBSD__)
# include <endian.h>

/* ... for Windows (MSVC)... not targeting XBOX 360! */
#elif defined(_MSC_VER)

# include <stdlib.h>
# define htobe16(x) _byteswap_ushort(x)
# define htole16(x) (x)
# define be16toh(x) _byteswap_ushort(x)
# define le16toh(x) (x)

# define htobe32(x) _byteswap_ulong(x)
# define htole32(x) (x)
# define be32toh(x) _byteswap_ulong(x)
# define le32toh(x) (x)

# define htobe64(x) _byteswap_uint64(x)
# define htole64(x) (x)
# define be64toh(x) _byteswap_uint64(x)
# define le64toh(x) (x)

/* ... for Windows (GCC-like, e.g. mingw or clang) */
#elif (defined(_WIN32) || defined(_WIN64)) && \
(defined(__GNUC__) || defined(__clang__))

# define htobe16(x) __builtin_bswap16(x)
# define htole16(x) (x)
# define be16toh(x) __builtin_bswap16(x)
# define le16toh(x) (x)

# define htobe32(x) __builtin_bswap32(x)
# define htole32(x) (x)
# define be32toh(x) __builtin_bswap32(x)
# define le32toh(x) (x)

# define htobe64(x) __builtin_bswap64(x)
# define htole64(x) (x)
# define be64toh(x) __builtin_bswap64(x)
# define le64toh(x) (x)

/* ... generic big-endian fallback code */
#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__

/* byte swapping code inspired by:
* https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h
* */

# define htobe32(x) (x)
# define be32toh(x) (x)
# define htole32(x) \
(__extension__({ \
uint32_t _temp = (x); \
((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \
((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \
}))
# define le32toh(x) (htole32((x)))

# define htobe64(x) (x)
# define be64toh(x) (x)
# define htole64(x) \
(__extension__({ \
uint64_t __temp = (x); \
uint32_t __low = htobe32((uint32_t)__temp); \
uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \
(((uint64_t)__low) << 32) | __high; \
}))
# define le64toh(x) (htole64((x)))

/* ... generic little-endian fallback code */
#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__

# define htole32(x) (x)
# define le32toh(x) (x)
# define htobe32(x) \
(__extension__({ \
uint32_t _temp = (x); \
((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \
((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \
}))
# define be32toh(x) (htobe32((x)))

# define htole64(x) (x)
# define le64toh(x) (x)
# define htobe64(x) \
(__extension__({ \
uint64_t __temp = (x); \
uint32_t __low = htobe32((uint32_t)__temp); \
uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \
(((uint64_t)__low) << 32) | __high; \
}))
# define be64toh(x) (htobe64((x)))

/* ... couldn't determine endian-ness of the target platform */
#else
# error "Please define __BYTE_ORDER__!"

#endif /* defined(__linux__) || ... */

/* Loads and stores. These avoid undefined behavior due to unaligned memory
* accesses, via memcpy. */

inline static uint16_t load16(uint8_t *b) {
uint16_t x;
memcpy(&x, b, 2);
return x;
}

inline static uint32_t load32(uint8_t *b) {
uint32_t x;
memcpy(&x, b, 4);
return x;
}

inline static uint64_t load64(uint8_t *b) {
uint64_t x;
memcpy(&x, b, 8);
return x;
}

inline static void store16(uint8_t *b, uint16_t i) {
memcpy(b, &i, 2);
}

inline static void store32(uint8_t *b, uint32_t i) {
memcpy(b, &i, 4);
}

inline static void store64(uint8_t *b, uint64_t i) {
memcpy(b, &i, 8);
}

#define load16_le(b) (le16toh(load16(b)))
#define store16_le(b, i) (store16(b, htole16(i)))
#define load16_be(b) (be16toh(load16(b)))
#define store16_be(b, i) (store16(b, htobe16(i)))

#define load32_le(b) (le32toh(load32(b)))
#define store32_le(b, i) (store32(b, htole32(i)))
#define load32_be(b) (be32toh(load32(b)))
#define store32_be(b, i) (store32(b, htobe32(i)))

#define load64_le(b) (le64toh(load64(b)))
#define store64_le(b, i) (store64(b, htole64(i)))
#define load64_be(b) (be64toh(load64(b)))
#define store64_be(b, i) (store64(b, htobe64(i)))

#endif
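Review bot: the generic big-endian fallback that this hunk removes (the `__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__` branch) carried a latent bug worth recording in case the header is ever restored from this copy: `htole64` builds its result from `htobe32((uint32_t)__temp)` and `htobe32((uint32_t)(__temp >> 32))`, but in that same branch `htobe32(x)` is defined as `(x)`, so the 64-bit conversion swaps the two 32-bit halves without swapping their bytes. The mirror-image little-endian branch is correct because its `htobe32` does byte-swap. Nothing in the removal itself needs changing; the point only matters if the everest backend is reinstated.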
@ -1,16 +0,0 @@
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
Licensed under the Apache 2.0 License. */

#ifndef __KREMLIN_BUILTIN_H
#define __KREMLIN_BUILTIN_H

/* For alloca, when using KreMLin's -falloca */
#if (defined(_WIN32) || defined(_WIN64))
# include <malloc.h>
#endif

/* If some globals need to be initialized before the main, then kremlin will
* generate and try to link last a function with this type: */
void kremlinit_globals(void);

#endif
@ -1,46 +0,0 @@
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
Licensed under the Apache 2.0 License. */

#ifndef __KREMLIN_CALLCONV_H
#define __KREMLIN_CALLCONV_H

/******************************************************************************/
/* Some macros to ease compatibility */
/******************************************************************************/

/* We want to generate __cdecl safely without worrying about it being undefined.
* When using MSVC, these are always defined. When using MinGW, these are
* defined too. They have no meaning for other platforms, so we define them to
* be empty macros in other situations. */
#ifndef _MSC_VER
#ifndef __cdecl
#define __cdecl
#endif
#ifndef __stdcall
#define __stdcall
#endif
#ifndef __fastcall
#define __fastcall
#endif
#endif

/* Since KreMLin emits the inline keyword unconditionally, we follow the
* guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this
* __inline__ to ensure the code compiles with -std=c90 and earlier. */
#ifdef __GNUC__
# define inline __inline__
#endif

/* GCC-specific attribute syntax; everyone else gets the standard C inline
* attribute. */
#ifdef __GNU_C__
# ifndef __clang__
# define force_inline inline __attribute__((always_inline))
# else
# define force_inline inline
# endif
#else
# define force_inline inline
#endif

#endif
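Review bot: for the record on the removed callconv header, the `force_inline` block tests `#ifdef __GNU_C__` while the `inline` redefinition a few lines above it correctly tests `#ifdef __GNUC__`; GCC does not define `__GNU_C__`, so `force_inline` silently never received `__attribute__((always_inline))` on GCC and always fell through to plain `inline`. If this shim is ever brought back, the spelling should be corrected in the same change rather than reverting this hunk verbatim.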
@ -1,34 +0,0 @@
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
Licensed under the Apache 2.0 License. */

#ifndef KRML_COMPAT_H
#define KRML_COMPAT_H

#include <inttypes.h>

/* A series of macros that define C implementations of types that are not Low*,
* to facilitate porting programs to Low*. */

typedef const char *Prims_string;

typedef struct {
uint32_t length;
const char *data;
} FStar_Bytes_bytes;

typedef int32_t Prims_pos, Prims_nat, Prims_nonzero, Prims_int,
krml_checked_int_t;

#define RETURN_OR(x) \
do { \
int64_t __ret = x; \
if (__ret < INT32_MIN || INT32_MAX < __ret) { \
KRML_HOST_PRINTF( \
"Prims.{int,nat,pos} integer overflow at %s:%d\n", __FILE__, \
__LINE__); \
KRML_HOST_EXIT(252); \
} \
return (int32_t)__ret; \
} while (0)

#endif
@ -1,57 +0,0 @@
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
Licensed under the Apache 2.0 License. */

#ifndef __KREMLIN_DEBUG_H
#define __KREMLIN_DEBUG_H

#include <inttypes.h>

#include "kremlin/internal/target.h"

/******************************************************************************/
/* Debugging helpers - intended only for KreMLin developers */
/******************************************************************************/

/* In support of "-wasm -d force-c": we might need this function to be
* forward-declared, because the dependency on WasmSupport appears very late,
* after SimplifyWasm, and sadly, after the topological order has been done. */
void WasmSupport_check_buffer_size(uint32_t s);

/* A series of GCC atrocities to trace function calls (kremlin's [-d c-calls]
* option). Useful when trying to debug, say, Wasm, to compare traces. */
/* clang-format off */
#ifdef __GNUC__
#define KRML_FORMAT(X) _Generic((X), \
uint8_t : "0x%08" PRIx8, \
uint16_t: "0x%08" PRIx16, \
uint32_t: "0x%08" PRIx32, \
uint64_t: "0x%08" PRIx64, \
int8_t : "0x%08" PRIx8, \
int16_t : "0x%08" PRIx16, \
int32_t : "0x%08" PRIx32, \
int64_t : "0x%08" PRIx64, \
default : "%s")

#define KRML_FORMAT_ARG(X) _Generic((X), \
uint8_t : X, \
uint16_t: X, \
uint32_t: X, \
uint64_t: X, \
int8_t : X, \
int16_t : X, \
int32_t : X, \
int64_t : X, \
default : "unknown")
/* clang-format on */

# define KRML_DEBUG_RETURN(X) \
({ \
__auto_type _ret = (X); \
KRML_HOST_PRINTF("returning: "); \
KRML_HOST_PRINTF(KRML_FORMAT(_ret), KRML_FORMAT_ARG(_ret)); \
KRML_HOST_PRINTF(" \n"); \
_ret; \
})
#endif

#endif
@ -1,102 +0,0 @@
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
Licensed under the Apache 2.0 License. */

#ifndef __KREMLIN_TARGET_H
#define __KREMLIN_TARGET_H

#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>
#include <inttypes.h>
#include <limits.h>

#include "kremlin/internal/callconv.h"

/******************************************************************************/
/* Macros that KreMLin will generate. */
/******************************************************************************/

/* For "bare" targets that do not have a C stdlib, the user might want to use
* [-add-early-include '"mydefinitions.h"'] and override these. */
#ifndef KRML_HOST_PRINTF
# define KRML_HOST_PRINTF printf
#endif

#if ( \
(defined __STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) && \
(!(defined KRML_HOST_EPRINTF)))
# define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__)
#endif

#ifndef KRML_HOST_EXIT
# define KRML_HOST_EXIT exit
#endif

#ifndef KRML_HOST_MALLOC
# define KRML_HOST_MALLOC malloc
#endif

#ifndef KRML_HOST_CALLOC
# define KRML_HOST_CALLOC calloc
#endif

#ifndef KRML_HOST_FREE
# define KRML_HOST_FREE free
#endif

#ifndef KRML_HOST_TIME

# include <time.h>

/* Prims_nat not yet in scope */
inline static int32_t krml_time() {
return (int32_t)time(NULL);
}

# define KRML_HOST_TIME krml_time
#endif

/* In statement position, exiting is easy. */
#define KRML_EXIT \
do { \
KRML_HOST_PRINTF("Unimplemented function at %s:%d\n", __FILE__, __LINE__); \
KRML_HOST_EXIT(254); \
} while (0)

/* In expression position, use the comma-operator and a malloc to return an
* expression of the right size. KreMLin passes t as the parameter to the macro.
*/
#define KRML_EABORT(t, msg) \
(KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, msg), \
KRML_HOST_EXIT(255), *((t *)KRML_HOST_MALLOC(sizeof(t))))

/* In FStar.Buffer.fst, the size of arrays is uint32_t, but it's a number of
* *elements*. Do an ugly, run-time check (some of which KreMLin can eliminate).
*/

#ifdef __GNUC__
# define _KRML_CHECK_SIZE_PRAGMA \
_Pragma("GCC diagnostic ignored \"-Wtype-limits\"")
#else
# define _KRML_CHECK_SIZE_PRAGMA
#endif

#define KRML_CHECK_SIZE(size_elt, sz) \
do { \
_KRML_CHECK_SIZE_PRAGMA \
if (((size_t)(sz)) > ((size_t)(SIZE_MAX / (size_elt)))) { \
KRML_HOST_PRINTF( \
"Maximum allocatable size exceeded, aborting before overflow at " \
"%s:%d\n", \
__FILE__, __LINE__); \
KRML_HOST_EXIT(253); \
} \
} while (0)

#if defined(_MSC_VER) && _MSC_VER < 1900
# define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) _snprintf_s(buf, sz, _TRUNCATE, fmt, arg)
#else
# define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) snprintf(buf, sz, fmt, arg)
#endif

#endif
@ -1,61 +0,0 @@
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
Licensed under the Apache 2.0 License. */

#ifndef KRML_TYPES_H
#define KRML_TYPES_H

#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>

/* Types which are either abstract, meaning that have to be implemented in C, or
* which are models, meaning that they are swapped out at compile-time for
* hand-written C types (in which case they're marked as noextract). */

typedef uint64_t FStar_UInt64_t, FStar_UInt64_t_;
typedef int64_t FStar_Int64_t, FStar_Int64_t_;
typedef uint32_t FStar_UInt32_t, FStar_UInt32_t_;
typedef int32_t FStar_Int32_t, FStar_Int32_t_;
typedef uint16_t FStar_UInt16_t, FStar_UInt16_t_;
typedef int16_t FStar_Int16_t, FStar_Int16_t_;
typedef uint8_t FStar_UInt8_t, FStar_UInt8_t_;
typedef int8_t FStar_Int8_t, FStar_Int8_t_;

/* Only useful when building Kremlib, because it's in the dependency graph of
* FStar.Int.Cast. */
typedef uint64_t FStar_UInt63_t, FStar_UInt63_t_;
typedef int64_t FStar_Int63_t, FStar_Int63_t_;

typedef double FStar_Float_float;
typedef uint32_t FStar_Char_char;
typedef FILE *FStar_IO_fd_read, *FStar_IO_fd_write;

typedef void *FStar_Dyn_dyn;

typedef const char *C_String_t, *C_String_t_;

typedef int exit_code;
typedef FILE *channel;

typedef unsigned long long TestLib_cycles;

typedef uint64_t FStar_Date_dateTime, FStar_Date_timeSpan;

/* The uint128 type is a special case since we offer several implementations of
* it, depending on the compiler and whether the user wants the verified
* implementation or not. */
#if !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(_M_X64)
# include <emmintrin.h>
typedef __m128i FStar_UInt128_uint128;
#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER)
typedef unsigned __int128 FStar_UInt128_uint128;
#else
typedef struct FStar_UInt128_uint128_s {
uint64_t low;
uint64_t high;
} FStar_UInt128_uint128;
#endif

typedef FStar_UInt128_uint128 FStar_UInt128_t, FStar_UInt128_t_, uint128_t;

#endif
@ -1,5 +0,0 @@
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
Licensed under the Apache 2.0 License. */

/* This file is automatically included when compiling with -wasm -d force-c */
#define WasmSupport_check_buffer_size(X)
@ -1,21 +0,0 @@
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
Licensed under the Apache 2.0 License. */

/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
* KreMLin invocation: /mnt/e/everest/verify/kremlin/krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -I /mnt/e/everest/verify/hacl-star/code/lib/kremlin -I /mnt/e/everest/verify/kremlin/kremlib/compat -I /mnt/e/everest/verify/hacl-star/specs -I /mnt/e/everest/verify/hacl-star/specs/old -I . -ccopt -march=native -verbose -ldopt -flto -tmpdir x25519-c -I ../bignum -bundle Hacl.Curve25519=* -minimal -add-include "kremlib.h" -skip-compilation x25519-c/out.krml -o x25519-c/Hacl_Curve25519.c
* F* version: 059db0c8
* KreMLin version: 916c37ac
*/



#ifndef __Hacl_Curve25519_H
#define __Hacl_Curve25519_H


#include "kremlib.h"

void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);

#define __Hacl_Curve25519_H_DEFINED
#endif
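Review bot: this hunk removes the only declaration of `Hacl_Curve25519_crypto_scalarmult`, and the header itself pulls in `"kremlib.h"`; the deletion set in this commit therefore has to include the `kremlib.h` umbrella header and every translation unit that still calls `Hacl_Curve25519_crypto_scalarmult` (the x25519 glue that multiplexes to it), otherwise the build fails on a dangling `#include` or an implicit declaration. Worth a tree-wide search for both names before merging.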
@ -1,36 +0,0 @@
/*
* Custom inttypes.h for VS2010 KreMLin requires these definitions,
* but VS2010 doesn't provide them.
*
* Copyright 2016-2018 INRIA and Microsoft Corporation
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of Mbed TLS (https://tls.mbed.org)
*/

#ifndef _INTTYPES_H_VS2010
#define _INTTYPES_H_VS2010

#include <stdint.h>

#ifdef _MSC_VER
#define inline __inline
#endif

/* VS2010 unsigned long == 8 bytes */

#define PRIu64 "I64u"

#endif
@ -1,31 +0,0 @@
/*
* Custom stdbool.h for VS2010 KreMLin requires these definitions,
* but VS2010 doesn't provide them.
*
* Copyright 2016-2018 INRIA and Microsoft Corporation
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of Mbed TLS (https://tls.mbed.org)
*/

#ifndef _STDBOOL_H_VS2010
#define _STDBOOL_H_VS2010

typedef int bool;

static bool true = 1;
static bool false = 0;

#endif
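Review bot: the removed VS2010 `stdbool.h` shim defined `true` and `false` as writable objects (`static bool true = 1;` / `static bool false = 0;`), which gives every translation unit its own mutable copy and makes neither usable in `#if` or any other constant expression; if a replacement shim is ever needed for old MSVC, `#define true 1` and `#define false 0` (or an enum) is the safe form. No action needed for the deletion itself.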
@ -1,190 +0,0 @@
/*
* ECDH with curve-optimized implementation multiplexing
*
* Copyright 2016-2018 INRIA and Microsoft Corporation
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of Mbed TLS (https://tls.mbed.org)
*/

#ifndef MBEDTLS_X25519_H
#define MBEDTLS_X25519_H

#ifdef __cplusplus
extern "C" {
#endif

#define MBEDTLS_ECP_TLS_CURVE25519 0x1d
#define MBEDTLS_X25519_KEY_SIZE_BYTES 32

/**
* Defines the source of the imported EC key.
*/
typedef enum
{
MBEDTLS_X25519_ECDH_OURS, /**< Our key. */
MBEDTLS_X25519_ECDH_THEIRS, /**< The key of the peer. */
} mbedtls_x25519_ecdh_side;

/**
* \brief The x25519 context structure.
*/
typedef struct
{
unsigned char our_secret[MBEDTLS_X25519_KEY_SIZE_BYTES];
unsigned char peer_point[MBEDTLS_X25519_KEY_SIZE_BYTES];
} mbedtls_x25519_context;

/**
* \brief This function initializes an x25519 context.
*
* \param ctx The x25519 context to initialize.
*/
void mbedtls_x25519_init( mbedtls_x25519_context *ctx );

/**
* \brief This function frees a context.
*
* \param ctx The context to free.
*/
void mbedtls_x25519_free( mbedtls_x25519_context *ctx );

/**
* \brief This function generates a public key and a TLS
* ServerKeyExchange payload.
*
* This is the first function used by a TLS server for x25519.
*
*
* \param ctx The x25519 context.
* \param olen The number of characters written.
* \param buf The destination buffer.
* \param blen The length of the destination buffer.
* \param f_rng The RNG function.
* \param p_rng The RNG context.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
*/
int mbedtls_x25519_make_params( mbedtls_x25519_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
int( *f_rng )(void *, unsigned char *, size_t),
void *p_rng );

/**
* \brief This function parses and processes a TLS ServerKeyExchange
* payload.
*
*
* \param ctx The x25519 context.
* \param buf The pointer to the start of the input buffer.
* \param end The address for one Byte past the end of the buffer.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
*
*/
int mbedtls_x25519_read_params( mbedtls_x25519_context *ctx,
const unsigned char **buf, const unsigned char *end );

/**
* \brief This function sets up an x25519 context from an EC key.
*
* It is used by clients and servers in place of the
* ServerKeyEchange for static ECDH, and imports ECDH
* parameters from the EC key information of a certificate.
*
* \see ecp.h
*
* \param ctx The x25519 context to set up.
* \param key The EC key to use.
* \param side Defines the source of the key: 1: Our key, or
* 0: The key of the peer.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
*
*/
int mbedtls_x25519_get_params( mbedtls_x25519_context *ctx, const mbedtls_ecp_keypair *key,
mbedtls_x25519_ecdh_side side );

/**
* \brief This function derives and exports the shared secret.
*
* This is the last function used by both TLS client
* and servers.
*
*
* \param ctx The x25519 context.
* \param olen The number of Bytes written.
* \param buf The destination buffer.
* \param blen The length of the destination buffer.
* \param f_rng The RNG function.
* \param p_rng The RNG context.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
*/
int mbedtls_x25519_calc_secret( mbedtls_x25519_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
int( *f_rng )(void *, unsigned char *, size_t),
void *p_rng );

/**
* \brief This function generates a public key and a TLS
* ClientKeyExchange payload.
*
* This is the second function used by a TLS client for x25519.
*
* \see ecp.h
*
* \param ctx The x25519 context.
* \param olen The number of Bytes written.
* \param buf The destination buffer.
* \param blen The size of the destination buffer.
* \param f_rng The RNG function.
* \param p_rng The RNG context.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
*/
int mbedtls_x25519_make_public( mbedtls_x25519_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
int( *f_rng )(void *, unsigned char *, size_t),
void *p_rng );

/**
* \brief This function parses and processes a TLS ClientKeyExchange
* payload.
*
* This is the second function used by a TLS server for x25519.
*
* \see ecp.h
*
* \param ctx The x25519 context.
* \param buf The start of the input buffer.
* \param blen The length of the input buffer.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
*/
int mbedtls_x25519_read_public( mbedtls_x25519_context *ctx,
const unsigned char *buf, size_t blen );

#ifdef __cplusplus
}
#endif

#endif /* x25519.h */
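Review bot: removing these declarations breaks any remaining caller of the `mbedtls_x25519_*` functions or of `MBEDTLS_ECP_TLS_CURVE25519`, so the ECDH code path that multiplexes to this backend (the "curve-optimized implementation multiplexing" the file header describes) has to go in the same commit, and it is worth confirming the build no longer reaches for it. Two smaller points on the removed header, relevant only if it is ever restored: the `\param side` text says `1: Our key, or 0: The key of the peer`, which is the reverse of the enum above it, where `MBEDTLS_X25519_ECDH_OURS` is the first enumerator (0) and `MBEDTLS_X25519_ECDH_THEIRS` the second (1); and the prototypes use `size_t` and `mbedtls_ecp_keypair` without including `<stddef.h>` or the ecp header, so the file only compiled when included after them.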
@ -1,760 +0,0 @@
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
Licensed under the Apache 2.0 License. */

/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
* KreMLin invocation: /mnt/e/everest/verify/kremlin/krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -fbuiltin-uint128 -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -I /mnt/e/everest/verify/hacl-star/code/lib/kremlin -I /mnt/e/everest/verify/kremlin/kremlib/compat -I /mnt/e/everest/verify/hacl-star/specs -I /mnt/e/everest/verify/hacl-star/specs/old -I . -ccopt -march=native -verbose -ldopt -flto -tmpdir x25519-c -I ../bignum -bundle Hacl.Curve25519=* -minimal -add-include "kremlib.h" -skip-compilation x25519-c/out.krml -o x25519-c/Hacl_Curve25519.c
* F* version: 059db0c8
* KreMLin version: 916c37ac
*/


#include "Hacl_Curve25519.h"

extern uint64_t FStar_UInt64_eq_mask(uint64_t x0, uint64_t x1);

extern uint64_t FStar_UInt64_gte_mask(uint64_t x0, uint64_t x1);

extern uint128_t FStar_UInt128_add(uint128_t x0, uint128_t x1);

extern uint128_t FStar_UInt128_add_mod(uint128_t x0, uint128_t x1);

extern uint128_t FStar_UInt128_logand(uint128_t x0, uint128_t x1);

extern uint128_t FStar_UInt128_shift_right(uint128_t x0, uint32_t x1);

extern uint128_t FStar_UInt128_uint64_to_uint128(uint64_t x0);

extern uint64_t FStar_UInt128_uint128_to_uint64(uint128_t x0);

extern uint128_t FStar_UInt128_mul_wide(uint64_t x0, uint64_t x1);

static void Hacl_Bignum_Modulo_carry_top(uint64_t *b)
{
uint64_t b4 = b[4U];
uint64_t b0 = b[0U];
uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU;
uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U);
b[4U] = b4_;
b[0U] = b0_;
}

inline static void Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, uint128_t *input)
{
uint32_t i;
for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
{
uint128_t xi = input[i];
output[i] = (uint64_t)xi;
}
}

inline static void
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(uint128_t *output, uint64_t *input, uint64_t s)
{
uint32_t i;
for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
{
uint128_t xi = output[i];
uint64_t yi = input[i];
output[i] = xi + (uint128_t)yi * s;
}
}

inline static void Hacl_Bignum_Fproduct_carry_wide_(uint128_t *tmp)
{
uint32_t i;
for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
{
uint32_t ctr = i;
uint128_t tctr = tmp[ctr];
uint128_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint64_t r0 = (uint64_t)tctr & (uint64_t)0x7ffffffffffffU;
uint128_t c = tctr >> (uint32_t)51U;
tmp[ctr] = (uint128_t)r0;
tmp[ctr + (uint32_t)1U] = tctrp1 + c;
}
}

inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
{
uint64_t tmp = output[4U];
uint64_t b0;
{
uint32_t i;
for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
{
uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U;
uint64_t z = output[ctr - (uint32_t)1U];
output[ctr] = z;
}
}
output[0U] = tmp;
b0 = output[0U];
output[0U] = (uint64_t)19U * b0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_Bignum_Fmul_mul_shift_reduce_(uint128_t *output, uint64_t *input, uint64_t *input2)
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
uint64_t input2i;
|
|
||||||
{
|
|
||||||
uint32_t i0;
|
|
||||||
for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0 = i0 + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
uint64_t input2i0 = input2[i0];
|
|
||||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i0);
|
|
||||||
Hacl_Bignum_Fmul_shift_reduce(input);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
i = (uint32_t)4U;
|
|
||||||
input2i = input2[i];
|
|
||||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input2)
|
|
||||||
{
|
|
||||||
uint64_t tmp[5U] = { 0U };
|
|
||||||
memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
|
|
||||||
KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U);
|
|
||||||
{
|
|
||||||
uint128_t t[5U];
|
|
||||||
{
|
|
||||||
uint32_t _i;
|
|
||||||
for (_i = 0U; _i < (uint32_t)5U; ++_i)
|
|
||||||
t[_i] = (uint128_t)(uint64_t)0U;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
uint128_t b4;
|
|
||||||
uint128_t b0;
|
|
||||||
uint128_t b4_;
|
|
||||||
uint128_t b0_;
|
|
||||||
uint64_t i0;
|
|
||||||
uint64_t i1;
|
|
||||||
uint64_t i0_;
|
|
||||||
uint64_t i1_;
|
|
||||||
Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2);
|
|
||||||
Hacl_Bignum_Fproduct_carry_wide_(t);
|
|
||||||
b4 = t[4U];
|
|
||||||
b0 = t[0U];
|
|
||||||
b4_ = b4 & (uint128_t)(uint64_t)0x7ffffffffffffU;
|
|
||||||
b0_ = b0 + (uint128_t)(uint64_t)19U * (uint64_t)(b4 >> (uint32_t)51U);
|
|
||||||
t[4U] = b4_;
|
|
||||||
t[0U] = b0_;
|
|
||||||
Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
|
|
||||||
i0 = output[0U];
|
|
||||||
i1 = output[1U];
|
|
||||||
i0_ = i0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
i1_ = i1 + (i0 >> (uint32_t)51U);
|
|
||||||
output[0U] = i0_;
|
|
||||||
output[1U] = i1_;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Fsquare_fsquare__(uint128_t *tmp, uint64_t *output)
|
|
||||||
{
|
|
||||||
uint64_t r0 = output[0U];
|
|
||||||
uint64_t r1 = output[1U];
|
|
||||||
uint64_t r2 = output[2U];
|
|
||||||
uint64_t r3 = output[3U];
|
|
||||||
uint64_t r4 = output[4U];
|
|
||||||
uint64_t d0 = r0 * (uint64_t)2U;
|
|
||||||
uint64_t d1 = r1 * (uint64_t)2U;
|
|
||||||
uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U;
|
|
||||||
uint64_t d419 = r4 * (uint64_t)19U;
|
|
||||||
uint64_t d4 = d419 * (uint64_t)2U;
|
|
||||||
uint128_t s0 = (uint128_t)r0 * r0 + (uint128_t)d4 * r1 + (uint128_t)d2 * r3;
|
|
||||||
uint128_t s1 = (uint128_t)d0 * r1 + (uint128_t)d4 * r2 + (uint128_t)(r3 * (uint64_t)19U) * r3;
|
|
||||||
uint128_t s2 = (uint128_t)d0 * r2 + (uint128_t)r1 * r1 + (uint128_t)d4 * r3;
|
|
||||||
uint128_t s3 = (uint128_t)d0 * r3 + (uint128_t)d1 * r2 + (uint128_t)r4 * d419;
|
|
||||||
uint128_t s4 = (uint128_t)d0 * r4 + (uint128_t)d1 * r3 + (uint128_t)r2 * r2;
|
|
||||||
tmp[0U] = s0;
|
|
||||||
tmp[1U] = s1;
|
|
||||||
tmp[2U] = s2;
|
|
||||||
tmp[3U] = s3;
|
|
||||||
tmp[4U] = s4;
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Fsquare_fsquare_(uint128_t *tmp, uint64_t *output)
|
|
||||||
{
|
|
||||||
uint128_t b4;
|
|
||||||
uint128_t b0;
|
|
||||||
uint128_t b4_;
|
|
||||||
uint128_t b0_;
|
|
||||||
uint64_t i0;
|
|
||||||
uint64_t i1;
|
|
||||||
uint64_t i0_;
|
|
||||||
uint64_t i1_;
|
|
||||||
Hacl_Bignum_Fsquare_fsquare__(tmp, output);
|
|
||||||
Hacl_Bignum_Fproduct_carry_wide_(tmp);
|
|
||||||
b4 = tmp[4U];
|
|
||||||
b0 = tmp[0U];
|
|
||||||
b4_ = b4 & (uint128_t)(uint64_t)0x7ffffffffffffU;
|
|
||||||
b0_ = b0 + (uint128_t)(uint64_t)19U * (uint64_t)(b4 >> (uint32_t)51U);
|
|
||||||
tmp[4U] = b4_;
|
|
||||||
tmp[0U] = b0_;
|
|
||||||
Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
|
|
||||||
i0 = output[0U];
|
|
||||||
i1 = output[1U];
|
|
||||||
i0_ = i0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
i1_ = i1 + (i0 >> (uint32_t)51U);
|
|
||||||
output[0U] = i0_;
|
|
||||||
output[1U] = i1_;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, uint128_t *tmp, uint32_t count1)
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_(tmp, input);
|
|
||||||
for (i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U)
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_(tmp, input);
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1)
|
|
||||||
{
|
|
||||||
KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U);
|
|
||||||
{
|
|
||||||
uint128_t t[5U];
|
|
||||||
{
|
|
||||||
uint32_t _i;
|
|
||||||
for (_i = 0U; _i < (uint32_t)5U; ++_i)
|
|
||||||
t[_i] = (uint128_t)(uint64_t)0U;
|
|
||||||
}
|
|
||||||
memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1)
|
|
||||||
{
|
|
||||||
KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U);
|
|
||||||
{
|
|
||||||
uint128_t t[5U];
|
|
||||||
{
|
|
||||||
uint32_t _i;
|
|
||||||
for (_i = 0U; _i < (uint32_t)5U; ++_i)
|
|
||||||
t[_i] = (uint128_t)(uint64_t)0U;
|
|
||||||
}
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z)
|
|
||||||
{
|
|
||||||
uint64_t buf[20U] = { 0U };
|
|
||||||
uint64_t *a0 = buf;
|
|
||||||
uint64_t *t00 = buf + (uint32_t)5U;
|
|
||||||
uint64_t *b0 = buf + (uint32_t)10U;
|
|
||||||
uint64_t *t01;
|
|
||||||
uint64_t *b1;
|
|
||||||
uint64_t *c0;
|
|
||||||
uint64_t *a;
|
|
||||||
uint64_t *t0;
|
|
||||||
uint64_t *b;
|
|
||||||
uint64_t *c;
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(a0, z, (uint32_t)1U);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)2U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(b0, t00, z);
|
|
||||||
Hacl_Bignum_Fmul_fmul(a0, b0, a0);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)1U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(b0, t00, b0);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U);
|
|
||||||
t01 = buf + (uint32_t)5U;
|
|
||||||
b1 = buf + (uint32_t)10U;
|
|
||||||
c0 = buf + (uint32_t)15U;
|
|
||||||
Hacl_Bignum_Fmul_fmul(b1, t01, b1);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(c0, t01, b1);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(t01, t01, c0);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(b1, t01, b1);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U);
|
|
||||||
a = buf;
|
|
||||||
t0 = buf + (uint32_t)5U;
|
|
||||||
b = buf + (uint32_t)10U;
|
|
||||||
c = buf + (uint32_t)15U;
|
|
||||||
Hacl_Bignum_Fmul_fmul(c, t0, b);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(t0, t0, c);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(t0, t0, b);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(out, t0, a);
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_fsum(uint64_t *a, uint64_t *b)
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
uint64_t xi = a[i];
|
|
||||||
uint64_t yi = b[i];
|
|
||||||
a[i] = xi + yi;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b)
|
|
||||||
{
|
|
||||||
uint64_t tmp[5U] = { 0U };
|
|
||||||
uint64_t b0;
|
|
||||||
uint64_t b1;
|
|
||||||
uint64_t b2;
|
|
||||||
uint64_t b3;
|
|
||||||
uint64_t b4;
|
|
||||||
memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]);
|
|
||||||
b0 = tmp[0U];
|
|
||||||
b1 = tmp[1U];
|
|
||||||
b2 = tmp[2U];
|
|
||||||
b3 = tmp[3U];
|
|
||||||
b4 = tmp[4U];
|
|
||||||
tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U;
|
|
||||||
tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U;
|
|
||||||
tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U;
|
|
||||||
tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U;
|
|
||||||
tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U;
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
uint64_t xi = a[i];
|
|
||||||
uint64_t yi = tmp[i];
|
|
||||||
a[i] = yi - xi;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s)
|
|
||||||
{
|
|
||||||
KRML_CHECK_SIZE(sizeof (uint128_t), (uint32_t)5U);
|
|
||||||
{
|
|
||||||
uint128_t tmp[5U];
|
|
||||||
{
|
|
||||||
uint32_t _i;
|
|
||||||
for (_i = 0U; _i < (uint32_t)5U; ++_i)
|
|
||||||
tmp[_i] = (uint128_t)(uint64_t)0U;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
uint128_t b4;
|
|
||||||
uint128_t b0;
|
|
||||||
uint128_t b4_;
|
|
||||||
uint128_t b0_;
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
uint64_t xi = b[i];
|
|
||||||
tmp[i] = (uint128_t)xi * s;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Hacl_Bignum_Fproduct_carry_wide_(tmp);
|
|
||||||
b4 = tmp[4U];
|
|
||||||
b0 = tmp[0U];
|
|
||||||
b4_ = b4 & (uint128_t)(uint64_t)0x7ffffffffffffU;
|
|
||||||
b0_ = b0 + (uint128_t)(uint64_t)19U * (uint64_t)(b4 >> (uint32_t)51U);
|
|
||||||
tmp[4U] = b4_;
|
|
||||||
tmp[0U] = b0_;
|
|
||||||
Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b)
|
|
||||||
{
|
|
||||||
Hacl_Bignum_Fmul_fmul(output, a, b);
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_crecip(uint64_t *output, uint64_t *input)
|
|
||||||
{
|
|
||||||
Hacl_Bignum_Crecip_crecip(output, input);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Point_swap_conditional_step(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
|
|
||||||
{
|
|
||||||
uint32_t i = ctr - (uint32_t)1U;
|
|
||||||
uint64_t ai = a[i];
|
|
||||||
uint64_t bi = b[i];
|
|
||||||
uint64_t x = swap1 & (ai ^ bi);
|
|
||||||
uint64_t ai1 = ai ^ x;
|
|
||||||
uint64_t bi1 = bi ^ x;
|
|
||||||
a[i] = ai1;
|
|
||||||
b[i] = bi1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
|
|
||||||
{
|
|
||||||
if (!(ctr == (uint32_t)0U))
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr);
|
|
||||||
i = ctr - (uint32_t)1U;
|
|
||||||
Hacl_EC_Point_swap_conditional_(a, b, swap1, i);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Point_swap_conditional(uint64_t *a, uint64_t *b, uint64_t iswap)
|
|
||||||
{
|
|
||||||
uint64_t swap1 = (uint64_t)0U - iswap;
|
|
||||||
Hacl_EC_Point_swap_conditional_(a, b, swap1, (uint32_t)5U);
|
|
||||||
Hacl_EC_Point_swap_conditional_(a + (uint32_t)5U, b + (uint32_t)5U, swap1, (uint32_t)5U);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Point_copy(uint64_t *output, uint64_t *input)
|
|
||||||
{
|
|
||||||
memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
|
|
||||||
memcpy(output + (uint32_t)5U,
|
|
||||||
input + (uint32_t)5U,
|
|
||||||
(uint32_t)5U * sizeof (input + (uint32_t)5U)[0U]);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input)
|
|
||||||
{
|
|
||||||
uint64_t i0 = load64_le(input);
|
|
||||||
uint8_t *x00 = input + (uint32_t)6U;
|
|
||||||
uint64_t i1 = load64_le(x00);
|
|
||||||
uint8_t *x01 = input + (uint32_t)12U;
|
|
||||||
uint64_t i2 = load64_le(x01);
|
|
||||||
uint8_t *x02 = input + (uint32_t)19U;
|
|
||||||
uint64_t i3 = load64_le(x02);
|
|
||||||
uint8_t *x0 = input + (uint32_t)24U;
|
|
||||||
uint64_t i4 = load64_le(x0);
|
|
||||||
uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU;
|
|
||||||
output[0U] = output0;
|
|
||||||
output[1U] = output1;
|
|
||||||
output[2U] = output2;
|
|
||||||
output[3U] = output3;
|
|
||||||
output[4U] = output4;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input)
|
|
||||||
{
|
|
||||||
uint64_t t0 = input[0U];
|
|
||||||
uint64_t t1 = input[1U];
|
|
||||||
uint64_t t2 = input[2U];
|
|
||||||
uint64_t t3 = input[3U];
|
|
||||||
uint64_t t4 = input[4U];
|
|
||||||
uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
|
|
||||||
uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
|
|
||||||
uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
|
|
||||||
uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
|
|
||||||
uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
input[0U] = t0_;
|
|
||||||
input[1U] = t1__;
|
|
||||||
input[2U] = t2__;
|
|
||||||
input[3U] = t3__;
|
|
||||||
input[4U] = t4_;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input)
|
|
||||||
{
|
|
||||||
Hacl_EC_Format_fcontract_first_carry_pass(input);
|
|
||||||
Hacl_Bignum_Modulo_carry_top(input);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input)
|
|
||||||
{
|
|
||||||
uint64_t t0 = input[0U];
|
|
||||||
uint64_t t1 = input[1U];
|
|
||||||
uint64_t t2 = input[2U];
|
|
||||||
uint64_t t3 = input[3U];
|
|
||||||
uint64_t t4 = input[4U];
|
|
||||||
uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
|
|
||||||
uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
|
|
||||||
uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
|
|
||||||
uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
|
|
||||||
uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
input[0U] = t0_;
|
|
||||||
input[1U] = t1__;
|
|
||||||
input[2U] = t2__;
|
|
||||||
input[3U] = t3__;
|
|
||||||
input[4U] = t4_;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input)
|
|
||||||
{
|
|
||||||
uint64_t i0;
|
|
||||||
uint64_t i1;
|
|
||||||
uint64_t i0_;
|
|
||||||
uint64_t i1_;
|
|
||||||
Hacl_EC_Format_fcontract_second_carry_pass(input);
|
|
||||||
Hacl_Bignum_Modulo_carry_top(input);
|
|
||||||
i0 = input[0U];
|
|
||||||
i1 = input[1U];
|
|
||||||
i0_ = i0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
i1_ = i1 + (i0 >> (uint32_t)51U);
|
|
||||||
input[0U] = i0_;
|
|
||||||
input[1U] = i1_;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_trim(uint64_t *input)
|
|
||||||
{
|
|
||||||
uint64_t a0 = input[0U];
|
|
||||||
uint64_t a1 = input[1U];
|
|
||||||
uint64_t a2 = input[2U];
|
|
||||||
uint64_t a3 = input[3U];
|
|
||||||
uint64_t a4 = input[4U];
|
|
||||||
uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU);
|
|
||||||
uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU);
|
|
||||||
uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU);
|
|
||||||
uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU);
|
|
||||||
uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU);
|
|
||||||
uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
|
|
||||||
uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask);
|
|
||||||
uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask);
|
|
||||||
uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask);
|
|
||||||
uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask);
|
|
||||||
uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask);
|
|
||||||
input[0U] = a0_;
|
|
||||||
input[1U] = a1_;
|
|
||||||
input[2U] = a2_;
|
|
||||||
input[3U] = a3_;
|
|
||||||
input[4U] = a4_;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_store(uint8_t *output, uint64_t *input)
|
|
||||||
{
|
|
||||||
uint64_t t0 = input[0U];
|
|
||||||
uint64_t t1 = input[1U];
|
|
||||||
uint64_t t2 = input[2U];
|
|
||||||
uint64_t t3 = input[3U];
|
|
||||||
uint64_t t4 = input[4U];
|
|
||||||
uint64_t o0 = t1 << (uint32_t)51U | t0;
|
|
||||||
uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U;
|
|
||||||
uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U;
|
|
||||||
uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U;
|
|
||||||
uint8_t *b0 = output;
|
|
||||||
uint8_t *b1 = output + (uint32_t)8U;
|
|
||||||
uint8_t *b2 = output + (uint32_t)16U;
|
|
||||||
uint8_t *b3 = output + (uint32_t)24U;
|
|
||||||
store64_le(b0, o0);
|
|
||||||
store64_le(b1, o1);
|
|
||||||
store64_le(b2, o2);
|
|
||||||
store64_le(b3, o3);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract(uint8_t *output, uint64_t *input)
|
|
||||||
{
|
|
||||||
Hacl_EC_Format_fcontract_first_carry_full(input);
|
|
||||||
Hacl_EC_Format_fcontract_second_carry_full(input);
|
|
||||||
Hacl_EC_Format_fcontract_trim(input);
|
|
||||||
Hacl_EC_Format_fcontract_store(output, input);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_scalar_of_point(uint8_t *scalar, uint64_t *point)
|
|
||||||
{
|
|
||||||
uint64_t *x = point;
|
|
||||||
uint64_t *z = point + (uint32_t)5U;
|
|
||||||
uint64_t buf[10U] = { 0U };
|
|
||||||
uint64_t *zmone = buf;
|
|
||||||
uint64_t *sc = buf + (uint32_t)5U;
|
|
||||||
Hacl_Bignum_crecip(zmone, z);
|
|
||||||
Hacl_Bignum_fmul(sc, x, zmone);
|
|
||||||
Hacl_EC_Format_fcontract(scalar, sc);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_AddAndDouble_fmonty(
|
|
||||||
uint64_t *pp,
|
|
||||||
uint64_t *ppq,
|
|
||||||
uint64_t *p,
|
|
||||||
uint64_t *pq,
|
|
||||||
uint64_t *qmqp
|
|
||||||
)
|
|
||||||
{
|
|
||||||
uint64_t *qx = qmqp;
|
|
||||||
uint64_t *x2 = pp;
|
|
||||||
uint64_t *z2 = pp + (uint32_t)5U;
|
|
||||||
uint64_t *x3 = ppq;
|
|
||||||
uint64_t *z3 = ppq + (uint32_t)5U;
|
|
||||||
uint64_t *x = p;
|
|
||||||
uint64_t *z = p + (uint32_t)5U;
|
|
||||||
uint64_t *xprime = pq;
|
|
||||||
uint64_t *zprime = pq + (uint32_t)5U;
|
|
||||||
uint64_t buf[40U] = { 0U };
|
|
||||||
uint64_t *origx = buf;
|
|
||||||
uint64_t *origxprime0 = buf + (uint32_t)5U;
|
|
||||||
uint64_t *xxprime0 = buf + (uint32_t)25U;
|
|
||||||
uint64_t *zzprime0 = buf + (uint32_t)30U;
|
|
||||||
uint64_t *origxprime;
|
|
||||||
uint64_t *xx0;
|
|
||||||
uint64_t *zz0;
|
|
||||||
uint64_t *xxprime;
|
|
||||||
uint64_t *zzprime;
|
|
||||||
uint64_t *zzzprime;
|
|
||||||
uint64_t *zzz;
|
|
||||||
uint64_t *xx;
|
|
||||||
uint64_t *zz;
|
|
||||||
uint64_t scalar;
|
|
||||||
memcpy(origx, x, (uint32_t)5U * sizeof x[0U]);
|
|
||||||
Hacl_Bignum_fsum(x, z);
|
|
||||||
Hacl_Bignum_fdifference(z, origx);
|
|
||||||
memcpy(origxprime0, xprime, (uint32_t)5U * sizeof xprime[0U]);
|
|
||||||
Hacl_Bignum_fsum(xprime, zprime);
|
|
||||||
Hacl_Bignum_fdifference(zprime, origxprime0);
|
|
||||||
Hacl_Bignum_fmul(xxprime0, xprime, z);
|
|
||||||
Hacl_Bignum_fmul(zzprime0, x, zprime);
|
|
||||||
origxprime = buf + (uint32_t)5U;
|
|
||||||
xx0 = buf + (uint32_t)15U;
|
|
||||||
zz0 = buf + (uint32_t)20U;
|
|
||||||
xxprime = buf + (uint32_t)25U;
|
|
||||||
zzprime = buf + (uint32_t)30U;
|
|
||||||
zzzprime = buf + (uint32_t)35U;
|
|
||||||
memcpy(origxprime, xxprime, (uint32_t)5U * sizeof xxprime[0U]);
|
|
||||||
Hacl_Bignum_fsum(xxprime, zzprime);
|
|
||||||
Hacl_Bignum_fdifference(zzprime, origxprime);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(x3, xxprime, (uint32_t)1U);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(zzzprime, zzprime, (uint32_t)1U);
|
|
||||||
Hacl_Bignum_fmul(z3, zzzprime, qx);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U);
|
|
||||||
zzz = buf + (uint32_t)10U;
|
|
||||||
xx = buf + (uint32_t)15U;
|
|
||||||
zz = buf + (uint32_t)20U;
|
|
||||||
Hacl_Bignum_fmul(x2, xx, zz);
|
|
||||||
Hacl_Bignum_fdifference(zz, xx);
|
|
||||||
scalar = (uint64_t)121665U;
|
|
||||||
Hacl_Bignum_fscalar(zzz, zz, scalar);
|
|
||||||
Hacl_Bignum_fsum(zzz, xx);
|
|
||||||
Hacl_Bignum_fmul(z2, zzz, zz);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(
|
|
||||||
uint64_t *nq,
|
|
||||||
uint64_t *nqpq,
|
|
||||||
uint64_t *nq2,
|
|
||||||
uint64_t *nqpq2,
|
|
||||||
uint64_t *q,
|
|
||||||
uint8_t byt
|
|
||||||
)
|
|
||||||
{
|
|
||||||
uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U);
|
|
||||||
uint64_t bit;
|
|
||||||
Hacl_EC_Point_swap_conditional(nq, nqpq, bit0);
|
|
||||||
Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q);
|
|
||||||
bit = (uint64_t)(byt >> (uint32_t)7U);
|
|
||||||
Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(
|
|
||||||
uint64_t *nq,
|
|
||||||
uint64_t *nqpq,
|
|
||||||
uint64_t *nq2,
|
|
||||||
uint64_t *nqpq2,
|
|
||||||
uint64_t *q,
|
|
||||||
uint8_t byt
|
|
||||||
)
|
|
||||||
{
|
|
||||||
uint8_t byt1;
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt);
|
|
||||||
byt1 = byt << (uint32_t)1U;
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(
|
|
||||||
uint64_t *nq,
|
|
||||||
uint64_t *nqpq,
|
|
||||||
uint64_t *nq2,
|
|
||||||
uint64_t *nqpq2,
|
|
||||||
uint64_t *q,
|
|
||||||
uint8_t byt,
|
|
||||||
uint32_t i
|
|
||||||
)
|
|
||||||
{
|
|
||||||
if (!(i == (uint32_t)0U))
|
|
||||||
{
|
|
||||||
uint32_t i_ = i - (uint32_t)1U;
|
|
||||||
uint8_t byt_;
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt);
|
|
||||||
byt_ = byt << (uint32_t)2U;
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Ladder_BigLoop_cmult_big_loop(
|
|
||||||
uint8_t *n1,
|
|
||||||
uint64_t *nq,
|
|
||||||
uint64_t *nqpq,
|
|
||||||
uint64_t *nq2,
|
|
||||||
uint64_t *nqpq2,
|
|
||||||
uint64_t *q,
|
|
||||||
uint32_t i
|
|
||||||
)
|
|
||||||
{
|
|
||||||
if (!(i == (uint32_t)0U))
|
|
||||||
{
|
|
||||||
uint32_t i1 = i - (uint32_t)1U;
|
|
||||||
uint8_t byte = n1[i1];
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byte, (uint32_t)4U);
|
|
||||||
Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, i1);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Ladder_cmult(uint64_t *result, uint8_t *n1, uint64_t *q)
|
|
||||||
{
|
|
||||||
uint64_t point_buf[40U] = { 0U };
|
|
||||||
uint64_t *nq = point_buf;
|
|
||||||
uint64_t *nqpq = point_buf + (uint32_t)10U;
|
|
||||||
uint64_t *nq2 = point_buf + (uint32_t)20U;
|
|
||||||
uint64_t *nqpq2 = point_buf + (uint32_t)30U;
|
|
||||||
Hacl_EC_Point_copy(nqpq, q);
|
|
||||||
nq[0U] = (uint64_t)1U;
|
|
||||||
Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, (uint32_t)32U);
|
|
||||||
Hacl_EC_Point_copy(result, nq);
|
|
||||||
}
|
|
||||||
|
|
||||||
void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint)
|
|
||||||
{
|
|
||||||
uint64_t buf0[10U] = { 0U };
|
|
||||||
uint64_t *x0 = buf0;
|
|
||||||
uint64_t *z = buf0 + (uint32_t)5U;
|
|
||||||
uint64_t *q;
|
|
||||||
Hacl_EC_Format_fexpand(x0, basepoint);
|
|
||||||
z[0U] = (uint64_t)1U;
|
|
||||||
q = buf0;
|
|
||||||
{
|
|
||||||
uint8_t e[32U] = { 0U };
|
|
||||||
uint8_t e0;
|
|
||||||
uint8_t e31;
|
|
||||||
uint8_t e01;
|
|
||||||
uint8_t e311;
|
|
||||||
uint8_t e312;
|
|
||||||
uint8_t *scalar;
|
|
||||||
memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]);
|
|
||||||
e0 = e[0U];
|
|
||||||
e31 = e[31U];
|
|
||||||
e01 = e0 & (uint8_t)248U;
|
|
||||||
e311 = e31 & (uint8_t)127U;
|
|
||||||
e312 = e311 | (uint8_t)64U;
|
|
||||||
e[0U] = e01;
|
|
||||||
e[31U] = e312;
|
|
||||||
scalar = e;
|
|
||||||
{
|
|
||||||
uint64_t buf[15U] = { 0U };
|
|
||||||
uint64_t *nq = buf;
|
|
||||||
uint64_t *x = nq;
|
|
||||||
x[0U] = (uint64_t)1U;
|
|
||||||
Hacl_EC_Ladder_cmult(nq, scalar, q);
|
|
||||||
Hacl_EC_Format_scalar_of_point(mypublic, nq);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
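Review bot: the whole KreMLin-extracted, formally verified X25519 implementation (`Hacl_Curve25519_crypto_scalarmult` together with its 51-bit-limb field arithmetic and Montgomery ladder) is deleted here, but neither the hunk nor the commit title says which Curve25519 scalar-multiplication path mbedtls uses after the downgrade or why the Everest variant is being dropped; that rationale belongs in the commit message, because swapping the implementation of a key-agreement primitive is not a cosmetic vendoring change. The deleted code is also where the scalar clamping (`e0 & (uint8_t)248U`, `e31 & (uint8_t)127U`, `e311 | (uint8_t)64U`) and the branch-free conditional swap (`swap1 & (ai ^ bi)`) live, so whatever path replaces it should be checked for the same two properties before this is merged.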
@ -1,50 +0,0 @@
/*
 * Interface to code from Project Everest
 *
 * Copyright 2016-2018 INRIA and Microsoft Corporation
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * This file is part of Mbed TLS (https://tls.mbed.org)
 */
#ifndef _BSD_SOURCE
/* Required to get htole64() from gcc/glibc's endian.h (older systems)
 * when we compile with -std=c99 */
#define _BSD_SOURCE
#endif
#ifndef _DEFAULT_SOURCE
/* (modern version of _BSD_SOURCE) */
#define _DEFAULT_SOURCE
#endif

#include "common.h"

#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)

#if defined(__SIZEOF_INT128__) && (__SIZEOF_INT128__ == 16)
#define MBEDTLS_HAVE_INT128
#endif

#if defined(MBEDTLS_HAVE_INT128)
#include "Hacl_Curve25519.c"
#else
#define KRML_VERIFIED_UINT128
#include "kremlib/FStar_UInt128_extracted.c"
#include "legacy/Hacl_Curve25519.c"
#endif

#include "kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.c"

#endif /* defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) */
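Review bot: this deleted file is the single entry point behind `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED`; it selects the native `uint128_t` build (`#include "Hacl_Curve25519.c"`) or the `legacy/Hacl_Curve25519.c` fallback with `KRML_VERIFIED_UINT128` based on `__SIZEOF_INT128__`, and pulls in the `kremlib` integer shims both need. Once it is gone, any build configuration that still defines `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED` will fail at compile time, so the same commit should remove that define from the project's mbedtls configuration (or the commit message should point to where it is removed); please also confirm the `legacy/` tree and the `kremlib/` sources are deleted together with this selector rather than left as dead vendored code.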
102
externals/mbedtls/3rdparty/everest/library/everest.c
vendored
@ -1,102 +0,0 @@
|
|||||||
/*
|
|
||||||
* Interface to code from Project Everest
|
|
||||||
*
|
|
||||||
* Copyright 2016-2018 INRIA and Microsoft Corporation
|
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*
|
|
||||||
* This file is part of Mbed TLS (https://tls.mbed.org).
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include "common.h"
|
|
||||||
|
|
||||||
#include <string.h>
|
|
||||||
|
|
||||||
#include "mbedtls/ecdh.h"
|
|
||||||
|
|
||||||
#include "everest/x25519.h"
|
|
||||||
#include "everest/everest.h"
|
|
||||||
|
|
||||||
#include "mbedtls/platform.h"
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
|
|
||||||
|
|
||||||
int mbedtls_everest_setup( mbedtls_ecdh_context_everest *ctx, int grp_id )
|
|
||||||
{
|
|
||||||
if( grp_id != MBEDTLS_ECP_DP_CURVE25519 )
|
|
||||||
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
|
||||||
mbedtls_x25519_init( &ctx->ctx );
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
void mbedtls_everest_free( mbedtls_ecdh_context_everest *ctx )
|
|
||||||
{
|
|
||||||
mbedtls_x25519_free( &ctx->ctx );
|
|
||||||
}
|
|
||||||
|
|
||||||
int mbedtls_everest_make_params( mbedtls_ecdh_context_everest *ctx, size_t *olen,
|
|
||||||
unsigned char *buf, size_t blen,
|
|
||||||
int( *f_rng )( void *, unsigned char *, size_t ),
|
|
||||||
void *p_rng )
|
|
||||||
{
|
|
||||||
mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
|
|
||||||
return mbedtls_x25519_make_params( x25519_ctx, olen, buf, blen, f_rng, p_rng );
|
|
||||||
}
|
|
||||||
|
|
||||||
int mbedtls_everest_read_params( mbedtls_ecdh_context_everest *ctx,
|
|
||||||
const unsigned char **buf,
|
|
||||||
const unsigned char *end )
|
|
||||||
{
|
|
||||||
mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
|
|
||||||
return mbedtls_x25519_read_params( x25519_ctx, buf, end );
|
|
||||||
}
|
|
||||||
|
|
||||||
int mbedtls_everest_get_params( mbedtls_ecdh_context_everest *ctx,
|
|
||||||
const mbedtls_ecp_keypair *key,
|
|
||||||
mbedtls_everest_ecdh_side side )
|
|
||||||
{
|
|
||||||
mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
|
|
||||||
mbedtls_x25519_ecdh_side s = side == MBEDTLS_EVEREST_ECDH_OURS ?
|
|
||||||
MBEDTLS_X25519_ECDH_OURS :
|
|
||||||
MBEDTLS_X25519_ECDH_THEIRS;
|
|
||||||
return mbedtls_x25519_get_params( x25519_ctx, key, s );
|
|
||||||
}
|
|
||||||
|
|
||||||
int mbedtls_everest_make_public( mbedtls_ecdh_context_everest *ctx, size_t *olen,
|
|
||||||
unsigned char *buf, size_t blen,
|
|
||||||
int( *f_rng )( void *, unsigned char *, size_t ),
|
|
||||||
void *p_rng )
|
|
||||||
{
|
|
||||||
mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
|
|
||||||
return mbedtls_x25519_make_public( x25519_ctx, olen, buf, blen, f_rng, p_rng );
|
|
||||||
}
|
|
||||||
|
|
||||||
int mbedtls_everest_read_public( mbedtls_ecdh_context_everest *ctx,
|
|
||||||
const unsigned char *buf, size_t blen )
|
|
||||||
{
|
|
||||||
mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
|
|
||||||
return mbedtls_x25519_read_public ( x25519_ctx, buf, blen );
|
|
||||||
}
|
|
||||||
|
|
||||||
int mbedtls_everest_calc_secret( mbedtls_ecdh_context_everest *ctx, size_t *olen,
|
|
||||||
unsigned char *buf, size_t blen,
|
|
||||||
int( *f_rng )( void *, unsigned char *, size_t ),
|
|
||||||
void *p_rng )
|
|
||||||
{
|
|
||||||
mbedtls_x25519_context *x25519_ctx = &ctx->ctx;
|
|
||||||
return mbedtls_x25519_calc_secret( x25519_ctx, olen, buf, blen, f_rng, p_rng );
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif /* MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED */
|
|
||||||
|
|
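Review bot: deleting everest.c leaves `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED` (the guard around every function in this file) as a dangling option: any vendored `mbedtls_config.h` that still defines it, or any CMake source list that still names `everest.c`, will now fail to compile or link. Please confirm in the same change that the option is not set and that the build file no longer references this file, and have the commit message say that the downgrade drops the Everest/HACL* X25519 variant (so Curve25519 ECDH falls back to Mbed TLS's own implementation) and which Mbed TLS version is now vendored; "Downgraded mbedtls" alone states neither.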
@ -1,413 +0,0 @@
|
|||||||
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
|
|
||||||
Licensed under the Apache 2.0 License. */
|
|
||||||
|
|
||||||
/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
|
|
||||||
* KreMLin invocation: ../krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrB9w -minimal -fparentheses -fcurly-braces -fno-shadow -header copyright-header.txt -minimal -tmpdir extracted -warn-error +9+11 -skip-compilation -extract-uints -add-include <inttypes.h> -add-include "kremlib.h" -add-include "kremlin/internal/compat.h" extracted/prims.krml extracted/FStar_Pervasives_Native.krml extracted/FStar_Pervasives.krml extracted/FStar_Mul.krml extracted/FStar_Squash.krml extracted/FStar_Classical.krml extracted/FStar_StrongExcludedMiddle.krml extracted/FStar_FunctionalExtensionality.krml extracted/FStar_List_Tot_Base.krml extracted/FStar_List_Tot_Properties.krml extracted/FStar_List_Tot.krml extracted/FStar_Seq_Base.krml extracted/FStar_Seq_Properties.krml extracted/FStar_Seq.krml extracted/FStar_Math_Lib.krml extracted/FStar_Math_Lemmas.krml extracted/FStar_BitVector.krml extracted/FStar_UInt.krml extracted/FStar_UInt32.krml extracted/FStar_Int.krml extracted/FStar_Int16.krml extracted/FStar_Preorder.krml extracted/FStar_Ghost.krml extracted/FStar_ErasedLogic.krml extracted/FStar_UInt64.krml extracted/FStar_Set.krml extracted/FStar_PropositionalExtensionality.krml extracted/FStar_PredicateExtensionality.krml extracted/FStar_TSet.krml extracted/FStar_Monotonic_Heap.krml extracted/FStar_Heap.krml extracted/FStar_Map.krml extracted/FStar_Monotonic_HyperHeap.krml extracted/FStar_Monotonic_HyperStack.krml extracted/FStar_HyperStack.krml extracted/FStar_Monotonic_Witnessed.krml extracted/FStar_HyperStack_ST.krml extracted/FStar_HyperStack_All.krml extracted/FStar_Date.krml extracted/FStar_Universe.krml extracted/FStar_GSet.krml extracted/FStar_ModifiesGen.krml extracted/LowStar_Monotonic_Buffer.krml extracted/LowStar_Buffer.krml extracted/Spec_Loops.krml extracted/LowStar_BufferOps.krml extracted/C_Loops.krml extracted/FStar_UInt8.krml extracted/FStar_Kremlin_Endianness.krml extracted/FStar_UInt63.krml extracted/FStar_Exn.krml extracted/FStar_ST.krml 
extracted/FStar_All.krml extracted/FStar_Dyn.krml extracted/FStar_Int63.krml extracted/FStar_Int64.krml extracted/FStar_Int32.krml extracted/FStar_Int8.krml extracted/FStar_UInt16.krml extracted/FStar_Int_Cast.krml extracted/FStar_UInt128.krml extracted/C_Endianness.krml extracted/FStar_List.krml extracted/FStar_Float.krml extracted/FStar_IO.krml extracted/C.krml extracted/FStar_Char.krml extracted/FStar_String.krml extracted/LowStar_Modifies.krml extracted/C_String.krml extracted/FStar_Bytes.krml extracted/FStar_HyperStack_IO.krml extracted/C_Failure.krml extracted/TestLib.krml extracted/FStar_Int_Cast_Full.krml
|
|
||||||
* F* version: 059db0c8
|
|
||||||
* KreMLin version: 916c37ac
|
|
||||||
*/
|
|
||||||
|
|
||||||
|
|
||||||
#include "FStar_UInt128.h"
|
|
||||||
#include "kremlin/c_endianness.h"
|
|
||||||
#include "FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h"
|
|
||||||
|
|
||||||
uint64_t FStar_UInt128___proj__Mkuint128__item__low(FStar_UInt128_uint128 projectee)
|
|
||||||
{
|
|
||||||
return projectee.low;
|
|
||||||
}
|
|
||||||
|
|
||||||
uint64_t FStar_UInt128___proj__Mkuint128__item__high(FStar_UInt128_uint128 projectee)
|
|
||||||
{
|
|
||||||
return projectee.high;
|
|
||||||
}
|
|
||||||
|
|
||||||
static uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b)
|
|
||||||
{
|
|
||||||
return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U;
|
|
||||||
}
|
|
||||||
|
|
||||||
static uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b)
|
|
||||||
{
|
|
||||||
return FStar_UInt128_constant_time_carry(a, b);
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat = { a.low + b.low, a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat = { a.low + b.low, a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat = { a.low + b.low, a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat = { a.low - b.low, a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat = { a.low - b.low, a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
static FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat = { a.low - b.low, a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
return FStar_UInt128_sub_mod_impl(a, b);
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 flat = { a.low & b.low, a.high & b.high };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 flat = { a.low ^ b.low, a.high ^ b.high };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 flat = { a.low | b.low, a.high | b.high };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 flat = { ~a.low, ~a.high };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U;
|
|
||||||
|
|
||||||
static uint64_t FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s)
|
|
||||||
{
|
|
||||||
return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s));
|
|
||||||
}
|
|
||||||
|
|
||||||
static uint64_t FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s)
|
|
||||||
{
|
|
||||||
return FStar_UInt128_add_u64_shift_left(hi, lo, s);
|
|
||||||
}
|
|
||||||
|
|
||||||
static FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s)
|
|
||||||
{
|
|
||||||
if (s == (uint32_t)0U)
|
|
||||||
{
|
|
||||||
return a;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat = { a.low << s, FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s) };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 flat = { (uint64_t)0U, a.low << (s - FStar_UInt128_u32_64) };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s)
|
|
||||||
{
|
|
||||||
if (s < FStar_UInt128_u32_64)
|
|
||||||
{
|
|
||||||
return FStar_UInt128_shift_left_small(a, s);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
return FStar_UInt128_shift_left_large(a, s);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static uint64_t FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s)
|
|
||||||
{
|
|
||||||
return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s));
|
|
||||||
}
|
|
||||||
|
|
||||||
static uint64_t FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s)
|
|
||||||
{
|
|
||||||
return FStar_UInt128_add_u64_shift_right(hi, lo, s);
|
|
||||||
}
|
|
||||||
|
|
||||||
static FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s)
|
|
||||||
{
|
|
||||||
if (s == (uint32_t)0U)
|
|
||||||
{
|
|
||||||
return a;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat = { FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s), a.high >> s };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 flat = { a.high >> (s - FStar_UInt128_u32_64), (uint64_t)0U };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s)
|
|
||||||
{
|
|
||||||
if (s < FStar_UInt128_u32_64)
|
|
||||||
{
|
|
||||||
return FStar_UInt128_shift_right_small(a, s);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
return FStar_UInt128_shift_right_large(a, s);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
return a.low == b.low && a.high == b.high;
|
|
||||||
}
|
|
||||||
|
|
||||||
bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
return a.high > b.high || (a.high == b.high && a.low > b.low);
|
|
||||||
}
|
|
||||||
|
|
||||||
bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
return a.high < b.high || (a.high == b.high && a.low < b.low);
|
|
||||||
}
|
|
||||||
|
|
||||||
bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
return a.high > b.high || (a.high == b.high && a.low >= b.low);
|
|
||||||
}
|
|
||||||
|
|
||||||
bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
return a.high < b.high || (a.high == b.high && a.low <= b.low);
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat =
|
|
||||||
{
|
|
||||||
FStar_UInt64_eq_mask(a.low,
|
|
||||||
b.low)
|
|
||||||
& FStar_UInt64_eq_mask(a.high, b.high),
|
|
||||||
FStar_UInt64_eq_mask(a.low,
|
|
||||||
b.low)
|
|
||||||
& FStar_UInt64_eq_mask(a.high, b.high)
|
|
||||||
};
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat =
|
|
||||||
{
|
|
||||||
(FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high))
|
|
||||||
| (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)),
|
|
||||||
(FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high))
|
|
||||||
| (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low))
|
|
||||||
};
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 flat = { a, (uint64_t)0U };
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a)
|
|
||||||
{
|
|
||||||
return a.low;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Plus_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_add;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Plus_Question_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_add_underspec;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Plus_Percent_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_add_mod;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Subtraction_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_sub;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Subtraction_Question_Hat)(
|
|
||||||
FStar_UInt128_uint128 x0,
|
|
||||||
FStar_UInt128_uint128 x1
|
|
||||||
) = FStar_UInt128_sub_underspec;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Subtraction_Percent_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_sub_mod;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Amp_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_logand;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Hat_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_logxor;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Bar_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_logor;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Less_Less_Hat)(FStar_UInt128_uint128 x0, uint32_t x1) =
|
|
||||||
FStar_UInt128_shift_left;
|
|
||||||
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
(*FStar_UInt128_op_Greater_Greater_Hat)(FStar_UInt128_uint128 x0, uint32_t x1) =
|
|
||||||
FStar_UInt128_shift_right;
|
|
||||||
|
|
||||||
bool
|
|
||||||
(*FStar_UInt128_op_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_eq;
|
|
||||||
|
|
||||||
bool
|
|
||||||
(*FStar_UInt128_op_Greater_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_gt;
|
|
||||||
|
|
||||||
bool
|
|
||||||
(*FStar_UInt128_op_Less_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_lt;
|
|
||||||
|
|
||||||
bool
|
|
||||||
(*FStar_UInt128_op_Greater_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_gte;
|
|
||||||
|
|
||||||
bool
|
|
||||||
(*FStar_UInt128_op_Less_Equals_Hat)(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1) =
|
|
||||||
FStar_UInt128_lte;
|
|
||||||
|
|
||||||
static uint64_t FStar_UInt128_u64_mod_32(uint64_t a)
|
|
||||||
{
|
|
||||||
return a & (uint64_t)0xffffffffU;
|
|
||||||
}
|
|
||||||
|
|
||||||
static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U;
|
|
||||||
|
|
||||||
static uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo)
|
|
||||||
{
|
|
||||||
return lo + (hi << FStar_UInt128_u32_32);
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat =
|
|
||||||
{
|
|
||||||
FStar_UInt128_u32_combine((x >> FStar_UInt128_u32_32)
|
|
||||||
* (uint64_t)y
|
|
||||||
+ (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32),
|
|
||||||
FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)),
|
|
||||||
((x >> FStar_UInt128_u32_32)
|
|
||||||
* (uint64_t)y
|
|
||||||
+ (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32))
|
|
||||||
>> FStar_UInt128_u32_32
|
|
||||||
};
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
typedef struct K___uint64_t_uint64_t_uint64_t_uint64_t_s
|
|
||||||
{
|
|
||||||
uint64_t fst;
|
|
||||||
uint64_t snd;
|
|
||||||
uint64_t thd;
|
|
||||||
uint64_t f3;
|
|
||||||
}
|
|
||||||
K___uint64_t_uint64_t_uint64_t_uint64_t;
|
|
||||||
|
|
||||||
static K___uint64_t_uint64_t_uint64_t_uint64_t
|
|
||||||
FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y)
|
|
||||||
{
|
|
||||||
K___uint64_t_uint64_t_uint64_t_uint64_t
|
|
||||||
flat =
|
|
||||||
{
|
|
||||||
FStar_UInt128_u64_mod_32(x),
|
|
||||||
FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)),
|
|
||||||
x
|
|
||||||
>> FStar_UInt128_u32_32,
|
|
||||||
(x >> FStar_UInt128_u32_32)
|
|
||||||
* FStar_UInt128_u64_mod_32(y)
|
|
||||||
+ (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)
|
|
||||||
};
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
static uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo)
|
|
||||||
{
|
|
||||||
return lo + (hi << FStar_UInt128_u32_32);
|
|
||||||
}
|
|
||||||
|
|
||||||
static FStar_UInt128_uint128 FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y)
|
|
||||||
{
|
|
||||||
K___uint64_t_uint64_t_uint64_t_uint64_t scrut = FStar_UInt128_mul_wide_impl_t_(x, y);
|
|
||||||
uint64_t u1 = scrut.fst;
|
|
||||||
uint64_t w3 = scrut.snd;
|
|
||||||
uint64_t x_ = scrut.thd;
|
|
||||||
uint64_t t_ = scrut.f3;
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
flat =
|
|
||||||
{
|
|
||||||
FStar_UInt128_u32_combine_(u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_),
|
|
||||||
w3),
|
|
||||||
x_
|
|
||||||
* (y >> FStar_UInt128_u32_32)
|
|
||||||
+ (t_ >> FStar_UInt128_u32_32)
|
|
||||||
+ ((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >> FStar_UInt128_u32_32)
|
|
||||||
};
|
|
||||||
return flat;
|
|
||||||
}
|
|
||||||
|
|
||||||
FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y)
|
|
||||||
{
|
|
||||||
return FStar_UInt128_mul_wide_impl(x, y);
|
|
||||||
}
|
|
||||||
|
|
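Review bot: this file is the 128-bit arithmetic that backs the HACL* Curve25519 code (`FStar_UInt128_add`, `FStar_UInt128_mul_wide`, `FStar_UInt128_shift_right` and the rest), and it includes `FStar_UInt128.h` and `kremlin/c_endianness.h`, neither of which appears in this hunk. Please remove the matching headers in the same commit, or confirm they are deleted elsewhere in the diff, so the tree does not keep orphaned `kremlin/` headers after the only sources that use them are gone. A line in the commit message noting that these are generated KreMLin outputs being dropped wholesale, not hand-edited code, would also help the next person reading the history.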
@ -1,100 +0,0 @@
|
|||||||
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
|
|
||||||
Licensed under the Apache 2.0 License. */
|
|
||||||
|
|
||||||
/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
|
|
||||||
* KreMLin invocation: ../krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrB9w -minimal -fparentheses -fcurly-braces -fno-shadow -header copyright-header.txt -minimal -tmpdir dist/minimal -skip-compilation -extract-uints -add-include <inttypes.h> -add-include <stdbool.h> -add-include "kremlin/internal/compat.h" -add-include "kremlin/internal/types.h" -bundle FStar.UInt64+FStar.UInt32+FStar.UInt16+FStar.UInt8=* extracted/prims.krml extracted/FStar_Pervasives_Native.krml extracted/FStar_Pervasives.krml extracted/FStar_Mul.krml extracted/FStar_Squash.krml extracted/FStar_Classical.krml extracted/FStar_StrongExcludedMiddle.krml extracted/FStar_FunctionalExtensionality.krml extracted/FStar_List_Tot_Base.krml extracted/FStar_List_Tot_Properties.krml extracted/FStar_List_Tot.krml extracted/FStar_Seq_Base.krml extracted/FStar_Seq_Properties.krml extracted/FStar_Seq.krml extracted/FStar_Math_Lib.krml extracted/FStar_Math_Lemmas.krml extracted/FStar_BitVector.krml extracted/FStar_UInt.krml extracted/FStar_UInt32.krml extracted/FStar_Int.krml extracted/FStar_Int16.krml extracted/FStar_Preorder.krml extracted/FStar_Ghost.krml extracted/FStar_ErasedLogic.krml extracted/FStar_UInt64.krml extracted/FStar_Set.krml extracted/FStar_PropositionalExtensionality.krml extracted/FStar_PredicateExtensionality.krml extracted/FStar_TSet.krml extracted/FStar_Monotonic_Heap.krml extracted/FStar_Heap.krml extracted/FStar_Map.krml extracted/FStar_Monotonic_HyperHeap.krml extracted/FStar_Monotonic_HyperStack.krml extracted/FStar_HyperStack.krml extracted/FStar_Monotonic_Witnessed.krml extracted/FStar_HyperStack_ST.krml extracted/FStar_HyperStack_All.krml extracted/FStar_Date.krml extracted/FStar_Universe.krml extracted/FStar_GSet.krml extracted/FStar_ModifiesGen.krml extracted/LowStar_Monotonic_Buffer.krml extracted/LowStar_Buffer.krml extracted/Spec_Loops.krml extracted/LowStar_BufferOps.krml extracted/C_Loops.krml extracted/FStar_UInt8.krml 
extracted/FStar_Kremlin_Endianness.krml extracted/FStar_UInt63.krml extracted/FStar_Exn.krml extracted/FStar_ST.krml extracted/FStar_All.krml extracted/FStar_Dyn.krml extracted/FStar_Int63.krml extracted/FStar_Int64.krml extracted/FStar_Int32.krml extracted/FStar_Int8.krml extracted/FStar_UInt16.krml extracted/FStar_Int_Cast.krml extracted/FStar_UInt128.krml extracted/C_Endianness.krml extracted/FStar_List.krml extracted/FStar_Float.krml extracted/FStar_IO.krml extracted/C.krml extracted/FStar_Char.krml extracted/FStar_String.krml extracted/LowStar_Modifies.krml extracted/C_String.krml extracted/FStar_Bytes.krml extracted/FStar_HyperStack_IO.krml extracted/C_Failure.krml extracted/TestLib.krml extracted/FStar_Int_Cast_Full.krml
|
|
||||||
* F* version: 059db0c8
|
|
||||||
* KreMLin version: 916c37ac
|
|
||||||
*/
|
|
||||||
|
|
||||||
|
|
||||||
#include "FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h"
|
|
||||||
|
|
||||||
uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b)
|
|
||||||
{
|
|
||||||
uint64_t x = a ^ b;
|
|
||||||
uint64_t minus_x = ~x + (uint64_t)1U;
|
|
||||||
uint64_t x_or_minus_x = x | minus_x;
|
|
||||||
uint64_t xnx = x_or_minus_x >> (uint32_t)63U;
|
|
||||||
return xnx - (uint64_t)1U;
|
|
||||||
}
|
|
||||||
|
|
||||||
uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b)
|
|
||||||
{
|
|
||||||
uint64_t x = a;
|
|
||||||
uint64_t y = b;
|
|
||||||
uint64_t x_xor_y = x ^ y;
|
|
||||||
uint64_t x_sub_y = x - y;
|
|
||||||
uint64_t x_sub_y_xor_y = x_sub_y ^ y;
|
|
||||||
uint64_t q = x_xor_y | x_sub_y_xor_y;
|
|
||||||
uint64_t x_xor_q = x ^ q;
|
|
||||||
uint64_t x_xor_q_ = x_xor_q >> (uint32_t)63U;
|
|
||||||
return x_xor_q_ - (uint64_t)1U;
|
|
||||||
}
|
|
||||||
|
|
||||||
uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b)
|
|
||||||
{
|
|
||||||
uint32_t x = a ^ b;
|
|
||||||
uint32_t minus_x = ~x + (uint32_t)1U;
|
|
||||||
uint32_t x_or_minus_x = x | minus_x;
|
|
||||||
uint32_t xnx = x_or_minus_x >> (uint32_t)31U;
|
|
||||||
return xnx - (uint32_t)1U;
|
|
||||||
}
|
|
||||||
|
|
||||||
uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b)
|
|
||||||
{
|
|
||||||
uint32_t x = a;
|
|
||||||
uint32_t y = b;
|
|
||||||
uint32_t x_xor_y = x ^ y;
|
|
||||||
uint32_t x_sub_y = x - y;
|
|
||||||
uint32_t x_sub_y_xor_y = x_sub_y ^ y;
|
|
||||||
uint32_t q = x_xor_y | x_sub_y_xor_y;
|
|
||||||
uint32_t x_xor_q = x ^ q;
|
|
||||||
uint32_t x_xor_q_ = x_xor_q >> (uint32_t)31U;
|
|
||||||
return x_xor_q_ - (uint32_t)1U;
|
|
||||||
}
|
|
||||||
|
|
||||||
uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b)
|
|
||||||
{
|
|
||||||
uint16_t x = a ^ b;
|
|
||||||
uint16_t minus_x = ~x + (uint16_t)1U;
|
|
||||||
uint16_t x_or_minus_x = x | minus_x;
|
|
||||||
uint16_t xnx = x_or_minus_x >> (uint32_t)15U;
|
|
||||||
return xnx - (uint16_t)1U;
|
|
||||||
}
|
|
||||||
|
|
||||||
uint16_t FStar_UInt16_gte_mask(uint16_t a, uint16_t b)
|
|
||||||
{
|
|
||||||
uint16_t x = a;
|
|
||||||
uint16_t y = b;
|
|
||||||
uint16_t x_xor_y = x ^ y;
|
|
||||||
uint16_t x_sub_y = x - y;
|
|
||||||
uint16_t x_sub_y_xor_y = x_sub_y ^ y;
|
|
||||||
uint16_t q = x_xor_y | x_sub_y_xor_y;
|
|
||||||
uint16_t x_xor_q = x ^ q;
|
|
||||||
uint16_t x_xor_q_ = x_xor_q >> (uint32_t)15U;
|
|
||||||
return x_xor_q_ - (uint16_t)1U;
|
|
||||||
}
|
|
||||||
|
|
||||||
uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b)
|
|
||||||
{
|
|
||||||
uint8_t x = a ^ b;
|
|
||||||
uint8_t minus_x = ~x + (uint8_t)1U;
|
|
||||||
uint8_t x_or_minus_x = x | minus_x;
|
|
||||||
uint8_t xnx = x_or_minus_x >> (uint32_t)7U;
|
|
||||||
return xnx - (uint8_t)1U;
|
|
||||||
}
|
|
||||||
|
|
||||||
uint8_t FStar_UInt8_gte_mask(uint8_t a, uint8_t b)
|
|
||||||
{
|
|
||||||
uint8_t x = a;
|
|
||||||
uint8_t y = b;
|
|
||||||
uint8_t x_xor_y = x ^ y;
|
|
||||||
uint8_t x_sub_y = x - y;
|
|
||||||
uint8_t x_sub_y_xor_y = x_sub_y ^ y;
|
|
||||||
uint8_t q = x_xor_y | x_sub_y_xor_y;
|
|
||||||
uint8_t x_xor_q = x ^ q;
|
|
||||||
uint8_t x_xor_q_ = x_xor_q >> (uint32_t)7U;
|
|
||||||
return x_xor_q_ - (uint8_t)1U;
|
|
||||||
}
|
|
||||||
|
|
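Review bot: `FStar_UInt64_eq_mask` and `FStar_UInt64_gte_mask` removed here are still declared `extern` by the Curve25519 source in the next hunk (`extern uint64_t FStar_UInt64_eq_mask(uint64_t x0, uint64_t x1);`), so this deletion is only safe because that file is removed as well; if the removals are ever split into separate commits, this one has to come last. Please do a full link of the mbedtls target after the change to confirm nothing else in the tree consumes these constant-time mask helpers or the `FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h` header this file includes.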
@ -1,805 +0,0 @@
|
|||||||
/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved.
|
|
||||||
Licensed under the Apache 2.0 License. */
|
|
||||||
|
|
||||||
/* This file was generated by KreMLin <https://github.com/FStarLang/kremlin>
|
|
||||||
* KreMLin invocation: /mnt/e/everest/verify/kremlin/krml -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -fc89 -fparentheses -fno-shadow -header /mnt/e/everest/verify/hdrcLh -minimal -I /mnt/e/everest/verify/hacl-star/code/lib/kremlin -I /mnt/e/everest/verify/kremlin/kremlib/compat -I /mnt/e/everest/verify/hacl-star/specs -I /mnt/e/everest/verify/hacl-star/specs/old -I . -ccopt -march=native -verbose -ldopt -flto -tmpdir x25519-c -I ../bignum -bundle Hacl.Curve25519=* -minimal -add-include "kremlib.h" -skip-compilation x25519-c/out.krml -o x25519-c/Hacl_Curve25519.c
|
|
||||||
* F* version: 059db0c8
|
|
||||||
* KreMLin version: 916c37ac
|
|
||||||
*/
|
|
||||||
|
|
||||||
|
|
||||||
#include "Hacl_Curve25519.h"
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_eq_mask(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt64_gte_mask(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_add(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_add_mod(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128
|
|
||||||
FStar_UInt128_logand(FStar_UInt128_uint128 x0, FStar_UInt128_uint128 x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 x0, uint32_t x1);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t x0);
|
|
||||||
|
|
||||||
extern uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 x0);
|
|
||||||
|
|
||||||
extern FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x0, uint64_t x1);
|
|
||||||
|
|
||||||
static void Hacl_Bignum_Modulo_carry_top(uint64_t *b)
|
|
||||||
{
|
|
||||||
uint64_t b4 = b[4U];
|
|
||||||
uint64_t b0 = b[0U];
|
|
||||||
uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U);
|
|
||||||
b[4U] = b4_;
|
|
||||||
b[0U] = b0_;
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void
|
|
||||||
Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_uint128 *input)
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 xi = input[i];
|
|
||||||
output[i] = FStar_UInt128_uint128_to_uint64(xi);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void
|
|
||||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(
|
|
||||||
FStar_UInt128_uint128 *output,
|
|
||||||
uint64_t *input,
|
|
||||||
uint64_t s
|
|
||||||
)
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 xi = output[i];
|
|
||||||
uint64_t yi = input[i];
|
|
||||||
output[i] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_uint128 *tmp)
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
uint32_t ctr = i;
|
|
||||||
FStar_UInt128_uint128 tctr = tmp[ctr];
|
|
||||||
FStar_UInt128_uint128 tctrp1 = tmp[ctr + (uint32_t)1U];
|
|
||||||
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
|
|
||||||
FStar_UInt128_uint128 c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
|
|
||||||
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
|
|
||||||
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
|
|
||||||
{
|
|
||||||
uint64_t tmp = output[4U];
|
|
||||||
uint64_t b0;
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U;
|
|
||||||
uint64_t z = output[ctr - (uint32_t)1U];
|
|
||||||
output[ctr] = z;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
output[0U] = tmp;
|
|
||||||
b0 = output[0U];
|
|
||||||
output[0U] = (uint64_t)19U * b0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_Bignum_Fmul_mul_shift_reduce_(
|
|
||||||
FStar_UInt128_uint128 *output,
|
|
||||||
uint64_t *input,
|
|
||||||
uint64_t *input2
|
|
||||||
)
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
uint64_t input2i;
|
|
||||||
{
|
|
||||||
uint32_t i0;
|
|
||||||
for (i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0 = i0 + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
uint64_t input2i0 = input2[i0];
|
|
||||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i0);
|
|
||||||
Hacl_Bignum_Fmul_shift_reduce(input);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
i = (uint32_t)4U;
|
|
||||||
input2i = input2[i];
|
|
||||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input2)
|
|
||||||
{
|
|
||||||
uint64_t tmp[5U] = { 0U };
|
|
||||||
memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
|
|
||||||
KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U);
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 t[5U];
|
|
||||||
{
|
|
||||||
uint32_t _i;
|
|
||||||
for (_i = 0U; _i < (uint32_t)5U; ++_i)
|
|
||||||
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
|
|
||||||
}
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 b4;
|
|
||||||
FStar_UInt128_uint128 b0;
|
|
||||||
FStar_UInt128_uint128 b4_;
|
|
||||||
FStar_UInt128_uint128 b0_;
|
|
||||||
uint64_t i0;
|
|
||||||
uint64_t i1;
|
|
||||||
uint64_t i0_;
|
|
||||||
uint64_t i1_;
|
|
||||||
Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2);
|
|
||||||
Hacl_Bignum_Fproduct_carry_wide_(t);
|
|
||||||
b4 = t[4U];
|
|
||||||
b0 = t[0U];
|
|
||||||
b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
|
|
||||||
b0_ =
|
|
||||||
FStar_UInt128_add(b0,
|
|
||||||
FStar_UInt128_mul_wide((uint64_t)19U,
|
|
||||||
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
|
|
||||||
t[4U] = b4_;
|
|
||||||
t[0U] = b0_;
|
|
||||||
Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
|
|
||||||
i0 = output[0U];
|
|
||||||
i1 = output[1U];
|
|
||||||
i0_ = i0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
i1_ = i1 + (i0 >> (uint32_t)51U);
|
|
||||||
output[0U] = i0_;
|
|
||||||
output[1U] = i1_;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Fsquare_fsquare__(FStar_UInt128_uint128 *tmp, uint64_t *output)
|
|
||||||
{
|
|
||||||
uint64_t r0 = output[0U];
|
|
||||||
uint64_t r1 = output[1U];
|
|
||||||
uint64_t r2 = output[2U];
|
|
||||||
uint64_t r3 = output[3U];
|
|
||||||
uint64_t r4 = output[4U];
|
|
||||||
uint64_t d0 = r0 * (uint64_t)2U;
|
|
||||||
uint64_t d1 = r1 * (uint64_t)2U;
|
|
||||||
uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U;
|
|
||||||
uint64_t d419 = r4 * (uint64_t)19U;
|
|
||||||
uint64_t d4 = d419 * (uint64_t)2U;
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
s0 =
|
|
||||||
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(r0, r0),
|
|
||||||
FStar_UInt128_mul_wide(d4, r1)),
|
|
||||||
FStar_UInt128_mul_wide(d2, r3));
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
s1 =
|
|
||||||
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r1),
|
|
||||||
FStar_UInt128_mul_wide(d4, r2)),
|
|
||||||
FStar_UInt128_mul_wide(r3 * (uint64_t)19U, r3));
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
s2 =
|
|
||||||
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r2),
|
|
||||||
FStar_UInt128_mul_wide(r1, r1)),
|
|
||||||
FStar_UInt128_mul_wide(d4, r3));
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
s3 =
|
|
||||||
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r3),
|
|
||||||
FStar_UInt128_mul_wide(d1, r2)),
|
|
||||||
FStar_UInt128_mul_wide(r4, d419));
|
|
||||||
FStar_UInt128_uint128
|
|
||||||
s4 =
|
|
||||||
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r4),
|
|
||||||
FStar_UInt128_mul_wide(d1, r3)),
|
|
||||||
FStar_UInt128_mul_wide(r2, r2));
|
|
||||||
tmp[0U] = s0;
|
|
||||||
tmp[1U] = s1;
|
|
||||||
tmp[2U] = s2;
|
|
||||||
tmp[3U] = s3;
|
|
||||||
tmp[4U] = s4;
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_uint128 *tmp, uint64_t *output)
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 b4;
|
|
||||||
FStar_UInt128_uint128 b0;
|
|
||||||
FStar_UInt128_uint128 b4_;
|
|
||||||
FStar_UInt128_uint128 b0_;
|
|
||||||
uint64_t i0;
|
|
||||||
uint64_t i1;
|
|
||||||
uint64_t i0_;
|
|
||||||
uint64_t i1_;
|
|
||||||
Hacl_Bignum_Fsquare_fsquare__(tmp, output);
|
|
||||||
Hacl_Bignum_Fproduct_carry_wide_(tmp);
|
|
||||||
b4 = tmp[4U];
|
|
||||||
b0 = tmp[0U];
|
|
||||||
b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
|
|
||||||
b0_ =
|
|
||||||
FStar_UInt128_add(b0,
|
|
||||||
FStar_UInt128_mul_wide((uint64_t)19U,
|
|
||||||
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
|
|
||||||
tmp[4U] = b4_;
|
|
||||||
tmp[0U] = b0_;
|
|
||||||
Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
|
|
||||||
i0 = output[0U];
|
|
||||||
i1 = output[1U];
|
|
||||||
i0_ = i0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
i1_ = i1 + (i0 >> (uint32_t)51U);
|
|
||||||
output[0U] = i0_;
|
|
||||||
output[1U] = i1_;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_(
|
|
||||||
uint64_t *input,
|
|
||||||
FStar_UInt128_uint128 *tmp,
|
|
||||||
uint32_t count1
|
|
||||||
)
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_(tmp, input);
|
|
||||||
for (i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U)
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_(tmp, input);
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1)
|
|
||||||
{
|
|
||||||
KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U);
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 t[5U];
|
|
||||||
{
|
|
||||||
uint32_t _i;
|
|
||||||
for (_i = 0U; _i < (uint32_t)5U; ++_i)
|
|
||||||
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
|
|
||||||
}
|
|
||||||
memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1)
|
|
||||||
{
|
|
||||||
KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U);
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 t[5U];
|
|
||||||
{
|
|
||||||
uint32_t _i;
|
|
||||||
for (_i = 0U; _i < (uint32_t)5U; ++_i)
|
|
||||||
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
|
|
||||||
}
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z)
|
|
||||||
{
|
|
||||||
uint64_t buf[20U] = { 0U };
|
|
||||||
uint64_t *a0 = buf;
|
|
||||||
uint64_t *t00 = buf + (uint32_t)5U;
|
|
||||||
uint64_t *b0 = buf + (uint32_t)10U;
|
|
||||||
uint64_t *t01;
|
|
||||||
uint64_t *b1;
|
|
||||||
uint64_t *c0;
|
|
||||||
uint64_t *a;
|
|
||||||
uint64_t *t0;
|
|
||||||
uint64_t *b;
|
|
||||||
uint64_t *c;
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(a0, z, (uint32_t)1U);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)2U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(b0, t00, z);
|
|
||||||
Hacl_Bignum_Fmul_fmul(a0, b0, a0);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t00, a0, (uint32_t)1U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(b0, t00, b0);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U);
|
|
||||||
t01 = buf + (uint32_t)5U;
|
|
||||||
b1 = buf + (uint32_t)10U;
|
|
||||||
c0 = buf + (uint32_t)15U;
|
|
||||||
Hacl_Bignum_Fmul_fmul(b1, t01, b1);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(c0, t01, b1);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(t01, t01, c0);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(b1, t01, b1);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U);
|
|
||||||
a = buf;
|
|
||||||
t0 = buf + (uint32_t)5U;
|
|
||||||
b = buf + (uint32_t)10U;
|
|
||||||
c = buf + (uint32_t)15U;
|
|
||||||
Hacl_Bignum_Fmul_fmul(c, t0, b);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(t0, t0, c);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(t0, t0, b);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U);
|
|
||||||
Hacl_Bignum_Fmul_fmul(out, t0, a);
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_fsum(uint64_t *a, uint64_t *b)
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
uint64_t xi = a[i];
|
|
||||||
uint64_t yi = b[i];
|
|
||||||
a[i] = xi + yi;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b)
|
|
||||||
{
|
|
||||||
uint64_t tmp[5U] = { 0U };
|
|
||||||
uint64_t b0;
|
|
||||||
uint64_t b1;
|
|
||||||
uint64_t b2;
|
|
||||||
uint64_t b3;
|
|
||||||
uint64_t b4;
|
|
||||||
memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]);
|
|
||||||
b0 = tmp[0U];
|
|
||||||
b1 = tmp[1U];
|
|
||||||
b2 = tmp[2U];
|
|
||||||
b3 = tmp[3U];
|
|
||||||
b4 = tmp[4U];
|
|
||||||
tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U;
|
|
||||||
tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U;
|
|
||||||
tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U;
|
|
||||||
tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U;
|
|
||||||
tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U;
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
uint64_t xi = a[i];
|
|
||||||
uint64_t yi = tmp[i];
|
|
||||||
a[i] = yi - xi;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s)
|
|
||||||
{
|
|
||||||
KRML_CHECK_SIZE(sizeof (FStar_UInt128_uint128), (uint32_t)5U);
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 tmp[5U];
|
|
||||||
{
|
|
||||||
uint32_t _i;
|
|
||||||
for (_i = 0U; _i < (uint32_t)5U; ++_i)
|
|
||||||
tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
|
|
||||||
}
|
|
||||||
{
|
|
||||||
FStar_UInt128_uint128 b4;
|
|
||||||
FStar_UInt128_uint128 b0;
|
|
||||||
FStar_UInt128_uint128 b4_;
|
|
||||||
FStar_UInt128_uint128 b0_;
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
|
|
||||||
{
|
|
||||||
uint64_t xi = b[i];
|
|
||||||
tmp[i] = FStar_UInt128_mul_wide(xi, s);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Hacl_Bignum_Fproduct_carry_wide_(tmp);
|
|
||||||
b4 = tmp[4U];
|
|
||||||
b0 = tmp[0U];
|
|
||||||
b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
|
|
||||||
b0_ =
|
|
||||||
FStar_UInt128_add(b0,
|
|
||||||
FStar_UInt128_mul_wide((uint64_t)19U,
|
|
||||||
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
|
|
||||||
tmp[4U] = b4_;
|
|
||||||
tmp[0U] = b0_;
|
|
||||||
Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b)
|
|
||||||
{
|
|
||||||
Hacl_Bignum_Fmul_fmul(output, a, b);
|
|
||||||
}
|
|
||||||
|
|
||||||
inline static void Hacl_Bignum_crecip(uint64_t *output, uint64_t *input)
|
|
||||||
{
|
|
||||||
Hacl_Bignum_Crecip_crecip(output, input);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Point_swap_conditional_step(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
|
|
||||||
{
|
|
||||||
uint32_t i = ctr - (uint32_t)1U;
|
|
||||||
uint64_t ai = a[i];
|
|
||||||
uint64_t bi = b[i];
|
|
||||||
uint64_t x = swap1 & (ai ^ bi);
|
|
||||||
uint64_t ai1 = ai ^ x;
|
|
||||||
uint64_t bi1 = bi ^ x;
|
|
||||||
a[i] = ai1;
|
|
||||||
b[i] = bi1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
|
|
||||||
{
|
|
||||||
if (!(ctr == (uint32_t)0U))
|
|
||||||
{
|
|
||||||
uint32_t i;
|
|
||||||
Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr);
|
|
||||||
i = ctr - (uint32_t)1U;
|
|
||||||
Hacl_EC_Point_swap_conditional_(a, b, swap1, i);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Point_swap_conditional(uint64_t *a, uint64_t *b, uint64_t iswap)
|
|
||||||
{
|
|
||||||
uint64_t swap1 = (uint64_t)0U - iswap;
|
|
||||||
Hacl_EC_Point_swap_conditional_(a, b, swap1, (uint32_t)5U);
|
|
||||||
Hacl_EC_Point_swap_conditional_(a + (uint32_t)5U, b + (uint32_t)5U, swap1, (uint32_t)5U);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Point_copy(uint64_t *output, uint64_t *input)
|
|
||||||
{
|
|
||||||
memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
|
|
||||||
memcpy(output + (uint32_t)5U,
|
|
||||||
input + (uint32_t)5U,
|
|
||||||
(uint32_t)5U * sizeof (input + (uint32_t)5U)[0U]);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input)
|
|
||||||
{
|
|
||||||
uint64_t i0 = load64_le(input);
|
|
||||||
uint8_t *x00 = input + (uint32_t)6U;
|
|
||||||
uint64_t i1 = load64_le(x00);
|
|
||||||
uint8_t *x01 = input + (uint32_t)12U;
|
|
||||||
uint64_t i2 = load64_le(x01);
|
|
||||||
uint8_t *x02 = input + (uint32_t)19U;
|
|
||||||
uint64_t i3 = load64_le(x02);
|
|
||||||
uint8_t *x0 = input + (uint32_t)24U;
|
|
||||||
uint64_t i4 = load64_le(x0);
|
|
||||||
uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU;
|
|
||||||
output[0U] = output0;
|
|
||||||
output[1U] = output1;
|
|
||||||
output[2U] = output2;
|
|
||||||
output[3U] = output3;
|
|
||||||
output[4U] = output4;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input)
|
|
||||||
{
|
|
||||||
uint64_t t0 = input[0U];
|
|
||||||
uint64_t t1 = input[1U];
|
|
||||||
uint64_t t2 = input[2U];
|
|
||||||
uint64_t t3 = input[3U];
|
|
||||||
uint64_t t4 = input[4U];
|
|
||||||
uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
|
|
||||||
uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
|
|
||||||
uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
|
|
||||||
uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
|
|
||||||
uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
input[0U] = t0_;
|
|
||||||
input[1U] = t1__;
|
|
||||||
input[2U] = t2__;
|
|
||||||
input[3U] = t3__;
|
|
||||||
input[4U] = t4_;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input)
|
|
||||||
{
|
|
||||||
Hacl_EC_Format_fcontract_first_carry_pass(input);
|
|
||||||
Hacl_Bignum_Modulo_carry_top(input);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input)
|
|
||||||
{
|
|
||||||
uint64_t t0 = input[0U];
|
|
||||||
uint64_t t1 = input[1U];
|
|
||||||
uint64_t t2 = input[2U];
|
|
||||||
uint64_t t3 = input[3U];
|
|
||||||
uint64_t t4 = input[4U];
|
|
||||||
uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
|
|
||||||
uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
|
|
||||||
uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
|
|
||||||
uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
|
|
||||||
uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
|
|
||||||
input[0U] = t0_;
|
|
||||||
input[1U] = t1__;
|
|
||||||
input[2U] = t2__;
|
|
||||||
input[3U] = t3__;
|
|
||||||
input[4U] = t4_;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input)
|
|
||||||
{
|
|
||||||
uint64_t i0;
|
|
||||||
uint64_t i1;
|
|
||||||
uint64_t i0_;
|
|
||||||
uint64_t i1_;
|
|
||||||
Hacl_EC_Format_fcontract_second_carry_pass(input);
|
|
||||||
Hacl_Bignum_Modulo_carry_top(input);
|
|
||||||
i0 = input[0U];
|
|
||||||
i1 = input[1U];
|
|
||||||
i0_ = i0 & (uint64_t)0x7ffffffffffffU;
|
|
||||||
i1_ = i1 + (i0 >> (uint32_t)51U);
|
|
||||||
input[0U] = i0_;
|
|
||||||
input[1U] = i1_;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_trim(uint64_t *input)
|
|
||||||
{
|
|
||||||
uint64_t a0 = input[0U];
|
|
||||||
uint64_t a1 = input[1U];
|
|
||||||
uint64_t a2 = input[2U];
|
|
||||||
uint64_t a3 = input[3U];
|
|
||||||
uint64_t a4 = input[4U];
|
|
||||||
uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU);
|
|
||||||
uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU);
|
|
||||||
uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU);
|
|
||||||
uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU);
|
|
||||||
uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU);
|
|
||||||
uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
|
|
||||||
uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask);
|
|
||||||
uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask);
|
|
||||||
uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask);
|
|
||||||
uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask);
|
|
||||||
uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask);
|
|
||||||
input[0U] = a0_;
|
|
||||||
input[1U] = a1_;
|
|
||||||
input[2U] = a2_;
|
|
||||||
input[3U] = a3_;
|
|
||||||
input[4U] = a4_;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract_store(uint8_t *output, uint64_t *input)
|
|
||||||
{
|
|
||||||
uint64_t t0 = input[0U];
|
|
||||||
uint64_t t1 = input[1U];
|
|
||||||
uint64_t t2 = input[2U];
|
|
||||||
uint64_t t3 = input[3U];
|
|
||||||
uint64_t t4 = input[4U];
|
|
||||||
uint64_t o0 = t1 << (uint32_t)51U | t0;
|
|
||||||
uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U;
|
|
||||||
uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U;
|
|
||||||
uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U;
|
|
||||||
uint8_t *b0 = output;
|
|
||||||
uint8_t *b1 = output + (uint32_t)8U;
|
|
||||||
uint8_t *b2 = output + (uint32_t)16U;
|
|
||||||
uint8_t *b3 = output + (uint32_t)24U;
|
|
||||||
store64_le(b0, o0);
|
|
||||||
store64_le(b1, o1);
|
|
||||||
store64_le(b2, o2);
|
|
||||||
store64_le(b3, o3);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_fcontract(uint8_t *output, uint64_t *input)
|
|
||||||
{
|
|
||||||
Hacl_EC_Format_fcontract_first_carry_full(input);
|
|
||||||
Hacl_EC_Format_fcontract_second_carry_full(input);
|
|
||||||
Hacl_EC_Format_fcontract_trim(input);
|
|
||||||
Hacl_EC_Format_fcontract_store(output, input);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Format_scalar_of_point(uint8_t *scalar, uint64_t *point)
|
|
||||||
{
|
|
||||||
uint64_t *x = point;
|
|
||||||
uint64_t *z = point + (uint32_t)5U;
|
|
||||||
uint64_t buf[10U] = { 0U };
|
|
||||||
uint64_t *zmone = buf;
|
|
||||||
uint64_t *sc = buf + (uint32_t)5U;
|
|
||||||
Hacl_Bignum_crecip(zmone, z);
|
|
||||||
Hacl_Bignum_fmul(sc, x, zmone);
|
|
||||||
Hacl_EC_Format_fcontract(scalar, sc);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_AddAndDouble_fmonty(
|
|
||||||
uint64_t *pp,
|
|
||||||
uint64_t *ppq,
|
|
||||||
uint64_t *p,
|
|
||||||
uint64_t *pq,
|
|
||||||
uint64_t *qmqp
|
|
||||||
)
|
|
||||||
{
|
|
||||||
uint64_t *qx = qmqp;
|
|
||||||
uint64_t *x2 = pp;
|
|
||||||
uint64_t *z2 = pp + (uint32_t)5U;
|
|
||||||
uint64_t *x3 = ppq;
|
|
||||||
uint64_t *z3 = ppq + (uint32_t)5U;
|
|
||||||
uint64_t *x = p;
|
|
||||||
uint64_t *z = p + (uint32_t)5U;
|
|
||||||
uint64_t *xprime = pq;
|
|
||||||
uint64_t *zprime = pq + (uint32_t)5U;
|
|
||||||
uint64_t buf[40U] = { 0U };
|
|
||||||
uint64_t *origx = buf;
|
|
||||||
uint64_t *origxprime0 = buf + (uint32_t)5U;
|
|
||||||
uint64_t *xxprime0 = buf + (uint32_t)25U;
|
|
||||||
uint64_t *zzprime0 = buf + (uint32_t)30U;
|
|
||||||
uint64_t *origxprime;
|
|
||||||
uint64_t *xx0;
|
|
||||||
uint64_t *zz0;
|
|
||||||
uint64_t *xxprime;
|
|
||||||
uint64_t *zzprime;
|
|
||||||
uint64_t *zzzprime;
|
|
||||||
uint64_t *zzz;
|
|
||||||
uint64_t *xx;
|
|
||||||
uint64_t *zz;
|
|
||||||
uint64_t scalar;
|
|
||||||
memcpy(origx, x, (uint32_t)5U * sizeof x[0U]);
|
|
||||||
Hacl_Bignum_fsum(x, z);
|
|
||||||
Hacl_Bignum_fdifference(z, origx);
|
|
||||||
memcpy(origxprime0, xprime, (uint32_t)5U * sizeof xprime[0U]);
|
|
||||||
Hacl_Bignum_fsum(xprime, zprime);
|
|
||||||
Hacl_Bignum_fdifference(zprime, origxprime0);
|
|
||||||
Hacl_Bignum_fmul(xxprime0, xprime, z);
|
|
||||||
Hacl_Bignum_fmul(zzprime0, x, zprime);
|
|
||||||
origxprime = buf + (uint32_t)5U;
|
|
||||||
xx0 = buf + (uint32_t)15U;
|
|
||||||
zz0 = buf + (uint32_t)20U;
|
|
||||||
xxprime = buf + (uint32_t)25U;
|
|
||||||
zzprime = buf + (uint32_t)30U;
|
|
||||||
zzzprime = buf + (uint32_t)35U;
|
|
||||||
memcpy(origxprime, xxprime, (uint32_t)5U * sizeof xxprime[0U]);
|
|
||||||
Hacl_Bignum_fsum(xxprime, zzprime);
|
|
||||||
Hacl_Bignum_fdifference(zzprime, origxprime);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(x3, xxprime, (uint32_t)1U);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(zzzprime, zzprime, (uint32_t)1U);
|
|
||||||
Hacl_Bignum_fmul(z3, zzzprime, qx);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U);
|
|
||||||
Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U);
|
|
||||||
zzz = buf + (uint32_t)10U;
|
|
||||||
xx = buf + (uint32_t)15U;
|
|
||||||
zz = buf + (uint32_t)20U;
|
|
||||||
Hacl_Bignum_fmul(x2, xx, zz);
|
|
||||||
Hacl_Bignum_fdifference(zz, xx);
|
|
||||||
scalar = (uint64_t)121665U;
|
|
||||||
Hacl_Bignum_fscalar(zzz, zz, scalar);
|
|
||||||
Hacl_Bignum_fsum(zzz, xx);
|
|
||||||
Hacl_Bignum_fmul(z2, zzz, zz);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(
|
|
||||||
uint64_t *nq,
|
|
||||||
uint64_t *nqpq,
|
|
||||||
uint64_t *nq2,
|
|
||||||
uint64_t *nqpq2,
|
|
||||||
uint64_t *q,
|
|
||||||
uint8_t byt
|
|
||||||
)
|
|
||||||
{
|
|
||||||
uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U);
|
|
||||||
uint64_t bit;
|
|
||||||
Hacl_EC_Point_swap_conditional(nq, nqpq, bit0);
|
|
||||||
Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q);
|
|
||||||
bit = (uint64_t)(byt >> (uint32_t)7U);
|
|
||||||
Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(
|
|
||||||
uint64_t *nq,
|
|
||||||
uint64_t *nqpq,
|
|
||||||
uint64_t *nq2,
|
|
||||||
uint64_t *nqpq2,
|
|
||||||
uint64_t *q,
|
|
||||||
uint8_t byt
|
|
||||||
)
|
|
||||||
{
|
|
||||||
uint8_t byt1;
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt);
|
|
||||||
byt1 = byt << (uint32_t)1U;
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(
|
|
||||||
uint64_t *nq,
|
|
||||||
uint64_t *nqpq,
|
|
||||||
uint64_t *nq2,
|
|
||||||
uint64_t *nqpq2,
|
|
||||||
uint64_t *q,
|
|
||||||
uint8_t byt,
|
|
||||||
uint32_t i
|
|
||||||
)
|
|
||||||
{
|
|
||||||
if (!(i == (uint32_t)0U))
|
|
||||||
{
|
|
||||||
uint32_t i_ = i - (uint32_t)1U;
|
|
||||||
uint8_t byt_;
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt);
|
|
||||||
byt_ = byt << (uint32_t)2U;
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
Hacl_EC_Ladder_BigLoop_cmult_big_loop(
|
|
||||||
uint8_t *n1,
|
|
||||||
uint64_t *nq,
|
|
||||||
uint64_t *nqpq,
|
|
||||||
uint64_t *nq2,
|
|
||||||
uint64_t *nqpq2,
|
|
||||||
uint64_t *q,
|
|
||||||
uint32_t i
|
|
||||||
)
|
|
||||||
{
|
|
||||||
if (!(i == (uint32_t)0U))
|
|
||||||
{
|
|
||||||
uint32_t i1 = i - (uint32_t)1U;
|
|
||||||
uint8_t byte = n1[i1];
|
|
||||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byte, (uint32_t)4U);
|
|
||||||
Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, i1);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static void Hacl_EC_Ladder_cmult(uint64_t *result, uint8_t *n1, uint64_t *q)
|
|
||||||
{
|
|
||||||
uint64_t point_buf[40U] = { 0U };
|
|
||||||
uint64_t *nq = point_buf;
|
|
||||||
uint64_t *nqpq = point_buf + (uint32_t)10U;
|
|
||||||
uint64_t *nq2 = point_buf + (uint32_t)20U;
|
|
||||||
uint64_t *nqpq2 = point_buf + (uint32_t)30U;
|
|
||||||
Hacl_EC_Point_copy(nqpq, q);
|
|
||||||
nq[0U] = (uint64_t)1U;
|
|
||||||
Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, (uint32_t)32U);
|
|
||||||
Hacl_EC_Point_copy(result, nq);
|
|
||||||
}
|
|
||||||
|
|
||||||
void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint)
|
|
||||||
{
|
|
||||||
uint64_t buf0[10U] = { 0U };
|
|
||||||
uint64_t *x0 = buf0;
|
|
||||||
uint64_t *z = buf0 + (uint32_t)5U;
|
|
||||||
uint64_t *q;
|
|
||||||
Hacl_EC_Format_fexpand(x0, basepoint);
|
|
||||||
z[0U] = (uint64_t)1U;
|
|
||||||
q = buf0;
|
|
||||||
{
|
|
||||||
uint8_t e[32U] = { 0U };
|
|
||||||
uint8_t e0;
|
|
||||||
uint8_t e31;
|
|
||||||
uint8_t e01;
|
|
||||||
uint8_t e311;
|
|
||||||
uint8_t e312;
|
|
||||||
uint8_t *scalar;
|
|
||||||
memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]);
|
|
||||||
e0 = e[0U];
|
|
||||||
e31 = e[31U];
|
|
||||||
e01 = e0 & (uint8_t)248U;
|
|
||||||
e311 = e31 & (uint8_t)127U;
|
|
||||||
e312 = e311 | (uint8_t)64U;
|
|
||||||
e[0U] = e01;
|
|
||||||
e[31U] = e312;
|
|
||||||
scalar = e;
|
|
||||||
{
|
|
||||||
uint64_t buf[15U] = { 0U };
|
|
||||||
uint64_t *nq = buf;
|
|
||||||
uint64_t *x = nq;
|
|
||||||
x[0U] = (uint64_t)1U;
|
|
||||||
Hacl_EC_Ladder_cmult(nq, scalar, q);
|
|
||||||
Hacl_EC_Format_scalar_of_point(mypublic, nq);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
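Review bot: deleting the whole Everest `Hacl_Curve25519.c` removes the formally verified constant-time X25519 path, and nothing in the hunk records what replaces it. The ladder here avoids secret-dependent branches by selecting with masks (`uint64_t swap1 = (uint64_t)0U - iswap;` feeding `uint64_t x = swap1 & (ai ^ bi);`), and `Hacl_Curve25519_crypto_scalarmult` clamps the scalar before the ladder (`e0 & (uint8_t)248U`, `e31 & (uint8_t)127U`, then `| (uint8_t)64U`). The change should name the mbedtls version being vendored and confirm that its own ECDH code is the intended Curve25519 implementation, so the downgrade is reviewed as a cryptography change and not only as a build fix.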
186
externals/mbedtls/3rdparty/everest/library/x25519.c
vendored
@ -1,186 +0,0 @@
/*
* ECDH with curve-optimized implementation multiplexing
*
* Copyright 2016-2018 INRIA and Microsoft Corporation
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of Mbed TLS (https://tls.mbed.org)
*/
#include "common.h"
#if defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
#include <mbedtls/ecdh.h>
#if !(defined(__SIZEOF_INT128__) && (__SIZEOF_INT128__ == 16))
#define KRML_VERIFIED_UINT128
#endif
#include <Hacl_Curve25519.h>
#include <mbedtls/platform_util.h>
#include "x25519.h"
#include <string.h>
/*
* Initialize context
*/
void mbedtls_x25519_init( mbedtls_x25519_context *ctx )
{
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x25519_context ) );
}
/*
* Free context
*/
void mbedtls_x25519_free( mbedtls_x25519_context *ctx )
{
if( ctx == NULL )
return;
mbedtls_platform_zeroize( ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES );
mbedtls_platform_zeroize( ctx->peer_point, MBEDTLS_X25519_KEY_SIZE_BYTES );
}
int mbedtls_x25519_make_params( mbedtls_x25519_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
int( *f_rng )(void *, unsigned char *, size_t),
void *p_rng )
{
int ret = 0;
uint8_t base[MBEDTLS_X25519_KEY_SIZE_BYTES] = {0};
if( ( ret = f_rng( p_rng, ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES ) ) != 0 )
return ret;
*olen = MBEDTLS_X25519_KEY_SIZE_BYTES + 4;
if( blen < *olen )
return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
*buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
*buf++ = MBEDTLS_ECP_TLS_CURVE25519 >> 8;
*buf++ = MBEDTLS_ECP_TLS_CURVE25519 & 0xFF;
*buf++ = MBEDTLS_X25519_KEY_SIZE_BYTES;
base[0] = 9;
Hacl_Curve25519_crypto_scalarmult( buf, ctx->our_secret, base );
base[0] = 0;
if( memcmp( buf, base, MBEDTLS_X25519_KEY_SIZE_BYTES) == 0 )
return MBEDTLS_ERR_ECP_RANDOM_FAILED;
return( 0 );
}
int mbedtls_x25519_read_params( mbedtls_x25519_context *ctx,
const unsigned char **buf, const unsigned char *end )
{
if( end - *buf < MBEDTLS_X25519_KEY_SIZE_BYTES + 1 )
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
if( ( *(*buf)++ != MBEDTLS_X25519_KEY_SIZE_BYTES ) )
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
memcpy( ctx->peer_point, *buf, MBEDTLS_X25519_KEY_SIZE_BYTES );
*buf += MBEDTLS_X25519_KEY_SIZE_BYTES;
return( 0 );
}
int mbedtls_x25519_get_params( mbedtls_x25519_context *ctx, const mbedtls_ecp_keypair *key,
mbedtls_x25519_ecdh_side side )
{
size_t olen = 0;
switch( side ) {
case MBEDTLS_X25519_ECDH_THEIRS:
return mbedtls_ecp_point_write_binary( &key->grp, &key->Q, MBEDTLS_ECP_PF_COMPRESSED, &olen, ctx->peer_point, MBEDTLS_X25519_KEY_SIZE_BYTES );
case MBEDTLS_X25519_ECDH_OURS:
return mbedtls_mpi_write_binary_le( &key->d, ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES );
default:
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
}
}
int mbedtls_x25519_calc_secret( mbedtls_x25519_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
int( *f_rng )(void *, unsigned char *, size_t),
void *p_rng )
{
/* f_rng and p_rng are not used here because this implementation does not
need blinding since it has constant trace. */
(( void )f_rng);
(( void )p_rng);
*olen = MBEDTLS_X25519_KEY_SIZE_BYTES;
if( blen < *olen )
return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
Hacl_Curve25519_crypto_scalarmult( buf, ctx->our_secret, ctx->peer_point);
/* Wipe the DH secret and don't let the peer chose a small subgroup point */
mbedtls_platform_zeroize( ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES );
if( memcmp( buf, ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES) == 0 )
return MBEDTLS_ERR_ECP_RANDOM_FAILED;
return( 0 );
}
int mbedtls_x25519_make_public( mbedtls_x25519_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
int( *f_rng )(void *, unsigned char *, size_t),
void *p_rng )
{
int ret = 0;
unsigned char base[MBEDTLS_X25519_KEY_SIZE_BYTES] = { 0 };
if( ctx == NULL )
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
if( ( ret = f_rng( p_rng, ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES ) ) != 0 )
return ret;
*olen = MBEDTLS_X25519_KEY_SIZE_BYTES + 1;
if( blen < *olen )
return(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
*buf++ = MBEDTLS_X25519_KEY_SIZE_BYTES;
base[0] = 9;
Hacl_Curve25519_crypto_scalarmult( buf, ctx->our_secret, base );
base[0] = 0;
if( memcmp( buf, base, MBEDTLS_X25519_KEY_SIZE_BYTES ) == 0 )
return MBEDTLS_ERR_ECP_RANDOM_FAILED;
return( ret );
}
int mbedtls_x25519_read_public( mbedtls_x25519_context *ctx,
const unsigned char *buf, size_t blen )
{
if( blen < MBEDTLS_X25519_KEY_SIZE_BYTES + 1 )
return(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL);
if( (*buf++ != MBEDTLS_X25519_KEY_SIZE_BYTES) )
|
|
||||||
return(MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
|
|
||||||
memcpy( ctx->peer_point, buf, MBEDTLS_X25519_KEY_SIZE_BYTES );
|
|
||||||
return( 0 );
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
#endif /* MBEDTLS_ECDH_C && MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED */
|
|
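Review bot: in `mbedtls_x25519_calc_secret` the low-order-point check `if( memcmp( buf, ctx->our_secret, MBEDTLS_X25519_KEY_SIZE_BYTES) == 0 )` runs `memcmp` over a freshly computed shared secret, which is not constant-time, and it reports a bad peer point as `MBEDTLS_ERR_ECP_RANDOM_FAILED`, which misdescribes the failure; a constant-time compare against a zero buffer and `MBEDTLS_ERR_ECP_INVALID_KEY` would be the usual fix (the comment above it also reads "chose" for "choose"). In `mbedtls_x25519_make_public` the `if( blen < *olen )` check comes after `f_rng` has already overwritten `ctx->our_secret`, so a too-small output buffer leaves a new secret in the context with no public key written; test the buffer size before calling the RNG. `mbedtls_x25519_read_public` also lacks the `ctx == NULL` guard that `mbedtls_x25519_make_public` has. Since this hunk deletes the file outright as part of the downgrade, these points only matter if the older tree being restored carries the same Everest code, which is worth verifying.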
40
externals/mbedtls/3rdparty/p256-m/CMakeLists.txt
vendored
@ -1,40 +0,0 @@
|
|||||||
set(p256m_target ${MBEDTLS_TARGET_PREFIX}p256m)
|
|
||||||
|
|
||||||
add_library(${p256m_target}
|
|
||||||
p256-m_driver_entrypoints.c
|
|
||||||
p256-m/p256-m.c)
|
|
||||||
|
|
||||||
target_include_directories(${p256m_target}
|
|
||||||
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
|
|
||||||
$<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m>
|
|
||||||
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
|
|
||||||
$<INSTALL_INTERFACE:include>
|
|
||||||
PRIVATE ${MBEDTLS_DIR}/library/)
|
|
||||||
|
|
||||||
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
|
|
||||||
# This must be duplicated from library/CMakeLists.txt because
|
|
||||||
# p256m is not directly linked against any mbedtls targets
|
|
||||||
# so does not inherit the compile definitions.
|
|
||||||
if(MBEDTLS_CONFIG_FILE)
|
|
||||||
target_compile_definitions(${p256m_target}
|
|
||||||
PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
|
|
||||||
endif()
|
|
||||||
if(MBEDTLS_USER_CONFIG_FILE)
|
|
||||||
target_compile_definitions(${p256m_target}
|
|
||||||
PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if(INSTALL_MBEDTLS_HEADERS)
|
|
||||||
|
|
||||||
install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}
|
|
||||||
DESTINATION include
|
|
||||||
FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
|
|
||||||
DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
|
|
||||||
FILES_MATCHING PATTERN "*.h")
|
|
||||||
|
|
||||||
endif(INSTALL_MBEDTLS_HEADERS)
|
|
||||||
|
|
||||||
install(TARGETS ${p256m_target}
|
|
||||||
EXPORT MbedTLSTargets
|
|
||||||
DESTINATION ${CMAKE_INSTALL_LIBDIR}
|
|
||||||
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
|
|
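Review bot: this hunk deletes the whole p256-m build target (`@ -1,40 +0,0 @@`), so whatever CMake file adds this directory and anything that links `${MBEDTLS_TARGET_PREFIX}p256m` or depends on the duplicated `MBEDTLS_CONFIG_FILE`/`MBEDTLS_USER_CONFIG_FILE` pass-through must be updated in the same change, otherwise configuration fails on a missing directory. The removed file also carried a defect, `install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}` with a stray colon before the variable, so nothing of value is lost by dropping it.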
@ -1,5 +0,0 @@
|
|||||||
THIRDPARTY_INCLUDES+=-I$(THIRDPARTY_DIR)/p256-m/p256-m/include -I$(THIRDPARTY_DIR)/p256-m/p256-m/include/p256-m -I$(THIRDPARTY_DIR)/p256-m/p256-m_driver_interface
|
|
||||||
|
|
||||||
THIRDPARTY_CRYPTO_OBJECTS+= \
|
|
||||||
$(THIRDPARTY_DIR)/p256-m//p256-m_driver_entrypoints.o \
|
|
||||||
$(THIRDPARTY_DIR)/p256-m//p256-m/p256-m.o
|
|
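Review bot: this hunk has no file header in this view, but the removed `THIRDPARTY_INCLUDES+=` and `THIRDPARTY_CRYPTO_OBJECTS+=` lines are the p256-m entries of the third-party make include; the makefile that pulls this fragment in should lose the matching reference in the same commit, or the build will fail on a missing include. The doubled slash in `$(THIRDPARTY_DIR)/p256-m//p256-m_driver_entrypoints.o` is harmless but would have been worth fixing had the file stayed.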
4
externals/mbedtls/3rdparty/p256-m/README.md
vendored
@ -1,4 +0,0 @@
|
|||||||
The files within the `p256-m/` subdirectory originate from the [p256-m GitHub repository](https://github.com/mpg/p256-m). They are distributed here under a dual Apache-2.0 OR GPL-2.0-or-later license. They are authored by Manuel Pégourié-Gonnard. p256-m is a minimalistic implementation of ECDH and ECDSA on NIST P-256, especially suited to constrained 32-bit environments. Mbed TLS documentation for integrating drivers uses p256-m as an example of a software accelerator, and describes how it can be integrated alongside Mbed TLS. It should be noted that p256-m files in the Mbed TLS repo will not be updated regularly, so they may not have fixes and improvements present in the upstream project.
|
|
||||||
|
|
||||||
The files `p256-m.c`, `p256-m.h` and `README.md` have been taken from the `p256-m` repository.
|
|
||||||
It should be noted that p256-m deliberately does not supply its own cryptographically secure RNG function. As a result, the PSA RNG is used, with `p256_generate_random()` wrapping `psa_generate_random()`.
|
|
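Review bot: this deleted README is the only record in the vendored tree that the p256-m files are Apache-2.0 OR GPL-2.0-or-later, authored by Manuel Pégourié-Gonnard, and that `p256_generate_random()` wraps `psa_generate_random()`; if any p256-m-derived file survives the downgrade elsewhere, this notice has to stay with it, and if none does, any third-party licence listing for the externals should be re-checked so it no longer mentions p256-m.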
544
externals/mbedtls/3rdparty/p256-m/p256-m/README.md
vendored
@ -1,544 +0,0 @@
|
|||||||
*This is the original README for the p256-m repository. Please note that as
|
|
||||||
only a subset of p256-m's files are present in Mbed TLS, this README may refer
|
|
||||||
to files that are not present/relevant here.*
|
|
||||||
|
|
||||||
p256-m is a minimalistic implementation of ECDH and ECDSA on NIST P-256,
|
|
||||||
especially suited to constrained 32-bit environments. It's written in standard
|
|
||||||
C, with optional bits of assembly for Arm Cortex-M and Cortex-A CPUs.
|
|
||||||
|
|
||||||
Its design is guided by the following goals in this order:
|
|
||||||
|
|
||||||
1. correctness & security;
|
|
||||||
2. low code size & RAM usage;
|
|
||||||
3. runtime performance.
|
|
||||||
|
|
||||||
Most cryptographic implementations care more about speed than footprint, and
|
|
||||||
some might even risk weakening security for more speed. p256-m was written
|
|
||||||
because I wanted to see what happened when reversing the usual emphasis.
|
|
||||||
|
|
||||||
The result is a full implementation of ECDH and ECDSA in **less than 3KiB of
|
|
||||||
code**, using **less than 768 bytes of RAM**, with comparable performance
|
|
||||||
to existing implementations (see below) - in less than 700 LOC.
|
|
||||||
|
|
||||||
_Contents of this Readme:_
|
|
||||||
|
|
||||||
- [Correctness](#correctness)
|
|
||||||
- [Security](#security)
|
|
||||||
- [Code size](#code-size)
|
|
||||||
- [RAM usage](#ram-usage)
|
|
||||||
- [Runtime performance](#runtime-performance)
|
|
||||||
- [Comparison with other implementations](#comparison-with-other-implementations)
|
|
||||||
- [Design overview](#design-overview)
|
|
||||||
- [Notes about other curves](#notes-about-other-curves)
|
|
||||||
- [Notes about other platforms](#notes-about-other-platforms)
|
|
||||||
|
|
||||||
## Correctness
|
|
||||||
|
|
||||||
**API design:**
|
|
||||||
|
|
||||||
- The API is minimal: only 4 public functions.
|
|
||||||
- Each public function fully validates its inputs and returns specific errors.
|
|
||||||
- The API uses arrays of octets for all input and output.
|
|
||||||
|
|
||||||
**Testing:**
|
|
||||||
|
|
||||||
- p256-m is validated against multiple test vectors from various RFCs and
|
|
||||||
NIST.
|
|
||||||
- In addition, crafted inputs are used for negative testing and to reach
|
|
||||||
corner cases.
|
|
||||||
- Two test suites are provided: one for closed-box testing (using only the
|
|
||||||
public API), one for open-box testing (for unit-testing internal functions,
|
|
||||||
and reaching more error cases by exploiting knowledge of how the RNG is used).
|
|
||||||
- The resulting branch coverage is maximal: closed-box testing reaches all
|
|
||||||
branches except four; three of them are reached by open-box testing using a
|
|
||||||
rigged RNG; the last branch could only be reached by computing a discrete log
|
|
||||||
on P-256... See `coverage.sh`.
|
|
||||||
- Testing also uses dynamic analysis: valgrind, ASan, MemSan, UBSan.
|
|
||||||
|
|
||||||
**Code quality:**
|
|
||||||
|
|
||||||
- The code is standard C99; it builds without warnings with `clang
|
|
||||||
-Weverything` and `gcc -Wall -Wextra -pedantic`.
|
|
||||||
- The code is small and well documented, including internal APIs: with the
|
|
||||||
header file, it's less than 700 lines of code, and more lines of comments
|
|
||||||
than of code.
|
|
||||||
- However it _has not been reviewed_ independently so far, as this is a
|
|
||||||
personal project.
|
|
||||||
|
|
||||||
**Short Weierstrass pitfalls:**
|
|
||||||
|
|
||||||
Its has been [pointed out](https://safecurves.cr.yp.to/) that the NIST curves,
|
|
||||||
and indeed all Short Weierstrass curves, have a number of pitfalls including
|
|
||||||
risk for the implementation to:
|
|
||||||
|
|
||||||
- "produce incorrect results for some rare curve points" - this is avoided by
|
|
||||||
carefully checking the validity domain of formulas used throughout the code;
|
|
||||||
- "leak secret data when the input isn't a curve point" - this is avoided by
|
|
||||||
validating that points lie on the curve every time a point is deserialized.
|
|
||||||
|
|
||||||
## Security
|
|
||||||
|
|
||||||
In addition to the above correctness claims, p256-m has the following
|
|
||||||
properties:
|
|
||||||
|
|
||||||
- it has no branch depending (even indirectly) on secret data;
|
|
||||||
- it has no memory access depending (even indirectly) on secret data.
|
|
||||||
|
|
||||||
These properties are checked using valgrind and MemSan with the ideas
|
|
||||||
behind [ctgrind](https://github.com/agl/ctgrind), see `consttime.sh`.
|
|
||||||
|
|
||||||
In addition to avoiding branches and memory accesses depending on secret data,
|
|
||||||
p256-m also avoid instructions (or library functions) whose execution time
|
|
||||||
depends on the value of operands on cores of interest. Namely, it never uses
|
|
||||||
integer division, and for multiplication by default it only uses 16x16->32 bit
|
|
||||||
unsigned multiplication. On cores which have a constant-time 32x32->64 bit
|
|
||||||
unsigned multiplication instruction, the symbol `MUL64_IS_CONSTANT_TIME` can
|
|
||||||
be defined by the user at compile-time to take advantage of it in order to
|
|
||||||
improve performance and code size. (On Cortex-M and Cortex-A cores wtih GCC or
|
|
||||||
Clang this is not necessary, since inline assembly is used instead.)
|
|
||||||
|
|
||||||
As a result, p256-m should be secure against the following classes of attackers:
|
|
||||||
|
|
||||||
1. attackers who can only manipulate the input and observe the output;
|
|
||||||
2. attackers who can also measure the total computation time of the operation;
|
|
||||||
3. attackers who can also observe and manipulate micro-architectural features
|
|
||||||
such as the cache or branch predictor with arbitrary precision.
|
|
||||||
|
|
||||||
However, p256-m makes no attempt to protect against:
|
|
||||||
|
|
||||||
4. passive physical attackers who can record traces of physical emissions
|
|
||||||
(power, EM, sound) of the CPU while it manipulates secrets;
|
|
||||||
5. active physical attackers who can also inject faults in the computation.
|
|
||||||
|
|
||||||
(Note: p256-m should actually be secure against SPA, by virtue of being fully
|
|
||||||
constant-flow, but is not expected to resist any other physical attack.)
|
|
||||||
|
|
||||||
**Warning:** p256-m requires an externally-provided RNG function. If that
|
|
||||||
function is not cryptographically secure, then neither is p256-m's key
|
|
||||||
generation or ECDSA signature generation.
|
|
||||||
|
|
||||||
_Note:_ p256-m also follows best practices such as securely erasing secret
|
|
||||||
data on the stack before returning.
|
|
||||||
|
|
||||||
## Code size
|
|
||||||
|
|
||||||
Compiled with
|
|
||||||
[ARM-GCC 9](https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-rm/downloads),
|
|
||||||
with `-mthumb -Os`, here are samples of code sizes reached on selected cores:
|
|
||||||
|
|
||||||
- Cortex-M0: 2988 bytes
|
|
||||||
- Cortex-M4: 2900 bytes
|
|
||||||
- Cortex-A7: 2924 bytes
|
|
||||||
|
|
||||||
Clang was also tried but tends to generate larger code (by about 10%). For
|
|
||||||
details, see `sizes.sh`.
|
|
||||||
|
|
||||||
**What's included:**
|
|
||||||
|
|
||||||
- Full input validation and (de)serialisation of input/outputs to/from bytes.
|
|
||||||
- Cleaning up secret values from the stack before returning from a function.
|
|
||||||
- The code has no dependency on libc functions or the toolchain's runtime
|
|
||||||
library (such as helpers for long multiply); this can be checked for the
|
|
||||||
Arm-GCC toolchain with the `deps.sh` script.
|
|
||||||
|
|
||||||
**What's excluded:**
|
|
||||||
|
|
||||||
- A secure RNG function needs to be provided externally, see
|
|
||||||
`p256_generate_random()` in `p256-m.h`.
|
|
||||||
|
|
||||||
## RAM usage
|
|
||||||
|
|
||||||
p256-m doesn't use any dynamic memory (on the heap), only the stack. Here's
|
|
||||||
how much stack is used by each of its 4 public functions on selected cores:
|
|
||||||
|
|
||||||
| Function | Cortex-M0 | Cortex-M4 | Cortex-A7 |
|
|
||||||
| ------------------------- | --------: | --------: | --------: |
|
|
||||||
| `p256_gen_keypair` | 608 | 564 | 564 |
|
|
||||||
| `p256_ecdh_shared_secret` | 640 | 596 | 596 |
|
|
||||||
| `p256_ecdsa_sign` | 664 | 604 | 604 |
|
|
||||||
| `p256_ecdsa_verify` | 752 | 700 | 700 |
|
|
||||||
|
|
||||||
For details, see `stack.sh`, `wcs.py` and `libc.msu` (the above figures assume
|
|
||||||
that the externally-provided RNG function uses at most 384 bytes of stack).
|
|
||||||
|
|
||||||
## Runtime performance
|
|
||||||
|
|
||||||
Here are the timings of each public function in milliseconds measured on
|
|
||||||
platforms based on a selection of cores:
|
|
||||||
|
|
||||||
- Cortex-M0 at 48 MHz: STM32F091 board running Mbed OS 6
|
|
||||||
- Cortex-M4 at 100 MHz: STM32F411 board running Mbed OS 6
|
|
||||||
- Cortex-A7 at 900 MHz: Raspberry Pi 2B running Raspbian Buster
|
|
||||||
|
|
||||||
| Function | Cortex-M0 | Cortex-M4 | Cortex-A7 |
|
|
||||||
| ------------------------- | --------: | --------: | --------: |
|
|
||||||
| `p256_gen_keypair` | 921 | 145 | 11 |
|
|
||||||
| `p256_ecdh_shared_secret` | 922 | 144 | 11 |
|
|
||||||
| `p256_ecdsa_sign` | 990 | 155 | 12 |
|
|
||||||
| `p256_ecdsa_verify` | 1976 | 309 | 24 |
|
|
||||||
| Sum of the above | 4809 | 753 | 59 |
|
|
||||||
|
|
||||||
The sum of these operations corresponds to a TLS handshake using ECDHE-ECDSA
|
|
||||||
with mutual authentication based on raw public keys or directly-trusted
|
|
||||||
certificates (otherwise, add one 'verify' for each link in the peer's
|
|
||||||
certificate chain).
|
|
||||||
|
|
||||||
_Note_: the above figures where obtained by compiling with GCC, which is able
|
|
||||||
to use inline assembly. Without that inline assembly (22 lines for Cortex-M0,
|
|
||||||
1 line for Cortex-M4), the code would be roughly 2 times slower on those
|
|
||||||
platforms. (The effect is much less important on the Cortex-A7 core.)
|
|
||||||
|
|
||||||
For details, see `bench.sh`, `benchmark.c` and `on-target-benchmark/`.
|
|
||||||
|
|
||||||
## Comparison with other implementations
|
|
||||||
|
|
||||||
The most relevant/convenient implementation for comparisons is
|
|
||||||
[TinyCrypt](https://github.com/intel/tinycrypt), as it's also a standalone
|
|
||||||
implementation of ECDH and ECDSA on P-256 only, that also targets constrained
|
|
||||||
devices. Other implementations tend to implement many curves and build on a
|
|
||||||
shared bignum/MPI module (possibly also supporting RSA), which makes fair
|
|
||||||
comparisons less convenient.
|
|
||||||
|
|
||||||
The scripts used for TinyCrypt measurements are available in [this
|
|
||||||
branch](https://github.com/mpg/tinycrypt/tree/measurements), based on version
|
|
||||||
0.2.8.
|
|
||||||
|
|
||||||
**Code size**
|
|
||||||
|
|
||||||
| Core | p256-m | TinyCrypt |
|
|
||||||
| --------- | -----: | --------: |
|
|
||||||
| Cortex-M0 | 2988 | 6134 |
|
|
||||||
| Cortex-M4 | 2900 | 5934 |
|
|
||||||
| Cortex-A7 | 2924 | 5934 |
|
|
||||||
|
|
||||||
**RAM usage**
|
|
||||||
|
|
||||||
TinyCrypto also uses no heap, only the stack. Here's the RAM used by each
|
|
||||||
operation on a Cortex-M0 core:
|
|
||||||
|
|
||||||
| operation | p256-m | TinyCrypt |
|
|
||||||
| ------------------ | -----: | --------: |
|
|
||||||
| key generation | 608 | 824 |
|
|
||||||
| ECDH shared secret | 640 | 728 |
|
|
||||||
| ECDSA sign | 664 | 880 |
|
|
||||||
| ECDSA verify | 752 | 824 |
|
|
||||||
|
|
||||||
On a Cortex-M4 or Cortex-A7 core (identical numbers):
|
|
||||||
|
|
||||||
| operation | p256-m | TinyCrypt |
|
|
||||||
| ------------------ | -----: | --------: |
|
|
||||||
| key generation | 564 | 796 |
|
|
||||||
| ECDH shared secret | 596 | 700 |
|
|
||||||
| ECDSA sign | 604 | 844 |
|
|
||||||
| ECDSA verify | 700 | 808 |
|
|
||||||
|
|
||||||
**Runtime performance**
|
|
||||||
|
|
||||||
Here are the timings of each operation in milliseconds measured on
|
|
||||||
platforms based on a selection of cores:
|
|
||||||
|
|
||||||
_Cortex-M0_ at 48 MHz: STM32F091 board running Mbed OS 6
|
|
||||||
|
|
||||||
| Operation | p256-m | TinyCrypt |
|
|
||||||
| ------------------ | -----: | --------: |
|
|
||||||
| Key generation | 921 | 979 |
|
|
||||||
| ECDH shared secret | 922 | 975 |
|
|
||||||
| ECDSA sign | 990 | 1009 |
|
|
||||||
| ECDSA verify | 1976 | 1130 |
|
|
||||||
| Sum of those 4 | 4809 | 4093 |
|
|
||||||
|
|
||||||
_Cortex-M4_ at 100 MHz: STM32F411 board running Mbed OS 6
|
|
||||||
|
|
||||||
| Operation | p256-m | TinyCrypt |
|
|
||||||
| ------------------ | -----: | --------: |
|
|
||||||
| Key generation | 145 | 178 |
|
|
||||||
| ECDH shared secret | 144 | 177 |
|
|
||||||
| ECDSA sign | 155 | 188 |
|
|
||||||
| ECDSA verify | 309 | 210 |
|
|
||||||
| Sum of those 4 | 753 | 753 |
|
|
||||||
|
|
||||||
_Cortex-A7_ at 900 MHz: Raspberry Pi 2B running Raspbian Buster
|
|
||||||
|
|
||||||
| Operation | p256-m | TinyCrypt |
|
|
||||||
| ------------------ | -----: | --------: |
|
|
||||||
| Key generation | 11 | 13 |
|
|
||||||
| ECDH shared secret | 11 | 13 |
|
|
||||||
| ECDSA sign | 12 | 14 |
|
|
||||||
| ECDSA verify | 24 | 15 |
|
|
||||||
| Sum of those 4 | 59 | 55 |
|
|
||||||
|
|
||||||
_64-bit Intel_ (i7-6500U at 2.50GHz) laptop running Ubuntu 20.04
|
|
||||||
|
|
||||||
Note: results in microseconds (previous benchmarks in milliseconds)
|
|
||||||
|
|
||||||
| Operation | p256-m | TinyCrypt |
|
|
||||||
| ------------------ | -----: | --------: |
|
|
||||||
| Key generation | 1060 | 1627 |
|
|
||||||
| ECDH shared secret | 1060 | 1611 |
|
|
||||||
| ECDSA sign | 1136 | 1712 |
|
|
||||||
| ECDSA verify | 2279 | 1888 |
|
|
||||||
| Sum of those 4 | 5535 | 6838 |
|
|
||||||
|
|
||||||
**Other differences**
|
|
||||||
|
|
||||||
- While p256-m fully validates all inputs, Tinycrypt's ECDH shared secret
|
|
||||||
function doesn't include validation of the peer's public key, which should be
|
|
||||||
done separately by the user for static ECDH (there are attacks [when users
|
|
||||||
forget](https://link.springer.com/chapter/10.1007/978-3-319-24174-6_21)).
|
|
||||||
- The two implementations have slightly different security characteristics:
|
|
||||||
p256-m is fully constant-time from the ground up so should be more robust
|
|
||||||
than TinyCrypt against powerful local attackers (such as an untrusted OS
|
|
||||||
attacking a secure enclave); on the other hand TinyCrypt includes coordinate
|
|
||||||
randomisation which protects against some passive physical attacks (such as
|
|
||||||
DPA, see Table 3, column C9 of [this
|
|
||||||
paper](https://www.esat.kuleuven.be/cosic/publications/article-2293.pdf#page=12)),
|
|
||||||
which p256-m completely ignores.
|
|
||||||
- TinyCrypt's code looks like it could easily be expanded to support other
|
|
||||||
curves, while p256-m has much more hard-coded to minimize code size (see
|
|
||||||
"Notes about other curves" below).
|
|
||||||
- TinyCrypt uses a specialised routine for reduction modulo the curve prime,
|
|
||||||
exploiting its structure as a Solinas prime, which should be faster than the
|
|
||||||
generic Montgomery reduction used by p256-m, but other factors appear to
|
|
||||||
compensate for that.
|
|
||||||
- TinyCrypt uses Co-Z Jacobian formulas for point operation, which should be
|
|
||||||
faster (though a bit larger) than the mixed affine-Jacobian formulas
|
|
||||||
used by p256-m, but again other factors appear to compensate for that.
|
|
||||||
- p256-m uses bits of inline assembly for 64-bit multiplication on the
|
|
||||||
platforms used for benchmarking, while TinyCrypt uses only C (and the
|
|
||||||
compiler's runtime library).
|
|
||||||
- TinyCrypt uses a specialised routine based on Shamir's trick for
|
|
||||||
ECDSA verification, which gives much better performance than the generic
|
|
||||||
code that p256-m uses in order to minimize code size.
|
|
||||||
|
|
||||||
## Design overview
|
|
||||||
|
|
||||||
The implementation is contained in a single file to keep most functions static
|
|
||||||
and allow for more optimisations. It is organized in multiple layers:
|
|
||||||
|
|
||||||
- Fixed-width multi-precision arithmetic
|
|
||||||
- Fixed-width modular arithmetic
|
|
||||||
- Operations on curve points
|
|
||||||
- Operations with scalars
|
|
||||||
- The public API
|
|
||||||
|
|
||||||
**Multi-precision arithmetic.**
|
|
||||||
|
|
||||||
Large integers are represented as arrays of `uint32_t` limbs. When carries may
|
|
||||||
occur, casts to `uint64_t` are used to nudge the compiler towards using the
|
|
||||||
CPU's carry flag. When overflow may occur, functions return a carry flag.
|
|
||||||
|
|
||||||
This layer contains optional assembly for Cortex-M and Cortex-A cores, for the
|
|
||||||
internal `u32_muladd64()` function, as well as two pure C versions of this
|
|
||||||
function, depending on whether `MUL64_IS_CONSTANT_TIME`.
|
|
||||||
|
|
||||||
This layer's API consists of:
|
|
||||||
|
|
||||||
- addition, subtraction;
|
|
||||||
- multiply-and-add, shift by one limb (for Montgomery multiplication);
|
|
||||||
- conditional assignment, assignment of a small value;
|
|
||||||
- comparison of two values for equality, comparison to 0 for equality;
|
|
||||||
- (de)serialization as big-endian arrays of bytes.
|
|
||||||
|
|
||||||
**Modular arithmetic.**
|
|
||||||
|
|
||||||
All modular operations are done in the Montgomery domain, that is x is
|
|
||||||
represented by `x * 2^256 mod m`; integers need to be converted to that domain
|
|
||||||
before computations, and back from it afterwards. Montgomery constants
|
|
||||||
associated to the curve's p and n are pre-computed and stored in static
|
|
||||||
structures.
|
|
||||||
|
|
||||||
Modular inversion is computed using Fermat's little theorem to get
|
|
||||||
constant-time behaviour with respect to the value being inverted.
|
|
||||||
|
|
||||||
This layer's API consists of:
|
|
||||||
|
|
||||||
- the curve's constants p and n (and associated Montgomery constants);
|
|
||||||
- modular addition, subtraction, multiplication, and inversion;
|
|
||||||
- assignment of a small value;
|
|
||||||
- conversion to/from Montgomery domain;
|
|
||||||
- (de)serialization to/from bytes with integrated range checking and
|
|
||||||
Montgomery domain conversion.
|
|
||||||
|
|
||||||
**Operations on curve points.**
|
|
||||||
|
|
||||||
Curve points are represented using either affine or Jacobian coordinates;
|
|
||||||
affine coordinates are extended to represent 0 as (0,0). Individual
|
|
||||||
coordinates are always in the Montgomery domain.
|
|
||||||
|
|
||||||
Not all formulas associated with affine or Jacobian coordinates are complete;
|
|
||||||
great care is taken to document and satisfy each function's pre-conditions.
|
|
||||||
|
|
||||||
This layer's API consists of:
|
|
||||||
|
|
||||||
- curve constants: b from the equation, the base point's coordinates;
|
|
||||||
- point validity check (on the curve and not 0);
|
|
||||||
- Jacobian to affine coordinate conversion;
|
|
||||||
- point doubling in Jacobian coordinates (complete formulas);
|
|
||||||
- point addition in mixed affine-Jacobian coordinates (P not in {0, Q, -Q});
|
|
||||||
- point addition-or-doubling in affine coordinates (leaky version, only used
|
|
||||||
for ECDSA verify where all data is public);
|
|
||||||
- (de)serialization to/from bytes with integrated validity checking
|
|
||||||
|
|
||||||
**Scalar operations.**
|
|
||||||
|
|
||||||
The crucial function here is scalar multiplication. It uses a signed binary
|
|
||||||
ladder, which is a variant of the good old double-and-add algorithm where an
|
|
||||||
addition/subtraction is performed at each step. Again, care is taken to make
|
|
||||||
sure the pre-conditions for the addition formulas are always satisfied. The
|
|
||||||
signed binary ladder only works if the scalar is odd; this is ensured by
|
|
||||||
negating both the scalar (mod n) and the input point if necessary.
|
|
||||||
|
|
||||||
This layer's API consists of:
|
|
||||||
|
|
||||||
- scalar multiplication
|
|
||||||
- de-serialization from bytes with integrated range checking
|
|
||||||
- generation of a scalar and its associated public key
|
|
||||||
|
|
||||||
**Public API.**
|
|
||||||
|
|
||||||
This layer builds on the others, but unlike them, all inputs and outputs are
|
|
||||||
byte arrays. Key generation and ECDH shared secret computation are thin
|
|
||||||
wrappers around internal functions, just taking care of format conversions and
|
|
||||||
errors. The ECDSA functions have more non-trivial logic.
|
|
||||||
|
|
||||||
This layer's API consists of:
|
|
||||||
|
|
||||||
- key-pair generation
|
|
||||||
- ECDH shared secret computation
|
|
||||||
- ECDSA signature creation
|
|
||||||
- ECDSA signature verification
|
|
||||||
|
|
||||||
**Testing.**
|
|
||||||
|
|
||||||
A self-contained, straightforward, pure-Python implementation was first
|
|
||||||
produced as a warm-up and to help check intermediate values. Test vectors from
|
|
||||||
various sources are embedded and used to validate the implementation.
|
|
||||||
|
|
||||||
This implementation, `p256.py`, is used by a second Python script,
|
|
||||||
`gen-test-data.py`, to generate additional data for both positive and negative
|
|
||||||
testing, available from a C header file, that is then used by the closed-box
|
|
||||||
and open-box test programs.
|
|
||||||
|
|
||||||
p256-m can be compiled with extra instrumentation to mark secret data and
|
|
||||||
allow either valgrind or MemSan to check that no branch or memory access
|
|
||||||
depends on it (even indirectly). Macros are defined for this purpose near the
|
|
||||||
top of the file.
|
|
||||||
|
|
||||||
**Tested platforms.**
|
|
||||||
|
|
||||||
There are 4 versions of the internal function `u32_muladd64`: two assembly
|
|
||||||
versions, for Cortex-M/A cores with or without the DSP extension, and two
|
|
||||||
pure-C versions, depending on whether `MUL64_IS_CONSTANT_TIME`.
|
|
||||||
|
|
||||||
Tests are run on the following platforms:
|
|
||||||
|
|
||||||
- `make` on x64 tests the pure-C version without `MUL64_IS_CONSTANT_TIME`
|
|
||||||
(with Clang).
|
|
||||||
- `./consttime.sh` on x64 tests both pure-C versions (with Clang).
|
|
||||||
- `make` on Arm v7-A (Raspberry Pi 2) tests the Arm-DSP assembly version (with
|
|
||||||
Clang).
|
|
||||||
- `on-target-*box` on boards based on Cortex-M0 and M4 cores test both
|
|
||||||
assembly versions (with GCC).
|
|
||||||
|
|
||||||
In addition:
|
|
||||||
|
|
||||||
- `sizes.sh` builds the code for three Arm cores with GCC and Clang.
|
|
||||||
- `deps.sh` checks for external dependencies with GCC.
|
|
||||||
|
|
||||||
## Notes about other curves
|
|
||||||
|
|
||||||
It should be clear that minimal code size can only be reached by specializing
|
|
||||||
the implementation to the curve at hand. Here's a list of things in the
|
|
||||||
implementation that are specific to the NIST P-256 curve, and how the
|
|
||||||
implementation could be changed to expand to other curves, layer by layer (see
|
|
||||||
"Design Overview" above).
|
|
||||||
|
|
||||||
**Fixed-width multi-precision arithmetic:**
|
|
||||||
|
|
||||||
- The number of limbs is hard-coded to 8. For other 256-bit curves, nothing to
|
|
||||||
change. For a curve of another size, hard-code to another value. For multiple
|
|
||||||
curves of various sizes, add a parameter to each function specifying the
|
|
||||||
number of limbs; when declaring arrays, always use the maximum number of
|
|
||||||
limbs.
|
|
||||||
|
|
||||||
**Fixed-width modular arithmetic:**
|
|
||||||
|
|
||||||
- The values of the curve's constant p and n, and their associated Montgomery
|
|
||||||
constants, are hard-coded. For another curve, just hard-code the new constants.
|
|
||||||
For multiple other curves, define all the constants, and from this layer's API
|
|
||||||
only keep the functions that already accept a `mod` parameter (that is, remove
|
|
||||||
convenience functions `m256_xxx_p()`).
|
|
||||||
- The number of limbs is again hard-coded to 8. See above, but it order to
|
|
||||||
support multiple sizes there is no need to add a new parameter to functions
|
|
||||||
in this layer: the existing `mod` parameter can include the number of limbs as
|
|
||||||
well.
|
|
||||||
|
|
||||||
**Operations on curve points:**
|
|
||||||
|
|
||||||
- The values of the curve's constants b (constant term from the equation) and
|
|
||||||
gx, gy (coordinates of the base point) are hard-coded. For another curve,
|
|
||||||
hard-code the other values. For multiple curves, define each curve's value and
|
|
||||||
add a "curve id" parameter to all functions in this layer.
|
|
||||||
- The value of the curve's constant a is implicitly hard-coded to `-3` by using
|
|
||||||
a standard optimisation to save one multiplication in the first step of
|
|
||||||
`point_double()`. For curves that don't have a == -3, replace that with the
|
|
||||||
normal computation.
|
|
||||||
- The fact that b != 0 in the curve equation is used indirectly, to ensure
|
|
||||||
that (0, 0) is not a point on the curve and re-use that value to represent
|
|
||||||
the point 0. As far as I know, all Short Weierstrass curves standardized so
|
|
||||||
far have b != 0.
|
|
||||||
- The shape of the curve is assumed to be Short Weierstrass. For other curve
|
|
||||||
shapes (Montgomery, (twisted) Edwards), this layer would probably look very
|
|
||||||
different (both implementation and API).
|
|
||||||
|
|
||||||
**Scalar operations:**
|
|
||||||
|
|
||||||
- If multiple curves are to be supported, all function in this layer need to
|
|
||||||
gain a new "curve id" parameter.
|
|
||||||
- This layer assumes that the bit size of the curve's order n is the same as
|
|
||||||
that of the modulus p. This is true of most curves standardized so far, the
|
|
||||||
only exception being secp224k1. If that curve were to be supported, the
|
|
||||||
representation of `n` and scalars would need adapting to allow for an extra
|
|
||||||
limb.
|
|
||||||
- The bit size of the curve's order is hard-coded in `scalar_mult()`. For
|
|
||||||
multiple curves, this should be deduced from the "curve id" parameter.
|
|
||||||
- The `scalar_mult()` function exploits the fact that the second least
|
|
||||||
significant bit of the curve's order n is set in order to avoid a special
|
|
||||||
case. For curve orders that don't meet this criterion, we can just handle that
|
|
||||||
special case (multiplication by +-2) separately (always compute that and
|
|
||||||
conditionally assign it to the result).
|
|
||||||
- The shape of the curve is again assumed to be Short Weierstrass. For other curve
|
|
||||||
shapes (Montgomery, (twisted) Edwards), this layer would probably have a
|
|
||||||
very different implementation.
|
|
||||||
|
|
||||||
**Public API:**
|
|
||||||
|
|
||||||
- For multiple curves, all functions in this layer would need to gain a "curve
|
|
||||||
id" parameter and handle variable-sized input/output.
|
|
||||||
- The shape of the curve is again assumed to be Short Weierstrass. For other curve
|
|
||||||
shapes (Montgomery, (twisted) Edwards), the ECDH API would probably look
|
|
||||||
quite similar (with differences in the size of public keys), but the ECDSA API
|
|
||||||
wouldn't apply and an EdDSA API would look pretty different.
|
|
||||||
|
|
||||||
## Notes about other platforms
|
|
||||||
|
|
||||||
While p256-m is standard C99, it is written with constrained 32-bit platforms
|
|
||||||
in mind and makes a few assumptions about the platform:
|
|
||||||
|
|
||||||
- The types `uint8_t`, `uint16_t`, `uint32_t` and `uint64_t` exist.
|
|
||||||
- 32-bit unsigned addition and subtraction with carry are constant time.
|
|
||||||
- 16x16->32-bit unsigned multiplication is available and constant time.
|
|
||||||
|
|
||||||
Also, on platforms on which 64-bit addition and subtraction with carry, or
|
|
||||||
even 64x64->128-bit multiplication, are available, p256-m makes no use of
|
|
||||||
them, though they could significantly improve performance.
|
|
||||||
|
|
||||||
This could be improved by replacing uses of arrays of `uint32_t` with a
|
|
||||||
defined type throughout the internal APIs, and then on 64-bit platforms define
|
|
||||||
that type to be an array of `uint64_t` instead, and making the obvious
|
|
||||||
adaptations in the multi-precision arithmetic layer.
|
|
||||||
|
|
||||||
Finally, the optional assembly code (which boosts performance by a factor 2 on
|
|
||||||
tested Cortex-M CPUs, while slightly reducing code size and stack usage) is
|
|
||||||
currently only available with compilers that support GCC's extended asm
|
|
||||||
syntax (which includes GCC and Clang).
|
|
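Review bot: the commit message ("Downgraded mbedtls") never states which Mbed TLS version the vendored tree is being reverted to, and this hunk removes the tail of the p256-m README, including the "Notes about other platforms" section that documents the driver's platform assumptions (constant-time 32-bit add/sub with carry, 16x16->32 multiply, GCC extended asm for the optional assembly path); deleting the whole 3rdparty/p256-m documentation is only correct if the target version predates that driver, so please name the target version or tag in the commit message so the reason for these deletions can be audited.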
1514
externals/mbedtls/3rdparty/p256-m/p256-m/p256-m.c
vendored
File diff suppressed because it is too large
135
externals/mbedtls/3rdparty/p256-m/p256-m/p256-m.h
vendored
@ -1,135 +0,0 @@
|
|||||||
/*
|
|
||||||
* Interface of curve P-256 (ECDH and ECDSA)
|
|
||||||
*
|
|
||||||
* Copyright The Mbed TLS Contributors
|
|
||||||
* Author: Manuel Pégourié-Gonnard.
|
|
||||||
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
|
||||||
*/
|
|
||||||
#ifndef P256_M_H
|
|
||||||
#define P256_M_H
|
|
||||||
|
|
||||||
#include <stdint.h>
|
|
||||||
#include <stddef.h>
|
|
||||||
|
|
||||||
/* Status codes */
|
|
||||||
#define P256_SUCCESS 0
|
|
||||||
#define P256_RANDOM_FAILED -1
|
|
||||||
#define P256_INVALID_PUBKEY -2
|
|
||||||
#define P256_INVALID_PRIVKEY -3
|
|
||||||
#define P256_INVALID_SIGNATURE -4
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
extern "C" {
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* RNG function - must be provided externally and be cryptographically secure.
|
|
||||||
*
|
|
||||||
* in: output - must point to a writable buffer of at least output_size bytes.
|
|
||||||
* output_size - the number of random bytes to write to output.
|
|
||||||
* out: output is filled with output_size random bytes.
|
|
||||||
* return 0 on success, non-zero on errors.
|
|
||||||
*/
|
|
||||||
extern int p256_generate_random(uint8_t * output, unsigned output_size);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* ECDH/ECDSA generate key pair
|
|
||||||
*
|
|
||||||
* [in] draws from p256_generate_random()
|
|
||||||
* [out] priv: on success, holds the private key, as a big-endian integer
|
|
||||||
* [out] pub: on success, holds the public key, as two big-endian integers
|
|
||||||
*
|
|
||||||
* return: P256_SUCCESS on success
|
|
||||||
* P256_RANDOM_FAILED on failure
|
|
||||||
*/
|
|
||||||
int p256_gen_keypair(uint8_t priv[32], uint8_t pub[64]);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* ECDH compute shared secret
|
|
||||||
*
|
|
||||||
* [out] secret: on success, holds the shared secret, as a big-endian integer
|
|
||||||
* [in] priv: our private key as a big-endian integer
|
|
||||||
* [in] pub: the peer's public key, as two big-endian integers
|
|
||||||
*
|
|
||||||
* return: P256_SUCCESS on success
|
|
||||||
* P256_INVALID_PRIVKEY if priv is invalid
|
|
||||||
* P256_INVALID_PUBKEY if pub is invalid
|
|
||||||
*/
|
|
||||||
int p256_ecdh_shared_secret(uint8_t secret[32],
|
|
||||||
const uint8_t priv[32], const uint8_t pub[64]);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* ECDSA sign
|
|
||||||
*
|
|
||||||
* [in] draws from p256_generate_random()
|
|
||||||
* [out] sig: on success, holds the signature, as two big-endian integers
|
|
||||||
* [in] priv: our private key as a big-endian integer
|
|
||||||
* [in] hash: the hash of the message to be signed
|
|
||||||
* [in] hlen: the size of hash in bytes
|
|
||||||
*
|
|
||||||
* return: P256_SUCCESS on success
|
|
||||||
* P256_RANDOM_FAILED on failure
|
|
||||||
* P256_INVALID_PRIVKEY if priv is invalid
|
|
||||||
*/
|
|
||||||
int p256_ecdsa_sign(uint8_t sig[64], const uint8_t priv[32],
|
|
||||||
const uint8_t *hash, size_t hlen);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* ECDSA verify
|
|
||||||
*
|
|
||||||
* [in] sig: the signature to be verified, as two big-endian integers
|
|
||||||
* [in] pub: the associated public key, as two big-endian integers
|
|
||||||
* [in] hash: the hash of the message that was signed
|
|
||||||
* [in] hlen: the size of hash in bytes
|
|
||||||
*
|
|
||||||
* return: P256_SUCCESS on success - the signature was verified as valid
|
|
||||||
* P256_INVALID_PUBKEY if pub is invalid
|
|
||||||
* P256_INVALID_SIGNATURE if the signature was found to be invalid
|
|
||||||
*/
|
|
||||||
int p256_ecdsa_verify(const uint8_t sig[64], const uint8_t pub[64],
|
|
||||||
const uint8_t *hash, size_t hlen);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Public key validation
|
|
||||||
*
|
|
||||||
* Note: you never need to call this function, as all other functions always
|
|
||||||
* validate their input; however it's availabe if you want to validate the key
|
|
||||||
* without performing an operation.
|
|
||||||
*
|
|
||||||
* [in] pub: the public key, as two big-endian integers
|
|
||||||
*
|
|
||||||
* return: P256_SUCCESS if the key is valid
|
|
||||||
* P256_INVALID_PUBKEY if pub is invalid
|
|
||||||
*/
|
|
||||||
int p256_validate_pubkey(const uint8_t pub[64]);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Private key validation
|
|
||||||
*
|
|
||||||
* Note: you never need to call this function, as all other functions always
|
|
||||||
* validate their input; however it's availabe if you want to validate the key
|
|
||||||
* without performing an operation.
|
|
||||||
*
|
|
||||||
* [in] priv: the private key, as a big-endian integer
|
|
||||||
*
|
|
||||||
* return: P256_SUCCESS if the key is valid
|
|
||||||
* P256_INVALID_PRIVKEY if priv is invalid
|
|
||||||
*/
|
|
||||||
int p256_validate_privkey(const uint8_t priv[32]);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Compute public key from private key
|
|
||||||
*
|
|
||||||
* [out] pub: the associated public key, as two big-endian integers
|
|
||||||
* [in] priv: the private key, as a big-endian integer
|
|
||||||
*
|
|
||||||
* return: P256_SUCCESS on success
|
|
||||||
* P256_INVALID_PRIVKEY if priv is invalid
|
|
||||||
*/
|
|
||||||
int p256_public_from_private(uint8_t pub[64], const uint8_t priv[32]);
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#endif /* P256_M_H */
|
|
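Review bot: removing p256-m.h also removes the integrator-supplied RNG hook declared at `extern int p256_generate_random(uint8_t * output, unsigned output_size);` together with its contract ("must be provided externally and be cryptographically secure"); because it is only declared here, its definition is not in any hunk visible on this page (the p256-m.c diff is suppressed), so confirm that whatever provided it is removed in the same commit and no orphaned definition remains in the tree.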
@ -1,312 +0,0 @@
|
|||||||
/*
|
|
||||||
* Driver entry points for p256-m
|
|
||||||
*/
|
|
||||||
/*
|
|
||||||
* Copyright The Mbed TLS Contributors
|
|
||||||
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
|
||||||
*/
|
|
||||||
|
|
||||||
#include "mbedtls/platform.h"
|
|
||||||
#include "p256-m_driver_entrypoints.h"
|
|
||||||
#include "p256-m/p256-m.h"
|
|
||||||
#include "psa/crypto.h"
|
|
||||||
#include <stddef.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include "psa_crypto_driver_wrappers_no_static.h"
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
|
|
||||||
|
|
||||||
/* INFORMATION ON PSA KEY EXPORT FORMATS:
|
|
||||||
*
|
|
||||||
* PSA exports SECP256R1 keys in two formats:
|
|
||||||
* 1. Keypair format: 32 byte string which is just the private key (public key
|
|
||||||
* can be calculated from the private key)
|
|
||||||
* 2. Public Key format: A leading byte 0x04 (indicating uncompressed format),
|
|
||||||
* followed by the 64 byte public key. This results in a
|
|
||||||
* total of 65 bytes.
|
|
||||||
*
|
|
||||||
* p256-m's internal format for private keys matches PSA. Its format for public
|
|
||||||
* keys is only 64 bytes: the same as PSA but without the leading byte (0x04).
|
|
||||||
* Hence, when passing public keys from PSA to p256-m, the leading byte is
|
|
||||||
* removed.
|
|
||||||
*
|
|
||||||
* Shared secret and signature have the same format between PSA and p256-m.
|
|
||||||
*/
|
|
||||||
#define PSA_PUBKEY_SIZE 65
|
|
||||||
#define PSA_PUBKEY_HEADER_BYTE 0x04
|
|
||||||
#define P256_PUBKEY_SIZE 64
|
|
||||||
#define PRIVKEY_SIZE 32
|
|
||||||
#define SHARED_SECRET_SIZE 32
|
|
||||||
#define SIGNATURE_SIZE 64
|
|
||||||
|
|
||||||
#define CURVE_BITS 256
|
|
||||||
|
|
||||||
/* Convert between p256-m and PSA error codes */
|
|
||||||
static psa_status_t p256_to_psa_error(int ret)
|
|
||||||
{
|
|
||||||
switch (ret) {
|
|
||||||
case P256_SUCCESS:
|
|
||||||
return PSA_SUCCESS;
|
|
||||||
case P256_INVALID_PUBKEY:
|
|
||||||
case P256_INVALID_PRIVKEY:
|
|
||||||
return PSA_ERROR_INVALID_ARGUMENT;
|
|
||||||
case P256_INVALID_SIGNATURE:
|
|
||||||
return PSA_ERROR_INVALID_SIGNATURE;
|
|
||||||
case P256_RANDOM_FAILED:
|
|
||||||
default:
|
|
||||||
return PSA_ERROR_GENERIC_ERROR;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
psa_status_t p256_transparent_import_key(const psa_key_attributes_t *attributes,
|
|
||||||
const uint8_t *data,
|
|
||||||
size_t data_length,
|
|
||||||
uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
size_t *key_buffer_length,
|
|
||||||
size_t *bits)
|
|
||||||
{
|
|
||||||
/* Check the key size */
|
|
||||||
if (*bits != 0 && *bits != CURVE_BITS) {
|
|
||||||
return PSA_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Validate the key (and its type and size) */
|
|
||||||
psa_key_type_t type = psa_get_key_type(attributes);
|
|
||||||
if (type == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)) {
|
|
||||||
if (data_length != PSA_PUBKEY_SIZE) {
|
|
||||||
return *bits == 0 ? PSA_ERROR_NOT_SUPPORTED : PSA_ERROR_INVALID_ARGUMENT;
|
|
||||||
}
|
|
||||||
/* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
|
|
||||||
if (p256_validate_pubkey(data + 1) != P256_SUCCESS) {
|
|
||||||
return PSA_ERROR_INVALID_ARGUMENT;
|
|
||||||
}
|
|
||||||
} else if (type == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
|
|
||||||
if (data_length != PRIVKEY_SIZE) {
|
|
||||||
return *bits == 0 ? PSA_ERROR_NOT_SUPPORTED : PSA_ERROR_INVALID_ARGUMENT;
|
|
||||||
}
|
|
||||||
if (p256_validate_privkey(data) != P256_SUCCESS) {
|
|
||||||
return PSA_ERROR_INVALID_ARGUMENT;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return PSA_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
|
||||||
*bits = CURVE_BITS;
|
|
||||||
|
|
||||||
/* We only support the export format for input, so just copy. */
|
|
||||||
if (key_buffer_size < data_length) {
|
|
||||||
return PSA_ERROR_BUFFER_TOO_SMALL;
|
|
||||||
}
|
|
||||||
memcpy(key_buffer, data, data_length);
|
|
||||||
*key_buffer_length = data_length;
|
|
||||||
|
|
||||||
return PSA_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
psa_status_t p256_transparent_export_public_key(const psa_key_attributes_t *attributes,
|
|
||||||
const uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
uint8_t *data,
|
|
||||||
size_t data_size,
|
|
||||||
size_t *data_length)
|
|
||||||
{
|
|
||||||
/* Is this the right curve? */
|
|
||||||
size_t bits = psa_get_key_bits(attributes);
|
|
||||||
psa_key_type_t type = psa_get_key_type(attributes);
|
|
||||||
if (bits != CURVE_BITS || type != PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
|
|
||||||
return PSA_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Validate sizes, as p256-m expects fixed-size buffers */
|
|
||||||
if (key_buffer_size != PRIVKEY_SIZE) {
|
|
||||||
return PSA_ERROR_INVALID_ARGUMENT;
|
|
||||||
}
|
|
||||||
if (data_size < PSA_PUBKEY_SIZE) {
|
|
||||||
return PSA_ERROR_BUFFER_TOO_SMALL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
|
|
||||||
data[0] = PSA_PUBKEY_HEADER_BYTE;
|
|
||||||
int ret = p256_public_from_private(data + 1, key_buffer);
|
|
||||||
if (ret == P256_SUCCESS) {
|
|
||||||
*data_length = PSA_PUBKEY_SIZE;
|
|
||||||
}
|
|
||||||
|
|
||||||
return p256_to_psa_error(ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
psa_status_t p256_transparent_generate_key(
|
|
||||||
const psa_key_attributes_t *attributes,
|
|
||||||
uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
size_t *key_buffer_length)
|
|
||||||
{
|
|
||||||
/* We don't use this argument, but the specification mandates the signature
|
|
||||||
* of driver entry-points. (void) used to avoid compiler warning. */
|
|
||||||
(void) attributes;
|
|
||||||
|
|
||||||
/* Validate sizes, as p256-m expects fixed-size buffers */
|
|
||||||
if (key_buffer_size != PRIVKEY_SIZE) {
|
|
||||||
return PSA_ERROR_BUFFER_TOO_SMALL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* p256-m's keypair generation function outputs both public and private
|
|
||||||
* keys. Allocate a buffer to which the public key will be written. The
|
|
||||||
* private key will be written to key_buffer, which is passed to this
|
|
||||||
* function as an argument. */
|
|
||||||
uint8_t public_key_buffer[P256_PUBKEY_SIZE];
|
|
||||||
|
|
||||||
int ret = p256_gen_keypair(key_buffer, public_key_buffer);
|
|
||||||
if (ret == P256_SUCCESS) {
|
|
||||||
*key_buffer_length = PRIVKEY_SIZE;
|
|
||||||
}
|
|
||||||
|
|
||||||
return p256_to_psa_error(ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
psa_status_t p256_transparent_key_agreement(
|
|
||||||
const psa_key_attributes_t *attributes,
|
|
||||||
const uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
psa_algorithm_t alg,
|
|
||||||
const uint8_t *peer_key,
|
|
||||||
size_t peer_key_length,
|
|
||||||
uint8_t *shared_secret,
|
|
||||||
size_t shared_secret_size,
|
|
||||||
size_t *shared_secret_length)
|
|
||||||
{
|
|
||||||
/* We don't use these arguments, but the specification mandates the
|
|
||||||
* sginature of driver entry-points. (void) used to avoid compiler
|
|
||||||
* warning. */
|
|
||||||
(void) attributes;
|
|
||||||
(void) alg;
|
|
||||||
|
|
||||||
/* Validate sizes, as p256-m expects fixed-size buffers */
|
|
||||||
if (key_buffer_size != PRIVKEY_SIZE || peer_key_length != PSA_PUBKEY_SIZE) {
|
|
||||||
return PSA_ERROR_INVALID_ARGUMENT;
|
|
||||||
}
|
|
||||||
if (shared_secret_size < SHARED_SECRET_SIZE) {
|
|
||||||
return PSA_ERROR_BUFFER_TOO_SMALL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
|
|
||||||
const uint8_t *peer_key_p256m = peer_key + 1;
|
|
||||||
int ret = p256_ecdh_shared_secret(shared_secret, key_buffer, peer_key_p256m);
|
|
||||||
if (ret == P256_SUCCESS) {
|
|
||||||
*shared_secret_length = SHARED_SECRET_SIZE;
|
|
||||||
}
|
|
||||||
|
|
||||||
return p256_to_psa_error(ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
psa_status_t p256_transparent_sign_hash(
|
|
||||||
const psa_key_attributes_t *attributes,
|
|
||||||
const uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
psa_algorithm_t alg,
|
|
||||||
const uint8_t *hash,
|
|
||||||
size_t hash_length,
|
|
||||||
uint8_t *signature,
|
|
||||||
size_t signature_size,
|
|
||||||
size_t *signature_length)
|
|
||||||
{
|
|
||||||
/* We don't use these arguments, but the specification mandates the
|
|
||||||
* sginature of driver entry-points. (void) used to avoid compiler
|
|
||||||
* warning. */
|
|
||||||
(void) attributes;
|
|
||||||
(void) alg;
|
|
||||||
|
|
||||||
/* Validate sizes, as p256-m expects fixed-size buffers */
|
|
||||||
if (key_buffer_size != PRIVKEY_SIZE) {
|
|
||||||
return PSA_ERROR_INVALID_ARGUMENT;
|
|
||||||
}
|
|
||||||
if (signature_size < SIGNATURE_SIZE) {
|
|
||||||
return PSA_ERROR_BUFFER_TOO_SMALL;
|
|
||||||
}
|
|
||||||
|
|
||||||
int ret = p256_ecdsa_sign(signature, key_buffer, hash, hash_length);
|
|
||||||
if (ret == P256_SUCCESS) {
|
|
||||||
*signature_length = SIGNATURE_SIZE;
|
|
||||||
}
|
|
||||||
|
|
||||||
return p256_to_psa_error(ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* This function expects the key buffer to contain a PSA public key,
|
|
||||||
* as exported by psa_export_public_key() */
|
|
||||||
static psa_status_t p256_verify_hash_with_public_key(
|
|
||||||
const uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
const uint8_t *hash,
|
|
||||||
size_t hash_length,
|
|
||||||
const uint8_t *signature,
|
|
||||||
size_t signature_length)
|
|
||||||
{
|
|
||||||
/* Validate sizes, as p256-m expects fixed-size buffers */
|
|
||||||
if (key_buffer_size != PSA_PUBKEY_SIZE || *key_buffer != PSA_PUBKEY_HEADER_BYTE) {
|
|
||||||
return PSA_ERROR_INVALID_ARGUMENT;
|
|
||||||
}
|
|
||||||
if (signature_length != SIGNATURE_SIZE) {
|
|
||||||
return PSA_ERROR_INVALID_SIGNATURE;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* See INFORMATION ON PSA KEY EXPORT FORMATS near top of file */
|
|
||||||
const uint8_t *public_key_p256m = key_buffer + 1;
|
|
||||||
int ret = p256_ecdsa_verify(signature, public_key_p256m, hash, hash_length);
|
|
||||||
|
|
||||||
return p256_to_psa_error(ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
psa_status_t p256_transparent_verify_hash(
|
|
||||||
const psa_key_attributes_t *attributes,
|
|
||||||
const uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
psa_algorithm_t alg,
|
|
||||||
const uint8_t *hash,
|
|
||||||
size_t hash_length,
|
|
||||||
const uint8_t *signature,
|
|
||||||
size_t signature_length)
|
|
||||||
{
|
|
||||||
/* We don't use this argument, but the specification mandates the signature
|
|
||||||
* of driver entry-points. (void) used to avoid compiler warning. */
|
|
||||||
(void) alg;
|
|
||||||
|
|
||||||
psa_status_t status;
|
|
||||||
uint8_t public_key_buffer[PSA_PUBKEY_SIZE];
|
|
||||||
size_t public_key_buffer_size = PSA_PUBKEY_SIZE;
|
|
||||||
|
|
||||||
size_t public_key_length = PSA_PUBKEY_SIZE;
|
|
||||||
/* As p256-m doesn't require dynamic allocation, we want to avoid it in
|
|
||||||
* the entrypoint functions as well. psa_driver_wrapper_export_public_key()
|
|
||||||
* requires size_t*, so we use a pointer to a stack variable. */
|
|
||||||
size_t *public_key_length_ptr = &public_key_length;
|
|
||||||
|
|
||||||
/* The contents of key_buffer may either be the 32 byte private key
|
|
||||||
* (keypair format), or 0x04 followed by the 64 byte public key (public
|
|
||||||
* key format). To ensure the key is in the latter format, the public key
|
|
||||||
* is exported. */
|
|
||||||
status = psa_driver_wrapper_export_public_key(
|
|
||||||
attributes,
|
|
||||||
key_buffer,
|
|
||||||
key_buffer_size,
|
|
||||||
public_key_buffer,
|
|
||||||
public_key_buffer_size,
|
|
||||||
public_key_length_ptr);
|
|
||||||
if (status != PSA_SUCCESS) {
|
|
||||||
goto exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
status = p256_verify_hash_with_public_key(
|
|
||||||
public_key_buffer,
|
|
||||||
public_key_buffer_size,
|
|
||||||
hash,
|
|
||||||
hash_length,
|
|
||||||
signature,
|
|
||||||
signature_length);
|
|
||||||
|
|
||||||
exit:
|
|
||||||
return status;
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
|
|
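Review bot: the whole deleted file is guarded by `#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)` and is the only place the `p256_transparent_*` entry points (import_key, export_public_key, generate_key, key_agreement, sign_hash, verify_hash) were defined, so any mbedtls_config.h or build flag in this tree that still sets that macro must be removed in the same commit, otherwise nothing defines these entry points any more. Worth stating in the commit message is what is lost functionally: `p256_transparent_import_key` validated every key on import (`p256_validate_pubkey(data + 1)` for the 65-byte 0x04-prefixed public key, `p256_validate_privkey(data)` for the 32-byte private key) and `p256_to_psa_error` mapped `P256_RANDOM_FAILED` to `PSA_ERROR_GENERIC_ERROR`; after the downgrade SECP256R1 no longer goes through this accelerator, so its documented validation and constant-time properties no longer apply.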
@ -1,219 +0,0 @@
|
|||||||
/*
|
|
||||||
* Driver entry points for p256-m
|
|
||||||
*/
|
|
||||||
/*
|
|
||||||
* Copyright The Mbed TLS Contributors
|
|
||||||
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
|
||||||
*/
|
|
||||||
|
|
||||||
#ifndef P256M_DRIVER_ENTRYPOINTS_H
|
|
||||||
#define P256M_DRIVER_ENTRYPOINTS_H
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
|
|
||||||
#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
|
|
||||||
#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
|
|
||||||
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
|
|
||||||
#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
|
|
||||||
|
|
||||||
#include "psa/crypto_types.h"
|
|
||||||
|
|
||||||
/** Import SECP256R1 key.
|
|
||||||
*
|
|
||||||
* \param[in] attributes The attributes of the key to use for the
|
|
||||||
* operation.
|
|
||||||
* \param[in] data The raw key material. For private keys
|
|
||||||
* this must be a big-endian integer of 32
|
|
||||||
* bytes; for public key this must be an
|
|
||||||
* uncompressed ECPoint (65 bytes).
|
|
||||||
* \param[in] data_length The size of the raw key material.
|
|
||||||
* \param[out] key_buffer The buffer to contain the key data in
|
|
||||||
* output format upon successful return.
|
|
||||||
* \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
|
|
||||||
* \param[out] key_buffer_length The length of the data written in \p
|
|
||||||
* key_buffer in bytes.
|
|
||||||
* \param[out] bits The bitsize of the key.
|
|
||||||
*
|
|
||||||
* \retval #PSA_SUCCESS
|
|
||||||
* Success. Keypair generated and stored in buffer.
|
|
||||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
|
||||||
* The input is not supported by this driver (not SECP256R1).
|
|
||||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
|
||||||
* The input is invalid.
|
|
||||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
|
||||||
* \p key_buffer_size is too small.
|
|
||||||
*/
|
|
||||||
psa_status_t p256_transparent_import_key(const psa_key_attributes_t *attributes,
|
|
||||||
const uint8_t *data,
|
|
||||||
size_t data_length,
|
|
||||||
uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
size_t *key_buffer_length,
|
|
||||||
size_t *bits);
|
|
||||||
|
|
||||||
/** Export SECP256R1 public key, from the private key.
|
|
||||||
*
|
|
||||||
* \param[in] attributes The attributes of the key to use for the
|
|
||||||
* operation.
|
|
||||||
* \param[in] key_buffer The private key in the export format.
|
|
||||||
* \param[in] key_buffer_size The size of the private key in bytes.
|
|
||||||
* \param[out] data The buffer to contain the public key in
|
|
||||||
* the export format upon successful return.
|
|
||||||
* \param[in] data_size The size of the \p data buffer in bytes.
|
|
||||||
* \param[out] data_length The length written to \p data in bytes.
|
|
||||||
*
|
|
||||||
* \retval #PSA_SUCCESS
|
|
||||||
* Success. Keypair generated and stored in buffer.
|
|
||||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
|
||||||
* The input is not supported by this driver (not SECP256R1).
|
|
||||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
|
||||||
* The input is invalid.
|
|
||||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
|
||||||
* \p key_buffer_size is too small.
|
|
||||||
*/
|
|
||||||
psa_status_t p256_transparent_export_public_key(const psa_key_attributes_t *attributes,
|
|
||||||
const uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
uint8_t *data,
|
|
||||||
size_t data_size,
|
|
||||||
size_t *data_length);
|
|
||||||
|
|
||||||
/** Generate SECP256R1 ECC Key Pair.
|
|
||||||
* Interface function which calls the p256-m key generation function and
|
|
||||||
* places it in the key buffer provided by the caller (Mbed TLS) in the
|
|
||||||
* correct format. For a SECP256R1 curve this is the 32 bit private key.
|
|
||||||
*
|
|
||||||
* \param[in] attributes The attributes of the key to use for the
|
|
||||||
* operation.
|
|
||||||
* \param[out] key_buffer The buffer to contain the key data in
|
|
||||||
* output format upon successful return.
|
|
||||||
* \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
|
|
||||||
* \param[out] key_buffer_length The length of the data written in \p
|
|
||||||
* key_buffer in bytes.
|
|
||||||
*
|
|
||||||
* \retval #PSA_SUCCESS
|
|
||||||
* Success. Keypair generated and stored in buffer.
|
|
||||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
|
||||||
* \p key_buffer_size is too small.
|
|
||||||
* \retval #PSA_ERROR_GENERIC_ERROR
|
|
||||||
* The internal RNG failed.
|
|
||||||
*/
|
|
||||||
psa_status_t p256_transparent_generate_key(
|
|
||||||
const psa_key_attributes_t *attributes,
|
|
||||||
uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
size_t *key_buffer_length);
|
|
||||||
|
|
||||||
/** Perform raw key agreement using p256-m's ECDH implementation
|
|
||||||
* \param[in] attributes The attributes of the key to use for the
|
|
||||||
* operation.
|
|
||||||
* \param[in] key_buffer The buffer containing the private key
|
|
||||||
* in the format specified by PSA.
|
|
||||||
* \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
|
|
||||||
* \param[in] alg A key agreement algorithm that is
|
|
||||||
* compatible with the type of the key.
|
|
||||||
* \param[in] peer_key The buffer containing the peer's public
|
|
||||||
* key in format specified by PSA.
|
|
||||||
* \param[in] peer_key_length Size of the \p peer_key buffer in
|
|
||||||
* bytes.
|
|
||||||
* \param[out] shared_secret The buffer to which the shared secret
|
|
||||||
* is to be written.
|
|
||||||
* \param[in] shared_secret_size Size of the \p shared_secret buffer in
|
|
||||||
* bytes.
|
|
||||||
* \param[out] shared_secret_length On success, the number of bytes that
|
|
||||||
* make up the returned shared secret.
|
|
||||||
* \retval #PSA_SUCCESS
|
|
||||||
* Success. Shared secret successfully calculated.
|
|
||||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
|
||||||
* The input is invalid.
|
|
||||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
|
||||||
* \p shared_secret_size is too small.
|
|
||||||
*/
|
|
||||||
psa_status_t p256_transparent_key_agreement(
|
|
||||||
const psa_key_attributes_t *attributes,
|
|
||||||
const uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
psa_algorithm_t alg,
|
|
||||||
const uint8_t *peer_key,
|
|
||||||
size_t peer_key_length,
|
|
||||||
uint8_t *shared_secret,
|
|
||||||
size_t shared_secret_size,
|
|
||||||
size_t *shared_secret_length);
|
|
||||||
|
|
||||||
/** Sign an already-calculated hash with a private key using p256-m's ECDSA
|
|
||||||
* implementation
|
|
||||||
* \param[in] attributes The attributes of the key to use for the
|
|
||||||
* operation.
|
|
||||||
* \param[in] key_buffer The buffer containing the private key
|
|
||||||
* in the format specified by PSA.
|
|
||||||
* \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
|
|
||||||
* \param[in] alg A signature algorithm that is compatible
|
|
||||||
* with the type of the key.
|
|
||||||
* \param[in] hash The hash to sign.
|
|
||||||
* \param[in] hash_length Size of the \p hash buffer in bytes.
|
|
||||||
* \param[out] signature Buffer where signature is to be written.
|
|
||||||
* \param[in] signature_size Size of the \p signature buffer in bytes.
|
|
||||||
* \param[out] signature_length On success, the number of bytes
|
|
||||||
* that make up the returned signature value.
|
|
||||||
*
|
|
||||||
* \retval #PSA_SUCCESS
|
|
||||||
* Success. Hash was signed successfully.
|
|
||||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
|
||||||
* The input is invalid.
|
|
||||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
|
||||||
* \p signature_size is too small.
|
|
||||||
* \retval #PSA_ERROR_GENERIC_ERROR
|
|
||||||
* The internal RNG failed.
|
|
||||||
*/
|
|
||||||
psa_status_t p256_transparent_sign_hash(
|
|
||||||
const psa_key_attributes_t *attributes,
|
|
||||||
const uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
psa_algorithm_t alg,
|
|
||||||
const uint8_t *hash,
|
|
||||||
size_t hash_length,
|
|
||||||
uint8_t *signature,
|
|
||||||
size_t signature_size,
|
|
||||||
size_t *signature_length);
|
|
||||||
|
|
||||||
/** Verify the signature of a hash using a SECP256R1 public key using p256-m's
|
|
||||||
* ECDSA implementation.
|
|
||||||
*
|
|
||||||
* \note p256-m expects a 64 byte public key, but the contents of the key
|
|
||||||
buffer may be the 32 byte keypair representation or the 65 byte
|
|
||||||
public key representation. As a result, this function calls
|
|
||||||
psa_driver_wrapper_export_public_key() to ensure the public key
|
|
||||||
can be passed to p256-m.
|
|
||||||
*
|
|
||||||
* \param[in] attributes The attributes of the key to use for the
|
|
||||||
* operation.
|
|
||||||
*
|
|
||||||
* \param[in] key_buffer The buffer containing the key
|
|
||||||
* in the format specified by PSA.
|
|
||||||
* \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
|
|
||||||
* \param[in] alg A signature algorithm that is compatible with
|
|
||||||
* the type of the key.
|
|
||||||
* \param[in] hash The hash whose signature is to be
|
|
||||||
* verified.
|
|
||||||
* \param[in] hash_length Size of the \p hash buffer in bytes.
|
|
||||||
* \param[in] signature Buffer containing the signature to verify.
|
|
||||||
* \param[in] signature_length Size of the \p signature buffer in bytes.
|
|
||||||
*
|
|
||||||
* \retval #PSA_SUCCESS
|
|
||||||
* The signature is valid.
|
|
||||||
* \retval #PSA_ERROR_INVALID_SIGNATURE
|
|
||||||
* The calculation was performed successfully, but the passed
|
|
||||||
* signature is not a valid signature.
|
|
||||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
|
||||||
* The input is invalid.
|
|
||||||
*/
|
|
||||||
psa_status_t p256_transparent_verify_hash(
|
|
||||||
const psa_key_attributes_t *attributes,
|
|
||||||
const uint8_t *key_buffer,
|
|
||||||
size_t key_buffer_size,
|
|
||||||
psa_algorithm_t alg,
|
|
||||||
const uint8_t *hash,
|
|
||||||
size_t hash_length,
|
|
||||||
const uint8_t *signature,
|
|
||||||
size_t signature_length);
|
|
||||||
|
|
||||||
#endif /* P256M_DRIVER_ENTRYPOINTS_H */
|
|
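Review bot: besides the prototypes, this header was where `PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT` got defined whenever `MBEDTLS_PSA_P256M_DRIVER_ENABLED` was set (the `#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT` / `#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT` block near the top); please check that no remaining project configuration defines that macro on its own, since with the driver gone there is no accelerator to back it. Two documentation nits in the deleted text, in case this file is ever re-vendored: the `p256_transparent_generate_key` comment says "the 32 bit private key" where the `\p data` description in `p256_transparent_import_key` makes clear it is a 32 byte (256-bit) key, and the `\retval #PSA_SUCCESS` text "Keypair generated and stored in buffer" is copy-pasted into the import_key and export_public_key docs where no keypair is generated.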
111
externals/mbedtls/BRANCHES.md
vendored
@ -1,111 +0,0 @@
|
|||||||
# Maintained branches
|
|
||||||
|
|
||||||
At any point in time, we have a number of maintained branches, currently consisting of:
|
|
||||||
|
|
||||||
- The [`master`](https://github.com/Mbed-TLS/mbedtls/tree/master) branch:
|
|
||||||
this always contains the latest release, including all publicly available
|
|
||||||
security fixes.
|
|
||||||
- The [`development`](https://github.com/Mbed-TLS/mbedtls/tree/development) branch:
|
|
||||||
this is where the current major version of Mbed TLS (version 3.x) is being
|
|
||||||
prepared. It has API changes that make it incompatible with Mbed TLS 2.x,
|
|
||||||
as well as all the new features and bug fixes and security fixes.
|
|
||||||
- One or more long-time support (LTS) branches: these only get bug fixes and
security fixes. Currently, the only supported LTS branch is:
[`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28).

We retain a number of historical branches, whose names are prefixed by `archive/`,
such as [`archive/mbedtls-2.7`](https://github.com/Mbed-TLS/mbedtls/tree/archive/mbedtls-2.7).
These branches will not receive any changes or updates.

We use [Semantic Versioning](https://semver.org/). In particular, we maintain
API compatibility in the `master` branch across minor version changes (e.g.
the API of 3.(x+1) is backward compatible with 3.x). We only break API
compatibility on major version changes (e.g. from 3.x to 4.0). We also maintain
ABI compatibility within LTS branches; see the next section for details.

Every major version will become an LTS branch when the next major version is
released. We may occasionally create LTS branches from other releases at our
discretion.
When a new LTS branch is created, it usually remains supported for three years.

## Backwards Compatibility for application code

We maintain API compatibility in released versions of Mbed TLS. If you have
code that's working and secure with Mbed TLS x.y.z and does not rely on
undocumented features, then you should be able to re-compile it without
modification with any later release x.y'.z' with the same major version
number, and your code will still build, be secure, and work.

Note that this guarantee only applies if you either use the default
compile-time configuration (`mbedtls/mbedtls_config.h`) or the same modified
compile-time configuration. Changing compile-time configuration options can
result in an incompatible API or ABI, although features will generally not
affect unrelated features (for example, enabling or disabling a
cryptographic algorithm does not break code that does not use that
algorithm).

Note that new releases of Mbed TLS may extend the API. Here are some
examples of changes that are common in minor releases of Mbed TLS, and are
not considered API compatibility breaks:

* Adding or reordering fields in a structure or union.
* Removing a field from a structure, unless the field is documented as public.
* Adding items to an enum.
* Returning an error code that was not previously documented for a function
when a new error condition arises.
* Changing which error code is returned in a case where multiple error
conditions apply.
* Changing the behavior of a function from failing to succeeding, when the
change is a reasonable extension of the current behavior, i.e. the
addition of a new feature.

There are rare exceptions where we break API compatibility: code that was
relying on something that became insecure in the meantime (for example,
crypto that was found to be weak) may need to be changed. In case security
comes in conflict with backwards compatibility, we will put security first,
but always attempt to provide a compatibility option.

## Backward compatibility for the key store

We maintain backward compatibility with previous versions of the
PSA Crypto persistent storage since Mbed TLS 2.25.0, provided that the
storage backend (PSA ITS implementation) is configured in a compatible way.
We intend to maintain this backward compatibility throughout a major version
of Mbed TLS (for example, all Mbed TLS 3.y versions will be able to read
keys written under any Mbed TLS 3.x with x <= y).

Mbed TLS 3.x can also read keys written by Mbed TLS 2.25.0 through 2.28.x
LTS, but future major version upgrades (for example from 2.28.x/3.x to 4.y)
may require the use of an upgrade tool.

Note that this guarantee does not currently fully extend to drivers, which
are an experimental feature. We intend to maintain compatibility with the
basic use of drivers from Mbed TLS 2.28.0 onwards, even if driver APIs
change. However, for more experimental parts of the driver interface, such
as the use of driver state, we do not yet guarantee backward compatibility.

## Long-time support branches

For the LTS branches, additionally we try very hard to also maintain ABI
compatibility (same definition as API except with re-linking instead of
re-compiling) and to avoid any increase in code size or RAM usage, or in the
minimum version of tools needed to build the code. The only exception, as
before, is in case those goals would conflict with fixing a security issue, we
will put security first but provide a compatibility option. (So far we never
had to break ABI compatibility in an LTS branch, but we occasionally had to
increase code size for a security fix.)

For contributors, see the [Backwards Compatibility section of
CONTRIBUTING](CONTRIBUTING.md#backwards-compatibility).

## Current Branches

The following branches are currently maintained:

- [master](https://github.com/Mbed-TLS/mbedtls/tree/master)
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until at least the end of 2024, see
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.7>.

Users are urged to always use the latest version of a maintained branch.
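Review bot: deleting BRANCHES.md drops the only statement of which upstream branch the vendored copy follows and for how long it is supported (the removed text names `mbedtls-2.28` as maintained until at least the end of 2024 and says `archive/` branches receive no updates at all). The removed `write_basic_package_version_file(... VERSION 3.5.2)` in the CMakeLists.txt hunk later in this commit records that the old copy was 3.5.2, but nothing on the new side states the version being downgraded to. Please put the exact upstream tag, and whether it is on a maintained LTS branch or an archived one, in the commit message or in a short README beside the vendored tree, so that upstream security fixes can be tracked against it.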
20
externals/mbedtls/BUGS.md
vendored
@ -1,20 +0,0 @@
## Known issues

Known issues in Mbed TLS are [tracked on GitHub](https://github.com/Mbed-TLS/mbedtls/issues).

## Reporting a bug

If you think you've found a bug in Mbed TLS, please follow these steps:

1. Make sure you're using the latest version of a
[maintained branch](BRANCHES.md): `master`, `development`,
or a long-time support branch.
2. Check [GitHub](https://github.com/Mbed-TLS/mbedtls/issues) to see if
your issue has already been reported. If not, …
3. If the issue is a security risk (for example: buffer overflow,
data leak), please report it confidentially as described in
[`SECURITY.md`](SECURITY.md). If not, …
4. Please [create an issue on on GitHub](https://github.com/Mbed-TLS/mbedtls/issues).

Please do not use GitHub for support questions. If you want to know
how to do something with Mbed TLS, please see [`SUPPORT.md`](SUPPORT.md) for available documentation and support channels.
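Review bot: the deleted BUGS.md is the text that told anyone who finds a security-relevant defect (the removed step 3 gives buffer overflow and data leak as examples) to report it confidentially via `SECURITY.md` instead of in a public issue. If `SECURITY.md` leaves the vendored tree in the same change, please keep a one-line pointer to upstream's confidential reporting process near the vendored copy, so that a finding in `externals/mbedtls` is not filed as a public torzu issue by default.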
395
externals/mbedtls/CMakeLists.txt
vendored
@ -1,71 +1,16 @@
#
|
cmake_minimum_required(VERSION 2.6)
|
||||||
# CMake build system design considerations:
|
|
||||||
#
|
|
||||||
# - Include directories:
|
|
||||||
# + Do not define include directories globally using the include_directories
|
|
||||||
# command but rather at the target level using the
|
|
||||||
# target_include_directories command. That way, it is easier to guarantee
|
|
||||||
# that targets are built using the proper list of include directories.
|
|
||||||
# + Use the PUBLIC and PRIVATE keywords to specify the scope of include
|
|
||||||
# directories. That way, a target linking to a library (using the
|
|
||||||
# target_link_libraries command) inherits from the library PUBLIC include
|
|
||||||
# directories and not from the PRIVATE ones.
|
|
||||||
# - MBEDTLS_TARGET_PREFIX: CMake targets are designed to be alterable by calling
|
|
||||||
# CMake in order to avoid target name clashes, via the use of
|
|
||||||
# MBEDTLS_TARGET_PREFIX. The value of this variable is prefixed to the
|
|
||||||
# mbedtls, mbedx509, mbedcrypto and apidoc targets.
|
|
||||||
#
|
|
||||||
|
|
||||||
# We specify a minimum requirement of 3.10.2, but for now use 3.5.1 here
|
|
||||||
# until our infrastructure catches up.
|
|
||||||
cmake_minimum_required(VERSION 3.5.1)
|
|
||||||
|
|
||||||
include(CMakePackageConfigHelpers)
|
|
||||||
|
|
||||||
# https://cmake.org/cmake/help/latest/policy/CMP0011.html
|
|
||||||
# Setting this policy is required in CMake >= 3.18.0, otherwise a warning is generated. The OLD
|
|
||||||
# policy setting is deprecated, and will be removed in future versions.
|
|
||||||
cmake_policy(SET CMP0011 NEW)
|
|
||||||
# https://cmake.org/cmake/help/latest/policy/CMP0012.html
|
|
||||||
# Setting the CMP0012 policy to NEW is required for FindPython3 to work with CMake 3.18.2
|
|
||||||
# (there is a bug in this particular version), otherwise, setting the CMP0012 policy is required
|
|
||||||
# for CMake versions >= 3.18.3 otherwise a deprecated warning is generated. The OLD policy setting
|
|
||||||
# is deprecated and will be removed in future versions.
|
|
||||||
cmake_policy(SET CMP0012 NEW)
|
|
||||||
|
|
||||||
if(TEST_CPP)
|
if(TEST_CPP)
|
||||||
project("Mbed TLS" LANGUAGES C CXX)
|
project("mbed TLS" C CXX)
|
||||||
else()
|
else()
|
||||||
project("Mbed TLS" LANGUAGES C)
|
project("mbed TLS" C)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
include(GNUInstallDirs)
|
option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library." OFF)
|
||||||
|
option(ENABLE_ZLIB_SUPPORT "Build mbed TLS with zlib library." OFF)
|
||||||
|
|
||||||
# Determine if Mbed TLS is being built as a subproject using add_subdirectory()
|
option(ENABLE_PROGRAMS "Build mbed TLS programs." OFF)
|
||||||
if(NOT DEFINED MBEDTLS_AS_SUBPROJECT)
|
|
||||||
set(MBEDTLS_AS_SUBPROJECT ON)
|
|
||||||
if(CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_SOURCE_DIR)
|
|
||||||
set(MBEDTLS_AS_SUBPROJECT OFF)
|
|
||||||
endif()
|
|
||||||
endif()
|
|
||||||
|
|
||||||
# Set the project root directory.
|
|
||||||
set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR})
|
|
||||||
|
|
||||||
option(ENABLE_PROGRAMS "Build Mbed TLS programs." ON)
|
|
||||||
|
|
||||||
option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
|
option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
|
||||||
option(MBEDTLS_FATAL_WARNINGS "Compiler warnings treated as errors" ON)
|
|
||||||
if(CMAKE_HOST_WIN32)
|
|
||||||
# N.B. The comment on the next line is significant! If you change it,
|
|
||||||
# edit the sed command in prepare_release.sh that modifies
|
|
||||||
# CMakeLists.txt.
|
|
||||||
option(GEN_FILES "Generate the auto-generated files as needed" OFF) # off in development
|
|
||||||
else()
|
|
||||||
option(GEN_FILES "Generate the auto-generated files as needed" ON)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
option(DISABLE_PACKAGE_CONFIG_AND_INSTALL "Disable package configuration, target export and installation" ${MBEDTLS_AS_SUBPROJECT})
|
|
||||||
|
|
||||||
string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
|
string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
|
||||||
string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${CMAKE_C_COMPILER_ID}")
|
string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${CMAKE_C_COMPILER_ID}")
|
||||||
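Review bot: `cmake_minimum_required(VERSION 2.6)` on the new side declares a policy version that current CMake refuses: CMake 4.0 removed compatibility with versions older than 3.5, so configuring this subdirectory fails outright there, and recent 3.x releases already warn about it. The removed side required 3.5.1; keeping `cmake_minimum_required(VERSION 3.5)` on the new side costs nothing for a vendored build and avoids the superproject inheriting a hard configure error. The same hunk also drops the `MBEDTLS_AS_SUBPROJECT` detection and the `MBEDTLS_FATAL_WARNINGS` option, which is what later hunks rely on to decide whether `-Werror` / `/WX` is applied, so it is worth saying in the commit message that warnings-as-errors is now unconditional for this copy.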
@ -74,12 +19,23 @@ string(REGEX MATCH "MSVC" CMAKE_COMPILER_IS_MSVC "${CMAKE_C_COMPILER_ID}")
|
|||||||
|
|
||||||
# the test suites currently have compile errors with MSVC
|
# the test suites currently have compile errors with MSVC
|
||||||
if(CMAKE_COMPILER_IS_MSVC)
|
if(CMAKE_COMPILER_IS_MSVC)
|
||||||
option(ENABLE_TESTING "Build Mbed TLS tests." OFF)
|
option(ENABLE_TESTING "Build mbed TLS tests." OFF)
|
||||||
else()
|
else()
|
||||||
option(ENABLE_TESTING "Build Mbed TLS tests." ON)
|
option(ENABLE_TESTING "Build mbed TLS tests." OFF)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
# Warning string - created as a list for compatibility with CMake 2.8
|
# Warning string - created as a list for compatibility with CMake 2.8
|
||||||
|
set(WARNING_BORDER "*******************************************************\n")
|
||||||
|
set(NULL_ENTROPY_WARN_L1 "**** WARNING! MBEDTLS_TEST_NULL_ENTROPY defined!\n")
|
||||||
|
set(NULL_ENTROPY_WARN_L2 "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES\n")
|
||||||
|
set(NULL_ENTROPY_WARN_L3 "**** AND IS *NOT* SUITABLE FOR PRODUCTION USE\n")
|
||||||
|
|
||||||
|
set(NULL_ENTROPY_WARNING "${WARNING_BORDER}"
|
||||||
|
"${NULL_ENTROPY_WARN_L1}"
|
||||||
|
"${NULL_ENTROPY_WARN_L2}"
|
||||||
|
"${NULL_ENTROPY_WARN_L3}"
|
||||||
|
"${WARNING_BORDER}")
|
||||||
|
|
||||||
set(CTR_DRBG_128_BIT_KEY_WARN_L1 "**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
|
set(CTR_DRBG_128_BIT_KEY_WARN_L1 "**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
|
||||||
set(CTR_DRBG_128_BIT_KEY_WARN_L2 "**** Using 128-bit keys for CTR_DRBG limits the security of generated\n")
|
set(CTR_DRBG_128_BIT_KEY_WARN_L2 "**** Using 128-bit keys for CTR_DRBG limits the security of generated\n")
|
||||||
set(CTR_DRBG_128_BIT_KEY_WARN_L3 "**** keys and operations that use random values generated to 128-bit security\n")
|
set(CTR_DRBG_128_BIT_KEY_WARN_L3 "**** keys and operations that use random values generated to 128-bit security\n")
|
||||||
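Review bot: on the new side both arms of `if(CMAKE_COMPILER_IS_MSVC)` set `ENABLE_TESTING` to OFF, so the conditional is dead code; a single `option(ENABLE_TESTING "Build mbed TLS tests." OFF)` states the intent (no test suites in the vendored build) directly and removes the misleading "MSVC compile errors" comment above it. The `NULL_ENTROPY_WARN_L1..L3` strings added here are only useful if the check that prints them actually runs, which the next hunk makes conditional on Perl being installed.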
@ -90,183 +46,125 @@ set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
|
|||||||
"${CTR_DRBG_128_BIT_KEY_WARN_L3}"
|
"${CTR_DRBG_128_BIT_KEY_WARN_L3}"
|
||||||
"${WARNING_BORDER}")
|
"${WARNING_BORDER}")
|
||||||
|
|
||||||
# Python 3 is only needed here to check for configuration warnings.
|
find_package(PythonInterp)
|
||||||
if(NOT CMAKE_VERSION VERSION_LESS 3.15.0)
|
find_package(Perl)
|
||||||
set(Python3_FIND_STRATEGY LOCATION)
|
if(PERL_FOUND)
|
||||||
find_package(Python3 COMPONENTS Interpreter)
|
|
||||||
if(Python3_Interpreter_FOUND)
|
|
||||||
set(MBEDTLS_PYTHON_EXECUTABLE ${Python3_EXECUTABLE})
|
|
||||||
endif()
|
|
||||||
else()
|
|
||||||
find_package(PythonInterp 3)
|
|
||||||
if(PYTHONINTERP_FOUND)
|
|
||||||
set(MBEDTLS_PYTHON_EXECUTABLE ${PYTHON_EXECUTABLE})
|
|
||||||
endif()
|
|
||||||
endif()
|
|
||||||
if(MBEDTLS_PYTHON_EXECUTABLE)
|
|
||||||
|
|
||||||
# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
|
# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
|
||||||
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/mbedtls_config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
||||||
RESULT_VARIABLE result)
|
RESULT_VARIABLE result)
|
||||||
if(${result} EQUAL 0)
|
if(${result} EQUAL 0)
|
||||||
message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
|
message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
# If NULL Entropy is configured, display an appropriate warning
|
||||||
|
execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
|
||||||
|
RESULT_VARIABLE result)
|
||||||
|
if(${result} EQUAL 0)
|
||||||
|
message(WARNING ${NULL_ENTROPY_WARNING})
|
||||||
|
|
||||||
|
if(NOT UNSAFE_BUILD)
|
||||||
|
message(FATAL_ERROR "\
|
||||||
|
\n\
|
||||||
|
Warning! You have enabled MBEDTLS_TEST_NULL_ENTROPY. \
|
||||||
|
This option is not safe for production use and negates all security \
|
||||||
|
It is intended for development use only. \
|
||||||
|
\n\
|
||||||
|
To confirm you want to build with this option, re-run cmake with the \
|
||||||
|
option: \n\
|
||||||
|
cmake -DUNSAFE_BUILD=ON ")
|
||||||
|
|
||||||
|
return()
|
||||||
|
endif()
|
||||||
|
endif()
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
# We now potentially need to link all executables against PThreads, if available
|
set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
|
||||||
set(CMAKE_THREAD_PREFER_PTHREAD TRUE)
|
CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
|
||||||
set(THREADS_PREFER_PTHREAD_FLAG TRUE)
|
FORCE)
|
||||||
find_package(Threads)
|
|
||||||
|
|
||||||
# If this is the root project add longer list of available CMAKE_BUILD_TYPE values
|
|
||||||
if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
|
|
||||||
set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
|
|
||||||
CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull TSan TSanDbg"
|
|
||||||
FORCE)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
# Make MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE into PATHs
|
|
||||||
set(MBEDTLS_CONFIG_FILE "" CACHE FILEPATH "Mbed TLS config file (overrides default).")
|
|
||||||
set(MBEDTLS_USER_CONFIG_FILE "" CACHE FILEPATH "Mbed TLS user config file (appended to default).")
|
|
||||||
|
|
||||||
# Create a symbolic link from ${base_name} in the binary directory
|
# Create a symbolic link from ${base_name} in the binary directory
|
||||||
# to the corresponding path in the source directory.
|
# to the corresponding path in the source directory.
|
||||||
# Note: Copies the file(s) on Windows.
|
|
||||||
function(link_to_source base_name)
|
function(link_to_source base_name)
|
||||||
set(link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
|
# Get OS dependent path to use in `execute_process`
|
||||||
set(target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
|
if (CMAKE_HOST_WIN32)
|
||||||
|
#mklink is an internal command of cmd.exe it can only work with \
|
||||||
|
string(REPLACE "/" "\\" link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
|
||||||
|
string(REPLACE "/" "\\" target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
|
||||||
|
else()
|
||||||
|
set(link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
|
||||||
|
set(target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
|
||||||
|
endif()
|
||||||
|
|
||||||
# Linking to non-existent file is not desirable. At best you will have a
|
if (NOT EXISTS ${link})
|
||||||
# dangling link, but when building in tree, this can create a symbolic link
|
|
||||||
# to itself.
|
|
||||||
if (EXISTS ${target} AND NOT EXISTS ${link})
|
|
||||||
if (CMAKE_HOST_UNIX)
|
if (CMAKE_HOST_UNIX)
|
||||||
execute_process(COMMAND ln -s ${target} ${link}
|
set(command ln -s ${target} ${link})
|
||||||
RESULT_VARIABLE result
|
|
||||||
ERROR_VARIABLE output)
|
|
||||||
|
|
||||||
if (NOT ${result} EQUAL 0)
|
|
||||||
message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}")
|
|
||||||
endif()
|
|
||||||
else()
|
else()
|
||||||
if (IS_DIRECTORY ${target})
|
if (IS_DIRECTORY ${target})
|
||||||
file(GLOB_RECURSE files FOLLOW_SYMLINKS LIST_DIRECTORIES false RELATIVE ${target} "${target}/*")
|
set(command cmd.exe /c mklink /j ${link} ${target})
|
||||||
foreach(file IN LISTS files)
|
|
||||||
configure_file("${target}/${file}" "${link}/${file}" COPYONLY)
|
|
||||||
endforeach(file)
|
|
||||||
else()
|
else()
|
||||||
configure_file(${target} ${link} COPYONLY)
|
set(command cmd.exe /c mklink /h ${link} ${target})
|
||||||
endif()
|
endif()
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
execute_process(COMMAND ${command}
|
||||||
|
RESULT_VARIABLE result
|
||||||
|
ERROR_VARIABLE output)
|
||||||
|
|
||||||
|
if (NOT ${result} EQUAL 0)
|
||||||
|
message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}")
|
||||||
|
endif()
|
||||||
endif()
|
endif()
|
||||||
endfunction(link_to_source)
|
endfunction(link_to_source)
|
||||||
|
|
||||||
# Get the filename without the final extension (i.e. convert "a.b.c" to "a.b")
|
|
||||||
function(get_name_without_last_ext dest_var full_name)
|
|
||||||
# Split into a list on '.' (but a cmake list is just a ';'-separated string)
|
|
||||||
string(REPLACE "." ";" ext_parts "${full_name}")
|
|
||||||
# Remove the last item if there are more than one
|
|
||||||
list(LENGTH ext_parts ext_parts_len)
|
|
||||||
if (${ext_parts_len} GREATER "1")
|
|
||||||
math(EXPR ext_parts_last_item "${ext_parts_len} - 1")
|
|
||||||
list(REMOVE_AT ext_parts ${ext_parts_last_item})
|
|
||||||
endif()
|
|
||||||
# Convert back to a string by replacing separators with '.'
|
|
||||||
string(REPLACE ";" "." no_ext_name "${ext_parts}")
|
|
||||||
# Copy into the desired variable
|
|
||||||
set(${dest_var} ${no_ext_name} PARENT_SCOPE)
|
|
||||||
endfunction(get_name_without_last_ext)
|
|
||||||
|
|
||||||
string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
|
string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
|
||||||
|
|
||||||
include(CheckCCompilerFlag)
|
|
||||||
|
|
||||||
set(CMAKE_C_EXTENSIONS OFF)
|
|
||||||
set(CMAKE_C_STANDARD 99)
|
|
||||||
|
|
||||||
if(CMAKE_COMPILER_IS_GNU)
|
if(CMAKE_COMPILER_IS_GNU)
|
||||||
# some warnings we want are not available with old GCC versions
|
# some warnings we want are not available with old GCC versions
|
||||||
# note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
|
# note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
|
||||||
execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
|
execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
|
||||||
OUTPUT_VARIABLE GCC_VERSION)
|
OUTPUT_VARIABLE GCC_VERSION)
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings")
|
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings")
|
||||||
if (GCC_VERSION VERSION_GREATER 3.0 OR GCC_VERSION VERSION_EQUAL 3.0)
|
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat=2 -Wno-format-nonliteral")
|
|
||||||
endif()
|
|
||||||
if (GCC_VERSION VERSION_GREATER 4.3 OR GCC_VERSION VERSION_EQUAL 4.3)
|
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wvla")
|
|
||||||
endif()
|
|
||||||
if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5)
|
if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5)
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op")
|
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op")
|
||||||
endif()
|
endif()
|
||||||
if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
|
if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
|
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
|
||||||
endif()
|
endif()
|
||||||
if (GCC_VERSION VERSION_GREATER 5.0)
|
|
||||||
CHECK_C_COMPILER_FLAG("-Wformat-signedness" C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
|
|
||||||
if(C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
|
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-signedness")
|
|
||||||
endif()
|
|
||||||
endif()
|
|
||||||
if (GCC_VERSION VERSION_GREATER 7.0 OR GCC_VERSION VERSION_EQUAL 7.0)
|
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-overflow=2 -Wformat-truncation")
|
|
||||||
endif()
|
|
||||||
set(CMAKE_C_FLAGS_RELEASE "-O2")
|
set(CMAKE_C_FLAGS_RELEASE "-O2")
|
||||||
set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
|
set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
|
||||||
set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
|
set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
|
||||||
set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
|
set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -O3")
|
||||||
set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
|
set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
|
||||||
set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
|
set(CMAKE_C_FLAGS_CHECK "-Werror -Os")
|
||||||
set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
|
|
||||||
set(CMAKE_C_FLAGS_CHECK "-Os")
|
|
||||||
set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
|
set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
|
||||||
endif(CMAKE_COMPILER_IS_GNU)
|
endif(CMAKE_COMPILER_IS_GNU)
|
||||||
|
|
||||||
if(CMAKE_COMPILER_IS_CLANG)
|
if(CMAKE_COMPILER_IS_CLANG)
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral")
|
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow")
|
||||||
set(CMAKE_C_FLAGS_RELEASE "-O2")
|
set(CMAKE_C_FLAGS_RELEASE "-O2")
|
||||||
set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
|
set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
|
||||||
set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
|
set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
|
||||||
set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
|
set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
|
||||||
set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
|
set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
|
||||||
set(CMAKE_C_FLAGS_MEMSAN "-fsanitize=memory -O3")
|
set(CMAKE_C_FLAGS_MEMSAN "-Werror -fsanitize=memory -O3")
|
||||||
set(CMAKE_C_FLAGS_MEMSANDBG "-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
|
set(CMAKE_C_FLAGS_MEMSANDBG "-Werror -fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
|
||||||
set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
|
set(CMAKE_C_FLAGS_CHECK "-Werror -Os")
|
||||||
set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
|
|
||||||
set(CMAKE_C_FLAGS_CHECK "-Os")
|
|
||||||
endif(CMAKE_COMPILER_IS_CLANG)
|
endif(CMAKE_COMPILER_IS_CLANG)
|
||||||
|
|
||||||
if(CMAKE_COMPILER_IS_IAR)
|
if(CMAKE_COMPILER_IS_IAR)
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts")
|
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts --warnings_are_errors -Ohz")
|
||||||
set(CMAKE_C_FLAGS_RELEASE "-Ohz")
|
|
||||||
set(CMAKE_C_FLAGS_DEBUG "--debug -On")
|
|
||||||
endif(CMAKE_COMPILER_IS_IAR)
|
endif(CMAKE_COMPILER_IS_IAR)
|
||||||
|
|
||||||
if(CMAKE_COMPILER_IS_MSVC)
|
if(CMAKE_COMPILER_IS_MSVC)
|
||||||
# Strictest warnings, UTF-8 source and execution charset
|
# Compile with UTF-8 encoding (REMOVE THIS COMMIT ONCE A FIX IS DEPLOYED UPSTREAM)
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W3 /utf-8")
|
add_compile_options(/utf-8)
|
||||||
|
|
||||||
|
# Strictest warnings, and treat as errors
|
||||||
|
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W3")
|
||||||
|
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX")
|
||||||
endif(CMAKE_COMPILER_IS_MSVC)
|
endif(CMAKE_COMPILER_IS_MSVC)
|
||||||
|
|
||||||
if(MBEDTLS_FATAL_WARNINGS)
|
|
||||||
if(CMAKE_COMPILER_IS_MSVC)
|
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX")
|
|
||||||
endif(CMAKE_COMPILER_IS_MSVC)
|
|
||||||
|
|
||||||
if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
|
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror")
|
|
||||||
if(UNSAFE_BUILD)
|
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-error=cpp")
|
|
||||||
set(CMAKE_C_FLAGS_ASAN "${CMAKE_C_FLAGS_ASAN} -Wno-error=cpp")
|
|
||||||
set(CMAKE_C_FLAGS_ASANDBG "${CMAKE_C_FLAGS_ASANDBG} -Wno-error=cpp")
|
|
||||||
endif(UNSAFE_BUILD)
|
|
||||||
endif(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
|
|
||||||
|
|
||||||
if (CMAKE_COMPILER_IS_IAR)
|
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warnings_are_errors")
|
|
||||||
endif(CMAKE_COMPILER_IS_IAR)
|
|
||||||
endif(MBEDTLS_FATAL_WARNINGS)
|
|
||||||
|
|
||||||
if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
|
if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
|
||||||
if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
|
if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
|
||||||
set(CMAKE_SHARED_LINKER_FLAGS "--coverage")
|
set(CMAKE_SHARED_LINKER_FLAGS "--coverage")
|
||||||
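Review bot: the `MBEDTLS_TEST_NULL_ENTROPY` gate on the new side sits entirely inside `if(PERL_FOUND)`: on a machine without Perl, `scripts/config.pl` is never run, the `message(FATAL_ERROR ...)` that refuses to configure without `-DUNSAFE_BUILD=ON` is skipped, and a `config.h` with no entropy sources configures silently. Either require Perl whenever the check is wanted (`find_package(Perl REQUIRED)`) or replace the script call with a `file(STRINGS include/mbedtls/config.h ... REGEX "^#define MBEDTLS_TEST_NULL_ENTROPY")` test so the safety gate does not depend on an optional tool; the preceding `find_package(PythonInterp)` result is never used and can go. Two further regressions in this hunk: the GCC `CMAKE_C_FLAGS_ASAN` / `CMAKE_C_FLAGS_ASANDBG` lines lose `-fsanitize=undefined -fno-sanitize-recover=all`, so the ASan build type no longer traps undefined behaviour, and `-Werror` is now hard-coded into the ASan, MemSan and Check flag sets with no option to turn it off, which will break those configurations on the next compiler release that adds a warning. Minor: the `return()` after `message(FATAL_ERROR ...)` is unreachable.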
@ -274,70 +172,28 @@ if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
|
|||||||
endif(CMAKE_BUILD_TYPE STREQUAL "Coverage")
|
endif(CMAKE_BUILD_TYPE STREQUAL "Coverage")
|
||||||
|
|
||||||
if(LIB_INSTALL_DIR)
|
if(LIB_INSTALL_DIR)
|
||||||
set(CMAKE_INSTALL_LIBDIR "${LIB_INSTALL_DIR}")
|
else()
|
||||||
|
set(LIB_INSTALL_DIR lib)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
add_subdirectory(include)
|
include_directories(include/)
|
||||||
|
|
||||||
add_subdirectory(3rdparty)
|
if(ENABLE_ZLIB_SUPPORT)
|
||||||
|
find_package(ZLIB)
|
||||||
|
|
||||||
|
if(ZLIB_FOUND)
|
||||||
|
include_directories(${ZLIB_INCLUDE_DIR})
|
||||||
|
endif(ZLIB_FOUND)
|
||||||
|
endif(ENABLE_ZLIB_SUPPORT)
|
||||||
|
|
||||||
add_subdirectory(library)
|
add_subdirectory(library)
|
||||||
|
add_subdirectory(include)
|
||||||
add_subdirectory(pkgconfig)
|
|
||||||
|
|
||||||
#
|
|
||||||
# The C files in tests/src directory contain test code shared among test suites
|
|
||||||
# and programs. This shared test code is compiled and linked to test suites and
|
|
||||||
# programs objects as a set of compiled objects. The compiled objects are NOT
|
|
||||||
# built into a library that the test suite and program objects would link
|
|
||||||
# against as they link against the mbedcrypto, mbedx509 and mbedtls libraries.
|
|
||||||
# The reason is that such library is expected to have mutual dependencies with
|
|
||||||
# the aforementioned libraries and that there is as of today no portable way of
|
|
||||||
# handling such dependencies (only toolchain specific solutions).
|
|
||||||
#
|
|
||||||
# Thus the below definition of the `mbedtls_test` CMake library of objects
|
|
||||||
# target. This library of objects is used by tests and programs CMake files
|
|
||||||
# to define the test executables.
|
|
||||||
#
|
|
||||||
if(ENABLE_TESTING OR ENABLE_PROGRAMS)
|
|
||||||
file(GLOB MBEDTLS_TEST_FILES
|
|
||||||
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c
|
|
||||||
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/drivers/*.c)
|
|
||||||
add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
|
|
||||||
target_include_directories(mbedtls_test
|
|
||||||
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
|
|
||||||
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
|
|
||||||
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library)
|
|
||||||
|
|
||||||
file(GLOB MBEDTLS_TEST_HELPER_FILES
|
|
||||||
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_helpers/*.c)
|
|
||||||
add_library(mbedtls_test_helpers OBJECT ${MBEDTLS_TEST_HELPER_FILES})
|
|
||||||
target_include_directories(mbedtls_test_helpers
|
|
||||||
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
|
|
||||||
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
|
|
||||||
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library
|
|
||||||
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/everest/include)
|
|
||||||
|
|
||||||
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
|
|
||||||
if(MBEDTLS_CONFIG_FILE)
|
|
||||||
target_compile_definitions(mbedtls_test
|
|
||||||
PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
|
|
||||||
target_compile_definitions(mbedtls_test_helpers
|
|
||||||
PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
|
|
||||||
endif()
|
|
||||||
if(MBEDTLS_USER_CONFIG_FILE)
|
|
||||||
target_compile_definitions(mbedtls_test
|
|
||||||
PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
|
|
||||||
target_compile_definitions(mbedtls_test_helpers
|
|
||||||
PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
|
|
||||||
endif()
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if(ENABLE_PROGRAMS)
|
if(ENABLE_PROGRAMS)
|
||||||
add_subdirectory(programs)
|
add_subdirectory(programs)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
ADD_CUSTOM_TARGET(${MBEDTLS_TARGET_PREFIX}apidoc
|
ADD_CUSTOM_TARGET(apidoc
|
||||||
COMMAND doxygen mbedtls.doxyfile
|
COMMAND doxygen mbedtls.doxyfile
|
||||||
WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/doxygen)
|
WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/doxygen)
|
||||||
|
|
||||||
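Review bot: `if(ENABLE_ZLIB_SUPPORT)` calls `find_package(ZLIB)` without `REQUIRED` and only adds the include directory `if(ZLIB_FOUND)`, so a build with the option on and zlib absent proceeds and fails later with an unrelated-looking compile or link error; use `find_package(ZLIB REQUIRED)` inside that block, and keep the OFF default for torzu. Separately, `include_directories(include/)` and `include_directories(${ZLIB_INCLUDE_DIR})` are directory-wide and apply to every target created under this directory, which is exactly what the removed header comment in the first hunk argued against in favour of `target_include_directories` with `PUBLIC`/`PRIVATE` scope; the removed `mbedtls_test` object library and `add_subdirectory(pkgconfig)` are fine to lose for a vendored copy but should be mentioned in the commit message.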
@ -349,15 +205,22 @@ if(ENABLE_TESTING)
|
|||||||
# additional convenience targets for Unix only
|
# additional convenience targets for Unix only
|
||||||
if(UNIX)
|
if(UNIX)
|
||||||
|
|
||||||
# For coverage testing:
|
ADD_CUSTOM_TARGET(covtest
|
||||||
# 1. Build with:
|
COMMAND make test
|
||||||
# cmake -D CMAKE_BUILD_TYPE=Coverage /path/to/source && make
|
COMMAND programs/test/selftest
|
||||||
# 2. Run the relevant tests for the part of the code you're interested in.
|
COMMAND tests/compat.sh
|
||||||
# For the reference coverage measurement, see
|
COMMAND tests/ssl-opt.sh
|
||||||
# tests/scripts/basic-build-test.sh
|
)
|
||||||
# 3. Run scripts/lcov.sh to generate an HTML report.
|
|
||||||
ADD_CUSTOM_TARGET(lcov
|
ADD_CUSTOM_TARGET(lcov
|
||||||
COMMAND scripts/lcov.sh
|
COMMAND rm -rf Coverage
|
||||||
|
COMMAND lcov --capture --initial --directory library/CMakeFiles/mbedtls.dir -o files.info
|
||||||
|
COMMAND lcov --capture --directory library/CMakeFiles/mbedtls.dir -o tests.info
|
||||||
|
COMMAND lcov --add-tracefile files.info --add-tracefile tests.info -o all.info
|
||||||
|
COMMAND lcov --remove all.info -o final.info '*.h'
|
||||||
|
COMMAND gendesc tests/Descriptions.txt -o descriptions
|
||||||
|
COMMAND genhtml --title "mbed TLS" --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage final.info
|
||||||
|
COMMAND rm -f files.info tests.info all.info final.info descriptions
|
||||||
)
|
)
|
||||||
|
|
||||||
ADD_CUSTOM_TARGET(memcheck
|
ADD_CUSTOM_TARGET(memcheck
|
||||||
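Review bot: the reintroduced `covtest` target hardcodes `COMMAND make test`, which fails under any non-Make generator (Ninja, Visual Studio); `${CMAKE_MAKE_PROGRAM} test` or `${CMAKE_CTEST_COMMAND}` is generator-independent. The inline `lcov` target has the same problem in a different form: `rm -rf Coverage`, `lcov --capture --directory library/CMakeFiles/mbedtls.dir` and `gendesc tests/Descriptions.txt` are all relative paths with no `WORKING_DIRECTORY`, so they resolve against whatever directory the generator runs the target from and the destructive `rm -rf` is the first thing that executes. The left-hand side delegated all of this to `scripts/lcov.sh` and documented the three-step procedure in comments; that was the safer shape. Both targets are Unix-only convenience targets, so ordinary builds are unaffected, but they are dead weight in a vendored copy.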
@ -378,39 +241,3 @@ if(ENABLE_TESTING)
|
|||||||
${CMAKE_CURRENT_BINARY_DIR}/DartConfiguration.tcl COPYONLY)
|
${CMAKE_CURRENT_BINARY_DIR}/DartConfiguration.tcl COPYONLY)
|
||||||
endif()
|
endif()
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
|
|
||||||
configure_package_config_file(
|
|
||||||
"cmake/MbedTLSConfig.cmake.in"
|
|
||||||
"cmake/MbedTLSConfig.cmake"
|
|
||||||
INSTALL_DESTINATION "cmake")
|
|
||||||
|
|
||||||
write_basic_package_version_file(
|
|
||||||
"cmake/MbedTLSConfigVersion.cmake"
|
|
||||||
COMPATIBILITY SameMajorVersion
|
|
||||||
VERSION 3.5.2)
|
|
||||||
|
|
||||||
install(
|
|
||||||
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
|
|
||||||
"${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfigVersion.cmake"
|
|
||||||
DESTINATION "${CMAKE_INSTALL_LIBDIR}/cmake/MbedTLS")
|
|
||||||
|
|
||||||
export(
|
|
||||||
EXPORT MbedTLSTargets
|
|
||||||
NAMESPACE MbedTLS::
|
|
||||||
FILE "cmake/MbedTLSTargets.cmake")
|
|
||||||
|
|
||||||
install(
|
|
||||||
EXPORT MbedTLSTargets
|
|
||||||
NAMESPACE MbedTLS::
|
|
||||||
DESTINATION "${CMAKE_INSTALL_LIBDIR}/cmake/MbedTLS"
|
|
||||||
FILE "MbedTLSTargets.cmake")
|
|
||||||
|
|
||||||
if(CMAKE_VERSION VERSION_GREATER 3.15 OR CMAKE_VERSION VERSION_EQUAL 3.15)
|
|
||||||
# Do not export the package by default
|
|
||||||
cmake_policy(SET CMP0090 NEW)
|
|
||||||
|
|
||||||
# Make this package visible to the system
|
|
||||||
export(PACKAGE MbedTLS)
|
|
||||||
endif()
|
|
||||||
endif()
|
|
||||||
|
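Review bot: this hunk deletes the entire package-config and install/export block, including `write_basic_package_version_file(... VERSION 3.5.2)`, the `MbedTLS::`-namespaced `MbedTLSTargets` export and `export(PACKAGE MbedTLS)`. Two consequences belong in the commit message: the `3.5.2` version line is the only place in this diff that records the version being replaced, and any consumer that used `find_package(MbedTLS CONFIG)` with `MbedTLS::` targets must be switched to the submodule's plain target names, which is presumably part of the "updated for latest dynarmic" work. Losing `export(PACKAGE MbedTLS)` is a net positive for a vendored copy: the embedded build no longer registers itself in the user package registry, where an unrelated later `find_package` on the same machine could otherwise pick it up.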
71
externals/mbedtls/CONTRIBUTING.md
vendored
@ -1,40 +1,38 @@
|
|||||||
Contributing
|
Contributing
|
||||||
============
|
============
|
||||||
We gratefully accept bug reports and contributions from the community. All PRs are reviewed by the project team / community, and may need some modifications to
|
We gratefully accept bug reports and contributions from the community. There are some requirements we need to fulfill in order to be able to integrate contributions:
|
||||||
be accepted.
|
|
||||||
|
|
||||||
Quick Checklist for PR contributors
|
- As with any open source project, contributions will be reviewed by the project team and community and may need some modifications to be accepted.
|
||||||
-----------------------------------
|
- The contribution should not break API or ABI, unless there is a real justification for that. If there is an API change, the contribution, if accepted, will be merged only when there will be a major release.
|
||||||
More details on all of these points may be found in the sections below.
|
|
||||||
|
|
||||||
- [Sign-off](#license-and-copyright): all commits must be signed off.
|
|
||||||
- [Tests](#tests): please ensure the PR includes adequate tests.
|
|
||||||
- [Changelog](#documentation): if needed, please provide a changelog entry.
|
|
||||||
- [Backports](#long-term-support-branches): provide a backport if needed (it's fine to wait until the main PR is accepted).
|
|
||||||
|
|
||||||
Coding Standards
|
Coding Standards
|
||||||
----------------
|
----------------
|
||||||
- Contributions should include tests, as mentioned in the [Tests](#tests) and [Continuous Integration](#continuous-integration-tests) sections. Please check that your contribution passes basic tests before submission, and check the CI results after making a pull request.
|
- We would ask that contributions conform to [our coding standards](https://tls.mbed.org/kb/development/mbedtls-coding-standards), and that contributions are fully tested before submission, as mentioned in the [Tests](#tests) and [Continuous Integration](#continuous-integration-tests) sections.
|
||||||
- The code should be written in a clean and readable style, and must follow [our coding standards](https://mbed-tls.readthedocs.io/en/latest/kb/development/mbedtls-coding-standards/).
|
- The code should be written in a clean and readable style.
|
||||||
- The code should be written in a portable generic way, that will benefit the whole community, and not only your own needs.
|
- The code should be written in a portable generic way, that will benefit the whole community, and not only your own needs.
|
||||||
- The code should be secure, and will be reviewed from a security point of view as well.
|
- The code should be secure, and will be reviewed from a security point of view as well.
|
||||||
|
|
||||||
Making a Contribution
|
Making a Contribution
|
||||||
---------------------
|
---------------------
|
||||||
1. [Check for open issues](https://github.com/Mbed-TLS/mbedtls/issues) or [start a discussion](https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirmware.org) around a feature idea or a bug.
|
1. [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls) around a feature idea or a bug.
|
||||||
1. Fork the [Mbed TLS repository on GitHub](https://github.com/Mbed-TLS/mbedtls) to start making your changes. As a general rule, you should use the ["development" branch](https://github.com/Mbed-TLS/mbedtls/tree/development) as a basis.
|
1. Fork the [Mbed TLS repository on GitHub](https://github.com/ARMmbed/mbedtls) to start making your changes. As a general rule, you should use the ["development" branch](https://github.com/ARMmbed/mbedtls/tree/development) as a basis.
|
||||||
1. Write a test which shows that the bug was fixed or that the feature works as expected.
|
1. Write a test which shows that the bug was fixed or that the feature works as expected.
|
||||||
1. Send a pull request (PR) and work with us until it gets merged and published. Contributions may need some modifications, so a few rounds of review and fixing may be necessary. See our [review process guidelines](https://mbed-tls.readthedocs.io/en/latest/reviews/review-for-contributors/).
|
1. Send a pull request (PR) and work with us until it gets merged and published. Contributions may need some modifications, so a few rounds of review and fixing may be necessary. We will include your name in the ChangeLog :)
|
||||||
1. For quick merging, the contribution should be short, and concentrated on a single feature or topic. The larger the contribution is, the longer it would take to review it and merge it.
|
1. For quick merging, the contribution should be short, and concentrated on a single feature or topic. The larger the contribution is, the longer it would take to review it and merge it.
|
||||||
|
1. All new files should include the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) standard license header where possible.
|
||||||
|
1. Ensure that each commit has at least one `Signed-off-by:` line from the committer. If anyone else contributes to the commit, they should also add their own `Signed-off-by:` line. By adding this line, contributor(s) certify that the contribution is made under the terms of the [Developer Certificate of Origin](dco.txt). The contribution licensing is described in the [License section of the README](README.md#License).
|
||||||
|
|
||||||
Backwards Compatibility
|
API/ABI Compatibility
|
||||||
-----------------------
|
---------------------
|
||||||
|
The project aims to minimise the impact on users upgrading to newer versions of the library and it should not be necessary for a user to make any changes to their own code to work with a newer version of the library. Unless the user has made an active decision to use newer features, a newer generation of the library or a change has been necessary due to a security issue or other significant software defect, no modifications to their own code should be necessary. To achieve this, API compatibility is maintained between different versions of Mbed TLS on the main development branch and in LTS (Long Term Support) branches.
|
||||||
|
|
||||||
The project aims to minimise the impact on users upgrading to newer versions of the library and it should not be necessary for a user to make any changes to their own code to work with a newer version of the library. Unless the user has made an active decision to use newer features, a newer generation of the library or a change has been necessary due to a security issue or other significant software defect, no modifications to their own code should be necessary. To achieve this, API compatibility is maintained between different versions of Mbed TLS on the main development branch and in LTS (Long Term Support) branches, as described in [BRANCHES.md](BRANCHES.md).
|
To minimise such disruption to users, where a change to the interface is required, all changes to the ABI or API, even on the main development branch where new features are added, need to be justifiable by either being a significant enhancement, new feature or bug fix which is best resolved by an interface change.
|
||||||
|
|
||||||
To minimise such disruption to users, where a change to the interface is required, all changes to the ABI or API, even on the main development branch where new features are added, need to be justifiable by either being a significant enhancement, new feature or bug fix which is best resolved by an interface change. If there is an API change, the contribution, if accepted, will be merged only when there is a major release.
|
Where changes to an existing interface are necessary, functions in the public interface which need to be changed, are marked as 'deprecated'. This is done with the preprocessor symbols `MBEDTLS_DEPRECATED_WARNING` and `MBEDTLS_DEPRECATED_REMOVED`. Then, a new function with a new name but similar if not identical behaviour to the original function containing the necessary changes should be created alongside the existing deprecated function.
|
||||||
|
|
||||||
No changes are permitted to the definition of functions in the public interface which will change the API. Instead the interface can only be changed by its extension. Where changes to an existing interface are necessary, functions in the public interface which need to be changed are marked as 'deprecated'. If there is a strong reason to replace an existing function with one that has a slightly different interface (different prototype, or different documented behavior), create a new function with a new name with the desired interface. Keep the old function, but mark it as deprecated.
|
When a build is made with the deprecation preprocessor symbols defined, a compiler warning will be generated to warn a user that the function will be removed at some point in the future, notifying users that they should change from the older deprecated function to the newer function at their own convenience.
|
||||||
|
|
||||||
|
Therefore, no changes are permitted to the definition of functions in the public interface which will change the API. Instead the interface can only be changed by its extension. As described above, if a function needs to be changed, a new function needs to be created alongside it, with a new name, and whatever change is necessary, such as a new parameter or the addition of a return value.
|
||||||
|
|
||||||
Periodically, the library will remove deprecated functions from the library which will be a breaking change in the API, but such changes will be made only in a planned, structured way that gives sufficient notice to users of the library.
|
Periodically, the library will remove deprecated functions from the library which will be a breaking change in the API, but such changes will be made only in a planned, structured way that gives sufficient notice to users of the library.
|
||||||
|
|
||||||
@ -48,18 +46,20 @@ When backporting to these branches please observe the following rules:
|
|||||||
1. All bug fixes that correct a defect that is also present in an LTS branch must be backported to that LTS branch. If a bug fix introduces a change to the API such as a new function, the fix should be reworked to avoid the API change. API changes without very strong justification are unlikely to be accepted.
|
1. All bug fixes that correct a defect that is also present in an LTS branch must be backported to that LTS branch. If a bug fix introduces a change to the API such as a new function, the fix should be reworked to avoid the API change. API changes without very strong justification are unlikely to be accepted.
|
||||||
1. If a contribution is a new feature or enhancement, no backporting is required. Exceptions to this may be additional test cases or quality improvements such as changes to build or test scripts.
|
1. If a contribution is a new feature or enhancement, no backporting is required. Exceptions to this may be additional test cases or quality improvements such as changes to build or test scripts.
|
||||||
|
|
||||||
It would be highly appreciated if contributions are backported to LTS branches in addition to the [development branch](https://github.com/Mbed-TLS/mbedtls/tree/development) by contributors.
|
It would be highly appreciated if contributions are backported to LTS branches in addition to the [development branch](https://github.com/ARMmbed/mbedtls/tree/development) by contributors.
|
||||||
|
|
||||||
|
Currently maintained LTS branches are:
|
||||||
|
1. [mbedtls-2.7](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.7)
|
||||||
|
1. [mbedtls-2.16](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16)
|
||||||
|
|
||||||
The list of maintained branches can be found in the [Current Branches section
|
|
||||||
of BRANCHES.md](BRANCHES.md#current-branches).
|
|
||||||
|
|
||||||
Tests
|
Tests
|
||||||
-----
|
-----
|
||||||
As mentioned, tests that show the correctness of the feature or bug fix should be added to the pull request, if no such tests exist.
|
As mentioned, tests that show the correctness of the feature or bug fix should be added to the pull request, if no such tests exist.
|
||||||
|
|
||||||
Mbed TLS includes a comprehensive set of test suites in the `tests/` directory that are dynamically generated to produce the actual test source files (e.g. `test_suite_rsa.c`). These files are generated from a `function file` (e.g. `suites/test_suite_rsa.function`) and a `data file` (e.g. `suites/test_suite_rsa.data`). The function file contains the test functions. The data file contains the test cases, specified as parameters that will be passed to the test function.
|
Mbed TLS includes a comprehensive set of test suites in the `tests/` directory that are dynamically generated to produce the actual test source files (e.g. `test_suite_mpi.c`). These files are generated from a `function file` (e.g. `suites/test_suite_mpi.function`) and a `data file` (e.g. `suites/test_suite_mpi.data`). The function file contains the test functions. The data file contains the test cases, specified as parameters that will be passed to the test function.
|
||||||
|
|
||||||
[A Knowledge Base article describing how to add additional tests is available on the Mbed TLS website](https://mbed-tls.readthedocs.io/en/latest/kb/development/test_suites/).
|
[A Knowledge Base article describing how to add additional tests is available on the Mbed TLS website](https://tls.mbed.org/kb/development/test_suites).
|
||||||
|
|
||||||
A test script `tests/scripts/basic-build-test.sh` is available to show test coverage of the library. New code contributions should provide a similar level of code coverage to that which already exists for the library.
|
A test script `tests/scripts/basic-build-test.sh` is available to show test coverage of the library. New code contributions should provide a similar level of code coverage to that which already exists for the library.
|
||||||
|
|
||||||
@ -69,7 +69,7 @@ Continuous Integration Tests
|
|||||||
----------------------------
|
----------------------------
|
||||||
Once a PR has been made, the Continuous Integration (CI) tests are triggered and run. You should follow the result of the CI tests, and fix failures.
|
Once a PR has been made, the Continuous Integration (CI) tests are triggered and run. You should follow the result of the CI tests, and fix failures.
|
||||||
|
|
||||||
It is advised to enable the [githooks scripts](https://github.com/Mbed-TLS/mbedtls/tree/development/tests/git-scripts) prior to pushing your changes, for catching some of the issues as early as possible.
|
It is advised to enable the [githooks scripts](https://github.com/ARMmbed/mbedtls/tree/development/tests/git-scripts) prior to pushing your changes, for catching some of the issues as early as possible.
|
||||||
|
|
||||||
Documentation
|
Documentation
|
||||||
-------------
|
-------------
|
||||||
@ -78,20 +78,5 @@ Mbed TLS is well documented, but if you think documentation is needed, speak out
|
|||||||
1. All interfaces should be documented through Doxygen. New APIs should introduce Doxygen documentation.
|
1. All interfaces should be documented through Doxygen. New APIs should introduce Doxygen documentation.
|
||||||
1. Complex parts in the code should include comments.
|
1. Complex parts in the code should include comments.
|
||||||
1. If needed, a Readme file is advised.
|
1. If needed, a Readme file is advised.
|
||||||
1. If a [Knowledge Base (KB)](https://mbed-tls.readthedocs.io/en/latest/kb/) article should be added, write this as a comment in the PR description.
|
1. If a [Knowledge Base (KB)](https://tls.mbed.org/kb) article should be added, write this as a comment in the PR description.
|
||||||
1. A [ChangeLog](https://github.com/Mbed-TLS/mbedtls/blob/development/ChangeLog.d/00README.md) entry should be added for this contribution.
|
1. A [ChangeLog](https://github.com/ARMmbed/mbedtls/blob/development/ChangeLog.d/00README.md) entry should be added for this contribution.
|
||||||
|
|
||||||
License and Copyright
|
|
||||||
---------------------
|
|
||||||
|
|
||||||
Unless specifically indicated otherwise in a file, Mbed TLS files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. See the [LICENSE](LICENSE) file for the full text of these licenses. This means that users may choose which of these licenses they take the code under.
|
|
||||||
|
|
||||||
Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses.
|
|
||||||
|
|
||||||
All new files should include the standard SPDX license identifier where possible, i.e. "SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later".
|
|
||||||
|
|
||||||
The copyright on contributions is retained by the original authors of the code. Where possible for new files, this should be noted in a comment at the top of the file in the form: "Copyright The Mbed TLS Contributors".
|
|
||||||
|
|
||||||
When contributing code to us, the committer and all authors are required to make the submission under the terms of the [Developer Certificate of Origin](dco.txt), confirming that the code submitted can (legally) become part of the project, and is submitted under both the Apache-2.0 AND GPL-2.0-or-later licenses.
|
|
||||||
|
|
||||||
This is done by including the standard Git `Signed-off-by:` line in every commit message. If more than one person contributed to the commit, they should also add their own `Signed-off-by:` line.
|
|
||||||
|
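Review bot: the right-hand side drops the whole "License and Copyright" section (dual Apache-2.0 OR GPL-2.0-or-later, the SPDX identifier, "Copyright The Mbed TLS Contributors", and the DCO sign-off requirement) and, in the first hunk of this file, instead asks only for an Apache-2.0 header on new files. The vendored snapshot therefore ships under a different licence statement than the copy it replaces. The submodule's own LICENSE file and the superproject's third-party notices should be checked against what this commit actually vendors; a licence change in a dependency is a compliance change regardless of whether the version went up or down.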
2394
externals/mbedtls/ChangeLog
vendored
File diff suppressed because it is too large
5
externals/mbedtls/ChangeLog.d/00README.md
vendored
@ -21,11 +21,8 @@ We generally don't include changelog entries for:
|
|||||||
* Performance improvements, unless they are particularly significant.
|
* Performance improvements, unless they are particularly significant.
|
||||||
* Changes to parts of the code base that users don't interact with directly,
|
* Changes to parts of the code base that users don't interact with directly,
|
||||||
such as test code and test data.
|
such as test code and test data.
|
||||||
* Fixes for compiler warnings. Releases typically contain a number of fixes
|
|
||||||
of this kind, so we will only mention them in the Changelog if they are
|
|
||||||
particularly significant.
|
|
||||||
|
|
||||||
Until Mbed TLS 2.24.0, we required changelog entries in more cases.
|
Until Mbed TLS 2.16.8, we required changelog entries in more cases.
|
||||||
Looking at older changelog entries is good practice for how to write a
|
Looking at older changelog entries is good practice for how to write a
|
||||||
changelog entry, but not for deciding whether to write one.
|
changelog entry, but not for deciding whether to write one.
|
||||||
|
|
||||||
|
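Review bot: the right-hand side changes "Until Mbed TLS 2.24.0" to "Until Mbed TLS 2.16.8" and drops the compiler-warning exclusion. Together with the removed `VERSION 3.5.2` in CMakeLists.txt, that dates the new snapshot to the 2.x line somewhere after 2.16.8 and before 2.24.0, and the presence of unreleased `ChangeLog.d` entries on the right-hand side below shows it is a development-branch checkout, not a tagged release. That is a major-version move in the library's own terms (the CONTRIBUTING text in this diff allows API breaks only at major releases), so "Downgraded mbedtls" in the commit message should name the exact upstream commit being pinned; without it, nobody can check which security fixes that line does or does not carry.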
3
externals/mbedtls/ChangeLog.d/7764.txt
vendored
@ -1,3 +0,0 @@
|
|||||||
Features
|
|
||||||
* Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa()
|
|
||||||
to convert between Mbed TLS and PSA curve identifiers.
|
|
3
externals/mbedtls/ChangeLog.d/7765.txt
vendored
@ -1,3 +0,0 @@
|
|||||||
Features
|
|
||||||
* Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to
|
|
||||||
convert ECDSA signatures between raw and DER (ASN.1) formats.
|
|
7
externals/mbedtls/ChangeLog.d/8030.txt
vendored
@ -1,7 +0,0 @@
|
|||||||
Changes
|
|
||||||
* Extended PSA Crypto configurations options for FFDH by making it possible
|
|
||||||
to select only some of the parameters / groups, with the macros
|
|
||||||
PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro
|
|
||||||
for each size you want to support. Also, if you have an FFDH accelerator,
|
|
||||||
you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal
|
|
||||||
support for these domain parameters.
|
|
4
externals/mbedtls/ChangeLog.d/8340.txt
vendored
@ -1,4 +0,0 @@
|
|||||||
Features
|
|
||||||
* Add functions mbedtls_md_psa_alg_from_type() and
|
|
||||||
mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and
|
|
||||||
psa_algorithm_t.
|
|
3
externals/mbedtls/ChangeLog.d/8372.txt
vendored
@ -1,3 +0,0 @@
|
|||||||
Features
|
|
||||||
* AES-NI is now supported in Windows builds with clang and clang-cl.
|
|
||||||
Resolves #8372.
|
|
4
externals/mbedtls/ChangeLog.d/8461.txt
vendored
@ -1,4 +0,0 @@
|
|||||||
Bugfix
|
|
||||||
* Fix unsupported PSA asymmetric encryption and decryption
|
|
||||||
(psa_asymmetric_[en|de]crypt) with opaque keys.
|
|
||||||
Resolves #8461.
|
|
6
externals/mbedtls/ChangeLog.d/8482.txt
vendored
@ -1,6 +0,0 @@
|
|||||||
Changes
|
|
||||||
* PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and
|
|
||||||
they are now treated separately. This means that they should be
|
|
||||||
individually enabled in order to enable respective support; also the
|
|
||||||
corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case
|
|
||||||
acceleration is required.
|
|
10
externals/mbedtls/ChangeLog.d/8647.txt
vendored
@ -1,10 +0,0 @@
|
|||||||
Default behavior changes
|
|
||||||
* psa_import_key() now only accepts RSA keys in the PSA standard formats.
|
|
||||||
The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
|
|
||||||
PEM) accepted by the pkparse module has been removed. Applications that
|
|
||||||
need these formats can call mbedtls_pk_parse_{public,}key() followed by
|
|
||||||
mbedtls_pk_import_into_psa().
|
|
||||||
|
|
||||||
Changes
|
|
||||||
* RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
|
|
||||||
saving code size when those are not otherwise enabled.
|
|
2
externals/mbedtls/ChangeLog.d/8726.txt
vendored
@ -1,2 +0,0 @@
|
|||||||
Features
|
|
||||||
* Add partial platform support for z/OS.
|
|
3
externals/mbedtls/ChangeLog.d/8799.txt
vendored
@ -1,3 +0,0 @@
|
|||||||
Bugfix
|
|
||||||
* mbedtls_pem_read_buffer() now performs a check on the padding data of
|
|
||||||
decrypted keys and it rejects invalid ones.
|
|
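Review bot: this deletes a pending Bugfix entry stating that `mbedtls_pem_read_buffer()` now checks the padding of decrypted keys and rejects invalid ones. The entry was unreleased in the 3.x tree, so the replacement snapshot will not have it unless it was backported independently; if the superproject ever parses password-protected PEM material, verify the behaviour on the pinned commit rather than assuming the check is present.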
7
externals/mbedtls/ChangeLog.d/8824.txt
vendored
@ -1,7 +0,0 @@
|
|||||||
Bugfix
|
|
||||||
* Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() and
|
|
||||||
mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
|
|
||||||
the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled, they always
|
|
||||||
used PKCS#1 v1.5 even when the RSA context was configured for PKCS#1 v2.1
|
|
||||||
(PSS/OAEP). Fixes #8824.
|
|
||||||
|
|
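Review bot: the removed entry documents that `mbedtls_pk_sign()`, `mbedtls_pk_verify()`, `mbedtls_pk_decrypt()` and `mbedtls_pk_encrypt()` only honour the RSA context's padding mode after fix #8824; before it, with `MBEDTLS_USE_PSA_CRYPTO` enabled, they used PKCS#1 v1.5 even when the context was configured for PKCS#1 v2.1 (PSS/OAEP). The entry ties the bug to `MBEDTLS_USE_PSA_CRYPTO`, so if that option is off in the vendored build the classic RSA path is taken and the described bug does not apply. The one-line check worth doing on this downgrade is whether any caller configures an RSA context for PKCS#1 v2.1 and whether the pinned build enables that option.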
6
externals/mbedtls/ChangeLog.d/8848.txt
vendored
@ -1,6 +0,0 @@
|
|||||||
Removals
|
|
||||||
* Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the
|
|
||||||
same behavior mbedtls_pk_get_psa_attributes() and
|
|
||||||
mbedtls_pk_import_into_psa() can be used to import a PK key into PSA,
|
|
||||||
while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into a opaque
|
|
||||||
PK context.
|
|
@ -1,3 +0,0 @@
|
|||||||
Features
|
|
||||||
* Add support for using AES-CBC 128, 192, and 256 bit schemes
|
|
||||||
with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse.
|
|
@ -1,6 +0,0 @@
|
|||||||
Features
|
|
||||||
* Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit
|
|
||||||
the decryption direction of block ciphers (AES, ARIA, Camellia).
|
|
||||||
This affects both the low-level modules and the high-level APIs
|
|
||||||
(the cipher and PSA interfaces). This option is incompatible with modes
|
|
||||||
that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
|
|
3
externals/mbedtls/ChangeLog.d/add-missing-parenthesis.txt
vendored
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
Bugfix
|
||||||
|
* Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
|
||||||
|
defined. Fixes #4217.
|
@ -1,2 +0,0 @@
|
|||||||
Features
|
|
||||||
* Added an example program showing how to hash with the PSA API.
|
|
@ -1,5 +0,0 @@
|
|||||||
Features
|
|
||||||
* Add support for record size limit extension as defined by RFC 8449
|
|
||||||
and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT.
|
|
||||||
Application data sent and received will be fragmented according to
|
|
||||||
Record size limits negotiated during handshake.
|
|
3
externals/mbedtls/ChangeLog.d/aescrypt2.txt
vendored
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
Changes
|
||||||
|
* Remove the AES sample application programs/aes/aescrypt2 which shows
|
||||||
|
bad cryptographic practice. Fix #1906.
|
@ -1,3 +0,0 @@
|
|||||||
Features
|
|
||||||
* Support use of Armv8-A Cryptographic Extensions for hardware acclerated
|
|
||||||
AES when compiling for Thumb (T32) or 32-bit Arm (A32).
|
|
@ -1,3 +0,0 @@
|
|||||||
Features
|
|
||||||
* The benchmark program now reports times for both ephemeral and static
|
|
||||||
ECDH in all ECDH configurations.
|
|
5
externals/mbedtls/ChangeLog.d/bugfix_PR3616.txt
vendored
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
Bugfix
|
||||||
|
* Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
|
||||||
|
lead to the seed file corruption in case if the path to the seed file is
|
||||||
|
equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
|
||||||
|
Krasnoshchok in #3616.
|
3
externals/mbedtls/ChangeLog.d/ctr-perf.txt
vendored
@ -1,3 +0,0 @@
|
|||||||
Features
|
|
||||||
* Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
|
|
||||||
hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
|
|
4
externals/mbedtls/ChangeLog.d/dhm_min_bitlen.txt
vendored
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
Bugfix
|
||||||
|
* In a TLS client, enforce the Diffie-Hellman minimum parameter size
|
||||||
|
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
|
||||||
|
minimum size was rounded down to the nearest multiple of 8.
|
@ -1,9 +0,0 @@
|
|||||||
New deprecations
|
|
||||||
* In the PSA API, domain parameters are no longer used for anything.
|
|
||||||
They are deprecated and will be removed in a future version of the
|
|
||||||
library.
|
|
||||||
|
|
||||||
Removals
|
|
||||||
* In the PSA API, the experimental way to encode the public exponent of
|
|
||||||
an RSA key as a domain parameter is no longer supported. Use
|
|
||||||
psa_generate_key_ext() instead.
|
|
@ -1,11 +0,0 @@
|
|||||||
Features
|
|
||||||
* If a cipher or AEAD mechanism has a PSA driver, you can now build the
|
|
||||||
library without the corresponding built-in implementation. Generally
|
|
||||||
speaking that requires both the key type and algorithm to be accelerated
|
|
||||||
or they'll both be built in. However, for CCM and GCM the built-in
|
|
||||||
implementation is able to take advantage of a driver that only
|
|
||||||
accelerates the key type (that is, the block cipher primitive). See
|
|
||||||
docs/driver-only-builds.md for full details and current limitations.
|
|
||||||
* The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
|
|
||||||
disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
|
|
||||||
MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
|
|
2
externals/mbedtls/ChangeLog.d/dtls_sample_use_read_timeout.txt
vendored
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
Changes
|
||||||
|
* Fix the setting of the read timeout in the DTLS sample programs.
|
@ -1,5 +0,0 @@
|
|||||||
Features
|
|
||||||
* Add utility functions to manipulate mbedtls_ecp_keypair objects, filling
|
|
||||||
gaps made by making its fields private: mbedtls_ecp_set_public_key(),
|
|
||||||
mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(),
|
|
||||||
mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652.
|
|
@ -1,8 +0,0 @@
|
|||||||
Features
|
|
||||||
* The new function mbedtls_ecp_write_key_ext() is similar to
|
|
||||||
mbedtls_ecp_write_key(), but can be used without separately calculating
|
|
||||||
the output length.
|
|
||||||
|
|
||||||
New deprecations
|
|
||||||
* mbedtls_ecp_write_key() is deprecated in favor of
|
|
||||||
mbedtls_ecp_write_key_ext().
|
|
@ -1,3 +0,0 @@
|
|||||||
Bugfix
|
|
||||||
* Fix the build with CMake when Everest or P256-m is enabled through
|
|
||||||
a user configuration file or the compiler command line. Fixes #8165.
|
|
@ -1,3 +0,0 @@
|
|||||||
Bugfix
|
|
||||||
* Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
|
|
||||||
disabled.
|
|
@ -1,6 +0,0 @@
Features
* Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows
parsing unsupported certificate extensions via user provided callback.

Bugfix
* Fix parsing of CSRs with critical extensions.
@ -1,3 +0,0 @@
Bugfix
* Fix possible NULL dereference issue in X509 cert_req program if an entry
in the san parameter is not separated by a colon.
@ -1,3 +0,0 @@
Bugfix
* Fix possible NULL dereference issue in X509 cert_write program if an entry
in the san parameter is not separated by a colon.
@ -1,2 +0,0 @@
Bugfix
* Fix build failure in conda-forge. Fixes #8422.
@ -1,4 +0,0 @@
Bugfix
* Fix an inconsistency between implementations and usages of `__cpuid`,
which mainly causes failures when building Windows target using
mingw or clang. Fixes #8334 & #8332.
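Review bot: the fix recorded in this deleted entry (#8334, #8332) targets exactly the toolchains a Windows build of this project is likely to use, mingw or clang; if the version being vendored predates it, the Windows targets should be built before this is merged, since the entry states the `__cpuid` inconsistency "mainly causes failures when building Windows target".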
2
externals/mbedtls/ChangeLog.d/fix-pk-parse-key-error-code.txt
vendored
Normal file
@ -0,0 +1,2 @@
Bugfix
* Fix an incorrect error code when parsing a PKCS#8 private key.
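Review bot: the entry says only that the error code was incorrect, not which code was returned before or after; callers that branch on the return value of the PKCS#8 parse path (for example to fall back to another key format) can change behaviour across this version change, so the commit should note the old and new code or point at the upstream change.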
@ -1,3 +0,0 @@
Bugfix
* Remove accidental introduction of RSA signature algorithms
in TLS Suite B Profile. Fixes #8221.
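Review bot: this drops the record of a profile-tightening fix, not a feature note; if the library version replacing this one predates #8221, the TLS Suite B profile again offers RSA signature algorithms, which is weaker than that profile is meant to be. State in the commit which mbedtls version is being vendored so reviewers can check whether the fix is included, or confirm that nothing in the project selects the Suite B profile.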
@ -1,3 +0,0 @@
Bugfix
* Fix TLS server accepting TLS 1.2 handshake while TLS 1.2
is disabled at runtime. Fixes #8593.
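Review bot: the fix recorded here (#8593) is a negotiation-hardening one: a server with TLS 1.2 disabled at runtime still accepted a TLS 1.2 handshake. If the vendored version predates it, any server-side use that relies on a runtime version restriction is silently weaker than configured; either note the accepted regression in the commit message or confirm the project has no server-side TLS code that disables TLS 1.2 at runtime.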
@ -1,3 +0,0 @@
Bugfix
* Correct initial capacities for key derivation algorithms:TLS12_PRF,
TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
@ -1,4 +0,0 @@
Features
* Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
operations when hardware accelerated AES is not present. Improves
performance by around 30% on 64-bit Intel; 125% on Armv7-M.
@ -1,3 +0,0 @@
Bugfix
* Avoid segmentation fault caused by releasing not initialized
entropy resource in gen_key example. Fixes #8809.
@ -1,3 +0,0 @@
Features
* Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access
`mbedtls_ssl_session.ticket_creation_time`.
@ -1,5 +0,0 @@
Bugfix
* Switch to milliseconds as the unit for ticket creation and reception time
instead of seconds. That avoids rounding errors when computing the age of
tickets compared to peer using a millisecond clock (observed with GnuTLS).
Fixes #6623.
Some files were not shown because too many files have changed in this diff.